远线程运行API2011-06-06 博客园 zcsor继续前面一篇所写的——远线程调用ASM在上一篇中的类的基础上,继承并发扬了一个类:远线程运行API,里面采用 的技术就是:1、构造远线程调用代码及参数2、通过线性搜索获取对方进程中的API入口地址由于2是提取自一个以前的代码,并且调用API的函数中用了多个循环判定, 导致……效率低下的很呢代码中关键部分就是:1、E8后面偏移地址的计算:E8后面是相对地址……2、不同类型参数的处理:除了INTEGER以外,都“按指针”传递——调用时 采用了字节数组3、参数反向压栈:注意一下就可以了4、实现了一个泛接口类,用以把结构转化为字节数组,但未测试,若不成功 应自己把参数转化为字节数组后传入5、有个修改内存页属性的函数,没有用到,其实是给后面程序用的,添加到 这里了,要用也可以,只是在这个类里直接调用了API这个完整的文件就是这样的了:(记得添加上篇那个类到工程才能用……继 承并发扬么!)Imports System.Runtime.InteropServicesPublic Class RunRemoteAPI : Inherits RunRemoteASMCode """ <summary> """ 远程DLL函数导出函数信息 """ </summary> """ <remarks></remarks> Protected avExports() As avExportOrImports """ <summary> """ 函数导出信息 """ </summary> """ <remarks></remarks> Public Structure avExportOrImports Dim LibName As String "库名(在导出中未使 用) Dim ExportsIndex As Integer "函数导入/出序号 Dim Name As String "函数名 Dim ExportsRVA As Integer "函数导入/出表RVA Dim FunctionRVA As Integer "函数入口RVA End Structure """ <summary> """ 基地址 """ </summary> """ <value></value> """ <returns>为对方进程申请的内存的基地址 </returns> """ <remarks></remarks> ReadOnly Property BaseAddress() As Integer Get Return MyBase.AllocBaseAddress End Get End Property """ <summary> """ 对方进程 """ </summary> """ <value></value> """ <returns>对方进程对象</returns> """ <remarks></remarks> ReadOnly Property RotateProcess() As Process Get Return MyBase.RemoteProcess End Get End Property """ <summary> """ 用ProcessID初始化 """ </summary> """ <param name="PID"></param> """ <remarks></remarks> Sub New(ByVal PID As Integer) MyBase.New(PID) End Sub """ <summary> """ 根据名称调用对方进程的API """ </summary> """ <param name="DllName">API所在DLL名称 </param> """ <param name="FuncName">API函数名称 </param> """ <param name="FuncParams">参数列表</param> """ <returns>API返回值,此返回值只有当Wait为True时才可信 </returns> """ <remarks></remarks> Function CallRemoteAPIByName(ByVal DllName As String, ByVal FuncName As String, ByVal Wait As Boolean, ByVal ParamArray FuncParams() As mFuncParam) As Integer If MyBase.RemoteProcess Is Nothing Then MsgBox("未找到指定进程") Return -1 End If "初始化数据 ClearCodeAndData() Dim DllHandle As Integer = -1 Dim FuncAddress As Integer = -1 "枚举对方进程模块列表,找到对方进程中相应DLL的基地址 (Handle) For Each m As ProcessModule In Process.GetProcessById(MyBase.RemoteProcess.Id).Modules If InStr(m.FileName.ToUpper, DllName.ToUpper) > 0 Then DllHandle = m.BaseAddress Exit For End If Next If DllHandle = -1 Then MsgBox("未发现对方进程中的 " & DllName & " 模块", , "进程 : " & MyBase.RemoteProcess.Id) Return -1 End If "枚举对方进程中相应DLL中全部函数信息(暴力搜索) avExports = GetExports(MyBase.RemoteProcess.Handle, DllHandle) "遍历信息表,获取我们需要的函数入口地址 For Each e As avExportOrImports In avExports If Not e.Name Is Nothing AndAlso e.Name.ToUpper = FuncName.ToUpper Then FuncAddress = e.FunctionRVA Exit For End If Next If FuncAddress = -1 Then MsgBox("未发现 " & DllName & " 模块中 的函数 " & FuncName, , "进程 : " & MyBase.RemoteProcess.Id) Return -1 End If "以下构造调用API的ASM CODE "首先将参数依次压栈 Dim Ubound As Integer = FuncParams.Length - 1 For i As Integer = Ubound To 0 Step -1 "参数反向 If FuncParams(i).Ptr Then "如果需要按指 针封送,作为数据处理并添加指针段。否则,直接添加 Dim addr As Integer = MyBase.AddData (FuncParams(i).Obj) MyBase.AddByte2Code(&H68) "按4字节 对齐 prush MyBase.AddInt2Code(addr + MyBase.AllocBaseAddress) "将数据部分的地址写入到为对 方申请的内存的代码部分 Else MyBase.AddByte2Code(&H68) "按4字节 对齐 MyBase.AddBytes2Code(FuncParams (i).Obj) End If Next "向代码添加调用 AddCallToCode(FuncAddress) "向代码添加RET(RET 10) MyBase.AddByte2Code(&HC3) "int3 MyBase.AddByte2Code(&HCC) Return MyBase.Run(Wait) End Function """ <summary> """ 读BYREF型返回值,例如GETWINDOWSTEXTA,第二个参数 """ </summary> """ <param name="index">要传回的BYREF参数索引,如 GETWINDOWSTEXTA中,第二个参数是第一个BYREF传入值,要返回它则传入 1</param> """ <returns></returns> """ <remarks></remarks> Public Function RemoteBytesFromIndex(ByVal index As Integer) As Byte() Dim odata As mData = CType(MyBase.DataArraylist(index - 1), mData) Dim ret(odata.len - 1) As Byte ReadProcessMemory(MyBase.RemoteProcess.Handle, odata.prt, ret, odata.len, 0) Return ret End Function """ <summary> """ 将CALL语句添加到ASM CODE """ </summary> """ <param name="FuncAddr">API函数入口地址 </param> """ <remarks>注意地址偏移计算</remarks> Protected Sub AddCallToCode(ByVal FuncAddr As Integer) "E8指令要调用的地址是相对地址 MyBase.AddByte2Code(&HE8) Dim CallAddress As Integer = Math.Abs (MyBase.AllocBaseAddress + MyBase.PtrAddressOffset - FuncAddr) - 4 MyBase.AddInt2Code(CallAddress) End Sub
""" <summary> """ 获取指定DLL函数的导出函数信息 """ </summary> """ <param name="pHandle">DLL所在进程句柄 </param> """ <param name="ModuleBaseAddress">DLL句柄(基地址) </param> """ <remarks></remarks> Public Function GetExports(ByVal pHandle As IntPtr, ByVal ModuleBaseAddress As Integer) As avExportOrImports() Dim ret() As avExportOrImports = Nothing Try Dim lpEXPORT_TABLE As Integer = ModuleBaseAddress + MemValue(pHandle, ModuleBaseAddress + MemValue (pHandle, ModuleBaseAddress + &H3C) + &H78) Dim lNumberOfNames As Integer = MemValue (pHandle, lpEXPORT_TABLE + &H18) Dim lNumberOfFunctions As Integer = MemValue (pHandle, lpEXPORT_TABLE + &H14) Dim lBase As Integer = MemValue(pHandle, lpEXPORT_TABLE + &H10) Dim lpNamesTable As Integer = ModuleBaseAddress + MemValue(pHandle, lpEXPORT_TABLE + &H20) Dim lpFunctionsTable As Integer = ModuleBaseAddress + MemValue(pHandle, lpEXPORT_TABLE + &H1C) Dim lpOrdinalsTable As Integer = ModuleBaseAddress + MemValue(pHandle, lpEXPORT_TABLE + &H24) Dim lpFunction As Integer Dim lNameOrdinal As Integer ReDim ret(lNumberOfFunctions - 1) Dim i As Integer For i = 0 To lNumberOfFunctions - 1 " 识别入口 ret(i).ExportsIndex = i + lBase ret(i).ExportsRVA = lpFunctionsTable + 4 * i ret(i).FunctionRVA = MemValue (pHandle, lpFunctionsTable + 4 * i) + ModuleBaseAddress Next Do While lNumberOfNames > 0 "从入 口识别函数名 lNumberOfNames = lNumberOfNames - 1 lpFunction = ModuleBaseAddress + MemValue(pHandle, lpNamesTable + lNumberOfNames * 4) lNameOrdinal = MemValue(pHandle, (lpOrdinalsTable + lNumberOfNames * 2), True) If lNameOrdinal >= lNumberOfFunctions Then Exit Do ret(lNameOrdinal).Name = RemoteStrFromPtr(pHandle, lpFunction) Loop Return ret Catch ex As Exception "Debug.Print(Err.Description) Return ret End Try End Function
""" <summary> """ 读取指定内存4,2字节 """ </summary> """ <param name="lAddress">地址</param> """ <param name="TooByte">二字节还是四字节 </param> """ <returns></returns> """ <remarks></remarks> Protected Function MemValue(ByVal pHandle As IntPtr, ByVal lAddress As Integer, Optional ByVal TooByte As Boolean = False) As Object Dim tmpArr() As Byte If TooByte Then ReDim tmpArr(1) Else ReDim tmpArr(3) Try Dim lOldProtect As Integer VirtualProtectEx(pHandle, lAddress, 1, &H40, lOldProtect) ReadProcessMemory(pHandle, lAddress, tmpArr, tmpArr.Length, 0) VirtualProtectEx(pHandle, lAddress, 1, lOldProtect, lOldProtect) Catch ex As Exception If Err.Number = 5 Then Return 0 End Try If TooByte Then Return BitConverter.ToInt16(tmpArr, 0) Else Return BitConverter.ToInt32(tmpArr, 0) End If End Function
""" <summary> """ 根据内存地址指针读字符串 """ </summary> """ <param name="lpString">地址(指针) </param> """ <returns></returns> """ <remarks>最多读会1024个字符</remarks> Protected Function RemoteStrFromPtr(ByVal pHandle As IntPtr, ByVal lpString As Integer) As String Dim b(1023) As Byte Dim lPosOfZero As Integer Dim lOldProtect As Integer Try VirtualProtectEx(pHandle, lpString, 1, &H40, lOldProtect) ReadProcessMemory(pHandle, lpString, b, 1024, 0) VirtualProtectEx(pHandle, lpString, 1, lOldProtect, lOldProtect) Dim i As Integer For i = 0 To b.Length - 1 If b(i) = 0 Then lPosOfZero = i Exit For End If Next Return System.Text.Encoding.ASCII.GetString (b, 0, lPosOfZero) Catch ex As Exception "Debug.Print(Err.Number & " " & Err.Description) Return String.Empty End Try End Function Enum Protect "内存保护属性枚举 PAGE_NOACCESS = &H1 PAGE_READONLY = &H2 PAGE_READWRITE = &H4 PAGE_WRITECOPY = &H8 PAGE_EXECUTE = &H10 PAGE_EXECUTE_READ = &H20 PAGE_EXECUTE_READWRITE = &H40 PAGE_EXECUTE_READWRITECOPY = &H50 PAGE_EXECUTE_WRITECOPY = &H80 PAGE_GUARD = &H100 PAGE_NOCACHE = &H200 PAGE_WRITECOMBINE = &H400 End Enum
Shared Function SetVirtualProtect(ByVal hProcess As IntPtr, ByVal lpBaseAddress As Integer, Optional ByVal nSize As Integer = 8, Optional ByVal nProtect As Protect = Protect.PAGE_EXECUTE_READWRITECOPY) As Integer Dim lProtect As Integer If VirtualProtectEx(hProcess, lpBaseAddress, nSize, nProtect, lProtect) <> 0 Then Return lProtect Else Return -1 End Function
End Class
""" <summary> """ 函数参数 """ </summary> """ <remarks></remarks> Public Class mFuncParam Public Obj As Byte() Public Ptr As Boolean Sub New(ByVal obj As Integer) Me.Obj = BitConverter.GetBytes(obj) Me.Ptr = False End Sub Sub New(ByVal obj As Byte()) Me.Obj = obj.Clone Me.Ptr = True End Sub End Class
""" <summary> """ 用于将结构体转化为BYTE类型,只提供了一个共享成员方法 """ </summary> """ <typeparam name="T">必须传入自定义类型,系统类型将引发错误 </typeparam> """ <remarks>系统类型应自行转化为BYTE数组或INTEGER类型 </remarks> Public Class Param(Of T) Shared Function GetBytes(ByVal Value As T) As Byte() Try Dim size As Integer = Marshal.SizeOf(Value) Dim ret(size) As Byte Dim ptr As IntPtr = Marshal.AllocHGlobal (size) Marshal.StructureToPtr(Value, ptr, True) Marshal.Copy(ptr, ret, 0, size) Marshal.FreeHGlobal(ptr) Return ret Catch ex As Exception MsgBox(ex.ToString) Return Nothing End Try End Function End Class
易网时代-编程资源站