VB6實現Ring3下直接調用Ring0層函數,反一切R3下API Hook
這樣應該可以避免一般的偷數據(例如CrackThief)XD
以下轉自:http://topic.csdn.net/u/20120518/18/9a00ec5c-b3d1-4a1f-9bc1-ba1a47b52463.html
一切愛好者喜歡玩ntdll那些Nt***、Rtl***的函數,可畢竟那些東西也是能Hook的,而且大多數也就是Hook那些,這次給大家一個新玩法,直接通過Ring3去call到Ring0,此時R3下對ntdll那些R3下函數的「最終入口」的Hook都無法捕獲到我們的調用,除非在R0下Hook了函數。(當然根據下面的原理我想某些人也知道該如何搞個萬能Hook了)
小弟技術很菜,代碼難免繞了很多圈子,而且下面的東西也不是什麼新玩意,只不過是給VB6漲漲氣焰罷了。。。大大們看到了不要嘲我。。。
添加一個Form1,一個Text1、一個Command1
Private Declare Function TabbedTextOut& Lib "user32 " Alias "TabbedTextOutA" (ByVal DC As Long, ByVal X As Long, ByVal Y As Long, ByVal Text As String, ByVal Size As Long, Optional ByVal TabPositions As Long, Optional TabStopPositions As Long, Optional ByVal Origin As Long) Private Declare Function RtlAdjustPrivilege& Lib "ntdll" (ByVal Privileges As Long, Optional ByVal NewValue As Long = 1, Optional ByVal Thread As Long, Optional Value As Long) Private Declare Function CallWindowProc& Lib "user32" Alias "CallWindowProcW" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) Private Declare Function GetModuleHandleA& Lib "kernel32" (ByVal n$) Private Declare Function GetProcAddress& Lib "kernel32" (ByVal m&, ByVal n$) Private Declare Function CloseHandle& Lib "kernel32" (ByVal h&) Private Declare Sub RtlMoveMemory Lib "kernel32" (ByVal Dst&, ByVal Src&, ByVal Size&) Private Declare Sub GetMem4 Lib "msvbvm60" (ByVal Ptr As Long, ByVal RetVal As Long) Private KiFastSystemCall& Private Sub Command1_Click() Dim handle& handle = OpenProcess(Text1.Text, 2035711) TerminateProcess handle, 0 CloseHandle handle MsgBox "Handle:" & handle & ",Have tried killed." End Sub Private Sub Form_Load() RtlAdjustPrivilege 20 KiFastSystemCall = GetProcAddress(GetModuleHandleA("ntdll.dll"), "KiFastSystemCall") End Sub Private Function ReadFunctionIndex&(ByVal Name$, Optional ByVal DllFile$ = "ntdll.dll") Dim pEntry&, dwIndex& pEntry = GetProcAddress(GetModuleHandleA(DllFile), Name) GetMem4 pEntry + 1, VarPtr(dwIndex) ReadFunctionIndex = dwIndex End Function Private Function OpenProcess&(ByVal dwPID&, ByVal dwAccess&) Dim hProcess&, ret& Dim objAttr&(5), cid&(1) cid(0) = dwPID Dim dwIndex& dwIndex = ReadFunctionIndex("ZwOpenProcess") Dim ASMCode(42) As Byte ASMCode(0) = &H68 'push CLIENT_ID struct RtlMoveMemory VarPtr(ASMCode(1)), VarPtr(VarPtr(cid(0))), 4 ASMCode(5) = &H68 'push OBJ_ATTR struct RtlMoveMemory VarPtr(ASMCode(6)), VarPtr(VarPtr(objAttr(0))), 4 ASMCode(10) = &H68 'push dwAccess RtlMoveMemory VarPtr(ASMCode(11)), VarPtr(dwAccess), 4 ASMCode(15) = &H68 'push hProcess RtlMoveMemory VarPtr(ASMCode(16)), VarPtr(VarPtr(hProcess)), 4 ASMCode(20) = &H68 'push Return Address RtlMoveMemory VarPtr(ASMCode(21)), VarPtr(VarPtr(ret)), 4 ASMCode(25) = &HBA 'mov edx,KiFastSystemCall Address RtlMoveMemory VarPtr(ASMCode(26)), VarPtr(KiFastSystemCall), 4 ASMCode(30) = &HB8 'mox eax,Kernel Function Index RtlMoveMemory VarPtr(ASMCode(31)), VarPtr(dwIndex), 4 ASMCode(35) = &HFF 'call edx ASMCode(36) = &HD2 ASMCode(37) = &H59 'pop ASMCode(38) = &H59 'pop ASMCode(39) = &H59 'pop ASMCode(40) = &H59 'pop ASMCode(41) = &H59 'pop ASMCode(42) = &HC3 'ret CallWindowProc VarPtr(ASMCode(0)), 0, 0, 0, 0 OpenProcess = hProcess End Function Private Function TerminateProcess&(ByVal hProcess&, ByVal ExitStatus&) Dim ret& Dim dwIndex& dwIndex = ReadFunctionIndex("ZwTerminateProcess") Dim ASMCode(30) As Byte ASMCode(0) = &H68 'push ExitStatus RtlMoveMemory VarPtr(ASMCode(1)), VarPtr(ExitStatus), 4 ASMCode(5) = &H68 'push hProcess RtlMoveMemory VarPtr(ASMCode(6)), VarPtr(hProcess), 4 ASMCode(10) = &H68 'push Return Address RtlMoveMemory VarPtr(ASMCode(11)), VarPtr(VarPtr(ret)), 4 ASMCode(15) = &HBA 'mov edx,KiFastSystemCall Address RtlMoveMemory VarPtr(ASMCode(16)), VarPtr(KiFastSystemCall), 4 ASMCode(20) = &HB8 'mox eax,Kernel Function Index RtlMoveMemory VarPtr(ASMCode(21)), VarPtr(dwIndex), 4 ASMCode(25) = &HFF 'call edx ASMCode(26) = &HD2 ASMCode(27) = &H59 'pop ASMCode(28) = &H59 'pop ASMCode(29) = &H59 'pop ASMCode(30) = &HC3 'ret TerminateProcess = CallWindowProc(VarPtr(ASMCode(0)), 0, 0, 0, 0) End Function Private Function GetDC&(ByVal hWnd&) Dim ret& Dim dwIndex& dwIndex = ReadFunctionIndex("GetDC", "user32.dll") Dim ASMCode(24) As Byte ASMCode(0) = &H68 'push hWnd RtlMoveMemory VarPtr(ASMCode(1)), VarPtr(hWnd), 4 ASMCode(5) = &H68 'push Return Address RtlMoveMemory VarPtr(ASMCode(6)), VarPtr(VarPtr(ret)), 4 ASMCode(10) = &HBA RtlMoveMemory VarPtr(ASMCode(11)), VarPtr(KiFastSystemCall), 4 ASMCode(15) = &HB8 RtlMoveMemory VarPtr(ASMCode(16)), VarPtr(dwIndex), 4 ASMCode(20) = &HFF 'call edx ASMCode(21) = &HD2 ASMCode(22) = &H59 'pop ASMCode(23) = &H59 'pop ASMCode(24) = &HC3 'ret GetDC = CallWindowProc(VarPtr(ASMCode(0)), 0, 0, 0, 0) End Function Private Sub Form_Paint() Form_Resize End Sub Private Sub Form_Resize() TabbedTextOut GetDC(Me.hWnd), 0, 0, "123", -1 End Sub
以上轉自:http://topic.csdn.net/u/20120518/18/9a00ec5c-b3d1-4a1f-9bc1-ba1a47b52463.html
延伸:http://blog.csdn.net/a1875566250/article/details/7584677
沒有DLL= =
回覆刪除你沒有dll你電腦就打不開了XD
刪除還有什麼遊戲沒驅動保護的
回覆刪除這代碼沒大用途
可以防一般人偷數據...
刪除