-
-
[原创]PE文件添加区段[逆向分析+asm代码实现]
-
发表于:
2008-11-23 06:26
10957
-
[原创]PE文件添加区段[逆向分析+asm代码实现]
2008年11月23日 6:16:55
[SIZE=2]00401000 z>/$ 6A 00 push 0 ; /pModule = NULL[/SIZE]
[SIZE=2]00401002 |. E8 7F050000 call ; \GetModuleHandleA[/SIZE]
[SIZE=2]00401007 |. 6A 00 push 0 ; /lParam = NULL[/SIZE]
[SIZE=2]00401009 |. 68 1F104000 push 0040101F ; |DlgProc = zeroadd.0040101F[/SIZE]
[SIZE=2]0040100E |. 6A 00 push 0 ; |hOwner = NULL[/SIZE]
[SIZE=2]00401010 |. 6A 01 push 1 ; |pTemplate = 1[/SIZE]
[SIZE=2]00401012 |. 50 push eax ; |hInst[/SIZE]
[SIZE=2]00401013 |. E8 20050000 call ; \DialogBoxParamA[/SIZE]
[SIZE=2]00401018 |. 6A 00 push 0 ; /ExitCode = 0[/SIZE]
[SIZE=2]0040101A \. E8 5B050000 call ; \ExitProcess[/SIZE]
[SIZE=2]00401030 |> \837D 0C 10 cmp dword ptr [ebp+C], 10[/SIZE]
[SIZE=2]00401034 |. 75 0F jnz short 00401045[/SIZE]
[SIZE=2]00401036 |. 6A 00 push 0 ; /Result = 0[/SIZE]
[SIZE=2]00401038 |. FF75 08 push dword ptr [ebp+8] ; |hWnd[/SIZE]
[SIZE=2]0040103B |. E8 FE040000 call ; \EndDialog[/SIZE]
[SIZE=2]00401045 |> \817D 0C 11010000 cmp dword ptr [ebp+C], 111[/SIZE]
[SIZE=2]0040104C |. 0F85 31040000 jnz 00401483[/SIZE]
[SIZE=2]00401052 |. 8B45 10 mov eax, dword ptr [ebp+10][/SIZE]
[SIZE=2]00401055 |. 66:83F8 02 cmp ax, 2[/SIZE]
[SIZE=2]00401059 |. 75 58 jnz short 004010B3[/SIZE]
[SIZE=2]0040105B |. C1E8 10 shr eax, 10[/SIZE]
[SIZE=2]0040105E |. 66:0BC0 or ax, ax[/SIZE]
[SIZE=2]00401061 |. 75 50 jnz short 004010B3[/SIZE]
[SIZE=2]00401063 |. C705 F3324000 4C00>mov dword ptr [4032F3], 4C[/SIZE]
[SIZE=2]0040106D |. C705 FF324000 3F33>mov dword ptr [4032FF], 0040333F ; ASCII "Executable Files (*.exe, *.dll)"[/SIZE]
[SIZE=2]00401077 |. C705 0F334000 7C33>mov dword ptr [40330F], 0040337C[/SIZE]
[SIZE=2]00401081 |. C705 13334000 0002>mov dword ptr [403313], 200[/SIZE]
[SIZE=2]0040108B |. C705 27334000 0418>mov dword ptr [403327], 281804[/SIZE]
[SIZE=2]00401095 |. 68 F3324000 push 004032F3 ; /pOpenFileName = zeroadd.004032F3[/SIZE]
[SIZE=2]0040109A |. E8 11050000 call ; \GetOpenFileNameA[/SIZE]
[SIZE=2]004010A4 |. 68 7C334000 push 0040337C ; /Text = ""[/SIZE]
[SIZE=2]004010A9 |. 6A 03 push 3 ; |ControlID = 3[/SIZE]
[SIZE=2]004010AB |. FF75 08 push dword ptr [ebp+8] ; |hWnd[/SIZE]
[SIZE=2]004010AE |. E8 A3040000 call ; \SetDlgItemTextA[/SIZE]
[SIZE=2]004010B3 |> \66:83F8 06 cmp ax, 6[/SIZE]
[SIZE=2]004010B7 |. 0F85 7A030000 jnz 00401437[/SIZE]
[SIZE=2]004010BD |. C1E8 10 shr eax, 10[/SIZE]
[SIZE=2]004010C0 |. 66:0BC0 or ax, ax[/SIZE]
[SIZE=2]004010C3 |. 0F85 6E030000 jnz 00401437[/SIZE]
[SIZE=2]004010C9 |. 68 00020000 push 200 ; /Count = 200 (512.)[/SIZE]
[SIZE=2]004010CE |. 68 20304000 push 00403020 ; |Buffer = zeroadd.00403020[/SIZE]
[SIZE=2]004010D3 |. 6A 03 push 3 ; |ControlID = 3[/SIZE]
[SIZE=2]004010D5 |. FF75 08 push dword ptr [ebp+8] ; |hWnd[/SIZE]
[SIZE=2]004010D8 |. E8 67040000 call ; \GetDlgItemTextA[/SIZE]
[SIZE=2]004010DD |. 68 00020000 push 200 ; /Count = 200 (512.)[/SIZE]
[SIZE=2]004010E2 |. 68 00304000 push 00403000 ; |Buffer = zeroadd.00403000[/SIZE]
[SIZE=2]004010E7 |. 6A 04 push 4 ; |ControlID = 4[/SIZE]
[SIZE=2]004010E9 |. FF75 08 push dword ptr [ebp+8] ; |hWnd[/SIZE]
[SIZE=2]004010EC |. E8 53040000 call ; \GetDlgItemTextA[/SIZE]
[SIZE=2]004010F1 |. 68 00020000 push 200 ; /Count = 200 (512.)[/SIZE]
[SIZE=2]004010F6 |. 68 08304000 push 00403008 ; |Buffer = zeroadd.00403008[/SIZE]
[SIZE=2]004010FB |. 6A 05 push 5 ; |ControlID = 5[/SIZE]
[SIZE=2]004010FD |. FF75 08 push dword ptr [ebp+8] ; |hWnd[/SIZE]
[SIZE=2]00401100 |. E8 3F040000 call ; \GetDlgItemTextA[/SIZE]
[SIZE=2]00401105 |. 6A 0F push 0F ; /ButtonID = F (15.)[/SIZE]
[SIZE=2]00401107 |. FF75 08 push dword ptr [ebp+8] ; |hWnd[/SIZE]
[SIZE=2]0040110A |. E8 3B040000 call ; \IsDlgButtonChecked[/SIZE]
[SIZE=2]0040110F |. 83F8 01 cmp eax, 1[/SIZE]
[SIZE=2]00401112 |. 75 38 jnz short 0040114C[/SIZE]
[SIZE=2]00401114 |. 68 20304000 push 00403020 ; /String2 = ""[/SIZE]
[SIZE=2]00401119 |. 68 85304000 push 00403085 ; |String1 = zeroadd.00403085[/SIZE]
[SIZE=2]0040111E |. E8 81040000 call ; \lstrcpyA[/SIZE]
[SIZE=2]00401123 |. 68 1B314000 push 0040311B ; /StringToAdd = ".bak"[/SIZE]
[SIZE=2]00401128 |. 68 85304000 push 00403085 ; |ConcatString = ""[/SIZE]
[SIZE=2]0040112D |. E8 6C040000 call ; \lstrcatA[/SIZE]
[SIZE=2]00401132 |. 6A 00 push 0 ; /FailIfExists = FALSE[/SIZE]
[SIZE=2]00401134 |. 68 85304000 push 00403085 ; |NewFileName = ""[/SIZE]
[SIZE=2]00401139 |. 68 20304000 push 00403020 ; |ExistingFileName = ""[/SIZE]
[SIZE=2]0040113E |. E8 1F040000 call ; \CopyFileA[/SIZE]
[SIZE=2]00401143 |. 83F8 00 cmp eax, 0[/SIZE]
[SIZE=2]00401146 |. 0F84 51020000 je 0040139D[/SIZE]
[SIZE=2]0040114C |> 6A 00 push 0 ; /FailIfExists = FALSE[/SIZE]
[SIZE=2]0040114E |. 68 29314000 push 00403129 ; |NewFileName = "swapit.sca"[/SIZE]
[SIZE=2]00401153 |. 68 20304000 push 00403020 ; |ExistingFileName = ""[/SIZE]
[SIZE=2]00401158 |. E8 05040000 call ; \CopyFileA[/SIZE]
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课