用汇编遍历Windows局域网共享目录,病毒传染技术之一
时间:2004/10/8 16:41:00来源:本站整理作者:蓝点我要评论(0)
-
Virus Tips
by whg (whg@whitecell.org) from www.whitecell.org
用汇编遍历Windows局域网共享目录,病毒传染技术之一
include wap32.inc ; project include: equates and the NETRESOURCEA layout used below
.386
.model flat,stdcall ; flat 32-bit model, stdcall calling convention
.data
db 0 ; one placeholder byte; no other static data is defined in this listing
.code
; Imported Windows APIs. WNetOpenEnumA / WNetEnumResourceA / WNetCloseEnum are
; the network-resource enumeration interface. An unattended walk of every
; workgroup, host and disk share through these three calls is the behaviour
; to look for when reviewing a sample built on this listing.
extrn WNetOpenEnumA: proc
extrn WNetEnumResourceA: proc
extrn WNetCloseEnum: proc
extrn MessageBoxA: proc
extrn ExitProcess: proc
; Entry point: walk the network resource tree once, then exit with code 0.
Start:
call EnumNetBoot
call ExitProcess,0
EnumNetBoot proc
; Root of the walk: enumerate the containers at the top of the network
; hierarchy and hand each one to EnumNetWorkGroup.
; In:    nothing
; Saves: ebx and ebp are restored before returning
        push    ebx
        push    ebp
        mov     ebx,offset EnumNetWorkGroup     ; callback for every entry found
        mov     eax,RESOURCEUSAGE_CONTAINER     ; ask for resources that contain others
        mov     ebp,NULL                        ; no parent resource: start at the root
        call    EnumNetObject
        pop     ebp
        pop     ebx
        ret
EnumNetBoot endp
EnumNetWorkGroup proc
; Callback for one workgroup entry: show it, then enumerate the containers
; beneath it and pass each one to EnumNetComputer.
; In:    ebp = parent resource buffer (the entry being visited)
; Saves: ebx is restored before returning
        push    ebx
        call    DisplayMsg                      ; report the entry in ebp
        mov     ebx,offset EnumNetComputer      ; callback for the next level down
        mov     eax,RESOURCEUSAGE_CONTAINER
        call    EnumNetObject
        pop     ebx
        ret
EnumNetWorkGroup endp
EnumNetComputer proc
; Callback for one computer entry: show it, then enumerate the containers
; beneath it and pass each one to EnumNetComputerShareDir.
; In:    ebp = parent resource buffer (the entry being visited)
; Saves: ebx is restored before returning
        push    ebx
        call    DisplayMsg                              ; report the entry in ebp
        mov     ebx,offset EnumNetComputerShareDir      ; callback for the next level down
        mov     eax,RESOURCEUSAGE_CONTAINER
        call    EnumNetObject
        pop     ebx
        ret
EnumNetComputer endp
EnumNetComputerShareDir proc
; Callback for one entry below a computer: show it, then enumerate the
; connectable resources (shared directories) beneath it. This is the last
; level of the walk, so the callback is DisplayMsg itself.
; In:    ebp = parent resource buffer (the entry being visited)
; Saves: ebx is restored before returning
        push    ebx
        call    DisplayMsg                      ; report the entry in ebp
        mov     ebx,offset DisplayMsg           ; leaf callback: only display
        mov     eax,RESOURCEUSAGE_CONNECTABLE   ; resources that can be connected to
        call    EnumNetObject
        pop     ebx
        ret
EnumNetComputerShareDir endp
DisplayMsg proc
; Show one enumerated resource in a message box.
; In:    ebp = NETRESOURCEA buffer of the entry to display
; The remote name is used as the text and the provider name as the caption.
        mov     ecx,[ebp.lpProvider]
        mov     eax,[ebp.lpRemoteName]
        push    NULL                    ; uType
        push    ecx                     ; lpCaption = provider name
        push    eax                     ; lpText    = remote name
        push    NULL                    ; hWnd
        call    MessageBoxA
        ret
DisplayMsg endp
;// Enumerate one kind of LAN object beneath a parent resource.
EnumNetObject proc
;// In: eax = resource-usage flag (RESOURCEUSAGE_*), ebx = callback called for
;//     every entry found, ebp = parent resource buffer (NULL = network root).
;// All general registers are restored on return (pushad/popad).
;// Each nesting level takes 100h bytes of stack for its own result buffer, and
;// the callback is entered with ebp pointing at that buffer.
pushad
push eax ;// reserve a stack dword that receives the enumeration handle
call WNetOpenEnumA,RESOURCE_GLOBALNET,RESOURCETYPE_DISK,eax,ebp,esp
pop esi ;// esi = hEnum handle written by the call; also rebalances the stack
or eax,eax
jnz short EnumNetObjectError ;// non-zero return: open failed, nothing to close
mov edi,100h ;// size of the stack region to set aside
sub esp,edi
mov ebp,esp ;// ebp = result buffer carved out of the stack
LoopEnumNetObject:
push L 1h ;// entry count: enumerate one entry per call
mov eax,esp ;// eax -> the count dword
push edi ;// buffer size (edi=100h); esp now points at it
call WNetEnumResourceA,esi,eax,ebp,esp
pop ecx
pop ecx ;// drop the size and count dwords to rebalance the stack
or eax,eax
jnz short EnumNetObjectOver ;// any non-zero result ends the loop; ERROR_NO_MORE_ITEMS and real failures are not told apart
call ebx ;// invoke the callback with ebp = the entry just read
jmp short LoopEnumNetObject
EnumNetObjectOver:
call WNetCloseEnum,esi
add esp,edi ;// release the result buffer
EnumNetObjectError:
popad
ret
EnumNetObject endp
end Start
;//wap32.inc
; Equates and the NETRESOURCEA layout for the share-enumeration listing.
; Short aliases used throughout the listing.
OFF equ offset
L equ Large
NULL equ L 0
MAX_PATH equ 260
; Scope values (first argument of WNetOpenEnumA in EnumNetObject).
RESOURCE_GLOBALNET equ 2h
RESOURCE_CONNECTED equ 1h
; Resource type values (second argument of WNetOpenEnumA).
RESOURCETYPE_DISK equ 1h
RESOURCETYPE_ANY equ 0h
; Usage flags (passed in eax to EnumNetObject).
RESOURCEUSAGE_CONNECTABLE equ 1h
RESOURCEUSAGE_CONTAINER equ 2h
; Defined but not compared against anywhere in the listing above.
ERROR_NO_MORE_ITEMS equ 259
; One enumerated resource: eight dwords, 20h bytes in total.
NETRESOURCEA STRUCT
dwScope DWORD ? ; +00h
dwType DWORD ? ; +04h
dwDisplayType DWORD ? ; +08h
dwUsage DWORD ? ; +0Ch
lpLocalName DWORD ? ; +10h
lpRemoteName DWORD ? ; +14h  read by DisplayMsg (message text)
lpComment DWORD ? ; +18h
lpProvider DWORD ? ; +1Ch  read by DisplayMsg (caption)
NETRESOURCEA ENDS
为了使你的病毒更稳定,请使用结构化异常处理程序
include wap32.inc
extrn _wsprintfA: proc
extrn MessageBoxA: proc
extrn ExitProcess: proc
.386
.model flat,stdcall
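.data
; Msg00: caption of the exception report box.
Msg00 db '异常处理信息...',0
; Msg01: wsprintfA format string for the exception report. The arguments are
; pushed by MyExceptionProc in reverse order of the fields below.
Msg01 db '函数原形:',0dh,0ah
db 'Exception PROC uses ebx esi edi,pRecord,pFrame,pContext,pDispatch',0dh,0ah,0ah
db '详细资料...',0dh,0ah,0ah
db '异常处理程序返回地址= %8.8x',0dh,0ah,0ah
db '<参数1>pRecord= [%8.8x] 异常部分记录',0dh,0ah
db ' ExceptionCode= %8.8x ExceptionFlags= %8.8x ',0dh,0ah,0ah
db '<参数2>pFrame= [%8.8x] 一些指针,本程序不关心',0dh,0ah,0ah
db '<参数3>pContext=[%8.8x] 发生异常时候的常用寄存器值',0dh,0ah,0ah
db ' EAX= %8.8x EBX= %8.8x ECX= %8.8x EDX= %8.8x',0dh,0ah
db ' ESI= %8.8x EDI= %8.8x EBP= %8.8x ESP= %8.8x',0dh,0ah
db ' DS= %4.4x ES= %4.4x FS= %4.4x GS= %4.4x',0dh,0ah
db ' SS: ESP=%4.4x: %8.8x CS: EIP=%4.4x: %8.8x',0dh,0ah,0ah
db '<参数4>pDispatch= [%8.8x] X86机器未使用',0dh,0ah,0ah
db '发生异常的代码 CS:[EIP]',0dh,0ah,0ah
db '%8.8x %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x',0dh,0ah,0ah
db '发生异常的堆栈 SS:[ESP]',0dh,0ah,0ah
db '%8.8x %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x',0dh,0ah,0ah,0
; Msg02 / Msg03: text and caption of the box shown after execution resumes.
Msg02 db '程序正常终止',0
Msg03 db '应用程序提示',0
; Output buffer for wsprintfA. The expanded Msg01 text is longer than 200h
; bytes (it passes 512 before the SS:ESP line is complete), so the original
; 200h-byte buffer was written past its end. wsprintfA emits at most 1024
; bytes, so 400h covers every possible result.
MsgBuff db 400h dup(0)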
.code
; Entry point: install a frame-based exception handler, raise a breakpoint
; exception on purpose, then continue once the handler has stepped Eip past
; the faulting instruction.
; The frame is not unlinked from fs:[0] before ExitProcess is called.
Start:
mov eax,offset MyExceptionProc
push eax ;// frame: handler address
mov eax,fs:[0]
push eax ;// frame: previous head of the handler chain
mov fs:[0],esp ;// hook the new frame into the exception handler chain
CreateException:
int 3 ;// raise a breakpoint (interrupt) exception
;mov ds:[0],eax;// alternative: raise a memory access exception
;cli ;// alternative: raise a privileged-instruction exception
InstructionSize=$-OFF CreateException ;// byte length of the code between the label and here; the handler adds it to Eip
call MessageBoxA,NULL,OFF Msg02,OFF Msg03,NULL
call ExitProcess,0
; Frame-based exception handler: formats the exception record and the saved
; register context into MsgBuff, shows the report, then resumes the thread
; past the faulting instruction.
; In:    pRecord   -> EXCEPTION_RECORD
;        pFrame    -> value is only printed
;        pContext  -> CONTEXT of the faulting thread
;        pDispatch -> value is only printed
; Out:   eax = ExceptionContinueExecution
; Saves: ebx, esi, edi (uses clause); esp is restored from edi after the
;        variadic wsprintfA call.
; The arguments for wsprintfA are pushed in reverse order of the fields in
; Msg01, so the first push below is the last field of the report.
; NOTE(review): ExceptionCode, ExceptionFlags and the faulting address are
; printed but never tested; every exception that reaches this frame has Eip
; advanced by InstructionSize and is resumed.
; NOTE(review): the dump loops read memory at the saved Esp and Eip without
; checking that it is readable; a bad pointer there would fault inside the
; handler.
; NOTE(review): this code does not bound the wsprintfA output; MsgBuff has to
; be large enough for the fully expanded Msg01.
MyExceptionProc proc uses ebx esi edi,pRecord,pFrame,pContext,pDispatch
mov edi,esp ; remember esp so every argument pushed below can be dropped at once
mov ebx,pContext
mov ebx,[ebx.cx_Esp] ; ebx = stack pointer at the time of the exception
mov ecx,8 ; eight dwords for the SS:[ESP] dump
; NOTE(review): the two word loads use different offsets (+7*4 and +2) while
; ebx steps down by 4 - looks inconsistent, confirm against the intended dump.
LoopPushStack:
mov ax,[ebx+7*4]
xchg ah,al ; swap the two bytes of the word
shl eax,16
mov ax,[ebx+2]
xchg ah,al
push eax
sub ebx,4
loop LoopPushStack
mov ebx,pContext
mov ebx,[ebx.cx_Eip] ; ebx = address of the faulting instruction
mov ecx,8 ; eight dwords for the CS:[EIP] dump
; Same load pattern as LoopPushStack; the same review note applies.
LoopPushCode:
mov ax,[ebx+7*4]
xchg ah,al
shl eax,16
mov ax,[ebx+2]
xchg ah,al
push eax
sub ebx,4
loop LoopPushCode
mov ebx,pDispatch
push ebx ; field: pDispatch
mov ebx,pContext
mov eax,[ebx.cx_Eip]
push eax ; field: EIP
mov eax,[ebx.cx_SegCs]
and eax,0ffffh ; keep the 16-bit selector only
push eax ; field: CS
mov eax,[ebx.cx_Esp]
push eax ; field: ESP (SS:ESP pair)
mov eax,[ebx.cx_SegSs]
and eax,0ffffh
push eax ; field: SS
mov eax,[ebx.cx_SegGs]
and eax,0ffffh
push eax ; field: GS
mov eax,[ebx.cx_SegFs]
and eax,0ffffh
push eax ; field: FS
mov eax,[ebx.cx_SegEs]
and eax,0ffffh
push eax ; field: ES
mov eax,[ebx.cx_SegDs]
and eax,0ffffh
push eax ; field: DS
mov eax,[ebx.cx_Esp]
push eax ; field: ESP (register row)
mov eax,[ebx.cx_Ebp]
push eax ; field: EBP
mov eax,[ebx.cx_Edi]
push eax ; field: EDI
mov eax,[ebx.cx_Esi]
push eax ; field: ESI
mov eax,[ebx.cx_Edx]
push eax ; field: EDX
mov eax,[ebx.cx_Ecx]
push eax ; field: ECX
mov eax,[ebx.cx_Ebx]
push eax ; field: EBX
mov eax,[ebx.cx_Eax]
push eax ; field: EAX
push ebx ; field: pContext
mov ebx,pFrame
push ebx ; field: pFrame
mov ebx,pRecord
mov eax,[ebx.ExceptionFlags]
push eax ; field: ExceptionFlags
mov eax,[ebx.ExceptionCode]
push eax ; field: ExceptionCode
push ebx ; field: pRecord
mov ebx,[ebp+4] ; dword above the saved ebp: this handler's return address
push ebx ; field: handler return address
call _wsprintfA,OFF MsgBuff,OFF Msg01
call MessageBoxA,NULL,OFF MsgBuff,OFF Msg00,NULL
mov esp,edi ; discard all wsprintfA arguments in one step
mov ebx,pContext
add [ebx.cx_Eip],InstructionSize ; resume after the instruction at CreateException
mov eax,ExceptionContinueExecution
ret
MyExceptionProc endp
end Start
;//wap32.inc
; Equates and structure layouts for the exception-handling listing.
; Short aliases used throughout the listing.
OFF equ offset
L equ Large
D equ dword ptr
W equ word ptr
B equ byte ptr
NULL equ L 0
; Record passed to the handler as pRecord; MyExceptionProc reads
; ExceptionCode and ExceptionFlags from it.
EXCEPTION_RECORD STRUCT
ExceptionCode DWORD ? ; +00h
ExceptionFlags DWORD ? ; +04h
pExceptionRecord DWORD ? ; +08h
ExceptionAddress DWORD ? ; +0Ch
NumberParameters DWORD ? ; +10h
ExceptionInformation DWORD 15 dup(?) ; +14h, 15 dwords
EXCEPTION_RECORD ENDS
; Saved register state passed to the handler as pContext. The hex values in
; the trailing comments are the field offsets. MyExceptionProc reads the
; segment, integer and control groups and writes cx_Eip to choose where
; execution resumes.
CONTEXT STRUC
cx_ContextFlags DD ?
;CONTEXT_DEBUG_REGISTERS
cx_Dr0 DD ? ;04
cx_Dr1 DD ? ;08
cx_Dr2 DD ? ;0C
cx_Dr3 DD ? ;10
cx_Dr6 DD ? ;14
cx_Dr7 DD ? ;18
;CONTEXT_FLOATING_POINT
cx_ControlWord DD ?
cx_StatusWord DD ?
cx_TagWord DD ?
cx_ErrorOffset DD ?
cx_ErrorSelector DD ?
cx_DataOffset DD ?
cx_DataSelector DD ?
cx_RegisterArea DB 80 DUP (?)
cx_Cr0NpxState DD ?
;CONTEXT_SEGMENTS
cx_SegGs DD ? ;8C
cx_SegFs DD ? ;90
cx_SegEs DD ? ;94
cx_SegDs DD ? ;98
;CONTEXT_INTEGER
cx_Edi DD ? ;9C
cx_Esi DD ? ;A0
cx_Ebx DD ? ;A4
cx_Edx DD ? ;A8
cx_Ecx DD ? ;AC
cx_Eax DD ? ;B0
;CONTEXT_CONTROL
cx_Ebp DD ? ;B4
cx_Eip DD ? ;B8
cx_SegCs DD ? ;BC
cx_EFlags DD ? ;C0
cx_Esp DD ? ;C4
cx_SegSs DD ? ;C8
CONTEXT ENDS
; Not referenced by the listing above, which uses a frame-based handler.
EXCEPTION_POINTERS STRUC ;parameter of top-level exception handler
ExceptionRecord DD ? ;pointer to _EXCEPTION_RECORD
ContextRecord DD ? ;pointer to _CONTEXT
EXCEPTION_POINTERS ENDS
;---ExceptionFlags for TEST, AND or CMP instructions
EXCEPTION_CONTINUABLE EQU 000000000H
EXCEPTION_NONCONTINUABLE EQU 000000001H
UNWIND_STACK EQU 000000006H ; presumably the two unwind flag bits (2 and 4) combined - confirm
;---ExceptionCodes for CMP instruction
EXCEPTION_WAIT_0 EQU 000000000H
EXCEPTION_ABANDONED_WAIT_0 EQU 000000080H
EXCEPTION_USER_APC EQU 0000000C0H
EXCEPTION_TIMEOUT EQU 000000102H
EXCEPTION_PENDING EQU 000000103H
EXCEPTION_SEGMENT_NOTIFICATION EQU 040000005H
EXCEPTION_GUARD_PAGE_VIOLATION EQU 080000001H
EXCEPTION_DATATYPE_MISALIGNMENT EQU 080000002H
EXCEPTION_BREAKPOINT EQU 080000003H ; exception 3
EXCEPTION_SINGLE_STEP EQU 080000004H ; exception 1
EXCEPTION_ACCESS_VIOLATION EQU 0C0000005H ; typically exception 13
EXCEPTION_IN_PAGE_ERROR EQU 0C0000006H
EXCEPTION_NO_MEMORY EQU 0C0000017H
EXCEPTION_ILLEGAL_INSTRUCTION EQU 0C000001DH
EXCEPTION_NONCONTINUABLE_EXCEPTION EQU 0C0000025H
EXCEPTION_INVALID_DISPOSITION EQU 0C0000026H
EXCEPTION_ARRAY_BOUNDS_EXCEEDED EQU 0C000008CH ; exception 5
EXCEPTION_FLOAT_DENORMAL_OPERAND EQU 0C000008DH
EXCEPTION_FLT_DENORMAL_OPERAND EQU 0C000008DH
EXCEPTION_FLOAT_DIVIDE_BY_ZERO EQU 0C000008EH
EXCEPTION_FLT_DIVIDE_BY_ZERO EQU 0C000008EH
EXCEPTION_FLOAT_INEXACT_RESULT EQU 0C000008FH
EXCEPTION_FLT_INEXACT_RESULT EQU 0C000008FH
EXCEPTION_FLOAT_INVALID_OPERATION EQU 0C0000090H
EXCEPTION_FLT_INVALID_OPERATION EQU 0C0000090H
EXCEPTION_FLOAT_OVERFLOW EQU 0C0000091H
EXCEPTION_FLT_OVERFLOW EQU 0C0000091H
EXCEPTION_FLOAT_STACK_CHECK EQU 0C0000092H
EXCEPTION_FLT_STACK_CHECK EQU 0C0000092H
EXCEPTION_FLOAT_UNDERFLOW EQU 0C0000093H
EXCEPTION_FLT_UNDERFLOW EQU 0C0000093H
EXCEPTION_INTEGER_DIVIDE_BY_ZERO EQU 0C0000094H ; exception 0
EXCEPTION_INT_DIVIDE_BY_ZERO EQU 0C0000094H
EXCEPTION_INTEGER_OVERFLOW EQU 0C0000095H ; exception 4
EXCEPTION_INT_OVERFLOW EQU 0C0000095H
EXCEPTION_PRIVILEGED_INSTRUCTION EQU 0C0000096H ; typically exception 13
EXCEPTION_PRIV_INSTRUCTION EQU 0C0000096H
EXCEPTION_STACK_OVERFLOW EQU 0C00000FDH
EXCEPTION_CONTROL_C_EXIT EQU 0C000013AH
; The two return-code sets below are not interchangeable: "continue execution"
; is -1 in the first set and 0 in the second.
;---return codes for top-level exception handler (EAX)
EXCEPTION_CONTINUE_EXECUTION EQU -1
EXCEPTION_CONTINUE_SEARCH EQU 0
EXCEPTION_EXECUTE_HANDLER EQU 1
;---return codes for try-except exception handler (EAX)
; MyExceptionProc returns ExceptionContinueExecution from this set.
ExceptionContinueExecution EQU 0
ExceptionContinueSearch EQU 1
ExceptionNestedException EQU 2
ExceptionCollidedUnwind EQU 3