;-----------------------------------------------------------------------
; kVP - console removal tool for the Viking (威金) / Panda worm families
; (tool name taken from msg3 below).
; Assembler: MASM (Intel syntax), 32-bit x86, flat model, Win32 stdcall.
; Entry point: main (see `end main` at the bottom of the file).
; Convention used throughout: a proc preserves every register with
; pushad/popad unless its return registers are listed in the PROTO
; comments below. Globals hcw/hcr/hsubkey/totalfile/infectedfile are
; shared state (.data), so nothing here is reentrant.
; Work done, in order (see main): inject antivd.dll into Explorer/IE to
; stop the running worm, delete its dropper files by fixed name, repair
; the Run key and the hidden-files policy, then rewrite every *.exe on
; every drive that carries an embedded PE. The injection step is the
; same remote-thread technique AV/EDR products detect, so expect this
; binary itself to be flagged or quarantined.
;-----------------------------------------------------------------------
.386
.model flat,stdcall
include kernel32.inc
include user32.inc
include shell32.inc
include advapi32.inc
include windows.inc
includelib kernel32.lib
includelib user32.lib
includelib shell32.lib
includelib advapi32.lib
; writeregvalue's `format` argument: `hex` means value points at a dword,
; anything else is treated as a NUL-terminated string.
; NOTE(review): `string` is also the first parameter name in the getupdir
;   PROTO below (the proc itself calls it stringpath); confirm the
;   assembler accepts that, since `string` is already a numeric equate.
string equ REG_SZ
hex equ REG_DWORD
; Prototypes for procs that are invoked before their definition.
; fix, fixreg, showmsg and openreg have none and are therefore reached
; with push/call or defined before first use.
removevirusmainfiles proto dir:dword,file:dword               ; delete dir\file, then plant a hidden dir of that name
wconsole proto buffer:dword                                   ; write buffer + CRLF to hcw
searchalldisk proto filterstring:dword,callback:dword         ; walk all drives; callback(fullpath) for every "*.exe"
getupdir proto string:dword,to:dword                          ; to = string with its last '\' component removed
dumporiginalfile proto path:dword                             ; disinfect one file (the searchalldisk callback)
delregvalue proto hkey:dword,subkey:dword,item:dword          ; RegDeleteValue(hkey\subkey, item)
writeregvalue proto hkey:dword,subkey:dword,item:dword,format:dword,value:dword ; RegSetValueEx(hkey\subkey, item, format, value)
mapfile proto filename:dword,addsize:dword                    ; out: eax=view ecx=hfile (0 = failure) edx=hmap ebx=size+addsize
unmapfile proto mapsite:dword,hfile:dword,hmap:dword          ; UnmapViewOfFile(mapsite) + CloseHandle(hmap); hfile is left open
checkpe proto site:dword                                      ; out: eax = address of the "PE" signature, 0 if not a PE
injectprocess proto processlist:dword,numberofprocess:dword   ; load antivd.dll into every process named in processlist
lookupprocess proto processlist:dword,pstname:dword,numberofprocess:dword ; out: eax = 1 if pstname is in processlist, else 0
.data
;--------------------------------------------------
; Shared state
hcw dword 0                     ; console output handle (used by wconsole)
hcr dword 0                     ; console input handle (final ReadConsole pause in main)
hsubkey dword 0                 ; HKEY opened by openreg; consumed by writeregvalue/delregvalue
totalfile dword 0               ; *.exe files examined by dumporiginalfile
infectedfile dword 0            ; files dumporiginalfile rewrote
; wsprintf formats
format1 db '%s\%s',0            ; dir\file
format2 db '%s\%s\*.*',0        ; dir\sub\*.*  (FindFirstFile pattern)
format3 db '总共扫描 %d 个程序文件,中毒 %d 个,已全部修复!',0   ; "Scanned %d program files, %d infected, all repaired!"
format4 db '\antivd.dll',0      ; DLL that injectprocess loads into other processes; expected next to this .exe
path1 db '\drivers',0           ; appended to the system directory in main
filter db '*.exe',0             ; searchalldisk skips the leading '*' and compares ".exe" against the file name's tail
tpf db '\*.*',0                 ; appended to a directory to enumerate it
; Registry locations repaired by fixreg
regpath1 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0   ; autostart key; the four value names below are deleted
regpath2 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL',0   ; "show hidden files" policy; CheckedValue is reset to 1
regtitle1 db 'svcshare',0
regtitle2 db 'load',0
regtitle3 db 'FuckJacks',0
regtitle4 db 'svohost',0
regtitle5 db 'CheckedValue',0
; File names the tool deletes (see main for where each is looked for;
; virus9/virus10 are removed wherever searchalldisk meets them)
virus1 db 'spoclsv.exe',0       ; system32\drivers
virus2 db 'spcolsv.exe',0       ; system32\drivers
virus3 db 'FuckJacks.exe',0     ; system32
virus4 db 'twunk32.exe',0       ; system32
virus5 db 'rundl132.exe',0      ; windows dir
virus6 db 'logo_1.exe',0        ; windows dir
virus7 db 'setup.exe',0         ; root of every fixed/removable drive
virus8 db 'GameSetup.exe',0     ; root of every fixed/removable drive
virus9 db 'vdll.dll',0          ; any directory
virus10 db 'dll.dll',0          ; any directory
virus11 db 'autorun.inf',0      ; root of every fixed/removable drive
; Processes that receive antivd.dll (injectprocess)
injectprocess1 db 'Explorer.exe',0
injectprocess2 db 'Iexplore.exe',0
filetable dword injectprocess1
dword injectprocess2
filenumber=($-filetable)/4      ; number of entries in filetable
; Console / message-box text (Simplified Chinese); translations in comments
msg0 db 0                       ; empty line
msg1 db '请关闭现在运行的其它程序!杀毒期间不要运行任何其它程序!',0   ; "Close all other running programs! Do not run anything while disinfecting!"
msg2 db '最好插上你的移动硬盘、U盘、MP3 以便能够杀掉其上的病毒!',0   ; "Plug in external drives / USB sticks / MP3 players so the virus on them is removed too!"
msg3 db '威金、熊猫专杀工具 V1.0 制作者:邓盾 QQ:151413673',0          ; console title: tool name, version and author contact
msg4 db '************************************************************',0   ; section separator
msg5 db '正在关闭病毒……',0      ; "Shutting down the virus..."
msg6 db '完成!',0               ; "Done!"
msg7 db '正在尝试删除病毒主文件……',0   ; "Trying to delete the main virus files..."
msg8 db '未能找到病毒文件%s',0   ; "Could not find virus file %s" (printed on any DeleteFile failure)
msg9 db '正在修复注册表……',0    ; "Repairing the registry..."
msg10 db '正在扫描文件……',0     ; "Scanning files..."
msg11 db '该文件已经中毒,正在修复……',0   ; "This file is infected, repairing..."
msg12 db '不能打开该文件,可能在使用中!',0   ; "Cannot open this file, it may be in use!"
msg13 db '错误的文件格式!',0    ; "Wrong file format!"
msg14 db '创建文件失败!',0      ; "Failed to create file!"
msg15 db '分析中……',0           ; "Analyzing..."
msg16 db '该文件中未发现病毒',0  ; "No virus found in this file"
msg17 db '============================================================',0   ; summary separator
.code
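;-----------------------------------------------------------------------
; main - console entry point (no arguments, no return value).
; Steps, each announced through wconsole:
;   1. resolve the Windows, system32 and system32\drivers directories
;   2. inject antivd.dll into Explorer/IE (injectprocess) to stop the worm
;   3. delete the dropper files by fixed name in those directories and on
;      the root of every fixed/removable drive C: .. Z:
;   4. repair the Run key and the hidden-files policy (fixreg)
;   5. hand every *.exe on every drive to dumporiginalfile (searchalldisk)
;   6. print the totalfile/infectedfile summary and wait for a key
; Changes vs. the previous revision: the drive loop no longer stops at the
; first letter with no root directory (a gap such as a missing D: used to
; end the loop), and ReadConsole gets a real lpNumberOfCharsRead pointer.
;-----------------------------------------------------------------------
main proc
    LOCAL temp[256]:byte,windir[256]:byte,sysdir[256]:byte,\
          driverdir[256]:byte,nread:dword
    ;---------------------------------------------------------
    ; 1. directories
    invoke GetWindowsDirectory,addr windir,256
    invoke GetSystemDirectory,addr sysdir,256
    invoke lstrcpy,addr driverdir,addr sysdir
    invoke lstrcat,addr driverdir,offset path1      ; driverdir = <system32>\drivers
    ; console handles used by wconsole and by the final pause
    invoke GetStdHandle,STD_OUTPUT_HANDLE
    mov hcw,eax
    invoke GetStdHandle,STD_INPUT_HANDLE
    mov hcr,eax
    invoke SetConsoleTitle,offset msg3
    push offset msg1                                ; showmsg has no PROTO, hence push/call
    call showmsg
    push offset msg2
    call showmsg
    ; 2. stop the running worm
    invoke wconsole,offset msg4
    invoke wconsole,offset msg5
    invoke injectprocess,offset filetable,filenumber ; loads format4 (antivd.dll) into Explorer.exe / Iexplore.exe
    invoke Sleep,500
    invoke wconsole,offset msg6
    ; 3. dropper files at their fixed locations
    invoke wconsole,offset msg4
    invoke wconsole,offset msg7
    invoke removevirusmainfiles,addr driverdir,offset virus1
    invoke removevirusmainfiles,addr driverdir,offset virus2
    invoke removevirusmainfiles,addr sysdir,offset virus3
    invoke removevirusmainfiles,addr sysdir,offset virus4
    invoke removevirusmainfiles,addr windir,offset virus5
    invoke removevirusmainfiles,addr windir,offset virus6
    ; ... and on the root of every fixed/removable drive. temp = "c:",0
    ; (the character constant ':c' stores 'c' in the low byte); A: and B:
    ; are deliberately skipped.
    mov dword ptr temp,':c'
checkdrive:
    invoke GetDriveType,addr temp
    cmp eax,DRIVE_FIXED
    jz kv
    cmp eax,DRIVE_REMOVABLE
    jz kv
changdrive:                                         ; unknown, absent, CD-ROM, network and RAM drives fall through here
    inc byte ptr temp                               ; next drive letter
    cmp byte ptr temp,'z'
    jbe checkdrive
    jmp kvdone
kv:
    invoke removevirusmainfiles,addr temp,offset virus7
    invoke removevirusmainfiles,addr temp,offset virus8
    invoke removevirusmainfiles,addr temp,offset virus11
    jmp changdrive
kvdone:
    invoke wconsole,offset msg6
    ; 4. registry
    invoke wconsole,offset msg4
    invoke wconsole,offset msg9
    call fixreg                                     ; no PROTO and no arguments
    invoke wconsole,offset msg6
    ; 5. full scan of every *.exe
    invoke wconsole,offset msg4
    invoke wconsole,offset msg10
    invoke searchalldisk,offset filter,offset dumporiginalfile
    ; 6. summary, then block until the user presses a key
    invoke wconsole,offset msg0
    invoke wconsole,offset msg0
    invoke wconsole,offset msg0
    invoke wconsole,offset msg17
    invoke wconsole,offset msg0
    invoke wsprintf,addr temp,offset format3,totalfile,infectedfile
    invoke wconsole,addr temp
    invoke wconsole,offset msg0
    invoke wconsole,offset msg17
    invoke ReadConsole,hcr,addr temp,2,addr nread,0 ; lpNumberOfCharsRead is an output pointer, not optional
    ret
main endp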
;-----------------------------------------------------------------------
; fixreg - undo the worm's registry changes.
; Deletes the four autostart values (regtitle1..4) from HKLM\...\Run and
; writes CheckedValue = REG_DWORD 1 under the SHOWALL policy key so that
; "show hidden files" works again. No arguments, no return value; all
; registers preserved. Return codes of the helpers are not inspected.
;-----------------------------------------------------------------------
fixreg proc
    LOCAL showall:dword
    pushad
    ; HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    push offset regtitle1
    push offset regpath1
    push HKEY_LOCAL_MACHINE
    call delregvalue
    push offset regtitle2
    push offset regpath1
    push HKEY_LOCAL_MACHINE
    call delregvalue
    push offset regtitle3
    push offset regpath1
    push HKEY_LOCAL_MACHINE
    call delregvalue
    push offset regtitle4
    push offset regpath1
    push HKEY_LOCAL_MACHINE
    call delregvalue
    ; ...\Explorer\Advanced\Folder\Hidden\SHOWALL : CheckedValue = 1
    mov showall,1
    lea eax,showall
    push eax
    push hex
    push offset regtitle5
    push offset regpath2
    push HKEY_LOCAL_MACHINE
    call writeregvalue
    popad
    ret
fixreg endp
;-----------------------------------------------------------------------
; fix(path) - "immunise" a path the worm wants to drop a file at: create a
; directory with that exact name and mark it hidden+system, so a later
; CreateFile of the dropper fails. Failures (path exists, no rights) are
; ignored. All registers preserved.
;-----------------------------------------------------------------------
fix proc path:dword
    pushad
    push NULL                                       ; default security attributes
    push path
    call CreateDirectory
    push FILE_ATTRIBUTE_HIDDEN or FILE_ATTRIBUTE_SYSTEM
    push path
    call SetFileAttributes
    popad
    ret
fix endp
;-----------------------------------------------------------------------
; removevirusmainfiles(dir, file) - delete dir\file and block the path.
; Clears the attributes first (worm files are usually hidden/read-only),
; deletes the file, then always calls fix() to leave a hidden directory
; in its place. If DeleteFile reported failure - missing file or a file
; still in use - msg8 ("could not find virus file %s") is printed.
; All registers preserved; temp must hold dir + '\' + file (< 256 bytes).
;-----------------------------------------------------------------------
removevirusmainfiles proc dir:dword,file:dword
    LOCAL temp[256]:byte
    pushad
    invoke wsprintf,addr temp,addr format1,dir,file
    invoke SetFileAttributes,addr temp,FILE_ATTRIBUTE_NORMAL
    invoke DeleteFile,addr temp
    mov ebx,eax                                     ; keep the BOOL across fix() (ebx survives stdcall calls)
    invoke fix,addr temp
    test ebx,ebx
    jnz done
    invoke wsprintf,addr temp,addr msg8,file
    invoke wconsole,addr temp
done:
    popad
    ret
removevirusmainfiles endp
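;-----------------------------------------------------------------------
; searchalldisk(filterstring, callback)
; Walks every directory of every fixed/removable drive C: .. Z: without
; recursion: temppath1 = current directory, temppath2 = temppath1\*.*,
; handlelist[folderdepth] = the FindFirstFile handle of each open level.
; For every entry: vdll.dll / dll.dll (virus9/virus10) are deleted on
; sight; a file whose last four characters equal filterstring+1 (".exe")
; is passed to callback(fullpath) - callback may be 0 to only walk.
; Directory names starting with '.' are skipped ("." and ".." included).
; All registers preserved; no return value.
; Changes vs. the previous revision:
;   - the second suffix compare tested flags left behind by lstrcmpi
;     instead of its return value (`or eax,eax` was missing), so the
;     ".exe" test was unreliable;
;   - folderdepth is bounded by the 100-entry handlelist and the 256-byte
;     path buffers are length-checked before wsprintf, so a deep tree or
;     long names on a removable disk can no longer overwrite this frame;
;   - find handles are closed when a listing is exhausted (one leaked per
;     directory before);
;   - names shorter than ".exe" are rejected before edi is moved back 5;
;   - a drive letter with no root directory no longer ends the walk.
;-----------------------------------------------------------------------
searchalldisk proc filterstring:dword,callback:dword
    LOCAL temppath1[256]:byte, \ ;path
          temppath2[256]:byte, \ ; path+*.*
          targetpath[256]:byte,\ ;path+filename
          fileinfo:WIN32_FIND_DATA, \
          handlelist[100]:dword,\
          folderdepth:dword,\
          driver:dword
    pushad
    mov driver,':b'                                 ; "b:",0,0 - bumped to "c:" before the first probe
startnow:
    inc driver                                      ; next drive letter (low byte)
    cmp byte ptr driver,'z'
    ja quit
    invoke GetDriveType,addr driver
    cmp eax,DRIVE_FIXED
    jz preexam
    cmp eax,DRIVE_REMOVABLE
    jz preexam
    jmp startnow                                    ; absent, CD-ROM, network, RAM disk: skip
preexam:
    invoke lstrcpy,addr temppath1,addr driver       ; temppath1 = "c:"
    invoke lstrcpy,addr temppath2,addr temppath1
    lea eax,tpf
    invoke lstrcat,addr temppath2,eax               ; temppath2 = "c:\*.*"
    invoke FindFirstFile,addr temppath2,addr fileinfo
    inc eax                                         ; INVALID_HANDLE_VALUE -> 0: drive not readable
    jz startnow
    dec eax
    invoke FindClose,eax                            ; probe only; real enumeration starts at goon
    and folderdepth,0
goon:                                               ; open the listing of temppath2 at the current depth
    invoke FindFirstFile,addr temppath2,addr fileinfo
    inc eax
    jz gotoupfolder                                 ; empty or inaccessible directory
    dec eax
    mov ebx,folderdepth
    mov handlelist[ebx*4],eax
    jmp judgefile
getnextfile:
    mov ebx,folderdepth
    mov ebx,handlelist[ebx*4]
    invoke FindNextFile,ebx,addr fileinfo
    or eax,eax
    jnz judgefile
    invoke FindClose,ebx                            ; this level is exhausted
    mov eax,folderdepth
    or eax,eax
    jz startnow                                     ; drive root done: next drive
    jmp gotoupfolder
quit:
    popad
    ret
judgefile:
    test fileinfo.dwFileAttributes,FILE_ATTRIBUTE_DIRECTORY
    jz processfile
    cmp fileinfo.cFileName,'.'                      ; "." / ".." and any other dot-directory
    jz getnextfile
    jmp enterfolder
processfile:
    invoke lstrcmpi,addr fileinfo.cFileName,offset virus9
    or eax,eax
    jnz @@@1
    invoke removevirusmainfiles,addr temppath1,addr fileinfo.cFileName
    jmp getnextfile
@@@1:
    invoke lstrcmpi,addr fileinfo.cFileName,offset virus10
    or eax,eax
    jnz @@@2
    invoke removevirusmainfiles,addr temppath1,addr fileinfo.cFileName
    jmp getnextfile
@@@2:
    mov edi,filterstring
    inc edi                                         ; edi -> ".exe" (skip the '*')
    invoke lstrcmpi,edi,addr fileinfo.cFileName     ; a file literally named ".exe"
    or eax,eax
    jz doit
    lea edi,fileinfo.cFileName
    xor eax,eax
    xor ecx,ecx
    dec ecx
    repnz scasb                                     ; edi -> one past the terminator
    not ecx                                         ; ecx = strlen + 1
    cmp ecx,5
    jb getnextfile                                  ; shorter than ".exe": cannot match, and edi-5 would precede the buffer
    sub edi,5                                       ; edi -> last four characters
    mov esi,filterstring
    inc esi
    invoke lstrcmpi,esi,edi                         ; case-insensitive suffix test
    or eax,eax
    jz doit
    jmp getnextfile
doit:
    invoke lstrlen,addr temppath1
    mov ebx,eax
    invoke lstrlen,addr fileinfo.cFileName
    add ebx,eax
    add ebx,2                                       ; '\' + NUL
    cmp ebx,256
    ja getnextfile                                  ; dir\name would not fit targetpath
    invoke lstrcpy,addr targetpath,addr temppath1
    invoke wsprintf,addr targetpath,addr format1,addr targetpath,\
                    addr fileinfo.cFileName         ; targetpath = dir\name
    mov eax,callback
    or eax,eax
    jz getnextfile                                  ; no callback: walk only
    lea ebx,targetpath
    push ebx
    call eax                                        ; callback(targetpath), stdcall
    jmp getnextfile
enterfolder:
    cmp folderdepth,99
    jae getnextfile                                 ; handlelist full: do not descend
    invoke lstrlen,addr temppath1
    mov ebx,eax
    invoke lstrlen,addr fileinfo.cFileName
    add ebx,eax
    add ebx,6                                       ; '\' + "\*.*" + NUL that temppath2 needs
    cmp ebx,256
    ja getnextfile                                  ; path too long for the buffers: skip this subtree
    inc folderdepth
    invoke wsprintf,addr temppath1,addr format1,addr temppath1,addr fileinfo.cFileName   ; dir\sub
    invoke getupdir,addr temppath2,addr temppath2                                      ; strip "\*.*"
    invoke wsprintf,addr temppath2,addr format2,addr temppath2,addr fileinfo.cFileName ; dir\sub\*.*
    jmp goon
gotoupfolder:                                       ; back to the parent; its handle is still open at depth-1
    dec folderdepth
    invoke getupdir,addr temppath1,addr temppath1
    invoke getupdir,addr temppath2,addr temppath2   ; strip "\*.*" ...
    invoke getupdir,addr temppath2,addr temppath2   ; ... and "\sub"
    lea eax,tpf
    invoke lstrcat,addr temppath2,eax               ; re-append "\*.*"
    jmp getnextfile
searchalldisk endp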
;-----------------------------------------------------------------------
; getupdir(stringpath, to) - to = stringpath with its last '\' component
; removed ("c:\a\b" -> "c:\a", "c:\*.*" -> "c:"). Works in place when
; to == stringpath; otherwise stringpath is restored after the copy.
; Register use (all restored by pushad/popad): edi scans; eax = 0 for the
; forward scan, al = '\' for the backward scan while ah stays 0 and is
; the byte stored as the temporary terminator.
; NOTE(review): the backward scan is unbounded (ecx = -1) and begins on
;   the byte after the terminator, so a string without any '\' walks off
;   the front of its buffer; every caller in this file passes paths that
;   contain one.
;-----------------------------------------------------------------------
getupdir proc stringpath:dword,to:dword
pushad
mov edi,stringpath
xor ecx,ecx
dec ecx
push ecx
xor eax,eax
repnz scasb                     ; edi -> one past the NUL
pop ecx                         ; ecx = -1 again
mov al,'\'
std                             ; scan backwards ...
repnz scasb                     ; ... to the last '\'; edi ends one byte before it
cld
inc edi                         ; edi -> that '\'
mov [edi],ah                    ; terminate there (ah == 0)
push edi
invoke lstrcpy,to,stringpath
pop edi
mov eax,stringpath
cmp eax,to
jz @f                           ; in-place call: leave the shortened string
mov byte ptr [edi],'\'          ; otherwise put the source back as it was
@@:
popad
ret
getupdir endp
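;-----------------------------------------------------------------------
; dumporiginalfile(path) - searchalldisk callback for every *.exe.
; Maps the file read/write (mapfile), validates it with checkpe, then
; scans from its PE header for a second "MZ" that checkpe also accepts.
; If one is found, the bytes from there to EOF are treated as the original
; host program: they are moved to offset 0 inside the mapping, the view is
; unmapped (which writes it back) and the file is truncated to that
; length. Bumps totalfile for every call and infectedfile on a rewrite.
; All registers preserved; no return value.
; Change vs. the previous revision: the rewrite used an uninitialised
; local (memsite) as the copy source and tried DeleteFile/re-create while
; the file handle was still open; the data is now written back through
; the mapping and the file is cut with SetFilePointer + SetEndOfFile.
; NOTE(review): "any embedded MZ/PE after the first one" is the whole
;   infection heuristic. Clean self-extracting installers and other
;   programs that carry an executable payload match it too and would be
;   cut down to that payload - keep backups before running this tool.
;-----------------------------------------------------------------------
dumporiginalfile proc path:dword
    LOCAL mapsite:dword,hfile:dword,hmap:dword,fileend:dword
    inc totalfile
    pushad
    invoke wconsole,path
    invoke wconsole,offset msg15
    invoke mapfile,path,0                           ; eax=view ecx=hfile edx=hmap ebx=size
    jecxz openfail                                  ; ecx == 0: could not open/map
    mov mapsite,eax
    mov hfile,ecx
    mov hmap,edx
    dec ebx
    dec ebx
    mov fileend,ebx
    add fileend,eax                                 ; fileend = view + size - 2 (last address a word can be read from)
    invoke checkpe,eax
    or eax,eax
    jz wrongpe
lookforpe:                                          ; eax walks the view looking for an embedded "MZ"
    cmp eax,fileend
    jae notinfected
    cmp word ptr [eax],'ZM'
    jz dumpit
    inc eax
    jmp lookforpe
notinfected:
    invoke unmapfile,mapsite,hfile,hmap
    invoke CloseHandle,hfile
    invoke wconsole,offset msg16
    invoke wconsole,offset msg0
    popad
    ret
openfail:
    invoke wconsole,offset msg12
    invoke wconsole,offset msg0
    popad
    ret
dumpit:
    push eax
    invoke checkpe,eax                              ; only an "MZ" that leads to a "PE" signature counts
    or eax,eax
    pop eax                                         ; pop leaves the flags alone
    jnz dumpnow
    inc eax
    jmp lookforpe
dumpnow:                                            ; eax = start of the embedded host
    inc infectedfile
    invoke wconsole,offset msg11
    sub fileend,eax
    add fileend,2                                   ; fileend = host length = (view + size) - eax
    xchg eax,esi                                    ; esi = source (embedded host)
    mov edi,mapsite                                 ; edi = destination (start of file)
    mov ecx,fileend
    rep movsb                                       ; forward move; source is above destination, so the overlap is safe
    invoke unmapfile,mapsite,hfile,hmap             ; unmapping writes the dirty pages back to the file
    invoke SetFilePointer,hfile,fileend,0,FILE_BEGIN
    inc eax                                         ; INVALID_SET_FILE_POINTER (-1) -> 0
    jz createfail
    invoke SetEndOfFile,hfile                       ; drop the worm body that followed the host
    or eax,eax
    jz createfail
    invoke CloseHandle,hfile
    invoke wconsole,offset msg6
    invoke wconsole,offset msg0
    popad
    ret
createfail:                                         ; truncation failed; msg14 is the closest existing message
    invoke CloseHandle,hfile
    invoke wconsole,offset msg14
    invoke wconsole,offset msg0
    popad
    ret
wrongpe:
    invoke wconsole,offset msg13
    invoke wconsole,offset msg0
    invoke unmapfile,mapsite,hfile,hmap
    invoke CloseHandle,hfile
    popad
    ret
dumporiginalfile endp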
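;-----------------------------------------------------------------------
; checkpe(site) -> eax = address of the "PE\0\0" signature reached from
; site, or 0 when site does not start a readable DOS header whose
; e_lfanew points at a readable PE signature.
; Readability is probed with IsBadReadPtr before every dereference, since
; site may be any byte of a mapped file (see the scan in dumporiginalfile).
; Change vs. the previous revision: the first probe covered only 2 bytes
; although e_lfanew at offset 3Ch is read, and only "PE" (2 bytes) was
; compared; the probes now cover the 40h-byte DOS header and the 4-byte
; signature, and all four signature bytes must match.
; NOTE(review): e_lfanew is not range-checked against the file size; a
;   large value that happens to land in another readable mapping passes.
; Clobbers only eax.
;-----------------------------------------------------------------------
checkpe proc site:dword
    LOCAL temp:dword
    pushad
    mov ecx,site
    pushad
    invoke IsBadReadPtr,ecx,040h                    ; whole IMAGE_DOS_HEADER, e_lfanew included
    or eax,eax
    popad                                           ; popad preserves the flags just set
    jnz wrongpe
    xchg eax,ecx                                    ; eax = site
    cmp word ptr [eax],'ZM'                         ; "MZ"
    jnz wrongpe
    mov ecx,[eax+03ch]                              ; e_lfanew
    lea ecx,[eax+ecx]
    pushad
    invoke IsBadReadPtr,ecx,4                       ; full signature
    or eax,eax
    popad
    jnz wrongpe
    cmp dword ptr [ecx],'EP'                        ; "PE",0,0
    jnz wrongpe
    mov temp,ecx
    popad
    mov eax,temp
    ret
wrongpe:
    popad
    xor eax,eax
    ret
checkpe endp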
;-----------------------------------------------------------------------
; unmapfile(mapsite, hfile, hmap) - release what mapfile set up, except
; the file handle: the view is unmapped and the mapping object closed,
; hfile is untouched (callers close it once they are done with the file).
; All registers preserved.
;-----------------------------------------------------------------------
unmapfile proc mapsite:dword,hfile:dword,hmap:dword
    pushad
    push mapsite
    call UnmapViewOfFile
    push hmap
    call CloseHandle
    popad
    ret
unmapfile endp
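;-----------------------------------------------------------------------
; wconsole(buffer) - write the NUL-terminated string at buffer followed by
; CRLF to the console handle in hcw. All registers preserved.
; Change vs. the previous revision: the string was first copied into a
; 256-byte local and CRLF appended to it, so a 254+ character line (a long
; path from searchalldisk) overran the frame; the text and the CRLF are now
; written with two WriteConsole calls and no intermediate copy, and
; lpNumberOfCharsWritten gets a real pointer.
;-----------------------------------------------------------------------
wconsole proc buffer:dword
    LOCAL crlf:dword,written:dword
    mov crlf,0a0dh                                  ; bytes 0Dh,0Ah,0,0 = "\r\n"
    pushad
    invoke lstrlen,buffer
    invoke WriteConsole,hcw,buffer,eax,addr written,0
    invoke WriteConsole,hcw,addr crlf,2,addr written,0
    popad
    ret
wconsole endp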
;-----------------------------------------------------------------------
; showmsg(msg) - modal message box with msg as both text and caption and
; no owner window. Has no PROTO, so main reaches it with push/call.
; Returns whatever MessageBox returns in eax.
;-----------------------------------------------------------------------
showmsg proc msg:dword
    invoke MessageBox,NULL,msg,msg,MB_OK
    ret
showmsg endp
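;-----------------------------------------------------------------------
; openreg(hkey, subkey) - open hkey\subkey into the global hsubkey.
; Returns eax = RegOpenKeyEx result (ERROR_SUCCESS = 0). On failure
; hsubkey keeps its previous, already closed, value, so callers must test
; eax before using it.
; Change vs. the previous revision: the key is opened with KEY_SET_VALUE,
; which is all RegSetValueEx / RegDeleteValue need, instead of
; KEY_ALL_ACCESS; the broader mask only made the open fail on keys whose
; ACL does not grant every right.
;-----------------------------------------------------------------------
openreg proc hkey:dword,subkey:dword
    invoke RegOpenKeyEx,hkey,subkey,0,KEY_SET_VALUE,offset hsubkey
    ret
openreg endp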
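;-----------------------------------------------------------------------
; writeregvalue(hkey, subkey, item, format, value)
; Sets item under hkey\subkey. format == REG_DWORD (`hex`): value points
; at a 4-byte dword. Any other format: value points at a NUL-terminated
; string and the size written is strlen + 1 (terminator included, as
; REG_SZ requires). All registers preserved; nothing returned.
; Change vs. the previous revision: openreg's result is checked, so a
; failed open no longer writes through the stale handle in hsubkey.
;-----------------------------------------------------------------------
writeregvalue proc hkey:dword,subkey:dword,item:dword,format:dword,value:dword
    pushad
    push subkey
    push hkey
    call openreg
    or eax,eax                                      ; ERROR_SUCCESS == 0; hsubkey is valid only then
    jnz done
    cmp format,REG_DWORD
    jnz @f
    push 4
    pop ecx                                         ; ecx = cbData for a dword
    jmp writeit
@@:
    xor eax,eax
    mov edi,value
    xor ecx,ecx
    dec ecx
    repnz scasb                                     ; ecx = -1 - (strlen + 1)
    not ecx                                         ; ecx = strlen + 1
writeit:
    push ecx
    push value
    push format
    push 0
    push item
    push hsubkey
    call RegSetValueEx
    push hsubkey
    call RegCloseKey
done:
    popad
    ret
writeregvalue endp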
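;-----------------------------------------------------------------------
; delregvalue(hkey, subkey, item) - RegDeleteValue(hkey\subkey, item).
; All registers preserved; nothing returned (a missing value is not an
; error worth reporting here).
; Change vs. the previous revision: openreg's result is checked, so a
; failed open no longer deletes through the stale handle in hsubkey.
;-----------------------------------------------------------------------
delregvalue proc hkey:dword,subkey:dword,item:dword
    pushad
    push subkey
    push hkey
    call openreg
    or eax,eax                                      ; ERROR_SUCCESS == 0; hsubkey is valid only then
    jnz done
    push item
    push hsubkey
    call RegDeleteValue
    push hsubkey
    call RegCloseKey
done:
    popad
    ret
delregvalue endp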
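;-----------------------------------------------------------------------
; mapfile(filename, addsize) - open filename read/write and map it whole,
; grown by addsize bytes (OPEN_ALWAYS: a missing file is created empty,
; which dumporiginalfile's earlier re-create path relied on).
; Out: eax = view address, ecx = file handle, edx = mapping handle,
;      ebx = mapped size (file size + addsize).
;      On any failure ecx = 0 and every handle opened so far is closed.
; The attributes are reset to NORMAL first so hidden/read-only worm files
; can be opened for writing. esi/edi are preserved on every path.
; Changes vs. the previous revision: the CreateFile failure path returned
; without popping esi/edi; GetFileSize, CreateFileMapping (fails on a
; zero-length file) and MapViewOfFile were not checked, so callers could
; receive a 0 view with a non-zero ecx.
;-----------------------------------------------------------------------
mapfile proc filename:dword,addsize:dword
    LOCAL hfilex:dword,hmapx:dword,filesizex:dword
    push edi
    push esi
    invoke SetFileAttributes,filename,FILE_ATTRIBUTE_NORMAL
    invoke CreateFile,filename,GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ,0,\
                      OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
    inc eax                                         ; INVALID_HANDLE_VALUE (-1) -> 0
    jz fail
    dec eax
    mov hfilex,eax
    invoke GetFileSize,eax,0
    inc eax                                         ; INVALID_FILE_SIZE (-1) -> 0
    jz closefile
    dec eax
    add eax,addsize
    mov filesizex,eax
    invoke CreateFileMapping,hfilex,0,PAGE_READWRITE,0,eax,0
    or eax,eax                                      ; 0 on failure
    jz closefile
    mov hmapx,eax
    invoke MapViewOfFile,eax,FILE_MAP_ALL_ACCESS,0,0,filesizex
    or eax,eax
    jz closemap
    mov ecx,hfilex
    mov edx,hmapx
    mov ebx,filesizex
    pop esi
    pop edi
    ret
closemap:
    invoke CloseHandle,hmapx
closefile:
    invoke CloseHandle,hfilex
fail:
    xor ecx,ecx
    pop esi
    pop edi
    ret
mapfile endp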
;-----------------------------------------------------------------------
; injectprocess(processlist, numberofprocess)
; Enumerates running processes with Toolhelp; for each whose image name
; is in processlist (lookupprocess), writes the path "<this exe's
; directory>\antivd.dll" into the target and starts a remote thread on
; LoadLibraryA with it - the classic remote-thread DLL load. AV/EDR
; products detect exactly this sequence (OpenProcess with
; PROCESS_ALL_ACCESS, VirtualAllocEx RWX, WriteProcessMemory,
; CreateRemoteThread), so expect this tool to be flagged.
; All registers preserved; nothing returned.
; NOTE(review): numberofprocess is never read; the global filenumber is
;   passed to lookupprocess instead.
; NOTE(review): hshot, hp and the thread handle from CreateRemoteThread are
;   never closed, and none of OpenProcess / VirtualAllocEx /
;   WriteProcessMemory / CreateRemoteThread is checked for failure (hp or
;   memsite may be 0 when the next call is made).
; NOTE(review): the `mov eax,01000h ... div bl` fragment computes nothing
;   that is used. eax is loaded before `call Sleep`, which may clobber it,
;   so the dividend is whatever Sleep left in ax; a quotient above 0FFh
;   raises #DE (divide error) on x86. Confirm whether this is a leftover
;   and remove it.
; NOTE(review): the LoadLibraryA address is read from this module's own
;   import thunk (assumes the 6-byte `jmp dword ptr [iat]` form) and used
;   as-is in the target, which only works while kernel32 is mapped at the
;   same base in both processes.
;-----------------------------------------------------------------------
injectprocess proc processlist:dword,numberofprocess:dword
LOCAL hshot:dword,pst:PROCESSENTRY32,hp:dword,memsite:dword,temppath[256]:byte
pushad
start:
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov hshot,eax
mov pst.dwSize,sizeof pst
invoke Process32First,hshot,addr pst
or eax,eax
jz quit
invoke lookupprocess,processlist,addr pst.szExeFile,filenumber   ; eax = 1 when the name is listed
or eax,eax
jz findnext
jmp injectit
findnext:
mov pst.dwSize,sizeof pst
invoke Process32Next,hshot,addr pst
or eax,eax
jz quit                         ; enumeration finished (snapshot handle not closed)
invoke lookupprocess,processlist,addr pst.szExeFile,filenumber
or eax,eax
jz findnext
jmp injectit
quit:
popad
ret
injectit:
mov eax,01000h                  ; see NOTE(review) in the header: result unused, may fault
mov bl,010h
cdq
push 0
call Sleep                      ; Sleep(0) - yield; eax is undefined afterwards
div bl
invoke GetModuleHandle,0
xchg eax,ecx
invoke GetModuleFileName,ecx,addr temppath,256   ; temppath = full path of this executable
invoke getupdir,addr temppath,addr temppath      ; ... its directory
invoke lstrcat,addr temppath,offset format4      ; ... + "\antivd.dll"
invoke OpenProcess,PROCESS_ALL_ACCESS,0,pst.th32ProcessID
mov hp,eax
invoke VirtualAllocEx,hp,0,4096,MEM_COMMIT,PAGE_EXECUTE_READWRITE   ; holds only the path string
mov memsite,eax
xchg eax,ecx
invoke WriteProcessMemory,hp,ecx,addr temppath,256,0
mov eax,LoadLibrary             ; address of the import thunk in this module
inc eax
inc eax                         ; skip the 2-byte opcode of `jmp dword ptr [...]`
mov eax,[eax]                   ; -> IAT slot
mov eax,[eax]                   ; -> LoadLibraryA
invoke CreateRemoteThread,hp,0,0,eax,memsite,0,0   ; LoadLibraryA(memsite) in the target; thread handle dropped
jmp findnext
injectprocess endp
;-----------------------------------------------------------------------
; lookupprocess(processlist, pstname, numberofprocess)
; processlist is an array of numberofprocess string pointers. Returns
; eax = 1 if pstname equals one of them (case-insensitive lstrcmpi),
; else 0. Other registers preserved. numberofprocess must be > 0: with 0
; the counter wraps and the scan runs past the table until it matches.
;-----------------------------------------------------------------------
lookupprocess proc processlist:dword,pstname:dword,numberofprocess:dword
    pushad
    mov esi,processlist                             ; esi = table base
    mov ebx,numberofprocess                         ; ebx = entries left
    xor edx,edx                                     ; edx = index
nextname:
    mov edi,[esi+edx*4]
    pushad
    invoke lstrcmpi,edi,pstname
    or eax,eax
    popad                                           ; flags from the compare survive popad
    jz found
    inc edx
    dec ebx
    jnz nextname
    popad
    xor eax,eax
    ret
found:
    popad
    mov eax,1
    ret
lookupprocess endp
end main