恩~才学会,毕竟是业余嘛,学来玩。
VB.NET 2008 写的代码,主要是前几天看人家写的VB6什么的代码,运行起来不错,可改成VB.NET 2008一写,直接坏事了,在XP系统D325的U上跑的都挺好,可放到VISTA系统TK55的本子上,VB6的还行,.NET的直接非法。针对这个,完整重写了一下代码。
简单介绍步骤:
1、通过ID获取进程句柄,并替它申请一块内存:
'获取对方进程
RemoteProcess = Process.GetProcessById(PID)
'为对方进程申请4KB内存
AllocBaseAddress = VirtualAllocEx(RemoteProcess.Handle, 0, MEM_SIZE, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
2、构建汇编代码,这里分两种情况
A、添加代码
'添加整型
Protected Sub AddInt2Code(ByVal Value As Integer)
Dim bytes() As Byte = BitConverter.GetBytes(CInt(Value)) '获取字节内容
Add2Memory(bytes, PtrAddressOffset) '写入参数堆栈
PtrAddressOffset += 4 '堆栈位置指针向后移动
End Sub
'添加字节型
Protected Sub AddByte2Code(ByVal Value As Byte)
Dim bytes(0) As Byte
bytes(0) = Value
Add2Memory(bytes, PtrAddressOffset)
PtrAddressOffset += 1
End Sub
'添加字节数组
Protected Sub AddBytes2Code(ByVal Value As Byte())
Add2Memory(Value, PtrAddressOffset)
PtrAddressOffset += Value.Length
End Sub
B、添加数据
Add2Memory(Value, ObjAddressOffset) '将数据写入“数据区”
Dim odata As New mData '记录每个数据(地址和长度)
odata.prt = ObjAddressOffset + AllocBaseAddress
odata.len = Value.Length
DataArraylist.Add(odata)
ObjAddressOffset += Value.Length '堆栈数据指针向后移动
ObjAddressOffset += ObjAddressOffset Mod 4 '四字节对齐
3、运行
'运行
Function Run() As Integer
Dim lngRet As Integer
Dim ThreadHwnd = CreateRemoteThread(RemoteProcess.Handle, 0, 0, AllocBaseAddress, 0, 0, 0)
WaitForSingleObject(ThreadHwnd, INFINITE)
GetExitCodeThread(ThreadHwnd, lngRet)
Return lngRet
End Function
4、回收内存
Protected Overrides Sub Finalize()
On Error Resume Next
VirtualFreeEx(RemoteProcess.Handle, AllocBaseAddress, MEM_AUTOFREE, MEM_RELEASE) '释放为对方申请的内存
MyBase.Finalize()
End Sub
完毕~!~
完整代码如下:
Imports System.Runtime.InteropServices
''' <summary>
''' 用于远线程运行ASM代码
''' 远线程被限制在4KB空间内:
''' 前512字节被用于代码,后面的用于数据
''' </summary>
''' <remarks></remarks>
Public Class RunRemoteASMCode
'自定义常数
Private Const MEM_SIZE As Integer = &H1000 '申请内存大小
Private Const MEM_AUTOFREE As Integer = &H0 '释放内存时系统自动判别大小
Private Const INFINITE As Integer = -1 '等待时间
'默认常数
Private Const MEM_COMMIT As Integer = &H1000
Private Const MEM_RESERVE As Integer = &H2000
Private Const MEM_RELEASE As Integer = &H8000
Private Const PAGE_EXECUTE_READWRITE As Integer = &H40
Protected AllocBaseAddress As Integer '申请内存的基地址
Protected ThreadHwnd As Integer '远线程句柄
Protected RemoteProcess As Process '对方进程
Protected PtrAddressOffset As Integer '代码基地址
Protected ObjAddressOffset As Integer '数据基地址
Protected DataArraylist As New ArrayList
Sub New(ByVal PID As Integer)
Try
'获取对方进程
RemoteProcess = Process.GetProcessById(PID)
'为对方进程申请4KB内存
AllocBaseAddress = VirtualAllocEx(RemoteProcess.Handle, 0, MEM_SIZE, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
'初始化参数堆栈指针
ClearCodeAndData()
Catch ex As Exception
Throw New Exception("RunRemoteASMCode类初始化错误", ex)
End Try
End Sub
'将数据添加到申请的内存
Protected Sub Add2Memory(ByVal Value() As Byte, ByVal AddressOffset As Integer)
WriteProcessMemory(RemoteProcess.Handle, AllocBaseAddress + AddressOffset, Value, Value.Length, 0)
End Sub
'添加数据
Protected Function AddData(ByVal Value() As Byte) As Integer
If ObjAddressOffset + Value.Length > MEM_SIZE Then
'MsgBox("数据超出所申请内存区域,无法继续")
Return -1
Else
Dim ret As Integer = ObjAddressOffset
Add2Memory(Value, ObjAddressOffset) '将数据写入“数据区”
Dim odata As New mData '记录每个数据(地址和长度)
odata.prt = ObjAddressOffset + AllocBaseAddress
odata.len = Value.Length
DataArraylist.Add(odata)
ObjAddressOffset += Value.Length '堆栈数据指针向后移动
ObjAddressOffset += ObjAddressOffset Mod 4 '四字节对齐
Return ret
End If
End Function
'添加整型
Protected Sub AddInt2Code(ByVal Value As Integer)
Dim bytes() As Byte = BitConverter.GetBytes(CInt(Value)) '获取字节内容
Add2Memory(bytes, PtrAddressOffset) '写入参数堆栈
PtrAddressOffset += 4 '堆栈位置指针向后移动
End Sub
'添加字节型
Protected Sub AddByte2Code(ByVal Value As Byte)
Dim bytes(0) As Byte
bytes(0) = Value
Add2Memory(bytes, PtrAddressOffset)
PtrAddressOffset += 1
End Sub
'添加字节数组
Protected Sub AddBytes2Code(ByVal Value As Byte())
Add2Memory(Value, PtrAddressOffset)
PtrAddressOffset += Value.Length
End Sub
'运行
Function Run() As Integer
Dim lngRet As Integer
Dim ThreadHwnd = CreateRemoteThread(RemoteProcess.Handle, 0, 0, AllocBaseAddress, 0, 0, 0)
WaitForSingleObject(ThreadHwnd, INFINITE)
GetExitCodeThread(ThreadHwnd, lngRet)
Return lngRet
End Function
'清除代码和数据(实际上没有真正清除,只是重置了指针;数据段信息记录表确实清除了)
Public Sub ClearCodeAndData()
PtrAddressOffset = 0 '初始化参数堆栈为所申请内存基地址
ObjAddressOffset = 512 '从基地址向后偏移512字节供数据使用
DataArraylist.Clear()
End Sub
Protected Overrides Sub Finalize()
On Error Resume Next
VirtualFreeEx(RemoteProcess.Handle, AllocBaseAddress, MEM_AUTOFREE, MEM_RELEASE) '释放为对方申请的内存
MyBase.Finalize()
End Sub
'用以记录数据段信息
Protected Class mData
Public prt As Integer '地址
Public len As Integer '长度
End Class
End Class
这样就可以运行了。。。。没想出来啥例子来,汇编本来就学得不咋地……而且写这个主要是为了注入……
哦也~先到这里。把一个小测试的结果贴来~倒霉的还是记事本~~~
恩~~~窗体的是这样搞的
Dim api As RunRemoteAPI
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
Try
api = New RunRemoteAPI(CInt(TextBox1.Text))
'Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
TextBox3.Text = Hex(api.CallRemoteAPIByName("kernel32", "LoadLibraryA", New mFuncParam(System.Text.ASCIIEncoding.ASCII.GetBytes("c:\test.dll"))))
TextBox2.Text = Hex(api.BaseAddress)
'枚举对方进程模块列表
For Each m As ProcessModule In Process.GetProcessById(api.RotateProcess.Id).Modules
ListBox1.Items.Add(m.FileName)
Next
'Private Declare Function FreeLibrary Lib "kernel32" Alias "FreeLibrary" (ByVal hLibModule As Long) As Long
api.CallRemoteAPIByName("kernel32", "FreeLibrary", New mFuncParam(CInt("&H" & TextBox3.Text)))
'枚举对方进程模块列表
For Each m As ProcessModule In Process.GetProcessById(api.RotateProcess.Id).Modules
ListBox2.Items.Add(m.FileName)
Next
'Private Declare Function GetWindowText Lib "user32" Alias "GetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String, ByVal cch As Long) As Long
Dim s(255) As Byte
api.CallRemoteAPIByName("user32", "GetWindowTextW", New mFuncParam(CInt(Me.Handle)), _
New mFuncParam(s), _
New mFuncParam(s.Length))
Button1.Text = System.Text.Encoding.Unicode.GetString(api.RemoteBytesFromIndex(1))
Catch ex As Exception
MsgBox(ex.ToString)
End Try
End Sub
就是在上面的基础上弄了一个这:
Public Class RunRemoteAPI : Inherits RunRemoteASMCode
基本还是可用的。。。还有一些不足,需要改进的,还没弄好。。。