发一个自己写的简单的加密壳加壳程序代码
写的有点乱,大神请绕道#include<stdio.h>#include<Windows.h>
#define TOBYTE(X) ((BYTE*)X)
typedef struct
{
union OD_OR_NAME
{
CHAR* Name;
WORD Od;
};
}EXP_FUN_NAME;
typedef enum
{
NameFlag = 0x1,
OrderFlag = 0x2,
}EXP_FUN_MODE;
#pragma code_seg(".core")
DWORD _declspec(naked) WINAPI GetCurrentFunAddress()
{
__asm
{
mov eax, dword ptr ss : ;
ret;
}
}
DWORD _declspec(naked)Get32BitNtdllBase()
{
__asm
{
push ebp;
mov ebp, esp;
sub esp, 0x80;
mov dword ptr ds : , ecx;
mov dword ptr ds : , edx;
mov dword ptr ds : , ebx;
mov dword ptr ds : , esi;
mov dword ptr ds : , edi;
mov eax, fs: ;
mov eax, dword ptr ds:;
add eax, 0xc;
mov ecx, eax;
mov dword ptr ss : , ecx;
sub_6:
mov ecx, dword ptr ss : ;
mov esi, dword ptr ds : ;
cmp esi, ecx;
jz sub_4;
mov dword ptr ss : , esi;
mov ebx, dword ptr ds : ;
mov dword ptr ss : , ebx;//保存模块的DLLbase
lea ebx, dword ptr es : ;
mov eax, dword ptr ds : ;//HWORD(EAX)为dllname的最大长度,LOWORD(EAX)为dllname长度
mov dword ptr ss:, eax;
mov esi, dword ptr ds : ;//esi为dllname
call GetCurrentFunAddress;
add eax, 0x76;
//add eax, 0xab;
mov edi, eax;
//lea edi, dword ptr;
mov eax, dword ptr ss : ;
shr eax, 0x10;
mov cx, ax;
cmp cx, 0;
jz sub_4;
mov edx, edi;
sub_3:
mov bx, word ptr es : ;
//_emit 0x66;
cmp bx, word ptr es : ;
jnz sub_5;
add edi, 0x2;
add esi, 0x2;
sub cx, 0x2;
cmp cx, 0;
jnz sub_3;
mov eax, dword ptr ss : ;
mov edx, dword ptr ds : ;
mov dx, word ptr ds : ;
cmp dx, 0x8664;
jz sub_5;
mov eax, dword ptr ss : ;
sub_2:
mov edi, dword ptr ds : ;
mov esi, dword ptr ds : ;
mov ebx, dword ptr ds : ;
mov edx, dword ptr ds : ;
mov ecx, dword ptr ds : ;
mov esp, ebp;
pop ebp;
ret;
sub_4:
mov eax, 0;
jmp sub_2;
sub_5:
mov eax, dword ptr ss : ;
jmp sub_6;
sub_1:
_emit 0x6e;
_emit 0x00;
_emit 0x74;
_emit 0x00;
_emit 0x64;
_emit 0x00;
_emit 0x6c;
_emit 0x00;
_emit 0x6c;
_emit 0x00;
_emit 0x2e;
_emit 0x00;
_emit 0x64;
_emit 0x00;
_emit 0x6c;
_emit 0x00;
_emit 0x6c;
_emit 0x00;
_emit 0x00;
_emit 0x00;
}
}
int _declspec(naked) WINAPI mystrcmp(char* str1, char* str2)
{
__asm
{
push ebp;
mov ebp, esp;
sub esp, 0x80;
push esi;
push edi;
mov dword ptr ss : , 0xffffffff;
mov esi, ss: ;
dec esi;
sub_1:
inc dword ptr ss : ;
inc esi;
xor cl, cl;
cmp cl,byte ptr es : ;
jnz sub_1;
mov esi, ss: ;
mov dword ptr ss : , 0xffffffff;
dec esi;
sub_2:
inc dword ptr ss : ;
inc esi;
xor cl, cl;
cmp cl, byte ptr es : ;
jnz sub_2;
mov eax, dword ptr ss : ;
cmp eax, dword ptr ss : ;
jnz sub_3;
mov word ptr ss: , ax;
mov esi, ss : ;
mov edi, ss : ;
sub_5:
mov cl, byte ptr es : ;
cmp cl, byte ptr es : ;
jnz sub_3;
inc esi;
inc edi;
dec word ptr ss:;
cmp word ptr ss:, 0;
jz sub_4;
jmp sub_5;
sub_4:
mov eax, 0;
sub_6:
pop edi;
pop esi;
mov esp, ebp;
pop ebp;
ret 0X8;
sub_3:
mov eax, 1;
jmp sub_6;
_emit 0x88;
_emit 0x88;
_emit 0x88;
_emit 0x88;
}
}
PVOID_declspec(naked) WINAPI GetFunAddrOfModuleAsm(PVOID pModule, EXP_FUN_NAME unFuntionName, EXP_FUN_MODE eMode)
{
_asm
{
push ebp;
mov ebp, esp;
sub esp,0x144;
push ebx;
push esi;
push edi;
lea edi, dword ptr ss : ;
mov ecx, 0x51;
mov eax, 0xcccccccc;
rep stosd;
mov dword ptr ss : , 0;
mov dword ptr ss : , 0;
mov dword ptr ss : , 0;
mov eax, dword ptr ss : ;
mov dword ptr ss : , eax;
mov eax, dword ptr ss : ;
mov ecx, dword ptr ds : ;
mov edx, dword ptr ss : ;
lea eax, dword ptr ds : ;
mov dword ptr ss : , eax;
mov eax, dword ptr ss : ;
add eax, 0x14;
mov dword ptr ss : , eax;
mov eax, 0x8;
imul ecx, eax, 0;
mov edx, dword ptr ss : ;
lea eax, dword ptr ss : ;
mov dword ptr ss : , eax;
mov eax, dword ptr ss : ;
mov ecx, dword ptr ss : ;
add ecx, dword ptr ds : ;
mov dword ptr ss : , ecx;
mov eax, dword ptr ss : ;
mov ecx, dword ptr ss : ;
add ecx, dword ptr ds : ;
mov dword ptr ss : , ecx;
mov eax, dword ptr ss : ;
mov ecx, dword ptr ss : ;
add ecx, dword ptr ds : ;
mov dword ptr ss : , ecx;
mov eax, dword ptr ss : ;
mov ecx, dword ptr ss : ;
add ecx, dword ptr ds : ;
mov dword ptr ss : , ecx;
mov dword ptr ss : , 0x0;
cmp dword ptr ss : , 0x1;
jne sub_1;
mov dword ptr ss : , 0x0;
jmp sub_2;
sub_5:
mov eax, dword ptr ss : ;
add eax, 0x1;
mov dword ptr ss : , eax;
sub_2:
mov eax, dword ptr ss : ;
mov ecx, dword ptr ss : ;
cmp ecx, dword ptr ds : ;
jge sub_3;
mov eax, dword ptr ss : ;
mov ecx, dword ptr ss : ;
mov edx, dword ptr ss : ;
add edx, dword ptr ds : ;
mov dword ptr ss : , edx;
mov eax, dword ptr ss : ;
push eax;
mov ecx, dword ptr ss : ;
push ecx;
call mystrcmp;
test eax, eax;
jne sub_4;
jmp sub_3;
sub_4:
jmp sub_5;
sub_3:
mov eax, dword ptr ss : ;
mov ecx, dword ptr ss : ;
movzx edx, word ptr ds : ;
mov eax, dword ptr ss : ;
mov ecx, dword ptr ss : ;
add ecx, dword ptr ds : ;
mov dword ptr ss : , ecx;
jmp sub_6;
sub_1:
movzx eax, word ptr ss : ;
mov ecx, dword ptr ss : ;
sub eax, dword ptr ds : ;
mov edx, dword ptr ss : ;
mov ecx, dword ptr ss : ;
add ecx, dword ptr ds : ;
mov dword ptr ss : , ecx;
sub_6:
mov eax, dword ptr ss : ;
pop edi;
pop esi;
pop ebx;
//add esp, 0x144;
mov esp, ebp;
pop ebp;
ret 0xc;
}
}
DWORD _declspec(naked) WINAPI GetMainModuleBase()
{
__asm
{
push ebp;
mov ebp, esp;
sub esp, 0x10;
mov eax, fs: ;
mov eax, dword ptr ds : ;
mov esp, ebp;
pop ebp;
ret;
}
}
DWORD _declspec(naked) WINAPI FixShellRelocal(DWORD sReacalRva)
{
_asm
{
push ebp;
mov ebp, esp;
sub esp, 0x80;
push ebx;
push edx;
push edi;
call GetMainModuleBase;
mov dword ptr ss : , eax;//newimagebase
add eax, 0x3c;
mov ecx, dword ptr ds : ;
mov eax, dword ptr ss : ;
add eax, ecx;
add eax, 0x34;
mov eax, dword ptr ds : ;
mov dword ptr ss : , 0x400000;//oldimagebase
mov eax, dword ptr ss : ;
add eax, dword ptr ds : ;
mov dword ptr ss : , eax;
sub_4:
mov eax, dword ptr ss : ;
mov ebx, dword ptr ds : ;
mov edx, dword ptr ds : ;
cmp ebx, 0;
jz sub_5;
mov dword ptr ss : , ebx;//VirtualAddress
mov dword ptr ss : , edx;//block
mov eax, edx;
sub eax, 0x8;
mov dl, 0x2;
div dl;
xor ebx, ebx;
mov bl, al;
mov dword ptr ss : , ebx;//重定位位置个数
mov dword ptr ss : , 0;
sub_2:
mov ecx, dword ptr ss : ;
cmp ecx, dword ptr ss : ;
jge sub_1;
mov edi, dword ptr ss : ;
lea edi, dword ptr es : ;
mov ax, word ptr es : ;
test ax, 0x3000;
jz sub_3;
and eax, 0xfff;
add eax, dword ptr ss : ;
add eax, dword ptr ss : ;
mov dword ptr ss : , eax;//要重定位的目标地址
mov ebx, dword ptr ds : ;
sub ebx, dword ptr ss : ;
add ebx, dword ptr ss : ;
mov edx, dword ptr ss : ;
mov dword ptr ds : ,ebx;
sub_3:
inc ecx;
mov dword ptr ss : , ecx;
jmp sub_2;
sub_1:
mov edx, dword ptr ss : ;
mov eax, dword ptr ss : ;
add edx, eax;
mov dword ptr ss : , edx;
jmp sub_4;
sub_5:
pop edi;
pop edx;
pop ebx;
mov esp, ebp;
pop ebp;
ret 0x4;
}
}
VOID _declspec(naked) WINAPI DeCode(PVOID pBuff, SIZE_T sSize)
{
__asm
{
push ebp;
mov ebp, esp;
sub esp, 0x50;
push edi;
push edx;
mov eax, dword ptr ss : ;
mov dword ptr ss : , eax;
mov edi, dword ptr ss : ;
dec dword ptr ss : ;
sub_2:
mov ecx, dword ptr ss: ;
cmp ecx, 0;
jl sub_1;
mov dl, byte ptr es : ;
and edx, 0xff;
cmp ecx, 0;
jnz sub_3;
xor dl, 0x50;
jmp sub_4;
sub_3:
mov eax, ecx;
dec eax;
xor dl, cl;
xor dl, byte ptr es : ;
sub_4:
mov byte ptr es : , dl;
dec ecx;
mov dword ptr ss : , ecx;
jmp sub_2;
sub_1:
pop edx;
pop edi;
mov esp, ebp;
pop ebp;
ret 0x8;
}
}
VOID _declspec(naked)WINAPI ShellEntry()
{
_asm
{
pushad;
pushfd;
push ebp;
mov ebp, esp;
sub esp, 0x100;
mov dword ptr ss : , 0;
call Get32BitNtdllBase;
mov dword ptr ss : , eax;//ntdll.dll的BASE
mov dword ptr ss : , 0;
mov dword ptr ss : , 0;
xor eax, eax;
mov ecx, eax;
mov ax, 0x14;
mov cx, 0x16;
shl ecx, 0x10;
or eax, ecx;
mov dword ptr ss : , eax;
//lea eax, dword ptr ds : ;
call GetCurrentFunAddress;
add eax, 0x15d;
mov dword ptr ss : , eax;
lea eax, dword ptr ss : ;
mov dword ptr ss : , eax;//user32.dll字符串指针
push 0x1;
//lea eax, dword ptr ds : ;
call GetCurrentFunAddress;
add eax, 0x13a;
push eax;
mov eax, dword ptr ss : ;
push eax;
call GetFunAddrOfModuleAsm;
mov dword ptr ss : , eax;//LdrLoadDll地址
mov dword ptr ss : , 0;//LdrLoadDll返回的模块基址
lea eax, dword ptr ss : ;
push eax;
mov eax, dword ptr ss : ;
push eax;
push 0;
push 0;
mov ecx, dword ptr ss : ;
call ecx;
push 0x1;
//lea eax, dword ptr ds : ;
call GetCurrentFunAddress;
add eax, 0x124;
push eax;
mov eax, dword ptr ss : ;
push eax;
call GetFunAddrOfModuleAsm;
mov dword ptr ss : , eax;//MessageBoxA地址
push 6;
push 0;
push 0;
push 0;
call eax;
push 0x1;
call GetCurrentFunAddress;
add eax, 0x10b;
push eax;
push dword ptr ss : ;
call GetFunAddrOfModuleAsm;
mov dword ptr ss : ,eax;//ZwProtectMemory
mov dword ptr ss : , 0;
lea eax, dword ptr ss : ;//oldprotect
push eax;
push PAGE_EXECUTE_READWRITE;
mov dword ptr ss : , 0x2000;
lea eax, dword ptr ss : ;
push eax;
call GetMainModuleBase;
mov dword ptr ss : , eax;
add eax, 0x1000;
mov dword ptr ss : , eax;
lea eax,dword ptr ss : ;
push eax;
push 0xffffffff;
mov eax, dword ptr ss: ;
call eax;
mov eax, dword ptr ss : ;
mov ecx, dword ptr ds : ;
lea eax, dword ptr ds : ;
mov dword ptr ss : , eax;//pfileheader
mov dx, word ptr ds : ;
and edx, 0xffff;
add edx, dword ptr ss : ;
add edx, 0x14;
mov eax, dword ptr ds : ;
push eax;
mov eax, dword ptr ds : ;//节RVA
add eax, dword ptr ss : ;
push eax;
call DeCode;
mov eax, dword ptr ss : ;
cmp eax, 0x400000;
jz sub_4;
mov eax, dword ptr ss : ;
mov eax, dword ptr ds : ;
push eax;
call FixShellRelocal;
mov dword ptr ss : , 0;
lea eax, dword ptr ss : ;//oldprotect
push eax;
push PAGE_EXECUTE_READ;
lea eax, dword ptr ss : ;
push eax;
lea eax, dword ptr ss : ;
push eax;
push 0xffffffff;
mov eax, dword ptr ss : ;
call eax;
mov eax, dword ptr ds : ;
push 0x4;
push 0;
push 0;
push 0;
call eax;
sub_4:
mov esp, ebp;
pop ebp;
popfd;
popad;
call GetMainModuleBase;
addeax, 0x22e4;
call eax;
ret;
sub_1:
_emit 0x4c;
_emit 0x64;
_emit 0x72;
_emit 0x4c;
_emit 0x6f;
_emit 0x61;
_emit 0x64;
_emit 0x44;
_emit 0x6c;
_emit 0x6c;
_emit 0x00;
sub_2:
_emit 0x75;
_emit 0x00;
_emit 0x73;
_emit 0x00;
_emit 0x65;
_emit 0x00;
_emit 0x72;
_emit 0x00;
_emit 0x33;
_emit 0x00;
_emit 0x32;
_emit 0x00;
_emit 0x2e;
_emit 0x00;
_emit 0x64;
_emit 0x00;
_emit 0x6c;
_emit 0x00;
_emit 0x6c;
_emit 0x00;
_emit 0x00;
_emit 0x00;
sub_3:
_emit 0x4d;
_emit 0x65;
_emit 0x73;
_emit 0x73;
_emit 0x61;
_emit 0x67;
_emit 0x65;
_emit 0x42;
_emit 0x6f;
_emit 0x78;
_emit 0x41;
_emit 0x00;
sub_6:
_emit 0x5a;
_emit 0x77;
_emit 0x50;
_emit 0x72;
_emit 0x6f;
_emit 0x74;
_emit 0x65;
_emit 0x63;
_emit 0x74;
_emit 0x56;
_emit 0x69;
_emit 0x72;
_emit 0x74;
_emit 0x75;
_emit 0x61;
_emit 0x6c;
_emit 0x4d;
_emit 0x65;
_emit 0x6d;
_emit 0x6f;
_emit 0x72;
_emit 0x79;
_emit 0x00;
}
}
#pragma code_seg(".text")
DWORD dTargetFileSize;
PIMAGE_SECTION_HEADER pShellCodeSection;
PIMAGE_SECTION_HEADER pEncodeHandleSection;
//PVOID pTargetEncodeSection;
//DWORD dTargetEncodeSectionSize;
VOID Encode(UCHAR* bytearr, LONG size)
{
for (int i = 0; i < size; ++i)
{
if (i == 0)
{
bytearr = bytearr ^ 0x50;
}
else
{
bytearr = bytearr ^ bytearr;
bytearr = bytearr ^ i;
}
}
return;
}
PVOID CreateFileBuff(CHAR* path)
{
DWORD dHighDword;
HANDLE hFile = CreateFileA(path, GENERIC_READ | GENERIC_WRITE | DELETE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == 0)
{
return NULL;
}
DWORD size = GetFileSize(hFile, &dHighDword);
dTargetFileSize = size;
PVOID pFileBuff = VirtualAlloc(NULL,size+0x9000, MEM_COMMIT, PAGE_READWRITE);
if (pFileBuff == NULL)
{
return NULL;
}
ZeroMemory(pFileBuff, size + 0x9000);
if (!ReadFile(hFile, pFileBuff, size, NULL, NULL))
{
VirtualFree(pFileBuff, size+0x9000, MEM_DECOMMIT);
return NULL;
}
CloseHandle(hFile);
return pFileBuff;
}
BOOL WriteBuffToDisk(CHAR* path,PVOID pBuff, DWORD dSize)
{
BOOL ret = FALSE;
HANDLE hFile = CreateFileA(path, GENERIC_READ | GENERIC_WRITE | DELETE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == 0)
{
return ret;
}
if (!WriteFile(hFile, pBuff, dSize, NULL, NULL))
{
return ret;
}
CloseHandle(hFile);
return TRUE;
}
PVOID GetShellCodeSection()
{
PVOID ret = NULL;
HMODULE hModule = GetModuleHandle(NULL);
BYTE chSectionName[] = {0x2e,0x63,0x6f,0x72,0x65,0x00,0x00,0x00};
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule;
PIMAGE_FILE_HEADER pFileHeader = pDosHeader->e_lfanew + (LONG)pDosHeader+4;
PIMAGE_OPTIONAL_HEADER32 pOptionaleHeader = pFileHeader + 1;
PIMAGE_SECTION_HEADER pSection = (DWORD)pOptionaleHeader + pFileHeader->SizeOfOptionalHeader;
for (int i = 0; i < pFileHeader->NumberOfSections; ++i)
{
if (strcmp(&(pSection.Name), chSectionName) == 0)
{
ret = &pSection;
break;
}
}
return ret;
}
VOID GetTargtFileBuffCodeSection(PVOID pFileBuff)
{
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuff;
PIMAGE_FILE_HEADER pFileHeader = pDosHeader->e_lfanew + (LONG)pDosHeader+4;
PIMAGE_OPTIONAL_HEADER32 pOptionaleHeader = pFileHeader + 1;
PIMAGE_SECTION_HEADER pSection = (DWORD)pOptionaleHeader + pFileHeader->SizeOfOptionalHeader;
for (int i = 0; i < pFileHeader->NumberOfSections; ++i)
{
if ((pSection.Characteristics & 0x60000000) != 0)
{
pEncodeHandleSection = &pSection;
// pSection.Characteristics |= 0x80000000;
break;
}
}
return;
}
VOID AddSection(PVOID pFileBuff,DWORD dWritePosOffset, DWORD dOffset)
{
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuff;
PIMAGE_FILE_HEADER pFileHeader = pDosHeader->e_lfanew + (LONG)pDosHeader+4;
PIMAGE_OPTIONAL_HEADER32 pOptionaleHeader = pFileHeader + 1;
PIMAGE_SECTION_HEADER pSection = (DWORD)pOptionaleHeader + pFileHeader->SizeOfOptionalHeader;
PIMAGE_SECTION_HEADER pLastSection = &(pSection);
DWORD dWritePos = (DWORD)pFileBuff + dWritePosOffset+dOffset;
DWORD dStratCopyPos = (DWORD)(pShellCodeSection->VirtualAddress) + (DWORD)GetModuleHandle(NULL);
int j = 0;
memcpy(dWritePos, dStratCopyPos, pShellCodeSection->SizeOfRawData);
pLastSection->SizeOfRawData = pLastSection->SizeOfRawData + dOffset + pShellCodeSection->SizeOfRawData;
pLastSection->Misc.VirtualSize = pLastSection->SizeOfRawData;
pLastSection->Characteristics |= 0x60000000;
if (pLastSection->Misc.VirtualSize % 0X1000 == 0)
{
pOptionaleHeader->SizeOfImage = pLastSection->VirtualAddress + pLastSection->Misc.VirtualSize;
}
else
{
pOptionaleHeader->SizeOfImage = pLastSection->VirtualAddress + (pLastSection->Misc.VirtualSize & 0xfffff000) + 0x1000;
}
return;
}
PVOID GetRelocalTableHeader(PVOID pFileBuff)
{
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuff;
PIMAGE_FILE_HEADER pFileHeader = pDosHeader->e_lfanew + (LONG)pDosHeader + 4;
PIMAGE_OPTIONAL_HEADER32 pOptionaleHeader = pFileHeader + 1;
PIMAGE_SECTION_HEADER pSection = (DWORD)pOptionaleHeader + pFileHeader->SizeOfOptionalHeader;
int iSectionNum = pFileHeader->NumberOfSections;
DWORD dRelocaBaseRva = pOptionaleHeader->DataDirectory.VirtualAddress;
if (dRelocaBaseRva==0)
{
return NULL;
}
for (int i = 0; i < iSectionNum; ++i)
{
if (pSection.VirtualAddress == dRelocaBaseRva)
{
return pSection.PointerToRawData+(DWORD)pFileBuff;
}
}
return NULL;
}
BOOL IsMoveRelocaData(PIMAGE_BASE_RELOCATION pRelocaTable, PIMAGE_SECTION_HEADER pEncodeSec)
{
DWORD dSectionRealVirtualSize = 0;
BOOL ret = FALSE;
if (pEncodeSec->Misc.VirtualSize % 0x1000 == 0)
{
dSectionRealVirtualSize = pEncodeSec->Misc.VirtualSize;
}
else
{
dSectionRealVirtualSize = (pEncodeSec->Misc.VirtualSize & 0xfffff000) + 0x1000;
}
if ((pRelocaTable->VirtualAddress >= pEncodeSec->VirtualAddress) && (pRelocaTable->VirtualAddress < (pEncodeSec->VirtualAddress + dSectionRealVirtualSize)))
{
ret = TRUE;
}
return ret;
}
PVOID GetMoveRelocaPotin(PVOID pRealocTableHeader, PIMAGE_SECTION_HEADER pEncodeSec)
{
PIMAGE_BASE_RELOCATION pRelocTable = pRealocTableHeader;
PVOID ret = NULL;
while ((pRelocTable->VirtualAddress != 0) && (pRelocTable->SizeOfBlock != 0))
{
if (pRelocTable->VirtualAddress >= pEncodeSec->VirtualAddress)
{
ret = pRelocTable;
break;
}
pRelocTable = pRelocTable->SizeOfBlock + (DWORD)pRelocTable;
}
return ret;
}
DWORD MoveRelocaDataOfEndcodeSection(PVOID pFileBuff, PIMAGE_SECTION_HEADER pEncodeSec, DWORD dReloctableNewLocal)
{
PVOID pRelocBasePoint = GetRelocalTableHeader(pFileBuff);
PIMAGE_BASE_RELOCATION pTemp = pRelocBasePoint;
DWORD dMoveBlockSize = 0;
PVOID pMovePoint=NULL;
DWORD dSconMovePotin = 0;
DWORD dSconMoveSize = 0;
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuff;
PIMAGE_FILE_HEADER pFileHeader = pDosHeader->e_lfanew + (LONG)pDosHeader + 4;
PIMAGE_OPTIONAL_HEADER32 pOptionaleHeader = pFileHeader + 1;
PIMAGE_SECTION_HEADER pSection = (DWORD)pOptionaleHeader + pFileHeader->SizeOfOptionalHeader;
if (pRelocBasePoint == 0)
{
MessageBox(0, TEXT("无重定位,加壳失败"), 0, 0);
return 0;
}
while ((pTemp->VirtualAddress != 0) && (pTemp->SizeOfBlock != 0))
{
if (IsMoveRelocaData(pTemp, pEncodeSec))
{
dMoveBlockSize += pTemp->SizeOfBlock;
}
pTemp = (DWORD)pTemp + pTemp->SizeOfBlock;
}
pMovePoint = GetMoveRelocaPotin(pRelocBasePoint, pEncodeSec);
dSconMoveSize = (DWORD)pMovePoint - (DWORD)pRelocBasePoint;
dSconMovePotin = ((DWORD)pMovePoint + dMoveBlockSize) - dSconMoveSize;
memcpy((DWORD)dReloctableNewLocal, pMovePoint, dMoveBlockSize);
memset((DWORD)pMovePoint, 0, dMoveBlockSize);
memcpy((PVOID)dSconMovePotin, pRelocBasePoint, dSconMoveSize);
pOptionaleHeader->DataDirectory.VirtualAddress += dMoveBlockSize;
pOptionaleHeader->DataDirectory.Size -= dMoveBlockSize;
dSconMoveSize = (DWORD)pFileHeader->NumberOfSections;
dSconMovePotin = pSection.VirtualAddress + pSection.SizeOfRawData;
*(DWORD*)(((DWORD)pFileBuff) + 0x40) = dSconMovePotin;
if (dMoveBlockSize % 0X200 == 0)
{
return dMoveBlockSize;
}
else
{
return (dMoveBlockSize & 0XFFFFFF00) + 0x200;
}
return 0;
}
VOID ChangeOEP(PVOID pFileBuff,PVOID pOrigeExcutePoint,DWORD dShellcodeStart)
{
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFileBuff;
PIMAGE_FILE_HEADER pFileHeader = pDosHeader->e_lfanew + (LONG)pDosHeader+4;
PIMAGE_OPTIONAL_HEADER32 pOptionaleHeader = pFileHeader + 1;
PIMAGE_SECTION_HEADER pSection = (DWORD)pOptionaleHeader + pFileHeader->SizeOfOptionalHeader;
DWORD dOldOEPrva = pOptionaleHeader->AddressOfEntryPoint;
DWORD dOEPfoa = (DWORD)pOrigeExcutePoint - ((DWORD)(pShellCodeSection->VirtualAddress) + (DWORD)GetModuleHandle(NULL)) + dShellcodeStart;
int SecNum = pFileHeader->NumberOfSections;
pOptionaleHeader->AddressOfEntryPoint = dOEPfoa-pSection.PointerToRawData+pSection.VirtualAddress;
*(DWORD*)((DWORD)pFileBuff+dOEPfoa + 0X191) = dOldOEPrva;
return;
}
typedef struct
{
USHORT length;
USHORT MaxLenth;
PWCHAR Buffer;
}MYUNICODE_STRING, * PMYUNICODE_STRING;
typedef NTSTATUS(WINAPI*MYLOAD)(PWSTR,ULONG, PMYUNICODE_STRING,PHANDLE);
typedef DWORD(WINAPI* MYMEG)(HINSTANCE, LPSTR, LPSTR, DWORD);
int main()
{
CHAR* path = "C:\\Users\\YH\\Desktop\\子窗口.exe";
CHAR* outpath = "C:\\Users\\YH\\Desktop\\SH子窗口.exe";
DWORD dMoveSize = 0;
DWORD dShellcodeStart;
PVOID pFileBuff = CreateFileBuff(path);
if (pFileBuff==NULL)
{
return 0;
}
GetTargtFileBuffCodeSection(pFileBuff);
dMoveSize = MoveRelocaDataOfEndcodeSection(pFileBuff, pEncodeHandleSection, (DWORD)pFileBuff + dTargetFileSize);
dShellcodeStart = dMoveSize + dTargetFileSize;
pShellCodeSection = GetShellCodeSection();
AddSection(pFileBuff, dTargetFileSize, dMoveSize);
Encode(pEncodeHandleSection->PointerToRawData + (DWORD)pFileBuff, pEncodeHandleSection->SizeOfRawData);
ChangeOEP(pFileBuff,ShellEntry, dShellcodeStart);
WriteBuffToDisk(outpath, pFileBuff, dTargetFileSize + dMoveSize + pShellCodeSection->SizeOfRawData);
VirtualFree(pFileBuff, dTargetFileSize + 0x9000, MEM_DECOMMIT);
system("pause");
return 0;
} 厉害了,我的哥,看着这些指令,头皮麻啊 哈哈,这还不算大佬么{:1_896:}
反正比我这种脚本小子强多了 太厉害了老哥 这代码那么多没注释吗?? 嗯,学习了 超厉害!!!! 怎么才能学会看懂代码 很牛了,几年了 大佬你月薪不得40k起步?
页:
[1]
2