基于visual c++之windows核心编程代码分析(53)在C++中嵌入汇编实现DLL注入源代码

我们在C++编程的时候,有些时候获取更大编程余地,以及为了缩减代码,经常使用插入汇编语言进行联合编程。

下面我们实践在C++中嵌入汇编实现DLL注入源代码。

DLL动态函数链接库的接口如下。

#include "stdafx.h"
#include "resource.h"

//////////////////////////////////////////////////////////////////////////
//*******全局变量声明*******
HINSTANCE hInst = NULL;
HWND hDlg;
//////////////////////////////////////////////////////////////////////////


//////////////////////////////////////////////////////////////////////////
//*******函数原型声明*******
extern "C" _declspec(dllexport) void WaiGuaProc();

BOOL CALLBACK DlgProc(HWND hDlg , UINT message , 
					  WPARAM wParam , LPARAM lParam);
//////////////////////////////////////////////////////////////////////////


BOOL APIENTRY DllMain( HANDLE hModule, 
					  DWORD  ul_reason_for_call, 
					  LPVOID lpReserved
					  )
{
	switch(ul_reason_for_call)
    {
	case DLL_PROCESS_ATTACH:
		hInst = (HINSTANCE)hModule; 
		WaiGuaProc();
		break;
		
	case DLL_PROCESS_DETACH: 
		break;
    }
    return TRUE;
}


extern "C" _declspec(dllexport) void WaiGuaProc()
{
	
	hDlg = CreateDialog(hInst , MAKEINTRESOURCE(IDD_MAINDLG) , 
		NULL , (DLGPROC)DlgProc);
	MessageBox(NULL , "Test!" , "Test" , MB_OK);
	return;
}

BOOL CALLBACK DlgProc(HWND hwndDlg,  // handle to dialog box
					  UINT uMsg,     // message
					  WPARAM wParam, // first message parameter
					  LPARAM lParam  // second message parameter
					  )
{
	switch(uMsg)
	{
	case WM_INITDIALOG:
		ShowWindow(hwndDlg , SW_SHOW);
		return TRUE;
		
	case WM_CLOSE:
		DestroyWindow(hwndDlg);
		return TRUE;
		
	case WM_COMMAND:
		if(LOWORD(wParam) == IDOK)
		{
			MessageBox(NULL , "Insert Dll Success!" , "Test!" , MB_OK);
		}
		return TRUE;
	}
	return FALSE;
}


 

 

下面我们进行C++与汇编联合编程,请认真阅读代码注释,

 

#include "Tlhelp32.h"

#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif

/////////////////////////////////////////////////////////////////////////////
// CAboutDlg dialog used for App About

class CAboutDlg : public CDialog
{
public:
	CAboutDlg();
	
	// Dialog Data
	//{{AFX_DATA(CAboutDlg)
	enum { IDD = IDD_ABOUTBOX };
	//}}AFX_DATA
	
	// ClassWizard generated virtual function overrides
	//{{AFX_VIRTUAL(CAboutDlg)
protected:
	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV support
	//}}AFX_VIRTUAL
	
	// Implementation
protected:
	//{{AFX_MSG(CAboutDlg)
	//}}AFX_MSG
	DECLARE_MESSAGE_MAP()
};

CAboutDlg::CAboutDlg() : CDialog(CAboutDlg::IDD)
{
	//{{AFX_DATA_INIT(CAboutDlg)
	//}}AFX_DATA_INIT
}

void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
	CDialog::DoDataExchange(pDX);
	//{{AFX_DATA_MAP(CAboutDlg)
	//}}AFX_DATA_MAP
}

BEGIN_MESSAGE_MAP(CAboutDlg, CDialog)
//{{AFX_MSG_MAP(CAboutDlg)
// No message handlers
//}}AFX_MSG_MAP
END_MESSAGE_MAP()

/////////////////////////////////////////////////////////////////////////////
// CWaiGuaTestDlg dialog

CWaiGuaTestDlg::CWaiGuaTestDlg(CWnd* pParent /*=NULL*/)
: CDialog(CWaiGuaTestDlg::IDD, pParent)
{
	//{{AFX_DATA_INIT(CWaiGuaTestDlg)
	m_ProcName = _T("");
	//}}AFX_DATA_INIT
	// Note that LoadIcon does not require a subsequent DestroyIcon in Win32
	m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
}

void CWaiGuaTestDlg::DoDataExchange(CDataExchange* pDX)
{
	CDialog::DoDataExchange(pDX);
	//{{AFX_DATA_MAP(CWaiGuaTestDlg)
	DDX_CBString(pDX, IDC_COM_Proc, m_ProcName);
	//}}AFX_DATA_MAP
}

BEGIN_MESSAGE_MAP(CWaiGuaTestDlg, CDialog)
//{{AFX_MSG_MAP(CWaiGuaTestDlg)
ON_WM_SYSCOMMAND()
ON_WM_PAINT()
ON_WM_QUERYDRAGICON()
ON_BN_CLICKED(IDC_BUT_GetProc, OnBUTGetProc)
ON_BN_CLICKED(IDC_BUT_EXECUTION, OnButExecution)
//}}AFX_MSG_MAP
END_MESSAGE_MAP()

/////////////////////////////////////////////////////////////////////////////
// CWaiGuaTestDlg message handlers

BOOL CWaiGuaTestDlg::OnInitDialog()
{
	CDialog::OnInitDialog();
	
	// Add "About..." menu item to system menu.
	
	// IDM_ABOUTBOX must be in the system command range.
	ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
	ASSERT(IDM_ABOUTBOX < 0xF000);
	
	CMenu* pSysMenu = GetSystemMenu(FALSE);
	if (pSysMenu != NULL)
	{
		CString strAboutMenu;
		strAboutMenu.LoadString(IDS_ABOUTBOX);
		if (!strAboutMenu.IsEmpty())
		{
			pSysMenu->AppendMenu(MF_SEPARATOR);
			pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
		}
	}
	
	// Set the icon for this dialog.  The framework does this automatically
	//  when the application's main window is not a dialog
	SetIcon(m_hIcon, TRUE);			// Set big icon
	SetIcon(m_hIcon, FALSE);		// Set small icon
	
	// TODO: Add extra initialization here
	
	return TRUE;  // return TRUE  unless you set the focus to a control
}

void CWaiGuaTestDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
	if ((nID & 0xFFF0) == IDM_ABOUTBOX)
	{
		CAboutDlg dlgAbout;
		dlgAbout.DoModal();
	}
	else
	{
		CDialog::OnSysCommand(nID, lParam);
	}
}

// If you add a minimize button to your dialog, you will need the code below
//  to draw the icon.  For MFC applications using the document/view model,
//  this is automatically done for you by the framework.

void CWaiGuaTestDlg::OnPaint() 
{
	if (IsIconic())
	{
		CPaintDC dc(this); // device context for painting
		
		SendMessage(WM_ICONERASEBKGND, (WPARAM) dc.GetSafeHdc(), 0);
		
		// Center icon in client rectangle
		int cxIcon = GetSystemMetrics(SM_CXICON);
		int cyIcon = GetSystemMetrics(SM_CYICON);
		CRect rect;
		GetClientRect(&rect);
		int x = (rect.Width() - cxIcon + 1) / 2;
		int y = (rect.Height() - cyIcon + 1) / 2;
		
		// Draw the icon
		dc.DrawIcon(x, y, m_hIcon);
	}
	else
	{
		CDialog::OnPaint();
	}
}

// The system calls this to obtain the cursor to display while the user drags
//  the minimized window.
HCURSOR CWaiGuaTestDlg::OnQueryDragIcon()
{
	return (HCURSOR) m_hIcon;
}

void CWaiGuaTestDlg::OnBUTGetProc() 
{
	// TODO: Add your control notification handler code here
	((CComboBox *)GetDlgItem(IDC_COM_Proc))->ResetContent();
	
	for(int i=0 ; i < 100 ; i++)
		szThreadId[i] = 0;
	
	HANDLE hSnapShot;
	PROCESSENTRY32 szEntry;
	
	szEntry.dwSize = sizeof(PROCESSENTRY32);
	
	hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS , 0);
	
	if(hSnapShot == INVALID_HANDLE_VALUE)
	{
		MessageBox("CreateToolhelp32Snapshot Error!");
		return;
	}
	
	if(Process32First(hSnapShot,&szEntry))
	{
		int i=1;
		((CComboBox *)GetDlgItem(IDC_COM_Proc))->AddString(szEntry.szExeFile);
		
		szThreadId[0] = szEntry.th32ProcessID;
		
		while(Process32Next(hSnapShot,&szEntry))
		{
			((CComboBox *)GetDlgItem(IDC_COM_Proc))->AddString(szEntry.szExeFile);
			szThreadId[i] = szEntry.th32ProcessID;
			i++;
		}
		
		MessageBox("获取系统进程列表成功");
		((CComboBox *)GetDlgItem(IDC_COM_Proc))->SetCurSel(i-1);
		
		return;
	}
}

void CWaiGuaTestDlg::OnButExecution() 
{
	// TODO: Add your control notification handler code here
	
	//*******跳过远程线程代码,执行本程序*******
	goto REMOTE_THREAD_END;
	
	
	//////////////////////////////////////////////////////////////////////////
	//////*******远程线程代码*******
	//////////////////////////////////////////////////////////////////////////
REMOTE_THREAD_BEGIN:
	
	_asm	
	{
		//*******给LoadLibrary函数地址占位*******
LoadLibraryAddr:
		nop
		nop
		nop
		nop
		//*******给FreeLibrary函数地址占位*******
FreeLibraryAddr:
		nop
		nop
		nop
		nop
		//*******给动态链接库名占位*******
LibraryName:
		nop
		nop
		nop
		nop
		nop
		nop
		nop
		nop
		

		//*******代码开始的真正位置*******
REMOTE_THREAD_CODE:	
	
		//*******实现地址重定位,ebx保存差值*******
		call	relocal
relocal:
		pop		ebx
		sub		ebx , offset relocal
		
		//////////////////////////////////////////////////////////////////////////
		//*******调用LoadLibrary*******
		//////////////////////////////////////////////////////////////////////////
		//*******压入LoadLibrary参数(动态链接库名)*******
		mov		eax , ebx
		add		eax , offset LibraryName
		push	eax
		
		//*******调用LoadLibrary*******
		mov		eax , ebx
		add		eax , offset LoadLibraryAddr
		mov		eax , [eax]
		call	eax
		
		or		eax , eax
		jnz		NEXT1
		ret
		//////////////////////////////////////////////////////////////////////////
		//*******以上调用LoadLibrary*******
		//////////////////////////////////////////////////////////////////////////

NEXT1:
		// *******压入FreeLibrary参数*******
		push	eax
		
		// *******调用FreeLibrary*******
		mov		eax , ebx
		add		eax , offset FreeLibraryAddr
		mov		eax , [eax]
		call	eax
		//////////////////////////////////////////////////////////////////////////
		//*******以上调用FreeLibrary*******
		//////////////////////////////////////////////////////////////////////////
		ret
		
	}
REMOTE_THREAD_END:
	//////////////////////////////////////////////////////////////////////////
	////以上为远程线程代码
	//////////////////////////////////////////////////////////////////////////
	
	
	//*******首先获取选中的进程句柄*******
	
	int nSelectedThreadId;
	nSelectedThreadId = ((CComboBox *)GetDlgItem(IDC_COM_Proc))->GetCurSel();
	
	nSelectedThreadId = szThreadId[nSelectedThreadId];
	
	HANDLE hSelectedProcHandle;
	
	hSelectedProcHandle = OpenProcess(PROCESS_ALL_ACCESS , FALSE , nSelectedThreadId);
	if(!hSelectedProcHandle)
	{
		MessageBox("打开进程失败!");
		return;
	}
	
	// *******得到远程线程代码长度*******
	
	int nRemoteThreadCodeLength;
	
	_asm 
	{
		mov	eax , offset REMOTE_THREAD_END
			mov	ebx , offset REMOTE_THREAD_BEGIN
			sub	eax , ebx
			mov	nRemoteThreadCodeLength , eax
	}
	
	// *******在宿主进程中申请远程线程代码空间*******
	
	LPVOID pRemoteThreadAddr;
	
	pRemoteThreadAddr = VirtualAllocEx(hSelectedProcHandle , NULL , nRemoteThreadCodeLength , 
		MEM_COMMIT,PAGE_EXECUTE_READWRITE);
	
	if(!pRemoteThreadAddr)
	{
		MessageBox("Alloc Memory Error!");
		return;
	}
	
	
	//*******向宿主进程空间中复制远程线程代码*******
	
	LPVOID	pRemoteThreadCodeBuf;
	DWORD	nWritenNum , nSuccess;
	
	_asm mov	eax , offset REMOTE_THREAD_BEGIN
		_asm mov	pRemoteThreadCodeBuf , eax
		
		nSuccess = WriteProcessMemory(hSelectedProcHandle , pRemoteThreadAddr , pRemoteThreadCodeBuf ,
		nRemoteThreadCodeLength , &nWritenNum);
	
	if(!nSuccess)
	{
		MessageBox("Copy Remote Thread Code Error!");
		return;
	}
	
	
	
	
	
	// *******修正远程线程代码*******
	
	// *******首先获取两个关键函数的地址*******
	
	HMODULE hKernel32;
	hKernel32 = LoadLibrary("Kernel32.dll");
	
	if(!hKernel32)
	{
		MessageBox("导入Kernel32.dll错误!");
		return;
	}
	
	LPVOID pLoadLibrary , pGetProcAddress , pFreeLibrary;
	
	pLoadLibrary = (LPVOID)GetProcAddress(hKernel32 , "LoadLibraryA");
	
	if(!pLoadLibrary)
	{
		MessageBox("获取LoadLibrary函数地址失败!");
		return;
	}
	
	pGetProcAddress = (LPVOID)GetProcAddress(hKernel32 , "GetProcAddress");
	
	if(!pGetProcAddress)
	{
		MessageBox("获取GetProcAddress函数地址失败!");
		return;
	}
	
	pFreeLibrary = (LPVOID)GetProcAddress(hKernel32 , "FreeLibrary");
	
	if(!pGetProcAddress)
	{
		MessageBox("获取FreeLibrary函数地址失败!");
		return;
	}
	
	// *******修正代码*******
	
	PBYTE pRemoteAddrMove;
	
	pRemoteAddrMove = (PBYTE)pRemoteThreadAddr;
	
	// *******修正LoadLibrary地址*******
	
	nSuccess = WriteProcessMemory(hSelectedProcHandle , 
		pRemoteAddrMove , 
		&pLoadLibrary ,
		4 , 
		&nWritenNum);
	
	if(!nSuccess)
	{
		MessageBox("修正LoadLibrary地址错误!");
		return;
	}
	
	//*******修正FreeLibrary地址*******
	
	pRemoteAddrMove +=4;
	
	nSuccess = WriteProcessMemory(hSelectedProcHandle ,
		pRemoteAddrMove , 
		&pFreeLibrary ,
		4 ,
		&nWritenNum);
	
	if(!nSuccess)
	{
		MessageBox("修正FreeLibrary地址错误!");
		return;
	}
	
	//*******传递动态链接库名*******
	
	char szDllName[8] = {"Dll.dll"};
	
	pRemoteAddrMove +=4;
	
	nSuccess = WriteProcessMemory(hSelectedProcHandle , 
		pRemoteAddrMove , 
		szDllName ,
		8 , 
		&nWritenNum);
	
	if(!nSuccess)
	{
		MessageBox("修正GetProcAddress地址错误!");
		return;
	}
	
	//********把指针移动到远程线程代码开始处*******
	pRemoteAddrMove +=8;
	
	// *******创建远程线程*******
	
	HANDLE hRemoteThreadHandle;
	
	// *******定义远程线程函数类型*******
	typedef unsigned long (WINAPI *stRemoteThreadProc)(LPVOID);
	
	stRemoteThreadProc pRemoteThreadProc;
	
	// *******把入口地址赋给声明的函数*******
	pRemoteThreadProc = (stRemoteThreadProc)pRemoteAddrMove;
	
	hRemoteThreadHandle = CreateRemoteThread(hSelectedProcHandle , NULL , 0 , 
		pRemoteThreadProc , 0 , 0 , NULL);
	
	
	//*******测试*******
	CString szBuf;
	szBuf.Format("开始地址:%x\nLoadLibrary地址:%x\nGetProcAddress地址%x\n代码开始地址:%x" , 
		pRemoteThreadAddr , pLoadLibrary , pGetProcAddress , pRemoteAddrMove);
	MessageBox(szBuf);	
	
	
	return;
}


 


原文链接: http://blog.csdn.net/yincheng01/article/details/7214449

你可能感兴趣的:(基于visual c++之windows核心编程代码分析(53)在C++中嵌入汇编实现DLL注入源代码)