Source code of a minimal packer stub (A simple shell of the source code).doc

About 6,150 characters, about 15 pages. Published 2017-10-07 in Henan.


Source code of a minimal packer stub (A simple shell of the source code)

A simple shell of the source code.txt

.386
.model flat, stdcall
LOCALS
EXTRN ExitProcess:PROC

.data
    DB 0

.code
Start:
IMAGE_DOS_SIGNATURE equ 5A4Dh           ; 'MZ' (reads as "ZM" in the file, little-endian)
IMAGE_NT_SIGNATURE  equ 4550h           ; 'PE' (reads as "EP" in the file, little-endian)
    NOP                                 ; start of the code; of course you can put something else here
    DB "$Packer_Begin$"                 ; shellcode technique ~ a marker that makes the stub easy to extract
BeginTempStub:
; These fields are correct if we load at the right base (0) and the section is assumed
; to start at VA 4000h, since the basic MASM project does that
ImportDescStart:
    DD 0                                ; OriginalFirstThunk
    DD 0                                ; not used
    DD 0                                ; not used
DdRvaName           DD 1234567h         ; DD 4028h (name of DLL (RVA))
DdFirstThunk        DD 896969h          ; DD 4035h (FirstThunk (RVA))
ImportDescEnd:
    DB 20 dup (0)                       ; end of the import descriptor
SzUser32            DB "KERNEL32.DLL", 0
DwFirstThunk        DD 0                ; 403Dh ; RVA to beep
DwSecondThunk       DD 0
                    DD 0
WImportHint         DW 0
SzApiGetModule      DB "LoadLibraryA", 0
WImportHinted       DW 0
SzApiGetProc        DB "GetProcAddress", 0
    NOP
    NOP
    NOP
    NOP
    NOP
    NOP
    NOP
    NOP
    NOP
    Call GetDelta                       ; the most classic PE virus technique: code self-relocation
GetDelta:
    Pop EBP                             ; EBP now holds the runtime address of GetDelta (the return address pushed by Call)
    Sub EBP, offset GetDelta            ; EBP = runtime address - assembled address, i.e. the relocation delta
    JMP OverData                        ; jump over the initialized data
BeginData:
SzKernel            DB "KERNEL32.DLL", 0 ; kernel32 string
DwBeginVirtAddr     DD 0                ; start virtual address
DwTotalSize         DD 0                ; div by 4; encryption length
DwCurrentKey        DD 0                ; encryption key
DwOldOEP            DD 0                ; saves the old OEP address
DwOrigDesc          DD 0
DwBaseOfDLL         DD 0                ; base of the DLL, mainly used to keep the kernel32 base
DdCurrentBase       DD 0                ; temporary variable for storing a base
SzIsDebuggerPresent DB "IsDebuggerPresent", 0 ; this function is well known
_IsDebuggerPresent  DD 0                ; storage location for the function address
SzExitProcess       DB "ExitProcess", 0 ; ha ha ~!
_ExitProcess        DD 0
SzCreateFileA       DB "CreateFileA", 0 ; ^_^ ~
_CreateFileA        DD 0
SzSleep             DB "Sleep", 0       ; left
_Sleep              DD 0
SzNtIce             DB "\\.\NTIC
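As an added example (not part of the original document or its stub), the following Python scanner looks for two artifacts that the listing above leaves in a packed image from a defender's side: the "$Packer_Begin$" marker string, and the Call GetDelta / Pop EBP self-relocation idiom, which assembles to E8 00 00 00 00 (call $+5) followed by a one-byte POP r32 (58h-5Fh). The PE signature check reuses the two equates from the listing; the sample bytes are constructed here, and the function names are the example's own.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D   # 'MZ', as in the stub's equate
IMAGE_NT_SIGNATURE = 0x4550    # 'PE\0\0', as in the stub's equate
MARKER = b"$Packer_Begin$"     # marker string emitted by the stub


def is_pe(data: bytes) -> bool:
    """Check the MZ signature, follow e_lfanew, and check the PE signature."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == IMAGE_NT_SIGNATURE


def find_call_pop(data: bytes) -> list:
    """Offsets of 'E8 00 00 00 00' immediately followed by POP r32 (58h-5Fh)."""
    hits = []
    start = 0
    while True:
        i = data.find(b"\xE8\x00\x00\x00\x00", start)
        if i < 0 or i + 5 >= len(data):
            break
        if 0x58 <= data[i + 5] <= 0x5F:   # 5Dh is POP EBP, as in the stub
            hits.append(i)
        start = i + 1
    return hits


def scan(data: bytes) -> dict:
    """Summarize the indicators found in one image."""
    return {
        "is_pe": is_pe(data),
        "marker_offset": data.find(MARKER),      # -1 when absent
        "call_pop_offsets": find_call_pop(data),
    }


# Constructed sample (not a real binary): minimal MZ/PE header, then the marker and the idiom.
SAMPLE = bytearray(0x80)
struct.pack_into("<H", SAMPLE, 0, IMAGE_DOS_SIGNATURE)
struct.pack_into("<I", SAMPLE, 0x3C, 0x40)              # e_lfanew -> 0x40
struct.pack_into("<I", SAMPLE, 0x40, IMAGE_NT_SIGNATURE)
SAMPLE += b"\x90" + MARKER + b"\x90" * 9 + b"\xE8\x00\x00\x00\x00\x5D"  # call GetDelta / pop ebp
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The call/pop idiom also appears in legitimate position-independent code, so treat a hit as a triage signal to combine with the marker and other indicators, not as proof of packing on its own.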
