这几句话谁会写? '默认HOOK的是MessageBoxA函数,所以我们用 MessageBoxW 给我们弹出消息 '这里没有写还原函数,其实这个都很好解决,我们在用 WriteProcessMemory写入HOOK代码时可以还通过 'ReadProcessMemory读取原始代码,当需要恢复时再通过 WriteProcessMemory写回去就OK了.. BAS1.BASOption ExplicitPrivate Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long) Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long '上面这些是我们自己用到的,因为我们已经引用了类型库,所以默认声明为 Private 方式, '这样做的好处是不影响 modHOOK 模块中的相同API使用Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long Public Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long Public Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Long, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long Public Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As LongPublic Const MEM_RELEASE = &H8000 Public Const MEM_COMMIT = &H1000 Public Const MEM_RESERVE = &H2000 Public Const MEM_DECOMMIT = &H4000 Public Const PAGE_EXECUTE_READWRITE = &H40Public Const SYNCHRONIZE = &H100000 Public Const STANDARD_RIGHTS_REQUIRED = &HF0000 Public Const PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)Public Const INFINITE = &HFFFFFFFFPublic Type IMAGE_DOS_HEADER e_magic As Integer e_cblp As Integer e_cp As Integer e_crlc As Integer e_cparhdr As Integer e_minalloc As Integer e_maxalloc As Integer e_ss As Integer e_sp As Integer e_csum As Integer e_ip As Integer e_cs As Integer e_lfarlc As Integer e_ovno As Integer e_res(3) As Integer e_oemid As Integer e_oeminfo As Integer e_res2(9) As Integer e_lfanew As Long End TypePublic Type IMAGE_FILE_HEADER Machine As Integer NumberOfSections As Integer TimeDateStamp As Long PointerToSymbolTable As Long NumberOfSymbols As Long SizeOfOptionalHeader As Integer Characteristics As Integer End Type
Public Type IMAGE_DATA_DIRECTORY VirtualAddress As Long Size As Long End Type
Public Type IMAGE_OPTIONAL_HEADER Magic As Integer MajorLinkerVersion As Byte MinorLinkerVersion As Byte SizeOfCode As Long SizeOfInitializedData As Long SizeOfUninitializedData As Long AddressOfEntryPoint As Long BaseOfCode As Long BaseOfData As Long ImageBase As Long SectionAlignment As Long FileAlignment As Long MajorOperatingSystemVersion As Integer MinorOperatingSystemVersion As Integer MajorImageVersion As Integer MinorImageVersion As Integer MajorSubsystemVersion As Integer MinorSubsystemVersion As Integer Win32VersionValue As Long SizeOfImage As Long SizeOfHeaders As Long CheckSum As Long Subsystem As Integer DllCharacteristics As Integer SizeOfStackReserve As Long SizeOfStackCommit As Long SizeOfHeapReserve As Long SizeOfHeapCommit As Long LoaderFlags As Long NumberOfRvaAndSizes As Long DataDirectory(15) As IMAGE_DATA_DIRECTORY End Type
Public Type IMAGE_NT_HEADERS Signature As Long FileHeader As IMAGE_FILE_HEADER OptionalHeader As IMAGE_OPTIONAL_HEADER End Type Public Sub Main() Dim Pid As Long Dim sBuf As String
sBuf = InputBox("PID", , 0) Pid = CLng(sBuf)
If InjectMsvbvm6_dll(Pid) Then MsgBox "插入运行库OK" End If
If InjectExe(Pid) Then MsgBox "已插入代码" End IfEnd Sub'/////////////////////////////////////////////////////// '/// '///说明: 插入运行库代码 '///参数: Pid=进程PID '///返回: 成功True,否则False '/// '/////////////////////////////////////////////////////// Public Function InjectMsvbvm6_dll(ByVal Pid As Long) As Boolean Dim hProcess As Long, hThread As Long Dim szDllPath As String Dim cbDllPath As Long Dim pBaseAddr As Long Dim pFuncAddr As Long Dim hMod As Long
Err: If pBaseAddr <> 0 Then VirtualFreeEx hProcess, ByVal pBaseAddr, 0, MEM_RELEASE If hProcess <> 0 Then CloseHandle hProcess End Function '/////////////////////////////////////////////////////// '/// '///说明: 插入代码 '///参数: Pid=进程PID '///返回: 成功True,否则False '/// '/////////////////////////////////////////////////////// Public Function InjectExe(ByVal Pid As Long) As Boolean Dim hMod As Long Dim stIDH As IMAGE_DOS_HEADER Dim stINH As IMAGE_NT_HEADERS Dim cbImage As Long Dim hProcess As Long, hThread As Long Dim pBaseAddr As Long Dim pFuncAddr As Long
InjectExe = True Err: 'If pBaseAddr <> 0 Then VirtualFreeEx hProcess, ByVal pBaseAddr, 0, MEM_RELEASE If hProcess <> 0 Then CloseHandle hProcess
End FunctionPrivate Function Init() As Long Dim pFuncAddr As Long pFuncAddr = GetFuncAddr(AddressOf NewMessageBox)
'保存该地址,一会要注入进去的 CopyMemory NewAddr(1), pFuncAddr, 4 End FunctionPrivate Function GetFuncAddr(ByVal func As Long) As Long GetFuncAddr = func End FunctionBAS2.BASPublic NewAddr(7) As BytePublic Function Hook(ByVal pFAddr As Long) As Long Dim hMod As Long Dim pBaseAddr As Long
'这一步写进去以后基本上就成功OK了.. WriteProcessMemory GetCurrentProcess, ByVal pBaseAddr, NewAddr(0), 8, 0 End FunctionPublic Function NewMessageBox(ByVal hWnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long '默认HOOK的是MessageBoxA函数,所以我们用 MessageBoxW 给我们弹出消息 '这里没有写还原函数,其实这个都很好解决,我们在用 WriteProcessMemory写入HOOK代码时可以还通过 'ReadProcessMemory读取原始代码,当需要恢复时再通过 WriteProcessMemory写回去就OK了..
MessageBoxW 0, "哈哈...被我们给HOOK了", "嘿嘿~~啦啦啦..", 16 NewMessageBox = 1 End Function
'这里没有写还原函数,其实这个都很好解决,我们在用 WriteProcessMemory写入HOOK代码时可以还通过
'ReadProcessMemory读取原始代码,当需要恢复时再通过 WriteProcessMemory写回去就OK了..
BAS1.BASOption ExplicitPrivate Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
'上面这些是我们自己用到的,因为我们已经引用了类型库,所以默认声明为 Private 方式,
'这样做的好处是不影响 modHOOK 模块中的相同API使用Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Public Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Public Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Long, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Public Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As LongPublic Const MEM_RELEASE = &H8000
Public Const MEM_COMMIT = &H1000
Public Const MEM_RESERVE = &H2000
Public Const MEM_DECOMMIT = &H4000
Public Const PAGE_EXECUTE_READWRITE = &H40Public Const SYNCHRONIZE = &H100000
Public Const STANDARD_RIGHTS_REQUIRED = &HF0000
Public Const PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)Public Const INFINITE = &HFFFFFFFFPublic Type IMAGE_DOS_HEADER
e_magic As Integer
e_cblp As Integer
e_cp As Integer
e_crlc As Integer
e_cparhdr As Integer
e_minalloc As Integer
e_maxalloc As Integer
e_ss As Integer
e_sp As Integer
e_csum As Integer
e_ip As Integer
e_cs As Integer
e_lfarlc As Integer
e_ovno As Integer
e_res(3) As Integer
e_oemid As Integer
e_oeminfo As Integer
e_res2(9) As Integer
e_lfanew As Long
End TypePublic Type IMAGE_FILE_HEADER
Machine As Integer
NumberOfSections As Integer
TimeDateStamp As Long
PointerToSymbolTable As Long
NumberOfSymbols As Long
SizeOfOptionalHeader As Integer
Characteristics As Integer
End Type
Public Type IMAGE_DATA_DIRECTORY
VirtualAddress As Long
Size As Long
End Type
Public Type IMAGE_OPTIONAL_HEADER
Magic As Integer
MajorLinkerVersion As Byte
MinorLinkerVersion As Byte
SizeOfCode As Long
SizeOfInitializedData As Long
SizeOfUninitializedData As Long
AddressOfEntryPoint As Long
BaseOfCode As Long
BaseOfData As Long
ImageBase As Long
SectionAlignment As Long
FileAlignment As Long
MajorOperatingSystemVersion As Integer
MinorOperatingSystemVersion As Integer
MajorImageVersion As Integer
MinorImageVersion As Integer
MajorSubsystemVersion As Integer
MinorSubsystemVersion As Integer
Win32VersionValue As Long
SizeOfImage As Long
SizeOfHeaders As Long
CheckSum As Long
Subsystem As Integer
DllCharacteristics As Integer
SizeOfStackReserve As Long
SizeOfStackCommit As Long
SizeOfHeapReserve As Long
SizeOfHeapCommit As Long
LoaderFlags As Long
NumberOfRvaAndSizes As Long
DataDirectory(15) As IMAGE_DATA_DIRECTORY
End Type
Public Type IMAGE_NT_HEADERS
Signature As Long
FileHeader As IMAGE_FILE_HEADER
OptionalHeader As IMAGE_OPTIONAL_HEADER
End Type
Public Sub Main()
Dim Pid As Long
Dim sBuf As String
sBuf = InputBox("PID", , 0)
Pid = CLng(sBuf)
If InjectMsvbvm6_dll(Pid) Then
MsgBox "插入运行库OK"
End If
If InjectExe(Pid) Then
MsgBox "已插入代码"
End IfEnd Sub'///////////////////////////////////////////////////////
'///
'///说明: 插入运行库代码
'///参数: Pid=进程PID
'///返回: 成功True,否则False
'///
'///////////////////////////////////////////////////////
Public Function InjectMsvbvm6_dll(ByVal Pid As Long) As Boolean
Dim hProcess As Long, hThread As Long
Dim szDllPath As String
Dim cbDllPath As Long
Dim pBaseAddr As Long
Dim pFuncAddr As Long
Dim hMod As Long
InjectMsvbvm6_dll = False
hMod = GetModuleHandle("kernel32.dll")
pFuncAddr = GetProcAddress(hMod, "LoadLibraryA")
hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, Pid)
If hProcess = 0 Then GoTo Err
szDllPath = "c:\windows\system32\msvbvm60.dll"
cbDllPath = Len(szDllPath) * 2 + 1
pBaseAddr = VirtualAllocEx(hProcess, ByVal 0&, cbDllPath, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
If pBaseAddr = 0 Then GoTo Err
If WriteProcessMemory(hProcess, ByVal pBaseAddr, ByVal szDllPath, cbDllPath, 0) = 0 Then GoTo Err
hThread = CreateRemoteThread(hProcess, ByVal 0&, 0, ByVal pFuncAddr, ByVal pBaseAddr, 0, 0)
If hThread = 0 Then GoTo Err
WaitForSingleObject hThread, INFINITE
CloseHandle hThread
InjectMsvbvm6_dll = True
Err:
If pBaseAddr <> 0 Then VirtualFreeEx hProcess, ByVal pBaseAddr, 0, MEM_RELEASE
If hProcess <> 0 Then CloseHandle hProcess
End Function
'///////////////////////////////////////////////////////
'///
'///说明: 插入代码
'///参数: Pid=进程PID
'///返回: 成功True,否则False
'///
'///////////////////////////////////////////////////////
Public Function InjectExe(ByVal Pid As Long) As Boolean
Dim hMod As Long
Dim stIDH As IMAGE_DOS_HEADER
Dim stINH As IMAGE_NT_HEADERS
Dim cbImage As Long
Dim hProcess As Long, hThread As Long
Dim pBaseAddr As Long
Dim pFuncAddr As Long
InjectExe = False
hMod = GetModuleHandle(vbNullString)
'得到相应的偏移值结构
CopyMemory stIDH, ByVal hMod, Len(stIDH)
CopyMemory stINH, ByVal (hMod + stIDH.e_lfanew), Len(stINH)
cbImage = stINH.OptionalHeader.SizeOfImage
If cbImage = 0 Then GoTo Err
hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, Pid)
If hProcess = 0 Then GoTo Err
VirtualFreeEx hProcess, hMod, 0, MEM_RELEASE
pBaseAddr = VirtualAllocEx(hProcess, ByVal hMod, cbImage, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
If pBaseAddr = 0 Then GoTo Err
If WriteProcessMemory(hProcess, ByVal pBaseAddr, ByVal hMod, cbImage, 0) = 0 Then GoTo Err
'现在处理该是处理我们自己的函数地址的时候了,至于为什么会先在这里把函数地址计算好,具
'体可以看 modHook 中的说明
'
Dim pFAddr As Long
Init '先初始以便获取函数地址
pFAddr = VirtualAllocEx(hProcess, ByVal 0&, 4, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
If pFAddr = 0 Then GoTo Err
'然后把咱们的地址传进去
If WriteProcessMemory(hProcess, ByVal pFAddr, NewAddr(1), 4, 0) = 0 Then GoTo Err
pFuncAddr = GetFuncAddr(AddressOf Hook)
hThread = CreateRemoteThread(hProcess, ByVal 0&, 0, ByVal pFuncAddr, ByVal pFAddr, 0, 0)
If hThread = 0 Then GoTo Err
WaitForSingleObject hThread, INFINITE
CloseHandle hThread
InjectExe = True
Err: 'If pBaseAddr <> 0 Then VirtualFreeEx hProcess, ByVal pBaseAddr, 0, MEM_RELEASE
If hProcess <> 0 Then CloseHandle hProcess
End FunctionPrivate Function Init() As Long
Dim pFuncAddr As Long pFuncAddr = GetFuncAddr(AddressOf NewMessageBox)
'保存该地址,一会要注入进去的
CopyMemory NewAddr(1), pFuncAddr, 4
End FunctionPrivate Function GetFuncAddr(ByVal func As Long) As Long
GetFuncAddr = func
End FunctionBAS2.BASPublic NewAddr(7) As BytePublic Function Hook(ByVal pFAddr As Long) As Long
Dim hMod As Long
Dim pBaseAddr As Long
hMod = GetModuleHandle("user32.dll")
pBaseAddr = GetProcAddress(hMod, "MessageBoxA")
'该步骤下普遍会崩溃...我实现是米得办法啊..用OD跟踪发现读取内存有误,唉..VB就是VB..没办法
'这里有点让我抓狂,曾想过用硬编码的方式...汗!~~ 我实在是米有办法啊!!~~~
'Dim pFuncAddr As Long
' pFuncAddr = GetFuncAddr(AddressOf NewMessageBox)
' CopyMemory NewAddr(1), pFuncAddr, 4
'以下部分为机器码生成
'机器码意思为:
'
'mov eax, 我们的地址
'jmp eax
'
NewAddr(0) = &HB8
NewAddr(5) = &HFF
NewAddr(6) = &HE0
NewAddr(7) = &H0
'最后我想到一个折中的办法,就是先让注入程序帮我们把地址算好,然后我们直接调用即可.
ReadProcessMemory GetCurrentProcess, ByVal pFAddr, NewAddr(1), 4, 0
MessageBox 0, "被我给HOOK了...", "已HOOK", 32
'这一步写进去以后基本上就成功OK了..
WriteProcessMemory GetCurrentProcess, ByVal pBaseAddr, NewAddr(0), 8, 0
End FunctionPublic Function NewMessageBox(ByVal hWnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long '默认HOOK的是MessageBoxA函数,所以我们用 MessageBoxW 给我们弹出消息
'这里没有写还原函数,其实这个都很好解决,我们在用 WriteProcessMemory写入HOOK代码时可以还通过
'ReadProcessMemory读取原始代码,当需要恢复时再通过 WriteProcessMemory写回去就OK了..
MessageBoxW 0, "哈哈...被我们给HOOK了", "嘿嘿~~啦啦啦..", 16 NewMessageBox = 1
End Function