fasm x64 汇编专治TOTALCMD64 11.51不加载msimg32.dll

slzslz

需要怎么一字节TOTALCOMMAND 各位大侠在msimg32,dll中继续发挥吧

[Asm] 纯文本查看 复制代码

format PE64 GUI 5.0
entry start

include 'win64a.inc'

; 常量定义
INFINITE             = 0xFFFFFFFF
MEM_COMMIT           = 0x1000
MEM_RESERVE          = 0x2000
PAGE_READWRITE       = 0x04
CREATE_SUSPENDED     = 0x00000004

section '.data' data readable writeable

    my_dll_path        db 'msimg32.dll',0
    my_dll_path_len    = $ - my_dll_path  ; 字符串长度（含NULL）
    process_info       PROCESS_INFORMATION
    startup_info       STARTUPINFO
    process_handle     dq ?
    process_id         dd ?
    thread_handle      dq ?
    kernel32_dll       db 'kernel32.dll',0
    load_library_name  db 'LoadLibraryA',0
    load_library_addr  dq ?
    remote_mem         dq ?
    thread_ret         dq ?  ; 远程线程句柄

section '.code' code readable executable

start:
   sub     rsp, 8      ; 对齐栈

    ; 初始化 STARTUPINFO 结构
    lea     rdi, [startup_info]
    mov     rcx, sizeof.STARTUPINFO
    xor     eax, eax
    rep stosb
    mov     [startup_info.cb], sizeof.STARTUPINFO

    ; 创建挂起的 Notecase.exe 进程
    invoke  CreateProcessA, 0, "TOTALCMD64.EXE", 0, 0, 0, \
            CREATE_SUSPENDED, 0, 0, startup_info, process_info

    test    rax, rax
    jz exit_program

    ; 保存进程句柄和 PID
    mov rax, [process_info.hProcess]
    mov [process_handle], rax
    mov eax, [process_info.dwProcessId]
    mov [process_id], eax

    ; 保存线程句柄
    mov rax, [process_info.hThread]
    mov [thread_handle], rax

    ; 获取 LoadLibraryA 地址
    invoke GetModuleHandleA, kernel32_dll
    test rax, rax
    jz exit_program_cleanup

    invoke GetProcAddress, rax, load_library_name
    test rax, rax
    jz exit_program_cleanup
    mov [load_library_addr], rax

    ; 在目标进程中分配内存
    invoke VirtualAllocEx, [process_handle], 0, my_dll_path_len, MEM_COMMIT or MEM_RESERVE, PAGE_READWRITE
    test rax, rax
    jz exit_program_cleanup
    mov [remote_mem], rax

    ; 写入 DLL 路径
    invoke WriteProcessMemory, [process_handle], [remote_mem], my_dll_path, my_dll_path_len, 0
    test rax, rax
    jz exit_program_cleanup

    ; 创建远程线程调用 LoadLibraryA
    invoke CreateRemoteThread, [process_handle], 0, 0, [load_library_addr], [remote_mem], 0, 0
    test rax, rax
    jz exit_program_cleanup
    mov [thread_ret], rax  ; 保存远程线程句柄

    ; 等待 DLL 加载完成
    invoke WaitForSingleObject, [thread_ret], INFINITE

    ; 检查 DLL 是否加载成功（可选）
    invoke GetExitCodeThread, [thread_ret], remote_mem
    test rax, rax
    jz @f
    cmp [remote_mem], 0
    jnz @f
    ; 可在此处处理 DLL 加载失败的情况
@@:
    ; 关闭远程线程句柄
    invoke CloseHandle, [thread_ret]

    ; 恢复 notecase.exe 的主线程（关键修复点！）
    invoke ResumeThread, [thread_handle]

exit_program_cleanup:
    ; 释放分配的内存
    invoke VirtualFreeEx, [process_handle], [remote_mem], 0, MEM_RELEASE

    ; 关闭句柄
    invoke CloseHandle, [thread_handle]
    invoke CloseHandle, [process_handle]

exit_program:
    invoke ExitProcess, 0

section '.idata' import data readable writeable

library kernel32, 'kernel32.dll'

include 'api\kernel32.inc'

anablap

感谢发布原创作品，PYG有你更精彩！

ruanjian

谢谢分享

qinccckencn

謝謝提供分享學習了

cxqdly

多谢汇编大神

toneger

膜拜大神~！
谢谢大佬~！

linxiansen

PYG有你更精彩！

Paranioa

感谢分享

lies2014

谢谢分享！

zenix

很不错。
谢谢分享源代码。