Thread injection: VB remote-thread DLL injection. Source: Published: Thursday, 12 February 2009 Views: 199 Comments: 0
A while ago I searched the web for remote-thread code … not … First we have to write … test.cpp:

#include "stdafx.h"
#include "test.h"
#include <windows.h>   // the third header name was lost in the original; <windows.h> and <stdlib.h> are assumed here
#include <stdlib.h>    // (GetCurrentProcessId/MessageBox/DLL_PROCESS_ATTACH and _itoa respectively)

BOOL APIENTRY DllMain(HANDLE hModule, DWORD reason, LPVOID lpReserved)
{
    char szProcessId[64];
    switch (reason)
    {
    case DLL_PROCESS_ATTACH:   // case label lost in the original; DLL_PROCESS_ATTACH is the only reason that matches the described behaviour
    {
        // Convert the host process ID to a decimal string and display it
        _itoa(GetCurrentProcessId(), szProcessId, 10);
        MessageBox(NULL, szProcessId, "RemoteDLL", MB_OK);
    }
    default:
        return TRUE;   // return value lost in the original; TRUE keeps the DLL loaded
    }
}

// create a new … with the wizard …

Then compile …. Open VB6, create a new … and add …:

Option Explicit

Public Const PROCESS_VM_READ = &H10
Public Const TH32CS_SNAPPROCESS = &H2
Public Const MEM_COMMIT = 4096
Public Const PAGE_READWRITE = 4
Public Const PROCESS_CREATE_THREAD = (&H2)
Public Const PROCESS_VM_OPERATION = (&H8)
Public Const PROCESS_VM_WRITE = (&H20)

'Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As String, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
'Public Declare Function GetLastError Lib "kernel32" …

Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As String, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Public Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Public Declare Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Long
Public Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Public Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function Process32Next Lib "kernel32" (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Public Type PROCESSENTRY32
    dwSize As Long
    cntUseage As Long
    th32ProcessID As Long
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    swFlags As Long
    szExeFile As String * 1024
End Type

Double-click the Form1 form …:

Option Explicit

Public Sub EnumAndInject()
    Dim MySnapHandle As Long
    Dim ProcessInfo As PROCESSENTRY32
    Dim MyRemoteProcessId As Long
    Dim MyDllFileLength As Long
    Dim MyDllFileBuffer As Long
    Dim MyReturn As Long
    Dim MyStartAddr As Long
    Dim MyResult As Long
    Dim temp As Long
    Dim DllFileName As String

    MySnapHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    ProcessInfo.dwSize = Len(ProcessInfo)
    If Process32First(MySnapHandle, ProcessInfo) <> 0 Then
        Do
            If InStr(ProcessInfo.szExeFile, "notepad.exe") > 0 Then    ' walk the process list looking for notepad.exe
                MyRemoteProcessId = OpenProcess(PROCESS_CREATE_THREAD + PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_VM_READ, False, ProcessInfo.th32ProcessID)    ' open the process to obtain notepad's …
                DllFileName = "c:\test.dll"
                MyDllFileLength = Len(DllFileName) + 1    ' anyone who has learned C …
                MyDllFileBuffer = VirtualAllocEx(MyRemoteProcessId, 0, MyDllFileLength, MEM_COMMIT, PAGE_READWRITE)    ' allocate … inside the specified process
                ' pass …
                ' but that does not have the expected effect; VirtualAllocEx returns …
                MyReturn = WriteProcessMemory(MyRemoteProcessId, MyDllFileBuffer, DllFileName, MyDllFileLength, temp)    ' write into the … just allocated
                ' by the way, …
                ' lpBaseAddress: but this value cannot be obtained by passing an address; if you pass it ByRef, what is actually passed is …
                ' as said above, MyDllFileBuffer …
                ' there are several more places below that must not be passed by reference …
                MyStartAddr = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA")    ' get LoadLibrary's …
                ' but CreateRemoteThread still has to tell it. Also, simply …
                ' and every application …
                ' notepad …
                ' LoadLibraryA has to be used; notepad is not written in VC …
                ' also note …
                MyResult = CreateRemoteThread(MyRemoteProcessId, 0, 0, MyStartAddr, MyDllFileBuffer, 0, temp)    ' OK, now let LoadLibrary load "c:\test.dll" …
                ' then, in notepad's memory region, …
                ' once the DLL has been injected into notepad.exe it pops up a dialog on its own showing notepad.exe's …
                CloseHandle MyRemoteProcessId    ' close the process handle (missing in the original; otherwise it leaks)
            End If
        Loop While Process32Next(MySnapHandle, ProcessInfo) <> 0
    End If
    CloseHandle MySnapHandle
End Sub

Private Sub Form_Load()
    EnumAndInject
End Sub

The above …

Reply 3: OP, what a coincidence: I only came here yesterday to ask a question and you have delivered it right to my door, haha. On the web I have looked at …

Reply 4: In …

Reply 5: Boss, can you give a download link? I'd like to take a look.... I say …

Reply 6: http://www.yesky.com/98/1952598.shtml API … under Windows 2000 …

Reply 7: …