情况是这样的,有一个EXE程序,我想在运行EXE的同时也开启一个系统服务(这个系统服务是手动停止的),用批处理可以简单实现ECHO net start SCardSvr,但我想在程序中实现,不知道又没有可能,找了一些有功能的程序载入OD看了下是下面这个样子。
0045946C /$ 55 PUSH EBP
0045946D |. 8BEC MOV EBP,ESP
0045946F |. 83C4 D8 ADD ESP,-28
00459472 |. 53 PUSH EBX
00459473 |. 56 PUSH ESI
00459474 |. 57 PUSH EDI
00459475 |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
00459478 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0045947B |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045947E |. E8 C9B9FAFF CALL fuwu.00404E4C
00459483 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00459486 |. E8 C1B9FAFF CALL fuwu.00404E4C
0045948B |. 33C0 XOR EAX,EAX
0045948D |. 55 PUSH EBP
0045948E |. 68 45954500 PUSH fuwu.00459545
00459493 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00459496 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00459499 |. 33C0 XOR EAX,EAX
0045949B |. 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
0045949E |. 6A 01 PUSH 1
004594A0 |. 6A 00 PUSH 0
004594A2 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004594A5 |. E8 B2B9FAFF CALL fuwu.00404E5C
004594AA |. 50 PUSH EAX
004594AB |. E8 50F3FFFF CALL <JMP.&advapi32.OpenSCManagerA>
004594B0 |. 8BD8 MOV EBX,EAX
004594B2 |. 85DB TEST EBX,EBX
004594B4 |. 76 6D JBE SHORT fuwu.00459523
004594B6 |. 6A 14 PUSH 14
004594B8 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004594BB |. E8 9CB9FAFF CALL fuwu.00404E5C
004594C0 |. 50 PUSH EAX
004594C1 |. 53 PUSH EBX
004594C2 |. E8 41F3FFFF CALL <JMP.&advapi32.OpenServiceA>
004594C7 |. 8BF0 MOV ESI,EAX
004594C9 |. 85F6 TEST ESI,ESI
004594CB |. 76 50 JBE SHORT fuwu.0045951D
004594CD |. 33C0 XOR EAX,EAX
004594CF |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
004594D2 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004594D5 |. 50 PUSH EAX
004594D6 |. 6A 00 PUSH 0
004594D8 |. 56 PUSH ESI
004594D9 |. E8 5AF3FFFF CALL <JMP.&advapi32.StartServiceA>
004594DE |. 85C0 TEST EAX,EAX
004594E0 |. 74 35 JE SHORT fuwu.00459517
004594E2 |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004594E5 |. 50 PUSH EAX
004594E6 |. 56 PUSH ESI
004594E7 |. E8 2CF3FFFF CALL <JMP.&advapi32.QueryServiceStatus>
004594EC |. 85C0 TEST EAX,EAX
004594EE |. 74 27 JE SHORT fuwu.00459517
004594F0 |. EB 1F JMP SHORT fuwu.00459511
004594F2 |> 8B7D EC /MOV EDI,DWORD PTR SS:[EBP-14]
004594F5 |. 8B45 F0 |MOV EAX,DWORD PTR SS:[EBP-10]
004594F8 |. 50 |PUSH EAX ; /Timeout
004594F9 |. E8 624DFBFF |CALL <JMP.&kernel32.Sleep> ; \Sleep
004594FE |. 8D45 D8 |LEA EAX,DWORD PTR SS:[EBP-28]
00459501 |. 50 |PUSH EAX
00459502 |. 56 |PUSH ESI
00459503 |. E8 10F3FFFF |CALL <JMP.&advapi32.QueryServiceStatus>
00459508 |. 85C0 |TEST EAX,EAX
0045950A |. 74 0B |JE SHORT fuwu.00459517
0045950C |. 3B7D EC |CMP EDI,DWORD PTR SS:[EBP-14]
0045950F |. 77 06 |JA SHORT fuwu.00459517
00459511 |> 837D DC 04 CMP DWORD PTR SS:[EBP-24],4
00459515 |.^ 75 DB \JNZ SHORT fuwu.004594F2
00459517 |> 56 PUSH ESI
00459518 |. E8 B3F2FFFF CALL <JMP.&advapi32.CloseServiceHandle>
0045951D |> 53 PUSH EBX
0045951E |. E8 ADF2FFFF CALL <JMP.&advapi32.CloseServiceHandle>
00459523 |> 837D DC 04 CMP DWORD PTR SS:[EBP-24],4
00459527 |. 0F94C3 SETE BL
0045952A |. 33C0 XOR EAX,EAX
0045952C |. 5A POP EDX
0045952D |. 59 POP ECX
0045952E |. 59 POP ECX
0045952F |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00459532 |. 68 4C954500 PUSH fuwu.0045954C
00459537 |> 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0045953A |. BA 02000000 MOV EDX,2
0045953F |. E8 7CB4FAFF CALL fuwu.004049C0
00459544 \. C3 RETN
这部分应该是实现累世功能的吧,我就想问下大家在反汇编OD中有可能实现开启某系统服务的功能吗。如果PATH代码这里涉及到几个函数,比如我想开启SCardSvr这个服务,那是怎么传参的呢,如有指教不胜感激。
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
