程序运行时建立一个新的线程,显示 Hello World!
给程序做内存补丁时可能会用得上。
////----------------------------------------------
oep.asm
; oep.asm — MASM, 32-bit x86, flat memory model, StdCall is the default
; calling convention for every PROC below (callee pops the arguments).
; Only kernel32.lib is linked; every API the code uses is resolved by hand
; at run time (see GetKernelModule / GetMyAddress in api.asm), so the
; resulting binary carries no import-table dependency on them.
.586
.Model Flat, StdCall
Option Casemap :None
Include windows.inc
Include kernel32.inc
include masm32.inc
IncludeLib kernel32.lib
; STEXT Text — embed a NUL-terminated string inline in the code stream and
; yield its run-time address in edx. The address is derived from the return
; address pushed by `call lbllbl`, so it stays correct wherever the code is
; copied to (no relocation needed).
; Emitted layout: call lbllbl / pop edx / add edx,6 / jmp lbl / szText / lbl:
; Clobbers: edx (the macro's value IS edx — never use STEXT while edx holds
; something live, e.g. as the right-hand argument of a second STEXT).
STEXT MACRO Text
local szText
LOCAL lbl
LOCAL lbllbl
call lbllbl                             ; pushes the address of lbllbl (= the pop below)
lbllbl:
pop edx                                 ; edx = address of this `pop`
add edx,6                               ; skip pop(1) + add(3) + short jmp(2) -> szText
                                        ; NOTE(review): only valid while `jmp lbl` assembles
                                        ; as a 2-byte short jump, i.e. for strings < 128 bytes
jmp lbl                                 ; hop over the string bytes
szText db Text,0                        ; the string itself, NUL-terminated
lbl:
exitm <edx>;uses edx here - haven't found a better way that avoids taking a register
ENDM
; USERDATA — table of resolved function pointers. WinMain fills it on the
; stack, copies it to the heap and passes the heap copy to the new thread
; as its lpParameter (ThreadProc reads pMessageBox through it).
USERDATA STRUCT
pLoadLibrary dd ?                       ; kernel32 LoadLibraryA
pCreateThread dd ?                      ; kernel32 CreateThread
pMessageBox dd ?                        ; user32 MessageBoxA
pmalloc dd ?                            ; msvcrt malloc
pfree dd ?                              ; msvcrt free — resolved, never called on this page
pstrcpy dd ?                            ; msvcrt strcpy — resolved, never called on this page
pmemcpy dd ?                            ; ntdll memcpy
subAddr dd ?                            ; NOTE(review): never written before the struct is copied,
                                        ; so the heap copy holds whatever was on the stack
USERDATA ENDS
pUSERDATA equ <USERDATA>                ; alias, used by ThreadProc's (unused) LOCAL
; Prototypes for the procedures defined below and in api.asm (needed so
; `invoke` can type-check and push the arguments).
WinMain proto:DWORD ,:DWORD             ; (pKernel, subAddr)
GetKernelModule proto:DWORD             ; (address) -> module base
GetMyAddress proto:DWORD,:DWORD         ; (Module, APIName-or-ordinal) -> export address or 0
mstrcmp proto:DWORD,:DWORD              ; (str1, str2) -> 0 if equal, 1 otherwise
ThreadProc proto:DWORD                  ; (lpvoid = USERDATA*)
GetRealAddress proto:DWORD,:DWORD       ; (ModuleAddr, lpvoid) — declared, not called on this page
.code
;-----------------------------------------------------------------------
; start — entry point. Derives two values and hands them to WinMain:
;   eax = the return address found on the stack at entry. GetKernelModule
;         treats it as an address inside kernel32 — NOTE(review): that holds
;         only when the loader calls the entry point directly; confirm on
;         the intended Windows version.
;   ebx = relocation delta = (run-time address of next11) - 401008h, i.e.
;         how far the code has been moved from where it was linked. This
;         assumes `start` was linked at 401000h and that next11 is 8 bytes
;         in (3-byte `mov eax,[esp]` + 5-byte `call`).
; Clobbers: ebx (callee-saved under StdCall) and whatever WinMain clobbers.
;-----------------------------------------------------------------------
start:
mov eax,[esp]                           ; eax = return address of whoever called us
call next11                             ; push run-time address of next11
next11:
pop ebx                                 ; ebx = run-time address of next11
sub ebx,401000h                         ; minus link-time image base + .code offset ...
sub ebx,8                               ; ... minus next11's offset from start = delta
invoke WinMain,eax,ebx
ret                                     ; eax = WinMain's result (see WinMain header)
;-----------------------------------------------------------------------
; DWORD WinMain(DWORD pKernel, DWORD subAddr)   (StdCall)
; In:    pKernel = an address assumed to lie inside kernel32 (see start)
;        subAddr = relocation delta (run-time address - link-time address)
; Does:  locates kernel32, resolves the APIs listed in USERDATA through the
;        export tables (GetMyAddress), copies the table to the heap and
;        starts ThreadProc with that heap copy as its parameter.
; Out:   eax = CreateThread's return value on the success path; on every
;        `je Ex11` early-out eax is 0 (the failed lookup / load result).
; Clobb: eax, ecx, edx, flags, and edi (callee-saved under StdCall; the
;        only caller, start, returns immediately, so nothing depends on
;        it here — but it would bite any other caller).
; Notes: - every STEXT(...) below writes edx; nothing live may sit in edx
;          across one.
;        - malloc and memcpy are cdecl, but the 4 + 12 pushed bytes are
;          never popped here. The MASM-generated epilogue for a PROC with
;          LOCALs restores esp from ebp, which is why the imbalance does
;          not accumulate — it is still worth fixing.
;        - the thread handle returned by CreateThread is never closed and
;          the heap block in ptArray is never freed (handle / memory leak;
;          pfree is resolved but unused).
;-----------------------------------------------------------------------
WinMain proc pKernel:DWORD ,subAddr:DWORD
LOCAL tArray:USERDATA                   ; stack copy of the pointer table
LOCAL ptArray:DWORD                     ; heap copy handed to the new thread
;load kernel32.dll
invoke GetKernelModule,pKernel
mov edi,eax                             ; edi = kernel32 base for the next two lookups
invoke GetMyAddress,edi,STEXT("LoadLibraryA")
cmp eax,0
je Ex11                                 ; lookup failed -> bail out with eax = 0
mov tArray.pLoadLibrary,eax
;invoke GetMyAddress,edi,1
invoke GetMyAddress,edi,STEXT("CreateThread")
cmp eax,0
je Ex11
mov tArray.pCreateThread,eax
push STEXT("ntdll.dll")                 ; LoadLibraryA("ntdll.dll") — StdCall, callee pops the arg
call tArray.pLoadLibrary
cmp eax,0
je Ex11
mov edi,eax                             ; edi = ntdll base
invoke GetMyAddress,edi,STEXT("memcpy")
cmp eax,0
je Ex11
mov tArray.pmemcpy,eax
;WS2_32.dll
push STEXT("WS2_32.dll")                ; LoadLibraryA("WS2_32.dll")
call tArray.pLoadLibrary
cmp eax,0
je Ex11
mov edi,eax                             ; edi = ws2_32 base
;invoke GetProcAddress,edi,21h
invoke GetMyAddress,edi,21h;just testing the ordinal lookup path here (ordinal 21h); the result is discarded
;user32.dll
push STEXT("user32.dll")                ; LoadLibraryA("user32.dll")
call tArray.pLoadLibrary
cmp eax,0
je Ex11
invoke GetMyAddress,eax,STEXT("MessageBoxA")   ; user32 base still in eax; relies on STEXT touching only edx
cmp eax,0
je Ex11
mov tArray.pMessageBox,eax
;msvcrt.dll
push STEXT("msvcrt.dll")                ; LoadLibraryA("msvcrt.dll")
call tArray.pLoadLibrary
cmp eax,0
je Ex11
mov edi,eax                             ; edi = msvcrt base for the next three lookups
invoke GetMyAddress,edi,STEXT("malloc")
cmp eax,0
je Ex11
mov tArray.pmalloc,eax
invoke GetMyAddress,edi,STEXT("strcpy")
cmp eax,0
je Ex11
mov tArray.pstrcpy,eax                  ; stored but never used
invoke GetMyAddress,edi,STEXT("free")
cmp eax,0
je Ex11
mov tArray.pfree,eax                    ; stored but never used
push sizeof USERDATA                    ; malloc(sizeof USERDATA) — cdecl; the 4 bytes stay on the stack
call tArray.pmalloc
cmp eax,0
je Ex11                                 ; allocation failed
mov ptArray,eax
push sizeof USERDATA                    ; memcpy(ptArray, &tArray, sizeof USERDATA) — cdecl,
lea eax,tArray                          ; 12 bytes of arguments left on the stack
push eax
push ptArray
call tArray.pmemcpy
push 0                                  ; lpThreadId
push 0                                  ; dwCreationFlags
push ptArray                            ; lpParameter = heap USERDATA
push ThreadProc                         ; link-time address of ThreadProc ...
pop eax
add eax,subAddr                         ; ... relocated by the delta computed in start
push eax                                ; lpStartAddress
push 0                                  ; dwStackSize
push 0                                  ; lpThreadAttributes
call tArray.pCreateThread               ; eax = thread handle (never closed)
Ex11:
ret
WinMain endp
;-----------------------------------------------------------------------
; DWORD ThreadProc(LPVOID lpvoid)   (StdCall, runs on the thread created in WinMain)
; In:    lpvoid = pointer to the heap USERDATA copy
; Does:  MessageBoxA(NULL, "Hello World!", "Hello", 0) through
;        USERDATA.pMessageBox
; Out:   eax = MessageBoxA's return value (becomes the thread exit code)
; Clobb: esi (callee-saved under StdCall — harmless for a thread entry,
;        but not for a general caller), edx via STEXT, flags
; Note:  `test1` is declared but never used.
;-----------------------------------------------------------------------
ThreadProc proc lpvoid:DWORD
LOCAL test1:pUSERDATA
mov esi,lpvoid                          ; esi = USERDATA*
push NULL                               ; uType
push STEXT("Hello")                     ; lpCaption
push STEXT("Hello World!")              ; lpText
push NULL                               ; hWnd
call (USERDATA ptr[esi]).pMessageBox    ; indirect call through the table
ret
ThreadProc endp
;-----------------------------------------------------------------------
; DWORD GetRealAddress(DWORD ModuleAddr, DWORD lpvoid)   (StdCall)
; Not called anywhere on this page.
; Out:   eax = 0 if the word at ModuleAddr is "MZ" (5A4Dh) or the word at
;        lpvoid is 0FF8Bh (bytes 8B FF); otherwise eax = lpvoid unchanged.
;        NOTE(review): 8B FF is the encoding of `mov edi,edi`; presumably
;        the intent is to reject a hot-patchable prologue — confirm.
; Clobb: eax, flags
;-----------------------------------------------------------------------
GetRealAddress proc ModuleAddr:DWORD,lpvoid:DWORD
mov eax,ModuleAddr
cmp WORD ptr[eax],5a4dh
je Reject                               ; a module header is not a code address
mov eax,lpvoid
cmp WORD ptr[eax],0ff8bh
jne Accept                              ; common case: hand lpvoid back as-is
Reject:
xor eax,eax
Accept:
ret
GetRealAddress endp
include api.asm                         ; GetKernelModule / GetMyAddress / mstrcmp (below)
end start                               ; entry point = start
///---------------------------------
api.asm
;-----------------------------------------------------------------------
; DWORD GetKernelModule(DWORD address)   (StdCall)
; Finds the base of the module containing `address` by rounding it down
; to a 64K boundary and then stepping down one 4K page at a time until a
; page whose first word is "MZ" (5A4Dh) is found.
; In:    address = any address inside the module (start passes the entry
;        return address, assumed to be in kernel32)
; Out:   eax = the first page at or below (boundary - 1000h) starting with "MZ"
; Clobb: ecx (loaded with 5A4Dh but never read), flags
; NOTE(review): the compare happens only after the first subtract, so a
;        header sitting exactly at the rounded-down boundary is stepped
;        over; and nothing bounds the walk — an unmapped page below the
;        module faults instead of failing cleanly. Worth confirming on the
;        intended target.
;-----------------------------------------------------------------------
GetKernelModule proc address:DWORD
mov eax,address
and eax,0ffff0000h                      ; round down to a 64K boundary
mov ecx,5a4dh                           ; unused: the compare below uses the immediate directly
con:
sub eax,1000h                           ; previous 4K page
cmp WORD ptr[eax],5a4dh                 ; "MZ" ?
jne con
ret
GetKernelModule endp
;-----------------------------------------------------------------------
; DWORD GetMyAddress(DWORD Module, DWORD APIName)   (StdCall)
; Hand-rolled GetProcAddress: walks the PE export directory of Module.
; In:    Module  = module base (first word must be "MZ")
;        APIName = pointer to a NUL-terminated export name, or, if the
;                  value is <= 0FFFFh, an export ordinal
; Out:   eax = absolute address of the export, or 0 on any failure
;        (no MZ, missing export directory, name not found, zero RVA)
; Clobb: ebx, ecx, edx, flags. ebx is callee-saved under StdCall and is
;        NOT preserved here; the callers on this page don't rely on it.
; Invariant: in the name loop ecx = index of the name being compared; it
;        survives `invoke mstrcmp` only because mstrcmp leaves ecx alone.
; NOTE(review): forwarded exports are not recognised — for those the
;        returned value points at the forwarder string, not at code.
;-----------------------------------------------------------------------
GetMyAddress proc Module:DWORD,APIName:DWORD
local FunctionAddress:DWORD             ; VA of AddressOfFunctions (RVA table)
local NameAddress:DWORD                 ; VA of the current AddressOfNames entry
local ExportNum:DWORD                   ; remaining loop budget (see NOTE at +14h below)
local NameOrdinals:DWORD                ; VA of AddressOfNameOrdinals (WORD table)
mov eax,Module
cmp WORD ptr[eax],5a4dh                 ; "MZ" ?
je con
exit:                                   ; shared failure exit: return 0
xor eax,eax
ret
con:
mov eax,Module
add eax,3ch                             ; e_lfanew
mov ecx,[eax]
add ecx,Module                          ; ecx = NT headers
add ecx,78h                             ; DataDirectory[0] (export) for PE32: VirtualAddress, then Size
cmp DWORD ptr[ecx],0
je exit                                 ; no export directory
cmp DWORD ptr[ecx+4],0
je exit                                 ; zero-sized export directory
mov eax,[ecx]
add eax,Module                          ; eax = IMAGE_EXPORT_DIRECTORY
mov ebx,[eax+14h]                       ; NumberOfFunctions
mov ExportNum,ebx                       ; NOTE(review): the name loop is bounded by this rather than
                                        ; NumberOfNames (+18h); names are usually fewer, so the walk
                                        ; can run past the name table before the budget is exhausted
mov ebx,[eax+1ch]                       ; AddressOfFunctions
add ebx,Module
mov FunctionAddress,ebx
mov ebx,[eax+20h]                       ; AddressOfNames
add ebx,Module
mov NameAddress,ebx
mov ebx,[eax+24h]                       ; AddressOfNameOrdinals
add ebx,Module
mov NameOrdinals,ebx
mov eax,APIName
cmp eax,0
je exit                                 ; NULL name
cmp eax,0ffffh
jbe Ordinals                            ; small value -> treat as an ordinal, not a pointer
xor ecx,ecx                             ; ecx = name index
continue:
mov edx,NameAddress
mov edx,[edx]                           ; RVA of the next exported name
cmp edx,0
je exit                                 ; end of table (zero RVA)
cmp ExportNum,0
jbe exit                                ; loop budget exhausted -> not found
add edx,Module                          ; edx = name string
invoke mstrcmp,APIName,edx              ; 0 if equal; ecx must survive this call
cmp eax,0
je here
add NameAddress,4                       ; next RVA entry
dec ExportNum
inc ecx
jmp continue
Ordinals:
mov ecx,eax
dec ecx                                 ; index = ordinal - 1 (assumes export Base == 1; the Base field at +10h is not read)
jmp Ord
here:
mov eax,2
mul ecx                                 ; eax = 2 * index (edx clobbered by mul)
add NameOrdinals,eax
xor ecx,ecx
mov eax,NameOrdinals
mov cx,WORD ptr[eax]                    ; ecx = 16-bit ordinal for that name (upper bits already zero)
Ord:
mov eax,4
mul ecx                                 ; eax = 4 * ordinal
add eax,FunctionAddress
mov eax,[eax]                           ; function RVA
cmp eax,0
je exit                                 ; empty slot
add eax,Module                          ; absolute address
ret
GetMyAddress endp
;-----------------------------------------------------------------------
; DWORD mstrcmp(DWORD str1, DWORD str2)   (StdCall)
; Byte-wise equality test of two NUL-terminated strings.
; Out:   eax = 0 if the strings are identical, 1 at the first differing
;        byte (the terminator is compared too, so a proper prefix differs)
; Clobb: eax, ebx, flags. ecx and edx are deliberately left untouched —
;        GetMyAddress keeps its loop index in ecx across this call.
;-----------------------------------------------------------------------
mstrcmp proc str1:DWORD ,str2:DWORD
mov ebx,str2                            ; ebx walks str2; str1 is advanced in its argument slot
Scan:
mov eax,str1
mov al,BYTE ptr[eax]                    ; al = *str1 (only al is meaningful afterwards)
cmp al,BYTE ptr[ebx]
jne Mismatch
test al,al                              ; equal bytes — was it the terminator?
jz Match
inc str1
inc ebx
jmp Scan
Mismatch:
mov eax,1
ret
Match:
xor eax,eax
ret
mstrcmp endp
//----------