感觉还是汇编写起来灵活一些，所以决定用汇编来学习写壳。
（参考《加密解密》第三版）
.386
.model flat,stdcall
option casemap:none
include kernel32.inc
;include user32.inc
include Stdlib.Inc
includelib kernel32.lib
;includelib user32.lib
includelib Stdlib.lib
include windows.inc
AddSection proto
.data
; Inputs for AddSection: the PE file that is patched in place and the name
; placed in the new section header. IMAGE_SECTION_HEADER.Name1 is 8 bytes,
; so a section name may be at most 8 characters; ".ecec" fits with its NUL.
szFileName db "111.exe",0               ; target PE image (opened read/write)
szSection  db ".ecec",0                 ; name of the section header to append
.code
;-----------------------------------------------------------------------
; Program entry point.
; Appends a section header to 111.exe via AddSection, then terminates the
; process with exit code 0. AddSection's result is not inspected here.
;-----------------------------------------------------------------------
start:
    call    AddSection                  ; stdcall, takes no arguments
    push    0                           ; uExitCode = 0
    call    ExitProcess
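;-----------------------------------------------------------------------
; BOOL AddSection(void)
; Appends a new, zero-filled IMAGE_SECTION_HEADER named szSection to the
; section table of szFileName and increments FileHeader.NumberOfSections.
; ABI:   stdcall (Win32), no arguments
; Out:   eax = TRUE when the header was written, FALSE on any failure:
;        the file cannot be opened, sized or mapped, it is not a PE image
;        (MZ / PE signatures missing or e_lfanew outside the file), or
;        there is no room left in the header area (SizeOfHeaders / file
;        length) for one more IMAGE_SECTION_HEADER.
; Regs:  esi = cursor over IMAGE_DOS_HEADER then IMAGE_NT_HEADERS
;        edi = slot for the new IMAGE_SECTION_HEADER
;        esi/edi preserved via "uses"; eax, ecx, edx and flags clobbered
; Note:  only the header entry is created. VirtualAddress, SizeOfRawData,
;        Characteristics and OptionalHeader.SizeOfImage are left for the
;        next step, and the file is not extended (no SetEndOfFile).
;        Because the mapping is file-backed and writable, UnmapViewOfFile
;        writes the modified header page back to the file.
;        The input file is treated as untrusted: every offset taken from
;        it is range-checked against the mapped size before it is used.
;-----------------------------------------------------------------------
AddSection proc uses esi edi
    LOCAL hFile:HANDLE
    LOCAL hMap:HANDLE
    LOCAL pMem:LPVOID
    LOCAL pFileSize:dword
    LOCAL dwResult:dword

    ; Defaults so the cleanup path can tell which resources were acquired.
    mov     dwResult,FALSE
    mov     hFile,INVALID_HANDLE_VALUE
    mov     hMap,NULL
    mov     pMem,NULL

    invoke  CreateFile,addr szFileName,GENERIC_READ or GENERIC_WRITE,FILE_SHARE_READ or FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
    .if eax == INVALID_HANDLE_VALUE
        jmp     done
    .endif
    mov     hFile,eax

    ; GetFileSize returns the low dword in eax and stores the high dword
    ; through its second argument; files over 4 GB are not supported here,
    ; so the high dword is not requested. An image shorter than the DOS
    ; header cannot be a PE file.
    invoke  GetFileSize,hFile,NULL
    .if eax == INVALID_FILE_SIZE || eax < sizeof IMAGE_DOS_HEADER
        jmp     done
    .endif
    mov     pFileSize,eax

    ; Map exactly the current file length; the mapping is never grown.
    invoke  CreateFileMapping,hFile,NULL,PAGE_READWRITE,0,pFileSize,NULL
    .if eax == NULL
        jmp     done
    .endif
    mov     hMap,eax

    ; FILE_MAP_WRITE yields a read/write view that writes through to the
    ; file; FILE_MAP_COPY is deliberately not requested, because a pure
    ; copy-on-write view would keep the change private to this process.
    invoke  MapViewOfFile,hMap,FILE_MAP_READ or FILE_MAP_WRITE,0,0,0
    .if eax == NULL
        jmp     done
    .endif
    mov     pMem,eax

    ; --- DOS header: "MZ" and an e_lfanew that leaves room for the NT headers
    mov     esi,pMem
    assume  esi:ptr IMAGE_DOS_HEADER
    .if [esi].e_magic != IMAGE_DOS_SIGNATURE
        jmp     done
    .endif
    mov     ecx,pFileSize
    sub     ecx,sizeof IMAGE_NT_HEADERS     ; ecx = largest e_lfanew that still fits
    jb      done                            ; file shorter than IMAGE_NT_HEADERS
    mov     eax,[esi].e_lfanew              ; compare in a register: unsigned
    .if eax > ecx
        jmp     done
    .endif
    add     esi,eax                         ; esi -> IMAGE_NT_HEADERS
    assume  esi:ptr IMAGE_NT_HEADERS
    .if [esi].Signature != IMAGE_NT_SIGNATURE
        jmp     done
    .endif

    ; --- locate the slot just past the last existing section header
    ; First header = &OptionalHeader + SizeOfOptionalHeader (not a fixed
    ; sizeof IMAGE_NT_HEADERS, which assumes the common 0E0h-byte optional
    ; header).
    movzx   ecx,word ptr [esi].FileHeader.NumberOfSections
    imul    ecx,ecx,sizeof IMAGE_SECTION_HEADER     ; ecx = bytes used by the table
    movzx   eax,word ptr [esi].FileHeader.SizeOfOptionalHeader
    lea     edi,[esi].OptionalHeader
    add     edi,eax                         ; edi -> first IMAGE_SECTION_HEADER
    add     edi,ecx                         ; edi -> slot for the new header

    ; --- the new slot must lie inside the header area and inside the file
    mov     eax,edi
    sub     eax,pMem                        ; eax = file offset of the slot
    add     eax,sizeof IMAGE_SECTION_HEADER ; eax = end of the slot
    .if eax > [esi].OptionalHeader.SizeOfHeaders || eax > pFileSize
        jmp     done
    .endif

    ; --- zero the whole 40-byte slot so every field starts defined, then
    ;     write the name and only now commit the new section count
    push    edi
    mov     ecx,sizeof IMAGE_SECTION_HEADER / 4
    xor     eax,eax
    rep     stosd                           ; DF is clear per the Win32 ABI
    pop     edi
    assume  edi:ptr IMAGE_SECTION_HEADER
    invoke  StrCpy,addr [edi].Name1,addr szSection
    inc     word ptr [esi].FileHeader.NumberOfSections
    mov     dwResult,TRUE
    assume  edi:nothing
    assume  esi:nothing

done:
    ; Release in reverse order of acquisition; unmapping writes the
    ; modified page back to the file.
    .if pMem != NULL
        invoke  UnmapViewOfFile,pMem
    .endif
    .if hMap != NULL
        invoke  CloseHandle,hMap
    .endif
    .if hFile != INVALID_HANDLE_VALUE
        invoke  CloseHandle,hFile
    .endif
    mov     eax,dwResult
    ret
AddSection endp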
end start