mov dword ptr [eax],ebx
mov dword ptr new_sect_name,ebx
mov dword ptr [eax+4],0
add eax,40 ; increment to next object record
add curSectionTableDisplacement,4
loop otbl_loop
done_otbl:
pop esi ; restore ptr pe hdr
sub eax,40
mov edi,eax
; call lstrcat,offset obj_txt,edi
mov eax,[edi+objpoff] ; get object physical off
mov lastobjimageoff,eax ; save it
mov ecx,[edi+objpsize] ; get object physical size
mov originalpsize,ecx ; save it 4 later
mov eax,[edi+objvsize] ; get object virtual size
mov originalvsize,eax ; save it
cmp eax,ecx
jae psize_less_vsize ; padded space for alignment?
mov eax,ecx ; set vsize to psize
psize_less_vsize:
add eax,VIRTUAL_SIZE ; add our virtual size
mov dword ptr [edi+objvsize],eax ; save new virtual size
cmp LastSectionUnaligned,0
jnz have_compressed_last
mov ecx,originalpsize
mov eax,originalvsize
cmp eax,ecx
jbe vsize_less_psize_whohoo
mov eax,ecx
mov originalvsize,ecx
jmp vsize_less_psize_whohoo
have_compressed_last:
mov eax,LastSectionUnaligned
vsize_less_psize_whohoo:
mov SymbiontOffset,eax
push eax
add eax,DECRYPTOR_SIZE ; adjust physical size of object
mov RawLastSection,eax
;mov ecx,[esi+filealign]
call file_align_fix ; on file alignment
mov [edi+objpsize],eax
mov ecx,dword ptr [esi+objalign] ; get object alignment
mov eax,dword ptr [edi+objvsize] ; add virtual size
add eax,dword ptr [edi+objrva] ; +last object rva
call align_fix ; set on obj alignment
mov dword ptr [esi+imagesize],eax ; save new imagesize
add largest_needed_buffer,(offset decryptor_code_end-offset decryptor_code)
pop eax
mov [edi+objflags],0E0000020h ; set object flags r/w/x/init data
add eax,[edi+objrva] ; add last object's RVA
; eax now RVA of decryptor code
mov ebx,[esi+entrypointRVA] ; get original entry
mov [esi+entrypointRVA],eax ; put our RVA as entry
push eax
add eax,svd_imgbase
sub eax,offset decryptor_code
mov delta_offset,eax
pop eax
; change import table address, save old one
pushad
add eax,offset fake_it-offset decryptor_code
add add1,eax
add add2,eax
add add3,eax
add dword ptr add4,eax
add dword ptr add5,eax
add dword ptr add6,eax
add dword ptr add7,eax
mov ecx,[esi+import_rva]
mov iAddress,ecx
mov [esi+import_rva],eax
mov dword ptr [esi+import_size],(offset end_it-offset fake_it)
popad
add ebx,svd_imgbase
mov [host_eip],ebx ; save it
push esi
call CompressSymbiont
mov ecx,DECRYPTOR_SIZE
;sub ecx,eax
mov edi,map_ptr
add edi,SymbiontOffset
add edi,lastobjimageoff ; add object physical offset
lea esi,decryptor_code ; esi->symbiont code
rep movsb
pop esi ; restore ptr pe hdr
;mov eax,NewRsrcSize
;mov esi[140],eax
;mov ecx,[esi+filealign]
mov eax,RawLastSection
push eax
call file_align_fix
pop ecx
xchg ecx,eax
sub ecx,eax
xor eax,eax
rep stosb ; pad up object to alignment
call unmap ; unmap file
mov error,0 ; if we made it here then no error
jmp unmapped
abort_encrypt:
call unmap ;unmap if aborted infection
unmapped:
call SetFileTime,handle,offset lastwrite,offset lastaccess,offset creation
mov edx,fsize
lea edi,a_org_size
call write_decimal
cmp error,0
jnz skip_align2
mov eax,handle
call AlignFile
skip_align2:
mov edx,fsize
lea edi,a_new_size
call write_decimal
call lstrcat,offset size_txt,offset a_org_size
call lstrcat,offset size_txt,offset inter
call lstrcat,offset size_txt,offset a_new_size
call CloseHandle,handle
call SetFileAttributesA,fnameptr,oldattrib ; restore the original attributes
ret
CompressFile endp
; returns eax=new physical size
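;-----------------------------------------------------------------------
; compress_object - pack one section in place with aP_pack
; entry:   esi -> section data inside the mapped file
;          ecx =  section size in bytes
; returns: eax =  new physical size (csize)
; clobbers: eax, ecx, edx, esi, edi, flags (the Win32 calls clobber ecx/edx)
; Sections of 50h bytes or less are left untouched and their size is
; returned as-is.  Larger ones are packed into a scratch buffer and the
; whole buffer is copied back over the original bytes.  If either scratch
; allocation fails the section is likewise left untouched.
; NOTE(review): in the packed path csize is not written here; it is
; presumably filled in by _aP_pack/pack_callback — confirm.
; NOTE(review): the output buffer is exactly ecx bytes; aPLib documents
; that packed output may exceed the input for incompressible data
; (aP_max_packed_size), and the fixed work buffer below assumes every
; section fits aP_pack's work-memory needs (aP_workmem_size) — confirm both.
;-----------------------------------------------------------------------
compress_object proc
        push    ecx                     ; [esp+8] size, restored as ecx before the copy
        push    esi                     ; [esp+4] section start, becomes edi
        push    ecx                     ; [esp]   size for the decision below
        ; packed-output scratch; zeroed so the copy-back pads with zeros
        call    HeapAlloc,HeapHandle,HEAP_ZERO_MEMORY,ecx
        mov     p_lz_mem,eax
        ; fixed-size work memory for the packer
        call    HeapAlloc,HeapHandle,HEAP_ZERO_MEMORY,(1024*1000)+16
        mov     working_mem,eax
        pop     ecx
        ; both pointers are stored before any branch, so the HeapFree calls
        ; at the end only ever see what was actually returned (NULL or a block)
        test    eax,eax
        jz      simple_copy             ; no work memory: leave section unpacked
        cmp     p_lz_mem,0
        je      simple_copy             ; no output buffer: leave section unpacked
        cmp     ecx,50h
        jbe     simple_copy             ; tiny section: not worth packing
        mov     current_comp_start,esi
        mov     CurrentSectionSize,ecx
        call    _aP_pack,esi,p_lz_mem,ecx,working_mem,offset pack_callback
        pop     edi                     ; edi -> original section bytes
        pop     ecx                     ; ecx =  original size = size of p_lz_mem
        mov     esi,p_lz_mem
        rep     movsb                   ; packed bytes followed by zero padding
        jmp     did_compress_it
simple_copy:
        pop     edi
        pop     ecx
        mov     csize,ecx               ; nothing packed: new size is the old size
did_compress_it:
        call    HeapFree,HeapHandle,0,p_lz_mem
        call    HeapFree,HeapHandle,0,working_mem
        mov     eax,csize
        ret
compress_object endp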
;-----------------------------------------------------------------------
; test_obj - decide whether the section header at eax may be processed
; entry:   eax -> section header (object table entry)
; returns: carry set   = leave this section alone
;          carry clear = ok to process
; clobbers: ebx, flags (esi is preserved)
; A section is rejected when its raw offset or raw size is 0, its virtual
; size is not above minimum_object_size, test_rvas objects, or the first
; four bytes of its name match an entry of the zero-terminated bad_otbl list.
;-----------------------------------------------------------------------
test_obj proc
        push    esi
        cmp     dword ptr [eax+objpoff],0
        je      ret_stc                 ; no raw data on disk
        cmp     dword ptr [eax+objpsize],0
        je      ret_stc                 ; empty on disk
        cmp     dword ptr [eax+objvsize],minimum_object_size
        jbe     ret_stc                 ; too small to bother with
        call    test_rvas
        jc      ret_stc
        lea     esi,bad_otbl            ; esi -> list of 4-byte name prefixes, 0-terminated
bobj_loop:
        mov     ebx,[esi]               ; next list entry (eax keeps the header pointer)
        add     esi,4                   ; same as lodsd with DF clear, the Win32 default
        cmp     ebx,[eax]               ; same first four name bytes?
        je      ret_stc
        test    ebx,ebx                 ; terminating 0 entry?
        jne     bobj_loop
        pop     esi
        clc
        ret
ret_stc:
        pop     esi
        stc
        ret
test_obj endp
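;-----------------------------------------------------------------------
; test_rvas - reject a section that the export directory starts inside of
; entry:   eax -> section header, exporttbl = export directory RVA (0 = none)
; returns: carry set   = export directory lies in this section, leave it
;          carry clear = ok
; clobbers: flags only (all registers restored by popad)
; Logic: export RVA below this section's RVA -> ok; equal -> reject;
; otherwise look at the *next* header: none (RVA 0) or an RVA above the
; export RVA means the directory is inside this section -> reject.
; Reads the following header at [eax+40]; assumes the caller never hands
; in the last entry of the object table — TODO confirm against callers.
; Every exit goes through popad so the stack matches the pushad on entry.
;-----------------------------------------------------------------------
test_rvas proc
        pushad
        mov     edx,exporttbl
        test    edx,edx
        jz      not_bad                 ; image has no exports
        mov     ebx,dword ptr [eax+objrva]
        cmp     ebx,edx                 ; unsigned: RVAs are offsets, never negative
        ja      not_bad                 ; section starts after the export directory
        je      ret_stc2                ; directory starts exactly here
        mov     ebx,dword ptr [eax+40+objrva]   ; next section's RVA
        test    ebx,ebx
        jz      ret_stc2                ; no following section: directory is in here
        cmp     ebx,edx
        ja      ret_stc2                ; directory lies before the next section
not_bad:
        popad
        clc
        ret
ret_stc2:
        popad
        stc
        ret
test_rvas endp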
;-----------------------------------------------------------------------
; GetPEHeader - locate the PE header inside the mapped image
; entry:   eax -> start of the mapped file (DOS header)
; returns: esi -> PE header, also stored in ptrpeheader
; clobbers: esi, flags
; e_lfanew at [eax+3Ch] is used exactly as found in the file; nothing here
; checks that the result stays inside the mapping, so a malformed header
; leaves esi pointing outside the view — callers must validate it.
;-----------------------------------------------------------------------
GetPEHeader proc
        mov     esi,eax
        add     esi,[eax+3Ch]           ; esi = base + e_lfanew
        mov     ptrpeheader,esi
        ret
GetPEHeader endp
; create_mapping - create file mapping of [handle]
; entry: ecx = extra bytes added to the file size when creating the mapping
;
;-----------------------------------------------------------------------
; create_mapping - map [handle] read/write, optionally with extra room
; entry:   ecx = bytes to add to the file size for the mapping (0 = exact)
; returns: carry clear: fsize, maphandle and map_ptr set, eax = map_ptr
;          carry set:   an API call failed (as judged by test_error);
;                       fsize/maphandle/map_ptr are only valid up to the
;                       call that failed, and a mapping object created
;                       before a failed MapViewOfFile stays open
; clobbers: eax, ecx, edx, flags
; Only the low size dword is used; the high dword GetFileSize writes to
; byteswrote is ignored.
;-----------------------------------------------------------------------
create_mapping proc
        push    ecx                     ; ecx does not survive the API call
        call    GetFileSize,handle,offset byteswrote
        call    test_error
        pop     ecx                     ; pop keeps the carry from test_error
        jc      create_abort
        mov     fsize,eax
        add     eax,ecx                 ; mapping size = file size + extra
        call    CreateFileMappingA,handle,0,PAGE_READWRITE,0,eax,0
        call    test_error
        jc      create_abort
        mov     maphandle,eax
        call    MapViewOfFile,eax,FILE_MAP_WRITE,0,0,0
        call    test_error
        jc      create_abort
        mov     map_ptr,eax
create_abort:
        ret
create_mapping endp
; test_error - test API for an error return
; entry: eax=API return
; returns: carry if error
;
;-----------------------------------------------------------------------
; test_error - classify an API return value
; entry:   eax = value returned by the API
; returns: carry set if eax is 0 or -1 (NULL / INVALID_HANDLE_VALUE /
;          INVALID_FILE_SIZE), carry clear otherwise
; clobbers: flags only; eax is untouched so the caller can still use it
;-----------------------------------------------------------------------
test_error proc
        test    eax,eax
        jz      api_err                 ; NULL-style failure
        cmp     eax,-1
        je      api_err                 ; INVALID_HANDLE_VALUE-style failure
        clc
        ret
api_err:
        stc
        ret
test_error endp
; unmap file - Unmap view of file
;
;-----------------------------------------------------------------------
; unmap - release the view and the mapping object of the current file
; uses:    map_ptr, maphandle (as set by create_mapping)
; clobbers: eax, ecx, edx, flags; the return values of both calls are ignored
;-----------------------------------------------------------------------
unmap proc
        push    map_ptr
        call    UnmapViewOfFile
        push    maphandle
        call    CloseHandle
        ret
unmap endp
; rounds eax up to the next multiple of ecx
;
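;-----------------------------------------------------------------------
; file_align_fix / align_fix - round eax up to a multiple of ecx
; file_align_fix: forces ecx = newalign (the file alignment this tool
;                 writes) and falls straight into align_fix
; align_fix:      entry eax = value, ecx = alignment
; returns: eax = smallest multiple of ecx that is >= eax
;          (if that product no longer fits 32 bits, eax holds the low
;          dword and edx the high dword, exactly as mul leaves them)
; clobbers: edx, flags; ecx preserved
; ecx = 0 is possible when the alignment comes from a malformed PE header
; (callers pass the section alignment field); it returns eax unchanged
; instead of faulting in div.
;-----------------------------------------------------------------------
file_align_fix:
        mov     ecx,newalign
align_fix proc
        test    ecx,ecx
        jz      no_align                ; zero alignment: nothing to round to
        xor     edx,edx                 ; edx:eax / ecx
        div     ecx
        test    edx,edx
        jz      no_adjust               ; already a multiple
        inc     eax                     ; remainder: take the next multiple
no_adjust:
        mul     ecx
no_align:
        ret
align_fix endp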
;-----------------------------------------------------------------------
; OpenFile - open the file named at esi for read and write
; entry:   esi -> zero-terminated path
; returns: eax = file handle, or INVALID_HANDLE_VALUE (-1) from CreateFileA
; clobbers: eax, ecx, edx, flags
; Arguments are pushed right to left, as the stdcall CreateFileA expects.
;-----------------------------------------------------------------------
OpenFile proc
        push    0                       ; hTemplateFile
        push    20h                     ; dwFlagsAndAttributes = FILE_ATTRIBUTE_ARCHIVE
        push    3                       ; dwCreationDisposition = OPEN_EXISTING
        push    0                       ; lpSecurityAttributes
        push    0                       ; dwShareMode = no sharing
        push    0c0000000h              ; dwDesiredAccess = GENERIC_READ or GENERIC_WRITE
        push    esi                     ; lpFileName
        call    CreateFileA
        ret
OpenFile endp
newalign equ 200h ; file alignment written into the output image (512 bytes); file_align_fix references it above this definition
;-----------------------------------------------
; align file
; call with eax=handle
;
AlignFile proc
xor ecx,ecx ; only map size of file
call create_mapping ; create file mapping
jc abort_encrypt
mov ecx,fsize
or ecx,ecx ; no file size?
jz abort_align
mov org_fsize,ecx
; eax->mapped file
call GetPEHeader ; load esi->PE Header
mov eax,[esi+filealign]
mov orgalign,eax
was_same:
xor eax,eax
mov ax, word ptr [esi+NtHeaderSize] ; get header size
add eax,18h ; object table is here
add eax,esi
push esi eax
;TiTi/Blizzard contributed the following addition to vgalign
;###########BEGINING OF APPENDED CODE#########################
;lea edi, [esi+headlen] ;beginning of obj table
;virogen slight mod
xchg edi,eax
mov secpt, edi
movzx ecx, word ptr [esi+numObj] ;number of sections
xor ebx, ebx
secloop:
call SqueezeSection
inc ebx
cmp ebx, ecx
je secdone
jmp secloop
secdone:
;###########END OF APPENDED CODE##############################
pop eax esi
pushad
call RemoveReloc,esi,eax
popad
push eax ; save ptr to obj table
xor edx,edx
mov ecx,40
xor eax,eax
mov ax,[esi+numObj]
inc eax
mul ecx
xchg eax,ebx
pop eax
push eax
add eax,ebx
mov ecx,[esi+filealign]
call align_fix
xchg ebx,eax ; ebx->phy. start of first obj
pop eax
mov ecx,ebx
sub ecx,map_ptr
mov [esi+sizehdr],ecx ; save new total size of hdr
mov ecx,newalign
mov [esi+filealign],ecx
movzx ecx,word ptr [esi+numObj] ; get number of objects
mov edi,ebx ; edi->phy. start of first obj
; edi contains pointer to current writing address of the executable
otbl_loop2:
push eax ecx
mov ecx,edi ; ecx->current obj poff
sub ecx,map_ptr ; get real obj poff
mov esi,[eax+objpoff] ; esi->original obj p. off
mov [eax+objpoff],ecx ; save new physical offset at cur
mov ebx,[eax+objvsize] ; get virtual size
cmp ebx,[eax+objpsize] ; bigger than physical size?
jg skip_align ; if so skip re-aligning this one