; Anti Code Red [30.08.01]
; Assemblieren:
; ML /Dmasm /c /Cx /coff AntiCodeRed.asm
; Linken:
; LINK AntiCodeRed.obj /entry:_KillCodeRedBackdoors /subsystem:windows /base:50855936
;Ziele:
; * ???
;
;BUGS (ML/LINK.EXE):
; * ???
; -> ???
.386
.model flat, stdcall
option casemap:none
; ***** ***** Includes ***** *****
include C:\masm32\include\windows.inc
include C:\masm32\include\user32.inc
include C:\masm32\include\kernel32.inc
include C:\masm32\include\advapi32.inc
include C:\masm32\include\wsock32.inc
includelib C:\masm32\lib\user32.lib
includelib C:\masm32\lib\kernel32.lib
includelib C:\masm32\lib\advapi32.lib
includelib C:\masm32\lib\wsock32.lib
.Data
include ACR_Vars.INC
; ***** ***** Code ***** *****
.Code
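_KillCodeRedBackdoors:
;-----------------------------------------------------------------------
; Program entry point (see the LINK /entry line in the file header).
; Remediates a host infected by Code Red II:
;   1. renames the dropped explorer.exe and deletes root.exe on C:\ and D:\
;   2. deletes the backdoor's virtual-directory mappings from the registry
;   3. starts the genuine explorer.exe from the Windows directory
;   4. sleeps 30 minutes, shows the "Code Green" notice and exits
; ABI:   Win32 stdcall, 32-bit; the process never returns (ExitProcess).
; Regs:  ebx, esi, edi survive the API calls and hold loop state;
;        eax, ecx, edx are scratch (clobbered by every API call).
; Data:  every string referenced here is defined in ACR_Vars.INC;
;        assumptions about their sizes are stated at the equates below.
;-----------------------------------------------------------------------
EXPLORER_CMD_BUF_SIZE   equ 1024            ; size of ExplorerCmdStr (assumed from the original push; confirm in ACR_Vars.INC)
EXPLORER_STR_LEN        equ 12              ; bytes copied from ExplorerStr ("explorer.exe" without its NUL, as in the original)
MAX_WINDIR_LEN          equ EXPLORER_CMD_BUF_SIZE - EXPLORER_STR_LEN - 2   ; leaves room for "\" and the NUL
DRIVE_COUNT             equ 2               ; drives C: and D:
REG_MAPPING_COUNT       equ 4               ; value names CRIIRegVal1..4
SLEEP_BEFORE_NOTICE_MS  equ 1800000         ; 1800 s = 30 minutes

; The process-termination pass below is disabled (kept for reference):
; TerminateCodeRedIIExplorerExeBackdoor:
; mov ecx, 75
; TerminateCRII_ReserveStackMem:
; push 0
; loop TerminateCRII_ReserveStackMem
;
; mov edi, esp ;EDI -> PROCESSENTRY32
;
; push 0
; push TH32CS_SNAPPROCESS
; CALL CreateToolhelp32Snapshot
; mov ebx, eax ;EBX: SnapshotList
; ;or eax, eax
;
; mov [edi], dword ptr 296 ;set the dwSize member
; push edi
; push ebx
; CALL Process32First
;
; CALL IsCodeRedIIExplorerExeBackdoor_TerminateIt
;
; TerminateCRII_WalkProcessListLoop:
; mov [edi], dword ptr 296
; push edi
; push ebx
; CALL Process32Next
; mov ecx, 75
; cmp eax, TRUE
; jne TerminateCRII_FreeStackMem
;
; CALL IsCodeRedIIExplorerExeBackdoor_TerminateIt
;
; JMP TerminateCRII_WalkProcessListLoop
;
; TerminateCRII_FreeStackMem:
; pop eax
; loop TerminateCRII_FreeStackMem
;
RemoveExplorerAndBackdoorFiles:
        mov     bl, "C"                 ; bl = drive letter being cleaned
        mov     bh, DRIVE_COUNT         ; bh = drives left
RemoveBackdoorFilesLoop:
RenameAntiCodeRedExplorerExe:
        mov     esi, offset ACRExplorerExeStr
        mov     byte ptr [esi], bl      ; patch the drive letter into the first byte of the path
        mov     edi, offset ACRNewExplorerExeStr
        mov     byte ptr [edi], bl
        push    FILE_ATTRIBUTE_NORMAL   ; clear read-only/hidden/system so rename and delete can succeed
        push    esi
        CALL    SetFileAttributes
        push    edi                     ; lpNewFileName
        push    esi                     ; lpExistingFileName
        CALL    MoveFile                ; best effort: a drive without the dropped file is not an error
KillRootExe:
        mov     esi, offset CRIIRootExeStr1
        mov     byte ptr [esi], bl
        push    FILE_ATTRIBUTE_NORMAL
        push    esi
        CALL    SetFileAttributes
        push    esi
        CALL    DeleteFile              ; best effort, result ignored
        mov     esi, offset CRIIRootExeStr2
        mov     byte ptr [esi], bl
        push    FILE_ATTRIBUTE_NORMAL
        push    esi
        CALL    SetFileAttributes
        push    esi
        CALL    DeleteFile
        inc     bl                      ; next drive letter
        dec     bh                      ; dec sets ZF itself; no separate test needed
        jnz     RemoveBackdoorFilesLoop
RemoveBackdoorMappings:
        mov     edi, offset CRIIRegKey
        push    0                       ; stack slot that receives the key handle
        push    esp                     ; phkResult -> that slot
        push    KEY_SET_VALUE           ; samDesired: deleting values needs no more than this
        push    0                       ; ulOptions
        push    edi                     ; lpSubKey
        push    HKEY_LOCAL_MACHINE
        CALL    RegOpenKeyEx
        pop     ebx                     ; ebx = hKey, meaningful only when eax == ERROR_SUCCESS (0)
        test    eax, eax
        jnz     _ExecuteWinExplorer     ; key missing or access denied: nothing to delete, no handle to close
        mov     esi, offset CRIIRegVal1 ; assumes CRIIRegVal1..4 are consecutive NUL-terminated strings (as the original did)
        mov     edi, REG_MAPPING_COUNT  ; edi = value names left
DeleteBackdoorMappingsLoop:
        push    esi                     ; lpValueName
        push    ebx                     ; hKey
        CALL    RegDeleteValue          ; exactly two arguments; result ignored (the value may already be gone)
AdvanceToNextValueName:
        push    edi                     ; keep the loop counter; scasb needs edi
        mov     edi, esi
        xor     eax, eax                ; scan for the terminating NUL
        or      ecx, -1
        cld
        repne   scasb                   ; edi -> byte after the NUL = start of the next value name
        mov     esi, edi
        pop     edi
        dec     edi
        jnz     DeleteBackdoorMappingsLoop
        push    ebx
        CALL    RegCloseKey
_ExecuteWinExplorer:
GetSysDir:                              ; label kept for history; this queries the Windows directory, not System
        push    EXPLORER_CMD_BUF_SIZE
        push    offset ExplorerCmdStr
        CALL    GetWindowsDirectory     ; eax = chars written (no NUL), 0 on failure, required size if the buffer was too small
        test    eax, eax
        jz      _Wait
        cmp     eax, MAX_WINDIR_LEN
        ja      _Wait                   ; unsigned: not enough room for "\explorer.exe" + NUL, so skip the launch
CopyString:
        mov     edi, offset ExplorerCmdStr
        add     edi, eax                ; edi -> NUL that ends the Windows directory
        mov     esi, offset ExplorerStr
        mov     ecx, EXPLORER_STR_LEN
        cmp     byte ptr [edi-1], "\"   ; a root directory such as "C:\" already ends in a backslash
        je      BackslashPresent
        mov     byte ptr [edi], "\"
        inc     edi
BackslashPresent:
        cld
        rep     movsb
        mov     byte ptr [edi], 0       ; terminate explicitly instead of relying on a zero-filled buffer
ExecuteExplorer:
        push    SW_SHOWMAXIMIZED
        push    offset ExplorerCmdStr   ; full path, so the explorer.exe dropped in a drive root is never picked up
        CALL    WinExec
_Wait:
        push    SLEEP_BEFORE_NOTICE_MS
        CALL    Sleep
_DisplayCodeGreenMessage:
        push    MB_OK or MB_SERVICE_NOTIFICATION or MB_SYSTEMMODAL   ; shown even without an interactive caller desktop
        push    offset CodeGreenTitle
        push    offset CodeGreenMessage
        push    0                       ; no owner window
        CALL    MessageBoxA
_ExitProcess:
        push    0
        CALL    ExitProcess
        ;ret                            ; unreachable: ExitProcess does not return

; Disabled helper for the process-termination pass above (kept for reference):
; IsCodeRedIIExplorerExeBackdoor_TerminateIt: ;edi -> PROCESSENTRY32
; pushad
; mov ecx, 12
; add edi, 36 ;edi->szExeFile (":\explorer.exe)
; lea esi, offset CRIIExplorerExeStr
; add esi, 3
; repe cmpsb
; jnz Not_Explorer ;ecx not 0
; mov edi, [esp] ;pop edi
; mov eax, [edi+8] ;eax: ProcessID
;
; push eax ;pid
; push FALSE
; push PROCESS_ALL_ACCESS
; CALL OpenProcess
;
; mov ebx, eax ;EBX: hProcess
;
; push 0
; push 12 ;read 12 bytes
; push edi
; push 00400100h
; push ebx
; CALL ReadProcessMemory
; cmp eax, TRUE
;
; jne Not_CRIIExplorer ;could not read process memory
;
; lea esi, offset CRIIExplorerExePE
; mov ecx, 12
; repe cmpsb
;
; jnz Not_CRIIExplorer ;normal explorer process
;
; push 0
; push ebx
; call TerminateProcess
;
; Not_CRIIExplorer:
; push ebx
; call CloseHandle
;
; Not_Explorer:
; popad
; ret
;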
END _KillCodeRedBackdoors