ASM:
include b.inc
.code
;/
;///
;/// Description: show a message box.
;///   This is the start routine handed to CreateRemoteThread in InjectExe,
;///   so it executes inside the target process. MessageBoxA is resolved by
;///   name at run time (GetModuleHandle/GetProcAddress) instead of through
;///   the import table — presumably because the copied image's imports are
;///   never fixed up in the target.
;/// Parameters: none
;/// Returns: nothing meaningful (eax holds MessageBoxA's result)
;///
;/
ShowTip proc
; $CTA0 presumably expands to an inline zero-terminated string (macro from
; b.inc — verify there).
invoke GetModuleHandle, $CTA0("user32.dll")
invoke GetProcAddress, eax, offset $CTA0("MessageBoxA")
; stdcall: arguments pushed right to left — uType = 64 (MB_ICONINFORMATION),
; lpCaption = NULL, lpText, hWnd = NULL. Same order as the C++ version.
push 64d
push 0
push $CTA0("显示一个消息")
push 0
; Indirect call through the GetProcAddress result (not NULL-checked here).
call eax
ret
ShowTip endp
;/
;///
;/// Description: inject this EXE's image into another process and run ShowTip there.
;///   The running module's in-memory image (SizeOfImage bytes from hMod) is
;///   copied to the *same* address in the target process, and a remote thread
;///   is started at ShowTip's local address. That address is only valid in the
;///   target because the image is linked to a fixed base (/BASE, see the note at
;///   the end of the post) — no relocation or import fix-up is performed.
;/// Parameters: Pid = process PID
;/// Returns: eax = 1 (True) on success, otherwise 0 (False)
;/// Clobbers: eax, flags; ebx/esi/edi are preserved via `uses`
;/// Security: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) ->
;///   WriteProcessMemory -> CreateRemoteThread is the textbook remote-thread
;///   injection sequence that endpoint protection and memory scanners flag
;///   (an RWX private region holding a full PE image), and it needs full
;///   access to the target process.
;///
;/
InjectExe proc uses ebx esi edi Pid
LOCAL status
LOCAL hMod: HMODULE
LOCAL hNHOffset: DWORD
LOCAL cbImage: DWORD
LOCAL hProcess: HANDLE, hThread: HANDLE
LOCAL pBaseAddr: DWORD
mov status, 0
; Walk our own DOS header -> NT headers to read SizeOfImage.
invoke GetModuleHandle, NULL
mov hMod, eax
mov esi, eax
assume esi: ptr IMAGE_DOS_HEADER
push [esi].e_lfanew
pop hNHOffset
assume esi: Nothing
mov eax, hMod
add eax, hNHOffset
mov esi, eax
assume esi: ptr IMAGE_NT_HEADERS
push [esi].OptionalHeader.SizeOfImage
pop cbImage
assume esi: Nothing
invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, Pid
.if eax == NULL
jmp Err
.endif
mov hProcess, eax
; "Free it for me": release whatever the target has at our image base so the
; same address can be allocated below. The return value is not checked.
invoke VirtualFreeEx, hProcess, hMod, 0, MEM_RELEASE
; "What's mine is mine": reserve+commit an image-sized region at exactly hMod,
; read/write/execute.
invoke VirtualAllocEx, hProcess, hMod, cbImage, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
.if eax == NULL
jmp Err
.endif
mov pBaseAddr, eax
; Copy the whole image (headers and sections) over.
invoke WriteProcessMemory, hProcess, pBaseAddr, hMod, cbImage, NULL
.if eax == NULL
jmp Err
.endif
; Start ShowTip in the target; its local address is reused unchanged.
invoke CreateRemoteThread, hProcess, NULL, NULL, offset ShowTip, NULL, NULL, NULL
.if eax == NULL
jmp Err
.endif
mov hThread, eax
; Block until the remote thread returns.
invoke WaitForSingleObject, hThread, INFINITE
invoke CloseHandle, hThread
mov status, 1
Err:
; Cleanup: the copied image is released again once the remote thread has
; finished, so it exists in the target only while ShowTip runs.
.if pBaseAddr != NULL
invoke VirtualFreeEx, hProcess, pBaseAddr, 0, MEM_RELEASE
.endif
.if hProcess != NULL
invoke CloseHandle, hProcess
.endif
mov eax, status
ret
InjectExe endp
;/
;///
;///
;/// PE entry point: call InjectExe on a hard-coded PID and report success
;/// with a message box. "(you pid?)" is a placeholder, not valid MASM.
;///
;///
;/
start:
invoke InjectExe, (you pid?)
.if eax
invoke MessageBox, NULL, $CTA0("OK"), NULL, MB_OK
.endif
invoke ExitProcess, NULL
end start
VC++:
#include
#include
// Fixed preferred image base. InjectExe below copies this image to the same
// address inside the target and reuses local function addresses there, so the
// base must be known in advance; the Delphi version does the same with
// {$IMAGEBASE}. ASLR (/DYNAMICBASE) randomises the base and breaks that
// assumption. (The two #include lines above lost their file names in
// extraction.)
#pragma comment(linker, "/BASE:0x14000000")
// Signature of MessageBoxA for the dynamically resolved call in ShowTip.
typedef int (__stdcall *fnMessageBoxA)(HWND, LPCSTR, LPCSTR, UINT);
//
///
/// Description: show a message box.
/// This is the start routine handed to CreateRemoteThread in InjectExe, so it
/// executes inside the target process. MessageBoxA is resolved by name at run
/// time rather than through the import table — presumably because the copied
/// image's imports are never fixed up in the target.
/// Parameters: none
/// Returns: nothing
///
//
void __stdcall ShowTip()
{
HMODULE hMod;
fnMessageBoxA myMessageBoxA;
hMod = GetModuleHandle(L"user32.dll");
// Neither hMod nor the lookup result is NULL-checked before the call
// (the Delphi version does check).
myMessageBoxA = (fnMessageBoxA)GetProcAddress(hMod, (LPCSTR)"MessageBoxA");
myMessageBoxA(NULL, "显示一个消息", NULL, 64); // uType 64 == MB_ICONINFORMATION
}
//
///
/// Description: inject this executable's image into another process and run
/// ShowTip there.
/// The running module's in-memory image (SizeOfImage bytes from its base) is
/// copied to the same address inside the target, and a remote thread is
/// started at ShowTip's local address. This only works because the image is
/// linked to a fixed base (see the /BASE pragma above); no relocation or
/// import fix-up is done. Pointer arithmetic goes through DWORD casts, i.e.
/// a 32-bit build is assumed.
/// Parameters: Pid = process PID
/// Returns: true on success, otherwise false
/// Security: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) ->
/// WriteProcessMemory -> CreateRemoteThread is the textbook remote-thread
/// injection sequence that endpoint protection and memory scanners flag
/// (an RWX private region holding a full PE image), and it needs full access
/// to the target process.
///
//
bool InjectExe(DWORD Pid)
{
bool status = false;
LPVOID pBaseAddr = NULL;
// Walk our own DOS header -> NT headers to read SizeOfImage.
HMODULE hMod = GetModuleHandle(NULL);
LONG hNHOffset = PIMAGE_DOS_HEADER(hMod)->e_lfanew;
DWORD cbImage = PIMAGE_NT_HEADERS((DWORD)hMod + (DWORD)hNHOffset)->OptionalHeader.SizeOfImage;
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, Pid);
if (hProcess == NULL)
{
goto Err;
}
// "Free it for me": release whatever the target has at our image base so the
// same address can be allocated below. The result is not checked.
VirtualFreeEx(hProcess, LPVOID(hMod), 0, MEM_RELEASE);
// "Give it to me": reserve+commit an image-sized region at exactly hMod,
// read/write/execute.
pBaseAddr = VirtualAllocEx(hProcess, LPVOID(hMod), cbImage, MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
if (pBaseAddr == NULL)
{
goto Err;
}
// Copy the whole image (headers and sections) over.
if (!WriteProcessMemory(hProcess, pBaseAddr, LPCVOID(hMod), cbImage, NULL))
{
goto Err;
}
// Start ShowTip in the target; its local address is reused unchanged.
HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)&ShowTip, NULL, NULL, NULL);
if (hThread == NULL)
{
goto Err;
}
// Block until the remote thread returns.
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
status = true;
Err:
// Cleanup: the copied image is released again once the remote thread has
// finished, so it exists in the target only while ShowTip runs.
if (pBaseAddr != NULL)
{
VirtualFreeEx(hProcess, pBaseAddr, 0, MEM_RELEASE);
}
if (hProcess != NULL)
{
CloseHandle(hProcess);
}
return status;
}
//
///
///
/// PE entry point: call InjectExe on a hard-coded PID and report success
/// with a message box. "you exe pid" is a placeholder, not valid C++.
///
///
//
int APIENTRY _tWinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPTSTR lpCommandLine,
int nCmdShow)
{
if (InjectExe(you exe pid))
{
MessageBox(NULL, L"OK", NULL, 64); // 64 == MB_ICONINFORMATION
}
return 0;
}
Delphi:
program Project1;
{$IMAGEBASE $14000000}
uses
Windows, SysUtils;
///
///
/// Description: show a message box.
/// This is the start routine handed to CreateRemoteThread in InjectExe, so it
/// executes inside the target process. MessageBoxA is resolved by name at run
/// time rather than through the import table — presumably because the copied
/// image's imports are never fixed up in the target.
/// Parameters: none
/// Return value: none
///
///
procedure ShowTip; stdcall;
type
TMessageBoxA = function (hWnd: HWND; lpText, lpCaption: PChar; uType: UINT): Integer; stdcall;
var
hMod: HMODULE;
pFuncAddr: Pointer;
begin
hMod := GetModuleHandle(PChar('user32.dll'));
pFuncAddr := GetProcAddress(hMod, PChar('MessageBoxA'));
// Unlike the ASM/C++ versions, a failed lookup is tolerated here.
if pFuncAddr <> nil then
begin
TMessageBoxA(pFuncAddr)(0, PChar('显示一个消息而已'), PChar('当然成功啦'), 64); // 64 = MB_ICONINFORMATION
end;
end;
///
///
/// Description: inject this executable's image into another process and run
/// ShowTip there.
/// The running module's in-memory image (SizeOfImage bytes from hMod) is
/// copied to the same address inside the target and a remote thread is
/// started at ShowTip's local address. This relies on the fixed {$IMAGEBASE}
/// above; no relocation or import fix-up is done, and the Integer() pointer
/// arithmetic assumes a 32-bit build.
/// Parameters: Pid = process PID
/// Returns: True on success, otherwise False
/// Security: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) ->
/// WriteProcessMemory -> CreateRemoteThread is the textbook remote-thread
/// injection sequence that endpoint protection and memory scanners flag
/// (an RWX private region holding a full PE image), and it needs full access
/// to the target process.
///
///
function InjectExe(Pid: DWORD): Boolean;
label
Err;
var
hMod: HMODULE;
hNHOffset: Integer;
cbImage: DWORD;
hProcess, hThread: THandle;
pBaseAddr: Pointer;
dwReserved: DWORD;// scratch out-parameter only (bytes written / thread id); its value is never read
begin
Result := False;
// Walk our own DOS header -> NT headers to read SizeOfImage.
hMod := GetModuleHandle(nil);
hNHOffset := PImageDosHeader(Pointer(hMod))^._lfanew;
cbImage := PImageNtHeaders(Pointer(Integer(hMod) + hNHOffset))^.OptionalHeader.SizeOfImage;
hProcess := OpenProcess(PROCESS_ALL_ACCESS, False, Pid);
if hProcess = 0 then
goto Err;
// "Free it for me": release whatever the target has at our image base so the
// same address can be allocated below. The result is not checked.
VirtualFreeEx(hProcess, Pointer(hMod), 0, MEM_RELEASE);
// Allocate an image-sized region at exactly hMod, read/write/execute.
pBaseAddr := VirtualAllocEx(hProcess, Pointer(hMod), cbImage, MEM_COMMIT or MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
if pBaseAddr = nil then
goto Err;
// Copy the whole image (headers and sections) over.
if not WriteProcessMemory(hProcess, pBaseAddr, Pointer(hMod), cbImage, dwReserved) then
goto Err;
// Last step: start ShowTip in the target; its local address is reused unchanged.
hThread := CreateRemoteThread(hProcess, nil, 0, Pointer(@ShowTip), nil, 0, dwReserved);
if hThread = 0 then
goto Err;
// Block until the remote thread returns.
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
Result := True;
Err:
// Cleanup: the copied image is released again once the remote thread has
// finished, so it exists in the target only while ShowTip runs.
if pBaseAddr <> nil then VirtualFreeEx(hProcess, pBaseAddr, 0, MEM_RELEASE);
if hProcess <> 0 then CloseHandle(hProcess);
end;
///
///
/// PE entry point: call InjectExe on a hard-coded PID and report success
/// with a message box. "you exe pid" is a placeholder, not valid Pascal.
///
///
begin
if InjectExe(you exe pid) then
MessageBox(0, PChar('Success'), PChar('插入成功'), 64); // 64 = MB_ICONINFORMATION
end.
至于VB的已经发过了,上一篇帖子中就有。。。另外ASM生成时需要Link下 /BASE,嗯嗯。。相信这个地球人都会的。
较早前的代码了,所以发出来看看有没有谁需要用哈??
转载于:http://hi.baidu.com/cxwr/blog/item/8f1cc494f3199b1dd31b7066.html