:00657B8D 90 nop
:00657B8E 90 nop
:00657B8F 90 nop
// ---------------------------------------------------------------------------
// Routine at 00657B90 (W32Dasm listing, Intel syntax, x86-32, stdcall: one
// dword argument, `ret 0004`).
// Purpose: under the critical section at 0091CBD0, walk a table of code
// entries and rebuild a dynamically allocated executable buffer for each one.
// In:   [esp+4] = table pointer. Reads below show: dword count, then `count`
//       entries of { dword index, dword len, byte code[len] } — layout
//       inferred from the access pattern, confirm against the caller.
// Each entry selects a 32-byte record at 0091CBE8 + index*32 whose first
// dword is the previous buffer. Per entry: free(prev), zero the record,
// malloc(len), copy the entry's bytes in, VirtualProtect(buf, len, 0x40 =
// PAGE_EXECUTE_READWRITE, &old), FlushInstructionCache(GetCurrentProcess(),
// buf, len).
// Out:  eax carries no meaningful result (last value is the loop counter or
//       LeaveCriticalSection's return).
// Stack: 12 bytes of locals; after the four pushes they sit at
//       [esp+10] = pointer to this entry's code bytes
//       [esp+14] = pointer to the next entry
//       [esp+18] = VirtualProtect's old-protection output
//       [esp+20] = loop counter (reuses the argument slot)
// Preserves esi, ebx, ebp, edi.
// Review notes: the return values of VirtualProtect and FlushInstructionCache
// are never checked, and every buffer is left writable+executable after the
// copy; a W^X-friendly version would drop to PAGE_EXECUTE_READ once filled.
// ---------------------------------------------------------------------------
:00657B90 83EC0C sub esp, 0000000C // reserve 12 bytes of locals
:00657B93 56 push esi
:00657B94 68D0CB9100 push 0091CBD0 // critical-section object* Reference To: KERNEL32.EnterCriticalSection, Ord:008Bh
|
:00657B99 FF1504228500 Call dword ptr [00852204] // EnterCriticalSection(&cs)
:00657B9F 8B742414 mov esi, dword ptr [esp+14] // esi = table argument
:00657BA3 8B06 mov eax, dword ptr [esi] // eax = entry count
:00657BA5 83C604 add esi, 00000004 // esi -> first entry
:00657BA8 85C0 test eax, eax
:00657BAA 0F8EA2000000 jle 00657C52 // count <= 0 (signed): nothing to do, leave
:00657BB0 53 push ebx
:00657BB1 55 push ebp
:00657BB2 57 push edi
// [esp+20] is the caller's argument slot, reused here as the loop counter
:00657BB3 89442420 mov dword ptr [esp+20], eax * Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00657C49(C)
|
// --- per-entry loop: esi -> { index, len, code[len] } ---
:00657BB7 8B2E mov ebp, dword ptr [esi] // ebp = entry.index
:00657BB9 8B5E04 mov ebx, dword ptr [esi+04] // ebx = entry.len (length of this entry's code)
:00657BBC 83C604 add esi, 00000004
:00657BBF C1E505 shl ebp, 05 // index * 32
:00657BC2 81C5E8CB9100 add ebp, 0091CBE8 // ebp -> 32-byte record (0x18 past the critical section; the records appear to follow it directly)
:00657BC8 83C604 add esi, 00000004 // esi -> entry.code
:00657BCB 89742410 mov dword ptr [esp+10], esi // save code-bytes pointer
:00657BCF 03F3 add esi, ebx // esi -> next entry
:00657BD1 8B4500 mov eax, dword ptr [ebp+00] // eax = record.buf, the previous dynamic-code buffer
:00657BD4 89742414 mov dword ptr [esp+14], esi // save next-entry pointer
:00657BD8 50 push eax* Reference To: MSVCRT.free, Ord:025Eh
|
:00657BD9 FF15FC238500 Call dword ptr [008523FC] // free(prev) — releases the previous buffer (free(NULL) is a no-op)
:00657BDF 83C404 add esp, 00000004 // cdecl: caller pops the argument
:00657BE2 B908000000 mov ecx, 00000008 // 8 dwords = the whole 32-byte record
:00657BE7 33C0 xor eax, eax
:00657BE9 8BFD mov edi, ebp
:00657BEB 85DB test ebx, ebx // flags from len; rep stosd does not modify flags
:00657BED F3 repz
:00657BEE AB stosd // zero the record
:00657BEF 7E4F jle 00657C40 // len <= 0 (signed): skip allocation, record stays cleared
:00657BF1 53 push ebx // len (length of the dynamic code)* Reference To: MSVCRT.malloc, Ord:0291h
|
:00657BF2 FF1540248500 Call dword ptr [00852440] // eax = malloc(len)
:00657BF8 83C404 add esp, 00000004
:00657BFB 894500 mov dword ptr [ebp+00], eax // record.buf = new buffer (may be NULL)
:00657BFE 85C0 test eax, eax
:00657C00 743E je 00657C40 // malloc failed: skip this entry
:00657C02 8B742410 mov esi, dword ptr [esp+10] // esi = source code bytes
:00657C06 8BCB mov ecx, ebx
:00657C08 8BD1 mov edx, ecx // edx = len, kept for the tail copy
:00657C0A 8BF8 mov edi, eax // edi = destination buffer
:00657C0C C1E902 shr ecx, 02 // len / 4 dwords
:00657C0F F3 repz
:00657C10 A5 movsd // copy whole dwords
:00657C11 8BCA mov ecx, edx
:00657C13 8D442418 lea eax, dword ptr [esp+18] // eax = &oldProtect (third local)
:00657C17 83E103 and ecx, 00000003 // len % 4 remaining bytes
:00657C1A 50 push eax // arg4: lpflOldProtect
:00657C1B F3 repz
:00657C1C A4 movsb // copy the tail bytes
:00657C1D 8B4D00 mov ecx, dword ptr [ebp+00] // ecx = record.buf
:00657C20 6A40 push 00000040 // arg3: PAGE_EXECUTE_READWRITE
:00657C22 53 push ebx // arg2: len
:00657C23 51 push ecx* Reference To: KERNEL32.VirtualProtect, Ord:035Bh
|
:00657C24 FF15A0218500 Call dword ptr [008521A0] // VirtualProtect(buf, len, PAGE_EXECUTE_READWRITE, &old) — makes the page RWX; return value not checked
:00657C2A 8B5500 mov edx, dword ptr [ebp+00] // edx = record.buf
:00657C2D 53 push ebx // arg3: len
:00657C2E 52 push edx* Reference To: KERNEL32.GetCurrentProcess, Ord:012Fh
|
:00657C2F FF15FC218500 Call dword ptr [008521FC] // eax = GetCurrentProcess() (pseudo-handle, no cleanup needed)
:00657C35 50 push eax* Reference To: KERNEL32.FlushInstructionCache, Ord:00DCh
|
:00657C36 FF1540218500 Call dword ptr [00852140] // FlushInstructionCache(hProcess, buf, len) — flush the CPU instruction cache; return value not checked
:00657C3C 8B742414 mov esi, dword ptr [esp+14]* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00657BEF(C), :00657C00(C)
|
// --- loop tail: both skip paths land here with esi already at the next entry ---
:00657C40 8B442420 mov eax, dword ptr [esp+20]
:00657C44 48 dec eax // --counter
:00657C45 89442420 mov dword ptr [esp+20], eax
:00657C49 0F8568FFFFFF jne 00657BB7 // more entries: next iteration
:00657C4F 5F pop edi
:00657C50 5D pop ebp
:00657C51 5B pop ebx* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00657BAA(C)
|
:00657C52 68D0CB9100 push 0091CBD0* Reference To: KERNEL32.LeaveCriticalSection, Ord:022Dh
|
:00657C57 FF15F8218500 Call dword ptr [008521F8] // LeaveCriticalSection(&cs)
:00657C5D 5E pop esi
:00657C5E 83C40C add esp, 0000000C // release the 12 bytes of locals
:00657C61 C20400 ret 0004 // stdcall: pop the single dword argument
这段代码会不定期执行,希望如果要执行的时候就直接释放掉,不让它执行,不知道有没有办法做到?
PS..那个分给少了
:00657B8E 90 nop
:00657B8F 90 nop
// ---------------------------------------------------------------------------
// Routine at 00657B90 (W32Dasm listing, Intel syntax, x86-32, stdcall: one
// dword argument, `ret 0004`).
// Purpose: under the critical section at 0091CBD0, walk a table of code
// entries and rebuild a dynamically allocated executable buffer for each one.
// In:   [esp+4] = table pointer. Reads below show: dword count, then `count`
//       entries of { dword index, dword len, byte code[len] } — layout
//       inferred from the access pattern, confirm against the caller.
// Each entry selects a 32-byte record at 0091CBE8 + index*32 whose first
// dword is the previous buffer. Per entry: free(prev), zero the record,
// malloc(len), copy the entry's bytes in, VirtualProtect(buf, len, 0x40 =
// PAGE_EXECUTE_READWRITE, &old), FlushInstructionCache(GetCurrentProcess(),
// buf, len).
// Out:  eax carries no meaningful result (last value is the loop counter or
//       LeaveCriticalSection's return).
// Stack: 12 bytes of locals; after the four pushes they sit at
//       [esp+10] = pointer to this entry's code bytes
//       [esp+14] = pointer to the next entry
//       [esp+18] = VirtualProtect's old-protection output
//       [esp+20] = loop counter (reuses the argument slot)
// Preserves esi, ebx, ebp, edi.
// Review notes: the return values of VirtualProtect and FlushInstructionCache
// are never checked, and every buffer is left writable+executable after the
// copy; a W^X-friendly version would drop to PAGE_EXECUTE_READ once filled.
// ---------------------------------------------------------------------------
:00657B90 83EC0C sub esp, 0000000C // reserve 12 bytes of locals
:00657B93 56 push esi
:00657B94 68D0CB9100 push 0091CBD0 // critical-section object* Reference To: KERNEL32.EnterCriticalSection, Ord:008Bh
|
:00657B99 FF1504228500 Call dword ptr [00852204] // EnterCriticalSection(&cs)
:00657B9F 8B742414 mov esi, dword ptr [esp+14] // esi = table argument
:00657BA3 8B06 mov eax, dword ptr [esi] // eax = entry count
:00657BA5 83C604 add esi, 00000004 // esi -> first entry
:00657BA8 85C0 test eax, eax
:00657BAA 0F8EA2000000 jle 00657C52 // count <= 0 (signed): nothing to do, leave
:00657BB0 53 push ebx
:00657BB1 55 push ebp
:00657BB2 57 push edi
// [esp+20] is the caller's argument slot, reused here as the loop counter
:00657BB3 89442420 mov dword ptr [esp+20], eax * Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00657C49(C)
|
// --- per-entry loop: esi -> { index, len, code[len] } ---
:00657BB7 8B2E mov ebp, dword ptr [esi] // ebp = entry.index
:00657BB9 8B5E04 mov ebx, dword ptr [esi+04] // ebx = entry.len (length of this entry's code)
:00657BBC 83C604 add esi, 00000004
:00657BBF C1E505 shl ebp, 05 // index * 32
:00657BC2 81C5E8CB9100 add ebp, 0091CBE8 // ebp -> 32-byte record (0x18 past the critical section; the records appear to follow it directly)
:00657BC8 83C604 add esi, 00000004 // esi -> entry.code
:00657BCB 89742410 mov dword ptr [esp+10], esi // save code-bytes pointer
:00657BCF 03F3 add esi, ebx // esi -> next entry
:00657BD1 8B4500 mov eax, dword ptr [ebp+00] // eax = record.buf, the previous dynamic-code buffer
:00657BD4 89742414 mov dword ptr [esp+14], esi // save next-entry pointer
:00657BD8 50 push eax* Reference To: MSVCRT.free, Ord:025Eh
|
:00657BD9 FF15FC238500 Call dword ptr [008523FC] // free(prev) — releases the previous buffer (free(NULL) is a no-op)
:00657BDF 83C404 add esp, 00000004 // cdecl: caller pops the argument
:00657BE2 B908000000 mov ecx, 00000008 // 8 dwords = the whole 32-byte record
:00657BE7 33C0 xor eax, eax
:00657BE9 8BFD mov edi, ebp
:00657BEB 85DB test ebx, ebx // flags from len; rep stosd does not modify flags
:00657BED F3 repz
:00657BEE AB stosd // zero the record
:00657BEF 7E4F jle 00657C40 // len <= 0 (signed): skip allocation, record stays cleared
:00657BF1 53 push ebx // len (length of the dynamic code)* Reference To: MSVCRT.malloc, Ord:0291h
|
:00657BF2 FF1540248500 Call dword ptr [00852440] // eax = malloc(len)
:00657BF8 83C404 add esp, 00000004
:00657BFB 894500 mov dword ptr [ebp+00], eax // record.buf = new buffer (may be NULL)
:00657BFE 85C0 test eax, eax
:00657C00 743E je 00657C40 // malloc failed: skip this entry
:00657C02 8B742410 mov esi, dword ptr [esp+10] // esi = source code bytes
:00657C06 8BCB mov ecx, ebx
:00657C08 8BD1 mov edx, ecx // edx = len, kept for the tail copy
:00657C0A 8BF8 mov edi, eax // edi = destination buffer
:00657C0C C1E902 shr ecx, 02 // len / 4 dwords
:00657C0F F3 repz
:00657C10 A5 movsd // copy whole dwords
:00657C11 8BCA mov ecx, edx
:00657C13 8D442418 lea eax, dword ptr [esp+18] // eax = &oldProtect (third local)
:00657C17 83E103 and ecx, 00000003 // len % 4 remaining bytes
:00657C1A 50 push eax // arg4: lpflOldProtect
:00657C1B F3 repz
:00657C1C A4 movsb // copy the tail bytes
:00657C1D 8B4D00 mov ecx, dword ptr [ebp+00] // ecx = record.buf
:00657C20 6A40 push 00000040 // arg3: PAGE_EXECUTE_READWRITE
:00657C22 53 push ebx // arg2: len
:00657C23 51 push ecx* Reference To: KERNEL32.VirtualProtect, Ord:035Bh
|
:00657C24 FF15A0218500 Call dword ptr [008521A0] // VirtualProtect(buf, len, PAGE_EXECUTE_READWRITE, &old) — makes the page RWX; return value not checked
:00657C2A 8B5500 mov edx, dword ptr [ebp+00] // edx = record.buf
:00657C2D 53 push ebx // arg3: len
:00657C2E 52 push edx* Reference To: KERNEL32.GetCurrentProcess, Ord:012Fh
|
:00657C2F FF15FC218500 Call dword ptr [008521FC] // eax = GetCurrentProcess() (pseudo-handle, no cleanup needed)
:00657C35 50 push eax* Reference To: KERNEL32.FlushInstructionCache, Ord:00DCh
|
:00657C36 FF1540218500 Call dword ptr [00852140] // FlushInstructionCache(hProcess, buf, len) — flush the CPU instruction cache; return value not checked
:00657C3C 8B742414 mov esi, dword ptr [esp+14]* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00657BEF(C), :00657C00(C)
|
// --- loop tail: both skip paths land here with esi already at the next entry ---
:00657C40 8B442420 mov eax, dword ptr [esp+20]
:00657C44 48 dec eax // --counter
:00657C45 89442420 mov dword ptr [esp+20], eax
:00657C49 0F8568FFFFFF jne 00657BB7 // more entries: next iteration
:00657C4F 5F pop edi
:00657C50 5D pop ebp
:00657C51 5B pop ebx* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00657BAA(C)
|
:00657C52 68D0CB9100 push 0091CBD0* Reference To: KERNEL32.LeaveCriticalSection, Ord:022Dh
|
:00657C57 FF15F8218500 Call dword ptr [008521F8] // LeaveCriticalSection(&cs)
:00657C5D 5E pop esi
:00657C5E 83C40C add esp, 0000000C // release the 12 bytes of locals
:00657C61 C20400 ret 0004 // stdcall: pop the single dword argument
这段代码会不定期执行,希望如果要执行的时候就直接释放掉,不让它执行,不知道有没有办法做到?
PS..那个分给少了
或者全部nop掉
如果修改代码的话说不定会有些特殊的问题有没有这样的方法:比如监视00657B90或者00657B93或者00657B94这个位置,发现有程序读取/修改/使用这里的代码,就立即让程序自杀-.-