-
-
[求助]我想学习怎么用设置上下文的方法来实现线程插入
-
发表于: 2007-11-17 10:42
-
我想学习怎么用设置上下文的方法来实现线程插入。我有C的源码可以不知道怎样翻译成汇编
,希望高人指点一二
。付上C源码:
;SuspendThread(hThread);
;ctx.ContextFlags = CONTEXT_CONTROL;
;GetThreadContext(hThread, &ctx);
;oldIP = ctx.Eip;
;Set the EIP of the context to the addrddess of our stub
;ctx.Eip = (DWORD)stub;
;ctx.ContextFlags = CONTEXT_CONTROL;
;Right now loadDll is code, which isn't writable.We need to change that.
;VirtualProtect(loadDll, stubLen, PAGE_EXECUTE_READWRITE, &oldprot);
;Patch the first push instruction
;memcpy((void *)((unsigned long)loadDll + 1), &oldIP, 4);
;Patch the 2nd push instruction
;memcpy((void *)((unsigned long)loadDll + 8), &dllString, 4)
;Patch the mov eax, 0xDEADBEEF to mov eax, LoadLibrary
;memcpy((void *)((unsigned long)loadDll + 13), &loadLibAddy, 4);
;WriteProcessMemory(hProcess, stub, loadDll, stubLen, NULL); ;Write the stub into the target Set the new context of the target's thread
;SetThreadContext(hThread, &ctx);
;Let the target thread continue execution, starting at our stub
;ResumeThread(hThread); ;SuspendThread(hThread);
;ctx.ContextFlags = CONTEXT_CONTROL;
;GetThreadContext(hThread, &ctx);
;oldIP = ctx.Eip;
;Set the EIP of the context to the addrddess of our stub
;ctx.Eip = (DWORD)stub;
;ctx.ContextFlags = CONTEXT_CONTROL;
;Right now loadDll is code, which isn't writable.We need to change that.
;VirtualProtect(loadDll, stubLen, PAGE_EXECUTE_READWRITE, &oldprot);
;Patch the first push instruction
;memcpy((void *)((unsigned long)loadDll + 1), &oldIP, 4);
;Patch the 2nd push instruction
;memcpy((void *)((unsigned long)loadDll + 8), &dllString, 4)
;Patch the mov eax, 0xDEADBEEF to mov eax, LoadLibrary
;memcpy((void *)((unsigned long)loadDll + 13), &loadLibAddy, 4);
;WriteProcessMemory(hProcess, stub, loadDll, stubLen, NULL); ;Write the stub into the target Set the new context of the target's thread
;SetThreadContext(hThread, &ctx);
;Let the target thread continue execution, starting at our stub
;ResumeThread(hThread);
,希望高人指点一二 。付上C源码:;SuspendThread(hThread);
;ctx.ContextFlags = CONTEXT_CONTROL;
;GetThreadContext(hThread, &ctx);
;oldIP = ctx.Eip;
;Set the EIP of the context to the addrddess of our stub
;ctx.Eip = (DWORD)stub;
;ctx.ContextFlags = CONTEXT_CONTROL;
;Right now loadDll is code, which isn't writable.We need to change that.
;VirtualProtect(loadDll, stubLen, PAGE_EXECUTE_READWRITE, &oldprot);
;Patch the first push instruction
;memcpy((void *)((unsigned long)loadDll + 1), &oldIP, 4);
;Patch the 2nd push instruction
;memcpy((void *)((unsigned long)loadDll + 8), &dllString, 4)
;Patch the mov eax, 0xDEADBEEF to mov eax, LoadLibrary
;memcpy((void *)((unsigned long)loadDll + 13), &loadLibAddy, 4);
;WriteProcessMemory(hProcess, stub, loadDll, stubLen, NULL); ;Write the stub into the target Set the new context of the target's thread
;SetThreadContext(hThread, &ctx);
;Let the target thread continue execution, starting at our stub
;ResumeThread(hThread); ;SuspendThread(hThread);
;ctx.ContextFlags = CONTEXT_CONTROL;
;GetThreadContext(hThread, &ctx);
;oldIP = ctx.Eip;
;Set the EIP of the context to the addrddess of our stub
;ctx.Eip = (DWORD)stub;
;ctx.ContextFlags = CONTEXT_CONTROL;
;Right now loadDll is code, which isn't writable.We need to change that.
;VirtualProtect(loadDll, stubLen, PAGE_EXECUTE_READWRITE, &oldprot);
;Patch the first push instruction
;memcpy((void *)((unsigned long)loadDll + 1), &oldIP, 4);
;Patch the 2nd push instruction
;memcpy((void *)((unsigned long)loadDll + 8), &dllString, 4)
;Patch the mov eax, 0xDEADBEEF to mov eax, LoadLibrary
;memcpy((void *)((unsigned long)loadDll + 13), &loadLibAddy, 4);
;WriteProcessMemory(hProcess, stub, loadDll, stubLen, NULL); ;Write the stub into the target Set the new context of the target's thread
;SetThreadContext(hThread, &ctx);
;Let the target thread continue execution, starting at our stub
;ResumeThread(hThread);
|
|
|---|---|
|
|
|
|
|
|
|
|
我是想写成汇编,由于能力有限,不知道要怎么改,能不能给出关键的代码?谢谢了。
我在用SetThreadContext时,返回的是0,也主是不成功,为什么呀?我的权限不够??
|
|
|
|
|
|
|
