这个程序是我用罗云彬书上的源码拼上的，所以原创就说不上了。这是一个演示远程线程的程序，给和我一样初学的朋友们。
功能：显示一个进程列表，向你选中的进程插入一个窗口程序。
1.asm
.386
.Model Flat, StdCall
Option Casemap :None
Include windows.inc
Include user32.inc
Include kernel32.inc
Include gdi32.inc
Includelib gdi32.lib
IncludeLib user32.lib
IncludeLib kernel32.lib
Include macro.asm
include 3.inc
IDD_DLG equ 1000 ; dialog template resource id (defined in the resource file, not shown here)
IDC_PROCESS equ 1001 ; list box holding the process names
IDC_REFRESH equ 1002 ; "refresh" button
.data?
hInstance dd ? ; this module's handle (set in start:)
hWinList dd ? ; HWND of the IDC_PROCESS list box (set on WM_INITDIALOG)
; The next three dwords are the kernel32 import addresses resolved in start:.
; They must stay contiguous and in this order: _ProcDlgMain copies all three
; with a single WriteProcessMemory(sizeof dword * 3) onto the head of the
; remote code block, whose first three fields are _lpLoadLibrary /
; _lpGetProcAddress / _lpGetModuleHandle in the same order (see 2.asm).
lpLoadLibrary dd ?
lpGetProcAddress dd ?
lpGetModuleHandle dd ?
dwProcessID dd ? ; NOTE(review): declared but not referenced in the visible code
dwThreadID dd ? ; NOTE(review): declared but not referenced in the visible code
hProcess dd ? ; handle of the selected target process (OpenProcess)
lpRemoteCode dd ? ; base of the buffer allocated in the target (VirtualAllocEx)
.const
szErrTerminate db '无法结束指定进程!',0 ; only used by the commented-out MessageBox in _ProcDlgMain
szDllKernel db 'Kernel32.dll',0 ; module whose exports are resolved in start:
szLoadLibrary db 'LoadLibraryA',0
szGetProcAddress db 'GetProcAddress',0
szGetModuleHandle db 'GetModuleHandleA',0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Code segment
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
; 2.asm is pulled into .code on purpose: its data table, import-name strings
; and procs must form one contiguous run (REMOTE_CODE_START..REMOTE_CODE_END)
; so that a single WriteProcessMemory can copy the whole block.
include 2.asm
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
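;-----------------------------------------------------------------------
; void _GetProcessList(HWND _hWnd)
; Refills the hWinList list box from a Toolhelp process snapshot:
; one entry per process, text = szExeFile, item data = th32ProcessID.
; Afterwards IDOK is disabled until the user picks an entry
; (_ProcDlgMain re-enables it on LBN_SELCHANGE).
; In:    _hWnd = dialog window handle (parent of IDOK)
; Out:   none (eax undefined)
; Clobb: eax, ecx, edx, flags only (all calls are stdcall; ebx/esi/edi kept)
; Changes vs. the original: a failed CreateToolhelp32Snapshot
; (INVALID_HANDLE_VALUE) is no longer passed on to Process32First /
; CloseHandle, and a failed LB_ADDSTRING (LB_ERR) no longer gets item data.
;-----------------------------------------------------------------------
_GetProcessList proc _hWnd
local @stProcess:PROCESSENTRY32
local @hSnapShot
        invoke  RtlZeroMemory,addr @stProcess,sizeof @stProcess
        invoke  SendMessage,hWinList,LB_RESETCONTENT,0,0
        mov     @stProcess.dwSize,sizeof @stProcess     ; Toolhelp requires dwSize before Process32First
        invoke  CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
        .if eax != INVALID_HANDLE_VALUE                 ; on failure leave the list empty
        mov     @hSnapShot,eax
        invoke  Process32First,@hSnapShot,addr @stProcess
        .while eax                                      ; eax = BOOL from Process32First/Next
        invoke  SendMessage,hWinList,LB_ADDSTRING,0,addr @stProcess.szExeFile
        .if eax != LB_ERR                               ; eax = new item index; skip item data on insert failure
        invoke  SendMessage,hWinList,LB_SETITEMDATA,eax,@stProcess.th32ProcessID
        .endif
        invoke  Process32Next,@hSnapShot,addr @stProcess
        .endw
        invoke  CloseHandle,@hSnapShot
        .endif
        invoke  GetDlgItem,_hWnd,IDOK
        invoke  EnableWindow,eax,FALSE                  ; nothing selected yet
        ret
_GetProcessList endp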
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; INT_PTR CALLBACK _ProcDlgMain(HWND hWnd, UINT wMsg, WPARAM wParam, LPARAM lParam)
; Dialog procedure of IDD_DLG.
;   WM_INITDIALOG : cache the list box handle and fill it (_GetProcessList)
;   WM_COMMAND    : IDOK        -> copy the remote block into the selected PID
;                                  and start it on a new thread
;                   IDC_REFRESH -> refill the list
;                   IDC_PROCESS / LBN_SELCHANGE -> enable IDOK
;   WM_CLOSE      : EndDialog
; Out: eax = TRUE for the messages above, FALSE for anything else.
; Globals written: hWinList, hProcess, lpRemoteCode.
;-----------------------------------------------------------------------
_ProcDlgMain proc uses ebx edi esi hWnd,wMsg,wParam,lParam
mov eax,wMsg
.if eax == WM_CLOSE
invoke EndDialog,hWnd,NULL
.elseif eax == WM_INITDIALOG
invoke GetDlgItem,hWnd,IDC_PROCESS
mov hWinList,eax
invoke _GetProcessList,hWnd
;********************************************************************
.elseif eax == WM_COMMAND
mov eax,wParam ; low word = control id, high word = notification code
.if ax == IDOK
; current selection index -> PID stored as item data by _GetProcessList.
; LB_GETCURSEL's LB_ERR is not checked; the code relies on IDOK staying
; disabled until an LBN_SELCHANGE has arrived (handled further below).
invoke SendMessage,hWinList,LB_GETCURSEL,0,0
invoke SendMessage,hWinList,LB_GETITEMDATA,eax,0
; only the rights the three calls below need
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or \
PROCESS_VM_WRITE,FALSE,eax
.if eax
;mov ebx,eax
mov hProcess,eax
; one region for code and data of the remote block.
; NOTE(review): a writable+executable allocation in another process,
; followed by WriteProcessMemory and CreateRemoteThread, is the classic
; sequence that endpoint monitoring and memory scanners key on.
invoke VirtualAllocEx,hProcess,NULL,REMOTE_CODE_LENGTH,MEM_COMMIT,PAGE_EXECUTE_READWRITE
.if eax
mov lpRemoteCode,eax
; 1) copy the whole block (address table, strings, procs) ...
invoke WriteProcessMemory,hProcess,lpRemoteCode,\
offset REMOTE_CODE_START,REMOTE_CODE_LENGTH,NULL
; 2) ... then overwrite its first three dwords with this process's
; kernel32 addresses (lpLoadLibrary..lpGetModuleHandle). The remote
; code calls them as-is, so this only works if those addresses are also
; valid inside the target. Neither write's return value is checked.
invoke WriteProcessMemory,hProcess,lpRemoteCode,\
offset lpLoadLibrary,sizeof dword * 3,NULL
; thread entry = remote base + offset of _RemoteThread within the block
mov eax,lpRemoteCode
add eax,offset _RemoteThread - offset REMOTE_CODE_START
invoke CreateRemoteThread,hProcess,NULL,0,eax,0,0,NULL
invoke CloseHandle,eax ; NOTE(review): eax is NULL if CreateRemoteThread failed; not checked
.endif
invoke CloseHandle,hProcess
.elseif
; OpenProcess failed (presumably access denied or the process has gone):
; wait briefly and refresh the list.
; NOTE(review): this `.elseif` carries no condition; it reads as an
; intended `.else` - confirm how the assembler treats it.
invoke Sleep,200
invoke _GetProcessList,hWnd
jmp @F ; lands right after the .endif; effectively a no-op while the MessageBox below is commented out
.endif
;invoke MessageBox,hWnd,addr szErrTerminate,NULL,MB_OK or MB_ICONWARNING
@@:
;********************************************************************
.elseif ax == IDC_REFRESH
invoke _GetProcessList,hWnd
;********************************************************************
.elseif ax == IDC_PROCESS
shr eax,16 ; notification code lives in the high word of wParam
.if ax == LBN_SELCHANGE
invoke GetDlgItem,hWnd,IDOK
invoke EnableWindow,eax,TRUE ; a selection exists now; allow IDOK
.endif
.endif
;********************************************************************
.else
mov eax,FALSE ; not handled -> let the dialog manager process it
ret
.endif
mov eax,TRUE
ret
_ProcDlgMain endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; Program entry (END start).
; 1. Resolve LoadLibraryA / GetProcAddress / GetModuleHandleA from
;    kernel32 into lpLoadLibrary..lpGetModuleHandle (copied later into
;    the head of the remote block by _ProcDlgMain).
; 2. Run the IDD_DLG dialog with _ProcDlgMain, then ExitProcess(0).
; There is no caller here, so a callee-saved register can be used as
; scratch without saving it.
;-----------------------------------------------------------------------
start:
        invoke  GetModuleHandle,NULL
        mov     hInstance,eax                   ; our own module handle, owner of the dialog
        invoke  GetModuleHandle,offset szDllKernel
        mov     esi,eax                         ; esi = kernel32 base; survives the stdcall calls below
        invoke  GetProcAddress,esi,addr szLoadLibrary
        mov     lpLoadLibrary,eax
        invoke  GetProcAddress,esi,addr szGetProcAddress
        mov     lpGetProcAddress,eax
        invoke  GetProcAddress,esi,addr szGetModuleHandle
        mov     lpGetModuleHandle,eax
        invoke  DialogBoxParam,hInstance,IDD_DLG,NULL,offset _ProcDlgMain,NULL
        invoke  ExitProcess,NULL
end start
2.asm
; ---- Position-independent block copied into the target process ----------
; Everything from REMOTE_CODE_START to REMOTE_CODE_END is written into the
; target as one blob of REMOTE_CODE_LENGTH bytes by _ProcDlgMain, so it has
; to be self-contained: all data is reached as [ebx + offset], where ebx is
; the relocation delta each proc computes with its call/pop sequence.
REMOTE_CODE_START equ this byte
; Address table. The first three dwords are overwritten by the injector with
; this process's kernel32 addresses (second WriteProcessMemory in
; _ProcDlgMain). The user32 entries below them are filled in by the loop in
; _RemoteThread, so their ORDER must match the _sz* name list one-for-one.
_lpLoadLibrary dd ? ; imported function address table (NOTE(review): this slot is written by the injector but not referenced by the visible remote code)
_lpGetProcAddress dd ?
_lpGetModuleHandle dd ?
_lpDestroyWindow dd ?
_lpPostQuitMessage dd ?
_lpDefWindowProc dd ?
_lpLoadCursor dd ?
_lpRegisterClassEx dd ?
_lpCreateWindowEx dd ?
_lpShowWindow dd ?
_lpUpdateWindow dd ?
_lpGetMessage dd ?
_lpTranslateMessage dd ?
_lpDispatchMessage dd ?
_hInstance dd ? ; GetModuleHandle(NULL) as seen from inside the target
_hWinMain dd ? ; handle of the window created by _WinMain
_szClassName db 'RemoteClass',0
_szCaptionMain db 'RemoteWindow',0
_szDllUser db 'User32.dll',0 ; looked up separately in _RemoteThread, not part of the list below
; Import-name list walked by _RemoteThread: one NUL-terminated name per
; _lp* slot, same order as _lpDestroyWindow.._lpDispatchMessage.
_szDestroyWindow db 'DestroyWindow',0
_szPostQuitMessage db 'PostQuitMessage',0
_szDefWindowProc db 'DefWindowProcA',0
_szLoadCursor db 'LoadCursorA',0
_szRegisterClassEx db 'RegisterClassExA',0
_szCreateWindowEx db 'CreateWindowExA',0
_szShowWindow db 'ShowWindow',0
_szUpdateWindow db 'UpdateWindow',0
_szGetMessage db 'GetMessageA',0
_szTranslateMessage db 'TranslateMessage',0
; the extra trailing 0 is the list terminator tested by `.break .if ! byte ptr [esi]`
_szDispatchMessage db 'DispatchMessageA',0,0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; DWORD WINAPI _RemoteThread(LPVOID lParam)  -- thread entry in the target
; Resolves the user32 imports into the address table above, then runs
; _WinMain. Executes at an address chosen by VirtualAllocEx, so every
; reference goes through ebx = (runtime address of @@) - (link-time
; address of @@).
; In:    lParam  unused
; Out:   eax = whatever _WinMain leaves in eax
; Requires: _lpGetModuleHandle / _lpGetProcAddress already patched by the
;           injector (second WriteProcessMemory in _ProcDlgMain).
;-----------------------------------------------------------------------
_RemoteThread proc uses ebx edi esi lParam
local @hModule
call @F ; pushes the runtime address of @@
@@:
pop ebx
sub ebx,offset @B ; ebx = relocation delta
;********************************************************************
_invoke [ebx + _lpGetModuleHandle],NULL ; the target's own module handle
mov [ebx + _hInstance],eax
lea eax,[ebx + offset _szDllUser]
_invoke [ebx + _lpGetModuleHandle],eax ; user32 base inside the target
mov @hModule,eax ; NOTE(review): not checked for NULL (user32 not loaded in the target); the GetProcAddress calls below would then fail and leave bad table entries
lea esi,[ebx + offset _szDestroyWindow] ; esi -> current import name
lea edi,[ebx + offset _lpDestroyWindow] ; edi -> matching table slot
.while TRUE
_invoke [ebx + _lpGetProcAddress],@hModule,esi
mov [edi],eax ; store the address (NULL on failure; not checked)
add edi,4 ; next dword slot
@@:
lodsb ; advance esi past this name's terminating NUL (assumes DF clear - TODO confirm)
or al,al
jnz @B
.break .if ! byte ptr [esi] ; a second NUL directly after a name ends the list
.endw
;********************************************************************
; NOTE(review): _WinMain is declared with one stdcall parameter (_lParam),
; so its epilogue pops 4 bytes that this plain `call` never pushed. The
; saved ebx/edi/esi restored by this proc's epilogue are therefore taken
; from the wrong slots; it goes unnoticed only because the thread ends right
; after. `invoke _WinMain,NULL` would keep the stack balanced.
call _WinMain ; near relative call: no relocation needed
ret
_RemoteThread endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; LRESULT CALLBACK _ProcWinMain(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Window procedure of the injected window. WM_CLOSE destroys the window,
; posts WM_QUIT and returns 0; every other message is forwarded to
; DefWindowProcA and its result is returned.
; Position independent: ebx = relocation delta, imports via [ebx + _lp*].
; ebx/edi/esi are restored by USES; eax/ecx/edx are clobbered.
;-----------------------------------------------------------------------
_ProcWinMain proc uses ebx edi esi,hWnd,uMsg,wParam,lParam
        call    @F
@@:
        pop     ebx
        sub     ebx,offset @B                   ; ebx = runtime addr - link-time addr
;********************************************************************
        mov     eax,uMsg
        .if eax != WM_CLOSE
        ; common case first: the default handler's LRESULT goes straight back
        _invoke [ebx + _lpDefWindowProc],hWnd,uMsg,wParam,lParam
        .else
        _invoke [ebx + _lpDestroyWindow],hWnd
        _invoke [ebx + _lpPostQuitMessage],NULL
        xor     eax,eax                         ; WM_CLOSE handled -> 0
        .endif
        ret
_ProcWinMain endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; void _ZeroMemory(void *_lpDest, DWORD _dwSize)
; Fills _dwSize bytes at _lpDest with zero. Local stand-in for
; RtlZeroMemory (presumably so the remote block needs no extra import).
; _dwSize == 0 is a no-op: REP with ecx = 0 stores nothing.
; Clobb: eax, ecx, flags (DF left clear); edi preserved via USES.
;-----------------------------------------------------------------------
_ZeroMemory proc uses edi _lpDest,_dwSize
        mov     edi,_lpDest                     ; destination
        mov     ecx,_dwSize                     ; byte count
        xor     eax,eax                         ; al = 0, the fill byte
        cld                                     ; forward direction for stos
        rep     stosb
        ret
_ZeroMemory endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; _WinMain(_lParam)   -- runs inside the target, on the remote thread
; Registers the window class _szClassName with _ProcWinMain as its proc,
; creates and shows the 'RemoteWindow' window, then pumps messages until
; GetMessage returns 0 (WM_QUIT, posted by _ProcWinMain on WM_CLOSE).
; In:    _lParam  unused (the visible caller, _RemoteThread, uses a plain
;        `call _WinMain` and pushes nothing for it - TODO confirm intent)
; Out:   eax = 0 (the GetMessage result that ended the loop)
; Position independent: ebx = relocation delta, imports via [ebx + _lp*].
;-----------------------------------------------------------------------
_WinMain proc uses ebx esi edi _lParam
local @stWndClass:WNDCLASSEX
local @stMsg:MSG
call @F
@@:
pop ebx
sub ebx,offset @B ; ebx = runtime address - link-time address
;********************************************************************
invoke _ZeroMemory,addr @stWndClass,sizeof @stWndClass ; near relative call, no relocation needed
_invoke [ebx + _lpLoadCursor],0,IDC_ARROW
mov @stWndClass.hCursor,eax
push [ebx + _hInstance] ; memory-to-memory copy via the stack
pop @stWndClass.hInstance
mov @stWndClass.cbSize,sizeof WNDCLASSEX
mov @stWndClass.style,CS_HREDRAW or CS_VREDRAW
lea eax,[ebx + offset _ProcWinMain] ; must be the *relocated* address of the window proc
mov @stWndClass.lpfnWndProc,eax
mov @stWndClass.hbrBackground,COLOR_WINDOW + 1
lea eax,[ebx + offset _szClassName]
mov @stWndClass.lpszClassName,eax
lea eax,@stWndClass
_invoke [ebx + _lpRegisterClassEx],eax ; NOTE(review): return value (0 on failure) not checked
;********************************************************************
; Create and show the window
;********************************************************************
lea eax,[ebx + offset _szClassName]
lea ecx,[ebx + offset _szCaptionMain]
_invoke [ebx + _lpCreateWindowEx],WS_EX_CLIENTEDGE,eax,ecx,\
WS_OVERLAPPEDWINDOW,\
100,100,600,400,\
NULL,NULL,[ebx + _hInstance],NULL
mov [ebx + _hWinMain],eax ; NOTE(review): NULL on failure, used below unchecked
_invoke [ebx + _lpShowWindow],[ebx + _hWinMain],SW_SHOWNORMAL
_invoke [ebx + _lpUpdateWindow],[ebx + _hWinMain]
;********************************************************************
; Message loop
;********************************************************************
.while TRUE
lea eax,@stMsg
_invoke [ebx + _lpGetMessage],eax,NULL,0,0
; NOTE(review): GetMessage returns -1 on error; only 0 (WM_QUIT) ends the
; loop here, so an error would keep the loop spinning.
.break .if eax == 0
lea eax,@stMsg
_invoke [ebx + _lpTranslateMessage],eax
lea eax,@stMsg
_invoke [ebx + _lpDispatchMessage],eax
.endw
ret
_WinMain endp
REMOTE_CODE_END equ this byte ; end of the blob: address table, import names and the four procs above
REMOTE_CODE_LENGTH equ offset REMOTE_CODE_END - offset REMOTE_CODE_START ; byte count used by VirtualAllocEx / WriteProcessMemory in _ProcDlgMain