// Byte-emission helpers for MSVC inline assembly. Each macro expands to one or
// more `__asm _emit` statements, so the given bytes are placed directly into
// the code stream at the point of use (e.g. DWORD_TYPE(DYN_LOADER_DEC_MAGIC)
// inside DynLoader below). Multi-byte variants emit the least-significant
// byte first (little-endian).
// NOTE(review): the macro argument is not parenthesized inside the shift
// expressions, so pass a plain constant or an already-parenthesized expression.
// 1 byte
#define BYTE_TYPE(x) __asm _emit x
// 2 bytes, little-endian
#define WORD_TYPE(x) BYTE_TYPE((x>>(0*8))&0xFF) BYTE_TYPE((x>>(1*8))&0xFF)
// 4 bytes, little-endian
#define DWORD_TYPE(x) BYTE_TYPE((x>>(0*8))&0xFF) BYTE_TYPE((x>>(1*8))&0xFF) BYTE_TYPE((x>>(2*8))&0xFF) BYTE_TYPE((x>>(3*8))&0xFF)
// 8 bytes
// NOTE(review): this expands to DWORD_TYPE(x) twice, i.e. the low 32 bits of x
// are emitted twice and bits 32..63 are never emitted. That is only correct for
// values whose two halves are equal; if a genuine 64-bit constant is ever
// passed, the second half should be DWORD_TYPE of (x>>32) — confirm intent.
#define DWORD64_TYPE(x) DWORD_TYPE(x) DWORD_TYPE(x)
//---------------------------------------------------------
// BB(x): single-byte emit, identical to BYTE_TYPE(x).
#define BB(x) __asm _emit x
// DB: one 0xCC byte (the x86 int3 opcode) — presumably a placeholder/filler
// byte; confirm against the uses.
#define DB BYTE_TYPE(0xCC)
// DD: four 0xCC bytes.
#define DD DWORD_TYPE(0xCC)
__stdcall void DynLoader()
{
_asm
{
//THE LOADER!
//this loads pe file to memory from MainData
//fixup relocations
//fixup imports
//fixup exports
//doesn't protect pages - cuz we don't need this !?
//
push 012345678h //LoadLibrary
push 012345678h //GetProcAddress
push 012345678h //Addr of MainData
//now lil hack
//we use rva for maindata, but we don't know image base
//we get eip and and it with 0FFFFF000h which does
//from 000401XXXh something like 000401000h that's why we
//have to be sure this code is not after 2000h, but WE DO know it
call _get_eip
_get_eip:
pop eax
and eax,0FFFFF000h
add [esp],eax
add [esp+004h],eax
add [esp+008h],eax
call _DynLoader_begin
//one more hack here
//code in LoadLibrary that call DllMain saves its esp into esi
//but we modify esi a lot and we shouldn't do this, also ebp for NT4 is need to safe
//but we can fix this up, cuz we know we left esp and it has right value
//so add sum 010h for DllMain params + ret addr and here we go
// mov esi,esp
//popad without eax and ecx
pop edi
pop esi
pop ebp
add esp,004h
pop ebx
pop edx
add esp,008h
mov [esp+004h],ecx //change DllMain.hinstDLL
// int 3
jmp eax //jump to entrypoint
_DynLoader_begin:
//we've got image base in eax (except ax), save it to ebp-050h
push ebp
mov ebp,esp
sub esp,00000200h
/*
-01F8..-0100 - IMAGE_NT_HEADERS NtHeaders
-09C - MemoryBasicInformation.BaseAddress
-098 - MemoryBasicInformation.AllocationBase
-094 - MemoryBasicInformation.AllocationProtect
-090 - MemoryBasicInformation.RegionSize
-08C - MemoryBasicInformation.State
-088 - MemoryBasicInformation.Protect
-084 - MemoryBasicInformation.Type
-07C - PVOID IsBadReadPtr()
-078 - PVOID VirtualQuery()
-074 - PVOID VirtualProtect()
-070 - DWORD FirstModule
-054 - DWORD OrgImageSize
-050 - DWORD ImageBase
-04C - DWORD ImageEntryPoint
-048 - DWORD ImageSize
-044 - DWORD ImageType
-040 - DWORD HintName
-03C - DWORD Thunk
-038..-010 - IMAGE_SECTION_HEADER Section
-00C - PCHAR FileData
-008 - DWORD ImageSizeOrg:Cardinal
-004 - DWORD ImageBaseOrg:Cardinal
+008 - PCHAR AddrOfMainData:Pointer
+00C - PVOID GetProcAddress()
+010 - PVOID LoadLibrary()
*/
push ebx //save ebx, edi, esi
push edi
push esi
and eax,0FFFF0000h
mov [ebp-050h],eax //save ImageBase
mov ecx,00008000h
_DynLoader_fake_loop:
add eax,0AF631837h
xor ebx,eax
add bx,ax
rol ebx,007h
loop _DynLoader_fake_loop
//HERE you can insert our own crypto routine
//esp and ebp should not be changed
push dword ptr [ebp+008h] //AAddr
DWORD_TYPE(DYN_LOADER_DEC_MAGIC)
//\end of crypto routine
call _DynLoader_fill_image_info
push 000h
push 06C6C642Eh
push 032336C65h
push 06E72656Bh //kernel32.dll on stack
push esp //lpLibFileName
mov eax,[ebp+010h] //ImportThunk.LoadLibrary
call [eax] //LoadLibrary
add esp,010h
mov edi,eax
push 000h
push 0636F6C6Ch
push 0416C6175h
push 074726956h //VirtualAlloc on stack
push esp //lpProcName
push eax //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h
mov ebx,eax
test eax,eax
jz _DynLoader_end
push 000007463h
push 065746f72h
push 0506C6175h
push 074726956h //VirtualProtect on stack
push esp //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h
mov [ebp-074h],eax //VirtualProtect
test eax,eax
jz _DynLoader_end
push 000h
push 079726575h
push 0516C6175h
push 074726956h //VirtualQuery on stack
push esp //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h
mov [ebp-078h],eax //VirtualQuery
test eax,eax
jz _DynLoader_end
push 000h
push 072745064h
push 061655264h
push 061427349h //IsBadReadPtr on stack
push esp //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h
mov [ebp-07Ch],eax //IsBadReadPtr
test eax,eax
jz _DynLoader_end
lea edi,[ebp-01F8h] //NtHeaders
push edi
mov esi,[ebp+008h] //IMAGE_DOS_HEADER
add esi,[esi+03Ch] //IMAGE_DOS_HEADER.e_lfanew
push 03Eh //WORD(sizeof(NtHeaders) / 4)
pop ecx
rep movsd
pop edi
mov eax,[edi+034h] //NtHeaders.OptionalHeader.ImageBase
mov [ebp-004h],eax //ImageBaseOrg
mov ecx,[edi+050h] //NtHeaders.OptionalHeader.SizeOfImage
mov [ebp-008h],ecx //ImageSizeOrg
push ecx
push PAGE_EXECUTE_READWRITE //flProtect
push MEM_COMMIT or MEM_RESERVE //flAllocationType
push ecx //dwSize
push eax //lpAddress
call ebx //VirtualAlloc
pop ecx
test eax,eax
jnz _DynLoader_alloc_done
push PAGE_EXECUTE_READWRITE //flProtect
push MEM_COMMIT //flAllocationType
push ecx //dwSize
push eax //lpAddress
call ebx //VirtualAlloc
test eax,eax
jz _DynLoader_end
_DynLoader_alloc_done:
mov [ebp-00Ch],eax //FileData
mov edi,eax
mov esi,[ebp+008h] //IMAGE_DOS_HEADER
push esi
mov ecx,esi //IMAGE_DOS_HEADER
add ecx,[esi+03Ch] //+IMAGE_DOS_HEADER.e_lfanew = NtHeaders
mov ecx,[ecx+054h] //NtHeaders.SizeOfHeaders
rep movsb
pop esi
add esi,[esi+03Ch] //IMAGE_NT_HEADERS
add esi,0F8h //+sizeof(IMAGE_NT_HEADERS) = section headers
_DynLoader_LoadSections:
mov eax,[ebp+008h] //IMAGE_DOS_HEADER
add eax,[eax+03Ch] //IMAGE_DOS_HEADER.e_lfanew
movzx eax,[eax+006h] //NtHeaders.FileHeader.NumberOfSections
_DynLoader_LoadSections_do_section:
lea edi,[ebp-038h] //Section
push edi
push 00Ah //WORD(sizeof(TImageSectionHeader) / 4)
pop ecx
rep movsd
pop edi
_DynLoader_LoadSections_copy_data:
mov edx,[edi+014h] //Section.PointerToRawData
test edx,edx
jz _DynLoader_LoadSections_next_section
push esi
mov esi,[ebp+008h] //AHostAddr
add esi,edx //AHostAddr + Section.PointerToRawData
mov ecx,[edi+010h] //Section.SizeOfRawData
mov edx,[edi+00Ch] //Section.VirtualAddress
mov edi,[ebp-00Ch] //FileData
add edi,edx //FileData + Section.VirtualAddress
rep movsb
pop esi
_DynLoader_LoadSections_next_section:
dec eax
jnz _DynLoader_LoadSections_do_section
mov edx,[ebp-00Ch] //FileData
sub edx,[ebp-004h] //Delta = FileData - ImageBaseOrg
je _DynLoader_PEBTEBFixup
_DynLoader_RelocFixup:
mov eax,[ebp-00Ch] //FileData
mov ebx,eax
add ebx,[ebx+03Ch] //IMAGE_DOS_HEADER.e_lfanew
mov ebx,[ebx+0A0h] //IMAGE_DIRECTORY_ENTRY_BASERELOC.VirtualAddress
test ebx,ebx
jz _DynLoader_PEBTEBFixup
add ebx,eax
_DynLoader_RelocFixup_block:
mov eax,[ebx+004h] //ImageBaseRelocation.SizeOfBlock
test eax,eax
jz _DynLoader_PEBTEBFixup
lea ecx,[eax-008h] //ImageBaseRelocation.SizeOfBlock - sizeof(TImageBaseRelocation)
shr ecx,001h //WORD((ImageBaseRelocation.SizeOfBlock - sizeof(TImageBaseRelocation)) / sizeof(Word))
lea edi,[ebx+008h] //PImageBaseRelocation + sizeof(TImageBaseRelocation)
_DynLoader_RelocFixup_do_entry:
movzx eax,word ptr [edi] //Entry
push edx
mov edx,eax
shr eax,00Ch //Type = Entry >> 12
mov esi,[ebp-00Ch] //FileData
and dx,00FFFh
add esi,[ebx] //FileData + ImageBaseRelocation.VirtualAddress
add esi,edx //FileData + ImageBaseRelocation.VirtualAddress+Entry & 0x0FFF
pop edx
_DynLoader_RelocFixup_HIGH:
dec eax
jnz _DynLoader_RelocFixup_LOW
mov eax,edx
shr eax,010h //HIWORD(Delta)
jmp _DynLoader_RelocFixup_LOW_fixup
_DynLoader_RelocFixup_LOW:
dec eax
jnz _DynLoader_RelocFixup_HIGHLOW
movzx eax,dx //LOWORD(Delta)
_DynLoader_RelocFixup_LOW_fixup:
add word ptr [esi],ax
jmp _DynLoader_RelocFixup_next_entry
_DynLoader_RelocFixup_HIGHLOW:
dec eax
jnz _DynLoader_RelocFixup_next_entry
add [esi],edx
_DynLoader_RelocFixup_next_entry:
inc edi
inc edi //Entry++
loop _DynLoader_RelocFixup_do_entry
_DynLoader_RelocFixup_next_base:
add ebx,[ebx+004h] //ImageBaseRelocation + ImageBaseRelocation.SizeOfBlock
jmp _DynLoader_RelocFixup_block
_DynLoader_PEBTEBFixup:
//we have some bad pointers in InLoadOrderModuleList, we have to change the base of our module
//and if we are executable (not dll) we have to change base address in PEB too
//for VB programs we need to do it now, because its libraries is reading this stuff
//in ImportFixup section
// int 3
mov ecx,[ebp-00Ch] //FileData
mov edx,[ebp-050h] //ImageBase
add [ebp-04Ch],edx //ImageEntryPoint
mov eax,fs:[000000030h] //TEB.PPEB
cmp dword ptr [ebp-044h],IMAGE_TYPE_EXE //check image type = IMAGE_TYPE_EXE
jnz _DynLoader_in_module_list
mov [eax+008h],ecx //PEB.ImageBaseAddr => rewrite old imagebase
_DynLoader_in_module_list:
mov eax,[eax+00Ch] //PEB.LoaderData
mov eax,[eax+00Ch] //LoaderData.InLoadOrderModuleList
//now find our module in the list (same base, same size and same entry point)
mov esi,eax //first record
_DynLoader_in_module_list_one:
mov edx,[eax+018h] //InLoadOrderModuleList.BaseAddress
cmp edx,[ebp-050h] //ImageBase
jnz _DynLoader_in_module_list_next
mov edx,[eax+01Ch] //InLoaderOrderModuleList.EntryPoint
cmp edx,[ebp-04Ch] //ImageEntryPoint
jnz _DynLoader_in_module_list_next
mov edx,[eax+020h] //InLoaderOrderModuleList.SizeOfImage
cmp edx,[ebp-048h] //ImageSize
jnz _DynLoader_in_module_list_next
mov [eax+018h],ecx //InLoadOrderModuleList.BaseAddress => rewrite old imagebase