; Author: Brandon LaCombe
; Date: February 3, 2006
; License: Public Domain
.386
.model flat, stdcall
option casemap:none
include windows.inc
include LoaderStructs.inc
VIRTUALALLOC typedef proto lpAddress:dword, dwSize:dword, flAllocationType:dword, flProtect:dword
VIRTUALFREE typedef proto lpAddress:dword, dwSize:dword, dwFreeType:dword
VIRTUALPROTECT typedef proto lpAddress:dword, dwSize:dword, flNewProtect:dword, lpflOldProtect:dword
UNPACK typedef proto pbDest:dword, pbSrc:dword, pbWorkMem:dword
.code
;-----------------------------------------------------------------------
; void *ExportHeaderUnpacker(DWORD *pdwHeaderUnpackerSize)
; ABI:   stdcall, flat model (MASM generates the frame and `ret 4`)
; In:    pdwHeaderUnpackerSize = optional out-pointer, may be NULL
; Out:   eax = address of header_unpacker_start (the stub's first byte);
;        when the out-pointer is non-NULL it receives the stub's length
;        in bytes (header_unpacker_end - header_unpacker_start)
; Clobb: eax, flags
;-----------------------------------------------------------------------
ExportHeaderUnpacker proc pdwHeaderUnpackerSize:dword
        mov     eax, pdwHeaderUnpackerSize
        test    eax, eax                ; NULL out-pointer -> skip the size store
        jz      @F
        mov     dword ptr [eax], header_unpacker_end - header_unpacker_start
@@:
        mov     eax, header_unpacker_start   ; return the stub's start address
        ret
ExportHeaderUnpacker endp
;-----------------------------------------------------------------------
; header_unpacker_start .. header_unpacker_end
;
; Unpacks a previously compressed file header. Simply unprotects the file
; header and decompresses the original.
;
; This range is not a PROC: ExportHeaderUnpacker hands out its address and
; byte length, so it is meant to be copied elsewhere and executed there.
; Every call goes through a function pointer in KERNEL_IAT and every data
; reference is register-relative, so the code contains no absolute address
; of its own and can run wherever it is copied to.
;
; Register contract (as used below, not declared anywhere in this file):
;   ebx = pointer to a LOADER_STRUCT (dwImageBase, dwTotalMemSize,
;         dwUnpackMemSize, pUnpack, pHeader, dwOepDelta are read)
;   ebp = pointer to a KERNEL_IAT (pVirtualProtect, pVirtualAlloc,
;         pVirtualFree are read)
;   eax = scratch; holds the work-buffer address between the VirtualAlloc
;         and VirtualFree calls
; Side effect: LOADER_STRUCT.dwOepDelta is used as scratch storage for the
; old page protection (written by the first VirtualProtect, read back and
; overwritten by the second), so its original value does not survive this
; stub -- NOTE(review): confirm no later loader code expects the original
; dwOepDelta value.
;
; NOTE(review): neither VirtualProtect result nor the VirtualAlloc result
; is checked. A NULL work buffer would be passed straight into UNPACK and
; then to VirtualFree; the stub has no error-return convention in this
; file to report such a failure through.
;-----------------------------------------------------------------------
header_unpacker_start:
; VirtualProtect(dwImageBase, 1, PAGE_READWRITE, &dwOepDelta):
; make the page holding the file header writable; the previous protection
; is stored into dwOepDelta. `addr` on a register-relative operand is
; presumably expanded by MASM via eax -- eax is not an argument here, so
; that is harmless, but keep eax out of any call that also uses `addr`.
invoke VIRTUALPROTECT ptr[(KERNEL_IAT ptr[ebp]).pVirtualProtect], (LOADER_STRUCT ptr[ebx]).dwImageBase, 1, PAGE_READWRITE, addr (LOADER_STRUCT ptr[ebx]).dwOepDelta
; eax = dwTotalMemSize - dwUnpackMemSize  (size of the temporary work buffer)
mov eax, (LOADER_STRUCT ptr[ebx]).dwTotalMemSize
sub eax, (LOADER_STRUCT ptr[ebx]).dwUnpackMemSize
; eax = VirtualAlloc(NULL, eax, MEM_COMMIT, PAGE_READWRITE)  -- not NULL-checked
invoke VIRTUALALLOC ptr[(KERNEL_IAT ptr[ebp]).pVirtualAlloc], NULL, eax, MEM_COMMIT, PAGE_READWRITE
; Save all GPRs: UNPACK's clobbers are unknown here, and eax (work buffer),
; ebx and ebp must survive it for the calls that follow.
pushad
; pUnpack(pbDest = dwImageBase, pbSrc = pHeader, pbWorkMem = eax)
invoke UNPACK ptr[(LOADER_STRUCT ptr[ebx]).pUnpack], (LOADER_STRUCT ptr[ebx]).dwImageBase, (LOADER_STRUCT ptr[ebx]).pHeader, eax
popad
; VirtualFree(eax, 0, MEM_RELEASE): release the work buffer
invoke VIRTUALFREE ptr[(KERNEL_IAT ptr[ebp]).pVirtualFree], eax, 0, MEM_RELEASE
; VirtualProtect(dwImageBase, 1, <old protection from dwOepDelta>, &dwOepDelta):
; restore the header page's previous protection; dwOepDelta now receives
; PAGE_READWRITE (the protection being replaced).
invoke VIRTUALPROTECT ptr[(KERNEL_IAT ptr[ebp]).pVirtualProtect], (LOADER_STRUCT ptr[ebx]).dwImageBase, 1, (LOADER_STRUCT ptr[ebx]).dwOepDelta, addr (LOADER_STRUCT ptr[ebx]).dwOepDelta
header_unpacker_end:
end