
[原创]另一种进入NT内核方法的汇编版本

2008-01-09 16:12 127 查看
要说明的是，该方法本身不是我的原创，是其他大牛首先写出来的；它通过 ZwSetSystemInformation(SystemLoadAndCallImage) 让内核直接加载并调用一个驱动映像，绕过服务控制管理器。

而我只是将该方法的 C 版本“翻译”成 masm32 版本。:)




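.386
.model flat, stdcall
option casemap:none

; ---------------------------------------------------------------------------
; Load and call a kernel-mode image via
;     ZwSetSystemInformation(SystemLoadAndCallImage /* 38 */, &UNICODE_STRING)
;
; Syntax/target: MASM32, 32-bit x86, Win32 stdcall. The information class is
; undocumented: the kernel maps the file named by ModuleName into kernel
; space and calls its entry point without going through the Service Control
; Manager (no service record, no Unload path). Originally an XP-era technique.
;
; Security notes for anyone reusing this:
;   * DriverEntry of the named file runs at ring 0. Whoever can write
;     c:\tmp\Drv.sys gets kernel code execution, so the path must name a
;     location unprivileged users cannot write to (c:\tmp normally is not).
;   * The call needs SeLoadDriverPrivilege held AND enabled in the caller's
;     token; otherwise it fails with STATUS_PRIVILEGE_NOT_HELD (0C0000061h).
;     advapi32 is linked below in case an AdjustTokenPrivileges step is added;
;     this listing does not enable the privilege itself.
;   * Later Windows versions (Vista+, and anything enforcing kernel code
;     signing) reportedly reject this information class; the NTSTATUS
;     returned in eax is checked below instead of assuming success.
; ---------------------------------------------------------------------------

include c:\masm32\include\windows.inc
include c:\masm32\include\user32.inc
include c:\masm32\include\kernel32.inc
include c:\masm32\include\advapi32.inc
includelib c:\masm32\lib\user32.lib
includelib c:\masm32\lib\kernel32.lib
includelib c:\masm32\lib\advapi32.lib
include c:\masm32\macros\ucmacros.asm

; Native NT counted string: Length/MaximumLength are byte counts, Buffer is
; a PWSTR. Field named _Length to avoid clashing with MASM's LENGTH operator.
UNICODE_STRING STRUCT
    _Length         WORD  ?
    MaximumLength   WORD  ?
    Buffer          DWORD ?
UNICODE_STRING ENDS

; SYSTEM_INFORMATION_CLASS value understood by ZwSetSystemInformation.
SystemLoadAndCallImage      equ 38

; Exit code used when the ntdll exports cannot be resolved
; (STATUS_PROCEDURE_NOT_FOUND), kept as a local equate to avoid clashing
; with any definition windows.inc may already carry.
NT_PROC_NOT_FOUND           equ 0C000007Ah

; NTSTATUS ZwSetSystemInformation(SYSTEM_INFORMATION_CLASS, PVOID, ULONG)
_ZwSetSystemInformation     typedef proto :dword,:dword,:dword
lpZwSetSystemInformation    typedef ptr _ZwSetSystemInformation

; VOID RtlInitUnicodeString(PUNICODE_STRING, PCWSTR)
_RtlInitUnicodeString       typedef proto :dword,:dword
lpRtlInitUnicodeString      typedef ptr _RtlInitUnicodeString

; Input buffer for class 38: just the NT path of the image to load.
SYSTEM_LOAD_AND_CALL_IMAGE struct
    ModuleName  UNICODE_STRING <?>
SYSTEM_LOAD_AND_CALL_IMAGE ends

.const
txt     db 'Just Do It!',0
cp      db 'hopy|侯佩',0
txtFail db 'ZwSetSystemInformation(SystemLoadAndCallImage) failed - driver not loaded',0

; NT object-manager path (\??\ prefix), wide, NUL-terminated by WSTR.
WSTR    drvnameW,"\??\c:\tmp\Drv.sys"

dllname                  db 'ntdll.dll',0
szZwSetSystemInformation db 'ZwSetSystemInformation',0
szRtlInitUnicodeString   db 'RtlInitUnicodeString',0

.data?
hInstance               dd ?
hdll                    dd ?
ntStatus                dd ?                        ; last NTSTATUS from the kernel call
stSysCallImage          SYSTEM_LOAD_AND_CALL_IMAGE <>
ZwSetSystemInformation  lpZwSetSystemInformation ?
RtlInitUnicodeString    lpRtlInitUnicodeString ?

.code
start:
    invoke GetModuleHandle, 0
    mov    hInstance, eax

    ; Both functions live in ntdll and are not in the MASM32 import libs,
    ; so they are resolved at run time. A NULL from either call is fatal.
    invoke LoadLibrary, addr dllname
    test   eax, eax
    jz     bail                                     ; ntdll not loadable
    mov    hdll, eax

    invoke GetProcAddress, hdll, addr szZwSetSystemInformation
    test   eax, eax
    jz     bail                                     ; export missing on this build
    mov    ZwSetSystemInformation, eax

    invoke GetProcAddress, hdll, addr szRtlInitUnicodeString
    test   eax, eax
    jz     bail
    mov    RtlInitUnicodeString, eax

    ; Fill ModuleName from the wide path; RtlInitUnicodeString returns VOID.
    invoke RtlInitUnicodeString, addr stSysCallImage.ModuleName, addr drvnameW

    ; Ask the kernel to map and call the image. eax = NTSTATUS; sign bit set
    ; means error (warnings 8xxxxxxxh are treated as failure here as well).
    invoke ZwSetSystemInformation, SystemLoadAndCallImage, \
                                   addr stSysCallImage, \
                                   sizeof SYSTEM_LOAD_AND_CALL_IMAGE
    mov    ntStatus, eax
    test   eax, eax
    js     failed

    invoke MessageBox, NULL, addr txt, addr cp, MB_OK
    invoke ExitProcess, 0

failed:
    ; Report the failure instead of claiming success; the NTSTATUS is
    ; returned as the process exit code so a caller can inspect it
    ; (e.g. 0C0000061h = privilege not held).
    invoke MessageBox, NULL, addr txtFail, addr cp, MB_OK or MB_ICONERROR
    invoke ExitProcess, ntStatus

bail:
    ; ntdll or one of its exports could not be resolved.
    invoke ExitProcess, NT_PROC_NOT_FOUND
end start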


