Write Register To File

轉自:http://kkiick.com/viewthread.php?tid=25808


我一定瘋了,搞了一整天XD
便練習看c++組譯後code,還蠻有趣的

1st、2nd的地方要自己變更
可惜Define在Disable的地方不能用,不然可以少改一次

我只匯出eax、ebx、ecx、edx、esi、edi、esp、ebp這8個的值
stack的部分應該再加個迴圈讀就好了,不過寫累了,有空再加~
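  [Enable]
  // Cheat Engine auto-assembler script for a 32-bit target: patch one instruction,
  // and on every pass dump eax/ebx/ecx/edx/esi/edi/esp/ebp to a text file through
  // OpenFile / WriteFile / CloseHandle.  Alloc sizes are byte counts.
  Alloc(Hook,256)

  Alloc(MyOpenFile,64)
  Alloc(HFILE,4)                   // handle returned by OpenFile (HFILE_ERROR = -1 is never checked)
  Alloc(MyFileName,64)
  Alloc(lpReOpenBuff,256)          // OpenFile fills a full OFSTRUCT here (136 bytes on Win32);
                                   // the earlier 64-byte block let OpenFile write past its end
  Alloc(uStyle,4)
  Alloc(OF_CREATE,4)
  Alloc(OF_WRITE,4)

  Alloc(MyWriteFile,64)
  Alloc(lpBuffer,32)               // holds "<reg>\t" (4 bytes) or "<8 hex digits>\r\n" (10 bytes)
  Alloc(nNumberOfBytesToWrite,4)
  Alloc(lpNumberOfBytesWritten,4)

  Alloc(MyCloseFile,32)

  Alloc(MyHexToStr,128)
  Label(number)
  Label(MyLoop)

  Alloc(MyRegWrite,64)

  Alloc(MyFunction,1024)

  // OpenFile uStyle flag values (CE literals are hex): OF_CREATE = 1000h, OF_WRITE = 1h
  OF_CREATE:
  DD 00001000
  OF_WRITE:
  DD 00000001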

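  //1st
  ///////////////////////////////////////////////
  // Target-specific values: edit these for another process/version.
  // HookAddr must start exactly 6 bytes of whole instructions (OpcodeCode1 + OpcodeCode2),
  // because 'jmp Hook' is 5 bytes and RetAddr = HookAddr + 6 skips the rest.
  Define(HookAddr,004EC3C0)
  Define(RetAddr,004EC3C6)
  Define(OpcodeCode1,mov eax,[esi+2C])
  Define(OpcodeCode2,mov [ebp-10],eax)

  // Output path handed to OpenFile as an ANSI C string; the ,0 makes the terminator explicit
  // instead of relying on the rest of the 64-byte block being zero.
  MyFileName:
  DB 'C:\Users\Administrator\Desktop\Reg.txt',0
  ///////////////////////////////////////////////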
  32. ///////////////////////////////////////////////

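  // Entry patch: the 6 original bytes become 'jmp Hook' (5 bytes) plus one nop, so the
  // spare byte before RetAddr is a valid instruction rather than a leftover operand byte.
  HookAddr:
  jmp Hook
  nop

  // Trampoline: log the registers, then replay the two displaced instructions and resume.
  // The displaced instructions run after MyFunction returns, so MyFunction must leave every
  // register and the flags exactly as it found them.
  Hook:
  call MyFunction
  OpcodeCode1
  OpcodeCode2
  jmp RetAddr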

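  // MyHexToStr(dword value)  -- stdcall, pops its one argument (ret 4)
  // Renders value as 8 upper-case hex digits into lpBuffer[0..7] and appends CR LF at
  // lpBuffer[8..9].  Preserves eax, ebx, ecx; clobbers flags.
  // Stack inside the body: [esp]=ecx [esp+4]=ebx [esp+8]=eax [esp+C]=ret [esp+10]=value
  MyHexToStr:
  push eax
  push ebx
  push ecx
  mov ebx,8                        // ebx = output index, runs 7 down to 0 (most significant nibble first)
  xor ecx,ecx                      // ecx = shift count 0,4,...,1Ch
  MyLoop:
  dec ebx
  mov eax,[esp+10]
  shr eax,cl
  and eax,0000000F                 // isolate one nibble
  cmp al,0A
  jb number
  add al,07                        // A..F: skip the gap between '9' and 'A' in ASCII
  number:
  add al,30                        // '0' + nibble
  mov [lpBuffer+ebx],al
  add ecx,4
  cmp ecx,20                       // 8 nibbles * 4 bits = 20h
  jne MyLoop
  mov word ptr [lpBuffer+8],0A0D   // explicit 16-bit store: bytes 0D 0A = CR LF
  pop ecx
  pop ebx
  pop eax
  ret 0004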

  // MyOpenFile()  -- creates/truncates MyFileName for writing via OpenFile.
  // Out: eax = HFILE from OpenFile, also stored at [HFILE].  Flags clobbered; OpenFile is a
  // Win32 stdcall API, so ecx/edx may be clobbered too.  No HFILE_ERROR (-1) check: a failed
  // open just makes the later WriteFile calls fail.
  // lpReOpenBuff must be large enough for a full OFSTRUCT (136 bytes on Win32).
  MyOpenFile:
  mov eax,[OF_WRITE]
  or eax,[OF_CREATE]               // uStyle = OF_CREATE | OF_WRITE = 1001h
  mov [uStyle],eax                 // eax needs no save/restore: OpenFile overwrites it with the handle
  push [uStyle]                    // uStyle
  push lpReOpenBuff                // lpReOpenBuff (OFSTRUCT*)
  push MyFileName                  // lpFileName
  call OpenFile                    // stdcall: callee pops the 3 arguments
  mov [HFILE],eax
  ret

  // MyWriteFile()  -- WriteFile([HFILE], lpBuffer, [nNumberOfBytesToWrite], lpNumberOfBytesWritten, NULL)
  // Arguments are pushed right-to-left for the stdcall API.  pushad/popad keep every general
  // register intact for the hooked code; flags are clobbered.  The return value is discarded
  // (best-effort logging), so a bad handle or short write goes unnoticed.
  MyWriteFile:
  pushad
  push 00                          // lpOverlapped = NULL
  push lpNumberOfBytesWritten      // lpNumberOfBytesWritten
  push [nNumberOfBytesToWrite]     // nNumberOfBytesToWrite
  push lpBuffer                    // lpBuffer
  push [HFILE]                     // hFile
  call WriteFile
  popad
  ret

  // MyCloseFile()  -- CloseHandle([HFILE]).
  // Unlike MyWriteFile this has no pushad/popad: CloseHandle is a Win32 stdcall API, so eax,
  // ecx and edx (and flags) may come back changed.  The caller must save what it needs.
  MyCloseFile:
  push [HFILE]
  call CloseHandle
  ret

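  // MyRegWrite(dword value, dword name)  -- stdcall, pops both arguments (ret 8)
  // Stack at entry: [esp]=ret [esp+4]=value [esp+8]=name (a 3-char register name, e.g. 'eax')
  // Emits "<name>\t" (4 bytes) followed by "<8 hex digits>\r\n" (10 bytes) through MyWriteFile.
  // Preserves the general registers (eax is saved here, MyWriteFile uses pushad/popad,
  // MyHexToStr saves what it uses); clobbers flags, lpBuffer and nNumberOfBytesToWrite.
  MyRegWrite:
  push eax
  mov eax,[esp+0C]                 // name: one push above the entry layout
  mov [lpBuffer],eax
  pop eax
  mov byte ptr [lpBuffer+3],09     // 4th byte (padding after the 3-char name) becomes TAB; explicit byte store
  mov dword ptr [nNumberOfBytesToWrite],04
  call MyWriteFile

  mov dword ptr [nNumberOfBytesToWrite],0A
  push [esp+04]                    // value
  call MyHexToStr                  // fills lpBuffer[0..9] and pops its argument
  call MyWriteFile
  ret 0008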

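  // MyFunction()  -- called from Hook; writes all eight general registers to the file.
  // Must be transparent to the hooked code: flags are saved with pushfd/popfd (the cmp/add/or
  // below and the API calls clobber them), and the open/close API calls are wrapped in
  // pushad/popad so CloseHandle's eax/ecx/edx clobber does not leak back into the target.
  // Each MyRegWrite call preserves the general registers, so the values logged for
  // eax..edi/ebp are the ones the hooked instruction saw.
  MyFunction:
  pushfd
  pushad
  call MyOpenFile
  popad

  push 'eax'
  push eax
  call MyRegWrite

  push 'ebx'
  push ebx
  call MyRegWrite

  push 'ecx'
  push ecx
  call MyRegWrite

  push 'edx'
  push edx
  call MyRegWrite

  push 'esi'
  push esi
  call MyRegWrite

  push 'edi'
  push edi
  call MyRegWrite

  // esp as seen at HookAddr: the pushed value is 0Ch below it
  // (return address of 'call MyFunction' + pushfd + the 'esp' name just pushed).
  push 'esp'
  push esp
  add dword ptr [esp],0C
  call MyRegWrite

  push 'ebp'
  push ebp
  call MyRegWrite

  pushad
  call MyCloseFile
  popad
  popfd
  ret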

  [Disable]
  //2nd
  ///////////////////////////////////////////////
  // Restore the 6 original bytes at HookAddr.  These must match HookAddr / OpcodeCode1 /
  // OpcodeCode2 in [Enable]; Define() is not usable in [Disable], so they are repeated here.
  004EC3C0:
  mov eax,[esi+2C]
  mov [ebp-10],eax
  ///////////////////////////////////////////////

  // Freeing the code blocks while a target thread is still inside Hook/MyFunction may fault;
  // this script does not wait for in-flight calls to return.
  DeAlloc(Hook)

  DeAlloc(MyOpenFile)
  DeAlloc(HFILE)
  DeAlloc(MyFileName)
  DeAlloc(lpReOpenBuff)
  DeAlloc(uStyle)
  DeAlloc(OF_CREATE)
  DeAlloc(OF_WRITE)

  DeAlloc(MyWriteFile)
  DeAlloc(lpBuffer)
  DeAlloc(nNumberOfBytesToWrite)
  DeAlloc(lpNumberOfBytesWritten)

  DeAlloc(MyCloseFile)

  DeAlloc(MyHexToStr)

  DeAlloc(MyRegWrite)

  DeAlloc(MyFunction)