首页
社区
课程
招聘
关于木马的生成技术
发表于: 2006-3-18 23:49 10009

关于木马的生成技术

2006-3-18 23:49
10009

很不理解,那些木马是如何修改加壳后的程序的~~~~~

一般的生成方法都是要给修改的地方留出一些空间,然后再去修改,但是如果这个程序被加壳的了,那么我们留出空间的地方也就被改变了,从而无法正确的修改~~

但是我看有些木马程序可以修改加壳后的文件,是如何做到的?


[招生]系统0day安全班,企业级设备固件漏洞挖掘,Linux平台漏洞挖掘!

收藏
免费 7
支持
分享
最新回复 (22)
雪    币: 519
活跃值: (1223)
能力值: ( LV12,RANK:650 )
在线值:
发帖
回帖
粉丝
2
在后面加一段?
2006-3-19 10:32
0
雪    币: 217
活跃值: (99)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
3
如果修改的是自身的话,也许木马先脱壳,再修改,最后再加壳.
修改其他程序就不叫木马了,那是病毒.
2006-3-19 10:50
0
雪    币: 203
活跃值: (26)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
smc技术
2006-3-19 12:23
0
雪    币: 149
活跃值: (344)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
5
可以让木马作为一个loader吧
2006-3-19 17:21
0
雪    币: 235
活跃值: (100)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
6
smc技术应该不行吧~~

举个例子~~

386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

ShowMessage    proto
ReplaceMent    proto

.data
szMsg1        db    "这是未执行SMC之前的代码!", 0

.code
start:
invoke MessageBox,0,addr szMsg1,0,0
invoke ExitProcess,0
end start

这个是一个MsgBox框,我想要再写一个程序,去修改MsgBox显示的内容~~

如果这个程序没有加壳的话,很好做,找到szMsg1的位置就好了,然后修改~

如果这个程序加壳了话,szMsg1就被封装起来了,无法直接修改~~

请问应该怎么做?
2006-3-19 18:58
0
雪    币: 149
活跃值: (344)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
7
无论如何szMsg1也会有暴露在内存中的一天...
2006-3-19 19:34
0
雪    币: 235
活跃值: (100)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
8
不是要修改内存中的数据~~~~

而是要修改exe中的数据~~~

因为你要修改的数据,只可能写入exe中~~

不可能直接写入到内存中嘛~~~~~
2006-3-19 20:11
0
雪    币: 201
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
9
把数据添加到文件末尾,作为附加数据,还有的就是增加区段写数据
2006-3-19 20:20
0
雪    币: 235
活跃值: (100)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
10
一个被加壳的程序如何加入新的区段?
2006-3-19 20:23
0
雪    币: 203
活跃值: (26)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
11
壳不是一直保护的,你能找到合适的机会修改内存的,SMC肯定可行的
2006-3-19 21:26
0
雪    币: 235
活跃值: (100)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
12
但是你最终的数据是要写入到exe文件里面的~~

不然你怎么知道要把什么数据写入内存呢?

一旦程序被加壳了,你的数据应该写到什么地方呢?
2006-3-20 01:01
0
雪    币: 257
活跃值: (56)
能力值: ( LV5,RANK:60 )
在线值:
发帖
回帖
粉丝
13
overlay

主程序都是一样的,

或者用资源
2006-8-20 23:25
0
雪    币: 255
活跃值: (207)
能力值: ( LV9,RANK:250 )
在线值:
发帖
回帖
粉丝
14
楼主是在写木马吧,呵呵.
2006-8-21 08:33
0
雪    币: 207
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
15
关注,学习ing
2006-8-21 09:50
0
雪    币: 207
活跃值: (10)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
16
最初由 lemony 发布
smc技术应该不行吧~~

举个例子~~

386
........

你hook MessageBoxA不就可以了么?
或者infect exe后CreateThread运行一个timer,到时修改解压的代码就可以了
2006-8-21 15:53
0
雪    币: 257
活跃值: (56)
能力值: ( LV5,RANK:60 )
在线值:
发帖
回帖
粉丝
17
补充一下,一般的木马是将数据保存在OVERLAY

灰鸽子是将数据加密放在资源里面(rescope可以看见)
2006-8-21 20:52
0
雪    币: 171
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
18
看看winshell的源码你就明白了..
比如木马的端口信息,密码信息配置,都是在程序中使用静态变量..然后通过配置程序去修改这个木马程序(EXE文件)中的这些值来配置它的。
2006-8-27 12:11
0
雪    币: 1705
活跃值: (41)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
19
写尾部,到用的时候在从新尾部读出来,现在的程序都是加过壳在向尾部增加加密的数据,到用的时候,读出解密!
2006-8-30 09:30
0
雪    币: 277
活跃值: (10)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
20
不管加不加壳,写入文件尾部就对了
2006-8-30 18:21
0
雪    币: 223
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
21
这个其实也是比较容易的,上面你们说了,修改未加壳的程序比较容易,那就可以了
我们把未修改的程序以资源的方式加载到EXE(也是服务端生成器)同时把加壳程序也一并添加到资源里,当运行生成器的时候,把两个资源导出,修改目标程序( 应该说是服务端)修改完成后,再用加壳程序加壳,OK了
2006-10-1 14:06
0
雪    币: 2950
活跃值: (1793)
能力值: ( LV9,RANK:850 )
在线值:
发帖
回帖
粉丝
22
支持你这种说法,不过我地另外一个地方看到一破文,但是照猫画虎也不成功。
看下面:
s Tutorial: How to do Inline Patch in Aspack'ed applications!
Ok, as you know, I haven't written a tutor by myself for long time, so since
I'm on holiday now, I decided to write one. This time, we'll do an Inline
Patching in Aspack'ed application. Very easy, no fear! Ok, I've coded a small
crackme for the education, and it's packed with Aspack v2.12. So on this
crackme, we must remove the messagebox. Still as I said, the main goal is to
do Inline Patching on this Crackme, not to remove the messagebox only! ;)
Ok, let's go..
What we'll need:
OllyDbg - to find Program Entry Point (OEP) in the Crackme
HIEW v6.83 - to edit the Crackme
W32Dasm v8.93 - to disassemble the Crackme
LordPE Deluxe - to unpack the Crackme and edit PE headers
PEiD v0.80 - to identify the PE in Crackme
Pen and paper, and your brain!!
Step 1. Let's run PEiDentifier on this Crackme to confirm it's packed with
        Aspack! Or you can use any similiar file scanner. (They can be
        found at Protools sites!). While we're at it, run Crackme and see what
        happens. Ok, the messagebox appears, so it has to be removed. I'm not
        teaching you how to remove the box, just how to do Inline Patch.
Step 2. Ok, coz it's packed with Aspack, we all know that Aspack'ed
        applications first goto its own decryption procedures, to check CRC
        etc, then if it's OK then it goes to Main procedure of applications
        or else gives you errors. So we gotta find the jump to OEP in Crackme
        in decryption codes. When run, we all know Aspack'ed applications
        contain the "known" instructions near the end of decryption part:
xxxxxxxx 61             popad
xxxxxxxx 7508           jne cccccccc
xxxxxxxx B801000000     mov eax,00000001
xxxxxxxx C20C00         retn 000C
cccccccc 68aaaaaaaa     push aaaaaaaa <--- aaaaaaaa is our OEP value
xxxxxxxx C3             ret
We gotta find the OEP value in this unpacking code, remember we will NOT find
the OEP value in Aspack'ed files, only when you run 'em, you'll find it in
memory. Of course, it's hardcoded in Aspack'ed files, but hard to find it.
So the known bytes we always can find in Aspack'ed files looks like:
61
7508
B801000000
C20C00
6800000000 <--- always 00000000, so that's why we don't know the OEP yet!
C3
Step 3. Ok, now we can open HIEW on Crackme and search for bytes: 6800000000C3.
        We found it at:
.0040D3AF: 61                 popad
.0040D3B0: 7508               jne 00040D3BA
.0040D3B2: B801000000         mov eax,000000001
.0040D3B7: C20C00             retn 0000C
.0040D3BA: 6800000000         push 000000000
.0040D3BF: C3                 retn
Ok cool, we know it's Aspack'ed and we have the address "40D3BA", so write
down this address on paper.
Step 4. Next thing we gotta do, is to load the debugger to find the real OEP.
        Load OllyDbg, open Crackme.exe. (If you're unfamiliar with OllyDbg,
        find some tutors on how to use it.) Anyway, back to OllyDbg, at CPU,
        main thread window at first line, you'll see like this:
0040D000   90                 NOP
0040D001   60                 PUSHAD
0040D002   E8 03000000        CALL ASPCrack.0040D00A
0040D007   E9 EB045D45        JMP 459DD4F7
0040D00C   55                 PUSH EBP
Step 5. Ok, now scroll down to 40D3BA where it looks like this:
0040D3BA 68 00000000 PUSH 0
Ok, on that line, press F2 to set breakpoint on this line. Then finally press
F9 to run Crackme in OllyDbg. Awesome, what do we find? Here's what I found:
0040D3BA 68 345A4000 PUSH ASPCrack.00405A34
See? 405A34 is our real OEP! Write down this OEP. We're done with OllyDbg for now.
Step 6. What now? We gotta unpack the Crackme, not to remove the messagebox
        only, but to get/write down the Address that needs to be patched. Ok,
        run Crackme again, don't close it yet! Now run LordPE, scroll down till
        you see like this:
Path                      PID        ImageBase   ImageSize
c:\Crkme\ASPCrackme.exe   000007D8   00400000    00010000
^^^^^^^^^^^^^^^^^^^^^^^
This path might be different where you stored the Crackme!
Ok good, now RightClick on that line and select "dump full...", then save
the dumped to wherever you want. You'll see we got dumped.exe with 65,536
bytes in size. Now close Crackme, don't close LordPE yet!
Step 7. Now we need to rebuild the PE headers since the dumped.exe won't run
        good. In LordPE, click "Rebuild PE" and select dumped.exe file. You'll
        see Rebuild Status, and it has been finished rebuilding. Now try run
        dumped.exe, good it runs fine now. Close it now. Again, don't close
        LordPE yet.
Step 8. Now run W32Dasm and open dumped.exe. WTF? It's not disassembled...
        Oh yes, PE sections in dumped.exe aren't fixed yet. Go back to LordPE,
        click "PE Editor", select dumped.exe. Click "Sections". Ok, wtf are we
        doing? On the first line you'll see like this:
Name   VOffset    VSize      ROffset    RSize      Flags
CODE   00001000   00005000   00000400   00004A68   C0000040
You see "C0000040"? That flags means it's readable, writeable, and no
executable code. Normally I use HIEW to change the flags from:
11000000 00000000 00000000 01000000 | C0000040
to
11100000 00000000 00000000 00100000 | E0000020
But within LordPE, it's easier for you. Ok, back at LordPE. RightClick and
select "edit section header..." Change C0000040 to E0000020, or simply click
"..." button, you'll see checkboxes. Just check the following boxes:
1. Executable as code
2. Readable
3. Writeable
4. Contains executable code
Uncheck other boxes, you'll see flags changed at "Current Value". Ok, save and
close LordPE.
Step 9. Again run W32Dasm and open dumped.exe. Great, it's disassembled now.
        Now our task is to remove the messagebox, as I said, I'm not
        teaching you how to crack it, so we skip the "how/why" part. Now click
        Str.Refs button, scroll down to: "C'mon...you gotta remove this" and
        DoubleClick on it. Now we're at like this:
* Referenced by a CALL at Address:
|:004057F9 <--- we gotta goto this address...
|
* Possible StringData Ref from Code Obj ->"C'mon...you gotta remove this "
                                        ->"NAG!!"
                                  |
:00405904 B818594000              mov eax, 00405918
:00405909 E8B2E1FFFF              call 00403AC0
:0040590E C3                      ret
Now press Shift-F12 and type 4057F9. And we land here:
:004057F9 E806010000              call 00405904
This is the address we gotta nop the call, the offset is 4BF9. Write down this
address: 4057F9 on paper.
Step 10. Now run HIEW and open dumped.exe, press F5, type 4BF9. Then press F3
         to edit, type 9090909090, F9 to save. Close HIEW and run dumped.exe.
         Great, the messagebox is gone. We got OEP address, we got the address
         where we removed the messagebox, we used 5 bytes (90 90 90 90 90).
         Now our next task is to do Inline Patch finally.
Step 11. Ok, go back to HIEW and open Crackme.exe. First we need space where
         we can insert the patch instructions in Crackme. We look around and
         found lots space at 40E100 (Offset: 4D00). Ok good, we have this
         address too. Now you remember the address where it tells ASPack the
         real OEP? It's at 40D3BA (Offset: 3FBA) right? Let's goto 40D3BA
         (press F5 and type 3FBA), we are at:
.0040D3AF: 61                 popad
.0040D3B0: 7508               jne 00040D3BA    <--- we gotta change this to JUMP to
.0040D3B2: B801000000         mov eax,000000001     40E100, to do Inline Patch
.0040D3B7: C20C00             retn 0000C            instructions, when done patching
.0040D3BA: 6800000000         push 000000000        then it goes back here at the
.0040D3BF: C3                 retn                  40D3B7 address.
Scroll up to 40D3B0, press F3, press TAB, then type: jmp 4D00, then nop 2
bytes (90 90), then F9 to save. We get like this:
.0040D3AF: 61                 popad
.0040D3B0: E94B0D0000         jmp .00040E100
.0040D3B5: 90                 nop
.0040D3B6: 90                 nop
.0040D3B7: C20C00             retn 0000C
.0040D3BA: 6800000000         push 000000000
.0040D3BF: C3                 retn
Step 12. Ok, good so far. Let's goto 40E100 (press F5, type 4D00), let's
         insert Patch Instructions. Press F3, then TAB, then type the following:
mov d, [004057F9], 090909090
mov b, [004057FD], 090
push 00405A34
ret
After saved with F9, we get like this:
.0040E100: C705F957400090909090  mov d,[004057F9],090909090
.0040E10A: C605FD57400090        mov b,[004057FD],090
.0040E111: 68345A4000            push 000405A34
.0040E116: C3                    retn
Ok, lemme explain what the fuck is what:
You remember we did 5 bytes to remove the messagebox? So we can only move a
maximum of 4 bytes at a time, so that's why we first move 4 bytes, then
finally the last 1 byte.
mov d, [location], 0xxxxxxxx    : d = double word = 4 bytes
mov w, [location], 0xxxx        : w = word        = 2 bytes
mov b, [location], 0xx          : b = byte        = 1 byte
See? Good, also remember if you want to store 2 bytes into a certain
location example: EB 10, you type: mov w, [location], 010EB
Notice that the order of bytes is reversed, as the last byte will be stored
first. Let's say for example in 7 bytes: C6 05 95 76 40 00 01, we do then:
mov d, [location], 0769505C6     <--- It's better to insert 0 in front,
mov w, [location], 00040              otherwise it'll be refused.
mov b, [location], 001
Ok, we typed in Crackme above as we did:
mov d, [004057F9], 090909090     <--- first 4 bytes
mov b, [004057FD], 090           <--- last 1 byte
push 00405A34                    <--- we push the real OEP (remember we found OEP?)
retn                             <--- we go back to 40D3B7.
Step 13. Now close HIEW and try run Crackme....see? It runs good, we did it!!
Note: I know there are few tutors on Inline Patch out there, but as you know
me, I try my best to teach in easy way to learners ;) Of course the credits
goto all the crackers that did in their tutorials. So I really hope this
tutorial helps a lot to you learners! Also watch out for next tutorial how to
do Inline Patch on ASProtect. You can sleep now, don't worry and fear! ;)
Enjoy it, tKC....................tkc@reaper.org
2006-10-1 22:38
0
雪    币: 2950
活跃值: (1793)
能力值: ( LV9,RANK:850 )
在线值:
发帖
回帖
粉丝
23
我靠,重翻 一次,居然补丁成功了!!
2006-10-1 23:23
0
游客
登录 | 注册 方可回帖
返回
//