
【源代码】进程隐藏 —— 实际上是一段远程线程注入示例：把一段代码写入 "Program Manager" 窗口所属进程，在其中创建线程并弹出 MessageBox；帖中代码本身并未实现任何“隐藏”进程的逻辑


.386
.model flat, stdcall
option casemap:none

include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib


.data
     ; Names of the three kernel32 exports the injector resolves in its own
     ; process (see start:) and then copies into the first three dwords of the
     ; remote blob (the _lpLoadLibrary/_lpGetProcAddress/_lpGetModuleHandle slots).
     szLoadLibrary db 'LoadLibraryA',0
     szGetProcAddress db 'GetProcAddress',0
     szGetModuleHandle db 'GetModuleHandleA',0
     
     ; Window title used to locate the target: FindWindow -> GetWindowThreadProcessId.
     szProcessWndName db 'Program Manager',0
      
     ; Module whose handle is passed to the local GetProcAddress calls.
     szKernel db 'Kernel32.dll',0
     
.data?
     dwProcessID dd ?        ; PID of the target, filled by GetWindowThreadProcessId
     hProcess dd ?           ; handle returned by OpenProcess
     ; These three are written into the remote blob as ONE 12-byte run
     ; (sizeof dword * 3 from offset lpLoadLibrary), so they must stay
     ; adjacent and in this order.
     lpLoadLibrary dd ? 
     lpGetProcAddress dd ?
     lpGetModuleHandle dd ?
     hModule dd ?            ; kernel32 module handle in the injector's own process
     lpRemoteCode dd ?       ; base of the blob inside the target (from VirtualAllocEx)
   
     
.code
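;-----------------------------------------------------------------------
; Everything between REMOTE_CODE_START and REMOTE_CODE_END is copied into
; the target process by start: with a single WriteProcessMemory of
; REMOTE_CODE_LENGTH bytes, so this region must be self-contained and
; position independent:
;   * no references to .data/.data? labels — only to labels inside the
;     blob, always through the ebx delta computed at the top of
;     _RemoteThread (the original referenced szLoadLibrary /
;     szGetProcAddress from .data, which are not copied);
;   * every proc the thread calls must itself be inside the blob, because
;     `invoke` emits rel32 calls (the original left _GetKernelBase and
;     _GetAPIByName outside REMOTE_CODE_START, so those calls landed in
;     unmapped memory of the target);
;   * the injector overwrites the first three dwords with its own resolved
;     LoadLibraryA / GetProcAddress / GetModuleHandleA pointers, so those
;     slots must stay first and in that order.
;-----------------------------------------------------------------------
REMOTE_CODE_START equ this byte

_lpLoadLibrary      dd ?        ; slot 0: pre-filled by the injector, refreshed by _RemoteThread
_lpGetProcAddress   dd ?        ; slot 1: idem
_lpGetModuleHandle  dd ?        ; slot 2: pre-filled by the injector; not used by the thread
_lpMessageBox       dd ?        ; MessageBoxA, resolved from the target's user32
_hRemoteKernel32    dd ?        ; kernel32 base found by _GetKernelBase
_hRemoteUser32      dd ?        ; user32 base returned by LoadLibraryA
_szLoadLibrary      db 'LoadLibraryA',0
_szGetProcAddress   db 'GetProcAddress',0
_szMessageBox       db 'MessageBoxA',0
_szUserDLL          db 'User32.dll',0
_szMsgCaption       db '远程成功',0
_szMsgText          db '请打开Windows任务管理器,看看!',0

KERNEL_SCAN_FLOOR   equ 070000000h  ; _GetKernelBase gives up below this address
E_LFANEW_LIMIT      equ 1000h - 4   ; e_lfanew must be below this so the PE-signature
                                    ; read stays on the 64 KB-aligned page that held 'MZ'

;-----------------------------------------------------------------------
; _GetKernelBase(_dwKernelRet) -> eax = image base, or 0 if none found
;
; Given an address inside a mapped PE image (here: the remote thread's
; return address into the thread-start thunk), walks downwards in 64 KB
; steps until it finds an 'MZ' header whose e_lfanew points at a
; 'PE\0\0' signature. Returns 0 once the walk drops below
; KERNEL_SCAN_FLOOR (the original left the result uninitialised in that
; case). Preserves every register except eax.
;
; NOTE(review): this finds kernel32 only if _dwKernelRet really is inside
; kernel32, i.e. if the thunk that calls the remote thread lives there on
; the target OS. If it lives elsewhere, the walk can fault on an unmapped
; page or return another module's base — confirm on the target.
;-----------------------------------------------------------------------
_GetKernelBase proc _dwKernelRet
LOCAL @dwRet
    pushad
    mov @dwRet, 0                            ; default: not found

    mov edi, _dwKernelRet
    and edi, 0ffff0000h                      ; image bases are 64 KB aligned
    assume edi: ptr IMAGE_DOS_HEADER
    .while TRUE
        .if [edi].e_magic == IMAGE_DOS_SIGNATURE
            mov eax, [edi].e_lfanew
            ; an 'MZ' that merely occurs in data can carry any e_lfanew;
            ; only follow it while the signature read stays on this page
            .if eax < E_LFANEW_LIMIT
                add eax, edi
                .if dword ptr [eax] == IMAGE_NT_SIGNATURE
                    mov @dwRet, edi
                    .break
                .endif
            .endif
        .endif
        sub edi, 10000h
        .break .if edi < KERNEL_SCAN_FLOOR
    .endw
    assume edi: nothing

    popad
    mov eax, @dwRet
    ret
_GetKernelBase endp

;-----------------------------------------------------------------------
; _GetAPIByName(_dwKernelBase, _lpszAPI) -> eax = address of the export,
;                                           or 0 if it is not found
;
; Minimal GetProcAddress over the image's export directory: linear scan
; of AddressOfNames, comparing _lpszAPI including its terminating NUL
; (so "GetProcAddress" cannot match a longer name with the same prefix),
; then AddressOfNameOrdinals[i] -> AddressOfFunctions[ordinal] + base.
; Returns 0 when the name is absent (the original walked past the end of
; the table and returned garbage) and when the export is forwarded (the
; resolved address lies inside the export directory, where it is a
; "DLL.Name" string rather than code). Preserves every register except eax.
;-----------------------------------------------------------------------
_GetAPIByName proc _dwKernelBase, _lpszAPI
LOCAL @dwRet, @dwAPILength, @lpExportDir, @lpExportEnd
    pushad
    mov @dwRet, 0                            ; default: not found

    ; @dwAPILength = strlen(_lpszAPI) + 1 (repnz scasb stops one past the NUL)
    mov edi, _lpszAPI
    mov ecx, -1
    xor eax, eax
    cld
    repnz scasb
    sub edi, _lpszAPI
    mov @dwAPILength, edi

    ; esi -> IMAGE_EXPORT_DIRECTORY; DataDirectory entry 0 is the export table
    mov esi, _dwKernelBase
    assume esi: ptr IMAGE_DOS_HEADER
    add esi, [esi].e_lfanew
    assume esi: ptr IMAGE_NT_HEADERS
    mov eax, [esi].OptionalHeader.DataDirectory.isize
    mov esi, [esi].OptionalHeader.DataDirectory.VirtualAddress
    add esi, _dwKernelBase
    assume esi: ptr IMAGE_EXPORT_DIRECTORY
    mov @lpExportDir, esi
    add eax, esi
    mov @lpExportEnd, eax                    ; [@lpExportDir, @lpExportEnd) = forwarder strings live here

    mov ebx, [esi].AddressOfNames
    add ebx, _dwKernelBase                   ; ebx -> AddressOfNames[edx]
    xor edx, edx                             ; edx = current name index
    .while edx < [esi].NumberOfNames
        mov edi, [ebx]
        add edi, _dwKernelBase               ; edi -> exported name (NUL terminated)
        mov esi, _lpszAPI
        mov ecx, @dwAPILength
        repz cmpsb
        mov esi, @lpExportDir                ; mov leaves the flags from cmpsb intact
        .if ZERO?
            ; names[edx] == _lpszAPI: index -> ordinal -> function RVA
            mov eax, [esi].AddressOfNameOrdinals
            add eax, _dwKernelBase
            movzx eax, word ptr [eax + edx*2]
            mov ecx, [esi].AddressOfFunctions
            add ecx, _dwKernelBase
            mov eax, [ecx + eax*4]
            add eax, _dwKernelBase
            .if eax < @lpExportDir || eax >= @lpExportEnd
                mov @dwRet, eax
            .endif
            .break
        .endif
        add ebx, 4
        inc edx
    .endw
    assume esi: nothing

    popad
    mov eax, @dwRet
    ret
_GetAPIByName endp

;-----------------------------------------------------------------------
; _RemoteThread(lParam) — entry point of the injected thread (ThreadProc
; shape; lParam is the CreateRemoteThread argument and is unused).
;
; Runs at lpRemoteCode in the target rather than where it was assembled,
; so every data reference goes through ebx = (runtime - assembled
; address). Finds kernel32 from the thread-start thunk's return address,
; resolves GetProcAddress / LoadLibraryA from its exports, loads
; User32.dll, resolves MessageBoxA and shows the message. Each step is
; checked; a 0 result skips the dependent steps. The only memory written
; is the blob's own slots.
;
; The injector pre-fills _lpLoadLibrary / _lpGetProcAddress with the
; addresses from its own process; they are only overwritten when the
; export walk succeeds, so they act as a fallback (e.g. for a forwarded
; export that _GetAPIByName refuses to return).
;-----------------------------------------------------------------------
_RemoteThread proc uses ebx edi esi lParam

    ; ebx = delta between the assembled address and the executing address
    call @F
@@:
    pop ebx
    sub ebx, offset @B

    ; The return address is at [ebp+4]: the proc prologue sets up ebp and
    ; the USES registers are pushed after it, so [esp] here (as in the
    ; original) is the saved esi, not the return address.
    invoke _GetKernelBase, dword ptr [ebp + 4]
    .if eax
        mov [ebx + _hRemoteKernel32], eax

        lea eax, [ebx + _szGetProcAddress]
        invoke _GetAPIByName, [ebx + _hRemoteKernel32], eax
        .if eax
            mov [ebx + _lpGetProcAddress], eax   ; resolved for completeness; unused below
        .endif

        lea eax, [ebx + _szLoadLibrary]
        invoke _GetAPIByName, [ebx + _hRemoteKernel32], eax
        .if eax
            mov [ebx + _lpLoadLibrary], eax
        .endif
    .endif

    mov eax, [ebx + _lpLoadLibrary]
    .if eax
        lea eax, [ebx + _szUserDLL]
        push eax
        call [ebx + _lpLoadLibrary]              ; LoadLibraryA("User32.dll")
        mov [ebx + _hRemoteUser32], eax
        .if eax
            lea eax, [ebx + _szMessageBox]
            invoke _GetAPIByName, [ebx + _hRemoteUser32], eax
            mov [ebx + _lpMessageBox], eax
            .if eax
                push MB_OK                       ; uType
                lea eax, [ebx + _szMsgCaption]
                push eax                         ; lpCaption
                lea eax, [ebx + _szMsgText]
                push eax                         ; lpText
                push NULL                        ; hWnd
                call [ebx + _lpMessageBox]       ; MessageBoxA(NULL, text, caption, MB_OK)
            .endif
        .endif
    .endif

    xor eax, eax                                 ; thread exit code 0
    ret
_RemoteThread endp

REMOTE_CODE_END equ this byte
REMOTE_CODE_LENGTH equ offset REMOTE_CODE_END - offset REMOTE_CODE_START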



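    start:
        ; ----------------------------------------------------------------
        ; Injector. Copies the REMOTE_CODE_START..REMOTE_CODE_END blob into
        ; the process owning the "Program Manager" window, patches the
        ; blob's first three dwords with this process's LoadLibraryA /
        ; GetProcAddress / GetModuleHandleA addresses, runs _RemoteThread
        ; there, waits for it, frees the remote allocation and exits.
        ; Every API result is checked; on failure the dependent steps are
        ; skipped and whatever was opened is still closed (the original
        ; called CloseHandle on an unchecked CreateRemoteThread result and
        ; on hProcess even when OpenProcess had failed).
        ; ----------------------------------------------------------------

        ; Local kernel32 entry points -> lpLoadLibrary / lpGetProcAddress /
        ; lpGetModuleHandle (adjacent .data? slots, written into the blob as
        ; one 12-byte run below). The remote thread uses them only as a
        ; fallback; they are meaningful there only if kernel32 sits at the
        ; same base in the target — true in practice for system DLLs within
        ; one boot session, but confirm on the target OS.
        invoke GetModuleHandle, offset szKernel
        mov hModule, eax
        invoke GetProcAddress, hModule, offset szLoadLibrary
        mov lpLoadLibrary, eax
        invoke GetProcAddress, hModule, offset szGetProcAddress
        mov lpGetProcAddress, eax
        invoke GetProcAddress, hModule, offset szGetModuleHandle
        mov lpGetModuleHandle, eax

        ; Target PID from the window title. dwProcessID stays 0 (.data? is
        ; zero-filled at load) when the window does not exist.
        invoke FindWindow, NULL, offset szProcessWndName
        .if eax
            invoke GetWindowThreadProcessId, eax, offset dwProcessID
        .endif

        mov eax, dwProcessID
        .if eax
            ; CreateRemoteThread's documentation lists PROCESS_QUERY_INFORMATION
            ; and PROCESS_VM_READ as required in addition to the three rights
            ; the original requested; without them OpenProcess succeeds but the
            ; thread creation itself fails on newer Windows.
            invoke OpenProcess, PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ,\
                   FALSE, dwProcessID
            .if eax
                mov hProcess, eax

                ; RWX is needed as long as the blob keeps its writable slots
                ; (_lp*, _h*) next to its code; splitting them into separate
                ; allocations would allow an RX code page.
                invoke VirtualAllocEx, hProcess, NULL, REMOTE_CODE_LENGTH, MEM_COMMIT, PAGE_EXECUTE_READWRITE
                .if eax
                    mov lpRemoteCode, eax

                    invoke WriteProcessMemory, hProcess, lpRemoteCode, offset REMOTE_CODE_START,\
                           REMOTE_CODE_LENGTH, NULL
                    .if eax
                        ; Patch the blob's first three dwords (_lpLoadLibrary,
                        ; _lpGetProcAddress, _lpGetModuleHandle).
                        invoke WriteProcessMemory, hProcess, lpRemoteCode, offset lpLoadLibrary,\
                               sizeof dword * 3, NULL
                        .if eax
                            mov eax, lpRemoteCode
                            add eax, _RemoteThread - offset REMOTE_CODE_START
                            invoke CreateRemoteThread, hProcess, NULL, 0, eax, 0, NULL, 0
                            .if eax
                                mov esi, eax                 ; thread handle; esi survives the Win32 calls
                                ; The thread executes inside the allocation, so wait
                                ; for it before the allocation is released below.
                                invoke WaitForSingleObject, esi, INFINITE
                                invoke CloseHandle, esi
                            .endif
                        .endif
                    .endif

                    ; Do not leave an RWX blob resident in the target.
                    invoke VirtualFreeEx, hProcess, lpRemoteCode, 0, MEM_RELEASE
                    invoke MessageBox, NULL, NULL, NULL, MB_OK
                .endif
                invoke CloseHandle, hProcess
            .endif
        .endif

        invoke ExitProcess, 0
    end start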


      kernel32.lib
      这个库好像没有啊

