
VB用CreateProcess创建进程注入DLL开源,不用第三方VC写的库

凌长恨
2023-12-01

今天的一个单子很特殊:需要创建进程并且隐藏掉进程的窗口,但是这个进程启动时弹出的是模态窗体,所以即使设置了 hide 隐藏属性也无法隐藏窗口,最后采用 DLL 注入并 HOOK 了 ShowWindow 函数搞定了。说起 CreateProcess 这个函数真的非常好用,很多年前在做某个插件的时候就是 HOOK 了登入器的这个函数注入了自己的 DLL。
大家好,我的技术平台 www.zai996.com 欢迎关注

Public Enum DebugEventTypes
' dwDebugEventCode values of a Win32 DEBUG_EVENT as returned by WaitForDebugEvent.
' Nothing in this listing switches on them; a debug-event loop is presumably
' elsewhere in the module (DbgUiStopDebugging / ContinueDebugEvent are declared below).
EXCEPTION_DEBUG_EVENT = 1&
CREATE_THREAD_DEBUG_EVENT = 2&
CREATE_PROCESS_DEBUG_EVENT = 3&
EXIT_THREAD_DEBUG_EVENT = 4&
EXIT_PROCESS_DEBUG_EVENT = 5&
LOAD_DLL_DEBUG_EVENT = 6&
UNLOAD_DLL_DEBUG_EVENT = 7&
OUTPUT_DEBUG_STRING_EVENT = 8&
RIP_EVENT = 9&
End Enum

Public Enum DebugStates
' dwContinueStatus values for ContinueDebugEvent.
' &H80010001 is an 8-digit hex literal, so VB6 types it as a negative Long; the
' bit pattern is still the Win32 DWORD and compares correctly against API values.
DBG_CONTINUE = &H10002
DBG_TERMINATE_THREAD = &H40010003
DBG_TERMINATE_PROCESS = &H40010004
DBG_CONTROL_C = &H40010005
DBG_CONTROL_BREAK = &H40010008
DBG_EXCEPTION_NOT_HANDLED = &H80010001
End Enum

Public Enum ExceptionCodes
' NTSTATUS exception codes as seen in EXCEPTION_RECORD.ExceptionCode.
' The &H8… and &HC… literals evaluate to negative Longs in VB6, which is fine
' because ExceptionCode below is also a Long and the bit patterns match.
EXCEPTION_GUARD_PAGE_VIOLATION = &H80000001
EXCEPTION_DATATYPE_MISALIGNMENT = &H80000002
EXCEPTION_BREAKPOINT = &H80000003
EXCEPTION_SINGLE_STEP = &H80000004
EXCEPTION_ACCESS_VIOLATION = &HC0000005
EXCEPTION_IN_PAGE_ERROR = &HC0000006
EXCEPTION_INVALID_HANDLE = &HC0000008
EXCEPTION_NO_MEMORY = &HC0000017
EXCEPTION_ILLEGAL_INSTRUCTION = &HC000001D
EXCEPTION_NONCONTINUABLE_EXCEPTION = &HC0000025
EXCEPTION_INVALID_DISPOSITION = &HC0000026
EXCEPTION_ARRAY_BOUNDS_EXCEEDED = &HC000008C
EXCEPTION_FLOAT_DENORMAL_OPERAND = &HC000008D
EXCEPTION_FLOAT_DIVIDE_BY_ZERO = &HC000008E
EXCEPTION_FLOAT_INEXACT_RESULT = &HC000008F
EXCEPTION_FLOAT_INVALID_OPERATION = &HC0000090
EXCEPTION_FLOAT_OVERFLOW = &HC0000091
EXCEPTION_FLOAT_STACK_CHECK = &HC0000092
EXCEPTION_FLOAT_UNDERFLOW = &HC0000093
EXCEPTION_INTEGER_DIVIDE_BY_ZERO = &HC0000094
EXCEPTION_INTEGER_OVERFLOW = &HC0000095
EXCEPTION_PRIVILEGED_INSTRUCTION = &HC0000096
EXCEPTION_STACK_OVERFLOW = &HC00000FD
EXCEPTION_CONTROL_C_EXIT = &HC000013A
EXCEPTION_DLL_INIT_FAILED = &HC0000142
End Enum

Public Enum ExceptionFlags
' EXCEPTION_RECORD.ExceptionFlags bit: 0 = execution may continue after the handler.
EXCEPTION_CONTINUABLE = 0
EXCEPTION_NONCONTINUABLE = 1 '\ Noncontinuable exception
End Enum

Public Type PROCESS_INFORMATION
' Filled in by CreateProcess. hProcess and hThread are kernel handles owned by
' the caller; nothing in this listing closes them (no CloseHandle is declared),
' so they leak for the lifetime of the injector unless closed elsewhere.
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type

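' Win32 / ntdll entry points used by the injector.
' The published listing wrapped the library names in typographic quotes (“ntdll”),
' which VB6 does not accept as string literals; they are plain quotes here.
Declare Function DbgUiStopDebugging Lib "ntdll" (ByVal ProcessHandle As Long) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
' lpBuffer is "ByVal ... As String": VB6 hands the API an ANSI copy of the string,
' so nSize must be the ANSI byte count (Len(s) + 1), not LenB(s). This declaration
' cannot write raw bytes (e.g. a code patch); that needs a second declaration
' with "lpBuffer As Any".
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As String, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long

Public Declare Function WaitForDebugEvent Lib "kernel32" (lpDebugEvent As Any, ByVal dwMilliseconds As Long) As Long
Public Declare Function ContinueDebugEvent Lib "kernel32" (ByVal dwProcessId As Long, ByVal dwThreadId As Long, ByVal dwContinueStatus As Long) As Long
' NOTE(review): GetProcAddress and GetModuleHandle are called by 创建进程 below but
' are not declared in this listing; they must be declared elsewhere in the module.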

' Upper bound on EXCEPTION_RECORD.ExceptionInformation entries (Win32 value).
Public Const EXCEPTION_MAXIMUM_PARAMETERS = 15
Public Type DEBUG_EVENT_HEADER
' Generic view of a Win32 DEBUG_EVENT: the three header fields followed by an
' opaque byte buffer large enough to hold any member of the event union. The
' typed *_DEBUG_INFO structures below are meant to be copied out of dwData.
dwDebugEventCode As Long
dwProcessId As Long
dwThreadId As Long
dwData(1023) As Byte
End Type

Public Type EXCEPTION_RECORD
' 32-bit EXCEPTION_RECORD layout; ExceptionRecord and ExceptionAddress are raw
' pointers carried as Long (this module is 32-bit throughout).
ExceptionCode As Long
ExceptionFlags As Long
ExceptionRecord As Long
ExceptionAddress As Long
NumberParameters As Long
ExceptionInformation(EXCEPTION_MAXIMUM_PARAMETERS - 1) As Long
End Type

Public Type EXCEPTION_DEBUG_INFO
ExceptionRecord As EXCEPTION_RECORD
' Non-zero on the first-chance notification, zero on the second-chance one.
dwFirstChance As Long
End Type

' Per-event payloads of the Win32 DEBUG_EVENT union, 32-bit layouts.
' Handles (hFile/hProcess/hThread) and pointers are carried as Long; the
' fUnicode members are WORDs, hence Integer.
Public Type CREATE_PROCESS_DEBUG_INFO
hFile As Long
hProcess As Long
hThread As Long
lpBaseOfImage As Long
dwDebugInfoFileOffset As Long
nDebugInfoSize As Long
lpThreadLocalBase As Long
lpStartAddress As Long
lpImageName As Long
fUnicode As Integer
End Type

Public Type EXIT_PROCESS_DEBUG_INFO
dwExitCode As Long
End Type

Public Type CREATE_THREAD_DEBUG_INFO
hThread As Long
lpThreadLocalBase As Long
lpStartAddress As Long
End Type

Public Type EXIT_THREAD_DEBUG_INFO
dwExitCode As Long
End Type

Public Type LOAD_DLL_DEBUG_INFO
hFile As Long
lpBaseOfDll As Long
dwDebugInfoFileOffset As Long
nDebugInfoSize As Long
lpImageName As Long
fUnicode As Integer
End Type

Public Type UNLOAD_DLL_DEBUG_INFO
lpBaseOfDll As Long
End Type

Public Type OUTPUT_DEBUG_STRING_INFO
' lpDebugStringData points into the debuggee; it must be read with
' ReadProcessMemory, not dereferenced directly.
lpDebugStringData As Long
fUnicode As Integer
nDebugStringLength As Integer
End Type

Public Type STARTUPINFO '(createprocess)
' 32-bit STARTUPINFOA. Callers must set cb = Len(STARTUPINFO) before passing it
' to CreateProcess; wShowWindow is honoured only when dwFlags has
' STARTF_USESHOWWINDOW set.
cb As Long
lpReserved As Long
lpDesktop As Long
lpTitle As Long
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type

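' Fills a STARTUPINFO with the current process's startup settings (ANSI variant).
' Library/alias names use plain quotes; the published listing's typographic quotes do not compile.
Public Declare Sub GetStartupInfo Lib "kernel32" Alias "GetStartupInfoA" (lpStartupInfo As STARTUPINFO)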

Public Enum ProcessCreationFlags
' dwCreationFlags bits for CreateProcess. 创建进程 uses CREATE_SUSPENDED, which
' suspends only the primary thread; the process object itself is created normally.
DEBUG_PROCESS = &H1
DEBUG_ONLY_THIS_PROCESS = &H2
CREATE_SUSPENDED = &H4&
DETACHED_PROCESS = &H8
CREATE_NEW_CONSOLE = &H10
NORMAL_PRIORITY_CLASS = &H20
IDLE_PRIORITY_CLASS = &H40
HIGH_PRIORITY_CLASS = &H80
REALTIME_PRIORITY_CLASS = &H100
CREATE_NEW_PROCESS_GROUP = &H200
CREATE_UNICODE_ENVIRONMENT = &H400
CREATE_SEPARATE_WOW_VDM = &H800
CREATE_SHARED_WOW_VDM = &H1000
CREATE_FORCEDOS = &H2000
CREATE_DEFAULT_ERROR_MODE = &H4000000
CREATE_NO_WINDOW = &H8000000
End Enum

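' CreateProcessA. Returns non-zero on success and fills lpProcessInformation.
' Plain quotes replace the published listing's typographic quotes, which VB6
' rejects. Passing vbNullString for a "ByVal ... As String" argument yields a
' NULL pointer, which is how lpCommandLine / lpCurrentDriectory are left unset.
' The parameter name lpCurrentDriectory (sic) is kept so named-argument callers
' keep working.
Public Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" ( _
ByVal lpApplicationName As String, _
ByVal lpCommandLine As String, _
ByVal lpProcessAttributes As Long, _
ByVal lpThreadAttributes As Long, _
ByVal bInheritHandles As Long, _
ByVal dwCreationFlags As Long, _
lpEnvironment As Any, _
ByVal lpCurrentDriectory As String, _
lpStartupInfo As STARTUPINFO, _
ByRef lpProcessInformation As PROCESS_INFORMATION _
) As Long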

' Thread priority values; not referenced in this listing.
Private Const THREAD_PRIORITY_NORMAL = 0
Private Const THREAD_PRIORITY_IDLE = -15

Private Const THREAD_PRIORITY_TIME_CRITICAL = 15
' SW_HIDE is defined but 创建进程 sets wShowWindow = 6 instead (see there).
Private Const SW_HIDE = 0
Private Const STARTF_USESHOWWINDOW = &H1

' Constants
' OpenProcess access rights; not used in this listing because 创建进程 already
' owns a full-access handle from CreateProcess.
Private Const PROCESS_CREATE_THREAD = (&H2) ' right to create a thread in the process
Private Const PROCESS_VM_OPERATION = (&H8) ' right to use the handle with VirtualProtectEx / WriteProcessMemory
Private Const PROCESS_VM_WRITE = (&H20) ' right to write the process's memory
' VirtualAllocEx: commit (and reserve if needed) zero-initialised pages.
Private Const MEM_COMMIT = &H1000
' VirtualAllocEx page protection: read/write, no execute. The commented-out
' code in 创建进程 also refers to PAGE_EXECUTE_READWRITE, which is not defined here.
Private Const PAGE_READWRITE = &H4
' CreateToolhelp32Snapshot module snapshot; not used in this listing.
Private Const TH32CS_SNAPMODULE = &H8
' WaitForSingleObject timeout meaning "wait forever"; evaluates to the Long -1,
' whose bit pattern is the DWORD 0xFFFFFFFF. No WaitForSingleObject is declared here.
Private Const INFINITE = &HFFFFFFFF

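' Decrements a thread's suspend count; returns the previous count or -1 on failure.
' Plain quotes replace the published listing's typographic quotes, which VB6 rejects.
Private Declare Function ResumeThread Lib "kernel32" (ByVal hThread As Long) As Long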

' Handle of the most recently created target process (set by 创建进程, never closed here).
Public hProcess As Long

' Path of the DLL to inject. Should be an absolute path: a bare file name is
' resolved by the *target's* DLL search order, which invites DLL hijacking.
' It is written to the target as ANSI (LoadLibraryA), so characters outside the
' system code page are lost.
Public DLL文件路径 As String

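Public Sub 创建进程(ByVal 进程path As String)
    ' Start the executable at 进程path with its primary thread suspended, inject
    ' the DLL named by the module-level DLL文件路径 (a remote thread calls
    ' LoadLibraryA on a copy of the path written into the target), then resume
    ' the primary thread. hProcess (module-level) receives the process handle.
    '
    ' Depends on GetProcAddress / GetModuleHandle being declared elsewhere in
    ' the module; they are not declared in this listing.
    '
    ' Caveats a reuser should know:
    '   * 32-bit only: handles and pointers are Long, and the LoadLibraryA
    '     address is taken from *this* process, which only matches the target
    '     when both are the same bitness (kernel32 is mapped at the same base
    '     for same-bitness processes in a session).
    '   * DLL文件路径 should be an absolute path (see its declaration).
    '   * The remote thread is started before the primary thread is resumed,
    '     but nothing waits for it, so the DLL may still be loading when the
    '     target runs its first instructions. If the hook must be in place
    '     first, wait on hThread (WaitForSingleObject, INFINITE) before
    '     ResumeThread; no WaitForSingleObject is declared in this listing.
    '   * No handle is closed here: hProcess is kept for the caller,
    '     lpPi.hThread and hThread leak. Add a CloseHandle declaration and
    '     close them once the injection is done.
    '   * Behaviour change vs. the published listing: if CreateProcess fails
    '     the routine returns immediately; if any injection step fails the
    '     remaining steps are skipped but the primary thread is still resumed
    '     so the target is never left suspended forever.

    Dim lpSi As STARTUPINFO
    Dim lpPi As PROCESS_INFORMATION
    Dim ok As Long
    Dim nSize As Long
    Dim dwAddress As Long
    Dim lpszRemoteFile As Long
    Dim hThread As Long          ' remote-thread handle (local; implicit in the original)
    Dim bytesWritten As Long

    ' Presumably module-level state read by a debug-event loop elsewhere in the
    ' module (not visible here); kept as the original set them.
    dwStatus = DBG_EXCEPTION_NOT_HANDLED
    Bpcount = 0

    lpSi.cb = Len(lpSi)
    lpSi.dwFlags = STARTF_USESHOWWINDOW
    ' 6 = SW_MINIMIZE. The author's note: SW_HIDE did not hide the target's
    ' modal window, hence the ShowWindow hook in the injected DLL.
    lpSi.wShowWindow = 6

    ' CREATE_SUSPENDED suspends only the primary thread, so memory can be
    ' written and threads created before the target runs. bInheritHandles = 0
    ' keeps our handles out of the child.
    ok = CreateProcess(进程path, vbNullString, ByVal 0, ByVal 0, 0, CREATE_SUSPENDED, ByVal 0&, vbNullString, lpSi, lpPi)
    If ok = 0 Then Exit Sub      ' nothing was created; nothing to inject into or resume

    hProcess = lpPi.hProcess

    ' Byte count of the ANSI path plus its terminator. WriteProcessMemory is
    ' declared "ByVal lpBuffer As String", so VB6 passes an ANSI copy of
    ' Len() bytes; the original's LenB() (UTF-16 byte length) made the API
    ' read past the end of that copy.
    nSize = Len(DLL文件路径) + 1

    ' Read/write (non-executable) buffer in the target for the path string.
    lpszRemoteFile = VirtualAllocEx(hProcess, 0, nSize, MEM_COMMIT, PAGE_READWRITE)
    If lpszRemoteFile <> 0 Then
        ok = WriteProcessMemory(hProcess, lpszRemoteFile, DLL文件路径, nSize, bytesWritten)
        If ok <> 0 Then
            ' LoadLibraryA(lpszRemoteFile) has exactly the shape of a thread
            ' start routine: one pointer argument, returns a value.
            dwAddress = GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA")
            If dwAddress <> 0 Then
                hThread = CreateRemoteThread(hProcess, 0, 0, dwAddress, lpszRemoteFile, 0, 0)
            End If
        End If
    End If

    ' Any in-process patching (the author originally experimented with
    ' overwriting bytes at a hard-coded user32 address to short-circuit
    ' ShowWindow) would go here. Hard-coded addresses are not stable across
    ' machines or reboots under ASLR; resolve them at run time instead.

    ' Always resume the primary thread, even if injection failed.
    ResumeThread lpPi.hThread
End Sub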
