unit Sunrise_PE;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls,aplibu,disasm,link, vm, ComCtrls, Buttons,{emulapis,}
ToolWin, ImgList, ExtCtrls, XPMan;
type
// Main window of the Sunrise PE packer GUI. Components are created from the
// .dfm; the event handlers declared here are implemented later in this unit
// (outside this view).
TForm1 = class(TForm)
OpenDialog1: TOpenDialog;
PageControl1: TPageControl;
TabSheet1: TTabSheet;
Memo1: TMemo;
TabSheet2: TTabSheet;
CheckBox3: TCheckBox;
CheckBox4: TCheckBox;
Edit1: TEdit;
Button1: TButton;
Button2: TButton;
CheckBox5: TCheckBox;
TabSheet3: TTabSheet;
ListBox1: TListBox;
CoolBar1: TCoolBar;
StatusBar1: TStatusBar;
ToolBar1: TToolBar;
ToolButton2: TToolButton;
ImageList1: TImageList;
ToolButton1: TToolButton;
ToolButton3: TToolButton;
ListBox2: TListBox;
Panel1: TPanel;
Edit2: TEdit;
Label1: TLabel;
SpeedButton1: TSpeedButton;
SpeedButton2: TSpeedButton;
ToolButton4: TToolButton;
ToolButton5: TToolButton;
CheckBox6: TCheckBox;
Timer1: TTimer;
TabSheet5: TTabSheet;
Shape1: TShape;
Label2: TLabel;
XPManifest1: TXPManifest;
Label3: TLabel;
// NOTE(review): no TabSheet4, TabSheet6 or BitBtn1 component is declared in
// this class, yet handlers for them are listed below (TabSheet6Show,
// TabSheet4Show, BitBtn1Click, tMouseDown). They may be stale leftovers or
// wired up from the .dfm — confirm before removing or relying on them.
procedure TabSheet6Show(Sender: TObject);
procedure TabSheet5Show(Sender: TObject);
procedure TabSheet2Show(Sender: TObject);
procedure TabSheet4Show(Sender: TObject);
procedure Timer1Timer(Sender: TObject);
procedure ToolButton5Click(Sender: TObject);
procedure ToolButton4Click(Sender: TObject);
procedure Edit2Click(Sender: TObject);
procedure SpeedButton1Click(Sender: TObject);
procedure SpeedButton2Click(Sender: TObject);
procedure ToolButton3Click(Sender: TObject);
procedure Edit2KeyPress(Sender: TObject; var Key: Char);
procedure Memo1DblClick(Sender: TObject);
procedure TabSheet1Show(Sender: TObject);
procedure TabSheet3Show(Sender: TObject);
procedure BitBtn1Click(Sender: TObject);
procedure tMouseDown(Sender: TObject; Button: TMouseButton;
Shift: TShiftState; X, Y: Integer);
procedure TabSheet2MouseDown(Sender: TObject; Button: TMouseButton;
Shift: TShiftState; X, Y: Integer);
procedure FormShow(Sender: TObject);
procedure Memo1MouseDown(Sender: TObject; Button: TMouseButton;
Shift: TShiftState; X, Y: Integer);
procedure FormMouseDown(Sender: TObject; Button: TMouseButton;
Shift: TShiftState; X, Y: Integer);
procedure FormCreate(Sender: TObject);
procedure Button2Click(Sender: TObject);
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
// In-memory working buffer; presumably the loaded input PE — its owner and
// lifetime are not visible here (check FormCreate / the open handler).
mem_in_tmp:tmemorystream;
// Disassembly helper (p_codestart: address to decode from, dw_line: line
// index into the output); implemented outside this view.
function Discmd(p_codestart,dw_line:cardinal):boolean;
end;
const
// Section kinds the packer distinguishes when walking the input image.
SECTION_CODE = $1;
SECTION_IMPORT = $2;
SECTION_DATA = $3;
SECTION_EXPORT = $4;
SECTION_TLS = $5;
SECTION_RESOURCES = $6;
SECTION_RELOC = $7;
SECTION_DEBUG = $8;
// Failure codes returned by the packing routines (high bit set, HRESULT-like).
// Note: ERROR_NOMORE = $FFFFFFFF collides with any Cardinal result that is
// legitimately -1; callers must compare against the constant, not test the sign.
ERROR_COMPRESS = $80000001;
ERROR_NOMODULEFILE = $80000002;
ERROR_NOMORE = $FFFFFFFF;
IMAGE_FLAG32 = $80000000;
// Encryption status / option values (ENCRYPT_SUCCESS and ENCRYPT_TRUE share $1).
ENCRYPT_SUCCESS = $1;
ENCRYPT_TRUE = $1;
ENCRYPT_FALSE =$0;
ENCRYPT_NOTENCRYPT = $2;
// Import-entry kinds (presumably stored in TAImport.dwType / T_AImport.dwType).
TYPE_NORMAL = $0;
SPECIAL_ACMDLN = $1; // typical case: the stub emulates the PE loader's IAT handling directly
// Emulated-API kinds: the stub substitutes its own implementation for these imports
// (see the CodeStart_emul_* routines declared below).
SPECIAL_MESSAGEBOXA = $1000;
SPECIAL_MESSAGEBOXW = $1001;
SPECIAL_CREATEFILEA = $1002;
SPECIAL_CREATEFILEW = $1003;
SPECIAL_MSGBOXINXA = $1004;
// Build-time switches selecting which protection features are compiled into
// the stub. Several hand-encoded byte sequences below depend on these
// (e.g. the ENCRYPT_HUA block inside Packcode), so toggling one can change
// code size and relative displacements — re-verify the stub after a change.
{$DEFINE ENCRYPT_HUA} // ordinary, non-critical junk ("hua") instructions
{$DEFINE ENCRYPT_KERNEL} // core junk instructions
{$DEFINE ENCRYPT_THREAD_ANTI}
//{$DEFINE ENCRYPT_LOGO}
//{$DEFINE ENCRYPT_SEH}
//{$DEFINE ENCRYPT_BPCHECK}
{$DEFINE ENCRYPT_HUA_IAT}
{$DEFINE ENCRYPT_CRC_IAT}
// Intermediate node used while rebuilding the resource tree (consumer is
// outside this view; GenResTree below is the likely user — confirm).
type TMyResDir = packed record
Numberofdir:word;
Numberofid : word;
isstringname:DWORD;
ID:DWORD;
NoRes:DWORD;
ressize:DWORD;
// These two fields must stay last (original author's note). Presumably the
// record is emitted truncated to `length` name bytes — confirm against the writer.
length:WORD;
name:array[0..63] of byte;
end;
type
// Same field order and size (5 DWORDs) as the Win32 IMAGE_IMPORT_DESCRIPTOR.
TimageimportDescriptor = packed record
OriginalFirstThunk:DWORD;
TimeDateStamp:DWORD;
ForwarderChain:dWORD;
Name:dWORD;
FirstThunk:dWORD;
end;
type
// Same layout as the Win32 IMAGE_RESOURCE_DIRECTORY (16 bytes).
TIMAGERESDIRECTORY = packed record
Characteristics:DWORD;
TimeDateStamp:DWORD;
MajorVersion:WORD;
MinorVersion:WORD;
NumberOfNamedEntries:WORD;
NumberOfIdEntries:WORD;
end;
type
// Same size as the Win32 IMAGE_RESOURCE_DIRECTORY_ENTRY. The second field is
// named ID here but occupies the OffsetToData slot of the Win32 struct; in both
// fields the high bit is a flag (string name / subdirectory) — mask it before use.
TIMAGERESDIRECTORYENTRY = packed record
Name:DWORD;
ID:DWORD;
end;
type
// Same layout as the Win32 IMAGE_RESOURCE_DATA_ENTRY (OffsetToData is an RVA).
TIMAGERESDATAENTRY = packed record
OffsetToData:DWORD;
Size:DWORD;
CodePage:DWORD;
Reserved:DWORD;
end;
// Host-side summary of the input PE. Not a flat on-disk layout: `Sections` is
// a dynamic array, so the packed record only holds a 4-byte pointer to heap
// memory — SizeOf/raw writes of this record do not include the section headers.
type TPeinformation = packed record
ImageSize : DWORD;
NumberofSections : DWORD;
RAWTOIAT:DWORD;
numofimports : DWORD;
Sections : array of TImageSectionHeader;
end;
// Signature header at the start of the packer's data block (12 bytes).
// `registered` presumably flags a licensed build — treat it as a plain DWORD
// stored in the output; it is not a security boundary.
type tpacksignheader = packed record
packsign : DWORD;
registered : DWORD;
reserved : DWORD;
end;
// Location (address) and size of the two stub routines recorded in the data
// block — presumably the main unpacker and the IAT rebuilder; confirm against the writer.
type Tpackfunctions = packed record
p_main : DWORD;
p_main_size : DWORD;
p_IAT : DWORD;
p_IAT_size : DWORD;
end;
// Header of the data section the packer appends to the output; read by the
// stub at run time. Because the record is packed and contains 1-byte Boolean
// fields (isStealCode, dllreloc, twoprocess), every field after isStealCode
// sits at an unaligned offset — any assembly in the stub that reads this
// record must use the same offsets, so do not insert or reorder fields.
type tdatasecheader = packed record
packset : tpacksignheader; // packer data signature
packfunctions : Tpackfunctions;
OEP : DWORD;
numberofsections : DWORD;
IATAddress : DWORD;
IATAddress2 : DWORD;
IAT_size : DWORD;
IAT_Nums : DWORD;
DLLLoad : DWORD;
datasec_size : DWORD;
rsrc_RAV : DWORD; // resource directory RVA ("RAV" in the original naming)
rsrc_size : DWORD;
Debug_RAV:DWORD;
debug_size:DWORD;
TLS_RAV:DWORD;
TLS_size : DWORD;
EncryptCode:DWORD;
EncryptRes:DWORD;
isStealCode:boolean; // 1 byte; fields below are unaligned from here on
MyOEP:DWORD;
packsize:dword;
dllreloc:boolean;
twoprocess:boolean;
end;
// Run-time bookkeeping block the stub fills in: the image base and resolved
// kernel32/user32 entry points. Fields declared as procedural types can be
// called directly from Pascal; the DWORD ones hold raw addresses. Every slot
// is 4 bytes, so the layout is 32-bit only — pointer-sized fields would break
// on a 64-bit build.
type tpackheader0 = packed record
imagebase :DWORD;
base_Kernel32 : DWORD;
p_GetProcAddress : DWORD;
p_GetModuleHandleA : DWORD;
p_VirtualAlloc :DWORD;
p_VirtualFree : DWORD;
p_LoadLibraryA : DWORD;
p_ExitProcess :procedure (uExitCode: UINT); stdcall;
// p_CreateProcessA:DWORD;
// p_GetCommandLineA:DWORD;
adr_datasec : DWORD; // address of the tdatasecheader block
linkroom : DWORD;
p_movmem : DWORD; // presumably the relocated Movmem routine (see Movmem below)
p_VirtualProtect : DWORD;
p_messageboxA:DWORD;
// The entries below are typed so the anti-debug / two-process logic can
// call them directly (CreateProcess + debug-event loop, thread context,
// IsDebuggerPresent, worker thread).
p_CreateProcessA:function (lpApplicationName: PAnsiChar; lpCommandLine: PAnsiChar;
lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer;
lpCurrentDirectory: PAnsiChar;
const lpStartupInfo: TStartupInfo;
var lpProcessInformation: TProcessInformation): BOOL; stdcall;
p_GetCommandLineA:function (): PAnsiChar; stdcall;
p_WaitForDebugEvent:function (var lpDebugEvent: TDebugEvent; dwMilliseconds:
DWORD): BOOL; stdcall;
p_ContinueDebugEvent :function (dwProcessId, dwThreadId, dwContinueStatus:
DWORD): BOOL; stdcall;
p_CreateEventA:function (lpEventAttributes: PSecurityAttributes;
bManualReset, bInitialState: BOOL; lpName: PAnsiChar): THandle; stdcall;
p_GetLastError:function (): DWORD; stdcall;
p_CloseHandle:function (hObject: THandle): BOOL; stdcall;
p_OutputDebugStringA:procedure (lpOutputString: PAnsiChar); stdcall;
p_GetThreadContext:function (hThread: THandle; var lpContext: TContext): BOOL; stdcall;
p_SetThreadContext:function (hThread: THandle; const lpContext: TContext): BOOL; stdcall;
p_SuspendThread:function (hThread: THandle): DWORD; stdcall;
p_ResumeThread:function (hThread: THandle): DWORD; stdcall;
p_Isdebuggerpresent:function ():bool;stdcall;
p_CreateThread:function (lpThreadAttributes: Pointer;
dwStackSize: DWORD; lpStartAddress: TFNThreadStartRoutine;
lpParameter: Pointer; dwCreationFlags: DWORD; var lpThreadId: DWORD): THandle; stdcall;
p_WaitForSingleObject:function (hHandle: THandle; dwMilliseconds: DWORD): DWORD; stdcall;
p_ExitThread:procedure (dwExitCode: DWORD); stdcall;
end;
// Header of the stub's scratch ("room") area. `emul_linked` is a 1-byte
// Boolean inside a packed record, so the four emul_* addresses after it are
// unaligned — assembly readers must use matching offsets.
type Troomheader = packed record
Sign:DWORD;
dataroom : DWORD;
GetRoomBase:DWORD;
baseofcode:DWORD;
Module_user32 : DWORD;
Module_Kernel32 : DWORD;
emul_linked : boolean; // 1 byte
// Addresses of the emulated API bodies (presumably the CodeStart_emul_*
// routines declared below, once relocated).
emul_messageboxA : DWORD;
emul_messageboxW : DWORD;
emul_CreateFileA : DWORD;
emul_CreateFileW : DWORD;
end;
// Host-side descriptor of one imported function. Contains Delphi strings
// (heap pointers), so it is not a flat layout; T_AImport below is the
// string-free form and has a different field order, so conversion between the
// two must be done field by field, never by copying a prefix.
type TAImport = packed record
functionsno : DWORD;
address : DWORD;
isNoIat : DWORD;
isSaved : DWORD;
dwType : DWORD; // TYPE_NORMAL / SPECIAL_* (presumably)
KEY : byte; // per-entry byte key; presumably the one passed to CryptStr/EncryptStr
Callrom0: BYTE;
callrom1: DWORD;
IATAdr : DWORD;
IATAdr0 : DWORD;
IATrom0 : WORD;
IATAdr1 : DWORD;
IATrom1 : WORD;
IATAdr2 : DWORD;
IATrom2 : WORD;
DLLname : String;
FunctionName : String;
end;
// Flat, string-free form of TAImport as stored for the stub. Note the order
// differs from TAImport (KEY comes first here, functionsno fifth) and KEY is a
// single byte, so every following field is unaligned in the packed layout.
type T_AImport = packed record
KEY : byte;
address : DWORD;
isNoIat : DWORD;
dwType : DWORD;
functionsno : DWORD;
Callrom0: BYTE;
callrom1: DWORD;
IATAdr : DWORD;
IATAdr0 : DWORD;
IATrom0 : WORD;
IATAdr1 : DWORD;
IATrom1 : WORD;
IATAdr2 : DWORD;
IATrom2 : WORD;
end;
// Options chosen in the GUI for one packing run (host-side only: holds
// Delphi strings, never written to the output as-is).
type TEncryptOptions = packed record
DLLoadLibrary : DWORD;
Encryptrsrc : Boolean; // encrypt the resource section
EncryptCode : Boolean; // encrypt the code section
ExePath : string; // input file
OutFile : string; // output file
StealOEP: Boolean; // move the first instructions at the OEP into the stub
twoprocess:boolean; // run the protected image under a self-debugging parent
end;
// Same layout as the Win32 IMAGE_TLS_DIRECTORY32 (6 DWORDs). The first four
// fields are VAs, not RVAs; AddressOfCallBacks points at a null-terminated
// list of callbacks the loader runs before the entry point.
type TImageTLSDIRECTORY32 = packed record
StartAddressOfRawData :DWORD;
EndAddressOfRawData : DWORD;
AddressOfIndex : DWORD;
AddressOfCallBacks :DWORD;
SizeOfZeroFill :DWORD;
Characteristics :DWORD;
end;
// Three patch slots, each an address plus a 16-bit value — presumably the
// original bytes at a jmp/call/mov site that the stub restores; confirm
// against the code that fills it.
type TPatcher = packed record
JmpAddresss : DWORD;
jmpWord : WORD;
callAddress : DWORD;
CAllWORD:WORD;
movAddress : DWORD;
movWORD:WORD;
end;
var
Form1: TForm1;
// Forward declarations of the stub routines implemented below. Most are pure
// assembly. The CodeStart_* / CodeEnd_* pairs return their own address via a
// call/pop sequence; presumably they delimit the code that gets copied into
// the packed image, so the order of the implementations is significant.
//function LinkIatProc(t_memory:cardinal;IatName:string;var t_random:DWORD):DWORD;stdcall;
function LinkIatProc(IatName:string;var t_random:DWORD;var link:Tlinkcode):DWORD;stdcall;
function GetImageBase():cardinal;stdcall;assembler;
function Getandsaveinfo():cardinal;stdcall;assembler;
procedure Movmem(src:cardinal;dest:pointer;size:cardinal);stdcall;assembler;
function linkpackercode(m_info:DWORD):DWORD;assembler;stdcall;
function Packer_main(dw_esp,dw_ebp:cardinal):DWORD;assembler;stdcall;
function Depack(src,dest:pointer):DWORD;stdcall;assembler;
function Depack_shell(src,dest:pointer):DWORD;stdcall;assembler;
Function IatWorkProc():DWORD;stdcall;assembler;
// NOTE(review): EncryptStr takes a Delphi `string` into an assembler routine;
// it receives the refcounted pointer, so it must not be used from the
// relocated stub where no RTL is available — confirm its call sites.
procedure EncryptStr(src:string;KEY:Byte);stdcall;assembler;
procedure PackCode_Main();assembler;
function CryptStr(src:pansichar;KEY:Byte):Cardinal;stdcall;assembler;
procedure ClearnStr(src:pansichar);stdcall;assembler;
procedure DropStr(src:pansichar);stdcall;assembler;
function CryptStrLen(src:pansichar;KEY:Byte):Cardinal;stdcall;assembler;
function CodeStart_IatWorkProc():DWORD;stdcall;assembler;
function CodeStart_packer_main2():DWORD;stdcall;assembler;
function CodeEnd_packer_main2():DWORD;stdcall;assembler;
function GenResTree(ResData:cardinal;p_VirtualAlloc:cardinal):cardinal;stdcall;
function CodeStart_vm_mini():cardinal;stdcall;assembler;
function CodeEnd_vm_mini():cardinal;stdcall;assembler;
function shell_vmachine_Run(p_vmcode,dw_rebp,dw_resp,dw_imagebase,dw_reip:cardinal):cardinal;stdcall;assembler;
// Emulated API implementations (substituted for the SPECIAL_* imports)
function LinkEmulApi(dwtype:DWORD):DWORD;stdcall;assembler;
function CodeStart_emul_MessageBoxA():DWORD;stdcall;assembler;
function CodeStart_emul_MessageBoxW():DWORD;stdcall;assembler;
function CodeStart_emul_CreateFileA():DWORD;stdcall;assembler;
function CodeStart_emul_CreateFileW():DWORD;stdcall;assembler;
// Virtual-machine section
function shell_vmachine_init(p_virtualaloc:cardinal):DWORD;stdcall;assembler;
implementation
{$R *.dfm}
// Returns a code address just past this function, presumably the first byte
// of Packcode below. The call/pop pair yields the address of @CodeStart (the
// `pop`), which is position-independent; pop (1 byte) + add (3) + ret (1) = 5,
// so +7 lands 2 bytes beyond this function's `ret` if the compiler emits no
// epilogue. NOTE(review): CodeStart_movmem uses +5 for the same purpose; why
// this one uses +7 is not evident from the listing — verify the generated
// bytes before trusting the marker.
function CodeStart_Packer():DWORD;
asm
call @CodeStart
@CodeStart:
pop eax
add eax,7
end;
// Entry stub copied into the protected image. It is largely hand-encoded
// bytes (`db`), so the assembler cannot resize anything here and every
// displacement below depends on the exact byte layout — do not insert,
// remove or reorder instructions without recomputing them.
function Packcode(m_type:cardinal):cardinal;
asm
mov eax,0 // EAX := 0 (m_type arrives in EAX under the register convention and is discarded)
pushad // save all general registers; nothing in this function pops them — control is not expected to return here
// 0B C0 = or eax,eax ; 74 58 = jz +$58. With EAX = 0 the jump is always
// taken, so the 88 bytes in the db lines that follow (15*5 + 13 = 88 = $58)
// are skipped and execution resumes at `pushfd` below.
db 0bh,0c0h,074h,058h
// Dead on the normal path, but the bytes decode as real code: a call/pop to
// get EIP, a test for an E9 (jmp) byte at [eip+$43], then a page-by-page
// downward walk (and eax,$FFFFF000 / sub eax,$1000) comparing against the
// 'MZ' and 'PE' signatures to find the image base, followed by adding the
// constants $5D2A98 and $3CC25A to it. Presumably reachable only after the
// packer patches the jz above and fixes up those constants — confirm; keep
// the byte count unchanged either way.
db 0E8h,000h,000h,000h,000h,058h,005h,043h,000h,000h,000h,080h,038h,0E9h,075h
db 003h,061h,0EBh,035h,0E8h,000h,000h,000h,000h,058h,25h,000h,0F0h,0FFh,0FFh
db 033h,0FFh,066h,0BBh,019h,05Ah,066h,083h,0C3h,034h,066h,039h,018h,075h,012h
db 00Fh,0B7h,050h,03Ch,003h,0d0h,0BBh,0E9h,044h,000h,000h,083h,0C3h,067h,039h
db 01Ah,074h,007h,02Dh,000h,010h,000h,000h,0EBh,0DAh,08Bh,0F8h,0B8h,098h,02Ah
db 05Dh,000h,003h,0C7h,0B9h,05Ah,0C2h,03Ch,000h,003h,0CFh,0EBh,00Ah
pushfd // save EFLAGS; never restored (see pushad above)
{$IFDEF ENCRYPT_HUA}
// Junk ("hua") bytes: EB 01 jumps over a stray C0; push/push; a call +4 that
// skips C0 EC 29 99 and leaves its own address in EAX after the pop; then
// `mov [eax+$0E],bl` stores $58 fourteen bytes ahead — into the third
// displacement byte of the `call PackCode_Main` that follows — i.e. this is
// self-modifying and needs the stub's section to be writable as well as
// executable at run time. NOTE(review): as laid out here the trailing 8B AA
// also decodes as the start of a 6-byte `mov ebp,[edx+disp32]` that swallows
// the call opcode and three of its displacement bytes, so the call cannot
// execute as written unless the packer patches this region first — confirm
// how the region is fixed up before changing any byte in it.
db 0EBh,001h,0C0h,050h,053h,0E8h,004h,000h,000h,000h,0C0h,0Ech,029h,099h,058h,0FFh
db 030h,05Bh,088h,058h,00Eh,05Bh,058h,08Bh,0AAh
{$ENDIF}
call PackCode_Main // relative call; only valid if PackCode_Main is copied along with this stub
end;
procedure PackCode_Main();
// Pascal half of the entry stub. Collects the loader bookkeeping with
// Getandsaveinfo, lets linkpackercode turn it into the address of the linked
// packer routine and transfers control there. Nothing after the call is
// expected to run. NOTE(review): the returned address is used unchecked —
// linkpackercode's contract is not visible here; if it can return 0 the stub
// jumps to a null pointer. Confirm before adding or relying on any guard.
type
  TLinkedEntry = procedure ();
var
  target: Pointer;
  entry: TLinkedEntry;
begin
  target := Pointer(linkpackercode(Getandsaveinfo()));
  entry := target;
  entry();
end;
// Returns the address of the first byte after this function, i.e. the start
// of Movmem below: pop (1) + add (3) + ret (1) = 5 bytes past @CodeStart,
// assuming the compiler emits no epilogue and no padding before Movmem.
// Paired with CodeEnd_movmem to delimit the routine.
function CodeStart_movmem():DWORD;
asm
call @CodeStart
@CodeStart:
pop eax
add eax,5
end;
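// Byte-wise forward memory copy used by the stub (its address is presumably
// what tpackheader0.p_movmem carries; CodeStart_movmem / CodeEnd_movmem
// delimit it for relocation). Copies `size` bytes from `src` to `dest`.
// No overlap handling: for overlapping ranges with dest > src the result is
// garbled. All general registers are preserved via pushad/popad; EFLAGS is
// not preserved (DF is left clear).
procedure Movmem(src:cardinal;dest:pointer;size:cardinal);stdcall;assembler;
asm
pushad
// rep movs copies forward only while DF is clear. The Win32 ABI promises DF=0
// at a normal call, but this routine can be reached from the relocated stub
// after arbitrary hand-encoded code, so establish the direction explicitly.
cld
mov ecx,size
mov edi,dest
mov esi,src
rep movs byte ptr [edi],byte ptr [esi]
popad
end;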
// Returns the address of this function's own `call` instruction (5 bytes
// before @CodeEnd), which is the first byte after Movmem's `ret` provided the
// compiler places the two functions back to back with no padding. Together
// with CodeStart_movmem this gives the byte range of Movmem.
function CodeEnd_movmem():DWORD;
asm
Call @CodeEnd
@CodeEnd:
pop eax
sub eax,5
end;
// Start marker: returns the address 5 bytes past @CodeStart, i.e. the first
// byte of the function that follows (pop 1 + add 3 + ret 1, assuming no
// epilogue or padding). The name says GetRoomBase, but the routine that
// follows in this listing is GetImageBase; presumably the same code serves
// both (Troomheader.GetRoomBase) — confirm against the consumer.
function CodeStart_GetRoomBase():DWORD;
asm
call @CodeStart
@CodeStart:
pop eax
add eax,5
end;
function GetImageBase():cardinal;stdcall;assembler;
asm
Call @p_next
@p_next:
pop eax
shr eax,$0C
shl eax,$0C
cmp word ptr [eax],$5A4D
jz @_final
@findhead:
sub eax,$1000