本帖最后由 sharkman001 于 2023-11-18 10:17 编辑
分享个自己写的加密壳加壳程序代码源码 写的有点乱,大神请绕道#include<stdio.h> #include<Windows.h> #define TOBYTE(X) ((BYTE*)X) typedef struct { union OD_OR_NAME { CHAR* Name; WORD Od; }; }EXP_FUN_NAME; typedef enum { NameFlag = 0x1, OrderFlag = 0x2, }EXP_FUN_MODE; #pragma code_seg(".core") DWORD _declspec(naked) WINAPI GetCurrentFunAddress() { __asm { mov eax, dword ptr ss : [esp] ; ret; } } DWORD _declspec(naked)Get32BitNtdllBase() { __asm { push ebp; mov ebp, esp; sub esp, 0x80; mov dword ptr ds : [ebp - 0x4] , ecx; mov dword ptr ds : [ebp - 0x8] , edx; mov dword ptr ds : [ebp - 0xc] , ebx; mov dword ptr ds : [ebp - 0x10] , esi; mov dword ptr ds : [ebp - 0x1c] , edi; mov eax, fs: [0x30] ; mov eax, dword ptr ds:[eax + 0xc]; add eax, 0xc; mov ecx, eax; mov dword ptr ss : [esp - 0x4] , ecx; sub_6: mov ecx, dword ptr ss : [esp - 0x4] ; mov esi, dword ptr ds : [eax + 0x4] ; cmp esi, ecx; jz sub_4; mov dword ptr ss : [esp - 0xc] , esi; mov ebx, dword ptr ds : [esi + 0x18] ; mov dword ptr ss : [esp - 0x8] , ebx;//保存模块的DLLbase lea ebx, dword ptr es : [esi + 0x2c]; mov eax, dword ptr ds : [ebx] ;//HWORD(EAX)为dllname的最大长度,LOWORD(EAX)为dllname长度 mov dword ptr ss:[esp + 0x10], eax; mov esi, dword ptr ds : [ebx + 0x4] ;//esi为dllname call GetCurrentFunAddress; add eax, 0x76; //add eax, 0xab; mov edi, eax; //lea edi, dword ptr[sub_1]; mov eax, dword ptr ss : [esp+0x10] ; shr eax, 0x10; mov cx, ax; cmp cx, 0; jz sub_4; mov edx, edi; sub_3: mov bx, word ptr es : [edi] ; //_emit 0x66; cmp bx, word ptr es : [esi] ; jnz sub_5; add edi, 0x2; add esi, 0x2; sub cx, 0x2; cmp cx, 0; jnz sub_3; mov eax, dword ptr ss : [esp - 0x8] ; mov edx, dword ptr ds : [eax + 0x3c] ; mov dx, word ptr ds : [eax + edx+0x4] ; cmp dx, 0x8664; jz sub_5; mov eax, dword ptr ss : [esp - 0x8] ; sub_2: mov edi, dword ptr ds : [ebp - 0x1c] ; mov esi, dword ptr ds : [ebp - 0x10] ; mov ebx, dword ptr ds : [ebp - 0xc] ; mov edx, dword ptr ds : [ebp - 0x8] ; mov ecx, dword ptr ds : [ebp - 0x4] ; mov esp, ebp; pop ebp; ret; sub_4: mov eax, 0; jmp sub_2; sub_5: mov eax, dword ptr ss : [esp - 0xc] ; jmp sub_6; sub_1: _emit 0x6e; _emit 0x00; _emit 0x74; _emit 0x00; _emit 0x64; _emit 0x00; _emit 0x6c; _emit 0x00; _emit 0x6c; _emit 0x00; _emit 0x2e; _emit 0x00; _emit 0x64; _emit 0x00; _emit 0x6c; _emit 0x00; _emit 0x6c; _emit 0x00; _emit 0x00; _emit 0x00; } } int _declspec(naked) WINAPI mystrcmp(char* str1, char* str2) { __asm { push ebp; mov ebp, esp; sub esp, 0x80; push esi; push edi; mov dword ptr ss : [esp + 0x8] , 0xffffffff; mov esi, ss: [ebp + 0x8] ; dec esi; sub_1: inc dword ptr ss : [esp + 0x8] ; inc esi; xor cl, cl; cmp cl,byte ptr es : [esi] ; jnz sub_1; mov esi, ss: [ebp + 0xc] ; mov dword ptr ss : [esp + 0xc] , 0xffffffff; dec esi; sub_2: inc dword ptr ss : [esp + 0xc] ; inc esi; xor cl, cl; cmp cl, byte ptr es : [esi] ; jnz sub_2; mov eax, dword ptr ss : [esp + 0xc] ; cmp eax, dword ptr ss : [esp + 0x8] ; jnz sub_3; mov word ptr ss:[esp+0x10] , ax; mov esi, ss : [ebp + 0x8] ; mov edi, ss : [ebp + 0xc] ; sub_5: mov cl, byte ptr es : [esi] ; cmp cl, byte ptr es : [edi] ; jnz sub_3; inc esi; inc edi; dec word ptr ss:[esp + 0x10]; cmp word ptr ss:[esp + 0x10], 0; jz sub_4; jmp sub_5; sub_4: mov eax, 0; sub_6: pop edi; pop esi; mov esp, ebp; pop ebp; ret 0X8; sub_3: mov eax, 1; jmp sub_6; _emit 0x88; _emit 0x88; _emit 0x88; _emit 0x88; } } PVOID _declspec(naked) WINAPI GetFunAddrOfModuleAsm(PVOID pModule, EXP_FUN_NAME unFuntionName, EXP_FUN_MODE eMode) { _asm { push ebp; mov ebp, esp; sub esp,0x144; push ebx; push esi; push edi; lea edi, dword ptr ss : [ebp - 0x144] ; mov ecx, 0x51; mov eax, 0xcccccccc; rep stosd; mov dword ptr ss : [ebp - 0x8] , 0; mov dword ptr ss : [ebp - 0x14] , 0; mov dword ptr ss : [ebp - 0x20] , 0; mov eax, dword ptr ss : [ebp + 0x8] ; mov dword ptr ss : [ebp - 0x50] , eax; mov eax, dword ptr ss : [ebp - 0x50] ; mov ecx, dword ptr ds : [eax + 0x3c] ; mov edx, dword ptr ss : [ebp - 0x50] ; lea eax, dword ptr ds : [ecx + edx + 4] ; mov dword ptr ss : [ebp - 0x5c] , eax; mov eax, dword ptr ss : [ebp - 0x5c] ; add eax, 0x14; mov dword ptr ss : [ebp - 0x68] , eax; mov eax, 0x8; imul ecx, eax, 0; mov edx, dword ptr ss : [ebp - 0x68] ; lea eax, dword ptr ss : [edx + ecx + 0x60] ; mov dword ptr ss : [ebp - 0x14] , eax; mov eax, dword ptr ss : [ebp - 0x14] ; mov ecx, dword ptr ss : [ebp + 0x8] ; add ecx, dword ptr ds : [eax] ; mov dword ptr ss : [ebp - 0x20] , ecx; mov eax, dword ptr ss : [ebp - 0x20] ; mov ecx, dword ptr ss : [ebp + 0x8] ; add ecx, dword ptr ds : [eax + 0x20] ; mov dword ptr ss : [ebp - 0x2C] , ecx; mov eax, dword ptr ss : [ebp - 0x20] ; mov ecx, dword ptr ss : [ebp + 0x8] ; add ecx, dword ptr ds : [eax + 0x24] ; mov dword ptr ss : [ebp - 0x38] , ecx; mov eax, dword ptr ss : [ebp - 0x20] ; mov ecx, dword ptr ss : [ebp + 0x8] ; add ecx, dword ptr ds : [eax + 0x1C] ; mov dword ptr ss : [ebp - 0x44] , ecx; mov dword ptr ss : [ebp - 0x74] , 0x0; cmp dword ptr ss : [ebp + 0x10] , 0x1; jne sub_1; mov dword ptr ss : [ebp - 0x74] , 0x0; jmp sub_2; sub_5: mov eax, dword ptr ss : [ebp - 0x74] ; add eax, 0x1; mov dword ptr ss : [ebp - 0x74] , eax; sub_2: mov eax, dword ptr ss : [ebp - 0x20] ; mov ecx, dword ptr ss : [ebp - 0x74] ; cmp ecx, dword ptr ds : [eax + 0x18] ; jge sub_3; mov eax, dword ptr ss : [ebp - 0x74] ; mov ecx, dword ptr ss : [ebp - 0x2C] ; mov edx, dword ptr ss : [ebp + 0x8] ; add edx, dword ptr ds : [ecx + eax * 4] ; mov dword ptr ss : [ebp - 0x80] , edx; mov eax, dword ptr ss : [ebp + 0xC] ; push eax; mov ecx, dword ptr ss : [ebp - 0x80] ; push ecx; call mystrcmp; test eax, eax; jne sub_4; jmp sub_3; sub_4: jmp sub_5; sub_3: mov eax, dword ptr ss : [ebp - 0x74] ; mov ecx, dword ptr ss : [ebp - 0x38] ; movzx edx, word ptr ds : [ecx + eax * 2] ; mov eax, dword ptr ss : [ebp - 0x44] ; mov ecx, dword ptr ss : [ebp + 0x8] ; add ecx, dword ptr ds : [eax + edx * 4] ; mov dword ptr ss : [ebp - 0x8] , ecx; jmp sub_6; sub_1: movzx eax, word ptr ss : [ebp + 0xC] ; mov ecx, dword ptr ss : [ebp - 0x20] ; sub eax, dword ptr ds : [ecx + 0x10] ; mov edx, dword ptr ss : [ebp - 0x44] ; mov ecx, dword ptr ss : [ebp + 0x8] ; add ecx, dword ptr ds : [edx + eax * 4] ; mov dword ptr ss : [ebp - 0x8] , ecx; sub_6: mov eax, dword ptr ss : [ebp - 0x8] ; pop edi; pop esi; pop ebx; //add esp, 0x144; mov esp, ebp; pop ebp; ret 0xc; } } DWORD _declspec(naked) WINAPI GetMainModuleBase() { __asm { push ebp; mov ebp, esp; sub esp, 0x10; mov eax, fs: [0x30] ; mov eax, dword ptr ds : [eax + 0x8] ; mov esp, ebp; pop ebp; ret; } } DWORD _declspec(naked) WINAPI FixShellRelocal(DWORD sReacalRva) { _asm { push ebp; mov ebp, esp; sub esp, 0x80; push ebx; push edx; push edi; call GetMainModuleBase; mov dword ptr ss : [ebp - 0x20] , eax;//newimagebase add eax, 0x3c; mov ecx, dword ptr ds : [eax] ; mov eax, dword ptr ss : [ebp - 0x20] ; add eax, ecx; add eax, 0x34; mov eax, dword ptr ds : [eax] ; mov dword ptr ss : [ebp - 0x24] , 0x400000;//oldimagebase mov eax, dword ptr ss : [ebp - 0x20] ; add eax, dword ptr ds : [ebp + 0x8] ; mov dword ptr ss : [ebp - 0x4] , eax; sub_4: mov eax, dword ptr ss : [ebp - 0x4] ; mov ebx, dword ptr ds : [eax] ; mov edx, dword ptr ds : [eax + 4] ; cmp ebx, 0; jz sub_5; mov dword ptr ss : [ebp - 0x8] , ebx;//VirtualAddress mov dword ptr ss : [ebp - 0xc] , edx;//block mov eax, edx; sub eax, 0x8; mov dl, 0x2; div dl; xor ebx, ebx; mov bl, al; mov dword ptr ss : [ebp - 0x10] , ebx;//重定位位置个数 mov dword ptr ss : [ebp - 0x1c] , 0; sub_2: mov ecx, dword ptr ss : [ebp - 0x1c] ; cmp ecx, dword ptr ss : [ebp - 0x10] ; jge sub_1; mov edi, dword ptr ss : [ebp - 0x4] ; lea edi, dword ptr es : [edi + 0x8] ; mov ax, word ptr es : [edi + ecx * 0x2] ; test ax, 0x3000; jz sub_3; and eax, 0xfff; add eax, dword ptr ss : [ebp - 0x8] ; add eax, dword ptr ss : [ebp - 0x20] ; mov dword ptr ss : [ebp - 0x28] , eax;//要重定位的目标地址 mov ebx, dword ptr ds : [eax] ; sub ebx, dword ptr ss : [ebp - 0x24] ; add ebx, dword ptr ss : [ebp - 0x20] ; mov edx, dword ptr ss : [ebp - 0x28] ; mov dword ptr ds : [edx] ,ebx; sub_3: inc ecx; mov dword ptr ss : [ebp - 0x1c] , ecx; jmp sub_2; sub_1: mov edx, dword ptr ss : [ebp - 0xc] ; mov eax, dword ptr ss : [ebp - 0x4] ; add edx, eax; mov dword ptr ss : [ebp - 0x4] , edx; jmp sub_4; sub_5: pop edi; pop edx; pop ebx; mov esp, ebp; pop ebp; ret 0x4; } } VOID _declspec(naked) WINAPI DeCode(PVOID pBuff, SIZE_T sSize) { __asm { push ebp; mov ebp, esp; sub esp, 0x50; push edi; push edx; mov eax, dword ptr ss : [ebp + 0xc] ; mov dword ptr ss : [ebp - 0x8] , eax; mov edi, dword ptr ss : [ebp + 0x8] ; dec dword ptr ss : [ebp - 8] ; sub_2: mov ecx, dword ptr ss:[ebp - 0x8] ; cmp ecx, 0; jl sub_1; mov dl, byte ptr es : [edi + ecx * 1] ; and edx, 0xff; cmp ecx, 0; jnz sub_3; xor dl, 0x50; jmp sub_4; sub_3: mov eax, ecx; dec eax; xor dl, cl; xor dl, byte ptr es : [edi + eax * 1] ; sub_4: mov byte ptr es : [edi + ecx * 1] , dl; dec ecx; mov dword ptr ss : [ebp - 0x8] , ecx; jmp sub_2; sub_1: pop edx; pop edi; mov esp, ebp; pop ebp; ret 0x8; } } VOID _declspec(naked)WINAPI ShellEntry() { _asm { pushad; pushfd; push ebp; mov ebp, esp; sub esp, 0x100; mov dword ptr ss : [ebp - 0x4] , 0; call Get32BitNtdllBase; mov dword ptr ss : [ebp - 0x4] , eax;//ntdll.dll的BASE mov dword ptr ss : [ebp - 0x8] , 0; mov dword ptr ss : [ebp - 0xc] , 0; xor eax, eax; mov ecx, eax; mov ax, 0x14; mov cx, 0x16; shl ecx, 0x10; or eax, ecx; mov dword ptr ss : [ebp - 0xc] , eax; //lea eax, dword ptr ds : [sub_2] ; call GetCurrentFunAddress; add eax, 0x15d; mov dword ptr ss : [ebp - 0x8] , eax; lea eax, dword ptr ss : [ebp - 0xc] ; mov dword ptr ss : [ebp - 0x10] , eax;//user32.dll字符串指针 push 0x1; //lea eax, dword ptr ds : [sub_1] ; call GetCurrentFunAddress; add eax, 0x13a; push eax; mov eax, dword ptr ss : [ebp - 0x4] ; push eax; call GetFunAddrOfModuleAsm; mov dword ptr ss : [ebp - 0x14] , eax;//LdrLoadDll地址 mov dword ptr ss : [ebp - 0x18] , 0;//LdrLoadDll返回的模块基址 lea eax, dword ptr ss : [ebp - 0x18] ; push eax; mov eax, dword ptr ss : [ebp - 0x10] ; push eax; push 0; push 0; mov ecx, dword ptr ss : [ebp - 0x14] ; call ecx; push 0x1; //lea eax, dword ptr ds : [sub_3] ; call GetCurrentFunAddress; add eax, 0x124; push eax; mov eax, dword ptr ss : [ebp - 0x18] ; push eax; call GetFunAddrOfModuleAsm; mov dword ptr ss : [ebp - 0x1c] , eax;//MessageBoxA地址 push 6; push 0; push 0; push 0; call eax; push 0x1; call GetCurrentFunAddress; add eax, 0x10b; push eax; push dword ptr ss : [ebp - 0x4] ; call GetFunAddrOfModuleAsm; mov dword ptr ss : [ebp - 0x28],eax;//ZwProtectMemory mov dword ptr ss : [ebp - 0x14] , 0; lea eax, dword ptr ss : [ebp - 0x14] ;//oldprotect push eax; push PAGE_EXECUTE_READWRITE; mov dword ptr ss : [ebp - 0x18] , 0x2000; lea eax, dword ptr ss : [ebp - 0x18] ; push eax; call GetMainModuleBase; mov dword ptr ss : [ebp - 0x20] , eax; add eax, 0x1000; mov dword ptr ss : [ebp - 0x8] , eax; lea eax,dword ptr ss : [ebp - 0x8] ; push eax; push 0xffffffff; mov eax, dword ptr ss: [ebp - 0x28] ; call eax; mov eax, dword ptr ss : [ebp - 0x20] ; mov ecx, dword ptr ds : [eax + 0x3c] ; lea eax, dword ptr ds : [ecx + eax + 0x4] ; mov dword ptr ss : [ebp - 0x24] , eax;//pfileheader mov dx, word ptr ds : [eax + 0x10] ; and edx, 0xffff; add edx, dword ptr ss : [ebp - 0x24] ; add edx, 0x14; mov eax, dword ptr ds : [edx + 0x10] ; push eax; mov eax, dword ptr ds : [edx + 0xc] ;//节RVA add eax, dword ptr ss : [ebp - 0x20] ; push eax; call DeCode; mov eax, dword ptr ss : [ebp - 0x20] ; cmp eax, 0x400000; jz sub_4; mov eax, dword ptr ss : [ebp - 0x20] ; mov eax, dword ptr ds : [eax + 0x40] ; push eax; call FixShellRelocal; mov dword ptr ss : [ebp - 0x14] , 0; lea eax, dword ptr ss : [ebp - 0x14] ;//oldprotect push eax; push PAGE_EXECUTE_READ; lea eax, dword ptr ss : [ebp - 0x18] ; push eax; lea eax, dword ptr ss : [ebp - 0x8] ; push eax; push 0xffffffff; mov eax, dword ptr ss : [ebp - 0x28] ; call eax; mov eax, dword ptr ds : [ebp - 0x1c] ; push 0x4; push 0; push 0; push 0; call eax; sub_4: mov esp, ebp; pop ebp; popfd; popad; call GetMainModuleBase; add eax, 0x22e4; call eax; ret; sub_1: _emit 0x4c; _emit 0x64; _emit 0x72; _emit 0x4c; _emit 0x6f; _emit 0x61; _emit 0x64; _emit 0x44; _emit 0x6c; _emit 0x6c; _emit 0x00; sub_2: _emit 0x75; _emit 0x00; _emit 0x73; _emit 0x00; _emit 0x65; _emit 0x00; _emit 0x72; _emit 0x00; _emit 0x33; _emit 0x00; _emit 0x32; _emit 0x00; _emit 0x2e; _emit 0x00; _emit 0x64; _emit 0x00; _emit 0x6c; _emit 0x00; _emit 0x6c; _emit 0x00; _emit 0x00; _emit 0x00; sub_3: _emit 0x4d; _emit 0x65; _emit 0x73; _emit 0x73; _emit 0x61; _emit 0x67; _emit 0x65; _emit 0x42; _emit 0x6f; _emit 0x78; _emit 0x41; _emit 0x00; sub_6: _emit 0x5a; _emit 0x77; _emit 0x50; _emit 0x72; _emit 0x6f; _emit 0x74; _emit 0x65; _emit 0x63; _emit 0x74; _emit 0x56; _emit 0x69; _emit 0x72; _emit 0x74; _emit 0x75; _emit 0x61; _emit 0x6c; _emit 0x4d; _emit 0x65; _emit 0x6d; _emit 0x6f; _emit 0x72; _emit 0x79; _emit 0x00; } } #pragma code_seg(".text") DWORD dTargetFileSize; PIMAGE_SECTION_HEADER pShellCodeSection; PIMAGE_SECTION_HEADER pEncodeHandleSection; //PVOID pTargetEncodeSection; //DWORD dTargetEncodeSectionSize; VOID Encode(UCHAR* bytearr, LONG size) { for (int i = 0; i < size; ++i) { if (i == 0) { bytearr[i] = bytearr[i] ^ 0x50; } else { bytearr[i] = bytearr[i] ^ bytearr[i - 1]; bytearr[i] = bytearr[i] ^ i; } } return; } PVOID CreateFileBuff(CHAR* path) { DWORD dHighDword; HANDLE hFile = CreateFileA(path, GENERIC_READ | GENERIC_WRITE | DELETE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile == 0) { return NULL; } DWORD size = GetFileSize(hFile, &dHighDword); dTargetFileSize = size; PVOID pFileBuff = VirtualAlloc(NULL,size+0x9000, MEM_COMMIT, PAGE_READWRITE); if (pFileBuff == NULL) { return NULL; } ZeroMemory(pFileBuff, size + 0x9000); if (!ReadFile(hFile, pFileBuff, size, NULL, NULL)) { VirtualFree(pFileBuff, size+0x9000, MEM_DECOMMIT); return NULL; } CloseHandle(hFile); return pFileBuff; } BOOL WriteBuffToDisk(CHAR* path,PVOID pBuff, DWORD dSize) { BOOL ret = FALSE; HANDLE hFile = CreateFileA(path, GENERIC_READ | GENERIC_WRITE | DELETE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile == 0) { return ret; } if (!WriteFile(hFile, pBuff, dSize, NULL, NULL)) { return ret; } CloseHandle(hFile); return TRUE; } PVOID GetShellCodeSection() { PVOID ret = NULL; HMODULE hModule = GetModuleHandle(NULL); BYTE chSectionName[] = {0x2e,0x63,0x6f,0x72,0x65,0x00,0x00,0x00}; PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule; PIMAGE_FILE_HEADER pFileHeader = pDosHeader->e_lfanew + (LONG)pDosHeader+4; PIMAGE_OPTIONAL_HEADER32 pOptionaleHeader = pFileHeader + 1; PIMAGE_SECTION_HEADER pSection = (DWORD)pOptionaleHeader + pFileHeader->SizeOfOptionalHeader; for (int i = 0; i < pFileHeader->NumberOfSections; ++i) { if (strcmp(&(pSection[i].Name), chSectionName) == 0) { ret = &pSection[i]; break; } } return ret; } VOID GetTargtFileBuffCodeSection(PVOID pFileBuff) { PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuff; PIMAGE_FILE_HEADER pFileHeader = pDosHeader->e_lfanew + (LONG)pDosHeader+4; PIMAGE_OPTIONAL_HEADER32 pOptionaleHeader = pFileHeader + 1; PIMAGE_SECTION_HEADER pSection = (DWORD)pOptionaleHeader + pFileHeader->SizeOfOptionalHeader; for (int i = 0; i < pFileHeader->NumberOfSections; ++i) { if ((pSection[i].Characteristics & 0x60000000) != 0) { pEncodeHandleSection = &pSection[i]; // pSection[i].Characteristics |= 0x80000000; break; } } return; } VOID AddSection(PVOID pFileBuff,DWORD dWritePosOffset, DWORD dOffset) { PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuff; PIMAGE_FILE_HEADER pFileHeader = pDosHeader->e_lfanew + (LONG)pDosHeader+4; PIMAGE_OPTIONAL_HEADER32 pOptionaleHeader = pFileHeader + 1; PIMAGE_SECTION_HEADER pSection = (DWORD)pOptionaleHeader + pFileHeader->SizeOfOptionalHeader; PIMAGE_SECTION_HEADER pLastSection = &(pSection[pFileHeader->NumberOfSections - 1]); DWORD dWritePos = (DWORD)pFileBuff + dWritePosOffset+dOffset; DWORD dStratCopyPos = (DWORD)(pShellCodeSection->VirtualAddress) + (DWORD)GetModuleHandle(NULL); int j = 0; memcpy(dWritePos, dStratCopyPos, pShellCodeSection->SizeOfRawData); pLastSection->SizeOfRawData = pLastSection->SizeOfRawData + dOffset + pShellCodeSection->SizeOfRawData; pLastSection->Misc.VirtualSize = pLastSection->SizeOfRawData; pLastSection->Characteristics |= 0x60000000; if (pLastSection->Misc.VirtualSize % 0X1000 == 0) { pOptionaleHeader->SizeOfImage = pLastSection->VirtualAddress + pLastSection->Misc.VirtualSize; } else { pOptionaleHeader->SizeOfImage = pLastSection->VirtualAddress + (pLastSection->Misc.VirtualSize & 0xfffff000) + 0x1000; } return; } PVOID GetRelocalTableHeader(PVOID pFileBuff) { PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuff; PIMAGE_FILE_HEADER pFileHeader = pDosHeader->e_lfanew + (LONG)pDosHeader + 4; PIMAGE_OPTIONAL_HEADER32 pOptionaleHeader = pFileHeader + 1; PIMAGE_SECTION_HEADER pSection = (DWORD)pOptionaleHeader + pFileHeader->SizeOfOptionalHeader; int iSectionNum = pFileHeader->NumberOfSections; DWORD dRelocaBaseRva = pOptionaleHeader->DataDirectory[5].VirtualAddress; if (dRelocaBaseRva==0) { return NULL; } for (int i = 0; i < iSectionNum; ++i) { if (pSection[i].VirtualAddress == dRelocaBaseRva) { return pSection[i].PointerToRawData+(DWORD)pFileBuff; } } return NULL; } BOOL IsMoveRelocaData(PIMAGE_BASE_RELOCATION pRelocaTable, PIMAGE_SECTION_HEADER pEncodeSec) { DWORD dSectionRealVirtualSize = 0; BOOL ret = FALSE; if (pEncodeSec->Misc.VirtualSize % 0x1000 == 0) { dSectionRealVirtualSize = pEncodeSec->Misc.VirtualSize; } else { dSectionRealVirtualSize = (pEncodeSec->Misc.VirtualSize & 0xfffff000) + 0x1000; } if ((pRelocaTable->VirtualAddress >= pEncodeSec->VirtualAddress) && (pRelocaTable->VirtualAddress < (pEncodeSec->VirtualAddress + dSectionRealVirtualSize))) { ret = TRUE; } return ret; } PVOID GetMoveRelocaPotin(PVOID pRealocTableHeader, PIMAGE_SECTION_HEADER pEncodeSec) { PIMAGE_BASE_RELOCATION pRelocTable = pRealocTableHeader; PVOID ret = NULL; while ((pRelocTable->VirtualAddress != 0) && (pRelocTable->SizeOfBlock != 0)) { if (pRelocTable->VirtualAddress >= pEncodeSec->VirtualAddress) { ret = pRelocTable; break; } pRelocTable = pRelocTable->SizeOfBlock + (DWORD)pRelocTable; } return ret; } DWORD MoveRelocaDataOfEndcodeSection(PVOID pFileBuff, PIMAGE_SECTION_HEADER pEncodeSec, DWORD dReloctableNewLocal) { PVOID pRelocBasePoint = GetRelocalTableHeader(pFileBuff); PIMAGE_BASE_RELOCATION pTemp = pRelocBasePoint; DWORD dMoveBlockSize = 0; PVOID pMovePoint=NULL; DWORD dSconMovePotin = 0; DWORD dSconMoveSize = 0; PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuff; PIMAGE_FILE_HEADER pFileHeader = pDosHeader->e_lfanew + (LONG)pDosHeader + 4; PIMAGE_OPTIONAL_HEADER32 pOptionaleHeader = pFileHeader + 1; PIMAGE_SECTION_HEADER pSection = (DWORD)pOptionaleHeader + pFileHeader->SizeOfOptionalHeader; if (pRelocBasePoint == 0) { MessageBox(0, TEXT("无重定位,加壳失败"), 0, 0); return 0; } while ((pTemp->VirtualAddress != 0) && (pTemp->SizeOfBlock != 0)) { if (IsMoveRelocaData(pTemp, pEncodeSec)) { dMoveBlockSize += pTemp->SizeOfBlock; } pTemp = (DWORD)pTemp + pTemp->SizeOfBlock; } pMovePoint = GetMoveRelocaPotin(pRelocBasePoint, pEncodeSec); dSconMoveSize = (DWORD)pMovePoint - (DWORD)pRelocBasePoint; dSconMovePotin = ((DWORD)pMovePoint + dMoveBlockSize) - dSconMoveSize; memcpy((DWORD)dReloctableNewLocal, pMovePoint, dMoveBlockSize); memset((DWORD)pMovePoint, 0, dMoveBlockSize); memcpy((PVOID)dSconMovePotin, pRelocBasePoint, dSconMoveSize); pOptionaleHeader->DataDirectory[5].VirtualAddress += dMoveBlockSize; pOptionaleHeader->DataDirectory[5].Size -= dMoveBlockSize; dSconMoveSize = (DWORD)pFileHeader->NumberOfSections; dSconMovePotin = pSection[dSconMoveSize - 1].VirtualAddress + pSection[dSconMoveSize - 1].SizeOfRawData; *(DWORD*)(((DWORD)pFileBuff) + 0x40) = dSconMovePotin; if (dMoveBlockSize % 0X200 == 0) { return dMoveBlockSize; } else { return (dMoveBlockSize & 0XFFFFFF00) + 0x200; } return 0; } VOID ChangeOEP(PVOID pFileBuff,PVOID pOrigeExcutePoint,DWORD dShellcodeStart) { PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuff; PIMAGE_FILE_HEADER pFileHeader = pDosHeader->e_lfanew + (LONG)pDosHeader+4; PIMAGE_OPTIONAL_HEADER32 pOptionaleHeader = pFileHeader + 1; PIMAGE_SECTION_HEADER pSection = (DWORD)pOptionaleHeader + pFileHeader->SizeOfOptionalHeader; DWORD dOldOEPrva = pOptionaleHeader->AddressOfEntryPoint; DWORD dOEPfoa = (DWORD)pOrigeExcutePoint - ((DWORD)(pShellCodeSection->VirtualAddress) + (DWORD)GetModuleHandle(NULL)) + dShellcodeStart; int SecNum = pFileHeader->NumberOfSections; pOptionaleHeader->AddressOfEntryPoint = dOEPfoa-pSection[SecNum-1].PointerToRawData+pSection[SecNum-1].VirtualAddress; *(DWORD*)((DWORD)pFileBuff+dOEPfoa + 0X191) = dOldOEPrva; return; } typedef struct { USHORT length; USHORT MaxLenth; PWCHAR Buffer; }MYUNICODE_STRING, * PMYUNICODE_STRING; typedef NTSTATUS (WINAPI*MYLOAD)(PWSTR,ULONG, PMYUNICODE_STRING,PHANDLE); typedef DWORD(WINAPI* MYMEG)(HINSTANCE, LPSTR, LPSTR, DWORD); int main() { CHAR* path = "C:\\Users\\YH\\Desktop\\子窗口.exe";//大神论坛 www.dslt.tech CHAR* outpath = "C:\\Users\\YH\\Desktop\\SH子窗口.exe"; DWORD dMoveSize = 0; DWORD dShellcodeStart; PVOID pFileBuff = CreateFileBuff(path); if (pFileBuff==NULL) { return 0; } GetTargtFileBuffCodeSection(pFileBuff); dMoveSize = MoveRelocaDataOfEndcodeSection(pFileBuff, pEncodeHandleSection, (DWORD)pFileBuff + dTargetFileSize); dShellcodeStart = dMoveSize + dTargetFileSize; pShellCodeSection = GetShellCodeSection(); AddSection(pFileBuff, dTargetFileSize, dMoveSize); Encode(pEncodeHandleSection->PointerToRawData + (DWORD)pFileBuff, pEncodeHandleSection->SizeOfRawData); ChangeOEP(pFileBuff,ShellEntry, dShellcodeStart); WriteBuffToDisk(outpath, pFileBuff, dTargetFileSize + dMoveSize + pShellCodeSection->SizeOfRawData); VirtualFree(pFileBuff, dTargetFileSize + 0x9000, MEM_DECOMMIT); system("pause"); return 0; }
注:若转载请注明大神论坛来源(本贴地址)与作者信息。
|