代码实现: inject.inc
; inject.inc — include files, import libraries, prototypes and data shared by
; the .asm listing below (MASM32, 32-bit Win32, stdcall).
; NOTE(review): shell32.inc/shell32.lib are pulled in but nothing in the visible
; code references a shell32 export; Comctl32 is needed for InitCommonControls.
include windows.inc
include kernel32.inc
include user32.inc
include Comctl32.inc
include shell32.inc
includelib kernel32.lib
includelib user32.lib
includelib Comctl32.lib
includelib shell32.lib

; Dialog procedure defined in the .asm file; referenced by DialogBoxParam.
DlgProc PROTO :HWND,:UINT,:WPARAM,:LPARAM
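.const
; Resource ids (the dialog template itself is in a resource script not shown here).
IDD_DIALOG1        equ 101                  ; main dialog
IDC_BTNINJECTION   equ 1001                 ; "inject" push button

; Window title used to locate the target process ("Untitled - Notepad", Chinese locale).
msg_title          db "无标题 - 记事本",0
; Module and export name resolved with LoadLibrary/GetProcAddress in Inject.
msg_USER32         db "user32.dll",0
msg_MESSAGEBOX     db "MessageBoxA",0
; User-facing error strings ("process not found" / "error").
MSG_NOFUND         db "没有找到进程",0
MSG_ERROR          db "错误",0
; "error opening process" / "error writing code" — defined but not referenced by
; the visible Inject, whose OpenProcess/WriteProcessMemory results go unchecked.
MSG_OPENERROR      DB "打开进程出错",0
; Fix: the original line ended in a bare comma with no terminating 0, so the
; string had no NUL terminator (and a trailing comma is a line continuation in MASM).
MSG_WRITEERROR     DB "写入代码出错",0
;#########################################################################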
.data?
hInstance dd ?                              ; this module's handle; filled in at start from GetModuleHandle
;#########################################################################
inject.asm
.386
.model flat, stdcall                        ;32 bit memory model
option casemap :none                        ;case sensitive
; NOTE(review): the listing above is titled "inject.inc" but the file included
; here is "Injection.inc" — one of the two names is wrong.
include Injection.inc
.code
;-----------------------------------------------------------------------
; Position-independent stub that Inject copies into the target process and
; starts with CreateRemoteThread. It calls MessageBoxA(NULL, NULL, NULL, MB_OK)
; through an absolute address that Inject patches into the mov immediate.
; Layout: labMessagebox is "mov eax, imm32" (B8 xx xx xx xx), so the 4-byte
; operand lives at [labMessagebox+1]; 12345678h is only a placeholder.
; Assumes: user32.dll is mapped at the same base in the target as in this
; process — the stub resolves nothing itself. (TODO confirm for the target.)
; retn 4: the stub runs as a stdcall ThreadProc with one dword argument
; (the NULL lpParameter passed by CreateRemoteThread), so it pops 4 bytes.
; Note: the stub lives in .text, which is why Inject calls VirtualProtect on
; this range before patching it (self-modifying code, W^X in this process).
;-----------------------------------------------------------------------
INJECTION_START:
        push    MB_OK                       ; uType
        push    0                           ; lpCaption = NULL
        push    0                           ; lpText    = NULL
        push    0                           ; hWnd      = NULL
labMessagebox:
        mov     eax, 12345678h              ; placeholder; replaced with MessageBoxA's address
        call    eax
        retn    4
INJECTION_END:
.code                                       ; redundant — still in .code
;-----------------------------------------------------------------------
; Inject
; Purpose: copies INJECTION_START..INJECTION_END into the process that owns
;          the msg_title window and runs it on a remote thread.
; ABI:     stdcall, no parameters; eax is not a meaningful return value
;          (the only caller ignores it).
; Steps:   FindWindow -> GetWindowThreadProcessId -> OpenProcess(PROCESS_ALL_ACCESS)
;          -> patch stub with MessageBoxA's address -> VirtualAllocEx(RWX)
;          -> WriteProcessMemory -> CreateRemoteThread.
; NOTE(review): only FindWindow's result is checked. OpenProcess, VirtualAllocEx,
;          WriteProcessMemory and CreateRemoteThread can all fail and their
;          results are used as-is, even though MSG_OPENERROR/MSG_WRITEERROR
;          exist in the include file for exactly those cases.
; NOTE(review): neither @hPorcess nor the thread handle returned by
;          CreateRemoteThread is closed — a handle leak in this process.
; Detection: a cross-process handle with full access, an RWX allocation in that
;          process, a memory write and a remote thread start are, in this order,
;          the canonical remote-thread injection pattern that host-based
;          monitoring (EDR, Sysmon event 8/10) keys on.
;-----------------------------------------------------------------------
Inject proc
        LOCAL @hwnd:HWND
        LOCAL @pid:dword
        LOCAL @hPorcess:HANDLE              ; (sic) handle to the target process
        LOCAL @bCode:PVOID                  ; address of the stub inside the target
        LOCAL @hMod:HMODULE                 ; user32.dll handle in this process
        LOCAL @old:dword                    ; previous protection of the stub's page

        ;1. locate the target process via its top-level window title
        invoke  FindWindow,NULL,offset msg_title
        ;check eax!=NULL
        .if eax == NULL
            invoke  MessageBox,NULL,offset MSG_NOFUND,offset MSG_ERROR,MB_OK
            ret
        .endif
        mov     @hwnd,eax

        ;2. open the process (result not checked — see header)
        invoke  GetWindowThreadProcessId,@hwnd,addr @pid
        ;check
        invoke  OpenProcess,PROCESS_ALL_ACCESS,FALSE,@pid
        mov     @hPorcess,eax

        ;3. patch the API address into the stub. The stub sits in .text, so the
        ;   page is first made writable; @old (the previous protection) is never restored.
        invoke  VirtualProtect,offset INJECTION_START,INJECTION_END-INJECTION_START,PAGE_EXECUTE_READWRITE,addr @old
        invoke  LoadLibrary,offset msg_USER32
        mov     @hMod,eax
        invoke  GetProcAddress,@hMod,offset msg_MESSAGEBOX
        mov     dword ptr [labMessagebox+1],eax     ; overwrite the imm32 of "mov eax, 12345678h"

        ;4. allocate memory in the target and write the stub.
        ;   1000H (4 KiB) is a magic size; the stub is far smaller. Result unchecked.
        invoke  VirtualAllocEx,@hPorcess,NULL,1000H,MEM_COMMIT,PAGE_EXECUTE_READWRITE
        mov     @bCode,eax
        invoke  WriteProcessMemory,@hPorcess,@bCode,INJECTION_START,INJECTION_END-INJECTION_START,NULL

        ;5. run the stub on a remote thread (thread handle is dropped, not closed)
        invoke  CreateRemoteThread,@hPorcess,NULL,0,@bCode,NULL,0,NULL
        ret
Inject endp
;-----------------------------------------------------------------------
; Program entry point: records the module handle, initialises the common
; controls library, runs the modal dialog and exits with code 0.
; The dialog's return value is discarded.
;-----------------------------------------------------------------------
start:
        invoke  GetModuleHandle,NULL
        mov     hInstance,eax
        invoke  InitCommonControls
        invoke  DialogBoxParam,hInstance,IDD_DIALOG1,NULL,addr DlgProc,NULL
        invoke  ExitProcess,0
;########################################################################
;-----------------------------------------------------------------------
; BOOL DlgProc(HWND hWin, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Dialog procedure for IDD_DIALOG1.
;   WM_INITDIALOG : nothing to set up, reports handled (TRUE)
;   WM_COMMAND    : the inject button runs Inject; reports handled (TRUE)
;   WM_CLOSE      : ends the dialog with result 0; reports handled (TRUE)
;   anything else : not handled (FALSE)
; Note: wParam is compared as a whole dword, so the notification code in its
; high word must be 0 (BN_CLICKED) for the button to be recognised.
;-----------------------------------------------------------------------
DlgProc proc hWin:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
        mov     eax,uMsg
        .if eax == WM_COMMAND
            .if wParam == IDC_BTNINJECTION
                invoke  Inject
            .endif
        .elseif eax == WM_CLOSE
            invoke  EndDialog,hWin,0
        .elseif eax != WM_INITDIALOG
            ; unhandled message
            mov     eax,FALSE
            ret
        .endif
        ; WM_INITDIALOG, WM_COMMAND and WM_CLOSE all fall through to here
        mov     eax,TRUE
        ret
DlgProc endp
end start
利用汇编注入代码到其他进程