利用汇编注入代码到其他进程


代码实现: inject.inc
include windows.inc
include kernel32.inc
include user32.inc
include Comctl32.inc
include shell32.inc

includelib kernel32.lib
includelib user32.lib
includelib Comctl32.lib
includelib shell32.lib

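; Forward declaration for the dialog procedure (MASM stdcall PROTO).
DlgProc PROTO :HWND,:UINT,:WPARAM,:LPARAM

.const

IDD_DIALOG1         equ 101                     ; dialog resource id
IDC_BTNINJECTION    equ 1001                    ; "inject" push button id
msg_title           db "无标题 - 记事本",0       ; window title the injector looks for (zh-CN Notepad, "Untitled - Notepad")
msg_USER32          db "user32.dll",0           ; module name passed to LoadLibrary
msg_MESSAGEBOX      db "MessageBoxA",0          ; export name passed to GetProcAddress
MSG_NOFUND          db "没有找到进程",0          ; "process not found"
MSG_ERROR           db "错误",0                  ; "error" (message-box caption)
MSG_OPENERROR       db "打开进程出错",0          ; "OpenProcess failed" — defined but not used by Inject
MSG_WRITEERROR      db "写入代码出错",0          ; "WriteProcessMemory failed" — defined but not used by Inject
                                                ; (was missing its NUL terminator: the line ended in a trailing comma)
;#########################################################################

.data?

hInstance           dd ?                        ; module handle, set once in `start`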
;#########################################################################
inject.asm
.386                  ; IA-32 target: this builds a 32-bit executable
.model flat, stdcall  ;32 bit memory model, stdcall default for invoke/proc
option casemap :none  ;case sensitive identifiers

include Injection.inc ; NOTE(review): the listing above is captioned inject.inc — the include name must match the file on disk

.code
;-----------------------------------------------------------------------
; Stub copied into the target process: bytes INJECTION_START..INJECTION_END.
; It is started with CreateRemoteThread, so it runs as a stdcall
; ThreadProc with one LPVOID argument — hence the final `retn 4`.
; Effect in the target: MessageBoxA(NULL, NULL, NULL, MB_OK).
; The imm32 of `mov eax,12345678h` is a placeholder; Inject overwrites it
; at [labMessagebox+1] with the local MessageBoxA address before the copy
; (opcode B8 is one byte, so the immediate starts at offset +1).  That
; address is only meaningful in the target if user32.dll is mapped at the
; same base there — typical for system DLLs within one boot, not guaranteed.
; Defender note: RWX remote allocation + WriteProcessMemory +
; CreateRemoteThread is the classic injection triple; Sysmon Event ID 8
; (CreateRemoteThread) and EDR hooks on these APIs flag it.
;-----------------------------------------------------------------------
INJECTION_START:
    push MB_OK              ; uType
    push 0                  ; lpCaption = NULL
    push 0                  ; lpText    = NULL
    push 0                  ; hWnd      = NULL
labMessagebox:
    mov eax,12345678h       ; placeholder, patched to &MessageBoxA by Inject
    call eax
    retn 4                  ; stdcall return: pop the ThreadProc's lpParameter
INJECTION_END:
.code

;-----------------------------------------------------------------------
; Inject  — void Inject(void), MASM proc with frame + LOCALs
; Purpose: copy the INJECTION_START..INJECTION_END stub into the process
;          owning the window titled msg_title and run it on a new thread.
; Steps:   FindWindow -> GetWindowThreadProcessId -> OpenProcess ->
;          patch stub in place -> VirtualAllocEx(RWX) -> WriteProcessMemory
;          -> CreateRemoteThread.
; Returns: nothing meaningful; eax holds the last API's return value.
; Review notes (code left as-is):
;  - Only the FindWindow result is checked.  OpenProcess, VirtualAllocEx,
;    WriteProcessMemory and CreateRemoteThread failures are ignored even
;    though MSG_OPENERROR / MSG_WRITEERROR exist for reporting them; a NULL
;    handle or pointer is passed straight into the next call.
;  - The process handle and the thread handle returned by CreateRemoteThread
;    are never closed (CloseHandle) — handle leak per click.
;  - PROCESS_ALL_ACCESS is broader than these calls require; least privilege
;    would request only the access rights each API documents.
;  - VirtualProtect makes this module's own code page RWX so the stub can be
;    patched in place: self-modifying code / W^X violation, and the old
;    protection (@old) is never restored.
;  - The patch assumes user32.dll sits at the same base in the target and
;    that the target is a 32-bit process like this injector; a 64-bit
;    Notepad would not run this stub correctly (presumably crashes — verify).
;-----------------------------------------------------------------------
Inject proc
    LOCAL @hwnd:HWND
    LOCAL @pid:dword
    LOCAL @hPorcess:HANDLE              ; (sic) process handle
    LOCAL @bCode:PVOID                  ; remote buffer holding the stub
    LOCAL @hMod:HMODULE                 ; local user32.dll handle
    LOCAL @old:dword                    ; previous protection of the stub page (never restored)

    ;1. locate the target process via its top-level window title
    invoke FindWindow,NULL,offset msg_title
    ;check eax!=NULL — the only error check in this proc
    .if eax == NULL
    invoke MessageBox,NULL,offset MSG_NOFUND,offset MSG_ERROR,MB_OK
    ret                                 ; MASM emits the frame epilogue here
    .endif
    mov @hwnd,eax
    ;2. open the process
    invoke GetWindowThreadProcessId,@hwnd,addr @pid
    ;check — TODO: neither the thread id (0 on failure) nor OpenProcess's handle is validated
    invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,@pid
    mov @hPorcess,eax

    ;3. relocate the API address: make the local stub writable, resolve
    ;   MessageBoxA here, and patch it into the stub's `mov eax,imm32`
    invoke VirtualProtect,offset INJECTION_START,INJECTION_END-INJECTION_START,PAGE_EXECUTE_READWRITE,addr @old
    invoke LoadLibrary,offset msg_USER32  ; user32 is already loaded by this module; this only bumps its refcount
    mov @hMod,eax
    invoke GetProcAddress,@hMod,offset msg_MESSAGEBOX
    mov dword ptr [labMessagebox+1],eax ; +1 skips the one-byte B8 opcode

    ;4. allocate remote memory and copy the stub (1000H is a magic size;
    ;   anything >= INJECTION_END-INJECTION_START rounds up to a page anyway)
    invoke VirtualAllocEx,@hPorcess,NULL,1000H,MEM_COMMIT,PAGE_EXECUTE_READWRITE
    mov @bCode,eax
    invoke WriteProcessMemory,@hPorcess,@bCode,INJECTION_START,INJECTION_END-INJECTION_START,NULL

    ;5. run the stub on a remote thread (handle returned in eax is leaked)
    invoke CreateRemoteThread,@hPorcess,NULL,0,@bCode,NULL,0,NULL
    ret

Inject endp

start:
    ; Program entry: remember our module handle for DialogBoxParam, run the
    ; modal dialog IDD_DIALOG1 (DlgProc owns the inject button), then exit
    ; with status 0 once the dialog closes.
    invoke  GetModuleHandle, NULL
    mov     hInstance, eax

    invoke  InitCommonControls
    invoke  DialogBoxParam, hInstance, IDD_DIALOG1, NULL, offset DlgProc, NULL

    push    0                           ; uExitCode
    call    ExitProcess

;########################################################################

DlgProc proc hWin:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
    ; Dialog procedure for IDD_DIALOG1.
    ; Returns TRUE (handled) for WM_INITDIALOG, WM_COMMAND and WM_CLOSE and
    ; FALSE for every other message so the dialog manager processes it.
    ; WM_COMMAND only acts on the inject button; the compare is against the
    ; whole wParam, so it matches when the notification code in the high
    ; word is zero (BN_CLICKED).
    mov     eax, uMsg
    cmp     eax, WM_INITDIALOG
    je      @handled                    ; nothing to initialise
    cmp     eax, WM_COMMAND
    je      @command
    cmp     eax, WM_CLOSE
    je      @close
    xor     eax, eax                    ; FALSE: not handled here
    ret

@command:
    .if wParam == IDC_BTNINJECTION
        invoke  Inject
    .endif
    jmp     @handled

@close:
    invoke  EndDialog, hWin, 0

@handled:
    mov     eax, TRUE
    ret

DlgProc endp

end start