vb远程线程注入拦截键盘.docx
《vb远程线程注入拦截键盘.docx》由会员分享,可在线阅读,更多相关《vb远程线程注入拦截键盘.docx(20页珍藏版)》请在冰豆网上搜索。
vb远程线程注入拦截键盘
OptionExplicit
PrivateSubcmdLock_Click()
IfLockKeyboard(True)Then
cmdLock.Enabled=False
cmdUnLock.Enabled=True
EndIf
EndSub
PrivateSubcmdUnLock_Click()
IfLockKeyboard(False)Then
cmdLock.Enabled=True
cmdUnLock.Enabled=False
EndIf
EndSub
PrivateSubForm_Load()
DimbIsLockAsBoolean
bIsLock=GetKeyboardState
cmdLock.Enabled=NotbIsLock
cmdUnLock.Enabled=bIsLock
EndSub
模块部分代码:
OptionExplicit
'是否包含处理其它键盘消息,True表示处理.
#ConstINC_OTHER_KEY=True
'注意,以下所有双版本的API均声明成了UNICODE版。
并且许多地方与VB的API浏览器生成的代码有所不同。
PrivateDeclareFunctionOpenProcessLib"kernel32"(ByValdwDesiredAccessAsLong,ByValbInheritHandleAsLong,ByValdwProcessIdAsLong)AsLong
PrivateDeclareFunctionReadProcessMemoryLib"kernel32"(ByValhProcessAsLong,ByVallpBaseAddressAsLong,lpBufferAsAny,ByValnSizeAsLong,lpNumberOfBytesWrittenAsLong)AsLong
PrivateDeclareFunctionWriteProcessMemoryLib"kernel32"(ByValhProcessAsLong,ByVallpBaseAddressAsLong,lpBufferAsAny,ByValnSizeAsLong,lpNumberOfBytesWrittenAsLong)AsLong
PrivateDeclareFunctionGlobalAddAtomLib"kernel32"Alias"GlobalAddAtomW"(ByVallpStringAsLong)AsInteger
PrivateDeclareFunctionGlobalDeleteAtomLib"kernel32"(ByValnAtomAsInteger)AsInteger
PrivateDeclareFunctionGlobalFindAtomLib"kernel32"Alias"GlobalFindAtomW"(ByVallpStringAsLong)AsInteger
PrivateConstTH32CS_SNAPPROCESS=2
PrivateTypePROCESSENTRY32W
dwSizeAsLong
cntUsageAsLong
h32ProcessIDAsLong'//thisprocess
th32DefaultHeapIDAsLong'
h32ModuleIDAsLong'//associatedexe
cntThreadsAsLong'
th32ParentProcessIDAsLong'//thisprocess'sparentprocess
pcPriClassBaseAsLong'//Basepriorityofprocess'sthreads
dwFlagsAsLong'
szExeFile(1To260)AsInteger'//Path
EndType
PrivateDeclareFunctionCreateToolhelp32SnapshotLib"kernel32"(ByValdwFlagsAsLong,ByValth32ProcessIDAsLong)AsLong
PrivateDeclareFunctionProcess32FirstLib"kernel32"Alias"Process32FirstW"(ByValhSnapshotAsLong,lpPEAsPROCESSENTRY32W)AsLong
PrivateDeclareFunctionProcess32NextLib"kernel32"Alias"Process32NextW"(ByValhSnapshotAsLong,lpPEAsPROCESSENTRY32W)AsLong
PrivateDeclareFunctionlstrcmpiLib"kernel32"Alias"lstrcmpiW"(lpString1AsInteger,ByVallpString2AsLong)AsLong
PrivateDeclareFunctionCloseHandleLib"kernel32"(ByValhObjectAsLong)AsLong
PrivateDeclareFunctionGetLastErrorLib"kernel32"()AsLong
PrivateTypeLUID
lowpartAsLong
highpartAsLong
EndType
PrivateTypeLUID_AND_ATTRIBUTES
pLuidAsLUID
AttributesAsLong
EndType
PrivateTypeTOKEN_PRIVILEGES
PrivilegeCountAsLong
PrivilegesAsLUID_AND_ATTRIBUTES
EndType
PrivateConstPROCESS_ALL_ACCESSAsLong=&H1F0FFF
PrivateConstTOKEN_QUERYAsLong=&H8&
PrivateConstTOKEN_ADJUST_PRIVILEGESAsLong=&H20&
PrivateConstSE_PRIVILEGE_ENABLEDAsLong=&H2
PrivateConstSE_DEBUG_NAMEAsString="SeDebugPrivilege"
PrivateDeclareFunctionGetCurrentProcessLib"kernel32"()AsLong
PrivateDeclareFunctionOpenProcessTokenLib"advapi32.dll"(ByValProcessHandleAsLong,ByValDesiredAccessAsLong,TokenHandleAsLong)AsLong
PrivateDeclareFunctionLookupPrivilegeValueLib"advapi32.dll"Alias"LookupPrivilegeValueW"(ByVallpSystemNameAsLong,ByVallpNameAsLong,lpLuidAsLUID)AsLong
PrivateDeclareFunctionAdjustTokenPrivilegesLib"advapi32.dll"(ByValTokenHandleAsLong,ByValDisableAllPrivilegesAsLong,NewStateAsTOKEN_PRIVILEGES,ByValBufferLengthAsLong,ByValPrevStateAsLong,ByValNAsLong)AsLong
PrivateDeclareFunctionGetModuleHandleLib"kernel32"Alias"GetModuleHandleW"(ByVallpwModuleNameAsLong)AsLong
PrivateDeclareFunctionGetProcAddressLib"kernel32"(ByValhModuleAsLong,ByVallpProcNameAsString)AsLong
PrivateConstMEM_COMMITAsLong=&H1000
PrivateConstMEM_DECOMMITAsLong=&H4000
PrivateConstPAGE_EXECUTE_READWRITEAsLong=&H40
PrivateDeclareFunctionVirtualAllocExLib"kernel32"(ByValProcessHandleAsLong,ByVallpAddressAsLong,ByValdwSizeAsLong,ByValflAllocationTypeAsLong,ByValflProtectAsLong)AsLong
PrivateDeclareFunctionVirtualFreeExLib"kernel32"(ByValProcessHandleAsLong,ByVallpAddressAsLong,ByValdwSizeAsLong,ByValdwFreeTypeAsLong)AsLong
PrivateDeclareFunctionCreateRemoteThreadLib"kernel32"(ByValhProcessAsLong,ByVallpThreadAttributesAsLong,ByValdwStackSizeAsLong,ByVallpStartAddressAsLong,ByVallpParameterAsLong,ByValdwCreationFlagsAsLong,lpThreadIdAsLong)AsLong
PrivateDeclareFunctionWaitForSingleObjectLib"kernel32"(ByValhHandleAsLong,ByValdwMillisecondsAsLong)AsLong
PrivateDeclareFunctionGetExitCodeThreadLib"kernel32"(ByValhThreadAsLong,lpExitCodeAsLong)AsLong
#IfINC_OTHER_KEYThen
PrivateDeclareFunctionSetWindowsHookExLib"user32"Alias"SetWindowsHookExW"(ByValidHookAsLong,ByVallpfnAsLong,ByValhmodAsLong,ByValdwThreadIdAsLong)AsLong
PrivateDeclareFunctionUnhookWindowsHookExLib"user32"(ByValhHookAsLong)AsLong
PrivateDeclareFunctionCallNextHookExLib"user32"(ByValhHookAsLong,ByValnCodeAsLong,ByValwParamAsLong,lParamAsAny)AsLong
#EndIf
PrivateConstATOM_FLAGAsString="HookSysKey"
PrivateConstSHELL_FALGAsString="Winlogon"
PrivateConstSHELL_CODE_DWORDLEN=317'注入代码所占的双字数
PrivateConstSHELL_CODE_LENGTH=(SHELL_CODE_DWORDLEN*4)'字节数
PrivateConstSHELL_FUNCOFFSET=&H8'注入代码线程函数偏移量
PrivatemlShellCode(SHELL_CODE_DWORDLEN-1)AsLong
#IfINC_OTHER_KEYThen
Privatem_lHookIDAsLong'键盘钩子句柄
PrivateTypeKBDLLHOOKSTRUCT
vkCodeAsLong
scanCodeAsLong
flagsAsLong
timeAsLong
dwExtraInfoAsLong
EndType
PrivateDeclareSubCopyMemoryLib"kernel32"Alias"RtlMoveMemory"(DestinationAsAny,SourceAsAny,ByValLengthAsLong)
#EndIf
'============================================
'锁定/解锁键盘
'参数:
布尔型,真表示锁定
'返回:
布尔型,真表示成功
'注意:
非Ctrl+Alt+Del键使用普通钩子技术,因此
'程序在退出时注意要卸载钩子。
'============================================
PublicFunctionLockKeyboard(ByValbLockAsBoolean)AsBoolean
DimlResultAsLong
DimlStrPtrAsLong
DimiAtomAsInteger
lStrPtr=StrPtr(SHELL_FALG)
iAtom=GlobalFindAtom(lStrPtr)
IfiAtom=0Then
lResult=InsertAsmCode
Debug.AssertlResult=0
IflResultThenExitFunction
EndIf
lStrPtr=StrPtr(ATOM_FLAG)
iAtom=GlobalFindAtom(lStrPtr)
IfbLockThen
#IfINC_OTHER_KEYThen
'强烈建议:
使用了SetWindowsHookEx的话,请编译后再运行!
m_lHookID=SetWindowsHookEx(13,AddressOfLowLevelKeyboardProc,App.hInstance,0)
#EndIf
IfiAtom=0TheniAtom=GlobalAddAtom(lStrPtr)
LockKeyboard=(iAtom<>0)
Debug.AssertLockKeyboard
Else
#IfINC_OTHER_KEYThen
Ifm_lHookIDThenCallUnhookWindowsHookEx(m_lHookID)
#EndIf
IfiAtomTheniAtom=GlobalDeleteAtom(iAtom)
LockKeyboard=iAtom=0
EndIf
EndFunction
PublicFunctionGetKeyboardState()AsBoolean
GetKeyboardState=GlobalFindAtom(StrPtr(ATOM_FLAG))<>0
EndFunction
#IfINC_OTHER_KEYThen
PrivateFunctionLowLevelKeyboardProc(ByValnCodeAsLong,ByValwParamAsLong,ByVallParamAsLong)AsLong
DimKBEventAsKBDLLHOOKSTRUCT
IfnCode>=0Then
'在这里可以加入实际的过滤条件
CopyMemoryKBEvent,ByVallParam,20&'sizeofKBDLLHOOKSTRUCT=20
'wParam=消息,如WM_KEYDOWN,WM_KEYUP等
Debug.PrintHex$(KBEvent.vkCode)'VK_?
?
?
定义的键码
LowLevelKeyboardProc=1'1屏蔽,否则应调用CallNextHookEx
Else
LowLevelKeyboardProc=CallNextHookEx(m_lHookID,nCode,wParam,lParam)
EndIf
EndFunction
#EndIf
'----------------------------------------------
'远程线程插入函数
'功能:
向Winlogon进程插入远程线程代码,并执行
'返回:
0表示成功,非0表示标准的系统错误代号
'----------------------------------------------
PrivateFunctionInsertAsmCode()AsLong
ConstWINLOGONAsString="Winlogon.exe"
DimhProcessAsLong'远端进程句柄
DimhPIdAsLong'远端进程ID
DimlResultAsLong'一般返回变量
DimpTokenAsTOKEN_PRIVILEGES
DimhTokenAsLong
DimhRemoteThreadAsLong
DimhRemoteThreadIDAsLong
DimlDbResult
(1)AsLong
DimlRemoteAddrAsLong
'------------------------------------
'取winlogon进程ID
'------------------------------------
hPId=GetProcessIdFromName(WINLOGON)
IfhPId=0Then
InsertAsmCode=GetLastError
Debug.AssertFalse
ExitFunction
EndIf
'------------------------------------
'提升本进程权限,以取得对winlogon进程操作的许可
'------------------------------------
lResult=OpenProcessToken(GetCurrentProcess(),_
TOKEN_ADJUST_PRIVILEGESOrTOKEN_QUERY,_
hToken)
Debug.AssertlResult
lResult=LookupPrivilegeValue(0,StrPtr(SE_DEBUG_NAME),pToken.Privileges.pLuid)
Debug.AssertlResult
pToken.PrivilegeCount=1
pToken.Privileges.Attributes=SE_PRIVILEGE_ENABLED
lResult=AdjustTokenPrivileges(hToken,False,pToken,Len(pToken),0,0)
Debug.AssertlResult
'------------------------------------
'打开winlogon进程
'------------------------------------
hProcess=OpenProcess(PROCESS_ALL_ACCESS,0,hPId)
Debug.AsserthProcess
IfhProcessThen
'------------------------------------
'初始注入代码
'------------------------------------
CallInitShellCode
'------------------------------------
'远端进程分配内存
'------------------------------------
lRemoteAddr=VirtualAllocEx(hProcess,0,SHELL_CODE_LENGTH,MEM_COMMIT,PAGE_EXECUTE_READWRITE)
Debug.AssertlRemoteAddr
'------------------------------------
'写入shell代码
'------------------------------------
IflRemoteAddrThen
InsertAsmCode=WriteProcessMemory(hProcess,lRemoteAddr,mlShellCode(0),SHELL_CODE_LENGTH,0)
Else
InsertAsmCode=GetLastError
ExitFunction
EndIf
'------------------------------------
'创建远程线程
'------------------------------------
hRemoteThread=CreateRemoteThread(hProcess,0,0,lRemoteAddr+SHELL_FUNCOFFSET,0,0,hRemoteThreadID)
IfhRemoteThread=0Then
InsertAsmCode=GetLastError
Debug.AsserthRemoteThread
ExitFunction
EndIf
'----------------------------------
升级会员 