.586
.model flat, stdcall
option casemap:none
include windows.inc
include kernel32.inc
includelib kernel32.lib
set_seh proto :dword,:dword
.data
; Packer-tool state: file names/handles/sizes (by name) and option flags.
; Nothing in the stub code visible in this file references these symbols — the
; stub keeps its own data in the .code block after check1_end and addresses it
; via ebx — so presumably they belong to the tool half of the program. Confirm
; before removing or reordering.
wsock32 db 'wsock32.dll',0
fname1 db 264 dup (?)                   ; path buffers (264 = MAX_PATH+4, presumably)
fname2 db 264 dup (?)
fname3 db 264 dup (?)
hfile1 dd ?                             ; file handles (by name)
hfile2 dd ?
hfile3 dd ?
fsize1 dd ?                             ; file sizes (by name)
fsize2 dd ?
pt1 dd ?
pt2 dd ?
temp1 dd ?
mbi MEMORY_BASIC_INFORMATION <>
db 4 dup (?)                            ; 4 bytes of padding between the two MBI structs
mbi2 MEMORY_BASIC_INFORMATION <>
comctl32 db 'comctl32.dll',0
ole32 db 'ole32.dll',0
oo db 'OleUninitialize',0
shell32 db 'shell32.dll',0
flag_add_section dd 1                   ; tool options, 1 = enabled; their effect is not shown in this view
flag_clear_boundimport dd 1
flag_clear_load_config dd 1
.code
; The marker comment on the next line is consumed by an external junk-code
; inserter (per the original note): it starts inserting junk instructions at
; every odd-numbered marker and stops at every even-numbered one. The marker
; lines are kept byte-for-byte; do not add or remove occurrences of the marker.
entry: ;!!! 这个;!!!作为加花指令的标志,花指令生成程序遇到第奇数个;!!!即开始加花,偶数个停止加花
jmp _entry
flag_reentry db 0                       ; 0 until _entry has run its one-shot NOT-decode of entry00..__ok; set to 1 afterwards
check_int3 macro
; Anti-step-over trap for procs that already have an ebp frame, so [ebp+4] is
; the caller's return address. If the byte there is 0CCh (int 3 — such as the
; temporary breakpoint a debugger plants to step over the call), the low dword
; of rdtsc is written at a pseudo-random offset (0..255) beyond the return
; address, i.e. into the caller's code. Relies on the code pages being
; writable (not established in this view). Preserves eax, esi, edx and the
; flags (pushf/popf are balanced whether the assembler encodes them as 16- or
; 32-bit). Contains an anonymous label: expand it only where no @b/@f of the
; surrounding code needs to jump across it.
pushf
push eax
mov eax,[ebp+4]                         ; caller's return address
cmp byte ptr [eax],0cch                 ; int 3 planted there?
jne @f
push esi
push edx
xchg eax,esi                            ; esi = return address
rdtsc                                   ; edx:eax = timestamp counter
add edx,eax
and edx,000000ffh                       ; pseudo-random offset 0..255
mov [esi+edx],eax                       ; corrupt 4 bytes of the caller's code
pop edx
pop esi
@@:
pop eax
popf
endm
check_int3_0 macro
; Same trap as check_int3, for procs that have no ebp frame of their own
; (used in get_knl_base): it builds a temporary frame so that [ebp+4] is the
; return address, and tears it down again. Preserves ebp, eax, esi, edx and
; the flags. Contains an anonymous label: expand it only where no @b/@f of
; the surrounding code needs to jump across it.
push ebp
mov ebp,esp                             ; temporary frame: [ebp+4] = return address
pushf
push eax
mov eax,[ebp+4]                         ; caller's return address
cmp byte ptr [eax],0cch                 ; int 3 planted there?
jne @f
push esi
push edx
xchg eax,esi                            ; esi = return address
rdtsc                                   ; edx:eax = timestamp counter
add edx,eax
and edx,000000ffh                       ; pseudo-random offset 0..255
mov [esi+edx],eax                       ; corrupt 4 bytes of the caller's code
pop edx
pop esi
@@:
pop eax
popf
pop ebp
endm
check1_start label byte                 ; start of the byte range that check_thread checksums (ends at check1_end)
_entry:
; Stub entry. Saves all registers (36 bytes: pushfd + pushad; later code reads
; the original arguments as [esp+24h+...]), computes the load delta into ebx
; (runtime address of entry0 minus its link-time address; every data access in
; the stub is sym[ebx]), and on first run applies a one-shot in-place decode —
; a byte-wise NOT of entry00..__ok — guarded by flag_reentry. __ok is defined
; later in the file (outside this view); presumably the packing tool stores
; that range inverted on disk. The decode writes to the code section, so it
; must be writable at this point.
pushfd
pushad
call entry0 ;!!!
entry0: ;!!!
pop ebx                                 ; ebx = runtime address of entry0
sub ebx,offset entry0                   ; ebx = load delta
cmp flag_reentry[ebx],0
jne entry00                             ; already decoded
lea esi,entry00[ebx]
mov ecx,__ok - entry00                  ; byte count of the encoded range
@@:
not byte ptr [esi]                      ; in-place decode
inc esi
loop @b
mov flag_reentry[ebx],1                 ; never decode twice
entry00:
jmp entry1
get_knl_base proc ;get the kernel32.dll base address
; Walks the SEH chain from fs:[0] to its last record (prev == -1), takes that
; record's handler address and scans downward in 64K steps until it finds an
; 'MZ' header whose e_lfanew points at 'PE\0\0'. Assumes the final handler
; lives inside kernel32 (original comment).
; NOTE(review): on newer Windows versions that last handler is commonly
; reported to live in ntdll instead — confirm on the target OS.
; The scan has no lower bound: touching an unmapped page raises an access
; violation, and no SEH handler has been installed by the visible code at this
; point (set_seh is only called from check_thread).
; Out: eax = module base. edx preserved; ebx untouched.
assume fs:nothing
mov eax,fs:[0]                          ; head of the SEH chain
check_int3_0                            ; anti-step-over trap; brings its own frame (this proc has none)
push edx
@@:
cmp dword ptr [eax],-1                  ; last record of the chain?
je @f
mov eax,[eax]                           ; prev
jmp @b
@@:
mov eax,[eax+4]                         ; handler address of the last record
and eax,0ffff0000h                      ; round down to a 64K boundary
@@1:
cmp word ptr [eax],'ZM'                 ; "MZ" in memory (little-endian word)
je @f
sub eax,10000h
jmp @@1
@@:
mov edx,[eax+3ch]                       ; e_lfanew
add edx,eax
cmp dword ptr [edx],00004550h           ; "PE\0\0"
je @f
sub eax,10000h                          ; MZ without a PE header: keep scanning
jmp @@1
@@:
pop edx
ret
get_knl_base endp
;tt1 db '1',0
;tt2 db '2',0
;tt3 db '3',0
;tt4 db '4',0
;disp proc uses eax ecx edx
; pushf
; cmp check1[ebx],0
; je @f
; lea edx,tt1[ebx]
; jmp dp5
;@@:
; cmp check2[ebx],0
; je @f
; lea edx,tt2[ebx]
; jmp dp5
;@@:
;
; jmp dp9
;
; cmp hEvent[ebx],0
; je @f
; lea edx,tt3[ebx]
; jmp dp5
;@@:
; cmp hEvent1[ebx],0
; jne @f
; lea edx,tt4[ebx]
; jmp dp5
;@@:
; jmp dp9
;dp5:
; push MB_OK
; push edx
; push edx
; push 0
; call f_MessageBox[ebx]
;dp9:
; popf
; ret
;disp endp
;disp1 proc uses eax ecx edx
; pushf
; lea eax,ttt[ebx]
; push MB_OK
; push eax
; push eax
; push 0
; call f_MessageBox[ebx]
; popf
; ret
;disp1 endp
;
check_thread proc para
; Integrity-check thread (CreateThread entry, stdcall; para = load delta, kept
; in ebx). Installs seh1 through set_seh(1,...): set_seh returns with `ret 0`,
; so its two argument dwords stay on this thread's stack as the live SEH
; registration record — esp must not move between here and the set_seh(0,0)
; at ct9, which pops them with `ret 4*4`.
; Then spins (no Sleep/wait) until bit0 of flag_thread_end is set. On each
; pass with bit0 of flag_thread_active set:
;   1. eax = -(byte sum of check1_start..check1_end) - check1_sum. The
;      expected value is patched into check1_sum outside this file (it is
;      `dd ?` here), so the result is presumably 0 for untampered code. It is
;      added into check1 (later folded into resolved API addresses by
;      get_func_address) and decode_key (its consumer is not in this view):
;      any patch or int3 in that range skews both.
;   2. int 0f7h: seh1 replaces eax with DR0+DR1+DR2+DR3 and clears those
;      registers, so eax is 0 unless a hardware breakpoint is armed; the
;      value is added to check1. (The xor with 'jdsg' before the trap is
;      discarded — the handler overwrites eax.)
;   3. Once bit1 of flag_thread_finish is set, the same is done for
;      check2_start..check2_end (check2_end lies outside this view), folded
;      into check2 and decode_key with xor, and bit0 of flag_thread_finish
;      is set.
; On exit: clears bit0 of flag_thread_active, uninstalls the handler, sets
; bit0 of flag_thread_exit. Clobbers eax, ecx, esi, edi, ebx (thread entry).
mov ebx,para
lea eax,seh1[ebx]
invoke set_seh,1,eax                    ; install handler; deliberately leaves 8 bytes on the stack (see header)
ct0:
@@:
test flag_thread_end[ebx],1
jnz ct9
test flag_thread_active[ebx],1
jz @b                                   ; idle: busy-wait
;;; jmp ct30 ;;;;;;;;;;;;;
lea esi,check1_start[ebx]
lea edi,check1_end[ebx]
mov eax,0
mov ecx,0                               ; ecx = 0 so that `mov cl` below yields a zero-extended byte
@@:
mov cl,[esi]
sub eax,ecx                             ; accumulate the negated byte sum
inc esi
cmp esi,edi
jb @b                                   ; do-while: the range is never empty (check1_start < check1_end)
ct2 label byte                          ; label on the comparison; its purpose is not shown here (patch point, presumably)
sub eax,check1_sum[ebx]
add check1[ebx],eax
add decode_key[ebx],eax
xor eax,'jdsg'
int 0f7h                                ; -> seh1 _f7cd: eax = sum of DR0..DR3, DRs cleared, Eip += 2
add check1[ebx],eax
test flag_thread_finish[ebx],10b
jz ct3                                  ; second pass not enabled yet
lea esi,check2_start[ebx]
lea edi,check2_end[ebx]
mov eax,0
mov ecx,0
@@:
mov cl,[esi]
add eax,ecx                             ; plain byte sum this time
inc esi
cmp esi,edi
jb @b
ct21 label byte                         ; as ct2
sub eax,check2_sum[ebx]
xor check2[ebx],eax
xor decode_key[ebx],eax
sub eax,'jkdf'                          ; discarded by the handler, as above
int 0f7h                                ; -> seh1 _f7cd
xor check2[ebx],eax
ct30:
or flag_thread_finish[ebx],1            ; both passes done
ct3:
; call disp ;;;;;;;;;;;;;;;
jmp ct0
ct9:
and flag_thread_active[ebx],0fffffffeh
invoke set_seh,0,0                      ; uninstall; pops this call's args and the registration record
or flag_thread_exit[ebx],1
ret
check_thread endp
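get_func_address proc stdcall uses ebx ecx edx esi edi base,p_funcname
; GetProcAddress replacement that walks the raw export directory.
;   base       = module base (HMODULE)
;   p_funcname = pointer to the ASCIIZ export name, or (ordinal OR 80000000h)
; Returns eax = function address, or 0 when the ordinal is out of range, the
; name is not exported, or a forwarded export's DLL cannot be loaded.
; Forwarded exports: the resolved "address" is compared, case-folded on the
; export side, byte by byte against the forwardchain_dll table. An entry
; matches only when a '.' is reached at the same position in both strings
; (the text after the '.' in the table entry is never compared). On a match
; the DLL is loaded once (handle cached in forwardchain_handle) and the lookup
; restarts at gfa1 with the name that follows the '.'. A forwarder naming a
; DLL that is not in the table (API-set names included) falls out at the table
; terminator and the forwarder *string* address is returned as if it were
; code — there is no way to tell the two apart here.
; Tamper coupling: check2 is added to every resolved address and check1 to
; the forwarded name pointer; both are 0 unless check_thread found changes.
; ebx is the caller's load delta; it is stashed in save_ebx because the
; export walk reuses ebx as the module base, and restored before the
; delta-relative table accesses.
; Fixes relative to the previous version: (1) the "name not found" path
; left the export-directory RVA pushed at @@0 on the stack, which skewed the
; `uses` register pops in the epilogue (the caller's ebx came back wrong);
; (2) NumberOfNames == 0 was only tested after the first iteration, so the
; loop ran off the end of the name table; (3) a failed f_LoadLibrary left
; base = 0 and the restart dereferenced [0+3ch].
local save_ebx:dword
mov save_ebx,ebx
gfa1:
mov ebx,base
mov eax,[ebx+3ch]                       ; e_lfanew (offset of the 'PE' header)
mov eax,[ebx+eax+78h]                   ; export directory RVA (DataDirectory[0])
test p_funcname,80000000h
je gfa5                                 ; plain name -> name lookup
mov esi,[ebx+eax+24h]                   ; AddressOfNameOrdinals (unused on the ordinal path)
mov edx,[ebx+eax+14h]                   ; NumberOfFunctions
mov ecx,p_funcname
and ecx,7fffffffh                       ; strip the ordinal flag
sub ecx,[ebx+eax+10h]                   ; ordinal - Base = function index
cmp ecx,edx
jae @@90                                ; index out of range (unsigned) -> 0
add ecx,ecx
add ecx,ecx                             ; index * 4
mov edi,ecx
add edi,[ebx+eax+1ch]                   ; + AddressOfFunctions RVA
mov eax,[ebx+edi]
add eax,ebx                             ; RVA -> VA
jmp gfa6
gfa5:
mov esi,[ebx+eax+20h]                   ; AddressOfNames RVA (array of name RVAs)
mov edx,[ebx+eax+18h]                   ; NumberOfNames
push eax                                ; keep the export directory RVA for @@1
test edx,edx
jz gfa59                                ; no named exports at all: not found
@@0:
mov ecx,p_funcname
mov edi,[esi+ebx]                       ; RVA of the current exported name
@@:
mov al,[edi+ebx]
cmp al,[ecx]
jne @f                                  ; differs: next name
cmp al,0
je @@1                                  ; equal through the terminator: found
inc edi
inc ecx
jmp @b
@@:
add esi,4
dec edx
jnz @@0
gfa59:
add esp,4                               ; discard the export directory RVA pushed above
mov eax,0                               ; not found
jmp @@9
@@1:
pop eax                                 ; export directory RVA
sub esi,[ebx+eax+20h]                   ; esi = name index * 4
shr esi,1                               ; = name index * 2 (word index)
add esi,[ebx+eax+24h]                   ; + AddressOfNameOrdinals RVA
movzx esi,word ptr [ebx+esi]            ; function index
shl esi,2
add esi,[ebx+eax+1ch]                   ; + AddressOfFunctions RVA
mov eax,[ebx+esi]
add eax,ebx                             ; RVA -> VA
gfa6:
mov ebx,save_ebx                        ; back to the load delta for the table accesses
check_int3                              ; anti-step-over trap (reads the return address at [ebp+4])
lea edx,forwardchain_dll[ebx]           ; table of DLL-name addresses, 0-terminated
lea edi,forwardchain_handle[ebx]        ; parallel table of cached HMODULEs
add eax,check2[ebx]                     ; tamper coupling (0 when untampered)
gfa70:
mov esi,[edx]
cmp esi,0
je @@9                                  ; end of table: treat eax as a real address
add esi,ebx                             ; link-time address -> runtime address of the name
push eax
push esi
dec esi
dec eax
gfa7:
inc eax
inc esi
mov cl,[eax]                            ; byte of the (supposed) forwarder string
cmp cl,'a'
jb @f
cmp cl,'z'
ja @f
and cl,0dfh                             ; fold a-z to upper case
@@:
cmp cl,[esi]                            ; compare with the table entry
jne @f                                  ; mismatch: next table entry
cmp cl,'.'
je gfa75                                ; matched through the '.': it is a forwarder to this DLL
jmp gfa7
@@:
pop esi
pop eax
add edx,4
add edi,4
jmp gfa70
gfa75:
pop esi                                 ; esi = start of the table entry (the DLL name)
cmp dword ptr [edi],0
jne @f                                  ; handle already cached
push eax
push esi
call f_LoadLibrary[ebx]
mov [edi],eax                           ; cache the handle (0 on failure)
pop eax
@@:
cmp dword ptr [edi],0
je gfa79                                ; DLL could not be loaded: clean up and return 0
inc eax                                 ; eax -> name after the '.'
add eax,check1[ebx]                     ; tamper coupling (0 when untampered)
mov p_funcname,eax
mov eax,[edi]
mov base,eax                            ; restart the lookup in the forwarded-to module
pop eax
mov ebx,save_ebx
jmp gfa1
gfa79:
add esp,4                               ; discard the address pushed at gfa70
@@90:
mov eax,0
@@9:
ret
get_func_address endp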
set_seh proc uses eax flag,ofs
; Installs or removes an SEH frame, using the two argument dwords on the stack
; as the EXCEPTION_REGISTRATION record itself (prev at [ebp+8] = flag, handler
; at [ebp+0ch] = ofs).
;   set_seh(1, handler): flag := old fs:[0]; fs:[0] := &flag; returns with
;       `ret 0`, so the 8 argument bytes are deliberately NOT popped — they
;       remain on the caller's stack as the live record. The caller must not
;       move esp until it unregisters.
;   set_seh(0, 0): restores fs:[0] from [ofs+4], i.e. the `flag` slot of the
;       earlier set_seh(1,...) call, which sits directly above this call's
;       own arguments; `ret 4*4` then pops both argument pairs (16 bytes).
; eax is preserved (uses). check_int3 expands between the cmp and the je; it
; saves and restores EFLAGS, so the branch still sees the cmp result.
assume fs:nothing
cmp flag,0
check_int3                              ; anti-step-over trap (reads the return address at [ebp+4])
je @f
mov eax,fs:[0]
mov flag,eax                            ; flag slot becomes the `prev` link
lea eax,flag
mov fs:[0],eax                          ; record = { prev = flag, handler = ofs }
jmp ss9
@@:
mov eax,[ofs+4]                         ; saved fs:[0] from the registering call's argument area
mov fs:[0],eax
ret 4*4                                 ; pop this call's args plus the registration record
ss9:
ret 0                                   ; leave the args in place: they are the SEH record
set_seh endp
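thread_control proc para
; Thread-spawner loop (CreateThread entry; stdcall with one dword parameter,
; para = load delta, kept in ebx). Spins — no Sleep/wait — until bit31 of
; flag_thread_end is set, polling flag_thread_create:
;   bit0 -> check_thread, bit1 -> decode_thread, bit2 -> checkAPI_thread
; (the last two are defined outside this view). For each request it clears
; the matching bit in flag_thread_create, flag_thread_end and
; flag_thread_exit and starts the thread with ebx (the delta) as parameter.
; On exit it clears bit31 of flag_thread_end and sets bit31 of
; flag_thread_exit. Clobbers eax, edx, ebx (thread entry).
; Fix relative to the previous version: the handle returned by CreateThread
; was dropped, leaking one handle per spawned thread for the life of the
; process. It is not stored anywhere (only threadID is written), so it is
; closed immediately after creation.
mov ebx,para
;lea eax,ttt[ebx]
;push MB_OK
;push eax
;push eax
;push 0
;call f_MessageBox[ebx]
;int 3
tc00:
test flag_thread_end[ebx],80000000h
jnz tc9
tc0:
test flag_thread_create[ebx],1
je @f
and flag_thread_create[ebx],0fffffffeh
and flag_thread_end[ebx], 0fffffffeh
and flag_thread_exit[ebx], 0fffffffeh
lea edx,check_thread[ebx]
jmp tc1
@@:
test flag_thread_create[ebx],10b
je @f
and flag_thread_create[ebx],0fffffffdh
and flag_thread_end[ebx], 0fffffffdh
and flag_thread_exit[ebx], 0fffffffdh
lea edx,decode_thread[ebx]
jmp tc1
@@:
test flag_thread_create[ebx],100b
je @f
and flag_thread_create[ebx],0fffffffbh
and flag_thread_end[ebx], 0fffffffbh
and flag_thread_exit[ebx], 0fffffffbh
lea edx,checkAPI_thread[ebx]
jmp tc1
@@:
jmp tc8                                 ; nothing requested: poll again
tc1:
lea eax,threadID[ebx]
push eax                                ; lpThreadId (one shared slot for every thread)
push 0                                  ; dwCreationFlags
push ebx                                ; lpParameter = load delta
push edx                                ; lpStartAddress
push 0                                  ; dwStackSize
push 0                                  ; lpThreadAttributes
call f_CreateThread[ebx]
test eax,eax
jz tc8                                  ; CreateThread failed: nothing to close
push eax
call f_CloseHandle[ebx]                 ; the handle is not needed again
tc8:
jmp tc00
tc9:
and flag_thread_end[ebx], 7fffffffh
or flag_thread_exit[ebx],80000000h
ret
thread_control endp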
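seh1 proc uses ebx ecx edx esi lpExceptionRecord,lpSEH,lpContext,lpDisp
; SEH handler installed by check_thread (through set_seh). Dispatches on the
; two opcode bytes at ExceptionAddress, read as a little-endian word:
;   0f5cdh (int 0f5h): zero DR0..DR3 in the resumed CONTEXT.
;   0f6cdh (int 0f6h): pop a thread start address from the interrupted
;                     thread's stack, CreateThread it with that thread's ebx
;                     as parameter, then continue with the int 0f7h handling.
;   0f7cdh (int 0f7h): eax := DR0+DR1+DR2+DR3 (0 unless hardware breakpoints
;                     are armed), then zero DR0..DR3.
; In every case — including an unrecognised exception — Eip is advanced by 2
; (the size of `int imm8`) and eax = 0 (ExceptionContinueExecution) is
; returned. NOTE(review): for a genuine fault that is not an int this means
; resuming two bytes into the faulting instruction; the commented `;1` /
; `jmp se91` alternative would return 1 (ExceptionContinueSearch) instead.
; NOTE(review): the proc is assembled stdcall (`.model flat,stdcall`), so it
; returns with `ret 10h`, whereas SEH handlers are normally cdecl; whether
; the exception dispatcher tolerates that is not visible here — confirm.
; NOTE(review): reading [ExceptionAddress] would itself fault for an exception
; raised at an unmapped address. DR7 is deliberately left untouched (commented
; out below), so only the breakpoint addresses are cleared, not their enable
; bits.
; Fix relative to the previous version: the thread handle returned by
; CreateThread in _f6cd was discarded (one leaked handle per int 0f6h); it is
; not stored anywhere, so it is closed right away.
mov ecx,lpExceptionRecord
assume ecx:ptr EXCEPTION_RECORD
mov edx,lpContext
assume edx:ptr CONTEXT
mov eax,[ecx].ExceptionAddress
mov ax,[eax]                            ; two opcode bytes at the fault
cmp ax,0f5cdh                           ; int 0f5h
je _f5cd
cmp ax,0f6cdh                           ; int 0f6h
je _f6cd
cmp ax,0f7cdh                           ; int 0f7h
je _f7cd
mov eax,0 ;1                            ; unrecognised: still resumed at Eip+2 (see header)
jmp se9 ;jmp se91
_f5cd:
mov eax,0
mov [edx].iDr0,eax                      ; clear hardware breakpoint addresses in the resumed context
mov [edx].iDr1,eax
mov [edx].iDr2,eax
mov [edx].iDr3,eax
;;; mov [edx].iDr7,0 ;155h
jmp se9
_f6cd:
push ecx
push edx
mov eax,[edx].regEsp
mov esi,[eax]                           ; pop the thread start address off the interrupted stack
add [edx].regEsp,4
mov ebx,[edx].regEbx                    ; interrupted thread's ebx (expected to hold the load delta)
lea eax,threadID[ebx]
push eax                                ; lpThreadId
push 0                                  ; dwCreationFlags
push ebx                                ; lpParameter = delta
push esi                                ; lpStartAddress
push 0                                  ; dwStackSize
push 0                                  ; lpThreadAttributes
call f_CreateThread[ebx]
; push eax
; call f_ResumeThread[ebx]
test eax,eax
jz @f                                   ; CreateThread failed: nothing to close
push eax
call f_CloseHandle[ebx]                 ; handle not needed again; eax is rewritten below anyway
@@:
pop edx
pop ecx
jmp _f7cd
_f7cd:
mov eax,0
add eax,[edx].iDr0                      ; eax = DR0+DR1+DR2+DR3
add eax,[edx].iDr1
add eax,[edx].iDr2
add eax,[edx].iDr3
mov [edx].regEax,eax                    ; handed back to the trapping code as its eax
mov eax,0
mov [edx].iDr0,eax                      ; clear the breakpoint addresses
mov [edx].iDr1,eax
mov [edx].iDr2,eax
mov [edx].iDr3,eax
;;; mov [edx].iDr7,0 ;155h
jmp se9
se9:
add [edx].regEip,2                      ; skip the 2-byte `int imm8`
mov eax,0                               ; ExceptionContinueExecution
se91:
assume ecx:nothing
assume edx:nothing
ret
seh1 endp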
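;!!!
check1_end label byte                   ; end of the byte range check_thread checksums (check1_start..here)
; ---- Stub data block. Everything from `pi` up to `data_size` is addressed as
; sym[ebx] (ebx = load delta) by the stub. Several `dd ?` fields are filled in
; by the packing tool rather than by the code in this view (check1_sum,
; check2_sum, decode_key, decode_start/decode_end, rva_table, ...); the exact
; set is not visible here.
; Fix relative to the previous version: the shlwapi entry of the forwarder
; table lacked the '.' that get_func_address's match loop requires, so a
; forwarder into SHLWAPI could never be resolved. Note that this change (and
; any other edit above `data_size`) shifts the offsets of the fields that
; follow it; `data_size` is assembler-computed and follows automatically.
pi PROCESS_INFORMATION <>
_si STARTUPINFO <>
proc_exit_code dd ?
shell_eip dd ?
check1 dd 0                             ; tamper accumulator #1 (check_thread); added to forwarded-name pointers in get_func_address
hModule dd ?                            ; DLL case: hinstDLL passed to the entry point
hProc dd ?
buf db 256 dup (?)
knl_base dd ?                           ; kernel32 base found by get_knl_base
p_funcs label byte                      ; filled in order from p_funcnames by the entry1 loop
f_GetProcAddress dd ?
f_VirtualAlloc dd ?
f_VirtualProtect dd ?
f_CreateProcess dd ?
f_CreateEvent dd ?
f_OpenEvent dd ?
f_GetModuleHandle dd ?
f_WaitForSingleObject dd ?
f_GetModuleFileName dd ?
f_GetCommandLine dd ?
f_LoadLibrary dd ?
f_FreeLibrary dd ?
f_CloseHandle dd ?
f_ExitProcess dd ?
f_GetExitCodeProcess dd ?
f_GetLastError dd ?
f_VirtualQuery dd ?
f_UnmapViewOfFile dd ?
f_VirtualFree dd ?
f_VirtualProtectEx dd ?
f_CreateThread dd ?
f_ResumeThread dd ?
f_DisableThreadLibraryCalls dd ?
p_funcnames db 'GetProcAddress',0       ; ASCIIZ names, same order as p_funcs, terminated by an empty string
db 'VirtualAlloc',0
p_vp db 'VirtualProtect',0
db 'CreateProcessA',0
db 'CreateEventA',0
db 'OpenEventA',0
db 'GetModuleHandleA',0
db 'WaitForSingleObject',0
db 'GetModuleFileNameA',0
db 'GetCommandLineA',0
p_ll db 'LoadLibraryA',0                ; resolved first, on its own, by entry1
db 'FreeLibrary',0
db 'CloseHandle',0
db 'ExitProcess',0
db 'GetExitCodeProcess',0
db 'GetLastError',0
db 'VirtualQuery',0
db 'UnmapViewOfFile',0
db 'VirtualFree',0
db 'VirtualProtectEx',0
db 'CreateThread',0
db 'ResumeThread',0
db 'DisableThreadLibraryCalls',0
db 0                                    ; end of list
event_name db 'jdsglxg',0
hNTDLL dd 0
ntdllname db 'ntdll.dll',0
p_getlasterror db 'RtlGetLastWin32Error',0
hEvent dd 0
oringal_proc_offs dd ?                  ; (sic) consumer not in this view
decode_key dd ?                         ; skewed by check_thread when the checked ranges were modified
oringal_proc_size dd ?
old_protect_flag dd ?
check2 dd 0                             ; tamper accumulator #2 (check_thread); added to every address get_func_address resolves
iat_offs dd ?
iat_size dd ?
reloc_offs dd ?
reloc_size dd ?
image_base dd ?
hEvent1 dd 0
check2_sum dd ?                         ; expected sum of check2_start..check2_end (set outside this file)
threadID dd ?                           ; lpThreadId slot shared by every CreateThread call
flag_thread_end dd 0                    ; bit0: stop check_thread (bits 1/2 presumably the other two threads); bit31: stop thread_control
p_mem1 dd ?
p_mem2 dd ?
flag_thread_exit dd 0                   ; same bit layout, set by each thread on exit
temp dd ?
flag_thread_create dd 0                 ; bit0/1/2: ask thread_control to start check/decode/checkAPI thread
mbi1 MEMORY_BASIC_INFORMATION <>
dll_exitcode dd 0
iat_pt dd 0
flag_finish dd 0
exitcode dd 312321                      ; meaning not shown in this view
msg db 'Are you sure ?',0
rnd dd ?
titl db '^_^',0
flag_thread_finish dd 0                 ; bit0: check passes done; bit1: enables the check2 pass
user32name db 'user32.dll',0
hUser32 dd ?
iat_size0 dd 0
flag_thread_active dd 0                 ; bit0: check_thread may run its passes
p_msgbox db 'MessageBoxA',0
f_MessageBox dd ?
decode_start dd ?
check1_sum dd ?                         ; expected sum of check1_start..check1_end (set outside this file)
decode_end dd ?
number_of_section dd ?
ttt db 'xxx',0
rva_table dd 10h dup (0,0)              ; 16 zeroed dword pairs; consumer not in this view
flag_encode label dword                 ; one dword per PE data directory, in directory order; 1 = presumably encoded by the packer
export dd 1
import dd 1
res dd 0
exception dd 0
security dd 0
base_reloc dd 1
debug dd 0
copyright dd 0
globlptr dd 0
tls dd 0
loadconfig dd 0
bound_import dd 0
import1 dd 0
delay_import dd 0
dd 0
dd 0
; Forwarded-export resolution table for get_func_address. Entries are link-time
; addresses of the names below (the stub adds ebx). The match loop compares the
; forwarder string against an entry byte by byte and accepts only when a '.'
; is reached in both, so every name must carry a '.' right after the DLL base
; name; whatever follows the '.' is never compared.
forwardchain_dll dd kernel32,user32,gdi32,ntdll,advapi32,ws2_32,mswsock,shlwapi
dd 0                                    ; terminator
forwardchain_handle dd 0 ,0 ,0 ,0 ,0 ,0 ,0 ,0   ; cached HMODULEs, parallel to forwardchain_dll
dd 0
kernel32 db 'KERNEL32.dll',0
user32 db 'USER32.dll',0
gdi32 db 'GDI32.dll',0
ntdll db 'NTDLL.dll',0
advapi32 db 'ADVAPI32.dll',0
ws2_32 db 'WS2_32.dll',0
mswsock db 'MSWSOCK.dll',0
shlwapi db 'SHLWAPI.dll',0              ; was 'SHLWAPI' without a '.', which the match loop could never accept
file_type db 1 ;1 - exe 2 - dll
data_size = $ - offset pi               ; byte length of this block, computed by the assembler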
check2_start label byte
entry1: ;!!!
cld
call get_knl_base
push eax
lea ecx,p_ll[ebx]
invoke get_func_address,eax,ecx
mov f_LoadLibrary[ebx],eax
pop eax
mov knl_base[ebx],eax
lea edi,p_funcnames[ebx]
lea esi,p_funcs[ebx]
@@:
cmp byte ptr [edi],0
je @f
mov eax,knl_base[ebx]
invoke get_func_address,eax,edi
mov [esi],eax
add esi,4
mov ecx,-1
mov al,0
repne scasb
je @b
@@:
lea eax,user32name[ebx]
push eax
call f_LoadLibrary[ebx]
mov hUser32[ebx],eax
lea ecx,p_msgbox[ebx]
invoke get_func_address,eax,ecx
mov f_MessageBox[ebx],eax
;;;mov check1[ebx],0
;call disp1
cmp file_type[ebx],1 ;exe
je is_exe
cmp file_type[ebx],2 ;dll
jne error_exit
cmp dword ptr [esp+24h+4+4],1 ;dll_process_attach
jne dll_ret
mov eax,[esp+24h+4+0]
mov hModule[ebx],eax
push eax
call f_DisableThreadLibraryCalls[ebx]
; call 校验dll
; cmp eax,正确值
jmp dll_ok ;;;je dll_ok
dll_error:
popad
popfd