Hace mucho tiempo que ya no estoy programando a si que les dejo un codigo que lo diseñe pensando en saltarme que sea tan facil debuggearte con el olly y otras cosas =D Vale decir que se puede convertir en un loader para exes entre otras cosas pero necesitas arreglar un poco el cargador del IAT =/
;This code work with the relocation table :P
Path fix "C:\windows\system32\ntdll.dll"
include "win32ax.inc"
struct UNICODE_STRING
Len dw ?
MaxLen dw ?
Buffer dd ?
ends
.data
kernel32 du "kernel32.dll",0
US UNICODE_STRING
nt dd ?
.code
start:
stdcall ReadFILE,Path
stdcall Loader,eax
mov [nt],ecx
stdcall GetAddressFunction,ecx,"RtlInitUnicodeString"
stdcall eax,US,kernel32
invoke MessageBoxW,0,[US.Buffer],0,0
invoke ExitProcess,0
proc GetAddressFunction,pMZ,pApi
mov edi, [pMZ]
mov ebx,[edi+0x3c]
mov ebx,[ebx+edi+0x78]
add ebx,edi
mov esi,[0x18+ebx]
mov edx, [0x20+ebx]
add edx,edi
.bucle:
dec esi
cmp esi,0
je .error
mov eax,esi
rol eax,2 ;esi * 4
mov eax,[edx + eax]
add eax,edi
stdcall comparar,[pApi],eax
xor eax,0
jnz .bucle
mov eax,[0x24+ebx]
add eax,edi
movzx ecx, word[eax + 2*esi]
mov eax, [ebx + 0x1c]
add eax,edi
mov eax, [eax + 4 * ecx]
add eax, edi
.salir:
ret
.error:
xor eax,eax
jmp .salir
endp
proc comparar ,SRC,DST ;lstrcmp
push edi ecx esi
mov ecx,-1
mov edi,[SRC]
mov al,0
repnz scasb
mov eax,ecx
not eax
mov ecx,eax
mov esi,[SRC]
mov edi,[DST]
repz cmpsb
mov eax,1
jnz Next
dec eax
Next:
pop esi ecx edi
ret
endp
SizeOfImage equ 0x50
pe equ 0x3c
NumberOfSections equ 0x6
VirtualAddr equ 0xc
proc Loader uses edx edi esi ebx,MZ
local PE dd ?
local ExeBuffer dd ?
local Delta dd ?
local IBR dd ?
local NumberBlocks dd ?
local I dd ?
local IBR2 dd ?
local Type dd ?
local IAT dd ?
local offset dd ?
mov eax,[MZ]
add eax,dword[eax+pe]
mov [PE],eax
mov eax,[PE]
cmp dword[eax+0x80],0
je _EXIT
mov eax,[MZ]
mov eax,dword[eax+0x3c]
add eax, [MZ]
xchg eax,[PE]
mov eax,[PE]
mov eax,dword[eax+0x80]
add eax,[MZ]
mov [IAT],eax
_LOADERIAT:
mov eax,[IAT]
mov eax,dword[eax+12]
add eax,[MZ]
invoke LoadLibrary,eax
mov ebx,eax
mov eax,[IAT]
mov eax,dword[eax+16]
add eax,[MZ]
mov edi,eax
_APIs:
mov eax,edi
mov ecx,[MZ]
add dword[eax], ecx
mov eax,dword[eax]
add eax,2
invoke GetProcAddress,ebx,eax
mov dword[edi],eax
add edi,4
cmp dword[edi],0
jne _APIs
add [IAT],20
mov eax,[IAT]
cmp dword[eax+12],0
jne _LOADERIAT
_EXIT:
invoke GlobalAlloc,GPTR,dword[eax+SizeOfImage]
mov [ExeBuffer],eax
mov eax,[PE]
movzx edi,word[eax+NumberOfSections]
_Secciones:
dec edi
mov eax,28h
mul edi
add eax,0xf8
add eax,[PE]
mov ecx,[ExeBuffer]
add ecx,dword[eax+VirtualAddr]
mov edx,dword[eax+0x14];PointerRawData
add edx,[MZ]
invoke RtlMoveMemory,ecx, edx,dword[eax+10h]
cmp edi,0
jne _Secciones
mov eax,[PE]
invoke RtlMoveMemory,[ExeBuffer] , [MZ] ,dword[eax+0x54]
mov edi,[PE]
mov edi,dword[edi+0x34]
mov ecx,[ExeBuffer]
sub ecx,edi
mov [Delta],ecx
mov esi,[PE]
mov eax,[esi+0xA0]
add eax,[ExeBuffer]
mov [IBR],eax
_EX:
mov eax,[IBR]
add eax,8
mov eax,dword[eax]
and eax,0xff
mov ecx,[IBR]
mov ecx,dword[ecx+4]
sub cl,8
mov eax,2
xchg eax,ecx
div ecx
mov [NumberBlocks],eax
inc [NumberBlocks]
_Ini:
push [IBR]
pop [IBR2]
add [IBR2],6; IBR - WORD
_BLOCKS:
dec [NumberBlocks]
add [IBR2],2
pushad
mov eax,[IBR2]
movzx eax,word[eax]
mov ecx,eax
shr ecx,12
and eax,0xff
.if ecx = 3
;scfd
mov edx,[IBR]
mov edx,[edx]
add edx,eax
add edx,[ExeBuffer]
mov eax,dword[edx]
add eax,[Delta]
mov dword[edx],eax
.endif
popad
cmp [NumberBlocks],0
jne _BLOCKS
mov eax,[IBR]
mov eax,[eax+4]
add [IBR],eax
mov eax,[IBR]
cmp dword[eax],0
jne _EX
mov eax,[PE]
mov ecx,[ExeBuffer]
ret
endp
proc ReadFILE, ruta
locals
bUsados dd ?
hFile dd ?
tamAr dd ?
hMap dd ?
IB dd ?
endl
invoke CreateFile, [ruta], GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0
mov [hFile], eax
invoke GetFileSize, [hFile], 0
mov [tamAr], eax
invoke GlobalAlloc, GPTR, eax
mov [IB], eax
invoke ReadFile, [hFile], [IB], [tamAr], addr bUsados, 0
invoke CloseHandle, [hFile]
mov eax, [IB]
mov ebx,[tamAr]
ret
endp
.end start;By Me
Si quieren sacarle algunas apis es cosa de cambiarlas por funciones =P
;Descripcion: Esta función funciona igual que la winapi RtlMoveMemory
; by YST
proc cRtlMoveMemory,cBuffer,Cpuntero,cCantidad
push esi edi
xchg edi,[cBuffer]
xchg esi,[Cpuntero]
.bucleb:
dec [cCantidad]
movsb
cmp [cCantidad],0
jge .bucleb
pop edi esi
ret
Mostrar Mensajes
y los que no se dan por muertos 