짜증나는 어셈코딩

; Assembler: MASM32 (Intel syntax), target x86-32 flat model, Win32 stdcall.
; Build layout: the stock MASM32 tree (\masm32\include, \masm32\lib).
; What this file does (see MyMain): a loader stub that XOR-decrypts a table
; of sections inside its own image and then rebuilds the import address
; table by hand with LoadLibrary/GetProcAddress, after changing page
; protections with a VirtualProtect pointer it resolves at runtime.
; NOTE(review): in-place patching of the module's own sections after a
; VirtualProtect, plus API resolution from stack-assembled names, is the
; shape memory-protection-change telemetry and IAT-integrity checks key on;
; keep that in mind when reasoning about where this stub will run.
.486 
.model flat,stdcall 
option casemap:none 
include \masm32\include\windows.inc 
include \masm32\include\kernel32.inc 
includelib \masm32\lib\kernel32.lib 
include \masm32\include\user32.inc 
includelib \masm32\lib\user32.lib

MyMain proto                            ; stdcall, no arguments, no return value

.data 

; Section table consumed by MyMain: first DWORD = record count, then one
; 9-byte record per section: flag:BYTE, beginVA:DWORD, endVA:DWORD.
; MyMain reads the fields at +0, +1 and +5 of record 9*i, and its XOR loop
; treats endVA as an exclusive bound. The records below decode to
; (01h, 401000h..401026h), (00h, 402000h..402092h), (01h, 403000h..40300Bh).
; These are absolute VAs, never adjusted by imgBase — confirm they match
; the image this stub is meant to run inside.
;01h -> encrypted (XOR 10h is applied)
;00h -> not encrypted (import directory table)
encSections db 03h, 00h, 00h, 00h, 
01h, 00h, 10h, 40h, 00h, 26h, 10h, 40h, 00h, 
00h, 00h, 20h, 40h, 00h, 92h, 20h, 40h, 00h, 
01h, 00h, 30h, 40h, 00h, 0Bh, 30h, 40h, 00h
 
; 3 dup of 3 initialisers = 9 zeroed descriptors (180 bytes). MyMain fills
; [0] (user32) and [1] (kernel32); the remainder stay zero, which is what
; terminates the descriptor walk in MyMain.
ImportTables IMAGE_IMPORT_DESCRIPTOR 3 dup (<>, <>, <>) 
; Import name strings; MyMain stores their RVAs into user32APIs/kernel32APIs.
; They carry no IMAGE_IMPORT_BY_NAME hint word in front of the name.
strMsgBox db "MessageBoxA", 0 ; user32.dll
strCrtWindowExA db "CreateWindowExA", 0; user32.dll
strExitProcess db "ExitProcess", 0; kernel32.dll
strSleep db "Sleep", 0; kernel32.dll
strKernel32 db "kernel32.dll", 0
strUser32 db "user32.dll", 0
; Name-thunk arrays (OriginalFirstThunk targets): entries 0..1 receive the
; RVAs of the strings above, entry 2 stays 0 as the list terminator.
user32APIs dd 3 dup (0)
kernel32APIs dd 3 dup (0)
; IAT slots (FirstThunk targets); MyMain writes resolved addresses here.
IATuser32 dd 3 dup(0)
IATkernel32 dd 3 dup(0)
; Byte range MyMain copies over the import table: 3Ch = 60 bytes, i.e.
; exactly three IMAGE_IMPORT_DESCRIPTORs. Absolute VA, not relocated.
ksooSectionBeg dd 404000h
ksooSectionEnd dd 40403Ch

.data?
importAddress dd ?                      ; not referenced anywhere in this file

.code 
; Program entry: run the stub once, then terminate the process with code 0.
; MyMain is a stdcall PROTO with no arguments, so a plain call is the
; expansion `invoke MyMain` would produce; ExitProcess does not return.
start: 
        call    MyMain
        push    NULL                    ; uExitCode = 0
        call    ExitProcess

;-----------------------------------------------------------------------
; void MyMain(void)
; ABI:   stdcall, x86-32 flat model; the only caller is `start`.
; In:    nothing. Reads encSections, ImportTables, the str* tables,
;        user32APIs/kernel32APIs, ksooSectionBeg/End; obtains the image
;        base via GetModuleHandle(0).
; Out:   no return value (eax is left as the last VirtualProtect result).
; Clobb: eax, ebx, ecx, edx, esi, edi, flags. ebx/esi/edi are NOT saved,
;        which a stdcall caller would expect; `start` does not rely on them.
; Stack: LOCALs through the ebp frame. The API names pushed onto the stack
;        below (44 bytes in total) are never popped explicitly; the proc
;        epilogue reclaims them.
; Steps: (1) fill ImportTables[0..1] and the name-thunk arrays with RVAs,
;        (2) resolve VirtualProtect and FreeLibrary from stack-built names,
;        (3) VirtualProtect every encSections record to PAGE_READWRITE and
;            XOR 10h the ones flagged 01h,
;        (4) copy ksooSectionBeg..ksooSectionEnd over the import table,
;        (5) walk the descriptors: LoadLibrary + GetProcAddress into the IAT,
;        (6) restore the saved page protections.
; NOTE(review): several `lea reg,[x]` / `mov reg,[reg]` pairs are written
;        so a later patch can turn the lea into a same-length `mov reg,[mem]`
;        (the comment at `lea esi, [ImportTables]` shows the patched form);
;        do not "simplify" them without knowing the patch step.
; NOTE(review): no return value of LoadLibrary, GetProcAddress or
;        VirtualProtect is checked; a NULL from any of them is called or
;        dereferenced later. minyFreeLibrary is resolved but never used,
;        and no module loaded here is ever freed.
; NOTE(review): the thunk walk assumes name imports only; a thunk with the
;        high bit set (IMAGE_ORDINAL_FLAG32) would be treated as an RVA.
;-----------------------------------------------------------------------
MyMain proc

LOCAL sectionCnt:DWORD                  ; number of encSections records
LOCAL sectionBeg:DWORD                  ; current record's begin VA
LOCAL sectionEnd:DWORD                  ; current record's end VA (exclusive)
LOCAL sectionPtr:DWORD                  ; unused in this file
LOCAL minyHmod:DWORD                    ; unused in this file
LOCAL minyVirtualProtect:DWORD          ; VirtualProtect, resolved at runtime
LOCAL minyFreeLibrary:DWORD             ; FreeLibrary, resolved but never called
LOCAL minyOldProperties[20]:DWORD       ; old protection per record (capacity 20, never bounds-checked)
LOCAL minyModOfKernel32:DWORD           ; HMODULE of kernel32.dll
LOCAL importDesc:IMAGE_IMPORT_DESCRIPTOR ; unused in this file
;
LOCAL imgBase:DWORD                     ; module base from GetModuleHandle(0)
LOCAL wholePtr:DWORD                    ; current IMAGE_IMPORT_DESCRIPTOR
LOCAL INTPtr:DWORD                      ; current name-thunk entry (kept as RVA)
LOCAL IATPtr:DWORD                      ; current IAT slot (VA)
LOCAL tmpModule:DWORD                   ; HMODULE of the DLL being resolved
LOCAL gabage:DWORD                      ; lpflOldProtect sink for the restore pass
LOCAL isEnc:BYTE                        ; flag byte of the current record
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
invoke GetModuleHandle, 0               ; eax = our own image base
mov imgBase, eax; used below to convert VAs into RVAs
;db 1 DUP(121) ; (disabled) code-obfuscation filler byte
lea esi, [user32APIs]                   ; user32APIs[0] = RVA of "MessageBoxA"
mov [esi], offset strMsgBox
mov eax, imgBase
sub [esi], eax
lea esi, [user32APIs+4]                 ; user32APIs[1] = RVA of "CreateWindowExA"
mov [esi], offset strCrtWindowExA
mov eax, imgBase
sub [esi], eax
lea esi, [kernel32APIs]                 ; kernel32APIs[0] = RVA of "ExitProcess"
mov [esi], offset strExitProcess
mov eax, imgBase
sub [esi], eax
lea esi, [kernel32APIs+4]               ; kernel32APIs[1] = RVA of "Sleep"
mov [esi], offset strSleep;
mov eax, imgBase
sub [esi], eax
lea eax, [user32APIs]                   ; descriptor 0 = user32.dll, all fields as RVAs
sub eax, imgBase
mov ImportTables[0].OriginalFirstThunk, eax
mov ImportTables[0].TimeDateStamp, 0
mov ImportTables[0].ForwarderChain, 0
mov eax, offset strUser32;
sub eax, imgBase
mov ImportTables[0].Name1, eax
mov eax, offset IATuser32
sub eax, imgBase
mov ImportTables[0].FirstThunk, eax
lea eax, [kernel32APIs]                 ; descriptor 1 = kernel32.dll
sub eax, imgBase
mov ImportTables[type IMAGE_IMPORT_DESCRIPTOR*1].OriginalFirstThunk, eax
mov ImportTables[type IMAGE_IMPORT_DESCRIPTOR*1].TimeDateStamp, 0
mov ImportTables[type IMAGE_IMPORT_DESCRIPTOR*1].ForwarderChain, 0
mov eax, offset strKernel32;
sub eax, imgBase
mov ImportTables[type IMAGE_IMPORT_DESCRIPTOR*1].Name1, eax
mov eax, offset IATkernel32
sub eax, imgBase
mov ImportTables[type IMAGE_IMPORT_DESCRIPTOR*1].FirstThunk, eax
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Done building the same import layout the target image will have.
;invoke LoadLibrary
;minyModOfKernel
push 0                                  ; "kernel32.dll" assembled on the stack, NUL last
push 6c6c642eh                          ; ".dll"
push 32336C65h                          ; "el32"
push 6E72656Bh                          ; "kern"  (esp now points at the string)
invoke LoadLibrary, esp                 ; result unchecked
db 1 DUP(90h)                           ; NOP after each resolved call (presumably a patch marker; confirm)
mov minyModOfKernel32, eax
push 7463h                              ; "ct\0\0"
push 65746F72h                          ; "rote"
push 506C6175h                          ; "ualP"
push 74726956h                          ; "Virt" -> "VirtualProtect"
invoke GetProcAddress, minyModOfKernel32, esp ; result unchecked
db 1 DUP(90h)
mov minyVirtualProtect, eax
push 797261h                            ; "ary\0"
push 7262694Ch                          ; "Libr"
push 65657246h                          ; "Free" -> "FreeLibrary"
invoke GetProcAddress, minyModOfKernel32, esp ; result unchecked and never used
db 1 DUP(90h)
mov minyFreeLibrary, eax
;------------------------------------------------------
; Pass 1: make every listed section writable, decrypt the flagged ones.
mov sectionCnt, 0                       ; overwritten immediately below
mov esi, offset encSections
mov eax, [esi]                          ; first DWORD = record count
mov sectionCnt, eax
add esi, 4                              ; esi = first 9-byte record
xor ecx, ecx                            ; ecx = record index
.WHILE ecx<sectionCnt; XOR 10h decryption loop
push ecx                                ; the VirtualProtect call below clobbers ecx
mov eax, 9     ;lea eax, [esi + 9*ecx]  ; record address (mul clobbers edx)
mul ecx
add eax, esi
mov eax, [eax]
mov isEnc, al; 1 if this record is encrypted
mov eax, 9; lea eax, [esi + 9*ecx + 1]  ; beginVA field
mul ecx
add eax, esi
inc eax
mov eax, [eax]
mov sectionBeg, eax
mov eax, 9 ;lea eax, [esi + 9*ecx + 5]  ; endVA field
mul ecx
add eax, esi
add eax, 5
mov eax, [eax]
mov sectionEnd, eax

; Change protection to PAGE_READWRITE, saving the old value per record.
mov eax, 4
mul ecx; eax = 4*ecx (index into minyOldProperties)
lea edx, minyOldProperties
add edx, eax
push edx; lpflOldProtect = &minyOldProperties[ecx]
push PAGE_READWRITE; flNewProtect
mov eax, sectionBeg
mov ebx, sectionEnd
mov edx, ebx
sub edx, eax; edx = sectionEnd - sectionBeg = byte count
push edx; dwSize
push eax                                ; lpAddress
call minyVirtualProtect                 ; return value unchecked
; Apply XOR 10h in place.
mov eax, sectionBeg
mov ebx, sectionEnd
.IF isEnc != 0 ; only records flagged 01h
.WHILE eax != ebx                       ; endVA is exclusive
mov dl, byte ptr [eax];
xor dl, 10h
mov [eax], dl
inc eax
.ENDW
.ENDIF
pop ecx
inc ecx
.ENDW
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Copy [ksooSectionBeg, ksooSectionEnd) byte by byte.
; NOTE(review): as written, edi is the DWORD *stored at* ImportTables
; (descriptor 0's OriginalFirstThunk RVA), not the address of ImportTables;
; the commented-out line shows the intended destination. This looks like
; one of the lea->mov patch sites described at `lea esi, [ImportTables]`
; below; in this unpatched form the store goes through an RVA — confirm.
mov eax, ksooSectionBeg
mov ebx, ksooSectionEnd
xor ecx, ecx
.WHILE eax != ebx
mov dl, [eax]
lea edi, [ImportTables]
mov edi, [edi]
add edi, ecx
mov byte ptr [edi], dl
;mov ImportTables[ecx], dl
inc eax
inc ecx
.ENDW
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Pass 2: walk the import descriptors and fill the IAT by hand.
lea esi, [ImportTables]; in the patched binary this is 00405165   8B35 00434000    MOV ESI,DWORD PTR DS:[404300]
mov wholePtr, esi
.WHILE TRUE
mov esi, wholePtr                       ; esi = current descriptor
mov edx, [esi]                          ; stop only when all five DWORDs are zero
.IF edx != 0
JMP CON
.ENDIF
mov edx, [esi+4]
.IF edx != 0
JMP CON
.ENDIF
mov edx, [esi+8]
.IF edx != 0
JMP CON
.ENDIF
mov edx, [esi+12]
.IF edx != 0
JMP CON
.ENDIF
mov edx, [esi+16]
.IF edx != 0
JMP CON
.ENDIF
.BREAK
CON:
lea eax, [esi+12]; Name1 (RVA of the DLL name)
mov eax, [eax]
add eax, imgBase
invoke LoadLibrary, eax ; LoadLibrary on the descriptor's DLL name; result unchecked
db 1 DUP(90h)
mov tmpModule, eax
; Per-DLL thunk loop.
lea eax, [esi]                          ; OriginalFirstThunk, kept as an RVA
mov eax, [eax]
;add eax, imgBase
mov INTPtr, eax
lea eax, [esi+16]                       ; FirstThunk -> VA of the IAT slot
mov eax, [eax]
add eax, imgBase
mov IATPtr, eax
.WHILE TRUE
lea esi, [INTPtr]; esi = &INTPtr (a local); the outer loop reloads esi from wholePtr
mov edx, [esi]; edx = INTPtr (RVA of the thunk entry)
add edx, imgBase;
mov edx, [edx]                          ; thunk value; 0 terminates the list
.IF edx != 0
JMP CON2
.ENDIF
.BREAK
CON2:
mov edx, [esi];
add edx, imgBase;
mov edx, [edx]                          ; RVA of the IMAGE_IMPORT_BY_NAME entry
add edx, imgBase;
add edx, 2                              ; skip the 2-byte Hint; the local str* tables have no hint word, so this only fits real IMAGE_IMPORT_BY_NAME entries — confirm which table is live here
invoke GetProcAddress, tmpModule, edx   ; result unchecked
db 1 DUP(90h)
lea edi, [IATPtr]                       ; edi = IATPtr (VA of the slot)
mov edi, [edi]
mov [edi], eax                          ; store the resolved address
;;;;;;;;;;;;;;;;
mov edx, INTPtr                         ; advance both thunk cursors by one DWORD
add edx, 4
mov INTPtr, edx
mov edx, IATPtr
add edx, 4
mov IATPtr, edx
.ENDW
; End of thunk loop.
mov esi, wholePtr                       ; next descriptor (20 = sizeof IMAGE_IMPORT_DESCRIPTOR)
add esi, 20
mov wholePtr, esi
.ENDW
; Pass 3: restore the protections saved in pass 1, same record walk.
mov sectionCnt, 0
mov esi, offset encSections; MOV ESI,404314
mov eax, [esi]
mov sectionCnt, eax
add esi, 4
xor ecx, ecx
.WHILE ecx<sectionCnt;
push ecx
mov eax, 9; lea eax, [esi + 9*ecx + 1]  ; beginVA field
mul ecx
add eax, esi
inc eax
mov eax, [eax]
mov sectionBeg, eax
mov eax, 9 ;lea eax, [esi + 9*ecx + 5]  ; endVA field
mul ecx
add eax, esi
add eax, 5
mov eax, [eax]
mov sectionEnd, eax
lea eax, [gabage]                       ; lpflOldProtect (value discarded)
push eax
mov eax, minyOldProperties[ecx * 4]     ; flNewProtect = protection saved in pass 1
push eax
mov eax, sectionBeg
mov ebx, sectionEnd
mov edx, ebx
sub edx, eax; edx = sectionEnd - sectionBeg = byte count
push edx; dwSize
push eax                                ; lpAddress
call minyVirtualProtect ; restore protection; return value unchecked
pop ecx
inc ecx
.ENDW
ret
MyMain endp
end start






;404300 에 DataDirectory[1].VirtualAddress + ImageBase 저장 
;404304 에 ksooSection 시작위치 
;404308 에 ksooSection 끝. 
;40430C 에 Import Table 의 크기 
;404310 에 ImageBase 값 
;404314 에 암호화된 섹션의 개수 
;404318 부터 암호화된 섹션의 시작(voff)위치와 OverOfEnd 를 기록함. 
;A = LoadLibrary("dll");
;B = GetProcAddress(A, "API name");
;
;
;
;
