vb中如何将DLL文件注入进程,又如何将其取消

发布网友发布时间：2022-04-24 02:08

共5个回答

热心网友时间：2023-10-21 00:04

不明白你说的用input output 什么意思这个跟dll注入也不沾边啊
dll注入是要用win32API的

========================================
VB只能做ActiveX DLL 不能做标准的DLL 而且要注入目标进程也应该是使用MSVBVM60.dll 的程序
我曾经试过用VB做进程注入
而且曾在国外各论坛找答案
一个MVP告诉我VB做不了
由于VB不能做用来注入的DLL 所以我放弃了
呵呵你还是不要弄这个了比较困难

这个是我以前找的要注的dll最好是拿c++写的 VB 做的“标准”DLL
(带入口的) 只能显示挂载到进程下但不能执行
Attribute VB_Name = "Mole1"
Public Const PROCESS_VM_READ = &H10
Public Const TH32CS_SNAPPROCESS = &H2
Public Const MEM_COMMIT = 4096
Public Const PAGE_READWRITE = 4
Public Const PROCESS_CREATE_THREAD = (&H2)
Public Const PROCESS_VM_OPERATION = (&H8)
Public Const PROCESS_VM_WRITE = (&H20)

Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As String, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function GetLastError Lib "kernel32" () As Long
Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As String, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function GetProcAddress Lib "kernel32" (ByVal hMole As Long, ByVal lpProcName As String) As Long
Public Declare Function GetMoleHandle Lib "kernel32" Alias "GetMoleHandleA" (ByVal lpMoleName As String) As Long
Public Declare Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Long
Public Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Public Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function Process32Next Lib "kernel32" (ByVal hSapshot As Long, lppe As PROCESSENTRY32) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Public Type PROCESSENTRY32
dwSize As Long
cntUseage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32MoleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
swFlags As Long
szExeFile As String * 1024
End Type

Public Sub EnumAndInject()

Dim MySnapHandle As Long
Dim ProcessInfo As PROCESSENTRY32
Dim MyRemoteProcessId As Long
Dim MyDllFileLength As Long
Dim MyDllFileBuffer As Long
Dim MyReturn As Long
Dim MyStartAddr As Long
Dim MyResult As Long
Dim temp As Long
Dim DllFileName As String

MySnapHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
ProcessInfo.dwSize = Len(ProcessInfo)

If Process32First(MySnapHandle, ProcessInfo) <> 0 Then
Do
Debug.Print ProcessInfo.szExeFile
If InStr(LCase(ProcessInfo.szExeFile), "notepad.exe") > 0 Then

'遍历进程,查找notepad.exe
MyRemoteProcessId = OpenProcess(PROCESS_CREATE_THREAD + PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_VM_READ, False, ProcessInfo.th32ProcessID)
'打开进程获得notepad的句柄供后面的操作使用
'DllFileName = "C:\Program Files\Microsoft Visual Studio\VB98\DATAVIEW.DLL"
MyDllFileLength = Len(DllFileName) + 1
'学过C语言的朋友应该知道字符串最后要一个ASCII 0标志结尾，所以要加1

MyDllFileBuffer = VirtualAllocEx(MyRemoteProcessId, 0, MyDllFileLength, MEM_COMMIT, PAGE_READWRITE)
'在指定进程里申请一块内存区域出来供我们存放字符串“c：\test.dll“
'传string给api时，byval byref有区别，应该使用byval，这样会传给api一个标准的C字符指针，不能byref，否则函数调用没问题
'但是起不到预期效果,VirtualAllocEx返回的是申请到的内存地址值.

MyReturn = WriteProcessMemory(MyRemoteProcessId, MyDllFileBuffer, DllFileName, MyDllFileLength, temp)
'向刚才申请的内存中写入dll文件路径字符串
'顺便说一下，很多api浏览器上的api声明都是错的，包括VB6自带的也不例外，writeprocessmemory第二个参数要的是
'lpBaseAddress 但是这个值不能传址得到,如果你按byref传址,实际上传的是MyDllFileBuffer变量的地址,而不是它里面存放的那个数字
'上面说了MyDllFileBuffer的数值才是WriteProcessMemory要的地址,所以声明API的时候一定要byval,大家知道空着不写就是默认byref
'下面还有几处不该传址的参数,只要搞清楚API函数要的到底是什么值才可以确定到底传值还是传址,API浏览器仅能供参考,还是要仔细阅读MSDN
MyStartAddr = GetProcAddress(GetMoleHandle("Kernel32"), "LoadLibraryA")
'获取loadlibrary函数的地址,这个函数可以载入指定的dll文件,那他的参数呢?就是我们刚才在notepad.exe进程里写入的“c：\test.dll“
'不过还得让CreateRemoteThread告诉他.另外简单的说一下windows下应用程序的内存管理,我也不很懂,呵呵,win32下的应用程序
'的内存区域是隔开的,每个程序有自己的一块内存不能直接访问别的程序的内存区,当然,这里调用的几个系统函数有访问别的程序内存区域的特权
'而且每个应用程序的内存区域都映射到系统内存区域里,也就是说在这里GetProcAddress得到的VB程序里LoadLibraryA函数的入口地址和
'notepad程序里的LoadLibraryA函数地址是一致的(映射的作用),所以不必担心.另外在VB写的程序里
'要使用LoadLibraryA,notepad不是用vc写的吗?要注意根notepad没关系,我们现在是在自己的VB程序里面找LoadLibraryA函数的入口.
'还有要注意函数大小写，api函数和vb不一样的。
MyResult = CreateRemoteThread(MyRemoteProcessId, 0, 0, MyStartAddr, MyDllFileBuffer, 0, temp)
'好了,现在该让LoadLibrary载入“c：\test.dll“吧，现在CreateRemoteThread做的就是在notepad进程中把控制权转到LoadLibraryA的入口
'然后把notepad内存区域中的“c：\test.dll“字符串当作参数传给LoadLibraryA。现在我们的dll文件就在notepad程序中运行了
'dll被注入notepad.exe以后会主动弹出对话框显示出notepad.exe的进程ID,表明注入成功.
End If

Loop While Process32Next(MySnapHandle, ProcessInfo) <> 0
End If

CloseHandle MySnapHandle

End Sub

Private Sub Form_Load()
EnumAndInject
End Sub

Attribute VB_Name = "Mole1"
Public Const PROCESS_VM_READ = &H10
Public Const TH32CS_SNAPPROCESS = &H2
Public Const MEM_COMMIT = 4096
Public Const PAGE_READWRITE = 4
Public Const PROCESS_CREATE_THREAD = (&H2)
Public Const PROCESS_VM_OPERATION = (&H8)
Public Const PROCESS_VM_WRITE = (&H20)

Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As String, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function GetLastError Lib "kernel32" () As Long
Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As String, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function GetProcAddress Lib "kernel32" (ByVal hMole As Long, ByVal lpProcName As String) As Long
Public Declare Function GetMoleHandle Lib "kernel32" Alias "GetMoleHandleA" (ByVal lpMoleName As String) As Long
Public Declare Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, lppe As PROCESSENTRY32) As Long
Public Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Public Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function Process32Next Lib "kernel32" (ByVal hSapshot As Long, lppe As PROCESSENTRY32) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Public Type PROCESSENTRY32
dwSize As Long
cntUseage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32MoleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
swFlags As Long
szExeFile As String * 1024
End Type

热心网友时间：2023-10-21 00:05

yoya0303那个不错
我有个更简一些的

text1为程序的PID（如果要通过程序名获取请用CreateToolhelp32Snapshot,Process32First,Process32Next）

text2为DLL名（VB写的好像不能改DLLMain所以不行）

Dim pidTAR&

pidTAR = Val(Text1.Text)
'一开始调高点优先级..要不注不进系统进程
Dim hToken&, hmProc&, mpid&, r&, lLuid As LUID, tkp As TOKEN_PRIVILEGES
'
r = OpenProcessToken(GetCurrentProcess, TOKEN_QUERY Or TOKEN_ADJUST_PRIVILEGES, hToken) '打开进程..
r = LookupPrivilegeValue(vbNullString, SE_DEBUG_NAME, lLuid) '获取现在的优先级..
tkp.PrivilegeCount = 1 '改改改
tkp.Privileges.pLuid = lLuid
tkp.Privileges.Attributes = SE_PRIVILEGE_ENABLED
r = AdjustTokenPrivileges(hToken, False, tkp, Len(tkp), ByVal 0&, ByVal 0&) '设置优先级..
r = CloseHandle(hToken)

Dim hProc&, prThread&, dwwb&, prParam&, pPar$, thId&
pPar = 1
hProc = OpenProcess(PROCESS_ALL_ACCESS, False, pidTAR) '打开进程..

prParam = VirtualAllocEx(hProc, ByVal 0, LenB(pPar), MEM_COMMIT, PAGE_READWRITE) '分配某别的进程的..某块..你可以用的...内存..
pPar = Text2.Text '注入你的DLL..
Dim hMod As Long, lProcAdd As Long '
hMod = LoadLibrary("kernel32") '只能远程用这些..共享的..模块?
lProcAdd = GetProcAddress(hMod, "LoadLibraryW")

r = WriteProcessMemoryProc(hProc, ByVal prParam, StrPtr(pPar), LenB(pPar), 0) '向刚才分配的内存中写LoadLibrary的参数..也就是那个DLL的路径(废话)
r = CreateRemoteThread(hProc, 0&, 0&, lProcAdd, ByVal prParam, 0, thId) '创建远程线程
VirtualFreeEx hProc, prParam, LenB(pPar), MEM_RELEASE '
CloseHandle hProc '

至于DLL
我习惯用VC写
在DLLMain里面写你的代码就行了

热心网友时间：2023-10-21 00:05

您好，
我想应该可以的哦！
你可以在对话框类里添加DDX的映射哦~，
然后把STATIC的ID跟m_staticEx关联；
如果还是不行的话，就在OnInitDialog中手工子类化 m_staticEx.SubclassWindow(GetDlgItem(ID_STATIC_ID))。
只要完成了手工子类化操作，
static窗口的消息就能被你的CMyStatic处理。
使用DDX映射宏会自动帮你子类化的。
希望我的回答对您能有帮助哦！
谢谢！

热心网友时间：2023-10-21 00:06

可以把
你在对话框类里面添加DDX映射，把STATIC的ID跟m_staticEx关联；要么在OnInitDialog中手工子类化 m_staticEx.SubclassWindow(GetDlgItem(ID_STATIC_ID))。只有完成了子类化操作，static窗口的消息才能被你的CMyStatic处理。使用DDX映射宏会自动帮你子类化。

热心网友时间：2023-10-21 00:07

这样吧，代码很多，我有一个注入和卸载的例子（dll是delphi写的）
留下邮箱，之后我发给你
邮件已发出，注意查收

热心网友时间：2023-10-21 00:04

热心网友时间：2023-10-21 00:05

热心网友时间：2023-10-21 00:06

热心网友时间：2023-10-21 00:07

这样吧，代码很多，我有一个注入和卸载的例子（dll是delphi写的）
留下邮箱，之后我发给你
邮件已发出，注意查收

热心网友时间：2023-10-21 00:05

热心网友时间：2023-10-21 00:06

热心网友时间：2023-10-21 00:07

这样吧，代码很多，我有一个注入和卸载的例子（dll是delphi写的）
留下邮箱，之后我发给你
邮件已发出，注意查收

热心网友时间：2023-10-21 00:05

热心网友时间：2023-10-21 00:06

热心网友时间：2023-10-21 00:07

这样吧，代码很多，我有一个注入和卸载的例子（dll是delphi写的）
留下邮箱，之后我发给你
邮件已发出，注意查收

全部栏目

vb中如何将DLL文件注入进程,又如何将其取消