Remote code injection (DLL injection into another process) is also complete.

Source: Internet
Author: User

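;-----------------------------------------------------------------------
; Win32 (x86, 32-bit) DLL injector, MASM32 style.
; Lists running processes in a dialog listbox and injects a hard-coded
; DLL into the selected one via CreateRemoteThread -> LoadLibraryA.
; Compilation mode = "CON"
; ABI: flat model, stdcall.  "option casemap:none" makes every identifier
; case-sensitive, so each reference must match its declaration exactly.
;-----------------------------------------------------------------------
.386
.model flat, stdcall
option casemap:none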
 
Include windows. inc
Include user32.inc
Include kernel32.inc
Include masm32.inc
Include Psapi. inc

Includelib user32.lib
Includelib kernel32.lib
Includelib masm32.lib
Includelib Psapi. lib
;-------------------------------------------------------

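; Forward declarations.  The parameter list of each PROTO has to agree with
; the PROC defined below, otherwise MASM rejects the file: DlgProc and
; Error_Handler both take four DWORDs (the original listed two for each).
Error_Handler   proto :DWORD, :DWORD, :DWORD, :DWORD   ; SEH: (record, frame, context, dispatch)
Print_Handler   proto :DWORD, :DWORD, :DWORD           ; (lpszName, dwPid, hDlg)
DlgProc         proto :DWORD, :DWORD, :DWORD, :DWORD   ; (hWnd, uMsg, wParam, lParam)
RetriveProcess  proto :DWORD                           ; (hDlg) refresh the listbox
Enject_Handle   proto :DWORD                           ; (hDlg) inject into the selected entry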

; SzText name, "text"[, more bytes]
; Emits a zero-terminated string inline in the current section (here the
; code section) and jumps over it, so the string can be referenced as
; ADDR name from inside a procedure without touching .data.
; The bytes sit in the code section, which is normally mapped
; execute/read only, so treat them as read-only; the jmp runs every time
; the enclosing code path does.
SzText MACRO Name, Text:VARARG
    LOCAL skip
    jmp skip                        ; step over the inline bytes
    Name db Text, 0                 ; literal plus its NUL terminator
skip:
ENDM

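.const
; Resource / control identifiers.  They must match the "main_dialog"
; resource script, which is not part of this listing.  DlgProc also
; reacts to the literal ids 1002 (refresh list) and 3002 (close), which
; are not named here.
DLG_MAIN    equ 1       ; icon resource passed to LoadIcon
ITEM_LIST   equ 1001    ; listbox holding one "path (pid)" entry per process
BTN_ENJECT  equ 1003    ; "inject into selected process" button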

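.data
szMsg           db "Hello world! ", 13, 10, 0     ; dialog caption set on WM_INITDIALOG
; PID array filled by EnumProcesses.  512 entries; EnumProcesses cannot
; report "buffer too small", so longer process lists are silently cut.
proID           dd 512 dup(0)
szDbg           db 256 dup(0), 0                  ; not referenced in this listing
; Module path of the process being listed; RetriveProcess passes 256 as
; the size to GetModuleFileNameEx, the trailing byte keeps a terminator.
szProcessName   db 256 dup(0), 0
szNewLine       db "", 13, 10, 0                  ; not referenced in this listing
szDlgName       db "main_dialog", 0               ; dialog template name (resource script not shown)
; Path of the DLL to inject.  It is passed to LoadLibraryA *inside the
; target*, so the target must be able to read it, and this 32-bit image
; can only inject a 32-bit DLL.  Hard-coded; a file picker or command
; line argument would be the obvious improvement.
szDllName       db "D:/temp/dll/debug/DLL.dll", 0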

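.data?
; Scratch used by RetriveProcess while walking the PID list (per-call
; state kept in globals; not reentrant).
dwRet           dd ?        ; bytes returned by EnumProcesses, then converted to a count
hm              HMODULE ?   ; first module handle of the process being listed
dwHmRet         dd ?        ; bytes returned by EnumProcessModules
hProcess        HANDLE ?    ; not referenced in this listing
hProcessHandle  HANDLE ?    ; handle of the process currently being listed
hProcessID      dd ?        ; PID currently being listed
hInstance       dd ?        ; module handle of this executable (set in START)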

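.code
; Entry point: installs a frame-based SEH handler, runs the modal dialog,
; unlinks the handler and exits.
START:
    ; Error_Handler returns ExceptionContinueSearch (1), so this frame only
    ; keeps the handler chain well formed; nothing is logged or fixed up.
    ; NOTE(review): on an image linked with /SAFESEH a handler registered
    ; through FS:[0] must also appear in the SafeSEH table (.SAFESEH
    ; directive), otherwise the dispatcher ignores it -- confirm the link
    ; settings used for this project.
    assume  fs:nothing
    push    offset Error_Handler
    push    fs:[0]
    mov     fs:[0], esp

    invoke  GetModuleHandle, NULL
    mov     hInstance, eax
    ; Modal dialog; returns when DlgProc calls EndDialog.  A return of -1
    ; means the "main_dialog" template was not found; it is not reported.
    invoke  DialogBoxParam, hInstance, ADDR szDlgName, 0, offset DlgProc, 0

    ; Unlink our SEH frame (restore the previous head, drop the handler).
    pop     fs:[0]
    pop     eax

    invoke  ExitProcess, 0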

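; DlgProc(hWnd, uMsg, wParam, lParam) -- dialog procedure for "main_dialog".
; Returns TRUE for the messages it handles, FALSE for everything else so
; the dialog manager applies default processing.
DlgProc proc hWnd:DWORD, uMsg:DWORD, wParam:DWORD, lParam:DWORD
    .if uMsg == WM_INITDIALOG
        ; LoadIcon may return NULL; WM_SETICON then just clears the icon.
        invoke  LoadIcon, hInstance, DLG_MAIN
        invoke  SendMessage, hWnd, WM_SETICON, ICON_SMALL, eax
        invoke  SendMessage, hWnd, WM_SETTEXT, 0, ADDR szMsg
    .elseif uMsg == WM_COMMAND
        ; Only the control id (low word of wParam) is examined; the
        ; notification code in the high word is ignored, so any
        ; notification from these ids triggers the action, not only
        ; BN_CLICKED.  movzx avoids the partial-register compare on ax.
        movzx   eax, word ptr wParam
        .if eax == 3002                         ; close button (id not named in .const)
            invoke  EndDialog, hWnd, TRUE
        .elseif eax == 1002                     ; refresh process list (id not named in .const)
            invoke  RetriveProcess, hWnd
        .elseif eax == BTN_ENJECT
            invoke  Enject_Handle, hWnd
        .endif
    .elseif uMsg == WM_CLOSE
        invoke  EndDialog, hWnd, FALSE
    .else
        mov     eax, FALSE
        ret
    .endif
    mov     eax, TRUE
    ret
DlgProc endp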

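; Print_Handler(processname, processid, hDlg)
; Appends "<processname> (<pid>)" to ITEM_LIST and stores the pid as the
; item's data so Enject_Handle can read it back with LB_GETITEMDATA.
;   processname - pointer to a zero-terminated ANSI string of at most 256
;                 bytes (the size RetriveProcess passes to GetModuleFileNameEx)
;   processid   - PID attached to the new item
;   hDlg        - dialog that owns ITEM_LIST
; eax on return is not meaningful.
Print_Handler proc processname:DWORD, processid:DWORD, hDlg:DWORD
    LOCAL hList:HANDLE
    ; A 256-byte name plus " (" + up to 10 digits + ")" + NUL is up to 270
    ; bytes; the original formatted into a 256-byte stack buffer, which a
    ; long module path could overflow.  Size the line for the worst case.
    LOCAL szLine[300]:BYTE
    SzText szFormat, "%s (%d)"

    invoke  GetDlgItem, hDlg, ITEM_LIST
    mov     hList, eax

    ; The original first invoked an undefined "getaskpathname" with
    ; ADDR processname -- the address of the parameter slot, not of the
    ; string -- and then overwrote its output with this wsprintf; that
    ; call is dropped.  wsprintf is cdecl; the masm32 prototype lets
    ; invoke clean the stack.
    invoke  wsprintf, ADDR szLine, ADDR szFormat, processname, processid

    invoke  SendMessage, hList, LB_ADDSTRING, 0, ADDR szLine
    ; eax is the new item's index, or LB_ERR (-1) / LB_ERRSPACE (-2).
    test    eax, eax
    js      @F                      ; insertion failed: nothing to tag
    invoke  SendMessage, hList, LB_SETITEMDATA, eax, processid
@@:
    ret
Print_Handler endp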

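; RetriveProcess(hDlg)
; Clears ITEM_LIST and refills it with one "path (pid)" entry per process
; that could be opened and whose first module could be queried.
; Uses the file-level scratch globals proID, dwRet, hm, dwHmRet,
; hProcessHandle, hProcessID and szProcessName (not reentrant).
; Limits: proID holds 512 PIDs and EnumProcesses cannot signal a short
; buffer, so a longer list is truncated.  Processes that refuse
; PROCESS_QUERY_INFORMATION|PROCESS_VM_READ (PID 0, protected or
; higher-integrity ones) and processes whose modules cannot be
; enumerated (e.g. 64-bit targets seen from this 32-bit image) are
; skipped without any message.
RetriveProcess proc hDlg:DWORD
    LOCAL hList:HANDLE
    LOCAL idx:DWORD                 ; index into proID (the original kept it in [esp+4])

    invoke  GetDlgItem, hDlg, ITEM_LIST
    mov     hList, eax

    ; One message empties the listbox; the original deleted index 0 in
    ; a loop until LB_GETCOUNT returned 0.
    invoke  SendMessage, hList, LB_RESETCONTENT, 0, 0

    invoke  EnumProcesses, ADDR proID, sizeof proID, ADDR dwRet
    .if eax == 0
        ret                         ; enumeration failed; list stays empty
    .endif
    shr     dwRet, 2                ; bytes -> number of PIDs (unsigned)

    mov     idx, 0
    .while 1
        mov     ecx, idx
        .break .if ecx >= dwRet
        mov     eax, proID[ecx*4]
        mov     hProcessID, eax
        inc     idx

        invoke  OpenProcess, PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, 0, eax
        .continue .if eax == 0      ; access denied / PID 0: skip silently
        mov     hProcessHandle, eax

        ; The first module is the process's main executable.
        invoke  EnumProcessModules, hProcessHandle, ADDR hm, sizeof hm, ADDR dwHmRet
        .if eax != 0
            invoke  GetModuleFileNameEx, hProcessHandle, hm, ADDR szProcessName, 256
            .if eax == 0
                ; Do not show the previous iteration's path for this PID.
                mov     byte ptr szProcessName, 0
            .endif
            invoke  Print_Handler, ADDR szProcessName, hProcessID, hDlg
        .endif
        ; Always release the process handle; the original leaked it when
        ; EnumProcessModules failed.
        invoke  CloseHandle, hProcessHandle
    .endw
    ret
RetriveProcess endp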

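; Enject_Handle(hDlg)
; Injects szDllName into the process selected in ITEM_LIST:
;   OpenProcess -> VirtualAllocEx (read/write, holds only the path; no
;   executable memory is created) -> WriteProcessMemory ->
;   CreateRemoteThread(LoadLibraryA, path) -> wait -> check the HMODULE
;   LoadLibraryA returned -> free the path -> close handles.
; Assumptions a user of this code should know:
;   * LoadLibraryA's address is looked up in *this* process and is only
;     valid in the target if kernel32 is mapped at the same base there,
;     i.e. same bitness (this image is 32-bit, so only 32-bit targets)
;     and, with ASLR, the same per-boot kernel32 base.
;   * The DLL path is resolved by the target, so it must be readable there.
;   * The target gets a new thread that runs the DLL's DllMain; a DllMain
;     that blocks will hold up the bounded wait below.
; Every failure shows the same "Error Open Process" box (text kept from
; the original even though it is misleading for the later steps).
Enject_Handle proc hDlg:DWORD
    LOCAL hList:HANDLE
    LOCAL processid:DWORD
    LOCAL proHandle:HANDLE          ; 0 until OpenProcess succeeds
    LOCAL dLen:DWORD                ; lstrlen(szDllName) + 1
    LOCAL dWlen:DWORD               ; bytes actually written into the target
    LOCAL lpAllocMem:DWORD          ; remote buffer, 0 until allocated
    LOCAL lpfLoadLib:DWORD
    LOCAL hThread:HANDLE            ; remote thread handle, 0 until created
    LOCAL dwThreadID:DWORD          ; the original overwrote this with the handle
    LOCAL dwExitCode:DWORD

    mov     proHandle, 0
    mov     lpAllocMem, 0
    mov     hThread, 0

    invoke  GetDlgItem, hDlg, ITEM_LIST
    mov     hList, eax
    invoke  SendMessage, hList, LB_GETCURSEL, 0, 0
    cmp     eax, LB_ERR
    je      @ErrMsg                 ; nothing selected (the original went on with pid -1)
    invoke  SendMessage, hList, LB_GETITEMDATA, eax, 0
    mov     processid, eax

    ; CreateRemoteThread documents that the handle needs CREATE_THREAD,
    ; QUERY_INFORMATION, VM_OPERATION, VM_WRITE and VM_READ; the original
    ; omitted QUERY_INFORMATION and VM_READ.
    invoke  OpenProcess, PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ, 0, processid
    test    eax, eax
    jz      @ErrMsg
    mov     proHandle, eax

    invoke  lstrlen, ADDR szDllName
    inc     eax                     ; include the NUL terminator
    mov     dLen, eax
    invoke  VirtualAllocEx, proHandle, NULL, dLen, MEM_COMMIT, PAGE_READWRITE
    test    eax, eax
    jz      @ErrMsg
    mov     lpAllocMem, eax

    invoke  WriteProcessMemory, proHandle, lpAllocMem, ADDR szDllName, dLen, ADDR dWlen
    test    eax, eax
    jz      @ErrMsg
    mov     eax, dLen
    cmp     eax, dWlen
    jne     @ErrMsg                 ; short write

    SzText KerName, "Kernel32.DLL"
    invoke  GetModuleHandle, ADDR KerName
    test    eax, eax
    jz      @ErrMsg
    SzText LoadLibName, "LoadLibraryA"
    invoke  GetProcAddress, eax, ADDR LoadLibName
    test    eax, eax
    jz      @ErrMsg
    mov     lpfLoadLib, eax

    ; The thread's start routine is LoadLibraryA with our path as its
    ; argument, so its exit code is the HMODULE (0 if the load failed).
    invoke  CreateRemoteThread, proHandle, 0, lpfLoadLib, lpAllocMem, 0, ADDR dwThreadID
    test    eax, eax
    jz      @ErrMsg
    mov     hThread, eax

    ; Wait for LoadLibraryA to finish instead of sleeping 3 s: freeing the
    ; path buffer while the thread might still read it was a race.
    invoke  WaitForSingleObject, hThread, 10000
    .if eax != WAIT_OBJECT_0
        ; Still running (or the wait failed): never free the buffer
        ; underneath it -- accept the leak and report the failure.
        mov     lpAllocMem, 0
        jmp     @ErrMsg
    .endif
    invoke  GetExitCodeThread, hThread, ADDR dwExitCode
    test    eax, eax
    jz      @ErrMsg
    cmp     dwExitCode, 0
    je      @ErrMsg                 ; LoadLibraryA failed inside the target
    jmp     @Cleanup

@ErrMsg:
    SzText szError, "Error Open Process"
    invoke  MessageBox, 0, ADDR szError, 0, 0
@Cleanup:
    ; Release whatever was acquired.  The original closed neither the
    ; process handle nor, on error paths, the remote buffer, and used
    ; MEM_DECOMMIT, which keeps the reservation alive in the target.
    .if lpAllocMem != 0
        invoke  VirtualFreeEx, proHandle, lpAllocMem, 0, MEM_RELEASE
    .endif
    .if hThread != 0
        invoke  CloseHandle, hThread
    .endif
    .if proHandle != 0
        invoke  CloseHandle, proHandle
    .endif
    ret
Enject_Handle endp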

; Frame-based SEH handler registered through FS:[0] at program start.
; Parameters (lp1_trecord = EXCEPTION_RECORD*, lpFrame = registration
; record, lpContext = CONTEXT*, lpDispatch = dispatcher context) are all
; unused; "uses ecx" only saves and restores ecx around the body.
; Returns 1 = ExceptionContinueSearch: the exception is handed to the
; next handler in the chain; nothing is logged, reported or fixed up.
; NOTE(review): on an image linked with /SAFESEH a handler registered
; this way must also be listed in the SafeSEH table (.SAFESEH directive)
; or the OS dispatcher ignores it -- confirm the link settings.
Error_Handler proc uses ecx lp1_trecord: DWORD, lpFrame: DWORD, lpContext: DWORD, lpDispatch: DWORD
Mov eax, 1
Ret
Error_Handler endp

End START

----------------------------------

The code for injecting into a remote process is also complete; it is not very complicated. Note that it only works for a 32-bit target whose kernel32 is mapped at the same base as in the injector, and that the target must be able to read the DLL path.

The CSDN blog does not support file uploads, unfortunately.

Next up: API hooking.
