
VB开发:干掉映像劫持两种简单方法

Option Explicit

' --- Win32 / native imports used by the two launch methods in this module ---

' Copies raw bytes; used below to place a 4-byte jump displacement into the patch buffer.
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDest As Any, pSrc As Any, ByVal ByteLen As Long)
' Pseudo-handle for the calling process, so WriteProcessMemory targets our own address space.
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
' Base address of an already-loaded module (ntdll.dll in HookIFEO).
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
' Address of a named export inside that module.
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
' Writes bytes into a process's memory. In this module it overwrites code of the
' current process (an inline patch of ntdll), which is the kind of self-modification
' that memory-integrity checks and EDR hook detection are designed to flag.
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

' Undocumented native counterpart of CloseHandle; CloseHandle (kernel32) is the supported API for this.
Private Declare Function NtClose Lib "NTDLL.DLL" (ByVal ObjectHandle As Long) As Long
' Detaches the calling debugger from the given process and lets it continue running.
Private Declare Function DebugActiveProcessStop Lib "kernel32" (ByVal dwProcessId As Long) As Long
' ANSI CreateProcess. Parameter names in a Declare are positional only, so the
' misspelling "lpCurrentDriectory" is harmless to callers. Comments cannot be
' placed inside a line-continued Declare, hence none below.
Private Declare Function CreateProcessA Lib "kernel32" (ByVal lpApplicationName As String, _
ByVal lpCommandLine As String, _
lpProcessAttributes As Any, _
lpThreadAttributes As Any, _
ByVal bInheritHandles As Long, _
ByVal dwCreationFlags As Long, _
lpEnvironment As Any, _
ByVal lpCurrentDriectory As String, _
lpStartupInfo As STARTUPINFO, _
lpProcessInformation As PROCESS_INFORMATION) As Long

' CreateProcess creation flag: the new process is created as a debuggee of this process.
Private Const DEBUG_PROCESS = &H1

' Mirrors the Win32 PROCESS_INFORMATION structure returned by CreateProcess.
Private Type PROCESS_INFORMATION
hProcess As Long   ' handle to the new process (must be closed by the caller)
hThread As Long    ' handle to its primary thread (must be closed by the caller)
dwProcessId As Long
dwThreadId As Long
End Type

' Mirrors the Win32 STARTUPINFO structure passed to CreateProcess.
' Only cb is set by this module; every other member is left at its zero value.
' NOTE(review): the String members stand in for the pointer-sized LPSTR fields
' of the native struct; RunExe sizes cb with Len(si), which is the idiom the
' classic VB6 samples use — confirm it yields the size CreateProcess expects.
Private Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type

'方法一:调试法
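' Method 1 ("debug method"): create the target as a debuggee of this process,
' then detach so it keeps running on its own.
'
' szFileName: command line handed to CreateProcessA (lpApplicationName is NULL,
'             so the first token is resolved by CreateProcess's normal rules).
' Returns:    True only if the process was created AND the debugger was
'             detached; False otherwise.
'
' Why DEBUG_PROCESS: the page uses this to start an executable whose Image File
' Execution Options (IFEO) entry has been hijacked; a process created by a
' debugger is not redirected through the IFEO "Debugger" value. The same trick
' is used by malware to get around IFEO-based blocking, so from a monitoring
' standpoint a parent that creates a child with DEBUG_PROCESS and detaches
' immediately afterwards is a useful thing to alert on.
Private Function RunExe(ByVal szFileName As String) As Boolean
    Dim lRet As Long
    Dim pi As PROCESS_INFORMATION
    Dim si As STARTUPINFO

    RunExe = False
    si.cb = Len(si)
    lRet = CreateProcessA(vbNullString, szFileName, ByVal 0&, ByVal 0&, 0, DEBUG_PROCESS, ByVal 0&, vbNullString, si, pi)
    If lRet = 0 Then Exit Function

    ' The returned handles are never used here; release them right away.
    NtClose pi.hThread
    NtClose pi.hProcess

    ' The original ignored this result and reported success unconditionally.
    ' If the detach fails the child stays attached to us and is terminated
    ' along with this process by default, so that case is reported as failure.
    RunExe = (DebugActiveProcessStop(pi.dwProcessId) <> 0)
End Function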

'方法二:hook法,不太稳定
' Method 2 (the author marks it "not very stable"): patch this process's copy of
' ntdll!LdrQueryImageFileExecutionOptions with a 5-byte relative JMP so that
' calls made from this process land in NtOpenFile instead.
' Returns True if WriteProcessMemory reported success, False if any lookup or
' the write failed.
'
' Review notes:
' - This is an in-process inline hook: it overwrites the first five bytes of a
'   loaded system DLL's code and is never undone, so it affects every later
'   IFEO lookup made from this process. In-memory prologues that differ from
'   the on-disk image are exactly what hook-detection and integrity checks
'   compare against, so expect this to be flagged by such tooling.
' - NtOpenFile was picked only because its parameter list matches in size (see
'   the author's comment); it receives arguments meant for a different
'   function, so what it does with them is undefined — presumably why the
'   author considers this method unstable.
' - Only the 32-bit x86 "E9 rel32" encoding is produced and the Long
'   arithmetic assumes a 32-bit address space.
Private Function HookIFEO() As Boolean
Dim hModule As Long
Dim pFunAddr As Long
Dim pNewAddr As Long
Dim dwJmpAddr(4) As Byte ' 5-byte patch buffer: opcode + 32-bit displacement
hModule = GetModuleHandle("ntdll.dll")
If hModule = 0 Then Exit Function
pFunAddr = GetProcAddress(hModule, "LdrQueryImageFileExecutionOptions")
If pFunAddr = 0 Then Exit Function
dwJmpAddr(0) = &HE9 ' x86 opcode for JMP rel32
pNewAddr = GetProcAddress(hModule, "NtOpenFile") ' any export with the same parameter list will do (author's choice)
If pNewAddr = 0 Then Exit Function
pNewAddr = pNewAddr - pFunAddr - 5 ' rel32 displacement = target - (patch address + 5), i.e. relative to the end of the JMP
CopyMemory dwJmpAddr(1), pNewAddr, 4 ' displacement bytes go into buffer positions 1..4
HookIFEO = WriteProcessMemory(GetCurrentProcess, ByVal pFunAddr, dwJmpAddr(0), 5, ByVal 0&) ' patch our own process; nonzero = success
End Function

'运行计算器

' Button 1: launch calc.exe through the debug-and-detach path (RunExe).
' The Boolean result is discarded, exactly as in the original handler.
Private Sub Command1_Click()
    Call RunExe("calc.exe")
End Sub

' Button 2: apply the in-process ntdll patch first; only when the patch was
' written is calc.exe started via Shell, so the child is created through this
' process's hooked code path.
Private Sub Command2_Click()
    Dim patched As Boolean

    patched = HookIFEO()
    If patched Then
        Shell "calc.exe", vbNormalFocus
    End If
End Sub