文章作者:pig4210
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)
很久没有来看了,刚看了一篇asm写的相关win32asm远程注入的问题,他提到了远程注入的两个方法,一个是远程代码,一个是远程DLL,远程代码实现比较困难,所以退而求其次使用DLL注入。
只是,远程代码可以实现无磁盘文件对应。
前些天正好写了一个东西,就是指定DLL插入指定进程的。(本来想打个包上来,结果论坛已经很多限制了,算了,发个主程序的代码就好了)
看了asm的文章,学习其开源精神,跟进一下,嘿嘿。
;2007-07-18 15:33
;功能实现:
; 1.指定DLL远程注入目标进程。
; 2.保存DLL信息,适当时候用户可卸载DLL。
; 卸载动作也是远程线程注入目标进程,但是非文件对应线程,故而实现卸载动态链接库不留痕迹。
; 做这个东西原意是为了注入华夏游戏方便点好研究。
.386
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include comdlg32.inc
includelib comdlg32.lib
include shell32.inc
includelib shell32.lib
include Macro.inc
; Resource ids of the main dialog and its controls (the .rc file is not part
; of this listing, so the control types are inferred from how they are used).
DLG_MAIN equ 1000                   ; dialog template passed to DialogBoxParam
IDC_FileName equ 1001               ; text field: full path of the DLL
IDC_Name equ 1002                   ; text field: window title of the target
IDC_Class equ 1003                  ; text field: window class of the target
IDC_unhook equ 1004                 ; command: unload the DLL from the target
IDC_OPEN equ 1005                   ; command: browse for a DLL file
.data?
hInstance dd ?                      ; this program's module handle (written at start, never read)
hWinMain dd ?                       ; main dialog handle, set on WM_INITDIALOG
dwProcessID dd ?                    ; PID of the process owning the matched window
dwThreadID dd ?                     ; thread id from GetWindowThreadProcessId; written but never read
hProcess dd ?                       ; handle from OpenProcess on dwProcessID
lpDllstart dd ?                     ; base of the buffer VirtualAllocEx returned inside the target
szClass db 128 dup (?)              ; window class (dialog field / INI)
szWndName db 128 dup (?)            ; window title (dialog field / INI)
;---------
; towrite..endwrite is copied as one raw block over the start of the remote
; code (REMOTE_CODE_START in .code) by unhook. Its field order and sizes
; must stay identical to _lpLoadLibrary.._szDllName there, otherwise the
; remote thread reads the wrong pointer.
towrite equ this byte
lpLoadLibrary dd ?                  ; LoadLibraryA (also used by hookin as the remote start address)
lpGetProcAddress dd ?               ; GetProcAddress
lpGetModuleHandle dd ?              ; GetModuleHandleA
lpFreelib dd ?                      ; FreeLibrary
lpMessageBox dd ?                   ; MessageBoxA
szDllName db MAX_PATH dup (?)       ; bare file name of the DLL (derived from szProfileName)
endwrite equ this byte
;---------
szProfileName db MAX_PATH dup (?)   ; full DLL path (dialog field / INI / Open dialog)
szConfigName db MAX_PATH dup (?)    ; "<current dir>\Config.ini", built by StartGet
.const
; INI layout: [info] Load=<dll path> Name=<window title> Class=<window class>
szSec db 'info',0
szKeyLoad db 'Load',0
szKeyName db 'Name',0
szKeyClass db 'Class',0
szConfig db '\Config.ini',0         ; appended to the current directory by StartGet
; Built-in defaults, used when the INI yields no Class value.
szconstFileName db 'D:\4210\work\exdll\dll.dll',0   ; author's development path
szDesktopWindow db '华夏II online',0                  ; default window title
szDesktopClass db '*GodClass*',0                      ; default window class
szFilter db '动态链接库(*.dll)',0,'*.dll',0,'所有文件',0,'*.*',0,0   ; Open-dialog filter: "*.dll", then "all files"
szErrorFind db '无法找到指定窗口!',0                   ; "window not found"
szErrorCannot db '无法打开进程!',0                     ; "cannot open process" (also shown on allocation failure)
szErrormem db '无法在进程中分配空间!',0                ; "cannot allocate in process"; defined but never used
;----------
; Module and export names resolved with GetModuleHandle / GetProcAddress.
szDllKernel db 'Kernel32.dll',0
szUser32 db 'User32.dll',0
szLoadLibrary db 'LoadLibraryA',0
szGetProcAddress db 'GetProcAddress',0
szGetModuleHandle db 'GetModuleHandleA',0
szFreelib db 'FreeLibrary',0
szMessageBox db 'MessageBoxA',0
.code
REMOTE_CODE_START equ this byte
; Everything between REMOTE_CODE_START and REMOTE_CODE_END is copied as raw
; bytes into the target process by unhook. The leading fields are then
; overwritten with the towrite..endwrite block from .data?, so their order
; and sizes must stay identical to lpLoadLibrary..szDllName there.
_lpLoadLibrary dd ?                 ; filled in, but not read by _RemoteThread
_lpGetProcAddress dd ?              ; filled in, but not read by _RemoteThread
_lpGetModuleHandle dd ?             ; GetModuleHandleA, resolved by the injector
_lpFreeLib dd ?                     ; FreeLibrary, resolved by the injector
_lpMessageBox dd ?                  ; MessageBoxA, resolved by the injector
_szDllName db MAX_PATH dup (?)      ; bare file name of the DLL to unload
_lptmp dd 32 dup (90h)              ; 128 bytes of 0x90; nothing in this file reads it
_hInstance dd ?                     ; receives GetModuleHandleA(NULL) of the target; never read
_hWinMain dd ?                      ; not referenced by the visible code
_szDllUser db 'User32.dll',0        ; not referenced by the visible code
_szErrorFind db '无法在进程中找到需要卸载的文件',0   ; MessageBox text: DLL not loaded in the target
;-----------------------------------------------------------------------
; _RemoteThread - thread start routine executed inside the target process.
; In:    lParam (ignored; unhook passes 0)
; Does:  one FreeLibrary on the module named by _szDllName if it is loaded
;        (FreeLibrary only drops one reference, so a DLL loaded more than
;        once stays mapped), else shows _szErrorFind in a MessageBox.
; Out:   eax = value of eax at entry (popad restores it), i.e. the thread
;        exit code carries no result.
; Addressing: the block runs wherever VirtualAllocEx placed it, so every
; data reference is made relative to ebx = (run-time - link-time) address,
; obtained with the call/pop idiom below.
; _invoke is a macro from Macro.inc (not shown); presumably an invoke
; variant that calls through the pointer operand - confirm in Macro.inc.
;-----------------------------------------------------------------------
_RemoteThread proc uses ebx edi esi lParam
pushad                              ; saves everything again on top of the 'uses' list
call @F
@@:
pop ebx                             ; ebx = run-time address of @@
sub ebx,offset @B                   ; ebx = relocation delta for every label in this block
_invoke [ebx + _lpGetModuleHandle],NULL
mov [ebx + _hInstance],eax          ; stored but never read
lea eax,[ebx+_szDllName]
_invoke [ebx+_lpGetModuleHandle],eax
.if eax                             ; module present: release one reference
_invoke [ebx+_lpFreeLib],eax
.else
lea eax,[ebx+_szErrorFind]
_invoke [ebx+_lpMessageBox],NULL,eax,NULL,MB_OK or MB_ICONERROR
.endif
popad
ret
_RemoteThread endp
REMOTE_CODE_END equ this byte
REMOTE_CODE_LENGTH equ offset REMOTE_CODE_END - offset REMOTE_CODE_START   ; bytes copied into the target
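;-----------------------------------------------------------------------
; GetInput - copy the three dialog fields into szProfileName, szWndName
; and szClass.
; The size passed to GetDlgItemText is the real buffer size (cchMax counts
; the terminator, so this cannot overflow). The previous fixed 120 silently
; truncated DLL paths longer than 119 characters although StartGet loads up
; to MAX_PATH from the INI and szProfileName holds MAX_PATH bytes.
; Clobbers: eax, ecx, edx (Win32 calls).
;-----------------------------------------------------------------------
GetInput proc
    invoke GetDlgItemText,hWinMain,IDC_FileName,addr szProfileName,sizeof szProfileName
    invoke GetDlgItemText,hWinMain,IDC_Name,addr szWndName,sizeof szWndName
    invoke GetDlgItemText,hWinMain,IDC_Class,addr szClass,sizeof szClass
    ret
GetInput endp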
;-----------------------------------------------------------------------
; hookin - load the DLL named in the path field into the process owning
; the window named by the Class/Name fields, then save the three fields
; to Config.ini (the INI is written even when the injection failed).
; Method: OpenProcess -> VirtualAllocEx(RW) -> WriteProcessMemory(path)
; -> CreateRemoteThread with LoadLibraryA as start routine. This exact
; API sequence is the classic DLL-injection pattern host monitoring
; products alert on.
; Clobbers: eax, ecx, edx (Win32 calls); no callee-saved registers used.
;-----------------------------------------------------------------------
hookin proc
invoke GetInput
invoke FindWindow,addr szClass,addr szWndName
.if eax
invoke GetWindowThreadProcessId,eax,addr dwProcessID
mov dwThreadID,eax                  ; owning thread id; stored but never read
invoke GetModuleHandle,addr szDllKernel
invoke GetProcAddress,eax,addr szLoadLibrary
mov lpLoadLibrary,eax               ; LoadLibraryA as mapped in THIS process, used unchanged as the remote start address - assumes kernel32 sits at the same base in the target, which is not guaranteed
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or PROCESS_VM_WRITE,FALSE,dwProcessID
.if eax
mov hProcess,eax
invoke VirtualAllocEx,hProcess,NULL,MAX_PATH,MEM_COMMIT,PAGE_READWRITE
.if eax
mov lpDllstart,eax
invoke WriteProcessMemory,hProcess,eax,addr szProfileName,MAX_PATH,NULL   ; whole MAX_PATH buffer; result unchecked
invoke CreateRemoteThread,hProcess,NULL,0,lpLoadLibrary,lpDllstart,0,NULL
invoke CloseHandle,eax              ; NOTE(review): eax is NULL when CreateRemoteThread failed - no error is reported; the remote buffer is never released (no VirtualFreeEx)
.else
invoke MessageBox,hWinMain,addr szErrorCannot,NULL,MB_OK or MB_ICONERROR   ; allocation failure reuses the "cannot open process" text; szErrormem exists for this case but is unused
.endif
invoke CloseHandle,hProcess
.else
invoke MessageBox,hWinMain,addr szErrorCannot,NULL,MB_OK or MB_ICONERROR
.endif
.else
invoke MessageBox,hWinMain,addr szErrorFind,NULL,MB_OK or MB_ICONERROR
.endif
; Persist the fields regardless of the outcome above.
invoke WritePrivateProfileString,addr szSec,addr szKeyLoad,addr szProfileName,addr szConfigName
invoke WritePrivateProfileString,addr szSec,addr szKeyName,addr szWndName,addr szConfigName
invoke WritePrivateProfileString,addr szSec,addr szKeyClass,addr szClass,addr szConfigName
ret
hookin endp
;-----------------------------------------------------------------------
; unhook - make the target process unload the DLL by running the
; _RemoteThread block inside it (no file is loaded by the target).
; Steps: derive the bare file name from the path field; resolve the API
; addresses the remote code needs (in this process); find the target by
; window; allocate a PAGE_EXECUTE_READWRITE page there; copy the whole
; REMOTE_CODE block, then patch its leading fields with the resolved
; pointers and the DLL name; start _RemoteThread as a remote thread.
; The RWX page is never freed, so - contrary to the "no trace" claim in
; the file header - an executable allocation holding this code stays in
; the target after the thread exits; that page and the OpenProcess /
; VirtualAllocEx(RWX) / WriteProcessMemory / CreateRemoteThread sequence
; are the artifacts a defender would look for.
; Saves/restores esi, ebx; clobbers eax, ecx, edx.
;-----------------------------------------------------------------------
unhook proc
push esi
push ebx
; extract the file name: the part after the last '\' of szProfileName
invoke GetInput
mov esi,offset szProfileName
invoke lstrlen,esi
add esi,eax                         ; esi -> terminating NUL
.while byte ptr [esi] != '\'        ; NOTE(review): no lower bound - a path without any '\' walks below szProfileName into the preceding buffers until some '\' byte is found
dec esi
.endw
inc esi                             ; esi -> first char after the last '\'
invoke lstrcpy,addr szDllName,esi   ; szDllName lies inside towrite..endwrite and reaches the target as _szDllName
; Resolve the pointers the remote code calls through. None of the five
; results is checked; a NULL here would be called blindly by the remote thread.
invoke GetModuleHandle,addr szDllKernel
mov ebx,eax                         ; ebx = kernel32 handle
invoke GetProcAddress,ebx,offset szLoadLibrary
mov lpLoadLibrary,eax
invoke GetProcAddress,ebx,offset szGetProcAddress
mov lpGetProcAddress,eax
invoke GetProcAddress,ebx,offset szGetModuleHandle
mov lpGetModuleHandle,eax
invoke GetProcAddress,ebx,offset szFreelib
mov lpFreelib,eax
invoke GetModuleHandle,addr szUser32
mov ebx,eax                         ; ebx = user32 handle
invoke GetProcAddress,ebx,offset szMessageBox
mov lpMessageBox,eax
invoke FindWindow,addr szClass,addr szWndName
.if eax
invoke GetWindowThreadProcessId,eax,addr dwProcessID
mov dwThreadID,eax                  ; stored but never read
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or PROCESS_VM_WRITE,FALSE,dwProcessID
.if eax
mov hProcess,eax
invoke VirtualAllocEx,hProcess,NULL,REMOTE_CODE_LENGTH,MEM_COMMIT,PAGE_EXECUTE_READWRITE   ; writable+executable page; never released
.if eax
mov lpDllstart,eax
invoke WriteProcessMemory,hProcess,lpDllstart,offset REMOTE_CODE_START,REMOTE_CODE_LENGTH,NULL   ; whole code+data block as assembled; result unchecked
invoke WriteProcessMemory,hProcess,lpDllstart,offset lpLoadLibrary,offset endwrite-offset towrite,NULL   ; patch in pointers + DLL name; relies on towrite..endwrite matching the layout of _lpLoadLibrary.._szDllName
mov eax,lpDllstart
add eax,offset _RemoteThread - offset REMOTE_CODE_START   ; eax = address of _RemoteThread inside the target
invoke CreateRemoteThread,hProcess,NULL,0,eax,0,0,NULL    ; lParam = 0, ignored by _RemoteThread
invoke CloseHandle,eax              ; NOTE(review): eax is NULL when CreateRemoteThread failed - no error is reported
.else
invoke MessageBox,hWinMain,addr szErrorCannot,NULL,MB_OK or MB_ICONERROR   ; allocation failure shown with the "cannot open process" text
.endif
invoke CloseHandle,hProcess
.else
invoke MessageBox,hWinMain,addr szErrorCannot,NULL,MB_OK or MB_ICONERROR
.endif
.else
invoke MessageBox,hWinMain,addr szErrorFind,NULL,MB_OK or MB_ICONERROR
.endif
pop ebx
pop esi
ret
unhook endp
;-----------------------------------------------------------------------
; GetFileName - show the standard Open dialog (filtered to *.dll, file and
; path must exist). The dialog writes the chosen path directly into
; szProfileName; on OK that buffer is echoed into the path field.
; Clobbers: eax, ecx, edx; uses one OPENFILENAME local on the stack.
;-----------------------------------------------------------------------
GetFileName proc
    local ofn:OPENFILENAME
    invoke RtlZeroMemory,addr ofn,sizeof OPENFILENAME
    mov eax,hWinMain
    mov ofn.hwndOwner,eax
    mov ofn.lStructSize,sizeof OPENFILENAME
    mov ofn.lpstrFilter,offset szFilter
    mov ofn.nMaxFile,MAX_PATH               ; capacity of szProfileName
    mov ofn.lpstrFile,offset szProfileName
    mov ofn.Flags,OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST
    invoke GetOpenFileName,addr ofn
    .if eax                                 ; user pressed OK
        invoke SetDlgItemText,hWinMain,IDC_FileName,addr szProfileName
    .endif
    ret
GetFileName endp
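;-----------------------------------------------------------------------
; StartGet - called on WM_INITDIALOG: build "<current dir>\Config.ini" in
; szConfigName, load the three settings from it (falling back to the
; built-in defaults when no Class value comes back) and show them in the
; dialog fields.
; Fix: the old code appended szConfig to whatever GetCurrentDirectory
; returned, so a directory near MAX_PATH overran szConfigName (MAX_PATH
; bytes), and '[esi+eax-1]' read one byte before the buffer when the call
; failed (eax = 0). GetCurrentDirectory is now given only the room that
; leaves space for the suffix; if the directory does not fit (or the call
; fails) szConfigName is left empty, the profile reads fail and the
; defaults apply.
; Saves/restores esi; clobbers eax, ecx, edx.
;-----------------------------------------------------------------------
StartGet proc
    CFG_DIR_MAX equ MAX_PATH - sizeof szConfig   ; longest directory that still leaves room for "\Config.ini" + NUL
    push esi
    invoke GetCurrentDirectory,CFG_DIR_MAX + 1,addr szConfigName
    .if eax == 0 || eax > CFG_DIR_MAX
        ; failure, or the required size was returned because the directory does not fit
        mov byte ptr szConfigName,0
    .else
        mov esi,offset szConfigName
        mov ecx,offset szConfig
        .if byte ptr [esi+eax-1] == '\'
            inc ecx                         ; directory already ends in '\': skip the one in szConfig
        .endif
        invoke lstrcat,esi,ecx
    .endif
    invoke GetPrivateProfileString,addr szSec,addr szKeyLoad,NULL,addr szProfileName,MAX_PATH,addr szConfigName
    invoke GetPrivateProfileString,addr szSec,addr szKeyName,NULL,addr szWndName,sizeof szWndName,addr szConfigName
    invoke GetPrivateProfileString,addr szSec,addr szKeyClass,NULL,addr szClass,sizeof szClass,addr szConfigName
    .if !eax
        ; no Class value (typically: no INI yet) - use the built-in defaults for all three
        invoke lstrcpy,addr szProfileName,addr szconstFileName
        invoke lstrcpy,addr szWndName,addr szDesktopWindow
        invoke lstrcpy,addr szClass,addr szDesktopClass
    .endif
    invoke SetDlgItemText,hWinMain,IDC_FileName,addr szProfileName
    invoke SetDlgItemText,hWinMain,IDC_Name,addr szWndName
    invoke SetDlgItemText,hWinMain,IDC_Class,addr szClass
    pop esi
    ret
StartGet endp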
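;-----------------------------------------------------------------------
; DlgMain - dialog procedure of DLG_MAIN.
;   WM_INITDIALOG : remember the window handle, load settings (StartGet)
;   WM_COMMAND    : IDOK -> hookin, IDC_OPEN -> GetFileName,
;                   IDC_unhook -> unhook (all compared on the control id
;                   in the low word of wParam)
;   WM_CLOSE      : EndDialog
; Returns TRUE for handled messages, FALSE otherwise.
; Fixes: the old epilogue did 'mov eax,TRUE' BEFORE popad, so popad
; restored the entry value of eax and the return value was garbage;
; the unhandled-message path returned without popad; IDC_unhook was
; compared against the whole of eax (notification code included) while
; the other ids use ax; an unused 256-byte local was dropped.
;-----------------------------------------------------------------------
DlgMain proc hWnd,wMsg,wParam,lParam
    pushad
    mov eax,wMsg
    .if eax == WM_CLOSE
        invoke EndDialog,hWnd,NULL
    .elseif eax == WM_INITDIALOG
        push hWnd
        pop hWinMain
        invoke StartGet
    .elseif eax == WM_COMMAND
        mov eax,wParam                      ; low word = control id, high word = notification code
        .if ax == IDOK
            invoke hookin
        .elseif ax == IDC_OPEN
            invoke GetFileName
        .elseif ax == IDC_unhook
            invoke unhook
        .endif
    .else
        popad                               ; restore before leaving, same as the handled path
        mov eax,FALSE
        ret
    .endif
    popad                                   ; popad rewrites eax, so the result is set afterwards
    mov eax,TRUE
    ret
DlgMain endp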
; Program entry: run the main dialog modally and exit with code 0 when it closes.
start:
    invoke GetModuleHandle,NULL
    mov hInstance,eax
    invoke DialogBoxParam,hInstance,DLG_MAIN,NULL,offset DlgMain,NULL
    invoke ExitProcess,NULL
end start
其实还写了一个调用远程进程里的函数的程序,是BCB写的主程序,win32asm写的DLL结合起来的,不好帖过来。
啊啊,相当好,竟然允许我发出来的了。但是我还是无法上传文件就是。
那么给出下载地址:
http://www.hj032.cn/pig4210/mywork/hook.rar
http://www.hj032.cn/pig4210/mywork/RemoteThread2Run(ver%201.2).rar
