Pe 简单Xor异或加密壳


原由

两三天写完了,现在发上来,使用LibPe库进行处理。
除了固定基址0x00400000的Pe文件,同时可以支持动态镜像基址和ASLR的Pe文件的异或加密。

(!)汇编寻找镜像基址
    获得当前地址。当前地址后3位清零。循环动态减0x1000,比较循环值地址的转为word的值是否与魔术签名(0x4D5A)相等。
源码
#include 
#include 
#include 

#include 

#include "LibPeH.h"

using std::string;

//char dcd[0x100] =

// Interactive XOR "packer" for a PE file, built on the LibPe helpers from LibPeH.h.
// Flow, as written below:
//   1. read a file name and a hex key from stdin;
//   2. parse the file into a PeStrc and pick the section named ".text";
//   3. mark that section readable, writable and executable;
//   4. append a new section named ".decode" and copy a stub byte string into it,
//      patching in the .text RVA, the byte count, the key byte and the original entry point;
//   5. XOR the raw bytes of .text with the low byte of the key;
//   6. point AddressOfEntryPoint into the new section and write "Xor_" + file name.
// prmNbr / prmArr are only referenced by commented-out code; all input comes from stdin.
// There is no return statement, so main() returns 0 on every path.
//
// NOTE(review): a file produced this way carries static traits that are visible in its
// headers: a .text section flagged writable+executable, an extra last section named
// ".decode" flagged read/write/execute, and an entry point inside that last section.
// NOTE(review): nothing allocated below with new[] or malloc is released, and the malloc
// result is not checked.
// NOTE(review): the listing shows '' and format strings ending in a bare "n"; these are
// presumably '\0' and "\n" whose backslashes were lost when the page was published.
int main(int prmNbr, char* prmArr[])
{
	//xor.exe (source file) key [key2 [key3 [key4]]]
	// key and key2 are keys given as hexadecimal text, one DWORD each, e.g. A1B2C3D4

	// Process arguments

	// Unused: only the commented-out argument parsing below assigns it.
	string keyStr;

	//if (prmNbr >= 3)
	//{
	//	if (strstr(prmArr[2], "0x") || strstr(prmArr[2], "0X"))
	//	{
	//		keyStr = string(prmArr[2]);

	//		keyStr = keyStr.substr(2);
	//	}
	//}

	char* flNm;
	flNm = new char[0x100];

	// Read the file name
	// NOTE(review): flNm holds 0x100 bytes but "%s" carries no field width, so a longer
	// token from stdin is written past the end of the buffer; scanf's result is not checked.
	printf(">>> [文件名]:");
	scanf("%s", flNm);

	//DWORD key;

	DWORD key;

	// NOTE(review): the prompt asks for a single byte, but "%x" stores a whole DWORD;
	// only the low byte is used later, through the (byte)key casts.
	printf(">>> [密钥] (单个字节):");
	scanf("%x", &key);

	
	// Change section attributes: executable

	// Parse the file into the working structure. getStrc comes from LibPeH.h; how it
	// reports a missing or malformed file is not visible here, and no check follows.
	struct PeStrc pe= getStrc(flNm);
	
	// Locate the executable .text section

	int encrpScnIdx = -1;

	// The loop does not break, so if several sections are named ".text" the last one wins.
	for (int i = 0; i < pe.scnCnt; i++)
	{
		if (strcmp((char*)pe.scnHd[i].Name, ".text") == 0)
		{
			encrpScnIdx = i;
		}

	}
	
	//printf("pe.flAlgn :%08x pe.scnHd[0].SizeOfRawData %08xn", pe.flAlgn, pe.scnHd[0].SizeOfRawData);

	// NOTE(review): when no section is named ".text", encrpScnIdx is still -1 here and is
	// used as an array index on the next line and again further down, without a check.
	// The section must be writable because the stub decodes it in place at run time
	// (presumably; the stub itself is not functional as printed).
	pe.scnHd[encrpScnIdx].Characteristics |= IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE;//| IMAGE_SCN_CNT_INITIALIZED_DATA| IMAGE_SCN_CNT_UNINITIALIZED_DATA;   //.text section
	//pe.scnHd[1].Characteristics |= IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE;// | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_CNT_UNINITIALIZED_DATA;   //.data section

	// Show the key

	printf("key:%xn", key);

	// Add a section

	{
		// Update the related fields in the optional header

		DWORD newScnFlSz = 0x400;  // may be changed
		DWORD newScnVrtSz;       // may be changed

		// Section file size and section virtual size
		// szAlgn is a LibPe helper; presumably it rounds a size up to the given alignment.
		newScnFlSz = szAlgn(pe.flAlgn, newScnFlSz);
		newScnVrtSz = szAlgn(pe.scnAlgn, newScnFlSz);

		pe.optHd.SizeOfImage += newScnVrtSz;
		pe.flHd.NumberOfSections++;

		// Update the section table

		// NOTE(review): scnHd[newScnIdx] and scn[newScnIdx] are written without a visible
		// capacity check; whether PeStrc has room for one more section depends on its
		// definition in LibPeH.h (confirm). Free space for one more section header in
		// the file's header area is not checked here either.
		int newScnIdx = pe.scnCnt;

		// ".decode" plus its terminating NUL is exactly the 8 bytes copied into Name.
		memcpy(pe.scnHd[newScnIdx].Name, (byte*)".decode", 0x8);
		// Judging by the helper names, the new section is placed directly after the
		// previous last section, both in the file and in memory.
		pe.scnHd[newScnIdx].PointerToRawData = scnIdxToFoaFromStrc(pe, newScnIdx - 1) + scnIdxToFlSzFromStrc(pe, newScnIdx - 1);
		pe.scnHd[newScnIdx].SizeOfRawData = newScnFlSz;
		pe.scnHd[newScnIdx].VirtualAddress = scnIdxToRvaFromStrc(pe, newScnIdx - 1) + scnIdxToVrtSzFromStrc(pe, newScnIdx - 1);

		pe.scnHd[newScnIdx].Misc.VirtualSize = newScnVrtSz;

		// The new section is flagged as code and data at once, and read/write/execute.
		pe.scnHd[newScnIdx].Characteristics = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_CNT_UNINITIALIZED_DATA
			| IMAGE_SCN_MEM_WRITE;

		pe.scnCnt++;

		// Copy the edited file/optional headers back into the combined NT header.
		pe.ntHd.FileHeader = pe.flHd;
		pe.ntHd.OptionalHeader = pe.optHd;

		pe.flSz += newScnFlSz;

		// Backing buffer for the new section; the malloc result is not checked and the
		// memory is not initialised here.
		pe.scn[newScnIdx] = (byte*)malloc(newScnFlSz + 0x1000);

	}


	// File offset of the section that was just appended (now the last one).
	DWORD newScnOfst= pe.scnHd[pe.scnCnt-1].PointerToRawData;
	printf("newScnOfst:%xn", newScnOfst);

	DWORD encptScnOfst = pe.scnHd[encrpScnIdx].PointerToRawData;

	// Number of bytes to encrypt: the aligned raw size, capped at VirtualSize.
	DWORD encrpScnFlSz = szAlgn(pe.flAlgn, pe.scnHd[encrpScnIdx].SizeOfRawData);
	encrpScnFlSz = encrpScnFlSz < pe.scnHd[encrpScnIdx].Misc.VirtualSize ? encrpScnFlSz : pe.scnHd[encrpScnIdx].Misc.VirtualSize;
	
	printf("pe.flAlgn :%08x encptScnOfst :%08x encrpScnFlSz :%08xn", pe.flAlgn, encptScnOfst,encrpScnFlSz);

	// Unused in this function.
	DWORD psnFrstScnOfstInCd = 0x0;

	byte* bff;

	// Unused in this function.
	struct PeStrc pe2;


	// Place the encryption code
	//{

		// ofst and cdRd are declared/allocated but never used below.
		DWORD ofst;

		string cdStr;

		char* cdRd, * cd;

		cdRd = new char[0x100];

		cd = new char[0x100];

		//?If the numbers in two lines or more its not correct
		// Modified here to prevent malicious use
		// (author's note: the hex text below was altered before publication, so it is
		// not a working stub as printed.)
		cdStr = string("90 90 90 90 90 90 90 E8 00 00 00 00 58 25 00 F0 FF FF 90 9000 66 8B 18 66 81 FB 4D 5A D0 05 00 00 00 00 B9 00 00 00 00 90 80 30 F9 00 75 F6 90 61 90 90 89 D0 05 00 00 00 00 50 C3 90 90 90");



		// Convert the instructions

		// Characters kept from cdStr. NOTE(review): the table ends in 'g', which is not a
		// hexadecimal digit but would still be copied through.
		char tbl[] = "0123456789ABCDEFabcdefg";

		int ptr = 0;

		// Keep only characters found in tbl, which drops the spaces.
		// NOTE(review): cd holds 0x100 chars and ptr is not bounded against that size.
		for (int i = 0; i < cdStr.size(); i++)
		{
			if (strchr(tbl, cdStr[i]))
			{
				cd[ptr] = cdStr[i];
				ptr++;
			}
		}

		// NOTE(review): '' is presumably '\0' (string terminator) damaged in publication.
		cd[ptr] = '';

		// Pad with a trailing '0' so the digit count is even.
		if (strlen(cd) % 2 == 1)
		{
			cd[ptr++] = '0';
			cd[ptr] = '';
		}




		// Convert to a byte array

		// sz is the number of bytes the hex text decodes to; bytArr has room for 0x500.
		int sz = strlen(cd) / 2;

		byte* bytArr = new byte[0x500];

		char* strTmp;

		strTmp = new char[0x10];

		// Decode two hex digits at a time; strlen(cd) is re-evaluated on every iteration.
		for (int i = 0; i < strlen(cd); i += 2)
		{

			strncpy(strTmp, cd + i, 2);
			strTmp[2] = '';

			bytArr[i / 2] = strtol(strTmp, NULL, 16);
		}

		// Fix up the address data

		//printf("pe.flAlgn :%08x encptScnOfst :%08x encrpScnFlSz :%08xn", pe.flAlgn, encptScnOfst, encrpScnFlSz);

		// Four fields are patched into the decoded bytes at fixed offsets:
		//   0x2d  RVA of the section to decode
		//   0x32  number of bytes to decode
		//   0x39  key (low byte only)
		//   0x48  original AddressOfEntryPoint
		// NOTE(review): the offsets depend on the exact layout of the hex text above, and
		// the DWORD stores go through a cast of a byte pointer at unaligned offsets.

		*(DWORD*)(bytArr+0x2d) = foaToRvaFromStrc(pe, encptScnOfst);
		
		*(DWORD*)(bytArr+0x32) = encrpScnFlSz;

		*(bytArr + 0x39) = (byte)key;

		*(DWORD*)(bytArr + 0x48) = pe.optHd.AddressOfEntryPoint;

		printf("pe.flAlgn :%08x encptScnOfst: %08x encrpScnFlSz: %08x entryPoint: %08xn", pe.flAlgn, encptScnOfst, encrpScnFlSz,pe.optHd.AddressOfEntryPoint);

		// Write the data

		

		// Serialise the structure to a flat buffer, overwrite the start of the new section
		// with the sz decoded bytes, then re-parse the buffer into pe. The three helpers
		// come from LibPeH.h; their bounds handling is not visible here.
		bff = getBffFromStrc(pe);

		bffOvrwrt(bff, newScnOfst, bytArr, sz);

		pe = getStrcFromBff(bff,pe.flSz);

	//}

	

	// Encrypt the section
	{
		printf("encptFlSz:%xn",encrpScnFlSz);
		printf("scn[encptFlSz]:n");
		// XOR every byte of the chosen section's raw data with the low byte of the key.
		// i is a signed int compared against a DWORD count.
		for (int i = 0; i < encrpScnFlSz; i++)
		{
			//printf("%02x ", *(pe.scn[0] + i));
			//printf("%02x ", *(pe.scn[encrpScnIdx] + i));
			*((pe.scn[encrpScnIdx]) + i) ^= (byte)key;
			//printf("%02x ", *(pe.scn[0] + i));
		}
	}

	// Fix up the entry point

	// The new entry point is five bytes past the start of the appended section.
	pe.optHd.AddressOfEntryPoint = foaToRvaFromStrc(pe, newScnOfst + 5);

	pe.ntHd.OptionalHeader = pe.optHd;

	// Write the output file

	//strcGnrt((char *)(string("Xor_") + string(flNm)).c_str(), pe);
	// The output name is "Xor_" followed by the input name as typed. The temporary
	// string lives until the end of this statement; the cast drops const from c_str().
	strcGnrt((char*)(string("Xor_") + string(flNm)).c_str(), pe);


}
