[原创]创建远程线程,将代码注入到其它进程中执行
;本文是用的远程线程注入办法。
;还有别的办法,如:
;1.hook创建进程的相关api;
;2.ssdt hook;
;3.修改EPROCESS结构等直接内核对象操作。
.386
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
.data
; Window class / title used to locate the target: the shell's
; "Program Manager" desktop window (normally owned by the shell process;
; the code never verifies which image that is).
szDesktopClass db "Progman",0
szDesktopWindow db "Program Manager",0
; Module and export resolved in THIS process; the resulting address is
; later copied into the remote blob's first dword (startcode_ipsleep).
szDllkernel db "Kernel32.dll",0
szsleep db "Sleep",0
.data?
lpsleep dd ?            ; local address of kernel32!Sleep (from GetProcAddress)
dwProcessID dd ?        ; PID that owns the desktop window (GetWindowThreadProcessId)
hProcess dd ?           ; handle returned by OpenProcess
lpRemoteCode dd ?       ; base of the RWX region allocated in the target (VirtualAllocEx)
.code
startcode_ipsleep dd ?  ; first dword of the injected blob; the injector
                        ; overwrites it in the remote copy with lpsleep
                        ; (second WriteProcessMemory in start)
;-----------------------------------------------------------------------
; DWORD WINAPI RemoteThread(LPVOID lParam)
; Position-independent thread body that is copied into the target
; process as one byte range [startcode_ipsleep, lcl). The blob is
; relocated by computing a delta in ebx, so every static reference in it
; must go through ebx and the layout of this span must not be changed.
; In:    lParam (unused)
; Out:   never returns; loops forever calling Sleep(1000)
; NOTE(review): "uses ebx edi esi" plus a parameter makes MASM emit a
; prologue that saves ebp/ebx/edi/esi; only ebx is actually written here.
;-----------------------------------------------------------------------
RemoteThread proc uses ebx edi esi lParam
call @F
@@:pop ebx              ; ebx = runtime address of @@
sub ebx,offset @B       ; ebx = runtime address - link-time address (delta)
begin:push 1000
call [ebx+startcode_ipsleep]   ; Sleep(1000) through the patched slot
jmp begin               ; infinite loop: the remote thread never exits
ret                     ; unreachable (kept only to end the proc cleanly)
RemoteThread endp
lcl dd "lcl",0          ; end marker: offset lcl - offset startcode_ipsleep = blob size
;-----------------------------------------------------------------------
; Entry point: the classic CreateRemoteThread injection sequence.
; 1. resolve Sleep in this process,
; 2. find the process owning the desktop window,
; 3. allocate an RWX region there and copy the blob [startcode_ipsleep, lcl),
; 4. patch the local Sleep address into the blob's first dword,
; 5. start a thread at RemoteThread's offset inside the copy.
; Exactly this chain (OpenProcess with PROCESS_VM_WRITE|PROCESS_CREATE_THREAD,
; VirtualAllocEx with PAGE_EXECUTE_READWRITE, cross-process
; WriteProcessMemory, CreateRemoteThread) is the standard telemetry
; signature for process injection; Sysmon Event ID 8 records the
; CreateRemoteThread step.
; NOTE(review): no return value is checked anywhere below; a NULL from
; GetProcAddress, FindWindow, OpenProcess or VirtualAllocEx is passed on
; unchanged to the next call, and hProcess is never closed on such paths
; other than the final CloseHandle.
;-----------------------------------------------------------------------
start:invoke GetModuleHandle,addr szDllkernel
mov ebx,eax                 ; ebx = module handle of Kernel32.dll (NULL if lookup fails)
invoke GetProcAddress,ebx,offset szsleep
mov lpsleep,eax             ; local address of Sleep; the blob reuses it in the
                            ; target, so this presumably relies on kernel32 being
                            ; mapped at the same base in both processes — confirm
invoke FindWindow,addr szDesktopClass,addr szDesktopWindow
invoke GetWindowThreadProcessId,eax,offset dwProcessID   ; writes the owning PID
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or PROCESS_VM_WRITE,FALSE,dwProcessID
mov hProcess,eax
; size = whole blob, protection RWX: this is what makes the region show up
; as an anomalous executable private allocation in memory scanners.
invoke VirtualAllocEx,hProcess,0,offset lcl - offset startcode_ipsleep,MEM_COMMIT,PAGE_EXECUTE_READWRITE
mov lpRemoteCode,eax
; first write: the blob itself
invoke WriteProcessMemory,hProcess,lpRemoteCode,offset startcode_ipsleep,offset lcl - offset startcode_ipsleep,0
; second write: 4 bytes of lpsleep over the blob's first dword (startcode_ipsleep slot)
invoke WriteProcessMemory,hProcess,lpRemoteCode,offset lpsleep,4,0
mov eax,lpRemoteCode
add eax,offset RemoteThread - offset startcode_ipsleep   ; eax = remote address of RemoteThread
invoke CreateRemoteThread,hProcess,0,0,eax,0,0,0
invoke CloseHandle,eax      ; thread handle dropped immediately; the thread keeps running
invoke CloseHandle,hProcess
ret                         ; returns to the loader's entry caller; MASM32 code
                            ; more conventionally ends with invoke ExitProcess,0
end start