拜读DiA/rrlf/29A.8.008的《Capture the desktop - scan .LNK files for victims》一文,原文中代码为fasm编写。于是顺手改写为自己常用的masm了。改写的过程中才发现原文中关于lnk文件结构部分有误,代码自然也是错的了。微软并没有公开lnk文件结构,因而也无可厚非了。在这里贴出来修改后的masm代码,并附一个人分析后认为比较可靠的lnk结构资料(http://www.stdlib.com/art6-Shortcut-File-Format-lnk.html)。
- ;※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※
- ; LinkScan.exe
- ;※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※※
- ; Author: Goly
- ; Email: bh.yang@163.com
- ; QQ: 402295354
- ; Site:
- ;★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
- ; Core Code:
- .386
- .model flat, stdcall
- option casemap:none
- include windows.inc
- include user32.inc
- include kernel32.inc
- include advapi32.inc
- include gdi32.inc
- includelib user32.lib
- includelib kernel32.lib
- includelib gdi32.lib
- includelib advapi32.lib
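.const
; registry location of the per-user Desktop folder path
szDesktopSubkey db 'Software\Microsoft\',
                   'Windows\CurrentVersion\',
                   'Explorer\Shell Folders',0
szDesktopValue  db 'Desktop',0
szERROR         db 'Error!',0
szLnkFiles      db '*.lnk',0                ; FindFirstFile pattern
.data
dwRegHandle     dd ?                        ; HKEY from RegOpenKeyEx
szDesktopPath   db MAX_PATH dup(?)          ; 260 bytes; '\'-terminated by _GetDesktopPath
dwDesktopSize   dd MAX_PATH                 ; in/out byte count for RegQueryValueEx
; Scratch slot sized for RegQueryValueEx's lpType output (a DWORD may be
; written over the text); the characters themselves are never read.
szRegType       db 'REG_SZ',0
stWin32FindData WIN32_FIND_DATA <>          ; current directory entry
dwFindHandle    dd ?                        ; search handle from FindFirstFile
dwFileHandle    dd ?                        ; current .lnk file
dwMapHandle     dd ?                        ; file-mapping object for it
dwMapAddress    dd ?                        ; base address of the mapped view
dwItemSize      dw ?                        ; 16-bit IDListSize read from the .lnk
dtVictim        db 255 dup(?)               ; target path copied out of the .lnk (ASCIZ)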
- ;-------get desktop path from registry-----
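;-----------------------------------------------------------------------
; _GetDesktopPath
;   Reads HKCU\<szDesktopSubkey>\<szDesktopValue> into szDesktopPath and
;   makes sure the path ends in exactly one '\', so that file names can
;   be appended directly.
; In:    szDesktopSubkey, szDesktopValue (.const)
; Out:   szDesktopPath = desktop directory, '\'- and NUL-terminated
;        dwDesktopSize = byte count returned by RegQueryValueEx
; Clobb: eax, ecx, flags; dwRegHandle (esi preserved via 'uses')
; Does not return on failure: jumps to _Error, which exits the process.
;-----------------------------------------------------------------------
_GetDesktopPath proc uses esi
        ; KEY_READ is sufficient: the key is only queried, never written
        invoke  RegOpenKeyEx,\
                HKEY_CURRENT_USER,\
                offset szDesktopSubkey,\
                0,\
                KEY_READ,\
                offset dwRegHandle
        cmp     eax,ERROR_SUCCESS
        jnz     _Error
        ; Ask for two bytes less than the buffer so that a '\' and a NUL
        ; can always be appended below without running past szDesktopPath.
        mov     dwDesktopSize,sizeof szDesktopPath - 2
        ; lpType = 0: the value type is not needed
        invoke  RegQueryValueEx,\
                dwRegHandle,\
                offset szDesktopValue,\
                0,\
                0,\
                offset szDesktopPath,\
                offset dwDesktopSize
        ; close the key before testing the result so the handle is not
        ; leaked on the error path; RegCloseKey returns in eax, so save it
        push    eax
        invoke  RegCloseKey,\
                dwRegHandle
        pop     eax
        cmp     eax,ERROR_SUCCESS
        jnz     _Error
        ; REG_SZ data is not guaranteed to be NUL-terminated: terminate it
        ; at the returned length (dwDesktopSize <= sizeof - 2, so in range).
        mov     esi,offset szDesktopPath
        mov     ecx,dwDesktopSize
        mov     byte ptr [esi+ecx],0
        ; esi -> first NUL in the path
@GetZero:
        cmp     byte ptr [esi],0
        je      @GotZero
        inc     esi
        jmp     @GetZero
@GotZero:
        ; an empty path is unusable (and [esi-1] would be outside the buffer)
        cmp     esi,offset szDesktopPath
        je      _Error
        cmp     byte ptr [esi-1],5ch            ; already ends in '\' ?
        je      @HaveSlash
        mov     byte ptr [esi],5ch
        mov     byte ptr [esi+1],0
@HaveSlash:
        ret
_GetDesktopPath endp
;-------get desktop path from registry-----END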
- ;-------get desktop path from registry-----END
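; .lnk layout used below (field names follow the MS-SHLLINK specification;
; the reference the original code followed called LinkInfo "FileLocationInfo"):
;   0x00  ShellLinkHeader: HeaderSize = 0x4C, LinkFlags dword at 0x14
;   0x4C  IDListSize (word) + LinkTargetIDList, when HasLinkTargetIDList is set
;   then  LinkInfo: LinkInfoFlags at +8, LocalBasePathOffset at +0x10,
;         LocalBasePath = LinkInfo + LocalBasePathOffset (ASCIZ "X:\...")
LNK_HEADER_SIZE      equ 4Ch
LNK_OFS_LINKFLAGS    equ 14h
LNK_HAS_IDLIST       equ 1          ; LinkFlags bit 0: HasLinkTargetIDList
LNK_HAS_LINKINFO     equ 2          ; LinkFlags bit 1: HasLinkInfo
LNKINFO_OFS_FLAGS    equ 8          ; LinkInfoFlags within LinkInfo
LNKINFO_VOLID_BASE   equ 1          ; LinkInfoFlags bit 0: VolumeIDAndLocalBasePath
LNKINFO_OFS_BASEPATH equ 10h        ; LocalBasePathOffset within LinkInfo
LNKINFO_MIN_SIZE     equ 14h        ; bytes needed to read up to LocalBasePathOffset
;-----------------------------------------------------------------------
; _ScanLinkFile
;   Enumerates *.lnk in szDesktopPath, maps each file read-only, extracts
;   its LocalBasePath and shows it in a message box when it looks like
;   "X:\...\name.ext". Every offset taken from the file is checked against
;   the file size, so a truncated or malformed .lnk is skipped instead of
;   faulting; paths longer than sizeof dtVictim - 2 bytes are skipped.
; In:    szDesktopPath (set by _GetDesktopPath), szLnkFiles
; Out:   dtVictim = last accepted path; stWin32FindData = last entry;
;        dwItemSize = IDListSize of the last mapped file
; Clobb: eax, ecx, edx, flags; dwFindHandle, dwFileHandle, dwMapHandle,
;        dwMapAddress (ebx/esi/edi preserved via 'uses')
; Jumps to _Error (no return) if the desktop directory cannot be entered.
;-----------------------------------------------------------------------
_ScanLinkFile proc uses ebx esi edi
        LOCAL   dwFileSize:DWORD

        invoke  SetCurrentDirectory,\
                offset szDesktopPath
        test    eax,eax
        jz      _Error
        ; FindFirstFile reports failure with INVALID_HANDLE_VALUE, not 0
        invoke  FindFirstFile,\
                offset szLnkFiles,\
                offset stWin32FindData
        cmp     eax,INVALID_HANDLE_VALUE
        je      @ExitFunc
        mov     dwFindHandle,eax
@ProcessFile:
        ; read-only access is all that is needed; never open shortcuts for writing
        invoke  CreateFile,\
                offset stWin32FindData.cFileName,\
                GENERIC_READ,\
                FILE_SHARE_READ,\
                0,\
                OPEN_EXISTING,\
                FILE_ATTRIBUTE_NORMAL,\
                0
        cmp     eax,INVALID_HANDLE_VALUE
        je      @FindNextLNK
        mov     dwFileHandle,eax
        ; the file size bounds every read from the mapped view
        invoke  GetFileSize,\
                dwFileHandle,\
                0
        cmp     eax,0FFFFFFFFh                  ; INVALID_FILE_SIZE
        je      @CloseFile
        mov     dwFileSize,eax
        ;--------Map the file (read-only)---
        invoke  CreateFileMapping,\
                dwFileHandle,\
                0,\
                PAGE_READONLY,\
                0,\
                0,\
                0
        test    eax,eax
        jz      @CloseFile
        mov     dwMapHandle,eax
        invoke  MapViewOfFile,\
                dwMapHandle,\
                FILE_MAP_READ,\
                0,\
                0,\
                0
        test    eax,eax
        jz      @CloseMap
        mov     dwMapAddress,eax
        ;--------Map the file---END
        ;--------Validate the header---
        mov     ebx,eax                         ; ebx = file base for all reads below
        cmp     dwFileSize,LNK_HEADER_SIZE+2    ; header + IDListSize word
        jb      @UnmapView
        cmp     dword ptr [ebx],LNK_HEADER_SIZE
        jne     @UnmapView
        ; both an IDList and a LinkInfo block are required by the walk below
        mov     eax,dword ptr [ebx+LNK_OFS_LINKFLAGS]
        and     eax,LNK_HAS_IDLIST or LNK_HAS_LINKINFO
        cmp     eax,LNK_HAS_IDLIST or LNK_HAS_LINKINFO
        jne     @UnmapView
        ;--------Locate LinkInfo (edx = offset from file base)---
        movzx   eax,word ptr [ebx+LNK_HEADER_SIZE]      ; IDListSize
        mov     dwItemSize,ax
        lea     edx,[eax+LNK_HEADER_SIZE+2]             ; skip header + IDList
        lea     eax,[edx+LNKINFO_MIN_SIZE]
        cmp     eax,dwFileSize
        ja      @UnmapView
        ; LocalBasePathOffset is only meaningful when VolumeIDAndLocalBasePath is set
        test    byte ptr [ebx+edx+LNKINFO_OFS_FLAGS],LNKINFO_VOLID_BASE
        jz      @UnmapView
        add     edx,dword ptr [ebx+edx+LNKINFO_OFS_BASEPATH]   ; edx = LocalBasePath offset
        jc      @UnmapView
        cmp     edx,dwFileSize
        jae     @UnmapView
        ;--------Copy the ASCIZ LocalBasePath into dtVictim---
        lea     esi,[ebx+edx]
        mov     edi,offset dtVictim
        mov     ecx,dwFileSize
        sub     ecx,edx                         ; ecx = bytes readable from esi
        cmp     ecx,sizeof dtVictim - 1         ; keep room for the terminator
        jbe     @CopyVictimString
        mov     ecx,sizeof dtVictim - 1
@CopyVictimString:
        test    ecx,ecx
        jz      @UnmapView                      ; no NUL within file/buffer: reject
        cmp     byte ptr [esi],0
        je      @HaveVictim
        movsb
        dec     ecx
        jmp     @CopyVictimString
@HaveVictim:
        mov     byte ptr [edi],0
        ;--------Check that the path looks like "X:\...\name.ext"---
        mov     edx,offset dtVictim
        mov     eax,edi
        sub     eax,edx                         ; eax = path length
        cmp     eax,4                           ; [edx+1] and [edi-4] need >= 4 chars
        jb      @UnmapView
        cmp     byte ptr [edx+1],3Ah            ; ':'
        jne     @UnmapView
        cmp     byte ptr [edi-4],'.'            ; three-letter extension
        jne     @UnmapView
        invoke  MessageBox,\
                0,\
                offset dtVictim,\
                offset stWin32FindData.cFileName,\
                MB_ICONINFORMATION
@UnmapView:
        ; reached on every path once the view exists, so it is never leaked
        invoke  UnmapViewOfFile,\
                dwMapAddress
@CloseMap:
        invoke  CloseHandle,\
                dwMapHandle
@CloseFile:
        invoke  CloseHandle,\
                dwFileHandle
@FindNextLNK:
        invoke  FindNextFile,\
                dwFindHandle,\
                offset stWin32FindData
        test    eax,eax
        jnz     @ProcessFile
        invoke  FindClose,\
                dwFindHandle
@ExitFunc:
        ret
_ScanLinkFile endp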
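; Shared failure exit: show one error box, then terminate.
; Reached by jmp from inside the procs above; the process never returns
; to their callers, so whatever frame they left behind does not matter.
_Error:
        invoke  MessageBox,\
                0,\
                offset szERROR,\
                offset szERROR,\
                MB_ICONERROR
        jmp     _Exit
; Program entry point (named in 'end start').
start:
        call    _GetDesktopPath
        call    _ScanLinkFile
_Exit:
        invoke  ExitProcess,\
                0
end start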