I want to write a QQ chat log monitoring program; those who know, please give some advice
Modifying an existing trojan would certainly be easier, but I still want to build it myself. Partly it is also to learn something about TLS; otherwise I could just use a 126 mailbox and skip this hassle.

The IDA edge-line plugin hm wrote is quite good; custom edge lines.
Just asking: now that you have 4.9, have you gone quiet?

Unpacking EncryptPE V2.2005910
Such a strong post, how could I not leave my name

Building an OD that defeats OpenProcess detection
A strong post deserves a signature; bump

[Question] What are the differences between MASM, TASM, NASM, FASM and GOASM?
(ASCII family tree of x86 assemblers, 1977-2004; column alignment was lost in extraction, so only the year rows survive:)
1977 ASM86
1979 CP/M-86 asm86
1982 MASM
1984 NBASM, Incra
1986 ARROWSOFT, A86
1987 WASM, Terse
1988 OptASM
1989 TASM
1991 GAS
1994 GEMA, CrossFire
1995 A386
1996 NASM, Pass32
1997 TMA, ML
1998 SpASM
1999 GASM, FASM, HLA
2000 LZASM
2001 GoASM, YASM, Osimplay
2003 miASMa, RosASM, CodeX
2004 Octasm

Moving resources, with source code
Tool posts are my favourite; a post worth signing is a strong one, bump

TLS again: Unpacking read-me's UnpackMe
Reading assembly is nowhere near as comfortable as reading C :) Assembly:
7C95B444 56 PUSH ESI
7C95B445 50 PUSH EAX
7C95B446 57 PUSH EDI
7C95B447 68 E4B4957C PUSH ntdll.7C95B4E4 ; ASCII "LDR: Tls Callbacks Found. Imagebase %p Tls %p CallBacks %p "
7C95B44C E8 9F4FFFFF CALL ntdll.DbgPrint
7C95B451 83C4 10 ADD ESP,10
7C95B454 ^E9 BCD0FEFF JMP ntdll.7C948515
7C95B459 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
7C95B45C 83C6 04 ADD ESI,4
7C95B45F 8975 E0 MOV DWORD PTR SS:[EBP-20],ESI
7C95B462 381D 21C1997C CMP BYTE PTR DS:[7C99C121],BL
7C95B468 74 0F JE SHORT ntdll.7C95B479
7C95B46A 50 PUSH EAX
7C95B46B 57 PUSH EDI
7C95B46C 68 20B5957C PUSH ntdll.7C95B520 ; ASCII "LDR: Calling Tls Callback Imagebase %p Function %p "
7C95B471 E8 7A4FFFFF CALL ntdll.DbgPrint
7C95B476 83C4 0C ADD ESP,0C
7C95B479 53 PUSH EBX
7C95B47A FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C95B47D 57 PUSH EDI
7C95B47E FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
7C95B481 E8 0D5DFCFF CALL ntdll.7C921193
7C95B486 ^E9 8AD0FEFF JMP ntdll.7C948515
===================================
NT4.0 TLS-handling source (from nt4\private\ntos\dll\ldrinit.c):
VOID
LdrpCallTlsInitializers(
    PVOID DllBase,
    ULONG Reason
    )
{
    PIMAGE_TLS_DIRECTORY TlsImage;
    ULONG TlsSize;
    PIMAGE_TLS_CALLBACK *CallBackArray;
    PIMAGE_TLS_CALLBACK InitRoutine;

    TlsImage = (PIMAGE_TLS_DIRECTORY)RtlImageDirectoryEntryToData(
                   DllBase,
                   TRUE,
                   IMAGE_DIRECTORY_ENTRY_TLS,
                   &TlsSize
                   );

    try {
        if ( TlsImage ) {
            CallBackArray = TlsImage->AddressOfCallBacks;
            if ( CallBackArray ) {
                if (ShowSnaps) {
                    DbgPrint( "LDR: Tls Callbacks Found. Imagebase %lx Tls %lx CallBacks %lx\n",
                              DllBase, TlsImage, CallBackArray );
                }
                while(*CallBackArray){
                    InitRoutine = *CallBackArray++;
                    if (ShowSnaps) {
                        DbgPrint( "LDR: Calling Tls Callback Imagebase %lx Function %lx\n",
                                  DllBase, InitRoutine );
                    }
#if defined (WX86)
                    if (!Wx86CurrentTib() ||
                        LdrpRunWx86DllEntryPoint( (PDLL_INIT_ROUTINE)InitRoutine,
                                                  NULL, DllBase, Reason, NULL
                                                  ) == STATUS_IMAGE_MACHINE_TYPE_MISMATCH)
#endif
                    {
                        (InitRoutine)(DllBase,Reason,0);
                    }
                }
            }
        }
    } except (EXCEPTION_EXECUTE_HANDLER) {
        ;
    }
}

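The loader logic quoted in the post above (RtlImageDirectoryEntryToData on IMAGE_DIRECTORY_ENTRY_TLS, then the while(*CallBackArray) walk), as an added example that is not part of the original reply or of the NT source: a small Python routine that lists the TLS callbacks of a mapped PE32 image, which is what tells an unpacker which code runs before the entry point. It assumes a mapped layout (RVA equals buffer offset) and PE32 only; the sample image is constructed inline and is not a real file.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9          # data directory slot the loader looks at

def _u32(buf, off):
    # Bounds-checked little-endian DWORD read so a hostile image cannot run us off the buffer
    if off < 0 or off + 4 > len(buf):
        raise ValueError(f"read outside image at offset 0x{off:x}")
    return struct.unpack_from("<I", buf, off)[0]

def tls_callbacks(image, image_base):
    """Return TLS callback VAs in the order LdrpCallTlsInitializers invokes them."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = _u32(image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                    # IMAGE_OPTIONAL_HEADER32 follows the 20-byte file header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    if _u32(image, opt + 92) <= IMAGE_DIRECTORY_ENTRY_TLS:   # NumberOfRvaAndSizes too small
        return []
    tls_rva = _u32(image, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0:                           # RtlImageDirectoryEntryToData would return NULL
        return []
    # IMAGE_TLS_DIRECTORY32 offset 12 is AddressOfCallBacks; it holds a VA, not an RVA
    cb_va = _u32(image, tls_rva + 12)
    if cb_va == 0:                             # no callback array: nothing runs before the entry point
        return []
    off = cb_va - image_base                   # mapped image: RVA == offset (assumption)
    cbs = []
    while (va := _u32(image, off)) != 0:       # while(*CallBackArray) { InitRoutine = *CallBackArray++; }
        cbs.append(va)
        off += 4                               # an unterminated array ends in _u32's bounds error
    return cbs

def build_sample_image():
    """Constructed PE32 image (not a real file) with two TLS callbacks, mapped at 0x400000."""
    base, img = 0x400000, bytearray(0x400)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    opt = 0x40 + 4 + 20
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, opt + 28, base)                  # ImageBase
    struct.pack_into("<I", img, opt + 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x200, 24)
    struct.pack_into("<I", img, 0x200 + 12, base + 0x300)        # AddressOfCallBacks -> VA 0x400300
    struct.pack_into("<III", img, 0x300, base + 0x1000, base + 0x1040, 0)  # NULL-terminated array
    return bytes(img), base
```

For a real sample, feed it a memory dump of the mapped module (or a file whose sections you have mapped to their virtual addresses) and compare the result with the callbacks the debugger shows being invoked before the entry point.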
High-speed download links for the Windows 2000 & NT4 source code [repost]
The unpacking forum is currently discussing the effect of TLS on packers; reading assembly is nowhere near as comfortable as reading C! Assembly:
7C95B444 56 PUSH ESI
7C95B445 50 PUSH EAX
7C95B446 57 PUSH EDI
7C95B447 68 E4B4957C PUSH ntdll.7C95B4E4 ; ASCII "LDR: Tls Callbacks Found. Imagebase %p Tls %p CallBacks %p "
7C95B44C E8 9F4FFFFF CALL ntdll.DbgPrint
7C95B451 83C4 10 ADD ESP,10
7C95B454 ^E9 BCD0FEFF JMP ntdll.7C948515
7C95B459 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
7C95B45C 83C6 04 ADD ESI,4
7C95B45F 8975 E0 MOV DWORD PTR SS:[EBP-20],ESI
7C95B462 381D 21C1997C CMP BYTE PTR DS:[7C99C121],BL
7C95B468 74 0F JE SHORT ntdll.7C95B479
7C95B46A 50 PUSH EAX
7C95B46B 57 PUSH EDI
7C95B46C 68 20B5957C PUSH ntdll.7C95B520 ; ASCII "LDR: Calling Tls Callback Imagebase %p Function %p "
7C95B471 E8 7A4FFFFF CALL ntdll.DbgPrint
7C95B476 83C4 0C ADD ESP,0C
7C95B479 53 PUSH EBX
7C95B47A FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C95B47D 57 PUSH EDI
7C95B47E FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
7C95B481 E8 0D5DFCFF CALL ntdll.7C921193
7C95B486 ^E9 8AD0FEFF JMP ntdll.7C948515
NT4.0 TLS-handling source:
VOID
LdrpCallTlsInitializers(
    PVOID DllBase,
    ULONG Reason
    )
{
    PIMAGE_TLS_DIRECTORY TlsImage;
    ULONG TlsSize;
    PIMAGE_TLS_CALLBACK *CallBackArray;
    PIMAGE_TLS_CALLBACK InitRoutine;

    TlsImage = (PIMAGE_TLS_DIRECTORY)RtlImageDirectoryEntryToData(
                   DllBase,
                   TRUE,
                   IMAGE_DIRECTORY_ENTRY_TLS,
                   &TlsSize
                   );

    try {
        if ( TlsImage ) {
            CallBackArray = TlsImage->AddressOfCallBacks;
            if ( CallBackArray ) {
                if (ShowSnaps) {
                    DbgPrint( "LDR: Tls Callbacks Found. Imagebase %lx Tls %lx CallBacks %lx\n",
                              DllBase, TlsImage, CallBackArray );
                }
                while(*CallBackArray){
                    InitRoutine = *CallBackArray++;
                    if (ShowSnaps) {
                        DbgPrint( "LDR: Calling Tls Callback Imagebase %lx Function %lx\n",
                                  DllBase, InitRoutine );
                    }
#if defined (WX86)
                    if (!Wx86CurrentTib() ||
                        LdrpRunWx86DllEntryPoint( (PDLL_INIT_ROUTINE)InitRoutine,
                                                  NULL, DllBase, Reason, NULL
                                                  ) == STATUS_IMAGE_MACHINE_TYPE_MISMATCH)
#endif
                    {
                        (InitRoutine)(DllBase,Reason,0);
                    }
                }
            }
        }
    } except (EXCEPTION_EXECUTE_HANDLER) {
        ;
    }
}

[Original] A loader for PPC programs: Intumical1.0126
What model is your PPC? Dopod 818 or 828? Grey import or official retail?