假設有一個exe,我現在要感染它,因為上面的原因決定,我只能選擇一個迂迴的路線。
把exe用ildasm搞成.il代碼,然後把我的il代碼加進去,然後ilasm重新編譯該il,呵呵。這樣做,需要被感染的機器安裝有ildasm(如果不裝sdk,沒這玩意兒)。
簡單的例子:我想輸入hello,fqq!那麼寫一個最小的代碼,如下:using System;
namespace DebugDemo{
public class Demo{
public static void Main(){
Console.WriteLine("hello,fqq!");
}
}
}
然後用csc,ildasm,得到.il代碼,main裡面唯一的一行,會輸出為:IL_0000: ldstr "hello,fqq!"
IL_0005: call void [mscorlib]System.Console::WriteLine(string)
然後,用ildasm 要感染的檔案.exe /output=tmp.il
然後找到il中的.entrypoint,把上面兩行插進去,並修改後面的il行號(是否需要修改?我沒有實驗過,不過我是都修改了),然後,用ilasm重新編譯一次,把原來的檔案覆蓋即可。
雖然著很濫,不過確實很直接的做法,呵呵。
這是被感染檔案,修改前的il代碼: .entrypoint
// Code size 25 (0x19)
.maxstack 3
.locals init (int32 V_0,
int32 V_1,
int32 V_2,
int32 V_3)
IL_0000: ldc.i4.s 10
IL_0002: stloc.0
IL_0003: ldc.i4.s 20
IL_0005: stloc.1
IL_0006: ldc.i4.s 30
IL_0008: stloc.2
IL_0009: ldloc.0
IL_000a: ldloc.1
IL_000b: ldloc.2
IL_000c: call int32 DebugDemo.Demo::Sum(int32,
int32,
int32)
IL_0011: stloc.3
IL_0012: ldloc.3
IL_0013: call void [mscorlib]System.Console::WriteLine(int32)
IL_0018: ret
下面是被感染檔案修改後的代碼: .entrypoint
// Code size 25 (0x19)
.maxstack 3
.locals init (int32 V_0,
int32 V_1,
int32 V_2,
int32 V_3)
IL_0000: ldstr "hello,fqq!"
IL_0005: call void [mscorlib]System.Console::WriteLine(string)
IL_000a: ldc.i4.s 10
IL_000c: stloc.0
IL_000d: ldc.i4.s 20
IL_000f: stloc.1
IL_0010: ldc.i4.s 30
IL_0012: stloc.2
IL_0013: ldloc.0
IL_0014: ldloc.1
IL_0015: ldloc.2
IL_0016: call int32 DebugDemo.Demo::Sum(int32,
int32,
int32)
IL_001b: stloc.3
IL_001c: ldloc.3
IL_001d: call void [mscorlib]System.Console::WriteLine(int32)
IL_0022: ret
注意IL_0000和IL_0005兩行,被我插入了。
注意!!!這不是什麼病毒教程,如果病毒要這麼寫,作者早就被人扁死了。
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
