; Stage-1 stub ($ShellStart0 .. $ShellEnd0), MASM syntax, 32-bit x86, stdcall API calls.
; Position-independent: the only absolute address it needs comes from the return address
; of the `call` below. Data that follows the import table is addressed from that base.
$ShellStart0:
call $Entry ; 5-byte near call: pushes the address of importTableG as the return address (see $Entry)
;import table
; One IMAGE_IMPORT_DESCRIPTOR for KERNEL32.dll followed by an all-zero terminator descriptor.
; Every "RVA" here is written relative to importTableG, not to an image base; presumably the
; packer rebases these fields when it embeds the stub in the target image -- not verifiable
; from this listing.
$ImportTableBegin:
importTableG dd firstAddressG - importTableG ; OriginalFirstThunk
dd 0,0 ; TimeDateStamp, ForwarderChain
importRVA1G dd dllNameG - importTableG ; Name
importRVA2G dd firstAddressG - importTableG ; FirstThunk -- same array as OriginalFirstThunk, so the loader overwrites the thunks in place
dd 0,0,0,0,0 ; terminating (all-zero) descriptor
; Thunk array: three IMAGE_IMPORT_BY_NAME references, null-terminated. After the loader has
; resolved imports these slots hold function addresses, in this order:
;   firstAddressG  = GetProcAddress
;   secondAddressG = GetModuleHandleA
;   thirdAddressG  = LoadLibraryA
; $Entry calls through the first two; stage 2 copies all three (see $ShellStart).
firstAddressG dd firstFunctionG - importTableG
secondAddressG dd secondFunctionG - importTableG
thirdAddressG dd thirdFunctionG - importTableG
dd 0 ; end of thunk array
dllNameG db 'KERNEL32.dll'
dw 0 ; NUL terminator (a word, which also keeps the Hint below word-aligned)
firstFunctionG dw 0 ; IMAGE_IMPORT_BY_NAME.Hint
db 'GetProcAddress',0
secondFunctionG dw 0 ; IMAGE_IMPORT_BY_NAME.Hint
db 'GetModuleHandleA',0
thirdFunctionG dw 0 ; IMAGE_IMPORT_BY_NAME.Hint
db 'LoadLibraryA',0
$ImportTableEnd:
; necessary data
; Stage-1 variables, addressed as [ebp + (symbol - $ShellStart0)] inside $Entry.
; shellBaseG / sizeOfPackedShellG are presumably filled in by the packer before the stub
; runs (the code only reads shellBaseG and never writes it); allocAddressG is written at run time.
shellBaseG dd 0 ;$ShellStart -- runtime address of the stage-2 stub; the `jmp edx` at the end of $Entry goes here
sizeOfPackedShellG dd 0 ;size -- not referenced by any code in this listing
allocG db 'VirtualAlloc',0 ;alloc memory -- export name handed to GetProcAddress
allocAddressG dd 0 ; resolved VirtualAlloc address; written by $Entry, copied into g_allocAddress by stage 2
tlsTableG db 18h dup (?) ; 24 bytes (the size of IMAGE_TLS_DIRECTORY32); not referenced by code in this listing
$Entry:
; calculate RVA
pop ebp
sub ebp,(importTableG - $ShellStart0) ; ebp is importTableG's offset relatived $ShellStart0
;get address of VirtualAlloc
lea esi, [ebp + (dllNameG - $ShellStart0)]
push esi
call dword ptr [ebp + (secondAddressG - $ShellStart0)]
lea esi, [ebp + (allocG - $ShellStart0)]
push esi
push eax
call dword ptr [ebp + (firstAddressG - $ShellStart0)]
mov dword ptr [ebp + (allocAddressG - $ShellStart0)],eax
;jmp packed code
push ebp
mov edx, dword ptr [ebp + (shellBaseG - $ShellStart0)]
jmp edx
$ShellEnd0:
;depacked sections
; Stage-2 stub ($ShellStart .. $ShellEnd). Entered by the `jmp edx` in $Entry with the
; stage-1 base on the stack top.
; Register roles after the prologue: ebp = runtime address of $ShellStart; every data
; reference is [ebp + (symbol - $ShellStart)]. esi/edi/ebx are scratch; they are callee-saved
; under stdcall, so they survive the API calls and are reused right after them.
; Note: the original comment says "depacked", but no decompression code appears in this
; listing, and the VirtualAlloc/VirtualFree addresses stored below (g_allocAddress,
; g_allocFreeAddr) are never read by code shown here.
$ShellStart:
;calculate RVA
call $+5 ; pushes the address of the next instruction
pop edx
sub edx ,5h ; edx = runtime address of $ShellStart
pop ebp ; ebp = address of $ShellStart0 (pushed by $Entry); used only until the `mov ebp,edx` below
; initialize function pointers
; Copy the three loader-resolved thunks (GetProcAddress, GetModuleHandleA, LoadLibraryA, in
; that order) from the stage-1 array into the stage-2 variables, which are laid out
; consecutively as getProcAddressAddrG, moduleHandleAddrG, loadLibraryAddrG.
mov ecx, 3h
lea esi, [ebp + (firstAddressG - $ShellStart0)]
lea edi, [edx + (getProcAddressAddrG - $ShellStart)]
$MoveThreeFunctionsAddress:
mov eax,dword ptr [esi]
mov dword ptr [edi],eax
add esi,4h
add edi,4h
loop $MoveThreeFunctionsAddress
mov eax,dword ptr [ebp + (allocAddressG - $ShellStart0)] ; VirtualAlloc address resolved by stage 1
mov dword ptr [edx +(g_allocAddress - $ShellStart)],eax
mov ebp,edx ; from here on ebp = $ShellStart base
push 0
call dword ptr [ebp + (moduleHandleAddrG - $ShellStart)] ; eax = GetModuleHandleA(NULL) = base address of the host module
mov dword ptr [ebp +(fileHandleG - $ShellStart)],eax ; despite the name, this is the image base; it is added to every RVA below
lea esi,dword ptr [ebp + (kernal32G - $ShellStart)] ; esi = "KERNEL32.dll"
push esi
call dword ptr [ebp + (moduleHandleAddrG - $ShellStart)] ; eax = GetModuleHandleA("KERNEL32.dll")
.if eax == 0
push esi ; esi survived the call (callee-saved)
call dword ptr [ebp + (loadLibraryAddrG - $ShellStart)] ; fallback: LoadLibraryA("KERNEL32.dll"); a NULL result is not checked
.endif
mov esi,eax ; esi = hKernel32
lea ebx,dword ptr [ebp + (allocFreeG - $ShellStart)] ; ebx = "VirtualFree"
push ebx
push esi
call dword ptr [ebp + (getProcAddressAddrG - $ShellStart)] ; eax = GetProcAddress(hKernel32, "VirtualFree") -- not checked for NULL
mov dword ptr [ebp + (g_allocFreeAddr - $ShellStart)],eax
; deal with import table
; Import resolution. Two table formats, selected by isProtectImpTableG:
;   == 0 : impTableAddressG is the image-relative RVA of the target's original
;          IMAGE_IMPORT_DESCRIPTOR array; standard thunk walking.
;   != 0 : impTableAddressG is an offset from $ShellStart to a packer-specific table;
;          its layout is inferred from the parsing code below.
; Robustness: neither path checks for a NULL from GetModuleHandleA/LoadLibraryA/GetProcAddress,
; so a missing module or export leaves 0 in the IAT slot instead of failing.
; Register roles (both paths): esi = module handle, edi = descriptor / IAT cursor,
; edx = thunk / table cursor, ebx = IAT cursor (standard path only), ecx = loop counter
; (protected path only). ebp = $ShellStart base throughout.
mov eax,dword ptr [ebp + (isProtectImpTableG - $ShellStart)]
.if eax == 0
; --- standard PE import descriptors ---
; edi = IMAGE_IMPORT_DESCRIPTOR*: +0 OriginalFirstThunk, +0ch Name, +10h FirstThunk (IAT); 14h bytes each.
mov edi,dword ptr [ebp + (impTableAddressG - $ShellStart)]
add edi,dword ptr [ebp + (fileHandleG - $ShellStart)] ; RVA -> VA
$GetNextFunctionsOfDll:
mov esi,dword ptr [edi + 0ch] ; Name RVA; 0 terminates the descriptor array
.if esi == 0
jmp $GetFunctionsOfAllDll
.endif
add esi,dword ptr [ebp + (fileHandleG - $ShellStart)] ; esi = DLL name
push esi
call dword ptr [ebp + (moduleHandleAddrG - $ShellStart)] ; eax = GetModuleHandleA(dllName)
.if eax == 0
push esi
call dword ptr [ebp + (loadLibraryAddrG - $ShellStart)] ; eax = LoadLibraryA(dllName) when not already loaded
.endif
mov esi,eax ; esi = module handle for this descriptor
mov edx,dword ptr [edi] ; edx = OriginalFirstThunk (names / ordinals) ...
.if edx == 0
mov edx,dword ptr [edi + 10h] ; ... or FirstThunk when the descriptor has no OriginalFirstThunk
.endif
add edx,dword ptr [ebp + (fileHandleG - $ShellStart)]
mov ebx,dword ptr [edi +10h] ; ebx = FirstThunk: the IAT slots that receive the addresses
add ebx ,dword ptr [ebp + (fileHandleG - $ShellStart)]
$GetNextFunction:
mov eax,dword ptr [edx] ; thunk value; 0 terminates this DLL's list
.if eax == 0
jmp $GetAllFunctions
.endif
push ebx
push edx ; edx is destroyed by cdq below and by the call
cdq ; edx = 0 if bit 31 of the thunk is clear (import by name), -1 if set (import by ordinal)
.if edx == 0
add eax,2h ; skip IMAGE_IMPORT_BY_NAME.Hint -> pointer to the NUL-terminated name
add eax,dword ptr [ebp + (fileHandleG - $ShellStart)]
.else
and eax,7fffffffh ; strip IMAGE_ORDINAL_FLAG32; GetProcAddress accepts the bare ordinal as lpProcName
.endif
push eax
push esi
call dword ptr [ebp + (getProcAddressAddrG - $ShellStart)] ; eax = GetProcAddress(hMod, name_or_ordinal)
mov dword ptr [ebx],eax ; write the resolved address into the IAT (0 if the lookup failed)
pop edx
pop ebx
add edx,4h
add ebx,4h
jmp $GetNextFunction
$GetAllFunctions:
add edi,14h ; sizeof(IMAGE_IMPORT_DESCRIPTOR)
jmp $GetNextFunctionsOfDll
$GetFunctionsOfAllDll:
.else
; --- packer-specific ("protected") import table ---
; Layout as read by the code below, one record per DLL until a 0 IAT RVA:
;   dd  image-relative RVA of the first IAT slot for this DLL
;   db  DLL-name length, then the name bytes, then one byte that is skipped
;       (presumably a NUL terminator -- GetModuleHandleA/LoadLibraryA need one)
;   dd  number of functions
;   per function, either  db 0, dd ordinal   or  db nameLen, name bytes ;
;       followed by one skipped byte (presumably the name's NUL terminator)
; Robustness: a function count of 0 is not handled -- `loop` decrements first, so ecx
; would wrap and the inner loop would run 2^32 times.
mov edx, dword ptr [ebp + (impTableAddressG - $ShellStart)]
add edx,ebp ; the table lives inside the stub (offset from $ShellStart), unlike the standard path
$GetNextFunctionsOfAllProtectedDll:
mov edi,dword ptr [edx] ; IAT RVA; 0 terminates the table
.if edi == 0
jmp $GetFunctionsOfAllProtectedDll
.endif
add edi,dword ptr [ebp + (fileHandleG - $ShellStart)] ; edi = VA of the first IAT slot
add edx,5h ; skip the IAT dword and the name-length byte
mov esi,edx ; esi = DLL name
push esi
call dword ptr [ebp + (moduleHandleAddrG - $ShellStart)] ; eax = GetModuleHandleA(dllName)
.if eax == 0
push esi
call dword ptr [ebp + (loadLibraryAddrG - $ShellStart)] ; eax = LoadLibraryA(dllName)
.endif
movzx ecx,byte ptr [esi - 1] ; name length (esi survived the call)
add esi,ecx
mov edx,esi
mov esi,eax ; esi = module handle
inc edx ; skip one byte after the name
mov ecx,dword ptr [edx] ; ecx = function count for this DLL
add edx,4h
$GetNextFunctionProtected:
push ecx ; ecx is caller-saved; keep the loop counter across the call
movzx eax,byte ptr [edx]
.if eax == 0
; ordinal entry: db 0, dd ordinal
inc edx
push edx
mov eax, dword ptr [edx]
push eax
push esi
call dword ptr [ebp + (getProcAddressAddrG - $ShellStart)] ; eax = GetProcAddress(hMod, ordinal)
mov dword ptr [edi],eax
pop edx
add edx,4h
.else
; name entry: db len, name bytes
inc edx
push edx
push edx
push esi
call dword ptr [ebp +(getProcAddressAddrG - $ShellStart)] ; eax = GetProcAddress(hMod, name)
mov dword ptr [edi],eax
pop edx
movzx eax, byte ptr [edx - 1] ; re-read the length byte that precedes the name
add edx,eax
.endif
inc edx ; skip one byte after the entry
add edi , 4h ; next IAT slot
pop ecx
loop $GetNextFunctionProtected
jmp $GetNextFunctionsOfAllProtectedDll
$GetFunctionsOfAllProtectedDll:
.endif
; anti dump
; Author-labelled anti-dump step, then transfer to the original entry point.
; The OS path is chosen by the sign of the dword read from fs: -- a positive (user-mode)
; pointer is treated as Windows NT, a negative one as Win9x.
; Review notes:
;   - `fs:[30]` carries no `h` suffix. Every other constant in this file is written with
;     `h`, so under the default radix this is decimal 30 = 1Eh, not the 30h TEB slot that
;     holds the PEB pointer. Confirm the intended field or a `.radix` directive outside this
;     listing before relying on this path. The NT offsets below (+0ch, +0ch, +20h)
;     correspond to PEB.Ldr -> InLoadOrderModuleList.Flink (first loader entry) ->
;     SizeOfImage only if eax really is the PEB.
;   - Both paths write 1000h into a loader-maintained image-size field; the Win9x path
;     additionally depends on an undocumented edx value after GetModuleHandleA and on
;     undocumented structure offsets that cannot be verified here.
;   - For analysts: a user-mode write to the main module's SizeOfImage in the loader list
;     is a strong indicator of this technique.
assume fs:nothing ; allow explicit fs: segment overrides without a segment assumption
push fs:[30]
pop eax ; eax = the dword at fs:[30] (see note above about the radix)
test eax,eax
js $Anti_Win9x ; high bit set -> kernel-range address -> treat as Win9x
$Anti_WinNT:
mov eax,[eax + 0ch] ; PEB.Ldr (if eax is the PEB)
mov eax, [eax + 0ch] ; PEB_LDR_DATA.InLoadOrderModuleList.Flink -> first LDR_DATA_TABLE_ENTRY (the host module)
mov dword ptr [eax +20h],1000h ; LDR_DATA_TABLE_ENTRY.SizeOfImage = 1000h
jmp $Anti_Finish
$Anti_Win9x:
push 0
call dword ptr [ebp + (moduleHandleAddrG - $ShellStart)] ; GetModuleHandleA(NULL); only the side effect on edx is used
test edx,edx ; relies on an undocumented Win9x-internal pointer left in edx -- not verifiable here
jns $Anti_Finish
cmp dword ptr [edx +8h],-1
jne $Anti_Finish
mov edx, [edx +4]
mov dword ptr [edx + 50h],1000h ; undocumented Win9x structure field; meaning not verifiable here
$Anti_Finish:
; Transfer to the original entry point: VA = oepG (RVA) + image base.
mov dword ptr [ebp +(shellImageBaseG - $ShellStart)],ebp ; record where the stage-2 stub is loaded
mov eax, dword ptr [ebp + (oepG - $ShellStart)]
add eax,dword ptr [ebp +(fileHandleG - $ShellStart)]
jmp eax ; never returns; all pushes since $ShellStart0 have been consumed, so esp is as it was when the stub was entered
; Stage-2 variables, addressed as [ebp + (symbol - $ShellStart)].
; The first three must stay consecutive and in this order: $ShellStart fills them with a
; 3-iteration copy loop from the stage-1 thunk array.
getProcAddressAddrG dd 0 ; GetProcAddress
moduleHandleAddrG dd 0 ; GetModuleHandleA
loadLibraryAddrG dd 0 ; LoadLibraryA
g_allocAddress dd 0 ; VirtualAlloc, copied from stage 1; not read by code in this listing
g_allocFreeAddr dd 0 ; VirtualFree, resolved by stage 2; not read by code in this listing
fileHandleG dd 0 ; HMODULE of the host = image base used for every RVA -> VA conversion (the name is misleading)
shellImageBaseG dd 0 ;imageBase -- runtime address of $ShellStart, stored just before the jump to the OEP
isProtectImpTableG dd 0 ; 0 = standard PE import descriptors, != 0 = packer-specific table (presumably set by the packer)
impTableAddressG dd 0 ;import table -- image RVA of the descriptors (standard) or offset from $ShellStart (protected)
oepG dd 0 ;really entry -- RVA of the original entry point (presumably set by the packer)
kernal32G db 'KERNEL32.dll',0 ; module name passed to GetModuleHandleA / LoadLibraryA (label spelling is the author's)
allocFreeG db 'VirtualFree',0 ; export name passed to GetProcAddress
packedSectionsG db 0a0h dup (?) ;section' information -- 0a0h reserved bytes; not referenced by code in this listing
$ShellEnd:
; Junk block 1 (author's size: 17 bytes). Anti-disassembly filler. Executed path:
; `call $+0ah` -> `jmp $-3h` -> `jmp $+7h` -> `add esp,4h` (discards the return address
; the call pushed) -> falls out of the block. The `db` bytes (0Fh 01h, 0E8h, 0 0) are never
; executed; they lie where a linear disassembler decodes and desynchronise it.
; Net effect: no register or stack change (flags are modified by `add`).
Junk_Code_1_Start: ;17 bytes
call $+0ah
db 0fh
db 01h
jmp $+7h
db 0e8h
jmp $-3h
db 0h
db 0h
add esp,4h
Junk_Code_1_End:
; Junk block 2 (author's size: 22 bytes). Note: `jmp $+3h` lands on the bytes 31h 0F0h,
; which decode as `xor eax,esi` -- this block DOES modify eax (eax ^= esi). Executed path:
; xor eax,esi -> `jmp $+0eh` -> `push ecx` -> `jmp $-0dh` -> `xor ecx,eax` -> `jmp $+5h` ->
; `pop ecx` -> `jz $+7h` to the end, or `jnz $-6h` -> `jmp $+0bh` to the end. ecx is
; restored by the pop; the `db 0fh` bytes are never executed.
; Net effect: eax ^= esi, flags modified; ecx and the stack unchanged.
Junk_Code_2_Start: ;22 bytes
jmp $+3h
db 0fh
db 31h
db 0f0h
jmp $+0eh
xor ecx,eax ;2 bytes
jmp $+5h
jmp $+0bh
db 0fh
pop ecx
jz $+7h
jnz $-6h
push ecx
jmp $-0dh
Junk_Code_2_End:
; Junk block 3 (author's size: 42 bytes). Three chained `call`s each push a return address
; (entered via the short jumps, so `jmp $-4h` into the first call's encoding is never
; executed); `dec ecx / jnz $-0dh` then runs `pop eax` three times (ecx starts at 4) and
; `jmp $+7h` leaves the block. Net effect: ecx = 0, eax = the return address of the first
; call (an address inside this block), stack balanced. The `db` bytes sit on the
; linear-decode path only.
; Review: a straightforward byte count of the instructions below gives 44, not 42
; (5-byte `mov ecx,imm32`, three 5-byte calls, seven 2-byte branches, `pop`, `dec`, eight
; `db` bytes); recheck the author's figure if anything relies on this block's size.
Junk_Code_3_Start: ;42 bytes
mov ecx,4h
call $+24h
jmp $-4h
call $+1bh
db 0e9h
jmp $-6
db 0h,0h
pop eax
jmp $+0bh
db 0fh
db 25h
call $-9h
db 0fh
db 0b9h
dec ecx
jnz $-0dh
jmp $+7h
jmp $-5h
jmp $-0eh
db 0d6h
Junk_Code_3_End:
; Junk block 4 (author's size: 26 bytes). Return-address arithmetic: `call $+0ch` pushes its
; return address, `pop eax` retrieves it, `add eax,2` then `push eax / ret` lands on
; `add eax,13h`, and a second `push eax / ret` lands exactly on Junk_Code_4_End.
; Net effect: eax = address of Junk_Code_4_End, stack balanced. The `db` bytes
; (0C7h 083h, 0CDh 020h, 0E9h, 0E8h) are never executed.
Junk_Code_4_Start: ;26 bytes
call $+0ch
db 0C7h
db 083h
add eax,13h
jmp $+0dh
pop eax
jmp $+4h
db 0CDh
db 020h
add eax,2 ;3 bytes
jmp $+3h
db 0E9h
push eax
ret
db 0e8h
Junk_Code_4_End:
; Junk block 5 (author's size: 19 bytes). Same scheme as block 4: `call $+8h` / `pop eax`
; obtains an address inside the block, `add eax,7h` + `push eax / ret` runs twice (the first
; `ret` lands back on the `add`), and the second `ret` lands on Junk_Code_5_End.
; Net effect: eax = address of Junk_Code_5_End, stack balanced. The `db` bytes
; (0C7h 084h 0, 0E9h, 0FFh 35h) are never executed.
Junk_Code_5_Start: ;19 bytes
call $+8h
db 0c7h
db 084h
db 0h
pop eax
jmp $+3h
db 0e9h
add eax,7h
push eax
ret
db 0ffh
db 35h
Junk_Code_5_End:
; Junk block 6. `call $+0dh` / `pop eax` obtains an address inside the block, `add eax,2h` /
; `jmp eax` lands on `add eax,0fh`, and `push eax / ret` lands on Junk_Code_6_End.
; Net effect: eax = address of Junk_Code_6_End, stack balanced. The `db` bytes
; (0Fh 01h, 0FFh, 0Fh 01h 0Ch) are never executed.
Junk_Code_6_Start:
call $+0dh
db 0fh
db 01h
add eax,0fh
push eax
ret
db 0ffh
pop eax
add eax,2h
jmp eax
db 0fh
db 01h
db 0ch
Junk_Code_6_End:
; Junk block 7 (SEH-based). `call $+1bh` pushes the address of its own fall-through code
; (which serves as the exception handler) and jumps to `push dword ptr fs:[0]`; together
; with `mov fs:[0],esp` that builds and installs an EXCEPTION_REGISTRATION record
; {prev = old fs:[0], handler = address after the call}. `xor ecx,ecx / cdq / div ecx`
; then raises a divide-by-zero exception. The handler (`mov ebx,[esp+0ch]` onwards) takes
; the CONTEXT pointer from its third argument, restores esp from CONTEXT.Esp (+0c4h),
; unlinks the record (`pop dword ptr fs:[0]`), discards the handler address (`add esp,4h`)
; and `jmp $+16h`s to Junk_Code_7_End instead of returning to the dispatcher.
; Net effect: stack and fs:[0] restored; eax unchanged by the faulting `div`; ebx, ecx, edx
; hold dispatcher/handler state afterwards. The trailing `db 0e9h` is never executed.
; For analysts: the divide-by-zero is delivered to an attached debugger as a first-chance
; exception originating in the stub, before this handler runs.
Junk_Code_7_Start:
call $+1bh
mov ebx,dword ptr [esp+0ch]
mov esp,dword ptr [ebx+0c4h]
pop dword ptr fs:[0]
add esp,4h
jmp $+16h
push dword ptr fs:[0]
mov fs:[0],esp
xor ecx,ecx
cdq
div ecx
db 0e9h
Junk_Code_7_End:
; Junk block 8 (SEH-based, same scheme as block 7). `xor esi,esi`, then `call $+15h`
; pushes the handler address and jumps to the `push dword ptr fs:[0] / mov fs:[0],esp`
; pair that installs the registration record. `lodsd` reads from esi = 0 and faults
; (access violation). The handler (`mov esp,[esp+08h]` onwards) uses its second argument,
; the EstablisherFrame pointer, as the new esp, unlinks the record (`pop dword ptr fs:[0]`),
; pops the handler address into eax and `jmp $+15h`s to Junk_Code_8_End.
; Net effect: esi = 0, eax = handler address, stack and fs:[0] restored. The bytes
; 0C7h 83h and 0CDh 20h are never executed.
; For analysts: as in block 7, the fault is visible to a debugger as a first-chance
; exception raised inside the stub.
Junk_Code_8_Start:
xor esi,esi
call $+15h
mov esp,dword ptr [esp+08h]
pop dword ptr fs:[0]
pop eax
jmp $+15h
db 0c7h
db 83h
push dword ptr fs:[0]
mov fs:[0],esp
lodsd
db 0cdh
db 20h
Junk_Code_8_End: