标题: [转载] 也谈VB远线程注入 Dll注入 [打印本页]

---

作者: chinanic    时间: 2007-4-10 02:33     标题: 也谈VB远线程注入 Dll注入

前段时间在网上搜远线程代码，全是VC和Delphi的，看了很多帖子都说VB做不了。真的这样吗？
不，仔细研究了网上流传的VC版的dll注入代码后，先用VC做了个，然后翻译成VB的，中间经过不少曲折（我太菜，高手别笑我啊），现将经验写出来，供和我一样的新手参考，如有不对之处还望高手指出。
首先我们要写一个dll供注入，目标程序就选“记事本”好了(notepad.exe)
因为没有装CompileController之类插件的VB环境只能写ActiveX Dll，所以dll就用vc写一个，其实是从网上抄来的啦，嘿嘿，代码如下：

1. test.cpp：
   
2. #include “stdafx.h“
   
3. #include “test.h“
   
4. #include
   
5. 
   
6. BOOL APIENTRY DllMain(HANDLE hModule, DWORD reason, LPVOID lpReserved)
   
7. {
   
8. char szProcessId[64] ；
   
9. switch ( reason )
   
10. {
    
11. case DLL_PROCESS_ATTACH：
    
12. {
    
13. _itoa ( GetCurrentProcessId(), szProcessId, 10 )；
    
14. MessageBox ( NULL, szProcessId, “RemoteDLL“, MB_OK )；
    
15. }
    
16. default：
    
17. return TRUE；
    
18. }
    
19. }

复制代码

//用向导新建的一个简单dll，添加以上代码，作用是在dll注入以后报出自己的“门牌号”便于验证
然后编译，把test.dll放到C：下面

打开vb6新建一个标准exe
添加一个标准模块,添加以下代码：

1. Option Explicit
   
2. 
   
3. Public Const PROCESS_VM_READ = &H10
   
4. Public Const TH32CS_SNAPPROCESS = &H2
   
5. Public Const MEM_COMMIT = 4096
   
6. Public Const PAGE_READWRITE = 4
   
7. Public Const PROCESS_CREATE_THREAD = (&H2)
   
8. Public Const PROCESS_VM_OPERATION = (&H8)
   
9. Public Const PROCESS_VM_WRITE = (&H20)
   
10. 
    
11. ’Public Declare Function ReadProcessMemory Lib “kernel32“ (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As String, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
    
12. ’Public Declare Function GetLastError Lib “kernel32“ () As Long
    
13. Public Declare Function VirtualAllocEx Lib “kernel32“ (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    
14. Public Declare Function WriteProcessMemory Lib “kernel32“ (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As String, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
    
15. Public Declare Function GetProcAddress Lib “kernel32“ (ByVal hModule As Long, ByVal lpProcName As String) As Long
    
16. Public Declare Function GetModuleHandle Lib “kernel32“ Alias “GetModuleHandleA“ (ByVal lpModuleName As String) As Long
    
17. Public Declare Function Process32First Lib “kernel32“ (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Long
    
18. Public Declare Function CreateToolhelp32Snapshot Lib “kernel32“ (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
    
19. Public Declare Function CreateRemoteThread Lib “kernel32“ (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
    
20. Public Declare Function OpenProcess Lib “kernel32“ (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
    
21. Public Declare Function Process32Next Lib “kernel32“ (ByVal hSapshot As Long, lppe As PROCESSENTRY32) As Long
    
22. Public Declare Function CloseHandle Lib “kernel32“ (ByVal hObject As Long) As Long
    
23. 
    
24. Public Type PROCESSENTRY32
    
25. dwSize As Long
    
26. cntUseage As Long
    
27. th32ProcessID As Long
    
28. th32DefaultHeapID As Long
    
29. th32ModuleID As Long
    
30. cntThreads As Long
    
31. th32ParentProcessID As Long
    
32. pcPriClassBase As Long
    
33. swFlags As Long
    
34. szExeFile As String * 1024
    
35. End Type
    
36. 双击Form1窗体，把代码改成下面的样子：
    
37. Option Explicit
    
38. 
    
39. Public Sub EnumAndInject()
    
40. 
    
41. Dim MySnapHandle As Long
    
42. Dim ProcessInfo As PROCESSENTRY32
    
43. Dim MyRemoteProcessId As Long
    
44. Dim MyDllFileLength As Long
    
45. Dim MyDllFileBuffer As Long
    
46. Dim MyReturn As Long
    
47. Dim MyStartAddr As Long
    
48. Dim MyResult As Long
    
49. Dim temp As Long
    
50. Dim DllFileName As String
    
51. 
    
52. MySnapHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    
53. ProcessInfo.dwSize = Len(ProcessInfo)
    
54. 
    
55. 
    
56. If Process32First(MySnapHandle, ProcessInfo) <> 0 Then
    
57. Do
    
58. If InStr(ProcessInfo.szExeFile, “notepad.exe“) > 0 Then
    
59. ’遍历进程,查找notepad.exe
    
60. MyRemoteProcessId = OpenProcess(PROCESS_CREATE_THREAD + PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_VM_READ, False, ProcessInfo.th32ProcessID)
    
61. ’打开进程获得notepad的句柄供后面的操作使用
    
62. DllFileName = “c：\test.dll“
    
63. MyDllFileLength = Len(DllFileName)+1
    
64. ’学过C语言的朋友应该知道字符串最后要一个ASCII 0标志结尾，所以要加1
    
65. 
    
66. MyDllFileBuffer = VirtualAllocEx(MyRemoteProcessId, 0, MyDllFileLength, MEM_COMMIT, PAGE_READWRITE)
    
67. ’在指定进程里申请一块内存区域出来供我们存放字符串“c：\test.dll“
    
68. ’传string给api时，byval byref有区别，应该使用byval，这样会传给api一个标准的C字符指针，不能byref，否则函数调用没问题
    
69. ’但是起不到预期效果,VirtualAllocEx返回的是申请到的内存地址值.
    
70. 
    
71. MyReturn = WriteProcessMemory(MyRemoteProcessId, MyDllFileBuffer, DllFileName, MyDllFileLength, temp)
    
72. ’向刚才申请的内存中写入dll文件路径字符串
    
73. ’顺便说一下，很多api浏览器上的api声明都是错的，包括VB6自带的也不例外，writeprocessmemory第二个参数要的是
    
74. ’lpBaseAddress 但是这个值不能传址得到,如果你按byref传址,实际上传的是MyDllFileBuffer变量的地址,而不是它里面存放的那个数字
    
75. ’上面说了MyDllFileBuffer的数值才是WriteProcessMemory要的地址,所以声明API的时候一定要byval,大家知道空着不写就是默认byref
    
76. ’下面还有几处不该传址的参数,只要搞清楚API函数要的到底是什么值才可以确定到底传值还是传址,API浏览器仅能供参考,还是要仔细阅读MSDN
    
77. MyStartAddr = GetProcAddress(GetModuleHandle(“Kernel32“), “LoadLibraryA“)
    
78. ’获取loadlibrary函数的地址,这个函数可以载入指定的dll文件,那他的参数呢?就是我们刚才在notepad.exe进程里写入的“c：\test.dll“
    
79. ’不过还得让CreateRemoteThread告诉他.另外简单的说一下windows下应用程序的内存管理,我也不很懂,呵呵,win32下的应用程序
    
80. ’的内存区域是隔开的,每个程序有自己的一块内存不能直接访问别的程序的内存区,当然,这里调用的几个系统函数有访问别的程序内存区域的特权
    
81. ’而且每个应用程序的内存区域都映射到系统内存区域里,也就是说在这里GetProcAddress得到的VB程序里LoadLibraryA函数的入口地址和
    
82. ’notepad程序里的LoadLibraryA函数地址是一致的(映射的作用),所以不必担心.另外在VB写的程序里
    
83. ’要使用LoadLibraryA,notepad不是用vc写的吗?要注意根notepad没关系,我们现在是在自己的VB程序里面找LoadLibraryA函数的入口.
    
84. ’还有要注意函数大小写，api函数和vb不一样的。
    
85. MyResult = CreateRemoteThread(MyRemoteProcessId, 0, 0, MyStartAddr, MyDllFileBuffer, 0, temp)
    
86. ’好了,现在该让LoadLibrary载入“c：\test.dll“吧，现在CreateRemoteThread做的就是在notepad进程中把控制权转到LoadLibraryA的入口
    
87. ’然后把notepad内存区域中的“c：\test.dll“字符串当作参数传给LoadLibraryA。现在我们的dll文件就在notepad程序中运行了
    
88. ’dll被注入notepad.exe以后会主动弹出对话框显示出notepad.exe的进程ID,表明注入成功.
    
89. 
    
90. End If
    
91. 
    
92. Loop While Process32Next(MySnapHandle, ProcessInfo) <> 0
    
93. End If
    
94. 
    
95. 
    
96. CloseHandle MySnapHandle
    
97. 
    
98. End Sub
    
99. 
    
100. Private Sub Form_Load()
     
101. EnumAndInject
     
102. End Sub

复制代码

以上调用的API详细参数请参考MSDN,没它寸步难行,寒~~

---

欢迎光临 黑色海岸线论坛 (http://bbs.thysea.com/)

Powered by Discuz! 7.2