mov eax,0
ret 3*4
dll_ok:
mov eax,exitcode[ebx]
mov dll_exitcode[ebx],eax
jmp exe_dll ;;;cc
dll_ret:
mov eax,dll_exitcode[ebx]
cmp eax,exitcode[ebx]
jne dll_error
cmp flag_finish[ebx],0
jne pe0
jmp dll_error
is_exe:
push 0
call f_GetModuleHandle[ebx]
mov hModule[ebx],eax
exe_dll:
lea eax,event_name[ebx]
push eax
push 0
push EVENT_ALL_ACCESS
call f_OpenEvent[ebx]
cmp eax,0
je firstrun
push eax
push eax
call f_CloseHandle[ebx]
pop hEvent1[ebx]
;call disp1
lea eax,seh1[ebx]
invoke set_seh,1,eax
int 0f5h ;clear DRx
lea eax,thread_control[ebx]
push eax
int 0f6h ;create control thread ,return:eax=DRx
or flag_thread_create[ebx],111b
lea eax,_ok[ebx]
mov decode_start[ebx],eax
or flag_thread_active[ebx],1 ;active check
lea eax,__ok[ebx]
mov decode_end[ebx],eax
not eax
int 0f7h ;Get and clear DRx
and flag_thread_finish[ebx],0fffffffdh
add decode_key[ebx],eax
or flag_thread_active[ebx],10b ;active decode
@@:
test flag_thread_finish[ebx],10b
int 0f7h
jz @b
jmp _ok
lea eax,second_entry[ebx]
mov dword ptr proc_ret_addr[ebx+1],eax
popad
popfd
proc_ret_addr label byte ;!!!
push 12345678h ;!!!
ret
;-----------------------------------------------------------------------
; isnot?(pt) -- may a sliding-dword XOR be applied at RVA `pt`?
; pt : RVA of the position being (de)coded (decode/encode pass p_offs+i).
; The answer is returned in the flags only (eax is restored by `uses eax`):
;   ZF=0  position may be XORed
;   ZF=1  position lies inside a protected range -> callers skip it
; A range is one of the 16 (start, size) pairs in rva_table; entries whose
; start is 0 are ignored. `pt` counts as inside when
;   start-3 <= pt < start+size      (unsigned; a start below 3 wraps)
; The -3 exists because a dword XOR at pt also touches pt+1..pt+3, so a
; position up to three bytes before the range would still damage it.
; An inside hit protects the position only when the range's entry in
; flag_encode is 0; a non-zero flag means the range is itself encoded and
; the answer is ZF=0. Not inside any range -> ZF=0.
; The flags survive MASM's pop/leave/ret epilogue; decode/encode rely on
; that (they pushf/popf around their own arithmetic before testing ZF).
; check_int3 is a macro defined elsewhere (contents not in view); it is
; kept at the same point in the sequence as before.
;-----------------------------------------------------------------------
isnot? proc stdcall uses eax ecx edx pt
        mov     ecx,0                   ; slot index into rva_table / flag_encode
        mov     edx,pt                  ; edx = RVA under test
        check_int3
is_next:
        mov     eax,dword ptr rva_table[ecx*8][ebx]   ; eax = range start
        test    eax,eax
        jz      is_skip                 ; empty slot
        lea     eax,[eax-3]             ; low bound  = start-3
        cmp     edx,eax
        jb      is_skip                 ; below the range
        add     eax,dword ptr rva_table[ecx*8+4][ebx] ; + size
        lea     eax,[eax+3]             ; high bound = start+size (exclusive)
        cmp     edx,eax
        jae     is_skip                 ; at or past the end
        cmp     dword ptr flag_encode[ecx*4][ebx],0
        jne     is_yes                  ; range is marked encoded: XOR it anyway
        xor     al,al                   ; ZF=1 -> protected, leave alone
        jmp     is_done
is_skip:
        inc     ecx
        cmp     ecx,16
        jb      is_next
is_yes:
        or      al,1                    ; ZF=0 -> may be XORed
is_done:
        ret
isnot? endp
;!!!
;-----------------------------------------------------------------------
; IAT trampoline templates (api1 / api2 / api3).
; proc_iat copies one of these verbatim into an RWX page and patches the
; two imm32 fields at apiN_1+1 and apiN_2+1 (see the `lea ...+1` lines in
; proc_iat); the import slot then points at the copy, not the real API.
; When the packed program calls through the slot:
;   push eax          reserve a stack slot (overwritten below)
;   pushf / push eax  save flags and eax
;   mov eax,imm1 ; op eax,imm2   recompute the real API address
;   mov [esp+6],eax   drop it into the reserved slot
;   pop eax / popf    restore the caller's state
;   ret               pops the reserved slot -> jumps to the real API with
;                     the caller's own return address still on the stack.
; [esp+6] is the reserved slot only if pushf is the 16-bit form (4+2 bytes
; above the second push); MASM emits 16-bit pushf in 32-bit code.
; NOTE(review): assembled with a tool that widens pushf to pushfd, the
; slot moves to [esp+8] and every trampoline jumps to garbage -- check the
; listing if the toolchain changes.
; The byte layout is load-bearing: apiN_len and the +1 immediate offsets
; are derived from these exact encodings. Do not reorder or replace
; instructions here.
;   api1: real = imm1 - imm2     (proc_iat stores addr+rnd,   rnd)
;   api2: real = imm1 xor imm2   (proc_iat stores addr xor rnd, rnd)
;   api3: real = imm1 + imm2     (proc_iat stores addr-rnd,   rnd)
; The constants written below are placeholders; proc_iat always patches
; both fields.
;-----------------------------------------------------------------------
api1:
push eax ;reserve the slot that will receive the real address
pushf
push eax
api1_1 label byte ;imm32 at api1_1+1 <- addr+rnd
mov eax,87264981h
api1_2 label byte ;imm32 at api1_2+1 <- rnd
sub eax,71526384h ;eax = real API address
mov [esp+6],eax ;into the reserved slot (16-bit pushf => +4+2)
pop eax
popf
ret ;jump to the real API
api1_len = $ - offset api1
api2:
push eax ;reserve the slot
pushf
push eax
api2_1 label byte ;imm32 at api2_1+1 <- addr xor rnd
mov eax,41836496h
api2_2 label byte ;imm32 at api2_2+1 <- rnd
xor eax,18932755h ;eax = real API address
mov [esp+6],eax
pop eax
popf
ret
api2_len = $ - offset api2
api3:
push eax ;reserve the slot
pushf
push eax
api3_1 label byte ;imm32 at api3_1+1 <- addr-rnd
mov eax,36384594h
api3_2 label byte ;imm32 at api3_2+1 <- rnd
add eax,92837461h ;eax = real API address
mov [esp+6],eax
pop eax
popf
ret
api3_len = $ - offset api3
;!!!
;-----------------------------------------------------------------------
; checkAPI_thread(para) -- anti-breakpoint watchdog thread.
; para : the shell's relocation delta; loaded into ebx so every [ebx]
;        global below resolves (same convention as the main flow).
; Runs until bit 100b of flag_thread_end is set. Each pass scans the first
; 10 bytes of six Win32 API entry points (the function pointers held in
; f_VirtualProtect .. f_VirtualFree) for a 0CCh byte, i.e. an INT3 a
; debugger may have planted. The result is never reported; it is folded
; into the decryption state instead:
;   clean pass -> set bit 100b of flag_thread_finish, mix esi into check1
;   0CCh seen  -> damage check1/check2, bump the patched key immediates of
;                 decode/encode (dc_edit+1 / ec_edit+1) and decode_key, so
;                 everything decoded afterwards silently comes out wrong.
; int 0f7h is a private software interrupt; its handler is not in view
; (presumably seh1, installed via set_seh here). The main flow's comments
; describe it as "Get and clear DRx" and say it returns in eax.
; Reviewer caveats:
;  * The loop never blocks (no wait/sleep between passes): it burns a core
;    for as long as the process lives.
;  * A 0CCh byte that is a legitimate immediate or displacement inside the
;    API prologue is a false positive; a hardware breakpoint or an inline
;    hook that does not use INT3 is not caught by this scan.
;  * NOTE(review): `inc dword ptr dc_edit+1` / `ec_edit+1` omit the ebx
;    delta, unlike `add dword ptr [ebx][dc_edit+1],eax` in the main flow.
;    They hit the intended immediates only when the shell runs at its link
;    address (ebx == 0) -- confirm this is intended.
; Clobbers eax, ebx, ecx, esi, edi and DF (cld); fine for a thread entry
; point, not for an ordinary callee.
;-----------------------------------------------------------------------
checkAPI_thread proc para
mov ebx,para ;ebx = shell delta for every [ebx] global
lea eax,seh1[ebx]
invoke set_seh,1,eax ;install the shell's SEH handler (presumably what services int 0f7h)
ca0:
test flag_thread_end[ebx],100b
jnz ca9 ;main flow asked us to stop
cld ;scasb must walk forward
ca1:
mov eax,ebx
not eax
int 0f7h ;private interrupt, handler not in view; leaves a value in eax
add check2[ebx],eax
xchg esi,eax ;esi = int result; eax = previous esi (its low byte is replaced next)
mov al,0cch ;byte to look for: INT3
mov edi,f_VirtualProtect[ebx] ;edi = first code byte of the API
mov ecx,10
repne scasb ;ZF=1 if a 0CCh byte is among the first 10 bytes
je ca5
mov edi,f_VirtualProtectEx[ebx]
mov ecx,10
repne scasb
je ca5
mov edi,f_CreateThread[ebx]
mov ecx,10
repne scasb
je ca5
mov edi,f_VirtualAlloc[ebx]
mov ecx,10
repne scasb
je ca5
mov edi,f_LoadLibrary[ebx]
mov ecx,10
repne scasb
je ca5
mov edi,f_VirtualFree[ebx]
mov ecx,10
repne scasb
je ca5
or flag_thread_finish[ebx],100b ;clean pass: report completion
xor check1[ebx],esi
jmp ca6
ca5: ;breakpoint seen: silently corrupt the decryption state
sub check1[ebx],eax ;eax = old esi with al=0CCh
inc dword ptr dc_edit+1 ;NOTE(review): no [ebx] delta (cf. main flow)
inc dword ptr ec_edit+1 ;NOTE(review): same
add check2[ebx],eax
inc decode_key[ebx]
; lea eax,ttt[ebx]
; push MB_OK
; push eax
; push eax
; push 0
; call f_MessageBox[ebx]
ca6:
jmp ca0 ;no wait: immediate rescan
ca9:
invoke set_seh,0,0 ;remove the handler
or flag_thread_exit[ebx],100b ;tell the main flow we are gone
ret
checkAPI_thread endp
;-----------------------------------------------------------------------
; decode(p_offs, p_size, base, xz) -- sliding-dword XOR over a region.
; Region: bytes [base+p_offs+xz, base+p_offs+xz+p_size).
; For i = 0 .. p_size-4: if isnot?(p_offs+i) answers ZF=0 (the position is
; not inside a range that flag_encode marks as protected), the dword at
; base+p_offs+xz+i is XORed with the running key and the key is advanced
; by 7. Protected positions are skipped *without* advancing the key.
; Every byte except the last three is therefore hit by up to four
; overlapping XORs; applying the same sequence again undoes it (encode is
; the same loop). Regions shorter than 4 bytes are left untouched.
; The initial key is the imm32 at dc_edit+1, rewritten at run time (the
; main flow adds hEvent to it, checkAPI_thread increments it when it sees
; a breakpoint), so the `mov eax,imm32` encoding must stay exactly here.
; isnot? preserves eax/ecx/edx (its `uses` list), so the key and the loop
; counter survive each call -- provided the check_int3 macro (contents not
; in view) does the same.
; xz is the distance between the value handed to isnot? (p_offs+i, an RVA
; judging by rva_table) and the offset actually patched; the only caller
; in view passes 0.
;-----------------------------------------------------------------------
decode proc stdcall uses esi ecx edx edi p_offs,p_size,base,xz
; ret
dc0:
mov ecx,p_size
cmp ecx,4
jb dc9 ;fewer than 4 bytes: nothing to do
sub ecx,3 ;ecx = number of dword positions (last one starts 3 bytes before the end)
mov esi,p_offs
add esi,xz ;esi = offset of the current position (RVA + xz)
check_int3
mov edx,base
dc_edit label byte ;!!! imm32 below is patched at run time (the key)
mov eax,'jdsg' ;!!! placeholder; the real key is written into dc_edit+1
dc1:
sub esi,xz ;hand isnot? the RVA
invoke isnot?,esi
pushf ;keep isnot?'s ZF across the add
add esi,xz
popf
jz @f ;ZF=1: protected range -> skip, key not advanced
push eax
mov eax,-1
;int 0f7h
mov edi,eax ;NOTE(review): edi is never read again (restored by `uses edi`) --
pop eax ;  this block and the commented-out int 0f7h / xor look like an abandoned second key
xor [esi+edx],eax ;XOR the dword at this position with the running key
; ror eax,7
add eax,7 ;advance the key
;xor [esi+edx],edi
@@:
inc esi
loop dc1
dc9:
ret
decode endp
;-----------------------------------------------------------------------
; encode(p_offs, p_size, base, xz) -- inverse/twin of decode.
; Same sliding-dword XOR as decode (see its header): for each position
; i = 0 .. p_size-4 that isnot?(p_offs+i) does not protect, XOR the dword
; at base+p_offs+xz+i with the running key and add 7 to the key. Regions
; shorter than 4 bytes are untouched.
; Differences from decode:
;  * ebx is saved and forced to 0, so rva_table/flag_encode inside isnot?
;    are read with a zero delta (i.e. at their link addresses) -- suggests
;    this runs in the packer itself rather than in the relocated shell,
;    but that is not visible here.
;  * the key placeholder lives at ec_edit+1; checkAPI_thread increments it
;    when it sees a breakpoint, so the `mov eax,imm32` encoding must stay.
;  * no check_int3 and no edi scratch block.
;-----------------------------------------------------------------------
encode proc stdcall uses ebx esi ecx edx p_offs,p_size,base,xz
; ret
mov ebx,0 ;zero delta for every [ebx] global reached from here
mov ecx,p_size
cmp ecx,4
jb ec9 ;fewer than 4 bytes: nothing to do
sub ecx,3 ;ecx = number of dword positions
mov esi,p_offs
add esi,xz ;esi = offset of the current position
mov edx,base
ec_edit label byte ;!!! imm32 below is patched at run time (the key)
mov eax,'jdsg' ;!!! placeholder key, real value written into ec_edit+1
ec1:
sub esi,xz ;hand isnot? the RVA
invoke isnot?,esi
pushf ;keep isnot?'s ZF across the add
add esi,xz
popf
jz @f ;protected range -> skip without advancing the key
xor [esi+edx],eax ;XOR the dword at this position with the running key
; ror eax,7
add eax,7 ;advance the key
@@:
inc esi
loop ec1
ec9:
ret
encode endp
;-----------------------------------------------------------------------
; move_memory -- overlap-safe byte copy (memmove).
; In : esi = source, edi = destination, ecx = byte count
; Out: the ecx bytes at esi are copied to edi; esi/edi/ecx are advanced
;      by the string instruction (not preserved). eflags including DF are
;      restored on exit.
; Does nothing when ecx is 0 or when source and destination coincide.
; When the source lies below the destination the two may overlap in the
; direction a forward copy would clobber, so the copy runs backwards from
; the last byte (DF set); otherwise it runs forwards.
; check_int3_0 is a macro defined elsewhere (contents not in view) and is
; kept at the same point in the sequence.
;-----------------------------------------------------------------------
move_memory proc
        test    ecx,ecx
        jz      mm_done                 ; nothing to copy
        cmp     esi,edi
        je      mm_done                 ; src == dst
        check_int3_0
        pushf                           ; DF is restored on the way out
        cld
        cmp     esi,edi
        jae     mm_copy                 ; src above dst: forward copy is safe
        lea     esi,[esi+ecx-1]         ; src below dst: start from the last byte
        lea     edi,[edi+ecx-1]
        std                             ; ...and walk backwards
mm_copy:
        rep     movsb
        popf
mm_done:
        ret
move_memory endp
;-----------------------------------------------------------------------
; proc_iat -- hide one resolved import behind a randomly chosen
; address-recovering trampoline (templates api1/api2/api3 above).
; In : eax = real API address (what get_func_address returned)
; Out: eax = value to store in the IAT slot: the freshly written
;      trampoline, or the untouched input when 4 or more of the callee's
;      first 9 bytes are zero (heuristic; its purpose is not stated here).
; State: rnd (PRNG word), iat_pt / iat_size0 (current RWX page and the
;        number of bytes still free in it).
; Steps:
;  1. count zero bytes in eax[0..9); >= 4 -> return eax unchanged.
;  2. advance rnd: rnd++ ; rnd = rol(rnd,5) + ror(rnd,17); re-roll if the
;     result is 0 (the `jz` reads the flags of that add -- mov leaves them).
;  3. rnd & 3 picks the template: 0 -> api1 (stores addr+rnd, rnd),
;     1 -> api3 (addr-rnd, rnd), 2 or 3 -> api2 (addr xor rnd, rnd).
;     ebp = template, ecx/edx = addresses of its two imm32 fields,
;     esi = obfuscated address, edi = rnd, top of stack = template length.
;  4. if fewer than max(api1_len, api2_len, api3_len) bytes are left in
;     the current page, VirtualAlloc a fresh 4096-byte
;     PAGE_EXECUTE_READWRITE page (MEM_TOP_DOWN) and abandon the rest of
;     the old one. NOTE(review): the return value is not checked; on
;     failure eax is 0 and step 5 writes to address 0+offset.
;  5. copy the template into the page, bump iat_pt, patch the two
;     immediates at (ecx-ebp) and (edx-ebp) with esi and edi.
; Security note: the trampoline pages stay writable+executable for the
; life of the process (never VirtualProtect'ed down to RX) -- a W^X / EDR
; red flag and a convenient patch target; a full page could be downgraded
; without changing behaviour.
; check_int3_0 (macro, not in view) sits between `cmp edx,4` and the `jb`
; that consumes its flags, so the macro is assumed to preserve flags --
; verify.
; Clobbers eax (the result) and flags; ecx edx esi edi ebp are restored.
;-----------------------------------------------------------------------
proc_iat proc uses ecx edx esi edi ebp
mov esi,eax ;esi = callee's first byte
mov ecx,9
mov edx,0 ;edx = zero-byte count
pi00:
cmp byte ptr [esi],0
jne @f
inc edx
@@:
inc esi
loop pi00
cmp edx,4 ;4 or more zero bytes in the first 9 -> leave the import alone
check_int3_0 ;assumed flag-preserving (see header)
jb pi0
;call disp1
jmp pi9 ;eax still holds the original address
pi0:
mov esi,eax ;esi = real address (obfuscated below)
pi1:
inc rnd[ebx] ;advance the PRNG
mov eax,rnd[ebx]
rol eax,5
mov edx,rnd[ebx]
ror edx,17
add eax,edx ;flags of this add feed the jz below
mov rnd[ebx],eax
jz pi1 ;never accept a zero rnd
and eax,3 ;template selector
cmp eax,0
jne @f
lea ebp,api1[ebx] ;api1: real = imm1 - imm2
lea ecx,api1_1+1[ebx] ;ecx -> imm1 field
lea edx,api1_2+1[ebx] ;edx -> imm2 field
mov edi,rnd[ebx]
add esi,edi ;imm1 = addr + rnd
push api1_len
jmp pi5
@@:
cmp eax,1
jne @F
lea ebp,api3[ebx] ;api3: real = imm1 + imm2
lea ecx,api3_1+1[ebx]
lea edx,api3_2+1[ebx]
mov edi,rnd[ebx]
sub esi,edi ;imm1 = addr - rnd
push api3_len
jmp pi5
@@:
lea ebp,api2[ebx] ;api2 (selector 2 or 3): real = imm1 xor imm2
lea ecx,api2_1+1[ebx]
lea edx,api2_2+1[ebx]
mov edi,rnd[ebx]
xor esi,edi ;imm1 = addr xor rnd
push api2_len
pi5:
cmp iat_size0[ebx],api1_len ;room for the largest template?
jb pi6
cmp iat_size0[ebx],api2_len
jb pi6
cmp iat_size0[ebx],api3_len
jae pi8
pi6:
push ecx
push edx
push PAGE_EXECUTE_READWRITE ;W+X page, never downgraded (see header)
push MEM_COMMIT or MEM_TOP_DOWN
push 4096
push 0
call f_VirtualAlloc[ebx]
mov iat_pt[ebx],eax ;NOTE(review): eax==0 on failure is not checked
mov iat_size0[ebx],4096 ;remainder of the previous page is abandoned
pop edx
pop ecx
pi8:
pop eax ;eax = template length
sub iat_size0[ebx],eax
push ecx
push edx
push esi
mov ecx,eax
mov eax,iat_pt[ebx] ;eax = trampoline address (the result)
add iat_pt[ebx],ecx ;next trampoline goes right behind this one
mov esi,0
pi81:
mov dl,ds:[ebp+esi] ;byte-copy the template
mov [eax+esi],dl
inc esi
loop pi81
pop esi
pop edx
pop ecx
sub ecx,ebp ;offset of imm1 inside the template
sub edx,ebp ;offset of imm2
mov dword ptr [eax+ecx],esi ;imm1 = obfuscated address
mov dword ptr [eax+edx],edi ;imm2 = rnd
pi9:
ret
proc_iat endp
;-----------------------------------------------------------------------
; decode_thread(para) -- worker that byte-XORs a code range in place.
; para : shell delta -> ebx (every [ebx] global below).
; Busy-polls until bit 10b of flag_thread_active is set, then decodes
; [decode_start, decode_end + r), where r is whatever int 0f7h left in
; eax. The main flow points decode_start/decode_end at _ok/__ok, i.e. this
; thread unwraps the loader's own code before the loader runs it.
; Per byte:  [esi] ^= al ; eax++ ; ror eax,7 ; eax = int0f7h() + eax
; so every key step mixes in the int 0f7h result, which the main flow's
; comments describe as DRx state: a hardware breakpoint changes the key
; stream and the decoded code comes out wrong. Afterwards the active bit
; is cleared, bit 10b of flag_thread_finish is set, and the thread goes
; back to polling. It leaves when bit 10b of flag_thread_end is set:
; clears the active bit, drops the SEH frame, sets bit 10b of
; flag_thread_exit.
; Synchronisation is flag polling only; nothing guards decode_start/_end/
; _key against the main thread writing them while this thread reads them.
; int 0f7h's handler is not in view (presumably seh1 installed here).
; Clobbers eax, ebx, edx, esi, edi.
;-----------------------------------------------------------------------
decode_thread proc para
mov ebx,para ;ebx = shell delta
lea eax,seh1[ebx]
invoke set_seh,1,eax ;install the shell's SEH handler
dt0:
@@:
test flag_thread_end[ebx],10b
jnz dt9 ;asked to stop
test flag_thread_active[ebx],10b
jz @b ;nothing to decode yet: spin
;.......
mov esi,decode_start[ebx] ;esi = first byte to decode
mov eax,esi
int 0f7h ;private interrupt, returns a value in eax
mov edi,decode_end[ebx]
add edi,eax ;edi = end (exclusive) = decode_end + int result
mov eax,decode_key[ebx] ;eax = running key
@@:
cmp esi,edi
jae @f
xor [esi],al ;decode one byte with the low key byte
inc eax
ror eax,7
mov edx,eax
int 0f7h ;mix the interrupt's result into the key
add eax,edx
inc esi
jmp @b
@@:
and flag_thread_active[ebx],0fffffffdh ;clear the request bit
or flag_thread_finish[ebx],10b ;signal completion to the main flow
jmp dt0
dt9:
and flag_thread_active[ebx],0fffffffdh
invoke set_seh,0,0 ;remove the handler
or flag_thread_exit[ebx],10b ;tell the main flow we are gone
ret
decode_thread endp
;-----------------------------------------------------------------------
; clear_string(string) -- overwrite a NUL-terminated string with zeros.
; string : address of the string. The main flow calls this right after
;          LoadLibrary / get_func_address with the DLL and function name
;          it just used, so the names do not survive in a memory dump.
; Bytes are zeroed up to (not including) the terminating NUL. A pointer
; with bit 31 set is never dereferenced: the import walker passes ordinal
; imports through as the raw 8000xxxxh dword, and this guard keeps that
; from being treated as an address. eax is preserved (`uses`), flags are
; saved on entry and restored on exit.
; check_int3 is a macro defined elsewhere (contents not in view); it runs
; once before the flags are restored, as before.
;-----------------------------------------------------------------------
clear_string proc uses eax string
        pushf
        mov     eax,string
        jmp     cs_check
cs_wipe:
        mov     byte ptr [eax],0        ; zero this byte and move on
        inc     eax
cs_check:
        test    eax,80000000h
        jnz     cs_stop                 ; refuse to touch bit-31 "pointers"
        cmp     byte ptr [eax],0
        jne     cs_wipe                 ; terminator not reached yet
cs_stop:
        check_int3
        popf
        ret
clear_string endp
firstrun:
lea eax,event_name[ebx]
push eax
push 0
push 0
push 0
call f_CreateEvent[ebx]
mov hEvent[ebx],eax
lea eax,pi[ebx] ;PROCESS_INFORMATION
push eax
lea eax,_si[ebx]
push eax
push 0
push 0
push 0
push 0
push 0
push 0
call f_GetCommandLine[ebx]
push eax
push 0
call f_CreateProcess[ebx]
cmp eax,0
je create_process_fail
push INFINITE
push dword ptr pi[0][ebx]
call f_WaitForSingleObject[ebx] ;等待进程结束
lea eax,proc_exit_code[ebx]
push eax
push dword ptr pi[0][ebx]
call f_GetExitCodeProcess[ebx]
push dword ptr pi[4][ebx]
call f_CloseHandle[ebx]
push dword ptr [pi+0][ebx]
call f_CloseHandle[ebx]
push dword ptr hEvent[ebx]
call f_CloseHandle[ebx]
jmp error_exit
mov eax,exitcode[ebx]
cmp proc_exit_code[ebx],eax ;;;312321
je _ok
jne error_exit
_ok:
cc:
call cc1 ;!!!
cc1: ;!!!
pop ebx
sub ebx,offset cc1
jmp @@1000
;;;call disp ;;;;;;;;;;;;;;;
@@1000:
;call disp1
mov edx,hModule[ebx]
mov esi,[edx+3ch]
lea esi,[esi+edx+0f8h]
mov edi,esi
@@:
imul esi,number_of_section[ebx],28h
add esi,edi
jmp @@10
cmp dword ptr [esi+0ch],0
je @@100
cmp dword ptr [esi+08h],0
je @@100
add esi,28h
jmp @b
@@100:
sub esi,28h
@@10:
sub esi,28h
cmp esi,edi
jb @@19
push edx
lea eax,old_protect_flag[ebx]
push eax
mov eax,hEvent[ebx]
push PAGE_READWRITE
add dword ptr [ebx][dc_edit+1],eax
mov eax,[esi+8]
test hEvent1[ebx],0ffffffffh
jz @@18
push eax
mov eax,[esi+0ch]
add eax,edx
push eax
call f_VirtualProtect[ebx]
pop edx
push old_protect_flag[ebx]
mov eax,dword ptr ttt[ebx]
int 0f7h
add dword ptr cc20[ebx],eax
jmp @@15
mov ecx,[edx+3ch]
lea ecx,[ecx+edx+0a8h]
mov eax,[ecx]
cmp eax,0
je @f
add eax,[ecx+4]
cmp eax,[esi+0ch]
jb @f
mov eax,[esi+0ch]
add eax,[esi+8]
cmp eax,[ecx]
ja @@18
@@:
mov ecx,[edx+3ch]
lea ecx,[ecx+edx+88h]
mov eax,[ecx]
cmp eax,0
je @f
add eax,[ecx+4]
cmp eax,[esi+0ch]
jb @f
mov eax,[esi+0ch]
add eax,[esi+8]
cmp eax,[ecx]
ja @@18
@@:
mov ecx,[edx+3ch]
lea ecx,[ecx+edx+0c0h]
mov eax,[ecx]
cmp eax,0
je @f
add eax,[ecx+4]
cmp eax,[esi+0ch]
jb @f
mov eax,[esi+0ch]
add eax,[esi+8]
cmp eax,[ecx]
ja @@18
@@:
@@15:
sub dword ptr cc2[ebx],eax
mov eax,[esi+8]
sub edx,check2[ebx]
cmp eax,[esi+10h]
jbe @f
mov eax,[esi+10h]
@@:
mov ecx,[esi+0ch]
;;;;;add ecx,edx
invoke decode,ecx,eax,edx,0
@@18:
jmp @@10
@@19:
;;;call disp1
;call disp1
;process the import table
iat:
mov edx,hModule[ebx]
mov esi,[edx+3ch]
mov esi,iat_offs[ebx] ;;;[esi+edx+80h] ;import table
cmp esi,0
je cc3
cc2:
mov eax,[esi+edx+0ch] ;dll name
cmp eax,0
je cc3
add eax,edx
push edx
push eax
push eax
call f_LoadLibrary[ebx]
call clear_string
pop edx
mov ecx,eax
mov edi,[esi+edx+10h] ;func name
add edi,edx
push esi
mov eax,[esi+edx+0]
cmp eax,0
jne @f
mov eax,[esi+edx+10h]
@@:
mov esi,eax
test hEvent1[ebx],0ffffffffh
jz cc20
add esi,edx
cc20:
cmp dword ptr [esi],0
je cc21
mov eax,dword ptr [esi]
test eax,80000000h
jnz @f
cmp eax,ecx
jae @f
add eax,edx
add eax,2
@@:
push eax
push eax
push ecx
call get_func_address
call clear_string
cmp eax,0
je @f
call proc_iat
mov [edi],eax
@@:
mov eax,hEvent[ebx]
add [edi],eax
add edi,4
test threadID[ebx],0ffffffffh
jz cc21
add esi,4
jmp cc20
cc21:
pop esi
add esi,14h
jmp cc2
cc3:
mov eax,hEvent[ebx]
mov edi,iat_offs[ebx]
add edi,edx
mov ecx,iat_size[ebx]
xor shell_eip[ebx],eax
mov al,0
; rep stosb ;wipe the import table -- disabled: some programs do not run correctly without it
; call clear_import_table
;process the relocation table
;
mov edx,hModule[ebx]
mov esi,[edx+3ch]
mov esi,reloc_offs[ebx] ;;;[esi+edx+0a0h] ;reloc table
cmp esi,0
je rl2
lea esi,[esi+edx]
rl1:
cmp dword ptr [esi],0
je rl2
push esi
mov edi,[esi]
mov ecx,[esi+4]
sub ecx,8
shr ecx,1
rt12:
movzx eax,word ptr [esi+8]
push eax
and ax,0011000000000000b
cmp ax,0011000000000000b
pop eax
jne @f
and ax,0000111111111111b
add eax,edi
add dword ptr[eax+edx],edx
push ecx
mov ecx, dword ptr image_base[ebx]