代码太长了,分成两段
'============================================
' 远程线程插入函数
' 功能:向 Winlogon 进程插入远程线程代码,并执行
' 返回:.T. 成功
'============================================
Public Function SendSysKey() As Boolean
' Purpose: find the process named WINLOGON, enable SE_DEBUG_NAME on this
' process's token, copy the module-level mlShellCode array into the target,
' run it on a remote thread and report what the thread writes back.
' Returns: True only when the first two Longs of the remote buffer read back
' as 0 and 0; False on any earlier failure path.
' NOTE(review): every failure check in this function is a Debug.Assert, which
' VB6 strips from a compiled build - only the explicit If tests guard anything.
' Detection note: the OpenProcess / VirtualAllocEx(PAGE_EXECUTE_READWRITE) /
' WriteProcessMemory / CreateRemoteThread sequence below is the classic
' remote-thread injection pattern; Sysmon reports it as Event ID 10
' (ProcessAccess) and Event ID 8 (CreateRemoteThread), and most EDR products
' alert on it when the target is winlogon.
Const WINLOGON As String = "Winlogon.exe"
Const SHELL_CODE_LENGTH = CODELONG_LEN * 4 ' byte size of mlShellCode: CODELONG_LEN Longs of 4 bytes
Const SHELL_FUNCOFFSET = 2 * 4 ' thread entry skips the two leading Longs filled by InitShellCode
Dim hProcess As Long 'handle to the target process
Dim hPId As Long 'process ID of the target
Dim lResult As Long 'general-purpose API return value
Dim pToken As TOKEN_PRIVILEGES
Dim hToken As Long 'this process's access token; NOTE(review): never passed to CloseHandle
Dim hRemoteThread As Long
Dim hRemoteThreadID As Long
Dim lDbResult(1) As Long 'two Longs read back from the start of the remote buffer
Dim lRemoteAddr As Long 'base address of the buffer allocated in the target
'------------------------------------
' Look up the target process ID by executable name
'------------------------------------
hPId = GetProcessIdFromName(WINLOGON)
If hPId = 0 Then
Debug.Assert False
Exit Function
End If
'------------------------------------
' Enable SE_DEBUG_NAME on this process's token so the target can be opened
' NOTE(review): a non-zero AdjustTokenPrivileges return does not mean the
' privilege was granted - when the caller does not hold it the call still
' succeeds and GetLastError reports ERROR_NOT_ALL_ASSIGNED, which is never
' checked here.
'------------------------------------
lResult = OpenProcessToken(GetCurrentProcess(), _
TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, _
hToken)
Debug.Assert lResult
lResult = LookupPrivilegeValue(0, StrPtr(SE_DEBUG_NAME), pToken.Privileges.pLuid)
Debug.Assert lResult
pToken.PrivilegeCount = 1
pToken.Privileges.Attributes = SE_PRIVILEGE_ENABLED
lResult = AdjustTokenPrivileges(hToken, False, pToken, Len(pToken), 0, 0)
Debug.Assert lResult
'------------------------------------
' Open the target process
' NOTE(review): hProcess is never closed on any path below.
'------------------------------------
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, hPId)
Debug.Assert hProcess
If hProcess Then
'------------------------------------
' Fill the module-level mlShellCode array with the code to run remotely
'------------------------------------
Call InitShellCode
'------------------------------------
' Allocate an executable, writable buffer in the target
'------------------------------------
lRemoteAddr = VirtualAllocEx(hProcess, 0, SHELL_CODE_LENGTH, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
Debug.Assert lRemoteAddr
'------------------------------------
' Copy the code into that buffer
' NOTE(review): the WriteProcessMemory return value is discarded, so a
' failed or partial write is not detected before the thread is started.
'------------------------------------
If lRemoteAddr Then
Call WriteProcessMemory(hProcess, lRemoteAddr, mlShellCode(0), SHELL_CODE_LENGTH, 0)
Else
Exit Function
End If
'------------------------------------
' Start a thread in the target at buffer base + SHELL_FUNCOFFSET.
' The thread handle is closed at once; the thread itself keeps running.
'------------------------------------
hRemoteThread = CreateRemoteThread(hProcess, 0, 0, lRemoteAddr + SHELL_FUNCOFFSET, 0, 0, hRemoteThreadID)
Debug.Assert hRemoteThread
If hRemoteThread Then Call CloseHandle(hRemoteThread)
'------------------------------------
' Poll the first two Longs of the buffer until the first reads 0, then
' report success when the second is also 0 (presumably the injected code
' clears slot 0 on completion and leaves its status in slot 1 - confirm
' against the MASM32 source).
' NOTE(review): this is an unbounded busy loop with no Sleep and no timeout;
' a CreateRemoteThread failure is only asserted above, so in that case slot 0
' is never cleared and the function never returns.
'------------------------------------
Do
If ReadProcessMemory(hProcess, lRemoteAddr, lDbResult(0), 8, lResult) = 1 Then
If lDbResult(0) = 0 Then
SendSysKey = lDbResult(1) = 0
Exit Do
End If
Else
Debug.Assert False
End If
Loop
'------------------------------------
' Give the remote buffer back
' NOTE(review): MEM_DECOMMIT only decommits the pages; the address range
' stays reserved in the target until it is freed with MEM_RELEASE.
'------------------------------------
Call VirtualFreeEx(hProcess, lRemoteAddr, SHELL_CODE_LENGTH, MEM_DECOMMIT)
End If
End Function
'============================================
' 根据可执行文件的名称取回进程ID
' 参数:可执行文件名(含扩展名)
' 返回:进程ID。0表示无
'============================================
Private Function GetProcessIdFromName(ByVal sName As String) As Long
    ' Walk a Toolhelp process snapshot and return the PID of the first entry
    ' whose executable name equals sName (case-insensitive, via lstrcmpi).
    ' Returns 0 when nothing matches or the snapshot cannot be walked.
    ' NOTE(review): CreateToolhelp32Snapshot signals failure with
    ' INVALID_HANDLE_VALUE (-1), which the non-zero assert below does not
    ' catch; Process32First then fails and 0 is returned.
    Dim hSnap As Long
    Dim entry As PROCESSENTRY32W
    Dim pTarget As Long
    Dim bMore As Boolean

    GetProcessIdFromName = 0
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    Debug.Assert hSnap
    ' dwSize must be set before the first Process32* call
    entry.dwSize = Len(entry)
    pTarget = StrPtr(sName)
    bMore = (Process32First(hSnap, entry) <> 0)
    Do While bMore
        If lstrcmpi(entry.szExeFile(1), pTarget) = 0 Then
            GetProcessIdFromName = entry.h32ProcessID
            Exit Do
        End If
        ' advance; Process32Next returns 0 once the snapshot is exhausted
        bMore = (Process32Next(hSnap, entry) <> 0)
    Loop
    Call CloseHandle(hSnap)
End Function
'============================================
' 初始线程代码
'============================================
Private Function InitShellCode() As Long
' Purpose: populate the module-level mlShellCode array that SendSysKey copies
' into the target process. Slots 0 and 1 receive the addresses of two user32
' exports resolved in THIS process; slots 2 onward hold machine code emitted
' by MASM32 (see the author's note below).
' Returns: the Long result is never assigned, so the function always returns
' 0 and the caller cannot tell whether the lookups below succeeded.
' NOTE(review): copying local addresses into the buffer presumably relies on
' user32.dll being mapped at the same base in the target - confirm against
' the MASM32 source before changing either slot.
Const kernel32 As String = "kernel32.dll" 'declared but unused in the function as shown
Const user32 As String = "user32.dll"
Dim hDll As Long
'------------------------------------
' Resolve the API entry points the injected code needs
' NOTE(review): neither GetProcAddress result is checked; a 0 is stored as-is.
'------------------------------------
hDll = LoadLibrary(StrPtr(user32))
Debug.Assert hDll
mlShellCode(0) = GetProcAddress(hDll, "FindWindowW")
mlShellCode(1) = GetProcAddress(hDll, "SendMessageW")
Call FreeLibrary(hDll)
'---------------------------
' The values below were produced by MASM32; per the original author they
' locate a specified window and send it a hotkey message. They are opaque
' machine code reproduced verbatim - do not edit by hand.
mlShellCode(2) = &H83EC8B55
mlShellCode(3) = &HE860F8C4
mlShellCode(4) = &H0&
mlShellCode(5) = &H14EB815B
mlShellCode(6) = &H8D004010
mlShellCode(7) = &H40105283
mlShellCode(8) = &H6A5000
mlShellCode(9) = &H100093FF
mlShellCode(10) = &HC00B0040
mlShellCode(11) = &H11681974
mlShellCode(12) = &H6A002E00
mlShellCode(13) = &H3126800
mlShellCode(14) = &HFF500000
mlShellCode(15) = &H40100493
mlShellCode(16) = &H4838900
mlShellCode(17) = &H33004010
mlShellCode(18) = &H8389C0
mlShellCode(19) = &H61004010
mlShellCode(20) = &H53C3C9
mlShellCode(21) = &H530041
mlShellCode(22) = &H770020
mlShellCode(23) = &H6E0069
mlShellCode(24) = &H6F0064
mlShellCode(25) = &H77&
mlShellCode(26) = &H81EC8B55
mlShellCode(27) = &HFFFDD8C4
mlShellCode(28) = &H1EEE8FF
mlShellCode(29) = &H45890000
mlShellCode(30) = &HEC458DE8
mlShellCode(31) = &HFF286A50
mlShellCode(32) = &H13E8E875
End Function