分类: WINDOWS
2009-05-29 23:35:39
.486
.model flat, stdcall
option casemap :none
include windows.inc
include masm32.inc
include gdi32.inc
include user32.inc
include kernel32.inc
include Comctl32.inc
include comdlg32.inc
include shell32.inc
include oleaut32.inc
include ole32.inc
include msvcrt.inc
includelib masm32.lib
includelib gdi32.lib
includelib user32.lib
includelib kernel32.lib
includelib Comctl32.lib
includelib comdlg32.lib
includelib shell32.lib
includelib oleaut32.lib
includelib ole32.lib
includelib msvcrt.lib
include Macro.inc
.data?
; Injector-side state (lives only in this process, never copied to the target).
dwProcessID dd ?       ; PID of the process that owns the desktop "Program Manager" window
dwThreadID dd ?        ; owning thread id returned by GetWindowThreadProcessId (stored, not used afterwards)
hProcess dd ?          ; OpenProcess handle on the target process
lpRemoteCode dd ?      ; base of the block VirtualAllocEx reserved inside the target
oldProt dd ?           ; previous page protection returned by VirtualProtect on our own code section
CTEXT macro Text:VARARG .code ico equ 2001
_lpLoadLibrary dd ? _szDllUser db 'User32.dll',0
DialogTitle db 'Main Dialog',0 call @F call @F DlgMain endp
_RemoteThread proc uses ebx edi esi lParam call @F _RemoteThread endp REMOTE_CODE_END equ this byte
start:
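local szText
; CTEXT('...') — emits the literal into .data and expands to its offset, so it
; can be passed straight as an invoke argument (see the FindWindow /
; GetProcAddress calls in the entry code). The angle brackets around
; `offset szText` were lost on this listing (stripped as markup); an `exitm`
; with no value would make every CTEXT(...) argument expand to nothing and the
; invokes below would not assemble.
.data
szText byte Text, 0
.code
exitm <offset szText>
endm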
; ---------------------------------------------------------------------------
; Start of the position-independent block that is copied into the target
; process (WriteProcessMemory of REMOTE_CODE_LENGTH bytes in the entry code).
; Everything from here to REMOTE_CODE_END is addressed at run time as
; [ebx + symbol], where ebx = (actual address of a label) - (its link-time
; address), so the block may land wherever VirtualAllocEx places it.
; ---------------------------------------------------------------------------
REMOTE_CODE_START equ this byte
; Bootstrap import slots. These two are filled by the injector BEFORE the copy,
; with addresses resolved in the injector's own kernel32. The remote code calls
; through them as-is, so this assumes kernel32.dll is mapped at the same base
; in the target process — NOTE(review): confirm for the target OS / ASLR setup.
_lpGetProcAddress dd ?
_lpGetModuleHandle dd ?
; The remaining slots are filled INSIDE the target by _RemoteThread, which walks
; the _sz* name list below and stores one pointer per name, in order, starting
; at _lpDialogBoxParam. Keep these slots and the name list in the same order and
; count. _lpGlobalAlloc, _lpVirtualProtect, _lpGlobalFree and _lpMessageBox are
; resolved but not called by the code shown on this page.
_lpDialogBoxParam dd ?
_lpDialogBoxIndirectParam dd ?
_lpGlobalAlloc dd ?
_lpVirtualAlloc dd ?
_lpVirtualProtect dd ?
_lpMultiByteToWideChar dd ?
_lpVirtualFree dd ?
_lpGlobalFree dd ?
_lpMessageBox dd ?
_lpLoadIcon dd ?
_lpSendMessage dd ?
_lpEndDialog dd ?
_hInstance dd ?        ; the target's GetModuleHandle(NULL), set by _RemoteThread
_hWinMain dd ?         ; not referenced by the code shown
_szClassName db 'RemoteClass',0          ; not referenced by the code shown
_szCaptionMain db 'RemoteWindow',0       ; not referenced by the code shown
_szDllKernel db 'Kernel32.dll',0         ; looked up with GetModuleHandle (already loaded in the target)
; Names resolved by _RemoteThread: user32 is tried first, then kernel32.
; The list ends at the extra 0 after 'EndDialog' (double NUL sentinel).
_szDialogBoxParam db 'DialogBoxParamA',0
_szDialogBoxIndirectParam db 'DialogBoxIndirectParamA',0
_szGlobalAlloc db 'GlobalAlloc',0
_szVirtualAlloc db 'VirtualAlloc',0
_szVirtualProtect db 'VirtualProtect',0
_szMultiByteToWideChar db 'MultiByteToWideChar',0
_szVirtualFree db 'VirtualFree',0
_szGlobalFree db 'GlobalFree',0
_szMessageBox db 'MessageBoxA',0
_szLoadIcon db 'LoadIconA',0
_szSendMessage db 'SendMessageA',0
_szEndDialog db 'EndDialog',0,0          ; second 0 terminates the name list
; ANSI strings converted to UTF-16 by DlgMain when it builds the dialog template.
font db 'MS Sans Serif',0
menu1 db 'cancel',0
DialogContext db 'Main Dialog In MASM32',0
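DlgProc proc uses ebx edi esi,hWin:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
    ; Dialog procedure of the injected dialog. Runs inside the target process at
    ; the address VirtualAllocEx chose, so every data reference goes through
    ; ebx = (load address of @@) - (link-time address of @@).
    ; Returns TRUE in eax for the messages handled here, FALSE otherwise.
    ;
    ; The `call @F` is part of the relocation idiom and is required: without
    ; it the `pop ebx` takes the esi saved by the `uses` prologue, ebx is
    ; garbage and the stack is unbalanced at ret. (On this listing the call had
    ; been displaced into the garbled header lines near the top of the page.)
    call @F
@@:
    pop ebx
    sub ebx,offset @B
    mov eax,uMsg
    .if eax==WM_CLOSE
        _invoke [ebx+_lpEndDialog],hWin,0
    .elseif eax==WM_INITDIALOG
        ; NOTE(review): _hInstance is the target's own executable
        ; (GetModuleHandle(NULL) in _RemoteThread), not this injector's image,
        ; so icon resource `ico` is only found if the target happens to carry
        ; it; LoadIcon may return NULL here.
        _invoke [ebx+_lpLoadIcon],[ebx+_hInstance],ico
        _invoke [ebx+_lpSendMessage],hWin,WM_SETICON,1,eax
    .elseif eax==WM_COMMAND
        ; The whole wParam is compared, so only a notification whose HIWORD is
        ; zero (BN_CLICKED) matches IDCANCEL.
        mov eax,wParam
        .if eax== IDCANCEL
            _invoke [ebx+_lpEndDialog],hWin,0
        .endif
    .else
        mov eax,FALSE                   ; not handled
        ret
    .endif
    mov eax,TRUE
    ret
DlgProc endp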
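DlgMain proc
    ; Builds an in-memory DLGTEMPLATE (header + two DLGITEMTEMPLATEs) in a fresh
    ; page and shows it modally through DialogBoxIndirectParam with DlgProc as
    ; the dialog procedure. Runs inside the target process; ebx carries the
    ; relocation delta (see DlgProc). No `uses`, so ebx is clobbered; esi/edi
    ; are saved by hand. Returns the DialogBoxIndirectParam result in eax, or
    ; 0 when the template buffer could not be allocated.
    ;
    ; `call @F` restored: it is required by the call/pop relocation idiom and
    ; had been displaced into the garbled header lines of this listing.
    call @F
@@:
    pop ebx
    sub ebx,offset @B
    push esi
    push edi
    ; The template is data the dialog manager only reads; nothing executes from
    ; it, so PAGE_READWRITE is sufficient (the original asked for RWX).
    _invoke [ebx+_lpVirtualAlloc],0, 1000h, MEM_COMMIT, PAGE_READWRITE
    .if eax == 0
        ; Allocation failed: return 0 instead of writing the template at address 0.
        pop edi
        pop esi
        ret
    .endif
    mov esi, eax                        ; esi = template base (passed to the API)
    mov edi, esi                        ; edi = write cursor
    ; DLGTEMPLATE: style(4) exstyle(4) cdit(2) x y cx cy (2 each) = 18 bytes,
    ; then the menu and window-class arrays (each an empty wide string here,
    ; left zero by VirtualAlloc) and the title. Coordinates are dialog units.
    mov dword ptr [edi], WS_OVERLAPPED or WS_SYSMENU or DS_SETFONT or DS_CENTER
    mov word ptr [edi+8], 2             ; cdit: number of child controls
    mov word ptr [edi+10], 50           ; x
    mov word ptr [edi+12], 50           ; y
    mov word ptr [edi+14], 150          ; cx
    mov word ptr [edi+16], 80           ; cy
    add edi, 22                         ; skip header + empty menu + empty class
    lea eax,[ebx+DialogTitle]
    _invoke [ebx+_lpMultiByteToWideChar],CP_ACP,MB_PRECOMPOSED,eax,0FFFFFFFFh,edi,lengthof DialogTitle
    add edi, lengthof DialogTitle*2
    ; DS_SETFONT: point size, then the face name, follow the title.
    mov word ptr [edi], 10              ; font point size
    add edi, 2
    lea eax,[ebx+font]
    _invoke [ebx+_lpMultiByteToWideChar],CP_ACP,MB_PRECOMPOSED,eax,0FFFFFFFFh,edi,lengthof font
    add edi, lengthof font*2
    ; Item 1, equivalent to:
    ;   DlgButton "Cancel",WS_TABSTOP,48,40,50,15,IDCANCEL
    ;   CONTROL "Cancel",IDCANCEL,"Button",0x50018000,48,40,50,15
    ; Each DLGITEMTEMPLATE starts on a DWORD boundary:
    ; style(4) exstyle(4) x y cx cy (8) id(2) = 18, then the class array.
    add edi, 3
    and edi, 0FFFFFFFCh
    mov dword ptr [edi], WS_VISIBLE or WS_CHILD
    mov word ptr [edi+8], 48            ; x
    mov word ptr [edi+10], 40           ; y
    mov word ptr [edi+12], 50           ; cx
    mov word ptr [edi+14], 15           ; cy
    mov word ptr [edi+16], IDCANCEL     ; control id
    mov word ptr [edi+18], 0FFFFh       ; class array: predefined-class marker
    mov word ptr [edi+20], 80h          ; 0x0080 = Button
    add edi, 22
    lea eax,[ebx+menu1]
    _invoke [ebx+_lpMultiByteToWideChar],CP_ACP,MB_PRECOMPOSED,eax,0FFFFFFFFh,edi,lengthof menu1
    add edi, lengthof menu1*2
    ; Item 2, equivalent to:
    ;   DlgStatic "Main Dialog In MASM32", SS_CENTER,2,20,140,9,100
    ; WORD-align and skip the (zero) creation-data word of item 1, then
    ; DWORD-align for the next item.
    add edi, 1
    and edi, 0FFFFFFFEh
    add edi, 2
    add edi, 3
    and edi, 0FFFFFFFCh
    mov dword ptr [edi], WS_VISIBLE or WS_CHILD or SS_CENTER
    mov word ptr [edi+8], 2             ; x
    mov word ptr [edi+10], 20           ; y
    mov word ptr [edi+12], 140          ; cx
    mov word ptr [edi+14], 9            ; cy
    mov word ptr [edi+16], 100          ; control id
    mov word ptr [edi+18], 0FFFFh       ; class array: predefined-class marker
    mov word ptr [edi+20], 82h          ; 0x0082 = Static
    add edi, 22
    lea eax,[ebx+DialogContext]
    _invoke [ebx+_lpMultiByteToWideChar],CP_ACP,MB_PRECOMPOSED,eax,0FFFFFFFFh,edi,lengthof DialogContext
    add edi, lengthof DialogContext*2
    ; Cursor adjustments kept from the original; edi is not read again after
    ; this point (the API receives esi), so they have no effect on the template.
    add edi, 2Ch
    add edi, 1
    and edi, 0FFFFFFFEh
    add edi, 2
    lea eax, [ebx+DlgProc]              ; relocated address of the dialog procedure
    _invoke [ebx+_lpDialogBoxIndirectParam],[ebx+ _hInstance],esi,0,eax,NULL
    push eax                            ; keep the dialog result across VirtualFree
    _invoke [ebx+_lpVirtualFree],esi,0, MEM_RELEASE
    pop eax
    pop edi
    pop esi
    ret
DlgMain endp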
; NOTE(review): on this listing the `_RemoteThread proc uses ebx edi esi ...`
; header, the `call @F` that must precede the `@@:` label below, and the
; closing `_RemoteThread endp` have been displaced into the garbled lines near
; the top of the page; the body here is otherwise intact. This is the thread
; entry that CreateRemoteThread starts inside the target process: it resolves
; the remaining import slots and then runs DlgMain.
local @hDllUser
local @hDllKernel
@@:
pop ebx                                 ; ebx = load address of @@ ...
sub ebx,offset @B                       ; ... minus link-time address = relocation delta
; _hInstance := the target's own executable module.
_invoke [ebx + _lpGetModuleHandle],NULL
mov [ebx + _hInstance],eax
; Module handles of user32/kernel32 as already loaded in the target.
lea eax,[ebx + offset _szDllUser]
_invoke [ebx + _lpGetModuleHandle],eax
mov @hDllUser,eax
lea eax,[ebx + offset _szDllKernel]
_invoke [ebx + _lpGetModuleHandle],eax
mov @hDllKernel,eax
; Resolve each name in the _sz* list into the matching _lp* slot, in order.
lea esi,[ebx + offset _szDialogBoxParam]    ; esi walks the NUL-separated name list
lea edi,[ebx + offset _lpDialogBoxParam]    ; edi walks the pointer slots
.while TRUE
; user32 first, then kernel32. NOTE(review): a name missing from both leaves a
; NULL in its slot; nothing checks for that, so the failure only shows up when
; _invoke later goes through the slot — presumably a crash of the host process.
_invoke [ebx + _lpGetProcAddress],@hDllUser,esi
.if eax==0
_invoke [ebx + _lpGetProcAddress],@hDllKernel,esi
.endif
mov [edi],eax
add edi,4
@@:
lodsb                                   ; advance esi past the current name's NUL
or al,al
jnz @B
.break .if ! byte ptr [esi]             ; double NUL = end of the list
.endw
call DlgMain                            ; relative call, valid at any load address
ret
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
REMOTE_CODE_LENGTH equ offset REMOTE_CODE_END - offset REMOTE_CODE_START
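; ---------------------------------------------------------------------------
; Injector entry code. Resolves the two bootstrap imports into the remote
; block, copies REMOTE_CODE_START..REMOTE_CODE_END into the process that owns
; the desktop "Program Manager" window and starts _RemoteThread there. Never
; returns; the process leaves through ExitProcess.
; Security notes for anyone reusing this as a template:
;  * the remote allocation is PAGE_EXECUTE_READWRITE because the block holds
;    both code and the _lp*/_hInstance slots that _RemoteThread writes at run
;    time; separating data from code would allow a W^X layout;
;  * the GetProcAddress/GetModuleHandle addresses copied over were resolved in
;    this process and are assumed valid in the target (same kernel32 base) —
;    confirm on the target OS / ASLR configuration.
; ---------------------------------------------------------------------------
    ; The _lp* slots live inside the .code section, so it must be writable
    ; before the `mov _lp...,eax` stores below. Address the section by label
    ; instead of the hard-coded 401000h the original used, which silently
    ; breaks if the image is rebased or relocated. VirtualProtect works on
    ; whole pages, so the byte count only has to cover the slots.
    mov esi, offset ProgramEnd - offset REMOTE_CODE_START
    invoke VirtualProtect, offset REMOTE_CODE_START, esi, PAGE_EXECUTE_READWRITE, ADDR oldProt
    invoke GetModuleHandle,CTEXT('Kernel32.dll')
    mov ebx,eax
    invoke GetProcAddress,ebx,CTEXT('LoadLibraryA')
    mov _lpLoadLibrary,eax
    invoke GetProcAddress,ebx,CTEXT('GetProcAddress')
    mov _lpGetProcAddress,eax
    invoke GetProcAddress,ebx,CTEXT('GetModuleHandleA')
    mov _lpGetModuleHandle,eax
    ; Target selection: the process owning the desktop shell window.
    invoke FindWindow,CTEXT('Progman'),CTEXT('Program Manager')
    .if eax
        invoke GetWindowThreadProcessId,eax,offset dwProcessID
        mov dwThreadID,eax
        ; CreateRemoteThread is documented to require PROCESS_QUERY_INFORMATION
        ; and PROCESS_VM_READ in addition to the three rights the original
        ; requested.
        invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ,FALSE,dwProcessID
    .endif
    ; eax is 0 here both when the window was not found and when OpenProcess failed.
    .if eax
        mov hProcess,eax
        invoke VirtualAllocEx,hProcess,NULL,REMOTE_CODE_LENGTH,MEM_COMMIT,PAGE_EXECUTE_READWRITE
        .if eax
            mov lpRemoteCode,eax
            invoke WriteProcessMemory,hProcess,lpRemoteCode,offset REMOTE_CODE_START,REMOTE_CODE_LENGTH,NULL
            .if eax
                ; Thread entry = _RemoteThread at the same offset inside the copy.
                mov eax,lpRemoteCode
                add eax,offset _RemoteThread - offset REMOTE_CODE_START
                invoke CreateRemoteThread,hProcess,NULL,0,eax,0,0,NULL
            .endif
            .if eax
                ; Only the thread handle is released; the block must stay mapped
                ; because the remote thread executes from it and never frees it.
                invoke CloseHandle,eax
            .else
                ; Copy or thread creation failed: do not leave a stray RWX region
                ; behind in the target.
                invoke VirtualFreeEx,hProcess,lpRemoteCode,0,MEM_RELEASE
            .endif
        .endif
        invoke CloseHandle,hProcess
    .else
        invoke MessageBox,NULL,CTEXT('无法打开远程线程!'),NULL,MB_OK or MB_ICONWARNING
    .endif
    invoke ExitProcess,NULL
ProgramEnd: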
end start