-
-
[原创]进程注入技术Win32汇编实现
-
发表于: 2014-8-15 11:02
-
网上有很多讨论进程注入编程的帖子,用汇编写的比较少点。最近工作中刚好用到了进程注入技术,下面是原代码。希望大家多提宝贵意见,共同学习、共同进步!
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
include masm32.inc
include advapi32.inc
includelib user32.lib
includelib kernel32.lib
includelib masm32.lib
includelib advapi32.lib
include E:\MASMPlus\Exlib\macro.asm
.data
szKernel db "Kernel32.dll",0
szLoad db "LoadLibraryA",0
szCat db "\\dllinject.dll",0
szPrivilegeName db "SeDebugPrivilege",0 ;SE_DEBUG_NAME=SeDebugPrivilege
.data?
myFile db MAX_PATH dup (?)
szBuffer db 128 dup (?)
.code
;修改进程的一些访问权限
EnableDebugPriv proc
local @stTp:TOKEN_PRIVILEGES,@stLuid:LUID
local @hToken:DWORD
;获取进程句柄
invoke GetCurrentProcess
mov ebx,eax
;打开与进程相关联的访问令版,如果要修改访问令版的特权,需要指定参数TOKEN_ADJUST_PRIVILEGES
invoke OpenProcessToken,ebx,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,addr @hToken
;#define SE_DEBUG_NAME TEXT("SeDebugPrivilege")
invoke LookupPrivilegeValue,NULL,addr szPrivilegeName,addr @stLuid
mov @stTp.PrivilegeCount,1
push @stLuid.LowPart
push @stLuid.HighPart
pop @stTp.Privileges[0].Luid.HighPart
pop @stTp.Privileges[0].Luid.LowPart
mov @stTp.Privileges[0].Attributes,SE_PRIVILEGE_ENABLED ;2
;对访问令牌进行修改
invoke AdjustTokenPrivileges,@hToken,0,addr @stTp,sizeof TOKEN_PRIVILEGES,NULL,NULL
invoke CloseHandle,@hToken
xor eax,eax
ret
EnableDebugPriv endp
;查找指定进程,这里找的是cmd。也可以换成其它程序
GetProcessId proc lpName:DWORD
local hProcessSnap:DWORD
local ProcessID:DWORD
local stPe:PROCESSENTRY32
local bRet:BYTE
xor eax,eax
dec eax
mov ProcessID,eax
mov eax,sizeof stPe
mov stPe.dwSize,eax
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov hProcessSnap,eax
.if hProcessSnap == INVALID_HANDLE_VALUE
invoke GetLastError
invoke wsprintf,addr szBuffer,CTXT("CreateToolhelp32Snapshot failed. error: %d"),eax
invoke StdOut,addr szBuffer
xor eax,eax
dec eax
ret
.endif
invoke Process32First,hProcessSnap,addr stPe
mov bRet,al
.while bRet
invoke lstrcmp,addr stPe.szExeFile,lpName
.if !eax
mov eax,stPe.th32ProcessID
mov ProcessID,eax
.break
.endif
invoke Process32Next,hProcessSnap,addr stPe
mov bRet,al
.endw
invoke CloseHandle,hProcessSnap
mov eax,ProcessID
ret
GetProcessId endp
InjectDll proc lpName:DWORD ,dwRemoteProcessId:DWORD
local hRemoteProcess:DWORD
local pszLibFileRemote:DWORD
local len:DWORD
local pfnStartAddr:DWORD
local hRemoteThread:DWORD
invoke EnableDebugPriv
;打开进程
invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,dwRemoteProcessId
mov hRemoteProcess,eax
invoke lstrlen,lpName
inc eax
mov len,eax
;为什么要用虚拟内存?
;为了让两个程序共享同一块内存,用虚拟内存的目的就是方便地创建并管理共享内存
invoke VirtualAllocEx,hRemoteProcess,NULL,len,MEM_COMMIT,PAGE_READWRITE
mov pszLibFileRemote,eax
;把要注入的程序写入内存
invoke WriteProcessMemory,hRemoteProcess,pszLibFileRemote,lpName,len,NULL
invoke GetModuleHandle,addr szKernel
invoke GetProcAddress,eax,addr szLoad
mov pfnStartAddr,eax
;创建远程线程
invoke CreateRemoteThread,hRemoteProcess,NULL,0,pfnStartAddr,pszLibFileRemote,0,NULL
.if !eax
invoke wsprintf,addr szBuffer,CTXT("注入线程失败!")
invoke StdOut,addr szBuffer
xor eax,eax
ret
.endif
invoke VirtualFreeEx,hRemoteProcess,addr pszLibFileRemote,len,MEM_RELEASE
invoke CloseHandle,hRemoteProcess
invoke CloseHandle,hRemoteThread
invoke wsprintf,addr szBuffer,CTXT("Done!",0dh,0ah)
invoke StdOut,addr szBuffer
xor eax,eax
inc eax
ret
InjectDll endp
start:
;获取当前目录
invoke GetCurrentDirectory,MAX_PATH,addr myFile
invoke lstrcat,addr myFile,addr szCat
invoke GetProcessId,CTXT("cmd.exe") ;这里可以换其它的程序
invoke InjectDll,addr myFile,eax
invoke ExitProcess,0
end start
上面程序是把DLL文件插入到CMD中,也可以换其它程序插入。DLL文件只是弹了一个框,如果需要其它功能,可以自行修改DLL文件。
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
include masm32.inc
include advapi32.inc
includelib user32.lib
includelib kernel32.lib
includelib masm32.lib
includelib advapi32.lib
include E:\MASMPlus\Exlib\macro.asm
.data
szKernel db "Kernel32.dll",0
szLoad db "LoadLibraryA",0
szCat db "\\dllinject.dll",0
szPrivilegeName db "SeDebugPrivilege",0 ;SE_DEBUG_NAME=SeDebugPrivilege
.data?
myFile db MAX_PATH dup (?)
szBuffer db 128 dup (?)
.code
;修改进程的一些访问权限
EnableDebugPriv proc
local @stTp:TOKEN_PRIVILEGES,@stLuid:LUID
local @hToken:DWORD
;获取进程句柄
invoke GetCurrentProcess
mov ebx,eax
;打开与进程相关联的访问令版,如果要修改访问令版的特权,需要指定参数TOKEN_ADJUST_PRIVILEGES
invoke OpenProcessToken,ebx,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,addr @hToken
;#define SE_DEBUG_NAME TEXT("SeDebugPrivilege")
invoke LookupPrivilegeValue,NULL,addr szPrivilegeName,addr @stLuid
mov @stTp.PrivilegeCount,1
push @stLuid.LowPart
push @stLuid.HighPart
pop @stTp.Privileges[0].Luid.HighPart
pop @stTp.Privileges[0].Luid.LowPart
mov @stTp.Privileges[0].Attributes,SE_PRIVILEGE_ENABLED ;2
;对访问令牌进行修改
invoke AdjustTokenPrivileges,@hToken,0,addr @stTp,sizeof TOKEN_PRIVILEGES,NULL,NULL
invoke CloseHandle,@hToken
xor eax,eax
ret
EnableDebugPriv endp
;查找指定进程,这里找的是cmd。也可以换成其它程序
GetProcessId proc lpName:DWORD
local hProcessSnap:DWORD
local ProcessID:DWORD
local stPe:PROCESSENTRY32
local bRet:BYTE
xor eax,eax
dec eax
mov ProcessID,eax
mov eax,sizeof stPe
mov stPe.dwSize,eax
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov hProcessSnap,eax
.if hProcessSnap == INVALID_HANDLE_VALUE
invoke GetLastError
invoke wsprintf,addr szBuffer,CTXT("CreateToolhelp32Snapshot failed. error: %d"),eax
invoke StdOut,addr szBuffer
xor eax,eax
dec eax
ret
.endif
invoke Process32First,hProcessSnap,addr stPe
mov bRet,al
.while bRet
invoke lstrcmp,addr stPe.szExeFile,lpName
.if !eax
mov eax,stPe.th32ProcessID
mov ProcessID,eax
.break
.endif
invoke Process32Next,hProcessSnap,addr stPe
mov bRet,al
.endw
invoke CloseHandle,hProcessSnap
mov eax,ProcessID
ret
GetProcessId endp
InjectDll proc lpName:DWORD ,dwRemoteProcessId:DWORD
local hRemoteProcess:DWORD
local pszLibFileRemote:DWORD
local len:DWORD
local pfnStartAddr:DWORD
local hRemoteThread:DWORD
invoke EnableDebugPriv
;打开进程
invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,dwRemoteProcessId
mov hRemoteProcess,eax
invoke lstrlen,lpName
inc eax
mov len,eax
;为什么要用虚拟内存?
;为了让两个程序共享同一块内存,用虚拟内存的目的就是方便地创建并管理共享内存
invoke VirtualAllocEx,hRemoteProcess,NULL,len,MEM_COMMIT,PAGE_READWRITE
mov pszLibFileRemote,eax
;把要注入的程序写入内存
invoke WriteProcessMemory,hRemoteProcess,pszLibFileRemote,lpName,len,NULL
invoke GetModuleHandle,addr szKernel
invoke GetProcAddress,eax,addr szLoad
mov pfnStartAddr,eax
;创建远程线程
invoke CreateRemoteThread,hRemoteProcess,NULL,0,pfnStartAddr,pszLibFileRemote,0,NULL
.if !eax
invoke wsprintf,addr szBuffer,CTXT("注入线程失败!")
invoke StdOut,addr szBuffer
xor eax,eax
ret
.endif
invoke VirtualFreeEx,hRemoteProcess,addr pszLibFileRemote,len,MEM_RELEASE
invoke CloseHandle,hRemoteProcess
invoke CloseHandle,hRemoteThread
invoke wsprintf,addr szBuffer,CTXT("Done!",0dh,0ah)
invoke StdOut,addr szBuffer
xor eax,eax
inc eax
ret
InjectDll endp
start:
;获取当前目录
invoke GetCurrentDirectory,MAX_PATH,addr myFile
invoke lstrcat,addr myFile,addr szCat
invoke GetProcessId,CTXT("cmd.exe") ;这里可以换其它的程序
invoke InjectDll,addr myFile,eax
invoke ExitProcess,0
end start
上面程序是把DLL文件插入到CMD中,也可以换其它程序插入。DLL文件只是弹了一个框,如果需要其它功能,可以自行修改DLL文件。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
|
