求助】为什么给Explorer进程插入线程会死机
我在网上都找了好多都没得到解决.......
这是两个文件
1.Dll文件:
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
_ProcThread proto lParam:DWORD
.code
;DLL的入口函数.
DllMain proc _hInstance,_dwReason,_dwReserved
.if _dwReason==DLL_PROCESS_ATTACH
invoke CreateThread,NULL,0,addr _ProcThread ,NULL,0,0
invoke SetThreadPriority,eax,1
.endif
DllMain endp
_ProcThread proc lParam:DWORD
.while TRUE
invoke Sleep,5000
invoke MessageBox,0,0,0,1
.endw
ret
_ProcThread endp
end DllMain
2.原文件:
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include advapi32.inc
includelib advapi32.lib
.const
szExplorer db 'explorer.exe',0
szKernel32 db 'kernel32.dll',0
szLoadLibraryA db 'LoadLibraryA',0
szDllPath db 'C:\systemDll.dll',0
.data?
hSnapshot dd ?
hRemoteProcess dd ?
pszInspectDllRemote dd ?
stPe PROCESSENTRY32 <0>
stLsr LPTHREAD_START_ROUTINE <0>
.data
.code
start:
;使用进程快照取得目标进程.
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,NULL
mov hSnapshot,eax
.if eax==INVALID_HANDLE_VALUE ;调用成功,返回快照的句柄,调用失败,返回INVAID_HANDLE_VALUE
ret FALSE
.endif
;这里要构造一个for循环.
mov stPe.dwSize,sizeof PROCESSENTRY32
invoke Process32First,hSnapshot,offset stPe
jmp next
jmpNext:
invoke Process32Next,hSnapshot,offset stPe
next:
cmp eax,TRUE
jne exit
;for循环体.
invoke lstrcmpi,addr stPe.szExeFile,offset szExplorer ;不同返回-1,相同返回0
.if eax!=FALSE ;两字符串不相等,则在次循环.
jmp jmpNext
;.continue
.endif
;获得宿主进程(EXPLORER.EXE)的句柄.
invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,stPe.th32ProcessID
mov hRemoteProcess,eax
;把Dll文件名写入申请的空间
invoke VirtualAllocEx,hRemoteProcess,NULL,sizeof szDllPath,MEM_COMMIT,PAGE_READWRITE
mov pszInspectDllRemote,eax
invoke WriteProcessMemory,hRemoteProcess,pszInspectDllRemote,offset szDllPath,sizeof szDllPath,NULL
;获取动太链接库函数地址
invoke GetModuleHandle,offset szKernel32
invoke GetProcAddress,eax,offset szLoadLibraryA
mov stLsr,eax
;创建远程线程.
invoke CreateRemoteThread,hRemoteProcess,NULL,NULL,stLsr,pszInspectDllRemote,NULL,NULL
invoke CloseHandle,eax
invoke CloseHandle,hRemoteProcess
.if hSnapshot!=NULL
invoke CloseHandle,hSnapshot
;.break
jmp exit
.endif
jmp jmpNext
exit:
invoke ExitProcess,NULL
end start
谢谢老大们啊..
[课程]Linux pwn 探索篇!