好长时间没来了 
- //by:nt_12
- // Cheat Engine auto-assembler script for a 32-bit target. Numeric literals are hexadecimal
- // (e.g. 4550 below is the "PE\0\0" signature, 40 is PAGE_EXECUTE_READWRITE).
- // All structure offsets used are 32-bit PEB / PE32 / CONTEXT layouts; the export-list slot
- // numbers further down are hard-coded for one specific OS build and one specific target exe.
- alloc(newmem,9966000)
- label(returnhere)
- label(SEH)
- label(originalcode)
- label(xxxx)//SEH chain
- label(PEhandle)
- label(Addressloop)
- label(WIN7)
- label(WINXP)
- label(Addressloop1)
- label(TTT9)
- label(ASD)
- label(VBV)
- label(JJH)
- label(IIU)
- label(XCV)
- label(GGHG)
- label(WIN7Base)
- label(UUU9)
- label(BNCE)
- label(ZCV)
- label(MMN)
- label(KJH)
- label(YBN)
- label(KMNJ)
- label(LKJ)
- label(SDF)
- label(QWE)
- label(baseloop)
- define(base,"newmem"+800)//image base of the process (same slot as the first dllenter entry)
- define(espsc,"newmem"+7FC)//ESP as it was on entry, saved before anything is pushed
- define(ver,"newmem"+7F8)//OS major version read from the PEB (only 5 vs. "anything else" is distinguished)
- define(number,"newmem"+7F4)//byte offset of the VirtualProtect slot inside the kernel32 export list (hard-coded per OS)
- define(ikns,"newmem"+7EC)//receives the previous page protection from VirtualProtect (it is never written back)
- define(vp,"newmem"+7F0)//resolved address of VirtualProtect
- define(loader,"newmem"+100000)//backup copy of the .text bytes; only used by the commented-out backup/restore blocks //*adjust the size to your own needs
- define(BCB,"newmem"+1000)//start address of the .text section
- define(HYCC,"newmem"+1100)//"restore pending" flag; only ever set inside the commented-out restore block
- define(DCD,"newmem"+1200)//size of the .text section
- define(dllenter,"newmem"+800)//list of loaded-module bases: image base first, then the init-order module list //*adjust the size to your own needs
- define(APIAddress,"newmem"+10000)//one export-address list per module, lists separated by a zero dword //*adjust the size to your own needs
- define(FSTSWAX,"newmem"+80000)//addresses of every DF E0 (FSTSW AX) byte pair found in the first section //*adjust the size to your own needs
- //label(CMP2)
- //label(CMP1)
- //label(HYIM)
- // NOTE(review): HYIM, CMP1 and CMP2 are declared here only in comments and defined only inside the
- // commented-out backup/restore blocks, yet KMNJ ends with `JNZ HYIM`. Re-enable all of them together
- // or that jump has no target — verify how CE resolves it before relying on this script.
- newmem: //this is allocated memory, you have read,write,execute access
- //place your code here
- originalcode:
- MOV [espsc],ESP
- // Re-emit here the instructions that the 5-byte JMP at "pe.exe"+1000 overwrote.
- // Install the SEH frame. KJH is only reached via `JMP KJH` at the end of the ntdll patch below;
- // on first entry execution jumps straight to LKJ.
- xxxx:
- JMP LKJ
- KJH:
- xor eax,eax
- PUSH SEH
- PUSH DWORD PTR FS:[0]
- MOV DWORD PTR FS:[0],ESP
- //JMP loader //run the backed-up code and jump to SEH; to use this, comment out Xor Eax,Eax and Div Eax
- DIV EAX
- // ^ divide by zero raises an exception so that the handler at SEH runs. The handler only rewrites
- // CONTEXT.Eip, so execution resumes with ESP still two dwords below [espsc] and with FS:[0] still
- // pointing at the frame pushed above — see the note in the SEH block.
- // The handler lives in allocated (non-image) memory; the author's comment at TTT9 says the ntdll
- // patch exists to make this work on Win7.
- LKJ:
- //Collect module bases into dllenter. Register roles: EBX = output cursor, EAX/EDI = current list link.
- PUSHAD
- MOV EBX,dllenter
- MOV EAX,DWORD PTR FS:[30] //PEB
- MOV ECX,EAX
- ADD ECX,8
- MOV ECX,[ECX] //PEB+8: image base of the process
- MOV [EBX],ECX //dllenter[0] = image base; this is also what [base] reads
- ADD EBX,4
- MOV EAX,DWORD PTR DS:[EAX+C] //PEB+C: loader data (presumably PEB.Ldr on the 32-bit PEB)
- MOV EAX,DWORD PTR DS:[EAX+1C] //+1C: first link of the initialization-order module list
- baseloop:
- MOV EDI,EAX
- MOV EAX,DWORD PTR DS:[EAX+8] //link+8: DllBase of this entry
- MOV DWORD PTR DS:[EBX],EAX //append; the final 0 is appended too and acts as the terminator
- ADD EBX,4
- CMP EAX,0 //the list head carries no DllBase -> stop
- MOV EAX,EDI
- MOV EAX,DWORD PTR DS:[EAX] //Flink
- MOV EDI,EAX
- JNZ baseloop //flags are still those of CMP EAX,0 (MOV does not alter them)
- // NOTE(review): there is no upper bound on the number of entries; the list is written at newmem+800
- // and the scratch slot newmem+2800 used by the export walk sits 0x2000 bytes (2048 modules) above it.
- POPAD
- //Resolve every module's export addresses into APIAddress: for each base in dllenter, one list of
- //(base + AddressOfFunctions[i]) dwords, followed by one untouched (zero) dword as separator.
- //Register roles: EAX = dllenter cursor (preserved on the stack across the inner walk), EDI = output cursor.
- PUSHAD
- MOV EAX,dllenter
- MOV EDI,APIAddress //output cursor
- Addressloop1:
- MOV EBX,[EAX]
- PUSH EAX
- MOV [newmem+2800],EBX
- MOV ECX,DWORD PTR DS:[newmem+2800]//module base (scratch slot)
- MOV EAX,ECX
- PEhandle:
- ADD EAX,4
- MOV ECX,DWORD PTR DS:[EAX]
- CMP ECX,4550 //"PE\0\0"
- JNZ PEhandle
- // NOTE(review): this finds the PE header by scanning dwords from base+4 instead of reading
- // e_lfanew at base+3C; it has no bound and can stop on any stray "PE\0\0" in the DOS stub.
- ADD EAX,78 //PE+78: export directory RVA (PE32 DataDirectory[0])
- MOV ECX,EAX
- MOV ECX,[ECX]
- MOV ESI,[newmem+2800]
- ADD ESI,ECX
- ADD ESI,1C //export directory +1C: AddressOfFunctions RVA
- MOV EDX,[esi-8] //export directory +14: NumberOfFunctions
- ADD EBX,[ESI] //EBX = base + AddressOfFunctions
- // NOTE(review): a module with no export directory (RVA 0, typical for the exe in dllenter[0]) is not
- // skipped; ESI then points into the DOS header and the fields read above are whatever sits there.
- MOV EAX,[EBX]
- ADD EAX,DWORD PTR DS:[newmem+2800] //dead: EAX is recomputed on the first loop iteration
- Addressloop:
- MOV ECX,[EBX]
- MOV EAX,[newmem+2800]
- ADD EAX,ECX //base + RVA; forwarded exports are not detected and get the same treatment
- ADD EBX,4
- MOV [EDI],EAX
- ADD EDI,4
- DEC EDX
- CMP EDX,-1
- JNZ Addressloop
- // NOTE(review): the loop runs NumberOfFunctions+1 times (it stops only after EDX reaches -1), so one
- // dword past the end of AddressOfFunctions is read and emitted as an extra entry.
- ADD EDI,4 //skip one dword: the separator between lists (relies on newmem being zero-filled)
- POP EAX
- PUSHFD
- ADD EAX,4
- POPFD //the PUSHFD/POPFD pair is redundant: CMP below sets the flags anyway
- CMP [EAX],0 //dllenter terminator
- JNZ Addressloop1
- POPAD
- //Walk the first section of the main image and record every FSTSW AX (DF E0) byte pair (any byte
- //pattern could be searched the same way). This is a raw byte scan, not a disassembly, so DF E0 inside
- //immediates or data is recorded as well.
- //This PUSHAD is balanced by the POPAD just before `JMP KJH` at the end of the ntdll patch.
- PUSHAD
- MOV EAX,[base]
- MOV EDI,[base]
- ASD:
- ADD EAX,4
- MOV ECX,DWORD PTR DS:[EAX]
- CMP ECX,4550 //"PE\0\0" (same unbounded signature scan as PEhandle)
- JNZ ASD
- MOV EDX,DWORD PTR DS:[EAX+100] //first section header: VirtualSize
- MOV EAX,DWORD PTR DS:[EAX+104] //first section header: VirtualAddress
- // ^ PE+100/+104 are the first section header's VirtualSize/VirtualAddress only when the optional
- // header has the default PE32 size (section table at PE+F8); SizeOfOptionalHeader is not consulted,
- // and the first section is assumed to be the code section — confirm for the target binary.
- ADD EAX,EDI //start address of the first section
- //↓ backup of the code/data (disabled)
- /*
- PUSHAD
- MOV [BCB],EAX //save .text start
- MOV [DCD],EDX //save .text size
- MOV EDI,loader
- CMP1:
- MOV BL,[EAX] //copy .text byte by byte
- MOV [EDI],BL
- INC EAX
- INC EDI
- DEC EDX //bytes remaining
- CMP EDX,0 //done?
- JNZ CMP1
- POPAD
- */
- //----------------------------------------------------
- //↓ restore of the code/data (disabled)
- /*
- MOV,[HYCC],1 //flag (note the stray comma after MOV; it will not assemble as written)
- JMP GGHG
- HYIM:
- PUSH ikns
- PUSH 40
- PUSH [DCD]
- PUSH [BCB]
- CALL [vp] //VirtualProtect(.text, size, PAGE_EXECUTE_READWRITE, &ikns)
- PUSHAD
- MOV EDI,[BCB]
- MOV EBX,[DCD] //bytes to restore
- MOV EDX,loader
- CMP2:
- MOV BL,[EDX] //(BL is the low byte of the EBX counter; see before enabling)
- MOV [EDI],BL
- INC EDI
- INC EDX
- DEC EBX
- CMP EBX,0
- JNZ CMP2
- POPAD
- JMP UUU9
- */
- GGHG:
- MOV EBX,FSTSWAX //output cursor (no bound check against the buffer size)
- QWE:
- CMP EDX,0
- PUSHFD
- DEC EDX //bytes remaining; the PUSHFD/POPFD keeps the CMP result for the JE
- POPFD
- JE XCV
- SDF:
- ADD EAX,1 //pre-increment: the very first byte of the section is never examined
- MOV CL,BYTE PTR DS:[EAX]
- CMP CL,0DF //first opcode byte to look for
- JNZ QWE
- ADD EAX,1
- MOV CL,BYTE PTR DS:[EAX]
- CMP CL,0E0 //second opcode byte to look for
- JNZ SDF
- DEC EAX
- MOV [EBX],EAX //record the address of the DF byte
- ADD EBX,4
- INC EAX
- JMP SDF
- // NOTE(review): bytes consumed on the DF path (the E0 check and the recorded match) do not decrement
- // EDX, so the scan can run a few bytes past the end of the section, one per DF byte encountered.
- XCV:
- MOV EAX,DWORD PTR FS:[30] //PEB
- MOV EAX,DWORD PTR DS:[EAX+A4] //OS version (presumably OSMajorVersion on the 32-bit PEB)
- CMP EAX,5
- MOV [ver],EAX //MOV leaves the flags of the CMP intact
- JNZ WIN7 //major version 5 -> XP path; every other version (Vista, 8, 10, ...) takes the "Win7" path
- WINXP:
- MOV EAX,[APIAddress+BC] //WINXP: hard-coded slot of KiUserExceptionDispatcher in the export lists
- // NOTE(review): there is no `JMP VBV` here, so this value is immediately overwritten by the WIN7 load
- // below and both paths end up using [APIAddress+1C4]. Add `JMP VBV` after the MOV above if the XP slot
- // is meant to be used.
- WIN7:
- MOV EAX,[APIAddress+1C4] //WIN7: hard-coded slot of KiUserExceptionDispatcher in the export lists
- // ^ Both offsets index APIAddress from its very start, so they depend on the length of the first
- // list (the exe's) as well as on the ntdll build; any other ntdll version yields an unrelated address
- // and the byte scans below then patch whatever happens to match.
- VBV:
- ADD EAX,1 //pre-increment: the first byte of the routine is skipped
- CMP BYTE PTR [EAX],E8 //first E8 byte (CALL rel32) — a byte scan, so this need not be an opcode
- JNZ VBV
- MOV EDI,EAX
- ADD EAX,1
- MOV EBX,EAX
- MOV EBX,[EBX] //rel32
- ADD EDI,EBX
- ADD EDI,5 //call target = address of E8 + 5 + rel32
- MOV EAX,EDI
- //Inside the called routine, look for the byte sequence FF 73 04 8D 45 EC 50 FF 75 0C 53 56
- //(push [ebx+4]; lea eax,[ebp-14]; push eax; push [ebp+C]; push ebx; push esi).
- //On a mismatch the scan resumes at the current byte, not at the byte after the last candidate start,
- //and there is no upper bound on how far it reads.
- ZCV:
- ADD EAX,1
- CMP BYTE PTR [EAX],FF
- JNZ ZCV
- ADD EAX,1
- CMP BYTE PTR [EAX],73
- JNZ ZCV
- ADD EAX,1
- CMP BYTE PTR [EAX],04
- JNZ ZCV
- ADD EAX,1
- CMP BYTE PTR [EAX],8D
- JNZ ZCV
- ADD EAX,1
- CMP BYTE PTR [EAX],45
- JNZ ZCV
- ADD EAX,1
- CMP BYTE PTR [EAX],EC
- JNZ ZCV
- ADD EAX,1
- CMP BYTE PTR [EAX],50
- JNZ ZCV
- ADD EAX,1
- CMP BYTE PTR [EAX],FF
- JNZ ZCV
- ADD EAX,1
- CMP BYTE PTR [EAX],75
- JNZ ZCV
- ADD EAX,1
- CMP BYTE PTR [EAX],0C
- JNZ ZCV
- ADD EAX,1
- CMP BYTE PTR [EAX],53
- JNZ ZCV
- ADD EAX,1
- CMP BYTE PTR [EAX],56
- JNZ ZCV
- SUB EAX,11 //back to the FF of push [ebx+4]
- MOV EBX,6 //patch length: the 6 bytes FF 73 04 8D 45 EC
- PUSH EAX
- PUSH EBX
- IIU:
- JMP KMNJ //make ntdll's code section writable first (KMNJ returns via JMP UUU9)
- UUU9:
- POP EBX
- POP EAX
- TTT9:
- MOV BYTE PTR [EAX],90 //overwrite with NOP
- INC EAX
- DEC EBX
- CMP EBX,0
- JNZ TTT9
- //KiRaiseUserExceptionDispatcher Patch Win7 SEH BUG
- // ^ author's note. This writes into ntdll's code in-process; if the patched instructions are part of
- // the exception dispatcher's handler validation (the apparent intent, since the handler at SEH is in
- // non-image memory), the patch disables that protection for the whole process. Confirm against the
- // actual ntdll build before use; the write itself is also visible to anything hooking or checking ntdll.
- POPAD //balances the PUSHAD at the start of the FSTSW scan
- JMP KJH //now install the SEH frame and trigger the exception
- PUSHAD //unreachable: sits between an unconditional JMP and a label that is only reached by JMP KMNJ
- KMNJ:
- //Resolve VirtualProtect from the kernel32 export list and make ntdll's code section RWX.
- //Entered with the FSTSW-scan PUSHAD still active and EAX/EBX (patch address/length) pushed by IIU.
- CMP [ver],5
- JNZ WIN7Base
- //XP: kernel32.dll base
- MOV EAX,APIAddress
- MOV EBX,2 //XP: kernel32's list is the one after the 2nd separator (exe, ntdll, kernel32)
- MOV [number],DD4//hard-coded byte offset of VirtualProtect in XP's kernel32 list
- JMP JJH
- WIN7Base:
- MOV EAX,APIAddress
- MOV [number],13BC//hard-coded byte offset of VirtualProtect in Win7's kernel32 list
- MOV EBX,3 //Win7: kernel32's list is the one after the 3rd separator (exe, ntdll, kernelbase, kernel32)
- JJH:
- ADD EAX,4
- CMP DWORD PTR [EAX],0 //separator between lists
- JNZ JJH
- DEC EBX
- CMP EBX,0
- JNZ JJH
- ADD EAX,4 //first entry of the selected list
- MOV ECX,[number]
- MOV EAX,[EAX+ECX] //VirtualProtect
- // NOTE(review): the slot is picked purely by position. On any other kernel32 build (or if the
- // init-order list differs) CALL EAX below calls an arbitrary export with these arguments. Matching the
- // name via AddressOfNames/AddressOfNameOrdinals would remove the dependency on these constants.
- MOV EBX,[dllenter+4]//ntdll base -> EBX
- MOV EDX,[dllenter+4]//ntdll base -> EDX
- BNCE:
- ADD EBX,4
- MOV EDI,DWORD PTR DS:[EBX]
- CMP EDI,7865742E //".tex" (little-endian), i.e. the ".text" section header name
- JNZ BNCE
- ADD EBX,8
- MOV ESI,[EBX] //section VirtualSize
- ADD EBX,4
- MOV EBX,[EBX] //section VirtualAddress
- ADD EBX,EDX
- PUSH ikns
- PUSH 40 //PAGE_EXECUTE_READWRITE
- PUSH ESI
- PUSH EBX
- MOV [vp],EAX
- CALL EAX //VirtualProtect(ntdll .text, size, PAGE_EXECUTE_READWRITE, &ikns)
- // NOTE(review): the return value is not checked (a zero return means the write at TTT9 will fault
- // before any handler is installed), and the old protection saved in ikns is never written back, so
- // ntdll's whole code section stays writable for the life of the process. Restore it after TTT9.
- CMP [HYCC],0
- JNZ HYIM //HYIM only exists inside the commented-out restore block; HYCC is only set there as well
- JMP UUU9
- //FSTSW AX collection is done; see FSTSWAX. Raising an exception through SEH and then `JMP loader`
- //works better (author's note).
- //Once the function addresses are available, match them against the export table of the module for the
- //running OS before calling them.
- //At this point the script can call most of the APIs it normally needs.
- //Arbitrary code can be placed here and call system APIs with PUSH/CALL using the resolved addresses.
- //--------------------------------------------------------
- SEH:
- //Exception handler installed by KJH. Arguments (cdecl): [ESP+4] ExceptionRecord, [ESP+8] EstablisherFrame,
- //[ESP+C] ContextRecord. It redirects CONTEXT.Eip to returnhere and returns 0 (continue execution).
- MOV EAX,DWORD PTR SS:[ESP+C] //CONTEXT*
- XOR ESI,ESI//---------zero value used by the (disabled) register clears below
- //---------------------------------------------------------
- MOV EDI,[base]
- YBN:
- ADD EDI,4
- MOV ECX,DWORD PTR DS:[EDI]
- CMP ECX,4550 //"PE\0\0" (same unbounded signature scan as elsewhere)
- JNZ YBN
- ADD EDI,28 //PE+28: AddressOfEntryPoint
- MOV ECX,[base]
- ADD ECX,[EDI]
- ADD ECX,5 //entry point + 5: if the injected JMP sits at the entry point, this equals returnhere
- CMP ECX,returnhere
- JNZ MMN
- MOV EDI,[espsc]
- SUB EDI,4
- MOV DWORD PTR DS:[EAX+4],EDI//---------CONTEXT.Dr0 = entry ESP - 4 (hardware breakpoint address)
- MOV DWORD PTR DS:[EAX+18],???//CONTEXT.Dr7 — placeholder the author left to be filled in; does not assemble as written
- XOR EDI,EDI
- //---------------------------------------------------------
- MMN:
- //MOV DWORD PTR DS:[EAX+4],ESI//---------clear Dr0
- //MOV DWORD PTR DS:[EAX+8],ESI//---------clear Dr1
- //MOV DWORD PTR DS:[EAX+C],ESI//---------clear Dr2
- //MOV DWORD PTR DS:[EAX+10],ESI//---------clear Dr3
- //MOV DWORD PTR DS:[EAX+14],ESI//---------clear Dr6
- //MOV DWORD PTR DS:[EAX+18],ESI//---------clear Dr7
- //MOV DWORD PTR DS:[EAX+8C],ESI//---------clear SegGs
- //MOV DWORD PTR DS:[EAX+90],ESI//---------clear SegFs
- //MOV DWORD PTR DS:[EAX+94],ESI//---------clear SegEs
- //MOV DWORD PTR DS:[EAX+98],ESI//---------clear SegDs
- //MOV DWORD PTR DS:[EAX+9C],ESI//---------clear Edi
- //MOV DWORD PTR DS:[EAX+A0],ESI//---------clear Esi
- //MOV DWORD PTR DS:[EAX+A4],ESI//---------clear Ebx
- //MOV DWORD PTR DS:[EAX+A8],ESI//---------clear Edx
- //MOV DWORD PTR DS:[EAX+AC],ESI//---------clear Ecx
- //MOV DWORD PTR DS:[EAX+B0],ESI//---------clear Eax
- //MOV DWORD PTR DS:[EAX+B4],ESI//---------clear Ebp
- //MOV DWORD PTR DS:[EAX+BC],ESI//---------clear SegCs
- //MOV DWORD PTR DS:[EAX+C0],ESI//---------clear EFlags
- //MOV DWORD PTR DS:[EAX+C4],ESI//---------clear Esp
- //MOV DWORD PTR DS:[EAX+C8],ESI//---------clear SegSs
- MOV DWORD PTR DS:[EAX+B8],returnhere//---------CONTEXT.Eip: where execution resumes
- // NOTE(review): only Eip is changed. CONTEXT.Esp (+C4) is left at the value from DIV EAX, i.e. 8 bytes
- // below [espsc] because of the two pushes in KJH, and FS:[0] still points at that frame. The original
- // code at returnhere therefore runs with a shifted stack and a dangling SEH record; write [espsc] to
- // +C4 and restore FS:[0] from the saved previous pointer before returning.
- XOR EAX,EAX //ExceptionContinueExecution
- RETN
- "pe.exe"+1000: //injection point
- jmp newmem //5-byte jump; the bytes it overwrites must be re-emitted at originalcode
- // NOTE(review): no disable section is shown here, so neither this JMP nor the NOPs written into ntdll
- // are ever undone.
- returnhere:
大部分功能都注释了 就不贴脚本功能了 另:WIN7真蛋疼 - =