前段时间在网上搜远线程代码全是VC和Delphi看了很多帖子都说VB做不了真这样吗？
不仔细研究了网上流传VC版dll注入代码后先用VC做了个然后翻译成VB中间经过不少曲折(我太菜高手别笑我啊)现将经验写出来供和我样新手参考如有不对的处还望高手指出
首先我们要写个dll供注入目标就选“记事本”好了(notepad.exe)
没有装CompileController的类插件VB环境只能写ActiveX Dll所以dll就用vc写个其实是从网上抄来啦嘿嘿代码如下:
test.cpp:
＃i nclude “stdafx.h“
＃i nclude “test.h“
＃i nclude

BOOL APIENTRY DllMain(HANDLE hModule, DWORD reason, LPVOID lpReserved)
{
char szProcessId[64] ；
switch ( reason )
{
DLL_PROCESS_ATTACH:
{
_itoa ( GetCurrentProcessId, szProcessId, 10 )；
MessageBox ( NULL, szProcessId, “RemoteDLL“, MB_OK )；
}
default:
TRUE；
}
}
//用向导新建个简单dll添加以上代码作用是在dll注入以后报出自己“门牌号”便于验证
然后编译把test.dll放到C:下面

打开vb6新建个标准exe
添加个标准模块,添加以下代码:
Option Explicit

Public Const PROCESS_VM_READ = &H10
Public Const TH32CS_SNAPPROCESS = &H2
Public Const MEM_COMMIT = 4096
Public Const PAGE_READWRITE = 4
Public Const PROCESS_CREATE_THREAD = (&H2)
Public Const PROCESS_VM_OPERATION = (&H8)
Public Const PROCESS_VM_WRITE = (&H20)

’Public Declare Function ReadProcessMemory Lib “kernel32“ (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As String, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
’Public Declare Function GetLastError Lib “kernel32“ As Long
Public Declare Function VirtualAllocEx Lib “kernel32“ (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Public Declare Function WriteProcessMemory Lib “kernel32“ (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As String, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function GetProcAddress Lib “kernel32“ (ByVal hModule As Long, ByVal lpProcName As String) As Long
Public Declare Function GetModuleHandle Lib “kernel32“ Alias “GetModuleHandleA“ (ByVal lpModuleName As String) As Long
Public Declare Function Process32First Lib “kernel32“ (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Long
Public Declare Function CreateToolhelp32Snapshot Lib “kernel32“ (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Public Declare Function CreateRemoteThread Lib “kernel32“ (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Public Declare Function OpenProcess Lib “kernel32“ (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function Process32Next Lib “kernel32“ (ByVal hSapshot As Long, lppe As PROCESSENTRY32) As Long
Public Declare Function CloseHandle Lib “kernel32“ (ByVal hObject As Long) As Long

Public Type PROCESSENTRY32
dwSize As Long
cntUseage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
swFlags As Long
szExeFile As String * 1024
End Type
双击Form1窗体把代码改成下面样子:
Option Explicit

Public Sub EnumAndInject

Dim MySnapHandle As Long
Dim ProcessInfo As PROCESSENTRY32
Dim MyRemoteProcessId As Long
Dim MyDllFileLength As Long
Dim MyDllFileBuffer As Long
Dim MyReturn As Long
Dim MyStartAddr As Long
Dim MyResult As Long
Dim temp As Long
Dim DllFileName As String

MySnapHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
ProcessInfo.dwSize = Len(ProcessInfo)


If Process32First(MySnapHandle, ProcessInfo) <> 0 Then
Do
If InStr(ProcessInfo.szExeFile, “notepad.exe“) > 0 Then
’遍历进程,查找notepad.exe
MyRemoteProcessId = OpenProcess(PROCESS_CREATE_THREAD + PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_VM_READ, False, ProcessInfo.th32ProcessID)
’打开进程获得notepad句柄供后面操作使用
DllFileName = “c:\\test.dll“
MyDllFileLength = Len(DllFileName)+1
’学过C语言朋友应该知道串最后要个ASCII 0标志结尾所以要加1

MyDllFileBuffer = VirtualAllocEx(MyRemoteProcessId, 0, MyDllFileLength, MEM_COMMIT, PAGE_READWRITE)
’在指定进程里申请块内存区域出来供我们存放串“c:\\test.dll“
’传给api时byval byref有区别应该使用byval这样会传给api个标准C指针不能byref否则没问题
’但是起不到预期效果,VirtualAllocEx返回是申请到内存地址值.

MyReturn = WriteProcessMemory(MyRemoteProcessId, MyDllFileBuffer, DllFileName, MyDllFileLength, temp)
’向刚才申请内存中写入dll文件路径串
’顺便说下很多api浏览器上api声明都是错包括VB6自带也不例外writeprocessmemory第 2个参数要是
’lpBaseAddress 但是这个值不能传址得到,如果你按byref传址,实际上传是MyDllFileBuffer变量地址,而不是它里面存放那个数字


’上面说了MyDllFileBuffer数值才是WriteProcessMemory要地址,所以声明API时候定要byval,大家知道空着不写就是默认byref
’下面还有几处不该传址参数,只要搞清楚API要到底是什么值才可以确定到底传值还是传址,API浏览器仅能供参考,还是要仔细阅读MSDN
MyStartAddr = GetProcAddress(GetModuleHandle(“Kernel32“), “LoadLibraryA“)
’获取loadlibrary地址,这个可以载入指定dll文件,那他参数呢?就是我们刚才在notepad.exe进程里写入“c:\\test.dll“
’不过还得让CreateRemoteThread告诉他.另外简单说下windows下应用内存管理,我也不很懂,呵呵,win32下应用
’内存区域是隔开,每个有自己块内存不能直接访问别内存区,当然,这里几个系统有访问别内存区域特权
’而且每个应用内存区域都映射到系统内存区域里,也就是说在这里GetProcAddress得到VB里LoadLibraryA入口地址和
’notepad里LoadLibraryA地址是致(映射作用),所以不必担心.另外在VB写里
’要使用LoadLibraryA,notepad不是用vc写吗?要注意根notepad没关系,我们现在是在自己VB里面找LoadLibraryA入口.
’还有要注意大小写api和vb不样
MyResult = CreateRemoteThread(MyRemoteProcessId, 0, 0, MyStartAddr, MyDllFileBuffer, 0, temp)
’好了,现在该让LoadLibrary载入“c:\\test.dll“吧现在CreateRemoteThread做就是在notepad进程中把控制权转到LoadLibraryA入口
’然后把notepad内存区域中“c:\\test.dll“串当作参数传给LoadLibraryA现在我们dll文件就在notepad中运行了
’dll被注入notepad.exe以后会主动弹出对话框显示出notepad.exe进程ID,表明注入成功.

End If

Loop While Process32Next(MySnapHandle, ProcessInfo) <> 0
End If


CloseHandle MySnapHandle

End Sub

Private Sub Form_Load
EnumAndInject
End Sub
以上API详细参数请参考MSDN,没它寸步难行,寒~~

回答:3
楼主,好巧,昨天我才来这里提个问题,你就送上门来了哈 在网上我看了些C,你用这个思路方法和我想改造那个不样,也许你这种更方便但是有弊端.....(具体不说了,你这种思路方法不错,可对我要结果来说,这种思路方法不会成功) 另外个做了驱动级全局hook WriteProcessMemory等操作内存API,任何操作内存API 都会遭到他拦截. 我研究那个,我都忘了...没研究出来..放弃了段时间,的后到现在也没弄过用loadlib..载入DLL 那个API,用Hook 这个API方式将指定DLL载入指定内存地址 不过NicX (NicX)你研究成果对我有了新启发...我考虑下你思路做法... 我也采用驱动级编写哈哈...我想这个叫违驱动级合适,我不使用系统API来操作内存我用个C编写底层硬件操作东西...嘎嘎...总的谢谢咯... 另外多问几句: windowshook 这个号称也能实现注入,你看到了吗?但具体思路方法我没看到 目前为止我看到了4种思路方法 还有种是利用内嵌汇编思路方法... 欢迎指教啊...




回答:4
在windowshookex中指定线程id可以实现全局钩子不过般来说钩子子程必须是个dll中导出如果在2000/xp下还有特殊底层钩子不受这个限制比如WH_MOUSE_LL.如果采用前种思路方法系统会自动把含有钩子dll载入到目标线程中api拦截也可以用windows核心编程里面改exe模块输入节思路方法或者用汇编jmpXXX在网上有现成代码天极网也有那篇文章




回答:5
老大能给个下载地址吗,我看看啊.... 我说用全局钩子实现DLL注入,原理是这样,钩子最基本形式是线程内钩子扩展到全局,就要用dll 为什么必须是DLL 而且是标准DLL ,是全局钩子安装后系统会将这个DLL 注入到每个进程中,这样才实现了全局hook,既然是将dll注入到了所有进程那么也就是说,只要适当添加代码,就可以在出现钩子消息时进行某些事情... )_|_( ^ ~ 这个某些事情不用多说了吧....当然是想注入后执行代码.......... 你说改输入节...不知道改谁输入节,估计你说是实现全局拦截API那个这种思路方法行不通,这个启动时候会自动扫描数据.. 汇编jum...这个就不明白了,那个在系统API时进行了jum,你在jum那到底什么时候jum合适呢? 盼复啊...主要是你说:api拦截也可以用windows核心编程里面改exe模块输入节思路方法或者用汇编jmpXXX在网上有现成代码天极网也有那篇文章这篇文章地址啊....




回答:6
http://www.yesky.com/98/1952598.shtml Windows 2000下Api拦截分析 http://www.codeguru.com/Cpp/W-P/system/processesmodules/article.php/c5767 Three Ways To Inject Your Code Into Another Process http://www.vb-helper.com/howto_make_standard_dll.html how to make a standard DLL in Visual Basic 6




回答:7
第个 ... 根本没什么技术可言... 第 2个 ... e文太多...太费神 .... 第 3个 ... 如何制作标准DLL ... 还值得看,但不知道这种思路方法和中文网上流传那种思路方法 区别到底是什么? 他用好像是def开关??