昨天晚上弄好了
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
includelib kernel32.lib
include user32.inc
includelib user32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data?
; Injector-side globals, all filled in by the code at start:.
; The first four dwords must stay contiguous and in this order: start: copies
; `sizeof dword * 4` bytes beginning at lpLoadLibrary over the first four
; dwords of the remote region (_lpLoadLibrary.._lpWinExec).
lpLoadLibrary dd ?                      ; kernel32!LoadLibraryA (GetProcAddress result)
lpGetProcAddress dd ?                   ; kernel32!GetProcAddress
lpGetModuleHandle dd ?                  ; kernel32!GetModuleHandleA
lpWinExec dd ?                          ; never assigned in this file: the WinExec lookup is commented out
dwProcessID dd ?                        ; written by GetWindowThreadProcessId (owner of the shell window)
dwThreadID dd ?                         ; thread id returned by GetWindowThreadProcessId
hProcess dd ?                           ; handle from OpenProcess
lpRemoteCode dd ?                       ; base of the region VirtualAllocEx returns in the target
.const
; Error text shown when OpenProcess fails (Chinese: "cannot open remote thread!").
szErrOpen db '无法打开远程线程!',0
;
; Window class / title used to locate the desktop shell window.
szDesktopClass db 'Progman',0            ; not referenced in the visible code
szDesktopWindow db 'Program Manager',0
; kernel32 exports resolved at start: and handed to the injected code.
szDllKernel db 'Kernel32.dll',0
szLoadLibrary db 'LoadLibraryA',0
szGetProcAddress db 'GetProcAddress',0
szGetModuleHandle db 'GetModuleHandleA',0
szWinExec db 'WinExec',0                 ; lookup is commented out at start:
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;---------------------------------------------------------------------
; reverseArgs arglist:VARARG
; Text macro: yields the comma-separated argument list in reverse order
; (a,b,c -> c,b,a). _invoke uses it to push stdcall arguments right-to-left.
;---------------------------------------------------------------------
reverseArgs macro arglist:VARARG
local txt,count
txt TEXTEQU <>
count = 0
; prepend each item: txt = item , txt   (so the last item ends up first)
for i,<arglist>
count = count + 1
txt TEXTEQU @CatStr(i,<!,>,<%txt>)
endm
; the loop leaves a trailing comma; cut it off (only if anything was added)
if count GT 0
txt SUBSTR txt,1,@SizeStr(%txt)-1
endif
exitm txt
endm
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;---------------------------------------------------------------------
; _invoke _Proc,args:VARARG
; invoke-like call through a function pointer held in memory (here the
; [ebx+_lpXxx] slots of the copied region, for which no prototype exists).
; Pushes the arguments right-to-left, then `call dword ptr _Proc`.
; No stack cleanup is emitted: the callee is assumed stdcall.
; `count` is computed but not used.
;---------------------------------------------------------------------
_invoke macro _Proc,args:VARARG
local count
count = 0
% for i,< reverseArgs( args ) >
count = count + 1
push i
endm
call dword ptr _Proc
endm
.code
; Start of the block that is copied into the target process.
; Everything between REMOTE_CODE_START and REMOTE_CODE_END (data and the two
; procs below) lives in .code so it is copied as one contiguous image;
; the injected code reaches all of it via [ebx + symbol], ebx being the
; relocation delta computed in each proc.
REMOTE_CODE_START equ this byte
; Pointer slots. The first four are overwritten by start: with the injector's
; resolved kernel32 addresses (second WriteProcessMemory call).
_lpLoadLibrary dd ?                     ; not referenced in the visible code
_lpGetProcAddress dd ?
_lpGetModuleHandle dd ?
_lpWinExec dd ?                         ; receives the never-assigned lpWinExec
; Slots filled by _RemoteThread from the User32.dll handle, in the same
; order as the name table _szFindWindowA.._szPostMessageA.
_lpFindWindowA dd ?
_lpCreateProcessA dd ?                  ; looked up in user32 although CreateProcessA is a kernel32 export; unused here
_lpMessageBoxA dd ?
_lpChildWindowFromPoint dd ?            ; resolved, not called in the visible code
_lpSetWindowTextA dd ?                  ; resolved, not called in the visible code
_lpPostMessageA dd ?                    ; resolved, not called in the visible code
; Slots filled by _CreateRemoteProcess from the Kernel32.dll handle, in the
; same order as the name table _szProcess32First.._szGetLastError.
_lpProcess32First dd ?
_lpCreateToolhelp32Snapshot dd ?
_lpProcess32Next dd ?
_lplstrcmp dd ?
_lpOpenProcess dd ?
_lpTerminateProcess dd ?
_lpCloseHandle dd ?
_lpGetLastError dd ?                    ; resolved, not called in the visible code
_hInstance dd ?                         ; GetModuleHandleA(NULL) result from _RemoteThread
_hInstance1 dd ?                        ; GetModuleHandleA(NULL) result from _CreateRemoteProcess
_hSnapshot dd ?                         ; Toolhelp snapshot handle
_hProcessI dd ?                         ; not referenced in the visible code
; Name table for the user32 lookup loop. The loop advances past each
; terminating zero and stops when the next byte is also zero, so the
; extra 0 after 'PostMessageA' ends this table.
_szFindWindowA db 'FindWindowA',0
_szCreateProcessA db 'CreateProcessA',0
_szMessageBoxA db 'MessageBoxA',0
_szChildWindowFromPoint db 'ChildWindowFromPoint', 0
_szSetWindowTextA db 'SetWindowTextA',0
_szPostMessageA db 'PostMessageA',0,0
; Name table for the kernel32 lookup loop; it ends where the following
; structure begins (its first byte is presumably zero -- verify).
_szProcess32First db 'Process32First',0
_szCreateToolhelp32Snapshot db 'CreateToolhelp32Snapshot',0
_szProcess32Next db 'Process32Next',0
_szlstrcmp db 'lstrcmp',0
_szOpenProcess db 'OpenProcess',0
_szTerminateProcess db 'TerminateProcess',0
_szCloseHandle db 'CloseHandle',0
_szGetLastError db 'GetLastError',0
_stStartupInfo STARTUPINFO <?>          ; not referenced in the visible code
_procinfo PROCESS_INFORMATION <?>       ; not referenced in the visible code
_stProcess PROCESSENTRY32 <?>           ; entry buffer for Process32First/Next
_szUserDll db 'User32.dll',0
_szHaha db 'ooooo',0                    ; not referenced in the visible code
_szExecFile db 'NotePad.exe',0          ; not referenced in the visible code
; NOTE: no terminating zero -- this string runs straight into _szClassName.
; Not referenced in the visible code.
_szFileName db 'write.exe'
_szClassName db 'NotePad',0             ; FindWindowA class name; also reused as the MessageBoxA text
_scKernel32 db 'Kernel32.dll',0
_scRegedit db 'Regedit.exe',0           ; not referenced in the visible code
_scDesktop db 'WinSta0\Default',0       ; not referenced in the visible code
_scCmd db 'cmd.exe',0                   ; compared against szExeFile of each process entry
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;---------------------------------------------------------------------
; _RemoteThread(lParam)
; Thread start routine that runs inside the target process; start: passes
; lpRemoteCode + (_RemoteThread - REMOTE_CODE_START) to CreateRemoteThread.
; Register roles: ebx = relocation delta (runtime address of the copied
; block minus its link-time address) -- every access to data inside
; REMOTE_CODE_START..REMOTE_CODE_END goes through [ebx + ...];
; esi/edi walk the name table / pointer table while resolving imports.
; APIs are reached through the pointer slots, hence _invoke instead of invoke.
; Returns: eax as left by the last call (becomes the thread exit code).
;---------------------------------------------------------------------
_RemoteThread proc uses ebx edi esi ecx edx lParam
;local @hWnd,@bRedraw,@dwLoopCount,@hWinEdit
local @hModule                          ; User32.dll module handle in the target
; ebx = address of @@ at run time - address of @@ at link time
call @F
@@:
pop ebx
sub ebx,offset @B
; GetModuleHandleA(NULL); stored in _hInstance but not read again in the visible code
_invoke [ebx+_lpGetModuleHandle],NULL
mov [ebx+_hInstance],eax
; GetModuleHandleA("User32.dll") -- assumes user32 is already mapped in the target
lea edx,[ebx+offset _szUserDll]
_invoke [ebx+_lpGetModuleHandle],edx
mov @hModule,eax
; Resolve the user32 name table: esi walks _szFindWindowA.., edi fills the
; dword slots _lpFindWindowA.. in the same order (the two tables must match).
; The loop ends at the empty name after 'PostMessageA',0,0 -- six entries.
; CreateProcessA is a kernel32 export, so looking it up through the user32
; handle is expected to yield NULL; that slot is not called in the visible code.
lea esi,[ebx+offset _szFindWindowA]
lea edi,[ebx+offset _lpFindWindowA]
.while TRUE
_invoke [ebx+offset _lpGetProcAddress],@hModule,esi
mov [edi],eax
add edi,4
; advance esi to the byte after this name's terminating zero
@@:
lodsb
or al,al
jnz @B
.break .if !BYTE ptr [esi]
.endw
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; FindWindowA("NotePad", NULL); if a window exists, MessageBoxA(0, "NotePad", 0, MB_OK)
lea eax,[ebx + offset _szClassName]
_invoke [ebx + _lpFindWindowA],eax,0
.if eax != 0
lea eax,[ebx + offset _szClassName]
_invoke [ebx + _lpMessageBoxA],0,eax,0,MB_OK
.endif
; direct near call: relative displacement, so no relocation needed
call _CreateRemoteProcess
ret
_RemoteThread endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;---------------------------------------------------------------------
; _CreateRemoteProcess(lParam)
; Runs inside the target (called from _RemoteThread). Resolves the kernel32
; name table, takes a Toolhelp process snapshot, walks it with
; Process32First/Next, and for every entry whose szExeFile equals 'cmd.exe'
; opens the process and calls TerminateProcess on it.
; Register roles: ebx = relocation delta (same scheme as _RemoteThread);
; esi/edi walk the name/pointer tables, later hold the lstrcmp operands.
; Returns: eax as left by the final CloseHandle call.
;---------------------------------------------------------------------
_CreateRemoteProcess Proc uses ebx edi esi ecx edx lParam
local @sc                               ; Kernel32.dll module handle in the target
; ebx = run-time address of @@ minus its link-time address
call @F
@@:
pop ebx
sub ebx,offset @B
; GetModuleHandleA(NULL); stored in _hInstance1 but not read again in the visible code
_invoke [ebx + _lpGetModuleHandle],NULL
mov [ebx + _hInstance1],eax
; GetModuleHandleA("Kernel32.dll")
lea edx,[ebx + offset _scKernel32]
_invoke [ebx + _lpGetModuleHandle],edx
mov @sc, eax
; Resolve _szProcess32First.._szGetLastError into _lpProcess32First.._lpGetLastError
; (eight entries, same order in both tables). The loop stops when the byte after
; a name's terminator is zero -- here the first byte of _stStartupInfo, presumably 0.
lea esi,[ebx+offset _szProcess32First]
lea edi,[ebx+offset _lpProcess32First]
.while TRUE
_invoke [ebx + offset _lpGetProcAddress],@sc,esi
mov [edi],eax
add edi,4
; advance esi past this name's terminating zero
@@:
lodsb
or al,al
jnz @B
.break .if !BYTE ptr [esi]
.endw
; CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
; NOTE(review): on failure this API returns INVALID_HANDLE_VALUE, not 0,
; so the check below does not catch a failed snapshot.
_invoke [ebx + _lpCreateToolhelp32Snapshot],TH32CS_SNAPPROCESS,0
mov [ebx + _hSnapshot],eax
.if eax == 0
lea eax,[ebx + offset _szClassName]
_invoke [ebx + _lpMessageBoxA],0,eax,0,MB_OK
.endif
;>>>>>>>>>> I am not sure whether the relocation on the next line is written correctly... probably wrong
mov _stProcess.dwSize,sizeof _stProcess
; Process32First(_hSnapshot, ...)
_invoke [ebx + _lpProcess32First],[ebx + _hSnapshot],[ebx + offset _stProcess]
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this is where it keeps coming back as zero
.if eax == 0
lea eax,[ebx + offset _szClassName]
_invoke [ebx + _lpMessageBoxA],0,eax,0,MB_OK
.endif
; If the message box above ran, eax now holds its return value when
; .while eax is evaluated, so the loop is entered regardless.
.while eax
; lstrcmp("cmd.exe", _stProcess.szExeFile) -- case-sensitive, exact match
lea esi,[ebx + offset _scCmd]
lea edi,[ebx + offset _stProcess.szExeFile]
_invoke [ebx + _lplstrcmp],esi,edi
.if eax == 0
; third argument comes from lea (an address); OpenProcess(PROCESS_ALL_ACCESS, TRUE, eax)
lea eax,[ebx + _stProcess.th32ProcessID]
_invoke [ebx + _lpOpenProcess],PROCESS_ALL_ACCESS,TRUE,eax
; TerminateProcess(handle, -1); the handle from OpenProcess is never closed
_invoke [ebx + _lpTerminateProcess],eax,-1
.endif
; Process32Next(_hSnapshot, &_stProcess); eax == 0 ends the loop
lea eax,[ebx + offset _stProcess]
_invoke [ebx + _lpProcess32Next],[ebx + _hSnapshot],eax
.endw
_invoke [ebx + _lpCloseHandle],[ebx + _hSnapshot]
ret
_CreateRemoteProcess endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; End marker of the copied block; REMOTE_CODE_LENGTH is what VirtualAllocEx
; reserves and WriteProcessMemory copies in start:.
REMOTE_CODE_END equ this byte
REMOTE_CODE_LENGTH equ offset REMOTE_CODE_END - REMOTE_CODE_START
;---------------------------------------------------------------------
; start: injector entry point (runs in this process).
; 1. resolve LoadLibraryA / GetProcAddress / GetModuleHandleA from kernel32;
; 2. find the process owning the 'Program Manager' window and open it;
; 3. allocate an executable region there, copy REMOTE_CODE_START..END into
;    it, patch its first four dwords with the resolved addresses, and start
;    _RemoteThread in the target.
; The kernel32 addresses resolved here are reused unchanged inside the
; target, i.e. kernel32 is assumed to be mapped at the same base there.
; Defender note: OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|
; PROCESS_VM_WRITE) -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
; WriteProcessMemory -> CreateRemoteThread is the textbook injection chain
; that endpoint monitoring keys on (RWX allocation in a foreign process,
; remote thread whose start address lies outside any loaded module).
;---------------------------------------------------------------------
start:
invoke GetModuleHandle,addr szDllKernel
mov ebx,eax                             ; ebx = kernel32 base for the three lookups
invoke GetProcAddress,ebx,offset szLoadLibrary
mov lpLoadLibrary,eax
invoke GetProcAddress,ebx,offset szGetProcAddress
mov lpGetProcAddress,eax
invoke GetProcAddress,ebx,offset szGetModuleHandle
mov lpGetModuleHandle,eax
;invoke GetProcAddress,ebx,offset szWinExec
;mov lpWinExec,eax
;********************************************************************
; Find the file-manager (shell) window, get its process id, then open the process
;********************************************************************
invoke FindWindow,NULL,addr szDesktopWindow
; the hwnd is passed on without a NULL check; eax = owning thread id,
; dwProcessID receives the process id
invoke GetWindowThreadProcessId,eax,offset dwProcessID
mov dwThreadID,eax
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or \
PROCESS_VM_WRITE,FALSE,dwProcessID
.if eax
mov hProcess,eax
;********************************************************************
; Allocate space in the process, copy the code there, then create a remote thread
;********************************************************************
; RWX region sized to the whole copied block
invoke VirtualAllocEx,hProcess,NULL,REMOTE_CODE_LENGTH,MEM_COMMIT,PAGE_EXECUTE_READWRITE
.if eax
mov lpRemoteCode,eax
; copy REMOTE_CODE_START..REMOTE_CODE_END verbatim (neither write's result is checked)
invoke WriteProcessMemory,hProcess,lpRemoteCode,\
offset REMOTE_CODE_START,REMOTE_CODE_LENGTH,NULL
; overwrite the first four dwords (_lpLoadLibrary.._lpWinExec) with
; lpLoadLibrary..lpWinExec; lpWinExec was never assigned in this file
invoke WriteProcessMemory,hProcess,lpRemoteCode,\
offset lpLoadLibrary,sizeof dword * 4,NULL
; thread start = region base + offset of _RemoteThread within the block
mov eax,lpRemoteCode
add eax,offset _RemoteThread - offset REMOTE_CODE_START
invoke CreateRemoteThread,hProcess,NULL,0,eax,0,0,NULL
; thread handle released at once; a NULL (failed) handle is passed through unchecked
invoke CloseHandle,eax
.endif
invoke CloseHandle,hProcess
.else
invoke MessageBox,NULL,addr szErrOpen,NULL,MB_OK or MB_ICONWARNING
.endif
invoke ExitProcess,NULL
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start