首页
社区
课程
招聘
[原创]PE文件添加区段[逆向分析+asm代码实现]
发表于: 2008-11-23 06:26 10957

[原创]PE文件添加区段[逆向分析+asm代码实现]

2008-11-23 06:26
10957
2008年11月23日 6:16:55
[SIZE=2]00401000 z>/$  6A 00              push    0                                 ; /pModule = NULL[/SIZE]
[SIZE=2]00401002   |.  E8 7F050000        call      ; \GetModuleHandleA[/SIZE]
[SIZE=2]00401007   |.  6A 00              push    0                                 ; /lParam = NULL[/SIZE]
[SIZE=2]00401009   |.  68 1F104000        push    0040101F                          ; |DlgProc = zeroadd.0040101F[/SIZE]
[SIZE=2]0040100E   |.  6A 00              push    0                                 ; |hOwner = NULL[/SIZE]
[SIZE=2]00401010   |.  6A 01              push    1                                 ; |pTemplate = 1[/SIZE]
[SIZE=2]00401012   |.  50                 push    eax                               ; |hInst[/SIZE]
[SIZE=2]00401013   |.  E8 20050000        call         ; \DialogBoxParamA[/SIZE]
[SIZE=2]00401018   |.  6A 00              push    0                                 ; /ExitCode = 0[/SIZE]
[SIZE=2]0040101A   \.  E8 5B050000        call           ; \ExitProcess[/SIZE]
 
[SIZE=2]00401030   |> \837D 0C 10         cmp     dword ptr [ebp+C], 10[/SIZE]
[SIZE=2]00401034   |.  75 0F              jnz     short 00401045[/SIZE]
[SIZE=2]00401036   |.  6A 00              push    0                                 ; /Result = 0[/SIZE]
[SIZE=2]00401038   |.  FF75 08            push    dword ptr [ebp+8]                 ; |hWnd[/SIZE]
[SIZE=2]0040103B   |.  E8 FE040000        call               ; \EndDialog[/SIZE]
[SIZE=2]00401045   |> \817D 0C 11010000   cmp     dword ptr [ebp+C], 111[/SIZE]
[SIZE=2]0040104C   |.  0F85 31040000      jnz     00401483[/SIZE]
[SIZE=2]00401052   |.  8B45 10            mov     eax, dword ptr [ebp+10][/SIZE]
[SIZE=2]00401055   |.  66:83F8 02         cmp     ax, 2[/SIZE]
[SIZE=2]00401059   |.  75 58              jnz     short 004010B3[/SIZE]
[SIZE=2]0040105B   |.  C1E8 10            shr     eax, 10[/SIZE]
[SIZE=2]0040105E   |.  66:0BC0            or      ax, ax[/SIZE]
[SIZE=2]00401061   |.  75 50              jnz     short 004010B3[/SIZE]
[SIZE=2]00401063   |.  C705 F3324000 4C00>mov     dword ptr [4032F3], 4C[/SIZE]
[SIZE=2]0040106D   |.  C705 FF324000 3F33>mov     dword ptr [4032FF], 0040333F      ;  ASCII "Executable Files (*.exe, *.dll)"[/SIZE]
[SIZE=2]00401077   |.  C705 0F334000 7C33>mov     dword ptr [40330F], 0040337C[/SIZE]
[SIZE=2]00401081   |.  C705 13334000 0002>mov     dword ptr [403313], 200[/SIZE]
[SIZE=2]0040108B   |.  C705 27334000 0418>mov     dword ptr [403327], 281804[/SIZE]
[SIZE=2]00401095   |.  68 F3324000        push    004032F3                          ; /pOpenFileName = zeroadd.004032F3[/SIZE]
[SIZE=2]0040109A   |.  E8 11050000        call      ; \GetOpenFileNameA[/SIZE]
[SIZE=2]004010A4   |.  68 7C334000        push    0040337C                          ; /Text = ""[/SIZE]
[SIZE=2]004010A9   |.  6A 03              push    3                                 ; |ControlID = 3[/SIZE]
[SIZE=2]004010AB   |.  FF75 08            push    dword ptr [ebp+8]                 ; |hWnd[/SIZE]
[SIZE=2]004010AE   |.  E8 A3040000        call         ; \SetDlgItemTextA[/SIZE]
[SIZE=2]004010B3   |> \66:83F8 06         cmp     ax, 6[/SIZE]
[SIZE=2]004010B7   |.  0F85 7A030000      jnz     00401437[/SIZE]
[SIZE=2]004010BD   |.  C1E8 10            shr     eax, 10[/SIZE]
[SIZE=2]004010C0   |.  66:0BC0            or      ax, ax[/SIZE]
[SIZE=2]004010C3   |.  0F85 6E030000      jnz     00401437[/SIZE]
[SIZE=2]004010C9   |.  68 00020000        push    200                               ; /Count = 200 (512.)[/SIZE]
[SIZE=2]004010CE   |.  68 20304000        push    00403020                          ; |Buffer = zeroadd.00403020[/SIZE]
[SIZE=2]004010D3   |.  6A 03              push    3                                 ; |ControlID = 3[/SIZE]
[SIZE=2]004010D5   |.  FF75 08            push    dword ptr [ebp+8]                 ; |hWnd[/SIZE]
[SIZE=2]004010D8   |.  E8 67040000        call         ; \GetDlgItemTextA[/SIZE]
[SIZE=2]004010DD   |.  68 00020000        push    200                               ; /Count = 200 (512.)[/SIZE]
[SIZE=2]004010E2   |.  68 00304000        push    00403000                          ; |Buffer = zeroadd.00403000[/SIZE]
[SIZE=2]004010E7   |.  6A 04              push    4                                 ; |ControlID = 4[/SIZE]
[SIZE=2]004010E9   |.  FF75 08            push    dword ptr [ebp+8]                 ; |hWnd[/SIZE]
[SIZE=2]004010EC   |.  E8 53040000        call         ; \GetDlgItemTextA[/SIZE]
[SIZE=2]004010F1   |.  68 00020000        push    200                               ; /Count = 200 (512.)[/SIZE]
[SIZE=2]004010F6   |.  68 08304000        push    00403008                          ; |Buffer = zeroadd.00403008[/SIZE]
[SIZE=2]004010FB   |.  6A 05              push    5                                 ; |ControlID = 5[/SIZE]
[SIZE=2]004010FD   |.  FF75 08            push    dword ptr [ebp+8]                 ; |hWnd[/SIZE]
[SIZE=2]00401100   |.  E8 3F040000        call         ; \GetDlgItemTextA[/SIZE]
[SIZE=2]00401105   |.  6A 0F              push    0F                                ; /ButtonID = F (15.)[/SIZE]
[SIZE=2]00401107   |.  FF75 08            push    dword ptr [ebp+8]                 ; |hWnd[/SIZE]
[SIZE=2]0040110A   |.  E8 3B040000        call      ; \IsDlgButtonChecked[/SIZE]
[SIZE=2]0040110F   |.  83F8 01            cmp     eax, 1[/SIZE]
[SIZE=2]00401112   |.  75 38              jnz     short 0040114C[/SIZE]
[SIZE=2]00401114   |.  68 20304000        push    00403020                          ; /String2 = ""[/SIZE]
[SIZE=2]00401119   |.  68 85304000        push    00403085                          ; |String1 = zeroadd.00403085[/SIZE]
[SIZE=2]0040111E   |.  E8 81040000        call              ; \lstrcpyA[/SIZE]
[SIZE=2]00401123   |.  68 1B314000        push    0040311B                          ; /StringToAdd = ".bak"[/SIZE]
[SIZE=2]00401128   |.  68 85304000        push    00403085                          ; |ConcatString = ""[/SIZE]
[SIZE=2]0040112D   |.  E8 6C040000        call              ; \lstrcatA[/SIZE]
[SIZE=2]00401132   |.  6A 00              push    0                                 ; /FailIfExists = FALSE[/SIZE]
[SIZE=2]00401134   |.  68 85304000        push    00403085                          ; |NewFileName = ""[/SIZE]
[SIZE=2]00401139   |.  68 20304000        push    00403020                          ; |ExistingFileName = ""[/SIZE]
[SIZE=2]0040113E   |.  E8 1F040000        call             ; \CopyFileA[/SIZE]
[SIZE=2]00401143   |.  83F8 00            cmp     eax, 0[/SIZE]
[SIZE=2]00401146   |.  0F84 51020000      je      0040139D[/SIZE]
[SIZE=2]0040114C   |>  6A 00              push    0                                 ; /FailIfExists = FALSE[/SIZE]
[SIZE=2]0040114E   |.  68 29314000        push    00403129                          ; |NewFileName = "swapit.sca"[/SIZE]
[SIZE=2]00401153   |.  68 20304000        push    00403020                          ; |ExistingFileName = ""[/SIZE]
[SIZE=2]00401158   |.  E8 05040000        call             ; \CopyFileA[/SIZE]

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

上传的附件:
收藏
免费 7
支持
分享
最新回复 (7)
雪    币: 204
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
好文,学习了
2008-11-23 07:30
0
雪    币: 370
活跃值: (15)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
3
TAG:PE SECTION 区段 添加 ZEROADD LORDPE

我对PE的学习一直很怵
2008-11-23 16:47
0
雪    币: 208
活跃值: (10)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
4
好文章往都很长!
2008-11-23 19:12
0
雪    币: 251
活跃值: (25)
能力值: ( LV9,RANK:290 )
在线值:
发帖
回帖
粉丝
5
太长太暴力了
2008-11-23 20:14
0
雪    币: 264
活跃值: (11)
能力值: ( LV9,RANK:250 )
在线值:
发帖
回帖
粉丝
6
[QUOTE=;]...[/QUOTE]
我也是最近才认真学习PE格式的觉得挺有趣的 希望高手们多多指点…
BTW: .if后的条件怎么复合?
2008-11-24 22:59
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
7
[QUOTE=;]...[/QUOTE]
的确是精华。膜拜。
2008-11-25 10:25
0
雪    币: 202
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
8
学习,谢谢分享,
我是菜鸟一个,还不是很懂
我会努力的
2009-2-18 13:23
0
游客
登录 | 注册 方可回帖
返回
//