Private Const PROCESS_CREATE_THREAD = &H2 Private Const PROCESS_QUERY_INFORMATION = &H400 Private Const PROCESS_VM_WRITE = &H20 Private Const PROCESS_VM_OPERATION = &H8 Private Const MEM_COMMIT = &H1000 Private Const MEM_RELEASE = &H8000 Private Const PAGE_READWRITE = &H4 Private Const INFINITE = &HFFFFFFFFPrivate Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, _ lpAddress As Any, _ ByVal dwSize As Long, _ ByVal flAllocationType As Long, _ ByVal flProtect As Long) As Long Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, _ lpAddress As Any, _ ByVal dwSize As Long, _ ByVal dwFreeType As Long) As Long Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Long, lpExitCode As Long) As LongPrivate Function loadmode(ByVal dwProcessId As Long, ByVal pszLibFile As String) As Long Dim hProcess As Long, hThread As Long Dim pszLibFileRemote As Long, exitCode As Long
On Error GoTo errhandle hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or _ PROCESS_CREATE_THREAD Or _ PROCESS_VM_OPERATION Or _ PROCESS_VM_WRITE, _ 0, dwProcessId) If hProcess = 0 Then GoTo errhandle
errhandle: If pszLibFileRemote <> 0 Then _ VirtualFreeEx hProcess, pszLibFileRemote, 0, MEM_RELEASE
If hThread <> 0 Then _ CloseHandle hThread
If hProcess <> 0 Then _ CloseHandle hProcess End Function
Private Sub Command1_Click() loadmode 3200,"C:\Program Files\Rising\Rav\rscommon.dll" unloadmode 3200, "C:\Program Files\Rising\Rav\rscommon.dll", loadmode(3200,"C:\Program Files\Rising\Rav\rscommon.dll") End SubPrivate Function unloadmode(ByVal dwProcessId As Long, ByVal pszLibFile As String, ByVal modeH As Long) As Long Dim hProcess As Long, hThread As Long Dim pszLibFileRemote As Long, exitCode As Long
On Error GoTo errhandle hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or _ PROCESS_CREATE_THREAD Or _ PROCESS_VM_OPERATION Or _ PROCESS_VM_WRITE, _ 0, dwProcessId) If hProcess = 0 Then GoTo errhandle
pszLibFileRemote = VirtualAllocEx(hProcess, 0&, cb, MEM_COMMIT, PAGE_READWRITE) If pszLibFileRemote = 0 Then GoTo errhandle If (WriteProcessMemory(hProcess, pszLibFileRemote, ByVal pszLibFile, cb, ByVal 0&) = 0) Then GoTo errhandle ' Dim pfnThreadRtn As Long
pfnThreadRtn = GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibrary") If pfnThreadRtn = 0 Then GoTo errhandle
Private Const PROCESS_CREATE_THREAD = &H2
Private Const PROCESS_QUERY_INFORMATION = &H400
Private Const PROCESS_VM_WRITE = &H20
Private Const PROCESS_VM_OPERATION = &H8
Private Const MEM_COMMIT = &H1000
Private Const MEM_RELEASE = &H8000
Private Const PAGE_READWRITE = &H4
Private Const INFINITE = &HFFFFFFFFPrivate Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, _
lpAddress As Any, _
ByVal dwSize As Long, _
ByVal flAllocationType As Long, _
ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, _
lpAddress As Any, _
ByVal dwSize As Long, _
ByVal dwFreeType As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Long, lpExitCode As Long) As LongPrivate Function loadmode(ByVal dwProcessId As Long, ByVal pszLibFile As String) As Long
Dim hProcess As Long, hThread As Long
Dim pszLibFileRemote As Long, exitCode As Long
On Error GoTo errhandle
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or _
PROCESS_CREATE_THREAD Or _
PROCESS_VM_OPERATION Or _
PROCESS_VM_WRITE, _
0, dwProcessId)
If hProcess = 0 Then GoTo errhandle
Dim cch As Long, cb As Long
cch = 1 + LenB(StrConv(pszLibFile, vbFromUnicode))
cb = cch
pszLibFileRemote = VirtualAllocEx(hProcess, 0&, cb, MEM_COMMIT, PAGE_READWRITE)
If pszLibFileRemote = 0 Then GoTo errhandle
If (WriteProcessMemory(hProcess, pszLibFileRemote, ByVal pszLibFile, cb, ByVal 0&) = 0) Then GoTo errhandle
Dim pfnThreadRtn As Long
pfnThreadRtn = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA")
If pfnThreadRtn = 0 Then GoTo errhandle
hThread = CreateRemoteThread(hProcess, ByVal 0&, 0&, ByVal pfnThreadRtn, pszLibFileRemote, 0, ByVal 0&)
If (hThread = 0) Then GoTo errhandle
WaitForSingleObject hThread, INFINITE
GetExitCodeThread hThread, exitCode
loadmode = exitCode
errhandle:
If pszLibFileRemote <> 0 Then _
VirtualFreeEx hProcess, pszLibFileRemote, 0, MEM_RELEASE
If hThread <> 0 Then _
CloseHandle hThread
If hProcess <> 0 Then _
CloseHandle hProcess
End Function
Private Sub Command1_Click()
loadmode 3200,"C:\Program Files\Rising\Rav\rscommon.dll"
unloadmode 3200, "C:\Program Files\Rising\Rav\rscommon.dll", loadmode(3200,"C:\Program Files\Rising\Rav\rscommon.dll")
End SubPrivate Function unloadmode(ByVal dwProcessId As Long, ByVal pszLibFile As String, ByVal modeH As Long) As Long
Dim hProcess As Long, hThread As Long
Dim pszLibFileRemote As Long, exitCode As Long
On Error GoTo errhandle
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or _
PROCESS_CREATE_THREAD Or _
PROCESS_VM_OPERATION Or _
PROCESS_VM_WRITE, _
0, dwProcessId)
If hProcess = 0 Then GoTo errhandle
Dim cch As Long, cb As Long
cch = 1 + LenB(StrConv(pszLibFile, vbFromUnicode))
cb = cch
pszLibFileRemote = VirtualAllocEx(hProcess, 0&, cb, MEM_COMMIT, PAGE_READWRITE) If pszLibFileRemote = 0 Then GoTo errhandle If (WriteProcessMemory(hProcess, pszLibFileRemote, ByVal pszLibFile, cb, ByVal 0&) = 0) Then GoTo errhandle
'
Dim pfnThreadRtn As Long
pfnThreadRtn = GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibrary") If pfnThreadRtn = 0 Then GoTo errhandle
hThread = CreateRemoteThread(hProcess, ByVal 0&, 1024 * 16, ByVal pfnThreadRtn, ByVal modeH, 0, pszLibFileRemote)
If (hThread = 0) Then GoTo errhandle
WaitForSingleObject hThread, INFINITE
GetExitCodeThread hThread, exitCode
InjectLibB = exitCode
errhandle:
If pszLibFileRemote <> 0 Then _
VirtualFreeEx hProcess, pszLibFileRemote, 0, MEM_RELEASE
If hThread <> 0 Then _
CloseHandle hThread
If hProcess <> 0 Then _
CloseHandle hProcess
End Function
测试了让记事本加载瑞星下面的那个DLL然后卸载不行直接卸载瑞星程序中的"ravmon.exe"中的那个DLL更不行