Hiding all import table functions:
Works for both EXE and DLL ---------- №冰浪№
To keep the procedure as simple and foolproof as possible and the code generic, a few techniques commonly used by viruses are borrowed here; special thanks go to
xfish of 看雪 (Pediy) and his monumental 【Anti Virus专题】 (Anti Virus Topics) series!!!
Follow these steps:
1: Open the file in LordPE, click Directories, and note the RVA of the import table.
2: Load the program in OllyDbg (OD), add the code below in an empty area (a code cave), and fill in the RVA you just noted and the address of the original entry point to return to.
3: Change the entry point to the start of this code (not strictly required, but you must make sure this code runs before the program calls any imported function).
4: Set the import table RVA recorded in step 1 to 0 and make the section holding the import table writable, since the code below writes the resolved addresses into it at runtime.
The complete code follows. Two runs of bytes that OllyDbg shows as junk instructions are really inline strings: 100742AA-100742B8 is "GetProcAddress" and 10074322-1007432E is "LoadLibraryA". On its first run the stub marks itself as executed (INC BYTE PTR [EAX] on its own data byte at 10074285, which is why it must sit in writable memory), locates kernel32 through the PEB loader list, resolves GetProcAddress from kernel32's export table and then LoadLibraryA through GetProcAddress, finds its own image base by scanning backwards page by page for the MZ/PE headers, and finally walks the original import descriptors, calling LoadLibraryA for each DLL and GetProcAddress for each thunk (by name or by ordinal) and writing the result into the IAT before jumping to the original entry point:
10074280 > $ E8 01000000 CALL 1291SS.10074286
10074285 00 DB 00
10074286 . 58 POP EAX
10074287 . 8038 00 CMP BYTE PTR DS:[EAX],0
1007428A . 0F85 F5000000 JNZ 1291SS.10074385
10074290 . FE00 INC BYTE PTR DS:[EAX]
10074292 64:A1 3000000>MOV EAX,DWORD PTR FS:[30]
10074298 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
1007429B 8B40 1C MOV EAX,DWORD PTR DS:[EAX+1C]
1007429E 8B00 MOV EAX,DWORD PTR DS:[EAX]
100742A0 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
100742A3 . 8BD8 MOV EBX,EAX
100742A5 . E8 0F000000 CALL 1291SS.100742B9
100742AA . 47 INC EDI
100742AB . 65:74 50 JE SHORT 1291SS.100742FE
100742AE . 72 6F JB SHORT 1291SS.1007431F
100742B0 . 6341 64 ARPL WORD PTR DS:[ECX+64],AX
100742B3 . 64:72 65 JB SHORT 1291SS.1007431B
100742B6 . 73 73 JNB SHORT 1291SS.1007432B
100742B8 00 DB 00
100742B9 . 59 POP ECX
100742BA . 60 PUSHAD
100742BB . 89C3 MOV EBX,EAX
100742BD . 89CF MOV EDI,ECX
100742BF . 30C0 XOR AL,AL
100742C1 > AE SCAS BYTE PTR ES:[EDI]
100742C2 .^ 75 FD JNZ SHORT 1291SS.100742C1
100742C4 . 4F DEC EDI
100742C5 . 29CF SUB EDI,ECX
100742C7 . 87F9 XCHG ECX,EDI
100742C9 . 8B43 3C MOV EAX,DWORD PTR DS:[EBX+3C]
100742CC . 8B7403 78 MOV ESI,DWORD PTR DS:[EBX+EAX+78]
100742D0 . 8D741E 18 LEA ESI,DWORD PTR DS:[ESI+EBX+18]
100742D4 . AD LODS DWORD PTR DS:[ESI]
100742D5 . 92 XCHG EAX,EDX
100742D6 . AD LODS DWORD PTR DS:[ESI]
100742D7 . 50 PUSH EAX
100742D8 . AD LODS DWORD PTR DS:[ESI]
100742D9 . 95 XCHG EAX,EBP
100742DA . AD LODS DWORD PTR DS:[ESI]
100742DB . 95 XCHG EAX,EBP
100742DC . 01D8 ADD EAX,EBX
100742DE . 897C24 18 MOV DWORD PTR SS:[ESP+18],EDI
100742E2 . 894C24 14 MOV DWORD PTR SS:[ESP+14],ECX
100742E6 > 4A DEC EDX
100742E7 . 74 27 JE SHORT 1291SS.10074310
100742E9 . 8B3490 MOV ESI,DWORD PTR DS:[EAX+EDX*4]
100742EC . 01DE ADD ESI,EBX
100742EE . F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:>
100742F0 . 74 0A JE SHORT 1291SS.100742FC
100742F2 . 8B7C24 18 MOV EDI,DWORD PTR SS:[ESP+18]
100742F6 . 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]
100742FA .^ EB EA JMP SHORT 1291SS.100742E6
100742FC > D1E2 SHL EDX,1
100742FE > 01D5 ADD EBP,EDX
10074300 . 0FB7441D 00 MOVZX EAX,WORD PTR SS:[EBP+EBX]
10074305 . C1E0 02 SHL EAX,2
10074308 . 030424 ADD EAX,DWORD PTR SS:[ESP]
1007430B . 8B0403 MOV EAX,DWORD PTR DS:[EBX+EAX]
1007430E . 01D8 ADD EAX,EBX
10074310 > 59 POP ECX
10074311 . 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
10074315 . 895C24 18 MOV DWORD PTR SS:[ESP+18],EBX
10074319 E8 DB E8
1007431A 12 DB 12
1007431B . 0000 ADD BYTE PTR DS:[EAX],AL
1007431D . 0000 ADD BYTE PTR DS:[EAX],AL
1007431F . 0000 ADD BYTE PTR DS:[EAX],AL
10074321 . 004C6F 61 ADD BYTE PTR DS:[EDI+EBP*2+61],CL
10074325 . 64:4C DEC ESP
10074327 69 DB 69
10074328 . 6272 61 BOUND ESI,QWORD PTR DS:[EDX+61]
1007432B . 72 79 JB SHORT 1291SS.100743A6
1007432D . 41 INC ECX
1007432E . 0000 ADD BYTE PTR DS:[EAX],AL
10074330 $ 59 POP ECX
10074331 . 83C1 04 ADD ECX,4
10074334 . 51 PUSH ECX
10074335 . 53 PUSH EBX
10074336 . FFD0 CALL EAX
10074338 . 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
1007433C . E8 00000000 CALL 1291SS.10074341
10074341 $ 5D POP EBP
10074342 . 81E5 0000FFFF AND EBP,FFFF0000
10074348 . 33C0 XOR EAX,EAX
1007434A . EB 06 JMP SHORT 1291SS.10074352
1007434C > 81ED 00100000 SUB EBP,1000
10074352 > 66:8B45 00 MOV AX,WORD PTR SS:[EBP]
10074356 . 66:3D 4D5A CMP AX,5A4D
1007435A . 90 NOP
1007435B .^ 75 EF JNZ SHORT 1291SS.1007434C
1007435D . 8B45 3C MOV EAX,DWORD PTR SS:[EBP+3C]
10074360 . 8B0428 MOV EAX,DWORD PTR DS:[EAX+EBP]
10074363 . 3D 50450000 CMP EAX,4550
10074368 .^ 75 E2 JNZ SHORT 1291SS.1007434C
1007436A . B8 48611100 MOV EAX,116148 // fill in the import table RVA shown in LordPE here
1007436F . 36:8D1C28 LEA EBX,DWORD PTR SS:[EAX+EBP]
10074373 > 8B43 0C MOV EAX,DWORD PTR DS:[EBX+C]
10074376 . 85C0 TEST EAX,EAX
10074378 . 74 0A JE SHORT 1291SS.10074384
1007437A . E8 0D000000 CALL 1291SS.1007438C
1007437F . 83C3 14 ADD EBX,14
10074382 .^ EB EF JMP SHORT 1291SS.10074373
10074384 > 61 POPAD
10074385 >^ E9 828FF9FF JMP 1291SS.1000D30C // import table loaded, return to the original entry point
1007438A 90 NOP
1007438B 90 NOP
1007438C $ 53 PUSH EBX
1007438D . 8D1428 LEA EDX,DWORD PTR DS:[EAX+EBP]
10074390 . 52 PUSH EDX
10074391 . FF5424 20 CALL DWORD PTR SS:[ESP+20]
10074395 . 8BD0 MOV EDX,EAX
10074397 . 8B5B 10 MOV EBX,DWORD PTR DS:[EBX+10]
1007439A . 8D1C2B LEA EBX,DWORD PTR DS:[EBX+EBP]
1007439D > 8B03 MOV EAX,DWORD PTR DS:[EBX]
1007439F . 85C0 TEST EAX,EAX
100743A1 . 74 23 JE SHORT 1291SS.100743C6
100743A3 . 3D 00000080 CMP EAX,80000000
100743A8 . 72 07 JB SHORT 1291SS.100743B1
100743AA . 2D 00000080 SUB EAX,80000000
100743AF . EB 06 JMP SHORT 1291SS.100743B7
100743B1 > 8D0428 LEA EAX,DWORD PTR DS:[EAX+EBP]
100743B4 . 83C0 02 ADD EAX,2
100743B7 > 52 PUSH EDX
100743B8 . 50 PUSH EAX
100743B9 . 52 PUSH EDX
100743BA . FF5424 30 CALL DWORD PTR SS:[ESP+30]
100743BE . 8903 MOV DWORD PTR DS:[EBX],EAX
100743C0 . 83C3 04 ADD EBX,4
100743C3 . 5A POP EDX
100743C4 .^ EB D7 JMP SHORT 1291SS.1007439D
100743C6 > 5B POP EBX
100743C7 . C3 RETN
The binary bytes follow:
E8 01 00 00 00 00 58 80 38 00 0F 85 F5 00 00 00 FE 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 00
8B 40 08 8B D8 E8 0F 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 59 60 89 C3 89 CF 30
C0 AE 75 FD 4F 29 CF 87 F9 8B 43 3C 8B 74 03 78 8D 74 1E 18 AD 92 AD 50 AD 95 AD 95 01 D8 89 7C
24 18 89 4C 24 14 4A 74 27 8B 34 90 01 DE F3 A6 74 0A 8B 7C 24 18 8B 4C 24 14 EB EA D1 E2 01 D5
0F B7 44 1D 00 C1 E0 02 03 04 24 8B 04 03 01 D8 59 89 44 24 1C 89 5C 24 18 E8 12 00 00 00 00 00
00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 59 83 C1 04 51 53 FF D0 89 44 24 14 E8 00 00 00
00 5D 81 E5 00 00 FF FF 33 C0 EB 06 81 ED 00 10 00 00 66 8B 45 00 66 3D 4D 5A 90 75 EF 8B 45 3C
8B 04 28 3D 50 45 00 00 75 E2 B8 48 61 11 00 36 8D 1C 28 8B 43 0C 85 C0 74 0A E8 0D 00 00 00 83
C3 14 EB EF 61 E9 82 8F F9 FF 90 90 53 8D 14 28 52 FF 54 24 20 8B D0 8B 5B 10 8D 1C 2B 8B 03 85
C0 74 23 3D 00 00 00 80 72 07 2D 00 00 00 80 EB 06 8D 04 28 83 C0 02 52 50 52 FF 54 24 30 89 03
83 C3 04 5A EB D7 5B C3
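A hand-patched resolver of this kind leaves traces in the file that static triage can pick up without running the sample: an executable whose import directory is empty, an entry point that sits in a section marked both writable and executable (the stub writes its own first data byte on its first run), and the fs:[30h] PEB walk bytes that open the listing above. Note also that the stub takes the second entry of InInitializationOrderModuleList as kernel32, which was correct on Windows XP but not on later Windows versions, so the same byte sequence is a recognisable fingerprint rather than a portable loader. The following Python script is an added example and not code from the original post; it parses PE headers with the standard library only, builds two constructed header-only sample images (the section name `.cave`, the 0x5280 entry point and the other layout values are made up for the demo) and reports which indicators each one triggers. These are triage indicators, not a verdict: some packers also use writable code sections, so hits should be reviewed in a debugger or sandbox.

```python
"""Static triage for the "zeroed import directory + runtime resolver" pattern.

Added example, not code from the original post. It reads only PE headers and
raw bytes, so it runs offline on a file or on the constructed samples below.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
# mov eax, fs:[30h] / mov eax, [eax+0Ch] / mov eax, [eax+1Ch]: the PEB -> Ldr ->
# InInitializationOrderModuleList walk at the start of the stub in the listing.
PEB_LDR_WALK = bytes.fromhex("64A130000000 8B400C 8B401C")


def inspect_pe(data):
    """Parse the PE headers and return header facts plus a list of indicator strings."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H12xH", data, coff + 2)   # NumberOfSections, SizeOfOptionalHeader
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 16)               # AddressOfEntryPoint
    dd = opt + (96 if magic == 0x10B else 112)                       # data directories: PE32 vs PE32+
    imp_rva, imp_size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))

    def section_of(rva):
        return next((s for s in sections if s[1] <= rva < s[1] + s[2]), None)

    indicators = []
    if imp_rva == 0 or imp_size == 0:
        # Step 4 of the procedure zeroes the import directory RVA.
        indicators.append("empty import directory")
    sec = section_of(entry)
    if sec is None:
        indicators.append("entry point outside any section")
    elif sec[3] & IMAGE_SCN_MEM_WRITE and sec[3] & IMAGE_SCN_MEM_EXECUTE:
        # The stub self-modifies (INC BYTE PTR [EAX]), so its section must be W+X.
        indicators.append(f"entry point in writable+executable section {sec[0]}")
    off = data.find(PEB_LDR_WALK)
    if off != -1:
        indicators.append(f"PEB Ldr walk sequence at file offset {off:#x}")
    return {"entry_point": entry, "import_rva": imp_rva, "import_size": imp_size,
            "sections": sections, "indicators": indicators}


def build_sample_pe(entry_point, import_rva, import_size, sections, body=b""):
    """Constructed header-only PE32 image (no real code) used to exercise inspect_pe."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                   # PE32 optional header, zero-filled
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_point)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_rva, import_size)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
                    for name, vaddr, vsize, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs + body


# Constructed samples: a conventional layout and one patched the way the post describes.
RX, R, RWX = 0x60000020, 0x40000040, 0xE0000020
NORMAL = build_sample_pe(0x1000, 0x3000, 0x80,
                         [(b".text", 0x1000, 0x2000, RX), (b".rdata", 0x3000, 0x1000, R)])
HIDDEN = build_sample_pe(0x5280, 0, 0,
                         [(b".text", 0x1000, 0x2000, RX), (b".cave", 0x5000, 0x1000, RWX)],
                         body=b"\x90" * 16 + PEB_LDR_WALK + b"\x90" * 16)

if __name__ == "__main__":
    for label, image in (("normal", NORMAL), ("hidden-imports", HIDDEN)):
        print(label, inspect_pe(image)["indicators"])
```

To run it on a real file, pass `open(path, "rb").read()` to `inspect_pe` instead of the constructed images; the PE32+ branch only adjusts the data directory offset, so 64-bit files parse too, although the fs:[30h] sequence is specific to 32-bit stubs like the one above.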