
moonwhaler


Re: selbstlöschende Datei (Exe die ein Bild enthält)

  Alt 21. Sep 2007, 09:30
Das ist ja lustig. Ich hab gerade gestern etwas wiedergefunden, was als vergessen galt. "Lösch Dich Selber" ist der Titel des Monsters. Der Code ist allerdings ungetestet!!

Delphi-Quellcode:
// A procedure in assembler that deletes the main executable file - while
// running. Neat.
//
// Target:   Win32 on x86-32 only. 32-bit registers, 4-byte pushes and the
//           FF 25 (`jmp dword ptr [imp]`) import-thunk shape are assumed
//           throughout; none of this transfers to x64.
// ABI:      every API reached is Win32 stdcall (callee pops its arguments).
//           The procedure takes no arguments and never returns normally:
//           both platform paths end in a `ret` that dispatches into a call
//           chain built on the stack, whose last entry is ExitProcess.
// Clobbers: eax, flags (irrelevant to the caller - control never comes back).
// Locals:   pExitProcess, pDeleteFile, pFreeLibrary, pUnmapViewOfFile hold the
//           API addresses read out of the import table; hModule the main
//           module handle; szModuleName this module's own file name.
// Reading the disassembly: DeleteFileA and ExitProcess are never `call`ed -
//           they are reached only through the `ret` chain, and their addresses
//           are obtained by dereferencing the IAT at run time.
// Status:   the poster marks this code as untested; see the note at the
//           CloseHandle call in the NT path.
procedure DeleteSelf;
{
  Note, this version will only work, as long as the functions are imported through
  the import table. This is true for any Win32 app and Kernel32.dll!
  Anyway, if you introduce symbol names, that conflict with the function names,
  this code is likely to break!
}

var
  szModuleName: array[0..MAX_PATH - 1] of Char;
  pExitProcess,
    pDeleteFile,
    pFreeLibrary,
    pUnmapViewOfFile: Pointer;
  hModule: THandle;
asm
(*** Get real address of ExitProcess ***)
{ Dereference the function addresses from the jump table
  I'll briefly explain on this first function ('ExitProcess')
  Load effective address. EAX points to code like FF 25 XX XX XX XX -> jmp ds:XXXXXXXX }

    lea eax, [ExitProcess]
{ Ignore the jump instruction (i.e. FF 25) }
    mov eax, [eax+2]
{ EAX holds now the XX XX XX XX from above metacode, i.e. a pointer to the 'real'
  address (the IAT slot) }

    mov eax, [eax]
{ EAX now holds the 'real' address of the function ExitProcess within our realm }
    mov pExitProcess, eax
{ The following code works accordingly ... Each of the three blocks below is the
  same thunk -> IAT slot -> entry address walk, and each relies on the symbol
  being a FF 25 import thunk exactly as described above. }
(*** Get real address of DeleteFileA ***)
    lea eax, [DeleteFileA]
    mov eax, [eax+2]
    mov eax, [eax]
    mov pDeleteFile, eax
(*** Get real address of FreeLibrary ***)
    lea eax, [FreeLibrary]
    mov eax, [eax+2]
    mov eax, [eax]
    mov pFreeLibrary, eax
(*** Get real address of UnmapViewOfFile ***)
    lea eax, [UnmapViewOfFile]
    mov eax, [eax+2]
    mov eax, [eax]
    mov pUnmapViewOfFile, eax
(*** Now the "main code" ***)
{ hModule := GetModuleHandleA(nil) - handle of this executable }
    push 0
    call GetModuleHandleA
    mov hModule, eax
(*** Got module handle of this instance ***)
{ GetModuleFileNameA(hModule, szModuleName, MAX_PATH); stdcall arguments are
  pushed right-to-left, so MAX_PATH goes first. The return value (length /
  truncation) is not checked. }
    push MAX_PATH
    lea eax, szModuleName
    push eax
    push hModule
    call GetModuleFileNameA
(*** szModuleName now holds the file name of our instance's module ***)
    call GetVersion
(*** Checking for Windows 9x / Windows NT platform ***)
{ The label names assume the high-order bit of GetVersion's result is set on
  the Windows 9x line and clear on the NT line; fall-through is the 9x path. }
    test eax, $80000000
    jz @@NTplatform
//@@9xplatform:
{ Build the call chain on the stack and `ret` into it. Stack top after the
  pushes below: pFreeLibrary, pDeleteFile, hModule, pExitProcess, @szModuleName,
  0, ExitCode. The `ret` enters FreeLibrary(hModule); FreeLibrary's stdcall
  `ret 4` pops hModule and returns into DeleteFileA(@szModuleName), whose
  `ret 4` returns into ExitProcess(System.ExitCode). The pushed 0 is the
  return address ExitProcess never uses. This procedure's own stack frame is
  never unwound - the process is gone. Failure of DeleteFileA is not observed
  by anything: ExitProcess runs regardless. }
    lea eax, szModuleName
    push system.ExitCode
    push 0
    push eax
    push pExitProcess
    push hModule
    push pDeleteFile
    push pFreeLibrary
    ret
@@NTplatform:
{ CloseHandle(4): closes whatever object handle value 4 is - a hard-coded
  guess, presumably at the handle under which the image mapping is held.
  Nothing here establishes that, so on a process whose handle table differs
  this closes an unrelated handle (or fails) and the deletion below does not
  take effect - TODO confirm; the poster says the code is untested. }
    push 4
    call CloseHandle;
{ Same ret-driven chain as the 9x path, with UnmapViewOfFile(hModule) in place
  of FreeLibrary(hModule): UnmapViewOfFile -> DeleteFileA(@szModuleName) ->
  ExitProcess(System.ExitCode). }
    lea eax, szModuleName
    push system.ExitCode
    push 0
    push eax
    push pExitProcess
    push hModule
    push pDeleteFile
    push pUnmapViewOfFile
    ret
end;