Write Register To File

作者: -
轉自:http://kkiick.com/viewthread.php?tid=25808


我一定瘋了,搞了一整天XD
便練習看c++組譯後code,還蠻有趣的

1st、2nd的地方要自己變更
可惜Define在Disable的地方不能用,不然可以少改一次

我只匯出eax、ebx、ecx、edx、esi、edi、esp、ebp這8個的值
stack的部分應該再加個迴圈讀就好了,不過寫累了,有空再加~
  1. [Enable]
  2. Alloc(Hook,256)

  4. Alloc(MyOpenFile,64)
  5. Alloc(HFILE,4)
  6. Alloc(MyFileName,64)
  7. Alloc(lpReOpenBuff,64)
  8. Alloc(uStyle,4)
  9. Alloc(OF_CREATE,4)
  10. Alloc(OF_WRITE,4)

  12. Alloc(MyWriteFile,64)
  13. Alloc(lpBuffer,32)
  14. Alloc(nNumberOfBytesToWrite,4)
  15. Alloc(lpNumberOfBytesWritten,4)

  17. Alloc(MyCloseFile,32)

  19. Alloc(MyHexToStr,128)
  20. Label(number)
  21. Label(MyLoop)

  23. Alloc(MyRegWrite,64)

  25. Alloc(MyFunction,1024)

  27. OF_CREATE:
  28. DD 00001000
  29. OF_WRITE:
  30. DD 00000001

  32. //1st
  33. ///////////////////////////////////////////////
  34. Define(HookAddr,004EC3C0)
  35. Define(RetAddr,004EC3C6)
  36. Define(OpcodeCode1,mov eax,[esi+2C])
  37. Define(OpcodeCode2,mov [ebp-10],eax)

  39. MyFileName:
  40. DB 'C:\Users\Administrator\Desktop\Reg.txt'
  41. ///////////////////////////////////////////////

  43. HookAddr:
  44. jmp Hook

  46. Hook:
  47. call MyFunction
  48. OpcodeCode1
  49. OpcodeCode2
  50. jmp RetAddr

  52. MyHexToStr:
  53. push eax
  54. push ebx
  55. push ecx
  56. mov ebx,8
  57. xor ecx,ecx
  58. MyLoop:
  59. dec ebx
  60. mov eax,[esp+10]
  61. shr eax,cl
  62. and eax,0000000F
  63. cmp al,0A
  64. jb number
  65. add al,07
  66. number:
  67. add al,30
  68. mov [lpBuffer+ebx],al
  69. add ecx,4
  70. cmp ecx,20
  71. jne MyLoop
  72. mov [lpBuffer+8],0A0D
  73. pop ecx
  74. pop ebx
  75. pop eax
  76. ret 0004

  78. MyOpenFile:
  79. push eax
  80. mov eax,[OF_CREATE]
  81. or eax,[OF_WRITE]
  82. mov [uStyle],eax
  83. pop eax
  84. push [uStyle]
  85. push lpReOpenBuff
  86. push MyFileName
  87. call OpenFile
  88. mov [HFILE],eax
  89. ret

  91. MyWriteFile:
  92. pushad
  93. push 00
  94. push lpNumberOfBytesWritten
  95. push [nNumberOfBytesToWrite]
  96. push lpBuffer
  97. push [HFILE]
  98. call WriteFile
  99. popad
  100. ret

  102. MyCloseFile:
  103. push [HFILE]
  104. call CloseHandle
  105. ret

  107. MyRegWrite:
  108. push eax
  109. mov eax,[esp+0C]
  110. mov [lpBuffer],eax
  111. pop eax
  112. mov [lpBuffer+3],09
  113. mov [nNumberOfBytesToWrite],04
  114. call MyWriteFile

  116. mov [nNumberOfBytesToWrite],0A
  117. push [esp+04]
  118. call MyHexToStr
  119. call MyWriteFile
  120. ret 0008

  122. MyFunction:
  123. pushad
  124. call MyOpenFile
  125. popad

  127. push 'eax'
  128. push eax
  129. call MyRegWrite

  131. push 'ebx'
  132. push ebx
  133. call MyRegWrite

  135. push 'ecx'
  136. push ecx
  137. call MyRegWrite

  139. push 'edx'
  140. push edx
  141. call MyRegWrite

  143. push 'esi'
  144. push esi
  145. call MyRegWrite

  147. push 'edi'
  148. push edi
  149. call MyRegWrite

  151. push 'esp'
  152. push esp
  153. call MyRegWrite

  155. push 'ebp'
  156. push ebp
  157. call MyRegWrite

  159. call MyCloseFile
  160. ret

  162. [Disable]
  163. //2nd
  164. ///////////////////////////////////////////////
  165. 004EC3C0:
  166. mov eax,[esi+2C]
  167. mov [ebp-10],eax
  168. ///////////////////////////////////////////////

  170. DeAlloc(Hook)

  172. DeAlloc(MyOpenFile)
  173. DeAlloc(HFILE)
  174. DeAlloc(MyFileName)
  175. DeAlloc(lpReOpenBuff)
  176. DeAlloc(uStyle)
  177. DeAlloc(OF_CREATE)
  178. DeAlloc(OF_WRITE)

  180. DeAlloc(MyWriteFile)
  181. DeAlloc(lpBuffer)
  182. DeAlloc(nNumberOfBytesToWrite)
  183. DeAlloc(lpNumberOfBytesWritten)

  185. DeAlloc(MyCloseFile)

  187. DeAlloc(MyHexToStr)

  189. DeAlloc(MyRegWrite)

  191. DeAlloc(MyFunction)
複製代碼

留言

張貼留言

本月最夯

偷用電腦,怎知?事件檢視器全記錄!(開機時間、啟動項時間...)

作者: knowlet -
圖片
想知道你的電腦在你不使用的時候是否被開機過嗎?小朋友是不是趁家長不在家的時候偷偷完電腦啊?常常懷疑家裡或公司的電腦被人偷偷開來亂弄東西,可以用下面的方法檢查一下電腦在什麼時候有被開機、登入使用過。 Windows 系統裡的「事件檢視器」會紀錄很多電腦的相關資訊,包含什麼時候開機、登入、登出,或者系統發生哪些錯誤或其他的特殊事件等等,通通會紀錄在「事件檢視器」的日誌中。如果你只是想知道電腦什麼時候開機過的話,可以很輕易的從「事件檢視器」裡查到電腦確實的開機、關機時間。
閱讀完整內容