VB创建SYSTEM用户进程

这是看到网上的一篇代码，前段时间准备用VB转换，由于时间关系一直没弄了，最近闲了就把它完成了，原文章可以在这里察看
http://www.chenhui530.com/forum/viewthread.php?tid=166&extra=page%3D1下面是完整源码。如果需要转载请说明出处。Option ExplicitPrivate Const PROCESS_CREATE_THREAD = &H2
Private Const PROCESS_QUERY_INFORMATION = &H400
Private Const PROCESS_VM_WRITE = &H20
Private Const PROCESS_VM_OPERATION = &H8
Private Const PROCESS_VM_READ = &H10
Private Const PROCESS_TERMINATE = 1
Private Const READ_CONTROL = &H20000
Private Const WRITE_DAC = &H40000
Private Const MEM_COMMIT = &H1000
Private Const MEM_RELEASE = &H8000
Private Const PAGE_READWRITE = &H4
Private Const INFINITE = &HFFFFFFFF
Private Const STANDARD_RIGHTS_REQUIRED = &HF0000
Private Const TOKEN_ASSIGN_PRIMARY = &H1
Private Const TOKEN_DUPLICATE = (&H2)
Private Const TOKEN_IMPERSONATE = (&H4)
Private Const TOKEN_QUERY = (&H8)
Private Const TOKEN_QUERY_SOURCE = (&H10)
Private Const TOKEN_ADJUST_PRIVILEGES = (&H20)
Private Const TOKEN_ADJUST_GROUPS = (&H40)
Private Const TOKEN_ADJUST_DEFAULT = (&H80)
'Private Const TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or TOKEN_ASSIGN_PRIMARY Or _
'TOKEN_DUPLICATE Or TOKEN_IMPERSONATE Or TOKEN_QUERY Or TOKEN_QUERY_SOURCE Or _
'TOKEN_ADJUST_PRIVILEGES Or TOKEN_ADJUST_GROUPS Or TOKEN_ADJUST_DEFAULT)
Private Const TOKEN_ALL_ACCESS = 983551
Private Const SE_PRIVILEGE_ENABLED = &H2
Private Const ANYSIZE_ARRAY = 1
Private Const SE_DEBUG_NAME = "SeDebugPrivilege"Private Const DACL_SECURITY_INFORMATION = &H4Private Const GRANT_ACCESS = 1Private Type LUID
    lowpart As Long
    highpart As Long
End TypePrivate Type LUID_AND_ATTRIBUTES
    pLuid As LUID
    Attributes As Long
End TypePrivate Type TOKEN_PRIVILEGES
    PrivilegeCount As Long
    Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End TypePrivate Type TRUSTEE
    pMultipleTrustee As Long
    MultipleTrusteeOperation As Long
    TrusteeForm As Long
    TrusteeType As Long
    ptstrName As String
End TypePrivate Type EXPLICIT_ACCESS
    grfAccessPermissions As Long
    grfAccessMode As Long
    grfInheritance As Long
    pTRUSTEE As TRUSTEE
End TypePrivate Declare Sub BuildExplicitAccessWithName Lib "advapi32.dll" Alias _
    "BuildExplicitAccessWithNameA" _
    (ea As Any, _
    ByVal TrusteeName As String, _
    ByVal AccessPermissions As Long, _
    ByVal AccessMode As Integer, _
    ByVal Inheritance As Long)

Private Declare Function SetEntriesInAcl Lib "advapi32.dll" Alias "SetEntriesInAclA" (ByVal CountofExplicitEntries As Long, ea As Any, ByVal OldAcl As Long, NewAcl As Long) As LongPrivate Declare Function GetNamedSecurityInfo Lib "advapi32.dll" Alias _
    "GetNamedSecurityInfoA" _
    (ByVal ObjName As String, _
    ByVal SE_OBJECT_TYPE As Long, _
    ByVal SecInfo As Long, _
    ByVal pSid As Long, _
    ByVal pSidGroup As Long, _
    pDacl As Long, _
    ByVal pSacl As Long, _
    pSecurityDescriptor As Long) As Long

Private Declare Function SetNamedSecurityInfo Lib "advapi32.dll" Alias _
    "SetNamedSecurityInfoA" _
    (ByVal ObjName As String, _
    ByVal SE_OBJECT As Long, _
    ByVal SecInfo As Long, _
    ByVal pSid As Long, _
    ByVal pSidGroup As Long, _
    ByVal pDacl As Long, _
    ByVal pSacl As Long) As Long

Private Declare Function GetKernelObjectSecurity Lib "advapi32.dll" (ByVal Handle As Long, ByVal RequestedInformation As Long, pSecurityDescriptor As Long, ByVal nLength As Long, lpnLengthNeeded As Long) As Long
Private Declare Function LocalFree Lib "kernel32" (ByVal hMem As Long) As LongPrivate Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPriv As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long                'Used to adjust your program's security privileges, can't restore without it!
Private Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As Any, ByVal lpName As String, lpLuid As LUID) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long '获取当前进程句柄
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function EnumProcesses Lib "psapi.dll" (ByRef lpidProcess As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long
Private Declare Function GetModuleFileNameExA Lib "psapi.dll" (ByVal hProcess As Long, ByVal hModule As Long, ByVal ModuleName As String, ByVal nSize As Long) As Long
Private Declare Function EnumProcessModules Lib "psapi.dll" (ByVal hProcess As Long, ByRef lphModule As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long
Private Declare Function GetLastError Lib "kernel32" () As Long
Private Declare Function HeapAlloc Lib "kernel32" (ByVal hHeap As Long, ByVal dwFlags As Long, ByVal dwBytes As Long) As Long
Private Declare Function GetProcessHeap Lib "kernel32" () As LongPrivate Declare Function MakeAbsoluteSD Lib "advapi32.dll" (ByVal pSelfRelativeSecurityDescriptor As Long, ByVal pAbsoluteSecurityDescriptor As Long, lpdwAbsoluteSecurityDescriptorSize As Long, ByVal pDacl As Long, lpdwDaclSize As Long, ByVal pSacl As Long, lpdwSaclSize As Long, ByVal pOwner As Long, lpdwOwnerSize As Long, ByVal pPrimaryGroup As Long, lpdwPrimaryGroupSize As Long) As Long

解决方案 »

免费领取超大流量手机卡，每月29元包185G流量+100分钟通话, 中国电信官方发货

'Private Declare Function SetSecurityDescriptorDacl Lib "advapi32.dll" (pSecurityDescriptor As Long, ByVal bDaclPresent As Long, pDacl As ACL, ByVal bDaclDefaulted As Long) As Long
Private Declare Function SetSecurityDescriptorDacl Lib "advapi32.dll" (ByVal pSecurityDescriptor As Long, ByVal bDaclPresent As Long, ByVal pDacl As Long, ByVal bDaclDefaulted As Long) As LongPrivate Declare Function SetKernelObjectSecurity Lib "advapi32.dll" (ByVal Handle As Long, ByVal SecurityInformation As Long, ByVal SecurityDescriptor As Long) As Long
Private Declare Function ImpersonateLoggedOnUser Lib "advapi32" (ByVal hToken As Long) As Long
'Private Declare Function DuplicateTokenEx Lib "advapi32" (ByVal hExistingToken As Long, ByVal dwDesiredAcces As Long, lpTokenAttribute As Long, ImpersonatonLevel As SECURITY_IMPERSONATION_LEVEL, ByVal tokenType As TOKEN_TYPE, Phandle As Long) As Long
Private Declare Function DuplicateTokenEx Lib "advapi32" (ByVal hExistingToken As Long, ByVal dwDesiredAcces As Long, lpTokenAttribute As Long, ImpersonatonLevel As SECURITY_IMPERSONATION_LEVEL, ByVal tokenType As TOKEN_TYPE, Phandle As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)'Private Declare Function GetSecurityDescriptorDacl Lib "advapi32.dll" (pSecurityDescriptor As Long, lpbDaclPresent As Long, pDacl As ACL, lpbDaclDefaulted As Long) As Long
Private Declare Function GetSecurityDescriptorDacl Lib "advapi32.dll" (ByVal pSecurityDescriptor As Long, lpbDaclPresent As Long, pDacl As Long, lpbDaclDefaulted As Long) As Long
'Private Declare Function CreateProcessAsUser Lib "advapi32.dll" Alias "CreateProcessAsUserA" (ByVal hToken As Long, ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As SECURITY_ATTRIBUTES, lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As String, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
'Private Declare Function CreateProcessAsUser Lib "advapi32.dll" Alias "CreateProcessAsUserA" (ByVal hToken As Long, ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As SECURITY_ATTRIBUTES, ByVal lpThreadAttributes As SECURITY_ATTRIBUTES, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As String, ByVal lpCurrentDirectory As String, ByVal lpStartupInfo As STARTUPINFO, ByVal lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function CreateProcessAsUser Lib "advapi32.dll" Alias "CreateProcessAsUserA" (ByVal hToken As Long, ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Long, lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As String, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function HeapFree Lib "kernel32" (ByVal hHeap As Long, ByVal dwFlags As Long, lpMem As Any) As Long
Private Const ERROR_INSUFFICIENT_BUFFER = 122
Private Const HEAP_ZERO_MEMORY As Long = &H8
Private Const ERROR_SUCCESS = 0&Private Type SID_IDENTIFIER_AUTHORITY
    Value(6) As Byte
End TypePrivate Type SID
    Revision As Byte
    SubAuthorityCount As Byte
    IdentifierAuthority As SID_IDENTIFIER_AUTHORITY
    '#if MIDL_PASS
    '[size_is(SubAuthorityCount)] DWORD SubAuthority;
    '#else // MIDL_PASS
    SubAuthority(0) As Integer
    '#endif // MIDL_PASS
End TypePrivate Enum SECURITY_IMPERSONATION_LEVEL
    SecurityAnonymous
    SecurityIdentification
    SecurityImpersonation
    SecurityDelegation
End EnumPrivate Enum TOKEN_TYPE
    TokenPrimary = 1
    TokenImpersonation
End EnumPrivate Type SECURITY_ATTRIBUTES
    nLength As Long
    lpSecurityDescriptor As Long
    bInheritHandle As Long
End TypePrivate Type ACL
    AclRevision As Byte
    Sbz1 As Byte
    AclSize As Integer
    AceCount As Integer
    Sbz2 As Integer
End TypePrivate Type SECURITY_DESCRIPTOR
    Revision As Byte
    Sbz1 As Byte
    Control As Long
    Owner As Long
    Group As Long
    Sacl As ACL
    Dacl As ACL
End TypePrivate Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End TypePrivate Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type
'提升进程为Debug权限
Public Function EnablePrivilege() As Boolean
    Dim hdlProcessHandle As Long
    Dim hdlTokenHandle As Long
    Dim tmpLuid As LUID
    Dim tkp As TOKEN_PRIVILEGES
    Dim tkpNewButIgnored As TOKEN_PRIVILEGES
    Dim lBufferNeeded As Long
    Dim lp As Long
    hdlProcessHandle = GetCurrentProcess()
    lp = OpenProcessToken(hdlProcessHandle, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hdlTokenHandle)
    Debug.Print "TOKENS: " & CStr(TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY)
    Debug.Print "TOKEN: " & hdlTokenHandle
    lp = LookupPrivilegeValue(vbNullString, "SeDebugPrivilege", tmpLuid)
    tkp.PrivilegeCount = 1
    tkp.Privileges(0).pLuid = tmpLuid
    tkp.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
    EnablePrivilege = AdjustTokenPrivileges(hdlTokenHandle, False, tkp, Len(tkp), tkpNewButIgnored, lBufferNeeded)
End FunctionPublic Function CreateSystemProcess(ByVal szProcessName As String) As Boolean
    Dim hProcess As Long, dwPid As Long, hToken As Long, hNewToken As Long, pOrigSd As SECURITY_DESCRIPTOR, pNewSd As SECURITY_DESCRIPTOR, dwSDLen As Long, bDAcl As Long, pOldDAcl As ACL, bDefDAcl As Long
    Dim dwRet As Long, pNewDAcl As ACL, pSacl As ACL, dwSidOwnLen As Long, dwSidPrimLen As Long, si As STARTUPINFO, pi As PROCESS_INFORMATION, bError As Boolean
    Dim ea As EXPLICIT_ACCESS, hOrigSd As Long, hOldDAcl As Long, hNewDAcl As Long, dwAclSize As Long, dwSaclSize As Long
    Dim hSacl As Long, hSidOwner As Long, hSidPrimary As Long, hNewSd As Long, lngErr As Long
    Dim hea As Long, hToken1 As Long, pSidOwner As SID, pSidPrimary As SID, ct As SECURITY_DESCRIPTOR
    Dim hSacl1 As Long, hSidOwner1 As Long, hSidPrimary1 As Long
    '提高进程权限为Debug权限
    If Not EnablePrivilege Then
        bError = True
        GoTo Cleanup
    End If
    '得到winlogon的进程ID
    dwPid = GetSystemProcessID
    If dwPid = 0 Then
        bError = True
        GoTo Cleanup
    End If
    '得到句柄
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, False, dwPid)
    If hProcess = 0 Then
        bError = True
        GoTo Cleanup
    End If
'得到hToken
    If OpenProcessToken(hProcess, READ_CONTROL Or WRITE_DAC, hToken) = 0 Then
        bError = True
        GoTo Cleanup
    End If
    '设置 ACE 具有所有访问权限
    BuildExplicitAccessWithName ea, "Everyone", TOKEN_ALL_ACCESS, GRANT_ACCESS, 0
    Debug.Print ea.grfAccessMode
    '第一次调用肯定错误,目的是为了得到dwSDLen的值
    If GetKernelObjectSecurity(ByVal hToken, DACL_SECURITY_INFORMATION, ByVal hOrigSd, ByVal 0, dwSDLen) = 0 Then
        lngErr = GetLastError()
        Debug.Print "GetLastError: " & lngErr
        Debug.Print "dwSDLen值为: " & dwSDLen
'        If lngErr = ERROR_INSUFFICIENT_BUFFER Then
            hOrigSd = HeapAlloc(GetProcessHeap, HEAP_ZERO_MEMORY, dwSDLen)
            '再次调用取得正确得到安全描述符hOrigSd
            If GetKernelObjectSecurity(ByVal hToken, DACL_SECURITY_INFORMATION, ByVal hOrigSd, ByVal dwSDLen, dwSDLen) = 0 Then
                bError = True
                GoTo Cleanup
            End If
'        Else
'            bError = True
'            GoTo Cleanup
'        End If
    Else
        bError = True
        GoTo Cleanup
    End If
    '得到原安全描述符的访问控制列表 ACL
    If GetSecurityDescriptorDacl(ByVal hOrigSd, bDAcl, hOldDAcl, bDefDAcl) = 0 Then
        bError = True
        GoTo Cleanup
    End If    '生成新 ACE 权限的访问控制列表 ACL
    dwRet = SetEntriesInAcl(ByVal 1, ea, hOldDAcl, hNewDAcl)
    If dwRet <> ERROR_SUCCESS Then
        hNewDAcl = 0
        bError = True
        GoTo Cleanup
    End If
    '第一次调用给出的参数肯定返回这个错误，这样做的目的是为了创建新的安全描述符 hNewSd 而得到各项的长度
    If MakeAbsoluteSD(ByVal hOrigSd, ByVal hNewSd, dwSDLen, ByVal hOldDAcl, dwAclSize, ByVal hSacl, dwSaclSize, ByVal hSidOwner, dwSidOwnLen, ByVal hSidPrimary, dwSidPrimLen) = 0 Then
        lngErr = GetLastError()
        Debug.Print "GetLastError: " & lngErr
        Debug.Print "hNewSd: " & hNewSd
        Debug.Print "hNewDAcl: " & hNewDAcl
        'If lngErr = ERROR_INSUFFICIENT_BUFFER Then
            hOldDAcl = HeapAlloc(GetProcessHeap, HEAP_ZERO_MEMORY, ByVal dwAclSize)
            hSacl = HeapAlloc(GetProcessHeap, HEAP_ZERO_MEMORY, ByVal dwSaclSize)
            hSidOwner = HeapAlloc(GetProcessHeap, HEAP_ZERO_MEMORY, ByVal dwSidOwnLen)
            hSidPrimary = HeapAlloc(GetProcessHeap, HEAP_ZERO_MEMORY, ByVal dwSidPrimLen)
            hNewSd = HeapAlloc(GetProcessHeap, HEAP_ZERO_MEMORY, ByVal dwSDLen)
            Debug.Print "调用MakeAbsoluteSD成功之后dwSDLen值为: " & dwSDLen
            '再次调用才可以成功创建新的安全描述符 hNewSd但新的安全描述符仍然是原访问控制列表 ACL
            If MakeAbsoluteSD(ByVal hOrigSd, ByVal hNewSd, dwSDLen, ByVal hOldDAcl, dwAclSize, ByVal hSacl, dwSaclSize, ByVal hSidOwner, dwSidOwnLen, ByVal hSidPrimary, dwSidPrimLen) = 0 Then
                bError = True
                GoTo Cleanup
            End If
            Debug.Print "hNewSd: " & hNewSd
            Debug.Print "hNewDAcl: " & hNewDAcl
'        Else
'            bError = True
'            GoTo Cleanup
'        End If
    End If    '将具有所有访问权限的访问控制列表 hNewDAcl 加入到新的hNewSd中
    If SetSecurityDescriptorDacl(hNewSd, bDAcl, hNewDAcl, bDefDAcl) = 0 Then
        bError = True
        GoTo Cleanup
    End If    '将新的安全描述符加到 TOKEN 中
    If SetKernelObjectSecurity(hToken, DACL_SECURITY_INFORMATION, ByVal hNewSd) = 0 Then
        bError = True
        GoTo Cleanup
    End If
    '以所有权限方式再次打开winlogon.exe为复制权限作准备
    If OpenProcessToken(ByVal hProcess, TOKEN_ALL_ACCESS, hToken) = 0 Then
        bError = True
        GoTo Cleanup
    End If
    '复制一份具有相同访问权限的 TOKEN
    If DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, ByVal 0, ByVal SecurityImpersonation, ByVal TokenPrimary, hNewToken) = 0 Then
        bError = True
        GoTo Cleanup
    End If
    '不虚拟登陆用户的话，创建新进程会提示1314 客户没有所需的特权错误
    Call ImpersonateLoggedOnUser(hNewToken)
    '利用具有所有权限的 TOKEN，创建高权限进程
    If CreateProcessAsUser(hNewToken, vbNullString, szProcessName, ByVal 0&, ByVal 0, False, ByVal 0&, vbNullString, vbNullString, si, pi) = 0 Then
        bError = True
        GoTo Cleanup
    End If
    bError = False
Cleanup:
'    On Error Resume Next
    If hOrigSd Then HeapFree GetProcessHeap, 0, hOrigSd
    If hNewSd Then HeapFree GetProcessHeap, 0, hNewSd
    If hSidPrimary Then HeapFree GetProcessHeap, 0, hSidPrimary
    If hSidOwner Then HeapFree GetProcessHeap, 0, hSidOwner
    If hSacl Then Call HeapFree(GetProcessHeap, 0, hSacl)
    If hOldDAcl Then Call HeapFree(GetProcessHeap, 0, hOldDAcl)
    Call CloseHandle(pi.hProcess)
    Call CloseHandle(pi.hThread)
    Call CloseHandle(hToken)
    Call CloseHandle(hNewToken)
    Call CloseHandle(hProcess)
    If (bError) Then
        CreateSystemProcess = False
    Else
        CreateSystemProcess = True
    End If
End FunctionPrivate Function GetSystemProcessID() As Long
    Dim cb As Long
    Dim cbNeeded As Long
    Dim NumElements As Long
    Dim ProcessIDs() As Long
    Dim cbNeeded2 As Long
    Dim NumElements2 As Long
    Dim Modules(1 To 255) As Long
    Dim lRet As Long
    Dim ModuleName As String, Str As String
    Dim nSize As Long
    Dim hProcess As Long
    Dim i As Long, j As Integer
    ReDim ProcessIDs(1024)
    lRet = EnumProcesses(ProcessIDs(0), 4 * 1024, cbNeeded)
    NumElements = cbNeeded / 4
    ReDim Preserve ProcessIDs(NumElements - 1)
    '遍历进程
    For i = 0 To NumElements - 1
        hProcess = OpenProcess(PROCESS_QUERY_INFORMATION _
        Or PROCESS_VM_READ Or PROCESS_TERMINATE, False, ProcessIDs(i))
        If hProcess <> 0 Then
            lRet = EnumProcessModules(hProcess, Modules(1), 255, cbNeeded2)
            If lRet <> 0 Then
                ModuleName = Space(255)
                nSize = 255
                lRet = GetModuleFileNameExA(hProcess, Modules(1), ModuleName, 255)
                ModuleName = Left(ModuleName, lRet)
                If InStr(LCase(ModuleName), "system32\winlogon.exe") Then '"system32\services.exe") Then
                    GetSystemProcessID = ProcessIDs(i)
                    Exit Function
                End If
            End If
        End If
    Next
End FunctionPrivate Sub cmdRun_Click()
    If CreateSystemProcess(txtPath.Text) Then
        'MsgBox "创建成功!!"
        Unload Me
    End If
End SubPrivate Sub Form_Load()
    Dim strCmdLine As String, strAgs As String
    strCmdLine = Command
    If strCmdLine <> "" Then
        Me.Hide
        strAgs = Mid(strCmdLine, InStr(strCmdLine, "/") + 1, Len(strCmdLine) - InStr(strCmdLine, "/"))
        CreateSystemProcess strAgs
        Unload Me
    End If
End Sub
最近闲了才完成这篇文章的转换，在实际转换中，发觉很多声明都得自己修改，这也就是一开始失败的原因，特别得注意值传递和地址传递，还有就是在C++中可以用结构但是在VB中不是怎么好使，我都改成了指针类型（long），这样才使程序能够完成，有兴趣的朋友可以使用结构方式试下，声明我基本上都写上了~~
顶一下！楼主，我这样试了一下，其余不变：
Private Sub Form_Load()
    Dim strCmdLine As String, strAgs As String
     strCmdLine = "/" & App.EXEName & ".exe"
    If strCmdLine <> "" Then
        Me.Hide
        strAgs = Mid(strCmdLine, InStr(strCmdLine, "/") + 1, Len(strCmdLine) - InStr(strCmdLine, "/"))
        CreateSystemProcess strAgs
        Unload Me
    End If
End Sub
编译后运行，发现有两个App.EXEName & ".exe"在运行，且不能通过进程管理器结束，呵呵呵，我不懂代码含义，这是咋回事阿！
好像CreateSystemProcess strAgs这步一直在进行中，所以后面的Unload Me没机会执行了，纯属感觉。
wdthkyou(一点一点地学):
你自己调用自己了
chenhui530 (陈辉) 有空的话
把ZwQuerySystemInformation 查询进程信息弄一下吧应该比较简单的  查询进程信息是常数5
下面是一些结构也不知道对不对希望大家  帮忙看一下  谢谢了 !'typedef enum _KWAIT_REASON
'{
'Executive,
'FreePage,
'PageIn,
'PoolAllocation,
'DelayExecution,
'Suspended,
'UserRequest,
'WrExecutive,
'WrFreePage,
'WrPageIn,
'WrPoolAllocation,
'WrDelayExecution,
'WrSuspended,
'WrUserRequest,
'WrEventPair,
'WrQueue,
'WrLpcReceive,
'WrLpcReply,
'WrVertualMemory,
'WrPageOut,
'WrRendezvous,
'Spare2,
'Spare3,
'Spare4,
'Spare5,
'Spare6,
'WrKernel
'}KWAIT_REASON;'typedef struct _SYSTEM_PROCESSES {
'ULONG NextEntryDelta;
'ULONG ThreadCount;
'ULONG Reserved1[6];
'LARGE_INTEGER CreateTime;
'LARGE_INTEGER UserTime;
'LARGE_INTEGER KernelTime;
'UNICODE_STRING ProcessName;
'KPRIORITY BasePriority;
'ULONG ProcessId;
'ULONG InheritedFromProcessId;
'ULONG HandleCount;
'ULONG Reserved2[2];
'VM_COUNTERS VmCounters;
'IO_COUNTERS IoCounters; // Windows 2000特有的
'SYSTEM_THREADS Threads[1];
'} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;'typedef struct _VM_COUNTERS
'{
'    ULONG PeakVirtualSize;
'    ULONG VirtualSize;
'    ULONG PageFaultCount;
'    ULONG PeakWorkingSetSize;
'    ULONG WorkingSetSize;
'    ULONG QuotaPeakPagedPoolUsage;
'    ULONG QuotaPagedPoolUsage;
'    ULONG QuotaPeakNonPagedPoolUsage;
'    ULONG QuotaNonPagedPoolUsage;
'    ULONG PagefileUsage;
'    ULONG PeakPagefileUsage;
'}VM_COUNTERS,*PVM_COUNTERS;
'typedef struct _IO_COUNTERS
'{
'    LARGE_INTEGER ReadOperationCount;
'    LARGE_INTEGER WriteOperationCount;
'    LARGE_INTEGER OtherOperationCount;
'    LARGE_INTEGER ReadTransferCount;
'    LARGE_INTEGER WriteTransferCount;
'    LARGE_INTEGER OtherTransferCount;
'}IO_COUNTERS,*PIO_COUNTERS;'typedef struct _SYSTEM_THREADS
'{
'    LARGE_INTEGER KernelTime;
'    LARGE_INTEGER UserTime;
'    LARGE_INTEGER CreateTime;
'    ULONG         WaitTime;
'    PVOID         StartAddress;
'    CLIENT_ID     ClientId;
'    KPRIORITY     Priority;
'    KPRIORITY     BasePriority;
'    ULONG         ContextSwitchCount;
'    THREAD_STATE  State;
'    KWAIT_REASON  WaitReason;
'}SYSTEM_THREADS,*PSYSTEM_THREADS;'typedef enum _THREAD_STATE
'{
'StateInitialized,
'StateReady,
'StateRunning,
'StateStandby,
'StateTerminated,
'StateWait,
'StateTransition,
'StateUnknown
'}THREAD_STATE;'typedef struct _CLIENT_ID
'{
'HANDLE UniqueProcess;
'HANDLE UniqueThread;
'}CLIENT_ID;
'typedef CLIENT_ID *PCLIENT_ID;
Public Enum THREAD_STATE'具体值不知道是多少。。
    StateInitialized
    StateReady
    StateRunning
    StateStandby
    StateTerminated
    StateWait
    StateTransition
    StateUnknown
End Type
Public Enum KWAIT_REASON'具体值不知道是多少。。
    Executive
    FreePage
    PageIn
    PoolAllocation
    DelayExecution
    Suspended
    UserRequest
    WrExecutive
    WrFreePage
    WrPageIn
    WrPoolAllocation
    WrDelayExecution
    WrSuspended
    WrUserRequest
    WrEventPair
    WrQueue
    WrLpcReceive
    WrLpcReply
    WrVertualMemory
    WrPageOut
    WrRendezvous
    Spare2
    Spare3
    Spare4
    Spare5
    Spare6
    WrKernel
End Type
Public Type CLIENT_ID
    UniqueProcess As Long
    UniqueThread As Long
End Type
Public Type VM_COUNTERS
    PeakVirtualSize As Long
    VirtualSize As Long
    PageFaultCount As Long
    PeakWorkingSetSize As Long
    WorkingSetSize As Long
    QuotaPeakPagedPoolUsage As Long
    QuotaPagedPoolUsage As Long
    QuotaPeakNonPagedPoolUsage As Long
    QuotaNonPagedPoolUsage As Long
    PagefileUsage As Long
    PeakPagefileUsage As Long
End Type
Public Type IO_COUNTERS
     ReadOperationCount As Currency
     WriteOperationCount As Currency
     OtherOperationCount As Currency
     ReadTransferCount As Currency
     WriteTransferCount As Currency
     OtherTransferCount As Currency
End Type
Public Type SYSTEM_THREADS
    KernelTime As Currency
    UserTime As Currency
    CreateTime As Currency
    WaitTime As Long
    StartAddress As Long
    ClientId As CLIENT_ID
    Priority As Long  'KPRIORITY 结构没见过不知道这样对不对
    BasePriority As Long 'KPRIORITY 结构没见过不知道这样对不对
    ContextSwitchCount As Long
    State As THREAD_STATE
    WaitReason As KWAIT_REASON
End Type
Public Type SYSTEM_PROCESSES
    NextEntryDelta As Long
    ThreadCount As Long
    Reserved1(5) As Long
    CreateTime As Currency
    UserTime As Currency
    KernelTime As Currency
    ProcessName As String
    BasePriority As Long
    ProcessId As Long
    InheritedFromProcessId As Long
    HandleCount As Long
    Reserved2(1) As Long
    VmCounters As VM_COUNTERS
    IoCounters As IO_COUNTERS
    Threads(0) As THREAD_STATE
End Type
最后一个看错是  应该是
Public Type SYSTEM_PROCESSES
    NextEntryDelta As Long
    ThreadCount As Long
    Reserved1(5) As Long
    CreateTime As Currency
    UserTime As Currency
    KernelTime As Currency
    ProcessName As String
    BasePriority As Long
    ProcessId As Long
    InheritedFromProcessId As Long
    HandleCount As Long
    Reserved2(1) As Long
    VmCounters As VM_COUNTERS
    IoCounters As IO_COUNTERS
    Threads(0) As SYSTEM_THREADS
End Type