@All (esp. Frager, Benibela): Self-deleting EXE, optimized code: ...
Hi,



I just optimized the thing a bit. The footprint is now considerably smaller, since no strings are needed any more to reference the functions: I use the import table. The limitations of this method are stated as a comment right at the start of the procedure.



I think that, since I have commented my code, it should be quite easy for others to follow as well.





procedure DeleteSelf;
{
  Note, this version will only work as long as the functions are imported through
  the import table. This is true for any Win32 app and Kernel32.dll!
  Anyway, if you introduce symbol names that conflict with the function names,
  this code is likely to break!
}
var
  szModuleName: array[0..MAX_PATH - 1] of Char;
  pExitProcess,
  pDeleteFile,
  pFreeLibrary,
  pUnmapViewOfFile: Pointer;
  hModule: THandle;
asm
  (*** Get real address of ExitProcess ***)
  { Dereference the function addresses from the jump table.
    I'll briefly explain on this first function ('ExitProcess').
    Load effective address. EAX points to code like FF 25 XX XX XX XX -> jmp ds:[XXXXXXXX] }
  lea eax, [ExitProcess]
  { Skip the jump opcode (i.e. FF 25) }
  mov eax, [eax+2]
  { EAX now holds the XX XX XX XX from above, i.e. a pointer to the import table
    slot that contains the 'real' address }
  mov eax, [eax]
  { EAX now holds the 'real' address of the function ExitProcess within our process }
  mov pExitProcess, eax
  { The following code works accordingly ... }

  (*** Get real address of DeleteFileA ***)
  lea eax, [DeleteFileA]
  mov eax, [eax+2]
  mov eax, [eax]
  mov pDeleteFile, eax

  (*** Get real address of FreeLibrary ***)
  lea eax, [FreeLibrary]
  mov eax, [eax+2]
  mov eax, [eax]
  mov pFreeLibrary, eax

  (*** Get real address of UnmapViewOfFile ***)
  lea eax, [UnmapViewOfFile]
  mov eax, [eax+2]
  mov eax, [eax]
  mov pUnmapViewOfFile, eax

  (*** Now the "main code" ***)
  push 0
  call GetModuleHandleA
  mov hModule, eax
  (*** Got module handle of this instance ***)
  push MAX_PATH
  lea eax, szModuleName
  push eax
  push hModule
  call GetModuleFileNameA
  (*** szModuleName now holds the file name of our instance's module ***)
  call GetVersion
  (*** Checking for Windows 9x / Windows NT platform: high bit set means Win9x ***)
  test eax, $80000000
  jz @@NTplatform

//@@9xplatform:
  { Build a chain of stdcall frames on the stack so that the 'ret 4' of each API
    returns straight into the next one:
    FreeLibrary(hModule) -> DeleteFileA(szModuleName) -> ExitProcess(ExitCode).
    Nothing of our own image has to execute once the chain is started. }
  lea eax, szModuleName
  push system.ExitCode   { argument of ExitProcess }
  push 0                 { 'return address' of ExitProcess (never used) }
  push eax               { argument of DeleteFileA }
  push pExitProcess      { DeleteFileA returns into ExitProcess }
  push hModule           { argument of FreeLibrary }
  push pDeleteFile       { FreeLibrary returns into DeleteFileA }
  push pFreeLibrary
  ret                    { 'return' into FreeLibrary }

@@NTplatform:
  { Handle 4 is the handle to the image's file mapping that the NT4/2000 loader
    leaves open; close it so the file can be deleted once the view is unmapped }
  push 4
  call CloseHandle
  { Same chain as above, with UnmapViewOfFile(hModule) in place of FreeLibrary }
  lea eax, szModuleName
  push system.ExitCode
  push 0
  push eax
  push pExitProcess
  push hModule
  push pDeleteFile
  push pUnmapViewOfFile
  ret
end;





Have fun with it ... I make no copyright claims whatsoever. It is public domain / open source, whichever you prefer :)
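An added example, not part of the original post: the import-thunk dereference that the procedure above performs with `lea eax,[ExitProcess]` / `mov eax,[eax+2]` / `mov eax,[eax]`, written as plain C with the opcode check the posted asm leaves out. The asm trusts that the symbol resolves to an `FF 25` jump stub; if it does not (the case the comment at the top of the procedure warns about), it reads two arbitrary dwords and the ret chain later lands in garbage. The decoder below refuses anything that is not `FF 25 disp32`, and also handles the x86-64 form of the same stub, where `disp32` is RIP-relative instead of an absolute address. It runs on any host: memory is a constructed byte image (a thunk, a function prologue and an IAT slot holding the made-up value 7C81CDDAh) rather than a live process; on a real 32-bit Windows build the stub bytes would be read at `(const uint8_t *)&ExitProcess`. All names here (`memimg_t`, `resolve_import`, the demo functions, the addresses 00401000h and 00401100h) are my own and not from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* A flat byte image standing in for the code + import table region of a process.
   (Constructed for this example; a real tool would read the live process.) */
typedef struct {
    const uint8_t *bytes;
    size_t len;
    uint64_t base;   /* virtual address of bytes[0] */
} memimg_t;

/* Little-endian read of n (<= 8) bytes at virtual address va; returns 0 if out of range. */
static int read_le(const memimg_t *m, uint64_t va, size_t n, uint64_t *out)
{
    if (n > 8 || va < m->base || va - m->base + n > m->len)
        return 0;
    const uint8_t *p = m->bytes + (va - m->base);
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    *out = v;
    return 1;
}

/* Step 1 of the trick: from the stub at stub_va obtain the address of the IAT slot.
   Only the "FF 25 disp32" encoding (jmp [mem]) is accepted.
   i386:   disp32 is the absolute address of the slot (what the asm reads at [eax+2]).
   x86-64: disp32 is relative to the end of the 6-byte instruction (RIP-relative). */
int iat_slot_of_thunk(const memimg_t *m, uint64_t stub_va, int mode64, uint64_t *slot_va)
{
    uint64_t opcode, disp;
    if (!read_le(m, stub_va, 2, &opcode) || opcode != 0x25FF)   /* bytes FF 25 */
        return 0;
    if (!read_le(m, stub_va + 2, 4, &disp))
        return 0;
    if (mode64)
        *slot_va = stub_va + 6 + (uint64_t)(int64_t)(int32_t)(uint32_t)disp;
    else
        *slot_va = disp;
    return 1;
}

/* Step 2: dereference the slot (the asm's second "mov eax,[eax]") to get the
   real entry point of the imported function. */
int resolve_import(const memimg_t *m, uint64_t stub_va, int mode64, uint64_t *real_va)
{
    uint64_t slot;
    if (!iat_slot_of_thunk(m, stub_va, mode64, &slot))
        return 0;
    return read_le(m, slot, mode64 ? 8 : 4, real_va);
}

/* Constructed image, base 00401000h:
     +000: FF 25 00 11 40 00   jmp dword ptr [00401100h]   (i386 import stub)
     +010: 55 8B EC            push ebp / mov ebp,esp      (a plain function, not a stub)
     +020: FF 25 DA 00 00 00   jmp qword ptr [rip+0DAh]    (x64 stub -> 00401100h)
     +100: DA CD 81 7C 00 00 00 00                         (IAT slot; made-up value) */
static const uint8_t image[0x108] = {
    [0x00] = 0xFF, [0x01] = 0x25, [0x02] = 0x00, [0x03] = 0x11, [0x04] = 0x40, [0x05] = 0x00,
    [0x10] = 0x55, [0x11] = 0x8B, [0x12] = 0xEC,
    [0x20] = 0xFF, [0x21] = 0x25, [0x22] = 0xDA, [0x23] = 0x00, [0x24] = 0x00, [0x25] = 0x00,
    [0x100] = 0xDA, [0x101] = 0xCD, [0x102] = 0x81, [0x103] = 0x7C,
};
static const memimg_t demo = { image, sizeof image, 0x00401000u };

/* Resolves the i386 stub at 00401000h; yields 7C81CDDAh. */
uint64_t demo_resolve_i386(void)
{
    uint64_t v = 0;
    return resolve_import(&demo, 0x00401000u, 0, &v) ? v : 0;
}

/* Resolves the x64 stub at 00401020h through the same slot; yields 7C81CDDAh. */
uint64_t demo_resolve_x64(void)
{
    uint64_t v = 0;
    return resolve_import(&demo, 0x00401020u, 1, &v) ? v : 0;
}

/* The bytes at 00401010h are a function body, not a stub: must return 0 instead of
   treating the bytes after the opcode as a pointer the way the unchecked asm would. */
int demo_reject_prologue(void)
{
    uint64_t v = 0;
    return resolve_import(&demo, 0x00401010u, 0, &v);
}

int main(void)
{
    printf("i386 stub -> %08llx\n", (unsigned long long)demo_resolve_i386());
    printf("x64 stub  -> %08llx\n", (unsigned long long)demo_resolve_x64());
    printf("prologue  -> %s\n", demo_reject_prologue() ? "accepted (bug)" : "rejected");
    return 0;
}
```

The check matters because the failure mode is silent: the procedure only ever executes the resolved addresses by `ret`, so a wrong value crashes the process after the module is already unmapped, with nothing of its own code left to report the error. Note also that the NT branch depends on handle 4 being the handle the loader left open on the image's file mapping; that held on NT 4 and Windows 2000 and is not guaranteed on later versions.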
