
按键2014汇编库开发作品3.3(人猿开发)2019.6.10

发表时间:2018-04-12 00:00

// Win32 imports used by the rest of the library. They fall into: the "ToAsm" helper,
// local heap and memory copy/fill routines, module/export resolution, Windows hooks,
// cross-process memory and thread APIs, byte-order helpers and window messaging.
// NOTE(review): some exports are declared twice under different names (CallWindowProcA and
// CallAsmCode, SetWindowsHook and SetWindowsHookExA); the pairs differ in ByVal/ByRef
// parameter passing, so which name a caller uses matters.
// "ToAsm" is not a Windows system DLL; presumably the helper that turns the mnemonics built by
// the Push/Mov/Call routines into machine code — confirm.
Declare Function Asm Lib   "ToAsm" Alias   "Asm"(ByVal code As String,ByVal 长度 As Long) As Long

Declare Function SetRec Lib   "user32" Alias   "SetRect"(ByVal 矩形 As Any,ByVal 左边 As Long,ByVal 顶边 As Long,ByVal 右边 As Long,ByVal 底边 As Long) As Long

// Local (same-process) heap helpers.
Declare Function LocalAlloc   Lib "kernel32" Alias "LocalAlloc" (ByVal wOemChar As Long,ByVal wOmChar As Long) As Long

Declare Function LocalFree Lib "kernel32" Alias "LocalFree" (ByVal hMem As Long) As Long

Declare Function LocalSize Lib "kernel32" (ByVal hMem As Long) As Long

Declare Function RtlMoveMemory Lib "kernel32" Alias "RtlMoveMemory" (ByVal h As Any, ByRef f As Any, ByVal Length As Long)

// CallWindowProcA with a raw buffer address as the "window procedure" is how RunCurAsmCode
// below transfers control into a code buffer (the first parameter is the address called).
Declare Function CallWindowProcA Lib   "user32.dll" Alias   "CallWindowProcA"(ByVal 前1窗口函数地址 As Long,byref 窗口句柄 As Long,ByVal 消息值 As Long,ByVal 附加参数1 As Long,ByVal 附加参数2 As Long) As Long

Declare Function RtlFillMemory Lib   "kernel32.dll" Alias   "RtlFillMemory"(ByVal 目的内存 As String,ByVal 长度 As Long,ByVal 填充内容 As Any) As Long

// Module / export resolution (used locally by 获取函数地址API-style helpers and by the stubs).
Declare Function LoadLibraryA Lib   "kernel32.dll" Alias   "LoadLibraryA"(ByVal 动态链接库名称 As String) As Long

Declare Function FreeLibrary Lib "kernel32" Alias "FreeLibrary" (ByVal hLibModule As Long) As Long

Declare Function GetProcAddress Lib   "kernel32.dll" Alias   "GetProcAddress"(ByVal 模块句柄 As Long,ByVal 进程名称 As String) As Long

Declare Function GetModuleHandleA Lib   "kernel32.dll" Alias   "GetModuleHandleA"(ByVal 模块名 As String) As Long

// Windows hooks: the ANSI export under the name SetWindowsHook, plus UnhookWindowsHookEx.
Declare Function SetWindowsHook Lib   "user32.dll" Alias   "SetWindowsHookExA"(ByVal 钩子类型 As Long,ByVal 回调函数地址 As Long,ByVal 实例句柄 As Long,ByVal 线程ID As Long) As Long

Declare Function UnhookWindowsHookEx Lib   "user32.dll" Alias   "UnhookWindowsHookEx"(ByVal 钩子句柄 As Long) As Long

Declare Function RtlZeroMemory Lib   "kernel32.dll" Alias   "RtlZeroMemory"(ByVal 目的内存 As String,ByVal 长度 As Long) As Long

// NOTE(review): the last two parameters are both named lpWideCharStr.
Declare Function MultiByteToWideChar Lib   "kernel32.dll" Alias   "MultiByteToWideChar"(ByVal CodePage As Long,ByVal dwFlags As Long,ByVal lpMultiByteStr As Long,ByVal cchMultiByte As Long,ByVal lpWideCharStr As Long,ByVal lpWideCharStr As Long) As Long

// Thread creation in the current process; CreateRemoteThread (below) is the cross-process form.
Declare Function CreateThread Lib "kernel32" (lpThreadAttributes As Any, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long

// Cross-process memory access: OpenProcess, Read/WriteProcessMemory, VirtualAllocEx/FreeEx/ProtectEx/QueryEx.
Declare Function   OpenProcess Lib "kernel32" Alias "OpenProcess" (ByVal dwDesiredAccess As Long, ByVal   bInheritHandle As Long, ByVal dwProcessId As Long) As Long

// NOTE(review): no ByVal here, so every argument is passed by reference (unlike ReadProcessMemory below).
Declare Function   WriteProcessMemory Lib "kernel32" Alias "WriteProcessMemory" ( Handle_Process As Long, lpBaseAddress As long,date As long,   nSize As Long, lpNumberOfBytesWritten As Long) As Long

Declare Function   CloseHandle Lib "kernel32" Alias "CloseHandle" (ByVal hObject As Long) As Long

Declare Function GetCurrentProcessId Lib "kernel32" Alias "GetCurrentProcessId" () As Long

Declare Function ReadProcessMemory Lib "kernel32" Alias "ReadProcessMemory" (ByVal hProcess As Long,ByVal lpBaseAddress As Long, ByRef lpBuffer As Long, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

// Second declaration of CallWindowProcA (see above) with different ByVal/ByRef choices.
Private Declare Function CallAsmCode Lib "user32" Alias "CallWindowProcA" ( lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, lParam As Long) As Long

Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long

Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long

Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long  

// Byte-order swaps from Winsock; 主线程切入口注入 uses htonl so Hex() prints a displacement in
// little-endian byte order. Results are signed 32-bit, as the author's comment says.
Private Declare Function htonl Lib "Wsock32.dll" (ByVal hostlong As Long) As Long //4字节高低位互转 //32位有符号整数 不支持无符号整数   FFFF FFFF

Private Declare Function htons Lib "Wsock32.dll" (ByVal hostshort As Long) As Long //2字节

Private Declare Function SetWindowsHookExA Lib "user32" Alias "SetWindowsHookExW" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long

Private Declare Function GetWindowThreadProcessId Lib "user32" Alias "GetWindowThreadProcessId" (ByVal hwnd As Long, lpdwProcessId As Long) As Long   

// WindowsMessages and MSLLHOOKSTRUCT are not defined anywhere in the visible part of this file.
Public   Declare Function CallNextHookEx Lib "user32" Alias "CallNextHookEx" (ByVal hHook As Long, ByVal ncode As Long,ByVal wParam As WindowsMessages,lParam As MSLLHOOKSTRUCT) As Long   

Private Declare Function RegisterWindowMessage Lib "user32" Alias "RegisterWindowMessageA" (ByVal lpString As String) As Long

Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long

// NOTE(review): the only declaration using Integer parameters (every other one uses Long) and
// the Lib name carries a trailing space — confirm against the kernel32 prototype.
Public Declare Function VirtualProtectEx Lib "kernel32 " (ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal flNewProtect As Integer, ByRef lpflOldProtect As Integer) As Integer

// MEMORY_BASIC_INFORMATION is not defined anywhere in the visible part of this file.
Public Declare Function VirtualQueryEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long

//call Lib.AsmCode.创建进程S(GetCurrentProcessId(), "E:\MOYU\soul.exe blacknull wqo65m a6981723", "E:\\MOYU")

//call 创建进程S(GetCurrentProcessId(), "G:\xunleimoyu\soul.exe blacknull wqo65m a6981723", "G:\xunleimoyu")

//Hwnd = Plugin.Window.Find(0, "【魔域】")

//ProcessId= Plugin.SysEx.GetProcessID (Hwnd)

//TracePrint ProcessId

//Call Plugin.SysEx.Speed(hwnd, 4)

Function 内存保护属性修改(ProcessId,Addr,AddrSize) //VirtualQueryEx,调用改成可读可写可执行

    // Calls VirtualProtectEx on AddrSize bytes at Addr with flNewProtect = 64
    // (0x40 = PAGE_EXECUTE_READWRITE); oldVal receives the previous protection value.
    // The first argument is forwarded unchanged as the API's hProcess parameter.
    Dim issuscce,oldVal

    issuscce = VirtualProtectEx(ProcessId, Addr, AddrSize, 64, oldVal)

    // NOTE(review): the API result is stored in a variable called VirtualQueryEx (also the
    // name of a Declare above), not in 内存保护属性修改, so this function returns Empty.
    VirtualQueryEx=issuscce

End Function

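Function 枚举系统进程名()
    // 用途: the Description of every running process, read through WMI (Win32_Process),
    // one per line, each line terminated by CR LF.
    // Fix: the accumulator was an undeclared (global) variable, so every call appended to
    // the result of the previous one; it is now local and starts empty. Concatenation uses
    // & so a Null Description contributes an empty line instead of turning the result Null.
    // Returns: the concatenated string ("" when WMI lists nothing). Requires WMI access.
    Dim WMI, objs, obj, 列表
    列表 = ""
    Set WMI = GetObject("WinMgmts:")
    Set objs = WMI.InstancesOf("Win32_Process")
    For Each obj In objs
        列表 = 列表 & obj.Description & vbCrLf
    Next
    枚举系统进程名 = 列表
End Function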

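Function 获取系统全部进程和ID()//获取进程ID和进程名字
    // 用途: every running process as "<pid> <name>" lines, via WMI Win32_Process.
    // Returns: a string that begins with vbCrLf (kept so callers that Split on vbCrLf and
    // skip element 0 keep working), followed by one line per process.
    // Fix: the WMI objects and the loop variable are now locals instead of implicit globals,
    // so the COM references are released on return, and Pro_And_Name starts as "" not Empty.
    // The global Pro_Name_Array (a Split of the result) is still filled because other scripts
    // may read it — presumably dead, TODO confirm before removing.
    Dim objWMIService, ps, p, Pro_And_Name
    Pro_And_Name = ""
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set ps = objWMIService.ExecQuery("select * from Win32_Process")
    For Each p In ps
        Pro_And_Name = Pro_And_Name & vbCrLf & p.ProcessId & " " & p.Name
    Next
    Pro_Name_Array = Split(Pro_And_Name, vbCrLf)
    获取系统全部进程和ID = Pro_And_Name
End Function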

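Function 根据进程名字枚举进程ID(进程名)//获取进程ID和进程名字
    // 用途: process id of the first running process whose Name equals 进程名
    // (e.g. "notepad.exe"); the comparison is exact and case-sensitive, as before.
    // Returns: the id as a number, or Empty when no process of that name is running.
    // Fix: the old code rebuilt "<pid> <name>" lines, split each on spaces and compared
    // only the first word of the name, so a name containing a space could never match;
    // Name and ProcessId are now read straight from the WMI objects. The global
    // Pro_Name_Array that the old code also filled is no longer produced here.
    Dim objWMIService, ps, p
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set ps = objWMIService.ExecQuery("select * from Win32_Process")
    For Each p In ps
        If p.Name = 进程名 Then
            根据进程名字枚举进程ID = Int(p.ProcessId)
            Exit For
        End If
    Next
End Function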

//Hwnd = Plugin.Window.Find(0, "【魔域】")

//ProcessId= Plugin.SysEx.GetProcessID (Hwnd)

//TracePrint ProcessId

//怪物对象地址= 跨进程获取函数名地址S(ProcessId,"3DRole.dll","?g_objPlayerSet@@3VCGamePlayerSet@@A")

// TracePrint Hex(怪物对象地址)

Function 跨进程获取函数名地址S(ProcessId,模块名字,函数名字)//Call 跨进程获取函数名地址(ProcessId,"kernel32","CreateRemoteThread",有保护无法突破参数)

    // Resolves 模块名字!函数名字 inside the target process: writes both names into the target,
    // assembles a stub with the Push/Mov/Call helpers (pushad; push <module name>;
    // call GetModuleHandleA; push <export name>; push eax; call GetProcAddress;
    // mov [返回值地址], eax; popad; ret), runs it with RunAsmCode, waits 100 ms and reads the
    // 4-byte result back.
    // ProcessId: target process. 模块名字 / 函数名字: ANSI names copied into the target.
    // Returns: the value 读取四字节整数 reads from 返回值地址.
    // NOTE(review): the three buffers obtained from 申请指定进程空间 are never released here
    // (compare 创建进程S, which frees its buffers).
    Dim 远程参数地址

    Dim 返回值地址

    返回值地址 = 申请指定进程空间(ProcessId, 4)

    远程参数地址 = 申请指定进程空间(ProcessId, len(模块名字) + 4)

    Call 写入字符集ASCII(ProcessId, 远程参数地址, 模块名字)//二进制字符串写入

    远程名字参数地址=申请指定进程空间(ProcessId, len(函数名字)+4)

    Call 写入字符集ASCII(ProcessId, 远程名字参数地址, 函数名字)//二进制字符串写入

    //TracePrint   Hex(远程参数地址)

    // Both kernel32 addresses are resolved in the current process and used in the target;
    // presumably relies on kernel32 having the same base in both — confirm.
    // NOTE(review): this assigns to GetModuleHandleA, which is also the name of a Declare
    // above (钩子HOOK注入执行 calls GetModuleHandleA(0) as a function) — confirm the engine
    // accepts both uses.
    GetModuleHandleA = 获取函数地址API("kernel32.dll", "GetModuleHandleA")//==这个是固定的,模块基地址

    Addr_GetProcAddress = 获取函数地址API("kernel32.dll", "GetProcAddress")//==这个是固定的,获取获取函数的基地址

    //TracePrint Hex(GetModuleHandleA)

    Call AsmClear()

    call Pushad()

    Call PUSH(远程参数地址)   //,先写入完整call 再调用 这个是基地址不过要保持平衡,PK模式call

    Call Mov_EDX_Value(GetModuleHandleA)

    Call Call_EDX()

    // eax now holds the module base; it becomes the first GetProcAddress argument
    Call Push(远程名字参数地址)

    Call Push_EAX

    Call Mov_EDX_Value(Addr_GetProcAddress)

    Call Call_EDX()

    Call Mov_DWORD_Ptr_Addr_EAX(返回值地址)

    Call Popad()

    Call ret()   //这个和上面5个push 是对应关系的

    // RunAsmCode is not in the visible file; the meaning of its second argument (1 here,
    // 0 in 创建进程S) is not visible either.
    Call RunAsmCode(ProcessId, 1)//核心代码

    // give the stub time to run before the result slot is read
    Delay 100

    获取函数地址= 读取四字节整数(ProcessId,返回值地址)

    //    TracePrint "模块地址===" & Hex(模块地址)

    跨进程获取函数名地址S=获取函数地址

End Function

Function 主线程切入口注入(ProcessId, 函数字节集,主线程入口地址)//最好先暂停线程再执行线程

    // Redirects execution at 主线程入口地址 to a copy of 函数字节集: the bytes are written to a
    // freshly allocated block in the target, then a 5-byte relative jmp (E9 + rel32) is written
    // over the entry address. The author's comment says the thread should be suspended first.
    // 函数字节集: hex byte string as accepted by 写入字节集. 主线程入口地址: address patched.
    // Returns: Empty (nothing is assigned to the function name).
    Dim NewAddr //这个函数是用来储存的。

    Dim JMP_Value//跳转数值

    NewAddr = 申请指定进程空间(ProcessId, len(函数字节集) + 4)

    Call 写入字节集(ProcessId, NewAddr, 函数字节集)//这个是写入Fake_HOOK函数

    TracePrint Hex(NewAddr)

    // rel32 = target - (patch address + 5); htonl byte-swaps it so Hex() prints the bytes in
    // the little-endian order in which they are written
    JMP_Value = HEX(htonl(NewAddr - 主线程入口地址 - 5)) //公式计算

    TracePrint JMP_Value

    // "E9AB12CD" -> "E9 AB 12 CD" form expected by 写入字节集 (also overwrites JMP_Value in place)
    JMP_Value= 进制_字节集标准化(JMP_Value)

    // &He9 is the opcode of the 5-byte relative jmp; the displacement follows at +1
    call 写入单字节整数(ProcessId, 主线程入口地址, &He9)

    Call 写入字节集(ProcessID, 主线程入口地址+1, JMP_Value) //这个是jmp

End Function

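Function 进制_单浮点转十六(浮点数值)
    // 用途: IEEE-754 single-precision (binary32) encoding of a number as 8 uppercase hex
    // characters, most significant byte first (1.5 -> "3FC00000", -2 -> "C0000000").
    // 浮点数值: a number or a numeric string; it is rounded to single precision first.
    // Returns: 8 hex characters. Zero gives "00000000"; subnormals are encoded with a zero
    // exponent field. |x| > 3.4E38 raises an overflow error; NaN/Inf are not supported.
    // Fix: the old code only encoded the integer part (fraction bits were always 0), needed
    // a "." in the input, and returned "00000000" for every |x| < 1.
    Dim v, 符号位, 尾数, 指数, 位串, i, nib, 十六
    v = CSng(CDbl(浮点数值))
    If v = 0 Then
        进制_单浮点转十六 = "00000000"
        Exit Function
    End If
    符号位 = "0"
    If v < 0 Then
        符号位 = "1"
        v = -v
    End If
    // normalise to 尾数 in [1,2) times 2^指数; halving/doubling is exact in binary floating point
    尾数 = CDbl(v)
    指数 = 0
    Do While 尾数 >= 2
        尾数 = 尾数 / 2
        指数 = 指数 + 1
    Loop
    Do While 尾数 < 1
        尾数 = 尾数 * 2
        指数 = 指数 - 1
    Loop
    If 指数 < -126 Then
        // subnormal: exponent field 0, fraction bits are value / 2^-126
        尾数 = 尾数 * 2 ^ (指数 + 126)
        指数 = -127
    Else
        尾数 = 尾数 - 1   // drop the implicit leading 1
    End If
    // 8-bit biased exponent, most significant bit first
    位串 = 符号位
    指数 = 指数 + 127
    For i = 7 To 0 Step -1
        If 指数 >= 2 ^ i Then
            位串 = 位串 & "1"
            指数 = 指数 - 2 ^ i
        Else
            位串 = 位串 & "0"
        End If
    Next
    // 23 fraction bits by repeated doubling (exact for a single-precision value)
    For i = 1 To 23
        尾数 = 尾数 * 2
        If 尾数 >= 1 Then
            位串 = 位串 & "1"
            尾数 = 尾数 - 1
        Else
            位串 = 位串 & "0"
        End If
    Next
    // pack the 32 bits into 8 hex digits
    十六 = ""
    nib = 0
    For i = 1 To 32
        nib = nib * 2 + CInt(Mid(位串, i, 1))
        If i Mod 4 = 0 Then
            十六 = 十六 & Mid("0123456789ABCDEF", nib + 1, 1)
            nib = 0
        End If
    Next
    进制_单浮点转十六 = 十六
End Function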

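Function 进制_双浮点转十六(浮点数值)
    // 用途: IEEE-754 double-precision (binary64) encoding of a number as 16 uppercase hex
    // characters, most significant byte first (1.5 -> "3FF8000000000000").
    // 浮点数值: a number or a numeric string (converted with CDbl).
    // Returns: 16 hex characters. Zero gives "0000000000000000"; subnormals are encoded
    // with a zero exponent field. NaN/Inf are not supported.
    // Fix: the old code only encoded the integer part (fraction bits were always 0), needed
    // a "." in the input, and returned all zeros for every |x| < 1.
    Dim v, 符号位, 尾数, 指数, 位串, i, nib, 十六
    v = CDbl(浮点数值)
    If v = 0 Then
        进制_双浮点转十六 = "0000000000000000"
        Exit Function
    End If
    符号位 = "0"
    If v < 0 Then
        符号位 = "1"
        v = -v
    End If
    // normalise to 尾数 in [1,2) times 2^指数; halving/doubling is exact in binary floating point
    尾数 = v
    指数 = 0
    Do While 尾数 >= 2
        尾数 = 尾数 / 2
        指数 = 指数 + 1
    Loop
    Do While 尾数 < 1
        尾数 = 尾数 * 2
        指数 = 指数 - 1
    Loop
    If 指数 < -1022 Then
        // subnormal: exponent field 0, fraction bits are value / 2^-1022
        尾数 = 尾数 * 2 ^ (指数 + 1022)
        指数 = -1023
    Else
        尾数 = 尾数 - 1   // drop the implicit leading 1
    End If
    // 11-bit biased exponent, most significant bit first
    位串 = 符号位
    指数 = 指数 + 1023
    For i = 10 To 0 Step -1
        If 指数 >= 2 ^ i Then
            位串 = 位串 & "1"
            指数 = 指数 - 2 ^ i
        Else
            位串 = 位串 & "0"
        End If
    Next
    // 52 fraction bits by repeated doubling (exact for a double)
    For i = 1 To 52
        尾数 = 尾数 * 2
        If 尾数 >= 1 Then
            位串 = 位串 & "1"
            尾数 = 尾数 - 1
        Else
            位串 = 位串 & "0"
        End If
    Next
    // pack the 64 bits into 16 hex digits
    十六 = ""
    nib = 0
    For i = 1 To 64
        nib = nib * 2 + CInt(Mid(位串, i, 1))
        If i Mod 4 = 0 Then
            十六 = 十六 & Mid("0123456789ABCDEF", nib + 1, 1)
            nib = 0
        End If
    Next
    进制_双浮点转十六 = 十六
End Function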

//用途:十转二

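Public Function 进制_十转二(Dec )
    // 用途: non-negative integer -> binary digit string without leading zeros (10 -> "1010").
    // Dec: a number or numeric string; it is converted once up front so the loop always
    //      works on a numeric value (the old code compared the raw argument).
    // Returns: the binary string. Fix: zero now gives "0" instead of "". A negative value
    // still gives "" (unsupported), and values beyond the Long range overflow in Mod as before.
    Dim n, bits
    n = CDbl(Dec)
    bits = ""
    Do While n > 0
        bits = (n Mod 2) & bits
        n = n \ 2
    Loop
    If n = 0 And bits = "" Then bits = "0"
    进制_十转二 = bits
End Function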

//TracePrint "将二进制转化为十六进制"   & B2H("111111111111111111111111111111111111")

' 用途:将二进制转化为十六进制

' 输入:Bin(二进制数)

' 输入数据类型:String

' 输出:B2H(十六进制数)

' 输出数据类型:String

' 输入的最大数为2147483647个字符




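Public Function 进制_二转十六( Bin)
    // 用途: binary digit string -> uppercase hex string without leading zeros ("1010" -> "A").
    // Bin: a string of '0'/'1' characters; a local copy is padded on the left to a multiple
    //      of 4 bits (the old code padded the caller's variable in place).
    // Returns: the hex string. Fix: an all-zero input gives "0" instead of ""; an empty
    //          input still gives "". A 4-character group containing anything other than
    //          0/1 is skipped, as before.
    Dim 位串, i, j, 组, nib, 十六
    位串 = Bin
    If Len(位串) Mod 4 <> 0 Then
        位串 = String(4 - Len(位串) Mod 4, "0") & 位串
    End If
    十六 = ""
    For i = 1 To Len(位串) Step 4
        组 = Mid(位串, i, 4)
        If Len(Replace(Replace(组, "0", ""), "1", "")) = 0 Then
            nib = 0
            For j = 1 To 4
                nib = nib * 2 + CInt(Mid(组, j, 1))
            Next
            十六 = 十六 & Mid("0123456789ABCDEF", nib + 1, 1)
        End If
    Next
    // strip leading zeros but keep at least one digit
    Do While Len(十六) > 1 And Left(十六, 1) = "0"
        十六 = Mid(十六, 2)
    Loop
    进制_二转十六 = 十六
End Function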

//TracePrint   "将十六进制转化为十进制"   &   H2D("ffffffff")

' 用途:将十六进制转化为十进制

' 输入:Hex(十六进制数)

' 输入数据类型:String

' 输出:H2D(十进制数)

' 输出数据类型:Long

' 输入的最大数为7FFFFFFF,输出的最大数为2147483647

//TracePrint 进制_十六转十("FFFFFFFFFFFF")





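Function 进制_十六转有十(HexVal) //只支持有符号整数
    // 用途: hex string -> signed 32-bit integer via CLng("&H..."), so "FFFFFFFF" -> -1 and
    // "7FFFFFFF" -> 2147483647. More than 8 hex digits raises an overflow error.
    // Fix: the result was assigned to an undeclared variable (进制_十六转有符号十), so the
    // function itself always returned Empty.
    进制_十六转有十 = CLng("&H" & HexVal)
End Function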


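Function 进制_十转十六(IntVal)   //内存专用 支持无符号4字节整数
    // 用途: decimal -> hex for memory addresses; accepts unsigned 32-bit values (0..4294967295)
    // that do not fit a signed Long. Values above 2147483647 are mapped to their two's-complement
    // negative so Hex() prints the 8-digit form ("80000000", "FFFFFFFF").
    // Fix: the old mapping 4294967295 - IntVal - 1 negated the value (2147483648 -> "7FFFFFFE");
    // the correct mapping is IntVal - 4294967296, the one Hexs() uses. The caller's variable
    // is no longer modified.
    Dim n
    n = IntVal
    If n > 2147483647 Then
        n = n - 4294967295 - 1
    End If
    进制_十转十六 = Hex(n)
End Function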



Function Hexs(IntVal)   //内存专用 支持无符号4字节整数
    // Unsigned 32-bit value -> hex string. Anything above the signed Long maximum is folded
    // into its two's-complement negative (IntVal - 2^32) so Hex() yields the 8-digit form;
    // the argument itself is updated, as parameters are ByRef here.
    If IntVal > 2147483647 Then IntVal = IntVal - 4294967295 - 1
    Hexs = Hex(IntVal)
End Function



Public Function 进制_十六转十(Hex)//支持长整数地址,主要用来搞内存
    // Hex digit string -> number, accumulated as a Double so 8-digit addresses above the
    // signed Long range come back unsigned ("FFFFFFFF" -> 4294967295). Characters outside
    // 0-9/A-F contribute nothing. The argument is upper-cased in place (ByRef parameter).
    Dim 位置, 权, 数字, 累加
    Hex = UCase(Hex)
    权 = CDbl(1)
    For 位置 = Len(Hex) To 1 Step -1
        数字 = InStr("0123456789ABCDEF", Mid(Hex, 位置, 1))
        If 数字 > 0 Then 累加 = 累加 + 权 * (数字 - 1)
        权 = 权 * 16
    Next
    进制_十六转十 = 累加
End Function

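Public Function 进制_十六转二( Hex )
    // 用途: hex string -> binary digit string without leading zeros ("1A" -> "11010").
    // Hex: hex digits in either case; other characters are ignored. The caller's variable
    //      is no longer modified (the old code upper-cased it in place).
    // Returns: the binary string. Fix: an all-zero input ("00") gives "0" instead of "";
    //          an input with no hex digits at all gives "".
    Dim 大写, i, 数字, 位串
    大写 = UCase(Hex)
    位串 = ""
    For i = 1 To Len(大写)
        数字 = InStr("0123456789ABCDEF", Mid(大写, i, 1)) - 1
        If 数字 >= 0 Then
            // the four bits of 数字, most significant first
            位串 = 位串 & ((数字 \ 8) Mod 2) & ((数字 \ 4) Mod 2) & ((数字 \ 2) Mod 2) & (数字 Mod 2)
        End If
    Next
    Do While Len(位串) > 1 And Left(位串, 1) = "0"
        位串 = Mid(位串, 2)
    Loop
    进制_十六转二 = 位串
End Function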

Function 进制_十六转十进制(十六进制字符串)
    // Hex string -> decimal by Horner's rule (result = result * 16 + digit). Digits are decoded
    // from their ASCII code after upper-casing (0-9 -> 0..9, A-F -> 10..15); other characters
    // are not rejected and simply yield an out-of-range digit value.
    // 例子: 进制_十六转十进制("FFFFFF") -> 16777215
    Dim 大写, 位置, 位值, 结果
    结果 = 0
    大写 = UCase(十六进制字符串)
    位置 = 1
    Do While 位置 <= Len(大写)
        位值 = Asc(Mid(大写, 位置, 1)) - 48
        If 位值 > 9 Then 位值 = 位值 - 7
        结果 = 结果 * 16 + 位值
        位置 = 位置 + 1
    Loop
    进制_十六转十进制 = 结果
End Function

Function 进制_字节集标准化(十六字节集)
    // Re-spaces a run of hex digits into byte pairs: "E9AB12" -> "E9 AB 12".
    // A trailing odd digit is dropped, and the argument itself is overwritten with the
    // result as well (ByRef parameter) — both as in the original.
    Dim 对数, k, 输出
    输出 = ""
    对数 = Len(十六字节集) \ 2
    For k = 1 To 对数
        输出 = 输出 & " " & Mid(十六字节集, 2 * k - 1, 2)
    Next
    十六字节集 = LTrim(输出)
    进制_字节集标准化 = 十六字节集
End Function

Function 创建进程S(ParentProPid, WholePathAndParam, WorkPath)//发神经了,为什么不直接用API,为什么要用shellcode

    // Starts a process by running a CreateProcessA call inside ParentProPid (the commented
    // example above passes GetCurrentProcessId()). By argument position the stub performs
    //   CreateProcessA(0, WholePathAndParam, 0, 0, 0, 0, 0, WorkPath, 参数9, 参数10)
    // i.e. 参数9 is lpStartupInfo and 参数10 is lpProcessInformation; stdcall arguments are
    // pushed right-to-left, which is why 参数10 is pushed first.
    // ParentProPid: process that runs the stub. WholePathAndParam: command line.
    // WorkPath: current directory for the child. Returns: Empty (nothing is assigned).
    // NOTE(review): neither structure buffer is initialised before the call (STARTUPINFO.cb is
    // never set), the handles returned in 参数10 are never read or closed, and WorkPath goes
    // into a fixed 50-byte buffer while the command line buffer is sized from its length.
    Dim 参数2,参数8,参数9,参数10

    // resolved locally; used as an absolute address inside ParentProPid
    Addr_CreateProcessA = 获取函数地址API("kernel32.dll", "CreateProcessA")

    //    TracePrint Hex(Addr_CreateProcessA)

    参数2 =   申请指定进程空间(ParentProPid,len(WholePathAndParam)+8) //获取文件路径大小,根据居停情况分配空间

    //    TracePrint Hex(参数2)

    Call 写入字符集ASCII(ParentProPid, 参数2, WholePathAndParam)   //完整路径和参数

    参数8 =   申请指定进程空间(ParentProPid,50)

    //    TracePrint Hex(参数8)

    Call 写入字符集ASCII(ParentProPid, 参数8, WorkPath)   //工作路径   E:\\moyu"

    参数10 = 申请指定进程空间(ParentProPid, 20) //这个结构太小了,根据具体情况,200

    参数9 =   申请指定进程空间(ParentProPid,500)   //这个结构太小了,根据具体情况,200

    // stub: push ebp; mov ebp,esp; push <10 args>; mov eax,CreateProcessA; call eax;
    //       mov esp,ebp; pop ebp; ret
    call AsmClear()

    Call Push_EBP()

    Call mov_ebp_esp()

    Call PUSH(参数10) //这个是结构

    Call PUSH(参数9)   //这个是结构

    Call PUSH(参数8)   //不包括文件名字路径

    Call PUSH(0)

    Call PUSH(0)

    Call PUSH(0)

    Call PUSH(0)

    Call PUSH(0)

    Call PUSH(参数2)

    Call PUSH(0)

    Call Mov_EAX_Value(Addr_CreateProcessA)

    Call Call_EAX

    Call Mov_ESP_EBP()

    Call pop_ebp()

    Call Ret()

    //TracePrint W_GetCode()

    // RunAsmCode is not in the visible file; second argument 0 here vs 1 elsewhere — meaning not visible
    Call RunAsmCode(ParentProPid, 0)

    // the buffers are released 100 ms after the stub is started, without checking it finished
    Delay 100

    Call 释放进程分配空间(ParentProPid,参数8)

    Call 释放进程分配空间(ParentProPid,参数2)

    Call 释放进程分配空间(ParentProPid,参数9)

    Call 释放进程分配空间(ParentProPid,参数10)

End function

//call 钩子HOOK实例()

Function 钩子HOOK实例(ProcessId)//==============================//HWND = Plugin.Window.Find(0, "【魔域】")   ProcessId = Plugin.SysEx.GetProcessID(Hwnd)

    // Worked example for RunAsmCodetoMainThread. Allocates 120 bytes in the target (up to 100
    // for code, a 4-byte "has run" flag at offset 100, zeroed first), then builds a stub that
    // loads eax from the fixed address &H12C447C, pushes 1 and 3, loads ecx from [eax], calls
    // the function whose address is stored at &H12C51D4, and finally stores 1 into the flag.
    // The two absolute addresses belong to one specific build of the target program named in
    // the author's comment; nothing here derives them. Returns: Empty.
    申请回调函数地址 = 申请指定进程空间(ProcessId, 120)//最长代码是100

    Call 写入四字节内存整数(ProcessId, 申请回调函数地址 + 100, 0)

    call AsmClear()

    Call Push_EBP()

    Call mov_ebp_esp()

    call Mov_EAX_DWORD_Ptr_Addr(&H12C447C)

    Call Push (1)

    Call Push(3)

    Call Mov_ECX_DWORD_Ptr_EAX

    Call Mov_ESI_DWORD_Ptr_Addr(&H12C51D4)

    Call Call_ESI

    // flag = 1 so the polling loop in RunAsmCodetoMainThread stops
    Call Mov_EAX_Value(1)

    call Mov_DWORD_Ptr_Addr_EAX(申请回调函数地址+100)

    Call Mov_ESP_EBP()

    Call pop_ebp()

    Call ret   //这个和上面5个push 是对应关系的

    Call RunAsmCodetoMainThread(ProcessId, 申请回调函数地址)

End function

Function RunAsmCodetoMainThread(ProcessId, 申请回调函数地址) //============================注入核心代码========================

    // Runs the stub accumulated in the global PublicCode on the target's window thread:
    // 1) re-space PublicCode into "XX XX ..." byte pairs and write it at 申请回调函数地址;
    // 2) up to 300 times, install a hook via 钩子HOOK注入执行 and poll the 4-byte flag at
    //    申请回调函数地址+100 until it reads 1 (the stub is expected to set it, see 钩子HOOK实例).
    // Globals used: PublicCode (overwritten with the spaced form), HWND (not a parameter — the
    // caller must have set it) and q (loop counter). Returns: Empty.
    // NOTE(review): every iteration installs another hook and allocates another 4-byte result
    // slot in the target; nothing in this loop releases either (钩子HOOK卸载 exists for the handle).
    // The re-spacing loop duplicates 进制_字节集标准化.
    Dim i

    dim   PublicCode_1                       

    For i = 0 To Len(PublicCode) / 2 - 1

        PublicCode_1 = PublicCode_1 &(" " & Mid(PublicCode, i * 2 + 1, 2)) //======里是字符集转换空格隔开======

    Next

    PublicCode=LTrim(PublicCode_1)   //重新赋值

    //TracePrint   PublicCode

    call 写入字节集(ProcessId, 申请回调函数地址, PublicCode)

    Dim 函数是否执行

    q=0

    // "For 300" is the dialect's repeat-N-times loop
    For 300

        q=q+1

        TracePrint   q

        Call 钩子HOOK注入执行(HWND, 申请回调函数地址, ProcessId)

        函数是否执行 = 读取四字节整数(ProcessId, 申请回调函数地址 + 100)

        TracePrint   Hex(函数是否执行)

        If 函数是否执行 = 1 Then

            Exit For

        End if

    Next

End Function

Function 钩子Hook注入二进制代码(ProcessId, 申请回调函数地址,二进制字节集)//==========================================================

    // Same procedure as RunAsmCodetoMainThread, except the bytes come from the 二进制字节集
    // argument and PublicCode is a local here: re-space into byte pairs, write the bytes at
    // 申请回调函数地址, then hook up to 300 times until the flag at +100 reads 1.
    // Globals used: HWND (not a parameter — must be set by the caller) and q. Returns: Empty.
    // The stub is expected to write 1 to 申请回调函数地址+100 itself, otherwise all 300
    // iterations run. The re-spacing loop duplicates 进制_字节集标准化.
    Dim i

    Dim PublicCode_1

    Dim PublicCode

    PublicCode=二进制字节集

    For i = 0 To Len(PublicCode) / 2 - 1

        PublicCode_1 = PublicCode_1 &(" " & Mid(PublicCode, i * 2 + 1, 2)) //======里是字符集转换空格隔开======

    Next

    PublicCode=LTrim(PublicCode_1)   //重新赋值

    TracePrint   PublicCode

    call 写入字节集(ProcessId, 申请回调函数地址, PublicCode)

    //call 写入字节集(ProcessId, 申请回调函数地址, "8B 0D 7C 24 2C 01 6A 01 6A 03 8B 09 FF 15 D4 31 2C 01 C3")

    Dim 函数是否执行

    q=0

    // each pass installs a new hook (see note on RunAsmCodetoMainThread) and polls the flag
    For 300

        q=q+1

        //TracePrint   q

        Call 钩子HOOK注入执行(HWND, 申请回调函数地址, ProcessId)

        函数是否执行 = 读取四字节整数(ProcessId, 申请回调函数地址 + 100)

        //TracePrint   Hex(函数是否执行)

        If 函数是否执行 = 1 Then

            Exit For

        End if

    Next

End Function

//=======================================钩子处理================

Function 钩子HOOK注入执行(HWND, 函数地址, ProcessId)

    // Installs a WH_CALLWNDPROC hook (type 4) on the thread that owns HWND, with 函数地址 (code
    // already placed in the target) as the hook procedure. The SetWindowsHookExA call is itself
    // assembled as a stub (push threadId; push hMod; push 函数地址; push 4; call edx) and run
    // with RunAsmCode(ProcessId, 1); the HHOOK it returns is stored at 存放返回值的地址 and read
    // back as the function result.
    // HWND: target window. 函数地址: address of the hook procedure in the target.
    // ProcessId: target process. Returns: the hook handle (pass it to 钩子HOOK卸载), or whatever
    // 读取四字节整数 finds if the stub has not finished yet — the 100 ms delay is commented out.
    // This is the SetWindowsHookEx injection pattern (hook procedure at an allocated address on
    // a foreign thread), a combination endpoint monitoring generally flags.
    Dim 存放返回值的地址

    Dim ThreadPid

    // 4-byte slot for the HHOOK; never released here
    存放返回值的地址= 申请指定进程空间(ProcessId, 4)

    //TracePrint   Hex(存放返回值的地址)

    // despite the name this is the thread id (the process id out-parameter is passed as 0)
    ThreadPid=GetWindowThreadProcessId(HWND,0)

    Addr_SetWindowsHookEx = 获取函数地址API("user32.dll", "SetWindowsHookExA")

    //TracePrint "Addr_SetWindowsHookEx函数地址 === " & Hex(Addr_SetWindowsHookEx)

    call AsmClear()

    Call Push_EBP()

    Call mov_ebp_esp()

    // arguments pushed right-to-left: dwThreadId, hMod, lpfn, idHook
    Call PUSH(ThreadPid)

    // hMod resolved in the current process (the script host's own module, per the author's 4000000 note)
    Call PUSH(GetModuleHandleA(0)) //窗口句柄基地址 4000000

    Call PUSH(函数地址)

    Call PUSH(4)   //,先写入完整call 再调用 这个是基地址不过要保持平衡,PK模式call

    Call Mov_EDX_Value(Addr_SetWindowsHookEx)

    Call Call_EDX()

    Call Mov_DWORD_Ptr_Addr_EAX(存放返回值的地址)

    Call Mov_ESP_EBP()

    Call pop_ebp()

    Call ret   //这个和上面5个push 是对应关系的

    //TracePrint   PublicCode

    Call RunAsmCode(ProcessId, 1)//核心代码

    //Delay 100 //============================读取内存一定要延迟,因为HOOK消息要排队的。

    //TracePrint "存放返回值的地址 =="&   Hex(存放返回值的地址)

    // 钩子类型 is an implicit global holding the HHOOK read back from the target
    钩子类型= 读取四字节整数(ProcessId,存放返回值的地址)

    //TracePrint "钩子类型==" & Hex(钩子类型)

    钩子HOOK注入执行= 钩子类型

End Function

//call AsmClear()//========================================================================本地执行汇编运算例子

//Addr_SendMessageA = 获取函数地址API("user32.dll", "SendMessageA")

//TracePrint Addr_SendMessageA

//call AsmClear()

//Call Push_EBP()

//Call mov_ebp_esp()

//Call PUSH(0)

//Call PUSH(0)

//Call PUSH(0)

//Call PUSH(hwnd)

//Call Mov_EAX_Value(Addr_SendMessageA)

//Call Call_EAX

//Call Mov_ESP_EBP()

//Call pop_ebp()

//Call Ret()

//TracePrint W_GetCode()

//Call RunAsmCode(ProcessId, 1)//核心代码

Function 钩子HOOK卸载(钩子句柄)
    // Removes a hook installed earlier (the handle returned by 钩子HOOK注入执行) with
    // UnhookWindowsHookEx. The API result is not propagated, so the function returns Empty.
    Dim 结果
    结果 = UnhookWindowsHookEx(钩子句柄)
End Function

//=======================================钩子处理===================

EndScript

Function 钩子HOOK消息注册(消息字符串)
    // Registers (or looks up) a window message by name and returns its numeric id,
    // exactly as RegisterWindowMessage reports it (0 on failure).
    Dim 消息值
    消息值 = RegisterWindowMessage(消息字符串)
    钩子HOOK消息注册 = 消息值
End Function

Function RunCurAsmCode()//本地执行汇编运算

    // Executes the stub held in the global PublicCode inside this process: re-spaces it into
    // byte pairs, allocates CodeSize bytes in the current process, writes the bytes there and
    // transfers control through CallWindowProcA, which treats the buffer address as a window
    // procedure (called with four zero arguments). The return value is not captured.
    // Side effects on globals: PublicCode (spaced form), AsmCode (ReDim'd array — only its
    // upper bound is used), CodeSize and NewWriteCodeAddr. Whether the buffer is executable
    // depends on how 申请指定进程空间 allocates it (not visible here).
    Dim i                         //==========================================================

    dim AsmCode1

    AsmCode1=""

    // sized only to drive the loop below; the array contents are never written
    ReDim AsmCode(Len(PublicCode) / 2 - 1)

    For i = 0 To UBound(AsmCode)

        AsmCode1 = AsmCode1 &(" " & Mid(PublicCode, i * 2 + 1, 2)) //======里是字符集转换空格隔开======

    Next

    PublicCode = LTrim(AsmCode1)

    TracePrint PublicCode

    // byte count = number of space-separated pairs, plus slack (author's comment)
    CodeSize = UBound(split(PublicCode, " "))+10 //加10避免空间不够用." "这个是十六进制字符分隔符

    //TracePrint   CodeSize

    NewWriteCodeAddr = 申请指定进程空间(GetCurrentProcessId(), CodeSize)//申请空

    TracePrint Hex(NewWriteCodeAddr )

    call 写入字节集(GetCurrentProcessId(), NewWriteCodeAddr, PublicCode)

    // first parameter of CallWindowProcA is the address that gets called
    Call CallWindowProcA(NewWriteCodeAddr,0,0,0,0)

End Function

//call 远程注入汇编代码(ProcessId, "8B 0D 7C 24 2C 01 6A 00 68 38 7C 91 8B 8B 09 A1 E8 29 2C 01 FF D0 C3")   //记住要加上ret

//call 远程注入汇编代码(ProcessId, "8B 0D 7C 24 2C 01 6A 00 68 38 7C 91 8B 8B 09 A1 E8 29 2C 01 FF D0 C3")   //记住要加上ret

Function AsmClear()
    // Resets the global PublicCode buffer that the Push/Mov/Call helpers append
    // machine-code bytes to; call it before assembling a new stub.
    PublicCode = ""
End Function

Function 窗口的创建者ThreadPId(Hwnd,lpdwProcessId)
    // Thin wrapper over GetWindowThreadProcessId: returns the id of the thread that created
    // Hwnd; lpdwProcessId is passed through (ByRef in the Declare) and receives the process id.
    Dim 线程ID
    线程ID = GetWindowThreadProcessId(Hwnd, lpdwProcessId)
    窗口的创建者ThreadPId = 线程ID
End Function

Function 跨进程模块通讯链接(ProcessId,SendData)
    // Placeholder: the feature is disabled. Only logs a notice and returns Empty;
    // ProcessId and SendData are accepted but unused.
    Dim 提示
    提示 = "该功能暂停使用!"
    TracePrint 提示
end Function

Function 汇编执行代码(ByteData,Size)//完成,获取返回值暂时还没有办法

    WriteAddr= 申请指定进程空间(GetCurrentProcessId(),Size) //这个是存放汇编代码地址的

    //TracePrint Hex(WriteAddr)

    ByteData = ByteData + " C2 14 00"   //这里是retn 14

    //TracePrint ByteData

    call 写入字节集(GetCurrentProcessId(), WriteAddr, ByteData)   //retn   14,个参数 。这里是写入