远程dll注入与代码注入

最新推荐文章于 2021-05-19 17:41:56 发布

zerray

最新推荐文章于 2021-05-19 17:41:56 发布

阅读量1.7k

点赞数

分类专栏：编程文章标签： dll include library null thread access

编程专栏收录该内容

20 篇文章

订阅专栏

该博客介绍了一个程序，可找到计算器进程并将c盘下的modll.dll注入。说明了DLL编译参数、def文件内容，dll作用为显示被注入进程的PID号。还给出了代码注入和DLL注入的具体代码，以及程序下载链接。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

程序说明:找到计算器进程把c盘下的modll.dll注入.
DLL编绎参数: ml /c /coff modll.asm
link /dll /subsystem:windows /def:modll.def modll.obj
def文件:只有一行(无导出函数哈):LIBRARY modll.dll
dll的作用:显示被注入进程的PID号.

masm6.11+win2k pro调试通过.
程序下载:http://www.cnwill.com/soft/czy/modll.dll
http://www.cnwill.com/soft/czy/mo.exe

如果是代码注入:作用弹一个msgbox出来

---------------------------------rthread.asm------------------
.386
.model flat,stdcall
option casemap:none

include ../include/user32.inc
includelib ../lib/user32.lib
include ../include/kernel32.inc
includelib ../lib/kernel32.lib
include ../include/windows.inc

.data
hello db '2K下建远程线程',0
tit db '计算器',0
szFormat db 'PID是:%d',0
szBuffer dd 20 dup(0),0
pid dd 0
hProcess dd 0
hThread dd 0
pCodeRemote dd 0
dllname db 'c:/modll.dll',0

.const
szmsg db 'MessageBoxA',0
userdll db 'User32.dll',0
szloadlib db 'LoadLibraryA',0 ;注意和LoadLibraryW的区别哟
kerdll db 'kernel32.dll',0

.code
codebegin:
dispdata db "iam remote thread",0
szTit db "nsfocus.czy",0
datalen =$-codebegin
Rproc proc msgbox ;MessageBoxA的地址为参数
CALL @F ;push esi
@@:
POP EBX
SUB EBX,OFFSET @B
LEA ECX,[EBX+dispdata]
LEA EDX,[EBX+szTit]
push 1
push edx
push ecx
push 0
call msgbox
ret ;重要
Rproc endp
codelen =$-codebegin ;代码长度13字节

start:
invoke FindWindow,0,offset tit ;返回计算器窗口句柄
invoke GetWindowThreadProcessId,eax,offset pid ;计算机器程序的进程PID号
;invoke wsprintf,offset szBuffer,offset szFormat,pid ;把PID用十进制显示
invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,pid ;打开进程,得到进程句柄
mov hProcess,eax ;保存进程句柄

;-------------------------------------------下面是把程序代码注入
;invoke VirtualAllocEx,hProcess,0, codelen, MEM_COMMIT, PAGE_EXECUTE_READWRITE
;mov pCodeRemote,eax
;invoke WriteProcessMemory,hProcess,pCodeRemote,offset codebegin,codelen,NULL

;mov esi,pCodeRemote
;add esi,datalen
;push esi
;invoke LoadLibrary,offset userdll
;invoke GetProcAddress,eax,offset szmsg
;pop esi
;invoke CreateRemoteThread,hProcess,0,0,esi,eax,0,0
;--------------------------------------------下面是DLL注入
invoke VirtualAllocEx,hProcess,0, sizeof dllname, MEM_COMMIT, PAGE_EXECUTE_READWRITE
mov pCodeRemote,eax
invoke WriteProcessMemory,hProcess,pCodeRemote,offset dllname,sizeof dllname,NULL
invoke LoadLibrary,offset kerdll
invoke GetProcAddress,eax,offset szloadlib
invoke CreateRemoteThread,hProcess,0,0,
eax, ;这个参数在代码注入中为代码起始地址,现在成了LoadLibraryA的起始地址了
pCodeRemote, ;要加载的DLL的名字
0,0
;--------------------------------------------没有用FreeLibrary所以只能加载一次
mov hThread,eax ; 返回线程句柄
.if hThread
invoke WaitForSingleObject,hThread, INFINITE ;等待线程结束
invoke CloseHandle,hThread ;关闭线程句柄
.endif

invoke VirtualFreeEx,hProcess,pCodeRemote,codelen,MEM_RELEASE ;释放空间
invoke CloseHandle,hProcess ;关闭进程句柄
;invoke MessageBoxA,0,offset szBuffer,offset szBuffer,1
invoke ExitProcess,0
end start

----------------------------------end---------------------

----------------------modll.asm--------------------
.386
.model flat,stdcall
option casemap:none
include /masm32/include/windows.inc
include /masm32/include/user32.inc
include /masm32/include/kernel32.inc
includelib /masm32/lib/user32.lib
includelib /masm32/lib/kernel32.lib

.data
pid dd 0
szFormat db 'PID是:%d',0
szBuffer dd 20 dup(0),0
tit db '显示被注入进程的PID',0

.code
DllEntry proc hInstDLL:HINSTANCE, reason:DWORD, reserved1:DWORD

.if reason==DLL_PROCESS_ATTACH ;dll加载时
invoke GetCurrentProcessId
mov pid,eax
invoke wsprintf,offset szBuffer,offset szFormat,pid
invoke MessageBoxA,0,offset szBuffer,offset tit,0
.endif
mov eax,TRUE
ret
DllEntry Endp

End DllEntry
----------------------end--------------------------