本文主要介绍VB6在Ring3下直接调用Ring0层函数、反一切R3下API Hook的实现,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
接论坛帖子:http://topic.csdn.net/u/20120518/18/9a00ec5c-b3d1-4a1f-9bc1-ba1a47b52463.html
例子应用如下。我只是给大家提供一个方法,这个方法肯定很麻烦,有需求的人可以用。
添加Module1
' Module-level state for the user-mode syscall stub built by InitCallKernel.
'   asm_CallCode      12-byte code template (mov edx,<stub>; mov eax,<index>; call edx)
'   KiFastSystemCall  address of ntdll!KiFastSystemCall (the sysenter stub)
'   KiIntSystemCall   address of ntdll!KiIntSystemCall (the int 2Eh fallback stub)
' Issuing system calls from a buffer that is not part of ntdll is the pattern
' that call-stack and instrumentation-callback based telemetry looks for.
Private asm_CallCode() As Byte, KiFastSystemCall&, KiIntSystemCall&
' Used only as a way to transfer control into the generated code:
' CallKernelFunction passes hMem as the "window procedure" and zeros for the
' four message arguments.
Private Declare Function CallWindowProcW& Lib "user32" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long)
' Plain heap block for the generated code (flags 0 = LMEM_FIXED); whether that
' memory is executable depends on the process's DEP policy.
Private Declare Function LocalAlloc& Lib "kernel32" (ByVal f&, ByVal s&)
Private Declare Function LocalSize& Lib "kernel32" (ByVal m&)
Private Declare Function LocalFree& Lib "kernel32" (ByVal m&)
' Export lookup for the syscall stubs and for the Nt*/Zw* entry points.
Private Declare Function GetModuleHandleA& Lib "kernel32" (ByVal n$)
Private Declare Function GetProcAddress& Lib "kernel32" (ByVal m&, ByVal n$)
' IsWow64 is passed ByRef and declared As Boolean (2 bytes), but the API
' writes a 4-byte BOOL through it, so the two bytes following the caller's
' variable are overwritten. Declaring the parameter As Long avoids that.
Private Declare Function IsWow64Process& Lib "kernel32" (ByVal h&, IsWow64 As Boolean)
' Raw memory copy between two addresses (both pointers are passed ByVal).
Private Declare Sub RtlMoveMemory Lib "kernel32" (ByVal Dst&, ByVal Src&, ByVal Size&)
' Undocumented VB runtime helpers that store 1/2/4/8 bytes at an address.
Private Declare Sub PutMem1 Lib "msvbvm60" (ByVal Ptr As Long, ByVal NewVal As Byte)
Private Declare Sub PutMem2 Lib "msvbvm60" (ByVal Ptr As Long, ByVal NewVal As Integer)
Private Declare Sub PutMem4 Lib "msvbvm60" (ByVal Ptr As Long, ByVal NewVal As Long)
Private Declare Sub PutMem8 Lib "msvbvm60" (ByVal Ptr As Long, ByVal NewVal As Currency)
' Returns the 32-bit value stored one byte into the exported routine `Name`
' of `DllFile` (default ntdll.dll). The module uses it as the system-call
' number: an unmodified x86 Nt*/Zw* stub begins with B8 <imm32>
' (mov eax, imm32), the same encoding InitCallKernel writes at asm_CallCode(5).
' Nothing verifies that the first byte really is B8 - on a stub that has
' been patched (e.g. E9 jmp) the returned value is the jump displacement,
' not an index. If the export is missing, GetProcAddress returns 0 and the
' copy from address 1 raises an access violation before the caller's
' "index = 0" check in CallKernelFunction can run.
Public Function ReadKrnlFunctionIndex&(ByVal Name$, Optional ByVal DllFile$ = "ntdll.dll") '// read the kernel function index
    Dim pEntry&, dwIndex&
    pEntry = GetProcAddress(GetModuleHandleA(DllFile), Name)
    ' Copy the 4 bytes that follow the opcode byte into dwIndex.
    RtlMoveMemory VarPtr(dwIndex), pEntry + 1, 4
    ReadKrnlFunctionIndex = dwIndex
End Function
' Prepares the 12-byte template in asm_CallCode that CallKernelFunction copies
' into every generated call buffer:
'   offset 0   BA <addr>   mov edx, <syscall stub address>
'   offset 5   B8 <0>      mov eax, 0   (index patched in per call)
'   offset 10  FF D2       call edx
' Returns True on success. Returns False when the process runs under WOW64
' (the x86-only stub layout does not apply) or when ntdll does not export
' KiFastSystemCall or KiIntSystemCall (XP-era 32-bit ntdll exports both;
' newer builds may not). Nothing records a False result: if it happens after
' the ReDim the template is all zeros and CallKernelFunction would execute
' "mov edx, 0 / call edx".
Public Function InitCallKernel() As Boolean '// initialise the call template
    Dim bWow64 As Boolean
    ' -1 is the current-process pseudo-handle. bWow64 is a 2-byte Boolean but
    ' the API stores a 4-byte BOOL through the ByRef argument (see Declare).
    IsWow64Process -1, bWow64
    If bWow64 Then Exit Function '// x64 (WOW64) is not supported
    ReDim asm_CallCode(11)
    KiFastSystemCall = GetProcAddress(GetModuleHandleA("ntdll.dll"), "KiFastSystemCall")
    KiIntSystemCall = GetProcAddress(GetModuleHandleA("ntdll.dll"), "KiIntSystemCall")
    If KiFastSystemCall = 0 Then Exit Function
    If KiIntSystemCall = 0 Then Exit Function
    asm_CallCode(0) = &HBA
    ' If the first bytes of KiFastSystemCall look patched, the template calls
    ' KiIntSystemCall instead (the check inspects only those first bytes).
    RtlMoveMemory VarPtr(asm_CallCode(1)), IIf(CheckKiFastSystemCallHook, VarPtr(KiIntSystemCall), VarPtr(KiFastSystemCall)), 4 '// hook check: use KiIntSystemCall when KiFastSystemCall has been hooked or modified
    asm_CallCode(5) = &HB8
    ' Placeholder index; VarPtr(0&) is the address of a temporary holding 0.
    RtlMoveMemory VarPtr(asm_CallCode(6)), VarPtr(0&), 4
    asm_CallCode(10) = &HFF
    asm_CallCode(11) = &HD2
    InitCallKernel = True
End Function
' Reports whether the first bytes of ntdll!KiFastSystemCall differ from the
' expected prologue. Returns True when:
'   - the first byte is E9 (jmp rel32) or 68 (push imm32), or
'   - the first three bytes are not 8B D4 0F, i.e. "mov edx, esp" followed by
'     the first byte of "sysenter" (1037451 = &HFD48B, read little-endian).
' Otherwise the default False is returned. Only these three bytes are
' examined. KiFastSystemCall must already have been resolved by
' InitCallKernel; with it still 0 the read from address 0 faults.
Public Function CheckKiFastSystemCallHook() As Boolean
    Dim bChar As Byte
    RtlMoveMemory VarPtr(bChar), KiFastSystemCall, 1
    If bChar = &HE9 Then CheckKiFastSystemCallHook = True: Exit Function '// jmp hook
    If bChar = &H68 Then CheckKiFastSystemCallHook = True: Exit Function '// push hook
    Dim dw3Char&
    ' Only 3 bytes are copied; the top byte of the Long stays 0, which the
    ' constant below relies on.
    RtlMoveMemory VarPtr(dw3Char), KiFastSystemCall, 3
    If dw3Char <> 1037451 Then CheckKiFastSystemCallHook = True: Exit Function '// compare the function prologue
End Function
' Invokes the system call behind export `Name` of `DllFile` with the
' ParamArray arguments, without executing the export itself. The generated
' buffer (n = UBound(pParam)) is:
'   push <pParam(n)> ... push <pParam(0)>    5 bytes each, last argument first
'   push <VarPtr(ret)>                       5 bytes, fake return-address slot
'   <asm_CallCode with the index patched>    12 bytes
'   pop ecx  x (n+2)                         1 byte each, undo the pushes
'   retn                                     1 byte
' which is exactly the LocalAlloc size ((n+2)*5 + n + 15). `ret` is never
' read; only its address is pushed, apparently to occupy the slot where the
' real stub would have a return address above the arguments.
' Returns -1 when ReadKrnlFunctionIndex yields 0, otherwise whatever the call
' left in EAX (an NTSTATUS for Nt*/Zw*, a handle for GetDC, ...).
' Known problems:
'   - InitCallKernel must have succeeded first; otherwise asm_CallCode(6)
'     raises error 9 (unsized array) or the template calls address 0.
'   - the trailing NOP is written at hMem + LocalSize(hMem), one byte PAST
'     the end of the heap block (LocalSize is the block length) and after
'     retn, so it corrupts heap metadata and is never executed.
'   - hMem is not checked for 0; a type mismatch while PutMem4 coerces a
'     ParamArray element to Long raises after LocalAlloc and skips LocalFree.
'   - whether the heap buffer is executable depends on the DEP policy.
Public Function CallKernelFunction&(ByVal Name$, ByVal DllFile$, ParamArray pParam())
    Dim dwIndex&
    dwIndex = ReadKrnlFunctionIndex(Name, DllFile)
    If dwIndex = 0 Then CallKernelFunction = -1: Exit Function
    Dim ret&, i%, offset&
    Dim hMem&
    hMem = LocalAlloc(0, ((UBound(pParam) + 2) * 5) + UBound(pParam) + 1 + 1 + 12 + 1) '// allocate the code buffer
    offset = hMem
    For i = UBound(pParam) To 0 Step -1 '// push the arguments, last one first
        PutMem1 offset, &H68 'push Param
        offset = offset + 1
        PutMem4 offset, pParam(i)
        offset = offset + 4
    Next
    PutMem1 offset, &H68 'push Return Address
    PutMem4 offset + 1, VarPtr(ret)
    offset = offset + 5
    RtlMoveMemory VarPtr(asm_CallCode(6)), VarPtr(dwIndex), 4 '// patch the syscall index into the template
    RtlMoveMemory offset, VarPtr(asm_CallCode(0)), 12 '// copy the whole initialised template rather than rebuilding it
    offset = offset + 12
    For i = 0 To UBound(pParam) + 1 '// pop the arguments and the fake return slot
        PutMem1 offset, &H59 'pop
        offset = offset + 1
    Next
    PutMem1 offset, &HC3 'retn
    PutMem1 hMem + LocalSize(hMem), &H90 '// nop - lands one byte beyond the block, see header comment
    CallKernelFunction = CallWindowProcW(hMem, 0, 0, 0, 0) 'call
    LocalFree hMem '// free the buffer
End Function
' Draws a string on a DC; Size is the byte length of Text (ANSI, Alias TextOutA).
Private Declare Function TextOut& Lib "gdi32" Alias "TextOutA" (ByVal DC As Long, ByVal X As Long, ByVal Y As Long, ByVal Text As String, ByVal Size As Long)
' Every parameter is Optional so the call site can pass zeros. Parameter and
' TIDs are ByRef Longs (lpParameter, lpThreadId): passing the literal 0 gives
' the API a pointer to a temporary holding 0, not a NULL pointer.
Private Declare Function CreateThread& Lib "kernel32" (Optional ByVal Attributes As Long, Optional ByVal StackSize As Long, Optional ByVal Address As Long, Optional Parameter As Long, Optional ByVal CreationFlags As Long, Optional TIDs As Long)
' x86 CONTEXT record in winnt.h order, up to SegSs. The trailing 512-byte
' ExtendedRegisters area is omitted; the CONTEXT_FULL (&H10007) requests made
' in Command1_Click do not touch it.
Private Type CONTEXT
    ContextFlags As Long
    Dr(5) As Long           ' Dr0-Dr3, Dr6, Dr7 (6 Longs, 24 bytes)
    FloatSave(111) As Byte  ' 112-byte FLOATING_SAVE_AREA
    SegGs As Long
    SegFs As Long
    SegEs As Long
    SegDs As Long
    Edi As Long
    Esi As Long
    Ebx As Long
    Edx As Long
    Ecx As Long
    Eax As Long
    Ebp As Long
    Eip As Long             ' overwritten by Command1_Click to redirect the thread
    SegCs As Long
    EFlags As Long
    Esp As Long
    SegSs As Long
End Type
' Identity function. AddressOf may only appear as a procedure argument, so
' routing "AddressOf aaa" through this Long parameter is how the caller gets
' the procedure's address back as an ordinary Long value.
Private Function GetAddr(ByVal aaa As Long) As Long
    Let GetAddr = aaa
End Function
' Demo: creates a suspended thread whose start address is 0, then uses the
' direct-syscall wrapper to read its context, point Eip at aaa and resume it.
' This is thread-context hijacking - the same Zw*ContextThread sequence that
' injection tooling uses and that endpoint detection products alert on.
' 65543 = &H10007 = CONTEXT_FULL. The NTSTATUS results are only displayed in
' the caption, never checked, and hThread is never closed.
' `aaa` must live in a standard (.bas) module for AddressOf to compile.
Private Sub Command1_Click()
    Dim hThread&
    hThread = CreateThread(0, 0, 0, 0, 4, 0) 'flags 4 = CREATE_SUSPENDED (start address is 0; running it directly would crash)
    MsgBox hThread
    Dim i As CONTEXT
    i.ContextFlags = 65543 'CONTEXT_FULL
    Me.Caption = CallKernelFunction("ZwGetContextThread", "ntdll.dll", hThread, VarPtr(i))
    i.Eip = GetAddr(AddressOf aaa) 'redirect execution to aaa
    Me.Caption = CallKernelFunction("ZwSetContextThread", "ntdll.dll", hThread, VarPtr(i))
    CallKernelFunction "ZwResumeThread", "ntdll.dll", hThread, 0 'let the thread run
End Sub
' Builds the syscall template when the form loads. The Boolean result of
' InitCallKernel is discarded, so a failed initialisation goes unreported and
' the first CallKernelFunction in Form_Paint fails instead.
Private Sub Form_Load()
    Call InitCallKernel
End Sub
' Demo of repeated calls: obtains a DC through the direct-syscall wrapper
' (user32!GetDC), draws "123", then opens a process by PID via ZwOpenProcess.
' Two leaks occur on every paint: hDC is never passed to ReleaseDC and
' hProcess is never closed. 2035711 = &H1F0FFF (PROCESS_ALL_ACCESS on
' XP/2003). objAttr is six zeroed Longs used as an OBJECT_ATTRIBUTES with
' Length 0; cid(0)/cid(1) form a CLIENT_ID (process id, thread id 0). The
' NTSTATUS results are ignored.
Private Sub Form_Paint()
    Dim hDC&
    hDC = CallKernelFunction("GetDC", "user32.dll", Me.hWnd) '// runs on every paint - a quick stability test
    TextOut hDC, 5, 5, "123", 3
    Dim hProcess&
    Dim objAttr&(5), cid&(1)
    cid(0) = 1192 '// replace with the PID you want to open
    CallKernelFunction "ZwOpenProcess", "ntdll.dll", VarPtr(hProcess), 2035711, VarPtr(objAttr(0)), VarPtr(cid(0))
    Me.Caption = hProcess
End Sub
' A Public Declare is not permitted in a form module, so this line - and aaa
' below, which AddressOf requires to be in a standard module - belong in a
' .bas module (e.g. Module1), not in Form1.
Public Declare Function ExitThread& Lib "kernel32" (ByVal ExitStatus&)
' Body of the hijacked thread from Command1_Click: counts to 10000 while
' writing the count into Form1's caption, then terminates the thread with
' ExitThread so the procedure never returns normally. The VB6 runtime is
' single-threaded; touching a form from a raw Win32 thread is unsupported
' and may crash or deadlock. Param is unused.
Public Sub aaa(ByVal Param&)
    Dim i&
    For i = 0 To 10000
        Form1.Caption = i
    Next
    ExitThread 0
End Sub
编译运行可测试效果
*******************************
下面这个可替换Module1,调用InitCallKernel时传入True即可。
' Module-level state for the user-mode syscall stub built by InitCallKernel.
'   asm_CallCode        12-byte code template (mov edx,<stub>; mov eax,<index>; call edx)
'   asm_MyCallCode      declared but not referenced anywhere in this listing
'   KiFastSystemCall    address of ntdll!KiFastSystemCall (the sysenter stub)
'   KiIntSystemCall     address of ntdll!KiIntSystemCall (the int 2Eh fallback stub)
'   MyKiFastSystemCall  a Double used only as 8 bytes of writable storage for
'                       the private stub bytes that InitMyCallKernel writes
' Issuing system calls from memory that is not part of ntdll is the pattern
' that call-stack and instrumentation-callback based telemetry looks for.
Private asm_CallCode() As Byte, asm_MyCallCode() As Byte, KiFastSystemCall&, KiIntSystemCall&, MyKiFastSystemCall#
' Used only as a way to transfer control into the generated code:
' CallKernelFunction passes hMem as the "window procedure" and zeros for the
' four message arguments.
Private Declare Function CallWindowProcW& Lib "user32" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long)
' Plain heap block for the generated code (flags 0 = LMEM_FIXED); whether that
' memory is executable depends on the process's DEP policy.
Private Declare Function LocalAlloc& Lib "kernel32" (ByVal f&, ByVal s&)
Private Declare Function LocalSize& Lib "kernel32" (ByVal m&)
Private Declare Function LocalFree& Lib "kernel32" (ByVal m&)
' Export lookup for the syscall stubs and for the Nt*/Zw* entry points.
Private Declare Function GetModuleHandleA& Lib "kernel32" (ByVal n$)
Private Declare Function GetProcAddress& Lib "kernel32" (ByVal m&, ByVal n$)
' IsWow64 is passed ByRef and declared As Boolean (2 bytes), but the API
' writes a 4-byte BOOL through it, so the two bytes following the caller's
' variable are overwritten. Declaring the parameter As Long avoids that.
Private Declare Function IsWow64Process& Lib "kernel32" (ByVal h&, IsWow64 As Boolean)
' Raw memory copy between two addresses (both pointers are passed ByVal).
Private Declare Sub RtlMoveMemory Lib "kernel32" (ByVal Dst&, ByVal Src&, ByVal Size&)
' Undocumented VB runtime helpers that store 1/2/4/8 bytes at an address.
Private Declare Sub PutMem1 Lib "msvbvm60" (ByVal Ptr As Long, ByVal NewVal As Byte)
Private Declare Sub PutMem2 Lib "msvbvm60" (ByVal Ptr As Long, ByVal NewVal As Integer)
Private Declare Sub PutMem4 Lib "msvbvm60" (ByVal Ptr As Long, ByVal NewVal As Long)
Private Declare Sub PutMem8 Lib "msvbvm60" (ByVal Ptr As Long, ByVal NewVal As Currency)
' Returns the 32-bit value stored one byte into the exported routine `Name`
' of `DllFile` (default ntdll.dll). The module uses it as the system-call
' number: an unmodified x86 Nt*/Zw* stub begins with B8 <imm32>
' (mov eax, imm32), the same encoding InitCallKernel writes at asm_CallCode(5).
' Nothing verifies that the first byte really is B8 - on a stub that has
' been patched (e.g. E9 jmp) the returned value is the jump displacement,
' not an index. If the export is missing, GetProcAddress returns 0 and the
' copy from address 1 raises an access violation before the caller's
' "index = 0" check in CallKernelFunction can run.
Public Function ReadKrnlFunctionIndex&(ByVal Name$, Optional ByVal DllFile$ = "ntdll.dll") '// read the kernel function index
    Dim pEntry&, dwIndex&
    pEntry = GetProcAddress(GetModuleHandleA(DllFile), Name)
    ' Copy the 4 bytes that follow the opcode byte into dwIndex.
    RtlMoveMemory VarPtr(dwIndex), pEntry + 1, 4
    ReadKrnlFunctionIndex = dwIndex
End Function
' Prepares the 12-byte template in asm_CallCode that CallKernelFunction copies
' into every generated call buffer:
'   offset 0   BA <addr>   mov edx, <syscall stub address>
'   offset 5   B8 <0>      mov eax, 0   (index patched in per call)
'   offset 10  FF D2       call edx
' With IsMySysenter = True the stub address is replaced by the one returned
' from InitMyCallKernel - a privately stored copy of the sysenter sequence -
' so neither ntdll export is executed at all. That is the classic "direct
' syscall" pattern: the syscall instruction runs from a non-ntdll address,
' which is exactly what stack-walk and instrumentation-callback based
' detections key on.
' Returns True on success. Returns False when the process runs under WOW64
' or when ntdll does not export KiFastSystemCall or KiIntSystemCall (XP-era
' 32-bit ntdll exports both; newer builds may not). Nothing records a False
' result: if it happens after the ReDim the template is all zeros and
' CallKernelFunction would execute "mov edx, 0 / call edx".
Public Function InitCallKernel(Optional ByVal IsMySysenter As Boolean) As Boolean '// initialise the call template
    Dim bWow64 As Boolean
    ' -1 is the current-process pseudo-handle. bWow64 is a 2-byte Boolean but
    ' the API stores a 4-byte BOOL through the ByRef argument (see Declare).
    IsWow64Process -1, bWow64
    If bWow64 Then Exit Function '// x64 (WOW64) is not supported
    ReDim asm_CallCode(11)
    KiFastSystemCall = GetProcAddress(GetModuleHandleA("ntdll.dll"), "KiFastSystemCall")
    KiIntSystemCall = GetProcAddress(GetModuleHandleA("ntdll.dll"), "KiIntSystemCall")
    If KiFastSystemCall = 0 Then Exit Function
    If KiIntSystemCall = 0 Then Exit Function
    asm_CallCode(0) = &HBA
    ' If the first bytes of KiFastSystemCall look patched, the template calls
    ' KiIntSystemCall instead (the check inspects only those first bytes).
    RtlMoveMemory VarPtr(asm_CallCode(1)), IIf(CheckKiFastSystemCallHook, VarPtr(KiIntSystemCall), VarPtr(KiFastSystemCall)), 4 '// hook check: use KiIntSystemCall when KiFastSystemCall has been hooked or modified
    ' VarPtr(InitMyCallKernel) evaluates the function and takes the address of
    ' the temporary holding its Long result, so the 4 bytes copied are the
    ' address of MyKiFastSystemCall.
    If IsMySysenter Then RtlMoveMemory VarPtr(asm_CallCode(1)), VarPtr(InitMyCallKernel), 4 '// hand-rolled sysenter, so ring-3 hooks on the ntdll stubs are never reached
    asm_CallCode(5) = &HB8
    ' Placeholder index; VarPtr(0&) is the address of a temporary holding 0.
    RtlMoveMemory VarPtr(asm_CallCode(6)), VarPtr(0&), 4
    asm_CallCode(10) = &HFF
    asm_CallCode(11) = &HD2
    InitCallKernel = True
End Function
' Writes a 6-byte private copy of the fast system-call sequence into the
' Double MyKiFastSystemCall and returns its address:
'   873452683 = &H340FD48B  -> bytes 8B D4 0F 34   mov edx, esp / sysenter
'   -13117 as a 16-bit Integer = &HCCC3 -> C3 CC  ret / int 3
' The low three bytes are the same 8B D4 0F pattern that
' CheckKiFastSystemCallHook expects at the start of the real export.
' The bytes sit in a data variable, so executing them is subject to the
' process's DEP policy and to any monitoring of execution from writable data.
Public Function InitMyCallKernel&() '// Did not really want to write this one, but since they keep going on about all those hooks... (<ゝω·)☆
    PutMem4 VarPtr(MyKiFastSystemCall), 873452683
    PutMem2 VarPtr(MyKiFastSystemCall) + 4, -13117
    InitMyCallKernel = VarPtr(MyKiFastSystemCall)
End Function
' Reports whether the first bytes of ntdll!KiFastSystemCall differ from the
' expected prologue. Returns True when:
'   - the first byte is E9 (jmp rel32) or 68 (push imm32), or
'   - the first three bytes are not 8B D4 0F, i.e. "mov edx, esp" followed by
'     the first byte of "sysenter" (1037451 = &HFD48B, read little-endian).
' Otherwise the default False is returned. Only these three bytes are
' examined. KiFastSystemCall must already have been resolved by
' InitCallKernel; with it still 0 the read from address 0 faults.
Public Function CheckKiFastSystemCallHook() As Boolean
    Dim bChar As Byte
    RtlMoveMemory VarPtr(bChar), KiFastSystemCall, 1
    If bChar = &HE9 Then CheckKiFastSystemCallHook = True: Exit Function '// jmp hook
    If bChar = &H68 Then CheckKiFastSystemCallHook = True: Exit Function '// push hook
    Dim dw3Char&
    ' Only 3 bytes are copied; the top byte of the Long stays 0, which the
    ' constant below relies on.
    RtlMoveMemory VarPtr(dw3Char), KiFastSystemCall, 3
    If dw3Char <> 1037451 Then CheckKiFastSystemCallHook = True: Exit Function '// compare the function prologue
End Function
' Invokes the system call behind export `Name` of `DllFile` with the
' ParamArray arguments, without executing the export itself. The generated
' buffer (n = UBound(pParam)) is:
'   push <pParam(n)> ... push <pParam(0)>    5 bytes each, last argument first
'   push <VarPtr(ret)>                       5 bytes, fake return-address slot
'   <asm_CallCode with the index patched>    12 bytes
'   pop ecx  x (n+2)                         1 byte each, undo the pushes
'   retn                                     1 byte
' which is exactly the LocalAlloc size ((n+2)*5 + n + 15). `ret` is never
' read; only its address is pushed, apparently to occupy the slot where the
' real stub would have a return address above the arguments.
' Returns -1 when ReadKrnlFunctionIndex yields 0, otherwise whatever the call
' left in EAX (an NTSTATUS for Nt*/Zw*, a handle for GetDC, ...).
' Known problems:
'   - InitCallKernel must have succeeded first; otherwise asm_CallCode(6)
'     raises error 9 (unsized array) or the template calls address 0.
'   - the trailing NOP is written at hMem + LocalSize(hMem), one byte PAST
'     the end of the heap block (LocalSize is the block length) and after
'     retn, so it corrupts heap metadata and is never executed.
'   - hMem is not checked for 0; a type mismatch while PutMem4 coerces a
'     ParamArray element to Long raises after LocalAlloc and skips LocalFree.
'   - whether the heap buffer is executable depends on the DEP policy.
Public Function CallKernelFunction&(ByVal Name$, ByVal DllFile$, ParamArray pParam())
    Dim dwIndex&
    dwIndex = ReadKrnlFunctionIndex(Name, DllFile)
    If dwIndex = 0 Then CallKernelFunction = -1: Exit Function
    Dim ret&, i%, offset&
    Dim hMem&
    hMem = LocalAlloc(0, ((UBound(pParam) + 2) * 5) + UBound(pParam) + 1 + 1 + 12 + 1) '// allocate the code buffer
    offset = hMem
    For i = UBound(pParam) To 0 Step -1 '// push the arguments, last one first
        PutMem1 offset, &H68 'push Param
        offset = offset + 1
        PutMem4 offset, pParam(i)
        offset = offset + 4
    Next
    PutMem1 offset, &H68 'push Return Address
    PutMem4 offset + 1, VarPtr(ret)
    offset = offset + 5
    RtlMoveMemory VarPtr(asm_CallCode(6)), VarPtr(dwIndex), 4 '// patch the syscall index into the template
    RtlMoveMemory offset, VarPtr(asm_CallCode(0)), 12 '// copy the whole initialised template rather than rebuilding it
    offset = offset + 12
    For i = 0 To UBound(pParam) + 1 '// pop the arguments and the fake return slot
        PutMem1 offset, &H59 'pop
        offset = offset + 1
    Next
    PutMem1 offset, &HC3 'retn
    PutMem1 hMem + LocalSize(hMem), &H90 '// nop - lands one byte beyond the block, see header comment
    CallKernelFunction = CallWindowProcW(hMem, 0, 0, 0, 0) 'call
    LocalFree hMem '// free the buffer
End Function
这篇关于VB6实现Ring3下直接调用Ring0层函数、反一切R3下API Hook的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!