; Author: Brandon LaCombe
; Date: February 3, 2006
; License: Public Domain
.386
.model flat, stdcall
option casemap:none
include windows.inc
include LoaderStructs.inc
; Prototypes for the few kernel32 entry points the stub below calls. They are
; reached through function-pointer fields (KERNEL_IAT.pVirtualAlloc,
; pVirtualFree, pVirtualProtect) rather than import thunks, so the typedefs
; only fix the stdcall argument shapes for `invoke`.
VIRTUALALLOC typedef proto lpAddress:dword, dwSize:dword, flAllocationType:dword, flProtect:dword
VIRTUALFREE typedef proto lpAddress:dword, dwSize:dword, dwFreeType:dword
VIRTUALPROTECT typedef proto lpAddress:dword, dwSize:dword, flNewProtect:dword, lpflOldProtect:dword
; Decompressor entry reached through LOADER_STRUCT.pUnpack:
; pbDest = where the decompressed bytes go, pbSrc = compressed input,
; pbWorkMem = caller-supplied scratch buffer.
UNPACK typedef proto pbDest:dword, pbSrc:dword, pbWorkMem:dword
.code
; ---------------------------------------------------------------------------
; ExportHeaderUnpacker(pdwHeaderUnpackerSize)
; Hands the caller the raw header-unpacker stub so it can be copied into the
; packed image.
; In:  pdwHeaderUnpackerSize - optional; when non-NULL it receives the stub
;      length in bytes (header_unpacker_end - header_unpacker_start).
; Out: eax = address of the first stub byte (header_unpacker_start).
; Clobbers: eax, flags.
; ---------------------------------------------------------------------------
ExportHeaderUnpacker proc pdwHeaderUnpackerSize:dword
    mov     eax, pdwHeaderUnpackerSize
    test    eax, eax
    jz      @F                          ; NULL size pointer: nothing to report
    mov     dword ptr [eax], header_unpacker_end - header_unpacker_start
@@:
    mov     eax, header_unpacker_start  ; eax = address of the stub
    ret
ExportHeaderUnpacker endp
; ---------------------------------------------------------------------------
; Header unpacker stub.
; The bytes between header_unpacker_start and header_unpacker_end are handed
; out as one unit by ExportHeaderUnpacker. The stub contains no absolute
; references of its own; everything is reached through two registers the
; surrounding loader is expected to have set up:
;   ebp -> KERNEL_IAT    (pVirtualProtect / pVirtualAlloc / pVirtualFree)
;   ebx -> LOADER_STRUCT (dwImageBase, pHeader, pUnpack, dwTotalMemSize,
;                         dwUnpackMemSize, dwOepDelta)
; Flow: make the header page writable, allocate a scratch buffer for the
; decompressor, unpack pHeader onto dwImageBase, free the buffer, then put
; the original page protection back so the header is not left writable.
; NOTE(review): no API return value is checked. A failed VirtualProtect
; leaves the header non-writable (the unpack then faults), and a NULL from
; VirtualAlloc is passed straight to the decompressor as its work buffer.
; The stub has no error path to fall back to — confirm that is acceptable
; for the loader this is embedded in.
; Clobbers: eax (plus whatever the called APIs and the unpacker clobber
; outside the pushad/popad window).
; ---------------------------------------------------------------------------
header_unpacker_start:
; VirtualProtect(dwImageBase, 1, PAGE_READWRITE, &dwOepDelta).
; A length of 1 makes only the page holding dwImageBase writable (the API
; works at page granularity). The previous protection is parked in
; dwOepDelta, which is reused as scratch from here on — presumably the loader
; has already consumed the real OEP delta by this point; verify against caller.
; If the original header is larger than that single page the write performed
; by the unpacker would fault — TODO confirm SizeOfHeaders never exceeds a page.
invoke VIRTUALPROTECT ptr[(KERNEL_IAT ptr[ebp]).pVirtualProtect], (LOADER_STRUCT ptr[ebx]).dwImageBase, 1, PAGE_READWRITE, addr (LOADER_STRUCT ptr[ebx]).dwOepDelta
; Scratch buffer for the decompressor: dwTotalMemSize - dwUnpackMemSize bytes,
; committed with PAGE_READWRITE only (not an executable protection). Assumes
; dwTotalMemSize >= dwUnpackMemSize; the buffer address comes back in eax.
mov eax, (LOADER_STRUCT ptr[ebx]).dwTotalMemSize
sub eax, (LOADER_STRUCT ptr[ebx]).dwUnpackMemSize
invoke VIRTUALALLOC ptr[(KERNEL_IAT ptr[ebp]).pVirtualAlloc], NULL, eax, MEM_COMMIT, PAGE_READWRITE
; pushad/popad bracket the decompressor so eax (the scratch buffer) and any
; register the unpacker clobbers are intact again for the VirtualFree below.
pushad
; pUnpack(dest = dwImageBase, src = pHeader, work = eax)
invoke UNPACK ptr[(LOADER_STRUCT ptr[ebx]).pUnpack], (LOADER_STRUCT ptr[ebx]).dwImageBase, (LOADER_STRUCT ptr[ebx]).pHeader, eax
popad
; Release the scratch buffer (size 0 with MEM_RELEASE frees the whole region).
invoke VIRTUALFREE ptr[(KERNEL_IAT ptr[ebp]).pVirtualFree], eax, 0, MEM_RELEASE
; Put back the protection saved in dwOepDelta. The value the call hands back
; (PAGE_READWRITE from the first VirtualProtect) overwrites dwOepDelta again
; and is not used afterwards.
invoke VIRTUALPROTECT ptr[(KERNEL_IAT ptr[ebp]).pVirtualProtect], (LOADER_STRUCT ptr[ebx]).dwImageBase, 1, (LOADER_STRUCT ptr[ebx]).dwOepDelta, addr (LOADER_STRUCT ptr[ebx]).dwOepDelta
header_unpacker_end:
end