CryptSize=section.SizeOfRawData;
if(dwMode==0)// (ebx is a parameter)
{
CryptStart=section.PointerToRawData;
EncryptBuff(Base,CryptStart,CryptSize);
}
else
{
CryptStart=section.VirtualAddress;
DecryptBuff(Base,CryptStart,CryptSize);
}
}
}
}
//----------------------------------------------------------------
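void CryptFile(char* szFname,DWORD dwProtFlags)
{
    // Packs the PE file at szFname in place.  The whole file is read into a
    // heap buffer (pMem) that is large enough for the extra section, the
    // bound-import and IAT directories are cleared, the original import table
    // is processed, a new section holding the packer import table and the
    // loader stub is appended, the sections are encrypted, the PE header is
    // patched and the buffer is written back over the input file.
    // dwProtFlags is stored in PROTECTION_FLAGS for the loader to read.
    // Every error path reports through ShowErr() and releases hFile and pMem;
    // the file on disk is only touched once all in-memory steps succeeded.
    // Note: all state except the local headers lives in file-scope globals
    // (hFile, dwFsize, pMem, dwNTHeaderAddr, ...), so this function is not
    // reentrant.
    DEPACKER_CODE_SIZE=GetFunctionSize(PE_LOADER_CODE);
    InitRandom();
    //----- MAP THE FILE -----
    hFile=CreateFile(szFname,
                     GENERIC_WRITE | GENERIC_READ,
                     FILE_SHARE_WRITE | FILE_SHARE_READ,
                     NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
    if(hFile==INVALID_HANDLE_VALUE)
    {
        ShowErr(FileErr);
        return;
    }
    dwFsize=GetFileSize(hFile,0);
    // INVALID_FILE_SIZE is GetFileSize's error value; treating it as a real
    // size would make dwOutPutSize wrap below.  A file shorter than the DOS
    // header (0x40 bytes) cannot hold e_lfanew, which is read at offset 0x3c.
    if(dwFsize == 0 || dwFsize == INVALID_FILE_SIZE || dwFsize < 0x40)
    {
        CloseHandle(hFile);
        ShowErr(FsizeErr);
        return;
    }
    dwOutPutSize=dwFsize+IT_SIZE+DEPACKER_CODE_SIZE+ALIGN_CORRECTION;
    pMem=(char*)GlobalAlloc(GMEM_FIXED | GMEM_ZEROINIT,dwOutPutSize);
    if(pMem == NULL)
    {
        CloseHandle(hFile);
        ShowErr(MemErr);
        return;
    }
    // A short or failed read would leave the header checks below looking at
    // the zero-filled tail of the buffer, so it is an error here.
    if(!ReadFile(hFile,pMem,dwFsize,&dwBytesRead,NULL) || dwBytesRead!=dwFsize)
    {
        GlobalFree(pMem);
        CloseHandle(hFile);
        ShowErr(FileErr);
        return;
    }
    // ----- check the PE Signature and get some needed values -----
    // Both bytes must match; the original '&&' only rejected a file where
    // both bytes were wrong.
    if((pMem[0]!='M')||(pMem[1]!='Z'))
    {
        GlobalFree(pMem);
        CloseHandle(hFile);
        ShowErr(PEErr);
        return;
    }
    CopyMemory(&dwNTHeaderAddr,pMem+0x3c,4);
    // e_lfanew comes from the file: make sure the complete IMAGE_NT_HEADERS
    // lies inside the bytes actually read before dereferencing through it.
    // The subtraction form avoids overflow for a huge e_lfanew.
    if(dwNTHeaderAddr > dwFsize ||
       dwFsize-dwNTHeaderAddr < sizeof(IMAGE_NT_HEADERS))
    {
        GlobalFree(pMem);
        CloseHandle(hFile);
        ShowErr(PEErr);
        return;
    }
    if((pMem[dwNTHeaderAddr]!='P')||(pMem[dwNTHeaderAddr+1]!='E'))
    {
        GlobalFree(pMem);
        CloseHandle(hFile);
        ShowErr(PEErr);
        return;
    }
    IMAGE_NT_HEADERS nt_headers;
    // Update local IMAGE_NT_HEADERS variable
    CopyMemory(&nt_headers,pMem+dwNTHeaderAddr,sizeof(IMAGE_NT_HEADERS));
    dwOrgITRVA=nt_headers.OptionalHeader.DataDirectory[1].VirtualAddress;
    dwSectionNum=nt_headers.FileHeader.NumberOfSections;
    if(dwSectionNum > MAX_SECTION_NUM)
    {
        // This path previously leaked pMem and hFile.
        GlobalFree(pMem);
        CloseHandle(hFile);
        ShowErr(SecNumErr);
        return;
    }
    dwOrgEntryPoint=nt_headers.OptionalHeader.AddressOfEntryPoint;
    dwImageBase=nt_headers.OptionalHeader.ImageBase;
    //----- DELETE Bound Import & IAT DIRECTORIES -----
    // nt_headers is still a fresh copy of the header here (nothing wrote to
    // pMem since the copy above), so it is edited directly and written back.
    nt_headers.OptionalHeader.DataDirectory[11].VirtualAddress=0;
    nt_headers.OptionalHeader.DataDirectory[11].Size=0;
    nt_headers.OptionalHeader.DataDirectory[12].VirtualAddress=0;
    nt_headers.OptionalHeader.DataDirectory[12].Size=0;
    CopyMemory(pMem+dwNTHeaderAddr,&nt_headers,sizeof(IMAGE_NT_HEADERS));
    //----- ENCRYPT DLL/API NAMES & SAVE IT & DESTROY IID's -----
    DWORD dwOrgITRO=RVA2Offset(pMem,dwOrgITRVA);
    if(ProcessOrgIT(pMem,dwOrgITRO)==0)
    {
        GlobalFree(pMem);
        CloseHandle(hFile);
        ShowErr(IIDErr);
        return;
    }
    //----- ADD THE PACKER SECTION -----
    PIMAGE_SECTION_HEADER pnewsection;
    IMAGE_SECTION_HEADER newsection;
    pnewsection=AddSection(pMem);// assume -> IMAGE_SECTION_HEADER
    // The NULL check must come before the copy; the original dereferenced
    // pnewsection first.
    if(pnewsection==NULL)
    {
        GlobalFree(pMem);
        CloseHandle(hFile);
        ShowErr(NoRoom4SectionErr);
        return;
    }
    newsection=*pnewsection;
    pnewsection=NULL;
    // Update local IMAGE_NT_HEADERS variable
    CopyMemory(&nt_headers,pMem+dwNTHeaderAddr,sizeof(IMAGE_NT_HEADERS));
    // NOTE(review): if CopyFunction() returns a buffer of its own rather than
    // filling pDepackerCode, this allocation is lost immediately — confirm
    // against CopyFunction and drop one of the two.
    pDepackerCode=new TCHAR[DEPACKER_CODE_SIZE];
    pDepackerCode=CopyFunction(PE_LOADER_CODE);
    GetOepJumpCodeRO(pDepackerCode);
    GetLoaderCryptRO(pDepackerCode);
    //----- CREATE PACKER IMPORT TABLE -----
    dwNewSectionRO=newsection.PointerToRawData;
    AssembleIT(pMem,dwNewSectionRO,newsection.VirtualAddress);
    //---- REPLACE TLS TABLE -----
    ProcessTlsTable(pMem,newsection.VirtualAddress);
    //------ ENCRYPT THE SECTIONS -----
    // generate PER
    SecEncryptBuff=new TCHAR[SEC_PER_SIZE];
    SecDecryptBuff=new TCHAR[SEC_PER_SIZE];
    MakePER(SecEncryptBuff,SecDecryptBuff,SEC_PER_SIZE);
    CopyMemory(pDepackerCode+dwRO_SEC_DECRYPT,
               SecDecryptBuff,
               SEC_PER_SIZE);
    // encrypt !
    CryptPE(pMem,0);
    // ----- UPDATE PE HEADER -----
    // ImportTable RVA ...
    // Update local IMAGE_NT_HEADERS variable
    CopyMemory(&nt_headers,pMem+dwNTHeaderAddr,sizeof(IMAGE_NT_HEADERS));
    nt_headers.OptionalHeader.DataDirectory[1].VirtualAddress=newsection.VirtualAddress;
    // EntryPoint...
    nt_headers.OptionalHeader.AddressOfEntryPoint=newsection.VirtualAddress+IT_SIZE;
    // SizeOfImage ...
    nt_headers.OptionalHeader.SizeOfImage=newsection.VirtualAddress+newsection.Misc.VirtualSize;
    CopyMemory(pMem+dwNTHeaderAddr,&nt_headers,sizeof(IMAGE_NT_HEADERS));//-> pointer to PE header
    // ----- CALCULATE THE NEW EOF -----
    dwNewFileEnd=dwNewSectionRO+IT_SIZE+DEPACKER_CODE_SIZE;
    // ----- COPY LOADER CODE TO FILE MEMORY & DO CHECKSUM STUFF ------
    // Raw offset of the loader stub inside the new section (after the IT).
    DWORD dwRO_yC=dwNewSectionRO+IT_SIZE;
    PROTECTION_FLAGS=dwProtFlags;// save protection flags...
    AllocateLoaderVariables(pDepackerCode);
    //----- ENCRYPT OEP JUMP CODE -----;
    OepJumpEncrypt(pDepackerCode);
    //----- ENCRYPT LOADER -----
    // generate PER
    // The section PER buffers above have been consumed (copied into the
    // loader and used by CryptPE); release them before reusing the globals.
    delete[] SecEncryptBuff;
    delete[] SecDecryptBuff;
    SecEncryptBuff=new TCHAR[VAR_PER_SIZE];
    SecDecryptBuff=new TCHAR[VAR_PER_SIZE];
    MakePER(SecEncryptBuff,SecDecryptBuff,VAR_PER_SIZE);
    CopyMemory(pDepackerCode+dwRO_VAR_DECRYPTION,
               SecDecryptBuff,
               VAR_PER_SIZE);
    // encryption !
    EncryptBuff(pDepackerCode,
                dwRO_VAR_DECRYPTION+0x3+VAR_PER_SIZE,
                DEPACKER_CODE_SIZE-
                (dwRO_VAR_DECRYPTION+0x04+VAR_PER_SIZE
                +sizeof(IMAGE_TLS_DIRECTORY32)+0x08));
    CopyMemory(pMem+dwRO_yC,pDepackerCode,DEPACKER_CODE_SIZE);
    //----- CALCULATE CHECKSUM -----
    dwOrgChecksum=GetChecksum(pMem,dwRO_yC+dwRO_OEP_JUMP_CODE_START-1);
    //----- PASTE CHECKSUM ------
    CopyMemory(pMem+dwRO_yC+dwRO_dwOrgChecksum,&dwOrgChecksum,4);
    // ----- WRITE FILE MEMORY TO DISK -----
    SetFilePointer(hFile,0,NULL,FILE_BEGIN);
    // A failed or short write used to be reported as success; the file may
    // now be partially overwritten, so tell the user instead of "done".
    if(!WriteFile(hFile,pMem,dwOutPutSize,&dwBytesWritten,NULL) ||
       dwBytesWritten!=dwOutPutSize)
    {
        GlobalFree(pMem);
        CloseHandle(hFile);
        ShowErr(FileErr);
        return;
    }
    // ------ FORCE CALCULATED FILE SIZE ------
    SetFilePointer(hFile,dwNewFileEnd,NULL,FILE_BEGIN);
    SetEndOfFile(hFile);
    MessageBox(GetActiveWindow(),szDone,szDoneCap,MB_ICONINFORMATION);
    // ----- CLEAN UP -----
    GlobalFree(pMem);
    CloseHandle(hFile);
}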
//----------------------------------------------------------------
void PE_LOADER_CODE()
{
_asm
{
//----------------------------------------------------------
//-------------- START OF THE PE LOADER CODE ---------------
DepackerCode:
PUSHAD
// get base ebp
CALL CallMe
CallMe:
POP EBP
SUB EBP,OFFSET CallMe
//----------------------------------------------------------
//---------------- DECRYPT LOADER VARIABLES ----------------
MOV ECX,OFFSET LOADER_CRYPT_END
SUB ECX,OFFSET LOADER_CRYPT_START//ecx->CRYPT_LOADER_SIZE
MOV EDX,EBP
ADD EDX,OFFSET LOADER_CRYPT_START
LEA EDI,[EDX]
MOV ESI,EDI
XOR EAX,EAX
JMP VarDecryptionLoop
INT 3
INT 3
INT 3
INT 3
VarDecryptionLoop:
LODS BYTE PTR DS:[ESI]
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
STOS BYTE PTR ES:[EDI]
LOOP VarDecryptionLoop
LOADER_CRYPT_START:
//----------------------------------------------------------
//---------------------- DETECT WinNT ----------------------
MOV EDX,EBP
ADD EDX,OFFSET _RO_bNT
MOV EAX,[ESP+020h]
INC EAX
JS NoNT
MOV DWORD PTR [EDX], 1
JMP IsNT
NoNT:
MOV DWORD PTR [EDX], 0
IsNT:
//----------------------------------------------------------
//----------------- Get CRC OF LOADER CODE -----------------
MOV EDX,EBP
ADD EDX,OFFSET DepackerCode
LEA EAX,DWORD PTR [EDX]
//OFFSET OEP_JUMP_CODE_START - OFFSET DepackerCode
MOV ECX,OFFSET OEP_JUMP_CODE_START
SUB ECX,OFFSET DepackerCode
CALL _GetCheckSum
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwLoaderCRC
MOV DWORD PTR [EDX], EAX
//----------------------------------------------------------
//------------------------ SI Check 1 ----------------------
//.IF [EBP+PROTECTION_FLAGS]== CHECK_SI_FLAG
MOV EDX,EBP
ADD EDX,OFFSET _RO_PROTECTION_FLAGS
TEST DWORD PTR [EDX],CHECK_SI_FLAG
JZ SkipSICheck
// install SEH frame
MOV EDX,EBP
ADD EDX,OFFSET _RO_SEH
LEA ESI,[EDX]
//ASSUME ESI : PTR sSEH
MOV EDX,EBP
ADD EDX,OFFSET SICheck1_SP
LEA EAX,[EDX]
MOV DWORD PTR DS:[ESI+8],EAX//[ESI].SaveEip
//ASSUME ESI : NOTHING
MOV EDI,EBP
MOV EDX,EBP
ADD EDX,OFFSET SehHandler1
LEA EAX,[EDX]
XOR EBX,EBX
PUSH EAX
PUSH DWORD PTR FS:[EBX]
MOV DWORD PTR FS:[EBX], ESP
// 0 - SI not found
// 1 - SI found
MOV AX,04h
JMP SM1
INT 3//DB 0FFh
SM1:
INT 3
SICheck1_SP:
MOV EBP, EDI
// uninstall SEH frame
XOR EBX, EBX
POP DWORD PTR FS:[EBX]
ADD ESP, 4
//.IF AL != 4
CMP AL,4
JE SkipSICheck
// exit
JMP SM2
INT 3//DB 0E9h
SM2: POPAD
RETN
//.ENDIF
SkipSICheck:
//.ENDIF
//----------------------------------------------------------
//----------------- GET BASE API ADDRESSES -----------------
// find the ImageImportDescriptor and grab dll addresses
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwImageBase
MOV EAX,DWORD PTR [EDX]
ADD EAX,[EAX+03Ch]
ADD EAX,080h
MOV ECX,DWORD PTR [EAX] // ecx contains the VirtualAddress of the IT
ADD ECX,DWORD PTR [EDX]
ADD ECX,010h //ecx points to the FirstThunk address of the IID
MOV EAX,DWORD PTR [ECX]
ADD EAX,DWORD PTR [EDX]
MOV EBX,DWORD PTR [EAX]
MOV EDX,EBP
ADD EDX,OFFSET _RO_LoadLibrary
MOV [EDX],EBX
ADD EAX,04h
MOV EBX,DWORD PTR [EAX]
MOV EDX,EBP
ADD EDX,OFFSET _RO_GetProcAddress
MOV DWORD PTR [EDX],EBX
//----- GET ALL OTHER API ADDRESSES -----
// get kernel base
MOV EDX,EBP
ADD EDX,OFFSET _RO_szKernel32
LEA EAX,[EDX]
PUSH EAX
MOV EDX,EBP
ADD EDX,OFFSET _RO_LoadLibrary
CALL [EDX]
MOV EDX,EBP
ADD EDX,OFFSET _RO_dwKernelBase
MOV ESI,EAX // esi -> kernel base
MOV DWORD PTR [EDX], EAX
//KernelBase=LoadLibrary(szKernel32);
//-> GetModuleHandle
MOV EDX,EBP
ADD EDX,OFFSET _RO_szGetModuleHandle
LEA EAX,[EDX]
CALL DoGetProcAddr
MOV EDX,EBP
ADD EDX,OFFSET _RO_GetModuleHandle
MOV [EDX],EAX
//GetModuleHandle=GetProcAddress(KernelBase,szGetModuleHandle);
//-> VirtualProtect
MOV EDX,EBP
ADD EDX,OFFSET _RO_szVirtualProtect
LEA EAX,[EDX]
CALL DoGetProcAddr
MOV EDX,EBP
ADD EDX,OFFSET _RO_VirtualProtect
MOV [EDX],EAX
//VirtualProtect=GetProcAddress(KernelBase,szVirtualProtect);
//-> GetModuleFileName
MOV EDX,EBP
ADD EDX,OFFSET _RO_szGetModuleFileName
LEA EAX,[EDX]
CALL DoGetProcAddr
MOV EDX,EBP
ADD EDX,OFFSET _RO_GetModuleFileName
MOV [EDX],EAX
//GetModuleFileName=GetProcAddress(KernelBase,szGetModuleFileName);
//-> CreateFile
MOV EDX,EBP
ADD EDX,OFFSET _RO_szCreateFile
LEA EAX,[EDX]
CALL DoGetProcAddr
MOV EDX,EBP
ADD EDX,OFFSET _RO_CreateFile
MOV [EDX],EAX
//CreateFile=GetProcAddress(KernelBase,szCreateFile);
//-> GlobalAlloc
MOV EDX,EBP
ADD EDX,OFFSET _RO_szGlobalAlloc
LEA EAX,[EDX]
CALL DoGetProcAddr
MOV EDX,EBP
ADD EDX,OFFSET _RO_GlobalAlloc
MOV [EDX],EAX
//GlobalAlloc=GetProcAddress(KernelBase,szGlobalAlloc);
//-> GlobalFree
MOV EDX,EBP
ADD EDX,OFFSET _RO_szGlobalFree
LEA EAX,[EDX]
CALL DoGetProcAddr
MOV EDX,EBP
ADD EDX,OFFSET _RO_GlobalFree
MOV [EDX],EAX
//GlobalFree=GetProcAddress(KernelBase,szGlobalFree);
//-> ReadFile
MOV EDX,EBP
ADD EDX,OFFSET _RO_szReadFile
LEA EAX,[EDX]
CALL DoGetProcAddr
MOV EDX,EBP
ADD EDX,OFFSET _RO_ReadFile
MOV [EDX],EAX
//ReadFile=GetProcAddress(KernelBase,szReadFile);
//-> GetFileSize
MOV EDX,EBP
ADD EDX,OFFSET _RO_szGetFileSize
LEA EAX,[EDX]
CALL DoGetProcAddr
MOV EDX,EBP
ADD EDX,OFFSET _RO_GetFileSize
MOV [EDX],EAX
//GetFileSize=GetProcAddress(KernelBase,szGetFileSize);
//-> CloseHandle
MOV EDX,EBP
ADD EDX,OFFSET _RO_szCloseHandle
LEA EAX,[EDX]
CALL DoGetProcAddr
MOV EDX,EBP
ADD EDX,OFFSET _RO_CloseHandle
MOV [EDX],EAX
//CloseHandle=GetProcAddress(KernelBase,szCloseHandle);
// FUNNY JUMP :)
MOV EDX,EBP
ADD EDX,OFFSET LoaderContinue1
LEA EAX, [EDX]
PUSH EAX
RETN
//---------------------
// it's in an own function to keep a the loader code small
// EAX = address of API string
// ESI = target dll base
DoGetProcAddr:
PUSH EAX
PUSH ESI
MOV EDX,EBP
ADD EDX,OFFSET _RO_GetProcAddress
CALL [EDX]
//FARPROC GetProcAddress(HMODULE hModule,LPCSTR lpProcName);
RETN
//---------------------
LoaderContinue1:
//----------------------------------------------------------
//------------------------ ANTI DUMP -----------------------
//.IF [EBP+PROTECTION_FLAGS]== ANTI_DUMP_FLAG
MOV EDX,EBP
ADD EDX,OFFSET _RO_PROTECTION_FLAGS
TEST DWORD PTR [EDX],ANTI_DUMP_FLAG
JZ LetDumpable
PUSH FS:[30h]
POP EAX
TEST EAX,EAX
JS fuapfdw_is9x // detected Win 9x
//fuapfdw_isNT:
MOV EAX,[EAX+0Ch]
MOV EAX,[EAX+0Ch]