请大家帮我看看这几个函数的功能是什么,谢谢了。
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As LongPrivate Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
'Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess as long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize as long, lpNumberOfBytesWritten as long) as long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesRead As Long) As Long
'Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject as long) as long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Const PROCESS_ALL_ACCESS = &H1F0FFF
Dim h As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Const PAGE_EXECUTE_READWRITE = &H40
Const MEM_COMMIT = &H1000
Const MEM_RESERVE = &H2000
Const MEM_RELEASE = &H8000
Dim OPcode As String
Public Function Get_Result() As String
Dim i As Long
ReDim AsmCode(Len(OPcode) / 2 - 1) As Byte 'ReDim 语句 (Visual Basic)为数组变量重新分配存储空间?
For i = 0 To UBound(AsmCode) '可以使用UBound 确定数组中元素的总数,但是必须调整它返回的值,以解释下标从0 开始这一事实。
AsmCode(i) = CByte("&H" & Mid(OPcode, i * 2 + 1, 2)) 'CByte()是将字符串、数字转换为Byte型, Hex()是把10进制转换为16进制
Next
Get_Result = CallWindowProc(VarPtr(AsmCode(0)), 0, 0, 0, 0)
End Function
Public Function Get_Code() As String
Get_Code = OPcode
End Function
Public Function Run_ASM(hProcess As Variant) As Long
Dim i As Long, tmp_Addr As Long
ReDim AsmCode(Len(OPcode) / 2 - 1) As Byte
For i = 0 To UBound(AsmCode)
AsmCode(i) = CByte("&H" & Mid(OPcode, i * 2 + 1, 2))
Next
tmp_Addr = VirtualAllocEx(hProcess, ByVal 0&, UBound(AsmCode) + 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
WriteProcessMemory hProcess, ByVal tmp_Addr, ByVal VarPtr(AsmCode(0)), UBound(AsmCode) + 1, ByVal 0&
CreateRemoteThread hProcess, ByVal 0&, 0, ByVal tmp_Addr, ByVal 0&, ByVal 0&, ByVal 0&
VirtualFreeEx hProcess, tmp_Addr, UBound(AsmCode) + 1, MEM_RELEASE
End Function
--------------------编程问答-------------------- 全都是危险分子啊 --------------------编程问答-------------------- 等待高手啊。。 --------------------编程问答-------------------- 楼主想干什么?木马? --------------------编程问答-------------------- 哪里。。这个是人家写的VB汇编类的前面几个函数 。看不懂。请假大家一下。。非木马。
--------------------编程问答-------------------- 从上至下:
'========================API声明==================
'根据类名或标题名获取窗口句柄
'获取指定线程的标识符(PID)
'打开进程
'写入进程内存数据
'读取内存进程数据
'关闭指定句柄
'复制内存
'关闭指定句柄----重复了
'写入进程内存数据----重复了
'创建远程线程
'在指定进程的虚拟空间释放内存
'在指定进程的虚拟空间分配内存
'函数回调 - 执行指定句柄处函数(VB内嵌汇编类主要函数) ==== 除了本函数,以上的声明主要用于远程注入(即将一段汇编代码注入到另一个已启动的线程,很多游戏外挂的常用方法!)
'=========================三个函数===================
'Get_Result - 执行当前汇编代码数据(16进制字符串)
' 首先将 16进制的字符串 形式的汇编代码转为 字节数组数据,然后执行 CallWindowProc 即可.
' 补充: 使用字符串操作不是效率的方法, 而且这个汇编类未考虑 CallWindowProc 参数的入栈出栈问题.
'Get_Code - 获取当前汇编代码的字符串数据
'Run_ASM - 远程注入当前汇编代码段到指定进程 (参数为进程句柄)
' 将字符串转字节数据并分配内存,然后拷贝汇编数据到指定内存,创建指定线程等待执行汇编代码,最后释放分配的内存.
' 补充: 对数据处理和释放的代码不是很完善.
将我现在在使用的汇编类截取一小部分供您参考(汇编数据以字节数据方式存储而不是使用字符串):
其中的 mAsmCode 是一个 CByteStream 类,即字节数据流处理类,包括了对字节数组常用的 添加/删除/提取/查看/清除等一系列操作.
--------------------编程问答-------------------- 好东西当然要收藏了 --------------------编程问答-------------------- 顶 --------------------编程问答-------------------- 貌似很清了
'执行模块中的汇编代码段
Friend Function AsmRun() As Long
Dim lRet As Long
Dim TempCode As CByteStream
If Started = False Then Exit Function
If mAsmCode.Count = 0 Then Exit Function
Set TempCode = mAsmCode.Clone
Call FillAsmCode
lRet = modBase.CallWindowProc(mAsmCode.DataPtr, 0, 0, 0, 0) 'VB中运行汇编最根本的就是这个函数
mAsmCode.CloneFrom TempCode
Set TempCode = Nothing
Started = False
AsmRun = lRet
End Function
'这个是往某个进程中注入所写的汇编代码
'注入的时候千万不要传入本程序中的任何东西的地址,比如字符串或者某个变量的地址,那样会让注入的程序崩溃
'记得一定要在汇编代码中加RET,不然也会让注入的进程崩溃
Friend Sub Inject(ByVal hPid As Long)
Dim i As Long, tmp_Addr As Long, hProcess As Long, RThwnd As Long, lRet As Long
Dim TempCode As CByteStream
If mAsmCode.Count Then
Set TempCode = mAsmCode.Clone
Call FillAsmCode
hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, hPid) '打开进程,得到进程句柄
tmp_Addr = VirtualAllocEx(hProcess, ByVal 0&, mAsmCode.Count, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
WriteProcessMemory hProcess, ByVal tmp_Addr, ByVal mAsmCode.DataPtr, mAsmCode.Count, ByVal 0&
RThwnd = CreateRemoteThread(hProcess, ByVal 0&, 0, ByVal tmp_Addr, ByVal 0&, ByVal 0&, ByVal 0&)
Do
lRet = WaitForSingleObject(RThwnd, 100)
DoEvents
Loop Until lRet <> WAIT_TIMEOUT
VirtualFreeEx hProcess, ByVal tmp_Addr, mAsmCode.Count, MEM_DECOMMIT
CloseHandle RThwnd
CloseHandle hProcess
mAsmCode.CloneFrom TempCode
Set TempCode = Nothing
End If
End Sub
'AsmRun / Inject 调用. 检查并修正汇编代码段的开头和结尾部分,确保堆栈平衡/指令完整结束等
Private Sub FillAsmCode()
Const LENGTH_STEP As Long = 64
Dim FillArr() As Byte, TmpArr() As Byte
Dim i As Long, J As Long, L As Long
'======================================
ReDim FillArr(5)
FillArr(0) = &H58 'POP AX
FillArr(1) = &H59 'POP CX
FillArr(2) = &H59 'POP CX
FillArr(3) = &H59 'POP CX
FillArr(4) = &H59 'POP CX
FillArr(5) = &H50 'PUSH AX
mAsmCode.PeekData TmpArr, , 6
For i = 0 To 5
If TmpArr(i) <> FillArr(i) Then Exit For
Next i
'lg = LenB(TmpArr(0)) * (UBound(TmpArr) + 1)
'If modBase.CompMemory(TmpArr(0), FillArr(0), lg) <> lg Then '保持堆栈平衡和保存返回地址
If i <> 6 Then '保持堆栈平衡和保存返回地址
mAsmCode.GetData TmpArr
mAsmCode.AddData FillArr
mAsmCode.AddData TmpArr
End If
'======================================
ReDim FillArr(2)
FillArr(0) = &HC3 'RET 确保指令结尾加了RET
FillArr(1) = &H90 'NOP 添加空指令防止将前次部分代码误认为地址等错误
FillArr(2) = &H90 'NOP
mAsmCode.PeekData TmpArr, mAsmCode.Count - 3, 3
For i = 0 To 2
J = i
L = 0
Do While (TmpArr(J) = FillArr(L))
J = J + 1
L = L + 1
If J > 2 Then Exit For
Loop
Next i
If L < 3 Then
mAsmCode.AddData4Ptr VarPtr(FillArr(L)), 3 - L
End If
Erase FillArr: Erase TmpArr
'======================================
L = mAsmCode.Count Mod LENGTH_STEP '为一个欲执行的代码段补齐 64 字节
If L Then mAsmCode.Count = mAsmCode.Count + (LENGTH_STEP - L)
End Sub
“远程注入当前汇编代码段到指定进程” --------------------编程问答-------------------- 万分感谢你。。。
补充:VB , 基础类
