Title: [Original] Tray Icon Camouflage Master (assembly)
Author: 非安全 (nohacks)
Time: 2008-08-15, 17:05
Link: http://bbs.pediy.com/showthread.php?t=70762
This article is a continuation of "Multi-Desktop Switcher: Defeats All Network-Admin Programs". In the previous article we described using a virtual desktop to bypass network-management software, but that approach has a small flaw: the taskbar on the new desktop shows no icon for the network-management program, so a network admin walking past can easily notice. Bored at work, I wrote a small program in assembly, Tray Icon Camouflage Master 1.0, which solves this problem. There is not much technical depth to it, but as an idea it is still worth a look. The main points are the API functions LoadImage and GetPrivateProfileString: the former loads the icon file, the latter reads the configuration file. The program's main function is as follows:
It reads the configuration file config.ini and displays, in the tray area, the icon of the program specified there:
[SETUP]
ICO="WX2004.ICO"
The program code is as follows:
Code:
```asm
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Programmed by nohacks, nohacks@163.com
; Website: http://hi.baidu.com/nohacks
; Win32 ASM is Masm
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Version info
; Icon camouflage Masters V1.0 - Tray Icon Camouflage Master
;
; 15 August 2008
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386
.model flat,stdcall
option casemap:none
include windows.inc
include debug.inc
include user32.inc
include kernel32.inc
include shell32.inc
includelib user32.lib
includelib kernel32.lib
includelib shell32.lib

WM_SHELLNOTIFY equ WM_USER+5      ; callback message for tray icon events (not handled below)
ICO_INDEX      equ 1200           ; fallback icon resource ID (from the .rc file, not shown here)
IDI_TRAY       equ 0              ; uID of our single tray icon

WinMain proto :DWORD,:DWORD,:DWORD,:DWORD

.DATA
ClassName   db "SimpleWinClass",0
AppName     db "nohacks",0
Section     db "SETUP",0          ; [SETUP] section of config.ini
keyname     db "ICO",0            ; ICO= key
ininame     db ".\config.ini",0   ; relative path: resolved against the current directory, not the EXE directory
mypath      db "wx2004.ico",0     ; default value used when the key is missing

.DATA?
hInstance   dd ?
note        NOTIFYICONDATA <>
CommandLine LPSTR ?
buffer      db 512 dup(?)         ; receives the icon file name read from the INI
fileErr     dd ?                  ; GetFileAttributes result (-1 = file not found)

.CODE
start:
    invoke GetModuleHandle, NULL
    mov hInstance,eax
    invoke GetCommandLine
    mov CommandLine,eax
    ; Read ICO= from [SETUP]; enclosing quotes such as ICO="WX2004.ICO" are stripped by the API
    invoke GetPrivateProfileString,addr Section,addr keyname,addr mypath,addr buffer,512,addr ininame
    invoke GetFileAttributes,addr buffer  ; quick check whether the file exists
    mov fileErr,eax
    invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
    invoke ExitProcess, eax

WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    LOCAL hwnd:HWND
    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInstance
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_WINDOW+1
    mov wc.lpszMenuName,NULL
    mov wc.lpszClassName,OFFSET ClassName
    invoke LoadIcon,NULL,NULL            ; no class icon; the window is never shown anyway
    mov wc.hIcon,eax
    mov wc.hIconSm,eax
    invoke LoadCursor,NULL,IDC_ARROW
    mov wc.hCursor,eax
    invoke RegisterClassEx, addr wc
    ; A hidden top-level window exists only to own the tray icon and receive WM_CLOSE
    invoke CreateWindowEx,NULL,\
        ADDR ClassName,\
        ADDR AppName,\
        WS_OVERLAPPEDWINDOW,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        CW_USEDEFAULT,\
        NULL,\
        NULL,\
        hInst,\
        NULL
    mov hwnd,eax
    ; invoke ShowWindow, hwnd,CmdShow   ; deliberately never shown
    ; invoke UpdateWindow, hwnd
    .WHILE TRUE
        invoke GetMessage, ADDR msg,NULL,0,0
        .BREAK .IF (!eax)
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .ENDW
    mov eax,msg.wParam
    ret
WinMain endp

WndProc proc hWnd:HWND, wMsg:UINT, wParam:WPARAM, lParam:LPARAM
    mov eax,wMsg
    cmp eax,WM_CREATE
    je boxStart
    cmp eax,WM_CLOSE
    je boxClose
    invoke DefWindowProc,hWnd,wMsg,wParam,lParam
    ret
boxStart:
    ; Fill NOTIFYICONDATA and add the icon to the notification area
    mov note.cbSize,sizeof NOTIFYICONDATA
    push hWnd
    pop note.hwnd
    mov note.uID,IDI_TRAY
    mov note.uFlags,NIF_ICON+NIF_MESSAGE+NIF_TIP
    mov note.uCallbackMessage,WM_SHELLNOTIFY
    .if fileErr!=-1
        ; Load the icon from the file named in the INI
        invoke LoadImage,hInstance,addr buffer,IMAGE_ICON,0,0,LR_LOADFROMFILE
    .else
        ; File missing: fall back to the icon compiled into our own resources
        invoke LoadIcon,hInstance,ICO_INDEX
    .endif
    mov note.hIcon,eax
    ; A tooltip could be set here; it is left empty. NIF_TIP is set, so szTip
    ; must at least be a valid (empty) string.
    mov byte ptr note.szTip,0
    invoke ShowWindow,hWnd,SW_HIDE
    invoke Shell_NotifyIcon,NIM_ADD,addr note
    jmp return
boxClose:
    invoke Shell_NotifyIcon,NIM_DELETE,addr note  ; remove the tray icon
    invoke PostQuitMessage,NULL
    jmp return
return:
    xor eax,eax
    ret
WndProc endp
end start
```
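The program above shows how little a tray icon proves: Shell_NotifyIcon displays whatever HICON the calling process hands it, with no tie to any vendor binary, so the check an administrator actually wants is on the process, not on the icon. The following PowerShell script is an added example, not code from the original post or from nohacks. It verifies that each expected security agent is running and that its image is validly Authenticode-signed by the expected publisher. The agent names and signer strings are placeholders to be replaced with the products deployed in your own environment.

```powershell
# Added example (not part of the original post): check the processes behind the
# tray, because the tray itself proves nothing. Shell_NotifyIcon displays whatever
# HICON the caller supplies, so an icon that looks like the antivirus or the
# network-management agent may belong to any process at all.
#
# Placeholder agent list: replace Process (image name without .exe) and Signer
# (substring of the expected certificate subject) with the products you deploy.
$ExpectedAgents = @(
    @{ Process = 'ExampleAV';     Signer = 'CN=Example AV Vendor' }     # placeholder
    @{ Process = 'ExampleNetMon'; Signer = 'CN=Example NetMon Ltd' }    # placeholder
)

function Test-SecurityAgent {
    param(
        [Parameter(Mandatory)][string]$ProcessName,
        [Parameter(Mandatory)][string]$ExpectedSigner
    )

    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        # Nothing by that name is running, whatever the tray shows
        return [pscustomobject]@{ Agent = $ProcessName; Status = 'NOT RUNNING'; Path = $null; Signer = $null }
    }

    foreach ($p in $procs) {
        # Image path; reading it for a SYSTEM service needs an elevated shell
        $path = $null
        try { $path = $p.MainModule.FileName } catch { }
        if (-not $path) {
            [pscustomobject]@{ Agent = $ProcessName; Status = 'RUNNING (path not readable, run elevated)'; Path = $null; Signer = $null }
            continue
        }

        # Authenticode ties the image to a publisher; a tray icon does not
        $sig     = Get-AuthenticodeSignature -FilePath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        $status = if ($sig.Status -ne 'Valid') {
            "RUNNING but signature status is $($sig.Status)"
        } elseif ($subject -notlike "*$ExpectedSigner*") {
            'RUNNING but signed by an unexpected publisher'
        } else {
            'OK'
        }

        [pscustomobject]@{ Agent = $ProcessName; Status = $status; Path = $path; Signer = $subject }
    }
}

$results = foreach ($a in $ExpectedAgents) {
    Test-SecurityAgent -ProcessName $a.Process -ExpectedSigner $a.Signer
}
$results | Format-Table -AutoSize
```

Run it from an elevated shell so that the image path of services running as SYSTEM is readable. Any row whose Status is not OK means the product is absent or has been replaced, regardless of what the notification area shows; the camouflage program in this post would leave its own icon in the tray while the expected agent's row reads NOT RUNNING.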
Disclaimer: This article was originally published on the Pediy Software Security Forum (bbs.pediy.com); please credit the source when reposting!
PS: Brothers who deal in trojans or work in internet cafés are in luck: for instance, once you have killed some antivirus or switched to a virtual desktop, you can use this program to mimic the tray icon of the antivirus or network-management software and fool the network admin. Just extract the target program's icon into the program directory and edit the configuration file!