VB 远程注入/卸载/自我删除(RtlCreateUserThread)

本文介绍了如何在VB中调用RtlCreateUserThread API创建远程线程,实现DLL的注入和卸载功能。通过示例代码展示了如何创建多线程,以及如何对指定进程进行DLL注入和卸载操作,适用于软件开发和外挂编写等场景。

 最近才发现的“RtlCreateUserThread”(内部进一步调用 ZwCreateThread)是个好东西:既可以创建远程线程,也可以用来写多线程程序;但在 VB 里似乎还不是很稳定,只能通过 API 调用。

 

这篇文章给大家介绍一种不同于 CreateRemoteThread、但原理相同(都是通过 ZwCreateThread 创建线程)的创建远程线程的方法,实现注入和卸载功能。对于一些编写外挂,或者对Shellcode感兴趣的人是非常有用的学习资料。

 

 

多线程实例

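Public Function CreateThread(ByVal hProcess As Long, ByVal StartAddress As Long, ByVal Parameter As Long, ByRef Cid As CLIENT_ID) As Long
    ' Thin wrapper over ntdll!RtlCreateUserThread: starts a thread in hProcess
    ' that begins executing at StartAddress with Parameter as its argument.
    '   hProcess     - process handle the thread is created in.
    '   StartAddress - address the new thread starts at.
    '   Parameter    - value handed to the thread routine.
    '   Cid          - CLIENT_ID passed ByRef to the native call (process/thread ids).
    ' Returns the new thread handle, or 0 when RtlCreateUserThread reports failure.
    ' NOTE(review): the caller owns the returned handle and should close it when done.
    Dim hNewThread As Long
    Dim ntStatus As Long

    ' Arguments in declaration order: NULL security descriptor, not suspended,
    ' default zero bits, default maximum and committed stack sizes.
    ntStatus = RtlCreateUserThread(hProcess, ByVal 0&, 0, 0, 0, 0, StartAddress, Parameter, hNewThread, Cid)

    ' NTSTATUS warning/error codes have the high bit set, i.e. are negative as a
    ' VB Long. The original computed the status and never looked at it, so a
    ' failed call returned whatever the handle variable happened to hold.
    If ntStatus < 0 Then
        CreateThread = 0
    Else
        CreateThread = hNewThread
    End If
End Function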

 

Public Sub ThreadProc(ByVal Parameter As Long)
    ' Thread routine for the multithreading example: appends an increasing
    ' counter (starting at Parameter) to Form1.List1 for as long as the global
    ' gblnRunning flag is set, then ends the thread with RtlExitUserThread.
    ' NOTE(review): the article itself says this is unstable in VB; updating a
    ' form control from a thread created via RtlCreateUserThread is demonstration
    ' code, not something to rely on. counter + 1 raises an overflow error at
    ' the Long maximum, exactly as the original did.
    Dim counter As Long
    counter = Parameter
    Do
        ' Flag is checked before each iteration, so nothing runs once it is cleared.
        If Not gblnRunning Then Exit Do
        Form1.List1.AddItem CStr(counter)
        counter = counter + 1
    Loop
    RtlExitUserThread 0
End Sub

 

 

 in form

 

' Require every variable to be declared; misspelled names become compile errors.
Option Explicit

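Private Sub cmdDelMe_Click()
    ' "Delete me" button: passes the PID typed in txtInput(0) to DeleteMe
    ' (not shown on this page) and then closes the form.
    ' Consistency fix: the inject/uninject handlers reject a non-numeric PID
    ' before calling into the module; this handler passed Val(...) = 0 through
    ' unchecked. Same message box and focus handling as its siblings.
    If Not IsNumeric(txtInput(0).Text) Then
        MsgBox "请输入正确的PID!!", vbCritical, "提示"
        txtInput(0).SetFocus
        Exit Sub
    End If
    DeleteMe Val(txtInput(0).Text)
    Unload Me
End Sub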

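Private Sub cmdInject_Click()
    ' Inject button: validates the PID and DLL path fields, then calls InjectDll
    ' (defined outside this form).
    If Not InputsAreValid() Then Exit Sub
    InjectDll Val(txtInput(0).Text), txtInput(1).Text
End Sub

Private Sub cmdUnInject_Click()
    ' Uninject button: same validation as cmdInject_Click, then calls UnInjectDll
    ' (defined outside this form).
    If Not InputsAreValid() Then Exit Sub
    UnInjectDll Val(txtInput(0).Text), txtInput(1).Text
End Sub

' Shared validation for the inject/uninject buttons; the two handlers previously
' carried an identical copy of these checks.
' txtInput(0) must hold a numeric PID and txtInput(1) a path that Dir() can find.
' On failure it shows the same message box as before, moves focus to the
' offending field and returns False.
Private Function InputsAreValid() As Boolean
    InputsAreValid = False
    If Not IsNumeric(txtInput(0).Text) Then
        MsgBox "请输入正确的PID!!", vbCritical, "提示"
        txtInput(0).SetFocus
        Exit Function
    End If
    ' vbReadOnly Or vbHidden Or vbSystem is the same mask as the original 1 Or 2 Or 4:
    ' Dir() also matches read-only, hidden and system files and returns "" when
    ' nothing matches. This only checks existence, not that the file is a valid DLL.
    If Dir(txtInput(1).Text, vbReadOnly Or vbHidden Or vbSystem) = "" Then
        MsgBox "DLL不存在!!", vbCritical, "提示"
        txtInput(1).SetFocus
        Exit Function
    End If
    InputsAreValid = True
End Function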
in module

 

 

' Require every variable to be declared; misspelled names become compile errors.
Option Explicit

' VB mirror of the native CLIENT_ID structure: the ids of a thread and the
' process it belongs to. It is passed ByRef as the last argument of
' RtlCreateUserThread (see CreateThread), which fills it in.
' NOTE(review): both fields are 32-bit Longs, so this layout matches the native
' structure only in a 32-bit process.
Public Type CLIENT_ID
    UniqueProcess As Long
    UniqueThread  As Long
End Type

Private Declare Function RtlCreateUserThread Lib "ntdll.dll" (ByVal hProcess As Long, _
                                                              ByRef ThreadSecurityDescriptor As Any, _
                                                              ByVal CreateSuspended As Long, _
                                                              ByVal ZeroBits As Long, _
                                                              ByVal MaximumStackSize As Long, _
                                                              ByVal CommittedStackSize As Long, _
                                                              ByVal StartAddress As Long, _
                                                              ByVal Parameter As Long, _
                                                              ByRef hThread As Long, _
                                   
