1,486
社区成员
发帖
与我相关
我的任务
分享VB 远程注入/卸载/自我删除(RtlCreateUserThread)
最近才发现的“RtlCreateUserThread”(下步调用ZwCreateThread)这可是个好东西,可以创建远程线程,也可以用来写多线程程序,但是在VB里好像还是不是很稳定只能用API。
这篇文章给大家一种不同于(CreateRemoteThread)但是原理是一样(都是通过ZwCreateThread创建线程)创建远程线程,实现注入和卸载功能。对于一些编写外挂,或者对Shellcode感兴趣的人是非常有用的学习资料。
原贴地址:http://blog.csdn.net/chenhui530/archive/2008/10/21/3119107.aspx
多线程实例
Public Function CreateThread(ByVal hProcess As Long, ByVal StartAddress As Long, ByVal Parameter As Long, ByRef Cid As CLIENT_ID) As Long
Dim hThread As Long
Dim ntStatus As Long
ntStatus = RtlCreateUserThread(hProcess, ByVal 0&, 0, 0, 0, 0, StartAddress, Parameter, hThread, Cid)
CreateThread = hThread
End Function
Public Sub ThreadProc(ByVal Parameter As Long)
Do While gblnRunning
Form1.List1.AddItem CStr(Parameter)
Parameter = Parameter + 1
Loop
RtlExitUserThread 0
End Sub
in form
Option Explicit
Private Sub cmdDelMe_Click()
DeleteMe Val(txtInput(0).Text)
Unload Me
End Sub
Private Sub cmdInject_Click()
If Not IsNumeric(txtInput(0).Text) Then
MsgBox "请输入正确的PID!!", vbCritical, "提示"
txtInput(0).SetFocus
Exit Sub
End If
If Dir(txtInput(1).Text, 1 Or 2 Or 4) = "" Then
MsgBox "DLL不存在!!", vbCritical, "提示"
txtInput(1).SetFocus
Exit Sub
End If
InjectDll Val(txtInput(0).Text), txtInput(1).Text
End Sub
Private Sub cmdUnInject_Click()
If Not IsNumeric(txtInput(0).Text) Then
MsgBox "请输入正确的PID!!", vbCritical, "提示"
txtInput(0).SetFocus
Exit Sub
End If
If Dir(txtInput(1).Text, 1 Or 2 Or 4) = "" Then
MsgBox "DLL不存在!!", vbCritical, "提示"
txtInput(1).SetFocus
Exit Sub
End If
UnInjectDll Val(txtInput(0).Text), txtInput(1).Text
End Sub
in module
Option Explicit
Public Type CLIENT_ID
UniqueProcess As Long
UniqueThread As Long
End Type
Private Declare Function RtlCreateUserThread Lib "ntdll.dll" (ByVal hProcess As Long, _
ByRef ThreadSecurityDescriptor As Any, _
ByVal CreateSuspended As Long, _
ByVal ZeroBits As Long, _
ByVal MaximumStackSize As Long, _
ByVal CommittedStackSize As Long, _
ByVal StartAddress As Long, _
ByVal Parameter As Long, _
ByRef hThread As Long, _
ByRef ClientId As CLIENT_ID) As Long
Private Declare Function RtlExitUserThread Lib "ntdll.dll" (ByVal ntStatus As Long) As Long
Private Declare Function TerminateThread Lib "kernel32" (ByVal hThread As Long, ByVal dwExitCode As Long) As Long
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Public Declare Function CreateEvent Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any, ByVal bManualReset As Long, ByVal bInitialState As Long, ByVal lpName As String) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Public Declare Function SetEvent Lib "kernel32" (ByVal hEvent As Long) As Long
Private Declare Function MessageBox Lib "user32" Alias "MessageBoxA" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Long, lpExitCode As Long) As Long
Private Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFileName As String, ByVal nSize As Long) As Long
Private Const INFINITE =
Private Const MEM_COMMIT =
Public Const MEM_RELEASE =
Private Const PAGE_EXECUTE_READWRITE =
Private Const PAGE_READWRITE =
Private Const SYNCHRONIZE As Long =
Private Const STANDARD_RIGHTS_REQUIRED As Long =
Public Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
这篇文章给大家一种不同于(CreateRemoteThread)但是原理是一样(都是通过ZwCreateThread创建线程)创建远程线程,实现注入和卸载功能。对于一些编写外挂,或者对Shellcode感兴趣的人是非常有用的学习资料。
原贴地址:http://blog.csdn.net/chenhui530/archive/2008/10/21/3119107.aspx
多线程实例
Public Function CreateThread(ByVal hProcess As Long, ByVal StartAddress As Long, ByVal Parameter As Long, ByRef Cid As CLIENT_ID) As Long
Dim hThread As Long
Dim ntStatus As Long
ntStatus = RtlCreateUserThread(hProcess, ByVal 0&, 0, 0, 0, 0, StartAddress, Parameter, hThread, Cid)
CreateThread = hThread
End Function
Public Sub ThreadProc(ByVal Parameter As Long)
Do While gblnRunning
Form1.List1.AddItem CStr(Parameter)
Parameter = Parameter + 1
Loop
RtlExitUserThread 0
End Sub
in form
Option Explicit
Private Sub cmdDelMe_Click()
DeleteMe Val(txtInput(0).Text)
Unload Me
End Sub
Private Sub cmdInject_Click()
If Not IsNumeric(txtInput(0).Text) Then
MsgBox "请输入正确的PID!!", vbCritical, "提示"
txtInput(0).SetFocus
Exit Sub
End If
If Dir(txtInput(1).Text, 1 Or 2 Or 4) = "" Then
MsgBox "DLL不存在!!", vbCritical, "提示"
txtInput(1).SetFocus
Exit Sub
End If
InjectDll Val(txtInput(0).Text), txtInput(1).Text
End Sub
Private Sub cmdUnInject_Click()
If Not IsNumeric(txtInput(0).Text) Then
MsgBox "请输入正确的PID!!", vbCritical, "提示"
txtInput(0).SetFocus
Exit Sub
End If
If Dir(txtInput(1).Text, 1 Or 2 Or 4) = "" Then
MsgBox "DLL不存在!!", vbCritical, "提示"
txtInput(1).SetFocus
Exit Sub
End If
UnInjectDll Val(txtInput(0).Text), txtInput(1).Text
End Sub
in module
Option Explicit
Public Type CLIENT_ID
UniqueProcess As Long
UniqueThread As Long
End Type
Private Declare Function RtlCreateUserThread Lib "ntdll.dll" (ByVal hProcess As Long, _
ByRef ThreadSecurityDescriptor As Any, _
ByVal CreateSuspended As Long, _
ByVal ZeroBits As Long, _
ByVal MaximumStackSize As Long, _
ByVal CommittedStackSize As Long, _
ByVal StartAddress As Long, _
ByVal Parameter As Long, _
ByRef hThread As Long, _
ByRef ClientId As CLIENT_ID) As Long
Private Declare Function RtlExitUserThread Lib "ntdll.dll" (ByVal ntStatus As Long) As Long
Private Declare Function TerminateThread Lib "kernel32" (ByVal hThread As Long, ByVal dwExitCode As Long) As Long
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Public Declare Function CreateEvent Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any, ByVal bManualReset As Long, ByVal bInitialState As Long, ByVal lpName As String) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Public Declare Function SetEvent Lib "kernel32" (ByVal hEvent As Long) As Long
Private Declare Function MessageBox Lib "user32" Alias "MessageBoxA" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Long, lpExitCode As Long) As Long
Private Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFileName As String, ByVal nSize As Long) As Long
Private Const INFINITE =
Private Const MEM_COMMIT =
Public Const MEM_RELEASE =
Private Const PAGE_EXECUTE_READWRITE =
Private Const PAGE_READWRITE =
Private Const SYNCHRONIZE As Long =
Private Const STANDARD_RIGHTS_REQUIRED As Long =
Public Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
...全文
请发表友善的回复…
发表回复
IORI915189 2008-10-31
- 打赏
- 举报
蹭分
uxen 2008-10-24
- 打赏
- 举报
还是该有些说明才好,边看边查手册太累了。
嗷嗷叫的老马 2008-10-24
- 打赏
- 举报
又是一堆代码......BS一下先....
什么时候发几楼美女图片出来啊~~~
什么时候发几楼美女图片出来啊~~~
xuezhongqing80 2008-10-24
- 打赏
- 举报
很有用,收藏,谢谢!
迈克揉索芙特 2008-10-24
- 打赏
- 举报
[Quote=引用 17 楼 myjian 的回复:]
又是一堆代码......BS一下先....
什么时候发几楼美女图片出来啊~~~
[/Quote]
干柴烈火
又是一堆代码......BS一下先....
什么时候发几楼美女图片出来啊~~~
[/Quote]
干柴烈火
yeah920 2008-10-24
- 打赏
- 举报
友情顶一下.
嗷嗷叫的老马 2008-10-24
- 打赏
- 举报
BS19楼。。。。
zzyong00 2008-10-23
- 打赏
- 举报
mark
njstalk 2008-10-23
- 打赏
- 举报
哈哈。顶者有分哇。看不懂啊,帮顶~
chenhui530 2008-10-23
- 打赏
- 举报
又没人鸟我
rene023 2008-10-23
- 打赏
- 举报
你玩的,大多数人都看不懂了。
jhone99 2008-10-22
- 打赏
- 举报
顶,收藏,谢谢了
东方之珠 2008-10-22
- 打赏
- 举报
顶者有分,收藏
yangao 2008-10-22
- 打赏
- 举报
和写外挂有啥关系啊?
迈克揉索芙特 2008-10-22
- 打赏
- 举报
强顶 接分 陈辉加油
swalp 2008-10-22
- 打赏
- 举报
雄起。收藏了。顺便带走你的分一点点。
mokton 2008-10-22
- 打赏
- 举报
学习,关注,加顶,分分
Michael_g 2008-10-22
- 打赏
- 举报
我用汇编写过,用VB 能行吗?如果在代码里调用VB的函数还能行吗?
alan001 2008-10-22
- 打赏
- 举报
支持一下楼主
谢谢楼主发布
收藏之
谢谢楼主发布
收藏之
laviewpbt 2008-10-21
- 打赏
- 举报
每次玩的东西我都看不懂啊
加载更多回复(3)
