VB远程注入卸载DLL代码

 http://community.csdn.net/Expert/topic/5219/5219055.xml?temp=.7609217

很多人说VB不能远程注入DLL,其实是错误的,VB其实也能像C++等其他语言一样轻松搞定!!不信请看下面代码!更多精彩的代码请访问我的博客。
其实网上也有类似的VB代码,但是只有注入没有卸载,而且注入通用性很差,很多会出现非法操作。我的这个代码经过充分测试,包括系统进程都可以正常注入和卸载,就连杀毒软件都能注入。(希望不要干坏事哦!!)
地址一:http://www.chenhui530.com
地址二:http://chenhui.ylmf.cn
近期将更新所有原创作品贴在我的博客上!

Option Explicit

'Win32 constants used by this module. Values are the SDK values unless noted.

'OpenProcess access rights requested by InjectDll/UnloadDll (winnt.h PROCESS_*).
Private Const PROCESS_CREATE_THREAD = &H2
Private Const PROCESS_QUERY_INFORMATION = &H400
Private Const PROCESS_VM_WRITE = &H20
Private Const PROCESS_VM_OPERATION = &H8

'VirtualAllocEx / VirtualFreeEx arguments.
Private Const MEM_COMMIT = &H1000
'NOTE(review): in VB6 the literal &H8000 is typed Integer and equals -32768;
'widened to Long for the API it becomes &HFFFF8000, not the SDK value &H8000
'(&H8000& would be the Long literal). The MEM_RELEASE frees in this module are
'therefore expected to fail with an invalid-parameter error - confirm in a
'debugger before relying on them.
Private Const MEM_RELEASE = &H8000
Private Const PAGE_READWRITE = &H4

'WaitForSingleObject timeout: wait forever (Long -1 = DWORD 0xFFFFFFFF).
Private Const INFINITE = &HFFFFFFFF

'Access-token rights (winnt.h TOKEN_*); only used when opening the own token.
Private Const STANDARD_RIGHTS_REQUIRED = &HF0000
Private Const TOKEN_ASSIGN_PRIMARY = &H1
Private Const TOKEN_DUPLICATE = (&H2)
Private Const TOKEN_IMPERSONATE = (&H4)
Private Const TOKEN_QUERY = (&H8)
Private Const TOKEN_QUERY_SOURCE = (&H10)
Private Const TOKEN_ADJUST_PRIVILEGES = (&H20)
Private Const TOKEN_ADJUST_GROUPS = (&H40)
Private Const TOKEN_ADJUST_DEFAULT = (&H80)
'Every token right combined; adjusting one privilege only needs
'TOKEN_ADJUST_PRIVILEGES (plus TOKEN_QUERY when a PreviousState is requested).
Private Const TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or TOKEN_ASSIGN_PRIMARY Or _
TOKEN_DUPLICATE Or TOKEN_IMPERSONATE Or TOKEN_QUERY Or TOKEN_QUERY_SOURCE Or _
TOKEN_ADJUST_PRIVILEGES Or TOKEN_ADJUST_GROUPS Or TOKEN_ADJUST_DEFAULT)

'LUID_AND_ATTRIBUTES.Attributes flag that switches a privilege on.
Private Const SE_PRIVILEGE_ENABLED = &H2
'Upper bound of the Privileges array in TOKEN_PRIVILEGES (see that Type).
Private Const ANYSIZE_ARRAY = 1
'Privilege name for LookupPrivilegeValue.
Private Const SE_DEBUG_NAME = "SeDebugPrivilege"

'Locally unique identifier of a privilege (two 32-bit halves of the SDK LUID).
Private Type LUID
   lowpart As Long
   highpart As Long
End Type

'One privilege entry of a token: its LUID plus state flags such as
'SE_PRIVILEGE_ENABLED.
Private Type LUID_AND_ATTRIBUTES
   pLuid As LUID
   Attributes As Long
End Type

'NewState / PreviousState structure for AdjustTokenPrivileges.
Private Type TOKEN_PRIVILEGES
   PrivilegeCount As Long
   'Upper bound ANYSIZE_ARRAY = 1 gives two entries in VB (lower bound 0 unless
   'an Option Base says otherwise), so this UDT is larger than the one-entry SDK
   'struct. Only index 0 is filled in this module and Len() of the UDT is used
   'as a buffer size, where the extra room is harmless.
   Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type

'Win32 imports. Parameters declared without ByVal are ByRef; to hand a value to
'an "As Any" or ByRef Long parameter the caller must write ByVal at the call
'site (see the ByVal 0& / ByVal pszLibFileRemote arguments in this module).
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
'Enables/disables privileges on an access token. Returns nonzero even when the
'token does not hold a requested privilege; that case only shows up as
'ERROR_NOT_ALL_ASSIGNED in Err.LastDllError.
Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPriv As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long
'Resolves a privilege name (e.g. SE_DEBUG_NAME) to its LUID on lpSystemName
'(vbNullString = local machine).
Private Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As Any, ByVal lpName As String, lpLuid As LUID) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long 'pseudo-handle of the calling process (needs no CloseHandle)
'Remote memory: allocate / release a region in another process.
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
'Opens a process handle with the given PROCESS_* rights; 0 on failure.
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
'Copies nSize bytes from lpBuffer into the target at lpBaseAddress; 0 on failure.
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
'Used together to look up an exported kernel32 function in this process.
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
'Starts a thread in another process. lpStartAddress is declared As Long ByRef,
'so callers pass it ByVal; lpThreadId is ByRef and is WRITTEN by the call, so
'a variable passed there is overwritten with the new thread's id.
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
'For a thread that has ended, lpExitCode receives the thread routine's return
'value (here: the result of the remotely executed kernel32 function).
Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Long, lpExitCode As Long) As Long

Public Function InjectDll(ByVal dwProcessId As Long, ByVal pszLibFile As String) As Boolean
   'Makes process dwProcessId load the DLL at pszLibFile: the ANSI path is copied
   'into a buffer allocated in the target and a remote thread is started at
   'kernel32!LoadLibraryA with that buffer as its argument (the classic
   'CreateRemoteThread/LoadLibrary technique; the variable names follow Richter's
   'InjectLib sample). For defenders: OpenProcess with VM_WRITE|CREATE_THREAD
   'followed by VirtualAllocEx / WriteProcessMemory / CreateRemoteThread into
   'another process is the sequence that EDR tooling and Sysmon event 8
   '(CreateRemoteThread) are built to flag.
   '
   '  dwProcessId  id of the target process
   '  pszLibFile   path of the DLL as the target should see it (converted to ANSI)
   '  Returns      see NOTE(review) above errhandle - as written the function
   '               reports False after a successful injection and True only when
   '               OpenProcess fails.
   Dim hProcess As Long, hThread As Long
   Dim pszLibFileRemote As Long, exitCode As Long

   'Any VB runtime error also lands in the cleanup section.
   On Error GoTo errhandle
   'Only the rights this routine needs (no PROCESS_VM_READ, no PROCESS_ALL_ACCESS).
   hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_CREATE_THREAD Or PROCESS_VM_OPERATION Or PROCESS_VM_WRITE, 0, dwProcessId)

   If hProcess = 0 Then GoTo errhandle

   Dim cch   As Long, cb As Long

   'Byte length of the ANSI form of the path plus its terminating NUL; this
   'matches what VB hands to the API when the String is passed ByVal below.
   cch = 1 + LenB(StrConv(pszLibFile, vbFromUnicode))
   cb = cch

   pszLibFileRemote = VirtualAllocEx(hProcess, ByVal 0&, cb, MEM_COMMIT, PAGE_READWRITE)

   If pszLibFileRemote = 0 Then GoTo errhandle

   'ByVal pszLibFile: VB converts the String to ANSI and passes a pointer to it.
   If (WriteProcessMemory(hProcess, ByVal pszLibFileRemote, ByVal pszLibFile, cb, ByVal 0&) = 0) Then GoTo errhandle

   Dim pfnThreadRtn   As Long

   'The LOCAL address of LoadLibraryA is used as the remote start address; this
   'assumes kernel32 is mapped at the same base in the target (not verified here).
   pfnThreadRtn = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA")

   If pfnThreadRtn = 0 Then GoTo errhandle

   'lpStartAddress / lpParameter are declared ByRef, hence the explicit ByVal;
   'the final 0& is the (unused) ByRef lpThreadId output.
   hThread = CreateRemoteThread(hProcess, ByVal 0&, 0&, ByVal pfnThreadRtn, ByVal pszLibFileRemote, 0, 0&)

   If (hThread = 0) Then GoTo errhandle

   'Blocks until LoadLibraryA returns in the target; with INFINITE a DllMain that
   'never returns hangs this caller as well.
   WaitForSingleObject hThread, INFINITE

   'Thread exit code = LoadLibraryA's return value (module handle, 0 on failure).
   GetExitCodeThread hThread, exitCode

   InjectDll = CBool(exitCode)

   'NOTE(review): there is no Exit Function here, so the success path falls into
   'the cleanup below with pszLibFileRemote <> 0. The first If then frees the
   'buffer, sets InjectDll = False and exits, so a successful injection is
   'reported as failure and hThread/hProcess are never closed (handle leak).
   'Conversely, when OpenProcess fails every variable is still 0, all three Ifs
   'are skipped and the function returns True. The three blocks read as if they
   'were meant to run in sequence without the Exit Function statements, with
   'the result assigned once at the end.
errhandle:

   If pszLibFileRemote <> 0 Then
       VirtualFreeEx hProcess, ByVal pszLibFileRemote, 0, MEM_RELEASE
       InjectDll = False
       Exit Function
   End If
   If hThread <> 0 Then
       CloseHandle hThread
       InjectDll = False
       Exit Function
   End If
   If hProcess <> 0 Then
       CloseHandle hProcess
       InjectDll = False
       Exit Function
   End If
   InjectDll = True
End Function
 

Public Function UnloadDll(ByVal dwProcessId As Long, ByVal pszLibFile As String) As Boolean
   'Counterpart of InjectDll: asks process dwProcessId to unload pszLibFile by
   'running GetModuleHandleA(name) and then FreeLibrary(hModule) in two remote
   'threads. The same detection note as for InjectDll applies (remote memory
   'write plus CreateRemoteThread).
   '
   '  dwProcessId  id of the target process
   '  pszLibFile   module name/path exactly as GetModuleHandleA inside the target
   '               must resolve it
   '  Returns      see NOTE(review) above errhandle - as written the function
   '               cannot return True and leaks the remote buffer and both
   '               handles.
   Dim hProcess As Long, hThread As Long
   Dim pszLibFileRemote As Long, exitCode As Long
   
   On Error GoTo errhandle
   hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_CREATE_THREAD Or PROCESS_VM_OPERATION Or PROCESS_VM_WRITE, 0, dwProcessId)
   If hProcess = 0 Then GoTo errhandle
   
   Dim cch   As Long, cb As Long
   
   'ANSI byte length of the name plus its NUL terminator.
   cch = 1 + LenB(StrConv(pszLibFile, vbFromUnicode))
   cb = cch
   
   pszLibFileRemote = VirtualAllocEx(hProcess, ByVal 0&, cb, MEM_COMMIT, PAGE_READWRITE)
  
   If pszLibFileRemote = 0 Then GoTo errhandle

   If (WriteProcessMemory(hProcess, ByVal pszLibFileRemote, ByVal pszLibFile, cb, ByVal 0&) = 0) Then GoTo errhandle
 
   Dim pfnThreadRtn   As Long
   'Step 1: resolve the module handle inside the target (local address of
   'GetModuleHandleA reused as the remote start address, as in InjectDll).
   pfnThreadRtn = GetProcAddress(GetModuleHandle("Kernel32"), "GetModuleHandleA")
   

   If pfnThreadRtn = 0 Then GoTo errhandle
   
   'NOTE(review): the last argument is lpThreadId, which is declared ByRef, so
   'CreateRemoteThread overwrites pszLibFileRemote with the new thread's id and
   'the address of the remote buffer is lost from this point on (InjectDll
   'passes 0& in this position).
   hThread = CreateRemoteThread(hProcess, ByVal 0&, 0&, ByVal pfnThreadRtn, ByVal pszLibFileRemote, 0, pszLibFileRemote)
   If (hThread = 0) Then GoTo errhandle

   WaitForSingleObject hThread, INFINITE
   'exitCode = GetModuleHandleA's return value in the target (0 if the module is
   'not loaded; not checked, so FreeLibrary below may be called with 0).
   GetExitCodeThread hThread, exitCode
   'NOTE(review): pszLibFileRemote is passed ByRef here (lpAddress As Any without
   'ByVal), i.e. the address of the local variable rather than the remote
   'address, so this call cannot free the buffer (and the variable already holds
   'a thread id). Compare the ByVal form used at errhandle.
   VirtualFreeEx hProcess, pszLibFileRemote, 0, MEM_RELEASE
   CloseHandle hThread
  
   'Step 2: FreeLibrary(hModule) in the target. The CreateRemoteThread result is
   'not checked before waiting on it, and lpThreadId again clobbers
   'pszLibFileRemote.
   pfnThreadRtn = GetProcAddress(GetModuleHandle("Kernel32"), "FreeLibrary")
   hThread = CreateRemoteThread(hProcess, ByVal 0&, 0&, ByVal pfnThreadRtn, ByVal exitCode, 0, pszLibFileRemote)
   WaitForSingleObject hThread, INFINITE
   'exitCode now holds FreeLibrary's BOOL result, which the last line of the
   'function would report if it were reached.
   GetExitCodeThread hThread, exitCode

   'NOTE(review): as in InjectDll the success path falls through into the
   'cleanup. Because pszLibFileRemote now holds a (non-zero) thread id, the first
   'If calls VirtualFreeEx on that bogus address, sets UnloadDll = False and
   'exits; CBool(exitCode) is never reached and hThread/hProcess stay open.
errhandle:
   If pszLibFileRemote <> 0 Then
       VirtualFreeEx hProcess, ByVal pszLibFileRemote, 0, MEM_RELEASE
       UnloadDll = False
       Exit Function
   End If
   If hThread <> 0 Then
       CloseHandle hThread
       UnloadDll = False
       Exit Function
   End If
   If hProcess <> 0 Then
       CloseHandle hProcess
       UnloadDll = False
       Exit Function
   End If
   UnloadDll = CBool(exitCode)
End Function

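Public Function EnablePrivilege() As Boolean
   'Switches SeDebugPrivilege on for the current process token. The privilege
   'must already be present on the token (it normally is for administrators);
   'this routine only enables it, it cannot grant it.
   '
   '  Returns  True only when AdjustTokenPrivileges succeeded AND the privilege
   '           was actually assigned; False when the token could not be opened,
   '           the privilege name could not be resolved, the call failed, or the
   '           token does not hold the privilege (ERROR_NOT_ALL_ASSIGNED).
   Const ERROR_NOT_ALL_ASSIGNED As Long = 1300&   'winerror.h: token lacks a requested privilege

   Dim hToken As Long
   Dim privLuid As LUID
   Dim tkp As TOKEN_PRIVILEGES
   Dim tkpPrevious As TOKEN_PRIVILEGES
   Dim cbPrevious As Long

   EnablePrivilege = False

   'Least privilege: adjusting needs TOKEN_ADJUST_PRIVILEGES, and TOKEN_QUERY is
   'required because a PreviousState buffer is supplied. TOKEN_ALL_ACCESS would
   'request far more than this routine uses.
   If OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken) = 0 Then Exit Function

   If LookupPrivilegeValue(vbNullString, SE_DEBUG_NAME, privLuid) <> 0 Then
      tkp.PrivilegeCount = 1
      tkp.Privileges(0).pLuid = privLuid
      tkp.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED

      If AdjustTokenPrivileges(hToken, 0, tkp, Len(tkpPrevious), tkpPrevious, cbPrevious) <> 0 Then
         'A nonzero return does not mean the privilege was enabled: when the token
         'does not hold it the call still "succeeds" and only sets the last error.
         'Read it immediately, before any other API call can overwrite it.
         EnablePrivilege = (Err.LastDllError <> ERROR_NOT_ALL_ASSIGNED)
      End If
   End If

   'The enabled state lives on the token, not on this handle, so it can be
   'released here instead of leaking for the life of the process.
   CloseHandle hToken
End Function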

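Public Function KillProcess(ByVal ProcessID As String) As Boolean 'Terminate the process with the given id
   'Terminates a process by id.
   '
   '  ProcessID  process id as a decimal string (String signature kept for
   '             existing callers); anything CLng cannot convert, including
   '             out-of-range values, yields False rather than a runtime error
   '  Returns    True when TerminateProcess succeeded; False when the id is
   '             invalid, the process could not be opened (e.g. access denied or
   '             no such process) or termination failed.
   Const PROCESS_TERMINATE As Long = &H1   'the only access right TerminateProcess requires

   Dim pid As Long
   Dim hProcess As Long

   KillProcess = False

   'Validate the id before touching any handle.
   On Error Resume Next
   pid = CLng(ProcessID)
   If Err.Number <> 0 Then
       Err.Clear
       Exit Function
   End If
   On Error GoTo 0

   'Minimum access right and a non-inheritable handle (bInheritHandle = 0):
   'nothing here starts child processes that would need it.
   hProcess = OpenProcess(PROCESS_TERMINATE, 0, pid)
   If hProcess = 0 Then Exit Function   'report the failure instead of calling TerminateProcess on a null handle

   KillProcess = (TerminateProcess(hProcess, 0&) <> 0)
   CloseHandle hProcess
End Function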

