When writing a packer (shell) today I thought of a way to hide the CALL instruction that does not need manual patching, so I am sharing it here. Let me talk about the simple way of hiding CALL. (I used to use Delphi, so the code is Delphi.) I am writing this online without my computer at hand, so if anything is wrong, please point it out.

Manual hiding method:

Suppose we define a procedure like this:

    procedure Test;
    begin
    end;

and then call it from another procedure:

    begin
      Test;
    end;

After compiling we will normally see the corresponding

    00000001  call XXXXXXXX

(00000001 and XXXXXXXX are assumed addresses.) The most common hiding method is to write the code as

    begin
      Test;
      asm
        db $90, $90, $90, $90, $90, $90
      end;
    end;

We need these 6 NOPs to make room for the hiding that follows. After compiling, code like this will appear:

    00000001  call XXXXXXXX
    00000006  nop
    00000007  nop
    00000008  nop
    00000009  nop
    00000010  nop
    00000011  nop

Then what we have to do is patch the code by hand into

    00000001  push 00000012
    00000006  push XXXXXXXX
    00000011  ret

so that the code length stays exactly the same: the 5-byte CALL plus 6 NOPs is replaced by two 5-byte PUSHes and a 1-byte RET. The first push places the address right after RET on the stack, which is exactly the return address the CALL would have pushed, and RET then transfers control to XXXXXXXX. This achieves the hiding effect, but having to patch by hand every time is troublesome, so let's look at another hiding method.

Automatic hiding method:

We have just seen the manual method; now let's see the automatic one, again with the Test procedure as the example. We all know this way of getting EIP:

    00000001  call 00000006
    00000006  pop eax

Its machine code is

    00000001  E8 00 00 00 00
    00000006  58

{I wrote the machine code from memory, it may be wrong.} Then we define two variables:

    var
      TestEIP: Cardinal;
      TestPoi: Pointer;

Don't ask what they are for, you will understand right away. Now we change the call to the following:

    begin
      asm
        db $E8, $00, $00, $00, $00   { call $+5: pushes the address of the next instruction }
        pop eax                      { $58: eax now holds that address }
        add eax, $20                 { $20 is the size of the code that follows, down to and
                                       including RET; check it in the debugger so that eax ends
                                       up at the instruction right after RET }
        mov TestEIP, eax             { the return address }
      end;
      TestPoi := @Test;
      asm
        push TestEIP                 { return address, as CALL would have pushed it }
        push TestPoi                 { target }
        ret                          { jumps to Test; Test's own RET comes back to TestEIP }
      end;
    end;

Then compile. How is it? The CALL instruction is no longer visible. But there is one problem: what do you do if Test takes parameters? For example:

    procedure Test(A, B, C: Cardinal);
    begin
    end;

Then we can still call it. With Delphi's default register calling convention the first three parameters are passed in EAX, EDX and ECX, so they are loaded right before the RET, after the Pascal assignment to TestPoi, so that nothing clobbers them (Param1, Param2 and Param3 stand for the three argument values):

    begin
      asm
        db $E8, $00, $00, $00, $00   { call $+5 }
        pop eax
        add eax, $2F                 { larger this time: again the size of the code down to RET,
                                       so that eax points at the instruction right after RET }
        mov TestEIP, eax
      end;
      TestPoi := @Test;
      asm
        mov eax, Param1              { parameter 1 }
        mov edx, Param2              { parameter 2 }
        mov ecx, Param3              { parameter 3 }
        push TestEIP
        push TestPoi
        ret
      end;
    end;
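Both variants leave a fixed byte signature in the compiled code, so the defensive counterpart, as an added example that is not part of the original post, is a scanner over raw 32-bit x86 bytes that flags `push imm32; push imm32; ret` and reports the CALL it stands for, and separately flags the `call $+5; pop eax` EIP fetch. The sample bytes and the load address 0x401000 are constructed here, not taken from a real binary.

```python
"""Scan raw x86-32 code for the CALL-hiding idioms described above."""
import struct
from typing import Dict, List

PUSH_IMM32, RET, CALL_REL32, POP_EAX = 0x68, 0xC3, 0xE8, 0x58


def find_hidden_calls(code: bytes, base: int) -> List[Dict[str, int]]:
    """Report every 'push imm32; push imm32; ret' (11 bytes): control goes to
    the second immediate and returns to the first, i.e. it is a CALL.
    'exact' is True when the pushed return address is the byte right after
    the RET, which is how the hand-patched form lays it out."""
    hits = []
    for i in range(len(code) - 10):
        if code[i] == PUSH_IMM32 and code[i + 5] == PUSH_IMM32 and code[i + 10] == RET:
            ret_addr = struct.unpack_from('<I', code, i + 1)[0]
            target = struct.unpack_from('<I', code, i + 6)[0]
            hits.append({'va': base + i, 'target': target, 'ret': ret_addr,
                         'exact': ret_addr == base + i + 11})
    return hits


def find_getpc(code: bytes, base: int) -> List[int]:
    """Report 'call $+5; pop eax' (E8 00 00 00 00 58), the EIP fetch the
    automatic variant uses to compute its return address at runtime."""
    needle = bytes([CALL_REL32, 0, 0, 0, 0, POP_EAX])
    return [base + i for i in range(len(code) - 5) if code[i:i + 6] == needle]


# Constructed sample (not from a real binary), assumed loaded at 0x401000.
BASE = 0x401000
SAMPLE = (
    b'\x90\x90'                                          # 0x401000: two NOPs
    + bytes([CALL_REL32]) + struct.pack('<i', 0x100)     # 0x401002: ordinary call rel32
    + bytes([PUSH_IMM32]) + struct.pack('<I', 0x401012)  # 0x401007: push return address
    + bytes([PUSH_IMM32]) + struct.pack('<I', 0x401234)  # 0x40100C: push target (Test)
    + bytes([RET])                                       # 0x401011: ret -> enters Test
    + bytes([CALL_REL32, 0, 0, 0, 0, POP_EAX])           # 0x401012: call $+5; pop eax
    + bytes([0x83, 0xC0, 0x20])                          # 0x401018: add eax, $20
)

if __name__ == '__main__':
    for h in find_hidden_calls(SAMPLE, BASE):
        print(f"hidden call at {h['va']:#x}: target {h['target']:#x}, "
              f"returns to {h['ret']:#x}, exact={h['exact']}")
    for va in find_getpc(SAMPLE, BASE):
        print(f"call $+5 / pop eax at {va:#x}")
```

The ordinary `call rel32` at 0x401002 is deliberately left alone: only the push/push/ret rewrite and the EIP fetch are reported, so the output tells an analyst where to expect a hidden transfer and what its real target is.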