清凉一吻

插记事本不是很简单吗?

代码测试环境:

  windows XP SP2

.386
.model flat, stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include urlmon.inc
include shell32.inc
includelib kernel32.lib
includelib user32.lib
includelib urlmon.lib
includelib shell32.lib

.data
szDesktopClass db 'Notepad',0 ;记事本的窗口类
szBuff db '你能看到我吗？',0

.data?
hModule dd ?
hWnd dd ?
hProcess dd ?
ShellSize dd ?
Pid dd ?
Written dd ?
dwTid dd ?
.code

Shellcode proc
invoke MessageBox,0,addr szBuff,0,MB_ICONINFORMATION
invoke ExitThread,0
ret
Shellcode endp
start:
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;得程序的基址,然后把整个程序搬到记事本进程内存......
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
invoke GetModuleHandle, 0
mov hModule, eax
mov edi, eax
assume edi:ptr IMAGE_DOS_HEADER
add edi, [edi].e_lfanew
add edi, sizeof dword
add edi, sizeof IMAGE_FILE_HEADER
assume edi:ptr IMAGE_OPTIONAL_HEADER32
mov eax, [edi].SizeOfImage
mov ShellSize, eax
assume edi:NOTHING
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;接着原来的代码继续执行
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
invoke FindWindow,addr szDesktopClass,NULL
invoke GetWindowThreadProcessId, eax, addr Pid
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_WRITE+\
PROCESS_VM_OPERATION,FALSE,Pid
mov hProcess, eax
invoke VirtualFreeEx, hProcess, hModule, 0, MEM_RELEASE
invoke VirtualAllocEx, hProcess, hModule, ShellSize, MEM_COMMIT or MEM_RESERVE,
PAGE_EXECUTE_READWRITE
mov hWnd, eax
invoke WriteProcessMemory, hProcess, hWnd, hModule, ShellSize, addr Written
invoke CreateRemoteThread, hProcess, 0, 0, addr Shellcode, hModule, 0, addr dwTid
invoke ExitProcess, 0
end start游戏吧  http://www.game8.cc/MyBlog    http://www.asm32.cn
帖子1598 精华30 积分8742 阅读权限150 性别男 在线时间954 小时 注册时间2006-9-21 最后登录2008-7-20 查看详细资料引用 报告 回复 TOP

装呆
晶莹剔透§烈日灼然