_PENH:windows.TImageNtHeaders;
_PEIH:TimageimportDescriptor;
_PEEH:windows.TImageExportDirectory;
_PEDH1:windows.TImageDosHeader;
_PENH1:windows.TImageNtHeaders;
_PEIH1:TimageimportDescriptor;
_PEEH1:windows.TImageExportDirectory;
hExport : DWORD;
t_ccnum : DWORD;
iatroom : DWORD;
//redll
h_mem:pointer;
h_mouser32,
h_moker32:cardinal;
//two process
lpStartupInfo:TStartupInfo;
lpProcessInformation: TProcessInformation;
dbg_event:TDebugEvent;
dbg_context:TContext;
h_event:cardinal;
p_outputstring:pansichar;
h_process,
h_thread:cardinal;
h_cotype:cardinal;
pan_info:pansichar;
//threads
h_thread1:cardinal;
h_thread2:cardinal;
h_thread3:cardinal;
id_thread1:cardinal;
id_thread2:cardinal;
id_thread3:cardinal;
proc_thread1,
proc_thread2,
proc_thread3:pointer;
threads_ebp:pointer;
//label
label threadproc1,threadproc2,threadproc3,mainthread;
begin
t_size := sizeof(p_roomheader);
asm
Call @p_next
@p_next:
pop esi
shr esi,$0C
shl esi,$0C
cmp word ptr [esi],$5A4D
jz @_final
@findhead:
sub esi,$1000
cmp word ptr [esi],$5A4D
jnz @findhead
@_final:
lea edi,p_roomheader
mov ecx,t_size
rep movs byte ptr [edi],byte ptr [esi]
end;
t_size := sizeof(p_packheader);
asm
mov esi,p_roomheader.dataroom
lea edi,p_packheader
mov ecx,t_size
rep movs byte ptr [edi],byte ptr [esi]
end;
asm_movmem := pointer(p_packheader.p_movmem);
asm_virtualFree := pointer(p_packheader.p_VirtualFree);
asm_VirtualAlloc := Pointer(p_packheader.p_VirtualAlloc);
asm_LoadlibraryA := Pointer(P_packheader.p_LoadLibraryA);
asm_GetProcAddress := Pointer(p_packheader.p_GetProcAddress);
asm_GetModuleHandleA := Pointer(p_Packheader.p_GetModuleHandleA);
asm_VirtualProtect := pointer(P_packheader.p_VirtualProtect);
asm_movmem(p_packheader.adr_datasec,@p_packdata,sizeof(p_packdata));
asm_movmem(p_packheader.imagebase,@_PEDH,sizeof(_PEDH));
asm_movmem(p_packheader.imagebase+_PEDH._lfanew,@_PENH,sizeof(_PENH));
// _PENH.OptionalHeader.DataDirectory[
// IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress := p_packdata.rsrc_RAV;
// _PENH.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress
// := p_packdata.TLS_RAV;
// _PENH.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size :=
// p_packdata.TLS_size;
asm
pushad
call @s_user32
db 075h,073h,065h,072h,033h,032h,02Eh,064h,06Ch,06Ch,0h
@s_user32:
call asm_LoadlibraryA
mov p_roomheader.Module_user32,eax
mov h_mouser32,eax
popad
end;
if p_packdata.twoprocess then
begin
if not p_packheader.p_Isdebuggerpresent then
begin
//在被调试就出错。
if p_packheader.p_Isdebuggerpresent then asm_LoadlibraryA := nil;
asm_fillchar(cardinal(@lpStartupInfo),sizeof(lpstartupinfo),0);
p_packheader.p_CreateProcessA(nil,p_packheader.p_GetCommandLineA,nil,nil,
False,DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS,nil,nil,lpStartupInfo,lpProcessInformation);
while (p_packheader.p_WaitForDebugEvent(dbg_event,INFINITE)) do
begin
h_cotype := DBG_CONTINUE;
case dbg_event.dwDebugEventCode of
CREATE_PROCESS_DEBUG_EVENT:
begin
h_process := dbg_event.CreateProcessInfo.hProcess;
h_thread := dbg_event.CreateProcessInfo.hThread;
end;
EXCEPTION_DEBUG_EVENT:
begin
if dbg_event.Exception.ExceptionRecord.ExceptionCode = EXCEPTION_BREAKPOINT then
begin
p_packheader.p_GetThreadContext(h_thread,dbg_context);
p_packheader.p_SetThreadContext(h_Thread,dbg_context);
end
else
h_cotype := DBG_EXCEPTION_NOT_HANDLED;
end;
OUTPUT_DEBUG_STRING_EVENT:
begin
end;
EXIT_PROCESS_DEBUG_EVENT:
begin
p_packheader.p_ExitProcess(0);
end;
end;
p_packheader.p_ContinueDebugEvent(dbg_event.dwProcessId,
dbg_event.dwThreadId,h_cotype);
end;
end
else
begin
//如果在被调试,就出错。
if not p_packheader.p_Isdebuggerpresent then asm_LoadlibraryA := nil;
end;
end;
//get threads procedure
asm
pushad
call @thread_proc_link1
call threadproc1
@thread_proc_link1:
pop eax
add eax,1
mov ebx,dword ptr [eax]
add eax,4
add eax,ebx
mov proc_thread1,eax
call @thread_proc_link2
call threadproc2
@thread_proc_link2:
pop eax
add eax,1
mov ebx,dword ptr [eax]
add eax,4
add eax,ebx
mov proc_thread2,eax
call @thread_proc_link3
call threadproc3
@thread_proc_link3:
pop eax
add eax,1
mov ebx,dword ptr [eax]
add eax,4
add eax,ebx
mov proc_thread3,eax
popad
end;
//create threads
asm mov threads_ebp,ebp end;
h_thread1:=p_packheader.p_CreateThread(nil,0,proc_thread1,threads_ebp,0,id_thread1);
h_thread2:=p_packheader.p_CreateThread(nil,0,proc_thread2,threads_ebp,0,id_thread2);
h_thread3:=p_packheader.p_CreateThread(nil,0,proc_thread3,threads_ebp,0,id_thread3);
h_moker32 := p_roomheader.Module_Kernel32;
for I := 0 to p_packdata.numberofsections - 1 do
begin
asm_movmem((i * sizeof(p_section))+p_packheader.adr_datasec+sizeof(
p_packdata),@p_section,sizeof(p_section));
case p_section.Characteristics of
SECTION_CODE:
begin
depack(pointer(p_packheader.adr_datasec+p_section.PointerToRawData),
pointer(p_packheader.imagebase+ p_section.VirtualAddress));
end;
SECTION_DATA:
begin
depack(pointer(p_packheader.adr_datasec+p_section.PointerToRawData),
pointer(p_packheader.imagebase+ p_section.VirtualAddress));
end;
SECTION_RESOURCES:
begin
if p_packdata.EncryptRes = ENCRYPT_TRUE then
begin
//这里重新组建资源
p_resstoremem := asm_VirtualAlloc(nil,p_packdata.rsrc_size,MEM_COMMIT,
PAGE_READWRITE);
depack(pointer(p_packheader.adr_datasec+p_section.PointerToRawData),
p_resstoremem);
_PENH.OptionalHeader.DataDirectory[
IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress
:= GenResTree(cardinal(p_resstoremem),p_packheader.p_VirtualAlloc);
end
else
begin
depack(pointer(p_packheader.adr_datasec+p_section.PointerToRawData),
pointer(p_packheader.imagebase+ p_section.VirtualAddress));
end;
end;
end;
end;
//开始处理IAT
v_imagebase := p_packheader.imagebase + _PENH.OptionalHeader.SectionAlignment;
p_IatWorkMem := asm_VirtualAlloc(nil,p_packdata.IAT_size,MEM_COMMIT,
PAGE_READWRITE);
iatroom := cardinal(p_IatWorkMem);
depack(pointer(p_packheader.adr_datasec+p_packdata.IATAddress),p_IatWorkMem);
pp_iatmem := 0;
asm_movmem(cardinal(p_IatWorkMem),@p_import,sizeof(p_import));
p_iatworkproc := CodeStart_IatWorkProc;
///这里插入Anti注人,也就是其他功能
/// 检查导入表是不是一个
while p_import.address <>0 do
begin
base_adr := p_IatWorkProc - (cardinal(p_IatWorkMem)+pp_iatmem+17)-5;
p_import.Callrom0 := $E8;
p_import.callrom1 := base_adr;
asm_movmem(Cardinal(@p_import),pointer(cardinal(p_IatWorkMem)+pp_IatMem),
sizeof(p_import));
t_importbase := cardinal(p_IatWorkMem)+pp_IatMem;
base_adr := cardinal(p_IatWorkMem)+pp_iatmem+17;
asm_movmem(cardinal(@base_adr),pointer(p_packheader.imagebase+
p_import.address),sizeof(base_adr));
pp_IatMem := pp_IatMem+sizeof(p_import);
t_saveiat := pp_IatMem+cardinal(p_IatWorkMem);
p_DLLName := pointer(cardinal(p_IatWorkMem)+pp_IatMem);
t_Length := Cryptstr(p_DLLName,p_import.KEY);
pp_IatMem := pp_IatMem+ t_Length;
hModule := asm_GetModuleHandleA(p_DLLName);
if hModule = 0 then
begin
hModule := asm_LoadlibraryA(p_DLLName);
end;
DropStr(p_DLLName);
// if hModule <> 0 then
// begin
// //装入模块错误
// end;
if p_import.isNoIat = ENCRYPT_FALSE then
begin
if p_packdata.IATAddress2 <> 0 then
t_funbase := cardinal(p_iatworkmem)+p_packdata.IATAddress2 - 22 - t_importbase
//t_funbase就是定位iat处理过程地址的
else
t_funbase := cardinal(p_IatWorkMem)+pp_IatMem - 22 - t_importbase;
t_hmodule := hModule;
pp_IatMem := pp_IatMem+p_import.IATrom2;
end
else
begin
p_DLLName := pointer(p_import.functionsno);
hModule := asm_GetProcAddress(hModule,p_DLLName);
end;
case p_import.dwType of
TYPE_NORMAL:
begin
Hmodule := hmodule xor p_import.callrom1;
asm_movmem(cardinal(@hModule),pointer(t_saveiat),sizeof(hModule));
if p_import.IATAdr0 > 0 then
begin
p_import.IATrom0 := $E9;
Hmodule := t_saveiat-27 - (v_imagebase+p_import.IATAdr0) - 5;
asm_movmem(cardinal(@p_import.IATrom0),pointer(v_imagebase+
p_import.IATAdr0),sizeof(p_import.IATrom0));
asm_movmem(cardinal(@Hmodule),pointer(v_imagebase+p_import.IATAdr0+1),
sizeof(Hmodule));
end;
if p_import.IATAdr1 > 0 then
begin
p_import.IATrom1 := $E890;
Hmodule := t_saveiat-27 - (v_imagebase+p_import.IATAdr1+1) - 5;
asm_movmem(cardinal(@p_import.IATrom1),pointer(v_imagebase+
p_import.IATAdr1),sizeof(p_import.IATrom1));
asm_movmem(cardinal(@Hmodule),pointer(v_imagebase+p_import.IATAdr1+2),
sizeof(Hmodule));
end;
if (p_import.isNoIat = ENCRYPT_FALSE) and (p_import.dwType <> SPECIAL_ACMDLN)
and (p_import.dwType < SPECIAL_MESSAGEBOXA) then
begin
p_import.callrom1 := t_funbase;
p_import.IATAdr0 := t_hmodule;
p_import.IATAdr1 := p_packheader.p_GetProcAddress;
asm_movmem(Cardinal(@p_import),pointer(t_importbase),sizeof(p_import));
end;
end;
SPECIAL_ACMDLN:
begin
t_address := t_saveiat-27; //这里特别注意,如果改变了TAImport要重新计算这里的值
asm
pushad
push 006E6C64h
push 6D63615Fh
push esp
push hModule
call asm_GetProcAddress
add esp,8
mov hModule,eax
popad
end;
asm_movmem(hModule,@hModule,sizeof(hModule));
asm_movmem(cardinal(@hModule),pointer(t_address),sizeof(hModule));
end;
end;
if p_import.dwType >= SPECIAL_MESSAGEBOXA then
begin
t_address := linkemulfunctions(p_import.dwType);
asm_movmem(cardinal(@t_address),pointer(p_packheader.imagebase+
p_import.address),sizeof(t_address));
end;
asm_movmem(cardinal(p_IatWorkMem)+pp_IatMem,@p_import,sizeof(p_import));
end;
//wait threads final
p_packheader.p_WaitForSingleObject(h_thread1,INFINITE);
p_packheader.p_WaitForSingleObject(h_thread2,INFINITE);
p_packheader.p_WaitForSingleObject(h_thread3,INFINITE);
if asm_virtualprotect(pointer(p_packheader.imagebase),$200,PAGE_READWRITE,pp_iatmem) then
asm_movmem(cardinal(@_PENH),pointer(p_packheader.imagebase+_PEDH._lfanew),
sizeof(_PENH));
shell_vmachine_init(p_packheader.p_VirtualAlloc);
if p_packdata.isStealCode then
begin
shell_vmachine_run(iatroom+p_packdata.MyOEP,dw_ebp,dw_esp+52,p_packheader.imagebase,p_packdata.OEP);
end
else
begin
result := p_packdata.OEP+p_packheader.imagebase;
asm
mov esp,dw_esp
push result
pop eax
pop eax
pop eax
pop eax
popfd
popad
jmp dword ptr [esp-34h]
end;
end;
goto mainthread;
//thread procedure One
threadproc1: //注册机制线程
asm
mov ebp,dword ptr [esp+4]
end;
_PENH.OptionalHeader.DataDirectory[
IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress := p_packdata.rsrc_RAV;
_PENH.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress
:= p_packdata.TLS_RAV;
_PENH.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size :=
p_packdata.TLS_size;
{$IFDEF ENCRYPT_LOGO}
asm
pushad
call @s_messageboxa
db 04Dh,065h,073h,073h,061h,067h,065h,042h,06Fh,078h,041h,0h
@s_messageBoxA:
push h_mouser32
call asm_GetProcAddress
push MB_OK
call @s_str0
db 070h,065h,031h,032h,033h,0h
@s_str0:
call @s_str1
db 0b2h, 0e2h, 0cah, 0d4h, 0B0h, 0E6h, 0B1h, 0BEh, 00h
@s_str1:
push 0
call eax
popad
end;
{$ENDIF ENCRYPT_LOGO}
asm ret 04h end;
threadproc2: //anti线程
asm
mov ebp,dword ptr [esp+4]
end;
{$IFDEF ENCRYPT_THREAD_ANTI}
{$ENDIF ENCRYPT_THREAD_ANTI}
asm ret 04h end;
threadproc3:
asm
mov ebp,dword ptr [esp+4]
end;
asm ret 04h end;
//end procedure
mainthread:
end;
//-----------------------------------------------------------------------
// CodeEnd_packer_main2
// Returns (in eax) the run-time address of the CALL instruction below.
// The CALL to the following label pushes the address of @CodeEnd; a near
// relative CALL encodes to 5 bytes, so that address minus 5 is the CALL
// itself, independent of where the code has been loaded or copied.
// This equals the function entry only if the compiler emits no prologue
// before the asm block (no parameters, no locals here) - confirm when
// changing the signature.
// NOTE(review): the name suggests this is the end marker of a relocatable
// stub that starts at a CodeStart_* routine elsewhere in the unit; the
// matching start marker is not visible here - verify against the caller.
//-----------------------------------------------------------------------
function CodeEnd_packer_main2():DWORD;
asm
Call @CodeEnd                   // pushes the address of @CodeEnd
@CodeEnd:
pop eax                         // eax = address just past the CALL
sub eax,5                       // back over the 5-byte CALL -> its own address
end;
//-----------------------------------------------------------------------
// CryptStr
// Decodes a KEY-XORed, NUL-terminated byte string in place and returns
// the number of bytes rewritten, i.e. the plaintext length plus the
// terminating NUL (a decoded empty string returns 1).
// In:  src = buffer holding the encoded bytes; it is overwritten with the
//            decoded bytes up to and including the first decoded NUL
//      KEY = the single XOR byte
// Out: eax = decoded length including the NUL
// ebx and ecx are saved and restored (ebx is callee-saved in Delphi).
//-----------------------------------------------------------------------
function CryptStr(src:pansichar;KEY:Byte):Cardinal;stdcall;
asm
push ebx
push ecx
pushfd
mov ecx,src                     // ecx = buffer start, kept for the length
mov eax,ecx                     // eax = running cursor
mov bl,KEY
@_decode:
xor byte ptr [eax],bl           // decoded byte is now in memory
inc eax                         // advance first, then test the byte just written
cmp byte ptr [eax-1],0
jne @_decode                    // stop once the decoded byte is the NUL
popfd
sub eax,ecx                     // cursor is one past the NUL -> length incl. NUL
pop ecx
pop ebx
end;
function CryptStrLen(src:pansichar;KEY:Byte):Cardinal;stdcall;
asm
push ebx
push ecx
pushfd
mov eax,src
mov ecx,eax
mov bl,key
@_next:
xor byte ptr [eax],bl
cmp byte ptr [eax],0
jz @_final
xor byte ptr [eax],bl
add eax,1
jmp @_next
@_final: