真正的隐藏调用系统API

一生放荡mo · 发表于 2015-1-15 10:55:39

本帖最后由心若流云于 2015-1-15 10:57 编辑

真正的隐藏调用系统API

.版本 2

.子程序 GetProcAddress, 整数型

.参数 ModuleHandle, 整数型

.参数 apiName, 通用型

' *** ASM ***

' 54B51003 . 83EC 08 sub esp, 8

' 54B51006 . 53 push ebx

' 54B51007 . 56 push esi

' 54B51008 . 8B75 08 mov esi, dword ptr [ebp+8]

' 54B5100B . 8B46 3C mov eax, dword ptr [esi+3C]

' 54B5100E . 8B4C30 78 mov ecx, dword ptr [eax+esi+78]

' 54B51012 . 8B4431 20 mov eax, dword ptr [ecx+esi+20]

' 54B51016 . 03CE add ecx, esi

' 54B51018 . 894D F8 mov dword ptr [ebp-8], ecx

' 54B5101B . 8B49 18 mov ecx, dword ptr [ecx+18]

' 54B5101E . 57 push edi

' 54B5101F . 03C6 add eax, esi

' 54B51021 . 33FF xor edi, edi

' 54B51023 . 8945 08 mov dword ptr [ebp+8], eax

' 54B51026 . 894D FC mov dword ptr [ebp-4], ecx

' 54B51029 . 85C9 test ecx, ecx

' 54B5102B . 7F 16 jg short 54B51043

' 54B5102D . 5F pop edi

' 54B5102E . 5E pop esi

' 54B5102F . 33C0 xor eax, eax

' 54B51031 . 5B pop ebx

' 54B51032 . 8BE5 mov esp, ebp

' 54B51034 . 5D pop ebp

' 54B51035 . C2 0800 retn 8

' 54B51038 . EB 06 jmp short 54B51040

' 54B5103A 8D9B 00000000 lea ebx, dword ptr [ebx]

' 54B51040 > 8B45 08 mov eax, dword ptr [ebp+8]

' 54B51043 > 8B04B8 mov eax, dword ptr [eax+edi*4]

' 54B51046 . 8B4D 0C mov ecx, dword ptr [ebp+C]

' 54B51049 . 03C6 add eax, esi

' 54B5104B . 33D2 xor edx, edx

' 54B5104D . 2BC1 sub eax, ecx

' 54B5104F . 90 nop

' 54B51050 > 8A19 mov bl, byte ptr [ecx]

' 54B51052 . 84DB test bl, bl

' 54B51054 . 74 1D je short 54B51073

' 54B51056 . 381C08 cmp byte ptr [eax+ecx], bl

' 54B51059 . 75 07 jnz short 54B51062

' 54B5105B . 42 inc edx

' 54B5105C . 41 inc ecx

' 54B5105D . 83FA 1E cmp edx, 1E

' 54B51060 .^ 7C EE jl short 54B51050

' 54B51062 > 47 inc edi

' 54B51063 . 3B7D FC cmp edi, dword ptr [ebp-4]

' 54B51066 .^ 7C D8 jl short 54B51040

' 54B51068 . 5F pop edi

' 54B51069 . 5E pop esi

' 54B5106A . 33C0 xor eax, eax

' 54B5106C . 5B pop ebx

' 54B5106D . 8BE5 mov esp, ebp

' 54B5106F . 5D pop ebp

' 54B51070 . C2 0800 retn 8

' 54B51073 > 8B45 F8 mov eax, dword ptr [ebp-8]

' 54B51076 . 8B48 24 mov ecx, dword ptr [eax+24]

' 54B51079 . 8D1479 lea edx, dword ptr [ecx+edi*2]

' 54B5107C . 0FBF0C32 movsx ecx, word ptr [edx+esi]

' 54B51080 . 8B50 1C mov edx, dword ptr [eax+1C]

' 54B51083 . 8D048A lea eax, dword ptr [edx+ecx*4]

' 54B51086 . 8B0430 mov eax, dword ptr [eax+esi]

' 54B51089 . 5F pop edi

' 54B5108A . 03C6 add eax, esi

' 54B5108C . 5E pop esi

' 54B5108D . 5B pop ebx

' 54B5108E . 8BE5 mov esp, ebp

' 54B51090 . 5D pop ebp

' 54B51091 . C2 0800 retn 8

置入代码 ({ 131, 236, 8, 83, 86, 139, 117, 8, 139, 70, 60, 139, 76, 48, 120, 139, 68, 49, 32, 3, 206, 137, 77, 248, 139, 73, 24, 87, 3, 198, 51, 255, 137, 69, 8, 137, 77, 252, 133, 201, 127, 22, 95, 94, 51, 192, 91, 139, 229, 93, 194, 8, 0, 235, 6, 141, 155, 0, 0, 0, 0, 139, 69, 8, 139, 4, 184, 139, 77, 12, 3, 198, 51, 210, 43, 193, 144, 138, 25, 132, 219, 116, 29, 56, 28, 8, 117, 7, 66, 65, 131, 250, 30, 124, 238, 71, 59, 125, 252, 124, 216, 95, 94, 51, 192, 91, 139, 229, 93, 194, 8, 0, 139, 69, 248, 139, 72, 36, 141, 20, 121, 15, 191, 12, 50, 139, 80, 28, 141, 4, 138, 139, 4, 48, 95, 3, 198, 94, 91, 139, 229, 93, 194, 8, 0 })

return (0)

可以利用这个打开瞧瞧: http://jixiyiing1.host70.chinanet729.com/scl/ecode.html