遠程dll注入與代碼注入

程序說明:找到計算器進程把c盤下的modll.dll注入.
DLL編譯參數: ml /c /coff modll.asm
link /dll /subsystem:windows /def:modll.def modll.obj
def文件:只有一行(無導出函數哈):LIBRARY modll.dll
dll的作用:顯示被注入進程的PID號.

masm6.11+win2k pro調試通過.
程序下載:http://www.cnwill.com/soft/czy/modll.dll
http://www.cnwill.com/soft/czy/mo.exe

如果是代碼注入:作用彈一個msgbox出來

---------------------------------rthread.asm------------------
.386
.model flat,stdcall
option casemap:none

include ../include/user32.inc
includelib ../lib/user32.lib
include ../include/kernel32.inc
includelib ../lib/kernel32.lib
include ../include/windows.inc


.data
;-----------------------------------------------------------------------
; Injector state and strings (rthread.asm).
; hello, szFormat and szBuffer are referenced only from commented-out
; lines in start; pid / hProcess / hThread / pCodeRemote are filled in by
; the API calls there.
;-----------------------------------------------------------------------
hello db '2K下建遠程線程',0 ;"create a remote thread on 2K" -- not used by the live code
tit db '計算器',0 ;window title FindWindow looks for ("Calculator")
szFormat db 'PID是:%d',0 ;wsprintf format "PID is:%d" -- only used by commented-out code
szBuffer dd 20 dup(0),0 ;84-byte scratch buffer for the formatted PID -- only used by commented-out code
pid dd 0 ;target process id, written by GetWindowThreadProcessId (stays 0 if the window is not found)
hProcess dd 0 ;handle returned by OpenProcess (0 on failure; never checked)
hThread dd 0 ;handle returned by CreateRemoteThread (0 on failure; checked in start)
pCodeRemote dd 0 ;address of the buffer VirtualAllocEx reserved inside the target
dllname db 'c:/modll.dll',0 ;path the target is made to LoadLibraryA; a forward slash is accepted by Win32 path parsing.
                            ;Whoever can write to the drive root controls what gets loaded from here (DLL planting risk).

.const
;-----------------------------------------------------------------------
; Module / export names resolved with LoadLibrary + GetProcAddress.
; szmsg and userdll belong to the commented-out code-injection path;
; szloadlib and kerdll to the live DLL-injection path in start.
;-----------------------------------------------------------------------
szmsg db 'MessageBoxA',0 ;export whose address is handed to the injected stub as its parameter
userdll db 'User32.dll',0 ;module exporting MessageBoxA
szloadlib db 'LoadLibraryA',0 ;must be the ANSI variant: the path written into the target (dllname) is a byte string, LoadLibraryW would read it as UTF-16
kerdll db 'kernel32.dll',0 ;module exporting LoadLibraryA

.code
;-----------------------------------------------------------------------
; Position-independent stub for the (commented-out) code-injection path
; in start: the bytes from codebegin up to codelen are meant to be copied
; verbatim into another process, so the strings live in .code next to the
; routine and every address is recomputed at run time.
; Layout: dispdata, szTit (datalen bytes), then Rproc -- start pushes
; codebegin+datalen as the thread start address.
;-----------------------------------------------------------------------
codebegin:
dispdata db "iam remote thread",0 ;MessageBox text (18 bytes incl. NUL)
szTit db "nsfocus.czy",0 ;MessageBox caption (12 bytes incl. NUL)
datalen =$-codebegin ;= 30: byte offset of Rproc from codebegin
;-----------------------------------------------------------------------
; DWORD WINAPI Rproc(LPVOID msgbox)  -- thread start routine
; In:   msgbox = address of MessageBoxA in the target process (passed by
;       CreateRemoteThread as the thread parameter)
; Out:  eax = MessageBoxA's return value
; Clobbers: ebx, ecx, edx.  ebx is callee-saved under stdcall and is NOT
;       restored here -- tolerable only because this is a thread's
;       top-level routine that returns straight into thread exit.
; Because the PROC declares a parameter under .model stdcall, MASM wraps
; the body in its default frame prologue and a `ret 4` epilogue; those
; bytes are part of the copied stub and are position-independent too.
;-----------------------------------------------------------------------
Rproc proc msgbox ;parameter = address of MessageBoxA
CALL @F ;pushes the run-time address of the next instruction (@@)
@@:
POP EBX ;ebx = run-time address of @@
SUB EBX,OFFSET @B ;ebx = run-time address - link-time address (relocation delta)
LEA ECX,[EBX+dispdata] ;ecx = run-time address of dispdata
LEA EDX,[EBX+szTit] ;edx = run-time address of szTit
push 1 ;uType = 1 (MB_OKCANCEL)
push edx ;lpCaption
push ecx ;lpText
push 0 ;hWnd = NULL
call msgbox ;MessageBoxA(NULL, dispdata, szTit, 1)
ret ;important: MASM expands this to the stdcall epilogue (ret 4); the thread ends when it returns
Rproc endp
codelen =$-codebegin ;total stub length. NOTE(review): the original comment said "13 bytes", which cannot be right --
                     ;the two strings alone are 30 bytes; the assembler-computed value is what start uses

;-----------------------------------------------------------------------
; Entry point of the injector (rthread.asm).
; Flow, as written below: FindWindow -> GetWindowThreadProcessId ->
; OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
; CreateRemoteThread(LoadLibraryA, <remote path>) -> wait / close ->
; VirtualFreeEx -> ExitProcess.
; That OpenProcess / VirtualAllocEx / WriteProcessMemory /
; CreateRemoteThread chain is the textbook DLL-injection pattern and is
; precisely what process-monitoring and EDR tooling is built to surface;
; on a current host expect it to be logged or blocked.
; Register use: eax carries each API's return value into the next invoke;
; hProcess / pCodeRemote / hThread are kept in .data.
; None of the lookups below checks for failure (see the per-line notes);
; on any error the later calls fail silently and the program still exits 0.
;-----------------------------------------------------------------------
start:
invoke FindWindow,0,offset tit ;eax = HWND of the window titled tit ("Calculator"), or 0 if none
invoke GetWindowThreadProcessId,eax,offset pid ;writes the owning process id into pid; with HWND 0 it fails and pid stays 0
;invoke wsprintf,offset szBuffer,offset szFormat,pid ;format the PID in decimal (disabled)
invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,pid ;open the target; PROCESS_ALL_ACCESS is far broader than the rights this code uses (least privilege would request only those). Returns 0 on failure, e.g. pid == 0
mov hProcess,eax ;save the process handle (possibly 0 -- never checked)

;-------------------------------------------- the block below is the code-injection variant (disabled)
;invoke VirtualAllocEx,hProcess,0, codelen, MEM_COMMIT, PAGE_EXECUTE_READWRITE
;mov pCodeRemote,eax
;invoke WriteProcessMemory,hProcess,pCodeRemote,offset codebegin,codelen,NULL

;mov esi,pCodeRemote
;add esi,datalen
;push esi
;invoke LoadLibrary,offset userdll
;invoke GetProcAddress,eax,offset szmsg
;pop esi
;invoke CreateRemoteThread,hProcess,0,0,esi,eax,0,0
;-------------------------------------------- DLL injection (the live path)
invoke VirtualAllocEx,hProcess,0, sizeof dllname, MEM_COMMIT, PAGE_EXECUTE_READWRITE ;reserve sizeof dllname bytes in the target as RWX. The buffer only ever holds the path string, so execute permission is unnecessary, and a remote RWX allocation is itself a strong indicator to monitoring tools
mov pCodeRemote,eax ;remote buffer address (0 on failure -- never checked)
invoke WriteProcessMemory,hProcess,pCodeRemote,offset dllname,sizeof dllname,NULL ;copy the path string into the target; NULL = don't report bytes written; BOOL result ignored
invoke LoadLibrary,offset kerdll ;eax = handle to kernel32 in THIS process (already mapped in every process)
invoke GetProcAddress,eax,offset szloadlib ;eax = address of LoadLibraryA in THIS process. Reusing it in the target only works because kernel32 sits at the same base in both -- true on the Win2K setup this was tested on, not an architectural guarantee
invoke CreateRemoteThread,hProcess,0,0,
eax, ;thread start: in the code-injection variant this is the stub's start address, here it is LoadLibraryA
pCodeRemote, ;thread parameter: the remote copy of the DLL path, so the new thread runs LoadLibraryA("c:/modll.dll") inside the target
0,0
;-------------------------------------------- no FreeLibrary is ever issued in the target, so the DLL stays mapped; a second injection only bumps its reference count and does not re-run DLL_PROCESS_ATTACH
mov hThread,eax ;thread handle, 0 if CreateRemoteThread failed
.if hThread
invoke WaitForSingleObject,hThread, INFINITE ;block until the remote LoadLibraryA returns, i.e. until modll.dll's DllEntry (and its MessageBox) has finished
invoke CloseHandle,hThread ;release the thread handle
.endif

invoke VirtualFreeEx,hProcess,pCodeRemote,codelen,MEM_RELEASE ;NOTE(review): with MEM_RELEASE the size argument must be 0 -- a non-zero size makes the call fail, and codelen (the stub length) is not even the size that was allocated (sizeof dllname). The result is unchecked, so the remote buffer is most likely leaked silently
invoke CloseHandle,hProcess ;release the process handle (also called when hProcess is 0)
;invoke MessageBoxA,0,offset szBuffer,offset szBuffer,1
invoke ExitProcess,0 ;always exit code 0, so the caller cannot tell whether injection happened
end start

----------------------------------end---------------------


----------------------modll.asm--------------------
.386
.model flat,stdcall
option casemap:none
include /masm32/include/windows.inc
include /masm32/include/user32.inc
include /masm32/include/kernel32.inc
includelib /masm32/lib/user32.lib
includelib /masm32/lib/kernel32.lib

.data
;-----------------------------------------------------------------------
; State for the injected DLL (modll.asm): the PID it finds itself
; running in and the text DllEntry shows.
;-----------------------------------------------------------------------
pid dd 0 ;filled by GetCurrentProcessId in DllEntry
szFormat db 'PID是:%d',0 ;wsprintf format, "PID is:%d"
szBuffer dd 20 dup(0),0 ;84-byte output buffer for wsprintf (the formatted text is well under that)
tit db '顯示被注入進程的PID',0 ;MessageBox caption: "show the PID of the injected process"

.code
;-----------------------------------------------------------------------
; BOOL WINAPI DllEntry(HINSTANCE hInstDLL, DWORD reason, LPVOID reserved1)
; DLL entry point (selected by the End directive).  On DLL_PROCESS_ATTACH
; it formats the current process id into szBuffer and shows it in a
; message box; every other notification falls through.  Always returns
; TRUE in eax, so loading never fails from here.
; NOTE: MessageBoxA runs while the loader lock is held (we are inside
; DllMain) -- a documented deadlock risk -- and anything waiting on the
; loading thread is blocked until the box is dismissed.
; Clobbers: eax; ecx/edx may be clobbered by the calls (stdcall scratch).
;-----------------------------------------------------------------------
DllEntry proc hInstDLL:HINSTANCE, reason:DWORD, reserved1:DWORD

        cmp     reason, DLL_PROCESS_ATTACH      ; explicit compare in place of .if/.endif
        jne     @F                              ; not an attach: nothing to do
        invoke  GetCurrentProcessId             ; eax = PID of the process we were loaded into
        mov     pid, eax
        invoke  wsprintf, offset szBuffer, offset szFormat, pid
        invoke  MessageBoxA, 0, offset szBuffer, offset tit, 0
@@:
        mov     eax, TRUE                       ; report success to the loader
        ret
DllEntry Endp


End DllEntry
----------------------end-------------------------- 