It seems nobody has written up this challenge, so today I'm filling in the solution.
The program is very simple; the disassembly follows:
defiler.2.exe: file format pei-i386
Disassembly of section .text:
00401000 <.text>:
401000: 6a 40 push $0x40
401002: 68 00 30 40 00 push $0x403000
401007: 68 1f 30 40 00 push $0x40301f
40100c: 6a 00 push $0x0
40100e: e8 0d 00 00 00 call 0x401020 <user32.MessageBoxA>
401013: 6a 00 push $0x0
401015: e8 00 00 00 00 call 0x40101a <kernel32.ExitProcess>
40101a: ff 25 00 20 40 00 jmp *0x402000
401020: ff 25 08 20 40 00 jmp *0x402008
The requirement is to remove the nag without patching the program itself; a relatively simple way is to patch user32.dll instead.
The original MessageBoxA entry is:
69e81290: 8b ff mov %edi,%edi
69e81292: 55 push %ebp
69e81293: 8b ec mov %esp,%ebp
69e81295: 83 3d 94 5c ea 69 00 cmpl $0x0,0x69ea5c94
69e8129c: 74 22 je 0x69e812c0
69e8129e: 64 a1 18 00 00 00 mov %fs:0x18,%eax
69e812a4: ba b0 61 ea 69 mov $0x69ea61b0,%edx
69e812a9: 8b 48 24 mov 0x24(%eax),%ecx
69e812ac: 33 c0 xor %eax,%eax
69e812ae: f0 0f b1 0a lock cmpxchg %ecx,(%edx)
69e812b2: 85 c0 test %eax,%eax
69e812b4: 75 0a jne 0x69e812c0
69e812b6: c7 05 00 5d ea 69 01 movl $0x1,0x69ea5d00
69e812bd: 00 00 00
69e812c0: 6a ff push $0xffffffff
69e812c2: 6a 00 push $0x0
69e812c4: ff 75 14 pushl 0x14(%ebp)
69e812c7: ff 75 10 pushl 0x10(%ebp)
69e812ca: ff 75 0c pushl 0xc(%ebp)
69e812cd: ff 75 08 pushl 0x8(%ebp)
69e812d0: e8 3b 02 00 00 call 0x69e81510 <user32.MessageBoxTimeoutA>
69e812d5: 5d pop %ebp
69e812d6: c2 10 00 ret $0x10
Change the entry to retn and it's done.
DLL hijacking on Windows 10 has many pitfalls: you have to remove the system DLL entry from the registry, or directly replace %WINDIR%\SysWoW64\user32.dll.
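As an added example that is not part of the original post: a Python check, written from the integrity-monitoring side, that decides whether a stdcall export's entry still carries the hot-patch prologue shown above or has been short-circuited with a `ret imm16`, and whether that immediate matches the export's argument count (MessageBoxA takes 4 DWORDs, so 0x10). The byte strings are constructed from the listing above, not read from a live user32.dll.

```python
import struct

# Standard Win32 hot-patch prologue: mov edi,edi / push ebp / mov ebp,esp
HOTPATCH_PROLOGUE = bytes.fromhex("8bff558bec")


def classify_entry(code: bytes, n_args: int) -> tuple:
    """Classify the leading bytes of a stdcall export's entry point.

    n_args is the number of DWORD arguments the export takes (MessageBoxA: 4),
    so a clean early return must be `ret 4*n_args` to leave the caller's
    stack balanced. Returns (status, detail) with status one of
    "intact", "patched", "hooked", "unknown".
    """
    expected_imm = 4 * n_args
    if code.startswith(HOTPATCH_PROLOGUE):
        return ("intact", "hot-patch prologue present")
    op = code[:1]
    if op == b"\xc2" and len(code) >= 3:           # ret imm16
        imm = struct.unpack_from("<H", code, 1)[0]
        if imm == expected_imm:
            return ("patched", f"entry is ret {imm:#x}: call returns at once, stack balanced")
        return ("patched", f"entry is ret {imm:#x}, expected {expected_imm:#x}: caller stack unbalanced")
    if op == b"\xc3":                               # plain ret, no stdcall cleanup
        return ("patched", f"entry is ret with no cleanup, expected ret {expected_imm:#x}")
    if op in (b"\xe9", b"\xeb"):                    # jmp rel32 / jmp rel8: inline detour
        return ("hooked", "entry begins with an unconditional jmp (detour)")
    return ("unknown", f"unexpected leading bytes {code[:5].hex()}")


# Constructed samples taken from the listing above (not a live memory dump).
ORIGINAL_ENTRY = bytes.fromhex("8bff558bec833d945cea6900")   # intact MessageBoxA entry
PATCHED_ENTRY = bytes.fromhex("c210008bec833d945cea6900")    # first 3 bytes replaced by ret 0x10
BAD_PATCH = bytes.fromhex("c3ff558bec")                      # ret without stdcall cleanup

if __name__ == "__main__":
    for name, entry in [("original", ORIGINAL_ENTRY), ("patched", PATCHED_ENTRY), ("bad", BAD_PATCH)]:
        status, detail = classify_entry(entry, n_args=4)
        print(f"{name:8s} {status:8s} {detail}")
```

Run the same check over the export table of the on-disk DLL and a dump of the loaded image to separate a replaced file from an in-memory hook.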