;@GOTO TRANSLATE
.586P
.MODEL FLAT, STDCALL
OPTION CASEMAP: NONE
INCLUDE WINDOWS.inc
UNICODE = FALSE
INCLUDE APIMACRO.mac
INCLUDE ApiHooks.inc
INCLUDELIB iKERNEL32.lib
INCLUDELIB iUSER32.lib
INCLUDELIB iApiHooks.lib
;------------------------------------------------------------------
.DATA
; Shared scratch for the WinExec/LoadModule hooks below.
; NOTE(review): these are process-wide statics written by whichever
; thread happens to call the hooked API, so two threads launching
; children at the same time race on prinfo/stinfo (wrong thread resumed,
; handles leaked). Stack locals would remove the race -- confirm the
; LEAVE/iWin32j tail-jump pattern tolerates a LOCAL frame first.
prinfo PROCESS_INFORMATION <>
; Only cb is initialised; every other field, dwFlags included, is zero.
stinfo STARTUPINFO <SIZEOF STARTUPINFO>
; TEXTA appears to emit a NUL-terminated literal and expose it through
; sName / LName symbols (sHookDll, sFree/LFree, sCaptured/LCaptured are
; referenced in .CODE) -- confirm against APIMACRO.mac.
TEXTA HookDll, <Exec.dll/0>
TEXTA KERNEL32, <KERNEL32.dll/0>
TEXTA CreateProcessA, <CreateProcessA/0>
TEXTA CreateProcessW, <CreateProcessW/0>
TEXTA LoadModule, <LoadModule/0>
TEXTA WinExec, <WinExec/0>
TEXTA USER32, <USER32.dll/0>
TEXTA MessageBoxA, <MessageBoxA/0>
; Marker searched for at the end of a MessageBoxA text, and the
; same-length replacement written over it (see NewMessageBoxA).
TEXTA Free, <I am free/:/0>
TEXTA Captured, <*CAPTURED*/0>
; Parameter block passed to LoadModule (Win16 compatibility API).
; Field meanings as the hook below uses them; presumably they follow the
; documented LOADPARMS32 contract -- verify against the SDK.
LOADPARMS32 STRUCT
lpEnvAddress LPSTR ?
lpCmdLine LPSTR ?      ; length-prefixed command line (first byte = length)
lpCmdShow LPSTR ?      ; -> two WORDs: must be 2, then the show command
dwReserved DWORD NULL
LOADPARMS32 ENDS
.CODE
;Any pointer dereference must be surrounded by SEH frame to catch
;invalid pointers!!!
;Helper part-----------
;------------------------------------------------------------------
NewCreateProcessA PROC lpApplicationName, lpCommandLine,\
lpProcessAttributes, lpThreadAttributes,\
bInheritHandles, dwCreationFlags, \
lpEnvironment, lpCurrentDirectory,\
lpStartupInfo, lpProcessInformation
; Hook for CreateProcessA.
; Starts the child suspended, plants the hook DLL into it, then resumes
; it unless the caller itself asked for CREATE_SUSPENDED.
; Returns: the real CreateProcessA result in EAX; on failure FALSE is
;          passed straight back with the last-error left untouched.
; EBX is saved and restored around the post-creation work.
; NOTE(review): the EstablishApiHooksA result is never inspected -- if
; injection fails the child still runs, just unhooked and unreported.
MOV EAX, CREATE_SUSPENDED
OR EAX, dwCreationFlags         ; force a suspended start, keep all other flags
iWin32 CreateProcessA, lpApplicationName, lpCommandLine,\
lpProcessAttributes, lpThreadAttributes,\
bInheritHandles, EAX,\
lpEnvironment, lpCurrentDirectory,\
lpStartupInfo, lpProcessInformation
TEST EAX, EAX
JE @Done                        ; creation failed: nothing to hook
PUSHp EAX, EBX                  ; keep the API result and callee-saved EBX
MOV EBX, lpProcessInformation
ASSUME EBX: PTR PROCESS_INFORMATION
iWin32 EstablishApiHooksA, sHookDll, [EBX].dwProcessId
; Resume only when the caller did not request a suspended child itself.
MOV EAX, dwCreationFlags
AND EAX, CREATE_SUSPENDED
JNE @KeepSuspended
iWin32 ResumeThread, [EBX].hThread
@KeepSuspended:
ASSUME EBX: NOTHING
POPc EAX, EBX
@Done:
RET
NewCreateProcessA ENDP
;------------------------------------------------------------------
NewCreateProcessW PROC lpApplicationName, lpCommandLine,\
lpProcessAttributes, lpThreadAttributes,\
bInheritHandles, dwCreationFlags, \
lpEnvironment, lpCurrentDirectory,\
lpStartupInfo, lpProcessInformation
; Hook for CreateProcessW (wide twin of NewCreateProcessA).
; Starts the child suspended, plants the hook DLL into it, then resumes
; it unless the caller itself asked for CREATE_SUSPENDED.
; Returns: the real CreateProcessW result in EAX; on failure FALSE is
;          passed straight back with the last-error left untouched.
; EBX is saved and restored around the post-creation work.
; NOTE(review): the EstablishApiHooksA result is never inspected -- if
; injection fails the child still runs, just unhooked and unreported.
MOV EAX, CREATE_SUSPENDED
OR EAX, dwCreationFlags         ; force a suspended start, keep all other flags
iWin32 CreateProcessW, lpApplicationName, lpCommandLine,\
lpProcessAttributes, lpThreadAttributes,\
bInheritHandles, EAX,\
lpEnvironment, lpCurrentDirectory,\
lpStartupInfo, lpProcessInformation
TEST EAX, EAX
JE @Done                        ; creation failed: nothing to hook
PUSHp EAX, EBX                  ; keep the API result and callee-saved EBX
MOV EBX, lpProcessInformation
ASSUME EBX: PTR PROCESS_INFORMATION
iWin32 EstablishApiHooksA, sHookDll, [EBX].dwProcessId
; Resume only when the caller did not request a suspended child itself.
MOV EAX, dwCreationFlags
AND EAX, CREATE_SUSPENDED
JNE @KeepSuspended
iWin32 ResumeThread, [EBX].hThread
@KeepSuspended:
ASSUME EBX: NOTHING
POPc EAX, EBX
@Done:
RET
NewCreateProcessW ENDP
;------------------------------------------------------------------
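NewLoadModule PROC lpModuleName, lpParameterBlock
; Hook for LoadModule: re-expresses the call as CreateProcessA with
; CREATE_SUSPENDED, injects the hook DLL, then resumes the child.
; Falls through to the real LoadModule (tail-jump after LEAVE) when the
; parameter block is not in the expected shape or CreateProcessA fails.
; Returns: 32 on success (LoadModule reports success with a value > 31;
;          the real instance handle is not reproduced).
; Fix: STARTF_USESHOWWINDOW is now set -- CreateProcess ignores
; wShowWindow without it, so the caller's show state used to be dropped.
; NOTE(review): stinfo/prinfo are shared statics; concurrent callers
; race on them (see .DATA).
MOV EAX, lpParameterBlock
ASSUME EAX: PTR LOADPARMS32
MOV ECX, [EAX].lpCmdShow
MOV EDX, [EAX].lpCmdLine
; lpCmdShow -> two WORDs: the first must be 2, the second is the show
; command. Anything else is handed to the original API untouched.
CMP WORD PTR [ECX], 2
JNE @Fail
MOV CX, [ECX+2]
MOV stinfo.wShowWindow, CX
MOV stinfo.dwFlags, STARTF_USESHOWWINDOW
; lpCmdLine is length-prefixed: an empty one becomes a NULL command
; line, otherwise skip the length byte.
XOR ECX, ECX
CMP BYTE PTR [EDX], 0
JE @F
LEA ECX, [EDX+1]
@@:
iWin32 CreateProcessA, lpModuleName, ECX, \
NULL, NULL, FALSE, CREATE_SUSPENDED,\
[EAX].lpEnvAddress, NULL,\
OFFSET stinfo, OFFSET prinfo
ASSUME EAX: NOTHING
TEST EAX, EAX
JNE @F
@Fail:
LEAVE                           ; tear down our frame, original sees the caller's args
iWin32j LoadModule
@@:
iWin32 EstablishApiHooksA, sHookDll, prinfo.dwProcessId
iWin32 CloseHandle, prinfo.hProcess
iWin32 ResumeThread, prinfo.hThread
iWin32 CloseHandle, prinfo.hThread
MOV EAX, 32
RET
NewLoadModule ENDP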
;------------------------------------------------------------------
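NewWinExec PROC lpszCmdLine, fuCmdShow
; Hook for WinExec: runs the command through CreateProcessA with
; CREATE_SUSPENDED, injects the hook DLL, then resumes the child.
; Falls through to the real WinExec (tail-jump after LEAVE) if
; CreateProcessA fails.
; Returns: 32 on success (WinExec reports success with a value > 31).
; Fix: STARTF_USESHOWWINDOW is now set -- CreateProcess ignores
; wShowWindow without it, so e.g. SW_HIDE was silently lost before.
; NOTE(review): stinfo/prinfo are shared statics; concurrent callers
; race on them (see .DATA).
MOV EAX, fuCmdShow
MOV stinfo.wShowWindow, AX
MOV stinfo.dwFlags, STARTF_USESHOWWINDOW
iWin32 CreateProcessA, NULL, lpszCmdLine, \
NULL, NULL, FALSE, CREATE_SUSPENDED,\
NULL, NULL,\
OFFSET stinfo, OFFSET prinfo
TEST EAX, EAX
JNE @F
LEAVE                           ; tear down our frame, original sees the caller's args
iWin32j WinExec
@@:
iWin32 EstablishApiHooksA, sHookDll, prinfo.dwProcessId
iWin32 CloseHandle, prinfo.hProcess
iWin32 ResumeThread, prinfo.hThread
iWin32 CloseHandle, prinfo.hThread
MOV EAX, 32
RET
NewWinExec ENDP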
;------------------------------------------------------------------
;Executive part-----------
;------------------------------------------------------------------
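NewMessageBoxA PROC hWnd, lpText, lpCaption, uType
; Demo payload hook for MessageBoxA: if the message text ends with the
; marker "I am free:" it is overwritten in place with the same-length
; "*CAPTURED*" before the call is forwarded to the real MessageBoxA.
; ESI/EDI are preserved; EAX/ECX/EDX are scratch.
; Fixes over the previous version:
;  - NULL lpText no longer faults (lstrlen returns 0, then [0] was read);
;  - texts shorter than the marker no longer make the backwards compare
;    read before the start of the buffer;
;  - the VirtualProtect result is checked, so a read-only text that
;    could not be unprotected is left alone instead of faulting on write;
;  - the unprotected range covers the terminating NUL, which the copy
;    overwrites.
PUSHp ESI, EDI
MOV EDI, lpText
TEST EDI, EDI
JE @Pass                        ; NULL text: nothing to inspect
iWin32 lstrlen, EDI
INC EAX                         ; EAX = length including the NUL
CMP EAX, LFree
JB @Pass                        ; too short to hold the marker
; Make the text writable (it is often a read-only literal).
PUSHp EAX, EAX                  ; top slot receives lpflOldProtect
iWin32 VirtualProtect, EDI, EAX, PAGE_READWRITE, ESP
MOV ECX, EAX                    ; VirtualProtect result
POPc EAX, EDX                   ; EAX = len+1, EDX = old protection
TEST ECX, ECX
JE @Pass                        ; could not unprotect: forward untouched
LEA EDI, [EDI+EAX-1]            ; EDI -> terminating NUL of the text
MOV ESI, (sFree + LFree-1)      ; ESI -> last byte of the marker
STD
MOV ECX, LFree
REPE CMPSB                      ; compare the suffix backwards
CLD
JNE @Restore                    ; marker not present
MOV ESI, sCaptured
INC EDI                         ; back onto the first marker byte
MOV ECX, LCaptured              ; same length as the marker, NUL included
REP MOVSB
@Restore:
PUSH EAX                        ; slot for lpflOldProtect
iWin32 VirtualProtect, lpText, EAX, EDX, ESP
POP EAX
@Pass:
POPc ESI, EDI
LEAVE                           ; tear down our frame, original sees the caller's args
iWin32j MessageBoxA
NewMessageBoxA ENDP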
;------------------------------------------------------------------
; Hook table exported as ApiHookChain (see /EXPORT in the build script
; after END). First MkHook argument is unused here; the second is the
; module. An empty module presumably defaults to KERNEL32 (the first
; four targets are KERNEL32 exports and sKERNEL32 is declared in .DATA)
; -- confirm against ApiHooks.inc.
BeginHooks ApiHookChain ;Exec
MkHook ,, CreateProcessA
MkHook ,, CreateProcessW
MkHook ,, LoadModule
MkHook ,, WinExec
MkHook ,USER32, MessageBoxA
EndHooks
;------------------------------------------------------------------
END
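:TRANSLATE
@ECHO OFF
rem This file is both the MASM source and its own build script: ML reads
rem everything up to END, while cmd.exe jumps here via the ;@GOTO line at
rem the top. Each step now aborts the script on failure, so a stale
rem Exec.obj is never linked into a fresh DLL after a failed assembly.
ML /c /coff /nologo Exec.bat || EXIT /B 1
rem LINK3 Exec /nologo /DLL /NOENTRY /EXPORT:Exec,@1,NONAME /SUBSYSTEM:WINDOWS /MERGE:.rdata=.text /MERGE:.idata=.text /IGNORE:4078 /BASE:0X77400000
LINK3 Exec /nologo /DLL /NOENTRY /EXPORT:ApiHookChain,@3 /SUBSYSTEM:WINDOWS /MERGE:.rdata=.text /MERGE:.idata=.text /IGNORE:4078 /BASE:0X77400000 || EXIT /B 1
rem Remove the intermediates; only Exec.dll is kept.
DEL Exec.obj Exec.exp Exec.lib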