代码实现 (implementation): inject.inc — constants, strings and globals shared with inject.asm
include windows.inc
include kernel32.inc
include user32.inc
include Comctl32.inc
include shell32.inc
includelib kernel32.lib
includelib user32.lib
includelib Comctl32.lib
includelib shell32.lib
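; Dialog procedure, defined in inject.asm (stdcall, four DWORD arguments).
DlgProc PROTO :HWND, :UINT, :WPARAM, :LPARAM

.const
; Resource IDs: the main dialog template and its "inject" push button.
IDD_DIALOG1         equ 101
IDC_BTNINJECTION    equ 1001

; Caption of the target window, i.e. "Untitled - Notepad" on a Chinese-UI
; Windows.  NOTE(review): locating the target by window caption is locale-
; and state-dependent (the caption changes once the document is saved or on
; another UI language); confirm this matches the intended test machine.
msg_title           db "无标题 - 记事本", 0

; Module and export whose address is resolved in the injector and patched
; into the stub before it is copied into the target.
msg_USER32          db "user32.dll", 0
msg_MESSAGEBOX      db "MessageBoxA", 0

; User-facing error strings (Chinese UI).  All are NUL-terminated; the
; original MSG_WRITEERROR ended in a dangling comma and had no terminator,
; which is both an assembly error and an unterminated C string.
MSG_NOFUND          db "没有找到进程", 0           ; "process not found"
MSG_ERROR           db "错误", 0                   ; "error" (message caption)
MSG_OPENERROR       DB "打开进程出错", 0           ; "failed to open process"
MSG_WRITEERROR      DB "写入代码出错", 0           ; "failed to write code"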
;#########################################################################
.data?
; Module handle of this executable.  Assigned once at `start` from
; GetModuleHandle(NULL) and passed to DialogBoxParam as the owning instance.
hInstance           DWORD ?
;#########################################################################
inject.asm
; inject.asm -- 32-bit Win32 code injector (MASM32).  Copies a small
; MessageBoxA stub into the Notepad process found by window caption and runs
; it there on a remote thread.  Target: x86, flat model, stdcall ABI.
.386
.model flat, stdcall ; 32-bit flat memory model, Win32 stdcall calling convention
option casemap :none ; symbol names are case-sensitive (required by the Win32 .inc files)
; NOTE(review): the companion header is titled "inject.inc" on this page but
; is included here as "Injection.inc".  The two names must agree with the
; on-disk file or this does not assemble -- confirm which is correct.
include Injection.inc
.code
;-----------------------------------------------------------------------
; Injected stub:  DWORD WINAPI ThreadProc(LPVOID unused)
;
; The byte range [INJECTION_START, INJECTION_END) is copied verbatim into
; the target process by Inject and started with CreateRemoteThread, so it
; must not contain any reference that is only valid in this process.  The
; one absolute value it needs -- the address of MessageBoxA -- is patched by
; Inject into the imm32 of the `mov eax, ...` below (at labMessagebox+1)
; before the copy is made.  The encoding of that instruction (B8 imm32) is
; therefore part of the contract: do not change it or insert anything
; between labMessagebox and the immediate.
;
; NOTE(review): the patched pointer is only valid if user32.dll is mapped
; at the same base in the target as in this process -- confirm for the
; target environment.
;
; Effect in the target: MessageBoxA(NULL, NULL, NULL, MB_OK); its return
; value is left in eax as the thread exit code.
;-----------------------------------------------------------------------
INJECTION_START:
push MB_OK           ; uType
push 0               ; lpCaption = NULL
push 0               ; lpText    = NULL
push 0               ; hWnd      = NULL
labMessagebox:
mov eax,12345678h    ; placeholder imm32, overwritten with &MessageBoxA
call eax             ; stdcall: MessageBoxA pops its own 16 bytes of arguments
retn 4               ; ThreadProc is stdcall with one LPVOID arg -> pop it on return
INJECTION_END:
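.code
;-----------------------------------------------------------------------
; void Inject(void)
;
; Copies the stub [INJECTION_START, INJECTION_END) into the process whose
; main window caption is msg_title and executes it on a remote thread.
; Failures are reported with a MessageBox; nothing meaningful is returned.
;
; Changes vs. the original:
;   * every API result is checked -- previously a NULL handle or pointer
;     from OpenProcess / LoadLibrary / GetProcAddress / VirtualAllocEx was
;     passed straight into the next call, and a failed WriteProcessMemory
;     still started the remote thread;
;   * the process is opened with only the rights CreateRemoteThread,
;     VirtualAllocEx and WriteProcessMemory need, not PROCESS_ALL_ACCESS;
;   * the protection of our own code page is restored after the patch
;     instead of being left RWX;
;   * the process and thread handles are closed, and a partially written
;     remote allocation is released on failure.
;-----------------------------------------------------------------------
Inject proc
    LOCAL @hwnd:HWND
    LOCAL @pid:DWORD
    LOCAL @hProcess:HANDLE
    LOCAL @hThread:HANDLE
    LOCAL @pRemote:PVOID            ; stub copy in the target; NULL until allocated
    LOCAL @hMod:HMODULE
    LOCAL @pfnMessageBox:DWORD
    LOCAL @oldProtect:DWORD
    LOCAL @unusedProtect:DWORD

    mov @pRemote, NULL

    ; 1. Locate the target by its main window caption.
    invoke FindWindow, NULL, offset msg_title
    .if eax == NULL
        invoke MessageBox, NULL, offset MSG_NOFUND, offset MSG_ERROR, MB_OK
        ret
    .endif
    mov @hwnd, eax

    ; 2. Map the window to its owning process and open it with the minimal
    ;    access set: this is what CreateRemoteThread is documented to need
    ;    and it also covers VirtualAllocEx / WriteProcessMemory.
    invoke GetWindowThreadProcessId, @hwnd, addr @pid
    .if eax == 0
        invoke MessageBox, NULL, offset MSG_OPENERROR, offset MSG_ERROR, MB_OK
        ret
    .endif
    invoke OpenProcess, PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ, FALSE, @pid
    .if eax == NULL
        invoke MessageBox, NULL, offset MSG_OPENERROR, offset MSG_ERROR, MB_OK
        ret
    .endif
    mov @hProcess, eax

    ; 3. Resolve MessageBoxA here and patch its address into the stub's
    ;    `mov eax, imm32` (the imm32 begins one byte after labMessagebox).
    ;    The stub lives in our own .code section (read+execute), so the page
    ;    is made writable only for the patch and then restored.
    ;    NOTE(review): the patched pointer assumes user32.dll is mapped at
    ;    the same base in the target as in this process -- confirm.
    invoke LoadLibrary, offset msg_USER32
    .if eax == NULL
        jmp fail_generic
    .endif
    mov @hMod, eax
    invoke GetProcAddress, @hMod, offset msg_MESSAGEBOX
    .if eax == NULL
        jmp fail_generic
    .endif
    mov @pfnMessageBox, eax
    invoke VirtualProtect, offset INJECTION_START, INJECTION_END-INJECTION_START, PAGE_EXECUTE_READWRITE, addr @oldProtect
    .if eax == 0
        jmp fail_write
    .endif
    mov eax, @pfnMessageBox
    mov dword ptr [labMessagebox+1], eax
    invoke VirtualProtect, offset INJECTION_START, INJECTION_END-INJECTION_START, @oldProtect, addr @unusedProtect

    ; 4. Allocate executable memory in the target and copy the stub there.
    ;    The size is the exact stub length; the kernel rounds it up to a page.
    invoke VirtualAllocEx, @hProcess, NULL, INJECTION_END-INJECTION_START, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
    .if eax == NULL
        jmp fail_write
    .endif
    mov @pRemote, eax
    invoke WriteProcessMemory, @hProcess, @pRemote, offset INJECTION_START, INJECTION_END-INJECTION_START, NULL
    .if eax == 0
        jmp fail_write
    .endif

    ; 5. Run the stub on a new thread in the target.  We do not wait for it:
    ;    our thread handle is released at once and the remote allocation is
    ;    deliberately left mapped because the stub executes from it.
    invoke CreateRemoteThread, @hProcess, NULL, 0, @pRemote, NULL, 0, NULL
    .if eax == NULL
        jmp fail_generic
    .endif
    mov @hThread, eax
    invoke CloseHandle, @hThread
    invoke CloseHandle, @hProcess
    ret

fail_write:
    invoke MessageBox, NULL, offset MSG_WRITEERROR, offset MSG_ERROR, MB_OK
    jmp cleanup
fail_generic:
    invoke MessageBox, NULL, offset MSG_ERROR, offset MSG_ERROR, MB_OK
cleanup:
    ; Undo a partial injection and drop the process handle.
    .if @pRemote != NULL
        invoke VirtualFreeEx, @hProcess, @pRemote, 0, MEM_RELEASE
    .endif
    invoke CloseHandle, @hProcess
    ret
Inject endp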
;-----------------------------------------------------------------------
; Program entry point: run the injector dialog modally, then exit.
;-----------------------------------------------------------------------
start:
    invoke GetModuleHandle, NULL
    mov hInstance, eax              ; owning instance for the dialog
    invoke InitCommonControls       ; set up the common-controls library before creating the dialog
    invoke DialogBoxParam, hInstance, IDD_DIALOG1, NULL, offset DlgProc, NULL
    invoke ExitProcess, 0
;########################################################################
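;-----------------------------------------------------------------------
; INT_PTR CALLBACK DlgProc(HWND hWin, UINT uMsg, WPARAM wParam, LPARAM lParam)
;
; Dialog procedure for IDD_DIALOG1.  Handles WM_INITDIALOG (nothing to set
; up), WM_COMMAND (the inject button) and WM_CLOSE (end the dialog), and
; returns TRUE for those; every other message returns FALSE so the dialog
; manager applies default processing.
;-----------------------------------------------------------------------
DlgProc proc hWin:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    mov eax, uMsg
    .if eax == WM_INITDIALOG
        ; Nothing to initialise; returning TRUE lets the dialog manager
        ; place the keyboard focus.
    .elseif eax == WM_COMMAND
        ; wParam packs the control ID in the low word and the notification
        ; code in the high word.  The original compared the whole wParam
        ; against the ID, which only matched when the high word was 0
        ; (== BN_CLICKED); this is the same test, spelled out.
        mov edx, wParam
        movzx ecx, dx               ; ecx = control ID
        shr edx, 16                 ; edx = notification code
        .if ecx == IDC_BTNINJECTION && edx == BN_CLICKED
            invoke Inject
        .endif
    .elseif eax == WM_CLOSE
        invoke EndDialog, hWin, 0
    .else
        mov eax, FALSE              ; not handled -> default processing
        ret
    .endif
    mov eax, TRUE
    ret
DlgProc endp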
end start