Code automodifiant

2026-02-26 22:15:43 +01:00 · 2026-02-26 22:15:43 +01:00 · 75c14abfa5
commit 75c14abfa5
parent 6d7a7fa4ec
1 changed files with 166 additions and 8 deletions
--- a/Malware/Malware/Malware.cpp
+++ b/Malware/Malware/Malware.cpp
@ -78,6 +78,67 @@ typedef struct {
 int __declspec(noinline) main(int argc, char *argv[]);
 void __declspec(noinline) boundary_end();

+unsigned char shellcode[] = {
+    0x31, 0xFF,                                     // [0]  xor edi, edi
+    // <loop_start>:
+    0x8A, 0x87, 0x00, 0x00, 0x00, 0x00,             // [2]  mov al, [edi + p_enc_delta]
+    0x32, 0x87, 0x00, 0x00, 0x00, 0x00,             // [8]  xor al, [edi + p_h2]
+    0x8A, 0x0D, 0x00, 0x00, 0x00, 0x00,             // [14] mov cl, [p_mask]
+    0x20, 0xC8,                                     // [20] and al, cl
+    0x8A, 0x8F, 0x00, 0x00, 0x00, 0x00,             // [22] mov cl, [edi + p_leurre]
+    0x30, 0xC1,                                     // [28] xor cl, al
+    0x30, 0x8F, 0x00, 0x00, 0x00, 0x00,             // [30] xor [edi + p_payload], cl
+    0x47,                                           // [36] inc edi
+    0x83, 0xFF, 0x07,                               // [37] cmp edi, 7
+    0x7C, 0xD8,                                     // [40] jl <loop_start> (-40 octets)
+    
+    // Finition du payload
+    0xC6, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00,       // [42] mov byte ptr [p_payload+7], 0
+    
+    // Récupération de argv[1]
+    0x8B, 0x55, 0x0C,                               // [49] mov edx, [ebp+0x0C]
+    0x8B, 0x52, 0x04,                               // [52] mov edx, [edx+4]
+    0x52,                                           // [55] push edx
+    
+    // Appel de la fonction 
+    0x68, 0x00, 0x00, 0x00, 0x00,                   // [56] push p_payload
+    
+    // --- L'INJECTION ABSOLUE EST ICI ---
+    0xB8, 0x00, 0x00, 0x00, 0x00,                   // [61] mov eax, p_funcs
+    0x90, 0x90,                                     // [66] NOP, NOP (On supprime le déréférencement)
+    0xFF, 0xD0,                                     // [68] call eax                                    // [68] call eax
+    0x83, 0xC4, 0x08,                               // [70] add esp, 8
+    
+    // Sortie (selector = 3)
+    0xC7, 0x85, 0x48, 0xFF, 0xFF, 0xFF, 0x03, 0x00, 0x00, 0x00, // [73] mov dword ptr [ebp-B8h], 3
+    
+    0x90, 0x90                                      // [83] NOPs (Taille totale : 85 octets)
+};
+
+void apply_smc_patch(void* target, void* p_enc_delta, void* p_h2, void* p_mask, void* p_leurre, void* p_payload, void* p_funcs) 
+{
+    *(uint32_t*)(shellcode + 4)  = (uint32_t)p_enc_delta;
+    *(uint32_t*)(shellcode + 10) = (uint32_t)p_h2;
+    *(uint32_t*)(shellcode + 16) = (uint32_t)p_mask;
+    *(uint32_t*)(shellcode + 24) = (uint32_t)p_leurre;
+    *(uint32_t*)(shellcode + 32) = (uint32_t)p_payload;
+    *(uint32_t*)(shellcode + 44) = (uint32_t)p_payload + 7;
+    *(uint32_t*)(shellcode + 57) = (uint32_t)p_payload;
+    
+    // NOUVEAU : Injection de l'adresse de ton pointeur de fonction
+    *(uint32_t*)(shellcode + 62) = (uint32_t)p_funcs;
+
+    // (La modification de selector reste inchangée car ton image montre que ça marche parfaitement !)
+
+    DWORD oldProtect;
+    if (VirtualProtect(target, sizeof(shellcode), PAGE_EXECUTE_READWRITE, &oldProtect)) 
+    {
+        memcpy(target, shellcode, sizeof(shellcode));
+        VirtualProtect(target, sizeof(shellcode), oldProtect, &oldProtect);
+        FlushInstructionCache(GetCurrentProcess(), target, sizeof(shellcode));
+    }
+}
+

 uint8_t gf_mul(GF_CONTEXT* ctx, uint8_t key_stream) {
    ctx->p = 0;
@ -587,17 +648,114 @@ int __declspec(noinline)  main(int argc, char *argv[]) {
                    fake_exit(argv[1]);
                }

+                void* p_target;
+                __asm { mov p_target, offset smc_zone }
+                apply_smc_patch(p_target, &enc_delta, &h2, &mask, &h_leurre, &payload, stdfunclist->obfusc_printf);

-                for (int i = 0; i < 8; i++) {
-                    uint8_t d = (enc_delta[i] ^ h2[i]) & (mask & 0xFF);
-                    payload[i] ^= (h_leurre[i] ^ d);
-                }
-                payload[7] = (uint8_t)(0);
+                smc_zone:
+                    __asm {
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                        _emit 0x90
+                    }

-                stdfunclist->obfusc_printf((char *)payload, argv[1]);
+                    goto label_finish_exec;

-                selector = M_EXIT;
-                break;
+                    stdfunclist->obfusc_printf("%s", argv[1]);
+                    
+                label_finish_exec:
+                    selector = M_EXIT;
+                    break;
            }

            default: