📄 morphine.dpr
字号:
push 000h
push 06C6C642Eh
push 032336C65h
push 06E72656Bh //kernel32.dll on stack
push esp //lpLibFileName
mov eax,[ebp+010h] //ImportThunk.LoadLibrary
call [eax] //LoadLibrary
add esp,010h
mov edi,eax
push 000h
push 0636F6C6Ch
push 0416C6175h
push 074726956h //VirtualAlloc on stack
push esp //lpProcName
push eax //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h
mov ebx,eax
test eax,eax
jz @DynLoader_end
push 000007463h
push 065746f72h
push 0506C6175h
push 074726956h //VirtualProtect on stack
push esp //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h
mov [ebp-074h],eax //VirtualProtect
test eax,eax
jz @DynLoader_end
push 000h
push 079726575h
push 0516C6175h
push 074726956h //VirtualQuery on stack
push esp //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h
mov [ebp-078h],eax //VirtualQuery
test eax,eax
jz @DynLoader_end
push 000h
push 072745064h
push 061655264h
push 061427349h //IsBadReadPtr on stack
push esp //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
add esp,010h
mov [ebp-07Ch],eax //IsBadReadPtr
test eax,eax
jz @DynLoader_end
lea edi,[ebp-01F8h] //NtHeaders
push edi
mov esi,[ebp+008h] //TImageDosHeader
add esi,[esi+03Ch] //TImageDosHeader._lfanew
push 03Eh //SizeOf(NtHeaders) div 4
pop ecx
rep movsd
pop edi
mov eax,[edi+034h] //NtHeaders.OptionalHeader.ImageBase
mov [ebp-004h],eax //ImageBaseOrg
mov ecx,[edi+050h] //NtHeaders.OptionalHeader.SizeOfImage
mov [ebp-008h],ecx //ImageSizeOrg
push ecx
push PAGE_EXECUTE_READWRITE //flProtect
push MEM_COMMIT or MEM_RESERVE //flAllocationType
push ecx //dwSize
push eax //lpAddress
call ebx //VirtualAlloc
pop ecx
test eax,eax
jnz @DynLoader_alloc_done
push PAGE_EXECUTE_READWRITE //flProtect
push MEM_COMMIT //flAllocationType
push ecx //dwSize
push eax //lpAddress
call ebx //VirtualAlloc
test eax,eax
jz @DynLoader_end
@DynLoader_alloc_done:
mov [ebp-00Ch],eax //FileData
mov edi,eax
mov esi,[ebp+008h] //TImageDosHeader
push esi
mov ecx,esi //TImageDosHeader
add ecx,[esi+03Ch] //+TImageDosHeader._lfanew = NtHeaders
mov ecx,[ecx+054h] //NtHeaders.SizeOfHeaders
rep movsb
pop esi
add esi,[esi+03Ch] //TImageNtHeaders
add esi,0F8h //+SizeOf(TImageNtHeaders) = section headers
@DynLoader_LoadSections:
mov eax,[ebp+008h] //TImageDosHeader
add eax,[eax+03Ch] //TImageDosHeader._lfanew
movzx eax,[eax+006h] //NtHeaders.FileHeader.NumberOfSections
@DynLoader_LoadSections_do_section:
lea edi,[ebp-038h] //Section
push edi
push 00Ah //SizeOf(TImageSectionHeader) div 4
pop ecx
rep movsd
pop edi
@DynLoader_LoadSections_copy_data:
mov edx,[edi+014h] //Section.PointerToRawData
test edx,edx
jz @DynLoader_LoadSections_next_section
push esi
mov esi,[ebp+008h] //AHostAddr
add esi,edx //AHostAddr + Section.PointerToRawData
mov ecx,[edi+010h] //Section.SizeOfRawData
mov edx,[edi+00Ch] //Section.VirtualAddress
mov edi,[ebp-00Ch] //FileData
add edi,edx //FileData + Section.VirtualAddress
rep movsb
pop esi
@DynLoader_LoadSections_next_section:
dec eax
jnz @DynLoader_LoadSections_do_section
mov edx,[ebp-00Ch] //FileData
sub edx,[ebp-004h] //Delta = FileData - ImageBaseOrg
je @DynLoader_PEBTEBFixup
@DynLoader_RelocFixup:
mov eax,[ebp-00Ch] //FileData
mov ebx,eax
add ebx,[ebx+03Ch] //TImageDosHeader._lfanew
mov ebx,[ebx+0A0h] //IMAGE_DIRECTORY_ENTRY_BASERELOC.VirtualAddress
test ebx,ebx
jz @DynLoader_PEBTEBFixup
add ebx,eax
@DynLoader_RelocFixup_block:
mov eax,[ebx+004h] //ImageBaseRelocation.SizeOfBlock
test eax,eax
jz @DynLoader_PEBTEBFixup
lea ecx,[eax-008h] //ImageBaseRelocation.SizeOfBlock - SizeOf(TImageBaseRelocation)
shr ecx,001h //(ImageBaseRelocation.SizeOfBlock - SizeOf(TImageBaseRelocation)) div SizeOf(Word)
lea edi,[ebx+008h] //PImageBaseRelocation + SizeOf(TImageBaseRelocation)
@DynLoader_RelocFixup_do_entry:
movzx eax,word ptr [edi] //Entry
push edx
mov edx,eax
shr eax,00Ch //Type = Entry shr 12
mov esi,[ebp-00Ch] //FileData
and dx,00FFFh
add esi,[ebx] //FileData + ImageBaseRelocation.VirtualAddress
add esi,edx //FileData + ImageBaseRelocation.VirtualAddress+Entry and $0FFF
pop edx
@DynLoader_RelocFixup_HIGH:
dec eax
jnz @DynLoader_RelocFixup_LOW
mov eax,edx
shr eax,010h //HiWord(Delta)
jmp @DynLoader_RelocFixup_LOW_fixup
@DynLoader_RelocFixup_LOW:
dec eax
jnz @DynLoader_RelocFixup_HIGHLOW
movzx eax,dx //LoWord(Delta)
@DynLoader_RelocFixup_LOW_fixup:
add word ptr [esi],ax
jmp @DynLoader_RelocFixup_next_entry
@DynLoader_RelocFixup_HIGHLOW:
dec eax
jnz @DynLoader_RelocFixup_next_entry
add [esi],edx
@DynLoader_RelocFixup_next_entry:
inc edi
inc edi //Inc(Entry)
loop @DynLoader_RelocFixup_do_entry
@DynLoader_RelocFixup_next_base:
add ebx,[ebx+004h] //ImageBaseRelocation + ImageBaseRelocation.SizeOfBlock
jmp @DynLoader_RelocFixup_block
@DynLoader_PEBTEBFixup:
//we have some bad pointers in InLoadOrderModuleList, we have to change the base of our module
//and if we are executable (not dll) we have to change base address in PEB too
//for VB programs we need to do it now, because its libraries is reading this stuff
//in ImportFixup section
// int 3
mov ecx,[ebp-00Ch] //FileData
mov edx,[ebp-050h] //ImageBase
add [ebp-04Ch],edx //ImageEntryPoint
mov eax,fs:[000000030h] //TEB.PPEB
cmp dword ptr [ebp-044h],IMAGE_TYPE_EXE //check image type = IMAGE_TYPE_EXE
jnz @DynLoader_in_module_list
mov [eax+008h],ecx //PEB.ImageBaseAddr -> rewrite old imagebase
@DynLoader_in_module_list:
mov eax,[eax+00Ch] //PEB.LoaderData
mov eax,[eax+00Ch] //LoaderData.InLoadOrderModuleList
//now find our module in the list (same base, same size and same entry point)
mov esi,eax //first record
@DynLoader_in_module_list_one:
mov edx,[eax+018h] //InLoadOrderModuleList.BaseAddress
cmp edx,[ebp-050h] //ImageBase
jnz @DynLoader_in_module_list_next
mov edx,[eax+01Ch] //InLoaderOrderModuleList.EntryPoint
cmp edx,[ebp-04Ch] //ImageEntryPoint
jnz @DynLoader_in_module_list_next
mov edx,[eax+020h] //InLoaderOrderModuleList.SizeOfImage
cmp edx,[ebp-048h] //ImageSize
jnz @DynLoader_in_module_list_next
mov [eax+018h],ecx //InLoadOrderModuleList.BaseAddress -> rewrite old imagebase
add ecx,[ebp-01D0h] //+NtHeaders.OptionalHeader.AddressOfEntryPoint
mov [eax+01Ch],ecx //InLoadOrderModuleList.EntryPoint -> rewrite old entrypoint
mov ecx,[ebp-01A8h] //NtHeaders.OptionalHeader.SizeOfImage
mov [eax+020h],ecx //InLoaderOrderModuleList.SizeOfImage -> rewrite old sizeofimage
jmp @DynLoader_ImportFixup
@DynLoader_in_module_list_next:
cmp [eax],esi //InLoadOrderModuleList.Flink ?= first record
jz @DynLoader_ImportFixup
mov eax,[eax] //record = InLoadOrderModuleList.Flink
jmp @DynLoader_in_module_list_one
@DynLoader_ImportFixup:
mov ebx,[ebp-0178h] //NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
test ebx,ebx
jz @DynLoader_export_fixup
mov esi,[ebp-00Ch] //FileData
add ebx,esi //FileData + NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
@DynLoader_ImportFixup_module:
mov eax,[ebx+00Ch] //TImageImportDescriptor.Name
test eax,eax
jz @DynLoader_export_fixup
mov ecx,[ebx+010h] //TImageImportDescriptor.FirstThunk
add ecx,esi
mov [ebp-03Ch],ecx //Thunk
mov ecx,[ebx] //TImageImportDescriptor.Characteristics
test ecx,ecx
jnz @DynLoader_ImportFixup_table
mov ecx,[ebx+010h]
@DynLoader_ImportFixup_table:
add ecx,esi
mov [ebp-040h],ecx //HintName
add eax,esi //TImageImportDescriptor.Name + FileData = ModuleName
push eax //lpLibFileName
mov eax,[ebp+010h] //ImportThunk.LoadLibrary
call [eax] //LoadLibrary
test eax,eax
jz @DynLoader_end
mov edi,eax
@DynLoader_ImportFixup_loop:
mov ecx,[ebp-040h] //HintName
mov edx,[ecx] //TImageThunkData.Ordinal
test edx,edx
jz @DynLoader_ImportFixup_next_module
test edx,080000000h //import by ordinal ?
jz @DynLoader_ImportFixup_by_name
and edx,07FFFFFFFh //get ordinal
jmp @DynLoader_ImportFixup_get_addr
@DynLoader_ImportFixup_by_name:
add edx,esi //TImageThunkData.Ordinal + FileData = OrdinalName
inc edx
inc edx //OrdinalName.Name
@DynLoader_ImportFixup_get_addr:
push edx //lpProcName
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
mov ecx,[ebp-03Ch] //HintName
mov [ecx],eax
add dword ptr [ebp-03Ch],004h //Thunk -> next Thunk
add dword ptr [ebp-040h],004h //HintName -> next HintName
jmp @DynLoader_ImportFixup_loop
@DynLoader_ImportFixup_next_module:
add ebx,014h //SizeOf(TImageImportDescriptor)
jmp @DynLoader_ImportFixup_module
@DynLoader_export_fixup:
//go through all loaded modules and search for IAT section for our module
//then change image base in all imports there
// int 3
mov eax,fs:[000000030h] //TEB.PPEB
mov eax,[eax+00Ch] //PEB.LoaderData
mov ebx,[eax+00Ch] //LoaderData.InLoadOrderModuleList
mov [ebp-070h],ebx //FirstModule
@DynLoader_export_fixup_process_module:
mov edx,[ebx+018h] //InLoadOrderModuleList.BaseAddress
cmp edx,[ebp-050h] //ImageBase
jz @DynLoader_export_fixup_next
push edx
push 004h //ucb
push edx //lp
call [ebp-07Ch] //IsBadReadPtr
pop edx
test eax,eax
jnz @DynLoader_export_fixup_next
mov edi,edx
add edi,[edi+03Ch] //TImageDosHeader._lfanew
mov edi,[edi+080h] //TImageNtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
test edi,edi
jz @DynLoader_export_fixup_next
add edi,edx //+ module.ImageBase
@DynLoader_export_fixup_check_idt:
xor eax,eax
push edi
push 005h //sizeof(ImportDirectoryTable)/4
pop ecx
rep scasd //test for null Directory Entry
pop edi
jz @DynLoader_export_fixup_next
mov esi,[edi+010h] //ImportSection.ImportAddressTableRVA
add esi,[ebx+018h] //+ module.ImageBase
mov eax,[esi] //first IAT func address
sub eax,[ebp-050h] //- ImageBase
jb @DynLoader_export_fixup_next_idir //this is not our import
cmp eax,[ebp-048h] //ImageSize
jbe @DynLoader_export_fixup_prefixaddr //this is our import
@DynLoader_export_fixup_next_idir:
add edi,014h //+ sizeof(IDT) = next IDT
jmp @DynLoader_export_fixup_check_idt
@DynLoader_export_fixup_prefixaddr:
push 01Ch //dwLength = sizeof(MemoryBasicInformation)
lea eax,[ebp-09Ch] //MemoryBasicInformation
push eax //lpBuffer
push esi //lpAddress
call [ebp-078h] //VirtualQuery
lea eax,[ebp-088h] //MemoryBasicInformation.Protect
push eax //lpflOldProtect
push PAGE_READWRITE //flNewProtect
push dword ptr [ebp-090h] //dwSize = MemoryBasicInformation.RegionSize
push dword ptr [ebp-09Ch] //lpAddress = MemoryBasicInformation.BaseAddress
call [ebp-074h] //VirtualProtect
test eax,eax
jz @DynLoader_export_fixup_next
push edi
mov edi,esi
@DynLoader_export_fixup_fixaddr:
lodsd
test eax,eax
jz @DynLoader_export_fixup_protect_back
sub eax,[ebp-050h] //- ImageBase
add eax,[ebp-00Ch] //+ FileData
stosd
jmp @DynLoader_export_fixup_fixaddr
@DynLoader_export_fixup_protect_back:
lea eax,[ebp-084h] //MemoryBasicInformation.Type (just need some pointer)
push eax //lpflOldProtect
push dword ptr [ebp-088h] //flNewProtect = MemoryBasicInformation.Protect
push dword ptr [ebp-090h] //dwSize = MemoryBasicInformation.RegionSize
push dword ptr [ebp-09Ch] //lpAddress = MemoryBasicInformation.BaseAddress
call [ebp-074h] //VirtualProtect
pop edi
jmp @DynLoader_export_fixup_next_idir
@DynLoader_export_fixup_next:
mov ebx,[ebx]
cmp ebx,[ebp-070h] //InLoadOrderModuleList.Flink ?= FirstModule
jnz @DynLoader_export_fixup_process_module
@DynLoader_run:
// int 3
mov eax,[ebp-01D0h] //NtHeaders.OptionalHeader.AddressOfEntryPoint
add eax,[ebp-00Ch] //NtHeaders.OptionalHeader.AddressOfEntryPoint + FileData = EntryPoint
@DynLoader_end:
mov ecx,[ebp-00Ch] //we need FileData
pop esi
pop edi
pop ebx
leave
ret 00Ch
@DynLoader_fill_image_info:
//these values give info about our image, info is filled before DynLoader is put into
//final executable, we find their offset going from DynLoader_end searching for DYN_LOADER_END_MAGIC
mov [ebp-044h],012345678h //ImageType
mov [ebp-048h],012345678h //ImageSize
mov [ebp-04Ch],012345678h //ImageEntryPoint
mov [ebp-054h],012345678h //OrgImageSize
ret
dd DYN_LOADER_END_MAGIC
end;
procedure DynLoader_end; assembler; asm end;
procedure DynCoder(AAddr:Pointer;ASize:Cardinal;AKey:Pointer); assembler; stdcall;
//this one only smashes a memory a little bit using a key
asm
@Coder_begin:
push edi
push esi
@Coder_main_loop:
mov edi,[ebp+008h] //AAddr
mov ecx,[ebp+00Ch] //ASize
shr ecx,002h
@Coder_pre_code:
mov esi,[ebp+010h] //AKey
@Coder_code:
mov eax,[esi]
test eax,0FF000000h
jz @Coder_pre_code
@Coder_do_code:
add eax,ecx
xor eax,[edi] //smash it
stosd //store it
inc esi
loop @Coder_code
@Coder_end:
pop esi
pop edi
leave
ret 00Ch
end;
function VirtAddrToPhysAddr(ANtHeaders:PImageNtHeaders;AVirtAddr:Pointer):Pointer;
//this one is to support tls loading mechanism
//returns pointer to raw data in old pe of data on VA specified by AVirtAddr
//or nil if no section contains this data
var
LI:Integer;
LPSection:PImageSectionHeader;
LAddr:Cardinal;
begin
Result:=nil;
LAddr:=Cardinal(AVirtAddr)-ANtHeaders^.OptionalHeader.ImageBase;
LPSection:=Pointer(Cardinal(@ANtHeaders^.OptionalHeader)+ANtHeaders^.FileHeader.SizeOfOptionalHeader);
for LI:=0 to ANtHeaders^.FileHeader.NumberOfSections-1 do
begin
if (LPSection^.VirtualAddress<=Cardinal(LAddr)) and (LPSection^.VirtualAddress+LPSection^.SizeOfRawData>Cardinal(LAddr)) and (LPSection^.SizeOfRawData<>0) then
begin
Result:=Pointer(Cardinal(LPSection^.PointerToRawData)+LAddr-LPSection^.VirtualAddress);
Break;
end;
Inc(LPSection);
end;
end;
function RVA2RAW(ANtHeader,AVirtImage:Pointer;ARVA:Cardinal):Pointer;
//converts RVA to RAW pointer
var
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -