📄 morphine.cpp
字号:
add ecx,[ebp-01D0h] //+NtHeaders.OptionalHeader.AddressOfEntryPoint
mov [eax+01Ch],ecx //InLoadOrderModuleList.EntryPoint => rewrite old entrypoint
mov ecx,[ebp-01A8h] //NtHeaders.OptionalHeader.SizeOfImage
mov [eax+020h],ecx //InLoaderOrderModuleList.SizeOfImage => rewrite old sizeofimage
jmp _DynLoader_ImportFixup
_DynLoader_in_module_list_next:
cmp [eax],esi //.IF(InLoadOrderModuleList.Flink == first record)
jz _DynLoader_ImportFixup
mov eax,[eax] //record = InLoadOrderModuleList.Flink
jmp _DynLoader_in_module_list_one
_DynLoader_ImportFixup:
mov ebx,[ebp-0178h] //NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
test ebx,ebx
jz _DynLoader_export_fixup
mov esi,[ebp-00Ch] //FileData
add ebx,esi //FileData + NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
_DynLoader_ImportFixup_module:
mov eax,[ebx+00Ch] //TImageImportDescriptor.Name
test eax,eax
jz _DynLoader_export_fixup
mov ecx,[ebx+010h] //TImageImportDescriptor.FirstThunk
add ecx,esi
mov [ebp-03Ch],ecx //Thunk
mov ecx,[ebx] //TImageImportDescriptor.Characteristics
test ecx,ecx
jnz _DynLoader_ImportFixup_table
mov ecx,[ebx+010h]
_DynLoader_ImportFixup_table:
add ecx,esi
mov [ebp-040h],ecx //HintName
add eax,esi //TImageImportDescriptor.Name + FileData = ModuleName
push eax //lpLibFileName
mov eax,[ebp+010h] //ImportThunk.LoadLibrary
call [eax] //LoadLibrary
test eax,eax
jz _DynLoader_end
mov edi,eax
_DynLoader_ImportFixup_loop:
mov ecx,[ebp-040h] //HintName
mov edx,[ecx] //TImageThunkData.Ordinal
test edx,edx
jz _DynLoader_ImportFixup_next_module
test edx,080000000h //.IF( import by ordinal )
jz _DynLoader_ImportFixup_by_name
and edx,07FFFFFFFh //get ordinal
jmp _DynLoader_ImportFixup_get_addr
_DynLoader_ImportFixup_by_name:
add edx,esi //TImageThunkData.Ordinal + FileData = OrdinalName
inc edx
inc edx //OrdinalName.Name
_DynLoader_ImportFixup_get_addr:
push edx //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
mov ecx,[ebp-03Ch] //HintName
mov [ecx],eax
add dword ptr [ebp-03Ch],004h //Thunk => next Thunk
add dword ptr [ebp-040h],004h //HintName => next HintName
jmp _DynLoader_ImportFixup_loop
_DynLoader_ImportFixup_next_module:
add ebx,014h //sizeof(TImageImportDescriptor)
jmp _DynLoader_ImportFixup_module
_DynLoader_export_fixup:
//go through all loaded modules and search for IAT section for our module
//then change image base in all imports there
// int 3
mov eax,fs:[000000030h] //TEB.PPEB
mov eax,[eax+00Ch] //PEB.LoaderData
mov ebx,[eax+00Ch] //LoaderData.InLoadOrderModuleList
mov [ebp-070h],ebx //FirstModule
_DynLoader_export_fixup_process_module:
mov edx,[ebx+018h] //InLoadOrderModuleList.BaseAddress
cmp edx,[ebp-050h] //ImageBase
jz _DynLoader_export_fixup_next
push edx
push 004h //ucb
push edx //lp
call [ebp-07Ch] //IsBadReadPtr
pop edx
test eax,eax
jnz _DynLoader_export_fixup_next
mov edi,edx
add edi,[edi+03Ch] //IMAGE_DOS_HEADER.e_lfanew
mov edi,[edi+080h] //NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
test edi,edi
jz _DynLoader_export_fixup_next
add edi,edx //+ module.ImageBase
_DynLoader_export_fixup_check_idt:
xor eax,eax
push edi
push 005h //sizeof(ImportDirectoryTable)/4
pop ecx
rep scasd //test for null Directory Entry
pop edi
jz _DynLoader_export_fixup_next
mov esi,[edi+010h] //ImportSection.ImportAddressTableRVA
add esi,[ebx+018h] //+ module.ImageBase
mov eax,[esi] //first IAT func address
sub eax,[ebp-050h] //- ImageBase
jb _DynLoader_export_fixup_next_idir//this is not our import
cmp eax,[ebp-048h] //ImageSize
jbe _DynLoader_export_fixup_prefixaddr //this is our import
_DynLoader_export_fixup_next_idir:
add edi,014h //+ sizeof(IDT) = next IDT
jmp _DynLoader_export_fixup_check_idt
_DynLoader_export_fixup_prefixaddr:
push 01Ch //dwLength = sizeof(MemoryBasicInformation)
lea eax,[ebp-09Ch] //MemoryBasicInformation
push eax //lpBuffer
push esi //lpAddress
call [ebp-078h] //VirtualQuery
lea eax,[ebp-088h] //MemoryBasicInformation.Protect
push eax //lpflOldProtect
push PAGE_READWRITE //flNewProtect
push dword ptr [ebp-090h] //dwSize = MemoryBasicInformation.RegionSize
push dword ptr [ebp-09Ch] //lpAddress = MemoryBasicInformation.BaseAddress
call [ebp-074h] //VirtualProtect
test eax,eax
jz _DynLoader_export_fixup_next
push edi
mov edi,esi
_DynLoader_export_fixup_fixaddr:
lodsd
test eax,eax
jz _DynLoader_export_fixup_protect_back
sub eax,[ebp-050h] //- ImageBase
add eax,[ebp-00Ch] //+ FileData
stosd
jmp _DynLoader_export_fixup_fixaddr
_DynLoader_export_fixup_protect_back:
lea eax,[ebp-084h] //MemoryBasicInformation.Type (just need some pointer)
push eax //lpflOldProtect
push dword ptr [ebp-088h] //flNewProtect = MemoryBasicInformation.Protect
push dword ptr [ebp-090h] //dwSize = MemoryBasicInformation.RegionSize
push dword ptr [ebp-09Ch] //lpAddress = MemoryBasicInformation.BaseAddress
call [ebp-074h] //VirtualProtect
pop edi
jmp _DynLoader_export_fixup_next_idir
_DynLoader_export_fixup_next:
mov ebx,[ebx]
cmp ebx,[ebp-070h] //.IF(InLoadOrderModuleList.Flink == FirstModule)
jnz _DynLoader_export_fixup_process_module
_DynLoader_run:
// int 3
mov eax,[ebp-01D0h] //NtHeaders.OptionalHeader.AddressOfEntryPoint
add eax,[ebp-00Ch] //NtHeaders.OptionalHeader.AddressOfEntryPoint + FileData = EntryPoint
_DynLoader_end:
mov ecx,[ebp-00Ch] //we need FileData
pop esi
pop edi
pop ebx
LEAVE
RETN 00Ch
_DynLoader_fill_image_info:
//these values give info about our image, info is filled before DynLoader is put into
//final executable, we find their offset going from DynLoader_end searching for DYN_LOADER_END_MAGIC
MOV DWORD PTR [EBP-044h],012345678h //ImageType
MOV DWORD PTR [EBP-048h],012345678h //ImageSize
MOV DWORD PTR [EBP-04Ch],012345678h //ImageEntryPoint
MOV DWORD PTR [EBP-054h],012345678h //OrgImageSize
RETN
DWORD_TYPE(DYN_LOADER_END_MAGIC)
}
}
void DynLoader_end()
{
_asm;
}
__stdcall void DynCoder(PCHAR AAddr,DWORD ASize,PCHAR AKey)
{
_asm
{
//this one only smashes a memory a little bit using a key
_Coder_begin:
push edi
push esi
_Coder_main_loop:
mov edi,[ebp+008h] //AAddr
mov ecx,[ebp+00Ch] //ASize
shr ecx,002h
_Coder_pre_code:
mov esi,[ebp+010h] //AKey
_Coder_code:
mov eax,[esi]
test eax,0FF000000h
jz _Coder_pre_code
_Coder_do_code:
add eax,ecx
xor eax,[edi] //smash it
stosd //store it
inc esi
loop _Coder_code
_Coder_end:
pop esi
pop edi
leave
ret 00Ch
}
}
//this one is to support tls loading mechanism
//returns pointer to raw data in old pe of data on VA specified by AVirtAddr
//or NULL if no section contains this data
DWORD VirtAddrToPhysAddr(PCHAR Base, DWORD ARVA)
{
DWORD _offset;
PIMAGE_SECTION_HEADER section;
PIMAGE_NT_HEADERS NtHeaders;
NtHeaders=ImageNtHeader(Base);
section=ImageRvaToSection(NtHeaders,Base,ARVA);
if(section==NULL)
{
return(0);
}
_offset=ARVA+section->PointerToRawData-section->VirtualAddress;
return(_offset);
}
//converts RVA to RAW pointer
PCHAR RVA2RAW(PCHAR Base, DWORD ARVA)
{
DWORD RAW;
RAW=VirtAddrToPhysAddr(Base,ARVA);
return(Base+RAW);
}
//counts size of tls callbacks array
DWORD GetTlsCallbacksLen(PDWORD ACallbacks)
{
PDWORD LPC;
DWORD Result=4;
LPC=ACallbacks;
while(*LPC!=0)
{
Result+=4;
LPC++;
}
return(Result);
}
//does rounding up
DWORD RoundSize(DWORD ASize,DWORD AAlignment)
{
return(DWORD((ASize+AAlignment-1)/AAlignment)*AAlignment);
}
DWORD Random(DWORD dwRange)
{
DWORD RValue;
DWORD rand_by_rang;
// generate new random number
RValue= rand();
// force dwRange//the last rang is RAND_MAX
if(dwRange!=0)rand_by_rang=RValue%dwRange;
else rand_by_rang=0;
return(rand_by_rang);
}
//srand should only called one time !!!
void InitRandom()
{
//manage the random generator //srand(GetTickCount());
srand((unsigned)time(NULL));
}
//generates a buffer of pseudo-random values from 1 to 255
void GenerateRandomBuffer(PBYTE ABuf,DWORD ASize)
{
DWORD i;
srand(0);
//InitRandom();
for(i=0;i<ASize;i++)
{
*ABuf=(BYTE)Random(0xFE)+1;
ABuf++;
}
}
//generetes a key for encoding data
//key is pseudo-random buffer ending with 0
void GenerateKey(PBYTE AKey,WORD ASize)
{
GenerateRandomBuffer(AKey,ASize);
memset(AKey+ASize-1,0,1);
}
//throw the dice
void ThrowTheDice(DWORD *ADice, DWORD ASides=6)
{
*ADice=Random(ASides)+1;
}
//throw the dice
void ThrowTheDice(WORD *ADice, WORD ASides=6)
{
*ADice=(BYTE)Random(ASides)+1;
}
//throw the dice
void ThrowTheDice(BYTE *ADice, BYTE ASides=6)
{
*ADice=(BYTE)Random(ASides)+1;
}
//select one of eax,ecx,edx,ebx,esp,ebp,esi,edi
BYTE RandomReg32All()
{
return((BYTE)Random(Reg32Count));
}
//select one of ax,cx,dx,bx,sp,bp,si,di
BYTE RandomReg16All()
{
return((BYTE)Random(Reg16Count));
}
//select one of al,cl,dl,bl,ah,ch,dh,bh
BYTE RandomReg8ABCD()
{
return((BYTE)Random(Reg8Count));
}
//select one of eax,ecx,edx,ebx,-,ebp,esi,edi
BYTE RandomReg32Esp()
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -