VB6: calling Ring0 functions directly from Ring3, defeating any R3 API hook


This should let you avoid the usual data-stealing tricks (CrackThief, for example) XD

The following is reposted from: http://topic.csdn.net/u/20120518/18/9a00ec5c-b3d1-4a1f-9bc1-ba1a47b52463.html



Every hobbyist loves playing with the Nt*** and Rtl*** functions in ntdll, but those can be hooked too, and most hooks target exactly them. This time I'll show a new trick: call straight from Ring3 into Ring0. Any R3 hook placed on the "final entry point" of those R3 ntdll functions then cannot see our call at all; only a hook installed in R0 could. (Of course, from the principle below I expect some people will also work out how to build a universal hook.)
My skills are poor and the code inevitably takes the long way round; none of what follows is new either, it's just to give VB6 a little more swagger... Experts, please don't laugh at me.

Add a Form1, a Text1 and a Command1:

Private Declare Function TabbedTextOut& Lib "user32" Alias "TabbedTextOutA" (ByVal DC As Long, ByVal X As Long, ByVal Y As Long, ByVal Text As String, ByVal Size As Long, Optional ByVal TabPositions As Long, Optional TabStopPositions As Long, Optional ByVal Origin As Long)
Private Declare Function RtlAdjustPrivilege& Lib "ntdll" (ByVal Privileges As Long, Optional ByVal NewValue As Long = 1, Optional ByVal Thread As Long, Optional Value As Long)
Private Declare Function CallWindowProc& Lib "user32" Alias "CallWindowProcW" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long)
Private Declare Function GetModuleHandleA& Lib "kernel32" (ByVal n$)
Private Declare Function GetProcAddress& Lib "kernel32" (ByVal m&, ByVal n$)
Private Declare Function CloseHandle& Lib "kernel32" (ByVal h&)
Private Declare Sub RtlMoveMemory Lib "kernel32" (ByVal Dst&, ByVal Src&, ByVal Size&)
Private Declare Sub GetMem4 Lib "msvbvm60" (ByVal Ptr As Long, ByVal RetVal As Long)

'Address of ntdll!KiFastSystemCall (mov edx,esp / sysenter). This export only exists in
'32-bit ntdll (Windows XP through Windows 7), so the code below is x86-only.
Private KiFastSystemCall&

Private Sub Command1_Click()
    Dim handle&
    handle = OpenProcess(Text1.Text, 2035711)   '2035711 = &H1F0FFF = PROCESS_ALL_ACCESS
    TerminateProcess handle, 0
    CloseHandle handle
    MsgBox "Handle:" & handle & ",Have tried killed."
End Sub

Private Sub Form_Load()
    RtlAdjustPrivilege 20   '20 = SeDebugPrivilege
    KiFastSystemCall = GetProcAddress(GetModuleHandleA("ntdll.dll"), "KiFastSystemCall")
End Sub

'Reads the system service index out of the stub's first instruction (mov eax,imm32 = B8 xx xx xx xx).
'It blindly trusts the dword at entry+1; if the export no longer starts with B8 the value is meaningless.
Private Function ReadFunctionIndex&(ByVal Name$, Optional ByVal DllFile$ = "ntdll.dll")
    Dim pEntry&, dwIndex&
    pEntry = GetProcAddress(GetModuleHandleA(DllFile), Name)
    GetMem4 pEntry + 1, VarPtr(dwIndex)
    ReadFunctionIndex = dwIndex
End Function

'Each wrapper builds a tiny x86 stub in a Byte array: push the arguments right-to-left,
'push one dummy "return address" (the slot the kernel skips when it reads the arguments
'at edx+8), load edx/eax, call KiFastSystemCall, pop everything back off, ret.
'CallWindowProc is used only as a way to jump into the byte array.
Private Function OpenProcess&(ByVal dwPID&, ByVal dwAccess&)
    Dim hProcess&, ret&
    Dim objAttr&(5), cid&(1)   'zeroed OBJECT_ATTRIBUTES and CLIENT_ID
    cid(0) = dwPID
    Dim dwIndex&
    dwIndex = ReadFunctionIndex("ZwOpenProcess")
    Dim ASMCode(42) As Byte
    ASMCode(0) = &H68                                               'push CLIENT_ID struct
    RtlMoveMemory VarPtr(ASMCode(1)), VarPtr(VarPtr(cid(0))), 4
    ASMCode(5) = &H68                                               'push OBJ_ATTR struct
    RtlMoveMemory VarPtr(ASMCode(6)), VarPtr(VarPtr(objAttr(0))), 4
    ASMCode(10) = &H68                                              'push dwAccess
    RtlMoveMemory VarPtr(ASMCode(11)), VarPtr(dwAccess), 4
    ASMCode(15) = &H68                                              'push hProcess
    RtlMoveMemory VarPtr(ASMCode(16)), VarPtr(VarPtr(hProcess)), 4
    ASMCode(20) = &H68                                              'push Return Address (dummy)
    RtlMoveMemory VarPtr(ASMCode(21)), VarPtr(VarPtr(ret)), 4
    ASMCode(25) = &HBA                                              'mov edx,KiFastSystemCall Address
    RtlMoveMemory VarPtr(ASMCode(26)), VarPtr(KiFastSystemCall), 4
    ASMCode(30) = &HB8                                              'mov eax,Kernel Function Index
    RtlMoveMemory VarPtr(ASMCode(31)), VarPtr(dwIndex), 4
    ASMCode(35) = &HFF                                              'call edx
    ASMCode(36) = &HD2
    ASMCode(37) = &H59                                              'pop (5 pops: 4 args + dummy return address)
    ASMCode(38) = &H59                                              'pop
    ASMCode(39) = &H59                                              'pop
    ASMCode(40) = &H59                                              'pop
    ASMCode(41) = &H59                                              'pop
    ASMCode(42) = &HC3                                              'ret
    CallWindowProc VarPtr(ASMCode(0)), 0, 0, 0, 0
    OpenProcess = hProcess
End Function

Private Function TerminateProcess&(ByVal hProcess&, ByVal ExitStatus&)
    Dim ret&
    Dim dwIndex&
    dwIndex = ReadFunctionIndex("ZwTerminateProcess")
    Dim ASMCode(30) As Byte
    ASMCode(0) = &H68                                               'push ExitStatus
    RtlMoveMemory VarPtr(ASMCode(1)), VarPtr(ExitStatus), 4
    ASMCode(5) = &H68                                               'push hProcess
    RtlMoveMemory VarPtr(ASMCode(6)), VarPtr(hProcess), 4
    ASMCode(10) = &H68                                              'push Return Address (dummy)
    RtlMoveMemory VarPtr(ASMCode(11)), VarPtr(VarPtr(ret)), 4
    ASMCode(15) = &HBA                                              'mov edx,KiFastSystemCall Address
    RtlMoveMemory VarPtr(ASMCode(16)), VarPtr(KiFastSystemCall), 4
    ASMCode(20) = &HB8                                              'mov eax,Kernel Function Index
    RtlMoveMemory VarPtr(ASMCode(21)), VarPtr(dwIndex), 4
    ASMCode(25) = &HFF                                              'call edx
    ASMCode(26) = &HD2
    ASMCode(27) = &H59                                              'pop (3 pops: 2 args + dummy return address)
    ASMCode(28) = &H59                                              'pop
    ASMCode(29) = &H59                                              'pop
    ASMCode(30) = &HC3                                              'ret
    TerminateProcess = CallWindowProc(VarPtr(ASMCode(0)), 0, 0, 0, 0)
End Function

'Same idea for a win32k service: user32's GetDC stub also starts with mov eax,index.
Private Function GetDC&(ByVal hWnd&)
    Dim ret&
    Dim dwIndex&
    dwIndex = ReadFunctionIndex("GetDC", "user32.dll")
    Dim ASMCode(24) As Byte
    ASMCode(0) = &H68                                               'push hWnd
    RtlMoveMemory VarPtr(ASMCode(1)), VarPtr(hWnd), 4
    ASMCode(5) = &H68                                               'push Return Address (dummy)
    RtlMoveMemory VarPtr(ASMCode(6)), VarPtr(VarPtr(ret)), 4
    ASMCode(10) = &HBA                                              'mov edx,KiFastSystemCall Address
    RtlMoveMemory VarPtr(ASMCode(11)), VarPtr(KiFastSystemCall), 4
    ASMCode(15) = &HB8                                              'mov eax,Kernel Function Index
    RtlMoveMemory VarPtr(ASMCode(16)), VarPtr(dwIndex), 4
    ASMCode(20) = &HFF                                              'call edx
    ASMCode(21) = &HD2
    ASMCode(22) = &H59                                              'pop (2 pops: 1 arg + dummy return address)
    ASMCode(23) = &H59                                              'pop
    ASMCode(24) = &HC3                                              'ret
    GetDC = CallWindowProc(VarPtr(ASMCode(0)), 0, 0, 0, 0)
End Function

Private Sub Form_Paint()
    Form_Resize
End Sub

Private Sub Form_Resize()
    TabbedTextOut GetDC(Me.hWnd), 0, 0, "123", -1
End Sub

The above is reposted from: http://topic.csdn.net/u/20120518/18/9a00ec5c-b3d1-4a1f-9bc1-ba1a47b52463.html

Further reading: http://blog.csdn.net/a1875566250/article/details/7584677
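The flip side of the technique above is how a kernel-side monitor spots it: a legitimate 32-bit system call enters sysenter from a stub inside ntdll (or user32/gdi32 for win32k services), whereas the VB6 stubs above enter it from a Byte array on the heap, so the return address sitting at [esp] at sysenter time points outside every system DLL. The following detection model is an added example, not part of the original post or the CSDN thread; the module addresses, syscall indices and events are constructed, and it assumes the monitor can record that return address for each call.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class ModuleRange:
    name: str
    base: int
    size: int
    def contains(self, addr):
        return self.base <= addr < self.base + self.size

@dataclass(frozen=True)
class SyscallEvent:
    pid: int
    index: int      # eax at sysenter; bits 12-13 select the service table
    ret_addr: int   # [esp] at sysenter: the address right after the 'call edx'

# Legit stub modules per service table: 0 = ntoskrnl (ntdll), 1 = win32k (user32/gdi32)
LEGIT_STUB_MODULES = {0: {"ntdll.dll"}, 1: {"user32.dll", "gdi32.dll"}}
# Constructed module map of the monitored process (illustrative addresses)
MODULES = [
    ModuleRange("ntdll.dll", 0x7C900000, 0x000B2000),
    ModuleRange("user32.dll", 0x7E410000, 0x00091000),
    ModuleRange("msvbvm60.dll", 0x72A00000, 0x00161000),
]

def owning_module(addr, modules):
    return next((m for m in modules if m.contains(addr)), None)
def classify(ev, modules):
    """'ok' if the call entered the kernel from a stub in an expected system DLL, else a reason."""
    table = (ev.index >> 12) & 3
    mod = owning_module(ev.ret_addr, modules)
    if mod is None:
        return "direct-syscall: return address %#x is outside every loaded module" % ev.ret_addr
    if mod.name not in LEGIT_STUB_MODULES.get(table, set()):
        return "direct-syscall: table %d service issued from %s" % (table, mod.name)
    return "ok"

def detect_direct_syscalls(events, modules):
    # every (event, reason) pair whose call did not come through a known stub
    results = ((ev, classify(ev, modules)) for ev in events)
    return [(ev, reason) for ev, reason in results if reason != "ok"]

# Constructed events (illustrative values): ntdll ZwOpenProcess, user32 GetDC, then
# the post's heap-resident Byte-array stub, and a call issued from inside msvbvm60
SAMPLE_EVENTS = [
    SyscallEvent(1234, 0x007A, 0x7C90D5F5),
    SyscallEvent(1234, 0x1168, 0x7E4190B3),
    SyscallEvent(1234, 0x0101, 0x00153A45),
    SyscallEvent(1234, 0x007A, 0x72A3B101),
]
```

Only the last two events are flagged: the first because its return address belongs to no module at all, the second because a table-0 service has no business being issued from the VB runtime.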
