Com PE ?

Started by skywalker, May 15, 2007, 12:30:26 PM

skywalker

Someone just made this. I think it's a console program.
I am not sure what assembler could compile the source though.

:: makkillnp.bat Makes killnp.exe Written by Herbert Kleebauer
::
@echo off
:: (encoded echo lines that write killnp.com omitted)
killnp.com>killnp.exe
del killnp.com

; File Name   :   C:\Backup\killnp.exe
; Written by Herbert Kleebauer   7:19:20 AM Tuesday, May 15, 2007
; Format      :   Portable executable for   IBM PC (PE)
; Alignment   : 16 bytes ?
;
; Imports from KERNEL32.dll
;

      model flat

; Segment type:   Externs
; _idata
      extrn ExitProcess:dword   ; DATA XREF: .text:00401171r
      extrn CreateToolhelp32Snapshot:dword ; DATA XREF: .text:004010F6r
; BOOL __stdcall CloseHandle(HANDLE hObject)
      extrn CloseHandle:dword   ; DATA XREF: .text:00401152r
               ; .text:00401169r
      extrn Process32First:dword ; DATA XREF:   .text:00401111r
      extrn Process32Next:dword ; DATA XREF: .text:0040115Er
; HANDLE __stdcall OpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId)
      extrn OpenProcess:dword   ; DATA XREF: .text:0040113Er
; BOOL __stdcall TerminateProcess(HANDLE hProcess,UINT uExitCode)
      extrn TerminateProcess:dword ; DATA XREF: .text:0040114Cr

; Segment type:   Pure code
_text      segment   para public 'CODE' use32
      assume cs:_text
      ;org 401020h
      assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
      dd 1056h, 2 dup(0), 1048h, 1000h, 5 dup(0), 4E52454Bh
      dd 32334C45h, 6C6C642Eh, 10760000h, 10840000h, 10A00000h
      dd 10AE0000h, 10C00000h, 10D00000h, 10DE0000h, 2 dup(0)
      dd 74697845h, 636F7250h, 737365h, 72430000h, 65746165h
      dd 6C6F6F54h, 706C6568h, 6E533233h, 68737061h, 746Fh, 6C430000h
      dd 4865736Fh, 6C646E61h, 65h, 636F7250h, 33737365h, 72694632h
      dd 7473h, 72500000h, 7365636Fh,   4E323373h, 747865h, 704F0000h
      dd 72506E65h, 7365636Fh, 73h, 6D726554h, 74616E69h, 6F725065h
      dd 73736563h
      db 2 dup(0)

      public start
start:
      push   0
      push   2
      call   ds:CreateToolhelp32Snapshot
      mov   ebp, eax
      inc   eax
      jz   short loc_40116F
      mov   ds:dword_401190, 128h
      push   offset dword_401190
      push   eax
      call   ds:Process32First
      or   eax, eax
      jz   short loc_401168

loc_40111B:            ; CODE XREF: .text:00401166j
      mov   esi, offset dword_4011B4
      mov   edi, offset aNnootteeppaadd ; "NnOoTtEePpAaDd..EeXxEe"

loc_401125:            ; CODE XREF: .text:00401132j
      cmpsb
      jz   short loc_40112D
      dec   esi
      cmpsb
      jnz   short loc_401158
      dec   edi

loc_40112D:            ; CODE XREF: .text:00401126j
      inc   edi
      test   byte ptr [edi-1], 0FFh
      jnz   short loc_401125
      push   ds:dword_401198
      push   0
      push   1
      call   ds:OpenProcess
      or   eax, eax
      jz   short loc_401168
      push   eax
      push   0
      push   eax
      call   ds:TerminateProcess
      call   ds:CloseHandle

loc_401158:            ; CODE XREF: .text:0040112Aj
      push   offset dword_401190
      push   ebp
      call   ds:Process32Next
      or   eax, eax
      jnz   short loc_40111B

loc_401168:            ; CODE XREF: .text:00401119j
               ; .text:00401146j
      push   ebp
      call   ds:CloseHandle

loc_40116F:            ; CODE XREF: .text:004010FFj
      push   0
      call   ds:ExitProcess

aNnootteeppaadd   db 'NnOoTtEePpAaDd..EeXxEe',0 ; DATA XREF: .text:00401120o
      align 4
dword_401190   dd 0         ; DATA XREF: .text:00401101w
               ; .text:0040110Bo ...
      align 8
dword_401198   dd 0         ; DATA XREF: .text:00401134r
      dd 6 dup(0)
dword_4011B4   dd 13h dup(0)      ; DATA XREF: .text:0040111Bo
      dd 2Eh dup(?)
_text      ends


      end start

evlncrn8

another notepad killer.... why the hatred towards notepad? What did it do to you? ;p

looks suspicious though, especially the appending to the end of the exe, possible tag/signature i guess

nasm would probably compile it maybe

skywalker

Quote from: evlncrn8 on May 15, 2007, 12:47:55 PM
another notepad killer.... why the hatred towards notepad? What did it do to you? ;p

looks suspicious though, especially the appending to the end of the exe, possible tag/signature i guess

nasm would probably compile it maybe

No hatred towards notepad. Just an example that could be safely closed.
I just modified it to close bartshel.exe when it's not needed. That is an "evil" program. :-)

I disassembled one of them and I saw a string that said something like, "Cool that someone still codes in DOS"

Try to think more positive.


P1

That's not how I see this. It's a template for coding around sending .exe through e-mail that can be re-built later to do whatever the author wants using a DOS back door through a .bat file.

After it runs, it deletes the source. Hmm, I wonder why anyone would want that? :naughty:

You planning to write any code that needs this kind of software resources ???

BTW, Do you know how much we like writers of malware ???   

Regards,  P1   :8)

skywalker

Quote from: P1 on May 15, 2007, 02:29:59 PM
That's not how I see this. It's a template for coding around sending .exe through e-mail that can be re-built later to do whatever the author wants using a DOS back door through a .bat file.

After it runs, it deletes the source. Hmm, I wonder why anyone would want that? :naughty:

You planning to write any code that needs this kind of software resources ???

BTW, Do you know how much we like writers of malware ???   

Regards,  P1   :8)

The batch file deletes the com file which isn't needed.

I guess the author could have left that line out
and there would be a com file that wouldn't do as intended.

In a far reaching way, that may be considered
malware if someone accidentally ran it.


Tedd

the more understandable version..


[attachment deleted by admin]
No snowflake in an avalanche feels responsible.

skywalker

Thanks, always the gentleman and scholar.

Andy

Evenbit

Quote from: skywalker on May 15, 2007, 12:30:26 PM
.
.
.


You can stop with your retarded lies.  You are certainly *one* of the reasons this board has a reputation of being a massive FUD spreader.  The above listing is *NOT* the source -- it is a crappy disassembly.  Here is the source which Herbert posted at the alt.lang.asm newsgroup:

                                        ;      ..............................................       
                                        ;      :         Start of Code                      :
                                        ;      ..............................................

                                                label_block
                                                seg32

                                        winmain::

000002f2: 004010f2: 6a 00                       moveq.l #0,-(sp)        ; ignore th32ProcessID
000002f4: 004010f4: 6a 02                       moveq.l #2,-(sp)        ; TH32CS_SNAPPROCESS
000002f6: 004010f6: ff 15 00401004              jsr.l   (CreateToolhelp32Snapshot)
000002fc: 004010fc: 89 c5                       move.l  r0,r4           ; handle to Snapshot
000002fe: 004010fe: 40                          inc.l   r0              ; -1: error
000002ff: 004010ff: 74 6e                       beq.b   exit1

00000301: 00401101: c7 05 00401190
00000307: 00401107: 00000128                    move.l  #processentry32_size,processentry32+0
0000030b: 0040110b: 68 00401190                 move.l  #processentry32,-(sp)
00000310: 00401110: 50                          move.l  r0,-(sp)
00000311: 00401111: ff 15 0040100c              jsr.l   (Process32First)
00000317: 00401117: 09 c0                       or.l    r0,r0
00000319: 00401119: 74 4d                       beq.b   exit2

0000031b: 0040111b: be 004011b4         _10:    move.l  #processentry32+36,r5
00000320: 00401120: bf 00401177                 move.l  #name,r6
00000325: 00401125: a6                  _40:    cmp.b   (r6)+-{s1},(r5)+-
00000326: 00401126: 74 05                       beq.b   _20
00000328: 00401128: 4e                          dec.l   r5
00000329: 00401129: a6                          cmp.b   (r6)+-{s1},(r5)+-
0000032a: 0040112a: 75 2c                       bne.b   _30
0000032c: 0040112c: 4f                          dec.l   r6
0000032d: 0040112d: 47                  _20:    inc.l   r6
0000032e: 0040112e: f6 47 ff ff                 tst.b   #$ff,-1.b(r6)
00000332: 00401132: 75 f1                       bne.b   _40

00000334: 00401134: ff 35 00401198              move.l  processentry32+8,-(sp)  ;  DWORD dwProcessId
0000033a: 0040113a: 6a 00                       moveq.l #0,-(sp)                ;  BOOL bInheritHandle,
0000033c: 0040113c: 6a 01                       moveq.l #1,-(sp)                ;  DWORD dwDesiredAccess=PROCESS_TERMINATE
0000033e: 0040113e: ff 15 00401014              jsr.l   (OpenProcess)
00000344: 00401144: 09 c0                       or.l    r0,r0 
00000346: 00401146: 74 20                       beq.b   exit2

00000348: 00401148: 50                          move.l  r0,-(sp)                ; hProcess: process handle
00000349: 00401149: 6a 00                       moveq.l #0,-(sp)                ; uExitCode
0000034b: 0040114b: 50                          move.l  r0,-(sp)                ; hProcess: process handle
0000034c: 0040114c: ff 15 00401018              jsr.l   (TerminateProcess)
00000352: 00401152: ff 15 00401008              jsr.l   (CloseHandle)

00000358: 00401158: 68 00401190         _30:    move.l  #processentry32,-(sp)
0000035d: 0040115d: 55                          move.l  r4,-(sp)
0000035e: 0040115e: ff 15 00401010              jsr.l   (Process32Next)
00000364: 00401164: 09 c0                       or.l    r0,r0
00000366: 00401166: 75 b3                       bne.b   _10

00000368: 00401168: 55                  exit2:  move.l  r4,-(sp)
00000369: 00401169: ff 15 00401008              jsr.l   (CloseHandle)

0000036f: 0040116f: 6a 00               exit1:  moveq.l #0,-(sp)
00000371: 00401171: ff 15 00401000              jsr.l   (ExitProcess)   ; exit program

00000377: 00401177: 4e 6e 4f 6f 54 74
0000037d: 0040117d: 45 65 50 70 41 61
00000383: 00401183: 44 64 2e 2e 45 65
00000389: 00401189: 58 78 45 65 00      name:   dc.b    "NnOoTtEePpAaDd..EeXxEe",00

0000038e: 0040118e: 00 00                       even 4
                                        processentry32:
                                                blk.l   1       ;  +0 dwSize
                                                blk.l   1       ;  +4 cntUsage
                                                blk.l   1       ;  +8 th32ProcessID
                                                blk.l   1       ; +12 th32DefaultHeapID
                                                blk.l   1       ; +16 th32ModuleID
                                                blk.l   1       ; +20 cntThreads
                                                blk.l   1       ; +24 th32ParentProcessID
                                                blk.l   1       ; +28 pcPriClassBase
                                                blk.l   1       ; +32 dwFlags
                                                blk.b   260     ; +36 szExeFile[MAX_PATH]     
                                                processentry32_size=@-processentry32

                                        ;      ..............................................       
                                        ;      :           End of Code                      :
                                        ;      ..............................................

It can be assembled using Daniella/Windela.

Nathan.
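The compare loop at _40 and the processentry32 layout from Herbert's listing, ported to C as an added example (not code from the thread or from Herbert's source): it shows exactly which szExeFile values the doubled-case pattern accepts, run against constructed entries instead of the Toolhelp API. The struct name, make_entry and target_pid are this example's own.

```c
/* Added example, not from the thread: a C port of the doubled-case compare
 * loop (_40) and of the processentry32 layout in Herbert's listing, run
 * against constructed entries instead of CreateToolhelp32Snapshot. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXE_NAME_LEN 260            /* szExeFile[MAX_PATH] */

/* Same fields and offsets as the blk.l/blk.b block in the listing:
 * nine dwords then 260 bytes, so dwSize is 0x128 (296). Name is the example's own. */
typedef struct {
    uint32_t dwSize;                /*  +0 */
    uint32_t cntUsage;              /*  +4 */
    uint32_t th32ProcessID;         /*  +8, the value pushed to OpenProcess */
    uint32_t th32DefaultHeapID;     /* +12 */
    uint32_t th32ModuleID;          /* +16 */
    uint32_t cntThreads;            /* +20 */
    uint32_t th32ParentProcessID;   /* +24 */
    int32_t  pcPriClassBase;        /* +28 */
    uint32_t dwFlags;               /* +32 */
    char     szExeFile[EXE_NAME_LEN]; /* +36, compared at _40 */
} ProcessEntry32;

/* The string at `name`: each letter stored twice, upper then lower case;
 * the ".." pair accepts the dot in either slot. */
static const char kPattern[] = "NnOoTtEePpAaDd..EeXxEe";

/* Port of the loop at _40. Up to two cmpsb per pair: the exe byte must equal
 * either half; afterwards edi has advanced past the whole pair and esi by one
 * byte. The loop ends when the second byte of the pair just matched is 0,
 * which in the binary is the (00,00) pair after the string, so the exe name
 * must end exactly where the pattern ends. Returns 1 on a match. */
int pair_pattern_match(const char *exe, const char *pat)
{
    for (;;) {
        if (pat[0] == '\0')              /* terminator pair reached */
            return *exe == '\0';
        if (*exe != pat[0] && *exe != pat[1])
            return 0;                    /* bne.b _30: try next process */
        exe++;                           /* esi advanced once */
        pat += 2;                        /* edi advanced past the pair */
    }
}

/* Fill an entry the way Process32First/Next would, from constructed values. */
void make_entry(ProcessEntry32 *e, uint32_t pid, const char *exe)
{
    memset(e, 0, sizeof *e);
    e->dwSize = (uint32_t)sizeof *e;     /* the 0x128 the code stores at +0 */
    e->th32ProcessID = pid;
    strncpy(e->szExeFile, exe, EXE_NAME_LEN - 1);
}

/* PID the program would hand to OpenProcess for this entry, 0 if skipped. */
uint32_t target_pid(const ProcessEntry32 *e)
{
    return pair_pattern_match(e->szExeFile, kPattern) ? e->th32ProcessID : 0;
}

int main(void)
{
    /* constructed sample names, not taken from a real snapshot */
    static const char *names[] = { "notepad.exe", "NOTEPAD.EXE", "NoTePaD.ExE",
                                   "notepad", "notepad.exe.bak", "xnotepad.exe" };
    ProcessEntry32 e;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        make_entry(&e, (uint32_t)(1000 + i), names[i]);
        printf("%-16s -> %s\n", names[i],
               target_pid(&e) ? "matches, would be opened" : "skipped");
    }
    return 0;
}
```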

Evenbit

Quote from: P1 on May 15, 2007, 02:29:59 PM
That's not how I see this. It's a template for coding around sending .exe through e-mail that can be re-built later to do whatever the author wants using a DOS back door through a .bat file.

After it runs, it deletes the source. Hmm, I wonder why anyone would want that? :naughty:

You planning to write any code that needs this kind of software resources ???

BTW, Do you know how much we like writers of malware ???   

Regards,  P1   :8)

What moron reads *that* batch file and concludes that the "source" is being deleted??  "Look at this, dudes, a "program.com" file is being renamed to a "program.exe" so the _rename function_ *is* an assembler that reads "*.com" sources and 'this' one is being deleted!"  I've got news for you -- we are NOT sheep!  So please stop spreading this ridiculous FUD!  We would rather read about some actual facts instead of this stupid fiction you guys seem intent on cooking up.

Nathan.

P1

Quote from: skywalker on May 15, 2007, 12:30:26 PM
.
.
.
del killnp.com
.
.
.
Embedded text in Killnp.exe:
Nice to meet somebody who is still using DOS, but his program requires Win32.
Quote from: Evenbit on May 15, 2007, 07:17:12 PM
What moron reads *that* batch file and concludes that the "source" is being deleted??  "Look at this, dudes, a "program.com" file is being renamed to a "program.exe" so the _rename function_ *is* an assembler that reads "*.com" sources and 'this' one is being deleted!"
See above for source being deleted.  In the line "killnp.com>killnp.exe", killnp.com is run with its output redirected to killnp.exe, which runs as well.  See snipped text from killnp.exe.

Quote from: Evenbit on May 15, 2007, 07:17:12 PM
I've got news for you -- we are NOT sheep!
I'm sorry, I need proof.  What does "killnp.com>killnp.exe" do again ???

I'm so glad that some of us do remember how DOS works.

If I was good for a dare, I have a 'nice' batch file for you to run.   :bdg

Regards,  P1   :8)

Evenbit

Quote from: P1 on May 15, 2007, 07:49:45 PM
Quote from: skywalker on May 15, 2007, 12:30:26 PM
.
.
.
del killnp.com
.
.
.

This "*.com" file is a temporary file generated by the "*.bat" file... it is only natural to clean-up any temporary files that are no longer needed.  In order for your "deletes the source" claim to ring true, it would have to be written like "del killnp.bat" since the batch file is obviously the source of all files created by running this program.
Quote
Embedded text in Killnp.exe:
Nice to meet somebody who is still using DOS, but his program requires Win32.

That is the text display for the standard DOS Stub which is included in every PE file.  What the *heck* does it have to do with anything being discussed in this thread???
Quote
Quote from: Evenbit on May 15, 2007, 07:17:12 PM
What moron reads *that* batch file and concludes that the "source" is being deleted??  "Look at this, dudes, a "program.com" file is being renamed to a "program.exe" so the _rename function_ *is* an assembler that reads "*.com" sources and 'this' one is being deleted!"
See above for source being deleted.  In the line "killnp.com>killnp.exe", killnp.com is run with its output redirected to killnp.exe, which runs as well.  See snipped text from killnp.exe.

You will find the DOS Stub "text" in just about every PE file you examine.  So, what is your point???

Quote from: Evenbit on May 15, 2007, 07:17:12 PM
I've got news for you -- we are NOT sheep!
I'm sorry, I need proof.  What does "killnp.com>killnp.exe" do again ???

I'm so glad that some of us do remember how DOS works.

If I was good for a dare, I have a 'nice' batch file for you to run.   :bdg

Regards,  P1   :8)
Quote

Okay, you have convinced me...  this is a NASTY VIRUS spread via ASCII-only UseNet and uses the DOS-emulation "back-door" of Windows to do its horrible deeds!  Quick!  Somebody alert Microsoft!!!

Nathan.

P1

Quote from: Evenbit on May 15, 2007, 08:35:07 PM
Okay, you have convinced me...  this is a NASTY VIRUS spread via ASCII-only UseNet and uses the DOS-emulation "back-door" of Windows to do its horrible deeds!  Quick!  Somebody alert Microsoft!!!
I have fought viruses and malware for a long time.  I have seen code be passed around only to show up in a new virus. 

I am an e-mail administrator and have had my day ruined by users who are ignorant and who think the AV will catch everything.

I can accept you don't understand my point of view.  But one day it will happen to you; you will lose hours of productivity.  Maybe data that you were careless to leave in only one spot.  I hope that you can avoid a painful lesson like that.  Nowadays, they wait for banking information; when you're broke, please let me know.

Extremes are usually bad, so from Chicken Little to WHAT ME WORRY? by Alfred E. Neuman ( They don't call it MAD magazine for nothing. ), somewhere is prudence and wisdom in between.

Best Regards,  P1   :8)

Evenbit

Let the malware search begin!

Here is a link to a Google Groups search for the string "@echo off" which should net you most (if not all) of the many code examples Herbert has posted to news:alt.lang.asm over the years:

http://groups.google.com/group/alt.lang.asm/search?hl=en&group=alt.lang.asm&q=%40echo+off&qt_g=Search+this+group

And here is where his assembler can be obtained:

http://137.193.64.130/

ass486.zip -- the DOS version (Daniella)

windela.zip -- the Windows version

Nathan.

evlncrn8

another thing worth mentioning, xp64 - doesn't particularly like dos programs.. especially coms...
won't run...

P1

Quote from: evlncrn8 on May 16, 2007, 09:11:52 AM
another thing worth mentioning, xp64 - doesn't particularly like dos programs.. especially coms...
won't run...
M$, after years of trying to balance backward compatibility with the risk exposure of that feature, is killing off features that are not being used for almost anything but malware.

Quote from: Evenbit on May 15, 2007, 10:55:36 PM
Let the malware search begin!
Maybe you missed the point.  It's not that you can find it, but that its use has degraded to exclusively malware.  Even as a MASM programmer, I have never encapsulated a program four times (Source.exe>dist.com>.bat>.com>.exe) for distribution, much less using a back door in DOS to do it.

So my challenge to you: can you realistically expect to use this technique for legitimate software distribution?  The next is: who would, but for malware?

Regards,  P1   :8)