很多人说VB不能远程注入DLL,其实是错误的VB其实也能象C++等其他语言一样轻松搞定!!不信请看下面代码!更多精彩的代码请访问我的博客。
其实网上也有类似VB代码但是只有注入没有下载,而且注入通用性很差很多会出现非法操作,我的这个代码经过充分测试包括系统进程都可以正常注入和卸载,就连杀毒软件都能注入。(希望不要干坏事哦!!)
地址一:http://www.chenhui530.com
地址二:http://chenhui.ylmf.cn
近期将更新所有原创作品贴在我的博客上!Option ExplicitPrivate Const PROCESS_CREATE_THREAD = &H2
Private Const PROCESS_QUERY_INFORMATION = &H400
Private Const PROCESS_VM_WRITE = &H20
Private Const PROCESS_VM_OPERATION = &H8
Private Const MEM_COMMIT = &H1000
Private Const MEM_RELEASE = &H8000
Private Const PAGE_READWRITE = &H4
Private Const INFINITE = &HFFFFFFFF
Private Const STANDARD_RIGHTS_REQUIRED = &HF0000
Private Const TOKEN_ASSIGN_PRIMARY = &H1
Private Const TOKEN_DUPLICATE = (&H2)
Private Const TOKEN_IMPERSONATE = (&H4)
Private Const TOKEN_QUERY = (&H8)
Private Const TOKEN_QUERY_SOURCE = (&H10)
Private Const TOKEN_ADJUST_PRIVILEGES = (&H20)
Private Const TOKEN_ADJUST_GROUPS = (&H40)
Private Const TOKEN_ADJUST_DEFAULT = (&H80)
Private Const TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or TOKEN_ASSIGN_PRIMARY Or _
TOKEN_DUPLICATE Or TOKEN_IMPERSONATE Or TOKEN_QUERY Or TOKEN_QUERY_SOURCE Or _
TOKEN_ADJUST_PRIVILEGES Or TOKEN_ADJUST_GROUPS Or TOKEN_ADJUST_DEFAULT)
Private Const SE_PRIVILEGE_ENABLED = &H2
Private Const ANYSIZE_ARRAY = 1
Private Const SE_DEBUG_NAME = "SeDebugPrivilege"Private Type LUID
lowpart As Long
highpart As Long
End TypePrivate Type LUID_AND_ATTRIBUTES
pLuid As LUID
Attributes As Long
End TypePrivate Type TOKEN_PRIVILEGES
PrivilegeCount As Long
Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End TypePrivate Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPriv As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long 'Used to adjust your program's security privileges, can't restore without it!
Private Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As Any, ByVal lpName As String, lpLuid As LUID) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long '获取当前进程句柄
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Long, lpExitCode As Long) As LongPublic Function InjectDll(ByVal dwProcessId As Long, ByVal pszLibFile As String) As Boolean
Dim hProcess As Long, hThread As Long
Dim pszLibFileRemote As Long, exitCode As Long On Error GoTo errhandle
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_CREATE_THREAD Or PROCESS_VM_OPERATION Or PROCESS_VM_WRITE, 0, dwProcessId) If hProcess = 0 Then GoTo errhandle Dim cch As Long, cb As Long cch = 1 + LenB(StrConv(pszLibFile, vbFromUnicode))
cb = cch pszLibFileRemote = VirtualAllocEx(hProcess, ByVal 0&, cb, MEM_COMMIT, PAGE_READWRITE) If pszLibFileRemote = 0 Then GoTo errhandle If (WriteProcessMemory(hProcess, ByVal pszLibFileRemote, ByVal pszLibFile, cb, ByVal 0&) = 0) Then GoTo errhandle Dim pfnThreadRtn As Long pfnThreadRtn = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA") If pfnThreadRtn = 0 Then GoTo errhandle hThread = CreateRemoteThread(hProcess, ByVal 0&, 0&, ByVal pfnThreadRtn, ByVal pszLibFileRemote, 0, 0&) If (hThread = 0) Then GoTo errhandle WaitForSingleObject hThread, INFINITE GetExitCodeThread hThread, exitCode InjectDll = CBool(exitCode)errhandle: If pszLibFileRemote <> 0 Then
VirtualFreeEx hProcess, ByVal pszLibFileRemote, 0, MEM_RELEASE
InjectDll = False
Exit Function
End If
If hThread <> 0 Then
CloseHandle hThread
InjectDll = False
Exit Function
End If
If hProcess <> 0 Then
CloseHandle hProcess
InjectDll = False
Exit Function
End If
InjectDll = True
End Function
其实网上也有类似VB代码但是只有注入没有下载,而且注入通用性很差很多会出现非法操作,我的这个代码经过充分测试包括系统进程都可以正常注入和卸载,就连杀毒软件都能注入。(希望不要干坏事哦!!)
地址一:http://www.chenhui530.com
地址二:http://chenhui.ylmf.cn
近期将更新所有原创作品贴在我的博客上!Option ExplicitPrivate Const PROCESS_CREATE_THREAD = &H2
Private Const PROCESS_QUERY_INFORMATION = &H400
Private Const PROCESS_VM_WRITE = &H20
Private Const PROCESS_VM_OPERATION = &H8
Private Const MEM_COMMIT = &H1000
Private Const MEM_RELEASE = &H8000
Private Const PAGE_READWRITE = &H4
Private Const INFINITE = &HFFFFFFFF
Private Const STANDARD_RIGHTS_REQUIRED = &HF0000
Private Const TOKEN_ASSIGN_PRIMARY = &H1
Private Const TOKEN_DUPLICATE = (&H2)
Private Const TOKEN_IMPERSONATE = (&H4)
Private Const TOKEN_QUERY = (&H8)
Private Const TOKEN_QUERY_SOURCE = (&H10)
Private Const TOKEN_ADJUST_PRIVILEGES = (&H20)
Private Const TOKEN_ADJUST_GROUPS = (&H40)
Private Const TOKEN_ADJUST_DEFAULT = (&H80)
Private Const TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or TOKEN_ASSIGN_PRIMARY Or _
TOKEN_DUPLICATE Or TOKEN_IMPERSONATE Or TOKEN_QUERY Or TOKEN_QUERY_SOURCE Or _
TOKEN_ADJUST_PRIVILEGES Or TOKEN_ADJUST_GROUPS Or TOKEN_ADJUST_DEFAULT)
Private Const SE_PRIVILEGE_ENABLED = &H2
Private Const ANYSIZE_ARRAY = 1
Private Const SE_DEBUG_NAME = "SeDebugPrivilege"Private Type LUID
lowpart As Long
highpart As Long
End TypePrivate Type LUID_AND_ATTRIBUTES
pLuid As LUID
Attributes As Long
End TypePrivate Type TOKEN_PRIVILEGES
PrivilegeCount As Long
Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End TypePrivate Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPriv As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long 'Used to adjust your program's security privileges, can't restore without it!
Private Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As Any, ByVal lpName As String, lpLuid As LUID) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long '获取当前进程句柄
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Long, lpExitCode As Long) As LongPublic Function InjectDll(ByVal dwProcessId As Long, ByVal pszLibFile As String) As Boolean
Dim hProcess As Long, hThread As Long
Dim pszLibFileRemote As Long, exitCode As Long On Error GoTo errhandle
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_CREATE_THREAD Or PROCESS_VM_OPERATION Or PROCESS_VM_WRITE, 0, dwProcessId) If hProcess = 0 Then GoTo errhandle Dim cch As Long, cb As Long cch = 1 + LenB(StrConv(pszLibFile, vbFromUnicode))
cb = cch pszLibFileRemote = VirtualAllocEx(hProcess, ByVal 0&, cb, MEM_COMMIT, PAGE_READWRITE) If pszLibFileRemote = 0 Then GoTo errhandle If (WriteProcessMemory(hProcess, ByVal pszLibFileRemote, ByVal pszLibFile, cb, ByVal 0&) = 0) Then GoTo errhandle Dim pfnThreadRtn As Long pfnThreadRtn = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA") If pfnThreadRtn = 0 Then GoTo errhandle hThread = CreateRemoteThread(hProcess, ByVal 0&, 0&, ByVal pfnThreadRtn, ByVal pszLibFileRemote, 0, 0&) If (hThread = 0) Then GoTo errhandle WaitForSingleObject hThread, INFINITE GetExitCodeThread hThread, exitCode InjectDll = CBool(exitCode)errhandle: If pszLibFileRemote <> 0 Then
VirtualFreeEx hProcess, ByVal pszLibFileRemote, 0, MEM_RELEASE
InjectDll = False
Exit Function
End If
If hThread <> 0 Then
CloseHandle hThread
InjectDll = False
Exit Function
End If
If hProcess <> 0 Then
CloseHandle hProcess
InjectDll = False
Exit Function
End If
InjectDll = True
End Function
解决方案 »
- 加密解密问题!!高手进来看看,小弟在此先谢你们了!!
- err.number与error.number有何区别呀?
- ====关于richtextbox的奇妙问题,高手们进来讨论讨论===
- vb能否实现如此通信????//
- 在vb程序里如何新建一个word文档
- webbrowser控件问题:怎样用webbrowser控件保存一个网页到硬盘?
- 多文档界面中,子窗体如何引用主窗体的状态条????!!!!
- 购买或交换大型系统源码我有ERP,你有什么。
- 各位大侠请问 VB 怎样编多线程序
- 如何从VB6.0 进入VB.net ?
- 关于显示 Datagrid 中选中的一行数据?在线等啊。。。。
- 怎样获得计划任务文件夹中某计划的上次运行时间,下次运行时间及状态?
Dim hProcess As Long, hThread As Long
Dim pszLibFileRemote As Long, exitCode As Long
On Error GoTo errhandle
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_CREATE_THREAD Or PROCESS_VM_OPERATION Or PROCESS_VM_WRITE, 0, dwProcessId)
If hProcess = 0 Then GoTo errhandle
Dim cch As Long, cb As Long
cch = 1 + LenB(StrConv(pszLibFile, vbFromUnicode))
cb = cch
pszLibFileRemote = VirtualAllocEx(hProcess, ByVal 0&, cb, MEM_COMMIT, PAGE_READWRITE)
If pszLibFileRemote = 0 Then GoTo errhandle If (WriteProcessMemory(hProcess, ByVal pszLibFileRemote, ByVal pszLibFile, cb, ByVal 0&) = 0) Then GoTo errhandle
Dim pfnThreadRtn As Long
pfnThreadRtn = GetProcAddress(GetModuleHandle("Kernel32"), "GetModuleHandleA")
If pfnThreadRtn = 0 Then GoTo errhandle
hThread = CreateRemoteThread(hProcess, ByVal 0&, 0&, ByVal pfnThreadRtn, ByVal pszLibFileRemote, 0, pszLibFileRemote)
If (hThread = 0) Then GoTo errhandle WaitForSingleObject hThread, INFINITE
GetExitCodeThread hThread, exitCode
VirtualFreeEx hProcess, pszLibFileRemote, 0, MEM_RELEASE
CloseHandle hThread
pfnThreadRtn = GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibrary")
hThread = CreateRemoteThread(hProcess, ByVal 0&, 0&, ByVal pfnThreadRtn, ByVal exitCode, 0, pszLibFileRemote)
WaitForSingleObject hThread, INFINITE
GetExitCodeThread hThread, exitCodeerrhandle:
If pszLibFileRemote <> 0 Then
VirtualFreeEx hProcess, ByVal pszLibFileRemote, 0, MEM_RELEASE
UnloadDll = False
Exit Function
End If
If hThread <> 0 Then
CloseHandle hThread
UnloadDll = False
Exit Function
End If
If hProcess <> 0 Then
CloseHandle hProcess
UnloadDll = False
Exit Function
End If
UnloadDll = CBool(exitCode)
End FunctionPublic Function EnablePrivilege() As Boolean
Dim hdlProcessHandle As Long
Dim hdlTokenHandle As Long
Dim tmpLuid As LUID
Dim tkp As TOKEN_PRIVILEGES
Dim tkpNewButIgnored As TOKEN_PRIVILEGES
Dim lBufferNeeded As Long
Dim lp As Long
hdlProcessHandle = GetCurrentProcess()
lp = OpenProcessToken(hdlProcessHandle, TOKEN_ALL_ACCESS, hdlTokenHandle)
lp = LookupPrivilegeValue(vbNullString, "SeDebugPrivilege", tmpLuid)
tkp.PrivilegeCount = 1
tkp.Privileges(0).pLuid = tmpLuid
tkp.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
EnablePrivilege = AdjustTokenPrivileges(hdlTokenHandle, False, tkp, Len(tkpNewButIgnored), tkpNewButIgnored, lBufferNeeded)
End FunctionPublic Function KillProcess(ByVal ProcessID As String) As Boolean '结束指定进程
Dim lPHand As Long, TMBack As Long
lPHand = OpenProcess(1&, True, CLng(ProcessID)) '获取进程句柄
TMBack = TerminateProcess(lPHand, 0&) '关闭进程
If TMBack <> 0 Then
KillProcess = True
Else
KillProcess = False
End If
CloseHandle lPHand
End Function
http://pscode.com/vb/scripts/ShowCode.asp?txtCodeId=67319&lngWId=1
http://pscode.com/vb/scripts/ShowCode.asp?txtCodeId=62338&lngWId=1
1、 远程注入dll 后,,怎么让注入的dll或exe文件执行呢?
光注入了,不知道怎么运行exe或dll 呀
2、当被注入的程序关闭以后,注入的dll或exe也会被关闭了,,怎么样作到被注入的程序关闭以后,,注入的dll或exe仍然运行,且重新启动以后仍然会附身到别的进程里呢??3、以上有点木马的味道了
E-mail:[email protected]