
VB用CreateProcess建立程序注入DLL開源,不用第三方VC寫的庫

技術標籤:VB6.0程式製作

今天的一個單子很特殊,需要建立程序並且隱藏掉程序的視窗,但是這個程序的視窗啟動時是模態窗體,所以即使設定了 hide 隱藏屬性也無法隱藏視窗,最後採用 DLL 注入並 HOOK 了 ShowWindow 函式才搞定。說起 CreateProcess 這個函式,真的非常好用,很多年前在做某個外掛的時候,就是 HOOK 了登入器的這個函式,注入了自己的 DLL。
大家好,我的技術平臺 www.zai996.com 歡迎關注

' Event codes delivered in DEBUG_EVENT.dwDebugEventCode by WaitForDebugEvent
' (values as in winbase.h). Only meaningful when the target is started with
' DEBUG_PROCESS / DEBUG_ONLY_THIS_PROCESS; 建立程序 below does not use them.
Public Enum DebugEventTypes
EXCEPTION_DEBUG_EVENT = 1&
CREATE_THREAD_DEBUG_EVENT = 2&

CREATE_PROCESS_DEBUG_EVENT = 3&
EXIT_THREAD_DEBUG_EVENT = 4&
EXIT_PROCESS_DEBUG_EVENT = 5&
LOAD_DLL_DEBUG_EVENT = 6&
UNLOAD_DLL_DEBUG_EVENT = 7&
OUTPUT_DEBUG_STRING_EVENT = 8&
RIP_EVENT = 9&
End Enum

' Continue-status values (NTSTATUS) for ContinueDebugEvent. DBG_CONTINUE and
' DBG_EXCEPTION_NOT_HANDLED are the two normally passed back to the debuggee.
' Values >= &H80000000 are negative Longs in VB6; compare them as Long.
' 建立程序 assigns DBG_EXCEPTION_NOT_HANDLED to dwStatus but nothing in this
' listing calls ContinueDebugEvent.
Public Enum DebugStates
DBG_CONTINUE = &H10002
DBG_TERMINATE_THREAD = &H40010003

DBG_TERMINATE_PROCESS = &H40010004
DBG_CONTROL_C = &H40010005
DBG_CONTROL_BREAK = &H40010008
DBG_EXCEPTION_NOT_HANDLED = &H80010001
End Enum

' NTSTATUS exception codes (winnt.h) as seen in EXCEPTION_RECORD.ExceptionCode.
' All of these are >= &H80000000 and therefore negative when held in a VB6
' Long; compare against the enum member, never against an "unsigned" value.
Public Enum ExceptionCodes
EXCEPTION_GUARD_PAGE_VIOLATION = &H80000001
EXCEPTION_DATATYPE_MISALIGNMENT = &H80000002
EXCEPTION_BREAKPOINT = &H80000003
EXCEPTION_SINGLE_STEP = &H80000004

EXCEPTION_ACCESS_VIOLATION = &HC0000005
EXCEPTION_IN_PAGE_ERROR = &HC0000006
EXCEPTION_INVALID_HANDLE = &HC0000008
EXCEPTION_NO_MEMORY = &HC0000017
EXCEPTION_ILLEGAL_INSTRUCTION = &HC000001D
EXCEPTION_NONCONTINUABLE_EXCEPTION = &HC0000025
EXCEPTION_INVALID_DISPOSITION = &HC0000026
EXCEPTION_ARRAY_BOUNDS_EXCEEDED = &HC000008C
EXCEPTION_FLOAT_DENORMAL_OPERAND = &HC000008D
EXCEPTION_FLOAT_DIVIDE_BY_ZERO = &HC000008E
EXCEPTION_FLOAT_INEXACT_RESULT = &HC000008F
EXCEPTION_FLOAT_INVALID_OPERATION = &HC0000090
EXCEPTION_FLOAT_OVERFLOW = &HC0000091
EXCEPTION_FLOAT_STACK_CHECK = &HC0000092
EXCEPTION_FLOAT_UNDERFLOW = &HC0000093
EXCEPTION_INTEGER_DIVIDE_BY_ZERO = &HC0000094
EXCEPTION_INTEGER_OVERFLOW = &HC0000095
EXCEPTION_PRIVILEGED_INSTRUCTION = &HC0000096
EXCEPTION_STACK_OVERFLOW = &HC00000FD
EXCEPTION_CONTROL_C_EXIT = &HC000013A
EXCEPTION_DLL_INIT_FAILED = &HC0000142
End Enum

' Values of EXCEPTION_RECORD.ExceptionFlags: whether execution may be resumed
' after the exception is handled.
Public Enum ExceptionFlags
EXCEPTION_CONTINUABLE = 0
EXCEPTION_NONCONTINUABLE = 1 '\ Noncontinuable exception
End Enum

' Filled by CreateProcess. hProcess and hThread are kernel handles owned by
' the caller and must be released with CloseHandle when no longer needed;
' this listing never closes them.
Public Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type

' Win32 / ntdll bindings used by the module.
' NOTE(review): the “ ” around the library names are typographic quotes from
' the web rendering; VB6 Declare statements need straight double quotes.
' DbgUiStopDebugging is an undocumented ntdll export (detaches from a debuggee);
' a Declare with no Private/Public keyword is Public in a standard module.
Declare Function DbgUiStopDebugging Lib “ntdll” (ByVal ProcessHandle As Long) As Long
' Starts a thread in another process; returns the thread handle or 0 on failure.
Private Declare Function CreateRemoteThread Lib “kernel32” (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
' lpBuffer is declared ByVal As String, so VB6 marshals it as an ANSI buffer.
Private Declare Function WriteProcessMemory Lib “kernel32” (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As String, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

' Reserves/commits memory in another process; returns the base address or 0.
Private Declare Function VirtualAllocEx Lib “kernel32” (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long

' Debugger-loop APIs; declared here but not called anywhere in this listing.
Public Declare Function WaitForDebugEvent Lib “kernel32” (lpDebugEvent As Any, ByVal dwMilliseconds As Long) As Long
Public Declare Function ContinueDebugEvent Lib “kernel32” (ByVal dwProcessId As Long, ByVal dwThreadId As Long, ByVal dwContinueStatus As Long) As Long

' Size of EXCEPTION_RECORD.ExceptionInformation (winnt.h value).
Public Const EXCEPTION_MAXIMUM_PARAMETERS = 15
' VB6 view of DEBUG_EVENT. VB6 has no unions, so dwData is a raw byte buffer
' standing in for the C union; presumably the intent is to copy it into the
' matching *_DEBUG_INFO type after dispatching on dwDebugEventCode — no such
' copy is done in this listing. 1024 bytes is larger than the real union.
Public Type DEBUG_EVENT_HEADER
dwDebugEventCode As Long
dwProcessId As Long
dwThreadId As Long
dwData(1023) As Byte
End Type

' 32-bit EXCEPTION_RECORD (winnt.h). ExceptionRecord and ExceptionAddress are
' pointers held in Longs, which is only valid for a 32-bit process.
Public Type EXCEPTION_RECORD
ExceptionCode As Long
ExceptionFlags As Long
ExceptionRecord As Long
ExceptionAddress As Long
NumberParameters As Long
ExceptionInformation(EXCEPTION_MAXIMUM_PARAMETERS - 1) As Long
End Type

' Payload of an EXCEPTION_DEBUG_EVENT; dwFirstChance is nonzero on the first
' delivery of an exception.
Public Type EXCEPTION_DEBUG_INFO
ExceptionRecord As EXCEPTION_RECORD
dwFirstChance As Long
End Type

' Payload of a CREATE_PROCESS_DEBUG_EVENT (32-bit layout; handles and
' pointers as Long, fUnicode as a 16-bit WORD).
Public Type CREATE_PROCESS_DEBUG_INFO
hFile As Long
hProcess As Long
hThread As Long
lpBaseOfImage As Long
dwDebugInfoFileOffset As Long
nDebugInfoSize As Long
lpThreadLocalBase As Long
lpStartAddress As Long
lpImageName As Long
fUnicode As Integer
End Type

' Payload of an EXIT_PROCESS_DEBUG_EVENT.
Public Type EXIT_PROCESS_DEBUG_INFO
dwExitCode As Long
End Type

' Payload of a CREATE_THREAD_DEBUG_EVENT (32-bit layout).
Public Type CREATE_THREAD_DEBUG_INFO
hThread As Long
lpThreadLocalBase As Long
lpStartAddress As Long
End Type

' Payload of an EXIT_THREAD_DEBUG_EVENT.
Public Type EXIT_THREAD_DEBUG_INFO
dwExitCode As Long
End Type

' Payload of a LOAD_DLL_DEBUG_EVENT (32-bit layout). lpImageName is a
' pointer to a pointer in the debuggee's address space, not a string.
Public Type LOAD_DLL_DEBUG_INFO
hFile As Long
lpBaseOfDll As Long
dwDebugInfoFileOffset As Long
nDebugInfoSize As Long
lpImageName As Long
fUnicode As Integer
End Type

' Payload of an UNLOAD_DLL_DEBUG_EVENT.
Public Type UNLOAD_DLL_DEBUG_INFO
lpBaseOfDll As Long
End Type

' Payload of an OUTPUT_DEBUG_STRING_EVENT; the string lives in the debuggee
' and must be read with ReadProcessMemory. Both WORD fields are Integers.
Public Type OUTPUT_DEBUG_STRING_INFO
lpDebugStringData As Long
fUnicode As Integer
nDebugStringLength As Integer
End Type

' STARTUPINFOA for CreateProcess. cb must be set to the structure size before
' the call (建立程序 does this with Len); wShowWindow is honoured only when
' dwFlags includes STARTF_USESHOWWINDOW.
Public Type STARTUPINFO '(createprocess)
cb As Long
lpReserved As Long
lpDesktop As Long
lpTitle As Long
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type

' Reads the current process's STARTUPINFO; the only call site in this listing
' is commented out. Library/alias names carry web-rendered “ ” quotes — VB6
' needs straight quotes.
Public Declare Sub GetStartupInfo Lib “kernel32” Alias “GetStartupInfoA” (lpStartupInfo As STARTUPINFO)

' dwCreationFlags bits for CreateProcess. 建立程序 passes CREATE_SUSPENDED
' alone, so the new process's primary thread does not run until ResumeThread.
Public Enum ProcessCreationFlags
DEBUG_PROCESS = &H1
DEBUG_ONLY_THIS_PROCESS = &H2
CREATE_SUSPENDED = &H4&
DETACHED_PROCESS = &H8
CREATE_NEW_CONSOLE = &H10
NORMAL_PRIORITY_CLASS = &H20
IDLE_PRIORITY_CLASS = &H40
HIGH_PRIORITY_CLASS = &H80
REALTIME_PRIORITY_CLASS = &H100
CREATE_NEW_PROCESS_GROUP = &H200
CREATE_UNICODE_ENVIRONMENT = &H400
CREATE_SEPARATE_WOW_VDM = &H800
CREATE_SHARED_WOW_VDM = &H1000
CREATE_FORCEDOS = &H2000
CREATE_DEFAULT_ERROR_MODE = &H4000000
CREATE_NO_WINDOW = &H8000000
End Enum

' CreateProcessA binding. Returns nonzero on success and fills
' lpProcessInformation with handles the caller owns. lpEnvironment is
' declared As Any so ByVal 0& can be passed for "inherit environment".
' The parameter is misspelt lpCurrentDriectory (cosmetic; callers pass by
' position). Quotes around “kernel32”/“CreateProcessA” are web-rendered.
Public Declare Function CreateProcess Lib “kernel32” Alias “CreateProcessA” ( _
ByVal lpApplicationName As String, _
ByVal lpCommandLine As String, _
ByVal lpProcessAttributes As Long, _
ByVal lpThreadAttributes As Long, _
ByVal bInheritHandles As Long, _
ByVal dwCreationFlags _
As Long, lpEnvironment As Any, _
ByVal lpCurrentDriectory As String, _
lpStartupInfo As STARTUPINFO, _
ByRef lpProcessInformation As PROCESS_INFORMATION _
) As Long

' Thread-priority and show-window constants. Of these only STARTF_USESHOWWINDOW
' is used by 建立程序; SW_HIDE is declared but the code sets wShowWindow = 6.
Private Const THREAD_PRIORITY_NORMAL = 0
Private Const THREAD_PRIORITY_IDLE = -15

Private Const THREAD_PRIORITY_TIME_CRITICAL = 15
Private Const SW_HIDE = 0
Private Const STARTF_USESHOWWINDOW = &H1

' Constant definitions
Private Const PROCESS_CREATE_THREAD = (&H2) ' OpenProcess access right: create threads in the process (unused here; the handle comes from CreateProcess)
Private Const PROCESS_VM_OPERATION = (&H8) ' OpenProcess access right. MSDN: enables using the process handle in VirtualProtectEx and WriteProcessMemory to modify the virtual memory of the process.
Private Const PROCESS_VM_WRITE = (&H20) ' OpenProcess access right: write the process's memory
Private Const MEM_COMMIT = &H1000 ' VirtualAllocEx allocation type. MSDN: the function initializes the memory to zero. If a memory page is not yet reserved, setting this value causes the function to both reserve and commit the memory page.
Private Const PAGE_READWRITE = &H4 ' VirtualAllocEx protection: readable and writable, not executable. MSDN: enables both read and write access to the committed region of pages. (PAGE_EXECUTE_READWRITE, referenced in commented-out code below, is not defined in this listing.)
Private Const TH32CS_SNAPMODULE = &H8 ' CreateToolhelp32Snapshot: module snapshot (no snapshot call in this listing)
Private Const INFINITE = &HFFFFFFFF ' WaitForSingleObject: wait forever, no timeout (no wait call in this listing)

' Decrements a thread's suspend count; returns the previous count, or -1 on
' failure (the return is ignored in 建立程序). Quotes are web-rendered.
Private Declare Function ResumeThread Lib “kernel32” (ByVal hThread As Long) As Long

' Module-level state shared with the caller.
' hProcess: handle of the process started by 建立程序 (never closed here).
Public hProcess As Long

' Path of the DLL to load into the new process. Must be assigned by the caller
' before 建立程序 runs; the Sub only reads it.
Public DLL檔案路徑 As String

' Starts the executable at 程序path with its primary thread suspended
' (CREATE_SUSPENDED), allocates a buffer in the new process, copies the path
' held in the module-level DLL檔案路徑 into it, starts a remote thread on
' LoadLibraryA with that buffer as its argument, then resumes the primary
' thread. The process handle is published in the module-level hProcess;
' nothing is returned.
'
' Parameter: 程序path - full path of the executable to start.
' Precondition: DLL檔案路徑 has been set by the caller; it is never assigned here.
'
' Review notes (from this listing alone):
'   * No API return value is checked: ret is assigned after CreateProcess and
'     WriteProcessMemory but never tested, and the VirtualAllocEx and
'     CreateRemoteThread results are used unconditionally.
'   * ret, dwStatus, Bpcount and hThread have no Dim; without Option Explicit
'     they become implicit Variants.
'   * GetProcAddress and GetModuleHandle are called but are not Declared
'     anywhere in this listing.
'   * No CloseHandle is issued for lpPi.hProcess, lpPi.hThread or the
'     remote-thread handle, so they stay open for the life of the caller.
'   * The sequence CREATE_SUSPENDED -> VirtualAllocEx -> WriteProcessMemory
'     -> CreateRemoteThread(LoadLibraryA) -> ResumeThread is the textbook
'     remote-thread DLL injection; EDR products and Sysmon (Event ID 8,
'     CreateRemoteThread) alert on exactly this, so any build of this module
'     should be expected to trip endpoint security on the machine it runs on.
'   * The lone ’ characters on several lines below are typographic apostrophes
'     from the web rendering where the source used the VB comment marker.
Public Sub 建立程序(ByVal 程序path As String) ’

Dim lpSi As STARTUPINFO
Dim lpPi As PROCESS_INFORMATION

' IMGBASE, Tmp, PEMark, OEP and CC are assigned/declared but never read.
Dim IMGBASE As Long
Dim Tmp As Long
Dim PEMark As Long
Dim OEP As Long
Dim CC As Long
Dim exePath As String
CC = &HCC
Dim nSize As Long
Dim dwAddress As Long
Dim lpszRemoteFile As Long
' dwStatus / Bpcount are leftovers of a debugger loop; nothing below uses them.
dwStatus = DBG_EXCEPTION_NOT_HANDLED
Bpcount = 0

'GetStartupInfo lpSi
' cb must hold the structure size or CreateProcess rejects the call.
lpSi.cb = Len(lpSi)
lpSi.dwFlags = STARTF_USESHOWWINDOW
' 6 = SW_MINIMIZE in winuser.h; SW_HIDE (0) is declared above but not used.
lpSi.wShowWindow = 6

exePath = 程序path 'App.Path & “\EXOS輔助【模擬器版】1.1.exe”

' bInheritHandles = False; CREATE_SUSPENDED maps the image but leaves the
' primary thread stopped until ResumeThread below.
ret = CreateProcess(exePath, vbNullString, ByVal 0, ByVal 0, False, CREATE_SUSPENDED, ByVal 0&, vbNullString, lpSi, lpPi)
' This suspends the process's main thread, not the process itself, so at this point threads can be created or hooks applied.

' Step 1: allocate memory

’ Dim a As Long
’ a = VirtualAllocEx(lpPi.hProcess, ByVal 0&, 1024 * 10, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
’ a = a + 1024 ' Author's note: 1024 must be added to keep the address from being used "in reverse" (sic)

' Author's disassembly notes; presumably ShowWindow's entry in one specific
' user32 build. The addresses are build-specific and are not used by live code.
'show
'75E60DFB - B8 58100000 - mov eax,00001058
'75E60E00 - B9 08000000 - mov ecx,00000008
'75E60E05 - 8D 54 24 04 - lea edx,[esp+04]
'75E60E09 - 64 FF 15 C0000000 - call fs:[000000C0]
'75E60E10 - 83 C4 04 - add esp,04
'75E60E13 - C2 08 00 - ret 0008


' C reference the VB below mirrors (kept from the original post).
'TCHAR szDll[] = TEXT(“d:\test.dll”);

'LPVOID Param = VirtualAllocEx(pi.hProcess, NULL, MAX_PATH, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

'WriteProcessMemory(pi.hProcess, Param, (LPVOID)szDll, _tcslen(szDll)*2+sizeof(TCHAR), NULL);

'HANDLE hThread = CreateRemoteThread(pi.hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibraryW,Param, CREATE_SUSPENDED, NULL);

hProcess = lpPi.hProcess ’
' NOTE(review): LenB counts the UTF-16 bytes of the BSTR (2 per character),
' but WriteProcessMemory's lpBuffer is marshalled as ANSI (1 per character),
' so nSize is roughly twice the bytes actually present in the buffer — confirm.
nSize = LenB(DLL檔案路徑) + 1
' Allocate memory; VirtualAllocEx returns the base address, or 0 on failure.
' PAGE_READWRITE only: the region holds a string, not code.
lpszRemoteFile = VirtualAllocEx(hProcess, 0, nSize, MEM_COMMIT, PAGE_READWRITE)

' Write the DLL path; returns 0 on failure. The second argument is the base address just allocated.
ret = WriteProcessMemory(hProcess, lpszRemoteFile, DLL檔案路徑, nSize, 0)

' Resolve LoadLibraryA in this process; GetProcAddress returns 0 on failure.
' Using the address in the other process presumes kernel32 is mapped at the
' same base in both (same-bitness processes in one boot session).
dwAddress = GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA")

' Create the remote thread; returns a thread handle, or 0 on failure.
' dwCreationFlags = 0, so it runs at once while the primary thread is still suspended.
hThread = CreateRemoteThread(hProcess, 0, 0, dwAddress, lpszRemoteFile, 0, 0)

' Step 2: patch stage - create a thread or write hook bytes (all commented out)

’ WriteProcessMemory hProcess, ByVal &H75E60DFB, &HC2&, 1, 0& 'JMP
’ WriteProcessMemory hProcess, ByVal &H75E60DFB + 1, &H8&, 1, 0& 'JMP
’ WriteProcessMemory hProcess, ByVal &H75E60DFB + 2, &H0&, 1, 0& 'JMP
’ WriteProcessMemory hProcess, ByVal &H75E60DFB + 3, &H90&, 1, 0& 'JMP
’ WriteProcessMemory hProcess, ByVal &H75E60DFB + 4, &H90&, 1, 0& 'JMP

' Step 3: remember to resume
ResumeThread lpPi.hThread ' resume the process's main thread (return value ignored)
’ SleepEx 10
’ WriteAsmByteByhProcess hProcess, “75E60DFB”, “C2 08 00 90 90” 'C2 08 00

End Sub