c#通过调用windows API函数,可以很轻松地完成非托管WIN32程序的注入、内存读写等操作,以下为c#实现远程注入非托管WIN32程序,并利用嵌入汇编调用非托管WIN32程序中的内部过程的源码:(注:c#内嵌汇编其实是用一个类来实现汇编与机器码之间的转换关系。)
/// <summary>
/// WinForms front end that attaches to another process, polls one address in
/// its memory every 100 ms, and executes small hand-assembled instruction
/// sequences inside it through the project's <c>AsmClass.RunAsm</c>.
/// Every address used below is a hard-coded literal, so the form only works
/// against the exact target build those literals were taken from.
/// NOTE(review): the class is marked <c>unsafe</c>, but nothing in this file
/// uses pointer syntax; presumably the designer half of the partial class or
/// AsmClass needs it — confirm before keeping the modifier.
/// </summary>
public unsafe partial class Form1 : Form
{
    // Raw process handle returned by OpenProcess in btnSelectProcess_Click.
    // No CloseHandle call appears anywhere in this class, and re-selecting a
    // process simply overwrites the field, so every selection leaks a handle
    // that keeps full access to the target until this process exits.
    int pHandle = 0;
    // Process id of the selected target; handed to AsmClass.RunAsm.
    int pid = 0;
    // Last 4-byte value read from baseAddress by timer1_Tick.
    int value = 0;
    // Hard-coded address polled by the timer; specific to one target build.
    int baseAddress = 0x452BD4;
    // Process chosen in FrmProcessSelect; stays null until a selection succeeds.
    Process controlProcess = null;

    /// <summary>Designer-style constructor; only wires up the generated controls.</summary>
    public Form1()
    {
        InitializeComponent();
    }



    /// <summary>
    /// Timer callback (interval set to 100 ms in btnSelectProcess_Click): reads
    /// 4 bytes at baseAddress from the target and shows them in label1.
    /// Whatever the ReadProcessMemory wrapper returns is discarded, so a failed
    /// read (target exited, address no longer mapped) silently keeps showing
    /// the previous value.
    /// </summary>
    private void timer1_Tick(object sender, EventArgs e)
    {
        Win32API.API.ReadProcessMemory(pHandle, baseAddress, out value, 4, 0);
        label1.Text = value.ToString();
    }

    /// <summary>
    /// Emits and runs, inside the target, the sequence the AsmClass method
    /// names describe: pushad; mov eax,5555; mov ebx,addr; call ebx; popad;
    /// ret.  The emission order below is the program being built — do not
    /// reorder these calls.  <paramref name="addr"/> comes straight from user
    /// input (btnCallTest_Click) and is not validated here; calling an
    /// arbitrary address will simply crash the target.
    /// </summary>
    /// <param name="addr">Absolute address in the target to call.</param>
    private void asmcall(int addr)
    {
        AsmClass asm = new AsmClass();
        // pushad/popad bracket the call so the target's registers are restored
        // afterwards; how RunAsm schedules the code in the target is not visible here.
        asm.Pushad();
        asm.Mov_EAX(5555);
        asm.Mov_EBX(addr);
        asm.Call_EBX();

        asm.Popad();
        asm.Ret();
        asm.RunAsm(this.pid);
    }
    /// <summary>
    /// Parses txtCallAddress as a hexadecimal address and calls it in the
    /// target.  Convert.ToInt32(text, 16) throws FormatException on non-hex
    /// input and nothing here catches it, so a typo surfaces as an unhandled
    /// exception in the UI thread.
    /// </summary>
    private void btnCallTest_Click(object sender, EventArgs e)
    {
        int addr = Convert.ToInt32(txtCallAddress.Text, 16);
        this.asmcall(addr);
    }

    /// <summary>
    /// Lets the user pick a target process, opens it with OPEN_PROCESS_ALL
    /// (presumably PROCESS_ALL_ACCESS — check the Win32API wrapper) and starts
    /// the 100 ms memory poll.  Opening an unrelated process with full access
    /// and then executing code in it is exactly the behaviour endpoint security
    /// products monitor, so expect this to be blocked or flagged on managed
    /// machines and to fail outright against protected processes.
    /// </summary>
    private void btnSelectProcess_Click(object sender, EventArgs e)
    {
        FrmProcessSelect frmProcessSelect = new FrmProcessSelect();
        if (frmProcessSelect.ShowDialog() == DialogResult.OK)
        {
            controlProcess = frmProcessSelect.resultProcess;
            txtProcessName.Text = controlProcess.ProcessName;
        }
        else
        {
            frmProcessSelect.Dispose();
            return;
        }
        // The dialog is disposed by hand on both paths; a using block would
        // cover both and also the exception path.
        frmProcessSelect.Dispose();

        pid = controlProcess.Id;
        // Any handle from a previous selection is overwritten without being closed.
        pHandle = Win32API.API.OpenProcess(Win32API.API.OPEN_PROCESS_ALL, 0, pid);

        // Failure is reported through the label only; the underlying reason
        // (insufficient rights, protected process, ...) is not retrieved.
        if (pHandle <= 0)
        {
            lblMsg.Text = "打开进程失败!"; // "failed to open process"
            return;
        }
        else
        {
            // Literal text reads "process created successfully", although the
            // code opened an existing process rather than creating one.
            lblMsg.Text = "进程创建成功!";
            groupBox1.Enabled = true;
            timer1.Interval = 100;
            timer1.Start();
        }
    }

    /// <summary>
    /// Runs, in the target, the sequence the AsmClass method names describe:
    /// ebx = 0xD53BE4; eax = 0xD51F28; edx = [ebx+0x214]; [eax+0x24C] = edx;
    /// eax = ebx; call 0x430020 — bracketed by pushad/popad and ended with ret.
    /// Identical to btnSubtractCall_Click except for the first ebx constant, so
    /// the two handlers could share one helper taking that address.  All five
    /// literals are specific to one target build; the emission order is the
    /// program being built and must not be reordered.
    /// </summary>
    private void btnAddCall_Click(object sender, EventArgs e)
    {
        AsmClass asm = new AsmClass();
        asm.Pushad();

        asm.Mov_EBX(0xD53BE4);
        asm.Mov_EAX(0xD51F28);
        asm.Mov_EDX_DWORD_Ptr_EBX_Add(0x214);
        asm.Mov_DWORD_Ptr_EAX_Add_EDX(0x24C);
        asm.Mov_EAX_EBX();

        asm.Mov_EBX(0x430020);
        asm.Call_EBX();

        asm.Popad();
        asm.Ret();
        asm.RunAsm(this.pid);
    }

    /// <summary>
    /// Runs, in the target, the sequence the AsmClass method names describe:
    /// ebx = 0xD53F8C; eax = 0xD51F28; edx = [ebx+0x214]; [eax+0x24C] = edx;
    /// eax = ebx; call 0x430020 — bracketed by pushad/popad and ended with ret.
    /// Identical to btnAddCall_Click except for the first ebx constant.  All
    /// five literals are specific to one target build; the emission order is
    /// the program being built and must not be reordered.
    /// </summary>
    private void btnSubtractCall_Click(object sender, EventArgs e)
    {
        AsmClass asm = new AsmClass();
        asm.Pushad();

        asm.Mov_EBX(0xD53F8C);
        asm.Mov_EAX(0xD51F28);
        asm.Mov_EDX_DWORD_Ptr_EBX_Add(0x214);
        asm.Mov_DWORD_Ptr_EAX_Add_EDX(0x24C);
        asm.Mov_EAX_EBX();

        asm.Mov_EBX(0x430020);
        asm.Call_EBX();

        asm.Popad();
        asm.Ret();
        asm.RunAsm(this.pid);
    }
}
2 {
// Raw process handle returned by OpenProcess in btnSelectProcess_Click.
// No CloseHandle call appears anywhere in this listing, and re-selecting a
// process simply overwrites the field, so every selection leaks a handle.
int pHandle = 0;
// Process id of the selected target; handed to AsmClass.RunAsm.
int pid = 0;
// Last 4-byte value read from baseAddress by timer1_Tick.
int value = 0;
// Hard-coded address polled by the timer; specific to one target build.
int baseAddress = 0x452BD4;
// Process chosen in FrmProcessSelect; stays null until a selection succeeds.
Process controlProcess = null;
8
/// <summary>Designer-style constructor; only wires up the generated controls.</summary>
public Form1()
{
    InitializeComponent();
}
13
14
15
/// <summary>
/// Timer callback (interval set to 100 ms in btnSelectProcess_Click): reads
/// 4 bytes at baseAddress from the target and shows them in label1.
/// Whatever the ReadProcessMemory wrapper returns is discarded, so a failed
/// read (target exited, address no longer mapped) silently keeps showing the
/// previous value.
/// </summary>
private void timer1_Tick(object sender, EventArgs e)
{
    Win32API.API.ReadProcessMemory(pHandle, baseAddress, out value, 4, 0);
    label1.Text = value.ToString();
}
21
/// <summary>
/// Emits and runs, inside the target, the sequence the AsmClass method names
/// describe: pushad; mov eax,5555; mov ebx,addr; call ebx; popad; ret.  The
/// emission order below is the program being built — do not reorder these
/// calls.  <paramref name="addr"/> comes straight from user input
/// (btnCallTest_Click) and is not validated here; calling an arbitrary
/// address will simply crash the target.
/// </summary>
/// <param name="addr">Absolute address in the target to call.</param>
private void asmcall(int addr)
{
    AsmClass asm = new AsmClass();
    // pushad/popad bracket the call so the target's registers are restored
    // afterwards; how RunAsm schedules the code in the target is not visible here.
    asm.Pushad();
    asm.Mov_EAX(5555);
    asm.Mov_EBX(addr);
    asm.Call_EBX();

    asm.Popad();
    asm.Ret();
    asm.RunAsm(this.pid);
}
/// <summary>
/// Parses txtCallAddress as a hexadecimal address and calls it in the target.
/// Convert.ToInt32(text, 16) throws FormatException on non-hex input and
/// nothing here catches it, so a typo surfaces as an unhandled exception in
/// the UI thread.
/// </summary>
private void btnCallTest_Click(object sender, EventArgs e)
{
    int addr = Convert.ToInt32(txtCallAddress.Text, 16);
    this.asmcall(addr);
}
39
/// <summary>
/// Lets the user pick a target process, opens it with OPEN_PROCESS_ALL
/// (presumably PROCESS_ALL_ACCESS — check the Win32API wrapper) and starts the
/// 100 ms memory poll.  Opening an unrelated process with full access and then
/// executing code in it is exactly the behaviour endpoint security products
/// monitor, so expect this to be blocked or flagged on managed machines and to
/// fail outright against protected processes.
/// </summary>
private void btnSelectProcess_Click(object sender, EventArgs e)
{
    FrmProcessSelect frmProcessSelect = new FrmProcessSelect();
    if (frmProcessSelect.ShowDialog() == DialogResult.OK)
    {
        controlProcess = frmProcessSelect.resultProcess;
        txtProcessName.Text = controlProcess.ProcessName;
    }
    else
    {
        frmProcessSelect.Dispose();
        return;
    }
    // The dialog is disposed by hand on both paths; a using block would cover
    // both and also the exception path.
    frmProcessSelect.Dispose();

    pid = controlProcess.Id;
    // Any handle from a previous selection is overwritten without being closed.
    pHandle = Win32API.API.OpenProcess(Win32API.API.OPEN_PROCESS_ALL, 0, pid);

    // Failure is reported through the label only; the underlying reason
    // (insufficient rights, protected process, ...) is not retrieved.
    if (pHandle <= 0)
    {
        lblMsg.Text = "打开进程失败!"; // "failed to open process"
        return;
    }
    else
    {
        // Literal text reads "process created successfully", although the
        // code opened an existing process rather than creating one.
        lblMsg.Text = "进程创建成功!";
        groupBox1.Enabled = true;
        timer1.Interval = 100;
        timer1.Start();
    }
}
71
/// <summary>
/// Runs, in the target, the sequence the AsmClass method names describe:
/// ebx = 0xD53BE4; eax = 0xD51F28; edx = [ebx+0x214]; [eax+0x24C] = edx;
/// eax = ebx; call 0x430020 — bracketed by pushad/popad and ended with ret.
/// Identical to btnSubtractCall_Click except for the first ebx constant, so
/// the two handlers could share one helper taking that address.  All five
/// literals are specific to one target build; the emission order is the
/// program being built and must not be reordered.
/// </summary>
private void btnAddCall_Click(object sender, EventArgs e)
{
    AsmClass asm = new AsmClass();
    asm.Pushad();

    asm.Mov_EBX(0xD53BE4);
    asm.Mov_EAX(0xD51F28);
    asm.Mov_EDX_DWORD_Ptr_EBX_Add(0x214);
    asm.Mov_DWORD_Ptr_EAX_Add_EDX(0x24C);
    asm.Mov_EAX_EBX();

    asm.Mov_EBX(0x430020);
    asm.Call_EBX();

    asm.Popad();
    asm.Ret();
    asm.RunAsm(this.pid);
}
90
/// <summary>
/// Runs, in the target, the sequence the AsmClass method names describe:
/// ebx = 0xD53F8C; eax = 0xD51F28; edx = [ebx+0x214]; [eax+0x24C] = edx;
/// eax = ebx; call 0x430020 — bracketed by pushad/popad and ended with ret.
/// Identical to btnAddCall_Click except for the first ebx constant.  All five
/// literals are specific to one target build; the emission order is the
/// program being built and must not be reordered.
/// </summary>
private void btnSubtractCall_Click(object sender, EventArgs e)
{
    AsmClass asm = new AsmClass();
    asm.Pushad();

    asm.Mov_EBX(0xD53F8C);
    asm.Mov_EAX(0xD51F28);
    asm.Mov_EDX_DWORD_Ptr_EBX_Add(0x214);
    asm.Mov_DWORD_Ptr_EAX_Add_EDX(0x24C);
    asm.Mov_EAX_EBX();

    asm.Mov_EBX(0x430020);
    asm.Call_EBX();

    asm.Popad();
    asm.Ret();
    asm.RunAsm(this.pid);
}
109 }