Virus Tips
by whg (whg@whitecell.org) from www.whitecell.org
用汇编遍历Windows局域网共享目录,病毒传染技术之一
; Listing 1: walk the LAN "network neighbourhood" tree with the WNet API.
; Syntax: TASM-style (.model flat,stdcall; `call X,a,b,...` extended CALL;
; `[reg.member]` struct addressing; OFF/L/NULL come from wap32.inc).
; Every workgroup, host and share found is shown in a modal message box.
include wap32.inc ;equates + NETRESOURCEA layout (file reproduced below)
.386
.model flat,stdcall
.data
db 0 ;single dummy byte - presumably only keeps .data non-empty; nothing references it
.code
; Win32 imports. All are stdcall: the callee removes its arguments, which
; is what the stack handling in EnumNetObject relies on.
extrn WNetOpenEnumA: proc
extrn WNetEnumResourceA: proc
extrn WNetCloseEnum: proc
extrn MessageBoxA: proc
extrn ExitProcess: proc
; Entry point: run the whole walk, then terminate the process.
Start:
call EnumNetBoot
call ExitProcess,0
;-----------------------------------------------------------------------
; EnumNetBoot - root of the share walk.
; Starts at the top of the network tree (ebp = NULL, no parent
; NETRESOURCEA) and asks EnumNetObject to call EnumNetWorkGroup for every
; container it finds there.
; Register protocol (see EnumNetObject): eax = dwUsage filter,
;   ebx = callback address, ebp = parent NETRESOURCEA buffer.
; Preserves ebx and ebp; eax is left holding RESOURCEUSAGE_CONTAINER.
; NOTE(review): walking the whole tree queries every host it discovers;
;   expect this to be observable as a burst of network enumeration
;   originating from the running machine - confirm in a lab capture.
;-----------------------------------------------------------------------
EnumNetBoot proc ;enumerate from the network root
;//start enumerating network resources
push ebx
push ebp
mov ebp,NULL ;//no parent resource: start from the root of the network
mov eax,RESOURCEUSAGE_CONTAINER ;only containers (workgroups/domains) at this level
mov ebx,OFF EnumNetWorkGroup ;callback for each container found
call EnumNetObject
pop ebp
pop ebx
ret
EnumNetBoot endp
;-----------------------------------------------------------------------
; EnumNetWorkGroup - callback for each container under the root
; (a workgroup/domain, per the author's naming).
; In:   ebp -> NETRESOURCEA of this container (it becomes the parent of
;       the next level)
; Shows the container's name, then enumerates the containers inside it
; with EnumNetComputer as the callback.
; Preserves ebx; eax/ecx are clobbered (DisplayMsg, RESOURCEUSAGE_CONTAINER).
;-----------------------------------------------------------------------
EnumNetWorkGroup proc ;//enumerate workgroups
;ebp=parent resource buffer
push ebx
call DisplayMsg
mov eax,RESOURCEUSAGE_CONTAINER
mov ebx,OFF EnumNetComputer ;next level: the hosts in this container
call EnumNetObject
pop ebx
ret
EnumNetWorkGroup endp
;-----------------------------------------------------------------------
; EnumNetComputer - callback for each container inside a workgroup
; (a host, per the author's naming).
; In:   ebp -> NETRESOURCEA of this host (parent for the share level)
; Shows the host's name, then enumerates the containers below it with
; EnumNetComputerShareDir as the callback.
; Preserves ebx; eax/ecx are clobbered.
;-----------------------------------------------------------------------
EnumNetComputer proc ;//enumerate networked computers
;ebp=parent resource buffer
push ebx
call DisplayMsg
mov eax,RESOURCEUSAGE_CONTAINER
mov ebx,OFF EnumNetComputerShareDir ;next level: what this host exposes
call EnumNetObject
pop ebx
ret
EnumNetComputer endp
;-----------------------------------------------------------------------
; EnumNetComputerShareDir - callback for each host; lists its shares.
; In:   ebp -> NETRESOURCEA of the host
; Shows the host's name, then enumerates its CONNECTABLE resources (the
; disk shares, since EnumNetObject asks for RESOURCETYPE_DISK) and shows
; each one via DisplayMsg. This is the leaf level: DisplayMsg does not
; recurse, so the walk ends here.
; Preserves ebx; eax/ecx are clobbered.
;-----------------------------------------------------------------------
EnumNetComputerShareDir proc ;//enumerate a computer's shared directories
;ebp=parent resource buffer
push ebx
call DisplayMsg
mov eax,RESOURCEUSAGE_CONNECTABLE ;shares rather than containers
mov ebx,OFF DisplayMsg ;leaf callback: just show each share
call EnumNetObject
pop ebx
ret
EnumNetComputerShareDir endp
;-----------------------------------------------------------------------
; DisplayMsg - show one enumerated resource in a message box.
; In:   ebp -> NETRESOURCEA (set by EnumNetObject before each callback)
; Calls MessageBoxA(NULL, lpRemoteName, lpProvider, 0): the remote name
; is the text, the provider name the title. Blocks until the box is
; dismissed, so the walk pauses on every resource.
; Clobbers eax, ecx (and whatever MessageBoxA itself clobbers).
; NOTE(review): both pointers are taken from the buffer unchecked; a NULL
;   lpProvider or lpRemoteName goes straight to MessageBoxA.
;-----------------------------------------------------------------------
DisplayMsg proc ;//show the enumerated resource
mov eax,[ebp.lpRemoteName] ;text = remote name (e.g. the UNC name)
mov ecx,[ebp.lpProvider] ;title = network provider name
call MessageBoxA,NULL,eax,ecx,NULL
ret
DisplayMsg endp
;//用来列举局域网某种对象
;-----------------------------------------------------------------------
; EnumNetObject - enumerate one level of the network tree.
; Wraps WNetOpenEnumA / WNetEnumResourceA / WNetCloseEnum and calls a
; callback once per resource found.
; In:   eax = dwUsage filter (RESOURCEUSAGE_CONTAINER or _CONNECTABLE)
;       ebx = callback address; invoked with ebp -> the NETRESOURCEA just read
;       ebp = parent NETRESOURCEA, or NULL for the network root
; Out:  nothing; every register is restored by pushad/popad
; Stack: 100h bytes are carved from the stack as the NETRESOURCEA buffer
;       (the struct plus the strings its lp* members point to). Callbacks
;       may recurse into EnumNetObject; each level costs another 100h
;       plus the pushad image and temporaries.
; Error handling: a failed WNetOpenEnumA skips the loop entirely. Any
;       non-zero WNetEnumResourceA return ends the loop: end-of-list
;       (ERROR_NO_MORE_ITEMS) and a resource too large for 100h bytes
;       (ERROR_MORE_DATA) are not told apart, so an oversized entry
;       silently cuts the level short.
; Syntax: `call X,a,b,...` is the TASM extended CALL; operands are pushed
;       right-to-left, so `esp` as the last operand is pushed first and
;       points at whatever was on top of the stack before the call.
;-----------------------------------------------------------------------
EnumNetObject proc
;//eax = usage flags, ebx = callback invoked for each object found, ebp = parent resource buffer
pushad ;save everything; the API calls and callbacks may clobber freely
push eax ;slot that receives the enumeration handle (lphEnum = esp below)
call WNetOpenEnumA,RESOURCE_GLOBALNET,RESOURCETYPE_DISK,eax,ebp,esp ;(dwScope,dwType,dwUsage,lpNetResource,lphEnum)
pop esi ;//esi = hEnum; also removes the slot pushed above
or eax,eax ;NO_ERROR (0) on success
jnz short EnumNetObjectError ;open failed: nothing to close, straight to the epilogue
mov edi,100h ;//size of the stack buffer
sub esp,edi
mov ebp,esp ;//ebp -> 100h-byte buffer for one NETRESOURCEA (+ its strings)
LoopEnumNetObject:
push L 1h ;//lpcCount -> 1: fetch one entry per call
mov eax,esp ;eax = &count
push edi ;//lpBufferSize -> 100h (in/out; the updated value is discarded below)
call WNetEnumResourceA,esi,eax,ebp,esp ;(hEnum,lpcCount,lpBuffer,lpBufferSize)
pop ecx
pop ecx ;//drop the two temporaries (count, size)
or eax,eax ;0 = one resource now sits in [ebp]
jnz short EnumNetObjectOver ;any other code ends this level (see header)
call ebx ;//callback sees the resource through ebp
jmp short LoopEnumNetObject
EnumNetObjectOver:
call WNetCloseEnum,esi
add esp,edi ;release the stack buffer
EnumNetObjectError:
popad
ret
EnumNetObject endp
end Start
;//wap32.inc
; wap32.inc (listing 1) - equates and the NETRESOURCEA layout used above.
OFF equ offset ;shorthand: OFF x = offset x
L equ Large ;TASM size operator (32-bit operand), used for immediates
NULL equ L 0
MAX_PATH equ 260 ;not used by listing 1
; dwScope values for WNetOpenEnumA
RESOURCE_GLOBALNET equ 2h ;all resources on the network
RESOURCE_CONNECTED equ 1h ;currently connected resources (unused here)
; dwType values
RESOURCETYPE_DISK equ 1h
RESOURCETYPE_ANY equ 0h
; dwUsage values (filter for WNetOpenEnumA, also reported in NETRESOURCEA.dwUsage)
RESOURCEUSAGE_CONNECTABLE equ 1h ;can be connected to (a share)
RESOURCEUSAGE_CONTAINER equ 2h ;contains further resources
ERROR_NO_MORE_ITEMS equ 259 ;end-of-list code of WNetEnumResourceA; defined but never compared against - EnumNetObject stops on any non-zero return
; ANSI NETRESOURCE: 8 DWORDs = 20h bytes. The lp* members point to strings
; that the API places in the same caller-supplied buffer.
NETRESOURCEA STRUCT
dwScope DWORD ?
dwType DWORD ?
dwDisplayType DWORD ?
dwUsage DWORD ?
lpLocalName DWORD ?
lpRemoteName DWORD ? ;shown by DisplayMsg as the message text
lpComment DWORD ?
lpProvider DWORD ? ;shown by DisplayMsg as the title
NETRESOURCEA ENDS
为了使你的病毒更稳定,请使用结构化异常处理程序
; Listing 2: a frame-based SEH handler that reports the exception and
; resumes execution. Same TASM-style syntax as listing 1.
include wap32.inc ;equates, EXCEPTION_RECORD and CONTEXT layouts (file reproduced below)
; Win32 imports. _wsprintfA is cdecl (the caller must remove its
; arguments - MyExceptionProc does that by restoring esp); the other two
; are stdcall.
extrn _wsprintfA: proc
extrn MessageBoxA: proc
extrn ExitProcess: proc
.386
.model flat,stdcall
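.data
; Strings used by Start and MyExceptionProc. Msg01 is the _wsprintfA
; format: 39 conversions, filled from the values MyExceptionProc pushes
; (last conversion pushed first).
Msg00 db '异常处理信息...',0 ;title of the exception report box
Msg01 db '函数原形:',0dh,0ah
db 'Exception PROC uses ebx esi edi,pRecord,pFrame,pContext,pDispatch',0dh,0ah,0ah
db '详细资料...',0dh,0ah,0ah
db '异常处理程序返回地址= %8.8x',0dh,0ah,0ah
db '<参数1>pRecord= [%8.8x] 异常部分记录',0dh,0ah
db ' ExceptionCode= %8.8x ExceptionFlags= %8.8x ',0dh,0ah,0ah
db '<参数2>pFrame= [%8.8x] 一些指针,本程序不关心',0dh,0ah,0ah
db '<参数3>pContext=[%8.8x] 发生异常时候的常用寄存器值',0dh,0ah,0ah
db ' EAX= %8.8x EBX= %8.8x ECX= %8.8x EDX= %8.8x',0dh,0ah
db ' ESI= %8.8x EDI= %8.8x EBP= %8.8x ESP= %8.8x',0dh,0ah
db ' DS= %4.4x ES= %4.4x FS= %4.4x GS= %4.4x',0dh,0ah
db ' SS: ESP=%4.4x: %8.8x CS: EIP=%4.4x: %8.8x',0dh,0ah,0ah
db '<参数4>pDispatch= [%8.8x] X86机器未使用',0dh,0ah,0ah
db '发生异常的代码 CS:[EIP]',0dh,0ah,0ah
db '%8.8x %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x',0dh,0ah,0ah
db '发生异常的堆栈 SS:[ESP]',0dh,0ah,0ah
db '%8.8x %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x',0dh,0ah,0ah,0
Msg02 db '程序正常终止',0 ;"terminated normally" text shown after the handler resumed us
Msg03 db '应用程序提示',0 ;title for Msg02
; Output buffer for _wsprintfA. The Msg01 text above is already longer
; than the original 200h bytes, and every %8.8x expands by a further 3,
; so the formatted report (roughly 300h bytes) overran the buffer.
; wsprintfA never writes more than 1024 bytes including the terminator,
; so 400h is always enough.
MsgBuff db 400h dup(0)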
.code
; Entry point: push an EXCEPTION_REGISTRATION_RECORD (Next, Handler) onto
; the stack, make it the head of the SEH chain at fs:[0], raise a
; breakpoint exception, and - once MyExceptionProc has resumed us past
; it - report normal termination and exit.
Start:
mov eax,offset MyExceptionProc
push eax ;record.Handler
mov eax,fs:[0]
push eax ;record.Next = previous head of the chain
mov fs:[0],esp ;//link our record in as the new head of the SEH chain
CreateException:
int 3 ;//raise a breakpoint exception (EXCEPTION_BREAKPOINT)
;mov ds:[0],eax;//alternative: raise an access violation
;cli ;//alternative: raise a privileged-instruction exception
InstructionSize=$-OFF CreateException ;byte length of the instruction(s) after CreateException; MyExceptionProc adds it to Eip to skip them
call MessageBoxA,NULL,OFF Msg02,OFF Msg03,NULL
call ExitProcess,0 ;the SEH record is never unlinked - acceptable only because the process ends here
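;-----------------------------------------------------------------------
; MyExceptionProc - frame-based SEH handler installed by Start via fs:[0].
; C-equivalent: EXCEPTION_DISPOSITION handler(EXCEPTION_RECORD *pRecord,
;   void *pFrame, CONTEXT *pContext, void *pDispatch)
; Builds a report (handler return address, record, frame, context
; registers, 8 dwords at CS:EIP and 8 at SS:ESP) with _wsprintfA, shows
; it in a message box, then advances the saved Eip past the instruction(s)
; at CreateException and resumes execution.
; Returns: eax = ExceptionContinueExecution after the report, or
;          ExceptionContinueSearch when called for an unwind (a saved
;          context must never be resumed from an unwind pass).
; Stack: dump words are pushed last-conversion-first so _wsprintfA reads
;        them as varargs; edi keeps the pre-push esp because _wsprintfA
;        is cdecl and the caller must discard the arguments.
; Caveats: the 8-dword reads at Eip and Esp are unchecked and raise a
;        nested exception if either sits at the end of a mapped page; the
;        Eip adjustment (InstructionSize) is only right for the
;        instruction(s) at CreateException, not for an arbitrary fault.
; Fix:   both dump loops read the low word from [ebx+2] instead of
;        [ebx+7*4+2], pairing halves of two different dwords; corrected.
;-----------------------------------------------------------------------
MyExceptionProc proc uses ebx esi edi,pRecord,pFrame,pContext,pDispatch
mov eax,ExceptionContinueSearch
mov ebx,pRecord
test D [ebx.ExceptionFlags],UNWIND_STACK ;unwind pass? report nothing, let the unwinder continue
jnz ExceptionDone
mov edi,esp ;remember esp: _wsprintfA is cdecl, restored below
; 8 dwords at SS:[ESP], highest address first; each is byte-swapped so
; %8.8x prints the bytes in memory order
mov ebx,pContext
mov ebx,[ebx.cx_Esp]
mov ecx,8
LoopPushStack:
mov ax,[ebx+7*4]
xchg ah,al
shl eax,16
mov ax,[ebx+7*4+2] ;fixed: was [ebx+2]
xchg ah,al
push eax
sub ebx,4
loop LoopPushStack
; same for the 8 dwords at CS:[EIP]
mov ebx,pContext
mov ebx,[ebx.cx_Eip]
mov ecx,8
LoopPushCode:
mov ax,[ebx+7*4]
xchg ah,al
shl eax,16
mov ax,[ebx+7*4+2] ;fixed: was [ebx+2]
xchg ah,al
push eax
sub ebx,4
loop LoopPushCode
; remaining varargs, last conversion first: pDispatch, CS:EIP, SS:ESP,
; segment registers, integer registers, pContext, pFrame, record fields,
; pRecord, handler return address
mov ebx,pDispatch
push ebx
mov ebx,pContext
mov eax,[ebx.cx_Eip]
push eax
mov eax,[ebx.cx_SegCs]
and eax,0ffffh ;selectors are 16-bit: mask for %4.4x
push eax
mov eax,[ebx.cx_Esp]
push eax
mov eax,[ebx.cx_SegSs]
and eax,0ffffh
push eax
mov eax,[ebx.cx_SegGs]
and eax,0ffffh
push eax
mov eax,[ebx.cx_SegFs]
and eax,0ffffh
push eax
mov eax,[ebx.cx_SegEs]
and eax,0ffffh
push eax
mov eax,[ebx.cx_SegDs]
and eax,0ffffh
push eax
mov eax,[ebx.cx_Esp]
push eax
mov eax,[ebx.cx_Ebp]
push eax
mov eax,[ebx.cx_Edi]
push eax
mov eax,[ebx.cx_Esi]
push eax
mov eax,[ebx.cx_Edx]
push eax
mov eax,[ebx.cx_Ecx]
push eax
mov eax,[ebx.cx_Ebx]
push eax
mov eax,[ebx.cx_Eax]
push eax
push ebx ;pContext itself
mov ebx,pFrame
push ebx
mov ebx,pRecord
mov eax,[ebx.ExceptionFlags]
push eax
mov eax,[ebx.ExceptionCode]
push eax
push ebx ;pRecord
mov ebx,[ebp+4] ;our return address (into the dispatcher); ebp is the assembler-generated frame pointer
push ebx
call _wsprintfA,OFF MsgBuff,OFF Msg01
call MessageBoxA,NULL,OFF MsgBuff,OFF Msg00,NULL
mov esp,edi ;drop all varargs (cdecl: caller cleans up)
mov ebx,pContext
add [ebx.cx_Eip],InstructionSize ;resume after the instruction(s) at CreateException
mov eax,ExceptionContinueExecution
ExceptionDone:
ret
MyExceptionProc endp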
end Start
;//wap32.inc
; wap32.inc (listing 2) - operator shorthands
OFF equ offset ;OFF x = offset x
L equ Large ;TASM size operator (32-bit operand)
D equ dword ptr
W equ word ptr
B equ byte ptr
NULL equ L 0
; Win32 EXCEPTION_RECORD; MyExceptionProc reads ExceptionCode and ExceptionFlags
EXCEPTION_RECORD STRUCT
ExceptionCode DWORD ? ;one of the EXCEPTION_* codes below
ExceptionFlags DWORD ? ;EXCEPTION_NONCONTINUABLE / unwind bits (see UNWIND_STACK)
pExceptionRecord DWORD ? ;chained record for nested exceptions
ExceptionAddress DWORD ? ;where the exception was raised
NumberParameters DWORD ? ;valid entries in ExceptionInformation
ExceptionInformation DWORD 15 dup(?)
EXCEPTION_RECORD ENDS
; Win32 x86 CONTEXT. Byte offsets are given in the trailing comments
; (hex). MyExceptionProc reads the segment, integer and control members
; and writes cx_Eip.
CONTEXT STRUC
cx_ContextFlags DD ? ;00
;CONTEXT_DEBUG_REGISTERS
cx_Dr0 DD ? ;04
cx_Dr1 DD ? ;08
cx_Dr2 DD ? ;0C
cx_Dr3 DD ? ;10
cx_Dr6 DD ? ;14
cx_Dr7 DD ? ;18
;CONTEXT_FLOATING_POINT (FLOATING_SAVE_AREA, 1C..8B)
cx_ControlWord DD ?
cx_StatusWord DD ?
cx_TagWord DD ?
cx_ErrorOffset DD ?
cx_ErrorSelector DD ?
cx_DataOffset DD ?
cx_DataSelector DD ?
cx_RegisterArea DB 80 DUP (?) ;x87 register image, 8 x 10 bytes
cx_Cr0NpxState DD ?
;CONTEXT_SEGMENTS
cx_SegGs DD ? ;8C
cx_SegFs DD ? ;90
cx_SegEs DD ? ;94
cx_SegDs DD ? ;98
;CONTEXT_INTEGER
cx_Edi DD ? ;9C
cx_Esi DD ? ;A0
cx_Ebx DD ? ;A4
cx_Edx DD ? ;A8
cx_Ecx DD ? ;AC
cx_Eax DD ? ;B0
;CONTEXT_CONTROL
cx_Ebp DD ? ;B4
cx_Eip DD ? ;B8 - adjusted by MyExceptionProc before resuming
cx_SegCs DD ? ;BC
cx_EFlags DD ? ;C0
cx_Esp DD ? ;C4
cx_SegSs DD ? ;C8
CONTEXT ENDS
EXCEPTION_POINTERS STRUC ;parameter of a top-level exception filter; not used by listing 2
ExceptionRecord DD ? ;pointer to _EXCEPTION_RECORD
ContextRecord DD ? ;pointer to _CONTEXT
EXCEPTION_POINTERS ENDS
;---ExceptionFlags bits for TEST, AND or CMP instructions
EXCEPTION_CONTINUABLE EQU 000000000H
EXCEPTION_NONCONTINUABLE EQU 000000001H ;handler must not return ExceptionContinueExecution for these
UNWIND_STACK EQU 000000006H ;EXCEPTION_UNWINDING (2) or EXCEPTION_EXIT_UNWIND (4): the handler is being called for an unwind, not for a fault
;---ExceptionCodes for CMP instruction
EXCEPTION_WAIT_0 EQU 000000000H
EXCEPTION_ABANDONED_WAIT_0 EQU 000000080H
EXCEPTION_USER_APC EQU 0000000C0H
EXCEPTION_TIMEOUT EQU 000000102H
EXCEPTION_PENDING EQU 000000103H
EXCEPTION_SEGMENT_NOTIFICATION EQU 040000005H
EXCEPTION_GUARD_PAGE_VIOLATION EQU 080000001H
EXCEPTION_DATATYPE_MISALIGNMENT EQU 080000002H
EXCEPTION_BREAKPOINT EQU 080000003H ; exception 3 - what listing 2's int 3 raises
EXCEPTION_SINGLE_STEP EQU 080000004H ; exception 1
EXCEPTION_ACCESS_VIOLATION EQU 0C0000005H ; typically exception 13
EXCEPTION_IN_PAGE_ERROR EQU 0C0000006H
EXCEPTION_NO_MEMORY EQU 0C0000017H
EXCEPTION_ILLEGAL_INSTRUCTION EQU 0C000001DH
EXCEPTION_NONCONTINUABLE_EXCEPTION EQU 0C0000025H
EXCEPTION_INVALID_DISPOSITION EQU 0C0000026H
EXCEPTION_ARRAY_BOUNDS_EXCEEDED EQU 0C000008CH ; exception 5
EXCEPTION_FLOAT_DENORMAL_OPERAND EQU 0C000008DH
EXCEPTION_FLT_DENORMAL_OPERAND EQU 0C000008DH
EXCEPTION_FLOAT_DIVIDE_BY_ZERO EQU 0C000008EH
EXCEPTION_FLT_DIVIDE_BY_ZERO EQU 0C000008EH
EXCEPTION_FLOAT_INEXACT_RESULT EQU 0C000008FH
EXCEPTION_FLT_INEXACT_RESULT EQU 0C000008FH
EXCEPTION_FLOAT_INVALID_OPERATION EQU 0C0000090H
EXCEPTION_FLT_INVALID_OPERATION EQU 0C0000090H
EXCEPTION_FLOAT_OVERFLOW EQU 0C0000091H
EXCEPTION_FLT_OVERFLOW EQU 0C0000091H
EXCEPTION_FLOAT_STACK_CHECK EQU 0C0000092H
EXCEPTION_FLT_STACK_CHECK EQU 0C0000092H
EXCEPTION_FLOAT_UNDERFLOW EQU 0C0000093H
EXCEPTION_FLT_UNDERFLOW EQU 0C0000093H
EXCEPTION_INTEGER_DIVIDE_BY_ZERO EQU 0C0000094H ; exception 0
EXCEPTION_INT_DIVIDE_BY_ZERO EQU 0C0000094H
EXCEPTION_INTEGER_OVERFLOW EQU 0C0000095H ; exception 4
EXCEPTION_INT_OVERFLOW EQU 0C0000095H
EXCEPTION_PRIVILEGED_INSTRUCTION EQU 0C0000096H ; typically exception 13
EXCEPTION_PRIV_INSTRUCTION EQU 0C0000096H
EXCEPTION_STACK_OVERFLOW EQU 0C00000FDH
EXCEPTION_CONTROL_C_EXIT EQU 0C000013AH
;---return codes for an __except filter / top-level filter (EAX); not what a frame-based handler returns
EXCEPTION_CONTINUE_EXECUTION EQU -1
EXCEPTION_CONTINUE_SEARCH EQU 0
EXCEPTION_EXECUTE_HANDLER EQU 1
;---EXCEPTION_DISPOSITION: return codes for a frame-based handler linked via fs:[0], e.g. MyExceptionProc (EAX)
ExceptionContinueExecution EQU 0
ExceptionContinueSearch EQU 1
ExceptionNestedException EQU 2
ExceptionCollidedUnwind EQU 3