sub dword ptr [eax+edx],ecx
mov ecx,check2[ebx]
add ecx,check1[ebx]
sub dword ptr [eax+edx],ecx
pop ecx
@@:
add esi,2
loop rt12
pop esi
add esi,[esi+4]
jmp rl1
rl2:
mov edi,reloc_offs[ebx]
add edi,edx
mov ecx,reloc_size[ebx]
mov al,0
; rep stosb
mov eax,decode_key[ebx]
mov edx,hModule[ebx]
mov esi,[edx+3ch]
lea esi,[esi+edx+0f8h]
mov edi,esi
xor shell_eip[ebx],eax
@@:
imul esi,number_of_section[ebx],28h
add esi,edi
jmp _@@100
cmp dword ptr [esi+0ch],0
je _@@100
cmp dword ptr [esi+08h],0
je _@@100
add esi,28h
jmp @b
_@@100:
sub esi,28h
xchg edi,esi
_@@10:
cmp esi,edi
jnbe _@@19
pop ecx
push edx
lea eax,old_protect_flag[ebx]
push eax
cc15:
push ecx
push dword ptr [esi+8]
mov eax,[esi+0ch]
add eax,edx
push eax
call f_VirtualProtect[ebx]
pop edx
add esi,28h
jmp _@@10
_@@19:
mov eax,shell_eip[ebx]
add eax,edx
add eax,check2[ebx]
xor eax,check1[ebx]
;call disp
push eax
;call disp1
or flag_thread_end[ebx],111b
or flag_thread_end[ebx],80000000h
@@:
mov eax,flag_thread_exit[ebx]
and eax,10000000000000000000000000000111b
xor eax,10000000000000000000000000000111b
jnz @b
pop eax
mov dword ptr proc_entry[ebx+1],eax
invoke set_seh,0,0
;call disp
or flag_finish[ebx],1
pe0:
cmp file_type[ebx],2 ;dll
jne @f
jmp pe1
@@:
;call disp1
lea edi,entry[ebx]
mov ecx,offset pe1 - offset entry
cld
mov al,0
rep stosb ;!!!
pe1: ;!!!
popad
popfd
;int 3
proc_entry label byte ;!!!
push 12345678 ;!!!
ret
second_entry:
call _cc1 ;!!!
_cc1: ;!!!
pop ebx
sub ebx,offset _cc1
push MB_YESNO
lea eax, titl[ebx]
push eax
lea eax, msg[ebx]
push eax
push 0
call f_MessageBox[ebx]
cmp eax,IDYES
je @f
push 0
jmp se1
@@:
push exitcode[ebx] ;;;312321
se1:
call f_ExitProcess[ebx]
__ok:
check2_end label byte
db 4 dup (?)
create_process_fail:
error_exit:
push 0
call f_ExitProcess[ebx]
;!!!
;added on 2006-3-4
db 'rNiLaToV'
ipt db 14h * 2 dup (0)
size1 = $ - offset ipt
dllname db 'kernel32.dll',0
size2 = $ - offset dllname
funname db 0,0,'GetVersion',0
size3 = $ - offset funname
funaddr dd ?,0
size4 = $ - offset funaddr
;added on 2006-3-4
key_size = $ - offset entry
db 1000h dup (0)
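;-----------------------------------------------------------------------
; trans -- split the command line into up to three arguments.
; C-ish: void trans(const char *cmdline /* eax */)
; In:    eax = NUL-terminated command line (as returned by GetCommandLine)
; Out:   fname1, fname2, fname3 receive the 1st, 2nd and 3rd token after
;        the program name, each NUL-terminated.  Tokens are separated by
;        ' ' (20h) or TAB (9); runs of separators are skipped.  If the
;        line ends early the remaining buffers are left untouched.
; Fix:   a program path quoted with '"' (the usual form when the path
;        contains spaces) is now skipped as one token.  Previously the
;        skip stopped at the first space inside the quotes, so the tail
;        of the program path landed in fname1.  Unquoted lines take the
;        same path as before.
; Clobb: al (eax/esi/edi restored by USES), flags.
; NOTE(review): the copies into fname1/fname2/fname3 are unbounded; the
;        buffer sizes are declared elsewhere and are not checked here, so
;        an argument longer than its buffer overruns it.
;-----------------------------------------------------------------------
trans proc uses eax esi edi
        mov     esi,eax
        cmp     byte ptr [esi],'"'
        jne     t_arg0
t_quoted:                               ; quoted program name: run to the closing quote
        inc     esi
        mov     al,[esi]
        test    al,al
        jz      t9
        cmp     al,'"'
        jne     t_quoted
        jmp     t_ws1                   ; esi -> closing quote, consumed like a separator below
t_arg0:
        dec     esi
t_arg0_next:                            ; unquoted program name: run to the first separator
        inc     esi
        mov     al,[esi]
        test    al,al
        jz      t9
        cmp     al,20h
        je      t_ws1
        cmp     al,9
        jne     t_arg0_next

t_ws1:                                  ; skip separators before token 1
        inc     esi
        mov     al,[esi]
        test    al,al
        jz      t9
        cmp     al,20h
        je      t_ws1
        cmp     al,9
        je      t_ws1
        mov     edi,offset fname1
t_copy1:                                ; copy token 1 up to a separator
        mov     al,[esi]
        cmp     al,20h
        je      t_end1
        cmp     al,9
        je      t_end1
        mov     [edi],al                ; a terminating NUL is stored before the test below
        inc     esi
        inc     edi
        test    al,al
        jz      t9
        jmp     t_copy1
t_end1:
        mov     byte ptr [edi],0
        dec     esi                     ; re-read the separator in the skip loop

t_ws2:                                  ; skip separators before token 2
        inc     esi
        mov     al,[esi]
        test    al,al
        jz      t9
        cmp     al,20h
        je      t_ws2
        cmp     al,9
        je      t_ws2
        mov     edi,offset fname2
t_copy2:                                ; copy token 2
        mov     al,[esi]
        cmp     al,20h
        je      t_end2
        cmp     al,9
        je      t_end2
        mov     [edi],al
        inc     esi
        inc     edi
        test    al,al
        jz      t9
        jmp     t_copy2
t_end2:
        mov     byte ptr [edi],0
        dec     esi

t_ws3:                                  ; skip separators before token 3
        inc     esi
        mov     al,[esi]
        test    al,al
        jz      t9
        cmp     al,20h
        je      t_ws3
        cmp     al,9
        je      t_ws3
        mov     edi,offset fname3
t_copy3:                                ; copy token 3
        mov     al,[esi]
        cmp     al,20h
        je      t_end3
        cmp     al,9
        je      t_end3
        mov     [edi],al
        inc     esi
        inc     edi
        test    al,al
        jz      t9
        jmp     t_copy3
t_end3:
        mov     byte ptr [edi],0
t9:
        ret
trans endp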
;-----------------------------------------------------------------------
; calc_checksum -- fill check1_sum and check2_sum from the stub image.
;   check1_sum = 0 - (byte-wise sum over [check1_start, check1_end))
;   check2_sum =      byte-wise sum over [check2_start, check2_end)
; Both loops are do-while: one byte is read even if the two labels
; coincide.  Sums wrap modulo 2^32.  No inputs; every register touched
; is restored by the USES list (ebx is kept in the list for an
; unchanged prologue/epilogue although it is no longer used).
;-----------------------------------------------------------------------
calc_checksum proc uses eax ebx ecx edi esi
        ; --- range 1: negated sum ---
        mov     esi,offset check1_start
        mov     edi,offset check1_end
        xor     eax,eax                 ; running sum
cs_loop1:
        movzx   ecx,byte ptr [esi]
        sub     eax,ecx
        inc     esi
        cmp     esi,edi
        jb      cs_loop1
        mov     dword ptr check1_sum,eax

        ; --- range 2: plain sum ---
        mov     esi,offset check2_start
        mov     edi,offset check2_end
        xor     eax,eax
cs_loop2:
        movzx   ecx,byte ptr [esi]
        add     eax,ecx
        inc     esi
        cmp     esi,edi
        jb      cs_loop2
        mov     dword ptr check2_sum,eax
        ret
calc_checksum endp
;-----------------------------------------------------------------------
; start -- entry point of the packer's build tool (not of the stub).
; Flow: make the stub region [entry, entry+key_size) writable and patch
; keys into it; read the input PE (fname1) into a buffer (pt1/fsize1);
; stash and zero its import and relocation directories; pass its
; sections to `encode`; extend the last section or append a new one to
; hold the stub; point AddressOfEntryPoint at the stub and write the
; result to fname2; then re-open fname2 and re-point its import
; directory at the mini import table (ipt: kernel32!GetVersion) that
; lives inside the stub.
; Register roles while the headers are patched:
;   ebx = pt1 (buffer holding the input file)
;   esi = e_lfanew (offset of the "PE\0\0" header inside the buffer)
;   edi = current IMAGE_SECTION_HEADER (relative to ebx)
; Assumptions baked into the offsets below: PE32 with a 0e0h-byte
; optional header, 16 data directories, 1000h section/file alignment
; (SectionAlignment/FileAlignment are never read).
; No signature or bounds check is made on e_lfanew, the section count
; or the section fields, so a malformed input can drive reads and
; writes outside the pt1 buffer.  Every API result except the two
; CreateFile handles is ignored.
; The output carries the usual packer indicators: original import and
; relocation directories zeroed, a single kernel32!GetVersion import,
; an executable+writable last/new section, entry point inside it.
;-----------------------------------------------------------------------
start:
; int 3
jmp st1 ;everything up to st1 is unreachable (leftover experiments)
invoke LoadLibrary,addr shell32
invoke GetProcAddress,eax,800000e9h ;dead code; the meaning of this lookup value is not visible here
; invoke VirtualAlloc,0h,10000h,MEM_RESERVE,PAGE_READWRITE
; invoke VirtualQuery,eax,addr mbi,sizeof MEMORY_BASIC_INFORMATION
; invoke VirtualAlloc,0h,10000h,MEM_COMMIT,PAGE_READWRITE
; invoke VirtualAlloc,0h,10000h,MEM_COMMIT,PAGE_READWRITE
; invoke VirtualProtect,3e0000h,10,PAGE_READONLY,addr temp1
mov esi,400000h ;dead code: walk the address space region by region from 400000h
@@:
invoke VirtualQuery,esi,addr mbi,sizeof MEMORY_BASIC_INFORMATION
; cmp dword ptr mbi[10h],10000h
; je @f
mov esi,dword ptr mbi[0] ;MEMORY_BASIC_INFORMATION.BaseAddress
add esi,dword ptr mbi[0ch] ;MEMORY_BASIC_INFORMATION.RegionSize -> next region
cmp eax,0 ;stop once VirtualQuery returns 0
jne @b
@@:
mov eax,dword ptr mbi[0]
; invoke VirtualAlloc,eax,10h,MEM_COMMIT,PAGE_READWRITE
cmp eax,0
jne @f
invoke VirtualQuery,3e0000h,addr mbi,sizeof MEMORY_BASIC_INFORMATION
; invoke VirtualAlloc,0,10h,MEM_COMMIT,PAGE_READWRITE
invoke VirtualQuery,3e0000h,addr mbi,sizeof MEMORY_BASIC_INFORMATION
@@:
;--- real start ---
st1:
;make the stub image writable: the stores into dc_edit/ec_edit/decode_key/rnd/
;shell_eip below patch the tool's own copy of the stub before it is written out
invoke VirtualProtect,addr entry,key_size,PAGE_READWRITE,addr temp1
;key 1 = low 32 bits of tick1*tick2; the two reads are back to back, so the
;product carries little entropy (and it is stored in the output anyway)
invoke GetTickCount
push eax
invoke GetTickCount
pop edx
mul edx
mov dword ptr dc_edit+1,eax ;presumably the imm32 of an instruction at dc_edit - confirm
mov dword ptr ec_edit+1,eax ;same for ec_edit
call calc_checksum ;check1_sum/check2_sum over the stub's two checksum ranges
;key 2, derived the same way, becomes decode_key; rnd is its complement
invoke GetTickCount
push eax
invoke GetTickCount
pop edx
mul edx
mov decode_key,eax
not eax
mov rnd,eax
;xor-encode [_ok, __ok) with a rolling key: byte ^= al; eax += 1; eax = ror(eax,7)
mov esi,offset _ok
mov edi,offset __ok
mov eax,decode_key
@@:
cmp esi,edi
jae @f
xor [esi],al
inc eax
ror eax,7
inc esi
jmp @b
@@:
invoke GetCommandLine
call trans ;split the command line into fname1/fname2/fname3
;open the input (fname1) for reading and the output (fname2) for writing;
;either failure exits with code 0 (error1/error3), which hides the error
;from a caller, and hfile1 is not closed on the error3 path
invoke CreateFile,addr fname1,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,0
cmp eax,INVALID_HANDLE_VALUE
je error1
mov hfile1,eax
invoke CreateFile,addr fname2,GENERIC_WRITE,0,0,CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL,0
cmp eax,INVALID_HANDLE_VALUE
je error3
mov hfile3,eax
;read the whole input into pt1; GetFileSize (INVALID_FILE_SIZE), VirtualAlloc
;(NULL) and ReadFile (result / bytes read) are not checked
invoke GetFileSize,hfile1,0
mov fsize1,eax
invoke VirtualAlloc,0,fsize1,MEM_COMMIT,PAGE_READWRITE
mov pt1,eax
invoke ReadFile,hfile1,pt1,fsize1,addr temp1,0
mov ebx,pt1 ;ebx = file buffer
mov esi,[ebx+3ch] ;esi = IMAGE_DOS_HEADER.e_lfanew, unvalidated
;optionally wipe data directory 11 (Bound Import, +0d0h) and 10 (Load Config, +0c8h)
cmp flag_clear_boundimport,0
je @f
lea eax,[ebx+esi+0d0h]
mov dword ptr [eax],0
mov dword ptr [eax+4],0
@@:
cmp flag_clear_load_config,0
je @f
lea eax,[ebx+esi+0c8h]
mov dword ptr [eax],0
mov dword ptr [eax+4],0
@@:
mov eax,[ebx+esi+34h] ;OptionalHeader.ImageBase
mov image_base,eax
;copy the 16 data directory entries (+78h, 80h bytes) into rva_table;
;move_memory is defined elsewhere - presumably (esi=src, edi=dst, ecx=len), confirm
push esi
lea esi,[ebx+esi+78h]
mov edi,offset rva_table
mov ecx,80h
call move_memory
pop esi
;adding a section: bump FileHeader.NumberOfSections (+6). Nothing checks that
;the headers have room for the extra 28h-byte entry
cmp flag_add_section,0
je @f
add word ptr [ebx+esi+6],1
@@:
;stash and zero directory 1 (import table, +80h/+84h; despite the iat_ names
;this is the import directory, not directory 12) ...
mov eax,0
xchg eax,[ebx+esi+80h]
mov iat_offs,eax
mov eax,0
xchg eax,[ebx+esi+84h]
mov iat_size,eax
;... and directory 5 (base relocations, +0a0h/+0a4h)
mov eax,0
xchg eax,[ebx+esi+0a0h]
mov reloc_offs,eax
mov eax,0
xchg eax,[ebx+esi+0a4h]
mov reloc_size,eax
lea edi,[esi+0f8h] ;first section header, assuming SizeOfOptionalHeader == 0e0h
movzx eax,word ptr [ebx+esi+6]
mov temp1,eax ;section counter (already +1 when a section is being added)
;section loop: every header but the last counted one is handed to encode; the
;loop leaves edi on that last header (the existing last section, which is then
;NOT encoded, or the fresh slot when flag_add_section is set) to hold the stub
st2:
dec temp1
jz st3
jmp @f ;the two checks below are dead
cmp dword ptr [ebx+edi+0ch],0 ;;;;;;
je st3
cmp dword ptr [ebx+edi+08h],0 ;;;;;;
je st3
@@:
jmp st24 ;dead: the block below would skip sections overlapping the Debug (+0a8h), Resource (+88h) and TLS (+0c0h) directories
mov eax,dword ptr [ebx+esi+0a8h]
cmp eax,0
je @f
add eax,dword ptr [ebx+esi+0ach]
cmp eax,dword ptr [ebx+edi+0ch]
jb @f
mov eax,dword ptr [ebx+edi+0ch]
add eax,dword ptr [ebx+edi+8]
cmp eax,dword ptr [ebx+esi+0a8h]
ja st25
@@:
mov eax,dword ptr [ebx+esi+88h]
cmp eax,0
je @f
add eax,dword ptr [ebx+esi+8ch]
cmp eax,dword ptr [ebx+edi+0ch]
jb @f
mov eax,dword ptr [ebx+edi+0ch]
add eax,dword ptr [ebx+edi+8]
cmp eax,dword ptr [ebx+esi+88h]
ja st25
@@:
mov eax,dword ptr [ebx+esi+0c0h]
cmp eax,0
je @f
add eax,dword ptr [ebx+esi+0c4h]
cmp eax,dword ptr [ebx+edi+0ch]
jb @f
mov eax,dword ptr [ebx+edi+0ch]
add eax,dword ptr [ebx+edi+8]
cmp eax,dword ptr [ebx+esi+0c0h]
ja st25
@@:
st24:
mov eax,[ebx+edi+8] ;eax = min(VirtualSize, SizeOfRawData)
cmp eax,[ebx+edi+10h]
jbe @f
mov eax,[ebx+edi+10h]
@@:
mov ecx,[ebx+edi+14h] ;ecx = PointerToRawData - VirtualAddress
;;;;;;add ecx,ebx
mov edx,[ebx+edi+0ch] ;edx = VirtualAddress
sub ecx,edx ;
invoke encode,edx,eax,ebx,ecx ;encode is defined elsewhere; argument roles presumed (rva, length, base, raw-rva delta)
st25:
add edi,28h ;next IMAGE_SECTION_HEADER
jmp st2
st3:
;number_of_section = index of the header left in edi
push edi
lea eax,[esi+0f8h]
sub edi,eax
mov edx,0
mov eax,edi
mov edi,28h
div edi
mov number_of_section,eax
pop edi
cmp flag_add_section,0
jne st6
;--- extend the last section to cover the rest of the file plus the stub ---
mov eax,fsize1
sub eax,[ebx+edi+14h] ;bytes from the section's raw start to EOF (overlay included)
test eax,00000fffh
jz @f
add eax,1000h
@@:
and eax,0fffff000h ;rounded up to 1000h
push eax ;offset of the stub inside the section
add eax,key_size
test eax,00000fffh
jz @f
add eax,1000h
@@:
and eax,0fffff000h
mov [ebx+edi+08h],eax ;VirtualSize
mov [ebx+edi+10h],eax ;SizeOfRawData
or dword ptr [ebx+edi+24h],0a0000020h ;mov dword ptr [ebx+edi+24h],0e0000040h
;the OR above adds IMAGE_SCN_MEM_WRITE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_CNT_CODE:
;the host section becomes writable and executable
pop ecx
mov eax,[ebx+edi+0ch]
add eax,ecx ;new entry point RVA = VirtualAddress + stub offset
add eax,offset entry ;these two cancel out (leftover)
sub eax,offset entry
xchg [ebx+esi+28h],eax ;swap with AddressOfEntryPoint ...
mov shell_eip,eax ;... and keep the original entry RVA for the stub
jmp st7
st6:
;--- append a new section header at edi (its 8 name bytes are never written) ---
mov eax,key_size
test eax,00000fffh
jz @f
add eax,1000h
@@:
and eax,0fffff000h
mov [ebx+edi+8],eax ;VirtualSize = key_size rounded up
sub edi,28h
mov eax,[ebx+edi+0ch]
add eax,[ebx+edi+8] ;previous section's VirtualAddress + VirtualSize ...
test eax,00000fffh
je @f
add eax,1000h
@@:
and eax,0fffff000h ;... rounded up to 1000h
add edi,28h
mov [ebx+edi+0ch],eax ;VirtualAddress
mov eax,key_size
test eax,00000fffh
jz @f
add eax,1000h
@@:
and eax,0fffff000h
mov [ebx+edi+10h],eax ;SizeOfRawData
mov eax,fsize1
test eax,00000fffh
je @f
add eax,1000h
@@:
and eax,0fffff000h
mov [ebx+edi+14h],eax ;PointerToRawData = file size rounded up (matches the padding written at st75)
mov dword ptr [ebx+edi+24h],0e0000020h ;Characteristics = CNT_CODE|MEM_EXECUTE|MEM_READ|MEM_WRITE
mov eax,[ebx+edi+0ch] ;new entry point = start of the new section
add eax,offset entry ;these two cancel out (leftover)
sub eax,offset entry
xchg [ebx+esi+28h],eax ;swap with AddressOfEntryPoint
mov shell_eip,eax ;original entry RVA for the stub
st7:
;SizeOfImage (+50h) = VirtualAddress + VirtualSize of the stub section, rounded up
mov eax,[ebx+edi+0ch]
add eax,[ebx+edi+8]
test eax,00000fffh
je @f
add eax,1000h
@@:
and eax,0fffff000h
mov [ebx+esi+50h],eax
;obscure shell_eip with decode_key (the stub undoes this with xor shell_eip[ebx],eax)
mov eax,decode_key
xor shell_eip,eax
;invert every byte of [entry00, __ok)
lea esi,entry00
mov ecx,__ok - entry00
@@:
not byte ptr [esi]
inc esi
loop @b
mov flag_reentry,0
;write the patched (and encoded) image bytes
invoke WriteFile,hfile3,pt1,fsize1,addr temp1,0
cmp flag_add_section,0
jne st75
;padding without a new section: ecx = 1000h - (fsize1 - PointerToRawData),
;folded into [0, 1000h] by adding 1000h while negative.
;NOTE(review): when fsize1 == PointerToRawData this pads 1000h although the
;stub offset computed above is 0 - looks inconsistent for that edge case
mov eax,fsize1
sub eax,[ebx+edi+14h]
mov ecx,1000h
sub ecx,eax
jns st71
@@:
add ecx,1000h
js @b
st71:
mov eax,ecx
jmp st8
st75:
;padding with a new section: round the file size up to 1000h
mov eax,fsize1
test eax,00000fffh
je @f
add eax,1000h
@@:
and eax,0fffff000h
sub eax,fsize1
st8:
lea ecx,_fill ;eax <= 1000h here, so the 1000h zero bytes of _fill suffice
invoke WriteFile,hfile3,ecx,eax,addr temp1,0
;write the stub, key_size rounded up to 1000h; the bytes past key_size come from
;the db 1000h dup (0) that follows the key_size definition
mov eax,key_size
test eax,00000fffh
jz @f
add eax,1000h
@@:
and eax,0fffff000h
invoke WriteFile,hfile3,addr entry,eax,addr temp1,0
invoke CloseHandle,hfile1
invoke CloseHandle,hfile3
invoke VirtualFree,pt1,0,MEM_RELEASE
;--- second pass: re-point the import directory at the stub's mini import table ---
invoke CreateFile,addr fname2,GENERIC_READ + GENERIC_WRITE,0,0,OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,0
cmp eax,INVALID_HANDLE_VALUE
je error3
mov hfile1,eax
invoke GetFileSize,hfile1,0
mov fsize1,eax
invoke VirtualAlloc,0,fsize1,MEM_COMMIT,PAGE_READWRITE
mov pt1,eax
invoke ReadFile,hfile1,pt1,fsize1,addr temp1,0
;scan for the 8-byte marker "rNiLaToV" that precedes ipt in the stub;
;ecx = bytes left, the 8-byte compare is only made while ecx >= 8
mov ecx,fsize1
mov edi,pt1
uu1:
cmp ecx,8
jb nofound
cmp dword ptr [edi],'LiNr' ;'rNiL'
jne uu2
cmp dword ptr [edi+4],'VoTa' ;'aToV'
je found
uu2:
inc edi
loop uu1
jmp nofound
found:
add edi,8 ;edi = file offset of ipt
sub edi,pt1
mov ebx,pt1
mov esi,[ebx+3ch]
movzx ecx,word ptr [ebx+esi+6] ;NumberOfSections
mov eax,[ebx+esi+74h] ;NumberOfRvaAndSizes*8 locates the section table here; agrees with the fixed 0f8h used above only when it is 16
shl eax,3
lea edx,[ebx+esi+78h]
add edx,eax
;find the section whose raw range holds ipt:
;PointerToRawData <= edi < PointerToRawData + VirtualSize (VirtualSize, not SizeOfRawData, bounds the check)
uu3:
cmp dword ptr [edx+14h],edi
ja s_nt
mov eax,[edx+8]
add eax,[edx+14h]
cmp eax,edi
jbe s_nt
mov eax,edi
sub eax,[edx+14h]
add eax,[edx+0ch] ;eax = RVA of ipt
mov [ebx+esi+80h],eax ;import directory RVA
mov dword ptr [ebx+esi+84h],14h ;one IMAGE_IMPORT_DESCRIPTOR; the zeroed second half of ipt terminates the list
lea ecx,[eax+size1]
mov [ebx+edi+0ch],ecx ;descriptor.Name = RVA of dllname
lea ecx,[eax+size1+size2]
mov [ebx+edi+size1+size2+size3],ecx ;thunk at funaddr = RVA of funname (hint/name entry; the hint is its two leading zero bytes)
lea ecx,[eax+size1+size2+size3]
mov [ebx+edi+10h],ecx ;descriptor.FirstThunk = RVA of funaddr
jmp found1
s_nt:
add edx,28h
loop uu3
jmp nofound
found1:
invoke SetFilePointer,hfile1,0,0,FILE_BEGIN
invoke WriteFile,hfile1,pt1,fsize1,addr temp1,0
nofound:
invoke CloseHandle,hfile1
invoke VirtualFree,pt1,0,MEM_RELEASE
;all failure paths land here as well, with exit code 0
error1:
error2:
error3:
exit0:
invoke ExitProcess,0
_fill db 1000h dup (0) ;zero source for the alignment padding written at st8
end start