Injection-DLL


DLL注入工具是信息安全相关领域的常用工具:在Windows系统下把动态库加载到一个正在运行的进程中,这样DLL就运行在该进程的地址空间内,可以调用该进程的函数并读写进程中的数据。大多数游戏内存外挂就会使用DLL注入技术去读取游戏数据和控制游戏人物的行为。这个工具是早期学习WIN32汇编时写的,采用的是最基础的 CreateRemoteThread + LoadLibraryA 方式:程序启动时先申请 SeDebugPrivilege(只有管理员/提权后的令牌才真正拥有该特权),然后在目标进程中分配内存写入DLL的完整路径,再创建远程线程调用 LoadLibraryA。注意:本程序以 .386 / flat 模型编译为32位程序,只能注入32位进程;这种注入方式很可能被杀毒软件或EDR拦截或告警,请只在自己拥有的进程和测试环境中使用。


Download

链接:https://pan.baidu.com/s/1LpRYvGgnf7R4sk-I93CD9g

密码:n3k6

注意:网盘中提供的是预编译的可执行文件,无法核对其来源和完整性(没有签名或校验值);建议使用下面的源码自行编译,或至少先在隔离环境中检查再运行。


相关代码⤵⤵⤵

Into.asm

;*************************************************
; https://bbs.guaik.org
;*************************************************
			.386
			.model flat,stdcall
			option casemap:none
;*************************************************
include			windows.inc
include			user32.inc
includelib		user32.lib
include			kernel32.inc
includelib		kernel32.lib
include			advapi32.inc
includelib		advapi32.lib
include			comdlg32.inc
includelib		comdlg32.lib
include			shell32.inc
includelib		shell32.lib
include			into.inc

;*************************************************
.data?
hInstance	dd	?				; module handle of this EXE, set in start
hWinMain	dd	?				; HWND of the main dialog, set on WM_INITDIALOG
lpLoadLibrary	dd	?				; kernel32!LoadLibraryA, resolved in _Into; used as the remote thread start address
lpFreeLibrary	dd	?				; kernel32!FreeLibraryAndExitThread, resolved in _Out; remote thread start address
hProcess	dd	?				; handle of the target process, opened by _Into / _Out
lpDllName	dd	?				; address of the DLL-path buffer allocated inside the target by _Into
szDllName	db MAX_PATH dup (?)		; full path picked in _OpenDll; copied byte-for-byte into the target
.const
szText		db	'[GuaikBBS]:https://bbs.guaik.org',0	; initial text of the IDC_MSG status box
szCaption	db	'[GhostHand]Message',0			; caption for every MessageBox
szSetDebug	db	'SeDebugPrivilege',0			; privilege requested in _EnableDebug
szATPErr	db	'[AdjustTokenPrivileges]:Error!!',0
szLPVErr	db	'[LookupPrivilegeValue]:Error!',0
szOPTErr	db	'[OpenProcessToken]:Error!',0
szFilter	db	'Dll Files(*.dll)',0,'*.dll',0,0		; filter pairs; double NUL terminates the list for GetOpenFileName
szOpenCaption	db	'Select a dll',0
szOD		db	'[_OpenDll]:请选择Dll文件!',0		; shown when "Inject" is pressed with no DLL chosen
szDllKernel	db	'Kernel32.dll',0
szLoadLibrary	db	'LoadLibraryA',0			; ANSI variant: szDllName is an ANSI buffer
szFreeLibrary	db	'FreeLibraryAndExitThread',0
szCRTErr	db	'[CreateRemoteThread]:Error!',0
szVAEErr	db	'[VirtualAllocEx]:Error!',0
szOPErr		db	'[OpenProcess]:Error!',0
szCRTOk		db	'[CreateRemoteThread]:Success!',0
szEmail		db	'mailto:luting.gu@gmail.com',0		; passed to ShellExecute by the "contact author" button
szNtDll		db	'ntdll.dll',0
szNtQueryInformationThread	db	'NtQueryInformationThread',0	; resolved at run time in _KillThread (not exported by kernel32)
.code
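;-------------------------------------------------------------------------
; _SetWinPos(_hWnd)
; Moves window _hWnd so that it is centred on the primary screen.
; In:   _hWnd - window to move
; Out:  eax undefined
; Notes: width/height are taken as right-left / bottom-top of the window
;        rectangle, so the result is correct even when the window is not
;        currently at (0,0).  Halving is done with shr (values are
;        non-negative screen coordinates), which avoids the 16-bit div
;        that left the upper half of eax untouched.
;-------------------------------------------------------------------------
_SetWinPos	proc	_hWnd

		LOCAL @x:dword
		LOCAL @y:dword
		LOCAL @rc:RECT

		; start from the screen centre
		invoke GetSystemMetrics,SM_CXSCREEN
		shr eax,1
		mov @x,eax
		invoke GetSystemMetrics,SM_CYSCREEN
		shr eax,1
		mov @y,eax

		; without a valid rectangle we cannot compute an offset - leave the window alone
		invoke GetWindowRect,_hWnd,addr @rc
		.if eax == 0
			ret
		.endif

		; x = screen_w/2 - win_w/2
		mov eax,@rc.right
		sub eax,@rc.left
		shr eax,1
		sub @x,eax
		; y = screen_h/2 - win_h/2
		mov eax,@rc.bottom
		sub eax,@rc.top
		shr eax,1
		sub @y,eax

		invoke SetWindowPos,_hWnd,NULL,@x,@y,0,0,SWP_NOSIZE
		ret

_SetWinPos endp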

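;-------------------------------------------------------------------------
; _EnableDebug()
; Enables SeDebugPrivilege in this process's own token so that the later
; OpenProcess / OpenThread calls also succeed on processes owned by other
; users (services, SYSTEM).  The privilege is only present in an
; administrator / elevated token; in a plain user token the request is
; accepted but nothing is assigned.
; Out:  eax = TRUE if the privilege is now enabled, FALSE otherwise.
;       Every failure is also reported to the user with a MessageBox.
;-------------------------------------------------------------------------
_EnableDebug	proc

		LOCAL @hProc:dword
		LOCAL @hToken:dword
		LOCAL @ok:dword
		LOCAL @tkp:TOKEN_PRIVILEGES

		; Keep the pseudo-handle in a local: 'addr' of a local makes invoke
		; use eax, so passing the handle in eax directly would clobber it.
		invoke GetCurrentProcess
		mov @hProc,eax
		invoke OpenProcessToken,@hProc,TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,addr @hToken
		.if eax == 0
			invoke MessageBox,hWinMain,offset szOPTErr,offset szCaption,MB_OK
			mov eax,FALSE
			ret
		.endif

		invoke LookupPrivilegeValue,NULL,offset szSetDebug,addr @tkp.Privileges.Luid
		.if eax == 0
			invoke CloseHandle,@hToken
			invoke MessageBox,hWinMain,offset szLPVErr,offset szCaption,MB_OK
			mov eax,FALSE
			ret
		.endif

		mov @tkp.PrivilegeCount,1
		mov @tkp.Privileges.Attributes,SE_PRIVILEGE_ENABLED
		invoke AdjustTokenPrivileges,@hToken,FALSE,addr @tkp,sizeof @tkp,NULL,NULL
		mov @ok,eax
		.if eax
			; A non-zero return only means the request was processed.  When the
			; token does not hold the privilege the call still returns non-zero
			; and reports ERROR_NOT_ALL_ASSIGNED - treat that as failure.
			invoke GetLastError
			.if eax == ERROR_NOT_ALL_ASSIGNED
				mov @ok,FALSE
			.endif
		.endif

		invoke CloseHandle,@hToken		; close on every path, not only on failure
		.if @ok == 0
			invoke MessageBox,hWinMain,offset szATPErr,offset szCaption,MB_OK
		.endif
		mov eax,@ok
		ret

_EnableDebug endp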

;-------------------------------------------------------------------------
; _OpenDll()
; Shows the "open file" dialog filtered to *.dll and stores the chosen
; full path in the global szDllName buffer, echoing it into IDC_DLLPATH.
; When the dialog is cancelled szDllName is left as it was (a previously
; chosen path, or the empty buffer).
; Out:  eax undefined
;-------------------------------------------------------------------------
_OpenDll	proc

		LOCAL @ofn:OPENFILENAME

		; zero the structure so every field we do not set is NULL/0
		invoke RtlZeroMemory,addr @ofn,sizeof @ofn
		mov @ofn.lStructSize,sizeof @ofn
		mov eax,hWinMain
		mov @ofn.hwndOwner,eax
		mov @ofn.lpstrFilter,offset szFilter
		mov @ofn.lpstrTitle,offset szOpenCaption
		; the result lands directly in szDllName, the buffer _Into copies
		; into the target process
		mov @ofn.lpstrFile,offset szDllName
		mov @ofn.nMaxFile,MAX_PATH
		mov @ofn.Flags,OFN_PATHMUSTEXIST or OFN_FILEMUSTEXIST

		invoke GetOpenFileName,addr @ofn
		.if eax != 0
			invoke SetDlgItemText,hWinMain,IDC_DLLPATH,offset szDllName
		.endif
		ret

_OpenDll endp

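;-------------------------------------------------------------------------
; _GetProcessList(_hWnd)
; Fills the IDC_PROCESSLIST list box with the image name of every process
; in a Toolhelp snapshot; each item's data is the process ID.
; In:   _hWnd - dialog that owns the list box
; Out:  eax undefined
; Notes: only szExeFile is shown, so several instances of the same image
;        look identical - the PID kept in the item data tells them apart.
;        If the snapshot cannot be taken the list is simply left empty.
;-------------------------------------------------------------------------
_GetProcessList proc	_hWnd

		LOCAL @stProcess:PROCESSENTRY32
		LOCAL @hSnapShot:dword

		invoke SendDlgItemMessage,_hWnd,IDC_PROCESSLIST,LB_RESETCONTENT,0,0
		invoke RtlZeroMemory,addr @stProcess,sizeof @stProcess
		mov @stProcess.dwSize,sizeof @stProcess

		; CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not NULL
		invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
		.if eax == INVALID_HANDLE_VALUE
			ret
		.endif
		mov @hSnapShot,eax

		invoke Process32First,@hSnapShot,addr @stProcess
		.while eax
			invoke SendDlgItemMessage,_hWnd,IDC_PROCESSLIST,LB_ADDSTRING,0,addr @stProcess.szExeFile
			; LB_ADDSTRING returns LB_ERR / LB_ERRSPACE on failure; do not attach data to a bogus index
			.if eax != LB_ERR && eax != LB_ERRSPACE
				invoke SendDlgItemMessage,_hWnd,IDC_PROCESSLIST,LB_SETITEMDATA,eax,@stProcess.th32ProcessID
			.endif
			invoke Process32Next,@hSnapShot,addr @stProcess
		.endw

		invoke CloseHandle,@hSnapShot
		ret

_GetProcessList endp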

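;-------------------------------------------------------------------------
; _GetModelList(_dwProcessId, _hWnd, _hModule)
; Rebuilds the IDC_MODELLIST list box with every module of process
; _dwProcessId (item data = module base address) and, as a side result,
; looks up the size of the module whose base is _hModule.
; In:   _dwProcessId - target PID
;       _hWnd        - dialog that owns the list box
;       _hModule     - base address to look up, or 0 for none
; Out:  eax = modBaseSize of _hModule, 0 if not found or the snapshot failed
; Notes: TH32CS_SNAPMODULE can transiently fail with ERROR_BAD_LENGTH while
;        the target is still loading, so the snapshot is retried a bounded
;        number of times.  Because this tool is built 32-bit (.386 / flat),
;        a snapshot of a 64-bit process fails here and the list stays empty;
;        the caller uses an empty list to disable the "Inject" button.
;-------------------------------------------------------------------------
_GetModelList	proc	_dwProcessId,_hWnd,_hModule

		LOCAL @stModule:MODULEENTRY32
		LOCAL @hSnapShot:dword
		LOCAL @ModuleSize:dword
		LOCAL @retry:dword

		mov @ModuleSize,0
		invoke SendDlgItemMessage,_hWnd,IDC_MODELLIST,LB_RESETCONTENT,0,0
		invoke RtlZeroMemory,addr @stModule,sizeof @stModule
		mov @stModule.dwSize,sizeof @stModule

		; bounded retry on ERROR_BAD_LENGTH so a target that never settles cannot hang the UI
		mov @retry,8
		.repeat
			invoke CreateToolhelp32Snapshot,TH32CS_SNAPMODULE,_dwProcessId
			mov @hSnapShot,eax
			.break .if eax != INVALID_HANDLE_VALUE
			invoke GetLastError
			.break .if eax != ERROR_BAD_LENGTH
			dec @retry
		.until @retry == 0

		.if @hSnapShot == INVALID_HANDLE_VALUE
			mov eax,@ModuleSize		; 0: nothing could be listed
			ret
		.endif

		invoke Module32First,@hSnapShot,addr @stModule
		.while eax
			mov eax,_hModule
			.if eax == @stModule.modBaseAddr
				push @stModule.modBaseSize
				pop  @ModuleSize
			.endif
			invoke SendDlgItemMessage,_hWnd,IDC_MODELLIST,LB_ADDSTRING,0,addr @stModule.szModule
			; do not attach data to a failed insert (LB_ERR / LB_ERRSPACE)
			.if eax != LB_ERR && eax != LB_ERRSPACE
				invoke SendDlgItemMessage,_hWnd,IDC_MODELLIST,LB_SETITEMDATA,eax,@stModule.modBaseAddr
			.endif
			invoke Module32Next,@hSnapShot,addr @stModule
		.endw

		invoke CloseHandle,@hSnapShot
		mov eax,@ModuleSize
		ret

_GetModelList endp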

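;-------------------------------------------------------------------------
; _KillThread(_ProcessId, _lpModelBase, dwModelSize)
; Terminates every thread of process _ProcessId whose Win32 start address
; lies inside [_lpModelBase, _lpModelBase + dwModelSize).  _Out calls this
; before FreeLibraryAndExitThread so the module's own threads are gone when
; it is unmapped.
; In:   _ProcessId   - PID whose threads are examined
;       _lpModelBase - module base address inside that process
;       dwModelSize  - module size in bytes (0 => nothing matches)
; Out:  eax undefined
; Notes: TH32CS_SNAPTHREAD ignores the PID argument and returns every thread
;        on the system, so th32OwnerProcessID must be filtered - otherwise
;        threads of unrelated processes that happen to start in the same
;        address range (typical with a DLL mapped at the same base in many
;        processes) would be killed.
;        TerminateThread runs no cleanup in the victim: locks it holds
;        (loader lock, heap, CRT) stay held and can deadlock the target.
;        Only the thread's original start address is compared; threads
;        started elsewhere that merely call into the module are not found.
;-------------------------------------------------------------------------
THREAD_QUERY_WIN32_START_ADDRESS	equ	9	; THREADINFOCLASS ThreadQuerySetWin32StartAddress

_KillThread	proc	_ProcessId,_lpModelBase,dwModelSize

		LOCAL @stThread:THREADENTRY32
		LOCAL @hSnapShot:dword
		LOCAL @hThread:dword
		LOCAL @NtQueryInformationThread:dword
		LOCAL @ThreadBase:dword

		; NtQueryInformationThread is exported by ntdll only; resolve it at run
		; time and do nothing (rather than call a NULL pointer) if it is missing.
		invoke GetModuleHandle,offset szNtDll
		.if eax == 0
			ret
		.endif
		invoke GetProcAddress,eax,offset szNtQueryInformationThread
		.if eax == 0
			ret
		.endif
		mov @NtQueryInformationThread,eax

		invoke RtlZeroMemory,addr @stThread,sizeof @stThread
		mov @stThread.dwSize,sizeof @stThread
		invoke CreateToolhelp32Snapshot,TH32CS_SNAPTHREAD,_ProcessId	; PID is ignored for thread snapshots
		.if eax == INVALID_HANDLE_VALUE
			ret
		.endif
		mov @hSnapShot,eax

		invoke Thread32First,@hSnapShot,addr @stThread
		.while eax
			; only threads that belong to the target process
			mov eax,@stThread.th32OwnerProcessID
			.if eax == _ProcessId
				; least privilege: we only query the start address and (maybe) terminate
				invoke OpenThread,THREAD_QUERY_INFORMATION or THREAD_TERMINATE,FALSE,@stThread.th32ThreadID
				.if eax
					mov @hThread,eax
					mov @ThreadBase,0
					; NTSTATUS NtQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress,
					;                                   &ThreadBase, sizeof(DWORD), NULL)  -- stdcall
					lea	edx,@ThreadBase
					mov	ecx,@NtQueryInformationThread
					push	NULL				; ReturnLength
					push	4h				; ThreadInformationLength
					push	edx				; ThreadInformation
					push	THREAD_QUERY_WIN32_START_ADDRESS
					push	@hThread
					call	ecx
					test	eax,eax				; NTSTATUS: negative means failure
					.if !SIGN?
						mov eax,@ThreadBase
						sub eax,_lpModelBase
						; unsigned compare: start address in [base, base+size);
						; addresses below base wrap around and fail the test
						.if eax < dwModelSize
							invoke TerminateThread,@hThread,0
						.endif
					.endif
					invoke CloseHandle,@hThread
				.endif
			.endif
			invoke Thread32Next,@hSnapShot,addr @stThread
		.endw

		invoke CloseHandle,@hSnapShot
		ret

_KillThread endp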

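;-------------------------------------------------------------------------
; _Into(dwProcessId, _hWnd)
; Injects the DLL whose full path is in szDllName into process dwProcessId
; using the classic CreateRemoteThread + LoadLibraryA technique:
;   1. allocate a buffer in the target and write the path into it,
;   2. start a remote thread at kernel32!LoadLibraryA with that buffer as
;      its argument,
;   3. wait for the thread and read its exit code (= HMODULE, NULL on
;      failure).
; In:   dwProcessId - target PID (the value the caller read from the list box)
;       _hWnd       - unused, kept for the caller's signature
; Out:  eax undefined; the outcome is written to IDC_MSG
; Notes: the LoadLibraryA address of this process is reused in the target,
;        which relies on kernel32 being mapped at the same base there
;        (true for same-bitness processes in one boot session).  This tool
;        is 32-bit, so it cannot inject into 64-bit processes.
;        The wait is INFINITE on purpose: the path buffer is freed right
;        after, so returning early would leave the remote thread reading
;        freed memory.  If the DLL's DllMain blocks, the UI blocks with it.
;        The target loads the DLL by path, so the path must be readable
;        from the target's security context.
;-------------------------------------------------------------------------
_Into		proc	dwProcessId,_hWnd

		LOCAL	@hThread:dword
		LOCAL	@dwExit:dword
		LOCAL	@cbName:dword

		invoke GetModuleHandle,offset szDllKernel
		invoke GetProcAddress,eax,offset szLoadLibrary
		.if eax == 0
			invoke SetDlgItemText,hWinMain,IDC_MSG,offset szInGPAErr
			ret
		.endif
		mov	lpLoadLibrary,eax

		; only the rights CreateRemoteThread / WriteProcessMemory need, not PROCESS_ALL_ACCESS
		invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ,FALSE,dwProcessId
		.if eax == 0
			invoke SetDlgItemText,hWinMain,IDC_MSG,offset szOPErr
			ret
		.endif
		mov hProcess,eax

		; bytes to copy: path plus its terminating NUL
		invoke lstrlen,offset szDllName
		inc eax
		mov @cbName,eax

		invoke VirtualAllocEx,hProcess,NULL,@cbName,MEM_COMMIT,PAGE_READWRITE
		.if eax == 0
			invoke SetDlgItemText,hWinMain,IDC_MSG,offset szVAEErr
		.else
			mov lpDllName,eax
			; copy the DLL path into the target
			invoke WriteProcessMemory,hProcess,lpDllName,offset szDllName,@cbName,NULL
			.if eax == 0
				invoke SetDlgItemText,hWinMain,IDC_MSG,offset szWPMErr
			.else
				invoke CreateRemoteThread,hProcess,NULL,0,lpLoadLibrary,lpDllName,0,NULL
				.if eax == 0
					invoke SetDlgItemText,hWinMain,IDC_MSG,offset szCRTErr
				.else
					mov @hThread,eax
					invoke WaitForSingleObject,@hThread,INFINITE	; see header: buffer must outlive the thread
					; the thread's exit code is LoadLibraryA's return value
					mov @dwExit,0
					invoke GetExitCodeThread,@hThread,addr @dwExit
					invoke CloseHandle,@hThread
					.if @dwExit == 0
						invoke SetDlgItemText,hWinMain,IDC_MSG,offset szInLLNull
					.else
						invoke SetDlgItemText,hWinMain,IDC_MSG,offset szCRTOk
					.endif
				.endif
			.endif
			; MEM_RELEASE with size 0 gives the whole region back; MEM_DECOMMIT
			; would leave the reservation behind in the target
			invoke VirtualFreeEx,hProcess,lpDllName,0,MEM_RELEASE
		.endif

		invoke CloseHandle,hProcess
		ret

; read-only messages local to this routine (kept in .code so the block is self-contained)
szInGPAErr	db	'[GetProcAddress]:Error!',0
szWPMErr	db	'[WriteProcessMemory]:Error!',0
szInLLNull	db	'[LoadLibrary]:returned NULL in target!',0

_Into endp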



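;-------------------------------------------------------------------------
; _Out(_dwProcessId, _Model)
; Unloads module _Model from process _dwProcessId: its threads are
; terminated (_KillThread) and a remote thread is started at
; kernel32!FreeLibraryAndExitThread with the module handle as argument.
; In:   _dwProcessId - target PID
;       _Model       - module base address (= HMODULE) inside the target
; Out:  eax undefined; the outcome is written to IDC_MSG
; Notes: FreeLibrary only drops one reference - a module loaded more than
;        once, or needed by another module, stays mapped.  Unloading a DLL
;        the target itself depends on (any system DLL shown in the list)
;        will crash it; this routine does not try to prevent that.
;        FreeLibraryAndExitThread(hModule, dwExitCode) is started with only
;        hModule as the thread argument, so dwExitCode is whatever sits
;        above it on the new thread's stack; harmless, the function never
;        returns.
;-------------------------------------------------------------------------
_Out		proc	_dwProcessId,_Model

		LOCAL @hThread:dword

		invoke GetModuleHandle,offset szDllKernel
		invoke GetProcAddress,eax,offset szFreeLibrary
		.if eax == 0
			invoke SetDlgItemText,hWinMain,IDC_MSG,offset szOutGPAErr
			ret
		.endif
		mov lpFreeLibrary,eax

		; open the selected target process with the rights CreateRemoteThread needs
		invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ,FALSE,_dwProcessId
		.if eax == 0
			invoke SetDlgItemText,hWinMain,IDC_MSG,offset szOPErr
			ret
		.endif
		mov hProcess,eax

		; re-enumerate to learn the module's size (0 if it is no longer loaded),
		; then stop the threads that were started inside it
		invoke _GetModelList,_dwProcessId,hWinMain,_Model
		invoke _KillThread,_dwProcessId,_Model,eax

		invoke CreateRemoteThread,hProcess,NULL,0,lpFreeLibrary,_Model,0,NULL
		.if eax == 0
			invoke SetDlgItemText,hWinMain,IDC_MSG,offset szCRTErr
		.else
			mov @hThread,eax
			invoke WaitForSingleObject,@hThread,INFINITE
			invoke CloseHandle,@hThread
			invoke SetDlgItemText,hWinMain,IDC_MSG,offset szCRTOk
		.endif

		invoke CloseHandle,hProcess
		ret

; read-only message local to this routine (kept in .code so the block is self-contained)
szOutGPAErr	db	'[GetProcAddress]:Error!',0

_Out endp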

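;-------------------------------------------------------------------------
; _MainThread(hWnd, uMsg, wParam, lParam)
; Dialog procedure of IDD_MAIN.
;   IDC_PROCESSLIST item data = process ID (filled by _GetProcessList)
;   IDC_MODELLIST   item data = module base address (filled by _GetModelList)
; Buttons: IDC_DLL picks the DLL, IDC_IN injects it into the selected
; process, IDC_OUT unloads the selected module, IDC_UPDATE refreshes the
; process list, IDC_EMAIL opens a mailto: link.
; Out:  eax = TRUE when the message was handled, FALSE otherwise
; Notes: IDC_IN / IDC_OUT check LB_GETCURSEL for LB_ERR before acting, so a
;        click with no selection (e.g. after the module list was rebuilt)
;        does nothing instead of passing -1 as a PID or module handle.
;-------------------------------------------------------------------------
_MainThread	proc	uses edi esi hWnd,uMsg,wParam,lParam

		LOCAL	@dwProcessId:dword
		LOCAL	@hModule:dword

		mov eax,uMsg
		.if	eax == WM_COMMAND
			mov eax,wParam
			.if	ax == IDC_DLL
				call _OpenDll

			.elseif ax == IDC_PROCESSLIST
				shr eax,16				; notification code in the high word
				.if	ax == LBN_SELCHANGE
					invoke SendDlgItemMessage,hWnd,IDC_PROCESSLIST,LB_GETCURSEL,0,0
					invoke SendDlgItemMessage,hWnd,IDC_PROCESSLIST,LB_GETITEMDATA,eax,0
					invoke _GetModelList,eax,hWnd,0
					invoke GetDlgItem,hWnd,IDC_OUT
					invoke EnableWindow,eax,FALSE
					; "Inject" is only offered when the module list could be read;
					; an empty list means the process could not be snapshotted
					invoke SendDlgItemMessage,hWnd,IDC_MODELLIST,LB_GETCOUNT,0,0
					.if	eax == 0
						invoke GetDlgItem,hWnd,IDC_IN
						invoke EnableWindow,eax,FALSE
					.else
						invoke GetDlgItem,hWnd,IDC_IN
						invoke EnableWindow,eax,TRUE
					.endif
				.endif

			.elseif	ax == IDC_MODELLIST
				shr eax,16
				.if	ax == LBN_SELCHANGE
					invoke GetDlgItem,hWnd,IDC_OUT
					invoke EnableWindow,eax,TRUE
				.endif

			.elseif ax == IDC_IN
				invoke lstrlen,offset szDllName
				.if	eax == 0
					invoke MessageBox,hWinMain,offset szOD,offset szCaption,MB_OK
				.else
					invoke SendDlgItemMessage,hWnd,IDC_PROCESSLIST,LB_GETCURSEL,0,0
					.if eax != LB_ERR
						invoke SendDlgItemMessage,hWnd,IDC_PROCESSLIST,LB_GETITEMDATA,eax,0
						mov @dwProcessId,eax
						invoke _Into,eax,hWnd
						invoke _GetModelList,@dwProcessId,hWnd,0	; show the new module
					.endif
				.endif

			.elseif ax == IDC_OUT
				invoke SendDlgItemMessage,hWnd,IDC_MODELLIST,LB_GETCURSEL,0,0
				.if eax != LB_ERR
					invoke SendDlgItemMessage,hWnd,IDC_MODELLIST,LB_GETITEMDATA,eax,0
					mov @hModule,eax
					invoke SendDlgItemMessage,hWnd,IDC_PROCESSLIST,LB_GETCURSEL,0,0
					.if eax != LB_ERR
						invoke SendDlgItemMessage,hWnd,IDC_PROCESSLIST,LB_GETITEMDATA,eax,0
						mov @dwProcessId,eax
						invoke _Out,@dwProcessId,@hModule
						invoke _GetModelList,@dwProcessId,hWnd,0
					.endif
				.endif
				; the module list was rebuilt (or nothing was selected), so
				; there is no module selection left for another "Unload"
				invoke GetDlgItem,hWnd,IDC_OUT
				invoke EnableWindow,eax,FALSE

			.elseif ax == IDC_UPDATE
				invoke _GetProcessList,hWnd
				invoke SendDlgItemMessage,hWnd,IDC_MODELLIST,LB_RESETCONTENT,0,0
				invoke GetDlgItem,hWnd,IDC_IN
				invoke EnableWindow,eax,FALSE
				invoke GetDlgItem,hWnd,IDC_OUT
				invoke EnableWindow,eax,FALSE

			.elseif ax == IDC_EMAIL
				invoke ShellExecute,0,0,offset szEmail,0,0,SW_SHOW
			.endif

		.elseif	eax == WM_INITDIALOG
			push hWnd
			pop  hWinMain
			invoke LoadIcon,hInstance,ICO_MAIN
			invoke SendMessage,hWnd,WM_SETICON,ICON_BIG,eax
			invoke _SetWinPos,hWnd
			; SeDebugPrivilege is requested once at start-up; it only takes
			; effect in an administrator / elevated token (see _EnableDebug)
			call _EnableDebug
			invoke _GetProcessList,hWnd
			invoke GetDlgItem,hWnd,IDC_IN
			invoke EnableWindow,eax,FALSE
			invoke GetDlgItem,hWnd,IDC_OUT
			invoke EnableWindow,eax,FALSE
			invoke SetDlgItemText,hWinMain,IDC_MSG,offset szText

		.elseif	eax == WM_CLOSE
			invoke EndDialog,hWnd,-1

		.else
			mov eax,FALSE
			ret
		.endif
		mov eax,TRUE
		ret

_MainThread endp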

; Program entry point: run the main dialog modally; _MainThread does all the
; work and the process exits when the dialog is closed.
start:
	invoke GetModuleHandle,NULL
	mov hInstance,eax
	invoke DialogBoxParam,hInstance,IDD_MAIN,NULL,offset _MainThread,-1
	invoke ExitProcess,0
end start

into.inc

; Control / resource IDs shared by Into.asm and into.rc.
; The values MUST stay identical to the #define block in into.rc - the two
; files are kept by hand, there is no common header.
IDD_MAIN                equ 1000	; main dialog
IDC_DLL                 equ 1004	; "select dll" button
IDC_IN                  equ 1005	; "inject" button
IDC_OUT                 equ 1006	; "unload" button
IDC_UPDATE              equ 1007	; "refresh" button
IDC_PROCESSLIST         equ 1001	; list box: process names, item data = PID
IDC_MODELLIST           equ 1002	; list box: module names, item data = base address
IDC_DLLPATH             equ 1003	; read-only edit: chosen DLL path
IDC_MSG                 equ 1008	; read-only edit: status messages
IDC_EMAIL               equ 1009	; "contact author" button
ICO_MAIN                equ 1000	; icon (same number as IDD_MAIN is fine: different resource type)

into.rc

// Resource / control IDs - must match the equ block in into.inc exactly
// (the two files are maintained by hand; a mismatch silently breaks the UI).
#define ICO_MAIN 1000
#define IDD_MAIN 1000
#define IDC_DLL 1004
#define IDC_IN 1005
#define IDC_OUT 1006
#define IDC_UPDATE 1007
#define IDC_PROCESSLIST 1001
#define IDC_MODELLIST 1002
#define IDC_DLLPATH 1003
#define IDC_MSG 1008
#define IDC_EMAIL 1009

#include "resource.h"

ICO_MAIN ICON DISCARDABLE "main.ico"

// Main dialog. Left list box = processes, right list box = modules of the
// selected process; the two edit controls are read-only output fields.
IDD_MAIN DIALOGEX 0,0,327,192
CAPTION "GuaiK-DLL注入器"
FONT 8,"MS Sans Serif",0,0,0
STYLE WS_POPUP|WS_VISIBLE|WS_CAPTION|WS_SYSMENU|DS_MODALFRAME
BEGIN
  CONTROL "选择dll",IDC_DLL,"Button",WS_CHILDWINDOW|WS_VISIBLE|WS_TABSTOP,9,156,54,15
  CONTROL "注入",IDC_IN,"Button",WS_CHILDWINDOW|WS_VISIBLE|WS_TABSTOP,210,156,54,15
  CONTROL "卸载",IDC_OUT,"Button",WS_CHILDWINDOW|WS_VISIBLE|WS_TABSTOP,267,156,54,15
  CONTROL "刷新",IDC_UPDATE,"Button",WS_CHILDWINDOW|WS_VISIBLE|WS_TABSTOP,210,174,54,15
  CONTROL "",IDC_PROCESSLIST,"ListBox",WS_CHILDWINDOW|WS_VISIBLE|WS_BORDER|WS_VSCROLL|WS_TABSTOP|LBS_STANDARD|LBS_NOINTEGRALHEIGHT|LBS_HASSTRINGS,9,15,141,126,WS_EX_CLIENTEDGE
  CONTROL "",IDC_MODELLIST,"ListBox",WS_CHILDWINDOW|WS_VISIBLE|WS_BORDER|WS_VSCROLL|WS_TABSTOP|LBS_STANDARD|LBS_NOINTEGRALHEIGHT|LBS_HASSTRINGS,171,15,141,126,WS_EX_CLIENTEDGE
  CONTROL "",IDC_DLLPATH,"Edit",WS_CHILDWINDOW|WS_VISIBLE|WS_TABSTOP|ES_READONLY|ES_AUTOHSCROLL,69,156,138,15,WS_EX_CLIENTEDGE
  CONTROL "",IDC_MSG,"Edit",WS_CHILDWINDOW|WS_VISIBLE|WS_TABSTOP|ES_READONLY,69,174,138,15,WS_EX_CLIENTEDGE
  CONTROL "进程列表",-1,"Button",WS_CHILDWINDOW|WS_VISIBLE|BS_GROUPBOX,3,3,156,144
  CONTROL "模块列表",-1,"Button",WS_CHILDWINDOW|WS_VISIBLE|BS_GROUPBOX,165,3,156,144
  CONTROL "提示信息:",-1,"Static",WS_CHILDWINDOW|WS_VISIBLE,18,177,42,9
  CONTROL "联系作者",IDC_EMAIL,"Button",WS_CHILDWINDOW|WS_VISIBLE|WS_TABSTOP,267,174,54,15
END