- 01
- 02
- 03
- 04
- 05
- 06
- 07
- 08
- 09
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
BOOL NAKED CompareCurrentProcess(PCHAR pszName)
{
/*
1. Found PEB
2. Found _RTL_USER_PROCESS_PARAMETERS
3. Found _RTL_USER_PROCESS_PARAMETERS->ImagePathName
4. Convert UNICODE to ANSI
5. compare strings
*/
__asm {
MOV ESI,ESP // SAVE STACK PTR
MOV EAX,DWORD PTR FS:[0x30] // eax == PEB
MOV EAX,DWORD PTR DS:[EAX+0x10] // eax == _RTL_USER_PROCESS_PARAMETERS
ADD EAX,0x38 // eax == _RTL_USER_PROCESS_PARAMETERS->ImagePathName
XOR EDX,EDX //
XOR ECX,ECX //
XOR EDI,EDI //
MOV CL, BYTE PTR [EAX] // CL = UNICODE_STRING.Length in bytes
SUB ESP,ECX // reserve in stack CL bytes
ADD EAX,4 // EAX ptr to WCHAR ImagePathName
MOV EAX,DWORD PTR [EAX] // EAX = PWCHAR
next_char:
CMP CL,0 // WCHAR end
JZ end;
MOV DL,BYTE PTR [EAX] // DL == *(PCHAR)WCHAR
ADD EAX,2 // GOTO next WIDEchar
MOV BYTE PTR [ESP],DL // SAVE char in memory reserved in stack
INC ESP // pStr++
INC EDI // pStrLen++
SUB CL,2 // Length--;
jmp next_char // goto_next;
end:
MOV BYTE PTR [ESP],0 // *pStr = 0; null terminated
SUB ESP,EDI // pStr = (PCHAR)(pStr - pStrLen)
XOR EDX,EDX
XOR ECX,ECX
mov ecx,esp // ecx = pStr
mov edx,esp // edx = pStr
//
// HERE FOUND image file name
m_loop:
cmp edi,0
jz file_founded
cmp byte ptr [edx],0x5C // '\'
JZ founded;
inc edx
dec edi
jmp m_loop
founded:
dec edi
mov ecx,edx
inc edx
jmp m_loop
file_founded:
push esi
inc ecx
push ecx
push dword ptr [esi+4]
call my_strcmp
pop esi
mov esp,esi
ret
}
}
panter_dsd 23.03.2011 20:17 # +4
ReL 23.03.2011 22:05 # −4
TarasB 24.03.2011 11:41 # −3
absolut 24.03.2011 11:54 # 0
TarasB 24.03.2011 11:58 # −1
Правда, это просто С, без плюсов.
absolut 23.03.2011 20:31 # 0
tr00_gr1m_doomster 23.03.2011 21:09 # +4
absolut 23.03.2011 21:12 # +2
tr00_gr1m_doomster 23.03.2011 21:14 # 0
absolut 23.03.2011 21:16 # 0
tr00_gr1m_doomster 23.03.2011 21:19 # 0
da4ever 23.03.2011 21:59 # +2
tr00_gr1m_doomster 24.03.2011 00:56 # −1
tr00_gr1m_doomster 24.03.2011 00:57 # 0
metaball 24.03.2011 10:36 # +1
bugmenot 24.03.2011 11:56 # −1