Post #20
Posted on: 2004-08-30 23:41
The key is understanding the Win98 PCB structure that RED_spring mentioned. I looked at a foreign site that had the Win95 one, but a lot of it is different under 98, so it still doesn't work.
Post #21
Posted on: 2004-09-02 09:33
Vaguely, I think it goes like this: under 98 the process ID is the process's handle value XORed with a magic number. That magic number is generated randomly each time the system boots. Specifically, I believe it is a function called OBFUSCATE.
Post #22
Posted on: 2004-09-08 10:26
Thanks to the poster above.
I'll go back and try it out.
Post #23
Posted on: 2004-10-16 17:09
Has it been solved? If so, please award some points; I don't have a single expert point!!!
Post #24
Posted on: 2004-11-09 15:17
Any reply?
Post #25
Posted on: 2005-01-24 14:19
The reply is: it just doesn't work.
Heh heh heh.
Post #26
Posted on: 2005-01-24 16:02
[quote]Vaguely, I think it goes like this: under 98 the process ID is the process's handle value XORed with a magic number. That magic number is generated randomly each time the system boots. Specifically, I believe it is a function called OBFUSCATE.[/quote] That is indeed how it is; this is Microsoft's doing. But where in memory is this magic number?
Post #27
Posted on: 2005-01-24 21:07

;@GOTO TRANSLATE
; Self-assembling source: the file is both a MASM source and a batch file.
; Requires the poster's APIMACRO.mac (TEXT, iMOV, iWin32, sWin32, ... macros).
.586P
.MODEL FLAT, STDCALL
OPTION CASEMAP: NONE
INCLUDE WINDOWS.inc
UNICODE = FALSE
INCLUDE APIMACRO.mac
INCLUDELIB iKERNEL32.lib
INCLUDELIB iUSER32.lib

.DATA?
xESP     DWORD ?
pentry32 PROCESSENTRY32 <>
Place    SIGN 11 DUP (?)

.CODE
TEXT Hex2Str, </##x/0>
TEXT GetCPIDstack,  <Obsfucator via GetCurrentProcessId and stack/0>
TEXT GetCPIDkernel, <Obsfucator via GetCurrentProcessId and kernel/0>
TEXT GetCTIDstack,  <Obsfucator via GetCurrentThreadId and stack/0>
TEXT GetCTIDkernel, <Obsfucator via GetCurrentThreadId and kernel/0>
TEXT TH32, <Obsfucator from Toolhelp32/0>
Titles DWORD GetCPIDstack, GetCPIDkernel, GetCTIDstack, GetCTIDkernel,\
             TH32

PrimaryThread:
    MOV    EAX, DS
    SUB    ECX, ECX
    TEST   AL, 100B                 ;user 32bit tasks have LDT selectors in 9x
    JE     NotIn9x
    ASSUME FS: NOTHING
    PUSH   OFFSET FaultsON          ;build xFrame (see Infos\SEHall.zip)
    PUSH   FS: [ECX]
    MOV    FS: [ECX], ESP
    MOV    xESP, ESP
    MOV    EDI, ECX
;-------------------------------------------
    iMOV   EBX, GetCurrentProcessId
    sWin32 EBX
    XOR    EAX, [ESP-8]             ;bad because it reads from ESP-??
    sWin32 DisplayObsfucateur
;-------------------------------------------
    sWin32 EBX                      ;this method is used in ATM, ApiHooks, ..
    MOV    ECX, [EBX+1]
    MOV    EDX, [ECX]
    XOR    EAX, [EDX]               ;bad because it reads from kernel space
    sWin32 DisplayObsfucateur
;-------------------------------------------
    iMOV   EBX, GetCurrentThreadId
    sWin32 EBX
    XOR    EAX, [ESP-8]             ;bad because it reads from ESP-??
    sWin32 DisplayObsfucateur
;-------------------------------------------
    sWin32 EBX
    MOV    ECX, [EBX+1]
    MOV    EDX, [ECX]
    XOR    EAX, [EDX]               ;bad because it reads from kernel space
    sWin32 DisplayObsfucateur
;-------------------------------------------
    MOV    ESI, OFFSET pentry32
    ASSUME ESI: PTR PROCESSENTRY32
    iWin32 CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    MOV    EBX, EAX
    MOV    [ESI].dwSize, SIZEOF PROCESSENTRY32
    INC    EAX                      ;EAX was INVALID_HANDLE_VALUE (-1) on failure
    JE     TH32Failed
    iWin32 Process32First, EBX, ESI
    PUSH   EAX
    iWin32 CloseHandle, EBX
    POP    EAX
    TEST   EAX, EAX
    JE     TH32Failed
    MOV    EAX, [ESI].th32ParentProcessID   ; or th32ModuleID
    sWin32 DisplayObsfucateur
;-------------------------------------------
TH32Failed:
SmoothEnd:
    POP    FS: [0]                  ;remove xFrame
    POP    ECX                      ;remove xFrame
NotIn9x:
    iWin32 ExitProcess, EAX

FaultsON:                           ;SEH handler: resume at SmoothEnd on any fault
    MOV    ECX, [ESP+12]
    ASSUME ECX: PTR CONTEXT
    MOV    EDX, xESP
    MOV    EAX, ExceptionContinueExecution
    MOV    [ECX].regEip, OFFSET SmoothEnd
    MOV    [ECX].regEsp, EDX
    RET

DisplayObsfucateur:                 ;show EAX as hex with the title indexed by EDI
    icWin32i wsprintf, OFFSET Place, sHex2Str, EAX
    iWin32i  MessageBox, NULL, OFFSET Place, Titles[EDI*4], MB_ICONINFORMATION
    INC    EDI
    RET
END PrimaryThread

:TRANSLATE
@ECHO OFF
ML /c /coff /nologo Obsfucator.bat
LINK3 Obsfucator /IGNORE:4078,4060 /nologo /STUB:PEstub.exe /SUBSYSTEM:WINDOWS /MERGE:.idata=.text
DEL Obsfucator.obj
PAUSE
CLS