需要说明的是，该方法本身不是我的原创，而是其他大牛首先写出来的（它通过 ZwSetSystemInformation 的 SystemLoadAndCallImage 信息类，让内核加载并调用指定路径的映像文件）。
我只是把该方法的 C 版本“翻译”成了 MASM32 版本。:)
.386                                    ; 32-bit x86 code; the Zw*/Rtl* entry points used below are x86 stdcall
.model flat, stdcall                    ; flat model; PROTO/invoke default to stdcall
option casemap:none                     ; identifiers are case-sensitive: API names must match the MASM32 .inc files exactly
include c:\masm32\include\windows.inc
include c:\masm32\include\user32.inc
include c:\masm32\include\kernel32.inc
include c:\masm32\include\advapi32.inc
includelib c:\masm32\lib\user32.lib
includelib c:\masm32\lib\kernel32.lib
includelib c:\masm32\lib\advapi32.lib
include c:\masm32\macros\ucmacros.asm
; Mirror of the native UNICODE_STRING (ntdef.h): two 16-bit byte counts followed
; by a 32-bit pointer to UTF-16 text. RtlInitUnicodeString fills it in and the
; kernel reads it back, so field order and widths must not change.
unicode_string struct
    _length         dw ?                ; byte length of the string
    maximumlength   dw ?                ; byte size of the buffer
    buffer          dd ?                ; PWSTR
unicode_string ends
; SYSTEM_INFORMATION_CLASS value passed to ZwSetSystemInformation below.
; 26h (38) = SystemLoadAndCallImage: an undocumented class that loads the named
; image into the kernel and calls its entry point. It is not a supported
; interface; whether a given Windows release still honours it must be checked
; on that release.
systemloadandcallimage equ 26h

; NTSTATUS ZwSetSystemInformation(SystemInformationClass, SystemInformation, SystemInformationLength)
; stdcall per .model; the address is resolved from ntdll.dll at run time.
_zwsetsysteminformation typedef proto infoclass:dword, infobuf:dword, infolen:dword
lpzwsetsysteminformation typedef ptr _zwsetsysteminformation

; VOID RtlInitUnicodeString(PUNICODE_STRING dest, PCWSTR src)
_rtlinitunicodestring typedef proto dest:dword, src:dword
lprtlinitunicodestring typedef ptr _rtlinitunicodestring
; Buffer handed to ZwSetSystemInformation for the SystemLoadAndCallImage class:
; nothing but the NT-native path of the image to load.
system_load_and_call_image struct
    modulename      unicode_string <>
system_load_and_call_image ends
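.const
; Text and caption of the message box shown once the load call has returned.
txt db 'just do it!',0
cp  db 'hopy|侯佩',0

; NT-native path of the kernel image to load. The leading \??\ maps the DOS
; drive letter into the object-manager namespace, which is the form the Zw*
; layer expects. The wide string is the one RtlInitUnicodeString consumes.
; (The published listing had lost its backslashes; WSTR is the UNICODE data
; macro from ucmacros.asm.)
WSTR drvnamew,"\??\c:\tmpdrv.sys"

; ANSI copy of the same path. Not referenced by the code in this listing.
drvname db '\??\c:\tmpdrv.sys',0

; Module and export names resolved at run time. GetProcAddress compares export
; names case-sensitively, so these must match the ntdll export table exactly;
; an all-lowercase spelling makes GetProcAddress return NULL.
dllname db 'ntdll.dll',0
szzwsetsysteminformation db 'ZwSetSystemInformation',0
szrtlinitunicodestring db 'RtlInitUnicodeString',0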
.data?
hinstance               dword ?         ; own module handle; stored, not read again in this listing
hdll                    dword ?         ; HMODULE of ntdll.dll
stsyscallimage          system_load_and_call_image <>   ; request buffer for ZwSetSystemInformation
zwsetsysteminformation  lpzwsetsysteminformation ?      ; resolved from ntdll at run time
rtlinitunicodestring    lprtlinitunicodestring ?        ; resolved from ntdll at run time
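.code
; Entry point.
; Resolves ZwSetSystemInformation and RtlInitUnicodeString from ntdll.dll, asks
; the kernel to load and call the image named by drvnamew, then shows a message
; box. Exit code: 0 on success; 1 if ntdll or one of the two exports could not
; be resolved; otherwise the NTSTATUS returned by ZwSetSystemInformation.
; NOTE(review): the file at drvnamew is mapped and executed in ring 0 with no
; integrity check of its own here; anything that can write that path gains
; kernel execution. The call is privileged (SeLoadDriverPrivilege on releases
; that still accept this class - confirm per target), so it fails for a
; non-administrative caller.
; API identifiers are spelled as the MASM32 .inc files declare them because
; option casemap:none makes lookup case-sensitive.
start:
        invoke  GetModuleHandle, NULL
        mov     hinstance, eax

        invoke  LoadLibrary, addr dllname
        test    eax, eax
        jz      resolve_failed                  ; no ntdll handle: nothing to call
        mov     hdll, eax

        ; A NULL from GetProcAddress would otherwise be called through as a
        ; function pointer below, so both lookups are checked.
        invoke  GetProcAddress, hdll, addr szzwsetsysteminformation
        test    eax, eax
        jz      resolve_failed
        mov     zwsetsysteminformation, eax

        invoke  GetProcAddress, hdll, addr szrtlinitunicodestring
        test    eax, eax
        jz      resolve_failed
        mov     rtlinitunicodestring, eax

        ; Fill Length/MaximumLength/Buffer of the request from the wide path.
        invoke  rtlinitunicodestring, addr stsyscallimage.modulename,
                addr drvnamew

        ; SystemLoadAndCallImage: the kernel maps the image and calls its entry point.
        invoke  zwsetsysteminformation, systemloadandcallimage,
                addr stsyscallimage,
                sizeof system_load_and_call_image
        test    eax, eax
        js      load_failed                     ; NTSTATUS: sign bit set means failure

        invoke  MessageBox, NULL, addr txt, addr cp, MB_OK
        invoke  ExitProcess, 0

resolve_failed:
        invoke  ExitProcess, 1

load_failed:
        ; eax still holds the NTSTATUS from ZwSetSystemInformation
        invoke  ExitProcess, eax

end start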