1 .386
2 .model flat,stdcall
3 option casemap:none
4
5 include Windows.inc
6 include User32.inc
7 include Kernel32.inc
8 includelib User32.lib
9 includelib Kernel32.lib
10
;-----------------------------------------------------------------------
; Function-pointer types for the injected code. The remote copy of
; _RemoteThread resolves the real addresses at run time, stores them in the
; typed variables _getProcAddress / _loadLibrary / _messageBox that follow
; _RemoteThread, and calls through them with `call dword ptr [...]`.
;-----------------------------------------------------------------------
; GetProcAddress(hModule, lpProcName)
_QLGetProcAddress typedef proto :dword,:dword
; pointer to the prototype above
_ApiGetProcAddress typedef ptr _QLGetProcAddress

; LoadLibraryA(lpLibFileName)
_QLLoadLib typedef proto :dword
_ApiLoadLib typedef ptr _QLLoadLib

; MessageBoxA(hWnd, lpText, lpCaption, uType)
_QLMessageBoxA typedef proto :dword,:dword,:dword,:dword
_ApiMessageBoxA typedef ptr _QLMessageBoxA
21
.data
pHwnd dd ?              ; window currently being examined; the match when the scan stops
lpRemote dd ?           ; address of the region allocated in the target process
hProcessID dd ?         ; target process id, filled by GetWindowThreadProcessId
hProcess dd ?           ; handle returned by OpenProcess on the target
parent dd ?             ; 1 = current pHwnd is a top-level candidate whose title is checked
szBuf db 100 dup(0)     ; window-title buffer for GetWindowText
szFlag dd 004032b3h     ; not referenced anywhere in this file; presumably a leftover constant
;hProcess dd ?
.const
szTitle db 'PEDump by qixiaorui',0   ; title of the window whose owning process is targeted
.code
; Everything from REMOTE_THREAD_START to REMOTE_THREAD_END (the procs *and*
; the variables placed after _RemoteThread) is copied verbatim into the
; target process, so that region has to be position independent; that is
; why _RemoteThread addresses its data ebx-relative.
REMOTE_THREAD_START equ this byte
;-----------------------------------------------------------------------
; DWORD _GetKernelBase(void)   -- part of the injected, position-independent blob
; Walks PEB->Ldr->InInitializationOrderModuleList and returns the DllBase of
; the *second* module on that list, which the author takes to be kernel32.dll.
; NOTE(review): that ordering is version dependent; on newer Windows releases
; the module in that slot is KernelBase.dll rather than kernel32.dll -- confirm
; on the target OS before relying on this.
; In:    nothing (fs: must be the TEB; DF assumed clear for lodsd)
; Out:   eax = module base
; Clobb: no general registers (pushad/popad); one local dword on the stack
;-----------------------------------------------------------------------
_GetKernelBase proc
    local @dwRet

    pushad

    assume fs:nothing
    mov eax,fs:[30h]        ; eax = PEB (TEB+30h)
    mov eax,[eax+0ch]       ; eax = PEB->Ldr (PEB_LDR_DATA*)
    mov esi,[eax+1ch]       ; esi = Ldr->InInitializationOrderModuleList.Flink
                            ;       (points into the first LDR_MODULE entry)
    lodsd                   ; eax = that entry's Flink -> links of the 2nd entry
    mov eax,[eax+8]         ; eax = DllBase, 8 bytes past the entry's links
    mov @dwRet,eax
    popad
    mov eax,@dwRet
    ret
_GetKernelBase endp
52
53 ;_GetKernelBase proc _lpAddress 这种方法在程序入口获取当前[esp]里的内容
54 ; local @Ret
55 ; mov edi,_lpAddress
56 ; and edi,0ffff0000h
57 ; .repeat
58 ; .if word ptr [edi] == IMAGE_DOS_SIGNATURE
59 ; mov esi,edi
60 ; add esi,[esi+3ch]
61 ; .if word ptr [esi] == IMAGE_NT_SIGNATURE
62 ; mov @Ret,edi
63 ; .break
64 ; .endif
65 ;; .endif
66 ; sub edi,010000h
67 ; .break .if edi < 070000000h
68 ; .until FALSE
69 ; mov eax,@Ret
70 ;; ret
71 ;_GetKernelBase endp
72
;-----------------------------------------------------------------------
; DWORD _GetAddressFromName(DWORD _lpBase, LPCSTR _lpName)
; Part of the injected blob. Looks _lpName up in the export name table of the
; module mapped at _lpBase and returns the export's absolute address, or -1
; when no name matches. Forwarded exports are not detected: for those the
; value returned is the address of the forwarder string, not code.
; In:    _lpBase = base of an in-memory PE image; _lpName = NUL-terminated name
; Out:   eax = address of the export, or 0FFFFFFFFh when not found
; Clobb: no general registers (pushad/popad); DF assumed clear (string ops)
; NOTE(review): the .repeat body runs once even if NumberOfNames is 0.
;-----------------------------------------------------------------------
_GetAddressFromName proc _lpBase,_lpName
    local @Countsb
    local @Ret
    ; @Countsb = strlen(_lpName) + 1: scasb stops *after* the NUL, so the
    ; terminator takes part in the compare below and prefix matches are rejected
    pushad
    mov edi,_lpName
    mov al,0
    mov ecx,-1
    repnz scasb
    mov ecx,edi
    sub ecx,_lpName
    mov @Countsb,ecx
    ; export directory: base + e_lfanew -> NT headers; the export
    ; DataDirectory RVA is at +78h of the 32-bit NT headers
    mov esi,_lpBase
    add esi,[esi+3ch]
    mov edi,dword ptr [esi+78h]
    add edi,_lpBase
    assume edi : ptr IMAGE_EXPORT_DIRECTORY
    xor ebx,ebx                     ; ebx = index into the name table
    ;mov ecx,[edi].NumberOfNames
    mov edx,[edi].AddressOfNames
    add edx,_lpBase                 ; edx -> current name-RVA slot
    .repeat
        push edi                    ; edi is reused by cmpsb
        mov esi,[edx]
        add esi,_lpBase             ; esi -> exported name string
        mov edi,_lpName
        mov ecx,@Countsb            ; compare including the terminator
        repz cmpsb
        .if ZERO?
            pop edi
            jmp @F                  ; match; edx still points at its slot
        .endif
        pop edi
        add edx,4
        inc ebx
    .until ebx >= [edi].NumberOfNames
    mov @Ret,-1
    jmp _Ret
@@:
    ; index = (edx - AddressOfNames) / 4; the ordinal table has WORD slots,
    ; so the byte offset is halved (shr 1) instead of divided by 4
    sub edx,[edi].AddressOfNames
    sub edx,_lpBase
    shr edx,1
    add edx ,[edi].AddressOfNameOrdinals
    add edx,_lpBase
    movzx eax,word ptr [edx]        ; eax = ordinal (unbiased index)
    ; address = base + AddressOfFunctions[ordinal]
    shl eax, 2
    add eax,[edi].AddressOfFunctions
    add eax,_lpBase
    mov eax,[eax]
    add eax,_lpBase
    mov @Ret,eax

_Ret:
    popad
    mov eax,@Ret
    ret
_GetAddressFromName endp
;==================
; Remote thread entry -- the start address handed to CreateRemoteThread.
; DWORD WINAPI _RemoteThread(LPVOID lParam)   (lParam is never read)
; Executes inside the *target* process from a copy that lives at a different
; address than this image, so absolute `offset sym` values cannot be used
; directly: ebx holds (runtime address - link address) and every data access
; is `[ebx + offset sym]`. The calls to _GetKernelBase and
; _GetAddressFromName are relative and both lie inside the copied region.
; Steps: kernel32 base -> GetProcAddress -> LoadLibraryA("user32.dll")
;        -> MessageBoxA -> MessageBoxA(0, szText, 0, 1)
; Writes: hKernel32Base, lpGetProcAddr, _getProcAddress, _loadLibrary,
;         hUser32Base, _messageBox -- all inside the copied region, which is
;         why _GetTopWidnow allocates it PAGE_EXECUTE_READWRITE.
; NOTE(review): the -1 that _GetAddressFromName returns on a miss is never
; checked here; a failed lookup would be called as if it were a function.
;==================
_RemoteThread proc uses ebx edi esi lParam
    call @F
@@:
    pop ebx                         ; ebx = runtime address of @@
    sub ebx,offset @B               ; ebx = relocation delta
    invoke _GetKernelBase
    mov [ebx + offset hKernel32Base],eax
    ; _getProcAddress = export lookup of "GetProcAddress" in kernel32
    mov eax,offset szGetProcAddr
    add eax,ebx
    mov ecx,offset hKernel32Base
    mov ecx,[ebx+ecx]
    invoke _GetAddressFromName ,ecx,eax
    mov [ebx + offset lpGetProcAddr],eax
    mov [ebx + offset _getProcAddress],eax

    ; _loadLibrary = GetProcAddress(hKernel32, "LoadLibraryA")
    mov eax, offset szLoadLib
    add eax,ebx
    mov ecx,offset hKernel32Base
    mov ecx,[ebx+ecx]
    mov edx,offset _getProcAddress
    add edx,ebx

    push eax                        ; lpProcName
    push ecx                        ; hModule
    call dword ptr [edx]

    mov [ebx + offset _loadLibrary],eax
    ; hUser32Base = LoadLibraryA("user32.dll")
    mov eax,offset user32_DLL
    add eax,ebx
    mov edx,offset _loadLibrary
    mov edx,[ebx+edx]
    push eax                        ; lpLibFileName
    call edx
    mov [ebx + offset hUser32Base],eax
    ; _messageBox = GetProcAddress(hUser32, "MessageBoxA")
    mov eax,offset hUser32Base
    mov eax,[ebx +eax]
    mov ecx,offset szMessageBox
    add ecx,ebx
    mov edx,offset _getProcAddress
    mov edx,[ebx +edx]
    push ecx                        ; lpProcName
    push eax                        ; hModule
    call edx
    mov [ebx + offset _messageBox],eax
    ; MessageBoxA(NULL, szText, NULL, 1)   -- 1 = MB_OKCANCEL
    push 1                          ; uType
    push 0                          ; lpCaption
    mov eax,offset szText
    add eax,ebx
    push eax                        ; lpText
    push 0                          ; hWnd
    mov edx,offset _messageBox
    add edx,ebx
    call dword ptr [edx]

    ret                             ; MASM epilogue restores ebx/edi/esi and drops lParam
_RemoteThread endp
190
;------------------------------------------------
; Data used by the remote thread. It is placed in .code between
; REMOTE_THREAD_START and REMOTE_THREAD_END so that it travels with the code
; into the target; _RemoteThread reaches it ebx-relative.
; NOTE(review): the variables below are *written* at run time. That works in
; the remote copy (allocated PAGE_EXECUTE_READWRITE) but would normally fault
; if _RemoteThread were run in this process -- see the commented-out
; `call _RemoteThread` at `start` -- since .code is not writable here.
;------------------------------------------------
szText db 'HelloWorldPE',0          ; MessageBoxA text
szGetProcAddr db 'GetProcAddress',0 ; export names resolved by _RemoteThread
szLoadLib db 'LoadLibraryA',0
szMessageBox db 'MessageBoxA',0

user32_DLL db 'user32.dll',0,0      ; argument to LoadLibraryA

; resolved function pointers (typed with the typedefs at the top of the file)
_getProcAddress _ApiGetProcAddress ?
_loadLibrary _ApiLoadLib ?
_messageBox _ApiMessageBoxA ?


hKernel32Base dd ?        ; result of _GetKernelBase
hUser32Base dd ?          ; result of LoadLibraryA
lpGetProcAddr dd ?        ; same value as _getProcAddress
lpLoadLib dd ?            ; never written or read in this file

REMOTE_THREAD_END equ this byte
; byte count that _GetTopWidnow allocates and copies with WriteProcessMemory
REMOTE_THREAD_SIZE=offset REMOTE_THREAD_END-offset REMOTE_THREAD_START
214
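;-----------------------------------------------------------------------
; void _GetTopWidnow(void)   (name kept as-is: it is the symbol `start` invokes)
; Scans the desktop's top-level windows for one titled szTitle, opens the
; process that owns it, copies the REMOTE_THREAD_START..REMOTE_THREAD_END
; region into that process and starts _RemoteThread there.
; ABI:    stdcall, no parameters; eax is not a meaningful return value
; Writes: pHwnd, parent, szBuf, hProcessID, hProcess, lpRemote
; Fixes vs. the original: returns early when no window matches or when
; OpenProcess fails (the original went on with a NULL handle), does not
; start the thread if WriteProcessMemory fails, and closes the thread and
; process handles (both used to leak). The remote allocation is left
; mapped on purpose: the thread executes from it.
; The region is RWX because _RemoteThread writes its resolved pointers
; into variables that live inside the same copied region.
;-----------------------------------------------------------------------
_GetTopWidnow proc
    local @WriteCount

    ; start at the first top-level child of the desktop
    invoke GetDesktopWindow
    invoke GetWindow,eax,GW_CHILD
    invoke GetWindow,eax,GW_HWNDFIRST
    mov pHwnd,eax
    invoke GetParent,eax
    .if !eax
        mov parent,1                ; first candidate: any top-level window
    .endif
    mov eax,pHwnd
    .while eax
        .if parent
            mov parent,0
            invoke GetWindowText,pHwnd,addr szBuf,sizeof szBuf
            invoke lstrcmp,addr szBuf,offset szTitle
            .if !eax
                mov eax,pHwnd       ; title matched; pHwnd is the target window
                .break
            .endif
        .endif
        invoke GetWindow,pHwnd,GW_HWNDNEXT
        mov pHwnd,eax
        invoke GetParent,eax
        .if !eax
            invoke IsWindowVisible,pHwnd
            .if eax
                mov parent,1        ; later candidates: top-level AND visible
            .endif
        .endif
        mov eax,pHwnd
    .endw

    ; no window with the expected title: nothing to inject into
    mov eax,pHwnd
    .if !eax
        ret
    .endif

    invoke GetWindowThreadProcessId,pHwnd,offset hProcessID

    invoke OpenProcess,PROCESS_ALL_ACCESS,\
            FALSE,hProcessID
    mov hProcess,eax
    .if !eax
        ret                         ; access denied or process already gone
    .endif

    invoke VirtualAllocEx,hProcess,NULL,\
            REMOTE_THREAD_SIZE,\
            MEM_COMMIT,\
            PAGE_EXECUTE_READWRITE
    .if eax
        mov lpRemote,eax
        invoke WriteProcessMemory,hProcess,\
                lpRemote,\
                offset REMOTE_THREAD_START,\
                REMOTE_THREAD_SIZE,\
                addr @WriteCount
        ; only start the thread if the whole region was actually written
        .if eax
            mov eax,lpRemote
            add eax,offset _RemoteThread - offset REMOTE_THREAD_START
            invoke CreateRemoteThread,hProcess,NULL,0,eax,0,0,NULL
            .if eax
                invoke CloseHandle,eax  ; thread handle is not needed further
            .endif
        .endif
    .endif

    invoke CloseHandle,hProcess
    ret
_GetTopWidnow endp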
276
start:
    ; Program entry: run the injector once, then terminate with exit code 0.
    ; _RemoteThread is never executed in this process; it is only copied
    ; into the target by _GetTopWidnow.
    invoke _GetTopWidnow
    push NULL
    call ExitProcess
end start