| 查看: 474 | 回复: 2 | |||
| 当前主题已经存档。 | |||
sdlj8051金虫 (著名写手)
|
[交流]
SEH 於病毒的應用[转贴]
|
||
|
*?@??????b????о???????????????????g???????????????????x?x???????κ????????g ????κ?????????o?P?? ???飺 SEH ????N???????????N?|?|??????????????hume?????SEH in ASM ???о??????? ??Win32 Exception handling for assembler programmers by Jeremy Gordon????????????@? ?????°?? 1.????N???????e???seh??? ?κγ????п??????e?`???F??????????????e??????????????????????????X?? ?????_??????????????????e?????N???п??????????????????e?`??????@????????????? ??]????N????????????????X?????????????????????SEH?????????????e?п?????F???e ?`???@?? SEH ?????е????????????????????SEH ?????????????????????SEH?????? ?????e???a????????? ???????????e??????????????--???????????????????????_??\?е?r???? ?l?F??????????N????????????????????????????????????????o ?????????? ?l?F?? ??????????\?Еr???????????????M???????a???????????????c?????????N?@?????? ?????????????????@?r????????????????m??????????????????????????e???SEH?O???????? ?oAVs??Emulator???@????????????????? 2.?????SEH??????????Emulator?? o????o?????????}??????????N??g???M???????a??????????????_?????b???SEH, ?????????????????????????????u????????????@????M????????????(????????)?^?m???? ???????????s????????@??????????????????????ЩAVs?????????e?`???a?????D?^?m??M??? ????????N?????????M?????????h????????How?? ???????????a: *??????a??????benny's polymorphic engine start:call Set_SEH;?@????????? push offset CONTINUE ; JMP Set_SEH CONTINUE:mov esp, [esp+8];???????? ??????????a???r,??y??????????K??????????? ;????????????????e,??[ESP+8]?????????f???????? push offset Start_Virus ;----_ ??Start_Virus ???????M????e???????????? ret;---- ?????????ret??????Start_Virus?????????magic? Set_SEH:sub edx, edx ;Edx =0 ;???????????masm??????????????,???????????g?e?` ;Assume fs:nothing push dword ptr fs:[edx];???? _EXCEPTIONAL_REGISTRATION_RECORD ?Y???????????? mov fs:[edx], esp;???b???seh ??? mov [edx],edx;????@?e???????????,???edx=0, ?????????????x?????_???????? ;???Emulator ??????????????M??seh ???????(?? CONTINUE: )???^?m? ;?M???????????jmp start?????N????M?????????h???@????????? jmp start ;?C Start_Virus: ..... ..... ?????????! ???????????????]?P????]????N????N??????????o????????????°?????qq:50527053,icq 72424549 email:henrynote@msn.com *??? SEH ????ú??V?????b????????e????(?U?)??????????????????????A????????SEH ???g???????? ????????? ???@??????????????????λ???W?????W???Y??,???????W?????????c??????M???? ???@?e????x??????????????^?????????й??????@??????-???_????к???硣 -------------------------------------------------------------------------------------------------------------- ?????D?d????]????????henrynote??! Henry's WorkShop :http://hackit2000.virtualave.net Thankyou For Very Much ! [ Last edited by sdlj8051 on 2006-10-6 at 12:46 ] |
回复此楼» 猜你喜欢
基金委咋了?2026年的指南还没有出来?
已经有5人回复
-
国自然申请面上模板最新2026版出了吗?
已经有17人回复
-
纳米粒子粒径的测量
已经有8人回复
-
疑惑?
已经有5人回复
-
计算机、0854电子信息(085401-058412)调剂
已经有5人回复
-
Materials Today Chemistry审稿周期
已经有5人回复
-
溴的反应液脱色
已经有7人回复
-
推荐一本书
已经有12人回复
-
基金申报
已经有4人回复
-
常年博士招收(双一流,工科)
已经有4人回复
2楼2006-12-29 01:20:26
 |
3楼2006-12-29 09:49:07