| ²é¿´: 523 | »Ø¸´: 2 | |||
| µ±Ç°Ö÷ÌâÒѾ´æµµ¡£ | |||
sdlj8051½ð³æ (ÖøÃûдÊÖ)
|
[½»Á÷]
SEH 춲¡¶¾µÄ‘ªÓÃ[תÌù]
|
||
|
*?@??????b????§à???????????????????g???????????????????x?x???????¦Ê????????g ????¦Ê?????????o?P?? ???ï“ SEH ????N???????????N?|?|??????????????hume?????SEH in ASM ???§à??????? ??Win32 Exception handling for assembler programmers by Jeremy Gordon????????????@? ?????¡ã?? 1.????N???????e???seh??? ?¦Ê¦Ã????§á??????e?`???F??????????????e??????????????????????????X?? ?????_??????????????????e?????N???§á??????????????????e?`??????@????????????? ??]????N????????????????X?????????????????????SEH?????????????e?§á?????F???e ?`???@?? SEH ?????§Ö????????????????????SEH ?????????????????????SEH?????? ?????e???a????????? ???????????e??????????????--???????????????????????_??\?§Ö?r???? ?l?F??????????N????????????????????????????????????????o ?????????? ?l?F?? ??????????\?§¦r???????????????M???????a???????????????c?????????N?@?????? ?????????????????@?r????????????????m??????????????????????????e???SEH?O???????? ?oAVs??Emulator???@????????????????? 2.?????SEH??????????Emulator?? o????o?????????}??????????N??g???M???????a??????????????_?????b???SEH, ?????????????????????????????u????????????@????M????????????(????????)?^?m???? ???????????s????????@??????????????????????§»AVs?????????e?`???a?????D?^?m??M??? ????????N?????????M?????????h????????How?? ???????????a: *??????a??????benny's polymorphic engine start:call Set_SEH;?@????????? push offset CONTINUE ; JMP Set_SEH CONTINUE:mov esp, [esp+8];???????? ??????????a???r,??y??????????K??????????? ;????????????????e,??[ESP+8]?????????f???????? push offset Start_Virus ;----_ ??Start_Virus ???????M????e???????????? ret;---- ?????????ret??????Start_Virus?????????magic? Set_SEH:sub edx, edx ;Edx =0 ;???????????masm??????????????,???????????g?e?` ;Assume fs:nothing push dword ptr fs:[edx];???? _EXCEPTIONAL_REGISTRATION_RECORD ?Y???????????? mov fs:[edx], esp;???b???seh ??? mov [edx],edx;????@?e???????????,???edx=0, ?????????????x?????_???????? ;???Emulator ??????????????M??seh ???????(?? CONTINUE: )???^?m? ;?M???????????jmp start?????N????M?????????h???@????????? jmp start ;?C Start_Virus: ..... ..... ?????????! ???????????????]?P????]????N????N??????????o????????????¡ã?????qq:50527053,icq 72424549 email:henrynote@msn.com *??? SEH ????¨²??V?????b????????e????(?U?)??????????????????????A????????SEH ???g???????? ????????? ???@??????????????????¦Ë???W?????W???Y??,???????W?????????c??????M???? ???@?e????x??????????????^?????????§Û??????@??????-???_????§Ü???³‡ -------------------------------------------------------------------------------------------------------------- ?????D?d????]????????henrynote??! Henry's WorkShop :http://hackit2000.virtualave.net Thankyou For Very Much ! [ Last edited by sdlj8051 on 2006-10-6 at 12:46 ] |
»Ø¸´´ËÂ¥» ²ÂÄãϲ»¶
316Çóµ÷¼Á
ÒѾÓÐ7È˻ظ´
-
²ÄÁÏÓ뻯¹¤¿¼Ñе÷¼Á
ÒѾÓÐ4È˻ظ´
-
Ò»Ö¾Ô¸ÖØÇì´óѧ085700×ÊÔ´Óë»·¾³£¬×Ü·Ö308Çóµ÷¼Á
ÒѾÓÐ7È˻ظ´
-
Ò»Ö¾Ô¸211 ³õÊÔ270·Ö Çóµ÷¼Á
ÒѾÓÐ4È˻ظ´
-
08¹¤Ñ§µ÷¼Á
ÒѾÓÐ11È˻ظ´
-
350Çóµ÷¼Á
ÒѾÓÐ6È˻ظ´
-
Çóµ÷¼ÁÒ»Ö¾Ô¸Î人Àí¹¤´óѧ²ÄÁϹ¤³Ì£¨085601£©
ÒѾÓÐ4È˻ظ´
-
½ÓÊÕ2026˶ʿµ÷¼Á(ѧ˶+ר˶)
ÒѾÓÐ6È˻ظ´
-
081700 µ÷¼Á 267·Ö
ÒѾÓÐ5È˻ظ´
-
328Çóµ÷¼Á
ÒѾÓÐ4È˻ظ´
gph-rabbit
½ð³æ (СÓÐÃûÆø)
- Ó¦Öú: 0 (Ó׶ùÔ°)
- ½ð±Ò: 6187.4
- Ìû×Ó: 141
- ÔÚÏß: 85.2Сʱ
- ³æºÅ: 283155
- ×¢²á: 2006-10-08
- רҵ: ÐÅÏ¢°²È«
2Â¥2006-12-29 01:20:26
 |
3Â¥2006-12-29 09:49:07
