原文地址:http://blog.csdn.net/chenhui530/archive/2008/10/21/3119107.aspx 作者:chenhui530(大仙级人物)
最近才发现的“RtlCreateUserThread”(下步调用ZwCreateThread)这可是个好东西,可以创建远程线程,也可以用来写多线程程序,但是在VB里好像还是不是很稳定只能用API。
这篇文章给大家一种不同于(CreateRemoteThread)但是原理是一样(都是通过ZwCreateThread创建线程)创建远程线程,实现注入和卸载功能。对于一些编写外挂,或者对Shellcode感兴趣的人是非常有用的学习资料。
多线程实例
Public Function CreateThread(ByVal hProcess As Long, ByVal StartAddress As Long, ByVal Parameter As Long, ByRef Cid As CLIENT_ID) As Long
Dim hThread As Long
Dim ntStatus As Long
ntStatus = RtlCreateUserThread(hProcess, ByVal 0&, 0, 0, 0, 0, StartAddress, Parameter, hThread, Cid)
CreateThread = hThread
End Function
Public Sub ThreadProc(ByVal Parameter As Long)
Do While gblnRunning
Form1.List1.AddItem CStr(Parameter)
Parameter = Parameter + 1
Loop
RtlExitUserThread 0
End Sub
----------------------------------------------------------------------------------------
in form
Option Explicit
Private Sub cmdDelMe_Click()
DeleteMe Val(txtInput(0).Text)
Unload Me
End Sub
Private Sub cmdInject_Click()
If Not IsNumeric(txtInput(0).Text) Then
MsgBox "请输入正确的PID!!", vbCritical, "提示"
txtInput(0).SetFocus
Exit Sub
End If
If Dir(txtInput(1).Text, 1 Or 2 Or 4) = "" Then
MsgBox "DLL不存在!!", vbCritical, "提示"
txtInput(1).SetFocus
Exit Sub
End If
InjectDll Val(txtInput(0).Text), txtInput(1).Text
End Sub
Private Sub cmdUnInject_Click()
If Not IsNumeric(txtInput(0).Text) Then
MsgBox "请输入正确的PID!!", vbCritical, "提示"
txtInput(0).SetFocus
Exit Sub
End If
If Dir(txtInput(1).Text, 1 Or 2 Or 4) = "" Then
MsgBox "DLL不存在!!", vbCritical, "提示"
txtInput(1).SetFocus
Exit Sub
End If
UnInjectDll Val(txtInput(0).Text), txtInput(1).Text
End Sub
in module
----------------------------------------------------------------------------------------------------------
Option Explicit
Public Type CLIENT_ID
UniqueProcess As Long
UniqueThread As Long
End Type
Private Declare Function RtlCreateUserThread Lib "ntdll.dll" (ByVal hProcess As Long, _
ByRef ThreadSecurityDescriptor As Any, _
ByVal CreateSuspended As Long, _
ByVal ZeroBits As Long, _
ByVal MaximumStackSize As Long, _
ByVal CommittedStackSize As Long, _
ByVal StartAddress As Long, _
ByVal Parameter As Long, _
ByRef hThread As Long, _
ByRef ClientId As CLIENT_ID) As Long
Private Declare Function RtlExitUserThread Lib "ntdll.dll" (ByVal ntStatus As Long) As Long
Private Declare Function TerminateThread Lib "kernel32" (ByVal hThread As Long, ByVal dwExitCode As Long) As Long
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Public Declare Function CreateEvent Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any, ByVal bManualReset As Long, ByVal bInitialState As Long, ByVal lpName As String) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Public Declare Function SetEvent Lib "kernel32" (ByVal hEvent As Long) As Long
Private Declare Function MessageBox Lib "user32" Alias "MessageBoxA" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Long, lpExitCode As Long) As Long
Private Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFileName As String, ByVal nSize As Long) As Long
Private Const INFINITE =
Private Const MEM_COMMIT =
Public Const MEM_RELEASE =
Private Const PAGE_EXECUTE_READWRITE =
Private Const PAGE_READWRITE =
Private Const SYNCHRONIZE As Long =
Private Const STANDARD_RIGHTS_REQUIRED As Long =
Public Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Public Function CreateThread(ByVal hProcess As Long, ByVal StartAddress As Long, ByVal Parameter As Long, ByRef Cid As CLIENT_ID) As Long
Dim hThread As Long
Dim ntStatus As Long
ntStatus = RtlCreateUserThread(hProcess, ByVal 0&, 0, 0, 0, 0, StartAddress, Parameter, hThread, Cid)
CreateThread = hThread
End Function
Public Function EndThread(ByVal hThread As Long) As Boolean
EndThread = TerminateThread(hThread, 0)
End Function
Public Function InjectDll(ByVal dwProcessId As Long, ByVal strFileName As String) As Boolean
Dim hProcess As Long
Dim nSize As Long
Dim pBase As Long
Dim ShellCode() As Byte
Dim hThread As Long
Dim Cid As CLIENT_ID
Dim dwFunAddress As Long
strFileName = strFileName & Chr(0)
nSize = LenB(strFileName)
ReDim ShellCode(nSize + 31 - 1)
ShellCode(0) =
ShellCode(1) =
ShellCode(2) =
ShellCode(3) =
ShellCode(4) = &H0 'call $5
ShellCode(5) = &H5D 'pop ebp
ShellCode(6) =
ShellCode(7) = &HC5 'mov eax,ebp
ShellCode(8) =
ShellCode(9) =
ShellCode(10) = &H1A 'add eax,1a '指向dll路径
ShellCode(11) = &H50 ' push eax
ShellCode(12) =
ShellCode(13) =
ShellCode(14) =
ShellCode(15) =
ShellCode(16) = &H0 'mov eax,LoadLibraryW
ShellCode(17) =
ShellCode(18) = &HD0 'call eax
ShellCode(19) =
ShellCode(20) = &H0 'push 0
ShellCode(21) =
ShellCode(22) =
ShellCode(23) =
ShellCode(24) =
ShellCode(25) = &H0 'mov eax,ExitThread
ShellCode(26) =
ShellCode(27) = &HD0 'call eax
ShellCode(28) =
ShellCode(29) = &H4 'ret 4
ShellCode(30) =
CopyMemory ShellCode(31), ByVal StrPtr(strFileName), nSize
dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryW")
CopyMemory ShellCode(13), dwFunAddress, 4
dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "ExitThread")
CopyMemory ShellCode(22), dwFunAddress, 4
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessId)
If hProcess Then
pBase = VirtualAllocEx(hProcess, ByVal 0&, nSize + 31, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
If pBase Then
If WriteProcessMemory(hProcess, ByVal pBase, ShellCode(0), nSize + 31, ByVal 0&) Then
hThread = CreateThread(hProcess, pBase, 0, Cid)
If hThread Then
WaitForSingleObject hThread, INFINITE
CloseHandle hThread
InjectDll = True
End If
End If
VirtualFreeEx hProcess, ByVal pBase, 0, MEM_RELEASE
End If
CloseHandle hProcess
End If
End Function
Public Function UnInjectDll(ByVal dwProcessId As Long, ByVal strFileName As String) As Boolean
Dim hProcess As Long
Dim nSize As Long
Dim pBase As Long
Dim ShellCode() As Byte
Dim hThread As Long
Dim Cid As CLIENT_ID
Dim dwFunAddress As Long
strFileName = strFileName & Chr(0)
nSize = LenB(strFileName)
ReDim ShellCode(nSize + 32 - 1)
ShellCode(0) =
ShellCode(1) =
ShellCode(2) =
ShellCode(3) =
ShellCode(4) = &H0 'call $5
ShellCode(5) = &H5D 'pop ebp
ShellCode(6) =
ShellCode(7) = &HC5 'mov eax,ebp
ShellCode(8) =
ShellCode(9) =
ShellCode(10) = &H1B 'add eax,1b '指向dll路径
ShellCode(11) = &H50 ' push eax
ShellCode(12) =
ShellCode(13) =
ShellCode(14) =
ShellCode(15) =
ShellCode(16) = &H0 'mov eax,GetModuleHandleW
ShellCode(17) =
ShellCode(18) = &HD0 'call eax
ShellCode(19) =
ShellCode(20) = &H0 'push 0
ShellCode(21) = &H50 'push eax
ShellCode(22) =
ShellCode(23) =
ShellCode(24) =
ShellCode(25) =
ShellCode(26) = &H0 'mov eax,FreeLibraryAndExitThread
ShellCode(27) =
ShellCode(28) = &HD0 'call eax
ShellCode(29) =
ShellCode(30) = &H4 'ret 4
ShellCode(31) =
CopyMemory ShellCode(32), ByVal StrPtr(strFileName), nSize
dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "GetModuleHandleW")
CopyMemory ShellCode(13), dwFunAddress, 4
dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "FreeLibraryAndExitThread")
CopyMemory ShellCode(23), dwFunAddress, 4
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessId)
If hProcess Then
pBase = VirtualAllocEx(hProcess, ByVal 0&, nSize + 32, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
If pBase Then
If WriteProcessMemory(hProcess, ByVal pBase, ShellCode(0), nSize + 32, ByVal 0&) Then
hThread = CreateThread(hProcess, pBase, 0, Cid)
If hThread Then
WaitForSingleObject hThread, INFINITE
CloseHandle hThread
UnInjectDll = True
End If
End If
VirtualFreeEx hProcess, ByVal pBase, 0, MEM_RELEASE
End If
CloseHandle hProcess
End If
End Function
Public Function DeleteMe(ByVal dwProcessId As Long) As Boolean
Dim AppName As String
Dim hProcess As Long
Dim nSize As Long
Dim pBase As Long
Dim ShellCode() As Byte
Dim hThread As Long
Dim Cid As CLIENT_ID
Dim dwFunAddress As Long
AppName = String(260, Chr(0))
GetModuleFileName 0, AppName, 260
AppName = Left(AppName, InStr(AppName, Chr(0)) - 1)
AppName = AppName & Chr(0)
nSize = LenB(AppName)
ReDim ShellCode(nSize + 35 - 1)
ShellCode(0) =
ShellCode(1) =
ShellCode(2) =
ShellCode(3) =
ShellCode(4) = &H0 'call $5
ShellCode(5) = &H5D 'pop ebp
ShellCode(6) =
ShellCode(7) = &HC5 'mov eax,ebp
ShellCode(8) =
ShellCode(9) =
ShellCode(10) = &H1E 'add eax,1e '指向主程序路径
ShellCode(11) = &H50 ' push eax
ShellCode(12) =
ShellCode(13) =
ShellCode(14) =
ShellCode(15) =
ShellCode(16) = &H0 'mov eax,DeleteFileW
ShellCode(17) =
ShellCode(18) = &HD0 'call eax
ShellCode(19) =
ShellCode(20) = &HC0 'test eax,eax
ShellCode(21) =
ShellCode(22) = &HEF 'jz &ShellCode(6)
ShellCode(23) =
ShellCode(24) = &H0 'push 0
ShellCode(25) =
ShellCode(26) =
ShellCode(27) =
ShellCode(28) =
ShellCode(29) = &H0 'mov eax,ExitThread
ShellCode(30) =
ShellCode(31) = &HD0 'call eax
ShellCode(32) =
ShellCode(33) = &H4 'ret 4
ShellCode(34) =
CopyMemory ShellCode(35), ByVal StrPtr(AppName), nSize
dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "DeleteFileW")
CopyMemory ShellCode(13), dwFunAddress, 4
dwFunAddress = GetProcAddress(GetModuleHandle("kernel32.dll"), "ExitThread")
CopyMemory ShellCode(26), dwFunAddress, 4
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessId)
If hProcess Then
pBase = VirtualAllocEx(hProcess, ByVal 0&, nSize + 35, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
If pBase Then
If WriteProcessMemory(hProcess, ByVal pBase, ShellCode(0), nSize + 35, ByVal 0&) Then
hThread = CreateThread(hProcess, pBase, 0, Cid)
If hThread Then
' WaitForSingleObject hThread, INFINITE
' CloseHandle hThread
DeleteMe = True
End If
End If
' VirtualFreeEx hProcess, ByVal pBase, 0, MEM_RELEASE
End If
CloseHandle hProcess
End If
End Function
/Files/xxaxx/工程1.rar