writepr.asm

;********************************************************************
;File:    WritePr.asm                                               *
;Purpose: run code inside another process's address space          *
;         (CreateProcess -> VirtualAllocEx -> WriteProcessMemory -> *
;          CreateRemoteThread demo; TASM, 32-bit, stdcall)          *
;********************************************************************
.386p
locals
.model flat,stdcall
include win32.inc
include WritePr.inc
extrn MessageBoxA:proc
extrn ExitProcess:proc
extrn DialogBoxParamA:proc
extrn EndDialog:Proc
extrn GetDlgItemTextA:proc
extrn SetDlgItemTextA:proc
extrn CreateProcessA:proc
extrn CloseHandle:proc
extrn VirtualAllocEx:proc
extrn VirtualFreeEx:proc
extrn GetModuleHandleA:proc
extrn GetProcAddress:proc
extrn WriteProcessMemory:proc
extrn CreateRemoteThread:proc

IDC_PROCESS  = 100			;control ID of the path edit box in "MyDialog" (must match the resource script, not shown here)
MEM_COMMIT   = 1000H			;VirtualAllocEx allocation type: commit pages (Win32 value)
PAGE_EXECUTE_READWRITE = 40H		;VirtualAllocEx protection: RWX - the remote page is written AND executed (see Ingress)

.data 
	SUI	STARTUPINFO<17*4,>		;cb = 17*4 = 68, the size of a 32-bit STARTUPINFOA; all other fields zero
	PI	PROCESS_INFOMATION<>		;(sic) name as declared in the includes; filled by CreateProcessA in Ingress
	DialogName	db "MyDialog",0		;dialog resource name (resource script not part of this file)
	CaptionFail	db '失败',0			;caption of every failure box ("failed")
	TextFail	db 'API:DialogBoxParamA调用失败!',0	;"DialogBoxParamA call failed"
	TextCPA		db '创建进程失败!',0		;"CreateProcess failed"
	TextVAE		db '分配远程内存失败!',0		;"allocating remote memory failed"
	TextWPM		db '写远程进程失败!',0		;"writing the remote process failed"
	TextCRT		db '建立远程线程失败!',0		;"creating the remote thread failed"
	FileName	db 'd:\winnt\notepad.exe',0	;default target path; the dialog overwrites it (GetDlgItemTextA, max 200)
				db 300 dup(?)			;...tail of the same buffer (321 bytes total) - must stay adjacent to FileName

	hKer32		dd ?				;HMODULE of KERNEL32.DLL in THIS process (set by Init)
	szKer32		db 'KERNEL32.DLL',0
	hUsr32		dd ?				;HMODULE of USER32.DLL in THIS process (set by Init)
	szUsr32		db 'USER32.DLL',0
	szMsgBox	db 'MessageBoxA',0		;export names resolved by Init via GetProcAddress
	szExitThread	db 'ExitThread',0
	InitCaption	db '初始化',0			;"Initialisation"
	InitText	db '初始化失败',0		;"Initialisation failed"
	
	MemBase		dd ?				;remote address returned by VirtualAllocEx
	NumWritten	dd ?				;byte count reported by WriteProcessMemory
	hThreadNew	dd ?				;handle of the remote thread (CreateRemoteThread)
	dwThreadNew dd ?				;id of the remote thread
;-----------------------------------------------------------------
; RemoteThreadProc: position-independent stub that is COPIED into the
; target process (WriteProcessMemory in Ingress) and started there by
; CreateRemoteThread. It is never executed in this process, which is
; why it can live in the writable .data section.
; Layout (all offsets relative to MsgBoxAddr, the "return address"
; pushed by 'call @0'):
;   +0  MsgBoxAddr      address of MessageBoxA, patched in by Init
;   +4  ExitThreadAddr  address of ExitThread,  patched in by Init
;   +8  ThreadCaption   caption string
;   +?  ThreadText      text string (offset computed by the assembler)
; The stub ends with ExitThread(0), so it never returns and never
; needs to preserve ebx/esi/edi. It only works if USER32/KERNEL32 sit
; at the same base in the target as in this process (see Init).
; RemoteThreadProcLeng covers code AND data, so the whole image is copied.
;-----------------------------------------------------------------
RemoteThreadProc:
	call	@0					;pushes the address of MsgBoxAddr -> ebx base below
MsgBoxAddr	dd ?
ExitThreadAddr	dd ?
ThreadCaption	db 'Wellcome',0
ThreadText	db '现正在远程进程地址空间运行',0	;"now running in the remote process address space"
@0:	pop		ebx				;ebx = &MsgBoxAddr (delta trick: no absolute addresses)
	mov		eax,[ebx]			;eax = MessageBoxA
	mov		esi,[ebx+4]			;esi = ExitThread
	push 	esi					;keep ExitThread across the call
	lea		esi,[ebx+4*2]			;esi = ThreadCaption
	lea		edi,[ebx+ThreadText-MsgBoxAddr]	;edi = ThreadText
	call	eax,0,edi,esi,MB_OK			;MessageBoxA(0, ThreadText, ThreadCaption, MB_OK)
	pop		esi
	call	esi,0					;ExitThread(0) - no return
RemoteThreadProcLeng=$-RemoteThreadProc

.code
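;-----------------------------------------------------------------
; WinMain: program entry point (see 'end WinMain').
; Resolves the stub's imports (Init), runs the modal dialog "MyDialog"
; and exits with code 0.
; DialogBoxParamA returns the EndDialog result (1, from DialogProc on
; WM_CLOSE), 0 when the parent window handle is invalid and -1 on any
; other failure. The original only treated 0 as a failure, so a real
; -1 failure exited silently; both are now reported.
;-----------------------------------------------------------------
WinMain:
	call Init					;fill MsgBoxAddr/ExitThreadAddr or die
	call GetModuleHandleA,0				;hInstance of this module
	call DialogBoxParamA,eax,offset DialogName,0,offset DialogProc,0
	test eax,eax
	jz   DlgFailed					;0  = invalid parent handle
	cmp  eax,-1
	jne  Exit					;anything else = dialog ran and was closed
DlgFailed:						;-1 = DialogBoxParamA failed (resource missing, ...)
	call MessageBoxA,0,offset TextFail,offset CaptionFail,MB_OK
Exit:	
	call ExitProcess,0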
;***********************************************************
;Dialog procedure
;-----------------------------------------------------------------
; DialogProc: dialog procedure of "MyDialog" (stdcall, called by USER32).
;   WM_INITDIALOG  prefill IDC_PROCESS with FileName
;   WM_CLOSE       EndDialog(hWnd, 1); 1 becomes DialogBoxParamA's result
;   WM_COMMAND     only IDOK: copy IDC_PROCESS into FileName (<= 200
;                  chars) and call Ingress
; Returns FALSE (eax = 0) for every message.
; Note: whatever is typed into IDC_PROCESS is used verbatim as the
; program to launch and inject into (see Ingress); the launched process
; runs under this user's own token.
;-----------------------------------------------------------------
DialogProc  proc uses ebx edi esi, hWnd:DWORD, wMsg:DWORD, wParam:DWORD, lParam:DWORD
	mov  eax,wMsg
	cmp  eax,WM_COMMAND
	je   OnCommand
	cmp  eax,WM_INITDIALOG
	je   OnInitDialog
	cmp  eax,WM_CLOSE
	jne  Done
	call EndDialog,hWnd,1				;end the modal loop with result 1
	jmp  Done
OnInitDialog:
	call SetDlgItemTextA,hWnd,IDC_PROCESS,offset FileName
	jmp  Done
OnCommand:
	movzx ebx,word ptr wParam			;LOWORD(wParam) = control id
	cmp  ebx,IDOK
	jne  Done
	call GetDlgItemTextA,hWnd,IDC_PROCESS,offset FileName,200
	call Ingress
Done:
	xor  eax,eax					;FALSE: message not "handled" in the dialog sense
	ret
DialogProc endp	

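;-----------------------------------------------------------------
; Init: resolve the two imports the remote stub calls and patch their
; addresses into the stub's data slots (MsgBoxAddr, ExitThreadAddr).
; Out:      hKer32, hUsr32, ExitThreadAddr, MsgBoxAddr
; Failure:  shows a message box and terminates the process (no return).
; Clobbers: eax, ecx, edx.
; NOTE(review): the addresses are looked up in THIS process but are
; executed inside the target. That only works while KERNEL32/USER32 are
; mapped at the same base in both processes - true in practice for
; processes of one boot session, but not something the API guarantees.
;-----------------------------------------------------------------
Init Proc
	call GetModuleHandleA,offset szKer32	;hKer32 = GetModuleHandleA("KERNEL32.DLL")
	mov  [hKer32],eax
	test eax,eax
	jz   Error
	call GetModuleHandleA,offset szUsr32	;hUsr32 = GetModuleHandleA("USER32.DLL")
	mov  [hUsr32],eax
	test eax,eax
	jz   Error
	call GetProcAddress,[hKer32],offset szExitThread	;stub slot +4: ExitThread
	mov  [ExitThreadAddr],eax
	test eax,eax
	jz   Error	
	call GetProcAddress,[hUsr32],offset szMsgBox		;stub slot +0: MessageBoxA
	mov  [MsgBoxAddr],eax
	test eax,eax
	jz   Error	
	ret
Error:
	;FIX: lpText and lpCaption were swapped here. MessageBoxA takes the
	;text before the caption, as every other call in this file does.
	call MessageBoxA,0,offset InitText,offset InitCaption,MB_OK
	call ExitProcess,0
Init endp	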

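;-----------------------------------------------------------------
; Ingress: launch the program named in FileName and run the
; RemoteThreadProc stub inside it:
;   CreateProcessA -> VirtualAllocEx(RWX) -> WriteProcessMemory ->
;   CreateRemoteThread
; In:   FileName (NUL-terminated path), SUI.cb, the stub slots filled by Init
; Out:  nothing. Every failure is reported with MessageBoxA; the handles
;       and the remote page acquired up to that point are released.
;       On success the remote page is intentionally NOT freed: the new
;       thread is still executing it.
; Clobbers: eax, ecx, edx (ebx is saved/restored via 'uses').
; Fixes vs. the original:
;   * the third cleanup step tested PI.hProcess but closed PI.hThread
;   * PI/hThreadNew/MemBase are statics in .data and kept the (already
;     closed) values from the previous click, so an early failure on a
;     later click called CloseHandle on a stale handle number - which
;     can close an unrelated object once the number has been reused
;   * the remote page was leaked when WriteProcessMemory or
;     CreateRemoteThread failed (VirtualFreeEx was declared, never used)
;   * a short write reported in NumWritten is no longer executed
; SECURITY NOTE(review): this is the textbook remote-thread injection
; shape (RWX allocation in a foreign process + CreateRemoteThread) that
; EDR/AV products alert on. A quieter, W^X-respecting variant would
; allocate PAGE_READWRITE and switch to PAGE_EXECUTE_READ with
; VirtualProtectEx after the write (not declared in this file).
; The target is started by us under the caller's own token, so this is
; not a privilege boundary - it only runs code in a process we own.
;-----------------------------------------------------------------
MEM_RELEASE = 8000H				;VirtualFreeEx: release the whole reservation (dwSize must be 0)
Ingress proc uses ebx
	;start from a clean slate so the cleanup below never acts on
	;values left behind by a previous run
	mov  hThreadNew,0
	mov  MemBase,0
	mov  PI.hProcess,0
	mov  PI.hThread,0

	;1. start the target (lpApplicationName = FileName, no command line,
	;   handles not inherited, default flags/environment/cwd)
	call CreateProcessA,offset FileName,0,0,0,FALSE,0,0,0,offset SUI,offset PI
	mov  ebx,offset TextCPA
	test eax,eax
	jz   ErrMsg

	;2. one committed, RWX page-sized block in the target (see header note)
	call VirtualAllocEx,PI.hProcess,NULL,2048,MEM_COMMIT,PAGE_EXECUTE_READWRITE
	mov  MemBase,eax
	mov  ebx,offset TextVAE
	test eax,eax
	jz   ErrMsg

	;3. copy the stub (code + its data slots) into that block
	call WriteProcessMemory,PI.hProcess,eax,offset RemoteThreadProc,RemoteThreadProcLeng,offset NumWritten
	mov  ebx,offset TextWPM
	test eax,eax
	jz   ErrMsg
	cmp  NumWritten,RemoteThreadProcLeng		;never start a partially written stub
	jne  ErrMsg

	;4. run it: start address = MemBase, no parameter, default stack
	call CreateRemoteThread,PI.hProcess,NULL,0,MemBase,0,0,offset dwThreadNew
	mov  hThreadNew,eax
	mov  ebx,offset TextCRT
	test eax,eax
	jz   ErrMsg
	jmp  Cleanup					;success: leave the remote page to the thread

ErrMsg:
	call MessageBoxA,0,ebx,offset CaptionFail,MB_OK
	;no thread is running the stub, so the remote page (if any) can go
	cmp  MemBase,0
	jz   Cleanup
	call VirtualFreeEx,PI.hProcess,MemBase,0,MEM_RELEASE
	mov  MemBase,0

Cleanup:
	;close only what this run actually acquired, and forget it afterwards
	cmp  hThreadNew,0
	jz   @@NoRemoteThread
	call CloseHandle,hThreadNew
	mov  hThreadNew,0
@@NoRemoteThread:
	cmp  PI.hThread,0				;FIX: was testing PI.hProcess here
	jz   @@NoPrimaryThread
	call CloseHandle,PI.hThread
	mov  PI.hThread,0
@@NoPrimaryThread:
	cmp  PI.hProcess,0
	jz   @@NoProcess
	call CloseHandle,PI.hProcess
	mov  PI.hProcess,0
@@NoProcess:
	ret	
Ingress endp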

	end WinMain
