| 查看: 535 | 回复: 2 | |||
| 当前主题已经存档。 | |||
sdlj8051金虫 (著名写手)
|
[交流]
SEH 於病毒的應用[转贴]
|
||
|
*?@??????b????о???????????????????g???????????????????x?x???????κ????????g ????κ?????????o?P?? ???飺 SEH ????N???????????N?|?|??????????????hume?????SEH in ASM ???о??????? ??Win32 Exception handling for assembler programmers by Jeremy Gordon????????????@? ?????°?? 1.????N???????e???seh??? ?κγ????п??????e?`???F??????????????e??????????????????????????X?? ?????_??????????????????e?????N???п??????????????????e?`??????@????????????? ??]????N????????????????X?????????????????????SEH?????????????e?п?????F???e ?`???@?? SEH ?????е????????????????????SEH ?????????????????????SEH?????? ?????e???a????????? ???????????e??????????????--???????????????????????_??\?е?r???? ?l?F??????????N????????????????????????????????????????o ?????????? ?l?F?? ??????????\?Еr???????????????M???????a???????????????c?????????N?@?????? ?????????????????@?r????????????????m??????????????????????????e???SEH?O???????? ?oAVs??Emulator???@????????????????? 2.?????SEH??????????Emulator?? o????o?????????}??????????N??g???M???????a??????????????_?????b???SEH, ?????????????????????????????u????????????@????M????????????(????????)?^?m???? ???????????s????????@??????????????????????ЩAVs?????????e?`???a?????D?^?m??M??? ????????N?????????M?????????h????????How?? ???????????a: *??????a??????benny's polymorphic engine start:call Set_SEH;?@????????? push offset CONTINUE ; JMP Set_SEH CONTINUE:mov esp, [esp+8];???????? ??????????a???r,??y??????????K??????????? ;????????????????e,??[ESP+8]?????????f???????? push offset Start_Virus ;----_ ??Start_Virus ???????M????e???????????? ret;---- ?????????ret??????Start_Virus?????????magic? Set_SEH:sub edx, edx ;Edx =0 ;???????????masm??????????????,???????????g?e?` ;Assume fs:nothing push dword ptr fs:[edx];???? _EXCEPTIONAL_REGISTRATION_RECORD ?Y???????????? mov fs:[edx], esp;???b???seh ??? mov [edx],edx;????@?e???????????,???edx=0, ?????????????x?????_???????? ;???Emulator ??????????????M??seh ???????(?? CONTINUE: )???^?m? ;?M???????????jmp start?????N????M?????????h???@????????? jmp start ;?C Start_Virus: ..... ..... ?????????! ???????????????]?P????]????N????N??????????o????????????°?????qq:50527053,icq 72424549 email:henrynote@msn.com *??? SEH ????ú??V?????b????????e????(?U?)??????????????????????A????????SEH ???g???????? ????????? ???@??????????????????λ???W?????W???Y??,???????W?????????c??????M???? ???@?e????x??????????????^?????????й??????@??????-???_????к???硣 -------------------------------------------------------------------------------------------------------------- ?????D?d????]????????henrynote??! Henry's WorkShop :http://hackit2000.virtualave.net Thankyou For Very Much ! [ Last edited by sdlj8051 on 2006-10-6 at 12:46 ] |
回复此楼» 猜你喜欢
271求调剂
已经有34人回复
-
327求调剂
已经有10人回复
-
297求调剂
已经有23人回复
-
材料工程281还有调剂机会吗
已经有33人回复
-
各位老师好,求调剂,本科211,一志愿天津大学生物与医药学硕,差两名录取。
已经有4人回复
-
本科郑州大学,一志愿华东师范大学282求调剂
已经有32人回复
-
求调剂
已经有10人回复
-
一志愿211 0703化学 346分求调剂
已经有29人回复
-
化工学硕294分,求导师收留
已经有22人回复
-
327求调剂
已经有17人回复
2楼2006-12-29 01:20:26
 |
3楼2006-12-29 09:49:07
