As everyone knows, on NT you can use CreateRemoteThread to insert a thread into another process's address space, but 9X does not support that function. The 9X firewall-protection technique I wrote about earlier used Microsoft's undocumented API CreateKernelThread, which can insert a thread into KERNEL32, but there is no API available for inserting a thread into some other process. However, the powerful debug API can be used to implement CreateRemoteThread on WIN9X.

The program below inserts a MessageBox thread at RVA 500H of another process. Here a process is created with CreateProcess and the thread is then inserted; you could also use DebugActiveProcess to insert a thread into a process already running in the background. You could even insert your virus thread into an anti-virus program's process, heh heh.
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\comdlg32.lib
.data
User db 'User32.dll',0
UserMessageBoxStr db 'MessageBoxA',0
KnlCreateThreadStr db 'CreateThread',0
AppName db "Win32 Debug Test",0
ofn OPENFILENAME <>
FilterString db "Executable Files",0,"*.exe",0
db "All Files",0,"*.*",0,0
ExitProc db "The debuggee exits",0
NewThread db "A new thread is created",0
EndThread db "A thread is destroyed",0
ProcessInfo db "File Handle: %lx ",0dh,0Ah
db "Process Handle: %lx",0Dh,0Ah
db "Thread Handle: %lx",0Dh,0Ah
db "Image Base: %lx",0Dh,0Ah
db "Start Address: %lx",0
Tmpbuffer db 512 dup(?)
buffer db 512 dup(?)
startinfo STARTUPINFO <>
pi PROCESS_INFORMATION <>
DBEvent DEBUG_EVENT <>
ProcessId dd ?
ThreadId dd ?
.code
; Position-independent stub that is copied into the target process and run there
; as a new thread. It cannot rely on its link-time addresses, so it computes a
; delta (run-time address minus link-time address) with the call/pop/sub idiom
; and adds that delta to every address it touches.
MsgNewThread:
    push esi
    push edi
    call tmp                        ; pushes the run-time address of tmp
tmp:
    pop esi                         ; esi = run-time address of tmp
    sub esi,offset tmp              ; esi = delta between run-time and link-time addresses
    jmp @f                          ; skip over the embedded data
Caution        db 'Caption',0
Text           db 'RemoteThread Test!',0
UserMessageBox dd ?                 ; holds the address of MessageBoxA (the UserMessageBoxStr name above suggests it is resolved with GetProcAddress)
@@:
    push 0                          ; uType = MB_OK
    lea edi,Caution[esi]            ; lpCaption, relocated by the delta
    push edi
    lea edi,Text[esi]               ; lpText, relocated by the delta
    push edi
    push dword ptr 0                ; hWnd = NULL
    lea edi,UserMessageBox[esi]
    call dword ptr [edi]            ; MessageBoxA(NULL, Text, Caption, MB_OK)
    pop edi
    pop esi
    ret
NewThreadLength = $-MsgNewThread    ; number of bytes to copy into the target process
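The stub above locates itself at run time with the classic "call to the next instruction, then pop" idiom (call tmp / pop esi / sub esi,offset tmp), which assembles to E8 00 00 00 00 followed by a one-byte POP and, here, an 81 /5 SUB with a 32-bit immediate. Because code that relocates itself this way is rare in ordinary compiled binaries, the byte pattern is a useful thing to look for when scanning memory dumps or files for injected stubs. The scanner below is an added example, not code from the original post; it generalises the page's esi case to any POP r32 register, decodes the link-time address the stub subtracts when a SUB follows, and runs on a constructed byte buffer (the 0x00401007 link-time address in it is made up for the example).

```python
# Added example: detect the "call $+5 / pop reg" GetPC idiom used by the injected
# MessageBox stub, and decode the link-time address it subtracts afterwards.
import re

# x86 register names in the order of the one-byte POP r32 opcodes 0x58..0x5F.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# E8 00 00 00 00 = CALL rel32 with displacement 0: it "calls" the very next
# instruction and thereby pushes that instruction's run-time address.
# It must be followed immediately by 58..5F = POP r32 to count as GetPC.
GETPC = re.compile(rb"\xe8\x00\x00\x00\x00([\x58-\x5f])", re.DOTALL)


def find_getpc(blob):
    """Return one dict per GetPC idiom found in blob.

    Each hit carries the offset of the CALL, the register the address is
    popped into and, if the pop is followed by SUB reg, imm32 (81 /5 id),
    the link-time address the stub subtracts ('offset tmp' in the stub).
    """
    hits = []
    for m in GETPC.finditer(blob):
        off = m.start()
        reg_idx = m.group(1)[0] - 0x58
        hit = {"offset": off, "reg": REGS[reg_idx], "link_addr": None}
        # Optional follow-on: 81 <ModRM> <imm32> where ModRM has mod=11 (register
        # operand), reg field /5 (SUB) and rm = the register that was just popped.
        tail = blob[off + 6 : off + 12]
        if len(tail) == 6 and tail[0] == 0x81:
            modrm = tail[1]
            if modrm >> 6 == 3 and (modrm >> 3) & 7 == 5 and modrm & 7 == reg_idx:
                hit["link_addr"] = int.from_bytes(tail[2:6], "little")
        hits.append(hit)
    return hits


# Constructed sample: the stub's prologue as it would be assembled, padded with
# NOPs in front and zeros behind. The SUB immediate is a made-up link address.
STUB_PROLOGUE = bytes.fromhex(
    "56"            # push esi
    "57"            # push edi
    "e800000000"    # call tmp   (tmp is the next instruction)
    "5e"            # pop esi    (esi = run-time address of tmp)
    "81ee07104000"  # sub esi, 00401007h  (constructed 'offset tmp')
    "eb1c"          # jmp @f     (skip over the embedded strings)
)
SAMPLE = b"\x90" * 16 + STUB_PROLOGUE + b"\x00" * 32


if __name__ == "__main__":
    for h in find_getpc(SAMPLE):
        link = "n/a" if h["link_addr"] is None else "0x%08x" % h["link_addr"]
        print("GetPC at offset %d into %s, link-time address %s"
              % (h["offset"], h["reg"], link))
```

A CALL with a non-zero displacement followed by a POP is ordinary code and is deliberately not reported; only the zero-displacement form that pushes its own address is flagged. The decoded link-time address is worth recording because it tells you which image the stub was originally assembled into, which is the injector, not the process it was found in.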