求助】为什么给Explorer进程插入线程会死机
我在网上都找了好多都没得到解决.......
这是两个文件

1.Dll文件:
.386
.model flat,stdcall
option casemap:none

include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib

_ProcThread proto lParam:DWORD

.code

;DLL的入口函数.
DllMain proc _hInstance,_dwReason,_dwReserved
        .if _dwReason==DLL_PROCESS_ATTACH
                invoke CreateThread,NULL,0,addr _ProcThread ,NULL,0,0
                invoke SetThreadPriority,eax,1
        .endif
DllMain endp

_ProcThread proc lParam:DWORD
        .while TRUE
                invoke Sleep,5000
                invoke MessageBox,0,0,0,1
        .endw
        ret
_ProcThread endp

end DllMain

2.原文件:

.386
.model flat,stdcall
option casemap:none

include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib

include advapi32.inc
includelib advapi32.lib

.const
szExplorer db 'explorer.exe',0
szKernel32 db 'kernel32.dll',0
szLoadLibraryA db 'LoadLibraryA',0
szDllPath db 'C:\systemDll.dll',0

.data?
hSnapshot dd ?
hRemoteProcess dd ?
pszInspectDllRemote dd ?
stPe PROCESSENTRY32 <0>
stLsr LPTHREAD_START_ROUTINE <0>

.data

.code

start:
        ;使用进程快照取得目标进程.
        invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,NULL
        mov hSnapshot,eax
        .if eax==INVALID_HANDLE_VALUE ;调用成功，返回快照的句柄，调用失败，返回INVAID_HANDLE_VALUE
                ret FALSE
        .endif
       
       
        ;这里要构造一个for循环.
        mov stPe.dwSize,sizeof PROCESSENTRY32
        invoke Process32First,hSnapshot,offset stPe
        jmp next
        jmpNext:
        invoke Process32Next,hSnapshot,offset stPe       
        next:
        cmp eax,TRUE
        jne exit
       
        ;for循环体.
       
        invoke lstrcmpi,addr stPe.szExeFile,offset szExplorer  ;不同返回-1,相同返回0
        .if eax!=FALSE ;两字符串不相等,则在次循环.
                jmp jmpNext
                ;.continue
        .endif
       
       
        ;获得宿主进程(EXPLORER.EXE)的句柄.
        invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,stPe.th32ProcessID
        mov hRemoteProcess,eax

       
        ;把Dll文件名写入申请的空间
        invoke VirtualAllocEx,hRemoteProcess,NULL,sizeof szDllPath,MEM_COMMIT,PAGE_READWRITE
        mov pszInspectDllRemote,eax
        invoke WriteProcessMemory,hRemoteProcess,pszInspectDllRemote,offset szDllPath,sizeof szDllPath,NULL
       
        ;获取动太链接库函数地址
        invoke GetModuleHandle,offset szKernel32
        invoke GetProcAddress,eax,offset szLoadLibraryA
        mov stLsr,eax
       
        ;创建远程线程.
        invoke CreateRemoteThread,hRemoteProcess,NULL,NULL,stLsr,pszInspectDllRemote,NULL,NULL
        invoke CloseHandle,eax
        invoke CloseHandle,hRemoteProcess
        .if hSnapshot!=NULL
                invoke CloseHandle,hSnapshot
                ;.break
                jmp exit
        .endif
        jmp jmpNext
        exit:
       
        invoke ExitProcess,NULL
end start

谢谢老大们啊..

[课程]Linux pwn 探索篇！