// 1.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <iostream>
using namespace std;
#define array_size 10                                      // element count of `a`; also the outer-loop start value in _tmain's asm
int a[array_size]={42, 73, 65, 97, 23, 59, 18, 84, 36, 6}; // sorted in place by _tmain's inline asm, printed, then a[0] is overwritten by cin
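//-----------------------------------------------------------------------
// int _tmain(int argc, _TCHAR* argv[])
// Entry point: sorts the global `a` ascending in place with a 32-bit MSVC
// inline-asm (Intel syntax) exchange sort, prints it space-separated, then
// reads one int from stdin into a[0] and returns 0.
//
// Register roles inside the asm block:
//   esi = &a[0]                    ecx = outer index, array_size .. 1
//   edx = inner index, ecx .. 1    eax = a[ecx-1], ebx = a[edx-1]
// Elements are addressed as [esi + idx*4 - 4] so both indices can run
// 1..N and terminate on `dec`/`jnz`, without forming the out-of-bounds
// pointer &a[-1] that a `p--` trick would need.
// Changes vs. the original: signed compare (`jge`) because `a` holds int
// (an unsigned `jnb` mis-orders negative values), `dec/jnz` instead of the
// slow `loop` instruction, and the print loop uses array_size, not 10.
//-----------------------------------------------------------------------
int _tmain(int argc, _TCHAR* argv[])
{
    int *p = &a[0];
    __asm
    {
        mov     esi, p
        mov     ecx, array_size
    _outloop:
        mov     edx, ecx                // inner index starts at the outer index
    _inloop:
        mov     eax, [esi + ecx*4 - 4]  // a[ecx-1]; each int is 4 bytes
        mov     ebx, [esi + edx*4 - 4]  // a[edx-1]
        cmp     eax, ebx
        jge     _noxchg                 // signed: keep order when a[ecx-1] >= a[edx-1]
        mov     [esi + ecx*4 - 4], ebx  // swap so a[ecx-1] ends up holding the larger value
        mov     [esi + edx*4 - 4], eax
    _noxchg:
        dec     edx
        jnz     _inloop                 // when edx hits 0, a[ecx-1] is the max of a[0..ecx-1]
        dec     ecx                     // dec/jnz: `loop` is microcoded and slow on modern cores
        jnz     _outloop
    }
    for (int i = 0; i < array_size; i++)    // named size instead of a literal 10
        cout << a[i] << " ";
    cin >> a[0];                            // blocks on one console read; the value lands in a[0] and is otherwise unused
    return 0;
}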
//-----------------------------------------------------------------------
// int RemoteThread()
// Position-independent routine written to run at an address not known at
// link time (hence the name): it locates a kernel32 image base and its
// GetProcAddress export by hand, resolves GetModuleHandleA plus a second
// export by name, then calls GetModuleHandleA(@DLLName) and passes that
// handle to the second resolved function.
// Register roles (32-bit, Intel syntax):
//   ebp = load delta (runtime address - link-time address), used for @DLLName
//   ebx = kernel32 image base          edx = export directory (VA)
//   edi = AddressOfFunctions (VA)      esi = AddressOfNames (VA), later a
//         resolved function pointer    ecx = byte index into those tables
// NOTE(review): this is the classic self-locating shellcode shape (fs:[0]
// SEH-chain walk to a kernel32 handler, 64 KiB backward scan for 'MZ',
// export lookup by partial name). It is a well-known pattern for memory
// scanners/EDR heuristics, it assumes the last SEH handler lives in
// kernel32 (not guaranteed on newer Windows), and the backward scan has no
// bound and no exception handler, so hitting an unmapped page faults.
// NOTE(review): as written this does not assemble under MSVC inline asm:
// the `$`-prefixed hex constants are Delphi/TASM spellings (MASM wants
// e.g. 0FFFFFFFFh), `db`/`DD` data directives are not accepted inside
// __asm (MSVC provides _emit for bytes), and `rtn` on the last line is
// not an x86 mnemonic. The function is declared int but has no C++
// return statement, and neither GetProcAddress result is NULL-checked
// before being called.
//-----------------------------------------------------------------------
int RemoteThread()
{
_asm
{
call @Delta //pushes the link-time address of @Delta as a return address
@Delta:
pop ebp //ebp = actual runtime address of @Delta
sub ebp,offset @Delta //ebp = runtime - link-time address (load delta). The call itself is position-independent,
//but data references inside this block are not relocated by the PE loader when the
//block is copied elsewhere, so the delta is added to them by hand (see @DLLName below)
mov eax, fs:[0] //head of the thread's SEH chain (EXCEPTION_REGISTRATION_RECORD)
@FindSEHEnding: //walk record->Next until the end-of-chain marker -1
cmp Dword ptr [eax],$ffffffff
je @FoundSEHEnding
mov eax,[eax]
jmp @FindSEHEnding
@FoundSEHEnding:
mov eax, [eax+4] //record+4 is the handler address; the author relies on this final handler being inside kernel32.dll
xor ax,ax //round down to a 64 KiB boundary (deliberate partial-register write)
@FindKnlHead: //step backward 64 KiB at a time until an 'MZ' DOS header is found — unbounded, can fault
sub eax,$10000
cmp word ptr [eax],$5A4D //0x5A4D = "MZ"
jne @FindKnlHead
mov ebx,eax //ebx = image base
mov eax, [eax+$3c] //e_lfanew
add eax,ebx //eax = IMAGE_NT_HEADERS (VA)
mov edx, [eax+$78] //DataDirectory[0].VirtualAddress = export directory RVA
add edx,ebx //edx = IMAGE_EXPORT_DIRECTORY (VA)
mov edi, [edx+$1c] //AddressOfFunctions RVA
add edi,ebx
mov esi, [edx+$20] //AddressOfNames RVA
add esi,ebx
xor ecx,ecx //ecx = byte offset of the current name entry (index * 4)
@Find_ocAd: //scan the name table for "GetProcAddress" by a 4-byte substring first
mov eax, [esi]
add eax,ebx //eax = name string (VA)
cmp dword ptr [eax+5],$6441636f //"ocAd" as a little-endian dword at name+5 ("GetPr|ocAd|dress")
je @Found_ocAd
@Find_ocAd2:
add ecx,4
add esi,4
jmp @Find_ocAd
@Found_ocAd:
cmp word ptr [eax+$0d], $73 //name+13 must be "s\0" (word 0x0073) to rule out longer names sharing the substring
jne @Find_ocAd2
mov esi,edi
add esi,ecx //NOTE(review): uses the name index directly as the function-table index; the
mov esi,[esi] //AddressOfNameOrdinals table (export dir +0x24) is never consulted, so the wrong
add esi,ebx //export is returned whenever ordinal != name index. esi = GetProcAddress (base + RVA)
call @StrGetModuleHandle //the call pushes the address of the bytes that follow — the string — as its "return address"
db 'GetModuleHandleA',0
@StrGetModuleHandle: //so the string pointer is already on the stack as the second argument without an explicit push;
//a regular call would instead push its arguments and return address on the normal frame
//and the stdcall callee balances the stack on exit
push ebx //first argument: kernel32 base
call esi //GetProcAddress(kernel32, "GetModuleHandleA"); result not checked
mov edi,eax //edi = GetModuleHandleA
call @StrFreeLibrary //same trick as above for the second name
db 'StrFreeLibrary',0 //NOTE(review): does not match a kernel32 export name by this spelling, so the lookup presumably fails
@StrFreeLibrary:
push ebx
call esi //GetProcAddress(kernel32, "StrFreeLibrary"); result (NULL on failure) not checked
mov esi,eax //esi = second resolved function
lea ecx, [ebp+@DLLName] //runtime address of the name buffer = link-time address + load delta
push ecx
call edi //GetModuleHandleA(@DLLName)
push eax //module handle
call esi //second resolved function(handle) — would dereference NULL if the lookup above failed
rtn //NOTE(review): not an x86 mnemonic; even as `ret` it would bypass the compiler's epilogue for this function
@DLLName DD 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
//@DLLName: 64 dwords (256 bytes) of zeros reserved for the module name; nothing in this file writes to it,
//so as shown GetModuleHandleA receives an empty string — presumably filled in elsewhere, verify
}
}