|
[原创]INC2l -win32版本+源码+演示
海阔天空 08:25:28 使用VC++的LIB工具,带/DEF:(.def文件名) /MACHINE:IX86(80X86机器),就输出符合VC++格式的LIB文件了. EXAMPLE: LIB /DEF:VideoDeCoder.def /MACHINE:IX86 感谢他提供了更,,,代码也我懒得改了,MASM的也一样 |
|
[原创]提取 ShadowSsdt 原始地址代码
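我是为了提取原始参数而已,才写了这个,什么老代码,,前面忽略的是简单才忽略,既然你没能力看懂,那就全部放出来好了

; Translate an RVA of the on-disk image to a pointer inside the read-only file
; mapping at BaseAddr: find the section whose virtual range contains rva and
; use that section's PointerToRawData (the same section-table walk the INIT
; lookup in ShadowSsdt performs).  Returns 0 when no section contains rva.
; Adding rva to BaseAddr directly is only correct when file offsets equal RVAs.
RvaToMapped proc uses esi edi BaseAddr:DWORD, rva:DWORD
    mov esi, BaseAddr
    assume esi:ptr IMAGE_DOS_HEADER
    add esi, [esi].e_lfanew
    assume esi:ptr IMAGE_NT_HEADERS
    movzx ecx, [esi].FileHeader.NumberOfSections
    mov edi, esi
    add edi, sizeof IMAGE_NT_HEADERS
    assume edi:ptr IMAGE_SECTION_HEADER
    .while ecx
        mov eax, rva
        sub eax, [edi].VirtualAddress
        ; unsigned compare: rva in [VirtualAddress, VirtualAddress + VirtualSize)
        .if eax < [edi].Misc.VirtualSize
            add eax, [edi].PointerToRawData
            add eax, BaseAddr
            assume esi:nothing
            assume edi:nothing
            ret
        .endif
        add edi, sizeof IMAGE_SECTION_HEADER
        dec ecx
    .endw
    assume esi:nothing
    assume edi:nothing
    xor eax, eax
    ret
RvaToMapped endp

; Recover the Shadow SSDT (win32k.sys service table) as it exists on disk and
; list it next to the live table obtained through the driver, so a hooked entry
; shows up as a mismatch between the "current" and "original" columns.
; Steps: map <system dir>\win32k.sys read-only, locate the call to
; KeAddSystemServiceTable in its INIT section, take the table addresses from
; the push instructions preceding that call, rebase them against the loaded
; win32k.sys, and fill the list view.  Every failure path jumps to err, which
; releases whatever was acquired.  Reads hStausBar, hMianDlg, TempBuf,
; szWin32ksys, ShadowName, KernelModule and calls FindImport, DisasmLen,
; RVAToFileMap, DumpKernelModule, Communications, GetBelongsSys, all defined
; elsewhere in the project.
ShadowSsdt proc uses esi edi
    local hde:hde32s
    local pSSDT,pSSPT,Indent
    local pKERNEL_MODULE:KERNEL_MODULE
    local Shadow_ServiceTableBase
    local Shadow_NumberOfService
    local Shadow_ParamTableBase
    local Win32Path[MAX_PATH+1]:BYTE
    local ImageBase,Win32Ring0,dwdelta
    local szKeAddSystemServiceTable[30]:BYTE
    local hFile,hFileMap,BaseAddress
    local Import_KeAddSystemServiceTable,Call_KeAddSystemServiceTable
    local ShadowSsdtName,VirtualSize

    ; Zero every handle/pointer the err: block inspects, plus the rebase
    ; values, so nothing uninitialized is freed or used later.
    xor eax, eax
    mov pSSDT, eax
    mov pSSPT, eax
    mov Indent, eax
    mov BaseAddress, eax
    mov hFile, eax
    mov hFileMap, eax
    mov Win32Ring0, eax
    mov dwdelta, eax
    m2m ShadowSsdtName, ShadowName

    ; Build "<system dir>\win32k.sys" and map the file read-only.
    invoke GetSystemDirectory,addr Win32Path,MAX_PATH
    invoke StrLen,addr Win32Path
    mov WORD ptr Win32Path[eax], "\"            ; appends '\' plus a terminating NUL
    invoke StrCat,addr Win32Path,offset szWin32ksys
    invoke CreateFile,addr Win32Path,GENERIC_READ,FILE_SHARE_READ+FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
    .if eax == INVALID_HANDLE_VALUE
    open_err:                                       ; shared by the mapping failures below
        invoke wsprintf,offset TempBuf,offset szScanInline_Open,offset szWin32ksys
        invoke SetWindowText,hStausBar,offset TempBuf
        jmp err
    .endif
    mov hFile, eax
    invoke CreateFileMapping,hFile,NULL,PAGE_READONLY,NULL,NULL,NULL
    or eax, eax
    jz open_err
    mov hFileMap, eax
    invoke MapViewOfFile,hFileMap,FILE_MAP_READ,NULL,NULL,NULL
    or eax, eax
    jz open_err
    mov BaseAddress, eax

    ; The import name is assembled on the stack as six little-endian DWORDs
    ; spelling "KeAddSystemServiceTable\0" (the offsets 12/16/20 are decimal).
    lea eax, szKeAddSystemServiceTable
    mov DWORD ptr[eax+00000000], 06441654Bh     ; "KeAd"
    mov DWORD ptr[eax+00000004], 073795364h     ; "dSys"
    mov DWORD ptr[eax+00000008], 0536D6574h     ; "temS"
    mov DWORD ptr[eax+00000012], 069767265h     ; "ervi"
    mov DWORD ptr[eax+00000016], 061546563h     ; "ceTa"
    mov DWORD ptr[eax+00000020], 000656C62h     ; "ble\0"
    invoke FindImport,BaseAddress,0,eax
    or eax, eax
    jz err
    mov Import_KeAddSystemServiceTable, eax

    ; esi stays on the NT headers until DumpKernelModule is called below.
    mov esi, BaseAddress
    assume esi:ptr IMAGE_DOS_HEADER
    add esi, [esi].e_lfanew
    assume esi:ptr IMAGE_NT_HEADERS
    mov Call_KeAddSystemServiceTable, 0
    mov Indent, 0

comment /*
    Call site being searched for; the push immediates before the call carry
    the table addresses that are read back below.

    BOOLEAN KeAddSystemServiceTable( IN PVOID ServiceTableBase,
                                     IN PVOID ServiceCounterTableBase,
                                     IN ULONG NumberOfService,
                                     IN PVOID ParamTableBase,
                                     IN ULONG InsertServiceTableIndex )

    BF9B3B3A - BF800380 = 1B37BA
    014B3B22 57              push edi
    014B3B23 68 10E399BF     push BF99E310                  ParamTableBase
    014B3B28 FF35 0CE399BF   push dword ptr [BF99E30C]      NumberOfService
    014B3B2E 8935 30899ABF   mov dword ptr [BF9A8930],esi
    014B3B34 56              push esi                       ServiceCounterTableBase
    014B3B35 68 00D699BF     push BF99D600                  ServiceTableBase
    014B3B3A FF15 580799BF   call dword ptr [BF990758]

    $-18  >  57              push edi
    $-17  >  68 10E399BF     push BF99E310
    $-12  >  FF35 0CE399BF   push dword ptr [BF99E30C]
    $-C   >  8935 30899ABF   mov dword ptr [BF9A8930],esi
    $-6   >  56              push esi
    $-5   >  68 00D699BF     push BF99D600
    $ ==> >  FF15 580799BF   call dword ptr [BF990758]

    INIT:BF9B3B22 push edi                     InsertServiceTableIndex
    INIT:BF9B3B23 push offset unk_BF99E310     ParamTableBase
    INIT:BF9B3B28 push dword_BF99E30C          NumberOfService
    INIT:BF9B3B2E mov dword_BF9A8930, esi
    INIT:BF9B3B34 push esi                     ServiceCounterTableBase
    INIT:BF9B3B35 push offset off_BF99D600     ServiceTableBase
    INIT:BF9B3B3A call ds:KeAddSystemServiceTable
*/

    ; Locate the INIT section; edi ends up at its raw data inside the mapping.
    assume edi:nothing
    mov edi, BaseAddress
    add edi, [edi].IMAGE_DOS_HEADER.e_lfanew
    movzx eax, [edi].IMAGE_NT_HEADERS.FileHeader.NumberOfSections
    mov Indent, eax
    add edi, sizeof IMAGE_NT_HEADERS
    assume edi:ptr IMAGE_SECTION_HEADER
    mov VirtualSize, 0
    ; .while rather than .repeat: a zero section count must fall through to err
    ; instead of decrementing past zero.
    .while Indent
        invoke StrCmp,edi,T("INIT")
        .if eax                                     ; non-zero is treated as a match (project StrCmp convention - confirm)
            m2m VirtualSize, [edi].Misc.VirtualSize
            mov edi, [edi].PointerToRawData
            add edi, BaseAddress
            .break
        .endif
        add edi, sizeof IMAGE_SECTION_HEADER
        dec Indent
    .endw
    cmp VirtualSize, 0
    je err

    ; Linear-sweep disassemble INIT until a 6-byte "call dword ptr [disp32]"
    ; (FF /2, modrm 15h) whose disp32 resolves to the import slot found above.
    mov Call_KeAddSystemServiceTable, 0
    mov Indent, 0
    .while TRUE
        invoke DisasmLen,edi,addr hde
        .if hde.len == 6 && hde.opcode == 0FFh && hde.modrm == 15h && hde.disp32
            mov eax, hde.disp32
            sub eax, [esi].OptionalHeader.ImageBase
            invoke RVAToFileMap,BaseAddress,eax
            .if eax == Import_KeAddSystemServiceTable
                mov Call_KeAddSystemServiceTable, edi
                .break
            .endif
        .endif
        mov eax, hde.len
        add edi, eax
        add Indent, eax
        mov eax, Indent
        .break .if eax >= VirtualSize
    .endw
    cmp Call_KeAddSystemServiceTable, 0
    jz err

    ; Pull the operands out of the instructions preceding the call (offsets per
    ; the listing above) and convert each VA to a pointer in the mapping via the
    ; section table, instead of assuming RVA == file offset.
    m2m ImageBase, [esi].OptionalHeader.ImageBase
    mov edi, Call_KeAddSystemServiceTable
    mov eax, DWORD ptr[edi-5+1]                 ; push imm32 at call-5: ServiceTableBase
    sub eax, [esi].OptionalHeader.ImageBase
    invoke RvaToMapped,BaseAddress,eax
    or eax, eax
    jz err
    mov Shadow_ServiceTableBase, eax
    mov eax, DWORD ptr[edi-17h+1]               ; push imm32 at call-17h: ParamTableBase
    sub eax, [esi].OptionalHeader.ImageBase
    invoke RvaToMapped,BaseAddress,eax
    or eax, eax
    jz err
    mov Shadow_ParamTableBase, eax
    mov eax, DWORD ptr[edi-12h+2]               ; push dword ptr [disp32] at call-12h: &NumberOfService
    sub eax, [esi].OptionalHeader.ImageBase
    invoke RvaToMapped,BaseAddress,eax
    or eax, eax
    jz err
    m2m Shadow_NumberOfService, DWORD ptr[eax]
    ; The count comes from the file on disk and sizes both driver buffers;
    ; an empty table has nothing to list and would make the .repeat below
    ; run once past its end.
    cmp Shadow_NumberOfService, 0
    je err

    ; Loaded-module list: find win32k.sys to get its load address and the delta
    ; against the on-disk ImageBase, used to rebase the original entries.
    invoke DumpKernelModule
    or eax, eax
    jz err
    mov esi, offset KernelModule
    assume esi:ptr KERNEL_MODULE
    .while [esi].BaseAddress
        invoke StrRChr,addr [esi].ImageName,"\"
        .if eax
            inc eax                                 ; skip the '\' to the bare file name
        .else
            lea eax, [esi].ImageName
        .endif
        invoke strnicmp,eax,offset szWin32ksys
        .if eax                                     ; non-zero is treated as a match here
            mov eax, [esi].BaseAddress
            mov Win32Ring0, eax
            sub eax, ImageBase
            mov dwdelta, eax
            .break
        .endif
        add esi, sizeof KERNEL_MODULE
    .endw
    cmp Win32Ring0, 0
    jz err                                          ; win32k.sys not in the list: no delta to rebase with

    ; Live tables through the driver: one DWORD per service for the SSDT,
    ; one BYTE of parameter size per service for the SSPT.
    imul eax, Shadow_NumberOfService, 4
    invoke GlobalAlloc,GPTR,eax
    or eax, eax
    jz err
    mov pSSDT, eax
    imul eax, Shadow_NumberOfService, 4
    invoke Communications,IOCTL_DumpShadowSsdt,NULL,NULL,pSSDT,eax
    or eax, eax
    jz err
    invoke GlobalAlloc,GPTR,Shadow_NumberOfService
    or eax, eax
    jz err
    mov pSSPT, eax
    invoke Communications,IOCTL_DumpShadowSspt,NULL,NULL,pSSPT,Shadow_NumberOfService
    or eax, eax
    jz err

    ; One list-view row per service: esi walks the live table, edi the on-disk
    ; table, Indent is the service index.
    mov esi, pSSDT
    mov edi, Shadow_ServiceTableBase
    mov Indent, 0
    .repeat
        ;; index
        invoke wsprintf,offset TempBuf,offset szD,Indent
        invoke ListView_AddItemEx,hMianDlg,92,NULL,Indent,0,offset TempBuf
        ;; current address (live table)
        invoke wsprintf,offset TempBuf,offset sz08X,DWORD ptr[esi]
        invoke ListView_AddItemEx,hMianDlg,92,NULL,Indent,1,offset TempBuf
        ;; original address (on-disk entry rebased to the loaded module)
        mov eax, DWORD ptr[edi]
        add eax, dwdelta
        invoke wsprintf,offset TempBuf,offset sz08X,eax
        invoke ListView_AddItemEx,hMianDlg,92,NULL,Indent,2,offset TempBuf
        ;; current parameter size
        mov eax, Indent
        add eax, pSSPT
        movzx eax, BYTE ptr[eax]
        invoke wsprintf,offset TempBuf,offset szD,eax
        invoke ListView_AddItemEx,hMianDlg,92,NULL,Indent,3,offset TempBuf
        ;; original parameter size
        mov eax, Indent
        add eax, Shadow_ParamTableBase
        movzx eax, BYTE ptr[eax]
        invoke wsprintf,offset TempBuf,offset szD,eax
        invoke ListView_AddItemEx,hMianDlg,92,NULL,Indent,4,offset TempBuf
        ;; name (ShadowSsdtName walks a table of string pointers)
        .if ShadowSsdtName
            mov eax, ShadowSsdtName
            invoke ListView_AddItemEx,hMianDlg,92,NULL,Indent,5,DWORD ptr[eax]
            add ShadowSsdtName, 4
        .endif
        ;; owning module of the live entry
        invoke GetBelongsSys,DWORD ptr[esi]
        .if eax
            mov ecx, eax
            invoke ListView_AddItemEx,hMianDlg,92,0,Indent,6,addr [ecx].KERNEL_MODULE.ImageName
        .endif
        add esi, 4
        add edi, 4
        inc Indent
        mov eax, Indent
    .until eax == Shadow_NumberOfService

err:
    ; Release in the order acquired; every value was zeroed at entry so the
    ; checks are valid on any failure path.
    .if pSSDT
        invoke GlobalFree,pSSDT
    .endif
    .if pSSPT
        invoke GlobalFree,pSSPT
    .endif
    .if BaseAddress
        invoke UnmapViewOfFile,BaseAddress
    .endif
    .if hFile
        invoke ZwClose,hFile
    .endif
    .if hFileMap
        invoke ZwClose,hFileMap
    .endif
    ret
ShadowSsdt endp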
|
Themida Logo显示分析
路过..嘻嘻 |
|
[调查]问一下坛子里有多少大虾在用W32ASM编程!
.*.inc == *.h *.lib 编译DLL都会有的...系统那些DLL微软不会给代码...*.inc里面的只是API的声明 |
|
[原创]ShellCode的另外一种玩法(远程线程注入ShellCode)
ShellCode是通用版本基本上可以在所有Windows系统上跑 CreateRemoteThread 只能在NT里运行..没调用那个DLL的话.可以在注入后写个循环来LoadLibrary |