注入win32汇编模态对话框时,总是无法成功,现把代码贴于下面并传于附件。请大牛不吝赐教。之前在看雪网上看了好多人提问,但都没有一个确切的答案,也试过他们的方法但还是无法显示对话框。具体情况是这样的:对话框能正常编译并生成Dll和exe(包括被注入和注入对话框),被注入对话框改写exe能正常显示。注入对话框也能正常注入其它窗口类程序。目前只发现不能注入上传(或者这类)对话框。编译器是2.2的RadASM,跪求指教。望高手指点。调试了两天都没有一个结果。
;主调用程序
;>>>>>>>>>>>>
;以下为调用窗口(主程序)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
IDD_DLG1 equ 8000H ; main dialog template id (0x8000 in the .rc below)
ICO_MAIN equ 8001H ; main icon resource id
.data?
hInstanc dd ? ; injector's module handle, set at start, used by LoadIcon
dwProcessID dd ? ; not referenced in the visible code
dwThreadID dd ? ; not referenced in the visible code
hProcess dd ? ; target process handle returned by OpenProcess (_InjectFunc)
lpLoadLibrary dd ? ; local address of kernel32!LoadLibraryA, used as the remote thread start routine
lpDllName dd ? ; buffer allocated in the target (VirtualAllocEx) that receives the DLL path
szMyDllFull db MAX_PATH dup (?) ; full DLL path: current directory + szMyDll
.const
szErrOpen db '无法打开远程线程!',0 ; shown when OpenProcess on the target fails
szDllKernel db 'Kernel32.dll',0 ; module that exports LoadLibraryA
szLoadLibrary db 'LoadLibraryA',0 ; export resolved with GetProcAddress
szMyDll db '\ZtDll.dll',0 ; file name of the dialog DLL to inject, appended to the current directory
szPlayCN db 'explorer.exe',0 ; target process name, looked up in the toolhelp process snapshot
szPrompt db '温馨提示',0 ; caption used by every message box
ErroText db '进程未启动!请先启动进程。',0 ; shown when the target process is not running
;>>>>>>>>>>>> wsprintf format strings; only ForMFive is used in the visible code (by _MessageBox)
ForMOne db '%s',0
ForMTwo db '%d/%d',0
ForMThree db '%d',0
ForMFour db '%d:%d',0
ForMFive db '内容:%d',0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
;>>>>>>>>>>>>>提示便利函数
;-----------------------------------------------------------------------
; _MessageBox: debugging helper - pops up '内容:<n>' for a DWORD value.
;   _szDate -> value to display; formatted with ForMFive ('内容:%d')
;   returns eax = MessageBox result
; The 20-byte buffer holds the prefix, up to 11 characters of %d and the
; terminator (assumes the source is GBK-encoded, 2 bytes per CJK char).
;-----------------------------------------------------------------------
_MessageBox proc _szDate
LOCAL @szText[20]:byte
invoke wsprintf,addr @szText,addr ForMFive,_szDate
invoke MessageBox,NULL,addr @szText,addr szPrompt,MB_OK or MB_ICONQUESTION
ret
_MessageBox endp
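;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; _GetProcessID: look up a running process by executable name using a
; toolhelp snapshot.
;   szProName -> NUL-terminated ANSI image name, e.g. 'explorer.exe'
;   returns   eax = PID of the first matching process, 0 if none is
;             found or the snapshot could not be taken
; The comparison is case-insensitive (image names are not case-sensitive
; on Windows; the original used lstrcmp).  All other registers are
; preserved via pushad/popad.
; (In the pasted listing the proc line was glued onto the comment above
; it and therefore commented out; it is restored on its own line here.)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_GetProcessID proc szProName
LOCAL @stProcess:PROCESSENTRY32
LOCAL @hSnapShot:DWORD
LOCAL @dwPID:DWORD
pushad
mov @dwPID,0
invoke RtlZeroMemory,addr @stProcess,Sizeof @stProcess
mov @stProcess.dwSize,Sizeof @stProcess
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,NULL
.if eax == INVALID_HANDLE_VALUE
; the original walked on with an invalid handle; report "not found"
popad
xor eax,eax
ret
.endif
mov @hSnapShot,eax
invoke Process32First,@hSnapShot,addr @stProcess
.while eax
invoke lstrcmpi,szProName,addr @stProcess.szExeFile
.if eax == 0
push @stProcess.th32ProcessID
pop @dwPID
.break
.endif
invoke Process32Next,@hSnapShot,addr @stProcess
.endw
invoke CloseHandle,@hSnapShot
popad
mov eax,@dwPID
ret
_GetProcessID endp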
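;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; _InjectFunc: load szMyDll into the process named by szPlayCN by
; running kernel32!LoadLibraryA(<dll path>) on a remote thread.
;   Wnd     -> owner window for the error message boxes
;   returns eax = 1 after a successful load, and also 1 when the target
;                 is not running or OpenProcess failed (a message box is
;                 shown first in both cases, as in the original);
;                 eax = 0 when the path does not fit the buffer, the
;                 remote buffer/write/thread could not be created, or
;                 the remote LoadLibraryA returned NULL.
;             _ProcDlgMain treats 0 as its exit signal, so this mapping
;             is kept unchanged.
; Globals written: szMyDllFull, lpLoadLibrary, hProcess, lpDllName.
; NOTE(review): the local LoadLibraryA address is used as the remote
; start routine, so this assumes the target has the same bitness as this
; 32-bit injector and maps kernel32 at the same base; a 32-bit DLL cannot
; be loaded into a 64-bit explorer.exe.
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Least-privilege access mask: exactly what VirtualAllocEx/VirtualFreeEx,
; WriteProcessMemory and CreateRemoteThread need (was PROCESS_ALL_ACCESS).
INJECT_ACCESS equ PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ
_InjectFunc proc uses ebx esi edi Wnd
LOCAL dwPID:dword,hThread:dword,dwExitCode:dword,dwResult:dword
mov dwResult,0
; Build '<current directory>\ZtDll.dll'.  The path is relative to the
; working directory, not to the injector's own folder, so the remote
; LoadLibraryA fails when the injector is started from elsewhere.
invoke GetCurrentDirectory,MAX_PATH,offset szMyDllFull
.if eax == 0 || eax > MAX_PATH - sizeof szMyDll
; lookup failed, or appending szMyDll would overflow the MAX_PATH buffer
xor eax,eax
ret
.endif
invoke lstrcat,offset szMyDllFull,offset szMyDll
; Resolve LoadLibraryA in this process; the address is reused remotely.
invoke GetModuleHandle,offset szDllKernel
invoke GetProcAddress,eax,offset szLoadLibrary
mov lpLoadLibrary,eax
invoke _GetProcessID,addr szPlayCN
.if eax == 0
invoke MessageBox,Wnd,offset ErroText,offset szPrompt,MB_OK or MB_ICONQUESTION
mov eax,1 ; explicit; the original returned MessageBox's IDOK (1) here
ret
.endif
mov dwPID,eax
invoke OpenProcess,INJECT_ACCESS,FALSE,dwPID
.if eax == 0
invoke MessageBox,Wnd,offset szErrOpen,offset szPrompt,MB_OK or MB_ICONQUESTION
mov eax,1
ret
.endif
mov hProcess,eax
invoke VirtualAllocEx,hProcess,NULL,MAX_PATH,MEM_COMMIT,PAGE_READWRITE
.if eax == 0
invoke CloseHandle,hProcess ; the original leaked hProcess on this path
xor eax,eax
ret
.endif
mov lpDllName,eax
invoke WriteProcessMemory,hProcess,lpDllName,offset szMyDllFull,MAX_PATH,NULL
.if eax != 0
; Remote thread = LoadLibraryA(lpDllName); its exit code is the HMODULE,
; or 0 when the load failed.  The original ignored a NULL thread handle
; and went on to wait on it.
invoke CreateRemoteThread,hProcess,NULL,0,lpLoadLibrary,\
lpDllName,0,NULL
mov hThread,eax
.if hThread != 0
invoke WaitForSingleObject,hThread,INFINITE
mov dwExitCode,0
invoke GetExitCodeThread,hThread,addr dwExitCode
invoke CloseHandle,hThread ; the original never closed the thread handle
.if dwExitCode != 0
mov dwResult,1
.endif
.endif
.endif
; Release the remote buffer and the process handle on every path (the
; original freed them only after a successful load).
invoke VirtualFreeEx,hProcess,lpDllName,0,MEM_RELEASE
invoke CloseHandle,hProcess
mov eax,dwResult
ret
_InjectFunc endp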
;-----------------------------------------------------------------------
; _ProcDlgMain: dialog procedure of the injector's main dialog.
;   WM_INITDIALOG   -> set the big icon and pin the window topmost
;   WM_COMMAND/IDOK -> run _InjectFunc; a 0 result ends the process
;   WM_CLOSE        -> EndDialog(hWnd, 0)
;   returns eax = TRUE for the messages above, FALSE otherwise
; NOTE(review): _InjectFunc returns 0 when the remote LoadLibraryA
; reported failure and 1 on success, so as written the injector exits
; after a failed load and stays open after a successful one; the original
; comment said "close the dialog after launch" - confirm which polarity
; is intended.
;-----------------------------------------------------------------------
_ProcDlgMain proc uses edi esi ebx hWnd,uMsg,wParam,lParam
.if uMsg == WM_INITDIALOG
invoke LoadIcon,hInstanc,ICO_MAIN
invoke SendMessage,hWnd,WM_SETICON,ICON_BIG,eax
invoke SetWindowPos,hWnd,HWND_TOPMOST,0,0,0,0,SWP_NOMOVE or SWP_NOSIZE
.elseif uMsg == WM_COMMAND
; only the low word of wParam (the control id) is inspected
.if word ptr wParam == IDOK
invoke _InjectFunc,hWnd
test eax,eax
.if ZERO?
invoke ExitProcess,NULL
.endif
.endif
.elseif uMsg == WM_CLOSE
invoke EndDialog,hWnd,0
.else
xor eax,eax ; FALSE: let the dialog manager handle it
ret
.endif
mov eax,TRUE
ret
_ProcDlgMain endp
start:
; Entry point: run the main dialog modally and exit with code 0.
invoke GetModuleHandle,NULL
mov hInstanc,eax ; module handle reused by LoadIcon in _ProcDlgMain
invoke DialogBoxParam,hInstanc,IDD_DLG1,NULL,offset _ProcDlgMain,NULL
invoke ExitProcess,NULL
end start
;>>>>>>>>>
;资源文件(主对话框的)
;>>>>>>
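#include <resource.h>
#define IDD_DLG1 0x8000   // must match IDD_DLG1 equ 8000H in the .asm
#define ICO_MAIN 0x8001   // must match ICO_MAIN equ 8001H in the .asm
ICO_MAIN ICON "Main.ico"
IDD_DLG1 DIALOG 200,100,90,40
// Style flags combined with '|' throughout; the original mixed '|' and
// '+', which only gave the right mask because the bits are distinct.
STYLE DS_MODALFRAME | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_TABSTOP | WS_SYSMENU | WS_MAXIMIZEBOX | WS_MINIMIZEBOX
CAPTION "注入>>>残剑"
FONT 9,"宋体"
BEGIN
    DEFPUSHBUTTON "挂接程序(&Z)", IDOK, 15, 10, 60, 20
    //CONTROL "",IDC_LST1,"SysListView32",0x5081000D,2,100,232,90
END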
;>>>>>>>>>>>>>>>>>>>>>>>>
;注入对话框文件主文件
;>>>>>>>>>>>>
.386
.model flat, stdcall
option casemap :none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
ICO_MAIN equ 1000h ; icon resource id (0x1000 in the DLL's .rc)
DLG_MAIN equ 1 ; dialog template id
.data?
hInstance dd ? ; this DLL's module handle, captured in DllEntry; DialogBoxParam uses it to find DLG_MAIN
.code
;-----------------------------------------------------------------------
; _ProcDlgMain: dialog procedure of the injected dialog.
;   WM_INITDIALOG   -> set the big icon from this DLL's resources
;   WM_COMMAND/IDOK -> EndDialog(hWnd, NULL)
;   WM_CLOSE        -> EndDialog(hWnd, NULL)
;   returns eax = TRUE for the messages above, FALSE otherwise
;-----------------------------------------------------------------------
_ProcDlgMain proc uses ebx edi esi hWnd,wMsg,wParam,lParam
.if wMsg == WM_INITDIALOG
invoke LoadIcon,hInstance,ICO_MAIN
invoke SendMessage,hWnd,WM_SETICON,ICON_BIG,eax
.elseif wMsg == WM_COMMAND
; only the low word of wParam (the control id) is inspected
.if word ptr wParam == IDOK
invoke EndDialog,hWnd,NULL
.endif
.elseif wMsg == WM_CLOSE
invoke EndDialog,hWnd,NULL
.else
xor eax,eax ; FALSE: not handled here
ret
.endif
mov eax,TRUE
ret
_ProcDlgMain endp
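;-----------------------------------------------------------------------
; _WinMain: thread start routine used by DllEntry.  Shows DLG_MAIN
; modally (owner NULL) and returns DialogBoxParam's result as the thread
; exit code.
;   lpParam -> the lpParameter given to CreateThread (unused).  A
;              ThreadProc takes one stdcall argument, so it is declared
;              here so that `ret` pops it; the original declared none.
;-----------------------------------------------------------------------
_WinMain proc lpParam:DWORD
invoke DialogBoxParam,hInstance,DLG_MAIN,NULL,offset _ProcDlgMain,NULL
ret
_WinMain endp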
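;-----------------------------------------------------------------------
; DllEntry: DllMain.  On DLL_PROCESS_ATTACH it records the module handle
; and starts _WinMain on its own thread so the modal dialog does not run
; inside DllMain.  NOTE(review): the new thread cannot proceed past its
; own attach notification until this DllMain returns (loader lock), so
; nothing here may wait on it.
;   returns eax = TRUE always (the DLL never refuses to load)
;-----------------------------------------------------------------------
DllEntry proc _hInstance,_dwReason,_dwReserved
local @dwThreadID:DWORD
.if _dwReason == DLL_PROCESS_ATTACH
push _hInstance
pop hInstance
invoke CreateThread,NULL,0,offset _WinMain,NULL,\
NULL,addr @dwThreadID
.if eax != 0
; the handle is not needed; the thread keeps running after it is closed
invoke CloseHandle,eax
.endif
.endif
mov eax,TRUE
ret
DllEntry Endp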
;>>>>>>>>>>
;注入对话框资源文件
;>>>>>>>>>>
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
#include <resource.h>
#define ICO_MAIN 0x1000 // icon; matches ICO_MAIN equ 1000h in the DLL source
#define DLG_MAIN 1      // dialog template; matches DLG_MAIN equ 1
ICO_MAIN ICON "Main.ico"
DLG_MAIN DIALOG 50,50,113,64
STYLE DS_MODALFRAME | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
CAPTION "对话框模板"
FONT 9,"宋体"
BEGIN
    ICON ICO_MAIN,-1,10,11,18,21
    CTEXT "简单的对话框例子",-1,36,14,70,19
    DEFPUSHBUTTON "退出",IDOK,58,46,50,14
    CONTROL "",-1,"Static",SS_ETCHEDHORZ | WS_CHILD | WS_VISIBLE,6,39,103,1
END
注:有大牛测试过,但本人还是不懂,是否有大牛补充一下。本不能再发帖的,但本人实在很急,弄了两天了就是不知道怎么回事,只能破例一次。最早的帖子在链接 http://bbs.pediy.com/showthread.php?t=150089