33,311
社区成员
发帖
与我相关
我的任务
分享熟悉VB语言和C语言的进,重金酬谢
有一段VB的代码
http://www.0ginr.com/bbs/redirect.php?tid=847&goto=lastpost
看不懂VB的代码,有熟悉的帮忙改写成C或者C++的吧,谢谢
http://www.0ginr.com/bbs/redirect.php?tid=847&goto=lastpost
看不懂VB的代码,有熟悉的帮忙改写成C或者C++的吧,谢谢
...全文
请发表友善的回复…
发表回复
supercow 2009-07-30
- 打赏
- 举报
typedef struct {
long hHook;
short iHookType;
long pEThread;
long offPfn;
} MsgHookInfo ;
此处翻译略有错 整个程序中没有使用short类型的 均为LONG
nipcdll 2008-02-21
- 打赏
- 举报
DumpKernelMemory
在驱动下实现比较方便
在驱动下实现比较方便
nipcdll 2008-02-21
- 打赏
- 举报
感谢热心的akirya
Treazy 2008-02-21
- 打赏
- 举报
坏,你可真是闲人
我佩服!
我佩服!
珍惜生命远离CPP 2008-02-21
- 打赏
- 举报
那两个是小事情,会动态加载dll能补上去
DumpKernelMemory这个没实现
DumpKernelMemory这个没实现
边城狂人 2008-02-21
- 打赏
- 举报
老兄,强人啊,不过你只申明了NtReadVirtualMemory和NtWriteVirtualMemory两个函数指针,没有从NTDLL.DLL载入这两个函数,还是不能运行的嘛。
珍惜生命远离CPP 2008-02-20
- 打赏
- 举报
翻译了一下,我发现我真闲.
#include<windows.h>
#include<tchar.h>
long (__stdcall *NtReadVirtualMemory)(long ProcessHandle,long BaseAddress,void* pBuffer,long NumberOfBytesToRead,long*NumberOfBytesReaded)=0;
long (__stdcall *NtWriteVirtualMemory)(long ProcessHandle,long BaseAddress,void* pBuffer,long NumberOfBytesToWrite,long*NumberOfBytesWritten)=0;
const unsigned long NtGetCurrentProcess = 0xffffffff;
typedef struct{
long psi;// As Long 'tagSERVERINFO
long aheList;// As Long '_HANDLEENTRY - handle table pointer
long pDispInfo;// As Long 'global displayinfo
long ulSharedDelta;// As Long 'delta between client and kernel mapping of ...
}SHAREDINFO;
typedef struct{
long phead ;//pointer to the real object
long pOwner ;//pointer to owning entity (pti or ppi)
BYTE bType ;//type of object
BYTE bFlags ;//flags - like destroy flag
short wUniq ;//uniqueness count
}HANDLEENTRY;
typedef struct { //si
short wRIPFlags; //As Integer 'RIPF_ flags
short wSRVIFlags; //As Integer 'SRVIF_ flags
short wRIPPID; //As Integer 'PID of process to apply RIP flags to (zero means all)
short wRIPError;// As Integer 'Error to break on (zero means all errors are treated equal)
long cHandleEntries;// As Long 'count of handle entries in array
}SERVERINFO;
enum HANDLE_TYPE{
TYPE_FREE = 0 ,//'must be zero!
TYPE_WINDOW = 1 ,//'in order of use for C code lookups
TYPE_MENU = 2,//
TYPE_CURSOR = 3,//
TYPE_SETWINDOWPOS = 4,//
TYPE_HOOK = 5,//
TYPE_CLIPDATA = 6 ,//'clipboard data
TYPE_CALLPROC = 7,//
TYPE_ACCELTABLE = 8,//
TYPE_DDEACCESS = 9,//
TYPE_DDECONV = 10,//
TYPE_DDEXACT = 11,// 'DDE transaction tracking info.
TYPE_MONITOR = 12,//
TYPE_KBDLAYOUT = 13,// 'Keyboard Layout handle (HKL) object.
TYPE_KBDFILE = 14,// 'Keyboard Layout file object.
TYPE_WINEVENTHOOK = 15,// 'WinEvent hook (EVENTHOOK)
TYPE_TIMER = 16,//
TYPE_INPUTCONTEXT = 17,// 'Input Context info structure
TYPE_CTYPES = 18,// 'Count of TYPEs; Must be LAST + 1
TYPE_GENERIC = 255// 'used for generic handle validation
};
typedef struct{
long hObject;
long cLockObj;
} HEAD;
typedef struct{
HEAD headinfo;
long pti; //PTHREADINFO
} THROBJHEAD ;
typedef struct{
long rpdesk; //PDESKTOP
long pSelf; //PBYTE
} DESKHEAD ;
typedef struct{
THROBJHEAD ThreadObjHead;
DESKHEAD DesktopHead;
} THRDESKHEAD;
typedef struct{ //hk
THRDESKHEAD tshead;
long phkNext;
short iHook; //// WH_xxx hook type
long offPfn;
short flags; //// HF_xxx flags
short ihmod;
long ptiHooked; ////PTHREADINFO - Thread hooked.
long rpdesk; //// Global hook pdesk. Only used when hook is locked and owner is destroyed
} HOOK ;
typedef struct{
long pEThread;
long RefCount;
long ptlW32;
long pgdiDcattr;
long pgdiBrushAttr;
long pUMPDObjs;
long pUMPDHeap;
long dwEngAcquireCount;
long pSemTable;
long pUMPDObj;
} W32THREAD ;
typedef struct {
long hHook;
short iHookType;
long pEThread;
long offPfn;
} MsgHookInfo ;
long pgSharedInfo=0;
void LocateSharedInfo();
short ReadMemoryToInt( long dwAddress);
long ReadMemoryToLong( long dwAddress);
BYTE ReadMemoryToByt( long dwAddress);
BOOL EnumMsgHook_Init();
MsgHookInfo* EnumMsgHook( long* num );
BOOL NT_SUCCESS( long Status )
{
return (Status >= 0);
}
int main(int argc, char* argv[])
{
return 0;
}
void LocateSharedInfo()
{
long pfnUserRegisterWowHandlers = (long)GetProcAddress(GetModuleHandle(_T("user32.dll")), "UserRegisterWowHandlers");
long I=0;
for( I = pfnUserRegisterWowHandlers ; I<pfnUserRegisterWowHandlers+0x1000;I++){
if( (ReadMemoryToInt(I)== 0x40C7 )&&
(ReadMemoryToInt(I + 1 * 7)== 0x40C7 )&&
(ReadMemoryToInt(I + 2 * 7)== 0x40C7 )&&
(ReadMemoryToInt(I + 3 * 7)== 0x40C7 )&&
(ReadMemoryToInt(I + 4 * 7)== 0x40C7 )&&
(ReadMemoryToInt(I + 5 * 7)== 0x40C7 ) ){
if( ReadMemoryToInt(I + 6*7 )== 0xB8 ){
pgSharedInfo = ReadMemoryToLong(I + 6 * 7 + 1);
}
}
}
}
short ReadMemoryToInt( long dwAddress)
{
short ret=0;
long nReadBytes=0;
long st = NtReadVirtualMemory(NtGetCurrentProcess,dwAddress,&ret,sizeof(ret), &nReadBytes );
return ret;
}
long ReadMemoryToLong( long dwAddress)
{
long ret=0;
long nReadBytes=0;
long st = NtReadVirtualMemory(NtGetCurrentProcess,dwAddress,&ret,sizeof(ret), &nReadBytes );
return ret;
}
BYTE ReadMemoryToByt( long dwAddress)
{
BYTE ret=0;
long nReadBytes=0;
long st = NtReadVirtualMemory(NtGetCurrentProcess,dwAddress,&ret,sizeof(ret), &nReadBytes );
return ret;
}
BOOL EnumMsgHook_Init()
{
LocateSharedInfo();
return (pgSharedInfo!=0);
}
MsgHookInfo* EnumMsgHook(long* num)
{
long hProcess = NtGetCurrentProcess;
SHAREDINFO gSharedInfo={0};
HANDLEENTRY* gHandleEntries=0;
SERVERINFO gsi={0};
MsgHookInfo* retArray=0;
long nReadBytes=0,I=0;
HOOK hHookInfo={0};
W32THREAD w32thd={0};
*num = 0;
if( !NT_SUCCESS(NtReadVirtualMemory(hProcess, pgSharedInfo, &gSharedInfo, sizeof(gSharedInfo), &nReadBytes)) )
goto ExitFunc__;
if( !NT_SUCCESS(NtReadVirtualMemory(hProcess, gSharedInfo.psi, &gsi, sizeof(gsi), &nReadBytes)) )
goto ExitFunc__;
gHandleEntries = malloc( sizeof(HANDLEENTRY)*gsi.cHandleEntries );
if( !NT_SUCCESS(
NtReadVirtualMemory(hProcess, gSharedInfo.aheList, gHandleEntries, sizeof(HANDLEENTRY)*gsi.cHandleEntries ,&nReadBytes)
) )
goto ExitFunc__;
for( I = 0 ; I < gsi.cHandleEntries ; I++){
if(gHandleEntries[I].bType == TYPE_HOOK ){
if( DumpKernelMemory(gHandleEntries[I].phead, sizeof(HOOK), &hHookInfo ) ){
*num = *num + 1;
retArray = realloc( retArray , *num );
retArray[ *num ].hHook = hHookInfo.tshead.ThreadObjHead.headinfo.hObject;
retArray[ *num ].iHookType = hHookInfo.iHook;
retArray[ *num ].offPfn = hHookInfo.offPfn ;
if( DumpKernelMemory(hHookInfo.tshead.ThreadObjHead.pti, sizeof(w32thd),&w32thd ) ){
retArray[ *num ].pEThread = w32thd.pEThread;
}
}
}
}
ExitFunc__:
return retArray;
}
星羽 2008-02-20
- 打赏
- 举报
这么长- -
leexuany 2008-02-20
- 打赏
- 举报
外挂
nipcdll 2008-02-20
- 打赏
- 举报
Public Function EnumMsgHook() As MsgHookInfo()
Dim hProcess As Long: hProcess = NtGetCurrentProcess '???
Dim gSharedInfo As SHAREDINFO
Dim gHandleEntries() As HANDLEENTRY
Dim gsi As SERVERINFO
Dim retArray() As MsgHookInfo
Dim st As Long
Dim nReadBytes As Long
Dim I As Long
Dim hHookInfo As HOOK
Dim tmpBytArray() As Byte
Dim w32thd As W32THREAD
ReDim retArray(0)
st = NtReadVirtualMemory(hProcess, pgSharedInfo, VarPtr(gSharedInfo), LenB(gSharedInfo), nReadBytes)
If (Not NT_SUCCESS(st)) Then GoTo ExitFunc__
st = NtReadVirtualMemory(hProcess, gSharedInfo.psi, VarPtr(gsi), LenB(gsi), nReadBytes)
If (Not NT_SUCCESS(st)) Then GoTo ExitFunc__
ReDim gHandleEntries(gsi.cHandleEntries - 1)
st = NtReadVirtualMemory(hProcess, gSharedInfo.aheList, VarPtr(gHandleEntries(LBound(gHandleEntries))), _
LenB(gHandleEntries(LBound(gHandleEntries))) * gsi.cHandleEntries, nReadBytes)
If (Not NT_SUCCESS(st)) Then GoTo ExitFunc__
For I = LBound(gHandleEntries) To UBound(gHandleEntries)
If (gHandleEntries(I).bType = TYPE_HOOK) Then
'generally, phead is in kernel memory, so we cannot read through NtReadVirtualMemory
ReDim tmpBytArray(LenB(hHookInfo) - 1)
If (DumpKernelMemory(gHandleEntries(I).phead, LenB(hHookInfo), tmpBytArray)) Then
If (CopyMemory(VarPtr(hHookInfo), VarPtr(tmpBytArray(LBound(tmpBytArray))), LenB(hHookInfo))) Then
With retArray(UBound(retArray))
.hHook = hHookInfo.tshead.ThreadObjHead.headinfo.hObject
.iHookType = hHookInfo.iHook
.offPfn = hHookInfo.offPfn
ReDim tmpBytArray(LenB(w32thd) - 1)
If (DumpKernelMemory(hHookInfo.tshead.ThreadObjHead.pti, LenB(w32thd), tmpBytArray)) Then
If (CopyMemory(VarPtr(w32thd), VarPtr(tmpBytArray(LBound(tmpBytArray))), LenB(w32thd))) Then
.pEThread = w32thd.pEThread
End If
End If
'Debug.Print String(30, "="); vbCrLf; _
' " hHook: "; Format(Hex(.hHook), "@@@@@@@@"); vbCrLf; _
' " offPfn: "; Format(Hex(.offPfn), "@@@@@@@@"); vbCrLf; _
' " iHook: "; .iHookType; vbCrLf; _
' " pEThread: "; Format(Hex(.pEThread), "@@@@@@@@"); vbCrLf
'======================================================================
End With
ReDim Preserve retArray(UBound(retArray) + 1)
End If
End If
End If
Next
ExitFunc__:
If (UBound(retArray) > 0) Then ReDim Preserve retArray(UBound(retArray) - 1)
EnumMsgHook = retArray
Erase retArray
Erase tmpBytArray
End Function
Public Function CopyMemory(ByVal pDst As Long, ByVal pSrc As Long, ByVal nLength As Long) As Boolean
Dim st As Long
st = NtWriteVirtualMemory(NtGetCurrentProcess, pDst, pSrc, nLength, ByVal 0)
CopyMemory = NT_SUCCESS(st)
End Function
Public Function NT_SUCCESS(ByVal Status As Long) As Boolean
NT_SUCCESS = (Status >= 0)
End Function
Dim hProcess As Long: hProcess = NtGetCurrentProcess '???
Dim gSharedInfo As SHAREDINFO
Dim gHandleEntries() As HANDLEENTRY
Dim gsi As SERVERINFO
Dim retArray() As MsgHookInfo
Dim st As Long
Dim nReadBytes As Long
Dim I As Long
Dim hHookInfo As HOOK
Dim tmpBytArray() As Byte
Dim w32thd As W32THREAD
ReDim retArray(0)
st = NtReadVirtualMemory(hProcess, pgSharedInfo, VarPtr(gSharedInfo), LenB(gSharedInfo), nReadBytes)
If (Not NT_SUCCESS(st)) Then GoTo ExitFunc__
st = NtReadVirtualMemory(hProcess, gSharedInfo.psi, VarPtr(gsi), LenB(gsi), nReadBytes)
If (Not NT_SUCCESS(st)) Then GoTo ExitFunc__
ReDim gHandleEntries(gsi.cHandleEntries - 1)
st = NtReadVirtualMemory(hProcess, gSharedInfo.aheList, VarPtr(gHandleEntries(LBound(gHandleEntries))), _
LenB(gHandleEntries(LBound(gHandleEntries))) * gsi.cHandleEntries, nReadBytes)
If (Not NT_SUCCESS(st)) Then GoTo ExitFunc__
For I = LBound(gHandleEntries) To UBound(gHandleEntries)
If (gHandleEntries(I).bType = TYPE_HOOK) Then
'generally, phead is in kernel memory, so we cannot read through NtReadVirtualMemory
ReDim tmpBytArray(LenB(hHookInfo) - 1)
If (DumpKernelMemory(gHandleEntries(I).phead, LenB(hHookInfo), tmpBytArray)) Then
If (CopyMemory(VarPtr(hHookInfo), VarPtr(tmpBytArray(LBound(tmpBytArray))), LenB(hHookInfo))) Then
With retArray(UBound(retArray))
.hHook = hHookInfo.tshead.ThreadObjHead.headinfo.hObject
.iHookType = hHookInfo.iHook
.offPfn = hHookInfo.offPfn
ReDim tmpBytArray(LenB(w32thd) - 1)
If (DumpKernelMemory(hHookInfo.tshead.ThreadObjHead.pti, LenB(w32thd), tmpBytArray)) Then
If (CopyMemory(VarPtr(w32thd), VarPtr(tmpBytArray(LBound(tmpBytArray))), LenB(w32thd))) Then
.pEThread = w32thd.pEThread
End If
End If
'Debug.Print String(30, "="); vbCrLf; _
' " hHook: "; Format(Hex(.hHook), "@@@@@@@@"); vbCrLf; _
' " offPfn: "; Format(Hex(.offPfn), "@@@@@@@@"); vbCrLf; _
' " iHook: "; .iHookType; vbCrLf; _
' " pEThread: "; Format(Hex(.pEThread), "@@@@@@@@"); vbCrLf
'======================================================================
End With
ReDim Preserve retArray(UBound(retArray) + 1)
End If
End If
End If
Next
ExitFunc__:
If (UBound(retArray) > 0) Then ReDim Preserve retArray(UBound(retArray) - 1)
EnumMsgHook = retArray
Erase retArray
Erase tmpBytArray
End Function
Public Function CopyMemory(ByVal pDst As Long, ByVal pSrc As Long, ByVal nLength As Long) As Boolean
Dim st As Long
st = NtWriteVirtualMemory(NtGetCurrentProcess, pDst, pSrc, nLength, ByVal 0)
CopyMemory = NT_SUCCESS(st)
End Function
Public Function NT_SUCCESS(ByVal Status As Long) As Boolean
NT_SUCCESS = (Status >= 0)
End Function
nipcdll 2008-02-20
- 打赏
- 举报
引用:
'By 炉子[0GiNr]
'http://0GiNr.com | http://hi.baidu.com/breakinglove_
'转载请注明出处
Option Explicit
Private Declare Function NtReadVirtualMemory _
Lib "NTDLL.DLL" (ByVal ProcessHandle As Long, _
ByVal BaseAddress As Long, _
ByVal pBuffer As Long, _
ByVal NumberOfBytesToRead As Long, _
ByRef NumberOfBytesReaded As Long) As Long
Private Declare Function NtWriteVirtualMemory _
Lib "NTDLL.DLL" (ByVal ProcessHandle As Long, _
ByVal BaseAddress As Long, _
ByVal pBuffer As Long, _
ByVal NumberOfBytesToWrite As Long, _
ByRef NumberOfBytesWritten As Long) As Long
'Private Const pgSharedInfo = &H77D700A0 //can be located now.
Private Const NtGetCurrentProcess = -1 '//0xFFFFFFFF
Private Type SHAREDINFO
psi As Long 'tagSERVERINFO
aheList As Long '_HANDLEENTRY - handle table pointer
pDispInfo As Long 'global displayinfo
ulSharedDelta As Long 'delta between client and kernel mapping of ...
'省略
End Type
Private Type HANDLEENTRY
phead As Long 'pointer to the real object
pOwner As Long 'pointer to owning entity (pti or ppi)
bType As Byte 'type of object
bFlags As Byte 'flags - like destroy flag
wUniq As Integer 'uniqueness count
End Type
Private Type SERVERINFO 'si
wRIPFlags As Integer 'RIPF_ flags
wSRVIFlags As Integer 'SRVIF_ flags
wRIPPID As Integer 'PID of process to apply RIP flags to (zero means all)
wRIPError As Integer 'Error to break on (zero means all errors are treated equal)
cHandleEntries As Long 'count of handle entries in array
End Type
Private Enum HANDLE_TYPE
TYPE_FREE = 0 'must be zero!
TYPE_WINDOW = 1 'in order of use for C code lookups
TYPE_MENU = 2
TYPE_CURSOR = 3
TYPE_SETWINDOWPOS = 4
TYPE_HOOK = 5
TYPE_CLIPDATA = 6 'clipboard data
TYPE_CALLPROC = 7
TYPE_ACCELTABLE = 8
TYPE_DDEACCESS = 9
TYPE_DDECONV = 10
TYPE_DDEXACT = 11 'DDE transaction tracking info.
TYPE_MONITOR = 12
TYPE_KBDLAYOUT = 13 'Keyboard Layout handle (HKL) object.
TYPE_KBDFILE = 14 'Keyboard Layout file object.
TYPE_WINEVENTHOOK = 15 'WinEvent hook (EVENTHOOK)
TYPE_TIMER = 16
TYPE_INPUTCONTEXT = 17 'Input Context info structure
TYPE_CTYPES = 18 'Count of TYPEs; Must be LAST + 1
TYPE_GENERIC = 255 'used for generic handle validation
End Enum
Public Enum HOOK_TYPE
WH_MSGFILTER = -1
WH_JOURNALRECORD = 0
WH_JOURNALPLAYBACK = 1
WH_KEYBOARD = 2
WH_GETMESSAGE = 3
WH_CALLWNDPROC = 4
WH_CBT = 5
WH_SYSMSGFILTER = 6
WH_MOUSE = 7
WH_HARDWARE = 8
WH_DEBUG = 9
WH_SHELL = 10
WH_FOREGROUNDIDLE = 11
WH_CALLWNDPROCRET = 12
WH_KEYBOARD_LL = 13
WH_MOUSE_LL = 14
End Enum
Private Type HEAD
hObject As Long
cLockObj As Long
End Type
Private Type THROBJHEAD
headinfo As HEAD
pti As Long 'PTHREADINFO
End Type
Private Type DESKHEAD
rpdesk As Long 'PDESKTOP
pSelf As Long 'PBYTE
End Type
Private Type THRDESKHEAD
ThreadObjHead As THROBJHEAD
DesktopHead As DESKHEAD
End Type
Private Type HOOK 'hk
tshead As THRDESKHEAD
phkNext As Long
iHook As Integer '// WH_xxx hook type
offPfn As Long
flags As Integer '// HF_xxx flags
ihmod As Integer
ptiHooked As Long '//PTHREADINFO - Thread hooked.
rpdesk As Long '// Global hook pdesk. Only used when hook is locked and owner is destroyed
End Type
Private Type W32THREAD
pEThread As Long
RefCount As Long
ptlW32 As Long
pgdiDcattr As Long
pgdiBrushAttr As Long
pUMPDObjs As Long
pUMPDHeap As Long
dwEngAcquireCount As Long
pSemTable As Long
pUMPDObj As Long
End Type
Public Type MsgHookInfo
hHook As Long
iHookType As HOOK_TYPE
pEThread As Long
offPfn As Long
End Type
Private pgSharedInfo As Long
Private Declare Function GetModuleHandle _
Lib "kernel32.dll" Alias "GetModuleHandleA" _
(ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress _
Lib "kernel32.dll" (ByVal hModule As Long, _
ByVal lpProcName As String) As Long
Private Sub LocateSharedInfo() 'locate gSharedInfo
Dim pfnUserRegisterWowHandlers As Long: pfnUserRegisterWowHandlers = GetProcAddress(GetModuleHandle("user32.dll"), "UserRegisterWowHandlers")
Dim I As Long
For I = pfnUserRegisterWowHandlers To pfnUserRegisterWowHandlers + &H1000
If ((ReadMemoryToInt(I) = &H40C7) And _
(ReadMemoryToInt(I + 1 * 7) = &H40C7) And _
(ReadMemoryToInt(I + 2 * 7) = &H40C7) And _
(ReadMemoryToInt(I + 3 * 7) = &H40C7) And _
(ReadMemoryToInt(I + 4 * 7) = &H40C7) And _
(ReadMemoryToInt(I + 5 * 7) = &H40C7)) Then
If (ReadMemoryToByt(I + 6 * 7) = &HB8) Then '40c7: mov dword ptr
Debug.Print "position="; Hex(I)
pgSharedInfo = ReadMemoryToLong(I + 6 * 7 + 1)
Debug.Print "gSharedInfo="; Hex(pgSharedInfo)
End If
End If
Next
End Sub
Private Function ReadMemoryToInt(ByVal dwAddress As Long) As Integer
Dim st As Long
Dim ret As Integer
Dim nReadBytes As Long
st = NtReadVirtualMemory(NtGetCurrentProcess, dwAddress, VarPtr(ret), LenB(ret), nReadBytes)
ReadMemoryToInt = ret
End Function
Private Function ReadMemoryToLong(ByVal dwAddress As Long) As Long
Dim st As Long
Dim ret As Long
Dim nReadBytes As Long
st = NtReadVirtualMemory(NtGetCurrentProcess, dwAddress, VarPtr(ret), LenB(ret), nReadBytes)
ReadMemoryToLong = ret
End Function
Private Function ReadMemoryToByt(ByVal dwAddress As Long) As Byte
Dim st As Long
Dim ret As Byte
Dim nReadBytes As Long
st = NtReadVirtualMemory(NtGetCurrentProcess, dwAddress, VarPtr(ret), LenB(ret), nReadBytes)
ReadMemoryToByt = ret
End Function
Public Function EnumMsgHook_Init() As Boolean
Call LocateSharedInfo
EnumMsgHook_Init = (pgSharedInfo <> 0)
End Function
'By 炉子[0GiNr]
'http://0GiNr.com | http://hi.baidu.com/breakinglove_
'转载请注明出处
Option Explicit
Private Declare Function NtReadVirtualMemory _
Lib "NTDLL.DLL" (ByVal ProcessHandle As Long, _
ByVal BaseAddress As Long, _
ByVal pBuffer As Long, _
ByVal NumberOfBytesToRead As Long, _
ByRef NumberOfBytesReaded As Long) As Long
Private Declare Function NtWriteVirtualMemory _
Lib "NTDLL.DLL" (ByVal ProcessHandle As Long, _
ByVal BaseAddress As Long, _
ByVal pBuffer As Long, _
ByVal NumberOfBytesToWrite As Long, _
ByRef NumberOfBytesWritten As Long) As Long
'Private Const pgSharedInfo = &H77D700A0 //can be located now.
Private Const NtGetCurrentProcess = -1 '//0xFFFFFFFF
Private Type SHAREDINFO
psi As Long 'tagSERVERINFO
aheList As Long '_HANDLEENTRY - handle table pointer
pDispInfo As Long 'global displayinfo
ulSharedDelta As Long 'delta between client and kernel mapping of ...
'省略
End Type
Private Type HANDLEENTRY
phead As Long 'pointer to the real object
pOwner As Long 'pointer to owning entity (pti or ppi)
bType As Byte 'type of object
bFlags As Byte 'flags - like destroy flag
wUniq As Integer 'uniqueness count
End Type
Private Type SERVERINFO 'si
wRIPFlags As Integer 'RIPF_ flags
wSRVIFlags As Integer 'SRVIF_ flags
wRIPPID As Integer 'PID of process to apply RIP flags to (zero means all)
wRIPError As Integer 'Error to break on (zero means all errors are treated equal)
cHandleEntries As Long 'count of handle entries in array
End Type
Private Enum HANDLE_TYPE
TYPE_FREE = 0 'must be zero!
TYPE_WINDOW = 1 'in order of use for C code lookups
TYPE_MENU = 2
TYPE_CURSOR = 3
TYPE_SETWINDOWPOS = 4
TYPE_HOOK = 5
TYPE_CLIPDATA = 6 'clipboard data
TYPE_CALLPROC = 7
TYPE_ACCELTABLE = 8
TYPE_DDEACCESS = 9
TYPE_DDECONV = 10
TYPE_DDEXACT = 11 'DDE transaction tracking info.
TYPE_MONITOR = 12
TYPE_KBDLAYOUT = 13 'Keyboard Layout handle (HKL) object.
TYPE_KBDFILE = 14 'Keyboard Layout file object.
TYPE_WINEVENTHOOK = 15 'WinEvent hook (EVENTHOOK)
TYPE_TIMER = 16
TYPE_INPUTCONTEXT = 17 'Input Context info structure
TYPE_CTYPES = 18 'Count of TYPEs; Must be LAST + 1
TYPE_GENERIC = 255 'used for generic handle validation
End Enum
Public Enum HOOK_TYPE
WH_MSGFILTER = -1
WH_JOURNALRECORD = 0
WH_JOURNALPLAYBACK = 1
WH_KEYBOARD = 2
WH_GETMESSAGE = 3
WH_CALLWNDPROC = 4
WH_CBT = 5
WH_SYSMSGFILTER = 6
WH_MOUSE = 7
WH_HARDWARE = 8
WH_DEBUG = 9
WH_SHELL = 10
WH_FOREGROUNDIDLE = 11
WH_CALLWNDPROCRET = 12
WH_KEYBOARD_LL = 13
WH_MOUSE_LL = 14
End Enum
Private Type HEAD
hObject As Long
cLockObj As Long
End Type
Private Type THROBJHEAD
headinfo As HEAD
pti As Long 'PTHREADINFO
End Type
Private Type DESKHEAD
rpdesk As Long 'PDESKTOP
pSelf As Long 'PBYTE
End Type
Private Type THRDESKHEAD
ThreadObjHead As THROBJHEAD
DesktopHead As DESKHEAD
End Type
Private Type HOOK 'hk
tshead As THRDESKHEAD
phkNext As Long
iHook As Integer '// WH_xxx hook type
offPfn As Long
flags As Integer '// HF_xxx flags
ihmod As Integer
ptiHooked As Long '//PTHREADINFO - Thread hooked.
rpdesk As Long '// Global hook pdesk. Only used when hook is locked and owner is destroyed
End Type
Private Type W32THREAD
pEThread As Long
RefCount As Long
ptlW32 As Long
pgdiDcattr As Long
pgdiBrushAttr As Long
pUMPDObjs As Long
pUMPDHeap As Long
dwEngAcquireCount As Long
pSemTable As Long
pUMPDObj As Long
End Type
Public Type MsgHookInfo
hHook As Long
iHookType As HOOK_TYPE
pEThread As Long
offPfn As Long
End Type
Private pgSharedInfo As Long
Private Declare Function GetModuleHandle _
Lib "kernel32.dll" Alias "GetModuleHandleA" _
(ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress _
Lib "kernel32.dll" (ByVal hModule As Long, _
ByVal lpProcName As String) As Long
Private Sub LocateSharedInfo() 'locate gSharedInfo
Dim pfnUserRegisterWowHandlers As Long: pfnUserRegisterWowHandlers = GetProcAddress(GetModuleHandle("user32.dll"), "UserRegisterWowHandlers")
Dim I As Long
For I = pfnUserRegisterWowHandlers To pfnUserRegisterWowHandlers + &H1000
If ((ReadMemoryToInt(I) = &H40C7) And _
(ReadMemoryToInt(I + 1 * 7) = &H40C7) And _
(ReadMemoryToInt(I + 2 * 7) = &H40C7) And _
(ReadMemoryToInt(I + 3 * 7) = &H40C7) And _
(ReadMemoryToInt(I + 4 * 7) = &H40C7) And _
(ReadMemoryToInt(I + 5 * 7) = &H40C7)) Then
If (ReadMemoryToByt(I + 6 * 7) = &HB8) Then '40c7: mov dword ptr
Debug.Print "position="; Hex(I)
pgSharedInfo = ReadMemoryToLong(I + 6 * 7 + 1)
Debug.Print "gSharedInfo="; Hex(pgSharedInfo)
End If
End If
Next
End Sub
Private Function ReadMemoryToInt(ByVal dwAddress As Long) As Integer
Dim st As Long
Dim ret As Integer
Dim nReadBytes As Long
st = NtReadVirtualMemory(NtGetCurrentProcess, dwAddress, VarPtr(ret), LenB(ret), nReadBytes)
ReadMemoryToInt = ret
End Function
Private Function ReadMemoryToLong(ByVal dwAddress As Long) As Long
Dim st As Long
Dim ret As Long
Dim nReadBytes As Long
st = NtReadVirtualMemory(NtGetCurrentProcess, dwAddress, VarPtr(ret), LenB(ret), nReadBytes)
ReadMemoryToLong = ret
End Function
Private Function ReadMemoryToByt(ByVal dwAddress As Long) As Byte
Dim st As Long
Dim ret As Byte
Dim nReadBytes As Long
st = NtReadVirtualMemory(NtGetCurrentProcess, dwAddress, VarPtr(ret), LenB(ret), nReadBytes)
ReadMemoryToByt = ret
End Function
Public Function EnumMsgHook_Init() As Boolean
Call LocateSharedInfo
EnumMsgHook_Init = (pgSharedInfo <> 0)
End Function
珍惜生命远离CPP 2008-02-20
- 打赏
- 举报
什么代码?
怎么不直接贴出来
怎么不直接贴出来
