headerunpacker.asm

来自「pe exe packer (must use vc2005 to compil」· 汇编 代码 · 共 43 行

; Author:   Brandon LaCombe
; Date:     February 3, 2006
; License:  Public Domain
.386
.model flat, stdcall
option casemap:none

include     windows.inc
include     LoaderStructs.inc

; Prototype types for calls made through function pointers. The stub below
; never names an import directly: each `invoke TYPE ptr[...]` reads the target
; address from a KERNEL_IAT or LOADER_STRUCT field and uses one of these
; typedefs only to tell MASM the argument count and sizes (stdcall, per the
; .model directive).
VIRTUALALLOC   typedef proto lpAddress:dword, dwSize:dword, flAllocationType:dword, flProtect:dword
VIRTUALFREE    typedef proto lpAddress:dword, dwSize:dword, dwFreeType:dword
VIRTUALPROTECT typedef proto lpAddress:dword, dwSize:dword, flNewProtect:dword, lpflOldProtect:dword
; The decompressor takes destination, source and scratch memory only; there is
; no destination-size argument, so output length is governed by the packed data.
UNPACK         typedef proto pbDest:dword, pbSrc:dword, pbWorkMem:dword

.code
;-----------------------------------------------------------------------
; ExportHeaderUnpacker(pdwHeaderUnpackerSize)
; ABI:  32-bit stdcall (from `.model flat, stdcall`)
; In:   pdwHeaderUnpackerSize = optional pointer to a dword; may be NULL
; Out:  eax = address of header_unpacker_start
;       [pdwHeaderUnpackerSize] = byte length of the stub, i.e.
;       header_unpacker_end - header_unpacker_start (only when non-NULL)
; Exposes the stub as an (address, length) pair; the stub itself is not
; executed here.
;-----------------------------------------------------------------------
ExportHeaderUnpacker proc pdwHeaderUnpackerSize:dword
    mov     eax, pdwHeaderUnpackerSize
    test    eax, eax                        ; caller may pass NULL to skip the size
    jz      @F
    mov     dword ptr[eax], header_unpacker_end - header_unpacker_start
@@:
    mov     eax, header_unpacker_start      ; return value: start of the stub bytes
    ret
ExportHeaderUnpacker endp

; Unpacks a previously compressed file header: makes the header page writable,
; decompresses the original header over it, then restores the page protection.
;
; This is a code fragment, not a procedure. It has no prologue and no `ret`;
; ExportHeaderUnpacker hands out its address and length, and execution falls
; through header_unpacker_end into whatever follows it.
;
; In:    ebx -> LOADER_STRUCT (dwImageBase, dwTotalMemSize, dwUnpackMemSize,
;               pHeader, pUnpack, dwOepDelta are read/written here)
;        ebp -> KERNEL_IAT (pVirtualProtect, pVirtualAlloc, pVirtualFree)
;        Who sets ebx/ebp is outside this file.
; Clobb: eax, ecx, edx, flags (stdcall volatiles of the called APIs)
;
; NOTE(review): none of the API results are checked. A failed VirtualAlloc
; passes NULL as work memory to the decompressor, and a failed first
; VirtualProtect leaves the destination read-only when it is written.
; NOTE(review): dwOepDelta is reused as scratch for the old page protection and
; is overwritten again by the final VirtualProtect, so after this stub it holds
; a protection constant rather than its original contents - confirm that later
; loader code sets or no longer needs the field.
; For analysts: after this stage the header in memory at dwImageBase is the
; decompressed one, so it presumably differs from the header stored in the
; packed file on disk.
header_unpacker_start:

    ; VirtualProtect(dwImageBase, 1, PAGE_READWRITE, &dwOepDelta). Size 1 changes
    ; the whole page containing dwImageBase; previous protection lands in dwOepDelta.
    ; Assumes the decompressed header fits in that page - TODO confirm.
    invoke VIRTUALPROTECT ptr[(KERNEL_IAT ptr[ebp]).pVirtualProtect], (LOADER_STRUCT ptr[ebx]).dwImageBase, 1, PAGE_READWRITE, addr (LOADER_STRUCT ptr[ebx]).dwOepDelta
    ; eax = dwTotalMemSize - dwUnpackMemSize, used as the scratch buffer size.
    mov eax, (LOADER_STRUCT ptr[ebx]).dwTotalMemSize
    sub eax, (LOADER_STRUCT ptr[ebx]).dwUnpackMemSize
    ; eax = VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE): work memory.
    invoke VIRTUALALLOC ptr[(KERNEL_IAT ptr[ebp]).pVirtualAlloc], NULL, eax, MEM_COMMIT, PAGE_READWRITE
    ; pushad/popad keep every general register across the decompressor call, so
    ; eax still holds the work buffer afterwards; the decompressor's own return
    ; value is discarded by popad.
    pushad
    ; pUnpack(dest = dwImageBase, src = pHeader, workmem = eax)
    invoke UNPACK ptr[(LOADER_STRUCT ptr[ebx]).pUnpack], (LOADER_STRUCT ptr[ebx]).dwImageBase, (LOADER_STRUCT ptr[ebx]).pHeader, eax
    popad
    ; VirtualFree(workmem, 0, MEM_RELEASE): release the scratch buffer.
    invoke VIRTUALFREE ptr[(KERNEL_IAT ptr[ebp]).pVirtualFree], eax, 0, MEM_RELEASE
    ; Restore the protection saved in dwOepDelta; the API writes the outgoing
    ; protection back into the same field.
    invoke VIRTUALPROTECT ptr[(KERNEL_IAT ptr[ebp]).pVirtualProtect], (LOADER_STRUCT ptr[ebx]).dwImageBase, 1, (LOADER_STRUCT ptr[ebx]).dwOepDelta, addr (LOADER_STRUCT ptr[ebx]).dwOepDelta

header_unpacker_end:

end
