A question about writing a DLL intended for injection in VB

  • General discussion

  • Recently I saw on the web something about injecting a DLL you have written yourself into another process, so that the code in your own DLL runs only inside the process it was injected into. I have already written a DLL in VB, but here is the problem! I injected my DLL into the target process, and it was injected successfully, but I found I don't know how, once the injection is complete, to make the code inside the DLL run automatically.

    What I want to ask is: how do I write a DLL in VB such that, as soon as the DLL has been injected into a program, it runs directly (automatically) and unconditionally?

    Experts and masters, please help me out, thanks!

    August 7, 2010, 03:23 AM

All replies

  • According to this forum's announcement, discussion of this kind of technique is prohibited here; I suggest you ask on a community site.
    The forum is mutual help among peers; for guaranteed answers, go to Microsoft Technical Support Services.
    When asking, describing the error scenario and the error message is very important; the scenario description includes what you did, the expected result, and what actually happened. The worst possible example of a question: "Why won't my computer boot?" Who knows whether your house has no power or you simply can't find the power button.
    August 7, 2010, 12:39 PM
  • You can take a look at this discussion: Detecting a DLL injection on a seperate process (http://social.msdn.microsoft.com/Forums/en-US/windowssecurity/thread/78c5a1b3-b92a-4793-bf01-6f81d9a97884)
    August 7, 2010, 03:06 PM
  • Thanks!! This is exactly what I need!!

    But... isn't the API GetWindowThreadProcessId no longer usable? Even if I use this API to look up the process's PID, wouldn't it still fail to find it?

    August 9, 2010, 12:05 PM
  • Please~~ I asked a long time ago, tihs, why did you disappear halfway through...
    August 14, 2010, 03:18 AM
  • Have you read this forum's pinned post? Things to note when posting and information to provide

    Discussion of writing malicious programs is prohibited

    In the public interest, this forum prohibits discussion of writing malicious programs; writing programs to defend against malicious programs is not subject to this restriction.

    If you need to discuss writing malicious programs, please go to a community forum.

    Definition of a malicious program:

    1. Worms, trojans, adware, viruses and so on, as generally defined.
    2. Resource-exhausting programs, including denial-of-service attacks, opening a large number of images to exhaust resources, and the like.
    3. Discussion of exploiting vulnerabilities, for example SQL injection programs.
    4. Programs that may cause harm to others.

    Monitoring programs are treated as subjects of attention; for example keyboard and mouse capture, or packet filtering and interception, may be regarded as a kind of trojan, judged according to the content of the discussion.

    Note: packet sniffing may fall under the Criminal Code offense of violation of privacy; when discussing the writing of such programs, please clearly state the scope and purpose of the application, so that it can be judged whether it is a malicious program.

    ------------------------------------------------------------------------------------------------------------------------

    Also, nobody on this forum has any obligation to answer your question; don't assume that just because you asked, someone must answer. Responders may choose not to continue answering for other considerations, for example that your question appears to involve writing a malicious program.

    August 14, 2010, 03:31 AM
  • I don't see any message saying GetWindowThreadProcessId can't be used; please refer to: GetWindowThreadProcessId Function
    August 14, 2010, 04:03 AM
  • My idea is

    to inject the dll, and then I can modify memory.

    It was originally written in VB6, but converting it to VB.NET has caused many problems. I googled too, and found that articles about VB.NET on this are very few...

    That is why I came here to ask.

    I hope I can get some leads.

    Public Class Form2
    
      Private Sub Form2_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    
        Dim ProcessList() As Process
    
        ProcessList = Process.GetProcesses
        'Get all processes
    
        For i As Integer = 0 To ProcessList.Length - 1
    
          If ProcessList(i).ProcessName = "XXXXX" Then
            'XXXXX is the program to inject into
    
            Dim ProcessX As New Process()
            Dim hProcess = ProcessList(i).Handle.ToString
    
            ProcessX = Process.GetProcessById(ProcessList(i).Id)
            'ProcessList(i).Id in the parentheses is the PID of the specified program
    
            Label4.Text = ProcessList(i).Id
            'PID = ProcessID = process name
    
            Label5.Text = hProcess
            'hProcess = Process Handle = the process's native handle
    
            Label6.Text = ProcessX.MainWindowHandle
            'Handle = main window handle
    
            Dim MyHandleProcessId As String
            Dim DllFileName As String
            Dim MyDllFileLength As String
            Dim MyDllFileBuffer As String
            Dim MyReturn As Integer
            Dim MyStartAddr As Integer
            Dim MyResult As Integer
            Dim temp As Integer
    
            If hProcess <> 0 Then
    
              MyHandleProcessId = ProcessX.MainWindowHandle
              'The process's handle
    
              DllFileName = "C:\Inject.dll"
              'Dll path
    
              MyDllFileLength = Len(DllFileName) + 1
              'Dll file name conversion
    
              MyDllFileBuffer = VirtualAllocEx(MyHandleProcessId, 0, MyDllFileLength, MEM_COMMIT, PAGE_READWRITE)
              'Allocate a blank block of memory in the target process; its start address is stored in MyDllFileBuffer. This memory region holds the Dll file path and is passed as the argument to LoadLibraryA.
    
              MyReturn = WriteProcessMemory(MyHandleProcessId, MyDllFileBuffer, DllFileName, MyDllFileLength, temp)
              'Write the Dll path into the allocated memory. The second argument passes the content of MyDllFileBuffer, not the memory address of MyDllFileBuffer.
    
              MyStartAddr = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA")
              'Get the start address of the LoadLibraryA function. Its argument is the Dll path we just wrote. But LoadLibraryA itself does not know where the argument is; next we use CreateRemoteThread to tell it where the argument is.
    
              MyResult = CreateRemoteThread(MyHandleProcessId, 0, 0, MyStartAddr, MyDllFileBuffer, 0, temp)
              'Now use CreateRemoteThread to create a thread in the target process, with its start address pointing at LoadLibraryA and the Dll path stored in MyDllFileBuffer as the argument.
    
              Label8.Text = "注入成功"
    
            End If
    
            Exit Sub
    
          End If
    
        Next
    
        Me.Show()
    
      End Sub

    Option Explicit On
    
    Imports System.Runtime.InteropServices
    
    Module Module1
    
      Public Const PROCESS_VM_READ = &H10
      'Permission to read the process's memory space; usable with ReadProcessMemory
    
      Public Const TH32CS_SNAPPROCESS = &H2
      'Define private constant
    
      Public Const MEM_COMMIT = 4096
      'Indicates physical memory has been committed
    
      Public Const PAGE_READWRITE = 4
      'Allow read and write
    
      Public Const PROCESS_CREATE_THREAD = (&H2)
      'Allow remote thread creation
    
      Public Const PROCESS_VM_OPERATION = (&H8)
      'Allow remote VirtualProtectEx & WriteProcessMemory operations
    
      Public Const PROCESS_VM_WRITE = (&H20)
      'Allow remote VirtualProtectEx & WriteProcessMemory writes
    
      <DllImport("kernel32.dll")>
      Public Function VirtualAllocEx(ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal flAllocationType As Integer, ByVal flProtect As Integer) As Integer
        'Allocate a blank block of memory in the target process for the program to use
      End Function
      <DllImport("kernel32.dll")>
      Public Function GetProcAddress(ByVal hModule As Integer, ByVal lpProcName As String) As Integer
      End Function
      <DllImport("kernel32.dll")>
      Public Function ReadProcessMemory(ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByVal lpBuffer As String, ByVal nSize As Integer, ByVal lpNumberOfBytesWritten As Integer) As Integer
      End Function
      <DllImport("kernel32.dll")>
      Public Function WriteProcessMemory(ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByVal lpBuffer As String, ByVal nSize As Integer, ByVal lpNumberOfBytesWritten As Integer) As Integer
      End Function
      <DllImport("kernel32.dll")>
      Public Function CreateRemoteThread(ByVal hProcess As Integer, ByVal lpThreadAttributes As Integer, ByVal dwStackSize As Integer, ByVal lpStartAddress As Integer, ByVal lpParameter As Integer, ByVal dwCreationFlags As Integer, ByVal lpThreadId As Integer) As Integer
      End Function
      Public Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Integer
      'Get function addresses and dll module addresses
    
    End Module

    Originally in VB6 it was like this:

    Module:

    Option Explicit
    Public Const PROCESS_VM_READ = &H10
    Public Const TH32CS_SNAPPROCESS = &H2
    Public Const MEM_COMMIT = 4096
    Public Const PAGE_READWRITE = 4
    Public Const PROCESS_CREATE_THREAD = (&H2)
    Public Const PROCESS_VM_OPERATION = (&H8)
    Public Const PROCESS_VM_WRITE = (&H20)
    Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As String, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
    Public Declare Function GetLastError Lib "kernel32" () As Long
    Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
    Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As String, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
    Public Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
    Public Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
    Public Declare Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Long
    Public Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
    Public Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
    Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
    Public Declare Function Process32Next Lib "kernel32" (ByVal hSapshot As Long, lppe As PROCESSENTRY32) As Long
    Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
    Public Type PROCESSENTRY32
    dwSize As Long
    cntUseage As Long
    th32ProcessID As Long
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    swFlags As Long
    szExeFile As String * 1024
    End Type

    Public Sub EnumAndInject()
    Dim MySnapHandle As Long
    Dim ProcessInfo As PROCESSENTRY32
    Dim MyRemoteProcessId As Long
    Dim MyDllFileLength As Long
    Dim MyDllFileBuffer As Long
    Dim MyReturn As Long
    Dim MyStartAddr As Long
    Dim MyResult As Long
    Dim temp As Long
    Dim DllFileName As String
    MySnapHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    ProcessInfo.dwSize = Len(ProcessInfo)
    
    If Process32First(MySnapHandle, ProcessInfo) <> 0 Then
    Do
    If InStr(ProcessInfo.szExeFile, "注入的進程") > 0 Then
    MyRemoteProcessId = OpenProcess(PROCESS_CREATE_THREAD + PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_VM_READ, False, ProcessInfo.th32ProcessID)
    DllFileName =  "C:\要注入的dll位置"
    MyDllFileLength = Len(DllFileName) + 1
    MyDllFileBuffer = VirtualAllocEx(MyRemoteProcessId, 0, MyDllFileLength, MEM_COMMIT, PAGE_READWRITE)
    MyReturn = WriteProcessMemory(MyRemoteProcessId, MyDllFileBuffer, DllFileName, MyDllFileLength, temp)
    MyStartAddr = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA")
    MyResult = CreateRemoteThread(MyRemoteProcessId, 0, 0, MyStartAddr, MyDllFileBuffer, 0, temp)
    End If
    Loop While Process32Next(MySnapHandle, ProcessInfo) <> 0
    End If
    
    CloseHandle MySnapHandle
    End Sub

    I hope someone can point me in a direction, where the errors are; I can Google it myself.

    Of course, if it is convenient, please explain it to me.

    September 23, 2010, 01:44 PM
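    The second reply above points to a thread on detecting DLL injection, and the forum rules permit defensive code, so here is the detection side of the exact pattern the posted injector produces: a thread created in another process whose start address is kernel32!LoadLibraryA. This Python example is added here and is not part of the original thread or anyone's posted code. It runs two rules over Sysmon Event ID 8 (CreateRemoteThread) records; the field names (SourceImage, TargetImage, StartModule, StartFunction, NewThreadId) are Sysmon's, but the records themselves are constructed for this example with made-up paths, PIDs and addresses, and the list of sensitive target processes (including winlogon.exe, named in the last post) is an assumption a real deployment would tune.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample records: Sysmon Event ID 8 (CreateRemoteThread) fields
# flattened to "key=value" pairs for this example. Field names are Sysmon's;
# every path, PID, thread id and address below is made up.
SAMPLE_EVENTS = [
    # The pattern the VB injector above produces: a thread in another process
    # whose start address is kernel32!LoadLibraryA.
    "EventID=8 UtcTime=2010-09-23 13:44:01 SourceProcessId=4120 "
    "SourceImage=C:\\Users\\demo\\Injector.exe TargetProcessId=2284 "
    "TargetImage=C:\\Program Files\\Target\\XXXXX.exe NewThreadId=5000 "
    "StartAddress=0x7FFB1A2C3D40 StartModule=C:\\Windows\\System32\\KERNEL32.DLL "
    "StartFunction=LoadLibraryA",
    # Same pattern aimed at winlogon.exe (the target named in the last post).
    "EventID=8 UtcTime=2010-11-03 10:07:15 SourceProcessId=6012 "
    "SourceImage=C:\\Users\\demo\\Hider.exe TargetProcessId=644 "
    "TargetImage=C:\\Windows\\System32\\winlogon.exe NewThreadId=5104 "
    "StartAddress=0x7FFB1A2C3D60 StartModule=C:\\Windows\\System32\\KERNEL32.DLL "
    "StartFunction=LoadLibraryW",
    # Benign remote thread: a debugger attaching via ntdll!DbgUiRemoteBreakin.
    "EventID=8 UtcTime=2010-09-23 13:50:22 SourceProcessId=3300 "
    "SourceImage=C:\\Tools\\Debugger.exe TargetProcessId=2284 "
    "TargetImage=C:\\Program Files\\Target\\XXXXX.exe NewThreadId=5222 "
    "StartAddress=0x7FFB1B0055C0 StartModule=C:\\Windows\\System32\\ntdll.dll "
    "StartFunction=DbgUiRemoteBreakin",
    # Not an Event ID 8 record at all; must be ignored.
    "EventID=1 UtcTime=2010-09-23 13:44:00 Image=C:\\Users\\demo\\Injector.exe "
    "CommandLine=Injector.exe",
]

# kernel32 exports a remote thread is pointed at to force a DLL load.
LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
# Assumption: processes where any remote thread deserves escalation.
SENSITIVE_TARGETS = {"winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}

# key=value pairs whose values may contain spaces (e.g. "Program Files").
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    """Split one flattened record into a field dictionary."""
    return {k: v for k, v in _FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    severity: str
    rule: str
    source: str
    target: str
    thread_id: int


def check_event(ev: dict) -> Optional[Finding]:
    """Apply both rules to one parsed event; None means nothing to report."""
    if ev.get("EventID") != "8":
        return None
    if ev.get("SourceProcessId") == ev.get("TargetProcessId"):
        return None  # thread created in the creator's own process
    src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
    tid = int(ev["NewThreadId"])
    if tgt in SENSITIVE_TARGETS:
        return Finding("critical", "remote thread into sensitive process", src, tgt, tid)
    if (ev.get("StartFunction", "") in LOADLIBRARY_EXPORTS
            and basename(ev.get("StartModule", "")) == "kernel32.dll"):
        return Finding("high", "remote thread starting at LoadLibrary (DLL injection)",
                       src, tgt, tid)
    return None


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Parse and check every record, keeping only the findings."""
    return [f for f in (check_event(parse_event(line)) for line in lines) if f]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.source} -> {f.target} (thread {f.thread_id})")
```

    The first rule fires only on the LoadLibrary-in-kernel32 start address, so a debugger's DbgUiRemoteBreakin thread passes through silently; the second rule ignores the start function entirely, because a remote thread in winlogon.exe or lsass.exe is worth a look no matter where it starts. Real Sysmon output is XML in the event log; only the flattened rendering is specific to this example.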
  • According to this forum's pinned announcement, this involves security issues and may not be discussed on this site; please take it elsewhere.
    T.L. Cheng
    September 23, 2010, 04:06 PM
    Moderator
  • Because I rewrote it from VB6 to .NET,

    I don't know whether the thread creation and memory allocation

    have any problems.

    Public Class Form2
    
     Private Sub Form2_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    
      Dim ProcessList() As Process
    
      ProcessList = Process.GetProcesses
      'Get all processes
    
      For i As Integer = 0 To ProcessList.Length - 1
    
       If ProcessList(i).ProcessName = "XXXXX" Then
    
        Dim ProcessX As New Process()
        Dim hProcess = ProcessList(i).Handle.ToString
    
        ProcessX = Process.GetProcessById(ProcessList(i).Id)
        'ProcessList(i).Id in the parentheses is the PID of the specified program
    
        Label4.Text = ProcessList(i).Id
        'PID = ProcessID = process name
    
        Label5.Text = hProcess
        'hProcess = Process Handle = the process's native handle
    
        Label6.Text = ProcessX.MainWindowHandle
        'Handle = main window handle
    
        Dim MyHandleProcessId As String
        Dim DllFileName As String
        Dim MyDllFileLength As String
        Dim MyDllFileBuffer As String
        Dim MyReturn As Integer
        Dim MyStartAddr As Integer
        Dim MyResult As Integer
        Dim temp As Integer
    
        If hProcess <> 0 Then
    
         MyHandleProcessId = ProcessX.MainWindowHandle
         'The process's handle
    
         DllFileName = "C:\Inject.dll"
         'Dll path
    
         MyDllFileLength = Len(DllFileName) + 1
    
         MyDllFileBuffer = VirtualAllocEx(MyHandleProcessId, 0, MyDllFileLength, MEM_COMMIT, PAGE_READWRITE)
         'Allocate a blank block of memory in the target process; its start address is stored in MyDllFileBuffer. This memory region holds the Dll file path and is passed as the argument to LoadLibraryA.
    
         MyReturn = WriteProcessMemory(MyHandleProcessId, MyDllFileBuffer, DllFileName, MyDllFileLength, temp)
         'Write the Dll path into the allocated memory. The second argument passes the content of MyDllFileBuffer, not the memory address of MyDllFileBuffer.
    
         MyStartAddr = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA")
         'Get the start address of the LoadLibraryA function. Its argument is the Dll path we just wrote. But LoadLibraryA itself does not know where the argument is; next we use CreateRemoteThread to tell it where the argument is.
    
         MyResult = CreateRemoteThread(MyHandleProcessId, 0, 0, MyStartAddr, MyDllFileBuffer, 0, temp)
         'Now use CreateRemoteThread to create a thread in the target process, with its start address pointing at LoadLibraryA and the Dll path stored in MyDllFileBuffer as the argument.
    
         Label8.Text = "12345"
    
        End If
    
        Exit Sub
    
       End If
    
      Next
    
      Me.Show()
    
     End Sub

    Option Explicit On
    
    Imports System.Runtime.InteropServices
    
    Module Module1
    
     Public Const PROCESS_VM_READ = &H10
     'Permission to read the process's memory space; usable with ReadProcessMemory
    
     Public Const TH32CS_SNAPPROCESS = &H2
     'Define private constant
    
     Public Const MEM_COMMIT = 4096
     'Indicates physical memory has been committed
    
     Public Const PAGE_READWRITE = 4
     'Allow read and write
    
     Public Const PROCESS_CREATE_THREAD = (&H2)
     'Allow remote thread creation
    
     Public Const PROCESS_VM_OPERATION = (&H8)
     'Allow remote VirtualProtectEx & WriteProcessMemory operations
    
     Public Const PROCESS_VM_WRITE = (&H20)
     'Allow remote VirtualProtectEx & WriteProcessMemory writes
    
     <DllImport("kernel32.dll")>
     Public Function VirtualAllocEx(ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal flAllocationType As Integer, ByVal flProtect As Integer) As Integer
      'Allocate a blank block of memory in the target process for the program to use
     End Function
     <DllImport("kernel32.dll")>
     Public Function GetProcAddress(ByVal hModule As Integer, ByVal lpProcName As String) As Integer
     End Function
     <DllImport("kernel32.dll")>
     Public Function ReadProcessMemory(ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByVal lpBuffer As String, ByVal nSize As Integer, ByVal lpNumberOfBytesWritten As Integer) As Integer
     End Function
     <DllImport("kernel32.dll")>
     Public Function WriteProcessMemory(ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByVal lpBuffer As String, ByVal nSize As Integer, ByVal lpNumberOfBytesWritten As Integer) As Integer
     End Function
     <DllImport("kernel32.dll")>
     Public Function CreateRemoteThread(ByVal hProcess As Integer, ByVal lpThreadAttributes As Integer, ByVal dwStackSize As Integer, ByVal lpStartAddress As Integer, ByVal lpParameter As Integer, ByVal dwCreationFlags As Integer, ByVal lpThreadId As Integer) As Integer
     End Function
     Public Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Integer
     'Get function addresses and dll module addresses
    
    End Module

    I hope someone can point me in a direction, where the errors are; I can Google it myself.

    Of course, if it is convenient, please explain it to me.

    September 24, 2010, 01:12 AM
  • If I want a VB2008 program to inject into winlogon.exe so that its process name cannot be detected, how would I do that? --- It's not to make a virus... but to prevent it from being closed from Task Manager.

    I've searched the web; almost all the code is for VB6, and once upgraded to 2008 it no longer works.

    b27906910@yahoo.com.tw
    November 3, 2010, 10:07 AM