我在网上找的如下代码,为什么运行不成功??
会导致目标进程出错退出
function RemoteThread:Integer;
asm
call @Delta
@Delta:
pop ebp
sub ebp,offset @Delta
//---- get kernel32.dll base
mov eax,fs:[0]
@FindSEHEnding:
cmp Dword ptr [eax],$FFFFFFFF
je @FoundSEHEnding
mov eax,[eax]
jmp @FindSEHEnding
@FoundSEHEnding:
mov eax,[eax+4]
xor ax,ax
@FindKnlHead:
sub eax,$10000
cmp word ptr [eax],$5A4D
jne @FindKnlHead
mov ebx,eax //kernel32 base
//---- get GetProcAddress address
mov eax,[eax+$3c]
add eax,ebx
mov edx,[eax+$78]
add edx,ebx //ExportTable
mov edi,[edx+$1c]
add edi,ebx //APIAddrTable
mov esi,[edx+$20]
add esi,ebx //APINameTable
//-- Search 'GetProcAddress'
xor ecx,ecx //counter
@Find_ocAd:
mov eax,[esi]
add eax,ebx
cmp dword ptr [eax+5],$6441636f //GetPr'ocAd'dress
je @Found_ocAd
@Find_ocAd_:
add ecx,4
add esi,4
jmp @Find_ocAd
@Found_ocAd:
cmp word ptr [eax+$0d],$73 //GetProcAddres's\0'
jne @Find_ocAd_ //eax: 'GetProcAddress'
//-- Get GetProcAddress address
mov esi,edi
add esi,ecx
mov esi,[esi]
add esi,ebx //GetProcAddress
//---- Free the Library
call @StrGetModuleHandle
db 'GetModuleHandleA',0
@StrGetModuleHandle:
push ebx
call esi
mov edi,eax //GetModuleHandleA
call @StrFreeLibrary
db 'FreeLibrary',0
@StrFreeLibrary:
push ebx
call esi
mov esi,eax //FreeLibrary
lea ecx,[ebp+@DLLName]
push ecx
call edi //GetModuleHandle(DLLName)
push eax
call esi //FreeLibrary(GetModuleHandle(DLLName))
retn
//77E66364 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 GetProcAddress
//B8 00 00 E4 77 BB 00 00 E4 77 8B 40 3C 03 C3 8B 50 78 03 D3 8B 7A 1C 03 FB 8B 72 20 03 F3 33 C9
//8B 06 03 C3 81 78 05 6F 63 41 64 74 08 83 C1 04 83 C6 04 EB EB 66 83 78 0E 73 75 F1 8B C7 03 C1
//8B 00 03 C3
@DLLName: DD 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
//256字节,用于存放要缷载的DLL名
end;
procedure TForm1.Button6Click(Sender: TObject);
var
i,j:Integer;
pid,phan,pthread:dword;
tmpBuf:array[0..256]of char;
rtnVal:Dword;
tmpChar:pchar;
pmem:Pointer;
mbi:TMemoryBasicInformation;
begin
hw:=findwindow('TForm1','pmview v0.9 for XP');
GetWindowThreadProcessId(hw,pid);
phan:=OpenProcess(PROCESS_ALL_ACCESS,true,pid);
j:=Length('C:\Program Files\360safe\safemon\safemon.dll');
tmpChar:=PChar('C:\Program Files\360safe\safemon\safemon.dll');
VirtualQuery(@RemoteThread,mbi,28);
VirtualProtect(@RemoteThread,1024,PAGE_EXECUTE_READWRITE,@mbi);
asm
pushad
lea edi,RemoteThread
add edi,$AB
mov ecx,64
@ZeroBuffer:
mov dword ptr [edi],0
add edi,4
dec ecx
jnz @ZeroBuffer
lea edi,RemoteThread
add edi,$AB
mov esi,tmpChar
mov ecx,j
rep movsb
popad
end;
pmem:=VirtualAllocEx(phan,nil,1024,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
WriteProcessMemory(phan,pmem,@RemoteThread,1024,rtnVal);
pthread:=CreateRemoteThread(phan,nil,0,pmem,nil,0,rtnVal);
if pthread<>0 then begin
MessageBox(0,'成功运行远程线程。','信息...',0);
//Button4Click(Sender); //refresh the list.
end else
MessageBox(0,'创建远程线程失败。','信息...',0);
VirtualFreeEx(phan,pmem,1024,MEM_DECOMMIT);
CloseHandle(phan);
end;
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
