|
[求助]如何得到某一程序中某一DLL的基址
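invoke GetPidFromProcName, CTEXT("B.exe")        ; PID of B.exe (not its image base, as the original comment said)
mov Pid, eax                                     ; keep the PID: the original never stored it, so GetShell32Base below got a stale Pid
invoke OpenProcess , PROCESS_ALL_ACCESS , TRUE , Pid ; open B.exe — not needed for the Toolhelp walk below, and the handle is never closed here
invoke GetShell32Base, Pid, CTEXT("C.dll")       ; base address of C.dll inside B.exe (0 if not loaded)
mov modBaseAddr, eax

;-----------------------------------------------------------------------
; DWORD GetPidFromProcName(LPCSTR lpProcName)
; ABI:   stdcall (MASM invoke)
; In:    lpProcName = executable name, compared case-insensitively with
;        PROCESSENTRY32.szExeFile
; Out:   eax = process id of the first match; 0 if no process matches or
;        the snapshot could not be taken (the original walked an
;        INVALID_HANDLE_VALUE snapshot)
;-----------------------------------------------------------------------
GetPidFromProcName proc lpProcName:DWORD
    LOCAL stProcess:PROCESSENTRY32
    LOCAL hSnapshot:DWORD
    LOCAL dwProcessID:DWORD

    mov dwProcessID, 0
    invoke RtlZeroMemory, addr stProcess, sizeof stProcess
    mov stProcess.dwSize, sizeof stProcess          ; Toolhelp rejects the call unless dwSize is filled in

    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    .if eax == INVALID_HANDLE_VALUE                  ; no snapshot: report "not found" rather than walking a bad handle
        xor eax, eax
        ret
    .endif
    mov hSnapshot, eax

    invoke Process32First, hSnapshot, addr stProcess
    .while eax
        invoke lstrcmpi, lpProcName, addr stProcess.szExeFile
        .if eax == 0
            mov eax, stProcess.th32ProcessID
            mov dwProcessID, eax
            .break                                   ; first match wins; several processes with the same name are not disambiguated
        .endif
        invoke Process32Next, hSnapshot, addr stProcess
    .endw

    invoke CloseHandle, hSnapshot
    mov eax, dwProcessID
    ret
GetPidFromProcName endp

;-----------------------------------------------------------------------
; DWORD GetShell32Base(DWORD remoteproid, LPCSTR modname)
; ABI:   stdcall (MASM invoke); ebx/esi/edi preserved by "uses"
; In:    remoteproid = PID of the process to inspect
;        modname     = module name, compared case-insensitively with
;                      MODULEENTRY32.szModule
; Out:   eax = modBaseAddr of the first matching module; 0 if the module
;        is not present or the snapshot could not be taken
; Fixes vs. the original: the early "ret" inside the loop leaked the
; snapshot handle, and the not-found path returned CloseHandle's BOOL
; (normally 1) as if it were a base address.
;-----------------------------------------------------------------------
GetShell32Base proc uses ebx esi edi remoteproid:dword, modname:dword
    LOCAL hSnapshot:dword
    LOCAL modinfo:MODULEENTRY32
    LOCAL dwBase:dword

    mov dwBase, 0
    mov modinfo.dwSize, sizeof MODULEENTRY32
    ; NOTE(review): MSDN documents retrying this call when it fails with
    ; ERROR_BAD_LENGTH, and cross-bitness enumeration (32-bit caller vs.
    ; 64-bit target or the reverse) needs TH32CS_SNAPMODULE32 semantics —
    ; confirm against the targets this is used on.
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, remoteproid
    .if eax == INVALID_HANDLE_VALUE
        xor eax, eax
        ret
    .endif
    mov hSnapshot, eax

    invoke Module32First, hSnapshot, addr modinfo
    .while eax
        invoke lstrcmpi, modname, addr modinfo.szModule
        .if eax == 0
            mov eax, modinfo.modBaseAddr
            mov dwBase, eax
            .break                                   ; remember the hit, then fall through to CloseHandle
        .endif
        invoke Module32Next, hSnapshot, addr modinfo
    .endw

    invoke CloseHandle, hSnapshot
    mov eax, dwBase
    ret
GetShell32Base endp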
|
[求助]LISTBOX的右键菜单
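但是以上的内容好像都没达到效果,因为可以随便在窗体某处右击,没有控制在LISTBOX内,以下代码应该可以实现:
; Subclass the list box once, while the dialog is being initialised.
; The original hung this off WM_CONTEXTMENU, which re-subclasses on every
; right click and stores ListBoxProc itself as the "previous" procedure,
; so the CallWindowProc below would call back into itself from the second
; context menu on.
.elseif uMsg==WM_INITDIALOG
...
    invoke GetDlgItem,hWnd,IDC_LST
    mov hList,eax
    invoke SetWindowLong,hList,GWL_WNDPROC,ListBoxProc
    mov lpListBox, eax                               ; previous list-box procedure; 0 means SetWindowLong failed

;-----------------------------------------------------------------------
; LRESULT CALLBACK ListBoxProc(HWND hCtl, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Subclass procedure for the list box: reacts to a right click inside the
; control, then forwards every message to the original procedure saved in
; lpListBox (the original forwarded to an undeclared "lpLstBox").
;-----------------------------------------------------------------------
ListBoxProc proc hCtl:DWORD, uMsg:DWORD, wParam:DWORD, lParam:DWORD
    .if uMsg == WM_RBUTTONDOWN                       ; WM_CONTEXTMENU would do as well and already carries screen coordinates
        invoke MessageBox,hDlg,CTEXT("test"),0,0     ; placeholder only; replace with the real popup-menu code
    .endif
    invoke CallWindowProc,lpListBox,hCtl,uMsg,wParam,lParam
    ret
ListBoxProc endp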
|
[求助]LISTBOX的右键菜单
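1、换种思路,用双击实现:
.IF uMsg == WM_COMMAND
    mov eax, wParam
    movzx edx, ax                                    ; edx = control id, i.e. IDListBox
    shr eax, 16                                      ; eax = notification code
    .IF edx == IDListBox && eax == LBN_DBLCLK
        ; handle the double click here
    .ENDIF
.ENDIF
2、鼠标右击:
.if uMsg == WM_RBUTTONDOWN
    ; The dialog only receives WM_RBUTTONDOWN for clicks on its own
    ; background; a click on the list box goes to the list box, so the
    ; subclassing in the other replies is needed for that case.
    ; GetClientRect gives (0,0,w,h) in the list box's own coordinate
    ; space, which cannot be compared with lParam (dialog client
    ; coordinates): take the screen rectangle and map it into the dialog.
    invoke GetWindowRect,hList,addr Rct
    invoke MapWindowPoints,NULL,hWnd,addr Rct,2
    mov eax,lParam
    and eax,0FFFFh                                   ; mouse X
    mov edx,lParam                                   ; the original had a stray comma here ("mov edx,lParam,")
    shr edx,16                                       ; mouse Y
    .if eax >= Rct.left && eax <= Rct.right && edx >= Rct.top && edx <= Rct.bottom
        invoke DestroyWindow,hList
    .endif
.endif
3、真正的右键菜单
.if uMsg == WM_INITDIALOG
    invoke LoadMenu, hInstance, offset MenuName      ; main menu
    mov hMenuh , eax
    invoke GetSubMenu, hMenuh,0                      ; popup (sub)menu
    mov hSubMenu, eax
...
.elseif uMsg==WM_CONTEXTMENU
    mov eax, lParam                                  ; screen coordinates of the click
    and eax, 0ffffh
    mov edx, lParam                                  ; edx instead of ebx: a window procedure must preserve ebx (callee-saved)
    shr edx, 16
    ;invoke TrackPopupMenu, hMenuh, TPM_LEFTALIGN, eax, edx, 0, hWnd, 0
    invoke TrackPopupMenu, hSubMenu, TPM_LEFTALIGN, eax, edx, 0, hWnd, 0
相关资料:列表框控件
1,创建方法:子窗口CREATEWINDOW,对话框.LISTBOX ID
2,列表样式:LBS_NOTIFY 父窗口发送消息 LBS_EXTENDEDSEL 扩展 LBS_SORT 字母顺序 LBS_NOREDRAW 改变时不重画 LBS_MULTIPLESEL 多选 LBS_STANDARD 标准样式
3,消息传递:发送WM_COMMAND 字参数(WPARAM) 高字:通知码 低字:控件标识
4,通知码: LBN_SELCHANGE 发生改变 LBN_DBLCLK 双击 LBN_SELCANCEL 选择取消 LBN_SETFOCUS 收到输入焦点 LBN_KILLFOCUS 失去输入焦点
应用程序对列表框通过SENDMESSAGE或SENDLGITEMMESSAGE发送以下消息.
LB_ADDFILE 加入指定文件 LB_GETTEXT 获取指定文本 LB_ADDSTRING 加入列表项 LB_GETTEXTLEN 获取指定项长度 LB_DELETESTRING 删除列表项 LB_GETTOPINDEX 获取第一项的索引值 LB_DIR 列出指定文件 LB_INSERTSTRING 加入一项 LB_FINDSTRING 查找指定项 LB_RESETCONTENT 清空 LB_GETCOUNT 项数 LB_SETSEL 设置状态 LB_GETCURSEL 选中的索引值 LB_SETCURSEL 设置选中项 LB_GETSEL 获取选中状态 LB_SETTOPINDEX 设置第一项索引值 LB_GETSELCOUNT 获取项数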
|
[求助]如何得到远程程序的基址
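有几种方法吧:
1、
; GetModuleInformation needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ;
; PROCESS_ALL_ACCESS buys nothing here and is refused on protected targets.
invoke OpenProcess , PROCESS_QUERY_INFORMATION or PROCESS_VM_READ , TRUE , Pid
mov hProcess,eax
; ModuleHwnd must be the module's HMODULE as seen *inside the target*
; (EnumProcessModules / Toolhelp), not a handle from the caller's own
; address space.
invoke GetModuleInformation,hProcess,ModuleHwnd,addr ModuleInformation,size MODULEINFO
其中:
MODULEINFO struct
    lpBaseOfDll dword 0          ; load address of the module in the target
    SizeOfImage dword 0          ; size of the mapped image
    EntryPoint  dword 0          ; entry point
MODULEINFO ends
2、
;-----------------------------------------------------------------------
; PVOID GetModulePreferredBaseAddr(DWORD dwProcessID, PVOID pvModuleRemote)
; Reads the DOS and NT headers of a module mapped in another process and
; returns OptionalHeader.ImageBase — the *preferred* base recorded in the
; PE header. It differs from the real load address whenever the loader
; relocated the image (base conflict, ASLR); use Toolhelp's modBaseAddr or
; GetModuleInformation for the address actually in use.
; Out: eax = ImageBase, or 0 if a read fails or a signature does not match
;      (the original returned an uninitialised local there and had no
;      "ret", so execution fell through the end of the proc).
;-----------------------------------------------------------------------
GetModulePreferredBaseAddr proc dwProcessID:DWORD,pvModuleRemote:PVOID
    local pvModulePreferredBaseAddr:PVOID
    LOCAL idh:IMAGE_DOS_HEADER
    LOCAL inth:IMAGE_NT_HEADERS

    mov pvModulePreferredBaseAddr,0
    invoke Toolhelp32ReadProcessMemory,dwProcessID,pvModuleRemote,addr idh,sizeof idh,NULL
    .if eax && idh.e_magic==IMAGE_DOS_SIGNATURE
        ; "pvModuleRemote+idh.e_lfanew" is not a valid invoke argument
        ; (two memory operands); form the NT-header address in a register.
        ; ecx, not eax: invoke uses eax to push "addr inth".
        mov ecx,pvModuleRemote
        add ecx,idh.e_lfanew
        invoke Toolhelp32ReadProcessMemory,dwProcessID,ecx,addr inth,sizeof inth,NULL
        .if eax && inth.Signature==IMAGE_NT_SIGNATURE
            mov eax,inth.OptionalHeader.ImageBase
            mov pvModulePreferredBaseAddr,eax
        .endif
    .endif
    mov eax,pvModulePreferredBaseAddr
    ret
GetModulePreferredBaseAddr endp
3、
; VirtualQueryEx needs only PROCESS_QUERY_INFORMATION.
invoke OpenProcess , PROCESS_QUERY_INFORMATION , TRUE , Pid
mov hProcess,eax
; 400000h is just the linker's default image base: if the target was linked
; at another base or relocated by ASLR, the region found here belongs to
; something else (or is free). VirtualQueryEx returns 0 on failure, so
; BaseAddress is only taken when meminfo was actually written.
invoke VirtualQueryEx,hProcess,400000h,addr meminfo,sizeof meminfo
.if eax
    mov eax,meminfo.BaseAddress
    mov BaseAddr,eax
.endif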
|
|
|
|
|
[下载]Ultimate Hooking Engine
翻译了一下,MASM版本:
; Reviewer's reading of this listing (MASM, 32-bit, stdcall):
; - hookapi (host side) starts the target CREATE_SUSPENDED, allocates an
;   RWX page in it and points the initial thread's EAX at that page. The
;   code that writes the "loader" stub there and resumes the thread is
;   not in this listing: several CTEXT(" strings are cut off on the
;   source page, and m2m/get_delta/copystring/cacl_bytes come from
;   cacl5bytes.asm, which is not shown.
; - mainloader / WalkDllsAndHook run inside the target and, for every
;   export of the hook DLL named HOOK_<dll>_<api>, overwrite the first
;   bytes of <api> with an E9 jmp to the hook (InstallDetour).
; Detection note: afterwards the hooked exports of kernel32/user32 begin
; with a jmp into a non-image RWX page and the API pages themselves stay
; PAGE_EXECUTE_READWRITE; an in-memory vs. on-disk compare of those
; modules' .text, or an export-entry-point sanity check, exposes this.
include cacl5bytes.asm

;-----------------------------------------------------------------------
; hookapi: host-side driver. Uses globals declared elsewhere in the
; project: hOutputCtl, sinfo, pinfo, ctx, stubmemory and the
; NewLoadLibraryA/NewVirtualAlloc/NewVirtualProtect/NewGetProcAddress slots.
;-----------------------------------------------------------------------
hookapi proc
    invoke OutputInfo, hOutputCtl, CTEXT("Ultimate Hooking Engine")
    jmp __execute

; Stub meant to run in the target: calls mainloader, then "returns" to a
; placeholder. Presumably 0deadc0deh is patched to the original entry
; point before the stub is copied — that code is not in this listing.
loader:
    pusha
    call mainloader
    popa
goback:
    push 0deadc0deh
    retn

__execute:
    ; GetThreadContext needs ctx.ContextFlags set; the line below is
    ; commented out in the original, so it is presumably set elsewhere —
    ; TODO confirm.
    ;mov ctx.ContextFlags, CONTEXT_FULL
    invoke CreateProcessA, CTEXT("I:\Ultimate Hooking Engine\hook\test.exe"), 0,0,0,0, CREATE_SUSPENDED, 0,0, offset sinfo, offset pinfo
    test eax, eax
    jz __killprocess
    ; RWX page in the target; the return value is not checked for 0
    INVOKE VirtualAllocEx, pinfo.hProcess, 0, 1000h, MEM_COMMIT, PAGE_EXECUTE_READWRITE
    mov stubmemory, eax
    INVOKE GetThreadContext, pinfo.hThread, offset ctx
    mov eax, ctx.regEax                              ; loaded and immediately overwritten: the original EAX is not saved here
    mov eax, stubmemory
    mov ctx.regEax, eax                              ; initial thread will start at stubmemory
    INVOKE SetThreadContext, pinfo.hThread, offset ctx
    ; source page is cut here: the text after CTEXT(" is missing
    invoke OutputInfo, hOutputCtl, CTEXT("
    ; m2m (MASM32 push/pop memory-to-memory move) fills the API slots the
    ; in-target stub calls through [ebp+NewXxx]
    m2m NewLoadLibraryA, LoadLibraryA
    m2m NewVirtualAlloc, VirtualAlloc
    m2m NewVirtualProtect, VirtualProtect
    m2m NewGetProcAddress, GetProcAddress
    ; source page is cut here too; the copy of the stub into stubmemory
    ; and the thread resume are presumably among the missing text
    invoke OutputInfo, hOutputCtl, CTEXT("
    invoke OutputInfo, hOutputCtl, CTEXT("
@exit:
    ret
__killprocess:
    invoke OutputInfo, hOutputCtl, CTEXT("[X] can't create process... 
did you type correct name?")
    jmp @exit
__usage:
    invoke OutputInfo, hOutputCtl, CTEXT("[X] wrong arguments!!")
    jmp @exit
hookapi endp

;-----------------------------------------------------------------------
; mainloader: runs inside the target at stubmemory. Position independent:
; ebp = delta (runtime minus link-time address), and every global below
; is addressed as [ebp+name].
;-----------------------------------------------------------------------
mainloader proc
    call delta
delta:
    pop ebp
    sub ebp, offset delta                            ; ebp = delta
    ; load the hook DLL
    lea eax, [ebp+dllname]                           ; "hookdll.dll"
    push eax
    call [ebp+NewLoadLibraryA]                       ; LoadLibraryA(dllname)
    mov [ebp+dllbase], eax                           ; DLL base (original note: EAX=10000000, bytes 4D 5A 90 00 03)
    test eax, eax                                    ; load failed: just return (the original comment mentions a message that is not here)
    jz nohookmain
    call WalkDllsAndHook                             ; install every HOOK_* export
    ; Build a short export name on the stack from xor'ed constants
    ; (decoded value not reproduced here), look it up in the hook DLL
    ; and call it with no arguments.
    xor ecx, ecx
    sub ecx, 87868600h
    push ecx
    xor ecx, 16101B6Dh
    push ecx
    xor ecx, 0FD060DFBh
    push ecx
    push esp                                         ; lpProcName = the 12 bytes just pushed
    push [ebp+dllbase]
    call [ebp+NewGetProcAddress]
    lea esp, dword ptr [esp+0Ch]                     ; drop the name buffer without touching flags
    test eax, eax
    jz nohookmain                                    ; export missing: skip (again no message despite the original comment)
    call eax
nohookmain:
    retn
mainloader endp

;-----------------------------------------------------------------------
; WalkDllsAndHook: walks the hook DLL's export name table (in the target,
; ebp = delta from mainloader). For each export named HOOK_<dll>_<api> it
; loads <dll>, resolves <api>, and calls InstallDetour(api, hook,
; &Detoured_<api> or &dummy). Clobbers ebx, esi, eax in the outer loop;
; the per-export work is wrapped in pusha/popa.
;-----------------------------------------------------------------------
WalkDllsAndHook proc
    mov ebx, [ebp+dllbase]                           ; DLL base ("MZ")
    add ebx, [ebx+3ch]                               ; + e_lfanew -> PE header (original note: 000000E8)
    mov ebx, [ebx+78h]                               ; export directory RVA (original note: 0000AFB0)
    add ebx, [ebp+dllbase]                           ; ebx = IMAGE_EXPORT_DIRECTORY
    xor eax, eax                                     ; eax = name index
    mov esi, [ebx+20h]                               ; AddressOfNames (RVA)
    add esi, [ebp+dllbase]
cyclenames:
    mov ecx, [esi]
    add ecx, [ebp+dllbase]                           ; ecx = export name string
    cmp dword ptr[ecx], 'KOOH'                       ; name starts with "HOOK"?
    jne nextname                                     ; no: next name
    pusha
    mov [ebp+currenthookexport], ecx                 ; remember the full export name
    mov esi, ecx
    add esi, 5                                       ; skip "HOOK_"
    lea edi, [ebp+dllname]                           ; the dllname buffer is reused for the target module name
    ; copy up to the next '_' — no length check, so a HOOK export without
    ; a second '_' runs past the name and past the buffer
copydllname:
    lodsb
    stosb
    cmp al, '_'
    jne copydllname
    mov byte ptr[edi-1], 0                           ; terminate at the '_'
    lea edi, [ebp+apiname]                           ; destination for the API name
    copystring                                       ; macro (cacl5bytes.asm, not shown): copy the rest of the name
    lea eax, [ebp+dllname]                           ; e.g. "kernel32"
    push eax
    call [ebp+NewLoadLibraryA]                       ; LoadLibraryA(<dll>)
    mov [ebp+currentdllbase], eax                    ; e.g. kernel32 base (not checked for 0)
    push [ebp+currenthookexport]                     ; "HOOK_kernel32_CreateFileA"
    push [ebp+dllbase]
    call [ebp+NewGetProcAddress]
    mov [ebp+currenthookexport], eax                 ; now the hook function's address
    lea eax, [ebp+apiname]                           ; e.g. "CreateFileA"
    push eax
    push [ebp+currentdllbase]
    call [ebp+NewGetProcAddress]                     ; e.g. kernel32.CreateFileA (not checked for 0)
    mov esi, eax
    lea eax, [ebp+detoured]                          ; "Detoured_<api>" name; presumably filled by copystring — TODO confirm
    push eax
    push [ebp+dllbase]
    call [ebp+NewGetProcAddress]
    ;mydll.Detoured_CreateFileA
    test eax, eax
    jz nodetoured
    push eax                                         ; detour_variable = &Detoured_<api>
    push [ebp+currenthookexport]                     ; new_address = hook function
    push esi                                         ; api_address
    call InstallDetour
    jmp skip0
nodetoured:
    lea ecx, [ebp+dummy]                             ; no Detoured_ export: trampoline pointer goes to a dummy slot
    push ecx
    push [ebp+currenthookexport]
    push esi
    call InstallDetour
skip0:
    popa
nextname:
    inc eax
    add esi, 4
    cmp eax, [ebx+18h]                               ; NumberOfNames
    jb cyclenames
@exit:
    ret
WalkDllsAndHook endp

;-----------------------------------------------------------------------
; InstallDetour(api_address, new_address, detour_variable) — stdcall, 3 args
; Copies at least 5 bytes of whole instructions from api_address into the
; shared trampoline page (detour_buffer), appends a jmp back to
; api_address+count, stores the trampoline address in *detour_variable,
; then nop-fills the copied bytes in the API and writes an E9 jmp to
; new_address at its entry. cacl_bytes (cacl5bytes.asm, not shown) gives
; instruction lengths; ebx = delta via the get_delta macro.
; Neither VirtualProtect nor VirtualAlloc results are checked, and the
; old protection returned in dummyvar is never reapplied.
;-----------------------------------------------------------------------
InstallDetour proc api_address:dword,new_address:dword,detour_variable:dword
    local local_delta:dword
    local dummyvar:dword                             ; receives lpflOldProtect
    pusha
    get_delta                                        ; macro (not shown): eax = delta
    xchg eax, ebx                                    ; ebx = delta for [ebx+global] below
    lea ecx, dummyvar
    push ecx
    push PAGE_EXECUTE_READWRITE
    push 1000h
    push api_address
    call [ebx+NewVirtualProtect]                     ; make the API page writable
    cmp [ebx+detour_buffer], 0
    jne skip_alloc                                   ; one shared RWX trampoline page, allocated on first use
    push PAGE_EXECUTE_READWRITE
    push 1000h
    push 1000h
    push 0
    call [ebx+NewVirtualAlloc]
    mov [ebx+detour_buffer], eax
skip_alloc:
    mov esi, api_address
    mov edi, [ebx+detour_buffer]
    xor ecx, ecx                                     ; ecx = bytes covered so far
get_5bytes:
    push esi
    call cacl_bytes                                  ; eax = length of the instruction at esi
    add esi, eax
    add ecx, eax
    cmp ecx, 5
    jb get_5bytes                                    ; until >= 5 bytes of whole instructions
    mov esi, api_address
    push ecx                                         ; keep the count (rep movsb zeroes ecx)
    rep movsb                                        ; copy the prologue into the trampoline
    pop ecx
    push edi
    push eax
    mov edi, api_address
    mov al, 90h
    rep stosb                                        ; nop-fill the copied bytes in the API
    pop eax
    pop edi
    mov byte ptr[edi], 0e9h                          ; trampoline tail: jmp back to api_address+count
    add edi, 5
    sub esi, edi                                     ; rel32 = (api_address+count) - (address after the jmp)
    mov dword ptr[edi-4], esi                        ; original note: 0EF9FFFB
install_hook:
    mov eax, detour_variable
    push [ebx+detour_buffer]
    pop dword ptr[eax]                               ; *detour_variable = trampoline
    mov eax, api_address
    mov ecx, new_address
    mov byte ptr[eax], 0e9h                          ; API entry: jmp new_address
    add eax, 5
    sub ecx, eax
    mov dword ptr[eax-4], ecx
    mov [ebx+detour_buffer], edi                     ; advance the bump allocator for the next detour
    popa
    leave
    retn 0ch
InstallDetour endp

DLL源码::
; Hook DLL: each HOOK_<dll>_<api> export is found by WalkDllsAndHook; the
; Detoured_* variables receive the trampoline address from InstallDetour.
.386
.model flat, stdcall
option casemap: none
include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib
public C Detoured_MessageBoxA
public C Detoured_GetModuleHandleA
.data?
Detoured_MessageBoxA dd ?                            ; trampoline to the original MessageBoxA
Detoured_GetModuleHandleA dd ?                       ; trampoline to the original GetModuleHandleA
.code
; eax is assigned only for DLL_PROCESS_ATTACH; for other reason codes the
; return value is whatever eax held (the loader ignores it there, but it
; is undefined).
DllEntry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD
    .if reason==DLL_PROCESS_ATTACH
        mov eax,TRUE
    .endif
    ret
DllEntry Endp
; Pass-through: forwards to the original via the trampoline pointer.
HOOK_user32_MessageBoxA proc hwnd:DWORD, text:DWORD, about:DWORD, icon:DWORD
    push icon
    push about
    push text
    push hwnd
    call Detoured_MessageBoxA
    ret
HOOK_user32_MessageBoxA endp
HOOK_kernel32_GetModuleHandleA proc modulename:dword
    push modulename
    call Detoured_GetModuleHandleA
    ret
HOOK_kernel32_GetModuleHandleA endp
; Replaces ExitProcess with TerminateProcess on the current process
; ((HANDLE)-1), so the orderly shutdown ExitProcess performs is skipped.
HOOK_kernel32_ExitProcess proc exitcode:dword
    invoke TerminateProcess, -1, exitcode
    ret
HOOK_kernel32_ExitProcess endp
End DllEntry
-----------------------mydll.Inc-------------
; prototypes list no parameters, so they only match the push/call usage
; above, not invoke with arguments
HOOK_kernel32_GetModuleHandleA proto
HOOK_user32_MessageBoxA proto
HOOK_kernel32_ExitProcess proto
Detoured_GetModuleHandleA proto
Detoured_MessageBoxA proto
------------------------mydll.Def-------------
EXPORTS
HOOK_user32_MessageBoxA
HOOK_kernel32_GetModuleHandleA
HOOK_kernel32_ExitProcess
Detoured_GetModuleHandleA
Detoured_MessageBoxA
|
FileMoniotor1.0 for ring3
此Detoured非彼detours库, |
|
FileMoniotor1.0 for ring3
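deroko的那个可能比较完美: http://bbs.pediy.com/showthread.php?t=45601&highlight=Ultimate
; Hook DLL for the engine above: each HOOK_<dll>_<api> export is a
; pass-through to the original API via the Detoured_* trampoline pointers
; that the engine fills in.
.386
.model flat, stdcall
option casemap: none
include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib
public C Detoured_MessageBoxA
public C Detoured_GetModuleHandleA
.data?
Detoured_MessageBoxA dd ?                            ; trampoline to the original MessageBoxA
Detoured_GetModuleHandleA dd ?                       ; trampoline to the original GetModuleHandleA
.code
;-----------------------------------------------------------------------
; BOOL DllEntry(HINSTANCE, DWORD reason, LPVOID)
; Returns TRUE for every reason code. The original only set eax for
; DLL_PROCESS_ATTACH and returned whatever eax happened to hold otherwise.
;-----------------------------------------------------------------------
DllEntry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD
    mov eax,TRUE
    ret
DllEntry Endp
; Pass-through: same arguments, forwarded to the original through the
; trampoline pointer (stdcall, so the callee cleans up the four pushes).
HOOK_user32_MessageBoxA proc hwnd:DWORD, text:DWORD, about:DWORD, icon:DWORD
    push icon
    push about
    push text
    push hwnd
    call Detoured_MessageBoxA
    ret
HOOK_user32_MessageBoxA endp
HOOK_kernel32_GetModuleHandleA proc modulename:dword
    push modulename
    call Detoured_GetModuleHandleA
    ret
HOOK_kernel32_GetModuleHandleA endp
; Replaces ExitProcess with TerminateProcess on the current process
; ((HANDLE)-1); the orderly shutdown ExitProcess performs is skipped.
HOOK_kernel32_ExitProcess proc exitcode:dword
    invoke TerminateProcess, -1, exitcode
    ret
HOOK_kernel32_ExitProcess endp
End DllEntry
-----------------------mydll.Inc-------------
; prototypes list no parameters, so they only match the push/call usage
; above, not invoke with arguments
HOOK_kernel32_GetModuleHandleA proto
HOOK_user32_MessageBoxA proto
HOOK_kernel32_ExitProcess proto
Detoured_GetModuleHandleA proto
Detoured_MessageBoxA proto
------------------------mydll.Def-------------
EXPORTS
HOOK_user32_MessageBoxA
HOOK_kernel32_GetModuleHandleA
HOOK_kernel32_ExitProcess
Detoured_GetModuleHandleA
Detoured_MessageBoxA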
|
FileMoniotor1.0 for ring3
讲的非常正确,汇编写的程序,未做特殊处理,在IDA中反汇编后,结合一些API的调用,基本上可以还原代码. |
|
如何在驱动中启动用户层程序[讨论]
RING0中调用RING3程序,这是比较难的问题.收集了一份源码,上传以供参考. 另外多用搜索引擎得到更多的答案. 在ring0调用Ring3的代码 : http://blog.csdn.net/iiprogram/archive/2006/05/11/723376.aspx Ring0 Call Ring3: http://blog.csdn.net/Purpleendurer/archive/2005/03/13/318702.aspx |