;----------------
;编译模式="CON"
;----------------
.386
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
include kernel32.inc
include masm32.inc
include Psapi.inc
includelib user32.lib
includelib kernel32.lib
includelib masm32.lib
includelib Psapi.lib
;-------------------------------------------------------
Error_Handler proto :DWORD, :DWORD, :DWORD, :DWORD
Print_Handler proto :DWORD, :DWORD,:DWORD
DlgProc proto :DWORD,:DWORD,:DWORD,:DWORD
RetriveProcess proto :DWORD
Enject_Handle proto :DWORD
;-----------------------------------------------------------------------
; szText Name, Text...
; Declares a NUL-terminated byte string named Name inline in the code
; stream and emits a jmp over it, so a literal can be defined right
; where it is used.  Costs one jmp per use; the bytes live in the code
; section and are only ever read.
;-----------------------------------------------------------------------
szText MACRO Name, Text:VARARG
    LOCAL skip_lbl
    jmp     skip_lbl                ; step over the inline data
Name db Text,0
skip_lbl:
ENDM
.const
DLG_MAIN equ 1
ITEM_LIST equ 1001
BTN_ENJECT equ 1003
.DATA
szMsg db "Hello World!",13,10,0
proID dd 512 dup(0)
szDbg db 256 dup(0),0
szProcessName db 256 dup(0),0
szNewLine db " ",13,10,0
szDlgName db "MAIN_DIALOG", 0
szDllName db "D:/temp/Dll/Debug/Dll.dll",0
.DATA?
dwRet dd ?
hm HMODULE ?
dwHmRet dd ?
hProcess HANDLE ?
hProcessHandle HANDLE ?
hProcessID dd ?
hInstance dd ?
.CODE
;-----------------------------------------------------------------------
; Program entry (flat stdcall, MASM32).  Installs a top-level SEH frame
; whose handler, Error_Handler, always continues the search, runs the
; modal main dialog, unlinks the frame and exits with code 0.
; The DialogBoxParam result is not used for the exit code.
;-----------------------------------------------------------------------
START:
    assume  fs:nothing
    ; EXCEPTION_REGISTRATION on the stack: [esp] = previous frame,
    ; [esp+4] = handler.  Push order is handler first, then the old head.
    push    offset Error_Handler
    push    fs:[0]
    mov     fs:[0], esp
    invoke  GetModuleHandle, NULL
    mov     hInstance, eax
    invoke  DialogBoxParam, hInstance, ADDR szDlgName, NULL, ADDR DlgProc, 0
    ; Unlink our frame and discard the handler slot.
    pop     fs:[0]
    add     esp, 4
    invoke  ExitProcess, 0
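;-----------------------------------------------------------------------
; INT_PTR DlgProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; ABI:   stdcall (Win32 dialog procedure)
; In:    hWnd   = dialog window
;        uMsg   = message id
;        wParam = for WM_COMMAND: LOWORD = control id, HIWORD = notify code
;        lParam = unused here
; Out:   eax = TRUE when the message was handled, FALSE otherwise
; Clobb: eax, ecx, edx, flags
; Fix:   the original tested ax again after each invoke, but by then eax
;        held the API return value, not wParam.  A single .elseif chain
;        compares the control id once, before any call is made.
;-----------------------------------------------------------------------
DlgProc proc hWnd,uMsg,wParam,lParam
    .if uMsg==WM_INITDIALOG
        ; DLG_MAIN is also used as the icon resource id.
        invoke LoadIcon,hInstance,DLG_MAIN
        invoke SendMessage,hWnd,WM_SETICON,ICON_SMALL,eax
        invoke SendMessage,hWnd,WM_SETTEXT,0,ADDR szMsg
    .elseif uMsg==WM_COMMAND
        mov  eax,wParam                 ; ax = control id (LOWORD)
        .if ax==3002                    ; exit button (id not in .const)
            invoke EndDialog,hWnd,TRUE
        .elseif ax==1002                ; "process" button: refresh list
            invoke RetriveProcess,hWnd
        .elseif ax==BTN_ENJECT
            invoke Enject_Handle,hWnd
        .endif
    .elseif uMsg==WM_CLOSE
        invoke EndDialog,hWnd,FALSE
    .else
        mov  eax,FALSE                  ; not handled: let the default proc run
        ret
    .endif
    mov  eax,TRUE
    ret
DlgProc endp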
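;-----------------------------------------------------------------------
; void Print_Handler(LPCSTR processname, DWORD processid, HWND hDlg)
; ABI:   stdcall
; In:    processname = NUL-terminated module path (caller's buffer)
;        processid   = pid stored as the list item's data
;        hDlg        = dialog that owns ITEM_LIST
; Out:   nothing useful in eax
; Clobb: eax, ecx, edx, flags
; Fixes: (1) the original called GetShortPathName with ADDR processname,
;        i.e. the address of the parameter slot, not of the string, and
;        then overwrote the result anyway — the call is dropped.
;        (2) a 256-byte buffer could not hold a MAX_PATH name plus
;        "(pid)"; the local is now sized for the worst case.
;        (3) LB_SETITEMDATA is only sent when LB_ADDSTRING succeeded.
;-----------------------------------------------------------------------
Print_Handler proc processname:DWORD , processid:DWORD,hDlg:DWORD
    LOCAL hItem:HANDLE
    LOCAL szLine[MAX_PATH+16]:BYTE      ; path + "(" + 10 digits + ")" + NUL
    szText szFormat,"%s(%d)"
    invoke GetDlgItem,hDlg,ITEM_LIST
    mov  [hItem],eax
    invoke wsprintf,ADDR szLine,ADDR szFormat,processname,processid
    invoke SendMessage,[hItem],LB_ADDSTRING,0,ADDR szLine
    ; LB_ADDSTRING returns the new index, or a negative LB_ERR/LB_ERRSPACE.
    .if sdword ptr eax >= 0
        invoke SendMessage,[hItem],LB_SETITEMDATA,eax,[processid]
    .endif
    ret
Print_Handler endp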
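;-----------------------------------------------------------------------
; void RetriveProcess(HWND hDlg)
; ABI:   stdcall
; In:    hDlg = dialog that owns ITEM_LIST
; Out:   ITEM_LIST refilled with "path(pid)" entries; eax undefined
; Uses:  globals proID, dwRet, hProcessID, hProcessHandle, hm, dwHmRet,
;        szProcessName (not reentrant — same as the original)
; Clobb: eax, ecx, edx, flags
; Fixes: (1) when EnumProcesses failed the original jumped to an exit
;        path that popped two values it had never pushed, corrupting
;        the stack before ret.  Loop state now lives in LOCALs and the
;        early exit is a plain ret.
;        (2) a process whose modules could not be enumerated was skipped
;        without CloseHandle (handle leak per skipped process).
;        (3) the list is cleared with one LB_RESETCONTENT instead of a
;        delete-index-0 loop; the two ignored GetLastError calls go.
; Note:  processes that cannot be opened (access denied, exited) are
;        skipped silently, as before.  If dwRet == sizeof proID the pid
;        array may have been truncated; the list is then incomplete.
;-----------------------------------------------------------------------
RetriveProcess proc hDlg:DWORD
    LOCAL hItem:HANDLE
    LOCAL dwIndex:DWORD                 ; current slot in proID
    LOCAL dwCount:DWORD                 ; number of pids returned
    invoke GetDlgItem,hDlg,ITEM_LIST
    mov  [hItem],eax
    invoke SendMessage,[hItem],LB_RESETCONTENT,0,0
    invoke EnumProcesses,ADDR proID,sizeof proID,ADDR dwRet
    test eax,eax
    jz   @Done                          ; nothing pushed yet: plain ret is safe
    mov  ecx,[dwRet]
    shr  ecx,2                          ; bytes -> DWORD count
    mov  [dwCount],ecx
    mov  [dwIndex],0
@Next:
    mov  ecx,[dwIndex]
    cmp  ecx,[dwCount]
    jae  @Done
    mov  eax,proID[ecx*4]
    mov  [hProcessID],eax
    ; Read-only rights are enough to list the main module's path.
    invoke OpenProcess,PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,FALSE,eax
    test eax,eax
    jz   @Skip                          ; cannot open: skip, no handle to close
    mov  [hProcessHandle],eax
    invoke EnumProcessModules,[hProcessHandle],ADDR hm,sizeof hm,ADDR dwHmRet
    test eax,eax
    jz   @CloseSkip                     ; e.g. 32/64-bit mismatch: still close
    invoke GetModuleFileNameEx,[hProcessHandle],[hm],ADDR szProcessName,256
    invoke Print_Handler,ADDR szProcessName,[hProcessID],hDlg
@CloseSkip:
    invoke CloseHandle,[hProcessHandle]
@Skip:
    inc  [dwIndex]
    jmp  @Next
@Done:
    ret
RetriveProcess endp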
;-----------------------------------------------------------------------
; void Enject_Handle(HWND hDlg)
; ABI:   stdcall
; In:    hDlg = dialog; the item data of the selected ITEM_LIST entry
;        is taken as the target pid
; Out:   nothing (eax undefined); every failure ends in one MessageBox
; Clobb: eax, ecx, edx, flags
; NOTE(review): this is the classic remote-thread DLL-loading sequence
;   (VirtualAllocEx / WriteProcessMemory / CreateRemoteThread aimed at
;   LoadLibraryA).  Endpoint detection products commonly alert on
;   exactly this call chain, and it needs PROCESS_CREATE_THREAD,
;   PROCESS_VM_OPERATION and PROCESS_VM_WRITE on the target.  The DLL
;   path is the hard-coded szDllName.  Resource handling is incomplete:
;   proHandle is never closed on any path and lpAllocMem is not freed on
;   the error paths (see the per-line notes below).
;-----------------------------------------------------------------------
Enject_Handle proc hDlg:DWORD
LOCAL hItem:HANDLE
LOCAL processid:DWORD
LOCAL proHandle:HANDLE
LOCAL dLen : DWORD                      ; strlen(szDllName)+1, incl. NUL
LOCAL dWlen :DWORD                      ; bytes actually written remotely
LOCAL lpAllocMem:DWORD                  ; remote buffer holding the path
LOCAL lpfLoadLib:DWORD                  ; LoadLibraryA in this process
LOCAL dwThreadID:DWORD                  ; out-param for the thread id, then
                                        ; overwritten with the thread HANDLE
; Resolve the selected entry's pid.  NOTE(review): with nothing selected
; LB_GETCURSEL returns LB_ERR; that value is passed on as the item index,
; LB_GETITEMDATA returns LB_ERR again and OpenProcess is called with
; pid -1, which fails into the generic error box.
invoke GetDlgItem,[hDlg],ITEM_LIST
mov [hItem] , eax
invoke SendMessage,[hItem],LB_GETCURSEL,0,0
invoke SendMessage,[hItem],LB_GETITEMDATA ,eax,0;LB_ADDSTRING
mov [processid],eax
; Open the target with the three rights the calls below require.
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or PROCESS_VM_WRITE,0,[processid]
mov [proHandle],eax
test eax , eax
jz @ErrMsg
; dLen = strlen + 1 so the terminating NUL is copied too.
invoke lstrlen,ADDR szDllName
inc eax
mov [dLen] , eax
; Remote RW buffer for the path.  NOTE(review): from here on an error
; jump leaks proHandle; after the next call it also leaks lpAllocMem.
invoke VirtualAllocEx,[proHandle],NULL,[dLen],MEM_COMMIT,PAGE_READWRITE
test eax, eax
jz @ErrMsg
mov [lpAllocMem],eax
invoke WriteProcessMemory,[proHandle],[lpAllocMem],ADDR szDllName,[dLen],ADDR dWlen
test eax , eax
jz @ErrMsg
; Treat a short write as failure.
mov ecx , [dLen]
mov edx , [dWlen]
cmp ecx , edx
jnz @ErrMsg
; LoadLibraryA is resolved in this process; the address is used in the
; target unchanged, which relies on kernel32 being mapped at the same
; base in both processes.
szText KerName,"Kernel32.DLL"
invoke GetModuleHandle,ADDR KerName
test eax,eax
jz @ErrMsg
szText LoadLibName,"LoadLibraryA"
invoke GetProcAddress,eax,ADDR LoadLibName
test eax,eax
jz @ErrMsg
mov [lpfLoadLib] , eax
; Start the remote thread; its argument is the remote path buffer.
; dwThreadID receives the id via the out-param and is then replaced by
; the returned HANDLE, which is what CloseHandle below needs.
invoke CreateRemoteThread,[proHandle],0,0,[lpfLoadLib],[lpAllocMem],0,ADDR dwThreadID
mov [dwThreadID],eax
test eax , eax
jz @ErrMsg
; Fixed 3 s delay; nothing checks whether the thread has finished before
; the buffer it reads is decommitted.
invoke Sleep,3000
invoke VirtualFreeEx,[proHandle],[lpAllocMem],[dWlen],MEM_DECOMMIT
invoke CloseHandle,[dwThreadID]
; NOTE(review): proHandle is not closed here either.
jmp @ExitEnject
@ErrMsg:
; One message for every failure; GetLastError is not reported, so the
; text is misleading for anything after OpenProcess.
szText szError,"Error Open Process"
invoke MessageBox,0,ADDR szError,0,0
@ExitEnject:
ret
Enject_Handle endp
;-----------------------------------------------------------------------
; EXCEPTION_DISPOSITION Error_Handler(EXCEPTION_RECORD *rec, void *frame,
;                                     CONTEXT *ctx, void *dispatch)
; ABI:   stdcall; installed as the top-level SEH frame at START
; In:    four arguments, all ignored
; Out:   eax = 1 (ExceptionContinueSearch): every exception is passed on,
;        so this handler never recovers anything — the frame only keeps
;        the SEH chain well formed.
; Clobb: eax, flags (ecx is caller-saved under stdcall, so the original
;        "uses ecx" push/pop was not needed)
;-----------------------------------------------------------------------
Error_Handler proc lpExceptRecord:DWORD, lpFrame:DWORD, lpContext:DWORD, lpDispatch:DWORD
    xor     eax, eax
    inc     eax                         ; 1 = ExceptionContinueSearch
    ret
Error_Handler endp
end START
----------------------------------
侵入远程进程的代码也写完了。不是很复杂!!!
csdn的blog居然不支持上传文件。无语。。
下一步,钩挂Api!!!