Ó¦¡¶ÍøÂ簲ȫ·¨¡·ÒªÇó£¬×Ô2017Äê10ÔÂ1ÈÕÆð£¬Î´½øÐÐʵÃûÈÏÖ¤½«²»µÃʹÓû¥ÁªÍø¸úÌû·þÎñ¡£Îª±£ÕÏÄúµÄÕʺÅÄܹ»Õý³£Ê¹Óã¬Ç뾡¿ì¶ÔÕʺŽøÐÐÊÖ»úºÅÑéÖ¤£¬¸ÐлÄúµÄÀí½âÓëÖ§³Ö£¡

24СʱÈÈÃÅ°æ¿éÅÅÐаñ    

Znn3bq.jpeg
Сľ³æÂÛ̳-ѧÊõ¿ÆÑл¥¶¯Æ½Ì¨ » רҵѧ¿ÆÇø » ÐÅÏ¢¿Æѧ » SEH 춲¡¶¾µÄ‘ªÓÃ[תÌù]
ÉÇÍ·´óѧº£Ñó¿Æѧ½ÓÊܵ÷¼Á
31/1·µ»ØÁбí
²é¿´: 536  |  »Ø¸´: 2
Ö»¿´Â¥Ö÷ @ËûÈË ´æµµ лظ´ÌáÐÑ (ºöÂÔ) ÊÕ²Ø    ÔÚAPPÖв鿴
µ±Ç°Ö÷ÌâÒѾ­´æµµ¡£

sdlj8051

½ð³æ (ÖøÃûдÊÖ)

[½»Á÷] SEH 춲¡¶¾µÄ‘ªÓÃ[תÌù]

*?@??????b????§à???????????????????g???????????????????x?x???????¦Ê????????g
????¦Ê?????????o?P??


???ï“

SEH ????N???????????N?|?|??????????????hume?????SEH in ASM ???§à???????
??Win32 Exception handling for assembler programmers by Jeremy Gordon????????????@?
?????¡ã??


1.????N???????e???seh???

?¦Ê¦Ã????§á??????e?`???F??????????????e??????????????????????????X??
?????_??????????????????e?????N???§á??????????????????e?`??????@?????????????
??]????N????????????????X?????????????????????SEH?????????????e?§á?????F???e
?`???@?? SEH ?????§Ö????????????????????SEH ?????????????????????SEH??????
?????e???a?????????

???????????e??????????????--???????????????????????_??\?§Ö?r????
?l?F??????????N????????????????????????????????????????o ?????????? ?l?F??

??????????\?§¦r???????????????M???????a???????????????c?????????N?@??????
?????????????????@?r????????????????m??????????????????????????e???SEH?O????????
?oAVs??Emulator???@?????????????????



2.?????SEH??????????Emulator??


o????o?????????}??????????N??g???M???????a??????????????_?????b???SEH,
?????????????????????????????u????????????@????M????????????(????????)?^?m????
???????????s????????@??????????????????????§»AVs?????????e?`???a?????D?^?m??M???
????????N?????????M?????????h????????How?? ???????????a:

*??????a??????benny's polymorphic engine

start:call Set_SEH;?@????????? push offset CONTINUE
;      JMP Set_SEH
CONTINUE:mov esp, [esp+8];???????? ??????????a???r,??y??????????K???????????                          
                                       ;????????????????e,??[ESP+8]?????????f????????


push offset Start_Virus ;----_ ??Start_Virus ???????M????e????????????
ret;----  ?????????ret??????Start_Virus?????????magic?



Set_SEH:sub edx, edx            ;Edx =0

;???????????masm??????????????,???????????g?e?`
;Assume fs:nothing

push dword ptr fs:[edx];???? _EXCEPTIONAL_REGISTRATION_RECORD ?Y????????????
mov fs:[edx], esp;???b???seh ???
mov [edx],edx;????@?e???????????,???edx=0, ?????????????x?????_????????

;???Emulator ??????????????M??seh ???????(?? CONTINUE: )???^?m?
;?M???????????jmp start?????N????M?????????h???@?????????
               jmp start       ;?C


Start_Virus:    .....
.....

?????????!
???????????????]?P????]????N????N??????????o????????????¡ã?????qq:50527053,icq 72424549
email:henrynote@msn.com


*???
SEH ????¨²??V?????b????????e????(?U?)??????????????????????A????????SEH ???g????????
?????????
???@??????????????????¦Ë???W?????W???Y??,???????W?????????c??????M????
???@?e????x??????????????^?????????§Û??????@??????-???_????§Ü???³‡

--------------------------------------------------------------------------------------------------------------
?????D?d????]????????henrynote??! Henry's WorkShop :http://hackit2000.virtualave.net
Thankyou For Very Much !

[ Last edited by sdlj8051 on 2006-10-6 at 12:46 ]
»Ø¸´´ËÂ¥

» ²ÂÄãϲ»¶
1Â¥ 2006-08-23 13:52:49
ÒÑÔÄ   »Ø¸´´ËÂ¥   ¹Ø×¢TA ¸øTA·¢ÏûÏ¢ ËÍTAºì»¨ TAµÄ»ØÌû

gph-rabbit

½ð³æ (СÓÐÃûÆø)
¿´¿´ÁË£¬Ð»Ð»¡£
»Ø¸´´ËÂ¥
2Â¥2006-12-29 01:20:26
ÒÑÔÄ   »Ø¸´´ËÂ¥   ¹Ø×¢TA ¸øTA·¢ÏûÏ¢ ËÍTAºì»¨ TAµÄ»ØÌû

hezhi200512
3Â¥2006-12-29 09:49:07
ÒÑÔÄ   »Ø¸´´ËÂ¥   ¹Ø×¢TA ¸øTA·¢ÏûÏ¢ ËÍTAºì»¨ TAµÄ»ØÌû
Ïà¹Ø°æ¿éÌøת ÎÒÒª¶©ÔÄÂ¥Ö÷ sdlj8051 µÄÖ÷Ìâ¸üÐÂ
31/1·µ»ØÁбí
ÆÕͨ±íÇé Áú Íà »¢ è ¸ß¼¶»Ø¸´ (¿ÉÉÏ´«¸½¼þ)
×î¾ßÈËÆøÈÈÌûÍƼö [²é¿´È«²¿] ×÷Õß »Ø/¿´ ×îºó·¢±í
[¿¼ÑÐ] Çóµ÷¼Á +9 ºÎÆøÕý 2026-04-13 10/500 2026-04-13 15:18 by ¸ø¸öÊé
[¿¼ÑÐ] 0856ר˶Çóµ÷¼Á Ï£ÍûÊÇaÇøԺУ +23 ºÃºÃÐÝÏ¢ºÃ²»ºÃ 2026-04-09 26/1300 2026-04-13 14:22 by ÕÅzhihao
[¿¼ÑÐ] 293Çóµ÷¼Á +15 ÎÒ°®¸ßÊý¸ßÊý°®Î 2026-04-12 16/800 2026-04-13 11:56 by 414435937
[¿¼ÑÐ] 366Çóµ÷¼Á +9 ²»ÖªÃûµÄСئ 2026-04-11 9/450 2026-04-13 01:19 by ÐÒÃâ ..
[¿¼ÑÐ] 296Çóµ÷¼Á +14 Íô£¡£¿£¡ 2026-04-10 16/800 2026-04-12 10:48 by zhouyuwinner
[ÕÒ¹¤×÷] ɽ¶«¸ßУ½Ìʦ¿¼ºË³¬¼¶ÎÞµ×Ïߣ¬Ô±¹¤¹ý²»ÏÂÈ¥À² +4 qut2026 2026-04-09 9/450 2026-04-12 00:54 by qut2026
[¿¼ÑÐ] ҩѧר˶µ÷¼Á +8 ? һ·Éú?»¨? 2026-04-10 10/500 2026-04-11 21:21 by zhouxiaoyu
[¿¼ÑÐ] µ÷¼Á +10 Ö»ÐðÀë±ð´Ç 2026-04-09 12/600 2026-04-11 20:57 by ÄæË®³Ë·ç
[¿¼ÑÐ] ũѧ0904 312Çóµ÷¼Á +3 Say Never 2026-04-11 3/150 2026-04-11 17:22 by daydayup2005
[¿¼ÑÐ] 269Çóµ÷¼Á +11 °¡°¡ÎÒÎÒ 2026-04-07 11/550 2026-04-11 16:45 by vgtyfty
[¿¼ÑÐ] Çóµ÷¼Á +3 θ¾·ÂÎÀÛÁË 2026-04-11 5/250 2026-04-11 14:13 by luhong1990
[¿¼ÑÐ] µ÷¼Á +4 µçÆø300Çóµ÷¼Á²» 2026-04-08 7/350 2026-04-11 10:44 by ×ÏêØ×ÏÆå
[¿¼ÑÐ] 22408 352·ÖÇóµ÷¼Á0854Àà +4 ŬÁ¦µÄÏÄÄ© 2026-04-09 4/200 2026-04-11 09:57 by zhq0425
[¿¼ÑÐ] 282£¬Çóµ÷¼Á +12 jggshjkkm 2026-04-09 14/700 2026-04-11 09:39 by Öí»á·É
[¿¼ÑÐ] 298Çóµ÷¼Á +9 ¶¤¶£ß˶¬¹Ï 2026-04-07 11/550 2026-04-11 09:35 by zhq0425
[¿¼ÑÐ] 284Çóµ÷¼Á +9 ÈÃÎÒÉÏ°¶°É°¢Î÷ 2026-04-09 11/550 2026-04-10 19:18 by ¾¸jing
[ÂÛÎÄͶ¸å] mdpiСÐÞrvrʱ¼äËÄÎåÌìÁË 20+3 ¹þ¹þhigh 2026-04-08 5/250 2026-04-10 16:02 by ±±¾©À³ÒðÈóÉ«
[¿¼ÑÐ] Èí¼þ¹¤³ÌÇóµ÷¼Á22Èí¹¤296·ÖÇóµ÷¼Á£¬½ÓÊÜ¿çµ÷ +4 yangchen2017 2026-04-08 5/250 2026-04-08 21:56 by ÍÁľ˶ʿÕÐÉú
[¿¼ÑÐ] 338Çóµ÷¼Á +5 СÖíºìÉ« 678 2026-04-06 6/300 2026-04-07 21:18 by ÇÇßÕßÕßÕ
[¿¼ÑÐ] Ò»Ö¾Ô¸Î÷ÄÏ090202Çóµ÷¼Á +4 ÔÚÏßÇóÓÐѧÉÏ 2026-04-07 4/200 2026-04-07 19:47 by biomichael
ÐÅÏ¢Ìáʾ
¹Ø±Õ
ÇëÌî´¦ÀíÒâ¼û
¹Ø±Õ