用户态调用系统服务
还在GetProcAddress?还在暴力搜索API?还在哈希计算API?现在就体验直接调用系统服务的快感,绕开USER32 GDI32吧。
演示的是通过系统服务直接枚举窗口;文件、内存、进程、线程等服务的调用方式与此雷同。
需要注意两点:系统服务号(本例中的 1138h)随 Windows 版本而变化,因此程序只在 GetVersionEx 报告 5.1(Windows XP)时才发起该调用;另外本例为了取窗口标题和输出结果仍然使用了 USER32(GetWindowText)、KERNEL32(GlobalAlloc/WriteConsole)和 MSVCRT(sprintf),所谓"脱离 WIN32 DLL 的束缚"仅指枚举窗口这一步不再经过 USER32。
;--------------------------------------------------------------------------------
;程序设计:中国·旓旓
;版权所有:旓旓软件 2003-2013
;禁止任何修改与盗版
;请访问64位汇编语言官方站 Http://Www.
;电子邮件 WebMaster@ Tel:1821548**** QQ:6405035 6405038
;官方论坛:Http://Www. 官方QQ群:10126494
;--------------------------------------------------------------------------------
;程序环境设置
; Target: 32-bit x86 (P6 instruction set plus SSE), flat memory model.
; stdcall is the default convention for PROC/invoke; the raw system-service stubs
; below are called with plain `call` and clean their own arguments.
.686
.xmm
.model flat,stdcall
; Symbols are case-sensitive (required by the Win32 include files).
option casemap:none
;--------------------------------------------------------------------------------
;头文件与库文件导入
include SvcGui.Inc
include windows.inc
include kernel32.inc
include user32.inc
include advapi32.inc
include shell32.inc
include ws2_32.inc
include gdi32.inc
include ntdll.inc
include comctl32.inc
include comdlg32.inc
include shlwapi.inc
include msvcrt.inc
includelib kernel32.lib
includelib user32.lib
includelib advapi32.lib
includelib shell32.lib
includelib WS2_32.Lib
includelib gdi32.lib
includelib ntdll.lib
includelib comctl32.lib
includelib comdlg32.lib
includelib shlwapi.lib
includelib msvcrt.lib
;--------------------------------------------------------------------------------
;常量定义
ICON_LOGO EQU 1 ; resource ID of the application icon handed to LoadIcon in ConsoleEntry
;--------------------------------------------------------------------------------
; Window-information record (60 bytes).  Declared here but not referenced by any
; code in this file.  NOTE(review): looks like the Win32 WINDOWINFO used with
; GetWindowInfo, in which case cbSize must be set to sizeof WINDOWINFO before the
; call - confirm before using it.
WINDOWINFO STRUCT
cbSize DWORD ?                  ; size of this structure in bytes
rcWindow RECT <>
rcClient RECT <>
dwStyle DWORD ?
dwExStyle DWORD ?
dwWindowStatus DWORD ?
cxWindowBorders DWORD ?
cyWindowBorders DWORD ?
atomWindowType WORD ?
wCreatorVersion WORD ?
WINDOWINFO ENDS
;--------------------------------------------------------------------------------
;已初始化数据段
.data
;--------------------------------------------------------------------------------
;未初始化数据段
.data?
hInstance DWORD ?    ; module handle from GetModuleHandle(NULL), set at start
lpCommand DWORD ?    ; raw command line from GetCommandLine; passed to ConsoleEntry, which does not use it
;--------------------------------------------------------------------------------
;常量段
.const
szConTitle BYTE "旓旓软件窗口枚举程序",0                                                   ; console window title (SetConsoleTitle)
szCopyRight BYTE "旓旓软件窗口枚举程序,版权所有;旓旓,2003-2013,保留所有权利.",0DH,0AH,0      ; banner written on startup
szInvalidVersion BYTE "错误的操作系统版本,本程序目前只支持WINDOWS XP",0DH,0AH,0              ; printed when GetVersionEx is not 5.1 (Windows XP)
szWndFormat BYTE "窗口标题:%s",0DH,0AH,0                                                   ; sprintf format: "Window title: %s\r\n"
;--------------------------------------------------------------------------------
;代码段
.code
;--------------------------------------------------------------------------------
;--------------------------------------------------------------------------------
; X86FastSystemCall: raw sysenter trampoline, shaped like a service-call stub.
; In:  EAX = system service index (set by the caller, e.g. X86NtUserBuildHwndList)
;      EDX = user-mode ESP (set here, read by the kernel entry point)
; This stub is only reached by `call` from a service stub that was itself
; `call`ed with the arguments already on the stack, so at `sysenter` there are
; exactly two return addresses between ESP and the first argument.
; NOTE(review): the kernel presumably locates the argument block relative to the
; ESP handed over in EDX, so calling this stub from any other depth would make
; it read the wrong DWORDs as arguments - confirm against ntdll!KiFastSystemCall
; on the target build.
; NOTE(review): after sysenter the kernel resumes user mode at the return
; address it chooses itself, so the `ret` below may never execute here -
; confirm against ntdll!KiFastSystemCallRet.
; Nothing checks that the CPU supports sysenter or that the running OS uses
; this entry layout; the only guard is the version check in ConsoleEntry.
;--------------------------------------------------------------------------------
X86FastSystemCall PROC
mov edx,esp      ; hand the user stack pointer to the kernel
sysenter         ; enter the kernel: service index in EAX, user ESP in EDX
ret
X86FastSystemCall ENDP
;系统服务号随操作系统版本而变化(下面的 1138h 只对 Windows XP 有效),必须按 OS 区分;在其他版本上会以同样的参数调用另一个不相关的服务
;--------------------------------------------------------------------------------
; X86NtUserBuildHwndList: direct system-service stub for NtUserBuildHwndList.
; Caller pushes the service's 7 DWORD arguments (right to left), `call`s this
; stub and removes the arguments itself afterwards (see X86EnumWindows).
; 1138h is the service index used for Windows XP (5.1); the index is specific
; to the OS build, which is why ConsoleEntry refuses to run on anything else.
; NOTE(review): verify 1138h against every XP service pack the program is run
; on - with a wrong index the kernel executes an unrelated service with these
; arguments.
; Out: EAX = presumably the NTSTATUS returned by the service (the caller does
;      not examine it).
;--------------------------------------------------------------------------------
X86NtUserBuildHwndList PROC
mov eax,01138H   ; service index for NtUserBuildHwndList on Windows XP
call X86FastSystemCall
ret
X86NtUserBuildHwndList ENDP
;--------------------------------------------------------------------------------
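HWND_HEADROOM EQU 64         ; extra slots for windows created between the two service calls
MAX_HWND_SLOTS EQU 10000h    ; sanity cap on the reported count so slots*4 cannot wrap
;--------------------------------------------------------------------------------
; X86EnumWindows: enumerate windows through the NtUserBuildHwndList system
; service (no user32!EnumWindows) and print every window title to the console.
; Windows XP (5.1) only - the service index lives in X86NtUserBuildHwndList.
;
; In:   @hConsole  console output handle for WriteConsole
; Out:  nothing meaningful in EAX; EBX/EDI/ESI preserved through USES
;
; Argument order pushed below (right to left) follows the 7-parameter prototype
;   NtUserBuildHwndList(hdesk, hwndNext, fEnumChildren, idThread, cHwndMax,
;                       phwndFirst, pcHwndNeeded)   - TODO confirm on the target build
;
; Fix: the buffer passed to the kernel is now sized from the count the kernel
; reported, and cHwndMax always equals the buffer's capacity.  The previous
; version allocated a fixed 8192 bytes (2048 HWNDs) but told the kernel
; cHwndMax = reported count, so a desktop with more than 2048 windows let the
; service write past the end of the allocation.
;--------------------------------------------------------------------------------
X86EnumWindows PROC USES EBX EDI ESI @hConsole:DWORD
LOCAL @dwMaxHwnd:DWORD     ; buffer capacity in HWND slots (== cHwndMax given to the kernel)
LOCAL @lpHwnd:DWORD        ; GlobalAlloc'ed HWND array
LOCAL @dwCount:DWORD       ; pcHwndNeeded - count written back by the kernel
LOCAL @dwcbBuffer:DWORD    ; length of the formatted line
LOCAL @dwWritten:DWORD
LOCAL @szTitle[128]:BYTE
LOCAL @szBuffer[256]:BYTE
mov @lpHwnd,0
mov @dwCount,0
mov @dwMaxHwnd,0
;--- pass 1: cHwndMax = 0 and phwndFirst = NULL, so the kernel only reports the count needed
lea eax,@dwCount
push eax                   ; pcHwndNeeded
push NULL                  ; phwndFirst
push @dwMaxHwnd            ; cHwndMax (0)
push 0                     ; idThread
push FALSE                 ; fEnumChildren
push NULL                  ; hwndNext
push NULL                  ; hdesk
call X86NtUserBuildHwndList
add esp,sizeof dword * 7   ; the service stub does not remove its arguments
;--- size the buffer from the reported count plus headroom, capped so the byte count cannot overflow
mov eax,@dwCount
.if eax > MAX_HWND_SLOTS
mov eax,MAX_HWND_SLOTS
.endif
add eax,HWND_HEADROOM
mov @dwMaxHwnd,eax
shl eax,2                  ; bytes = slots * sizeof HWND
invoke GlobalAlloc,GMEM_FIXED or GMEM_ZEROINIT,eax
.if eax
mov @lpHwnd,eax
;--- pass 2: fill the buffer; cHwndMax is exactly its capacity
lea eax,@dwCount
push eax
push @lpHwnd
push @dwMaxHwnd
push 0
push FALSE
push NULL
push NULL
call X86NtUserBuildHwndList
add esp,sizeof dword * 7
;--- print min(@dwCount,@dwMaxHwnd) entries: never trust the returned count past the buffer
mov ecx,@dwCount
.if ecx > @dwMaxHwnd
mov ecx,@dwMaxHwnd
.endif
mov ebx,ecx                ; ebx = entries to print
mov esi,@lpHwnd            ; esi = current HWND slot
xor edi,edi                ; edi = index
.while edi < ebx
mov @szTitle[0],0          ; a destroyed HWND makes GetWindowText fail; print an empty title then
mov ecx,[esi]
invoke GetWindowText,ecx,addr @szTitle,sizeof @szTitle
invoke sprintf,addr @szBuffer,addr szWndFormat,addr @szTitle
invoke strlen,addr @szBuffer
mov @dwcbBuffer,eax
invoke WriteConsole,@hConsole,addr @szBuffer,@dwcbBuffer,addr @dwWritten,NULL
add esi,sizeof dword
inc edi
.endw
invoke GlobalFree,@lpHwnd
.endif
ret
X86EnumWindows ENDP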
;--------------------------------------------------------------------------------
;--------------------------------------------------------------------------------
; CtrlHandler: console control handler installed via SetConsoleCtrlHandler.
; In:  @dwCtrlType  CTRL_* event code
; Out: EAX = TRUE (event reported as handled) for every event that does not exit
; Ctrl+C and Ctrl+Break terminate the process with exit code 0 (ExitProcess never
; returns); every other event is simply reported as handled.
;--------------------------------------------------------------------------------
CtrlHandler PROC USES EBX EDI ESI @dwCtrlType:DWORD
mov eax,@dwCtrlType
cmp eax,CTRL_C_EVENT
je ctrl_exit_process
cmp eax,CTRL_BREAK_EVENT
jne ctrl_handled
ctrl_exit_process:
invoke ExitProcess,NULL
ctrl_handled:
mov eax,TRUE
ret
CtrlHandler ENDP
;--------------------------------------------------------------------------------
;--------------------------------------------------------------------------------
; ConsoleEntry: creates and styles a console, gates on the OS version, runs the
; window enumeration and waits for console input before tearing the console down.
; In:  @hInstance  module handle (used for LoadIcon)
;      @lpCommand  command line (not used)
; Out: nothing meaningful in EAX
; Return values of the console/window calls are not checked; an invalid handle
; from GetStdHandle simply makes the later calls fail silently.
;--------------------------------------------------------------------------------
ConsoleEntry PROC USES EBX EDI ESI @hInstance:DWORD,@lpCommand:DWORD
LOCAL @hConsole:DWORD           ; HWND of the console window
LOCAL @hIcon:DWORD
LOCAL @hConsoleIn:DWORD         ; STD_INPUT_HANDLE
LOCAL @hConsoleOut:DWORD        ; STD_OUTPUT_HANDLE
LOCAL @stCoord:COORD
LOCAL @stConScrBuff:CONSOLE_SCREEN_BUFFER_INFO
LOCAL @dwcbInput:DWORD
LOCAL @dwcbWrite:DWORD
LOCAL @szInput[1024]:BYTE
LOCAL @OsVersionInfoEx:OSVERSIONINFOEX
;create the console
invoke AllocConsole
;window handle of the console
invoke GetConsoleWindow
mov @hConsole,eax
;make the console window translucent (layered, alpha 200/255)
invoke GetWindowLong,@hConsole,GWL_EXSTYLE
or eax,WS_EX_LAYERED
invoke SetWindowLong,@hConsole,GWL_EXSTYLE,eax
invoke SetLayeredWindowAttributes,@hConsole,0,200,LWA_ALPHA
;window icon
invoke LoadIcon,@hInstance,ICON_LOGO
mov @hIcon,eax
invoke SendMessage,@hConsole,WM_SETICON,ICON_SMALL,@hIcon
;standard input/output handles
invoke GetStdHandle,STD_INPUT_HANDLE
mov @hConsoleIn,eax
invoke GetStdHandle,STD_OUTPUT_HANDLE
mov @hConsoleOut,eax
;console modes; CtrlHandler turns Ctrl+C / Ctrl+Break into ExitProcess
invoke SetConsoleMode,@hConsoleIn,ENABLE_LINE_INPUT or ENABLE_ECHO_INPUT or ENABLE_PROCESSED_INPUT
invoke SetConsoleCtrlHandler,addr CtrlHandler,TRUE
;screen buffer 140x40 (COORD is passed by value as a single DWORD)
mov @stCoord.x,140
mov @stCoord.y,40
mov eax,@stCoord
invoke SetConsoleScreenBufferSize,@hConsoleOut,eax
;read the current window rectangle ...
invoke GetConsoleScreenBufferInfo,@hConsoleOut,addr @stConScrBuff
;... and shrink it to the new buffer (0..139 x 0..39)
mov @stConScrBuff.srWindow.Right,139
mov @stConScrBuff.srWindow.Bottom,39
invoke SetConsoleWindowInfo,@hConsoleOut,TRUE,addr @stConScrBuff.srWindow
;bright green text
invoke SetConsoleTextAttribute,@hConsoleOut,FOREGROUND_GREEN or FOREGROUND_INTENSITY
;title and banner
invoke SetConsoleTitle,addr szConTitle
invoke WriteConsole,@hConsoleOut,addr szCopyRight,sizeof szCopyRight -1,addr @dwcbWrite,NULL
;OS version gate: the hard-coded service index in X86NtUserBuildHwndList is only
;valid on Windows XP (major 5, minor 1); any other version prints szInvalidVersion.
;NOTE(review): this check is the only thing preventing a raw sysenter with a wrong
;service index, and a service pack that renumbers the table would still pass it -
;confirm 1138h against every XP service pack the program is meant to run on.
invoke RtlZeroMemory,addr @OsVersionInfoEx,sizeof @OsVersionInfoEx
mov @OsVersionInfoEx.dwOSVersionInfoSize,sizeof @OsVersionInfoEx
invoke GetVersionEx,addr @OsVersionInfoEx
.if @OsVersionInfoEx.dwMajorVersion ==5 && @OsVersionInfoEx.dwMinorVersion ==1
invoke X86EnumWindows,@hConsoleOut
.else
invoke WriteConsole,@hConsoleOut,addr szInvalidVersion,sizeof szInvalidVersion -1,addr @dwcbWrite,NULL
.endif
;wait for the user: read one line, and a second one if the first read succeeded
invoke ReadConsole,@hConsoleIn,addr @szInput,sizeof @szInput,addr @dwcbInput,NULL
.if eax
invoke ReadConsole,@hConsoleIn,addr @szInput,sizeof @szInput,addr @dwcbInput,NULL
.endif
;release the standard handles
invoke CloseHandle,@hConsoleIn
invoke CloseHandle,@hConsoleOut
;release the console
invoke FreeConsole
ret
ConsoleEntry ENDP
;--------------------------------------------------------------------------------
; Program entry point: collects the module handle and command line, initialises
; the common controls and hands control to ConsoleEntry; the process exits with
; code 0 when ConsoleEntry returns.
start:
;module handle of this executable
invoke GetModuleHandle,NULL
mov hInstance,eax
;raw command line (ConsoleEntry receives it but does not use it)
invoke GetCommandLine
mov lpCommand,eax
;initialise the common controls library
invoke InitCommonControls
;run the console program
invoke ConsoleEntry,hInstance,lpCommand
;terminate the process
invoke ExitProcess,NULL
;declare the entry point
end start