gxs edi

OnlySetInfectedMark 　　 ; Read all virus block tables Mov eax, ebp; read function number Call edi; read the block table to esi (@ 9) 　　 The following is a complete modification to handle the Winzip self-extracting file error. when you open the self-extracting file, The virus will not be infected. First, the virus obtains the ToRawData pointer of the 2nd block tables, Read the data and determine whether the data contains the "WinZip (R )" 　　 Xchg eax,

Here the "string" is not a single string, including all consecutive data (such as arrays); the string command is only used for memory operations. Move string commands: movsb, movsw, and movsd; from ESI-> EDI; after execution, the ESI and EDI address move the corresponding unit comparison string commands: cmpsb, cmpsw, cmpsd; compare ESI and EDI. After exe

functions during memory construction and analysis? Copy to clipboardprint? 74: manager m; 00401268 lea ecx, [ebp-4] 0040126B call @ ILT + 60 (manager: manager) (00401041) 75 :} 00401270 lea ecx, [ebp-4] 00401273 call @ ILT + 0 (manager ::~ Manager) (00401005) 00401278 pop edi 00401279 pop esi 004020.a pop ebx 004010000b add esp, 44 h 0040da-e cmp ebp, esp 00401280 call _ chkesp (00408760) 00401285 mov esp, ebp 00401287 pop ebp 74: manager m; 004012

Linux-0.11 Memory Management module is the source of the more difficult to understand the part, now the author's personal understanding publishedFirst hair Linux-0.11 kernel memory management get_free_page () function analysisHave time to write other functions or files:)/* *author:davidlin *date:2014-11-11pm *email: [email protected] or [email protected] *world:the City of SZ , in China *ver:000.000.001 *history:editor time do 1) Linpeng 2014-11-11 Created this file! 2) */Here is the source code

push EAX; block table size push edx; edx is the offset of the Virus code block table push esi; buffer address 　　 Combined virus code block and Virus code block table must be less than or equal to the amount of space not used Inc ECX push ecx; Save numberofsections+1 　　 SHL ecx, 03h; multiply 8 push ecx; reserved virus block table space 　　 Add ecx, eax add ecx, edx; offset of the body of the ecx+ file 　　 Sub ecx, (sizeofheaders-@9) [esi] Not ECX Inc ECX; ecx for file header size-offset of

Stack006af03c | ff95 4d0f0000 call dword ptr ss: [EBP + F4D]; kernel32.getmodulehandlea006af042 | 8985 26040000 mov dword ptr ss: [EBP + 426], eax; the handle of kernel32.dll is stored in EBP + 426006af048 8bf8 mov EDI, eax; kernel32.77e40000006af04a 8d5d 5E Lea EBX, dword ptr ss: [EBP + 5E]; "virtualalloc"006af04d 53 push EBX006af04e 50 push eax; kernel32.dll handle006af04f ff95 490f0000 call dword ptr ss: [EBP + f49]; getprocaddress006af055 8985 4d

operation adds ESP to 8, indicating that the stack growth direction is from high address to low address. 00c93a03 mov dword ptr [Sum], eax # function return value stored in eax in the sum variable # function call field int pushparametersorderapp (INT param1, int param2) {00e41f80 push EBP # Save the previous EBP pointer, esp + = 400e41f81 mov EBP, esp # assign the new ESP to EBP and direct it to 00e41f83 sub ESP at the bottom of the current function stack, 0d8h # reserve 216 (0d8) bytes for the

Static _ always_inline void * _ memcpy (void * To, const void * From, size_t N) {int D0, D1, D2; ASM volatile ("rep; movsl \ n \ t "" movl % 4, % ECx \ n \ t "" andl $3, % ECx \ n \ t "" JZ 1f \ n \ t "" rep; movsb \ n \ t "" 1: ":" = C "(D0 ), "= D" (D1), "= S" (D2): "0" (N/4), "G" (N ), "1" (long) to), "2" (long) from): "Memory"); return to;}/** this looks uugly, but the compiler can optimize it totally, * as the Count is const Ant. */static _ always_inline void * _ constant_memcpy (void *

/**author:davidlin*date:2014-11-11pm*email: [email protected] or [email protected]*world:the City of SZ, in China*ver:000.000.001*history:editor time do1) Linpeng 2014-11-11 created this file!2)*/Linux-0.11 Memory Management module is more difficult to understand in the source code part, now the author's personal understanding publishedFirst hair Linux-0.11 kernel memory management get_free_page () function analysisHave time to write other functions or files:)/** Get Physical Address of first (a

/**author:davidlin*date:2014-11-11pm*email: [email protected] or [email protected]*world:the City of SZ, in China*ver:000.000.001*history:editor time do1) Linpeng 2014-11-11 created this file!2)*/Linux-0.11 Memory Management module is more difficult to understand in the source code part, now the author's personal understanding publishedFirst hair Linux-0.11 kernel memory management get_free_page () function analysisHave time to write other functions or files:)/** Get Physical Address of first (a

It's free. Let's take a look.ODLoad directly as follows: 00414000> $ E8 00000000 call 0041400500414005 $ 5B pop ebx // locate the code00414006.81EB05024000 sub ebx, 00400205 // The code segment length, followed by a variable0041400C. 64: 8B3D 30000000 mov edi, dword ptr fs: [30] // FS [30]-> PEB, locate kernel32.dll00414013. 8B7F 0C mov edi, dword ptr [edi + C] /

EAX register to the memory location specified by value. Use the memory location of the variable address. as follows, multi-memory specifies multiple values in one command:values:. int 10,20,30,40,50,60,70this creates a series of data values that are contiguous in memory (similar to an array of high-level languages). When referencing data in an array, you must use the system to determine which memory location you want to access. The memory location is determined by the following expression:base_

If you returned a struct object, what would the return statement do? Here is the test code #include using namespace Std;struct BIG{Char buf[100];int i;Long D;}B,B2;Big Bigfun (Big B){b.i=100;return b;}int main (){B2=bigfun (B);return 0;}To set a breakpoint at the beginning and end of main8:int Main ()19: {004012A0 Push EBP004012A1 mov Ebp,esp004012a3 Sub esp,118hPuzzled at first, and analyzed for a long timeThe original (118h-40h) remaining memory block holds two big variablesLow address put bi

Loading and execution of programs (iii)--reading notes 23And then the last time the content said.load_relocate_programthe explanation of the process is not over yet, so create a stack segment descriptor and reposition symbol table.Allocating stack space and creating a stack segment descriptor462 ; Creating a program stack segment descriptor463 movecx,[edi+0x0c]; 4KB magnification464 movEbx0x000fffff465 SubEbx,ecxTo get

__stdcall __cdecl __fastcall vc6.0:int __stdcall/__cdecl/__fastcall Add (int x, int y){return x+y;}void Main (){Add (2,3);}1.__stdcall:1:int __stdcall Add (int x, int y)2: {00401020 Push EBP00401021 mov Ebp,esp00401023 Sub esp,40h00401026 push EBX00401027 push ESI00401028 Push EDI00401029 Lea edi,[ebp-40h]0040102C mov ecx,10h00401031 mov eax,0cccccccch00401036 Rep stos dword ptr [edi]3:return X

esi, [edx + 0x3c]; Lea ESI, [edx + esi]; mov esi, [esi + 0x78]; Lea ESI, [edx + esi]; mov edi, [esi + 0x1c]; Lea EDI, [edx + edi]; MOV[EBP-0X04], EDI; mov

Everyone knows that to use COM components in a program, you must first call coinitialize. This function is mainly used to initialize the com runtime environment. But does the function scope take the thread as the unit or the process as the unit? Maybe you have figured out the answer through the test program. That's right, it's a thread. Today, we will go into a bit more detail and confirm our ideas by analyzing the specific implementation of coinitialize. Let's take a look at coinitialize compil

]; Lea ESI, [edx + esi]; mov esi, [esi + 0x78]; Lea ESI, [edx + esi]; mov edi, [esi + 0x1c]; Lea EDI, [edx + edi]; MOV[EBP-0X04], EDI; mov edi