Protectcode MACRO
;-----------------------------------------------------------------------
; Protectcode: loader stub that is placed in front of the protected program.
; Target:  x86-32 MASM, Win32 stdcall.  Everything between vstart and vend
;          is position independent: ebp holds the relocation delta
;          (runtime address - assembled offset) and every data reference
;          inside the stub goes through [ebp+label].
; Flow:    1. compute the delta,  2. locate kernel32 by scanning backwards
;          from the return address found on the stack,  3. resolve the
;          kernel32 exports listed in lpApiAddrs with GetApiA,  4. load
;          user32 and arm a 5 s timer (TimerProc_ShellCheck),  5. transfer
;          to the original entry point (des_base + des_in).
; Clobb:   eax, ebx, ecx, edx, esi, edi, ebp, flags. Not a callable proc:
;          control leaves through the final push/ret and never comes back.
;-----------------------------------------------------------------------
vstart: ;start of the code that is injected into the program
call nstart
nstart:
pop ebp ;ebp = runtime address of nstart
sub ebp,offset nstart ;ebp = relocation delta used by every [ebp+label] below
mov dword ptr [ebp+appBase],ebp ;global copy of the delta
mov dword ptr [ebp+PROC_s_ebp],ebp ;second copy of the delta
mov eax,[esp] ;return address left by whoever transferred control here; treated as an address inside kernel32
mov [ebp+p_version],eax ;reused at ContineProgram as an OS hint (sign bit set -> Win9x path)
xor edx,edx ;edx must be zero here: the loop below only writes dx
getK32Base:
dec eax ;walk backwards one byte at a time
mov dx,word ptr [eax+IMAGE_DOS_HEADER.e_lfanew] ;low 16 bits of the candidate e_lfanew, i.e. [eax+3ch]
test dx,0f000h ;DOS header + stub are assumed to be below 4096 bytes, so e_lfanew >= 1000h is rejected cheaply
jnz getK32Base
cmp eax,dword ptr [eax+edx+IMAGE_NT_HEADERS.OptionalHeader.ImageBase]
jnz getK32Base ;a candidate is accepted only if its OptionalHeader.ImageBase equals the candidate address itself
; NOTE(review): the scan has no lower bound and no exception guard. If the
; return address is not inside kernel32, or kernel32 was relocated so that
; ImageBase differs from its load address, the loop reads until it faults.
mov [ebp+k32Base],eax ;eax is taken to be the kernel32 module base
lea edi,[ebp+aGetModuleHandle] ;edi -> first slot of the resolved-address table (aGetModuleHandle .. aExitProcess)
lea esi,[ebp+lpApiAddrs] ;esi -> table of name offsets, terminated by a zero dword
lop_get:
lodsd ;eax = assembled offset of the next API name
cmp eax,0 ;zero dword marks the end of lpApiAddrs
jz End_Get
add eax,ebp ;relocate the name pointer
push eax ;arg 2: sApi (pushed first: stdcall, right to left)
push dword ptr [ebp+k32Base] ;arg 1: Base
call GetApiA ;eax = resolved address; GetApiA has no not-found result, so a missing name still yields a non-zero value
stosd ;store into the matching a* slot and advance edi
jmp lop_get
End_Get:
;**************************
;timer setup
;*************************
;---------Begin-----------------resolve the APIs the timer needs
;-> SetTimer
pushad
lea eax,[ebp+offset u32] ;"User32.dll"
push eax
call [ebp+aLoadLibrary] ;LoadLibraryA; the result is not checked for NULL
mov esi,eax ;esi = user32 base (implicit input of DoGetProcAddr)
;address of SendMessageA
lea eax,[ebp+sSendMessageA]
call DoGetProcAddr ;GetProcAddress(esi, eax) -> eax; needs esi and eax set up
mov [ebp+aSendMessageA],eax
;address of SetTimer (it is a user32 export, so the kernel32 pass in lop_get could not resolve it; this overwrites that slot)
lea eax,[ebp+sSetTimer]
call DoGetProcAddr ;GetProcAddress(esi, eax) -> eax; needs esi and eax set up
mov [ebp+aSetTimer],eax
mov eax,offset TimerProc_ShellCheck
add eax,ebp ;relocated callback address
push eax ;lpTimerFunc
push 5000 ;uElapse in milliseconds
push 621h ;nIDEvent (with hWnd NULL, SetTimer hands back its own id, saved below)
push NULL ;hWnd: NULL, so the callback is entered with hDlg==NULL (checked in TimerProc_ShellCheck)
call [ebp+aSetTimer]
.if eax==0
push 0
call [ebp+aExitProcess] ;no timer -> terminate instead of running the original program
.endif
mov ebx,offset COPYDATA ;address of the COPYDATASTRUCT
add ebx,ebp ;relocate
assume ebx:ptr COPYDATASTRUCT
mov [ebx].cbData,eax ;keeps the timer id returned by SetTimer (meant for KillTimer) in cbData
; NOTE(review): cbData is also the byte count WM_COPYDATA hands to every
; receiver for lpData (lpData -> Shellhere is set in TimerProc_ShellCheck).
; Nothing ever sets cbData to the string length, so receivers are given the
; timer id as the size of the payload.
assume ebx:ptr nothing
popad
;---------End-----------------API addresses resolved-----------
ContineProgram:
mov eax,[ebp+p_version] ;return address captured at vstart
test eax,eax
js _9x ;sign bit set (address >= 80000000h) -> treated as Win9x
ExitProc:
mov eax,des_base[ebp] ;presumably the original image base, patched in by the packer -- TODO confirm
add eax,des_in[ebp] ;plus the original entry point -> address to resume at
PSkipDecryptSec:
push eax
ret ;transfer to the original entry point (push/ret instead of an indirect jmp)
_9x:
JMP ExitProc ;the 9x path is currently identical to the NT path
;-----------------------------------------------------------------------
; DWORD K32_api_retrieve(DWORD Base, DWORD sApi)    stdcall, invoked by GetApiA
; Linear search of an export name table for the NUL-terminated name sApi.
; Implicit inputs set up by GetApiA (not parameters):
;   edi = VA of AddressOfNames, ecx = NumberOfNames,
;   edx = VA of AddressOfNameOrdinals
; Out:   eax = AddressOfNameOrdinals[i] for the matching name i, or 0 when
;        no name matches -- callers cannot tell that from a genuine index 0.
; Clobb: ebx, ecx, esi, flags. edx is preserved by push/pop. GetApiA wraps
;        the call in pushad/popad, so the stdcall callee-saved rule is not
;        relied on.
;-----------------------------------------------------------------------
K32_api_retrieve proc Base:DWORD ,sApi:DWORD
push edx ;keep AddressOfNameOrdinals across the loop (edx is reused as a character index)
xor eax,eax ;eax = index into AddressOfNames
Next_Api: ;try export name number eax
mov esi,sApi ;esi -> wanted name, restarted for every export
xor edx,edx
dec edx ;edx = -1, pre-incremented to 0 before the first compare
Match_Api_name:
movzx ebx,byte ptr [esi]
inc esi
cmp ebx,0
je foundit ;wanted name exhausted and every character matched so far -> match
; NOTE(review): the export name is not checked to end here as well, so a
; longer export sharing the prefix (e.g. GetFileSizeEx for GetFileSize)
; would also match; in practice the sorted export table makes the exact
; name come first.
inc edx
push eax
mov eax,[edi+eax*4] ;AddressOfNames[eax] (RVA)
add eax,Base ;RVA -> VA
cmp bl,byte ptr [eax+edx] ;compare one character of the export name
pop eax
je Match_Api_name ;still matching, next character
inc eax ;mismatch: next export name
loop Next_Api ;ecx = names remaining (from GetApiA); ecx==0 on entry would wrap and loop 2^32 times
no_exist:
pop edx ;all names exhausted
xor eax,eax ;return 0 (indistinguishable from index 0)
ret
foundit:
pop edx ;edx = AddressOfNameOrdinals again
;word-sized table, hence *2
movzx eax,word ptr [edx+eax*2] ;eax = index into AddressOfFunctions
ret
K32_api_retrieve endp
;---------------------------------------------
; DWORD GetApiA(DWORD Base, DWORD sApi)    stdcall
; Resolves the export named sApi from the module loaded at Base by walking
; its export directory directly, so it works before GetProcAddress is known.
; Out:   eax = VA of the export. All other registers preserved (pushad/popad).
; Hard-coded PE32 offsets used below:
;   3ch = IMAGE_DOS_HEADER.e_lfanew
;   78h = OptionalHeader.DataDirectory[EXPORT].VirtualAddress, relative to the NT headers
;   18h/1ch/20h/24h = IMAGE_EXPORT_DIRECTORY.NumberOfNames / AddressOfFunctions /
;                     AddressOfNames / AddressOfNameOrdinals
; NOTE(review): K32_api_retrieve returns 0 when the name is absent and that
; value is used as an index here, so a missing export yields
; AddressOfFunctions[0]+Base instead of NULL. The kernel32 pass over
; "SetTimer" in lpApiAddrs hits this case (the loader later overwrites
; that slot from user32).
;---------------------------------------------
GetApiA proc Base:DWORD,sApi:DWORD
local ADDRofFun:DWORD
pushad
mov esi,Base
mov eax,esi
mov ebx,eax
mov ecx,eax
mov edx,eax
mov edi,eax ;every register starts at Base; each then becomes Base + one RVA
add ecx,[ecx+3ch] ;ecx = VA of IMAGE_NT_HEADERS
add esi,[ecx+78h] ;esi = VA of IMAGE_EXPORT_DIRECTORY
add eax,[esi+1ch] ;eax = VA of AddressOfFunctions
mov ADDRofFun,eax ;kept in a local: eax is clobbered by the call below
mov ecx,[esi+18h] ;ecx = NumberOfNames            (implicit input of K32_api_retrieve)
add edx,[esi+24h] ;edx = VA of AddressOfNameOrdinals (implicit input of K32_api_retrieve)
add edi,[esi+20h] ;edi = VA of AddressOfNames      (implicit input of K32_api_retrieve)
invoke K32_api_retrieve,Base,sApi ;eax = index into AddressOfFunctions (0 if not found)
mov ebx,ADDRofFun
mov eax,[ebx+eax*4] ;AddressOfFunctions[eax] is a dword RVA, hence *4
add eax,Base ;RVA -> VA
mov [esp+7*4],eax ;overwrite the eax slot saved by pushad so that popad returns the result
popad
ret
GetApiA endp
; DoGetProcAddr: GetProcAddress(esi, eax) kept in its own routine so the loader code stays small.
; In:    eax = address of the API name string
;        esi = target dll base
;        ebp = relocation delta (aGetProcAddress is read through [ebp+...])
; Out:   eax = procedure address, 0 if GetProcAddress fails (callers do not check)
; Clobb: ecx, edx, flags (stdcall callee); esi survives the call
DoGetProcAddr:
push eax ;lpProcName (pushed first: stdcall, right to left)
push esi ;hModule
call [ebp+aGetProcAddress]
ret
;----the API-address helpers end here
;-----------------------------------------------------------------------
; VOID CALLBACK TimerProc_ShellCheck(HWND hDlg, UINT uMsg, UINT idEvent, DWORD dwTime)
; TIMERPROC armed by the SetTimer call in the loader; fires every 5 s.
; When hDlg is NULL (always the case, since SetTimer was given hWnd=NULL) it
; sends WM_COPYDATA with dwData=123h and lpData->"My ShellHere" to every
; top-level window (SendMessageA is synchronous, so the callback blocks until
; all receivers have handled it) and returns with every register preserved.
; Position independence: ebp is recomputed with a call/pop because the
; callback is entered with an arbitrary ebp; pushad/popad restores the frame
; pointer set up by the MASM prologue before the generated epilogue runs.
; NOTE(review): if hDlg were non-NULL, execution would fall off .ENDIF into
; the data items below (COPYDATA, Shellhere, ...) -- there is no ret on that
; path.
;-----------------------------------------------------------------------
TimerProc_ShellCheck Proc hDlg:HWND, uMsg:UINT, idEvent:UINT, dwTime:DWORD
.IF hDlg==NULL
;SendShellMessage code here
pushad
call _Timer_ShellCheck_Get_Ebp
_Timer_ShellCheck_Get_Ebp:
pop ebp
sub ebp,offset _Timer_ShellCheck_Get_Ebp ;ebp = relocation delta (the same value the loader stored in appBase)
mov eax,offset COPYDATA ;address of the COPYDATASTRUCT
add eax,ebp ;relocate
assume eax:ptr COPYDATASTRUCT
mov [eax].dwData,123h ;marker the receiver is expected to check
mov ebx,offset Shellhere
add ebx,ebp
mov [eax].lpData,ebx ;lpData -> "My ShellHere"; cbData is NOT set here, it still holds the timer id stored by the loader
push eax ;lParam = COPYDATASTRUCT*
push NULL ;wParam = sender window (none)
push WM_COPYDATA ;Msg
push HWND_BROADCAST ;hWnd: every top-level window
call [ebp+aSendMessageA]
popad
ret
.ENDIF
; NOTE(review): `assume eax:ptr COPYDATASTRUCT` above is never reverted
; (compare the assume ... nothing pairing in the loader).
; data used by the callback, kept inside the proc so it is emitted right after it
COPYDATA COPYDATASTRUCT<>
Shellhere db "My ShellHere",0
sSendMessageA db "SendMessageA",0
aSendMessageA dd 0;
TimerProc_ShellCheck endp
;-----------------------------------------------------------------------
; Loader data. Everything here is addressed as [ebp+label] (ebp = relocation delta).
;-----------------------------------------------------------------------
des_in dd 0 ;entry point of the original program (added to des_base at ExitProc)
des_base dd 0 ;presumably the original image base, filled in by the packer -- TODO confirm
p_version dd 0 ;return address captured at vstart; its sign bit selects the 9x/NT branch
u32 db "User32.dll",0
k32 db "Kernel32.dll",0 ;not referenced by the visible code
pSMem dd 0 ;not referenced by the visible code
appBase dd ? ;relocation delta (global copy of ebp)
k32Base dd ? ;kernel32 base found by getK32Base
;-----------------------------------------apis needed
; lpApiAddrs: assembled offsets of the name strings. lop_get resolves them in
; order and stores the results in order into aGetModuleHandle..aExitProcess,
; so the two tables must list the same APIs in the same order.
; NOTE(review): they currently do not: entries 10 and 11 are sSetEndOfFile,
; sSetFilePointer here but aSetFilePointer, aSetEndOfFile in the result table,
; so those two slots receive each other's address. Neither slot is used by the
; visible code. "SetTimer" is a user32 export; the loader re-resolves it from
; user32 after this pass.
lpApiAddrs label near
dd offset sGetModuleHandle
dd offset sGetProcAddress
dd offset sLoadLibrary
dd offset sSetTimer
dd offset sSetThreadPriority
dd offset sMapViewOfFile
dd offset sUnmapViewOfFile
dd offset sCloseHandle
dd offset sGetFileSize
dd offset sSetEndOfFile
dd offset sSetFilePointer
dd offset sExitProcess
dd 0,0 ;terminator tested by lop_get (cmp eax,0)
sGetModuleHandle db "GetModuleHandleA",0
sGetProcAddress db "GetProcAddress",0
sLoadLibrary db "LoadLibraryA",0
sSetTimer db "SetTimer",0
sSetThreadPriority db "SetThreadPriority",0
sMapViewOfFile db "MapViewOfFile",0
sUnmapViewOfFile db "UnmapViewOfFile",0
sCloseHandle db "CloseHandle",0
sGetFileSize db "GetFileSize",0
sSetFilePointer db "SetFilePointer",0
sSetEndOfFile db "SetEndOfFile",0
sExitProcess db "ExitProcess",0
; resolved addresses, written by lop_get (stosd) in lpApiAddrs order
aGetModuleHandle dd 0
aGetProcAddress dd 0
aLoadLibrary dd 0
aSetTimer dd 0 ;overwritten with the user32 address by the timer setup
aSetThreadPriority dd 0
aMapViewOfFile dd 0
aUnmapViewOfFile dd 0
aCloseHandle dd 0
aGetFileSize dd 0
aSetFilePointer dd 0 ;receives SetEndOfFile's address, see note above
aSetEndOfFile dd 0 ;receives SetFilePointer's address, see note above
aExitProcess dd 0
; HookProc data
;
dwTest DD 0 ;not referenced by the visible code
dwBytesRead DD 0 ;not referenced by the visible code
pExitProcess DD 0 ;not referenced by the visible code
PROC_s_ebp dd 0 ;copy of the relocation delta stored at vstart
HookProcEnd:
;-----------------------<end of the stub data>
vend: ;end of the injected code
ENDM