大家见过chenhui530的远程hookAPI是不是很牛,好今天,心情好,发一个更牛的出来共享一下!首先说下chenhui530那段远程hookAPI的最大缺点!! 它只能hook VB写的程序,对于C++或其它任何语言写的程序都会崩溃! 为什么会崩溃,通过OD反汇编跟踪就能找到原因,原因是--VB6.0自身的原因-_-!什么叫hook,如果您对其还不太了解,请您自行查找资料! 为了不重现chenhui530那种另人尴尬的处境,我们在编译PE文件时,必须修改PE文件的基址 (这种修改你可以视为跳避VB-IDE的追杀)'专门用于修改基址,请将此文件编译后,放至VB98目录下,代替现有的LINK.EXE文件, '代替前请先保存原先的LINK.EXE文件 'modLINK Option ExplicitPublic Sub Main() Dim sBuf As String Dim szBase As String
If MsgBox("是否设置EXE基地址?", vbYesNo + 64, "基址") = vbNo Then Shell "Link2.exe " & Command Else
szBase = InputBox("请输入需要设置的基地址,不用输入 0x", "基址", "400000") If Trim(szBase) = vbNullString Then szBase = "/BASE:0x400000" Else szBase = "/BASE:0x" & szBase End If
sBuf = Replace(Command, "/BASE:0x400000", szBase) Shell "link2.exe " & sBuf End If End Sub
上面是第一步,第二步我们需要将所有hook所要用到的API全部自行重写,原因很简单,VB自带的API非常有 自己的特色:)!!(什么特色?用OD反跟踪一下每个VBAPI都会加上这个API:vbaSetSystemError) 我们需要用到以下API进行HOOK操作:ReadProcessMemory、WriteProcessMemory、 GetModuleHandle、GetProcAddress、GetCurrentProcess、CopyMemory 下面我们全部重写上面这些API: '-------------*.tlb------------------------------------------ [ uuid(12345678-1234-1234-1234-123456789ABC), helpstring("my api library"), lcid(0x0), version(1.0) ] library MyAPIs { importlib("stdole2.tlb");typedef [public] long HWND; typedef [public] long DWORD; typedef [public] long UINT; typedef [public] long WPARAM; typedef [public] long LPARAM; typedef [public] long HANDLE;
'-----------------注入主程式开始----------------------------------------------------- [code=VB] 'modMain.bas Option ExplicitPrivate Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long) Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long '上面这些是我们自己用到的,因为我们已经引用了类型库,所以默认声明为 Private 方式, '这样做的好处是不影响 modHOOK 模块中的相同API使用Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long Public Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long Public Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Long, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long Public Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As LongPublic Const MEM_RELEASE = &H8000 Public Const MEM_COMMIT = &H1000 Public Const MEM_RESERVE = &H2000 Public Const MEM_DECOMMIT = &H4000 Public Const PAGE_EXECUTE_READWRITE = &H40Public Const SYNCHRONIZE = &H100000 Public Const STANDARD_RIGHTS_REQUIRED = &HF0000 Public Const PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or 
SYNCHRONIZE Or &HFFF)Public Const INFINITE = &HFFFFFFFFPublic Type IMAGE_DOS_HEADER e_magic As Integer e_cblp As Integer e_cp As Integer e_crlc As Integer e_cparhdr As Integer e_minalloc As Integer e_maxalloc As Integer e_ss As Integer e_sp As Integer e_csum As Integer e_ip As Integer e_cs As Integer e_lfarlc As Integer e_ovno As Integer e_res(3) As Integer e_oemid As Integer e_oeminfo As Integer e_res2(9) As Integer e_lfanew As Long End TypePublic Type IMAGE_FILE_HEADER Machine As Integer NumberOfSections As Integer TimeDateStamp As Long PointerToSymbolTable As Long NumberOfSymbols As Long SizeOfOptionalHeader As Integer Characteristics As Integer End Type
Public Type IMAGE_DATA_DIRECTORY VirtualAddress As Long Size As Long End Type
Public Type IMAGE_OPTIONAL_HEADER Magic As Integer MajorLinkerVersion As Byte MinorLinkerVersion As Byte SizeOfCode As Long SizeOfInitializedData As Long SizeOfUninitializedData As Long AddressOfEntryPoint As Long BaseOfCode As Long BaseOfData As Long ImageBase As Long SectionAlignment As Long FileAlignment As Long MajorOperatingSystemVersion As Integer MinorOperatingSystemVersion As Integer MajorImageVersion As Integer MinorImageVersion As Integer MajorSubsystemVersion As Integer MinorSubsystemVersion As Integer Win32VersionValue As Long SizeOfImage As Long SizeOfHeaders As Long CheckSum As Long Subsystem As Integer DllCharacteristics As Integer SizeOfStackReserve As Long SizeOfStackCommit As Long SizeOfHeapReserve As Long SizeOfHeapCommit As Long LoaderFlags As Long NumberOfRvaAndSizes As Long DataDirectory(15) As IMAGE_DATA_DIRECTORY End Type
Public Type IMAGE_NT_HEADERS Signature As Long FileHeader As IMAGE_FILE_HEADER OptionalHeader As IMAGE_OPTIONAL_HEADER End Type Public Sub Main() Dim Pid As Long Dim sBuf As String
sBuf = InputBox("PID", , 0) Pid = CLng(sBuf)
If InjectMsvbvm6_dll(Pid) Then MsgBox "插入运行库OK" End If
If InjectExe(Pid) Then MsgBox "已插入代码" End IfEnd Sub
'/////////////////////////////////////////////////////// '/// '///说明: 插入运行库代码 '///参数: Pid=进程PID '///返回: 成功True,否则False '/// '/////////////////////////////////////////////////////// Public Function InjectMsvbvm6_dll(ByVal Pid As Long) As Boolean Dim hProcess As Long, hThread As Long Dim szDllPath As String Dim cbDllPath As Long Dim pBaseAddr As Long Dim pFuncAddr As Long Dim hMod As Long
Err: If pBaseAddr <> 0 Then VirtualFreeEx hProcess, ByVal pBaseAddr, 0, MEM_RELEASE If hProcess <> 0 Then CloseHandle hProcess End Function '/////////////////////////////////////////////////////// '/// '///说明: 插入代码 '///参数: Pid=进程PID '///返回: 成功True,否则False '/// '/////////////////////////////////////////////////////// Public Function InjectExe(ByVal Pid As Long) As Boolean Dim hMod As Long Dim stIDH As IMAGE_DOS_HEADER Dim stINH As IMAGE_NT_HEADERS Dim cbImage As Long Dim hProcess As Long, hThread As Long Dim pBaseAddr As Long Dim pFuncAddr As Long
InjectExe = True Err: 'If pBaseAddr <> 0 Then VirtualFreeEx hProcess, ByVal pBaseAddr, 0, MEM_RELEASE If hProcess <> 0 Then CloseHandle hProcess
End FunctionPrivate Function Init() As Long Dim pFuncAddr As Long pFuncAddr = GetFuncAddr(AddressOf NewMessageBox)
'保存该地址,一会要注入进去的 CopyMemory NewAddr(1), pFuncAddr, 4 End FunctionPrivate Function GetFuncAddr(ByVal func As Long) As Long GetFuncAddr = func End Function 'modHOOK Option ExplicitPublic NewAddr(7) As BytePublic Function Hook(ByVal pFAddr As Long) As Long Dim hMod As Long Dim pBaseAddr As Long
'这一步写进去以后基本上就成功OK了.. WriteProcessMemory GetCurrentProcess, ByVal pBaseAddr, NewAddr(0), 8, 0 End FunctionPublic Function NewMessageBox(ByVal hWnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long '默认HOOK的是MessageBoxA函数,所以我们用 MessageBoxW 给我们弹出消息 '这里没有写还原函数,其实这个都很好解决,我们在用 WriteProcessMemory写入HOOK代码时可以还通过 'ReadProcessMemory读取原始代码,当需要恢复时再通过 WriteProcessMemory写回去就OK了..
MessageBoxW 0, "哈哈...被我们给HOOK了", "嘿嘿~~啦啦啦..", 16 NewMessageBox = 1 End Function[/code]以中全部代码,希望大家喜欢,必竟用纯VB 远程HOOK任意API,还是不多见的!! 测试环境:windows 2003 Server/windows XP 测试软件:腾讯QQ2009版 测试结果:成功HOOK SendMessageA和MessageBoxA
项目所需技术: C/C++,Visual Basic
项目描述: 要求能够得到各类聊天软件的所有聊天记录最少需要得到QQ或MSN的聊天记录要求以COM的形式出现,并可以让VB6.0调用
要求给出所有源码及相关源码使用说明 项目预算不够可以和我再议.
项目预算: ¥ 500-1000
项目状态(天数): 项目竞标中 (19天)
发 布 者: m60a1
好了好了,我错了,我以为大家都用过这个交易平台
现在我贴出来了
希望大家有能力,有时间的,帮帮我的忙,谢谢大家
一开始我和各位一样,一直钻进了网络协议里面,天天在那里分析QQ的网络协议,里面确实是加了密的,想解好难呀(至少我
我认为是这样),不过这段时间网络封包分析下来,对IE的封包分析倒是有了点头绪,我可以分析出来所有连接外网的网址
呵呵,这是意外的收获.后来我学乖了,解啥密呀,它这东西又不是见不得人的,不管你怎么加密总得正常让人看记录的不是吗!!
对了,直接远程hook一个api---SendMessageA ,你腾讯再牛,你总得让正常人发消息的吧,那好,只要你敢发
我就敢截你下来 :)搞定了!!!!!
它只能hook VB写的程序,对于C++或其它任何语言写的程序都会崩溃!
为什么会崩溃,通过OD反汇编跟踪就能找到原因,原因是--VB6.0自身的原因-_-!什么叫hook,如果您对其还不太了解,请您自行查找资料!
为了不重现chenhui530那种令人尴尬的处境,我们在编译PE文件时,必须修改PE文件的基址
(这种修改你可以视为跳避VB-IDE的追杀)'专门用于修改基址,请将此文件编译后,放至VB98目录下,代替现有的LINK.EXE文件,
'代替前请先保存原先的LINK.EXE文件
'modLINK
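Option Explicit

'modLINK: thin wrapper placed in front of the real linker (renamed Link2.exe).
'It optionally asks for an image base and rewrites the "/BASE:0x400000" switch
'the VB6 IDE puts on the command line; everything else is forwarded unchanged.
'Only hexadecimal digits are accepted for the base; anything else (or an empty
'answer / Cancel) falls back to the default so the linker never sees a
'malformed /BASE value.
Public Sub Main()
    Dim sBuf As String
    Dim szBase As String
    Dim i As Long
    Dim ch As String

    If MsgBox("是否设置EXE基地址?", vbYesNo + 64, "基址") = vbNo Then
        ' Leave the IDE's command line untouched
        Shell "Link2.exe " & Command
    Else
        ' Trim once and use the trimmed value; the original checked Trim() but
        ' then appended the untrimmed text, so stray spaces reached the linker.
        szBase = Trim(InputBox("请输入需要设置的基地址,不用输入 0x", "基址", "400000"))

        ' Validate: hex digits only (case-insensitive)
        For i = 1 To Len(szBase)
            ch = Mid(szBase, i, 1)
            If InStr(1, "0123456789ABCDEF", ch, vbTextCompare) = 0 Then
                MsgBox "基地址必须是十六进制数字,已使用默认值 0x400000", vbExclamation, "基址"
                szBase = vbNullString
                Exit For
            End If
        Next i

        If szBase = vbNullString Then
            szBase = "/BASE:0x400000"
        Else
            szBase = "/BASE:0x" & szBase
        End If

        ' Only the /BASE switch is rewritten; if the IDE did not pass one,
        ' Replace() changes nothing and the link proceeds with the IDE's default.
        sBuf = Replace(Command, "/BASE:0x400000", szBase)
        Shell "link2.exe " & sBuf
    End If
End Sub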
自己的特色:)!!(什么特色?用OD反跟踪一下每个VBAPI都会加上这个API:vbaSetSystemError)
我们需要用到以下API进行HOOK操作:ReadProcessMemory、WriteProcessMemory、
GetModuleHandle、GetProcAddress、GetCurrentProcess、CopyMemory
下面我们全部重写上面这些API:
'-------------*.tlb------------------------------------------
// MyAPIs: minimal type library exposing the kernel32/user32 entry points the
// hook code calls directly. Calling through a type library instead of VB
// "Declare" statements is the author's way around the vbaSetSystemError
// wrapper VB emits around every Declare'd call (see the note above).
// NOTE: the uuid below is a placeholder pattern; generate a fresh GUID before
// building so the registered library cannot collide with another using it.
[
uuid(12345678-1234-1234-1234-123456789ABC),
helpstring("my api library"),
lcid(0x0),
version(1.0)
]
library MyAPIs
{
importlib("stdole2.tlb");typedef [public] long HWND;
// Win32 handle/integer types all mapped to a 32-bit long (VB Long); 32-bit only
typedef [public] long DWORD;
typedef [public] long UINT;
typedef [public] long WPARAM;
typedef [public] long LPARAM;
typedef [public] long HANDLE;
[dllname("kernel32")]
module kernel32
{
// Raw process-memory access. The pointer parameters are untyped (void*), so
// whatever Long the VB caller passes is used as an address without any check.
[entry("WriteProcessMemory")] long WriteProcessMemory ([in] HANDLE hProcess,
[in] void* lpBaseAddress, [in] void* lpBuffer, [in] DWORD nSize, [in] DWORD* lpNumberOfBytesWritten);
[entry("ReadProcessMemory")] long ReadProcessMemory ([in] HANDLE hProcess,
[in] void* lpBaseAddress, [in] void* lpBuffer, [in] DWORD nSize, [in] DWORD* lpNumberOfBytesWritten);
// Pseudo-handle for the calling process; modHOOK uses it to patch its own host process
[entry("GetCurrentProcess")] HANDLE GetCurrentProcess();
[entry("RtlMoveMemory")] void CopyMemory([in] void* pDest, [in] void*
pSrc, [in] long ByteLen);
[entry("GetModuleHandleA")] long GetModuleHandle ([in] LPSTR lpModuleName);
[entry("GetProcAddress")] long GetProcAddress ([in] DWORD hModule, [in] LPSTR lpProcName);
};[dllname("user32")]
module User32
{
// MessageBoxA is the function modHOOK patches; MessageBoxW is what the
// replacement calls to show its own dialog without re-entering the hook.
[entry("MessageBoxA")] long MessageBox ([in] HANDLE hWnd, [in] LPSTR lpText,
[in] LPSTR lpCaption, [in] UINT uType);
[entry("MessageBoxW")] long MessageBoxW ([in] HANDLE hWnd, [in] LPWSTR lpText,
[in] LPWSTR lpCaption, [in] UINT uType);
};
};
'-----------------类库新建完毕-------------------------------------------------------
使用MKTYPLIB.EXE进行编译上面的类库生成类库文件,下面我们所有的HOOK操作都用这个类库里面的API
[code=VB]
'modMain.bas
'modMain.bas — Win32 declarations, constants and PE header layouts used by the
'injector below. NOTE(review): the forum formatting fused several lines here
'(e.g. "Option ExplicitPrivate Declare ...", and a Public Declare that now sits
'at the end of a comment line); the listing is not compilable exactly as shown.
Option ExplicitPrivate Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
'The four Declares above are the ones this module uses itself. Because the MyAPIs
'type library is also referenced, they are kept Private,
'so that the identically named entries modHOOK uses from the type library are not affected.Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
'Cross-process primitives: handle close, remote memory allocate/release,
'remote thread creation and waiting on it.
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Public Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Public Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Long, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Public Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As LongPublic Const MEM_RELEASE = &H8000
'VirtualAllocEx / VirtualFreeEx flags
Public Const MEM_COMMIT = &H1000
Public Const MEM_RESERVE = &H2000
Public Const MEM_DECOMMIT = &H4000
'Page protection requested for every remote allocation in this file:
'read/write/execute. RWX allocations in another process are a high-signal
'event for endpoint monitoring.
Public Const PAGE_EXECUTE_READWRITE = &H40Public Const SYNCHRONIZE = &H100000
Public Const STANDARD_RIGHTS_REQUIRED = &HF0000
'OpenProcess access mask (full access) and the WaitForSingleObject "no timeout"
'value (&HFFFFFFFF is -1 as a Long)
Public Const PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)Public Const INFINITE = &HFFFFFFFFPublic Type IMAGE_DOS_HEADER
'IMAGE_DOS_HEADER: the "MZ" header at a module's base address. InjectExe reads
'only e_lfanew, the offset from the base to IMAGE_NT_HEADERS.
e_magic As Integer
e_cblp As Integer
e_cp As Integer
e_crlc As Integer
e_cparhdr As Integer
e_minalloc As Integer
e_maxalloc As Integer
e_ss As Integer
e_sp As Integer
e_csum As Integer
e_ip As Integer
e_cs As Integer
e_lfarlc As Integer
e_ovno As Integer
e_res(3) As Integer
e_oemid As Integer
e_oeminfo As Integer
e_res2(9) As Integer
e_lfanew As Long
End TypePublic Type IMAGE_FILE_HEADER
'IMAGE_FILE_HEADER (COFF header): first member of IMAGE_NT_HEADERS after the
'signature; declared for layout only, no field is read by this code.
Machine As Integer
NumberOfSections As Integer
TimeDateStamp As Long
PointerToSymbolTable As Long
NumberOfSymbols As Long
SizeOfOptionalHeader As Integer
Characteristics As Integer
End Type
'IMAGE_DATA_DIRECTORY: one of the 16 entries of the optional header's directory table
Public Type IMAGE_DATA_DIRECTORY
VirtualAddress As Long
Size As Long
End Type
'IMAGE_OPTIONAL_HEADER (32-bit layout). InjectExe uses SizeOfImage as the number
'of bytes to copy; ImageBase is the base the linker's /BASE switch chose.
Public Type IMAGE_OPTIONAL_HEADER
Magic As Integer
MajorLinkerVersion As Byte
MinorLinkerVersion As Byte
SizeOfCode As Long
SizeOfInitializedData As Long
SizeOfUninitializedData As Long
AddressOfEntryPoint As Long
BaseOfCode As Long
BaseOfData As Long
ImageBase As Long
SectionAlignment As Long
FileAlignment As Long
MajorOperatingSystemVersion As Integer
MinorOperatingSystemVersion As Integer
MajorImageVersion As Integer
MinorImageVersion As Integer
MajorSubsystemVersion As Integer
MinorSubsystemVersion As Integer
Win32VersionValue As Long
SizeOfImage As Long
SizeOfHeaders As Long
CheckSum As Long
Subsystem As Integer
DllCharacteristics As Integer
SizeOfStackReserve As Long
SizeOfStackCommit As Long
SizeOfHeapReserve As Long
SizeOfHeapCommit As Long
LoaderFlags As Long
NumberOfRvaAndSizes As Long
DataDirectory(15) As IMAGE_DATA_DIRECTORY
End Type
'IMAGE_NT_HEADERS: "PE\0\0" signature followed by the file and optional headers;
'found at module base + IMAGE_DOS_HEADER.e_lfanew.
Public Type IMAGE_NT_HEADERS
Signature As Long
FileHeader As IMAGE_FILE_HEADER
OptionalHeader As IMAGE_OPTIONAL_HEADER
End Type
'Entry point of the injector: asks for a target PID, loads the VB runtime into
'that process, then copies this EXE's image into it and runs Hook there.
'The second step is attempted even if the first reported failure.
Public Sub Main()
Dim Pid As Long
Dim sBuf As String
sBuf = InputBox("PID", , 0)
'No validation: an empty or non-numeric answer (e.g. Cancel) raises a runtime error here
Pid = CLng(sBuf)
If InjectMsvbvm6_dll(Pid) Then
MsgBox "插入运行库OK"
End If
If InjectExe(Pid) Then
MsgBox "已插入代码"
End IfEnd Sub
'///
'///说明: 插入运行库代码
'///参数: Pid=进程PID
'///返回: 成功True,否则False
'///
'///////////////////////////////////////////////////////
'Loads the VB6 runtime (msvbvm60.dll) into process Pid: allocate a buffer in the
'target, write the DLL path into it, and start a remote thread at
'kernel32!LoadLibraryA with that buffer as its parameter. The VB code that
'InjectExe copies in afterwards needs this runtime to be present. The call
'sequence OpenProcess -> VirtualAllocEx(RWX) -> WriteProcessMemory ->
'CreateRemoteThread(LoadLibraryA) is the textbook remote-thread DLL load and is
'exactly the pattern host-based monitoring flags.
'Pid: target process id.
'Returns True only if the remote thread was created and ran to completion; the
'remote buffer is released and the process handle closed on every path.
Public Function InjectMsvbvm6_dll(ByVal Pid As Long) As Boolean
Dim hProcess As Long, hThread As Long
Dim szDllPath As String
Dim cbDllPath As Long
Dim pBaseAddr As Long
Dim pFuncAddr As Long
Dim hMod As Long
InjectMsvbvm6_dll = False
hMod = GetModuleHandle("kernel32.dll")
'Resolved in this process; only valid in the target if kernel32 is mapped at the same address there
pFuncAddr = GetProcAddress(hMod, "LoadLibraryA")
hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, Pid)
If hProcess = 0 Then GoTo Err
'Hard-coded path: fails on systems whose system directory is elsewhere
szDllPath = "c:\windows\system32\msvbvm60.dll"
'Sized as if for UTF-16 plus a terminator. NOTE(review): a ByVal String passed to a
'Declare is converted to ANSI, so the temporary actually handed to WriteProcessMemory
'is only Len+1 bytes; the copy below reads past it. It works because the NUL
'terminator is within the copied range, but the over-read should be fixed.
cbDllPath = Len(szDllPath) * 2 + 1
'RWX protection for what is just a string buffer
pBaseAddr = VirtualAllocEx(hProcess, ByVal 0&, cbDllPath, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
If pBaseAddr = 0 Then GoTo Err
If WriteProcessMemory(hProcess, ByVal pBaseAddr, ByVal szDllPath, cbDllPath, 0) = 0 Then GoTo Err
hThread = CreateRemoteThread(hProcess, ByVal 0&, 0, ByVal pFuncAddr, ByVal pBaseAddr, 0, 0)
If hThread = 0 Then GoTo Err
'Blocks until LoadLibraryA returns in the target; no timeout
WaitForSingleObject hThread, INFINITE
CloseHandle hThread
InjectMsvbvm6_dll = True
Err:
'Cleanup shared by the success path and every GoTo Err exit
If pBaseAddr <> 0 Then VirtualFreeEx hProcess, ByVal pBaseAddr, 0, MEM_RELEASE
If hProcess <> 0 Then CloseHandle hProcess
End Function
'///////////////////////////////////////////////////////
'///
'///说明: 插入代码
'///参数: Pid=进程PID
'///返回: 成功True,否则False
'///
'///////////////////////////////////////////////////////
'Copies this EXE's own in-memory image into process Pid at the same virtual
'address it occupies here, then starts a remote thread at Hook. The copy is a
'raw byte image — no relocation or import processing — so it can only work if
'that address range is free in the target (presumably why the modLINK wrapper
'rebases the injector) and, since the copied import table holds the addresses
'resolved in this process, if the same DLLs sit at the same addresses in the
'target; NOTE(review): that is the apparent reason InjectMsvbvm6_dll runs first.
'Pid: target process id.
'Returns True only if the remote Hook thread ran to completion. The copied image
'and the 4-byte parameter cell are deliberately left allocated in the target.
Public Function InjectExe(ByVal Pid As Long) As Boolean
Dim hMod As Long
Dim stIDH As IMAGE_DOS_HEADER
Dim stINH As IMAGE_NT_HEADERS
Dim cbImage As Long
Dim hProcess As Long, hThread As Long
Dim pBaseAddr As Long
Dim pFuncAddr As Long
InjectExe = False
'Base address of this EXE
hMod = GetModuleHandle(vbNullString)
'Read our own DOS and NT headers to learn the size of the mapped image
CopyMemory stIDH, ByVal hMod, Len(stIDH)
CopyMemory stINH, ByVal (hMod + stIDH.e_lfanew), Len(stINH)
cbImage = stINH.OptionalHeader.SizeOfImage
If cbImage = 0 Then GoTo Err
hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, Pid)
If hProcess = 0 Then GoTo Err
'Attempt to release whatever the target has at our base address; result not checked
VirtualFreeEx hProcess, hMod, 0, MEM_RELEASE
'Reserve our own base address in the target, RWX
pBaseAddr = VirtualAllocEx(hProcess, ByVal hMod, cbImage, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
If pBaseAddr = 0 Then GoTo Err
'Raw copy of our whole image into the target
If WriteProcessMemory(hProcess, ByVal pBaseAddr, ByVal hMod, cbImage, 0) = 0 Then GoTo Err
'Now deal with our own function address. Why it is computed here rather than in
'the remote thread is explained in modHook.
'
Dim pFAddr As Long
Init 'initialise first so the function address is captured in NewAddr(1..4)
'4-byte cell the remote Hook reads its argument from; never freed
pFAddr = VirtualAllocEx(hProcess, ByVal 0&, 4, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
If pFAddr = 0 Then GoTo Err
'Then pass our address across
If WriteProcessMemory(hProcess, ByVal pFAddr, NewAddr(1), 4, 0) = 0 Then GoTo Err
'Hook has the same address in the target because the image was copied to the same base
pFuncAddr = GetFuncAddr(AddressOf Hook)
hThread = CreateRemoteThread(hProcess, ByVal 0&, 0, ByVal pFuncAddr, ByVal pFAddr, 0, 0)
If hThread = 0 Then GoTo Err
WaitForSingleObject hThread, INFINITE
CloseHandle hThread
InjectExe = True
'The copied image must stay mapped, so its release below is intentionally commented out
Err: 'If pBaseAddr <> 0 Then VirtualFreeEx hProcess, ByVal pBaseAddr, 0, MEM_RELEASE
If hProcess <> 0 Then CloseHandle hProcess
'Init: captures NewMessageBox's address via AddressOf and stores its 4 bytes at
'NewAddr(1..4), the operand slot of the stub modHOOK builds. Declared As Long
'but never assigns a return value (callers ignore it).
End FunctionPrivate Function Init() As Long
Dim pFuncAddr As Long pFuncAddr = GetFuncAddr(AddressOf NewMessageBox)
'Save this address; it is what gets written into the target
CopyMemory NewAddr(1), pFuncAddr, 4
'GetFuncAddr: identity helper. VB6 only allows AddressOf as a call argument, so
'this is how a procedure address is captured into a Long.
End FunctionPrivate Function GetFuncAddr(ByVal func As Long) As Long
GetFuncAddr = func
End Function
'modHOOK
'modHOOK
'Hook runs inside the target process (started by InjectExe as a remote thread).
'It overwrites the first bytes of user32!MessageBoxA with a
'"mov eax,<address>; jmp eax" stub that diverts every caller to NewMessageBox.
'This is an inline prologue patch: it alters code pages that otherwise match the
'on-disk DLL, which is what integrity checks comparing in-memory code against
'the file (or looking for such stubs at export entry points) detect.
'pFAddr: address of a 4-byte cell, allocated by the injector, holding
'NewMessageBox's address. The original bytes are not saved, so the hook cannot
'be removed afterwards.
'NewAddr: the 8-byte stub buffer shared by Hook and Init.
Option ExplicitPublic NewAddr(7) As BytePublic Function Hook(ByVal pFAddr As Long) As Long
Dim hMod As Long
Dim pBaseAddr As Long
hMod = GetModuleHandle("user32.dll")
'Address that will be overwritten
pBaseAddr = GetProcAddress(hMod, "MessageBoxA")
'Dim pFuncAddr As Long
' pFuncAddr = GetFuncAddr(AddressOf NewMessageBox)
' CopyMemory NewAddr(1), pFuncAddr, 4
'The machine code is assembled below; it means:
'
'mov eax, <our address>
'jmp eax
'
NewAddr(0) = &HB8  'mov eax, imm32 — NewAddr(1..4) is the operand, filled in below
NewAddr(5) = &HFF  'jmp eax (FF E0)
NewAddr(6) = &HE0
NewAddr(7) = &H0   'padding: 8 bytes are written, one more than the 7-byte stub needs
'Compromise: the injector computed the address for us in advance, so here we just read it.
ReadProcessMemory GetCurrentProcess, ByVal pFAddr, NewAddr(1), 4, 0
'Visible side effect in the target: a dialog raised from the remote thread
MessageBox 0, "被我给HOOK了...", "已HOOK", 32
'Once this write lands the hook is in place.
WriteProcessMemory GetCurrentProcess, ByVal pBaseAddr, NewAddr(0), 8, 0
'NewMessageBox: replacement that every diverted MessageBoxA call lands in. The
'parameters are never read; NOTE(review): the callers pass raw ANSI pointers,
'not VB Strings, so reading lpText/lpCaption here would not be safe as declared.
'Returns 1 to the original caller.
End FunctionPublic Function NewMessageBox(ByVal hWnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long 'MessageBoxA is the hooked function, so the replacement uses MessageBoxW to show its own message
'No restore routine is written; the author notes the original bytes could be read with
'ReadProcessMemory before the WriteProcessMemory above and written back when restoring.
MessageBoxW 0, "哈哈...被我们给HOOK了", "嘿嘿~~啦啦啦..", 16 NewMessageBox = 1
End Function[/code]以中全部代码,希望大家喜欢,必竟用纯VB 远程HOOK任意API,还是不多见的!!
测试环境:windows 2003 Server/windows XP
测试软件:腾讯QQ2009版
测试结果:成功HOOK SendMessageA和MessageBoxA