用汇编遍历Windows局域网共享目录,病毒传染技术之一
by whg (whg@whitecell.org) from www.whitecell.org
用汇编遍历windows局域网共享目录,病毒传染技术之一
;// Program 1: walk the Windows network neighbourhood (root -> workgroup ->
;// computer -> share) with the MPR WNet* enumeration API and show every
;// entry in a message box. TASM, MASM-mode, Intel syntax, Win32 stdcall;
;// `call proc,a,b,c` is TASM's extended call (pushes right-to-left).
;// NOTE(review): every symbol on this page is lower-case, most likely from
;// the site's capture; the real import names are case-sensitive
;// (WNetOpenEnumA, WNetEnumResourceA, ...).
;// Defender note: this exact traversal over WNetOpenEnum/WNetEnumResource is
;// the share-discovery step of network-spreading malware; a process that is
;// not a file browser issuing it is a reasonable thing to alert on.
include wap32.inc ;// local include (listed below): equates and the netresourcea struct
.386
.model flat,stdcall
.data
db 0 ;// dummy byte: keeps .data non-empty, never referenced
.code
extrn wnetopenenuma: proc ;// mpr.dll WNetOpenEnumA(scope,type,usage,lpNetResource,lphEnum)
extrn wnetenumresourcea: proc ;// mpr.dll WNetEnumResourceA(hEnum,lpcCount,lpBuffer,lpBufferSize)
extrn wnetcloseenum: proc ;// mpr.dll WNetCloseEnum(hEnum)
extrn messageboxa: proc ;// user32 MessageBoxA
extrn exitprocess: proc ;// kernel32 ExitProcess
;// Entry point: run the walk, then terminate the process (never returns).
start:
call enumnetboot
call exitprocess,0
;-----------------------------------------------------------------------
; enumnetboot - start the walk at the root of the network
; In:    nothing
; Out:   nothing; ebx and ebp are preserved, eax/ecx/edx are clobbered
;        by the callees (Win32 API calls inside)
; Notes: each level of the walk (workgroup, computer, share) is installed
;        as the per-entry callback of enumnetobject for the level above.
;-----------------------------------------------------------------------
enumnetboot proc
        push    ebx
        push    ebp
        xor     ebp, ebp                        ; lpNetResource = NULL: enumerate from the root
        mov     ebx, offset enumnetworkgroup    ; callback for every container found
        mov     eax, resourceusage_container    ; RESOURCEUSAGE_CONTAINER: workgroups/domains only
        call    enumnetobject
        pop     ebp
        pop     ebx
        ret
enumnetboot endp
;-----------------------------------------------------------------------
; enumnetworkgroup - callback for one workgroup/domain entry
; In:    ebp = netresourcea* of the entry found by the level above
; Out:   nothing; ebx preserved, eax/ecx/edx clobbered by the calls
; Shows the entry, then enumerates the computers it contains with
; enumnetcomputer as the callback and this entry as the parent.
;-----------------------------------------------------------------------
enumnetworkgroup proc
        push    ebx
        call    displaymsg                      ; report this group
        mov     ebx, offset enumnetcomputer     ; per-computer callback
        mov     eax, resourceusage_container
        call    enumnetobject                   ; ebp (this entry) is the parent
        pop     ebx
        ret
enumnetworkgroup endp
;-----------------------------------------------------------------------
; enumnetcomputer - callback for one computer entry
; In:    ebp = netresourcea* of the computer found by enumnetworkgroup
; Out:   nothing; ebx preserved, eax/ecx/edx clobbered by the calls
; Shows the computer, then enumerates what it contains with
; enumnetcomputersharedir as the callback.
;-----------------------------------------------------------------------
enumnetcomputer proc
        push    ebx
        call    displaymsg                      ; report this computer
        mov     ebx, offset enumnetcomputersharedir
        mov     eax, resourceusage_container    ; still asking for containers
        call    enumnetobject                   ; ebp (this entry) is the parent
        pop     ebx
        ret
enumnetcomputer endp
;-----------------------------------------------------------------------
; enumnetcomputersharedir - callback for one entry below a computer
; In:    ebp = netresourcea* of the entry found by enumnetcomputer
; Out:   nothing; ebx preserved, eax/ecx/edx clobbered by the calls
; Shows the entry, then lists its connectable children (the shares);
; displaymsg itself is the callback, so each share is just displayed.
;-----------------------------------------------------------------------
enumnetcomputersharedir proc
        push    ebx
        call    displaymsg
        mov     ebx, offset displaymsg          ; leaf level: only display
        mov     eax, resourceusage_connectable  ; RESOURCEUSAGE_CONNECTABLE: shares
        call    enumnetobject
        pop     ebx
        ret
enumnetcomputersharedir endp
;-----------------------------------------------------------------------
; displaymsg - show one enumerated resource in a message box
; C:     MessageBoxA(NULL, res->lpRemoteName, res->lpProvider, 0)
; In:    ebp = netresourcea* (both string pointers are used unchecked;
;        the API documents them as possibly NULL - MessageBoxA tolerates
;        a NULL text/caption, so this only affects what is displayed)
; Out:   eax = MessageBoxA result; ecx/edx clobbered by the API
;-----------------------------------------------------------------------
displaymsg proc
        push    null                            ; uType = 0 (plain OK box)
        push    dword ptr [ebp.lpprovider]      ; caption = provider name
        push    dword ptr [ebp.lpremotename]    ; text = remote name
        push    null                            ; hWnd = NULL
        call    messageboxa                     ; stdcall: callee pops the 4 args
        ret
displaymsg endp
;// Generic walker: enumerate one level of network resources and call a
;// callback for every entry. Roughly:
;//   WNetOpenEnum(RESOURCE_GLOBALNET, RESOURCETYPE_DISK, eax, ebp, &h);
;//   while (WNetEnumResource(h, &count=1, buf, &size=100h) == 0) callback(buf);
;//   WNetCloseEnum(h);
;// In:    eax = dwUsage filter (resourceusage_*), ebx = callback address,
;//        ebp = parent netresourcea* (NULL = network root)
;// Out:   nothing; every register is restored by popad. The callback runs
;//        with ebp = the 100h-byte stack buffer holding the current entry
;//        (struct plus the strings WNetEnumResource places after it) and
;//        must preserve ebx/esi/edi/ebp.
;// Stack: 4 bytes for the enum handle, then 100h bytes of entry buffer;
;//        the walk recurses through the callbacks, one such frame per level.
enumnetobject proc
;// eax = resource usage flags, ebx = callback invoked for each object found, ebp = parent resource buffer
pushad
push eax ;// reserve the lphEnum slot; WNetOpenEnum overwrites it on success
call wnetopenenuma,resource_globalnet,resourcetype_disk,eax,ebp,esp ;// esp is pushed first, so it points at that slot
pop esi ;// esi = hEnum; the slot is gone
or eax,eax ;// 0 = NO_ERROR
jnz short enumnetobjecterror
mov edi,100h ;// edi = buffer size (256 bytes)
sub esp,edi
mov ebp,esp ;// ebp = entry buffer on the stack (what the callback receives)
loopenumnetobject:
push l 1h ;// lpcCount = 1 entry per call (in/out; the returned count is never read)
mov eax,esp ;// eax = &count
push edi ;// lpBufferSize = 100h (in/out)
call wnetenumresourcea,esi,eax,ebp,esp ;// esp pushed first = &lpBufferSize
pop ecx
pop ecx ;// drop the size and count slots
or eax,eax ;// NOTE(review): any non-zero return ends the loop, not just error_no_more_items (259); ERROR_MORE_DATA for an entry that does not fit in 100h bytes silently cuts the walk short
jnz short enumnetobjectover
call ebx ;// callback(ebp = current entry)
jmp short loopenumnetobject
enumnetobjectover:
call wnetcloseenum,esi
add esp,edi ;// release the entry buffer
enumnetobjecterror:
popad ;// restores ebp (and everything else) for the caller
ret
enumnetobject endp
end start
;//wap32.inc -- contents of the include used by program 1 (WNet constants and NETRESOURCEA)
off equ offset ;// shorthand used by the listing
l equ large ;// force 32-bit immediates
null equ l 0
max_path equ 260 ;// MAX_PATH (unused here)
resource_globalnet equ 2h ;// RESOURCE_GLOBALNET: all resources on the network
resource_connected equ 1h ;// RESOURCE_CONNECTED: only currently connected ones (unused here)
resourcetype_disk equ 1h ;// RESOURCETYPE_DISK
resourcetype_any equ 0h ;// RESOURCETYPE_ANY (unused here)
resourceusage_connectable equ 1h ;// RESOURCEUSAGE_CONNECTABLE: can be connected to (a share)
resourceusage_container equ 2h ;// RESOURCEUSAGE_CONTAINER: holds further resources
error_no_more_items equ 259 ;// ERROR_NO_MORE_ITEMS, the normal end of WNetEnumResource; defined but not tested by enumnetobject
;// 32-byte NETRESOURCEA. WNetEnumResource writes the struct at the start of
;// the caller's buffer and the strings the lp* fields point to after it,
;// so a single buffer (100h bytes in enumnetobject) must hold both.
netresourcea struct
dwscope dword ?
dwtype dword ?
dwdisplaytype dword ?
dwusage dword ?
lplocalname dword ?
lpremotename dword ?
lpcomment dword ?
lpprovider dword ?
netresourcea ends
为了使你的病毒更稳定,请使用结构化异常处理程序
;// Program 2: install a frame-based SEH handler by hand, trigger one
;// exception, dump the EXCEPTION_RECORD/CONTEXT it receives, resume.
;// TASM, MASM-mode, Intel syntax, Win32 stdcall.
include wap32.inc ;// second include (listed below): exception_record, context, disposition codes
extrn _wsprintfa: proc ;// user32 wsprintfA; cdecl (caller cleans the stack), output capped at 1024 bytes
extrn messageboxa: proc ;// user32 MessageBoxA
extrn exitprocess: proc ;// kernel32 ExitProcess
.386
.model flat,stdcall
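.data
;// NOTE(review): the string quotes seem to have been lost when this listing
;// was captured (`db 异常处理信息...,0` does not assemble as written); the
;// lines are kept as captured. `0dh,0ah` is CR/LF.
msg00 db 异常处理信息...,0 ;// caption: "exception handling information..."
msg01 db 函数原形:,0dh,0ah ;// wsprintf format: "prototype:"; expects 33 %8.8x + 6 %4.4x = 39 arguments
db exception proc uses ebx esi edi,precord,pframe,pcontext,pdispatch,0dh,0ah,0ah
db 详细资料...,0dh,0ah,0ah ;// "details..."
db 异常处理程序返回地址= %8.8x,0dh,0ah,0ah ;// "handler return address ="
db <参数1>precord= [%8.8x] 异常部分记录,0dh,0ah ;// "<arg 1> precord: exception record"
db exceptioncode= %8.8x exceptionflags= %8.8x ,0dh,0ah,0ah
db <参数2>pframe= [%8.8x] 一些指针,本程序不关心,0dh,0ah,0ah ;// "<arg 2> pframe: not used by this program"
db <参数3>pcontext=[%8.8x] 发生异常时候的常用寄存器值,0dh,0ah,0ah ;// "<arg 3> pcontext: register values at the exception"
db eax= %8.8x ebx= %8.8x ecx= %8.8x edx= %8.8x,0dh,0ah
db esi= %8.8x edi= %8.8x ebp= %8.8x esp= %8.8x,0dh,0ah
db ds= %4.4x es= %4.4x fs= %4.4x gs= %4.4x,0dh,0ah
db ss: esp=%4.4x: %8.8x cs: eip=%4.4x: %8.8x,0dh,0ah,0ah
db <参数4>pdispatch= [%8.8x] x86机器未使用,0dh,0ah,0ah ;// "<arg 4> pdispatch: unused on x86"
db 发生异常的代码 cs:[eip],0dh,0ah,0ah ;// "code at the exception cs:[eip]"
db %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x,0dh,0ah,0ah
db 发生异常的堆栈 ss:[esp],0dh,0ah,0ah ;// "stack at the exception ss:[esp]"
db %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x %8.8x,0dh,0ah,0ah,0
msg02 db 程序正常终止,0 ;// "program terminated normally"
msg03 db 应用程序提示,0 ;// "application notice"
;// wsprintf output buffer. It was 200h bytes, but the expanded msg01 text
;// (39 formatted values plus the literal text) is well over 512 bytes, so
;// wsprintf wrote past the end of .data. wsprintfA never produces more
;// than 1024 bytes, so 400h is always sufficient.
msgbuff db 400h dup(0)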
.code
;// Entry: build an EXCEPTION_REGISTRATION record (prev, handler) on the
;// stack, make it the head of the thread's SEH chain at fs:[0], raise one
;// exception, report normal termination, exit.
;// Defender note: a hand-linked stack record like this is precisely what
;// /SAFESEH handler tables and SEHOP chain validation were added to check;
;// an image built without a SafeSEH table gets no such check.
start:
mov eax,offset myexceptionproc
push eax ;// record.handler
mov eax,fs:[0]
push eax ;// record.prev = current chain head
mov fs:[0],esp ;// link the record into the exception handler chain (esp -> prev, handler)
createexception:
int 3 ;// raise EXCEPTION_BREAKPOINT; Windows reports cx_eip at the int 3 byte itself
;mov ds:[0],eax;// alternative: raise a memory access violation
;cli ;// alternative: privileged instruction exception
instructionsize=$-off createexception ;// byte length of the active test instruction above; the handler adds it to cx_eip to resume after it (uncomment exactly one)
call messageboxa,null,off msg02,off msg03,null
call exitprocess,0 ;// the record is never unlinked from fs:[0]; acceptable only because the process exits here
;-----------------------------------------------------------------------
; myexceptionproc - frame-based SEH handler
; C:     EXCEPTION_DISPOSITION handler(EXCEPTION_RECORD *precord,
;            void *pframe, CONTEXT *pcontext, void *pdispatch)
; `uses ebx esi edi` makes TASM emit push ebp / mov ebp,esp and save the
; three registers; precord=[ebp+8] pframe=[ebp+12] pcontext=[ebp+16]
; pdispatch=[ebp+20]; [ebp+4] is the return address into the dispatcher.
; Action: pushes 39 values (registers, segment selectors, 8 dwords of code
; at cx_eip, 8 dwords of stack at cx_esp) as wsprintf arguments into
; msgbuff, shows the text, then advances cx_eip by instructionsize and
; returns exceptioncontinueexecution (0) so execution resumes.
; NOTE(review): the two loops read about 32 bytes around cx_esp and cx_eip
; (including below them, see the loop notes) with no readability check;
; if the original fault came from a bad eip or esp, this handler faults as
; well (nested exception). It also assumes the faulting instruction is
; exactly instructionsize bytes long.
; NOTE(review): with .model stdcall the epilogue is `ret 16` although the
; OS prototype is cdecl; the ntdll dispatcher restores esp itself after
; calling a handler, so this is believed harmless - verify.
;-----------------------------------------------------------------------
myexceptionproc proc uses ebx esi edi,precord,pframe,pcontext,pdispatch
mov edi,esp ;// remember esp: everything pushed below is a wsprintf (cdecl) argument and is discarded in one go at the end
mov ebx,pcontext
mov ebx,[ebx.cx_esp] ;// ebx = esp at the time of the exception
mov ecx,8 ;// 8 dwords for the "ss:[esp]" line
looppushstack:
mov ax,[ebx+7*4] ;// high word: the word at [ebx+28]
xchg ah,al ;// byte-swap so %8.8x prints the bytes in memory order
shl eax,16
mov ax,[ebx+2] ;// NOTE(review): low word taken from [ebx+2], not [ebx+7*4+2]; the two halves come from different dwords and the last iterations read below cx_esp - looks like a transcription error, verify against the original
xchg ah,al
push eax
sub ebx,4 ;// walk downward so that, after all the pushes, the 8 values print in ascending address order
loop looppushstack
mov ebx,pcontext
mov ebx,[ebx.cx_eip] ;// ebx = address of the faulting instruction
mov ecx,8 ;// 8 dwords for the "cs:[eip]" line, same scheme as above
looppushcode:
mov ax,[ebx+7*4]
xchg ah,al
shl eax,16
mov ax,[ebx+2] ;// NOTE(review): same mismatched offset as in looppushstack
xchg ah,al
push eax
sub ebx,4
loop looppushcode
;// Remaining arguments, pushed in reverse of their order in msg01.
mov ebx,pdispatch
push ebx ;// "<arg 4> pdispatch"
mov ebx,pcontext
mov eax,[ebx.cx_eip]
push eax ;// eip
mov eax,[ebx.cx_segcs]
and eax,0ffffh ;// selectors are stored as dwords; keep the 16-bit value for %4.4x
push eax ;// cs
mov eax,[ebx.cx_esp]
push eax ;// esp (second copy, for the "ss: esp=" line)
mov eax,[ebx.cx_segss]
and eax,0ffffh
push eax ;// ss
mov eax,[ebx.cx_seggs]
and eax,0ffffh
push eax ;// gs
mov eax,[ebx.cx_segfs]
and eax,0ffffh
push eax ;// fs
mov eax,[ebx.cx_seges]
and eax,0ffffh
push eax ;// es
mov eax,[ebx.cx_segds]
and eax,0ffffh
push eax ;// ds
mov eax,[ebx.cx_esp]
push eax ;// esp
mov eax,[ebx.cx_ebp]
push eax ;// ebp
mov eax,[ebx.cx_edi]
push eax ;// edi
mov eax,[ebx.cx_esi]
push eax ;// esi
mov eax,[ebx.cx_edx]
push eax ;// edx
mov eax,[ebx.cx_ecx]
push eax ;// ecx
mov eax,[ebx.cx_ebx]
push eax ;// ebx
mov eax,[ebx.cx_eax]
push eax ;// eax
push ebx ;// "<arg 3> pcontext" (ebx still holds it)
mov ebx,pframe
push ebx ;// "<arg 2> pframe"
mov ebx,precord
mov eax,[ebx.exceptionflags]
push eax ;// exceptionflags
mov eax,[ebx.exceptioncode]
push eax ;// exceptioncode
push ebx ;// "<arg 1> precord"
mov ebx,[ebp+4]
push ebx ;// return address into the dispatcher ("handler return address")
call _wsprintfa,off msgbuff,off msg01 ;// cdecl: only these two are pushed by the extended call, the 37 above are the rest; nothing is cleaned by the callee
call messageboxa,null,off msgbuff,off msg00,null ;// stdcall, cleans its own 4 arguments
mov esp,edi ;// discard all wsprintf arguments at once
mov ebx,pcontext
add [ebx.cx_eip],instructionsize ;// resume after the instruction that raised the exception
mov eax,exceptioncontinueexecution ;// 0 = ExceptionContinueExecution
ret
myexceptionproc endp
end start
;//wap32.inc -- contents of the include used by program 2 (size aliases, SEH structures, status codes)
off equ offset
l equ large ;// force 32-bit immediates
d equ dword ptr
w equ word ptr
b equ byte ptr
null equ l 0
;// EXCEPTION_RECORD as passed in precord; the handler reads exceptioncode
;// and exceptionflags only.
exception_record struct
exceptioncode dword ?
exceptionflags dword ?
pexceptionrecord dword ? ;// chained record for nested exceptions
exceptionaddress dword ?
numberparameters dword ?
exceptioninformation dword 15 dup(?) ;// EXCEPTION_MAXIMUM_PARAMETERS = 15
exception_record ends
;// x86 CONTEXT as passed in pcontext, declared only up to SegSs (the Win32
;// structure continues past this point; nothing beyond it is read here).
;// Trailing comments give the byte offset of each field. The handler reads
;// the segment, integer and control groups and writes cx_eip.
context struc
cx_contextflags dd ?
;context_debug_registers
cx_dr0 dd ? ;04
cx_dr1 dd ? ;08
cx_dr2 dd ? ;0c
cx_dr3 dd ? ;10
cx_dr6 dd ? ;14
cx_dr7 dd ? ;18
;context_floating_point (x87 state, FLOATING_SAVE_AREA)
cx_controlword dd ?
cx_statusword dd ?
cx_tagword dd ?
cx_erroroffset dd ?
cx_errorselector dd ?
cx_dataoffset dd ?
cx_dataselector dd ?
cx_registerarea db 80 dup (?) ;// eight 10-byte x87 registers
cx_cr0npxstate dd ?
;context_segments (selectors stored as dwords; only the low 16 bits are meaningful)
cx_seggs dd ? ;8c
cx_segfs dd ? ;90
cx_seges dd ? ;94
cx_segds dd ? ;98
;context_integer
cx_edi dd ? ;9c
cx_esi dd ? ;a0
cx_ebx dd ? ;a4
cx_edx dd ? ;a8
cx_ecx dd ? ;ac
cx_eax dd ? ;b0
;context_control
cx_ebp dd ? ;b4
cx_eip dd ? ;b8 address of the faulting instruction; the handler advances it to resume
cx_segcs dd ? ;bc
cx_eflags dd ? ;c0
cx_esp dd ? ;c4
cx_segss dd ? ;c8
context ends
;// EXCEPTION_POINTERS: what a top-level filter (SetUnhandledExceptionFilter)
;// receives; not used by the frame-based handler in this program.
exception_pointers struc ;parameter of top-level exception handler
exceptionrecord dd ? ;pointer to _exception_record
contextrecord dd ? ;pointer to _context
exception_pointers ends
;---exceptionflags for test, and or cmp instructions
exception_continuable equ 000000000h
exception_noncontinuable equ 000000001h
unwind_stack equ 000000006h ; ? NOTE(review): looks like EXCEPTION_UNWINDING|EXCEPTION_EXIT_UNWIND (2|4) - verify
;---exceptioncodes for cmp instruction (NTSTATUS values; the first five are
;   wait/status results, not exception codes)
exception_wait_0 equ 000000000h
exception_abandoned_wait_0 equ 000000080h
exception_user_apc equ 0000000c0h
exception_timeout equ 000000102h
exception_pending equ 000000103h
exception_segment_notification equ 040000005h
exception_guard_page_violation equ 080000001h
exception_datatype_misalignment equ 080000002h
exception_breakpoint equ 080000003h ; exception 3 (what the int 3 in program 2 raises)
exception_single_step equ 080000004h ; exception 1
exception_access_violation equ 0c0000005h ; typically exception 13
exception_in_page_error equ 0c0000006h
exception_no_memory equ 0c0000017h
exception_illegal_instruction equ 0c000001dh
exception_noncontinuable_exception equ 0c0000025h
exception_invalid_disposition equ 0c0000026h
exception_array_bounds_exceeded equ 0c000008ch ; exception 5
exception_float_denormal_operand equ 0c000008dh
exception_flt_denormal_operand equ 0c000008dh
exception_float_divide_by_zero equ 0c000008eh
exception_flt_divide_by_zero equ 0c000008eh
exception_float_inexact_result equ 0c000008fh
exception_flt_inexact_result equ 0c000008fh
exception_float_invalid_operation equ 0c0000090h
exception_flt_invalid_operation equ 0c0000090h
exception_float_overflow equ 0c0000091h
exception_flt_overflow equ 0c0000091h
exception_float_stack_check equ 0c0000092h
exception_flt_stack_check equ 0c0000092h
exception_float_underflow equ 0c0000093h
exception_flt_underflow equ 0c0000093h
exception_integer_divide_by_zero equ 0c0000094h ; exception 0
exception_int_divide_by_zero equ 0c0000094h
exception_integer_overflow equ 0c0000095h ; exception 4
exception_int_overflow equ 0c0000095h
exception_privileged_instruction equ 0c0000096h ; typically exception 13 (the cli variant in program 2)
exception_priv_instruction equ 0c0000096h
exception_stack_overflow equ 0c00000fdh
exception_control_c_exit equ 0c000013ah
;---return codes for top-level exception handler (eax) - filters installed with SetUnhandledExceptionFilter
exception_continue_execution equ -1
exception_continue_search equ 0
exception_execute_handler equ 1
;---return codes for try-except exception handler (eax) - EXCEPTION_DISPOSITION, returned by frame-based (fs:[0]) handlers such as myexceptionproc
exceptioncontinueexecution equ 0
exceptioncontinuesearch equ 1
exceptionnestedexception equ 2
exceptioncollidedunwind equ 3
