|
[求助]关于asm内联汇编
push 的是 eax、pop 的却是 ecx，这一点有问题；C 端的函数定义也有问题。实际使用时，这类跳板函数最好声明成 naked（编译器不生成 prologue/epilogue，栈布局才可控）。下面这种写法测试正常：push eax 之后第一个参数位于 [esp+8]（[esp] 是刚保存的 eax，[esp+4] 是返回地址），取出后存入全局 p，再 jmp 到 Test1。注意 p 是全局变量，多个线程同时经过 TestH 时会互相覆盖，这里只作演示用。 int Test1(CHAR *pText) { OutputDebugStringA(pText); return 1; } CHAR *p; __declspec(naked) VOID TestH() { _asm { push eax; mov eax,[esp+8]; mov p,eax; pop eax; jmp Test1; } } 测试代码: int (*fun1)(CHAR *pText) = &Test1; fun1("asdf"); int (*fun2)(CHAR *pText) = (int (*)(CHAR *pText))&TestH; fun2("zxcv"); |
|
[求助]win10 64位 pe 文件, 向代码节空白区添加 messagebox 怎么弄
E8 call 指令只有 32 位相对偏移（目标必须落在 ±2GB 内），64 位下代码节到目标函数的距离经常超出这个范围，所以直接这样用可能不行。可以换个方式：x64 下走导入表，即 FF 15 disp32（call qword ptr [rip+disp32]，通过 IAT 间接调用）；也可以 mov rax, imm64 / call rax。另外注意 x64 调用约定：调用前 rsp 需要 16 字节对齐并预留 32 字节 shadow space，MessageBox 的参数走 rcx/rdx/r8/r9；mov rax 的写法会破坏 rax，插入点要选在 rax 没有被使用的位置。 |
|
[求助]如何 hook 不定参数的函数?
1. 获取传入参数：32 位下参数都在 esp 上方，只要取得第一个参数的地址，后面的参数就可以依次取到，如 f(p1, p2, p3) 在 f(p1, ...) 中 p2 = *(&p1 + 1)、p3 = *(&p1 + 2)。这依赖于参数全部压栈且每个都是 4 字节；x64 下前四个参数走寄存器，这个办法不适用。 2. 参数个数：一般无法明确知道，有两个办法 a. 分析传入的数据来确定有几个，如 printf("%d-%s", ..) 通过 "%d-%s" 知道有 1+2 个参数。注意格式串若来自被 hook 的调用方，推断出的个数可能与实际压栈个数不符，多读到的只是调用方栈上的残留数据，不能当作有效参数使用。 b. 使用尽量多的参数，如 20 个，如果实际只有 3 个，你传递 20 个参数过去也不会有影响——变参属于 cdecl 方式，由调用方清栈，多余的参数只是被忽略；API 的 stdcall 方式由被调用方按固定字节数 ret N 清栈，多传就会破坏栈，所以不行。 |
|
[求助] 有谁做过explorer的监控程序呀。监控explorer打开的目录。找不到好方法呀
没必要搞那么复杂，用个 BHO（Browser Helper Object，注册到注册表后由 IE 加载的 COM DLL，早期版本的资源管理器也会加载，新系统需要实际验证）就好了，它运行在宿主进程内部，能直接收到导航事件。注意这也正是流氓软件常用的注入方式：DLL 要签名、注册项放在 HKLM 下，并且只在自己的机器或受控环境里使用。 |
|
[原创]伪造句柄方法结束进程
主要代码, 没有整理...
// Kills the process selected in m_MenuOpItem ("Proc" entries only) by
// splicing the target's kernel thread list into a throw-away "shell"
// process (a suspended Notepad.exe) and then terminating the shell.
// Intent, as far as the code shows it: after the writes below the shell
// EPROCESS's ThreadListHead is the target's ThreadListHead and the
// target's last thread links back to the shell head, so terminating the
// shell presumably makes the kernel walk and end the target's threads
// instead — TODO confirm against the XP process-termination path.
//
// Review notes (security / stability):
//  - Needs a ring-0 write primitive (Nntdll::WriteKernelMem) and the XP
//    EPROCESS/ETHREAD layouts (NNtKrn::EPROCESS_XP / ETHREAD_XP); on any
//    other build the offsets are wrong and the writes corrupt kernel lists.
//  - The kernel list is rewritten from user mode without the kernel's own
//    locking; a thread being created or exiting in either process between
//    the write and the restore can leave a corrupt list (bugcheck).
//  - CreateProcessA's return value is not checked; pi.hProcess/pi.hThread
//    are never closed; hProc and dwAddrDlt are declared but unused.
//  - Every early "return FALSE" happens before the first kernel write, so
//    no restore is needed on those paths; the return values of the kernel
//    writes and of TerminateProcess are ignored.
// Returns TRUE once the writes, termination and restore have been issued.
BOOL CHandleList::OnSupperKill()
{
    // Only process entries are supported; the tag compare reinterprets the
    // first four bytes of the literal "Proc" as a DWORD.
    if(m_MenuOpItem.dwTypeTag != (DWORD &)"Proc")
        return FALSE;

    HANDLE hProc;                          // unused
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    NNtKrn::EPROCESS_XP * pKrnProc;
    DWORD dwKrnAddr;
    DWORD dwSize;
    DWORD dwWriteAddr;
    EPROCESS_XP_R3 ShellProc;              // user-mode copy of the shell EPROCESS
    ETHREAD_XP_R3 ShellThread;
    DWORD dwAddr;
    DWORD dwAddrDlt;                       // unused
    EPROCESS_XP_R3 DestProc;               // user-mode copy of the target EPROCESS
    ETHREAD_XP_R3 DestThread;
    NNtKrn::LIST_ENTRY ShellThreadList;
    NNtKrn::LIST_ENTRY DestThreadList;

    // Shell process: started suspended so its thread list is quiescent.
    // Return value not checked — on failure pi is garbage below.
    memset(&si, 0, sizeof(si));
    si.cb = sizeof(si);
    CreateProcessA(NULL, "Notepad.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);

    // Shell data: resolve the kernel EPROCESS behind the handle, read it and
    // its first thread, and cross-check both against the PID we created.
    dwKrnAddr = NNtKrn::GetHandleKrnObject(pi.hProcess);
    if(dwKrnAddr == 0)
        return FALSE;
    NLog::LogString("Shell dwKrnAddr: %08X", dwKrnAddr);
    ShellProc.dwObjAddr = dwKrnAddr;
    NNtKrn::ReadKrnObject(ShellProc);
    dwAddr = GetEThreadByThreadListHead(&ShellProc.Obj.ThreadListHead);
    ShellThread.dwObjAddr = dwAddr;
    NNtKrn::ReadKrnObject(ShellThread);
    if((DWORD)(__int64)ShellProc.Obj.UniqueProcessId != pi.dwProcessId)
        return FALSE;
    if((DWORD)(__int64)ShellThread.Obj.Cid.UniqueProcess != pi.dwProcessId)
        return FALSE;

    // Target data: EPROCESS copy comes from the menu item; read the first
    // and then the last thread and verify each belongs to the target PID.
    DestProc.dwObjAddr = (DWORD)(__int64)m_MenuOpItem.Base.Object;
    DestProc.Obj = m_MenuOpItem.KrnObj.EProcessXp;
    dwAddr = GetEThreadByThreadListHead(&DestProc.Obj.ThreadListHead);
    DestThread.dwObjAddr = dwAddr;
    NNtKrn::ReadKrnObject(DestThread);
    if((DWORD)(__int64)DestProc.Obj.UniqueProcessId != (DWORD)(__int64)DestThread.Obj.Cid.UniqueProcess)
        return FALSE;
    dwAddr = NNtKrn::GetLastThreadAddr((DWORD)(__int64)m_MenuOpItem.Base.Object);
    if(dwAddr == 0)
        return FALSE;
    DestThread.dwObjAddr = dwAddr;
    NNtKrn::ReadKrnObject(DestThread);
    if((DWORD)(__int64)DestProc.Obj.UniqueProcessId != (DWORD)(__int64)DestThread.Obj.Cid.UniqueProcess)
        return FALSE;

    // Fake LIST_ENTRY: make the target's last thread link (both ways) to the
    // shell process's ThreadListHead. The original entry is saved first so it
    // can be restored after termination.
    NNtKrn::ETHREAD_XP * pKrnDestLastThread;
    NNtKrn::LIST_ENTRY * pHead;
    LIST_ENTRY_R3 OldList;
    LIST_ENTRY_R3 MokeList;
    pKrnProc = (NNtKrn::EPROCESS_XP *)ShellProc.dwObjAddr;
    pHead = &pKrnProc->ThreadListHead;
    MokeList.Obj.Blink = pHead;
    MokeList.Obj.Flink = pHead;
    pKrnDestLastThread = (NNtKrn::ETHREAD_XP *)DestThread.dwObjAddr;
    MokeList.dwObjAddr = (DWORD)(__int64)&pKrnDestLastThread->ThreadListEntry;
    OldList.dwObjAddr = MokeList.dwObjAddr;
    NNtKrn::ReadKrnObject(OldList);
    NNtKrn::WriteKrnObject(MokeList); // write the terminating thread entry (first kernel write)
    pKrnDestLastThread = (NNtKrn::ETHREAD_XP *)DestThread.dwObjAddr;
    dwAddr = (DWORD)(__int64)&pKrnDestLastThread->pThreadsProcess;   // computed but no longer used
    // Nntdll::WriteKernelMem(dwAddr, sizeof(NNtKrn::EPROCESS_XP *), &ShellProc.dwObjAddr); // (disabled) repoint the thread's process pointer

    // Forge: overwrite the shell's ThreadListHead with the target's head so
    // the shell appears to own the target's threads, terminate the shell,
    // then put both lists back and terminate the (real) shell again.
    ShellThreadList = ShellProc.Obj.ThreadListHead;
    DestThreadList = DestProc.Obj.ThreadListHead;
    pKrnProc = (NNtKrn::EPROCESS_XP *)ShellProc.dwObjAddr;
    dwWriteAddr = (DWORD)(__int64)&pKrnProc->ThreadListHead;
    dwSize = sizeof(NNtKrn::LIST_ENTRY);
    Nntdll::WriteKernelMem(dwWriteAddr, dwSize, &DestThreadList); // write the head thread entry
    TerminateProcess(pi.hProcess, 0);
    NNtKrn::WriteKrnObject(OldList); // restore the original list entry
    Nntdll::WriteKernelMem(dwWriteAddr, dwSize, &ShellThreadList); // restore the head thread entry
    TerminateProcess(pi.hProcess, 0);
    return TRUE;
}
|
|
[求助]Themida.V1.9.1.0如何脱壳啊
试试这个脚本, 我用这个脱某个1.9的可以修复大部分 IAT, 某些自己修复 某些1.9的可能不行 /* Script written by a__p Script : Themida & WinLicen 1.1.X - 1.8.X 系列脱壳脚本 Date : 2007-05-25 Test Environment : OllyDbg 1.1, ODBGScript 1.52, Winxp Win2003 */ var modulebase var codebase var codesize var TZM var gjd1 var gjd2 var tmpbp var apibase var mem var tmp BPHWCALL gmi eip,MODULEBASE mov modulebase,$RESULT gmi eip,CODEBASE mov codebase,$RESULT gmi eip,CODESIZE mov codesize,$RESULT bpwm codebase,codesize ESTO REP: ESTO ESTO find eip,#F3A4????# cmp $RESULT,0 je REP STI STO ESTO LODS: find eip,#8908AD??# cmp $RESULT,0 je TZM jmp DM TZM: ESTO find eip,#8908AD??# cmp $RESULT,0 jmp LODS DM: bpmc mov add,eip findmem #0F850A000000C785# mov add1,$RESULT mov [add1],0A0EEB findmem #0F84390000003B8D# mov add2,$RESULT mov [add2],3928EB mov tmpbp,add1 alloc 1000 mov mem, $RESULT log mem mov tmp,mem mov [tmp],#A3000000008908ADC746FC00000000E90000000050A1000000008907807FFFE8750866C747FEFF15EB0666C747FEFF2558E90000000050A100000000894701807FFFE8750866C747FFFF15EB0666C747FFFF25580F8500000000E90000000083C704E900000000# mov memtmp,tmp add memtmp,100 add tmp,1 mov [tmp],memtmp add tmp,15 mov [tmp],memtmp add tmp,22 mov [tmp],memtmp mov tmp,mem find tmpbp,#8908AD# mov tmpbp,$RESULT mov addr1,tmpbp add addr1,0A eval "jmp {tmp}" asm tmpbp, $RESULT find tmpbp,#E92400000058# mov tmpbp,$RESULT add tmp,14 eval "jmp {tmp}" asm tmpbp, $RESULT find tmpbp,#0F851800000083BD# mov tmpbp,$RESULT mov addr3,tmpbp add addr3,06 add tmp,22 eval "jmp {tmp}" asm tmpbp, $RESULT find tmpbp,#884704# mov tmpbp,$RESULT mov addr2,tmpbp add addr2,03 mov [tmpbp],#909090# find tmpbp,#ABAD# mov tmpbp,$RESULT mov [tmpbp],#90# add tmpbp,9 add tmp,29 eval "jmp {tmp}" asm tmpbp, $RESULT mov memtmp,mem add memtmp,0F eval "jmp {addr1}" asm memtmp, $RESULT add memtmp,22 eval "jmp {addr2}" asm memtmp, $RESULT add memtmp,23 eval "jne {addr2}" asm memtmp, $RESULT add memtmp,06 eval "jmp {addr3}" asm memtmp, $RESULT add memtmp,08 eval "jmp {addr1}" asm memtmp, $RESULT find 
eip,#C7010000000083C104# mov tmpbp,$RESULT add tmpbp,14 bphws tmpbp,"x" esto bphwc tmpbp mov tmp,codebase add tmp,codesize oep: bprm codebase,codesize esto bpmc cmp eip,tmp ja oep msg "脚本执行完毕!请注意OEP是否被偷代码!" ret |
|
[求助]Winlicense的anti用什么办法可以破啊?
脱壳机我也想要 在哪啊,没找到 |