When the first program runs on its own, GetModuleHandleA returns a different handle value than when it runs inside OD; inside OD the value will be greater than 70000000. This seems to work only on XP. Try the other programs in OD yourself.
Code:

    .386
    .model flat, stdcall
    option casemap:none
    include \masm32\include\windows.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\user32.inc
    includelib \masm32\lib\kernel32.lib
    includelib \masm32\lib\user32.lib

    ; CTEXT("...") places a zero-terminated string in the CONST segment and
    ; returns its offset, so string literals can be written inline in invoke
    CTEXT MACRO y:VARARG
        LOCAL sym
        CONST segment
        ifidni <y>,<>
            sym db 0
        else
            sym db y,0
        endif
        CONST ends
        exitm <offset sym>
    ENDM

    .data
    hInst   dd ?
    szStr   db 64 dup(?)       ; wsprintf output buffer (a single byte overflowed)
    szBytes dd ?               ; receives the old protection from VirtualProtect (must be a DWORD)

    .code
start:
    ; make the page containing start+02Eh writable, then decode one code byte in place
    invoke VirtualProtect, (start+02Eh), 04h, PAGE_EXECUTE_READWRITE, ADDR szBytes
    mov eax, (start+02Eh)
    xor ebx, ebx
    mov bl, byte ptr cs:[eax]
    xor bl, 035h
    mov byte ptr ds:[eax], bl
    invoke GetModuleHandleA, 0
    mov hInst, eax
    invoke GetModuleHandleA, 0
    invoke wsprintf, ADDR szStr, CTEXT("模块基址为:0x%x"), eax
    invoke MessageBox, NULL, ADDR szStr, CTEXT("SMC检测OD"), MB_OK or MB_APPLMODAL
    invoke ExitProcess, 0
    int 3
    nop
end start
Code:

    .386
    .model flat, stdcall
    option casemap:none
    include \masm32\include\windows.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\user32.inc
    includelib \masm32\lib\kernel32.lib
    includelib \masm32\lib\user32.lib

    .data
    ; data the posted fragment uses but did not declare
    szTitle db "SMC", 0
    szText  db "MessageBox reached through the patched-in call", 0
    szErr   db "VirtualProtect failed", 0
    oldProt dd ?

    .code
start:
    mov esi, (ProgramEnd-start)
    invoke VirtualProtect, 401000h, esi, PAGE_EXECUTE_READWRITE, ADDR oldProt  ; enable write to code section
    test eax, eax
    jnz _patch
    invoke MessageBox, NULL, ADDR szErr, ADDR szErr, MB_OK   ; error, show it and quit
    jmp _end
_patch:
    lea edi, _change
    mov al, 0e8h               ; call opcode
    stosb
    mov eax, 00000008h         ; Will be 08 00 00 00 when written to memory
    stosd
    invoke VirtualProtect, 401000h, esi, oldProt, ADDR oldProt   ; restore the old protection settings
_msgBox:
    push NULL
    push offset szTitle
    push offset szText
    push NULL
_change:
    nop                        ; here will be inserted 'call MessageBox'
    nop
    nop
    nop
    nop
_end:
    invoke ExitProcess, NULL
ProgramEnd:
end start
Code:

    .386
    .model flat, stdcall
    option casemap:none
    include \masm32\include\windows.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\user32.inc
    includelib \masm32\lib\kernel32.lib
    includelib \masm32\lib\user32.lib

    .data
    ; data the posted fragment uses but did not declare
    szTitle    db "SMC", 0
    szText     db "myMod2 has been patched", 0
    oldprotect dd ?

    .code
start:
    mov eax, offset myMod2
    invoke VirtualProtect, eax, 4, PAGE_EXECUTE_READWRITE, addr oldprotect
    mov eax, offset myMod2
    ; each WORD store writes two bytes, low byte first
    mov WORD PTR [eax],     00B8h
    mov WORD PTR [eax+1*2], 0009h
    mov WORD PTR [eax+2*2], 0000h
    mov WORD PTR [eax+3*2], 0000h
    mov WORD PTR [eax+4*2], 0000h
    invoke MessageBox, 0, addr szText, addr szTitle, MB_OK
    invoke ExitProcess, 0

myMod2 proc
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    ret
myMod2 ENDP
end start
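As an added example (not code from the post), the Python below works out the arithmetic behind the second and third patches: the rel32 displacement a patched-in E8 call needs relative to the instruction that follows it, and the byte layout that the third snippet's five WORD stores produce, decoded as the `mov eax, imm32` they begin with. The addresses used are constructed placeholders, not values from the post.

```python
import struct

CALL_LEN = 5  # E8 opcode + signed 32-bit displacement


def call_rel32(patch_addr: int, target_addr: int) -> bytes:
    """Assemble 'call target' placed at patch_addr.

    The displacement is measured from the end of the 5-byte call, which is
    why the post stores E8 followed by a dword rather than an absolute address.
    """
    disp = target_addr - (patch_addr + CALL_LEN)
    return b"\xe8" + struct.pack("<i", disp)


def call_target(patch_addr: int, insn: bytes) -> int:
    """Inverse of call_rel32: where an E8 call located at patch_addr lands."""
    if len(insn) != CALL_LEN or insn[0] != 0xE8:
        raise ValueError("not a 5-byte E8 call")
    (disp,) = struct.unpack("<i", insn[1:])
    return patch_addr + CALL_LEN + disp


def word_stores_to_bytes(words) -> bytes:
    """Bytes laid down by consecutive 'mov WORD PTR [eax+2*i], w' stores (little-endian)."""
    return b"".join(struct.pack("<H", w) for w in words)


def decode_mov_eax_imm32(code: bytes):
    """Decode a leading B8 imm32 ('mov eax, imm32'); return (imm32, remaining bytes)."""
    if len(code) < 5 or code[0] != 0xB8:
        raise ValueError("not a mov eax, imm32")
    (imm,) = struct.unpack("<I", code[1:5])
    return imm, code[5:]


if __name__ == "__main__":
    # Second snippet: E8 then the dword 8 is written at _change (constructed address).
    change = 0x401040
    print(hex(call_target(change, b"\xe8" + struct.pack("<I", 8))))  # _change + 13

    # Third snippet: the five WORD stores into myMod2.
    raw = word_stores_to_bytes([0x00B8, 0x0009, 0, 0, 0])
    imm, rest = decode_mov_eax_imm32(raw)
    # 0x900, not 9: the 09 byte of the 0009h store lands at offset 2, i.e. bits 8-15 of imm32
    print(raw.hex(), hex(imm), rest.hex())
```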