onepc2009-10-13 15:29
老帖子了，写成汇编版本的，大家看下吧！~
ASMIDE:MASMPlus
EXE:

; --- EXE: injector ---
; 32-bit MASM, flat model, StdCall, MASM32-style includes.
; CTEXT(...) and m2m used below are presumably the MASM32 macros
; (inline string literal / memory-to-memory copy); they are not defined on
; this page.
.386
.Model Flat, StdCall
Option Casemap :None
Include Windows.Inc
Include User32.Inc
Include Kernel32.Inc
Include Advapi32.inc
IncludeLib User32.Lib
IncludeLib Kernel32.Lib
IncludeLib Advapi32.lib
.Data?
; PID of the target process: written by EnumProcess, read by RemoteInject.
dwProcessID dd ?
; Full path of the DLL to load into the target: current directory + szMyDll.
; MAX_PATH bytes; RemoteInject fills it with an unchecked lstrcat.
szMyDllFull db MAX_PATH dup(?)
.Const
szDllKernel db 'Kernel32.dll',0
szLoadLibrary db 'LoadLibraryA',0
; File name appended to the current directory (the "Dll:" listing on this page).
szMyDll db '\APIHook.DLL',0
.Code
;-----------------------------------------------------------------------
; BOOL EnumProcess(LPCSTR _lpProcName, DWORD *_dwPID)
; Walks a Toolhelp process snapshot and stores into *_dwPID the PID of
; the first process whose szExeFile equals _lpProcName (lstrcmp, i.e.
; case-sensitive exact match).
; Out:   eax = TRUE if found (PID written), FALSE otherwise
; NOTE(review): the match path returns before CloseHandle(@hSnapshot), so
;   every successful call leaks the snapshot handle; close it before the
;   early ret.
; NOTE(review): CreateToolhelp32Snapshot's result is not checked; on
;   failure Process32First is handed INVALID_HANDLE_VALUE.
; NOTE(review): only esi is used; edi/ebx in Uses are saved for nothing.
;-----------------------------------------------------------------------
EnumProcess Proc Uses esi edi ebx _lpProcName:DWORD,_dwPID:DWORD
Local @stProcess:PROCESSENTRY32
Local @hSnapshot
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov @hSnapshot,eax
; dwSize must be initialised before Process32First/Process32Next.
mov @stProcess.dwSize,sizeof @stProcess
invoke Process32First,@hSnapshot,addr @stProcess
.While eax                              ; eax = BOOL from Process32First/Next
invoke lstrcmp,addr @stProcess.szExeFile,_lpProcName
.if eax == 0                            ; names equal
mov esi,_dwPID
push @stProcess.th32ProcessID
pop DWORD ptr [esi]                     ; *_dwPID = th32ProcessID
mov eax,TRUE
ret                                     ; snapshot handle is not closed here (see NOTE)
.endif
invoke Process32Next,@hSnapshot,addr @stProcess
.EndW
invoke CloseHandle,@hSnapshot
xor eax,eax                             ; not found -> FALSE
ret
EnumProcess EndP
;-----------------------------------------------------------------------
; void EnableDebugPriv(void)
; Enables SeDebugPrivilege on the current process token so the later
; OpenProcess on winlogon.exe can succeed. The privilege must already be
; present in the token (an elevated/administrative caller); otherwise
; AdjustTokenPrivileges reports ERROR_NOT_ALL_ASSIGNED via GetLastError
; and the injection fails later at OpenProcess.
; Out:   eax = result of the final CloseHandle; callers ignore it.
; NOTE(review): none of OpenProcessToken, LookupPrivilegeValue or
;   AdjustTokenPrivileges is checked. If OpenProcessToken fails, @hToken
;   is uninitialised stack garbage and is still passed on. A TRUE from
;   AdjustTokenPrivileges does not mean the privilege was granted.
;-----------------------------------------------------------------------
EnableDebugPriv Proc
Local @tkp:TOKEN_PRIVILEGES
Local @sdnv:LUID
Local @hToken
invoke RtlZeroMemory,addr @tkp,sizeof TOKEN_PRIVILEGES
invoke RtlZeroMemory,addr @sdnv,sizeof LUID
invoke GetCurrentProcess
mov ecx,eax                             ; pseudo-handle of this process
invoke OpenProcessToken,ecx,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,addr @hToken
invoke LookupPrivilegeValue,0,CTEXT("SeDebugPrivilege"),addr @sdnv
; Single-entry TOKEN_PRIVILEGES: { 1, { luid, SE_PRIVILEGE_ENABLED } }.
mov @tkp.PrivilegeCount,1
m2m @tkp.Privileges.Luid.LowPart,@sdnv.LowPart   ; m2m: push/pop memory copy (MASM32 macro, presumably)
m2m @tkp.Privileges.Luid.HighPart,@sdnv.HighPart
mov @tkp.Privileges.Attributes,SE_PRIVILEGE_ENABLED
invoke AdjustTokenPrivileges,@hToken,FALSE,addr @tkp,sizeof @tkp,0,0
invoke CloseHandle,@hToken
ret
EnableDebugPriv EndP
;-----------------------------------------------------------------------
; void RemoteInject(DWORD _dwPID)
; Classic LoadLibrary injection: copies the DLL path into the target and
; starts a remote thread at kernel32!LoadLibraryA with that path as its
; argument. Every step is a standard detection point: OpenProcess with
; PROCESS_VM_WRITE|PROCESS_CREATE_THREAD on winlogon.exe, an RWX
; VirtualAllocEx in a foreign process, WriteProcessMemory, and a
; CreateRemoteThread whose start address lies inside kernel32.
; NOTE(review): the parameter _dwPID is never read; OpenProcess uses the
;   global dwProcessID. It only works because Start passes that same
;   global. Local @dwProcessID is likewise unused.
; NOTE(review): szMyDllFull is MAX_PATH bytes and the path is built with
;   an unchecked lstrcat, so a long current directory overruns the buffer;
;   GetCurrentDirectory's return value (required length) is ignored.
; NOTE(review): GetProcAddress is not checked; a NULL @lpLoadLibrary would
;   be used as the remote thread's start address. The code also assumes
;   LoadLibraryA has the same address in the target process as here.
; NOTE(review): CreateRemoteThread's result is closed unconditionally
;   (CloseHandle(NULL) on failure) and nothing waits on it, so the caller
;   never learns whether the DLL actually loaded.
;-----------------------------------------------------------------------
RemoteInject Proc _dwPID:DWORD
Local @dwProcessID                      ; unused
Local @hProcess
Local @lpLoadLibrary                    ; address of kernel32!LoadLibraryA
Local @lpDllName                        ; remote buffer holding the path
invoke GetCurrentDirectory,MAX_PATH,addr szMyDllFull
invoke lstrcat,addr szMyDllFull,addr szMyDll   ; szMyDllFull = cwd + '\APIHook.DLL' (no bounds check)
invoke GetModuleHandle,addr szDllKernel
invoke GetProcAddress,eax,offset szLoadLibrary
mov @lpLoadLibrary,eax
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or PROCESS_VM_WRITE,FALSE,dwProcessID   ; global, not _dwPID
.if eax
mov @hProcess,eax
; RWX page for what is only a string; the whole MAX_PATH buffer is copied.
invoke VirtualAllocEx,@hProcess,NULL,MAX_PATH,MEM_COMMIT,PAGE_EXECUTE_READWRITE
.if eax
mov @lpDllName,eax
invoke WriteProcessMemory,@hProcess,eax,offset szMyDllFull,MAX_PATH,NULL
; Remote thread = LoadLibraryA(@lpDllName) inside the target; this is what
; runs the DLL's DLLEntry in winlogon.exe.
invoke CreateRemoteThread,@hProcess,NULL,0,@lpLoadLibrary,@lpDllName,0,NULL
invoke CloseHandle,eax                  ; thread handle, or NULL on failure
.endif
invoke CloseHandle,@hProcess
.else
; "cannot open process" (Chinese). Typical causes: caller not elevated /
; SeDebugPrivilege not granted, or dwProcessID still 0 because
; EnumProcess found no match.
invoke MessageBox,NULL,CTEXT("无法打开进程"),NULL,MB_OK or MB_ICONWARNING
.endif
ret
RemoteInject EndP
;-----------------------------------------------------------------------
; Entry point: enable SeDebugPrivilege, find winlogon.exe, inject.
; NOTE(review): EnumProcess's BOOL is ignored; if winlogon.exe is not
;   found, dwProcessID stays 0 and RemoteInject calls OpenProcess(0),
;   which fails and shows the warning box.
; NOTE(review): the entry point returns with ret rather than calling
;   ExitProcess, so the process exit code is whatever the loader makes of
;   eax (CloseHandle/MessageBox result) — confirm.
;-----------------------------------------------------------------------
Start Proc
invoke EnableDebugPriv
invoke EnumProcess,CTEXT("winlogon.exe"),offset dwProcessID
invoke RemoteInject,dwProcessID
ret
Start EndP
End Start
; --- EXE: injector (duplicate rendering of the listing above; `.386` missing here) ---
; 32-bit MASM, flat model, StdCall, MASM32-style includes.
; CTEXT(...) and m2m used below are presumably the MASM32 macros
; (inline string literal / memory-to-memory copy); they are not defined on
; this page.
.Model Flat, StdCall
Option Casemap :None
Include Windows.Inc
Include User32.Inc
Include Kernel32.Inc
Include Advapi32.inc
IncludeLib User32.Lib
IncludeLib Kernel32.Lib
IncludeLib Advapi32.lib
.Data?
; PID of the target process: written by EnumProcess, read by RemoteInject.
dwProcessID dd ?
; Full path of the DLL to load into the target: current directory + szMyDll.
; MAX_PATH bytes; RemoteInject fills it with an unchecked lstrcat.
szMyDllFull db MAX_PATH dup(?)
.Const
szDllKernel db 'Kernel32.dll',0
szLoadLibrary db 'LoadLibraryA',0
; File name appended to the current directory (the "Dll:" listing on this page).
szMyDll db '\APIHook.DLL',0
.Code
;-----------------------------------------------------------------------
; BOOL EnumProcess(LPCSTR _lpProcName, DWORD *_dwPID)
; Walks a Toolhelp process snapshot and stores into *_dwPID the PID of
; the first process whose szExeFile equals _lpProcName (lstrcmp, i.e.
; case-sensitive exact match).
; Out:   eax = TRUE if found (PID written), FALSE otherwise
; NOTE(review): the match path returns before CloseHandle(@hSnapshot), so
;   every successful call leaks the snapshot handle; close it before the
;   early ret.
; NOTE(review): CreateToolhelp32Snapshot's result is not checked; on
;   failure Process32First is handed INVALID_HANDLE_VALUE.
; NOTE(review): only esi is used; edi/ebx in Uses are saved for nothing.
;-----------------------------------------------------------------------
EnumProcess Proc Uses esi edi ebx _lpProcName:DWORD,_dwPID:DWORD
Local @stProcess:PROCESSENTRY32
Local @hSnapshot
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov @hSnapshot,eax
; dwSize must be initialised before Process32First/Process32Next.
mov @stProcess.dwSize,sizeof @stProcess
invoke Process32First,@hSnapshot,addr @stProcess
.While eax                              ; eax = BOOL from Process32First/Next
invoke lstrcmp,addr @stProcess.szExeFile,_lpProcName
.if eax == 0                            ; names equal
mov esi,_dwPID
push @stProcess.th32ProcessID
pop DWORD ptr [esi]                     ; *_dwPID = th32ProcessID
mov eax,TRUE
ret                                     ; snapshot handle is not closed here (see NOTE)
.endif
invoke Process32Next,@hSnapshot,addr @stProcess
.EndW
invoke CloseHandle,@hSnapshot
xor eax,eax                             ; not found -> FALSE
ret
EnumProcess EndP
;-----------------------------------------------------------------------
; void EnableDebugPriv(void)
; Enables SeDebugPrivilege on the current process token so the later
; OpenProcess on winlogon.exe can succeed. The privilege must already be
; present in the token (an elevated/administrative caller); otherwise
; AdjustTokenPrivileges reports ERROR_NOT_ALL_ASSIGNED via GetLastError
; and the injection fails later at OpenProcess.
; Out:   eax = result of the final CloseHandle; callers ignore it.
; NOTE(review): none of OpenProcessToken, LookupPrivilegeValue or
;   AdjustTokenPrivileges is checked. If OpenProcessToken fails, @hToken
;   is uninitialised stack garbage and is still passed on. A TRUE from
;   AdjustTokenPrivileges does not mean the privilege was granted.
;-----------------------------------------------------------------------
EnableDebugPriv Proc
Local @tkp:TOKEN_PRIVILEGES
Local @sdnv:LUID
Local @hToken
invoke RtlZeroMemory,addr @tkp,sizeof TOKEN_PRIVILEGES
invoke RtlZeroMemory,addr @sdnv,sizeof LUID
invoke GetCurrentProcess
mov ecx,eax                             ; pseudo-handle of this process
invoke OpenProcessToken,ecx,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,addr @hToken
invoke LookupPrivilegeValue,0,CTEXT("SeDebugPrivilege"),addr @sdnv
; Single-entry TOKEN_PRIVILEGES: { 1, { luid, SE_PRIVILEGE_ENABLED } }.
mov @tkp.PrivilegeCount,1
m2m @tkp.Privileges.Luid.LowPart,@sdnv.LowPart   ; m2m: push/pop memory copy (MASM32 macro, presumably)
m2m @tkp.Privileges.Luid.HighPart,@sdnv.HighPart
mov @tkp.Privileges.Attributes,SE_PRIVILEGE_ENABLED
invoke AdjustTokenPrivileges,@hToken,FALSE,addr @tkp,sizeof @tkp,0,0
invoke CloseHandle,@hToken
ret
EnableDebugPriv EndP
;-----------------------------------------------------------------------
; void RemoteInject(DWORD _dwPID)
; Classic LoadLibrary injection: copies the DLL path into the target and
; starts a remote thread at kernel32!LoadLibraryA with that path as its
; argument. Every step is a standard detection point: OpenProcess with
; PROCESS_VM_WRITE|PROCESS_CREATE_THREAD on winlogon.exe, an RWX
; VirtualAllocEx in a foreign process, WriteProcessMemory, and a
; CreateRemoteThread whose start address lies inside kernel32.
; NOTE(review): the parameter _dwPID is never read; OpenProcess uses the
;   global dwProcessID. It only works because Start passes that same
;   global. Local @dwProcessID is likewise unused.
; NOTE(review): szMyDllFull is MAX_PATH bytes and the path is built with
;   an unchecked lstrcat, so a long current directory overruns the buffer;
;   GetCurrentDirectory's return value (required length) is ignored.
; NOTE(review): GetProcAddress is not checked; a NULL @lpLoadLibrary would
;   be used as the remote thread's start address. The code also assumes
;   LoadLibraryA has the same address in the target process as here.
; NOTE(review): CreateRemoteThread's result is closed unconditionally
;   (CloseHandle(NULL) on failure) and nothing waits on it, so the caller
;   never learns whether the DLL actually loaded.
;-----------------------------------------------------------------------
RemoteInject Proc _dwPID:DWORD
Local @dwProcessID                      ; unused
Local @hProcess
Local @lpLoadLibrary                    ; address of kernel32!LoadLibraryA
Local @lpDllName                        ; remote buffer holding the path
invoke GetCurrentDirectory,MAX_PATH,addr szMyDllFull
invoke lstrcat,addr szMyDllFull,addr szMyDll   ; szMyDllFull = cwd + '\APIHook.DLL' (no bounds check)
invoke GetModuleHandle,addr szDllKernel
invoke GetProcAddress,eax,offset szLoadLibrary
mov @lpLoadLibrary,eax
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or PROCESS_VM_WRITE,FALSE,dwProcessID   ; global, not _dwPID
.if eax
mov @hProcess,eax
; RWX page for what is only a string; the whole MAX_PATH buffer is copied.
invoke VirtualAllocEx,@hProcess,NULL,MAX_PATH,MEM_COMMIT,PAGE_EXECUTE_READWRITE
.if eax
mov @lpDllName,eax
invoke WriteProcessMemory,@hProcess,eax,offset szMyDllFull,MAX_PATH,NULL
; Remote thread = LoadLibraryA(@lpDllName) inside the target; this is what
; runs the DLL's DLLEntry in winlogon.exe.
invoke CreateRemoteThread,@hProcess,NULL,0,@lpLoadLibrary,@lpDllName,0,NULL
invoke CloseHandle,eax                  ; thread handle, or NULL on failure
.endif
invoke CloseHandle,@hProcess
.else
; "cannot open process" (Chinese). Typical causes: caller not elevated /
; SeDebugPrivilege not granted, or dwProcessID still 0 because
; EnumProcess found no match.
invoke MessageBox,NULL,CTEXT("无法打开进程"),NULL,MB_OK or MB_ICONWARNING
.endif
ret
RemoteInject EndP
;-----------------------------------------------------------------------
; Entry point: enable SeDebugPrivilege, find winlogon.exe, inject.
; NOTE(review): EnumProcess's BOOL is ignored; if winlogon.exe is not
;   found, dwProcessID stays 0 and RemoteInject calls OpenProcess(0),
;   which fails and shows the warning box.
; NOTE(review): the entry point returns with ret rather than calling
;   ExitProcess, so the process exit code is whatever the loader makes of
;   eax (CloseHandle/MessageBox result) — confirm.
;-----------------------------------------------------------------------
Start Proc
invoke EnableDebugPriv
invoke EnumProcess,CTEXT("winlogon.exe"),offset dwProcessID
invoke RemoteInject,dwProcessID
ret
Start EndP
End Start
Dll:

; --- DLL: APIHook.DLL, loaded into winlogon.exe by the injector above ---
; Installs a system-wide WH_KEYBOARD_LL hook and subclasses winlogon's
; "SAS window" so that Win-key presses and WM_HOTKEY are swallowed. Since
; this runs inside winlogon, any fault here takes the logon process (and
; with it the session) down.
.386
.Model Flat,StdCall
Option CaseMap :None
Include Windows.inc
Include User32.inc
Include Kernel32.inc
Include Shlwapi.inc                     ; StrStr
IncludeLib User32.lib
IncludeLib Kernel32.lib
IncludeLib Shlwapi.lib
; Layout of the KBDLLHOOKSTRUCT that a WH_KEYBOARD_LL hook receives in
; lParam. Declared locally with the first field spelled vKcode (SDK name:
; vkCode) — presumably because the include set used lacks it; confirm
; Windows.inc does not already define the name, which would be a
; redefinition error.
KBDLLHOOKSTRUCT STRUCT
vKcode DWORD ?                          ; virtual-key code (VK_*)
scanCode DWORD ?
flags DWORD ?                           ; LLKHF_* flags
time DWORD ?
dwExtraInfo DWORD ?
KBDLLHOOKSTRUCT ENDS
.Data?
hHook dd ?                              ; WH_KEYBOARD_LL hook handle (set in ThreadProc)
dwThread dd ?                           ; id of the worker thread created in DLLEntry
hThread dd ?                            ; its handle
hDesktop dd ?                           ; desktop handle; reused for "Winlogon" then "Default"
hInstDll dd ?                           ; this module, passed to SetWindowsHookEx
hSasWnd dd ?                            ; "SAS window" found by EnumWindowsProc (0 if none)
lpOldProc dd ?                          ; original SAS window procedure, restored on detach
.Code
;-----------------------------------------------------------------------
; LRESULT KeyboardProc(int _dwCode, WPARAM _wParam, LPARAM _lParam)
; WH_KEYBOARD_LL callback. For HC_ACTION + WM_KEYDOWN of VK_LWIN/VK_RWIN
; it returns TRUE without calling CallNextHookEx, which discards the key
; for every application on the desktop; everything else is passed down
; the hook chain.
; NOTE(review): `assume edx:PTR KBDLLHOOKSTRUCT` is never cancelled with
;   `assume edx:nothing`, so the typed-register assumption stays in force
;   for the rest of the file.
;-----------------------------------------------------------------------
KeyboardProc Proc _dwCode:DWORD,_wParam:DWORD,_lParam:DWORD
.if _dwCode==HC_ACTION
.if (_wParam == WM_KEYDOWN)
mov edx,_lParam                         ; edx -> KBDLLHOOKSTRUCT
assume edx:PTR KBDLLHOOKSTRUCT
.if ([edx].vKcode == VK_LWIN) || ([edx].vKcode==VK_RWIN)
; intercept the left/right WIN keys
mov eax,TRUE                            ; non-zero return = swallow the keystroke
ret
.endif
.endif
.endif
invoke CallNextHookEx,hHook,_dwCode,_wParam,_lParam
ret
KeyboardProc EndP
;-----------------------------------------------------------------------
; BOOL EnumWindowsProc(HWND _hWnd, LPARAM _lParam)
; EnumDesktopWindows callback: the first window whose caption contains
; "SAS window" (substring, case-sensitive StrStr) is stored in hSasWnd and
; the enumeration is stopped.
; Out:   eax = TRUE to keep enumerating, FALSE once the window is found
; NOTE(review): GetWindowText's return value is ignored and @szBuff is an
;   uninitialised stack buffer; if the call fails without writing a
;   terminator, StrStr scans garbage — confirm GetWindowText always
;   NUL-terminates on failure.
;-----------------------------------------------------------------------
EnumWindowsProc Proc _hWnd:DWORD,_lParam:DWORD
Local @szBuff[128]:BYTE
invoke GetWindowText,_hWnd,addr @szBuff,sizeof @szBuff
invoke StrStr,addr @szBuff,CTEXT("SAS window")
.if eax                                 ; substring found
push _hWnd
pop hSasWnd                             ; hSasWnd = _hWnd
mov eax,FALSE                           ; stop enumeration
ret
.endif
mov eax,TRUE                            ; continue
ret
EnumWindowsProc EndP
;-----------------------------------------------------------------------
; LRESULT SASWindowProc(HWND _hWnd, UINT _uMsg, WPARAM _wParam, LPARAM _lParam)
; Subclass procedure installed on winlogon's SAS window by ThreadProc.
; WM_HOTKEY is answered with TRUE and never reaches the original
; procedure; every other message is forwarded to lpOldProc.
; Out:   eax = TRUE for WM_HOTKEY, else the original procedure's result
; NOTE(review): lpOldProc is whatever SetWindowLong returned; if that was
;   0 (failure), CallWindowProc is invoked with a NULL procedure.
;-----------------------------------------------------------------------
SASWindowProc Proc _hWnd:DWORD,_uMsg:DWORD,_wParam:DWORD,_lParam:DWORD
.if _uMsg == WM_HOTKEY
; intercept all hotkeys of the SAS window
mov eax,TRUE
ret
.endif
invoke CallWindowProc,lpOldProc,_hWnd,_uMsg,_wParam,_lParam
ret
SASWindowProc EndP
;-----------------------------------------------------------------------
; DWORD ThreadProc(LPVOID lParam)      (lParam unused)
; Worker thread started from DLLEntry: subclasses the SAS window on the
; "Winlogon" desktop, switches itself to the "Default" desktop, installs
; a global WH_KEYBOARD_LL hook and then pumps messages (a low-level hook
; is delivered through the installing thread's message loop).
; NOTE(review): there is no `ret` before EndP. When GetMessage returns 0
;   the .While exits and execution falls straight into DLLEntry, the next
;   procedure in the file.
; NOTE(review): the "Winlogon" desktop handle is overwritten by the
;   second OpenDesktop without being closed, and desktop handles are
;   released with CloseHandle rather than CloseDesktop.
; NOTE(review): return values of OpenDesktop, SetThreadDesktop and
;   SetWindowLong are not checked (a 0 from SetWindowLong leaves
;   lpOldProc = 0, see SASWindowProc); the handle just assigned by
;   SetThreadDesktop is closed immediately.
; NOTE(review): hInstDll is read here but DLLEntry stores it only after
;   CreateThread returns; see the note on DLLEntry.
; NOTE(review): GetMessage returns -1 on error, which is non-zero and
;   keeps the loop spinning.
;-----------------------------------------------------------------------
ThreadProc Proc lParam:DWORD
Local uMsg:MSG
; Locate and subclass the SAS window on the Winlogon desktop.
invoke OpenDesktop,CTEXT("Winlogon"),0,FALSE,MAXIMUM_ALLOWED
mov hDesktop,eax
invoke EnumDesktopWindows,hDesktop,offset EnumWindowsProc,NULL   ; sets hSasWnd
.if hSasWnd
invoke SetWindowLong,hSasWnd,GWL_WNDPROC,offset SASWindowProc
mov lpOldProc,eax                       ; previous window procedure (0 on failure)
.endif
; Switch this thread to the "Default" desktop, presumably so the hook
; receives interactive input.
invoke OpenDesktop,CTEXT("Default"),0,FALSE,MAXIMUM_ALLOWED
mov hDesktop,eax
invoke SetThreadDesktop,hDesktop
invoke CloseHandle,hDesktop             ; desktop handles are closed with CloseDesktop
; dwThreadId = NULL: hook applies to all threads on the desktop.
invoke SetWindowsHookEx,WH_KEYBOARD_LL,offset KeyboardProc,hInstDll,NULL
.if eax
mov hHook,eax
invoke OutputDebugString,CTEXT("Set Hook Success!")   ; visible to an attached debugger / DbgView
.endif
; Message pump; the low-level hook is dispatched through this loop.
.While TRUE
invoke GetMessage,addr uMsg,0,0,0
.Break .if !eax                         ; 0 = WM_QUIT
invoke TranslateMessage,addr uMsg
invoke DispatchMessage,addr uMsg
.EndW
; no ret: control falls through into DLLEntry once the loop ends (see NOTE)
ThreadProc EndP
;-----------------------------------------------------------------------
; BOOL DLLEntry(HINSTANCE _hInstance, DWORD _dwReason, LPVOID _dwReserved)
; DllMain. On DLL_PROCESS_ATTACH starts ThreadProc; on DLL_PROCESS_DETACH
; restores the SAS window procedure, removes the hook and kills the
; thread. Always returns TRUE.
; NOTE(review): hInstDll is stored after CreateThread, yet ThreadProc
;   passes it to SetWindowsHookEx. In practice the new thread is usually
;   held at the loader lock until DllMain returns, so the race is latent,
;   but the store should still precede CreateThread.
; NOTE(review): creating a thread inside DllMain is the documented
;   loader-lock hazard; the thread cannot start until DllMain returns, and
;   anything it does that loads DLLs can deadlock.
; NOTE(review): on detach, SetWindowLong is called even when hSasWnd is 0,
;   and TerminateThread abandons the thread's stack and any locks it holds.
;   `uses ebx esi` saves registers the body never touches.
;-----------------------------------------------------------------------
DLLEntry Proc uses ebx esi _hInstance:DWORD,_dwReason:DWORD,_dwReserved:DWORD
.if _dwReason == DLL_PROCESS_ATTACH
; Reached inside the target once the injected LoadLibraryA call maps this DLL.
invoke CreateThread,NULL,0,offset ThreadProc,NULL,0,offset dwThread
mov hThread,eax
.elseif _dwReason == DLL_PROCESS_DETACH
invoke SetWindowLong,hSasWnd,GWL_WNDPROC,lpOldProc   ; undo the subclassing
invoke UnhookWindowsHookEx,hHook
invoke TerminateThread,hThread,1
invoke CloseHandle,hThread
.endif
push _hInstance
pop hInstDll                            ; hInstDll = _hInstance (after CreateThread, see NOTE)
mov eax,TRUE
ret
DLLEntry EndP
End DLLEntry
; --- DLL: APIHook.DLL (duplicate rendering of the listing above; `.386` missing here) ---
; Installs a system-wide WH_KEYBOARD_LL hook and subclasses winlogon's
; "SAS window" so that Win-key presses and WM_HOTKEY are swallowed. Since
; this runs inside winlogon, any fault here takes the logon process (and
; with it the session) down.
.Model Flat,StdCall
Option CaseMap :None
Include Windows.inc
Include User32.inc
Include Kernel32.inc
Include Shlwapi.inc                     ; StrStr
IncludeLib User32.lib
IncludeLib Kernel32.lib
IncludeLib Shlwapi.lib
; Layout of the KBDLLHOOKSTRUCT that a WH_KEYBOARD_LL hook receives in
; lParam. Declared locally with the first field spelled vKcode (SDK name:
; vkCode) — presumably because the include set used lacks it; confirm
; Windows.inc does not already define the name, which would be a
; redefinition error.
KBDLLHOOKSTRUCT STRUCT
vKcode DWORD ?                          ; virtual-key code (VK_*)
scanCode DWORD ?
flags DWORD ?                           ; LLKHF_* flags
time DWORD ?
dwExtraInfo DWORD ?
KBDLLHOOKSTRUCT ENDS
.Data?
hHook dd ?                              ; WH_KEYBOARD_LL hook handle (set in ThreadProc)
dwThread dd ?                           ; id of the worker thread created in DLLEntry
hThread dd ?                            ; its handle
hDesktop dd ?                           ; desktop handle; reused for "Winlogon" then "Default"
hInstDll dd ?                           ; this module, passed to SetWindowsHookEx
hSasWnd dd ?                            ; "SAS window" found by EnumWindowsProc (0 if none)
lpOldProc dd ?                          ; original SAS window procedure, restored on detach
.Code
;-----------------------------------------------------------------------
; LRESULT KeyboardProc(int _dwCode, WPARAM _wParam, LPARAM _lParam)
; WH_KEYBOARD_LL callback. For HC_ACTION + WM_KEYDOWN of VK_LWIN/VK_RWIN
; it returns TRUE without calling CallNextHookEx, which discards the key
; for every application on the desktop; everything else is passed down
; the hook chain.
; NOTE(review): `assume edx:PTR KBDLLHOOKSTRUCT` is never cancelled with
;   `assume edx:nothing`, so the typed-register assumption stays in force
;   for the rest of the file.
;-----------------------------------------------------------------------
KeyboardProc Proc _dwCode:DWORD,_wParam:DWORD,_lParam:DWORD
.if _dwCode==HC_ACTION
.if (_wParam == WM_KEYDOWN)
mov edx,_lParam                         ; edx -> KBDLLHOOKSTRUCT
assume edx:PTR KBDLLHOOKSTRUCT
.if ([edx].vKcode == VK_LWIN) || ([edx].vKcode==VK_RWIN)
; intercept the left/right WIN keys
mov eax,TRUE                            ; non-zero return = swallow the keystroke
ret
.endif
.endif
.endif
invoke CallNextHookEx,hHook,_dwCode,_wParam,_lParam
ret
KeyboardProc EndP
;-----------------------------------------------------------------------
; BOOL EnumWindowsProc(HWND _hWnd, LPARAM _lParam)
; EnumDesktopWindows callback: the first window whose caption contains
; "SAS window" (substring, case-sensitive StrStr) is stored in hSasWnd and
; the enumeration is stopped.
; Out:   eax = TRUE to keep enumerating, FALSE once the window is found
; NOTE(review): GetWindowText's return value is ignored and @szBuff is an
;   uninitialised stack buffer; if the call fails without writing a
;   terminator, StrStr scans garbage — confirm GetWindowText always
;   NUL-terminates on failure.
;-----------------------------------------------------------------------
EnumWindowsProc Proc _hWnd:DWORD,_lParam:DWORD
Local @szBuff[128]:BYTE
invoke GetWindowText,_hWnd,addr @szBuff,sizeof @szBuff
invoke StrStr,addr @szBuff,CTEXT("SAS window")
.if eax                                 ; substring found
push _hWnd
pop hSasWnd                             ; hSasWnd = _hWnd
mov eax,FALSE                           ; stop enumeration
ret
.endif
mov eax,TRUE                            ; continue
ret
EnumWindowsProc EndP
;-----------------------------------------------------------------------
; LRESULT SASWindowProc(HWND _hWnd, UINT _uMsg, WPARAM _wParam, LPARAM _lParam)
; Subclass procedure installed on winlogon's SAS window by ThreadProc.
; WM_HOTKEY is answered with TRUE and never reaches the original
; procedure; every other message is forwarded to lpOldProc.
; Out:   eax = TRUE for WM_HOTKEY, else the original procedure's result
; NOTE(review): lpOldProc is whatever SetWindowLong returned; if that was
;   0 (failure), CallWindowProc is invoked with a NULL procedure.
;-----------------------------------------------------------------------
SASWindowProc Proc _hWnd:DWORD,_uMsg:DWORD,_wParam:DWORD,_lParam:DWORD
.if _uMsg == WM_HOTKEY
; intercept all hotkeys of the SAS window
mov eax,TRUE
ret
.endif
invoke CallWindowProc,lpOldProc,_hWnd,_uMsg,_wParam,_lParam
ret
SASWindowProc EndP
;-----------------------------------------------------------------------
; DWORD ThreadProc(LPVOID lParam)      (lParam unused)
; Worker thread started from DLLEntry: subclasses the SAS window on the
; "Winlogon" desktop, switches itself to the "Default" desktop, installs
; a global WH_KEYBOARD_LL hook and then pumps messages (a low-level hook
; is delivered through the installing thread's message loop).
; NOTE(review): there is no `ret` before EndP. When GetMessage returns 0
;   the .While exits and execution falls straight into DLLEntry, the next
;   procedure in the file.
; NOTE(review): the "Winlogon" desktop handle is overwritten by the
;   second OpenDesktop without being closed, and desktop handles are
;   released with CloseHandle rather than CloseDesktop.
; NOTE(review): return values of OpenDesktop, SetThreadDesktop and
;   SetWindowLong are not checked (a 0 from SetWindowLong leaves
;   lpOldProc = 0, see SASWindowProc); the handle just assigned by
;   SetThreadDesktop is closed immediately.
; NOTE(review): hInstDll is read here but DLLEntry stores it only after
;   CreateThread returns; see the note on DLLEntry.
; NOTE(review): GetMessage returns -1 on error, which is non-zero and
;   keeps the loop spinning.
;-----------------------------------------------------------------------
ThreadProc Proc lParam:DWORD
Local uMsg:MSG
; Locate and subclass the SAS window on the Winlogon desktop.
invoke OpenDesktop,CTEXT("Winlogon"),0,FALSE,MAXIMUM_ALLOWED
mov hDesktop,eax
invoke EnumDesktopWindows,hDesktop,offset EnumWindowsProc,NULL   ; sets hSasWnd
.if hSasWnd
invoke SetWindowLong,hSasWnd,GWL_WNDPROC,offset SASWindowProc
mov lpOldProc,eax                       ; previous window procedure (0 on failure)
.endif
; Switch this thread to the "Default" desktop, presumably so the hook
; receives interactive input.
invoke OpenDesktop,CTEXT("Default"),0,FALSE,MAXIMUM_ALLOWED
mov hDesktop,eax
invoke SetThreadDesktop,hDesktop
invoke CloseHandle,hDesktop             ; desktop handles are closed with CloseDesktop
; dwThreadId = NULL: hook applies to all threads on the desktop.
invoke SetWindowsHookEx,WH_KEYBOARD_LL,offset KeyboardProc,hInstDll,NULL
.if eax
mov hHook,eax
invoke OutputDebugString,CTEXT("Set Hook Success!")   ; visible to an attached debugger / DbgView
.endif
; Message pump; the low-level hook is dispatched through this loop.
.While TRUE
invoke GetMessage,addr uMsg,0,0,0
.Break .if !eax                         ; 0 = WM_QUIT
invoke TranslateMessage,addr uMsg
invoke DispatchMessage,addr uMsg
.EndW
; no ret: control falls through into DLLEntry once the loop ends (see NOTE)
ThreadProc EndP
;-----------------------------------------------------------------------
; BOOL DLLEntry(HINSTANCE _hInstance, DWORD _dwReason, LPVOID _dwReserved)
; DllMain. On DLL_PROCESS_ATTACH starts ThreadProc; on DLL_PROCESS_DETACH
; restores the SAS window procedure, removes the hook and kills the
; thread. Always returns TRUE.
; NOTE(review): hInstDll is stored after CreateThread, yet ThreadProc
;   passes it to SetWindowsHookEx. In practice the new thread is usually
;   held at the loader lock until DllMain returns, so the race is latent,
;   but the store should still precede CreateThread.
; NOTE(review): creating a thread inside DllMain is the documented
;   loader-lock hazard; the thread cannot start until DllMain returns, and
;   anything it does that loads DLLs can deadlock.
; NOTE(review): on detach, SetWindowLong is called even when hSasWnd is 0,
;   and TerminateThread abandons the thread's stack and any locks it holds.
;   `uses ebx esi` saves registers the body never touches.
;-----------------------------------------------------------------------
DLLEntry Proc uses ebx esi _hInstance:DWORD,_dwReason:DWORD,_dwReserved:DWORD
.if _dwReason == DLL_PROCESS_ATTACH
; Reached inside the target once the injected LoadLibraryA call maps this DLL.
invoke CreateThread,NULL,0,offset ThreadProc,NULL,0,offset dwThread
mov hThread,eax
.elseif _dwReason == DLL_PROCESS_DETACH
invoke SetWindowLong,hSasWnd,GWL_WNDPROC,lpOldProc   ; undo the subclassing
invoke UnhookWindowsHookEx,hHook
invoke TerminateThread,hThread,1
invoke CloseHandle,hThread
.endif
push _hInstance
pop hInstDll                            ; hInstDll = _hInstance (after CreateThread, see NOTE)
mov eax,TRUE
ret
DLLEntry EndP
End DLLEntry
DEF:
EXPORTS
[ 本帖最后由 sll0807 于 2009-10-13 14:45 编辑 ]