FlyFar
Mar 2nd, 2023
NImp Overwriting Virus - Source Code
NImp is an overwriting virus written in C++. The name stands for "No import table": its executable has no import table at all. Instead of importing functions, the virus resolves every API it needs at run time by comparing hashes of export names, so a static look at the import directory reveals nothing about what it calls. For an analyst, an executable whose import directory is empty is itself a strong indicator that APIs are resolved dynamically.

The virus searches for files in the user profile. If a file is an executable, it is infected by overwriting it with the virus body; any other file is overwritten with a string. Because the original contents are not preserved, infected programs no longer work and every other file it touches is destroyed, so the net effect is that of a wiper rather than a parasitic infector.
How the virus works

1) The virus gets the address of the PEB (the Process Environment Block, reachable from the TEB at fs:[0x30] on x86 and gs:[0x60] on x64).

2) The virus reads the loader data (PEB_LDR_DATA) from the PEB and walks the module list to get the base addresses of kernel32.dll and ntdll.dll.

3) The virus resolves all needed functions by hashes: for each module it walks the export table, hashes every exported name and compares the result with the hashes hardcoded in its body, so no function name appears in the binary.

4) The virus searches for files in the user profile.

5) If a file is an executable, the virus infects it by overwriting it with the virus body. Otherwise, it overwrites the file with a string.

6) After all files have been processed, the virus calls RtlAdjustPrivilege to enable SeShutdownPrivilege and then calls NtRaiseHardError to crash the operating system (the shutdown response option of NtRaiseHardError requires that privilege and ends in a bugcheck, i.e. a blue screen).
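Step 3 is the part an analyst has to undo: the sample carries only hashes, so recovering what it calls means hashing the export names of the module it targets and matching. The following is an added example, not NImp's code, and it cannot walk a live PEB or export directory offline, so a small constructed export table stands in for ntdll's export names (the addresses are made up). The paste does not say which hash NImp uses; the example assumes ROR13, the rotate-right-by-13-and-add hash popularised by Metasploit shellcode, applied to the bare function name (Metasploit also folds in the module name, which is omitted here).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ROR13 over the bytes of a name: rotate the running hash right by 13, then add the byte.
   Assumed for this demo; the paste does not name NImp's actual hash function. */
uint32_t ror13_hash(const char *name) {
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = (h >> 13) | (h << 19);
        h += *p;
    }
    return h;
}

/* Stand-in for a module's export name table. In a real resolver the names and addresses
   come from the export directory (AddressOfNames / AddressOfNameOrdinals /
   AddressOfFunctions) of a module whose base was taken from the PEB loader list.
   These entries and addresses are constructed for the example. */
struct export_entry { const char *name; uint64_t address; };

static const struct export_entry ntdll_exports[] = {
    { "NtClose",            0x7ff800001000 },
    { "NtRaiseHardError",   0x7ff800002000 },
    { "RtlAdjustPrivilege", 0x7ff800003000 },
    { "NtCreateFile",       0x7ff800004000 },
};
#define NTDLL_EXPORT_COUNT (sizeof ntdll_exports / sizeof ntdll_exports[0])

/* Malware-side step: hash each exported name and return the address of the one whose
   hash equals the hardcoded value. Returns 0 if nothing matches. */
uint64_t resolve_by_hash(const struct export_entry *tbl, size_t n, uint32_t wanted) {
    for (size_t i = 0; i < n; i++)
        if (ror13_hash(tbl[i].name) == wanted) return tbl[i].address;
    return 0;
}

/* Analyst-side step: map a hash pulled out of the sample back to a name by hashing every
   known export of the module. Returns NULL if no export produces that hash. */
const char *name_for_hash(const struct export_entry *tbl, size_t n, uint32_t wanted) {
    for (size_t i = 0; i < n; i++)
        if (ror13_hash(tbl[i].name) == wanted) return tbl[i].name;
    return NULL;
}

/* Analyst-side helper: print the full hash -> name table for the module so the values
   can be searched for in the sample's data. Returns the number of entries printed. */
size_t print_hash_table(const struct export_entry *tbl, size_t n, FILE *out) {
    for (size_t i = 0; i < n; i++)
        fprintf(out, "0x%08x  %s\n", ror13_hash(tbl[i].name), tbl[i].name);
    return n;
}

int main(void) {
    /* A hash the sample would carry instead of the string (constructed from the name here). */
    uint32_t h = ror13_hash("NtRaiseHardError");
    const char *name = name_for_hash(ntdll_exports, NTDLL_EXPORT_COUNT, h);
    printf("hash 0x%08x -> address 0x%llx -> %s\n", h,
           (unsigned long long)resolve_by_hash(ntdll_exports, NTDLL_EXPORT_COUNT, h),
           name ? name : "(unknown)");
    puts("hash table for this module:");
    print_hash_table(ntdll_exports, NTDLL_EXPORT_COUNT, stdout);
    return 0;
}
```

To apply this to a real sample, replace the constructed table with the export names of the ntdll.dll and kernel32.dll builds you care about, generate the table, and search the binary for those 32-bit constants; if nothing matches, the hash function is not ROR13 and has to be lifted from the resolver loop itself.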