注入WINXP计算器的简单实例源码——》2012水哥巨献
程序代码:
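;=====================================================================
; Syntax : MASM / Intel.   Target: Win32 x86.   ABI: stdcall.
;
; A DLL that, once some other program has loaded it into the Windows XP
; calculator process (that loader is not part of this file), starts two
; threads from DllEntry:
;   _WinMain  - creates a "RemoteWindow" top-level window holding a
;               RichEdit control that serves as a log view.
;   _HookProc - finds the calculator main window by caption and
;               subclasses it (GWL_WNDPROC) with _Inject_dll_proc, which
;               appends the caption of every clicked button to the log.
; DllEntry puts the original window procedure back on detach so the host
; does not keep dispatching messages into unmapped code after FreeLibrary.
;=====================================================================
        .386
        .model flat, stdcall
        option casemap :none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include files
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include         windows.inc
include         kernel32.inc
include         user32.inc
include         debug.inc
include         masm32.inc
includelib      user32.lib
includelib      kernel32.lib
includelib      debug.lib
includelib      masm32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; L("text") - emits a NUL-terminated string into .const and expands to
; its offset, so a literal can be passed straight to invoke.
; (Only referenced from a commented-out MessageBox call below.)
L macro var:VARARG
        LOCAL @lbl
        .const
@lbl    db      var,0
        .code
        exitm   <offset @lbl>
endm

        .data?
hInstance       dd      ?               ; this DLL's module handle
hWinMain        dd      ?               ; log window (owned by the _WinMain thread)
RemoteHwnd      dd      ?               ; calculator main window; 0 while not subclassed
OldWndProc      dd      ?               ; original window procedure of RemoteHwnd
hThread1        dd      ?               ; _WinMain thread handle (closed right after creation)
hThread2        dd      ?               ; unused; kept for layout compatibility
hRichEditDLL    dd      ?               ; RichEd20.dll module handle
hwndRichEdit    dd      ?               ; RichEdit control inside hWinMain
_count          db      ?               ; captions logged since the last line break

        .const
RichEditDLL     db      "RichEd20.dll",0
RichEditClass   db      "RichEdit20A",0
szClassName     db      'RemoteClass',0
szCaptionMain   db      'RemoteWindow',0
szClac          db      '计算器',0        ; caption of the calculator main window
_ENTER          db      0Dh,0Ah,0       ; CR LF; NUL-terminated because it is passed as LPCTSTR
RichEditID      equ     300             ; child-window id of the RichEdit control
LOG_LINE_LIMIT  equ     30              ; captions per log line before a CR LF is inserted
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        .code
;---------------------------------------------------------------------
; void _appendInfo(LPCSTR _lpsz)
; Appends the string at _lpsz to the end of the RichEdit log view.
; In:    _lpsz = NUL-terminated text
; Clobb: none (pushad/popad). Does nothing while hwndRichEdit is still 0.
;---------------------------------------------------------------------
_appendInfo proc _lpsz
        local   @stCR:CHARRANGE

        pushad
        ; The log view is created on another thread, so a click may arrive
        ; before it exists; drop the text instead of sending to a NULL window.
        .if hwndRichEdit != 0
                invoke  GetWindowTextLength,hwndRichEdit
                mov     @stCR.cpMin,eax         ; move the insertion point to the end
                mov     @stCR.cpMax,eax
                invoke  SendMessage,hwndRichEdit,EM_EXSETSEL,0,addr @stCR
                invoke  SendMessage,hwndRichEdit,EM_REPLACESEL,FALSE,_lpsz
        .endif
        popad
        ret
_appendInfo endp

;---------------------------------------------------------------------
; LRESULT _Inject_dll_proc(HWND _hWnd, UINT _uMsg, WPARAM _wParam, LPARAM _lParam)
; Subclass window procedure installed on the calculator main window.
; On WM_COMMAND with BN_CLICKED from a child control it appends the
; control's caption to the log (a CR LF after every LOG_LINE_LIMIT
; captions), then forwards every message to the original procedure.
; Out:   eax = result of the original procedure (OldWndProc)
;---------------------------------------------------------------------
_Inject_dll_proc proc _hWnd,_uMsg,_wParam,_lParam
        local   @temp[260]:byte

        mov     eax,_uMsg
        .if eax == WM_COMMAND
                mov     edx,_wParam
                shr     edx,16                  ; edx = notification code (HIWORD)
                ; HIWORD(wParam) is also 0 for menu commands, which carry
                ; lParam == 0; only notifications from a real control are logged.
                .if edx == BN_CLICKED && _lParam != 0
                        invoke  GetWindowText,_lParam,addr @temp,sizeof @temp
                        invoke  _appendInfo,addr @temp
                        .if _count > LOG_LINE_LIMIT
                                invoke  _appendInfo,offset _ENTER
                                mov     _count,0
                        .endif
                        inc     _count
                .endif
        .endif
        ; Handled or not, every message continues to the original procedure.
        invoke  CallWindowProc,OldWndProc,_hWnd,_uMsg,_wParam,_lParam
        ret
_Inject_dll_proc endp

;---------------------------------------------------------------------
; DWORD _HookProc(LPVOID _lParam)     -- CreateThread start routine
; Waits briefly for the target UI, then finds the calculator main window
; by caption and installs _Inject_dll_proc as its window procedure.
; Declared with one parameter because LPTHREAD_START_ROUTINE is stdcall
; with one argument: the generated 'ret 4' must pop it.
; Out:   eax = 0
;---------------------------------------------------------------------
_HookProc proc _lParam
        ; int 3
        invoke  Sleep,1000
        invoke  FindWindow,0,offset szClac
        .if eax != 0
                mov     RemoteHwnd,eax
                invoke  SetWindowLong,RemoteHwnd,GWL_WNDPROC,offset _Inject_dll_proc
                ; SetWindowLong returns the previous procedure, or 0 on failure.
                ; Without a previous procedure there is nothing to forward to
                ; or restore, so forget the window again.
                ; NOTE: a message dispatched between SetWindowLong and the
                ; store below still sees OldWndProc == 0 (pre-existing race;
                ; SetWindowSubclass would avoid it).
                .if eax != 0
                        mov     OldWndProc,eax
                .else
                        mov     RemoteHwnd,0
                .endif
        .endif
        ; invoke MessageBox,NULL,L("found"),L("error"),MB_OK
        xor     eax,eax
        ret
_HookProc endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; LRESULT _ProcWinMain(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Window procedure of the log window: creates the RichEdit on WM_CREATE,
; keeps it sized to the client area on WM_SIZE, and ends the thread's
; message loop on WM_CLOSE. Everything else goes to DefWindowProc.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ProcWinMain proc uses ebx edi esi,hWnd,uMsg,wParam,lParam
        mov     eax,uMsg
        .if eax == WM_CLOSE
                invoke  DestroyWindow,hWnd
                invoke  PostQuitMessage,NULL
        ;****************************************************************
        .elseif eax == WM_CREATE
                invoke  CreateWindowEx,0,addr RichEditClass,0,\
                        WS_VISIBLE or ES_MULTILINE or WS_CHILD or WS_VSCROLL or WS_HSCROLL,\
                        CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,\
                        hWnd,RichEditID,hInstance,0
                ; No RichEdit (e.g. RichEd20.dll not loaded): returning -1 from
                ; WM_CREATE makes the outer CreateWindowEx fail instead of
                ; leaving a log window that can never show anything.
                .if eax == 0
                        mov     eax,-1
                        ret
                .endif
                mov     hwndRichEdit,eax
                invoke  SendMessage,hwndRichEdit,EM_LIMITTEXT,-1,0
        .elseif eax == WM_SIZE
                mov     eax,lParam
                mov     edx,eax
                and     eax,0FFFFh              ; LOWORD(lParam) = client width
                shr     edx,16                  ; HIWORD(lParam) = client height
                invoke  MoveWindow,hwndRichEdit,0,0,eax,edx,TRUE
        .else
                invoke  DefWindowProc,hWnd,uMsg,wParam,lParam
                ret
        .endif
        ;****************************************************************
        xor     eax,eax
        ret
_ProcWinMain endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; DWORD _WinMain(LPVOID _lParam)      -- CreateThread start routine
; Registers the log window class, creates and shows the log window and
; runs its message loop until WM_QUIT (or a GetMessage error). The class
; is unregistered again on exit so a later load of this DLL can register
; it afresh.
; Out:   eax = 0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_WinMain proc uses ebx esi edi _lParam
        local   @stWndClass:WNDCLASSEX
        local   @stMsg:MSG

        invoke  RtlZeroMemory,addr @stWndClass,sizeof @stWndClass
        ;****************************************************************
        ; Register the window class
        ;****************************************************************
        invoke  LoadCursor,0,IDC_ARROW
        mov     @stWndClass.hCursor,eax
        push    hInstance
        pop     @stWndClass.hInstance
        mov     @stWndClass.cbSize,sizeof WNDCLASSEX
        mov     @stWndClass.style,CS_HREDRAW or CS_VREDRAW
        mov     @stWndClass.lpfnWndProc,offset _ProcWinMain
        mov     @stWndClass.hbrBackground,COLOR_WINDOW + 1
        mov     @stWndClass.lpszClassName,offset szClassName
        invoke  RegisterClassEx,addr @stWndClass
        ;****************************************************************
        ; Create and show the window
        ;****************************************************************
        invoke  CreateWindowEx,WS_EX_CLIENTEDGE,offset szClassName,offset szCaptionMain,\
                WS_OVERLAPPEDWINDOW,\
                100,100,600,400,\
                NULL,NULL,hInstance,NULL
        mov     hWinMain,eax
        .if eax != 0
                invoke  ShowWindow,hWinMain,SW_SHOWNORMAL
                invoke  UpdateWindow,hWinMain
                ;********************************************************
                ; Message loop
                ;********************************************************
                .while TRUE
                        invoke  GetMessage,addr @stMsg,NULL,0,0
                        .break .if eax == 0     ; WM_QUIT
                        .break .if eax == -1    ; error; looping on it would spin forever
                        invoke  TranslateMessage,addr @stMsg
                        invoke  DispatchMessage,addr @stMsg
                .endw
        .endif
        invoke  UnregisterClass,offset szClassName,hInstance
        xor     eax,eax
        ret
_WinMain endp

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; BOOL DllEntry(HINSTANCE _hInstance, DWORD _dwReason, LPVOID _dwReserved)
; DLL_PROCESS_ATTACH: loads RichEd20.dll (required for the RichEdit class)
;   and starts the _WinMain and _HookProc threads; returns FALSE, which
;   makes the load fail, when RichEd20.dll cannot be loaded.
; DLL_PROCESS_DETACH: restores the original window procedure on the
;   subclassed window and frees RichEd20.dll.
; Note: LoadLibrary and CreateThread are issued from DllMain, i.e. under
;   the loader lock (the threads only start once DllMain returns), and the
;   _WinMain thread is not stopped on detach; both are kept from the
;   original design.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
DllEntry proc _hInstance,_dwReason,_dwReserved
        local   @dwThreadID
        local   @dwHookProc

        .if _dwReason == DLL_PROCESS_ATTACH
                push    _hInstance
                pop     hInstance
                invoke  LoadLibrary,addr RichEditDLL
                .if eax == 0
                        mov     eax,FALSE
                        ret
                .endif
                mov     hRichEditDLL,eax
                invoke  CreateThread,NULL,0,offset _WinMain,NULL,0,addr @dwThreadID
                mov     hThread1,eax
                invoke  CloseHandle,hThread1
                invoke  CreateThread,NULL,0,offset _HookProc,NULL,0,addr @dwHookProc
                invoke  CloseHandle,eax
        .elseif _dwReason == DLL_PROCESS_DETACH
                ; Unhook first: once this image is unmapped, the pointer left in
                ; GWL_WNDPROC would send every message into freed memory.
                .if RemoteHwnd != 0 && OldWndProc != 0
                        invoke  SetWindowLong,RemoteHwnd,GWL_WNDPROC,OldWndProc
                        mov     RemoteHwnd,0
                .endif
                invoke  FreeLibrary,hRichEditDLL
        .endif
        mov     eax,TRUE
        ret
DllEntry endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
End DllEntry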