本问题上面的方式可以拦截到API的参数,却无法继续运行,还要弄什么基地址,还要先把别的程序弄一下TLB文件生成。而下面的这个可以直接用VB完成拦截API,还能中途暂停、中断,却没法显示所执行的API函数的参数。 2个工程能结合起来就好了,有高手吗,能解决此类问题的话,500元可以付给你。基于API的VB HOOK钩子拦截程序 http://www.codefans.net/soft/4579.shtmlPrivate Sub Command1_Click() Dim hProcess As Long, tm As Long, Data4 As Long Command1.Enabled = False Dim lFunc As Long, lVarAdd As Long, tmNuAdd As Long n_Ex = False hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0&, n_ProcessID) If hProcess Then ReadProcessMemory hProcess, ByVal Imp_p(n_index).lIAT_Address, n_Old_Address, Len(n_Old_Address), tm MsgBox "old Address is" & Hex(n_Old_Address) lFunc = CreateMemory(n_ProcessID, 4096) '注射函數 lVarAdd = CreateMemory(n_ProcessID, 4096) '注射變數
'修改IAT Address WriteProcessMemory hProcess, ByVal Imp_p(n_index).lIAT_Address, lFunc, Len(lFunc), tm '攔截處理 Dim bProcessMemory As Long, RtnV Do '等待函數被攔截 Do If ReadProcessMemory(hProcess, ByVal lVarAdd, bProcessMemory, Len(bProcessMemory), tm) = 0 Then MsgBox "嚴重錯誤" GoTo Exp End If DoEvents If n_Ex Then GoTo Exp End If Loop While bProcessMemory
Me.Show
'============================================================================== Dim rtnV2 As Integer rtnV2 = MsgBox("攔截到目標程式呼叫" & Imp_p(n_index).sFunctionName & vbCrLf & _ "是否结束进程?", vbYesNo, "抓到了") If rtnV2 = vbYes Then Shell "taskkill /f /pid " & CStr((CLng(Mid(Combo1.Text, 5, 8)))), vbHide MsgBox "等待10秒", , "抓到了" End If '============================================================================== RtnV = MsgBox("攔截到目標程式呼叫" & Imp_p(n_index).sFunctionName & vbCrLf & _ "要繼續攔截下次呼叫?", vbOKCancel, "抓到了") If RtnV = vbCancel Then WriteProcessMemory hProcess, ByVal Imp_p(n_index).lIAT_Address, n_Old_Address, Len(n_Old_Address), tm bProcessMemory = 1 WriteProcessMemory hProcess, ByVal lVarAdd, bProcessMemory, Len(bProcessMemory), tm Exit Do End If bProcessMemory = 1 WriteProcessMemory hProcess, ByVal lVarAdd, bProcessMemory, Len(bProcessMemory), tm DoEvents Loop Exp: DeleteMemory n_ProcessID, lFunc DeleteMemory n_ProcessID, lVarAdd CloseHandle hProcess Else MsgBox "無訪開啟該Process" End If Command1.Enabled = True End Sub
2个工程能结合起来就好了,有高手吗,能解决此类问题的话,500元可以付给你。基于API的VB HOOK钩子拦截程序
http://www.codefans.net/soft/4579.shtml
' Command1_Click: runs one IAT-hook session against the process n_ProcessID.
' It saves the current IAT entry for Imp_p(n_index), writes a small x86 stub and a
' control variable into the target, points the IAT entry at the stub, then polls the
' control variable from this process. The stub zeroes the variable on entry and spins
' until this process writes a non-zero value back, so every call the target makes to
' the hooked import pauses the target until the operator answers the dialogs below.
' Module-level state used: n_ProcessID, n_index, n_Old_Address, n_Ex, Imp_p(); helpers
' CreateMemory/DeleteMemory/WByteToCode/WLongToCode are defined elsewhere in the project.
' What a defender sees from this routine: OpenProcess with PROCESS_ALL_ACCESS on another
' process, WriteProcessMemory of executable bytes into it, and a rewritten import entry.
' Only 32-bit targets are handled: addresses are written as 4-byte Longs and the stub is
' encoded with 32-bit x86 instructions.
' Known issues (see NOTE(review) comments): the IAT entry is not restored on the "Exp"
' error paths, Win32 return values are mostly ignored, and the "wait 10 seconds"
' message box does not actually wait.
Private Sub Command1_Click()
    ' tm receives the byte count from Read/WriteProcessMemory; Data4 holds the initial control value
    Dim hProcess As Long, tm As Long, Data4 As Long
    Command1.Enabled = False ' block re-entry while a session is running (re-enabled at the end)
    ' lFunc: stub address in the target; lVarAdd: control block in the target; tmNuAdd: write cursor
    Dim lFunc As Long, lVarAdd As Long, tmNuAdd As Long
    n_Ex = False ' clear the abort flag polled in the wait loop (set elsewhere - not shown here)
    ' Full access is needed for the remote writes below; this fails when the caller has no
    ' rights on the target, in which case control falls to the Else branch at the bottom.
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0&, n_ProcessID)
    If hProcess Then
        ' Save the current IAT entry (4 bytes) so it can be restored when the session ends
        ReadProcessMemory hProcess, ByVal Imp_p(n_index).lIAT_Address, n_Old_Address, Len(n_Old_Address), tm
        MsgBox "old Address is" & Hex(n_Old_Address)
        lFunc = CreateMemory(n_ProcessID, 4096) ' allocate 4096 bytes in the target for the stub code (project helper)
        lVarAdd = CreateMemory(n_ProcessID, 4096) ' allocate 4096 bytes for the control variable (offset 0) and the saved address (offset 256)
        ' Preset the remote variable to 1; the stub sets it to 0 when the API is intercepted
        Data4 = 1
        WriteProcessMemory hProcess, ByVal lVarAdd, Data4, Len(Data4), tm
        ' Store the original function address at lVarAdd + 256 (read by the stub's final jmp)
        WriteProcessMemory hProcess, ByVal lVarAdd + 256, n_Old_Address, Len(n_Old_Address), tm
        ' Write the interception stub: hand-assembled x86, emitted one byte/dword at a time
        '-----------------------------------------------------------------------
        ' Write cursor; WByteToCode/WLongToCode presumably advance it - confirm in their definitions
        tmNuAdd = lFunc
        'Int 3 (debug breakpoint, left disabled)
        'WByteToCode hProcess, tmNuAdd, &HCC
        'push eax                      ; preserve eax, the stub's only scratch register
        WByteToCode hProcess, tmNuAdd, &H50
        'mov eax, 00000000
        WByteToCode hProcess, tmNuAdd, &HB8
        WLongToCode hProcess, tmNuAdd, &H0
        'mov dword ptr [lVarAdd], eax  ; variable := 0 signals "intercepted" to the controller
        WByteToCode hProcess, tmNuAdd, &HA3
        WLongToCode hProcess, tmNuAdd, lVarAdd
        'lp1:
        'cmp eax, dword ptr [lVarAdd]  ; eax is still 0
        WByteToCode hProcess, tmNuAdd, &H3B
        WByteToCode hProcess, tmNuAdd, &H5
        WLongToCode hProcess, tmNuAdd, lVarAdd
        'je lp1                        ; &HF8 = -8 bytes, back to the cmp: a busy-wait (no pause) while the
        '                              ; variable stays 0, i.e. until this process writes 1 back
        WByteToCode hProcess, tmNuAdd, &H74
        WByteToCode hProcess, tmNuAdd, &HF8
        'pop eax
        WByteToCode hProcess, tmNuAdd, &H58
        'Int 3 (debug breakpoint, left disabled)
        'WByteToCode hProcess, tmNuAdd, &HCC
        'jmp dword ptr [lVarAdd + 256]  ; [lVarAdd + 256] holds the original function address.
        ' Tail-jump with the caller's stack untouched, so the real function sees the original
        ' arguments; the stub itself never reads them (which is why no parameters are shown).
        WByteToCode hProcess, tmNuAdd, &HFF
        WByteToCode hProcess, tmNuAdd, &H25
        WLongToCode hProcess, tmNuAdd, lVarAdd + 256 ' absolute address of the saved pointer
        '----------------------------------------------------------------------------------
        ' Redirect the IAT entry to the stub: from here on, the target's calls to this import land in lFunc
        WriteProcessMemory hProcess, ByVal Imp_p(n_index).lIAT_Address, lFunc, Len(lFunc), tm ' intercept
        Dim bProcessMemory As Long, RtnV ' RtnV is a Variant (no type given)
        Do
            ' Wait for the stub to signal an interception (remote variable becomes 0)
            Do
                ' ReadProcessMemory returns 0 on failure (e.g. the target has exited)
                If ReadProcessMemory(hProcess, ByVal lVarAdd, bProcessMemory, Len(bProcessMemory), tm) = 0 Then
                    MsgBox "嚴重錯誤" ' "fatal error"
                    ' NOTE(review): jumps to cleanup without restoring the IAT entry; if the target is
                    ' still alive its import now points at memory that DeleteMemory is about to free
                    GoTo Exp
                End If
                DoEvents ' keep the UI responsive while polling
                If n_Ex Then
                    GoTo Exp ' operator abort; same missing-restore issue as above
                End If
            Loop While bProcessMemory
            Me.Show ' bring the form to the front
            '==============================================================================
            Dim rtnV2 As Integer
            ' "Intercepted the target calling <function>. Terminate the process?"
            rtnV2 = MsgBox("攔截到目標程式呼叫" & Imp_p(n_index).sFunctionName & vbCrLf & _
            "是否结束进程?", vbYesNo, "抓到了")
            If rtnV2 = vbYes Then
                ' PID is taken from characters 5-12 of Combo1.Text - assumes a fixed layout of the
                ' combo entries; confirm against the code that fills Combo1. Shell does not wait
                ' for taskkill to finish.
                Shell "taskkill /f /pid " & CStr((CLng(Mid(Combo1.Text, 5, 8)))), vbHide
                ' "wait 10 seconds" - NOTE(review): this is only a message box; nothing sleeps, and
                ' execution continues into the next dialog and into WriteProcessMemory calls against
                ' a process that may already be gone (their return values are not checked).
                MsgBox "等待10秒", , "抓到了"
            End If
            '==============================================================================
            ' "Intercepted the target calling <function>. Continue intercepting the next call?"
            RtnV = MsgBox("攔截到目標程式呼叫" & Imp_p(n_index).sFunctionName & vbCrLf & _
            "要繼續攔截下次呼叫?", vbOKCancel, "抓到了")
            If RtnV = vbCancel Then
                ' Restore the original IAT entry, then release the spinning stub (variable <> 0)
                ' so the paused call completes through the real function
                WriteProcessMemory hProcess, ByVal Imp_p(n_index).lIAT_Address, n_Old_Address, Len(n_Old_Address), tm
                bProcessMemory = 1
                WriteProcessMemory hProcess, ByVal lVarAdd, bProcessMemory, Len(bProcessMemory), tm
                Exit Do
            End If
            ' Release the stub for this call; the IAT stays patched so the next call is caught again
            bProcessMemory = 1
            WriteProcessMemory hProcess, ByVal lVarAdd, bProcessMemory, Len(bProcessMemory), tm
            DoEvents
        Loop
Exp: ' cleanup; reached via Exit Do (IAT restored) and via the GoTo paths above (IAT not restored)
        DeleteMemory n_ProcessID, lFunc ' free the remote stub (project helper)
        DeleteMemory n_ProcessID, lVarAdd ' free the remote control block (project helper)
        CloseHandle hProcess
    Else
        ' "cannot open that process" - OpenProcess failed; typically the caller lacks rights on the target
        MsgBox "無訪開啟該Process"
    End If
    Command1.Enabled = True
End Sub
http://blog.csdn.net/chenhui530/article/details/1932599
LZ好像把hook想得太简单了,没权限写(访问)其他程序内存(提权),其他程序要进入你自己的程序内存,LZ快点解决,我也来学习学习