#include <windows.h>
#include <winbase.h>
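/* Pointer type for the msvcrt "system" export resolved below.
   The C runtime declares it as `int system(const char *command)`; the original
   `void (*)(LPTSTR)` dropped the int result and, under a UNICODE build, turned
   the parameter into wchar_t* even though a narrow literal is passed. */
typedef int (*MYPROC)(const char *);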
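/* Load msvcrt.dll, resolve its "system" export at run time and call it with
   "command.com". Returns 0 on success, 1 if the DLL or the export could not be
   resolved (the original dereferenced both handles unchecked). */
int main(void)
{
    HMODULE LibHandle;
    MYPROC ProcAdd;

    /* The narrow literal needs the ANSI entry point explicitly; plain
       LoadLibrary maps to LoadLibraryW under UNICODE. The original also used
       curly quotes around the name, which does not compile. */
    LibHandle = LoadLibraryA("msvcrt.dll");
    if (LibHandle == NULL)
        return 1;

    ProcAdd = (MYPROC) GetProcAddress(LibHandle, "system"); /* look up the address of system() */
    if (ProcAdd == NULL) {
        FreeLibrary(LibHandle);
        return 1;
    }

    /* Equivalent to system("command.com"); system() returns only after the
       interpreter exits, so the DLL is still mapped for the whole call. */
    (void) ProcAdd("command.com");

    FreeLibrary(LibHandle);
    return 0;
}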
#include<windows.h>
void main()                          // non-standard: C expects int main(void)
{
    /* Same two calls as the C listing above, but made through absolute
       addresses instead of LoadLibrary/GetProcAddress lookups.
       0x77b70000 and 0x77b8a083 are the values the original author labelled
       as "win2003 sp2"; nothing else on this page confirms which export each
       one is, and they are only meaningful for that exact OS build with
       msvcrt.dll at its default base. On any system where the DLL is mapped
       elsewhere (every ASLR-enabled Windows, i.e. Vista and later) both
       `call`s land on unrelated memory. Neither frame set up below is ever
       torn down and the cdecl argument of the second call is never popped;
       that is only survivable because exit(0) runs immediately afterwards. */
    __asm
    {
        // --- Step 1: LoadLibrary("MSVCRT.DLL") via a hard-coded address ---
        push ebp
        mov ebp,esp
        // Three pushes leave twelve zero bytes at [ebp-0Ch]..[ebp-01h].
        // The two bytes not written below ([ebp-02h], [ebp-01h]) stay zero
        // and serve as the NUL terminator of the string.
        xor eax,eax
        push eax
        push eax
        push eax
        // Build "MSVCRT.DLL" one byte at a time, starting at [ebp-0Ch]
        mov byte ptr[ebp-0Ch],4Dh    // 'M'
        mov byte ptr[ebp-0Bh],53h    // 'S'
        mov byte ptr[ebp-0Ah],56h    // 'V'
        mov byte ptr[ebp-09h],43h    // 'C'
        mov byte ptr[ebp-08h],52h    // 'R'
        mov byte ptr[ebp-07h],54h    // 'T'
        mov byte ptr[ebp-06h],2Eh    // '.'
        mov byte ptr[ebp-05h],44h    // 'D'
        mov byte ptr[ebp-04h],4Ch    // 'L'
        mov byte ptr[ebp-03h],4Ch    // 'L'
        lea eax,[ebp-0Ch]
        push eax                     // single stack argument: pointer to "MSVCRT.DLL"
        mov edx,0x77b70000           // absolute address; author's label: "win2003 sp2"
        call edx                     // presumably LoadLibraryA per the original comment (stdcall: callee pops the argument)
        // --- Step 2: open a command window, i.e. system("command.com") ---
        push ebp
        mov ebp, esp
        sub esp, 0x2C                // 44 bytes of locals; only the 12 just below ebp are used
        mov eax, 0x6D6D6F63          // "comm" (little-endian)
        mov dword ptr [ebp-0x0C], eax
        mov eax, 0x2E646E61          // "and."
        mov dword ptr [ebp-0x8], eax
        mov eax, 0x226D6F63          // "com" plus 0x22 ('"') in the top byte
        mov dword ptr [ebp-0x4], eax
        xor edx, edx
        mov byte ptr [ebp-0x1], dl   // overwrite the '"' with NUL -> "command.com\0"
        lea eax, dword ptr [ebp-0xC]
        push eax                     // argument: pointer to "command.com"
        mov eax, 0x77b8a083          // absolute address; author's label: "win2003 sp2"
        call eax                     // presumably msvcrt!system per the original comment (cdecl: the pushed argument is never cleaned up here)
    }
    exit(0);                         // declared in <stdlib.h>, which this listing does not include
}