【原创】简单加壳源代码
加壳器
.386
.model flat,stdcall
option casemap:none
assume fs:nothing
;-----------------------------------------------------------------------
; Packer ("加壳器") — MASM, Intel syntax, flat model, stdcall, 32-bit.
; Written shellcode-style: no import table is used. kernel32's base is
; taken from the loader data, GetProcAddress is located by walking its
; export table, and every other API is resolved through it at runtime.
; Resolved addresses and working state live in a scratch area whose base
; GetGlobal returns (a page-aligned address plus 800h); the [+N] offsets
; below are relative to that base. That area appears to be the code page
; itself, so the code section has to be writable for this to work.
; NOTE(review): in this listing the bracketed memory operands (fs:[...],
; [edi+N], [esi], ...) were lost in extraction — lines such as
; `mov ebx,fs:` and `mov ,edx` are incomplete as shown. The slot comments
; are the only remaining record of which offset each instruction touches.
;-----------------------------------------------------------------------
;[+0] this module's instance handle
;[+4] kernel32.dll module base
;[+8] GetProcAddress function address
;[+0Ch] LoadLibraryA function address
;[+10h] user32.dll module base
;[+14h] ClassName ("ABC")
;[+18h]~[+3Ch] WNDCLASSA structure
;[+40h] RegisterClassA function address
;[+44h] DefWindowProcA function address
;[+48h] CreateWindowExA function address
;[+4Ch] GetMessageA function address
;[+50h] DispatchMessageA function address
;[+54h]~[+70h] MSG structure
;[+74h] window handle
;[+78h] TranslateMessage function address
;[+7Ch] PostQuitMessage function address
;[+80h] file path string (pointer into the WM_DROPFILES data)
;[+84h] SetWindowTextW function address
;[+88h] GetWindowTextA function address (resolved but not used below)
;[+8Ch] CreateFileW function address
;[+90h] GetFileSize function address
;[+94h] file handle 1 (the dropped file)
;[+98h] size of file 1 (also reused as the ReadFile byte-count slot)
;[+9Ch] HeapCreate function address
;[+0A0h] HeapAlloc function address
;[+0A4h] HeapFree function address (resolved but not used below)
;[+0A8h] hHeap handle
;[+0ACh] address of the allocated heap block (file 1 image)
;[+0B0h] ReadFile function address
;[+0B4h] WriteFile function address
;[+0B8h] CloseHandle function address
;[+0BCh] file handle 2
;[+0C0h] stub ("shell") file handle
;[+0C4h] SetFilePointer function address (resolved but not used below)
;[+0C8h] original OEP
;[+0CCh] new OEP
;[+0D0h] password (dword: up to 3 characters + NUL)
;[+0D4h] GetDlgItemTextA function address
.code
;-----------------------------------------------------------------------
; main — packer entry point.
; 1. Locates this image's base and kernel32's base from the loader data
;    (PEB walk; operands lost in extraction), finds GetProcAddress by
;    scanning kernel32's export name table, resolves LoadLibraryA and
;    loads user32.dll.
; 2. Fills a WNDCLASSA, resolves every API the UI and the file work need
;    (each address is stored in its [+N] slot), creates the main window
;    (drop-target, accepts files) and its controls via CreateControl.
; 3. Runs a GetMessage/TranslateMessage/DispatchMessage loop until
;    WM_QUIT, then returns to the loader.
; Register use: edi = scratch base (from GetGlobal), ebx = kernel32 base,
; esi = GetProcAddress. Being the entry point, it does not preserve the
; callee-saved registers. No API return value is checked.
;-----------------------------------------------------------------------
main:
push ebp
mov ebp,esp
call GetGlobal ; eax = scratch-area base
mov edi,eax ; edi = scratch base for the rest of main (WndProc overwrites it, so MsgLoop re-derives it)
;----------------------------------------------------
mov ebx,fs: ; TEB-relative load (operand lost) — start of the PEB/loader-list walk
mov ebx,
mov ebx,
mov edx, ; presumably the first loader entry's base = this image
mov ,edx ;[+0] save this module's instance handle
mov ebx,
mov ebx,
mov ebx,
mov ,ebx ;[+4] save kernel32.dll module base (ebx keeps it for the export walk below)
mov eax, ; e_lfanew: file offset of the NT headers
add eax,ebx ; offset => VA
mov eax, ; export directory RVA
add eax,ebx ; RVA => VA
mov edx, ; name table (AddressOfNames) RVA
add edx,ebx ; RVA => VA
xor ecx,ecx ; ecx = name index, starting at 0
MyLoop:
mov esi, ; RVA of the ecx-th exported name
add esi,ebx ; RVA => VA
inc ecx ; ecx++ (pre-incremented; corrected after the match)
cmp byte ptr,'G' ; heuristic match on three characters of "GetProcAddress" (ZF=1 when equal)
jnz MyLoop ; not equal (ZF=0) => next name
cmp byte ptr,'P'
jnz MyLoop
cmp byte ptr,'A'
jnz MyLoop
dec ecx ; ecx-- : the real (zero-based) name index
mov edx, ; ordinal table (AddressOfNameOrdinals) RVA
add edx,ebx ; RVA => VA
mov cx,; cx = ordinal (word) for that name = index into the address table
mov edx, ; address table (AddressOfFunctions) RVA
add edx,ebx ; RVA => VA
mov esi, ; function RVA
add esi,ebx ; RVA => VA
mov ,esi ;[+8] save GetProcAddress address (esi keeps it for all the calls below)
call PushStr1 ; call pushes the address of the string that follows = lpProcName
db "LoadLibraryA",0 ; arg 2: name of the function to resolve
PushStr1:
push ebx ; arg 1: kernel32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+0Ch] save LoadLibraryA address
call PushStr2 ; push the address of the string below
db "user32.dll",0 ; arg 1: DLL to load
PushStr2:
call eax ; LoadLibraryA
mov ,eax ;[+10h] save user32.dll module base
mov dword ptr,434241h ;[+14h] ClassName "ABC" (bytes 41 42 43 00)
mov dword ptr,0 ; WNDCLASSA.style
mov edx,WndProc-main ; WndProc's offset from the entry point
add edx,edi
sub edx,800h ; edi-800h is the page base GetGlobal started from; assumes main begins at that page
mov dword ptr,edx ; lpfnWndProc
mov dword ptr,0 ; cbClsExtra
mov dword ptr,0 ; cbWndExtra
mov edx, ; instance handle from [+0]
mov dword ptr,edx ; hInstance
mov dword ptr,0 ; hIcon
mov dword ptr,0 ; hCursor
mov dword ptr,0 ; hbrBackground
mov dword ptr,0 ; lpszMenuName
lea edx, ; address of the class-name string
mov dword ptr,edx ; lpszClassName
call PushStr3 ; push the address of the string below
db "RegisterClassA",0 ; arg 2: function name
PushStr3:
push ; arg 1: user32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+40h] save RegisterClassA address
lea edx, ; address of the WNDCLASSA structure
push edx ; arg 1: &WNDCLASSA
call eax ; RegisterClassA (return value not checked)
call PushStr4 ; push the address of the string below
db "DefWindowProcA",0 ; arg 2: function name
PushStr4:
push ; arg 1: user32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+44h] save DefWindowProcA address
call PushStr9 ; push the address of the string below
db "PostQuitMessage",0; arg 2: function name
PushStr9:
push ; arg 1: user32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+7Ch] save PostQuitMessage address
call PushStr20 ; push the address of the string below
db "SetWindowTextW",0 ; arg 2: function name
PushStr20:
push ; arg 1: user32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+84h] save SetWindowTextW address
call PushStr21 ; push the address of the string below
db "GetWindowTextA",0 ; arg 2: function name
PushStr21:
push ; arg 1: user32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+88h] save GetWindowTextA address (not used later)
call PushStr22 ; push the address of the string below
db "CreateFileW",0 ; arg 2: function name
PushStr22:
push ; arg 1: kernel32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+8Ch] save CreateFileW address
call PushStr23 ; push the address of the string below
db "GetFileSize",0 ; arg 2: function name
PushStr23:
push ; arg 1: kernel32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+90h] save GetFileSize address
call PushStr24 ; push the address of the string below
db "HeapCreate",0 ; arg 2: function name
PushStr24:
push ; arg 1: kernel32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+9Ch] save HeapCreate address
call PushStr25 ; push the address of the string below
db "HeapAlloc",0 ; arg 2: function name
PushStr25:
push ; arg 1: kernel32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+0A0h] save HeapAlloc address
call PushStr26 ; push the address of the string below
db "HeapFree",0 ; arg 2: function name
PushStr26:
push ; arg 1: kernel32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+0A4h] save HeapFree address (not used later)
call PushStr27 ; push the address of the string below
db "ReadFile",0 ; arg 2: function name
PushStr27:
push ; arg 1: kernel32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+0B0h] save ReadFile address
call PushStr28 ; push the address of the string below
db "WriteFile",0 ; arg 2: function name
PushStr28:
push ; arg 1: kernel32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+0B4h] save WriteFile address
call PushStr29 ; push the address of the string below
db "CloseHandle",0 ; arg 2: function name
PushStr29:
push ; arg 1: kernel32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+0B8h] save CloseHandle address
call PushStr30 ; push the address of the string below
db "SetFilePointer",0 ; arg 2: function name
PushStr30:
push ; arg 1: kernel32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+0C4h] save SetFilePointer address (not used later)
call PushStr31 ; push the address of the string below
db "GetDlgItemTextA",0 ; arg 2: function name
PushStr31:
push ; arg 1: user32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+0D4h] save GetDlgItemTextA address
call PushStr5 ; push the address of the string below
db "CreateWindowExA",0 ; arg 2: function name
PushStr5:
push ; arg 1: user32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+48h] save CreateWindowExA address
push 0 ; lpParam
push ; hInstance
push 0 ; hMenu
push 0 ; hWndParent
push 59 ; nHeight
push 316 ; nWidth
push 300 ; Y
push 500 ; X
push 10080000h ; dwStyle = WS_VISIBLE | WS_SYSMENU
push 0 ; lpWindowName
lea edx, ; address of the class-name string
push edx ; lpClassName
push 00000010h ; dwExStyle = WS_EX_ACCEPTFILES (enables WM_DROPFILES)
call eax ; CreateWindowExA (NULL not checked)
mov ,eax ;[+74h] save window handle
call CreateControl ; create the Edit box (id 1) and OK button (id 2)
call PushStr6 ; push the address of the string below
db "GetMessageA",0 ; arg 2: function name
PushStr6:
push ; arg 1: user32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+4Ch] save GetMessageA address
call PushStr7 ; push the address of the string below
db "DispatchMessageA",0 ; arg 2: function name
PushStr7:
push ; arg 1: user32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+50h] save DispatchMessageA address
call PushStr8 ; push the address of the string below
db "TranslateMessage",0 ; arg 2: function name
PushStr8:
push ; arg 1: user32.dll module base
call esi ; GetProcAddress
mov ,eax ;[+78h] save TranslateMessage address
MsgLoop:
call GetGlobal ; re-derive the scratch base each pass (WndProc overwrites edi)
mov edi,eax
push 0 ; wMsgFilterMax
push 0 ; wMsgFilterMin
push 0 ; hWnd (any window of this thread)
lea edx, ; &MSG at [+54h]
push edx ; lpMsg
call dword ptr ; GetMessageA
test eax,eax
je Exit1 ; 0 = WM_QUIT; a -1 (error) return is not treated as exit and would spin here
lea edx,
push edx ; lpMsg
call dword ptr ; TranslateMessage
lea edx,
push edx ; lpMsg
call dword ptr ; DispatchMessageA
jmp MsgLoop
;----------------------------------------------------
Exit1:
pop ebp
ret ; return from the entry point
;-----------------------------------------------------------------------
; LRESULT WndProc(hWnd, uMsg, wParam, lParam) — stdcall window callback
; (ret 10h). Dispatch by falling through a chain of compares:
;   WM_DESTROY  (2)    -> PostQuitMessage(0), then continues to the next test.
;   WM_DROPFILES(233h) -> remember a pointer to the first dropped path and
;                         show it in the title bar.
;   WM_COMMAND  (111h) with LOWORD(wParam)==2 (the OK button): read the
;       password from the Edit (id 1), then do the actual packing:
;       open the dropped file, read it into a heap block, append a section
;       header ".XJ" (RWX, 400h bytes, one page past the last section),
;       move AddressOfEntryPoint to it, write the patched image to "XJ",
;       then copy the first 400h bytes of "Pack" (the stub) after it with
;       the original OEP and password patched into the stub's slots.
;   anything else      -> DefWindowProcA.
; Register use: edi = scratch base, ebx = file image, esi = stub buffer.
; These callee-saved registers are overwritten without being saved, which
; breaks the stdcall callback contract (main's loop re-derives edi because
; of this). Only the two CreateFileW results are checked; HeapAlloc,
; ReadFile, WriteFile and GetFileSize results are not, the heaps are never
; destroyed and only one of the output handles is closed.
;-----------------------------------------------------------------------
WndProc:
push ebp
mov ebp,esp
call GetGlobal
mov edi,eax ; edi = scratch base (callee-saved; not preserved)
;------------------------------------------
WM_DESTROY:
cmp dword ptr,2h ; uMsg == WM_DESTROY?
jnz WM_DROPFILES
push 0 ; nExitCode
call dword ptr ; PostQuitMessage — then falls through to the next compares
WM_DROPFILES:
cmp dword ptr,233h ; uMsg == WM_DROPFILES (233h)?
jnz WM_COMMAND
mov edx, ; wParam = HDROP
mov edx,
add edx,14h ; skip the DROPFILES header (14h bytes) to the first dropped path; assumed wide (it is later handed to CreateFileW)
mov ,edx ;[+80h] save the path pointer (points into the drop data; the string is not copied)
push edx ; lpString
push ; hWnd
call dword ptr ; SetWindowTextW — show the path in the title bar
WM_COMMAND:
cmp dword ptr,111h ; uMsg == WM_COMMAND (111h)?
jnz DefWindowProcA
cmp word ptr,2 ; LOWORD(wParam) == 2, the OK button's id (see CreateControl)?
jnz DefWindowProcA
push 4 ; cchMax: at most 3 characters + NUL fit the dword at [+0D0h]
lea edx,
push edx ; lpString = &password
push 1 ; nIDDlgItem = the Edit control
push ; hDlg = main window
call dword ptr ; GetDlgItemTextA
push 0 ; hTemplateFile
push 80h ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
push 3 ; dwCreationDisposition = OPEN_EXISTING
push 0 ; lpSecurityAttributes
push 0 ; dwShareMode (exclusive)
push 0C0000000h ; dwDesiredAccess = GENERIC_READ | GENERIC_WRITE
push ; lpFileName = dropped path from [+80h]
call dword ptr ; CreateFileW
cmp eax,0FFFFFFFFh ; INVALID_HANDLE_VALUE?
je DefWindowProcA ; open failed
mov ,eax ;[+94h] save file handle
push 0 ; lpFileSizeHigh
push eax ; hFile
call dword ptr ; GetFileSize
mov ,eax ;[+98h] save file size (INVALID_FILE_SIZE not checked)
inc eax ; eax++ : heap sized to file size + 1
push eax ; dwMaximumSize
push eax ; dwInitialSize
push 0 ; flOptions
call dword ptr ; HeapCreate
mov ,eax ;[+0A8h] save heap handle
push ; dwBytes = file size
push 8 ; dwFlags = HEAP_ZERO_MEMORY
push eax ; hHeap
call dword ptr ; HeapAlloc
mov ,eax ;[+0ACh] save buffer address (NULL not checked)
push 0 ; lpOverlapped
lea edx, ; &file-size slot, reused as lpNumberOfBytesRead
push edx ; lpNumberOfBytesRead
push ; nNumberOfBytesToRead = file size
push eax ; lpBuffer
push ; hFile
call dword ptr ; ReadFile (result and byte count not checked)
push ; handle to close (the dropped file)
call dword ptr ; CloseHandle
mov ebx, ; ebx = buffer = DOS header
cmp word ptr,5A4Dh ; e_magic == "MZ"?
jnz DefWindowProcA ; not a PE — the heap block is left allocated
mov edx, ; e_lfanew
add edx,ebx ; offset => address of the NT headers in the buffer
add dword ptr,1000h; SizeOfImage += 1000h for the new section
mov byte ptr,0 ; author: "clear relocation" (operand lost)
movzx ecx,word ptr ; ecx = NumberOfSections
inc word ptr ; NumberOfSections++ in the file header
add edx,0F8h ; -> first section header (sizeof IMAGE_NT_HEADERS32 = 0F8h)
imul ecx,28h ; * sizeof(IMAGE_SECTION_HEADER)
add edx,ecx ; -> the slot just past the last section header (assumes it is free before the first section's raw data)
mov dword ptr,004A582Eh; Name = ".XJ"
mov eax, ; last section's virtual address + size (operands lost) ...
add eax,
and eax,0FFFFF000h ; ... rounded down to a page ...
add eax,1000h ; ... then up to the next page boundary (assumes 1000h section alignment)
mov ,eax ; new section VirtualAddress
mov ,eax ;[+0CCh] save new OEP (= start of the new section)
mov dword ptr,400h ; new section size = 400h bytes (the stub chunk appended below)
mov eax,
mov ,eax ; raw file offset of the new section (author: "file offset"; presumably the original file size, since the stub is appended)
mov dword ptr,0E0000020h ; Characteristics = CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE (an RWX section — an easy static signature)
mov ebx,
mov edx,
add edx,ebx ; back to the NT headers
mov eax, ; AddressOfEntryPoint
mov ,eax ;[+0C8h] save original OEP
mov eax, ;[+0CCh] new OEP
mov ,eax; AddressOfEntryPoint = new OEP
push 0 ; hTemplateFile
push 80h ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
push 2 ; dwCreationDisposition = CREATE_ALWAYS
push 0 ; lpSecurityAttributes
push 0 ; dwShareMode
push 0C0000000h ; dwDesiredAccess = GENERIC_READ | GENERIC_WRITE
call PushFileName ; push the address of the wide string below
db 'X',0,'J',0,0,0 ; lpFileName = L"XJ" (output file in the current directory)
PushFileName:
call dword ptr ; CreateFileW (failure not checked here)
mov ,eax ; save output file handle
push 0 ; lpOverlapped
lea edx,
push edx ; lpNumberOfBytesWritten
push ; nNumberOfBytesToWrite = file size
push ; lpBuffer = patched image
push eax ; hFile
call dword ptr ; WriteFile — the whole patched original image
;-------------------------
push 0 ; hTemplateFile
push 80h ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
push 3 ; dwCreationDisposition = OPEN_EXISTING
push 0 ; lpSecurityAttributes
push 0 ; dwShareMode
push 0C0000000h ; dwDesiredAccess = GENERIC_READ | GENERIC_WRITE
call PushFileName2 ; lpFileName: push the address of the wide string below
db 'P',0,'a',0,'c',0,'k',0,0,0 ; L"Pack" = the stub binary (built from the second listing)
PushFileName2:
call dword ptr ; CreateFileW
cmp eax,0FFFFFFFFh ; INVALID_HANDLE_VALUE?
je DefWindowProcA ; open failed (the "XJ" handle stays open)
mov ,eax ; save stub file handle
push 1000h ; dwMaximumSize
push 1000h ; dwInitialSize
push 0 ; flOptions
call dword ptr ; HeapCreate (handle never destroyed)
push 999h ; dwBytes
push 8 ; dwFlags = HEAP_ZERO_MEMORY
push eax ; hHeap
call dword ptr ; HeapAlloc
mov esi,eax ; esi = stub buffer (NULL not checked)
push 0 ; lpOverlapped
lea edx, ; &file-size slot, reused as lpNumberOfBytesRead (overwrites the size)
push edx ; lpNumberOfBytesRead
push 400h ; nNumberOfBytesToRead = first 400h bytes of "Pack"
push esi ; lpBuffer
push ; hFile
call dword ptr ; ReadFile
add esi,400h ; -> just past the stub chunk
mov edx,
mov ,edx ; store the original OEP / password into the stub's slots (operands lost; per the stub's layout it reads them at [-8]/[-4] of its global base)
mov edx,
mov ,edx
sub esi,400h ; back to the start of the stub buffer
push 0 ; lpOverlapped
lea edx,
push edx ; lpNumberOfBytesWritten
push 400h ; nNumberOfBytesToWrite
push esi ; lpBuffer = stub chunk
push ; hFile (presumably the "XJ" handle; its file pointer is already at the end of the image)
call dword ptr ; WriteFile — appends the stub as the new section's raw data
;-------------------------
push ; handle to close
call dword ptr ; CloseHandle (only one of the two output-side handles is closed)
DefWindowProcA:
push ; lParam
push ; wParam
push ; uMsg
push ; hWnd
call dword ptr ; DefWindowProcA
;------------------------------------------
pop ebp
ret 10h ; stdcall: pop the 4 arguments
;-----------------------------------------------------------------------
; CreateControl — creates the two child controls of the main window:
;   Edit   (control id 1)               at (0,0),   250x20
;   Button (control id 2, caption "OK") at (250,0),  50x20
; Both use dwStyle 50800000h = WS_VISIBLE | WS_CHILD | WS_BORDER.
; Called from main; hInstance ([+0]) and the parent handle ([+74h]) are
; read from the scratch area. Clobbers edi (re-derived via GetGlobal),
; eax, ecx, edx. CreateWindowExA return values are not checked.
;-----------------------------------------------------------------------
CreateControl:
call GetGlobal ; eax = scratch base
mov edi,eax
push 0 ; lpParam
push ; hInstance
push 1 ; hMenu = control id 1
push ; hWndParent = main window
push 20 ; nHeight
push 250 ; nWidth
push 0 ; Y
push 0 ; X
push 50800000h ; dwStyle = WS_VISIBLE | WS_CHILD | WS_BORDER
push 0 ; lpWindowName
call PushStr10 ; push the address of the class name below
db "Edit",0 ; lpClassName
PushStr10:
push 0 ; dwExStyle
call dword ptr ; CreateWindowExA
call GetGlobal ; re-derived (stdcall preserves edi, so this is redundant but harmless)
mov edi,eax
push 0 ; lpParam
push ; hInstance
push 2 ; hMenu = control id 2 (WndProc tests LOWORD(wParam) == 2)
push ; hWndParent = main window
push 20 ; nHeight
push 50 ; nWidth
push 0 ; Y
push 250 ; X
push 50800000h ; dwStyle = WS_VISIBLE | WS_CHILD | WS_BORDER
call PushStr11 ; push the address of the caption below
db "OK",0 ; lpWindowName
PushStr11:
call PushStr12 ; push the address of the class name below
db "Button",0 ; lpClassName
PushStr12:
push 0 ; dwExStyle
call dword ptr ; CreateWindowExA
ret
;-----------------------------------------------------------------------
; GetGlobal — returns the scratch-area base in eax.
; Loads a code-relative value (operand lost; presumably the return address
; at [esp]), rounds it down to a 4 KiB page and adds 800h. Every [+N] slot
; documented at the top of the file is relative to this value, so the
; scratch area lives in the same page as the code and every caller has to
; sit in that page for the result to be stable. Clobbers eax and flags.
;-----------------------------------------------------------------------
GetGlobal:
mov eax, ; operand lost; presumably [esp] (the return address)
and eax,0FFFFF000h ; page-align
add eax,800h ; scratch area = page base + 800h
ret
end main
壳
.386
.model flat,stdcall
option casemap:none
assume fs:nothing
;-----------------------------------------------------------------------
; Stub ("壳") — the 400h-byte chunk the packer appends as section ".XJ"
; and points AddressOfEntryPoint at. Same style as the packer: no imports,
; every API resolved through a GetProcAddress found by walking kernel32's
; export table. It shows a password window; on the right password WndProc
; jumps to the original entry point, on close main calls ExitProcess.
; All [+N]/[-N] offsets are relative to the base GetGlobal leaves in edi
; (page base + 400h). [-4] and [-8] are filled in by the packer.
; NOTE(review): as in the packer listing, bracketed memory operands were
; lost in extraction; lines such as `mov ebx,` are incomplete as shown.
;-----------------------------------------------------------------------
;[-4] Password (expected value, written by the packer)
;[-8] OEP (original entry point, written by the packer)
;[+100h] instance handle
;[+104h] kernel32.dll module base
;[+108h] user32.dll module base
;[+10Ch]~[+130h] WNDCLASSA structure
;[+134h]~[+150h] MSG structure
;[+154h] Password (as typed by the user; dword)
;[+0] GetProcAddress
;[+4] LoadLibraryA
;[+8] RegisterClassA
;[+0Ch] CreateWindowExA
;[+10h] DefWindowProcA
;[+14h] GetMessageA
;[+18h] TranslateMessage
;[+1Ch] DispatchMessageA
;[+20h] GetDlgItemTextA
;[+24h] ExitProcess
;[+28h] PostQuitMessage
.code
;-----------------------------------------------------------------------
; main — stub entry point (the packed file's new AddressOfEntryPoint).
; Entry state relied on: the loader-list walk below starts from whatever
; ebx holds at the OEP — the author notes it is the PEB on the Windows
; versions targeted and has commented out the fs:[...] load. That is
; loader behaviour, not a documented contract.
; Flow: resolve GetProcAddress, LoadLibraryA and user32, then
; MyGetProcAddress, CreateWindow, MessageLoop; when the loop returns (the
; window was closed) ExitProcess is called, so the original program only
; ever runs through WndProc's jump.
; Register use: edi = global base (from GetGlobal), ebx = kernel32 base,
; esi = GetProcAddress. No API return value is checked.
;-----------------------------------------------------------------------
main:
call GetGlobal ; edi = global base
;mov ebx,fs: ; (disabled) on entry to the OEP ebx already holds the PEB — loader behaviour the author relies on
mov ebx,
mov ebx,
mov edx, ; presumably the first loader entry's base = this image
mov ,edx;[+100h] save instance handle
mov ebx,
mov ebx,
mov ebx,
mov ,ebx;[+104h] save kernel32.dll module base (ebx keeps it for the export walk)
mov eax, ; kernel32's e_lfanew: file offset of its NT headers
add eax,ebx ; offset => VA
mov eax, ; export directory RVA
add eax,ebx ; RVA => VA, eax = export directory
mov edx, ; name table (AddressOfNames) RVA
add edx,ebx ; RVA => VA
xor ecx,ecx ; ecx = name index, starting at 0
MyLoop:
mov esi, ; RVA of the ecx-th exported name
add esi,ebx ; RVA => VA
inc ecx ; ecx++ (pre-incremented; corrected after the match)
cmp byte ptr,'G' ; heuristic match on three characters of "GetProcAddress" (ZF=1 when equal)
jnz MyLoop ; not equal (ZF=0) => next name
cmp byte ptr,'P' ;
jnz MyLoop ;
cmp byte ptr,'A' ;
jnz MyLoop
dec ecx ; the real (zero-based) name index
mov edx, ; ordinal table (AddressOfNameOrdinals) RVA
add edx,ebx ; RVA => VA
mov cx, ; cx = ordinal (word) for that name = index into the address table
mov edx, ; address table (AddressOfFunctions) RVA
add edx,ebx ; RVA => VA
mov esi, ; function RVA
add esi,ebx ; RVA => VA
mov ,esi ;[+0] save GetProcAddress address
call PushStr1 ; call pushes the address of the string below = lpProcName
db "LoadLibraryA",0 ; function name
PushStr1:
push ebx ; hModule = kernel32.dll base
call esi ; GetProcAddress
mov ,eax ;[+4] save LoadLibraryA address
call PushStr2 ; push the address of the DLL name below
db "user32.dll",0
PushStr2:
call eax ; LoadLibraryA
mov ,eax;[+108h] save user32.dll module base
call MyGetProcAddress ; resolve the remaining APIs into [+8]..[+28h]
call CreateWindow ; register the class, create the window and its controls
call MessageLoop ; returns only when GetMessageA yields WM_QUIT
push 0 ; uExitCode
call dword ptr ; ExitProcess — does not return; CreateWindow's code follows in memory but is not reached by fall-through
;-----------------------------------------------------------------------
; CreateWindow — fills the WNDCLASSA at [+10Ch], registers class "XiaoJun"
; and creates the main window plus an Edit (id 1) and an OK button (id 2),
; the same layout as the packer's own window. Expects edi = global base.
; lpfnWndProc is WndProc's offset from main added to the page base
; (edi-400h), so main has to start at that page boundary.
; Clobbers eax, ecx, edx and esi (main window handle). RegisterClassA and
; CreateWindowExA return values are not checked.
;-----------------------------------------------------------------------
CreateWindow:
mov dword ptr,0 ; WNDCLASSA.style
mov edx,WndProc-main ; WndProc's offset from the entry point
add edx,edi
sub edx,400h ; edi-400h is the page base GetGlobal started from
mov dword ptr,edx; lpfnWndProc
mov dword ptr,0 ; cbClsExtra
mov dword ptr,0 ; cbWndExtra
mov edx, ; instance handle from [+100h]
mov dword ptr,edx; hInstance
mov dword ptr,0 ; hIcon
mov dword ptr,0 ; hCursor
mov dword ptr,0 ; hbrBackground
mov dword ptr,0 ; lpszMenuName
call PushStr30 ; push the address of the class-name string below ...
db "XiaoJun",0
PushStr30:
pop edx ; ... and pop it into edx
mov dword ptr,edx; lpszClassName
lea edx, ; &WNDCLASSA
push edx
call dword ptr ; RegisterClassA
push 0 ; lpParam
push ; hInstance
push 0 ; hMenu
push 0 ; hWndParent
push 59 ; nHeight
push 316 ; nWidth
push 300 ; Y
push 500 ; X
push 10080000h ; dwStyle = WS_VISIBLE | WS_SYSMENU
push 0 ; lpWindowName
call PushStr31 ; push the address of the class name below
db "XiaoJun",0 ; lpClassName
PushStr31:
push 0 ; dwExStyle
call dword ptr; CreateWindowExA
mov esi,eax ; esi = main window handle (parent for the controls)
push 0 ; lpParam
push ; hInstance
push 1 ; hMenu = control id 1
push esi ; hWndParent
push 20 ; nHeight
push 250 ; nWidth
push 0 ; Y
push 0 ; X
push 50800000h ; dwStyle = WS_VISIBLE | WS_CHILD | WS_BORDER
push 0 ; lpWindowName
call PushStr32 ; push the address of the class name below
db "Edit",0 ; lpClassName
PushStr32:
push 0 ; dwExStyle
call dword ptr; CreateWindowExA
push 0 ; lpParam
push ; hInstance
push 2 ; hMenu = control id 2 (WndProc tests LOWORD(wParam) == 2)
push esi ; hWndParent
push 20 ; nHeight
push 50 ; nWidth
push 0 ; Y
push 250 ; X
push 50800000h ; dwStyle = WS_VISIBLE | WS_CHILD | WS_BORDER
call PushStr33 ; push the address of the caption below
db "OK",0 ; lpWindowName
PushStr33:
call PushStr34 ; push the address of the class name below
db "Button",0 ; lpClassName
PushStr34:
push 0 ; dwExStyle
call dword ptr; CreateWindowExA
ret
;-----------------------------------------------------------------------
; MessageLoop — GetMessageA / TranslateMessage / DispatchMessageA loop
; over the MSG at [+134h]. Re-derives edi on every pass because WndProc
; overwrites it. Returns when GetMessageA returns 0 (WM_QUIT); a -1
; (error) return is not treated as exit, so an error would spin here.
; Clobbers eax, ecx, edx, esi, edi.
;-----------------------------------------------------------------------
MessageLoop:
call GetGlobal ; edi = global base
push 0 ; wMsgFilterMax
push 0 ; wMsgFilterMin
push 0 ; hWnd (any window of this thread)
lea esi, ; esi = &MSG (stdcall preserves it across the calls below)
push esi ; lpMsg
call dword ptr ; GetMessageA
test eax,eax
je Exit ; 0 = WM_QUIT
push esi ; lpMsg
call dword ptr ; TranslateMessage
push esi ; lpMsg
call dword ptr ; DispatchMessageA
jmp MessageLoop
Exit:
ret
;-----------------------------------------------------------------------
; MyGetProcAddress — resolves the nine APIs listed at the top of the file
; into [+8]..[+28h]. Each call uses GetProcAddress from [+0] with a module
; base (user32.dll, or kernel32.dll for ExitProcess — operands lost) and a
; name whose address the call/db trick pushes. Expects edi = global base.
; Clobbers eax, ecx, edx. Results are not checked for NULL.
;-----------------------------------------------------------------------
MyGetProcAddress:
call PushStr3 ; push &"RegisterClassA"
db "RegisterClassA",0
PushStr3:
push ; hModule = user32.dll base
call dword ptr ; GetProcAddress
mov ,eax ;[+8] RegisterClassA
call PushStr4 ; push &"CreateWindowExA"
db "CreateWindowExA",0
PushStr4:
push ; hModule = user32.dll base
call dword ptr ; GetProcAddress
mov ,eax ;[+0Ch] CreateWindowExA
call PushStr5 ; push &"DefWindowProcA"
db "DefWindowProcA",0
PushStr5:
push ; hModule = user32.dll base
call dword ptr ; GetProcAddress
mov ,eax ;[+10h] DefWindowProcA
call PushStr6 ; push &"GetMessageA"
db "GetMessageA",0
PushStr6:
push ; hModule = user32.dll base
call dword ptr ; GetProcAddress
mov ,eax ;[+14h] GetMessageA
call PushStr7 ; push &"TranslateMessage"
db "TranslateMessage",0
PushStr7:
push ; hModule = user32.dll base
call dword ptr ; GetProcAddress
mov ,eax ;[+18h] TranslateMessage
call PushStr8 ; push &"DispatchMessageA"
db "DispatchMessageA",0
PushStr8:
push ; hModule = user32.dll base
call dword ptr ; GetProcAddress
mov ,eax ;[+1Ch] DispatchMessageA
call PushStr9 ; push &"GetDlgItemTextA"
db "GetDlgItemTextA",0
PushStr9:
push ; hModule = user32.dll base
call dword ptr ; GetProcAddress
mov ,eax ;[+20h] GetDlgItemTextA
call PushStr10 ; push &"ExitProcess"
db "ExitProcess",0
PushStr10:
push ; hModule (presumably kernel32.dll base, [+104h])
call dword ptr ; GetProcAddress
mov ,eax ;[+24h] ExitProcess
call PushStr11 ; push &"PostQuitMessage"
db "PostQuitMessage",0
PushStr11:
push ; hModule = user32.dll base
call dword ptr ; GetProcAddress
mov ,eax ;[+28h] PostQuitMessage
ret
; GetGlobal — get the global base; return value: edi (not eax as in the packer)
;-----------------------------------------------------------------------
; Loads a code-relative value (operand lost; presumably the return address
; at [esp]), rounds it down to a 4 KiB page and adds 400h. Every [+N]/[-N]
; slot documented at the top of the file is relative to this value, so the
; globals live inside the stub's own (RWX) page and every caller has to
; sit in that page for the result to be stable. Clobbers edi and flags.
;-----------------------------------------------------------------------
GetGlobal:
mov edi, ; operand lost; presumably [esp] (the return address)
and edi,0FFFFF000h ; page-align
add edi,400h ; global base = page base + 400h
ret
;-----------------------------------------------------------------------
; LRESULT WndProc(hWnd, uMsg, wParam, lParam) — stdcall window callback
; (ret 10h).
;   WM_DESTROY (2)    -> PostQuitMessage(0), then falls through.
;   WM_COMMAND (111h) with LOWORD(wParam)==2 (the OK button): read up to
;       3 characters from the Edit (id 1) into the dword at [+154h] and
;       compare it with the expected password at [-4]; on a match jump to
;       the original entry point (presumably [-8] + the image base [+100h]).
;   anything else     -> DefWindowProcA.
; The jump leaves this frame, DispatchMessage and the still-open window
; behind: the original program starts with esp inside the dispatch chain
; and the stub's class and window are never torn down. The expected
; password is a plain dword inside the stub section, so the check is an
; obstacle, not protection. edi (callee-saved) is overwritten via
; GetGlobal without being saved; ebx and esi are not touched here.
;-----------------------------------------------------------------------
WndProc:
push ebp
mov ebp,esp
call GetGlobal ; edi = global base
;----------------
WM_DESTROY:
cmp dword ptr,2h ; uMsg == WM_DESTROY?
jnz WM_COMMAND
; window closed: post WM_QUIT so MessageLoop returns and main calls ExitProcess
push 0 ; nExitCode
call dword ptr; PostQuitMessage — then falls through to the next compare
WM_COMMAND:
cmp dword ptr,111h ; uMsg == WM_COMMAND (111h)?
jnz DefWindowProcA
cmp word ptr,2 ; LOWORD(wParam) == 2 (the OK button's id)?
jnz DefWindowProcA
mov dword ptr,0 ; zero the 4-byte password slot so short inputs compare with trailing NULs
push 4 ; cchMax: 3 characters + NUL
lea edx,
push edx ; lpString = &[+154h]
push 1 ; nIDDlgItem = the Edit control
push ; hDlg = hWnd
call dword ptr ; GetDlgItemTextA
mov eax, ; typed password (dword)
cmp eax, ; expected password at [-4]
jnz DefWindowProcA ; mismatch: fall back to default handling, window stays up
; password correct
mov edx, ; original OEP (RVA, [-8])
add edx, ; + image base ([+100h])
jmp edx ; jmp OEP — never returns to this frame
DefWindowProcA:
push ; lParam
push ; wParam
push ; uMsg
push ; hWnd
call dword ptr ; DefWindowProcA
;----------------
pop ebp
ret 10h ; stdcall: pop the 4 arguments
end main
龙哥哥 发表于 2017-12-18 16:35
怎么用啊,用具体说下吗,不懂哦!
我写这个主要是练习一下ShellCode,还是有很多BUG的,以后有空我写个好一点的,出个详细点的文字教程 感谢分享,辛苦了。 支持原创,学习了 汇编写的....历害了.. 感谢楼主分享, 感谢分享。 怎么用啊,用具体说下吗,不懂哦! 谢谢大佬,虽然看得眼花,哈哈