📄 morphine.dpr
字号:
add ecx,[esi+03Ch] //+TImageDosHeader._lfanew = NtHeaders
mov ecx,[ecx+054h] //NtHeaders.SizeOfHeaders
rep movsb
pop esi
add esi,[esi+03Ch] //TImageNtHeaders
add esi,0F8h //+SizeOf(TImageNtHeaders) = section headers
@DynLoader_LoadSections:
mov eax,[ebp+008h] //TImageDosHeader
add eax,[eax+03Ch] //TImageDosHeader._lfanew
movzx eax,[eax+006h] //NtHeaders.FileHeader.NumberOfSections
@DynLoader_LoadSections_do_section:
lea edi,[ebp-038h] //Section
push edi
push 00Ah //SizeOf(TImageSectionHeader) div 4
pop ecx
rep movsd
pop edi
@DynLoader_LoadSections_copy_data:
mov edx,[edi+014h] //Section.PointerToRawData
test edx,edx
jz @DynLoader_LoadSections_next_section
push esi
mov esi,[ebp+008h] //AHostAddr
add esi,edx //AHostAddr + Section.PointerToRawData
mov ecx,[edi+010h] //Section.SizeOfRawData
mov edx,[edi+00Ch] //Section.VirtualAddress
mov edi,[ebp-00Ch] //FileData
add edi,edx //FileData + Section.VirtualAddress
rep movsb
pop esi
@DynLoader_LoadSections_next_section:
dec eax
jnz @DynLoader_LoadSections_do_section
mov edx,[ebp-00Ch] //FileData
sub edx,[ebp-004h] //Delta = FileData - ImageBaseOrg
je @DynLoader_PEBTEBFixup
@DynLoader_RelocFixup:
mov eax,[ebp-00Ch] //FileData
mov ebx,eax
add ebx,[ebx+03Ch] //TImageDosHeader._lfanew
mov ebx,[ebx+0A0h] //IMAGE_DIRECTORY_ENTRY_BASERELOC.VirtualAddress
test ebx,ebx
jz @DynLoader_PEBTEBFixup
add ebx,eax
@DynLoader_RelocFixup_block:
mov eax,[ebx+004h] //ImageBaseRelocation.SizeOfBlock
test eax,eax
jz @DynLoader_PEBTEBFixup
lea ecx,[eax-008h] //ImageBaseRelocation.SizeOfBlock - SizeOf(TImageBaseRelocation)
shr ecx,001h //(ImageBaseRelocation.SizeOfBlock - SizeOf(TImageBaseRelocation)) div SizeOf(Word)
lea edi,[ebx+008h] //PImageBaseRelocation + SizeOf(TImageBaseRelocation)
@DynLoader_RelocFixup_do_entry:
movzx eax,word ptr [edi] //Entry
push edx
mov edx,eax
shr eax,00Ch //Type = Entry shr 12
mov esi,[ebp-00Ch] //FileData
and dx,00FFFh
add esi,[ebx] //FileData + ImageBaseRelocation.VirtualAddress
add esi,edx //FileData + ImageBaseRelocation.VirtualAddress+Entry and $0FFF
pop edx
@DynLoader_RelocFixup_HIGH:
dec eax
jnz @DynLoader_RelocFixup_LOW
mov eax,edx
shr eax,010h //HiWord(Delta)
jmp @DynLoader_RelocFixup_LOW_fixup
@DynLoader_RelocFixup_LOW:
dec eax
jnz @DynLoader_RelocFixup_HIGHLOW
movzx eax,dx //LoWord(Delta)
@DynLoader_RelocFixup_LOW_fixup:
add word ptr [esi],ax
jmp @DynLoader_RelocFixup_next_entry
@DynLoader_RelocFixup_HIGHLOW:
dec eax
jnz @DynLoader_RelocFixup_next_entry
add [esi],edx
@DynLoader_RelocFixup_next_entry:
inc edi
inc edi //Inc(Entry)
loop @DynLoader_RelocFixup_do_entry
@DynLoader_RelocFixup_next_base:
add ebx,[ebx+004h] //ImageBaseRelocation + ImageBaseRelocation.SizeOfBlock
jmp @DynLoader_RelocFixup_block
@DynLoader_PEBTEBFixup:
//we have some bad pointers in InLoadOrderModuleList, we have to change the base of our module
//and if we are executable (not dll) we have to change base address in PEB too
//for VB programs we need to do it now, because its libraries is reading this stuff
//in ImportFixup section
// int 3
mov ecx,[ebp-00Ch] //FileData
mov edx,[ebp-050h] //ImageBase
add [ebp-04Ch],edx //ImageEntryPoint
mov eax,fs:[000000030h] //TEB.PPEB
cmp dword ptr [ebp-044h],IMAGE_TYPE_EXE //check image type = IMAGE_TYPE_EXE
jnz @DynLoader_in_module_list
mov [eax+008h],ecx //PEB.ImageBaseAddr -> rewrite old imagebase
@DynLoader_in_module_list:
mov eax,[eax+00Ch] //PEB.LoaderData
mov eax,[eax+00Ch] //LoaderData.InLoadOrderModuleList
//now find our module in the list (same base, same size and same entry point)
mov esi,eax //first record
@DynLoader_in_module_list_one:
mov edx,[eax+018h] //InLoadOrderModuleList.BaseAddress
cmp edx,[ebp-050h] //ImageBase
jnz @DynLoader_in_module_list_next
mov edx,[eax+01Ch] //InLoaderOrderModuleList.EntryPoint
cmp edx,[ebp-04Ch] //ImageEntryPoint
jnz @DynLoader_in_module_list_next
mov edx,[eax+020h] //InLoaderOrderModuleList.SizeOfImage
cmp edx,[ebp-048h] //ImageSize
jnz @DynLoader_in_module_list_next
mov [eax+018h],ecx //InLoadOrderModuleList.BaseAddress -> rewrite old imagebase
add ecx,[ebp-01D0h] //+NtHeaders.OptionalHeader.AddressOfEntryPoint
mov [eax+01Ch],ecx //InLoadOrderModuleList.EntryPoint -> rewrite old entrypoint
mov ecx,[ebp-01A8h] //NtHeaders.OptionalHeader.SizeOfImage
mov [eax+020h],ecx //InLoaderOrderModuleList.SizeOfImage -> rewrite old sizeofimage
jmp @DynLoader_ImportFixup
@DynLoader_in_module_list_next:
cmp [eax],esi //InLoadOrderModuleList.Flink ?= first record
jz @DynLoader_ImportFixup
mov eax,[eax] //record = InLoadOrderModuleList.Flink
jmp @DynLoader_in_module_list_one
@DynLoader_ImportFixup:
mov ebx,[ebp-0178h] //NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
test ebx,ebx
jz @DynLoader_export_fixup
mov esi,[ebp-00Ch] //FileData
add ebx,esi //FileData + NtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
@DynLoader_ImportFixup_module:
mov eax,[ebx+00Ch] //TImageImportDescriptor.Name
test eax,eax
jz @DynLoader_export_fixup
mov ecx,[ebx+010h] //TImageImportDescriptor.FirstThunk
add ecx,esi
mov [ebp-03Ch],ecx //Thunk
mov ecx,[ebx] //TImageImportDescriptor.Characteristics
test ecx,ecx
jnz @DynLoader_ImportFixup_table
mov ecx,[ebx+010h]
@DynLoader_ImportFixup_table:
add ecx,esi
mov [ebp-040h],ecx //HintName
add eax,esi //TImageImportDescriptor.Name + FileData = ModuleName
push eax //lpLibFileName
call @FixDLLName
mov [esi+0400h], eax
mov eax,[ebp+010h] //ImportThunk.LoadLibrary
call [eax] //LoadLibrary
call @DestroyImport
test eax,eax
jz @DynLoader_end
mov edi,eax
@DynLoader_ImportFixup_loop:
mov ecx,[ebp-040h] //HintName
mov edx,[ecx] //TImageThunkData.Ordinal
test edx,edx
jz @DynLoader_ImportFixup_next_module
test edx,080000000h //import by ordinal ?
jz @DynLoader_ImportFixup_by_name
and edx,07FFFFFFFh //get ordinal
jmp @DynLoader_ImportFixup_get_addr
@DynLoader_ImportFixup_by_name:
add edx,esi //TImageThunkData.Ordinal + FileData = OrdinalName
inc edx
inc edx //OrdinalName.Name
@DynLoader_ImportFixup_get_addr:
push edx //lpProcName
call @FixProcName
mov [esi+0400h], edx
push edi //hModule
mov eax,[ebp+00Ch] //ImportThunk.GetProcAddress
call [eax] //GetProcAddress
call @DestroyImport
call @SmallITP
mov [esi+0400h], 00000000h
mov ecx,[ebp-03Ch] //HintName
mov [ecx],eax
add dword ptr [ebp-03Ch],004h //Thunk -> next Thunk
add dword ptr [ebp-040h],004h //HintName -> next HintName
jmp @DynLoader_ImportFixup_loop
@DynLoader_ImportFixup_next_module:
add ebx,014h //SizeOf(TImageImportDescriptor)
jmp @DynLoader_ImportFixup_module
@DynLoader_export_fixup:
//go through all loaded modules and search for IAT section for our module
//then change image base in all imports there
// int 3
mov eax,fs:[000000030h] //TEB.PPEB
mov eax,[eax+00Ch] //PEB.LoaderData
mov ebx,[eax+00Ch] //LoaderData.InLoadOrderModuleList
mov [ebp-070h],ebx //FirstModule
@DynLoader_export_fixup_process_module:
mov edx,[ebx+018h] //InLoadOrderModuleList.BaseAddress
cmp edx,[ebp-050h] //ImageBase
jz @DynLoader_export_fixup_next
push edx
push 004h //ucb
push edx //lp
call [ebp-07Ch] //IsBadReadPtr
pop edx
test eax,eax
jnz @DynLoader_export_fixup_next
mov edi,edx
add edi,[edi+03Ch] //TImageDosHeader._lfanew
mov edi,[edi+080h] //TImageNtHeaders.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress
test edi,edi
jz @DynLoader_export_fixup_next
add edi,edx //+ module.ImageBase
@DynLoader_export_fixup_check_idt:
xor eax,eax
push edi
push 005h //sizeof(ImportDirectoryTable)/4
pop ecx
rep scasd //test for null Directory Entry
pop edi
jz @DynLoader_export_fixup_next
mov esi,[edi+010h] //ImportSection.ImportAddressTableRVA
add esi,[ebx+018h] //+ module.ImageBase
mov eax,[esi] //first IAT func address
sub eax,[ebp-050h] //- ImageBase
jb @DynLoader_export_fixup_next_idir //this is not our import
cmp eax,[ebp-048h] //ImageSize
jbe @DynLoader_export_fixup_prefixaddr //this is our import
@DynLoader_export_fixup_next_idir:
add edi,014h //+ sizeof(IDT) = next IDT
jmp @DynLoader_export_fixup_check_idt
@DynLoader_export_fixup_prefixaddr:
push 01Ch //dwLength = sizeof(MemoryBasicInformation)
lea eax,[ebp-09Ch] //MemoryBasicInformation
push eax //lpBuffer
push esi //lpAddress
call [ebp-078h] //VirtualQuery
lea eax,[ebp-088h] //MemoryBasicInformation.Protect
push eax //lpflOldProtect
push PAGE_READWRITE //flNewProtect
push dword ptr [ebp-090h] //dwSize = MemoryBasicInformation.RegionSize
push dword ptr [ebp-09Ch] //lpAddress = MemoryBasicInformation.BaseAddress
call [ebp-074h] //VirtualProtect
test eax,eax
jz @DynLoader_export_fixup_next
push edi
mov edi,esi
@DynLoader_export_fixup_fixaddr:
lodsd
test eax,eax
jz @DynLoader_export_fixup_protect_back
sub eax,[ebp-050h] //- ImageBase
add eax,[ebp-00Ch] //+ FileData
stosd
jmp @DynLoader_export_fixup_fixaddr
@DynLoader_export_fixup_protect_back:
lea eax,[ebp-084h] //MemoryBasicInformation.Type (just need some pointer)
push eax //lpflOldProtect
push dword ptr [ebp-088h] //flNewProtect = MemoryBasicInformation.Protect
push dword ptr [ebp-090h] //dwSize = MemoryBasicInformation.RegionSize
push dword ptr [ebp-09Ch] //lpAddress = MemoryBasicInformation.BaseAddress
call [ebp-074h] //VirtualProtect
pop edi
jmp @DynLoader_export_fixup_next_idir
@DynLoader_export_fixup_next:
mov ebx,[ebx]
cmp ebx,[ebp-070h] //InLoadOrderModuleList.Flink ?= FirstModule
jnz @DynLoader_export_fixup_process_module
@DynLoader_run:
// int 3
mov eax,[ebp-01D0h] //NtHeaders.OptionalHeader.AddressOfEntryPoint
add eax,[ebp-00Ch] //NtHeaders.OptionalHeader.AddressOfEntryPoint + FileData = EntryPoint
@DynLoader_end:
mov ecx,[ebp-00Ch] //we need FileData
pop esi
pop edi
pop ebx
call @DestroyPE
leave
ret 00Ch
@DestroyPE:
pushad
mov ebx, [ebp+008h]
dec ebx
dec ebx
dec ebx
dec ebx
@CrazyLoop1:
inc ebx
cmp byte ptr[ebx], 4Dh
jnz @CrazyLoop1
cmp byte ptr[ebx+1], 5Ah
jnz @CrazyLoop1
mov edi, ebx
@CrazyLoop2:
inc edi
cmp byte ptr[edi], 4Bh
jnz @CrazyLoop2
cmp byte ptr[edi+1], 65h
jnz @CrazyLoop2
cmp byte ptr[edi+2], 52h
jnz @CrazyLoop2
cmp byte ptr[edi+3], 6Eh
jnz @CrazyLoop2
cmp byte ptr[edi+4], 45h
jnz @CrazyLoop2
cmp byte ptr[edi+5], 6Ch
jnz @CrazyLoop2
cmp byte ptr[edi+6], 33h
jnz @CrazyLoop2
cmp byte ptr[edi+7], 32h
jnz @CrazyLoop2
sub edi, ebx //Address Of KeRnEl32 - Address of File Start = Uncomplete File Size
sub edi, 80h
PUSH 0h //Fill With
PUSH EDI //Length
PUSH EBX //Destination
call @FillMemory
pop ebx
pop ebx
pop ebx
popad
ret
@FillMemory:
PUSH EBP
MOV EBP,ESP
PUSH ECX
PUSH EBX
PUSH ESI
PUSH EDI
MOV ESI,DWORD PTR SS:[EBP+08h]// -> Destination
MOV ECX,DWORD PTR SS:[EBP+0Ch]// -> Length
MOV EBX,DWORD PTR SS:[EBP+10h]// -> Fill
@memfill:
MOV BYTE PTR [ESI],BL
INC ESI
LOOP @memfill
POP EDI
POP ESI
POP EBX
POP ECX
MOV ESP,EBP
POP EBP
RETN
@DynLoader_fill_image_info:
//these values give info about our image, info is filled before DynLoader is put into
//final executable, we find their offset going from DynLoader_end searching for DYN_LOADER_END_MAGIC
mov [ebp-044h],012345678h //ImageType
mov [ebp-048h],012345678h //ImageSize
mov [ebp-04Ch],012345678h //ImageEntryPoint
mov [ebp-054h],012345678h //OrgImageSize
ret
dd DYN_LOADER_END_MAGIC
end;
procedure DynLoader_end; assembler; asm end;
procedure DynCoder(AAddr:Pointer;ASize:Cardinal;AKey:Pointer); assembler; stdcall;
//this one only smashes a memory a little bit using a key
asm
@Coder_begin:
push edi
push esi
@Coder_main_loop:
mov edi,[ebp+008h] //AAddr
mov ecx,[ebp+00Ch] //ASize
shr ecx,002h
@Coder_pre_code:
mov esi,[ebp+010h] //AKey
@Coder_code:
mov eax,[esi]
test eax,0FF000000h
jz @Coder_pre_code
@Coder_do_code:
add eax,ecx
xor eax,[edi] //smash it
stosd //store it
inc esi
loop @Coder_code
@Coder_end:
pop esi
pop edi
leave
ret 00Ch
end;
procedure ProtectImportTable(Source, Size:Integer);
var MemStr:TMemoryStream;
I,I1:Integer;
IStart,ISize:Integer;
dosh:PIMAGE_DOS_HEADER;
peh:PIMAGE_NT_HEADERS;
sectionh:PIMAGE_SECTION_HEADER;
Buff:array[0..4] of Char;
Buff2:array[0..2] of Char;
begin
WriteLn('Protecting our Import Table !');
MemStr.SetSize(Size);
CopyMemory(MemStr.Memory, Pointer(Source), Size);
//
dosh := PIMAGE_DOS_HEADER(MemStr.Memory);
peh:= PIMAGE_NT_HEADERS(Longword(dosh) + Longword(dosh.e_lfanew));
sectionh:=PIMAGE_SECTION_HEADER(peh);
if (dosh.e_magic <> IMAGE_DOS_SIGNATURE) or (peh.Signature <> IMAGE_NT_SIGNATURE) then
begin
WriteLn('Invalid PE File ...');
MemStr.Clear;
MemStr.Free;
exit;
end;
inc(PIMAGE_NT_HEADERS(sectionh));
for I := 1 to peh.FileHeader.NumberOfSections do
begin
if (sectionh.Name[0] <> '.') and (sectionh.Name[1] <> 'i') and (sectionh.Name[2] <> 'd') and (sectionh.Name[3] <> 'a') and (sectionh.Name[4] <> 't') and (sectionh.Name[5] <> 'a') then inc(sectionh)
end;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -