用汇编语言写的远程线程插入,但插入到explorer.exe的话,就会造成explorer.exe忙碌,感觉像死机了,但是插入的线程工作正常,哪位高手指教一下啊??
代码如下:
; Injector (MASM32, Win32 API, Intel syntax): walks a Toolhelp process snapshot
; and, for every process whose image name matches the 12-byte string at Explorer
; (declared outside this excerpt), allocates memory in that process, copies the
; DLL path into it and starts a remote thread at the address resolved from
; LoadL_name (also declared outside this excerpt). This is the classic
; CreateRemoteThread/LoadLibrary injection sequence; the cross-process
; VirtualAllocEx + WriteProcessMemory + CreateRemoteThread triple is what
; process-injection telemetry and responders look for in the host process.
; Symbols used but not declared here: hInstance, CommandLine, proc_snap_hd,
; snap_st (presumably a PROCESSENTRY32), Explorer, explorer_hd, VoM_hd, Kernel,
; LoadL_name.
System_Dir db "c:\test.dll",0          ; DLL path, 12 bytes incl. NUL; 260 bytes are written from here (see WriteProcessMemory)
start:
invoke GetModuleHandle, NULL
mov hInstance,eax
invoke GetCommandLine
mov CommandLine,eax                    ; hInstance/CommandLine are only used by the commented-out WinMain call below
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov proc_snap_hd,eax                   ; snapshot handle; not checked for INVALID_HANDLE_VALUE and never closed in the visible code
mov snap_st.dwSize,sizeof snap_st      ; dwSize must be set before Process32First
invoke Process32First,proc_snap_hd,addr snap_st
.while eax !=0                         ; eax = BOOL from Process32First / Process32Next
lea edi,snap_st.szExeFile
lea esi,Explorer
mov ecx,12                             ; compares exactly 12 bytes ("explorer.exe" is 12 chars): case-sensitive,
repe cmpsb                             ; and the terminator is not compared, so any name with the same 12-byte prefix matches
.if ZERO?                              ; ZF is set only if all 12 bytes compared equal
.REPEAT
invoke Sleep,2000
invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_VM_WRITE or PROCESS_VM_OPERATION,1,snap_st.th32ProcessID
.UNTIL eax!=0                          ; retries forever, 2 s apart, while OpenProcess fails (e.g. access denied) - no give-up path
mov explorer_hd, eax                   ; process handle (inheritable: 2nd arg = 1); never closed in the visible code
invoke VirtualAllocEx,explorer_hd,NULL,260,MEM_COMMIT,PAGE_EXECUTE_READWRITE   ; executable permission on a buffer that only ever holds a path string
mov VoM_hd,eax                         ; remote buffer address; not checked for NULL before use
invoke WriteProcessMemory,explorer_hd,VoM_hd,addr System_Dir,260,NULL   ; copies 260 bytes although System_Dir is 12 bytes: over-reads whatever follows it in .data
invoke LoadLibrary,addr Kernel         ; module handle of kernel32 in THIS process (Kernel presumably names "kernel32.dll" - declared elsewhere)
invoke GetProcAddress,eax,addr LoadL_name   ; local address reused in the remote process as-is; assumes the module is mapped at the same base there
invoke CreateRemoteThread,explorer_hd,NULL,0,eax,VoM_hd,NULL,NULL   ; thread handle returned in eax is discarded, never closed
.endif
invoke Process32Next,proc_snap_hd,addr snap_st   ; no break after a match, so every matching process in the snapshot is injected
.endw
;invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
invoke ExitProcess,eax                 ; exit code = whatever Process32Next left in eax (0 when the loop ends)
end start
dll 文件源代码如下:
.code
; DLL entry point (DllMain). The loader calls it for every reason code, and this
; body never tests `reason`, so a new thread is created not only on
; DLL_PROCESS_ATTACH but on every DLL_THREAD_ATTACH/DETACH notification as well -
; including the notifications generated by the threads this routine itself
; creates, which makes the thread count grow without bound in the host.
; It also always returns 0 (FALSE); on DLL_PROCESS_ATTACH that tells the loader the
; attach failed, so the module is unmapped while the thread just created is still
; running in it. Creating threads from DllMain is documented as unsafe because the
; loader lock is held at that point. Any of these is a plausible reason for the
; host process appearing hung (not verified here). tr_l (lpThreadId out-param) is
; declared outside this excerpt.
DllEntry proc hInstDLL:HINSTANCE, reason:DWORD, reserved1:DWORD
invoke CreateThread,NULL,0,addr GetSysInfo,NULL,0,tr_l   ; one new thread per call; handle discarded
mov eax,0                              ; FALSE for every reason code
ret
DllEntry Endp
; Thread routine started by DllEntry. As posted this does not assemble: the
; `.while true` has no matching `.endw`; `sleep` (lower case) is a different
; symbol from the API name `Sleep` if the file uses option casemap:none (the
; usual masm32 setting - not visible here), and the same applies to `true`; and
; the `ret` sits inside the loop body, so even with the loop closed the thread
; would return after a single 5 s sleep. The binary that was actually run must
; have been built from different text.
GetSysInfo proc
.while true
invoke sleep,5000
ret
GetSysInfo endp
End DllEntry