用汇编遍历Windows局域网共享目录,病毒传染技术之一

王朝system·作者佚名  2006-12-16

Virus Tips

by whg (whg@whitecell.org) from www.whitecell.org

用汇编遍历Windows局域网共享目录,病毒传染技术之一

; Syntax: TASM-style extended `call proc,args` (arguments pushed right to left),
; flat 32-bit Win32, stdcall API calls (callee cleans its arguments).
include wap32.inc                        ; equates and the NETRESOURCEA layout (listed after the program)
.386
.model flat,stdcall
.data
db 0                                     ; keeps the .data section non-empty; nothing reads it
.code
extrn WNetOpenEnumA: proc                ; begin enumerating one level of network resources
extrn WNetEnumResourceA: proc            ; fetch the next NETRESOURCEA entries into a caller buffer
extrn WNetCloseEnum: proc                ; release the enumeration handle
extrn MessageBoxA: proc
extrn ExitProcess: proc
; Entry point. Walks the network neighbourhood one level at a time
; (network root -> workgroups -> computers -> disk shares), showing each
; entry in a message box, then exits. No API status is checked here:
; EnumNetObject restores every register, so failures are invisible to Start.
Start:
call EnumNetBoot
call ExitProcess,0

;-----------------------------------------------------------------------
; EnumNetBoot - top of the share walk.
; Opens a WNet enumeration at the network root (parent resource = NULL) for
; container resources and hands every hit to EnumNetWorkGroup.
; In:    nothing
; Out:   nothing (EnumNetObject returns no status; its pushad/popad pair
;        restores every register)
; Clobb: flags only; ebx and ebp are saved around the call
;-----------------------------------------------------------------------
EnumNetBoot proc
        push    ebp
        push    ebx
        mov     ebx,OFF EnumNetWorkGroup        ; per-entry callback for this level
        mov     eax,RESOURCEUSAGE_CONTAINER     ; dwUsage filter for WNetOpenEnumA
        xor     ebp,ebp                         ; NULL parent resource = start at the root
        call    EnumNetObject
        pop     ebx
        pop     ebp
        ret
EnumNetBoot endp

;-----------------------------------------------------------------------
; EnumNetWorkGroup - callback for one workgroup entry.
; Shows the entry, then enumerates the container resources (computers)
; below it with EnumNetComputer as the next callback.
; In:    ebp -> NETRESOURCEA of the workgroup (buffer owned by the caller)
; Out:   nothing
; Clobb: eax, ecx, edx (DisplayMsg's API call); ebx is saved
;-----------------------------------------------------------------------
EnumNetWorkGroup proc
        push    ebx
        mov     ebx,OFF EnumNetComputer         ; next level: computers in this workgroup
        call    DisplayMsg                      ; show the workgroup entry at [ebp]; keeps ebx
        mov     eax,RESOURCEUSAGE_CONTAINER     ; set after DisplayMsg, whose API call clobbers eax
        call    EnumNetObject
        pop     ebx
        ret
EnumNetWorkGroup endp

;-----------------------------------------------------------------------
; EnumNetComputer - callback for one computer entry.
; Shows the entry, then enumerates the containers below the computer with
; EnumNetComputerShareDir as the next callback.
; In:    ebp -> NETRESOURCEA of the computer (buffer owned by the caller)
; Out:   nothing
; Clobb: eax, ecx, edx (DisplayMsg's API call); ebx is saved
;-----------------------------------------------------------------------
EnumNetComputer proc
        push    ebx
        mov     ebx,OFF EnumNetComputerShareDir ; next level: shares on this computer
        call    DisplayMsg                      ; show the computer entry at [ebp]; keeps ebx
        mov     eax,RESOURCEUSAGE_CONTAINER     ; set after DisplayMsg, whose API call clobbers eax
        call    EnumNetObject
        pop     ebx
        ret
EnumNetComputer endp

;-----------------------------------------------------------------------
; EnumNetComputerShareDir - callback for one share-container entry.
; Shows the entry, then enumerates the connectable resources (the shares
; themselves) below it; each share goes straight to DisplayMsg.
; In:    ebp -> NETRESOURCEA of the container (buffer owned by the caller)
; Out:   nothing
; Clobb: eax, ecx, edx (DisplayMsg's API call); ebx is saved
;-----------------------------------------------------------------------
EnumNetComputerShareDir proc
        push    ebx
        mov     ebx,OFF DisplayMsg              ; leaf level: just display each share
        call    DisplayMsg                      ; show the container entry at [ebp]; keeps ebx
        mov     eax,RESOURCEUSAGE_CONNECTABLE   ; set after DisplayMsg, whose API call clobbers eax
        call    EnumNetObject
        pop     ebx
        ret
EnumNetComputerShareDir endp

;-----------------------------------------------------------------------
; DisplayMsg - leaf callback: show one enumerated entry in a message box.
; In:    ebp -> NETRESOURCEA filled in by WNetEnumResourceA
; Out:   nothing. The box is modal, so the enumeration pauses until it is
;        closed.
; Clobb: eax, ecx, edx (volatile across the stdcall API call)
;-----------------------------------------------------------------------
DisplayMsg proc
        push    NULL                            ; uType: plain OK box
        push    dword ptr [ebp.lpProvider]      ; caption = provider name (NULL for some entries -- verify against the API)
        push    dword ptr [ebp.lpRemoteName]    ; text    = remote name of the entry
        push    NULL                            ; hWnd: no owner window
        call    MessageBoxA
        ret
DisplayMsg endp

;-----------------------------------------------------------------------
; EnumNetObject - enumerate one level of network resources and call back
; once per entry. Used recursively: each callback calls EnumNetObject again
; for the next level.
; In:    eax = dwUsage filter for WNetOpenEnumA (RESOURCEUSAGE_*)
;        ebx = callback; invoked with ebp -> NETRESOURCEA of the entry and
;              expected to preserve ebx, esi, edi, ebp
;        ebp = parent NETRESOURCEA* (NULL = network root)
; Out:   nothing. pushad/popad restore every register, so the caller cannot
;        see whether WNetOpenEnumA failed or how many entries were found.
; Stack: a 100h-byte receive buffer is carved below esp and ebp is pointed
;        at it, so ebp is NOT a frame pointer inside the callbacks.
;-----------------------------------------------------------------------
EnumNetObject proc
;//eax = resource-usage filter, ebx = callback invoked for each entry found, ebp = parent resource buffer
pushad
push eax ;//reserve a dword for the hEnum out-parameter; esp now points at it
call WNetOpenEnumA,RESOURCE_GLOBALNET,RESOURCETYPE_DISK,eax,ebp,esp
pop esi ;//esi = hEnum and the out-slot is removed; esi is meaningless if the call failed
or eax,eax
jnz short EnumNetObjectError ;//nonzero = WNet error code; nothing was opened, so nothing to close
mov edi,100h ;//buffer size; also the value handed to WNetEnumResourceA as *lpBufferSize
sub esp,edi
mov ebp,esp ;//ebp = NETRESOURCEA receive buffer on the stack (strings follow the struct inside it)
LoopEnumNetObject:
push L 1h ;//lpcCount = 1: fetch one entry per call (the API may update this count -- verify)
mov eax,esp ;//eax = &count
push edi ;//*lpBufferSize = 100h; the API writes at most this many bytes into [ebp]
call WNetEnumResourceA,esi,eax,ebp,esp ;//WNetEnumResourceA(hEnum, &count, buffer, &size)
pop ecx
pop ecx ;//drop the two temporaries (count and size)
or eax,eax
jnz short EnumNetObjectOver ;//any nonzero status ends the loop: ERROR_NO_MORE_ITEMS, but also a too-small-buffer status, so entries with long names end the walk of this level silently
call ebx ;//callback(ebp -> entry)
jmp short LoopEnumNetObject
EnumNetObjectOver:
call WNetCloseEnum,esi
add esp,edi ;//release the receive buffer
EnumNetObjectError:
popad
ret
EnumNetObject endp

end Start

;//wap32.inc -- equates and the NETRESOURCEA layout used by the share walker above
OFF equ offset
L equ Large ;//forces a 32-bit immediate operand (used as `push L 1h`)
NULL equ L 0
MAX_PATH equ 260
RESOURCE_GLOBALNET equ 2h ;//dwScope: all resources on the network
RESOURCE_CONNECTED equ 1h ;//dwScope: resources currently connected
RESOURCETYPE_DISK equ 1h ;//dwType: disk resources only
RESOURCETYPE_ANY equ 0h
RESOURCEUSAGE_CONNECTABLE equ 1h ;//dwUsage: a resource that can be connected to (a share)
RESOURCEUSAGE_CONTAINER equ 2h ;//dwUsage: a container that can itself be enumerated
ERROR_NO_MORE_ITEMS equ 259 ;//end-of-enumeration status; EnumNetObject does not compare against it, any nonzero status stops the loop
;//NETRESOURCEA: one enumeration entry as written by WNetEnumResourceA (ANSI).
;//The lp* members are pointers into the same caller-supplied buffer.
NETRESOURCEA STRUCT
dwScope DWORD ?
dwType DWORD ?
dwDisplayType DWORD ?
dwUsage DWORD ?
lpLocalName DWORD ?
lpRemoteName DWORD ? ;//remote name shown by DisplayMsg
lpComment DWORD ?
lpProvider DWORD ? ;//provider name used as the message-box caption
NETRESOURCEA ENDS

为了使你的病毒更稳定,请使用结构化异常处理程序

include wap32.inc                        ; EXCEPTION_RECORD / CONTEXT layouts and status equates (listed after the program)
extrn _wsprintfA: proc                   ; cdecl and variadic: the caller removes its arguments
extrn MessageBoxA: proc
extrn ExitProcess: proc
.386
.model flat,stdcall                      ; TASM-style `call proc,args` pushes right to left

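.data
Msg00 db '异常处理信息...',0 ; caption of the report box
; Msg01: _wsprintfA format string for the report. It contains 39 conversions
; (33 x %8.8x and 6 x %4.4x) that MyExceptionProc supplies by pushing them in
; reverse order. Counting the bytes of the literal below gives well over 512
; bytes before expansion (roughly 770 after it, with 2-byte CJK encoding).
Msg01 db '函数原形:',0dh,0ah
db 'Exception PROC uses ebx esi edi,pRecord,pFrame,pContext,pDispatch',0dh,0ah,0ah
db '详细资料...',0dh,0ah,0ah
db '异常处理程序返回地址= %8.8x',0dh,0ah,0ah
db '<参数1>pRecord= [%8.8x] 异常部分记录',0dh,0ah
db ' ExceptionCode= %8.8x ExceptionFlags= %8.8x ',0dh,0ah,0ah
db '<参数2>pFrame= [%8.8x] 一些指针,本程序不关心',0dh,0ah,0ah
db '<参数3>pContext=[%8.8x] 发生异常时候的常用寄存器值',0dh,0ah,0ah
db ' EAX= %8.8x EBX= %8.8x ECX= %8.8x EDX= %8.8x',0dh,0ah
db ' ESI= %8.8x EDI= %8.8x EBP= %8.8x ESP= %8.8x',0dh,0ah
db ' DS= %4.4x ES= %4.4x FS= %4.4x GS= %4.4x',0dh,0ah
db ' SS: ESP=%4.4x: %8.8x CS: EIP=%4.4x: %8.8x',0dh,0ah,0ah
db '<参数4>pDispatch= [%8.8x] X86机器未使用',0dh,0ah,0ah
db '发生异常的代码 CS:[EIP]',0dh,0ah,0ah
db '%8.8x %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x',0dh,0ah,0ah
db '发生异常的堆栈 SS:[ESP]',0dh,0ah,0ah
db '%8.8x %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x',0dh,0ah,0ah,0
Msg02 db '程序正常终止',0 ; text of the "normal termination" box shown by Start
Msg03 db '应用程序提示',0 ; its caption
; Output buffer for _wsprintfA. The original size was 200h (512 bytes): the
; expanded Msg01 does not fit, so the original overran MsgBuff, the last object
; in .data. _wsprintfA writes at most 1024 bytes, so 400h always holds the result.
MsgBuff db 400h dup(0)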

.code
; Entry point. Pushes an EXCEPTION_REGISTRATION record {Next, Handler} onto
; the stack, makes it the head of the frame-based SEH chain, raises a
; breakpoint exception on purpose, and -- once MyExceptionProc has resumed
; execution after it -- reports normal termination and exits.
Start:
mov eax,offset MyExceptionProc
push eax ;//EXCEPTION_REGISTRATION.Handler
mov eax,fs:[0]
push eax ;//EXCEPTION_REGISTRATION.Next = previous head of the chain
mov fs:[0],esp ;//hook the handler chain: the record lives on this stack frame and is never unlinked before ExitProcess
;//NOTE(review): images linked with SafeSEH only accept handlers listed in the
;//image's handler table, so this stack-registered handler is toolchain-dependent -- confirm for the target build
CreateException:
int 3 ;//raise a breakpoint exception
;mov ds:[0],eax;//(alternative) memory access violation
;cli ;//(alternative) privileged-instruction exception
InstructionSize=$-OFF CreateException ;//byte size of the one active instruction above; MyExceptionProc adds it to Eip to skip it
call MessageBoxA,NULL,OFF Msg02,OFF Msg03,NULL
call ExitProcess,0

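;-----------------------------------------------------------------------
; EXCEPTION_DISPOSITION MyExceptionProc(EXCEPTION_RECORD *pRecord, void *pFrame,
;                                       CONTEXT *pContext, void *pDispatch)
; Frame-based SEH handler registered by Start (fs:[0] -> {Next, Handler}).
; Formats pRecord and the saved register context into MsgBuff with _wsprintfA
; (Msg01 has 39 conversions, supplied by the pushes below in reverse order),
; shows the text, then moves pContext->Eip past the faulting instruction by
; InstructionSize and returns ExceptionContinueExecution so the dispatcher
; resumes there.
; Changes from the original listing:
;  - code/stack dumps: the low word of each dword was read from [ebx+2]
;    instead of [ebx+7*4+2], so every printed dword mixed two different
;    dwords and later iterations read below the saved ESP; both loops now
;    read a single dword;
;  - an unwind call (EXCEPTION_UNWINDING or EXCEPTION_EXIT_UNWIND set in
;    ExceptionFlags, both covered by the UNWIND_STACK mask) now returns
;    ExceptionContinueSearch immediately instead of showing a box and
;    "resuming".
; Notes:
;  - the dumps read 32 bytes at pContext->Esp and at pContext->Eip without
;    checking that those addresses are readable; an unreadable Eip or Esp
;    makes the handler itself fault;
;  - InstructionSize is the size of the instruction at CreateException only,
;    so the skip is meaningless for an exception raised anywhere else;
;  - MsgBuff must be large enough for the expanded Msg01 (see .data).
; In:    pRecord, pFrame, pContext, pDispatch on the stack (ebx/esi/edi are
;        saved by the uses list)
; Out:   eax = EXCEPTION_DISPOSITION
; Stack: every push below is discarded at once by `mov esp,edi`, because
;        _wsprintfA is cdecl and does not remove its arguments
;-----------------------------------------------------------------------
MyExceptionProc proc uses ebx esi edi,pRecord,pFrame,pContext,pDispatch
        mov     ebx,pRecord
        mov     eax,ExceptionContinueSearch             ; answer for the unwind case (mov keeps flags)
        test    dword ptr [ebx.ExceptionFlags],UNWIND_STACK
        jnz     ExceptionProcExit                       ; unwind notification: nothing to display, do not resume
        mov     edi,esp                                 ; esp to restore after the variadic call

; 8 dwords at the faulting ESP. Pushed from the highest address down so the
; first %8.8x prints the dword at [ESP]; each dword is byte-swapped so the
; hex digits appear in memory order.
        mov     ebx,pContext
        mov     ebx,[ebx.cx_Esp]
        mov     ecx,8
LoopPushStack:
        mov     ax,[ebx+7*4]                            ; bytes 0,1 of the dword
        xchg    ah,al
        shl     eax,16
        mov     ax,[ebx+7*4+2]                          ; bytes 2,3 of the same dword (was [ebx+2])
        xchg    ah,al
        push    eax
        sub     ebx,4
        loop    LoopPushStack

; 8 dwords at the faulting EIP, same layout
        mov     ebx,pContext
        mov     ebx,[ebx.cx_Eip]
        mov     ecx,8
LoopPushCode:
        mov     ax,[ebx+7*4]
        xchg    ah,al
        shl     eax,16
        mov     ax,[ebx+7*4+2]                          ; was [ebx+2]
        xchg    ah,al
        push    eax
        sub     ebx,4
        loop    LoopPushCode

; Remaining conversions of Msg01, pushed in reverse order
        mov     ebx,pDispatch
        push    ebx                                     ; <arg 4> pDispatch
        mov     ebx,pContext
        mov     eax,[ebx.cx_Eip]
        push    eax                                     ; CS:EIP
        mov     eax,[ebx.cx_SegCs]
        and     eax,0ffffh                              ; selectors are printed with %4.4x
        push    eax
        mov     eax,[ebx.cx_Esp]
        push    eax                                     ; SS:ESP
        mov     eax,[ebx.cx_SegSs]
        and     eax,0ffffh
        push    eax
        mov     eax,[ebx.cx_SegGs]
        and     eax,0ffffh
        push    eax                                     ; GS, FS, ES, DS
        mov     eax,[ebx.cx_SegFs]
        and     eax,0ffffh
        push    eax
        mov     eax,[ebx.cx_SegEs]
        and     eax,0ffffh
        push    eax
        mov     eax,[ebx.cx_SegDs]
        and     eax,0ffffh
        push    eax
        mov     eax,[ebx.cx_Esp]
        push    eax                                     ; ESP, EBP, EDI, ESI
        mov     eax,[ebx.cx_Ebp]
        push    eax
        mov     eax,[ebx.cx_Edi]
        push    eax
        mov     eax,[ebx.cx_Esi]
        push    eax
        mov     eax,[ebx.cx_Edx]
        push    eax                                     ; EDX, ECX, EBX, EAX
        mov     eax,[ebx.cx_Ecx]
        push    eax
        mov     eax,[ebx.cx_Ebx]
        push    eax
        mov     eax,[ebx.cx_Eax]
        push    eax
        push    ebx                                     ; <arg 3> pContext
        mov     ebx,pFrame
        push    ebx                                     ; <arg 2> pFrame
        mov     ebx,pRecord
        mov     eax,[ebx.ExceptionFlags]
        push    eax                                     ; ExceptionFlags
        mov     eax,[ebx.ExceptionCode]
        push    eax                                     ; ExceptionCode
        push    ebx                                     ; <arg 1> pRecord
        mov     ebx,[ebp+4]
        push    ebx                                     ; return address of this handler (into the dispatcher)
        call    _wsprintfA,OFF MsgBuff,OFF Msg01
        call    MessageBoxA,NULL,OFF MsgBuff,OFF Msg00,NULL
        mov     esp,edi                                 ; drop all pushed arguments at once
        mov     ebx,pContext
        add     [ebx.cx_Eip],InstructionSize            ; resume after the instruction at CreateException
        mov     eax,ExceptionContinueExecution
ExceptionProcExit:
        ret
MyExceptionProc endp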

end Start

;//wap32.inc

OFF equ offset
L equ Large ;//forces a 32-bit immediate operand
D equ dword ptr
W equ word ptr
B equ byte ptr
NULL equ L 0
;//EXCEPTION_RECORD: first argument of the handler. Only ExceptionCode and
;//ExceptionFlags are read by MyExceptionProc.
EXCEPTION_RECORD STRUCT
ExceptionCode DWORD ? ;//one of the EXCEPTION_* codes below
ExceptionFlags DWORD ? ;//EXCEPTION_NONCONTINUABLE and the unwind bits (see UNWIND_STACK)
pExceptionRecord DWORD ? ;//chained record for nested exceptions
ExceptionAddress DWORD ?
NumberParameters DWORD ?
ExceptionInformation DWORD 15 dup(?)
EXCEPTION_RECORD ENDS
;//CONTEXT: x86 register context saved at the exception, third argument of the
;//handler. The offsets in the comments are the byte offsets of each member;
;//this declaration stops at SegSs (0CCh bytes) -- the system structure
;//continues past that point, but the handler only reads the members listed here.
CONTEXT STRUC
cx_ContextFlags DD ?
;CONTEXT_DEBUG_REGISTERS
cx_Dr0 DD ? ;04
cx_Dr1 DD ? ;08
cx_Dr2 DD ? ;0C
cx_Dr3 DD ? ;10
cx_Dr6 DD ? ;14
cx_Dr7 DD ? ;18
;CONTEXT_FLOATING_POINT (FPU save area: 7 dwords + 80-byte register area + 1 dword)
cx_ControlWord DD ?
cx_StatusWord DD ?
cx_TagWord DD ?
cx_ErrorOffset DD ?
cx_ErrorSelector DD ?
cx_DataOffset DD ?
cx_DataSelector DD ?
cx_RegisterArea DB 80 DUP (?)
cx_Cr0NpxState DD ?
;CONTEXT_SEGMENTS (stored as dwords; MyExceptionProc masks them to 16 bits for display)
cx_SegGs DD ? ;8C
cx_SegFs DD ? ;90
cx_SegEs DD ? ;94
cx_SegDs DD ? ;98
;CONTEXT_INTEGER
cx_Edi DD ? ;9C
cx_Esi DD ? ;A0
cx_Ebx DD ? ;A4
cx_Edx DD ? ;A8
cx_Ecx DD ? ;AC
cx_Eax DD ? ;B0
;CONTEXT_CONTROL
cx_Ebp DD ? ;B4
cx_Eip DD ? ;B8 -- the handler adds InstructionSize here before resuming
cx_SegCs DD ? ;BC
cx_EFlags DD ? ;C0
cx_Esp DD ? ;C4 -- start of the 32-byte stack dump
cx_SegSs DD ? ;C8
CONTEXT ENDS
EXCEPTION_POINTERS STRUC ;parameter of top-level exception handler
ExceptionRecord DD ? ;pointer to _EXCEPTION_RECORD
ContextRecord DD ? ;pointer to _CONTEXT
EXCEPTION_POINTERS ENDS
;---ExceptionFlags for TEST, AND or CMP instructions
EXCEPTION_CONTINUABLE EQU 000000000H
EXCEPTION_NONCONTINUABLE EQU 000000001H ;//set: returning ExceptionContinueExecution is an error
UNWIND_STACK EQU 000000006H ;//mask of the two unwind bits (EXCEPTION_UNWINDING = 2, EXCEPTION_EXIT_UNWIND = 4); either set = the handler is being called for an unwind, not a fault
;---ExceptionCodes for CMP instruction
EXCEPTION_WAIT_0 EQU 000000000H
EXCEPTION_ABANDONED_WAIT_0 EQU 000000080H
EXCEPTION_USER_APC EQU 0000000C0H
EXCEPTION_TIMEOUT EQU 000000102H
EXCEPTION_PENDING EQU 000000103H
EXCEPTION_SEGMENT_NOTIFICATION EQU 040000005H
EXCEPTION_GUARD_PAGE_VIOLATION EQU 080000001H
EXCEPTION_DATATYPE_MISALIGNMENT EQU 080000002H
EXCEPTION_BREAKPOINT EQU 080000003H ; exception 3 -- what the `int 3` in Start raises
EXCEPTION_SINGLE_STEP EQU 080000004H ; exception 1
EXCEPTION_ACCESS_VIOLATION EQU 0C0000005H ; typically exception 13
EXCEPTION_IN_PAGE_ERROR EQU 0C0000006H
EXCEPTION_NO_MEMORY EQU 0C0000017H
EXCEPTION_ILLEGAL_INSTRUCTION EQU 0C000001DH
EXCEPTION_NONCONTINUABLE_EXCEPTION EQU 0C0000025H
EXCEPTION_INVALID_DISPOSITION EQU 0C0000026H
EXCEPTION_ARRAY_BOUNDS_EXCEEDED EQU 0C000008CH ; exception 5
EXCEPTION_FLOAT_DENORMAL_OPERAND EQU 0C000008DH
EXCEPTION_FLT_DENORMAL_OPERAND EQU 0C000008DH
EXCEPTION_FLOAT_DIVIDE_BY_ZERO EQU 0C000008EH
EXCEPTION_FLT_DIVIDE_BY_ZERO EQU 0C000008EH
EXCEPTION_FLOAT_INEXACT_RESULT EQU 0C000008FH
EXCEPTION_FLT_INEXACT_RESULT EQU 0C000008FH
EXCEPTION_FLOAT_INVALID_OPERATION EQU 0C0000090H
EXCEPTION_FLT_INVALID_OPERATION EQU 0C0000090H
EXCEPTION_FLOAT_OVERFLOW EQU 0C0000091H
EXCEPTION_FLT_OVERFLOW EQU 0C0000091H
EXCEPTION_FLOAT_STACK_CHECK EQU 0C0000092H
EXCEPTION_FLT_STACK_CHECK EQU 0C0000092H
EXCEPTION_FLOAT_UNDERFLOW EQU 0C0000093H
EXCEPTION_FLT_UNDERFLOW EQU 0C0000093H
EXCEPTION_INTEGER_DIVIDE_BY_ZERO EQU 0C0000094H ; exception 0
EXCEPTION_INT_DIVIDE_BY_ZERO EQU 0C0000094H
EXCEPTION_INTEGER_OVERFLOW EQU 0C0000095H ; exception 4
EXCEPTION_INT_OVERFLOW EQU 0C0000095H
EXCEPTION_PRIVILEGED_INSTRUCTION EQU 0C0000096H ; typically exception 13
EXCEPTION_PRIV_INSTRUCTION EQU 0C0000096H
EXCEPTION_STACK_OVERFLOW EQU 0C00000FDH
EXCEPTION_CONTROL_C_EXIT EQU 0C000013AH
;---return codes for top-level exception handler (EAX)
;//(filter results for SetUnhandledExceptionFilter-style filters, not for the frame handler above)
EXCEPTION_CONTINUE_EXECUTION EQU -1
EXCEPTION_CONTINUE_SEARCH EQU 0
EXCEPTION_EXECUTE_HANDLER EQU 1
;---return codes for try-except exception handler (EAX)
;//(EXCEPTION_DISPOSITION values: what a frame-based handler such as MyExceptionProc returns)
ExceptionContinueExecution EQU 0 ;//resume at pContext->Eip
ExceptionContinueSearch EQU 1 ;//pass to the next handler in the chain
ExceptionNestedException EQU 2
ExceptionCollidedUnwind EQU 3

 
 
 