.CONTEXT_Edi dd ?
.CONTEXT_Esi dd ?
.CONTEXT_Ebx dd ?
.CONTEXT_Edx dd ?
.CONTEXT_Ecx dd ?
.CONTEXT_Eax dd ?
.CONTEXT_Ebp dd ?
.CONTEXT_Eip dd ?
.CONTEXT_SegCs dd ?
.CONTEXT_EFlags dd ?
.CONTEXT_Esp dd ?
.CONTEXT_SegSS dd ?
.size = $-.CONTEXT_ContextFlags
}
virtual at 0
vContext CONTEXT                        ; vContext.<field> = byte offset of that CONTEXT field; no data is emitted
end virtual
;
; now something related to SEH (Structured Exception Handling)
;
; first, the ERR structure...
; EXCEPTION_REGISTRATION_RECORD - one link of the per-thread handler chain
; whose head lives at fs:[0]. @SEH_SetupFrame builds one of these on the stack.
struc EXCEPTION_REGISTRATION_RECORD
{
.ERR_prev_structure dd ?                ; next (older) record in the chain; -1 terminates the list
.ERR_ExceptionHandler dd ?              ; handler entry point the dispatcher calls for this frame
.size = $-.ERR_prev_structure           ; 8 bytes
}
; exception record...
; EXCEPTION_RECORD - describes one exception; a pointer to it is the first
; argument of the handler (see Exception_Handler below).
struc EXCEPTION_RECORD
{
.ER_ExceptionCode dd ?                  ; NTSTATUS code, see the EXCEPTION_* constantz below
.ER_ExceptionFlags dd ?                 ; flag bits, e.g. EXCEPTION_NONCONTINUABLE
.ER_ExceptionRecord dd ?                ; nested EXCEPTION_RECORD* (exception raised inside a handler) or NULL
.ER_ExceptionAddress dd ?               ; address of the faulting instruction
.ER_NumberParameters dd ?               ; how many of the .ER_ExceptionInformation entries are valid
.ER_ExceptionInformation:               ; code-specific data; 15 = EXCEPTION_MAXIMUM_PARAMETERS
times 15 dd ?
.size = $-.ER_ExceptionCode             ; 5*4 + 15*4 = 80 bytes
}
virtual at 0
vER EXCEPTION_RECORD                    ; vER.<field> = offset into an EXCEPTION_RECORD; nothing emitted
end virtual
; exception pointers...
; EXCEPTION_POINTERS - the pair handed to a filter (what GetExceptionInformation returns)
struc EXCEPTION_POINTERS
{
.EP_ExceptionRecord dd ?                ; EXCEPTION_RECORD*
.EP_ContextRecord dd ?                  ; CONTEXT* - register state at the time of the exception
.size = $-.EP_ExceptionRecord           ; 8 bytes
}
virtual at 0
vEP EXCEPTION_POINTERS                  ; vEP.<field> = offset into an EXCEPTION_POINTERS; nothing emitted
end virtual
; now some constantz and return valuez related to SEH
; Filter return values (what a C __except(...) expression yields).
; NOTE: these are NOT what a raw fs:[0] handler returns - that one returns an
; EXCEPTION_DISPOSITION, where ExceptionContinueExecution = 0 and
; ExceptionContinueSearch = 1. Do not mix the two sets.
EXCEPTION_EXECUTE_HANDLER equ 1
EXCEPTION_CONTINUE_SEARCH equ 0
EXCEPTION_CONTINUE_EXECUTION equ -1
; Exception codes (NTSTATUS values seen in EXCEPTION_RECORD.ER_ExceptionCode).
; 0C......h = error severity, 08......h = warning severity (debug events).
EXCEPTION_ACCESS_VIOLATION equ 0C0000005h
EXCEPTION_DATATYPE_MISALIGNMENT equ 080000002h
EXCEPTION_BREAKPOINT equ 080000003h
EXCEPTION_SINGLE_STEP equ 080000004h
EXCEPTION_ARRAY_BOUNDS_EXCEEDED equ 0C000008Ch
EXCEPTION_FLT_DENORMAL_OPERAND equ 0C000008Dh
EXCEPTION_FLT_DIVIDE_BY_ZERO equ 0C000008Eh
EXCEPTION_FLT_INEXACT_RESULT equ 0C000008Fh
EXCEPTION_FLT_INVALID_OPERATION equ 0C0000090h
EXCEPTION_FLT_OVERFLOW equ 0C0000091h
EXCEPTION_FLT_STACK_CHECK equ 0C0000092h
EXCEPTION_FLT_UNDERFLOW equ 0C0000093h
EXCEPTION_INT_DIVIDE_BY_ZERO equ 0C0000094h
EXCEPTION_INT_OVERFLOW equ 0C0000095h
EXCEPTION_PRIV_INSTRUCTION equ 0C0000096h
EXCEPTION_IN_PAGE_ERROR equ 0C0000006h
EXCEPTION_ILLEGAL_INSTRUCTION equ 0C000001Dh
EXCEPTION_NONCONTINUABLE_EXCEPTION equ 0C0000025h
EXCEPTION_STACK_OVERFLOW equ 0C00000FDh
EXCEPTION_INVALID_DISPOSITION equ 0C0000026h
EXCEPTION_GUARD_PAGE equ 080000001h
; the structure to access the exception handler function's argumentz
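; Exception_Handler - the stack as seen at the entry of a raw fs:[0] handler:
; [esp] is the return address into the dispatcher, [esp+4..] its four argumentz.
; @SEH_SetupFrame reads [esp+vEH.EH_EstablisherFrame] to get back its own frame.
struc Exception_Handler
{
.EH_Dummy dd ?                          ; [esp+0]: return address into the dispatcher
.EH_ExceptionRecord dd ?                ; arg 1: EXCEPTION_RECORD*
.EH_EstablisherFrame dd ?               ; arg 2: the EXCEPTION_REGISTRATION_RECORD this handler belongs to
.EH_ContextRecord dd ?                  ; arg 3: CONTEXT* - registers at the time of the exception
.EH_DispatcherContext dd ?              ; arg 4: dispatcher context (opaque here)
.size = $-.EH_Dummy                     ; 20 bytes; added so vEH.size exists like vER.size / vEP.size
}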
virtual at 0
vEH Exception_Handler                   ; vEH.<field> = esp-relative offset at handler entry; nothing emitted
end virtual
;
; the following two macroz provide fast and powerful SEH support for
; Win32 applicationz in a few linez of code.
;
; @SEH_SetupFrame ExceptionHandler
;   Builds an EXCEPTION_REGISTRATION_RECORD {prev, handler} on the stack and
;   links it in at fs:[0]. The handler is the inline code given as
;   ExceptionHandler: when an exception reaches this frame, execution lands on
;   the "mov esp,..." below with esp reset to the frame and then falls into
;   ExceptionHandler; it never returns a disposition to the dispatcher unless
;   that code does so itself.
;   Stack:   8 bytes pushed (undo with @SEH_RemoveFrame).
;   Clobb:   edx (here and, via the push/mov, nothing else).
;   NOTE(review): the handler address is a stack location rather than an
;   image-registered one - confirm how the target's SafeSEH/SEHOP policy
;   treats such frames before relying on this.
macro @SEH_SetupFrame ExceptionHandler
{
local set_new_eh
call set_new_eh                         ; pushes the address of the next line = ERR_ExceptionHandler
mov esp,[esp+vEH.EH_EstablisherFrame]   ; handler entry: drop the dispatcher's stack, esp -> our ERR
ExceptionHandler                        ; caller's code, entered only on an exception
set_new_eh:
xor edx,edx                             ; edx = 0, used as the fs:[0] offset below
push dword [fs:edx]                     ; ERR_prev_structure = current chain head
mov [fs:edx],esp                        ; fs:[0] = this new {prev, handler} record
}
; @SEH_RemoveFrame
;   Undoes @SEH_SetupFrame. Precondition: esp points at the record that macro
;   pushed (i.e. nothing else is left on the stack above it).
;   Stack:   8 bytes popped.   Clobb: edx.
macro @SEH_RemoveFrame
{
xor edx,edx                             ; edx = 0, fs:[0] offset
pop dword [fs:edx]                      ; fs:[0] = ERR_prev_structure (relink the old head)
pop edx                                 ; discard ERR_ExceptionHandler
}
;
; here's some useful constantz used in Win32 apiz
;
; Some global constantz...
NULL equ 0
FALSE equ 0
TRUE equ 1
MAX_PATH equ 260                        ; max path length incl. terminating NUL
INVALID_HANDLE_VALUE equ -1             ; CreateFile failure value (compare against this, not NULL)
STANDARD_RIGHTS_REQUIRED equ 000F0000h  ; DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER
; Desired access valuez...
GENERIC_READ equ 80000000h
GENERIC_WRITE equ 40000000h
; Share mode valuez...
FILE_SHARE_READ equ 00000001h
FILE_SHARE_WRITE equ 00000002h
; Creation disposition valuez...
CREATE_NEW equ 1                        ; fail if the file exists
CREATE_ALWAYS equ 2                     ; create or truncate
OPEN_EXISTING equ 3                     ; fail if the file does not exist
OPEN_ALWAYS equ 4                       ; open or create
TRUNCATE_EXISTING equ 5                 ; open and truncate; needs GENERIC_WRITE
; File attributez and flag valuez...
FILE_ATTRIBUTE_READONLY equ 00000001h
FILE_ATTRIBUTE_HIDDEN equ 00000002h
FILE_ATTRIBUTE_SYSTEM equ 00000004h
FILE_ATTRIBUTE_DIRECTORY equ 00000010h
FILE_ATTRIBUTE_ARCHIVE equ 00000020h
FILE_ATTRIBUTE_NORMAL equ 00000080h     ; only valid on its own
FILE_ATTRIBUTE_TEMPORARY equ 00000100h
; NOTE(review): the three names below come from old SDK headers; current
; headers assign these bit positions to other attributes (0200h / 0400h /
; 1000h) - verify against the target SDK before relying on the names.
FILE_ATTRIBUTE_ATOMIC_WRITE equ 00000200h
FILE_ATTRIBUTE_XACTION_WRITE equ 00000400h
FILE_ATTRIBUTE_COMPRESSED equ 00000800h
FILE_ATTRIBUTE_HAS_EMBEDDING equ 00001000h
; FILE_FLAG_* live in the same dwFlagsAndAttributes argument as the attributes
FILE_FLAG_POSIX_SEMANTICS equ 01000000h
FILE_FLAG_BACKUP_SEMANTICS equ 02000000h
FILE_FLAG_DELETE_ON_CLOSE equ 04000000h
FILE_FLAG_SEQUENTIAL_SCAN equ 08000000h
FILE_FLAG_RANDOM_ACCESS equ 10000000h
FILE_FLAG_NO_BUFFERING equ 20000000h
FILE_FLAG_OVERLAPPED equ 40000000h
FILE_FLAG_WRITE_THROUGH equ 80000000h
; Protection and other valuez...
; Section object access rights (the FILE_MAP_* names below alias them)
SECTION_QUERY equ 00000001h
SECTION_MAP_WRITE equ 00000002h
SECTION_MAP_READ equ 00000004h
SECTION_MAP_EXECUTE equ 00000008h
SECTION_EXTEND_SIZE equ 00000010h
; every section right plus the standard rights; 000F001Fh
SECTION_ALL_ACCESS equ STANDARD_RIGHTS_REQUIRED OR \
SECTION_QUERY OR \
SECTION_MAP_WRITE OR \
SECTION_MAP_READ OR \
SECTION_MAP_EXECUTE OR \
SECTION_EXTEND_SIZE
; MapViewOfFile dwDesiredAccess valuez
FILE_MAP_COPY equ SECTION_QUERY         ; copy-on-write view
FILE_MAP_WRITE equ SECTION_MAP_WRITE
FILE_MAP_READ equ SECTION_MAP_READ
FILE_MAP_ALL_ACCESS equ SECTION_ALL_ACCESS
; Page protection (CreateFileMapping flProtect / VirtualAlloc flProtect)
PAGE_NOACCESS equ 00000001h
PAGE_READONLY equ 00000002h
PAGE_READWRITE equ 00000004h
PAGE_WRITECOPY equ 00000008h
PAGE_EXECUTE equ 00000010h
PAGE_EXECUTE_READ equ 00000020h
PAGE_EXECUTE_READWRITE equ 00000040h
PAGE_EXECUTE_WRITECOPY equ 00000080h
PAGE_GUARD equ 00000100h                ; modifier: first touch raises EXCEPTION_GUARD_PAGE
PAGE_NOCACHE equ 00000200h              ; modifier
; VirtualAlloc / VirtualFree / VirtualQuery state and type bits
MEM_COMMIT equ 00001000h
MEM_RESERVE equ 00002000h
MEM_DECOMMIT equ 00004000h
MEM_RELEASE equ 00008000h
MEM_FREE equ 00010000h
MEM_PRIVATE equ 00020000h
MEM_MAPPED equ 00040000h
MEM_TOP_DOWN equ 00100000h
; CreateFileMapping flProtect modifiers (SEC_*)
SEC_FILE equ 00800000h
SEC_IMAGE equ 01000000h
SEC_RESERVE equ 04000000h
SEC_COMMIT equ 08000000h
SEC_NOCACHE equ 10000000h
MEM_IMAGE equ SEC_IMAGE
; Code Page valuez...
; code page identifiers for the MultiByteToWideChar / WideCharToMultiByte family
CP_ACP equ 0 ; ANSI code page
CP_OEMCP equ 1 ; OEM code page
CP_MACCP equ 2 ; MAC code page
; Message Box support valuez...
; MessageBox uType: button set (low nibble), icon (next nibble), default
; button, modality - OR one value from each group.
MB_OK equ 00000000h
MB_OKCANCEL equ 00000001h
MB_ABORTRETRYIGNORE equ 00000002h
MB_YESNOCANCEL equ 00000003h
MB_YESNO equ 00000004h
MB_RETRYCANCEL equ 00000005h
MB_TYPEMASK equ 0000000Fh               ; mask for the button-set group
MB_ICONHAND equ 00000010h
MB_ICONQUESTION equ 00000020h
MB_ICONEXCLAMATION equ 00000030h
MB_ICONASTERISK equ 00000040h
MB_ICONMASK equ 000000F0h               ; mask for the icon group
MB_ICONINFORMATION equ MB_ICONASTERISK  ; alias
MB_ICONSTOP equ MB_ICONHAND             ; alias
MB_DEFBUTTON1 equ 00000000h
MB_DEFBUTTON2 equ 00000100h
MB_DEFBUTTON3 equ 00000200h
MB_DEFMASK equ 00000F00h                ; mask for the default-button group
MB_APPLMODAL equ 00000000h
MB_SYSTEMMODAL equ 00001000h
MB_TASKMODAL equ 00002000h
MB_NOFOCUS equ 00008000h
;
; some useful functionz we use in virus programming
;
; create file functionz...
; @FILE_CreateFileR aCreateFile,pszFileName
;   CreateFile(pszFileName, GENERIC_READ, FILE_SHARE_READ, NULL,
;              OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)
;   aCreateFile: label/register/memory operand holding the API address.
;   pszFileName: a quoted string (pushed via @pushsz, which is defined
;                elsewhere - presumably it pushes the address of an inline
;                copy) or any push operand already holding the pointer.
;   Out: eax = handle or INVALID_HANDLE_VALUE (stdcall; callee cleans the stack).
macro @FILE_CreateFileR aCreateFile,pszFileName
{
push NULL                               ; hTemplateFile
push FILE_ATTRIBUTE_NORMAL              ; dwFlagsAndAttributes
push OPEN_EXISTING                      ; dwCreationDisposition - never creates the file
push NULL                               ; lpSecurityAttributes
push FILE_SHARE_READ                    ; dwShareMode
push GENERIC_READ                       ; dwDesiredAccess
if pszFileName eqtype ""
@pushsz pszFileName                     ; lpFileName from a string literal
else
push pszFileName                        ; lpFileName already a pointer
end if
call aCreateFile
}
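; @FILE_CreateFileRW aCreateFile,pszFileName
;   CreateFile(pszFileName, GENERIC_READ|GENERIC_WRITE,
;              FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
;              OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)
;   Same argument conventions as @FILE_CreateFileR.
;   Out: eax = handle or INVALID_HANDLE_VALUE (stdcall; callee cleans the stack).
;   Fix: dwShareMode was "FILE_SHARE_READ or FILE_SHARE_READ", which is just
;   FILE_SHARE_READ; the RW variant clearly meant READ|WRITE, mirroring the
;   access mask on the next line.
macro @FILE_CreateFileRW aCreateFile,pszFileName
{
push NULL                               ; hTemplateFile
push FILE_ATTRIBUTE_NORMAL              ; dwFlagsAndAttributes
push OPEN_EXISTING                      ; dwCreationDisposition - never creates the file
push NULL                               ; lpSecurityAttributes
push FILE_SHARE_READ or FILE_SHARE_WRITE ; dwShareMode
push GENERIC_READ or GENERIC_WRITE      ; dwDesiredAccess
if pszFileName eqtype ""
@pushsz pszFileName                     ; lpFileName from a string literal
else
push pszFileName                        ; lpFileName already a pointer
end if
call aCreateFile
}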
; file mapping functionz...
; @FILE_CreateFileMappingR aCreateFileMapping,hFile,pszMapName
;   CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, pszMapName)
;   Maximum size 0:0 = size of the file. pszMapName follows the same
;   string-literal / pointer rule as the CreateFile macroz (NULL for unnamed).
;   Out: eax = mapping handle or NULL.
macro @FILE_CreateFileMappingR aCreateFileMapping,hFile,pszMapName
{
if pszMapName eqtype ""
@pushsz pszMapName                      ; lpName from a string literal
else
push pszMapName                         ; lpName pointer (or NULL)
end if
push NULL                               ; dwMaximumSizeLow
push NULL                               ; dwMaximumSizeHigh
push PAGE_READONLY                      ; flProtect
push NULL                               ; lpAttributes
push hFile                              ; hFile - must have been opened with GENERIC_READ
call aCreateFileMapping
}
; @FILE_CreateFileMappingRW aCreateFileMapping,hFile,pszMapName
;   CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, 0, pszMapName)
;   Same conventions as @FILE_CreateFileMappingR; hFile must have been opened
;   with GENERIC_READ|GENERIC_WRITE or the call fails.
;   Out: eax = mapping handle or NULL.
macro @FILE_CreateFileMappingRW aCreateFileMapping,hFile,pszMapName
{
if pszMapName eqtype ""
@pushsz pszMapName                      ; lpName from a string literal
else
push pszMapName                         ; lpName pointer (or NULL)
end if
push NULL                               ; dwMaximumSizeLow
push NULL                               ; dwMaximumSizeHigh
push PAGE_READWRITE                     ; flProtect
push NULL                               ; lpAttributes
push hFile                              ; hFile
call aCreateFileMapping
}
; @FILE_MapViewOfFileR aMapViewOfFile,hMapping
;   MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0)
;   Offset 0 and length 0 = view of the entire mapping, read-only.
;   Out: eax = base address of the view or NULL.
macro @FILE_MapViewOfFileR aMapViewOfFile,hMapping
{
push NULL                               ; dwNumberOfBytesToMap (0 = whole mapping)
push NULL                               ; dwFileOffsetLow
push NULL                               ; dwFileOffsetHigh
push FILE_MAP_READ                      ; dwDesiredAccess
push hMapping                           ; hFileMappingObject
call aMapViewOfFile
}
; @FILE_MapViewOfFileRW aMapViewOfFile,hMapping
;   MapViewOfFile(hMapping, FILE_MAP_READ|FILE_MAP_WRITE, 0, 0, 0)
;   Whole mapping, writable; requires a PAGE_READWRITE mapping.
;   Out: eax = base address of the view or NULL.
macro @FILE_MapViewOfFileRW aMapViewOfFile,hMapping
{
push NULL                               ; dwNumberOfBytesToMap (0 = whole mapping)
push NULL                               ; dwFileOffsetLow
push NULL                               ; dwFileOffsetHigh
push FILE_MAP_READ or FILE_MAP_WRITE    ; dwDesiredAccess
push hMapping                           ; hFileMappingObject
call aMapViewOfFile
}
;
; now come the PE structurez...
;