15,471
社区成员
发帖
与我相关
我的任务
分享关于psapi.dll在98下的使用?
我的使用psapi.dll的程序在2k下可以正常运行,但是到98下运行时显示如下错误:
窗口标题是
"启动程序时出错"
内容是:
链接文件psapi.dll到不存在的输出ntdll.dll:stricmp这是什么错误呢?怎样解决呢?
窗口标题是
"启动程序时出错"
内容是:
链接文件psapi.dll到不存在的输出ntdll.dll:stricmp这是什么错误呢?怎样解决呢?
...全文
请发表友善的回复…
发表回复
guww 2003-12-27
- 打赏
- 举报
gz
会思考的草 2003-12-11
- 打赏
- 举报
,众所周知在NT下可以通过CreateRemoteThread将线程插入到其他的地址空间,但在9X下
,不支持该函数,我以前写过的9X下防火墙保护技术,利用了微软的Undocumented Api
,CreateKernelThread可以把线程插入到KERNEL32中,但要把线程插入到其他进程中就没有什么API可用了,但,是可以通过调式API强大的功能来实现WIN9X下CreateRemoteThread
,下面的程序可以把MESSAGEBOX线程插入到其他进程的RVA 500H处,这里通过CreateProcess产生一个进程,然,后插入线程,你也可以通过DebugActiveProcess往后台运行的进程中插入线程。你甚至可以把你的病毒线程插,入到防毒软件的进程中,嘿嘿.
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\comdlg32.lib
.data
User db 'User32.dll',0
UserMessageBoxStr db 'MessageBoxA',0
KnlCreateThreadStr db 'CreateThread',0
AppName db "Win32 Debug Test",0
ofn OPENFILENAME <>
FilterString db "Executable Files",0,"*.exe",0
db "All Files",0,"*.*",0,0
ExitProc db "The debuggee exits",0
NewThread db "A new thread is created",0
EndThread db "A thread is destroyed",0
ProcessInfo db "File Handle: %lx ",0dh,0Ah
db "Process Handle: %lx",0Dh,0Ah
db "Thread Handle: %lx",0Dh,0Ah
db "Image Base: %lx",0Dh,0Ah
db "Start offsetess: %lx",0
Tmpbuffer db 512 dup(?)
buffer db 512 dup(?)
startinfo STARTUPINFO <>
pi PROCESS_INFORMATION <>
DBEvent DEBUG_EVENT <>
ProcessId dd ?
ThreadId dd ?
INTFlag dd 0
HProcess dd ?
HThread dd ?
OldlpStartAddress dd ?
align dword
context CONTEXT <>
.code
MsgNewThread:
push esi
push edi
call tmp
tmp:
pop esi
sub esi,offset tmp
jmp @f
Caution db 'Caption',0
Text db 'RemoteThread Test!',0
UserMessageBox dd ?
@@:
push 0
lea edi,Caution[esi]
push edi
lea edi,Text[esi]
push edi
push dword ptr 0
lea edi,UserMessageBox[esi]
call dword ptr[edi]
pop edi
pop esi
ret
NewThreadLength=$-MsgNewThread
RemoteThread:
pushad
push eax
push esp
push 0
push 0
push 400500h
NewThreadAddr=$-4
push 0
push 0
call GetCreateThread
KnlCreateThread dd ?
GetCreateThread:
pop eax
call dword ptr[eax]
pop eax
popad
jmp $
RemoteThreadLength=$- RemoteThread
start:
invoke GetModuleHandle,offset User
or eax,eax
jnz OK
invoke LoadLibraryA,offset User
OK:
invoke GetProcAddress,eax,offset UserMessageBoxStr
mov UserMessageBox,eax
invoke GetProcAddress,0bff70000h,offset KnlCreateThreadStr
mov KnlCreateThread,eax
mov ofn.lStructSize,size ofn
mov ofn.lpstrFilter, offset FilterString
mov ofn.lpstrFile, offset buffer
mov ofn.nMaxFile,512
mov ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES or OFN_EXPLORER or OFN_HIDEREADONLY
invoke GetOpenFileName, offset ofn
or eax,eax
jz Exit
invoke GetStartupInfo,offset startinfo
invoke CreateProcess, offset buffer, NULL, NULL, NULL, FALSE, \
DEBUG_PROCESS+ DEBUG_ONLY_THIS_PROCESS, NULL, NULL, offset startinfo, offset pi
or eax,eax
jz Exit
Debug:
invoke WaitForDebugEvent, offset DBEvent, INFINITE
cmp DBEvent.dwDebugEventCode,EXIT_PROCESS_DEBUG_EVENT
jnz @f
invoke MessageBox, 0, offset ExitProc, offset AppName, MB_OK+MB_ICONINFORMATION
jmp Close
@@:
cmp DBEvent.dwDebugEventCode,CREATE_PROCESS_DEBUG_EVENT
jnz @f
push DBEvent.u.CreateProcessInfo.hProcess
pop dword ptr[HProcess]
push DBEvent.u.CreateProcessInfo.hThread
pop dword ptr[HThread]
push DBEvent.u.CreateProcessInfo.lpStartAddress
pop dword ptr[OldlpStartAddress]
push DBEvent.u.CreateProcessInfo.lpBaseOfImage
pop dword ptr[NewThreadAddr]
add dword ptr[NewThreadAddr],500h
invoke wsprintf, offset buffer, offset ProcessInfo, DBEvent.u.CreateProcessInfo.hFile,\
DBEvent.u.CreateProcessInfo.hProcess, DBEvent.u.CreateProcessInfo.hThread, \
DBEvent.u.CreateProcessInfo.lpBaseOfImage, DBEvent.u.CreateProcessInfo.lpStartAddress
invoke MessageBox,0, offset buffer, offset AppName, MB_OK+MB_ICONINFORMATION
mov context.ContextFlags, CONTEXT_FULL
invoke GetThreadContext,HThread, offset context
invoke ReadProcessMemory, HProcess,OldlpStartAddress,\
offset Tmpbuffer,RemoteThreadLength,NULL
invoke WriteProcessMemory, HProcess,dword ptr[NewThreadAddr],\
offset MsgNewThread,NewThreadLength,NULL
or eax,eax
jz @f
invoke WriteProcessMemory, HProcess,OldlpStartAddress,\
offset RemoteThread,RemoteThreadLength,NULL
or eax,eax
jz @f
mov INTFlag,1
@@:
cmp DBEvent.dwDebugEventCode,EXCEPTION_DEBUG_EVENT
jnz @f
cmp DBEvent.u.Exception.pExceptionRecord.ExceptionCode,EXCEPTION_BREAKPOINT
jnz @f
invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE
jmp Debug
@@:
cmp DBEvent.dwDebugEventCode,CREATE_THREAD_DEBUG_EVENT
jnz @f
invoke MessageBox,0, offset NewThread, offset AppName, MB_OK+MB_ICONINFORMATION
cmp INTFlag,1
jnz @f
invoke WriteProcessMemory, HProcess,OldlpStartAddress,\
offset Tmpbuffer,RemoteThreadLength,NULL
mov eax,OldlpStartAddress
mov dword ptr [context.regEip],eax
mov INTFlag,0
invoke SetThreadContext,HThread, offset context
@@:
cmp DBEvent.dwDebugEventCode,EXIT_THREAD_DEBUG_EVENT
jnz @f
invoke MessageBox,0, offset EndThread, offset AppName, MB_OK+MB_ICONINFORMATION
@@:
invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, \
DBG_EXCEPTION_NOT_HANDLED
or eax,eax
jz Close
jmp Debug
Close:
invoke CloseHandle,pi.hProcess
invoke CloseHandle,pi.hThread
Exit:
invoke ExitProcess, 0
end start
,不支持该函数,我以前写过的9X下防火墙保护技术,利用了微软的Undocumented Api
,CreateKernelThread可以把线程插入到KERNEL32中,但要把线程插入到其他进程中就没有什么API可用了,但,是可以通过调式API强大的功能来实现WIN9X下CreateRemoteThread
,下面的程序可以把MESSAGEBOX线程插入到其他进程的RVA 500H处,这里通过CreateProcess产生一个进程,然,后插入线程,你也可以通过DebugActiveProcess往后台运行的进程中插入线程。你甚至可以把你的病毒线程插,入到防毒软件的进程中,嘿嘿.
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\comdlg32.lib
.data
User db 'User32.dll',0
UserMessageBoxStr db 'MessageBoxA',0
KnlCreateThreadStr db 'CreateThread',0
AppName db "Win32 Debug Test",0
ofn OPENFILENAME <>
FilterString db "Executable Files",0,"*.exe",0
db "All Files",0,"*.*",0,0
ExitProc db "The debuggee exits",0
NewThread db "A new thread is created",0
EndThread db "A thread is destroyed",0
ProcessInfo db "File Handle: %lx ",0dh,0Ah
db "Process Handle: %lx",0Dh,0Ah
db "Thread Handle: %lx",0Dh,0Ah
db "Image Base: %lx",0Dh,0Ah
db "Start offsetess: %lx",0
Tmpbuffer db 512 dup(?)
buffer db 512 dup(?)
startinfo STARTUPINFO <>
pi PROCESS_INFORMATION <>
DBEvent DEBUG_EVENT <>
ProcessId dd ?
ThreadId dd ?
INTFlag dd 0
HProcess dd ?
HThread dd ?
OldlpStartAddress dd ?
align dword
context CONTEXT <>
.code
MsgNewThread:
push esi
push edi
call tmp
tmp:
pop esi
sub esi,offset tmp
jmp @f
Caution db 'Caption',0
Text db 'RemoteThread Test!',0
UserMessageBox dd ?
@@:
push 0
lea edi,Caution[esi]
push edi
lea edi,Text[esi]
push edi
push dword ptr 0
lea edi,UserMessageBox[esi]
call dword ptr[edi]
pop edi
pop esi
ret
NewThreadLength=$-MsgNewThread
RemoteThread:
pushad
push eax
push esp
push 0
push 0
push 400500h
NewThreadAddr=$-4
push 0
push 0
call GetCreateThread
KnlCreateThread dd ?
GetCreateThread:
pop eax
call dword ptr[eax]
pop eax
popad
jmp $
RemoteThreadLength=$- RemoteThread
start:
invoke GetModuleHandle,offset User
or eax,eax
jnz OK
invoke LoadLibraryA,offset User
OK:
invoke GetProcAddress,eax,offset UserMessageBoxStr
mov UserMessageBox,eax
invoke GetProcAddress,0bff70000h,offset KnlCreateThreadStr
mov KnlCreateThread,eax
mov ofn.lStructSize,size ofn
mov ofn.lpstrFilter, offset FilterString
mov ofn.lpstrFile, offset buffer
mov ofn.nMaxFile,512
mov ofn.Flags, OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST or OFN_LONGNAMES or OFN_EXPLORER or OFN_HIDEREADONLY
invoke GetOpenFileName, offset ofn
or eax,eax
jz Exit
invoke GetStartupInfo,offset startinfo
invoke CreateProcess, offset buffer, NULL, NULL, NULL, FALSE, \
DEBUG_PROCESS+ DEBUG_ONLY_THIS_PROCESS, NULL, NULL, offset startinfo, offset pi
or eax,eax
jz Exit
Debug:
invoke WaitForDebugEvent, offset DBEvent, INFINITE
cmp DBEvent.dwDebugEventCode,EXIT_PROCESS_DEBUG_EVENT
jnz @f
invoke MessageBox, 0, offset ExitProc, offset AppName, MB_OK+MB_ICONINFORMATION
jmp Close
@@:
cmp DBEvent.dwDebugEventCode,CREATE_PROCESS_DEBUG_EVENT
jnz @f
push DBEvent.u.CreateProcessInfo.hProcess
pop dword ptr[HProcess]
push DBEvent.u.CreateProcessInfo.hThread
pop dword ptr[HThread]
push DBEvent.u.CreateProcessInfo.lpStartAddress
pop dword ptr[OldlpStartAddress]
push DBEvent.u.CreateProcessInfo.lpBaseOfImage
pop dword ptr[NewThreadAddr]
add dword ptr[NewThreadAddr],500h
invoke wsprintf, offset buffer, offset ProcessInfo, DBEvent.u.CreateProcessInfo.hFile,\
DBEvent.u.CreateProcessInfo.hProcess, DBEvent.u.CreateProcessInfo.hThread, \
DBEvent.u.CreateProcessInfo.lpBaseOfImage, DBEvent.u.CreateProcessInfo.lpStartAddress
invoke MessageBox,0, offset buffer, offset AppName, MB_OK+MB_ICONINFORMATION
mov context.ContextFlags, CONTEXT_FULL
invoke GetThreadContext,HThread, offset context
invoke ReadProcessMemory, HProcess,OldlpStartAddress,\
offset Tmpbuffer,RemoteThreadLength,NULL
invoke WriteProcessMemory, HProcess,dword ptr[NewThreadAddr],\
offset MsgNewThread,NewThreadLength,NULL
or eax,eax
jz @f
invoke WriteProcessMemory, HProcess,OldlpStartAddress,\
offset RemoteThread,RemoteThreadLength,NULL
or eax,eax
jz @f
mov INTFlag,1
@@:
cmp DBEvent.dwDebugEventCode,EXCEPTION_DEBUG_EVENT
jnz @f
cmp DBEvent.u.Exception.pExceptionRecord.ExceptionCode,EXCEPTION_BREAKPOINT
jnz @f
invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, DBG_CONTINUE
jmp Debug
@@:
cmp DBEvent.dwDebugEventCode,CREATE_THREAD_DEBUG_EVENT
jnz @f
invoke MessageBox,0, offset NewThread, offset AppName, MB_OK+MB_ICONINFORMATION
cmp INTFlag,1
jnz @f
invoke WriteProcessMemory, HProcess,OldlpStartAddress,\
offset Tmpbuffer,RemoteThreadLength,NULL
mov eax,OldlpStartAddress
mov dword ptr [context.regEip],eax
mov INTFlag,0
invoke SetThreadContext,HThread, offset context
@@:
cmp DBEvent.dwDebugEventCode,EXIT_THREAD_DEBUG_EVENT
jnz @f
invoke MessageBox,0, offset EndThread, offset AppName, MB_OK+MB_ICONINFORMATION
@@:
invoke ContinueDebugEvent, DBEvent.dwProcessId, DBEvent.dwThreadId, \
DBG_EXCEPTION_NOT_HANDLED
or eax,eax
jz Close
jmp Debug
Close:
invoke CloseHandle,pi.hProcess
invoke CloseHandle,pi.hThread
Exit:
invoke ExitProcess, 0
end start
lifg 2003-12-11
- 打赏
- 举报
现在知道了,那能不能在98下,插入远程线程呢?用什么函数呢?
lifg 2003-12-10
- 打赏
- 举报
高手快来啊!
elabs 2003-12-10
- 打赏
- 举报
晕倒,那个本来就是2K的库,你非要在98下用,不出错才怪呢。
要是你高兴,是不是写个windows程序,到UNIX下执行啊。
要是你高兴,是不是写个windows程序,到UNIX下执行啊。
