最近才发现的“RtlCreateUserThread”(下步调用ZwCreateThread)这可是个好东西,可以创建远程线程,也可以用来写多线程程序,但是在VB里好像还是不是很稳定只能用API。这篇文章给大家一种不同于(CreateRemoteThread)但是原理是一样(都是通过ZwCreateThread创建线程)创建远程线程,实现注入和卸载功能。对于一些编写外挂,或者对Shellcode感兴趣的人是非常有用的学习资料。原贴地址:http://blog.csdn.net/chenhui530/archive/2008/10/21/3119107.aspx 多线程实例
' Thin wrapper over ntdll!RtlCreateUserThread: starts a thread at StartAddress inside the
' process referenced by hProcess (this process for the threading demo, another process for
' the injection routines) and hands back the new thread handle.
'   hProcess     - handle of the process the thread will run in
'   StartAddress - entry point, as an address valid *inside hProcess*
'   Parameter    - single Long passed to the entry point
'   Cid          - receives the CLIENT_ID (UniqueProcess / UniqueThread) of the new thread
' Returns the thread handle, or 0 when the call did not fill hThread in.
' NOTE(review): ntStatus (an NTSTATUS) is stored but never checked, so a failed call is only
' detectable by the handle being 0 and the caller gets no reason for the failure.
Public Function CreateThread(ByVal hProcess As Long, ByVal StartAddress As Long, ByVal Parameter As Long, ByRef Cid As CLIENT_ID) As Long
Dim hThread As Long
Dim ntStatus As Long
' NULL security descriptor, not created suspended, default ZeroBits and stack sizes.
ntStatus = RtlCreateUserThread(hProcess, ByVal 0&, 0, 0, 0, 0, StartAddress, Parameter, hThread, Cid)
CreateThread = hThread
End Function
' Thread entry for the in-process multithreading demo: appends Parameter, Parameter+1, ...
' to Form1.List1 until the global flag gblnRunning (declared elsewhere) becomes False, then
' ends the thread through RtlExitUserThread.
' NOTE(review): the VB6 runtime and its controls are not designed to be used from a thread
' the runtime did not create; the List1.AddItem call here is the likely source of the
' instability the article mentions — TODO confirm, or hand UI updates to the main thread.
Public Sub ThreadProc(ByVal Parameter As Long)
Do While gblnRunning
Form1.List1.AddItem CStr(Parameter)
Parameter = Parameter + 1
Loop
RtlExitUserThread 0
End Sub
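in form
Option Explicit
' "Delete me" button: asks the process whose PID is in txtInput(0) to delete this
' executable's file (DeleteMe), then closes the form.
' The PID field is validated first, mirroring cmdInject_Click / cmdUnInject_Click, so a
' blank or non-numeric entry does not silently turn into PID 0 through Val().
' Note that the form is unloaded whether or not DeleteMe reports success.
Private Sub cmdDelMe_Click()
If Not IsNumeric(txtInput(0).Text) Then
MsgBox "请输入正确的PID!!", vbCritical, "提示"
txtInput(0).SetFocus
Exit Sub
End If
DeleteMe Val(txtInput(0).Text)
Unload Me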
End Sub
' Inject button: both fields are checked before anything is done to the target —
' txtInput(0) must be numeric (the PID) and txtInput(1) must name an existing file.
' Dir() is called with vbReadOnly Or vbHidden Or vbSystem (1 Or 2 Or 4) so hidden and
' system DLLs pass the existence check. Focus goes back to the offending field on failure.
Private Sub cmdInject_Click()
    Dim strPid As String
    Dim strDllPath As String
    strPid = txtInput(0).Text
    strDllPath = txtInput(1).Text
    If IsNumeric(strPid) = False Then
        MsgBox "请输入正确的PID!!", vbCritical, "提示"
        txtInput(0).SetFocus
        Exit Sub
    End If
    If Len(Dir(strDllPath, 1 Or 2 Or 4)) = 0 Then
        MsgBox "DLL不存在!!", vbCritical, "提示"
        txtInput(1).SetFocus
        Exit Sub
    End If
    InjectDll Val(strPid), strDllPath
End Sub
' Un-inject button: same validation as cmdInject_Click, then asks UnInjectDll to unload the
' DLL named in txtInput(1) from the process whose PID is in txtInput(0).
Private Sub cmdUnInject_Click()
    Dim pidText As String
    Dim dllPath As String
    pidText = txtInput(0).Text
    dllPath = txtInput(1).Text
    If Not IsNumeric(pidText) Then
        MsgBox "请输入正确的PID!!", vbCritical, "提示"
        txtInput(0).SetFocus
    ElseIf Dir(dllPath, 1 Or 2 Or 4) = "" Then
        MsgBox "DLL不存在!!", vbCritical, "提示"
        txtInput(1).SetFocus
    Else
        UnInjectDll Val(pidText), dllPath
    End If
End Sub
in module
Option Explicit
' Process id / thread id pair that RtlCreateUserThread fills in for the new thread.
Public Type CLIENT_ID
UniqueProcess As Long
UniqueThread As Long
End Type
' --- ntdll thread primitives (undocumented exports). RtlCreateUserThread takes a handle to the
' process the thread should run in, so one wrapper serves both the in-process demo and the
' injection routines; the article points out it reaches the same ZwCreateThread path that
' CreateRemoteThread does. CreateThread passes 0 for the descriptor and stack arguments.
Private Declare Function RtlCreateUserThread Lib "ntdll.dll" (ByVal hProcess As Long, _
ByRef ThreadSecurityDescriptor As Any, _
ByVal CreateSuspended As Long, _
ByVal ZeroBits As Long, _
ByVal MaximumStackSize As Long, _
ByVal CommittedStackSize As Long, _
ByVal StartAddress As Long, _
ByVal Parameter As Long, _
ByRef hThread As Long, _
ByRef ClientId As CLIENT_ID) As Long
Private Declare Function RtlExitUserThread Lib "ntdll.dll" (ByVal ntStatus As Long) As Long
' --- kernel32/user32 helpers. TerminateThread is used by EndThread and WaitForSingleObject by
' the injection routines; Sleep, CreateEvent, SetEvent, MessageBox, CreateRemoteThread and
' GetExitCodeThread are declared but not referenced by any code shown on this page
' (GetExitCodeThread is what InjectDll/UnInjectDll would need to report whether the remote
' stub actually succeeded).
Private Declare Function TerminateThread Lib "kernel32" (ByVal hThread As Long, ByVal dwExitCode As Long) As Long
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Public Declare Function CreateEvent Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any, ByVal bManualReset As Long, ByVal bInitialState As Long, ByVal lpName As String) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Public Declare Function SetEvent Lib "kernel32" (ByVal hEvent As Long) As Long
Private Declare Function MessageBox Lib "user32" Alias "MessageBoxA" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
' --- cross-process memory: allocate / write / free a page in the target, plus local CopyMemory
' for assembling the stub. Together with OpenProcess and the thread creation above, this is
' the API sequence that process-injection detections key on.
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
' --- export lookup for the stub: addresses are resolved in *this* process's kernel32 and
' written into the stub as absolute pointers, which presumes the target maps kernel32 at
' the same base (32-bit only).
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Long, lpExitCode As Long) As Long
' Used by DeleteMe to find this executable's own path.
Private Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFileName As String, ByVal nSize As Long) As Long
' --- constants. The values after "=" are missing from this copy of the listing (apparently
' dropped when the page was extracted); they are the standard Windows SDK definitions and the
' module does not compile until they are restored.
Private Const INFINITE =
Private Const MEM_COMMIT =
Public Const MEM_RELEASE =
Private Const PAGE_EXECUTE_READWRITE =
Private Const PAGE_READWRITE =
Private Const SYNCHRONIZE As Long =
Private Const STANDARD_RIGHTS_REQUIRED As Long =
' NOTE(review): far more than InjectDll/UnInjectDll/DeleteMe actually use (allocate and write
' memory, create a thread, wait on it); least privilege would request only those rights.
' &HFFF is also the pre-Vista mask — newer SDKs define the specific-rights part as &HFFFF.
Public Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Dim hThread As Long
Dim ntStatus As Long
ntStatus = RtlCreateUserThread(hProcess, ByVal 0&, 0, 0, 0, 0, StartAddress, Parameter, hThread, Cid)
CreateThread = hThread
End Function
' Thread entry for the in-process multithreading demo: appends Parameter, Parameter+1, ...
' to Form1.List1 until the global flag gblnRunning (declared elsewhere) becomes False, then
' ends the thread through RtlExitUserThread.
' NOTE(review): the VB6 runtime and its controls are not designed to be used from a thread
' the runtime did not create; the List1.AddItem call here is the likely source of the
' instability the article mentions — TODO confirm, or hand UI updates to the main thread.
Public Sub ThreadProc(ByVal Parameter As Long)
Do While gblnRunning
Form1.List1.AddItem CStr(Parameter)
Parameter = Parameter + 1
Loop
RtlExitUserThread 0
End Sub
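in form
Option Explicit
' "Delete me" button: asks the process whose PID is in txtInput(0) to delete this
' executable's file (DeleteMe), then closes the form.
' The PID field is validated first, mirroring cmdInject_Click / cmdUnInject_Click, so a
' blank or non-numeric entry does not silently turn into PID 0 through Val().
' Note that the form is unloaded whether or not DeleteMe reports success.
Private Sub cmdDelMe_Click()
If Not IsNumeric(txtInput(0).Text) Then
MsgBox "请输入正确的PID!!", vbCritical, "提示"
txtInput(0).SetFocus
Exit Sub
End If
DeleteMe Val(txtInput(0).Text)
Unload Me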
End Sub
' Inject button: both fields are checked before anything is done to the target —
' txtInput(0) must be numeric (the PID) and txtInput(1) must name an existing file.
' Dir() is called with vbReadOnly Or vbHidden Or vbSystem (1 Or 2 Or 4) so hidden and
' system DLLs pass the existence check. Focus goes back to the offending field on failure.
Private Sub cmdInject_Click()
    Dim strPid As String
    Dim strDllPath As String
    strPid = txtInput(0).Text
    strDllPath = txtInput(1).Text
    If IsNumeric(strPid) = False Then
        MsgBox "请输入正确的PID!!", vbCritical, "提示"
        txtInput(0).SetFocus
        Exit Sub
    End If
    If Len(Dir(strDllPath, 1 Or 2 Or 4)) = 0 Then
        MsgBox "DLL不存在!!", vbCritical, "提示"
        txtInput(1).SetFocus
        Exit Sub
    End If
    InjectDll Val(strPid), strDllPath
End Sub
' Un-inject button: same validation as cmdInject_Click, then asks UnInjectDll to unload the
' DLL named in txtInput(1) from the process whose PID is in txtInput(0).
Private Sub cmdUnInject_Click()
    Dim pidText As String
    Dim dllPath As String
    pidText = txtInput(0).Text
    dllPath = txtInput(1).Text
    If Not IsNumeric(pidText) Then
        MsgBox "请输入正确的PID!!", vbCritical, "提示"
        txtInput(0).SetFocus
    ElseIf Dir(dllPath, 1 Or 2 Or 4) = "" Then
        MsgBox "DLL不存在!!", vbCritical, "提示"
        txtInput(1).SetFocus
    Else
        UnInjectDll Val(pidText), dllPath
    End If
End Sub
in module
Option Explicit
' Process id / thread id pair that RtlCreateUserThread fills in for the new thread.
Public Type CLIENT_ID
UniqueProcess As Long
UniqueThread As Long
End Type
' --- ntdll thread primitives (undocumented exports). RtlCreateUserThread takes a handle to the
' process the thread should run in, so one wrapper serves both the in-process demo and the
' injection routines; the article points out it reaches the same ZwCreateThread path that
' CreateRemoteThread does. CreateThread passes 0 for the descriptor and stack arguments.
Private Declare Function RtlCreateUserThread Lib "ntdll.dll" (ByVal hProcess As Long, _
ByRef ThreadSecurityDescriptor As Any, _
ByVal CreateSuspended As Long, _
ByVal ZeroBits As Long, _
ByVal MaximumStackSize As Long, _
ByVal CommittedStackSize As Long, _
ByVal StartAddress As Long, _
ByVal Parameter As Long, _
ByRef hThread As Long, _
ByRef ClientId As CLIENT_ID) As Long
Private Declare Function RtlExitUserThread Lib "ntdll.dll" (ByVal ntStatus As Long) As Long
' --- kernel32/user32 helpers. TerminateThread is used by EndThread and WaitForSingleObject by
' the injection routines; Sleep, CreateEvent, SetEvent, MessageBox, CreateRemoteThread and
' GetExitCodeThread are declared but not referenced by any code shown on this page
' (GetExitCodeThread is what InjectDll/UnInjectDll would need to report whether the remote
' stub actually succeeded).
Private Declare Function TerminateThread Lib "kernel32" (ByVal hThread As Long, ByVal dwExitCode As Long) As Long
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Public Declare Function CreateEvent Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any, ByVal bManualReset As Long, ByVal bInitialState As Long, ByVal lpName As String) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Public Declare Function SetEvent Lib "kernel32" (ByVal hEvent As Long) As Long
Private Declare Function MessageBox Lib "user32" Alias "MessageBoxA" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
' --- cross-process memory: allocate / write / free a page in the target, plus local CopyMemory
' for assembling the stub. Together with OpenProcess and the thread creation above, this is
' the API sequence that process-injection detections key on.
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
' --- export lookup for the stub: addresses are resolved in *this* process's kernel32 and
' written into the stub as absolute pointers, which presumes the target maps kernel32 at
' the same base (32-bit only).
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Long, lpExitCode As Long) As Long
' Used by DeleteMe to find this executable's own path.
Private Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFileName As String, ByVal nSize As Long) As Long
' --- constants. The values after "=" are missing from this copy of the listing (apparently
' dropped when the page was extracted); they are the standard Windows SDK definitions and the
' module does not compile until they are restored.
Private Const INFINITE =
Private Const MEM_COMMIT =
Public Const MEM_RELEASE =
Private Const PAGE_EXECUTE_READWRITE =
Private Const PAGE_READWRITE =
Private Const SYNCHRONIZE As Long =
Private Const STANDARD_RIGHTS_REQUIRED As Long =
' NOTE(review): far more than InjectDll/UnInjectDll/DeleteMe actually use (allocate and write
' memory, create a thread, wait on it); least privilege would request only those rights.
' &HFFF is also the pre-Vista mask — newer SDKs define the specific-rights part as &HFFFF.
Public Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Dim hThread As Long
Dim ntStatus As Long
ntStatus = RtlCreateUserThread(hProcess, ByVal 0&, 0, 0, 0, 0, StartAddress, Parameter, hThread, Cid)
CreateThread = hThread
End Function
' Forcibly ends the thread behind hThread with TerminateThread (exit code 0).
' Returns True when TerminateThread reports success (its non-zero BOOL coerced to Boolean).
' NOTE(review): TerminateThread gives the target no chance to clean up — DLLs get no
' thread-detach notification and any lock the thread holds stays held. Prefer asking the
' thread to finish (ThreadProc already polls gblnRunning) and keep this as a last resort.
Public Function EndThread(ByVal hThread As Long) As Boolean
EndThread = TerminateThread(hThread, 0)
End Function
' Loads the DLL at strFileName into process dwProcessId.
' How: builds a small 32-bit x86 stub (the inline comments name the instruction each byte
' group belongs to) followed by the NUL-terminated UTF-16 path, copies the whole buffer into
' a fresh executable page in the target (VirtualAllocEx + WriteProcessMemory), runs it on a
' new thread through CreateThread (RtlCreateUserThread), waits for that thread to end and
' then frees the page.
' Returns True once the remote thread was created and has exited.
' NOTE(review): the return value says nothing about whether LoadLibraryW succeeded — the
' thread's exit code is never read (GetExitCodeThread is declared in the module but unused),
' so a bad path or a DLL whose DllMain fails still yields True.
' NOTE(review): the LoadLibraryW/ExitThread addresses are resolved in *this* process and
' patched into the stub as absolute pointers, so the routine only works for a 32-bit target
' in which kernel32 sits at the same base (usual on one boot, but not guaranteed).
' Security note: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(PAGE_EXECUTE_READWRITE)
' -> WriteProcessMemory -> cross-process thread is the canonical DLL-injection chain. Kernel
' thread-creation callbacks — what Sysmon's CreateRemoteThread event and most EDRs rely on —
' see the new thread whichever user-mode API created it, and an RWX allocation in another
' process is a common alert on its own.
' NOTE: several ShellCode(i) byte values are missing from this copy of the listing (apparently
' lost in extraction); as printed here the routine does not compile.
Public Function InjectDll(ByVal dwProcessId As Long, ByVal strFileName As String) As Boolean
Dim hProcess As Long
Dim nSize As Long
Dim pBase As Long
Dim ShellCode() As Byte
Dim hThread As Long
Dim Cid As CLIENT_ID
Dim dwFunAddress As Long
' VB strings are UTF-16 internally, so LenB gives the byte length including the 2-byte
' terminator appended here — the form the W-suffixed API in the stub expects.
strFileName = strFileName & Chr(0)
nSize = LenB(strFileName)
' 31 stub bytes followed by the path.
ReDim ShellCode(nSize + 31 - 1)
ShellCode(0) =
ShellCode(1) =
ShellCode(2) =
ShellCode(3) =
ShellCode(4) = &H0 'call $5
ShellCode(5) = &H5D 'pop ebp
ShellCode(6) =
ShellCode(7) = &HC5 'mov eax,ebp
ShellCode(8) =
ShellCode(9) =
ShellCode(10) = &H1A 'add eax,1a ; points at the DLL path
ShellCode(11) = &H50 ' push eax
ShellCode(12) =
ShellCode(13) =
ShellCode(14) =
ShellCode(15) =
ShellCode(16) = &H0 'mov eax,LoadLibraryW
ShellCode(17) =
ShellCode(18) = &HD0 'call eax
ShellCode(19) =
ShellCode(20) = &H0 'push 0
ShellCode(21) =
ShellCode(22) =
ShellCode(23) =
ShellCode(24) =
ShellCode(25) = &H0 'mov eax,ExitThread
ShellCode(26) =
ShellCode(27) = &HD0 'call eax
ShellCode(28) =
ShellCode(29) = &H4 'ret 4
ShellCode(30) =
' Path goes right after the stub, at the offset the "add eax" above points to.
CopyMemory ShellCode(31), ByVal StrPtr(strFileName), nSize
' Patch the two absolute addresses the stub calls (the "mov eax,..." immediates).
dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryW")
CopyMemory ShellCode(13), dwFunAddress, 4
dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "ExitThread")
CopyMemory ShellCode(22), dwFunAddress, 4
' NOTE(review): requests far more access than the three calls below need.
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessId)
If hProcess Then
pBase = VirtualAllocEx(hProcess, ByVal 0&, nSize + 31, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
If pBase Then
' lpNumberOfBytesWritten is passed as NULL (ByVal 0&), so a short write is not detectable here.
If WriteProcessMemory(hProcess, ByVal pBase, ShellCode(0), nSize + 31, ByVal 0&) Then
hThread = CreateThread(hProcess, pBase, 0, Cid)
If hThread Then
' Block until the stub has finished; the page is released only afterwards, so the
' remote thread never executes from freed memory.
WaitForSingleObject hThread, INFINITE
CloseHandle hThread
InjectDll = True
End If
End If
VirtualFreeEx hProcess, ByVal pBase, 0, MEM_RELEASE
End If
CloseHandle hProcess
End If
End Function
' Body of UnInjectDll — its signature line is missing from this copy of the listing.
' From the call in cmdUnInject_Click and the names used below it presumably mirrors
' InjectDll: Public Function UnInjectDll(ByVal dwProcessId As Long, ByVal strFileName As String) As Boolean.
' Unloads the DLL strFileName from process dwProcessId: same mechanics as InjectDll, but the
' stub calls GetModuleHandleW(path) and hands the result to FreeLibraryAndExitThread, so the
' unload and the thread exit happen in one call inside the target. 32 stub bytes + path.
' Returns True once the remote thread was created and has exited.
' NOTE(review): as in InjectDll the exit code is never read, so True does not mean the DLL was
' unloaded. If it was not loaded at all, GetModuleHandleW yields 0 and FreeLibraryAndExitThread
' simply ends the thread; and FreeLibrary only drops the load count by one, so a DLL injected
' twice stays mapped after one UnInjectDll.
' NOTE: several ShellCode(i) byte values are missing from this copy of the listing (apparently
' lost in extraction); as printed here the routine does not compile.
Dim hProcess As Long
Dim nSize As Long
Dim pBase As Long
Dim ShellCode() As Byte
Dim hThread As Long
Dim Cid As CLIENT_ID
Dim dwFunAddress As Long
' UTF-16 path with 2-byte terminator; LenB is the byte length the W APIs expect.
strFileName = strFileName & Chr(0)
nSize = LenB(strFileName)
ReDim ShellCode(nSize + 32 - 1)
ShellCode(0) =
ShellCode(1) =
ShellCode(2) =
ShellCode(3) =
ShellCode(4) = &H0 'call $5
ShellCode(5) = &H5D 'pop ebp
ShellCode(6) =
ShellCode(7) = &HC5 'mov eax,ebp
ShellCode(8) =
ShellCode(9) =
ShellCode(10) = &H1B 'add eax,1b ; points at the DLL path
ShellCode(11) = &H50 ' push eax
ShellCode(12) =
ShellCode(13) =
ShellCode(14) =
ShellCode(15) =
ShellCode(16) = &H0 'mov eax,GetModuleHandleW
ShellCode(17) =
ShellCode(18) = &HD0 'call eax
ShellCode(19) =
ShellCode(20) = &H0 'push 0
ShellCode(21) = &H50 'push eax
ShellCode(22) =
ShellCode(23) =
ShellCode(24) =
ShellCode(25) =
ShellCode(26) = &H0 'mov eax,FreeLibraryAndExitThread
ShellCode(27) =
ShellCode(28) = &HD0 'call eax
ShellCode(29) =
ShellCode(30) = &H4 'ret 4
ShellCode(31) =
CopyMemory ShellCode(32), ByVal StrPtr(strFileName), nSize
' Patch the two absolute addresses the stub calls (the "mov eax,..." immediates).
dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "GetModuleHandleW")
CopyMemory ShellCode(13), dwFunAddress, 4
dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "FreeLibraryAndExitThread")
CopyMemory ShellCode(23), dwFunAddress, 4
' NOTE(review): requests far more access than the calls below need.
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessId)
If hProcess Then
pBase = VirtualAllocEx(hProcess, ByVal 0&, nSize + 32, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
If pBase Then
' lpNumberOfBytesWritten is passed as NULL (ByVal 0&), so a short write is not detectable here.
If WriteProcessMemory(hProcess, ByVal pBase, ShellCode(0), nSize + 32, ByVal 0&) Then
hThread = CreateThread(hProcess, pBase, 0, Cid)
If hThread Then
' Wait for the stub before releasing its page.
WaitForSingleObject hThread, INFINITE
CloseHandle hThread
UnInjectDll = True
End If
End If
VirtualFreeEx hProcess, ByVal pBase, 0, MEM_RELEASE
End If
CloseHandle hProcess
End If
End Function
' Makes process dwProcessId delete this program's own executable.
' A running image cannot delete its own file, so the path of this module
' (GetModuleFileName(0, ...)) is handed to a stub injected into another process; that stub
' keeps calling DeleteFileW (the test/jz pair jumps back on failure) until the delete
' succeeds — i.e. after this process has exited — and then calls ExitThread.
' Returns True once the remote thread has been started, not once the file is gone.
' Unlike InjectDll, the wait / CloseHandle / VirtualFreeEx calls are deliberately commented
' out: the stub is still running in the target when this returns and must outlive this
' process, and freeing its page would leave the host executing released memory.
' NOTE(review): hThread is therefore never closed (leaks until this process exits), and the
' stub's retry loop has no delay — it spins one of the host's threads at full CPU until the
' delete succeeds, and forever if it never does (e.g. the file is not deletable by the host).
' NOTE(review): AppName is a 260-byte buffer. A longer path is truncated by GetModuleFileName
' and, at least on older Windows, not NUL-terminated; InStr then returns 0 and
' Left(AppName, -1) raises runtime error 5 instead of failing cleanly.
' Forensics note: a self-deleting binary is a strong indicator in itself; afterwards the
' evidence left is memory, execution artefacts such as prefetch/Amcache, and the stub's page,
' which stays allocated in the host process.
' NOTE: several ShellCode(i) byte values are missing from this copy of the listing (apparently
' lost in extraction); as printed here the routine does not compile.
Public Function DeleteMe(ByVal dwProcessId As Long) As Boolean
Dim AppName As String
Dim hProcess As Long
Dim nSize As Long
Dim pBase As Long
Dim ShellCode() As Byte
Dim hThread As Long
Dim Cid As CLIENT_ID
Dim dwFunAddress As Long
' hModule 0 = this process's own executable.
AppName = String(260, Chr(0))
GetModuleFileName 0, AppName, 260
AppName = Left(AppName, InStr(AppName, Chr(0)) - 1)
' UTF-16 path with 2-byte terminator; LenB is the byte length DeleteFileW expects.
AppName = AppName & Chr(0)
nSize = LenB(AppName)
ReDim ShellCode(nSize + 35 - 1)
ShellCode(0) =
ShellCode(1) =
ShellCode(2) =
ShellCode(3) =
ShellCode(4) = &H0 'call $5
ShellCode(5) = &H5D 'pop ebp
ShellCode(6) =
ShellCode(7) = &HC5 'mov eax,ebp
ShellCode(8) =
ShellCode(9) =
ShellCode(10) = &H1E 'add eax,1e ; points at this program's path
ShellCode(11) = &H50 ' push eax
ShellCode(12) =
ShellCode(13) =
ShellCode(14) =
ShellCode(15) =
ShellCode(16) = &H0 'mov eax,DeleteFileW
ShellCode(17) =
ShellCode(18) = &HD0 'call eax
ShellCode(19) =
ShellCode(20) = &HC0 'test eax,eax
ShellCode(21) =
ShellCode(22) = &HEF 'jz &ShellCode(6)  ; retry while DeleteFileW fails
ShellCode(23) =
ShellCode(24) = &H0 'push 0
ShellCode(25) =
ShellCode(26) =
ShellCode(27) =
ShellCode(28) =
ShellCode(29) = &H0 'mov eax,ExitThread
ShellCode(30) =
ShellCode(31) = &HD0 'call eax
ShellCode(32) =
ShellCode(33) = &H4 'ret 4
ShellCode(34) =
CopyMemory ShellCode(35), ByVal StrPtr(AppName), nSize
' Patch the two absolute addresses the stub calls (the "mov eax,..." immediates).
dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "DeleteFileW")
CopyMemory ShellCode(13), dwFunAddress, 4
dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "ExitThread")
CopyMemory ShellCode(26), dwFunAddress, 4
' NOTE(review): requests far more access than the calls below need.
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessId)
If hProcess Then
pBase = VirtualAllocEx(hProcess, ByVal 0&, nSize + 35, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
If pBase Then
If WriteProcessMemory(hProcess, ByVal pBase, ShellCode(0), nSize + 35, ByVal 0&) Then
hThread = CreateThread(hProcess, pBase, 0, Cid)
If hThread Then
' Intentionally not waiting: the stub must keep running after this process exits.
' WaitForSingleObject hThread, INFINITE
' CloseHandle hThread
DeleteMe = True
End If
End If
' Intentionally not freed: the stub is still executing from this page.
' VirtualFreeEx hProcess, ByVal pBase, 0, MEM_RELEASE
End If
CloseHandle hProcess
End If
End Function