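// ODbgScript (OllyDbg): reach the OEP of a protected 32-bit PE by neutralising
// the protector's anti-debug checks in-process, then stopping on the first
// execution of the unpacked code.
//
// The byte patterns and the "OEP is in eax" assumption below are specific to
// the protector build this script was written for. Every find/gpa result is
// checked before it is used as a write or breakpoint address, so a different
// build fails loudly (see fail:) instead of writing to address 0.
data:
var hInstance   // image base of the debuggee's main module
var codeseg     // base of the memory block holding the stub code at the VirtualFree return
var vmseg       // base of the memory block immediately below codeseg
var ep          // image base + OptionalHeader.AddressOfEntryPoint
var oep         // original entry point, taken from eax on the first read of vmseg
var ntct        // address of ntdll!ZwCreateThread (kept in a var, $RESULT is not stable across the loop)
var temp        // scratch

code:
// 1. Let the stub run until it calls VirtualFree. A hardware breakpoint is used
//    so no INT3 byte is written into memory the stub may checksum.
gpa "VirtualFree","kernel32.dll"
cmp $RESULT,0
je fail
bphws $RESULT,"x"
run
bphwc $RESULT
rtu

// 2. Entry point from the PE headers:
//    e_lfanew = [base+3Ch]; AddressOfEntryPoint = [base+e_lfanew+28h]
gmi eip,MODULEBASE
mov hInstance,$RESULT
mov temp,hInstance
add temp,3c
mov temp,[temp]
add temp,hInstance
add temp,28
mov temp,[temp]
add temp,hInstance
bc temp                    // drop any stale INT3 at the EP before it is re-armed in step 4
mov ep,temp

// 3. In-process patches (debuggee memory only, nothing on disk).
gmemi eip,MEMORYBASE
mov codeseg,$RESULT
// cs:int3 / popfd sequence in the stub -> cs:int3 / nop (presumably a flags/TF check; confirm on a new build)
find $RESULT,#2ECC9D#
cmp $RESULT,0
je fail
mov [$RESULT],#2ECC90#

// user32!EnumWindows entry -> mov eax,eax / pushfd / test eax,eax / popfd /
// add eax,12345678h / ret 8: returns at once without calling the callback
// (ret 8 pops EnumWindows' two arguments).
gpa "EnumWindows","user32.dll"
cmp $RESULT,0
je fail
mov [$RESULT],#8BC09C85C09D0578563412C20800#

// kernel32!CreateThread: 'push dword [ebp+18]' (5th stdcall arg, dwCreationFlags)
// -> 'push 4' (CREATE_SUSPENDED) + nop, so threads the protector spawns never run.
gpa "CreateThread","kernel32.dll"
cmp $RESULT,0
je fail
find $RESULT,#FF7518#
cmp $RESULT,0
je fail
mov [$RESULT],#6A0490#

// 4. Wait for the (now suspended) thread creation, then for the first execution of ep.
//    'run' may stop on other events (exceptions raised by the stub), hence the loops.
gpa "ZwCreateThread","ntdll.dll"
cmp $RESULT,0
je fail
mov ntct,$RESULT
bp ntct
loop1:
run
cmp eip,ntct
jne loop1
bc ntct

bp ep
loop2:
run
cmp eip,ep
jne loop2
bc ep

// 5. Memory breakpoint on the block just below codeseg. On the first read of it
//    eax is assumed to hold the OEP (protector-specific; verify on a new build).
mov temp,codeseg
sub temp,1
gmemi temp,MEMORYBASE
mov vmseg,$RESULT
gmemi temp,MEMORYSIZE
bprm vmseg,$RESULT
run
bpmc
mov oep,eax
sti
bprm oep,1
loop3:
run
cmp eip,oep
jne loop3
bpmc
cmt eip,"OEP reached - dump from here"
ret

fail:
msg "Export or byte pattern not found: target differs from the build this script was written for."
ret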
|