| 查看: 527 | 回复: 2 | |||
| 当前主题已经存档。 | |||
sdlj8051金虫 (著名写手)
|
[交流]
SEH 於病毒的應用[转贴]
|
||
|
*?@??????b????о???????????????????g???????????????????x?x???????κ????????g ????κ?????????o?P?? ???飺 SEH ????N???????????N?|?|??????????????hume?????SEH in ASM ???о??????? ??Win32 Exception handling for assembler programmers by Jeremy Gordon????????????@? ?????°?? 1.????N???????e???seh??? ?κγ????п??????e?`???F??????????????e??????????????????????????X?? ?????_??????????????????e?????N???п??????????????????e?`??????@????????????? ??]????N????????????????X?????????????????????SEH?????????????e?п?????F???e ?`???@?? SEH ?????е????????????????????SEH ?????????????????????SEH?????? ?????e???a????????? ???????????e??????????????--???????????????????????_??\?е?r???? ?l?F??????????N????????????????????????????????????????o ?????????? ?l?F?? ??????????\?Еr???????????????M???????a???????????????c?????????N?@?????? ?????????????????@?r????????????????m??????????????????????????e???SEH?O???????? ?oAVs??Emulator???@????????????????? 2.?????SEH??????????Emulator?? o????o?????????}??????????N??g???M???????a??????????????_?????b???SEH, ?????????????????????????????u????????????@????M????????????(????????)?^?m???? ???????????s????????@??????????????????????ЩAVs?????????e?`???a?????D?^?m??M??? ????????N?????????M?????????h????????How?? ???????????a: *??????a??????benny's polymorphic engine start:call Set_SEH;?@????????? push offset CONTINUE ; JMP Set_SEH CONTINUE:mov esp, [esp+8];???????? ??????????a???r,??y??????????K??????????? ;????????????????e,??[ESP+8]?????????f???????? push offset Start_Virus ;----_ ??Start_Virus ???????M????e???????????? ret;---- ?????????ret??????Start_Virus?????????magic? Set_SEH:sub edx, edx ;Edx =0 ;???????????masm??????????????,???????????g?e?` ;Assume fs:nothing push dword ptr fs:[edx];???? _EXCEPTIONAL_REGISTRATION_RECORD ?Y???????????? mov fs:[edx], esp;???b???seh ??? mov [edx],edx;????@?e???????????,???edx=0, ?????????????x?????_???????? ;???Emulator ??????????????M??seh ???????(?? CONTINUE: )???^?m? ;?M???????????jmp start?????N????M?????????h???@????????? jmp start ;?C Start_Virus: ..... ..... ?????????! ???????????????]?P????]????N????N??????????o????????????°?????qq:50527053,icq 72424549 email:henrynote@msn.com *??? SEH ????ú??V?????b????????e????(?U?)??????????????????????A????????SEH ???g???????? ????????? ???@??????????????????λ???W?????W???Y??,???????W?????????c??????M???? ???@?e????x??????????????^?????????й??????@??????-???_????к???硣 -------------------------------------------------------------------------------------------------------------- ?????D?d????]????????henrynote??! Henry's WorkShop :http://hackit2000.virtualave.net Thankyou For Very Much ! [ Last edited by sdlj8051 on 2006-10-6 at 12:46 ] |
回复此楼» 猜你喜欢
085600材料与化工调剂
已经有10人回复
-
279分求调剂 一志愿211
已经有18人回复
-
0703化学求调剂
已经有5人回复
-
材料292调剂
已经有3人回复
-
一志愿陕师大生物学071000,298分,求调剂
已经有3人回复
-
306求0703调剂一志愿华中师范
已经有7人回复
-
333求调剂
已经有3人回复
-
335求调剂
已经有4人回复
-
336求调剂
已经有4人回复
-
303求调剂
已经有4人回复
2楼2006-12-29 01:20:26
 |
3楼2006-12-29 09:49:07
10