; FASM, Win32 (stdcall via win32a.inc invoke macros), GUI subsystem, no console.
format PE GUI 4.0
entry start
include 'win32a.inc'

section '.data' data readable writeable

; Filled in by CreateProcessA; both handles are closed before exit.
processInfo     PROCESS_INFORMATION
startupInfo     STARTUPINFO

; Image name only, no path: resolved by CreateProcessA's normal search order.
cmdLine         db      'TOTALCMD64.EXE',0

hProcess        dd      ?               ; copy of processInfo.hProcess
baseAddress     dd      ?               ; assumed image base of the child, set in code (not read from the child)
bytesWritten    dd      ?               ; out-parameter of WriteProcessMemory

; Six NOP (90h) bytes: the payload handed to WriteProcessMemory.
nops            times 6 db 90h
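section '.code' code readable executable

;-----------------------------------------------------------------------
; start — program entry (no arguments, no return value).
; Launches cmdLine suspended, overwrites 6 bytes at baseAddress + 2B2DD0h
; with NOPs, resumes it and exits 0. Any failure after the launch kills the
; suspended child (so it is not left behind stuck in suspended state),
; releases both handles and exits 1. CreateProcessA failure exits 1 directly.
; Clobbers: eax, ecx, edx (stdcall volatile set).
;-----------------------------------------------------------------------
start:
        ; STARTUPINFO must be zeroed with cb set; every other field keeps its default.
        invoke  RtlZeroMemory, startupInfo, sizeof.STARTUPINFO
        mov     [startupInfo.cb], sizeof.STARTUPINFO

        ; CREATE_SUSPENDED: the image is mapped but its primary thread has not run.
        invoke  CreateProcessA, 0, cmdLine, 0, 0, 0, CREATE_SUSPENDED, 0, 0, startupInfo, processInfo
        test    eax, eax
        jz      error_exit              ; nothing to clean up yet

        mov     eax, [processInfo.hProcess]
        mov     [hProcess], eax

        ; baseAddress is an assumption, not a measurement: it is never read back from
        ; the child (e.g. its PEB ImageBaseAddress), so a relocated / ASLR-loaded
        ; image will not be at this address and the write below lands elsewhere or
        ; fails. A 32-bit address (dd / eax) also cannot reach a 64-bit child mapped
        ; above 4 GB. Adjust per target build.
        mov     [baseAddress], 00400000h
        mov     eax, [baseAddress]
        add     eax, 2B2DD0h            ; eax = base + RVA 2B2DD0h (patch site)

        ; WriteProcessMemory returns 0 on failure; also require the full 6 bytes to
        ; have landed, since a partial write would leave the child in a mixed state.
        invoke  WriteProcessMemory, [hProcess], eax, nops, 6, bytesWritten
        test    eax, eax
        jz      patch_failed
        cmp     [bytesWritten], 6
        jne     patch_failed

        ; Only now let the child run. ResumeThread reports failure as (DWORD)-1.
        invoke  ResumeThread, [processInfo.hThread]
        cmp     eax, -1
        je      patch_failed

        invoke  CloseHandle, [processInfo.hThread]
        invoke  CloseHandle, [processInfo.hProcess]
        invoke  ExitProcess, 0

patch_failed:
        ; Child exists but was never resumed (or could not be): terminate it rather
        ; than leaving a permanently suspended process, then drop the handles.
        invoke  TerminateProcess, [processInfo.hProcess], 1
        invoke  CloseHandle, [processInfo.hThread]
        invoke  CloseHandle, [processInfo.hProcess]

error_exit:
        ; Non-zero exit code signals failure to whoever launched this loader.
        invoke  ExitProcess, 1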
section '.idata' import data readable writeable

library kernel32, 'kernel32.dll', \
        user32, 'user32.dll'

import kernel32, \
       CloseHandle, 'CloseHandle', \
       CreateProcessA, 'CreateProcessA', \
       ExitProcess, 'ExitProcess', \
       ResumeThread, 'ResumeThread', \
       RtlZeroMemory, 'RtlZeroMemory', \
       TerminateProcess, 'TerminateProcess', \
       WriteProcessMemory, 'WriteProcessMemory'

import user32, \
       MessageBoxA, 'MessageBoxA'