一个壳的源代码
发表于: ASM | 作者: lonkil
标签: 汇编一款壳的源代码:
ASM代码
include win32.inc
.586
.model flat,stdcall
locals
extrn _wsprintfA:proc,MessageBoxA:proc,ExitProcess:proc,IsDebuggerPresent:proc
extrn ReleaseDC:proc,GetDC:proc,TextOutA:proc,GetTickCount:proc
OLD_TICK_COUNT equ 072h
GET_TICK_COUNT equ 0c1h
IS_DBG_PRESENT equ 034h
EXIT_PROCESS equ 0a7h
XX equ 12345678h
.data
PCStart:
nop
@@PCStartRVA:
pushad
call GetRVAOffset,offset @@KillIDA
jmp eax
@@KillIDA:
;//定位GetProcAddress函数
;db 0ebh,001h,0e8h;//乱码样版
sub esp,100h
mov ebp,esp
db 0ebh,001h,0e8h;//乱码样版
mov ebx,[ebp+100h+8*4]
@@RepScanGPA:
dec ebx
db 0ebh,001h,0e8h;//乱码样版
call GetPEOffset,ebx
mov ebx,eax
xor esi,esi
db 0ebh,001h,0e8h;//乱码样版
@@RepScanGPAName:
inc esi
call GetGPANameByIndex,ebx,esi
or eax,eax
db 0ebh,001h,0e8h;//乱码样版
jz short @@RepScanGPA
mov edi,eax
call GetGPAString
db 0ebh,001h,0e8h;//乱码样版
mov edx,eax
call CompareMemory,edi,edx,15
or eax,eax
jnz short @@RepScanGPAName
db 0ebh,001h,0e8h;//乱码样版
call GetGPARVAByIndex,ebx,esi
mov esi,eax
;//ebx=Kernel32 Base;esi=GetProcAddress
