此次是我在百度解答的最後壹個問題,今後我永遠拒絕百度
希望妳能采納我的答案,謝謝
Option Explicit
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, lpBuffer As Any, ByVal nSize As Long, _
lpNumberOfBytesWritten As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, lpBuffer As Any, ByVal nSize As Long, _
lpNumberOfBytesWritten As Long) As Long
Private Declare Function GlobalAddAtom Lib "kernel32" Alias "GlobalAddAtomW" (ByVal lpString As Long) As Integer
Private Declare Function GlobalDeleteAtom Lib "kernel32" (ByVal nAtom As Integer) As Integer
Private Declare Function GlobalFindAtom Lib "kernel32" Alias "GlobalFindAtomW" (ByVal lpString As Long) As Integer
Private Const TH32CS_SNAPPROCESS = 2
Private Type PROCESSENTRY32W
dwSize As Long
cntUsage As Long
h32ProcessID As Long ' // this process
th32DefaultHeapID As Long '
h32ModuleID As Long ' // associated exe
cntThreads As Long '
th32ParentProcessID As Long ' // this process's parent process
pcPriClassBase As Long ' // Base priority of process's threads
dwFlags As Long '
szExeFile(1 To 260) As Integer ' // Path
End Type
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Process32First Lib "kernel32" Alias "Process32FirstW" (ByVal hSnapshot As Long, lpPE As PROCESSENTRY32W) As Long
Private Declare Function Process32Next Lib "kernel32" Alias "Process32NextW" (ByVal hSnapshot As Long, lpPE As PROCESSENTRY32W) As Long
Private Declare Function lstrcmpi Lib "kernel32" Alias "lstrcmpiW" (lpString1 As Integer, ByVal lpString2 As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Type LUID
lowpart As Long
highpart As Long
End Type
Private Type LUID_AND_ATTRIBUTES
pLuid As LUID
Attributes As Long
End Type
Private Type TOKEN_PRIVILEGES
PrivilegeCount As Long
Privileges As LUID_AND_ATTRIBUTES
End Type
Private Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
Private Const TOKEN_QUERY As Long = &H8&
Private Const TOKEN_ADJUST_PRIVILEGES As Long = &H20&
Private Const SE_PRIVILEGE_ENABLED As Long = &H2
Private Const SE_DEBUG_NAME As String = "SeDebugPrivilege"
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueW" (ByVal lpSystemName As Long, ByVal lpName As Long, lpLuid As LUID) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, _
ByVal BufferLength As Long, ByVal PrevState As Long, ByVal N As Long) As Long
Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As Long) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function FreeLibrary Lib "kernel32" (ByVal hLibModule As Long) As Long
Private Const MEM_COMMIT As Long = &H1000
Private Const MEM_DECOMMIT As Long = &H4000
Private Const PAGE_READWRITE As Long = 4
Private Const PAGE_EXECUTE_READWRITE As Long = &H40
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal ProcessHandle As Long, ByVal lpAddress As Long, ByVal dwSize As Long, _
ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal ProcessHandle As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, _
ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Const CODELONG_LEN = 33
Private mlShellCode(CODELONG_LEN - 1) As Long
'============================================
' 遠程線程插入函數
' 功能:向 Winlogon 進程插入遠程線程代碼,並執行
' 返回:.T. 成功
'============================================
Public Function SendSysKey() As Boolean
Const WINLOGON As String = "Winlogon.exe"
Const SHELL_CODE_LENGTH = CODELONG_LEN * 4
Const SHELL_FUNCOFFSET = 2 * 4
Dim hProcess As Long '遠端進程句柄
Dim hPId As Long '遠端進程ID
Dim lResult As Long '壹般返回變量
Dim pToken As TOKEN_PRIVILEGES
Dim hToken As Long
Dim hRemoteThread As Long
Dim hRemoteThreadID As Long
Dim lDbResult(1) As Long
Dim lRemoteAddr As Long
'------------------------------------
'取winlogon進程ID
'------------------------------------
hPId = GetProcessIdFromName(WINLOGON)
If hPId = 0 Then
Debug.Assert False
Exit Function
End If
'------------------------------------
'提升本進程權限,以取得對winlogon進程操作的許可
'------------------------------------
lResult = OpenProcessToken(GetCurrentProcess(), _
TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, _
hToken)
Debug.Assert lResult
lResult = LookupPrivilegeValue(0, StrPtr(SE_DEBUG_NAME), pToken.Privileges.pLuid)
Debug.Assert lResult
pToken.PrivilegeCount = 1
pToken.Privileges.Attributes = SE_PRIVILEGE_ENABLED
lResult = AdjustTokenPrivileges(hToken, False, pToken, Len(pToken), 0, 0)
Debug.Assert lResult
'------------------------------------
' 打開winlogon進程
'------------------------------------
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, hPId)
Debug.Assert hProcess
If hProcess Then
'------------------------------------
' 初始註入代碼
'------------------------------------
Call InitShellCode
'------------------------------------
' 遠端進程分配內存
'------------------------------------
lRemoteAddr = VirtualAllocEx(hProcess, 0, SHELL_CODE_LENGTH, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
Debug.Assert lRemoteAddr
'------------------------------------
' 寫入 shell 代碼
'------------------------------------
If lRemoteAddr Then
Call WriteProcessMemory(hProcess, lRemoteAddr, mlShellCode(0), SHELL_CODE_LENGTH, 0)
Else
Exit Function
End If
'------------------------------------
'創建遠程線程
'------------------------------------
hRemoteThread = CreateRemoteThread(hProcess, 0, 0, lRemoteAddr + SHELL_FUNCOFFSET, 0, 0, hRemoteThreadID)
Debug.Assert hRemoteThread
If hRemoteThread Then Call CloseHandle(hRemoteThread)
'------------------------------------
'等待遠程線程執行完畢並取回結果信息
'------------------------------------
Do
If ReadProcessMemory(hProcess, lRemoteAddr, lDbResult(0), 8, lResult) = 1 Then
If lDbResult(0) = 0 Then
SendSysKey = lDbResult(1) = 0
Exit Do
End If
Else
Debug.Assert False
End If
Loop
'------------------------------------
' 釋放遠端進程內存
'------------------------------------
Call VirtualFreeEx(hProcess, lRemoteAddr, SHELL_CODE_LENGTH, MEM_DECOMMIT)
End If
End Function
'============================================
' 根據可執行文件的名稱取回進程ID
' 參數:可執行文件名(含擴展名)
' 返回:進程ID。0表示無
'============================================
Private Function GetProcessIdFromName(ByVal sName As String) As Long
Dim hSnapshot As Long
Dim lpPE As PROCESSENTRY32W
Dim lpWinlogon As Long
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
Debug.Assert hSnapshot
lpPE.dwSize = Len(lpPE)
If Process32First(hSnapshot, lpPE) Then
lpWinlogon = StrPtr(sName)
Do
If lstrcmpi(lpPE.szExeFile(1), lpWinlogon) = 0 Then
GetProcessIdFromName = lpPE.h32ProcessID
Exit Do
End If
If Process32Next(hSnapshot, lpPE) = 0 Then Exit Do ' 此代碼之前位置錯誤
Loop
End If
Call CloseHandle(hSnapshot)
End Function
'============================================
' 初始線程代碼
'============================================
Private Function InitShellCode() As Long
Const kernel32 As String = "kernel32.dll"
Const user32 As String = "user32.dll"
Dim hDll As Long
'------------------------------------
'提取註入代碼所需的API函數
'------------------------------------
hDll = LoadLibrary(StrPtr(user32))
Debug.Assert hDll
mlShellCode(0) = GetProcAddress(hDll, "FindWindowW")
mlShellCode(1) = GetProcAddress(hDll, "SendMessageW")
Call FreeLibrary(hDll)
'---------------------------
' 以下代碼由 MASM32 產生,作用就是查找指定窗口並發送熱鍵消息,超簡單 ' 遺憾網上很少有解決方案。唯壹有的就是在服務程序中的VNC源碼。
mlShellCode(2) = &H83EC8B55
mlShellCode(3) = &HE860F8C4
mlShellCode(4) = &H0&
mlShellCode(5) = &H14EB815B
mlShellCode(6) = &H8D004010
mlShellCode(7) = &H40105283
mlShellCode(8) = &H6A5000
mlShellCode(9) = &H100093FF
mlShellCode(10) = &HC00B0040
mlShellCode(11) = &H11681974
mlShellCode(12) = &H6A002E00
mlShellCode(13) = &H3126800
mlShellCode(14) = &HFF500000
mlShellCode(15) = &H40100493
mlShellCode(16) = &H4838900
mlShellCode(17) = &H33004010
mlShellCode(18) = &H8389C0
mlShellCode(19) = &H61004010
mlShellCode(20) = &H53C3C9
mlShellCode(21) = &H530041
mlShellCode(22) = &H770020
mlShellCode(23) = &H6E0069
mlShellCode(24) = &H6F0064
mlShellCode(25) = &H77&
mlShellCode(26) = &H81EC8B55
mlShellCode(27) = &HFFFDD8C4
mlShellCode(28) = &H1EEE8FF
mlShellCode(29) = &H45890000
mlShellCode(30) = &HEC458DE8
mlShellCode(31) = &HFF286A50
mlShellCode(32) = &H13E8E875
End Function