垃圾代码生成
垃圾代码生成
/*
__declspec(naked) void pre_poly_handler()
{
_asm
{
pushfd
add dword ptr [esp], 0xdeadbeef
sub esp, 4
_emit 0x11
_emit 0x11
_emit 0x11
_emit 0x11
}
}
__declspec(naked) void post_poly_handler()
{
_asm
{
sub dword ptr [esp+4], 0xdeadbeef
add esp, 4
popfd
_emit 0x11
_emit 0x11
_emit 0x11
_emit 0x11
}
}
DWORD get_stub_size(void* stub_address)
{
BYTE stub_end[] = {0x11, 0x11, 0x11, 0x11};
DWORD stub_size = 0;
while(TRUE)
{
if(!memcmp((BYTE*)stub_address + stub_size, stub_end, sizeof(stub_end)))
{
return stub_size;
}
stub_size++;
}
}
DWORD get_stub_fixup_offset(void* stub_address, DWORD magic, DWORD size)
{
DWORD offset = 0;
while(offset < size)
{
if(!memcmp((BYTE*)stub_address + offset, &magic, sizeof(DWORD)))
{
return offset;
}
offset++;
}
return 0;
}
__declspec(naked) void poly_jmp()
{
_asm
{
_emit 0xe9
_emit 0xef
_emit 0xbe
_emit 0xad
_emit 0xde
_emit 0x11
_emit 0x11
_emit 0x11
_emit 0x11
}
}
__declspec(naked) void poly_call1()
{
_asm
{
sub esp, -4
_emit 0xe8
_emit 0xef
_emit 0xbe
_emit 0xad
_emit 0xde
_emit 0x11
_emit 0x11
_emit 0x11
_emit 0x11
}
}
__declspec(naked) void poly_call2()
{
_asm
{
add esp, 4
_emit 0xe8
_emit 0xef
_emit 0xbe
_emit 0xad
_emit 0xde
_emit 0x11
_emit 0x11
_emit 0x11
_emit 0x11
}
}
__declspec(naked) void poly_call3()
{
_asm
{
pop dword ptr [esp-4]
_emit 0xe0
_emit 0xef
_emit 0xbe
_emit 0xad
_emit 0xde
_emit 0x11
_emit 0x11
_emit 0x11
_emit 0x11
}
}
__declspec(naked) void poly_call4()
{
_asm
{
lea esp, dword ptr[esp+4]
_emit 0xe0
_emit 0xef
_emit 0xbe
_emit 0xad
_emit 0xde
_emit 0x11
_emit 0x11
_emit 0x11
_emit 0x11
}
}
void make_poly(BYTE* buf, DWORD size)
{
DWORD tmp = 0;
DWORD key = 0;
DWORD offset = 0;
DWORD pre_poly_size = get_stub_size((void*)pre_poly_handler);
DWORD post_poly_size = get_stub_size((void*)post_poly_handler);
DWORD poly_jmp_size = get_stub_size((void*)poly_jmp);
DWORD poly_call1_size = get_stub_size((void*)poly_call1);
DWORD poly_call2_size = get_stub_size((void*)poly_call2);
DWORD poly_call3_size = get_stub_size((void*)poly_call3);
DWORD poly_call4_size = get_stub_size((void*)poly_call4);
DWORD puresize = size - post_poly_size;
memset(buf, 0x90, size);
BYTE lastjunk = 0;
BYTE junk = 0;
if(size < pre_poly_size + poly_call4_size + post_poly_size)
{
return;
}
key = GetRandomDword();
memcpy(buf, (void*)pre_poly_handler, pre_poly_size);
memcpy(buf + get_stub_fixup_offset(buf, 0xdeadbeef, pre_poly_size), &key, sizeof(DWORD));
offset += pre_poly_size;
while(offset + poly_call4_size <= puresize)
{
DWORD tmp = GetRandomByte()%5;
switch(tmp)
{
case 0:
memcpy(buf + offset, (void*)poly_jmp, poly_jmp_size);
offset += poly_jmp_size;
break;
case 1:
memcpy(buf + offset, (void*)poly_call1, poly_call1_size);
offset += poly_call1_size;
break;
case 2:
memcpy(buf + offset, (void*)poly_call2, poly_call2_size);
offset += poly_call2_size;
break;
case 3:
memcpy(buf + offset, (void*)poly_call3, poly_call3_size);
offset += poly_call3_size;
break;
case 4:
memcpy(buf + offset, (void*)poly_call4, poly_call4_size);
offset += poly_call4_size;
break;
}
tmp = GetRandomByte()%0x50;
if(offset + tmp <= puresize)
{
if(GetRandomByte()%3 == 0 && tmp >=post_poly_size)
{
memcpy(buf + offset, (void*)post_poly_handler, post_poly_size);
memcpy(buf + offset + get_stub_fixup_offset(buf + offset, 0xdeadbeef, post_poly_size), &key, sizeof(DWORD));
offset +=post_poly_size;
tmp -= post_poly_size;
}
else if(GetRandomByte()%3 == 0 && tmp >=pre_poly_size)
{
memcpy(buf + offset, (void*)pre_poly_handler, pre_poly_size);
memcpy(buf + offset + get_stub_fixup_offset(buf + offset, 0xdeadbeef, pre_poly_size), &key, sizeof(DWORD));
offset +=pre_poly_size;
tmp -= pre_poly_size;
}
while(tmp > 0)
{
junk = GetRandomByte();
if(junk == 0xde && lastjunk == 0xad)
{
junk++;
}
lastjunk = junk;
memcpy(buf + offset, &junk, sizeof(BYTE));
offset++;
tmp--;
}
}
}
DWORD fixup_offset = 0;
DWORD dest_offset = 0;
DWORD dest_offset_diff = 0;
fixup_offset = get_stub_fixup_offset(buf, 0xdeadbeef, puresize);
memset(buf + fixup_offset, 0, sizeof(DWORD));
while(get_stub_fixup_offset(buf, 0xdeadbeef, puresize))
{
tmp = GetRandomByte();
while(tmp > puresize)
{
tmp = GetRandomByte();
}
if(GetRandomByte()%2)
{
if(get_stub_fixup_offset(buf + tmp, 0xdeadbeef, puresize - tmp))
{
dest_offset = tmp + get_stub_fixup_offset(buf + tmp, 0xdeadbeef, puresize - tmp);
}
}
else
{
if(get_stub_fixup_offset(buf + puresize - tmp, 0xdeadbeef, tmp))
{
dest_offset = puresize - tmp + get_stub_fixup_offset(buf + puresize - tmp, 0xdeadbeef, tmp);
}
}
if(dest_offset != 0)
{
dest_offset_diff = dest_offset - fixup_offset - 5;
if(*(buf + dest_offset - 1) == 0xe0)
{
dest_offset_diff -= 4;
}
else if(*(buf + dest_offset - 1) == 0xe8)
{
dest_offset_diff -= 3;
}
if(*(buf + fixup_offset - 1) == 0xe0)
{
memset(buf + fixup_offset - 1, 0xe8, sizeof(BYTE));
}
memcpy(buf + fixup_offset, &dest_offset_diff, sizeof(DWORD));
fixup_offset = dest_offset;
memset(buf + fixup_offset, 0, sizeof(DWORD));
}
}
dest_offset = puresize - fixup_offset - 5 + 1;
if(*(buf + fixup_offset - 1) == 0xe0)
{
memset(buf + fixup_offset - 1, 0xe8, sizeof(BYTE));
}
memcpy(buf + fixup_offset, &dest_offset, sizeof(DWORD));
DWORD fill_size = puresize - offset;
wmc.FillBytes((char*)buf + offset, fill_size);
offset += fill_size;
memcpy(buf + puresize, (void*)post_poly_handler, post_poly_size);
memcpy(buf + puresize + get_stub_fixup_offset(buf + puresize, 0xdeadbeef, post_poly_size), &key, sizeof(DWORD));
}
*/