-
-
[原创]PELoader + 多线程解密的壳样例
-
发表于:
2009-4-18 13:26
9843
-
最近人变懒了,专题一直没有更新,放一个小技巧出来耍耍。是原先那个随机密码的应用和PE Loader的应用都在这个例子中有体现。一般的壳是附加到应用程序上,这个是相反的想法,把应用程序反附加到壳上.然后随机加密(在一个范围内本例子中是 0 - 0100h).壳在启动后创建0100h个线程并利用线程号解密,当唯一正确的线程解密后利用PE LOADER把正确代码加载到争取的位置并修复引入表。这个样例的很大缺陷是只有被加壳的程序的ImageBase和壳的ImageBase相同是才可以加载争取。打包程序的代码没有考虑末尾数据有些不稳定。有兴趣的朋友再继续研究吧。
样例的代码有三部分
这部分为启动部分
;; ----------------------------------------
;; code segment
;; ----------------------------------------
.code
;; ----------------------------------------
;; function statement
;; ----------------------------------------
AntiKV proto szFilePath : LPSTR
CheckPacketSuccessRate proto szFilePath : LPSTR
;; AntiAV start
AntiKV_Start:
ifdef DEBUG_ANTIAV
lea edi, g_szTarget
else
;; get command line
invoke GetCommandLine ; eax = command line
mov edi, eax ; edi = command line
mov al, ' ' ; al = 020h
mov ecx, MAX_PATH ; ecx = MAX PATH length
repnz scasb ; edi = target file path
endif
;; decrypt it
invoke AntiKV, edi
;; exit
invoke ExitProcess, 1
;; Anti KV
AntiKV proc uses ebx ecx edx edi esi, szFilePath : LPSTR
;; start check the packet success rate
invoke CheckPacketSuccessRate, edi
test eax, eax
jz Error_AntiKV
;; rebuild new exe
invoke ReBuildNewExe, szFilePath, 0100h
lea eax, g_szSuccessPacket
invoke crt_printf, eax
Exit_AntiKV:
assume esi : nothing
assume edi : nothing
xor eax, eax
ret
Error_AntiKV:
lea eax, g_szCanotLoad
invoke crt_printf, eax
jmp Exit_AntiKV
AntiKV endp
CheckPacketSuccessRate proc uses ebx ecx edx edi esi, szFilePath : LPSTR
LOCAL pPointer : LPVOID
;; init data
mov pPointer, NULL
;; map file
invoke MapFile2Mem, szFilePath, 0, addr pPointer, 1
test eax, eax ; eax = file memory size
jz Error_CheckPacketSuccessRate
mov esi, pPointer
add esi, dword ptr [esi+03ch] ; esi = PE header
assume esi : ptr IMAGE_NT_HEADERS
; eax = ImageBase
mov eax, dword ptr [esi].OptionalHeader.ImageBase
cmp eax, 00400000h ; check ImageBase == lprotecter ImageBase
jnz Error_CheckPacketSuccessRate
invoke FreeMemory, addr pPointer
mov eax, 1 ; set return success value
Exit_CheckPacketSuccessRate:
assume esi : nothing
ret
Error_CheckPacketSuccessRate:
cmp pPointer, NULL
invoke FreeMemory, addr pPointer
jz @F
@@:
xor eax, eax ; eax = 0 failed value
jmp Exit_CheckPacketSuccessRate
CheckPacketSuccessRate endp
end AntiKV_Start
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
学习
膜拜. 能不能介绍一下怎么才能把汇编代码写的这么熟练
