来源:www.cncfan.com | 2006-1-10 | (有3387人读过)
代码如下: program Project1;
uses Windows;
procedure DeleteSelf; var hModule: THandle; buff: array[0..255] of Char; hKernel32: THandle; pExitProcess, pDeleteFileA, pUnmapViewOfFile: Pointer; begin hModule := GetModuleHandle(nil); GetModuleFileName(hModule, buff, sizeof(buff)); CloseHandle(THandle(4));
hKernel32 := GetModuleHandle('KERNEL32'); pExitProcess := GetProcAddress(hKernel32, 'ExitProcess'); pDeleteFileA := GetProcAddress(hKernel32, 'DeleteFileA'); pUnmapViewOfFile := GetProcAddress(hKernel32, 'UnmapViewOfFile'); asm LEA EAX, buff PUSH 0 PUSH 0 PUSH EAX PUSH pExitProcess PUSH hModule PUSH pDeleteFileA PUSH pUnmapViewOfFile RET end; end;
begin DeleteSelf; end.
现在有一点比较古怪,那就是必须把代码放在一个Procedure里,
直接放在begin ... end.中间是不行的。也许是全局变量不能使用
的缘故,但为什么不能使用,还是不是很清楚。
还有,不GetProcAddress,直接如下写:
PUSH OFFSET UnmapViewOfFile
trace的结果是执行进入了KERNEL32.UnmapViewOfFile的,只是在
函数内RET $4出就出错了,跳到了一个莫名其妙的地方。另外,Borland**上RE的代码不是上面的,不过效果一样 。但是FreeLibrary(p)跟UnmapViewOfFile(hModule)效果一样吗?
代码如下:
program Project1;
uses
windows;
procedure DeleteSelf; var module : HMODULE; buf : array [ 0 .. MAX_PATH - 1 ] of char; p : ULONG; hKrnl32 : HMODULE; pExitProcess, pDeleteFile, pFreeLibrary : pointer;
begin module := GetModuleHandle ( nil ); GetModuleFileName ( module, buf, sizeof ( buf ) ); CloseHandle ( THandle ( 4 ) ); p := ULONG ( module ) + 1;
//上面这一句什么意思?
hKrnl32 := GetModuleHandle ( 'kernel32' ); pExitProcess := GetProcAddress ( hKrnl32, 'ExitProcess' ); pDeleteFile := GetProcAddress ( hKrnl32, 'DeleteFileA' ); pFreeLibrary := GetProcAddress ( hKrnl32, 'FreeLibrary' ); asm lea eax, buf push 0 push 0 push eax push pExitProcess push p push pDeleteFile push pFreeLibrary ret end;
end;
|