VB6: calling Ring0-layer functions directly from Ring3, defeating any API hook placed in R3.

Follow-up to the forum thread: http://topic.csdn.net/u/20120518/18/9a00ec5c-b3d1-4a1f-9bc1-ba1a47b52463.html

An example application follows. I am only offering one method; it is certainly cumbersome, but those who need it can use it.

Add a module, Module1:

Private asm_CallCode() As Byte, KiFastSystemCall&, KiIntSystemCall&
Private Declare Function CallWindowProcW& Lib "user32" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long)
Private Declare Function LocalAlloc& Lib "kernel32" (ByVal f&, ByVal s&)
Private Declare Function LocalSize& Lib "kernel32" (ByVal m&)
Private Declare Function LocalFree& Lib "kernel32" (ByVal m&)
Private Declare Function GetModuleHandleA& Lib "kernel32" (ByVal n$)
Private Declare Function GetProcAddress& Lib "kernel32" (ByVal m&, ByVal n$)
' IsWow64Process writes a 4-byte BOOL through the pointer; a 2-byte VB Boolean
' would be overrun, so the out-parameter is declared As Long.
Private Declare Function IsWow64Process& Lib "kernel32" (ByVal h&, IsWow64 As Long)
Private Declare Sub RtlMoveMemory Lib "kernel32" (ByVal Dst&, ByVal Src&, ByVal Size&)
Private Declare Sub PutMem1 Lib "msvbvm60" (ByVal Ptr As Long, ByVal NewVal As Byte)
Private Declare Sub PutMem2 Lib "msvbvm60" (ByVal Ptr As Long, ByVal NewVal As Integer)
Private Declare Sub PutMem4 Lib "msvbvm60" (ByVal Ptr As Long, ByVal NewVal As Long)
Private Declare Sub PutMem8 Lib "msvbvm60" (ByVal Ptr As Long, ByVal NewVal As Currency)

' Read the system-call index of a kernel (Nt*/Zw*) function. On x86 every
' ntdll export stub starts with "mov eax, imm32" (opcode B8), so the index is
' the 4 bytes at offset +1 of the export. Returns 0 if the export is not found.
Public Function ReadKrnlFunctionIndex&(ByVal Name$, Optional ByVal DllFile$ = "ntdll.dll")
    Dim pEntry&, dwIndex&
    pEntry = GetProcAddress(GetModuleHandleA(DllFile), Name)
    If pEntry = 0 Then Exit Function    ' unknown export: never read from address 1
    RtlMoveMemory VarPtr(dwIndex), pEntry + 1, 4
    ReadKrnlFunctionIndex = dwIndex
End Function

' Initialise the call stub: resolve ntdll's two dispatch routines and reserve
' the buffer the machine code is written into.
Public Function InitCallKernel() As Boolean
    Dim bWow64&
    IsWow64Process -1, bWow64            ' -1 is the current-process pseudo handle
    If bWow64 <> 0 Then Exit Function    ' running as a WOW64 process on x64: not supported
    ReDim asm_CallCode(11)
    KiFastSystemCall = GetProcAddress(GetModuleHandleA("ntdll.dll"), "KiFastSystemCall")
    KiIntSystemCall = GetProcAddress(GetModuleHandleA("ntdll.dll"), "KiIntSystemCall")
    If KiFastSystemCall = 0 Then Exit Function
    If KiIntSystemCall = 0 Then Exit Function
    asm
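The post's ReadKrnlFunctionIndex reads 4 bytes at offset +1 of the export without checking what instruction it is reading. The following Python is an added example, not code from the post or its author: it decodes the common 32-bit Windows XP SP2 / Vista / 7 ntdll stub layout (mov eax, index; mov edx, 7FFE0300h; call [edx]; ret n), refuses to return an index when the first opcode is not B8 (which is what an inline-patched or wrong-architecture stub looks like), and recovers the argument count from the ret imm16. Python is used here, rather than VB6, only so the byte-level check is easy to run; the stub bytes, the index value 0x1234 and the argument count are constructed, not taken from a real ntdll.dll.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample stubs (not bytes captured from a real ntdll.dll).
# Layout of a 32-bit Windows XP SP2 / Vista / 7 ntdll export (Nt*/Zw*):
#   B8 xx xx xx xx      mov  eax, <system-call index>
#   BA 00 03 FE 7F      mov  edx, 7FFE0300h   (SharedUserData!SystemCallStub)
#   FF 12               call dword ptr [edx]  (-> KiFastSystemCall / KiIntSystemCall)
#   C2 nn 00            ret  nn               (nn = 4 * number of arguments)
# The index 0x1234 and the 6-argument ret are made up for the example.
GOOD_STUB = bytes.fromhex("B834120000" "BA0003FE7F" "FF12" "C21800")
# A stub whose first instruction was replaced by a near jmp (E9 rel32): the
# 4 bytes at +1 are now a jump displacement, not a system-call index.
PATCHED_STUB = bytes.fromhex("E9" "00100000" "BA0003FE7F" "FF12" "C21800")
# Too short to hold even the mov eax, imm32.
SHORT_STUB = bytes.fromhex("B834")

OP_MOV_EAX_IMM32 = 0xB8
MOV_EDX_SYSTEMCALLSTUB = bytes.fromhex("BA0003FE7F")
CALL_DWORD_PTR_EDX = bytes.fromhex("FF12")
OP_RET_IMM16 = 0xC2
OP_RET = 0xC3


@dataclass
class StubInfo:
    index: int                 # system-call index from mov eax, imm32
    arg_bytes: Optional[int]   # stack bytes popped by ret imm16 (None if tail unknown)
    canonical_tail: bool       # True if the mov edx / call [edx] sequence matched


def parse_syscall_stub(stub: bytes) -> StubInfo:
    """Decode an x86 ntdll system-call stub.

    Raises ValueError when the first byte is not 'mov eax, imm32'. That is
    exactly the situation (inline patch, wrong export, wrong architecture) in
    which blindly reading 4 bytes at offset +1 yields a meaningless index.
    """
    if len(stub) < 5:
        raise ValueError("stub too short for mov eax, imm32")
    if stub[0] != OP_MOV_EAX_IMM32:
        raise ValueError(
            f"unexpected first opcode 0x{stub[0]:02X}; not the plain mov eax stub")
    (index,) = struct.unpack_from("<I", stub, 1)

    tail = stub[5:]
    canonical = tail.startswith(MOV_EDX_SYSTEMCALLSTUB + CALL_DWORD_PTR_EDX)
    arg_bytes: Optional[int] = None
    if canonical:
        ret = tail[len(MOV_EDX_SYSTEMCALLSTUB) + len(CALL_DWORD_PTR_EDX):]
        if len(ret) >= 3 and ret[0] == OP_RET_IMM16:
            (arg_bytes,) = struct.unpack_from("<H", ret, 1)
        elif len(ret) >= 1 and ret[0] == OP_RET:
            arg_bytes = 0
    return StubInfo(index=index, arg_bytes=arg_bytes, canonical_tail=canonical)


def read_index_checked(stub: bytes) -> Optional[int]:
    """Return the index only for an intact stub, None otherwise."""
    try:
        return parse_syscall_stub(stub).index
    except ValueError:
        return None


if __name__ == "__main__":
    info = parse_syscall_stub(GOOD_STUB)
    args = info.arg_bytes // 4 if info.arg_bytes is not None else "?"
    print(f"index=0x{info.index:X} args={args} canonical={info.canonical_tail}")
    print("patched stub ->", read_index_checked(PATCHED_STUB))
```

In a VB6 port of this check, the equivalent is to RtlMoveMemory the first byte of pEntry and compare it with &HB8 before trusting the 4 bytes at pEntry + 1; a stub that fails the check is also a useful integrity signal that something has modified ntdll in the process.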